Manual Installation and Configuration of Shadowsocks-Rust on Debian
Description
A brief guide to set up a Shadowsocks server on a Debian-based system using binary releases and systemd.
Steps
1. Pre-requisites
Download and extract the Shadowsocks-Rust binary, and move it to /usr/local/bin for system-wide access:
wget [BINARY_RELEASE_URL]
tar -xvf shadowsocks-rust-<VERSION>-x86_64-unknown-linux-gnu.tar.xz
sudo cp ssserver /usr/local/bin/
2. Server Configuration
Create a config file for the Shadowsocks server under directory /etc/ with the following content (modify as needed):
{
  "server": "[YOUR_SERVER_IP_OR_DOMAIN]",
  "server_port": 443,
  "nameserver": "8.8.8.8",
  "password": "[YOUR_PASSWORD]",
  "timeout": 300,
  "method": "[YOUR_ENCRYPTION_METHOD]",
  "fast_open": true,
  "reuse_port": true,
  "no_delay": true,
  "prefer_ipv6": false,
  "log": {
    "writers": [
      { "console": { "level": 1 } }, // Error level
      {
        "file": {
          "directory": "[DIRECTORY_PATH_FOR_LOG_FILES]",
          "rotation": "[HOURLY|DAILY|WEEKLY|MONTHLY|NEVER]",
          "prefix": "[CUSTOM_LOG_PREFIX]",
          "suffix": "[CUSTOM_LOG_SUFFIX]"
        }
      }
    ]
  }
}
Example:
sudo mkdir -p /etc/shadowsocks/
sudo vim /etc/shadowsocks/server.json
{
  "server": "111.111.111.111",
  "server_port": 443,
  "nameserver": "8.8.8.8",
  "password": "example_password",
  "timeout": 300,
  "method": "2022-blake3-aes-128-gcm",
  "fast_open": true,
  "reuse_port": true,
  "no_delay": true,
  "prefer_ipv6": false,
  "log": {
    "writers": [
      { "console": { "level": 3 } }, // Info level
      {
        "file": {
          "directory": "/var/log/shadowsocks",
          "rotation": "never",
          "prefix": "ss_2022",
          "suffix": "log"
        }
      }
    ]
  }
}
// Note: For Shadowsocks 2022 methods, the password must be a valid Base64 string.
// Generate one using: openssl rand -base64 16
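The Base64 requirement in the note above can be checked before the server is started. The script below is an added example, not code from the original guide or the shadowsocks-rust project; the function names are hypothetical, and the per-method key lengths (16 or 32 bytes) are taken from the Shadowsocks 2022 specification rather than from this page.

```shell
#!/usr/bin/env bash
# Added example (not from the shadowsocks-rust project): pre-flight checks
# for the secret stored in /etc/shadowsocks/server.json.

# Key length in bytes that each Shadowsocks 2022 method expects (assumed
# from the Shadowsocks 2022 specification, not stated on this page).
ss2022_key_len() {
  case "$1" in
    2022-blake3-aes-128-gcm) echo 16 ;;
    2022-blake3-aes-256-gcm | 2022-blake3-chacha20-poly1305) echo 32 ;;
    *) return 1 ;;  # not a 2022 method
  esac
}

# check_ss_key METHOD PASSWORD
# Returns 0 only if PASSWORD is canonical Base64 that decodes to the key
# length METHOD requires; 1 on a bad key, 2 on a non-2022 method.
check_ss_key() {
  want=$(ss2022_key_len "$1") || return 2
  # Round trip: a truncated or non-Base64 string does not re-encode to itself.
  again=$(printf '%s' "$2" | base64 -d 2>/dev/null | base64 | tr -d '\n')
  [ "$again" = "$2" ] || return 1
  got=$(printf '%s' "$2" | base64 -d | wc -c | tr -d ' ')
  [ "$got" -eq "$want" ]
}

# config_private FILE
# Returns 0 if FILE grants no permissions to group or others, so the
# password in it is readable by the owner only (e.g. mode 600).
config_private() {
  # Columns 5-10 of `ls -ld` are the group and other permission bits.
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample values, for illustration only (never use a zero key).
SAMPLE_KEY=$(head -c 16 /dev/zero | base64)
check_ss_key 2022-blake3-aes-128-gcm "$SAMPLE_KEY" && echo "sample key: ok"
check_ss_key 2022-blake3-aes-128-gcm "example_password" || echo "example_password: rejected"
```

For the 32-byte methods, generate the key with openssl rand -base64 32, and set the config file to mode 600 so that config_private /etc/shadowsocks/server.json succeeds.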
3. Set up as a systemd Service
Test run the Shadowsocks server with the created config file:
sudo ssserver -c /etc/shadowsocks/server.json
Build a systemd service file to manage the Shadowsocks server as a background service:
sudo vim /etc/systemd/system/shadowsocks-rust.service
Add the following content to the service file as a template:
[Unit]
Description=Shadowsocks-Rust Service
After=network.target nss-lookup.target
[Service]
Type=simple
User=root
# Ensure access to the log path (ReadWritePaths= only has an effect when
# combined with a restriction such as ProtectSystem=)
ReadWritePaths=/var/log/
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
ExecStart=/usr/local/bin/ssserver -c /etc/shadowsocks/server.json
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=5s
[Install]
# Enable the service to start during multi-user runlevel boot
WantedBy=multi-user.target
- If you prefer to patch the config by adding an override file at /etc/systemd/system/shadowsocks-rust.service.d/override.conf:
  sudo SYSTEMD_EDITOR=vim systemctl edit shadowsocks-rust
- If you prefer managing logs via systemd instead of the built-in logging mechanism, add the following lines under the [Service] section in the service file or the override file, and make sure to remove or comment out the log section in the config file server.json created in Step 2:
  [Service]
  # Logging redirect
  StandardOutput=append:/var/log/shadowsocks/ss_rust.log
  StandardError=inherit
YOLO approach
If you want to skip systemd entirely (ignore all steps from Step 3 onward), run the server manually in the background using one of the following:
- Option 1: Use nohup to push the process to the background and pipe everything into a local log file.
  sudo nohup ssserver -c /etc/shadowsocks/server.json > ./shadowsocks.log 2>&1 &
- Option 2: Use the built-in daemon mode. Logs might be discarded to /dev/null in daemon mode.
  sudo ssserver -c /etc/shadowsocks/server.json -d
4. Start and Enable the Service
Reload systemd to recognize the new service, then start and enable it to run on boot:
# In case the directory does not exist, create it first
sudo mkdir -p /var/log/shadowsocks
# Re-scan the services under `/etc/systemd/system/`
sudo systemctl daemon-reload
# Start and enable the service
sudo systemctl start shadowsocks-rust && sudo systemctl enable shadowsocks-rust
# Or combine the last two commands as:
sudo systemctl enable --now shadowsocks-rust
# Check the service status
sudo systemctl status shadowsocks-rust
# Restart the service if config changes
sudo systemctl daemon-reload && sudo systemctl restart shadowsocks-rust
Check the log file for any runtime warnings/errors:
# View logs using journalctl
# -u: Unit filter. Shows logs only for the specified service.
# -f: Follow mode. Displays new log entries in real-time.
journalctl -u shadowsocks-rust -f
# Check the log file directly with colorized output using ccze
tail -f /var/log/shadowsocks/ss_rust.log | ccze -A
# Or using grc
grc tail -f /var/log/shadowsocks/ss_rust.log
# Or use less to view the entire log file (use F to enter follow mode)
less +G /var/log/shadowsocks/ss_rust.log
5. (Optional) Rotate the log file periodically using logrotate
sudo vim /etc/logrotate.d/shadowsocks-rust
Add the following content to the logrotate config file:
⚠️ Caution: Remove all inline comments in the actual configuration file. logrotate will fail to parse the directives if comments are present on the same line.
/var/log/shadowsocks/ss*.log {
    daily # Rotate logs daily
    rotate 7 # Keep 7 days worth of logs
    missingok # Don't error if the log file is missing
    notifempty # Don't rotate if the log file is empty
    compress # Compress rotated log files
    delaycompress # Delay compression until the next rotation
    dateext # Append date to rotated log file names
    # Script to run after log rotation
    sharedscripts
    postrotate
        # Reload the service to reopen log files
        # Only reload when the service is active, and mute all output to prevent errors
        /usr/bin/systemctl is-active --quiet shadowsocks-rust && /usr/bin/systemctl reload shadowsocks-rust > /dev/null 2>&1 || true
        /usr/bin/systemctl is-active --quiet shadowsocks-rust_legacy && /usr/bin/systemctl reload shadowsocks-rust_legacy > /dev/null 2>&1 || true
    endscript
}
- Alternatively, if you prefer to use copytruncate (less robust) instead of sending a reload signal to the service, replace the postrotate block with:
  copytruncate # Truncate the original log file after creating a copy
Test the logrotate configuration:
sudo logrotate --debug /etc/logrotate.d/shadowsocks-rust
References
- Gemini 3
- README - Shadowsocks-Rust: https://github.com/shadowsocks/shadowsocks-rust