#!/bin/bash # Envoy v1.38.0 安装与配置脚本 # 核心特性:gRPC/WS/CONNECT 长连接优先、BDP 动态窗口、STRICT_DNS 双栈解析、LEAST_REQUEST 负载均衡、主动健康检查与被动摘除 # 当前取向:优先不断流与多 IP/单 IP 双栈适配,兼顾 CLI 自动化部署与交互式运维 # 防护特性:路径规范化、TLS 版本收敛、请求头超时防护、可选普通流量反代 # ===== 全局配置 ===== DOWNLOAD_SERVER="666ATM666.x9y.club" # 伪装反代连接地址与路径需单独指定;不与下载站复用。 CAMOUFLAGE_HOST="www.netlify.com" # 留空时默认复用 CAMOUFLAGE_HOST;若反代站套了 CDN,可单独指定回源 Host/SNI。 CAMOUFLAGE_ORIGIN_HOST="www.netlify.com" # 留空表示保留原始请求路径;仅在确需固定落地页时设置形如 /new CAMOUFLAGE_PATH="" ENVOY_BIN="/usr/sbin/envoy" ENVOY_CONFIG="/etc/envoy/envoy.yaml" SYSCTL_CONFIG="/etc/sysctl.d/99-envoy-optimized.conf" TOOL_PATH="/usr/local/bin/envoy_tool" LIMITS_DROPIN="/etc/security/limits.d/99-envoy-optimized.conf" MODULES_LOAD_CONFIG="/etc/modules-load.d/bbr.conf" STATE_DIR="/var/lib/envoy-tool" THP_STATE_FILE="${STATE_DIR}/transparent_hugepage.mode" PROFILE_MARKER_BEGIN="# >>> envoy-tool managed block >>>" PROFILE_MARKER_END="# <<< envoy-tool managed block <<<" PAM_MARKER_BEGIN="# >>> envoy-tool pam_limits >>>" PAM_MARKER_END="# <<< envoy-tool pam_limits <<<" # 默认值 DEFAULT_BW_MBPS=1000 # 以跨境高时延场景为默认档位,面向约 350ms / 1Gbps 的目标进行调优 DEFAULT_RTT_MS=350 # 颜色 RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[0;33m' NC='\033[0m' # ===== 辅助函数 ===== log_info() { echo -e "${GREEN}[INFO]${NC} $1"; } log_err() { echo -e "${RED}[ERROR]${NC} $1" >&2; } remove_managed_block() { local file_path="$1" local begin_marker="$2" local end_marker="$3" local tmp_file="${file_path}.tmp.$$" [ -f "$file_path" ] || return 0 awk -v begin="$begin_marker" -v end="$end_marker" ' $0 == begin { skip = 1; next } $0 == end { skip = 0; next } !skip { print } ' "$file_path" > "$tmp_file" && mv -f "$tmp_file" "$file_path" } write_managed_block() { local file_path="$1" local begin_marker="$2" local end_marker="$3" local block_content="$4" local tmp_file="${file_path}.tmp.$$" local file_dir file_dir=$(dirname "$file_path") mkdir -p "$file_dir" touch "$file_path" remove_managed_block "$file_path" "$begin_marker" "$end_marker" cp -f "$file_path" "$tmp_file" { cat "$tmp_file" printf "\n%s\n%s\n%s\n" "$begin_marker" "$block_content" "$end_marker" } > "$file_path" rm -f "$tmp_file" } save_thp_mode() { local current_mode="" [ -r /sys/kernel/mm/transparent_hugepage/enabled ] || return 0 mkdir -p "$STATE_DIR" if [ ! -f "$THP_STATE_FILE" ]; then current_mode=$(grep -o '\[[^]]*\]' /sys/kernel/mm/transparent_hugepage/enabled 2>/dev/null | tr -d '[]') case "$current_mode" in always|madvise|never) printf "%s\n" "$current_mode" > "$THP_STATE_FILE" ;; esac fi } restore_thp_mode() { local saved_mode="" [ -r "$THP_STATE_FILE" ] || return 0 [ -w /sys/kernel/mm/transparent_hugepage/enabled ] || return 0 saved_mode=$(tr -d '[:space:]' < "$THP_STATE_FILE") case "$saved_mode" in always|madvise|never) echo "$saved_mode" > /sys/kernel/mm/transparent_hugepage/enabled 2>/dev/null || true ;; esac rm -f "$THP_STATE_FILE" } check_root() { if [ "$EUID" -ne 0 ]; then log_err "请使用 root 运行" exit 1 fi } download_file() { local url="$1" local dest="$2" log_info "正在下载 $url -> $dest" if command -v curl >/dev/null 2>&1; then curl -fsSL "$url" -o "$dest" elif command -v wget >/dev/null 2>&1; then wget -qO "$dest" "$url" else log_err "未找到 curl 或 wget" return 1 fi if [ ! -s "$dest" ]; then log_err "下载失败或文件为空: $dest" rm -f "$dest" return 1 fi } normalize_optional_path() { local raw_path="$1" if [ -z "$raw_path" ] || [ "$raw_path" = "/" ]; then echo "" return fi case "$raw_path" in /*) echo "$raw_path" ;; *) echo "/$raw_path" ;; esac } get_effective_camouflage_origin_host() { if [ -n "$CAMOUFLAGE_ORIGIN_HOST" ]; then