[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-5497":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":16,"forks30d":16,"starsTrendScore":19,"compositeScore":20,"rankGlobal":10,"rankLanguage":10,"license":21,"archived":22,"fork":22,"defaultBranch":23,"hasWiki":24,"hasPages":22,"topics":25,"createdAt":10,"pushedAt":10,"updatedAt":32,"readmeContent":33,"aiSummary":34,"trendingCount":16,"starSnapshotCount":16,"syncStatus":35,"lastSyncTime":36,"discoverSource":37},5497,"shadowsocks-rust","shadowsocks\u002Fshadowsocks-rust","shadowsocks","A Rust port of shadowsocks","https:\u002F\u002Fshadowsocks.org\u002F",null,"Rust",10694,1430,147,55,0,14,88,7,44.47,"MIT License",false,"master",true,[26,27,28,7,29,30,31],"http-proxy","rust","security","socks4","socks5","transparent-proxy","2026-06-12 02:01:11","# shadowsocks\n\n[![License](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Flicense\u002Fzonyitoo\u002Fshadowsocks-rust.svg)](https:\u002F\u002Fgithub.com\u002Fzonyitoo\u002Fshadowsocks-rust)\n[![Build & Test](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-rust\u002Factions\u002Fworkflows\u002Fbuild-and-test.yml\u002Fbadge.svg)](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-rust\u002Factions\u002Fworkflows\u002Fbuild-and-test.yml)\n[![Build MSRV](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-rust\u002Factions\u002Fworkflows\u002Fbuild-msrv.yml\u002Fbadge.svg)](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-rust\u002Factions\u002Fworkflows\u002Fbuild-msrv.yml)\n[![Build Releases](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-rust\u002Factions\u002Fworkflows\u002Fbuild-release.yml\u002Fbadge.svg?event=push)](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-rust\u002Factions\u002Fworkflows\u002Fbuild-release.yml)\n[![Build Nightly Releases](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-rust\u002Factions\u002Fworkflows\u002Fbuild-nightly-release.yml\u002Fbadge.svg)](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-rust\u002Factions\u002Fworkflows\u002Fbuild-nightly-release.yml)\n[![Gurubase](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FGurubase-Ask%20shadowsocks%20Guru-006BFF)](https:\u002F\u002Fgurubase.io\u002Fg\u002Fshadowsocks)\n\n[![crates.io](https:\u002F\u002Fimg.shields.io\u002Fcrates\u002Fv\u002Fshadowsocks-rust.svg)](https:\u002F\u002Fcrates.io\u002Fcrates\u002Fshadowsocks-rust)\n[![Release](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Frelease\u002Fshadowsocks\u002Fshadowsocks-rust.svg)](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-rust\u002Freleases)\n[![shadowsocks-rust](https:\u002F\u002Fimg.shields.io\u002Farchlinux\u002Fv\u002Fextra\u002Fx86_64\u002Fshadowsocks-rust)](https:\u002F\u002Farchlinux.org\u002Fpackages\u002Fextra\u002Fx86_64\u002Fshadowsocks-rust\u002F)\n[![aur shadowsocks-rust-git](https:\u002F\u002Fimg.shields.io\u002Faur\u002Fversion\u002Fshadowsocks-rust-git)](https:\u002F\u002Faur.archlinux.org\u002Fpackages\u002Fshadowsocks-rust-git)\n[![NixOS](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FNixOS-shadowsocks--rust-blue?logo=nixos)](https:\u002F\u002Fgithub.com\u002FNixOS\u002Fnixpkgs\u002Fblob\u002Fmaster\u002Fpkgs\u002Fby-name\u002Fsh\u002Fshadowsocks-rust\u002Fpackage.nix)\n[![snap shadowsocks-rust](https:\u002F\u002Fsnapcraft.io\u002Fshadowsocks-rust\u002Fbadge.svg)](https:\u002F\u002Fsnapcraft.io\u002Fshadowsocks-rust)\n[![homebrew shadowsocks-rust](https:\u002F\u002Fimg.shields.io\u002Fhomebrew\u002Fv\u002Fshadowsocks-rust)](https:\u002F\u002Fformulae.brew.sh\u002Fformula\u002Fshadowsocks-rust#default)\n[![MacPorts shadowsocks-rust](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fdynamic\u002Fjson?url=https%3A%2F%2Fports.macports.org%2Fapi%2Fv1%2Fports%2Fshadowsocks-rust%2F&query=%24.version&label=macports)](https:\u002F\u002Fports.macports.org\u002Fport\u002Fshadowsocks-rust\u002F)\n\nThis is a port of [shadowsocks](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks).\n\nshadowsocks is a fast tunnel proxy that helps you bypass firewalls.\n\n| Library | Description |\n| ----------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| [**shadowsocks**](https:\u002F\u002Fcrates.io\u002Fcrates\u002Fshadowsocks) | [![crates.io](https:\u002F\u002Fimg.shields.io\u002Fcrates\u002Fv\u002Fshadowsocks.svg)](https:\u002F\u002Fcrates.io\u002Fcrates\u002Fshadowsocks) [![docs.rs](https:\u002F\u002Fimg.shields.io\u002Fdocsrs\u002Fshadowsocks)](https:\u002F\u002Fdocs.rs\u002Fshadowsocks) shadowsocks core protocol |\n| [**shadowsocks-service**](https:\u002F\u002Fcrates.io\u002Fcrates\u002Fshadowsocks-service) | [![crates.io](https:\u002F\u002Fimg.shields.io\u002Fcrates\u002Fv\u002Fshadowsocks-service.svg)](https:\u002F\u002Fcrates.io\u002Fcrates\u002Fshadowsocks-service) [![docs.rs](https:\u002F\u002Fimg.shields.io\u002Fdocsrs\u002Fshadowsocks-service)](https:\u002F\u002Fdocs.rs\u002Fshadowsocks-service) Services for serving shadowsocks |\n| [**shadowsocks-rust**](https:\u002F\u002Fcrates.io\u002Fcrates\u002Fshadowsocks-rust) | [![crates.io](https:\u002F\u002Fimg.shields.io\u002Fcrates\u002Fv\u002Fshadowsocks-rust.svg)](https:\u002F\u002Fcrates.io\u002Fcrates\u002Fshadowsocks-rust) Binaries running common shadowsocks services |\n\nRelated Projects:\n\n- [spyophobia\u002Fshadowsocks-gtk-rs](https:\u002F\u002Fgithub.com\u002Fspyophobia\u002Fshadowsocks-gtk-rs) A GUI on Linux for `sslocal` using GTK, [discussion](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-rust\u002Fissues\u002F664)\n- [honwen\u002Fopenwrt-shadowsocks-rust](https:\u002F\u002Fgithub.com\u002Fhonwen\u002Fopenwrt-shadowsocks-rust) OpenWRT solution for `sslocal`, [discussion](https:\u002F\u002Fgithub.com\u002Fhonwen\u002Fopenwrt-shadowsocks-rust)\n- [cg31\u002Fshadowsocks-windows-gui-rust](https:\u002F\u002Fgithub.com\u002Fcg31\u002Fshadowsocks-windows-gui-rust) Windows GUI client, [discussion](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-rust\u002Fissues\u002F375)\n\n## Build & Install\n\n### Optional Features\n\n- `hickory-dns` - Uses [`hickory-resolver`](https:\u002F\u002Fcrates.io\u002Fcrates\u002Fhickory-resolver) as DNS resolver instead of `tokio`'s builtin.