├── .gitignore ├── Dockerfile ├── Docs ├── English.md └── Russian.md ├── Readme.md ├── blockcheck.sh ├── config ├── configs ├── dnscrypt-proxy.toml └── squid.conf ├── container.target ├── docker-compose.yml ├── generate_config.sh ├── quickstart.sh ├── scripts ├── add_user.sh ├── blockcheck_wrapper.sh ├── delete_user.sh ├── enable_services.sh ├── form_config.sh ├── iptables.sh └── start_zapret.sh ├── start.sh └── stop.sh /.gitignore: -------------------------------------------------------------------------------- 1 | /zapret 2 | /dnscrypt-proxy 3 | /configuration 4 | /squid 5 | config.* 6 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM sameersbn/squid 2 | 3 | RUN mkdir -p /var/log/squid3 && \ 4 | chown proxy:proxy /var/log/squid3 5 | 6 | # Setup the environment 7 | 8 | RUN apt-get update && \ 9 | apt-get install -y init && \ 10 | apt-get clean all 11 | 12 | ENV container=docker 13 | 14 | COPY container.target /etc/systemd/system/container.target 15 | 16 | RUN ln -sf /etc/systemd/system/container.target /etc/systemd/system/default.target 17 | 18 | ENTRYPOINT ["/sbin/init"] 19 | 20 | RUN apt-get update && \ 21 | apt-get install systemd 22 | 23 | STOPSIGNAL SIGRTMIN+3 24 | 25 | RUN systemctl set-default multi-user.target 26 | 27 | # Download essentials 28 | 29 | RUN apt-get install -y curl iptables lsof apache2-utils && \ 30 | apt-get clean 31 | 32 | # Setup directories and files 33 | 34 | # Copy downloaded programs 35 | COPY zapret /opt/zapret 36 | COPY dnscrypt-proxy /opt/dnscrypt-proxy 37 | 38 | 39 | # RUN mkdir -p /opt/zapret/configuration 40 | 41 | # RUN touch /opt/zapret/configuration/blockcheck_summary.txt && \ 42 | # touch /opt/zapret/configuration/blockcheck.log 43 | 44 | # Copy configs 45 | RUN mkdir -p /etc/dnscrypt-proxy 46 | COPY configs/dnscrypt-proxy.toml /etc/dnscrypt-proxy/dnscrypt-proxy.toml 47 | COPY 
configs/squid.conf /etc/squid/squid.conf 48 | 49 | # Copy scripts 50 | COPY scripts/enable_services.sh /opt/zapret/enable_services.sh 51 | COPY scripts/iptables.sh /opt/zapret/iptables.sh 52 | COPY scripts/start_zapret.sh /opt/zapret/start_zapret.sh 53 | COPY scripts/blockcheck_wrapper.sh /opt/zapret/blockcheck_in_container.sh 54 | COPY scripts/add_user.sh /etc/squid/add_user.sh 55 | COPY scripts/delete_user.sh /etc/squid/delete_user.sh 56 | 57 | WORKDIR /opt/zapret 58 | COPY /zapret/init.d/custom.d.examples.linux/50-discord /zapret/init.d/sysv/custom.d/50-discord 59 | 60 | COPY start.sh /opt/zapret/start.sh 61 | 62 | RUN chmod +x ./install_bin.sh ./install_prereq.sh ./install_easy.sh 63 | RUN chmod +x ./enable_services.sh ./iptables.sh ./start_zapret.sh ./start.sh 64 | 65 | # Disable default DNS 66 | RUN echo "DNSStubListener=no" >> /etc/systemd/resolved.conf 67 | 68 | # Install dnscrypt-proxy service 69 | RUN /opt/dnscrypt-proxy/dnscrypt-proxy -config /etc/dnscrypt-proxy/dnscrypt-proxy.toml -service install 70 | 71 | # Zapret installation 72 | 73 | RUN ./install_bin.sh && \ 74 | echo "1" | ./install_prereq.sh 75 | 76 | COPY config /opt/zapret/config 77 | 78 | # Add ips to iptables ! 
Currently unavailable 79 | # RUN ./iptables.sh 80 | 81 | CMD [ "/bin/bash" ] 82 | -------------------------------------------------------------------------------- /Docs/English.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/8hrsk/zapret-docker-proxy/b8e183a065389489fa9f9ff44e4a58e7b54cbde5/Docs/English.md -------------------------------------------------------------------------------- /Docs/Russian.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/8hrsk/zapret-docker-proxy/b8e183a065389489fa9f9ff44e4a58e7b54cbde5/Docs/Russian.md -------------------------------------------------------------------------------- /Readme.md: -------------------------------------------------------------------------------- 1 | # Proxy сервер с [bol-van/zapret](https://github.com/bol-van/zapret) в Docker 2 | 3 | ## Описание 4 | 5 | Данный проект является оберткой над [bol-van/zapret](https://github.com/bol-van/zapret) 6 | 7 | > Цель проекта — упростить развёртывание собственного прокси-сервера на удалённом сервере или на вашем собственном устройстве. 8 | 9 | ## ✨ Возможности 10 | 11 | - Быстрое развёртывание готового контейнера. 12 | - DNSCrypt. 13 | - Прокси с авторизацией. 14 | - Проброс / блокирование локальной сети. 15 | - (⚠️ реализовано частично) Автоматическая генерация конфигурационных файлов для zapret. 16 | - Лёгкость использования без необходимости глубокого понимания сетевых технологий. 17 | 18 | > **Примечание**: Я не являюсь сетевым специалистом, поэтому не смогу помочь с тонкой настройкой zapret. Однако, при необходимости, могу добавить новый функционал. Если Вам нужна помощь с настройкой zapret или Вы обнаружили проблему, связанную конкретно с zapret, то ищите решеение в оригинальном репозитории [bol-van/zapret](https://github.com/bol-van/zapret). 
19 | 20 | ## ❓ Быстрый запуск 21 | 22 | Для быстрого запуска выполните следующие шаги: 23 | 24 | 1. **Установите `docker` и `docker-compose` на сервер:** 25 | 26 | ```shell 27 | sudo apt-get update && sudo apt-get install docker docker-compose 28 | ``` 29 | 30 | > После установки необходимо добавить текущего пользователя в группу `docker` и перезапустить систему 31 | 32 | 2. **Убедитесь, что `docker` настроен верно в вашей системе:** 33 | 34 | ```shell 35 | docker run hello-world 36 | ``` 37 | 38 | > В случае ошибки прав доступа, добавьте текущего пользователя в группу `docker` и перезапустите систему 39 | 40 | 3. **Клонируйте репозиторий на сервер:** 41 | 42 | ```shell 43 | git clone https://github.com/8hrsk/zapret-docker-proxy.git 44 | cd zapret-docker-proxy 45 | ``` 46 | 47 | 4. **Запустите скрипт `quickstart.sh`:** 48 | 49 | ```shell 50 | ./quickstart.sh 51 | ``` 52 | 53 | Этот скрипт автоматически развернёт проект в системе, используя дефолтный конфигурационный файл. 54 | 55 | ## ⚙️ Создание нового конфигурационного файла 56 | 57 | ### Вручную 58 | 59 | Если вы знаете какие параметры подходят для вашего провайдера, укажите их в 60 | `NFQWS_OPT` в файле `config` и пересобирите контейнер при помощи скрипта `./start.sh` 61 | 62 | Помочь в определении параметров может скрипт `./blockcheck.sh`. Запустите его: 63 | 64 | ```shell 65 | ./blockcheck.sh 66 | ``` 67 | 68 | и дождитесь окончания анализа. Результат выполнения будет сохранён в файл `configuration/blockcheck.log` 69 | 70 | Проанализируйте раздел `* SUMMARY` и выберите подходящие для Вас параметры. Укажите их в 71 | `NFQWS_OPT` в файле `config` и пересобирите контейнер при помощи скрипта `./start.sh` 72 | 73 | ### Автоматически 74 | 75 | > ⚠️ Автоматическая генерация конфиг-файла реализована частично 76 | 77 | Если требуется сгенерировать новый конфигурационный файл автоматически, выполните следующие шаги: 78 | 79 | 1. 
