Modified the compose section of the wiki #70

Open
rayer4u opened this issue Feb 15, 2023 · 3 comments

rayer4u commented Feb 15, 2023

A few places I personally think could be improved:

  1. Don't use the host network; expose as few ports as possible.
  2. Added the client-side shadowsocks part and unified the related configuration (the shadowsocks-libev image did not consider the client side at all; without using an extra config file, I feel this is the most uniform way), so a socks5h proxy is available too.
  3. Made the minimal set of changes explicit: only a few places need replacing before it can be used directly. The only things likely to change later are the mapped port and TLS.
  4. Used compose 3, which is more mature and convenient.
## Example Compose Files
Here is a sample server (shadowsocks with shadow-tls); the user only needs to replace `EXAMPLE_PASSWORD_SS` and `EXAMPLE_PASSWORD_ST` and run it on the remote VPS:

```yaml
version: '3.5'
services:
  shadowsocks:
    image: shadowsocks/shadowsocks-libev
    restart: always
    command: /bin/sh -c 'exec ss-server -s 0.0.0.0 -p 24000 -k EXAMPLE_PASSWORD_SS -m chacha20-ietf-poly1305 -t 300'
  shadow-tls:
    image: ghcr.io/ihciah/shadow-tls:latest
    restart: always
    ports:
      - "8443:8443"
    environment:
      - MODE=server
      # - V3=1
      - LISTEN=0.0.0.0:8443
      - SERVER=shadowsocks:24000
      - TLS=cloud.tencent.com:443
      - PASSWORD=EXAMPLE_PASSWORD_ST
    depends_on:
      - shadowsocks
```

And the client side (you can deploy it in your private network or on a VPS inside the country); replace `EXAMPLE_PASSWORD_SS`, `EXAMPLE_PASSWORD_ST` and `YOUR_VPS_IP` with yours, as above:

```yaml
version: '3.5'
services:
  shadow-tls:
    image: ghcr.io/ihciah/shadow-tls:latest
    restart: always
    ports:
      - "3443:3443"
    environment:
      - MODE=client
      # - V3=1
      - LISTEN=0.0.0.0:3443
      - SERVER=YOUR_VPS_IP:8443
      - TLS=cloud.tencent.com
      - PASSWORD=EXAMPLE_PASSWORD_ST
  shadowsocks:
    image: shadowsocks/shadowsocks-libev
    restart: always
    command: /bin/sh -c 'exec ss-local -b 0.0.0.0 -l 1080 -s shadow-tls -p 3443 -k EXAMPLE_PASSWORD_SS -m chacha20-ietf-poly1305 -t 300'
    ports:
      - "1080:1080"
    depends_on:
      - shadow-tls
```

Then connecting to cn_vps:3443 with the shadowsocks protocol from your mobile phones or PCs will work, or connect to cn_vps:1080 as a socks5h proxy in your browser's proxy settings.
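To check point 1 above (no host network, as few published ports as possible) against a compose file, here is an added audit script; it is not from this issue or from the shadow-tls project. It assumes the compose file has already been loaded into a dict (for example with `yaml.safe_load`), and the embedded sample is the client compose above, transcribed by hand with the commands omitted.

```python
from typing import Dict, List, Optional, Tuple

ANY_ADDR = {"0.0.0.0", "::"}  # wildcard host addresses


def parse_port_spec(spec) -> Tuple[Optional[str], str, str]:
    """(host_ip, host_port, container_port) for one Compose `ports` entry.
    Short syntax "80", "8080:80", "127.0.0.1:8080:80", "[::1]:8080:80" with an
    optional "/tcp" or "/udp"; long syntax is a mapping with target/published/host_ip.
    host_ip is None when the entry does not name one."""
    if isinstance(spec, dict):  # long syntax
        return spec.get("host_ip"), str(spec.get("published", "")), str(spec["target"])
    text = str(spec).split("/", 1)[0]  # drop the protocol suffix
    host_ip: Optional[str] = None
    if text.startswith("["):  # bracketed IPv6 host address
        host_ip, text = text[1:].split("]:", 1)
    parts = text.split(":")
    if len(parts) == 3:
        host_ip, host_port, container_port = parts
    elif len(parts) == 2:
        host_port, container_port = parts
    elif len(parts) == 1:
        host_port, container_port = "", parts[0]  # random host port
    else:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    return host_ip, host_port, container_port


def audit(compose: Dict) -> List[str]:
    """Findings for host networking and for ports published without a host IP (all interfaces)."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        if svc.get("network_mode") == "host":
            findings.append(f"{name}: network_mode host exposes every listener in the container")
        for spec in svc.get("ports", []):
            host_ip, host_port, container_port = parse_port_spec(spec)
            if host_ip is None or host_ip in ANY_ADDR:
                findings.append(f"{name}: {host_port or '<random>'}->{container_port} is published "
                                "on all interfaces; prefix a host IP to restrict the listener")
    return findings


CLIENT_COMPOSE = {  # hand-transcribed from the client compose posted above
    "version": "3.5",
    "services": {
        "shadow-tls": {"image": "ghcr.io/ihciah/shadow-tls:latest", "ports": ["3443:3443"]},
        "shadowsocks": {"image": "shadowsocks/shadowsocks-libev", "ports": ["1080:1080"]},
    },
}
```

Run `audit(CLIENT_COMPOSE)` and both services are reported, since `"3443:3443"` and `"1080:1080"` carry no host IP; `"127.0.0.1:1080:1080"` would keep the SOCKS port off the public interface.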

ihciah (Owner) commented Feb 15, 2023

I worry that using Docker's built-in port forwarding adds extra overhead, which is unfriendly to low-spec machines.
Also, neither shadowsocks nor shadow-tls listens on any extra ports, so overall I think it is still fairly controllable.

@IceCodeNew

> I worry that using Docker's built-in port forwarding adds extra overhead, which is unfriendly to low-spec machines. Also, neither shadowsocks nor shadow-tls listens on any extra ports, so overall I think it is still fairly controllable.

https://medium.com/nttlabs/dont-use-host-network-namespace-f548aeeef575
If the concern is performance, you should consider disabling the userland proxy (docker-proxy) instead.
The community itself has debated for a long time whether to turn this option off by default; it has been dragged out until now because of some compatibility issues. For the case of purely using Docker to simplify deploying a circumvention service, I don't think those compatibility issues are anything to worry about. Below is an example of modifying the Docker configuration; I recommend that anyone reading this figure out the meaning of each option themselves and adjust the Docker configuration on their own server.

```bash
# Back up the current daemon.json, then merge the new keys into it with jq.
_backup_dir="/mnt/backup_docker_config/"
sudo mkdir -p "${_backup_dir}"

_daemon_json_backup="${_backup_dir}/daemon.json.$(TZ='Asia/Shanghai' date --iso-8601=seconds).backup"
# The backup directory was created by root, so the copy needs sudo too.
sudo cp -f /etc/docker/daemon.json "$_daemon_json_backup"

# No daemon.json yet (or an empty one): start from an empty object so jq gets valid input.
if ! [ -f "$_daemon_json_backup" ] || [ -z "$(cat "$_daemon_json_backup")" ]; then
    echo '{}' | sudo tee "$_daemon_json_backup" > /dev/null
fi

echo
# Disable IPv6, use the 'local' log driver and turn off the userland proxy (docker-proxy).
jq '. += {"ipv6":false,"log-driver":"local","userland-proxy":false}' "$_daemon_json_backup" \
    | sudo tee /etc/docker/daemon.json
echo
```

Back to the beginning: I still recommend not using `network: host` in docker-compose. The concern @ihciah raised can be worked around.
