Trojan — sing-box
sing-box implements both ends of Trojan. There is no flow field — the implementation follows the original Trojan spec rather than the XTLS fork. Fallback semantics are richer than Xray's: a single fallback target plus an ALPN-keyed fallback_for_alpn map.
Inbound
`type: "trojan"` inbound:
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
| `users` | `[]TrojanUser` | `[]` | `[TrojanUser]` | List of accepted users. |
| `fallback` | `*ServerOptions` | (none) | `ServerOptions` | Fallback target — when a request does not authenticate as Trojan, the raw stream is forwarded here. Holds `server` + `server_port`. |
| `fallback_for_alpn` | `map[string]*ServerOptions` | `{}` | `{<alpn>: ServerOptions}` | Per-ALPN fallback map. Takes precedence over `fallback` when the negotiated ALPN matches a key. |
| `multiplex` | `*InboundMultiplexOptions` | (disabled) | `InboundMultiplexOptions` | Server-side multiplex. |
| `transport` | `*V2RayTransportOptions` | (plain TCP) | `V2RayTransportOptions` | Optional V2Ray-style transport (ws, http, grpc, quic). |
Source: option/trojan.go:3-11 · pinned at v1.13.11 (553cfa1)
The struct embeds ListenOptions (listen address, port, sniff, …) and InboundTLSOptionsContainer (TLS material).
users[]
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
| `name` | `string` | (unset) | `<string>` | Display name used in stats and logs. |
| `password` | `string` | (required) | `<string>` | Trojan password. |
Source: option/trojan.go:13-16 · pinned at v1.13.11 (553cfa1)
Outbound
`type: "trojan"` outbound:
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
| `password` | `string` | (required) | `<string>` | Password the upstream server expects. |
| `network` | `NetworkList` | (tcp+udp) | `tcp` \| `udp` \| (empty) | Restrict to TCP-only or UDP-only. Empty enables both. |
| `multiplex` | `*OutboundMultiplexOptions` | (disabled) | `OutboundMultiplexOptions` | Client-side multiplex (must match the server). |
| `transport` | `*V2RayTransportOptions` | (plain TCP) | `V2RayTransportOptions` | V2Ray-style transport wrapper. |
Source: option/trojan.go:18-26 · pinned at v1.13.11 (553cfa1)
Embeds DialerOptions, ServerOptions (server, server_port), and OutboundTLSOptionsContainer (tls).
Examples
Inbound with a single user and an HTTPS fallback:
```json
{
  "inbounds": [
    {
      "type": "trojan",
      "tag": "trojan-in",
      "listen": "::",
      "listen_port": 443,
      "users": [
        { "name": "alice", "password": "<password>" }
      ],
      "tls": {
        "enabled": true,
        "server_name": "example.com",
        "certificate_path": "/etc/ssl/cert.pem",
        "key_path": "/etc/ssl/key.pem"
      },
      "fallback": { "server": "127.0.0.1", "server_port": 8080 },
      "fallback_for_alpn": {
        "h2": { "server": "127.0.0.1", "server_port": 8443 },
        "http/1.1": { "server": "127.0.0.1", "server_port": 8080 }
      }
    }
  ]
}
```
Outbound:
```json
{
  "outbounds": [
    {
      "type": "trojan",
      "tag": "trojan-out",
      "server": "example.com",
      "server_port": 443,
      "password": "<password>",
      "tls": {
        "enabled": true,
        "server_name": "example.com"
      },
      "transport": { "type": "ws", "path": "/tj" }
    }
  ]
}
```
Notes
- The fallback design differs from Xray's: Xray takes a list of fallbacks matched by `(sni, alpn, path)` tuples, while sing-box takes a single default `fallback` plus a map keyed by ALPN. Path-level matching is not exposed — for that, terminate TLS in front of sing-box.
- `fallback_for_alpn` is consulted first; if the negotiated ALPN matches a key, that target is used; otherwise the default `fallback` applies.
- No `flow` option. Clients that ship XTLS Vision for Trojan (Xray-core with non-empty `flow`) cannot connect to a sing-box Trojan server.
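
The per-stream decision described in these notes, as an added Go example (a reduced model written for this page, not sing-box's own code): the stream must open with hex(SHA-224(password)) followed by CRLF, as the original Trojan spec defines, and anything else goes to the `fallback_for_alpn` entry for the negotiated ALPN, else to `fallback`. The names `Inbound`, `Target`, `TrojanKey` and `Route` are hypothetical, and the sample values are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Target mirrors the server + server_port pair of a fallback entry.
type Target struct {
	Server string
	Port   uint16
}

// Inbound is a reduced, hypothetical model of the inbound (not sing-box's type).
type Inbound struct {
	Users           map[string]string  // name -> password
	Fallback        *Target            // default fallback, may be nil
	FallbackForALPN map[string]*Target // keyed by negotiated ALPN
}

// TrojanKey returns hex(SHA-224(password)), the 56-byte Trojan credential.
func TrojanKey(password string) []byte {
	sum := sha256.Sum224([]byte(password))
	return []byte(hex.EncodeToString(sum[:]))
}

// Route returns the matching user for a stream that opens with a known key
// plus CRLF, else the fallback target. Keys are compared in constant time.
func (in *Inbound) Route(first []byte, alpn string) (string, *Target) {
	if len(first) >= 58 && first[56] == '\r' && first[57] == '\n' {
		for name, pw := range in.Users {
			if subtle.ConstantTimeCompare(first[:56], TrojanKey(pw)) == 1 {
				return name, nil
			}
		}
	}
	if t, ok := in.FallbackForALPN[alpn]; ok { // per-ALPN map is consulted first
		return "", t
	}
	return "", in.Fallback // nil when no fallback is configured
}

func main() {
	in := &Inbound{Fallback: &Target{"127.0.0.1", 8080}} // constructed sample
	_, fb := in.Route([]byte("GET / HTTP/1.1\r\n\r\n"), "http/1.1")
	fmt.Println("non-Trojan stream goes to", fb.Server, fb.Port)
}
```

A `nil` target from `Route` marks an ALPN for which neither the map nor the default covers unauthenticated traffic, which is worth checking for every ALPN the TLS listener advertises.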
Cross-core notes
- Xray uses `clients[]` and a list-form `fallbacks[]`. See Trojan — Xray-core.
- mihomo uses a single proxy-object shape with `password` on the outbound and a per-user `password` on the inbound; it also exposes trojan-go's `ss-opts` for chained Shadowsocks encryption. See Trojan — mihomo.
Source: option/trojan.go:3-26 · v1.13.11 (553cfa1)
