308 lines
8.7 KiB
Bash
308 lines
8.7 KiB
Bash
#!/bin/bash
|
||
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:~/bin
|
||
export PATH
|
||
|
||
RED_COLOR="\033[0;31m"
|
||
NO_COLOR="\033[0m"
|
||
GREEN="\033[32m\033[01m"
|
||
BLUE="\033[0;36m"
|
||
FUCHSIA="\033[0;35m"
|
||
|
||
nginx_v=1.25.3.1
|
||
|
||
install_nginx(){
|
||
apt update -y && apt install vim curl lsof wget -y
|
||
apt install build-essential libpcre3 libpcre3-dev zlib1g-dev openssl libssl-dev linux-image-amd64 linux-headers-amd64 -y
|
||
wget -N --no-check-certificate https://git.igewu.org/yanglc/tunnel/raw/branch/main/$nginx_v.tar.gz && tar -xvzf $nginx_v.tar.gz
|
||
cd openresty-$nginx_v
|
||
./configure \
|
||
--prefix=/etc/nginx \
|
||
--sbin-path=/usr/sbin/nginx \
|
||
--conf-path=/etc/nginx/nginx.conf \
|
||
--error-log-path=/var/log/nginx/error.log \
|
||
--http-log-path=/var/log/nginx/access.log \
|
||
--pid-path=/var/run/nginx.pid \
|
||
--lock-path=/var/run/nginx.lock \
|
||
--with-file-aio \
|
||
--with-threads \
|
||
--with-stream \
|
||
--with-stream_realip_module \
|
||
--with-stream_ssl_module \
|
||
--with-stream_ssl_preread_module
|
||
make && make install
|
||
cd
|
||
rm -rf $nginx_v.tar.gz openresty-$nginx_v
|
||
wget -N --no-check-certificate -P /etc/nginx/ "https://git.igewu.org/yanglc/tunnel/raw/branch/main/nginx.conf"
|
||
wget -N --no-check-certificate -P /usr/lib/systemd/system/ "https://git.igewu.org/yanglc/tunnel/raw/branch/main/nginx.service"
|
||
systemctl enable nginx --now
|
||
systemctl daemon-reload
|
||
install_wireguard
|
||
99_menu
|
||
}
|
||
|
||
install_wireguard(){
|
||
apt install linux-image-amd64 -y && apt install wireguard -y
|
||
systemctl enable wg-quick@wg0
|
||
}
|
||
|
||
nginx_conf(){
|
||
echo -e "
|
||
${GREEN} 1.跳板机
|
||
${GREEN} 2.中转机
|
||
"
|
||
read -p "输入选项:" aNum
|
||
echo -e "
|
||
${GREEN} 1.隧道1(tunnel1)
|
||
${GREEN} 2.隧道2(tunnel2)
|
||
${GREEN} 3.隧道3(tunnel3)
|
||
"
|
||
read -p "请输入括号里的代号:" mplsdh
|
||
if [ "$aNum" = "1" ];then
|
||
rm -rf /etc/nginx/nginx.conf
|
||
wget -N --no-check-certificate -P /etc/nginx/ "https://git.igewu.org/yanglc/tunnel/raw/branch/main/$mplsdh/client/nginx.txt"
|
||
wget -N --no-check-certificate -P /etc/nginx/ssl "https://git.igewu.org/yanglc/tunnel/raw/branch/main/$mplsdh/client/ca1.crt"
|
||
wget -N --no-check-certificate -P /etc/nginx/ "https://git.igewu.org/yanglc/tunnel/raw/branch/main/nginx.conf"
|
||
nginx_rows=`wc -l /etc/nginx/nginx.txt | awk '{print $1}'`
|
||
echo -e "
|
||
stream {" >> /etc/nginx/nginx.conf
|
||
for((i=1;i<=$nginx_rows;i++));
|
||
do
|
||
listen_ip=`sed -n "$i, 1p" /etc/nginx/nginx.txt | awk '{print $1}'`
|
||
listen_port=`sed -n "$i, 1p" /etc/nginx/nginx.txt | awk '{print $2}'`
|
||
remote_ip=`sed -n "$i, 1p" /etc/nginx/nginx.txt | awk '{print $3}'`
|
||
remote_port=`sed -n "$i, 1p" /etc/nginx/nginx.txt | awk '{print $4}'`
|
||
lan_ip=`sed -n "$i, 1p" /etc/nginx/nginx.txt | awk '{print $5}'`
|
||
echo -e "
|
||
server {
|
||
listen $listen_ip:$listen_port ssl;
|
||
listen $lan_ip:$listen_port udp;
|
||
ssl_protocols TLSv1.3;
|
||
ssl_conf_command MinProtocol TLSv1.3;
|
||
ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;
|
||
ssl_certificate /etc/nginx/ssl/server.crt;
|
||
