[ { "path": ".gitignore", "content": "# Created by .ignore support plugin (hsz.mobi)\n.idea" }, { "path": "README.md", "content": "# dev-sidecar-doc" }, { "path": "cf-works.md", "content": "\n# 部署到cloudflare免费workers上\n\n## 1、 注册cloudflare账号\nhttps://www.cloudflare.com/ \n验证完邮箱\n## 2、创建workers\n* 点击左侧Workers菜单\n* 点击右边创建服务按钮\n* 服务名称随意填写(YourWorkersName)\n* 点击右下角的创建服务,创建成功后会自动进入服务配置页面\n\n## 3、部署代理脚本\n\n* 点击快速编辑按钮\n* 删除左侧原有的代码\n* 将下方代码粘贴进去\n* 按照代码中注释部分进行修改\n```js\n\naddEventListener(\"fetch\", event => {\n event.respondWith(eventHandler(event))\n})\n\nasync function eventHandler(event) {\n const req = event.request\n const url = req.url\n // YourWorkersName.YourAccountName.修改为你的works地址\n // xxxxxxx改成任意一串字符,作为path,当做密码,不要公开\n const target = url.replace(\"https://YourWorkersName.YourAccountName.workers.dev/xxxxxxxx/\",\"\")\n req.url = target;\n if(target.startsWith(\"http\")){\n return new Response(\"500\")\n }\n const resp = await fetch(\"https://\"+target,req)\n return resp\n}\n```\n\n## 4、 点击部署按钮\n\n## 5、 配置DevSidecar功能增强的代理服务端\n 域名 = YourWorkersName.YourAccountName.workers.dev \n 路径 = xxxxxxxx\n\n 配置你代码中的域名和路径,点击应用即可\n \n## 6、 测试访问" }, { "path": "docker/Dockerfile", "content": "FROM nginx:1.19.4\nENV TZ=Asia/Shanghai\nENV PASSWORD=''\nCOPY ./config/nginx.conf /etc/nginx/nginx-template.conf\nCOPY ./config/start.sh /app/start.sh\nRUN chmod +x /app/start.sh\n\nCMD [\"/app/start.sh\"]\n" }, { "path": "docker/config/nginx.conf", "content": "user nginx;\nworker_processes auto;\nworker_rlimit_nofile 10000;\n\nerror_log /var/log/nginx/error.log warn;\npid /var/run/nginx.pid;\n\nevents {\n use epoll;\n multi_accept on;\n worker_connections 10240;\n}\n\nhttp {\n\n\n\n include /etc/nginx/mime.types;\n default_type application/octet-stream;\n\n\n log_format main '[$time_local] $remote_addr \"$request\" '\n '$status $body_bytes_sent \"$http_referer\" '\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n\n access_log /var/log/nginx/access.log main;\n\n sendfile on;\n #tcp_nopush on;\n #gzip on;\n\n proxy_set_header X-Real-IP $remote_addr;\n proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n\n\n keepalive_timeout 65;\n client_max_body_size 50m;\n\n server {\n\n listen 443 ssl; # 1.1版本后这样写\n server_name ${HOSTNAME} ; #填写绑定证书的域名\n ssl_certificate ${SSL_CERTIFICATE}; # 指定证书的位置,绝对路径\n ssl_certificate_key ${SSL_CERTIFICATE_KEY}; # 绝对路径,同上\n ssl_session_timeout 5m;\n ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; #按照这个协议配置\n ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;#按照这个套件配置\n ssl_prefer_server_ciphers on;\n\n client_max_body_size 50M;\n client_body_buffer_size 10M;\n\n location ^~/${CONTEXT_PATH}/ {\n resolver 1.1.1.1 ipv6=off;\n\n\n if ( $http_dspassword != '${PASSWORD}' ){\n return 403;\n }\n\n set $_full_uri $uri$is_args$args;\n if ( $_full_uri ~ /${CONTEXT_PATH}/([^/]+)/(.