But you can have acme.sh automatically issue a certificate for caddy to use.
First stop every program that is occupying ports 80/443, install socat, and issue once manually with acme.sh in standalone mode:
acme.sh --issue \
  -d =YOURIP= \
  --standalone \
  --server letsencrypt \
  --certificate-profile shortlived \
  --days 3
Then configure caddy:
mkdir -p /etc/caddy/certs
chown caddy:caddy /etc/caddy/certs
chmod 700 /etc/caddy/certs
/etc/caddy/Caddyfile:
{
    auto_https off
    servers {
        protocols h1 h2
    }
    order forward_proxy before file_server
}
:80 {
    handle /.well-known/acme-challenge/* {
        root * /var/www/letsencrypt
        file_server
    }
    handle {
        redir https://{host}{uri} permanent
    }
}
:443 {
    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/key.pem {
        protocols tls1.2 tls1.3
    }
    forward_proxy {
        basic_auth username password
        hide_ip
        hide_via
        probe_resistance
    }
    respond "OK"
}
Then install the certificate to the target location with acme.sh:
acme.sh --install-cert \
  -d =YOURIP= \
  --cert-file /etc/caddy/certs/cert.pem \
  --key-file /etc/caddy/certs/key.pem \
  --fullchain-file /etc/caddy/certs/fullchain.pem \
  --reloadcmd "chown caddy:caddy -R /etc/caddy/certs; systemctl reload caddy"
Restart caddy, then configure acme.sh to use the webroot method for subsequent automatic issuance:
acme.sh --issue --server letsencrypt \
  -d =YOURIP= \
  -w /var/www/letsencrypt \
  --certificate-profile shortlived \
  --days 3
After the steps above you should in theory be able to bypass the firewall over TCP (naiveproxy).
You need xcaddy to build a caddy with the forwardproxy module:
go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
~/go/bin/xcaddy build --with github.com/caddyserver/forwardproxy=github.com/klzgrad/forwardproxy@naive
UDP (tuic) will of course perform better.
Install and configure following tuic/tuic-server at main · Itsusinn/tuic · GitHub:
cargo install --git https://github.com/Itsusinn/tuic.git tuic-server
tuic-server --init
Things that need to be changed in config.toml:
server = "[::]:443"
data_dir = "/etc/tuics"
[users]
self_sign = false
certificate = "/etc/caddy/certs/fullchain.pem"
private_key = "/etc/caddy/certs/key.pem"
alpn = ["h3"]
hostname = "=YOURIP="
auto_ssl = false
Recommended server: Hosthatch
Seoul
$4/month, 1C2G
Reaches all three Chinese carriers via LG_DACOM, <80 ms latency, low packet loss during the evening peak (China Telecom, the worst, is still under 10%)
Geekbench 5 single-core score 1000 (same as Hetzner's CPX22)
Can saturate your bandwidth
Not on yt-dlp's IP blacklist.
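The post's --reloadcmd reloads caddy unconditionally, and with a short-lived profile renewed every 3 days a silently failed renewal leaves the proxy serving an expired or mismatched certificate. The script below is an added example, not from the post or from acme.sh or caddy, of a pre-reload check: it confirms the leaf certificate still has at least MIN_SECONDS of validity, that the private key matches it, and optionally that the IP you issued for is in the subjectAltName. The paths, the 86400-second threshold and the safe_reload wrapper are assumptions; only openssl is required.

```shell
#!/bin/sh
# Added example (not the original post's code). Assumed layout:
# /etc/caddy/certs/{fullchain,key}.pem, as in the post; adjust to your own.

# cert_check FULLCHAIN KEY MIN_SECONDS [EXPECTED_IP]
# Returns 0 when the leaf certificate is valid for at least MIN_SECONDS more,
# the private key matches it and, if EXPECTED_IP is given, that IP is in the SAN.
# Non-zero return codes identify which check failed.
cert_check() {
  fullchain=$1; key=$2; min_seconds=$3; expected_ip=$4

  [ -r "$fullchain" ] && [ -r "$key" ] \
    || { echo "cert_check: missing or unreadable file" >&2; return 1; }

  # 1. Not about to expire. -checkend exits non-zero if the cert expires
  #    within the given number of seconds, which catches a failed renewal.
  openssl x509 -in "$fullchain" -noout -checkend "$min_seconds" >/dev/null 2>&1 \
    || { echo "cert_check: certificate expires within ${min_seconds}s" >&2; return 2; }

  # 2. Key matches the leaf: the public key derived from each must be identical.
  cert_pub=$(openssl x509 -in "$fullchain" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "cert_check: private key does not match certificate" >&2; return 3; }

  # 3. Optional: the IP the cert was issued for is listed as an IP SAN.
  if [ -n "$expected_ip" ]; then
    openssl x509 -in "$fullchain" -noout -ext subjectAltName 2>/dev/null \
      | grep -qE "IP Address:${expected_ip}(,|$)" \
      || { echo "cert_check: ${expected_ip} not in subjectAltName" >&2; return 4; }
  fi
  return 0
}

# safe_reload [EXPECTED_IP]: drop-in for the post's --reloadcmd that refuses
# to reload caddy when the freshly installed files fail the checks above.
safe_reload() {
  cert_check /etc/caddy/certs/fullchain.pem /etc/caddy/certs/key.pem 86400 "$1" \
    || return $?
  chown -R caddy:caddy /etc/caddy/certs
  systemctl reload caddy
}
```

Save it as, say, /usr/local/bin/caddy-cert-reload and point --reloadcmd at `safe_reload =YOURIP=`; acme.sh treats a non-zero exit from the reload command as a failure, so a bad renewal shows up in its log instead of in a dead proxy.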