From 4f6c5d7b5c70a1e9e981590ac89898c72c08c169 Mon Sep 17 00:00:00 2001
From: win
Date: Wed, 25 Mar 2026 14:06:06 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20=E4=B8=89=E8=8A=82=E7=82=B9=E9=83=A8?=
 =?UTF-8?q?=E7=BD=B2=E8=84=9A=E6=9C=AC=EF=BC=88=E4=B8=8A=E6=B5=B7/CN?=
 =?UTF-8?q?=E4=B8=AD=E8=BD=AC/=E7=BE=8E=E5=9B=BD=E8=90=BD=E5=9C=B0?=
 =?UTF-8?q?=EF=BC=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../maintenance/setup-node1-shanghai.sh | 92 +++++++++++
 .../maintenance/setup-node2-cn-relay.sh | 96 ++++++++++++
 .../maintenance/setup-node3-us-landing.sh | 143 ++++++++++++++++++
 3 files changed, 331 insertions(+)
 create mode 100755 antigravity/maintenance/setup-node1-shanghai.sh
 create mode 100755 antigravity/maintenance/setup-node2-cn-relay.sh
 create mode 100755 antigravity/maintenance/setup-node3-us-landing.sh
diff --git a/antigravity/maintenance/setup-node1-shanghai.sh b/antigravity/maintenance/setup-node1-shanghai.sh
new file mode 100755
index 00000000..e8995bb5
--- /dev/null
+++ b/antigravity/maintenance/setup-node1-shanghai.sh
@@ -0,0 +1,92 @@
+#!/bin/bash
+# =============================================================
+# 节点 1:上海服务器
+# 部署:sub2api + node-tls-proxy + postgres + redis
+# =============================================================
+# 用法:bash setup-node1-shanghai.sh
+# 前置:已安装 Docker,已克隆仓库到当前目录
+
+set -euo pipefail
+GREEN='\033[0;32m' YELLOW='\033[1;33m' NC='\033[0m'
+ok() { echo -e "${GREEN}✅ $*${NC}"; }
+info() { echo -e "${YELLOW}ℹ $*${NC}"; }
+
+echo "================================================"
+echo " 节点1:上海服务器 部署"
+echo "================================================"
+
+# ── 1. 检查 Docker ─────────────────────────────────
+if ! command -v docker &>/dev/null; then
+ info "安装 Docker..."
+ curl -fsSL https://get.docker.com | bash
+ systemctl enable docker && systemctl start docker
+fi
+ok "Docker 已就绪"
+
+# ── 2. 进入 deploy 目录 ─────────────────────────────
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+DEPLOY_DIR="$(dirname "$SCRIPT_DIR")/deploy"
+cd "$DEPLOY_DIR"
+ok "工作目录: $DEPLOY_DIR"
+
+# ── 3. 生成 .env(如不存在)──────────────────────────
+if [ ! -f .env ]; then
+ cat > .env << EOF
+# ========== 必填 ==========
+POSTGRES_PASSWORD=$(openssl rand -hex 16)
+ADMIN_EMAIL=admin@sub2api.local
+ADMIN_PASSWORD=$(openssl rand -hex 8)
+JWT_SECRET=$(openssl rand -hex 32)
+TOTP_ENCRYPTION_KEY=$(openssl rand -hex 32)
+
+# ========== 时区(上海)==========
+TZ=Asia/Shanghai
+
+# ========== node-tls-proxy 指向 CN中转机 ==========
+# 上海的 sub2api 通过 GOST 把 TLS 流量送到 CN中转,
+# 中转再转发到美国落地,最终到 Anthropic/Google
+# 这里填 CN中转机 IP + GOST 暴露给上海的端口
+GATEWAY_NODE_TLS_PROXY_ENABLED=true
+GATEWAY_NODE_TLS_PROXY_LISTEN_HOST=
+GATEWAY_NODE_TLS_PROXY_LISTEN_PORT=3456
+
+# ========== Gemini OAuth(如有)==========
+GEMINI_CLI_OAUTH_CLIENT_SECRET=
+ANTIGRAVITY_OAUTH_CLIENT_SECRET=
+EOF
+ ok ".env 已生成,请编辑填入 CN中转机 IP"
+ echo ""
+ echo " → 编辑: nano $DEPLOY_DIR/.env"
+ echo " → 修改 GATEWAY_NODE_TLS_PROXY_LISTEN_HOST="
+ echo ""
+ read -rp "填完后按 Enter 继续..." _
+fi
+
+# ── 4. 启动服务 ─────────────────────────────────────
+info "启动 sub2api + node-tls-proxy..."
+docker compose -f docker-compose.yml \
+ -f docker-compose.tls-proxy.yml \
+ pull
+docker compose -f docker-compose.yml \
+ -f docker-compose.tls-proxy.yml \
+ up -d
+
+ok "服务启动完成"
+
+# ── 5. 验证 ────────────────────────────────────────
+sleep 10
+echo ""
+echo "【验证】"
+docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"
+echo ""
+if curl -sf http://127.0.0.1:8080/health >/dev/null 2>&1; then
+ ok "sub2api 健康检查通过(端口 8080)"
+else
+ echo "⏳ sub2api 还在启动,等 30 秒后手动检查..."
+fi
+
+echo ""
+echo "================================================"
+echo " 节点1 部署完成"
+echo " 管理面板: http://$(curl -sf ipinfo.io/ip 2>/dev/null || echo '<服务器IP>'):8080"
+echo "================================================"
diff --git a/antigravity/maintenance/setup-node2-cn-relay.sh b/antigravity/maintenance/setup-node2-cn-relay.sh
new file mode 100755
index 00000000..ec12713e
--- /dev/null
+++ b/antigravity/maintenance/setup-node2-cn-relay.sh
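Review bot: The `.env` written in step 3 holds POSTGRES_PASSWORD, JWT_SECRET and TOTP_ENCRYPTION_KEY, but `cat > .env` creates it under the caller's umask, so with the usual 022 default those secrets end up readable by every local account. Restrict the mode at creation, `umask 077` immediately before the heredoc, or `chmod 600 .env` right after the `EOF` line. Step 1 also pipes `https://get.docker.com` straight into a shell that (given the `systemctl enable` that follows) is running as root; downloading the script to a file and reviewing or checksumming it before running it, or installing the distribution's docker package, keeps that step auditable. A small usability gap: ADMIN_PASSWORD is generated but never shown, so the operator must open `.env` to find the credential the closing banner's management URL asks for.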
@@ -0,0 +1,96 @@
+#!/bin/bash
+# =============================================================
+# 节点 2:海外 CN 中转机
+# 部署:GOST 双向中转
+# 接收上海: relay+tls :3456 → 转发到美国落地 :8443
+# =============================================================
+# 用法:bash setup-node2-cn-relay.sh
+
+set -euo pipefail
+GREEN='\033[0;32m' YELLOW='\033[1;33m' RED='\033[0;31m' NC='\033[0m'
+ok() { echo -e "${GREEN}✅ $*${NC}"; }
+info() { echo -e "${YELLOW}ℹ $*${NC}"; }
+fail() { echo -e "${RED}❌ $*${NC}"; }
+
+# ── 配置(修改这里)──────────────────────────────────
+US_LANDING_IP="${US_LANDING_IP:-}" # 美国落地机 IP
+GOST_USER="${GOST_USER:-gostuser}"
+GOST_PASS="${GOST_PASS:-$(openssl rand -hex 8)}"
+LISTEN_PORT_FROM_SH="${LISTEN_PORT_FROM_SH:-3456}" # 接收上海的端口
+LISTEN_PORT_TO_US="${LISTEN_PORT_TO_US:-8443}" # 美国落地机监听端口
+
+echo "================================================"
+echo " 节点2:海外CN中转机 部署"
+echo "================================================"
+
+# 检查必填
+if [ -z "$US_LANDING_IP" ]; then
+ read -rp "请输入美国落地机 IP: " US_LANDING_IP
+fi
+
+# ── 1. 安装 GOST ────────────────────────────────────
+if ! command -v gost &>/dev/null; then
+ info "安装 GOST..."
+ ARCH=$(uname -m)
+ [ "$ARCH" = "x86_64" ] && GARCH="amd64" || GARCH="arm64"
+ LATEST=$(curl -sf https://api.github.com/repos/go-gost/gost/releases/latest | grep '"tag_name"' | cut -d'"' -f4)
+ wget -qO /tmp/gost.tar.gz \
+ "https://github.com/go-gost/gost/releases/download/${LATEST}/gost_linux_${GARCH}.tar.gz"
+ tar xzf /tmp/gost.tar.gz -C /tmp/
+ mv /tmp/gost /usr/local/bin/gost
+ chmod +x /usr/local/bin/gost
+fi
+ok "GOST $(gost -V 2>/dev/null | head -1 || echo '已安装')"
+
+# ── 2. 创建 Systemd 服务 ────────────────────────────
+# 中转机职责:
+# - 接收上海 sub2api 发来的 relay+tls 连接(:3456)
+# - 将流量通过 relay+tls 转发到美国落地机(:8443)
+cat > /etc/systemd/system/gost-relay.service << EOF
+[Unit]
+Description=GOST CN Relay - 接收上海转发到美国落地
+After=network.target
+
+[Service]
+Type=simple
+User=nobody
+ExecStart=/usr/local/bin/gost \\
+ -L "relay+tls://${GOST_USER}:${GOST_PASS}@:${LISTEN_PORT_FROM_SH}" \\
+ -F "relay+tls://${GOST_USER}:${GOST_PASS}@${US_LANDING_IP}:${LISTEN_PORT_TO_US}"
+Restart=always
+RestartSec=5
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable gost-relay
+systemctl restart gost-relay
+sleep 2
+ok "GOST 中转服务已启动"
+
+# ── 3. 防火墙开放端口 ───────────────────────────────
+if command -v ufw &>/dev/null; then
+ ufw allow "${LISTEN_PORT_FROM_SH}/tcp" comment "GOST from Shanghai" 2>/dev/null || true
+ ufw allow ssh 2>/dev/null || true
+ ok "ufw 端口已开放"
+fi
+
+# ── 4. 输出上海配置 ─────────────────────────────────
+MY_IP=$(curl -sf ipinfo.io/ip 2>/dev/null || echo '<本机IP>')
+echo ""
+echo "================================================"
+echo " 节点2 部署完成"
+echo "================================================"
+echo ""
+echo "【上海服务器 .env 填写以下值】"
+echo " GATEWAY_NODE_TLS_PROXY_LISTEN_HOST=${MY_IP}"
+echo " GATEWAY_NODE_TLS_PROXY_LISTEN_PORT=${LISTEN_PORT_FROM_SH}"
+echo ""
+echo "【GOST 认证信息(勿泄露)】"
+echo " 用户名: ${GOST_USER}"
+echo " 密码: ${GOST_PASS}"
+echo ""
+systemctl status gost-relay --no-pager -l | tail -5
diff --git a/antigravity/maintenance/setup-node3-us-landing.sh b/antigravity/maintenance/setup-node3-us-landing.sh
new file mode 100755
index 00000000..626d9456
--- /dev/null
+++ b/antigravity/maintenance/setup-node3-us-landing.sh
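Review bot: `GOST_PASS` is interpolated in clear into `/etc/systemd/system/gost-relay.service` in step 2, and `cat >` creates that file under the default umask (normally 0644), so the relay credential is readable by any local user; add `chmod 600 /etc/systemd/system/gost-relay.service` right after the heredoc (systemd reads unit files as root, so 0600 is sufficient) — `gost-exit.service` in setup-node3-us-landing.sh has the same exposure. The default `GOST_PASS="${GOST_PASS:-$(openssl rand -hex 8)}"` is drawn fresh on every run, so re-executing the script silently rotates the password the US node was configured with and the chain stops authenticating; either make the variable mandatory or refuse to overwrite an existing unit. Step 1 unpacks to the fixed, predictable paths `/tmp/gost.tar.gz` and `/tmp/gost` in a world-writable directory and never verifies the archive it fetched; a `mktemp -d` workdir plus a digest check against whatever the release publishes (confirm the project ships one) would cover both. As a portability nit, `[ "$ARCH" = "x86_64" ] && GARCH="amd64" || GARCH="arm64"` routes every non-x86_64 machine (i686, armv7l) to the arm64 build instead of failing.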
@@ -0,0 +1,143 @@
+#!/bin/bash
+# =============================================================
+# 节点 3:美国落地机(Debian 12,洛杉矶)
+# 部署:GOST 出口 + TCP 指纹伪装
+# 接收 CN中转 relay+tls :8443 → 直连 Anthropic/Google
+# =============================================================
+# 用法:sudo bash setup-node3-us-landing.sh
+
+set -euo pipefail
+GREEN='\033[0;32m' YELLOW='\033[1;33m' RED='\033[0;31m' NC='\033[0m'
+ok() { echo -e "${GREEN}✅ $*${NC}"; }
+info() { echo -e "${YELLOW}ℹ $*${NC}"; }
+fail() { echo -e "${RED}❌ $*${NC}"; }
+
+GOST_USER="${GOST_USER:-gostuser}"
+GOST_PASS="${GOST_PASS:-}" # 与 CN中转机相同,启动时填写
+LISTEN_PORT="${LISTEN_PORT:-8443}"
+
+echo "================================================"
+echo " 节点3:美国落地机 部署(Debian 12 / LA)"
+echo "================================================"
+
+[ "$(id -u)" != "0" ] && { fail "请用 sudo 执行"; exit 1; }
+
+# ── 1. 系统更新 ─────────────────────────────────────
+info "更新系统包..."
+apt-get update -qq && apt-get upgrade -y -qq
+ok "系统已更新"
+
+# ── 2. TCP 指纹伪装(macOS 特征)──────────────────────
+info "应用 TCP 指纹伪装..."
+
+# 实时生效
+sysctl -w net.ipv4.ip_default_ttl=64 # TTL=64(macOS 标准)
+sysctl -w net.ipv4.tcp_timestamps=0 # 禁用 TCP 时间戳(防 uptime 推算)
+sysctl -w net.ipv4.tcp_window_scaling=1 # 窗口扩展(macOS 开启)
+sysctl -w net.ipv4.tcp_rmem="4096 65535 6291456" # 接收窗口65535(macOS默认)
+sysctl -w net.ipv4.tcp_wmem="4096 65535 6291456" # 发送窗口65535
+sysctl -w net.ipv6.conf.all.disable_ipv6=1
+sysctl -w net.ipv6.conf.default.disable_ipv6=1
+
+# BBR 拥塞控制(降低丢包,提高吞吐)
+sysctl -w net.core.default_qdisc=fq
+sysctl -w net.ipv4.tcp_congestion_control=bbr
+
+# 持久化到 sysctl.conf
+cat >> /etc/sysctl.conf << 'EOF'
+
+# ── Antigravity macOS TCP Fingerprint ──
+net.ipv4.ip_default_ttl=64
+net.ipv4.tcp_timestamps=0
+net.ipv4.tcp_window_scaling=1
+net.ipv4.tcp_rmem=4096 65535 6291456
+net.ipv4.tcp_wmem=4096 65535 6291456
+net.ipv6.conf.all.disable_ipv6=1
+net.ipv6.conf.default.disable_ipv6=1
+net.core.default_qdisc=fq
+net.ipv4.tcp_congestion_control=bbr
+EOF
+sysctl -p > /dev/null 2>&1 || true
+ok "TCP 指纹伪装已应用(TTL=64, Window=65535, 时间戳禁用)"
+
+# ── 3. 时区(洛杉矶,匹配落地 IP 地理位置)─────────────
+timedatectl set-timezone America/Los_Angeles
+ok "时区已设置: $(date)"
+
+# ── 4. 安装 GOST ────────────────────────────────────
+if ! command -v gost &>/dev/null; then
+ info "安装 GOST..."
+ ARCH=$(uname -m)
+ [ "$ARCH" = "x86_64" ] && GARCH="amd64" || GARCH="arm64"
+ LATEST=$(curl -sf https://api.github.com/repos/go-gost/gost/releases/latest \
+ | grep '"tag_name"' | cut -d'"' -f4)
+ wget -qO /tmp/gost.tar.gz \
+ "https://github.com/go-gost/gost/releases/download/${LATEST}/gost_linux_${GARCH}.tar.gz"
+ tar xzf /tmp/gost.tar.gz -C /tmp/
+ mv /tmp/gost /usr/local/bin/gost
+ chmod +x /usr/local/bin/gost
+fi
+ok "GOST $(gost -V 2>/dev/null | head -1 || echo '已安装')"
+
+# ── 5. 填写 GOST 密码 ──────────────────────────────
+if [ -z "$GOST_PASS" ]; then
+ read -rp "请输入 GOST 密码(与 CN中转机相同): " GOST_PASS
+fi
+
+# ── 6. 创建 GOST 出口服务 ──────────────────────────
+# 落地机职责:监听 CN中转机 relay+tls 连接,直接出口到 Anthropic/Google
+cat > /etc/systemd/system/gost-exit.service << EOF
+[Unit]
+Description=GOST US Landing Exit - 接收中转,直连 Anthropic/Google
+After=network.target
+
+[Service]
+Type=simple
+User=nobody
+# 监听 CN中转机的连接,透传到最终目标(relay 模式自动解析目标地址)
+ExecStart=/usr/local/bin/gost -L "relay+tls://${GOST_USER}:${GOST_PASS}@:${LISTEN_PORT}"
+Restart=always
+RestartSec=5
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable gost-exit
+systemctl restart gost-exit
+sleep 2
+ok "GOST 出口服务已启动"
+
+# ── 7. 防火墙 ──────────────────────────────────────
+if command -v ufw &>/dev/null; then
+ ufw allow ssh
+ ufw allow "${LISTEN_PORT}/tcp" comment "GOST from CN Relay"
+ ufw --force enable
+ ok "防火墙已配置(只开放 SSH + $LISTEN_PORT)"
+fi
+
+# ── 8. 验证 ───────────────────────────────────────
+echo ""
+echo "================================================"
+echo " 节点3 部署完成"
+echo "================================================"
+echo ""
+echo "【验证指纹伪装】"
+echo " TTL: $(sysctl -n net.ipv4.ip_default_ttl) (应为 64)"
+echo " TCP 时间戳: $(sysctl -n net.ipv4.tcp_timestamps) (应为 0)"
+echo " 时区: $(timedatectl show -p Timezone --value)"
+echo " 当前时间: $(date)"
+echo ""
+echo "【GOST 服务状态】"
+systemctl status gost-exit --no-pager -l | tail -5
+echo ""
+echo "【出口 IP 信息】"
+curl -sf ipinfo.io 2>/dev/null | python3 -c "
+import json,sys
+d=json.load(sys.stdin)
+print(f' IP: {d.get(\"ip\")}')
+print(f' ISP: {d.get(\"org\")}')
+print(f' 城市: {d.get(\"city\")}, {d.get(\"region\")}')
+" || echo " (获取 IP 信息失败)"
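Review bot: The `cat >> /etc/sysctl.conf` block in step 2 is appended unconditionally, so every re-run of the script adds another copy of the same keys to the system file; write it to its own drop-in instead, `cat > /etc/sysctl.d/99-antigravity.conf << 'EOF'`, and load it with `sysctl --system`, which makes the step idempotent and keeps the distribution's file untouched. Step 5 reads the shared relay password with `read -rp` and no `-s`, so it is echoed to the terminal and to any session recording; `read -rsp "..." GOST_PASS; echo` avoids that. Step 7 only configures ufw when it is already present, and on a minimal Debian 12 image it is not preinstalled as far as I know, so the "只开放 SSH + $LISTEN_PORT" message is skipped and the host stays unfiltered while the GOST listener is exposed — installing ufw in step 1 or calling `fail` when it is missing would close the gap. Step 1 also runs `apt-get upgrade -y -qq` without `DEBIAN_FRONTEND=noninteractive`, which can block on a debconf prompt in an unattended run.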