HTTP & SOCKS — mihomo
mihomo splits the inbound side into three listener types — http, socks, and mixed (HTTP+SOCKS on one port) — each with a separate Go struct. Outbounds keep them separate: type: http and type: socks5. TLS is supported on every variant via the listener's certificate fields.
HTTP outbound
Entry under proxies: with type: http. Embeds BasicOption.
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
name | string | (required) | <string> | Unique proxy name. |
server | string | (required) | <host> | Upstream HTTP-proxy host. |
port | int | (required) | <port> | Upstream port. |
username | string | (unset) | <string> | HTTP Basic auth username. |
password | string | (unset) | <string> | HTTP Basic auth password. |
tls | bool | false | true | false | Wrap the upstream connection in TLS (HTTPS proxy). |
sni | string | (server) | <SNI> | TLS Server Name Indication. |
skip-cert-verify | bool | false | true | false | Disable TLS verification (test only). |
fingerprint | string | (unset) | <SHA256 hex> | Pin the server's TLS certificate fingerprint. |
certificate | string | (unset) | <PEM file path> | Client certificate (mTLS). |
private-key | string | (unset) | <key file path> | Private key for `certificate`. |
headers | map[string]string | {} | {<header>: <value>} | Extra HTTP headers added to every request. |
Source: adapter/outbound/http.go:28-42 · pinned at v1.19.27 (5184081)
SOCKS5 outbound
Entry under proxies: with type: socks5. Embeds BasicOption.
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
name | string | (required) | <string> | Unique proxy name. |
server | string | (required) | <host> | Upstream SOCKS host. |
port | int | (required) | <port> | Upstream port. |
username | string | (unset) | <string> | SOCKS5 username. |
password | string | (unset) | <string> | SOCKS5 password. |
tls | bool | false | true | false | Wrap the SOCKS connection in TLS. |
udp | bool | false | true | false | Enable SOCKS5 UDP-associate. |
skip-cert-verify | bool | false | true | false | Disable TLS verification (test only). |
fingerprint | string | (unset) | <SHA256 hex> | Pin the server's TLS certificate fingerprint. |
certificate | string | (unset) | <PEM file path> | Client certificate (mTLS). |
private-key | string | (unset) | <key file path> | Private key for `certificate`. |
Source: adapter/outbound/socks5.go:30-43 · pinned at v1.19.27 (5184081)
HTTP inbound
Entry under listeners: with type: http. Embeds BaseOption.
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
users | AuthUsers | [] | <AuthUsers> | Accepted users. Each entry is a `user:pass` string. |
certificate | string | (unset) | <PEM file path> | Optional TLS cert (HTTPS proxy). Pair with `private-key`. |
private-key | string | (unset) | <key file path> | TLS private key. |
client-auth-type | string | (none) | no-client-cert | request-client-cert | require-any-client-cert | verify-client-cert-if-given | require-and-verify-client-cert | Mutual-TLS client-auth mode. |
client-auth-cert | string | (unset) | <PEM file path> | CA bundle accepted as client roots. |
ech-key | string | (unset) | <ECH config> | Encrypted Client Hello material. |
reality-config | RealityConfig | (disabled) | RealityConfig | REALITY server configuration. |
Source: listener/inbound/http.go:14-23 · pinned at v1.19.27 (5184081)
SOCKS inbound
Entry under listeners: with type: socks. Embeds BaseOption.
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
users | AuthUsers | [] | <AuthUsers> | Accepted users. |
udp | bool | false | true | false | Enable SOCKS5 UDP-associate. |
certificate | string | (unset) | <PEM file path> | Optional TLS cert. |
private-key | string | (unset) | <key file path> | TLS private key. |
client-auth-type | string | (none) | <see HTTP> | Same as HTTP inbound. |
client-auth-cert | string | (unset) | <PEM file path> | Same as HTTP inbound. |
ech-key | string | (unset) | <ECH config> | Encrypted Client Hello material. |
reality-config | RealityConfig | (disabled) | RealityConfig | REALITY server configuration. |
Source: listener/inbound/socks.go:14-24 · pinned at v1.19.27 (5184081)
Mixed inbound (HTTP + SOCKS)
Entry under listeners: with type: mixed. Multiplexes HTTP and SOCKS5 on a single port — the first byte of the client request decides which half handles the connection.
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
users | AuthUsers | [] | <AuthUsers> | Accepted users (shared between HTTP and SOCKS halves). |
udp | bool | false | true | false | Enable SOCKS5 UDP-associate on the SOCKS half. |
certificate | string | (unset) | <PEM file path> | Optional TLS cert. |
private-key | string | (unset) | <key file path> | TLS private key. |
client-auth-type | string | (none) | <see HTTP> | Same as HTTP inbound. |
client-auth-cert | string | (unset) | <PEM file path> | Same as HTTP inbound. |
ech-key | string | (unset) | <ECH config> | Encrypted Client Hello material. |
reality-config | RealityConfig | (disabled) | RealityConfig | REALITY server configuration. |
Source: listener/inbound/mixed.go:15-25 · pinned at v1.19.27 (5184081)
Examples
HTTP outbound:
yaml
proxies:
- name: http-upstream
type: http
server: upstream.example.com
port: 8080
username: alice
password: <password>
tls: true
sni: upstream.example.comSOCKS5 outbound with UDP:
yaml
proxies:
- name: socks-upstream
type: socks5
server: upstream.example.com
port: 1080
username: alice
password: <password>
udp: trueMixed inbound for client devices:
yaml
listeners:
- name: client-mixed
type: mixed
listen: 127.0.0.1
port: 7890
users:
- alice:<password>
udp: trueHTTPS-proxy inbound (HTTP over TLS):
yaml
listeners:
- name: https-proxy
type: http
listen: 0.0.0.0
port: 8443
users:
- alice:<password>
certificate: /etc/mihomo/server.crt
private-key: /etc/mihomo/server.keyNotes
users:here is a list ofuser:passstrings — not a structured object array. The:separator is required. An empty list disables authentication.- The
mixedlistener accepts both HTTP and SOCKS5 on the same port, controlled by first-byte detection in the listener. - Top-level shortcuts (
port,socks-port,mixed-porton the rootRawConfig) are an alternative way to declare unauthenticated listeners — they don't go throughlisteners[]. Pick one approach per inbound. - mihomo's top-level
authenticationlist (see Basics) applies to every legacy port (port,socks-port,mixed-port) but not tolisteners:entries — those have their ownusersfield.
Cross-core notes
- Xray-core keeps HTTP and SOCKS in separate source files, uses
accounts[](each{user, pass}), and has no built-in "mixed" inbound. See HTTP & SOCKS — Xray-core. - sing-box also offers a
mixedinbound, withusers[]carrying structured{username, password}objects. Field names are snake_case. See HTTP & SOCKS — sing-box.
Source: adapter/outbound/http.go:28-42 · v1.19.27 (5184081)