The repository of this docs is on GitHub https://github.com/mohsenmottaghi/cloak-shadowsocks-docker
This docs is not ready
Cloak with Shadowsocks on Docker
Cloak is a universal pluggable transport that cryptographically obfuscates proxy traffic as legitimate HTTPS traffic, disguises the proxy server as a normal web server, multiplexes traffic through a fixed amount of TCP connections and provides multi-user usage control.
|Alpine container with Cloak Server
|Alpine container with Cloak Client
|Alpine container with ShadowSocks Server Golang
|Alpine conatiner with ShadowSocks Client Golang
|Your server IP
|Application listening port
|is a UID that is authorised without any bandwidth or credit limit restrictions
|is the redirection address when the incoming traffic is not from a Cloak client
|is the static curve25519 Diffie-Hellman private key encoded in base64.
|is the UID of the admin user in base64
|If the server host wishes you to connect to it directly, use direct.
|is the name of the proxy method you are using.
|is the name of the encryption algorithm you want Cloak to use.
|is the static curve25519 public key, given by the server admin
|is the domain you want to make your ISP or firewall think you are visiting.
|is the amount of underlying TCP connections you want to use
|is the browser you want to appear to be using. It's not relevant to the browser you are actually using. Currently, chrome and firefox are supported.
|Application listening IP
|Application listening Port
|Should be your Server IP
How to run Cloak with Shadowsocks Server
To run the server stack you have two option:
To run Cloak Server with
docker run :
Then you need to run ShadowSocks Server :
if you want to run this stack with
RedirAddr is the redirection address when the incoming traffic is not from a Cloak client. It should either be the same as, or correspond to the IP record of the
ServerName field set in
BindAddr is a list of addresses Cloak will bind and listen to (e.g.
[":443",":80"] to listen to port 443 and 80 on all interfaces)
ProxyBook is a nested JSON section which defines the address of different proxy server ends. For instance, if OpenVPN server is listening on 127.0.0.1:1194, the pair should be
"openvpn":"127.0.0.1:1194". There can be multiple pairs. You can add any other proxy server in a similar fashion, as long as the name matches the
ProxyMethod in the client config exactly (case-sensitive).
PrivateKey is the static curve25519 Diffie-Hellman private key encoded in base64.
AdminUID is the UID of the admin user in base64.
BypassUID is a list of UIDs that are authorised without any bandwidth or credit limit restrictions
DatabasePath is the path to userinfo.db. If userinfo.db doesn't exist in this directory, Cloak will create one automatically. If Cloak is started as a Shadowsocks plugin and Shadowsocks is started with its working directory as / (e.g. starting ss-server with systemctl), you need to set this field as an absolute path to a desired folder. If you leave it as default then Cloak will attempt to create userinfo.db under /, which it doesn't have the permission to do so and will raise an error. See Issue #13.
UID is your UID in base64.
Transport can be either
CDN. If the server host wishes you to connect to it directly, use
direct. If instead a CDN is used, use
PublicKey is the static curve25519 public key, given by the server admin.
ProxyMethod is the name of the proxy method you are using.
EncryptionMethod is the name of the encryption algorithm you want Cloak to use. Note: Cloak isn't intended to provide transport security. The point of encryption is to hide fingerprints of proxy protocols and render the payload statistically random-like. If the proxy protocol is already fingerprint-less, which is the case for Shadowsocks, this field can be left as
plain. Options are
ServerName is the domain you want to make your ISP or firewall think you are visiting.
NumConn is the amount of underlying TCP connections you want to use. The default of 4 should be appropriate for most people. Setting it too high will hinder the performance.
BrowserSig is the browser you want to appear to be using. It's not relevant to the browser you are actually using. Currently,
firefox are supported.
ShadowSocks Golang Configuration
Start a server listening on port 8488 using
AEAD_CHACHA20_POLY1305 AEAD cipher with password
Start a client connecting to the above server. The client listens on port 1080 for incoming SOCKS5 connections, and tunnels both UDP and TCP on port 8053 and port 8054 to 188.8.131.52:53 and 184.108.40.206:53 respectively.
[server_address] with the server's public address.