—01/06/2022
世界上最小的国家之一密克罗尼西亚刚刚让中国这个巨头遭受了让人
法国世界报在华记者勒梅特周二写道,
美国政府则于5月26日表示,
Tuesday 31 May 2022
南太平洋岛国拒绝将自己的命运与北京联在一起
乌克兰:俄罗斯开始“抢劫”金属材料
—31/05/2022
乌克兰南部重要港口马里乌波尔被俄军占领后,
据路透社消息,
OpenProxy
OpenProxy is an open source http proxy stack that is a combination of Varnish Cache and Nginx.
Introduction
The main goal of the OpenProxy project is to create a high-performance open source http and https proxy server for production environments.
If you don't want to use both services at the same time, nothing prevents you from using the configurations only for a specific service.
Varnish Cache
Before using the Varnish Cache please read Introduction.
Varnish Cache is a web application accelerator also known as a caching HTTP reverse proxy. You install it in front of any server that speaks HTTP and configure it to cache the contents. Varnish Cache is really, really fast. It typically speeds up delivery with a factor of 300 - 1000x, depending on your architecture.
To increase your knowledge, read Varnish Documentation.
Varnish Cache with OpenProxy
The next step should be to read the Varnish Cache OpenProxy documentation.
Nginx
Before using the Nginx please read Beginner’s Guide.
Nginx (/ˌɛndʒɪnˈɛks/ EN-jin-EKS) is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, originally written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VK, and Rambler.
To increase your knowledge, read Nginx Documentation.
Nginx with OpenProxy
The next step should be to read the Nginx OpenProxy documentation.
Installation
Remember to make a copy of the current configuration and all files/directories.
It's very simple - full directory sync:
rsync -avur --delete lib/nginx/ /etc/nginx/
rsync -avur --delete lib/varnish-cache/ /etc/varnish/For leaving your configuration (not recommended) remove --delete rsync param.
Configuration
Initializing new domain
Varnish Cache
Added your domain definitions to default.vcl:
### BACKENDS DEFINITION
include "/etc/varnish/master/domains/your.domain/backends.vcl";
### DOMAINS DEFINITION
include "/etc/varnish/master/domains/your.domain/main.vcl";Clone to your domain directory:
cd /etc/varnish/master/domains
cp -R example.com/ your.domainand replace example.com to your domain name:
cd your.domain
sed -i 's/example.com/your.domain/g' *
sed -i 's/example_com/your_domain/g' *Remember to adjust the configuration to your needs.
Nginx
Added your domain definitions to domains.conf:
cd /etc/nginx/master/
cat >> domains.conf << __EOF__
# Configuration for your.domain domain.
include /etc/nginx/master/_domains/your.domain/servers.conf;
include /etc/nginx/master/_domains/your.domain/backends.conf;
__EOF__
cd _domains
cp -R example.com/ your.domainand replace example.com to your domain name:
cd domains/your.domain
sed -i 's/example.com/your.domain/g' *
sed -i 's/example_com/your_domain/g' *Remember to adjust the configuration to your needs.
Aliases
Import aliases from lib/etc/skel/aliases to your shell init file and reload shell session with exec $SHELL -l.
Error pages
For example:
cd /usr/share/www/
git clone https://github.com/trimstray/http-error-pages && cd http-error-pages
./httpgenBefore init services
- reinit systemd configuration:
systemctl daemon-reload - adjust
/etc/default/varnish
Maintenance
Varnish Cache
Show config params
varnishadm param.show
varnishadm param.show max_retriesShow boot configuration
varnishadm vcl.show bootCompile new configuration
varnishadm vcl.load config_name /etc/varnish/default.vclLoad new configuration
varnishadm vcl.use config_nameShow backend list
varnishadm backend.listDrop objects from cache
varnishadm ban req.http.host == example.com
varnishadm ban "req.http.host == example.com && req.url == /backend.*"Show backends health
varnishlog -g raw -i Backend_healthShow all requests (without filters)
varnishlog -g requestShow all requests and responses (raw format)
varnishlog -g rawShow requests with specific Host header
varnishlog -g request -q "ReqHeader eq 'Host: example.com'" -i Begin,ReqMethod,ReqUrl,ReqHeaderShow requests with specific User-Agent header
varnishlog -g request -q "ReqHeader eq 'User-Agent: x-bypass'"Show requests with HTTP 200 status
varnishlog -i BackendOpen,BereqURL -q "BerespStatus == 200"Show requests with HTTP 503 status from backends
varnishlog -d -q 'RespStatus == 503' -g requestShow requests with Backend Fetch Error
varnishlog -b -q 'FetchError'External resources
Varnish Cache
Base
🔸 Varnish HTTP Cache Project
🔸 Varnish Cache source code repository
🔸 Varnish Dashboard
🔸 Varnish 4.0 Template
🔸 Varnish 5.0 Template
🔸 Getting started with web app accelerator Varnish Cache
Cheatsheets
🔸 Varnish Regexp
🔸 VCL regular expression cheat sheet
🔸 5 Basic Tips to Using Regular Expressions in Varnish
🔸 Varnishlog: measure your Varnish cache performance
Performance & Hardening
🔸 Protect your websites with Varnish rules
🔸 Collection of Varnish Cache modules (vmods) by Varnish Software
Nginx
Base
🔸 Nginx Project
🔸 Nginx official read-only mirror
🔸 Nginx boilerplate configs
🔸 Awesome Nginx configuration template
🔸 Nginx static analyzer
🔸 A collection of resources covering Nginx and more
Cheatsheets
🔸 Nginx Cheatsheet
🔸 Nginx Quick Reference
🔸 Nginx Cheatsheet by Mijdert Stuij
Performance & Hardening
🔸 WAF for Nginx
🔸 ModSecurity for Nginx
🔸 How to Build a Tough NGINX Server in 15 Steps
🔸 Top 25 Nginx Web Server Best Security Practices
🔸 Strong SSL Security on Nginx
🔸 Nginx Tuning For Best Performance by Denji
🔸 Enable cross-origin resource sharing (CORS)
Comparison
🔸 BBC Digital Media Distribution: How we improved throughput by 4x
🔸 Web cache server performance benchmark: nuster vs nginx vs varnish vs squid
Performance Analyzers
🔸 ngxtop
Log Analyzers
🔸 GoAccess
🔸 Graylog
🔸 Logstash
Online tools
🔸 Online tool to learn, build, & test Regular Expressions
🔸 Online Regex Tester & Debugger
🔸 SSL Server Test
🔸 Strong ciphers for Apache, Nginx, Lighttpd and more
🔸 Analyse the HTTP response headers by Security Headers
🔸 Analyze your website by Mozilla Observatory
from https://github.com/fo0nikens/OpenProxy
fget
A fast download program.
