#!/bin/bash # Envoy gRPC 极致性能优化脚本 # 基于 Envoy v1.37.0 官方文档标准 # 特性:长连接、高并发、BBR跑满带宽、智能熔断(Success Rate)、DNS无损更新、TLS会话复用、双向心跳、负载再平衡 # 修复:恢复完整菜单、路由路径修正、监听地址逻辑修正、热更新逻辑优化 # ===== 全局配置 ===== DOWNLOAD_SERVER="h5ai.feifei2020.top" ENVOY_BIN="/usr/sbin/envoy" ENVOY_CONFIG="/etc/envoy/envoy.yaml" SYSCTL_CONFIG="/etc/sysctl.d/99-envoy-optimized.conf" TOOL_PATH="/usr/local/bin/envoy_tool" # 默认值 DEFAULT_BW_MBPS=1000 DEFAULT_RTT_MS=200 # 最小值 8MB,最大值 32MB (防止 HTTP/2 SETTINGS 帧的窗口初始值过大变成显著特征) MIN_WINDOW_SIZE=$((8 * 1024 * 1024)) MAX_WINDOW_SIZE=$((32 * 1024 * 1024)) # 颜色 RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[0;33m' NC='\033[0m' # ===== 辅助函数 ===== log_info() { echo -e "${GREEN}[INFO]${NC} $1"; } log_err() { echo -e "${RED}[ERROR]${NC} $1" >&2; } check_root() { if [ "$EUID" -ne 0 ]; then log_err "请使用 root 运行" exit 1 fi } download_file() { local url="$1" local dest="$2" log_info "正在下载 $url -> $dest" if command -v curl >/dev/null 2>&1; then curl -fsSL "$url" -o "$dest" elif command -v wget >/dev/null 2>&1; then wget -qO "$dest" "$url" else log_err "未找到 curl 或 wget" return 1 fi if [ ! -s "$dest" ]; then log_err "下载失败或文件为空: $dest" rm -f "$dest" return 1 fi } check_install_cron() { # 检查并安装依赖 (cron) local install_cmd="" local pkg_manager="" if command -v apt-get >/dev/null 2>&1; then pkg_manager="apt-get" elif command -v yum >/dev/null 2>&1; then pkg_manager="yum" fi if ! command -v crontab >/dev/null 2>&1; then if [ "$pkg_manager" = "apt-get" ]; then install_cmd="$install_cmd cron" elif [ "$pkg_manager" = "yum" ]; then install_cmd="$install_cmd crontabs" fi fi if [ -n "$install_cmd" ]; then log_info "安装依赖: $install_cmd" if [ "$pkg_manager" = "apt-get" ]; then apt-get update && apt-get install -y $install_cmd elif [ "$pkg_manager" = "yum" ]; then yum install -y $install_cmd fi # 启动 cron 服务 (兼容不同服务名) if command -v systemctl >/dev/null 2>&1; then systemctl enable cron 2>/dev/null || systemctl enable crond 2>/dev/null systemctl start cron 2>/dev/null || systemctl start crond 2>/dev/null fi fi } # 智能更新函数:仅当配置内容(忽略版本号)变更时才覆盖文件,实现精准热加载 safe_update_config() { local new_file="$1" local target_file="$2" local resource_name="$3" if [ ! -f "$target_file" ]; then mv -f "$new_file" "$target_file" log_info "${resource_name} 初始化完成" return fi # 忽略第一行 (version_info) 进行内容比对 # 如果内容一致,则不更新文件,避免触发 Envoy 不必要的重载 if cmp -s <(tail -n +2 "$new_file") <(tail -n +2 "$target_file"); then rm -f "$new_file" # log_info "${resource_name} 无变更,跳过重载" else mv -f "$new_file" "$target_file" log_info "${resource_name} 已更新,触发热加载" fi } # ===== 核心配置应用逻辑 (复用) ===== _apply_envoy_config() { local USER_BW="$1" local tunnel_num="$2" local config_type="$3" local pass_real_ip="$4" local