\n\n- `local-http` - Allow using HTTP protocol for `sslocal`\n\n - `local-http-native-tls` - Support HTTPS with [`native-tls`](https:\u002F\u002Fcrates.io\u002Fcrates\u002Fnative-tls)\n\n - `local-http-rustls` - Support HTTPS with [`rustls`](https:\u002F\u002Fcrates.io\u002Fcrates\u002Frustls)\n\n- `local-tunnel` - Allow using tunnel protocol for `sslocal`\n\n- `local-socks4` - Allow using SOCKS4\u002F4a protocol for `sslocal`\n\n- `local-redir` - Allow using redir (transparent proxy) protocol for `sslocal`\n\n- `local-dns` - Allow using dns protocol for `sslocal`, serves as a DNS server proxying queries to local or remote DNS servers by ACL rules\n\n- `local-fake-dns` - FakeDNS, allocating an IP address for each individual Query from a specific IP pool\n\n- `local-tun` - [TUN](https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FTUN\u002FTAP) interface support for `sslocal`\n\n- `local-online-config` - [SIP008](https:\u002F\u002Fshadowsocks.org\u002Fdoc\u002Fsip008.html) Online Configuration Delivery\n\n- `stream-cipher` - Enable deprecated stream ciphers. WARN: stream ciphers are UNSAFE!\n\n- `aead-cipher-extra` - Enable non-standard AEAD ciphers\n\n- `aead-cipher-2022` - Enable AEAD-2022 ciphers ([SIP022](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-org\u002Fissues\u002F196))\n\n- `aead-cipher-2022-extra` - Enable AEAD-2022 extra ciphers (non-standard ciphers)\n\n#### Memory Allocators\n\nThis project uses system (libc) memory allocator (Rust's default). But it also allows you to use other famous allocators by features:\n\n- `jemalloc` - Uses [jemalloc](http:\u002F\u002Fjemalloc.net\u002F) as global memory allocator\n- `mimalloc` - Uses [mi-malloc](https:\u002F\u002Fmicrosoft.github.io\u002Fmimalloc\u002F) as global memory allocator\n- `tcmalloc` - Uses [TCMalloc](https:\u002F\u002Fgoogle.github.io\u002Ftcmalloc\u002Foverview.html) as global memory allocator. It tries to link system-wide tcmalloc by default, use vendored from source with `tcmalloc-vendored`.\n- `snmalloc` - Uses [snmalloc](https:\u002F\u002Fgithub.com\u002Fmicrosoft\u002Fsnmalloc) as global memory allocator\n- `rpmalloc` - Uses [rpmalloc](https:\u002F\u002Fgithub.com\u002Fmjansson\u002Frpmalloc) as global memory allocator\n\n### **crates.io**\n\nInstall from [crates.io](https:\u002F\u002Fcrates.io\u002Fcrates\u002Fshadowsocks-rust):\n\n```bash\n# Install from crates.io\ncargo install shadowsocks-rust\n```\n\nthen you can find `sslocal` and `ssserver` in `$CARGO_HOME\u002Fbin`.\n\n### **Install using Homebrew**\n\nFor macOS and Linux, you can install it using [Homebrew](https:\u002F\u002Fbrew.sh\u002F):\n\n```bash\nbrew install shadowsocks-rust\n```\n\n### **Install using snap**\n\n```bash\n# Install from snapstore\nsnap install shadowsocks-rust\n\n# List services\nsnap services shadowsocks-rust\n\n# Enable and start shadowsocks-rust.sslocal-daemon snap service\nsnap start --enable shadowsocks-rust.sslocal-daemon\n\n# Show generated systemd service status\nsystemctl status snap.shadowsocks-rust.sslocal-daemon.service\n\n# Override generated systemd service (configure startup options)\nsystemctl edit snap.shadowsocks-rust.sslocal-daemon.service\n\n## NOTE: you can pass args to sslocal:\n## [Service]\n## ExecStart=\n## ExecStart=\u002Fusr\u002Fbin\u002Fsnap run shadowsocks-rust.sslocal-daemon -b \"127.0.0.1:1080\" --server-url \"ss:\u002F\u002F....\"\n\n# Restart generated systemd service to apply changes\nsystemctl restart snap.shadowsocks-rust.sslocal-daemon.service\n\n# ... and show service status\nsystemctl status snap.shadowsocks-rust.sslocal-daemon.service\n```\n\nDefault configuration file path probably is `\u002Fvar\u002Fsnap\u002Fshadowsocks-rust\u002Fcommon\u002Fetc\u002Fshadowsocks-rust\u002Fconfig.json`.\n\n### **Download release**\n\nDownload static-linked build [here](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-rust\u002Freleases).\n\n- Most of them are built with [cross](https:\u002F\u002Fgithub.com\u002Fcross-rs\u002Fcross). Build environment details could be found in its README, such as glibc's version.\n- `x86_64-apple-darwin`, `aarch64-apple-darwin` are built in github's `macos-latest` image. Information could be found in [here](https:\u002F\u002Fdocs.github.com\u002Fen\u002Factions\u002Fusing-github-hosted-runners\u002Fusing-github-hosted-runners\u002Fabout-github-hosted-runners).\n- `x86_64-pc-windows-msvc` is built in github's `windows-latest` image. Information could be found in [here](https:\u002F\u002Fdocs.github.com\u002Fen\u002Factions\u002Fusing-github-hosted-runners\u002Fusing-github-hosted-runners\u002Fabout-github-hosted-runners).\n\n### **Docker**\n\nThis project provided Docker images for the `linux\u002Fi386` and `linux\u002Famd64` and `linux\u002Farm64\u002Fv8` architectures.\n\n> :warning: **Docker containers do not have access to IPv6 by default**: Make sure to disable IPv6 Route in the client or [enable IPv6 access to docker containers](https:\u002F\u002Fdocs.docker.com\u002Fconfig\u002Fdaemon\u002Fipv6\u002F#use-ipv6-for-the-default-bridge-network).\n\n#### Pull from GitHub Container Registry\n\nDocker will pull the image of the appropriate architecture from our [GitHub Packages](https:\u002F\u002Fgithub.com\u002Forgs\u002Fshadowsocks\u002Fpackages?repo_name=shadowsocks-rust).\n\n```bash\ndocker pull ghcr.io\u002Fshadowsocks\u002Fsslocal-rust:latest\ndocker pull ghcr.io\u002Fshadowsocks\u002Fssserver-rust:latest\n```\n\n#### Build on the local machine(Optional)\n\nIf you want to build the Docker image yourself, you need to use the [BuildX](https:\u002F\u002Fdocs.docker.com\u002Fbuildx\u002Fworking-with-buildx\u002F).\n\n```bash\ndocker buildx build -t shadowsocks\u002Fssserver-rust:latest -t shadowsocks\u002Fssserver-rust:v1.15.2 --target ssserver .\ndocker buildx build -t shadowsocks\u002Fsslocal-rust:latest -t shadowsocks\u002Fsslocal-rust:v1.15.2 --target sslocal .\n```\n\n#### Run the container\n\nYou need to mount the configuration file into the container and create an external port map for the container to connect to it.\n\n```bash\ndocker run --name sslocal-rust \\\n --restart always \\\n -p 1080:1080\u002Ftcp \\\n -v \u002Fpath\u002Fto\u002Fconfig.json:\u002Fetc\u002Fshadowsocks-rust\u002Fconfig.json \\\n -dit ghcr.io\u002Fshadowsocks\u002Fsslocal-rust:latest\n\ndocker run --name ssserver-rust \\\n --restart always \\\n -p 8388:8388\u002Ftcp \\\n -p 8388:8388\u002Fudp \\\n -v \u002Fpath\u002Fto\u002Fconfig.json:\u002Fetc\u002Fshadowsocks-rust\u002Fconfig.json \\\n -dit ghcr.io\u002Fshadowsocks\u002Fssserver-rust:latest\n```\n\n### **Deploy to Kubernetes**\n\nThis project provided yaml manifests for deploying to Kubernetes.\n\nYou can leverage k8s Service to expose traffic outside, like LoadBalancer or NodePort which gains more fine-grained compared with fixed host or port.