一般下载工具,都是按顺序下载,且服务器给一个每个链接提供的流量是有限制的 而fget是建立多个链接,同时下载,最后合并成目标文件。
- usage
-H value
http headers
-o string
out put file name
-proxy value
proxys url eg: http://192.168.1.2:8080
-ps int
block size (default 10)
-th int
thread counts (default 10)
-uri string
download url
- examples
-
fget -uri http://xxxxx -
fget -uri http://xxxxx -H "Referer: http://test.com" -H "Cookies: xxxxx"from https://github.com/BrockChen/fget
Master-List-of-HTML5-JS-CSS-Resources
This list started out as a blog post, with the intent of sharing a list of HTML5, JavaScript, and CSS3 resources that I found very useful. Feel free to read the original article to see what links I deemed relevent in January of 2011.
The structure of this list has changed from a single file (which can still be found here), to a more organized, yet still simple, collection of files. This should make it a bit easier to organize, digest, and maintain (for those who would like to contribute).
I have also taken a more opinionated stance on what to include, and what to recommend to others, based upon my experiences in the field, and my consumption of a varied and vast number of articles on the subjects. Note that most of the resources listed herein are free and open source. There are exceptions, but for the most part, you can obtain all the knowledge and tools you need to become a crack front end designer or developer thanks to the hard work of others. Please consider donating to individuals or purchasing tools whenever possible to help support this thriving ecosystem.
The new list is now broken up into the following topics:
Core Technologies
Popular Topics
Articles & Resources, Updated Daily
- JavaScript, CSS, HTML5 - Front end design & development magazine curated by @gloparco
NOTE: I am in the process of migrating the old list into these new categories, while adding/subtracting/reorganizing at the same time. While it is a work in progress, you will still find useful information. Keep in mind, you can always see the original list here.
from https://github.com/gloparco/Master-List-of-HTML5-JS-CSS-Resources
pi_tor_socks
Web interface for Raspberry Pi。
https://nova.ws/pi-tor-socks/
from https://github.com/novaws/pi_tor_socks
socks-manager
动态生成socks5 用户名和密码
使用gost配合redis实现socks5认证
https://github.com/yknext/gost
from https://github.com/yknext/socks-manager
Pshell
ICMP/IP tunnel manager for Linux.
这是一个 ICMP/IP 隧道管理脚本,从服务器到本地的全部操作,都可以通过这个脚本完成,目前完美支持主流 Linux 发行版(能运行最新版本 Docker 即可)。
可以用来做什么
- 内网穿透(从外网访问内网的主机,比如在家里访问学校内网的资源)
- 绕过认证(绕过一般的网络认证,比如绕过学校网络认证,直接上网)
- 网络代理(又一个翻墙姿势,比如服务端放在海外就可以翻墙了)
功能
- 支持服务器自动部署并启动,服务端遇到意外可以自动重启。
- 支持本地自动部署并启动,支持 ICMP/IP 双协议隧道。
- 支持断线自动重连。
- 提供直观的监视器,可以实时查看连接状态。
- 支持指定网卡分享 socks5 代理给他人。
- 支持 socks5 转发为 http 代理。
- 支持 TCP-BBR 算法,极大提高网速(需要内核支持)。
- 密码认证。
- 自动更新脚本。
待添加/修复功能
- 支持自动修复 http 代理并允许指定 http 端口。
- 自动启用负载均衡。
- TCP-BBR 算法自动启用。
- 添加 DNS Tunnel 功能。
- proxy.list 文件最后一行不是空行会执行失败。
$ ./Pshell.sh -h
------------------------------------------------------------------------------
___ ____ __ __ ____ _____ ____ ____ _ _ _
|_ _/ ___| \/ | _ \ / /_ _| _ \ / ___|| |__ ___| | |
| | | | |\/| | |_) / / | || |_) | \___ \| '_ \ / _ \ | |
| | |___| | | | __/ / | || __/ ___) | | | | __/ | |
|___\____|_| |_|_| /_/ |___|_| |____/|_| |_|\___|_|_|
Email: i@zuolan.me Blog: https://zuolan.me
一个隧道部署与代理管理的脚本。不加参数直接运行脚本即可连接。
------------------------------------------------------------------------------
可选参数 - 说明
------------------------------------------------------------------------------
-d (driver) - 指定网卡(enp3s0|wlp2s0|eth0|wlan0),默认全部。
-e (edit) - 编辑配置列表。
-f (fast) - 快速模式(切换为 IP 协议隧道,速度更快,安全性降低)。
-h (help) - 显示帮助信息。更详细说明请阅读 README 文件。
-k (kill) - 杀死 autossh 和 sshd 进程(当连接长时间中断时使用)。
-l (local) - 安装本地守护容器。
-m (monitor) - 查看代理与容器运行的情况。
-n (net) - 统计代理端口的流量(-n set/unset 开启/重置流量统计)。
-p (port) - 选择本地 HTTP 代理端口(默认配置/etc/privoxy/config)。
-s (server) - 安装服务器守护进程。
