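The following steps can be run on Ubuntu/Raspbian.
You need an account on a foreign node that is reachable over SSH.
Create a key pair for the local account (if ~/.ssh/id_rsa does not exist yet):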
ssh-keygen -t rsa -b 4096 -q -P ""
Install that user's public key under the foreign node account:
ssh-copy-id ..
Configure ~/.ssh/config locally:
Host ${foreign_node_name}
HostName 12.123.12.1
User ${foreign_node_user}
IdentityFile ~/.ssh/id_rsa
Test that the configuration works (password-less login):
ssh ${foreign_node_name}
Install autossh on the local server:
sudo apt-get install autossh -y
Create the proxy.service file:
sudo nano /etc/systemd/system/proxy.service
[Unit]
Description=Socks5 proxy service
After=network-online.target
[Service]
User=${local_user}
Group=adm
Environment="AUTOSSH_GATETIME=0"
ExecStart=/usr/bin/autossh -M 0 -o "ServerAliveInterval 10" -o "ServerAliveCountMax 3" -D 1337 -C -N ${foreign_node_name}
Restart=always
RestartSec=60
[Install]
WantedBy=multi-user.target
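-D: dynamic forwarding on local port 1337 (ssh acts as a SOCKS server on that port; destinations are determined dynamically on the ssh client side)
-C: compress the data
-N: do not execute a command on the server; only use the forwarded port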
Enable proxy.service:
sudo systemctl enable proxy.service
Start proxy.service:
sudo systemctl start proxy.service
Check the status of proxy.service:
systemctl status proxy.service
If there are no problems, check whether port 1337 is open:
$ nc 127.0.0.1 1337 -vz
Connection to 127.0.0.1 1337 port [tcp/*] succeeded!
Test whether port 1337 works correctly:
$ curl cip.cc -x socks5h://127.0.0.1:1337 -v
* Expire in 0 ms for 6 (transfer 0x1914880)
* Trying 127.0.0.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x1914880)
* SOCKS5 communication to cip.cc:80
* SOCKS5 request granted.
* Connected to 127.0.0.1 (127.0.0.1) port 1337 (#0)
> GET / HTTP/1.1
> Host: cip.cc
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
..
Why use privoxy
- Some tools do not support a SOCKS5 proxy, but they all support an HTTP proxy
- Using the SOCKS5 proxy directly is inflexible; most websites do not need the proxy
Install privoxy:
sudo apt-get install privoxy -y
Append to the privoxy configuration file:
sudo nano /etc/privoxy/config
listen-address :8118
enable-edit-actions 1
actionsfile whitelist.action
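- Listen on port 8118; with no address before the colon, privoxy binds to all interfaces
- Allow the actions files to be edited through the web interface; the editor has no separate access control, so any client that can reach port 8118 can use it
- Load the configuration from the ./whitelist.action file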
sudo nano /etc/privoxy/whitelist.action
This configuration sends everything directly by default (not through the SOCKS5 proxy); hosts that need the proxy are listed under {whitelist}:
{{alias}}
direct = +forward-override{forward .}
whitelist = +forward-override{forward-socks5 localhost:1337 .}
#default
{direct}
/
#whitelist
{whitelist}
.google.com
.cip.cc
.docker.com
.docker.io
.github.com
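This alternative configuration sends everything through the SOCKS5 proxy by default; hosts to access directly are defined under {direct}: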
{{alias}}
proxy = +forward-override{forward-socks5 localhost:1337 .}
direct = +forward-override{forward .}
{proxy}
/
{direct}
.cn
.cip.cc
Restart privoxy:
sudo systemctl restart privoxy
Check that privoxy's port 8118 is working:
$ nc 127.0.0.1 8118 -vz
Connection to 127.0.0.1 8118 port [tcp/*] succeeded!
Test whether the privoxy proxy works:
$ curl cip.cc -x http://127.0.0.1:8118 -v
* Expire in 0 ms for 6 (transfer 0x1629880)
* Trying 127.0.0.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x1629880)
* Connected to 127.0.0.1 (127.0.0.1) port 8118 (#0)
> GET http://cip.cc/ HTTP/1.1
> Host: cip.cc
> User-Agent: curl/7.64.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
..
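On other macOS/Windows/Linux nodes you can set a global proxy and run the following tests:
- Check that privoxy is in use: visit http://p.p/, where privoxy can be configured
- Visit http://www.cip.cc/; it should now show the foreign node's IP address
- Edit whitelist.action (sudo nano /etc/privoxy/whitelist.action) and comment out the .cip.cc line; this takes effect immediately without restarting privoxy. Then visit http://www.cip.cc/ again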
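The two whitelist.action variants above both rely on the same rule: every section whose pattern matches is applied in file order, and the last match decides the route. The script below is an added example (not from the original page and not Privoxy code) that models this for the pattern forms used here: "/", ".domain" and an exact host name. The function name route_for and the temporary file names are hypothetical, and the two files are abbreviated copies of the ones shown above.

```shell
# route_for HOST ACTIONSFILE: print the section whose pattern is the LAST one
# to match HOST; later matches override earlier ones.
route_for() {
    host=$1; section=; result=; in_alias=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')  # strip comments, blanks
        if [ -z "$line" ]; then continue; fi
        case $line in
            "{{alias}}") in_alias=1; continue ;;
            "{"*"}")     in_alias=0; section=$line; continue ;;
        esac
        if [ "$in_alias" -eq 1 ]; then continue; fi        # alias definitions
        case $line in
            /)  result=$section ;;                          # matches every URL
            .*) case $host in                               # domain and subdomains
                    "${line#.}"|*"$line") result=$section ;;
                esac ;;
            *)  if [ "$host" = "$line" ]; then result=$section; fi ;;
        esac
    done < "$2"
    printf '%s\n' "$result"
}

# Abbreviated copies of the two action files shown above.
tmp=$(mktemp -d)
cat > "$tmp/whitelist-mode.action" <<'EOF'
{{alias}}
direct = +forward-override{forward .}
whitelist = +forward-override{forward-socks5 localhost:1337 .}
{direct}
/
#whitelist
{whitelist}
.google.com
.cip.cc
EOF
cat > "$tmp/proxy-mode.action" <<'EOF'
{{alias}}
proxy = +forward-override{forward-socks5 localhost:1337 .}
direct = +forward-override{forward .}
{proxy}
/
{direct}
.cn
.cip.cc
EOF
for h in www.google.com example.org www.cip.cc example.cn; do
    echo "$h: $(route_for "$h" "$tmp/whitelist-mode.action") / $(route_for "$h" "$tmp/proxy-mode.action")"
done
```

Running route_for against the real /etc/privoxy/whitelist.action before and after commenting out a line shows which hosts change route.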