echo "$CAMOUFLAGE_ORIGIN_HOST" else echo "$CAMOUFLAGE_HOST" fi } validate_envoy_txt() { local file_path="$1" if [ ! -s "$file_path" ]; then log_err "envoy.txt 不存在或为空: $file_path" return 1 fi awk ' BEGIN { ok = 1 } /^[[:space:]]*($|#)/ { next } NF != 4 { printf("[ERROR] envoy.txt 第 %d 行字段数错误,期望 4 列,实际 %d 列\n", NR, NF) > "/dev/stderr" ok = 0 next } $2 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { printf("[ERROR] envoy.txt 第 %d 行端口不是数字: %s %s %s %s\n", NR, $1, $2, $3, $4) > "/dev/stderr" ok = 0 next } $2 < 1 || $2 > 65535 || $4 < 1 || $4 > 65535 { printf("[ERROR] envoy.txt 第 %d 行端口超出范围: %s %s %s %s\n", NR, $1, $2, $3, $4) > "/dev/stderr" ok = 0 next } seen_port[$2]++ { if (seen_port[$2] > 1) { printf("[ERROR] envoy.txt 第 %d 行监听端口重复: %s;当前脚本会以本地端口生成 listener/cluster 名称,端口必须唯一\n", NR, $2) > "/dev/stderr" ok = 0 } } END { exit(ok ? 0 : 1) } ' "$file_path" } check_install_curl() { if ! command -v curl >/dev/null 2>&1; then log_info "安装依赖: curl" if command -v apt-get >/dev/null 2>&1; then apt-get update && apt-get install -y curl elif command -v yum >/dev/null 2>&1; then yum install -y curl fi fi } check_install_cron() { # 检查并安装依赖 (cron) local install_cmd="" local pkg_manager="" if command -v apt-get >/dev/null 2>&1; then pkg_manager="apt-get" elif command -v yum >/dev/null 2>&1; then pkg_manager="yum" fi if ! command -v crontab >/dev/null 2>&1; then if [ "$pkg_manager" = "apt-get" ]; then install_cmd="$install_cmd cron" elif [ "$pkg_manager" = "yum" ]; then install_cmd="$install_cmd crontabs" fi fi if [ -n "$install_cmd" ]; then log_info "安装依赖: $install_cmd" if [ "$pkg_manager" = "apt-get" ]; then apt-get update && apt-get install -y $install_cmd elif [ "$pkg_manager" = "yum" ]; then yum install -y $install_cmd fi fi # 无论是否刚安装,都尽量确保 cron 服务已运行。 if command -v systemctl >/dev/null 2>&1; then systemctl enable cron 2>/dev/null || systemctl enable crond 2>/dev/null systemctl start cron 2>/dev/null || systemctl start crond 2>/dev/null fi } # 智能更新函数:仅当配置内容(忽略版本号)变更时才覆盖文件,实现精准热加载 safe_update_config() { local new_file="$1" local target_file="$2" local resource_name="$3" if [ ! -f "$target_file" ]; then mv -f "$new_file" "$target_file" log_info "${resource_name} 初始化完成" return fi # 忽略第一行 (version_info) 进行内容比对 # 如果内容一致,则不更新文件,避免触发 Envoy 不必要的重载 if cmp -s <(tail -n +2 "$new_file") <(tail -n +2 "$target_file"); then rm -f "$new_file" # log_info "${resource_name} 无变更,跳过重载" else mv -f "$new_file" "$target_file" log_info "${resource_name} 已更新,触发热加载" fi } # ===== 核心配置应用逻辑 (复用) ===== _apply_envoy_config() { local USER_BW="$1" local tunnel_num="$2" local config_type="$3" local pass_real_ip="$4" local USER_RTT="${5:-$DEFAULT_RTT_MS}" local mode="" envoy_txt_url="" crt_url="" key_url="" case $config_type in 1) mode="in" envoy_txt_url="https://${DOWNLOAD_SERVER}/tunnel/tunnel${tunnel_num}/in/envoy.txt" crt_url="https://${DOWNLOAD_SERVER}/tunnel/ljfxz/server.crt" key_url="https://${DOWNLOAD_SERVER}/tunnel/ljfxz/server.key" ;; 2) mode="out" envoy_txt_url="https://${DOWNLOAD_SERVER}/tunnel/tunnel${tunnel_num}/out/envoy.txt" crt_url="https://${DOWNLOAD_SERVER}/tunnel/ljfxz/server.crt" key_url="https://${DOWNLOAD_SERVER}/tunnel/ljfxz/server.key" ;; 3) mode="single" envoy_txt_url="https://${DOWNLOAD_SERVER}/tunnel/tunnel${tunnel_num}/out/envoy.txt" crt_url="https://${DOWNLOAD_SERVER}/tunnel/ljfxz/server.crt" key_url="https://${DOWNLOAD_SERVER}/tunnel/ljfxz/server.key" ;; *) log_err "无效的配置类型"; return 1 ;; esac # 0. 