mode="" envoy_txt_url="" crt_url="" key_url="" case $config_type in 1) mode="in" envoy_txt_url="https://${DOWNLOAD_SERVER}/tunnel/tunnel${tunnel_num}/in/envoy.txt" crt_url="https://${DOWNLOAD_SERVER}/tunnel/ljfxz/server.crt" key_url="https://${DOWNLOAD_SERVER}/tunnel/ljfxz/server.key" ;; 2) mode="out" envoy_txt_url="https://${DOWNLOAD_SERVER}/tunnel/tunnel${tunnel_num}/out/envoy.txt" crt_url="https://${DOWNLOAD_SERVER}/tunnel/ljfxz/server.crt" key_url="https://${DOWNLOAD_SERVER}/tunnel/ljfxz/server.key" ;; 3) mode="single" envoy_txt_url="https://${DOWNLOAD_SERVER}/tunnel/tunnel${tunnel_num}/out/envoy.txt" crt_url="https://${DOWNLOAD_SERVER}/tunnel/ljfxz/server.crt" key_url="https://${DOWNLOAD_SERVER}/tunnel/ljfxz/server.key" ;; *) log_err "无效的配置类型"; return 1 ;; esac # 0. 环境自检与依赖修复 # 确保管理脚本是最新的 (用于热更新回调) if [ -f "$0" ]; then if [ ! -f "$TOOL_PATH" ] || ! cmp -s "$0" "$TOOL_PATH"; then cp -f "$0" "$TOOL_PATH" chmod +x "$TOOL_PATH" fi fi # 确保 cron 服务已安装 (用于热更新定时任务) check_install_cron # 下载配置文件 download_file "$envoy_txt_url" "/etc/envoy/envoy.txt" || return 1 # 转换格式 (DOS to Unix) sed -i 's/\r$//' /etc/envoy/envoy.txt 2>/dev/null # 证书下载 mkdir -p /etc/envoy/ssl download_file "$crt_url" "/etc/envoy/ssl/server.crt" || return 1 download_file "$key_url" "/etc/envoy/ssl/server.key" || return 1 # Session Ticket if [ ! -f /etc/envoy/ssl/ticket.key ]; then log_info "生成 TLS 会话复用密钥..." dd if=/dev/urandom of=/etc/envoy/ssl/ticket.key bs=80 count=1 2>/dev/null chmod 600 /etc/envoy/ssl/ticket.key fi calculate_params "$USER_BW" # 生成配置 (File-based XDS 模式) generate_envoy_yaml "$mode" "/etc/envoy/envoy.txt" "$pass_real_ip" # 智能启动/重载 if command -v systemctl >/dev/null 2>&1; then if systemctl is-active --quiet envoy; then log_info "Envoy 服务正在运行,配置已通过 File-based XDS 自动热加载。" else log_info "Envoy 服务未运行,正在启动..." systemctl start envoy sleep 2 systemctl is-active --quiet envoy && log_info "Envoy 启动成功!" fi fi } # ===== 1. 智能 BDP 算法 (带宽延迟积) ===== calculate_params() { local bw_mbps="$1" local rtt_ms="${2:-$DEFAULT_RTT_MS}" # BDP = 带宽(bps) * RTT(s) / 8 # 丢包补偿系数: 2.5 (应对公网波动和丢包) # 使用 awk 进行浮点运算并四舍五入取整 local bdp_bytes=$(echo "$bw_mbps $rtt_ms" | awk '{printf "%.0f", $1 * 1000000 * $2 / 1000 / 8 * 2.5}') # 边界限制 if [ "$bdp_bytes" -lt "$MIN_WINDOW_SIZE" ]; then bdp_bytes=$MIN_WINDOW_SIZE; fi if [ "$bdp_bytes" -gt "$MAX_WINDOW_SIZE" ]; then bdp_bytes=$MAX_WINDOW_SIZE; fi # HTTP/2 窗口设置 ENV_STREAM_WINDOW="$bdp_bytes" ENV_CONN_WINDOW=$(echo "$bdp_bytes" | awk '{printf "%.0f", $1 * 2}') if [ "$ENV_CONN_WINDOW" -gt "$MAX_WINDOW_SIZE" ]; then ENV_CONN_WINDOW=$MAX_WINDOW_SIZE; fi # 内核缓冲区限制: 必须大于等于 BDP ENV_PER_CONN_BUFFER="$ENV_CONN_WINDOW" log_info "极致优化参数 (带宽: ${bw_mbps}Mbps, RTT: ${rtt_ms}ms, 补偿系数: 2.5):" log_info " - Stream Window: $((ENV_STREAM_WINDOW / 1024 / 1024)) MB" log_info " - Conn Window: $((ENV_CONN_WINDOW / 1024 / 1024)) MB" log_info " - Buffer Limit: $((ENV_PER_CONN_BUFFER / 1024 / 1024)) MB" } # ===== 2. 配置生成器 (Envoy v1.37.0 标准) ===== get_socket_options() { cat < "$MAIN_CONFIG" < "$SDS_CONFIG" < "$LDS_TMP" <> "$LDS_TMP" <\r\n%RESPONSE_CODE% Bad Gateway\r\n\r\n

