github.com/database64128/shadowsocks-go@v1.7.0/README.md (about) 1 # shadowsocks-go 2 3 [](https://pkg.go.dev/github.com/database64128/shadowsocks-go) 4 [](https://github.com/database64128/shadowsocks-go/actions/workflows/test.yml) 5 [](https://github.com/database64128/shadowsocks-go/actions/workflows/release.yml) 6 [](https://aur.archlinux.org/packages/shadowsocks-go) 7 [](https://aur.archlinux.org/packages/shadowsocks-go-git) 8 [](https://aur.archlinux.org/packages/shadowsocks-go-domain-sets-git) 9 [](https://aur.archlinux.org/packages/shadowsocks-go-geolite2-country-git) 10 11 A versatile and efficient proxy platform for secure communications. 12 13 ## Features 14 15 - Reference Go implementation of Shadowsocks 2022 and later editions. 16 - Client and server implementation of SOCKS5, HTTP proxy, and Shadowsocks "none" method. 17 - Transparent proxy support for Linux. 18 - Built-in router and DNS resolver with support for extensible routing rules. 19 - RESTful API for server user management and traffic statistics. 20 - TCP relay fast path on Linux with `splice(2)`. 21 - UDP relay fast path on Linux with `recvmmsg(2)` and `sendmmsg(2)`. 22 23 ## Configuration Examples 24 25 All configuration examples and systemd unit files can be found in the [docs](docs) directory. 26 27 ### 1. Shadowsocks 2022 Server 28 29 The `clients` field can be omitted or left empty. A default "direct" client will be automatically added. 30 31 On production servers, you may want to set `udpRelayBatchSize` to a lower value like 8 to reduce memory usage while still benefiting from `recvmmsg(2)` and `sendmmsg(2)`. 32 33 UDP packets may be padded to up to the maximum packet size calculated from `mtu`. If the server may be used from a PPPoE connection, `mtu` should be reduced to 1492. If the client-to-server PMTU is unknown, padding can be completely disabled by setting `paddingPolicy` to `NoPadding`. 34 35 For servers without any user PSKs (single-user mode), the `psk` field specifies the PSK, and the `uPSKStorePath` field can be omitted or left empty. When one or more user PSKs are specified in the uPSK store file, the `psk` field specifies the identity PSK. 36 37 To add/update/remove users without restarting the server, modify the uPSK store file and send a `SIGUSR1` signal to the server process, or use the RESTful API. Updates from the RESTful API will be saved to the uPSK store file automatically. 38 39 ```json 40 { 41 "servers": [ 42 { 43 "name": "ss-2022", 44 "listen": ":20220", 45 "protocol": "2022-blake3-aes-128-gcm", 46 "enableTCP": true, 47 "listenerTFO": true, 48 "enableUDP": true, 49 "mtu": 1500, 50 "psk": "qQln3GlVCZi5iJUObJVNCw==", 51 "uPSKStorePath": "/etc/shadowsocks-go/upsks.json" 52 } 53 ] 54 } 55 ``` 56 57 ```json 58 { 59 "Steve": "oE/s2z9Q8EWORAB8B3UCxw==", 60 "Alex": "hWXLOSW/r/LtNKynrA3S8Q==" 61 } 62 ``` 63 64 ### 2. Shadowsocks 2022 Client 65 66 By default, the router uses the configured DNS server to resolve domain names and match IP rules. The resolved IP addresses are only used for matching IP rules. Requests are made using the original domain name. To disable IP rule matching for domain names, set `disableNameResolutionForIPRules` to true. 67 68 ```json 69 { 70 "servers": [ 71 { 72 "name": "socks5", 73 "listen": ":1080", 74 "protocol": "socks5", 75 "enableTCP": true, 76 "listenerTFO": true, 77 "enableUDP": true, 78 "mtu": 1500 79 }, 80 { 81 "name": "http", 82 "listen": ":8080", 83 "protocol": "http", 84 "enableTCP": true, 85 "listenerTFO": true 86 } 87 ], 88 "clients": [ 89 { 90 "name": "ss-2022", 91 "endpoint": "[2001:db8:bd63:362c:2071:a0f6:827:ab6a]:20220", 92 "protocol": "2022-blake3-aes-128-gcm", 93 "enableTCP": true, 94 "dialerTFO": true, 95 "enableUDP": true, 96 "mtu": 1500, 97 "psk": "oE/s2z9Q8EWORAB8B3UCxw==", 98 "iPSKs": [ 99 "qQln3GlVCZi5iJUObJVNCw==" 100 ] 101 }, 102 { 103 "name": "direct", 104 "protocol": "direct", 105 "enableTCP": true, 106 "dialerTFO": true, 107 "enableUDP": true, 108 "mtu": 1500 109 } 110 ], 111 "dns": [ 112 { 113 "name": "cf-v6", 