环境自检与依赖修复 # 确保管理脚本是最新的 (用于热更新回调) if [ -f "$0" ]; then if [ ! -f "$TOOL_PATH" ] || ! cmp -s "$0" "$TOOL_PATH"; then cp -f "$0" "$TOOL_PATH" chmod +x "$TOOL_PATH" fi fi # 确保 cron 服务已安装 (用于热更新定时任务) check_install_cron # 下载配置文件 download_file "$envoy_txt_url" "/etc/envoy/envoy.txt" || return 1 # 转换格式 (DOS to Unix) sed -i 's/\r$//' /etc/envoy/envoy.txt 2>/dev/null validate_envoy_txt "/etc/envoy/envoy.txt" || return 1 # 证书下载 mkdir -p /etc/envoy/ssl download_file "$crt_url" "/etc/envoy/ssl/server.crt" || return 1 download_file "$key_url" "/etc/envoy/ssl/server.key" || return 1 chmod 644 /etc/envoy/ssl/server.crt chmod 600 /etc/envoy/ssl/server.key # Session Ticket if [ ! -f /etc/envoy/ssl/ticket.key ]; then log_info "生成 TLS 会话复用密钥..." dd if=/dev/urandom of=/etc/envoy/ssl/ticket.key bs=80 count=1 2>/dev/null chmod 600 /etc/envoy/ssl/ticket.key fi calculate_params "$USER_BW" "$USER_RTT" # 生成配置 (File-based XDS 模式) generate_envoy_yaml "$mode" "/etc/envoy/envoy.txt" "$pass_real_ip" # 智能启动/重载 if command -v systemctl >/dev/null 2>&1; then if systemctl is-active --quiet envoy; then log_info "Envoy 服务正在运行,配置已通过 File-based XDS 自动热加载。" else log_info "Envoy 服务未运行,正在启动..." systemctl start envoy sleep 2 systemctl is-active --quiet envoy && log_info "Envoy 启动成功!" fi fi } get_effective_nofile_limit() { local nofile_limit="" local nr_open="" nr_open=$(cat /proc/sys/fs/nr_open 2>/dev/null) if ! [[ "$nr_open" =~ ^[0-9]+$ ]] || [ "$nr_open" -le 0 ]; then nr_open=1048576 fi # 优先读取 systemd 中 envoy 服务的真实 LimitNOFILE,避免只看当前 shell 的 ulimit。 if command -v systemctl >/dev/null 2>&1; then nofile_limit=$(systemctl show -p LimitNOFILE --value envoy 2>/dev/null | tr -d '[:space:]') fi # 若 envoy 服务尚未安装或 systemd 尚未生效,则回退到 manager 默认值。 if ! [[ "$nofile_limit" =~ ^[0-9]+$ ]] || [ "$nofile_limit" -le 0 ]; then nofile_limit=$(awk -F= '/^LimitNOFILE=/ {gsub(/[[:space:]]/, "", $2); print $2; exit}' /etc/systemd/system/envoy.service 2>/dev/null) fi # 再回退到发行版默认的 unit 安装路径,兼容“直接下拉 envoy.service 使用”的模式。 if ! [[ "$nofile_limit" =~ ^[0-9]+$ ]] || [ "$nofile_limit" -le 0 ]; then nofile_limit=$(awk -F= '/^LimitNOFILE=/ {gsub(/[[:space:]]/, "", $2); print $2; exit}' /usr/lib/systemd/system/envoy.service 2>/dev/null) fi # 最后才回退到当前 shell。 if ! [[ "$nofile_limit" =~ ^[0-9]+$ ]] || [ "$nofile_limit" -le 0 ]; then nofile_limit=$(ulimit -n 2>/dev/null) fi # infinity 或超出内核上限时,按 nr_open 收敛。 if ! [[ "$nofile_limit" =~ ^[0-9]+$ ]] || [ "$nofile_limit" -le 0 ] || [ "$nofile_limit" -gt "$nr_open" ]; then nofile_limit="$nr_open" fi echo "$nofile_limit" } # ===== 1. 智能 BDP 算法 (带宽延迟积) ===== calculate_params() { local bw_mbps="$1" local rtt_ms="${2:-$DEFAULT_RTT_MS}" local MiB=$((1024 * 1024)) local KiB=1024 local mem_total_bytes local nofile_limit mem_total_bytes=$(awk '/MemTotal/ {printf "%.0f", $2 * 1024}' /proc/meminfo 2>/dev/null) if ! [[ "$mem_total_bytes" =~ ^[0-9]+$ ]] || [ "$mem_total_bytes" -le 0 ]; then mem_total_bytes=$((2 * 1024 * MiB)) fi nofile_limit=$(get_effective_nofile_limit) if ! [[ "$nofile_limit" =~ ^[0-9]+$ ]] || [ "$nofile_limit" -le 0 ]; then nofile_limit=1048576 fi # 原始 BDP = 带宽(bps) * RTT(s) / 8 local raw_bdp_bytes raw_bdp_bytes=$(echo "$bw_mbps $rtt_ms" | awk '{printf "%.0f", $1 * 1000000 * $2 / 1000 / 8}') local raw_bdp_mib=$(( (raw_bdp_bytes + MiB - 1) / MiB )) # 以实际内存为上限,给窗口做“够用但不过肥”的裁剪。 