577 lines
13 KiB
Markdown
577 lines
13 KiB
Markdown
# Presets
|
|
|
|
Presets are chaining and composable, built-in presets are listed here. If you want to customize a new preset, feel free to read [this](../development/architecture#preset) first.
|
|
|
|
## Table of Contents
|
|
|
|
**functional**
|
|
|
|
* [proxy](#proxy)
|
|
* [tunnel](#tunnel)
|
|
* [stats](#stats)
|
|
* [tracker](#tracker)
|
|
|
|
**shadowsocks**
|
|
|
|
* [ss-base](#ss-base)*
|
|
* [ss-stream-cipher](#ss-stream-cipher)
|
|
* [ss-aead-cipher](#ss-aead-cipher)
|
|
|
|
**obfuscator**
|
|
|
|
* [obfs-random-padding](#obfs-random-padding)
|
|
* [obfs-http](#obfs-http)
|
|
* [obfs-tls1.2-ticket](#obfs-tls1.2-ticket)
|
|
|
|
**experimental**
|
|
|
|
* [exp-base-with-padding](#exp-base-with-padding)*
|
|
* [exp-base-auth-stream](#exp-base-auth-stream)*
|
|
* [exp-compress](#exp-compress)
|
|
|
|
**others**
|
|
|
|
* [aead-random-cipher](#aead-random-cipher)
|
|
|
|
### NOTICE
|
|
|
|
> You **MUST** put preset signed with * to the first in presets list if you
|
|
want to relay data to blinksocks server.
|
|
|
|
## [proxy]
|
|
|
|
This preset turns blinksocks to a proxy server, works on both client and server side.
|
|
|
|
* For client side, this preset is **added by default** on **client side**, so you don't have to put it into preset list if you are setting up a proxy service.
|
|
* For server side, this preset is useful to setup a network middleware(act as Man-in-the-middle) to do traffic analysis.
|
|
|
|
For example, setup a local proxy server using **blinksocks server** at 1080:
|
|
|
|
```
|
|
// blinksocks.server.json
|
|
{
|
|
"host": "localhost",
|
|
"port": 1080,
|
|
"presets": [{
|
|
"name": "proxy"
|
|
}],
|
|
...
|
|
}
|
|
```
|
|
|
|
```
|
|
applications <---Socks/HTTP---> [blinksocks server] <------> destinations
|
|
```
|
|
|
|
```
|
|
$ blinksocks --config blinksocks.server.json
|
|
$ curl -L --socks5-hostname localhost:1080 https://www.bing.com
|
|
```
|
|
|
|
## [tunnel]
|
|
|
|
This proxy does not use any proxy protocols, just proxy original traffic to a permanent destination.
|
|
|
|
| PARAMS | DESCRIPTION | DEFAULT |
|
|
| :------------- | :--------------- | :------ |
|
|
| host(optional) | destination host | - |
|
|
| port(optional) | destination port | - |
|
|
|
|
```
|
|
// blinksocks.client.json
|
|
{
|
|
"host": "localhost",
|
|
"port": 1080,
|
|
"servers": [{
|
|
"enabled": true,
|
|
"host": "localhost",
|
|
"port": 1081,
|
|
"presets": [{
|
|
"name": "tunnel",
|
|
"params": {
|
|
"host": "localhost",
|
|
"port": "1082"
|
|
}
|
|
}],
|
|
...
|
|
}],
|
|
...
|
|
}
|
|
```
|
|
|
|
```
|
|
applications <----> [blinksocks client] <----> [blinksocks server] <----> localhost:1082
|
|
(iperf -c) localhost:1080 localhost:1081 (iperf -s)
|
|
```
|
|
|
|
In this case, it's useful to test network performance between client and server using [iperf](https://en.wikipedia.org/wiki/Iperf).
|
|
|
|
## [stats]
|
|
|
|
This preset perform statistics among traffic via this preset, you can put it anywhere in preset list to obtain **summary/instant/process** information of specific preset traffic. This preset has no side-effect to the traffic through it.
