yf-hk · July 9, 2022 02:54
diff --git a/Dockerfile b/Dockerfile
 FROM alpine:latest

 WORKDIR /opt

 EXPOSE 443/tcp 500/udp 4500/udp

 ENV HOST_NAME=
 ENV LOGIN_USER=
 ENV LOGIN_PASSWORD=
 ENV LOCAL_SUBNET=172.19.240.0/20
 ENV V2RAY_ALTER_ID=64
 ENV V2RAY_FALLBACK_PORT=80
 ENV XRAY_LOCATION_ASSET=/usr/lib/xray

 COPY ./run.sh .

 RUN set -x
 RUN apk --update --no-cache add iptables strongswan acme.sh socat
 RUN mkdir -p /var/lib/acme.sh
 RUN mkdir -p ${XRAY_LOCATION_ASSET}
 RUN mkdir -p /etc/xray
 RUN TMP_DIR="$(mktemp -d)"
 RUN case "$(arch -s)" in 'i386' | 'i686') ARCH='32' ;; 'amd64' | 'x86_64') ARCH='64' ;; *) echo "error: The architecture is not supported." && rm -rf ${TMP_DIR} && exit 1 ;; esac
 RUN TAG=$(curl -Ls -o /dev/null -w %{url_effective} https://github.com/XTLS/Xray-core/releases/latest | grep -o '[0-9]*\.[0-9]*\.[0-9]*')
 RUN wget https://github.com/XTLS/Xray-core/releases/download/${TAG}/Xray-linux-${ARCH}.zip -P ${TMP_DIR}
 RUN unzip ${TMP_DIR}/*.zip -d ${TMP_DIR} -o
 RUN mv ${TMP_DIR}/xray /usr/bin
 RUN mv ${TMP_DIR}/*.dat ${XRAY_LOCATION_ASSET}
 RUN rm -rf ${TMP_DIR}
 RUN chmod +x /opt/run.sh

 CMD "/opt/run.sh"
diff --git a/run.sh b/run.sh
 #!/bin/sh

 # variables
 [ -z ${HOST_NAME} ] && echo 'Please provide "HOST_NAME" ENV variable' && exit;
 [ -z ${LOGIN_USER} ] && echo 'Please provide "LOGIN_USER" ENV variable' && exit;
 [ -z ${LOGIN_PASSWORD} ] && echo 'Please provide "LOGIN_PASSWORD" ENV variable' && exit;
 DEFAULT_IFACE="$(route | grep '^default' | grep -o '[^ ]*$')"
 DEFAULT_IP=$(curl -s http://checkip.amazonaws.com)

 # iptables
 iptables -F
 iptables -t nat -F
 iptables -t mangle -F
 iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
 iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 iptables -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
 iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
 iptables -A FORWARD -d ${LOCAL_SUBNET} -i ${DEFAULT_IFACE} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 iptables -A FORWARD -s ${LOCAL_SUBNET} -o ${DEFAULT_IFACE} -j ACCEPT
 iptables -A FORWARD -j DROP
 iptables -t nat -A POSTROUTING -s ${LOCAL_SUBNET} -o ${DEFAULT_IFACE} -j MASQUERADE
 iptables -t nat -A POSTROUTING -s ${LOCAL_SUBNET} -o ${DEFAULT_IFACE} -m policy --dir out --pol none -j MASQUERADE

 # acme.sh
 if [ ! -f "/etc/ipsec.d/private/privkey.pem" ]; then
 	wget https://letsencrypt.org/certs/lets-encrypt-r3.pem -O /etc/ipsec.d/cacerts/lets-encrypt-r3.pem
 	acme.sh --home /var/lib/acme.sh --issue --alpn --standalone -d ${HOST_NAME}
 	acme.sh --home /var/lib/acme.sh --force --install-cert -d ${HOST_NAME} --cert-file /etc/ipsec.d/certs/cert.pem --key-file /etc/ipsec.d/private/privkey.pem --ca-file /etc/ipsec.d/cacerts/chain.pem --fullchain-file /etc/ipsec.d/certs/fullchain.pem
 	chmod -R 755 /etc/ipsec.d
 fi

 # ipsec
 cat > /etc/ipsec.secrets<<-EOF
 ${HOST_NAME} : RSA privkey.pem
 ${LOGIN_USER} %any : EAP "${LOGIN_PASSWORD}"
 EOF
 cat > /etc/ipsec.conf<<-EOF
 config setup
 	uniqueids=never
 	strictcrlpolicy=no
 conn vpn
 	auto=add
 	compress=no
 	type=tunnel
 	keyexchange=ikev2
 	fragmentation=yes
 	forceencaps=yes
 	dpdaction=clear
 	dpddelay=300s
 	rekey=no
 	left=%any
 	leftid=@${HOST_NAME}
 	leftcert=cert.pem
 	leftsendcert=always
 	leftsubnet=0.0.0.0/0
 	right=%any
 	rightid=%any
 	rightauth=eap-mschapv2
 	rightdns=1.1.1.1,8.8.8.8
 	rightsourceip=${LOCAL_SUBNET}
 	rightsendcert=never
 	eap_identity=%identity
 EOF
 ipsec restart

