### Server Command Line Example Source: https://github.com/shadowsocks/shadowsocks-org/wiki/Plugin Example of starting a Shadowsocks server with an 'obfs-server' plugin and HTTP obfuscation options. ```bash ss-server --plugin obfs-server --plugin-opts "obfs=http" ``` -------------------------------- ### Client Command Line Example Source: https://github.com/shadowsocks/shadowsocks-org/wiki/Plugin Example of starting a Shadowsocks client with an 'obfs-local' plugin, HTTP obfuscation, and a specific host. ```bash ss-local -c config.json --plugin obfs-local --plugin-opts "obfs=http;obfs-host=www.baidu.com" ``` -------------------------------- ### Install Dependencies and Build Docs Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/README.md Use these commands to install project dependencies and build the documentation. ```bash yarn install yarn docs:build ``` -------------------------------- ### Install go-shadowsocks2 Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/deploying.md Use 'go install' to install the go-shadowsocks2 package. This is the recommended next-generation Shadowsocks client in Go. ```bash go install github.com/shadowsocks/go-shadowsocks2@latest ``` -------------------------------- ### Install outline-ss-server Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/deploying.md Install the outline-ss-server from source. This Shadowsocks implementation is used by the Outline Server and can be used standalone. ```bash go install github.com/Jigsaw-Code/outline-ss-server@latest $(go env GOPATH)/bin/outline-ss-server -config=config.yml -metrics=127.0.0.1:9091 ``` -------------------------------- ### Install Net::Shadowsocks using Build.PL Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/deploying.md Install the Net::Shadowsocks Perl module on Unix-like systems using the Build.PL script. ```bash $ perl Build.PL $ ./Build $ ./Build test $ ./Build install ``` -------------------------------- ### Install Net::Shadowsocks using CPAN Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/deploying.md Install the Net::Shadowsocks Perl module using the CPAN client. ```bash $ cpan Net::Shadowsocks ``` -------------------------------- ### Clone and Build libQtShadowsocks Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/deploying.md Clone the libQtShadowsocks repository from GitHub, then build and install it using qmake and make. ```bash $ git clone https://github.com/shadowsocks/libQtShadowsocks.git $ cd libQtShadowsocks $ qmake $ make -j4 $ sudo make install ``` -------------------------------- ### Example SIP002 URI with Plain User Info and Plugin Source: https://github.com/shadowsocks/shadowsocks-org/wiki/SIP002-URI-Scheme An example of a SIP002 URI with plain user info and a plugin argument. The plugin argument uses percent-encoding for its parameters. ```text ss://2022-blake3-aes-256-gcm:YctPZ6U7xPPcU%2Bgp3u%2B0tx%2FtRizJN9K8y%2BuKlW2qjlI%3D@192.168.100.1:8888/?plugin=v2ray-plugin%3Bserver#Example3 ``` -------------------------------- ### Build shadowsocks-libev from Source Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/deploying.md Compile and install shadowsocks-libev from its GitHub repository. This involves installing build dependencies, cloning the repository, and running the build scripts. ```bash $ sudo apt-get install --no-install-recommends build-essential autoconf libtool \ libssl-dev gawk debhelper dh-systemd init-system-helpers pkg-config asciidoc \ xmlto apg libpcre3-dev zlib1g-dev libev-dev libudns-dev libsodium-dev libmbedtls-dev libc-ares-dev automake $ git clone https://github.com/shadowsocks/shadowsocks-libev.git $ cd shadowsocks-libev $ git submodule update --init $ ./autogen.sh && ./configure && make $ sudo make install ``` -------------------------------- ### Example SIP002 URI with Plugin and Tag Source: https://github.com/shadowsocks/shadowsocks-org/wiki/SIP002-URI-Scheme A comprehensive example of a SIP002 URI including a plugin with URL-encoded arguments and a profile tag. ```text ss://YmYtY2ZiOnRlc3Q@192.168.100.1:8888/?plugin=url-encoded-plugin-argument-value&unsupported-arguments=should-be-ignored#Dummy+profile+name ``` -------------------------------- ### Shadowsocks-Libev Log Example Source: https://github.com/shadowsocks/shadowsocks-org/wiki/Setup-fail2ban An example log entry from ss-server indicating a failed handshake and authentication error. ```log Aug 15 08:59:07 ss-server[1382]: 2018-08-15 08:59:07 ERROR: