Monthly archive: April 2022

Formatting a disk larger than 2TB on Ubuntu/Debian Linux 2022-4-24

Requirements

I bought a 4TB disk and needed to format it, only to find that fdisk does not support capacities above 2TB.

Steps

Install the parted tool

root@server:~# apt-get install parted

Format the disk

root@server:~# parted /dev/sda
(parted) mklabel gpt    # switch the disk to a GPT partition table
(parted) unit s
(parted) print  # check for existing partitions; if there are any, delete them by number
(parted) rm 1
(parted) mkpart HDD4TB ext4 0% 100%   # create a partition named HDD4TB spanning the whole disk
(parted) print  # check the result of the partitioning
Model: ADplus SuperVer (scsi)
Disk /dev/sda: 7814037168s
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
Disk Flags: 

Number  Start  End          Size         File system  Name    Flags
 1      2048s  7814035455s  7814033408s  ext4         HDD4TB

(parted) quit

If the prompt below appears, the partition is almost certainly not aligned to the system's block size; using the unit s and percentage-based mkpart commands shown above takes care of it.

Warning: The resulting partition is not properly aligned for best performance.
Ignore/Cancel
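As an added check that is not part of the original post: the script below parses a "unit s" print dump like the one above and verifies that each partition begins on a 1 MiB boundary and that both its start and its end fall on a physical-sector boundary, which is what the "not properly aligned" warning is about. Both dumps are constructed from the output shown here; the second one deliberately starts at sector 63, the old MBR default. On a live system, parted's own "align-check optimal 1" answers the same question for partition 1.

```shell
#!/bin/sh
# Added example (not from the post): check partition alignment from the
# "unit s" print output that parted shows, without touching any disk.

# Constructed from the print output in the post (aligned case).
PARTED_ALIGNED='Model: ADplus SuperVer (scsi)
Disk /dev/sda: 7814037168s
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
Disk Flags:

Number  Start  End          Size         File system  Name    Flags
 1      2048s  7814035455s  7814033408s  ext4         HDD4TB'

# Same disk, constructed with a partition starting at sector 63 (misaligned).
PARTED_MISALIGNED='Disk /dev/sda: 7814037168s
Sector size (logical/physical): 512B/4096B
Partition Table: gpt

Number  Start  End          Size         File system  Name    Flags
 1      63s    7814035455s  7814035393s  ext4         HDD4TB'

# Prints "<logical> <physical>" sector sizes in bytes from a parted print dump.
sector_sizes() {
  printf '%s\n' "$1" |
    sed -n 's/^Sector size (logical\/physical): \([0-9]*\)B\/\([0-9]*\)B$/\1 \2/p'
}

# Prints "<number> <start> <end> <size>" (all in sectors) per partition row.
partition_rows() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^[0-9]+$/ && $2 ~ /s$/ {
      sub(/s$/, "", $2); sub(/s$/, "", $3); sub(/s$/, "", $4)
      print $1, $2, $3, $4
    }'
}

# Prints "<number> ok" or "<number> misaligned" per partition; returns 1 if
# any partition is misaligned, 2 if the dump carries no sector-size line.
check_alignment() {
  dump=$1
  set -- $(sector_sizes "$dump")
  logical=${1:-}; physical=${2:-}
  if [ -z "$logical" ] || [ -z "$physical" ]; then
    echo "no sector size line"; return 2
  fi
  mib=1048576    # parted's default optimal alignment is a 1 MiB boundary
  report=$(partition_rows "$dump" | while read -r num start end size; do
    start_b=$(( start * logical ))
    next_b=$(( (end + 1) * logical ))    # first byte after the partition
    if [ $(( start_b % physical )) -eq 0 ] && [ $(( start_b % mib )) -eq 0 ] &&
       [ $(( next_b % physical )) -eq 0 ] && [ $(( end - start + 1 )) -eq "$size" ]; then
      echo "$num ok"
    else
      echo "$num misaligned"
    fi
  done)
  printf '%s\n' "$report"
  ! printf '%s\n' "$report" | grep -q misaligned
}

check_alignment "$PARTED_ALIGNED"
check_alignment "$PARTED_MISALIGNED" || echo "misaligned partition found"
```

To check a real disk, feed it the output of "parted /dev/sda unit s print"; the 2048s start above is 1 MiB exactly, which is why the percentage-based mkpart does not trigger the warning.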

If the following error appears, run these commands in sequence:

# pvcreate /dev/vdb
  Device /dev/vdb excluded by a filter.

# wipefs -a /dev/vdb
/dev/vdb: 8 bytes were erased at offset 0x00000200 (gpt): 45 46 49 20 50 41 52 54
/dev/vdb: 8 bytes were erased at offset 0x136efffffe00 (gpt): 45 46 49 20 50 41 52 54
/dev/vdb: 2 bytes were erased at offset 0x000001fe (PMBR): 55 aa
/dev/vdb: calling ioclt to re-read partition table: Success

# pvcreate /dev/vdb
  Physical volume "/dev/vdb" successfully created.

# vgcreate vg01 /dev/vdb
  Volume group "vg01" successfully created

rsync basic usage tutorial for syncing files 2022-04-17

Requirements

I run my BitTorrent downloads on a cloud VPS so they do not consume my home connection's upload bandwidth. Once a file has finished downloading on the VPS, I sync it to the Raspberry Pi at home with rsync.

This post introduces the basic usage of the rsync tool.

rsync is a file synchronization tool that supports incremental transfers.

Environment

1. Cloud VPS running Linux, hosting the BitTorrent downloads and a Nextcloud instance

2. Local Raspberry Pi running Linux

Setup

The goal is to sync files from the cloud server to the SSD attached to the local Raspberry Pi.

rsync must be installed on both ends. Both of mine run Ubuntu, so the following commands are all that is needed:

apt-get update
apt-get install rsync

Option reference

-v: show details of what rsync is doing. Use "-vvvv" for even more detail.
-P: show per-file transfer progress. (Strictly, "-P" = "--partial --progress", and it is "--progress" that shows the progress.)
-n --dry-run  : test the transfer without actually transferring anything. Often combined with "-vvvv" to see how rsync works.
-a --archive  : archive mode: recurse and preserve file attributes. Equivalent to "-rtopgDl".
-r --recursive: recurse into directories.
-t --times    : preserve mtime. Strongly recommended at all times; otherwise the destination mtime is set to the current time, the next run sees a different mtime, and incremental transfer is defeated.
-o --owner: preserve the owner.
-g --group: preserve the group.
-p --perms: preserve permissions (excluding the special permission bits).
-D        : shorthand for "--devices --specials", i.e. also copy device files and special files.
-l --links: when a file is a symlink, copy the symlink itself rather than the object it points to.
-z        : compress data during the transfer.
-R --relative: use relative paths. The full path given on the command line, not just the final file name, is sent to the server, attributes included. See the example below.
--size-only : by default files whose size or mtime differ are transferred; with this option only the size is compared.
-u --update : only copy when the source mtime is newer than that of an existing destination file. Note that this decision is made on the receiving side and does not affect deletion behaviour.
-d --dirs   : copy the directory itself without recursing. In a default recursive run a source of "dir1/file1" does not copy dir1; with this option dir1 is copied but file1 is not.
--max-size  : limit the largest file rsync will transfer. Unit suffixes and fractional values are allowed (e.g. "--max-size=1.5m").
--min-size  : limit the smallest file rsync will transfer. Useful for skipping tiny or junk files.
--exclude   : specify exclude rules for files that should not be transferred.
--delete    : make DEST mirror SRC: delete what is extra, add what is missing. Note that "--delete" runs on the receiver, so it is applied after the exclude/include rules have taken effect.
-b --backup : back up files that already exist on the destination; backups get a "~" suffix by default.
--backup-dir: directory in which to keep the backups. If not given, backups are stored alongside the files they back up.
-e          : remote shell program to use; defaults to ssh.
--port      : port to use when connecting to a daemon; defaults to 873.
--password-file: password file for daemon mode, read to allow non-interactive use. Note this is the rsync module password, not the remote shell login password.
-W --whole-file: disable the delta-transfer algorithm and send whole files. More efficient than delta transfer when network bandwidth exceeds disk bandwidth.
--existing  : only update files that already exist on the destination; files not yet present are not transferred. Note that with relative paths, files whose parent directory does not exist are not transferred either.
--ignore-existing: only update files that do not yet exist on the destination. Combined with "--existing" this has a special effect; see the example below.
--remove-source-files: delete source files once they have been transferred successfully.


Options
 -v, --verbose               increase verbosity
     --info=FLAGS            fine-grained informational verbosity
     --debug=FLAGS           fine-grained debug verbosity
     --msgs2stderr           special output handling for debugging
 -q, --quiet                 suppress non-error messages
     --no-motd               suppress daemon-mode MOTD (see manpage caveat)
 -c, --checksum              skip based on checksum, not mod-time & size
 -a, --archive               archive mode; equals -rlptgoD (no -H,-A,-X)
     --no-OPTION             turn off an implied OPTION (e.g. --no-D)
 -r, --recursive             recurse into directories
 -R, --relative              use relative path names
     --no-implied-dirs       don't send implied dirs with --relative
 -b, --backup                make backups (see --suffix & --backup-dir)
     --backup-dir=DIR        make backups into hierarchy based in DIR
     --suffix=SUFFIX         set backup suffix (default ~ w/o --backup-dir)
 -u, --update                skip files that are newer on the receiver
     --inplace               update destination files in-place (SEE MAN PAGE)
     --append                append data onto shorter files
     --append-verify         like --append, but with old data in file checksum
 -d, --dirs                  transfer directories without recursing
 -l, --links                 copy symlinks as symlinks
 -L, --copy-links            transform symlink into referent file/dir
     --copy-unsafe-links     only "unsafe" symlinks are transformed
     --safe-links            ignore symlinks that point outside the source tree
     --munge-links           munge symlinks to make them safer (but unusable)
 -k, --copy-dirlinks         transform symlink to a dir into referent dir
 -K, --keep-dirlinks         treat symlinked dir on receiver as dir
 -H, --hard-links            preserve hard links
 -p, --perms                 preserve permissions
 -E, --executability         preserve the file's executability
     --chmod=CHMOD           affect file and/or directory permissions
 -A, --acls                  preserve ACLs (implies --perms)
 -X, --xattrs                preserve extended attributes
 -o, --owner                 preserve owner (super-user only)
 -g, --group                 preserve group
     --devices               preserve device files (super-user only)
     --copy-devices          copy device contents as regular file
     --specials              preserve special files
 -D                          same as --devices --specials
 -t, --times                 preserve modification times
 -O, --omit-dir-times        omit directories from --times
 -J, --omit-link-times       omit symlinks from --times
     --super                 receiver attempts super-user activities
     --fake-super            store/recover privileged attrs using xattrs
 -S, --sparse                turn sequences of nulls into sparse blocks
     --preallocate           allocate dest files before writing them
 -n, --dry-run               perform a trial run with no changes made
 -W, --whole-file            copy files whole (without delta-xfer algorithm)
     --checksum-choice=STR   choose the checksum algorithms
 -x, --one-file-system       don't cross filesystem boundaries
 -B, --block-size=SIZE       force a fixed checksum block-size
 -e, --rsh=COMMAND           specify the remote shell to use
     --rsync-path=PROGRAM    specify the rsync to run on the remote machine
     --existing              skip creating new files on receiver
     --ignore-existing       skip updating files that already exist on receiver
     --remove-source-files   sender removes synchronized files (non-dirs)
     --del                   an alias for --delete-during
     --delete                delete extraneous files from destination dirs
     --delete-before         receiver deletes before transfer, not during
     --delete-during         receiver deletes during the transfer
     --delete-delay          find deletions during, delete after
     --delete-after          receiver deletes after transfer, not during
     --delete-excluded       also delete excluded files from destination dirs
     --ignore-missing-args   ignore missing source args without error
     --delete-missing-args   delete missing source args from destination
     --ignore-errors         delete even if there are I/O errors
     --force                 force deletion of directories even if not empty
     --max-delete=NUM        don't delete more than NUM files
     --max-size=SIZE         don't transfer any file larger than SIZE
     --min-size=SIZE         don't transfer any file smaller than SIZE
     --partial               keep partially transferred files
     --partial-dir=DIR       put a partially transferred file into DIR
     --delay-updates         put all updated files into place at transfer's end
 -m, --prune-empty-dirs      prune empty directory chains from the file-list
     --numeric-ids           don't map uid/gid values by user/group name
     --usermap=STRING        custom username mapping
     --groupmap=STRING       custom groupname mapping
     --chown=USER:GROUP      simple username/groupname mapping
     --timeout=SECONDS       set I/O timeout in seconds
     --contimeout=SECONDS    set daemon connection timeout in seconds
 -I, --ignore-times          don't skip files that match in size and mod-time
 -M, --remote-option=OPTION  send OPTION to the remote side only
     --size-only             skip files that match in size
 -@, --modify-window=NUM     set the accuracy for mod-time comparisons
 -T, --temp-dir=DIR          create temporary files in directory DIR
 -y, --fuzzy                 find similar file for basis if no dest file
     --compare-dest=DIR      also compare destination files relative to DIR
     --copy-dest=DIR         ... and include copies of unchanged files
     --link-dest=DIR         hardlink to files in DIR when unchanged
 -z, --compress              compress file data during the transfer
     --compress-level=NUM    explicitly set compression level
     --skip-compress=LIST    skip compressing files with a suffix in LIST
 -C, --cvs-exclude           auto-ignore files the same way CVS does
 -f, --filter=RULE           add a file-filtering RULE
 -F                          same as --filter='dir-merge /.rsync-filter'
                             repeated: --filter='- .rsync-filter'
     --exclude=PATTERN       exclude files matching PATTERN
     --exclude-from=FILE     read exclude patterns from FILE
     --include=PATTERN       don't exclude files matching PATTERN
     --include-from=FILE     read include patterns from FILE
     --files-from=FILE       read list of source-file names from FILE
 -0, --from0                 all *-from/filter files are delimited by 0s
 -s, --protect-args          no space-splitting; only wildcard special-chars
     --address=ADDRESS       bind address for outgoing socket to daemon
     --port=PORT             specify double-colon alternate port number
     --sockopts=OPTIONS      specify custom TCP options
     --blocking-io           use blocking I/O for the remote shell
     --stats                 give some file-transfer stats
 -8, --8-bit-output          leave high-bit chars unescaped in output
 -h, --human-readable        output numbers in a human-readable format
     --progress              show progress during transfer
 -P                          same as --partial --progress
 -i, --itemize-changes       output a change-summary for all updates
     --out-format=FORMAT     output updates using the specified FORMAT
     --log-file=FILE         log what we're doing to the specified FILE
     --log-file-format=FMT   log updates using the specified FMT
     --password-file=FILE    read daemon-access password from FILE
     --list-only             list the files instead of copying them
     --bwlimit=RATE          limit socket I/O bandwidth
     --stop-at=y-m-dTh:m     Stop rsync at year-month-dayThour:minute
     --time-limit=MINS       Stop rsync after MINS minutes have elapsed
     --outbuf=N|L|B          set output buffering to None, Line, or Block
     --write-batch=FILE      write a batched update to FILE
     --only-write-batch=FILE like --write-batch but w/o updating destination
     --read-batch=FILE       read a batched update from FILE
     --protocol=NUM          force an older protocol version to be used
     --iconv=CONVERT_SPEC    request charset conversion of filenames
     --checksum-seed=NUM     set block/file checksum seed (advanced)
     --noatime               do not alter atime when opening source files
 -4, --ipv4                  prefer IPv4
 -6, --ipv6                  prefer IPv6
     --version               print version number
(-h) --help                  show this help (-h is --help only if used alone)


When the source is a directory, a trailing slash matters: without it, the whole directory including the directory itself is transferred; with it, only the directory's contents are transferred, not the directory itself.

rsync -avz -e "ssh -p 22" root@10.11.11.247:/root/src /root/


rsync -avz -e "ssh -p 22" root@10.11.11.247:/root/src/*.gz /root/src/
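An added example, not from the original post, that makes the trailing-slash rule concrete on a constructed scratch tree and also shows the habit worth having before any sync that uses --delete: a -n -i (dry-run, itemized) pass that lists what would be removed on the receiver without touching it. It needs rsync installed locally; every path is a temporary directory created by the script itself.

```shell
#!/bin/sh
# Added example (not from the post): trailing-slash semantics and a
# dry-run preview of --delete, all on scratch directories built here.

# Builds src/a.txt and src/sub/b.txt (plus an empty dst/) under a fresh
# temporary directory and prints that directory's path.
make_tree() {
  work=$(mktemp -d) || return 1
  mkdir -p "$work/src/sub" "$work/dst"
  printf 'a\n' > "$work/src/a.txt"
  printf 'b\n' > "$work/src/sub/b.txt"
  printf '%s\n' "$work"
}

# Prints "<without-slash> <with-slash>": where a.txt lands on the receiver
# for "rsync -a src dst/" versus "rsync -a src/ dst/".
slash_demo() {
  work=$(make_tree) || return 1
  mkdir -p "$work/no_slash" "$work/slash"
  rsync -a "$work/src"  "$work/no_slash/"   # copies the directory itself
  rsync -a "$work/src/" "$work/slash/"      # copies only its contents
  no_slash=$(cd "$work/no_slash" && find . -name a.txt)
  slash=$(cd "$work/slash" && find . -name a.txt)
  rm -rf "$work"
  printf '%s %s\n' "$no_slash" "$slash"
}

# Seeds the receiver with a stray file, then runs "--delete" as a dry run
# with itemized output. Prints the "*deleting" lines rsync would act on,
# then "kept" (the stray file must survive a dry run) or "removed".
delete_preview() {
  work=$(make_tree) || return 1
  rsync -a "$work/src/" "$work/dst/"
  printf 'stale\n' > "$work/dst/stale.txt"
  rsync -a -n -i --delete "$work/src/" "$work/dst/" | grep '^\*deleting'
  if [ -f "$work/dst/stale.txt" ]; then echo kept; else echo removed; fi
  rm -rf "$work"
}

if command -v rsync >/dev/null 2>&1; then
  slash_demo        # ./src/a.txt ./a.txt
  delete_preview    # *deleting   stale.txt / kept
else
  echo "rsync is not installed; install it first (apt-get install rsync)"
fi
```

Once the dry run lists exactly the deletions you expect, rerun the same command without -n. The same two functions work unchanged with a remote source such as root@10.11.11.247:/root/src/ in place of the local path.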

Using another Shadowsocks server's IP as the exit for v2ray 2022-4-12

Section 1: Requirements

One server with Shadowsocks-libev already configured, IP address 10.11.11.247

ss://aes-128-gcm:P1122330099@10.11.11.247:16805

One server running the V2Ray server, IP address 10.11.11.223

Now the v2ray traffic needs to be routed out through the SS server.

The resulting routing path is: client ~ ~ V2Ray server ~ ~ SS server

# Shadowsocks-libev configuration with IPv6-first outbound, see https://dasmz.com/?p=1804

# Building and installing the Shadowsocks-libev server with AEAD cipher support, see https://dasmz.com/?p=1845

# Using a free socks5 IP as the exit for v2ray, see https://dasmz.com/?p=560

# VMess MD5 authentication phase-out mechanism https://dasmz.com/?p=1051

Section 2: Configure V2Ray's outbound parameters

V2Ray server configuration file

{
  "log": {
    "access": "/var/log/v2ray/access.log",
    "error": "/var/log/v2ray/errors.log",
    "loglevel": "info"
  },
  "inbound": {
    "port": 18505,
    "protocol": "vmess",
    "settings": {
      "clients": [
        {
          "id": "5b61942a-b2ee-434b-b39b-83daa7fcda39",
          "level": 1,
          "alterId": 6
        }
      ]
    }
  },
  "outbounds": [
    {
      "protocol": "shadowsocks",
      "settings": {
        "servers": [
          {
            "address": "10.11.11.247",
            "method": "aes-128-gcm",
            "ota": false,
            "password": "P1122330099",
            "port": 16805  
          }
        ]
      }
    }
  ],
  "routing": {
    "strategy": "rules",
    "settings": {
      "rules": [
        {
          "type": "field",
          "ip": [
            "10.0.0.0/8"
          ],
          "outboundTag": "blocked"
        }
      ]
    }
  }
}


Above is a tested, working server configuration with an outbound to a Shadowsocks server. Shadowsocks OTA has been deprecated; be sure to choose an AEAD cipher.

Client configuration

{
  "log": {
    "access": "",
    "error": "",
    "loglevel": "warning"
  },
  "inbounds": [
    {
      "tag": "proxy",
      "port": 10808,
      "listen": "127.0.0.1",
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ]
      },
      "settings": {
        "auth": "noauth",
        "udp": false
      }
    }
  ],
  "outbounds": [
    {
      "tag": "proxy",
      "protocol": "vmess",
      "settings": {
        "vnext": [
          {
            "address": "10.11.11.223",
            "port": 18505,
            "users": [
              {
                "id": "5b61942a-b2ee-434b-b39b-83daa7fcda39",
                "alterId": 6,
                "email": "t@t.tt",
                "security": "auto"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp"
      },
      "mux": {
        "enabled": false,
        "concurrency": -1
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {}
    },
    {
      "tag": "block",
      "protocol": "blackhole",
      "settings": {
        "response": {
          "type": "http"
        }
      }
    }
  ],
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      {
        "type": "field",
        "inboundTag": [
          "api"
        ],
        "outboundTag": "api"
      }
    ]
  }
}

Possible error: if the program fails to start, it is most likely because v2ray has dropped support for non-AEAD ciphers.

For example:
V2Ray 4.44.0 (V2Fly, a community-driven edition of V2Ray.) Custom (go1.17.3 linux/amd64)
A unified platform for anti-censorship.
2022/04/12 18:14:05 [Info] main/jsonem: Reading config: /etc/v2ray/config.json
main: failed to read config files: [/etc/v2ray/config.json] > infra/conf: unknown cipher method: aes-128-cfb

Appendix 1: Reference links

V2Ray Shadowsocks protocol configuration reference https://www.v2ray.com/en/configuration/protocols/shadowsocks.html

v2fly configuration reference https://guide.v2fly.org/basics/shadowsocks.html#%E6%9C%8D%E5%8A%A1%E5%99%A8%E9%85%8D%E7%BD%AE

NaïveProxy setup and installation tutorial 2022-4-8

Section 1: Brief introduction

NaïveProxy is a packet-forwarding suite built on the Chrome browser's network stack; what it is for, you already know. Its biggest advantage is that its TLS fingerprint is that of the Chrome browser, so it blends into the crowd: the traffic characteristics are exactly those of an ordinary browser.

Project page https://github.com/klzgrad/naiveproxy

Section 2: Environment

US server, 1 vCPU, 1GB RAM, 15GB disk

Local Windows PC

Section 3: Software stack

Debian 10

Go toolchain

Caddy, because its forward-proxy feature is needed; Nginx does not currently support this.

Section 4: Install the Go toolchain

Official site https://go.dev/

Go download page

At the time of writing the current Go release is 1.18, but I need to install Go 1.17 here, because Go 1.18 does not yet support qtls. Once a newer release supports qtls you can install that instead.

root@server:~#  apt-get update
root@server:~#  apt-get install libnss3 debian-keyring debian-archive-keyring apt-transport-https   # install dependencies
root@server:~#  mkdir -p /root/src/ /usr/local/
root@server:~#  cd /root/src/
root@server:~#  wget https://go.dev/dl/go1.17.linux-amd64.tar.gz
root@server:~#  tar -zxvf go1.17.linux-amd64.tar.gz -C /usr/local/
root@server:~#  vi /etc/profile
#  add the Go environment variables to /etc/profile
export GOROOT=/usr/local/go
export PATH=$GOROOT/bin:$PATH
root@server:~#  source /etc/profile
root@server:~#  which go
/usr/local/go/bin/go
root@server:~#  go version
go version go1.17 linux/amd64

Section 5: Install NaïveProxy and Caddy

NaïveProxy has to be installed this way, not by installing Caddy on its own; be sure to run the commands exactly as given.

Run the following commands on the server; the server needs unobstructed network access to GitHub. The build takes some time depending on your server's CPU, so be patient.

root@server:~# cd /root/src/
root@server:~# go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
root@server:~# ~/go/bin/xcaddy build --with github.com/caddyserver/forwardproxy@caddy2=github.com/klzgrad/forwardproxy@naive
root@server:~# cp caddy /usr/bin/
root@server:~# /usr/bin/caddy version        # 2022-4-8 23:09
v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=  
root@server:~# setcap cap_net_bind_service=+ep /usr/bin/caddy  # grant the bind capability so it can listen on port 443

Installation log

root@server:~#   go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
go: downloading github.com/caddyserver/xcaddy v0.2.1
go: downloading github.com/Masterminds/semver/v3 v3.1.1

root@server:~#   ~/go/bin/xcaddy build --with github.com/caddyserver/forwardproxy@caddy2=github.com/klzgrad/forwardproxy@naive
2022/04/08 04:15:51 [INFO] Temporary folder: /tmp/buildenv_2022-04-08-0415.1787806031
2022/04/08 04:15:51 [INFO] Writing main module: /tmp/buildenv_2022-04-08-0415.1787806031/main.go
2022/04/08 04:15:51 [INFO] Initializing Go module
2022/04/08 04:15:51 [INFO] exec (timeout=10s): /usr/local/go/bin/go mod init caddy 
go: creating new go.mod: module caddy
go: to add module requirements and sums:
	go mod tidy
2022/04/08 04:15:51 [INFO] Replace github.com/caddyserver/forwardproxy => github.com/klzgrad/forwardproxy@naive
2022/04/08 04:15:51 [INFO] exec (timeout=10s): /usr/local/go/bin/go mod edit -replace github.com/caddyserver/forwardproxy=github.com/klzgrad/forwardproxy@naive 
2022/04/08 04:15:51 [INFO] Pinning versions
2022/04/08 04:15:51 [INFO] exec (timeout=0s): /usr/local/go/bin/go get -d -v github.com/caddyserver/caddy/v2 
go: downloading github.com/caddyserver/caddy/v2 v2.4.6
go: downloading github.com/caddyserver/caddy v1.0.5
...
... the log is very long and is not reproduced here ...
...
/root/go/pkg/mod/github.com/lucas-clemente/quic-go@v0.23.0/internal/qtls/go118.go:5:13: cannot use "quic-go doesn't build on Go 1.18 yet." (untyped string constant) as int value in variable declaration

If the following error appears, the Go toolchain needs to be downgraded

/root/go/pkg/mod/github.com/lucas-clemente/quic-go@v0.23.0/internal/qtls/go118.go:5:13: cannot use "quic-go doesn't build on Go 1.18 yet." (untyped string constant) as int value in variable declaration

According to the developers, Go 1.18 does not yet support qtls, so installing Go 1.17 is sufficient.

If the build fails with the error above, delete the cache directory under the directory where the command was run and rebuild.

Output like the following indicates a successful build

go: downloading github.com/shurcooL/sanitized_anchor_name v1.0.0
go: downloading github.com/OneOfOne/xxhash v1.2.2
go: downloading github.com/spaolacci/murmur3 v1.1.0
go: downloading github.com/fsnotify/fsnotify v1.4.9
go: downloading golang.org/x/mod v0.4.2
go: downloading github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
go: downloading github.com/klzgrad/forwardproxy v0.0.0-20210613072432-ff60d3bb5ad1
go: found github.com/caddyserver/forwardproxy in github.com/caddyserver/forwardproxy v0.0.0-00010101000000-000000000000
go: downloading github.com/klauspost/cpuid v1.2.5
2022/04/08 06:12:32 [INFO] exec (timeout=0s): /usr/local/go/bin/go build -o /root/src/caddy -ldflags -w -s -trimpath 
2022/04/08 06:17:07 [INFO] Build complete: ./caddy
2022/04/08 06:17:07 [INFO] Cleaning up temporary folder: /tmp/buildenv_2022-04-08-0548.1309641503

Section 6: Caddy configuration file

Most people use IPv4 addresses, so you need an A record for a domain pointing at your server's public IPv4 address, plus a trusted certificate; do not use a self-signed certificate.

Official example configuration

{
  servers {
    protocol {
      experimental_http3
    }
  }
}
:443, example.com
tls me@example.com
route {
  forward_proxy {
    basic_auth user pass
    hide_ip
    hide_via
    probe_resistance
  }
  file_server { root /var/www/html }
}

Syntax explained; official reference https://caddyserver.com/docs/json/

{
  servers {
    protocol {
      experimental_http3  # enable HTTP/3
    }
  }
}
:443, example.com   # example.com is the domain whose A or AAAA record points at the server
tls me@example.com   # email address
route {
  forward_proxy {
    basic_auth user pass   # custom username and password; add one line per additional user in the same format
    hide_ip
    hide_via
    probe_resistance  # probe resistance
  }
  reverse_proxy {another.website.domain} # site to reverse-proxy; pick one of these two
  file_server { root /var/www/html } # locally served site; pick one of these two
}

A reminder from Dasmz: given the current network environment in mainland China, enabling HTTP/3 is not recommended, because it uses QUIC/UDP and domestic ISPs' QoS is not friendly to it.

Other Caddy parameter usage examples
forwardproxy {
    basicauth user1 password1
    basicauth user2 password2
    ports     80 443
    hide_ip
    hide_via
    probe_resistance secret-link-kWWL9Q.com # alternatively you can use a real domain, such as caddyserver.com
    serve_pac        /secret-proxy.pac
    response_timeout 30
    dial_timeout     30
    upstream         https://user:password@extra-upstream-hop.com
    acl {
      allow     *.caddyserver.com
      deny      192.168.1.1/32 192.168.0.0/16 *.prohibitedsite.com *.localhost
      allow     ::1/128 8.8.8.8 github.com *.github.io
      allowfile /path/to/whitelist.txt
      denyfile  /path/to/blacklist.txt
      allow     all
      deny      all # unreachable rule, remaining requests are matched by `allow all` above
    }
}
A sample server configuration 2022-4-9
#  /etc/caddy/caddy_server.json
{
  "admin": {
    "disabled": true
  },
  "logging": {
    "sink": {
      "writer": {
        "output": "discard"
      }
    },
    "logs": {
      "default": {
        "writer": {
          "output": "discard"
        }
      }
    }
  },
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [
            ":18443"
          ],
          "routes": [
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "auth_pass_deprecated": "U",
                          "auth_user_deprecated": "P_75b8B1",
                          "handler": "forward_proxy",
                          "hide_ip": true,
                          "hide_via": true,
                          "probe_resistance": {}
                        }
                      ]
                    },
                    {
                      "match": [
                        {
                          "host": [
                            "server.my999999999.com"
                          ]
                        }
                      ],
                      "handle": [
                        {
                          "handler": "file_server",
                          "root": "/var/www/html",
                          "index_names": [
                            "index.html"
                          ]
                        }
                      ],
                      "terminal": true
                    }
                  ]
                }
              ]
            }
          ],
          "experimental_http3": false,
          "tls_connection_policies": [
            {
              "match": {
                "sni": [
                  "server.my999999999.com"
                ]
              }
            }
          ],
          "automatic_https": {
            "disable": true
          }
        }
      }
    },
    "tls": {
      "certificates": {
        "load_files": [
          {
            "certificate": "/root/server.my999999999.com/server.my999999999.com.cer",
            "key": "/root/server.my999999999.com/server.my999999999.com.key"
          }
        ]
      }
    }
  }
}

Run the server

/usr/bin/caddy run --config /etc/caddy/caddy_server.json

Section 7: Configure the service

# /etc/systemd/system/naive.service
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/caddy_server.json
ExecReload=/usr/bin/caddy reload --config /etc/caddy/caddy_server.json
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
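An added preflight, not from the original post, for the Section 6 Caddy JSON and the Section 7 unit file above. It checks that the account named in User= can open the certificate and key the JSON loads (the read bit on the file and the execute bit on every directory above it), that the key is not world-readable, and that a listen port below 1024 is backed by AmbientCapabilities=CAP_NET_BIND_SERVICE (the setcap step earlier only covers a caddy started by hand). The sample configuration loads its files from under /root/ while the unit runs as User=caddy; whether that account can actually open them depends on the permissions of /root/ and of the files, which is exactly what the first check reports. Readability is inferred from GNU stat output rather than by switching users, so it assumes Debian's coreutils; the test uses constructed files only.

```shell
#!/bin/sh
# Added example (not from the post): preflight checks for a Caddy JSON config
# and the systemd unit that runs it, using only stat, grep, sed and id.

# Prints the User= of a unit file, or root when the unit has none.
unit_user() {
  uu=$(sed -n 's/^User=//p' "$1" | head -n 1)
  printf '%s\n' "${uu:-root}"
}

unit_has_bind_cap() {
  grep -q '^AmbientCapabilities=.*CAP_NET_BIND_SERVICE' "$1"
}

# Values of the "certificate" and "key" entries in the Caddy JSON (no jq).
tls_files() {
  grep -oE '"(certificate|key)" *: *"[^"]*"' "$1" | sed 's/.*"\([^"]*\)"$/\1/'
}

tls_key() {
  grep -oE '"key" *: *"[^"]*"' "$1" | sed 's/.*"\([^"]*\)"$/\1/' | head -n 1
}

# Listen ports, i.e. the ":18443"-style strings in the "listen" arrays.
listen_ports() {
  grep -oE '":[0-9]+"' "$1" | tr -d '":'
}

# True if user $1 has permission bit $3 (4=read, 1=execute) on path $2,
# judged from the owner, group and octal mode that stat reports.
user_perm_bit() {
  pu=$1; pp=$2; bit=$3
  [ -e "$pp" ] || return 1
  set -- $(stat -c '%U %G %a' "$pp")
  owner=$1; group=$2; mode=$(( 0$3 ))     # "600" -> octal 0600 -> 384
  if [ "$pu" = "$owner" ]; then cls=$(( mode / 64 % 8 ))
  elif id -Gn "$pu" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$group"; then cls=$(( mode / 8 % 8 ))
  else cls=$(( mode % 8 )); fi
  [ $(( cls / bit % 2 )) -eq 1 ]
}

# True if user $1 can read file $2: read bit on the file plus the execute
# bit on every directory above it. root bypasses the check.
user_can_read() {
  ru=$1; rf=$2
  [ -f "$rf" ] || return 1
  [ "$ru" = root ] && return 0
  user_perm_bit "$ru" "$rf" 4 || return 1
  rd=$(dirname "$rf")
  while [ "$rd" != / ] && [ "$rd" != . ]; do
    user_perm_bit "$ru" "$rd" 1 || return 1
    rd=$(dirname "$rd")
  done
  return 0
}

others_can_read() {
  set -- $(stat -c '%a' "$1"); [ $(( 0$1 % 8 / 4 )) -eq 1 ]
}

# Runs every check; prints one line per finding and returns 1 on any FAIL.
preflight_caddy() {
  unit=$1; cfg=$2; rc=0
  svc_user=$(unit_user "$unit")
  for f in $(tls_files "$cfg"); do
    if user_can_read "$svc_user" "$f"; then echo "ok: $svc_user can read $f"
    else echo "FAIL: $svc_user cannot read $f"; rc=1; fi
  done
  key=$(tls_key "$cfg")
  if [ -f "$key" ] && others_can_read "$key"; then
    echo "FAIL: $key is world-readable"; rc=1
  fi
  for p in $(listen_ports "$cfg"); do
    if [ "$p" -lt 1024 ] && [ "$svc_user" != root ] && ! unit_has_bind_cap "$unit"; then
      echo "FAIL: port $p needs AmbientCapabilities=CAP_NET_BIND_SERVICE for User=$svc_user"; rc=1
    fi
  done
  return $rc
}

# On the server from the post:
#   preflight_caddy /etc/systemd/system/naive.service /etc/caddy/caddy_server.json
if [ -f /etc/systemd/system/naive.service ] && [ -f /etc/caddy/caddy_server.json ]; then
  preflight_caddy /etc/systemd/system/naive.service /etc/caddy/caddy_server.json
fi
```

Run it before "systemctl start naive"; a FAIL on the key is fixed by moving the certificate and key to a directory the caddy user owns, with the key at mode 600, rather than by loosening /root/.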

Section 8: Client configuration

Download the matching NaiveProxy client from the Releases page, extract it and run it, preferring a recent version. Edit the client configuration file config.json, i.e. /etc/naive/config.json

{
  "listen": "socks://127.0.0.1:1080",
  "proxy": "https://U:P_75b8B1@server.my999999999.com:18443"
}
# run on the client
naive config.json

NaiveProxy client configuration (if using HTTP/3, change https:// to quic://)

Appendix 1: References

xcaddy project https://github.com/caddyserver/xcaddy

https://www.oilandfish.com/posts/naiveproxy-caddy-2.html

https://raw.githubusercontent.com/proxysu/shellscript/master/Caddy-Naive/caddy-naive-install.sh

Cloud platforms and virtualization: Proxmox VE from basics to advanced 2022-4-6

When testing software, I sometimes want a lightweight cloud computing and virtualization environment. The options are ESXi, Proxmox VE, OpenStack, Hyper-V and XCP-ng.

Among Chinese users ESXi is probably the most common; unlike commercial use of pirated copies, which draws lawyer's letters, personal use of pirated software currently carries no legal consequences in the prevailing environment.

Today I will introduce Proxmox VE, PVE for short.

Section 1: PVE basics: download and install

PVE is a full-virtualization platform that is installed directly on the hardware. It suits a simple, small network, which matches my need for an easy test environment.

Official download page https://www.proxmox.com/en/downloads

As of the day this is written (2022-4-6), the latest stable PVE release is 7.1-2; download that ISO from the official site.

Write the ISO to a USB stick with a tool such as UltraISO, Rufus or Ventoy to create a bootable installer.

Once in the installer, plug in the network cable. There are a few choices to make:

1. The target disk. I chose my 120GB SSD, formatted as EXT4.

2. Hostname, in the form xxx.domain.com

3. Email address; a real one is fine, e.g. yourname@126.com

4. After installation the web interface is usually at https://192.168.1.X:8006/ with username root and the password you just set.

Open that address in a browser on your own computer to manage PVE via the web UI. That completes a basic PVE virtualization environment.

The interface defaults to English. In the web UI, click root@pam in the upper right, choose Language, then Chinese Simplified (简体中文).

Section 2: PVE basics: create a VM from the Ubuntu 20.04 ISO

Preamble: my PVE is installed on a laptop with an i3 processor, 8GB RAM and a 120GB SSD; the NIC is the laptop's wired port, cabled to the home router.

1. Download the Ubuntu 20.04 image. The official Ubuntu site is usually recommended; users in mainland China should use a domestic mirror for speed. There are many mirrors; the main ones include Tsinghua, USTC, Alibaba, Tencent and 163.

As shown in the screenshot, for server use download the live-server edition, ubuntu-20.04.4-live-server-amd64.iso

2. Upload the freshly downloaded Ubuntu 20.04 ISO to PVE under local/ISO Images

3. Click the host name in the left pane, then Create VM; name it ubuntu-20.04-server1.

Next, on the OS tab, select the ISO you want to install

System: defaults

Disk: choose the disk size according to your needs, not exceeding the free space on the local disk. For a personal Ubuntu server, 15GB is enough.

CPU: for a personal Linux server, 1 core is generally enough

Memory: for a personal Linux server, 1GB is generally enough

Network: I kept the default bridge, vmbr0

Then start the VM; click Console under the newly created VM's name in the left pane to see the Ubuntu 20.04 installer.

Appendix

000089. Cloud platforms and virtualization: Proxmox VE basics 20220406

Blog post for this episode https://dasmz.com/?p=1869
Video for this episode https://youtu.be/Ljy3qvtFzgo

Building the Shadowsocks-libev server from source with AEAD cipher support 2022-4-5

Section 1: Requirements

I installed Shadowsocks on the server with apt-get install shadowsocks-libev, set the cipher to aes-128-gcm, restarted the server and checked its status, only to find:

ERROR: Invalid cipher name: aes-128-gcm, use rc4-md5 instead

The message means this version of the server does not support the requested cipher and has substituted the simple rc4-md5 cipher.

Section 2: Analysis

Check the version of shadowsocks on the server

root@c501:~# ss-server -help
shadowsocks-libev 2.6.3 with mbed TLS 2.4.2

  maintained by Max Lv <max.c.lv@gmail.com> and Linus Yang <laokongzi@gmail.com>

  usage:

    ss-server

       -s <server_host>           Host name or IP address of your remote server.
       -p <server_port>           Port number of your remote server.
       -l <local_port>            Port number of your local server.
       -k <password>              Password of your remote server.
       -m <encrypt_method>        Encrypt method: table, rc4, rc4-md5,
                                  aes-128-cfb, aes-192-cfb, aes-256-cfb,
                                  aes-128-ctr, aes-192-ctr, aes-256-ctr,
                                  bf-cfb, camellia-128-cfb, camellia-192-cfb,
                                  camellia-256-cfb, cast5-cfb, des-cfb,
                                  idea-cfb, rc2-cfb, seed-cfb, salsa20 and
                                  chacha20.
                                  The default cipher is rc4-md5.

As you can see, the version installed on this server via apt-get install shadowsocks-libev is 2.6.3, and the ciphers it supports are:

rc4, rc4-md5, aes-128-cfb, aes-192-cfb, aes-256-cfb, aes-128-ctr, aes-192-ctr, aes-256-ctr, bf-cfb, camellia-128-cfb, camellia-192-cfb, camellia-256-cfb, cast5-cfb, des-cfb, idea-cfb, rc2-cfb, seed-cfb, salsa20 and chacha20

In short, the build lacks the AEAD cipher libraries; building and installing it yourself fixes that.

Section 3: Information on the two extra projects to install, Mbed-TLS and libsodium

libsodium project page https://github.com/jedisct1/libsodium

Mbed-TLS project page https://github.com/Mbed-TLS/mbedtls

Shadowsocks-libev project page https://github.com/shadowsocks/shadowsocks-libev

This post was written on 2022-4-5 at 13:59; the latest versions at that time are

Mbed-TLS 2.28.0, the highest 2.X.X release; use that

https://github.com/Mbed-TLS/mbedtls/archive/refs/tags/v2.28.0.tar.gz

libsodium 1.0.18

https://github.com/jedisct1/libsodium/releases/download/1.0.18-RELEASE/libsodium-1.0.18.tar.gz

shadowsocks-libev 3.3.5

https://github.com/shadowsocks/shadowsocks-libev/releases/download/v3.3.5/shadowsocks-libev-3.3.5.tar.gz

Section 4: Deployment

Install the required dependencies

apt-get update
apt-get install gettext build-essential unzip gzip python3 curl openssl libssl-dev autoconf automake libtool gcc make perl cpio libpcre3 libpcre3-dev zlib1g-dev libev-dev libc-ares-dev

Download the source code

mkdir -p /root/src

cd /root/src/

# Mbed-TLS 2.28.0
wget https://github.com/Mbed-TLS/mbedtls/archive/refs/tags/v2.28.0.tar.gz
# libsodium 1.0.18
wget https://github.com/jedisct1/libsodium/releases/download/1.0.18-RELEASE/libsodium-1.0.18.tar.gz
# shadowsocks-libev 3.3.5
wget https://github.com/shadowsocks/shadowsocks-libev/releases/download/v3.3.5/shadowsocks-libev-3.3.5.tar.gz
# install Mbed-TLS 2.28.0
cd /root/src
tar -zxf v2.28.0.tar.gz
cd mbedtls-2.28.0
make SHARED=1 CFLAGS=-fPIC
make DESTDIR=/usr install
# install libsodium 1.0.18
cd /root/src
tar -zxf libsodium-1.0.18.tar.gz
cd libsodium-1.0.18
./configure --prefix=/usr && make && make install
ldconfig -p
echo '/usr/lib' > /etc/ld.so.conf.d/usr_lib.conf
ldconfig
# install shadowsocks-libev 3.3.5
mkdir -p /etc/shadowsocks-libev
cd /root/src
tar -zxf shadowsocks-libev-3.3.5.tar.gz
cd shadowsocks-libev-3.3.5
./configure --prefix=/usr --disable-documentation && make && make install
# configure the service: edit the config file and enable it at boot
Create /etc/systemd/system/shadowsocks-libev.service

[Unit]
Description=Shadowsocks-libev Default Server Service
After=network-online.target network-online.target 

[Service]
Type=simple
LimitNOFILE=32768
ExecStart=/usr/bin/ss-server -c /etc/shadowsocks-libev/config.json
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
# an example server configuration, /etc/shadowsocks-libev/config.json
{
    "server":["[::0]", "0.0.0.0"],
    "server_port":16805,
    "local_port":1080,
    "password":"P1122330099",
    "timeout":60,
    "method":"aes-128-gcm",
    "nameserver":"1.1.1.1",
    "mode":"tcp_only",
    "ipv6_first": true
}
# if IPv6-first is not needed, simply remove that setting
# for IPv4 only, listen on "0.0.0.0"
# for UDP, set mode to tcp_and_udp
# an example server configuration, /etc/shadowsocks-libev/config.json
{
    "server":"0.0.0.0",
    "server_port":16805,
    "local_port":1080,
    "password":"P1122330099",
    "timeout":60,
    "method":"aes-128-gcm",
    "nameserver":"1.1.1.1",
    "mode":"tcp_and_udp"
}
# if IPv6-first is not needed, simply remove that setting
# for IPv4 only, listen on "0.0.0.0"
# for UDP, set mode to tcp_and_udp
# for a server in mainland China serving domestic clients, nameserver must be a domestic DNS server
# an example server configuration, /etc/shadowsocks-libev/config.json
{
    "server":"0.0.0.0",
    "server_port":16805,
    "local_port":1080,
    "password":"P1122330099",
    "timeout":60,
    "method":"aes-128-gcm",
    "nameserver":"114.114.114.114",
    "mode":"tcp_and_udp"
}
Supported ciphers
Encrypt method: rc4-md5,
aes-128-gcm, aes-192-gcm, aes-256-gcm,
aes-128-cfb, aes-192-cfb, aes-256-cfb,
aes-128-ctr, aes-192-ctr, aes-256-ctr,
camellia-128-cfb, camellia-192-cfb,
camellia-256-cfb, bf-cfb,
chacha20-ietf-poly1305,
xchacha20-ietf-poly1305,
salsa20, chacha20 and chacha20-ietf.
The default cipher is chacha20-ietf-poly1305
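An added preflight, not from the original posts, that serves both this post and the v2ray outbound post above: it reads the "method" from a Shadowsocks-libev config.json (or from a V2Ray shadowsocks outbound, where the key is spelled the same) and fails unless the cipher is one of the AEAD ciphers in the 3.3.5 list above and the installed ss-server actually advertises it. That catches both failures shown in these posts, "Invalid cipher name: aes-128-gcm, use rc4-md5 instead" from the 2.6.3 build and v2ray's "unknown cipher method: aes-128-cfb", before the service is started. The two help-text excerpts are constructed from the 2.6.3 and 3.3.5 output quoted in this post; ss-server is only invoked when no help text is passed in.

```shell
#!/bin/sh
# Added example (not from the post): refuse a Shadowsocks config whose
# "method" is not an AEAD cipher or is not offered by the installed ss-server.

# AEAD ciphers, taken from the shadowsocks-libev 3.3.5 help text above.
AEAD_CIPHERS='aes-128-gcm aes-192-gcm aes-256-gcm chacha20-ietf-poly1305 xchacha20-ietf-poly1305'

# Cipher lists as printed by "ss-server -help" for the two builds discussed
# (constructed, abridged, from the help output quoted in the post).
HELP_2_6_3='Encrypt method: table, rc4, rc4-md5, aes-128-cfb, aes-192-cfb, aes-256-cfb,
aes-128-ctr, aes-192-ctr, aes-256-ctr, bf-cfb, salsa20 and chacha20.
The default cipher is rc4-md5.'
HELP_3_3_5='Encrypt method: rc4-md5, aes-128-gcm, aes-192-gcm, aes-256-gcm,
aes-128-cfb, aes-192-cfb, aes-256-cfb, chacha20-ietf-poly1305,
xchacha20-ietf-poly1305, salsa20, chacha20 and chacha20-ietf.
The default cipher is chacha20-ietf-poly1305'

is_aead_cipher() {
  for c in $AEAD_CIPHERS; do
    [ "$c" = "$1" ] && return 0
  done
  return 1
}

# Prints the first "method" value in a JSON config (no jq needed; handles
# both the "method":"x" and the "method": "x" spellings seen in the posts).
config_method() {
  grep -oE '"method" *: *"[^"]*"' "$1" | head -n 1 | sed 's/.*"\([^"]*\)"$/\1/'
}

# True when help text ($2, defaulting to the installed ss-server's own)
# lists cipher $1 as a whole comma/space-separated token.
server_offers() {
  help=${2:-$(ss-server -help 2>&1)}
  printf '%s\n' "$help" | tr -s ', ' '\n\n' | sed 's/\.$//' | grep -qx -- "$1"
}

# Preflight for a config file: returns 0 only when the method is AEAD and
# the server build offers it; prints one line explaining the verdict.
preflight_cipher() {
  cfg=$1; help=${2:-}
  m=$(config_method "$cfg")
  if [ -z "$m" ]; then echo "$cfg: no \"method\" found"; return 1; fi
  if ! is_aead_cipher "$m"; then
    echo "$m: stream cipher; rejected by V2Ray and deprecated in shadowsocks-libev"; return 1
  fi
  if ! server_offers "$m" "$help"; then
    echo "$m: not offered by this ss-server build; rebuild with mbedtls and libsodium"; return 1
  fi
  echo "$m: ok"
}

# On the server from the post (uses the installed ss-server's help text):
#   preflight_cipher /etc/shadowsocks-libev/config.json
[ -f /etc/shadowsocks-libev/config.json ] && preflight_cipher /etc/shadowsocks-libev/config.json
```

Wire it into the unit as an ExecStartPre= step, or run it by hand after every config edit; with the 2.6.3 package it reports aes-128-gcm as not offered, and with aes-128-cfb it refuses regardless of the build.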

Appendix 1: Possible errors

checking whether mbedtls supports Cipher Feedback mode or not… configure: error: MBEDTLS_CIPHER_MODE_CFB required

This error means mbedtls is not installed, or the installed mbedtls is not a 2.X.Y release

Appendix 2: Reference links
Reference https://raw.githubusercontent.com/teddysun/shadowsocks_install/master/shadowsocks-all.sh
Reference https://github.com/shadowsocks/shadowsocks-libev/issues/663