{"id":24623194,"url":"https://github.com/localzet/shadowsocks-rust","last_synced_at":"2025-10-06T16:30:50.050Z","repository":{"id":264512431,"uuid":"825468004","full_name":"localzet/Shadowsocks-Rust","owner":"localzet","description":"Shadowsocks-Rust is a Rust implementation of the Shadowsocks protocol, designed to provide secure and efficient proxy services. It offers robust encryption and is ideal for bypassing internet censorship and ensuring privacy.","archived":true,"fork":false,"pushed_at":"2024-11-25T21:47:54.000Z","size":648,"stargazers_count":2,"open_issues_count":13,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-17T16:48:37.614Z","etag":null,"topics":["rust","shadowsocks"],"latest_commit_sha":null,"homepage":"https://localzet.github.io/Shadowsocks-Rust/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/localzet.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-07T21:24:19.000Z","updated_at":"2025-07-10T07:20:28.000Z","dependencies_parsed_at":"2024-11-24T20:11:41.158Z","dependency_job_id":"e210e543-4a1e-4558-8c76-2e5ce489fada","html_url":"https://github.com/localzet/Shadowsocks-Rust","commit_stats":null,"previous_names":["localzet-dev/shadowsocks-rust","localzet/shadowsocks-rust"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/localzet/Shadowsocks-Rust","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/localzet%2FShadowsocks-Rust","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/localzet%2FShadowsocks-Rust/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/localzet%2FShadowsocks-Rust/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/localzet%2FShadowsocks-Rust/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/localzet","download_url":"https://codeload.github.com/localzet/Shadowsocks-Rust/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/localzet%2FShadowsocks-Rust/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278643346,"owners_count":26021088,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-06T02:00:05.630Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["rust","shadowsocks"],"created_at":"2025-01-25T03:55:51.551Z","updated_at":"2025-10-06T16:30:48.538Z","avatar_url":"https://github.com/localzet.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\u003ca href=\"https://www.localzet.com\" target=\"_blank\"\u003e\n \u003cimg src=\"https://cdn.localzet.com/assets/media/logos/ZorinProjectsSP.svg\" width=\"400\"\u003e\n\u003c/a\u003e\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n \u003ca href=\"https://github.com/localzet/shadowsocks-rust\"\u003e\n \u003cimg src=\"https://img.shields.io/github/commit-activity/t/localzet/shadowsocks-rust?label=%D0%9A%D0%BE%D0%BC%D0%BC%D0%B8%D1%82%D1%8B\" alt=\"Коммиты\"\u003e\n \u003c/a\u003e\n \u003ca href=\"https://github.com/localzet/shadowsocks-rust/releases\"\u003e\n \u003cimg src=\"https://img.shields.io/github/downloads/localzet/shadowsocks-rust/total.svg\" alt=\"Релизы\"\u003e\n \u003c/a\u003e\n \u003ca href=\"https://github.com/localzet/shadowsocks-rust/search?l=rust\"\u003e\n \u003cimg src=\"https://img.shields.io/github/languages/top/localzet/shadowsocks-rust.svg\" alt=\"Язык\"\u003e\n \u003c/a\u003e\n \u003ca href=\"https://www.gnu.org/licenses/agpl-3.0\"\u003e\n \u003cimg src=\"https://img.shields.io/github/license/localzet/shadowsocks-rust?label=%D0%9B%D0%B8%D1%86%D0%B5%D0%BD%D0%B7%D0%B8%D1%8F\" alt=\"Лицензия\"\u003e\n \u003c/a\u003e\n\u003c/p\u003e\n\n# shadowsocks\n\n[![Build \u0026 Test](https://github.com/localzet/shadowsocks-rust/actions/workflows/build-and-test.yml/badge.svg)](https://github.com/localzet/shadowsocks-rust/actions/workflows/build-and-test.yml)\n[![Build MSRV](https://github.com/localzet/shadowsocks-rust/actions/workflows/build-msrv.yml/badge.svg)](https://github.com/localzet/shadowsocks-rust/actions/workflows/build-msrv.yml)\n[![Build Releases](https://github.com/localzet/shadowsocks-rust/actions/workflows/build-release.yml/badge.svg?event=push)](https://github.com/localzet/shadowsocks-rust/actions/workflows/build-release.yml)\n[![Build Nightly Releases](https://github.com/localzet/shadowsocks-rust/actions/workflows/build-nightly-release.yml/badge.svg)](https://github.com/localzet/shadowsocks-rust/actions/workflows/build-nightly-release.yml)\n\nshadowsocks is a fast tunnel proxy that helps you bypass firewalls.\n\n## Build \u0026 Install\n\n### Optional Features\n\n- `hickory-dns` - Uses [`hickory-resolver`](https://crates.io/crates/hickory-resolver) as DNS resolver instead of `tokio`'s builtin.