HTTP & SOCKS — Xray-core
Universal proxy protocols. HTTP supports CONNECT and the older transparent-proxy mode; SOCKS supports both v4a and v5 (the version is auto-detected from the first byte the client sends).
HTTP
Inbound
settings for "protocol": "http":
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
users | []*HTTPAccount | — | [HTTPAccount] | … | Inbound account list; same object shape as `accounts`. `users` is the newer name introduced in recent Xray and is accepted alongside `accounts`. |
accounts | []*HTTPAccount | [] | [HTTPAccount] | User list. Empty disables authentication (the inbound becomes an open proxy). |
allowTransparent | bool | false | true | false | When true, the inbound accepts CONNECT-less requests and forwards them as a transparent HTTP proxy. |
userLevel | uint32 | 0 | <uint32> | Default policy level for clients without per-user override. |
Source: infra/conf/http.go:25-30 · pinned at v26.6.1 (94ffd50)
accounts[]
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
user | string | (required) | <string> | Username for HTTP Basic auth. |
pass | string | (required) | <string> | Password for HTTP Basic auth. |
Source: infra/conf/http.go:13-16 · pinned at v26.6.1 (94ffd50)
Outbound
settings for an outbound of "protocol": "http":
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
address | *Address | (unset) | <host> | Simplified shape — upstream proxy host. |
port | uint16 | (required with address) | <port> | Upstream proxy port. |
level | uint32 | 0 | <uint32> | Policy level. |
email | string | (unset) | <string> | Tag in stats and logs. |
user | string | (unset) | <string> | Username for upstream auth. |
pass | string | (unset) | <string> | Password for upstream auth. |
servers | []*HTTPRemoteConfig | (use simplified shape) | [HTTPRemoteConfig] | Verbose shape with exactly one server. |
headers | map[string]string | {} | {<header>: <value>} | Extra HTTP headers sent on every request. |
Source: infra/conf/http.go:58-67 · pinned at v26.6.1 (94ffd50)
servers[]
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
address | *Address | (required) | <host> | Upstream proxy host. |
port | uint16 | (required) | <port> | Upstream proxy port. |
users | []json.RawMessage | [] | [HTTPAccount] | Optional auth users (at most one). |
Source: infra/conf/http.go:52-56 · pinned at v26.6.1 (94ffd50)
SOCKS
Inbound
settings for "protocol": "socks":
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
auth | string | noauth | noauth | password | Authentication mode. Unknown values silently fall back to `noauth` (`infra/conf/socks.go:45-47`). |
users | []*SocksAccount | — | [SocksAccount] | … | Inbound account list; same object shape as `accounts`. `users` is the newer name introduced in recent Xray and is accepted alongside `accounts`. |
accounts | []*SocksAccount | [] | [SocksAccount] | User list for `auth: password`. |
udp | bool | false | true | false | Enable SOCKS5 UDP-associate support. |
ip | *Address | (unset) | <address> | Public address advertised in UDP-associate replies. Required when the listener is behind NAT. |
userLevel | uint32 | 0 | <uint32> | Default policy level. |
Source: infra/conf/socks.go:30-37 · pinned at v26.6.1 (94ffd50)
accounts[]
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
user | string | (required) | <string> | Username. |
pass | string | (required) | <string> | Password. |
Source: infra/conf/socks.go:13-16 · pinned at v26.6.1 (94ffd50)
Outbound
settings for an outbound of "protocol": "socks":
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
address | *Address | (unset) | <host> | Simplified shape — upstream SOCKS host. |
port | uint16 | (required with address) | <port> | Upstream SOCKS port. |
level | uint32 | 0 | <uint32> | Policy level. |
email | string | (unset) | <string> | Stats tag. |
user | string | (unset) | <string> | Auth username. |
pass | string | (unset) | <string> | Auth password. |
servers | []*SocksRemoteConfig | (use simplified shape) | [SocksRemoteConfig] | Verbose shape with exactly one server. |
Source: infra/conf/socks.go:77-85 · pinned at v26.6.1 (94ffd50)
servers[]
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
address | *Address | (required) | <host> | Upstream SOCKS host. |
port | uint16 | (required) | <port> | Upstream SOCKS port. |
users | []json.RawMessage | [] | [SocksAccount] | Optional auth users. |
Source: infra/conf/socks.go:71-75 · pinned at v26.6.1 (94ffd50)
Examples
HTTP inbound with two users:
json
{
"inbounds": [
{
"tag": "http-in",
"listen": "127.0.0.1",
"port": 1080,
"protocol": "http",
"settings": {
"accounts": [
{ "user": "alice", "pass": "<password>" },
{ "user": "bob", "pass": "<password>" }
],
"allowTransparent": false
}
}
]
}SOCKS5 inbound with UDP-associate:
json
{
"inbounds": [
{
"tag": "socks-in",
"listen": "0.0.0.0",
"port": 1081,
"protocol": "socks",
"settings": {
"auth": "password",
"accounts": [{ "user": "alice", "pass": "<password>" }],
"udp": true,
"ip": "203.0.113.10"
}
}
]
}Outbound to an upstream HTTP proxy:
json
{
"outbounds": [
{
"tag": "via-http",
"protocol": "http",
"settings": {
"address": "upstream.example.com",
"port": 8080,
"user": "alice",
"pass": "<password>",
"headers": { "X-Forwarded-Proto": "https" }
}
}
]
}Notes
- HTTP inbound with no accounts acts as an open proxy. Restrict it with
listen: "127.0.0.1", a routing rule that drops external sources, or both. allowTransparent: trueis rarely what you want. It enables the old V2Ray-style "use the inbound as a transparent forwarder" mode which collides with the explicit-proxy CONNECT method. Leave it off unless you have a specific use case.auth: "password"is the only way to require credentials on SOCKS. Unknown auth-method strings silently downgrade tonoauth— there is no error for typos (infra/conf/socks.go:45-47).- The SOCKS
ipfield is the publicly-reachable address advertised in UDP-associate replies. Without it, clients on the far side of a NAT will receive an unroutable inner address. - Both HTTP and SOCKS outbounds use the simplified-vs-
servers[]shape pattern —servers[]must have exactly one entry.
Cross-core notes
- sing-box merges HTTP and SOCKS into the same source file (
option/simple.go) and exposes a third "mixed" inbound that serves both on a single port. See HTTP & SOCKS — sing-box. - mihomo uses
username/password(notuser/pass) on the outbound, splits inbound listeners into three types (http,socks,mixed), and supports TLS-wrapped HTTP/SOCKS via the listener's certificate field. See HTTP & SOCKS — mihomo.
Source: infra/conf/http.go:13-67 · v26.6.1 (94ffd50)