-u (update) - 检测版本以及更新脚本。
------------------------------------------------------------------------------安装
第零步、ssh 免密码设置
在本地生成一对密钥(邮箱替换为你的邮箱):
ssh-keygen -t rsa -b 4096 -C "i@zuolan.me"把公钥(id_rsa.pub)内容复制粘贴到服务器的 ~/.ssh/authorized_keys 文件中:
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys第一步、服务器安装
执行 sudo ./Pshell.sh --server 即可自动安装并启动。服务器就一句话。
第二步、填写本地配置文件
现在回到本地,在运行脚本连接之前需要填写配置文件,模板如下。打开 proxy.list,然后按照下面的模板填写你的配置。
节点名称:容器名称:容器端口:Socks5端口:服务器IP:密码:密钥例如:
广州:gz:8001:10001:123.45.67.89:pass1:~/.ssh/id_rsa.gz
香港:hk:8002:10002:123.45.67.89:pass1:~/.ssh/id_rsa.hk
青岛:qd:8003:10003:123.45.67.89:pass2:~/.ssh/id_rsa.qd
东京:to:8004:10004:123.45.67.89:password:~/.ssh/id_rsa.to填完就可以进行下一步了,但如果你想更详细定义脚本变量可以在脚本头部中设置(不建议)。
第三步、本地电脑安装
执行 ./Pshell.sh --local 即可自动安装并运行。
使用
下面方法任选其一。
一、基于 SSH 的 Socks5 代理
1. ICMP 模式(限速150KB/s)
使用 ./Pshell.sh 直接运行脚本即为 ICMP 协议隧道,然后你可以使用配置文件中设置的 Socks5 端口(见安装步骤第二步)连接到外网。设置方法和普通 Socks5 端口使用一样。(例如 Google Chrome 中的插件 SwitchyOmega。)
2. IP 模式(不限速)
使用 ./Pshell.sh -f 即可启用 IP 协议的隧道,相比使用 ICMP 协议的隧道而言,IP 协议的隧道速度更快(有可能被云服务提供商误判为DDos攻击)。启用之后使用方式和 ICMP 模式一样,连接 Socks5 端口即可。
二、基于 IP 协议的端口映射
由于 SSH 的连接不是非常稳定,即便加了自动重连的方法还是会出现短暂的断网现象(自动重连大概要零点几秒),对于下载、游戏等过程有比较大影响,所以建议设置端口映射,由于 ICMP 协议速度不快,我就不写 ICMP 的端口映射了,用 ICMP 刷个网页基本不会感受到断网的情况。
由于脚本尚未完善,目前仅支持一台服务器的端口映射,如果你列表中有多台服务器,只会连接列表中的第一台服务器。
以广州:gz:8001:10001:123.45.67.89:pass1:~/.ssh/id_rsa.gz为例,完成服务端和客户端的安装之后,在服务端启动一个代理(SS、SSR之类的你懂的软件),然后本地可以通过10.1.2.1这个地址连接到服务器的代理软件。
服务端完整示例:
# 安装 Pshell 服务端
$ ./Pshell.sh -s
# 安装 Shadowsocks 服务端
$ docker run -d --name ss -p 10001:10001 mritd/shadowsocks -s "-s 0.0.0.0 -p 10001 -k ss_password -m aes-256-cfb"然后回到本地的电脑,安装好 Pshell 本地端之后(./Pshell.sh -l),打开 Shadowsocks 客户端,服务器地址为10.1.2.1,其他根据你的设置改变。
现在你可以使用 IP 协议稳定连接网络了。
扩展
一、Socks5 转 http
有些软件不支持 Socks5 代理协议,所以提供端口转换功。
使用 ./Pshell.sh -p <port> 可以指定其中一个 socks5 端口转换为 http 端口(转换后 http 协议代理端口为 8118)。
端口转换功能是保存起来的,不需要每次运行都指定它,除非你想重新指定转换的 socks5 端口。
二、分享 Socks5 端口
如果你想分享代理给他人用,可以使用 ./Pshell.sh -d <enp3s0> 参数指定网卡分享 Socks5 端口。
常用的网卡有 enp3s0|wlp2s0|eth0|wlan0 这些,使用
ifconfig命令可以查看。
注意一点就是 Privoxy 的 8118 端口默认为仅 localhost 访问,如果需要他人访问,你还需要修改 localhost 为其他地址(例如 0.0.0.0),这样他人可以通过这个 http 端口访问外网。
三、重启 sshd 进程
在使用过程中可能会出现 sshd 进程崩溃的情况,这时候明明没有连接异常但死活连不上。
这个时候你可以使用 ./Pshell.sh -k 参数来杀死崩溃 sshd 进程并手动执行 ./Pshell.sh 重新启动 sshd 进程。
最后
使用 alias 指定脚本为特定命令即可更加方便启动。
其他功能自己发现(其实也没什么其他功能了),在脚本中可以看到全部可选参数。
frm https://github.com/izuolan/Pshell
tawdemo-socks5-c
tawdemo-socks5-c为一个C语言编写的sock5代理工具DEMO,需要同时部署客户端和服务端。
本项目仅作研究linux底层网络通信学习使用。不具备生产特性,请勿用于生产环境。
ps: 个人并不是专业写C语言的,使用C语言只是为了加深对网络协议底层处理的了解,因此项目代码风格非常糟糕,请勿随意模仿,还请见谅
环境
系统:linux或mac
使用方式
1. 构建编译
git clone tawdemo-socks5-c
cd tawdemo-socks5-c
cmake .
make2. 使用
客户端
./tawdemo-socks5-c -P [本地监听端口] -c -h [服务器地址] -p [服务器端口]服务端
./tawdemo-socks5-c -P [本地监听端口] -s版本信息
v1.0
初版,仅支持不设密码的sock5协议,仅支持TCP代理,客户端与服务端之间未做压缩/加密处理。只具备初步可用性。
frm https://github.com/lyytaw/tawdemo-socks5-c
-----
socks5 server/client demo.
This repository implement a simple socks5 server and client according to rfc1928(partially), rfc1929
Only support TCP CONNECT currently.
from https://github.com/kumakichi/go-socks5 (估计server and client之间的连接也是未加密的。)
-----------------------------------------------------------
"客户端与服务端之间未做压缩/加密处理",搭配stunnel后,即可安全翻墙:
https://briteming.blogspot.com/2012/01/vpsstunnel.html
Monday 30 May 2022
习李内外危机难解 拜登逢百年机遇
习近平下,李克强上?中共政坛的变化让人眼花了乱,外国人看蒙了,连中共官场的干部也蒙了。习近平的一尊权威为何遭到挑战?失业率上升,社会不稳,政权不稳,中共元老出手,党内斗争加剧。两大极权衰落,百年未有之机遇就在眼前。拜登老而精明,美国不断出手,十面埋伏,步步进逼。美中俄三国大戏卷入全球各国。
习近平清零抗疫 李克强提振经济 官员两难
近一段时间来,习近平在电视报刊露脸的机会少了,李克强忽然大大露脸,四处救经济。一个强调清零不谈经济,一个强调经济不问清零,给人感觉中央两派唱对台戏。
彭博社5月26日报导说,负责在基层实施政策的中共官员不太确定到底该听谁的:习近平继续强调要坚决推动清零政策,而李克强则不断敦促他们提振经济。
5月25日,李克强召开十万干部大会,号称“全国稳住经济大盘电视电话会议”。报导说,李克强对经济发出“迄今为止最严厉的警告”,要求官员们要更好地平衡疫情控制和经济增长。
据中共官方媒体报导,第二天(26日),“国务院稳增长稳市场主体保就业专项督查组”已经出现在河南、山东、陕西、辽宁、江苏、安徽、湖北、湖南、四川、福建、浙江等省分,确保地方在5月31日前能推动落实相关政策。督察组还是部级领导担任组长的高规格小组。
如果中共疫情防控方式不变,许多地方处于严格的封控下,这些提振经济举措将如何实施呢?