114 "addrPort": "[2606:4700:4700::1111]:53", 115 "tcpClientName": "ss-2022", 116 "udpClientName": "ss-2022" 117 }, 118 { 119 "name": "systemd-resolved", 120 "addrPort": "127.0.0.53:53", 121 "tcpClientName": "direct", 122 "udpClientName": "direct" 123 } 124 ], 125 "router": { 126 "defaultTCPClientName": "ss-2022", 127 "defaultUDPClientName": "ss-2022", 128 "geoLite2CountryDbPath": "/usr/share/shadowsocks-go/Country.mmdb", 129 "domainSets": [ 130 { 131 "name": "category-ads-all", 132 "type": "gob", 133 "path": "/usr/share/shadowsocks-go/ss-go-gob-category-ads-all" 134 }, 135 { 136 "name": "private", 137 "type": "gob", 138 "path": "/usr/share/shadowsocks-go/ss-go-gob-private" 139 }, 140 { 141 "name": "cn", 142 "type": "gob", 143 "path": "/usr/share/shadowsocks-go/ss-go-gob-cn" 144 }, 145 { 146 "name": "geolocation-!cn@cn", 147 "type": "gob", 148 "path": "/usr/share/shadowsocks-go/ss-go-gob-geolocation-!cn@cn" 149 } 150 ], 151 "routes": [ 152 { 153 "name": "ads", 154 "client": "reject", 155 "toDomainSets": [ 156 "category-ads-all" 157 ] 158 }, 159 { 160 "name": "direct", 161 "client": "direct", 162 "resolver": "cf-v6", 163 "toDomainSets": [ 164 "private", 165 "cn" 166 ], 167 "toPrefixes": [ 168 "0.0.0.0/8", 169 "10.0.0.0/8", 170 "100.64.0.0/10", 171 "127.0.0.0/8", 172 "169.254.0.0/16", 173 "172.16.0.0/12", 174 "192.0.0.0/24", 175 "192.0.2.0/24", 176 "192.88.99.0/24", 177 "192.168.0.0/16", 178 "198.18.0.0/15", 179 "198.51.100.0/24", 180 "203.0.113.0/24", 181 "224.0.0.0/3", 182 "::1/128", 183 "fc00::/7", 184 "fe80::/10" 185 ], 186 "toGeoIPCountries": [ 187 "CN" 188 ] 189 }, 190 { 191 "name": "cn-verify-ip", 192 "client": "direct", 193 "resolver": "systemd-resolved", 194 "toDomainSets": [ 195 "geolocation-!cn@cn" 196 ], 197 "toMatchedDomainExpectedGeoIPCountries": [ 198 "CN" 199 ] 200 } 201 ] 202 } 203 } 204 ``` 205 206 ### 3. Feature Showcase 207 208 See [docs/config.json](docs/config.json). 209 210 ## Domain Sets and IP Geolocation Database 211 212 shadowsocks-go has its own domain set file format, because other formats I've seen are all horrible! 213 214 And don't worry, we have a simple conversion tool to convert between different formats: [shadowsocks-go-domain-set-converter](cmd/shadowsocks-go-domain-set-converter/main.go) 215 216 A domain set text file optionally starts with a capacity hint comment. The conversion tool can automatically generate a capacity hint for you. There are 4 types of domain matching rules: 217 218 - `domain:` Match the domain. 219 - `suffix:` Match the domain and its subdomains. 220 - `keyword:` Match if the domain contains the keyword. 221 - `regexp:` Match if the domain matches the regular expression. 222 223 Example of a domain set text file: 224 225 ``` 226 # shadowsocks-go domain set capacity hint 1 6 1 1 DSKR 227 domain:www.example.net 228 suffix:example.com 229 suffix:github.com 230 suffix:cube64128.xyz 231 suffix:api.ipify.org 232 suffix:api6.ipify.org 233 suffix:archlinux.org 234 keyword:dev 235 regexp:^adservice\.google\.([a-z]{2}|com?)(\.[a-z]{2})?$ 236 ``` 237 238 When loading a domain set text file, shadowsocks-go loads all suffixes as-is into a single map. This achieves the best balance between startup speed, memory usage and match speed. If you want better performance, you can use the conversion tool to convert the text file to the gob format. 239 240 The gob format is basically the same thing, but has everything binary serialized and uses a trie to store and match suffixes. The conversion tool loads the suffixes to build a suffix trie, and then serializes the trie and the other rules to a gob file. Quite neat, isn't it? 241 242 Of course, I'm not an algorithm guru, so the whole process still has a lot of inefficiencies. But it's good enough for me. If you have brilliant new ideas, please let me know! 243 244 ### Commonly Used Domain Sets 245 246 A set of commonly used domain sets are updated weekly at [shadowsocks-go-domain-sets](https://github.com/database64128/shadowsocks-go-domain-sets) in the release branch. Arch