{ "$defs": { "ACMEDNS01ChallengeOptions": { "oneOf": [ { "properties": { "access_key_id": { "type": "string" }, "access_key_secret": { "type": "string" }, "provider": { "const": "alidns", "type": "string" }, "region_id": { "type": "string" }, "security_token": { "type": "string" } }, "required": [ "provider" ] }, { "properties": { "api_token": { "type": "string" }, "provider": { "const": "cloudflare", "type": "string" }, "zone_token": { "type": "string" } }, "required": [ "provider" ] }, { "properties": { "password": { "type": "string" }, "provider": { "const": "acmedns", "type": "string" }, "server_url": { "type": "string" }, "subdomain": { "type": "string" }, "username": { "type": "string" } }, "required": [ "provider" ] } ], "type": "object" }, "ACMEExternalAccountOptions": { "properties": { "key_id": { "type": "string" }, "mac_key": { "type": "string" } }, "type": "object" }, "AnyTLSUser": { "properties": { "name": { "type": "string" }, "password": { "type": "string" } }, "type": "object" }, "BrutalOptions": { "properties": { "down_mbps": { "type": "integer" }, "enabled": { "description": "Enable TCP Brutal congestion control algorithm。\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tcp-brutal/#enabled", "type": "boolean" }, "up_mbps": { "type": "integer" } }, "type": "object" }, "CCMUser": { "properties": { "name": { "type": "string" }, "token": { "type": "string" } }, "type": "object" }, "CacheFileOptions": { "properties": { "cache_id": { "description": "Identifier in the cache file\n\nIf not empty, configuration specified data will use a separate store keyed by it.\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/cache-file/#cache_id", "type": "string" }, "enabled": { "description": "Enable cache file.\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/cache-file/#enabled", "type": "boolean" }, "path": { "description": "Path to the cache file.\n\n`cache.db` will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/cache-file/#path", "type": "string" }, "rdrc_timeout": { "description": "Timeout of rejected DNS response cache.\n\n`7d` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/cache-file/#rdrc_timeout", "type": "string" }, "store_fakeip": { "description": "Store fakeip in the cache file\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/cache-file/#store_fakeip", "type": "boolean" }, "store_rdrc": { "description": "Store rejected DNS response cache in the cache file\n\nThe check results of [Address filter DNS rule items](/configuration/dns/rule/#address-filter-fields)\nwill be cached until expiration.\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/cache-file/#store_rdrc", "type": "boolean" } }, "type": "object" }, "CertificateOptions": { "properties": { "certificate": { "description": "The certificate line array to trust, in PEM format.\n\nSee documentation: https://sing-box.sagernet.org/configuration/certificate/#certificate", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "certificate_directory_path": { "description": "!!! note \"\"\n\nWill be automatically reloaded if file modified.\n\nThe directory path to search for certificates to trust,in PEM format.\n\nSee documentation: https://sing-box.sagernet.org/configuration/certificate/#certificate_directory_path", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "certificate_path": { "description": "!!! note \"\"\n\nWill be automatically reloaded if file modified.\n\nThe paths to certificates to trust, in PEM format.\n\nSee documentation: https://sing-box.sagernet.org/configuration/certificate/#certificate_path", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "store": { "description": "The default X509 trusted CA certificate list.\n\n| Type | Description |\n|--------------------|----------------------------------------------------------------------------------------------------------------|\n| `system` (default) | System trusted CA certificates |\n| `mozilla` | [Mozilla Included List](https://wiki.mozilla.org/CA/Included_Certificates) with China CA certificates removed |\n| `chrome` | [Chrome Root Store](https://g.co/chrome/root-policy) with China CA certificates removed |\n| `none` | Empty list |\n\nSee documentation: https://sing-box.sagernet.org/configuration/certificate/#store", "type": "string" } }, "type": "object" }, "ClashAPIOptions": { "properties": { "access_control_allow_origin": { "description": "Since sing-box 1.10.0\n\nCORS allowed origins, `*` will be used if empty.\n\nTo access the Clash API on a private network from a public website, you must explicitly specify it in `access_control_allow_origin` instead of using `*`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/clash-api/#access_control_allow_origin", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "access_control_allow_private_network": { "description": "Since sing-box 1.10.0\n\nAllow access from private network.\n\nTo access the Clash API on a private network from a public website, `access_control_allow_private_network` must be enabled.\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/clash-api/#access_control_allow_private_network", "type": "boolean" }, "cache_file": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.8.0\n\n`cache_file` is deprecated in Clash API and migrated to `cache_file.enabled` and `cache_file.path`.\n\nCache file path, `cache.db` will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/clash-api/#cache_file", "type": "string" }, "cache_id": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.8.0\n\n`cache_id` is deprecated in Clash API and migrated to `cache_file.cache_id`.\n\nIdentifier in cache file.\n\nIf not empty, configuration specified data will use a separate store keyed by it.\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/clash-api/#cache_id", "type": "string" }, "default_mode": { "description": "Default mode in clash, `Rule` will be used if empty.\n\nThis setting has no direct effect, but can be used in routing and DNS rules via the `clash_mode` rule item.\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/clash-api/#default_mode", "type": "string" }, "external_controller": { "description": "RESTful web API listening address. Clash API will be disabled if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/clash-api/#external_controller", "type": "string" }, "external_ui": { "description": "A relative path to the configuration directory or an absolute path to a\ndirectory in which you put some static web resource. sing-box will then\nserve it at `http://{{external-controller}}/ui`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/clash-api/#external_ui", "type": "string" }, "external_ui_download_detour": { "description": "The tag of the outbound to download the external UI.\n\nDefault outbound will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/clash-api/#external_ui_download_detour", "type": "string" }, "external_ui_download_url": { "description": "ZIP download URL for the external UI, will be used if the specified `external_ui` directory is empty.\n\n`https://github.com/MetaCubeX/Yacd-meta/archive/gh-pages.zip` will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/clash-api/#external_ui_download_url", "type": "string" }, "secret": { "description": "Secret for the RESTful API (optional)\nAuthenticate by spedifying HTTP header `Authorization: Bearer ${secret}`\nALWAYS set a secret if RESTful API is listening on 0.0.0.0\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/clash-api/#secret", "type": "string" }, "store_fakeip": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.8.0\n\n`store_selected` is deprecated in Clash API and migrated to `cache_file.store_fakeip`.\n\nStore fakeip in cache file.\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/clash-api/#store_fakeip", "type": "boolean" }, "store_mode": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.8.0\n\n`store_mode` is deprecated in Clash API and enabled by default if `cache_file.enabled`.\n\nStore Clash mode in cache file.\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/clash-api/#store_mode", "type": "boolean" }, "store_selected": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.8.0\n\n`store_selected` is deprecated in Clash API and enabled by default if `cache_file.enabled`.\n\n!!! note \"\"\n\nThe tag must be set for target outbounds.\n\nStore selected outbound for the `Selector` outbound in cache file.\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/clash-api/#store_selected", "type": "boolean" } }, "type": "object" }, "DERPMeshOptions": { "properties": { "bind_address_no_port": { "description": "Since sing-box 1.13.0\n\n\nOnly supported on Linux.\n\nDo not reserve a port when binding to a source address.