 # xray-core
 rm -rf /run/*.sock
 rm -rf /run/*.lock
 cat > /etc/xray/config.json<<-EOF
 {
 	"log": {
 		"loglevel": "none"
 	},
 	"inbounds": [
 		{
 			"port": 443,
 			"protocol": "vless",
 			"settings": {
 				"clients": [
 					{
 						"id": "${LOGIN_PASSWORD}",
 						"flow": "xtls-rprx-direct",
 						"level": 0
 					}
 				],
 				"decryption": "none",
 				"fallbacks": [
 					{
 						"dest": "/run/xray-trojan.sock",
 						"xver": 1
 					},
 					{
 						"path": "/websocket",
 						"dest": "/run/xray-vmess-ws.sock",
 						"xver": 1
 					}
 				]
 			},
 			"streamSettings": {
 				"network": "tcp",
 				"security": "xtls",
 				"xtlsSettings": {
 					"alpn": [
 						"http/1.1"
 					],
 					"certificates": [
 						{
 							"certificateFile": "/etc/ipsec.d/certs/fullchain.pem",
 							"keyFile": "/etc/ipsec.d/private/privkey.pem"
 						}
 					]
 				}
 			}
 		},
 		{
 			"listen": "/run/xray-trojan.sock",
 			"protocol": "trojan",
 			"settings": {
 				"clients": [
 					{
 						"password": "${LOGIN_PASSWORD}",
 						"level": 0
 					}
 				],
 				"fallbacks": [
 					{
 						"dest": ${V2RAY_FALLBACK_PORT}
 					}
 				]
 			},
 			"streamSettings": {
 				"network": "tcp",
 				"security": "none",
 				"tcpSettings": {
 					"acceptProxyProtocol": true
 				}
 			}
 		},
 		{
 			"listen": "/run/xray-vmess-ws.sock",
 			"protocol": "vmess",
 			"settings": {
 				"clients": [
 					{
 						"id": "${LOGIN_PASSWORD}",
 						"alterId": ${V2RAY_ALTER_ID}
 					}
 				]
 			},
 			"streamSettings": {
 				"network": "ws",
 				"security": "none",
 				"wsSettings": {
 					"acceptProxyProtocol": true,
 					"path": "/websocket"
 				}
 			}
 		}
 	],
 	"outbounds": [
 		{
 			"protocol": "freedom"
 		}
 	]
 }

 EOF
 xray run -confdir /etc/xray

 # keep running
 tail -f /dev/null
	FROM alpine:latest

	WORKDIR /opt

	EXPOSE 443/tcp 500/udp 4500/udp

	ENV HOST_NAME=
	ENV LOGIN_USER=
	ENV LOGIN_PASSWORD=
	ENV LOCAL_SUBNET=172.19.240.0/20
	ENV V2RAY_ALTER_ID=64
	ENV V2RAY_FALLBACK_PORT=80
	ENV XRAY_LOCATION_ASSET=/usr/lib/xray

	COPY ./run.sh .

	RUN set -x
	RUN apk --update --no-cache add iptables strongswan acme.sh socat
	RUN mkdir -p /var/lib/acme.sh
	RUN mkdir -p ${XRAY_LOCATION_ASSET}
	RUN mkdir -p /etc/xray
	RUN TMP_DIR="$(mktemp -d)"
	RUN case "$(arch -s)" in 'i386' \| 'i686') ARCH='32' ;; 'amd64' \| 'x86_64') ARCH='64' ;; *) echo "error: The architecture is not supported." && rm -rf ${TMP_DIR} && exit 1 ;; esac
	RUN TAG=$(curl -Ls -o /dev/null -w %{url_effective} https://github.com/XTLS/Xray-core/releases/latest \| grep -o '[0-9]\.[0-9]\.[0-9]*')
	RUN wget https://github.com/XTLS/Xray-core/releases/download/${TAG}/Xray-linux-${ARCH}.zip -P ${TMP_DIR}
	RUN unzip ${TMP_DIR}/*.zip -d ${TMP_DIR} -o
	RUN mv ${TMP_DIR}/xray /usr/bin
	RUN mv ${TMP_DIR}/*.dat ${XRAY_LOCATION_ASSET}
	RUN rm -rf ${TMP_DIR}
	RUN chmod +x /opt/run.sh

	CMD "/opt/run.sh"
	#!/bin/sh

	# variables
	[ -z ${HOST_NAME} ] && echo 'Please provide "HOST_NAME" ENV variable' && exit;
	[ -z ${LOGIN_USER} ] && echo 'Please provide "LOGIN_USER" ENV variable' && exit;
	[ -z ${LOGIN_PASSWORD} ] && echo 'Please provide "LOGIN_PASSWORD" ENV variable' && exit;
	DEFAULT_IFACE="$(route \| grep '^default' \| grep -o '[^ ]*$')"
	DEFAULT_IP=$(curl -s http://checkip.amazonaws.com)