local stream_cap_mem=$((mem_total_bytes / 200)) # 0.5% local conn_cap_mem=$((mem_total_bytes / 100)) # 1.0% [ "$stream_cap_mem" -lt $((16 * MiB)) ] && stream_cap_mem=$((16 * MiB)) [ "$stream_cap_mem" -gt $((64 * MiB)) ] && stream_cap_mem=$((64 * MiB)) [ "$conn_cap_mem" -lt $((32 * MiB)) ] && conn_cap_mem=$((32 * MiB)) [ "$conn_cap_mem" -gt $((128 * MiB)) ] && conn_cap_mem=$((128 * MiB)) ENV_STREAM_WINDOW="$raw_bdp_bytes" [ "$ENV_STREAM_WINDOW" -gt "$stream_cap_mem" ] && ENV_STREAM_WINDOW="$stream_cap_mem" ENV_STREAM_WINDOW=$((((ENV_STREAM_WINDOW + MiB - 1) / MiB) * MiB)) local two_bdp=$((raw_bdp_bytes * 2)) local conn_target="$two_bdp" [ "$conn_target" -gt "$conn_cap_mem" ] && conn_target="$conn_cap_mem" ENV_CONN_WINDOW=$((ENV_STREAM_WINDOW * 2)) [ "$ENV_CONN_WINDOW" -lt "$conn_target" ] && ENV_CONN_WINDOW="$conn_target" ENV_CONN_WINDOW=$((((ENV_CONN_WINDOW + MiB - 1) / MiB) * MiB)) # Envoy 的 per_connection_buffer_limit_bytes 需要不小于连接窗口,否则会先被软缓冲限制卡住。 ENV_PER_CONN_BUFFER="$ENV_CONN_WINDOW" # 用实际内存和 fd 推导平衡档的总连接能力。 local reserve_os=$((mem_total_bytes / 5)) # 20% local reserve_envoy=$((mem_total_bytes / 10)) # 10% [ "$reserve_os" -lt $((2 * 1024 * MiB)) ] && reserve_os=$((2 * 1024 * MiB)) [ "$reserve_envoy" -lt $((512 * MiB)) ] && reserve_envoy=$((512 * MiB)) # 小内存主机上不能把可用内存强行钳回 512MiB,否则会高估承载能力。 if [ $((reserve_os + reserve_envoy)) -ge "$mem_total_bytes" ]; then reserve_os=$((mem_total_bytes / 5)) reserve_envoy=$((mem_total_bytes / 10)) fi local usable_mem=$((mem_total_bytes - reserve_os - reserve_envoy)) if [ "$usable_mem" -le 0 ]; then usable_mem=$((mem_total_bytes / 10)) fi [ "$usable_mem" -lt $((128 * MiB)) ] && usable_mem=$((128 * MiB)) local idle_cost=$((96 * KiB)) local hot_fixed_cost=$((1 * MiB)) local hot_cost=$((hot_fixed_cost + ENV_PER_CONN_BUFFER + ENV_STREAM_WINDOW / 2)) local effective_conn_cost=$((idle_cost + (hot_cost - idle_cost) / 100)) # active_ratio=1% [ "$effective_conn_cost" -lt "$idle_cost" ] && effective_conn_cost="$idle_cost" ENV_EST_CONN_LIMIT_MEM=$((usable_mem / effective_conn_cost)) ENV_EST_CONN_LIMIT_FD=$((nofile_limit * 80 / 100)) [ "$ENV_EST_CONN_LIMIT_FD" -lt 1024 ] && ENV_EST_CONN_LIMIT_FD=1024 # 不主动限制 H2 并发流,尽量只受协议栈和系统资源本身约束。 ENV_H2_MAX_CONCURRENT_STREAMS=2147483647 ENV_EFFECTIVE_NOFILE="$nofile_limit" ENV_REAL_RTT_MS="$rtt_ms" ENV_HEAP_BUDGET_BYTES=$((reserve_envoy + usable_mem)) [ "$ENV_HEAP_BUDGET_BYTES" -gt "$mem_total_bytes" ] && ENV_HEAP_BUDGET_BYTES="$mem_total_bytes" local est_single_stream_mbps est_single_stream_mbps=$(echo "$ENV_STREAM_WINDOW $rtt_ms" | awk '{printf "%.0f", ($1 * 8) / ($2 / 1000) / 1000000}') log_info "平衡优化参数 (带宽: ${bw_mbps}Mbps, RTT: ${rtt_ms}ms):" log_info " - Raw BDP: ${raw_bdp_mib} MiB" log_info " - Stream Window: $((ENV_STREAM_WINDOW / MiB)) MiB" log_info " - Conn Window: $((ENV_CONN_WINDOW / MiB)) MiB" log_info " - Buffer Limit: $((ENV_PER_CONN_BUFFER / MiB)) MiB" log_info " - H2并发流上限: ${ENV_H2_MAX_CONCURRENT_STREAMS}" log_info " - 内存估算连接上限: ${ENV_EST_CONN_LIMIT_MEM}" log_info " - FD估算连接上限: ${ENV_EST_CONN_LIMIT_FD}" log_info " - Effective NOFILE: ${ENV_EFFECTIVE_NOFILE}" log_info " - Envoy堆预算: $((ENV_HEAP_BUDGET_BYTES / MiB)) MiB" log_info " - 单流理论上限: ${est_single_stream_mbps} Mbps" } # ===== 2. 配置生成器 (Envoy v1.38.0 标准) ===== get_socket_options() { cat <404

404

' EOF fi } generate_envoy_yaml() { local mode="$1" # in, out, single local listeners_file="$2" local pass_real_ip="${3:-y}" log_info "正在生成 Envoy 配置 (Mode: $mode, RealIP: $pass_real_ip)..." validate_envoy_txt "$listeners_file" || return 1 # 动态获取当前机器的物理内存总大小 (单位: 字节) local SYS_MEM_BYTES=$(awk '/MemTotal/ {printf "%.0f", $2 * 1024}' /proc/meminfo 2>/dev/null) # 容错:如果获取失败或结果包含非数字字符,保底设置为 2GB (2147483648 字节) if ! [[ "$SYS_MEM_BYTES" =~ ^[0-9]+$ ]] || [ "$SYS_MEM_BYTES" -le 0 ]; then SYS_MEM_BYTES=2147483648 log_info "未能获取有效的系统物理内存,已启用保底策略:2GB (2048 MB)" else local mem_mb=$((SYS_MEM_BYTES / 1024 / 1024)) log_info "智能过载保护:检测到系统物理内存 ${mem_mb} MB,已动态绑定至 Envoy 熔断引擎" fi local ENVOY_HEAP_BUDGET_BYTES="${ENV_HEAP_BUDGET_BYTES:-$SYS_MEM_BYTES}" if ! [[ "$ENVOY_HEAP_BUDGET_BYTES" =~ ^[0-9]+$ ]] || [ "$ENVOY_HEAP_BUDGET_BYTES" -le 0 ]; then ENVOY_HEAP_BUDGET_BYTES="$SYS_MEM_BYTES" fi local listener_count=0 while read -r l_ip l_port t_host t_port; do [[ -z "$l_ip" || "$l_ip" =~ ^# ]] && continue listener_count=$((listener_count + 1)) done < "$listeners_file" [ "$listener_count" -lt 1 ] && listener_count=1 # 当前脚本模型是一行监听映射生成一个 listener 和一个隧道 cluster。 # 若显式配置了伪装站点,则额外生成一个普通网页流量用的伪装 cluster。 local cluster_count="$listener_count" [ -n "$CAMOUFLAGE_HOST" ] && cluster_count=$((cluster_count + 1)) local ENV_UPSTREAM_MAX_CONNECTIONS=4294967295 local ENV_UPSTREAM_MAX_PENDING_REQUESTS=4294967295 local ENV_UPSTREAM_MAX_REQUESTS=4294967295 local ENV_UPSTREAM_MAX_RETRIES=4294967295 local ENV_UPSTREAM_MAX_CONNECTION_POOLS=4294967295 log_info "连接限制策略:" log_info " - Downstream Global: disabled" log_info " - Listener Limit: disabled" log_info " - Upstream Conn: unlimited" log_info " - Upstream Pending: unlimited" log_info " - Upstream Requests: unlimited" log_info " - Listener Count: ${listener_count}" log_info " - Cluster Count: ${cluster_count}" # 生成主配置文件 envoy.yaml (只需生成一次) local MAIN_CONFIG="/etc/envoy/envoy.yaml" local MAIN_CONFIG_TMP="/etc/envoy/envoy.yaml.tmp" cat > "$MAIN_CONFIG_TMP" < "$SDS_CONFIG_TMP" < "$LDS_TMP" <> "$LDS_TMP" <%RESPONSE_CODE%

%RESPONSE_CODE%

' content_type: "text/html" use_remote_address: ${use_remote_address} xff_num_trusted_hops: ${xff_hops} skip_xff_append: ${skip_xff_append} # 防主动探测核心:必须限制请求头超时! # 真实的 Web 服务器绝不会允许客户端建立连接后永远不发送完整的 HTTP 头 (Slowloris 攻击)。 # XHTTP/gRPC/WS 在发送握手头时只需几十毫秒。这里设置为 60s 足够宽容。 request_headers_timeout: 60s stream_idle_timeout: 0s request_timeout: 0s common_http_protocol_options: idle_timeout: 3600s max_headers_count: 200 headers_with_underscores_action: REJECT_REQUEST http2_protocol_options: initial_stream_window_size: ${ENV_STREAM_WINDOW} initial_connection_window_size: ${ENV_CONN_WINDOW} max_concurrent_streams: ${ENV_H2_MAX_CONCURRENT_STREAMS} # 启用 CONNECT 隧道支持,适配隧道与长连接场景 allow_connect: true connection_keepalive: interval: 30s timeout: 10s connection_idle_interval: 30s route_config: name: local_route virtual_hosts: - name: local_service domains: ["*"] routes: - match: connect_matcher: {} route: cluster: ${cluster_name} timeout: 0s max_stream_duration: max_stream_duration: 0s grpc_timeout_header_max: 0s upgrade_configs: - upgrade_type: CONNECT enabled: true - match: { prefix: "/ljfxz" } ${request_headers_to_add} route: cluster: ${cluster_name} timeout: 0s max_stream_duration: max_stream_duration: 0s grpc_timeout_header_max: 0s upgrade_configs: - upgrade_type: websocket enabled: true $(get_camouflage_route) http_filters: - name: envoy.filters.http.router typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router suppress_envoy_headers: true EOF # 所有模式强制 TLS 监听 get_downstream_tls >> "$LDS_TMP" done < "$listeners_file" # 生成 CDS 配置文件 (cds.yaml) local CDS_CONFIG="/etc/envoy/cds.yaml" local CDS_TMP="/etc/envoy/cds.yaml.tmp" local cds_timestamp=$(date +%s) cat > "$CDS_TMP" <> "$CDS_TMP" <> "$CDS_TMP" fi cat >> "$CDS_TMP" <> "$CDS_TMP" <> "$CDS_TMP" cat >> "$CDS_TMP" < "/usr/local/bin/update_envoy_config.sh" </dev/null 2>&1; then curl -m 10 -fsSL "\$url" -o "\$dest" elif command -v wget >/dev/null 2>&1; then wget -T 10 -qO "\$dest" "\$url" else return 1 fi [ -s "\$dest" ] } validate_envoy_txt() { local file_path="\$1" if [ ! -s "\$file_path" ]; then echo "[ERROR] envoy.txt 不存在或为空: \$file_path" >&2 return 1 fi awk ' BEGIN { ok = 1 } /^[[:space:]]*($|#)/ { next } NF != 4 { printf("[ERROR] envoy.txt 第 %d 行字段数错误,期望 4 列,实际 %d 列\n", NR, NF) > "/dev/stderr" ok = 0 next } \$2 !