failed to handshake with : authentication error ``` -------------------------------- ### Install shadowsocks-libev on Debian/Ubuntu Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/deploying.md Use apt to install shadowsocks-libev from official repositories. Ensure your package list is up-to-date. ```bash sudo apt update sudo apt install shadowsocks-libev ``` -------------------------------- ### Install Net::Shadowsocks using Makefile.PL Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/deploying.md Install the Net::Shadowsocks Perl module on Unix-like systems using Makefile.PL. May require dmake or nmake on Windows. ```bash $ perl Makefile.PL $ make $ make test $ make install ``` -------------------------------- ### JSON Configuration Example Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/configs.md A standard JSON configuration file for Shadowsocks. This format is used for server and client configurations. ```json { "server":"my_server_ip", "server_port":8388, "local_port":1080, "password":"barfoo!", "method":"chacha20-ietf-poly1305" } ``` -------------------------------- ### Example SIP002 URI with Plain User Info and AEAD-2022 Source: https://github.com/shadowsocks/shadowsocks-org/wiki/SIP002-URI-Scheme Demonstrates a SIP002 URI using plain (unencoded) user info with AEAD-2022, requiring percent-encoded method and password. ```text ss://2022-blake3-aes-256-gcm:YctPZ6U7xPPcU%2Bgp3u%2B0tx%2FtRizJN9K8y%2BuKlW2qjlI%3D@192.168.100.1:8888#Example3 ``` -------------------------------- ### SIP008 JSON Document Format Example Source: https://github.com/shadowsocks/shadowsocks-org/wiki/SIP008-Online-Configuration-Delivery This is an example of a standard SIP008 JSON document, including server details and optional data usage fields. Custom fields can be added to the root object. ```json { "version": 1, "servers": [ { // Server UUID to distinguish between servers when updating. "id": "27b8a625-4f4b-4428-9f0f-8a2317db7c79", "remarks": "Name of the server", "server": "example.com", "server_port": 8388, "password": "example", "method": "chacha20-ietf-poly1305", "plugin": "xxx", "plugin_opts": "xxxxx" }, // Another server { "id": "7842c068-c667-41f2-8f7d-04feece3cb67", "remarks": "Name of the server", "server": "example.com", "server_port": 8388, "password": "example", "method": "chacha20-ietf-poly1305", "plugin": "xxx", "plugin_opts": "xxxxx" } ], // The above fields are mandatory. // Optional fields for data usage: "bytes_used": 274877906944, "bytes_remaining": 824633720832 // You may add other custom fields in the root object. } ``` -------------------------------- ### Example SIP002 URI with Base64URL Encoded User Info and Plugin Source: https://github.com/shadowsocks/shadowsocks-org/wiki/SIP002-URI-Scheme Shows a SIP002 URI with Base64URL encoded user info and a plugin argument. Note the escaped characters in the plugin. ```text ss://cmM0LW1kNTpwYXNzd2Q@192.168.100.1:8888/?plugin=obfs-local%3Bobfs%3Dhttp#Example2 ``` -------------------------------- ### Restart and Enable Fail2ban Service Source: https://github.com/shadowsocks/shadowsocks-org/wiki/Setup-fail2ban Restart the Fail2ban service to apply changes and ensure it starts on boot. Also, check its status. ```bash sudo systemctl restart fail2ban sudo systemctl enable fail2ban sudo systemctl start fail2ban sudo systemctl status fail2ban ``` -------------------------------- ### Example SIP002 URI with Base64URL Encoded User Info Source: https://github.com/shadowsocks/shadowsocks-org/wiki/SIP002-URI-Scheme Illustrates a SIP002 URI where the user info (method:password) is encoded using Base64URL. ```text ss://YWVzLTEyOC1nY206dGVzdA@192.168.100.1:8888#Example1 ``` -------------------------------- ### Shadowsocks URI with Tag Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/configs.md An example of a Shadowsocks URI that includes a tag for identification. This tag is appended after the BASE64 encoded string. ```plaintext ss://Y2hhY2hhMjAtaWV0Zi1wb2x5MTMwNTp0ZXN0LyFAIzpAMTkyLjE2OC4xMDAuMTo4ODg4#example-server ``` -------------------------------- ### Plugin Argument Escaping Example Source: https://github.com/shadowsocks/shadowsocks-org/wiki/SIP002-URI-Scheme Illustrates the escaping rules for plugin arguments, similar to TOR_PT_SERVER_TRANSPORT_OPTIONS, where colons, semicolons, etc., are escaped with a backslash. ```text simple-obfs;obfs=http;obfs-host=example.com ``` -------------------------------- ### Generating BASE64 Encoded URI Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/configs.md Example of how to generate a BASE64 encoded Shadowsocks URI using JavaScript's btoa function. This is useful for creating shareable configuration links. ```javascript > console.log( "ss://" + btoa("chacha20-ietf-poly1305:test/!