# 适用于为 ubuntu/debian 服务器安装 gost

## 1. 使用说明

下面的操作都是在自己本地的电脑上完成，不需要在 VPS 上操作，这个 notebook 的功能就是把服务器上软件安装配置的过程变成了代码，会帮你在服务器上自动把软件安装好配置好。

In [None]:
# 如果在 colab/datalore 上需要执行下这条命令
!pip install fabric

## 2. [每次都需要执行]连接服务器

先执行下面代码，根据自己的情况，再从 2.1 和 2.2 中选择执行其中一个即可
* 2.1 [2选1]使用用户名密码连接服务器
* 2.2 [2选1]使用 SSH KEY 连接服务器

In [None]:
from fabric import Connection
from typing import IO
import uuid


# 如果用户名不是 root 需要使用 sudo，请为设置为 True
# 如果使用 sudo，请先在服务器上安装好 sudo
# >
# > apt-get install -y sudo
# >

USE_SUDO = False           

def run(c: Connection, cmd: str):
    if USE_SUDO:
        return c.sudo(cmd)
    else:
        return c.run(cmd)
    
def put(c: Connection, local_file: IO, remote_file_path: str):
    if USE_SUDO:
        tmp_remote_file_path = f"/tmp/{uuid.uuid4()}"
        c.put(local_file, tmp_remote_file_path)
        c.sudo(f'mv -f {tmp_remote_file_path} {remote_file_path} | true')
    else:
        c.put(local_file, remote_file_path)

### 2.1 [2选1]使用用户名密码连接服务器

In [None]:
REMOTE_HOST = "1.2.3.4"    # 替换为您的远程主机名或IP地址
REMOTE_PORT = 22           # 替换为您的远程SSH端口号
REMOTE_USER = "root"       # 替换为您的远程用户名
REMOTE_PASSWORD = ""       # 替换为您的远程密码

conn = Connection(host=REMOTE_HOST, port=REMOTE_PORT, user=REMOTE_USER, connect_kwargs={"password": REMOTE_PASSWORD})

### 2.2 [2选1]使用 SSH KEY 连接服务器

In [None]:
REMOTE_HOST = "1.2.3.4"       # 替换为您的远程主机名或IP地址
REMOTE_PORT = 22              # 替换为您的远程SSH端口号
REMOTE_USER = "ubuntu"          # 替换为您的远程用户名

# 替换为您的私钥
SSH_PRIVATE_KEY = """-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
"""
import io
import paramiko

pkey = paramiko.RSAKey.from_private_key(io.StringIO(SSH_PRIVATE_KEY))
conn = Connection(host=REMOTE_HOST, port=REMOTE_PORT, user=REMOTE_USER, connect_kwargs={"pkey": pkey})

## 3. 测试一下，确认没有任何报错，能连接上服务器，再进行下一步

In [None]:
## 如有需要请安装 sudo
#def install_sudo(c: Connection):
#    c.run('apt-get install -y sudo')
#install_sudo(conn)

def test(c: Connection):
    result = run(c, "uname -a")
    print(f"Command output: {result.stdout.strip()}")
        
test(conn)

## 4. 安装必要的工具

In [None]:
def install_tools(c: Connection):
    run(c, 'apt-get update')
    run(c, 'apt-get install wget -y')
install_tools(conn)

## 5. [每次必须执行]定义 GOST 的安装位置和 WSS 端口

In [None]:
# GOST 安装位置
GOST_HOME = '/opt/gost'


# 使用 Cloudflare 支持的 HTTPS 代理端口
# https://developers.cloudflare.com/fundamentals/get-started/reference/network-ports/#network-ports-compatible-with-cloudflares-proxy
# - 443
# - 2053
# - 2083
# - 2087
# - 2096
# - 8443
GOST_WSS_PORT=443

## 6. 下载 GOST

In [None]:
def download_gost(c: Connection, gost_ver: str = '2.11.5'):
    run(c, f'mkdir -p {GOST_HOME}')
    run(c, f'rm -rf {GOST_HOME}/gost-*')
    run(c, f'wget -nv https://github.com/ginuerzh/gost/releases/download/v{gost_ver}/gost-linux-amd64-{gost_ver}.gz -O {GOST_HOME}/gost-linux-amd64-{gost_ver}.gz | true')
    run(c, f'gunzip {GOST_HOME}/gost-linux-amd64-{gost_ver}.gz')
    run(c, f'mv {GOST_HOME}/gost-linux-amd64-{gost_ver} {GOST_HOME}/gost')
    run(c, f'chmod +x {GOST_HOME}/gost')

download_gost(conn)

