Digital run

As the saying goes, at least one of your body and your mind must be on the road. The body is inside the wall, but the mind doesn't have to be. So I'll share some simple solutions.

# Prepare

Buy a VPS that can be reached directly from China, use Ubuntu 20.04 LTS, and install Docker, an ACME client (the commands below are acme.sh's) and nginx-full.

```bash
sudo apt-get update -y

# docker (official apt repository; the download.docker.com URLs were lost in extraction and are restored here)
sudo apt-get install -y \
  apt-transport-https \
  ca-certificates \
  curl \
  gnupg

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

echo \
  "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

sudo apt-get update -y

sudo apt-get install -y docker-ce docker-ce-cli

# lets the current user talk to the docker socket without sudo (log out and in again afterwards)
sudo usermod -aG docker $USER

# acme.sh (the commands below are acme.sh's; the clone URL is the project's upstream repository)
sudo apt-get install -y git
git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
./acme.sh --install -m "${EMAIL}"   # EMAIL: placeholder for the address that receives expiry notices

# nginx-full (the stream/ssl_preread/realip modules are only in this package, see below)
sudo apt-get install -y nginx-full
```

# Issue certs with acme.sh

Issuing and installing are two separate acme.sh invocations (the two lines were run together in the original extract). `DOMAIN` and `CERT_DIR` stand in for the values stripped from the page; the gost container below mounts `CERT_DIR` as `/certs`, which is why the reload command also restarts gost.

```bash
DOMAIN="web.example.com"        # placeholder
CERT_DIR="/etc/nginx/certs"     # placeholder; must be writable by the user running acme.sh

sudo mkdir -p /var/www/acmefiles "${CERT_DIR}"
sudo chown $USER /var/www/acmefiles

# webroot (HTTP-01) validation: nginx must serve /.well-known/acme-challenge/ from /var/www/acmefiles on port 80
~/.acme.sh/acme.sh --issue -d "${DOMAIN}" -w /var/www/acmefiles/

~/.acme.sh/acme.sh --install-cert -d "${DOMAIN}" \
  --key-file "${CERT_DIR}/${DOMAIN}.key" \
  --fullchain-file "${CERT_DIR}/${DOMAIN}.cer" \
  --reloadcmd "sudo nginx -s reload && docker restart gost"
```

# Install gost

The variable definitions were lost from the page; the assignments below are placeholders that tie the pieces together (the credentials are the ones the clash config at the end uses, the port is the one the curl test connects to).

```bash
CERT_DIR="/etc/nginx/certs"              # host directory with the acme.sh-installed files
CERT="/certs/web.example.com.cer"        # paths as seen inside the container (placeholder names)
KEY="/certs/web.example.com.key"
USER="aaron1984"
PASS="8d1HTRn1uSjynLpbxg4otZEPnd52DqAX"
BIND_IP="0.0.0.0"                        # placeholder; can be narrowed to 127.0.0.1 once nginx fronts it
PORT="4430"
DOMAIN="web.example.com"                 # placeholder

# --net=host: gost binds ${BIND_IP}:${PORT} on the host directly
# probe_resist=code:403: unauthenticated requests get a plain 403 instead of a proxy-auth challenge
docker run --name gost \
  --net=host \
  -v ${CERT_DIR}:/certs:ro \
  -d --restart=unless-stopped \
  ginuerzh/gost -L "http2://${USER}:${PASS}@${BIND_IP}:${PORT}?cert=${CERT}&key=${KEY}&probe_resist=code:403&"

# test (the target URL was stripped from the page; any reachable https site works)
curl -v "https://example.com/" --proxy "https://${DOMAIN}:4430" --proxy-user "${USER}:${PASS}"
```

# Install shadowsocks

```bash
# the docker port mapping and the bind address were lost from the page; 1984 is the port
# ss-server is told to listen on, 0.0.0.0 binds inside the container
docker run --name ss \
  -p 1984:1984 \
  -d --restart=unless-stopped \
  mritd/shadowsocks -s "-s 0.0.0.0 -p 1984 -m chacha20-ietf-poly1305 -k UiGGQvG6TszhLATP --fast-open"
```

# Nginx and gost share port 443

The server runs nginx for web services and gost for the HTTPS proxy, and both want port 443. Forwarding to gost with `proxy_pass` in the nginx `http` configuration does not work: `proxy_pass` there operates at layer 7 (it parses and re-issues HTTP requests), while gost needs the raw TCP connection. So the traffic has to be forwarded at layer 4, which nginx fortunately supports.

