GuanM/hysteria-dev
1
0
Fork 0
mirror of https://github.com/cmz0228/hysteria-dev.git synced 2025-06-08 13:29:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

docs: docs moved to our wiki

Browse Source
This commit is contained in:
Toby 2022-01-19 16:41:21 -08:00
parent 99a4ac3060
commit 0790bfd770
6 changed files with 10 additions and 1160 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
ACL.md
View File

@ -1,52 +0,0 @@
# ACL File Format
ACL files describe how to process incoming requests. Both the server and the client support ACL and follow the identical
syntax.
```
action condition_type condition argument
```
Example:
```
direct domain evil.corp
proxy domain-suffix google.com
block ip 1.2.3.4
block country cn
hijack cidr 192.168.1.1/24 127.0.0.1
direct all
```
Hysteria acts according to the first matching rule in the file for each request. When there is no match, the default
behavior is to proxy all connections. You can override this by adding a rule at the end of the file with the condition
`all`.
4 actions:
`direct` - connect directly to the target server without going through the proxy
`proxy` - connect to the target server through the proxy (only available on the client)
`block` - block the connection from establishing
`hijack` - hijack the connection to another target address (must be specified in the argument)
6 condition types:
`domain` - match a specific domain (does NOT match subdomains! e.g. `apple.com` will not match `cdn.apple.com`)
`domain-suffix` - match a domain suffix (match subdomains, but `apple.com` will still not match `fakeapple.com`)
`cidr` - IPv4 or IPv6 CIDR
`ip` - IPv4 or IPv6 address
`country` - match IP by ISO 3166-1 alpha-2 country code
`all` - match anything (usually placed at the end of the file as a default rule)
For domain requests, Hysteria will try to resolve the domains and match both domain & IP rules. In other words, an IP
rule covers all connections that would end up connecting to this IP, regardless of whether the client requests with IP
or domain.

47
ACL.zh.md
View File

@ -1,47 +0,0 @@
# ACL 文件格式
ACL 文件描述如何处理传入请求。服务器和客户端都支持 ACL并且遵循相同的语法。
```
处理方式 条件类型 条件 参数
```
例子:
```
direct domain evil.corp
proxy domain-suffix google.com
block ip 1.2.3.4
block country cn
hijack cidr 192.168.1.1/24 127.0.0.1
direct all
```
Hysteria 根据文件中第一个匹配到规则对每个请求进行操作。当没有匹配时默认的行为是代理连接。可以通过在文件的末尾添加一个规则加上条件 "all" 来设置默认行为。
4 种处理方式:
`direct` - 直接连接到目标服务器,不经过代理
`proxy` - 通过代理连接到目标服务器(仅在客户端上可用)
`block` - 拒绝连接建立
`hijack` - 把连接劫持到另一个目的地 (必须在参数中指定)
6 种条件类型:
`domain` - 匹配特定的域名(不匹配子域名!例如:`apple.com` 不匹配 `cdn.apple.com`
`domain-suffix` - 匹配域名后缀(包含子域名,但 `apple.com` 仍不会匹配 `fakeapple.com`
`cidr` - IPv4 / IPv6 CIDR
`ip` - IPv4 / IPv6 地址
`country` - 匹配国家 IPISO 两位字母国家代码
`all` - 匹配所有地址 (通常放在文件尾作为默认规则)
对于域名请求Hysteria 将尝试解析域名并同时匹配域名规则和 IP 规则。换句话说IP 规则能覆盖到所有连接,无论客户端是用 IP 还是域名请求。

67
Docker.md
View File

@ -1,67 +0,0 @@
## About Dockerfile
The hysteria docker image is based on the **alpine** system. This means that
**some glibc calls may not work if you run programs that depend on glibc in a container.**
By default, **bash** is installed in the docker container for debugging, **tzdata** is used to
provide container time zone configuration, and **ca-certificates** is used to ensure the
trust of the ssl certificate chain; in addition, the docker container does not contain
any tools other than the alpine standard system.
The hysteria binary is installed in `/usr/local/bin/hysteria`, and the **ENTRYPOINT**
of the docker container is set to **execute the `hysteria` command**; this means that
the `hysteria` command is always the first command.
## How to use docker image?
### For standard docker users
You can mount the configuration file to any location of the docker container and use it.
In the following commands, we assume that the **`/root/hysteria.json`** configuration
file is mounted to **`/etc/hysteria.json`**:
⚠️ Note: **If you don't want to use the host network (`--network=host`), please make sure that
the hysteria UDP port is correctly mapped (`-p 1234:1234/udp`)**
```sh
# Please replace `/root/hysteria.json` with the actual configuration file location
docker run -dt --network=host --name hysteria \
-v /root/hysteria.json:/etc/hysteria.json \
tobyxdd/hysteria -config /etc/hysteria.json server
```
### For docker-compose users
First, you need to create a directory with any name, and then copy [docker-compose.yaml](https://raw.githubusercontent.com/HyNetwork/hysteria/master/docker-compose.yaml) to
that directory. Finally, create your configuration file and start it.
