自建独享落地节点
系统建议:Linux Debian 10 及以上
运行环境:Docker
运行软件:Shadowsocks rust
安装步骤
# Install Docker from Debian's repository, then run ssserver (shadowsocks-rust)
# as a detached, auto-restarting container whose json-file log is capped at
# 3 files of 10 MiB each.
apt install docker.io -y
# --net=host puts the container in the host's network namespace, so the listener
# below is bound directly on the host. "[::]:8080" is a wildcard bind: port 8080
# is reachable on every interface unless a firewall restricts it.
# -m selects the AEAD cipher and -U enables UDP relay. -k "Password" is a
# placeholder — replace it with a long random pre-shared key before running; the
# value is visible to anyone who can read the container configuration or the
# host's process list.
docker pull ghcr.io/shadowsocks/ssserver-rust && \
docker run --entrypoint ssserver \
-d --name=shadowsocks \
--net=host \
--restart=always \
--log-driver json-file \
--log-opt max-size=10m \
--log-opt max-file=3 \
ghcr.io/shadowsocks/ssserver-rust \
-s "[::]:8080" -m "aes-128-gcm" -k "Password" -U
or (with custom DNS resolvers)
# Same container as above, but --dns hands ssserver its own resolver list
# (here two public resolvers, comma separated) for the remote host names it
# resolves, instead of whatever the host uses.
# Replace the -k "Password" placeholder with a strong pre-shared key; with
# --net=host and a wildcard bind, port 8080 is exposed on every interface.
docker pull ghcr.io/shadowsocks/ssserver-rust && \
docker run --entrypoint ssserver \
-d --name=shadowsocks \
--net=host \
--restart=always \
--log-driver json-file \
--log-opt max-size=10m \
--log-opt max-file=3 \
ghcr.io/shadowsocks/ssserver-rust \
-s "[::]:8080" -m "aes-128-gcm" -k "Password" -U --dns "1.1.1.1,1.0.0.1"
or (prefer IPv6)
# Same container as above; -6 makes ssserver prefer IPv6 addresses when a
# remote name resolves to both families.
# Replace the -k "Password" placeholder with a strong pre-shared key; with
# --net=host and a wildcard bind, port 8080 is exposed on every interface.
docker pull ghcr.io/shadowsocks/ssserver-rust && \
docker run --entrypoint ssserver \
-d --name=shadowsocks \
--net=host \
--restart=always \
--log-driver json-file \
--log-opt max-size=10m \
--log-opt max-file=3 \
ghcr.io/shadowsocks/ssserver-rust \
-s "[::]:8080" -m "aes-128-gcm" -k "Password" -U -6
添加流量转发规则
选择起源节点
填入目标服务器地址
填入目标端口
勾选[目标节点与本站个人端口加密/协议一致](如果没有采用 Telegram Bot 命令部署请跳过此步骤)
一分钟内自动生效,正常情况下在代理客户端选择起源节点即可
口碑较好的商家(排名不分先后)
商业:静态 IP (static IP)
流媒体:动态IP (dynamic IP or Random IPv6)
以上部分链接包含AFF
优化(将以下内容直接复制粘贴到 Shell 执行即可)
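#!/bin/bash
# Host tuning for a relay box: time sync, file-descriptor limits, kernel network
# parameters and per-user resource limits. Runs as root and REPLACES
# /etc/sysctl.conf and /etc/security/limits.conf (a dated backup of each is kept
# next to the original).
set -e
if [ "$(id -u)" -ne 0 ]; then
  echo "This script must be run as root." >&2
  exit 1
fi
# ===== Time Synchronization =====
# apt-get rather than apt: apt's command-line interface is not stable for scripts.
if ! command -v chronyd >/dev/null 2>&1; then
  apt-get update && apt-get install -y chrony
fi
if ! systemctl is-active --quiet chronyd; then
  systemctl enable --now chronyd
fi
timedatectl set-timezone Asia/Shanghai 2>/dev/null || true
# ===== File Descriptor Limit =====
# Immediate value; the same key is persisted in sysctl.conf below.
echo "1048576" > /proc/sys/fs/file-max
# The shell's soft limit cannot exceed its hard limit; a refusal here is
# reported, not fatal, because the persistent limits are written further down.
ulimit -n 1048576 || echo "warning: could not raise the open-file limit of this shell" >&2
# ===== Kernel Parameter Optimization =====
# The heredoc overwrites the whole file, so keep a copy first. chattr -i clears
# an immutable flag if one was set; it fails harmlessly on filesystems without
# attribute support.
if [ -f /etc/sysctl.conf ]; then
  chattr -i /etc/sysctl.conf 2>/dev/null || true
  cp -a /etc/sysctl.conf "/etc/sysctl.conf.bak.$(date +%Y%m%d%H%M%S)"
fi
# Security-relevant keys in the file below: ip_forward and ipv6 forwarding turn
# the host into a router for every interface it has; icmp_echo_ignore_all drops
# all echo requests (ping-based monitoring stops working); rp_filter=1 keeps
# strict reverse-path anti-spoofing; ICMP redirects are neither accepted nor sent.
cat > /etc/sysctl.conf << 'EOF'
# ====== Memory Management ======
vm.swappiness = 5
vm.dirty_ratio = 10
vm.dirty_background_ratio = 5
# ====== File Descriptor & Connection Limits ======
fs.file-max = 1048576
net.core.somaxconn = 32768
net.ipv4.tcp_max_syn_backlog = 65536
# ====== Network Buffer Tuning ======
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.optmem_max = 8388608
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 16384 67108864
net.ipv4.udp_rmem_min = 16384
net.ipv4.udp_wmem_min = 16384
net.core.netdev_max_backlog = 65536
# ====== TCP Low-Latency Optimizations ======
net.ipv4.tcp_congestion_control = bbr
net.core.default_qdisc = fq
net.ipv4.tcp_low_latency = 1
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_adv_win_scale = 1
# ====== TCP Connection Management ======
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_synack_retries = 2
# ====== Protocol Stack Features ======
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_rfc1337 = 1
# ====== Routing & Forwarding ======
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv6.conf.all.forwarding = 1
# ====== Security Hardening ======
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF
# Apply kernel parameters. A key the running kernel cannot set (for example bbr
# when the tcp_bbr module is not available) makes sysctl return non-zero; report
# that instead of aborting before limits.conf is written.
sysctl -p || echo "warning: some sysctl keys were not applied; see the messages above" >&2
# ===== Security Limits Configuration =====
# Set user/process resource limits (read by pam_limits at the next login).
# NOTE(review): "core unlimited" lets any crashing process write its full memory
# image to disk; for a proxy that image can contain the pre-shared key. Consider
# "core 0" unless a crash is actively being debugged.
if [ -f /etc/security/limits.conf ]; then
  cp -a /etc/security/limits.conf "/etc/security/limits.conf.bak.$(date +%Y%m%d%H%M%S)"
fi
cat > /etc/security/limits.conf << 'EOF'
# File descriptor limits
* soft nofile 1048576
* hard nofile 1048576
# Process limits
* soft nproc 65535
* hard nproc 65535
# Memory locking
* soft memlock unlimited
* hard memlock unlimited
# Core dump size
* soft core unlimited
* hard core unlimited
# Root-specific limits
root soft nofile 1048576
root hard nofile 1048576
root soft nproc 65535
root hard nproc 65535
root soft memlock unlimited
root hard memlock unlimited
root soft core unlimited
root hard core unlimited
EOF
# Apply the limits to this shell as well. Each may be refused when the current
# hard limit is lower; report rather than abort.
ulimit -n 1048576 || echo "warning: ulimit -n refused" >&2   # Open files
ulimit -u 65535 || echo "warning: ulimit -u refused" >&2     # User processes
ulimit -l unlimited || echo "warning: ulimit -l refused" >&2 # Locked memory
ulimit -c unlimited || echo "warning: ulimit -c refused" >&2 # Core dumps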
更换 XanMod 内核(将以下内容直接复制粘贴到 Shell 执行等待重启即可)
#!/bin/bash
# Adds the XanMod apt repository and its signing key, picks the kernel build
# matching the CPU's x86-64 feature level, installs it and reboots the system.
set -o errexit
set -o nounset
set -o pipefail
# Function to handle errors
error() {
  # Print a message on stderr and terminate the script with status 1.
  local message=$1
  printf 'Error: %s\n' "$message" >&2
  exit 1
}
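# Ensure the script is run as root
if [ "$(id -u)" -ne 0 ]; then
  error "This script must be run as root."
fi
# Non-interactive package operations: apt-get has a stable CLI for scripts
# (apt itself warns that its interface is not), and DEBIAN_FRONTEND suppresses
# prompts that would hang an unattended run.
export DEBIAN_FRONTEND=noninteractive
echo "Updating package lists..."
apt-get update || error "Failed to update package lists."
# Install the tools needed to fetch and convert the signing key
for cmd in gpg curl; do
  if ! command -v "$cmd" >/dev/null 2>&1; then
    echo "Installing $cmd..."
    apt-get install -y "$cmd" || error "Failed to install $cmd."
  fi
done
# Ensure the keyrings directory exists
KEYRING_DIR="/etc/apt/keyrings"
mkdir -p "$KEYRING_DIR"
# Define XanMod's GPG key URL and keyring file path
XANMOD_KEY_URL="https://dl.xanmod.org/archive.key"
XANMOD_KEYRING="$KEYRING_DIR/xanmod-archive-keyring.gpg"
# This keyring is the trust anchor for every package fetched from the plain-HTTP
# repository below: apt verifies signatures against it, so the key itself must
# arrive over TLS. curl -f fails on HTTP errors and pipefail propagates that, so
# an error page is never dearmored into the keyring.
echo "Adding XanMod GPG key using gpg options..."
if ! curl -fsSL "$XANMOD_KEY_URL" | gpg --batch --yes --dearmor -o "$XANMOD_KEYRING"; then
  echo "Failed to add GPG key using gpg options. Trying Method 2..."
  # Method 2: remove an existing keyring file before writing
  rm -f "$XANMOD_KEYRING"
  if ! curl -fsSL "$XANMOD_KEY_URL" | gpg --dearmor -o "$XANMOD_KEYRING"; then
    error "Failed to add GPG key from $XANMOD_KEY_URL using both methods."
  fi
fi
# An empty keyring would only surface later as an obscure apt signature error;
# apt reads keyrings as an unprivileged user, so the file must be world-readable.
[ -s "$XANMOD_KEYRING" ] || error "Keyring $XANMOD_KEYRING is empty."
chmod 0644 "$XANMOD_KEYRING"
# Define the repository list file and repository entry
REPO_LIST="/etc/apt/sources.list.d/xanmod-release.list"
REPO_ENTRY="deb [signed-by=$XANMOD_KEYRING] http://deb.xanmod.org releases main"
# Add the repository unless the exact line is already present
if [ ! -f "$REPO_LIST" ] || ! grep -Fxq "$REPO_ENTRY" "$REPO_LIST"; then
  echo "Adding XanMod repository..."
  printf '%s\n' "$REPO_ENTRY" > "$REPO_LIST"
else
  echo "XanMod repository already exists."
fi
# Update package lists to include the new repository
echo "Updating package lists (including XanMod repository)..."
apt-get update || error "Failed to update package lists after adding repository."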
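# Detect CPU instruction set.
# /proc/cpuinfo spells the LAHF/SAHF feature "lahf_lm", not "lahf"; with the
# short form the x86-64-v2 check could never succeed and v2 CPUs were installed
# with the v1 build. -w keeps "avx" from matching "avx2". When nothing matches
# (e.g. a non-x86 host) the list is left empty so the error below is reached
# instead of the script dying silently under pipefail.
echo "Detecting CPU instruction set..."
cpu_flags=$(grep -o -w -E 'lm|cmov|cx8|fpu|fxsr|mmx|syscall|sse2|cx16|lahf_lm|popcnt|sse4_1|sse4_2|ssse3|avx|avx2|bmi1|bmi2|f16c|fma|abm|movbe|xsave|avx512f|avx512bw|avx512cd|avx512dq|avx512vl' /proc/cpuinfo | sort -u | tr '\n' ' ') || cpu_flags=""
echo "Detected CPU flags: $cpu_flags"
# Returns 0 when every flag named in $1 (space separated) appears as a whole
# word in the global $cpu_flags, 1 otherwise. Whole-word matching matters: a
# regex substring test would accept "avx" on the strength of "avx2".
has_flags() {
  local flag
  for flag in $1; do
    case " $cpu_flags " in
      *" $flag "*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}
# Determine the CPU level (x86-64 micro-architecture levels v1..v4)
if has_flags "avx512f avx512bw avx512cd avx512dq avx512vl"; then
  level=4
elif has_flags "avx avx2 bmi1 bmi2 f16c fma abm movbe xsave"; then
  level=3
elif has_flags "cx16 lahf_lm popcnt sse4_1 sse4_2 ssse3"; then
  level=2
elif has_flags "lm cmov cx8 fpu fxsr mmx syscall sse2"; then
  level=1
else
  error "Unable to determine the appropriate XanMod kernel version based on CPU instruction set."
fi
echo "Detected CPU level: $level"
# Map the level to the matching LTS package; the default arm is unreachable
# today but guards against future edits of the level detection.
case "$level" in
  1) kernel_package="linux-xanmod-lts-x64v1" ;;
  2) kernel_package="linux-xanmod-lts-x64v2" ;;
  3) kernel_package="linux-xanmod-lts-x64v3" ;;
  4) kernel_package="linux-xanmod-lts-x64v4" ;;
  *) error "Invalid CPU level: $level" ;;
esac
# Install the appropriate XanMod kernel (apt-get: stable CLI for scripted use)
echo "Installing $kernel_package..."
apt-get install -y "$kernel_package" || error "Failed to install $kernel_package."
# Countdown so the operator can abort before the host goes down
echo "The system will reboot in 10 seconds. Press Ctrl+C to cancel."
for i in {10..1}; do
  echo "$i..."
  sleep 1
done
echo "Rebooting now!"
reboot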
更换 XanMod 内核后的优化(将以下内容直接复制粘贴到 Shell 执行即可)
#!/bin/bash
# bash <(curl -L -s https://cdn.skk.moe/sh/optimize.sh)
# Pick an echo that honours -e (some implementations print "-e" literally);
# the builtin is the fallback.
echo=echo
for candidate in echo /bin/echo; do
  if ! "$candidate" >/dev/null 2>&1; then
    continue
  fi
  if "$candidate" -e "" | grep -qE '^-e'; then
    continue
  fi
  echo=$candidate
  break
done
# ANSI SGR sequences used by the OUT_* helpers below.
CSI=$($echo -e "\033[")
sgr() { printf '%s%sm' "$CSI" "$1"; }
CEND=$(sgr 0)
CDGREEN=$(sgr 32)
CRED=$(sgr '1;31')
CGREEN=$(sgr '1;32')
CYELLOW=$(sgr '1;33')
CBLUE=$(sgr '1;34')
CMAGENTA=$(sgr '1;35')
CCYAN=$(sgr '1;36')
OUT_ALERT() {
  # Yellow notice on stdout; backslash escapes in $1 are interpreted.
  local message=$1
  printf '%b\n' "${CYELLOW}${message}${CEND}"
}
OUT_ERROR() {
  # Red error line on stdout (not stderr); backslash escapes in $1 are interpreted.
  local message=$1
  printf '%b\n' "${CRED}${message}${CEND}"
}
OUT_INFO() {
  # Cyan informational line on stdout; backslash escapes in $1 are interpreted.
  local message=$1
  printf '%b\n' "${CCYAN}${message}${CEND}"
}
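# Identify the distribution family. grep reads the files directly (no cat), and
# a missing /etc/issue no longer prints an error, it simply fails the test.
# The result is informational only: every later step uses apt and systemctl,
# so the script effectively targets Debian/Ubuntu. NOTE(review): a "centos"
# result still continues into apt-get calls — consider refusing it instead.
if [[ -f /etc/redhat-release ]]; then
  release="centos"
elif grep -qiE "debian|raspbian" /etc/issue 2>/dev/null; then
  release="debian"
elif grep -qiE "ubuntu" /etc/issue 2>/dev/null; then
  release="ubuntu"
elif grep -qiE "centos|red hat|redhat" /etc/issue 2>/dev/null; then
  release="centos"
elif grep -qiE "raspbian|debian" /proc/version 2>/dev/null; then
  release="debian"
elif grep -qiE "ubuntu" /proc/version 2>/dev/null; then
  release="ubuntu"
elif grep -qiE "centos|red hat|redhat" /proc/version 2>/dev/null; then
  release="centos"
else
  OUT_ERROR "[错误] 不支持的操作系统!"
  exit 1
fi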
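OUT_ALERT "[信息] 优化性能中!"
# Time sync: accurate clocks matter for certificate validation and for
# correlating this host's logs with others.
if ! command -v chronyd >/dev/null 2>&1; then
  OUT_INFO "配置系统时间同步"
  apt-get install -y chrony
fi
if ! systemctl is-active --quiet chronyd; then
  systemctl enable --now chronyd
fi
timedatectl set-timezone Asia/Shanghai 2>/dev/null || true
# Entropy daemons. apt-get (not apt) is used consistently for a stable scripted
# interface, and `enable --now` starts the unit immediately rather than only at
# the next boot. NOTE(review): recent kernels seed the pool themselves, so these
# daemons add little on modern systems — confirm they are still wanted.
if ! command -v haveged >/dev/null 2>&1; then
  OUT_INFO "安装 haveged 改善随机数生成器性能"
  apt-get install -y haveged
  systemctl enable --now haveged
fi
if ! command -v rngd >/dev/null 2>&1; then
  OUT_INFO "安装 rng-tools 改善随机数生成器性能"
  apt-get install -y rng-tools
  systemctl enable --now rng-tools
fi
# Kernel samepage merging: stop the tuning daemon, then write 2 to ksm/run
# (stop and unmerge already-shared pages) before removing the package. Disabling
# page deduplication also removes a memory side channel between co-hosted
# workloads.
if command -v ksmtuned >/dev/null 2>&1; then
  OUT_INFO "禁用 ksmtuned"
  systemctl stop ksmtuned
  systemctl disable --now ksmtuned
  echo 2 > /sys/kernel/mm/ksm/run
  apt-get autoremove -y ksmtuned || true
fi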
OUT_INFO "禁用 hugepage"
# Oneshot unit that switches transparent huge pages (and their defrag) off
# early in boot. The Before=mongod.service ordering appears to come from the
# MongoDB recipe this was copied from; it is harmless when mongod is absent.
thp_unit=/etc/systemd/system/disable-transparent-huge-pages.service
cat <<'EOF' > "$thp_unit"
[Unit]
Description=Disable Transparent Huge Pages (THP)
DefaultDependencies=no
After=sysinit.target local-fs.target
Before=mongod.service
[Service]
Type=oneshot
ExecStart=/bin/sh -c 'echo never | tee /sys/kernel/mm/transparent_hugepage/enabled > /dev/null'
ExecStart=/bin/sh -c 'echo never | tee /sys/kernel/mm/transparent_hugepage/defrag > /dev/null'
[Install]
WantedBy=basic.target
EOF
systemctl daemon-reload
systemctl start disable-transparent-huge-pages
systemctl enable disable-transparent-huge-pages
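OUT_INFO "优化参数中!"
# Replaces /etc/sysctl.conf completely. Points worth knowing before applying:
# - ip_forward / ipv6 forwarding make the host route packets between its
#   interfaces; accept_ra=2 keeps router advertisements honoured even so.
# - rp_filter=2 is loose reverse-path filtering (weaker anti-spoofing than 1).
# - tcp_syncookies=1 mitigates SYN floods; kernel.panic=1 reboots 1 s after a panic.
# - tcp_collapse_max_bytes and tcp_shrink_window appear to be XanMod/patched-kernel
#   keys; on a stock kernel sysctl -p reports them as unknown and moves on.
# The original file listed net.ipv4.tcp_no_metrics_save twice (1, then 0) and
# relied on a later sort to make 1 win; the duplicate is gone and the sort with it,
# since sorting also detached the comment lines from their keys.
cat > /etc/sysctl.conf << 'EOF'
kernel.panic = 1
kernel.task_delayacct = 1
# increase the maximum length of processor input queues
net.core.netdev_max_backlog = 16384
net.core.default_qdisc = fq
net.core.somaxconn = 32768
net.ipv4.ip_default_ttl = 128
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.ip_forward = 1
net.ipv4.ip_local_port_range = 10240 65535
net.ipv4.tcp_abort_on_overflow = 0
net.ipv4.tcp_adv_win_scale = -2
net.ipv4.tcp_autocorking = 1
net.ipv4.tcp_base_mss = 1024
net.ipv4.tcp_collapse_max_bytes = 6291456
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_ecn_fallback = 1
net.ipv4.tcp_fastopen = 1027
net.ipv4.tcp_fastopen_blackhole_timeout_sec = 10
net.ipv4.tcp_fin_timeout = 3
net.ipv4.tcp_frto = 1
net.ipv4.tcp_invalid_ratelimit = 200
net.ipv4.tcp_keepalive_intvl = 2
net.ipv4.tcp_keepalive_probes = 2
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_max_orphans = 8192
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 4096
net.ipv4.tcp_moderate_rcvbuf = 1
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_no_ssthresh_metrics_save = 1
# can't set to 0, it will then default to 8: https://serverfault.com/a/408882/1029887
net.ipv4.tcp_orphan_retries = 1
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_retries1 = 2
net.ipv4.tcp_retries2 = 2
net.ipv4.tcp_rfc1337 = 1
net.core.rmem_default = 262144
net.core.rmem_max = 536870912
net.ipv4.tcp_rmem = 8192 262144 536870912
net.core.wmem_default = 32768
net.core.wmem_max = 536870912
net.ipv4.tcp_wmem = 4096 32768 536870912
net.ipv4.tcp_sack = 1
net.ipv4.tcp_shrink_window = 1
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 2
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_notsent_lowat = 131072
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.accept_ra = 2
net.ipv6.conf.default.forwarding = 1
net.netfilter.nf_conntrack_generic_timeout = 10
net.netfilter.nf_conntrack_gre_timeout = 5
net.netfilter.nf_conntrack_gre_timeout_stream = 30
net.netfilter.nf_conntrack_icmp_timeout = 5
net.netfilter.nf_conntrack_icmpv6_timeout = 5
net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_tcp_timeout_close = 5
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 5
net.netfilter.nf_conntrack_tcp_timeout_established = 120
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 5
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 5
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 5
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 5
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 5
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 5
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 5
net.netfilter.nf_conntrack_udp_timeout = 5
net.netfilter.nf_conntrack_udp_timeout_stream = 60
vm.overcommit_memory = 1
vm.swappiness = 0
EOF
# Size tcp_mem / udp_mem (unit: pages) from physical memory: the low, pressure
# and high marks are 1/4, 1/2 and 3/4 of RAM.
page=$(getconf PAGESIZE)
mem_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
size=$((mem_kb * 1024))
min=$((size / page / 4 * 1))
avg=$((size / page / 4 * 2))
max=$((size / page / 4 * 3))
# Skipped on Proxmox hosts (presumably because PVE manages these two keys
# itself — unverified). grep -s stays quiet when /etc/issue is missing.
if ! grep -qs 'Welcome to the Proxmox Virtual Environment' /etc/issue; then
  [[ -f /proc/sys/net/ipv4/tcp_mem ]] && printf 'net.ipv4.tcp_mem = %s %s %s\n' "$min" "$avg" "$max" >> /etc/sysctl.conf
  [[ -f /proc/sys/net/ipv4/udp_mem ]] && printf 'net.ipv4.udp_mem = %s %s %s\n' "$min" "$avg" "$max" >> /etc/sysctl.conf
fi
# Make systemd-sysctl pick the file up at boot as well, then apply it now.
# Keys unknown to the running kernel are reported by sysctl and skipped.
ln -fs /etc/sysctl.conf /etc/sysctl.d/99-sysctl.conf
sysctl -p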
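OUT_INFO "启用 tls 和 nf_conntrack 内核模块"
# Whole-line match: the previous substring test was satisfied by lines such as
# "#tls" or "ktls" and then skipped the append. nf_conntrack is loaded at boot
# presumably so the net.netfilter.* keys in sysctl.conf exist when they are
# applied. The append creates /etc/modules if it does not exist yet.
grep -qxF tls /etc/modules 2>/dev/null || echo tls >> /etc/modules
grep -qxF nf_conntrack /etc/modules 2>/dev/null || echo nf_conntrack >> /etc/modules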
OUT_INFO "禁用 nofile nproc 限制"
# pam_limits file, replaced wholesale: every user, root included, gets unlimited
# open files and processes. NOTE(review): a process's nofile cannot exceed
# fs.nr_open, and whether pam_limits clamps "unlimited" or rejects it depends on
# its version — verify logins still work on the target system. Unlimited nproc
# also removes the usual fork-bomb guard.
printf '%s\n' \
  '* soft nofile unlimited' \
  '* hard nofile unlimited' \
  '* soft nproc unlimited' \
  '* hard nproc unlimited' \
  'root soft nofile unlimited' \
  'root hard nofile unlimited' \
  'root soft nproc unlimited' \
  'root hard nproc unlimited' \
  > /etc/security/limits.conf
# systemd manager defaults, also replaced wholesale: turn on per-unit resource
# accounting and lift the core/nproc/nofile limits for services.
printf '%s\n' \
  '[Manager]' \
  'DefaultCPUAccounting=yes' \
  'DefaultIOAccounting=yes' \
  'DefaultIPAccounting=yes' \
  'DefaultMemoryAccounting=yes' \
  'DefaultTasksAccounting=yes' \
  'DefaultLimitCORE=infinity' \
  'DefaultLimitNPROC=infinity' \
  'DefaultLimitNOFILE=infinity' \
  > /etc/systemd/system.conf
OUT_INFO "调整 journald"
# Journal caps: 512 MiB persistent / 256 MiB runtime, three files each, entries
# dropped after one day and files rotated after three. No copy is forwarded to a
# syslog daemon. NOTE(review): 24 h of retention leaves very little to work with
# when investigating an incident on this host — consider a longer window or
# shipping logs off-box.
cat <<'EOF' > /etc/systemd/journald.conf
[Journal]
Compress=yes
SystemMaxUse=512M
SystemMaxFileSize=128M
SystemMaxFiles=3
RuntimeMaxUse=256M
RuntimeMaxFileSize=64M
RuntimeMaxFiles=3
MaxRetentionSec=86400
MaxFileSec=259200
ForwardToSyslog=no
EOF
OUT_INFO "[信息] 优化完毕!"
exit 0