Docker部署cloudflared并且用sing-box 添加前置代理

2024年05月01日 · 852字 · 2分钟

SingBox 安装使用 🔗

建议使用 docker-compose 部署，先看 Cloudflare Tunnel 速度慢？尝试给它加个前置代理提高速度 - Xiaomage’s Blog 和 https://sing-box.sagernet.org/zh/configuration/inbound/tun/ 来学习哪些需要走透明代理，怎么搞透明代理。

docker-compose 部署 singbox 🔗

给一个例子:

version: "3"

networks:
  proxy:
    external: true

services:
  sing-box:
    image: ghcr.io/sagernet/sing-box
    container_name: sing-box
    restart: always
    network_mode: host
    privileged: true
    cap_add:
      - NET_ADMIN
    volumes:
      - ./singbox:/etc/sing-box/
    command: -D /var/lib/sing-box -C /etc/sing-box/ run

配置文件例子，注意按需添加自己的服务器。

{
  "log": { "disabled": false, "level": "info", "timestamp": true },
  "dns": {
    "servers": [
      {
        "tag": "dns_proxy",
        "address": "tls://1.1.1.1",
        "address_resolver": "dns_resolver"
      },
      {
        "tag": "dns_direct",
        "address": "h3://dns.alidns.com/dns-query",
        "address_resolver": "dns_resolver",
        "detour": "DIRECT"
      },
      { "tag": "dns_fakeip", "address": "fakeip" },
      { "tag": "dns_resolver", "address": "223.5.5.5", "detour": "DIRECT" },
      { "tag": "block", "address": "rcode://success" }
    ],
    "rules": [
      { "outbound": ["any"], "server": "dns_resolver" },
      {
        "geosite": ["category-ads-all"],
        "server": "dns_block",
        "disable_cache": true
      },
      {
        "geosite": ["geolocation-!cn"],
        "query_type": ["A", "AAAA"],
        "server": "dns_fakeip"
      },
      { "geosite": ["geolocation-!cn"], "server": "dns_proxy" }
    ],
    "final": "dns_direct",
    "independent_cache": true,
    "fakeip": { "enabled": true, "inet4_range": "198.18.0.0/15" }
  },
  "ntp": {
    "enabled": true,
    "server": "ntp.ntsc.ac.cn",
    "server_port": 123,
    "interval": "30m",
    "detour": "DIRECT"
  },
  "inbounds": [
    {
      "type": "tun",
          "domain_strategy": "prefer_ipv4",
      "inet4_address": "172.19.0.1/30",
      "auto_route": true,
      "strict_route": false
    }
  ],
  "outbounds": [
    { "type": "direct", "tag": "DIRECT" },
    { "type": "block", "tag": "REJECT" },
    { "type": "dns", "tag": "dns-out" },
    {
      "type": "vmess",
      "tag": "haha",
      "server": "server.server.info",
      "server_port": 10086,
      "uuid": "嘿嘿",
      "alter_id": 0,
      "security": "auto",
      "network": "tcp",
      "tcp_fast_open": false
    }
  ],
  "route": {
    "rules": [
      { "clash_mode": "Global", "outbound": "haha" },
      { "clash_mode": "Direct", "outbound": "DIRECT" },
      { "protocol": "dns", "outbound": "dns-out" },
          {
        "ip_cidr": [
                        "198.41.192.0/24",
                        "198.41.200.0/24",
                        "104.17.18.19/32"
        ],
        "outbound": "haha"
      }
    ],
    "auto_detect_interface": true,
    "final": "DIRECT"
  },
  "experimental": {}
}

对了，还要编辑宿主机的 /etc/hosts 文件，添加下面的内容:

104.17.18.19 api.cloudflare.com
104.17.18.19 update.argotunnel.com
104.17.18.19 pqtunnels.cloudflareresearch.com
104.17.18.19 [你自己的team name].cloudflareaccess.com

怎么看 team name, You can view your team name and team domain in Zero Trust under Settings > Custom Pages.

然后启动: docker compose up -d

这样下面的 ip 都会走透明代理:

"198.41.192.0/24"
"198.41.200.0/24"
"104.17.18.19/32"

Cloudflared 安装使用 🔗

使用面板进行管理 🔗

获得 token 🔗

登录 cloudflare dashboard: https://dash.cloudflare.com/
选择 ZeroTurst 面板: https://one.dash.cloudflare.com/
在 Networks 下面选择: Tunnels
新建 Tunnels
在 Overview 面板得到一个 token: eyJhIjoi…

使用 docker-compoe 部署 cloudflared 🔗

先设置一下系统的参数:

sudo sysctl -w net.core.rmem_max=2500000
sudo sysctl -w net.core.wmem_max=2500000

给一个例子吧:

docker-compose.yml

version: "3"

networks:
  proxy:
    external: true
services:
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    env_file:
      - ./.env
    networks:
      - proxy
    command: ["tunnel","run"]
    labels:
      - traefik.enable=false
      - traefik.docker.network=proxy

.env 文件:

TUNNEL_TOKEN=<你的token>
TUNNEL_TRANSPORT_PROTOCOL=http2

注意一定要设置 TUNNEL_TRANSPORT_PROTOCOL=http2，防止默认的走 QUIC。

添加反代端口 🔗

你得有 cloudflare 托管的域名
在 tunnel 的 Public Hostname 下面添加
- 指定一个子域名
- 需要反代的IP和端口，需要能从能运行 cloudflared 的机子上面连接的
如果是 http 或者 https 等，直接连接访问域名就可以看到了
如果是 ssh, xrdp 或者 vpn 可以看下面的文档: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/
- ssh
  - 部署一个网站 app
  - 通过 wrap 连接
  - 通过 cloudflared 连接
- xrdp
  - cloudflared access rdp –hostname rdp.example.com –url rdp://localhost:3389
- smb
  - cloudflared access tcp –hostname smb.example.com –url localhost:8445

问题 #todo 🔗

如何不对整个宿主机做透明代理而只是对 docker 内部做呢？

Reference 🔗

Cloudflare Tunnel 速度慢？尝试给它加个前置代理提高速度 - Xiaomage’s Blog
格式转换: https://subconverters.com/
sing-box tun 教程: https://sing-box.sagernet.org/zh/configuration/inbound/tun/

create: [[2024-05-01_星期三]]

cloudflare sing-box 内网穿透