```sh
# Create dir
mkdir hysteria && cd hysteria
# Download the docker-compose example config
wget https://raw.githubusercontent.com/HyNetwork/hysteria/master/docker-compose.yaml
# Create your config
cat <<EOF > hysteria.json
{
"listen": ":36712",
"acme": {
"domains": [
"your.domain.com"
],
"email": "hacker@gmail.com"
},
"obfs": "fuck me till the daylight",
"up_mbps": 100,
"down_mbps": 100
}
EOF
# Start container
docker-compose up -d
```

62
Docker.zh.md
View File

@ -1,62 +0,0 @@
## 关于 Dockerfile
hysteria 的 docker 镜像基于 **alpine** 系统,这意味着如果您在容器里运行一些依赖于 glibc
的自定义程序可能会失败。
默认情况下容器内安装了 **`bash`** 用于调试目的,安装的 **`tzdata`** 用于提供容器的时区信息;
为了保证 ACME 等连其他网站时 SSL 证书信任还安装了 **`ca-certificates`**;除此之外容器内不包含
任何非标准 alpine 系统的其他工具。
hysteria 二进制可执行文件默认被安装到 `/usr/local/bin/hysteria`,同时容器的 **ENTRYPOINT**
被设置为**执行 `hysteria` 命令**;这意味着在不进行覆盖的情况下容器启动后首先将执行 `hysteria`
命令。
## 如何使用本镜像?
### 标准 Docker 用户
您可以将配置文件挂载到容器内的任何位置然后使用它。
在下面的命令中我们假设将 **`/root/hysteria.json`** 配置文件挂载为容器内的 **`/etc/hysteria.json`** 文件。
⚠️ 注意: 如果您不想使用宿主机网络(`--network=host`),请确保正确的映射了 hysteria 的 UDP 端口(`-p 1234:1234/udp`)。
```sh
# Please replace `/root/hysteria.json` with the actual configuration file location
docker run -dt --network=host --name hysteria \
-v /root/hysteria.json:/etc/hysteria.json \
tobyxdd/hysteria -config /etc/hysteria.json server
```
### Docker Compose 用户
首先您需要创建一个任意名称的目录,然后将项目内的 [docker-compose.yaml](https://raw.githubusercontent.com/HyNetwork/hysteria/master/docker-compose.yaml) 文件复制到该目录;
最后创建自己的配置文件并启动即可。
```sh
# Create dir
mkdir hysteria && cd hysteria
# Download the docker-compose example config
wget https://raw.githubusercontent.com/HyNetwork/hysteria/master/docker-compose.yaml
# Create your config
cat <<EOF > hysteria.json
{
"listen": ":36712",
"acme": {
"domains": [
"your.domain.com"
],
"email": "hacker@gmail.com"
},
"obfs": "fuck me till the daylight",
"up_mbps": 100,
"down_mbps": 100
}
EOF
# Start container
docker-compose up -d
```

469
README.md
View File

@ -18,8 +18,6 @@
[8]: https://github.com/HyNetwork/hysteria/discussions [8]: https://github.com/HyNetwork/hysteria/discussions
[中文](README.zh.md)
Hysteria is a feature-packed network utility optimized for networks of poor quality (e.g. satellite connections, Hysteria is a feature-packed network utility optimized for networks of poor quality (e.g. satellite connections,
congested public Wi-Fi, connecting from China to servers abroad) powered by a custom version of QUIC protocol. It congested public Wi-Fi, connecting from China to servers abroad) powered by a custom version of QUIC protocol. It
currently has the following features: (still growing!) currently has the following features: (still growing!)
@ -30,467 +28,20 @@ currently has the following features: (still growing!)
- TCP/UDP TPROXY (Linux only) - TCP/UDP TPROXY (Linux only)
- TUN (TAP on Windows) - TUN (TAP on Windows)
## Installation **[Documentation has now been moved to our wiki](https://github.com/HyNetwork/hysteria/wiki)**
### Windows, Linux, macOS CLI ----------
- Download pre-built binaries from https://github.com/tobyxdd/hysteria/releases Hysteria 是一个功能丰富的,专为恶劣网络环境进行优化的网络工具(双边加速),比如卫星网络、拥挤的公共 Wi-Fi、在中国连接国外服务器等。 基于修改版的 QUIC 协议。目前有以下模式:(仍在增加中)
- Linux builds are available as `hysteria-tun` (with tun support) and `hysteria` (without tun support). Builds
without tun support are statically linked and do not depend on glibc. **If you use a Linux distribution that
can't run `hysteria-tun` properly, try `hysteria` instead.**
- Other platforms do not have glibc compatibility issues. The builds are all with tun support.
- Use Docker or Docker Compose: https://github.com/HyNetwork/hysteria/blob/master/Docker.md
- Use our Arch Linux AUR: https://aur.archlinux.org/packages/hysteria/
- Build from source with `go build ./cmd`
### OpenWrt LuCI app SOCKS5 代理 (TCP & UDP)
HTTP/HTTPS 代理
TCP/UDP 转发
TCP/UDP TPROXY 透明代理 (Linux)
TUN (Windows 下为 TAP)
- [openwrt-passwall](https://github.com/xiaorouji/openwrt-passwall) **[文档现已移动到 wiki](https://github.com/HyNetwork/hysteria/wiki/%E9%A6%96%E9%A1%B5)**
### Android ----------
- [SagerNet](https://github.com/SagerNet/SagerNet) with [hysteria-plugin](https://github.com/SagerNet/SagerNet/releases/tag/hysteria-plugin-0.9.3)
### iOS
- [Shadowrocket](https://apps.apple.com/us/app/shadowrocket/id932747118)
## Quick Start
Note: This is only a bare-bones example to get the server and client running. Go to [Advanced usage](#advanced-usage)
for all the available options.
### Server
Create a `config.json` under the root directory of the program:
```json
{
"listen": ":36712",
"acme": {
"domains": [
"your.domain.com"
],
"email": "hacker@gmail.com"
},
"obfs": "fuck me till the daylight",
"up_mbps": 100,
"down_mbps": 100
}
```
Hysteria requires a TLS certificate. You can either get a trusted TLS certificate from Let's Encrypt automatically using
the built-in ACME integration, or provide it yourself. It does not have to be valid and trusted, but in that case the
clients need additional configuration. To use your own existing TLS certificate, refer to this config:
```json
{
"listen": ":36712",
"cert": "/home/ubuntu/my.crt",
"key": "/home/ubuntu/my.key",
"obfs": "fuck me till the daylight",
"up_mbps": 100,
"down_mbps": 100
}
```
The (optional) `obfs` option obfuscates the protocol using the provided password, so that it is not apparent that this
is Hysteria/QUIC, which could be useful for bypassing DPI blocking or QoS. If the passwords of the server and client do
not match, no connection can be established. Therefore, this can also serve as a simple password authentication. For
more advanced authentication schemes, see `auth` below.
