{"id":16005544,"url":"https://github.com/kwaa/comet","last_synced_at":"2025-10-01T08:30:42.172Z","repository":{"id":177352921,"uuid":"658034424","full_name":"kwaa/comet","owner":"kwaa","description":"🌠 Comet Gateway - Experimental Naiveproxy transparent gateway. [WIP]","archived":false,"fork":false,"pushed_at":"2024-03-04T08:41:20.000Z","size":37,"stargazers_count":9,"open_issues_count":1,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-11T23:54:43.775Z","etag":null,"topics":["docker","docker-compose","naiveproxy","sing-box","tun"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"wtfpl","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kwaa.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-06-24T15:03:40.000Z","updated_at":"2025-01-08T14:57:16.000Z","dependencies_parsed_at":null,"dependency_job_id":"d3fd7460-acf6-458a-b0d2-25fd54700868","html_url":"https://github.com/kwaa/comet","commit_stats":null,"previous_names":["kwaa/comet"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kwaa%2Fcomet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kwaa%2Fcomet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kwaa%2Fcomet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kwaa%2Fcomet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kwaa","download_url":"https://codeload.github.com/kwaa/comet/tar.gz/refs/heads/main","host":{
"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":234841990,"owners_count":18895146,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","docker-compose","naiveproxy","sing-box","tun"],"created_at":"2024-10-08T11:05:13.858Z","updated_at":"2025-10-01T08:30:36.903Z","avatar_url":"https://github.com/kwaa.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🌠 Comet Gateway\n\nExperimental Naiveproxy transparent gateway. [WIP]\n\n\u003e The configuration has not been rigorously tested; [feedback](https://github.com/kwaa/comet/discussions) and [bug reports](https://github.com/kwaa/comet/issues) are welcome.\n\n## Introduction\n\n### What is this\n\nThis is a transparent gateway setup based on Docker Compose; it can be started after a few simple configuration changes.\n\nYou need one (or more) working Naiveproxy servers.\n\n### Why\n\n#### Naiveproxy\n\nI have been using Naiveproxy since 2019, and the large-scale blocking of October 2022 ([net4people/bbs#129](https://github.com/net4people/bbs/issues/129)) showed that my choice was right.\n\n#### sing-box\n\nI am not familiar with Clash / Clash Premium / Clash.Meta, that's all.\n\n#### HAProxy\n\nBecause it is popular.\n\n## Usage\n\n\u003e Recommended: at least 512M of RAM and a CPU at RK3328 level or above\n\nTaking Debian-based distributions as an example, all of the following commands are run as root.\n\n```bash\n# Install docker, docker-compose, git, curl\napt install docker.io docker-compose git curl\n# Change to the directory of your choice; here the repository will be cloned to /opt/comet\ncd /opt\n# Clone the repository\ngit clone https://github.com/kwaa/comet.git\n# Move into /opt/comet\ncd comet\n```\n\nNext, modify the Naiveproxy and sing-box configuration (replace `comet.local, user, pass` with your domain, username and password):\n\n###### ./naive/config.json\n\n```diff\n{\n  \"listen\": \"socks://0.0.0.0:1080\",\n- \"proxy\": \"https://user:pass@comet.local\",\n+ \"proxy\": \"https://admin:1234@example.com\",\n  \"log\": \"\"\n}\n```\n\n###### ./sing-box/config.json\n\n```diff\n\"route\": {\n  ...\n  