\n\nThis allows reusing the same source port for multiple connections if the full 4-tuple (source IP, source port, destination IP, destination port) remains unique.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#bind_address_no_port", "type": "boolean" }, "bind_interface": { "description": "The network interface to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#bind_interface", "type": "string" }, "connect_timeout": { "description": "Connect timeout, in golang's Duration format.\n\nA duration string is a possibly signed sequence of\ndecimal numbers, each with optional fraction and a unit suffix,\nsuch as \"300ms\", \"-1.5h\" or \"2h45m\".\nValid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#connect_timeout", "type": "string" }, "detour": { "description": "The tag of the upstream outbound.\n\nIf enabled, all other fields will be ignored.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#detour", "type": "string" }, "disable_tcp_keep_alive": { "description": "Since sing-box 1.13.0\n\nDisable TCP keep alive.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#disable_tcp_keep_alive", "type": "boolean" }, "domain_resolver": { "$ref": "#/$defs/DomainResolveOptions", "deprecated": true, "description": "`outbound` DNS rule items are deprecated and will be removed in sing-box 1.14.0, so this item will be required for outbound/endpoints using domain name in server address since sing-box 1.14.0.\n\n\n\n`domain_resolver` or `route.default_domain_resolver` is optional when only one DNS server is configured.\n\nSet domain resolver to use for resolving domain names.\n\nThis option uses the same format as the [route DNS rule action](/configuration/dns/rule_action/#route) without the `action` field.\n\nSetting this option directly to a string is equivalent to setting `server` of this options.\n\n| Outbound/Endpoints | Effected domains |\n|--------------------|--------------------------|\n| `direct` | Domain in request |\n| others | Domain in server address |\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#domain_resolver" }, "domain_strategy": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.12.0\n\n`domain_strategy` is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-outbound-domain-strategy-option-to-domain-resolver).\n\nAvailable values: `prefer_ipv4`, `prefer_ipv6`, `ipv4_only`, `ipv6_only`.\n\nIf set, the requested domain name will be resolved to IP before connect.\n\n| Outbound | Effected domains | Fallback Value |\n|----------|--------------------------|-------------------------------------------|\n| `direct` | Domain in request | Take `inbound.domain_strategy` if not set |\n| others | Domain in server address | / |\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#domain_strategy", "enum": [ "", "prefer_ipv4", "prefer_ipv6", "ipv4_only", "ipv6_only" ], "type": "string" }, "fallback_delay": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nThe length of time to wait before spawning a RFC 6555 Fast Fallback connection.\n\nFor `domain_strategy`, is the amount of time to wait for connection to succeed before assuming\nthat IPv4/IPv6 is misconfigured and falling back to other type of addresses.\n\nFor `network_strategy`, is the amount of time to wait for connection to succeed before falling\nback to other interfaces.\n\nOnly take effect when `domain_strategy` or `network_strategy` is set.\n\n`300ms` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#fallback_delay", "type": "string" }, "fallback_network_type": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nFallback network types when preferred networks are unavailable or timeout when using `fallback` network strategy.\n\nAll other networks expect preferred are used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#fallback_network_type", "oneOf": [ { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, { "items": { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, "type": "array" } ] }, "host": { "type": "string" }, "inet4_bind_address": { "description": "The IPv4 address to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#inet4_bind_address", "type": "string" }, "inet6_bind_address": { "description": "The IPv6 address to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#inet6_bind_address", "type": "string" }, "netns": { "description": "Since sing-box 1.12.0\n\n\nOnly supported on Linux.\n\nSet network namespace, name or path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#netns", "type": "string" }, "network_strategy": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nStrategy for selecting network interfaces.\n\nAvailable values:\n\n- `default` (default): Connect to default network or networks specified in `network_type` sequentially.\n- `hybrid`: Connect to all networks or networks specified in `network_type` concurrently.\n- `fallback`: Connect to default network or preferred networks specified in `network_type` concurrently, and try fallback networks when unavailable or timeout.\n\nFor fallback, when preferred interfaces fails or times out,\nit will enter a 15s fast fallback state (Connect to all preferred and fallback networks concurrently),\nand exit immediately if preferred networks recover.\n\nConflicts with `bind_interface`, `inet4_bind_address` and `inet6_bind_address`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#network_strategy", "enum": [ "default", "hybrid", "fallback" ], "type": "string" }, "network_type": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nNetwork types to use when using `default` or `hybrid` network strategy or\npreferred network types to use when using `fallback` network strategy.\n\nAvailable values: `wifi`, `cellular`, `ethernet`, `other`.\n\nDevice's default network is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#network_type", "oneOf": [ { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, { "items": { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, "type": "array" } ] }, "protect_path": { "type": "string" }, "reuse_addr": { "description": "Reuse listener address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#reuse_addr", "type": "boolean" }, "routing_mark": { "description": "Only supported on Linux.\n\nSet netfilter routing mark.\n\nIntegers (e.g. `1234`) and string hexadecimals (e.g. `\"0x1234\"`) are supported.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#routing_mark", "oneOf": [ { "type": "integer" }, { "type": "string" } ] }, "server": { "type": "string" }, "server_port": { "type": "integer" }, "tcp_fast_open": { "description": "Enable TCP Fast Open.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_fast_open", "type": "boolean" }, "tcp_keep_alive": { "description": "Since sing-box 1.13.0\n\nDefault value changed from `10m` to `5m`.\n\nTCP keep alive initial period.\n\n`5m` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_keep_alive", "type": "string" }, "tcp_keep_alive_interval": { "description": "Since sing-box 1.13.0\n\nTCP keep alive interval.\n\n`75s` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_keep_alive_interval", "type": "string" }, "tcp_multi_path": { "description": "Go 1.21 required.\n\nEnable TCP Multi Path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_multi_path", "type": "boolean" }, "tls": { "$ref": "#/$defs/OutboundTLSOptions" }, "udp_fragment": { "description": "Enable UDP fragmentation.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#udp_fragment", "type": "boolean" } }, "type": "object" }, "DERPSTUNListenOptions": { "properties": { "bind_interface": { "description": "Since sing-box 1.12.0\n\nThe network interface to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#bind_interface", "type": "string" }, "detour": { "description": "If set, connections will be forwarded to the specified inbound.\n\nRequires target inbound support, see [Injectable](/configuration/inbound/#fields).\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#detour", "type": "string" }, "disable_tcp_keep_alive": { "description": "Since sing-box 1.13.0\n\nDisable TCP keep alive.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#disable_tcp_keep_alive", "type": "boolean" }, "domain_strategy": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).\n\nOne of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.\n\nIf set, the requested domain name will be resolved to IP before routing.\n\nIf `sniff_override_destination` is in effect, its value will be taken as a fallback.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#domain_strategy", "enum": [ "", "prefer_ipv4", "prefer_ipv6", "ipv4_only", "ipv6_only" ], "type": "string" }, "listen": { "description": "Listen address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#listen", "type": "string" }, "listen_port": { "description": "Listen port.