有专家认为,李克强面临不可能完成的任务——在不能调整清零政策的同时要挽救经济。瑞银5月24日把中国全年GDP增长预期从4.2%下调至3%。
如果不是中国经济面临重大危机,不是党内权力斗争发生重大变化,习近平不会在二十大三连任之际,做出如此重大让步,让之前被自己压制的李克强突然如此活跃,让李克强出面召开十万干部大会,并部署督察组奔赴各省督察经济。
5月5日,习近平在中央政治局常委会上,还强调要毫不动摇地坚持“动态清零”,“坚决和一切歪曲、怀疑、否定中国防疫方针的言行做斗争”,但是没有提到如何减少对经济造成的损害。而同一天,李克强在国务院常务会议上,却大谈如何“帮扶外贸企业”。
李克强从上海封城以来,多次召开经济会议,从4月上旬至今至少有5次,呼吁稳住经济大盘,但基本不提“动态清零”。而习近平只顾“清零”,不提经济,中共两个最高的领导人,像两匹马拉着一辆车背道而驰。
年轻的失业大军何去何从
中共“清零”防疫自毁经济,老百姓深有痛感。国进民退,大型科企被中共整肃,纷纷裁员。
中小企业也难以生存。疫情封控导致商店关门,影院歇业,工厂停工,服务业停摆,学校放假;它困住了消费者,困住了工人,制造了物流混乱,甚至经济停摆。后果就是失业率飙升,社会不稳定。
主打年轻人市场的白酒品牌江小白被爆出裁员千人、杭州分公司裁40%,但江小白回应裁员可能只涉及一两百人。媒体报导称之为“裁员风波”。
白色家电龙头美的集团也卷入“裁员风波”。有网友发帖称,美的裁员比例高达50%。但美的集团人士说这是谣言。不过多名美的在职和离职员工对财新确认,最近一两个月中,公司不少人离职,涉及多个部门,但具体比例尚难以估计。
不管怎么说,中国失业率飙升已经遮掩不住。中共国家统计局5月16日公布数据显示,4月全国城镇调查失业率上升至6.1%,其中16到24岁的青年失业率达到18.2%,创历史新高。这还可能是缩水的数据。
2022届中国大学毕业生的数量高达空前的1076万。中国“智联招聘”5月发布的《2022大学生就业力调研报告》显示,到目前为止,男生的签约率22.2%,比上年的54.4%萎缩了几乎一半,女生的签约率是10.4%,更是只有上年的40.1%的几乎1/4。
“小鹏汽车被曝毁约20余名应届生”的话题,近日就登上了微博热搜榜。北京4月份还发布了“北京市2022年高校毕业生到农村从事支农工作”,感觉像过去的“上山下乡”了。
城市失业人口大量增加,尤其是受过教育的年轻人找不到工作,他们对当局和社会的不满情绪急剧上升。
北京大学生频爆抗议 社会不稳上升
目前恰恰邻近六四纪念日,因为疫情封控,北京高校频频爆发学生抗议。
5月26日晚,天津大学的学生因不满当局的极端防疫而举行集会示威活动,并高喊口号:“打倒官僚主义!”紧邻的南开大学也出现抗议活动。
24日晚,北京师范大学学生在校内游行,获校方口头表示让步。
23日晚,中国政法大学也爆发抗议活动。次日校方发出通知,允许学生有条件申请离校。
15日晚,北京大学学生聚集在校园,集体抗议学校连夜建墙隔离。北大副校长陈宝剑到现场喊话,最后学生推翻了围墙。事件在网络上引起热议,但相关视频、话题很快被删除。
京津重地的大学近日频繁爆发学生抗议,可想而知,社会不满演化到何种程度。中共非常担心六四学生运动会重演。
习近平的“一尊”权威为何被动摇
2021年9月,英国商人沈栋在美国出版《红色赌盘:当今中国财富,权力,腐败和复仇的内幕故事》一书,书中大爆中共高层内斗、权贵捞金的内幕。书中提到作者夫妇与70~80年代担任过副总理的谷牧的孙子刘诗来曾经是邻居。沈栋和刘诗来谈起过六四运动。
刘说6月3日当军队进驻天安门的时候,当时十几岁的他和家人躲在北京市中心有警卫看守的四合院的房子里,他记得他的亲戚是多么害怕示威者真的会成功推翻共产党。6月3日晚上,刘的祖父谷牧把AK-47放在腿上,守在房子里。在外面,中共军队血腥屠杀抗议者并清理了天安门广场。谷牧是邓小平的盟友,原名刘家语,2009年病逝。
这个故事告诉我们,中共权贵多么害怕失去权力。亡党危机时时威胁着中共统治者,随着经济下滑,中共执政的合法性进一步消失。老干部们不干了,庞大的中共既得利益集团,必定干涉当前的执政者,所以才出现文章开头说的,习近平“一尊”权威动摇,李克强出面救经济。李克强出面未必是直接跟习近平对着干,或许是党内达成一定共识,习近平被迫让步,不管他是否情愿。可以想象,当前的危机导致中共内部乱成一团,改革开放的红利没了,中共垮了,权贵们的富贵也没了,甚至身家性命难保,所以党内元老和反对势力出面,横加干涉,要让“一尊”改弦易辙,否则不惜把他拉下马。权威比肩毛邓的习近平,这才肯让步。
这个猜测可以从一个侧面得到印证。5月15日,中共中央办公厅印发《关于加强新时代离退休干部党的建设工作的意见》,要求离退休干部“不得妄议党中央大政方针,不得传播政治性的负面言论,不得参与非法社会组织活动”。过去是要求党员“不得妄议党中央大政方针”,现在破天荒要求退休老人也“不得妄议”。
布林肯“发起全面战略竞争或战争的宣言”
在习李为内政和内斗焦头烂额之际,外部的压力也急遽上升。美国国务卿布林肯5月26日发表对华政策演讲,指出中共对国际秩序构成最严峻的长期挑战,美国的战略是:“投资、结盟和竞争”,即进一步投资美国国内建设,巩固盟友体系以及在“实力基础上”同中国(中共)展开公开、公平的竞争。
美国对华政策过去说的是“竞争、对抗与合作”三分法,现在改为“投资、结盟和竞争”,重心落在“竞争”上。美国对内投资也好,对外结盟也好,目的是和中共竞争。按照中共专家的话说“大有调动全球力量推进对华竞争的架势”。
布林肯点名习近平和中国共产党,“在国内变得更加具有压制性,在国外变得更加咄咄逼人”。
布林肯说,“我们同中国共产党和中国政府有重大分歧。但这些分歧存在于政府和制度之间——不存在于人民之间。”
布林肯还明确表态人权问题是普世价值,美国必须过问。
布林肯的讲话全文被中共全网删,中共大力放送官媒和网民对布林肯讲话的批评和谩骂。
中共外交部发言人汪文斌在例行记者会上反驳,称这篇演讲“实质是散布虚假信息,渲染中国(中共)威胁,干涉中国(中共)内政,抹黑中国(中共)内外政策”。
中共外交部发言人华春莹则在推特上连发11条推文反驳。
2021年3月拜登在就任总统后的首次新闻发布会上为中美竞争定调,“这是21世纪的民主与专制的较量”。