\n\nFor a more interesting use case, you can use a Ingress(Istio, nginx, etc.) which routes the matched traffic to shadowsocks along with the real web service.\n\n#### Using `kubectl`\n\n`kubectl apply -f https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-rust\u002Fraw\u002Fmaster\u002Fk8s\u002Fshadowsocks-rust.yaml`\n\nYou can change the config via editing the ConfigMap named `shadowsocks-rust`.\n\nFor more fine-grained control, use `helm`.\n\n#### Using `helm`\n\n`helm install my-release k8s\u002Fchart -f my-values.yaml`\n\nBelow is the common default values you can change:\n\n```yaml\n# This is the shadowsocks config which will be mount to \u002Fetc\u002Fshadowocks-rust.\n# You can put arbitrary yaml here, and it will be translated to json before mounting.\nservers:\n- server: \"::\"\n server_port: 8388\n service_port: 80 # the k8s service port, default to server_port\n password: mypassword\n method: aes-256-gcm\n fast_open: true\n mode: tcp_and_udp\n # plugin: v2ray-plugin\n # plugin_opts: server;tls;host=github.com\n\n# Whether to download v2ray and xray plugin.\ndownloadPlugins: false\n\n# Name of the ConfigMap with config.json configuration for shadowsocks-rust.\nconfigMapName: \"\"\n\nservice:\n # Change to LoadBalancer if you are behind a cloud provider like aws, gce, or tke.\n type: ClusterIP\n\n# Bind shadowsocks port port to host, i.e., we can use host:port to access shawdowsocks server.\nhostPort: false\n\nreplicaCount: 1\n\nimage:\n repository: ghcr.io\u002Fshadowsocks\u002Fssserver-rust\n pullPolicy: IfNotPresent\n # Overrides the image tag whose default is the chart appVersion.\n tag: \"latest\"\n```\n\n### **Build from source**\n\nUse cargo to build. NOTE: **RAM >= 2GiB**\n\n```bash\ncargo build --release\n```\n\nThen `sslocal` and `ssserver` will appear in `.\u002Ftarget\u002F(debug|release)\u002F`, it works similarly as the two binaries in the official ShadowSocks' implementation.\n\n```bash\nmake install TARGET=release\n```\n\nThen `sslocal`, `ssserver`, `ssmanager` and `ssurl` will be installed to `\u002Fusr\u002Flocal\u002Fbin` (variable PREFIX).\n\nFor Windows users, if you have encountered any problem in building, check and discuss in [#102](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-rust\u002Fissues\u002F102).\n\n### **target-cpu optimization**\n\nIf you are building for your current CPU platform (for example, build and run on your personal computer), it is recommended to set `target-cpu=native` feature to let `rustc` generate and optimize code for the CPU running the compiler.\n\n```bash\nexport RUSTFLAGS=\"-C target-cpu=native\"\n```\n\n### **Build standalone binaries**\n\nRequirements:\n\n- Docker\n\n```bash\n.\u002Fbuild\u002Fbuild-release\n```\n\nThen `sslocal`, `ssserver`, `ssmanager`, `ssservice` and `ssurl` will be packaged in\n\n- `.\u002Fbuild\u002Fshadowsocks-${VERSION}-stable.x86_64-unknown-linux-musl.tar.xz`\n- `.\u002Fbuild\u002Fshadowsocks-${VERSION}-stable.x86_64-pc-windows-gnu.zip`\n\nRead `Cargo.toml` for more details.\n\nFor Linux with low GLIBC versions, set `CROSS_CONFIG` to CentOS based image:\n\n```bash\nexport CROSS_CONFIG=Cross-centos.toml\n```\n\n## Getting Started\n\nGenerate a safe and secured password for a specific encryption method (`aes-128-gcm` in the example) with:\n\n```bash\nssservice genkey -m \"aes-128-gcm\"\n```\n\nCreate a ShadowSocks' configuration file. Example\n\n```jsonc\n{\n \"server\": \"my_server_ip\",\n \"server_port\": 8388,\n \"password\": \"rwQc8qPXVsRpGx3uW+Y3Lj4Y42yF9Bs0xg1pmx8\u002F+bo=\",\n \"method\": \"aes-256-gcm\",\n \u002F\u002F ONLY FOR `sslocal`\n \u002F\u002F Delete these lines if you are running `ssserver` or `ssmanager`\n \"local_address\": \"127.0.0.1\",\n \"local_port\": 1080\n}\n```\n\nDetailed explanation of the configuration file could be found in [shadowsocks' documentation](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks\u002Fwiki). (Link to original project, not maintained anymore !)\n\n> :warning: For snap installations, configuration file is most probably located in `\u002Fvar\u002Fsnap\u002Fshadowsocks-rust\u002Fcommon\u002Fetc\u002Fshadowsocks-rust\u002Fconfig.json` (see \u003Chttps:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-rust\u002Fissues\u002F621> \u002F \u003Chttps:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-rust\u002Fissues\u002F1146>)\n\nIn shadowsocks-rust, we also have an extended configuration file format, which is able to define more than one server. You can also disable individual servers.\n\n```jsonc\n{\n \"servers\": [\n {\n \"server\": \"127.0.0.1\",\n \"server_port\": 8388,\n \"password\": \"rwQc8qPXVsRpGx3uW+Y3Lj4Y42yF9Bs0xg1pmx8\u002F+bo=\",\n \"method\": \"aes-256-gcm\",\n \"timeout\": 7200\n },\n {\n \"server\": \"127.0.0.1\",\n \"server_port\": 8389,\n \"password\": \"\u002FdliNXn5V4jg6vBW4MnC1I8Jljg9x7vSihmk6UZpRBM=\",\n \"method\": \"chacha20-ietf-poly1305\"\n },\n {\n \"disabled\": true,\n \"server\": \"eg.disable.me\",\n \"server_port\": 8390,\n \"password\": \"mGvbWWay8ueP9IHnV5F1uWGN2BRToiVCAWJmWOTLU24=\",\n \"method\": \"chacha20-ietf-poly1305\"\n }\n ],\n \u002F\u002F ONLY FOR `sslocal`\n \u002F\u002F Delete these lines if you are running `ssserver` or `ssmanager`\n \"local_port\": 1080,\n \"local_address\": \"127.0.0.1\"\n}\n```\n\n`sslocal` automatically selects the best server with the lowest latency and the highest availability.\n\nStart Shadowsocks client and server with:\n\n```bash\nsslocal -c config.json\nssserver -c config.json\n```\n\nIf you Build it with Cargo:\n\n```bash\ncargo run --bin sslocal -- -c config.json\ncargo run --bin ssserver -- -c config.json\n```\n\nList all available arguments with `-h`.\n\n## Usage\n\nStart local client with configuration file\n\n```bash\n# Read local client configuration from file\nsslocal -c \u002Fpath\u002Fto\u002Fshadowsocks.json\n```\n\n`sslocal` also supports routing its outbound TCP connection to the Shadowsocks server through a proxy or proxy chain with the `outbound_proxy` config key. Supported hop types are `socks5:\u002F\u002F`, `http:\u002F\u002F`, and `https:\u002F\u002F`, with optional `user:pass@` credentials. This option is currently available through the configuration file for `sslocal`; `ssserver` supports both the config file and repeated `--outbound-proxy` command line flags.