Shadowsocks Manager

Shadowsocks Manager offers a graphical user interface (GUI) for managing Shadowsocks and WireGuard nodes and users. This tutorial is for a Debian 10 virtual private server (VPS). All commands are issued as root.

Add DNS and rDNS Records


If you have not already done so, add a DNS A record pointing from your hostname (e.g. yourhost.yourdomainname.tld) to your server IP address.

Since we will be sending email, add a DNS record of type MX pointing from your naked domain to your hostname (such as yourhost.yourdomainname.tld). The naked domain is often represented by a commercial at sign in control panels.

Add a Sender Policy Framework (SPF) TXT record for your domain. The name of the entry is the naked domain. The value of the text field is:

v=spf1 mx -all

This specifies that you will allow the domain's MX server(s) to send email for the domain, but you want to prohibit all other servers from sending email on your behalf.

Some email recipients will check that your server's IP address maps back to the hostname of your server. To pass this test, and hence decrease the likelihood of your emails being considered spam, add a reverse DNS (rDNS) entry from your server IP address to its hostname.
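To make concrete what the record v=spf1 mx -all tells a receiving mail server, here is an added shell example (not part of the original tutorial) that evaluates an SPF record against the address a message arrived from. A real SPF check resolves the domain's MX hosts through DNS; so that it runs offline, this function takes the already-resolved MX addresses as arguments, and the addresses 203.0.113.10 and 198.51.100.7 are constructed. It covers the mechanisms relevant to this page (mx, a literal ip4 address, and the four all qualifiers); include, a and CIDR ranges are not handled.

```shell
#!/bin/sh
# spf_verdict RECORD SENDER_IP MX_IP...
# Prints the SPF result a receiving server would reach for SENDER_IP:
# pass, fail, softfail or neutral. MX_IP... are the addresses the domain's
# MX hosts resolve to (passed in here instead of looked up, so no DNS is needed).
spf_verdict() {
  record=$1
  sender=$2
  shift 2
  mx_ips=$*
  for term in $record; do
    case $term in
      v=spf1) ;;                 # version tag, no effect on the verdict
      mx|+mx)                    # sender must be one of the MX addresses
        for ip in $mx_ips; do
          if [ "$ip" = "$sender" ]; then echo pass; return 0; fi
        done ;;
      ip4:*)                     # explicit single address (no CIDR handling here)
        if [ "${term#ip4:}" = "$sender" ]; then echo pass; return 0; fi ;;
      -all)  echo fail;     return 0 ;;   # hard fail: reject or treat as spam
      ~all)  echo softfail; return 0 ;;   # mark, but usually still accept
      all|+all) echo pass;  return 0 ;;   # anyone may send (defeats the purpose)
      '?all') echo neutral; return 0 ;;   # quoted so ? is not a wildcard
      *) ;;                      # other mechanisms (a, include, ...) ignored
    esac
  done
  echo neutral                   # record ended without an "all" term
}

# Constructed example: the domain's only MX host resolves to 203.0.113.10.
# Mail from the MX host passes; mail from any other address fails under -all.
spf_verdict 'v=spf1 mx -all' 203.0.113.10 203.0.113.10
spf_verdict 'v=spf1 mx -all' 198.51.100.7 203.0.113.10
```

The second call is the case the record is written for: a message claiming to be from your domain but sent from a host that is not your MX server gets fail, which is what the spf=pass check in the Gmail test later on this page is confirming from the other side.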

Install Firewall


Install a firewall:

apt update
apt upgrade

apt install nftables
systemctl enable nftables
systemctl start nftables


Open the ports for SSH, mail, HTTP, HTTPS, and Shadowsocks. In what follows, replace YOUR.PC.IP.ADDRESS with your actual PC IP address (or a range of IP addresses such as YOUR.PC.0.0/16 if your ISP changes your IP address from time to time).

nft add rule inet filter input ct state related,established counter accept
nft add rule inet filter input iif lo counter accept
nft add rule inet filter input tcp dport 22 ip saddr YOUR.PC.IP.ADDRESS counter accept
nft add rule inet filter input tcp dport 25 counter accept
nft add rule inet filter input tcp dport {80, 443} counter accept
nft add rule inet filter input tcp dport 50000-60000 counter accept


Drop any unexpected traffic:

nft add rule inet filter input counter drop

Save the rules:

nft list ruleset > /etc/nftables.conf
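The same policy as a declarative /etc/nftables.conf, produced by a small shell function. This is an added example, not part of the original tutorial; the address 203.0.113.5 is a constructed placeholder for your PC address or range. It goes slightly beyond the page's rules: the input chain uses policy drop instead of a trailing drop rule, ICMP and ICMPv6 are accepted (a blanket drop would otherwise break ping and IPv6 neighbour discovery), and UDP is allowed on the Shadowsocks port range because ss-manager is started later on this page with -u (UDP relay). The file begins with flush ruleset, which the output of nft list ruleset does not contain, so that reloading the nftables service replaces the rules instead of appending duplicates.

```shell
#!/bin/sh
# write_nft_ruleset OUTPUT_PATH ADMIN_IP
# Writes a complete nftables ruleset to OUTPUT_PATH. ADMIN_IP is the address or
# range allowed to reach SSH (constructed default 203.0.113.5, replace it).
write_nft_ruleset() {
  out=$1
  admin=${2:-203.0.113.5}
  cat > "$out" <<EOF
#!/usr/sbin/nft -f
# Flush first so that reloading this file never duplicates rules.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state related,established counter accept
        iif lo counter accept
        ct state invalid counter drop

        # ICMP/ICMPv6: ping, path MTU discovery, IPv6 neighbour discovery.
        ip protocol icmp counter accept
        ip6 nexthdr icmpv6 counter accept

        # SSH only from the administrator's address or range.
        ip saddr $admin tcp dport 22 counter accept

        # SMTP, HTTP, HTTPS.
        tcp dport 25 counter accept
        tcp dport { 80, 443 } counter accept

        # Shadowsocks user ports; ss-manager runs with -u, so UDP relay needs them too.
        tcp dport 50000-60000 counter accept
        udp dport 50000-60000 counter accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
  # Syntax-check the file without loading it when nft is available and we are
  # root (nft -c still needs the kernel's netlink interface).
  if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    nft -c -f "$out"
  fi
}

# Write the candidate ruleset somewhere safe for review before copying it to
# /etc/nftables.conf and applying it with: nft -f /etc/nftables.conf
write_nft_ruleset "${TMPDIR:-/tmp}/nftables.conf.new" 203.0.113.5
```

Apply the reviewed file from a session whose source address matches the SSH rule: the established connection is kept by the ct state rule, so a correct admin address does not lock you out, while a wrong one does.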

Install SMTP Server


Postfix is a free and open-source mail transfer agent (MTA). Install Postfix:

apt install postfix

During the installation, the Postfix Configuration screen appears, informing you of the possible types of Postfix mail server you can have.

  1. On the initial package configuration screen, tab to Ok and press Enter.
  2. On the next screen, the actual choices appear. An Internet Site is the default. Tab to Ok and press Enter.
  3. On the next screen, you are asked to enter your domain name. Enter your naked domain name (i.e., just the domain name, not the full hostname), tab to Ok, and press Enter.

Edit the main Postfix configuration file:

vi /etc/postfix/main.cf

Copy and paste the first three lines for smtpd (incoming) TLS configuration, then change the copied lines so that they specify smtp (outgoing) TLS:

smtp_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtp_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtp_use_tls=yes


Write the file to disk and quit the editor.

Edit the Postfix master file:

vi /etc/postfix/master.cf

Uncomment the smtps lines:

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes


Write the file to disk and quit the editor.

Restart Postfix:

systemctl restart postfix

For testing your Postfix server, also install the Mutt command-line email client:

apt install mutt

Create Admin User


Create a non-root user to be the administrator of Shadowsocks-Manager:

adduser admin

Enter and confirm the password for the admin user. Other fields can be left blank.

You will need to either set up an authorized public key for admin in /home/admin/.ssh/authorized_keys, or make sure PasswordAuthentication is allowed in /etc/ssh/sshd_config. If you edit /etc/ssh/sshd_config, also issue the command systemctl restart sshd.

Test Mail Server


Temporarily exit as root, and log back into your server as admin.

Edit your Mutt user configuration file:

vi ~/.muttrc

Insert contents, replacing yourdomainname.tld with your actual domain name:

mailboxes "/var/mail/admin"
set editor="vim"
set realname="Admin"
set from="admin@yourdomainname.tld"


Write the file to disk and quit the editor.

Send a test email to your Gmail account:

  1. Enter command mutt
  2. Type y to create the mailbox
  3. Type m for mail
  4. Enter To: yourgmailaccount@gmail.com
  5. Enter Subject: First Test
  6. Enter i for insert mode
  7. Type This is my first email.
  8. Press Esc key on your keyboard
  9. Enter :wq
  10. Type y to send
  11. Type q for quit

You should receive the email in your Gmail account. It may go to your spam folder. Once you have brought up the email, select the option Show Original. The Authentication-Results header should include spf=pass.

Exit your server session as admin, and log back in to your server as root for the rest of the process.

Install Saslauthd


Saslauthd handles plaintext authentication requests. Install the Saslauthd packages:

apt install libsasl2-2 libsasl2-modules sasl2-bin

Edit the Saslauthd defaults:

vi /etc/default/saslauthd

  • Change START=no to START=yes
  • At the end of the file, change OPTIONS="-c -m /var/run/saslauthd" to OPTIONS="-c -r -m /var/spool/postfix/var/run/saslauthd"

Write the file to disk and quit the editor.

Create the directory:

mkdir -p /var/spool/postfix/var/run/saslauthd

Create a symbolic link to the directory:

rm -rf /var/run/saslauthd

ln -s /var/spool/postfix/var/run/saslauthd /var/run/saslauthd


Create the SMTPD configuration file:

vi /etc/postfix/sasl/smtpd.conf

Insert contents:

pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true


Write the file to disk and quit the editor.

Add Postfix to the SASL group:

usermod -a -G sasl postfix

Restart Postfix and Saslauthd:

systemctl restart postfix
systemctl restart saslauthd


Check that Saslauthd is working correctly, replacing adminpassword by the actual server password you chose for admin:

testsaslauthd -u admin -p adminpassword

You should see the results:

0: OK "Success."

Install Nginx


Install Nginx:

apt install nginx

Edit the default site definition:

vi /etc/nginx/sites-available/default


Insert your actual hostname, replacing yourhost.yourdomainname.tld by your own hostname:

server_name yourhost.yourdomainname.tld;

Write the file to disk and quit the editor. Restart Nginx:

systemctl restart nginx

Install SSL Certificate


Install Certbot, the Let's Encrypt client:

apt install certbot python-certbot-nginx

Run Certbot for Nginx:

certbot --nginx

In response to the prompts:

  1. Enter your email
  2. Enter a for agree to terms of service
  3. Enter y or n to share your email or not
  4. Enter the number of your hostname
  5. Enter 2 for redirect HTTP to HTTPS

Test automatic renewal (the certbot package installs a systemd timer that renews the certificate before it expires; Let's Encrypt certificates are valid for 90 days):

certbot renew --dry-run

Test your SSL certificate by visiting https://yourhost.yourdomainname.tld in a browser, replacing yourhost.yourdomainname.tld by your actual hostname. You should see the page Welcome to nginx!

Install Node JS


Install Node JS:

apt install curl

curl -sL https://deb.nodesource.com/setup_13.x | bash -

apt install nodejs

node -v


Install Redis


Install Redis, an in-memory key/value database:

apt install redis-server

Edit the Redis configuration file:

vi /etc/redis/redis.conf

Set the supervisor to systemd:

# supervised no
supervised systemd


Specify your chosen password, replacing YourRedisPasswordGoesHere by your actual choice for a Redis password:

# requirepass foobared
requirepass YourRedisPasswordGoesHere


Write the file to disk and quit the editor. Restart Redis:

systemctl restart redis

Check that Redis is running on port 6379 and that your password works:

redis-cli

auth YourRedisPasswordGoesHere

quit


Install Shadowsocks-Libev


apt install shadowsocks-libev

Run Shadowsocks-Libev


Start Shadowsocks-Libev in a new screen session. Note that aes-256-cfb is a legacy stream cipher with no integrity protection; current Shadowsocks releases recommend an AEAD cipher such as chacha20-ietf-poly1305, but the rest of this tutorial keeps aes-256-cfb because that is what the Web GUI will display for user accounts:

screen -dmS ss ss-manager -m aes-256-cfb -u --manager-address 127.0.0.1:6001


Install Shadowsocks-Manager


Install Shadowsocks-Manager:

npm i -g shadowsocks-manager

If a permission error message appears, try:

npm i -g shadowsocks-manager --unsafe-perm

Configure Shadowsocks-Manager


Create a configuration file in the ~/.ssmgr directory:

mkdir ~/.ssmgr

vi ~/.ssmgr/ssmgr.yml


Insert contents:

type: s
shadowsocks:
  address: 127.0.0.1:6001
manager:
  address: 0.0.0.0:6002
  password: '123456'
db: 'db.sqlite'


Run Shadowsocks-Manager


Invoke Shadowsocks-Manager in a separate screen session with the configuration file created a moment ago:

screen -dmS ssmgr ssmgr -c ~/.ssmgr/ssmgr.yml

Configure Web GUI


Create a configuration file for the Web GUI in the ~/.ssmgr directory:

vi ~/.ssmgr/webgui.yml

Insert contents:

  • Replace SERVER.PUBLIC.IP.ADDRESS by actual IP address of server
  • Replace adminpassword by actual server password of the admin user
  • Replace yourhost.yourdomainname.tld by actual hostname
  • Replace yourdomainname.tld by actual domain name
  • Replace YourWebGUIPassword by actual choice of admin password for Web GUI
  • Replace YourRedisPasswordGoesHere by actual Redis password

type: m
manager:
  address: SERVER.PUBLIC.IP.ADDRESS:6002
  password: '123456'
plugins:
  flowSaver:
    use: true
  user:
    use: true
  account:
    use: true
  email:
    use: true
    type: 'smtp'
    username: 'admin'
    password: 'adminpassword'
    host: '127.0.0.1'
    allowUnauthorizedTls: true
  webgui:
    use: true
    host: '127.0.0.1'
    port: '8080'
    site: 'https://yourhost.yourdomainname.tld'
    admin_username: 'admin@yourdomainname.tld'
    admin_password: 'YourWebGUIPassword'
    # icon: 'icon.png'
    # skin: 'default'
    # language: 'en-US'
    # googleAnalytics: 'UA-xxxxxxxx-x'
    # gcmSenderId: '476902381496'
    # gcmAPIKey: 'AAAAGzddLRc:XXXXXXXXXXXXXX'
    # google_login_client_id: '724695589056-p78tu8738t4fjel56yhe34qq34gjufsi.apps.googleusercontent.com'
    # google_login_client_secret: 'TjUd36YnQ-YUI2uUtQa_43Tl'
    # facebook_login_client_id: '9825686749820123'
    # facebook_login_client_secret: 'a46c6bb6f8281c23d2b74b43008c9c46'
    # github_login_client_id: '7c45c34c1de3ef937d37'
    # github_login_client_secret: 'd2768efe5258cfb9ce4da11ed7ddc334bc65756b'
    # twitter_login_consumer_key: 'tKPH3RViDT68PtHBMHYJuQ'
    # twitter_login_consumer_secret: 'wYCtWdUSEfm8H3ES0r5rgHKeqGvYGiFDrGj4THiq3T6'

db: 'webgui.sqlite'
redis:
  host: '127.0.0.1'
  port: 6379
  password: 'YourRedisPasswordGoesHere'
  db: 0

Run Web GUI


Invoke the Web GUI with the configuration file:

screen -dmS webgui ssmgr -c ~/.ssmgr/webgui.yml

Configure Nginx to Proxy to Web GUI


Edit default site definition:

vi /etc/nginx/sites-available/default

Change the location block for the SSL server listening on port 443 to proxy traffic to the Web GUI on port 8080:

location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host;
    # X-Frame-Options is a response header for the browser, so it must be set
    # with add_header; proxy_set_header only changes the request sent to the Web GUI.
    add_header X-Frame-Options DENY;
    proxy_pass http://127.0.0.1:8080;
}


Write the file to disk and quit the editor. Restart Nginx:

systemctl restart nginx

Sign In as Administrator


Open a browser and visit your site at https://yourhost.yourdomainname.tld, replacing yourhost.yourdomainname.tld by your actual hostname.

Click the SIGN IN button.

Sign in as admin@yourdomainname.tld with password YourWebGUIPassword.

If everything is normal, you should see the Web GUI.

Click Exit to exit your administrator session.

Sign Up as User


Click the SIGN UP button.

  1. Enter your email address.
  2. Click GET CODE.
  3. You should receive an email titled ss验证码 (Shadowsocks Verification Code).
  4. Enter the verification code in your email on the sign-up form line for verification code.
  5. Choose a password, and click SIGN UP.
  6. A message appears, Successfully registered. Click OK.

Click on the Account menu item.

You should see a Shadowsocks account displayed with the address of your server, port 50000, password, and method aes-256-cfb. There is also a quick response (QR) code.


Test Server from Windows Client as User


Download the latest Windows client zip file, Shadowsocks-4.1.8.0.zip, from https://github.com/shadowsocks/shadowsocks-windows/releases.

Extract the files from Shadowsocks-4.1.8.0.zip.

Launch Shadowsocks.exe from the extracted folder.

Enter Server Address, Port, and Password to match your account. Click Apply. Click OK.

Right-click on Shadowsocks icon in system tray, and select System Proxy > Global.

Open a browser and visit https://whatismyipaddress.com. Verify that it shows your server IP address, not your PC's IP address.

Right-click on Shadowsocks icon in system tray, and select Quit.
