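Repository: docmirror/dev-sidecar-doc
Branch: main
Commit: f1a9f8775d5e
Files: 12
Total size: 12.6 KB

Directory structure:
gitextract_d1jnicqc/
├── .gitignore
├── README.md
├── cf-works.md
├── docker/
│   ├── Dockerfile
│   ├── config/
│   │   ├── nginx.conf
│   │   └── start.sh
│   └── docker-compose.yml
├── docker.md
├── ds-nginx/
│   ├── docker-compose.yml
│   └── ssl/
│       ├── cert.crt
│       └── cert.key
└── ow.md

================================================
FILE CONTENTS
================================================

================================================
FILE: .gitignore
================================================
# Created by .ignore support plugin (hsz.mobi)
.idea

================================================
FILE: README.md
================================================
# dev-sidecar-doc

================================================
FILE: cf-works.md
================================================
# 部署到cloudflare免费workers上

## 1、 注册cloudflare账号
https://www.cloudflare.com/
验证完邮箱

## 2、创建workers
* 点击左侧Workers菜单
* 点击右边创建服务按钮
* 服务名称随意填写(YourWorkersName)
* 点击右下角的创建服务,创建成功后会自动进入服务配置页面

## 3、部署代理脚本
* 点击快速编辑按钮
* 删除左侧原有的代码
* 将下方代码粘贴进去
* 按照代码中注释部分进行修改

```js
addEventListener("fetch", event => {
  event.respondWith(eventHandler(event))
})

// Change YourWorkersName.YourAccountName to your own workers address.
// Change xxxxxxxx to an arbitrary string: it is the path prefix and serves as
// the password, so do not publish it.
const PREFIX = "https://YourWorkersName.YourAccountName.workers.dev/xxxxxxxx/"

// Forwards https://<worker>/<secret prefix>/<host>/<path> to https://<host>/<path>.
// A request that does not carry the secret prefix, or whose remainder is empty
// or already starts with "http", is answered with a 500 and never reaches an upstream.
async function eventHandler(event) {
  const req = event.request
  const url = req.url
  // Explicit prefix check: the old `url.replace(PREFIX, "")` only rejected a
  // foreign URL because the unchanged URL happened to start with "http".
  if (!url.startsWith(PREFIX)) {
    return new Response("500", { status: 500 })
  }
  const target = url.slice(PREFIX.length)
  if (target === "" || target.startsWith("http")) {
    return new Response("500", { status: 500 })
  }
  // req is passed as the init so method, headers and body are reused.
  // Request.url is read-only, so the old `req.url = target` assignment did
  // nothing and has been dropped.
  return fetch("https://" + target, req)
}
```

## 4、 点击部署按钮

## 5、 配置DevSidecar功能增强的代理服务端
域名 = YourWorkersName.YourAccountName.workers.dev
路径 = xxxxxxxx
配置你代码中的域名和路径,点击应用即可

## 6、 测试访问

================================================
FILE: docker/Dockerfile
================================================
FROM nginx:1.19.4
ENV TZ=Asia/Shanghai
ENV PASSWORD=''
COPY ./config/nginx.conf 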
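/etc/nginx/nginx-template.conf
COPY ./config/start.sh /app/start.sh
RUN chmod +x /app/start.sh
CMD ["/app/start.sh"]

================================================
FILE: docker/config/nginx.conf
================================================
# Template rendered by start.sh: ${SSL_CERTIFICATE}, ${SSL_CERTIFICATE_KEY},
# ${HOSTNAME}, ${PASSWORD} and ${CONTEXT_PATH} are substituted from the
# container environment before nginx starts.
user nginx;
worker_processes auto;
worker_rlimit_nofile 10000;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    use epoll;
    multi_accept on;
    worker_connections 10240;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '[$time_local] $remote_addr "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;
    #gzip on;

    # Not inherited into the proxy location below, which declares its own
    # proxy_set_header directives (nginx only inherits proxy_set_header when the
    # current level has none), so the client address is not passed upstream.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    keepalive_timeout 65;
    client_max_body_size 50m;

    server {
        listen 443 ssl; # this is the syntax since version 1.1
        server_name ${HOSTNAME} ; # the domain the certificate is bound to
        ssl_certificate ${SSL_CERTIFICATE}; # certificate location, absolute path
        ssl_certificate_key ${SSL_CERTIFICATE_KEY}; # absolute path, as above
        ssl_session_timeout 5m;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and no longer offered;
        # clients must speak TLS 1.2 or 1.3.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; # configure this cipher suite
        ssl_prefer_server_ciphers on;
        client_max_body_size 50M;
        client_body_buffer_size 10M;

        # Everything under the secret prefix is forwarded to the host named in
        # the next path segment: /<CONTEXT_PATH>/<host>/<rest> -> https://<host>/<rest>.
        location ^~/${CONTEXT_PATH}/ {
            resolver 1.1.1.1 ipv6=off;
            # The shared secret arrives in the dspassword request header. With an
            # empty PASSWORD (the Dockerfile default) a request carrying no header
            # also passes this comparison, so the rendered value must not be empty.
            if ( $http_dspassword != '${PASSWORD}' ){
                return 403;
            }
            set $_full_uri $uri$is_args$args;
            if ( $_full_uri ~ /${CONTEXT_PATH}/([^/]+)/(.*) ){
                set $_host $1;
                set $_uri $2;
            }
            proxy_pass $scheme://$_host/$_uri;
            proxy_redirect https://${HOSTNAME}/${CONTEXT_PATH}/ /;
            proxy_buffer_size 64k;
            proxy_buffers 64 64k;
            proxy_busy_buffers_size 1m;
            proxy_temp_file_write_size 512k;
            proxy_max_temp_file_size 128m;
            # proxy_set_header referer $scheme://$_host;  must be removed
            proxy_set_header Host $_host;
            proxy_ssl_server_name on;
            # Strip the secret before the request leaves for the target host.
            proxy_set_header dspassword '';
        }

        location /${CONTEXT_PATH}/robots.txt {
            resolver 1.1.1.1;
            deny all;
        }

        location / {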
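            resolver 1.1.1.1;
            deny all;
        }
    }

    include /etc/nginx/conf.d/*.conf;
}

================================================
FILE: docker/config/start.sh
================================================
#!/bin/sh
# Renders /etc/nginx/nginx-template.conf into /etc/nginx/nginx.conf from the
# container environment, then runs nginx in the foreground.
set -eu

# Every placeholder needs a value. PASSWORD and CONTEXT_PATH must also be
# non-empty: the template compares $http_dspassword against the literal
# password, so an empty one accepts requests that carry no header at all, and an
# empty CONTEXT_PATH would collapse the secret prefix to "//".
: "${SSL_CERTIFICATE:?SSL_CERTIFICATE must be set}"
: "${SSL_CERTIFICATE_KEY:?SSL_CERTIFICATE_KEY must be set}"
: "${HOSTNAME:?HOSTNAME must be set}"
: "${PASSWORD:?PASSWORD must be set and non-empty}"
: "${CONTEXT_PATH:?CONTEXT_PATH must be set and non-empty}"

# Escapes the characters that are special in the replacement part of the
# `s#...#...#g` commands below ('#' delimiter, '&' back-reference, backslash),
# so a value containing them is copied into the config literally instead of
# breaking or altering the sed expression.
sed_escape() {
    printf '%s' "$1" | sed -e 's/[\\&#]/\\&/g'
}

cp -f '/etc/nginx/nginx-template.conf' '/etc/nginx/nginx.conf'
sed -i 's#${SSL_CERTIFICATE}#'"$(sed_escape "$SSL_CERTIFICATE")"'#g' '/etc/nginx/nginx.conf'
sed -i 's#${SSL_CERTIFICATE_KEY}#'"$(sed_escape "$SSL_CERTIFICATE_KEY")"'#g' '/etc/nginx/nginx.conf'
sed -i 's#${HOSTNAME}#'"$(sed_escape "$HOSTNAME")"'#g' '/etc/nginx/nginx.conf'
sed -i 's#${PASSWORD}#'"$(sed_escape "$PASSWORD")"'#g' '/etc/nginx/nginx.conf'
sed -i 's#${CONTEXT_PATH}#'"$(sed_escape "$CONTEXT_PATH")"'#g' '/etc/nginx/nginx.conf'

nginx -g 'daemon off;'

================================================
FILE: docker/docker-compose.yml
================================================
version: '2.4'
services:
  nginx:
    container_name: dev-sidecar-nginx
    image: docmirror/dev-sidecar-nginx:1.3.0
    build:
      context: ./
      dockerfile: Dockerfile
    restart: always
    ports:
      - 443:443
    volumes:
      # NOTE(review): nothing here mounts /app/ssl, yet SSL_CERTIFICATE below
      # points there; ds-nginx/docker-compose.yml mounts the ssl directory.
      # Confirm how this build variant is meant to receive its certificate.
      - /disk02/www:/usr/share/nginx/html
    environment:
      - TZ=Asia/Shanghai
      - SSL_CERTIFICATE=/app/ssl/cert.crt
      - SSL_CERTIFICATE_KEY=/app/ssl/cert.key
      - HOSTNAME=yourdomain.com
      # sample values; both are replaced before the container is exposed
      - PASSWORD=123456
      - CONTEXT_PATH=change_me

================================================
FILE: docker.md
================================================
# docker镜像启动

安装步骤
* 安装docker
* 安装docker-compose
* 启动nginx容器
* 配置dev-sidecar
* go

## 1、安装docker
如果你是centos8.x
```shell
yum remove podman # 先卸载podman,docker-ce与podman有冲突
# 如果你的系统已经有应用跑在podman上,就不要卸载了,请安装podman-compose,然后直接看第3步
```

如果你是centos,执行如下命令即可
```shell
sudo yum install -y yum-utils
sudo yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo
sudo yum install docker-ce docker-ce-cli containerd.io
sudo systemctl enable docker.service
sudo systemctl start docker
```

如果不是centos,请按如下官方步骤安装好docker
https://docs.docker.com/engine/install/centos/

## 2、安装docker-compose
```shell
sudo curl -L "https://github.com/docker/compose/releases/download/1.28.6/docker-compose-$(uname 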
-s)-$(uname -m)" -o /usr/local/bin/docker-compose sudo chmod +x /usr/local/bin/docker-compose ``` 更多安装信息,请参考官方文档 https://docs.docker.com/compose/install/ ## 3、启动nginx容器 * 先 clone 本仓库到本地 * 复制你的证书文件到`ds-nginx/ssl`目录下 * 修改`ds-nginx`下的`docker-compose.yml`文件(按照里面的提示修改) * 将`ds-nginx`整个目录,上传到你服务器的`~/deploy/`目录下 * 执行启动命令 ```shell cd ~/deploy/ds-nginx/ docker-compose up -d ``` ## 4、修改dev-sidecar服务端配置 按如下设置 应用---> 功能增强 ---> 代理服务端 填上一步时配置的三个变量(域名、路径、密码),应用即可 ![](./image/server.png) # 问题排查 打印nginx日志,看看有什么报错 ```shell docker logs -f --tail 200 dev-sidecar-nginx ``` ================================================ FILE: ds-nginx/docker-compose.yml ================================================ version: '2.4' services: nginx: container_name: dev-sidecar-nginx image: docmirror/dev-sidecar-nginx:1.3.0 restart: always ports: - 443:443 volumes: - ~/deploy/ds-nginx/ssl:/app/ssl/ # 证书目录映射,不用动 environment: - TZ=Asia/Shanghai - SSL_CERTIFICATE=/app/ssl/cert.crt # 这里修改为 /app/ssl/你的证书名称 - SSL_CERTIFICATE_KEY=/app/ssl/cert.key # 这里修改为 /app/ssl/你的证书私钥名称 - HOSTNAME=yourdomain.com # 修改为你的域名 - CONTEXT_PATH=ertccawe24234 # 路径,随便乱输入就行 - PASSWORD=yourpassword # 密码 ================================================ FILE: ds-nginx/ssl/cert.crt ================================================ -----BEGIN CERTIFICATE----- MIIFIDCCBAigAwIBAgISBJrGhBBxZvgI/BOL+CjuGKe2MA0GCSqGSIb3DQEBCwUA MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD EwJSMzAeFw0yMTAyMDgwNDUyMTlaFw0yMTA1MDkwNDUyMTlaMBkxFzAVBgNVBAMM DiouZG9jbWlycm9yLmNuMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA wgs/L3dz1lSCsPQ96G1+qlBKl0orJb9lu7DU5f/xSRQ+yguuzuKp81cswD5O8fl+ kBnHha9s83NtMovDRUtbg/wUnZnvYkIHwTR6keItTw632yFBD9ms3l+WBaINx1Xr o8CBYraUIEP+PNpNvEerPzxAj7Qd00Pg0w/zztLDfgrpgbSSJdX6LbYFJyQlj5bv j58hLAMQYayV9fjfbYnMWnsugjrdRzr3Jlv0cIC9fOOrrb0FaequPsfRT4rQpjfy phrO4KFziyLvYcjhC90GS38ff0Jl0Yritk9HgpYFOlhZZrhqJXsaIix6kwlU83sn TFQ3NexVoHjGmxOyTXEJVwIDAQABo4ICRzCCAkMwDgYDVR0PAQH/BAQDAgWgMB0G 
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1Ud DgQWBBS0hy/hOrr/zAqUbyKsy8JTU0tDlzAfBgNVHSMEGDAWgBQULrMXt1hWy65Q CUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9y My5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3Jn LzAZBgNVHREEEjAQgg4qLmRvY21pcnJvci5jbjBMBgNVHSAERTBDMAgGBmeBDAEC ATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNl bmNyeXB0Lm9yZzCCAQIGCisGAQQB1nkCBAIEgfMEgfAA7gB1AJQgvB6O1Y1siHMf gosiLA3R2k1ebE+UPWHbTi9YTaLCAAABd4AyqGAAAAQDAEYwRAIgA3E2ZayN+1ib NcCj0IO8utCmiiOlH8Q9anUJRIKVKhQCIELac+SSuabDz4N3zShFE5Cl+Gx0VxmQ BULvE55PoFxsAHUAfT7y+I//iFVoJMLAyp5SiXkrxQ54CX8uapdomX4i8NcAAAF3 gDKoUwAABAMARjBEAiA6uVlyVH6aLBaBXvj3ZHHIy7xg/Y7TOxuDhgEn56/fzwIg b+CT4OWHEHjdoQ4+sf7k+GoHBSYUfEPcKmgI2RqjfWkwDQYJKoZIhvcNAQELBQAD ggEBAJb8+tmI1UKuTkNgusbNWLm4IskCmBVkjU9WLuReZmu5eBWLV++y8nHzmwok fDqGXuIeVRYLVdXj5pquiaZxw7/KFP5FXDBh3RHQWwAINDKY1xilOoGDG6aVheBV zo5vTeyxs2VinMDP3exGwxDkuxiyT1OllXb2acTzV7BbH2YovdQKBKfkRbhWvTlp Zbr36/dYyixr6owWg4SH+TpUSfj2O7Hu7EvrY5u88HWbeD/mTz9AMtw2p/kQaET/ 1l+GAYV/u6etiSXsLf0xtiIlIgIA/w+VJGeeBtwQ5E4S9EWLDm7mo4HPx4UtCQ/+ CQlckuKGAH+G9zKM93vE68kXrLI= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/ MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7 gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel /xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p 
ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0 LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8 S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg== -----END CERTIFICATE----- ================================================ FILE: ds-nginx/ssl/cert.key ================================================ -----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY----- ================================================ FILE: ow.md ================================================ # 梯子原理 1. 通过两层代理,将目标请求链接隐藏在https之中被加密,规避GFW的https握手特征检查 2. 通过二级路径(下图的xxxxxxxx),规避GFW的试探性钓鱼检查 ``` 浏览器访问: https://www.google.com | DevSidecar【第一层代理】: https://yourdomain.com/xxxxxxxx/www.google.com/ | GFW: GFW | 境外Nginx【第二层代理】: 获取到xxxxxxxx之后的域名和地址,代理到https://www.google.com | DevSidecar: 返回给DevSidecar | 浏览器访问: 返回给浏览器 ``` 在GFW看来你的流量就是在访问`yourdomain.com`这个正常的网站而已 缺点: > 1、 仅支持HTTPS > 2、 只是简单的代理转发。 > 所以服务端可以篡改内容,存在安全风险,为了安全,最好是自建服务端。 > 理论上可以在`yourdomain.com/xxxxxxxx`的wss作为加密传输通道,通道内传输http访问请求,就可以不需要信任根证书了(有空再研究,现阶段的简单实现已经够用,不介意根证书的话) 总结两点: > 大道至简:做的越多,错的越多。简单最有效,大隐隐于市。 > 降维打击:安全我都不要了。(自建服务器可以解决) ## 自建服务端步骤 配置非常简单,会搭nginx即可 ### 1. 准备工作 * 一台境外服务器 * 一个域名,免费证书 * 下载[DevSidecar](https://github.com/docmirror/dev-sidecar) 我的服务器是[1核1G的香港主机](https://www.ucloud.cn/site/active/kuaijie.html?invitation_code=C1xF886DAFF2658) 如果你没有合适的境外主机,可以点击链接去购买,新用户还是挺划算的 > 另外感谢群友@#贡献的一台日本服务器 ### 2. 
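nginx配置
```
你需要定义如下三个变量
域名:yourdomain.com    你注册域名,千万别跟google facebook github这些重点监控的域名相似
路径:xxxxxxxx          你随便乱敲一串字母就行
密码:yourpassword      同上
证书:/xx/ssl证书.crt   绝对路径
     /xx/ssl证书私钥.key
```

```
server {
    listen 443 ssl;
    server_name yourdomain.com ; # change to your domain
    ssl_certificate /app/ssl/ssl证书.crt; # change to the absolute path of your domain's SSL certificate
    ssl_certificate_key /app/ssl/ssl证书私钥.key; # change to the absolute path of the SSL private key
    ssl_session_timeout 5m;
    # TLS 1.0/1.1 are deprecated and not offered; only 1.2 and 1.3 are enabled
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location ^~/xxxxxxxx/ { # change xxxxxxxx to an arbitrary prefix of your own
        resolver 1.1.1.1 ipv6=off;
        if ( $http_dspassword != 'your password' ){ # password check; remove it if you do not configure a password (the prefix is then the only secret)
            return 404; # can also be 403, 502 or another error; best to match the response below
        }
        set $_full_uri $uri$is_args$args;
        if ( $_full_uri ~ /xxxxxxxx/([^/]+)/(.*) ){ # change xxxxxxxx to your path prefix
            set $_host $1; # the target site's host, taken from the path
            set $_uri $2; # the request path on the target site
        }
        proxy_pass $scheme://$_host/$_uri;
        proxy_redirect https://yourdomain.com/xxxxxxxx/ /; # change to your domain and path prefix
        proxy_buffer_size 32k;
        proxy_buffers 64 32k;
        proxy_busy_buffers_size 1m;
        proxy_temp_file_write_size 512k;
        proxy_max_temp_file_size 128m;
        proxy_set_header Host $_host;
        proxy_ssl_server_name on;
        proxy_set_header dspassword ''; # the password header is cleared before the request goes to the target site
    }

    location / { # reject everything else, to avoid GFW probing
        resolver 1.1.1.1;
        return 404; # can also be 403, 502 or another error; best to match the wrong-password response above, or serve a decoy site
    }
}
```

### 3. DevSidecar配置
按如下设置
应用---> 功能增强 ---> 代理服务端
填上nginx配置时用的那三个变量,应用即可

![](./image/server.png)

> `xxxxxxxx`一定要修改成你自己的,你把它也当成是一个密码
> 注意保护好 `域名、路径 和密码`,不要公开

## 其他部署方式

### 1、docker镜像启动
如果你不会安装nginx,推荐你按下面的docker镜像启动更方便
[docker启动教程](./docker.md)

### 2、cf-workers
你也可以试试免费的[cf-workers](./cf-works.md)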