\n\n```jsonc\n{\n \"server\": \"server.example.com\",\n \"server_port\": 8388,\n \"password\": \"hello-kitty\",\n \"method\": \"aes-256-gcm\",\n \"local_address\": \"127.0.0.1\",\n \"local_port\": 1080,\n \"outbound_proxy\": [\n \"socks5:\u002F\u002Fuser:pass@127.0.0.1:1080\",\n \"https:\u002F\u002Fproxy.example.com:443\",\n \"http:\u002F\u002F127.0.0.1:1081\"\n ]\n}\n```\n\n### Socks5 Local client\n\n```bash\n# Pass all parameters via command line\nsslocal -b \"127.0.0.1:1080\" -s \"[::1]:8388\" -m \"aes-256-gcm\" -k \"hello-kitty\" --plugin \"v2ray-plugin\" --plugin-opts \"server;tls;host=github.com\"\n\n# Pass server with SIP002 URL\nsslocal -b \"127.0.0.1:1080\" --server-url \"ss:\u002F\u002FYWVzLTI1Ni1nY206cGFzc3dvcmQ@127.0.0.1:8388\u002F?plugin=v2ray-plugin%3Bserver%3Btls%3Bhost%3Dgithub.com\"\n```\n\n### HTTP Local client\n\n```bash\nsslocal -b \"127.0.0.1:3128\" --protocol http -s \"[::1]:8388\" -m \"aes-256-gcm\" -k \"hello-kitty\"\n```\n\nAll parameters are the same as Socks5 client, except `--protocol http`.\n\n### Tunnel Local client\n\n```bash\n# Set 127.0.0.1:8080 as the target for forwarding to\nsslocal --protocol tunnel -b \"127.0.0.1:3128\" -f \"127.0.0.1:8080\" -s \"[::1]:8388\" -m \"aes-256-gcm\" -k \"hello-kitty\"\n```\n\n- `--protocol tunnel` enables local client Tunnel mode\n- `-f \"127.0.0.1:8080` sets the tunnel target address\n\n### Transparent Proxy Local client\n\n**NOTE**: It currently only supports\n\n- Linux (with `iptables` targets `REDIRECT` and `TPROXY`)\n- BSDs (with `pf`), such as OS X 10.10+, FreeBSD, ...\n\n```bash\nsslocal -b \"127.0.0.1:60080\" --protocol redir -s \"[::1]:8388\" -m \"aes-256-gcm\" -k \"hello-kitty\" --tcp-redir \"redirect\" --udp-redir \"tproxy\"\n```\n\nRedirects connections with `iptables` configurations to the port that `sslocal` is listening on.\n\n- `--protocol redir` enables local client Redir mode\n- (optional) `--tcp-redir` sets TCP mode to `REDIRECT` (Linux)\n- (optional) `--udp-redir` sets UDP mode to `TPROXY` (Linux)\n\n### Tun interface client\n\n**NOTE**: It currently only supports\n\n- Linux, Android\n- macOS, iOS\n- Windows\n\n#### Linux\n\nCreate a Tun interface with name `tun0`\n\n```bash\nip tuntap add mode tun tun0\nifconfig tun0 inet 10.255.0.1 netmask 255.255.255.0 up\n```\n\nStart `sslocal` with `--protocol tun` and binds to `tun0`\n\n```bash\nsslocal --protocol tun -s \"[::1]:8388\" -m \"aes-256-gcm\" -k \"hello-kitty\" --outbound-bind-interface lo0 --tun-interface-name tun0\n```\n\n#### macOS\n\n```bash\nsslocal --protocol tun -s \"[::1]:8388\" -m \"aes-256-gcm\" -k \"hello-kitty\" --outbound-bind-interface lo0 --tun-interface-address 10.255.0.1\u002F24\n```\n\nIt will create a Tun interface with address `10.255.0.1` and netmask `255.255.255.0`.\n\n#### Windows\n\nDownload `wintun.dll` from [Wintun](https:\u002F\u002Fwww.wintun.net\u002F), and place it in the folder with shadowsocks' runnable binaries, or in the system PATH.\n\n```powershell\nsslocal --protocol tun -s \"[::1]:8388\" -m \"aes-256-gcm\" -k \"hello-kitty\" --outbound-bind-interface \"Ethernet 0\" --tun-interface-name \"shadowsocks\"\n```\n\n### Local client for Windows Service\n\nCompile it by enabling `--features \"winservice\"` (not included in the default build):\n\n```bash\ncargo build --release --bin \"sswinservice\" --features \"winservice\"\n```\n\nInstall it as a Windows Service (PowerShell):\n\n```powershell\nNew-Service -Name \"shadowsocks-local-service\" `\n -DisplayName \"Shadowsocks Local Service\" `\n -BinaryPathName \"\u003CPath\\to>\\sswinservice.exe local -c \u003CPath\\to>\\local_config.json\"\n```\n\nThere are other ways to install `sswinservice` as a Windows Service, for example, the `sc` command.\n\nAs you may have noticed that the `-BinaryPathName` contains not only just the `sswinservice.exe`, but `local -c local_config.json`. These command line parameters will be used as the default parameter when the Windows Service starts. You can also start the service with customized parameters.\n\nLearn more from [Microsoft's Document](https:\u002F\u002Flearn.microsoft.com\u002Fen-us\u002Fdotnet\u002Fframework\u002Fwindows-services\u002Fintroduction-to-windows-service-applications).\n\nThe `sswinservice`'s parameter works exactly the same as `ssservice`. It supports `local`, `server` and `manager` subcommands.\n\n### Server\n\n```bash\n# Read server configuration from file\nssserver -c \u002Fpath\u002Fto\u002Fshadowsocks.json\n\n# Pass all parameters via command line\nssserver -s \"[::]:8388\" -m \"aes-256-gcm\" -k \"hello-kitty\" --plugin \"v2ray-plugin\" --plugin-opts \"server;tls;host=github.com\"\n\n# Route outbound TCP traffic through a proxy chain\nssserver -s \"[::]:8388\" -m \"aes-256-gcm\" -k \"hello-kitty\" \\\n --outbound-proxy socks5:\u002F\u002Fuser:pass@127.0.0.1:1080 \\\n --outbound-proxy https:\u002F\u002Fproxy.example.com:443 \\\n --outbound-proxy http:\u002F\u002F127.0.0.1:1081\n```\n\nRepeat `--outbound-proxy` in hop order. A single occurrence keeps the previous single-hop behavior.\nSupported hop types are `socks5:\u002F\u002F`, `http:\u002F\u002F`, and `https:\u002F\u002F`. The same `outbound_proxy` setting can also be used in configuration files for both `sslocal` and `ssserver`, but UDP traffic is not proxied.\n\n### Server Manager\n\nSupported [Manage Multiple Users](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks\u002Fwiki\u002FManage-Multiple-Users) API:\n\n- `add` - Starts a server instance\n- `remove` - Deletes an existing server instance\n- `list` - Lists all current running servers\n- `ping` - Lists all servers' statistic data\n\nNOTE: `stat` command is not supported. Because servers are running in the same process with the manager itself.\n\n```bash\n# Start it just with --manager-address command line parameter\nssmanager --manager-address \"127.0.0.1:6100\"\n\n# For *nix system, manager can bind to unix socket address\nssmanager --manager-address \"\u002Ftmp\u002Fshadowsocks-manager.sock\"\n\n# You can also provide a configuration file\n#\n# `manager_address` key must be provided in the configuration file\nssmanager -c \u002Fpath\u002Fto\u002Fshadowsocks.json\n\n# Create one server by UDP\necho 'add: {\"server_port\":8388,\"password\":\"hello-kitty\"}' | nc -u '127.0.0.1' '6100'\n\n# Close one server by unix socket\necho 'remove: {\"server_port\":8388}' | nc -Uu '\u002Ftmp\u002Fshadowsocks-manager.sock'\n```\n\nFor manager UI, check more details in the [shadowsocks-manager](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-manager) project.