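Self-hosted dedicated landing node

Intended for users who need high IP quality; it requires some understanding and hands-on ability.

Based on L4 forwarding, so in theory any protocol is supported; the following is only an example.

  • Recommended system: Linux, Debian 10 or later

  • Runtime environment: Docker

  • Software: Shadowsocks rust

Installation steps

In the commands below, "Password" is a placeholder for your own password.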

apt install docker.io -y
docker pull ghcr.io/shadowsocks/ssserver-rust && \
docker run --entrypoint ssserver \
        -d --name=shadowsocks \
           --net=host \
           --restart=always \
           --log-driver json-file \
           --log-opt max-size=10m \
           --log-opt max-file=3 \
        ghcr.io/shadowsocks/ssserver-rust \
        -s "[::]:8080" -m "aes-128-gcm" -k "Password" -U

or (DNS)

docker pull ghcr.io/shadowsocks/ssserver-rust && \
docker run --entrypoint ssserver \
        -d --name=shadowsocks \
           --net=host \
           --restart=always \
           --log-driver json-file \
           --log-opt max-size=10m \
           --log-opt max-file=3 \
        ghcr.io/shadowsocks/ssserver-rust \
        -s "[::]:8080" -m "aes-128-gcm" -k "Password" -U --dns "1.1.1.1,1.0.0.1"

or (IPv6 first)

docker pull ghcr.io/shadowsocks/ssserver-rust && \
docker run --entrypoint ssserver \
        -d --name=shadowsocks \
           --net=host \
           --restart=always \
           --log-driver json-file \
           --log-opt max-size=10m \
           --log-opt max-file=3 \
        ghcr.io/shadowsocks/ssserver-rust \
        -s "[::]:8080" -m "aes-128-gcm" -k "Password" -U -6

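Send the command "/ssserver" or "/ssserver_v6" to the Telegram Bot to get a deployment command whose encryption/protocol matches your personal port on this site.

Add a traffic forwarding rule

  1. Select the origin node

  2. Enter the target server address

  3. Enter the target port

  4. Tick [Target node uses the same encryption/protocol as your personal port on this site] (skip this step if you did not deploy with the Telegram Bot command)

The rule takes effect automatically within one minute; normally you then only need to select the origin node in your proxy client.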

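Well-regarded providers (in no particular order)

Combined with traffic forwarding, you only need to buy a VPS/VDS on an international bandwidth network (Routing Profile: Standard).

Commercial use: static IP

Hong Kong
Taiwan
Japan
United States
Singapore
Global

Streaming media: dynamic IP or random IPv6

Hong Kong
Taiwan
Japan
United States
Singapore
South Korea
United Kingdom

Some of the links above contain affiliate (AFF) codes.

Optimization (copy and paste the following directly into a shell to run it)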

#!/bin/bash

# Time Synchronization
# Ensure system time is accurate for logs and synchronization
for pkg in ntpdate htpdate; do
    if ! which $pkg >/dev/null 2>&1; then
        apt install $pkg -y
    fi
done

# Set timezone and sync system time
timedatectl set-timezone Asia/Shanghai
timeout 5 ntpdate time1.google.com || timeout 5 htpdate -s www.baidu.com
hwclock -w

# Entropy Pool Management
# Ensure sufficient entropy for cryptographic operations
entropy=$(< /proc/sys/kernel/random/entropy_avail)
if [ $entropy -lt "1000" ] && ! systemctl is-active --quiet haveged; then
    apt install haveged -y
    systemctl enable haveged
    systemctl restart haveged
fi

# File Descriptor Limit
# Increase the maximum number of file handles
echo "1048576" > /proc/sys/fs/file-max
ulimit -n 1048576

# Kernel parameter optimization
chattr -i /etc/sysctl.conf
cat > /etc/sysctl.conf << EOF
# Memory usage
# Optimize memory usage for high throughput on public networks
vm.swappiness = 10
vm.dirty_ratio = 20
vm.dirty_background_ratio = 5
vm.overcommit_memory = 1

# File descriptor limits
fs.file-max = 1048576

# TCP/UDP buffer settings for large traffic
net.core.netdev_max_backlog = 65536
net.core.somaxconn = 32768
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.optmem_max = 67108864
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.udp_rmem_min = 16384
net.ipv4.udp_wmem_min = 16384

# TCP connection management
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_keepalive_time = 120
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2

# TCP advanced settings
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_congestion_control = bbr

# ICMP settings
# Ignore ICMP echo requests (ping) to reduce exposure and overhead
net.ipv4.icmp_echo_ignore_all = 1
# net.ipv6.icmp.echo_ignore_all = 1

# IPv4 routing
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0

# IPv6 settings
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1

# Path MTU Discovery
net.ipv4.ip_no_pmtu_disc = 0
net.ipv4.tcp_mtu_probing = 1

# Port Range
net.ipv4.ip_local_port_range = 1024 65535

# TCP auxiliary settings
net.ipv4.tcp_syncookies = 1
EOF

# Apply kernel parameters
sysctl -p

# Security limits configuration
cat > /etc/security/limits.conf << EOF
# File descriptor limits
* soft nofile 2097152
* hard nofile 2097152

# Process limits
* soft nproc 65535
* hard nproc 65535

# Memory locking
* soft memlock unlimited
* hard memlock unlimited

# Core dump size
* soft core unlimited
* hard core unlimited

# Root-specific limits
root soft nofile 2097152
root hard nofile 2097152
root soft nproc 65535
root hard nproc 65535
root soft memlock unlimited
root hard memlock unlimited
root soft core unlimited
root hard core unlimited
EOF

# Apply security limits
ulimit -n 1048576
ulimit -u 65535
ulimit -l unlimited
ulimit -c unlimited
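
`sysctl -p` can fail on individual keys (for example `net.ipv4.tcp_congestion_control = bbr` on a kernel without BBR support), so it is worth comparing the file against the live values afterwards. The check below is an added example, not part of the original page; the function name `verify_sysctl`, its optional root-directory argument and the sample tree are assumptions made for the illustration.

```shell
#!/bin/bash
# Added example, not from the original page.
# verify_sysctl CONF [ROOT]: compare each "key = value" line in CONF with the
# live value under ROOT (default /proc/sys; the argument is an assumption of
# this example so the check can run against a constructed tree). Prints one
# line per problem; returns 1 if any key is missing or differs, else 0.
verify_sysctl() {
    local conf="$1" root="${2:-/proc/sys}" rc=0 line key want have path
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                     # strip comments
        case $line in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        # /proc separates multi-value settings with tabs: normalise both sides
        want=$(printf '%s\n' "${line#*=}" | awk '{$1=$1};1')
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ ! -r "$path" ]; then
            echo "MISSING $key"; rc=1; continue
        fi
        have=$(awk '{$1=$1};1' "$path")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key want=[$want] live=[$have]"; rc=1
        fi
    done < "$conf"
    return "$rc"
}

# Constructed sample: a fake /proc/sys tree in which BBR did not load (the
# kernel is still on cubic) and tcp_fastopen is absent.
demo() {
    local d rc
    d=$(mktemp -d)
    mkdir -p "$d/sys/net/ipv4" "$d/sys/net/core"
    printf '4096\t87380\t67108864\n' > "$d/sys/net/ipv4/tcp_rmem"
    echo cubic > "$d/sys/net/ipv4/tcp_congestion_control"
    echo 32768 > "$d/sys/net/core/somaxconn"
    cat > "$d/sysctl.conf" << 'EOF'
# constructed excerpt using keys from the config above
net.core.somaxconn = 32768
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_fastopen = 3
EOF
    verify_sysctl "$d/sysctl.conf" "$d/sys"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "some settings are not live"
```

On the server, run `verify_sysctl /etc/sysctl.conf` after `sysctl -p`; no output and exit status 0 mean every key in the file is live.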