布林肯这次演讲中讲到,“但我们不能指望北京改弦更张。因此,我们将塑造北京所处的战略环境,以推进我们建设一个开放和包容的国际体系的愿景。”
美国如何塑造北京所处的战略环境?那就是十面埋伏,全球围堵中共。
布林肯在讲话中历数美国为对抗中共所做的种种努力,并列举他们的盟友团队。虽然布林肯讲话被美国鹰派批评还不够强硬,但虚弱的中共已经感到压力山大了。
布林肯提到,拜登总统启动了美印在内的13国印太经济繁荣框架(Indo-Pacific Economic Framework for Prosperity)。
拜登出席了四方(Quad)国家领导人峰会——澳大利亚、日本、印度和美国,启动了新的印太海域意识伙伴关系,应对中共在海域的扩张。
拜登本月早些时候在白宫主持了美国-东盟峰会,还在印太和欧洲伙伴之间构筑桥梁,其中包括邀请亚洲盟国下月出席马德里举行的北约峰会。
布林肯提到被称为“AUKUS”的澳英美国三国新安全联盟,北约比以往任何时候都更加强大(因为俄乌战争)。
布林肯还列举二十国集团(G20),七国集团(G7)之间的合作,以及美国去年启动了美国-欧盟贸易和技术委员会(U.S.-EU Trade and Technology Council),主持召开了重振全世界民主的全球峰会。
等等这一切,都剑指中共。诚如华春莹反驳中说的那样,“布林肯演讲听起来更像是针对中国发起全面战略竞争或战争的宣言”。
两大极权流年不利 拜登逢百年未有之机遇
为什么拜登敢于大打出手?因为今年国际局势发生了重大变化。中共的老大哥俄罗斯已经被美国联合欧盟,由乌克兰出面打残了。俄罗斯对美欧联盟不再构成主要威胁,在布林肯演讲中,中共是美国目前全球唯一的主要威胁。
中俄两大极权统治者今年犯下“颠覆性”错误,俄罗斯入侵乌克兰,却不堪一击。拜登抓住机会,亲自上阵攻击普京,美国大力拨款,武器弹药应给尽给,经济制裁前所未有,全球联合齐心协力,把俄罗斯打入第三世界国家。
如今中共清零封城,打压科技企业,战狼四处出击,自己把自己折腾得半死不活。党内反对派顺势而起,习近平权威遭到挑战;为保连任,习近平奋力反击,自顾不暇。
美国情报机构目光如炬,拜登老而精明,俄乌战争大局已定,对中共的外部包围圈已经形成,美国围堵中共再无顾忌。
推倒“红墙”,让共产主义阵营解体,此时不出手更待何时?中共面临的生存危机,或许超出外界的想象。亡党恶梦不再是梦,而是步步紧逼的现实。
拜登身边的情报人员和智囊团应该已经看到了,百年未有之机遇来临。这一届政府虽然内政搞得不佳,但是两大极权政体更烂,如果顺势解除它们对全球的威胁,拜登政府将建立不世之功,名垂青史。
拜登趁机访问亚洲,将之前亲共的韩国拉入对抗中共的联盟,建立亚太经济框架,重组供应链,稳固亚洲小北约,巩固包围圈,并第三次“失言”说要武力保卫台湾。拜登亚洲行之前,还在白宫召集东盟会议,联合对抗中共。所以,美国在亚洲有日韩、东盟、台湾,南半球有澳洲、新西兰,大西洋有英国、欧盟等盟友,明火执仗,联合全球对抗中共。
识时务者为俊杰。中共体制内的人,应该为了自己和家人留后路,寻出路,不要临时抱佛脚。海外正义媒体的话虽然忠言逆耳,但是关乎您的身家性命,不可不察。
linux桌面系统上的全局代理程序Sixtysocks
Building Sixtysocks
You will need the following packages:
- qt5-qmake
- Boost (libboost-dev(el))
- Mozilla NSS (libnss-dev(el))
- Threading Building Blocks (libtbb-dev(el))
- libsocks6msg ([https://github.com/45G/libsocks6msg])
- libsocks6util ([https://github.com/45G/libsocks6util])
Then run:
qmake
make
Quick start guide
This section is meant to help you quickly setup a transparent SOCKSv6 proxifier and a proxy.
Creating a certificate DB
If you don't want to run SOCKS on top of TLS, you can skip this section.
Start off by creating a self-signed certificate (you must provide a non-empty CN):
openssl req -x509 -newkey rsa:4096 -keyout socks.key -out socks.crt -days 365
Next, create the database:
certutil -N -d /path/to/database
Add the certificate:
certutil -A -a -n socks -i socks.crt -t "cCu,," -d /path/to/database
Finally, convert the key to PKCS12 format and add it to the DB:
openssl pkcs12 -export -out socks.pfx -inkey socks.key -in socks.crt -certfile socks.crt
pk12util -i socks.pfx -d /path/to/database
Setting up proxification rules
You'll need to get iptables to redirect the traffic that must be proxified to the proxifier. In this example, all TCP traffic created by the user proxyme will be redirected to the local port 12345.