\n\nExample configuration:\n\n```jsonc\n{\n \u002F\u002F Required option\n \u002F\u002F Address that ssmanager is listening on\n \"manager_address\": \"127.0.0.1\",\n \"manager_port\": 6100,\n\n \u002F\u002F Or bind to a Unix Domain Socket\n \"manager_address\": \"\u002Ftmp\u002Fshadowsocks-manager.sock\",\n\n \"servers\": [\n \u002F\u002F These servers will be started automatically when ssmanager is started\n ],\n\n \u002F\u002F Outbound socket binds to this IP address\n \u002F\u002F For choosing different network interface on the same machine\n \"local_address\": \"xxx.xxx.xxx.xxx\",\n\n \u002F\u002F Other options that may be passed directly to new servers\n}\n```\n\n## Configuration\n\n```jsonc\n{\n \u002F\u002F LOCAL: Listen address. This is exactly the same as `locals[0]`\n \u002F\u002F SERVER: Bind address for remote sockets, mostly used for choosing interface\n \u002F\u002F Don't set it if you don't know what's this for.\n \"local_address\": \"127.0.0.1\",\n \"local_port\": 1080,\n\n \u002F\u002F Extended multiple local configuration\n \"locals\": [\n {\n \u002F\u002F Basic configuration, a SOCKS5 local server\n \"local_address\": \"127.0.0.1\",\n \"local_port\": 1080,\n \u002F\u002F OPTIONAL. Setting the `mode` for this specific local server instance.\n \u002F\u002F If not set, it will derive from the outer `mode`\n \"mode\": \"tcp_and_udp\",\n \u002F\u002F OPTIONAL. Authentication configuration file\n \u002F\u002F Configuration file document could be found in the next section.\n \"socks5_auth_config_path\": \"\u002Fpath\u002Fto\u002Fauth.json\",\n \u002F\u002F OPTIONAL. Instance specific ACL\n \"acl\": \"\u002Fpath\u002Fto\u002Facl\u002Ffile.acl\",\n \u002F\u002F OPTIONAL. macOS launchd activate socket\n \"launchd_tcp_socket_name\": \"TCPListener\",\n \"launchd_udp_socket_name\": \"UDPListener\"\n },\n {\n \u002F\u002F SOCKS5, SOCKS4\u002F4a local server\n \"protocol\": \"socks\",\n \u002F\u002F Listen address\n \"local_address\": \"127.0.0.1\",\n \"local_port\": 1081,\n \u002F\u002F OPTIONAL. Enables UDP relay\n \"mode\": \"tcp_and_udp\",\n \u002F\u002F OPTIONAL. Customizing the UDP's binding address. Depending on `mode`, if\n \u002F\u002F - TCP is enabled, then SOCKS5's UDP Association command will return this address\n \u002F\u002F - UDP is enabled, then SOCKS5's UDP server will listen to this address.\n \"local_udp_address\": \"127.0.0.1\",\n \"local_udp_port\": 2081,\n \u002F\u002F OPTIONAL. macOS launchd activate socket\n \"launchd_tcp_socket_name\": \"TCPListener\",\n \"launchd_udp_socket_name\": \"UDPListener\"\n },\n {\n \u002F\u002F Tunnel local server (feature = \"local-tunnel\")\n \"protocol\": \"tunnel\",\n \u002F\u002F Listen address\n \"local_address\": \"127.0.0.1\",\n \"local_port\": 5353,\n \u002F\u002F Forward address, the target of this tunnel\n \u002F\u002F In this example, this will build a `127.0.0.1:5353` -> `8.8.8.8:53` tunnel\n \"forward_address\": \"8.8.8.8\",\n \"forward_port\": 53,\n \u002F\u002F OPTIONAL. Customizing whether to start TCP and UDP tunnel\n \"mode\": \"tcp_only\",\n \u002F\u002F OPTIONAL. macOS launchd activate socket\n \"launchd_tcp_socket_name\": \"TCPListener\",\n \"launchd_udp_socket_name\": \"UDPListener\"\n },\n {\n \u002F\u002F HTTP local server (feature = \"local-http\")\n \"protocol\": \"http\",\n \u002F\u002F Listen address\n \"local_address\": \"127.0.0.1\",\n \"local_port\": 3128,\n \u002F\u002F OPTIONAL. macOS launchd activate socket\n \"launchd_tcp_socket_name\": \"TCPListener\",\n \u002F\u002F OPTIONAL. Authentication configuration file\n \u002F\u002F Configuration file document could be found in the next section.\n \"http_auth_config_path\": \"\u002Fpath\u002Fto\u002Fauth.json\",\n },\n {\n \u002F\u002F DNS local server (feature = \"local-dns\")\n \u002F\u002F This DNS works like China-DNS, it will send requests to `local_dns` and `remote_dns` and choose by ACL rules\n \"protocol\": \"dns\",\n \u002F\u002F Listen address\n \"local_address\": \"127.0.0.1\",\n \"local_port\": 53,\n \u002F\u002F OPTIONAL. DNS local server uses `tcp_and_udp` mode by default\n \"mode\": \"udp_only\",\n \u002F\u002F Local DNS address, DNS queries will be sent directly to this address\n \"local_dns_address\": \"114.114.114.114\",\n \u002F\u002F OPTIONAL. Local DNS's port, 53 by default\n \"local_dns_port\": 53,\n \u002F\u002F Remote DNS address, DNS queries will be sent through ssserver to this address\n \"remote_dns_address\": \"8.8.8.8\",\n \u002F\u002F OPTIONAL. Remote DNS's port, 53 by default\n \"remote_dns_port\": 53,\n \u002F\u002F OPTIONAL. dns client cache size for fetching dns queries.\n \"client_cache_size\": 5,\n \u002F\u002F OPTIONAL. macOS launchd activate socket\n \"launchd_tcp_socket_name\": \"TCPListener\",\n \"launchd_udp_socket_name\": \"UDPListener\"\n },\n {\n \u002F\u002F Tun local server (feature = \"local-tun\")\n \"protocol\": \"tun\",\n \u002F\u002F Tun interface name\n \"tun_interface_name\": \"tun0\",\n \u002F\u002F Tun interface address\n \u002F\u002F\n \u002F\u002F It has to be a host address in CIDR form\n \"tun_interface_address\": \"10.255.0.1\u002F24\"\n },\n {\n \u002F\u002F Transparent Proxy (redir) local server (feature = \"local-redir\")\n \"protocol\": \"redir\",\n \u002F\u002F OPTIONAL: TCP type, may be different between platforms\n \u002F\u002F Linux\u002FAndroid: redirect (default), tproxy\n \u002F\u002F FreeBSD\u002FOpenBSD: pf (default), ipfw\n \u002F\u002F NetBSD\u002FmacOS\u002FSolaris: pf (default), ipfw\n \"tcp_redir\": \"tproxy\",\n \u002F\u002F OPTIONAL: UDP type, may be different between platforms\n \u002F\u002F Linux\u002FAndroid: tproxy (default)\n \u002F\u002F FreeBSD\u002FOpenBSD: pf (default)\n \"udp_redir\": \"tproxy\"\n },\n {\n \u002F\u002F FakeDNS local server (feature = \"local-fake-dns\")\n \u002F\u002F FakeDNS is a DNS server that allocates an IPv4 \u002F IPv6 address in a specific pool for each queries.\n \u002F\u002F Subsequence requests from the other local interfaces that the target addresses includes those allocated IP addresses,\n \u002F\u002F will be substituted back to their original domain name addresses.\n \u002F\u002F This feature is useful mostly for transparent proxy, which will allow the proxied domain names to be resolved remotely.\n \"protocol\": \"fake-dns\",\n \u002F\u002F Listen address\n \"local_address\": \"127.0.0.1\",\n \"local_port\": 10053,\n \u002F\u002F IPv4 address pool (for A records)\n \"fake_dns_ipv4_network\": \"10.255.0.0\u002F16\",\n \u002F\u002F IPv6 address pool (for AAAA records)\n \"fake_dns_ipv6_network\": \"fdf2:e786:ab40:9d2f::\u002F64\",\n \u002F\u002F Persistent storage for all allocated DNS records\n \"fake_dns_database_path\": \"\u002Fvar\u002Fshadowsocks\u002Ffakedns.db\",\n \u002F\u002F OPTIONAL: Record expire duration in seconds, 10s by default\n \"fake_dns_record_expire_duration\": 10\n }\n ],\n\n \u002F\u002F Server configuration\n \u002F\u002F listen on :: for dual stack support, no need add [] around.