ishenwei/nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a1636ec67aca94e51875888959470ad4549fd8f5
nexus/raw/Home Office/群晖NAS科学上网方法.md

220 lines
8.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
title: 测试 Google 连接(强制走代理端口,假设 HTTP 端口是 20171
source:
author: shenwei
published:
created: 2025-03-08
description:
tags: [docker, nas, synology, v2raya, vpn]
---
#v2raya #nas #synology #vpn #docker
```table-of-contents
```
## 安装V2RayA
1. Docker Desktop pull image: **mz2017/v2raya**
2. 通过以下方法把v2raya的images load到NAS Docker里 [[🟠如何传输Docker images 并且在另一个Docker安装|🟠如何传输Docker images 并且在另一个Docker安装]]
3. 参考[v2raya官方网站](https://v2raya.org/) 里的关于[V2RayA Docker安装文档](https://v2raya.org/docs/prologue/installation/docker/)用以下命令来启动 V2RayA:
```
docker run -d \
--restart=always \
--privileged \
--network=host \
--name v2raya \
-e V2RAYA_LOG_FILE=/tmp/v2raya.log \
-e V2RAYA_V2RAY_BIN=/usr/local/bin/v2ray \
-e V2RAYA_NFTABLES_SUPPORT=off \
-e IPTABLES_MODE=legacy \
-v /lib/modules:/lib/modules:ro \
-v /etc/resolv.conf:/etc/resolv.conf \
-v /docker/v2raya:/etc/v2raya \
mzz2017/v2raya
```
**请注意 ==/docker/v2raya== 为实际在NAS上创建的目录其他配置不用修改**
## 启动V2RayA
http://192.168.3.17:2017/
## 配置V2RayA让NAS上的Docker可以科学上网
![[IMG-20251229190624430.png]]
![[IMG-20251229190624730.png]]
在Synology DSM环境下要验证透明代理是否对Host即NAS本机也就是负责执行 `docker pull` 的守护进程)生效,请按照以下逻辑进行排查和验证。
---
### 第一步:在 v2rayA 后台“打开开关”
仅仅运行容器是不够的你必须在Web界面配置路由规则。
1. 打开浏览器访问 `http://<NAS_IP>:2017`。
2. 进入 **设置 (Settings)** -> **透明代理 (Transparent Proxy)**。
3. **核心设置:**
- **启用 (Enable):** 开启。
- **分流模式 (Traffic Splitting):** 建议选择 **"大陆白名单 (Whitelist of Mainland China)"**。这会确保国内流量直连国外流量包括Docker Hub走代理。
- **实现方式:** 既然你在启动命令里加了 `IPTABLES_MODE=legacy`,这里通常保持默认即可。
4. 点击右上角 **保存并应用**。
> **⚠️ 风险提示:** 在NAS上开启透明代理尤其是Host模式有极小概率会导致局域网连接中断。如果你正在远程操作请确保有备用连接方案如QuickConnect或同局域网设备
---
### 第二步:验证 NAS 本机的连通性 (SSH)
SSH 登录到你的群晖 NAS按顺序执行以下测试。
**1. 测试端口监听是否正常** 先确认代理端口是通的:
Bash
```
# 测试 Google 连接(强制走代理端口,假设 HTTP 端口是 20171
curl -I -x http://127.0.0.1:20171 https://www.google.com
```
正确·结果:
``` bash
ash-4.4# curl -I -x http://127.0.0.1:20171 https://www.google.com
HTTP/1.1 200 Connection established
HTTP/2 200
content-type: text/html; charset=ISO-8859-1
content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-Yp5bWu7rNq-vtmDGkOlBXQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
accept-ch: Sec-CH-Prefers-Color-Scheme
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
date: Fri, 19 Dec 2025 03:11:44 GMT
server: gws
x-xss-protection: 0
x-frame-options: SAMEORIGIN
expires: Fri, 19 Dec 2025 03:11:44 GMT
cache-control: private
set-cookie: AEC=AaJma5vsWePrX0JcVuFI8-_KwORsyiWxthLxJF9At74ncKOuryIHfjWKpw; expires=Wed, 17-Jun-2026 03:11:44 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
set-cookie: NID=527=w38RE1jq1xO007vl-G-dXmylbeNcX6RrVZsaz16KpJm-VmBVO-dUI4hyW4bqbNK6v3PDNKsGQXeJK8d6n6V9pXHHo5ljqr9FeRMsUwX3Ou1v-hnlKhgIVvCPacBGU-DH3X9WmVgHAMe9ZFMml-RoYQYTLq7-l342kDivOJw7kfuJDnx9ovYV2mATeK11m2PCGL-AcQVDQABuivlpPR4jH22zQ7d7viAmrQ; expires=Sat, 20-Jun-2026 03:11:44 GMT; path=/; domain=.google.com; HttpOnly
set-cookie: __Secure-BUCKET=CPwD; expires=Wed, 17-Jun-2026 03:11:44 GMT; path=/; domain=.google.com; Secure; HttpOnly
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
```
- **成功:** 返回 `HTTP/1.1 200 OK` 或 `301`。
