99 个稳定版本
| 1.20.4 | 2024 年 8 月 15 日 |
|---|---|
| 1.20.3 | 2024 年 7 月 28 日 |
| 1.20.1 | 2024 年 6 月 20 日 |
| 1.18.2 | 2024 年 3 月 13 日 |
| 0.9.15 | 2016 年 11 月 5 日 |
在 网络编程 中排名第 54
每月 805 次下载
2.5MB
64K SLoC
shadowsocks
这是 shadowsocks 的一个端口。
shadowsocks 是一种快速隧道代理,帮助您绕过防火墙。
| 库 | 描述 |
|---|---|
| shadowsocks |   shadowsocks 核心协议 |
| shadowsocks-service |   提供shadowsocks服务的组件 |
| shadowsocks-rust | 运行常见shadowsocks服务的二进制文件 |
相关项目
- spyophobia/shadowsocks-gtk-rs 使用 GTK 为
sslocal在 Linux 上提供的 GUI,讨论 - honwen/openwrt-shadowsocks-rust 为
sslocal提供的 OpenWRT 解决方案,讨论 - cg31/shadowsocks-windows-gui-rust Windows GUI 客户端,讨论
构建 & 安装
可选特性
-
hickory-dns- 使用hickory-resolver作为 DNS 解析器,而不是tokio内置的。 -
local-http- 允许使用 HTTP 协议进行sslocal-
local-http-native-tls- 支持 HTTPS,使用native-tls -
local-http-rustls- 支持 HTTPS,使用rustls
-
-
local-tunnel- 允许使用隧道协议进行sslocal -
local-socks4- 允许使用 SOCKS4/4a 协议进行sslocal -
local-redir- 允许使用 redir(透明代理)协议进行sslocal -
local-dns- 允许使用 dns 协议进行sslocal,作为 DNS 服务器代理查询本地或远程 DNS 服务器,通过 ACL 规则 -
local-fake-dns- 假 DNS,从特定的 IP 池中为每个单独的查询分配一个 IP 地址 -
local-tun- TUN 接口支持sslocal -
local-online-config- SIP008 在线配置交付 -
stream-cipher- 启用已弃用的流加密。警告:流加密是不安全的! -
aead-cipher-extra- 启用非标准 AEAD 加密 -
aead-cipher-2022- 启用 AEAD-2022 加密(SIP022) -
aead-cipher-2022-extra- 启用 AEAD-2022 额外加密(非标准加密)
内存分配器
此项目使用系统(libc)内存分配器(Rust 的默认分配器)。但它也允许您通过特性使用其他著名分配器
jemalloc- 使用 jemalloc 作为全局内存分配器mimalloc- 使用 mi-malloc 作为全局内存分配器tcmalloc- 使用 TCMalloc 作为全局内存分配器。默认尝试链接系统级 tcmalloc,使用tcmalloc-vendored从源代码中打包。snmalloc- 使用 snmalloc 作为全局内存分配器rpmalloc- 使用 rpmalloc 作为全局内存分配器