`up_mbps` and `down_mbps` limit the maximum upload and download speed of the server for each client. Feel free to remove
them if you don't need.
To launch the server, simply run
```
./hysteria-linux-amd64 server
```
If your config file is not named `config.json` or is in a different path, specify it with `-config`:
```
./hysteria-linux-amd64 -config blah.json server
```
### Client
Same as the server side, create a `config.json` under the root directory of the program:
```json
{
"server": "example.com:36712",
"obfs": "fuck me till the daylight",
"up_mbps": 10,
"down_mbps": 50,
"socks5": {
"listen": "127.0.0.1:1080"
},
"http": {
"listen": "127.0.0.1:8080"
}
}
```
This config enables a SOCKS5 proxy (with both TCP & UDP support), and an HTTP proxy at the same time. There are many
other modes in Hysteria, be sure to check them out in [Advanced usage](#advanced-usage)! To enable or disable a mode,
simply add or remove its entry in the config file.
If your server certificate is not issued by a trusted CA, you need to specify the CA used
with `"ca": "/path/to/file.ca"` on the client or use `"insecure": true` to ignore all certificate errors (not
recommended).
`up_mbps` and `down_mbps` are mandatory on the client side. Try to fill in these values as accurately as possible
according to your network conditions, as they are crucial for Hysteria to work optimally.
Some users may attempt to forward other encrypted proxy protocols such as Shadowsocks with relay. While this technically
works, it's not optimal from a performance standpoint - Hysteria itself uses TLS, considering that the proxy protocol
being forwarded is also encrypted, and the fact that almost all sites are now using HTTPS, it essentially becomes triple
encryption. If you need a proxy, just use our proxy modes.
## Comparison
![Bench](docs/bench/bench.png) ![Bench](docs/bench/bench.png)
## Advanced usage
### Server
```json5
{
"listen": ":36712", // Listen address
"protocol": "faketcp", // Blank, "udp", "wechat-video", "faketcp"
"acme": {
"domains": [
"your.domain.com",
"another.domain.net"
], // Domains for the ACME cert
"email": "hacker@gmail.com", // Registration email, optional but recommended
"disable_http": false, // Disable HTTP challenges
"disable_tlsalpn": false, // Disable TLS-ALPN challenges
"alt_http_port": 8080, // Alternate port for HTTP challenges
"alt_tlsalpn_port": 4433 // Alternate port for TLS-ALPN challenges
},
"cert": "/home/ubuntu/my_cert.crt", // Cert file, mutually exclusive with the ACME options above
"key": "/home/ubuntu/my_key.crt", // Key file, mutually exclusive with the ACME options above
"up_mbps": 100, // Max upload Mbps per client
"down_mbps": 100, // Max download Mbps per client
"disable_udp": false, // Disable UDP support
"acl": "my_list.acl", // See ACL below
"mmdb": "GeoLite2-Country.mmdb", // MaxMind database for ACL country lookups
"obfs": "AMOGUS", // Obfuscation password
"auth": { // Authentication
"mode": "password", // Mode, supports "password" "none" and "external" for now
"config": {
"password": "yubiyubi"
}
},
"alpn": "ayaya", // QUIC TLS ALPN
"prometheus_listen": ":8080", // Prometheus HTTP metrics server listen address (at /metrics)
"recv_window_conn": 15728640, // QUIC stream receive window
"recv_window_client": 67108864, // QUIC connection receive window
"max_conn_client": 4096, // Max concurrent connections per client
"disable_mtu_discovery": false, // Disable Path MTU Discovery (RFC 8899)
"ipv6_only": false, // Only resolve domains to IPv6 address
"resolver": "1.1.1.1:53" // DNS resolver address
}
```
#### ACME
Only HTTP and TLS-ALPN challenges are currently supported (no DNS challenges). Make sure your TCP ports 80/443 are
accessible respectively.
#### External authentication integration
If you are a commercial proxy provider, you may want to connect Hysteria to your own authentication backend.
```json5
{
// ...
"auth": {
"mode": "external",
"config": {
"http": "https://api.example.com/auth" // Both HTTP and HTTPS are supported
}
}
}
```
For the above config, Hysteria sends a POST request to `https://api.example.com/auth` upon each client's connection:
```json5
{
"addr": "111.222.111.222:52731",
"payload": "[BASE64]", // auth or auth_str of the client
"send": 12500000, // Negotiated server send speed for this client (Bps)
"recv": 12500000 // Negotiated server recv speed for this client (Bps)
}
```
The endpoint must return results with HTTP status code 200 (even if the authentication failed):
```json5
{
"ok": false,
"msg": "No idea who you are"
}
```
`ok` indicates whether the authentication passed. `msg` is a success/failure message.
#### Prometheus Metrics
You can make Hysteria expose a Prometheus HTTP client endpoint for monitoring traffic usage with `prometheus_listen`.
If configured on port 8080, the endpoint would be at `http://example.com:8080/metrics`.
```text
hysteria_active_conn{auth="55m95auW5oCq"} 32
hysteria_active_conn{auth="aGFja2VyISE="} 7
hysteria_traffic_downlink_bytes_total{auth="55m95auW5oCq"} 122639
hysteria_traffic_downlink_bytes_total{auth="aGFja2VyISE="} 3.225058e+06
hysteria_traffic_uplink_bytes_total{auth="55m95auW5oCq"} 40710
hysteria_traffic_uplink_bytes_total{auth="aGFja2VyISE="} 37452
```
`auth` is the auth payload sent by the clients, encoded in Base64.
