Asciidoc man page rework (#699)

* Add 'tunnel_address' support for json config parser

  And allow ss-tunnel to use the newly introduced parser.

  Signed-off-by: Adam Anonymous <anonymous_temp_user@yahoo.co.jp>

* Add "mode" support for jconf

  Now jconf supports "mode" setting, allowed values are "tcp_only", "tcp_and_udp" and "udp_only".

  Signed-off-by: Adam Anonymous <anonymous_temp_mail@yahoo.co.jp>

* Use jconf "mode" for server/local/tunnel/manager

  Signed-off-by: Adam Anonymous <anonymous_temp_mail@yahoo.co.jp>

* Add per-project vimrc to gitignore

  As the coding style differs from kernel and other projects, so such project vimrc should be helpful.

  Signed-off-by: Adam Anonymous <anonymous_temp_mail@yahoo.co.jp>

* Doc: Introduce asciidoc based documentation framework

  Use asciidoc for new documentation framework, which could not only output man pages, but also htmls. And asciidoc documentation is much more human-readable than roff man pages.

  Signed-off-by: Adam Anonymous <anonymous_temp_mail@yahoo.co.jp>

* Doc: Convert shadowsocks-libev man page to asciidoc

  The port to asciidoc has some format change compared to old one. The most obvious one is the options listed in SYNOPSIS. Now the options list is not split into 2/3 columns, or we must use asciidoc tables and introduce table frames. Other small change includes the removal of AUTHOR sector, as it's not an expendable method to update AUTHOR sector every time it gets updated.

  Signed-off-by: Adam Anonymous <anonymous_temp_mail@yahoo.co.jp>

* Doc: Convert ss-local man page to asciidoc

  Also modify gitignore, since it uses too generic rules to ignore such documentation.

  Signed-off-by: Adam Anonymous <anonymous_temp_mail@yahoo.co.jp>

* Doc: Convert ss-manager man page to asciidoc

  Signed-off-by: Adam Anonymous <anonymous_temp_mail@yahoo.co.jp>

* Doc: Convert ss-nat man page to asciidoc

  Signed-off-by: Adam Anonymous <anonymous_temp_mail@yahoo.co.jp>

* Doc: Convert ss-redir man page to asciidoc

  Signed-off-by: Adam Anonymous <anonymous_temp_mail@yahoo.co.jp>

* Doc: Convert ss-server man page to asciidoc

  Signed-off-by: Adam Anonymous <anonymous_temp_mail@yahoo.co.jp>

* Doc: Convert ss-tunnel man page to asciidoc

  Signed-off-by: Adam Anonymous <anonymous_temp_mail@yahoo.co.jp>

* Doc: Remove old roff man pages

  Welcome to the new age of asciidoc.

  Signed-off-by: Adam Anonymous <anonymous_temp_mail@yahoo.co.jp>

* Doc: Add equivalent tables for command line options and config file

  Now user can get a more clear view of config file and command line options.

  Signed-off-by: Adam Anonymous <anonymous_temp_mail@yahoo.co.jp>

shadowsocks-libev(8)
====================

NAME
----
shadowsocks-libev - a lightweight and secure socks5 proxy

SYNOPSIS
--------
*ss-local*|*ss-redir*|*ss-server*|*ss-tunnel*|*ss-manager*
[-s <server_host>] [-p <server_port>] [-l <local_port>] [-k <password>]
[-m <encrypt_method>] [-f <pid_file>] [-t <timeout>] [-c <config_file>]

DESCRIPTION
-----------
*Shadowsocks-libev* is a lightweight and secure socks5 proxy.
It is a port of the original shadowsocks created by clowwindy.
*Shadowsocks-libev* is written in pure C and takes advantage of *libev*
to achieve both high performance and low resource consumption.

*Shadowsocks-libev* consists of five components. One is `ss-server`(1)
that runs on a remote server to provide secured tunnel service.
`ss-local`(1) and `ss-redir`(1) are clients on your local machines to proxy
traffic (TCP/UDP or both).
`ss-tunnel`(1) is a tool for local port forwarding.

While `ss-local`(1) works as a standard socks5 proxy, `ss-redir`(1) works
as a transparent proxy and requires netfilter's NAT module. For more
information, check out the 'EXAMPLE' section.

`ss-manager`(1) is a controller for multi-user management and traffic
statistics, using a UNIX domain socket to talk with `ss-server`(1).
Also, it provides a UNIX domain socket or IP based API for other software.
For details of this API, refer to the 'PROTOCOL' section.

OPTIONS
-------

-s <server_host>::
Set the server's hostname or IP.

-l <local_port>::
Set the local port number.
+
Not available in server or manager mode.

-k <password>::
Set the password. The server and the client should use the same password.

-m <encrypt_method>::
Set the cipher.
+
*Shadowsocks-libev* accepts 18 different ciphers:
+
table, rc4, rc4-md5, aes-128-cfb, aes-192-cfb, aes-256-cfb, bf-cfb,
camellia-128-cfb, camellia-192-cfb, camellia-256-cfb, cast5-cfb, des-cfb,
idea-cfb, rc2-cfb, seed-cfb, salsa20, chacha20 and chacha20-ietf.
+
The default cipher is 'table'.
+
If built with PolarSSL or custom OpenSSL libraries, some of
these ciphers may not work.

-a <user_name>::
Run as a specific user.

-f <pid_file>::
Start shadowsocks as a daemon with a specific pid file.

-t <timeout>::
Set the socket timeout in seconds. The default value is 60.

-c <config_file>::
Use a configuration file.

-n <number>::
Specify max number of open files.
+
Not available in manager mode.
+
Only available on Linux.

-i <interface>::
Send traffic through a specific network interface.
+
For example, there are three interfaces in your device, which are
lo (127.0.0.1), eth0 (192.168.0.1) and eth1 (192.168.0.2).
Meanwhile, you configure *shadowsocks-libev* to listen on 0.0.0.0:8388
and bind to eth1. As a result, the traffic goes out through eth1,
not through lo or eth0. This option is useful to control traffic in
a multi-interface environment.
+
Not available in redir mode.

-b <local_address>::
Specify local address to bind.
+
Not available in server or manager mode.

-u::
Enable UDP relay.
+
TPROXY is required in redir mode. You may need root permission.

-U::
Enable UDP relay and disable TCP relay.
+
Not available in local mode.

-A::
Enable onetime authentication.

-w::
Enable white list mode (when ACL enabled).
+
Only available in server mode.

-L <addr:port>::
Specify destination server address and port for local port forwarding.
+
Only available in tunnel mode.

-d <addr>::
Set up name servers for internal DNS resolver (libudns).
The default server is fetched from /etc/resolv.conf.
+
Only available in server and manager mode.

--fast-open::
Enable TCP fast open.
+
Not available in redir or tunnel mode. Requires Linux kernel > 3.7.0.

--acl <acl_config>::
Enable ACL (Access Control List) and specify config file.
+
Not available in redir or tunnel mode.

--manager-address <path_to_unix_domain>::
Specify UNIX domain socket address.
+
Only available in server and manager mode.

--executable <path_to_server_executable>::
Specify the executable path of `ss-server`.
+
Only available in manager mode.

-v::
Enable verbose mode.

-h|--help::
Print help message.

CONFIG FILE
-----------

The config file is written in JSON and is easy to edit.

The config file equivalents of the command line options are listed below as examples.

[frame="topbot",options="header"]
|============================================================================
| Command line | JSON
| -s some.server.net | "server":"some.server.net"
| -s some.server.net -p 1234 (client) | "server":"some.server.net:1234"
| -p 1234 -k "PasSworD" (server) | "port_password":{"1234":"PasSworD"}
| -p 1234 | "server_port":"1234"
| -b 0.0.0.0 | "local_address":"0.0.0.0"
| -l 4321 | "local_port":"4321"
| -k "PasSworD" | "password":"PasSworD"
| -m "aes-256-cfb" | "method":"aes-256-cfb"
| -t 60 | "timeout":60
| --fast-open | "fast_open":true
| -A | "auth":true
| -n "/etc/nofile" | "nofile":"/etc/nofile"
| -d "8.8.8.8" | "nameserver":"8.8.8.8"
| -L "somedns.net:53" | "tunnel_address":"somedns.net:53"
| -u | "mode":"tcp_and_udp"
| -U | "mode":"udp_only"
| no "-u" nor "-U" options (default) | "mode":"tcp_only"
|============================================================================

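As an added example (not part of the shadowsocks-libev documentation or code), the following Python sketch lints a config file against the keys, ciphers and "mode" values listed on this page, so that a misspelled key or a missing "method" (which leaves the default cipher 'table' in effect) is caught before deployment. The function name `lint_config`, the severities and the `WEAK` cipher list are assumptions of this example.

```python
import difflib
import json

# Cipher names and "mode" values exactly as this man page lists them.
CIPHERS = {"table", "rc4", "rc4-md5", "aes-128-cfb", "aes-192-cfb",
           "aes-256-cfb", "bf-cfb", "camellia-128-cfb", "camellia-192-cfb",
           "camellia-256-cfb", "cast5-cfb", "des-cfb", "idea-cfb", "rc2-cfb",
           "seed-cfb", "salsa20", "chacha20", "chacha20-ietf"}
MODES = {"tcp_only", "tcp_and_udp", "udp_only"}
# JSON keys from the equivalence table (bind address spelled "local_address").
KEYS = {"server", "server_port", "port_password", "local_address",
        "local_port", "password", "method", "timeout", "fast_open", "auth",
        "nofile", "nameserver", "tunnel_address", "mode"}
# Policy of this example, not of the project: ciphers flagged as weak.
WEAK = {"table", "rc4", "des-cfb", "rc2-cfb"}

def lint_config(text):
    """Return (severity, message) findings for one JSON config document."""
    conf = json.loads(text)
    findings = []
    for key in sorted(set(conf) - KEYS):
        hint = difflib.get_close_matches(key, sorted(KEYS), n=1)
        note = f", did you mean {hint[0]!r}?" if hint else ""
        findings.append(("warn", f"key {key!r} is not in the table{note}"))
    method = conf.get("method", "table")
    if "method" not in conf:
        findings.append(("warn", "no 'method' set, default cipher 'table' applies"))
    elif method not in CIPHERS:
        findings.append(("error", f"cipher {method!r} is not a listed cipher"))
    elif method in WEAK:
        findings.append(("warn", f"cipher {method!r} is on the weak list"))
    mode = conf.get("mode", "tcp_only")
    if mode not in MODES:
        findings.append(("error", f"mode {mode!r} is not a listed mode"))
    if not conf.get("password") and not conf.get("port_password"):
        findings.append(("error", "no 'password' or 'port_password' set"))
    return findings

# Constructed sample: misspelled bind-address key, no cipher, invalid mode.
SAMPLE = ('{"server": "some.server.net", "server_port": "1234", '
          '"local_adress": "0.0.0.0", "password": "PasSworD", "mode": "udp"}')

if __name__ == "__main__":
    for severity, message in lint_config(SAMPLE):
        print(f"{severity}: {message}")
```
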
EXAMPLE
-------

`ss-redir` requires netfilter's NAT function. Here is an example:

....
# Create new chain
root@Wrt:~# iptables -t nat -N SHADOWSOCKS
root@Wrt:~# iptables -t mangle -N SHADOWSOCKS

# Ignore your shadowsocks server's addresses
# It's very IMPORTANT, just be careful.
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 123.123.123.123 -j RETURN

# Ignore LANs and any other addresses you'd like to bypass the proxy
# See Wikipedia and RFC5735 for full list of reserved networks.
# See ashi009/bestroutetb for a highly optimized CHN route list.
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 0.0.0.0/8 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 10.0.0.0/8 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 127.0.0.0/8 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 169.254.0.0/16 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 172.16.0.0/12 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 192.168.0.0/16 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 224.0.0.0/4 -j RETURN
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -d 240.0.0.0/4 -j RETURN

# Anything else should be redirected to shadowsocks's local port
root@Wrt:~# iptables -t nat -A SHADOWSOCKS -p tcp -j REDIRECT --to-ports 12345

# Add any UDP rules
root@Wrt:~# ip rule add fwmark 0x01/0x01 table 100
root@Wrt:~# ip route add local 0.0.0.0/0 dev lo table 100
root@Wrt:~# iptables -t mangle -A SHADOWSOCKS -p udp --dport 53 -j TPROXY --on-port 12345 --tproxy-mark 0x01/0x01

# Apply the rules
root@Wrt:~# iptables -t nat -A PREROUTING -p tcp -j SHADOWSOCKS
root@Wrt:~# iptables -t mangle -A PREROUTING -j SHADOWSOCKS

# Start the shadowsocks-redir
root@Wrt:~# ss-redir -u -c /etc/config/shadowsocks.json -f /var/run/shadowsocks.pid
....

PROTOCOL
--------

`ss-manager`(1) provides several APIs through UDP protocol::

Send UDP commands in the following format to the manager-address provided to ss-manager(1): ::::
command: [JSON data]

To add a port: ::::
add: {"server_port": 8001, "password":"7cd308cc059"}

To remove a port: ::::
remove: {"server_port": 8001}

To receive a pong: ::::
ping

Then `ss-manager`(1) will send back the traffic statistics: ::::
stat: {"8001":11370}

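
As an added example (not part of the shadowsocks-libev documentation or code), the Python sketch below builds and parses the `command: [JSON data]` datagrams described in this section and runs the add/remove/ping exchange against a stand-in manager on a loopback UDP socket. The stand-in (`fake_manager`), its zero traffic counters and the second port and password are constructed for the example; because the commands shown carry no credential, the socket is bound to 127.0.0.1 only.

```python
import json
import socket
import threading

def encode(command, data=None):
    """Build one datagram: 'command' or 'command: {JSON data}'."""
    if data is None:
        return command.encode()
    return f"{command}: {json.dumps(data)}".encode()

def decode(datagram):
    """Split a datagram into (command, data); data is None for bare commands."""
    command, sep, body = datagram.decode().partition(":")
    return command.strip(), json.loads(body) if sep else None

def fake_manager(sock, count):
    """Stand-in for ss-manager (assumption): handle `count` datagrams."""
    ports = {}
    for _ in range(count):
        datagram, peer = sock.recvfrom(1024)
        command, data = decode(datagram)
        if command == "add":
            ports[str(data["server_port"])] = 0  # constructed traffic counter
        elif command == "remove":
            ports.pop(str(data["server_port"]), None)
        elif command == "ping":
            sock.sendto(encode("stat", ports), peer)

def demo():
    """Add two ports, remove one, ping, and return the decoded reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as server, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        server.bind(("127.0.0.1", 0))  # loopback only: commands carry no credential
        server.settimeout(2)
        client.settimeout(2)
        worker = threading.Thread(target=fake_manager, args=(server, 4))
        worker.start()
        for message in (
                encode("add", {"server_port": 8001, "password": "7cd308cc059"}),
                encode("add", {"server_port": 8002, "password": "constructed"}),
                encode("remove", {"server_port": 8002}),
                encode("ping")):
            client.sendto(message, server.getsockname())
        reply = decode(client.recvfrom(1024)[0])
        worker.join()
    return reply

if __name__ == "__main__":
    print(demo())
```
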
SEE ALSO
--------

`ss-local`(1),
`ss-server`(1),
`ss-tunnel`(1),
`ss-redir`(1),
`ss-manager`(1),
`iptables`(8),
/etc/shadowsocks-libev/config.json