自建独享落地节点
适用于对 IP 质量要求较高的用户,需要一定的理解与动手能力
基于 L4 转发,理论上支持任何协议,以下仅为示例
系统建议:Linux Debian 10 及以上
运行环境:Docker
运行软件:Shadowsocks rust
安装步骤
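# Install Docker from the distribution repository.
apt install -y docker.io

# Start ssserver (shadowsocks-rust) on TCP and UDP (-U) port 8080, bound to
# every address of the host.
#
# The key is read from SS_PASSWORD instead of a literal, so the command refuses
# to run until a real secret has been set; the page's "Password" is only a
# placeholder. Use a long random value (for example the output of
# `openssl rand -base64 24`) and configure the same value on the forwarding
# side. The key is still passed as a process argument, so it remains visible
# to `ps` and `docker inspect` on this host.
#
# NOTE(review): the image is pulled by its mutable default tag. For a
# reproducible deployment pin a digest you have reviewed, e.g.
# ghcr.io/shadowsocks/ssserver-rust@sha256:<DIGEST_PLACEHOLDER>.
# NOTE(review): --net=host shares the host network namespace and the listener
# accepts connections on all addresses; where the forwarding nodes' addresses
# are known, limit port 8080 to them in the host firewall.
docker pull ghcr.io/shadowsocks/ssserver-rust && \
  docker run --entrypoint ssserver \
    -d --name=shadowsocks \
    --net=host \
    --restart=always \
    --log-driver json-file \
    --log-opt max-size=10m \
    --log-opt max-file=3 \
    ghcr.io/shadowsocks/ssserver-rust \
    -s "[::]:8080" -m "aes-128-gcm" \
    -k "${SS_PASSWORD:?set SS_PASSWORD to a long random secret first}" -U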
or (DNS)
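# Variant with explicit resolvers: ssserver is told via --dns to resolve
# through 1.1.1.1 and 1.0.0.1.
#
# The key comes from SS_PASSWORD so the command cannot start with the page's
# placeholder "Password"; set it to a long random secret that matches the
# forwarding side. It is still visible in the process arguments on this host.
# NOTE(review): the image tag is mutable; pin a reviewed digest
# (ghcr.io/shadowsocks/ssserver-rust@sha256:<DIGEST_PLACEHOLDER>) and restrict
# port 8080 in the host firewall where the peers' addresses are known.
docker pull ghcr.io/shadowsocks/ssserver-rust && \
  docker run --entrypoint ssserver \
    -d --name=shadowsocks \
    --net=host \
    --restart=always \
    --log-driver json-file \
    --log-opt max-size=10m \
    --log-opt max-file=3 \
    ghcr.io/shadowsocks/ssserver-rust \
    -s "[::]:8080" -m "aes-128-gcm" \
    -k "${SS_PASSWORD:?set SS_PASSWORD to a long random secret first}" -U \
    --dns "1.1.1.1,1.0.0.1"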
or (IPv6 first)
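# Variant that prefers IPv6 (-6) for outbound connections.
#
# The key comes from SS_PASSWORD so the command cannot start with the page's
# placeholder "Password"; set it to a long random secret that matches the
# forwarding side. It is still visible in the process arguments on this host.
# NOTE(review): the image tag is mutable; pin a reviewed digest
# (ghcr.io/shadowsocks/ssserver-rust@sha256:<DIGEST_PLACEHOLDER>) and restrict
# port 8080 in the host firewall where the peers' addresses are known.
docker pull ghcr.io/shadowsocks/ssserver-rust && \
  docker run --entrypoint ssserver \
    -d --name=shadowsocks \
    --net=host \
    --restart=always \
    --log-driver json-file \
    --log-opt max-size=10m \
    --log-opt max-file=3 \
    ghcr.io/shadowsocks/ssserver-rust \
    -s "[::]:8080" -m "aes-128-gcm" \
    -k "${SS_PASSWORD:?set SS_PASSWORD to a long random secret first}" -U -6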
对 Telegram Bot 发送指令 "/ssserver" 或 "/ssserver_v6" 即可获取与本站个人端口加密/协议一致的部署命令
添加流量转发规则
选择起源节点
填入目标服务器地址
填入目标端口
勾选[目标节点与本站个人端口加密/协议一致](如果没有采用 Telegram Bot 命令部署请跳过此步骤)
一分钟内自动生效,正常情况下在代理客户端选择起源节点即可
口碑较好的商家(排名不分先后)
配合流量转发,仅需购买国际宽带网络(Routing Profile: Standard)VPS/VDS
商业:静态 IP (static IP)
香港
台湾
日本
美国
新加坡
全球
流媒体:动态IP (dynamic IP or Random IPv6)
香港
台湾
日本
美国
新加坡
韩国
英国
以上部分链接包含AFF
优化(将以下内容直接复制粘贴到 Shell 执行即可;注意:脚本会整体覆盖 /etc/sysctl.conf 与 /etc/security/limits.conf 的现有内容)
#!/bin/bash
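# Time synchronization: keep the clock accurate for logs and for anything that
# validates timestamps.
# Install whichever of the two one-shot time clients is missing.
for pkg in ntpdate htpdate; do
  # `command -v` is a shell builtin; `which` is an external tool that may be
  # absent on a minimal install.
  if ! command -v "$pkg" >/dev/null 2>&1; then
    apt install -y "$pkg"
  fi
done

# Set the timezone, then step the clock once: NTP first, the HTTP Date header
# as fallback, each attempt capped at 5 seconds.
# NOTE(review): neither source is authenticated, so a party on the network
# path can shift the clock; certificate validity checks and log timelines
# depend on it. Prefer an authenticated or continuously running time service
# where one is available.
timedatectl set-timezone Asia/Shanghai
timeout 5 ntpdate time1.google.com || timeout 5 htpdate -s www.baidu.com

# Write the system time to the hardware clock.
hwclock -w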
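# Entropy pool: install and start haveged when the kernel reports a low
# entropy estimate and haveged is not already running.
# Start from 0 so the numeric comparison stays valid when the counter cannot
# be read (the unquoted, possibly empty value made `[` fail before).
entropy=0
if [ -r /proc/sys/kernel/random/entropy_avail ]; then
  entropy=$(< /proc/sys/kernel/random/entropy_avail)
fi

# NOTE(review): recent kernels appear to report a small fixed value here
# (256), which is always below this threshold, so haveged is then installed
# unconditionally; confirm it is still wanted on the target kernel.
if [ "${entropy:-0}" -lt 1000 ] && ! systemctl is-active --quiet haveged; then
  apt install -y haveged
  systemctl enable haveged
  systemctl restart haveged
fi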
# Open-file ceilings: first the system-wide maximum of the running kernel,
# then the per-process limit of the current shell. Both use the same value.
max_files=1048576
printf '%s\n' "$max_files" > /proc/sys/fs/file-max
ulimit -n "$max_files"
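# Kernel parameter tuning: replaces /etc/sysctl.conf as a whole and loads it.
#
# Keep a timestamped copy first, because the redirect below discards whatever
# the file contained before.
if [ -f /etc/sysctl.conf ]; then
  cp -a /etc/sysctl.conf "/etc/sysctl.conf.bak.$(date +%Y%m%d%H%M%S)"
fi

# Clear the immutable attribute so the file can be rewritten.
# NOTE(review): if an administrator set that attribute deliberately, this
# undoes the protection and it is not restored afterwards.
chattr -i /etc/sysctl.conf

# NOTE(review): ip_forward=1, IPv6 forwarding=1 and rp_filter=0 make the host
# route packets between interfaces without reverse-path filtering. A
# user-space proxy such as ssserver does not obviously need kernel forwarding;
# confirm it is required before keeping these three settings.
# NOTE(review): with IPv6 forwarding enabled the kernel stops accepting router
# advertisements unless accept_ra is set to 2, which can remove an
# autoconfigured IPv6 address and default route.
# NOTE(review): tcp_congestion_control=bbr only applies when the running
# kernel provides BBR; otherwise `sysctl -p` reports an error for that key.
# The delimiter is quoted so the shell writes the text literally.
cat > /etc/sysctl.conf << 'EOF'
# Memory usage
# Optimize memory usage for high throughput on public networks
vm.swappiness = 10
vm.dirty_ratio = 20
vm.dirty_background_ratio = 5
vm.overcommit_memory = 1
# File descriptor limits
fs.file-max = 1048576
# TCP/UDP buffer settings for large traffic
net.core.netdev_max_backlog = 65536
net.core.somaxconn = 32768
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.optmem_max = 67108864
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.udp_rmem_min = 16384
net.ipv4.udp_wmem_min = 16384
# TCP connection management
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
# TCP advanced settings
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_congestion_control = bbr
# ICMP settings
# Ignore ICMP echo requests (ping); other ICMP types are still processed
net.ipv4.icmp_echo_ignore_all = 1
# net.ipv6.icmp.echo_ignore_all = 1
# IPv4 routing
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# IPv6 settings
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
# Path MTU Discovery
net.ipv4.ip_no_pmtu_disc = 0
net.ipv4.tcp_mtu_probing = 1
# Port Range
net.ipv4.ip_local_port_range = 1024 65535
# TCP auxiliary settings
# (somaxconn, tcp_fin_timeout and tcp_fastopen are set once above; the
# repeated entries with identical values were dropped)
net.ipv4.tcp_syncookies = 1
EOF

# Load the values from /etc/sysctl.conf into the running kernel.
sysctl -p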
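# Per-user resource limits: replaces /etc/security/limits.conf as a whole.
#
# Keep a timestamped copy first, because the redirect below discards whatever
# the file contained before.
if [ -f /etc/security/limits.conf ]; then
  cp -a /etc/security/limits.conf \
    "/etc/security/limits.conf.bak.$(date +%Y%m%d%H%M%S)"
fi

# nofile is 1048576 here, the same value this script uses for fs.file-max and
# `ulimit -n`. The previous 2097152 was above the kernel's default fs.nr_open
# (1048576); the kernel rejects a hard nofile limit above nr_open, and where
# nr_open has not been raised that failure can break session setup at login.
# NOTE(review): "core unlimited" for every user lets any crashing process,
# including one holding the proxy key in memory, write a full core dump;
# confirm this is wanted, or set core to 0 outside debugging.
# The delimiter is quoted so the shell writes the text literally.
cat > /etc/security/limits.conf << 'EOF'
# File descriptor limits
* soft nofile 1048576
* hard nofile 1048576
# Process limits
* soft nproc 65535
* hard nproc 65535
# Memory locking
* soft memlock unlimited
* hard memlock unlimited
# Core dump size
* soft core unlimited
* hard core unlimited
# Root-specific limits
root soft nofile 1048576
root hard nofile 1048576
root soft nproc 65535
root hard nproc 65535
root soft memlock unlimited
root hard memlock unlimited
root soft core unlimited
root hard core unlimited
EOF

# limits.conf only affects new login sessions; apply the same limits to the
# current shell as well.
ulimit -n 1048576
ulimit -u 65535
ulimit -l unlimited
ulimit -c unlimited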
更换 XanMod 内核(以 root 身份将以下内容直接复制粘贴到 Shell 执行,等待自动重启即可)
#!/bin/bash
# Adds the XanMod APT repository and downloads its GPG key into a keyring,
# reads the CPU's instruction-set flags to choose a kernel package, installs
# that package and reboots the machine.
#
# Abort on the first failing command (-e), on use of an unset variable (-u)
# and when any stage of a pipeline fails (pipefail).
# NOTE: when these lines are pasted into an interactive shell, as the page
# suggests, the options stay active for that session and any `exit` in the
# script closes it.
set -euo pipefail
# Report a fatal problem and stop.
# Arguments: $1 - message text
# Outputs:   "Error: <message>" on stderr
# Exits with status 1; never returns to the caller.
error() {
  printf 'Error: %s\n' "$1" >&2
  exit 1
}
# Stop unless running as root: the steps below install packages and write
# under /etc.
if (( $(id -u) != 0 )); then
  error "This script must be run as root."
fi

# Refresh the package index before installing anything.
echo "Updating package lists..."
if ! apt update; then
  error "Failed to update package lists."
fi

# curl downloads the repository key and gpg converts it; install whichever of
# the two is not already on PATH.
for tool in gpg curl; do
  command -v "$tool" >/dev/null 2>&1 && continue
  echo "Installing $tool..."
  apt install "$tool" -y || error "Failed to install $tool."
done
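# Directory that holds the repository keyring; create it if missing.
KEYRING_DIR="/etc/apt/keyrings"
mkdir -p "$KEYRING_DIR"

# Where the XanMod archive key is downloaded from and where the binary
# keyring is written.
XANMOD_KEY_URL="https://dl.xanmod.org/archive.key"
XANMOD_KEYRING="$KEYRING_DIR/xanmod-archive-keyring.gpg"

# NOTE(review): the key is trusted on first download. Every package from this
# repository, including the kernel, is later verified against it, so compare
# the fingerprint printed below with the one the project publishes through a
# separate channel (<EXPECTED_FINGERPRINT_PLACEHOLDER>).

# Method 1: convert the ASCII-armored key non-interactively, overwriting an
# existing keyring (--batch --yes).
echo "Adding XanMod GPG key using gpg options..."
if ! curl -fsSL "$XANMOD_KEY_URL" | gpg --batch --yes --dearmor -o "$XANMOD_KEYRING"; then
  echo "Failed to add GPG key using gpg options. Trying Method 2..."
  # Method 2: delete any existing or partial keyring, then download and
  # convert again.
  rm -f "$XANMOD_KEYRING"
  if ! curl -fsSL "$XANMOD_KEY_URL" | gpg --dearmor -o "$XANMOD_KEYRING"; then
    error "Failed to add GPG key from $XANMOD_KEY_URL using both methods."
  fi
fi

# APT checks signatures as an unprivileged user; under a restrictive umask the
# new file would be unreadable to it and the repository would fail to verify.
chmod 0644 "$XANMOD_KEYRING"

# Show what was installed so the fingerprint can be compared by the operator.
# Best effort: a display failure must not abort the installation.
gpg --show-keys --with-fingerprint "$XANMOD_KEYRING" \
  || echo "Warning: could not display the key fingerprint." >&2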
# APT source file for XanMod and the exact line it has to contain. The source
# is tied to the XanMod keyring through signed-by.
# NOTE(review): the repository URL is plain http, so package integrity rests
# on APT verifying the signed release metadata against that keyring.
REPO_LIST="/etc/apt/sources.list.d/xanmod-release.list"
REPO_ENTRY="deb [signed-by=$XANMOD_KEYRING] http://deb.xanmod.org releases main"

# Leave the file alone when it already holds exactly this line; otherwise
# (file missing or different content) replace it with the single entry.
if [[ -f "$REPO_LIST" ]] && grep -Fxq -- "$REPO_ENTRY" "$REPO_LIST"; then
  echo "XanMod repository already exists."
else
  echo "Adding XanMod repository..."
  printf '%s\n' "$REPO_ENTRY" > "$REPO_LIST"
fi

# Refresh the package index so the XanMod packages become visible.
echo "Updating package lists (including XanMod repository)..."
if ! apt update; then
  error "Failed to update package lists after adding repository."
fi
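# Collect the CPU flags relevant to kernel selection as a space-separated,
# de-duplicated list.
echo "Detecting CPU instruction set..."
# /proc/cpuinfo names the LAHF/SAHF flag "lahf_lm". With -w a bare "lahf"
# never matches it (the underscore is a word character), so the flag was
# always missing from the list. Match "lahf_lm" and rename it to the "lahf"
# name the level checks use.
# With pipefail a grep that finds nothing fails the pipeline; fall back to an
# empty list so the script reaches its own error message instead of stopping
# silently here.
cpu_flags=$(grep -o -w -E 'lm|cmov|cx8|fpu|fxsr|mmx|syscall|sse2|cx16|lahf_lm|popcnt|sse4_1|sse4_2|ssse3|avx|avx2|bmi1|bmi2|f16c|fma|abm|movbe|xsave|avx512f|avx512bw|avx512cd|avx512dq|avx512vl' /proc/cpuinfo \
  | sed 's/^lahf_lm$/lahf/' \
  | sort -u \
  | tr '\n' ' ') || cpu_flags=""
echo "Detected CPU flags: $cpu_flags"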
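# Check that every flag in a list is present in the detected CPU flags.
# Globals:   cpu_flags (read) - space-separated list of detected flags
# Arguments: $1 - space-separated list of required flags
# Returns:   0 if all required flags are present (or the list is empty),
#            1 as soon as one is missing
has_flags() {
  local required="$1"
  local flag # keep the loop variable out of the caller's scope
  # Word splitting of $required is intentional: it is a flag list.
  for flag in $required; do
    # Compare whole, space-delimited words. A regex or substring match would
    # accept "avx" when only "avx2" is present.
    [[ " $cpu_flags " == *" $flag "* ]] || return 1
  done
  return 0
}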
# Pick the CPU level: walk the table from the highest level down and take the
# first row whose flags are all present. Row format is "level:required flags".
level=0
while IFS=: read -r candidate required; do
  if has_flags "$required"; then
    level=$candidate
    break
  fi
done << 'EOF'
4:avx512f avx512bw avx512cd avx512dq avx512vl
3:avx avx2 bmi1 bmi2 f16c fma abm movbe xsave
2:cx16 lahf popcnt sse4_1 sse4_2 ssse3
1:lm cmov cx8 fpu fxsr mmx syscall sse2
EOF

# No row matched: there is no kernel package to choose.
if [ "$level" -eq 0 ]; then
  error "Unable to determine the appropriate XanMod kernel version based on CPU instruction set."
fi
echo "Detected CPU level: $level"
# Translate the CPU level into the matching LTS kernel package name. Levels
# 1-4 differ only in the trailing digit; anything else is rejected.
case "$level" in
  1 | 2 | 3 | 4)
    kernel_package="linux-xanmod-lts-x64v${level}"
    ;;
  *)
    error "Invalid CPU level: $level"
    ;;
esac
# Install the selected kernel package; stop with an error if APT cannot.
# NOTE(review): whether the repository publishes a package for every level is
# not visible here; a missing package surfaces as the error below.
echo "Installing $kernel_package..."
if ! apt install "$kernel_package" -y; then
  error "Failed to install $kernel_package."
fi

# Count down ten seconds so the operator can still cancel with Ctrl+C, then
# reboot into the new kernel.
echo "The system will reboot in 10 seconds. Press Ctrl+C to cancel."
remaining=10
while (( remaining >= 1 )); do
  echo "$remaining..."
  sleep 1
  remaining=$(( remaining - 1 ))
done
echo "Rebooting now!"
reboot