https://github.com/ssrlive/reality-rs

AnyReality: A REALITY-wrapped AnyTLS proxy implementation in Rust
https://github.com/ssrlive/reality-rs

anyreality anytls client gfw proxy reality server vpn

Last synced: 26 days ago
JSON representation

AnyReality: A REALITY-wrapped AnyTLS proxy implementation in Rust

• Host: GitHub
• URL: https://github.com/ssrlive/reality-rs
• Owner: ssrlive
• License: other
• Created: 2026-04-22T17:13:46.000Z (2 months ago)
• Default Branch: main
• Last Pushed: 2026-05-14T17:37:17.000Z (about 1 month ago)
• Last Synced: 2026-05-14T19:11:41.536Z (about 1 month ago)
• Topics: anyreality, anytls, client, gfw, proxy, reality, server, vpn
• Language: Rust
• Homepage:
• Size: 15.7 MB
• Stars: 0
• Watchers: 0
• Forks: 0
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • Changelog: CHANGELOG.md
  • Contributing: CONTRIBUTING.md
  • Funding: .github/FUNDING.yml
  • License: LICENSE
  • Code of conduct: CODE_OF_CONDUCT.md
  • Audit: audit/TLS-01-report.pdf
  • Security: SECURITY.md
  • Roadmap: ROADMAP.md

Awesome Lists containing this project

README

          
## About anyreality

This repository contains a fork of `rustls` for a REALITY-wrapped AnyTLS proxy implementation.

Key user-facing binaries live in `anyreality/`:

- `anyreality-client`: a SOCKS5 client that tunnels traffic over REALITY+TLS

  and the AnyTLS session protocol.

- `anyreality-server`: the corresponding server that accepts REALITY+TLS

  connections and forwards streams to upstream targets.

If you only want to run the proxy pair quickly on a Linux system, the

convenience installer is provided at `install/installer.sh` (it generates a

local CA, server cert, REALITY keys, writes configs and attempts to enable a

systemd service).

[中文版安装指南](install.md)

### Quick install

Options:

- Install with the automated script (Linux, run as root):

```sh

sudo bash install/installer.sh install [domain] [port]

```

If you omit `[domain]` the script will prompt and may pick a random common

hostname for certificate generation. `[port]` defaults to `443`.

- Build and run from source (developer flow):

```sh

# build and install the anyreality binaries into your cargo bin

cargo install --path ./anyreality

# run the server with a config file

cargo run -p anyreality --bin anyreality-server -- --config anyreality/config/reality-server.toml

# run the client

cargo run -p anyreality --bin anyreality-client -- --config anyreality/config/reality-client.toml

```

See [anyreality/README.md](anyreality/README.md) for additional runtime and smoke-test instructions.

---



  





Rustls is a modern TLS library written in Rust.



# Status

Rustls is used in production at many organizations and projects. We aim to maintain

reasonable API surface stability but the API may evolve as we make changes to accommodate

new features or performance improvements.

We have a [roadmap](ROADMAP.md) for our future plans. We also have [benchmarks](BENCHMARKING.md) to

prevent performance regressions and to let you evaluate rustls on your target hardware.

If you'd like to help out, please see [CONTRIBUTING.md](CONTRIBUTING.md).

[![Build Status](https://github.com/rustls/rustls/actions/workflows/build.yml/badge.svg?branch=main)](https://github.com/rustls/rustls/actions/workflows/build.yml?query=branch%3Amain)

[![Coverage Status (codecov.io)](https://codecov.io/gh/rustls/rustls/branch/main/graph/badge.svg)](https://codecov.io/gh/rustls/rustls/)

[![Documentation](https://docs.rs/rustls/badge.svg)](https://docs.rs/rustls/)

[![Chat](https://img.shields.io/discord/976380008299917365?logo=discord)](https://discord.gg/MCSB76RU96)

[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/9034/badge)](https://www.bestpractices.dev/projects/9034)

The maintainers pronounce "rustls" as rustles (rather than rust-TLS), but we don't feel strongly

about it.

## Changelog

The detailed list of changes in each release can be found at

https://github.com/rustls/rustls/releases.

# Documentation

https://docs.rs/rustls/

# Approach

Rustls is a TLS library that aims to provide a good level of cryptographic security,

requires no configuration to achieve that security, and provides no unsafe features or

obsolete cryptography by default.

