Install shadowsocks-libev

发表于 更新于 分类于

Shadowsocks(简称SS)是一种基于Socks5代理方式的加密传输协议,也可以指实现这个协议的各种开发包。当前包使用Python、C、C++、C#、Go语言等编程语言开发,大部分主要实现(iOS平台的除外)采用Apache许可证、GPL、MIT许可证等多种自由软件许可协议开放源代码。Shadowsocks分为服务器端和客户端,在使用之前,需要先将服务器端程序部署到服务器上面,然后通过客户端连接并创建本地代理。

Install shadowsocks-libev

TCP优化

修改文件句柄数限制

修改vi /etc/security/limits.conf文件,加入

* soft  nofile  102400
* hard  nofile  102400

修改 profile文件

vi /etc/profile

加入 ulimit -SHn 102400 然后重启服务器执行ulimit -n,查询返回102400即可。

  • 如果使用supervisor进程守护,需要修改文件/etc/default/supervisor,添加一行:ulimit -n 102400
  • 还可以在supervisord.conf的supervisord字段下添加minfds=102400来提升文件描述符限制

内核优化

################################################
vi /etc/sysctl.conf
################################################
# max open files
fs.file-max = 102400
# max read buffer
net.core.rmem_max = 67108864
# max write buffer
net.core.wmem_max = 67108864
# default read buffer
net.core.rmem_default = 65536
# default write buffer
net.core.wmem_default = 65536
# max processor input queue
net.core.netdev_max_backlog = 4096
# max backlog
net.core.somaxconn = 4096

# resist SYN flood attacks
net.ipv4.tcp_syncookies = 1
# reuse timewait sockets when safe
net.ipv4.tcp_tw_reuse = 1
# turn off fast timewait sockets recycling
net.ipv4.tcp_tw_recycle = 0
# short FIN timeout
net.ipv4.tcp_fin_timeout = 30
# short keepalive time
net.ipv4.tcp_keepalive_time = 1200
# outbound port range
net.ipv4.ip_local_port_range = 10000 65000
# max SYN backlog
net.ipv4.tcp_max_syn_backlog = 4096
# max timewait sockets held by system simultaneously
net.ipv4.tcp_max_tw_buckets = 5000
# turn on TCP Fast Open on both client and server side
net.ipv4.tcp_fastopen = 3
# TCP receive buffer
net.ipv4.tcp_rmem = 4096 87380 67108864
# TCP write buffer
net.ipv4.tcp_wmem = 4096 65536 67108864
# turn on path MTU discovery
net.ipv4.tcp_mtu_probing = 1

# for high-latency network
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
# forward ipv4
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

然后 : sysctl --system 其中最后的hybla是为高延迟网络(如美国,欧洲)准备的算法,需要内核支持,测试内核是否支持,在终端输入: sysctl net.ipv4.tcp_available_congestion_control 如果结果中有hybla,则证明你的内核已开启hybla,如果没有hybla,可以用命令modprobe tcp_hybla开启。

对于低延迟的网络(如日本,香港等),可以使用htcp,可以非常显著的提高速度,首先使用modprobe tcp_htcp开启,再将net.ipv4.tcp_congestion_control = hybla改为net.ipv4.tcp_congestion_control = htcp,建议EC2日本用户使用这个算法。

准备环境

# Installation of basic build dependencies
## Debian / Ubuntu
apt-get install --no-install-recommends gettext build-essential autoconf libtool libpcre3-dev asciidoc xmlto libev-dev libc-ares-dev automake libmbedtls-dev libsodium-dev
## CentOS / Fedora / RHEL
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
yum install gettext gcc autoconf libtool automake make asciidoc xmlto c-ares-devel libev-devel pcre-devel
## Arch
pacman -S gettext gcc autoconf libtool automake make asciidoc xmlto c-ares libev

# Installation of libsodium
export LIBSODIUM_VER=1.0.16
wget https://download.libsodium.org/libsodium/releases/libsodium-$LIBSODIUM_VER.tar.gz
tar xvf libsodium-$LIBSODIUM_VER.tar.gz
pushd libsodium-$LIBSODIUM_VER
./configure --prefix=/usr && make
make install
popd
ldconfig

# Installation of MbedTLS
export MBEDTLS_VER=2.6.0
wget https://tls.mbed.org/download/mbedtls-$MBEDTLS_VER-gpl.tgz
tar xvf mbedtls-$MBEDTLS_VER-gpl.tgz
pushd mbedtls-$MBEDTLS_VER
make SHARED=1 CFLAGS=-fPIC
make DESTDIR=/usr install
popd
ldconfig

安装Shadowsocks

git clone https://github.com/shadowsocks/shadowsocks-libev.git
cd shadowsocks-libev
git submodule update --init --recursive
./autogen.sh
./configure --prefix=/usr && make
make install
cd

安装v2ray-plugin

下载最新插件

https://github.com/shadowsocks/v2ray-plugin/releases

解压缩移动到/opt/文件

安装证书

$ apt-get -y install netcat socat
$ curl  https://get.acme.sh | sh
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                               Dload  Upload   Total   Spent    Left  Speed
100   671  100   671    0     0    680      0 --:--:-- --:--:-- --:--:--   679
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                               Dload  Upload   Total   Spent    Left  Speed
100  112k  100  112k    0     0   690k      0 --:--:-- --:--:-- --:--:--  693k
[Fri 30 Dec 01:03:32 GMT 2016] Installing from online archive.
[Fri 30 Dec 01:03:32 GMT 2016] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Fri 30 Dec 01:03:33 GMT 2016] Extracting master.tar.gz
[Fri 30 Dec 01:03:33 GMT 2016] Installing to /home/user/.acme.sh
[Fri 30 Dec 01:03:33 GMT 2016] Installed to /home/user/.acme.sh/acme.sh
[Fri 30 Dec 01:03:33 GMT 2016] Installing alias to '/home/user/.profile'
[Fri 30 Dec 01:03:33 GMT 2016] OK, Close and reopen your terminal to start using acme.sh
[Fri 30 Dec 01:03:33 GMT 2016] Installing cron job
no crontab for user
no crontab for user
[Fri 30 Dec 01:03:33 GMT 2016] Good, bash is found, so change the shebang to use bash as preferred.
[Fri 30 Dec 01:03:33 GMT 2016] OK
[Fri 30 Dec 01:03:33 GMT 2016] Install success!

生成证书并移动到/opt/文件
~/.acme.sh/acme.sh --issue -d x.ml --standalone -k ec-256
~/.acme.sh/acme.sh --installcert -d x.ml --fullchainpath /opt/v2ray.crt --keypath /opt/v2ray.key --ecc

证书更新

~/.acme.sh/acme.sh --renew -d x.ml --force --ecc

配置系统防火墙

iptables-save >/etc/iptables
vi /etc/rc.local
iptables-restore < /etc/iptables
chmod +x /etc/rc.local