|
|
|
|
| PARAMS | DESCRIPTION | DEFAULT |
|
|
| :-------------- | :--------------------------- | :------ |
|
|
| save_to | path to the result json file | - |
|
|
| sample_interval | sample interval in seconds | 30 |
|
|
| save_interval | save interval in seconds | 60 |
|
|
|
|
```
|
|
"presets": [{
|
|
"name": "ss-base"
|
|
}, {
|
|
"name": "ss-stream-cipher",
|
|
"params": {
|
|
"method": "aes-256-cfb"
|
|
}
|
|
}, {
|
|
"name": "stats",
|
|
"params": {
|
|
"save_to": "stats.json",
|
|
"sample_interval": 1,
|
|
"save_interval": 10
|
|
}
|
|
}]
|
|
```
|
|
|
|
```
|
|
// stats.json
|
|
{
|
|
"sample": {
|
|
"from": 1503920985192,
|
|
"to": 1503921026263,
|
|
"duration": 41071
|
|
},
|
|
"summary": {
|
|
"maxOutSpeed": 105254,
|
|
"maxInSpeed": 158,
|
|
"maxConnections": 2,
|
|
"totalOutBytes": 130360,
|
|
"totalOutPackets": 34,
|
|
"totalInBytes": 314,
|
|
"totalInPackets": 2,
|
|
"totalBytes": 130674,
|
|
"totalPackets": 36,
|
|
"totalErrors": 0
|
|
},
|
|
"instant": {
|
|
"outSpeed": 0,
|
|
"inSpeed": 0,
|
|
"totalConnections": 0,
|
|
"errorRate": 0,
|
|
"outBytesPerSecond": 3174.0157288597798,
|
|
"outPacketsPerSecond": 0.8278347252319155,
|
|
"inBytesPerSecond": 7.645297168318279,
|
|
"inPacketsPerSecond": 0.04869616030775974,
|
|
"totalBytesPerSecond": 3181.6610260280977,
|
|
"totalPacketsPerSecond": 0.8765308855396753
|
|
},
|
|
"process": {
|
|
"upTime": 42.067,
|
|
"cpuUsage": {
|
|
"user": 1219598,
|
|
"system": 96237
|
|
},
|
|
"memoryUsage": {
|
|
"rss": 54575104,
|
|
"heapTotal": 28311552,
|
|
"heapUsed": 21701240,
|
|
"external": 3688374
|
|
}
|
|
}
|
|
}
|
|
```
|
|
|
|
## [tracker]
|
|
|
|
Track data send/receive events via this preset, and print a part of them after connection closed.
|
|
|
|
```
|
|
"presets": [
|
|
...
|
|
{"name": "tracker"},
|
|
...
|
|
]
|
|
```
|
|
|
|
And you can get the track message in your terminal and log files:
|
|
|
|
```
|
|
[tracker] summary(out/in = 14/9, 5191b/3431b) abstract(127.0.0.1:55566 play.google.com:443 u 555 d 394 u 616 d 165 u 221 156 934 795 d 74 u 43 d 1201 u 51 174 531 d 51 573 u 51 172 841 d 51 854 u 51 d 68)
|
|
```
|
|
|
|
## [ss-base]
|
|
|
|
This is a very basic preset which delivers the real destination address from client to server.
|
|
|
|
```
|
|
"presets": [
|
|
{"name": "ss-base"}
|
|
]
|
|
```
|
|
|
|
## [ss-stream-cipher]
|
|
|
|
The shadowsocks's [stream cipher](https://shadowsocks.org/en/spec/Stream-Ciphers.html).