## 7. 设置或更新域名证书(在 Cloudflare 后台获取证书，需要登录 Cloudflare 后台创建)

如果不使用 Cloudflare 的 Proxy，直连 VPS，那么这里也可以直接用默认的证书

In [None]:
ca_content = """-----BEGIN CERTIFICATE-----
MIIDHTCCAsSgAwIBAgIUcF63xnECqLlN94qEcweJwdIyz4gwCgYIKoZIzj0EAwIw
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
eTAeFw0yMzAzMTcxNTIxMDBaFw0zODAzMTMxNTIxMDBaMGIxGTAXBgNVBAoTEENs
b3VkRmxhcmUsIEluYy4xHTAbBgNVBAsTFENsb3VkRmxhcmUgT3JpZ2luIENBMSYw
JAYDVQQDEx1DbG91ZEZsYXJlIE9yaWdpbiBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABKAuCXtkYpEsnVk4W0zVQuWLlAYX7QIxat9IYH5pmwf8
RZBxuSK+BrLvsRSgQaQ+Xuqv8bW/yqH81smwIxILceGjggEoMIIBJDAOBgNVHQ8B
Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB
/wQCMAAwHQYDVR0OBBYEFESjneNGQQGg4N9DiU6TwjCuM9S2MB8GA1UdIwQYMBaA
FIUwXTsqcNTt1ZJnB/3rObQaDjinMEQGCCsGAQUFBwEBBDgwNjA0BggrBgEFBQcw
AYYoaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYTAhBgNV
HREEGjAYggsqLmJpODMubGlua4IJYmk4My5saW5rMDwGA1UdHwQ1MDMwMaAvoC2G
K2h0dHA6Ly9jcmwuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2VjY19jYS5jcmwwCgYI
KoZIzj0EAwIDRwAwRAIgS5M2pcS9kjrOjVlR1ImN2ieip0lgiAKMDUT7HxRfi9EC
IGhVMiKTjlSj4u/yC+rMiDBEBvqcho9a7pvBmRdXpCRq
-----END CERTIFICATE-----
"""
key_content = """-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg5bLrVhwtwJ70nwPH
LG4Yac6+0YJilE60Gh+sLTPAXFShRANCAASgLgl7ZGKRLJ1ZOFtM1ULli5QGF+0C
MWrfSGB+aZsH/EWQcbkivgay77EUoEGkPl7qr/G1v8qh/NbJsCMSC3Hh
-----END PRIVATE KEY-----
"""
import io
def config_cert(c: Connection):
    ca_file_path= f"{GOST_HOME}/ca.pem"
    with io.StringIO(ca_content) as ca_file:
            put(conn, ca_file, ca_file_path)

    key_file_path= f"{GOST_HOME}/key.pem"
    with io.StringIO(key_content) as key_file:
            put(conn, key_file, key_file_path)

config_cert(conn)

## 8. 设置或更新客户端用户名密码

可以添加多个帐号，用户名和密码之间用空格分隔

In [None]:
secrets_content = """# period for live reloading
reload      10s

# username password
bob A5PUL_qqfkyj
alice P9QDhs9ZVmc
"""
import io
def config_secrets(c: Connection):
    secrets_file_path= f"{GOST_HOME}/secrets.txt"
    with io.StringIO(secrets_content) as secrets_file:
            put(conn, secrets_file, secrets_file_path)

config_secrets(conn)

## 9. 配置 GOST

In [None]:
import json
import io


def config_gost(c: Connection):
    conf_file_path = f"{GOST_HOME}/config.json"
    conf = dict(ServeNodes=[
        f"wss://:{GOST_WSS_PORT}?secrets={GOST_HOME}/secrets.txt&cert={GOST_HOME}/ca.pem&key={GOST_HOME}/key.pem"
    ])
    conf_content = json.dumps(conf, indent=4)
    with io.StringIO(conf_content) as conf_file:
            put(conn, conf_file, conf_file_path)

            
config_gost(conn)

## 10. 配置开机自启

In [None]:
gost_systemd_service_content = f"""[Unit]
Description=Gost Service
After=network.target
Wants=network.target

[Service]
Type=simple
User=root
ExecStart={GOST_HOME}/gost -C {GOST_HOME}/config.json
Restart=on-failure

[Install]
WantedBy=multi-user.target
"""
import io
def config_systemd(c: Connection):
    gost_systemd_service_file_path = "/usr/lib/systemd/system/gost.service"
    with io.StringIO(gost_systemd_service_content) as gost_systemd_service_file:
            put(conn, gost_systemd_service_file, gost_systemd_service_file_path)  
    run(c, 'systemctl enable gost')
    run(c, 'systemctl start gost')
    
config_systemd(conn)

## 11. [可选] 添加规则打开防火墙的 WSS 端口

In [None]:
def iptables_allow_wss(c: Connection):
    run(c, f'iptables -I INPUT -p tcp --dport {GOST_WSS_PORT} -j ACCEPT')
    
iptables_allow_wss(conn)

## 12. [可选] GOST 服务操作

## 12.1 [可选] 重启 GOST 服务

In [None]:
def restart_gost(c: Connection):
    run(c, 'systemctl restart gost')

restart_gost(conn)

## 12.2 [可选] 停止 GOST 服务

In [None]:
def stop_gost(c: Connection):
    run(c, 'systemctl stop gost')

stop_gost(conn)

## 12.3 [可选] 启动 GOST 服务

In [None]:
def start_gost(c: Connection):
    run(c, 'systemctl start gost')

start_gost(conn)

## 12.4 [可选] 查看 GOST 服务状态

In [None]:
def show_gost(c: Connection):
    run(c, 'systemctl status gost')

show_gost(conn)