crates.io
从 crates.io 安装
# Install from crates.io
cargo install shadowsocks-rust
然后您可以在 $CARGO_HOME/bin 中找到 sslocal 和 ssserver
使用 Homebrew 安装
对于 macOS 和 Linux,您可以使用 Homebrew 安装它
brew install shadowsocks-rust
使用 snap 安装
# Install from snapstore
snap install shadowsocks-rust
# List services
snap services shadowsocks-rust
# Enable and start shadowsocks-rust.sslocal-daemon snap service
snap start --enable shadowsocks-rust.sslocal-daemon
# Show generated systemd service status
systemctl status snap.shadowsocks-rust.sslocal-daemon.service
# Override generated systemd service (configure startup options)
systemctl edit snap.shadowsocks-rust.sslocal-daemon.service
## NOTE: you can pass args to sslocal:
## [Service]
## ExecStart=
## ExecStart=/usr/bin/snap run shadowsocks-rust.sslocal-daemon -b "127.0.0.1:1080" --server-url "ss://...."
# Restart generated systemd service to apply changes
systemctl restart snap.shadowsocks-rust.sslocal-daemon.service
# ... and show service status
systemctl status snap.shadowsocks-rust.sslocal-daemon.service
下载发布版本
在此 处 下载静态链接构建版本。
build-windows: 为x86_64-pc-windows-msvc构建build-linux: 为x86_64-unknown-linux-gnu构建,Debian 9(Stretch),GLIBC 2.18build-docker: 为x86_64-unknown-linux-musl、x86_64-pc-windows-gnu等(静态链接)构建
Docker
此项目为 linux/i386、linux/amd64 和 linux/arm64/v8 架构提供了 Docker 镜像。
⚠️ 默认情况下,Docker容器无法访问IPv6:请确保在客户端禁用IPv6路由或启用Docker容器的IPv6访问。
从GitHub容器注册库拉取
Docker将从我们的GitHub软件包中拉取相应架构的镜像。
docker pull ghcr.io/shadowsocks/sslocal-rust:latest
docker pull ghcr.io/shadowsocks/ssserver-rust:latest
在本地机器上构建(可选)
如果您想自己构建Docker镜像,您需要使用BuildX。
docker buildx build -t shadowsocks/ssserver-rust:latest -t shadowsocks/ssserver-rust:v1.15.2 --target ssserver .
docker buildx build -t shadowsocks/sslocal-rust:latest -t shadowsocks/sslocal-rust:v1.15.2 --target sslocal .
运行容器
您需要将配置文件挂载到容器中,并为容器创建一个外部端口映射,以便容器能够连接到它。
docker run --name sslocal-rust \
--restart always \
-p 1080:1080/tcp \
-v /path/to/config.json:/etc/shadowsocks-rust/config.json \
-dit ghcr.io/shadowsocks/sslocal-rust:latest
docker run --name ssserver-rust \
--restart always \
-p 8388:8388/tcp \
-p 8388:8388/udp \
-v /path/to/config.json:/etc/shadowsocks-rust/config.json \
-dit ghcr.io/shadowsocks/ssserver-rust:latest
部署到Kubernetes
该项目提供了部署到Kubernetes的yaml配置文件。
您可以使用k8s Service来公开流量,如LoadBalancer或NodePort,与固定主机或端口的比较更为精细。
对于更有趣的使用场景,您可以使用Ingress(Istio、nginx等),它将匹配的流量路由到shadowsocks,同时与真实Web服务一起。
使用kubectl
kubectl apply-f https://github.com/shadowsocks/shadowsocks-rust/raw/master/k8s/shadowsocks-rust.yaml
您可以通过编辑名为shadowsocks-rust的ConfigMap来更改配置。
为了更精细的控制,请使用helm。
使用helm
helm install my-release k8s/chart-f my-values.yaml
以下是您可以更改的常见默认值
# This is the shadowsocks config which will be mount to /etc/shadowocks-rust.
# You can put arbitrary yaml here, and it will be translated to json before mounting.
servers:
- server: "::"
server_port: 8388
service_port: 80 # the k8s service port, default to server_port
password: mypassword
method: aes-256-gcm
fast_open: true
mode: tcp_and_udp
# plugin: v2ray-plugin
# plugin_opts: server;tls;host=github.com
# Whether to download v2ray and xray plugin.
downloadPlugins: false
# Name of the ConfigMap with config.json configuration for shadowsocks-rust.
configMapName: ""
service:
# Change to LoadBalancer if you are behind a cloud provider like aws, gce, or tke.
type: ClusterIP
# Bind shadowsocks port port to host, i.e., we can use host:port to access shawdowsocks server.
hostPort: false
replicaCount: 1
image:
repository: ghcr.io/shadowsocks/ssserver-rust
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: "latest"
从源代码构建
使用cargo构建。注意:**RAM >= 2GiB**
cargo build --release
然后,sslocal和ssserver将出现在./target/(debug|release)/中,它们的工作方式与官方ShadowSocks实现中的两个二进制文件类似。
make install TARGET=release
然后,sslocal、ssserver、ssmanager和ssurl将被安装到/usr/local/bin(变量PREFIX)中。
对于Windows用户,如果您在构建过程中遇到了任何问题,请检查并在#102中讨论。
目标CPU优化
如果您正在为当前CPU平台构建(例如,在您的个人电脑上构建和运行),建议设置target-cpu=native特性,让rustc为正在运行编译器的CPU生成和优化代码。
export RUSTFLAGS="-C target-cpu=native"
构建独立二进制文件
要求
- Docker
./build/build-release
然后,sslocal、ssserver、ssmanager和ssurl将被打包在
./build/shadowsocks-${VERSION}-stable.x86_64-unknown-linux-musl.tar.xz./build/shadowsocks-${VERSION}-stable.x86_64-pc-windows-gnu.zip
阅读Cargo.toml以获取更多详细信息。
入门指南
使用以下命令为特定的加密方法(例如,示例中的aes-128-gcm)生成一个安全且安全的密码:
ssservice genkey -m "aes-128-gcm"
创建ShadowSocks的配置文件。示例
{
"server": "my_server_ip",
"server_port": 8388,
"password": "rwQc8qPXVsRpGx3uW+Y3Lj4Y42yF9Bs0xg1pmx8/+bo=",
"method": "aes-256-gcm",
// ONLY FOR `sslocal`
// Delete these lines if you are running `ssserver` or `ssmanager`
"local_address": "127.0.0.1",
"local_port": 1080
}
配置文件的详细说明可以在shadowsocks的文档中找到。!(链接到原始项目,不再维护!)
