Shadowsocks 服务端
使用 shadowsocks-libev 软件包来部署 Shadowsocks 服务端
https://github.com/shadowsocks/shadowsocks-libev
github 的 README.md 里面详细介绍了不同发行版的安装方法,其他发行版可以参考 README.md 方法安装
install
介绍 Redhat 系 系统 ( CentOS 7 / Fedora 27 x86_64 ) 下安装 shadowsocks-libev 安装方法
CentOS7
在 Fedora Project 的 copr 自动打包平台 上创建了 RedHat 系发行版 ( Fedora / CentOS ) yum 仓库:
https://copr.fedorainfracloud.org/coprs/outman/shadowsocks-libev/
编译好的 rpm 包位于:https://copr-be.cloud.fedoraproject.org/results/outman/shadowsocks-libev/epel-7-x86_64/
CentOS7 系统:
repo_url='https://copr.fedorainfracloud.org/coprs/outman/shadowsocks-libev/repo/epel-7/outman-shadowsocks-libev-epel-7.repo'
wget -c -nv -t5 -T5 "$repo_url" -O /etc/yum.repos.d/outman-shadowsocks-libev.repo
yum install -y epel-release
yum install -y libsodium shadowsocks-libev simple-obfs
Fedora 27 系统:
dnf copr enable -y outman/shadowsocks-libev
dnf install -y shadowsocks-libev simple-obfs
config
查看 shadowsocks-libev 包含的 配置文件 和 相关命令 :
# rpm -ql shadowsocks-libev |egrep 'etc|bin|service'
/etc/shadowsocks-libev/config.json
/etc/sysconfig/shadowsocks-libev
/usr/bin/ss-local
/usr/bin/ss-manager
/usr/bin/ss-redir
/usr/bin/ss-server
/usr/bin/ss-tunnel
/usr/lib/systemd/system/shadowsocks-libev-local.service
/usr/lib/systemd/system/[email protected]
/usr/lib/systemd/system/[email protected]
/usr/lib/systemd/system/[email protected]
/usr/lib/systemd/system/[email protected]
/usr/lib/systemd/system/shadowsocks-libev.service
修改默认配置文件:/etc/shadowsocks-libev/config.json
{
"server":"45.67.89.10",
"server_port": 12345,
"local_port": 9090,
"password": "V_V1_fuck.GFW",
"method": "chacha20-ietf-poly1305",
"timeout": 60,
"fast_open": true,
"reuse_port": false
}
设置 shadowsocks-libev 服务 开机自启动:
# systemctl enable shadowsocks-libev
Created symlink from /etc/systemd/system/multi-user.target.wants/shadowsocks-libev.service
to /usr/lib/systemd/system/shadowsocks-libev.service.
启动 shadowsocks-libev 服务:
# systemctl start shadowsocks-libev
# systemctl status shadowsocks-libev
● shadowsocks-libev.service - Shadowsocks-libev Default Server Service
Loaded: loaded (/usr/lib/systemd/system/shadowsocks-libev.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2017-11-28 23:33:38 CST; 1s ago
Docs: man:shadowsocks-libev(8)
Main PID: 12566 (ss-server)
CGroup: /system.slice/shadowsocks-libev.service
└─12566 /usr/bin/ss-server -c /etc/shadowsocks-libev/config.json -u
Nov 28 23:33:38 minion systemd[1]: Started Shadowsocks-libev Default Server Service.
Nov 28 23:33:38 minion systemd[1]: Starting Shadowsocks-libev Default Server Service...
确认服务 进程 和 端口 :
# pgrep -af ss-server
2260 /usr/bin/ss-server -c /etc/shadowsocks-libev/config.json -u
# netstat -lntup|grep ss-server
tcp 0 0 45.67.89.10:12345 0.0.0.0:* LISTEN 2260/ss-server
udp 0 0 45.67.89.10:12345 0.0.0.0:* 2260/ss-server
security
AHEAD
https://shadowsocks.org/en/spec/AEAD-Ciphers.html
| Alias | Key Size | Salt Size | Nonce Size | Tag Size |
|---|---|---|---|---|
chacha20-ietf-poly1305 |
32 |
32 |
12 |
16 |
aes-256-gcm |
32 |
32 |
12 |
16 |
aes-192-gcm |
24 |
24 |
12 |
16 |
aes-128-gcm |
16 |
16 |
12 |
16 |
为何 shadowsocks 要弃用一次性验证 (OTA) 2017-02-09
使用了 AEAD 算法的新协议能够解决上面描述的 Original/OTA 协议的所有问题, 可以有效防范 CCA 和中间人攻击,减少被主动探测的风险。 我能想到的唯一的缺点大概就是 性能 了,但是它又能影响多少呢?
shadowsocks-libev 加密方式评测 2017-02-10
https://gist.github.com/madeye/c046fc35e10a82154f4697fb316a7ac6
#!/bin/bash
method=$1
ss-tunnel -k test -m $method -l 8387 -L 127.0.0.1:8388 -s 127.0.0.1 -p 8389 &
ss_tunnel_pid=$!
ss-server -k test -m $method -s 127.0.0.1 -p 8389 &
ss_server_pid=$!
iperf -s -p 8388 &
iperf_pid=$!
