説明なし

kotoyuuko 7715ccf902 feat: add China domain/IP direct bypass rules in Surge client config		3 週間前
docs	7715ccf902 feat: add China domain/IP direct bypass rules in Surge client config	3 週間前
group_vars	7d72410741 feat: ansible chained proxy setup with shadowsocks + trojan	3 週間前
inventory	7d72410741 feat: ansible chained proxy setup with shadowsocks + trojan	3 週間前
openspec	7715ccf902 feat: add China domain/IP direct bypass rules in Surge client config	3 週間前
roles	7d72410741 feat: ansible chained proxy setup with shadowsocks + trojan	3 週間前
README.md	7d72410741 feat: ansible chained proxy setup with shadowsocks + trojan	3 週間前
ansible.cfg	7d72410741 feat: ansible chained proxy setup with shadowsocks + trojan	3 週間前
site.yml	7d72410741 feat: ansible chained proxy setup with shadowsocks + trojan	3 週間前

Ansible Proxy Chain

Ansible playbook for provisioning a two-server chained proxy setup:

Relay server (中转机): Shadowsocks-rust — handles general traffic
Landing server (落地机): Trojan-Go — handles AI/streaming services requiring local IP

Client-side Surge uses underlying-proxy to chain connections:

Client → Relay (SS) → Landing (Trojan) → Internet   # chained
Client → Landing (Trojan) → Internet                 # direct
Client → Relay (SS) → Internet                       # relay only

Prerequisites

Two servers running Ubuntu/Debian
A domain name pointing to the landing server (for Trojan TLS)
Ansible 2.12+ on your local machine
community.general Ansible collection: ansible-galaxy collection install community.general

Setup

1. Configure inventory

Edit inventory/hosts.yml with your server IPs:

all:
  children:
    relay:
      hosts:
        relay-server:
          ansible_host: "1.2.3.4"
    landing:
      hosts:
        landing-server:
          ansible_host: "5.6.7.8"

2. Configure secrets

cp group_vars/vault.yml.example group_vars/vault.yml
# Edit vault.yml with your passwords
ansible-vault encrypt group_vars/vault.yml

3. Configure variables

Edit group_vars/relay.yml:

ss_port: Shadowsocks listen port (default: 8388)
ss_cipher: Encryption method (default: aes-256-gcm)

Edit group_vars/landing.yml:

trojan_domain: Your domain name
certbot_email: Email for Let's Encrypt notifications

4. Run the playbook

ansible-playbook site.yml --ask-vault-pass

Client Configuration

See docs/surge-client.conf for a reference Surge client configuration with:

Proxy definitions (Relay-SS, Landing-Trojan, Landing-Chain)
Routing rules using Sukka's rulesets
AI and streaming traffic → chained through landing server
Default traffic → relay server

Project Structure

├── ansible.cfg
├── inventory/
│   └── hosts.yml
├── group_vars/
│   ├── all.yml
│   ├── relay.yml
│   ├── landing.yml
│   └── vault.yml.example
├── roles/
│   ├── base/           # SSH hardening, UFW, fail2ban
│   ├── shadowsocks/    # shadowsocks-rust (relay)
│   └── trojan/         # trojan-go + certbot (landing)
├── docs/
│   └── surge-client.conf
└── site.yml

Variables Reference

Variable	Default	Description
`ss_port`	8388	Shadowsocks listen port
`ss_cipher`	aes-256-gcm	Shadowsocks encryption method
`ss_version`	1.21.2	shadowsocks-rust release version
`trojan_port`	443	Trojan listen port
`trojan_domain`	—	Domain name for TLS certificate
`trojan_fallback_port`	8080	Fallback port for non-Trojan traffic
`trojan_version`	0.10.6	trojan-go release version
`certbot_email`	—	Email for Let's Encrypt
`ssh_port`	22	SSH listen port

README.md