ssl_certificate_key /etc/nginx/ssl/server.key;
|
||
ssl_client_certificate /etc/nginx/ssl/ca1.crt;
|
||
ssl_verify_client on;
|
||
ssl_session_cache shared:SSL:15m;
|
||
ssl_session_timeout 3h;
|
||
ssl_session_tickets off;
|
||
tcp_nodelay on;
|
||
proxy_pass $remote_ip:$remote_port;
|
||
proxy_protocol off;
|
||
access_log off;
|
||
}" >> /etc/nginx/nginx.conf
|
||
done
|
||
elif [ "$aNum" = "2" ];then
|
||
rm -rf /etc/nginx/nginx.conf
|
||
wget -N --no-check-certificate -P /etc/nginx/ "https://git.igewu.org/yanglc/tunnel/raw/branch/main/$mplsdh/server/nginx.txt"
|
||
wget -N --no-check-certificate -P /etc/nginx/ssl "https://git.igewu.org/yanglc/tunnel/raw/branch/main/$mplsdh/server/ca1.crt"
|
||
wget -N --no-check-certificate -P /etc/nginx/ "https://git.igewu.org/yanglc/tunnel/raw/branch/main/nginx.conf"
|
||
nginx_rows=`wc -l /etc/nginx/nginx.txt | awk '{print $1}'`
|
||
echo -e "
|
||
stream {" >> /etc/nginx/nginx.conf
|
||
for((i=1;i<=$nginx_rows;i++));
|
||
do
|
||
listen_ip=`sed -n "$i, 1p" /etc/nginx/nginx.txt | awk '{print $1}'`
|
||
listen_port=`sed -n "$i, 1p" /etc/nginx/nginx.txt | awk '{print $2}'`
|
||
remote_ip=`sed -n "$i, 1p" /etc/nginx/nginx.txt | awk '{print $3}'`
|
||
remote_port=`sed -n "$i, 1p" /etc/nginx/nginx.txt | awk '{print $4}'`
|
||
lan_ip=`sed -n "$i, 1p" /etc/nginx/nginx.txt | awk '{print $5}'`
|
||
echo -e "
|
||
server {
|
||
listen $listen_ip:$listen_port;
|
||
proxy_ssl_certificate /etc/nginx/ssl/server.crt;
|
||
proxy_ssl_certificate_key /etc/nginx/ssl/server.key;
|
||
proxy_ssl_trusted_certificate /etc/nginx/ssl/ca1.crt;
|
||
proxy_ssl_protocols TLSv1.3;
|
||
proxy_ssl_server_name on;
|
||
proxy_ssl_verify on;
|
||
proxy_ssl on;
|
||
ssl_session_tickets off;
|
||
tcp_nodelay on;
|
||
proxy_ssl_name $remote_ip;
|
||
proxy_pass $remote_ip:$remote_port;
|
||
proxy_protocol off;
|
||
access_log off;
|
||
}
|
||
server {
|
||
listen $listen_ip:$listen_port udp;
|
||
proxy_pass $lan_ip:$remote_port;
|
||
proxy_protocol off;
|
||
access_log off;
|
||
}" >> /etc/nginx/nginx.conf
|
||
done
|
||
fi
|
||
echo -e "
|
||
}" >> /etc/nginx/nginx.conf
|
||
wireguard_conf
|
||
systemctl restart nginx
|
||
99_menu
|
||
}
|
||
|
||
wireguard_conf(){
|
||
if [ "$aNum" = "1" ];then
|
||
wget -N --no-check-certificate -P /etc/wireguard "https://git.igewu.org/yanglc/tunnel/raw/branch/main/$mplsdh/client/wg0.conf"
|
||
elif [ "$aNum" = "2" ];then
|
||
wget -N --no-check-certificate -P /etc/wireguard "https://git.igewu.org/yanglc/tunnel/raw/branch/main/$mplsdh/server/wg0.conf"
|
||
fi
|
||
wg-quick down wg0
|
||
wg-quick up wg0
|
||
}
|
||
|
||
delete_firewall(){
|
||
if [[ "$EUID" -ne 0 ]]; then
|
||
echo "false"
|
||
else
|
||
echo "true"
|
||
fi
|
||
if [[ -f /etc/redhat-release ]]; then
|
||
release="centos"
|
||
elif cat /etc/issue | grep -q -E -i "debian"; then
|
||
release="debian"
|
||
elif cat /etc/issue | grep -q -E -i "ubuntu"; then
|
||
release="ubuntu"
|
||
elif cat /etc/issue | grep -q -E -i "centos|red hat|redhat"; then
|
||
release="centos"
|
||
elif cat /proc/version | grep -q -E -i "debian"; then
|
||
release="debian"
|
||
elif cat /proc/version | grep -q -E -i "ubuntu"; then
|
||
release="ubuntu"
|
||
elif cat /proc/version | grep -q -E -i "centos|red hat|redhat"; then