⚠️ 对于snap安装,配置文件很可能位于
/var/snap/shadowsocks-rust/common/etc/shadowsocks-rust/config.json(见https://github.com/shadowsocks/shadowsocks-rust/issues/621 / https://github.com/shadowsocks/shadowsocks-rust/issues/1146)
在 shadowsocks-rust 中,我们还支持扩展配置文件格式,可以定义多个服务器。您也可以禁用单个服务器。
{
"servers": [
{
"server": "127.0.0.1",
"server_port": 8388,
"password": "rwQc8qPXVsRpGx3uW+Y3Lj4Y42yF9Bs0xg1pmx8/+bo=",
"method": "aes-256-gcm",
"timeout": 7200
},
{
"server": "127.0.0.1",
"server_port": 8389,
"password": "/dliNXn5V4jg6vBW4MnC1I8Jljg9x7vSihmk6UZpRBM=",
"method": "chacha20-ietf-poly1305"
},
{
"disabled": true,
"server": "eg.disable.me",
"server_port": 8390,
"password": "mGvbWWay8ueP9IHnV5F1uWGN2BRToiVCAWJmWOTLU24=",
"method": "chacha20-ietf-poly1305"
}
],
// ONLY FOR `sslocal`
// Delete these lines if you are running `ssserver` or `ssmanager`
"local_port": 1080,
"local_address": "127.0.0.1"
}
sslocal 会自动选择延迟最低、可用性最高的服务器。
使用以下命令启动 Shadowsocks 客户端和服务器
sslocal -c config.json
ssserver -c config.json
如果您使用 Cargo 构建
cargo run --bin sslocal -- -c config.json
cargo run --bin ssserver -- -c config.json
使用 -h 列出所有可用参数。
用法
使用配置文件启动本地客户端
# Read local client configuration from file
sslocal -c /path/to/shadowsocks.json
Socks5 本地客户端
# Pass all parameters via command line
sslocal -b "127.0.0.1:1080" -s "[::1]:8388" -m "aes-256-gcm" -k "hello-kitty" --plugin "v2ray-plugin" --plugin-opts "server;tls;host=github.com"
# Pass server with SIP002 URL
sslocal -b "127.0.0.1:1080" --server-url "ss://[email protected]:8388/?plugin=v2ray-plugin%3Bserver%3Btls%3Bhost%3Dgithub.com"
HTTP 本地客户端
sslocal -b "127.0.0.1:3128" --protocol http -s "[::1]:8388" -m "aes-256-gcm" -k "hello-kitty"
所有参数与 Socks5 客户端相同,除了 --protocol http。
隧道本地客户端
# Set 127.0.0.1:8080 as the target for forwarding to
sslocal --protocol tunnel -b "127.0.0.1:3128" -f "127.0.0.1:8080" -s "[::1]:8388" -m "aes-256-gcm" -k "hello-kitty"
--protocol tunnel启用本地客户端隧道模式-f "127.0.0.1:8080设置隧道目标地址
透明代理本地客户端
注意:目前仅支持
- Linux(使用
iptables目标REDIRECT和TPROXY) - BSDs(使用
pf),例如 OS X 10.10+、FreeBSD 等
sslocal -b "127.0.0.1:60080" --protocol redir -s "[::1]:8388" -m "aes-256-gcm" -k "hello-kitty" --tcp-redir "redirect" --udp-redir "tproxy"
使用 iptables 配置将连接重定向到 sslocal 监听的端口。
--protocol redir启用本地客户端 Redir 模式- (可选)
--tcp-redir将 TCP 模式设置为REDIRECT(Linux) - (可选)
--udp-redir将 UDP 模式设置为TPROXY(Linux)
Tun 接口客户端
注意:目前仅支持
- Linux、Android
- macOS、iOS
- Windows
Linux
创建名为 tun0 的 Tun 接口
ip tuntap add mode tun tun0
ifconfig tun0 inet 10.255.0.1 netmask 255.255.255.0 up
使用 --protocol tun 启动 sslocal 并绑定到 tun0
sslocal --protocol tun -s "[::1]:8388" -m "aes-256-gcm" -k "hello-kitty" --outbound-bind-interface lo0 --tun-interface-name tun0
macOS
sslocal --protocol tun -s "[::1]:8388" -m "aes-256-gcm" -k "hello-kitty" --outbound-bind-interface lo0 --tun-interface-address 10.255.0.1/24