sleep 3
iperf -c 127.0.0.1 -p 8387
kill $ss_tunnel_pid
kill $ss_server_pid
kill $iperf_pid
echo "Test Finished"
libev 版新加的加密算法会添加到 Python 版吗 #751 2017-02-15
gcm 应该比 cfb 快不少吧 cfb 的 encryption 是不能 并行处理 的 gcm 的可以
添加 sodium:aes-256-gcm 模式和 ocb 模式 #783 2017-03-06
sodium 的 aes-256-gcm 实现比 openssl 的快 ocb 的加密效率比 gcm 高
gcm 需要硬件支持吧?而且需要双端的硬件都支持
ARM 的 64 位的 CPU 都支持 gcm 了,除此以外就是 ocb 和 chach20-ietf-poly1305 速度快
sodium:aes-256-gcm 有检测的,sodium 的 gcm 只支持 硬解,所以速度是最快的
各个库的对应加密算法是可以混用的,也就是说服务器端可以配置成 sodium:aes-256-gcm,客户端用 aes-256-gcm 或者 mbedtls:aes-256-gcm。因为不同加密库在不同 cpu 下性能不一样,在支持 sodium:aes-256-gcm 的 CPU 下 sodium:aes-256-gcm 是最快的 openssl 的慢 30% 左右,mbedtls 的 gcm 最慢,可能只有 sodium 的一半速度。
在 ARM 设备下可能 mbedtls 快点,服务器端 intel cpu 不建议用 mbedtls
在 HTTPS 加密连接中使用 CHACHA20-POLY1305 加密方法
因为 ARM 的 CPU 是精简指令集,没有 AES 硬件加速
Add a benchmark utility? #1173 2017-02-02
chacha20 is actually using SSSE3 instructions on supported devices under the hood.
EDIT: And SSSE3 is ~2 years older than AES-NI, even my old computer supports this technology.
https://github.com/jedisct1/libsodium/tree/master/src/libsodium/crypto_stream/chacha20/dolbeau
Linux kernel uses AVX2 for implementing Chacha20
ChaCha20-Poly1305 针对移动端设备大量使用的 ARM 芯片做了优化,能够充分利用 ARM 向量指令,在移动设备上加解密速度更快、更省电; 更加节省带宽 Poly1305 的输出是 16 字节,而 HMAC-SHA1 是 20 字节,可以节省 16% 的 overhead 消耗。
chacha20 和 chacha20-ietf 这两种加密方式有什么区别? #507 2016-01-05
好像是非 ietf 版本的加密方法 IV 长度不够 12 位
Deprecate stream ciphers with insufficient IV length #36 2017-02-04
Summary
For Shadowsocks deployment using stream ciphers, long-term key and randomly generated IV of insufficient length causes (key, IV) pair reuse with high probability, which allows Reused Key Attack. Adversaries can recover plaintext within reasonable budget constraint.
Proposal
- Stream ciphers with IV length less than
12bytes MUST be deprecated. Namely,bf-cfb,chacha20, andsalsa20. - Users SHOULD choose stream ciphers with IV length of
16or more bytes. - Users are RECOMMENDED to use the new AEAD ciphers.
https://shadowsocks.org/en/spec/Stream-Ciphers.html
| Name | Key Size | IV Length |
|---|---|---|
aes-128-ctr |
16 |
16 |
aes-192-ctr |
24 |
16 |
aes-256-ctr |
32 |
16 |
aes-128-cfb |
16 |
16 |
aes-192-cfb |
24 |
16 |
aes-256-cfb |
32 |
16 |
camellia-128-cfb |
16 |
16 |
camellia-192-cfb |
24 |
16 |
camellia-256-cfb |
32 |
16 |
chacha20-ietf |
32 |
12 |
bf-cfb |
16 |
8 |
chacha20 |
32 |
8 |
salsa20 |
32 |
8 |
chacha20-ietf-poly1305 |
16 |
16 |
OTA
OTA 已经不安全,请使用 AHEAD 加密方式
为何 shadowsocks 要弃用一次性验证 (OTA) 2017-02-09
OTA 当初是为了给原版协议的 流加密 加上一个 认证 以增强安全性,殊不知这带来了更大的隐患,
这也是为什么 shadowsocks.org 要急急忙忙 弃用 OTA 的原因。
OTA 一次认证 特性:https://shadowsocks.org/en/spec/one-time-auth.html
One-time authentication (shortened as OTA) is a new experimental feature designed to improve the security against CCA. You should understand the protocol before reading this document.
By default, the server that supports OTA should run in the compatible mode. OTA is only applied if the client's request header has a flag set. However, if the server switch on OTA explicitly, all clients must switch on OTA, otherwise connections will be denied.
The authentication method is HMAC-SHA1 which has wide supports among all major platforms and fairly good speed.