\n \"server\": \"::\",\n \u002F\u002F Change to use your custom port number\n \"server_port\": 8388,\n \"method\": \"aes-256-gcm\",\n \"password\": \"your-password\",\n \"plugin\": \"v2ray-plugin\",\n \"plugin_opts\": \"mode=quic;host=github.com\",\n \"plugin_args\": [\n \u002F\u002F Each line is an argument passed to \"plugin\"\n \"--verbose\"\n ],\n \"plugin_mode\": \"tcp_and_udp\", \u002F\u002F SIP003u, default is \"tcp_only\"\n \u002F\u002F Server: TCP socket timeout in seconds.\n \u002F\u002F Client: TCP connection timeout in seconds.\n \u002F\u002F Omit this field if you don't have specific needs.\n \"timeout\": 7200,\n\n \u002F\u002F Extended multiple server configuration\n \u002F\u002F LOCAL: Choosing the best server to connect dynamically\n \u002F\u002F SERVER: Creating multiple servers in one process\n \"servers\": [\n {\n \u002F\u002F Fields are the same as the single server's configuration\n\n \u002F\u002F Individual servers can be disabled\n \u002F\u002F \"disabled\": true,\n \"address\": \"0.0.0.0\",\n \"port\": 8389,\n \"method\": \"aes-256-gcm\",\n \"password\": \"your-password\",\n \"plugin\": \"...\",\n \"plugin_opts\": \"...\",\n \"plugin_args\": [],\n \"plugin_mode\": \"...\",\n \"timeout\": 7200,\n\n \u002F\u002F Customized weight for local server's balancer\n \u002F\u002F\n \u002F\u002F Weight must be in [0, 1], default is 1.0.\n \u002F\u002F The higher weight, the server may rank higher.\n \"tcp_weight\": 1.0,\n \"udp_weight\": 1.0,\n\n \u002F\u002F OPTIONAL. Instance specific ACL\n \"acl\": \"\u002Fpath\u002Fto\u002Facl\u002Ffile.acl\",\n },\n {\n \u002F\u002F Same key as basic format \"server\" and \"server_port\"\n \"server\": \"0.0.0.0\",\n \"server_port\": 8388,\n \"method\": \"chacha20-ietf-poly1305\",\n \u002F\u002F Read the actual password from environment variable PASSWORD_FROM_ENV\n \"password\": \"${PASSWORD_FROM_ENV}\"\n },\n {\n \u002F\u002F AEAD-2022\n \"server\": \"::\",\n \"server_port\": 8390,\n \"method\": \"2022-blake3-aes-256-gcm\",\n \"password\": \"3SYJ\u002Ff8nmVuzKvKglykRQDSgg10e\u002FADilkdRWrrY9HU=\",\n \u002F\u002F For Server (OPTIONAL)\n \u002F\u002F Support multiple users with Extensible Identity Header\n \u002F\u002F https:\u002F\u002Fgithub.com\u002FShadowsocks-NET\u002Fshadowsocks-specs\u002Fblob\u002Fmain\u002F2022-2-shadowsocks-2022-extensible-identity-headers.md\n \"users\": [\n {\n \"name\": \"username\",\n \u002F\u002F User's password must have the same length as server's password\n \"password\": \"4w0GKJ9U3Ox7CIXGU4A3LDQAqP6qrp\u002FtUi\u002FilpOR9p4=\"\n }\n ],\n \u002F\u002F For Client (OPTIONAL)\n \u002F\u002F If EIH enabled, then \"password\" should have the following format: iPSK:iPSK:iPSK:uPSK\n \u002F\u002F - iPSK is one of the middle relay servers' PSK, for the last `ssserver`, it must be server's PSK (\"password\")\n \u002F\u002F - uPSK is the user's PSK (\"password\")\n \u002F\u002F Example:\n \u002F\u002F \"password\": \"3SYJ\u002Ff8nmVuzKvKglykRQDSgg10e\u002FADilkdRWrrY9HU=:4w0GKJ9U3Ox7CIXGU4A3LDQAqP6qrp\u002FtUi\u002FilpOR9p4=\"\n },\n {\n \"...\": \"Any other fields\",\n\n \u002F\u002F Some optional fields for this specific server\n\n \u002F\u002F Outbound socket options\n \u002F\u002F Linux Only (SO_MARK)\n \"outbound_fwmark\": 255,\n \u002F\u002F FreeBSD only (SO_USER_COOKIE)\n \"outbound_user_cookie\": 255,\n \u002F\u002F `SO_BINDTODEVICE` (Linux), `IP_BOUND_IF` (BSD), `IP_UNICAST_IF` (Windows) socket option for outbound sockets\n \"outbound_bind_interface\": \"eth1\",\n \u002F\u002F Outbound socket bind() to this IP (choose a specific interface)\n \"outbound_bind_addr\": \"11.22.33.44\",\n \u002F\u002F Outbound UDP socket allows IP fragmentation (default false)\n \"outbound_udp_allow_fragmentation\": false,\n \u002F\u002F Route outbound TCP connections through a proxy or proxy chain\n \u002F\u002F (TCP only; UDP is not proxied)\n \u002F\u002F Works for both sslocal and ssserver\n \u002F\u002F sslocal: configure in JSON; ssserver: JSON or repeated --outbound-proxy\n \u002F\u002F Single hop:\n \"outbound_proxy\": \"socks5:\u002F\u002F127.0.0.1:1080\",\n \u002F\u002F Single hop with username\u002Fpassword:\n \u002F\u002F \"outbound_proxy\": \"socks5:\u002F\u002Fuser:pass@127.0.0.1:1080\",\n \u002F\u002F Multi-hop:\n \u002F\u002F \"outbound_proxy\": [\n \u002F\u002F \"socks5:\u002F\u002Fuser:pass@127.0.0.1:1080\",\n \u002F\u002F \"https:\u002F\u002Fproxy.example.com:443\",\n \u002F\u002F \"http:\u002F\u002F127.0.0.1:1081\"\n \u002F\u002F ],\n }\n ],\n\n \u002F\u002F Global configurations for UDP associations\n \"udp_timeout\": 300, \u002F\u002F Timeout for UDP associations (in seconds), 5 minutes by default\n \"udp_max_associations\": 512, \u002F\u002F Maximum UDP associations to be kept in one server, unlimited by default\n\n \u002F\u002F Options for Manager\n \"manager_address\": \"127.0.0.1\", \u002F\u002F Could be a path to UNIX socket, \u002Ftmp\u002Fshadowsocks-manager.sock\n \"manager_port\": 5300, \u002F\u002F Not needed for UNIX socket\n\n \u002F\u002F DNS server's address for resolving domain names\n \u002F\u002F For *NIX and Windows, it uses system's configuration by default\n \u002F\u002F\n \u002F\u002F Value could be IP address of DNS server, for example, \"8.8.8.8\".\n \u002F\u002F DNS client will automatically request port 53 with both TCP and UDP protocol.\n \u002F\u002F\n \u002F\u002F - system, uses system provided API (`getaddrinfo` on *NIX)\n \u002F\u002F\n \u002F\u002F It also allows some pre-defined well-known public DNS servers:\n \u002F\u002F - google (TCP, UDP)\n \u002F\u002F - cloudflare (TCP, UDP)\n \u002F\u002F - cloudflare_tls (TLS), enable by feature \"dns-over-tls\"\n \u002F\u002F - cloudflare_https (HTTPS), enable by feature \"dns-over-https\"\n \u002F\u002F - quad9 (TCP, UDP)\n \u002F\u002F - quad9_tls (TLS), enable by feature \"dns-over-tls\"\n \u002F\u002F\n \u002F\u002F The field is only effective if feature \"hickory-dns\" is enabled.\n \"dns\": \"google\",\n \u002F\u002F Configure `cache_size` for \"hickory-dns\" ResolverOpts. Set to \"0\" to disable DNS cache.