\n\n- `local-http` - Allow using HTTP protocol for `sslocal`\n\n - `local-http-native-tls` - Support HTTPS with [`native-tls`](https://crates.io/crates/native-tls)\n\n - `local-http-rustls` - Support HTTPS with [`rustls`](https://crates.io/crates/rustls)\n\n- `local-tunnel` - Allow using tunnel protocol for `sslocal`\n\n- `local-socks4` - Allow using SOCKS4/4a protocol for `sslocal`\n\n- `local-redir` - Allow using redir (transparent proxy) protocol for `sslocal`\n\n- `local-dns` - Allow using dns protocol for `sslocal`, serves as a DNS server proxying queries to local or remote DNS servers by ACL rules\n\n- `local-fake-dns` - FakeDNS, allocating an IP address for each individual Query from a specific IP pool\n\n- `local-tun` - [TUN](https://en.wikipedia.org/wiki/TUN/TAP) interface support for `sslocal`\n\n- `stream-cipher` - Enable deprecated stream ciphers. WARN: stream ciphers are UNSAFE!\n\n- `aead-cipher-extra` - Enable non-standard AEAD ciphers\n\n- `aead-cipher-2022` - Enable AEAD-2022 ciphers ([SIP022](https://github.com/shadowsocks/shadowsocks-org/issues/196))\n\n- `aead-cipher-2022-extra` - Enable AEAD-2022 extra ciphers (non-standard ciphers)\n\n#### Memory Allocators\n\nThis project uses system (libc) memory allocator (Rust's default). But it also allows you to use other famous allocators by features:\n\n- `jemalloc` - Uses [jemalloc](http://jemalloc.net/) as global memory allocator\n- `mimalloc` - Uses [mi-malloc](https://microsoft.github.io/mimalloc/) as global memory allocator\n- `tcmalloc` - Uses [TCMalloc](https://google.github.io/tcmalloc/overview.html) as global memory allocator. It tries to link system-wide tcmalloc by default, use vendored from source with `tcmalloc-vendored`.\n- `snmalloc` - Uses [snmalloc](https://github.com/microsoft/snmalloc) as global memory allocator\n- `rpmalloc` - Uses [rpmalloc](https://github.com/mjansson/rpmalloc) as global memory allocator\n\n### **crates.io**\n\nInstall from [crates.io](https://crates.io/crates/shadowsocks-rust):\n\n```bash\n# Install from crates.io\ncargo install shadowsocks-rust\n```\n\nthen you can find `sslocal` and `ssserver` in `$CARGO_HOME/bin`.\n\n### **Install using Homebrew**\n\nFor macOS and Linux, you can install it using [Homebrew](https://brew.sh/):\n\n```bash\nbrew install shadowsocks-rust\n```\n\n### **Install using snap**\n\n```bash\n# Install from snapstore\nsnap install shadowsocks-rust\n\n# List services\nsnap services shadowsocks-rust\n\n# Enable and start shadowsocks-rust.sslocal-daemon snap service\nsnap start --enable shadowsocks-rust.sslocal-daemon\n\n# Show generated systemd service status\nsystemctl status snap.shadowsocks-rust.sslocal-daemon.service\n\n# Override generated systemd service (configure startup options)\nsystemctl edit snap.shadowsocks-rust.sslocal-daemon.service\n\n## NOTE: you can pass args to sslocal:\n## [Service]\n## ExecStart=\n## ExecStart=/usr/bin/snap run shadowsocks-rust.sslocal-daemon -b \"127.0.0.1:1080\" --server-url \"ss://....\"\n\n# Restart generated systemd service to apply changes\nsystemctl restart snap.shadowsocks-rust.sslocal-daemon.service\n\n# ... and show service status\nsystemctl status snap.shadowsocks-rust.sslocal-daemon.service\n```\n\n### **Download release**\n\nDownload static-linked build [here](https://github.com/localzet/shadowsocks-rust/releases).\n\n- `build-windows`: Build for `x86_64-pc-windows-msvc`\n- `build-linux`: Build for `x86_64-unknown-linux-gnu`, Debian 9 (Stretch), GLIBC 2.18\n- `build-docker`: Build for `x86_64-unknown-linux-musl`, `x86_64-pc-windows-gnu`, ... (statically linked)\n\n### **Docker**\n\nThis project provided Docker images for the `linux/i386` and `linux/amd64` and `linux/arm64/v8` architectures.\n\n\u003e :warning: **Docker containers do not have access to IPv6 by default**: Make sure to disable IPv6 Route in the client or [enable IPv6 access to docker containers](https://docs.docker.com/config/daemon/ipv6/#use-ipv6-for-the-default-bridge-network).\n\n#### Build on the local machine(Optional)\n\nIf you want to build the Docker image yourself, you need to use the [BuildX](https://docs.docker.com/buildx/working-with-buildx/).\n\n```bash\ndocker buildx build -t shadowsocks/ssserver-rust:latest -t shadowsocks/ssserver-rust:v1.15.2 --target ssserver .\ndocker buildx build -t shadowsocks/sslocal-rust:latest -t shadowsocks/sslocal-rust:v1.15.2 --target sslocal .\n```\n\n#### Run the container\n\nYou need to mount the configuration file into the container and create an external port map for the container to connect to it.\n\n```bash\ndocker run --name sslocal-rust \\\n --restart always \\\n -p 1080:1080/tcp \\\n -v /path/to/config.json:/etc/shadowsocks-rust/config.json \\\n -dit ghcr.io/shadowsocks/sslocal-rust:latest\n\ndocker run --name ssserver-rust \\\n --restart always \\\n -p 8388:8388/tcp \\\n -p 8388:8388/udp \\\n -v /path/to/config.json:/etc/shadowsocks-rust/config.json \\\n -dit ghcr.io/shadowsocks/ssserver-rust:latest\n```\n\n### **Deploy to Kubernetes**\n\nThis project provided yaml manifests for deploying to Kubernetes.