*) ){\n set $_host $1;\n set $_uri $2;\n }\n proxy_pass $scheme://$_host/$_uri;\n proxy_redirect https://${HOSTNAME}/${CONTEXT_PATH}/ /;\n proxy_buffer_size 64k;\n proxy_buffers 64 64k;\n proxy_busy_buffers_size 1m;\n proxy_temp_file_write_size 512k;\n proxy_max_temp_file_size 128m;\n # proxy_set_header referer $scheme://$_host; 要去掉\n proxy_set_header Host $_host;\n proxy_ssl_server_name on;\n proxy_set_header dspassword '';\n }\n location /${CONTEXT_PATH}/robots.txt {\n resolver 1.1.1.1;\n deny all;\n }\n location / {\n resolver 1.1.1.1;\n deny all;\n }\n }\n include /etc/nginx/conf.d/*.conf;\n}\n\n\n" }, { "path": "docker/config/start.sh", "content": "cp -f '/etc/nginx/nginx-template.conf' '/etc/nginx/nginx.conf'\nsed -i 's#${SSL_CERTIFICATE}#'\"$SSL_CERTIFICATE\"'#g' '/etc/nginx/nginx.conf'\nsed -i 's#${SSL_CERTIFICATE_KEY}#'\"$SSL_CERTIFICATE_KEY\"'#g' '/etc/nginx/nginx.conf'\nsed -i 's#${HOSTNAME}#'\"$HOSTNAME\"'#g' '/etc/nginx/nginx.conf'\nsed -i 's#${PASSWORD}#'\"$PASSWORD\"'#g' '/etc/nginx/nginx.conf'\nsed -i 's#${CONTEXT_PATH}#'\"$CONTEXT_PATH\"'#g' '/etc/nginx/nginx.conf'\nnginx -g 'daemon off;'\n" }, { "path": "docker/docker-compose.yml", "content": "version: '2.4'\nservices:\n nginx:\n container_name: dev-sidecar-nginx\n image: docmirror/dev-sidecar-nginx:1.3.0\n build:\n context: ./\n dockerfile: Dockerfile\n restart: always\n ports:\n - 443:443\n volumes:\n - /disk02/www:/usr/share/nginx/html\n environment:\n - TZ=Asia/Shanghai\n - SSL_CERTIFICATE=/app/ssl/cert.crt\n - SSL_CERTIFICATE_KEY=/app/ssl/cert.key\n - HOSTNAME=yourdomain.com\n - PASSWORD=123456\n - CONTEXT_PATH=change_me\n" }, { "path": "docker.md", "content": "# docker镜像启动\n安装步骤\n* 安装docker\n* 安装docker-compose\n* 启动nginx容器\n* 配置dev-sidecar\n* go \n\n## 1、安装docker\n\n如果你是centos8.x\n```shell\nyum remove podman # 先卸载podman,docker-ce与podman有冲突\n# 如果你的系统已经有应用跑在podman上,就不要卸载了,请安装podman-compose,然后直接看第3步\n```\n\n如果你是centos,执行如下命令即可\n```shell\nsudo yum install -y yum-utils\nsudo yum-config-manager \\\n--add-repo \\\nhttps://download.docker.com/linux/centos/docker-ce.repo\n\nsudo yum install docker-ce docker-ce-cli containerd.io\nsudo systemctl enable docker.service\nsudo systemctl start docker\n```\n\n如果不是centos,请按如下官方步骤安装好docker\n\nhttps://docs.docker.com/engine/install/centos/\n\n\n## 2、安装docker-compose\n\n```shell\nsudo curl -L \"https://github.com/docker/compose/releases/download/1.28.6/docker-compose-$(uname -s)-$(uname -m)\" -o /usr/local/bin/docker-compose\nsudo chmod +x /usr/local/bin/docker-compose\n```\n更多安装信息,请参考官方文档\n\nhttps://docs.docker.com/compose/install/\n\n## 3、启动nginx容器\n* 先 clone 本仓库到本地\n* 复制你的证书文件到`ds-nginx/ssl`目录下\n* 修改`ds-nginx`下的`docker-compose.yml`文件(按照里面的提示修改)\n* 将`ds-nginx`整个目录,上传到你服务器的`~/deploy/`目录下\n* 执行启动命令\n```shell\ncd ~/deploy/ds-nginx/\ndocker-compose up -d\n```\n## 4、修改dev-sidecar服务端配置\n按如下设置 \n应用---> 功能增强 ---> 代理服务端 \n填上一步时配置的三个变量(域名、路径、密码),应用即可 \n![](./image/server.png) \n\n\n# 问题排查\n打印nginx日志,看看有什么报错\n```shell\ndocker logs -f --tail 200 dev-sidecar-nginx\n```\n" }, { "path": "ds-nginx/docker-compose.yml", "content": "version: '2.4'\nservices:\n nginx:\n container_name: dev-sidecar-nginx\n image: docmirror/dev-sidecar-nginx:1.3.0\n restart: always\n ports:\n - 443:443\n volumes:\n - ~/deploy/ds-nginx/ssl:/app/ssl/ # 证书目录映射,不用动\n environment:\n - TZ=Asia/Shanghai\n - SSL_CERTIFICATE=/app/ssl/cert.crt # 这里修改为 /app/ssl/你的证书名称\n - SSL_CERTIFICATE_KEY=/app/ssl/cert.key # 这里修改为 /app/ssl/你的证书私钥名称\n - HOSTNAME=yourdomain.com # 修改为你的域名\n - CONTEXT_PATH=ertccawe24234 # 路径,随便乱输入就行\n - PASSWORD=yourpassword # 密码\n\n" }, { "path": "ds-nginx/ssl/cert.crt", "content": "-----BEGIN CERTIFICATE-----\nMIIFIDCCBAigAwIBAgISBJrGhBBxZvgI/BOL+CjuGKe2MA0GCSqGSIb3DQEBCwUA\nMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\nEwJSMzAeFw0yMTAyMDgwNDUyMTlaFw0yMTA1MDkwNDUyMTlaMBkxFzAVBgNVBAMM\nDiouZG9jbWlycm9yLmNuMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\nwgs/L3dz1lSCsPQ96G1+qlBKl0orJb9lu7DU5f/xSRQ+yguuzuKp81cswD5O8fl+\nkBnHha9s83NtMovDRUtbg/wUnZnvYkIHwTR6keItTw632yFBD9ms3l+WBaINx1Xr\no8CBYraUIEP+PNpNvEerPzxAj7Qd00Pg0w/zztLDfgrpgbSSJdX6LbYFJyQlj5bv\nj58hLAMQYayV9fjfbYnMWnsugjrdRzr3Jlv0cIC9fOOrrb0FaequPsfRT4rQpjfy\nphrO4KFziyLvYcjhC90GS38ff0Jl0Yritk9HgpYFOlhZZrhqJXsaIix6kwlU83sn\nTFQ3NexVoHjGmxOyTXEJVwIDAQABo4ICRzCCAkMwDgYDVR0PAQH/BAQDAgWgMB0G\nA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1Ud\nDgQWBBS0hy/hOrr/zAqUbyKsy8JTU0tDlzAfBgNVHSMEGDAWgBQULrMXt1hWy65Q\nCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9y\nMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3Jn\nLzAZBgNVHREEEjAQgg4qLmRvY21pcnJvci5jbjBMBgNVHSAERTBDMAgGBmeBDAEC\nATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNl\nbmNyeXB0Lm9yZzCCAQIGCisGAQQB1nkCBAIEgfMEgfAA7gB1AJQgvB6O1Y1siHMf\ngosiLA3R2k1ebE+UPWHbTi9YTaLCAAABd4AyqGAAAAQDAEYwRAIgA3E2ZayN+1ib\nNcCj0IO8utCmiiOlH8Q9anUJRIKVKhQCIELac+SSuabDz4N3zShFE5Cl+Gx0VxmQ\nBULvE55PoFxsAHUAfT7y+I//iFVoJMLAyp5SiXkrxQ54CX8uapdomX4i8NcAAAF3\ngDKoUwAABAMARjBEAiA6uVlyVH6aLBaBXvj3ZHHIy7xg/Y7TOxuDhgEn56/fzwIg\nb+CT4OWHEHjdoQ4+sf7k+GoHBSYUfEPcKmgI2RqjfWkwDQYJKoZIhvcNAQELBQAD\nggEBAJb8+tmI1UKuTkNgusbNWLm4IskCmBVkjU9WLuReZmu5eBWLV++y8nHzmwok\nfDqGXuIeVRYLVdXj5pquiaZxw7/KFP5FXDBh3RHQWwAINDKY1xilOoGDG6aVheBV\nzo5vTeyxs2VinMDP3exGwxDkuxiyT1OllXb2acTzV7BbH2YovdQKBKfkRbhWvTlp\nZbr36/dYyixr6owWg4SH+TpUSfj2O7Hu7EvrY5u88HWbeD/mTz9AMtw2p/kQaET/\n1l+GAYV/u6etiSXsLf0xtiIlIgIA/w+VJGeeBtwQ5E4S9EWLDm7mo4HPx4UtCQ/+\nCQlckuKGAH+G9zKM93vE68kXrLI=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/\nMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\nDkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow\nMjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT\nAlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs\njVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp\nTm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB\nU840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7\ngcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel\n/xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R\noYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E\nBAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p\nZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE\np7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE\nAYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu\nY3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0\nLmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf\nr52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B\nAQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH\nejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8\nS8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL\nqjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p\nO5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw\nUdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg==\n-----END CERTIFICATE-----" }, { "path": "ds-nginx/ssl/cert.key", "content": "-----BEGIN RSA PRIVATE KEY-----\n\n-----END RSA PRIVATE KEY-----\n" }, { "path": "ow.md", "content": "# 梯子原理\n\n1. 