Put shadowsocks behind nginx

README.md

@@ -16,7 +16,7 @@ https://getoutline.org/get-started/#step-3
 * [prometheus](https://prometheus.io): monitoring to detect traffic abuse
 
 # Setup
-This part requires [Ansible](https://www.ansible.com) knowledge.
+This part requires [Ansible](https://www.ansible.com) knowledge. The deployment is tested on and implemented for Debian only.
 
 ## At the very beginning
 1. Initialize pre-commit hook to prevent secrets from being leaked:

proxies.yml

@@ -3,4 +3,5 @@
   no_log: true
   roles:
     - shadowsocks
+    - shadowsocks-gateway
     - prometheus

roles/nginx/tasks/main.yml

@@ -0,0 +1,38 @@
+# http://nginx.org/en/linux_packages.html#Debian
+
+- name: Check if nginx is installed
+  shell: nginx -v
+  register: nginx_installed
+  ignore_errors: yes
+
+- name: Install the prerequisites
+  with_items:
+    - curl
+    - gnupg2
+    - ca-certificates
+    - lsb-release
+    - debian-archive-keyring
+  package:
+    name: "{{ item }}"
+    state: present
+  when: nginx_installed.failed
+
+- name: Import an official nginx signing key so apt could verify the packages authenticity
+  command: bash -c "curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg > /dev/null"
+  when: nginx_installed.failed
+
+- name: Set up the apt repository for stable nginx packages
+  command: bash -c "echo 'deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/debian `lsb_release -cs` nginx' | tee /etc/apt/sources.list.d/nginx.list"
+  when: nginx_installed.failed
+
+- name: Install nginx
+  package:
+    name: nginx
+    state: present
+  when: nginx_installed.failed
+
+- name: Stop nginx
+  systemd:
+    name: nginx.service
+    state: stopped
+    enabled: false

roles/shadowsocks-gateway/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+  - role: nginx
+  - role: shadowsocks

roles/shadowsocks-gateway/tasks/main.yml

@@ -0,0 +1,41 @@
+- name: Install libnginx-mod-stream
+  package:
+    name: libnginx-mod-stream
+    state: present
+
+- name: Create user
+  user: name={{ shadowsocks_gateway_user }}
+
+- name: Render nginx config
+  template:
+    src: nginx.conf.j2
+    dest: "/home/{{ shadowsocks_gateway_user }}/nginx.conf"
+    group: "{{ shadowsocks_gateway_user }}"
+    owner: "{{ shadowsocks_gateway_user }}"
+    mode: "600"
+  register: config
+
+- name: Remove unexpected files in home
+  include_tasks: tasks/remove-unexpected-files.yml
+  vars:
+    directory: "/home/{{ shadowsocks_gateway_user }}"
+    files:
+      - nginx.conf
+
+- name: Render systemd service config
+  template:
+    src: shadowsocks-gateway.service.j2
+    dest: /etc/systemd/system/shadowsocks-gateway.service
+  register: systemd
+
+- name: Reload daemon
+  systemd:
+    daemon_reload: yes
+  when: systemd.changed
+
+- name: Restart systemd app service
+  systemd:
+    name: shadowsocks-gateway.service
+    state: restarted
+    enabled: yes
+  when: systemd.changed or config.changed

roles/shadowsocks-gateway/templates/nginx.conf.j2

@@ -0,0 +1,31 @@
+load_module /usr/lib/nginx/modules/ngx_stream_module.so;
+daemon off;
+worker_processes auto;
+
+events {
+    worker_connections 1024;
+}
+
+stream {
+    map $ssl_preread_protocol $backend {
+        default shadowsocks_backend;
+        "TLSv1.2" https_backend;
+        "TLSv1.3" https_backend;
+    }
+
+    upstream https_backend {
+        server {{ shadowsocks_gateway_fallback_proxy_target }};
+    }
+
+    upstream shadowsocks_backend {
+        server localhost:{{ shadowsocks_port }};
+    }
+
+    server {
+        listen {{ server.port }};
+        proxy_timeout 5s;
+        ssl_preread on;
+
+        proxy_pass $backend;
+    }
+}

roles/shadowsocks-gateway/templates/shadowsocks-gateway.service.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=shadowsocks-gateway
+After=shadowsocks.service
+
+[Service]
+User=root
+ExecStart=nginx -c /home/{{ shadowsocks_gateway_user }}/nginx.conf
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/shadowsocks-gateway/vars/main.yml

@@ -0,0 +1,10 @@
+# linux user to run shadowsocks-gateway as
+shadowsocks_gateway_user: shadowsocks-gateway
+# where regular https requests (non-shadowsocks requests) proxy to
+shadowsocks_gateway_fallback_proxy_target: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  37333637313939636530653837626436396562306537353834326662383835353162393962336439
+  6430373734363064656263373964363839643862326433660a383630663561313838666335343462
+  65376263643234313439393933393262393932323664653030616432303439363164666539636362
+  6139373831393530360a663130336433373266333635303637393735313932336131326162373734
+  3066

roles/shadowsocks/vars/main.yml

@@ -18,4 +18,4 @@ shadowsocks_replay_history: 10000
 # port of metrics for prometheus to be exposed
 shadowsocks_metrics_port: 9091
 # port of shadowsocks behind gateway
-shadowsocks_port: 443
+shadowsocks_port: 46365