Nginx's `ngx_stream_ssl_preread_module` reads the SNI server name from the TLS ClientHello at layer 4, without terminating TLS, and lets you dispatch the connection on it. It is not enabled by default and has to be enabled explicitly.

Nginx's `ngx_http_realip_module` replaces the address of a known forwarding hop with the real client address.

Nginx supports the PROXY protocol, which prepends the original client IP and port to the TCP stream so they survive the extra hop.

On Ubuntu 20.04 LTS, `apt install nginx` installs nginx without these modules, so use `apt install nginx-full` instead.

# Update nginx configurations

The upstream addresses, the domain in the `map` and the certificate file names were lost from the page; the values below follow from the rest of the post (the web vhost listens on 44300, the PROXY-unloading server on 44301, gost on 4430 as in the curl test). `set_real_ip_from` is required for `real_ip_header` to take effect and was not in the extract. Run `sudo nginx -t` before reloading.

```nginx
# traffic forwarding core configuration
stream {
  # Here is the SNI identification, mapping the domain name to a configuration name
  map $ssl_preread_server_name $backend_name {
    proxy.example.com proxy_gost;   # placeholder for the gost domain
    default web;
  }

  # The subsequent virtual host configuration should listen on 44300 instead of 443
  upstream web {
    server 127.0.0.1:44300;
  }

  upstream proxy_gost {
    server 127.0.0.1:44301;
  }
  upstream gost {
    server 127.0.0.1:4430;          # the BIND_IP:PORT gost was started with
  }

  # listen on 443 and enable ssl_preread and proxy_protocol
  server {
    listen 443 reuseport;
    listen [::]:443 reuseport;
    proxy_pass $backend_name;
    proxy_protocol on;
    ssl_preread on;
  }

  # The server here is the middle layer used to unload the proxy protocol for gost
  # The original upstream gost configuration does not need to be changed
  # Bound to loopback so only the forwarding layer can send it a PROXY header
  server {
    listen 127.0.0.1:44301 proxy_protocol;
    proxy_pass gost;
  }
}

http {
  # ... unchanged
}
```

```nginx
server {
  # Bound to loopback for the same reason as 44301 above
  listen 127.0.0.1:44300 ssl http2 proxy_protocol;
  ssl_certificate certs/web.example.com.cer;        # placeholder file names (see the acme.sh install step)
  ssl_certificate_key certs/web.example.com.key;

  # Hide the IP of the forwarding layer and set remote_addr to the real client IP
  # The stream forwarding above opens another tcp connection to this 44300 port at layer 4, so the client IP becomes the local IP
  # The proxy_protocol header carries the original client ip; the configuration below swaps the forwarding layer ip for the real ip.
  # If you don't do this, the following ip restrictions won't work either.
  set_real_ip_from 127.0.0.1;     # only trust the PROXY header from the local forwarding layer
  real_ip_header proxy_protocol;
  real_ip_recursive on;

  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  access_log logs/web.example.com_access.log;
}
```

# gost/ss behind airport with clash

Considering price, secrecy, privacy, network speed and so on, the best option is to relay ss through the airport. The next best option is to use gost directly.


  - name: "gost"
    type: http
    port: 443
    username: "aaron1984"
    password: "8d1HTRn1uSjynLpbxg4otZEPnd52DqAX"
    tls: true # https

  - name: "ss"
    type: ss
    server: "IP"
    port: 1984
    cipher: chacha20-ietf-poly1305
    password: "UiGGQvG6TszhLATP"

    type: file
    path: ./airport.yaml
      enable: true
      interval: 36000

  - name: "Proxy"
    type: select
      - Airport
    proxies: ["TestPing", "gost", "airport-ss"]

  - name: "TestPing"
    type: url-test
      - Airport
    proxies: []
    url: ""
    interval: 300

  - name: "airport-ss"
    type: relay
      - TestPing
      - ss

  - MATCH,Proxy