- **失败:** 检查 v2rayA 端口映射或节点连接状态。
**2. 测试透明代理是否生效 (关键步骤)** 不加 `-x` 参数,直接访问,看流量是否被劫持:
Bash
```
curl -I https://www.google.com
```
正确结果:
``` bash
ash-4.4# curl -I https://www.google.com
HTTP/2 200
content-type: text/html; charset=ISO-8859-1
content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-aSgzymp_JxooD_Xigz-OgA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
accept-ch: Sec-CH-Prefers-Color-Scheme
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
date: Fri, 19 Dec 2025 03:12:46 GMT
server: gws
x-xss-protection: 0
x-frame-options: SAMEORIGIN
expires: Fri, 19 Dec 2025 03:12:46 GMT
cache-control: private
set-cookie: AEC=AaJma5sAaR7bW6DxFcTK7qYEJTzl5WO0BYlgJZwxrqpXEi_I3xcW5GckOA; expires=Wed, 17-Jun-2026 03:12:46 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
set-cookie: NID=527=kjjqA9JJyZpXTZGor0foKUDy_xoODeloa9HmubM9DXlCdPwWyNAcgkUMSlKI_ddkcWWIdnD_NqC3GZEN4Yt476PWJXPTjgJqvSSBtEbQ7fY5eM295GEKNwaykECAABE9yELqHgh-VmxRmp8ri4XUYByN11ryyVNI4wgnblCMzfwKRHnfJhCvA7g2IvEdOm2ldJ2ZM8lAQSiRY_CTheXpMZXsq_kIegSt2w; expires=Sat, 20-Jun-2026 03:12:46 GMT; path=/; domain=.google.com; HttpOnly
set-cookie: __Secure-BUCKET=CI8G; expires=Wed, 17-Jun-2026 03:12:46 GMT; path=/; domain=.google.com; Secure; HttpOnly
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
```
- **如果返回 200/301** 说明透明代理已经接管了 NAS 的出站流量。你的 `docker pull` 应该可以直接成功。
- **如果超时/无法连接:** 说明透明代理未对 Host 生效,或者 DSM 的防火墙/路由表与 v2rayA 的规则冲突(这在群晖上很常见)。
---
### 第三步:验证 Docker Pull
如果第二步成功,直接尝试拉取一个通常较慢或被墙的镜像:
Bash
```
# 使用 docker pull 测试docker-compose pull 本质也是调用的 daemon
docker pull google/pause
# 或者
docker pull busybox
```
正确结果
``` bash
ash-4.4# docker pull google/pause
Using default tag: latest
latest: Pulling from google/pause
Image docker.io/google/pause:latest uses outdated schema1 manifest format. Please upgrade to a schema2 image for better future compatibility. More information at https://docs.docker.com/registry/spec/deprecated-schema-v1/
a3ed95caeb02: Already exists
f72a00a23f01: Already exists
Digest: sha256:e8fc56926ac3d5705772f13befbaee3aa2fc6e9c52faee3d96b26612cd77556c
Status: Image is up to date for google/pause:latest
docker.io/google/pause:latest
```
### 如果透明代理对 Docker Daemon 无效(常见情况)
在群晖 DSM 7.x 中Docker Daemon (`dockerd`) 的网络栈有时候不会完全遵循 v2rayA 修改的 iptables 规则。如果上面的 `docker pull` 仍然慢或失败,**不要死磕透明代理**,直接配置 Docker 守护进程走 HTTP 代理是最稳妥的方案。
**解决方案:配置 Docker Daemon 代理**
1. **编辑/创建配置目录:**
Bash
```
sudo mkdir -p /etc/systemd/system/pkg-ContainerManager-dockerd.service.d/
# 注意DSM 7.2 叫 ContainerManager旧版叫 Docker
```
2. **创建代理配置文件:**
Bash
```
sudo vi /etc/systemd/system/pkg-ContainerManager-dockerd.service.d/http-proxy.conf
```
3. **写入以下内容:**
``` bash
[Service]
Environment="HTTP_PROXY=http://127.0.0.1:20171"
Environment="HTTPS_PROXY=http://127.0.0.1:20171"
Environment="NO_PROXY=localhost,127.0.0.1,192.168.*,*.synology.me"
```
4. **重载并重启 Docker 服务:**
Bash
```
sudo systemctl daemon-reload
sudo systemctl restart pkg-ContainerManager-dockerd
```
### 总结
- **验证方法:** 先用 `curl -x` 测端口,再用 `curl` 测直连,最后用 `docker pull` 实战。
- **经验之谈:** 对于企业级或生产环境即使是SOHO我建议**不要**依赖 NAS Host 的透明代理来解决 `docker pull` 问题,因为这修改了系统级路由表,容易影响 NAS 其他服务。**显式配置 Docker Daemon 的 Proxy 环境变量(上面的最后一种方法)是更符合 Engineering Best Practice 的做法。**
Reference in New Issue View Git Blame Copy Permalink