它将创建一个具有地址 10.255.0.1 和子网掩码 255.255.255.0
Windows
从 Wintun 下载 wintun.dll,并将其放置在 shadowsocks 可执行文件的文件夹中,或放置在系统 PATH 中。
sslocal --protocol tun -s "[::1]:8388" -m "aes-256-gcm" -k "hello-kitty" --outbound-bind-interface "Ethernet 0" --tun-interface-name "shadowsocks"
Windows 服务本地客户端
通过启用 --features "winservice"(默认构建不包括)编译它
cargo build --release --bin "sswinservice" --features "winservice"
将安装为 Windows 服务(PowerShell)
New-Service -Name "shadowsocks-local-service" `
-DisplayName "Shadowsocks Local Service" `
-BinaryPathName "<Path\to>\sswinservice.exe local -c <Path\to>\local_config.json"
还有其他方法可以将 sswinservice 作为 Windows 服务安装,例如 sc 命令。
如您所注意到的,-BinaryPathName 不仅包含 sswinservice.exe,还包括 local -c local_config.json。这些命令行参数将在 Windows 服务启动时用作默认参数。您也可以使用自定义参数启动服务。
更多请参阅 Microsoft 的文档。
sswinservice 的参数与 ssservice 完全相同。它支持 local、server 和 manager 子命令。
服务器
# Read server configuration from file
ssserver -c /path/to/shadowsocks.json
# Pass all parameters via command line
ssserver -s "[::]:8388" -m "aes-256-gcm" -k "hello-kitty" --plugin "v2ray-plugin" --plugin-opts "server;tls;host=github.com"
服务器管理器
支持的 管理多个用户 API
add- 启动服务器实例remove- 删除现有服务器实例list- 列出所有当前运行的服务器ping- 列出所有服务器的统计数据
注意:不支持 stat 命令。因为服务器与管理者本身在同一进程中运行。
# Start it just with --manager-address command line parameter
ssmanager --manager-address "127.0.0.1:6100"
# For *nix system, manager can bind to unix socket address
ssmanager --manager-address "/tmp/shadowsocks-manager.sock"
# You can also provide a configuration file
#
# `manager_address` key must be provided in the configuration file
ssmanager -c /path/to/shadowsocks.json
# Create one server by UDP
echo 'add: {"server_port":8388,"password":"hello-kitty"}' | nc -u '127.0.0.1' '6100'
# Close one server by unix socket
echo 'remove: {"server_port":8388}' | nc -Uu '/tmp/shadowsocks-manager.sock'
对于管理者UI,更多详细信息请查看 shadowsocks-manager 项目。
示例配置
{
// Required option
// Address that ssmanager is listening on
"manager_address": "127.0.0.1",
"manager_port": 6100,
// Or bind to a Unix Domain Socket
"manager_address": "/tmp/shadowsocks-manager.sock",
"servers": [
// These servers will be started automatically when ssmanager is started
],
// Outbound socket binds to this IP address
// For choosing different network interface on the same machine
"local_address": "xxx.xxx.xxx.xxx",
// Other options that may be passed directly to new servers
}
配置
{
// LOCAL: Listen address. This is exactly the same as `locals[0]`
// SERVER: Bind address for remote sockets, mostly used for choosing interface
// Don't set it if you don't know what's this for.
"local_address": "127.0.0.1",
"local_port": 1080,
// Extended multiple local configuration
"locals": [
{
// Basic configuration, a SOCKS5 local server
"local_address": "127.0.0.1",
"local_port": 1080,
// OPTIONAL. Setting the `mode` for this specific local server instance.