\n\nYou can leverage k8s Service to expose traffic outside, like LoadBalancer or NodePort which gains more fine-grained compared with fixed host or port.\n\nFor a more interesting use case, you can use a Ingress(Istio, nginx, etc.) which routes the matched traffic to shadowsocks along with the real web service.\n\n#### Using `kubectl`\n\n`kubectl apply -f https://github.com/localzet/shadowsocks-rust/raw/master/k8s/shadowsocks-rust.yaml`\n\nYou can change the config via editing the ConfigMap named `shadowsocks-rust`.\n\nFor more fine-grained control, use `helm`.\n\n#### Использование `helm`\n\n`helm install my-release k8s/chart -f my-values.yaml`\n\nНиже приведены общие значения по умолчанию, которые вы можете изменить.:\n\n```yaml\n# Это конфигурация Shadowsocks, которая будет смонтирована в /etc/shadowocks-rust.\n# Сюда можно поместить произвольный yaml, и перед монтированием он будет переведен в json..\nservers:\n- server: \"::\"\n server_port: 8388\n service_port: 80 # the k8s service port, default to server_port\n password: mypassword\n method: aes-256-gcm\n fast_open: true\n mode: tcp_and_udp\n # plugin: v2ray-plugin\n # plugin_opts: server;tls;host=github.com\n\n# Стоит ли загружать плагин v2ray и xray.\ndownloadPlugins: false\n\n# Имя ConfigMap с конфигурацией config.json для shadowsocks-rust.\nconfigMapName: \"\"\n\nservice:\n # Перейдите на LoadBalancer, если вы пользуетесь услугами облачного провайдера, такого как aws, gce или tke.\n type: ClusterIP\n\n# Привяжите порт ShadowSocks к хосту, т. е. мы можем использовать хост:порт для доступа к серверу Shawdowsocks..\nhostPort: false\n\nreplicaCount: 1\n\nimage:\n repository: ghcr.io/shadowsocks/ssserver-rust\n pullPolicy: IfNotPresent\n # Overrides the image tag whose default is the chart appVersion.\n tag: \"latest\"\n```\n\n### **Build from source**\n\nUse cargo to build. NOTE: **RAM \u003e= 2GiB**\n\n```bash\ncargo build --release\n```\n\nThen `sslocal` and `ssserver` will appear in `./target/(debug|release)/`, it works similarly as the two binaries in the official ShadowSocks' implementation.\n\n```bash\nmake install TARGET=release\n```\n\nThen `sslocal`, `ssserver`, `ssmanager` and `ssurl` will be installed to `/usr/local/bin` (variable PREFIX).\n\nFor Windows users, if you have encountered any problem in building, check and discuss in [#102](https://github.com/shadowsocks/shadowsocks-rust/issues/102).\n\n### **target-cpu optimization**\n\nIf you are building for your current CPU platform (for example, build and run on your personal computer), it is recommended to set `target-cpu=native` feature to let `rustc` generate and optimize code for the CPU running the compiler.\n\n```bash\nexport RUSTFLAGS=\"-C target-cpu=native\"\n```\n\n### **Build standalone binaries**\n\nRequirements:\n\n- Docker\n\n```bash\n./build/build-release\n```\n\nThen `sslocal`, `ssserver`, `ssmanager` and `ssurl` will be packaged in\n\n- `./build/shadowsocks-${VERSION}-stable.x86_64-unknown-linux-musl.tar.xz`\n- `./build/shadowsocks-${VERSION}-stable.x86_64-pc-windows-gnu.zip`\n\nRead `Cargo.toml` for more details.\n\n## Getting Started\n\nGenerate a safe and secured password for a specific encryption method (`aes-128-gcm` in the example) with:\n\n```bash\nssservice genkey -m \"aes-128-gcm\"\n```\n\nCreate a ShadowSocks' configuration file. Example\n\n```jsonc\n{\n \"server\": \"my_server_ip\",\n \"server_port\": 8388,\n \"password\": \"rwQc8qPXVsRpGx3uW+Y3Lj4Y42yF9Bs0xg1pmx8/+bo=\",\n \"method\": \"aes-256-gcm\",\n // ONLY FOR `sslocal`\n // Delete these lines if you are running `ssserver` or `ssmanager`\n \"local_address\": \"127.0.0.1\",\n \"local_port\": 1080\n}\n```\n\n\nIn shadowsocks-rust, we also have an extended configuration file format, which is able to define more than one server. You can also disable individual servers.\n\n```jsonc\n{\n \"servers\": [\n {\n \"server\": \"127.0.0.1\",\n \"server_port\": 8388,\n \"password\": \"rwQc8qPXVsRpGx3uW+Y3Lj4Y42yF9Bs0xg1pmx8/+bo=\",\n \"method\": \"aes-256-gcm\",\n \"timeout\": 7200\n },\n {\n \"server\": \"127.0.0.1\",\n \"server_port\": 8389,\n \"password\": \"/dliNXn5V4jg6vBW4MnC1I8Jljg9x7vSihmk6UZpRBM=\",\n \"method\": \"chacha20-ietf-poly1305\"\n },\n {\n \"disabled\": true,\n \"server\": \"eg.disable.me\",\n \"server_port\": 8390,\n \"password\": \"mGvbWWay8ueP9IHnV5F1uWGN2BRToiVCAWJmWOTLU24=\",\n \"method\": \"chacha20-ietf-poly1305\"\n }\n ],\n // ONLY FOR `sslocal`\n // Delete these lines if you are running `ssserver` or `ssmanager`\n \"local_port\": 1080,\n \"local_address\": \"127.0.0.1\"\n}\n```\n\n`sslocal` automatically selects the best server with the lowest latency and the highest availability.