通过两层代理,将目标请求链接隐藏在https之中被加密,规避GFW的https握手特征检查\n2. 通过二级路径(下图的xxxxxxxx),规避GFW的试探性钓鱼检查\n\n\n```\n浏览器访问: https://www.google.com \n |\nDevSidecar【第一层代理】: https://yourdomain.com/xxxxxxxx/www.google.com/\n |\nGFW: GFW\n |\n境外Nginx【第二层代理】: 获取到xxxxxxxx之后的域名和地址,代理到https://www.google.com\n |\nDevSidecar: 返回给DevSidecar\n |\n浏览器访问: 返回给浏览器\n\n```\n\n在GFW看来你的流量就是在访问`yourdomain.com`这个正常的网站而已\n\n缺点:\n> 1、 仅支持HTTPS \n> 2、 只是简单的代理转发。 \n> 所以服务端可以篡改内容,存在安全风险,为了安全,最好是自建服务端。 \n> 理论上可以在`yourdomain.com/xxxxxxxx`的wss作为加密传输通道,通道内传输http访问请求,就可以不需要信任根证书了(有空再研究,现阶段的简单实现已经够用,不介意根证书的话)\n\n总结两点:\n> 大道至简:做的越多,错的越多。简单最有效,大隐隐于市。 \n> 降维打击:安全我都不要了。(自建服务器可以解决)\n\n## 自建服务端步骤\n配置非常简单,会搭nginx即可\n\n### 1. 准备工作\n* 一台境外服务器\n* 一个域名,免费证书\n* 下载[DevSidecar](https://github.com/docmirror/dev-sidecar)\n\n我的服务器是[1核1G的香港主机](https://www.ucloud.cn/site/active/kuaijie.html?invitation_code=C1xF886DAFF2658) \n如果你没有合适的境外主机,可以点击链接去购买,新用户还是挺划算的\n\n> 另外感谢群友@#贡献的一台日本服务器\n\n### 2. nginx配置\n\n```\n你需要定义如下三个变量\n域名:yourdomain.com 你注册域名,千万别跟google facebook github这些重点监控的域名相似\n路径:xxxxxxxx 你随便乱敲一串字母就行\n密码:yourpassword 同上\n\n证书:/xx/ssl证书.crt 绝对路径\n /xx/ssl证书私钥.key\n```\n\n```\n server {\n listen 443 ssl; \n server_name yourdomain.com ; # 修改为你的域名\n ssl_certificate /app/ssl/ssl证书.crt; # 修改为你域名ssl证书的绝对路径\n ssl_certificate_key /app/ssl/ssl证书私钥.key; # 修改为ssl证书私钥绝对路径\n ssl_session_timeout 5m;\n ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;\n ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;\n ssl_prefer_server_ciphers on;\n \n \n location ^~/xxxxxxxx/ { # xxxxxxxx 改成你自己随便任意的前缀地址\n resolver 1.1.1.1 ipv6=off;\n if ( $http_dspassword != 'your password' ){ # 校验密码,如果不配置密码,去掉它即可\n return 404; # 也可以改成403、502等其他错误,最好与下面的返回一致\n }\n set $_full_uri $uri$is_args$args;\n if ( $_full_uri ~ /xxxxxxxx/([^/]+)/(.*) ){ # 将xxxxxxxx修改为你路径前缀\n set $_host $1; # 获取路径后的目标网站的域名\n set $_uri $2; # 获取目标网站的请求地址\n }\n proxy_pass $scheme://$_host/$_uri;\n proxy_redirect https://yourdomain.com/xxxxxxxx/ /; # 修改为你的域名和路径前缀\n proxy_buffer_size 32k;\n proxy_buffers 64 32k;\n proxy_busy_buffers_size 1m;\n proxy_temp_file_write_size 512k;\n proxy_max_temp_file_size 128m;\n proxy_set_header Host $_host;\n proxy_ssl_server_name on;\n proxy_set_header dspassword '';\n }\n location / { # 其他访问全部拒绝,规避GFW的钓鱼试探\n resolver 1.1.1.1;\n return 404; # 也可以改成403、502等其他错误,最好与上面的密码错误返回一致,或者返回一个伪装网站\n }\n}\n```\n### 3. DevSidecar配置\n按如下设置 \n应用---> 功能增强 ---> 代理服务端 \n填上nginx配置时用的那三个变量,应用即可 \n![](./image/server.png) \n\n> `xxxxxxxx`一定要修改成你自己的,你把它也当成是一个密码 \n> 注意保护好 `域名、路径 和密码`,不要公开 \n\n## 其他部署方式\n### 1、docker镜像启动\n如果你不会安装nginx,推荐你按下面的docker镜像启动更方便 \n[docker启动教程](./docker.md)\n\n### 2、cf-workers\n你也可以试试免费的[cf-workers](./cf-works.md)\n" } ]