Запустите скрипт `generate_config.sh`: 80 | 81 | ```shell 82 | ./generate_config.sh 83 | ``` 84 | 85 | 2. Скрипт выполнит поиск подходящих параметров для zapret и создаст новый конфигурационный файл. При этом старый конфигурационный файл будет сохранён для резервного использования. 86 | 87 | ## 🧱 Локальная сеть 88 | 89 | Вы можете разрешить / запретить доступ к локальной сети через прокси. Для этого: 90 | 91 | 1. Укажите шлюз и маску подсети в файле `configs/squid.conf` на строке `acl to_localnet dst` 92 | 2. Замените строку 93 | 94 | ```squidconf 95 | http_access deny to_localnet 96 | ``` 97 | 98 | на 99 | 100 | ```squidconf 101 | http_access allow to_localnet 102 | ``` 103 | 104 | чтобы разрешить доступ к локальной сети, и наоборот 105 | 106 | 3. Пересоберите и запустите контейнер: 107 | 108 | ```shell 109 | ./start.sh 110 | ``` 111 | 112 | ## 🪪 Прокси с авторизацией 113 | 114 | Для настройки прокси с авторизацией, в начале необходимо отредактировать файл `configs/squid.conf` 115 | 116 | 1. Закомментируйте строки 117 | 118 | ```squidconf 119 | http_access allow all 120 | ``` 121 | 122 | и 123 | 124 | ```squidconf 125 | http_access allow sitewhitelist 126 | ``` 127 | 128 | 2. Раскомментируйте все строки начиная с 129 | 130 | ```squidconf 131 | auth_param basic program ... 132 | ... 133 | ``` 134 | 135 | 3. Пересоберите и запустите контейнер: 136 | 137 | ```shell 138 | ./start.sh 139 | ``` 140 | 141 | 4. 
Запустите скрипт создания пользователя: 142 | 143 | ```shell 144 | docker exec -it zapret-proxy /etc/squid/add_user.sh 145 | ``` 146 | 147 | > ⚠️ В качестве имени пользователя допускается только стандартный формат имён пользователей Linux (латинские буквы a-z в нижнем регистре + цифры от 0 до 9) 148 | 149 | - Для удаления пользователя запустите скрипт: 150 | 151 | ```shell 152 | docker exec -it zapret-proxy /etc/squid/delete_user.sh 153 | ``` 154 | 155 | ## 🛑 Остановка контейнера 156 | 157 | - Для остановки, запустите скрипт `stop.sh`: 158 | 159 | ```shell 160 | ./stop.sh 161 | ``` 162 | 163 | ## 🫂 Обратная связь и улучшения 164 | 165 | Если вы обнаружили проблему или у вас есть идеи для улучшения функционала, создайте Issue или Pull Request в репозитории 166 | -------------------------------------------------------------------------------- /blockcheck.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Make sure container is stopped 4 | ./stop.sh 5 | 6 | # Build and start container 7 | docker-compose up --build -d 8 | 9 | # Wait for the container to be ready 10 | until docker exec zapret-proxy echo "Container is ready"; do 11 | echo "Waiting for container to start..." 12 | sleep 2 13 | done 14 | 15 | # Enable and start services 16 | docker exec zapret-proxy ./enable_services.sh 17 | 18 | # Run blockcheck.sh 19 | docker exec zapret-proxy ./blockcheck_in_container.sh 20 | -------------------------------------------------------------------------------- /config: -------------------------------------------------------------------------------- 1 | # this file is included from init scripts 2 | # change values here 3 | 4 | # can help in case /tmp has not enough space 5 | #TMPDIR=/opt/zapret/tmp 6 | 7 | # redefine user for zapret daemons. required on Keenetic 8 | #WS_USER=nobody 9 | 10 | # override firewall type : iptables,nftables,ipfw 11 | #FWTYPE=iptables 12 | # nftables only : set this to 0 to use pre-nat mode. 
default is post-nat. 13 | # pre-nat mode disables some bypass techniques for forwarded traffic but allows to see client IP addresses in debug log 14 | #POSTNAT=0 15 | 16 | # options for ipsets 17 | # maximum number of elements in sets. also used for nft sets 18 | SET_MAXELEM=522288 19 | # too low hashsize can cause memory allocation errors on low RAM systems , even if RAM is enough 20 | # too large hashsize will waste lots of RAM 21 | IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM" 22 | # dynamically generate additional ip. $1 = ipset/nfset/table name 23 | #IPSET_HOOK="/etc/zapret.ipset.hook" 24 | 25 | # options for ip2net. "-4" or "-6" auto added by ipset create script 26 | IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4" 27 | IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5" 28 | # options for auto hostlist 29 | AUTOHOSTLIST_RETRANS_THRESHOLD=3 30 | AUTOHOSTLIST_FAIL_THRESHOLD=3 31 | AUTOHOSTLIST_FAIL_TIME=60 32 | # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log 33 | AUTOHOSTLIST_DEBUGLOG=0 34 | 35 | # number of parallel threads for domain list resolves 36 | MDIG_THREADS=30 37 | 38 | # ipset/*.sh can compress large lists 39 | GZIP_LISTS=1 40 | # command to reload ip/host lists after update 41 | # comment or leave empty for auto backend selection : ipset or ipfw if present 42 | # on BSD systems with PF no auto reloading happens. 
