连接前缀伪装
使用集合让一切井井有条
根据您的偏好保存内容并对其进行分类。
从 Outline 客户端 1.9.0 版开始,访问密钥支持“prefix”选项。“prefix”是一个字节列表,用作 Shadowsocks TCP 连接的盐的第一个字节。
这可以让连接看起来像是网络允许的协议,从而绕过会拒绝陌生协议的防火墙。
何时尝试此选项?
如果您怀疑自己的 Outline 部署的用户仍然处于被封锁状态,不妨考虑尝试一些不同的 prefix。
操作说明
prefix 不应超过 16 个字节。prefix 太长可能会导致盐冲突,进而影响到加密安全性,造成连接被检测到。请使用尽可能短的 prefix,这有助于绕过您当前面临的封锁。
您使用的端口应与 prefix 所伪装的协议相匹配。IANA 维护着一个传输协议端口号注册表,该表将协议和端口号对应起来。
下面是一些可伪装成常见协议的有效 prefix 示例:
|
建议的端口 |
JSON 编码格式 |
网址编码格式 |
HTTP 请求 |
80 (http) |
"POST " |
POST%20 |
HTTP 响应 |
80 (http) |
"HTTP/1.1 " |
HTTP%2F1.1%20 |
DNS-over-TCP 请求 |
53 (dns) |
"\u0005\u00DC\u005F\u00E0\u0001\u0020" |
%05%C3%9C_%C3%A0%01%20 |
TLS ClientHello |
443 (https)、463 (smtps)、563 (nntps)、636 (ldaps)、989 (ftps-data)、990 (ftps)、993 (imaps)、995 (pop3s)、5223 (Apple APN)、5228 (Play 商店)、5349 (turns) |
"\u0016\u0003\u0001\u0000\u00a8\u0001\u0001" |
%16%03%01%00%C2%A8%01%01 |
TLS 应用数据 |
443 (https)、463 (smtps)、563 (nntps)、636 (ldaps)、989 (ftps-data)、990 (ftps)、993 (imaps)、995 (pop3s)、5223 (Apple APN)、5228 (Play 商店)、5349 (turns) |
"\u0013\u0003\u0003\u003F" |
%13%03%03%3F |
TLS ServerHello |
443 (https)、463 (smtps)、563 (nntps)、636 (ldaps)、989 (ftps-data)、990 (ftps)、993 (imaps)、995 (pop3s)、5223 (Apple APN)、5228 (Play 商店)、5349 (turns) |
"\u0016\u0003\u0003\u0040\u0000\u0002" |
%16%03%03%40%00%02 |
SSH |
22 (ssh)、830 (netconf-ssh)、4334 (netconf-ch-ssh)、5162 (snmpssh-trap) |
"SSH-2.0\r\n" |
SSH-2.0%0D%0A |
动态访问密钥
如需将 prefix 功能与动态访问密钥 (ssconf://
) 搭配使用,请为 JSON 对象添加一个“prefix”键,并采用 JSON 编码值来表示所需的 prefix(请参见上方表格中的示例)。您可以使用转义代码(例如 \u00FF)来表示 U+0
至 U+FF
范围内不可打印的 Unicode 代码点。例如:
{
"server": "example.com",
"server_port": 8388,
"password": "example",
"method": "chacha20-ietf-poly1305",
"prefix": "\u0005\u00DC\u005F\u00E0\u0001\u0020"
}
静态访问密钥
如需将 prefix 与静态访问密钥 (ss://) 搭配使用,您需要修改现有的密钥,然后再进行分发。如果您拥有 Outline 管理器生成的静态访问密钥,请提取网址编码格式的 prefix(请参见上方表格中的示例),然后将其添加到访问密钥的末尾,例如:
ss://Z34nthataITHiTNIHTohithITHbVBqQ1o3bkk@127.0.0.1:33142/?outline=1&prefix=<your url-encoded prefix goes here>
对于高级用户,您可以使用浏览器的 encodeURIComponent()
函数,将 JSON 编码格式的 prefix 转换为网址编码格式的 prefix。为此,请打开 Web Inspector 控制台(在 Chrome 中依次找到*“开发者”>“JavaScript Web 控制台”*),然后输入以下内容:
encodeURIComponent("<your json-encoded prefix goes here>")
按 Enter 键。所生成的值将采用*网址编码*格式。例如:
encodeURIComponent("\u0016\u0003\u0001\u0000\u00a8\u0001\u0001")
'%16%03%01%00%C2%A8%01%01'
如未另行说明,那么本页面中的内容已根据知识共享署名 4.0 许可获得了许可,并且代码示例已根据 Apache 2.0 许可获得了许可。有关详情,请参阅 Google 开发者网站政策。Java 是 Oracle 和/或其关联公司的注册商标。
最后更新时间 (UTC):2025-07-25。
[null,null,["最后更新时间 (UTC):2025-07-25。"],[[["\u003cp\u003eOutline Client version 1.9.0 and later supports the "prefix" option for access keys, allowing users to define a sequence of bytes at the beginning of the Shadowsocks TCP connection salt.\u003c/p\u003e\n"],["\u003cp\u003eThe "prefix" feature is designed to help bypass firewalls by making connections appear to use a recognized protocol, and is useful if users are being blocked.