#!/bin/bash
# ================================================================
# 🚀 Ultimate 4-in-1 proxy management panel (Claude-modded edition)
# Supports amd64 / arm64, Ubuntu / Debian / CentOS
# Bundles: Xray (Vision/Reality) + NaïveProxy + Sing-box (SS-TLS) + AnyTLS
#
# NOTE(review): every install/manage action runs as root (check_root) and the
# installers below fetch scripts and binaries from the network without any
# checksum or signature verification, so the host fully trusts those upstreams.
# ================================================================

# ANSI colour codes used by the print_* helpers.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
CYAN='\033[0;36m'
NC='\033[0m'

# Coloured one-line status messages; all of them go to stdout.
print_info() { echo -e "${BLUE}[信息]${NC} $1"; }
print_success() { echo -e "${GREEN}[成功]${NC} $1"; }
print_warning() { echo -e "${YELLOW}[警告]${NC} $1"; }
print_error() { echo -e "${RED}[错误]${NC} $1"; }
step() { echo -e "${CYAN} ▶ $1${NC}"; }

# askline PROMPT VARNAME — print PROMPT on the same line and read one line of
# input into the variable named VARNAME (indirect assignment through
# `read -r "$varname"`; backslashes are kept literal, nothing is validated here).
askline() {
  local prompt="$1"
  local varname="$2"
  echo -e -n "${YELLOW} ➤ ${prompt}${NC} "
  read -r "$varname"
}

# Exit unless the effective UID is 0; every menu action calls this first.
check_root() {
  if [[ $EUID -ne 0 ]]; then
    print_error "请使用 root 权限运行此脚本 (sudo bash $0)"
    exit 1
  fi
}

# Map `uname -m` to the architecture string used in download URLs;
# prints "unsupported" for anything other than x86_64 / aarch64 / arm64.
detect_arch() {
  case "$(uname -m)" in
    x86_64) echo "amd64" ;;
    aarch64|arm64) echo "arm64" ;;
    *) echo "unsupported" ;;
  esac
}

# rand_str N — N random characters drawn from /dev/urandom, alphabet A-Za-z0-9
# only (used for generated usernames and passwords).
rand_str() { cat /dev/urandom | tr -dc 'A-Za-z0-9' | head -c "$1"; }

# urlencode STRING — percent-encode STRING leaving nothing unescaped (safe='').
# Uses python3, then python, then a pure-bash fallback loop.
urlencode() {
  local string="$1"
  if command -v python3 &>/dev/null; then
    python3 -c "import urllib.parse, sys; print(urllib.parse.quote(sys.argv[1], safe=''))" "$string"
  elif command -v python &>/dev/null; then
    python -c "import urllib, sys; print(urllib.quote(sys.argv[1], safe=''))" "$string"
  else
    local strlen=${#string}
    local encoded="" pos c o
    # NOTE(review): the remainder of this fallback loop, the end of urlencode
    # and the beginning of enable_bbr were lost in this copy; the next line is
    # reproduced as found (garbled). Do not rely on the pure-bash path until
    # it is restored from the original script.
    for (( pos=0; pos/dev/null | grep -q "bbr"; then
    # Append the BBR/fq sysctls (only when not already present) and apply them.
    print_info "开启 BBR 加速..."
    echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
    echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
    sysctl -p >/dev/null 2>&1
  fi
}

# Install the packages the deployment functions rely on
# (apt on Debian-family, yum on RHEL-family); body continues below.
install_dependencies() {
  print_info "安装系统依赖..."
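if [ -f /etc/debian_version ]; then
  apt-get update -qq -y
  apt-get install -y -qq curl wget openssl jq socat cron ufw tar lsof ca-certificates
elif [ -f /etc/redhat-release ]; then
  yum install -y -q epel-release
  yum install -y -q curl wget openssl jq socat cronie tar lsof ca-certificates
fi
}

# check_port PORT — return 1 (with an error message) when PORT is not a valid
# port number or something already listens on it over TCP; 0 otherwise.
# Caveat: the listener test depends on lsof; if lsof is missing the check
# silently passes (install_dependencies installs it on supported distros).
check_port() {
  local port=$1
  # Validate before the lookup: a non-numeric or out-of-range value would make
  # lsof fail open and later end up in a firewall rule and a daemon config.
  # 10# forces decimal so zero-padded input is not parsed as octal.
  if ! [[ "$port" =~ ^[0-9]+$ ]] || (( 10#$port < 1 || 10#$port > 65535 )); then
    print_error "端口 $port 无效!请输入 1-65535 之间的数字。"
    return 1
  fi
  if lsof -Pi :"$port" -sTCP:LISTEN -t >/dev/null 2>&1; then
    print_error "端口 $port 已被占用!请更换端口或先停止占用该端口的服务。"
    return 1
  fi
  return 0
}

# open_ports PORT — open 80/tcp (needed by the ACME standalone challenge) plus
# PORT on tcp and udp in whichever of ufw / firewalld is present. Errors are
# ignored because a firewall may simply not be installed.
# Caveats: 80/tcp and PORT/udp stay open permanently even for protocols that
# never use them, none of the uninstall helpers visible in this script closes
# them, and a cloud security group in front of the host needs its own rule.
open_ports() {
  local port=$1
  if command -v ufw &>/dev/null; then
    ufw allow 80/tcp >/dev/null 2>&1
    ufw allow "$port"/tcp >/dev/null 2>&1
    ufw allow "$port"/udp >/dev/null 2>&1
  fi
  if command -v firewall-cmd &>/dev/null; then
    firewall-cmd --zone=public --add-port=80/tcp --permanent >/dev/null 2>&1
    firewall-cmd --zone=public --add-port="$port"/tcp --permanent >/dev/null 2>&1
    firewall-cmd --zone=public --add-port="$port"/udp --permanent >/dev/null 2>&1
    firewall-cmd --reload >/dev/null 2>&1
  fi
}

# ================================================================
# Shared TLS certificate issuance (Let's Encrypt via acme.sh, HTTP-01 standalone)
# ================================================================
# apply_cert DOMAIN CERT_DIR [OWNER]
#   Issues an EC-256 certificate for DOMAIN and installs
#   CERT_DIR/fullchain.pem and CERT_DIR/privkey.pem. Returns 0 on success and
#   1 on any failure (download, issuance or installation). DNS for DOMAIN must
#   point at this host and port 80 must be reachable from the internet.
#   OWNER (optional, new): system user that should own the private key. When
#   given and the user exists, privkey.pem becomes OWNER-owned, mode 0600.
#   Without it the historical behaviour is kept — root-owned, mode 0644, i.e.
#   readable by every local user — and a warning is printed, because the
#   daemons in this script load the key without necessarily running as root.
# Side effects: installs acme.sh under $HOME if absent; stops nginx, apache2,
#   caddy and caddy-naive to free port 80 and does NOT restart them.
apply_cert() {
  local domain=$1
  local cert_dir=$2
  local owner=${3:-}
  mkdir -p "$cert_dir"
  local acme_bin="$HOME/.acme.sh/acme.sh"
  print_info "正在为域名 $domain 申请 SSL 证书 (CA: Let's Encrypt)..."
  print_info "需确保 80 端口未被占用且域名已正确解析到本机 IP"
  # Install acme.sh if it is not there yet.
  # SECURITY: this executes an unpinned installer fetched over HTTPS, as root,
  # with no checksum or signature check (none is available here). At minimum
  # fetch to a file and fail closed instead of piping a failed or partial
  # download straight into sh.
  if [ ! -f "$acme_bin" ]; then
    local installer
    installer=$(mktemp) || return 1
    if ! curl -fsS https://get.acme.sh -o "$installer"; then
      rm -f "$installer"
      print_error "下载 acme.sh 安装脚本失败,请检查网络。"
      return 1
    fi
    sh "$installer"
    rm -f "$installer"
    if [ ! -f "$acme_bin" ]; then
      print_error "acme.sh 安装失败!"
      return 1
    fi
  fi
  export PATH="$HOME/.acme.sh:$PATH"
  # Pin the CA to Let's Encrypt (also passed explicitly on --issue below).
  "$acme_bin" --set-default-ca --server letsencrypt >/dev/null 2>&1
  # Free port 80 for the standalone HTTP-01 listener. These units stay stopped.
  systemctl stop nginx 2>/dev/null || true
  systemctl stop apache2 2>/dev/null || true
  systemctl stop caddy 2>/dev/null || true
  systemctl stop caddy-naive 2>/dev/null || true
  # --force re-issues even when a valid certificate already exists; repeated
  # runs for the same domain count against Let's Encrypt's rate limits.
  if ! "$acme_bin" --issue -d "$domain" --standalone -k ec-256 --force \
      --server letsencrypt; then
    print_error "证书申请失败!请检查:"
    print_error " 1. 域名 $domain 是否已解析到本机公网 IP"
    print_error " 2. 80 端口是否可以从外部访问(Oracle 安全组需放行 80)"
    return 1
  fi
  print_success "证书申请成功!"
  # --ecc selects the EC key pair created by -k ec-256 above. A failed install
  # used to be ignored and surfaced later as a daemon that cannot find its key.
  if ! "$acme_bin" --installcert -d "$domain" \
      --fullchainpath "$cert_dir/fullchain.pem" \
      --keypath "$cert_dir/privkey.pem" \
      --ecc; then
    print_error "证书安装到 $cert_dir 失败!"
    return 1
  fi
  chmod 755 "$cert_dir"
  chmod 644 "$cert_dir/fullchain.pem"
  if [ -n "$owner" ] && id "$owner" &>/dev/null; then
    chown "$owner" "$cert_dir/privkey.pem"
    chmod 600 "$cert_dir/privkey.pem"
  else
    # Legacy default: world-readable private key. Callers whose daemon runs as
    # a dedicated user should pass that user as OWNER to lock the key down.
    chmod 644 "$cert_dir/privkey.pem"
    print_warning "私钥 $cert_dir/privkey.pem 权限为 0644 (本机所有用户可读)"
  fi
  return 0
}

# ================================================================
# 1. Deploy Xray (Vision/Reality) — body continues past this block
# ================================================================
do_install_xray() {
  clear
  echo -e "${BLUE} ── 部署 Xray (VLESS-Reality / Vision-TLS) ────────${NC}"
  install_dependencies
  echo "1. VLESS-Reality (无需域名,适合无域名用户 - 推荐)"
  echo "2. VLESS-Vision-TLS (需要自有域名并解析到本机)"
  # Any answer other than "2" selects Reality (see the branch below).
  askline "请选择 [1-2]: " mode
  askline "请输入 Xray 端口 [留空默认 443]: " PORT
  PORT=${PORT:-443}
  if ! check_port "$PORT"; then sleep 2; return; fi
  open_ports "$PORT"
  if ! command -v xray &>/dev/null; then
    # SECURITY: unpinned remote installer executed as root, no checksum or
    # signature verification.
    bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
    # Without this check a failed install would continue with an empty UUID
    # and write a broken config.
    if ! command -v xray &>/dev/null; then
      print_error "Xray 安装失败,请检查网络后重试。"
      return
    fi
  fi
  local UUID
  UUID=$(xray uuid)
  local CONFIG_FILE="/usr/local/etc/xray/config.json"
  if [ "$mode" == "2" ]; then
    askline "请输入你的域名 (如 s1.example.com): " USER_DOMAIN
    if ! \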
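apply_cert "$USER_DOMAIN" "/usr/local/etc/xray/cert"; then return; fi
    # Vision over real TLS, using the cert/key produced by apply_cert.
    cat > "$CONFIG_FILE" << EOF
{
  "inbounds": [{
    "port": $PORT,
    "protocol": "vless",
    "settings": {
      "clients": [ { "id": "$UUID", "flow": "xtls-rprx-vision" } ],
      "decryption": "none"
    },
    "streamSettings": {
      "network": "tcp",
      "security": "tls",
      "tlsSettings": {
        "certificates": [ { "certificateFile": "/usr/local/etc/xray/cert/fullchain.pem", "keyFile": "/usr/local/etc/xray/cert/privkey.pem" } ]
      }
    },
    "sniffing": { "enabled": true, "destOverride": ["http", "tls"] }
  }],
  "outbounds": [{ "protocol": "freedom", "tag": "direct" }]
}
EOF
    LINK_ADDR="$USER_DOMAIN"
    LINK_SNI="$USER_DOMAIN"
    LINK_TYPE="tls"
    LINK_EXTRA=""
    SHOW_MSG="Vision-TLS"
  else
    # Reality: generate an x25519 pair; the private key goes into the server
    # config, the public key into the client share link.
    local KEYS
    KEYS=$(xray x25519)
    local PRIVATE_KEY
    PRIVATE_KEY=$(echo "$KEYS" | grep -i "PrivateKey" | awk -F': ' '{print $2}' | tr -d ' ')
    local PUBLIC_KEY
    PUBLIC_KEY=$(echo "$KEYS" | grep -i "PublicKey" | awk -F': ' '{print $2}' | tr -d ' ')
    # Bail out instead of writing an unusable config and link when the output
    # of `xray x25519` does not carry the labels matched above.
    if [ -z "$PRIVATE_KEY" ] || [ -z "$PUBLIC_KEY" ]; then
      print_error "无法从 'xray x25519' 输出中解析密钥对,请检查 Xray 版本。"
      return
    fi
    echo "选择伪装域名:"
    echo " 1. dl.google.com"
    echo " 2. www.apple.com"
    echo " 3. www.microsoft.com"
    askline "请选择 [留空默认 1]: " dest_choice
    case $dest_choice in
      2) DEST="www.apple.com:443"; SNI="www.apple.com" ;;
      3) DEST="www.microsoft.com:443"; SNI="www.microsoft.com" ;;
      *) DEST="dl.google.com:443"; SNI="dl.google.com" ;;
    esac
    local SHORT_ID
    SHORT_ID=$(openssl rand -hex 8)
    # NOTE(review): the "" entry in shortIds also admits clients that present
    # no shortId at all; drop it if every client imports the generated link.
    # The file holds the Reality private key and the client UUID and is written
    # with the default umask — whoever can read it can impersonate the server.
    cat > "$CONFIG_FILE" << EOF
{
  "inbounds": [{
    "port": $PORT,
    "protocol": "vless",
    "settings": {
      "clients": [ { "id": "$UUID", "flow": "xtls-rprx-vision" } ],
      "decryption": "none"
    },
    "streamSettings": {
      "network": "tcp",
      "security": "reality",
      "realitySettings": {
        "show": false,
        "dest": "$DEST",
        "xver": 0,
        "serverNames": ["$SNI"],
        "privateKey": "$PRIVATE_KEY",
        "shortIds": ["", "$SHORT_ID"]
      }
    },
    "sniffing": { "enabled": true, "destOverride": ["http", "tls"] }
  }],
  "outbounds": [{ "protocol": "freedom", "tag": "direct" }]
}
EOF
    LINK_ADDR=$(curl -s4 ifconfig.me 2>/dev/null || curl -s6 ifconfig.me)
    # A bare IPv6 literal is not valid in the host:port authority of the share
    # link; bracket it so clients can parse the URI.
    if [[ "$LINK_ADDR" == *:* ]]; then
      LINK_ADDR="[$LINK_ADDR]"
    fi
    LINK_SNI="$SNI"
    LINK_TYPE="reality"
    LINK_EXTRA="&pbk=${PUBLIC_KEY}&sid=${SHORT_ID}"
    SHOW_MSG="Reality"
  fi
  systemctl daemon-reload
  systemctl restart xray
  systemctl enable xray
  local ALIAS
  ALIAS=$(urlencode "Xray-${SHOW_MSG}-${PORT}")
  # The link embeds the client UUID (and, for Reality, pbk/sid): treat the
  # terminal output as a credential.
  local VLESS_LINK="vless://${UUID}@${LINK_ADDR}:${PORT}?security=${LINK_TYPE}&encryption=none&type=tcp&flow=xtls-rprx-vision&sni=${LINK_SNI}&fp=chrome${LINK_EXTRA}#${ALIAS}"
  echo "=========================================="
  print_success "Xray ($SHOW_MSG) 部署成功!"
  echo -e "${YELLOW}【VLESS 分享链接 (直接导入)】${NC}"
  echo -e "${GREEN}${VLESS_LINK}${NC}"
  echo "=========================================="
  read -n 1 -s -r -p "按任意键返回..."
}

# ================================================================
# 2. Deploy NaïveProxy (Caddy + decoy "cloud drive" site)
# ================================================================
# generate_fake_site NAME DOMAIN — write the static decoy page served to
# non-proxy visitors under /var/www/naive-disguise.
generate_fake_site() {
  local site_name="$1"
  local domain="$2"
  local webroot="/var/www/naive-disguise"
  mkdir -p "$webroot"
  # NOTE(review): the here-document that writes the decoy page lost its HTML
  # markup in this copy; the line below is reproduced as found and is not
  # runnable as-is. Restore it from the original script before use.
  cat > "$webroot/index.html" <${site_name}Drive — Private Cloud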
${site_name}Drive Private

Sign in to your vault

Access is restricted to authorized accounts only.

Invalid credentials.
HTMLEOF } do_install_naive() { clear echo -e "${BLUE} ── 部署 NaïveProxy (带 Vault 私有网盘伪装) ────────${NC}" local arch arch=$(detect_arch) [ "$arch" = "unsupported" ] && { print_error "不支持的 CPU 架构"; return; } install_dependencies askline "请输入代理域名 (DNS需提前解析到本机): " domain askline "请输入 Naive 端口 [留空默认 443]: " PORT PORT=${PORT:-443} if ! check_port "$PORT"; then sleep 2; return; fi askline "网盘名称 [留空默认 Vault]: " sitename sitename=${sitename:-Vault} local username="naive_$(rand_str 6 | tr '[:upper:]' '[:lower:]')" local password password=$(rand_str 18) open_ports "$PORT" if ! apply_cert "$domain" "/etc/caddy/cert"; then return; fi step "下载 Caddy (含 forwardproxy)..." local caddy_url if [ "$arch" = "arm64" ]; then caddy_url="https://github.com/Michaol/caddy-naive/releases/latest/download/caddy-linux-arm64" else caddy_url="https://github.com/Michaol/caddy-naive/releases/latest/download/caddy-linux-amd64" fi if ! wget -q --show-progress -O /usr/local/bin/caddy "$caddy_url"; then print_error "下载 Caddy 失败,请检查网络。" return fi chmod +x /usr/local/bin/caddy setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy 2>/dev/null || true mkdir -p /etc/caddy /var/lib/caddy /var/log/caddy id caddy &>/dev/null || useradd --system --home /var/lib/caddy --shell /usr/sbin/nologin caddy generate_fake_site "$sitename" "$domain" chown -R caddy:caddy /var/www/naive-disguise /etc/caddy /var/lib/caddy /var/log/caddy cat > /etc/caddy/Caddyfile < /etc/systemd/system/caddy-naive.service </dev/null; then step "下载 Sing-box Core..." 
local version version=$(curl -s https://api.github.com/repos/SagerNet/sing-box/releases/latest \ | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/') if [ -z "$version" ]; then print_error "无法获取 sing-box 最新版本,请检查网络。" return fi wget -q --show-progress -O /tmp/sing-box.tar.gz \ "https://github.com/SagerNet/sing-box/releases/download/v${version}/sing-box-${version}-linux-${sb_arch}.tar.gz" tar -xzf /tmp/sing-box.tar.gz -C /tmp/ mv "/tmp/sing-box-${version}-linux-${sb_arch}/sing-box" /usr/local/bin/ chmod +x /usr/local/bin/sing-box rm -rf /tmp/sing-box.tar.gz "/tmp/sing-box-${version}-linux-${sb_arch}" fi if ! apply_cert "$USER_DOMAIN" "/usr/local/etc/sing-box/cert"; then return; fi local ss_pass ss_pass="$(rand_str 16)" mkdir -p /usr/local/etc/sing-box cat > /usr/local/etc/sing-box/config.json < /etc/systemd/system/sing-box.service </dev/null; then need_install=1 else local sb_ver sb_ver=$(sing-box version 2>/dev/null | grep -E '^sing-box version' | awk '{print $3}' | head -1) local sb_major=${sb_ver%%.*} local sb_minor sb_minor=$(echo "$sb_ver" | awk -F. '{print $2}') if [ "${sb_major:-0}" -lt 1 ] || { [ "${sb_major:-0}" -eq 1 ] && [ "${sb_minor:-0}" -lt 11 ]; }; then print_warning "当前 sing-box 版本 ($sb_ver) 不支持 AnyTLS,需要 1.11+,将重新安装最新版..." need_install=1 fi fi if [ "$need_install" -eq 1 ]; then step "下载 Sing-box Core (最新版)..." local version version=$(curl -s https://api.github.com/repos/SagerNet/sing-box/releases/latest \ | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/') if [ -z "$version" ]; then print_error "无法获取 sing-box 最新版本,请检查网络。" return fi wget -q --show-progress -O /tmp/sing-box.tar.gz \ "https://github.com/SagerNet/sing-box/releases/download/v${version}/sing-box-${version}-linux-${sb_arch}.tar.gz" tar -xzf /tmp/sing-box.tar.gz -C /tmp/ mv "/tmp/sing-box-${version}-linux-${sb_arch}/sing-box" /usr/local/bin/sing-box chmod +x /usr/local/bin/sing-box rm -rf /tmp/sing-box.tar.gz "/tmp/sing-box-${version}-linux-${sb_arch}" fi if ! 
apply_cert "$USER_DOMAIN" "/usr/local/etc/sing-box-anytls/cert"; then return; fi local password password="$(rand_str 32)" mkdir -p /usr/local/etc/sing-box-anytls cat > /usr/local/etc/sing-box-anytls/config.json < /etc/systemd/system/sing-box-anytls.service </dev/null || true systemctl disable caddy-naive 2>/dev/null || true rm -f /etc/systemd/system/caddy-naive.service /usr/local/bin/caddy rm -rf /etc/caddy /var/lib/caddy /var/www/naive-disguise print_success "NaïveProxy 已卸载" } un_singbox() { systemctl stop sing-box 2>/dev/null || true systemctl disable sing-box 2>/dev/null || true rm -f /etc/systemd/system/sing-box.service /usr/local/bin/sing-box rm -rf /usr/local/etc/sing-box print_success "Sing-box 已卸载" } un_anytls() { systemctl stop sing-box-anytls 2>/dev/null || true systemctl disable sing-box-anytls 2>/dev/null || true rm -f /etc/systemd/system/sing-box-anytls.service rm -rf /usr/local/etc/sing-box-anytls print_success "AnyTLS 已卸载" } # ================================================================ # 主菜单 # ================================================================ while true; do clear echo -e "${BLUE} ╔════════════════════════════════════════════════════╗${NC}" echo -e "${BLUE} ║ 🚀 终极四合一 代理管理面板 ║${NC}" echo -e "${BLUE} ║ Xray(Reality/Vision) + NaïveProxy + SS-TLS + AnyTLS ║${NC}" echo -e "${BLUE} ╚════════════════════════════════════════════════════╝${NC}" echo -e " ${YELLOW}注意: 同时部署多个协议请使用不同端口!(如 443, 8443, 9443)${NC}" echo "" echo -e " ${CYAN}[安装 & 部署]${NC}" echo -e " ${YELLOW}1)${NC} 部署 Xray ${GREEN}(VLESS-Reality / Vision-TLS)${NC}" echo -e " ${YELLOW}2)${NC} 部署 NaïveProxy ${GREEN}(含 Vault 网盘伪装 - 究极隐蔽)${NC}" echo -e " ${YELLOW}3)${NC} 部署 Sing-box ${GREEN}(Shadowsocks + TLS 协议)${NC}" echo -e " ${YELLOW}4)${NC} 部署 AnyTLS ${GREEN}(sing-box,抗流量检测 - 推荐)${NC}" echo "" echo -e " ${CYAN}[管理 & 卸载]${NC}" echo -e " ${YELLOW}5)${NC} 管理 Xray" echo -e " ${YELLOW}6)${NC} 管理 NaïveProxy" echo -e " ${YELLOW}7)${NC} 管理 Sing-box (SS-TLS)" echo -e " ${YELLOW}8)${NC} 管理 
AnyTLS"
  echo ""
  echo -e " ${YELLOW}0)${NC} 退出"
  echo ""
  askline "请输入选项: " choice
  # Dispatch on the menu choice. Root is only enforced once an action is
  # chosen, so the menu itself renders for any user; every deploy path also
  # runs enable_bbr before the installer. Unknown input just redraws the menu.
  case "$choice" in
    1) check_root; enable_bbr; do_install_xray ;;
    2) check_root; enable_bbr; do_install_naive ;;
    3) check_root; enable_bbr; do_install_sstls ;;
    4) check_root; enable_bbr; do_install_anytls ;;
    5) check_root; manage_service "xray" "Xray" "un_xray" ;;
    6) check_root; manage_service "caddy-naive" "NaïveProxy" "un_naive" ;;
    7) check_root; manage_service "sing-box" "Sing-box" "un_singbox" ;;
    8) check_root; manage_service "sing-box-anytls" "AnyTLS" "un_anytls" ;;
    0|q|Q) echo -e "\n${BLUE}向开源生态致敬!再见 🫡${NC}\n"; exit 0 ;;
    *) print_warning "无效选项"; sleep 1 ;;
  esac
done