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#listen_port", "type": "integer" }, "netns": { "description": "Since sing-box 1.12.0\n\n\nOnly supported on Linux.\n\nSet network namespace, name or path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#netns", "type": "string" }, "proxy_protocol": { "deprecated": true, "type": "boolean" }, "proxy_protocol_accept_no_header": { "deprecated": true, "type": "boolean" }, "reuse_addr": { "description": "Since sing-box 1.12.0\n\nReuse listener address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#reuse_addr", "type": "boolean" }, "routing_mark": { "description": "Since sing-box 1.12.0\n\n\nOnly supported on Linux.\n\nSet netfilter routing mark.\n\nIntegers (e.g. `1234`) and string hexadecimals (e.g. `\"0x1234\"`) are supported.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#routing_mark", "oneOf": [ { "type": "integer" }, { "type": "string" } ] }, "sniff": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).\n\nEnable sniffing.\n\nSee [Protocol Sniff](/configuration/route/sniff/) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#sniff", "type": "boolean" }, "sniff_override_destination": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0.\n\nOverride the connection destination address with the sniffed domain.\n\nIf the domain name is invalid (like tor), this will not work.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#sniff_override_destination", "type": "boolean" }, "sniff_timeout": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).\n\nTimeout for sniffing.\n\n`300ms` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#sniff_timeout", "type": "string" }, "tcp_fast_open": { "description": "Enable TCP Fast Open.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#tcp_fast_open", "type": "boolean" }, "tcp_keep_alive": { "description": "Since sing-box 1.13.0\n\nDefault value changed from `10m` to `5m`.\n\nTCP keep alive initial period.\n\n`5m` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#tcp_keep_alive", "type": "string" }, "tcp_keep_alive_interval": { "description": "TCP keep alive interval.\n\n`75s` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#tcp_keep_alive_interval", "type": "string" }, "tcp_multi_path": { "description": "Go 1.21 required.\n\nEnable TCP Multi Path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#tcp_multi_path", "type": "boolean" }, "udp_disable_domain_unmapping": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).\n\nIf enabled, for UDP proxy requests addressed to a domain,\nthe original packet address will be sent in the response instead of the mapped domain.\n\nThis option is used for compatibility with clients that\ndo not support receiving UDP packets with domain addresses, such as Surge.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#udp_disable_domain_unmapping", "type": "boolean" }, "udp_fragment": { "description": "Enable UDP fragmentation.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#udp_fragment", "type": "boolean" }, "udp_timeout": { "description": "UDP NAT expiration time.\n\n`5m` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#udp_timeout", "oneOf": [ { "type": "integer" }, { "type": "string" } ] } }, "required": [ "listen" ], "type": "object" }, "DERPVerifyClientURLOptions": { "properties": { "bind_address_no_port": { "description": "Since sing-box 1.13.0\n\n\nOnly supported on Linux.\n\nDo not reserve a port when binding to a source address.\n\nThis allows reusing the same source port for multiple connections if the full 4-tuple (source IP, source port, destination IP, destination port) remains unique.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#bind_address_no_port", "type": "boolean" }, "bind_interface": { "description": "The network interface to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#bind_interface", "type": "string" }, "connect_timeout": { "description": "Connect timeout, in golang's Duration format.\n\nA duration string is a possibly signed sequence of\ndecimal numbers, each with optional fraction and a unit suffix,\nsuch as \"300ms\", \"-1.5h\" or \"2h45m\".\nValid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#connect_timeout", "type": "string" }, "detour": { "description": "The tag of the upstream outbound.\n\nIf enabled, all other fields will be ignored.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#detour", "type": "string" }, "disable_tcp_keep_alive": { "description": "Since sing-box 1.13.0\n\nDisable TCP keep alive.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#disable_tcp_keep_alive", "type": "boolean" }, "domain_resolver": { "$ref": "#/$defs/DomainResolveOptions", "deprecated": true, "description": "`outbound` DNS rule items are deprecated and will be removed in sing-box 1.14.0, so this item will be required for outbound/endpoints using domain name in server address since sing-box 1.14.0.\n\n\n\n`domain_resolver` or `route.default_domain_resolver` is optional when only one DNS server is configured.\n\nSet domain resolver to use for resolving domain names.\n\nThis option uses the same format as the [route DNS rule action](/configuration/dns/rule_action/#route) without the `action` field.\n\nSetting this option directly to a string is equivalent to setting `server` of this options.\n\n| Outbound/Endpoints | Effected domains |\n|--------------------|--------------------------|\n| `direct` | Domain in request |\n| others | Domain in server address |\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#domain_resolver" }, "domain_strategy": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.12.0\n\n`domain_strategy` is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-outbound-domain-strategy-option-to-domain-resolver).\n\nAvailable values: `prefer_ipv4`, `prefer_ipv6`, `ipv4_only`, `ipv6_only`.\n\nIf set, the requested domain name will be resolved to IP before connect.\n\n| Outbound | Effected domains | Fallback Value |\n|----------|--------------------------|-------------------------------------------|\n| `direct` | Domain in request | Take `inbound.domain_strategy` if not set |\n| others | Domain in server address | / |\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#domain_strategy", "enum": [ "", "prefer_ipv4", "prefer_ipv6", "ipv4_only", "ipv6_only" ], "type": "string" }, "fallback_delay": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nThe length of time to wait before spawning a RFC 6555 Fast Fallback connection.\n\nFor `domain_strategy`, is the amount of time to wait for connection to succeed before assuming\nthat IPv4/IPv6 is misconfigured and falling back to other type of addresses.\n\nFor `network_strategy`, is the amount of time to wait for connection to succeed before falling\nback to other interfaces.\n\nOnly take effect when `domain_strategy` or `network_strategy` is set.\n\n`300ms` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#fallback_delay", "type": "string" }, "fallback_network_type": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nFallback network types when preferred networks are unavailable or timeout when using `fallback` network strategy.\n\nAll other networks expect preferred are used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#fallback_network_type", "oneOf": [ { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, { "items": { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, "type": "array" } ] }, "inet4_bind_address": { "description": "The IPv4 address to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#inet4_bind_address", "type": "string" }, "inet6_bind_address": { "description": "The IPv6 address to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#inet6_bind_address", "type": "string" }, "netns": { "description": "Since sing-box 1.12.0\n\n\nOnly supported on Linux.\n\nSet network namespace, name or path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#netns", "type": "string" }, "network_strategy": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nStrategy for selecting network interfaces.\n\nAvailable values:\n\n- `default` (default): Connect to default network or networks specified in `network_type` sequentially.\n- `hybrid`: Connect to all networks or networks specified in `network_type` concurrently.\n- `fallback`: Connect to default network or preferred networks specified in `network_type` concurrently, and try fallback networks when unavailable or timeout.\n\nFor fallback, when preferred interfaces fails or times out,\nit will enter a 15s fast fallback state (Connect to all preferred and fallback networks concurrently),\nand exit immediately if preferred networks recover.