\n\nStart Shadowsocks client and server with:\n\n```bash\nsslocal -c config.json\nssserver -c config.json\n```\n\nIf you Build it with Cargo:\n\n```bash\ncargo run --bin sslocal -- -c config.json\ncargo run --bin ssserver -- -c config.json\n```\n\nList all available arguments with `-h`.\n\n## Usage\n\nStart local client with configuration file\n\n```bash\n# Read local client configuration from file\nsslocal -c /path/to/shadowsocks.json\n```\n\n### Socks5 Local client\n\n```bash\n# Pass all parameters via command line\nsslocal -b \"127.0.0.1:1080\" -s \"[::1]:8388\" -m \"aes-256-gcm\" -k \"hello-kitty\" --plugin \"v2ray-plugin\" --plugin-opts \"server;tls;host=github.com\"\n\n# Pass server with SIP002 URL\nsslocal -b \"127.0.0.1:1080\" --server-url \"ss://YWVzLTI1Ni1nY206cGFzc3dvcmQ@127.0.0.1:8388/?plugin=v2ray-plugin%3Bserver%3Btls%3Bhost%3Dgithub.com\"\n```\n\n### HTTP Local client\n\n```bash\nsslocal -b \"127.0.0.1:3128\" --protocol http -s \"[::1]:8388\" -m \"aes-256-gcm\" -k \"hello-kitty\"\n```\n\nAll parameters are the same as Socks5 client, except `--protocol http`.\n\n### Tunnel Local client\n\n```bash\n# Set 127.0.0.1:8080 as the target for forwarding to\nsslocal --protocol tunnel -b \"127.0.0.1:3128\" -f \"127.0.0.1:8080\" -s \"[::1]:8388\" -m \"aes-256-gcm\" -k \"hello-kitty\"\n```\n\n- `--protocol tunnel` enables local client Tunnel mode\n- `-f \"127.0.0.1:8080` sets the tunnel target address\n\n### Transparent Proxy Local client\n\n**NOTE**: It currently only supports\n\n- Linux (with `iptables` targets `REDIRECT` and `TPROXY`)\n- BSDs (with `pf`), such as OS X 10.10+, FreeBSD, ...\n\n```bash\nsslocal -b \"127.0.0.1:60080\" --protocol redir -s \"[::1]:8388\" -m \"aes-256-gcm\" -k \"hello-kitty\" --tcp-redir \"redirect\" --udp-redir \"tproxy\"\n```\n\nRedirects connections with `iptables` configurations to the port that `sslocal` is listening on.\n\n- `--protocol redir` enables local client Redir mode\n- (optional) `--tcp-redir` sets TCP mode to `REDIRECT` (Linux)\n- (optional) `--udp-redir` sets UDP mode to `TPROXY` (Linux)\n\n### Tun interface client\n\n**NOTE**: It currently only supports\n\n- Linux, Android\n- macOS, iOS\n- Windows\n\n#### Linux\n\nCreate a Tun interface with name `tun0`\n\n```bash\nip tuntap add mode tun tun0\nifconfig tun0 inet 10.255.0.1 netmask 255.255.255.0 up\n```\n\nStart `sslocal` with `--protocol tun` and binds to `tun0`\n\n```bash\nsslocal --protocol tun -s \"[::1]:8388\" -m \"aes-256-gcm\" -k \"hello-kitty\" --outbound-bind-interface lo0 --tun-interface-name tun0\n```\n\n#### macOS\n\n```bash\nsslocal --protocol tun -s \"[::1]:8388\" -m \"aes-256-gcm\" -k \"hello-kitty\" --outbound-bind-interface lo0 --tun-interface-address 10.255.0.1/24\n```\n\nIt will create a Tun interface with address `10.255.0.1` and netmask `255.255.255.0`.\n\n#### Windows\n\nDownload `wintun.dll` from [Wintun](https://www.wintun.net/), and place it in the folder with shadowsocks' runnable binaries, or in the system PATH.\n\n```powershell\nsslocal --protocol tun -s \"[::1]:8388\" -m \"aes-256-gcm\" -k \"hello-kitty\" --outbound-bind-interface \"Ethernet 0\" --tun-interface-name \"shadowsocks\"\n```\n\n### Local client for Windows Service\n\nCompile it by enabling `--features \"winservice\"` (not included in the default build):\n\n```bash\ncargo build --release --bin \"sswinservice\" --features \"winservice\"\n```\n\nInstall it as a Windows Service (PowerShell):\n\n```powershell\nNew-Service -Name \"shadowsocks-local-service\" `\n -DisplayName \"Shadowsocks Local Service\" `\n -BinaryPathName \"\u003cPath\\to\u003e\\sswinservice.exe local -c \u003cPath\\to\u003e\\local_config.json\"\n```\n\nThere are other ways to install `sswinservice` as a Windows Service, for example, the `sc` command.\n\nAs you may have noticed that the `-BinaryPathName` contains not only just the `sswinservice.exe`, but `local -c local_config.json`. These command line parameters will be used as the default parameter when the Windows Service starts. You can also start the service with customized parameters.\n\nLearn more from [Microsoft's Document](https://learn.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications).\n\nThe `sswinservice`'s parameter works exactly the same as `ssservice`. It supports `local`, `server` and `manager` subcommands.\n\n### Server\n\n```bash\n# Read server configuration from file\nssserver -c /path/to/shadowsocks.json\n\n# Pass all parameters via command line\nssserver -s \"[::]:8388\" -m \"aes-256-gcm\" -k \"hello-kitty\" --plugin \"v2ray-plugin\" --plugin-opts \"server;tls;host=github.com\"\n```\n\n### Server Manager\n\nSupported Manage Multiple Users API:\n\n- `add` - Starts a server instance\n- `remove` - Deletes an existing server instance\n- `list` - Lists all current running servers\n- `ping` - Lists all servers' statistic data\n\nNOTE: `stat` command is not supported. Because servers are running in the same process with the manager itself.