|
|
|
|
| PARAMS | DESCRIPTION | DEFAULT |
|
|
| :-------- | :------------------------------- | :------ |
|
|
| method | encryption and decryption method | - |
|
|
|
|
`method` can be one of:
|
|
|
|
aes-128-ctr, aes-192-ctr, aes-256-ctr,
|
|
|
|
aes-128-cfb, aes-192-cfb, aes-256-cfb,
|
|
|
|
camellia-128-cfb, camellia-192-cfb, camellia-256-cfb
|
|
|
|
```
|
|
"presets": [
|
|
{
|
|
"name": "ss-base"
|
|
},
|
|
{
|
|
"name": "ss-stream-cipher",
|
|
"params": {
|
|
"method": "camellia-256-cfb"
|
|
}
|
|
}
|
|
]
|
|
```
|
|
|
|
## [ss-aead-cipher]
|
|
|
|
The shadowsocks's [aead cipher](https://shadowsocks.org/en/spec/AEAD-Ciphers.html).
|
|
|
|
| PARAMS | DESCRIPTION | DEFAULT |
|
|
| :-------- | :------------------------------- | :------ |
|
|
| method | encryption and decryption method | - |
|
|
| info | a string to generate subkey | - |
|
|
|
|
`method` can be one of:
|
|
|
|
aes-128-gcm, aes-192-gcm, aes-256-gcm
|
|
|
|
If you want to work with shadowsocks client/server, the `info` must be **"ss-subkey"** without quotes.
|
|
Otherwise, it can be any string.
|
|
|
|
```
|
|
"presets": [
|
|
{
|
|
"name": "ss-base"
|
|
},
|
|
{
|
|
"name": "ss-aead-cipher",
|
|
"params": {
|
|
"method": "aes-256-gcm",
|
|
"info": "ss-subkey"
|
|
}
|
|
}
|
|
]
|
|
```
|
|
|
|
|
|
## [obfs-random-padding]
|
|
|
|
A simple obfuscator to significantly randomize the length of each packet. It can be used to prevent statistical analysis based on packet length.
|
|
|
|
```
|
|
"presets": [
|
|
{
|
|
"name": "ss-base"
|
|
},
|
|
{
|
|
"name": "obfs-random-padding"
|
|
},
|
|
{
|
|
"name": "ss-stream-cipher",
|
|
"params": {
|
|
"method": "aes-256-ctr"
|
|
}
|
|
}
|
|
]
|
|
```
|
|
|
|
## [obfs-http]
|
|
|
|
A http obfuscator, the first round after TCP handshake will wrap data within a random http header
|
|
selected from a text file.
|
|
|
|
| PARAMS | DESCRIPTION | DEFAULT |
|
|
| :-------- | :-------------------------------------------- | :------ |
|
|
| file | a text file which contains HTTP header paris. | - |
|
|
|
|
`file` for example:
|
|
|
|
```
|
|
======================
|
|
GET / HTTP/1.1
|
|
Host: bing.com
|
|
Accept: */*
|
|
----------------------
|
|
HTTP/1.1 200 OK
|
|
Content-Type: text/plain
|
|
======================
|
|
POST /login HTTP/1.1
|
|
Host: login.live.com
|
|
Content-type: application/json
|
|
----------------------
|
|
HTTP/1.1 200 OK
|
|
======================
|
|
```
|
|
|
|
```
|
|
"presets": [
|
|
{
|
|
"name": "ss-base"
|
|
},
|
|
{
|
|
"name": "obfs-http",
|
|
"params": {
|
|
"file": "path/to/fake.txt"
|
|
}
|
|
}
|
|
]
|
|
```
|
|
|
|
## [obfs-tls1.2-ticket]
|
|
|
|
A TLS1.2 obfuscator, do TLS handshake using SessionTicket TLS mechanism, transfer data inside of Application Data.