### Client
```json5
{
"server": "example.com:36712", // Server address
"protocol": "faketcp", // Blank, "udp", "wechat-video", "faketcp"
"up_mbps": 10, // Max upload Mbps
"down_mbps": 50, // Max download Mbps
"socks5": {
"listen": "127.0.0.1:1080", // SOCKS5 listen address
"timeout": 300, // TCP timeout in seconds
"disable_udp": false, // Disable UDP support
"user": "me", // SOCKS5 authentication username
"password": "lmaolmao" // SOCKS5 authentication password
},
"http": {
"listen": "127.0.0.1:8080", // HTTP listen address
"timeout": 300, // TCP timeout in seconds
"user": "me", // HTTP authentication username
"password": "lmaolmao", // HTTP authentication password
"cert": "/home/ubuntu/my_cert.crt", // Cert file (HTTPS proxy)
"key": "/home/ubuntu/my_key.crt" // Key file (HTTPS proxy)
},
"tun": {
"name": "tun-hy", // TUN interface name
"timeout": 300, // Timeout in seconds
"address": "192.0.2.2", // TUN interface address, not applicable for Linux
"gateway": "192.0.2.1", // TUN interface gateway, not applicable for Linux
"mask": "255.255.255.252", // TUN interface mask, not applicable for Linux
"dns": [ "8.8.8.8", "8.8.4.4" ], // TUN interface DNS, only applicable for Windows
"persist": false // Persist TUN interface after exit, only applicable for Linux
},
"relay_tcps": [
{
"listen": "127.0.0.1:2222", // TCP relay listen address
"remote": "123.123.123.123:22", // TCP relay remote address
"timeout": 300 // TCP timeout in seconds
},
{
"listen": "127.0.0.1:13389", // TCP relay listen address
"remote": "124.124.124.124:3389", // TCP relay remote address
"timeout": 300 // TCP timeout in seconds
}
],
"relay_udps": [
{
"listen": "127.0.0.1:5333", // UDP relay listen address
"remote": "8.8.8.8:53", // UDP relay remote address
"timeout": 60 // UDP session timeout in seconds
},
{
"listen": "127.0.0.1:11080", // UDP relay listen address
"remote": "9.9.9.9.9:1080", // UDP relay remote address
"timeout": 60 // UDP session timeout in seconds
}
],
"tproxy_tcp": {
"listen": "127.0.0.1:9000", // TCP TProxy listen address
"timeout": 300 // TCP timeout in seconds
},
"tproxy_udp": {
"listen": "127.0.0.1:9000", // UDP TProxy listen address
"timeout": 60 // UDP session timeout in seconds
},
"acl": "my_list.acl", // See ACL below
"mmdb": "GeoLite2-Country.mmdb", // MaxMind database for ACL country lookups
"obfs": "AMOGUS", // Obfuscation password
"auth": "[BASE64]", // Authentication payload in Base64
"auth_str": "yubiyubi", // Authentication payload in string, mutually exclusive with the option above
"alpn": "ayaya", // QUIC TLS ALPN
"server_name": "real.name.com", // TLS hostname used to verify the server certificate
"insecure": false, // Ignore all certificate errors
"ca": "my.ca", // Custom CA file
"recv_window_conn": 15728640, // QUIC stream receive window
"recv_window": 67108864, // QUIC connection receive window
"disable_mtu_discovery": false, // Disable Path MTU Discovery (RFC 8899)
"resolver": "1.1.1.1:53" // DNS resolver address
}
```
#### Fake TCP / TCP masquerade
Certain networks may impose various restrictions on UDP traffic or block it altogether. Hysteria offers a "faketcp" mode
that allows servers and clients to communicate using a protocol that looks like TCP but does not actually go through the
system TCP stack. This tricks whatever middleboxes into thinking it's actually TCP traffic, rendering UDP-specific
restrictions useless.
This mode is currently only supported on Linux (both client and server) and requires root privileges.
If your server is behind a firewall, open the corresponding TCP port instead of UDP.
#### Transparent proxy
TPROXY modes (`tproxy_tcp` & `tproxy_udp`) are only available on Linux.
References:
- https://www.kernel.org/doc/Documentation/networking/tproxy.txt
- https://powerdns.org/tproxydoc/tproxy.md.html
## Optimization tips
### Optimizing for extreme transfer speeds
If you want to use Hysteria for very high speed transfers (e.g. 10GE, 1G+ over inter-country long fat pipes), consider
increasing your system's UDP receive buffer size.
```shell
sysctl -w net.core.rmem_max=4000000
```
This would increase the buffer size to roughly 4 MB on Linux.
You may also need to increase `recv_window_conn` and `recv_window` (`recv_window_client` on server side) to make sure
they are at least no less than the bandwidth-delay product. For example, if you want to achieve a transfer speed of 500
MB/s on a line with an RTT of 200 ms, you need a minimum receive window size of 100 MB (500*0.2).
### Routers and other embedded devices
For devices with very limited computing power and RAM, turning off obfuscation can bring a slight performance boost.
The default receive window size for both Hysteria server and client is 64 MB. Consider lowering them if it's too large
for your device. Keeping a ratio of one to four between stream receive window and connection receive window is
recommended.
## ACL
[ACL File Format](ACL.md)
ACL is available on both client & server. On the server side it can be used to restrict what the clients can access, and
is valid for any mode on the client side. On the client side, it's only supported in SOCKS5 & HTTP proxy modes, and has
no effect in other modes (all traffic will go through the proxy)
## URI Scheme
Third party clients looking to implement a "share by link" feature are advised to follow the following URI scheme
(initially introduced by Shadowrocket):
hysteria://host:port?protocol=udp&auth=123456&peer=sni.domain&insecure=1&upmbps=100&downmbps=100&alpn=hysteria&obfs=xplus&obfsParam=123456#remarks
- host: hostname or IP address of the server to connect to (required)
- port: port of the server to connect to (required)
- protocol: protocol to use ("udp", "wechat-video", "faketcp") (optional, default: "udp")
- auth: authentication payload (string) (optional)
- peer: SNI for TLS (optional)
- insecure: ignore certificate errors (optional)
- upmbps: upstream bandwidth in Mbps (required)
- downmbps: downstream bandwidth in Mbps (required)
- alpn: QUIC ALPN (optional)
- obfs: Obfuscation mode (optional, empty or "xplus")
- obfsParam: Obfuscation password (optional)
- remarks: remarks (optional)
## Logging
The program outputs `DEBUG` level, text format logs via stdout by default.