\n\nConflicts with `bind_interface`, `inet4_bind_address` and `inet6_bind_address`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#network_strategy", "enum": [ "default", "hybrid", "fallback" ], "type": "string" }, "network_type": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nNetwork types to use when using `default` or `hybrid` network strategy or\npreferred network types to use when using `fallback` network strategy.\n\nAvailable values: `wifi`, `cellular`, `ethernet`, `other`.\n\nDevice's default network is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#network_type", "oneOf": [ { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, { "items": { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, "type": "array" } ] }, "protect_path": { "type": "string" }, "reuse_addr": { "description": "Reuse listener address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#reuse_addr", "type": "boolean" }, "routing_mark": { "description": "Only supported on Linux.\n\nSet netfilter routing mark.\n\nIntegers (e.g. `1234`) and string hexadecimals (e.g. `\"0x1234\"`) are supported.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#routing_mark", "oneOf": [ { "type": "integer" }, { "type": "string" } ] }, "tcp_fast_open": { "description": "Enable TCP Fast Open.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_fast_open", "type": "boolean" }, "tcp_keep_alive": { "description": "Since sing-box 1.13.0\n\nDefault value changed from `10m` to `5m`.\n\nTCP keep alive initial period.\n\n`5m` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_keep_alive", "type": "string" }, "tcp_keep_alive_interval": { "description": "Since sing-box 1.13.0\n\nTCP keep alive interval.\n\n`75s` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_keep_alive_interval", "type": "string" }, "tcp_multi_path": { "description": "Go 1.21 required.\n\nEnable TCP Multi Path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_multi_path", "type": "boolean" }, "udp_fragment": { "description": "Enable UDP fragmentation.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#udp_fragment", "type": "boolean" }, "url": { "type": "string" } }, "type": "object" }, "DNSOptions": { "properties": { "cache_capacity": { "description": "Since sing-box 1.11.0\n\nLRU cache capacity.\n\nValue less than 1024 will be ignored.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/#cache_capacity", "type": "integer" }, "client_subnet": { "description": "Since sing-box 1.9.0\n\nAppend a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.\n\nIf value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.\n\nCan be overrides by `servers.[].client_subnet` or `rules.[].client_subnet`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/#client_subnet", "type": "string" }, "disable_cache": { "description": "Disable dns cache.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/#disable_cache", "type": "boolean" }, "disable_expire": { "description": "Disable dns cache expire.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/#disable_expire", "type": "boolean" }, "fakeip": { "$ref": "#/$defs/LegacyDNSFakeIPOptions", "description": "Legacy FakeIP options (deprecated)" }, "final": { "description": "Default dns server tag.\n\nThe first server will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/#final", "type": "string" }, "independent_cache": { "description": "Make each DNS server's cache independent for special purposes. If enabled, will slightly degrade performance.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/#independent_cache", "type": "boolean" }, "reverse_mapping": { "description": "Stores a reverse mapping of IP addresses after responding to a DNS query in order to provide domain names when routing.\n\nSince this process relies on the act of resolving domain names by an application before making a request, it can be\nproblematic in environments such as macOS, where DNS is proxied and cached by the system.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/#reverse_mapping", "type": "boolean" }, "rules": { "description": "See documentation: https://sing-box.sagernet.org/configuration/dns/rule/", "items": { "$ref": "#/$defs/DNSRule" }, "type": "array" }, "servers": { "description": "DNS Server\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/", "items": { "$ref": "#/$defs/DNSServer" }, "type": "array" }, "strategy": { "description": "Default domain strategy for resolving the domain names.\n\nOne of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/#strategy", "enum": [ "", "prefer_ipv4", "prefer_ipv6", "ipv4_only", "ipv6_only" ], "type": "string" } }, "type": "object" }, "DNSRecordOptions": { "type": "object" }, "DNSRule": { "oneOf": [ { "properties": { "action": { "enum": [ "", "route", "route-options", "reject", "predefined" ], "type": "string" }, "answer": { "description": "List of text DNS record to respond as answers.\n\nExamples:\n\n| Record Type | Example |\n|-------------|-------------------------------|\n| `A` | `localhost. IN A 127.0.0.1` |\n| `AAAA` | `localhost. IN AAAA ::1` |\n| `TXT` | `localhost. IN TXT \\\"Hello\\\"` |\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule_action/#answer", "oneOf": [ { "$ref": "#/$defs/DNSRecordOptions" }, { "items": { "$ref": "#/$defs/DNSRecordOptions" }, "type": "array" } ] }, "auth_user": { "description": "Username, see each inbound for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#auth_user", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "clash_mode": { "description": "Match Clash mode.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#clash_mode", "type": "string" }, "client_subnet": { "description": "Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.\n\nIf value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.\n\nWill overrides `dns.client_subnet`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule_action/#client_subnet", "type": "string" }, "default_interface_address": { "description": "Since sing-box 1.13.0\n\n\nOnly supported on Linux, Windows, and macOS.\n\nMatch default interface address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#default_interface_address", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "disable_cache": { "description": "Disable cache and save cache in this query.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule_action/#disable_cache", "type": "boolean" }, "domain": { "description": "Match full domain.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#domain", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "domain_keyword": { "description": "Match domain using keyword.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#domain_keyword", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "domain_regex": { "description": "Match domain using regular expression.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#domain_regex", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "domain_suffix": { "description": "Match domain suffix.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#domain_suffix", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "extra": { "description": "List of text DNS record to respond as extra records.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule_action/#extra", "oneOf": [ { "$ref": "#/$defs/DNSRecordOptions" }, { "items": { "$ref": "#/$defs/DNSRecordOptions" }, "type": "array" } ] }, "geoip": { "deprecated": true, "description": "Deprecated: Removed in sing-box 1.12.0\n\nGeoIP is deprecated in sing-box 1.8.0 and removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).\n\nMatch GeoIP with query response.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#geoip", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "geosite": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.8.0\n\nGeosite is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geosite-to-rule-sets).\n\nMatch geosite.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#geosite", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "inbound": { "description": "Tags of [Inbound](/configuration/inbound/).\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#inbound", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "interface_address": { "additionalProperties": { "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "description": "Since sing-box 1.13.0\n\n\nOnly supported on Linux, Windows, and macOS.\n\nMatch interface address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#interface_address", "type": "object" }, "invert": { "description": "Invert match result.