sing-box DNS and route (simplified text version)

🧠 1. First build a "layered model". The system splits into 3 layers:
🟦 Layer 1: DNS resolution (only turns a domain name into an IP): dns.rules[], dns.servers[].detour, dns.servers[].domain_resolver, dns.final
🟩 Layer 2: connection decision (decides which path the traffic takes): route.rules[], route.final
🟥 Layer 3: dial-out execution (actually makes the connection): outbounds[].detour, outbounds[].domain_resolver, route.default_domain_resolver
👉 In one sentence: the DNS layer looks up the address, the route layer picks the path, the outbound layer decides how to get there.
🔥 2. The single core chain (the one that ties everything together)
We walk through one complete example 👇
🎯 Scenario: visiting youtube.com
🧩 STEP 1️⃣: DNS query (enters dns.rules)
Request: youtube.com 👉 matches a dns.rules entry → server = remote_dns
🧩 STEP 2️⃣: handling the DNS server itself
remote_dns = cloudflare-dns.com 👉 its own hostname is resolved with dns.servers[].domain_resolver
Precedence: dns.servers[].domain_resolver > route.default_domain_resolver
👉 Result: cloudflare-dns.com → IP
🧩 STEP 3️⃣: how is the DNS query sent out? 👉 Using: ...

April 3, 2026 · 2 min · 冇文化

sing-box DNS and route

sing-box: the 9 core configuration items explained (matched to the 1.14.0+ official documentation). The following is based strictly on the definitions in the latest official sing-box documentation. It first lays out the end-to-end execution framework, then takes each item in turn (official definition, where it applies, precedence, pitfalls), then how the items affect each other, and finally ties them all together in one complete scenario. The nine items:

dns.servers[].domain_resolver
outbounds[].domain_resolver
route.default_domain_resolver
dns.servers[].detour
outbound.detour
dns.rules[]
route.rules[]
dns.final
route.final

1. Overall execution framework

From startup to a user's access, sing-box goes through two stages. Every configuration item does its job inside one of them, and the order is fixed:

[Stage 1: sing-box startup and initialization]
1. Outbounds (proxy nodes) whose server is a domain name get it resolved: the outbound's own domain_resolver takes precedence, route.default_domain_resolver is the fallback (sing-box performs this resolution through the outbound's dialer when it first connects, not as a separate startup pass)
2. Chained proxy tunnels are set up according to outbound.detour; the proxy network is ready
3. The DNS module is initialized: dns.servers, dns.rules and dns.final are loaded

[Stage 2: runtime, user access]
1. The user requests a domain name → the DNS module takes the query
2. dns.rules are matched top to bottom; the first hit stops matching and decides which dns.server resolves the name; if nothing matches, dns.final is used
3. The chosen dns.server resolves:
   a. if the server itself is a domain name (e.g. DoH), its own hostname is resolved first via its domain_resolver, breaking the chicken-and-egg deadlock
   b. the DNS query is sent through the outbound named by dns.server.detour, returning the target's IP
4. With the IP in hand, the routing module takes over
5. route.rules are matched top to bottom; the first hit stops matching and decides which outbound carries the traffic; if nothing matches, route.final is used
6. The connection is chained through outbound.detour and reaches the target service

  graph TD
    A[Startup initialization] --> B[Resolve proxy node domain names]
    B --> C{Does the outbound set domain_resolver?}
    C -->|yes| D[Resolve with outbound.domain_resolver]
    C -->|no| E[Resolve with route.default_domain_resolver]
    D & E --> F[Build chained proxy tunnels]
    F --> G[User visits google.com]
    ...

April 3, 2026 · 5 min · 冇文化
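
The bootstrap chain the two summaries above describe (a DNS server or outbound given as a hostname is resolved by its own domain_resolver, else by route.default_domain_resolver, and a DNS server's queries leave through its detour outbound) can be checked mechanically. The following is an added example, not sing-box's code and not from either post: it reads those references out of a config dict, builds the dependency graph and reports a cycle, which is exactly the chicken-and-egg deadlock mentioned in stage 2, step 3a. Both configs, the tags local_dns / remote_dns / proxy and the hostname node.example.com are constructed for the example; treating a hostname that has no resolver at all as an error is the example's own policy.

```python
"""Added example (not sing-box's code, not from the original posts): find the
bootstrap deadlock in a sing-box DNS/outbound configuration.

Every DNS server or outbound whose address is a hostname needs a resolver for
that hostname (its own domain_resolver, else route.default_domain_resolver),
and a DNS server's queries leave through its detour outbound. Following those
references gives a dependency graph; a cycle means nothing can start first."""
import ipaddress


def is_ip(addr):
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def resolver_for(cfg, item):
    """Precedence from the post: the item's own domain_resolver first, then
    route.default_domain_resolver. None when neither is set."""
    return item.get("domain_resolver") or cfg.get("route", {}).get("default_domain_resolver")


def bootstrap_deps(cfg):
    """Map ('dns', tag) / ('out', tag) -> set of nodes it needs before it can send
    anything. Only items with a hostname 'server' or a 'detour' add edges, so
    hosts/fakeip servers and the direct outbound have none."""
    deps = {}
    for kind, items in (("dns", cfg["dns"]["servers"]), ("out", cfg.get("outbounds", []))):
        for item in items:
            node = (kind, item["tag"])
            edges = set()
            addr = item.get("server")
            if addr and not is_ip(addr):
                resolver = resolver_for(cfg, item)
                if resolver is None:  # example's policy: refuse an unresolvable hostname
                    raise ValueError(f"{node}: hostname {addr!r} but no domain_resolver "
                                     "and no route.default_domain_resolver")
                edges.add(("dns", resolver))
            if item.get("detour"):
                edges.add(("out", item["detour"]))
            deps[node] = edges
    for node, edges in deps.items():
        for dep in edges:
            if dep not in deps:
                raise ValueError(f"{node} references unknown tag {dep}")
    return deps


def find_cycle(deps):
    """Depth-first search. Returns the first dependency cycle as a list of nodes
    (first node repeated at the end), or None when startup can complete."""
    state = {}  # node -> 'active' while on the DFS stack, 'done' afterwards
    path = []

    def visit(node):
        state[node] = "active"
        path.append(node)
        for dep in sorted(deps[node]):
            if state.get(dep) == "active":
                return path[path.index(dep):] + [dep]
            if dep not in state:
                cycle = visit(dep)
                if cycle:
                    return cycle
        path.pop()
        state[node] = "done"
        return None

    for node in deps:
        if node not in state:
            cycle = visit(node)
            if cycle:
                return cycle
    return None


# Constructed: a DoH server bootstrapped by a plain-IP resolver and sent through a
# proxy whose own hostname is also resolved by that plain-IP resolver. Sound.
GOOD = {
    "dns": {"servers": [
        {"type": "udp", "tag": "local_dns", "server": "223.5.5.5"},
        {"type": "https", "tag": "remote_dns", "server": "cloudflare-dns.com",
         "domain_resolver": "local_dns", "detour": "proxy"},
    ]},
    "outbounds": [
        {"type": "direct", "tag": "direct"},
        {"type": "shadowsocks", "tag": "proxy", "server": "node.example.com", "server_port": 443},
    ],
    "route": {"default_domain_resolver": "local_dns"},
}

# Constructed: same shape, but the proxy's hostname is resolved through remote_dns,
# which can only send through the proxy. This is the deadlock.
BAD = {
    "dns": {"servers": GOOD["dns"]["servers"]},
    "outbounds": [
        {"type": "direct", "tag": "direct"},
        {"type": "shadowsocks", "tag": "proxy", "server": "node.example.com",
         "server_port": 443, "domain_resolver": "remote_dns"},
    ],
    "route": {"default_domain_resolver": "local_dns"},
}

if __name__ == "__main__":
    print("GOOD:", find_cycle(bootstrap_deps(GOOD)))
    print("BAD: ", find_cycle(bootstrap_deps(BAD)))
```

The cycle printed for BAD reads as a chain of "needs": remote_dns needs the proxy outbound, the proxy needs remote_dns to resolve its hostname, back to remote_dns. The fix in practice is the one the page's own config uses: point the proxy's domain_resolver (or route.default_domain_resolver) at a server addressed by IP, or at a hosts server.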

sing-box DNS settings and resolution

DNS settings

{
  "dns": {
    "servers": [
      { "server": "223.5.5.5", "type": "udp", "tag": "local_local" },
      {
        "server": "cloudflare-dns.com",
        "domain_resolver": "hosts_dns",
        "path": "/dns-query",
        "type": "https",
        "tag": "remote_dns",
        "detour": "🚀 节点选择"
      },
      {
        "server": "dns.alidns.com",
        "domain_resolver": "hosts_dns",
        "path": "/dns-query",
        "type": "https",
        "tag": "direct_dns"
      },
      {
        "predefined": {
          "dns.google": ["8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844"],
          "dns.alidns.com": ["223.5.5.5", "223.6.6.6", "2400:3200::1", "2400:3200:baba::1"],
          "one.one.one.one": ["1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001"],
          "1dot1dot1dot1.cloudflare-dns.com": ["1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001"],
          "cloudflare-dns.com": ["104.16.249.249", "104.16.248.249", "2606:4700::6810:f8f9", "2606:4700::6810:f9f9"],
          "dns.cloudflare.com": ["104.16.132.229", "104.16.133.229", "2606:4700::6810:84e5", "2606:4700::6810:85e5"],
          "dot.pub": ["1.12.12.12", "120.53.53.53"],
          "doh.pub": ["1.12.12.12", "120.53.53.53"],
          "dns.quad9.net": ["9.9.9.9", "149.112.112.112", "2620:fe::fe", "2620:fe::9"],
          "dns.yandex.net": ["77.88.8.8", "77.88.8.1", "2a02:6b8::feed:0ff", "2a02:6b8:0:1::feed:0ff"],
          "dns.sb": ["185.222.222.222", "2a09::"],
          "dns.umbrella.com": ["208.67.220.220", "208.67.222.222", "2620:119:35::35", "2620:119:53::53"],
          "dns.sse.cisco.com": ["208.67.220.220", "208.67.222.222", "2620:119:35::35", "2620:119:53::53"],
          "engage.cloudflareclient.com": ["162.159.192.1"]
        },
        "type": "hosts",
        "tag": "hosts_dns"
      },
      { "inet4_range": "198.18.0.0/15", "inet6_range": "fc00::/18", "type": "fakeip", "tag": "fake_dns" },
      { "type": "udp", "server_port": 53, "tag": "Router-DNS", "server": "192.168.3.1" },
      {
        "server": "doh.cmliussss.net",
        "domain_resolver": "local_local",
        "path": "/CMLiussss",
        "type": "https",
        "tag": "ech_dns"
      },
      { "tag": "opendns-udp-443", "type": "udp", "server": "208.67.220.220", "server_port": 443 }
    ],
    "rules": [
      { "query_type": [12, "PTR"], "domain_suffix": ["168.192.in-addr.arpa"], "server": "Router-DNS" },
      { "query_type": [12, "PTR"], "action": "predefined", "rcode": "NXDOMAIN" },
      { "server": "hosts_dns", "ip_accept_any": true },
      {
        "server": "ech_dns",
        "domain": ["sitebox.tomeetu.us.ci", "sitebox.tomeetu.indevs.in", "sitebox.cjz.indevs.in", "cloudflare-ech.com"],
        "query_type": [64, 65]
      },
      {
        "domain": ["sitebox.tomeetu.eu.cc", "cloudflare-ech.com"],
        "query_type": [64, 65],
        "server": "opendns-udp-443"
      },
      { "rule_set": ["Category-Ads"], "action": "reject" },
      { "server": "remote_dns", "clash_mode": "Global" },
      { "server": "direct_dns", "clash_mode": "Direct", "strategy": "prefer_ipv4" },
      { "action": "predefined", "rcode": "NOTIMP", "query_type": [64, 65] },
      {
        "server": "fake_dns",
        "type": "logical",
        "mode": "and",
        "rewrite_ttl": 1,
        "rules": [
          { "query_type": [1, 28] },
          {
            "invert": true,
            "domain": [
              "amobile.music.tc.qq.com", "api-jooxtt.sanook.com", "api.joox.com", "aqqmusic.tc.qq.com",
              "dl.stream.qqmusic.qq.com", "ff.dorado.sdo.com", "heartbeat.belkin.com", "isure.stream.qqmusic.qq.com",
              "joox.com", "lens.l.google.com", "localhost.ptlogin2.qq.com", "localhost.sec.qq.com",
              "mesu.apple.com", "mobileoc.music.tc.qq.com", "music.taihe.com", "musicapi.taihe.com",
              "na.b.g-tun.com", "proxy.golang.org", "ps.res.netease.com", "shark007.net",
              "songsearch.kugou.com", "static.adtidy.org", "streamoc.music.tc.qq.com", "swcdn.apple.com",
              "swdist.apple.com", "swdownload.apple.com", "swquery.apple.com", "swscan.apple.com",
              "turn.cloudflare.com", "trackercdn.kugou.com", "xnotify.xboxlive.com"
            ],
            "domain_suffix": [
              "126.net", "3gppnetwork.org", "battle.net", "battlenet.com.cn", "cdn.nintendo.net",
              "cmbchina.com", "cmbimg.com", "ff14.sdo.com", "ffxiv.com", "finalfantasyxiv.com",
              "gcloudcs.com", "home.arpa", "invalid", "kuwo.cn", "lan", "linksys.com",
              "linksyssmartwifi.com", "local", "localdomain", "localhost", "market.xiaomi.com",
              "mcdn.bilivideo.cn", "media.dssott.com", "msftconnecttest.com", "msftncsi.com",
              "music.163.com", "music.migu.cn", "n0808.com", "nflxvideo.net", "oray.com", "orayimg.com",
              "router.asus.com", "sandai.net", "square-enix.com", "srv.nintendo.net", "steamcontent.com",
              "uu.163.com", "wargaming.net", "wggames.cn", "wotgame.cn", "wowsgame.cn", "xiami.com", "y.qq.com"
            ],
            "domain_keyword": ["ntp", "stun", "time"],
            "domain_regex": [
              "^[^.]+$",
              "^[^.]+\\.[^.]+\\.xboxlive\\.com$",
              "^localhost\\.[^.]+\\.weixin\\.qq\\.com$",
              "^mijia\\scloud$",
              "^xbox\\.[^.]+\\.microsoft\\.com$",
              "^xbox\\.[^.]+\\.[^.]+\\.microsoft\\.com$"
            ]
          }
        ]
      },
      { "server": "remote_dns", "rule_set": ["geosite-google"] },
      { "server": "Router-DNS", "rule_set": ["GeoSite-Private"], "strategy": "prefer_ipv4" },
      {
        "server": "direct_dns",
        "domain_suffix": ["alidns.com", "doh.pub", "dot.pub", "360.cn", "onedns.net"],
        "strategy": "prefer_ipv4"
      },
      { "server": "direct_dns", "rule_set": ["GeoSite-CN"], "strategy": "prefer_ipv4" }
    ],
    "final": "remote_dns",
    "disable_cache": false,
    "disable_expire": false,
    "independent_cache": true
  }
}

The rule that sends SVCB/HTTPS (type 64/65) queries for sitebox.tomeetu.eu.cc and cloudflare-ech.com to opendns-udp-443 is mostly dead: cloudflare-ech.com is caught first by the ech_dns rule directly above it, so only sitebox.tomeetu.eu.cc (which is absent from the ech_dns list) can ever reach it. Adding that name to the ech_dns rule would make this rule, and with it the opendns-udp-443 server, fully redundant and safe to delete.

DNS resolution: this setup aims to combine leak prevention, fast resolution, direct LAN access and stronger resistance to blocking. ...

April 3, 2026 · 6 min · 冇文化
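
How the dns.rules above are actually evaluated is easiest to see by running them. The following is an added example, not sing-box's own code and not from the post: a small Python model of the rule walk, applied to a trimmed copy of the rule list above in the same order. It shows first-match-wins, the OR between the domain-family fields inside one rule (which the inverted sub-rule of the fake_dns rule relies on), and the fall-through of the hosts rule when ip_accept_any finds no address in the answer. The rule-set contents, the two hosts entries and the lookup stand-in are constructed; that a hosts table answers only A/AAAA queries is the example's assumption, and domain_suffix is modelled as a plain string suffix.

```python
"""Added example (not sing-box's code, not from the original post): a model of
how sing-box selects the DNS server for a query, run against a trimmed copy
of the page's dns.rules. Rule-set contents and the hosts table are constructed."""
import re

QTYPE = {"A": 1, "PTR": 12, "AAAA": 28, "SVCB": 64, "HTTPS": 65}

# Constructed stand-ins for the rule sets the config references.
RULE_SETS = {
    "Category-Ads": ["ads.example"],
    "geosite-google": ["google.com", "youtube.com"],
    "GeoSite-Private": ["lan", "local", "home.arpa"],
    "GeoSite-CN": ["qq.com", "alidns.com"],
}
# Two entries copied from the hosts server's predefined table above.
HOSTS = {"dns.google": ["8.8.8.8", "8.8.4.4"], "cloudflare-dns.com": ["104.16.249.249"]}

DNS = {  # trimmed copy of the page's dns.rules, same order
    "rules": [
        {"query_type": ["PTR"], "domain_suffix": ["168.192.in-addr.arpa"], "server": "Router-DNS"},
        {"query_type": ["PTR"], "action": "predefined", "rcode": "NXDOMAIN"},
        {"server": "hosts_dns", "ip_accept_any": True},
        {"server": "ech_dns", "domain": ["sitebox.tomeetu.us.ci", "cloudflare-ech.com"], "query_type": [64, 65]},
        {"domain": ["sitebox.tomeetu.eu.cc", "cloudflare-ech.com"], "query_type": [64, 65], "server": "opendns-udp-443"},
        {"rule_set": ["Category-Ads"], "action": "reject"},
        {"server": "remote_dns", "clash_mode": "Global"},
        {"server": "direct_dns", "clash_mode": "Direct"},
        {"action": "predefined", "rcode": "NOTIMP", "query_type": [64, 65]},
        {"server": "fake_dns", "type": "logical", "mode": "and", "rules": [
            {"query_type": [1, 28]},
            {"invert": True, "domain_suffix": ["lan", "local"],
             "domain_keyword": ["ntp", "stun", "time"], "domain_regex": ["^[^.]+$"]},
        ]},
        {"server": "remote_dns", "rule_set": ["geosite-google"]},
        {"server": "Router-DNS", "rule_set": ["GeoSite-Private"]},
        {"server": "direct_dns", "rule_set": ["GeoSite-CN"]},
    ],
    "final": "remote_dns",
}


def _qtype(v):
    return QTYPE[v] if isinstance(v, str) else int(v)


def _in_sets(name, sets):
    return any(name == d or name.endswith("." + d) for s in sets for d in RULE_SETS.get(s, ()))


def rule_matches(rule, name, qtype, clash_mode):
    """Evaluate one rule. domain/domain_suffix/domain_keyword/domain_regex are
    OR-ed with each other; that group, query_type, rule_set and clash_mode are
    AND-ed. A rule with no match fields matches everything. invert flips it."""
    if rule.get("type") == "logical":
        hits = [rule_matches(r, name, qtype, clash_mode) for r in rule["rules"]]
        hit = all(hits) if rule["mode"] == "and" else any(hits)
        return hit != bool(rule.get("invert"))
    domain_group = []
    if "domain" in rule:
        domain_group.append(name in rule["domain"])
    if "domain_suffix" in rule:  # modelled as a plain string suffix
        domain_group.append(any(name.endswith(s) for s in rule["domain_suffix"]))
    if "domain_keyword" in rule:
        domain_group.append(any(k in name for k in rule["domain_keyword"]))
    if "domain_regex" in rule:
        domain_group.append(any(re.search(p, name) for p in rule["domain_regex"]))
    checks = [any(domain_group)] if domain_group else []
    if "query_type" in rule:
        checks.append(qtype in {_qtype(t) for t in rule["query_type"]})
    if "rule_set" in rule:
        checks.append(_in_sets(name, rule["rule_set"]))
    if "clash_mode" in rule:
        checks.append(clash_mode == rule["clash_mode"])
    return all(checks) != bool(rule.get("invert"))


def hosts_lookup(server, name, qtype):
    """Stand-in for actually sending the query. Only the hosts server answers
    here, and only for A/AAAA (assumption: a hosts table has no SVCB/HTTPS)."""
    if server == "hosts_dns" and qtype in (1, 28):
        return HOSTS.get(name, [])
    return []


def select_server(name, qtype, clash_mode="Rule", lookup=hosts_lookup):
    """Walk dns.rules top to bottom, first hit wins. A rule carrying ip_accept_any
    only counts when the chosen server's answer has an address; otherwise the walk
    continues with the next rule. Returns ('server', tag) or ('action', name, rcode)."""
    name = name.rstrip(".").lower()
    for rule in DNS["rules"]:
        if not rule_matches(rule, name, qtype, clash_mode):
            continue
        if rule.get("action") not in (None, "route"):
            return ("action", rule["action"], rule.get("rcode"))
        if rule.get("ip_accept_any") and not lookup(rule["server"], name, qtype):
            continue  # address filter not satisfied: keep matching
        return ("server", rule["server"])
    return ("server", DNS["final"])


if __name__ == "__main__":
    for name, qtype in [("dns.google", 1), ("dns.google", 65), ("cloudflare-ech.com", 65),
                        ("sitebox.tomeetu.eu.cc", 65), ("youtube.com", 1),
                        ("time.apple.com", 1), ("router.lan", 1), ("ads.example", 1)]:
        print(f"{name:26} type {qtype:<3} -> {select_server(name, qtype)}")
```

Two of the traces are worth reading against the config: an HTTPS (type 65) query for cloudflare-ech.com stops at ech_dns and never reaches the opendns-udp-443 rule, while the same query for sitebox.tomeetu.eu.cc does reach it; and an A query for youtube.com goes to fake_dns, not to the geosite-google rule further down, because the fake_dns rule sits earlier and its inverted sub-rule does not exclude that name.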

Handling permissions in unprivileged containers on PVE

Permission mapping in unprivileged containers and how to fix it

Running an application directly in LXC on Proxmox VE (PVE), or converting an OCI/Docker image straight into an LXC instead of nesting a Docker daemon inside it, is a very lightweight and efficient approach. The problem it runs into most often is permissions and mounts in unprivileged containers.

For safety, PVE creates unprivileged LXCs by default. The core mechanism is UID/GID mapping with an offset (user namespaces):
root inside the LXC (UID 0) = UID 100000 on the PVE host
an ordinary user inside the LXC (e.g. UID 1000) = UID 101000 on the PVE host

When you bind-mount a directory on a host disk into the LXC, a service inside the container such as Syncthing finds the directory owned by the host's root (0), while the container's root is really 100000, and so has no read/write access (Permission Denied).

UID mapping gap: case analysis

Case 1

  root@N3150:~# ls -lh /mnt/sdb/Download/
  -rw-rw-r-- 1 root root 1.8G Mar 5 08:29 proxmox-ve_9.1-1.iso

From the host: the file belongs to root (UID 0).
From inside the container: in a standard PVE unprivileged container, a file that belongs to the real root (UID 0) on the host does not show up as root in ls -l; it shows as nobody (or nogroup / 65534). The container's root (0) has been mapped to 100000, so the host's real root (0) is an "unknown user outside the mapped range" from the container's point of view, and the system displays every such owner as nobody.

Case 2

  root@N3150:~# ls -lh /mnt/sdb/Download/
  -rw-rw-r-- 1 root root 1.8G Mar 5 08:29 proxmox-ve_9.1-1.iso
  -rw-r--r-- 1 100000 100000 0 Mar 28 16:55 /mnt/sdb/Download/test

From the host: the file belongs to the LXC container user (UID 100000).
From inside the container: ls -l shows the owner as root.

Why can Download be written to while Compressed cannot?

  root@N3150:~# ls -lhd /mnt/sdb/Download
  drwxrwxrwx 13 root root 4.0K Mar 28 16:55 /mnt/sdb/Download
  root@N3150:~# ls -lhd /mnt/sdb/Download/Compressed/
  drwxrwxr-x 9 root root 4.0K Mar 26 17:55 /mnt/sdb/Download/Compressed/

Look at the permission bits: ...

March 28, 2026 · 8 min · 冇文化
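
The mapping and mode-bit reasoning in the post above can be written down as a check. The following is an added example, not from the post: given the idmap lines PVE writes for an unprivileged container (the default 0-65535 → 100000-165535 shift is used here), it maps IDs in both directions, shows the unmapped host root surfacing as nobody (65534), and decides from host-side owner, group and mode whether a process in the container can write a bind-mounted path. The three paths mirror the listings above and are constructed. One nuance the listings imply but the post does not state: container root keeps CAP_DAC_OVERRIDE inside its user namespace, but the kernel honours that capability only for files whose owner and group are both mapped into the namespace, which is why the mode bits decide for the root-owned directories and not for the 100000-owned file.

```python
"""Added example (not from the original post): reason about an unprivileged
LXC's UID/GID mapping and bind-mount permissions from the host's point of view.
The idmap text and the paths below are constructed to match the post's listings."""
import stat

# The lines PVE's default unprivileged mapping corresponds to.
IDMAP = """
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 65536
"""
NOBODY = 65534  # kernel overflowuid/overflowgid: how an unmapped host id appears inside


def parse_idmap(text):
    """Return {'u': [(ct_start, host_start, count), ...], 'g': [...]}."""
    maps = {"u": [], "g": []}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "lxc.idmap:":
            maps[parts[1]].append((int(parts[2]), int(parts[3]), int(parts[4])))
    return maps


def ct_to_host(maps, kind, ct_id):
    """Container id -> host id, or None if it lies outside every mapped range."""
    for ct_start, host_start, count in maps[kind]:
        if ct_start <= ct_id < ct_start + count:
            return host_start + (ct_id - ct_start)
    return None


def host_to_ct(maps, kind, host_id):
    """Host id -> id seen inside the container; unmapped ids show as nobody (65534)."""
    for ct_start, host_start, count in maps[kind]:
        if host_start <= host_id < host_start + count:
            return ct_start + (host_id - host_start)
    return NOBODY


def is_mapped(maps, kind, host_id):
    return any(hs <= host_id < hs + n for _, hs, n in maps[kind])


def ct_can_write(maps, host_uid, host_gid, mode, ct_uid=0, ct_gid=0):
    """Can a process running as ct_uid:ct_gid inside the container write a path
    that the host shows as host_uid:host_gid with these mode bits?"""
    # Container root holds CAP_DAC_OVERRIDE in its user namespace, but the kernel
    # applies it only to inodes whose owner and group are mapped into that namespace.
    if ct_uid == 0 and is_mapped(maps, "u", host_uid) and is_mapped(maps, "g", host_gid):
        return True
    uid = ct_to_host(maps, "u", ct_uid)
    gid = ct_to_host(maps, "g", ct_gid)
    if uid == host_uid:
        return bool(mode & stat.S_IWUSR)
    if gid == host_gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


# Constructed from the listings above: (owner, group, mode) as the host sees them.
PATHS = {
    "/mnt/sdb/Download": (0, 0, 0o777),
    "/mnt/sdb/Download/Compressed": (0, 0, 0o775),
    "/mnt/sdb/Download/test": (100000, 100000, 0o644),
}


def report(maps=None):
    """Which of the constructed paths container root can write."""
    maps = maps or parse_idmap(IDMAP)
    return {path: ct_can_write(maps, *owner) for path, owner in PATHS.items()}


if __name__ == "__main__":
    maps = parse_idmap(IDMAP)
    print("container root runs on the host as uid", ct_to_host(maps, "u", 0))
    print("host root appears inside the container as uid", host_to_ct(maps, "u", 0))
    for path, ok in report(maps).items():
        print(f"{path:32} writable by container root: {ok}")
```

Download (0777) is writable because container root lands in the "other" class for a host-root-owned directory and the other-write bit is set; Compressed (0775) denies it for the same reason with the bit cleared; test is writable because its owner 100000 is the container's root, so both the owner bit and the capability rule agree.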

sing-box configuration files

Simple server configuration

Note: this uses "method": "2022-blake3-aes-128-gcm". Shadowsocks-2022 validates the password format strictly; if it does not conform, sing-box refuses to start and reports an error. The password must be Base64. Generate it with:

  openssl rand -base64 16

which produces a string like vgY7B3N6hM+8pW/J1Q9v9g==; put it in the password field.

{
  "log": { "level": "info" },
  "dns": {
    "servers": [
      { "type": "tls", "tag": "ali-dns", "server": "223.5.5.5" }
    ]
  },
  "inbounds": [
    {
      "type": "shadowsocks",
      "tag": "ss-in",
      "listen": "::",
      "listen_port": 10808,
      "network": ["tcp", "udp"],
      "method": "2022-blake3-aes-128-gcm",
      "password": "vgY7B3N6hM+8pW/J1Q9v9g==",
      "multiplex": { "enabled": true, "padding": true }
    }
  ],
  "outbounds": [
    { "type": "direct", "tag": "direct" }
  ],
  "route": {
    "rules": [
      { "port": 53, "action": "hijack-dns" }
    ],
    "final": "direct"
  }
}

Client configuration

The template below chooses the egress according to the LAN device's IP ...

March 24, 2026 · 4 min · 冇文化
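
The password rule stated in the server note above (Base64, decoding to exactly the method's key size, 16 bytes for 2022-blake3-aes-128-gcm) can be checked before sing-box is restarted. The following is an added example, not sing-box's code and not from the post: it generates passwords with the same shape as openssl rand -base64 and validates a given password against a method. It goes slightly beyond the post by also accepting the multi-user "serverPSK:userPSK" form and the 32-byte aes-256 and chacha20 methods from the Shadowsocks 2022 specification; the sample passwords other than the page's own are constructed.

```python
"""Added example (not sing-box's code, not from the original post): generate and
check Shadowsocks-2022 passwords against the rule sing-box enforces at startup:
standard Base64 that decodes to exactly the method's key size. Multi-user
passwords ("serverPSK:userPSK", from the Shadowsocks 2022 spec) are checked part
by part. Sample values are constructed except the page's own example password."""
import base64
import binascii
import os

# Key size in bytes per Shadowsocks-2022 method (from the SIP022 specification).
KEY_BYTES = {
    "2022-blake3-aes-128-gcm": 16,
    "2022-blake3-aes-256-gcm": 32,
    "2022-blake3-chacha20-poly1305": 32,
}


def generate_password(method, users=0):
    """Same output shape as `openssl rand -base64 N`. With users > 0, append that
    many per-user PSKs, ':'-separated, for the multi-user (identity header) form."""
    n = KEY_BYTES[method]
    return ":".join(base64.b64encode(os.urandom(n)).decode("ascii") for _ in range(users + 1))


def check_password(method, password):
    """Return (ok, reason). Only Shadowsocks-2022 methods are handled; a failure
    here is what makes sing-box refuse to start with this inbound."""
    if method not in KEY_BYTES:
        return False, f"{method} is not a Shadowsocks-2022 method"
    want = KEY_BYTES[method]
    for i, part in enumerate(password.split(":")):
        try:
            raw = base64.b64decode(part, validate=True)
        except (binascii.Error, ValueError):
            return False, f"part {i}: not standard Base64"
        if len(raw) != want:
            return False, f"part {i}: decodes to {len(raw)} bytes, {method} needs {want}"
    return True, "ok"


if __name__ == "__main__":
    page_password = "vgY7B3N6hM+8pW/J1Q9v9g=="  # the value shown in the post
    print(check_password("2022-blake3-aes-128-gcm", page_password))
    print(check_password("2022-blake3-aes-256-gcm", page_password))  # right Base64, wrong size
    print(check_password("2022-blake3-aes-128-gcm", "aGVsbG8="))     # 'hello': only 5 bytes
    print(check_password("2022-blake3-aes-128-gcm", "not-base64!"))
    print(generate_password("2022-blake3-aes-256-gcm", users=1))
```

The second call is the mistake that is easiest to make when switching methods: a password generated for aes-128 is perfectly valid Base64 but decodes to 16 bytes, and aes-256 needs 32, so sing-box will reject it just as it rejects malformed input.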