Hysteria 是一个代理工具,支持 SOCKS5、HTTP 代理、TCP/UDP 转发、Linux TProxy、TUN 等代理方式;基于魔改的 QUIC 协议和抢占式塞控制算法,Hysteria 在不稳定和容易丢包的网络环境中也能比 Trojan 有相对较好的延迟表现,这对于代理来说是非常重要的
Hysteria 由服务端和客户端组成,服务端支持 Docker、二进制等方式部署,客户端可以是 ClashX、ShellCrash 等支持 Hysteria 协议的软件,或者 Hysteria 自己的客户端
基于 Docker 容器搭建服务端,并使用运行在路由器中的 ShellCrash 作为客户端
服务端
因为 Hysteria 需要伪装成 HTTP/3 流量,需要一个公网 IP 和域名(如果没有域名也可以在 ZeroSSL 申请 IP 的 TLS 证书)
获取 SSL 证书
证书可以使用 Let’s Encrypt,ZeroSSL 等免费获取,参考 使用 Let’s Encrypt 申请 HTTPS 证书
部署服务端
服务端配置文件
config/hysteria.yaml
服务端配置文件位于 config/
路径下,关于配置细节可以参考 完整服务端配置
listen: :443
# 伪装为 bing
masquerade:
listenHTTP: :80
listenHTTPS: :9443
forceHTTPS: true
type: proxy
proxy:
url: https://bing.com
rewriteHost: true
# 用于流量分析
trafficStats:
listen: :9999
secret: 123456
disableUDP: false
log:
level: debug
speedTest: true
# 带宽
bandwidth:
up: 100 mbps
down: 50 mbps
# DNS
resolver:
type: tcp
tcp:
addr: 8.8.8.8:53
timeout: 4s
udp:
addr: 8.8.4.4:53
timeout: 4s
tls:
addr: 1.1.1.1:853
timeout: 10s
sni: cloudflare-dns.com
insecure: false
https:
addr: 1.1.1.1:443
timeout: 10s
sni: cloudflare-dns.com
insecure: false
tls:
cert: /cert/hy.example.com.crt
key: /cert/hy.example.com.key
auth:
type: userpass
userpass:
- admin: 123456
# 协议嗅探
sniff:
enable: true
timeout: 2s
rewriteDomain: false
tcpPorts: 80,9443,8000-9000
udpPorts: all
部署
- docker-compose.yaml
申请后的证书放在 cert/
路径下,挂载到容器中
services:
hysteria:
image: tobyxdd/hysteria
container_name: hysteria
hostname: hysteria
restart: unless-stopped
network_mode: host
environment:
- TZ=Asia/Shanghai
- HYSTERIA_BBR_DEBUG=1
- HYSTERIA_LOG_LEVEL=debug
- HYSTERIA_BRUTAL_DEBUG=1
volumes:
- ./cert:/cert
- ./config/hysteria.yaml:/etc/hysteria.yaml
command: ["server", "-c", "/etc/hysteria.yaml"]
使用 docker compose up -d
启动后便会监听 443 端口,添加 DNS 解析后访问 hy.example.com 域名会自动重定向到 bing.com
客户端
客户端使用 ShellCrash,安装使用参考 ShellCrash
Hysteria 节点配置
hysteria 的配置文件放在了 GitHub Gist 中,通过 proxy-providers 提供给 Clash,配置内容如下:
proxies:
- name: "hy-node"
type: hysteria2
server: hy.example.com
password: "admin:123456"
port: 443
ports: 443
up: "50 mbps"
down: "100 mbps"
ShellCrash 配置文件
- config.yaml
port: 7890
socks-port: 7891
redir-port: 7892
allow-lan: true
mode: rule
log-level: info
# 控制端口
external-controller: :9090
# 访问密码,建议设置
secret: "123456"
# TUN 模式,用于代理 TCP、UDP、ICMP 流量
tun:
enable: true
stack: system
auto-route: true
auto-redir: true
auto-detect-interface: true
proxy-providers:
# 配置文件地址,参考 https://wiki.metacubex.one/config/proxy-providers/
hysteria:
type: http
url: "https://gist.githubusercontent.com/xx/raw/hysteria.yaml"
path: ./hysteria.yaml
proxy-groups:
- name: "PROXY"
type: url-test
use:
- hysteria
url: "http://www.gstatic.com/generate_204"
interval: 180
rule-providers:
reject:
type: http
behavior: domain
url: "https://fastly.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt"
path: ./ruleset/reject.yaml
interval: 86400
icloud:
type: http
behavior: domain
url: "https://fastly.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/icloud.txt"
path: ./ruleset/icloud.yaml
interval: 86400
apple:
type: http
behavior: domain
url: "https://fastly.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/apple.txt"
path: ./ruleset/apple.yaml
interval: 86400
google:
type: http
behavior: domain
url: "https://fastly.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/google.txt"
path: ./ruleset/google.yaml
interval: 86400
proxy:
type: http
behavior: domain
url: "https://fastly.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/proxy.txt"
path: ./ruleset/proxy.yaml
interval: 86400
direct:
type: http
behavior: domain
url: "https://fastly.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/direct.txt"
path: ./ruleset/direct.yaml
interval: 86400
private:
type: http
behavior: domain
url: "https://fastly.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/private.txt"
path: ./ruleset/private.yaml
interval: 86400
gfw:
type: http
behavior: domain
url: "https://fastly.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/gfw.txt"
path: ./ruleset/gfw.yaml
interval: 86400
tld-not-cn:
type: http
behavior: domain
url: "https://fastly.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/tld-not-cn.txt"
path: ./ruleset/tld-not-cn.yaml
interval: 86400
telegramcidr:
type: http
behavior: ipcidr
url: "https://fastly.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/telegramcidr.txt"
path: ./ruleset/telegramcidr.yaml
interval: 86400
cncidr:
type: http
behavior: ipcidr
url: "https://fastly.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/cncidr.txt"
path: ./ruleset/cncidr.yaml
interval: 86400
lancidr:
type: http
behavior: ipcidr
url: "https://fastly.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/lancidr.txt"
path: ./ruleset/lancidr.yaml
interval: 86400
applications:
type: http
behavior: classical
url: "https://fastly.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/applications.txt"
path: ./ruleset/applications.yaml
interval: 86400
rules:
- RULE-SET,google,PROXY
- RULE-SET,proxy,PROXY
- RULE-SET,telegramcidr,PROXY
- RULE-SET,applications,DIRECT
- RULE-SET,private,DIRECT
- RULE-SET,reject,REJECT
- RULE-SET,icloud,DIRECT
- RULE-SET,apple,DIRECT
- RULE-SET,direct,DIRECT
- RULE-SET,lancidr,DIRECT
- RULE-SET,cncidr,DIRECT
- GEOIP,LAN,DIRECT
- GEOIP,CN,DIRECT
- MATCH,DIRECT
启动 ShellCrash,即可在代理中看到节点信息,协议类型是 Hysteria2