Shadowsocks + simple-obfs + IPv6 [CentOS 7]

Sometimes, the network traffic need to be encrypted and obfuscated. shadowsocks + simple-obfs is a simple solution.

shadowsocks is a socks5 proxy, with traffic encryption. all traffic through shadosocks will be encrypted.

simple-obfs is used for obfuscate traffic. The upstream traffic encapsulation in HTTP or tls stream. The outer traffic will look like an HTTP session.

Server-side config

Install shadowsocks, simple-obfs

Enable copr and install:

curl https://copr.fedorainfracloud.org/coprs/antonchen/proxy/repo/epel-7/antonchen-proxy-epel-7.repo \
  -o /etc/yum.repos.d/antonchen-proxy-epel-7.repo
dnf install shadowsocks-libev simple-obfs

Config shadowsocks:

# cat /etc/shadowsocks-libev/config.json
{
    "server": \["\[::1\]", "127.0.0.1"\],
    "server\_port": 8888,
    "password": "Password",
    "timeout": 600,
    "method": "salsa20",
    "fast\_open": true,
    "workers": 2,
    "plugin": "obfs-server",
    "plugin\_opts": "obfs=http;fast-open=true"
}

server with value ["[::1]", "127.0.0.1"] means listen 127.0.0.1 and ::1(localhost in IPv6), not listen all interface.

fast_open means use TCP Fast Open, but with plugin, so actually 8888 is listened by obfs_-server, so we add fast-open=true to plugin_opts.

ipv6_first means while proxying DNS request, use IPv6 firstly. When you access google.com via proxy, you will use IPv6.

Start it, and make it autostart:

systemctl start shadowsocks-libev
systemctl enable shadowsocks-libev

Then,

Use nginx as reverse proxy

# cat /etc/nginx/conf.d/ss.conf 
server {
  listen 80;

  server\_name ss.example.com;

  charset utf-8;
  gzip on;
  keepalive\_timeout 120s;

  location / {
    if ($http\_upgrade = "") {
      return 301 https://www.example.com$request\_uri;
    }
    proxy\_pass http://\[::1\]:8888;
    proxy\_http\_version 1.1;
    proxy\_set\_header Upgrade $http\_upgrade;
    proxy\_set\_header Connection "upgrade";
  }
}

Request without Upgrade header will redirect to www.example.com, behave like a normal site.

Request with Upgrade is send by obfs-local, so proxy_pass to obfs-server.

You might need to configure firewall. For firewalld:

firewall-cmd --permanent --add-service http
firewall-cmd --add-service http

Client config

macOS

Install shadowsocks-libev, simple-obfs:

brew install shadowsocks-libev simple-obfs

Configure it:

$ cat /usr/local/etc/shadowsocks-libev.json
{
    "server": "ss.example.com", 
    "server\_port": 80, 
    "password": "Password", 
    "local\_port": 1080, 
    "method": "salsa20", 
    "timeout": 600,
    "fast\_open": true,
    "plugin": "/usr/local/bin/obfs-local",
    "plugin\_opts": "obfs=http;obfs-host=ss.example.com;fast-open=true"
}

Start ss-local:

brew services start shadowsocks-libev

You could now use 127.0.0.1:1080 as socks5 proxy.

Android

You need install shadowsocks-android, and simple-obfs-android.

Configure it:

Bonus

• You can use CDN that support WebSocket as a middle reverse proxy. for example, Cloudflare, 加速乐 by 知道创宇.
• You can put your site and obfs under same domain.