explaingit

toicf/cf-workers-shadowsocks

Analysis updated 2026-05-18

29Audience · developerComplexity · 3/5LicenseSetup · moderate

TLDR

An experimental Shadowsocks proxy that runs entirely inside a single Cloudflare Workers script, supporting 18 encryption methods.

Mindmap

mindmap
  root((CF Shadowsocks))
    What it does
      Encrypts traffic over WebSocket
      Runs inside a Worker
      Supports 18 cipher methods
    Tech stack
      Cloudflare Workers
      JavaScript
      WebSocket
    Use cases
      Research encryption methods
      Edge based proxying
      Compare with other proxy tools
    Audience
      Developers
      Researchers
    Setup
      Deploy to Workers
      Set password or PSK
      Match client config

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Test whether old and new Shadowsocks encryption methods work correctly in a single Worker file.

USE CASE 2

Run an encrypted proxy on Cloudflare's edge network instead of a dedicated server.

USE CASE 3

Compare method naming between this project, sing-box, NekoBox, and Xray.

What is it built with?

Cloudflare WorkersJavaScriptWebSocket

How does it compare?

toicf/cf-workers-shadowsocksasdaw4/forza-horizon-6-downloaddabit3/agent-hooks-in-depth
Stars292929
LanguagePython
Setup difficultymoderateeasymoderate
Complexity3/51/53/5
Audiencedevelopergeneraldeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires a Cloudflare Workers account and matching client side proxy settings.

You can use and modify this freely, but any distributed version, including modified copies, must also be released as open source under the same license.

In plain English

This project is an experimental implementation of the Shadowsocks proxy protocol built to run entirely inside a single Cloudflare Workers script. Shadowsocks is a method for tunneling internet traffic through an encrypted connection so that a third party watching the network cannot easily see what sites you are visiting. This version carries the traffic over WebSocket connections, which lets it run on Cloudflare's edge network instead of needing a dedicated server. The author describes this as research and learning code, built to test whether older Shadowsocks encryption methods, newer authenticated encryption methods, and the newest Shadowsocks 2022 standard can all work correctly together inside a single Cloudflare Worker file. It is not intended as production ready software, and the readme is upfront that it makes no promises about performance or stability under real traffic. The code supports 18 different encryption methods in total, covering the original unauthenticated ciphers, several AEAD authenticated ciphers such as AES-GCM and ChaCha20-Poly1305 variants, and the three methods defined by the newer Shadowsocks 2022 standard which use the BLAKE3 hashing algorithm. Because Shadowsocks encrypts its own data before it ever reaches the WebSocket layer, the project works whether or not the connection also uses TLS, since the encryption is happening at the Shadowsocks layer regardless. Configuration is done by editing a small object in the source file with a password, a pre shared key for the 2022 style methods, and a chosen encryption method name. The readme includes worked examples of how passwords and keys turn into the actual encryption keys the code uses. It also documents how the method names in this project map onto the naming used by other popular proxy tools like NekoBox, sing-box, and Xray, so users switching between tools can match settings correctly. The project is licensed under GPL-3.0 and the current implementation only handles TCP traffic over WebSocket, not the full Shadowsocks UDP protocol.

Copy-paste prompts

Prompt 1
Explain the difference between the AEAD and Shadowsocks 2022 encryption methods in this project.
Prompt 2
Help me configure the pw and psk values for the 2022-blake3-aes-128-gcm method.
Prompt 3
Why does this proxy work with or without TLS on top of it?
Prompt 4
What would it take to add UDP support to this Shadowsocks Worker?

Frequently asked questions

What is cf-workers-shadowsocks?

An experimental Shadowsocks proxy that runs entirely inside a single Cloudflare Workers script, supporting 18 encryption methods.

What license does cf-workers-shadowsocks use?

You can use and modify this freely, but any distributed version, including modified copies, must also be released as open source under the same license.

How hard is cf-workers-shadowsocks to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is cf-workers-shadowsocks for?

Mainly developer.

Open on GitHub → Explain another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.