~ /^[0-9]+$/ || \$4 !~ /^[0-9]+$/ { printf("[ERROR] envoy.txt 第 %d 行端口不是数字: %s %s %s %s\n", NR, \$1, \$2, \$3, \$4) > "/dev/stderr" ok = 0 next } \$2 < 1 || \$2 > 65535 || \$4 < 1 || \$4 > 65535 { printf("[ERROR] envoy.txt 第 %d 行端口超出范围: %s %s %s %s\n", NR, \$1, \$2, \$3, \$4) > "/dev/stderr" ok = 0 next } seen_port[\$2]++ { if (seen_port[\$2] > 1) { printf("[ERROR] envoy.txt 第 %d 行监听端口重复: %s;当前脚本会以本地端口生成 listener/cluster 名称,端口必须唯一\n", NR, \$2) > "/dev/stderr" ok = 0 } } END { exit(ok ? 0 : 1) } ' "\$file_path" } # 下载新配置到临时文件 if ! download_with_fallback "\$ENVOY_TXT_URL" /tmp/envoy_new.txt; then exit 1 fi sed -i 's/\r$//' /tmp/envoy_new.txt if ! validate_envoy_txt /tmp/envoy_new.txt; then rm -f /tmp/envoy_new.txt exit 1 fi # 标记配置是否变更 CONFIG_CHANGED=0 if ! cmp -s /tmp/envoy_new.txt /etc/envoy/envoy.txt; then CONFIG_CHANGED=1 fi # 1. 始终检查证书更新 (防止证书过期但配置未变的情况) # 下载新证书到临时文件 if ! download_with_fallback "\$CRT_URL" /tmp/server.crt.new || ! download_with_fallback "\$KEY_URL" /tmp/server.key.new; then # 如果证书下载失败但配置变了,依然继续更新配置,不强制退出 : else # 对比证书差异 (如果新证书与旧证书不同,则更新) if ! cmp -s /tmp/server.crt.new /etc/envoy/ssl/server.crt || ! cmp -s /tmp/server.key.new /etc/envoy/ssl/server.key; then mv /tmp/server.crt.new /etc/envoy/ssl/server.crt mv /tmp/server.key.new /etc/envoy/ssl/server.key chmod 644 /etc/envoy/ssl/server.crt chmod 600 /etc/envoy/ssl/server.key # 证书更新后,即使配置没变,也需要触发 Envoy 热加载 # SDS 模式:将新证书内容写入 sds.yaml (inline_string) 以触发热更新 # 注意:使用 inline_string 确保内容变更能被 Envoy 捕捉 CERT_CONTENT=\$(sed 's/^/ /' /etc/envoy/ssl/server.crt) KEY_CONTENT=\$(sed 's/^/ /' /etc/envoy/ssl/server.key) # 1. 写入临时文件,避免写入过程中被 Envoy 读取导致配置不完整 TIMESTAMP=\$(date +%s) cat > /etc/envoy/sds.yaml.tmp </dev/null 2>&1 EOF chmod +x "/usr/local/bin/update_envoy_config.sh" if command -v systemctl >/dev/null 2>&1; then systemctl enable cron 2>/dev/null || systemctl enable crond 2>/dev/null systemctl start cron 2>/dev/null || systemctl start crond 2>/dev/null # 自动添加定时任务 (每分钟执行一次) local cron_job="* * * * * /usr/local/bin/update_envoy_config.sh >/dev/null 2>&1" if ! crontab -l 2>/dev/null | grep -q "update_envoy_config.sh"; then (crontab -l 2>/dev/null; echo "$cron_job") | crontab - log_info "已添加证书自动热更新定时任务" fi fi fi } # 新增一个隐藏的 CLI 命令,用于脚本内部调用生成 YAML # 在 main 函数中处理 # ===== 功能菜单函数 ===== envoy_install() { log_info "安装 Envoy..." # 安装前先停止服务,防止文件占用或冲突 if command -v systemctl >/dev/null 2>&1; then systemctl stop envoy 2>/dev/null fi # 强制下载最新版 Envoy (移除条件判断) mkdir -p /etc/envoy/ssl download_file "https://${DOWNLOAD_SERVER}/tools/envoy" "$ENVOY_BIN" || return 1 chmod +x "$ENVOY_BIN" # 远程下载 service 文件 download_file "https://${DOWNLOAD_SERVER}/tools/envoy.service" "/usr/lib/systemd/system/envoy.service" || return 1 if command -v systemctl >/dev/null 2>&1; then systemctl daemon-reload systemctl enable envoy else log_info "未检测到 systemctl,已跳过 Envoy service 注册,请手动接管服务启动" fi # 安装时自动执行系统优化 system_optimize # 安装管理脚本 if [ -f "$0" ]; then cp "$0" "$TOOL_PATH" chmod +x "$TOOL_PATH" log_info "管理脚本已安装到 $TOOL_PATH" fi log_info "Envoy 安装完成" # 更新或安装后自动尝试重启服务 if [ -f "$ENVOY_CONFIG" ]; then if command -v systemctl >/dev/null 2>&1; then log_info "检测到已有配置文件,正在启动 Envoy..." systemctl restart envoy if systemctl is-active --quiet envoy; then echo -e "${GREEN}[INFO] Envoy 服务已成功启动并加载最新版本!${NC}" else echo -e "${RED}[ERROR] Envoy 启动失败,请检查配置或日志。${NC}" fi else echo -e "${YELLOW}[WARN] 已生成配置,但当前环境无 systemctl,请手动启动 Envoy。${NC}" fi else echo -e "${YELLOW}[WARN] Envoy 安装完成,但尚未配置。