github
/
Xray-docs-next
mirror of https://github.com/XTLS/Xray-docs-next
1
0
Fork 0
Code Issues Releases Wiki Activity

Reformulated shadowsocks.md 

- Reformulated
- Added description for `clients` parameter
- Added example for proper password generation
pull/403/head
Andrei Vukolov 2023-08-18 14:22:25 +02:00 committed by yuhan6665
parent 6b73c2486d
commit 763d000739
1 changed files with 35 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
docs/en/config/inbounds/shadowsocks.md
View File

@ -1,20 +1,20 @@
# Shadowsocks
The [Shadowsocks](https://en.wikipedia.org/wiki/Shadowsocks) protocol is compatible with most other implementations of Shadowsocks.
The [Shadowsocks](https://en.wikipedia.org/wiki/Shadowsocks) protocol is compatible with most other implementations of Shadowsocks. The server supports TCP and UDP packet forwarding, with an option to selectively disable UDP.
The current compatibility is as follows:
### Supported Encryption Methods
The currently supported methods are following:
- Supports TCP and UDP packet forwarding, with the option to selectively disable UDP.
- Recommended encryption methods:
- 2022-blake3-aes-128-gcm
- 2022-blake3-aes-256-gcm
- 2022-blake3-chacha20-poly1305
- Other encryption methods:
- aes-256-gcm
- aes-128-gcm
- chacha20-poly1305 or chacha20-ietf-poly1305
- xchacha20-poly1305 or xchacha20-ietf-poly1305
- none or plain
- `2022-blake3-aes-128-gcm`
- `2022-blake3-aes-256-gcm`
- `2022-blake3-chacha20-poly1305`
- Other encryption methods:
- `aes-256-gcm`
- `aes-128-gcm`
- `chacha20-poly1305`/`chacha20-ietf-poly1305`
- `xchacha20-poly1305`/`xchacha20-ietf-poly1305`
- `none`/`plain`
The Shadowsocks 2022 new protocol format improves performance and includes complete replay protection, addressing the following security issues in the old protocol:
@ -24,7 +24,7 @@ The Shadowsocks 2022 new protocol format improves performance and includes compl
- TCP behaviors that can be used for active probing
::: danger
Traffic transmitted without encryption using the "none" method will be in plain text. Do not use it on public networks for security reasons.
Traffic transmitted without encryption using the "none" method will be in plain text. **Do not use it on public networks** for security reasons.
:::
## InboundConfigurationObject
@ -32,6 +32,7 @@ Traffic transmitted without encryption using the "none" method will be in plain
```json
{
"settings": {
"clients": [],
"password": "password",
"method": "aes-256-gcm",
"level": 0,
@ -41,6 +42,10 @@ Traffic transmitted without encryption using the "none" method will be in plain
}
```
> `clients`: a list of [`ClientObject`](#clientobject), empty list considered valid
The `password` parameter can be specified for the server at all, but also in the [`ClientObject`](#clientobject) being dedicated to the given user. Server-level `password` is not guaranteed to override the client-specific one.
> `network`: "tcp" | "udp" | "tcp,udp"
The supported network protocol type. For example, when specified as `"tcp"`, it will only handle TCP traffic. The default value is `"tcp"`.
@ -56,31 +61,30 @@ The supported network protocol type. For example, when specified as `"tcp"`, it
}
```
> `method`: string
> `method`: string, any of the [supported methods](#supportedencryptionmethods)
Required.
> `password`: string
Required.
Required. For **Shadowsocks 2022** a pre-shared `base64` random key similar to WireGuard's keys should be used as the password. The command
```sh
openssl rand -base64 <length>
```
could used to generate a key. The length of the required key for `shadowsocks-rust` implementation depends on the encryption method:
- Shadowsocks 2022
| Encryption Method | Key Length |
| ----------------------------- | ---------: |
| `2022-blake3-aes-128-gcm` | 16 |
| `2022-blake3-aes-256-gcm` | 32 |
| `2022-blake3-chacha20-poly1305` | 32 |
Use a pre-shared key similar to WireGuard as the password.
In the `go-shadowsocks` implementation written in Golang, a 32-byte key always works.
Use `openssl rand -base64 <length>` to generate a compatible key with shadowsocks-rust, where the length depends on the encryption method used.
| Encryption Method | Key Length |
| ----------------------------- | ---------: |
| 2022-blake3-aes-128-gcm | 16 |
| 2022-blake3-aes-256-gcm | 32 |
| 2022-blake3-chacha20-poly1305 | 32 |
In the Go implementation, a 32-byte key always works.
- Other encryption methods
Any string. There is no limitation on the password length, but shorter passwords are more susceptible to cracking. It is recommended to use a password of 16 characters or longer.
For **any other encryption method** _any string_ could be used. There is no limitation on the password length, but shorter passwords are more susceptible to cracking. It is recommended to use a random-generated password of 16 characters or longer. The following example generates 40-characters length password:
```sh
sudo strings /dev/urandom | grep -o '[[:alnum:]]' | head -n 40 | tr -d '\n'; echo
```
> `level`: number
@ -90,4 +94,4 @@ The value of `level` corresponds to the value of `level` in the [policy](../poli
> `email`: string
The user's email, used to differentiate traffic from different users (logs, statistics).
The user's email, used to differentiate traffic from different users for logs or statistics.