AnyTLS — sing-box
AnyTLS is a TLS-shaped tunnel that uses padding tricks to disguise its traffic shape. sing-box was the first stable implementation; it supports both inbound and outbound with a session-pool client.
Inbound
type: "anytls":
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
| users | []AnyTLSUser | [] | [AnyTLSUser] | Accepted users. |
| padding_scheme | badoption.Listable[string] | (server default) | <scheme line> \| [<scheme line>] | Custom padding scheme used to shape the wire traffic. Accepts a single string or a list of strings; an empty / unset value uses the server's built-in default. |
Source: option/anytls.go:5-10 · pinned at v1.13.11 (553cfa1)
The struct embeds ListenOptions and InboundTLSOptionsContainer. TLS is required — AnyTLS is always TLS-wrapped on the wire.
users[]
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
| name | string | (unset) | <string> | Display name used in stats and logs. |
| password | string | (required) | <string> | User password. |
Source: option/anytls.go:12-15 · pinned at v1.13.11 (553cfa1)
Outbound
type: "anytls":
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
| password | string | (required) | <string> | Server password. |
| idle_session_check_interval | badoption.Duration | 30s | <duration> | How often the client scans the pool for idle sessions to recycle. |
| idle_session_timeout | badoption.Duration | 30s | <duration> | Sessions idle for longer than this are closed during the next check sweep. |
| min_idle_session | int | 0 | <int> | Keep at least this many idle sessions warm for low-latency reuse. |
Source: option/anytls.go:17-25 · pinned at v1.13.11 (553cfa1)
Embeds DialerOptions, ServerOptions, and OutboundTLSOptionsContainer. TLS is required.
Examples
Inbound:
```json
{
  "inbounds": [
    {
      "type": "anytls",
      "tag": "anytls-in",
      "listen": "::",
      "listen_port": 443,
      "users": [{ "name": "alice", "password": "<password>" }],
      "tls": {
        "enabled": true,
        "certificate_path": "/etc/ssl/cert.pem",
        "key_path": "/etc/ssl/key.pem"
      }
    }
  ]
}
```

Outbound with a kept-warm session pool:
```json
{
  "outbounds": [
    {
      "type": "anytls",
      "tag": "anytls-out",
      "server": "example.com",
      "server_port": 443,
      "password": "<password>",
      "min_idle_session": 4,
      "idle_session_check_interval": "30s",
      "idle_session_timeout": "60s",
      "tls": { "enabled": true, "server_name": "example.com" }
    }
  ]
}
```

Notes
- `padding_scheme` accepts either a single string (one rule per line inside) or a list of strings. The format follows the AnyTLS upstream spec — most users should leave it unset and use the server's default.
- The session-pool fields (`idle_session_check_interval`, `idle_session_timeout`, `min_idle_session`) are outbound-only. The pool keeps TLS sessions warm so new app-level requests pay one round trip rather than a full TLS handshake.
- `min_idle_session: 0` (the default) creates sessions lazily on demand and closes them after `idle_session_timeout`. Bump it up if your workload has bursts of new requests.
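
The constraints stated above (TLS is required on both sides, `password` is required, the session-pool fields are outbound-only) can be checked before a config is deployed. The Go linter below is an added example, not sing-box code; `LintAnyTLS`, `poolFields` and the sample config are hypothetical names and constructed input.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample (not from the page) with four deliberate mistakes.
const sample = `{"inbounds":[{"type":"anytls","tag":"in","min_idle_session":2,"users":[{"name":"alice","password":""}]}],
 "outbounds":[{"type":"anytls","tag":"out","password":"<password>","tls":{"enabled":false}}]}`
var poolFields = []string{"idle_session_check_interval", "idle_session_timeout", "min_idle_session"}

// LintAnyTLS (hypothetical helper) reports anytls entries that break the rules in the field tables.
func LintAnyTLS(raw []byte) (out []string, err error) {
	var cfg struct{ Inbounds, Outbounds []map[string]any }
	if err = json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	for i, e := range append(cfg.Inbounds, cfg.Outbounds...) {
		if e["type"] != "anytls" {
			continue
		}
		inbound := i < len(cfg.Inbounds)
		add := func(msg string) { out = append(out, fmt.Sprintf("%v: %s", e["tag"], msg)) }
		if tls, _ := e["tls"].(map[string]any); tls["enabled"] != true {
			add("tls.enabled must be true")
		}
		for _, f := range poolFields {
			if _, set := e[f]; set && inbound {
				add(f + " is outbound-only")
			}
		}
		creds := []any{e} // outbound: the password sits on the entry itself
		if inbound {
			creds, _ = e["users"].([]any) // inbound: one password per user
		}
		for _, c := range creds {
			if m, _ := c.(map[string]any); m["password"] == nil || m["password"] == "" {
				add("password is required")
			}
		}
	}
	return out, nil
}

func main() {
	findings, err := LintAnyTLS([]byte(sample))
	fmt.Println(findings, err)
}
```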
Cross-core notes
- Xray-core does not support AnyTLS. See AnyTLS — Xray-core.
- mihomo has full AnyTLS support on both sides, with kebab-case field names (`idle-session-check-interval`, …) and additional uTLS fingerprint and ECH options. See AnyTLS — mihomo.
Source: option/anytls.go:5-25 · v1.13.11 (553cfa1)
