Shadowsocks + simple-obfs + IPv6 [CentOS 7]

Sometimes, the network traffic need to be encrypted and obfuscated. shadowsocks + simple-obfs is a simple solution. shadowsocks is a socks5 proxy, with traffic encryption. all traffic through shadosocks will be encrypted. simple-obfs is used for obfuscate traffic. The upstream traffic encapsulation in HTTP or tls stream. The outer traffic will look like an HTTP session.

Server-side config

Install shadowsocks, simple-obfs

Enable copr and install:

curl -o /etc/yum.repos.d/antonchen-proxy-epel-7.repo
dnf install shadowsocks-libev simple-obfs

Config shadowsocks:

# cat /etc/shadowsocks-libev/config.json
“server”: [“[::1]“, “”],
“server_port”: 8888,
“password”: “Password”,
“timeout”: 600,
“method”: “salsa20”,
“fast_open”: true,
“workers”: 2,
“plugin”: “obfs-server”,
“plugin_opts”: “obfs=http;fast-open=true”

server with value ["[::1]", ""] means listen and ::1(localhost in IPv6), not listen all interface. fast_open means use TCP Fast Open, but with plugin, so actually 8888 is listened by obfs_-server, so we add fast-open=true to plugin_opts._ ipv6_first means while proxying DNS request, use IPv6 firstly. When you access via proxy, you will use IPv6. Start it, make it autostart:

systemctl start shadowsocks-libev
systemctl enable shadowsocks-libev


Use nginx as reverse proxy

# cat /etc/nginx/conf.d/ss.conf
server {
listen 80;


charset utf-8;
gzip on;
keepalive_timeout 120s;

location / {
if ($http_upgrade = “”) {
return 301$request\_uri;
proxy_pass http://[::1]:8888;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection “upgrade”;

Request without Upgrade header will redirect to, behave like a normal site. Request with Upgrade is send by obfs-local, so proxy_pass to obfs-server. Maybe you need configure firewall_. For_ firewalld_:_

firewall-cmd –permanent –add-service http
firewall-cmd –add-service http

Client config


Install shadowsocks-libev, simple-obfs:

brew install shadowsocks-libev simple-obfs

Configure it:

$ cat /usr/local/etc/shadowsocks-libev.json
“server”: “”,
“server_port”: 80,
“password”: “Password”,
“local_port”: 1080,
“method”: “salsa20”,
“timeout”: 600,
“fast_open”: true,
“plugin”: “/usr/local/bin/obfs-local”,
“plugin_opts”: “obfs=http;;fast-open=true”

Start ss-local:

brew services start shadowsocks-libev

You can now use as socks5 proxy.


You need install shadowsocks-android, and simple-obfs-android. Configure it:


  • You can use CDN that support WebSocket as a middle reverse proxy. for example, Cloudflare, 加速乐 by 知道创宇.
  • You can put your site and obfs under same domain.

Shadowsocks + simple-obfs + IPv6 [CentOS 7]


Robert Lu





Robert Lu