iptables -t nat -N SIXTYSOCKS
iptables -t mangle -N SIXTYSOCKS
iptables -t mangle -N SIXTYSOCKS_MARK
iptables -t nat -A SIXTYSOCKS -p tcp -m owner --uid-owner proxyme -j REDIRECT --to-ports 12345
iptables -t nat -A OUTPUT -p tcp -j SIXTYSOCKS
iptables -t mangle -A PREROUTING -j SIXTYSOCKS
iptables -t mangle -A OUTPUT -j SIXTYSOCKS_MARK
The proxifier
Run the proxy and proxifier as follows:
./sixtysocks -m proxy -t <proxy port> -C /path/to/database -n socks
./sixtysocks -m proxify -l 12345 -s <proxy IP> -p <proxy port> -C /path/to/database -S <proxy CN>
If you don't need TLS, use these commands instead:
./sixtysocks -m proxy -l <proxy port>
./sixtysocks -m proxify -l 12345 -s <proxy IP> -p <proxy port>
Optionally, you can also require authentication by supplying both the proxifier and proxy with a username and a password. Just append the following arguments:
-U username -P password
DNS (optional)
Optionally, you can install Dnsmasq (or some other local DNS proxy). Sixtysocks will redirect all requests to 0.0.0.0:53 to 127.0.0.1:53.
from https://github.com/45G/sixtysocks
netfilter-spooftcp
A lightweight kernel module/iptables extension for sending spoofed TCP packets。
This is a kernel-space, partial implementation of this paper
Build
Prerequisites:
- kernel headers
- xtables headers
Kernel Module
$ make
# insmod xt_SPOOFTCP.ko
iptables Extension
Copy libxt_SPOOFTCP.so to iptables library folder, say /lib/xtables.
Run iptables -j SPOOFTCP --help and see if it prints the help message of this module.
Usage
ip6tables -t mangle -A POSTROUTING -d 2001:db8::/64 -p tcp --dport 80 --syn -j SPOOFTCP --tcp-flags SYN,ACK
This will sent a spoofed SYN,ACK packet prior to the matched (original) SYN packet.
There are mechanisms to prevent the spoofed packets from being tracked
by nf_conntrack or being matched by another SPOOFTCP rule.
Known issue
Incompatible with SNAT because the spoofed packets bypass nf_conntrack.
Use either one of the workarounds below:
- Use
--masqparameter. It re-implementsMASQUERADEstatelessly, but it won't work in case of port changes or custom SNAT rules. - Patch the kernel to add a chain in
rawtable. The chain is hooked after SNAT. Tested on kernel 4.14 and 4.19
from https://github.com/hippocampi/netfilter-spooftcp
VPN-Launchpad
Build VPN server on AWS EC2 with QR code support. Build SOCKS/HTTP/DNS proxy locally. Support Ubuntu, OSX and Debian variants like Raspbian.
EC2 VPN server builder with multiple VPN support including L2TP, Shadowsocks, V2ray, Brook and Trojan.
Works in Ubuntu(Xenial and above), Mac OSX(Yosemite and above) and Debian(Buster and above) variants including Raspbian. Running in Windows with dind (Docker in docker) container is possible, but not yet verified.
How it works
Command vlp creates EC2 instance with VPN services installed out of box. Command lproxy creates proxy (SOCKS/HTTP/DNS) container running locally on your PC, Mac or Raspberry Pi, which tunneling all traffic through the VPN server on EC2. AWS account ID/key are necessary.
Quick start on Ubuntu / Debian(Buster) / Raspbian
1. Dependencies installation
$ sudo apt-get update; sudo apt-get install docker.io git dnsutils curl whois
...
$ sudo usermod -aG docker `whoami`; exitNote: It is necessary to log out current session and back to get docker group setting take effect.
Note: For Raspberry Pi users, please update to Raspbian Buster before Docker installation as Docker version earlier than 18.09 is not supported any more.
2. Initialize AWS credential and VPN server region
$ git clone --recurse-submodules https://github.com/samuelhbne/vpn-launchpad.git
$ cd vpn-launchpad
$ ./vlp init
AWS Access Key ID [None]: INPUT-YOUR-AWS-ID-HERE
AWS Secret Access Key [None]: INPUT-YOUR-AWS-KEY-HERE
Default region name [ap-northeast-1]:
Default output format [json]:
Done.
$Note: './vlp init' need to download docker image(about 100MB) during the 1st time execution. However hub.docker.com might be 'throttled' mysteriously in certain country. Please try './vlp --from-src init' instead to build the docker image from source in case './vlp init' stuck on downloading over 10 minutes without progress.
3. Build VPN server on AWS
$ ./vlp build --without-random --with-sslibev
...
Shadowsocks-URI: ss://YWVzLTI1Ni1nY206U1NTTElCRVYtUEFTUw==@13.231.224.253:28388#VLP-shadowsocks
...
Scan QR code above from Shadowsocks compatible mobile app to connect your mobile phone/tablet.
Done.
$
4. Connect from your mobile phone
Scan the QR code generated above from Shadowsocks compatible mobile app (Shadowrocket for iOS or Shadowsocks for Android etc.) to connect your mobile phone/tablet and enjoy.
5. Build local proxy on Ubuntu / Debian(Buster) / Raspbian [optional]
Please jump to step 8 if PC/Mac browser connection is not your goal.
$ ./lproxy build v2ray
...
Setting up local proxy daemon...
Done.
Starting up local proxy daemon...
Done.
Wait 15s for local proxy initialisation...
Done.
Local proxy is running.
VPN sever address: 13.231.224.253
Checking SOCKS5 proxy on 127.0.0.1:1080 TCP ...
curl -sSx socks5h://127.0.0.1:1080 http://ifconfig.co
13.231.224.253
SOCKS5 proxy check passed.
Checking HTTP proxy on 127.0.0.1:8123 TCP ...
curl -sSx http://127.0.0.1:8123 http://ifconfig.co
13.231.224.253
HTTP proxy check passed.
Checking DNS server on 127.0.0.1:65353 UDP ...
dig +short @127.0.0.1 -p 65353 twitter.com
104.244.42.1
104.244.42.193
Checking 104.244.42.1 IP owner ...
docker exec -it proxy-sslibev whois 104.244.42.1|grep OrgId
OrgId: TWITT
DNS server check passed.
Done.
$Note: './lproxy build' need to download docker image(about 90MB) during the 1st time execution. However hub.docker.com might be 'throttled' mysteriously in certain country. Please try './lproxy build --from-src' instead to build the docker image from source in case './lproxy build' stuck on downloading over 10 minutes without progress.
6. Browser configuration [optional]
Now modify connnection settings for Firefox, Safari or Chrome according to the proxy port settings given above.
7. Stop and remove local proxy container from Pi box after surfing [optional]
$ ./lproxy purge
Local proxy found. Purging...
Done.
$8. Terminate VPN server instance from AWS after surfing
$ ./vlp purge
...
Waiting Instance shutdown...
Done.
Removing Security Group of vlp-bionic...
Security Group Removed.
Deleting SSH Key-Pair of vlp-bionic...
Done.
