From c3d0e794db28b5e12815677d5bbfb8b730e99864 Mon Sep 17 00:00:00 2001
From: Haitao Pan
Date: Wed, 9 Jul 2025 19:54:49 +0800
Subject: [PATCH] add sing-box config
---
scripts/sing-box/README.md | 95 ++++++++++++
.../sing-box/client-gvisor-tun-reality.json | 72 ++++++++++
scripts/sing-box/client-gvisor-tun-vless.json | 69 +++++++++
scripts/sing-box/create-reality-keypair.sh | 1 +
scripts/sing-box/install-singbox.sh | 136 ++++++++++++++++++
scripts/sing-box/server-VLESS-TCP-XTLS.json | 34 +++++
scripts/sing-box/server-reality.json | 38 +++++
7 files changed, 445 insertions(+)
create mode 100644 scripts/sing-box/README.md
create mode 100644 scripts/sing-box/client-gvisor-tun-reality.json
create mode 100644 scripts/sing-box/client-gvisor-tun-vless.json
create mode 100644 scripts/sing-box/create-reality-keypair.sh
create mode 100644 scripts/sing-box/install-singbox.sh
create mode 100644 scripts/sing-box/server-VLESS-TCP-XTLS.json
create mode 100644 scripts/sing-box/server-reality.json
diff --git a/scripts/sing-box/README.md b/scripts/sing-box/README.md
new file mode 100644
index 0000000..05eb390
--- /dev/null
+++ b/scripts/sing-box/README.md
@@ -0,0 +1,95 @@
+
+# Sing-box VLESS + Reality 一键部署脚本
+
+该脚本用于在 Linux 服务器上快速部署一个基于 sing-box 的隐匿代理服务,采用 `VLESS + Reality` 协议,结合 systemd 自启动支持,适用于高隐蔽性代理通信场景。
+
+---
+
+## 🧩 功能特性
+
+- 🚀 自动安装并配置 sing-box(如未安装)
+- 🔐 自动生成 Reality 密钥对(无需手动管理)
+- 📄 自动生成服务端配置文件(支持伪装 SNI)
+- ⚙️ 自动创建并启用 systemd 启动服务
+- 📦 自动输出客户端配置片段,支持 Windows/macOS/Linux
+
+---
+
+## 🖥️ 支持平台
+
+- 服务端:Debian / Ubuntu / CentOS / Arch / 兼容 Linux 系统
+- 客户端平台:macOS / Windows / Linux(任意 sing-box 客户端)
+
+---
+
+## ⚙️ 使用方式
+
+### 一键安装(推荐)
+
+```bash
+bash <(curl -fsSL https://your.cdn/installer/install-singbox.sh) \
+ --ip 123.123.123.123 \
+ --sni www.bing.com \
+ --client-platform macos
+
+ 参数说明:
+
+参数 示例值 说明
+--ip 123.123.123.123 当前服务器公网 IP
+--sni www.bing.com Reality 伪装域名
+--client-platform macos / windows / linux 客户端类型(影响输出说明)
+
+📂 脚本行为说明
+部署完成后,脚本会生成:
+
+文件路径 说明
+/etc/sing-box/config-server.json sing-box 服务端配置
+/etc/systemd/system/sing-box.service systemd 启动配置
+/usr/local/bin/sing-box 主程序(如未安装将自动下载)
+
+并自动执行:
+
+bash
+复制
+编辑
+systemctl daemon-reload
+systemctl enable --now sing-box
+🔐 示例输出
+部署成功后会输出如下:
+
+css
+复制
+编辑
+✅ 服务端已部署成功!
+👉 Reality 公钥: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
+👉 ShortID: abcd
+👉 UUID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+
+📦 推荐客户端配置如下:
+{
+ "outbounds": [
+ {
+ "type": "vless",
+ ...
+ }
+ ]
+}
+🧱 安全建议
+建议使用 Cloudflare DNS 或境外解析加快 SNI 匹配
+
+Reality 不需要 TLS 证书即可启用加密通信
+
+可进一步结合 iptables 或 fail2ban 做入站控制
+
+🛠️ 后续扩展(可选)
+你可以基于本项目扩展支持:
+
+fallback 到 nginx / 80 端口
+
+多用户(多个 UUID)
+
+动态配置(通过 API 控制)
+
+客户端同步配置工具
+
+
diff --git a/scripts/sing-box/client-gvisor-tun-reality.json b/scripts/sing-box/client-gvisor-tun-reality.json
new file mode 100644
index 0000000..9ee45ae
--- /dev/null
+++ b/scripts/sing-box/client-gvisor-tun-reality.json
@@ -0,0 +1,72 @@
+{
+ "log": {
+ "level": "debug"
+ },
+ "dns": {
+ "servers": [
+ {
+ "tag": "direct_dns",
+ "address": "223.5.5.5",
+ "detour": "direct"
+ }
+ ]
+ },
+ "inbounds": [
+ {
+ "type": "tun",
+ "tag": "tun-in",
+ "interface_name": "sing-tun",
+ "mtu": 1500,
+ "stack": "gvisor",
+ "endpoint_independent_nat": true,
+ "address": ["172.19.0.1/30"],
+ "auto_route": true,
+ "strict_route": true
+ }
+ ],
+ "outbounds": [
+ {
+ "type": "direct",
+ "tag": "direct"
+ },
+ {
+ "type": "vless",
+ "tag": "proxy-out",
+ "server": "your.server.ip", // 替换为你的服务端IP或域名
+ "server_port": 443,
+ "uuid": "your-uuid", // 与服务端一致
+ "flow": "",
+ "tls": {
+ "enabled": true,
+ "server_name": "fake-sni.com", // 可伪装的域名,如 bing.com
+ "utls": {
+ "enabled": true,
+ "fingerprint": "chrome"
+ },
+ "reality": {
+ "enabled": true,
+ "public_key": "your-server-pubkey", // 服务端生成的 Reality 公钥
+ "short_id": "abcd" // 与服务端一致
+ }
+ }
+ }
+ ],
+ "route": {
+ "auto_detect_interface": true,
+ "rules": [
+ {
+ "geoip": ["cn"],
+ "outbound": "direct"
+ },
+ {
+ "ip_cidr": ["0.0.0.0/0"],
+ "outbound": "proxy-out"
+ },
+ {
+ "protocol": ["dns"],
+ "action": "hijack-dns"
+ }
+ ]
+ }
+}
+
diff --git a/scripts/sing-box/client-gvisor-tun-vless.json b/scripts/sing-box/client-gvisor-tun-vless.json
new file mode 100644
index 0000000..091c31b
--- /dev/null
+++ b/scripts/sing-box/client-gvisor-tun-vless.json
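Review bot: The `hijack-dns` rule is the last entry in `route.rules`, after the catch-all `"ip_cidr": ["0.0.0.0/0"]` rule, so with first-match ordering an IPv4 DNS packet is routed to `proxy-out` before the DNS rule is ever evaluated; client-gvisor-tun-vless.json has the same ordering. Move `{ "protocol": ["dns"], "action": "hijack-dns" }` to the top of the list, and note that matching on `protocol` presumably depends on sniffing, which this tun inbound does not enable. There is also no `route.final`, and `direct` is listed first in `outbounds`, so traffic that matches no rule (IPv6, for instance) would leave unproxied if sing-box falls back to the first outbound; adding `"final": "proxy-out"` makes the default explicit. Separately, `"level": "debug"` puts per-connection detail into the client log; `"info"`, as used in the vless client config, is a safer default for a shared template.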
@@ -0,0 +1,69 @@
+{
+ "log": {
+ "level": "info"
+ },
+ "dns": {
+ "servers": [
+ {
+ "tag": "direct_dns",
+ "address": "223.5.5.5",
+ "detour": "direct"
+ }
+ ]
+ },
+ "inbounds": [
+ {
+ "type": "tun",
+ "tag": "tun-in",
+ "interface_name": "sing-tun", // 虚拟网卡名,不会真实创建(gVisor 模式)
+ "mtu": 1500,
+ "stack": "gvisor", // 用户态 TCP/IP 栈
+ "endpoint_independent_nat": true,
+ "address": [
+ "172.19.0.1/30"
+ ],
+ "auto_route": true,
+ "strict_route": true
+ }
+ ],
+ "outbounds": [
+ {
+ "type": "vless",
+ "tag": "proxy-out",
+ "server": "your.domain.com", // ✅ 你的 TLS 证书域名
+ "server_port": 443,
+ "uuid": "your-uuid", // ✅ 与服务端一致 UUID
+ "flow": "xtls-rprx-vision", // ✅ 开启 XTLS-Vision 加速
+ "tls": {
+ "enabled": true,
+ "server_name": "your.domain.com", // ✅ 与证书一致
+ "utls": {
+ "enabled": true,
+ "fingerprint": "chrome" // 可选 uTLS 指纹伪装
+ }
+ // ❌ 无 Reality 字段
+ }
+ },
+ {
+ "type": "direct",
+ "tag": "direct"
+ }
+ ],
+ "route": {
+ "auto_detect_interface": true,
+ "rules": [
+ {
+ "geoip": ["cn"],
+ "outbound": "direct" // 国内走直连
+ },
+ {
+ "ip_cidr": ["0.0.0.0/0"],
+ "outbound": "proxy-out" // 其余走 VLESS XTLS 出口
+ },
+ {
+ "protocol": ["dns"],
+ "action": "hijack-dns" // 劫持系统 DNS
+ }
+ ]
+ }
+}
diff --git a/scripts/sing-box/create-reality-keypair.sh b/scripts/sing-box/create-reality-keypair.sh
new file mode 100644
index 0000000..88d9f80
--- /dev/null
+++ b/scripts/sing-box/create-reality-keypair.sh
@@ -0,0 +1 @@
+sing-box generate reality-keypair
diff --git a/scripts/sing-box/install-singbox.sh b/scripts/sing-box/install-singbox.sh
new file mode 100644
index 0000000..7157d4b
--- /dev/null
+++ b/scripts/sing-box/install-singbox.sh
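Review bot: The only resolver in `dns.servers` is `223.5.5.5` with `"detour": "direct"`, so every lookup, including names whose traffic is then sent through `proxy-out`, leaves as plain-text DNS outside the tunnel; client-gvisor-tun-reality.json carries the same block. Consider a second server entry with `"detour": "proxy-out"` for non-domestic names, plus DNS rules that keep `direct_dns` for domestic names only. The `//` comments also make this file invalid for strict JSON tooling such as linters or `jq`, so either state in the README that the file is meant only for sing-box's own parser (assuming it accepts comments) or move the comments there.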
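Review bot: create-reality-keypair.sh has no shebang and is added with mode 100644, so it only runs when handed to a shell explicitly; add `#!/bin/sh` as the first line and mark the file executable. The command prints the Reality private key to stdout next to the public key, which deserves a comment such as `# Output includes the server's private key: keep it out of logs, tickets and commits.`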
@@ -0,0 +1,136 @@
+#!/bin/bash
+
+set -e
+
+# 参数
+SERVER_IP="$1"
+SNI="$2"
+CLIENT_PLATFORM="$3"
+
+# 示例用法提示
+if [[ -z "$SERVER_IP" || -z "$SNI" || -z "$CLIENT_PLATFORM" ]]; then
+ echo "用法: $0 --ip <服务器IP> --sni <伪装域名> --client-platform "
+ exit 1
+fi
+
+UUID=$(uuidgen)
+KEYPAIR=$(sing-box generate reality-keypair)
+PRIVATE_KEY=$(echo "$KEYPAIR" | grep PrivateKey | awk '{print $2}')
+PUBLIC_KEY=$(echo "$KEYPAIR" | grep PublicKey | awk '{print $2}')
+SHORT_ID=$(head /dev/urandom | tr -dc a-z0-9 | head -c 4)
+
+# 安装 sing-box(以 Debian 为例)
+if ! command -v sing-box &>/dev/null; then
+ echo "🔧 安装 sing-box..."
+ curl -fsSL https://sing-box.app/install | bash
+fi
+
+# 创建配置目录
+mkdir -p /etc/sing-box
+
+# 写入服务端配置
+cat > /etc/sing-box/config-server.json < /etc/systemd/system/sing-box.service <