To change the logging level, use `LOGGING_LEVEL` environment variable. The available levels are `panic`, `fatal`
, `error`, `warn`, `info`, ` debug`, `trace`
To print JSON instead, set `LOGGING_FORMATTER` to `json`
To change the logging timestamp format, set `LOGGING_TIMESTAMP_FORMAT`
## Custom CA
1. Suppose the server address is `123.123.123.123`, UDP port `5678` is not blocked by firewall
2. openssl is already installed
3. hysteria is already installed in `/root/hysteria/`
<details>
<summary>4. Generate custom CA certificate</summary>
- Run the script below in `/root/hysteria/`
``` shell
#!/usr/bin/env bash
domain=$(openssl rand -hex 8)
password=$(openssl rand -hex 16)
obfs=$(openssl rand -hex 6)
path="/root/hysteria"
openssl genrsa -out hysteria.ca.key 2048
openssl req -new -x509 -days 3650 -key hysteria.ca.key -subj "/C=CN/ST=GD/L=SZ/O=Hysteria, Inc./CN=Hysteria Root CA" -out hysteria.ca.crt
openssl req -newkey rsa:2048 -nodes -keyout hysteria.server.key -subj "/C=CN/ST=GD/L=SZ/O=Hysteria, Inc./CN=*.${domain}.com" -out hysteria.server.csr
openssl x509 -req -extfile <(printf "subjectAltName=DNS:${domain}.com,DNS:www.${domain}.com") -days 3650 -in hysteria.server.csr -CA hysteria.ca.crt -CAkey hysteria.ca.key -CAcreateserial -out hysteria.server.crt
cat > ./client.json <<EOF
{
"server": "123.123.123.123:5678",
"alpn": "h3",
"obfs": "${obfs}",
"auth_str": "${password}",
"up_mbps": 30,
"down_mbps": 30,
"socks5": {
"listen": "0.0.0.0:1080"
},
"http": {
"listen": "0.0.0.0:8080"
},
"server_name": "www.${domain}.com",
"ca": "${path}/hysteria.ca.crt"
}
EOF
cat > ./server.json <<EOF
{
"listen": ":5678",
"alpn": "h3",
"obfs": "${obfs}",
"cert": "${path}/hysteria.server.crt",
"key": "${path}/hysteria.server.key" ,
"auth": {
"mode": "password",
"config": {
"password": "${password}"
}
}
}
EOF
```
</details>
5. On the server side, copy `server.json`, `hysteria.server.crt`, `hysteria.server.key` to `/root/hysteria/`,
run `/root/hysteria/hysteria -c /root/hysteria/server.json server`
6. On the client side, assuming that the client is also in `/root/hysteria`, copy `client.json`, `hysteria.ca.crt`
to `/root/hysteria/`, run `/root/hysteria/hysteria -c /root/hysteria/client.json`
7. After getting your certificate, modify the server address, port, certificate path, etc. according to your needs
8. If you are using Shadowrocket on iOS, you can airdrop the file `hysteria.ca.crt` to your device and install it

473
README.zh.md
View File

@ -1,473 +0,0 @@
# ![Logo](docs/logos/readme.png)
[![License][1]][2] [![Release][3]][4] [![Telegram][5]][6] [![Discussions][7]][8]
[1]: https://img.shields.io/github/license/tobyxdd/hysteria?style=flat-square
[2]: LICENSE.md
[3]: https://img.shields.io/github/v/release/tobyxdd/hysteria?style=flat-square
[4]: https://github.com/tobyxdd/hysteria/releases
[5]: https://img.shields.io/badge/chat-Telegram-blue?style=flat-square
[6]: https://t.me/hysteria_github
[7]: https://img.shields.io/github/discussions/HyNetwork/hysteria?style=flat-square
[8]: https://github.com/HyNetwork/hysteria/discussions
Hysteria 是一个功能丰富的,专为恶劣网络环境进行优化的网络工具(双边加速),比如卫星网络、拥挤的公共 Wi-Fi、在中国连接国外服务器等。
基于修改版的 QUIC 协议。目前有以下模式:(仍在增加中)
- SOCKS5 代理 (TCP & UDP)
- HTTP/HTTPS 代理
- TCP/UDP 转发
- TCP/UDP TPROXY 透明代理 (Linux)
- TUN (Windows 下为 TAP)
## 下载安装
### Windows, Linux, macOS CLI
- 从 https://github.com/tobyxdd/hysteria/releases 下载编译好的版本
- Linux 分为 `hysteria-tun` (带有 tun 支持) 和 `hysteria` (无 tun 支持) 两个版本。无 tun 支持的版本是静态链接,不依赖系统
glibc 的。**如果你使用的 Linux 发行版无法正常执行 `hysteria-tun`,请尝试 `hysteria`**
- 其余平台无 glibc 兼容性问题,提供的都是带有 tun 支持的版本