you must provide your own command 43 | # set to "-" to disable reload 44 | #LISTS_RELOAD="pfctl -f /etc/pf.conf" 45 | 46 | # mark bit used by nfqws to prevent loop 47 | DESYNC_MARK=0x40000000 48 | DESYNC_MARK_POSTNAT=0x20000000 49 | 50 | TPWS_SOCKS_ENABLE=0 51 | # tpws socks listens on this port on localhost and LAN interfaces 52 | TPPORT_SOCKS=987 53 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 54 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 55 | # appends ipset/zapret-hosts-auto.txt as normal list 56 | TPWS_SOCKS_OPT=" 57 | --filter-tcp=80 --methodeol --new 58 | --filter-tcp=443 --split-pos=1,midsld --disorder 59 | " 60 | 61 | TPWS_ENABLE=0 62 | TPWS_PORTS=80,443 63 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 64 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 65 | # appends ipset/zapret-hosts-auto.txt as normal list 66 | TPWS_OPT=" 67 | --filter-tcp=80 --methodeol --new 68 | --filter-tcp=443 --split-pos=1,midsld --disorder 69 | " 70 | 71 | NFQWS_ENABLE=1 72 | # redirect outgoing traffic with connbytes limiter applied in both directions. 73 | NFQWS_PORTS_TCP=80,443 74 | NFQWS_PORTS_UDP=443,50000-50099 75 | # PKT_OUT means connbytes dir original 76 | # PKT_IN means connbytes dir reply 77 | # this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU. 78 | NFQWS_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 79 | NFQWS_TCP_PKT_IN=3 80 | NFQWS_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD)) 81 | NFQWS_UDP_PKT_IN=0 82 | # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter 83 | # normally it's needed only for stateless DPI that matches every packet in a single TCP session 84 | # typical example are plain HTTP keep alives 85 | # this mode can be very CPU consuming. enable with care ! 
86 | #NFQWS_PORTS_TCP_KEEPALIVE=80 87 | #NFQWS_PORTS_UDP_KEEPALIVE= 88 | # use and placeholders to engage standard hostlists and autohostlist in ipset dir 89 | # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy 90 | # appends ipset/zapret-hosts-auto.txt as normal list 91 | NFQWS_OPT=" 92 | --filter-udp=443 --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fake-quic="/opt/zapret/files/fake/quic_initial_www_google_com.bin" --new 93 | --filter-udp=50000-50100 --dpi-desync=fake --dpi-desync-any-protocol --dpi-desync-cutoff=d3 --dpi-desync-repeats=6 --new 94 | --filter-tcp=80 --dpi-desync=fake,split2 --dpi-desync-autottl=2 --dpi-desync-fooling=md5sig --new 95 | --filter-tcp=443 --dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-fooling=md5sig --dpi-desync-fake-tls="/opt/zapret/files/fake/tls_clienthello_www_google_com.bin" 96 | " 97 | 98 | # none,ipset,hostlist,autohostlist 99 | MODE_FILTER=none 100 | 101 | # openwrt only : donttouch,none,software,hardware 102 | FLOWOFFLOAD=donttouch 103 | 104 | # openwrt: specify networks to be treated as LAN. default is "lan" 105 | #OPENWRT_LAN="lan lan2 lan3" 106 | # openwrt: specify networks to be treated as WAN. default wans are interfaces with default route 107 | #OPENWRT_WAN4="wan vpn" 108 | #OPENWRT_WAN6="wan6 vpn6" 109 | 110 | # for routers based on desktop linux and macos. has no effect in openwrt. 111 | # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES 112 | # or leave them commented if its not router 113 | # it's possible to specify multiple interfaces like this : IFACE_LAN="eth0 eth1 eth2" 114 | # if IFACE_WAN6 is not defined it take the value of IFACE_WAN 115 | #IFACE_LAN=eth0 116 | #IFACE_WAN=eth1 117 | #IFACE_WAN6="ipsec0 wireguard0 he_net" 118 | 119 | # should start/stop command of init scripts apply firewall rules ? 
120 | # not applicable to openwrt with firewall3+iptables 121 | INIT_APPLY_FW=1 122 | # firewall apply hooks 123 | #INIT_FW_PRE_UP_HOOK="/etc/firewall.zapret.hook.pre_up" 124 | #INIT_FW_POST_UP_HOOK="/etc/firewall.zapret.hook.post_up" 125 | #INIT_FW_PRE_DOWN_HOOK="/etc/firewall.zapret.hook.pre_down" 126 | #INIT_FW_POST_DOWN_HOOK="/etc/firewall.zapret.hook.post_down" 127 | 128 | # do not work with ipv4 129 | #DISABLE_IPV4=1 130 | # do not work with ipv6 131 | DISABLE_IPV6=1 132 | 133 | # select which init script will be used to get ip or host list 134 | # possible values : get_user.sh get_antizapret.sh get_combined.sh get_reestr.sh get_hostlist.sh 135 | # comment if not required 136 | #GETLIST= 137 | -------------------------------------------------------------------------------- /configs/dnscrypt-proxy.toml: -------------------------------------------------------------------------------- 1 | 2 | ############################################## 3 | # # 4 | # dnscrypt-proxy configuration # 5 | # # 6 | ############################################## 7 | 8 | ################################## 9 | # Global settings # 10 | ################################## 11 | 12 | server_names = ['cloudflare', 'google', 'scaleway-fr', 'yandex'] 13 | 14 | ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6. 15 | ## Example with both IPv4 and IPv6: 16 | ## listen_addresses = ['127.0.0.1:53', '[::1]:53'] 17 | ## 18 | ## To listen to all IPv4 addresses, use `listen_addresses = ['0.0.0.0:53']` 19 | ## To listen to all IPv4+IPv6 addresses, use `listen_addresses = ['[::]:53']` 20 | 21 | listen_addresses = ['127.0.0.1:53'] 22 | 23 | ## Maximum number of simultaneous client connections to accept 24 | 25 | max_clients = 250 26 | 27 | ## Switch to a different system user after listening sockets have been created. 28 | ## Note (1): this feature is currently unsupported on Windows. 29 | ## Note (2): this feature is not compatible with systemd socket activation. 
30 | ## Note (3): when using -pidfile, the PID file directory must be writable by the new user 31 | 32 | # user_name = 'nobody' 33 | 34 | ## Require servers (from remote sources) to satisfy specific properties 35 | 36 | # Use servers reachable over IPv4 37 | ipv4_servers = true 38 | 39 | # Use servers reachable over IPv6 -- Do not enable if you don't have IPv6 connectivity 40 | ipv6_servers = false 41 | 42 | # Use servers implementing the DNSCrypt protocol 43 | dnscrypt_servers = true 44 | 45 | # Use servers implementing the DNS-over-HTTPS protocol 46 | doh_servers = true 47 | 48 | # Use servers implementing the Oblivious DoH protocol 49 | odoh_servers = false 50 | 51 | ## Require servers defined by remote sources to satisfy specific properties 52 | 53 | # Server must support DNS security extensions (DNSSEC) 54 | require_dnssec = false 55 | 56 | # Server must not log user queries (declarative) 57 | require_nolog = true 58 | 59 | # Server must not enforce its own blocklist (for parental control, ads blocking...) 60 | require_nofilter = true 61 | 62 | # Server names to avoid even if they match all criteria 63 | disabled_server_names = [] 64 | 65 | ## Always use TCP to connect to upstream servers. 66 | ## This can be useful if you need to route everything through Tor. 67 | ## Otherwise, leave this to `false`, as it doesn't improve security 68 | ## (dnscrypt-proxy will always encrypt everything even using UDP), and can 69 | ## only increase latency. 70 | 71 | force_tcp = false 72 | 73 | ## Enable *experimental* support for HTTP/3 (DoH3, HTTP over QUIC) 74 | ## Note that, like DNSCrypt but unlike other HTTP versions, this uses 75 | ## UDP and (usually) port 443 instead of TCP. 76 | 77 | http3 = false 78 | 79 | ## SOCKS proxy 80 | ## Uncomment the following line to route all TCP connections to a local Tor node 81 | ## Tor doesn't support UDP, so set `force_tcp` to `true` as well. 
