Shadowsocks + simple-obfs + IPv6 [CentOS 7]

Sometimes, the network traffic need to be encrypted and obfuscated. shadowsocks + simple-obfs is a simple solution. shadowsocks is a socks5 proxy, with traffic encryption. all traffic through shadosocks will be encrypted. simple-obfs is used for obfuscate traffic. The upstream traffic encapsulation in HTTP or tls stream. The outer traffic will look like an HTTP session.

Server-side config

Install shadowsocks, simple-obfs

Enable copr and install:

curl https://copr.fedorainfracloud.org/coprs/antonchen/proxy/repo/epel-7/antonchen-proxy-epel-7.repo -o /etc/yum.repos.d/antonchen-proxy-epel-7.repo
dnf install shadowsocks-libev simple-obfs

Config shadowsocks:

# cat /etc/shadowsocks-libev/config.json
{
“server”: [“[::1]“, “127.0.0.1”],
“server_port”: 8888,
“password”: “Password”,
“timeout”: 600,
“method”: “salsa20”,
“fast_open”: true,
“workers”: 2,
“plugin”: “obfs-server”,
“plugin_opts”: “obfs=http;fast-open=true”
}

server with value ["[::1]", "127.0.0.1"] means listen 127.0.0.1 and ::1(localhost in IPv6), not listen all interface. fast_open means use TCP Fast Open, but with plugin, so actually 8888 is listened by obfs_-server, so we add fast-open=true to plugin_opts._ ipv6_first means while proxying DNS request, use IPv6 firstly. When you access google.com via proxy, you will use IPv6. Start it, make it autostart:

systemctl start shadowsocks-libev
systemctl enable shadowsocks-libev

Then,

Use nginx as reverse proxy

# cat /etc/nginx/conf.d/ss.conf
server {
listen 80;

server_name ss.example.com;

charset utf-8;
gzip on;
keepalive_timeout 120s;

location / {
if ($http_upgrade = “”) {
return 301 https://www.example.com$request\_uri;
}
proxy_pass http://[::1]:8888;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection “upgrade”;
}
}

Request without Upgrade header will redirect to www.example.com, behave like a normal site. Request with Upgrade is send by obfs-local, so proxy_pass to obfs-server. Maybe you need configure firewall_. For_ firewalld_:_

firewall-cmd –permanent –add-service http
firewall-cmd –add-service http

Client config

macOS

Install shadowsocks-libev, simple-obfs:

brew install shadowsocks-libev simple-obfs

Configure it:

$ cat /usr/local/etc/shadowsocks-libev.json
{
“server”: “ss.example.com”,
“server_port”: 80,
“password”: “Password”,
“local_port”: 1080,
“method”: “salsa20”,
“timeout”: 600,
“fast_open”: true,
“plugin”: “/usr/local/bin/obfs-local”,
“plugin_opts”: “obfs=http;obfs-host=ss.example.com;fast-open=true”
}

Start ss-local:

brew services start shadowsocks-libev

You can now use 127.0.0.1:1080 as socks5 proxy.

Android

You need install shadowsocks-android, and simple-obfs-android. Configure it:

Bonus

• You can use CDN that support WebSocket as a middle reverse proxy. for example, Cloudflare, 加速乐 by 知道创宇.
• You can put your site and obfs under same domain.