Shadowsocks 各分支的安全性 2016-09-21
关于 ShadowsocksR 和 Shadowsocks 的安全性
Shadowsocks 通过加入 一次验证 提高了对抗 CCA 的安全性,各大 ports 已经陆续完成了支持。这里需要重申的是 Shadowsocks 的目标不是 100% bug-free 或 100% bullet-proof,而是保证连接轻量快速的同时让主流攻击手段的成本高到一般无法实施。
random port
shadowsocks 多端口随机
https://gist.github.com/suikatomoki/89b1221dab19f64ba2b3
远程 ss 服务端:
#ss-server 服务端(假设你的目前的服务端 ss 端口已经监听在 23 端口):
#-----------开始--------------
iptables -t nat -A PREROUTING -p tcp -m multiport --dport 81:1023 -j REDIRECT --to-ports 23
iptables -t nat -A PREROUTING -p udp -m multiport --dport 81:1023 -j REDIRECT --to-ports 23
#以下两条命令可选
service iptables save
service iptables restart
#-----------结束--------------
本地 openwrt 路由器:
#ss-redir 本地端(104.224.156.199 自行修改成自己服务器 ip):
#-----------开始--------------
iptables -t nat -I OUTPUT 1 -d 104.224.156.199 -p tcp --dport 23 -j DNAT --to-destination 104.224.156.199:81-1023 --random
iptables -t nat -I OUTPUT 1 -d 104.224.156.199 -p udp --dport 23 -j DNAT --to-destination 104.224.156.199:81-1023 --random
#以下两条命令可选
service iptables save
service iptables restart
#openwrt
#/etc/init.d/firewall restart
#-----------结束--------------
可使用 iptables -t nat -L -n --line-numbers 命令查看 nat 规则是否已经生效
network optimize
BBR
http://elrepo.org/tiki/tiki-index.php
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh https://www.elrepo.org/elrepo-release-7.0-4.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel install kernel-ml
echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
sysctl -p
lsmod | grep bbr
How to Deploy Google BBR on CentOS 7
Google BBR拥塞控制算法模型初探 2017-09-03
最后需要提示一点 TCP 拥塞控制算法是 数据的发送端决定发送窗口,因此在哪边部署,就对哪边发出的数据有效。如果是 下载,就应在 server 部署;如果是 上传,就应在 client 部署。
TCP Fast Open
https://github.com/shadowsocks/shadowsocks/wiki/Optimizing-Shadowsocks
查看系统支持的内核网络模
$ sysctl net.ipv4.tcp_available_congestion_control
net.ipv4.tcp_available_congestion_control = hybla cubic reno
net-speeder
对于海外高延时的 VPS 可以安装 net-speeder 来提速
https://github.com/snooda/net-speeder
net-speeder 作者写的原理介绍:
net-speeder 网速优化/加速器(适用于高延迟不稳定链路加速)
由于光速的局限性,延迟会比较高(即使光沿直线传播,太平洋一个往返也要一百多毫秒)。并且由于距离较远,途径路由跳数较多,并且网络拥堵的原因。经常会发生丢包的情况。
对于平时使用最广泛的 TCP 协议来讲,发送端发出包后,接收端会回复 ACK 表示自己收到了。用这种机制来保证可靠性。但对于高延迟链路来讲,如果每发送一个包都等待应答,那么大部分时间都在等待数据包到达,而链路则空置了。为此一般会采用滑动窗口技术。即在窗口满之前,发送端一直发送包,然后收到应答后将确认收到的包从窗口中移除。这样可以提高链路利用率。
TCP 还有一个特性则是拥塞控制。当发送端检测到链路发生丢包时,则会主动缩小窗口大小以减慢发送速度,避免拥塞。不过对于跳数较多的链路来讲,只要有一个路由不够稳定丢包,就会被发送端判断为拥塞,从而影响网络速度。
为了解决丢包问题,最简单粗暴的方法就是双倍发送,即同一份数据包发送两份。这样的话在服务器带宽充足情况下,丢包率会平方级降低。
这种方式下,直接优点是降低丢包率,直接缺点是耗费双倍流量。一些延伸影响是更容易触发快速恢复逻辑,避免了丢包时窗口缩减过快。一定程度也能提高网络速度。
最近比较忙,空闲时间做了一个最简单的程序,试用效果很好,在一台 VPS 上测试后发现,未开启时单线程下载、ssh 管道速度在十几 K 级别。开启后可以达到平均 300KB+ 的速度。效果非常明显。但对于 不加速就可以跑满带宽的类型 来讲(多线程下载),开启后反而由于多出来的无效流量,导致速度减半。所以对于多线程/高速链路,这个方案是不适合的。
目前版本是最简单的逻辑,未来会进行细化(主动触发快速恢复、快速重传等),降低流量浪费,提升加速效果。
目前程序起名 net-speeder 相对于修改协议栈来讲,由于后者需要重新升级编译内核,使用用户态程序部署更方便,稳定性更高,兼容性更好。缺点则是性能开销稍大和自由度有损失。总体比较起来,个人使用还是使用用户态程序更合适一些,特别是在虚拟机中使用(OpenVZ,LXC等虚拟机无法自己定制内核)。
install
安装方法参考 github 的 README.md 即可,编译完成后,放在 后台运行 即可:
# /root/net-speeder-master/net_speeder venet0 "ip" 2>&1 > /dev/null &
# pgrep -af 'net_speeder venet0'
31263 /root/net-speeder-master/net_speeder venet0 ip
crontab
net_speeder 程序运行一段时间会崩溃,所以写了个 crontab 自动检查启动:
$ cat /root/net-speeder-master/net_speeder.cron.sh
#!/bin/bash
/bin/pgrep -af 'net_speeder venet0' || /root/net-speeder-master/net_speeder venet0 "ip" 2>&1 > /dev/null &
crontab 任务每隔 15 分钟运行一次:
# crontab -l
MAILTO=''
*/15 * * * * bash /root/net-speeder-master/net_speeder.cron.sh
troubleshooting
ERROR: Failed to open DNS resolver socket
如果系统禁用 ipv6 但是 /etc/resolv.conf 还有 ipv6 的 DNS 地址会导致服务无法启动:
# cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 2001:4860:4860::8844
nameserver 2001:4860:4860::8888
# ss-server -c config.json
2016-12-28 01:47:39 INFO: using tcp fast open
2016-12-28 01:47:39 INFO: initializing ciphers... chacha20-ietf-poly1305
2016-12-28 01:47:39 ERROR: Failed to open DNS resolver socket
系统已经禁用 IPV6 :
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether x4:x1:x4:xa:6a:x0 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.100/24 brd 192.168.1.255 scope global eth0
valid_lft forever preferred_lft forever
修改 /etc/resolv.conf 配置文件,重启服务,测试恢复正常:
# cat /etc/resolv.conf
nameserver 8.8.8.8
# chattr +i /etc/resolv.conf
# ss-server -c config.json
2016-12-28 01:51:28 INFO: using tcp fast open
2016-12-28 01:51:28 INFO: initializing ciphers... chacha20-ietf-poly1305
2016-12-28 01:51:28 INFO: tcp port reuse enabled
2016-12-28 01:51:28 INFO: listening at 192.168.1.100:10000
libsodium
https://download.libsodium.org/doc/installation/
http://pkgs.fedoraproject.org/cgit/rpms/libsodium.git/tree/libsodium.spec
创建打包目录:
mkdir -pv ~/rpmbuild/{SPECS,SOURCES}
安装编译打包相关依赖包:https://github.com/shadowsocks/shadowsocks-libev
yum install -y epel-release
yum install -y rpm-build rpmdevtools gcc autoconf libtool automake make
spec_url=http://pkgs.fedoraproject.org/cgit/rpms/libsodium.git/plain/libsodium.spec
