Deployment
Deploying trojan-rs with systemd, Docker, and performance tuning
systemd Service
Create a systemd unit file at /etc/systemd/system/trojan.service:
```ini
[Unit]
Description=trojan-rs server
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/trojan server -c /etc/trojan/config.toml
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=5

# Security hardening
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
ReadOnlyPaths=/etc/trojan
PrivateTmp=yes

# Resource limits
LimitNOFILE=65535

[Install]
WantedBy=multi-user.target
```

Load the unit, then enable and start the service:

```bash
sudo systemctl daemon-reload
sudo systemctl enable --now trojan

# View logs
sudo journalctl -u trojan -f

# Reload configuration
sudo systemctl reload trojan

# Restart
sudo systemctl restart trojan
```

Docker
Dockerfile
```dockerfile
# Multi-stage build: compile in the Rust image, ship only the binary in a slim runtime image
FROM rust:latest AS builder
WORKDIR /build
COPY . .
RUN cargo build --release

FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*
COPY --from=builder /build/target/release/trojan /usr/local/bin/
ENTRYPOINT ["trojan"]
CMD ["server", "-c", "/etc/trojan/config.toml"]
```

Docker Compose

```yaml
services:
  trojan:
    image: trojan-rs
    build: .
    ports:
      - "443:443"
      - "9100:9100" # metrics; use "127.0.0.1:9100:9100" to keep the endpoint off public interfaces
    volumes:
      - ./config.toml:/etc/trojan/config.toml:ro
      - ./certs:/etc/trojan/certs:ro
    restart: unless-stopped
    ulimits:
      nofile:
        soft: 65535
        hard: 65535
```

Run

```bash
docker compose up -d
docker compose logs -f
```

Performance Tuning
System Limits
Increase file descriptor limits for high connection counts:
```text
# /etc/security/limits.conf
* soft nofile 65535
* hard nofile 65535
```

These are per-process limits; also raise the kernel-wide file handle cap via sysctl:

```bash
echo "fs.file-max = 2097152" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```

TCP Stack Tuning
```text
# /etc/sysctl.conf

# Connection tracking
net.core.somaxconn = 65535
net.ipv4.tcp_max_syn_backlog = 65535

# TCP Fast Open
net.ipv4.tcp_fastopen = 3

# Buffer sizes
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

# TIME_WAIT reuse
net.ipv4.tcp_tw_reuse = 1

# Keepalive
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 5
```

Apply with `sysctl -p`.
trojan-rs Configuration for Performance
```toml
[server]
listen = "0.0.0.0:443"
fallback = "127.0.0.1:80"
max_connections = 50000

[server.tcp]
no_delay = true
keepalive_secs = 300
reuse_port = true # Multi-process scaling
fast_open = true  # Reduce connection latency

[server.resource_limits]
relay_buffer_size = 16384 # Larger relay buffer
connection_backlog = 4096 # Larger listener backlog
```

Multi-Process with SO_REUSEPORT
Run multiple server processes on the same port for multi-core scaling:

```toml
[server.tcp]
reuse_port = true
```

```bash
# Start multiple instances, one per CPU core
for i in $(seq 1 $(nproc)); do
  trojan server -c config.toml &
done
```

Or use systemd template units:

```ini
# /etc/systemd/system/trojan@.service
# Template unit: the [Unit], hardening and [Install] sections are the same as in trojan.service above
[Service]
ExecStart=/usr/local/bin/trojan server -c /etc/trojan/config.toml
```

```bash
sudo systemctl enable trojan@{1..4}
sudo systemctl start trojan@{1..4}
```

TLS Certificate Setup
Let's Encrypt with certbot
```bash
sudo apt install certbot
sudo certbot certonly --standalone -d your-domain.com
```

Auto-renewal

```text
# /etc/cron.d/certbot-trojan
# Runs monthly; certbot only renews certificates within 30 days of expiry,
# so a more frequent schedule (certbot's packaged timer runs twice daily) leaves more margin.
0 0 1 * * root certbot renew --quiet --deploy-hook "systemctl reload trojan"
```

Monitoring
Pair with Prometheus and Grafana:

```toml
[metrics]
listen = "127.0.0.1:9100"
```

See Metrics for the full metrics reference.
Security Checklist
- Run as a non-root user (use `CAP_NET_BIND_SERVICE` for port 443)
- Enable systemd security hardening (`NoNewPrivileges`, `ProtectSystem`)
- Use proper TLS certificates (not self-signed) in production
- Set up rate limiting to prevent abuse
- Monitor auth failure metrics for brute-force detection
- Keep the fallback server running to maintain HTTPS camouflage
- Restrict metrics endpoint to localhost or internal network
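The first two checklist items (non-root user with `CAP_NET_BIND_SERVICE`, systemd hardening) and the `SO_REUSEPORT` template unit from the Multi-Process section, combined into one complete hardened template unit. This is an added example, not a unit file shipped by the trojan-rs project; it assumes a dedicated `trojan` system user and group exist, that `/etc/trojan` (including the certificate files) is readable by that group, and that the server needs no writable paths.

```ini
# /etc/systemd/system/trojan@.service
# Example unit (not from the trojan-rs project); assumes user and group "trojan" exist.
[Unit]
Description=trojan-rs server (instance %i)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=trojan
Group=trojan
ExecStart=/usr/local/bin/trojan server -c /etc/trojan/config.toml
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=5

# Bind port 443 without root: grant only CAP_NET_BIND_SERVICE and drop
# every other capability from the bounding set.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes

# Filesystem: read-only system, no home directories, private /tmp and /dev;
# the config and certificate directory is explicitly read-only.
ProtectSystem=strict
ProtectHome=yes
ReadOnlyPaths=/etc/trojan
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes

# Kernel attack surface: only the socket families a TCP/TLS relay needs,
# no new namespaces, no realtime, no writable+executable memory, and the
# syscall set systemd recommends for ordinary network services.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service

# Resource limits
LimitNOFILE=65535

[Install]
WantedBy=multi-user.target
```

After `sudo systemctl daemon-reload` and `sudo systemctl start trojan@{1..4}`, `systemd-analyze security trojan@1.service` reports the remaining exposure score and which directives still allow it.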