shoes is a multi-protocol proxy server written in Rust.
- HTTP/HTTPS (TCP, QUIC)
- SOCKS5 (TCP, QUIC)
- Vmess (TCP, QUIC, UDP-over-TCP)
- AEAD and Legacy modes
- Supported ciphers:
- aes-128-gcm
- chacha20-poly1305
- Vless (TCP, QUIC)
- Snell v3 (TCP, QUIC, UDP-over-TCP)
- Supported ciphers:
- aes-128-gcm
- aes-256-gcm
- chacha20-ietf-poly1305
- Supported ciphers:
- Shadowsocks (TCP, QUIC)
- Supported ciphers:
- aes-128-gcm
- aes-256-gcm
- chacha20-ietf-poly1305
- 2022-blake3-aes-128-gcm
- 2022-blake3-aes-256-gcm
- 2022-blake3-chacha20-ietf-poly1305
- Supported ciphers:
- Trojan (TCP, QUIC)
- Supported ciphers:
- aes-128-gcm
- aes-256-gcm
- chacha20-ietf-poly1305
- Supported ciphers:
All supported protocols can be combined with the following features:
- TLS support with SNI based forwarding
- Websocket obfs (Shadowsocks SIP003)
- Upstream proxy support: route connections through other proxy servers
- Forwarding rules: Redirect or block connections based on target IP or hostname
- Hot reloading: Updated configs are automatically reloaded
- Netmask and proxy groups
For advanced access control of incoming connections (eg. IP allowlist/blocklists), check out tobaru.
Here's an example of running a WSS vmess and shadowsocks server, with all requests routed through a SOCKS proxy:
# Listen on all IPv4 interfaces, port 443 (HTTPS)
- address: 0.0.0.0:443
transport: tcp
# Use TLS as the first protocol layer
protocol:
type: tls
# Set a default target, for any (or no) SNI
default_target:
cert: cert.pem
key: key.pem
# ..which goes to a websocket server
protocol:
type: ws
# .. where we have different supported proxy protocols, based on HTTP request path and headers.
targets:
- matching_path: /vmess
matching_headers:
X-Secret-Key: "secret"
protocol:
type: vmess
# allow any cipher, which means: none, aes-128-gcm, or chacha20-poly1305.
cipher: any
user_id: b0e80a62-8a51-47f0-91f1-f0f7faf8d9d4
- matching_path: /shadowsocks
protocol:
type: shadowsocks
cipher: 2022-blake3-aes-256-gcm
password: Hax8btYlNao5qcaN/l/NUl9JgbwapfqG5QyAtH+aKPg=
rules:
# Allow clients to connect to all IPs
- mask: 0.0.0.0/0
action: allow
# Forward all requests through a local SOCKS server.
client_proxy:
address: 127.0.0.1:5000
protocol:
type: socks
username: socksuser
password: secretpass
For other YAML config examples, see the examples directory.
Precompiled binaries for x86_64 and Apple aarch64 are available on Github Releases.
Else, if you have a fairly recent Rust and cargo installation on your system, shoes can be installed with cargo
.
cargo install shoes
shoes [OPTIONS] <YAML CONFIG PATH> [YAML CONFIG PATH] [..]
OPTIONS:
-t, --threads NUM
Set the number of worker threads. This usually defaults to the number of CPUs.
-d, --dry-run
Parse the config and exit.
Sorry, formal documentation for the YAML config format have not yet been written. You can refer to the examples, or open an issue if you need help.
- Proxy client chaining
- SOCKS and Shadowsocks UDP support
-
shadowsocks-rust: A Rust port of shadowsocks
-
v2ray-core: A full-featured proxy platform written in Go