curl -sS $spec_url -o ~/rpmbuild/SPECS/libsodium.spec
# spectool -l -A -R ~/rpmbuild/SPECS/libsodium.spec
Source0: http://download.libsodium.org/libsodium/releases/libsodium-1.0.15.tar.gz
# spectool -g -A -R ~/rpmbuild/SPECS/libsodium.spec
Getting http://download.libsodium.org/libsodium/releases/libsodium-1.0.15.tar.gz
to /root/rpmbuild/SOURCES/libsodium-1.0.15.tar.gz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 185 100 185 0 0 669 0 --:--:-- --:--:-- --:--:-- 672
100 1822k 100 1822k 0 0 323k 0 0:00:05 0:00:05 --:--:-- 366k
# time rpmbuild -bb --clean ~/rpmbuild/SPECS/libsodium.spec
## DO
real 2m11.577s
user 1m32.915s
sys 0m36.105s
shadowsocks-libev
https://copr-be.cloud.fedoraproject.org/results/outman/shadowsocks-libev/epel-7-$basearch/
https://github.com/shadowsocks/openwrt-shadowsocks/blob/master/Makefile
define Package/shadowsocks-libev/Default
SECTION:=net
CATEGORY:=Network
TITLE:=Lightweight Secured Socks5 Proxy
URL:=https://github.com/shadowsocks/shadowsocks-libev
DEPENDS:=+zlib +libev +libcares +libpcre +libpthread +libsodium +libmbedtls
endef
CONFIGURE_ARGS += --disable-ssp --disable-documentation --disable-assert
# ./configure --help
`configure' configures shadowsocks-libev 3.1.0 to adapt to many kinds of systems.
Usage: ./configure [OPTION]... [VAR=VALUE]...
To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE. See below for descriptions of some of the useful variables.
Defaults for the options are specified in brackets.
Configuration:
-h, --help display this help and exit
--help=short display options specific to this package
--help=recursive display the short help of all the included packages
-V, --version display version information and exit
-q, --quiet, --silent do not print `checking ...' messages
--cache-file=FILE cache test results in FILE [disabled]
-C, --config-cache alias for `--cache-file=config.cache'
-n, --no-create do not create output files
--srcdir=DIR find the sources in DIR [configure dir or `..']
Installation directories:
--prefix=PREFIX install architecture-independent files in PREFIX
[/usr/local]
--exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
[PREFIX]
By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc. You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.
For better control, use the options below.
Fine tuning of the installation directories:
--bindir=DIR user executables [EPREFIX/bin]
--sbindir=DIR system admin executables [EPREFIX/sbin]
--libexecdir=DIR program executables [EPREFIX/libexec]
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
--datarootdir=DIR read-only arch.-independent data root [PREFIX/share]
--datadir=DIR read-only architecture-independent data [DATAROOTDIR]
--infodir=DIR info documentation [DATAROOTDIR/info]
--localedir=DIR locale-dependent data [DATAROOTDIR/locale]
--mandir=DIR man documentation [DATAROOTDIR/man]
--docdir=DIR documentation root
[DATAROOTDIR/doc/shadowsocks-libev]
--htmldir=DIR html documentation [DOCDIR]
--dvidir=DIR dvi documentation [DOCDIR]
--pdfdir=DIR pdf documentation [DOCDIR]
--psdir=DIR ps documentation [DOCDIR]
Program names:
--program-prefix=PREFIX prepend PREFIX to installed program names
--program-suffix=SUFFIX append SUFFIX to installed program names
--program-transform-name=PROGRAM run sed PROGRAM on installed program names
System types:
--build=BUILD configure for building on BUILD [guessed]
--host=HOST cross-compile to build programs to run on HOST [BUILD]
Optional Features:
--disable-option-checking ignore unrecognized --enable/--with options
--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
--enable-dependency-tracking
do not reject slow dependency extractors
--disable-dependency-tracking
speeds up one-time build
--enable-silent-rules less verbose build output (undo: "make V=1")
--disable-silent-rules verbose build output (undo: "make V=0")
--enable-maintainer-mode
enable make rules and dependencies not useful (and
sometimes confusing) to the casual installer
--enable-static[=PKGS] build static libraries [default=no]
--enable-shared[=PKGS] build shared libraries [default=no]
--enable-fast-install[=PKGS]
optimize for fast installation [default=yes]
--disable-libtool-lock avoid locking (might break parallel builds)
--enable-system-shared-lib
build against shared libraries when possible
--disable-documentation do not build documentation
--disable-ssp Do not compile with -fstack-protector
--disable-assert turn off assertions
--enable-connmarktos Enable saved connmark to IP TOS QoS feature
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
--without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
--with-pic[=PKGS] try to use only PIC/non-PIC objects [default=use
both]
--with-gnu-ld assume the C compiler uses GNU ld [default=no]
--with-sysroot=DIR Search for dependent libraries within DIR
(or the compiler's sysroot if not specified).