- 使用 Docker 或 Docker Compose: https://github.com/HyNetwork/hysteria/blob/master/Docker.zh.md
- 使用 Arch Linux AUR: https://aur.archlinux.org/packages/hysteria/
- 自己用 `go build ./cmd` 从源码编译
### OpenWrt LuCI app
- [openwrt-passwall](https://github.com/xiaorouji/openwrt-passwall)
### Android
- [SagerNet](https://github.com/SagerNet/SagerNet) 配合 [hysteria-plugin](https://github.com/SagerNet/SagerNet/releases/tag/hysteria-plugin-0.9.3)
### iOS
- [Shadowrocket](https://apps.apple.com/us/app/shadowrocket/id932747118)
## 快速入门
注意:本节提供的配置只是为了快速上手,可能无法满足你的需求。请到 [高级用法](#高级用法) 中查看所有可用选项与含义。
### 服务器
在目录下建立一个 `config.json`
```json
{
"listen": ":36712",
"acme": {
"domains": [
"your.domain.com"
],
"email": "hacker@gmail.com"
},
"obfs": "fuck me till the daylight",
"up_mbps": 100,
"down_mbps": 100
}
```
服务端需要一个 TLS 证书。 你可以让 Hysteria 内置的 ACME 尝试自动从 Let's Encrypt 为你的服务器签发一个证书,也可以自己提供。
证书未必一定要是有效、可信的,但在这种情况下客户端需要进行额外的配置。要使用自己的 TLS 证书,参考这个配置:
```json
{
"listen": ":36712",
"cert": "/home/ubuntu/my.crt",
"key": "/home/ubuntu/my.key",
"obfs": "fuck me till the daylight",
"up_mbps": 100,
"down_mbps": 100
}
```
可选的 `obfs` 选项使用提供的密码对协议进行混淆,这样协议就不容易被检测出是 Hysteria/QUIC可以用来绕过针对性的 DPI 屏蔽或者 QoS。
如果服务端和客户端的密码不匹配就不能建立连接,因此这也可以作为一个简单的密码验证。对于更高级的验证方案请见下文 `auth`
`up_mbps``down_mbps` 限制服务器对每个客户端的最大上传和下载速度。这些也是可选的,如果不需要可以移除。
要启动服务端,只需运行
```
./hysteria-linux-amd64 server
```
如果你的配置文件没有命名为 `config.json` 或在别的路径,请用 `-config` 指定路径:
```
./hysteria-linux-amd64 -config blah.json server
```
### 客户端
和服务器端一样,在程序根目录下建立一个`config.json`
```json
{
"server": "example.com:36712",
"obfs": "fuck me till the daylight",
"up_mbps": 10,
"down_mbps": 50,
"socks5": {
"listen": "127.0.0.1:1080"
},
"http": {
"listen": "127.0.0.1:8080"
}
}
```
这个配置同时开了 SOCK5 (支持 TCP & UDP) 代理和 HTTP 代理。Hysteria 还有很多其他模式,请务必前往 [高级用法](#高级用法) 了解一下!
要启用/禁用一个模式,在配置文件中添加/移除对应条目即可。
如果你的服务端证书不是由受信任的 CA 签发的,需要用 `"ca": "/path/to/file.ca"` 指定使用的 CA 或者用 `"insecure": true` 忽略所有
证书错误(不推荐)。
`up_mbps``down_mbps` 在客户端是必填选项,请根据实际网络情况尽量准确地填写,否则将影响 Hysteria 的使用体验。
有些用户可能会尝试用这个功能转发其他加密代理协议,比如 Shadowsocks。这样虽然可行但从性能的角度不推荐 - Hysteria 本身就用 TLS
转发的代理协议也是加密的,再加上如今几乎所有网站都是 HTTPS 了,等于做了三重加密。如果需要代理,建议直接使用代理模式。
## 对比
![Bench](docs/bench/bench.png)
## 高级用法
### 服务器
```json5
{
"listen": ":36712", // 监听地址
"protocol": "faketcp", // 留空或 "udp", "wechat-video", "faketcp"
"acme": {
"domains": [
"your.domain.com",
"another.domain.net"
], // ACME 证书域名
"email": "hacker@gmail.com", // 注册邮箱,可选,推荐
"disable_http": false, // 禁用 HTTP 验证方式
"disable_tlsalpn": false, // 禁用 TLS-ALPN 验证方式
"alt_http_port": 8080, // HTTP 验证方式替代端口
"alt_tlsalpn_port": 4433 // TLS-ALPN 验证方式替代端口
},
"cert": "/home/ubuntu/my_cert.crt", // 证书
"key": "/home/ubuntu/my_key.crt", // 证书密钥
"up_mbps": 100, // 单客户端最大上传速度
"down_mbps": 100, // 单客户端最大下载速度
"disable_udp": false, // 禁用 UDP 支持
"acl": "my_list.acl", // 见下文 ACL
"mmdb": "GeoLite2-Country.mmdb", // MaxMind IP 库 (ACL)
"obfs": "AMOGUS", // 混淆密码
"auth": { // 验证
"mode": "password", // 验证模式,暂时只支持 "password" 与 "none"
"config": {
"password": "yubiyubi"
}
},
"alpn": "ayaya", // QUIC TLS ALPN
"prometheus_listen": ":8080", // Prometheus 统计接口监听地址 (在 /metrics)
"recv_window_conn": 15728640, // QUIC stream receive window
"recv_window_client": 67108864, // QUIC connection receive window
"max_conn_client": 4096, // 单客户端最大活跃连接数
"disable_mtu_discovery": false, // 禁用 MTU 探测 (RFC 8899)
"ipv6_only": false, // 强制把域名解析成 IPv6 地址
"resolver": "1.1.1.1:53" // DNS 地址
}
```
#### ACME
目前仅支持 HTTP 与 TLS-ALPN 验证方式,不支持 DNS 验证。对于两种方式请分别确保 TCP 80/443 端口能够被访问。
#### 接入外部验证
如果你是商业代理服务提供商,可以这样把 Hysteria 接入到自己的验证后端:
```json5
{
// ...
