├── Ban-Brute-Force-Crackers.md
├── Block-Connection-to-localhost.md
├── Change-Server-on-the-Fly.md
├── Configuration-via-Config-File.md
├── Configure-Multiple-Users.md
├── Configure-Shadowsocks-with-Supervisor.md
├── Connect to OpenVPN over Shadowsocks.md
├── Convert-Shadowsocks-into-an-HTTP-proxy.md
├── Encryption.md
├── Feature-Comparison-across-Different-Versions.md
├── Forcing-Chrome-to-Use-Socks5-Proxy.md
├── Generate QR Code for Android or iOS Clients.md
├── Gentoo overlay.md
├── Graceful-shutdown-and-restart.md
├── Home.md
├── Install-Shadowsocks-Server-on-Windows.md
├── Manage-Multiple-Users.md
├── Objective.md
├── Optimizing-Shadowsocks.md
├── Ports-and-Clients.md
├── Salsa20.md
├── Securing-Public-Shadowsocks-Server.md
├── Setting-Up-Shadowsocks-on-Linode.md
├── Setup-a-Shadowsocks-relay.md
├── Shadowsocks-使用说明.md
├── TCP-Fast-Open.md
├── Troubleshooting.md
├── Using-Shadowsocks-with-Command-Line-Tools.md
├── Workers.md
├── _Footer.md
├── _Sidebar.md
├── 优化-Shadowsocks.md
├── 回复模版.md
├── 在-Linode-上快速搭建-Shadowsocks.md
└── 用-Supervisor-运行-Shadowsocks.md

/Ban-Brute-Force-Crackers.md:
--------------------------------------------------------------------------------
1 | Shadowsocks 2.6.2+ outputs the IPs that try to brute force crack your password.
2 |
3 | You can use [utils/autoban.py](https://github.com/shadowsocks/shadowsocks/tree/master/utils) to ban them.
4 |
5 |     python autoban.py < /var/log/shadowsocks.log
6 |
7 | Use `-c` to specify how many failures should be considered
8 | an attack. The default is 3.
9 |
10 | To keep watching the log file:
11 |
12 |     nohup tail -F /var/log/shadowsocks.log | python autoban.py >log 2>&1 &
13 |
14 | Use with caution. Avoid banning yourself.
--------------------------------------------------------------------------------
/Block-Connection-to-localhost.md:
--------------------------------------------------------------------------------
1 | From 2.6.7, localhost is blocked by default.
If you don't want it, use `--forbidden-ip=""`.
2 |
3 | From 2.6.3, you can prevent the server from connecting to some IPs, such as 127.0.0.1.
4 |
5 |     ssserver -c /etc/shadowsocks.json --forbidden-ip 127.0.0.1,::1
6 |
7 | Note that only IPv4 and IPv6 addresses are allowed. Blocking is applied **after DNS** resolution.
8 |
9 | This way, if a client tries to visit a hostname, like `localhost` or a domain name
10 | a user has pointed to 127.0.0.1, it will be resolved into `127.0.0.1` or `::1`.
11 | Thus it will still get blocked.
--------------------------------------------------------------------------------
/Change-Server-on-the-Fly.md:
--------------------------------------------------------------------------------
1 | Some clients (Shadowsocks-GUI, ShadowsocksX, GoAgentX) support choosing between different server profiles.
2 |
3 | Note that due to Chrome's persistent connection to the proxy, you may need to force Chrome to reconnect to the proxy in order to connect to another Shadowsocks server. You can either restart your Shadowsocks client, or:
4 |
5 | 1. Open [chrome://net-internals/#sockets](chrome://net-internals/#sockets)
6 | 2. Click `Flush socket pools`.
--------------------------------------------------------------------------------
/Configuration-via-Config-File.md:
--------------------------------------------------------------------------------
1 | You can use a configuration file instead of command line arguments.
2 |
3 | Create a config file `/etc/shadowsocks.json`.
4 | Example:
5 |
6 |     {
7 |         "server":"my_server_ip",
8 |         "server_port":8388,
9 |         "local_address": "127.0.0.1",
10 |         "local_port":1080,
11 |         "password":"mypassword",
12 |         "timeout":300,
13 |         "method":"aes-256-cfb",
14 |         "fast_open": false
15 |     }
16 |
17 | Explanation of the fields:
18 |
19 | | Name          | Explanation                                     |
20 | | ------------- | ----------------------------------------------- |
21 | | server        | the address your server listens on              |
22 | | server_port   | server port                                     |
23 | | local_address | the address your local listens on               |
24 | | local_port    | local port                                      |
25 | | password      | password used for encryption                    |
26 | | timeout       | in seconds                                      |
27 | | method        | default: "aes-256-cfb", see [Encryption]        |
28 | | fast_open     | use [TCP_FASTOPEN], true / false                |
29 | | workers       | number of workers, available on Unix/Linux      |
30 |
31 | To run in the foreground:
32 |
33 |     ssserver -c /etc/shadowsocks.json
34 |
35 | To run in the background:
36 |
37 |     ssserver -c /etc/shadowsocks.json -d start
38 |     ssserver -c /etc/shadowsocks.json -d stop
39 |
40 |
41 | [Encryption]: https://github.com/shadowsocks/shadowsocks/wiki/Encryption
42 | [TCP_FASTOPEN]: https://github.com/shadowsocks/shadowsocks/wiki/TCP-Fast-Open
--------------------------------------------------------------------------------
/Configure-Multiple-Users.md:
--------------------------------------------------------------------------------
1 | Currently Python and Go servers support multiple users.
2 |
3 | You can use different passwords on different ports like this:
4 |
5 |     {
6 |         "server": "0.0.0.0",
7 |         "port_password": {
8 |             "8381": "foobar1",
9 |             "8382": "foobar2",
10 |             "8383": "foobar3",
11 |             "8384": "foobar4"
12 |         },
13 |         "timeout": 300,
14 |         "method": "aes-256-cfb"
15 |     }
16 |
17 | If you want to build a user management system, check the [Manager API](https://github.com/shadowsocks/shadowsocks/wiki/Manage-Multiple-Users).
--------------------------------------------------------------------------------
/Configure-Shadowsocks-with-Supervisor.md:
--------------------------------------------------------------------------------
1 | [中文版](https://github.com/shadowsocks/shadowsocks/wiki/%E7%94%A8-Supervisor-%E8%BF%90%E8%A1%8C-Shadowsocks)
2 |
3 | **Notice: from Shadowsocks 2.6, you can run Shadowsocks directly in the background without Supervisor.
4 | This saves RAM for the extra supervisor process.**
5 |
6 |     ssserver -c /etc/shadowsocks.json -d start
7 |     ssserver -c /etc/shadowsocks.json -d stop
8 |
9 | For old versions:
10 |
11 | Edit `/etc/shadowsocks.json`
12 |
13 | ```
14 | {
15 |     "server":"my ip",
16 |     "server_port":8388,
17 |     "local_port":1080,
18 |     "password":"my password",
19 |     "timeout":600,
20 |     "method":"aes-256-cfb"
21 | }
22 | ```
23 |
24 | Run
25 | ```
26 | apt-get update
27 | apt-get install python-pip python-m2crypto supervisor
28 | pip install shadowsocks
29 | ```
30 |
31 | Edit `/etc/supervisor/conf.d/shadowsocks.conf`
32 |
33 | ```
34 | [program:shadowsocks]
35 | command=ssserver -c /etc/shadowsocks.json
36 | autorestart=true
37 | user=nobody
38 | ```
39 |
40 | Add the following line to `/etc/default/supervisor`
41 |
42 | ```
43 | ulimit -n 51200
44 | ```
45 |
46 | Run
47 | ```
48 | service supervisor start
49 | supervisorctl reload
50 | ```
51 | Now it's up.
52 |
53 | You can check logs or control the shadowsocks process:
54 | ```
55 | supervisorctl tail -f shadowsocks stderr
56 | supervisorctl restart shadowsocks
57 | ```
--------------------------------------------------------------------------------
/Connect to OpenVPN over Shadowsocks.md:
--------------------------------------------------------------------------------
1 | Set up OpenVPN and Shadowsocks (Python / Node.js) on your server.
2 |
3 | Set up the OpenVPN client and Shadowsocks (Python / Node.js) on your local machine.
4 |
5 | Connect Shadowsocks.
6 |
7 | Add these lines to your .ovpn file:
8 |
9 |     socks-proxy 127.0.0.1 1080
10 |     route SHADOWSOCKS_SERVER_IP 255.255.255.255 net_gateway
11 |
12 | Then connect OpenVPN.
13 |
14 | Notice: only [versions that support UDP relay](https://github.com/shadowsocks/shadowsocks/wiki/Feature-Comparison-across-Different-Versions) support this feature.
--------------------------------------------------------------------------------
/Convert-Shadowsocks-into-an-HTTP-proxy.md:
--------------------------------------------------------------------------------
1 | First run polipo with parent proxy set to Shadowsocks:
2 |
3 | ```bash
4 | apt-get install polipo
5 | service polipo stop
6 | polipo socksParentProxy=localhost:1080
7 | ```
8 |
9 | Then you can play with the HTTP proxy:
10 |
11 | ```bash
12 | http_proxy=http://localhost:8123 apt-get update
13 |
14 | http_proxy=http://localhost:8123 curl www.google.com
15 |
16 | http_proxy=http://localhost:8123 wget www.google.com
17 |
18 | git config --global http.proxy 127.0.0.1:8123
19 | git clone https://github.com/xxx/xxx.git
20 | git xxx
21 | git xxx
22 | git config --global --unset-all http.proxy
23 | ```
--------------------------------------------------------------------------------
/Encryption.md:
--------------------------------------------------------------------------------
1 | Supported Ciphers
2 | =================
3 |
4 |                    | Python    | libev       | Go        | node.js
5 | ------------------ | --------- | ----------- | ----------| ---------
6 | OpenSSL (AES, etc) | Y         | Y           | Y         | Y
7 | RC4-MD5            | Y         | Y           | Y         | Y
8 | Salsa20, Chacha20  | Y         | Y           | N         | N
9 |
10 | - aes-256-cfb: Default
11 | - aes-128-cfb
12 | - aes-192-cfb
13 | - aes-256-ofb
14 | - aes-128-ofb
15 | - aes-192-ofb
16 | - aes-128-ctr
17 | - aes-192-ctr
18 | - aes-256-ctr
19 | - aes-128-cfb8
20 | - aes-192-cfb8
21 | - aes-256-cfb8
22 | - aes-128-cfb1
23 | - aes-192-cfb1
24 | - aes-256-cfb1
25 | - bf-cfb
26 | - camellia-128-cfb
27 | - camellia-192-cfb
28 | - camellia-256-cfb
29 | - 
cast5-cfb
30 | - chacha20
31 | - idea-cfb
32 | - rc2-cfb
33 | - rc4-md5
34 | - salsa20
35 | - seed-cfb
36 |
37 | Installing `M2Crypto` will make encryption a little faster.
38 |
39 | Debian:
40 |
41 |     apt-get install python-m2crypto
42 |
43 | CentOS:
44 |
45 |     yum install m2crypto
46 |
47 | rc4-md5
48 | =======
49 | `rc4-md5` is a safe, fast encryption that uses a different key per connection. It is recommended for OpenWRT routers.
50 |
51 | salsa20 and chacha20
52 | ====================
53 | `salsa20` and `chacha20` are fast stream ciphers. The optimized `salsa20` implementation on x86_64 is even 2x faster than `rc4` (but slightly slower on ARM).
54 |
55 | Install [libsodium](https://github.com/jedisct1/libsodium) >= 1.0.0 if you want to use them.
56 |
57 |     apt-get install build-essential
58 |     wget https://github.com/jedisct1/libsodium/releases/download/1.0.1/libsodium-1.0.1.tar.gz
59 |     tar xf libsodium-1.0.1.tar.gz && cd libsodium-1.0.1
60 |     ./configure && make -j2 && make install
61 |     ldconfig
62 |
63 | Deprecated Ciphers
64 | ==================
65 | These legacy ciphers are either slow or not safe. Do not use them:
66 | - rc4
67 | - des-cfb
68 | - table
69 | - salsa20-ctr
70 |
--------------------------------------------------------------------------------
/Feature-Comparison-across-Different-Versions.md:
--------------------------------------------------------------------------------
1 | Here's the page answering questions: does A support B?
2 |
3 | ## Servers
4 |
5 |                   | [Python]  | [libev]     | [Go]      | [node.js]
6 | ----------------- | --------- | ----------- | ----------| ---------
7 | Fast Open         | Y         | Y           | N         | N
8 | Multiple Users    | Y         | Y           | Y         | Y
9 | Management API    | Y         | Y           | N         | N
10 | Workers           | Y         | N           | N         | N
11 | Graceful Restart  | Y         | N           | N         | N
12 | ss-redir          | N         | Y           | N         | N
13 | ss-tunnel         | N         | Y           | N         | N
14 | UDP Relay         | Y         | Y           | N         | Y
15 |
16 | ## Clients
17 |
18 |                    | [Windows] | [ShadowsocksX] | [Qt5] | [Android] | [iOS App Store] | [iOS Cydia]
19 | ------------------ | ------- | ------------ | --- | ------- | ------------- | ---------
20 | System Proxy       | Y | Y | N | Y | N | Y
21 | CHNRoutes          | Y | Y | N | Y | Y | Y
22 | PAC Configuration  | Y | Y | N | N | N | N
23 | Profile Switching  | Y | Y | Y | Y | N | Y
24 | QR Code Scan       | Y | Y | Y | Y | Y | Y
25 | QR Code Generation | Y | Y | Y | N | N | Y
26 |
27 | [Python]: https://github.com/shadowsocks/shadowsocks
28 | [libev]: https://github.com/shadowsocks/shadowsocks-libev
29 | [Go]: https://github.com/shadowsocks/shadowsocks-go
30 | [node.js]: https://github.com/shadowsocks/shadowsocks-nodejs
31 | [Windows]: https://github.com/shadowsocks/shadowsocks-csharp
32 | [ShadowsocksX]: https://github.com/shadowsocks/shadowsocks-iOS
33 | [qt5]: https://github.com/librehat/shadowsocks-qt5
34 | [Android]: https://github.com/shadowsocks/shadowsocks-android
35 | [iOS App Store]: https://github.com/shadowsocks/shadowsocks-iOS
36 | [iOS Cydia]: https://github.com/linusyang/MobileShadowSocks
--------------------------------------------------------------------------------
/Forcing-Chrome-to-Use-Socks5-Proxy.md:
--------------------------------------------------------------------------------
1 | Launch chrome with the following arguments:
2 |
3 |     /path/to/Chrome.exe --proxy-server="socks5://127.0.0.1:1080" --host-resolver-rules="MAP * 0.0.0.0 , EXCLUDE localhost"
4 |
5 | Reference:
6 |
7 | http://www.chromium.org/developers/design-documents/network-stack/socks-proxy
--------------------------------------------------------------------------------
/Generate QR Code for Android or iOS Clients.md:
--------------------------------------------------------------------------------
1 | Shadowsocks Android and iOS support QR Code configuration.
2 |
3 | Update: now you can also scan QR codes on Windows and OS X.
4 |
5 | Protocol
6 | ========
7 |
8 | You can encode your server configuration to a QR Code.
9 |
10 | 1. Put your configuration together like this:
11 |
12 |         method:password@hostname:port
13 |
14 | 2. Transform it into base64:
15 |
16 |         bWV0aG9kOnBhc3N3b3JkQGhvc3RuYW1lOnBvcnQ=
17 |
18 | 3. Prepend with `ss://`
19 |
20 |         ss://bWV0aG9kOnBhc3N3b3JkQGhvc3RuYW1lOnBvcnQ=
21 |
22 | 4. Generate a QR Code from the URL above.
23 |
24 | Generate via GUI clients
25 | ========================
26 |
27 | You can also generate QR Codes from some GUI clients:
28 | - [Shadowsocks for Windows](https://github.com/shadowsocks/shadowsocks-csharp)
29 | - [Shadowsocks for OS X](https://github.com/shadowsocks/shadowsocks-iOS/wiki/Shadowsocks-for-OSX-Help)
30 | - [Shadowsocks-Qt5](https://github.com/librehat/shadowsocks-qt5)
31 | - [Shadowsocks GUI](https://github.com/shadowsocks/shadowsocks-gui)
32 |
33 | ![image](https://cloud.githubusercontent.com/assets/1073082/4605261/a345d9d4-51d6-11e4-94e8-a13a987567e7.png)
34 |
35 | Generate via Command line
36 | =========================
37 |
38 |     pip install qrcode
39 |     echo -n "ss://"`echo -n aes-256-cfb:password@1.2.3.4:8388 | base64` | qr
40 |
41 | If you can't scan the code, try changing your terminal font.
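The four protocol steps above and the reverse direction, as an added example (not code from the Shadowsocks project; all function names are illustrative). It shows that the `ss://` string is only base64-encoded, so anyone who sees the QR code recovers the password, and it handles passwords that themselves contain `:` or `@`.

```python
import base64

SCHEME = "ss://"


def encode_config(plain):
    """Steps 2-3: base64-encode the config string and prepend ss://."""
    # b64encode never inserts line breaks. GNU `base64` wraps its output at
    # 76 columns unless -w0 is given, which matters for long configurations.
    return SCHEME + base64.b64encode(plain.encode("utf-8")).decode("ascii")


def build_ss_uri(method, password, host, port):
    """Step 1 with validation, then steps 2-3."""
    if not method or ":" in method:
        raise ValueError("method must be non-empty and must not contain ':'")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return encode_config("%s:%s@%s:%d" % (method, password, host, port))


def parse_ss_uri(uri):
    """Decode an ss:// URI back into its fields; raise ValueError if malformed."""
    if not uri.startswith(SCHEME):
        raise ValueError("not an ss:// URI")
    # Drop whitespace from line-wrapped base64 and restore stripped padding.
    body = "".join(uri[len(SCHEME):].split())
    body += "=" * (-len(body) % 4)
    try:
        plain = base64.b64decode(body, validate=True).decode("utf-8")
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError
        raise ValueError("payload is not valid base64/UTF-8") from exc
    # The method never contains ':', so split there first. The password may
    # contain ':' or '@', so host and port are taken from the right-hand end.
    method, sep1, rest = plain.partition(":")
    password, sep2, hostport = rest.rpartition("@")
    host, sep3, port = hostport.rpartition(":")
    if not (sep1 and sep2 and sep3 and method and host):
        raise ValueError("expected method:password@hostname:port")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("invalid port")
    return {"method": method, "password": password,
            "host": host, "port": int(port)}


def describe_for_log(uri):
    """Return a log-safe description of the URI with the password masked."""
    cfg = parse_ss_uri(uri)
    return "%s:***@%s:%d" % (cfg["method"], cfg["host"], cfg["port"])


if __name__ == "__main__":
    # Constructed sample values, not a real server.
    uri = build_ss_uri("aes-256-cfb", "p@ss:w0rd", "1.2.3.4", 8388)
    print(uri)
    print(parse_ss_uri(uri))      # the password comes back in clear text
    print(describe_for_log(uri))  # what is safe to write to a log
```

Treat the QR image and the `ss://` string with the same care as the password itself, including in screenshots and shell history.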
42 |
43 | ![image](https://cloud.githubusercontent.com/assets/1073082/4605437/6a41d15a-51e1-11e4-801a-424b5add2009.png)
44 |
--------------------------------------------------------------------------------
/Gentoo overlay.md:
--------------------------------------------------------------------------------
1 | See https://github.com/bolasblack/overlay/tree/master/net-misc/shadowsocks
--------------------------------------------------------------------------------
/Graceful-shutdown-and-restart.md:
--------------------------------------------------------------------------------
1 | Shadowsocks supports graceful shutdown like nginx.
2 |
3 | You can send `SIGQUIT` to sslocal or ssserver process. The process closes listening sockets but still serves alive connections, allowing you to start a new process on the same port. When all connections on the old process are closed, it will then exit.
4 |
5 | If you are using workers, send `SIGQUIT` to the master process.
6 |
7 | On Windows, please use `SIGTERM` instead.
8 |
9 | Notice: only [some versions](https://github.com/shadowsocks/shadowsocks/wiki/Feature-Comparison-across-Different-Versions) support this feature.
--------------------------------------------------------------------------------
/Home.md:
--------------------------------------------------------------------------------
1 | ### About This Project
2 |
3 | Shadowsocks is a fast tunnel proxy that helps you bypass firewalls.
4 |
5 | ### Quick Navigation
6 |
7 | - Getting Started
8 |     * [Tutorial]
9 |     * [中文教程][Chinese Readme]
10 | - [Ports and clients](https://github.com/shadowsocks/shadowsocks/wiki/Ports-and-Clients)
11 |     * [Windows](https://github.com/shadowsocks/shadowsocks/wiki/Ports-and-Clients#windows)
12 |     * [OS X](https://github.com/shadowsocks/shadowsocks/wiki/Ports-and-Clients#os-x)
13 |     * [iOS](https://github.com/shadowsocks/shadowsocks/wiki/Ports-and-Clients#ios)
14 |     * [Android](https://github.com/shadowsocks/shadowsocks/wiki/Ports-and-Clients#android)
15 |     * [OpenWRT](https://github.com/shadowsocks/shadowsocks/wiki/Ports-and-Clients#openwrt)
16 | - [Optimizing Shadowsocks](https://github.com/shadowsocks/shadowsocks/wiki/Optimizing-Shadowsocks)
17 | - Configuration
18 |     * [Configuration via Config File](https://github.com/shadowsocks/shadowsocks/wiki/Configuration-via-Config-File)
19 |     * [Generate QR Code for Android or iOS Clients](https://github.com/clowwindy/shadowsocks/wiki/Generate-QR-Code-for-Android-or-iOS-Clients)
20 |     * [Configure Multiple Users](https://github.com/shadowsocks/shadowsocks/wiki/Configure-Multiple-Users)
21 |     * [Encryption](https://github.com/shadowsocks/shadowsocks/wiki/Encryption)
22 |     * [TCP Fast Open](https://github.com/shadowsocks/shadowsocks/wiki/TCP-Fast-Open)
23 |     * [Using Workers](https://github.com/shadowsocks/shadowsocks/wiki/Workers)
24 | - Advanced Features
25 |     * [Manage Multiple Users](https://github.com/shadowsocks/shadowsocks/wiki/Manage-Multiple-Users)
26 |     * [Securing Public Server](https://github.com/shadowsocks/shadowsocks/wiki/Securing-Public-Shadowsocks-Server)
27 |     * [Convert Shadowsocks into an HTTP proxy](https://github.com/shadowsocks/shadowsocks/wiki/Convert-Shadowsocks-into-an-HTTP-proxy)
28 |     * [Using Shadowsocks with Command Line Tools](https://github.com/shadowsocks/shadowsocks/wiki/Using-Shadowsocks-with-Command-Line-Tools)
29 |     * [Setup a Shadowsocks 
Relay](https://github.com/shadowsocks/shadowsocks/wiki/Setup-a-Shadowsocks-relay)
30 |     * [Forcing Chrome to Use Socks5 Proxy](https://github.com/shadowsocks/shadowsocks/wiki/Forcing-Chrome-to-Use-Socks5-Proxy)
31 |     * [OpenVPN over Shadowsocks](https://github.com/shadowsocks/shadowsocks/wiki/Connect-to-OpenVPN-over-Shadowsocks)
32 |     * [Graceful shutdown and restart](https://github.com/shadowsocks/shadowsocks/wiki/Graceful-shutdown-and-restart)
33 |     * [Change Server on the Fly](https://github.com/shadowsocks/shadowsocks/wiki/Change-Server-on-the-Fly)
34 |     * [Ban Brute Force Crackers](https://github.com/shadowsocks/shadowsocks/wiki/Ban-Brute-Force-Crackers)
35 |     * [Block Connection to localhost](https://github.com/shadowsocks/shadowsocks/wiki/Block-Connection-to-localhost)
36 |
37 | ### Latest Release
38 |
39 | - [Python Package Index](https://pypi.python.org/pypi/shadowsocks)
40 |
41 | ### Questions
42 |
43 | Make sure to read [Contribute to Shadowsocks](https://github.com/shadowsocks/shadowsocks/blob/master/CONTRIBUTING.md) first before you submit issues or ask questions.
44 |
45 | - [Troubleshooting]
46 | - [Mailing list]
47 | - [Issue Tracker]
48 |
49 | [Build Status]: https://img.shields.io/travis/shadowsocks/shadowsocks/master.svg?style=flat
50 | [Chinese Readme]: https://github.com/shadowsocks/shadowsocks/wiki/Shadowsocks-%E4%BD%BF%E7%94%A8%E8%AF%B4%E6%98%8E
51 | [Issue Tracker]: https://github.com/shadowsocks/shadowsocks/issues?state=open
52 | [Mailing list]: http://groups.google.com/group/shadowsocks
53 | [PyPI]: https://pypi.python.org/pypi/shadowsocks
54 | [PyPI version]: https://img.shields.io/pypi/v/shadowsocks.svg?style=flat
55 | [Tutorial]: https://github.com/shadowsocks/shadowsocks/blob/master/README.md
56 | [Supervisor]: https://github.com/shadowsocks/shadowsocks/wiki/Configure-Shadowsocks-with-Supervisor
57 | [TCP_FASTOPEN]: https://github.com/shadowsocks/shadowsocks/wiki/TCP-Fast-Open
58 | [Travis CI]: https://travis-ci.org/shadowsocks/shadowsocks
59 | [Troubleshooting]: https://github.com/shadowsocks/shadowsocks/wiki/Troubleshooting
--------------------------------------------------------------------------------
/Install-Shadowsocks-Server-on-Windows.md:
--------------------------------------------------------------------------------
1 | Notice: this page is for the **server side**. If you are looking for clients, visit [clients](https://github.com/shadowsocks/shadowsocks/wiki/Ports-and-Clients#windows).
2 |
3 | Server deployment on Windows is discouraged, since the `select` API performs very poorly. If you want to serve many users, you should always set up your server on Linux. Please visit [README](https://github.com/shadowsocks/shadowsocks/blob/master/README.md) for more details.
4 |
5 | 1. Download and install [Python for Windows](https://www.python.org/downloads/windows/). You can download the x86-64 MSI installer on 64bit Windows.
6 | 2. During installation you should install `pip`
7 | ![Python](https://cloud.githubusercontent.com/assets/493124/5639371/0b91b9fa-9650-11e4-9782-44526d25f2fa.png)
8 | 3. 
Install [OpenSSL for Windows](https://slproweb.com/products/Win32OpenSSL.html). If you installed 64bit Python, you should install 64bit OpenSSL.
9 | 4. Install shadowsocks like Linux. In Command Prompt, type command line
10 | ````
11 | pip install shadowsocks
12 | ````
13 | 5. If you want to use `salsa20` or `chacha20` encryption, download [libsodium](http://download.libsodium.org/libsodium/releases/) and put dll files (without path) into `C:\Windows\System32` or `C:\Windows\SysWOW64` (32bit Python on 64bit Windows).
--------------------------------------------------------------------------------
/Manage-Multiple-Users.md:
--------------------------------------------------------------------------------
1 | If you want to build a user management system, Shadowsocks provides an API that allows you to add/remove ports on the fly, as well as get transfer statistics from Shadowsocks.
2 |
3 | If you simply want to add multiple users without changing them on the fly, you can check [this tutorial](https://github.com/shadowsocks/shadowsocks/wiki/Configure-Multiple-Users).
4 |
5 | Notice: only Python and libev versions support this feature.
6 |
7 | Setup
8 | -----
9 |
10 | Enable manager API by specifying `--manager-address`, which is either a Unix socket or an IP address:
11 | ```
12 | # Use a Unix socket
13 | ssserver --manager-address /var/run/shadowsocks-manager.sock -c tests/server-multi-passwd.json
14 | # Use an IP address
15 | ssserver --manager-address 127.0.0.1:6001 -c tests/server-multi-passwd.json
16 | ```
17 |
18 | For security reasons, you should use Unix sockets.
19 |
20 | When manager is enabled, [workers](https://github.com/shadowsocks/shadowsocks/wiki/Workers) and [graceful restart](https://github.com/shadowsocks/shadowsocks/wiki/Graceful-shutdown-and-restart) are disabled.
21 |
22 | Protocol
23 | --------
24 |
25 | You can send UDP data to Shadowsocks.
26 |
27 | ```
28 | command[: JSON data]
29 | ```
30 |
31 | To add a port:
32 |
33 | ```
34 | add: {"server_port": 8001, "password":"7cd308cc059"}
35 | ```
36 |
37 | To remove a port:
38 |
39 | ```
40 | remove: {"server_port": 8001}
41 | ```
42 |
43 | To receive a pong:
44 |
45 | ```
46 | ping
47 | ```
48 |
49 | Shadowsocks will send back transfer statistics:
50 |
51 | ```
52 | stat: {"8001":11370}
53 | ```
54 |
55 | Example Code
56 | ------------
57 |
58 | Here's code that demonstrates how to talk to the Shadowsocks server:
59 | ```
60 | import socket
61 |
62 | cli = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
63 | cli.bind('/tmp/client.sock')  # address of the client
64 | cli.connect('/var/run/shadowsocks-manager.sock')  # address of Shadowsocks manager
65 |
66 | cli.send(b'ping')
67 | print(cli.recv(1506))  # You'll receive 'pong'
68 |
69 | cli.send(b'add: {"server_port":8001, "password":"7cd308cc059"}')
70 | print(cli.recv(1506))  # You'll receive 'ok'
71 |
72 | cli.send(b'remove: {"server_port":8001}')
73 | print(cli.recv(1506))  # You'll receive 'ok'
74 |
75 | while True:
76 |     print(cli.recv(1506))  # when data is transferred on Shadowsocks, you'll receive stat info every 10 seconds
77 | ```
--------------------------------------------------------------------------------
/Objective.md:
--------------------------------------------------------------------------------
1 | SSL and VPN provide data security. To users in China and many other countries,
2 | their goal is not to protect the data security, but to unblock YouTube and Facebook.
3 |
4 | SSL and VPN failed because some of their protocol information is in plain text.
5 | For example, firewalls can read certificate information from SSL connections, and
6 | block connections based on certificate identity. In some countries, they just ban
7 | all OpenVPN traffic.
8 |
9 | Unlike SSL and VPN, Shadowsocks is designed for protocol anonymity, which means
10 | its main objective is to make it hard for firewalls deployed on routers to tell Shadowsocks
11 | from normal traffic.
12 |
13 | If you need data security, you can [wrap SSL or VPN inside Shadowsocks](https://github.com/shadowsocks/shadowsocks/wiki/Connect-to-OpenVPN-over-Shadowsocks).
--------------------------------------------------------------------------------
/Optimizing-Shadowsocks.md:
--------------------------------------------------------------------------------
1 | If you see a lot of `error: too many open files` in your log, you should optimize your system.
2 | This tutorial applies to all shadowsocks servers (Python, libev, etc).
3 |
4 | On Debian 7:
5 |
6 | Create `/etc/sysctl.d/local.conf` with the following content:
7 |
8 | ```
9 | # max open files
10 | fs.file-max = 51200
11 | # max read buffer
12 | net.core.rmem_max = 67108864
13 | # max write buffer
14 | net.core.wmem_max = 67108864
15 | # default read buffer
16 | net.core.rmem_default = 65536
17 | # default write buffer
18 | net.core.wmem_default = 65536
19 | # max processor input queue
20 | net.core.netdev_max_backlog = 4096
21 | # max backlog
22 | net.core.somaxconn = 4096
23 |
24 | # resist SYN flood attacks
25 | net.ipv4.tcp_syncookies = 1
26 | # reuse timewait sockets when safe
27 | net.ipv4.tcp_tw_reuse = 1
28 | # turn off fast timewait sockets recycling
29 | net.ipv4.tcp_tw_recycle = 0
30 | # short FIN timeout
31 | net.ipv4.tcp_fin_timeout = 30
32 | # short keepalive time
33 | net.ipv4.tcp_keepalive_time = 1200
34 | # outbound port range
35 | net.ipv4.ip_local_port_range = 10000 65000
36 | # max SYN backlog
37 | net.ipv4.tcp_max_syn_backlog = 4096
38 | # max timewait sockets held by system simultaneously
39 | net.ipv4.tcp_max_tw_buckets = 5000
40 | # turn on TCP Fast Open on both client and server side
41 | net.ipv4.tcp_fastopen = 3
42 | # TCP receive buffer
43 | net.ipv4.tcp_rmem = 4096 87380 67108864
44 
| # TCP write buffer
45 | net.ipv4.tcp_wmem = 4096 65536 67108864
46 | # turn on path MTU discovery
47 | net.ipv4.tcp_mtu_probing = 1
48 |
49 | # for high-latency network
50 | net.ipv4.tcp_congestion_control = hybla
51 |
52 | # for low-latency network, use cubic instead
53 | # net.ipv4.tcp_congestion_control = cubic
54 | ```
55 |
56 | Then:
57 |
58 |     sysctl --system
59 |
60 | Older system:
61 |
62 |     sysctl -p /etc/sysctl.d/local.conf
63 |
64 | Warning: **DO NOT ENABLE `net.ipv4.tcp_tw_recycle`!!!** See [this article](http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html).
65 |
66 | If you use [Supervisor](https://github.com/shadowsocks/shadowsocks/wiki/Configure-Shadowsocks-with-Supervisor), make sure you have the following line in `/etc/default/supervisor`. Once you have added that line, restart Supervisor (`service supervisor stop && service supervisor start`).
67 |
68 | ```
69 | ulimit -n 51200
70 | ```
71 |
72 | If you run shadowsocks in the background in other ways, make sure to add `ulimit -n 51200` in your init script.
73 |
74 | After optimizing, a busy Shadowsocks server that handles thousands of connections takes about 30MB memory and 10% CPU. Notice that at the same time, the **Linux kernel usually uses >100MB RAM** to hold buffer and cache for those connections. By using the sysctl config above, you are trading off RAM for speed. If you want to use less RAM,
75 | reduce the size of rmem and wmem.
76 |
77 | ![if_eth0-day](https://cloud.githubusercontent.com/assets/1073082/3358558/2a18bc5a-fadf-11e3-96c3-473c42f1a3a3.png)
78 |
79 | ![fw_conntrack-day](https://cloud.githubusercontent.com/assets/1073082/3358559/2bf8662e-fadf-11e3-8039-3d59bf689fe2.png)
80 |
81 | ![cpu-day](https://cloud.githubusercontent.com/assets/1073082/3358579/53951d80-fadf-11e3-8e6b-0ceed96950e2.png)
82 |
83 | ![proc_mem-day](https://cloud.githubusercontent.com/assets/1073082/3358599/87c98c08-fadf-11e3-9fc9-949f4061d2ca.png)
84 |
85 | Before & after:
86 |
87 | ![cc](https://cloud.githubusercontent.com/assets/1073082/3296349/10c34b04-f5d9-11e3-95fc-e38f5299c274.jpg)
--------------------------------------------------------------------------------
/Ports-and-Clients.md:
--------------------------------------------------------------------------------
1 | Please open an issue to add to this list.
2 |
3 | - [Version Feature Comparison](https://github.com/shadowsocks/shadowsocks/wiki/Feature-Comparison-across-Different-Versions)
4 |
5 | #### Windows
6 |
7 | * [Shadowsocks for Windows](https://github.com/shadowsocks/shadowsocks-csharp) - Shadowsocks client for Windows - [Download](https://github.com/shadowsocks/shadowsocks-csharp/releases)
8 | * [shadowsocks-qt5](https://github.com/librehat/shadowsocks-qt5) - Powered by Qt - [Download](https://github.com/librehat/shadowsocks-qt5/releases)
9 |
10 | #### OS X
11 |
12 | * [ShadowsocksX](https://github.com/shadowsocks/shadowsocks-iOS/) - Shadowsocks client for Mac - [Download](https://github.com/shadowsocks/shadowsocks-iOS/releases)
13 |
14 | #### Linux / Server side
15 |
16 | * [shadowsocks](https://github.com/shadowsocks/shadowsocks) - Python version
17 | * [shadowsocks-libev](https://github.com/shadowsocks/shadowsocks-libev) - C libev version
18 | * [shadowsocks-go](https://github.com/shadowsocks/shadowsocks-go) - Go version
19 | * [shadowsocks-qt5](https://github.com/librehat/shadowsocks-qt5) - Qt GUI client frontend
20 | * 
[fukei](https://github.com/thomashuang/Fukei) - Python Tornado version
21 |
22 | #### iOS
23 |
24 | * [MobileShadowSocks](https://github.com/linusyang/MobileShadowSocks) - Recommended for jailbroken devices, global proxy with no restriction
25 | * [shadowsocks-iOS](https://github.com/shadowsocks/shadowsocks-iOS) - All devices, web browser, global proxy **with some restrictions**
26 |
27 | #### Android
28 |
29 | * [shadowsocks-android](https://github.com/shadowsocks/shadowsocks-android)
30 |
31 |
32 |
33 | #### OpenWRT
34 |
35 | * [openwrt-shadowsocks](https://github.com/shadowsocks/openwrt-shadowsocks) - LuCI package for shadowsocks-libev
36 |
37 | #### Related
38 |
39 | * [cow](https://github.com/cyfdecyf/cow) - Powerful HTTP proxy, detecting blocked sites automatically
40 | * [GFWList2PAC](https://github.com/clowwindy/gfwlist2pac) - Generate fast PAC file from gfwlist
41 | * [ChinaDNS](https://github.com/clowwindy/ChinaDNS) - Fix weird things with DNS in China
42 | * [ShadowVPN](https://github.com/clowwindy/ShadowVPN) - A fast, safe VPN based on libsodium
43 |
44 | #### Deploy scripts
45 |
46 | * [stackscript for Linode](https://github.com/shadowsocks/shadowsocks/wiki/Setting-Up-Shadowsocks-on-Linode)
47 | * [Streisand](https://github.com/jlund/streisand) - Sets up a new server running L2TP/IPsec, OpenSSH, OpenVPN, Shadowsocks, Stunnel, and a Tor bridge.
48 | * [ansible-shadowsocks](https://github.com/jlund/ansible-shadowsocks) - An [Ansible](http://www.ansibleworks.com/) role that automates setting up a Shadowsocks server
49 |
50 | #### Experimental
51 |
52 | * [shadowsocks-manyuser](https://github.com/mengskysama/shadowsocks/tree/manyuser) - User management system for Shadowsocks server
53 | * [libQtShadowsocks](https://github.com/librehat/libQtShadowsocks) - C++/Qt version library and shadowsocks-libqss, a server based on the library
54 | * [shadowsocks-ruby](https://github.com/Sen/shadowsocks-ruby) Ruby version
55 | * [shadowsocks-chromeapp](https://github.com/clowwindy/shadowsocks-chromeapp) - Chrome App
56 | * [shadowsocks-haskell](https://github.com/rnons/shadowsocks-haskell) - Haskell version
57 | * [shadowsocks-gtk](https://github.com/apporc/shadowsocks-gtk) - Python GTK version
58 | * [shadowsocks-rust](https://github.com/zonyitoo/shadowsocks-rust) - Rust version
59 |
60 | #### Deprecated or maintenance discontinued
61 |
62 | * [shadowsocks-nodejs](https://github.com/shadowsocks/shadowsocks-nodejs) - Node.js version
63 | * [shadowsocks-gui](https://github.com/shadowsocks/shadowsocks-gui) - Powered by node-webkit - [Download](https://sourceforge.net/projects/shadowsocksgui/files/dist/)
64 | * [shadowsocks-dotcloud](https://github.com/clowwindy/shadowsocks-dotcloud) - Dotcloud PAAS version.
  **Not compatible with other versions**
* [shadowsocks-erlang](https://github.com/Yongke/shadowsocks-erlang) - Erlang version
* [Nevermore](https://github.com/nihgwu/Nevermore) - Powered by node-webkit - [Download](https://github.com/nihgwu/Nevermore/releases)
* [gShadowsocks](https://github.com/kawaiiushio/gShadowsocks) - Powered by shadowsocks-nodejs
* [shadowsocks-libuv](https://github.com/dndx/shadowsocks-libuv) - C libuv version
* [lightsocks](https://github.com/clowwindy/lightsocks) - Transparent TCP proxy
* [ShadowDNS](https://github.com/clowwindy/ShadowDNS) - DNS Forwarder powered by Shadowsocks
* [pobi](https://github.com/jackyz/pobi)
* [fqrouter](https://github.com/fqrouter/fqrouter)
* [GoAgentX](https://github.com/ohdarling/GoAgentX) - Supports multiple protocols - [Download](https://github.com/ohdarling/GoAgentX/releases)
* [shadowsocks-tiny](https://github.com/zhao-gang/shadowsocks-tiny)

--------------------------------------------------------------------------------
/Salsa20.md:
--------------------------------------------------------------------------------
Moved to [Encryption](https://github.com/clowwindy/shadowsocks/wiki/Encryption).

--------------------------------------------------------------------------------
/Securing-Public-Shadowsocks-Server.md:
--------------------------------------------------------------------------------
If you share your server with strangers, you need to be careful. The numbers used below are just examples.

1. [Optimize your server](https://github.com/shadowsocks/shadowsocks/wiki/Optimizing-Shadowsocks)

2. Limit bandwidth

        apt-get install wondershaper
        # limit bandwidth to 10 Mbit/s down and 10 Mbit/s up on eth0 (values are in kbit/s)
        wondershaper eth0 10000 10000

3. Limit connections

        iptables -A INPUT -p tcp --syn --dport ${SHADOWSOCKS_PORT} -m connlimit --connlimit-above 32 -j REJECT --reject-with tcp-reset

4.
   Prevent ssh password cracking

        apt-get install denyhosts

5. [Prevent Shadowsocks password cracking](https://github.com/shadowsocks/shadowsocks/wiki/Ban-Brute-Force-Crackers)

6. [Block connection to localhost](https://github.com/shadowsocks/shadowsocks/wiki/Block-Connection-to-localhost)

7. Run the Shadowsocks server as a non-root user

        sudo useradd ssuser
        sudo ssserver [other options] --user ssuser

8. Block traffic to ports other than HTTP (80) and HTTPS (443)

        iptables -t filter -m owner --uid-owner ssuser -A OUTPUT -p tcp --dport 80 -j ACCEPT
        iptables -t filter -m owner --uid-owner ssuser -A OUTPUT -p tcp --dport 443 -j ACCEPT
        iptables -t filter -m owner --uid-owner ssuser -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset

9. Block BitTorrent trackers

        apt-get install nginx

   Edit nginx configuration:

        server {
            # 0.0.0.0 makes this proxy listen on every interface
            listen 0.0.0.0:3128;
            resolver 8.8.8.8;
            location / {
                set $upstream_host $host;
                # tracker announce requests
                if ($request_uri ~ "^/announce.*") {
                    return 403;
                }
                # any URI containing "torrent"
                if ($request_uri ~ "^.*torrent.*") {
                    return 403;
                }
                proxy_set_header Host $upstream_host;
                proxy_pass http://$upstream_host;
                proxy_buffering off;
            }
        }

   Redirect port 80 to nginx:

        iptables -t nat -m owner --uid-owner ssuser -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128

--------------------------------------------------------------------------------
/Setting-Up-Shadowsocks-on-Linode.md:
--------------------------------------------------------------------------------
If you already created a [Linode] with Debian 7.0+, run the following and skip to Step 6.
```
apt-get install curl
curl 'https://raw.githubusercontent.com/shadowsocks/stackscript/master/stackscript.sh?v=4' > /tmp/ss.sh && bash /tmp/ss.sh && rm /tmp/ss.sh
```

If you didn't, do the following:

1.
   Create a new Linode and select `Deploying using StackScripts`
    * ![88be8e49-2018-476c-8380-424ee8470561](https://cloud.githubusercontent.com/assets/1073082/3285904/fa5fc7b8-f540-11e3-948e-95a30d2d320b.png)
2. Search for the Shadowsocks StackScript written by clowwindy and click it
    * ![screen shot 2014-06-16 at 6 24 23 pm](https://cloud.githubusercontent.com/assets/1073082/3285908/0037b6be-f541-11e3-8881-000a8dc38f7c.png)
3. Set the root password and rebuild your server
    * ![screen shot 2014-06-16 at 6 25 50 pm](https://cloud.githubusercontent.com/assets/1073082/3285916/0a27667e-f541-11e3-8408-4691c421e550.png)
4. Boot your server
    * ![0fdd081e-5288-4dcf-ae52-351e94ed1667](https://cloud.githubusercontent.com/assets/1073082/3285906/fda3820c-f540-11e3-8b1a-73f6cfbfd67f.png)
5. Wait for the VPS to boot up.
6. Log in to your server and check that everything is OK. Then find the password and server port generated for you:

```
# supervisorctl status
shadowsocks RUNNING pid 6929, uptime 0:01:25
# cat /etc/shadowsocks.json
{
    "server":"0.0.0.0",
    "server_port":4762,
    "local_port":1080,
    "password":"7f2aa2fef57d8414",
    "timeout":300,
    "method":"aes-256-cfb"
}
```

If you need to restart the server, run

    supervisorctl restart shadowsocks

[Linode]: https://www.linode.com/?r=e7932c8b03f9abc8aab71663b90b689a676402d1

--------------------------------------------------------------------------------
/Setup-a-Shadowsocks-relay.md:
--------------------------------------------------------------------------------
Use this if you want your client to connect to a Japan VPS but you want a US IP.

    Client <--> Japan VPS <--> US VPS

### Easy version:

1. Set up the Shadowsocks server as usual on the US VPS.
2. On the Japan VPS, enable forwarding.
   Replace `US_VPS_IP` and `JAPAN_VPS_IP` with the actual IPs:

        sudo su
        echo 1 > /proc/sys/net/ipv4/ip_forward
        iptables -t nat -A PREROUTING -p tcp --dport 8388 -j DNAT --to-destination US_VPS_IP:8388
        iptables -t nat -A POSTROUTING -p tcp -d US_VPS_IP --dport 8388 -j SNAT --to-source JAPAN_VPS_IP

3. Set your server to JAPAN_VPS_IP:8388 on your client.

### Better version:

For those who want more control and better performance, use haproxy instead.
You can also enable load balancing by adding multiple servers.

For Debian 7.0:

On the Japan VPS, append the following line to `/etc/apt/sources.list`

    deb http://ftp.us.debian.org/debian/ wheezy-backports main

Run

    apt-get install haproxy

Edit `/etc/haproxy/haproxy.cfg`

```
global
    ulimit-n 51200

defaults
    log global
    mode tcp
    option dontlognull
    # legacy directive names; newer HAProxy releases use
    # "timeout connect", "timeout client" and "timeout server"
    contimeout 1000
    clitimeout 150000
    srvtimeout 150000

frontend ss-in
    bind *:8388
    default_backend ss-out

backend ss-out
    server server1 US_VPS_IP:8388 maxconn 20480
```

Then run `haproxy -f /etc/haproxy/haproxy.cfg`

--------------------------------------------------------------------------------
/Shadowsocks-使用说明.md:
--------------------------------------------------------------------------------
[![PyPI version]][PyPI]
[![Build Status]][Travis CI]
[![Coverage Status]][Coverage]

A fast proxy that can get through firewalls.

Server
------

### Install

Debian / Ubuntu:

    apt-get install python-pip
    pip install shadowsocks

CentOS:

    yum install python-setuptools && easy_install pip
    pip install shadowsocks

Windows:

See [Install Shadowsocks Server on Windows](https://github.com/shadowsocks/shadowsocks/wiki/Install-Shadowsocks-Server-on-Windows)

### Usage

    ssserver -p 443 -k password -m rc4-md5

To run in the background:

    sudo ssserver -p 443 -k password -m rc4-md5 --user nobody -d start

To stop:

    sudo ssserver -d stop

To check the log:

    sudo less /var/log/shadowsocks.log

Use `-h` to see all options. You can also configure the server with a [configuration file](https://github.com/shadowsocks/shadowsocks/wiki/Configuration-via-Config-File).

Server setup
------------

Ubuntu 14.04 LTS is recommended for the server so that [TCP Fast Open] can be used. Unless you have a clear reason, CentOS is not recommended because it is unfriendly to beginners.

For better performance, choose a XEN or KVM VPS where possible and do not use OpenVZ. The following VPS providers are recommended:

- [Digital Ocean]: the stock kernel can use the [hybla] algorithm without compiling a module yourself
- [Linode]: powerful, with many data centers

Client
------

* [Windows] / [OS X]
* [Android] / [iOS]
* [OpenWRT]

Use a graphical client on your local PC or phone. See each client's own instructions for details.

Documentation
-------------

You can find all the documentation in the [Wiki].

License
-------

Copyright 2015 clowwindy

Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.

Bugs and Issues
----------------

* [Troubleshooting]
* [Issue Tracker]
* [Mailing list]


[Android]: https://github.com/shadowsocks/shadowsocks-android
[Build Status]: https://img.shields.io/travis/shadowsocks/shadowsocks/master.svg?style=flat
[Chinese Readme]: https://github.com/shadowsocks/shadowsocks/wiki/Shadowsocks-%E4%BD%BF%E7%94%A8%E8%AF%B4%E6%98%8E
[配置文件]: https://github.com/shadowsocks/shadowsocks/wiki/Configuration-via-Config-File
[Coverage Status]: https://jenkins.shadowvpn.org/result/shadowsocks
[Coverage]: https://jenkins.shadowvpn.org/job/Shadowsocks/ws/htmlcov/index.html
[Debian sid]: https://packages.debian.org/unstable/python/shadowsocks
[iOS]: https://github.com/shadowsocks/shadowsocks-iOS/wiki/Help
[Issue Tracker]: https://github.com/shadowsocks/shadowsocks/issues?state=open
[TCP Fast Open]: https://github.com/clowwindy/shadowsocks/wiki/TCP-Fast-Open
[在 Windows 上安装服务端]: https://github.com/shadowsocks/shadowsocks/wiki/Install-Shadowsocks-Server-on-Windows
[Mailing list]: https://groups.google.com/group/shadowsocks
[OpenWRT]: https://github.com/shadowsocks/openwrt-shadowsocks
[OS X]: https://github.com/shadowsocks/shadowsocks-iOS/wiki/Shadowsocks-for-OSX-Help
[PyPI]: https://pypi.python.org/pypi/shadowsocks
[PyPI version]: https://img.shields.io/pypi/v/shadowsocks.svg?style=flat
[Travis CI]: https://travis-ci.org/shadowsocks/shadowsocks
[Troubleshooting]: https://github.com/shadowsocks/shadowsocks/wiki/Troubleshooting
[Wiki]: https://github.com/shadowsocks/shadowsocks/wiki
[Windows]: https://github.com/shadowsocks/shadowsocks-windows/wiki/Shadowsocks-Windows-%E4%BD%BF%E7%94%A8%E8%AF%B4%E6%98%8E
[Digital Ocean]: https://www.digitalocean.com/?refcode=b1cddd149721
[Linode]: https://www.linode.com/?r=e7932c8b03f9abc8aab71663b90b689a676402d1
[hybla]:
https://github.com/shadowsocks/shadowsocks/wiki/Optimizing-Shadowsocks
[Bandwagon Host]: https://bandwagonhost.com/aff.php?pid=19

--------------------------------------------------------------------------------
/TCP-Fast-Open.md:
--------------------------------------------------------------------------------
If both your server and your client run on Linux 3.7+, you can turn on
fast_open for lower latency.

First set `fast_open` to `true` in your config.json.

Then turn on fast open on your OS temporarily:

    echo 3 > /proc/sys/net/ipv4/tcp_fastopen

To turn on fast open permanently, see [Optimizing Shadowsocks](https://github.com/shadowsocks/shadowsocks/wiki/Optimizing-Shadowsocks).

Notice: only [some versions](https://github.com/shadowsocks/shadowsocks/wiki/Feature-Comparison-across-Different-Versions) support this feature.

--------------------------------------------------------------------------------
/Troubleshooting.md:
--------------------------------------------------------------------------------
When a problem occurs, you can identify and diagnose it with the following steps:

1. First determine whether the problem is on the local side or the server side. You can do this by swapping the server (for example, using someone else's or a public server) and swapping the local client (for example, testing with a phone and with a computer).
2. Check the local client's log to see whether it received the browser's requests. If it did not, check the browser proxy settings and the local firewall. If the log shows only IPs and no domain names, make sure the browser is configured to resolve domain names remotely; otherwise you need to guard against DNS pollution locally.
3. Check the server log to see whether the server received the requests sent by the local client. If it did not, check the server firewall, and from the local machine use a port-checking tool such as tcping to see whether the server port is open. Try changing the IP or port.
4. If the server received the requests but the browser loaded nothing, check the server's DNS in `/etc/resolv.conf`, change it to `8.8.8.8` and restart the server.
5. If the server is slow, an unscrupulous ISP may be applying QoS; switch to a common port such as `80` `25` `443` `995` `3389` and test again.
6. If the server reports a permission problem at startup, the system may be restricting ports <1024; forward the port with iptables: `iptables -t nat -A PREROUTING -p tcp --dport 995 -j REDIRECT --to-ports 8387`
7. If a specific website has problems, open the network section of the browser developer tools to see which request is stuck, then on the server use tools such as ping and curl to check connectivity to that request's URL and host. Also check whether the request's URL is excluded by your PAC rules.

When you have problems, follow the steps below to diagnose:

1. Check whether the problem is caused by the client or the server.
   Replace your server with a public server and check again; replace your client with another one, such as a mobile client or another client version.
2. Check the client logs to see if the client received requests from your browser. If the client did not receive any requests, check the proxy settings and the local firewall.
3. Check the server logs to see if the server received requests from your client. If the server did not receive any requests, check the server firewall and use `tcping` to check the server port.
4. If the server received requests but your browser got no responses, check the DNS on your server. Change it to `8.8.8.8`, restart your server and test again.
5. If the server is slow, change your server port to a common port like `80` `25` `443` `995` `3389`.
6. If you see `Permission Denied` when the server starts, use `iptables` to redirect a port below 1024 to a port above 1024: `iptables -t nat -A PREROUTING -p tcp --dport 995 -j REDIRECT --to-ports 8387`
7. If you have connection problems only with a specific website, open the developer console and check which request blocks the loading process. Check its URL and hostname, and use `ping` and `curl` to check connectivity from your server to that URL and hostname. Also check if this URL is bypassed by your PAC.

--------------------------------------------------------------------------------
/Using-Shadowsocks-with-Command-Line-Tools.md:
--------------------------------------------------------------------------------
First, set up shadowsocks as usual. Suppose your local client is running on 127.0.0.1:1080.

Install [proxychains][1].

On Debian/Ubuntu:

    apt-get install proxychains

On Mac OS X:

    brew install proxychains-ng

Make a config file at `~/.proxychains/proxychains.conf` with content:

    strict_chain
    proxy_dns
    remote_dns_subnet 224
    tcp_read_time_out 15000
    tcp_connect_time_out 8000
    localnet 127.0.0.0/255.0.0.0
    quiet_mode

    [ProxyList]
    socks5 127.0.0.1 1080


Then run command with proxychains. Examples:

    proxychains4 curl https://www.twitter.com/
    proxychains4 git push origin master

Or just proxify bash:

    proxychains4 bash
    curl https://www.twitter.com/
    git push origin master

[1]: http://proxychains.sourceforge.net/

--------------------------------------------------------------------------------
/Workers.md:
--------------------------------------------------------------------------------
Shadowsocks supports spawning child processes like nginx.

You can use `--workers` to specify how many workers to use.

This argument is only supported on Unix and ssserver.

Currently UDP relay does not work well on multiple workers.

--------------------------------------------------------------------------------
/_Footer.md:
--------------------------------------------------------------------------------
| [Download](https://github.com/shadowsocks/shadowsocks/wiki/Ports-and-Clients) | [Tutorial](https://github.com/shadowsocks/shadowsocks/blob/master/README.md) | [Wiki](https://github.com/clowwindy/shadowsocks/wiki) | [Troubleshooting](https://github.com/shadowsocks/shadowsocks/wiki/Troubleshooting) |
--- | --- | --- | ---

--------------------------------------------------------------------------------
/_Sidebar.md:
--------------------------------------------------------------------------------
- [Download](https://github.com/shadowsocks/shadowsocks/wiki/Ports-and-Clients)
- [Tutorial](https://github.com/shadowsocks/shadowsocks/blob/master/README.md)
- [Wiki](https://github.com/clowwindy/shadowsocks/wiki)
- [Troubleshooting](https://github.com/shadowsocks/shadowsocks/wiki/Troubleshooting)

--------------------------------------------------------------------------------
/优化-Shadowsocks.md:
--------------------------------------------------------------------------------
If you see many `error: too many open files` entries in your log, it is time to tune your system.
This tutorial applies to all Shadowsocks servers (Python version, libev version, and others).

The following applies to Debian 7:

Create the file `/etc/sysctl.d/local.conf` and add the following content:

```
fs.file-max = 51200

net.core.rmem_max = 67108864
net.core.wmem_max = 67108864
net.core.rmem_default = 65536
net.core.wmem_default = 65536
net.core.netdev_max_backlog = 4096
net.core.somaxconn = 4096

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.ip_local_port_range = 10000 65000
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_rmem = 4096 87380
67108864
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_congestion_control = hybla
```

Then run:

`sysctl --system`

Note: **do not enable `net.ipv4.tcp_tw_recycle`!!!** [See this article](http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html).

If you are using [Supervisor](https://github.com/clowwindy/shadowsocks/wiki/Configure-Shadowsocks-with-Supervisor), make sure the file `/etc/default/supervisor` contains the line below. After adding it, restart Supervisor (`service supervisor stop && service supervisor start`).

```
ulimit -n 51200
```

If you start Shadowsocks some other way, make sure `ulimit -n 51200` is in your startup script.

After tuning, a busy Shadowsocks server handling many connections uses about 30MB of memory and 10% of the CPU. Note that at the same time **the Linux kernel uses >100MB of memory** for the buffers of these connections. With the sysctl settings above you are trading memory for speed. If you want to use less memory, reduce rmem and wmem.

![if_eth0-day](https://cloud.githubusercontent.com/assets/1073082/3358558/2a18bc5a-fadf-11e3-96c3-473c42f1a3a3.png)

![fw_conntrack-day](https://cloud.githubusercontent.com/assets/1073082/3358559/2bf8662e-fadf-11e3-8039-3d59bf689fe2.png)

![cpu-day](https://cloud.githubusercontent.com/assets/1073082/3358579/53951d80-fadf-11e3-8e6b-0ceed96950e2.png)

![proc_mem-day](https://cloud.githubusercontent.com/assets/1073082/3358599/87c98c08-fadf-11e3-9fc9-949f4061d2ca.png)

Before & after:

![cc](https://cloud.githubusercontent.com/assets/1073082/3296349/10c34b04-f5d9-11e3-95fc-e38f5299c274.jpg)

--------------------------------------------------------------------------------
/回复模版.md:
--------------------------------------------------------------------------------
Cannot reproduce
----------------

The problem cannot be reproduced, or in other words it works fine for me. There are several possibilities: the problem may only occur in a specific environment or configuration and the information provided is insufficient; or the user's understanding or operation is wrong.

Most problems that cannot be reproduced cannot be solved. Please provide the following information:

1. OS version and software version
2. Unambiguous steps, that is, what you clicked and what you typed
3. Output or logs
4.
   What you observed

If you feel unable to describe it clearly, you can record your screen.

Still cannot reproduce
----------------------

From experience, problems that cannot be reproduced no matter what are caused by the user mistyping or misconfiguring something; only the user can check carefully:

- https://github.com/shadowsocks/shadowsocks/issues/133
- https://github.com/shadowsocks/shadowsocks/issues/146
- https://github.com/shadowsocks/shadowsocks/issues/190
- https://www.v2ex.com/t/160857#reply11
- https://github.com/shadowsocks/shadowsocks-csharp/issues/135

Good feature
------------

This is a very good feature; anyone interested can send a Pull Request.

Ordinary feature
----------------

This is a nice feature; anyone interested can send a Pull Request.

Feature already discussed
-------------------------

If you were linked here, this feature has been discussed before; please search for it yourself.

Google
------

The answer to this question is on the first page of Google results.

Readme
------

This question is covered in the Readme and the Wiki.

--------------------------------------------------------------------------------
/在-Linode-上快速搭建-Shadowsocks.md:
--------------------------------------------------------------------------------
This also applies to every Xen Debian 7 VPS other than Linode. If you have already created a Debian 7.0+ node, run the following commands on it and skip to step 6.
```
apt-get install curl
curl 'https://raw.githubusercontent.com/shadowsocks/stackscript/master/stackscript.sh?v=4' > /tmp/ss.sh && bash /tmp/ss.sh && rm /tmp/ss.sh
```

If you have not created a node:

1. Create a node and select `Deploying using StackScripts` on the deployment screen
    * ![88be8e49-2018-476c-8380-424ee8470561](https://cloud.githubusercontent.com/assets/1073082/3285904/fa5fc7b8-f540-11e3-948e-95a30d2d320b.png)
2. Search for Shadowsocks and click it:
    * ![screen shot 2014-06-16 at 6 24 23 pm](https://cloud.githubusercontent.com/assets/1073082/3285908/0037b6be-f541-11e3-8881-000a8dc38f7c.png)
3. Set the root password and click rebuild
    * ![screen shot 2014-06-16 at 6 25 50 pm](https://cloud.githubusercontent.com/assets/1073082/3285916/0a27667e-f541-11e3-8408-4691c421e550.png)
4. Go to the node page and click boot
    * ![0fdd081e-5288-4dcf-ae52-351e94ed1667](https://cloud.githubusercontent.com/assets/1073082/3285906/fda3820c-f540-11e3-8b1a-73f6cfbfd67f.png)
5. Wait for the VPS to boot
6.
   Log in to the server and check that everything is OK.

```
# supervisorctl status
shadowsocks RUNNING pid 6929, uptime 0:01:25
# supervisorctl tail shadowsocks stderr
2014-06-16 10:28:00 INFO starting server at 0.0.0.0:4762
```

Get the randomly generated password and port number:
```
# cat /etc/shadowsocks.json
{
    "server":"0.0.0.0",
    "server_port":4762,
    "local_port":1080,
    "password":"8d779a1ee2db776db8e20adffaa12d0c",
    "timeout":300,
    "method":"aes-256-cfb"
}
```

If you need to restart the service, run:

    supervisorctl restart shadowsocks

Note: this install script automatically [tunes the system parameters](https://github.com/shadowsocks/shadowsocks/wiki/Optimizing-Shadowsocks). However, the hybla tuning among them only takes effect after [replacing the kernel](https://library.linode.com/custom-instances/pv-grub-howto#sph_debian-7-wheezy).

--------------------------------------------------------------------------------
/用-Supervisor-运行-Shadowsocks.md:
--------------------------------------------------------------------------------
**Note: starting with Shadowsocks 2.6, you can run Shadowsocks in the background directly, without Supervisor.
This saves the memory used by the Supervisor process.**

    ssserver -c /etc/shadowsocks.json -d start
    ssserver -c /etc/shadowsocks.json -d stop

For older versions:

Edit `/etc/shadowsocks.json`


    {
        "server":"0.0.0.0",
        "server_port":7325,
        "local_port":1080,
        "password":"my password",
        "timeout":600,
        "method":"aes-256-cfb"
    }

Remember to change the password and the server port; do not use the defaults.

Run

    apt-get update
    apt-get install python-pip python-m2crypto supervisor
    pip install shadowsocks


Edit `/etc/supervisor/conf.d/shadowsocks.conf`


    [program:shadowsocks]
    command=ssserver -c /etc/shadowsocks.json
    autorestart=true
    user=nobody

If the port is < 1024, change `user=nobody` above to `user=root`.

Append a line to the end of `/etc/default/supervisor`:

    ulimit -n 51200

Run

    service supervisor start
    supervisorctl reload

If you run into problems, check the log:

    supervisorctl tail -f shadowsocks \
        stderr

If you changed the shadowsocks configuration `/etc/shadowsocks.json`,
restart shadowsocks:

    supervisorctl restart shadowsocks

If you changed the Supervisor configuration files `/etc/supervisor/*`,
update the supervisor configuration:

    supervisorctl update

--------------------------------------------------------------------------------
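An added example, not part of the wiki or of the Shadowsocks project: a Python check for the per-user egress rules in step 8 of Securing-Public-Shadowsocks-Server.md. iptables stops at the first matching rule, so the two ACCEPT rules only take effect if they sit before the catch-all REJECT, and those rules cover TCP only. The rule text, the uid `1001` standing in for `ssuser`, and all function names are constructed for this example.

```python
import shlex

# Flags this audit cares about, mapped to the field they fill in.
FLAGS = {"-p": "proto", "--uid-owner": "uid", "--dport": "dport", "-j": "target"}


def parse_rule(line):
    """Parse one `-A CHAIN ...` rule line; return None for anything else."""
    tok = shlex.split(line)
    if len(tok) < 2 or tok[0] != "-A":
        return None
    rule = {"chain": tok[1], "proto": None, "uid": None, "dport": None,
            "target": None, "negated": "!" in tok}
    i = 2
    while i < len(tok) - 1:
        if tok[i] in FLAGS:
            rule[FLAGS[tok[i]]] = tok[i + 1]
            i += 2
        else:
            i += 1
    return rule


def first_index(rules, pred):
    """Position of the first rule satisfying pred, or None."""
    return next((i for i, r in enumerate(rules) if pred(r)), None)


def is_catch_all(rule, proto):
    """True for a rule that stops every remaining packet of `proto`."""
    return (rule["proto"] in (proto, None) and rule["dport"] is None
            and rule["target"] in ("REJECT", "DROP"))


def audit_egress(rules_text, uid, allowed_ports=("80", "443")):
    """Return a list of findings for the OUTPUT rules that match `uid`."""
    parsed = (parse_rule(line) for line in rules_text.splitlines())
    rules = [r for r in parsed
             if r and r["chain"] == "OUTPUT" and r["uid"] == uid]
    findings = []
    if any(r["negated"] for r in rules):
        findings.append("rule with '!' negation: review by hand")
    stop = first_index(rules, lambda r: is_catch_all(r, "tcp"))
    if stop is None:
        findings.append("tcp: no catch-all REJECT/DROP, other ports stay open")
    for port in allowed_ports:
        idx = first_index(rules, lambda r: r["proto"] == "tcp"
                          and r["dport"] == port and r["target"] == "ACCEPT")
        if idx is None:
            findings.append(f"tcp/{port}: no ACCEPT rule")
        elif stop is not None and idx > stop:
            findings.append(f"tcp/{port}: ACCEPT sits after the catch-all "
                            "and never matches")
    if first_index(rules, lambda r: is_catch_all(r, "udp")) is None:
        findings.append("udp: not restricted by these rules")
    return findings


# Constructed sample in the style of `iptables -S OUTPUT` output.
AS_DOCUMENTED = """\
-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 1001 -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 1001 -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m owner --uid-owner 1001 -j REJECT --reject-with tcp-reset
"""

# Constructed: the REJECT was added first, so port 80 is cut off as well.
WRONG_ORDER = """\
-A OUTPUT -p tcp -m owner --uid-owner 1001 -j REJECT --reject-with tcp-reset
-A OUTPUT -p tcp -m owner --uid-owner 1001 -m tcp --dport 80 -j ACCEPT
"""

if __name__ == "__main__":
    for name, text in (("as documented", AS_DOCUMENTED),
                       ("wrong order", WRONG_ORDER)):
        print(name)
        for finding in audit_egress(text, "1001"):
            print("  -", finding)
```

To use it on a server, pass the text printed by `iptables -S OUTPUT` and the uid that text shows for the Shadowsocks user.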