// If not set, it will derive from the outer `mode`
"mode": "tcp_and_udp",
// OPTIONAL. Authentication configuration file
// Configuration file document could be found in the next section.
"socks5_auth_config_path": "/path/to/auth.json",
// OPTIONAL. Instance specific ACL
"acl": "/path/to/acl/file.acl",
// OPTIONAL. macOS launchd activate socket
"launchd_tcp_socket_name": "TCPListener",
"launchd_udp_socket_name": "UDPListener"
},
{
// SOCKS5, SOCKS4/4a local server
"protocol": "socks",
// Listen address
"local_address": "127.0.0.1",
"local_port": 1081,
// OPTIONAL. Enables UDP relay
"mode": "tcp_and_udp",
// OPTIONAL. Customizing the UDP's binding address. Depending on `mode`, if
// - TCP is enabled, then SOCKS5's UDP Association command will return this address
// - UDP is enabled, then SOCKS5's UDP server will listen to this address.
"local_udp_address": "127.0.0.1",
"local_udp_port": 2081,
// OPTIONAL. macOS launchd activate socket
"launchd_tcp_socket_name": "TCPListener",
"launchd_udp_socket_name": "UDPListener"
},
{
// Tunnel local server (feature = "local-tunnel")
"protocol": "tunnel",
// Listen address
"local_address": "127.0.0.1",
"local_port": 5353,
// Forward address, the target of this tunnel
// In this example, this will build a `127.0.0.1:5353` -> `8.8.8.8:53` tunnel
"forward_address": "8.8.8.8",
"forward_port": 53,
// OPTIONAL. Customizing whether to start TCP and UDP tunnel
"mode": "tcp_only",
// OPTIONAL. macOS launchd activate socket
"launchd_tcp_socket_name": "TCPListener",
"launchd_udp_socket_name": "UDPListener"
},
{
// HTTP local server (feature = "local-http")
"protocol": "http",
// Listen address
"local_address": "127.0.0.1",
"local_port": 3128,
// OPTIONAL. macOS launchd activate socket
"launchd_tcp_socket_name": "TCPListener"
},
{
// DNS local server (feature = "local-dns")
// This DNS works like China-DNS, it will send requests to `local_dns` and `remote_dns` and choose by ACL rules
"protocol": "dns",
// Listen address
"local_address": "127.0.0.1",
"local_port": 53,
// OPTIONAL. DNS local server uses `tcp_and_udp` mode by default
"mode": "udp_only",
// Local DNS address, DNS queries will be sent directly to this address
"local_dns_address": "114.114.114.114",
// OPTIONAL. Local DNS's port, 53 by default
"local_dns_port": 53,
// Remote DNS address, DNS queries will be sent through ssserver to this address
"remote_dns_address": "8.8.8.8",
// OPTIONAL. Remote DNS's port, 53 by default
"remote_dns_port": 53,
// OPTIONAL. dns client cache size for fetching dns queries.
"client_cache_size": 5,
// OPTIONAL. macOS launchd activate socket
"launchd_tcp_socket_name": "TCPListener",
"launchd_udp_socket_name": "UDPListener"
},
{
// Tun local server (feature = "local-tun")
"protocol": "tun",
// Tun interface name
"tun_interface_name": "tun0",
// Tun interface address
//
// It has to be a host address in CIDR form
"tun_interface_address": "10.255.0.1/24"
},
{
// Transparent Proxy (redir) local server (feature = "local-redir")
"protocol": "redir",
// OPTIONAL: TCP type, may be different between platforms
// Linux/Android: redirect (default), tproxy
// FreeBSD/OpenBSD: pf (default), ipfw
// NetBSD/macOS/Solaris: pf (default), ipfw
"tcp_redir": "tproxy",
// OPTIONAL: UDP type, may be different between platforms
// Linux/Android: tproxy (default)
// FreeBSD/OpenBSD: pf (default)
"udp_redir": "tproxy"
},
{
// FakeDNS local server (feature = "local-fake-dns")
// FakeDNS is a DNS server that allocates an IPv4 / IPv6 address in a specific pool for each queries.
// Subsequence requests from the other local interfaces that the target addresses includes those allocated IP addresses,
// will be substituted back to their original domain name addresses.
// This feature is useful mostly for transparent proxy, which will allow the proxied domain names to be resolved remotely.
