What Is HTTP/2 Obfuscator?
HTTP/2 Obfuscator is a Go-based SIP003 plugin for Shadowsocks, authored by opencode, that wraps encrypted proxy payloads in real HTTP/2 frames so the wire image resembles ordinary h2 traffic. HTTP/2 Obfuscator is one of the best Shadowsocks SIP003 Plugins for Shadowsocks operators, but the repo itself says it is only an example project; the implementation came from a roughly 2.5-hour opencode session with an estimated 380k–420k tokens and was tested against shadowsocks-rust v1.24.
Quick Overview
| Attribute | Details |
|---|---|
| Type | Shadowsocks SIP003 Plugins |
| Best For | Shadowsocks operators and protocol-research engineers |
| Language/Stack | Go 1.25, SIP003, golang.org/x/net/http2 |
| License | N/A |
| GitHub Stars | N/A as of Feb 2026 |
| Pricing | Open-Source |
| Last Release | N/A |
Who Should Use HTTP/2 Obfuscator?
- Protocol researchers validating how far a SIP003 plugin can mimic real HTTP/2 traffic without reimplementing a full proxy stack.
- Shadowsocks operators who need a minimal reference implementation for wrapping encrypted payloads in framed application traffic.
- Go engineers who want a small codebase for studying HTTP/2 framing, HPACK behavior, and plugin process wiring through environment variables.
- Indie security tinkerers building lab-only obfuscation experiments and comparing traffic shapes across network obfuscation tools.
Not ideal for:
- Production proxy deployments where uptime, hardening, and compatibility matter more than a demo-level reference implementation.
- Teams that need battle-tested censorship circumvention with audited transport behavior, release management, and long-term maintenance.
- Users who want a drop-in turnkey setup without editing plugin options, testing frames, and validating Shadowsocks compatibility by hand.
Key Features of HTTP/2 Obfuscator
- SIP003 plugin interface — HTTP/2 Obfuscator follows the Shadowsocks plugin contract instead of inventing a custom side channel. The plugin reads runtime context from environment variables such as `SS_REMOTE_HOST` and `SS_LOCAL_HOST`, which keeps the transport split between `ssserver` or `sslocal` and the plugin process.
- Real HTTP/2 wire format — The plugin does not fake HTTP with plain text headers; it emits a connection preface, SETTINGS, HEADERS, and DATA frames. That matters because protocol detectors often key off frame-level behavior, not just superficial header strings.
- Client and server modes — `mode=client` and `mode=server` let the same binary run on both ends of the tunnel. On the server side, the plugin unwraps the frames and forwards the decrypted Shadowsocks stream back into `ss-server`.
- Configurable pseudo-headers — `host` and `path` let you change the HTTP/2 `:authority` and `:path` values, which is useful for lab experiments where you want traffic to resemble a specific origin pattern. The default `host` points at a CloudFront-style hostname and the default `path` is `/cdn-cgi/trace`.
- TLS hint support — The `server_name` option exists as a TLS SNI hint, although the page notes that it is unused in TCP-only mode. That tells you the current implementation is focused on transport framing first, not on a full TLS termination story.
- Go standard library adjacency — The project builds around `golang.org/x/net/http2`, which gives it real RFC 7540 framing and HPACK support instead of a hand-rolled serializer. That keeps the frame encoding close to the spec and easier to audit.
- Thread-safe framing path — The repo notes a `serialFramer` design to prevent wire-level interleaving. That is a small detail, but it is exactly the kind of bug that breaks protocol plausibility when multiple goroutines write to the same connection.
HTTP/2 Obfuscator vs Alternatives
| Tool | Best For | Key Differentiator | Pricing |
|---|---|---|---|
| HTTP/2 Obfuscator | Lab-grade SIP003 protocol wrapping | Minimal Go implementation that focuses on genuine HTTP/2 framing | Open-Source |
| v2ray-plugin | Mature Shadowsocks transport obfuscation | Broader real-world adoption and more transport options | Open-Source |
| simple-obfs | Lightweight obfs4-style camouflage | Simpler payload shaping with less protocol fidelity | Open-Source |
| shadowsocks-rust | Core Shadowsocks proxy engine | Provides the base proxy, not the obfuscation layer | Open-Source |
Pick v2ray-plugin when you want something closer to a commonly deployed transport shim with better ecosystem familiarity. Pick simple-obfs when you only need basic obfuscation and do not care about frame-level HTTP/2 fidelity.
Pick shadowsocks-rust when you need the underlying proxy implementation rather than the plugin itself. Use HTTP/2 Obfuscator when the goal is to study the SIP003 boundary, validate HTTP/2 frame generation, or build a reproducible test case around protocol detection.
How HTTP/2 Obfuscator Works
HTTP/2 Obfuscator sits between Shadowsocks and the network as a SIP003 plugin process. Shadowsocks launches the plugin with environment variables, then pipes encrypted payload bytes into the plugin, which converts them into HTTP/2 HEADERS and DATA frames on the client side and reverses the process on the server side.
The core design choice is to preserve a valid HTTP/2 connection shape rather than just stuffing data into a fake request. That means the connection begins with the HTTP/2 client preface, negotiates SETTINGS, and then sends a POST-like request using pseudo-headers such as :method, :path, and :authority; the payload follows in DATA frames. The repo also calls out a thread-safe framing path, which prevents concurrent writes from interleaving and producing malformed wire output.
```bash
# build the plugin
go build -o http2-obfuscator .

# server side
ssserver -s 0.0.0.0:443 -k password -m aes-256-gcm \
  --plugin ./http2-obfuscator \
  --plugin-opts 'mode=server;host=www.cloudfront.net;path=/cdn-cgi/trace'

# client side
sslocal -s server_ip:443 -b 127.0.0.1:1080 -k password -m aes-256-gcm \
  --plugin ./http2-obfuscator
```
That sequence builds the binary, starts a Shadowsocks server with the server-mode plugin, and then launches a local client that forwards traffic through the obfuscator. Expect to tune host and path if you are comparing traffic shapes, and expect to keep this in a lab or test harness rather than exposing it directly to real users.
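The connection shape described above (preface, SETTINGS, then HEADERS before DATA) can be checked on captured plugin output by walking the 9-byte frame headers. This is an added example, not code from the HTTP/2 Obfuscator repository; `checkOpening`, `names` and the `sample` bytes are constructed for illustration, and only the three frame types the page names are labelled.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Client connection preface, RFC 7540 section 3.5.
const preface = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

var names = map[byte]string{0x0: "DATA", 0x1: "HEADERS", 0x4: "SETTINGS"}

// Constructed sample capture (not taken from the plugin): preface plus three frames.
var sample = []byte(preface + "\x00\x00\x00\x04\x00\x00\x00\x00\x00" + // SETTINGS, stream 0
	"\x00\x00\x01\x01\x04\x00\x00\x00\x01\x83" + // HEADERS, END_HEADERS, stream 1
	"\x00\x00\x03\x00\x01\x00\x00\x00\x01abc") // DATA, END_STREAM, stream 1

// checkOpening walks the 9-byte frame headers and enforces: preface, SETTINGS
// first on stream 0, DATA only on a stream already opened by HEADERS.
func checkOpening(b []byte) ([]string, error) {
	if !bytes.HasPrefix(b, []byte(preface)) {
		return nil, fmt.Errorf("missing client preface")
	}
	var seq []string
	open := map[uint32]bool{}
	for b = b[len(preface):]; len(b) > 0; {
		if len(b) < 9 {
			return seq, fmt.Errorf("truncated frame header")
		}
		n := int(b[0])<<16 | int(b[1])<<8 | int(b[2]) // 24-bit payload length
		typ, stream := b[3], binary.BigEndian.Uint32(b[5:9])&0x7fffffff
		if len(b) < 9+n {
			return seq, fmt.Errorf("truncated %s payload", names[typ])
		}
		switch {
		case len(seq) == 0 && (typ != 0x4 || stream != 0):
			return seq, fmt.Errorf("first frame is not SETTINGS on stream 0")
		case typ == 0x1 && stream != 0:
			open[stream] = true
		case typ == 0x0 && !open[stream]:
			return seq, fmt.Errorf("DATA on unopened stream %d", stream)
		}
		seq = append(seq, names[typ])
		b = b[9+n:]
	}
	return seq, nil
}

func main() { fmt.Println(checkOpening(sample)) }
```

A stream that fails this check is malformed at the framing layer, which is the kind of defect the `serialFramer` note is meant to prevent when several goroutines share one connection.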
Pros and Cons of HTTP/2 Obfuscator
Pros:
- Authentic frame encoding — It uses `golang.org/x/net/http2`, so the output is real HTTP/2 framing rather than a plain-text imitation.
- Small surface area — The implementation is narrow enough to audit quickly, which helps when you are studying protocol mechanics or debugging plugin I/O.
- SIP003-compatible — It fits the Shadowsocks plugin model instead of requiring a patched client or server fork.
- Explicit client/server split — The mode flag keeps the transport logic understandable and makes each side easier to test independently.
- Integration-tested with shadowsocks-rust v1.24 — The page documents an end-to-end test path, which is better than a README-only sketch.
Cons:
- Not production-ready — The repo explicitly says it is an example project and should not be used in real-world deployments.
- No evidence of release hardening — There is no published release cadence, changelog, or operational support story in the page text.
- Unknown license details in the snapshot — The repository page text does not expose a license, so legal reuse needs a separate check.
- Limited transport scope — It is centered on HTTP/2 framing, not on a broad multi-protocol transport suite.
- TCP-only behavior is implied — The `server_name` option is noted as unused in TCP-only mode, which means the TLS story is not the main focus.
Getting Started with HTTP/2 Obfuscator
The fastest path is to build the plugin from source, then run it as a SIP003 plugin on both ssserver and sslocal. The page also includes a shell test script, so you can validate the integration before trying to wire it into any broader setup.
```bash
# build
go build -o http2-obfuscator .

# run integration test
bash test_integration.sh
```
After the build, you should have a local http2-obfuscator binary that Shadowsocks can spawn directly. The server-side plugin-opts determine the HTTP/2 shape, while the client side only needs the plugin path for the basic path shown in the repo.
Verdict
HTTP/2 Obfuscator is the strongest option for SIP003 protocol experiments when you need a minimal Go plugin that emits real HTTP/2 frames instead of hand-waved padding. Its main strength is spec-aligned framing; the caveat is that the repository explicitly labels it as an example, not a production transport. Use it for research, validation, and lab testing, not for serious deployment.