	# iptables
	iptables -F
	iptables -t nat -F
	iptables -t mangle -F
	iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
	iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
	iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
	iptables -A FORWARD -d ${LOCAL_SUBNET} -i ${DEFAULT_IFACE} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	iptables -A FORWARD -s ${LOCAL_SUBNET} -o ${DEFAULT_IFACE} -j ACCEPT
	iptables -A FORWARD -j DROP
	iptables -t nat -A POSTROUTING -s ${LOCAL_SUBNET} -o ${DEFAULT_IFACE} -j MASQUERADE
	iptables -t nat -A POSTROUTING -s ${LOCAL_SUBNET} -o ${DEFAULT_IFACE} -m policy --dir out --pol none -j MASQUERADE

	# acme.sh
	if [ ! -f "/etc/ipsec.d/private/privkey.pem" ]; then
	wget https://letsencrypt.org/certs/lets-encrypt-r3.pem -O /etc/ipsec.d/cacerts/lets-encrypt-r3.pem
	acme.sh --home /var/lib/acme.sh --issue --alpn --standalone -d ${HOST_NAME}
	acme.sh --home /var/lib/acme.sh --force --install-cert -d ${HOST_NAME} --cert-file /etc/ipsec.d/certs/cert.pem --key-file /etc/ipsec.d/private/privkey.pem --ca-file /etc/ipsec.d/cacerts/chain.pem --fullchain-file /etc/ipsec.d/certs/fullchain.pem
	chmod -R 755 /etc/ipsec.d
	fi

	# ipsec
	cat > /etc/ipsec.secrets<<-EOF
	${HOST_NAME} : RSA privkey.pem
	${LOGIN_USER} %any : EAP "${LOGIN_PASSWORD}"
	EOF
	cat > /etc/ipsec.conf<<-EOF
	config setup
	uniqueids=never
	strictcrlpolicy=no
	conn vpn
	auto=add
	compress=no
	type=tunnel
	keyexchange=ikev2
	fragmentation=yes
	forceencaps=yes
	dpdaction=clear
	dpddelay=300s
	rekey=no
	left=%any
	leftid=@${HOST_NAME}
	leftcert=cert.pem
	leftsendcert=always
	leftsubnet=0.0.0.0/0
	right=%any
	rightid=%any
	rightauth=eap-mschapv2
	rightdns=1.1.1.1,8.8.8.8
	rightsourceip=${LOCAL_SUBNET}
	rightsendcert=never
	eap_identity=%identity
	EOF
	ipsec restart

	# xray-core
	rm -rf /run/*.sock
	rm -rf /run/*.lock
	cat > /etc/xray/config.json<<-EOF
	{
	"log": {
	"loglevel": "none"
	},
	"inbounds": [
	{
	"port": 443,
	"protocol": "vless",
	"settings": {
	"clients": [
	{
	"id": "${LOGIN_PASSWORD}",
	"flow": "xtls-rprx-direct",
	"level": 0
	}
	],
	"decryption": "none",
	"fallbacks": [
	{
	"dest": "/run/xray-trojan.sock",
	"xver": 1
	},
	{
	"path": "/websocket",
	"dest": "/run/xray-vmess-ws.sock",
	"xver": 1
	}
	]
	},
	"streamSettings": {
	"network": "tcp",
	"security": "xtls",
	"xtlsSettings": {
	"alpn": [
	"http/1.1"
	],
	"certificates": [
	{
	"certificateFile": "/etc/ipsec.d/certs/fullchain.pem",
	"keyFile": "/etc/ipsec.d/private/privkey.pem"
	}
	]
	}
	}
	},
	{
	"listen": "/run/xray-trojan.sock",
	"protocol": "trojan",
	"settings": {
	"clients": [
	{
	"password": "${LOGIN_PASSWORD}",
	"level": 0
	}
	],
	"fallbacks": [
	{
	"dest": ${V2RAY_FALLBACK_PORT}
	}
	]
	},
	"streamSettings": {
	"network": "tcp",
	"security": "none",
	"tcpSettings": {
	"acceptProxyProtocol": true
	}
	}
	},
	{
	"listen": "/run/xray-vmess-ws.sock",
	"protocol": "vmess",
	"settings": {
	"clients": [
	{
	"id": "${LOGIN_PASSWORD}",
	"alterId": ${V2RAY_ALTER_ID}
	}
	]
	},
	"streamSettings": {
	"network": "ws",
	"security": "none",
	"wsSettings": {
	"acceptProxyProtocol": true,
	"path": "/websocket"
	}
	}
	}
	],
	"outbounds": [
	{
	"protocol": "freedom"
	}
	]
	}

	EOF
	xray run -confdir /etc/xray

	# keep running
	tail -f /dev/null