AnyTLS — mihomo
mihomo speaks AnyTLS on both sides, with the standard mihomo conventions (cipher-free; outbound carries TLS / ECH / uTLS knobs at the top level).
Outbound
Entry under proxies: with type: anytls. Embeds BasicOption.
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
name | string | (required) | <string> | Unique proxy name. |
server | string | (required) | <host> | Upstream server hostname or IP. |
port | int | (required) | <port> | Upstream server port. |
password | string | (required) | <string> | Server password. |
alpn | []string | [] | h2 | http/1.1 | ALPN list offered during the TLS handshake. |
sni | string | (server) | <SNI> | TLS Server Name Indication. |
ech-opts | ECHOptions | (disabled) | ECHOptions | Encrypted Client Hello configuration. |
client-fingerprint | string | (global) | chrome | firefox | safari | ios | edge | random | randomized | uTLS client-hello fingerprint. |
skip-cert-verify | bool | false | true | false | Disable TLS verification (test only). |
fingerprint | string | (unset) | <SHA256 hex> | Pin the server's TLS certificate fingerprint. |
certificate | string | (unset) | <PEM file path> | Client certificate (mTLS). |
private-key | string | (unset) | <key file path> | Private key for `certificate`. |
udp | bool | false | true | false | Allow UDP packets to be relayed through this outbound. |
idle-session-check-interval | int | 0 | <seconds> | Session-pool scan interval. 0 keeps the runtime default. |
idle-session-timeout | int | 0 | <seconds> | Sessions idle longer than this many seconds are recycled. 0 keeps the runtime default. |
min-idle-session | int | 0 | <int> | Minimum warm sessions to keep in the pool. |
Source: adapter/outbound/anytls.go:25-43 · pinned at v1.19.27 (5184081)
Inbound
Entry under listeners: with type: anytls. Embeds BaseOption.
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
users | map[string]string | {} | {<username>: <password>} | User table — username → password. |
certificate | string | (required) | <PEM file path> | TLS server certificate. |
private-key | string | (required) | <key file path> | TLS private key. |
client-auth-type | string | (none) | no-client-cert | request-client-cert | require-any-client-cert | verify-client-cert-if-given | require-and-verify-client-cert | Mutual-TLS client-auth mode. |
client-auth-cert | string | (unset) | <PEM file path> | CA bundle accepted as client roots. |
ech-key | string | (unset) | <ECH config> | Encrypted Client Hello material. |
allow-insecure | bool | false | true | false | Skip TLS client-certificate verification on the listener (testing only). |
padding-scheme | string | (server default) | <scheme> | Custom padding scheme. Single string; the upstream protocol-spec format. |
Source: listener/inbound/anytls.go:12-22 · pinned at v1.19.27 (5184081)
Examples
Outbound:
yaml
proxies:
- name: anytls
type: anytls
server: example.com
port: 443
password: <password>
sni: example.com
alpn: [h2, http/1.1]
udp: true
client-fingerprint: chrome
idle-session-check-interval: 30
idle-session-timeout: 60
min-idle-session: 4Inbound:
yaml
listeners:
- name: anytls-in
type: anytls
listen: 0.0.0.0
port: 443
users:
alice: <alice-password>
bob: <bob-password>
certificate: /etc/mihomo/server.crt
private-key: /etc/mihomo/server.keyNotes
- mihomo uses seconds for the three session-pool timeouts; sing-box uses duration strings (
"30s") for the same fields. The field-name spelling is also different — kebab-case here, snake_case there. users:is a YAML map of username → password, mirroring mihomo's TUIC and Hysteria2 inbounds.- mihomo's outbound carries TLS, ECH, and uTLS-fingerprint knobs inline. sing-box places these in the embedded
tls:block.
Cross-core notes
- Xray-core does not support AnyTLS. See AnyTLS — Xray-core.
- sing-box uses snake_case field names, takes Go-style duration strings for the session-pool timeouts, and lists users as a
[{name, password}]array. See AnyTLS — sing-box.
Source: adapter/outbound/anytls.go:25-43 · v1.19.27 (5184081)