ShadowsocksR — sing-box
sing-box implements the SSR client side. Inbound is not supported — for that you need an SSR-specific server like ShadowsocksR-libev or one of its forks.
Outbound
type: "shadowsocksr":
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
method | string | (required) | aes-256-cfb | aes-128-ctr | chacha20-ietf | rc4-md5 | <other SSR ciphers> | SSR cipher. The accepted set is the historical SSR cipher catalog — RC4, AES-CFB, AES-CTR, ChaCha20, etc. Modern AEAD ciphers belong on the regular Shadowsocks outbound. |
password | string | (required) | <string> | Server password. |
obfs | string | (unset) | plain | http_simple | http_post | random_head | tls1.2_ticket_auth | Obfuscation plugin. `plain` is no obfs; `http_simple` and `http_post` emit a fake HTTP request; `tls1.2_ticket_auth` mimics a TLS resumption. |
obfs_param | string | (unset) | <string> | Plugin-specific parameter. For HTTP obfs, this is the Host header. |
protocol | string | origin | origin | auth_aes128_md5 | auth_aes128_sha1 | auth_sha1_v4 | auth_chain_a | auth_chain_b | Protocol-layer plugin. `origin` is no plugin; the `auth_*` family adds per-packet authentication. |
protocol_param | string | (unset) | <string> | Protocol-layer parameter. Many plugins use this as a user-count or rate-limit hint. |
network | NetworkList | (tcp+udp) | tcp | udp | | Restrict to TCP-only or UDP-only. |
Source: option/shadowsocksr.go:3-13 · pinned at v1.13.11 (553cfa1)
Embeds DialerOptions and ServerOptions.
Examples
Plain SSR with HTTP-obfs:
json
{
"outbounds": [
{
"type": "shadowsocksr",
"tag": "ssr-out",
"server": "example.com",
"server_port": 443,
"method": "aes-256-cfb",
"password": "<password>",
"obfs": "http_simple",
"obfs_param": "www.bing.com",
"protocol": "auth_chain_a",
"protocol_param": "32"
}
]
}TLS-ticket-auth obfs:
json
{
"outbounds": [
{
"type": "shadowsocksr",
"server": "example.com",
"server_port": 443,
"method": "chacha20-ietf",
"password": "<password>",
"obfs": "tls1.2_ticket_auth",
"obfs_param": "www.bing.com",
"protocol": "auth_chain_b"
}
]
}Notes
- This is client-only. To run an SSR server you need a dedicated SSR daemon — sing-box's
shadowsocksroutbound is not paired with an inbound type of the same name. - The accepted
method,obfs, andprotocolstrings are the historical SSR catalog. The "modern" Shadowsocks ciphers (AEAD,2022-blake3-*) belong on the Shadowsocks outbound instead. - The
auth_chain_*protocol plugins are the only ones still in active use today — the olderauth_aes128_*andauth_sha1_v4variants are vulnerable to a replay-attack class identified in 2018.
Cross-core notes
- Xray-core does not support SSR. See SSR — Xray-core.
- mihomo uses
cipher(notmethod) and kebab-case for the parameter fields (obfs-param,protocol-param). See SSR — mihomo.
Source: option/shadowsocksr.go:3-13 · v1.13.11 (553cfa1)