\u003c/p\u003e\n"],["\u003cp\u003ePrefixes should not exceed 16 bytes to avoid salt collisions and potential compromise of encryption, with shorter prefixes being recommended.\u003c/p\u003e\n"],["\u003cp\u003eThe selected port should align with the protocol the prefix is mimicking, and several examples of effective prefixes are provided for common protocols like HTTP, DNS, TLS, and SSH.\u003c/p\u003e\n"],["\u003cp\u003eDynamic Access Keys require adding a JSON-encoded "prefix" key, while Static Access Keys need the URL-encoded prefix appended to the key, and a browser's \u003ccode\u003eencodeURIComponent()\u003c/code\u003e function can convert between the two formats.\u003c/p\u003e\n"]]],["Outline Client version 1.9.0 and later supports the \"prefix\" option for access keys. Prefixes are byte lists placed at the beginning of the Shadowsocks TCP connection salt, masking the connection as a recognized protocol. To implement, select a prefix (max 16 bytes) resembling a common protocol (e.g., \"HTTP/1.1 \") and a matching port from IANA. Dynamic Access Keys use JSON-encoded prefixes, while Static Access Keys require URL-encoded prefixes added to the access key URL.\n"],null,["# Connection Prefix Disguises\n\nAs of Outline Client version 1.9.0, access keys support the \"prefix\" option. The\n\"prefix\" is a list of bytes used as the first bytes of the\n[salt](https://shadowsocks.org/guide/aead.html) of a Shadowsocks connection.\nThis can make the connection look like a protocol that is allowed in the\nnetwork, circumventing firewalls that reject protocols they don't recognize.\n\nWhen should I try this?\n-----------------------\n\nIf you suspect the users of your Outline deployment are still being blocked, you\nmay want to consider trying a few different prefixes.\n\nInstructions\n------------\n\nThe prefix should be no longer than 16 bytes. Longer prefixes may cause salt\ncollisions, which can compromise the encryption safety and cause connections to\nbe detected. Use the shortest prefix you can to bypass the blocking you are\nfacing.\n\nThe port you use should match the protocol that your prefix is pretending to be.\nIANA keeps a [transport protocol port number registry](https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml)\nthat maps protocols and port numbers.\n\nSome examples of effective TCP prefixes that look like common protocols:\n\n| | Recommended Port | YAML-encoded | URL-encoded |\n|----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------|----------------------------|\n| HTTP request | 80 (http) | `\"POST \"` | `POST%20` |\n| HTTP response | 80 (http) | `\"HTTP/1.1 \"` | `HTTP%2F1.1%20` |\n| DNS-over-TCP request | 53 (dns) | `\"\\u0005\\u00DC\\u005F\\u00E0\\u0001\\u0020\"` | `%05%C3%9C_%C3%A0%01%20` |\n| TLS ClientHello | 443 (https), 463 (smtps), 563 (nntps), 636 (ldaps), 989 (ftps-data), 990 (ftps), 993 (imaps), 995 (pop3s), 5223 (Apple APN), 5228 (Play Store), 5349 (turns) | `\"\\u0016\\u0003\\u0001\\u0000\\u00a8\\u0001\\u0001\"` | `%16%03%01%00%C2%A8%01%01` |\n| TLS Application