Rustls implements TLS1.2 and TLS1.3 for both clients and servers. See [the full

list of protocol features](https://docs.rs/rustls/latest/rustls/manual/_04_features/index.html).

### Platform support

While Rustls itself is platform independent, it requires the use of cryptography primitives

for implementing the cryptography algorithms used in TLS. In Rustls, a

[`crypto::CryptoProvider`] represents a collection of crypto primitive implementations.

By providing a custom instance of the [`crypto::CryptoProvider`] struct, you

can replace all cryptography dependencies of rustls.  This is a route to being portable

to a wider set of architectures and environments, or compliance requirements.  See the

[`crypto::CryptoProvider`] documentation for more details.

[`crypto::CryptoProvider`]: https://docs.rs/rustls/latest/rustls/crypto/struct.CryptoProvider.html

### Cryptography providers

Since Rustls 0.22 it has been possible to choose the provider of the cryptographic primitives

that Rustls uses. This may be appealing if you have specific platform, compliance or feature

requirements.

From 0.24, users must explicitly provide a crypto provider when constructing `ClientConfig` or

`ServerConfig` instances. See the [`crypto::CryptoProvider`] documentation for more details.

#### First-party providers

The Rustls project currently maintains two cryptography providers:

* [`rustls-aws-lc-rs`] - a provider that uses the [`aws-lc-rs`] crate for cryptography.

While this provider can be harder to build on [some platforms][aws-lc-rs-platforms-faq], it provides excellent

performance and a complete feature set (including post-quantum algorithms).

* [`rustls-ring`] - a provider that uses the [`ring`] crate for cryptography. This

provider is easier to build on a variety of platforms, but has a more limited feature set

(for example, it does not support post-quantum algorithms).

The Rustls team recommends using the [`rustls-aws-lc-rs`] crate for its complete feature set

and performance. See [the aws-lc-rs FAQ][aws-lc-rs-platforms-faq] for more details of the

platform/architecture support constraints in aws-lc-rs.

See the documentation for [`crypto::CryptoProvider`] for details on how providers are

selected.

(For rustls versions prior to 0.24, both of these providers were shipped as part of the rustls

crate, and Cargo features were used to select the preferred provider. The `aws-lc-rs` feature

was enabled by default.)

[`rustls-aws-lc-rs`]: https://crates.io/crates/rustls-aws-lc-rs

[`aws-lc-rs`]: https://crates.io/crates/aws-lc-rs

[aws-lc-rs-platforms-faq]: https://aws.github.io/aws-lc-rs/faq.html#can-i-run-aws-lc-rs-on-x-platform-or-architecture

[`rustls-ring`]: https://crates.io/crates/rustls-ring

[`ring`]: https://crates.io/crates/ring

#### Third-party providers

The community has also started developing third-party providers for Rustls:

* [`boring-rustls-provider`] - a work-in-progress provider that uses [`boringssl`] for

cryptography.

* [`rustls-ccm`] - adds AES-CCM cipher suites (TLS 1.2 and 1.3) using [`RustCrypto`], for IoT/constrained-device protocols (IEEE 2030.5, Matter, RFC 7925).

* [`rustls-graviola`] - a provider that uses [`graviola`] for cryptography.

* [`rustls-mbedtls-provider`] - a provider that uses [`mbedtls`] for cryptography.

* [`rustls-openssl`] - a provider that uses [OpenSSL] for cryptography.

* [`rustls-rustcrypto`] - an experimental provider that uses the crypto primitives

from [`RustCrypto`] for cryptography.

* [`rustls-symcrypt`] - a provider that uses Microsoft's [SymCrypt] library.

* [`rustls-wolfcrypt-provider`] - a work-in-progress provider that uses [`wolfCrypt`] for cryptography.