82 | 83 | # proxy = 'socks5://127.0.0.1:9050' 84 | 85 | ## HTTP/HTTPS proxy 86 | ## Only for DoH servers 87 | 88 | # http_proxy = 'http://127.0.0.1:8888' 89 | 90 | ## How long a DNS query will wait for a response, in milliseconds. 91 | ## If you have a network with *a lot* of latency, you may need to 92 | ## increase this. Startup may be slower if you do so. 93 | ## Don't increase it too much. 10000 is the highest reasonable value. 94 | ## A timeout below 5000 is not recommended. 95 | 96 | timeout = 5000 97 | 98 | ## Keepalive for HTTP (HTTPS, HTTP/2, HTTP/3) queries, in seconds 99 | 100 | keepalive = 30 101 | 102 | ## Add EDNS-client-subnet information to outgoing queries 103 | ## 104 | ## Multiple networks can be listed; they will be randomly chosen. 105 | ## These networks don't have to match your actual networks. 106 | 107 | # edns_client_subnet = ['0.0.0.0/0', '2001:db8::/32'] 108 | 109 | ## Response for blocked queries. Options are `refused`, `hinfo` (default) or 110 | ## an IP response. To give an IP response, use the format `a:,aaaa:`. 111 | ## Using the `hinfo` option means that some responses will be lies. 112 | ## Unfortunately, the `hinfo` option appears to be required for Android 8+ 113 | 114 | # blocked_query_response = 'refused' 115 | 116 | ## Load-balancing strategy: 'p2' (default), 'ph', 'p', 'first' or 'random' 117 | ## Randomly choose 1 of the fastest 2, half, n, 1 or all live servers by latency. 118 | ## The response quality still depends on the server itself. 119 | 120 | # lb_strategy = 'p2' 121 | 122 | ## Set to `true` to constantly try to estimate the latency of all the resolvers 123 | ## and adjust the load-balancing parameters accordingly, or to `false` to disable. 124 | ## Default is `true` that makes 'p2' `lb_strategy` work well. 
125 | 126 | # lb_estimator = true 127 | 128 | ## Log level (0-6, default: 2 - 0 is very verbose, 6 only contains fatal errors) 129 | 130 | # log_level = 2 131 | 132 | ## Log file for the application, as an alternative to sending logs to 133 | ## the standard system logging service (syslog/Windows event log). 134 | ## 135 | ## This file is different from other log files, and will not be 136 | ## automatically rotated by the application. 137 | 138 | # log_file = 'dnscrypt-proxy.log' 139 | 140 | ## When using a log file, only keep logs from the most recent launch. 141 | 142 | # log_file_latest = true 143 | 144 | ## Use the system logger (syslog on Unix, Event Log on Windows) 145 | 146 | # use_syslog = true 147 | 148 | ## The maximum concurrency to reload certificates from the resolvers. 149 | ## Default is 10. 150 | 151 | # cert_refresh_concurrency = 10 152 | 153 | ## Delay, in minutes, after which certificates are reloaded 154 | 155 | cert_refresh_delay = 240 156 | 157 | ## Initially don't check DNSCrypt server certificates for expiration, and 158 | ## only start checking them after a first successful connection to a resolver. 159 | ## This can be useful on routers with no battery-backed clock. 
160 | 161 | # cert_ignore_timestamp = false 162 | 163 | ## DNSCrypt: Create a new, unique key for every single DNS query 164 | ## This may improve privacy but can also have a significant impact on CPU usage 165 | ## Only enable if you don't have a lot of network load 166 | 167 | # dnscrypt_ephemeral_keys = false 168 | 169 | ## DoH: Disable TLS session tickets - increases privacy but also latency 170 | 171 | # tls_disable_session_tickets = false 172 | 173 | ## DoH: Use TLS 1.2 and specific cipher suite instead of the server preference 174 | ## 49199 = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 175 | ## 49195 = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 176 | ## 52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 177 | ## 52393 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 178 | ## 179 | ## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...), 180 | ## the following suite improves performance. 181 | ## This may also help on Intel CPUs running 32-bit operating systems. 182 | ## 183 | ## Keep tls_cipher_suite empty if you have issues fetching sources or 184 | ## connecting to some DoH servers. 185 | 186 | # tls_cipher_suite = [52392, 49199] 187 | 188 | ## Log TLS key material to a file, for debugging purposes only. 189 | ## This file will contain the TLS master key, which can be used to decrypt 190 | ## all TLS traffic to/from DoH servers. 191 | ## Never ever enable except for debugging purposes with a tool such as mitmproxy. 192 | 193 | # tls_key_log_file = '/tmp/keylog.txt' 194 | 195 | ## Bootstrap resolvers 196 | ## 197 | ## These are normal, non-encrypted DNS resolvers, that will be only used 198 | ## for one-shot queries when retrieving the initial resolvers list and if 199 | ## the system DNS configuration doesn't work. 200 | ## 201 | ## No user queries will ever be leaked through these resolvers, and they will 202 | ## not be used after IP addresses of DoH resolvers have been found (if you are 203 | ## using DoH). 
204 | ## 205 | ## They will never be used if lists have already been cached, and if the stamps 206 | ## of the configured servers already include IP addresses (which is the case for 207 | ## most of DoH servers, and for all DNSCrypt servers and relays). 208 | ## 209 | ## They will not be used if the configured system DNS works, or after the 210 | ## proxy already has at least one usable secure resolver. 211 | ## 212 | ## Resolvers supporting DNSSEC are recommended, and, if you are using 213 | ## DoH, bootstrap resolvers should ideally be operated by a different entity 214 | ## than the DoH servers you will be using, especially if you have IPv6 enabled. 215 | ## 216 | ## People in China may want to use 114.114.114.114:53 here. 217 | ## Other popular options include 8.8.8.8, 9.9.9.9 and 1.1.1.1. 218 | ## 219 | ## If more than one resolver is specified, they will be tried in sequence. 220 | ## 221 | ## TL;DR: put valid standard resolver addresses here. Your actual queries will 222 | ## not be sent there. If you're using DNSCrypt or Anonymized DNS and your 223 | ## lists are up to date, these resolvers will not even be used. 224 | 225 | bootstrap_resolvers = ['8.8.8.8:53', '9.9.9.11:53'] 226 | 227 | ## When internal DNS resolution is required, for example to retrieve 228 | ## the resolvers list: 229 | ## 230 | ## - queries will be sent to dnscrypt-proxy itself, if it is already 231 | ## running with active servers (*) 232 | ## - or else, queries will be sent to fallback servers 233 | ## - finally, if `ignore_system_dns` is `false`, queries will be sent 234 | ## to the system DNS 235 | ## 236 | ## (*) this is incompatible with systemd sockets. 237 | ## `listen_addrs` must not be empty. 238 | 239 | ignore_system_dns = true 240 | 241 | ## Maximum time (in seconds) to wait for network connectivity before 242 | ## initializing the proxy. 