Data | 443 (https), 463 (smtps), 563 (nntps), 636 (ldaps), 989 (ftps-data), 990 (ftps), 993 (imaps), 995 (pop3s), 5223 (Apple APN), 5228 (Play Store), 5349 (turns) | `\"\\u0013\\u0003\\u0003\\u003F\"` | `%13%03%03%3F` |\n| TLS ServerHello | 443 (https), 463 (smtps), 563 (nntps), 636 (ldaps), 989 (ftps-data), 990 (ftps), 993 (imaps), 995 (pop3s), 5223 (Apple APN), 5228 (Play Store), 5349 (turns) | `\"\\u0016\\u0003\\u0003\\u0040\\u0000\\u0002\"` | `%16%03%03%40%00%02` |\n| SSH | 22 (ssh), 830 (netconf-ssh), 4334 (netconf-ch-ssh), 5162 (snmpssh-trap) | `\"SSH-2.0\\r\\n\"` | `SSH-2.0%0D%0A` |\n\nSome examples of effective UDP prefixes that look like common protocols:\n\n| | Recommended Port | YAML-encoded |\n|---------------------|------------------|--------------------------------------------------------------------------------|\n| DNS request | 53 (dns) | `\"\\u006b\\u007b\\u0001\\u0020\"` (note: randomize the first two bytes) |\n| DNS response | 53 (dns) | `\"\\u006b\\u007b\\u0081\\u00a0\\u0000\\u0001\"` (note: randomize the first two bytes) |\n| QUIC Client Initial | 443 (https) | `\"\\u00cd\\u0000\\u0000\\u0000\\u0001\"` |\n\n### Dynamic Access Keys\n\nTo use the prefix feature with [Dynamic Access Keys](/outline/docs/guides/service-providers/dynamic-access-keys) (`ssconf://`),\nadd a \"prefix\" key to the YAML object, with a **YAML-encoded** value\nrepresenting the prefix you want_ (see examples in the table above)_. You can\nuse escape codes (like \\\\u00FF) to represent non-printable Unicode codepoints in\nthe `U+0` to `U+FF` range. For example: \n\n transport:\n $type: tcpudp\n tcp:\n \u003c\u003c: &shared\n $type: shadowsocks\n endpoint: 147.182.248.224:20478\n secret: cqXYJ2BtMyNHneQHjpIXyg\n cipher: chacha20-ietf-poly1305\n prefix: \"\\u0013\\u0003\\u0003\\u003F\"\n udp:\n \u003c\u003c: *shared\n prefix: \"\\u006b\\u007b\\u0001\\u0020\"\n\n### Static Access Keys\n\nTo use prefixes with **Static Access Keys** (ss://), you'll need to modify your\nexisting key before distributing it. If you have a Static Access Key generated\nby Outline Manager, grab a **URL-encoded** version of your prefix (see examples\nof these in the table above) and add it to the end of the access key like so:\n\n`ss://Z34nthataITHiTNIHTohithITHbVBqQ1o3bkk@127.0.0.1:33142/?outline=1&prefix=\u003cyour url-encoded prefix goes here\u003e`\n\nPrefixes in the URL format only work for TCP connections.\n\nFor advanced users, you can use your browser's `encodeURIComponent()` function\nto convert your **JSON-encoded** prefix to a **URL-encoded** one. To do this,\nopen your web inspector console\n(\\*Developer \\\u003e Javascript Web Console \\*on Chrome), and type the following: \n\n encodeURIComponent(\"\u003cyour json-encoded prefix goes here\u003e\")\n\nPress enter. The value produced will be the \\*URL-encoded \\*version. For example: \n\n encodeURIComponent(\"\\u0016\\u0003\\u0001\\u0000\\u00a8\\u0001\\u0001\")\n '%16%03%01%00%C2%A8%01%01'"]]