--with-pcre=DIR use a specific pcre library
--with-mbedtls=DIR mbed TLS base directory, or:
--with-mbedtls-include=DIR
mbed TLS headers directory (without trailing
/mbedtls)
--with-mbedtls-lib=DIR mbed TLS library directory
--with-sodium=DIR The Sodium crypto library base directory, or:
--with-sodium-include=DIR
The Sodium crypto library headers directory (without
trailing /sodium)
--with-sodium-lib=DIR The Sodium crypto library library directory
--with-cares=DIR The c-ares library base directory, or:
--with-cares-include=DIR
The c-ares library headers directory (without
trailing /cares)
--with-cares-lib=DIR The c-ares library library directory
# ./configure --help|grep disable
--cache-file=FILE cache test results in FILE [disabled]
--disable-option-checking ignore unrecognized --enable/--with options
--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
--disable-dependency-tracking
--disable-silent-rules verbose build output (undo: "make V=0")
--disable-libtool-lock avoid locking (might break parallel builds)
--disable-documentation do not build documentation
--disable-ssp Do not compile with -fstack-protector
--disable-assert turn off assertions
https://github.com/shadowsocks/shadowsocks-libev/blob/master/rpm/SPECS/shadowsocks-libev.spec.in
# egrep -i 'doc|man' rpm/SPECS/shadowsocks-libev.spec.in
BuildRequires: make gcc pcre-devel asciidoc xmlto automake libtool mbedtls-devel libsodium-devel >= 1.0.4 libev-devel c-ares-devel
%doc %{_docdir}/shadowsocks-libev/*.html
%exclude %{_docdir}/shadowsocks-libev/ss-nat.html
%doc %{_mandir}/man*/*
%exclude %{_mandir}/man1/ss-nat.1.*
# egrep -i 'doc|man' rpm/SPECS/shadowsocks-libev.spec.in | sed -r -e '/_(doc|man)dir/d' -e 's/asciidoc xmlto //g'
BuildRequires: make gcc pcre-devel automake libtool mbedtls-devel libsodium-devel >= 1.0.4 libev-devel c-ares-devel
# grep configure rpm/SPECS/shadowsocks-libev.spec.in|sed -e 's/$/ --disable-documentation/g'
%configure --enable-shared --enable-system-shared-lib --disable-documentation
%configure --enable-shared --disable-documentation
ss
real 0m50.383s
user 0m39.101s
sys 0m9.543s
sed -i -e '1 s/^/%global _enable_debug_package 0\n%global debug_package %{nil}\n/'
yum install gcc autoconf libtool automake make zlib-devel openssl-devel c-ares-devel
https://github.com/aa65535/openwrt-simple-obfs/blob/master/Makefile
define Package/simple-obfs/Default
SECTION:=net
CATEGORY:=Network
TITLE:=Simple-obfs
URL:=https://github.com/shadowsocks/simple-obfs
DEPENDS:=+libev +libcares +libpthread +libsodium
endef
CONFIGURE_ARGS += --disable-ssp --disable-documentation --disable-assert
update
更新源码:
# git pull origin master
remote: Counting objects: 112, done.
remote: Compressing objects: 100% (38/38), done.
remote: Total 112 (delta 61), reused 99 (delta 61), pack-reused 13
Receiving objects: 100% (112/112), 118.16 KiB | 0 bytes/s, done.
Resolving deltas: 100% (61/61), completed with 15 local objects.
From https://github.com/shadowsocks/shadowsocks-libev
* branch master -> FETCH_HEAD
First, rewinding head to replay your work on top of it...
Fast-forwarded master to 85a64ae8360759aa59ebe3061c092c9a2054d078.
# git log -3
commit 85a64ae8360759aa59ebe3061c092c9a2054d078
Author: Max Lv <[email protected]>
Date: Mon Jan 15 17:25:03 2018 -0800
Bump version
# git tag | tail -n 2
v3.1.1
v3.1.2
更新 tag :
# git pull --tags
From https://github.com/shadowsocks/shadowsocks-libev
* [new tag] v3.1.3 -> v3.1.3
Fetching tags only, you probably meant:
git fetch --tags
# git tag | tail -n 2
v3.1.2
v3.1.3 ## <-- 新 tag
打包:
# bash rpm/srcrpm.sh
INFO - GIT tag-commit: v3.1.3-0-g85a64ae ; RPM version-release: 3.1.3-1
removed ‘/root/ss/shadowsocks-libev/rpm/SRPMS/shadowsocks-libev-3.1.3-1.el7.centos.src.rpm’
removed ‘/root/ss/shadowsocks-libev/rpm/SOURCES/shadowsocks-libev-3.1.3-submodule-libbloom-7a9deb893fc1646c0b9186b50d46358379953d4b.tar’
removed ‘/root/ss/shadowsocks-libev/rpm/SOURCES/shadowsocks-libev-3.1.3-submodule-libcork-0220aa5a2d11b7484b4aa464024ba8b6942d646f.tar’
removed ‘/root/ss/shadowsocks-libev/rpm/SOURCES/shadowsocks-libev-3.1.3-submodule-libipset-3ea7fe30adf4b39b27d932e5a70a2ddce4adb508.tar’
removed ‘/root/ss/shadowsocks-libev/rpm/SOURCES/shadowsocks-libev-3.1.3.tar’
removed ‘/root/ss/shadowsocks-libev/rpm/SOURCES/shadowsocks-libev-3.1.3.tar.gz’
~/ss/shadowsocks-libev ~/ss/shadowsocks-libev
Entering 'libbloom'
Entering 'libcork'
Entering 'libipset'
~/ss/shadowsocks-libev
Wrote: /root/ss/shadowsocks-libev/rpm/SRPMS/shadowsocks-libev-3.1.3-1.el7.centos.src.rpm
Executing(--clean): /bin/sh -e /var/tmp/rpm-tmp.y3vrlo
+ umask 022
+ cd /root/ss/shadowsocks-libev/rpm/BUILD
+ rm -rf shadowsocks-libev-3.1.3
+ exit 0
openwrt 更新:
#src/gz openwrt_dist http://example.com/packages/LEDE/base/mips_24kc
#src/gz openwrt_dist_luci http://example.com/packages/LEDE/luci
src/gz openwrt_dist http://openwrt-dist.sourceforge.net/packages/LEDE/base/mips_24kc
src/gz openwrt_dist_luci http://openwrt-dist.sourceforge.net/packages/LEDE/luci
root@LEDE:~# opkg update
Downloading http://openwrt-dist.sourceforge.net/packages/LEDE/base/mips_24kc/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_dist
Downloading http://openwrt-dist.sourceforge.net/packages/LEDE/base/mips_24kc/Packages.sig
Signature check passed.