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#invert", "type": "boolean" }, "ip_accept_any": { "description": "Since sing-box 1.12.0\n\nMatch any IP with query response.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#ip_accept_any", "type": "boolean" }, "ip_cidr": { "description": "Since sing-box 1.9.0\n\nMatch IP CIDR with query response.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#ip_cidr", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "ip_is_private": { "description": "Since sing-box 1.9.0\n\nMatch private IP with query response.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#ip_is_private", "type": "boolean" }, "ip_version": { "description": "4 (A DNS query) or 6 (AAAA DNS query).\n\nNot limited if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#ip_version", "type": "integer" }, "method": { "description": "For TCP and UDP connections:\n\n- `default`: Reply with TCP RST for TCP connections, and ICMP port unreachable for UDP packets.\n- `drop`: Drop packets.\n\nFor ICMP echo requests:\n\n- `default`: Reply with ICMP host unreachable.\n- `drop`: Drop packets.\n- `reply`: Reply with ICMP echo reply.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#method", "type": "string" }, "network": { "description": "`tcp` or `udp`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#network", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "network_interface_address": { "additionalProperties": { "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "description": "Since sing-box 1.13.0\n\n\nOnly supported in graphical clients on Android and Apple platforms.\n\nMatches network interface (same values as `network_type`) address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#network_interface_address", "type": "object" }, "network_is_constrained": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Apple platforms.\n\nMatch if network is in Low Data Mode.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#network_is_constrained", "type": "boolean" }, "network_is_expensive": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms.\n\nMatch if network is considered Metered (on Android) or considered expensive,\nsuch as Cellular or a Personal Hotspot (on Apple platforms).\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#network_is_expensive", "type": "boolean" }, "network_type": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms.\n\nMatch network type.\n\nAvailable values: `wifi`, `cellular`, `ethernet` and `other`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#network_type", "oneOf": [ { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, { "items": { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, "type": "array" } ] }, "no_drop": { "description": "If not enabled, `method` will be temporarily overwritten to `drop` after 50 triggers in 30s.\n\nNot available when `method` is set to drop.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#no_drop", "type": "boolean" }, "ns": { "description": "List of text DNS record to respond as name servers.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule_action/#ns", "oneOf": [ { "$ref": "#/$defs/DNSRecordOptions" }, { "items": { "$ref": "#/$defs/DNSRecordOptions" }, "type": "array" } ] }, "outbound": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.12.0\n\n`outbound` rule items are deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-outbound-dns-rule-items-to-domain-resolver).\n\nMatch outbound.\n\n`any` can be used as a value to match any outbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#outbound", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "package_name": { "description": "Match android package name.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#package_name", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "port": { "description": "Match port.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#port", "oneOf": [ { "type": "integer" }, { "items": { "type": "integer" }, "type": "array" } ] }, "port_range": { "description": "Match port range.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#port_range", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "process_name": { "description": "Only supported on Linux, Windows, and macOS.\n\nMatch process name.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#process_name", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "process_path": { "description": "Only supported on Linux, Windows, and macOS.\n\nMatch process path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#process_path", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "process_path_regex": { "description": "Since sing-box 1.10.0\n\n\nOnly supported on Linux, Windows, and macOS.\n\nMatch process path using regular expression.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#process_path_regex", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "protocol": { "description": "Sniffed protocol, see [Sniff](/configuration/route/sniff/) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#protocol", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "query_type": { "description": "DNS query type. Values can be integers or type name strings.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#query_type", "oneOf": [ { "oneOf": [ { "type": "integer" }, { "type": "string" } ] }, { "items": { "oneOf": [ { "type": "integer" }, { "type": "string" } ] }, "type": "array" } ] }, "rcode": { "description": "The response code.\n\n| Value | Value in the legacy rcode server | Description |\n|------------|----------------------------------|-----------------|\n| `NOERROR` | `success` | Ok |\n| `FORMERR` | `format_error` | Bad request |\n| `SERVFAIL` | `server_failure` | Server failure |\n| `NXDOMAIN` | `name_error` | Not found |\n| `NOTIMP` | `not_implemented` | Not implemented |\n| `REFUSED` | `refused` | Refused |\n\n`NOERROR` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule_action/#rcode", "type": "string" }, "rewrite_ttl": { "description": "Rewrite TTL in DNS responses.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule_action/#rewrite_ttl", "type": "integer" }, "rule_set": { "description": "Since sing-box 1.8.0\n\nMatch [rule-set](/configuration/route/#rule_set).\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#rule_set", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "rule_set_ip_cidr_accept_empty": { "description": "Since sing-box 1.10.0\n\nMake `ip_cidr` rules in rule-sets accept empty query response.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#rule_set_ip_cidr_accept_empty", "type": "boolean" }, "rule_set_ip_cidr_match_source": { "description": "Since sing-box 1.10.0\n\nMake `ip_cidr` rule items in rule-sets match the source IP.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#rule_set_ip_cidr_match_source", "type": "boolean" }, "rule_set_ipcidr_match_source": { "deprecated": true, "description": "Since sing-box 1.9.0\n\nDeprecated: Deprecated in sing-box 1.10.0\n\nMake `ip_cidr` rule items in rule-sets match the source IP.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#rule_set_ipcidr_match_source", "type": "boolean" }, "server": { "description": "Tag of target server.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule_action/#server", "type": "string" }, "source_geoip": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.8.0\n\nGeoIP is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).\n\nMatch source geoip.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#source_geoip", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "source_ip_cidr": { "description": "Match source IP CIDR.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#source_ip_cidr", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "source_ip_is_private": { "description": "Since sing-box 1.8.0\n\nMatch non-public source IP.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#source_ip_is_private", "type": "boolean" }, "source_port": { "description": "Match source port.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#source_port", "oneOf": [ { "type": "integer" }, { "items": { "type": "integer" }, "type": "array" } ] }, "source_port_range": { "description": "Match source port range.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#source_port_range", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "strategy": { "description": "Since sing-box 1.12.0\n\nSet domain strategy for this query.\n\nOne of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule_action/#strategy", "enum": [ "", "prefer_ipv4", "prefer_ipv6", "ipv4_only", "ipv6_only" ], "type": "string" }, "user": { "description": "Only supported on Linux.\n\nMatch user name.