diff --git a/docs/en/config/inbounds/shadowsocks.md b/docs/en/config/inbounds/shadowsocks.md index 0df85f6..fcb3daf 100644 --- a/docs/en/config/inbounds/shadowsocks.md +++ b/docs/en/config/inbounds/shadowsocks.md @@ -1,20 +1,20 @@ # Shadowsocks -The [Shadowsocks](https://en.wikipedia.org/wiki/Shadowsocks) protocol is compatible with most other implementations of Shadowsocks. +The [Shadowsocks](https://en.wikipedia.org/wiki/Shadowsocks) protocol is compatible with most other implementations of Shadowsocks. The server supports TCP and UDP packet forwarding, with an option to selectively disable UDP. -The current compatibility is as follows: +### Supported Encryption Methods +The currently supported methods are following: -- Supports TCP and UDP packet forwarding, with the option to selectively disable UDP. - Recommended encryption methods: - - 2022-blake3-aes-128-gcm - - 2022-blake3-aes-256-gcm - - 2022-blake3-chacha20-poly1305 - - Other encryption methods: - - aes-256-gcm - - aes-128-gcm - - chacha20-poly1305 or chacha20-ietf-poly1305 - - xchacha20-poly1305 or xchacha20-ietf-poly1305 - - none or plain + - `2022-blake3-aes-128-gcm` + - `2022-blake3-aes-256-gcm` + - `2022-blake3-chacha20-poly1305` +- Other encryption methods: + - `aes-256-gcm` + - `aes-128-gcm` + - `chacha20-poly1305`/`chacha20-ietf-poly1305` + - `xchacha20-poly1305`/`xchacha20-ietf-poly1305` + - `none`/`plain` The Shadowsocks 2022 new protocol format improves performance and includes complete replay protection, addressing the following security issues in the old protocol: @@ -24,7 +24,7 @@ The Shadowsocks 2022 new protocol format improves performance and includes compl - TCP behaviors that can be used for active probing ::: danger -Traffic transmitted without encryption using the "none" method will be in plain text. Do not use it on public networks for security reasons. +Traffic transmitted without encryption using the "none" method will be in plain text. **Do not use it on public networks** for security reasons. ::: ## InboundConfigurationObject @@ -32,6 +32,7 @@ Traffic transmitted without encryption using the "none" method will be in plain ```json { "settings": { + "clients": [], "password": "password", "method": "aes-256-gcm", "level": 0, @@ -41,6 +42,10 @@ Traffic transmitted without encryption using the "none" method will be in plain } ``` +> `clients`: a list of [`ClientObject`](#clientobject), empty list considered valid + +The `password` parameter can be specified for the server at all, but also in the [`ClientObject`](#clientobject) being dedicated to the given user. Server-level `password` is not guaranteed to override the client-specific one. + > `network`: "tcp" | "udp" | "tcp,udp" The supported network protocol type. For example, when specified as `"tcp"`, it will only handle TCP traffic. The default value is `"tcp"`. @@ -56,31 +61,30 @@ The supported network protocol type. For example, when specified as `"tcp"`, it } ``` -> `method`: string +> `method`: string, any of the [supported methods](#supportedencryptionmethods) Required. > `password`: string -Required. +Required. For **Shadowsocks 2022** a pre-shared `base64` random key similar to WireGuard's keys should be used as the password. The command +```sh +openssl rand -base64 +``` +could used to generate a key. The length of the required key for `shadowsocks-rust` implementation depends on the encryption method: -- Shadowsocks 2022 +| Encryption Method | Key Length | +| ----------------------------- | ---------: | +| `2022-blake3-aes-128-gcm` | 16 | +| `2022-blake3-aes-256-gcm` | 32 | +| `2022-blake3-chacha20-poly1305` | 32 | -Use a pre-shared key similar to WireGuard as the password. +In the `go-shadowsocks` implementation written in Golang, a 32-byte key always works. -Use `openssl rand -base64 ` to generate a compatible key with shadowsocks-rust, where the length depends on the encryption method used. - -| Encryption Method | Key Length | -| ----------------------------- | ---------: | -| 2022-blake3-aes-128-gcm | 16 | -| 2022-blake3-aes-256-gcm | 32 | -| 2022-blake3-chacha20-poly1305 | 32 | - -In the Go implementation, a 32-byte key always works. - -- Other encryption methods - -Any string. There is no limitation on the password length, but shorter passwords are more susceptible to cracking. It is recommended to use a password of 16 characters or longer. +For **any other encryption method** _any string_ could be used. There is no limitation on the password length, but shorter passwords are more susceptible to cracking. It is recommended to use a random-generated password of 16 characters or longer. The following example generates 40-characters length password: +```sh +sudo strings /dev/urandom | grep -o '[[:alnum:]]' | head -n 40 | tr -d '\n'; echo +``` > `level`: number @@ -90,4 +94,4 @@ The value of `level` corresponds to the value of `level` in the [policy](../poli > `email`: string -The user's email, used to differentiate traffic from different users (logs, statistics). +The user's email, used to differentiate traffic from different users for logs or statistics.