\"rules\": [\n    ...\n    {\n      \"domain_keyword\": [\n-       \"comet.local\",\n+       \"example.com\"\n      ],\n      \"outbound\": \"direct\"\n    },\n  ],\n  ...\n},\n```\n\nCopy `./sysctl.d/39-comet.conf` to `/etc/sysctl.d/` to enable IP forwarding:\n\n```bash\ncp ./sysctl.d/39-comet.conf /etc/sysctl.d/\nsysctl --system\n```\n\nSet up the iptables rules:\n\n```bash\niptables -t filter -A FORWARD -j ACCEPT\niptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE\n```\n\nNow it can be started.\n\n```bash\ndocker compose up -d\n```\n\nOn the devices you want proxied (or on the main router), change the default gateway and DNS to the LAN IP of the machine running Comet. That's it!\n\n### Optional - Load balancing\n\nIf you have multiple working servers, you can enable HAProxy-based load balancing to improve overall availability.\n\nUncomment the HAProxy section:\n\n###### ./docker-compose.yml\n\n```diff\n- # haproxy:\n- #   container_name: haproxy\n- #   image: haproxy:alpine\n- #   restart: always\n- #   volumes:\n- #     - ./haproxy:/usr/local/etc/haproxy\n- #   ports:\n- #     - 1080:1080/tcp\n- #     - 1080:1080/udp\n+ haproxy:\n+   container_name: haproxy\n+   image: haproxy:alpine\n+   restart: always\n+   volumes:\n+     - ./haproxy:/usr/local/etc/haproxy\n+   ports:\n+     - 1080:1080/tcp\n+     - 1080:1080/udp\n```\n\nAdd naive clients: change `ports` to `expose`, and rename them as you like;\n\nyou also need to create new configuration files in the `./naive/` folder.\n\n###### ./docker-compose.yml\n\n```diff\n- naive:\n+ naive-a:\n-   container_name: naive\n+   container_name: naive-a\n    image: kwaabot/naive\n    restart: always\n    volumes:\n-     - ./naive/config.json:/etc/naive/config.json\n+     - ./naive/config-a.json:/etc/naive/config.json\n-   # expose:\n-   #   - '1080'\n+   expose:\n+     - '1080'\n-   ports:\n-     - 1080:1080/tcp\n-     - 1080:1080/udp\n\n+ naive-b:\n+   container_name: naive-b\n+   image: kwaabot/naive\n+   restart: always\n+   volumes:\n+     - ./naive/config-b.json:/etc/naive/config.json\n+   expose:\n+     - '1080'\n```\n\nNext, add the servers in `haproxy.cfg`:\n\n###### ./haproxy/haproxy.cfg\n\n```diff\nbackend naive-out\n  balance roundrobin\n- server naive naive:1080\n+ server naive-a naive-a:1080\n+ server naive-b 
naive-b:1080\n```\n\n### Optional - UDP over TCP\n\nTo use [UDP over TCP](https://sing-box.sagernet.org/configuration/shared/udp-over-tcp/), you need a server that supports this feature (for example sing-box).\n\nJust add `\"udp_over_tcp\": true` to `outbounds.proxy` in the client configuration file:\n\n###### ./sing-box/config.json\n\n```diff\n{\n  \"type\": \"socks\",\n  \"tag\": \"proxy\",\n  \"server\": \"127.0.0.1\",\n- \"server_port\": 1080\n+ \"server_port\": 1080,\n+ \"udp_over_tcp\": true\n},\n```\n\n### Optional - PaoPaoDNS\n\nBecause bypassing TUN is troublesome, this repository no longer bundles [PaoPaoDNS](https://github.com/kkkgo/PaoPaoDNS).\n\nIf you are able to get this working (in the same Docker Compose file), PRs are welcome!