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#user", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "user_id": { "description": "Only supported on Linux.\n\nMatch user id.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#user_id", "oneOf": [ { "type": "integer" }, { "items": { "type": "integer" }, "type": "array" } ] }, "wifi_bssid": { "description": "Only supported in graphical clients on Android and Apple platforms, or on Linux.\n\nMatch WiFi BSSID.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#wifi_bssid", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "wifi_ssid": { "description": "Only supported in graphical clients on Android and Apple platforms, or on Linux.\n\nMatch WiFi SSID.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule/#wifi_ssid", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] } } }, { "properties": { "action": { "enum": [ "", "route", "route-options", "reject", "predefined" ], "type": "string" }, "answer": { "description": "List of text DNS record to respond as answers.\n\nExamples:\n\n| Record Type | Example |\n|-------------|-------------------------------|\n| `A` | `localhost. IN A 127.0.0.1` |\n| `AAAA` | `localhost. IN AAAA ::1` |\n| `TXT` | `localhost. IN TXT \\\"Hello\\\"` |\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule_action/#answer", "oneOf": [ { "$ref": "#/$defs/DNSRecordOptions" }, { "items": { "$ref": "#/$defs/DNSRecordOptions" }, "type": "array" } ] }, "client_subnet": { "description": "Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.\n\nIf value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.\n\nWill overrides `dns.client_subnet`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule_action/#client_subnet", "type": "string" }, "disable_cache": { "description": "Disable cache and save cache in this query.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule_action/#disable_cache", "type": "boolean" }, "extra": { "description": "List of text DNS record to respond as extra records.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule_action/#extra", "oneOf": [ { "$ref": "#/$defs/DNSRecordOptions" }, { "items": { "$ref": "#/$defs/DNSRecordOptions" }, "type": "array" } ] }, "invert": { "type": "boolean" }, "method": { "description": "For TCP and UDP connections:\n\n- `default`: Reply with TCP RST for TCP connections, and ICMP port unreachable for UDP packets.\n- `drop`: Drop packets.\n\nFor ICMP echo requests:\n\n- `default`: Reply with ICMP host unreachable.\n- `drop`: Drop packets.\n- `reply`: Reply with ICMP echo reply.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#method", "type": "string" }, "mode": { "enum": [ "and", "or" ], "type": "string" }, "no_drop": { "description": "If not enabled, `method` will be temporarily overwritten to `drop` after 50 triggers in 30s.\n\nNot available when `method` is set to drop.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#no_drop", "type": "boolean" }, "ns": { "description": "List of text DNS record to respond as name servers.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule_action/#ns", "oneOf": [ { "$ref": "#/$defs/DNSRecordOptions" }, { "items": { "$ref": "#/$defs/DNSRecordOptions" }, "type": "array" } ] }, "rcode": { "description": "The response code.\n\n| Value | Value in the legacy rcode server | Description |\n|------------|----------------------------------|-----------------|\n| `NOERROR` | `success` | Ok |\n| `FORMERR` | `format_error` | Bad request |\n| `SERVFAIL` | `server_failure` | Server failure |\n| `NXDOMAIN` | `name_error` | Not found |\n| `NOTIMP` | `not_implemented` | Not implemented |\n| `REFUSED` | `refused` | Refused |\n\n`NOERROR` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule_action/#rcode", "type": "string" }, "rewrite_ttl": { "description": "Rewrite TTL in DNS responses.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule_action/#rewrite_ttl", "type": "integer" }, "rules": { "items": { "$ref": "#/$defs/DNSRule" }, "type": "array" }, "server": { "description": "Tag of target server.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule_action/#server", "type": "string" }, "strategy": { "description": "Since sing-box 1.12.0\n\nSet domain strategy for this query.\n\nOne of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/rule_action/#strategy", "enum": [ "", "prefer_ipv4", "prefer_ipv6", "ipv4_only", "ipv6_only" ], "type": "string" }, "type": { "const": "logical" } }, "required": [ "type" ] } ], "type": "object" }, "DNSServer": { "allOf": [ { "properties": { "tag": { "description": "The tag of the DNS server.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#tag", "type": "string" }, "type": { "description": "The type of the DNS server.\n\n| Type | Format |\n|-----------------|---------------------------|\n| empty (default) | [Legacy](./legacy/) |\n| `local` | [Local](./local/) |\n| `hosts` | [Hosts](./hosts/) |\n| `tcp` | [TCP](./tcp/) |\n| `udp` | [UDP](./udp/) |\n| `tls` | [TLS](./tls/) |\n| `quic` | [QUIC](./quic/) |\n| `https` | [HTTPS](./https/) |\n| `h3` | [HTTP/3](./http3/) |\n| `dhcp` | [DHCP](./dhcp/) |\n| `fakeip` | [Fake IP](./fakeip/) |\n| `tailscale` | [Tailscale](./tailscale/) |\n| `resolved` | [Resolved](./resolved/) |\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#type", "enum": [ "dhcp", "fakeip", "h3", "hosts", "https", "local", "quic", "resolved", "tailscale", "tcp", "tls", "udp" ], "type": "string" } }, "required": [ "type" ] }, { "oneOf": [ { "$ref": "#/$defs/DNSServer_dhcp" }, { "$ref": "#/$defs/DNSServer_fakeip" }, { "$ref": "#/$defs/DNSServer_h3" }, { "$ref": "#/$defs/DNSServer_hosts" }, { "$ref": "#/$defs/DNSServer_https" }, { "$ref": "#/$defs/DNSServer_local" }, { "$ref": "#/$defs/DNSServer_quic" }, { "$ref": "#/$defs/DNSServer_resolved" }, { "$ref": "#/$defs/DNSServer_tailscale" }, { "$ref": "#/$defs/DNSServer_tcp" }, { "$ref": "#/$defs/DNSServer_tls" }, { "$ref": "#/$defs/DNSServer_udp" } ] } ], "type": "object" }, "DNSServer_dhcp": { "allOf": [ { "properties": { "interface": { "description": "Interface name to listen on.\n\nTge default interface will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/dhcp/#interface", "type": "string" }, "prefer_go": { "description": "Since sing-box 1.13.0\n\nWhen enabled, `local` DNS server will resolve DNS by dialing itself whenever possible.\n\nSpecifically, it disables following behaviors which was added as features in sing-box 1.13.0:\n\n1. On Apple platforms: Attempt to resolve A/AAAA requests using `getaddrinfo` in NetworkExtension.\n2. On Linux: Resolve through `systemd-resolvd`'s DBus interface when available.\n\nAs a sole exception, it cannot disable the following behavior:\n\n1. In the Android graphical client,\n`local` will always resolve DNS through the platform interface,\nas there is no other way to obtain upstream DNS servers;\nOn devices running Android versions lower than 10, this interface can only resolve A/AAAA requests.\n\n2. On macOS, `local` will try DHCP first in Network Extension, since DHCP respects DIal Fields,\nit will not be disabled by `prefer_go`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/local/#prefer_go", "type": "boolean" }, "tag": { "description": "The tag of the DNS server.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#tag", "type": "string" }, "type": { "const": "dhcp", "description": "The type of the DNS server.\n\n| Type | Format |\n|-----------------|---------------------------|\n| empty (default) | [Legacy](./legacy/) |\n| `local` | [Local](./local/) |\n| `hosts` | [Hosts](./hosts/) |\n| `tcp` | [TCP](./tcp/) |\n| `udp` | [UDP](./udp/) |\n| `tls` | [TLS](./tls/) |\n| `quic` | [QUIC](./quic/) |\n| `https` | [HTTPS](./https/) |\n| `h3` | [HTTP/3](./http3/) |\n| `dhcp` | [DHCP](./dhcp/) |\n| `fakeip` | [Fake IP](./fakeip/) |\n| `tailscale` | [Tailscale](./tailscale/) |\n| `resolved` | [Resolved](./resolved/) |\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#type" } }, "required": [ "type" ] }, { "$ref": "#/$defs/DialerOptions" } ] }, "DNSServer_fakeip": { "properties": { "inet4_range": { "description": "IPv4 address range for FakeIP.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/fakeip/#inet4_range", "type": "string" }, "inet6_range": { "type": "string" }, "tag": { "description": "The tag of the DNS server.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#tag", "type": "string" }, "type": { "const": "fakeip", "description": "The type of the DNS server.