@#:@192.168.100.1:8888") ) ss://Y2hhY2hhMjAtaWV0Zi1wb2x5MTMwNTp0ZXN0LyFAIzpAMTkyLjE2OC4xMDAuMTo4ODg4 ``` -------------------------------- ### TCP Stream Structure with Stream Ciphers Source: https://github.com/shadowsocks/shadowsocks-org/wiki/Stream-Ciphers Illustrates the structure of a TCP stream encrypted with a stream cipher, starting with a random IV followed by encrypted payload. ```plaintext [IV][encrypted payload] ``` -------------------------------- ### Run shadowsocks-libev with Docker Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/deploying.md Deploy shadowsocks-libev using a Docker container. Set the password and map server ports for TCP and UDP traffic. ```bash docker pull shadowsocks/shadowsocks-libev docker run -e PASSWORD= -p:8388 -p:8388/udp -d shadowsocks/shadowsocks-libev ``` -------------------------------- ### Key Derivation with HKDF_SHA1 Source: https://github.com/shadowsocks/shadowsocks-org/wiki/AEAD-Ciphers Illustrates the process of deriving a per-session subkey from a master key using HKDF_SHA1. The 'info' string must be 'ss-subkey'. The salt must be unique for the master key's lifetime. ```text HKDF_SHA1(key, salt, info) => subkey ``` -------------------------------- ### Create Fail2ban Filter for Shadowsocks-Libev Source: https://github.com/shadowsocks/shadowsocks-org/wiki/Setup-fail2ban Create a Fail2ban filter configuration file for shadowsocks-libev to detect authentication errors. ```bash sudo tee /etc/fail2ban/filter.d/shadowsocks-libev.conf > /dev/null <: authentication error$ ignoreregex = datepattern = %%Y-%%m-%%d %%H:%%M:%%S EOF ``` -------------------------------- ### Update Fail2ban Jail Configuration Source: https://github.com/shadowsocks/shadowsocks-org/wiki/Setup-fail2ban Configure the jail.local file to enable and set parameters for the shadowsocks-libev jail. ```ini [shadowsocks-libev] enabled = true filter = shadowsocks-libev port = 8839 logpath = /var/log/syslog maxretry = 3 findtime = 3600 bantime = 3600 ``` -------------------------------- ### Tune Kernel Parameters for Shadowsocks Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/advanced.md Configure `/etc/sysctl.conf` with optimized kernel parameters to improve network performance, connection reuse, and buffer sizes for the Shadowsocks server. Apply these changes using `sysctl -p`. ```bash fs.file-max = 51200 net.core.rmem_max = 67108864 net.core.wmem_max = 67108864 net.core.netdev_max_backlog = 250000 net.core.somaxconn = 4096 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_fin_timeout = 30 net.ipv4.tcp_keepalive_time = 1200 net.ipv4.ip_local_port_range = 10000 65000 net.ipv4.tcp_max_syn_backlog = 8192 net.ipv4.tcp_max_tw_buckets = 5000 net.ipv4.tcp_fastopen = 3 net.ipv4.tcp_mem = 25600 51200 102400 net.ipv4.tcp_rmem = 4096 87380 67108864 net.ipv4.tcp_wmem = 4096 65536 67108864 net.ipv4.tcp_mtu_probing = 1 net.ipv4.tcp_congestion_control = hybla ``` ```bash sysctl -p ``` -------------------------------- ### Shadowsocks 2022 Subkey Derivation Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/sip022.md Illustrates the subkey derivation process for Shadowsocks 2022 sessions using BLAKE3's key derivation mode. It combines the pre-shared key and a random salt to generate session subkeys. ```pseudocode session_subkey := blake3::derive_key(context: "shadowsocks 2022 session subkey", key_material: key + salt) ``` -------------------------------- ### Escaping Spaces in URI Tags Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/sip002.md Demonstrates how to properly escape spaces within the tag component of a SIP002 URI to ensure it remains a legal URI. ```text ss://...