243 | ## Useful if the proxy is automatically started at boot, and network 244 | ## connectivity is not guaranteed to be immediately available. 245 | ## Use 0 to not test for connectivity at all (not recommended), 246 | ## and -1 to wait as much as possible. 247 | 248 | netprobe_timeout = 60 249 | 250 | ## Address and port to try initializing a connection to, just to check 251 | ## if the network is up. It can be any address and any port, even if 252 | ## there is nothing answering these on the other side. Just don't use 253 | ## a local address, as the goal is to check for Internet connectivity. 254 | ## On Windows, a datagram with a single, nul byte will be sent, only 255 | ## when the system starts. 256 | ## On other operating systems, the connection will be initialized 257 | ## but nothing will be sent at all. 258 | 259 | netprobe_address = '9.9.9.9:53' 260 | 261 | ## Offline mode - Do not use any remote encrypted servers. 262 | ## The proxy will remain fully functional to respond to queries that 263 | ## plugins can handle directly (forwarding, cloaking, ...) 264 | 265 | # offline_mode = false 266 | 267 | ## Additional data to attach to outgoing queries. 268 | ## These strings will be added as TXT records to queries. 269 | ## Do not use, except on servers explicitly asking for extra data 270 | ## to be present. 271 | ## encrypted-dns-server can be configured to use this for access control 272 | ## in the [access_control] section 273 | 274 | # query_meta = ['key1:value1', 'key2:value2', 'token:MySecretToken'] 275 | 276 | ## Automatic log files rotation 277 | 278 | # Maximum log files size in MB - Set to 0 for unlimited. 
279 | log_files_max_size = 10 280 | 281 | # How long to keep backup files, in days 282 | log_files_max_age = 7 283 | 284 | # Maximum log files backups to keep (or 0 to keep all backups) 285 | log_files_max_backups = 1 286 | 287 | ######################### 288 | # Filters # 289 | ######################### 290 | 291 | ## Note: if you are using dnsmasq, disable the `dnssec` option in dnsmasq if you 292 | ## configure dnscrypt-proxy to do any kind of filtering (including the filters 293 | ## below and blocklists). 294 | ## You can still choose resolvers that do DNSSEC validation. 295 | 296 | ## Immediately respond to IPv6-related queries with an empty response 297 | ## This makes things faster when there is no IPv6 connectivity, but can 298 | ## also cause reliability issues with some stub resolvers. 299 | 300 | block_ipv6 = false 301 | 302 | ## Immediately respond to A and AAAA queries for host names without a domain name 303 | ## This also prevents "dotless domain names" from being resolved upstream. 304 | 305 | block_unqualified = true 306 | 307 | ## Immediately respond to queries for local zones instead of leaking them to 308 | ## upstream resolvers (always causing errors or timeouts). 309 | 310 | block_undelegated = true 311 | 312 | ## TTL for synthetic responses sent when a request has been blocked (due to 313 | ## IPv6 or blocklists). 
314 | 315 | reject_ttl = 10 316 | 317 | ########################### 318 | # DNS cache # 319 | ########################### 320 | 321 | ## Enable a DNS cache to reduce latency and outgoing traffic 322 | 323 | cache = true 324 | 325 | ## Cache size 326 | 327 | cache_size = 4096 328 | 329 | ## Minimum TTL for cached entries 330 | 331 | cache_min_ttl = 2400 332 | 333 | ## Maximum TTL for cached entries 334 | 335 | cache_max_ttl = 86400 336 | 337 | ## Minimum TTL for negatively cached entries 338 | 339 | cache_neg_min_ttl = 60 340 | 341 | ## Maximum TTL for negatively cached entries 342 | 343 | cache_neg_max_ttl = 600 344 | 345 | ############################### 346 | # Query logging # 347 | ############################### 348 | 349 | ## Log client queries to a file 350 | 351 | [query_log] 352 | 353 | ## Path to the query log file (absolute, or relative to the same directory as the config file) 354 | ## Can be set to /dev/stdout in order to log to the standard output. 355 | 356 | file = '/var/log/dnscrypt-proxy/query.log' 357 | 358 | ## Query log format (currently supported: tsv and ltsv) 359 | 360 | format = 'tsv' 361 | 362 | ## Do not log these query types, to reduce verbosity. Keep empty to log everything. 363 | 364 | # ignored_qtypes = ['DNSKEY', 'NS'] 365 | 366 | ############################################ 367 | # Suspicious queries logging # 368 | ############################################ 369 | 370 | ## Log queries for nonexistent zones 371 | ## These queries can reveal the presence of malware, broken/obsolete applications, 372 | ## and devices signaling their presence to 3rd parties. 
373 | 374 | [nx_log] 375 | 376 | ## Path to the query log file (absolute, or relative to the same directory as the config file) 377 | 378 | file = '/var/log/dnscrypt-proxy/nx.log' 379 | 380 | ## Query log format (currently supported: tsv and ltsv) 381 | 382 | format = 'tsv' 383 | 384 | ######################### 385 | # Servers # 386 | ######################### 387 | 388 | [sources] 389 | 390 | ### An example of a remote source from https://github.com/DNSCrypt/dnscrypt-resolvers 391 | 392 | [sources.public-resolvers] 393 | cache_file = 'public-resolvers.md' 394 | minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' 395 | prefix = '' 396 | refresh_delay = 73 397 | urls = [ 398 | 'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md', 399 | 'https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 400 | ] 401 | 402 | ### Anonymized DNS relays 403 | 404 | [sources.relays] 405 | cache_file = 'relays.md' 406 | minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' 407 | prefix = '' 408 | refresh_delay = 73 409 | urls = [ 410 | 'https://download.dnscrypt.info/resolvers-list/v3/relays.md', 411 | 'https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 412 | ] 413 | -------------------------------------------------------------------------------- /configs/squid.conf: -------------------------------------------------------------------------------- 1 | http_port 3128 2 | cache deny all 3 | # hierarchy_stoplist cgi-bin ? 4 | 5 | # access_log none 6 | access_log /var/log/squid3/access.log squid 7 | 8 | cache_effective_user proxy 9 | cache_store_log none 10 | cache_log /dev/null 11 | coredump_dir /var/spool/squid3 12 | 13 | refresh_pattern ^ftp: 1440 20% 10080 14 | refresh_pattern ^gopher: 1440 0% 1440 15 | refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 16 | refresh_pattern . 
