shoes is a multi-protocol proxy server written in Rust.
- HTTP/HTTPS (TCP, QUIC)
- SOCKS5 (TCP, QUIC)
- Vmess (TCP, QUIC, UDP-over-TCP)
  - AEAD and Legacy modes
  - Supported ciphers:
    - aes-128-gcm
    - chacha20-poly1305
- Vless (TCP, QUIC, UDP-over-TCP)
- Snell v3 (TCP, QUIC, UDP-over-TCP)
  - Supported ciphers:
    - aes-128-gcm
    - aes-256-gcm
    - chacha20-ietf-poly1305
- Shadowsocks (TCP, QUIC)
  - Supported ciphers:
    - aes-128-gcm
    - aes-256-gcm
    - chacha20-ietf-poly1305
    - 2022-blake3-aes-128-gcm
    - 2022-blake3-aes-256-gcm
    - 2022-blake3-chacha20-ietf-poly1305
- Trojan (TCP, QUIC)
  - Supported ciphers:
    - aes-128-gcm
    - aes-256-gcm
    - chacha20-ietf-poly1305
- Hysteria2 (QUIC)
- TUIC v5 (QUIC)

All supported protocols can be combined with the following features:
- TLS support with SNI based forwarding
- Websocket obfs (Shadowsocks SIP003)
- ShadowTLS v3
- Upstream proxy support: route connections through other proxy servers
- Forwarding rules: Redirect or block connections based on target IP or hostname
- Hot reloading: Updated configs are automatically reloaded
- Netmask and proxy groups
For advanced access control of incoming connections (e.g. IP allowlists/blocklists), check out tobaru.
Here's an example of running a WSS vmess and shadowsocks server, with all requests routed through a SOCKS proxy:
```yaml
# Listen on all IPv4 interfaces, port 443 (HTTPS)
- address: 0.0.0.0:443
  transport: tcp
  # Use TLS as the first protocol layer
  protocol:
    type: tls
    # Set a default target, for any (or no) SNI
    default_target:
      cert: cert.pem
      key: key.pem
      # ..which goes to a websocket server
      protocol:
        type: ws
        # .. where we have different supported proxy protocols, based on HTTP request path and headers.
        targets:
          - matching_path: /vmess
            matching_headers:
              X-Secret-Key: "secret"
            protocol:
              type: vmess
              # allow any cipher, which means: none, aes-128-gcm, or chacha20-poly1305.
              cipher: any
              user_id: b0e80a62-8a51-47f0-91f1-f0f7faf8d9d4
          - matching_path: /shadowsocks
            protocol:
              type: shadowsocks
              cipher: 2022-blake3-aes-256-gcm
              password: Hax8btYlNao5qcaN/l/NUl9JgbwapfqG5QyAtH+aKPg=
    # Set a ShadowTLS v3 target by SNI
    shadowtls_targets:
      google.com:
        # ShadowTLS password
        password: 83a44859c0e7fbb589b
        # Configure handshake server.
        handshake:
          address: google.com:443
          # Use the local SOCKS server to connect to the handshake server.
          client_proxies:
            - address: 127.0.0.1:1080
              protocol:
                type: socks
                username: socksuser
                password: secretpass

  rules:
    # Allow clients to connect to all IPs
    - mask: 0.0.0.0/0
      action: allow
      # Forward all requests through a local SOCKS server.
      client_proxy:
        address: 127.0.0.1:5000
        protocol:
          type: socks
          username: socksuser
          password: secretpass
```

For other YAML config examples, see the examples directory.
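
As an added example (not part of shoes or its documentation): the `2022-blake3-*` Shadowsocks ciphers take a base64-encoded key rather than a passphrase, and the Shadowsocks 2022 specification fixes its length at 16 bytes for aes-128-gcm and 32 bytes for the other two ciphers. The hypothetical helper `check_ss2022_key` below checks a `cipher`/`password` pair from a config like the one above before deployment; whether shoes performs the same check itself is not stated on this page.

```rust
// Added example, not shoes code. Key sizes follow the Shadowsocks 2022 spec.
fn required_key_len(cipher: &str) -> Option<usize> {
    match cipher {
        "2022-blake3-aes-128-gcm" => Some(16),
        "2022-blake3-aes-256-gcm" | "2022-blake3-chacha20-ietf-poly1305" => Some(32),
        _ => None, // other ciphers: this check does not apply
    }
}

/// Decode padded standard base64; None on a bad length or character.
fn b64_decode(s: &str) -> Option<Vec<u8>> {
    const ALPHABET: &[u8] =
        b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let body = s.trim_end_matches('=');
    if s.len() % 4 != 0 || s.len() - body.len() > 2 {
        return None;
    }
    let (mut acc, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for c in body.bytes() {
        let v = ALPHABET.iter().position(|&a| a == c)? as u32;
        acc = (acc << 6) | v;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1; // keep only the bits not yet emitted
        }
    }
    Some(out)
}

/// Hypothetical helper: Ok(()) if the password fits the cipher, else a message.
fn check_ss2022_key(cipher: &str, password: &str) -> Result<(), String> {
    let want = match required_key_len(cipher) {
        Some(n) => n,
        None => return Ok(()),
    };
    let key = b64_decode(password).ok_or("password is not valid base64")?;
    if key.len() != want {
        return Err(format!("{} needs a {}-byte key, got {}", cipher, want, key.len()));
    }
    Ok(())
}

fn main() {
    // cipher and password taken from the config example above
    let pw = "Hax8btYlNao5qcaN/l/NUl9JgbwapfqG5QyAtH+aKPg=";
    println!("{:?}", check_ss2022_key("2022-blake3-aes-256-gcm", pw));
}
```
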
Precompiled binaries for x86_64 and Apple aarch64 are available on GitHub Releases.
Otherwise, if you have a fairly recent Rust and cargo installation on your system, shoes can be installed with cargo.
```
cargo install shoes
```

```
shoes [OPTIONS] <YAML CONFIG PATH> [YAML CONFIG PATH] [..]

OPTIONS:
    -t, --threads NUM
        Set the number of worker threads. This usually defaults to the number of CPUs.
    -d, --dry-run
        Parse the config and exit.
```

See CONFIG.md for the YAML config format. You can also refer to the examples, or open an issue if you need help.
- Proxy client chaining
- SOCKS and Shadowsocks UDP support
- shadowsocks/shadowsocks-rust: A Rust port of shadowsocks
- v2ray/v2ray-core: A full-featured proxy platform written in Go
- ihciah/shadow-tls: A proxy to expose real TLS handshake to the firewall
- apernet/hysteria: Hysteria is a powerful, lightning fast and censorship resistant proxy
- tuic-protocol/tuic: Delicately-TUICed 0-RTT proxy protocol