\n\nBelow are the corresponding changes to the sing-box configuration once it is set up:\n\n###### ./sing-box/config.json\n\n```diff\n{\n  \"dns\": {\n    \"servers\": [\n-     {\n-       \"tag\": \"cloudflare\",\n-       \"address\": \"https://1.1.1.1/dns-query\"\n-     },\n      {\n        \"tag\": \"local\",\n-       \"address\": \"223.5.5.5\",\n+       \"address\": \"udp://{{PaoPaoDNS 服务的 IP}}\",\n        \"detour\": \"direct\"\n      },\n    ],\n    ...\n  }\n  ...\n}\n```\n\n### Optional - Drop forged DNS race-response packets injected by the GFW\n\nFrom [How to build an anti-pollution DNS - 影子屋](https://blog.bgme.me/posts/how-to-create-an-anti-pollution-dns/).\n\n```bash\niptables -t raw -A PREROUTING -m bpf --bytecode '38,48 0 0 0,84 0 0 240,21 34 0 96,48 0 0 0,84 0 0 240,21 0 31 64,48 0 0 9,21 0 29 17,40 0 0 6,69 27 0 8191,177 0 0 0,72 0 0 0,21 0 24 53,40 0 0 2,37 22 0 128,72 0 0 12,21 0 20 1,72 0 0 14,21 0 18 1,72 0 0 16,21 0 16 0,72 0 0 18,21 0 14 1,72 0 0 4,20 0 0 8,12 0 0 0,7 0 0 0,64 0 0 0,21 0 8 268435456,177 0 0 0,72 0 0 4,20 0 0 4,12 0 0 0,7 0 0 0,64 0 0 0,21 0 1 0,6 0 0 65535,6 0 0 0' -j DROP\niptables -t raw -A PREROUTING -m bpf --bytecode '27,48 0 0 0,84 0 0 240,21 23 0 96,48 0 0 0,84 0 0 240,21 0 20 64,48 0 0 9,21 0 18 17,40 0 0 6,69 16 0 8191,177 0 0 0,72 0 0 0,21 0 13 53,40 0 0 4,21 0 11 0,40 0 0 6,21 0 9 0,48 0 0 8,37 7 0 40,72 0 0 12,21 0 5 1,72 0 0 14,21 0 3 1,72 0 0 16,21 0 1 0,6 0 0 65535,6 0 0 0' -j DROP\niptables -t raw -A PREROUTING -p udp -m bpf --bytecode '39,40 0 0 20,21 0 36 53,32 0 0 36,21 0 
34 0,32 0 0 32,21 3 0 65537,21 0 31 65536,40 0 0 30,21 15 29 33152,40 0 0 30,84 0 0 65487,21 17 0 34176,40 0 0 24,7 0 0 0,64 0 0 4,21 5 0 3222011905,21 0 21 536936448,64 0 0 8,21 0 19 0,64 0 0 12,21 3 17 0,64 0 0 10,37 15 0 255,53 0 14 64,32 0 0 4,21 11 0 0,21 11 0 16384,84 0 0 65535,21 8 9 16384,40 0 0 6,21 0 7 0,40 0 0 24,7 0 0 0,64 0 0 6,21 0 3 65537,64 0 0 10,21 0 1 60,6 0 0 1,6 0 0 0' -j DROP\nip6tables -t raw -A PREROUTING -m bpf --bytecode '29,48 0 0 0,84 0 0 240,21 0 25 96,48 0 0 6,21 0 23 17,40 0 0 40,21 0 21 53,40 0 0 4,37 19 0 128,40 0 0 52,21 0 17 1,40 0 0 54,21 0 15 1,40 0 0 56,21 0 13 0,40 0 0 58,21 0 11 1,40 0 0 4,20 0 0 8,7 0 0 1,64 0 0 40,21 0 6 268435456,40 0 0 4,20 0 0 4,7 0 0 6,64 0 0 40,21 0 1 0,6 0 0 65535,6 0 0 0' -j DROP\nip6tables -t raw -A PREROUTING -m bpf --bytecode '19,48 0 0 0,84 0 0 240,21 0 15 96,48 0 0 6,21 0 13 17,40 0 0 40,21 0 11 53,32 0 0 0,21 0 9 1610612736,40 0 0 4,37 7 0 128,40 0 0 52,21 0 5 1,40 0 0 54,21 0 3 1,40 0 0 56,21 0 1 0,6 0 0 65535,6 0 0 0' -j DROP\nip6tables -t raw -A PREROUTING -p udp -m bpf --bytecode '23,40 0 0 40,21 0 20 53,32 0 0 52,21 0 18 65537,32 0 0 56,21 0 16 0,40 0 0 0,84 0 0 65520,21 0 13 24576,40 0 0 44,7 0 0 0,64 0 0 24,21 5 0 3222011905,21 0 8 536936448,64 0 0 28,21 0 6 0,64 0 0 32,21 3 4 0,64 0 0 30,37 2 0 255,53 0 1 64,6 0 0 1,6 0 0 0' -j DROP\n```\n\n## License\n\nThis project is licensed under the WTFPL (Do What The Fuck You Want To Public License). See the [COPYING](COPYING) file for more details.\n\n### Special thanks\n\n- ~~Some~~ Most of the sing-box configuration options were taken from [chika0801/sing-box-examples](https://github.com/chika0801/sing-box-examples)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkwaa%2Fcomet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkwaa%2Fcomet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkwaa%2Fcomet/lists"}