0 20% 4320 17 | 18 | acl localhost src 127.0.0.1/32 ::1 19 | acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 20 | acl to_localnet dst 192.168.0.0/16 21 | 22 | acl SSL_ports port 1-65535 23 | acl Safe_ports port 1-65535 # NOTE(review): both ACLs cover every port, so "deny !Safe_ports" and "deny CONNECT !SSL_ports" below can never match; narrow SSL_ports to 443 and Safe_ports to the few ports the clients need 24 | acl CONNECT method CONNECT 25 | 26 | # You can create these files if needed and uncomment http_access deny / allow siteblacklist / sitewhitelist 27 | # acl siteblacklist dstdomain "/squid/sites.blacklist.txt" 28 | # acl sitewhitelist dstdomain "/squid/sites.whitelist.txt" 29 | 30 | http_access allow manager localhost 31 | http_access deny manager 32 | http_access deny !Safe_ports 33 | http_access deny to_localhost 34 | 35 | # Local net 36 | # http_access allow to_localnet 37 | http_access deny to_localnet 38 | 39 | icp_access deny all 40 | htcp_access deny all 41 | http_access deny CONNECT !SSL_ports 42 | # http_access deny siteblacklist 43 | # http_access allow sitewhitelist 44 | 45 | # Comment line below if auth is enabled 46 | http_access allow all # NOTE(review): with the auth block below commented out this is an open proxy for any client that can reach the listener; enable the auth lines or restrict the allowed source addresses before publishing the port beyond the host 47 | 48 | # Uncomment lines below to enable auth 49 | # auth_param basic program /usr/lib/squid/basic_ncsa_auth /squid/passwd 50 | # auth_param basic children 5 51 | # auth_param basic realm Squid proxy-caching web server 52 | # auth_param basic credentialsttl 2 hours 53 | # acl password proxy_auth REQUIRED 54 | # http_access allow password 55 | 56 | forwarded_for off 57 | request_header_access Allow allow all 58 | request_header_access Authorization allow all 59 | request_header_access WWW-Authenticate allow all 60 | request_header_access Proxy-Authorization allow all 61 | request_header_access Proxy-Authenticate allow all 62 | request_header_access Cache-Control allow all 63 | request_header_access Content-Encoding allow all 64 | request_header_access Content-Length allow all 65 | request_header_access Content-Type allow all 66 | request_header_access Date allow all 67 | request_header_access Expires allow all 68 | request_header_access Host allow all 69 | request_header_access If-Modified-Since 
allow all 70 | request_header_access Last-Modified allow all 71 | request_header_access Location allow all 72 | request_header_access Pragma allow all 73 | request_header_access Accept allow all 74 | request_header_access Accept-Charset allow all 75 | request_header_access Accept-Encoding allow all 76 | request_header_access Accept-Language allow all 77 | request_header_access Content-Language allow all 78 | request_header_access Mime-Version allow all 79 | request_header_access Retry-After allow all 80 | request_header_access Title allow all 81 | request_header_access Connection allow all 82 | request_header_access Proxy-Connection allow all 83 | request_header_access User-Agent allow all 84 | request_header_access Cookie allow all 85 | request_header_access All deny all # default-deny for every request header not explicitly allowed above; new headers must be allowed before this line 86 | -------------------------------------------------------------------------------- /container.target: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Container target - special target for running systemd in docker containers -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | zapret-proxy: 3 | build: 4 | context: . 
5 | dockerfile: Dockerfile 6 | container_name: zapret-proxy 7 | privileged: true # Required for iptables — NOTE(review): this grants the container every capability and all host devices; try cap_add: [NET_ADMIN] (plus NET_RAW if needed) first and keep privileged only if zapret/iptables genuinely needs more 8 | # network_mode: "host" # use the host network to manage traffic 9 | tmpfs: 10 | - /run 11 | - /run/lock 12 | stdin_open: true 13 | tty: true # needed to run systemd 14 | ports: 15 | - "3128:3128" # NOTE(review): binds the proxy on every host interface; squid.conf currently has "http_access allow all", so bind to "127.0.0.1:3128:3128" or enable proxy auth before exposing it beyond the host 16 | volumes: 17 | - ./configuration:/configuration 18 | - ./squid:/squid 19 | -------------------------------------------------------------------------------- /generate_config.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Make sure container is stopped 4 | ./stop.sh # NOTE(review): no set -e, so a failed step (build, blockcheck, form_config) does not stop the later ones 5 | 6 | # Build and start container 7 | docker-compose up --build -d 8 | 9 | # Wait for the container to be ready 10 | until docker exec zapret-proxy echo "Container is ready"; do # NOTE(review): no attempt limit — loops forever if the container never starts; add a retry counter 11 | echo "Waiting for container to start..." 12 | sleep 2 13 | done 14 | 15 | # Enable and start services 16 | docker exec zapret-proxy ./enable_services.sh 17 | 18 | # Run blockcheck.sh 19 | docker exec zapret-proxy ./blockcheck_in_container.sh 20 | 21 | # Generate new config 22 | ./scripts/form_config.sh 23 | 24 | # Reinstall zapret and restart it 25 | docker exec zapret-proxy ./start_zapret.sh 26 | -------------------------------------------------------------------------------- /quickstart.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Platform/arch tokens used below to select the dnscrypt-proxy release asset 4 | DNSCRYPT_PLATFORM="linux" 5 | DNSCRYPT_ARCH="x86_64" 6 | 7 | # Remove old zapret directory if exists 8 | if [ -d "./zapret" ]; then rm -Rf ./zapret; fi 9 | 10 | # REMAKE: quick fix for 50-discord 11 | # Download zapret version v70.5 12 | version="v70.5" 13 | download_url=$(curl -s "https://api.github.com/repos/bol-van/zapret/releases/tags/$version" | grep -oP '"browser_download_url": "\K.*?\.tar\.gz(?=")' | grep -v "openwrt") # NOTE(review): curl -s without -f/--fail hides HTTP errors, and the asset is later extracted with no checksum or signature check; verify the archive before installing it 14 | 15 | if [ -z "$download_url" ]; then 16 | echo "Error: Не удалось найти .tar.gz архив для версии 
$version" 17 | echo "Проверьте, что версия $version существует на странице релизов: https://github.com/bol-van/zapret/releases" 18 | exit 1 19 | fi 20 | 21 | filename=$(basename "$download_url") 22 | echo "Скачивается $download_url" 23 | wget "$download_url" # NOTE(review): wget's exit status is ignored and nothing verifies the download (no checksum/signature) before it is extracted 24 | 25 | if ! tar -xvzf "$filename"; then 26 | tar xvzf "$filename" # NOTE(review): identical to the command above (the leading dash is optional), so this retry cannot succeed where the first failed; abort with exit 1 instead 27 | fi 28 | 29 | # REMAKE: quick fix for 50-discord 30 | 31 | # Drop the archive and move the extracted tree into place 32 | rm "$filename" 33 | mv "./${filename%.*.*}" ./zapret # assumes the tarball unpacks into a directory named like the file minus ".tar.gz" 34 | 35 | # Verify the result 36 | if [ ! -d "./zapret" ]; then 37 | echo "Error downloading or extracting zapret binaries" 38 | exit 1 39 | fi 40 | 41 | # Remove old dnscrypt-proxy directory if exists 42 | if [ -d "./dnscrypt-proxy" ]; then rm -Rf ./dnscrypt-proxy; fi 43 | 44 | # Download dnscrypt-proxy 45 | download_url=$(curl -s https://api.github.com/repos/DNSCrypt/dnscrypt-proxy/releases/latest | grep -oP '"browser_download_url": "\K.*?\.tar\.gz(?=")' | grep -oE ".*dnscrypt-proxy-${DNSCRYPT_PLATFORM}_${DNSCRYPT_ARCH}-.*\.tar\.gz") # NOTE(review): "releases/latest" is unpinned, so each run may fetch a different, unverified build; pin a version (as done for zapret above) and verify the archive 46 | if [ -z "$download_url" ]; then 47 | echo "Error: Unable to find .tar.gz asset in the latest release of dnscrypt-proxy for ${DNSCRYPT_PLATFORM} ${DNSCRYPT_ARCH}" 48 | exit 1 49 | fi 50 | filename=$(basename "$download_url") 51 | echo "Downloading $download_url" 52 | wget "$download_url" 53 | if ! tar -xvzf "$filename"; then 54 | tar xvzf "$filename" 55 | fi 56 | 57 | # Drop the archive and move the extracted tree into place 58 | rm "$filename" 59 | mv "./${DNSCRYPT_PLATFORM}-${DNSCRYPT_ARCH}" ./dnscrypt-proxy 60 | 61 | # Verify the result 62 | if [ ! 
