mirror of
https://github.com/XTLS/Xray-docs-next.git
synced 2025-02-01 15:31:41 +03:00
94 lines
2.9 KiB
Markdown
94 lines
2.9 KiB
Markdown
# Shadowsocks
|
|
|
|
The [Shadowsocks](https://en.wikipedia.org/wiki/Shadowsocks) protocol is compatible with most other implementations of Shadowsocks.
|
|
|
|
The current compatibility is as follows:
|
|
|
|
- Supports TCP and UDP packet forwarding, with the option to selectively disable UDP.
|
|
- Recommended encryption methods:
|
|
- 2022-blake3-aes-128-gcm
|
|
- 2022-blake3-aes-256-gcm
|
|
- 2022-blake3-chacha20-poly1305
|
|
- Other encryption methods:
|
|
- aes-256-gcm
|
|
- aes-128-gcm
|
|
- chacha20-poly1305 or chacha20-ietf-poly1305
|
|
- xchacha20-poly1305 or xchacha20-ietf-poly1305
|
|
- none or plain
|
|
|
|
The Shadowsocks 2022 new protocol format improves performance and includes complete replay protection, addressing the following security issues in the old protocol:
|
|
|
|
- [Serious vulnerabilities in Shadowsocks AEAD encryption, which cannot guarantee the integrity of the communication content](https://github.com/shadowsocks/shadowsocks-org/issues/183)
|
|
- Increasing false positive rate of the original TCP replay filter over time
|
|
- Lack of UDP replay protection
|
|
- TCP behaviors that can be used for active probing
|
|
|
|
::: danger
|
|
Traffic transmitted without encryption using the "none" method will be in plain text. Do not use it on public networks for security reasons.
|
|
:::
|
|
|
|
## InboundConfigurationObject
|
|
|
|
```json
|
|
{
|
|
"settings": {
|
|
"password": "password",
|
|
"method": "aes-256-gcm",
|
|
"level": 0,
|
|
"email": "love@xray.com",
|
|
"network": "tcp,udp"
|
|
}
|
|
}
|
|
```
|
|
|
|
> `network`: "tcp" | "udp" | "tcp,udp"
|
|
|
|
The supported network protocol type. For example, when specified as `"tcp"`, it will only handle TCP traffic. The default value is `"tcp"`.
|
|
|
|
## ClientObject
|
|
|
|
```json
|
|
{
|
|
"password": "密码",
|
|
"method": "aes-256-gcm",
|
|
"level": 0,
|
|
"email": "love@xray.com"
|
|
}
|
|
```
|
|
|
|
> `method`: string
|
|
|
|
Required.
|
|
|
|
> `password`: string
|
|
|
|
Required.
|
|
|
|
- Shadowsocks 2022
|
|
|
|
Use a pre-shared key similar to WireGuard as the password.
|
|
|
|
Use `openssl rand -base64 <length>` to generate a compatible key with shadowsocks-rust, where the length depends on the encryption method used.
|
|
|
|
| Encryption Method | Key Length |
|
|
| ----------------------------- | ---------: |
|
|
| 2022-blake3-aes-128-gcm | 16 |
|
|
| 2022-blake3-aes-256-gcm | 32 |
|
|
| 2022-blake3-chacha20-poly1305 | 32 |
|
|
|
|
In the Go implementation, a 32-byte key always works.
|
|
|
|
- Other encryption methods
|
|
|
|
Any string. There is no limitation on the password length, but shorter passwords are more susceptible to cracking. It is recommended to use a password of 16 characters or longer.
|
|
|
|
> `level`: number
|
|
|
|
The user level that the connection will use to determine the corresponding [Local Policy](../policy.md#levelpolicyobject).
|
|
|
|
The value of `level` corresponds to the value of `level` in the [policy](../policy.md#policyobject). If not specified, the default value is 0.
|
|
|
|
> `email`: string
|
|
|
|
The user's email, used to differentiate traffic from different users (logs, statistics).
|