Downloading http://openwrt-dist.sourceforge.net/packages/LEDE/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_dist_luci
Downloading http://openwrt-dist.sourceforge.net/packages/LEDE/luci/Packages.sig
Signature check passed.
...
注意: 如果有依赖包更新 libsodium 需要手动指明 ( opkg 不会 自动更新依赖)
root@LEDE:~# opkg upgrade shadowsocks-libev
Upgrading shadowsocks-libev on root from 3.1.2-1 to 3.1.3-1...
Downloading http://openwrt-dist.sourceforge.net/packages/LEDE/base/mips_24kc/shadowsocks-libev_3.1.3-1_mips_24kc.ipk
Configuring shadowsocks-libev.
root@LEDE:~# /etc/init.d/shadowsocks restart
2018-01-16 14:22:16 INFO: set MTU to 1492
2018-01-16 14:22:16 INFO: using tcp fast open
root@LEDE:~# pgrep -lf ss
3152 ss-redir -c /var/etc/shadowsocks.cfg0a4a8f.json --fast-open -l 1234 --mtu 1492 -f /var/run/ss-redir-cfg0a4a8f.pid
shadowsocks-libev-server
# cat /etc/shadowsocks-libev/config.json
{
"server":"45.67.89.10",
"server_port":62123,
"local_port":9090,
"password":"fdafdafdafda",
"timeout":600,
"fast_open": true,
"method":"chacha20-ietf-poly1305",
"plugin":"obfs-server",
"plugin_opts":"obfs=http;fast-open"
}
# systemctl start shadowsocks-libev
# systemctl status shadowsocks-libev
● shadowsocks-libev.service - Shadowsocks-libev Default Server Service
Loaded: loaded (/usr/lib/systemd/system/shadowsocks-libev.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2017-10-18 15:59:53 CST; 6s ago
Docs: man:shadowsocks-libev(8)
Main PID: 13796 (ss-server)
CGroup: /system.slice/shadowsocks-libev.service
├─13796 /usr/bin/ss-server -c /etc/shadowsocks-libev/config.json -u
└─13800 obfs-server
systemd[1]: Started Shadowsocks-libev Default Server Service.
systemd[1]: Starting Shadowsocks-libev Default Server Service...
ss-server[13796]: 2017-10-18 15:59:53 [simple-obfs] INFO: using tcp fast open
ss-server[13796]: 2017-10-18 15:59:53 [simple-obfs] INFO: obfuscating enabled
ss-server[13796]: 2017-10-18 15:59:53 [simple-obfs] INFO: tcp port reuse enabled
ss-server[13796]: 2017-10-18 15:59:53 [simple-obfs] INFO: listening at 45.67.89.10:12345
# netstat -lntpu|egrep 'ss-|obfs'
tcp 0 0 45.67.89.10:12345 0.0.0.0:* LISTEN 13800/obfs-server
tcp 0 0 127.0.0.1:58700 0.0.0.0:* LISTEN 13796/ss-server
udp 0 0 45.67.89.10:12345 0.0.0.0:* 13796/ss-server
root@LEDE:~# echo "net.ipv4.tcp_fastopen = 3" >> /etc/sysctl.conf
root@LEDE:~# sysctl -p
root@LEDE:~# uci changes
shadowsocks.cfg0a4a8f.plugin='obfs-local'
shadowsocks.cfg0a4a8f.plugin_opts='obfs=http;obfs-host=apple.com;fast-open'
shadowsocks.cfg0a4a8f.fast_open='1'
shadowsocks.cfg0a4a8f.server='45.67.89.10'
shadowsocks.cfg0a4a8f.encrypt_method='chacha20-ietf-poly1305'
shadowsocks.cfg0a4a8f.plugin_opts='obfs=http;obfs-host=itunes.apple.com;fast-open'
root@LEDE:~# uci show shadowsocks
shadowsocks.@general[0]=general
shadowsocks.@general[0].startup_delay='0'
shadowsocks.@transparent_proxy[0]=transparent_proxy
shadowsocks.@transparent_proxy[0].udp_relay_server='nil'
shadowsocks.@transparent_proxy[0].local_port='1234'
shadowsocks.@transparent_proxy[0].main_server='cfg0a4a8f'
shadowsocks.@transparent_proxy[0].mtu='1492'
shadowsocks.@socks5_proxy[0]=socks5_proxy
shadowsocks.@socks5_proxy[0].local_port='1080'
shadowsocks.@socks5_proxy[0].server='cfg0a4a8f'
shadowsocks.@socks5_proxy[0].mtu='1492'
shadowsocks.@port_forward[0]=port_forward
shadowsocks.@port_forward[0].server='nil'
shadowsocks.@port_forward[0].local_port='5300'
shadowsocks.@port_forward[0].destination='8.8.4.4:53'
shadowsocks.@port_forward[0].mtu='1492'
shadowsocks.@servers[0]=servers
shadowsocks.@servers[0].alias='sample'
shadowsocks.@servers[0].timeout='60'
shadowsocks.@servers[0].server_port='12345'
shadowsocks.@servers[0].password='YOUR_PASS'
shadowsocks.@servers[0].plugin='obfs-local'
shadowsocks.@servers[0].fast_open='1'
shadowsocks.@servers[0].server='45.67.89.10'
shadowsocks.@servers[0].encrypt_method='chacha20-ietf-poly1305'