"protocol": "fake-dns",
// Listen address
"local_address": "127.0.0.1",
"local_port": 10053,
// IPv4 address pool (for A records)
"fake_dns_ipv4_network": "10.255.0.0/16",
// IPv6 address pool (for AAAA records)
"fake_dns_ipv6_network": "fdf2:e786:ab40:9d2f::/64",
// Persistent storage for all allocated DNS records
"fake_dns_database_path": "/var/shadowsocks/fakedns.db",
// OPTIONAL: Record expire duration in seconds, 10s by default
"fake_dns_record_expire_duration": 10
}
],
// Server configuration
// listen on :: for dual stack support, no need add [] around.
"server": "::",
// Change to use your custom port number
"server_port": 8388,
"method": "aes-256-gcm",
"password": "your-password",
"plugin": "v2ray-plugin",
"plugin_opts": "mode=quic;host=github.com",
"plugin_args": [
// Each line is an argument passed to "plugin"
"--verbose"
],
"plugin_mode": "tcp_and_udp", // SIP003u, default is "tcp_only"
// Server: TCP socket timeout in seconds.
// Client: TCP connection timeout in seconds.
// Omit this field if you don't have specific needs.
"timeout": 7200,
// Extended multiple server configuration
// LOCAL: Choosing the best server to connect dynamically
// SERVER: Creating multiple servers in one process
"servers": [
{
// Fields are the same as the single server's configuration
// Individual servers can be disabled
// "disabled": true,
"address": "0.0.0.0",
"port": 8389,
"method": "aes-256-gcm",
"password": "your-password",
"plugin": "...",
"plugin_opts": "...",
"plugin_args": [],
"plugin_mode": "...",
"timeout": 7200,
// Customized weight for local server's balancer
//
// Weight must be in [0, 1], default is 1.0.
// The higher weight, the server may rank higher.
"tcp_weight": 1.0,
"udp_weight": 1.0,
// OPTIONAL. Instance specific ACL
"acl": "/path/to/acl/file.acl",
},
{
// Same key as basic format "server" and "server_port"
"server": "0.0.0.0",
"server_port": 8388,
"method": "chacha20-ietf-poly1305",
// Read the actual password from environment variable PASSWORD_FROM_ENV
"password": "${PASSWORD_FROM_ENV}"
},
{
// AEAD-2022
"server": "::",
"server_port": 8390,
"method": "2022-blake3-aes-256-gcm",
"password": "3SYJ/f8nmVuzKvKglykRQDSgg10e/ADilkdRWrrY9HU=",
// For Server (OPTIONAL)
// Support multiple users with Extensible Identity Header
// https://github.com/Shadowsocks-NET/shadowsocks-specs/blob/main/2022-2-shadowsocks-2022-extensible-identity-headers.md
"users": [
{
"name": "username",
// User's password must have the same length as server's password
"password": "4w0GKJ9U3Ox7CIXGU4A3LDQAqP6qrp/tUi/ilpOR9p4="
}
],
// For Client (OPTIONAL)
// If EIH enabled, then "password" should have the following format: iPSK:iPSK:iPSK:uPSK
// - iPSK is one of the middle relay servers' PSK, for the last `ssserver`, it must be server's PSK ("password")
// - uPSK is the user's PSK ("password")
// Example:
// "password": "3SYJ/f8nmVuzKvKglykRQDSgg10e/ADilkdRWrrY9HU=:4w0GKJ9U3Ox7CIXGU4A3LDQAqP6qrp/tUi/ilpOR9p4="
}
],
// Global configurations for UDP associations
"udp_timeout": 300, // Timeout for UDP associations (in seconds), 5 minutes by default
"udp_max_associations": 512, // Maximum UDP associations to be kept in one server, unlimited by default
// Options for Manager
"manager_address": "127.0.0.1", // Could be a path to UNIX socket, /tmp/shadowsocks-manager.sock
"manager_port": 5300, // Not needed for UNIX socket
// DNS server's address for resolving domain names
// For *NIX and Windows, it uses system's configuration by default
//
// Value could be IP address of DNS server, for example, "8.8.8.8".
// DNS client will automatically request port 53 with both TCP and UDP protocol.
