Notes on setting up shadowsocks-rust + Claude Code
US-region Apple ID
https://zhuanlan.zhihu.com/p/30761252365
Gift card store
https://www.wmslz.com/s/iLBhV1f61Si or search for the PockytShop mini-program in Alipay. Buy a card and redeem it in the Apple App Store.
Buying a Claude subscription
After signing in with the US-region Apple ID, download Claude and pay with Apple Pay. When signing in to Claude I chose Sign in with Apple and hid my e-mail address, so the desktop Claude app has to be signed in with the xxx@privaterelay.appleid.com relay address; after you enter it, Claude e-mails a login link to that mailbox.
Deploying shadowsocks-rust
The server side is nginx + xray-plugin + shadowsocks-rust. nginx terminates TLS and serves an ordinary website, with the Shadowsocks WebSocket tunnel hidden behind a single path, so to a passive observer the host looks like any other HTTPS server. That makes it much harder to fingerprint, not impossible: the raw UDP relay on 443 in the stream block below is random-looking bytes rather than QUIC, and an active prober can still study how the site behaves. You also need a domain. Buying it through AWS is convenient because Route 53 has an acme.sh DNS API (dns_aws), so the certificate, wildcard included, is issued and renewed by DNS-01 validation with no manual step. The commands below use ZeroSSL as the CA; Let's Encrypt works the same way with --server letsencrypt.
ss-server -- installing nginx and issuing the certificate
sudo apt update
# nginx-full and nginx-extras conflict with each other; install one. Either ships the stream module used below.
sudo apt install nginx-extras
sudo mkdir -p /etc/nginx/ssl
# acme.sh runs as ubuntu and writes the private key here, so keep the directory closed to everyone else;
# the nginx master runs as root and can still read it
sudo chown -R ubuntu:ubuntu /etc/nginx/ssl
sudo chmod 700 /etc/nginx/ssl
cd /home/ubuntu
# this pipes a remote script straight into sh; fetch it and read it first if that bothers you
curl https://get.acme.sh | sh
cd .acme.sh
./acme.sh --upgrade --auto-upgrade
# EAB credentials come from the ZeroSSL dashboard
export EAB_KID="xxx"
export EAB_HMAC_KEY="yyy"
./acme.sh --register-account -m xxx@gmail.com --server zerossl --eab-kid $EAB_KID --eab-hmac-key $EAB_HMAC_KEY
# IAM user for DNS-01 validation; grant it Route 53 change rights on this hosted zone only
export AWS_ACCESS_KEY_ID=xxx
export AWS_SECRET_ACCESS_KEY=yyyy
# -f forces issuance even if a valid cert already exists. --ocsp adds the OCSP Must-Staple extension, which
# requires ssl_stapling in nginx (set below) or clients that enforce Must-Staple (Firefox) refuse the cert.
# Let's Encrypt has ended OCSP support and no longer issues Must-Staple certificates, so leave --ocsp out there.
./acme.sh -f --issue --ocsp --dns dns_aws -d "xxx.net" -d "*.xxx.net"
./acme.sh --install-cert -d "xxx.net" \
--key-file /etc/nginx/ssl/xxx.net.key \
--cert-file /etc/nginx/ssl/xxx.net.cer \
--ca-file /etc/nginx/ssl/xxx.net.ca.cer \
--fullchain-file /etc/nginx/ssl/xxx.net.fullchain.cer \
--reloadcmd "sudo systemctl reload nginx"
# renewals run from ubuntu's crontab, so the reload command needs a NOPASSWD sudoers entry, e.g.
# ubuntu ALL=(root) NOPASSWD: /usr/bin/systemctl reload nginx
Edit nginx.conf (the certificate paths must match the names given to --install-cert above)
user www-data;
worker_processes auto;
worker_rlimit_nofile 131072;
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log;
events {
worker_connections 16384;
multi_accept on;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main "$remote_addr - $remote_user [$time_local] \"$request\" "
"$status $body_bytes_sent \"$http_referer\" "
"\"$http_user_agent\" \"$http_x_forwarded_for\"";
access_log /var/log/nginx/access.log main;
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
keepalive_timeout 650;
types_hash_max_size 2048;
types_hash_bucket_size 64;
client_max_body_size 10G;
server_names_hash_bucket_size 64;
proxy_connect_timeout 60s;
proxy_send_timeout 1800s;
proxy_read_timeout 1800s;
# Buffering
proxy_buffering on;
proxy_request_buffering off;
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml application/rss+xml application/atom+xml image/svg+xml;
ssl_session_timeout 1d;
# the ticket key lives as long as the master process; with tickets on, one leaked key
# decrypts every resumed session since the last restart, so resume from the cache instead
ssl_session_tickets off;
ssl_session_cache shared:SSL:128m;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve X25519:P-256;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
# mandatory here: the certificate was issued with OCSP Must-Staple
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=60s ipv6=on;
resolver_timeout 2s;
ssl_trusted_certificate /etc/nginx/ssl/xxx.net.ca.cer;
ssl_certificate /etc/nginx/ssl/xxx.net.fullchain.cer;
ssl_certificate_key /etc/nginx/ssl/xxx.net.key;
# no real_ip_header here: without set_real_ip_from it is inert, and nothing sits in front of this nginx
# HTTP to HTTPS redirect for all domains
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
# Browsers ignore Strict-Transport-Security received over plain HTTP, so HSTS is set on the 443 server only
return 301 https://$host$request_uri;
}
server {
# fastopen needs net.ipv4.tcp_fastopen=3 (see the sysctl section)
listen 443 ssl fastopen=128;
listen [::]:443 ssl fastopen=128;
# "http2 on" needs nginx >= 1.25.1; on older packages write "listen 443 ssl http2;" instead
http2 on;
server_name ssserver.xxx.net forsimple.xxx.net;
ssl_trusted_certificate /etc/nginx/ssl/xxx.net.ca.cer;
ssl_certificate /etc/nginx/ssl/xxx.net.fullchain.cer;
ssl_certificate_key /etc/nginx/ssl/xxx.net.key;
# add_header is only inherited by blocks that declare none of their own, so the whole set lives here
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
# 0 disables the legacy browser XSS auditor, which is the current recommendation
add_header X-XSS-Protection "0" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# Exact match: a prefix "location /sspath" would also hand /sspath-anything to the plugin.
# Every other path falls through to nginx's default document root, which is the decoy site.
location = /sspath {
proxy_redirect off;
proxy_pass http://127.0.0.1:1080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_buffering off;
proxy_request_buffering off;
proxy_socket_keepalive on;
tcp_nodelay on;
access_log off;
}
}
}
stream {
log_format ss_udp '$remote_addr [$time_local] $protocol '
'$bytes_received/$bytes_sent $session_time '
'-> $upstream_addr ($upstream_bytes_received/$upstream_bytes_sent)';
access_log /var/log/nginx/ss-udp.log ss_udp;
error_log /var/log/nginx/ss-udp-error.log warn;
# Raw Shadowsocks UDP on 443. SIP003 plugins carry TCP only, so ssserver binds 127.0.0.1:1080/udp itself.
# These datagrams are random-looking bytes, not QUIC, so this is the one part of the setup that does not
# look like an HTTPS server. Delete this server block if you do not need UDP.
server {
listen 443 udp reuseport;
proxy_pass 127.0.0.1:1080;
# a session that never gets a reply is held open until this expires
proxy_timeout 600s;
proxy_buffer_size 4k;
# do not add "proxy_responses 0": it tells nginx to expect no reply datagrams, which is wrong for a relay
}
}
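The ss_udp log_format above is the only record of who touches udp/443. ssserver silently drops any datagram whose AEAD tag fails to verify, so an unauthenticated scanner never gets a byte back and appears as sessions with bytes_sent 0 that last until proxy_timeout. As an added example, not part of the original post or of nginx or shadowsocks-rust, here is a stdlib-only Python script that parses those lines and flags sources that were never answered. The log lines embedded in it are constructed, and the three-session threshold is an assumption.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# One regex for the ss_udp log_format in the stream block:
# $remote_addr [$time_local] $protocol $bytes_received/$bytes_sent $session_time
#   -> $upstream_addr ($upstream_bytes_received/$upstream_bytes_sent)
LINE_RE = re.compile(
    r"^(?P<addr>\S+) \[(?P<time>[^\]]+)\] (?P<proto>\S+) "
    r"(?P<rx>\d+)/(?P<tx>\d+) (?P<secs>[\d.]+) -> (?P<upstream>\S+) "
    r"\((?P<up_rx>\d+)/(?P<up_tx>\d+)\)$"
)

# Constructed sample lines (not real traffic). 198.51.100.7 is a working client,
# 203.0.113.9 sends three datagrams that never get an answer, 192.0.2.20 one.
SAMPLE_LOG = [
    "198.51.100.7 [12/Mar/2025:10:00:01 +0000] UDP 1380/2910 0.211 -> 127.0.0.1:1080 (2910/1380)",
    "198.51.100.7 [12/Mar/2025:10:00:05 +0000] UDP 2760/55120 4.020 -> 127.0.0.1:1080 (55120/2760)",
    "203.0.113.9 [12/Mar/2025:10:15:17 +0000] UDP 64/0 600.001 -> 127.0.0.1:1080 (0/64)",
    "203.0.113.9 [12/Mar/2025:10:15:18 +0000] UDP 1200/0 600.002 -> 127.0.0.1:1080 (0/1200)",
    "203.0.113.9 [12/Mar/2025:10:15:19 +0000] UDP 1200/0 600.000 -> 127.0.0.1:1080 (0/1200)",
    "192.0.2.20 [12/Mar/2025:10:20:00 +0000] UDP 1380/0 600.004 -> 127.0.0.1:1080 (0/1380)",
    "garbage line that does not match the format",
]


@dataclass
class Session:
    addr: str
    rx: int        # bytes the client sent to nginx
    tx: int        # bytes nginx sent back to the client
    secs: float    # session_time; a silent session lives until proxy_timeout


def parse_line(line):
    """Parse one ss_udp line; return None for a line in any other format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Session(m["addr"], int(m["rx"]), int(m["tx"]), float(m["secs"]))


def find_probers(lines, min_silent=3):
    """Map addr -> number of unanswered sessions, for addrs that were never answered.

    A scanner, or an HTTP/3 client speculatively trying udp/443, shows up as
    sessions with bytes_sent == 0. A real client with the right key gets replies,
    so a single answered session clears that address.
    """
    silent = defaultdict(int)
    answered = set()
    for line in lines:
        s = parse_line(line)
        if s is None:
            continue
        if s.tx == 0:
            silent[s.addr] += 1
        else:
            answered.add(s.addr)
    return {a: n for a, n in silent.items() if n >= min_silent and a not in answered}


if __name__ == "__main__":
    for addr, n in find_probers(SAMPLE_LOG).items():
        print(f"{addr}: {n} unanswered sessions on udp/443")
```

Feed it /var/log/nginx/ss-udp.log instead of SAMPLE_LOG to run it on the real file; a legitimate client that has the wrong password looks the same as a scanner, which is exactly the point of checking the log after a config change.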
ss-server -- installing shadowsocks-rust
sudo mkdir /etc/shadowsocks-rust/
sudo vi /etc/shadowsocks-rust/shadowsocks-server.json
The server binds 127.0.0.1 on purpose: nginx is the only client it should ever have. ssserver starts the plugin itself; under SIP003 the plugin takes over the TCP side of 127.0.0.1:1080 and ssserver keeps the UDP side, which is why the nginx stream block can point at the same port. Generate the password with openssl rand -base64 32 and keep it out of anything you publish (aes-256-gcm accepts any string; the 2022-blake3-* methods need a base64 key of the cipher's key size).
{
"servers": [
{
"server": "127.0.0.1",
"server_port": 1080,
"password": "PASTE_OUTPUT_OF_openssl_rand_-base64_32",
"mode": "tcp_and_udp",
"timeout": 600,
"method": "aes-256-gcm",
"plugin": "/usr/local/bin/xray-plugin_linux_arm64",
"plugin_opts": "server;host=forsimple.xxx.net;path=/sspath"
}
],
"fast_open": true,
"no_delay": true
}
sudo vi /etc/systemd/system/shadowsocks-server.service
[Unit]
Description=shadowsocks-rust server
Wants=network-online.target
After=network-online.target
[Service]
LimitNOFILE=1048576
Type=simple
# DynamicUser picks an unprivileged UID at each start, so the config file must be world-readable (mode 644)
# and anyone with a shell on the box can read the password. Use a fixed User= plus a 640 file if that matters.
DynamicUser=true
ExecStart=/usr/local/bin/ssserver -c /etc/shadowsocks-rust/shadowsocks-server.json
Restart=on-failure
RestartSec=5
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadOnlyPaths=/etc/shadowsocks-rust/shadowsocks-server.json
[Install]
# without this line "systemctl enable" has nothing to act on and the service will not start at boot
WantedBy=multi-user.target
Use the upstream shadowsocks-rust release for the server: https://github.com/shadowsocks/shadowsocks-rust
xray-plugin can be downloaded here (pick the build for your CPU; the config above names the arm64 binary):
https://github.com/teddysun/xray-plugin
Put the downloaded binaries in /usr/local/bin
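Three files have to agree for this to work: the plugin path and host in shadowsocks-server.json, the nginx location and server_name that front it, and a unit file that systemctl enable can actually act on. As an added example, not code from the original post or from the shadowsocks-rust project, this stdlib-only Python lint checks the three against each other and also catches the loopback, cipher and password mistakes that matter for this design. The embedded config, nginx snippet and unit are constructed placeholders; the AEAD method list and the 16-character password floor are assumptions.

```python
import configparser
import json
import re

# Constructed placeholders that mirror the three files in this section; not a real deployment.
SS_CONFIG_JSON = """{
  "servers": [{
    "server": "127.0.0.1", "server_port": 1080,
    "password": "kX2+Qn9vTf0Ld7mCjZ4wVqY1pRs8uHgBnE3aWi6oSt0=",
    "mode": "tcp_and_udp", "timeout": 600, "method": "aes-256-gcm",
    "plugin": "/usr/local/bin/xray-plugin_linux_arm64",
    "plugin_opts": "server;host=forsimple.xxx.net;path=/sspath"
  }]
}"""
NGINX_CONF = """
server {
    listen 443 ssl;
    server_name ssserver.xxx.net forsimple.xxx.net;
    location /sspath {
        proxy_pass http://127.0.0.1:1080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
"""
UNIT = """[Unit]
Description=shadowsocks-rust server
[Service]
DynamicUser=true
ExecStart=/usr/local/bin/ssserver -c /etc/shadowsocks-rust/shadowsocks-server.json
[Install]
"""
# Assumed list of the AEAD methods shadowsocks-rust offers; extend if you use others.
AEAD_METHODS = {"aes-128-gcm", "aes-256-gcm", "chacha20-ietf-poly1305",
                "2022-blake3-aes-128-gcm", "2022-blake3-aes-256-gcm",
                "2022-blake3-chacha20-poly1305"}


def load_ss_config(text):
    return json.loads(text)


def parse_plugin_opts(opts):
    """SIP003 plugin_opts: 'server;host=a;path=/p' -> {'server': None, 'host': 'a', 'path': '/p'}"""
    out = {}
    for part in filter(None, opts.split(";")):
        key, _, value = part.partition("=")
        out[key] = value or None
    return out


def lint_ss_config(cfg):
    problems = []
    for i, srv in enumerate(cfg.get("servers", [])):
        tag = f"servers[{i}]"
        if srv.get("server") not in ("127.0.0.1", "::1", "localhost"):
            problems.append(f"{tag}: server must bind loopback; only nginx should reach it")
        if srv.get("method") not in AEAD_METHODS:
            problems.append(f"{tag}: method {srv.get('method')!r} is not an AEAD cipher")
        if len(srv.get("password", "")) < 16:   # assumed floor
            problems.append(f"{tag}: password too short; use openssl rand -base64 32")
        opts = parse_plugin_opts(srv.get("plugin_opts", ""))
        if "server" not in opts:
            problems.append(f"{tag}: plugin_opts lacks 'server', the plugin would run in client mode")
        if "tls" in opts:
            problems.append(f"{tag}: plugin_opts sets tls but nginx already terminates TLS")
    return problems


def lint_nginx(conf, plugin):
    """plugin is the dict from parse_plugin_opts; the nginx location must match its path exactly."""
    problems = []
    host, path = plugin.get("host"), plugin.get("path") or "/"
    names = " ".join(re.findall(r"server_name\s+([^;]+);", conf)).split()
    if host and host not in names:
        problems.append(f"nginx: plugin host {host} is not in any server_name")
    # each location directive plus the text up to its first closing brace (enough for a flat block)
    locs = re.findall(r"location\s+(=\s*)?(\S+)\s*\{([^}]*)\}", conf)
    hits = [(exact, body) for exact, p, body in locs if p == path]
    if not hits:
        problems.append(f"nginx: no location for plugin path {path}")
    else:
        exact, body = hits[0]
        if not exact:
            problems.append(f"nginx: location {path} is a prefix match; use 'location = {path}'")
        if "Upgrade" not in body:
            problems.append(f"nginx: location {path} does not forward the Upgrade header")
    return problems


def lint_unit(unit_text):
    problems = []
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str          # systemd keys are case-sensitive
    cp.read_string(unit_text)
    if not cp.has_option("Install", "WantedBy"):
        problems.append("unit: [Install] has no WantedBy=, so systemctl enable does nothing")
    if not (cp.has_option("Service", "DynamicUser") or cp.has_option("Service", "User")):
        problems.append("unit: service would run as root")
    return problems


def run_all():
    cfg = load_ss_config(SS_CONFIG_JSON)
    plugin = parse_plugin_opts(cfg["servers"][0].get("plugin_opts", ""))
    return lint_ss_config(cfg) + lint_nginx(NGINX_CONF, plugin) + lint_unit(UNIT)


if __name__ == "__main__":
    for p in run_all():
        print(p)
```

Point the three constants at the real files to use it on a server; the nginx scan is a flat regex over location blocks, which is enough for the single-level location this setup uses but not a general nginx parser.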
ss-server -- starting nginx and ss-server
sudo nginx -t
sudo systemctl daemon-reload
sudo systemctl enable shadowsocks-server nginx
sudo systemctl start shadowsocks-server nginx
ss-server -- server network tuning
# tcp_bbr is a module on Ubuntu kernels; load it and confirm it is present before asking for it in sysctl
sudo modprobe tcp_bbr
lsmod | grep bbr
sudo vi /etc/sysctl.d/99-shadowsocks-tune.conf
net.ipv4.tcp_congestion_control = bbr
net.core.default_qdisc = fq
# 3 = TCP Fast Open on both outgoing and listening sockets; nginx's fastopen=128 needs the listening bit
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_slow_start_after_idle = 0
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.rmem_default = 262144
net.core.wmem_default = 262144
net.ipv4.tcp_rmem = 4096 262144 16777216
net.ipv4.tcp_wmem = 4096 262144 16777216
net.core.netdev_max_backlog = 10000
net.core.somaxconn = 8192
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_notsent_lowat = 131072
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 10000 65535
net.ipv4.tcp_max_tw_buckets = 32768
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_fin_timeout = 15
# tcp_mem is counted in pages (4 KiB), not bytes
net.ipv4.tcp_mem = 32768 65536 131072
Apply and verify:
sudo sysctl --system
sysctl net.ipv4.tcp_congestion_control net.ipv4.tcp_fastopen
ss-client deployment
The upstream shadowsocks-rust client has no built-in way to transparently forward only traffic for foreign domains, so I maintain a modified fork. I have tested ssredir on Ubuntu and OpenWrt, and tun mode on Windows; all work. Because the Claude desktop app prefers QUIC, a plain redir setup can stop working for it; in that case you must use my fork, or delete the UDP stream block from nginx so the Shadowsocks setup relays no UDP at all (with no UDP path the QUIC attempt fails and the app falls back to TCP).
https://github.com/xiedeacc/shadowsocks-rust
Build it with this script: https://github.com/xiedeacc/shadowsocks-rust/blob/config_dns/deploy/scripts/deploy_ubuntu.sh
Create the directories and config files following this folder: https://github.com/xiedeacc/shadowsocks-rust/tree/config_dns/deploy/ubuntu
http://127.0.0.1:9090/ is the admin console; use it to debug whether DNS and the rest are working.
ref
https://blog.xiedeacc.com/archives/setup_shadowsocks_nginx_https