arkbriar / ssmgr Goto Github PK

Shadowsocks manager of multiple servers, with advanced features for management.

License: GNU General Public License v3.0

Go 62.12% JavaScript 14.31% CSS 1.12% HTML 15.30% Makefile 3.05% Shell 0.71% C++ 3.38%

shadowsocks golang shadowsocks-manager grpc angularjs proxy

ssmgr's Introduction

SSMGR

Shadowsocks manager of multiple servers, providing simple and easy way for users to acquire shadowsocks services over regions of servers and advanced tools for operators to manage the servers.

NOTIFICATION After commit ca33594, slave's managed dir changes to $HOME/.ssmgr, refer to #23 if you want to do a migration.

Compile

First of all, install the dependent tools.

For mac users,

brew install go node protobuf

For ubuntu/debian users, install golang toolchain (>=1.7) and

sudo add-apt-repository ppa:maarten-fonville/protobuf
curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -
sudo apt update
sudo apt install nodejs protobuf-compiler

Then,

# Install protobuf go plugin
go get -u github.com/golang/protobuf/protoc-gen-go
# And make sure that protoc-gen-go is in 
# your env $PATH so that protoc can find and use it, such as

# export PATH=$PATH:$(go env GOPATH)/bin

make all

Install

[NOTE] install is only supported on linux with systemd.

[NOTE] If you want to enable TLS, you should modify the env and config files and specify your certificates. For more details about generating self-signed certificates, please see Generate Self-signed Certificates.

Before install ssmgr, install shadowsocks-libev first.

sudo apt install shadowsocks-libev

To install it completely (binaries and systemd services),

# Install to /usr/local/ssmgr/*, /etc/default/ssmgr.{master/slave}, 
# /lib/systemd/system/ssmgr-{master/slave}.service and /etc/ssmgr/*
sudo make install

Or you can install master/slave seperately,

# Master
sudo make install-master
# Slave
sudo make install-slave

Docs

Enable TLS

Enable TLS to secure the communication between master and slaves.

TLS on Slave

Add "tls" field to config.json file.

{
  "port": 6001,
  "manager_port": 6001,
  "token": "SSMGRTEST",
  "tls": {
    "cert_file": "testdata/certs/server.crt",
    "key_file": "testdata/certs/server.key"
  }
}

TLS on Master

Specify CA X.509 file when you start the master.

master -w frontend -c config.json -ca path/to/ca.pem

Generate Self-signed Certificates

Generate CA key and PEM file if you do not have one:

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.pem

Then, using script gssc to generate these certificates.

./tools/gssc --ip SLAVE_IP --ca CA_DIR

This will generate a 2048 bits key and a certificate whose expiry is 365 days in current directory.

For more details of gssc, please see

./tools/gssc -h

Log to Slack

We implement a hook of logrus to send some levels of logs to slack channel. This helps developers to monitor servers and to develop ChatOps in the future.

Slack logs is only supported on master. To enable it, add the "slack" field to config.json file,

{
  "...": "...",
  "slack": {
    "channel": "#SLACK_CHANNEL",
    "token": "TEST_SLACK_TOKEN",
    "levels": [
      "panic",
      "fatal",
      "error",
      "warn",
      "info",
      "debug"
    ]
  }
}

where token is the application token and levels are the logrus levels to send.

Known Issues

Issues here with bug tags.
Can not debug on master because it imports a library with native C codes (go-sqlite3).

License

Licensed under GPL v3.

ssmgr's People

Stargazers

Watchers

Forkers

awesome-archive attackgithub alexpretender

ssmgr's Issues

New rule of Group

Different from Free users, I am sure the paid users do not want to create account every time when their account expired or out of traffic. So have to design some mechanism to preserve account, not just delete it.

Log to slack

Sends some of them to slack.

Reference

Hooks of logrus

Use encrypted RPC

Email rejected by qq mail

Mail was rejected by qq mail server.
Sent by mailgun.

Design the manager

This issue is about how to design our multiple server manager based on shadowsocks manager APIs.

Here is the rules and goals.

We develop this tool to manage a large scale of vps servers to provide a self-help shadowsocks service allocator. It should manage users, ports, passwords, traffic statistics and other useful datas, which are the bases of this system.
We do not change the original APIs.
We use golang as our main programming language and are strongly opposed to node.js.
We should make the system stable and robust so that it is able to run correctly in an environment with terrible network.

Suggestions and improvements of the rules and goals are appreciated.

Any idea and discussion is highly welcomed.

Support tcp connections limit using iptables

Although shadowsocks-libev can handle thousands of concurrent connections nicely, we still recommend setting up your server's firewall rules to limit connections from each user:

# Up to 32 connections are enough for normal usage
iptables -A INPUT -p tcp --syn --dport ${SHADOWSOCKS_PORT} -m connlimit --connlimit-above 32 -j REJECT --reject-with tcp-reset