自建独享落地节点
适用于对 IP 质量要求较高的用户,需要一定的理解与动手能力
基于 L4 转发,理论上支持任何协议,以下仅为示例
系统建议:Linux Debian 10 及以上
运行环境:Docker
运行软件:Shadowsocks rust
安装步骤
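# Install Docker from the distribution repositories.
apt install docker.io -y

# Start the Shadowsocks server on port 8080 of the wildcard address
# (-U: TCP and UDP relay).
#
# The password is read from SS_PASSWORD so that the literal placeholder
# "Password" is never deployed by copy-paste. Set it before running, e.g.
#   SS_PASSWORD='<long-random-secret>'   # placeholder, choose your own
# It must match the password configured on the forwarding rule / client.
# The ${...:?} expansion aborts `docker run` when the variable is unset or
# empty.
#
# NOTE(review): --net=host with "[::]:8080" exposes the port on every
# interface; where possible restrict it in the host firewall to the origin
# node's address.
# NOTE(review): the image is pulled without a tag or digest, so each pull may
# fetch a different build; pin a version you have verified.
# NOTE(review): the password is passed as an argument and is therefore
# readable through `docker inspect` and the process list on this host.
docker pull ghcr.io/shadowsocks/ssserver-rust && \
docker run --entrypoint ssserver \
  -d --name=shadowsocks \
  --net=host \
  --restart=always \
  --log-driver json-file \
  --log-opt max-size=10m \
  --log-opt max-file=3 \
  ghcr.io/shadowsocks/ssserver-rust \
  -s "[::]:8080" -m "aes-128-gcm" -k "${SS_PASSWORD:?set SS_PASSWORD to a strong secret first}" -U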
or (DNS)
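# Variant with explicit upstream DNS resolvers (--dns).
#
# The password is read from SS_PASSWORD instead of the literal placeholder
# "Password"; set it first (SS_PASSWORD='<long-random-secret>', placeholder)
# to the value configured on the forwarding rule / client. The ${...:?}
# expansion aborts `docker run` when the variable is unset or empty.
#
# NOTE(review): --net=host with "[::]:8080" exposes the port on every
# interface; restrict it in the host firewall to the origin node's address
# where possible. The image is pulled without a tag or digest; pin a version
# you have verified.
docker pull ghcr.io/shadowsocks/ssserver-rust && \
docker run --entrypoint ssserver \
  -d --name=shadowsocks \
  --net=host \
  --restart=always \
  --log-driver json-file \
  --log-opt max-size=10m \
  --log-opt max-file=3 \
  ghcr.io/shadowsocks/ssserver-rust \
  -s "[::]:8080" -m "aes-128-gcm" -k "${SS_PASSWORD:?set SS_PASSWORD to a strong secret first}" -U --dns "1.1.1.1,1.0.0.1"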
or (IPv6 first)
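# Variant that prefers IPv6 when resolving destinations (-6).
#
# The password is read from SS_PASSWORD instead of the literal placeholder
# "Password"; set it first (SS_PASSWORD='<long-random-secret>', placeholder)
# to the value configured on the forwarding rule / client. The ${...:?}
# expansion aborts `docker run` when the variable is unset or empty.
#
# NOTE(review): --net=host with "[::]:8080" exposes the port on every
# interface; restrict it in the host firewall to the origin node's address
# where possible. The image is pulled without a tag or digest; pin a version
# you have verified.
docker pull ghcr.io/shadowsocks/ssserver-rust && \
docker run --entrypoint ssserver \
  -d --name=shadowsocks \
  --net=host \
  --restart=always \
  --log-driver json-file \
  --log-opt max-size=10m \
  --log-opt max-file=3 \
  ghcr.io/shadowsocks/ssserver-rust \
  -s "[::]:8080" -m "aes-128-gcm" -k "${SS_PASSWORD:?set SS_PASSWORD to a strong secret first}" -U -6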
添加流量转发规则
选择起源节点
填入目标服务器地址
填入目标端口
勾选[目标节点与本站个人端口加密/协议一致](如果没有采用 Telegram Bot 命令部署请跳过此步骤)
一分钟内自动生效,正常情况下在代理客户端选择起源节点即可
口碑较好的商家(排名不分先后)
配合流量转发,仅需购买国际宽带网络(Routing Profile: Standard)VPS/VDS
商业:静态 IP (static IP)
香港
台湾
日本
美国
新加坡
全球
流媒体:动态IP (dynamic IP or Random IPv6)
香港
台湾
日本
美国
新加坡
韩国
英国
以上部分链接包含AFF
优化(将以下内容直接复制粘贴到 Shell 执行即可)
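#!/bin/bash
# Host tuning for a proxy / forwarding node: time synchronisation,
# file-descriptor limits, kernel network parameters and PAM resource limits.
# Needs root: it writes to /proc, /etc/sysctl.conf and
# /etc/security/limits.conf.
#
# NOTE: with `set -e`, pasting this into an interactive shell makes the first
# failing command close that shell (and an SSH session with it). Saving it to
# a file and running it with bash keeps a failure contained.
set -e

# ===== Time Synchronization =====
if ! command -v chronyd >/dev/null 2>&1; then
  apt-get update && apt-get install -y chrony
fi
if ! systemctl is-active --quiet chronyd; then
  systemctl enable --now chronyd
fi
# Best effort: hosts without timedatectl keep their current timezone.
timedatectl set-timezone Asia/Shanghai 2>/dev/null || true

# ===== File Descriptor Limit =====
echo "1048576" > /proc/sys/fs/file-max
ulimit -n 1048576

# ===== Kernel Parameter Optimization =====
# Both configuration files below are replaced wholesale, so a timestamped copy
# of each existing file is kept first to allow recovery of local settings.
backup_suffix="bak.$(date +%Y%m%d%H%M%S)"

if [ -e /etc/sysctl.conf ]; then
  # Clear the immutable attribute if it is set. chattr fails on filesystems
  # without attribute support; that is not fatal here, because a file that is
  # really immutable still makes the write below fail and stops the script.
  chattr -i /etc/sysctl.conf 2>/dev/null || true
  cp -a /etc/sysctl.conf "/etc/sysctl.conf.${backup_suffix}"
fi

# NOTE(review): ip_forward / ipv6 forwarding turn the host into a router. A
# userspace proxy does not need them; review whether they are required.
# Enabling net.ipv6.conf.all.forwarding also stops the kernel from accepting
# router advertisements by default, which can remove IPv6 connectivity on
# hosts configured through SLAAC.
# NOTE(review): icmp_echo_ignore_all only hides the host from ping; it also
# breaks ICMP-based monitoring and is not an access control.
# The redirect settings are applied to both "all" and "default" (IPv4 and
# IPv6) so that interfaces created later inherit them as well.
cat > /etc/sysctl.conf << 'EOF'
# ====== Memory Management ======
vm.swappiness = 5
vm.dirty_ratio = 10
vm.dirty_background_ratio = 5
# ====== File Descriptor & Connection Limits ======
fs.file-max = 1048576
net.core.somaxconn = 32768
net.ipv4.tcp_max_syn_backlog = 65536
# ====== Network Buffer Tuning ======
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.optmem_max = 8388608
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 16384 67108864
net.ipv4.udp_rmem_min = 16384
net.ipv4.udp_wmem_min = 16384
net.core.netdev_max_backlog = 65536
# ====== TCP Low-Latency Optimizations ======
net.ipv4.tcp_congestion_control = bbr
net.core.default_qdisc = fq
net.ipv4.tcp_low_latency = 1
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_adv_win_scale = 1
# ====== TCP Connection Management ======
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_synack_retries = 2
# ====== Protocol Stack Features ======
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_rfc1337 = 1
# ====== Routing & Forwarding ======
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv6.conf.all.forwarding = 1
# ====== Security Hardening ======
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
EOF

# Apply kernel parameters (sysctl -p reads /etc/sysctl.conf).
sysctl -p

# ===== Security Limits Configuration =====
# Set user/process resource limits
if [ -e /etc/security/limits.conf ]; then
  cp -a /etc/security/limits.conf "/etc/security/limits.conf.${backup_suffix}"
fi

# NOTE(review): "core unlimited" lets every process write full core dumps;
# a dump of the proxy process can contain its password and session keys.
# "memlock unlimited" for "*" lets any local user pin unbounded memory.
# Neither is needed for connection throughput; confirm they are wanted.
cat > /etc/security/limits.conf << 'EOF'
# File descriptor limits
* soft nofile 1048576
* hard nofile 1048576
# Process limits
* soft nproc 65535
* hard nproc 65535
# Memory locking
* soft memlock unlimited
* hard memlock unlimited
# Core dump size
* soft core unlimited
* hard core unlimited
# Root-specific limits
root soft nofile 1048576
root hard nofile 1048576
root soft nproc 65535
root hard nproc 65535
root soft memlock unlimited
root hard memlock unlimited
root soft core unlimited
root hard core unlimited
EOF

# Apply the same limits to the current shell; limits.conf itself only takes
# effect for sessions opened afterwards.
ulimit -n 1048576 # Open files
ulimit -u 65535 # User processes
ulimit -l unlimited # Locked memory
ulimit -c unlimited # Core dumps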
更换 XanMod 内核(将以下内容直接复制粘贴到 Shell 执行,等待系统自动重启即可)
#!/bin/bash
# Registers the XanMod kernel APT repository together with its signing key,
# works out which instruction-set level the CPU supports, installs the
# matching XanMod kernel package and finally reboots the machine.
set -euo pipefail

#######################################
# Report a fatal problem and stop the script.
# Arguments: $1 - message to print after the "Error: " prefix
# Outputs:   the message on stderr
# Returns:   never returns; exits with status 1
#######################################
error() {
  printf 'Error: %s\n' "$1" >&2
  exit 1
}
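# Ensure the script is run as root: it writes below /etc/apt and installs
# packages.
if [ "$(id -u)" -ne 0 ]; then
  error "This script must be run as root."
fi

# Update package lists
echo "Updating package lists..."
apt update || error "Failed to update package lists."

# Install necessary tools (gpg and curl) when they are missing
for cmd in gpg curl; do
  if ! command -v "$cmd" >/dev/null 2>&1; then
    echo "Installing $cmd..."
    apt install "$cmd" -y || error "Failed to install $cmd."
  fi
done

# Ensure the keyrings directory exists
KEYRING_DIR="/etc/apt/keyrings"
mkdir -p "$KEYRING_DIR"

# Define XanMod's GPG key URL and keyring file path
XANMOD_KEY_URL="https://dl.xanmod.org/archive.key"
XANMOD_KEYRING="$KEYRING_DIR/xanmod-archive-keyring.gpg"

# Method 1: Use gpg options to suppress prompts
echo "Adding XanMod GPG key using gpg options..."
if ! curl -fsSL "$XANMOD_KEY_URL" | gpg --batch --yes --dearmor -o "$XANMOD_KEYRING"; then
  echo "Failed to add GPG key using gpg options. Trying Method 2..."
  # Method 2: Remove existing keyring file before writing
  rm -f "$XANMOD_KEYRING"
  if ! curl -fsSL "$XANMOD_KEY_URL" | gpg --dearmor -o "$XANMOD_KEYRING"; then
    error "Failed to add GPG key from $XANMOD_KEY_URL using both methods."
  fi
fi

# apt's unprivileged fetcher has to read the keyring, whatever root's umask is.
chmod 0644 "$XANMOD_KEYRING"

# The downloaded key is the trust anchor for every package installed from
# this repository, and it is accepted on first use. Print its fingerprint so
# it can be compared with one obtained from a trusted source. If
# XANMOD_KEY_FPR is set (full fingerprint, uppercase hex, no spaces), a
# mismatch removes the keyring and aborts before anything is installed.
key_fpr=$(gpg --show-keys --with-colons "$XANMOD_KEYRING" \
  | awk -F: '$1 == "fpr" && !seen++ { print $10 }') \
  || error "Failed to read the fingerprint of $XANMOD_KEYRING."
echo "XanMod archive key fingerprint: ${key_fpr:-unknown}"
if [ -n "${XANMOD_KEY_FPR:-}" ] && [ "$key_fpr" != "$XANMOD_KEY_FPR" ]; then
  rm -f "$XANMOD_KEYRING"
  error "XanMod key fingerprint does not match XANMOD_KEY_FPR."
fi

# Define the repository list file and repository entry.
# Packages are fetched over plain HTTP; apt checks the repository signature
# against the keyring named in signed-by, so integrity rests on that key.
REPO_LIST="/etc/apt/sources.list.d/xanmod-release.list"
REPO_ENTRY="deb [signed-by=$XANMOD_KEYRING] http://deb.xanmod.org releases main"

# Check if the repository is already added
if [ ! -f "$REPO_LIST" ] || ! grep -Fxq "$REPO_ENTRY" "$REPO_LIST"; then
  echo "Adding XanMod repository..."
  printf '%s\n' "$REPO_ENTRY" > "$REPO_LIST"
else
  echo "XanMod repository already exists."
fi

# Update package lists to include the new repository
echo "Updating package lists (including XanMod repository)..."
apt update || error "Failed to update package lists after adding repository."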
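# Detect CPU instruction set
echo "Detecting CPU instruction set..."
# grep -w only matches whole flag names. /proc/cpuinfo reports the LAHF/SAHF
# capability as "lahf_lm", so that full name is listed here; a bare "lahf"
# never matches as a word and would make level 2 undetectable.
cpu_flags=$(grep -o -w -E 'lm|cmov|cx8|fpu|fxsr|mmx|syscall|sse2|cx16|lahf_lm|popcnt|sse4_1|sse4_2|ssse3|avx|avx2|bmi1|bmi2|f16c|fma|abm|movbe|xsave|avx512f|avx512bw|avx512cd|avx512dq|avx512vl' /proc/cpuinfo | sort -u | tr '\n' ' ')
echo "Detected CPU flags: $cpu_flags"

#######################################
# Check that every required CPU flag was detected.
# Globals:   cpu_flags (read) - space-separated list of detected flags
# Arguments: $1 - space-separated list of required flag names
# Returns:   0 if all required flags are present, 1 otherwise
#######################################
has_flags() {
  local flag
  # $1 is split on whitespace on purpose: it is a list of flag names.
  for flag in $1; do
    # Compare whole words. A substring or regex test would accept "avx"
    # when only "avx2" or "avx512f" is present.
    [[ " $cpu_flags " == *" $flag "* ]] || return 1
  done
  return 0
}

# Determine the CPU level based on flags, highest level first
if has_flags "avx512f avx512bw avx512cd avx512dq avx512vl"; then
  level=4
elif has_flags "avx avx2 bmi1 bmi2 f16c fma abm movbe xsave"; then
  level=3
elif has_flags "cx16 lahf_lm popcnt sse4_1 sse4_2 ssse3"; then
  level=2
elif has_flags "lm cmov cx8 fpu fxsr mmx syscall sse2"; then
  level=1
else
  error "Unable to determine the appropriate XanMod kernel version based on CPU instruction set."
fi
echo "Detected CPU level: $level"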
# Map the detected CPU level to the XanMod LTS package built for it.
# NOTE(review): confirm that each linux-xanmod-lts-x64vN variant, x64v4 in
# particular, is still published by the repository before relying on it;
# `apt-cache policy <package>` shows whether an install candidate exists.
case "$level" in
  1 | 2 | 3 | 4)
    kernel_package="linux-xanmod-lts-x64v${level}"
    ;;
  *)
    error "Invalid CPU level: $level"
    ;;
esac

# Install the selected kernel; stop here if apt reports a failure.
echo "Installing $kernel_package..."
if ! apt install "$kernel_package" -y; then
  error "Failed to install $kernel_package."
fi

# Announce the reboot and count down so the operator can still abort it.
# The reboot is unconditional once the countdown ends.
echo "The system will reboot in 10 seconds. Press Ctrl+C to cancel."
for ((i = 10; i >= 1; i--)); do
  echo "$i..."
  sleep 1
done
echo "Rebooting now!"
reboot