AI-generated Key Takeaways
- 
          Outline Client version 1.9.0 and later supports the "prefix" option for access keys, allowing users to define a sequence of bytes at the beginning of the Shadowsocks TCP connection salt. 
- 
          The "prefix" feature is designed to help bypass firewalls by making connections appear to use a recognized protocol, and is useful if users are being blocked. 
- 
          Prefixes should not exceed 16 bytes to avoid salt collisions and potential compromise of encryption, with shorter prefixes being recommended. 
- 
          The selected port should align with the protocol the prefix is mimicking, and several examples of effective prefixes are provided for common protocols like HTTP, DNS, TLS, and SSH. 
- 
          Dynamic Access Keys require adding a JSON-encoded "prefix" key, while Static Access Keys need the URL-encoded prefix appended to the key, and a browser's encodeURIComponent()function can convert between the two formats.
As of Outline Client version 1.9.0, access keys support the "prefix" option. The "prefix" is a list of bytes used as the first bytes of the salt of a Shadowsocks connection. This can make the connection look like a protocol that is allowed in the network, circumventing firewalls that reject protocols they don't recognize.
When should I try this?
If you suspect the users of your Outline deployment are still being blocked, you may want to consider trying a few different prefixes.
Instructions
The prefix should be no longer than 16 bytes. Longer prefixes may cause salt collisions, which can compromise the encryption safety and cause connections to be detected. Use the shortest prefix you can to bypass the blocking you are facing.
The port you use should match the protocol that your prefix is pretending to be. IANA keeps a transport protocol port number registry that maps protocols and port numbers.
Some examples of effective TCP prefixes that look like common protocols:
| Recommended Port | YAML-encoded | URL-encoded | |
|---|---|---|---|
| HTTP request | 80 (http) | "POST " | POST%20 | 
| HTTP response | 80 (http) | "HTTP/1.1 " | HTTP%2F1.1%20 | 
| DNS-over-TCP request | 53 (dns) | "\u0005\u00DC\u005F\u00E0\u0001\u0020" | %05%C3%9C_%C3%A0%01%20 | 
| TLS ClientHello | 443 (https), 463 (smtps), 563 (nntps), 636 (ldaps), 989 (ftps-data), 990 (ftps), 993 (imaps), 995 (pop3s), 5223 (Apple APN), 5228 (Play Store), 5349 (turns) | "\u0016\u0003\u0001\u0000\u00a8\u0001\u0001" | %16%03%01%00%C2%A8%01%01 | 
| TLS Application Data | 443 (https), 463 (smtps), 563 (nntps), 636 (ldaps), 989 (ftps-data), 990 (ftps), 993 (imaps), 995 (pop3s), 5223 (Apple APN), 5228 (Play Store), 5349 (turns) | "\u0013\u0003\u0003\u003F" | %13%03%03%3F | 
| TLS ServerHello | 443 (https), 463 (smtps), 563 (nntps), 636 (ldaps), 989 (ftps-data), 990 (ftps), 993 (imaps), 995 (pop3s), 5223 (Apple APN), 5228 (Play Store), 5349 (turns) | "\u0016\u0003\u0003\u0040\u0000\u0002" | %16%03%03%40%00%02 | 
| SSH | 22 (ssh), 830 (netconf-ssh), 4334 (netconf-ch-ssh), 5162 (snmpssh-trap) | "SSH-2.0\r\n" | SSH-2.0%0D%0A | 
Some examples of effective UDP prefixes that look like common protocols:
| Recommended Port | YAML-encoded | |
|---|---|---|
| DNS request | 53 (dns) | "\u006b\u007b\u0001\u0020"(note: randomize the first two bytes) | 
| DNS response | 53 (dns) | "\u006b\u007b\u0081\u00a0\u0000\u0001"(note: randomize the first two bytes) | 
| QUIC Client Initial | 443 (https) | "\u00cd\u0000\u0000\u0000\u0001" | 
Dynamic Access Keys
To use the prefix feature with Dynamic Access Keys (ssconf://),
add a "prefix" key to the YAML object, with a YAML-encoded value
representing the prefix you want_ (see examples in the table above)_. You can
use escape codes (like \u00FF) to represent non-printable Unicode codepoints in
the U+0 to U+FF range. For example:
transport:
  $type: tcpudp
  tcp:
    <<: &shared
      $type: shadowsocks
      endpoint: 147.182.248.224:20478
      secret: cqXYJ2BtMyNHneQHjpIXyg
      cipher: chacha20-ietf-poly1305
    prefix: "\u0013\u0003\u0003\u003F"
  udp:
    <<: *shared
    prefix: "\u006b\u007b\u0001\u0020"
Static Access Keys
To use prefixes with Static Access Keys (ss://), you'll need to modify your existing key before distributing it. If you have a Static Access Key generated by Outline Manager, grab a URL-encoded version of your prefix (see examples of these in the table above) and add it to the end of the access key like so:
ss://Z34nthataITHiTNIHTohithITHbVBqQ1o3bkk@127.0.0.1:33142/?outline=1&prefix=<your url-encoded prefix goes here>
Prefixes in the URL format only work for TCP connections.
For advanced users, you can use your browser's encodeURIComponent() function
to convert your JSON-encoded prefix to a URL-encoded one. To do this,
open your web inspector console
(*Developer > Javascript Web Console *on Chrome), and type the following:
encodeURIComponent("<your json-encoded prefix goes here>")
Press enter. The value produced will be the *URL-encoded *version. For example:
encodeURIComponent("\u0016\u0003\u0001\u0000\u00a8\u0001\u0001")
'%16%03%01%00%C2%A8%01%01'
