Home data center series uses gost to build its own proxy server and forwarding proxy chain

Preface

I still remember that I spent a lot of time searching and researching on the Internet in order to run a standard proxy server function on macOS, Windows, and Debian (mainly to support username and password authentication). I even used the cracked version of ccproxy for a long time on Win (to be honest, it is still usable). Later, I found gost. Wow, it only takes one simple command to build a proxy server for various protocols. It also supports multiple platforms and can be deployed uniformly on all platforms. The key is that it can flexibly support proxy chains and various other extended functions. It's really cool. This article mainly introduces the most basic functions of gost to build a proxy server and build a forwarding proxy chain.

Deploy gost

Deploy the latest version in a standard way

linux

The command is as follows:

wget -O - https://github.com/ginuerzh/gost/releases/download/v2.11.5/gost-linux-amd64-2.11.5.gz | gzip -d > /usr/bin/gost
chmod +x /usr/bin/gost

If you want gost to start automatically at boot, the recommended way is to register gost as a system service. You can refer to my other article: 3 common ways to set up commands or scripts to start at boot on Debian-series systems.

windows

You need to download the package for the corresponding architecture first:
amd64: https://github.com/ginuerzh/gost/releases/download/v2.11.5/gost-windows-amd64-2.11.5.zip
arm64: https://github.com/ginuerzh/gost/releases/download/v2.11.5/gost-windows-arm64-2.11.5.zip
Unzip the exe file in the zip package (for example, the arm64 version is gost-windows-arm64.exe) to a custom path (such as the c:/gost directory), rename the file to gost.exe, then run the cmd command to open a terminal, use the command cd c:/gost to enter the gost directory, and finally run the gost command directly in the format shown below.

Windows also has GUI usage, see the next section.

Desktop GUI method

If you are using a desktop system (macOS, Windows, Linux desktop), there is actually another option: gost-ui-3, whose project address is https://github.com/yarnto/gost-ui-3. This project simply wraps gost into an app that can be installed and run directly. The key benefit is that you can see the deployed configuration at a glance.

You can download the corresponding version and install it according to your environment.
Win version download link:
https://github.com/yarnto/gost-ui-3/releases/download/3.0.0-20220515/gost-ui-3-win-amd64.Setup.3.0.0.exe
Linux version download link:
https://github.com/yarnto/gost-ui-3/releases/download/3.0.0-20220515/gostui3-linux-amd64.zip
Download link for MacOS version:
https://github.com/yarnto/gost-ui-3/releases/download/3.0.0-20220608/gostui3.app-darwin-20220608.zip

gost simple tutorial

Why is it called a simple tutorial? Because gost is so powerful that I don't even know where to start.

In fact, if you already have some background, I recommend reading the official documentation directly: https://v2.gost.run/, which is written in great detail. Here I can only give a brief introduction to the functions and commands for setting up proxy servers and building forwarding proxy chains, which I think are what you will encounter most often.

Proxy server (-L parameter)

The proxy server function provided by gost supports many protocols.

The four protocols we use most often are http, https, socks5, and shadowsocks. Let’s take the proxy servers that deploy these four protocols as an example.

Enable a local http proxy server on port 8080:

gost -L http://:8080                 # Enable http proxy service on local port 8080 without username and password authentication
gost -L http://192.168.0.1:8080      # Limit the http proxy to port 8080 of local address 192.168.0.1
gost -L http://guest:guest@:8080     # Accessing the http proxy requires account and password authentication, where the account and password are both guest

Enable a local https proxy server on port 8443:

gost -L http+tls://:8443                 # Enable https proxy service on local port 8443 without username and password authentication
gost -L http+tls://192.168.0.1:8443      # Limit the https proxy to port 8443 of local address 192.168.0.1
gost -L http+tls://guest:guest@:8443     # Accessing the https proxy requires account and password authentication, where the account and password are both guest

Enable a local socks5 proxy server on port 1080:

gost -L socks5://:1080                     # Enable socks5 proxy service on local port 1080 without username and password authentication
gost -L socks5://192.168.0.1:1080          # Limit the socks5 proxy to port 1080 of local address 192.168.0.1
gost -L socks5://guest:guest@:1080         # The socks5 proxy requires account and password authentication, where the account and password are both guest
gost -L socks5+tls://:1080                 # Use tls encryption for socks5
gost -L socks5+tls://guest:guest@:1080     # Use tls encryption for socks5 and enable account authentication
gost -L socks5+quic://:1080                # socks5 over quic

Enable a local ss proxy server on port 8338:

gost -L ss://aes-256-gcm:guest@:8338              # Enable ss proxy service on port 8338 with the aes-256-gcm cipher and the password guest
gost -L ss://aes-256-gcm:guest@192.168.0.1:8338   # Same, but only on port 8338 of the local address 192.168.0.1
gost -L ss+tls://aes-256-gcm:guest@:8338          # Same, with the ss traffic additionally wrapped in tls

By default, the shadowsocks client waits for the first request data and sends the protocol header together with that data to the server. When the nodelay option is set to true, the protocol header is sent to the server immediately without waiting for the user's request data. When the server reached through the proxy actively sends data to the client first (such as a VNC service or a MySQL database), this option needs to be turned on to avoid connection abnormalities. The client configuration is as follows:

gost -L=:8080 -F ss://aes-256-gcm:guest@<server-ip>:8338?nodelay=true   # replace <server-ip> with the address of the ss server

If TLS is used for encryption, whether for HTTP, SOCKS5 or another proxy protocol, a certificate is involved. By default gost uses a self-signed certificate. If the client is also gost there is no problem, but other clients (such as the SmartProxy extension in Chrome) verify the certificate's validity, which causes problems. Therefore, if the deployed server has to serve clients other than gost, a valid custom certificate needs to be deployed. There are two ways to do that:
1. Place the certificate and private key directly in the gost installation directory
Place the two files cert.pem (the certificate) and key.pem (the private key) in the directory gost runs from (they must be named exactly like this); gost automatically loads cert.pem and key.pem from its running directory.
2. Specify the certificate path with the cert and key parameters in the run command
The advantage of this method is that different certificates can be deployed for multiple domain names. For example:

gost -L="tls://:443?cert=/path/to/my/cert/file&key=/path/to/my/key/file"

Note:
1. If it is only used on the intranet, you can use plain http or socks5 directly
2. If the traffic will go over the public network, it is strongly recommended to add tls; safety first. Note that http+tls can also be written simply as https. I wrote it this way to keep it consistent with socks5+tls and ss+tls below. People with obsessive-compulsive tendencies will understand.
3. -L defaults to HTTP and SOCKS5 (auto-detected), which means -L http://:8080 and -L socks5://:1080 can also be written as -L :8080 and -L :1080 with the same effect, but for ease of future operation and maintenance it is recommended to write the scheme out in full.
4. http2 is compatible with https; that is, for an http2:// proxy, clients that support https proxies can use it directly (certificate issues still need to be considered, of course)
5. gost only supports HTTP2 encrypted with TLS, and does not support plaintext HTTP2 transmission
6. A gost proxy chain only supports one HTTP2 proxy node. It follows the principle of proximity: the first HTTP2 node encountered is treated as an HTTP2 proxy, while any other HTTP2 nodes are treated as HTTP proxies.
7. Shadowsocks traffic is now easily recognised. Consider switching protocols, or combine it with another tunnel or transport encryption protocol.
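Added example, not code from gost or from this article: a POSIX shell check that classifies each -L listener on a gost command line by the two properties Notes 1 and 2 hinge on, transport encryption and authentication, so a plaintext or open listener is caught before the service is exposed to the public network. The scheme list is limited to the schemes used in this article; anything else is conservatively treated as plaintext.

```shell
#!/bin/sh
# Classify a gost -L listener URL by transport encryption and by whether
# username/password authentication is configured.
# Prints one of: ok | no-auth | plaintext | plaintext,no-auth
gost_listener_risk() {
    url=$1
    case $url in
        *://*) scheme=${url%%://*}; rest=${url#*://} ;;
        *)     scheme=auto;          rest=$url ;;   # bare ":8080" = http+socks5 in the clear
    esac
    rest=${rest%%\?*}                 # drop ?options such as nodelay=true or cert=/key=
    case $rest in
        *@*) auth=yes ;;              # user:pass@ (for ss, cipher:password@)
        *)   auth=no ;;
    esac
    # Schemes from this article that encrypt the transport (or, for ss, the
    # payload itself). Anything unrecognised is conservatively called plaintext.
    case $scheme in
        https|http2|tls|quic|*+tls|*+quic|ss) enc=yes ;;
        *) enc=no ;;
    esac
    if   [ "$enc" = yes ] && [ "$auth" = yes ]; then echo ok
    elif [ "$enc" = yes ]; then echo no-auth
    elif [ "$auth" = yes ]; then echo plaintext
    else echo plaintext,no-auth
    fi
}

# Walk a complete gost argument list, report every listener, and return 1 if
# any of them is plaintext or unauthenticated (usable as a pre-start check in
# a service unit). Forward hops (-F) are outbound and are left alone here.
gost_audit_args() {
    bad=0
    while [ $# -gt 0 ]; do
        case $1 in
            -L)   listener=$2; shift ;;
            -L=*) listener=${1#-L=} ;;
            *)    shift; continue ;;
        esac
        shift
        verdict=$(gost_listener_risk "$listener")
        printf '%s -> %s\n' "$listener" "$verdict"
        [ "$verdict" = ok ] || bad=1
    done
    return $bad
}

# Constructed sample: the intranet-only listener from Note 1 beside a public-safe one
gost_audit_args -L 'http://:8080' -L 'socks5+tls://guest:guest@:1080' \
    || echo 'at least one listener needs attention before leaving the intranet'
```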


Forwarding service (-F parameter)

As mentioned above, gost's self-signed certificate is not recognised by most clients other than gost, and many clients do not support authentication.

Whether intentional or not, the reality is that when using the SmartProxy plug-in in Chrome, neither https nor socks5 proxies support authentication. I cannot put an encrypted proxy server on the public Internet and turn it into an anonymous open proxy just because the client does not support account authentication; I dare not do such a thing. What to do? This is where gost's forwarding function (the -F parameter) comes in. Run either of the following two commands on the client host (assuming the client and server are on the same intranet):

gost -L http://:8080 -F https://guest:guest@<server-ip>:8443     # replace <server-ip> with the address of the gost server
gost -L http://:8080 -F socks5://guest:guest@<server-ip>:1080

Either command opens an http proxy service on port 8080 on the client host and points its upstream proxy at the server running gost, authenticating with the username and password configured on the server. The client browser then only needs to point its http proxy at the local http proxy on port 8080. Of course, in normal use the client will be on the external network, so it must connect using the server's public IP or the domain name that resolves to it.

This approach has the following benefits:
1. Solves the problem of the self-signed tls certificate on the gost server
2. Solves the problem that the client browser plug-in may not support authentication

Forwarding proxy chain (multiple -F parameters)

Introduction to the concept of proxy chain

What is a proxy chain?

As shown in the figure above, a proxy chain refers to a chain structure formed by connecting multiple proxy servers in some way (such as the series connection in the figure above) between the user request and the target website. When a user initiates a request, the request will be forwarded to the next node through each proxy server in a set manner (for example, the series connection in the figure above means passing through each proxy server in the proxy chain in turn), and finally reach the target server.

Note: These proxy servers can be of different types, such as proxy 1 is http, proxy 2 is socks5, proxy 3 is socks4

Advantages of proxy chain:
1. Anonymity and security
Proxy chains can enhance the anonymity and security of user access, because each proxy server hides the user's real IP address from the next hop (this is one reason why the real source address is so hard to trace after an intrusion).
2. Fixed IP address for accessing the website
Proxy chains allow users to fix their access IPs. They only need to specify a suitable proxy server at the last hop of the proxy chain. Then, as long as you keep using this server, you can always use this IP to access the target website, avoiding problems such as website account risk control due to IP switching and poor IP quality.

Disadvantages of proxy chain:
1. Problems caused by multiple nodes
It may cause network performance problems such as added latency and reduced bandwidth, and overall stability depends on the combined state of all nodes.
2. Security
Proxy forwarding improves security to a certain extent, but security depends on the weakest link; a longer proxy chain is not automatically safer. If you need anonymity, consider a mature anonymity solution.

Proxy chain principle

Not everyone may be interested in this question, but out of interest I searched for a long time and found the following two diagrams for comparison.
1. The "proxy-to-proxy" approach without a proxy chain

This should be the traditional way proxy server software refers to an upstream proxy. Each level of proxy must re-issue the request as a client, which affects efficiency.
2. The "proxy-to-proxy" approach with a proxy chain

In this approach the sender already indicates that proxyB is the final endpoint when sending the request, so proxyA forwards the request directly to proxyB, which is more efficient than the traditional approach.

Use gost to build a proxy chain

gost can use proxy chains to forward data very simply and flexibly.

Suppose we have two proxies, proxy1 at 10.10.10.10 (a domestic VPS) and proxy2 at 20.20.20.20 (a foreign VPS), and the target host we need to access is example.com (abroad). If we use our own computer to access example.com directly, it may be very slow or fail to open. Proxy1 can reach proxy2 at a reasonable speed, and proxy2 can reach example.com very quickly. So we can use proxy1 and proxy2 to form a proxy chain to access example.com.

Method 1:
The configuration on proxy1 is as follows:

gost -L https://guest1:guest1@:8443

The configuration on proxy2 is as follows:

gost -L socks5+tls://guest2:guest2@:1080

The client gost can be configured as follows:

gost -L http://:8080 -F https://guest1:guest1@10.10.10.10:8443 -F socks5+tls://guest2:guest2@20.20.20.20:1080

Finally, point the client browser's http proxy at 127.0.0.1:8080 to access example.com more quickly (of course, the premise is that the cloud provider's domestic VPS reaches the foreign VPS faster than we do directly, which is generally the case).

The advantage of configuring the proxy chain directly on the client gost using multiple -F parameters is that it is flexible. If there are more proxy nodes, you can also use multiple combinations to set up the proxy chain. The disadvantage is that if there are multiple clients, the user of each client needs to know all the nodes in the proxy chain and the proxy method used, which makes operation and maintenance management troublesome.

Method 2:
The configuration on proxy1 is as follows:

gost -L https://guest1:guest1@:8443 -F socks5+tls://guest2:guest2@20.20.20.20:1080

The configuration on proxy2 is as follows:

gost -L socks5+tls://guest2:guest2@:1080

The client gost can be configured as follows:

gost -L http://:8080 -F https://guest1:guest1@10.10.10.10:8443

This method actually forms a chain between proxy1 and proxy2. The advantage is that the client only needs to know the https proxy address of proxy1, which is more convenient for operation and maintenance when there are many clients. The disadvantage is that proxy1 is already bound to proxy2 and is not flexible enough.
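As an added example (not code from the gost project or from this article), the following POSIX shell functions generalise Method 1 and Method 2 to a chain of any length: given the hops in forward form, they print the command each host has to run. The hop addresses 10.10.10.10 and 20.20.20.20 are the ones assumed above.

```shell
#!/bin/sh
# Generate the per-host gost commands for an N-hop forwarding chain.
# Each hop is given in its forward form, scheme://user:pass@host:port,
# in order from the client outwards (proxy1, proxy2, ...).

# Listen form of a hop: same scheme and credentials, no host, i.e. bound on
# every local address exactly as the proxy1/proxy2 commands above are.
gost_listen_form() {
    hop=$1
    case $hop in
        *@*) prefix="${hop%@*}@";      hostport=${hop##*@} ;;
        *)   prefix="${hop%%://*}://"; hostport=${hop#*://} ;;
    esac
    printf '%s:%s\n' "$prefix" "${hostport##*:}"
}

# Method 1: the client holds the whole chain as a list of -F parameters.
# Flexible, but every client must know every hop and its credentials.
gost_chain_method1() {
    cmd='gost -L http://:8080'
    for hop; do
        cmd="$cmd -F $hop"
    done
    printf '%s\n' "$cmd"
}

# Method 2: every hop forwards to the next one; the client only knows hop 1,
# so the credentials of the later hops never leave the proxy hosts.
# Prints one command per hop, then the client command.
gost_chain_method2() {
    first=$1
    while [ $# -gt 0 ]; do
        line="gost -L $(gost_listen_form "$1")"
        if [ $# -gt 1 ]; then
            line="$line -F $2"       # next hop in the chain
        fi
        printf '%s\n' "$line"
        shift
    done
    printf 'gost -L http://:8080 -F %s\n' "$first"
}

# The two-hop chain from the text (constructed addresses)
PROXY1='https://guest1:guest1@10.10.10.10:8443'
PROXY2='socks5+tls://guest2:guest2@20.20.20.20:1080'
echo '# Method 1, run on the client:'
gost_chain_method1 "$PROXY1" "$PROXY2"
echo '# Method 2, run on proxy1, proxy2 and the client respectively:'
gost_chain_method2 "$PROXY1" "$PROXY2"
```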

Summarize

This article mainly introduces the most basic method of setting up a proxy server and implementing a forwarding proxy chain. In fact, this method is widely used in some fields, and those who understand it will understand it, so I will not say more.

gost is really powerful, but I already have other ways of covering some of its other functions. Its reverse proxy tunnel, for example, is similar to Cloudflare's tunnel; if my cloud host wanted to talk to the devices at home I could use it, but I have already done that with tailscale. Likewise for the http file service: tailscale already gives every device on the virtual network mutual access, so I have no use for it. For reverse proxying I use nginx. So in the end I only use the proxy server function, but that does not detract from gost's power.

In fact, tailscale + gost is a perfect match: every machine with tailscale deployed has a 100.x.x.x virtual network address, tailscale's communication is already encrypted with wireguard, and so gost does not need an additional encrypted transport such as tls and can run everything in plaintext over the tailnet. Therefore you only need to install gost on each machine with tailscale deployed to build your own forwarding proxy chain conveniently and flexibly.

The content of this blog is original. Please indicate the source when reprinting. More articles are listed in the Sitemap. The blog's RSS address is https://blog.tangwudi.com/feed; you are welcome to subscribe, and you can also join the Telegram group to discuss problems together.