Awesome
Outline ss-server
This repository has the Shadowsocks backend used by the Outline Server.
The Outline Shadowsocks service allows for:
- Multiple users on a single port.
- Does so by trying all the different credentials until one succeeds.
- Multiple ports
- Whitebox monitoring of the service using prometheus.io
- Includes traffic measurements and other health indicators.
- Live updates via config change + SIGHUP
- Replay defense (add
--replay_history 10000
). See PROBES for details.
How to run it
Call the outline-ss-server
command with the recommended flags, as done by the official Outline Server:
outline-ss-server -replay_history=10000 -metrics=127.0.0.1:9091 -config=$CONFIG_YML -ip_country_db=$COUNTRY_MMDB -ip_asn_db=$ASN_MMDB
Flags:
replay_history
: Enables replay protection for the last 10000 connections.metrics
: Where the webserver exposing the Prometheus metrics will listen on. You should specify localhost so it's not accessible from outside the machine, unless you know what you are doing.config
: The config file with the access keys. See the config example.ip_country_db
: The IP-Country MMDB file to enable per-country metrics breakdown.ip_asn_db
: The IP-ASN MMDB file to enable per-country metrics breakdown.
In the example, you can open https://127.0.0.1:9091 on your browser to see the exported Prometheus metrics.
To fetch and update MMDB files from DB-IP, you can do something like the update_mmdb.sh from the Outline Server.
Full Working Example: Try It!
Download the Prometheus binary.
Run the server
On Terminal 1, from the repository directory, build and start the SS server:
go run ./cmd/outline-ss-server -config cmd/outline-ss-server/config_example.yml -metrics localhost:9091 --replay_history=10000
In production, you may want to specify -ip_country_db
to get per-country metrics. See how the Outline Server calls outline-ss-server.
Run the Prometheus scraper for metrics collection
On Terminal 2, start prometheus scraper for metrics collection:
prometheus --config.file=cmd/outline-ss-server/prometheus_example.yml
Run the SOCKS-to-Shadowsocks client
On Terminal 3, start the SS client:
go run github.com/shadowsocks/go-shadowsocks2@latest -c ss://chacha20-ietf-poly1305:Secret0@:9000 -verbose -socks localhost:1080
Fetch a page over Shadowsocks
On Terminal 4, fetch a page using the SS client:
curl --proxy socks5h://localhost:1080 example.com
Stop and restart the client on Terminal 3 with "Secret1" as the password and try to fetch the page again on Terminal 4.
Check the metrics
Open http://localhost:9091/metrics and see the exported Prometheus variables.
Open http://localhost:9090/ and see the Prometheus server dashboard.
Performance Testing
Start the iperf3 server (runs on port 5201 by default):
iperf3 -s
Start the SS server (listening on port 9000):
go run ./cmd/outline-ss-server -config cmd/outline-ss-server/config_example.yml
Start the SS tunnel to redirect port 8000 -> localhost:5201 via the proxy on 9000:
go run github.com/shadowsocks/go-shadowsocks2@latest -c ss://chacha20-ietf-poly1305:Secret0@:9000 -tcptun ":8000=localhost:5201" -udptun ":8000=localhost:5201" -verbose
Test TCP upload (client -> server):
iperf3 -c localhost -p 8000
Test TCP download (server -> client):
iperf3 -c localhost -p 8000 --reverse
Test UDP upload:
iperf3 -c localhost -p 8000 --udp -b 0
Test UDP download:
iperf3 -c localhost -p 8000 --udp -b 0 --reverse
Compare to go-shadowsocks2
Run the commands above, but start the SS server with
go run github.com/shadowsocks/go-shadowsocks2 -s ss://chacha20-ietf-poly1305:Secret0@:9000 -verbose
Compare to shadowsocks-libev
Start the SS server (listening on port 10001):
ss-server -s localhost -p 10001 -m chacha20-ietf-poly1305 -k Secret1 -u -v
Start the SS tunnel to redirect port 10002 -> localhost:5201 via the proxy on 10001:
ss-tunnel -s localhost -p 10001 -m chacha20-ietf-poly1305 -k Secret1 -l 10002 -L localhost:5201 -u -v
Run the iperf3 client tests listed above on port 10002.
You can mix and match the libev and go servers and clients.
Tests and Benchmarks
To run the tests and benchmarks, call:
go run github.com/go-task/task/v3/cmd/task test
You can benchmark the cipher finding code with
go test -cpuprofile cpu.prof -memprofile mem.prof -bench . -benchmem -run=^$ github.com/Jigsaw-Code/outline-ss-server/shadowsocks
You can inspect the CPU or memory profiles with go tool pprof cpu.prof
or go tool pprof mem.prof
, and then enter web
on the prompt.
Release
We use GoReleaser to build and upload binaries to our GitHub releases.
Summary:
-
Test the build locally:
go run github.com/go-task/task/v3/cmd/task release-local
-
Export an environment variable named
GITHUB_TOKEN
with a temporary repo-scoped GitHub token (create one here):read -s -p "Type your Github token:" GITHUB_TOKEN export GITHUB_TOKEN
-
Create a new tag and push it to GitHub e.g.:
git tag v1.0.0 git push origin v1.0.0
-
Build and upload:
go run github.com/go-task/task/v3/cmd/task release
-
Go to https://github.com/Jigsaw-Code/outline-ss-server/releases, review and publish the release.
-
Delete the Github token you created for the release on the Personal Access Tokens page.
Full instructions in GoReleaser's Quick Start (jump to the section starting "You’ll need to export a GITHUB_TOKEN environment variable").