\n\n| Type | Format |\n|-----------------|---------------------------|\n| empty (default) | [Legacy](./legacy/) |\n| `local` | [Local](./local/) |\n| `hosts` | [Hosts](./hosts/) |\n| `tcp` | [TCP](./tcp/) |\n| `udp` | [UDP](./udp/) |\n| `tls` | [TLS](./tls/) |\n| `quic` | [QUIC](./quic/) |\n| `https` | [HTTPS](./https/) |\n| `h3` | [HTTP/3](./http3/) |\n| `dhcp` | [DHCP](./dhcp/) |\n| `fakeip` | [Fake IP](./fakeip/) |\n| `tailscale` | [Tailscale](./tailscale/) |\n| `resolved` | [Resolved](./resolved/) |\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#type" } }, "required": [ "type" ] }, "DNSServer_h3": { "allOf": [ { "properties": { "headers": { "additionalProperties": { "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "description": "Additional headers to be sent to the DNS server.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/http3/#headers", "type": "object" }, "method": { "type": "string" }, "path": { "description": "The path of the DNS server.\n\n`/dns-query` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/http3/#path", "type": "string" }, "server": { "description": "The address of the DNS server.\n\nIf domain name is used, `domain_resolver` must also be set to resolve IP address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/http3/#server", "type": "string" }, "server_port": { "description": "The port of the DNS server.\n\n`443` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/http3/#server_port", "type": "integer" }, "tag": { "description": "The tag of the DNS server.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/OutboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#outbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/http3/#tls" }, "type": { "const": "h3", "description": "The type of the DNS server.\n\n| Type | Format |\n|-----------------|---------------------------|\n| empty (default) | [Legacy](./legacy/) |\n| `local` | [Local](./local/) |\n| `hosts` | [Hosts](./hosts/) |\n| `tcp` | [TCP](./tcp/) |\n| `udp` | [UDP](./udp/) |\n| `tls` | [TLS](./tls/) |\n| `quic` | [QUIC](./quic/) |\n| `https` | [HTTPS](./https/) |\n| `h3` | [HTTP/3](./http3/) |\n| `dhcp` | [DHCP](./dhcp/) |\n| `fakeip` | [Fake IP](./fakeip/) |\n| `tailscale` | [Tailscale](./tailscale/) |\n| `resolved` | [Resolved](./resolved/) |\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#type" } }, "required": [ "type", "server" ] }, { "$ref": "#/$defs/DialerOptions" } ] }, "DNSServer_hosts": { "properties": { "path": { "description": "List of paths to hosts files.\n\n`/etc/hosts` is used by default.\n\n`C:\\Windows\\System32\\Drivers\\etc\\hosts` is used by default on Windows.\n\nExample:\n\n```json\n{\n// \"path\": \"/etc/hosts\"\n\n\"path\": [\n\"/etc/hosts\",\n\"$HOME/.hosts\"\n]\n}\n```\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/hosts/#path", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "predefined": { "additionalProperties": { "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "description": "Predefined hosts.\n\nExample:\n\n```json\n{\n\"predefined\": {\n\"www.google.com\": \"127.0.0.1\",\n\"localhost\": [\n\"127.0.0.1\",\n\"::1\"\n]\n}\n}\n```\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/hosts/#predefined", "type": "object" }, "tag": { "description": "The tag of the DNS server.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#tag", "type": "string" }, "type": { "const": "hosts", "description": "The type of the DNS server.\n\n| Type | Format |\n|-----------------|---------------------------|\n| empty (default) | [Legacy](./legacy/) |\n| `local` | [Local](./local/) |\n| `hosts` | [Hosts](./hosts/) |\n| `tcp` | [TCP](./tcp/) |\n| `udp` | [UDP](./udp/) |\n| `tls` | [TLS](./tls/) |\n| `quic` | [QUIC](./quic/) |\n| `https` | [HTTPS](./https/) |\n| `h3` | [HTTP/3](./http3/) |\n| `dhcp` | [DHCP](./dhcp/) |\n| `fakeip` | [Fake IP](./fakeip/) |\n| `tailscale` | [Tailscale](./tailscale/) |\n| `resolved` | [Resolved](./resolved/) |\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#type" } }, "required": [ "type" ] }, "DNSServer_https": { "allOf": [ { "properties": { "headers": { "additionalProperties": { "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "description": "Additional headers to be sent to the DNS server.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/http3/#headers", "type": "object" }, "method": { "type": "string" }, "path": { "description": "The path of the DNS server.\n\n`/dns-query` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/http3/#path", "type": "string" }, "server": { "description": "The address of the DNS server.\n\nIf domain name is used, `domain_resolver` must also be set to resolve IP address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/http3/#server", "type": "string" }, "server_port": { "description": "The port of the DNS server.\n\n`443` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/http3/#server_port", "type": "integer" }, "tag": { "description": "The tag of the DNS server.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/OutboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#outbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/http3/#tls" }, "type": { "const": "https", "description": "The type of the DNS server.\n\n| Type | Format |\n|-----------------|---------------------------|\n| empty (default) | [Legacy](./legacy/) |\n| `local` | [Local](./local/) |\n| `hosts` | [Hosts](./hosts/) |\n| `tcp` | [TCP](./tcp/) |\n| `udp` | [UDP](./udp/) |\n| `tls` | [TLS](./tls/) |\n| `quic` | [QUIC](./quic/) |\n| `https` | [HTTPS](./https/) |\n| `h3` | [HTTP/3](./http3/) |\n| `dhcp` | [DHCP](./dhcp/) |\n| `fakeip` | [Fake IP](./fakeip/) |\n| `tailscale` | [Tailscale](./tailscale/) |\n| `resolved` | [Resolved](./resolved/) |\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#type" } }, "required": [ "type", "server" ] }, { "$ref": "#/$defs/DialerOptions" } ] }, "DNSServer_local": { "allOf": [ { "properties": { "prefer_go": { "description": "Since sing-box 1.13.0\n\nWhen enabled, `local` DNS server will resolve DNS by dialing itself whenever possible.\n\nSpecifically, it disables following behaviors which was added as features in sing-box 1.13.0:\n\n1. On Apple platforms: Attempt to resolve A/AAAA requests using `getaddrinfo` in NetworkExtension.\n2. On Linux: Resolve through `systemd-resolvd`'s DBus interface when available.\n\nAs a sole exception, it cannot disable the following behavior:\n\n1. In the Android graphical client,\n`local` will always resolve DNS through the platform interface,\nas there is no other way to obtain upstream DNS servers;\nOn devices running Android versions lower than 10, this interface can only resolve A/AAAA requests.\n\n2. On macOS, `local` will try DHCP first in Network Extension, since DHCP respects DIal Fields,\nit will not be disabled by `prefer_go`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/local/#prefer_go", "type": "boolean" }, "tag": { "description": "The tag of the DNS server.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#tag", "type": "string" }, "type": { "const": "local", "description": "The type of the DNS server.\n\n| Type | Format |\n|-----------------|---------------------------|\n| empty (default) | [Legacy](./legacy/) |\n| `local` | [Local](./local/) |\n| `hosts` | [Hosts](./hosts/) |\n| `tcp` | [TCP](./tcp/) |\n| `udp` | [UDP](./udp/) |\n| `tls` | [TLS](./tls/) |\n| `quic` | [QUIC](./quic/) |\n| `https` | [HTTPS](./https/) |\n| `h3` | [HTTP/3](./http3/) |\n| `dhcp` | [DHCP](./dhcp/) |\n| `fakeip` | [Fake IP](./fakeip/) |\n| `tailscale` | [Tailscale](./tailscale/) |\n| `resolved` | [Resolved](./resolved/) |\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#type" } }, "required": [ "type" ] }, { "$ref": "#/$defs/DialerOptions" } ] }, "DNSServer_quic": { "allOf": [ { "properties": { "server": { "description": "The address of the DNS server.\n\nIf domain name is used, `domain_resolver` must also be set to resolve IP address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/quic/#server", "type": "string" }, "server_port": { "description": "The port of the DNS server.\n\n`853` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/quic/#server_port", "type": "integer" }, "tag": { "description": "The tag of the DNS server.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/OutboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#outbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/quic/#tls" }, "type": { "const": "quic", "description": "The type of the DNS server.\n\n| Type | Format |\n|-----------------|---------------------------|\n| empty (default) | [Legacy](./legacy/) |\n| `local` | [Local](./local/) |\n| `hosts` | [Hosts](./hosts/) |\n| `tcp` | [TCP](./tcp/) |\n| `udp` | [UDP](./udp/) |\n| `tls` | [TLS](./tls/) |\n| `quic` | [QUIC](./quic/) |\n| `https` | [HTTPS](./https/) |\n| `h3` | [HTTP/3](./http3/) |\n| `dhcp` | [DHCP](./dhcp/) |\n| `fakeip` | [Fake IP](./fakeip/) |\n| `tailscale` | [Tailscale](./tailscale/) |\n| `resolved` | [Resolved](./resolved/) |\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#type" } }, "required": [ "type", "server" ] }, { "$ref": "#/$defs/DialerOptions" } ] }, "DNSServer_resolved": { "properties": { "accept_default_resolvers": { "description": "Indicates whether the default DNS resolvers should be accepted for fallback queries in addition to matching domains.