//
// - system, uses system provided API (`getaddrinfo` on *NIX)
//
// It also allows some pre-defined well-known public DNS servers:
// - google (TCP, UDP)
// - cloudflare (TCP, UDP)
// - cloudflare_tls (TLS), enable by feature "dns-over-tls"
// - cloudflare_https (HTTPS), enable by feature "dns-over-https"
// - quad9 (TCP, UDP)
// - quad9_tls (TLS), enable by feature "dns-over-tls"
//
// The field is only effective if feature "hickory-dns" is enabled.
"dns": "google",
// Configure `cache_size` for "hickory-dns" ResolverOpts. Set to "0" to disable DNS cache.
"dns_cache_size": 0,
// Mode, could be one of the
// - tcp_only
// - tcp_and_udp
// - udp_only
"mode": "tcp_only",
// TCP_NODELAY
"no_delay": false,
// Enables `SO_KEEPALIVE` and set `TCP_KEEPIDLE`, `TCP_KEEPINTVL` to the specified seconds
"keep_alive": 15,
// Soft and Hard limit of file descriptors on *NIX systems
"nofile": 10240,
// Try to resolve domain name to IPv6 (AAAA) addresses first
"ipv6_first": false,
// Set IPV6_V6ONLY for all IPv6 listener sockets
// Only valid for locals and servers listening on `::`
"ipv6_only": false,
// Outbound socket options
// Linux Only (SO_MARK)
"outbound_fwmark": 255,
// FreeBSD only (SO_USER_COOKIE)
"outbound_user_cookie": 255,
// `SO_BINDTODEVICE` (Linux), `IP_BOUND_IF` (BSD), `IP_UNICAST_IF` (Windows) socket option for outbound sockets
"outbound_bind_interface": "eth1",
// Outbound socket bind() to this IP (choose a specific interface)
"outbound_bind_addr": "11.22.33.44",
// Balancer customization
"balancer": {
// MAX Round-Trip-Time (RTT) of servers
// The timeout seconds of each individual checks
"max_server_rtt": 5,
// Interval seconds between each check
"check_interval": 10,
// Interval seconds between each check for the best server
// Optional. Specify to enable shorter checking interval for the best server only.
"check_best_interval": 5
},
// SIP008 Online Configuration Delivery
// https://shadowsocks.org/doc/sip008.html
"online_config": {
"config_url": "https://path-to-online-sip008-configuration",
// Optional. Seconds between each update to config_url. Default to 3600s
"update_interval": 3600
},
// Service configurations
// Logger configuration
"log": {
// Equivalent to `-v` command line option
"level": 1,
"format": {
// Euiqvalent to `--log-without-time`
"without_time": false,
},
// Equivalent to `--log-config`
// More detail could be found in https://crates.io/crates/log4rs
"config_path": "/path/to/log4rs/config.yaml"
},
// Runtime configuration
"runtime": {
// single_thread or multi_thread
"mode": "multi_thread",
// Worker threads that are used in multi-thread runtime
"worker_count": 10
}
}
SOCKS5 认证配置
配置文件由 socks5_auth_config_path 在 locals 中设置。
{
// Password/Username Authentication (RFC1929)
"password": {
"users": [
{
"user_name": "USERNAME in UTF-8",
"password": "PASSWORD in UTF-8"
}
]
}
}
环境变量
SS_SERVER_PASSWORD:从命令行参数(--server-addr)创建的服务器的默认密码SS_SYSTEM_DNS_RESOLVER_FORCE_BUILTIN:强制使用系统的内置 DNS 解析器(在 *NIX 中的getaddrinfo)