|
|
|
|
| PARAMS | DESCRIPTION | DEFAULT |
|
|
| :-------- | :--------------------------------------------------------------- | :------ |
|
|
| sni | [Server Name Indication], a server name or a list of server name | - |
|
|
|
|
```
|
|
"presets": [
|
|
{
|
|
"name": "ss-base"
|
|
},
|
|
{
|
|
"name": "obfs-tls1.2-ticket",
|
|
"params": {
|
|
"sni": ["cloudfront.net"]
|
|
}
|
|
}
|
|
]
|
|
```
|
|
|
|
## [exp-base-with-padding]
|
|
|
|
An **experimental** and advanced preset based on [ss-base], **SHOULD BE** used with ciphers in **cfb** operation mode.
|
|
It can prevent address from being tampered.
|
|
|
|
**NOTE**: Using [exp-base-with-padding] with non-cfb ciphers will lose protection.
|
|
|
|
| PARAMS | DESCRIPTION | DEFAULT |
|
|
| :-------- | :------------------------------ | :------ |
|
|
| salt | a string for generating padding | - |
|
|
|
|
```
|
|
"presets": [{
|
|
"name": "exp-base-with-padding",
|
|
"params": {
|
|
"salt": "any string"
|
|
}
|
|
}, {
|
|
"name": "ss-stream-cipher",
|
|
"params": {
|
|
"method": "aes-256-cfb"
|
|
}
|
|
}]
|
|
```
|
|
|
|
## [exp-base-auth-stream]
|
|
|
|
An **experimental** preset combines HMAC and stream encryption. HMAC only guarantees integrity for addressing part.
|
|
|
|
| PARAMS | DESCRIPTION | DEFAULT |
|
|
| :-------- | :------------------------------- | :------ |
|
|
| method | encryption and decryption method | - |
|
|
|
|
`method` can be one of:
|
|
|
|
aes-128-ctr, aes-192-ctr, aes-256-ctr,
|
|
|
|
aes-128-cfb, aes-192-cfb, aes-256-cfb,
|
|
|
|
camellia-128-cfb, camellia-192-cfb, camellia-256-cfb
|
|
|
|
```
|
|
"presets": [{
|
|
"name": "exp-base-auth-stream",
|
|
"params": {
|
|
"method": "aes-256-cfb"
|
|
}
|
|
}]
|
|
```
|
|
|
|
## [exp-compress]
|
|
|
|
An **experimental** to do stream compression/decompression. **Use with caution.**
|
|
|
|
| PARAMS | DESCRIPTION | DEFAULT |
|
|
| :-------- | :----------------------------------- | :------ |
|
|
| method | compression and decompression method | - |
|
|
|
|
`method` can be one of:
|
|
|
|
gzip, deflate
|
|
|
|
```
|
|
"presets": [
|
|
{"name": "ss-base"},
|
|
{"name": "exp-compress", "params": {"method": "deflate"}}
|
|
]
|
|
```
|
|
|
|
## [aead-random-cipher]
|
|
|
|
This preset is based on **ss-aead-cipher**, but added random padding in the front of **each chunk**. This preset inherited
|
|
all features from **ss-aead-cipher** and prevent server from being detected by packet length statistics analysis.
|
|
|
|
| PARAMS | DESCRIPTION | DEFAULT |
|
|
| :--------------- | :--------------------------------------- | :------ |
|
|
| method | encryption and decryption method | - |
|
|
| info | a string to generate subkey | - |
|
|
| factor(optional) | random padding length = (0-255) * factor | 2 |
|
|
|
|
```
|
|
"presets": [
|
|
{
|
|
"name": "exp-base-with-padding",
|
|
"params": {
|
|
"salt": "any string"
|
|
}
|
|
},
|
|
{
|
|
"name": "aead-random-cipher",
|
|
"params": {
|
|
"method": "aes-256-gcm",
|
|
"info": "bs-subkey",
|
|
"factor": 2
|
|
}
|
|
}
|
|
]
|
|
```
|
|
|
|
# Recommended Combinations
|
|
|
|
## Work with shadowsocks
|
|
|
|
To work with **shadowsocks**, please choose one of the following configuration:
|
|
|
|
**Steam Ciphers(Older Versions)**
|
|
|
|
```
|
|
"presets": [{
|
|
"name": "ss-base"
|
|
}, {
|
|
"name": "ss-stream-cipher",
|
|
"params": {
|
|
"method": "aes-256-cfb"
|
|
}
|
|
}]
|
|
```
|
|
|
|
**AEAD Ciphers(Newer Versions)**
|
|
|
|
```
|
|
"presets": [{
|
|
"name": "ss-base"
|
|
}, {
|
|
"name": "ss-aead-cipher",
|
|
"params": {
|
|
"method": "aes-256-gcm",
|
|
"info": "ss-subkey"
|
|
}
|
|
}]
|
|
```
|
|
|
|
Please also check out [#27](https://github.com/blinksocks/blinksocks/issues/27) for ciphers we've already implemented.