请运行配置菜单生成配置文件。${NC}" fi } envoy_manage() { echo "1.启动 2.停止 3.重启 4.状态" read -p "选择: " c case $c in 1) systemctl start envoy ;; 2) systemctl stop envoy ;; 3) systemctl restart envoy ;; 4) systemctl status envoy --no-pager ;; esac } firewall_remove() { systemctl stop firewalld 2>/dev/null systemctl disable firewalld 2>/dev/null ufw disable 2>/dev/null log_info "防火墙已禁用" } envoy_monitor() { check_install_cron cat > /usr/local/bin/checkenvoy.sh <<'EOF' #!/bin/bash # 仅做 Envoy 服务级保活;上游节点健康由 Envoy 自身 health_checks/outlier_detection 负责。 if command -v systemctl >/dev/null 2>&1; then if systemctl is-active --quiet envoy; then exit 0 fi systemctl restart envoy exit $? fi if pgrep -x envoy >/dev/null 2>&1; then exit 0 fi exit 1 EOF chmod +x /usr/local/bin/checkenvoy.sh (crontab -l 2>/dev/null | grep -v checkenvoy; echo "* * * * * /usr/local/bin/checkenvoy.sh >/dev/null 2>&1") | crontab - log_info "已设置 Envoy 服务级保活巡检" } soga_setup() { local node_id="$1" local soga_key="$2" local webapi_domain="$3" local webapi_key="$4" # 检查并安装 curl 依赖 check_install_curl # 如果没有传参,进入交互模式 if [ -z "$node_id" ]; then read -r -p "节点ID: " node_id read -r -p "授权码: " soga_key read -r -p "域名: " webapi_domain read -r -p "webapi_key: " webapi_key fi log_info "正在下载并安装 soga..." local soga_install="/tmp/soga_install.sh" if ! curl -Ls https://raw.githubusercontent.com/vaxilu/soga/master/install.sh -o "$soga_install"; then log_err "下载 soga 安装脚本失败,请检查网络" return 1 fi bash "$soga_install" || { log_err "soga 安装失败"; rm -f "$soga_install"; return 1; } rm -f "$soga_install" # 确保配置目录存在 mkdir -p /etc/soga cat > /etc/soga/soga.conf </dev/null | grep -v "cf-ddns.sh"; echo "* * * * * $cron_cmd") | crontab - # 立即执行一次 log_info "正在执行第一次同步..." # 手动设置 HOME 环境变量以防万一 export HOME=${HOME:-/root} $ddns_script -k "$cf_key" -u "$cf_user" -h "$cf_record" -z "$cf_zone" -t "$record_type" -f true >/dev/null 2>&1 if [ $? -eq 0 ]; then log_info "DDNS 配置成功!每分钟自动更新。" else log_err "DDNS 同步失败,请检查 API Key 和网络。" fi } system_optimize() { log_info "正在应用极致系统优化 (BBR + Kernel)..." # 确保 BBR 模块已预先加载,防止 sysctl 设置失败 modprobe tcp_bbr 2>/dev/null || true mkdir -p /etc/modules-load.d echo "tcp_bbr" > "$MODULES_LOAD_CONFIG" 2>/dev/null || true # 直接写入专用配置文件 cat > "$SYSCTL_CONFIG" </sys/kernel/mm/transparent_hugepage/enabled 2>/dev/null || true mkdir -p /etc/security/limits.d cat > "$LIMITS_DROPIN" </dev/null 2>&1; then systemctl daemon-reload fi log_info "系统优化和 BBR 配置完成!" } envoy_uninstall() { local force="$1" if [ "$force" != "-y" ] && [ "$force" != "force" ]; then read -p "确定要卸载 Envoy 吗? [y/N]: " confirm [[ "$confirm" != "y" && "$confirm" != "Y" ]] && return fi log_info "正在停止 Envoy 服务..." if command -v systemctl >/dev/null 2>&1; then systemctl stop envoy 2>/dev/null systemctl disable envoy 2>/dev/null fi log_info "正在删除文件..." rm -f "$ENVOY_BIN" rm -f "/usr/lib/systemd/system/envoy.service" rm -rf "/etc/envoy" rm -f "$SYSCTL_CONFIG" rm -f "$LIMITS_DROPIN" rm -f "$MODULES_LOAD_CONFIG" rm -f "/usr/local/bin/update_envoy_config.sh" rm -f "/usr/local/bin/checkenvoy.sh" rm -f "$TOOL_PATH" remove_managed_block "/etc/profile" "$PROFILE_MARKER_BEGIN" "$PROFILE_MARKER_END" remove_managed_block "/etc/pam.d/common-session" "$PAM_MARKER_BEGIN" "$PAM_MARKER_END" restore_thp_mode crontab -l 2>/dev/null | grep -v "update_envoy_config.sh" | grep -v "checkenvoy.sh" | crontab - sysctl --system >/dev/null 2>&1 || true if command -v systemctl >/dev/null 2>&1; then systemctl daemon-reload fi log_info "Envoy 已卸载完成,并已回滚本脚本写入的系统优化项" } # ===== 核心配置流程 ===== envoy_tcp_config() { read -p "请输入带宽 (Mbps) [${DEFAULT_BW_MBPS}]: " USER_BW USER_BW=${USER_BW:-$DEFAULT_BW_MBPS} local USER_RTT="$DEFAULT_RTT_MS" read -p "隧道编号: " tunnel_num if [[ ! "$tunnel_num" =~ ^[0-9]+$ ]]; then log_err "必须是数字" return 1 fi echo "配置类型: 1)入口 2)出口 3)单层" read -p "选择 [1-3]: " config_type local pass_real_ip="y" if [ "$config_type" == "3" ]; then read -p "是否传递真实IP给后端? [Y/n]: " user_pass_ip [[ "$user_pass_ip" == "n" || "$user_pass_ip" == "N" ]] && pass_real_ip="n" fi # 调用核心函数 (无需 IP 版本参数) _apply_envoy_config "$USER_BW" "$tunnel_num" "$config_type" "$pass_real_ip" "$USER_RTT" } show_menu() { clear echo "=====================================" echo " Envoy 极致性能代理 v3.0" echo " 大带宽|不断流|长连接|BBR" echo "=====================================" echo "1. 安装 Envoy" echo "2. 生成配置" echo "3. 管理服务" echo "4. 删除防火墙" echo "5. 定时检测" echo "6. 对接 soga" echo "7. 设置 DDNS" echo "8. 系统优化 (BBR + 内核)" echo "9. 卸载 Envoy" echo "0. 退出" echo "=====================================" } show_cli_help() { cat <<'EOF' 用法: ./envoy.sh ./envoy.sh <命令> [参数] 可用命令: install 安装 Envoy、service 文件和管理脚本。 config <带宽Mbps> <隧道号> <配置类型1-3> [是否传IP y/n] [RTT毫秒] 配置类型: 1 = 入口 2 = 出口 3 = 单层 示例: ./envoy.sh config 1000 1 1 ./envoy.sh config 1000 1 3 n 350 optimize 应用系统级 BBR/sysctl/limits 优化。 ddns [API_KEY EMAIL DOMAIN RECORD TYPE] 不带参数时进入交互模式;TYPE 支持 1/A 或 2/AAAA。 soga [NodeID SogaKey Domain WebApiKey] 不带参数时进入交互模式。 uninstall [force|-y] 卸载 Envoy 及相关脚本,并回滚本脚本写入的系统优化项。 help 显示本帮助。 内部命令: generate_yaml [user_rtt] EOF } # ===== 主逻辑 ===== main() { # 支持命令行参数直接调用 if [ $# -gt 0 ]; then case "$1" in help|-h|--help) show_cli_help exit 0 ;; esac fi check_root # 支持命令行参数直接调用 if [ $# -gt 0 ]; then case "$1" in install) envoy_install exit $? ;; config) # 参数: config <带宽Mbps> <隧道号> <类型1-3> [是否传IP y/n] [RTT毫秒] # 参数校验逻辑: 至少需要 3 个参数 (config, bandwidth, tunnel_num, type) if [ $# -lt 4 ]; then echo "用法: $0 config <带宽Mbps> <隧道号> <配置类型1-3> [是否传IP y/n] [RTT毫秒]" echo "配置类型: 1:入口, 2:出口, 3:单层" exit 1 fi # 获取参数 local user_bw="$2" local tunnel_num="$3" local config_type="$4" local pass_real_ip="${5:-y}" # 默认为 y local user_rtt="${6:-$DEFAULT_RTT_MS}" if ! [[ "$user_rtt" =~ ^[0-9]+$ ]]; then # 兼容旧参数顺序: 第五个参数若是 RTT,则视作 RTT;第六个参数为 pass_real_ip if [[ "$pass_real_ip" =~ ^[0-9]+$ ]]; then user_rtt="$pass_real_ip" pass_real_ip="${6:-y}" else user_rtt="$DEFAULT_RTT_MS" fi fi # 调用核心配置函数 _apply_envoy_config "$user_bw" "$tunnel_num" "$config_type" "$pass_real_ip" "$user_rtt" exit $? ;; optimize) system_optimize exit $? ;; ddns) # 参数: ddns # 如果只有 "./envoy.sh ddns" (参数个数=1),进入交互模式 if [ $# -eq 1 ]; then setup_ddns else # 否则将参数传给函数 setup_ddns "$2" "$3" "$4" "$5" "$6" fi exit $? ;; soga) # 参数: soga if [ $# -eq 1 ]; then soga_setup else soga_setup "$2" "$3" "$4" "$5" fi exit $? ;; generate_yaml) # 隐藏命令,供热更新脚本内部调用 # 参数: generate_yaml [user_rtt] # 参数校验: 需要至少 4 个参数 (generate_yaml, mode, txt_file, pass_real_ip) if [ $# -lt 4 ]; then echo "用法: $0 generate_yaml [user_rtt]" exit 1 fi local mode="$2" local listeners_file="$3" local pass_real_ip="$4" local user_bw="${5:-1000}" local user_rtt="${6:-$DEFAULT_RTT_MS}" # 重新计算 BDP 参数 calculate_params "$user_bw" "$user_rtt" # 生成配置 generate_envoy_yaml "$mode" "$listeners_file" "$pass_real_ip" exit 0 ;; uninstall) envoy_uninstall "$2" exit $? ;; *) echo "未知命令: $1" show_cli_help exit 1 ;; esac fi # 无参数则进入交互式菜单 while true; do show_menu read -p "选择 [0-9]: " choice case $choice in 1) envoy_install ;; 2) envoy_tcp_config ;; 3) envoy_manage ;; 4) firewall_remove ;; 5) envoy_monitor ;; 6) soga_setup ;; 7) setup_ddns ;; 8) system_optimize ;; 9) envoy_uninstall ;; 0) exit 0 ;; *) echo "无效选择" ;; esac read -p "按回车继续..." done } main "$@"