diff --git a/vps-xray/backup.sh b/vps-xray/backup.sh
deleted file mode 100644
index 7b99670..0000000
--- a/vps-xray/backup.sh
+++ /dev/null
@@ -1,62 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# ============================================
-# Xray 备份脚本
-# 备份内容:Xray 配置 + .env 凭据 + 网络调优
-# 定时执行: crontab -e → 0 3 * * 0 /opt/vps-xray/backup.sh
-# ============================================
-
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-cd "$SCRIPT_DIR"
-
-# 加载配置
-if [ -f .env ]; then
- sed -i 's/\r$//' .env
- set -a; source .env; set +a
-fi
-
-BACKUP_DIR="${BACKUP_DIR:-/var/backups/xray}"
-DATE=$(date +%Y%m%d_%H%M%S)
-KEEP_DAYS=30
-
-log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $*"; }
-
-mkdir -p "$BACKUP_DIR"
-
-# 1. 备份 Xray 配置
-log "正在备份 Xray 配置..."
-if [ -f /usr/local/etc/xray/config.json ]; then
- tar czf "${BACKUP_DIR}/xray_config_${DATE}.tar.gz" \
- -C /usr/local/etc xray/
- log "Xray 配置备份完成: xray_config_${DATE}.tar.gz"
-else
- log "警告: Xray 配置文件不存在,跳过"
-fi
-
-# 2. 备份部署配置(.env + 脚本)
-log "正在备份部署配置..."
-tar czf "${BACKUP_DIR}/deploy_config_${DATE}.tar.gz" \
- -C "$SCRIPT_DIR" \
- $(ls .env deploy.sh backup.sh uninstall.sh 2>/dev/null)
-log "部署配置备份完成: deploy_config_${DATE}.tar.gz"
-
-# 3. 备份网络调优配置
-if [ -f /etc/sysctl.d/99-xray-turbo.conf ]; then
- log "正在备份网络调优配置..."
- cp /etc/sysctl.d/99-xray-turbo.conf "${BACKUP_DIR}/sysctl_${DATE}.conf"
- log "网络调优备份完成: sysctl_${DATE}.conf"
-fi
-
-# 4. 清理过期备份
-log "清理 ${KEEP_DAYS} 天前的备份..."
-deleted=$(find "$BACKUP_DIR" -type f -mtime +${KEEP_DAYS} -print -delete | wc -l)
-log "已清理 ${deleted} 个过期文件"
-
-# 5. 输出备份摘要
-echo ""
-log "===== 备份完成 ====="
-log "备份目录: ${BACKUP_DIR}/"
-ls -lh "${BACKUP_DIR}/"*"${DATE}"* 2>/dev/null || true
-echo ""
-log "总备份空间占用: $(du -sh "${BACKUP_DIR}" | cut -f1)"
diff --git a/vps-xray/deploy.sh b/vps-xray/deploy.sh
index 8d2d3a3..9d83e96 100644
--- a/vps-xray/deploy.sh
+++ b/vps-xray/deploy.sh
@@ -310,7 +310,7 @@ net.ipv4.tcp_fin_timeout=15
 net.ipv4.tcp_keepalive_time=300
 net.ipv4.tcp_keepalive_intvl=30
 net.ipv4.tcp_keepalive_probes=5
-net.ipv4.tcp_max_tw_buckets=5000
+net.ipv4.tcp_max_tw_buckets=262144
 net.ipv4.tcp_max_syn_backlog=8192
 net.core.somaxconn=8192
 net.core.netdev_max_backlog=8192
@@ -320,11 +320,61 @@ SYSEOF
 log "BBR 已启用,网络参数已优化"
 }
 
+# ===== 新增:系统与服务加固 =====
+harden_system() {
+ step "加固系统与服务"
+
+ # 文件描述符上限
+ if ! grep -q '99-xray-nofile' /etc/security/limits.conf 2>/dev/null; then
+ cat >> /etc/security/limits.conf << 'EOF'
+# 99-xray-nofile
+* soft nofile 1000000
+* hard nofile 1000000
+root soft nofile 1000000
+root hard nofile 1000000
+EOF
+ fi
+
+ # systemd 服务加固
+ mkdir -p /etc/systemd/system/xray.service.d
+ cat > /etc/systemd/system/xray.service.d/override.conf << 'EOF'
+[Service]
+LimitNOFILE=1000000
+Restart=always
+RestartSec=3
+EOF
+
+ # 定时重启 timer(每日凌晨 4 点)
+ cat > /etc/systemd/system/xray-restart.service << 'EOF'
+[Unit]
+Description=Daily restart of Xray
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/systemctl restart xray
+EOF
+
+ cat > /etc/systemd/system/xray-restart.timer << 'EOF'
+[Unit]
+Description=Daily restart Xray at 04:00 CST
+
+[Timer]
+OnCalendar=*-*-* 04:00:00
+TimeZone=Asia/Shanghai
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+EOF
+}
+
 # ===== 7. 启动服务 =====
 start_service() {
 systemctl daemon-reload
 systemctl restart xray
 systemctl enable xray
+ systemctl enable --now xray-restart.timer
 sleep 2
 
 if systemctl is-active --quiet xray; then
@@ -425,6 +475,7 @@ main() {
 write_config
 configure_firewall
 tune_network
+ harden_system
 start_service
 save_env
 print_result
diff --git a/vps-xray/vpn-vps-xray-optimized.yaml b/vps-xray/vpn-vps-xray-optimized.yaml
index e491fa9..319658c 100644
--- a/vps-xray/vpn-vps-xray-optimized.yaml
+++ b/vps-xray/vpn-vps-xray-optimized.yaml
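Review bot: `TimeZone=Asia/Shanghai` in the new xray-restart.timer is not a directive that systemd.timer(5) documents for the [Timer] section, so systemd will log an unknown-key warning and ignore it, and the job fires at 04:00 in the host's local zone (typically UTC on a VPS) rather than the 04:00 CST the Description promises; the zone belongs in the calendar expression itself, `OnCalendar=*-*-* 04:00:00 Asia/Shanghai`, with the `TimeZone=` line dropped. The identical unit text is repeated in the vps-xray-optimized.md hunk and needs the same correction. Separately, `harden_system` overstates what the drop-in does — it only raises LimitNOFILE and turns on auto-restart — so either rename it or add real sandboxing such as `NoNewPrivileges=true` and `ProtectSystem=full`, after confirming they do not break the user xray runs as or its bind on 443. Note too that `Restart=always` with `RestartSec=3` still stops after systemd's default start-rate limit on a tight crash loop, which is probably acceptable but worth a comment.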
@@ -3,6 +3,20 @@ allow-lan: false
 mode: rule
 log-level: info
 
+dns:
+ enable: true
+ ipv6: false
+ enhanced-mode: fake-ip
+ nameserver:
+ - 223.5.5.5
+ - 119.29.29.29
+ fallback:
+ - 8.8.8.8
+ - 1.1.1.1
+ fallback-filter:
+ geoip: true
+ geoip-code: CN
+
 proxies:
 - name: "VPS-Reality"
 type: vless
diff --git a/vps-xray/vps-xray-optimized.md b/vps-xray/vps-xray-optimized.md
index c6b25ef..da2810e 100644
--- a/vps-xray/vps-xray-optimized.md
+++ b/vps-xray/vps-xray-optimized.md
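Review bot: The new `dns.nameserver` and `dns.fallback` entries are plain UDP/53 resolvers, so every lookup the client makes leaves in cleartext and can be observed or rewritten on the path, which undercuts part of the point of routing through the proxy; Clash accepts encrypted forms in the same fields, e.g. `nameserver: [https://dns.alidns.com/dns-query, https://doh.pub/dns-query]` and `fallback: [https://dns.google/dns-query, https://cloudflare-dns.com/dns-query]`, which keeps the same providers. `enhanced-mode: fake-ip` with no `fake-ip-filter` also hands fake addresses to every query, including LAN, mDNS and captive-portal names that need real answers, so a short `fake-ip-filter` list (at least `'*.lan'` and `'*.local'`) should sit alongside it. The same block is duplicated in the vps-xray-optimized.md hunk.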
@@ -196,17 +196,62 @@ net.ipv4.tcp_fin_timeout=15
 net.ipv4.tcp_keepalive_time=300
 net.ipv4.tcp_keepalive_intvl=30
 net.ipv4.tcp_keepalive_probes=5
-net.ipv4.tcp_max_tw_buckets=5000
+net.ipv4.tcp_max_tw_buckets=262144
 net.ipv4.tcp_max_syn_backlog=8192
 net.core.somaxconn=8192
 net.core.netdev_max_backlog=8192
 SYSEOF
 sysctl --system > /dev/null 2>&1
 
+# ======================== 文件描述符 + 服务加固 ========================
+# 防止长时间运行后 "too many open files" 导致新连接无法建立
+grep -q '99-xray-nofile' /etc/security/limits.conf 2>/dev/null || cat >> /etc/security/limits.conf << 'LIMITEOF'
+# 99-xray-nofile
+* soft nofile 1000000
+* hard nofile 1000000
+root soft nofile 1000000
+root hard nofile 1000000
+LIMITEOF
+
+# systemd 服务:提升 fd 上限 + 崩溃自动重启
+mkdir -p /etc/systemd/system/xray.service.d
+cat > /etc/systemd/system/xray.service.d/override.conf << 'OVERRIDE'
+[Service]
+LimitNOFILE=1000000
+Restart=always
+RestartSec=3
+OVERRIDE
+
+# ======================== 定时重启(每日凌晨 4 点)========================
+# 使用 systemd timer,释放内存碎片,防止长时间运行后性能衰退
+cat > /etc/systemd/system/xray-restart.service << 'RSVC'
+[Unit]
+Description=Daily restart of Xray
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/systemctl restart xray
+RSVC
+
+cat > /etc/systemd/system/xray-restart.timer << 'RTMR'
+[Unit]
+Description=Daily restart Xray at 04:00 CST
+
+[Timer]
+OnCalendar=*-*-* 04:00:00
+TimeZone=Asia/Shanghai
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+RTMR
+
 # ======================== 启动服务 ========================
 systemctl daemon-reload
 systemctl restart xray
 systemctl enable xray
+systemctl enable --now xray-restart.timer
 
 # ======================== 验证运行状态 ========================
 sleep 2
@@ -274,6 +319,20 @@ allow-lan: false
 mode: rule
 log-level: info
 
+dns:
+ enable: true
+ ipv6: false
+ enhanced-mode: fake-ip
+ nameserver:
+ - 223.5.5.5
+ - 119.29.29.29
+ fallback:
+ - 8.8.8.8
+ - 1.1.1.1
+ fallback-filter:
+ geoip: true
+ geoip-code: CN
+
 proxies:
 - name: "VPS-Reality"
 type: vless
@@ -383,6 +442,18 @@ sysctl net.ipv4.tcp_congestion_control # 验证 443 端口监听 ss -tlnp | grep 443 + +# 查看定时重启计划(下次执行时间) +systemctl list-timers xray-restart.timer + +# 手动触发一次定时重启任务 +systemctl start xray-restart.service + +# 关闭定时重启 +systemctl disable --now xray-restart.timer + +# 重新开启定时重启 +systemctl enable --now xray-restart.timer ``` ---