$Note: Terminating VPN server instance from AWS after surfing is always recommended. It removes the potential trails from cloud to protect your privacy as well as reduces the cost for AWS service hiring in case you are not AWS free tier user.
Quick tour for getting AWS account ID and key
- Create an new AWS free account here if you don't have. I'm not affiliate.
- Login into AWS IAM console with your account.
- Click "User" from left side then click "Add user" button on the top
- Input the "User name" and tick "Programmatic access" box below
- Click "Next: Permissions" button
- Click "Create group" button
- Fill "Group name" with "vlpadmin" and tick "AmazonEC2FullAccess" selection box which on the top of the policy list
- Click "Create group" blue button at the bottom right of the page.
- Tick the "vlpadmin" selection box in "Add user to group" page
- Click "Next: Tags", click "Next: Review" then click "Create user" button
- Click "Show" link
- Now you get the "Access key ID" and "Secret access key" that necessary for vpn-launchpad running
Follow the official AWS doc page for more details
Full command Usage
VPN server management
$ ./vlp
vlp [--from-src] <command> [options]
--from-src -- Build dependency container from source rather than docker image downloading
init -- Init aws account credential.
build -- Build VPN server.
--from-src -- Build VPN server from source rather than docker image downloading
--with-brook -- Build VPN server with Brook services installed
--with-l2tp -- Build VPN server with L2TP services installed
--with-v2ray -- Build VPN server with V2Ray services installed
--with-trojan -- Build VPN server with Trojan services installed
--with-sslibev -- Build VPN server with Shadowsocks services installed
--with-random -- Build VPN server with VPN passwords randomisation.
--without-random -- Build VPN server without VPN passwords randomisation.
status -- Check VPN server status.
--with-qrcode -- Print Shadowsocks and V2Ray connection QR Code.
purge -- Destory VPN server instance.
random -- Randomise VPN passwords.
ssh -- SSH login into VPN server instance.Local proxy management
$ ./lproxy
lproxy <command> [options]
build -- Build local proxy container.
--from-src -- Build local proxy container from source rather than docker image downloading.
brook -- Build local proxy container that connect to VPN server via Brook connector
sslibev -- Build local proxy container that connect to VPN server via Shadowsocks connector
trojan -- Build local proxy container that connect to VPN server via Trojan connector
v2ray -- Build local proxy container that connect to VPN server via V2ray connector
status -- Check local proxy container status.
purge -- Destory local proxy container.Note: Please build VPN server before local proxy building.
Note: Component depency fetching from golang.org is necessary during the progress of building v2ray/brook with '--from-src' switch. However, golang.org access might be blocked in cetain country hence lead to the consequent building failure. Please remove '--from-src' switch (which means build from docker hub images fetching) if that is your case.
VPN server configuration
Password, encryption method and listening port configuration for Shadowsocks server
$ cat server-sslibev/server-sslibev.env
SGTCP="28388"
SGUDP="28388"
SSPORT="28388"
SSPASS="SSSLIBEV-PASS"
SSMTHD="aes-256-gcm"
$NOTE: Please ensure SGTCP/SGUDP and SSPORT are the same value to guarantee that AWS enabled the specific TCP/UDP port for incoming connection which server-sslibev service listened.
NOTE: Please run './vlp purge; ./vlp build' to get the new Shadowsocks server configuration applied.
Credits to shadowsocks-libev
UUID, V2RAYAID, V2RAYLEVEL configuration for V2Ray server
$ cat server-v2ray/server-v2ray.env
SGTCP="10086"
V2RAYPORT="10086"
V2RAYUUID="2633f6b5-0032-4f9e-ae1d-c21d9010cd27"
V2RAYLEVEL="1"
V2RAYAID="64"
$NOTE: Please ensure SGTCP/SGUDP and V2RAYPORT are the same value to guarantee that AWS enabled the specific TCP/UDP port for incoming connection which server-v2ray service listened.
NOTE: Please run './vlp purge; ./vlp build' to get the new V2Ray server configuration applied.
Credits to V2Ray
Fake domain, Duckdns domain, Duckdns token, Trojan password configuration for Trojan server
$ cat server-trojan/server-trojan.env
SGTCP="443:8443"
TRJPORT="443"
TRJPASS="TROJAN_PASSWORD"
TRJFAKEDOMAIN="www.microsoft.com"
DUCKDNSTOKEN="6ad424a4-1cc3-4cf7-87ec-0f61ce2c9416"
DUCKDNSDOMAIN="myduckdomain"
DUCKSUBDOMAINS="wildcard"
$NOTE: You need to register a free domain name on duckdns.org first.
NOTE: Please replace DUCKDNSTOKEN with the token obtained from the top of your duckdns.org home page after login.
NOTE: Please replace DUCKDNSDOMAIN with the domain name you registered on duckdns.org.
NOTE: Please run './vlp purge; ./vlp build' to get the new Trojan server configuration applied.
Credits to Trojan
Username, password and pre-shared secret configuration for Softether L2TP server
$ cat server-softether/server-softether.env
...
PSK=YOUR-SHARED-SECRET
USERS=user0:pass0;user1:pass1;
...
$NOTE: Please run './vlp purge && ./vlp build' to get the new L2TP server configuration applied.
Credits to Tomohisa Kusano and SoftEtherVPN
Local proxy configuration
SOCKS/HTTP/DNS port for local proxy
$ cat proxy-sslibev/proxy-sslibev.env
SOCKSPORT="1080"
HTTPPORT="8123"
DNSPORT="65353"
$NOTE: Please run './lproxy build' to get the new Shadowsocks client configuration applied.
Credits to shadowsocks-libev
Before running
Docker installation is necessary for running vlp and lproxy. curl and dig will be used by 'lproxy status' for connection test and diagnosis but not compulsory.
Dependencies installation for Ubuntu / Debian(Buster) / Raspbian
$ sudo apt-get update; sudo apt-get install docker.io git dnsutils curl whois
...
$ sudo usermod -aG docker `whoami`; exitDocker installation for Mac OSX
https://store.docker.com/editions/community/docker-ce-desktop-mac
Connect to the VPN server via Shadowsocks/V2Ray/Trojan protocol from mobile devices
Both "vlp build" and "vlp status --with-qrcode" spit QR
codes (for Shadowsocks, V2Ray and Trojan) to facilitate the connection
from mobile devices via QR supported app like Shadowrocket for iOS, or Shadowsocks, v2rayNG and Igniter
(QR code scanning is unavailable so far) for Android. Simply scanning
the QR code from these apps will create a new connection entry. Connect
to it and Enjoy.