\n\n```bash\n# Start it just with --manager-address command line parameter\nssmanager --manager-address \"127.0.0.1:6100\"\n\n# For *nix system, manager can bind to unix socket address\nssmanager --manager-address \"/tmp/shadowsocks-manager.sock\"\n\n# You can also provide a configuration file\n#\n# `manager_address` key must be provided in the configuration file\nssmanager -c /path/to/shadowsocks.json\n\n# Create one server by UDP\necho 'add: {\"server_port\":8388,\"password\":\"hello-kitty\"}' | nc -u '127.0.0.1' '6100'\n\n# Close one server by unix socket\necho 'remove: {\"server_port\":8388}' | nc -Uu '/tmp/shadowsocks-manager.sock'\n```\n\nFor manager UI, check more details in the [shadowsocks-manager](https://github.com/localzet/shadowsocks-manager) project.\n\nExample configuration:\n\n```jsonc\n{\n // Required option\n // Address that ssmanager is listening on\n \"manager_address\": \"127.0.0.1\",\n \"manager_port\": 6100,\n\n // Or bind to a Unix Domain Socket\n \"manager_address\": \"/tmp/shadowsocks-manager.sock\",\n\n \"servers\": [\n // These servers will be started automatically when ssmanager is started\n ],\n\n // Outbound socket binds to this IP address\n // For choosing different network interface on the same machine\n \"local_address\": \"xxx.xxx.xxx.xxx\",\n\n // Other options that may be passed directly to new servers\n}\n```\n\n## Configuration\n\n```jsonc\n{\n // LOCAL: Listen address. This is exactly the same as `locals[0]`\n // SERVER: Bind address for remote sockets, mostly used for choosing interface\n // Don't set it if you don't know what's this for.\n \"local_address\": \"127.0.0.1\",\n \"local_port\": 1080,\n\n // Extended multiple local configuration\n \"locals\": [\n {\n // Basic configuration, a SOCKS5 local server\n \"local_address\": \"127.0.0.1\",\n \"local_port\": 1080,\n // OPTIONAL. Setting the `mode` for this specific local server instance.\n // If not set, it will derive from the outer `mode`\n \"mode\": \"tcp_and_udp\",\n // OPTIONAL. Authentication configuration file\n // Configuration file document could be found in the next section.\n \"socks5_auth_config_path\": \"/path/to/auth.json\",\n // OPTIONAL. Instance specific ACL\n \"acl\": \"/path/to/acl/file.acl\",\n // OPTIONAL. macOS launchd activate socket\n \"launchd_tcp_socket_name\": \"TCPListener\",\n \"launchd_udp_socket_name\": \"UDPListener\"\n },\n {\n // SOCKS5, SOCKS4/4a local server\n \"protocol\": \"socks\",\n // Listen address\n \"local_address\": \"127.0.0.1\",\n \"local_port\": 1081,\n // OPTIONAL. Enables UDP relay\n \"mode\": \"tcp_and_udp\",\n // OPTIONAL. Customizing the UDP's binding address. Depending on `mode`, if\n // - TCP is enabled, then SOCKS5's UDP Association command will return this address\n // - UDP is enabled, then SOCKS5's UDP server will listen to this address.\n \"local_udp_address\": \"127.0.0.1\",\n \"local_udp_port\": 2081,\n // OPTIONAL. macOS launchd activate socket\n \"launchd_tcp_socket_name\": \"TCPListener\",\n \"launchd_udp_socket_name\": \"UDPListener\"\n },\n {\n // Tunnel local server (feature = \"local-tunnel\")\n \"protocol\": \"tunnel\",\n // Listen address\n \"local_address\": \"127.0.0.1\",\n \"local_port\": 5353,\n // Forward address, the target of this tunnel\n // In this example, this will build a `127.0.0.1:5353` -\u003e `8.8.8.8:53` tunnel\n \"forward_address\": \"8.8.8.8\",\n \"forward_port\": 53,\n // OPTIONAL. Customizing whether to start TCP and UDP tunnel\n \"mode\": \"tcp_only\",\n // OPTIONAL. macOS launchd activate socket\n \"launchd_tcp_socket_name\": \"TCPListener\",\n \"launchd_udp_socket_name\": \"UDPListener\"\n },\n {\n // HTTP local server (feature = \"local-http\")\n \"protocol\": \"http\",\n // Listen address\n \"local_address\": \"127.0.0.1\",\n \"local_port\": 3128,\n // OPTIONAL. macOS launchd activate socket\n \"launchd_tcp_socket_name\": \"TCPListener\"\n },\n {\n // DNS local server (feature = \"local-dns\")\n // This DNS works like China-DNS, it will send requests to `local_dns` and `remote_dns` and choose by ACL rules\n \"protocol\": \"dns\",\n // Listen address\n \"local_address\": \"127.0.0.1\",\n \"local_port\": 53,\n // OPTIONAL. DNS local server uses `tcp_and_udp` mode by default\n \"mode\": \"udp_only\",\n // Local DNS address, DNS queries will be sent directly to this address\n \"local_dns_address\": \"114.114.114.114\",\n // OPTIONAL. Local DNS's port, 53 by default\n \"local_dns_port\": 53,\n // Remote DNS address, DNS queries will be sent through ssserver to this address\n \"remote_dns_address\": \"8.8.8.8\",\n // OPTIONAL. Remote DNS's port, 53 by default\n \"remote_dns_port\": 53,\n // OPTIONAL. dns client cache size for fetching dns queries.