%RESPONSE_CODE% Bad Gateway

\r\n
nginx
\r\n\r\n\r\n' content_type: "text/html" use_remote_address: ${use_remote_address} xff_num_trusted_hops: ${xff_hops} # 流超时设置 (0s = 无限,防止断流) # stream_idle_timeout: 流空闲超时。如果流已建立但没有数据传输超过此时长,流会被关闭。 # 设置为 0s 禁用此超时,确保 gRPC 长连接心跳或低频数据流不被切断。 stream_idle_timeout: 0s # request_timeout: 整个请求的超时时间。对于 gRPC 流式传输,这必须是 0s (无限),否则流会在固定时间后强制中断。 request_timeout: 0s common_http_protocol_options: idle_timeout: 3600s # 连接空闲超时 (Connection Idle Timeout) # 当连接上没有任何活跃流时,超过此时间连接将被关闭。 # 设置为 1小时 (3600s) 是为了回收僵尸连接,不影响活跃连接。 max_headers_count: 200 max_connection_duration: 3600s # 强制 1 小时内断开并重连 (打破 DPI 的超长连接行为分析) http2_protocol_options: initial_stream_window_size: ${ENV_STREAM_WINDOW} initial_connection_window_size: ${ENV_CONN_WINDOW} max_concurrent_streams: 250 # 伪装成现代 Web 服务器的标准配置 (如 Nginx 默认 128-250),防止暴露代理节点特征 override_stream_error_on_invalid_http_message: true connection_keepalive: interval: 30s timeout: 10s connection_idle_interval: 15s route_config: name: local_route virtual_hosts: - name: local_service retry_policy: retry_on: "connect-failure,refused-stream,gateway-error,deadline-exceeded,stream-idle-timeout,unavailable,reset" num_retries: 3 retry_back_off: base_interval: 0.1s max_interval: 1s domains: ["*"] routes: - match: { prefix: "/ljfxz" } ${request_headers_to_add} route: cluster: ${cluster_name} timeout: 0s max_stream_duration: max_stream_duration: 0s grpc_timeout_header_max: 0s # 在请求发送给后端 (上游) 之前,将其剥离,实现内部隐身 request_headers_to_remove: ["user-agent"] - match: { prefix: "/" } direct_response: status: 404 body: { inline_string: '\r\n404 Not Found\r\n\r\n

404 Not Found

\r\n
nginx
\r\n\r\n' } response_headers_to_add: - header: key: "Content-Type" value: "text/html" append_action: OVERWRITE_IF_EXISTS_OR_ADD http_filters: - name: envoy.filters.http.router typed_config: "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router suppress_envoy_headers: true EOF # 所有模式强制 TLS 监听 get_downstream_tls "h2" >> "$LDS_TMP" done < "$listeners_file" # 生成 CDS 配置文件 (cds.yaml) local CDS_CONFIG="/etc/envoy/cds.yaml" local CDS_TMP="/etc/envoy/cds.yaml.tmp" cat > "$CDS_TMP" <> "$CDS_TMP" <> "$CDS_TMP" fi cat >> "$CDS_TMP" < "/usr/local/bin/update_envoy_config.sh" < /etc/envoy/sds.yaml.tmp </dev/null 2>&1 EOF chmod +x "/usr/local/bin/update_envoy_config.sh" if command -v systemctl >/dev/null 2>&1; then systemctl enable cron 2>/dev/null || systemctl enable crond 2>/dev/null systemctl start cron 2>/dev/null || systemctl start crond 2>/dev/null # 自动添加定时任务 (每分钟执行一次) local cron_job="* * * * * /usr/local/bin/update_envoy_config.sh >/dev/null 2>&1" if ! crontab -l 2>/dev/null | grep -q "update_envoy_config.sh"; then (crontab -l 2>/dev/null; echo "$cron_job") | crontab - log_info "已添加证书自动热更新定时任务" fi fi fi } # 新增一个隐藏的 CLI 命令,用于脚本内部调用生成 YAML # 在 main 函数中处理 # ===== 功能菜单函数 ===== envoy_install() { log_info "安装 Envoy..." # 安装前先停止服务,防止文件占用或冲突 systemctl stop envoy 2>/dev/null # 强制下载最新版 Envoy (移除条件判断) mkdir -p /etc/envoy/ssl download_file "https://${DOWNLOAD_SERVER}/tools/envoy" "$ENVOY_BIN" chmod +x "$ENVOY_BIN" # 远程下载 service 文件 download_file "https://${DOWNLOAD_SERVER}/tools/envoy.service" "/usr/lib/systemd/system/envoy.service" || return 1 systemctl daemon-reload systemctl enable envoy # 安装时自动执行系统优化 system_optimize # 安装管理脚本 if [ -f "$0" ]; then cp "$0" "$TOOL_PATH" chmod +x "$TOOL_PATH" log_info "管理脚本已安装到 $TOOL_PATH" fi log_info "Envoy 安装完成" } envoy_manage() { echo "1.启动 2.停止 3.重启 4.状态" read -p "选择: " c case $c in 1) systemctl start envoy ;; 2) systemctl stop envoy ;; 3) systemctl restart envoy ;; 4) systemctl status envoy --no-pager ;; esac } firewall_remove() { systemctl stop firewalld 2>/dev/null systemctl disable firewalld 2>/dev/null ufw disable 2>/dev/null log_info "防火墙已禁用" } envoy_monitor() { check_install_cron download_file "https://${DOWNLOAD_SERVER}/tools/checkenvoy.sh" "/usr/local/bin/checkenvoy.sh" || return 1 chmod +x /usr/local/bin/checkenvoy.sh (crontab -l 2>/dev/null | grep -v checkenvoy; echo "* * * * * /usr/local/bin/checkenvoy.sh >/dev/null 2>&1") | crontab - log_info "定时检测已设置" } soga_setup() { local node_id="$1" local soga_key="$2" local webapi_domain="$3" local webapi_key="$4" # 检查并安装 curl 依赖 if ! command -v curl >/dev/null 2>&1; then log_info "安装依赖: curl" if command -v apt-get >/dev/null 2>&1; then apt-get update && apt-get install -y curl elif command -v yum >/dev/null 2>&1; then yum install -y curl fi fi # 如果没有传参,进入交互模式 if [ -z "$node_id" ]; then read -r -p "节点ID: " node_id read -r -p "授权码: " soga_key read -r -p "域名: " webapi_domain read -r -p "webapi_key: " webapi_key fi log_info "正在下载并安装 soga..." local soga_install="/tmp/soga_install.sh" if ! curl -Ls https://raw.githubusercontent.com/vaxilu/soga/master/install.sh -o "$soga_install"; then log_err "下载 soga 安装脚本失败,请检查网络" return 1 fi bash "$soga_install" || { log_err "soga 安装失败"; rm -f "$soga_install"; return 1; } rm -f "$soga_install" # 确保配置目录存在 mkdir -p /etc/soga cat > /etc/soga/soga.conf </dev/null 2>&1; then log_info "安装依赖: curl" if command -v apt-get >/dev/null 2>&1; then apt-get update && apt-get install -y curl elif command -v yum >/dev/null 2>&1; then yum install -y curl fi fi # 如果没有传参,进入交互模式 if [ -z "$cf_key" ]; then read -p "请输入 Cloudflare API Key (Global Key): " cf_key read -p "请输入 Cloudflare 邮箱: " cf_user read -p "请输入主域名 (例如 example.com): " cf_zone read -p "请输入解析记录名 (例如 ddns): " cf_record echo "解析类型: 1)IPv4(A) 2)IPv6(AAAA)" read -p "选择 [1-2]: " record_type_choice record_type="A" [ "$record_type_choice" = "2" ] && record_type="AAAA" else # CLI 模式下的类型转换 if [ "$record_type" = "1" ]; then record_type="A" elif [ "$record_type" = "2" ]; then record_type="AAAA" fi # 如果用户直接传了 A 或 AAAA,则保持原样 fi # 下载并配置 DDNS 脚本 local ddns_script="/usr/local/bin/cf-ddns.sh" download_file "https://raw.githubusercontent.com/yulewang/cloudflare-api-v4-ddns/master/cf-v4-ddns.sh" "$ddns_script" || return 1 chmod +x "$ddns_script" # 修复环境变量缺失问题 (如 HOME) # 在脚本顶部添加 export HOME=/root 如果未定义 if ! grep -q "export HOME=" "$ddns_script"; then sed -i '2i export HOME=${HOME:-/root}' "$ddns_script" fi # 创建定时任务 local cron_cmd="$ddns_script -k $cf_key -u $cf_user -h $cf_record -z $cf_zone -t $record_type >/dev/null 2>&1" (crontab -l 2>/dev/null | grep -v "cf-ddns.sh"; echo "* * * * * $cron_cmd") | crontab - # 立即执行一次 log_info "正在执行第一次同步..." # 手动设置 HOME 环境变量以防万一 export HOME=${HOME:-/root} $ddns_script -k "$cf_key" -u "$cf_user" -h "$cf_record" -z "$cf_zone" -t "$record_type" -f true >/dev/null 2>&1 if [ $? -eq 0 ]; then log_info "DDNS 配置成功!每分钟自动更新。" else log_err "DDNS 同步失败,请检查 API Key 和网络。" fi } system_optimize() { log_info "正在应用极致系统优化 (BBR + Kernel)..." # 直接写入专用配置文件 cat > "$SYSCTL_CONFIG" </sys/kernel/mm/transparent_hugepage/enabled cat >'/etc/systemd/system.conf' <'/etc/security/limits.conf' <>/etc/profile if grep -q "pam_limits.so" /etc/pam.d/common-session; then : else sed -i '/required pam_limits.so/d' /etc/pam.d/common-session echo "session required pam_limits.so" >>/etc/pam.d/common-session fi systemctl daemon-reload log_info "系统优化和 BBR 配置完成!" } envoy_uninstall() { local force="$1" if [ "$force" != "-y" ] && [ "$force" != "force" ]; then read -p "确定要卸载 Envoy 吗? [y/N]: " confirm [[ "$confirm" != "y" && "$confirm" != "Y" ]] && return fi log_info "正在停止 Envoy 服务..." systemctl stop envoy 2>/dev/null systemctl disable envoy 2>/dev/null log_info "正在删除文件..." rm -f "$ENVOY_BIN" rm -f "/usr/lib/systemd/system/envoy.service" rm -rf "/etc/envoy" rm -f "$SYSCTL_CONFIG" rm -f "/etc/security/limits.d/envoy.conf" rm -f "/usr/local/bin/update_envoy_config.sh" rm -f "/usr/local/bin/checkenvoy.sh" rm -f "$TOOL_PATH" crontab -l 2>/dev/null | grep -v "update_envoy_config.sh" | grep -v "checkenvoy.sh" | crontab - systemctl daemon-reload log_info "Envoy 