|
||
release="centos"
|
||
fi
|
||
|
||
if [[ $release = "ubuntu" || $release = "debian" ]]; then
|
||
ufw disable
|
||
apt-get remove ufw
|
||
apt-get purge ufw
|
||
elif [[ $release = "centos" ]]; then
|
||
systemctl stop firewalld.service
|
||
systemctl disable firewalld.service
|
||
else
|
||
exit 1
|
||
fi
|
||
99_menu
|
||
}
|
||
|
||
create_ssl(){
|
||
mkdir -p /etc/nginx/ssl
|
||
cd /etc/nginx/ssl
|
||
servername=`curl -s https://ip.nekocat.cn`
|
||
cat > my-openssl.cnf << EOF
|
||
[ ca ]
|
||
default_ca = CA_default
|
||
[ CA_default ]
|
||
x509_extensions = usr_cert
|
||
[ req ]
|
||
default_bits = 2048
|
||
default_md = sha256
|
||
default_keyfile = privkey.pem
|
||
distinguished_name = req_distinguished_name
|
||
attributes = req_attributes
|
||
x509_extensions = v3_ca
|
||
string_mask = utf8only
|
||
[ req_distinguished_name ]
|
||
[ req_attributes ]
|
||
[ usr_cert ]
|
||
basicConstraints = CA:FALSE
|
||
nsComment = "OpenSSL Generated Certificate"
|
||
subjectKeyIdentifier = hash
|
||
authorityKeyIdentifier = keyid,issuer
|
||
[ v3_ca ]
|
||
subjectKeyIdentifier = hash
|
||
authorityKeyIdentifier = keyid:always,issuer
|
||
basicConstraints = CA:true
|
||
EOF
|
||
openssl genrsa -out ca.key 2048
|
||
openssl req -x509 -new -nodes -key ca.key -subj "/CN=${servername}" -days 5000 -out ca.crt
|
||
openssl genrsa -out server.key 2048
|
||
openssl req -new -sha256 -key server.key \
|
||
-subj "/C=CN/ST=yanglc/L=yanglc/O=mymisaka/CN=${servername}" \
|
||
-reqexts SAN \
|
||
-config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:${servername},IP:${servername}")) \
|
||
-out server.csr
|
||
openssl x509 -req -days 365 -sha256 \
|
||
-in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
|
||
-extfile <(printf "subjectAltName=DNS:${servername},IP:${servername}") \
|
||
-out server.crt
|
||
cat /etc/nginx/ssl/ca.crt
|
||
}
|
||
|
||
install_kernel(){
|
||
wget -N --no-check-certificate "https://git.igewu.org/yanglc/tunnel/raw/branch/main/tcp.sh" && chmod +x tcp.sh && ./tcp.sh
|
||
}
|
||
|
||
get_ip(){
|
||
echo -e "你的ipv6地址是:"
|
||
curl -6 ip.nekocat.cn
|
||
echo -e "你的ipv4地址是:"
|
||
curl -4 ip.nekocat.cn
|
||
}
|
||
|
||
manage_nginx(){
|
||
echo -e "
|
||
${GREEN} 1.停止隧道
|
||
${GREEN} 2.启动隧道
|
||
${GREEN} 3.重启隧道
|
||
"
|
||
read -p "请输入选项:" bNum
|
||
if [ "$bNum" = "1" ];then
|
||
wg-quick down wg0
|
||
systemctl stop nginx
|
||
elif [ "$bNum" = "2" ];then
|
||
wg-quick up wg0
|
||
systemctl start nginx
|
||
elif [ "$bNum" = "3" ];then
|
||
wg-quick down wg0
|
||
wg-quick up wg0
|
||
systemctl restart nginx
|
||
fi
|
||
99_menu
|
||
}
|
||
|
||
99_menu(){
|
||
clear
|
||
echo -e "
|
||
${GREEN} 1.安装隧道工具
|
||
${GREEN} 2.获取隧道配置
|
||
${GREEN} 3.查看当前ip
|
||
${GREEN} 4.删除防火墙
|
||
${GREEN} 5.管理隧道
|
||
${GREEN} 6.自签ssl
|
||
${GREEN} 7.安装内核
|
||
${GREEN} 0.退出脚本"
|
||
read -p " 请输入数字后[0-7] 按回车键:" num
|
||
case "$num" in
|
||
1)
|
||
install_nginx
|
||
;;
|
||
2)
|
||
nginx_conf
|
||
;;
|
||
3)
|
||
get_ip
|
||
;;
|
||
4)
|
||
delete_firewall
|
||
;;
|
||
5)
|
||
manage_nginx
|
||
;;
|
||
6)
|
||
create_ssl
|
||
;;
|
||
7)
|
||
install_kernel
|
||
;;
|
||
0)
|
||
exit 1
|
||
;;
|
||
*)
|
||
echo "请输入正确数字 [0-7] 按回车键"
|
||
sleep 1s
|
||
99_menu
|
||
;;
|
||
esac
|
||
}
|
||
99_menu
|