caddy + trojan + naiveproxy
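#!/bin/sh
#
# Install a Caddy build bundled with the trojan and forward_proxy (NaiveProxy)
# plugins, tune the kernel for it and register it as a systemd service.
#
# Usage: install.sh SERVERNAME USERNAME PASSWORD
#   SERVERNAME - hostname Caddy serves and obtains a certificate for
#   USERNAME   - forward_proxy (naive) basic-auth user
#   PASSWORD   - shared secret for both the trojan user and the basic-auth user
#
# Must run as root: it writes under /etc, /usr/local and /lib/systemd.
#
# NOTE(review): the secret arrives on argv, so it is visible in `ps` to every
# local user and lands in the invoking shell's history. If that matters, pass
# it via the environment or a 0600 file instead.
# NOTE(review): `set -e` is deliberately not enabled: later steps (groupadd on
# an existing group, `crontab -l` with no crontab yet) fail non-fatally by
# design, and a failing `crontab -l` inside `set -e` would wipe the crontab.
set -u

if [ "$(id -u)" -ne 0 ]; then
  printf 'error: this installer must run as root\n' >&2
  exit 1
fi

# Fail with a usage message instead of silently writing an empty password
# into the Caddyfile when an argument is missing.
if [ "$#" -lt 3 ]; then
  printf 'usage: %s SERVERNAME USERNAME PASSWORD\n' "$0" >&2
  exit 2
fi
SERVERNAME=$1
USERNAME=$2
PASSWORD=$3

# Each value is later expanded inside an unquoted heredoc and placed in a
# whitespace-delimited Caddyfile directive, so whitespace, quotes, `$`,
# backticks and backslashes would be reinterpreted (shell expansion or a
# malformed config). Reject them up front rather than producing a broken or
# weaker configuration.
for arg in "$SERVERNAME" "$USERNAME" "$PASSWORD"; do
  case $arg in
    ''|*[[:space:]\$\`\"\'\\]*)
      printf 'error: arguments must be non-empty and contain no whitespace, quotes, $, ` or \\\n' >&2
      exit 2 ;;
  esac
done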
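# --- Kernel tuning (BBR + network/memory sysctls) ---------------------------
#
# The whole file is written in one go below: `cat >` truncates
# /etc/sysctl.d/99-sysctl.conf, so no prior append/sed clean-up of individual
# keys is needed. (The original first edited the file key by key, and several
# of those sed expressions lacked the leading `/`, making sed abort with
# "unknown command"; all of that work was then discarded by the rewrite.)
#
# NOTE(review): the values are kept as written, but a few of them widen the
# host's attack surface and are not needed by a user-space proxy such as
# caddy/trojan/naiveproxy, which never forwards packets at the IP layer:
#   - net.ipv4.ip_forward / *.forwarding = 1 turns the box into a router;
#   - net.ipv4.conf.all.route_localnet = 1 allows 127.0.0.0/8 to be routed;
#   - net.ipv4.conf.*.rp_filter = 0 disables reverse-path (anti-spoofing)
#     checks;
#   - net.ipv6.conf.*.accept_ra = 2 accepts router advertisements even while
#     forwarding is enabled.
#   Unless something else on this host relies on them, the kernel defaults
#   (forwarding 0, route_localnet 0, rp_filter 1 or 2, accept_ra 1) are safer.
# NOTE(review): net.ipv4.tcp_low_latency was removed in Linux 4.14; on newer
# kernels `sysctl --system` prints an error for that key and carries on.
sysctl_file=/etc/sysctl.d/99-sysctl.conf
mkdir -p /etc/sysctl.d
cat >"$sysctl_file" <<'EOF'
net.ipv4.tcp_fack = 1
net.ipv4.tcp_early_retrans = 3
net.ipv4.neigh.default.unres_qlen=10000
net.ipv4.conf.all.route_localnet=1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.all.accept_ra = 2
net.ipv6.conf.default.accept_ra = 2
net.core.netdev_max_backlog = 100000
net.core.netdev_budget = 50000
net.core.netdev_budget_usecs = 5000
#fs.file-max = 51200
net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.rmem_default = 67108864
net.core.wmem_default = 67108864
net.core.optmem_max = 65536
net.core.somaxconn = 1000000
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 2
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_rfc1337 = 0
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_tw_reuse = 0
net.ipv4.tcp_fin_timeout = 15
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_max_tw_buckets = 5000
#net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_autocorking = 0
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_max_syn_backlog = 819200
net.ipv4.tcp_notsent_lowat = 16384
net.ipv4.tcp_no_metrics_save = 0
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_ecn_fallback = 1
net.ipv4.tcp_frto = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.neigh.default.gc_thresh3=8192
net.ipv4.neigh.default.gc_thresh2=4096
net.ipv4.neigh.default.gc_thresh1=2048
net.ipv6.neigh.default.gc_thresh3=8192
net.ipv6.neigh.default.gc_thresh2=4096
net.ipv6.neigh.default.gc_thresh1=2048
net.ipv4.tcp_orphan_retries = 1
net.ipv4.tcp_retries2 = 5
vm.swappiness = 1
vm.overcommit_memory = 1
kernel.pid_max=64000
net.netfilter.nf_conntrack_max = 262144
net.nf_conntrack_max = 262144
## Enable bbr
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_low_latency = 1
EOF
# Re-apply every sysctl fragment. `--system` also loads /etc/sysctl.conf,
# so a separate `sysctl -p` would only repeat that file (and complain if it
# does not exist).
sysctl --system
# Transparent huge pages: a runtime-only toggle (not persisted across
# reboots) that is absent on kernels built without THP, so only touch it
# when the knob exists.
if [ -w /sys/kernel/mm/transparent_hugepage/enabled ]; then
  echo always >/sys/kernel/mm/transparent_hugepage/enabled
fi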
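# --- Process / file-descriptor limits ---------------------------------------
#
# Written as drop-ins rather than by overwriting /etc/systemd/system.conf and
# /etc/security/limits.conf wholesale, so distro defaults and any operator
# edits in those files survive. systemd reads system.conf.d/*.conf and
# pam_limits reads limits.d/*.conf after the main file; later entries for the
# same key/domain win.
#
# NOTE(review): `infinity`/`unlimited` NPROC and TasksMax remove the fork-bomb
# ceiling for every unit and every user, and unlimited core dumps mean a
# crashing caddy can leave its TLS private key and the proxy credentials in a
# core file on disk. Consider scoping these to the caddy unit/user instead of
# the `*` wildcard, and leaving core at 0 on a production box.
mkdir -p /etc/systemd/system.conf.d
cat >/etc/systemd/system.conf.d/99-proxy-limits.conf <<'EOF'
[Manager]
#DefaultTimeoutStartSec=90s
DefaultTimeoutStopSec=30s
#DefaultRestartSec=100ms
DefaultLimitCORE=infinity
DefaultLimitNOFILE=infinity
DefaultLimitNPROC=infinity
DefaultTasksMax=infinity
EOF
mkdir -p /etc/security/limits.d
cat >/etc/security/limits.d/99-proxy-limits.conf <<'EOF'
root soft nofile 1000000
root hard nofile 1000000
root soft nproc unlimited
root hard nproc unlimited
root soft core unlimited
root hard core unlimited
root hard memlock unlimited
root soft memlock unlimited
* soft nofile 1000000
* hard nofile 1000000
* soft nproc unlimited
* hard nproc unlimited
* soft core unlimited
* hard core unlimited
* hard memlock unlimited
* soft memlock unlimited
EOF
# Raise the fd limit for login shells; pam_limits (below) is what makes the
# hard limit reachable for non-root users. Stale copies are removed first so
# re-running the installer does not stack duplicate lines.
sed -i '/ulimit -SHn/d' /etc/profile
sed -i '/ulimit -SHu/d' /etc/profile
echo "ulimit -SHn 1000000" >>/etc/profile
# limits.d is only consulted if pam_limits is in the session stack.
# /etc/pam.d/common-session is Debian/Ubuntu specific; on RHEL-style systems
# the equivalent is system-auth, so the step is skipped rather than creating
# a stray file there.
pam_session=/etc/pam.d/common-session
if [ -f "$pam_session" ] && ! grep -q "pam_limits.so" "$pam_session"; then
  echo "session required pam_limits.so" >>"$pam_session"
fi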
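# --- Fetch the plugin-enabled Caddy build -----------------------------------
#
# NOTE(review): supply chain. This is not the official Caddy release but a
# third-party build from lxhao61/integrated-examples that bundles the trojan
# and forward_proxy plugins. It is fetched over HTTPS with no checksum or
# signature to compare against, and it will run as an internet-facing
# service. If that project publishes a digest, pin and verify it here; until
# then the binary is only as trustworthy as that repository's maintainer and
# GitHub itself.
api_url=https://api.github.com/repos/lxhao61/integrated-examples/releases/latest
asset=caddy-linux-amd64.tar.gz
bin_dir=/usr/local/bin/caddy

# Resolve the asset's browser_download_url explicitly (exact file name at the
# end of the URL, first match). The original took "the second grep hit for the
# asset name" -- the first being its "name" key -- which silently picks the
# wrong line if the JSON layout ever changes. `-f` makes curl fail on HTTP
# errors instead of handing an error page to grep.
DOWNLOAD_URL=$(curl -fsSL "$api_url" \
  | grep '"browser_download_url"' \
  | grep -F "/$asset\"" \
  | head -n 1 \
  | cut -d : -f 2,3 \
  | tr -d '", ')
case $DOWNLOAD_URL in
  https://*) ;;
  *)
    printf 'error: could not resolve a download URL for %s (got: "%s")\n' \
      "$asset" "$DOWNLOAD_URL" >&2
    exit 1 ;;
esac

# Download and unpack in a private temp dir so the archive contents never
# land in the caller's working directory; the dir is removed when the script
# exits. Every step is checked explicitly because the script does not run
# under `set -e`.
work_dir=$(mktemp -d) || exit 1
trap 'rm -rf -- "$work_dir"' EXIT
curl -fsSL -o "$work_dir/$asset" "$DOWNLOAD_URL" \
  || { printf 'error: download of %s failed\n' "$DOWNLOAD_URL" >&2; exit 1; }
tar -xzf "$work_dir/$asset" -C "$work_dir" \
  || { printf 'error: could not unpack %s\n' "$asset" >&2; exit 1; }
[ -f "$work_dir/caddy" ] \
  || { printf 'error: %s does not contain a caddy binary\n' "$asset" >&2; exit 1; }

# The unit file expects the binary at /usr/local/bin/caddy/caddy (a directory
# named caddy inside bin), so that layout is kept. install(1) rather than mv:
# root-owned and 0755 regardless of the ownership/mode stored in the tarball.
mkdir -p "$bin_dir" /usr/local/etc/caddy
install -m 0755 "$work_dir/caddy" "$bin_dir/caddy" \
  || { printf 'error: could not install caddy into %s\n' "$bin_dir" >&2; exit 1; }

# Dedicated unprivileged service account. Both calls are guarded so the
# installer can be re-run without groupadd/useradd erroring on an existing
# principal.
getent group caddy >/dev/null || groupadd --system caddy
id caddy >/dev/null 2>&1 \
  || useradd --system --gid caddy --create-home --home-dir /var/lib/caddy \
       --shell /usr/sbin/nologin --comment "Caddy web server" caddy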
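# --- systemd unit -----------------------------------------------------------
#
# Modelled on the upstream caddy.service (Type=notify, unprivileged user,
# CAP_NET_BIND_SERVICE for :443, PrivateTmp, ProtectSystem=full) plus a few
# sandboxing directives caddy has no reason to be without: it only needs to
# bind :443, read its Caddyfile, and write under /var (certificates in
# /var/lib/caddy, logs in /var/log/caddy), which ProtectSystem=full leaves
# writable. ProtectHome= only hides /home, /root and /run/user, not
# /var/lib/caddy; NoNewPrivileges= does not strip ambient capabilities.
# NOTE(review): `--environ` dumps the service's environment to the journal
# at every start. Harmless with this unit as written, but drop it if secrets
# are ever injected via Environment=/EnvironmentFile=.
cat > /lib/systemd/system/caddy.service <<'EOF'
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/local/bin/caddy/caddy run --environ --config /usr/local/etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy/caddy reload --config /usr/local/etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
NoNewPrivileges=true
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable caddy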
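# --- Caddyfile, content/log directories, daily restart, start ---------------
#
# The Caddyfile embeds the proxy credentials in clear text, so it must not be
# readable by every local user: it is created under umask 027 (0640) and
# handed to root:caddy -- the service only needs read access, via the group.
# The original left it at the default 0644.
#
# NOTE(review): the heredoc is intentionally unquoted so ${SERVERNAME},
# ${USERNAME} and ${PASSWORD} expand. Anything in those values containing `$`
# or backticks would be expanded by the shell as well, and whitespace or
# quotes would break the whitespace-delimited `users` / `basic_auth` lines;
# make sure the values are free of those characters.
# NOTE(review): the `ciphers` line only constrains TLS 1.2 (Caddy does not
# allow choosing TLS 1.3 suites) and lists ECDSA suites only. That matches
# Caddy's default ECDSA ACME certificates; an RSA certificate would leave no
# usable TLS 1.2 suite.
mkdir -p /usr/local/etc/caddy
(
  umask 027
  cat > /usr/local/etc/caddy/Caddyfile <<EOF
{
order trojan before route
order forward_proxy before trojan
admin off
log {
output file /var/log/caddy/error.log
level ERROR
}
servers :443 {
listener_wrappers {
trojan
}
}
trojan {
caddy
no_proxy
users ${PASSWORD}
}
}
:443, ${SERVERNAME} {
tls {
ciphers TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
curves x25519 secp521r1 secp384r1 secp256r1
}
forward_proxy {
basic_auth ${USERNAME} ${PASSWORD}
hide_ip
hide_via
probe_resistance
}
trojan {
connect_method
websocket
}
@host {
host ${SERVERNAME}
}
route @host {
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
}
file_server {
root /var/www/html
}
}
}
EOF
)
# chmod as well as umask: a Caddyfile left behind by an earlier run keeps its
# old mode when truncated, and umask does not fix that.
chown root:caddy /usr/local/etc/caddy/Caddyfile
chmod 0640 /usr/local/etc/caddy/Caddyfile

# Document root: caddy only serves it, so it stays root-owned and
# group-readable. Handing ownership to the service account (as the original
# did) would let a compromised caddy rewrite its own decoy site.
mkdir -p /var/www/html
chown -R root:caddy /var/www/html
chmod 0755 /var/www/html
# Logs must be writable by the service account.
mkdir -p /var/log/caddy
chown -R caddy:caddy /var/log/caddy
chmod 0750 /var/log/caddy

# Daily restart at 06:30. Guarded so re-running the installer does not stack
# duplicate entries; `crontab -l` exits non-zero (and is silenced) when root
# has no crontab yet, which is expected on a fresh host.
# NOTE(review): a restart drops every open proxy session, and Caddy renews
# certificates in-process, so this is not needed for that. Keep it only if
# there is another reason for the nightly bounce.
cron_line='30 6 * * * systemctl restart caddy'
if ! crontab -l 2>/dev/null | grep -qF "$cron_line"; then
  { crontab -l 2>/dev/null; printf '%s\n' "$cron_line"; } | crontab -
fi
crontab -l

systemctl start caddy \
  || { printf 'error: caddy failed to start; see `journalctl -u caddy`\n' >&2; exit 1; }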