已卸载完成" } # ===== 核心配置流程 ===== envoy_tcp_config() { read -p "请输入带宽 (Mbps) [${DEFAULT_BW_MBPS}]: " USER_BW USER_BW=${USER_BW:-$DEFAULT_BW_MBPS} read -p "隧道编号: " tunnel_num if [[ ! "$tunnel_num" =~ ^[0-9]+$ ]]; then log_err "必须是数字" return 1 fi echo "配置类型: 1)入口 2)出口 3)单层" read -p "选择 [1-3]: " config_type local pass_real_ip="y" if [ "$config_type" == "3" ]; then read -p "是否传递真实IP给后端? [Y/n]: " user_pass_ip [[ "$user_pass_ip" == "n" || "$user_pass_ip" == "N" ]] && pass_real_ip="n" fi # 调用核心函数 (无需 IP 版本参数) _apply_envoy_config "$USER_BW" "$tunnel_num" "$config_type" "$pass_real_ip" } show_menu() { clear echo "=====================================" echo " Envoy 极致性能代理 v3.0" echo " 大带宽|不断流|长连接|BBR" echo "=====================================" echo "1. 安装 Envoy" echo "2. 生成配置" echo "3. 管理服务" echo "4. 删除防火墙" echo "5. 定时检测" echo "6. 对接 soga" echo "7. 设置 DDNS" echo "8. 系统优化 (BBR + 内核)" echo "9. 卸载 Envoy" echo "0. 退出" echo "=====================================" } # ===== 主逻辑 ===== main() { check_root # 支持命令行参数直接调用 if [ $# -gt 0 ]; then case "$1" in install) envoy_install exit $? ;; config) # 参数: config <带宽MB> <隧道号> <类型1-3> [是否传IP y/n] # 参数校验逻辑: 至少需要 3 个参数 (config, bandwidth, tunnel_num, type) if [ $# -lt 4 ]; then echo "用法: $0 config <带宽MB> <隧道号> <配置类型1-3> [是否传IP y/n]" echo "配置类型: 1:入口, 2:出口, 3:单层" exit 1 fi # 获取参数 local user_bw="$2" local tunnel_num="$3" local config_type="$4" local pass_real_ip="${5:-y}" # 默认为 y # 调用核心配置函数 _apply_envoy_config "$user_bw" "$tunnel_num" "$config_type" "$pass_real_ip" exit $? ;; ddns) # 参数: ddns # 如果只有 "./envoy.sh ddns" (参数个数=1),进入交互模式 if [ $# -eq 1 ]; then setup_ddns else # 否则将参数传给函数 setup_ddns "$2" "$3" "$4" "$5" "$6" fi exit $? ;; soga) # 参数: soga if [ $# -eq 1 ]; then soga_setup else soga_setup "$2" "$3" "$4" "$5" fi exit $? ;; optimize) system_optimize exit $? ;; generate_yaml) # 隐藏命令,供热更新脚本内部调用 # 参数: generate_yaml # 参数校验: 需要至少 4 个参数 (generate_yaml, mode, txt_file, pass_real_ip) if [ $# -lt 4 ]; then echo "Usage: $0 generate_yaml " exit 1 fi local mode="$2" local listeners_file="$3" local pass_real_ip="$4" local user_bw="${5:-1000}" # 重新计算 BDP 参数 calculate_params "$user_bw" # 生成配置 generate_envoy_yaml "$mode" "$listeners_file" "$pass_real_ip" exit 0 ;; uninstall) envoy_uninstall "$2" exit $? ;; *) echo "未知命令: $1" echo "可用命令: install, config, ddns, soga, optimize, uninstall" exit 1 ;; esac fi # 无参数则进入交互式菜单 while true; do show_menu read -p "选择 [0-9]: " choice case $choice in 1) envoy_install ;; 2) envoy_tcp_config ;; 3) envoy_manage ;; 4) firewall_remove ;; 5) envoy_monitor ;; 6) soga_setup ;; 7) setup_ddns ;; 8) system_optimize ;; 9) envoy_uninstall ;; 0) exit 0 ;; *) echo "无效选择" ;; esac read -p "按回车继续..." done } main "$@"