\n \"client_cache_size\": 5,\n // OPTIONAL. macOS launchd activate socket\n \"launchd_tcp_socket_name\": \"TCPListener\",\n \"launchd_udp_socket_name\": \"UDPListener\"\n },\n {\n // Tun local server (feature = \"local-tun\")\n \"protocol\": \"tun\",\n // Tun interface name\n \"tun_interface_name\": \"tun0\",\n // Tun interface address\n //\n // It has to be a host address in CIDR form\n \"tun_interface_address\": \"10.255.0.1/24\"\n },\n {\n // Transparent Proxy (redir) local server (feature = \"local-redir\")\n \"protocol\": \"redir\",\n // OPTIONAL: TCP type, may be different between platforms\n // Linux/Android: redirect (default), tproxy\n // FreeBSD/OpenBSD: pf (default), ipfw\n // NetBSD/macOS/Solaris: pf (default), ipfw\n \"tcp_redir\": \"tproxy\",\n // OPTIONAL: UDP type, may be different between platforms\n // Linux/Android: tproxy (default)\n // FreeBSD/OpenBSD: pf (default)\n \"udp_redir\": \"tproxy\"\n },\n {\n // FakeDNS local server (feature = \"local-fake-dns\")\n // FakeDNS is a DNS server that allocates an IPv4 / IPv6 address in a specific pool for each queries.\n // Subsequence requests from the other local interfaces that the target addresses includes those allocated IP addresses,\n // will be substituted back to their original domain name addresses.\n // This feature is useful mostly for transparent proxy, which will allow the proxied domain names to be resolved remotely.\n \"protocol\": \"fake-dns\",\n // Listen address\n \"local_address\": \"127.0.0.1\",\n \"local_port\": 10053,\n // IPv4 address pool (for A records)\n \"fake_dns_ipv4_network\": \"10.255.0.0/16\",\n // IPv6 address pool (for AAAA records)\n \"fake_dns_ipv6_network\": \"fdf2:e786:ab40:9d2f::/64\",\n // Persistent storage for all allocated DNS records\n \"fake_dns_database_path\": \"/var/shadowsocks/fakedns.db\",\n // OPTIONAL: Record expire duration in seconds, 10s by default\n \"fake_dns_record_expire_duration\": 10\n }\n ],\n\n // Server configuration\n // listen on :: for dual stack support, no need add [] around.\n \"server\": \"::\",\n // Change to use your custom port number\n \"server_port\": 8388,\n \"method\": \"aes-256-gcm\",\n \"password\": \"your-password\",\n \"plugin\": \"v2ray-plugin\",\n \"plugin_opts\": \"mode=quic;host=github.com\",\n \"plugin_args\": [\n // Each line is an argument passed to \"plugin\"\n \"--verbose\"\n ],\n \"plugin_mode\": \"tcp_and_udp\", // SIP003u, default is \"tcp_only\"\n // Server: TCP socket timeout in seconds.\n // Client: TCP connection timeout in seconds.\n // Omit this field if you don't have specific needs.\n \"timeout\": 7200,\n\n // Extended multiple server configuration\n // LOCAL: Choosing the best server to connect dynamically\n // SERVER: Creating multiple servers in one process\n \"servers\": [\n {\n // Fields are the same as the single server's configuration\n\n // Individual servers can be disabled\n // \"disabled\": true,\n \"address\": \"0.0.0.0\",\n \"port\": 8389,\n \"method\": \"aes-256-gcm\",\n \"password\": \"your-password\",\n \"plugin\": \"...\",\n \"plugin_opts\": \"...\",\n \"plugin_args\": [],\n \"plugin_mode\": \"...\",\n \"timeout\": 7200,\n\n // Customized weight for local server's balancer\n //\n // Weight must be in [0, 1], default is 1.0.\n // The higher weight, the server may rank higher.\n \"tcp_weight\": 1.0,\n \"udp_weight\": 1.0,\n\n // OPTIONAL. Instance specific ACL\n \"acl\": \"/path/to/acl/file.acl\",\n },\n {\n // Same key as basic format \"server\" and \"server_port\"\n \"server\": \"0.0.0.0\",\n \"server_port\": 8388,\n \"method\": \"chacha20-ietf-poly1305\",\n // Read the actual password from environment variable PASSWORD_FROM_ENV\n \"password\": \"${PASSWORD_FROM_ENV}\"\n },\n {\n // AEAD-2022\n \"server\": \"::\",\n \"server_port\": 8390,\n \"method\": \"2022-blake3-aes-256-gcm\",\n \"password\": \"3SYJ/f8nmVuzKvKglykRQDSgg10e/ADilkdRWrrY9HU=\",\n // For Server (OPTIONAL)\n // Support multiple users with Extensible Identity Header\n // https://github.com/Shadowsocks-NET/shadowsocks-specs/blob/main/2022-2-shadowsocks-2022-extensible-identity-headers.md\n \"users\": [\n {\n \"name\": \"username\",\n // User's password must have the same length as server's password\n \"password\": \"4w0GKJ9U3Ox7CIXGU4A3LDQAqP6qrp/tUi/ilpOR9p4=\"\n }\n ],\n // For Client (OPTIONAL)\n // If EIH enabled, then \"password\" should have the following format: iPSK:iPSK:iPSK:uPSK\n // - iPSK is one of the middle relay servers' PSK, for the last `ssserver`, it must be server's PSK (\"password\")\n // - uPSK is the user's PSK (\"password\")\n // Example:\n // \"password\": \"3SYJ/f8nmVuzKvKglykRQDSgg10e/ADilkdRWrrY9HU=:4w0GKJ9U3Ox7CIXGU4A3LDQAqP6qrp/tUi/ilpOR9p4=\"\n }\n ],\n\n // Global configurations for UDP associations\n \"udp_timeout\": 300, // Timeout for UDP associations (in seconds), 5 minutes by default\n \"udp_max_associations\": 512, // Maximum UDP associations to be kept in one server, unlimited by default\n\n // Options for Manager\n \"manager_address\": \"127.0.0.1\", // Could be a path to UNIX socket, /tmp/shadowsocks-manager.sock\n \"manager_port\": 5300, // Not needed for UNIX socket\n\n // DNS server's address for resolving domain names\n // For *NIX and Windows, it uses system's configuration by default\n //\n // Value could be IP address of DNS server, for example, \"8.8.8.8\".