|
|
|
|
## Avoid QoS
|
|
|
|
You can use **http** or **tls** obfuscator to avoid bad [QoS], **tls** is recommended.
|
|
|
|
```
|
|
"presets": [{
|
|
"name": "ss-base"
|
|
}, {
|
|
"name": "ss-aead-cipher",
|
|
"params": {
|
|
"method": "aes-256-gcm",
|
|
"info": "ss-subkey"
|
|
}
|
|
}, {
|
|
"name": "obfs-tls1.2-ticket",
|
|
"params": {
|
|
"sni": ["www.bing.com"]
|
|
}
|
|
}]
|
|
```
|
|
|
|
## To prevent length analysis and ensure integrity as well
|
|
|
|
```
|
|
"presets": [
|
|
{
|
|
"name": "ss-base"
|
|
},
|
|
{
|
|
"name": "obfs-random-padding"
|
|
},
|
|
{
|
|
"name": "ss-aead-cipher",
|
|
"params": {
|
|
"method": "aes-128-gcm",
|
|
"info": "ss-subkey"
|
|
}
|
|
}
|
|
]
|
|
```
|
|
|
|
## Try other compositions
|
|
|
|
If you don't want to encrypt all your data, just remove **cipher** preset, the followings should work:
|
|
|
|
The fastest one:
|
|
|
|
```
|
|
"presets": [{"name": "ss-base"}]
|
|
```
|
|
|
|
Make some cheat:
|
|
|
|
```
|
|
"presets": [{
|
|
"name": "ss-base"
|
|
}, {
|
|
"name": "obfs-tls1.2-ticket",
|
|
"params": {
|
|
"sni": ["www.bing.com"]
|
|
}
|
|
}]
|
|
```
|
|
|
|
> You can also check out [benchmark] to choose a combination you prefer.
|
|
|
|
[proxy]: ../../src/presets/proxy.js
|
|
[tunnel]: ../../src/presets/tunnel.js
|
|
[stats]: ../../src/presets/stats.js
|
|
[tracker]: ../../src/presets/tracker.js
|
|
[exp-compress]: ../../src/presets/exp-compress.js
|
|
[ss-base]: ../../src/presets/ss-base.js
|
|
[exp-base-with-padding]: ../../src/presets/exp-base-with-padding.js
|
|
[exp-base-auth-stream]: ../../src/presets/exp-base-auth-stream.js
|
|
[ss-stream-cipher]: ../../src/presets/ss-stream-cipher.js
|
|
[ss-aead-cipher]: ../../src/presets/ss-aead-cipher.js
|
|
[aead-random-cipher]: ../../src/presets/aead-random-cipher.js
|
|
[obfs-random-padding]: ../../src/presets/obfs-random-padding.js
|
|
[obfs-http]: ../../src/presets/obfs-http.js
|
|
[obfs-tls1.2-ticket]: ../../src/presets/obfs-tls1.2-ticket.js
|
|
[Server Name Indication]: https://en.wikipedia.org/wiki/Server_Name_Indication
|
|
[QoS]: https://en.wikipedia.org/wiki/Quality_of_service
|
|
[benchmark]: ../../docs/benchmark
|