[`rustls-ccm`]: https://github.com/jsulmont/rustls-ccm

[`rustls-graviola`]: https://crates.io/crates/rustls-graviola

[`graviola`]: https://github.com/ctz/graviola

[`rustls-mbedtls-provider`]: https://github.com/fortanix/rustls-mbedtls-provider

[`mbedtls`]: https://github.com/Mbed-TLS/mbedtls

[`rustls-openssl`]: https://github.com/tofay/rustls-openssl

[OpenSSL]: https://openssl-library.org/

[`rustls-symcrypt`]: https://github.com/microsoft/rustls-symcrypt

[SymCrypt]: https://github.com/microsoft/SymCrypt

[`boring-rustls-provider`]: https://github.com/janrueth/boring-rustls-provider

[`boringssl`]: https://github.com/google/boringssl

[`rustls-rustcrypto`]: https://github.com/RustCrypto/rustls-rustcrypto

[`RustCrypto`]: https://github.com/RustCrypto

[`rustls-wolfcrypt-provider`]: https://github.com/wolfSSL/rustls-wolfcrypt-provider

[`wolfCrypt`]: https://www.wolfssl.com/products/wolfcrypt

See the [Making a custom CryptoProvider] section of the documentation for more information

on this topic.

[Making a custom CryptoProvider]: https://docs.rs/rustls/latest/rustls/crypto/struct.CryptoProvider.html#making-a-custom-cryptoprovider

# Example code

Our [examples] directory contains demos that show how to handle I/O using the

[`stream::Stream`] helper, as well as more complex asynchronous I/O using [`mio`].

If you're already using Tokio for an async runtime you may prefer to use

[`tokio-rustls`] instead of interacting with rustls directly.

The [`mio`] based examples are the most complete, and discussed below. Users

new to Rustls may prefer to look at the simple client/server examples before

diving in to the more complex MIO examples.

[examples]: examples/

[`stream::Stream`]: https://docs.rs/rustls/latest/rustls/struct.Stream.html

[`mio`]: https://docs.rs/mio/latest/mio/

[`tokio-rustls`]: https://docs.rs/tokio-rustls/latest/tokio_rustls/

## Client example program

The MIO client example program is named `tlsclient-mio`.

Some sample runs:

```

$ cargo run --bin tlsclient-mio -- --http mozilla-modern.badssl.com

HTTP/1.1 200 OK

Server: nginx/1.6.2 (Ubuntu)

Date: Wed, 01 Jun 2016 18:44:00 GMT

Content-Type: text/html

Content-Length: 644

(...)

```

or

```

$ cargo run --bin tlsclient-mio -- --http expired.badssl.com

TLS error: InvalidCertificate(Expired)

Connection closed

```

Run `cargo run --bin tlsclient-mio -- --help` for more options.

## Server example program

The MIO server example program is named `tlsserver-mio`.

Here's a sample run; we start a TLS echo server, then connect to it with

`openssl` and `tlsclient-mio`:

```

$ cargo run --bin tlsserver-mio -- --certs test-ca/rsa-2048/end.fullchain --key test-ca/rsa-2048/end.key -p 8443 echo &

$ echo hello world | openssl s_client -ign_eof -quiet -connect localhost:8443

depth=2 CN = ponytown RSA CA

verify error:num=19:self signed certificate in certificate chain

hello world

^C

$ echo hello world | cargo run --bin tlsclient-mio -- --cafile test-ca/rsa-2048/ca.cert --port 8443 localhost

hello world

^C

```

Run `cargo run --bin tlsserver-mio -- --help` for more options.

# License

Rustls is distributed under the following three licenses:

- Apache License version 2.0.

- MIT license.

- ISC license.

These are included as LICENSE-APACHE, LICENSE-MIT and LICENSE-ISC

respectively.  You may use this software under the terms of any

of these licenses, at your option.

# Project Membership

- Joe Birr-Pixton ([@ctz], Project Founder - full-time funded by [Prossimo])

- Dirkjan Ochtman ([@djc], Co-maintainer)

- Daniel McCarney ([@cpu], Co-maintainer)

- Josh Aas ([@bdaehlie], Project Management)

[@ctz]: https://github.com/ctz

[@djc]: https://github.com/djc

[@cpu]: https://github.com/cpu

[@bdaehlie]: https://github.com/bdaehlie

[Prossimo]: https://www.memorysafety.org/initiative/rustls/

# Code of conduct

This project adopts the [Rust Code of Conduct](https://www.rust-lang.org/policies/code-of-conduct).

Please email rustls-mod@googlegroups.com to report any instance of misconduct, or if you

have any comments or questions on the Code of Conduct.