支持的加密算法
AEAD 2022 加密算法
2022-blake3-aes-128-gcm,2022-blake3-aes-256-gcm2022-blake3-chacha20-poly1305,2022-blake3-chacha8-poly1305
这些加密算法要求 "password" 必须是具有与加密算法密钥大小相同长度的 Base64 字符串。建议使用 ssservice genkey -m "METHOD_NAME" 生成一个安全且安全的密钥。
AEAD 加密算法
chacha20-ietf-poly1305aes-128-gcm,aes-256-gcm
流加密算法
plain或none(不加密,仅用于调试或与确保传输安全的插件一起使用)
已弃用
tableaes-128-cfb,aes-128-cfb1,aes-128-cfb8,aes-128-cfb128aes-192-cfb,aes-192-cfb1,aes-192-cfb8,aes-192-cfb128aes-256-cfb,aes-256-cfb1,aes-256-cfb8,aes-256-cfb128aes-128-ctraes-192-ctraes-256-ctrcamellia-128-cfb,camellia-128-cfb1,camellia-128-cfb8,camellia-128-cfb128camellia-192-cfb,camellia-192-cfb1,camellia-192-cfb8,camellia-192-cfb128camellia-256-cfb,camellia-256-cfb1,camellia-256-cfb8,camellia-256-cfb128rc4-md5chacha20-ietf
ACL
sslocal,ssserver 和 ssmanager 支持类似于 shadowsocks-libev 的 ACL 文件语法。一些示例可以在 这里 找到。
可用部分
- 对于本地服务器(
sslocal,ssredir,...)- 模式
[bypass_all]- ACL 在BlackList模式下运行。跳过所有不符合任何规则地址。[proxy_all]- ACL在WhiteList模式下运行。代理所有未匹配任何规则的地址。
- 规则
[bypass_list]- 直接连接的规则[proxy_list]- 通过代理连接的规则
- 模式
- 对于远程服务器(
ssserver)- 模式
[reject_all]- ACL在BlackList模式下运行。拒绝所有未匹配任何规则的客户端。[accept_all]- ACL在WhiteList模式下运行。接受所有未匹配任何规则的客户端。
- 规则
[white_list]- 接受客户端的规则[black_list]- 拒绝客户端的规则[outbound_block_list]- 阻塞出站地址的规则
- 模式
示例
# SERVERS
# For ssserver, accepts requests from all clients by default
[accept_all]
# Blocks these clients
[black_list]
1.2.3.4
127.0.0.1/8
# Disallow these outbound addresses
[outbound_block_list]
127.0.0.1/8
::1
# Using regular expression
^[a-z]{5}\.baidu\.com
# Match exactly
|baidu.com
# Match with subdomains
||google.com
# An internationalized domain name should be converted to punycode
# |☃-⌘.com - WRONG
|xn----dqo34k.com
# ||джpумлатест.bрфa - WRONG
||xn--p-8sbkgc5ag7bhce.xn--ba-lmcq
# CLIENTS
# For sslocal, ..., bypasses all targets by default
[bypass_all]
# Proxy these addresses
[proxy_list]
||google.com
8.8.8.8
有用工具
ssurl用于编码和解码ShadowSocks URL(SIP002)。示例
ss://[email protected]:8388/?plugin=obfs-local%3Bobfs%3Dhttp%3Bobfs-host%3Dwww.baidu.com
注意
它支持以下功能
- SOCKS5 CONNECT命令
- SOCKS5 UDP ASSOCIATE命令(部分)
- SOCKS4/4a CONNECT命令
- 各种加密算法
- 负载均衡(多个服务器)和服务器延迟检查
- SIP004 AEAD加密
- SIP003 插件
- SIP003u 支持UDP的插件
- SIP002 扩展ss URL
- SIP022 2022 AEAD加密
- HTTP代理支持(RFC 7230 和 CONNECT)
- 防御重放攻击,shadowsocks/shadowsocks-org#44
- 管理API,支持管理多个用户
- ACL(访问控制列表)
- 支持HTTP/HTTPS代理协议
待办事项
- 文档
- 扩展配置格式
- 改进的日志格式(等待新官方日志crate)
- 在不依赖于
libcrypto的情况下支持更多加密算法(等待可接受的Rust加密库实现) - Windows支持。
- 使用稳定的
rustc构建(由。crypto2阻塞) - 支持HTTP代理协议
- AEAD加密。 (在SIP004中提出,仍在讨论中)
- 基于延迟选择服务器 #152
许可证
版权所有(c)2014 Y. T. CHUNG
在此特此授予任何获得此软件及其相关文档副本(“软件”)的人免费处理软件的权利,包括但不限于使用、复制、修改、合并、发布、分发、再许可和/或出售软件副本,并允许向软件提供方提供软件的人这样做,但受以下条件的约束
上述版权声明和本许可声明应包含在软件的所有副本或实质性部分中。
软件按“原样”提供,不提供任何形式的保证,无论是明示的、暗示的还是法定的,包括但不限于适销性、特定用途适用性和非侵权性保证。在任何情况下,作者或版权所有者不对任何索赔、损害或其他责任负责,无论其是基于合同、侵权或其他原因,是否由软件本身、软件的使用或其他与软件相关的操作引起。
随时间推移的Star-gazers
依赖项
~24–47MB
~1M SLoC