Linux users can install the [shadowsocks-go-domain-sets-git](https://aur.archlinux.org/packages/shadowsocks-go-domain-sets-git/) package from the AUR. 247 248 ### Manually Generate Domain Sets 249 250 To generate domain sets using https://github.com/v2fly/domain-list-community as the source, clone the repository and build the generator, then generate plaintext lists: 251 252 ```bash 253 ./domain-list-community -exportlists 'google,netflix' 254 ``` 255 256 Use `shadowsocks-go-domain-set-converter` to convert the plaintext lists to domain set files: 257 258 ```bash 259 shadowsocks-go-domain-set-converter -inDlc google.txt -outGob ss-go-gob-google 260 shadowsocks-go-domain-set-converter -inDlc netflix.txt -outGob ss-go-gob-netflix 261 ``` 262 263 ### IP Geolocation Database 264 265 shadowsocks-go uses the MaxMind GeoLite2 Country database for IP geolocation. The database can be downloaded from https://github.com/Dreamacro/maxmind-geoip. Arch Linux users can install the [shadowsocks-go-geolite2-country-git](https://aur.archlinux.org/packages/shadowsocks-go-geolite2-country-git/) package from the AUR. 266 267 ## Security 268 269 ### 1. Packet Padding Policy 270 271 Packet padding policies are implemented for the Shadowsocks 2022 protocol. A packet padding policy controls whether to add padding to outgoing packets. 272 273 When adding padding, the MTU is taken into account, so the size of the padded packet won't exceed the MTU. Therefore it is important to set the MTU correctly. 274 275 The padding policy can be configured individually for each Shadowsocks 2022 client and server. 276 277 - `PadPlainDNS`: Add padding if the destination port is 53. (Default) 278 - `PadAll`: Pad all packets. 279 - `NoPadding`: No padding. 280 281 ### 2. TCP Reject Policy 282 283 Reject policies are implemented for all TCP servers. A TCP server's reject policy is invoked when an accepted connection fails the protocol's handshake process. Each protocol has its own default reject policy. Custom reject policies can be useful for censorship circumvention servers to evade active probing. 284 285 - `JustClose`: Just close the connection. (Default for cleartext protocols) 286 - `ForceReset`: Forcibly reset the connection. Many protocols behave this way when invalid data is received. (Default for Shadowsocks 2022) 287 - `CloseWriteDrain`: Send FIN and keep reading until EOF. This is typically how legacy Shadowsocks servers handle replay. 288 - `ReplyWithGibberish`: Keep reading and send random garbage after each read returns. This emulates how a legacy Shadowsocks server without replay protection behaves, except it doesn't actually relay the replayed payload. 289 290 ### 3. Unsafe Fallback 291 292 A Shadowsocks 2022 server can be configured to forward TCP connections to a fallback address when the handshake fails. Add the `unsafeFallbackAddress` field to the server block to specify the fallback address. On startup a warning message will be printed to tell you that using this feature "taints" the server. Unsafe fallback only works for TCP connections. 293 294 This feature might be useful when your threat model only includes off-path attackers, and you want to reuse the port or trick probes into thinking the server is something else. An on-path attacker (e.g. a typical censor) can easily tell that the regular traffic does not match the fallback traffic. 295 296 ### 4. Unsafe Stream Prefix 297 298 The unsafe stream prefix feature allows you to configure a pair of pre-shared cleartext prefixes for Shadowsocks 2022 streams. The prefixes are prepended to the request and response streams to trick simple firewalls. 299 300 To use this feature, add `unsafeRequestStreamPrefix` and `unsafeResponseStreamPrefix` to both client and server blocks, and specify the prefixes in base64 encoding. The client and server must agree on the same pair of prefixes. On startup a warning message will be printed to tell you that using this feature "taints" the client and server. 301 302 ## License 303 304 [AGPLv3](LICENSE)