But the Docker containers below cannot go through the transparent proxy. After some searching, it seems the Docker network has to be set to --net host, but I don't know how to change docker-compose.yml accordingly. I'll append the docker-compose.yml file; could someone help me modify it? Thanks.

version: '3.7'
services:
  server:
    image: nginx
    restart: always
    env_file: env
    volumes:
      # Vhost configuration
      #- ./config/caddy/Caddyfile:/etc/caddy/Caddyfile
      - ./config/nginx/in-vhost.conf:/etc/nginx/conf.d/in-vhost.conf:ro
      - ./docker/app/public:/var/www/app/public:ro
    depends_on:
      - app
    # Run webserver nginx on port 80
    # Feel free to modify depending what port is already occupied
    ports:
      - "9898:80"
      #- "443:443"
    extra_hosts:
      - "in5.localhost:192.168.2.99" # host and ip

  app:
    image: invoiceninja/invoiceninja:5
    env_file: env
    restart: always
    volumes:
      - ./config/hosts:/etc/hosts:ro
      - ./docker/app/public:/var/www/app/public:rw,delegated
      - ./docker/app/storage:/var/www/app/storage:rw,delegated
      - ./config/php/php.ini:/usr/local/etc/php/php.ini
      - ./config/php/php-cli.ini:/usr/local/etc/php/php-cli.ini
    depends_on:
      - db
    extra_hosts:
      - "in5.localhost:192.168.2.99" # host and ip

  db:
    image: mysql:8
    # When running on ARM64 use MariaDB instead of MySQL
    # image: mariadb:10.4
    # For auto DB backups comment out image and use the build block below
    # build:
    #   context: ./config/mysql
    # network_mode is a service-level key (not a child of networks); with host
    # networking the container shares the host's stack, so published ports are
    # discarded and MySQL listens directly on the host's 3306.
    network_mode: host
    #ports:
    #  - "3306:3306"
    restart: always
    env_file: env
    volumes:
      - ./docker/mysql/data:/var/lib/mysql:rw,delegated
      # remove comments for next 4 lines if you want auto sql backups
      #- ./docker/mysql/bak:/backups:rw
      #- ./config/mysql/backup-script:/etc/cron.daily/daily:ro
      #- ./config/mysql/backup-script:/etc/cron.weekly/weekly:ro
      #- ./config/mysql/backup-script:/etc/cron.monthly/monthly:ro
    extra_hosts:
      - "in5.localhost:192.168.2.99" # host and ip

# THIS IS ONLY A VALID CONFIGURATION FOR IN 4. DO NOT USE FOR IN 5.
#  cron:
#    image: invoiceninja/invoiceninja:alpine-4
#    volumes:
#      - ./docker/app/public:/var/www/app/public:rw,delegated
#      - ./docker/app/storage:/var/www/app/storage:rw,delegated
#      - ./docker/app/public/logo:/var/www/app/public/logo:rw,delegated
#    entrypoint: |
#      /bin/sh -c 'sh -s <<EOF
#      trap "break;exit" SIGHUP SIGINT SIGTERM
#      sleep 300s
#      while /bin/true; do
#        ./artisan ninja:send-invoices
#        ./artisan ninja:send-reminders
#        sleep 1d
#      done
#      EOF'
#    networks:
#      - invoiceninja

#networks:
#  mynetwork:
#    driver: host

I forgot to explain this clearly: after entering the container with docker exec -it xxx bash, I can run apt update and similar commands; I just want it to go through the host's transparent proxy so that it can reach external services for updates or configuration.

network_mode: "host". Isn't this something a Google search would answer?

Bridge traffic does not go through iptables by default.

sysctl -a | grep bridge-nf-call, and set all of these to 0.

If you don't need to restrict the containers' network access, just add the following two lines to /etc/sysctl.conf:

net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0

#4 I set it up as you suggested; it still doesn't work.

#3 nano /etc/sysctl.conf

net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-arptables = 0

Still doesn't work.

Is the host a Mac? If it's Linux, doesn't using "host IP:proxy port" directly work?

#6 Then I'd guess your transparent proxy only matches the OUTPUT path and not PREROUTING.

#6 You can refer to these for the changes: github.com/heiher/hev-socks5-tproxy?tab=readme-ov-file#netfilter and github.com/heiher/hev-socks5-tproxy?tab=readme-ov-file#netfilter-and-routing
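A diagnostic for the two checks this thread turns on, the bridge-nf-call sysctls (#3/#4) and which netfilter chains the proxy actually hooks (#6); added here as an example, not code from the thread or from v2raya, dae or hev-socks5-tproxy. The function names, the TP_OUT chain name and the sample sysctl and iptables-save text are constructed.

```shell
#!/bin/sh
# Added diagnostic for the two points raised in this thread; not code from the thread or
# any project it mentions. Both functions read text on stdin; sample inputs are constructed.
# Read `sysctl -a` output and print the bridge-nf-call values that decide whether frames
# forwarded across a bridge such as docker0 are handed to iptables ("?" = key not present).
bridge_nf_summary() {
    awk -F'[ =]+' '
        /^net\.bridge\.bridge-nf-call-iptables/  { ipt = $2 }
        /^net\.bridge\.bridge-nf-call-ip6tables/ { ip6 = $2 }
        /^net\.bridge\.bridge-nf-call-arptables/ { arp = $2 }
        END { printf "iptables=%s ip6tables=%s arptables=%s\n",
                  (ipt == "" ? "?" : ipt), (ip6 == "" ? "?" : ip6), (arp == "" ? "?" : arp) }'
}

# Read `iptables-save` output and report whether PREROUTING (packets arriving from
# containers) and OUTPUT (packets generated on the host) reach a REDIRECT or TPROXY
# target, either directly or through a jump into a user-defined chain.
proxy_hook_chains() {
    awk '
        $1 == "-A" {
            tgt = ""
            for (i = 3; i <= NF; i++) if ($i == "-j") tgt = $(i + 1)
            if (tgt == "REDIRECT" || tgt == "TPROXY") direct[$2] = 1
            else if (tgt != "") edge[$2, tgt] = 1
        }
        function hooks(c, depth,   k, p) {
            if (c in direct) return 1
            if (depth > 8) return 0          # guard against looping jumps
            for (k in edge) {
                split(k, p, SUBSEP)
                if (p[1] == c && hooks(p[2], depth + 1)) return 1
            }
            return 0
        }
        END { printf "PREROUTING=%s OUTPUT=%s\n",
                  hooks("PREROUTING", 0) ? "yes" : "no", hooks("OUTPUT", 0) ? "yes" : "no" }'
}
# Constructed samples: bridge filtering on, proxy hooked only on OUTPUT, i.e. the
# situation #6 describes (host traffic is proxied, container traffic is not).
SAMPLE_SYSCTL='net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1'
SAMPLE_IPTABLES='*nat
-A OUTPUT -p tcp -j TP_OUT
-A TP_OUT -d 127.0.0.0/8 -j RETURN
-A TP_OUT -p tcp -j REDIRECT --to-ports 12345
COMMIT'
printf '%s\n' "$SAMPLE_SYSCTL"   | bridge_nf_summary    # iptables=1 ip6tables=1 arptables=?
printf '%s\n' "$SAMPLE_IPTABLES" | proxy_hook_chains    # PREROUTING=no OUTPUT=yes
# On a live host: sysctl -a 2>/dev/null | bridge_nf_summary; iptables-save | proxy_hook_chains
```

If the live output reads PREROUTING=no while OUTPUT=yes, traffic leaving the containers is never redirected, which matches the symptom in this thread.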

#7 The host is Debian. Do you mean setting "host IP:proxy port" inside the container? I'm reading this article to see how to fix services that are already running: wiki.eryajf.net/pages/674f53/#%E6%96%B9%E6%A1%88%E4%BA%8C

If your Docker is already running, you could try replacing the transparent proxy with dae: github.com/daeuniverse/dae. If it isn't running yet, it's even easier to configure: find a way to expose a SOCKS port from your proxy, then add the proxy to the Docker configuration file.

#11 I'll try it later. Docker is already running. What's the difference between dae and the v2raya transparent proxy I'm running now?

More effective than v2raya; so far I haven't found a service it can't intercept.

#13 Just read the docs; deploying and compiling now.

#13 Unfortunately, after fiddling with it all evening, I couldn't get it installed.

Huh? Download the binary from GitHub and run it directly: github.com/daeuniverse/dae/releases/tag/v0.5.1 and github.com/daeuniverse/dae/blob/main/docs/zh/README.md. Or use Docker: hub.docker.com/r/daeuniverse/dae. No installation needed.

#16 It's the binary that doesn't work. Haven't tried the Docker one yet; I'll try it later. I'm planning to reinstall the system, because I've caused a pile of messy problems.

Did you download the wrong one? I've tried it, and it runs directly on Debian 11, Debian 12 and Alpine Linux: github.com/daeuniverse/dae/releases/download/v0.5.1/dae-linux-x86_64_v2_sse.zip

I downloaded it, put it under /usr/local/bin/ and it ran directly; it has no extra dependencies.

#18 The Docker version doesn't work either; I've tried many times.

> [dae stage-1 5/8] RUN wget -O /usr/local/share/dae/geosite.dat github.com/v2fly/domain-list-community/releases/latest/download/dlc.dat:
0.387 Connecting to github.com (20.205.243.166:443)
10.59 wget: error getting response: Resource temporarily unavailable
------
failed to solve: process "/bin/sh -c wget -O /usr/local/share/dae/geosite.dat github.com/v2fly/domain-list-community/releases/latest/download/dlc.dat" did not complete successfully: exit code: 1

This tells you that you don't have geoip / geosite: github.com/Loyalsoldier/v2ray-rules-dat/releases/download/202405182208/geosite.dat and github.com/Loyalsoldier/v2ray-rules-dat/releases/download/202405182208/geoip.dat. It seems GitHub is blocked where you are; download them on a device that can reach GitHub, scp them to this machine, and put them in the same directory as your dae config.

#21 I had actually realized and solved that long ago; I used v2raya as a proxy first, but it still didn't succeed. Especially with dae running in Docker: docker ps -a shows it up, but if you try to exec -it into it, it says it is still starting, meaning the service is unusable.

Check the logs: docker logs -f. Also, did you skip a step during configuration? github.com/daeuniverse/dae/blob/main/docs/zh/README.md

#23 Definitely didn't skip anything; I even tried chmod config.dae. The script install has the same problem.

#23
time="May 19 11:24:03" level=info msg="192.168.2.99:35535 <-> 23.95.xxx.xxx:33333" dialer=23.95.xxx.xxx-PVE dscp=0 ip="23.95.xxx.xxx:33333" mac="30:bf:21:06:02:b6" network=tcp4 outbound="my_group" pid=0 pname=v2ray policy=min_moving_avg sniffed=
time="May 19 11:24:03" level=info msg="192.168.2.99:35513 <-> 23.95.xxx.xxx:33333" dialer=23.95.xxx.xxx-PVE dscp=0 ip="23.95.xxx.xxx:33333" mac="30:bf:21:06:02:b6" network=tcp4 outbound="my_group" pid=0 pname=v2ray policy=min_moving_avg sniffed=

Also check the dae Docker startup logs for anything abnormal:

docker stop dae
truncate -s 0 $(docker inspect --format='{{.LogPath}}' dae)
docker start dae
docker logs -f dae

#26
root@DATAHUB:/etc/dae# docker stop dae
truncate -s 0 $(docker inspect --format='{{.LogPath}}' dae)
docker start dae
docker logs -f dae
dae
dae
time="May 19 12:08:03" level=info msg="Include config files: [/etc/dae/config.dae]"
time="May 19 12:08:03" level=info msg="Waiting for network..."

#26
time="May 19 12:14:21" level=info msg="Group 'my_group' [tcp6]: 1. [] 23.95.xxx.xxx-PVE: 4.611s"
time="May 19 12:14:31" level=info msg="[ALIVE --tcp4-> NOT ALIVE]" dialer=23.95.xxx.xxx-PVE group="my_group"
time="May 19 12:14:31" level=info msg="Group has no dialer alive" group="my_group" network=tcp4
time="May 19 12:14:36" level=warning msg="handlePkt: no proper dialer for DNS upstream: tcp+udp://dns.google.com:53"
time="May 19 12:14:41" level=warning msg="handlePkt: no proper dialer for DNS upstream: tcp+udp://dns.google.com:53"
time="May 19 12:14:46" level=warning msg="handlePkt: no proper dialer for DNS upstream: tcp+udp://dns.google.com:53"

I looked at it; my guess is that China Telecom is blocking port 53.

A normal dae initialization should show messages like the following:

time="May 19 12:17:17" level=info msg="Include config files: [/etc/dae/config.dae]"
time="May 19 12:17:18" level=info msg="Loading eBPF programs and maps into the kernel..."
time="May 19 12:17:18" level=info msg="The loading process takes about 120MB free memory, which will be released after loading. Insufficient memory will cause loading failure."
time="May 19 12:17:46" level=info msg="Loaded eBPF programs and maps"
time="May 19 12:17:46" level=info msg="Bind to LAN: ens192"
time="May 19 12:17:46" level=info msg="Bind to WAN: ens192"
time="May 19 12:17:46" level=info msg="Group "Proxys" node list:"

Alternatively, you could spin up a clean VM and retest the configuration; if it starts there, your configuration process is fine. Also, if you have configured iptables rules or the like, have they been cleared?

#29 All of the above messages are there, but it still can't proxy. I'm going back to v2raya, since I may need it for external network access.