shadowsocks.@servers[0].plugin_opts='obfs=http;obfs-host=itunes.apple.com;fast-open'
shadowsocks.@access_control[0]=access_control
shadowsocks.@access_control[0].self_proxy='1'
shadowsocks.@access_control[0].lan_target='SS_SPEC_WAN_AC'
shadowsocks.@access_control[0].wan_bp_list='/etc/chinadns_chnroute.txt'
root@LEDE:~# cat /etc/config/shadowsocks
config general
option startup_delay '0'
config transparent_proxy
option udp_relay_server 'nil'
option local_port '1234'
option main_server 'cfg0a4a8f'
option mtu '1492'
config socks5_proxy
option local_port '1080'
list server 'cfg0a4a8f'
option mtu '1492'
config port_forward
list server 'nil'
option local_port '5300'
option destination '8.8.4.4:53'
option mtu '1492'
config servers
option alias 'sample'
option timeout '60'
option server_port '12345'
option password 'YOUR_PASS'
option plugin 'obfs-local'
option fast_open '1'
option server '45.67.89.10'
option encrypt_method 'chacha20-ietf-poly1305'
option plugin_opts 'obfs=http;obfs-host=itunes.apple.com;fast-open'
config access_control
option self_proxy '1'
option lan_target 'SS_SPEC_WAN_AC'
option wan_bp_list '/etc/chinadns_chnroute.txt'
root@LEDE:~# uci commit
root@LEDE:~# /etc/init.d/shadowsocks restart
2017-10-18 08:33:12 INFO: set MTU to 1492
2017-10-18 08:33:12 INFO: plugin "obfs-local" enabled
2017-10-18 08:33:12 INFO: using tcp fast open
2017-10-18 08:33:13 INFO: set MTU to 1492
2017-10-18 08:33:13 INFO: plugin "obfs-local" enabled
三种方法实现移动端 HTTPS 加速和省电 2015-12-18
去年 Google 就已经在移动端做了 HTTPS 的性能加速,为 Android 平台的 Chrome 浏览器增加了一个新的 TLS 加密套件:ChaCha20-Poly1305 这是专门为 移动设备 推出的加密套件
| 常见的流式加密算法有 | RC4,ChaCha20-Poly1305 |
|---|---|
| 常见的分组加密算法有 | AES-CBC,AES-GCM |
RC4 由于存在严重安全漏洞,已经基本不再使用;AES-CBC 容易遭受 BEAST 和 LUCKY13 攻击,使用也逐渐减少;AES-GCM 是它们的安全替代,AES-GCM 也是目前最为流行的对称加密算法。
安全风险可参看 ssllabs 上的相关文章:https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what
更加节省带宽 Poly1305 的输出是 16 字节,而 HMAC-SHA1 是 20 字节,可以节省 16% 的 overhead 消耗
AEAD 加密方式
aes-128-gcm
aes-192-gcm
aes-256-gcm
chacha20-ietf-poly1305
混淆域名
cloudfront.com
itunes.apple.com
is1.mzstatic.com
i1.hdslb.com
ajax.microsoft.com
apps.bdimg.com
atanx.alicdn.com
api.weibo.com
https://github.com/shadowsocks/shadowsocks/issues/783
sodium 的 gcm 只支持硬解,所以速度是最快的
ARM 64 位的 CPU 都支持 gcm 了,除此以外就是 ocb 和 chach20-ietf-poly1305 速度快了
https://en.wikipedia.org/wiki/OCB_mode#Attacks
CPU 支持不代表就用对应指令集写了对应的优化代码
sodium: aes-256-gcm 有检测的 sodium 的 gcm 只支持硬解,所以速度是最快的
ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)
https://www.ietf.org/proceedings/88/slides/slides-88-tls-1.pdf
增加 v 参数打印 simple-obfs 详细日志:
{
"server":"45.67.89.10",
"server_port":12345,
"local_port":9090,
"password":"fdafdafda",
"timeout":600,
"fast_open": true,
"method":"chacha20-ietf-poly1305",
"plugin":"obfs-server",
"plugin_opts":"obfs=tls;fast-open;t=3600;v"
}
ss-server: 2017-10-19 15:38:02 [simple-obfs] INFO: remote connected
ss-server: 2017-10-19 15:38:20 [simple-obfs] INFO: remote_recv close the connection
ss-server: 2017-10-19 15:38:20 [simple-obfs] INFO: current remote connection: 16
ss-server: 2017-10-19 15:38:20 [simple-obfs] INFO: current server connection: 16
ss-server: 2017-10-19 15:38:24 [simple-obfs] INFO: accept a connection
ss-server: 2017-10-19 15:38:24 [simple-obfs] INFO: connect to 127.0.0.1:58591
ss-server: 2017-10-19 15:38:24 [simple-obfs] INFO: remote connected
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: accept a connection
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: connect to 127.0.0.1:58591
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: remote connected
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: server_recv close the connection
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: current remote connection: 17
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: current server connection: 17
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: accept a connection