"auth": {
"mode": "external",
"config": {
"http": "https://api.example.com/auth" // 支持 HTTP 和 HTTPS
}
}
}
```
对于上述配置Hysteria 会把验证请求通过 HTTP POST 发送到 `https://api.example.com/auth`
```json5
{
"addr": "111.222.111.222:52731",
"payload": "[BASE64]", // 对应客户端配置的 auth 或 auth_str 字段
"send": 12500000, // 协商后的服务端最大发送速率 (Bps)
"recv": 12500000 // 协商后的服务端最大接收速率 (Bps)
}
```
后端必须用 HTTP 200 状态码返回验证结果(即使验证不通过):
```json5
{
"ok": false,
"msg": "No idea who you are"
}
```
`ok` 表示验证是否通过,`msg` 是成功/失败消息。
#### Prometheus 流量统计
通过 `prometheus_listen` 选项可以让 Hysteria 暴露一个 Prometheus HTTP 客户端 endpoint 用来统计流量使用情况。
例如如果配置在 8080 端口,则 API 地址是 `http://example.com:8080/metrics`
```text
hysteria_active_conn{auth="55m95auW5oCq"} 32
hysteria_active_conn{auth="aGFja2VyISE="} 7
hysteria_traffic_downlink_bytes_total{auth="55m95auW5oCq"} 122639
hysteria_traffic_downlink_bytes_total{auth="aGFja2VyISE="} 3.225058e+06
hysteria_traffic_uplink_bytes_total{auth="55m95auW5oCq"} 40710
hysteria_traffic_uplink_bytes_total{auth="aGFja2VyISE="} 37452
```
`auth` 是客户端发来的验证密钥,经过 Base64 编码。
### 客户端
```json5
{
"server": "example.com:36712", // 服务器地址
"protocol": "faketcp", // 留空或 "udp", "wechat-video", "faketcp"
"up_mbps": 10, // 最大上传速度
"down_mbps": 50, // 最大下载速度
"socks5": {
"listen": "127.0.0.1:1080", // SOCKS5 监听地址
"timeout": 300, // TCP 超时秒数
"disable_udp": false, // 禁用 UDP 支持
"user": "me", // SOCKS5 验证用户名
"password": "lmaolmao" // SOCKS5 验证密码
},
"http": {
"listen": "127.0.0.1:8080", // HTTP 监听地址
"timeout": 300, // TCP 超时秒数
"user": "me", // HTTP 验证用户名
"password": "lmaolmao", // HTTP 验证密码
"cert": "/home/ubuntu/my_cert.crt", // 证书 (变为 HTTPS 代理)
"key": "/home/ubuntu/my_key.crt" // 证书密钥 (变为 HTTPS 代理)
},
"tun": {
"name": "tun-hy", // TUN 接口名称
"timeout": 300, // 超时秒数
"address": "192.0.2.2", // TUN 接口地址(不适用于 Linux
"gateway": "192.0.2.1", // TUN 接口网关(不适用于 Linux
"mask": "255.255.255.252", // TUN 接口子网掩码(不适用于 Linux
"dns": [ "8.8.8.8", "8.8.4.4" ], // TUN 接口 DNS 服务器(仅适用于 Windows
"persist": false // 在程序退出之后保留接口(仅适用于 Linux
},
"relay_tcps": [
{
"listen": "127.0.0.1:2222", // TCP 转发监听地址
"remote": "123.123.123.123:22", // TCP 转发目标地址
"timeout": 300 // TCP 超时秒数
},
{
"listen": "127.0.0.1:13389", // TCP 转发监听地址
"remote": "124.124.124.124:3389", // TCP 转发目标地址
"timeout": 300 // TCP 超时秒数
}
],
"relay_udps": [
{
"listen": "127.0.0.1:5333", // UDP 转发监听地址
"remote": "8.8.8.8:53", // UDP 转发目标地址
"timeout": 60 // UDP 超时秒数
},
{
"listen": "127.0.0.1:11080", // UDP 转发监听地址
"remote": "9.9.9.9.9:1080", // UDP 转发目标地址
"timeout": 60 // UDP 超时秒数
}
],
"tproxy_tcp": {
"listen": "127.0.0.1:9000", // TCP 透明代理监听地址
"timeout": 300 // TCP 超时秒数
},
"tproxy_udp": {
"listen": "127.0.0.1:9000", // UDP 透明代理监听地址
"timeout": 60 // UDP 超时秒数
},
"acl": "my_list.acl", // 见下文 ACL
"mmdb": "GeoLite2-Country.mmdb", // MaxMind IP 库 (ACL)
"obfs": "AMOGUS", // 混淆密码
"auth": "[BASE64]", // Base64 验证密钥
"auth_str": "yubiyubi", // 字符串验证密钥,和上面的选项二选一
"alpn": "ayaya", // QUIC TLS ALPN
"server_name": "real.name.com", // 用于验证服务端证书的 hostname
"insecure": false, // 忽略一切证书错误
"ca": "my.ca", // 自定义 CA
"recv_window_conn": 15728640, // QUIC stream receive window
"recv_window": 67108864, // QUIC connection receive window
"disable_mtu_discovery": false, // 禁用 MTU 探测 (RFC 8899)
"resolver": "1.1.1.1:53" // DNS 地址
}
```
#### 伪装 TCP (faketcp 模式)
某些网络可能对 UDP 流量施加各种限制或者完全屏蔽。Hysteria 提供了一个 "faketcp" 模式,让服务端与客户端之间用看起来是 TCP 但实际不走
系统 TCP 栈的方式通信。通过这种方式可以让防火墙、QoS 设备认为这是真的 TCP 连接,绕过对 UDP 的限制。
目前只在 Linux 上支持(客户端和服务器都是),并且需要 root 权限。
如果你的服务器有防火墙,请放行相应的 TCP 端口而不是 UDP。
#### 透明代理
TPROXY 模式 (`tproxy_tcp``tproxy_udp`) 只在 Linux 下可用。
参考阅读:
- https://www.kernel.org/doc/Documentation/networking/tproxy.txt
- https://powerdns.org/tproxydoc/tproxy.md.html
## 优化建议
### 针对超高传速度进行优化
如果要用 Hysteria 进行极高速度的传输 (如内网超过 10G 或高延迟跨国超过 1G),请增加系统的 UDP receive buffer 大小。