-d "./dnscrypt-proxy" ]; then 63 | echo "Error downloading or extracting dnscrypt-proxy binaries" 64 | exit 1 65 | fi 66 | 67 | # Start build script 68 | ./start.sh 69 | -------------------------------------------------------------------------------- /scripts/add_user.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Original file: (upstream reference not recorded) 4 | # 5 | 6 | read -e -p "Enter proxy username to add: " proxy_username # NOTE(review): add -r so backslashes are kept literally, and reject empty input before calling htpasswd 7 | 8 | if [ -f /squid/passwd ]; then 9 | /usr/bin/htpasswd /squid/passwd $proxy_username # NOTE(review): quote "$proxy_username" — unquoted it is word-split and glob-expanded (SC2086); the password itself is prompted for by htpasswd, so it stays off argv 10 | else 11 | /usr/bin/htpasswd -c /squid/passwd $proxy_username # NOTE(review): quote "$proxy_username" (SC2086) 12 | fi 13 | 14 | echo "Reloading squid" 15 | squid -k reconfigure 16 | 17 | echo "Done!" 18 | exit 0 19 | -------------------------------------------------------------------------------- /scripts/blockcheck_wrapper.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Domain to test on. Please use only one domain! 4 | TEST_DOMAIN="x.com" 5 | 6 | # Output file 7 | LOG_FILE="blockcheck.log" 8 | 9 | # Run blockcheck.sh in BATCH mode 10 | DOMAINS="$TEST_DOMAIN" IPVS=4 ENABLE_HTTP=0 ENABLE_HTTPS_TLS12=1 ENABLE_HTTPS_TLS13=1 REPEATS=3 PARALLEL=1 SCANLEVEL=standard BATCH=1 SKIP_IPBLOCK=1 SKIP_TPWS=1 SECURE_DNS=1 ./blockcheck.sh | tee /configuration/"$LOG_FILE" # NOTE(review): the pipeline's status is tee's, so a failing blockcheck.sh still exits 0 here; add "set -o pipefail" so the caller (generate_config.sh) can notice 11 | -------------------------------------------------------------------------------- /scripts/delete_user.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if [ ! -f /squid/passwd ]; then 4 | echo "Error: No /passwd file" # NOTE(review): the message names /passwd but the path checked is /squid/passwd 5 | exit 1 6 | fi 7 | 8 | read -e -p "Enter proxy username to delete: " proxy_username 9 | 10 | /usr/bin/htpasswd -D /squid/passwd $proxy_username # NOTE(review): quote "$proxy_username" (SC2086) and add -r to the read above 11 | 12 | echo "Done!" 
13 | exit 0 14 | -------------------------------------------------------------------------------- /scripts/enable_services.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "Enabling and starting services..." # NOTE(review): no set -e — every step below runs regardless of earlier failures, and the script still exits 0 at the end 4 | 5 | echo "Reloading systemctl daemon..." 6 | systemctl daemon-reload 7 | 8 | echo "Stopping and disabling systemd-resolved service..." 9 | systemctl stop systemd-resolved 10 | systemctl disable systemd-resolved 11 | 12 | # Unmount /etc/resolv.conf and install resolvconf if needed 13 | if ! dpkg -s resolvconf &>/dev/null; then 14 | echo "Installing resolvconf..." 15 | umount -f /etc/resolv.conf 16 | apt-get install -y resolvconf # NOTE(review): fetches and installs a package from the network at service start, unpinned and outside the image build; bake it into the image instead so the runtime path has no package fetch 17 | fi 18 | 19 | # Set default DNS to dnscrypt-proxy using resolvconf package 20 | echo "Changing default DNS server to dnscrypt-proxy..." 21 | if [ -f "/run/resolvconf/resolv.conf" ]; then umount -f "/run/resolvconf/resolv.conf"; fi 22 | echo "nameserver 127.0.0.1" > /etc/resolvconf/resolv.conf.d/original # overwrites the file (>) while the next line appends; after these four lines both files point only at the local dnscrypt-proxy 23 | echo "options edns0" >> /etc/resolvconf/resolv.conf.d/original 24 | echo "nameserver 127.0.0.1" > /etc/resolvconf/resolv.conf.d/base 25 | echo "options edns0" >> /etc/resolvconf/resolv.conf.d/base 26 | resolvconf -u 27 | 28 | echo "Restarting dnscrypt-proxy service..." 29 | /opt/dnscrypt-proxy/dnscrypt-proxy -service restart 30 | 31 | # echo "Enabling and restarting systemd-resolved service..." 32 | #systemctl enable systemd-resolved.service 33 | #systemctl restart systemd-resolved.service 34 | 35 | echo "Restarting squid service... 