\n // DNS client will automatically request port 53 with both TCP and UDP protocol.\n //\n // - system, uses system provided API (`getaddrinfo` on *NIX)\n //\n // It also allows some pre-defined well-known public DNS servers:\n // - google (TCP, UDP)\n // - cloudflare (TCP, UDP)\n // - cloudflare_tls (TLS), enable by feature \"dns-over-tls\"\n // - cloudflare_https (HTTPS), enable by feature \"dns-over-https\"\n // - quad9 (TCP, UDP)\n // - quad9_tls (TLS), enable by feature \"dns-over-tls\"\n //\n // The field is only effective if feature \"hickory-dns\" is enabled.\n \"dns\": \"google\",\n // Configure `cache_size` for \"hickory-dns\" ResolverOpts. Set to \"0\" to disable DNS cache.\n \"dns_cache_size\": 0,\n\n // Mode, could be one of the\n // - tcp_only\n // - tcp_and_udp\n // - udp_only\n \"mode\": \"tcp_only\",\n\n // TCP_NODELAY\n \"no_delay\": false,\n\n // Enables `SO_KEEPALIVE` and set `TCP_KEEPIDLE`, `TCP_KEEPINTVL` to the specified seconds\n \"keep_alive\": 15,\n\n // Soft and Hard limit of file descriptors on *NIX systems\n \"nofile\": 10240,\n\n // Try to resolve domain name to IPv6 (AAAA) addresses first\n \"ipv6_first\": false,\n // Set IPV6_V6ONLY for all IPv6 listener sockets\n // Only valid for locals and servers listening on `::`\n \"ipv6_only\": false,\n\n // Outbound socket options\n // Linux Only (SO_MARK)\n \"outbound_fwmark\": 255,\n // FreeBSD only (SO_USER_COOKIE)\n \"outbound_user_cookie\": 255,\n // `SO_BINDTODEVICE` (Linux), `IP_BOUND_IF` (BSD), `IP_UNICAST_IF` (Windows) socket option for outbound sockets\n \"outbound_bind_interface\": \"eth1\",\n // Outbound socket bind() to this IP (choose a specific interface)\n \"outbound_bind_addr\": \"11.22.33.44\",\n\n // Balancer customization\n \"balancer\": {\n // MAX Round-Trip-Time (RTT) of servers\n // The timeout seconds of each individual checks\n \"max_server_rtt\": 5,\n // Interval seconds between each check\n \"check_interval\": 10,\n // Interval seconds between each check for the best server\n // Optional. Specify to enable shorter checking interval for the best server only.\n \"check_best_interval\": 5\n },\n\n // SIP008 Online Configuration Delivery\n // https://shadowsocks.org/doc/sip008.html\n \"online_config\": {\n \"config_url\": \"https://path-to-online-sip008-configuration\",\n // Optional. Seconds between each update to config_url. Default to 3600s\n \"update_interval\": 3600\n },\n\n // Service configurations\n // Logger configuration\n \"log\": {\n // Equivalent to `-v` command line option\n \"level\": 1,\n \"format\": {\n // Euiqvalent to `--log-without-time`\n \"without_time\": false,\n },\n // Equivalent to `--log-config`\n // More detail could be found in https://crates.io/crates/log4rs\n \"config_path\": \"/path/to/log4rs/config.yaml\"\n },\n // Runtime configuration\n \"runtime\": {\n // single_thread or multi_thread\n \"mode\": \"multi_thread\",\n // Worker threads that are used in multi-thread runtime\n \"worker_count\": 10\n }\n}\n```\n\n### SOCKS5 Authentication Configuration\n\nThe configuration file is set by `socks5_auth_config_path` in `locals`.\n\n```jsonc\n{\n // Password/Username Authentication (RFC1929)\n \"password\": {\n \"users\": [\n {\n \"user_name\": \"USERNAME in UTF-8\",\n \"password\": \"PASSWORD in UTF-8\"\n }\n ]\n }\n}\n```\n\n### Environment Variables\n\n- `SS_SERVER_PASSWORD`: A default password for servers that created from command line argument (`--server-addr`)\n- `SS_SYSTEM_DNS_RESOLVER_FORCE_BUILTIN`: `\"system\"` DNS resolver force use system's builtin (`getaddrinfo` in *NIX)\n\n## Supported Ciphers\n\n### AEAD 2022 Ciphers\n\n- `2022-blake3-aes-128-gcm`, `2022-blake3-aes-256-gcm`\n- `2022-blake3-chacha20-poly1305`, `2022-blake3-chacha8-poly1305`\n\nThese Ciphers require `\"password\"` to be a Base64 string of key that have **exactly the same length** of Cipher's Key Size. It is recommended to use `ssservice genkey -m \"METHOD_NAME\"` to generate a secured and safe key.