```shell
sysctl -w net.core.rmem_max=4000000
```
这个命令会在 Linux 下将 buffer 大小提升到 4 MB 左右。
你可能还需要提高 `recv_window_conn``recv_window` (服务器端是 `recv_window_client`) 以确保它们至少不低于带宽-延迟的乘积。
比如如果想在一条 RTT 200ms 的线路上达到 500 MB/s 的速度receive window 至少需要 100 MB (500*0.2)
### 路由器与其他嵌入式设备
对于运算性能和内存十分有限的嵌入式设备,如果不是必须的话建议关闭混淆,可以带来少许性能提升。
Hysteria 服务端与客户端默认的 receive window 大小是 64 MB。如果设备内存不够请考虑通过配置降低。建议保持 stream receive window
和 connection receive window 之间 1:4 的比例关系。
## 关于 ACL
[ACL 文件格式](ACL.zh.md)
ACL 在服务端和客户端都可以使用。在服务端可以用来实现限制客户端能访问的目标,对客户端任何模式都有效。在客户端只有 SOCKS5 和 HTTP 代理
支持 ACL。其他模式下没有效果所有流量都会走代理
## URI Scheme
希望包含链接分享/导入功能的第三方客户端,建议按照如下 URI Scheme 实现(最初由 Shadowrocket 引入):
hysteria://host:port?protocol=udp&auth=123456&peer=sni.domain&insecure=1&upmbps=100&downmbps=100&alpn=hysteria&obfs=xplus&obfsParam=123456#remarks
- host: hostname or IP address of the server to connect to (required)
- port: port of the server to connect to (required)
- protocol: protocol to use ("udp", "wechat-video", "faketcp") (optional, default: "udp")
- auth: authentication payload (string) (optional)
- peer: SNI for TLS (optional)
- insecure: ignore certificate errors (optional)
- upmbps: upstream bandwidth in Mbps (required)
- downmbps: downstream bandwidth in Mbps (required)
- alpn: QUIC ALPN (optional)
- obfs: Obfuscation mode (optional, empty or "xplus")
- obfsParam: Obfuscation password (optional)
- remarks: remarks (optional)
## 日志
程序默认在 stdout 输出 DEBUG 级别,文字格式的日志。
如果需要修改日志级别可以使用 `LOGGING_LEVEL` 环境变量,支持 `panic`, `fatal`, `error`, `warn`, `info`, `debug`, `trace`
如果需要输出 JSON 可以把 `LOGGING_FORMATTER` 设置为 `json`
如果需要修改日志时间戳格式可以使用 `LOGGING_TIMESTAMP_FORMAT`
## 自定义 CA 方法
1. 假设服务器地址是 `123.123.123.123`, 端口`5678`UDP/TCP协议未被防火墙拦截
2. 已经安装了 openssl
3. hysteria 已经安装在 `/root/hysteria/`目录下
<details>
<summary>4. 生成自定义CA证书</summary>
- 在 `/root/hysteria/` 目录下将以下shell命令保存为 `generate.sh` , 并赋予执行权限: `chmod +x ./generate.sh` 后,运行 `./generate.sh` 命令生成自定义CA证书
- 或者在`/root/hysteria/` 目录下直接执行以下shell命令生成自定义CA证书
``` shell
#!/usr/bin/env bash
domain=$(openssl rand -hex 8)
password=$(openssl rand -hex 16)
obfs=$(openssl rand -hex 6)
path="/root/hysteria"
# 生成CAkey
openssl genrsa -out hysteria.ca.key 2048
# 生成CA证书
openssl req -new -x509 -days 3650 -key hysteria.ca.key -subj "/C=CN/ST=GD/L=SZ/O=Hysteria, Inc./CN=Hysteria Root CA" -out hysteria.ca.crt
openssl req -newkey rsa:2048 -nodes -keyout hysteria.server.key -subj "/C=CN/ST=GD/L=SZ/O=Hysteria, Inc./CN=*.${domain}.com" -out hysteria.server.csr
# 签发服务端用的证书
openssl x509 -req -extfile <(printf "subjectAltName=DNS:${domain}.com,DNS:www.${domain}.com") -days 3650 -in hysteria.server.csr -CA hysteria.ca.crt -CAkey hysteria.ca.key -CAcreateserial -out hysteria.server.crt
cat > ./client.json <<EOF
{
"server": "123.123.123.123:5678",
"alpn": "h3",
"obfs": "${obfs}",
"auth_str": "${password}",
"up_mbps": 30,
"down_mbps": 30,
"socks5": {
"listen": "0.0.0.0:1080"
},
"http": {
"listen": "0.0.0.0:8080"
},
"server_name": "www.${domain}.com",
"ca": "${path}/hysteria.ca.crt"
}
EOF
cat > ./server.json <<EOF
{
"listen": ":5678",
"alpn": "h3",
"obfs": "${obfs}",
"cert": "${path}/hysteria.server.crt",
"key": "${path}/hysteria.server.key" ,
"auth": {
"mode": "password",
"config": {
"password": "${password}"
}
}
}
EOF
```
</details>
5. 服务端:复制 `server.json``hysteria.server.crt``hysteria.server.key``/root/hysteria/` 目录下,运行 `/root/hysteria/hysteria -c /root/hysteria/server.json server` 命令
6. 客户端:假设客户端运行目录也为`/root/hysteria`, 复制 `client.json``hysteria.ca.crt``/root/hysteria/` 目录下,运行 `/root/hysteria/hysteria -c /root/hysteria/client.json` 命令
7. 生成CA证书之后根据自身情况修改服务器地址、端口和证书文件路径加上`obfs``alpn`是防止首次在某些环境下被墙,第一次在全参数情况下测试通过后,可以自身网络环境删除不必须要参数,比如`obfs``alpn`.
8. iOS 端如果使用的是小火箭 Shadowrocket可以把文件`hysteria.ca.crt` airdrop到手机然后在手机上安装并信任后, 就可以使用自定义CA证书了。