#shadowsocks%20server%201 ``` -------------------------------- ### SIP002 URI Scheme Structure Source: https://github.com/shadowsocks/shadowsocks-org/wiki/SIP002-URI-Scheme Defines the structure of a Shadowsocks URI according to SIP002, including user info, hostname, port, and optional plugin/tag. ```text SS-URI = "ss://" userinfo "@" hostname ":" port [ "/" ] [ "?" plugin ] [ "#" tag ] userinfo = websafe-base64-encode-utf8(method ":" password) method ":" password ``` -------------------------------- ### Check Fail2ban Client Status Source: https://github.com/shadowsocks/shadowsocks-org/wiki/Setup-fail2ban Verify the status of the Fail2ban client for specific jails, including the newly configured shadowsocks-libev jail. ```bash sudo fail2ban-client status shadowsocks sudo fail2ban-client status shadowsocks-libev ``` -------------------------------- ### AEAD Encryption and Decryption with Session Subkey Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/sip022.md Demonstrates the AEAD encryption and decryption process using a derived session subkey and a 12-byte little-endian counter as the nonce. This is used for encrypting data chunks in proxy streams. ```pseudocode u96le counter aead := aead_new(key: session_subkey) ciphertext := aead.seal(nonce: counter, plaintext) plaintext := aead.open(nonce: counter, ciphertext) ``` -------------------------------- ### Standard SIP008 JSON Document Format Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/sip008.md This JSON structure defines the standard format for online configuration sharing, including server details and optional data usage metrics. Ensure all mandatory fields are present and follow naming conventions for custom fields. ```json { "version": 1, "servers": [ { "id": "27b8a625-4f4b-4428-9f0f-8a2317db7c79", "remarks": "Name of the server", "server": "example.com", "server_port": 8388, "password": "example", "method": "chacha20-ietf-poly1305", "plugin": "xxx", "plugin_opts": "xxxxx" }, { "id": "7842c068-c667-41f2-8f7d-04feece3cb67", "remarks": "Name of the server", "server": "example.com", "server_port": 8388, "password": "example", "method": "chacha20-ietf-poly1305", "plugin": "xxx", "plugin_opts": "xxxxx" } ], "bytes_used": 274877906944, "bytes_remaining": 824633720832 } ``` -------------------------------- ### Shadowsocks Header Message Types Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/sip022.md Defines constants for client and server packet types within the SIP022 header. Use these constants to identify the origin of a message. ```go HeaderTypeClientPacket = 0 HeaderTypeServerPacket = 1 ``` -------------------------------- ### Generate PSK with OpenSSL Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/sip022.md Generates a cryptographically secure pre-shared key (PSK) of a specified size using OpenSSL. This PSK is used for deriving session subkeys in Shadowsocks 2022. ```bash openssl rand -base64 ``` -------------------------------- ### Header Type Constants Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/sip022.md Defines constants for differentiating client and server stream messages. HeaderTypeClientStream is used for requests. ```go HeaderTypeClientStream = 0 HeaderTypeServerStream = 1 MinPaddingLength = 0 MaxPaddingLength = 900 ``` -------------------------------- ### Increase Open File Descriptors Limit Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/advanced.md Modify `/etc/security/limits.conf` to set higher limits for open file descriptors, essential for handling numerous concurrent connections. This change requires a system restart or re-login to take effect. ```bash vi /etc/security/limits.conf ``` ```bash * soft nofile 51200 * hard nofile 51200 # for server running in root: root soft nofile 51200 root hard nofile 51200 ``` ```bash ulimit -n 51200 ``` -------------------------------- ### Plaintext URI Structure Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/configs.md The underlying structure of the Shadowsocks URI before BASE64 encoding. Note that the password is plain text and not percent-encoded. ```plaintext ss://method:password@hostname:port ``` -------------------------------- ### AEAD Cipher Details Source: https://github.com/shadowsocks/shadowsocks-org/wiki/AEAD-Ciphers This table lists recommended AEAD ciphers for Shadowsocks, including their aliases, key size, salt size, nonce size, and tag size. Compliant implementations must support AEAD_CHACHA20_POLY1305. ```text
NameAliasKey SizeSalt SizeNonce SizeTag Size
AEAD_CHACHA20_POLY1305chacha20-ietf-poly130532321216
AEAD_AES_256_GCMaes-256-gcm32321216
AEAD_AES_128_GCMaes-128-gcm16161216