\n\n### AEAD Ciphers\n\n- `chacha20-ietf-poly1305`\n- `aes-128-gcm`, `aes-256-gcm`\n\n### Stream Ciphers\n\n- `plain` or `none` (No encryption, only used for debugging or with plugins that ensure transport security)\n\n\u003cdetails\u003e\u003csummary\u003eDeprecated\u003c/summary\u003e\n\u003cp\u003e\n\n- `table`\n- `aes-128-cfb`, `aes-128-cfb1`, `aes-128-cfb8`, `aes-128-cfb128`\n- `aes-192-cfb`, `aes-192-cfb1`, `aes-192-cfb8`, `aes-192-cfb128`\n- `aes-256-cfb`, `aes-256-cfb1`, `aes-256-cfb8`, `aes-256-cfb128`\n- `aes-128-ctr`\n- `aes-192-ctr`\n- `aes-256-ctr`\n- `camellia-128-cfb`, `camellia-128-cfb1`, `camellia-128-cfb8`, `camellia-128-cfb128`\n- `camellia-192-cfb`, `camellia-192-cfb1`, `camellia-192-cfb8`, `camellia-192-cfb128`\n- `camellia-256-cfb`, `camellia-256-cfb1`, `camellia-256-cfb8`, `camellia-256-cfb128`\n- `rc4-md5`\n- `chacha20-ietf`\n\n\u003c/p\u003e\n\u003c/details\u003e\n\n## ACL\n\n`sslocal`, `ssserver`, and `ssmanager` support ACL file with syntax like [shadowsocks-libev](https://github.com/shadowsocks/shadowsocks-libev). Some examples could be found in [here](https://github.com/shadowsocks/shadowsocks-libev/tree/master/acl).\n\n### Available sections\n\n- For local servers (`sslocal`, `ssredir`, ...)\n - Modes:\n - `[bypass_all]` - ACL runs in `BlackList` mode. Bypasses all addresses that didn't match any rules.\n - `[proxy_all]` - ACL runs in `WhiteList` mode. Proxies all addresses that didn't match any rules.\n - Rules:\n - `[bypass_list]` - Rules for connecting directly\n - `[proxy_list]` - Rules for connecting through proxies\n- For remote servers (`ssserver`)\n - Modes:\n - `[reject_all]` - ACL runs in `BlackList` mode. Rejects all clients that didn't match any rules.\n - `[accept_all]` - ACL runs in `WhiteList` mode. Accepts all clients that didn't match any rules.\n - Rules:\n - `[white_list]` - Rules for accepted clients\n - `[black_list]` - Rules for rejected clients\n - `[outbound_block_list]` - Rules for blocking outbound addresses.\n\n### Example\n\n```ini\n# SERVERS\n# For ssserver, accepts requests from all clients by default\n[accept_all]\n\n# Blocks these clients\n[black_list]\n1.2.3.4\n127.0.0.1/8\n\n# Disallow these outbound addresses\n[outbound_block_list]\n127.0.0.1/8\n::1\n# Using regular expression\n^[a-z]{5}\\.baidu\\.com\n# Match exactly\n|baidu.com\n# Match with subdomains\n||google.com\n# An internationalized domain name should be converted to punycode\n# |☃-⌘.com - WRONG\n|xn----dqo34k.com\n# ||джpумлатест.bрфa - WRONG\n||xn--p-8sbkgc5ag7bhce.xn--ba-lmcq\n\n# CLIENTS\n# For sslocal, ..., bypasses all targets by default\n[bypass_all]\n\n# Proxy these addresses\n[proxy_list]\n||google.com\n8.8.8.8\n```\n\n## Useful Tools\n\n1. `ssurl` is for encoding and decoding ShadowSocks URLs (SIP002). Example:\n\n ```plain\n ss://YWVzLTI1Ni1jZmI6cGFzc3dvcmQ@127.0.0.1:8388/?plugin=obfs-local%3Bobfs%3Dhttp%3Bobfs-host%3Dwww.baidu.com\n ```\n\n## Notes\n\nIt supports the following features:\n\n- [x] SOCKS5 CONNECT command\n- [x] SOCKS5 UDP ASSOCIATE command (partial)\n- [x] SOCKS4/4a CONNECT command\n- [x] Various crypto algorithms\n- [x] Load balancing (multiple servers) and server delay checking\n- [x] [SIP004](https://github.com/shadowsocks/shadowsocks-org/issues/30) AEAD ciphers\n- [x] [SIP003](https://github.com/shadowsocks/shadowsocks-org/issues/28) Plugins\n- [x] [SIP003u](https://github.com/shadowsocks/shadowsocks-org/issues/180) Plugin with UDP support\n- [x] [SIP002](https://github.com/shadowsocks/shadowsocks-org/issues/27) Extension ss URLs\n- [x] [SIP022](https://github.com/shadowsocks/shadowsocks-org/issues/196) AEAD 2022 ciphers\n- [x] HTTP Proxy Supports ([RFC 7230](http://tools.ietf.org/html/rfc7230) and [CONNECT](https://tools.ietf.org/html/draft-luotonen-web-proxy-tunneling-01))\n- [x] Defend against replay attacks, [shadowsocks/shadowsocks-org#44](https://github.com/shadowsocks/shadowsocks-org/issues/44)\n- [x] Manager APIs, supporting [Manage Multiple Users](https://github.com/shadowsocks/shadowsocks/wiki/Manage-Multiple-Users)\n- [x] ACL (Access Control List)\n- [x] Support HTTP/HTTPS Proxy protocol\n\n## TODO\n\n- [x] Documentation\n- [x] Extend configuration format\n- [x] Improved logging format (waiting for the new official log crate)\n- [x] Support more ciphers without depending on `libcrypto` (waiting for an acceptable Rust crypto lib implementation)\n- [x] Windows support.\n- [x] Build with stable `rustc` ~~(blocking by `crypto2`)~~.\n- [x] Support HTTP Proxy protocol\n- [x] AEAD ciphers. (proposed in [SIP004](https://github.com/shadowsocks/shadowsocks-org/issues/30), still under discussion)\n- [x] Choose server based on delay #152\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flocalzet%2Fshadowsocks-rust","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flocalzet%2Fshadowsocks-rust","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flocalzet%2Fshadowsocks-rust/lists"}