98 lines
3.6 KiB
Markdown
98 lines
3.6 KiB
Markdown
# Shadowsocks
|
|
|
|
The [Shadowsocks](https://en.wikipedia.org/wiki/Shadowsocks) protocol is compatible with most other implementations of Shadowsocks. The server supports TCP and UDP packet forwarding, with an option to selectively disable UDP.
|
|
|
|
### Supported Encryption Methods
|
|
The currently supported methods are following:
|
|
|
|
- Recommended encryption methods:
|
|
- `2022-blake3-aes-128-gcm`
|
|
- `2022-blake3-aes-256-gcm`
|
|
- `2022-blake3-chacha20-poly1305`
|
|
- Other encryption methods:
|
|
- `aes-256-gcm`
|
|
- `aes-128-gcm`
|
|
- `chacha20-poly1305`/`chacha20-ietf-poly1305`
|
|
- `xchacha20-poly1305`/`xchacha20-ietf-poly1305`
|
|
- `none`/`plain`
|
|
|
|
The Shadowsocks 2022 new protocol format improves performance and includes complete replay protection, addressing the following security issues in the old protocol:
|
|
|
|
- [Serious vulnerabilities in Shadowsocks AEAD encryption, which cannot guarantee the integrity of the communication content](https://github.com/shadowsocks/shadowsocks-org/issues/183)
|
|
- Increasing false positive rate of the original TCP replay filter over time
|
|
- Lack of UDP replay protection
|
|
- TCP behaviors that can be used for active probing
|
|
|
|
::: danger
|
|
Traffic transmitted without encryption using the "none" method will be in plain text. **Do not use it on public networks** for security reasons.
|
|
:::
|
|
|
|
## InboundConfigurationObject
|
|
|
|
```json
|
|
{
|
|
"settings": {
|
|
"clients": [],
|
|
"password": "password",
|
|
"method": "aes-256-gcm",
|
|
"level": 0,
|
|
"email": "love@xray.com",
|
|
"network": "tcp,udp"
|
|
}
|
|
}
|
|
```
|
|
|
|
> `clients`: a list of [`ClientObject`](#clientobject), empty list considered valid
|
|
|
|
The `password` parameter can be specified for the server at all, but also in the [`ClientObject`](#clientobject) being dedicated to the given user. Server-level `password` is not guaranteed to override the client-specific one.
|
|
|
|
> `network`: "tcp" | "udp" | "tcp,udp"
|
|
|
|
The supported network protocol type. For example, when specified as `"tcp"`, it will only handle TCP traffic. The default value is `"tcp"`.
|
|
|
|
## ClientObject
|
|
|
|
```json
|
|
{
|
|
"password": "密码",
|
|
"method": "aes-256-gcm",
|
|
"level": 0,
|
|
"email": "love@xray.com"
|
|
}
|
|
```
|
|
|
|
> `method`: string, any of the [supported methods](#supportedencryptionmethods)
|
|
|
|
Required.
|
|
|
|
> `password`: string
|
|
|
|
Required. For **Shadowsocks 2022** a pre-shared `base64` random key similar to WireGuard's keys should be used as the password. The command
|
|
```sh
|
|
openssl rand -base64 <length>
|
|
```
|
|
could used to generate a key. The length of the required key for `shadowsocks-rust` implementation depends on the encryption method:
|
|
|
|
| Encryption Method | Key Length |
|
|
| ----------------------------- | ---------: |
|
|
| `2022-blake3-aes-128-gcm` | 16 |
|
|
| `2022-blake3-aes-256-gcm` | 32 |
|
|
| `2022-blake3-chacha20-poly1305` | 32 |
|
|
|
|
In the `go-shadowsocks` implementation written in Golang, a 32-byte key always works.
|
|
|
|
For **any other encryption method** _any string_ could be used. There is no limitation on the password length, but shorter passwords are more susceptible to cracking. It is recommended to use a random-generated password of 16 characters or longer. The following example generates 40-characters length password:
|
|
```sh
|
|
sudo strings /dev/urandom | grep -o '[[:alnum:]]' | head -n 40 | tr -d '\n'; echo
|
|
```
|
|
|
|
> `level`: number
|
|
|
|
The user level that the connection will use to determine the corresponding [Local Policy](../policy.md#levelpolicyobject).
|
|
|
|
The value of `level` corresponds to the value of `level` in the [policy](../policy.md#policyobject). If not specified, the default value is 0.
|
|
|
|
> `email`: string
|
|
|
|
The user's email, used to differentiate traffic from different users for logs or statistics.
|