All credits to qrcode-terminal
Connect to the VPN server via L2TP
https://www.softether.org/4-docs/2-howto/9.L2TPIPsec_Setup_Guide_for_SoftEther_VPN_Server
Cleaning Before upgrading
Image/container names may changed after upgrading. Please do the following before upgrading:
- purge VPN server(s) and local proxy container you previously created via 'vlp' and 'lproxy';
- Stop and remove existing vpnlaunchpad and lproxy containers;
- Remove existing vpnlaunchpad and lproxy images.
Please follow the instructions here to do the cleaning:
$ ./vlp purge
...
$ ./lproxy purge
...
$ docker stop `docker ps -a|grep samuelhbne|awk '{print $1}'`
$ docker rm `docker ps -a|grep samuelhbne|awk '{print $1}'`
$ docker rmi `docker images |grep samuelhbne|awk '{print $3}'`Running in dind (Docker in Docker) container
It is possible to run vpn-launchpad in dind container if Ubuntu is not your option. The following instructions will start a dind container with necessary local proxy port mappings, install package dependencies inside the container, create a non-root user with docker service access, and start vlp/lproxy consiquently.
$ docker run --privileged --name vlpdind -p 1080:1080 -p 8123:8123 -p 65353:65353 -d docker:stable-dind
$ docker exec -it vlpdind sh
/ # apk add bash shadow git curl bind-tools whois
/ # adduser -s /bin/bash -D vlp
/ # usermod -aG root vlp
/ # su - vlp
72d645e47cb2:~$ git clone https://github.com/samuelhbne/vpn-launchpad
72d645e47cb2:~$ cd vpn-launchpad/
72d645e47cb2:~/vpn-launchpad$ ./vlp init
72d645e47cb2:~/vpn-launchpad$ ./vlp build --without-random --with-v2ray
72d645e47cb2:~/vpn-launchpad$ ./lproxy build v2ray
...FAQ
from https://github.com/samuelhbne/vpn-launchpad
iphone-socks-proxy
SOCKS - SOCKS Proxy for iPhone # Copyright (C) 2009 Ehud Ben-Reuven # udi@benreuven.com This is an iPhone App that is a SOCS Proxy. It allows you to connect your laptop to the Internet through the iPhone's 3G/Edge connection (tethering.) If you want to install the application on your iPhone you will have to build and install the App from the the supplied code. * Pay Apple for iPhone development program * get a development certificat from Apple's developers portal * download the entire source code to a Mac * double click SOCKS.xcodeproj * in the left panel select Targers and then select SOCKS * press the "i" Info button on the top * select Properties tab * In the Identifier field change "symfi" to your company name * connect an iPhone using a cable * click Build and Debug In order for this to work you need to follow few steps Instructions for Mac: * On your laptop start an add-hoc Wi-Fi network: * System Preferences->Network * select AirPort * click on Network Name and select Create Network * in Name enter "mywifi", press OK, press Apply * Connect you iPhone to the add-hoc wifi network: * Settings->Wi-Fi * select "mywifi" * Run this SOCKS App on your iPhone * In the SOCS Proxy tab press Start * configure your laptop to use SOCKS: * System Preferences->Network->Advanced...->Proxies * select SOCKS proxy * in the SOCKS Proxy Server field enter the address and port that appear on your iPhone screen * press OK * press Apply
from https://github.com/halogenica/iphone-socks-proxy
-----
SOCKS server for iOS. Handy for defeating tethering speed limits, among other uses.
SOCKS5 server for iOS
This app implements a very simple SOCKS5 server for iOS. You can use it to increase your tethering speeds when they are artificially limited; other uses are possible.
It is not distributed via the App Store because it'd probably get rejected.
Usage is simple: download this repo, git submodule update, and then build & deploy from XCode. Then set your system/browser SOCKS5 proxy to whatever it says on the screen (e.g. 172.20.10.1:4884) and away you go.
UPDATE: Because sideloading apps is a pain, I recommend using nneonneo/iOS-SOCKS-Server instead; it's a Python script that can be easily loaded into Pythonista for iOS and used forever without sideloading restrictions.
from https://github.com/nneonneo/socks5-ios
-----
SOCKS proxy server for iOS designed for Pythonista .
What
A simple SOCKS proxy designed to run on Pythonista on iOS, letting you fake-tether your devices to a phone.
Installation
- Install Pythonista from the App Store. It's a paid app, but it's worth every penny if you are a power user.
- Download the code from GitHub.
- Open the Files app, navigate to Downloads, and tap on the zip file to uncompress it.
- Move the resulting
iOS-SOCKS-Serverfolder to the Pythonista iCloud directory - Open Pythonista, navigate to iCloud,
iOS-SOCKS-Serverand open thesocks5.pyscript. - Optionally, you can tap on the wrench and select
Shortcuts...to add the script to your home screen.
Running
- Connect your devices to the same WiFi network as your phone. If there's no suitable network, you can create a computer-to-computer (ad-hoc) network using your laptop and connect to it with your phone.
- Open the home screen shortcut (if you made one), or open the
socks5.pyscript in Pythonista and hit Run. - Point your devices at the SOCKS proxy listed (on port 9876), or point them at the PAC (proxy autoconfiguration) URL if they don't support setting a SOCKS proxy (e.g. other iOS devices).
Why
Recently, while travelling in China, I found out that Google Fi doesn't support tethering on iOS (I guess it's a feature they want to keep Android-exclusive or something?). Since my phone has a nice, fast, unblocked connection, I wanted to let my computer access it too.
I previously wrote Socks5-iOS for doing exactly this, but it turned out to be quite cumbersome to deploy and modify. Plus, the app expires frequently (if you don't have an iOS developer account), which makes it annoying if you need it in a pinch. Enter Pythonista - an App Store app which puts a complete Python interpreter on iOS.
This script can be used to implement a functional alternative to tethering, which I refer to fake-tethering. Fake-tethering has some substantial advantages over standard iOS tethering. It works even when carriers ban tethering, and it bypasses limits set on tethering speed since all connections originate from the phone.
While it's easiest to use this with websites, it's actually possible to tunnel any TCP connection over a SOCKS proxy. For example, here's how you would proxy an SSH connection:
ssh -o ProxyCommand='nc -X 5 -x <IP>:9876 %h %p' user@host
Troubleshooting
Doesn't work with an ad-hoc network on macOS
macOS appears to incorrectly assess the Internet as unreachable with an ad-hoc network, even if a proxy is configured. A workaround for this, tested on macOS 10.14, is described under issue #1.
from https://github.com/nneonneo/ios-socks-server