Reformulated shadowsocks.md
- Reformulated
- Added description for `clients` parameter
- Added example for proper password generation

pull/403/head
parent
6b73c2486d
commit
763d000739
|
@ -1,20 +1,20 @@
|
||||||
# Shadowsocks
|
# Shadowsocks
|
||||||
|
|
||||||
The [Shadowsocks](https://en.wikipedia.org/wiki/Shadowsocks) protocol is compatible with most other implementations of Shadowsocks.
|
The [Shadowsocks](https://en.wikipedia.org/wiki/Shadowsocks) protocol is compatible with most other implementations of Shadowsocks. The server supports TCP and UDP packet forwarding, with an option to selectively disable UDP.
|
||||||
|
|
||||||
The current compatibility is as follows:
|
### Supported Encryption Methods
|
||||||
|
The currently supported methods are following:
|
||||||
|
|
||||||
- Supports TCP and UDP packet forwarding, with the option to selectively disable UDP.
|
|
||||||
- Recommended encryption methods:
|
- Recommended encryption methods:
|
||||||
- 2022-blake3-aes-128-gcm
|
- `2022-blake3-aes-128-gcm`
|
||||||
- 2022-blake3-aes-256-gcm
|
- `2022-blake3-aes-256-gcm`
|
||||||
- 2022-blake3-chacha20-poly1305
|
- `2022-blake3-chacha20-poly1305`
|
||||||
- Other encryption methods:
|
- Other encryption methods:
|
||||||
- aes-256-gcm
|
- `aes-256-gcm`
|
||||||
- aes-128-gcm
|
- `aes-128-gcm`
|
||||||
- chacha20-poly1305 or chacha20-ietf-poly1305
|
- `chacha20-poly1305`/`chacha20-ietf-poly1305`
|
||||||
- xchacha20-poly1305 or xchacha20-ietf-poly1305
|
- `xchacha20-poly1305`/`xchacha20-ietf-poly1305`
|
||||||
- none or plain
|
- `none`/`plain`
|
||||||
|
|
||||||
The Shadowsocks 2022 new protocol format improves performance and includes complete replay protection, addressing the following security issues in the old protocol:
|
The Shadowsocks 2022 new protocol format improves performance and includes complete replay protection, addressing the following security issues in the old protocol:
|
||||||
|
|
||||||
|
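Review bot: The new heading `### Supported Encryption Methods` is level 3 directly under the `# Shadowsocks` title, while the next section, `## InboundConfigurationObject`, is level 2; use `##` here so the outline does not skip a level. The new lead-in "The currently supported methods are following:" should read "The currently supported methods are as follows:". With the old "current compatibility" list folded into this heading, the Shadowsocks 2022 paragraph about replay protection now sits under "Supported Encryption Methods" too, so consider whether it needs its own short heading.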
@ -24,7 +24,7 @@ The Shadowsocks 2022 new protocol format improves performance and includes compl
|
||||||
- TCP behaviors that can be used for active probing
|
- TCP behaviors that can be used for active probing
|
||||||
|
|
||||||
::: danger
|
::: danger
|
||||||
Traffic transmitted without encryption using the "none" method will be in plain text. Do not use it on public networks for security reasons.
|
Traffic transmitted without encryption using the "none" method will be in plain text. **Do not use it on public networks** for security reasons.
|
||||||
:::
|
:::
|
||||||
|
|
||||||
## InboundConfigurationObject
|
## InboundConfigurationObject
|
||||||
|
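Review bot: The danger box still names only the "none" method, although the method list in this same commit puts `none`/`plain` together on one bullet; a reader who configures `plain` will not connect the warning to their setting. Suggest wording it as "using the `none` or `plain` method", in backticks to match the formatting this commit applies to the other method names.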
@ -32,6 +32,7 @@ Traffic transmitted without encryption using the "none" method will be in plain
|
||||||
```json
|
```json
|
||||||
{
|
{
|
||||||
"settings": {
|
"settings": {
|
||||||
|
"clients": [],
|
||||||
"password": "password",
|
"password": "password",
|
||||||
"method": "aes-256-gcm",
|
"method": "aes-256-gcm",
|
||||||
"level": 0,
|
"level": 0,
|
||||||
|
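Review bot: The sample object gains `"clients": []` but keeps the literal `"password": "password"` on the line right below it, and sample configs get copied as they are. Since this commit adds guidance on generating keys, replace the literal with an obvious placeholder (for example `"<generated key>"`) so the example cannot be deployed with a guessable credential. An empty `clients` list also shows nothing about what a populated entry looks like; one sample `ClientObject` would make the added field easier to use.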
@ -41,6 +42,10 @@ Traffic transmitted without encryption using the "none" method will be in plain
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
> `clients`: a list of [`ClientObject`](#clientobject), empty list considered valid
|
||||||
|
|
||||||
|
The `password` parameter can be specified for the server at all, but also in the [`ClientObject`](#clientobject) being dedicated to the given user. Server-level `password` is not guaranteed to override the client-specific one.
|
||||||
|
|
||||||
> `network`: "tcp" | "udp" | "tcp,udp"
|
> `network`: "tcp" | "udp" | "tcp,udp"
|
||||||
|
|
||||||
The supported network protocol type. For example, when specified as `"tcp"`, it will only handle TCP traffic. The default value is `"tcp"`.
|
The supported network protocol type. For example, when specified as `"tcp"`, it will only handle TCP traffic. The default value is `"tcp"`.
|
||||||
|
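Review bot: The added sentence "Server-level `password` is not guaranteed to override the client-specific one" leaves the precedence between the two credentials undefined. For an authentication setting the documentation should state which password is actually checked when both are set, or say that setting both is unsupported; otherwise an operator cannot tell which secret grants access. "can be specified for the server at all" is also ungrammatical ("for the server as a whole" appears to be the intent), and this paragraph would be easier to find under the `password` entry further down than between `clients` and `network`.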
@ -56,31 +61,30 @@ The supported network protocol type. For example, when specified as `"tcp"`, it
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
> `method`: string
|
> `method`: string, any of the [supported methods](#supportedencryptionmethods)
|
||||||
|
|
||||||
Required.
|
Required.
|
||||||
|
|
||||||
> `password`: string
|
> `password`: string
|
||||||
|
|
||||||
Required.
|
Required. For **Shadowsocks 2022** a pre-shared `base64` random key similar to WireGuard's keys should be used as the password. The command
|
||||||
|
```sh
|
||||||
- Shadowsocks 2022
|
openssl rand -base64 <length>
|
||||||
|
```
|
||||||
Use a pre-shared key similar to WireGuard as the password.
|
could used to generate a key. The length of the required key for `shadowsocks-rust` implementation depends on the encryption method:
|
||||||
|
|
||||||
Use `openssl rand -base64 <length>` to generate a compatible key with shadowsocks-rust, where the length depends on the encryption method used.
|
|
||||||
|
|
||||||
| Encryption Method | Key Length |
|
| Encryption Method | Key Length |
|
||||||
| ----------------------------- | ---------: |
|
| ----------------------------- | ---------: |
|
||||||
| 2022-blake3-aes-128-gcm | 16 |
|
| `2022-blake3-aes-128-gcm` | 16 |
|
||||||
| 2022-blake3-aes-256-gcm | 32 |
|
| `2022-blake3-aes-256-gcm` | 32 |
|
||||||
| 2022-blake3-chacha20-poly1305 | 32 |
|
| `2022-blake3-chacha20-poly1305` | 32 |
|
||||||
|
|
||||||
In the Go implementation, a 32-byte key always works.
|
In the `go-shadowsocks` implementation written in Golang, a 32-byte key always works.
|
||||||
|
|
||||||
- Other encryption methods
|
For **any other encryption method** _any string_ could be used. There is no limitation on the password length, but shorter passwords are more susceptible to cracking. It is recommended to use a random-generated password of 16 characters or longer. The following example generates 40-characters length password:
|
||||||
|
```sh
|
||||||
Any string. There is no limitation on the password length, but shorter passwords are more susceptible to cracking. It is recommended to use a password of 16 characters or longer.
|
sudo strings /dev/urandom | grep -o '[[:alnum:]]' | head -n 40 | tr -d '\n'; echo
|
||||||
|
```
|
||||||
|
|
||||||
> `level`: number
|
> `level`: number
|
||||||
|
|
||||||
|
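Review bot: The added command `sudo strings /dev/urandom | grep -o '[[:alnum:]]' | head -n 40 | tr -d '\n'; echo` runs under `sudo` without needing it, since `/dev/urandom` is readable by unprivileged users, and documentation should not train readers to prefix copy-pasted pipelines with `sudo`. Drop `sudo`, and consider the simpler `tr -dc '[:alnum:]' < /dev/urandom | head -c 40; echo`, or reuse the `openssl rand -base64 <length>` form already shown above so the page has one recommended tool. In the Shadowsocks 2022 paragraph, "could used to generate a key" is missing "be", and splitting the sentence around the code block makes it hard to read; "Generate a key with:" followed by the block is clearer. Please also check that the new link target `#supportedencryptionmethods` resolves, because the heading added in the first hunk is "Supported Encryption Methods" and slug generators usually hyphenate the words.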
@ -90,4 +94,4 @@ The value of `level` corresponds to the value of `level` in the [policy](../poli
|
||||||
|
|
||||||
> `email`: string
|
> `email`: string
|
||||||
|
|
||||||
The user's email, used to differentiate traffic from different users (logs, statistics).
|
The user's email, used to differentiate traffic from different users for logs or statistics.
|
||||||
|
|