``` -------------------------------- ### Shadowsocks 2022 UDP Relay Encryption and Decryption Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/sip022.md Demonstrates the encryption and decryption process for UDP relay packets in Shadowsocks 2022. It shows how a block cipher is used for the separate header and an AEAD cipher for the body, derived using a session subkey. ```plaintext block_cipher := aes_new(psk) encrypted_separate_header := block_cipher.encrypt(separate_header) decrypted_separate_header := block_cipher.decrypt(encrypted_separate_header) session_subkey := blake3::derive_key(context: "shadowsocks 2022 session subkey", key_material: key + separate_header[0..8]) session_aead_cipher := aes_gcm_new(session_subkey) encrypted_body := session_aead_cipher.seal(nonce: separate_header[4..16], body) decrypted_body := session_aead_cipher.open(nonce: separate_header[4..16], body) ``` -------------------------------- ### Shadowsocks URI Format Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/configs.md The basic structure of a Shadowsocks URI, which is a BASE64 encoded string. This format is commonly used for mobile clients and QR codes. ```plaintext ss://BASE64-ENCODED-STRING-WITHOUT-PADDING#TAG ``` -------------------------------- ### AEAD Encryption Function Source: https://github.com/shadowsocks/shadowsocks-org/wiki/AEAD-Ciphers Defines the AEAD encryption function, which takes a secret key, a unique nonce, and a message to produce ciphertext and an authentication tag. The nonce must be unique for each encryption with the same key. ```text AE_encrypt(key, nonce, message) => (ciphertext, tag) ``` -------------------------------- ### TCP Identity Header Encryption Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/sip023.md Illustrates the process of deriving an identity subkey and encrypting plaintext for identity headers in TCP requests. This method is used when identity headers are placed between salt and AEAD chunks. ```plaintext identity_subkey := blake3::derive_key(context: "shadowsocks 2022 identity subkey", key_material: iPSKn + salt) plaintext := blake3::hash(iPSKn+1)[0..16] // Take the first 16 bytes of the next iPSK's hash. identity_header := aes_encrypt(key: identity_subkey, plaintext: plaintext) ``` -------------------------------- ### AEAD Encrypted UDP Packet Structure Source: https://github.com/shadowsocks/shadowsocks-org/wiki/AEAD-Ciphers Outlines the structure of an AEAD encrypted UDP packet. It consists of a randomly generated salt for subkey derivation, followed by the encrypted payload and its authentication tag. Each UDP packet is processed independently. ```text [salt][encrypted payload][tag] ``` -------------------------------- ### AEAD Decryption Function Source: https://github.com/shadowsocks/shadowsocks-org/wiki/AEAD-Ciphers Defines the AEAD decryption function. It requires the secret key, nonce, ciphertext, and authentication tag. Decryption fails if any input is tampered with, ensuring data integrity and authenticity. ```text AE_decrypt(key, nonce, ciphertext, tag) => message ``` -------------------------------- ### AEAD Encrypted TCP Chunk Structure Source: https://github.com/shadowsocks/shadowsocks-org/wiki/AEAD-Ciphers Describes the structure of an AEAD encrypted TCP chunk. It includes the encrypted payload length, its tag, the encrypted payload, and the payload's tag. The payload length is a 2-byte integer capped at 0x3FFF. ```text [encrypted payload length][length tag][encrypted payload][payload tag] ``` -------------------------------- ### UDP Identity Header Encryption Source: https://github.com/shadowsocks/shadowsocks-org/blob/main/docs/doc/sip023.md Details the encryption of identity headers for UDP packets, where the plaintext is XORed with session and packet IDs before encryption. This ensures packet-specific variations. ```plaintext plaintext := blake3::hash(iPSKn+1)[0..16] ^ session_id_packet_id // XOR to make it different for each packet. identity_header := aes_encrypt(key: iPSKn, plaintext: plaintext) ``` -------------------------------- ### Stream Cipher Encryption Function Source: https://github.com/shadowsocks/shadowsocks-org/wiki/Stream-Ciphers Defines the conceptual function for stream cipher encryption, taking a key, IV, and message to produce ciphertext. ```plaintext Stream_encrypt(key, IV, message) => ciphertext ``` -------------------------------- ### Stream Cipher Decryption Function Source: https://github.com/shadowsocks/shadowsocks-org/wiki/Stream-Ciphers Defines the conceptual function for stream cipher decryption, taking a key, IV, and ciphertext to produce the original message. ```plaintext Stream_decrypt(key, IV, ciphertext) => message ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.