HTTP & SOCKS — sing-box
sing-box bundles HTTP, SOCKS, and a combined "mixed" inbound (HTTP+SOCKS on the same port) into a single source file. Outbound HTTP optionally wraps the CONNECT stream in TLS, and outbound SOCKS supports v4, v4a, and v5 with optional udp_over_tcp framing.
SOCKS
Inbound
type: "socks":
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
users | []auth.User | [] | [{username, password}] | User list. Empty disables authentication. |
domain_resolver | *DomainResolveOptions | (default) | DomainResolveOptions | Override how destination hostnames are resolved for this inbound. |
Source: option/simple.go:8-12 · pinned at v1.13.11 (553cfa1)
The struct also embeds ListenOptions (listen address, port, sniff, …).
Outbound
type: "socks":
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
version | string | 5 | 4 | 4a | 5 | SOCKS protocol version. v4 is bare SOCKS4; v4a adds remote hostname resolution; v5 is the modern default. |
username | string | (unset) | <string> | Upstream auth username (v5 only). |
password | string | (unset) | <string> | Upstream auth password. |
network | NetworkList | (tcp+udp) | tcp | udp | | Restrict to TCP-only or UDP-only. |
udp_over_tcp | *UDPOverTCPOptions | (disabled) | UDPOverTCPOptions | Wrap UDP packets inside the TCP control channel. Useful when the upstream proxy does not support UDP-associate. |
Source: option/simple.go:22-30 · pinned at v1.13.11 (553cfa1)
Embeds DialerOptions and ServerOptions (server, server_port).
HTTP / Mixed
The http and mixed inbound types share a single Go struct (HTTPMixedInboundOptions). When the type field is mixed, the inbound accepts both HTTP CONNECT requests and SOCKS5 handshakes on the same port — the first byte of the client request determines which protocol is being spoken.
Inbound (type: "http" or type: "mixed")
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
users | []auth.User | [] | [{username, password}] | User list. |
domain_resolver | *DomainResolveOptions | (default) | DomainResolveOptions | Per-inbound domain-resolver override. |
set_system_proxy | bool | false | true | false | When true, sing-box programs the operating-system proxy settings to point at this listener on startup. Reverted on shutdown. |
Source: option/simple.go:14-20 · pinned at v1.13.11 (553cfa1)
Embeds ListenOptions and InboundTLSOptionsContainer (the inbound can serve HTTP over TLS — modern Squid-style HTTPS proxy).
Outbound
type: "http":
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
username | string | (unset) | <string> | Upstream auth username. |
password | string | (unset) | <string> | Upstream auth password. |
path | string | (unset) | /<path> | Path prefix added to the CONNECT request line. Empty uses the upstream's expected default. |
headers | badoption.HTTPHeader | {} | {<header>: <value or list>} | Extra HTTP headers added to every CONNECT request. |
Source: option/simple.go:32-40 · pinned at v1.13.11 (553cfa1)
Embeds DialerOptions, ServerOptions, and OutboundTLSOptionsContainer (tls makes this an outbound to an HTTPS-proxy).
Examples
Mixed inbound with one user:
{
"inbounds": [
{
"type": "mixed",
"tag": "mixed-in",
"listen": "127.0.0.1",
"listen_port": 7890,
"users": [
{ "username": "alice", "password": "<password>" }
]
}
]
}HTTPS proxy inbound (HTTP over TLS):
{
"inbounds": [
{
"type": "http",
"tag": "https-proxy-in",
"listen": "0.0.0.0",
"listen_port": 8443,
"users": [{ "username": "alice", "password": "<password>" }],
"tls": {
"enabled": true,
"certificate_path": "/etc/ssl/cert.pem",
"key_path": "/etc/ssl/key.pem"
}
}
]
}SOCKS5 outbound with UoT:
{
"outbounds": [
{
"type": "socks",
"tag": "via-socks",
"server": "upstream.example.com",
"server_port": 1080,
"version": "5",
"username": "alice",
"password": "<password>",
"udp_over_tcp": { "enabled": true, "version": 2 }
}
]
}Notes
- The
mixedinbound's first-byte protocol detection means a misbehaving client that speaks neither HTTP nor SOCKS will close immediately rather than block the listener. set_system_proxyonly works on platforms where sing-box has a system proxy API (Windows, macOS, GNOME). On other systems it is silently ignored.version: "4a"is the only way to send hostnames to a SOCKS4 server (plain SOCKS4 only carries IPv4 destinations).- The HTTP outbound's
pathfield exists because some upstream CONNECT proxies require an explicit path-prefix (PUT /forward HTTP/1.1) for routing — most don't, in which case leave it empty.
Cross-core notes
- Xray-core keeps HTTP and SOCKS in separate files, uses
accounts[](notusers[]) anduser/pass(notusername/password), and has no "mixed" inbound — run two separate inbounds on different ports. See HTTP & SOCKS — Xray-core. - mihomo splits inbounds into three listener types (
http,socks,mixed) and uses kebab-case field names (skip-cert-verify, etc.). See HTTP & SOCKS — mihomo.
Source: option/simple.go:8-40 · v1.13.11 (553cfa1)