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: connect to 127.0.0.1:58591
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: remote connected
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: accept a connection
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: connect to 127.0.0.1:58591
ss-server: 2017-10-19 15:38:25 [simple-obfs] INFO: remote connected
ss-server: 2017-10-19 15:38:26 [simple-obfs] INFO: server_recv close the connection
ss-server: 2017-10-19 15:38:26 [simple-obfs] INFO: current remote connection: 18
ss-server: 2017-10-19 15:38:26 [simple-obfs] INFO: current server connection: 18
ss-server: 2017-10-19 15:38:31 [simple-obfs] INFO: accept a connection
ss-server: 2017-10-19 15:38:31 [simple-obfs] INFO: connect to 127.0.0.1:58591
ss-server: 2017-10-19 15:38:31 [simple-obfs] INFO: remote connected
ss-server: 2017-10-19 15:38:31 [simple-obfs] INFO: server_recv close the connection
ss-server: 2017-10-19 15:38:31 [simple-obfs] INFO: current remote connection: 18
ss-server: 2017-10-19 15:38:31 [simple-obfs] INFO: current server connection: 18
ss-server: 2017-10-19 15:38:32 [simple-obfs] INFO: remote_recv close the connection
ss-server: 2017-10-19 15:38:32 [simple-obfs] INFO: current remote connection: 17
ss-server: 2017-10-19 15:38:32 [simple-obfs] INFO: current server connection: 17
https://github.com/shadowsocks/shadowsocks-libev/issues/1575
Server:
{
"server":"0.0.0.0",
"server_port":8388,
"local_port":1080,
"password":"xxxxxxxx",
"timeout":60,
"method":"aes-128-gcm",
"reuse_port": true,
"fast_open": true,
"nameserver": "8.8.8.8",
"mode": "tcp_and_udp",
"plugin":"obfs-server",
"plugin_opt":"obfs=http"
}
Client:
{
"server": "xx.xx.xx.xxx",
"server_port": 8388,
"password": "xxxxxxxx",
"method": "aes-128-gcm",
"local_address": "0.0.0.0",
"plugin": "obfs-local",
"plugin_opts": "obfs=http;obfs-host=www.bing.com",
"timeout": 60,
"reuse_port": true
}
https://anonscm.debian.org/cgit/collab-maint/simple-obfs.git/tree/debian/config.json
{
"server":"127.0.0.1",
"server_port":8388,
"local_port":1080,
"password":"barfoo!",
"timeout":60,
"method":"chacha20-ietf-poly1305",
"mode":"tcp_and_udp",
"fast_open":true,
"plugin":"obfs-server",
"plugin_opts":"obfs=tls;failover=127.0.0.1:8443;fast-open"
}
with web server add the options to your server's configuration file. Set shadowsocks server port to 443 ( tls mode) or 80 ( http mode).
"plugin_opts": "obfs=tls;failover=<your-domain-or-IP>:<port-that-web-server-listens-to>",
https://github.com/Old-Pussy/ss-obfs-ibm/blob/master/ss-obfs.sh
ss-server -p $1 -k $2 -m $3 --plugin obfs-server --plugin-opts "obfs=tls;failover=127.0.0.1:443"
http://blog.jejer.net/2013/01/openwrt-for-wr720n.html
USB Storage http://wiki.openwrt.org/doc/howto/usb.storage
extroot http://wiki.openwrt.org/doc/howto/extroot
3G http://wiki.openwrt.org/doc/recipes/3gdongle
https://github.com/stangri/openwrt-packages/blob/simple-adblock/net/simple-adblock/files/README.md
This service provides lightweight and very fast dnsmasq based ad blocking.
https://leamtrop.com/2017/05/14/shadowsocks-proxy-on-lede/
随机数生成器 (Random Number Generator, RNG) 是生成伪随机数的机制。伪随机数字可以用于生成 SSH key,进程随机 PID,TCP 序列号 以及 UUID 等。使用加密(文件系统,邮件等等)需要大量的伪随机数。
要允许应用程序获得伪随机数,至少有 2 个内核块设备:
/dev/urandom提供标准质量的随机数,不管是否有熵都可以工作:当需要大量的随机数的时候,随机性质量会下降(这是因为/dev/urandom设备是一个 不中断源,重用内核熵池,所以提供的是无限的 伪随机数)。/dev/random提供高质量随机数,但是缺乏熵的时候会停止工作:在 Linux 内核保留了一个4KB的熵池(entropy pool)(这个熵池的大小见/proc/sys/kernel/random/poolsize);当这个 pool 空的时候,内核阻塞。
为了得到优质的伪随机数,需要一些熵 (entropy) 这个熵是由操作系统搜集的随机性因素:
- 键盘实践,网络流量,鼠标移动,中断,ide 计时等内部源
- 在 Intel IvyBridge 和 Haswell 处理器提供的
RDRAND这种特定处理器指令 - 通过
virtio-rng半虚拟化设备实现虚拟机随机设备(参考 Red Hat 文档) - 独立的、外部、物理设备( 称为 TPM 即 Trusted Platform Module )
Red Hat Enterprise Linux Virtual Machines: Access to Random Numbers Made Easy 2015-03-09
https://github.com/shadowsocks/shadowsocks/wiki/Optimizing-Shadowsocks