## 13. [可选] 开启 BBR

In [None]:
def enable_bbr(c: Connection):
    prefix_sudo = 'sudo' if USE_SUDO else ''
    run(c, f'echo -e "net.core.default_qdisc=fq\nnet.ipv4.tcp_congestion_control=bbr" | {prefix_sudo} tee -a /etc/sysctl.conf >/dev/null')
    run(c, 'sysctl -p')
enable_bbr(conn)

## 14. [可选]安装 cloudflare-warp 解决 OpenAI 和 New Bing 无法使用的问题

### 14.1 准备安装 cloudflare-warp

In [None]:
def get_system_type(c: Connection):
    uname = c.run('uname -s', hide=True).stdout.strip().lower()
    if 'linux' in uname:
        distro = conn.run('cat /etc/os-release | grep -w ID', hide=True).stdout.strip().lower()
        if 'debian' in distro:
            return 'Debian'
        elif 'ubuntu' in distro:
            return 'Ubuntu'
    return 'Unknown'

def prepare_for_cloudflare_warp(c: Connection):
    run(c, 'apt-get update')
    run(c, 'apt-get install -y gpg curl lsb-release')
    prefix_sudo = 'sudo' if USE_SUDO else ''
    system_type = get_system_type(c)
    if system_type == 'Debian':
        run(c, f'curl https://pkg.cloudflareclient.com/pubkey.gpg | {prefix_sudo} gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg')
        run(c, f'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | {prefix_sudo} tee /etc/apt/sources.list.d/cloudflare-client.list')
    elif system_type == 'Ubuntu':
        run(c, f'curl https://pkg.cloudflareclient.com/pubkey.gpg | {prefix_sudo} gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg')
        run(c, f'echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $(lsb_release -cs) main" | {prefix_sudo} tee /etc/apt/sources.list.d/cloudflare-client.list')
    else:
        print(system_type)
        
prepare_for_cloudflare_warp(conn)

### 14.2 安装 cloudflare-warp

In [None]:
def install_cloudflare_warp(c: Connection):
    run(c, 'apt-get update')
    run(c, 'apt-get install -y cloudflare-warp')

install_cloudflare_warp(conn)

### 14.3 配置 cloudflare-warp

In [None]:
def config_cloudflare_warp(c: Connection):
    run(c, 'warp-cli --accept-tos register')
    run(c, 'warp-cli --accept-tos set-mode proxy')
    run(c, 'warp-cli --accept-tos connect')
    run(c, 'warp-cli --accept-tos enable-always-on')
    run(c, 'warp-cli --accept-tos status')
    
config_cloudflare_warp(conn)

### 14.4 配置 GOST 的路由控制

In [None]:
# bypass 配置说明见 https://v2.gost.run/bypass/
# 本配置采用白名单设置，表示 google 网站会走 warp 代理
# reverse 为 true 表示采用白名单，也就是说域名在这个配置文件中的，将会走这个代理
# 请根据自己需要添加域名
# sharp 符号表示注释
# 如果不使用 bypass，请设置为 False，让所有的流量都走 warp 代理
USE_BYPASS=True

bypass_content = """# options
reload   10s
reverse  true

# bypass addresses
*.google.com
google.com
#*.openai.com
#openai.com
"""

import io
def config_bypass(c: Connection):
    bypass_file_path= f"{GOST_HOME}/bypass.txt"
    with io.StringIO(bypass_content) as bypass_file:
            put(conn, bypass_file, bypass_file_path)

config_bypass(conn)

### 14.5 配置 GOST 走 WAPR 代理链

执行完下面这段代码之后，再去执行 12 步重启 GOST 服务

In [None]:
import json
import io

GOST_WARP_WSS_PORT=2083

def config_gost_warp(c: Connection):
    bypass_query_string = f"?bypass={GOST_HOME}/bypass.txt" if USE_BYPASS else ""
    
    conf_file_path = f"{GOST_HOME}/config.json"
    conf = dict(
        ServeNodes=[f"wss://:{GOST_WSS_PORT}?secrets={GOST_HOME}/secrets.txt&cert={GOST_HOME}/ca.pem&key={GOST_HOME}/key.pem"], 
        Routes=[dict(ServeNodes=[f"wss://:{GOST_WARP_WSS_PORT}?secrets={GOST_HOME}/secrets.txt&cert={GOST_HOME}/ca.pem&key={GOST_HOME}/key.pem"], 
                     ChainNodes=[f"socks5://127.0.0.1:40000{bypass_query_string}"])])
    conf_content = json.dumps(conf, indent=4)
    with io.StringIO(conf_content) as conf_file:
            conn.put(conf_file, conf_file_path)

            
config_gost_warp(conn)
#restart_gost(conn)

### 14.6 [可选] 添加规则打开防火墙的 WARP WSS 端口

In [None]:
def iptables_allow_warp_wss(c: Connection):
    run(c, f'iptables -I INPUT -p tcp --dport {GOST_WARP_WSS_PORT} -j ACCEPT')
    
iptables_allow_warp_wss(conn)