ss-v2ray-docker

Deprecated: please use https://github.com/dmirubtsov/ss-xray-docker

Shadowsocks-libev server with v2ray-plugin running in Docker.

Current version

• shadowsocks-libev: 3.3.5
• v2ray-plugin: 1.3.1

Usage

Pull the image

I recommend use a specified tag instead of the "latest" tag. This article explained why.

docker pull mazy/ss-v2ray:v3.3.5-1.3.1

Start the proxy in HTTP mode

• Shell script

docker run \
    -d \
    --restart always \
    -p <server_address>:80:1080 \
    -e PASSWORD=<password> \
    mazy/ss-v2ray:v3.3.5-1.3.1

• With docker-compose

---
version: '3'

services:
  shadowsocks-obfs-docker:
    image: mazy/ss-v2ray:v3.3.5-1.3.1
    restart: always
    ports:
      - <server_address>:80:1080
    environment:
      PASSWORD: <password>

Then allow the port used by the shadowsocks in your firewall.

Start the proxy in HTTPS or QUIC mode

I haven't tried this. You can refer to Shadowsocks over websocket (HTTPS), Shadowsocks over quic and Issue a cert for TLS and QUIC.

Specifying additional arguments

You can also add additional arguments by specifying the environment variable ARGS, like -e ARGS=<arguments> in the script, or

environment:
  ARGS: <arguments>

in docker-compose.yaml.

Usually, running with no additional arguments will be just fine.

For a full list of arguments, you can refer to Shadowsocks libev - Usage and v2ray-plugin -h.

Case example

In my case, I'm running the shadowsocks-libev with v2ray-plugin, with Caddy as a websocket reverse proxy, behind a CloudFlare CDN.

Shadowsocks and v2ray-plugin server

The shadowsocks and v2ray-plugin is configured running in HTTP mode and is listening to localhost:10001.

The docker-compose.yml is like this:

---
version: '3'

services:
  ss-v2ray-docker:
    image: mazy/ss-v2ray:v3.3.5-1.3.1
    restart: always
    ports:
      - 127.0.0.1:10001:1080
    environment:
      PASSWORD: "a-really-secure-password"

Caddy example

www.mysite.com {
  proxy /shadowsocks localhost:10001 {
    without /shadowsocks
    websocket
    header_upstream -Origin
  }
}

Nginx example

location /shadowsocks {
  proxy_redirect off;
  proxy_pass http://127.0.0.1:10001;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
  proxy_set_header Host $http_host;
}

CloudFlare

I added an A record in CloudFlare DNS panel, which contains the domain, the IP address, with CDN enabled just like serving a normal website.

Mac

brew cask install v2ray-plugin
brew cask install shadowsocksx-ng

Start shadowsocksx-ng application and add new server with these properties:

Linux client

Tested on ArchLinux, should be similar on any distribution

pacman -S shadowsocks-libev shadowsocks-v2ray-plugin

/etc/shadowsocks/my-config.json

{
	"server":"www.mysite.com",
	"server_port":443,
	"local_port":1080,
	"password":"password",
	"timeout":600,
	"method":"chacha20-ietf-poly1305",
	"plugin":"/usr/bin/v2ray-plugin",
	"fast_open":true,
	"plugin_opts":"path=/shadowsocks;host=www.mysite.com;tls",
	"reuse_port": true
}

systemctl enable --now shadowsocks-libev@my-config

I'm connecting to port 443 because I'm using the Full SSL configuration in CloudFlare, which means all HTTP requests will be rewrited into a HTTPS request. And for the same reason, I made the client running in the HTTPS mode, as in plugin_opts section you can see I specified the tls flag.

Client on Android

First you need the Shadowsocks client and the v2ray plugin. You can install both of them from Google Play Store.

You can refer to the previous configuration or the config file above for the Shadowsocks part.

And for the plugin options, you can also refer to the config file above, but I think providing a little "translation" will be better.

I left the Concurrent connections and Certificate for TLS verification untouched since I don't quite sure what does it means, and it just works.

For now you should have a working Shadowsocks-libev with v2ray-plugin proxy.