\n \"dns_cache_size\": 0,\n\n \u002F\u002F Mode, could be one of the\n \u002F\u002F - tcp_only\n \u002F\u002F - tcp_and_udp\n \u002F\u002F - udp_only\n \"mode\": \"tcp_only\",\n\n \u002F\u002F TCP_NODELAY\n \"no_delay\": false,\n\n \u002F\u002F Enables `SO_KEEPALIVE` and set `TCP_KEEPIDLE`, `TCP_KEEPINTVL` to the specified seconds\n \"keep_alive\": 15,\n\n \u002F\u002F Soft and Hard limit of file descriptors on *NIX systems\n \"nofile\": 10240,\n\n \u002F\u002F Try to resolve domain name to IPv6 (AAAA) addresses first\n \"ipv6_first\": false,\n \u002F\u002F Set IPV6_V6ONLY for all IPv6 listener sockets\n \u002F\u002F Only valid for locals and servers listening on `::`\n \"ipv6_only\": false,\n\n \u002F\u002F Outbound socket options\n \u002F\u002F Linux Only (SO_MARK)\n \"outbound_fwmark\": 255,\n \u002F\u002F FreeBSD only (SO_USER_COOKIE)\n \"outbound_user_cookie\": 255,\n \u002F\u002F `SO_BINDTODEVICE` (Linux), `IP_BOUND_IF` (BSD), `IP_UNICAST_IF` (Windows) socket option for outbound sockets\n \"outbound_bind_interface\": \"eth1\",\n \u002F\u002F Outbound socket bind() to this IP (choose a specific interface)\n \"outbound_bind_addr\": \"11.22.33.44\",\n \u002F\u002F Outbound UDP socket allows IP fragmentation (default false)\n \"outbound_udp_allow_fragmentation\": false,\n \u002F\u002F Route outbound TCP connections through a proxy or proxy chain\n \u002F\u002F (TCP only; UDP is not proxied)\n \u002F\u002F Works for both sslocal and ssserver\n \u002F\u002F sslocal: configure in JSON; ssserver: JSON or repeated --outbound-proxy\n \u002F\u002F Single hop:\n \"outbound_proxy\": \"socks5:\u002F\u002F127.0.0.1:1080\",\n \u002F\u002F Single hop with username\u002Fpassword:\n \u002F\u002F \"outbound_proxy\": \"socks5:\u002F\u002Fuser:pass@127.0.0.1:1080\",\n \u002F\u002F Multi-hop:\n \u002F\u002F \"outbound_proxy\": [\n \u002F\u002F \"socks5:\u002F\u002Fuser:pass@127.0.0.1:1080\",\n \u002F\u002F \"https:\u002F\u002Fproxy.example.com:443\",\n \u002F\u002F \"http:\u002F\u002F127.0.0.1:1081\"\n \u002F\u002F ],\n\n \u002F\u002F Balancer customization\n \"balancer\": {\n \u002F\u002F MAX Round-Trip-Time (RTT) of servers\n \u002F\u002F The timeout seconds of each individual checks\n \"max_server_rtt\": 5,\n \u002F\u002F Interval seconds between each check\n \"check_interval\": 10,\n \u002F\u002F Interval seconds between each check for the best server\n \u002F\u002F Optional. Specify to enable shorter checking interval for the best server only.\n \"check_best_interval\": 5\n },\n\n \u002F\u002F SIP008 Online Configuration Delivery\n \u002F\u002F https:\u002F\u002Fshadowsocks.org\u002Fdoc\u002Fsip008.html\n \"online_config\": {\n \"config_url\": \"https:\u002F\u002Fpath-to-online-sip008-configuration\",\n \u002F\u002F Optional. Seconds between each update to config_url. Default to 3600s\n \"update_interval\": 3600,\n \u002F\u002F Optional. Whitelist of plugins (RECOMMENDED for all users)\n \u002F\u002F SECURITY: To avoid executing untrusted commands loaded from config_url\n \"allowed_plugins\": [\n \"v2ray-plugin\"\n ]\n },\n\n \u002F\u002F Service configurations\n \u002F\u002F Logger configuration\n \"log\": {\n \u002F\u002F Default log level to use, if not overridden by `writers`, default is `0`\n \u002F\u002F Equivalent to `-v` command line option\n \"level\": 1,\n \u002F\u002F Default log format to use, if not overridden by `writers`\n \"format\": {\n \u002F\u002F Euiqvalent to `--log-without-time`, default is `false`\n \"without_time\": false,\n },\n \u002F\u002F Advanced logging configuration for configuring multiple writers\n \u002F\u002F A console writer will be configured by default.\n \u002F\u002F Set this to empty array `[]` to disable logging completely\n \"writers\": [\n {\n \u002F\u002F Configure a console writer\n \u002F\u002F The inner fields are optional, if not set, it will use the default values\n \u002F\u002F To minimally configure a console writer, simply write `\"console\": {}`.\n \"console\": {\n \"level\": 2,\n \"format\": {\n \"without_time\": false,\n }\n }\n },\n {\n \u002F\u002F Configure a file writer, useful when running as a Windows Service\n \"file\": {\n \u002F\u002F `level` and `format` can also be set here, if not set, it will use the default values\n \n \u002F\u002F Required. Directory to store log files\n \"directory\": \"\u002Fvar\u002Flog\u002Fshadowsocks-rust\",\n \u002F\u002F Optional. Log rotation frequency, must be one of the following:\n \u002F\u002F - never (default): This will result in log file located at `directory\u002Fprefix.suffix`\n \u002F\u002F - daily: A new log file in the format of `directory\u002Fprefix.yyyy-MM-dd.suffix` will be created daily\n \u002F\u002F - hourly: A new log file in the format of `directory\u002Fprefix.yyyy-MM-dd-HH.suffix` will be created hourly\n \"rotation\": \"never\",\n \u002F\u002F Optional. Prefix of log file, default is one of `sslocal`, `ssserver`, `ssmanager` depending on the service being run.\n \"prefix\": \"shadowsocks-rust\",\n \u002F\u002F Optional. Suffix of log file, default is `log`\n \"suffix\": \"log\",\n \u002F\u002F Optional. If set, keeps the last N log files\n \"max_files\": 5\n }\n },\n {\n \u002F\u002F Configure a syslog writer, only supported on *nix system\n \"syslog\": {\n \u002F\u002F `level` and `format` can also be set here, if not set, it will use the default values\n\n \u002F\u002F Optional. Set the \"identity\" when calling openlog(). Use current service name by default.\n \"identity\": \"identity_name\",\n \u002F\u002F Optional. Set the \"facility\" when calling openlog(). 1 (user-level messages) by default. See RFC5424.\n \"facility\": 1\n }\n }\n ]\n },\n \u002F\u002F Runtime configuration\n \"runtime\": {\n \u002F\u002F `single_thread` or `multi_thread`\n \"mode\": \"multi_thread\",\n \u002F\u002F Worker threads that are used in multi-thread runtime\n \"worker_count\": 10\n }\n}\n```\n\n### SOCKS5 Authentication Configuration\n\nThe configuration file is set by `socks5_auth_config_path` in `locals`.\n\n```jsonc\n{\n \u002F\u002F Password\u002FUsername Authentication (RFC1929)\n \"password\": {\n \"users\": [\n {\n \"user_name\": \"USERNAME in UTF-8\",\n \"password\": \"PASSWORD in UTF-8\"\n }\n ]\n }\n}\n```\n\n### HTTP Authentication Configuration\n\nThe configuration file is set by `http_auth_config_path` in `locals`.