Configure Multiple Users for Shadowsocks-libev

The original Python release of shadowsocks supports multiple users through configuration, by assigning different passwords on multiple ports.

{
    "server": "0.0.0.0",
    "port_password": {
        "8381": "foobar1",
        "8382": "foobar2",
        "8383": "foobar3",
        "8384": "foobar4"
    },
    "timeout": 300,
    "method": "aes-256-cfb"
}

Currently I am using shadowsocks-libev, which is the libev port of shadowsocks. And I also need to support the usage of multiple users. According to Madeye’s reply to the GitHub Issue, shadowsocks-libev does not support multi-port configuration:

Sorry, we have no plan to support multi port configuration. Actually you can use multiple instances instead. For example:

ss-server -c config1.json -f pid1
ss-server -c config2.json -f pid2
ss-server -c config3.json -f pid3

As the best practice we recommend for shadowsocks-libev, it helps to isolate each user in different processes and reconfigure each user’s port/password/encryption/timeout without reload/restart the whole service. Furthermore, this approach enables us to manage users with legacy control panels, for example old SSH / VHOST panels with each user’s ss-server running in its own space.

Compared to other implementations, shadowsocks-libev uses much fewer resources (about 1MB memory and hundreds of file descriptors in a typical usage) . As a result, this kind of multi processes should only introduce slight overhead and even works well for low end boxes.

I choose to use systemctl to manage the systemd instances of shadowsocks-libev. The following template unit files are installed in the /lib/systemd/system directory:

shadowsocks-libev-local@.service
shadowsocks-libev-redir@.service
shadowsocks-libev-server@.service
shadowsocks-libev-tunnel@.service

Take a look at the template unit file shadowsocks-libev-server@.service:

[Unit]
Description=Shadowsocks-Libev Custom Server Service for %I
Documentation=man:ss-server(1)
After=network.target

[Service]
Type=simple
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
ExecStart=/usr/bin/ss-server -c /etc/shadowsocks-libev/%i.json
User=nobody
Group=nobody
LimitNOFILE=32768

[Install]
WantedBy=multi-user.target

With the help of template unit files, service instances could be deployed and managed easily. For example, Cloud and Tifa, two AVALANCHE members, are planning to deploy shadowsocks-libev services on the same VPS to bypass the firewall of Shinra Inc. In this case, they could simply create cloud.json and tifa.json configurations with different ports, passwords and encryption methods in /etc/shadowsocks-libev directory. Then enable and start the systemd services using the following commands:

sudo systemctl enable shadowsocks-libev-server@cloud.service --now
sudo systemctl enable shadowsocks-libev-server@tifa.service --now

The status of shadowsocks-libev instances could be checked with the following commands:

sudo systemctl status shadowsocks-libev-server@cloud.service
sudo systemctl status shadowsocks-libev-server@tifa.service

That’s all done. Enjoy!