shoes is a multi-protocol proxy server written in Rust.
- HTTP/HTTPS (TCP, QUIC)
- SOCKS5 (TCP, QUIC)
- Vmess (TCP, QUIC, UDP-over-TCP)
  - AEAD and Legacy modes
  - Supported ciphers:
    - aes-128-gcm
    - chacha20-poly1305
- Vless (TCP, QUIC, UDP-over-TCP)
- Snell v3 (TCP, QUIC, UDP-over-TCP)
  - Supported ciphers:
    - aes-128-gcm
    - aes-256-gcm
    - chacha20-ietf-poly1305
- Shadowsocks (TCP, QUIC)
  - Supported ciphers:
    - aes-128-gcm
    - aes-256-gcm
    - chacha20-ietf-poly1305
    - 2022-blake3-aes-128-gcm
    - 2022-blake3-aes-256-gcm
    - 2022-blake3-chacha20-ietf-poly1305
- Trojan (TCP, QUIC)
  - Supported ciphers:
    - aes-128-gcm
    - aes-256-gcm
    - chacha20-ietf-poly1305
- Hysteria2 (QUIC)
- TUIC v5 (QUIC)
All supported protocols can be combined with the following features:
- TLS support with SNI based forwarding
- Websocket obfs (Shadowsocks SIP003)
- ShadowTLS v3
- Upstream proxy support: route connections through other proxy servers
- Forwarding rules: Redirect or block connections based on target IP or hostname
- Hot reloading: Updated configs are automatically reloaded
- Netmask and proxy groups
For advanced access control of incoming connections (e.g. IP allowlists/blocklists), check out tobaru.
Here's an example of running a WSS vmess and shadowsocks server, with all requests routed through a SOCKS proxy:
```yaml
# Listen on all IPv4 interfaces, port 443 (HTTPS)
- address: 0.0.0.0:443
  transport: tcp
  # Use TLS as the first protocol layer
  protocol:
    type: tls
    # Set a default target, for any (or no) SNI
    default_target:
      cert: cert.pem
      key: key.pem
      # ..which goes to a websocket server
      protocol:
        type: ws
        # .. where we have different supported proxy protocols, based on HTTP request path and headers.
        targets:
          - matching_path: /vmess
            matching_headers:
              X-Secret-Key: "secret"
            protocol:
              type: vmess
              # allow any cipher, which means: none, aes-128-gcm, or chacha20-poly1305.
              cipher: any
              user_id: b0e80a62-8a51-47f0-91f1-f0f7faf8d9d4
          - matching_path: /shadowsocks
            protocol:
              type: shadowsocks
              cipher: 2022-blake3-aes-256-gcm
              password: Hax8btYlNao5qcaN/l/NUl9JgbwapfqG5QyAtH+aKPg=
    # Set a ShadowTLS v3 target by SNI
    shadowtls_targets:
      google.com:
        # ShadowTLS password
        password: 83a44859c0e7fbb589b
        # Configure handshake server.
        handshake:
          address: google.com:443
          # Use the local SOCKS server to connect to the handshake server.
          client_proxies:
            - address: 127.0.0.1:1080
              protocol:
                type: socks
                username: socksuser
                password: secretpass
  rules:
    # Allow clients to connect to all IPs
    - mask: 0.0.0.0/0
      action: allow
      # Forward all requests through a local SOCKS server.
      client_proxy:
        address: 127.0.0.1:5000
        protocol:
          type: socks
          username: socksuser
          password: secretpass
```
For other YAML config examples, see the examples directory.
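The `2022-blake3-*` Shadowsocks ciphers take a base64-encoded key of fixed size as `password` rather than a passphrase: 16 bytes for aes-128-gcm, 32 bytes for the other two, per the Shadowsocks 2022 specification. The following is an added example, not shoes code, with illustrative function names: a std-only Rust check for such a cipher/password pair before it goes into a config.

```rust
// Added example, not shoes source; function names are illustrative.
/// Key size in bytes for the 2022-blake3 ciphers listed above.
fn required_key_len(cipher: &str) -> Option<usize> {
    match cipher {
        "2022-blake3-aes-128-gcm" => Some(16),
        "2022-blake3-aes-256-gcm" | "2022-blake3-chacha20-ietf-poly1305" => Some(32),
        _ => None, // older ciphers derive the key from a passphrase
    }
}

/// Strict padded base64 decoder (standard alphabet), std only.
fn b64_decode(s: &str) -> Option<Vec<u8>> {
    let b = s.as_bytes();
    let pad = b.iter().rev().take_while(|&&c| c == b'=').count();
    if b.is_empty() || b.len() % 4 != 0 || pad > 2 { return None; }
    let mut out = Vec::with_capacity(b.len() / 4 * 3);
    for (i, chunk) in b.chunks(4).enumerate() {
        let mut acc: u32 = 0;
        for (j, &c) in chunk.iter().enumerate() {
            let v = match c {
                b'A'..=b'Z' => c - b'A',
                b'a'..=b'z' => c - b'a' + 26,
                b'0'..=b'9' => c - b'0' + 52,
                b'+' => 62,
                b'/' => 63,
                b'=' if i * 4 + j >= b.len() - pad => 0, // trailing padding only
                _ => return None,
            };
            acc = (acc << 6) | u32::from(v);
        }
        out.extend_from_slice(&acc.to_be_bytes()[1..]);
    }
    out.truncate(out.len() - pad);
    Some(out)
}

/// Err(reason) if `password` is not a correctly sized base64 key for a 2022 cipher.
fn check_ss2022_key(cipher: &str, password: &str) -> Result<(), String> {
    let Some(want) = required_key_len(cipher) else { return Ok(()) };
    let key = b64_decode(password).ok_or("password is not valid base64")?;
    if key.len() != want {
        return Err(format!("{cipher} needs a {want}-byte key, got {}", key.len()));
    }
    Ok(())
}

fn main() {
    // Cipher/password pair taken from the example config above.
    println!("{:?}", check_ss2022_key("2022-blake3-aes-256-gcm", "Hax8btYlNao5qcaN/l/NUl9JgbwapfqG5QyAtH+aKPg="));
}
```

The key in the example config is published in this README, so a real deployment needs a freshly generated random key of the same length.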
Precompiled binaries for x86_64 and Apple aarch64 are available on GitHub Releases.
Otherwise, if you have a fairly recent Rust and cargo installation on your system, shoes can be installed with `cargo`.

```bash
cargo install shoes
```

```
shoes [OPTIONS] <YAML CONFIG PATH> [YAML CONFIG PATH] [..]

OPTIONS:
    -t, --threads NUM
        Set the number of worker threads. This usually defaults to the number of CPUs.
    -d, --dry-run
        Parse the config and exit.
```
See CONFIG.md for the YAML config format. You can also refer to the examples, or open an issue if you need help.
- Proxy client chaining
- SOCKS and Shadowsocks UDP support
- shadowsocks/shadowsocks-rust: A Rust port of shadowsocks
- v2ray/v2ray-core: A full-featured proxy platform written in Go
- ihciah/shadow-tls: A proxy to expose real TLS handshake to the firewall
- apernet/hysteria: Hysteria is a powerful, lightning fast and censorship resistant proxy
- tuic-protocol/tuic: Delicately-TUICed 0-RTT proxy protocol