This might take a while" 36 | systemctl restart squid 37 | 38 | echo "Services enabled and started" 39 | 40 | exit 0 41 | -------------------------------------------------------------------------------- /scripts/form_config.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # blockcheck.sh output 4 | BLOCKCHECK_LOG="./configuration/blockcheck.log" 5 | 6 | # Original config file 7 | CONFIG_FILE="./config" 8 | 9 | if [[ ! -f "$CONFIG_FILE" ]]; then 10 | echo "Error: File $CONFIG_FILE doesn't exist" 11 | exit 1 12 | fi 13 | # Extract the first line of the summary section containing "nfqws" and cut everything before "nfqws " 14 | echo "Extracting FIRST working nfqws option..." 15 | summary_option=$(grep -A 1000 -i "summary" "$BLOCKCHECK_LOG" | grep -B 1000 -i "Please" | grep -v -i "Please" | grep -m1 "nfqws") 16 | summary_option=${summary_option##*"nfqws "} # NOTE(review): this text comes from a log file and is spliced verbatim into the sed replacements below; a "|", "&" or "\" in it breaks the substitution or is reinterpreted by sed — reject unexpected characters here (e.g. allow only [[:alnum:]=,.:_/@-] and spaces) before rewriting the config 17 | 18 | # Abort if nothing was found 19 | if [[ -z "$summary_option" ]]; then 20 | echo "Error: Unable to extract summary options from $BLOCKCHECK_LOG" 21 | exit 1 22 | fi 23 | 24 | # Form new config params 25 | HTTP_CONF="--filter-tcp=80 $summary_option --new" 26 | HTTPS_CONF="--filter-tcp=443 $summary_option --new" 27 | UDP_CONF="--filter-udp=443 $summary_option " 28 | 29 | # Backup old config 30 | config_old="$CONFIG_FILE.old.$(date +%Y%m%d%H%M%S)" 31 | echo "Existing config file renamed to $config_old" 32 | cp $CONFIG_FILE "$config_old" # NOTE(review): quote "$CONFIG_FILE" (SC2086); the message above says "renamed" but this is a copy — the original stays in place and is edited below 33 | 34 | # Replace lines in config file 35 | sed -i -E "s|--filter-tcp=80.*.*|$HTTP_CONF|" "$CONFIG_FILE" 36 | sed -i -E "s|--filter-tcp=443.*.*|$HTTPS_CONF|" "$CONFIG_FILE" 37 | sed -i -E "s|--filter-udp=443.*.*|$UDP_CONF|" "$CONFIG_FILE" # ".*.*" is just ".*"; the pattern is unanchored, so every line containing the token is rewritten from the token to end of line 38 | 39 | # Log updates 40 | echo "Updated config:" 41 | echo "HTTP: $HTTP_CONF" 42 | echo "HTTPS: $HTTPS_CONF" 43 | echo "UDP: $UDP_CONF" 44 | 45 | echo "Done!" 
46 | exit 0 47 | -------------------------------------------------------------------------------- /scripts/iptables.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Flush old iptables rules — NOTE(review): this wipes the whole filter and nat tables and every user chain, including rules any other component may have installed 4 | iptables -F 5 | iptables -t nat -F 6 | iptables -X 7 | 8 | # Redirect traffic to specific domains through the local proxy (port 3128) 9 | PROXY_PORT=3128 10 | 11 | # Domains whose addresses are to be proxied 12 | DOMAINS=( 13 | "googlevideo.com" 14 | "youtu.be" 15 | "youtube.com" 16 | "youtubei.googleapis.com" 17 | "youtubeembeddedplayer.googleapis.com" 18 | "ytimg.l.google.com" 19 | "ytimg.com" 20 | "jnn-pa.googleapis.com" 21 | "youtube-nocookie.com" 22 | "youtube-ui.l.google.com" 23 | "yt-video-upload.l.google.com" 24 | "wide-youtube.l.google.com" 25 | "youtubekids.com" 26 | "ggpht.com" 27 | "discord.com" 28 | "gateway.discord.gg" 29 | "cdn.discordapp.com" 30 | "discordapp.net" 31 | "discordapp.com" 32 | "discord.gg" 33 | "media.discordapp.net" 34 | "images-ext-1.discordapp.net" 35 | "discord.app" 36 | "discord.media" 37 | "discordcdn.com" 38 | "discord.dev" 39 | "discord.new" 40 | "discord.gift" 41 | "discordstatus.com" 42 | "dis.gd" 43 | "discord.co" 44 | "discord-attachments-uploads-prd.storage.googleapis.com" 45 | "7tv.app" 46 | "7tv.io" 47 | "10tv.app" 48 | "cloudflare-ech.com" 49 | ) 50 | 51 | # Add redirect rules for one IP address 52 | add_iptables_rules() { 53 | local ip="$1" 54 | echo "Добавление правил для $ip" 55 | for port in 80 443; do 56 | iptables -t nat -A OUTPUT -p tcp -d "$ip" --dport "$PROXY_PORT" -j REDIRECT --to-ports "$port" # NOTE(review): --dport and --to-ports look swapped relative to the intent stated above — this matches traffic already addressed to port 3128 and redirects it to 80/443; sending web traffic to the proxy would be --dport "$port" -j REDIRECT --to-ports "$PROXY_PORT" 57 | done 58 | } 59 | 60 | # Resolve each domain and add rules for its addresses 61 | for domain in "${DOMAINS[@]}"; do 62 | echo "Обработка домена: $domain" 63 | ip_addresses=$(dig +short "$domain" | grep -E '^[0-9.]+$') # IPv4 answers only; resolved once at run time, so addresses that change later are not covered until the script is rerun 64 | if [[ -z "$ip_addresses" ]]; then 65 | echo "⚠️ Не удалось разрешить домен: $domain" 66 | continue 67 | fi 68 | 69 | for ip in $ip_addresses; do 70 | 
add_iptables_rules "$ip" 71 | done 72 | done 73 | 74 | # Persist the iptables rules 75 | iptables-save > /etc/iptables/rules.v4 # NOTE(review): the redirect's status is ignored and the success line below prints regardless; check it (|| exit 1) so a missing /etc/iptables directory is not reported as success 76 | 77 | echo "✅ Правила iptables успешно обновлены!" 78 | 79 | exit 0 80 | -------------------------------------------------------------------------------- /scripts/start_zapret.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Enable and start services 4 | ./enable_services.sh 5 | 6 | # Move the existing config aside so the installer does not overwrite it 7 | if [ -f "/opt/zapret/config" ]; then 8 | echo "Renaming config file into /opt/zapret/config_temp to prevent overwriting" 9 | mv "/opt/zapret/config" "/opt/zapret/config_temp" 10 | fi 11 | 12 | # Install zapret 13 | echo "Installing zapret..." 14 | echo -ne "\n" | ./install_easy.sh # NOTE(review): feeds a single newline to the interactive installer, i.e. accepts its default at the first prompt; the installer's exit status is not checked, so "zapret installed" prints even if it failed 15 | echo "zapret installed" 16 | 17 | # Restore config 18 | if [ -f "/opt/zapret/config_temp" ]; then 19 | echo "Restoring config file from /opt/zapret/config_temp" 20 | mv "/opt/zapret/config_temp" "/opt/zapret/config" 21 | fi 22 | 23 | # Restart zapret 24 | echo "Restarting zapret service..." 25 | systemctl restart zapret 26 | echo "Done!" 27 | 28 | exit 0 29 | -------------------------------------------------------------------------------- /start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Make sure container is stopped 4 | ./stop.sh 5 | 6 | # Build and start container 7 | docker-compose up --build -d 8 | 9 | # Wait for the container to be ready 10 | until docker exec zapret-proxy echo "Container is ready"; do # NOTE(review): no attempt limit — loops forever if the container never starts; add a retry counter 11 | echo "Waiting for container to start..." 
12 | sleep 2 13 | done 14 | 15 | # Execute starting script 16 | docker exec zapret-proxy ./start_zapret.sh 17 | -------------------------------------------------------------------------------- /stop.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | docker kill zapret-proxy # NOTE(review): kill sends SIGKILL, so systemd inside the container gets no chance to stop its services cleanly; prefer docker stop (which honours the image's configured stop signal) while keeping the failure tolerance start.sh relies on when no container exists yet 4 | echo "Container stopped" # printed even when the command above failed (no status check) 5 | --------------------------------------------------------------------------------