shadowsocks-rust服务端搭建

前言

shadowsocks-rust支持TCP/UDP中继、拥有更好的并发性能、并且维护活跃，故使用 shadowsocks-rust 是当前搭建 Shadowsocks 服务的最佳选择之一

项目维护地址：shadowsocks-rust

安装

下载地址

wget https://github.com/shadowsocks/shadowsocks-rust/releases/download/v1.23.5/shadowsocks-v1.23.5.x86_64-unknown-linux-gnu.tar.xz
tar -xf shadowsocks-v1.23.5.x86_64-unknown-linux-gnu.tar.xz

移动到/usr/local/bin

sudo mv ssserver /usr/local/bin

创建配置文件

sudo mkdir -p /etc/shadowsocks-rust
sudo vim /etc/shadowsocks-rust/config.json

写入：

{
    "server": ["::"],
    "mode": "tcp_and_udp",
    "server_port": 8388,
    "password": "YourStrongPasswordHere",
    "timeout": 300,
    "method": "chacha20-ietf-poly1305",
    "fast_open": false
}

配置系统服务（systemd）

为了让 ssserver 在后台稳定运行并在系统启动时自动启动，我们创建服务文件

创建一个专用用户（安全）

# 创建一个名为 'ssserver' 的系统用户，不创建家目录，并禁止登录
sudo useradd -r -s /usr/sbin/nologin ssserver

# 修改配置文件的所有权给这个新用户
sudo chown -R ssserver:ssserver /etc/shadowsocks-rust/

创建服务文件

sudo vim /etc/systemd/system/shadowsocks-rust.service

写入：

[Unit]
Description=Shadowsocks-Rust Server
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/ssserver -c /etc/shadowsocks-rust/config.json
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
RestartSec=10

# Security hardening
User=ssserver
Group=ssserver
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target

启动并起用服务：

# 重新加载 systemd 配置
sudo systemctl daemon-reload

# 启动服务
sudo systemctl start shadowsocks-rust

# 设置开机自启
sudo systemctl enable shadowsocks-rust

# 检查服务状态，确认正在运行
sudo systemctl status shadowsocks-rust

客户端配置

proxies:
  - {name: Server, type: ss, server: yourip, port: 8388, cipher: chacha20-ietf-poly1305, password: 'xxxxx', udp: true}

proxies:
  - name: "Server"
    type: ss
    server: "yourip"
    port: 8388
    cipher: chacha20-ietf-poly1305
    password: "xxxxxxxx"
    udp: true

nginx反代+cdn加速

需要插件：v2ray-plugin

ss节点配置/etc/shadowsocks-rust/config.json示例：

{
    "server": "127.0.0.1", // 修改为只监听本地连接
    "server_port": 8388,
    "password": "YourStrongPasswordHere",
    "timeout": 300,
    "method": "chacha20-ietf-poly1305",
    "mode": "tcp_and_udp",
    "fast_open": false,
    "plugin": "/etc/shadowsocks-rust/v2ray-plugin", // 指定使用 v2ray-plugin
    "plugin_opts": "server;path=/xxxxxx" // 设置 插件为服务器模式，并指定一个隐蔽的路径
}

nginx配置示例：

# --- 主配置：处理 HTTPS 和 WebSocket 流量 ---
server {
    # SSL 默认访问端口号为 443
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # 绑定证书的域名
    server_name your-domain;

    # --- SSL 证书配置 ---
    # 请将下面的文件名替换成您真实的文件名
    ssl_certificate /etc/nginx/ssl/xxx.crt;
    ssl_certificate_key /etc/nginx/ssl/xxx.key;

    # 推荐的 SSL 安全设置
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;

    # 根目录，用于伪装
    root /var/www/html;

    # --- WebSocket 流量转发规则 ---
    # 这里的路径必须与您 Shadowsocks-rust 配置文件中的路径完全一致
    location /xxxxx {
        proxy_pass http://127.0.0.1:8388; # 转发到 ssserver + v2ray-plugin 
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

客户端配置：

- {name: Server-ss, type: ss, server: your-domain, port: 443, cipher: chacha20-ietf-poly1305, password: "YourStrongPasswordHere", udp: true, plugin: v2ray-plugin, plugin-opts: {mode: websocket, tls: true, host: your-domain, path: "/xxxxx"}}

- name: Server-ss
  type: ss
  server: your-domain
  port: 443
  cipher: chacha20-ietf-poly1305
  password: "YourStrongPasswordHere"
  udp: true
  plugin: v2ray-plugin
  plugin-opts:
    mode: websocket
    tls: true
    host: your-domain
    path: "/xxxxx"