proposal.md

Why

We need to set up two servers as a chained proxy pair, deployed with Ansible so the build is automated and repeatable. The "relay server" (中转机) terminates the client's first hop and forwards traffic onward; the "landing server" (落地机) provides an exit IP in the target region for services that require a geo-specific endpoint (AI services, streaming). Surge on the client uses its underlying-proxy feature to chain the two: the Trojan connection to the landing server is carried inside the Shadowsocks tunnel to the relay, so the relay only ever sees a TLS stream addressed to the landing host, never the inner traffic. The servers run encrypted proxy daemons: shadowsocks-rust on the relay for fast transit (an AEAD cipher, never a legacy stream cipher), and Trojan on the landing, which looks like ordinary HTTPS on the wire and needs a real domain name and a publicly trusted certificate for that disguise to hold.

What Changes

  • Create Ansible inventory defining two server roles: relay (中转机) and landing (落地机)
  • Create playbooks and roles to provision both servers with base system configuration (packages, security hardening, SSH)
  • Deploy and configure shadowsocks-rust on the relay server as an encrypted forward proxy (AEAD cipher, systemd unit, only its listening port opened in the firewall)
  • Deploy and configure Trojan (trojan-go or the original trojan) on the landing server with TLS on 443 and a fallback to a local web server, so that connections that do not carry a valid Trojan password get an ordinary HTTPS page instead of an error
  • Serve direct (non-chained) clients from the same Trojan listener on the landing server; no second endpoint is needed, only a second Surge proxy entry without underlying-proxy
  • Client-side Surge uses underlying-proxy to chain: Client → Relay (SS) → Landing (Trojan) → Internet
  • Surge policy rules on the client route AI/streaming traffic through the landing chain, other traffic through the relay directly
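The whole procedure above, as one added example that is not the project's own playbook: a site.yml with three plays that write the shadowsocks-rust and trojan-go server configs, open the matching firewall ports with ufw, and render the client's Surge profile from the same variables so the ports and passwords cannot drift apart. Hostnames (relay.example.com, landing.example.com), the Shadowsocks port, the certificate paths, the systemd unit names, the vault file location and the ss_password / trojan_password variables are assumptions; the third play, which renders surge.conf on the control machine, is a convenience the proposal does not require.

```yaml
# Added example (not the project's playbooks). Hosts, ports, paths, unit
# names and the vaulted *_password variables are assumed, not from the page.
- name: Provision the relay (中转机) with shadowsocks-rust
  hosts: relay
  become: true
  vars:
    ss_port: 8388
    ss_method: chacha20-ietf-poly1305   # AEAD; never a legacy stream cipher
  tasks:
    - name: Write the shadowsocks-rust server config
      ansible.builtin.copy:
        dest: /etc/shadowsocks-rust/config.json
        mode: "0600"
        content: "{{ ss_config | to_nice_json }}"
      vars:
        ss_config:
          server: "0.0.0.0"
          server_port: "{{ ss_port }}"
          password: "{{ ss_password }}"   # from group_vars (Ansible Vault)
          method: "{{ ss_method }}"
          mode: tcp_and_udp
      notify: restart shadowsocks-rust
    - name: Open only the Shadowsocks port (SSH policy comes from server-base)
      community.general.ufw:
        rule: allow
        port: "{{ ss_port }}"
        proto: any
  handlers:
    - name: restart shadowsocks-rust
      ansible.builtin.systemd:
        name: shadowsocks-rust
        state: restarted

- name: Provision the landing (落地机) with trojan-go on 443
  hosts: landing
  become: true
  vars:
    landing_domain: landing.example.com   # must resolve to this host
  tasks:
    - name: Write the trojan-go server config with an HTTP fallback
      ansible.builtin.copy:
        dest: /etc/trojan-go/config.json
        mode: "0600"
        content: "{{ trojan_config | to_nice_json }}"
      vars:
        trojan_config:
          run_type: server
          local_addr: "0.0.0.0"
          local_port: 443
          remote_addr: "127.0.0.1"   # TLS clients without a valid password are
          remote_port: 80            # handed to a local site, so probes see HTTPS
          password: ["{{ trojan_password }}"]
          ssl:
            cert: "/etc/letsencrypt/live/{{ landing_domain }}/fullchain.pem"
            key: "/etc/letsencrypt/live/{{ landing_domain }}/privkey.pem"
            sni: "{{ landing_domain }}"
      notify: restart trojan-go
    - name: Allow 443 (Trojan) and 80 (ACME HTTP-01 and the fallback site)
      community.general.ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
      loop: ["443", "80"]
  handlers:
    - name: restart trojan-go
      ansible.builtin.systemd:
        name: trojan-go
        state: restarted

- name: Render the client-side Surge profile from the same variables
  hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    - group_vars/all/vault.yml   # assumed home of ss_password / trojan_password
  vars:
    relay_host: relay.example.com
    ss_port: 8388
    landing_domain: landing.example.com
  tasks:
    - name: Write surge.conf; both Landing policies hit the same Trojan listener
      ansible.builtin.copy:
        dest: ./surge.conf
        mode: "0600"
        content: |
          [Proxy]
          Relay = ss, {{ relay_host }}, {{ ss_port }}, encrypt-method=chacha20-ietf-poly1305, password={{ ss_password }}
          Landing = trojan, {{ landing_domain }}, 443, password={{ trojan_password }}, sni={{ landing_domain }}
          Landing-via-Relay = trojan, {{ landing_domain }}, 443, password={{ trojan_password }}, sni={{ landing_domain }}, underlying-proxy=Relay

          [Rule]
          DOMAIN-SUFFIX,openai.com,Landing-via-Relay
          DOMAIN-SUFFIX,netflix.com,Landing-via-Relay
          FINAL,Relay
```

Run it as `ansible-playbook -i inventory site.yml --ask-vault-pass`. The only difference between the two Landing policies is `underlying-proxy=Relay`, which makes Surge open the Trojan TLS session through the Shadowsocks tunnel; the landing server cannot tell the two apart, which is why no separate "direct" endpoint is needed. The rendered surge.conf contains both passwords, so keep it out of version control.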

Capabilities

New Capabilities

  • server-base: Base server initialization (packages, security, SSH hardening, firewall)
  • shadowsocks-relay: Shadowsocks-rust deployment and configuration for the relay/transit server
  • trojan-landing: Trojan deployment and configuration for the landing server with TLS
  • proxy-rules: Client-side Surge routing rules for AI services, streaming services, and default traffic

Modified Capabilities

(none - this is a greenfield project)

Impact

  • New Ansible project structure: inventory, playbooks, roles, and group_vars
  • Relay server will run shadowsocks-rust as a systemd service
  • Landing server will run Trojan as a systemd service, requiring a domain name that resolves to it, a publicly trusted TLS certificate (ACME/Let's Encrypt, renewed automatically), and a local web server to receive the fallback traffic
  • Network traffic patterns: chained traffic flows Client → Relay (SS) → Landing (Trojan) → Internet; direct traffic flows Client → Landing (Trojan) → Internet
  • Firewall rules: relay allows the SS port, landing allows the Trojan port (443) plus 80 for ACME challenges and the fallback site; SSH on both is restricted by server-base and nothing else is exposed