\n\n```jsonc\n{\n \u002F\u002F Basic Authentication (RFC9110)\n \"basic\": {\n \"users\": [\n {\n \"user_name\": \"USERNAME in UTF-8\",\n \"password\": \"PASSWORD in UTF-8\"\n }\n ]\n }\n}\n```\n\n### Environment Variables\n\n- `SS_SERVER_PASSWORD`: A default password for servers that created from command line argument (`--server-addr`)\n- `SS_SYSTEM_DNS_RESOLVER_FORCE_BUILTIN`: `\"system\"` DNS resolver force use system's builtin (`getaddrinfo` in *NIX)\n\n## Supported Ciphers\n\n### AEAD 2022 Ciphers\n\n- `2022-blake3-aes-128-gcm`, `2022-blake3-aes-256-gcm`\n- `2022-blake3-chacha20-poly1305`, `2022-blake3-chacha8-poly1305`\n\nThese Ciphers require `\"password\"` to be a Base64 string of key that have **exactly the same length** of Cipher's Key Size. It is recommended to use `ssservice genkey -m \"METHOD_NAME\"` to generate a secured and safe key.\n\n### AEAD Ciphers\n\n- `chacha20-ietf-poly1305`\n- `aes-128-gcm`, `aes-256-gcm`\n\n### Stream Ciphers\n\n- `plain` or `none` (No encryption, only used for debugging or with plugins that ensure transport security)\n\n\u003Cdetails>\u003Csummary>Deprecated\u003C\u002Fsummary>\n\u003Cp>\n\n- `table`\n- `aes-128-cfb`, `aes-128-cfb1`, `aes-128-cfb8`, `aes-128-cfb128`\n- `aes-192-cfb`, `aes-192-cfb1`, `aes-192-cfb8`, `aes-192-cfb128`\n- `aes-256-cfb`, `aes-256-cfb1`, `aes-256-cfb8`, `aes-256-cfb128`\n- `aes-128-ctr`\n- `aes-192-ctr`\n- `aes-256-ctr`\n- `camellia-128-cfb`, `camellia-128-cfb1`, `camellia-128-cfb8`, `camellia-128-cfb128`\n- `camellia-192-cfb`, `camellia-192-cfb1`, `camellia-192-cfb8`, `camellia-192-cfb128`\n- `camellia-256-cfb`, `camellia-256-cfb1`, `camellia-256-cfb8`, `camellia-256-cfb128`\n- `rc4-md5`\n- `chacha20-ietf`\n\n\u003C\u002Fp>\n\u003C\u002Fdetails>\n\n## ACL\n\n`sslocal`, `ssserver`, and `ssmanager` support ACL file with syntax like [shadowsocks-libev](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-libev). Some examples could be found in [here](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-libev\u002Ftree\u002Fmaster\u002Facl).\n\n### Available sections\n\n- For local servers (`sslocal`, `ssredir`, ...)\n - Modes:\n - `[bypass_all]` - ACL runs in `WhiteList` mode. Bypasses all addresses except those matching any rules.\n - `[proxy_all]` - ACL runs in `BlackList` mode. Proxies all addresses except those matching any rules. (default)\n - Rules:\n - `[bypass_list]` - Rules for connecting directly\n - `[proxy_list]` - Rules for connecting through proxies\n- For remote servers (`ssserver`)\n - Modes:\n - `[reject_all]` - ACL runs in `WhiteList` mode. Rejects all clients except those matching any rules.\n - `[accept_all]` - ACL runs in `BlackList` mode. Accepts all clients except those matching any rules. (default)\n - `[outbound_block_all]` - Outbound ACL runs in `WhiteList` mode. Blocks all outbound addresses except those matching any rules.\n - `[outbound_allow_all]` - Outbound ACL runs in `BlackList` mode. Allows all outbound addresses except those matching any rules. (default)\n - Rules:\n - `[white_list]` - Rules for accepted clients\n - `[black_list]` - Rules for rejected clients\n - `[outbound_block_list]` - Rules for blocking outbound addresses.\n - `[outbound_allow_list]` - Rules for allowing outbound addresses.\n\n### Example\n\n```ini\n# SERVERS\n# For ssserver, accepts requests from all clients by default\n[accept_all]\n\n# Blocks these clients\n[black_list]\n1.2.3.4\n127.0.0.1\u002F8\n\n# Disallow these outbound addresses\n[outbound_block_list]\n127.0.0.1\u002F8\n::1\n# Using regular expression\n^[a-z]{5}\\.baidu\\.com\n# Match exactly\n|baidu.com\n# Match with subdomains\n||google.com\n# An internationalized domain name should be converted to punycode\n# |☃-⌘.com - WRONG\n|xn----dqo34k.com\n# ||джpумлатест.bрфa - WRONG\n||xn--p-8sbkgc5ag7bhce.xn--ba-lmcq\n\n# CLIENTS\n# For sslocal, ..., bypasses all targets by default\n[bypass_all]\n\n# Proxy these addresses\n[proxy_list]\n||google.com\n8.8.8.8\n```\n\n## Useful Tools\n\n1. `ssurl` is for encoding and decoding ShadowSocks URLs (SIP002). Example:\n\n ```plain\n ss:\u002F\u002FYWVzLTI1Ni1jZmI6cGFzc3dvcmQ@127.0.0.1:8388\u002F?plugin=obfs-local%3Bobfs%3Dhttp%3Bobfs-host%3Dwww.baidu.com\n ```\n\n## Notes\n\nIt supports the following features:\n\n- [x] SOCKS5 CONNECT command\n- [x] SOCKS5 UDP ASSOCIATE command (partial)\n- [x] SOCKS4\u002F4a CONNECT command\n- [x] Various crypto algorithms\n- [x] Load balancing (multiple servers) and server delay checking\n- [x] [SIP004](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-org\u002Fissues\u002F30) AEAD ciphers\n- [x] [SIP003](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-org\u002Fissues\u002F28) Plugins\n- [x] [SIP003u](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-org\u002Fissues\u002F180) Plugin with UDP support\n- [x] [SIP002](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-org\u002Fissues\u002F27) Extension ss URLs\n- [x] [SIP022](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-org\u002Fissues\u002F196) AEAD 2022 ciphers\n- [x] HTTP Proxy Supports ([RFC 7230](http:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7230) and [CONNECT](https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Fdraft-luotonen-web-proxy-tunneling-01))\n- [x] Defend against replay attacks, [shadowsocks\u002Fshadowsocks-org#44](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-org\u002Fissues\u002F44)\n- [x] Manager APIs, supporting [Manage Multiple Users](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks\u002Fwiki\u002FManage-Multiple-Users)\n- [x] ACL (Access Control List)\n- [x] Support HTTP\u002FHTTPS Proxy protocol\n\n## TODO\n\n- [x] Documentation\n- [x] Extend configuration format\n- [x] Improved logging format (waiting for the new official log crate)\n- [x] Support more ciphers without depending on `libcrypto` (waiting for an acceptable Rust crypto lib implementation)\n- [x] Windows support.\n- [x] Build with stable `rustc` ~~(blocking by `crypto2`)~~.\n- [x] Support HTTP Proxy protocol\n- [x] AEAD ciphers. (proposed in [SIP004](https:\u002F\u002Fgithub.com\u002Fshadowsocks\u002Fshadowsocks-org\u002Fissues\u002F30), still under discussion)\n- [x] Choose server based on delay #152\n\n## License\n\n[The MIT License (MIT)](https:\u002F\u002Fopensource.org\u002Flicenses\u002FMIT)\n\nCopyright (c) 2014 Y. T. CHUNG\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and\u002For sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE.\n\n## Stargazers over time\n\n[![Stargazers over time](https:\u002F\u002Fstarchart.cc\u002Fshadowsocks\u002Fshadowsocks-rust.svg)](https:\u002F\u002Fstarchart.cc\u002Fshadowsocks\u002Fshadowsocks-rust)\n","shadowsocks-rust 是一个用 Rust 语言重写的 Shadowsocks 代理工具。它支持 HTTP、SOCKS4 和 SOCKS5 协议,并具备透明代理功能,能够帮助用户绕过网络防火墙访问受限内容。项目利用了 Rust 的内存安全和高性能特性,确保了软件的稳定性和效率。适用于需要增强网络隐私保护或突破地域限制的个人及企业场景。",2,"2026-06-11 03:03:39","top_language"]