shoes uses a YAML-based configuration format. Each configuration file can contain multiple entries of different types.

There are three main configuration types:

- Server configurations (`ServerConfig`)
- Client proxy groups (`ClientConfigGroup`)
- Rule groups (`RuleConfigGroup`)
A server configuration defines a proxy server instance:

```yaml
bind_location: address | path          # Network address or Unix socket path
protocol: ServerProxyConfig            # Server protocol configuration
transport: tcp | quic | udp            # Optional, defaults to tcp
tcp_settings:                          # Optional TCP settings
  no_delay: bool                       # Default: true
quic_settings:                         # Required if transport is quic
  cert: string                         # TLS certificate path
  key: string                          # TLS private key path
  alpn_protocols: [string]             # Optional ALPN protocols
  client_fingerprints: [string]        # Optional allowed client cert fingerprints
rules: string | RuleConfig             # Optional, defaults to allow-all-direct
```
Server protocols (`ServerProxyConfig`):

```yaml
# HTTP / SOCKS
protocol:
  type: http | socks
  username: string?                    # Optional
  password: string?                    # Optional
```

```yaml
# Shadowsocks / Snell
protocol:
  type: shadowsocks | ss | snell
  cipher: string                       # Encryption algorithm
  password: string
```

```yaml
# VLESS
protocol:
  type: vless
  user_id: string                      # UUID
```

```yaml
# Trojan
protocol:
  type: trojan
  password: string
  shadowsocks:                         # Optional additional encryption
    cipher: string
    password: string
```

```yaml
# VMess
protocol:
  type: vmess
  cipher: string
  user_id: string                      # UUID
  force_aead: bool                     # Default: true
  udp_enabled: bool                    # Default: true
```

```yaml
# TLS (wraps an inner protocol, selected by SNI hostname)
protocol:
  type: tls
  sni_targets:                         # Map of SNI hostnames to configs
    "example.com":
      cert: string                     # Certificate path
      key: string                      # Private key path
      alpn_protocols: [string]         # Optional ALPN protocols
      client_fingerprints: [string]    # Optional allowed client fingerprints
      protocol: ServerProxyConfig      # Inner protocol configuration
      override_rules: string | [RuleConfig]  # Optional override rules
  default_target:                      # Optional default configuration
    cert: string
    key: string
    protocol: ServerProxyConfig
    override_rules: string | [RuleConfig]
```

```yaml
# WebSocket (wraps an inner protocol, selected by path and/or headers)
protocol:
  type: websocket | ws
  targets:
    - matching_path: string?           # Optional path to match
      matching_headers:                # Optional headers to match
        header_name: string
      protocol: ServerProxyConfig      # Inner protocol configuration
      ping_type: disabled | ping-frame | empty-frame  # Default: ping-frame
      override_rules: string | [RuleConfig]  # Optional override rules
```

```yaml
# Port forwarding
protocol:
  type: forward | port_forward
  targets: string | [string]           # Target address(es) to forward to
```
Client protocols (`ClientProxyConfig`) include all server protocols plus:

```yaml
# Direct connection (no proxy)
protocol:
  type: direct
```

```yaml
# TLS (wraps an inner client protocol)
protocol:
  type: tls
  verify: bool                         # Default: true
  server_fingerprints: [string]        # Optional allowed server fingerprints
  sni_hostname: string?                # Optional SNI hostname
  alpn_protocols: [string]             # Optional ALPN protocols
  key: string?                         # Optional client key
  cert: string?                        # Optional client cert
  protocol: ClientProxyConfig          # Inner protocol configuration
```

```yaml
# WebSocket (wraps an inner client protocol)
protocol:
  type: websocket | ws
  matching_path: string?               # Optional path to match
  matching_headers:                    # Optional headers to match
    header_name: string
  ping_type: disabled | ping-frame | empty-frame  # Default: ping-frame
  protocol: ClientProxyConfig          # Inner protocol configuration
```
A client configuration defines proxy client settings:

```yaml
bind_interface: string?                # Optional interface name (Linux/Android only)
address: string                        # Optional target address
protocol: ClientProxyConfig            # Client protocol configuration
transport: tcp | quic | udp            # Optional, defaults to tcp
tcp_settings:                          # Optional TCP settings
  no_delay: bool                       # Default: true
quic_settings:                         # Optional QUIC settings
  verify: bool                         # Default: true
  server_fingerprints: [string]        # Optional allowed server fingerprints
  sni_hostname: string?                # Optional SNI hostname
  alpn_protocols: [string]             # Optional ALPN protocols
  key: string?                         # Optional client key
  cert: string?                        # Optional client cert
```
Client proxy groups allow defining reusable proxy configurations:

```yaml
client_group: string
client_proxies: ClientConfig | [ClientConfig]
```
Rule groups define access control and routing rules:

```yaml
rule_group: string
rules: RuleConfig | [RuleConfig]
```

where each `RuleConfig` has:

```yaml
masks: string | [string]               # IP/CIDR masks to match
action: allow | block                  # Action to take
override_address: string?              # Optional address override for allow action
client_proxies: string | ClientConfig | [string | ClientConfig]  # Required for allow action
```
The system includes these built-in defaults:

- `direct`: Direct connections without proxy
- `allow-all-direct`: Allows all traffic directly
- `block-all`: Blocks all traffic
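To make the rule-group semantics concrete, here is an added Python model of rule evaluation (this is illustrative code written for this page, not part of shoes). It resolves `rules` as a group name, a single `RuleConfig` or a list, reproduces the `allow-all-direct`/`block-all` built-ins (their bodies are assumed), assumes first-match-wins ordering, and includes a check for rules shadowed by an earlier, broader mask:

```python
import ipaddress

# Rule groups built into shoes, as named on this page; their exact bodies are an assumption.
BUILTIN_RULE_GROUPS = {
    "allow-all-direct": [{"masks": "0.0.0.0/0", "action": "allow", "client_proxies": "direct"}],
    "block-all": [{"masks": "0.0.0.0/0", "action": "block"}],
}

# Constructed from the routing example on this page (the example spells the key `client_proxy`).
ROUTING_GROUPS = {"routing": [
    {"masks": "192.168.0.0/16", "action": "allow", "client_proxy": "direct"},
    {"masks": "0.0.0.0/0", "action": "allow", "client_proxy": "proxies"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def expand_rules(rules, rule_groups):
    """Resolve `rules: string | RuleConfig | [RuleConfig]` to a flat list of rule dicts.
    A string names a rule group: user-defined groups first, then the built-ins."""
    if rules is None:
        rules = "allow-all-direct"            # server default stated on this page
    if isinstance(rules, str):
        return _as_list({**BUILTIN_RULE_GROUPS, **rule_groups}[rules])
    return _as_list(rules)

def route(dest_ip, rules, rule_groups=None):
    """Return ('block', None, None) or ('allow', client_proxies, override_address).
    Assumption: rules are checked top-down and the first mask that matches wins."""
    ip = ipaddress.ip_address(dest_ip)
    for rule in expand_rules(rules, rule_groups or {}):
        nets = [ipaddress.ip_network(m, strict=False) for m in _as_list(rule["masks"])]
        if not any(ip in net for net in nets):    # `in` is False across IP versions
            continue
        if rule["action"] == "block":
            return ("block", None, None)
        proxies = rule.get("client_proxies", rule.get("client_proxy"))
        return ("allow", proxies, rule.get("override_address"))
    return ("block", None, None)    # nothing matched: fail closed (assumption)

def shadowed_rules(rules):
    """Indices of rules that can never match because earlier masks already cover
    all of their addresses, e.g. a LAN rule placed after 0.0.0.0/0."""
    expanded = [[ipaddress.ip_network(m, strict=False) for m in _as_list(r["masks"])] for r in rules]
    result = []
    for i, nets in enumerate(expanded):
        earlier = [n for prev in expanded[:i] for n in prev]
        if nets and all(any(net.subnet_of(e) for e in earlier if e.version == net.version) for net in nets):
            result.append(i)
    return result
```

Note that an IPv6 destination matches none of the IPv4 masks in the routing example, so a `0.0.0.0/0` catch-all does not cover `::/0`.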
- TLS/QUIC Security:
  - Use strong certificates and private keys
  - Consider enabling client certificate authentication
  - Use secure cipher suites
  - Verify certificate fingerprints when possible
- Authentication:
  - Use strong passwords for all authentication methods
  - Consider using client certificates where supported
  - Rotate credentials regularly
- Network Security:
  - Be cautious with 0.0.0.0 bind addresses
  - Use firewalls to restrict access
  - Consider binding to specific interfaces when possible
  - Monitor logs for suspicious activity
- WebSocket Security:
  - Use path and header matching to restrict access
  - Consider using TLS for transport security
  - Implement rate limiting if needed
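The guidance above can be checked mechanically before a config is deployed. The following is an added Python audit (written for this page, not shipped with shoes) that walks a parsed `ServerConfig`, follows the nesting points in the schema (TLS `sni_targets`/`default_target`, WebSocket `targets`) and reports public binds without TLS/QUIC, HTTP/SOCKS listeners without credentials, and QUIC listeners that do not pin client fingerprints. The sample entries are constructed from this page's examples, and the dict shape is assumed to be what a YAML loader such as PyYAML's `safe_load` produces:

```python
# Constructed from the server examples on this page; a YAML loader is assumed to
# produce dicts of this shape for each document.
EXAMPLE_SERVERS = [
    {"bind_location": "127.0.0.1:8080",
     "protocol": {"type": "http", "username": "user", "password": "pass"}},
    {"bind_location": "0.0.0.0:1080",
     "protocol": {"type": "tls", "sni_targets": {"proxy.example.com": {
         "cert": "cert.pem", "key": "key.pem",
         "protocol": {"type": "socks", "username": "user", "password": "pass"}}}}},
    {"bind_location": "0.0.0.0:8080", "protocol": {"type": "http"}, "rules": "routing"},
]

def nested_protocols(proto):
    """Yield a ServerProxyConfig and every protocol it wraps, following the nesting
    points in this page's schema: tls sni_targets/default_target and websocket targets."""
    yield proto
    for target in (proto.get("sni_targets") or {}).values():
        yield from nested_protocols(target["protocol"])
    if proto.get("default_target"):
        yield from nested_protocols(proto["default_target"]["protocol"])
    if proto.get("type") in ("websocket", "ws"):
        for target in proto.get("targets") or []:
            yield from nested_protocols(target["protocol"])

def audit_server(entry):
    """Return a list of findings for one ServerConfig, covering the network, TLS/QUIC
    and authentication points above. Assumption: a bind on 0.0.0.0 or [::] is public."""
    findings = []
    bind = str(entry.get("bind_location", ""))
    public = bind.startswith(("0.0.0.0:", "[::]:"))
    protos = list(nested_protocols(entry["protocol"]))
    encrypted = entry.get("transport") == "quic" or any(p.get("type") == "tls" for p in protos)
    if public and not encrypted:
        findings.append(f"{bind}: reachable on all interfaces without TLS or QUIC")
    for p in protos:
        if p.get("type") in ("http", "socks") and not (p.get("username") and p.get("password")):
            findings.append(f"{bind}: {p['type']} listener has no username/password")
    if entry.get("transport") == "quic" and not (entry.get("quic_settings") or {}).get("client_fingerprints"):
        findings.append(f"{bind}: quic transport does not pin client certificate fingerprints")
    return findings

def audit_all(entries):
    """Map each bind_location to its findings; an empty list means no issue found."""
    return {e["bind_location"]: audit_server(e) for e in entries}
```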
Example configurations:

```yaml
# HTTP proxy on loopback with basic authentication
bind_location: "127.0.0.1:8080"
protocol:
  type: http
  username: user
  password: pass
```

```yaml
# SOCKS proxy wrapped in TLS, selected by SNI
bind_location: "0.0.0.0:1080"
protocol:
  type: tls
  sni_targets:
    "proxy.example.com":
      cert: "cert.pem"
      key: "key.pem"
      protocol:
        type: socks
        username: user
        password: pass
```

```yaml
# VMess behind a WebSocket path
bind_location: "0.0.0.0:443"
protocol:
  type: websocket
  targets:
    - matching_path: "/vmess"
      protocol:
        type: vmess
        cipher: auto
        user_id: "123e4567-e89b-12d3-a456-426614174000"
```

```yaml
# Define client proxies
client_group: "proxies"
client_proxies:
  - protocol:
      type: shadowsocks
      cipher: chacha20-ietf-poly1305
      password: secret1
  - protocol:
      type: vmess
      cipher: auto
      user_id: "123e4567-e89b-12d3-a456-426614174000"
---
# Define routing rules
rule_group: "routing"
rules:
  - masks: "192.168.0.0/16"
    action: allow
    client_proxy: direct
  - masks: "0.0.0.0/0"
    action: allow
    client_proxy: proxies
---
# Main server config
bind_location: "0.0.0.0:8080"
protocol:
  type: http
rules: routing
```