
Add Shadowsocks gRPC Web TLS and Update Shadowsocks WSS Web TLS (#74)

* Create Shadowsocks-Websocket-Web-TLS

* Update README.md

* Update README.md

* Fixed a typo in README - zh-CN.md

* Add ss grpc web, and update ss wss web

* Use relative links

* Fix protocol mistakes, typos and change Nginx path

* Update README

* Format README-CN.md

* Correct and add punctuation to readme.md

Co-authored-by: touamano <[email protected]>
touamano 4 years ago
commit 084bb78a2f

+ 59 - 0
Shadowsocks-Websocket-Web-TLS/Domainsocket-or-Redirect-Approach/README-CN.md

@@ -0,0 +1,59 @@
+# 这是一个使用 V2Ray 作为 ss + v2ray plugin 服务端的示例
+
+> 完整的设置还需要一个 web 服务器解密 TLS 后,将请求转发给位于 127.0.0.1:10000 的 v2ray。由于 [https://guide.v2fly.org/advanced/wss_and_web.html#%E9%85%8D%E7%BD%AE](https://guide.v2fly.org/advanced/wss_and_web.html#%E9%85%8D%E7%BD%AE) 已经有了服务器的设置这里不再赘述,可以按需参考白话文教程里的 web 服务器设置。
+
+config_server_redirect.json 和 config_server_domainsocket.json 选其一。
+
+如果使用 domain socket 需要修改`/etc/systemd/system/v2ray.service`。否则由于 fhs 脚本使用的 nobody 用户的权限不够,无法在/var/run 里新建文件夹`ss-loop`而导致启动失败。
+
+> 如果使用 fhs 脚本更新版本的话,会覆盖掉 service 文件,所以更新版本后需要重复下面的操作。
+
+修改文件`/etc/systemd/system/v2rary.service`,在`[Service]`部分添加下面一行:
+
+```properties
+RuntimeDirectory=ss-loop
+```
+
+`ss-loop`对应 config.json 里的`dsSettings`部分的 path 里的文件夹`/var/run/ss-loop`
+
+修改完成后需要执行
+
+```shell
+systemctl disable v2ray.service
+systemctl enable v2ray.service
+```
+
+最后重启下 v2ray 进程
+
+```shell
+systemctl restart v2ray
+```
+
+## 客户端配置示意
+
+你应该按照服务端的设置修改对应的参数
+
+### shadowsocks windows 客户端关键部分示例如下
+
+```properties
+Server_IP: example.com or your server ip
+Server_Port: 443
+Password: ifYouWantToKeepYourPassphraseSafeChangeThis!!
+Encryption: chacha20-ietf-poly1305
+Plugin_Program: pathToYourV2ray-plugin_windows_arch.exe
+Plugin_Options: tls;mode=websocket;path=/michi;host=example.com
+```
+
+### shadowsocks Android plugin 关键部分示例如下
+
+需安装 shadowsocks 和 v2ray plugin,并搭配一同使用
+
+```properties
+Plugin: v2ray
+Configuration:
+    Transport_mode: websocket-tls
+    Hostname: example.com
+    Path: /michi
+    Concurrent_connections: 1
+    Certificate_for_TLS_verification: Not set
+```
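
Review bot: the unit path in `修改文件`/etc/systemd/system/v2rary.service`` is misspelled (the earlier paragraph correctly says `/etc/systemd/system/v2ray.service`); as written a reader edits a non-existent unit file. Also, the client examples still use `path=/michi` and `Path: /michi`, while the two server configs in this same directory are changed in this commit to `"path": "/path"`; pick one value so the README and the JSON agree, since the client's plugin path must match the server's `wsSettings.path`.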

+ 63 - 0
Shadowsocks-Websocket-Web-TLS/Domainsocket-or-Redirect-Approach/README.md

@@ -0,0 +1,63 @@
+# This is the server config.json example to utilizing V2ray as the server for Shadowsocks + V2Ray Plugin
+
+> The complete setup also requires a web server to handle the TLS and proxy pass the deciphered request to the backend v2ray server at 127.0.0.1:10000.
+> You can find the web server config example at [https://guide.v2fly.org/en_US/advanced/wss_and_web.html#server-side-configuration](https://guide.v2fly.org/en_US/advanced/wss_and_web.html#server-side-configuration).
+
+中文用户请看[这里](./README-CN.md)。
+
+Choose one of the server config `config_server_redirect.json` and `config_server_domainsocket.json`.
+
+If you choose to use `config_server_domainsocket.json`, the following extra steps are required. Since the default service file created by [`fhs-release.sh`](https://github.com/v2fly/fhs-install-v2ray) is using nobody as the runtime user, this user does not have the permission to create the `ss-loop` folder in `/var/run`.
+
+> You shall repeat the following steps after using [`fhs-release.sh`](https://github.com/v2fly/fhs-install-v2ray) scripts to upgrade v2ray-core versions each time. Since this script will always override the v2ray.service file.
+
+Use your prefered editor to modify the systemd service file at `/etc/systemd/system/v2ray.service`.\
+Add the following line to the block starting with `[Service]`.
+
+```properties
+RuntimeDirectory=ss-loop
+```
+
+`ss-loop` corresponds to the `/var/run/ss-loop` folder in the `dsSettings` inside config_server_domainsocket.json.
+
+Execute the following commands to re-enable the v2ray.service.
+
+```shell
+systemctl disable v2ray.service
+systemctl enable v2ray.service
+```
+
+Then restart the v2ray service.
+
+```shell
+systemctl restart v2ray
+```
+
+## Client configuration examples
+
+> You should change the following configurations according to your server configs.
+
+### shadowsocks windows client configuration examples
+
+```properties
+Server_IP: example.com or your server IP
+Server_Port: 443
+Password: ifYouWantToKeepYourPassphraseSafeChangeThis!!
+Encryption: chacha20-ietf-poly1305
+Plugin_Program: pathToYourV2ray-plugin_windows_arch.exe
+Plugin_Options: tls;mode=websocket;path=/michi;host=example.com
+```
+
+### shadowsocks Android plugin configuration examples
+
+> Both the shadowsocks android and the V2Ray plugin android are mandatory, they are available on Google Play Store.
+
+```properties
+Plugin: v2ray
+Configuration:
+    Transport_mode: websocket-tls
+    Hostname: example.com
+    Path: /michi
+    Concurrent_connections: 1
+    Certificate_for_TLS_verification: Not set
+```
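
Review bot: same path mismatch as the Chinese README: `path=/michi` and `Path: /michi` versus `"path": "/path"` in the configs this commit modifies. Also `prefered` should be `preferred`, and the quoted note is a fragment ("You shall repeat ... each time. Since this script will always override ..."); join it into one sentence, e.g. "... each time, since this script overwrites the v2ray.service file."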

+ 1 - 1
Shadowsocks-Websocket-Web-TLS/config_server_domainsocket.json → Shadowsocks-Websocket-Web-TLS/Domainsocket-or-Redirect-Approach/config_server_domainsocket.json

@@ -40,7 +40,7 @@
             "streamSettings": {
                 "network": "ws",
                 "wsSettings": {
-                    "path": "/michi"
+                    "path": "/path"
                 }
             }
         },
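
Review bot: changing the path to `/path` here without updating the two READMEs in the same directory (which still show `/michi`) leaves the documented client settings unable to reach this inbound; either keep `/michi` or update the READMEs in this commit. Since `config_server_redirect.json` receives the identical edit, the README should also state that this value must match the web server's `location` for the WebSocket upgrade.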

+ 1 - 1
Shadowsocks-Websocket-Web-TLS/config_server_redirect.json → Shadowsocks-Websocket-Web-TLS/Domainsocket-or-Redirect-Approach/config_server_redirect.json

@@ -40,7 +40,7 @@
             "streamSettings": {
                 "network": "ws",
                 "wsSettings": {
-                    "path": "/michi"
+                    "path": "/path"
                 }
             }
         },

+ 0 - 42
Shadowsocks-Websocket-Web-TLS/README - zh-CN.md

@@ -1,42 +0,0 @@
-# 这是一个使用 V2Ray 作为 ss + v2ray plugin 服务端的示例
-> 完整的设置还需要一个web服务器解密TLS后将请求转发给后端的v2ray位于127.0.0.1:10000。由于 https://guide.v2fly.org/advanced/wss_and_web.html#%E9%85%8D%E7%BD%AE 已经有了服务器的设置这里不再赘述,可以按需参考白话文教程里的web服务器设置。
-
-**config_server_redirect.json 和 config_server_domainsocket.json 选其一**
-
-如果使用domain socket需要修改/etc/systemd/system/v2ray.service
-在[Service]部分添加
-```
-RuntimeDirectory=ss-loop 
-```
-'ss-loop'对应config.json里的"dsSettings"部分的path里的文件夹"/var/run/ss-loop"
-
-修改完成后需要执行
-```
-systemctl disable v2ray.service
-systemctl enable v2ray.service
-```
-否则由于fhs脚本使用的nobody用户的权限不够,无法在/var/run里新建文件夹'ss-loop'而导致启动失败。
-
-## 客户端配置示意
-**你应该按照服务端的设置修改对应的参数**
-### shadowsocks windows 客户端关键部分示例如下:
-```
-Server IP: example.com
-Server Port: 443
-Password: ifYouWantToKeepYourPassphraseSafeChangeThis!!
-Encryption: chacha20-ietf-poly1305
-Plugin Program: pathToYourV2ray-plugin_windows_arch.exe
-Plugin Options: tls;mode=websocket;path=/michi;host=example.com
-```
-### shadowsocks Android plugin 关键部分示例如下:
-
-**需安装 shadowsocks 和 v2ray plugin,并搭配一同使用**
-```
-Plugin: v2ray
-Configuration:
-    Transport mode: websocket-tls
-    Hostname: example.com
-    Path: /michi
-    Concurrent connections: 1
-    Certificate for TLS verification: Not set
-```

+ 35 - 0
Shadowsocks-Websocket-Web-TLS/README-CN.md

@@ -0,0 +1,35 @@
+# 这个例子同样适用于 Shadowsocks 客户端+V2Ray-Plugins
+
+> 完整的设置还需要一个 web 服务器解密 TLS 后,将请求转发给监听在 127.0.0.1:10000 的 v2ray。由于 [https://guide.v2fly.org/advanced/wss_and_web.html#%E9%85%8D%E7%BD%AE](https://guide.v2fly.org/advanced/wss_and_web.html#%E9%85%8D%E7%BD%AE) 已经有了服务器的设置这里不再赘述,可以按需参考白话文教程里的 web 服务器设置。
+
+## 客户端配置示意
+
+你应该按照服务端的设置修改对应的参数。
+
+### shadowsocks windows 客户端关键部分示例如下
+
+> 必须设置 mux=0,否则无法正常连接服务器。如果需要使用 mux 可以参考本文件夹里的[Domainsocket or Redirect Approach](./Domainsocket-or-Redirect-Approach/)的方法。
+
+```properties
+Server_IP: example.com or your server ip
+Server_Port: 443
+Password: ifYouWantToKeepYourPassphraseSafeChangeThis!!
+Encryption: chacha20-ietf-poly1305
+Plugin_Program: pathToYourV2ray-plugin_windows_arch.exe
+Plugin_Options: mux=0;tls;mode=websocket;path=/path;host=example.com
+```
+
+### Shadowsocks Android plugin 关键部分示例如下
+
+> 需安装 shadowsocks 和 v2ray plugin,并搭配一同使用。
+> Concurrent connections 必须为 0,否则无法连接到服务器。
+
+```properties
+Plugin: v2ray
+Configuration:
+    Transport_mode: websocket-tls
+    Hostname: example.com
+    Path: /path
+    Concurrent_connections: 0
+    Certificate_for_TLS_verification: Not set
+```
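
Review bot: the README declares `mux=0` and `Concurrent_connections: 0` mandatory but gives no reason; one sentence on what breaks with mux enabled against this `config_server.json`, and why the Domainsocket-or-Redirect approach tolerates it, would keep readers from "fixing" it back to 1. `Certificate_for_TLS_verification: Not set` also deserves a sentence saying what that means for server certificate checking, so it is not read as verification being disabled.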

+ 25 - 32
Shadowsocks-Websocket-Web-TLS/README.md

@@ -1,45 +1,38 @@
-# This is the server config.json example to utilizing V2ray as the server for Shadowsocks + V2Ray Plugin
-> The complete setup also requires a web server to handle the TLS and proxy pass the deciphered request to the backend v2ray server at 127.0.0.1:10000.
-> You can find the web server example at https://guide.v2fly.org/en_US/advanced/wss_and_web.html#server-side-configuration 
+# These settings are also compatible with Shadowsocks client + V2Ray-plugin
 
-中文用户请看 Readme - zh-CN. md
+> The complete setup also requires a web server to handle the TLS and proxy pass the deciphered request to the backend v2ray server listeing on 127.0.0.1:10000.
+> You can find the web server config examples at [https://guide.v2fly.org/en_US/advanced/wss_and_web.html#server-side-configuration](https://guide.v2fly.org/en_US/advanced/wss_and_web.html#server-side-configuration).
 
-**Choose either one of config_server_redirect.json and config_server_domainsocket.json**
+中文用户请看[这里](./README-CN.md)。
 
-If you choose to use config_server_domainsocket.json remember to modify the systemd service file @ /etc/systemd/system/v2ray.service.
+## Shadowsocks client configuration examples
 
-Add the following line to the block starting with [Service]
-```
-RuntimeDirectory=ss-loop 
-```
-'ss-loop' corresponds to the "/var/run/ss-loop" folder in the "dsSettings" part of the config.json.
+> You should change the following configurations according to your server configs.
 
-Execute the following commands to re-enable the v2ray.service.
-```
-systemctl disable v2ray.service
-systemctl enable v2ray.service
-```
-Since nobody user does not have the right permission to create the 'ss-loop' folder in /var/run.
-## Client configuration examples
-**You should change the parameters according to your server configs**
-### shadowsocks windows client configuration examples:
-```
-Server IP: example.com
-Server Port: 443
+### Shadowsocks windows client configuration examples
+
+> `mux=0` is indispensable when connecting with V2Ray-plugin, if you wish to use mux you need to try the [Domainsocket or Redirect Approach](./Domainsocket-or-Redirect-Approach/).
+
+```properties
+Server_IP: example.com or your server IP
+Server_Port: 443
 Password: ifYouWantToKeepYourPassphraseSafeChangeThis!!
 Encryption: chacha20-ietf-poly1305
-Plugin Program: pathToYourV2ray-plugin_windows_arch.exe
-Plugin Options: tls;mode=websocket;path=/michi;host=example.com
+Plugin_Program: pathToYourV2ray-plugin_windows_arch.exe
+Plugin_Options: mux=0;tls;mode=websocket;path=/path;host=example.com
 ```
-### shadowsocks Android plugin configuration examples:
 
-> Both the shadowsocks android and the V2Ray plugin android are mandatory, they are available on Google Play Store.
-```
+### shadowsocks Android plugin configuration examples
+
+> Both the shadowsocks android and the V2Ray plugin android are mandatory, they are available on Google Play Store.\
+> _`Concurrent connections must be 0.`_
+
+```properties
 Plugin: v2ray
 Configuration:
-    Transport mode: websocket-tls
+    Transport_mode: websocket-tls
     Hostname: example.com
-    Path: /michi
-    Concurrent connections: 1
-    Certificate for TLS verification: Not set
+    Path: /path
+    Concurrent_connections: 0
+    Certificate_for_TLS_verification: Not set
 ```
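
Review bot: `listeing` should be `listening` in the quoted note; the mux sentence is a comma splice ("`mux=0` is indispensable ..., if you wish to use mux you need ...") and should be split into two sentences; and `_`Concurrent connections must be 0.`_` wraps a sentence in inline code plus italics, which renders oddly, so write it as plain text as the CN version does.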

+ 61 - 0
Shadowsocks-Websocket-Web-TLS/config_client.json

@@ -0,0 +1,61 @@
+{
+    "log": {
+        "loglevel": "warning"
+    },
+    "routing": {
+        "domainStrategy": "AsIs",
+        "rules": [
+            {
+                "type": "field",
+                "ip": [
+                    "geoip:private"
+                ],
+                "outboundTag": "direct"
+            }
+        ]
+    },
+    "inbounds": [
+        {
+            "listen": "127.0.0.1",
+            "port": "1080",
+            "protocol": "socks",
+            "settings": {
+                "auth": "noauth",
+                "udp": true,
+                "ip": "127.0.0.1"
+            }
+        },
+        {
+            "listen": "127.0.0.1",
+            "port": "1081",
+            "protocol": "http"
+        }
+    ],
+    "outbounds": [
+        {
+            "protocol": "shadowsocks",
+            "settings": {
+                "servers": [
+                    {
+                        "address": "{{ host }}",
+                        "port": 443,
+                        "method": "chacha20-ietf-poly1305",
+                        "password": "{{ password }}"
+                    }
+                ]
+            },
+            "streamSettings": {
+                "network": "ws",
+                "security": "tls",
+                "wsSettings": {
+                    "path": "/path"
+                }
+            },
+            "tag": "proxy"
+        },
+        {
+            "protocol": "freedom",
+            "tag": "direct"
+        }
+    ]
+}
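
Review bot: `streamSettings.security` is `tls` but no `tlsSettings.serverName` is given, so the SNI and certificate check fall back to `servers[0].address`; the README explicitly allows "your server IP" there, and with an IP address the certificate issued for the domain will not validate. Add `"tlsSettings": { "serverName": "{{ host }}" }` or document that `address` must be the domain. Minor: `"port": "1080"` and `"1081"` are strings while the outbound `port` is a number; use numbers consistently.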

+ 42 - 0
Shadowsocks-Websocket-Web-TLS/config_server.json

@@ -0,0 +1,42 @@
+{
+    "log": {
+        "loglevel": "warning"
+    },
+    "routing": {
+        "domainStrategy": "AsIs",
+        "rules": [
+            {
+                "type": "field",
+                "ip": [
+                    "geoip:private"
+                ],
+                "outboundTag": "block"
+            }
+        ]
+    },
+    "inbounds": [
+        {
+            "listen": "127.0.0.1",
+            "port": 10000,
+            "protocol": "shadowsocks",
+            "settings": {
+                "method": "chacha20-ietf-poly1305",
+                "password": "{{ password }}"
+            },
+            "streamSettings": {
+                "network": "ws",
+                "path": "/path"
+            }
+        }
+    ],
+    "outbounds": [
+        {
+            "protocol": "freedom",
+            "tag": "direct"
+        },
+        {
+            "protocol": "blackhole",
+            "tag": "block"
+        }
+    ]
+}
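
Review bot: `"path": "/path"` sits directly under `streamSettings` instead of inside `wsSettings` (compare the `wsSettings` block in the domainsocket/redirect configs and in `config_client.json`); as written the path is not applied to the ws transport, so the inbound accepts the upgrade on whatever path the web server forwards. Change to `"wsSettings": { "path": "/path" }`.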

+ 26 - 0
Shadowsocks-gRPC-Web-TLS/README-CN.md

@@ -0,0 +1,26 @@
+# 最低版本要求
+
+NGINX 的最低版本要求为 1.13.10:\
+[https://www.nginx.com/blog/nginx-1-13-10-grpc/](https://www.nginx.com/blog/nginx-1-13-10-grpc/)。
+
+V2Ray-core 的最低版本要求为 v4.36.0:\
+[https://www.v2fly.org/config/transport/grpc.html#grpcobject](https://www.v2fly.org/config/transport/grpc.html#grpcobject)。
+
+## 本设置同样适用于 Shadowsocks 客户端搭配 V2Ray-plugin 使用
+
+_你需要一个兼容 gRPC 的 v2ray-plugin 程序。
+例如由[TeddySun](https://github.com/teddysun)维护的 v2ray-plugin 叉子: \
+[https://github.com/teddysun/v2ray-plugin](https://github.com/teddysun/v2ray-plugin)。_
+
+### 客户端设置
+
+Shadowsocks Windows 设置示例:
+
+```properties
+Server_IP: mydomain.me OR your server IP
+Server_Port: 443
+Password: ifYouWantToKeepYourPassphraseSafeChangeThis!!
+Encryption: chacha20-ietf-poly1305
+Plugin_Program: pathToYourV2ray-plugin_windows_arch.exe
+Plugin_Options: tls;mode=grpc;serviceName=michi;host=mydomain.me
+```
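
Review bot: the README lists minimum versions but never points to `nginx_proxy.conf`, `config_server.json` or `config_client.json` in this folder, nor says that `serviceName=michi` must match `location /michi/Tun` in the Nginx config and `grpcSettings.serviceName` in the server config; one sentence linking them makes the folder self-explanatory. Minor: "叉子" is a literal translation of "fork"; "分支" or "复刻" reads naturally.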

+ 28 - 0
Shadowsocks-gRPC-Web-TLS/README.md

@@ -0,0 +1,28 @@
+# Minimum Versions
+
+中文用户请看[这里](./README-CN.md)。
+
+Minimum NGINX version is 1.13.10:\
+[https://www.nginx.com/blog/nginx-1-13-10-grpc/](https://www.nginx.com/blog/nginx-1-13-10-grpc/).
+
+Minimum V2Ray-Core version is v4.36.0:\
+[https://www.v2fly.org/config/transport/grpc.html#grpcobject](https://www.v2fly.org/config/transport/grpc.html#grpcobject).
+
+## These settings are also compatible with shadowsocks + v2ray-plugins
+
+_You need a grpc compatible v2ray-plugin program to use with shadowsocks client.
+For example the one maintained by [TeddySun](https://github.com/teddysun): \
+[https://github.com/teddysun/v2ray-plugin](https://github.com/teddysun/v2ray-plugin)._
+
+### Client Configurations
+
+Shadowsocks Windows Example Config:
+
+```properties
+Server_IP: mydomain.me OR your server IP
+Server_Port: 443
+Password: ifYouWantToKeepYourPassphraseSafeChangeThis!!
+Encryption: chacha20-ietf-poly1305
+Plugin_Program: pathToYourV2ray-plugin_windows_arch.exe
+Plugin_Options: tls;mode=grpc;serviceName=michi;host=mydomain.me
+```
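
Review bot: as with the CN README, link the Nginx and v2ray config files in this folder and state that `serviceName=michi` must match `location /michi/Tun` in `nginx_proxy.conf` and `grpcSettings.serviceName` in `config_server.json`. Also "v2ray-plugins" in the heading should be "v2ray-plugin", and "grpc compatible" should be "gRPC-compatible".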

+ 61 - 0
Shadowsocks-gRPC-Web-TLS/config_client.json

@@ -0,0 +1,61 @@
+{
+    "log": {
+        "loglevel": "warning"
+    },
+    "routing": {
+        "domainStrategy": "AsIs",
+        "rules": [
+            {
+                "type": "field",
+                "ip": [
+                    "geoip:private"
+                ],
+                "outboundTag": "direct"
+            }
+        ]
+    },
+    "inbounds": [
+        {
+            "listen": "127.0.0.1",
+            "port": "1080",
+            "protocol": "socks",
+            "settings": {
+                "auth": "noauth",
+                "udp": true,
+                "ip": "127.0.0.1"
+            }
+        },
+        {
+            "listen": "127.0.0.1",
+            "port": "1081",
+            "protocol": "http"
+        }
+    ],
+    "outbounds": [
+        {
+            "protocol": "shadowsocks",
+            "settings": {
+                "servers": [
+                    {
+                        "address": "{{ host }}",
+                        "port": 443,
+                        "method": "chacha20-ietf-poly1305",
+                        "password": "{{ password }}"
+                    }
+                ]
+            },
+            "streamSettings": {
+                "network": "grpc",
+                "security": "tls",
+                "grpcSettings": {
+                    "serviceName": "michi"
+                }
+            },
+            "tag": "proxy"
+        },
+        {
+            "protocol": "freedom",
+            "tag": "direct"
+        }
+    ]
+}

+ 44 - 0
Shadowsocks-gRPC-Web-TLS/config_server.json

@@ -0,0 +1,44 @@
+{
+    "log": {
+        "loglevel": "warning"
+    },
+    "routing": {
+        "domainStrategy": "AsIs",
+        "rules": [
+            {
+                "type": "field",
+                "ip": [
+                    "geoip:private"
+                ],
+                "outboundTag": "block"
+            }
+        ]
+    },
+    "inbounds": [
+        {
+            "listen": "127.0.0.1",
+            "port": 12345,
+            "protocol": "shadowsocks",
+            "settings": {
+                "method": "chacha20-ietf-poly1305",
+                "password": "{{ password }}"
+            },
+            "streamSettings": {
+                "network": "grpc",
+                "grpcSettings": {
+                    "serviceName": "michi"
+                }
+            }
+        }
+    ],
+    "outbounds": [
+        {
+            "protocol": "freedom",
+            "tag": "direct"
+        },
+        {
+            "protocol": "blackhole",
+            "tag": "block"
+        }
+    ]
+}

+ 32 - 0
Shadowsocks-gRPC-Web-TLS/nginx_proxy.conf

@@ -0,0 +1,32 @@
+server {
+  listen 443 ssl;
+  listen [::]:443 ssl;
+  
+  ssl_certificate       /etc/v2ray/v2ray.crt;
+  ssl_certificate_key   /etc/v2ray/v2ray.key;
+  ssl_session_timeout 1d;
+  ssl_session_cache shared:MozSSL:10m;
+  ssl_session_tickets off;
+  
+  ssl_protocols         TLSv1.2 TLSv1.3;
+  ssl_ciphers           ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_prefer_server_ciphers off;
+  
+  server_name           mydomain.me;
+  location /michi/Tun { # This michi shall in consistent with the grpc serviceName in v2ray config.json
+  
+    if ($request_method != "POST") { # if the request method is not POST for this location, return 404
+        return 404;
+    }
+
+    grpc_socket_keepalive on;
+    grpc_intercept_errors on;
+    grpc_pass grpc://127.0.0.1:12345; # presume v2ray is listening on port 12345 
+    grpc_set_header Upgrade $http_upgrade;
+    grpc_set_header Connection "upgrade";
+    grpc_set_header Host $host;
+    # Show real IP in v2ray access.log
+    grpc_set_header X-Real-IP $remote_addr;
+    grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  }
+}
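
Review bot: `listen 443 ssl;` does not enable HTTP/2, and gRPC only runs over HTTP/2, so `grpc_pass` never receives a gRPC request from a TLS client; use `listen 443 ssl http2;` and `listen [::]:443 ssl http2;`, as the linked NGINX 1.13.10 gRPC announcement shows. The `Upgrade` and `Connection "upgrade"` headers are WebSocket idioms with no role in an HTTP/2 gRPC stream and can be dropped. Long-lived gRPC streams also hit nginx's default 60s `grpc_read_timeout`, so raise it (for example `grpc_read_timeout 1h;`) or idle tunnels get cut. The comment "This michi shall in consistent with" should read "must be consistent with".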