\n\nSpecifically, default DNS resolvers are DNS servers that have `SetLinkDefaultRoute` or `SetLinkDomains ~.` set.\n\nIf not enabled, `NXDOMAIN` will be returned for requests that do not match search or match domains.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/resolved/#accept_default_resolvers", "type": "boolean" }, "service": { "description": "The tag of the [Resolved Service](/configuration/service/resolved).\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/resolved/#service", "type": "string" }, "tag": { "description": "The tag of the DNS server.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#tag", "type": "string" }, "type": { "const": "resolved", "description": "The type of the DNS server.\n\n| Type | Format |\n|-----------------|---------------------------|\n| empty (default) | [Legacy](./legacy/) |\n| `local` | [Local](./local/) |\n| `hosts` | [Hosts](./hosts/) |\n| `tcp` | [TCP](./tcp/) |\n| `udp` | [UDP](./udp/) |\n| `tls` | [TLS](./tls/) |\n| `quic` | [QUIC](./quic/) |\n| `https` | [HTTPS](./https/) |\n| `h3` | [HTTP/3](./http3/) |\n| `dhcp` | [DHCP](./dhcp/) |\n| `fakeip` | [Fake IP](./fakeip/) |\n| `tailscale` | [Tailscale](./tailscale/) |\n| `resolved` | [Resolved](./resolved/) |\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#type" } }, "required": [ "type", "service" ] }, "DNSServer_tailscale": { "properties": { "accept_default_resolvers": { "description": "Indicates whether default DNS resolvers should be accepted for fallback queries in addition to MagicDNS。\n\nif not enabled, `NXDOMAIN` will be returned for non-Tailscale domain queries.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/tailscale/#accept_default_resolvers", "type": "boolean" }, "endpoint": { "description": "The tag of the [Tailscale Endpoint](/configuration/endpoint/tailscale).\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/tailscale/#endpoint", "type": "string" }, "tag": { "description": "The tag of the DNS server.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#tag", "type": "string" }, "type": { "const": "tailscale", "description": "The type of the DNS server.\n\n| Type | Format |\n|-----------------|---------------------------|\n| empty (default) | [Legacy](./legacy/) |\n| `local` | [Local](./local/) |\n| `hosts` | [Hosts](./hosts/) |\n| `tcp` | [TCP](./tcp/) |\n| `udp` | [UDP](./udp/) |\n| `tls` | [TLS](./tls/) |\n| `quic` | [QUIC](./quic/) |\n| `https` | [HTTPS](./https/) |\n| `h3` | [HTTP/3](./http3/) |\n| `dhcp` | [DHCP](./dhcp/) |\n| `fakeip` | [Fake IP](./fakeip/) |\n| `tailscale` | [Tailscale](./tailscale/) |\n| `resolved` | [Resolved](./resolved/) |\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#type" } }, "required": [ "type", "endpoint" ] }, "DNSServer_tcp": { "allOf": [ { "properties": { "server": { "description": "The address of the DNS server.\n\nIf domain name is used, `domain_resolver` must also be set to resolve IP address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/tcp/#server", "type": "string" }, "server_port": { "description": "The port of the DNS server.\n\n`53` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/tcp/#server_port", "type": "integer" }, "tag": { "description": "The tag of the DNS server.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#tag", "type": "string" }, "type": { "const": "tcp", "description": "The type of the DNS server.\n\n| Type | Format |\n|-----------------|---------------------------|\n| empty (default) | [Legacy](./legacy/) |\n| `local` | [Local](./local/) |\n| `hosts` | [Hosts](./hosts/) |\n| `tcp` | [TCP](./tcp/) |\n| `udp` | [UDP](./udp/) |\n| `tls` | [TLS](./tls/) |\n| `quic` | [QUIC](./quic/) |\n| `https` | [HTTPS](./https/) |\n| `h3` | [HTTP/3](./http3/) |\n| `dhcp` | [DHCP](./dhcp/) |\n| `fakeip` | [Fake IP](./fakeip/) |\n| `tailscale` | [Tailscale](./tailscale/) |\n| `resolved` | [Resolved](./resolved/) |\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#type" } }, "required": [ "type", "server" ] }, { "$ref": "#/$defs/DialerOptions" } ] }, "DNSServer_tls": { "allOf": [ { "properties": { "server": { "description": "The address of the DNS server.\n\nIf domain name is used, `domain_resolver` must also be set to resolve IP address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/quic/#server", "type": "string" }, "server_port": { "description": "The port of the DNS server.\n\n`853` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/quic/#server_port", "type": "integer" }, "tag": { "description": "The tag of the DNS server.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/OutboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#outbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/quic/#tls" }, "type": { "const": "tls", "description": "The type of the DNS server.\n\n| Type | Format |\n|-----------------|---------------------------|\n| empty (default) | [Legacy](./legacy/) |\n| `local` | [Local](./local/) |\n| `hosts` | [Hosts](./hosts/) |\n| `tcp` | [TCP](./tcp/) |\n| `udp` | [UDP](./udp/) |\n| `tls` | [TLS](./tls/) |\n| `quic` | [QUIC](./quic/) |\n| `https` | [HTTPS](./https/) |\n| `h3` | [HTTP/3](./http3/) |\n| `dhcp` | [DHCP](./dhcp/) |\n| `fakeip` | [Fake IP](./fakeip/) |\n| `tailscale` | [Tailscale](./tailscale/) |\n| `resolved` | [Resolved](./resolved/) |\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#type" } }, "required": [ "type", "server" ] }, { "$ref": "#/$defs/DialerOptions" } ] }, "DNSServer_udp": { "allOf": [ { "properties": { "server": { "description": "The address of the DNS server.\n\nIf domain name is used, `domain_resolver` must also be set to resolve IP address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/tcp/#server", "type": "string" }, "server_port": { "description": "The port of the DNS server.\n\n`53` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/tcp/#server_port", "type": "integer" }, "tag": { "description": "The tag of the DNS server.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#tag", "type": "string" }, "type": { "const": "udp", "description": "The type of the DNS server.\n\n| Type | Format |\n|-----------------|---------------------------|\n| empty (default) | [Legacy](./legacy/) |\n| `local` | [Local](./local/) |\n| `hosts` | [Hosts](./hosts/) |\n| `tcp` | [TCP](./tcp/) |\n| `udp` | [UDP](./udp/) |\n| `tls` | [TLS](./tls/) |\n| `quic` | [QUIC](./quic/) |\n| `https` | [HTTPS](./https/) |\n| `h3` | [HTTP/3](./http3/) |\n| `dhcp` | [DHCP](./dhcp/) |\n| `fakeip` | [Fake IP](./fakeip/) |\n| `tailscale` | [Tailscale](./tailscale/) |\n| `resolved` | [Resolved](./resolved/) |\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/server/#type" } }, "required": [ "type", "server" ] }, { "$ref": "#/$defs/DialerOptions" } ] }, "DebugOptions": { "properties": { "gc_percent": { "type": "integer" }, "listen": { "type": "string" }, "max_stack": { "type": "integer" }, "max_threads": { "type": "integer" }, "memory_limit": { "type": "string" }, "oom_killer": { "type": "boolean" }, "panic_on_fault": { "type": "boolean" }, "trace_back": { "type": "string" } }, "type": "object" }, "DialerOptions": { "properties": { "bind_address_no_port": { "description": "Since sing-box 1.13.0\n\n\nOnly supported on Linux.\n\nDo not reserve a port when binding to a source address.\n\nThis allows reusing the same source port for multiple connections if the full 4-tuple (source IP, source port, destination IP, destination port) remains unique.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#bind_address_no_port", "type": "boolean" }, "bind_interface": { "description": "The network interface to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#bind_interface", "type": "string" }, "connect_timeout": { "description": "Connect timeout, in golang's Duration format.\n\nA duration string is a possibly signed sequence of\ndecimal numbers, each with optional fraction and a unit suffix,\nsuch as \"300ms\", \"-1.5h\" or \"2h45m\".\nValid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#connect_timeout", "type": "string" }, "detour": { "description": "The tag of the upstream outbound.\n\nIf enabled, all other fields will be ignored.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#detour", "type": "string" }, "disable_tcp_keep_alive": { "description": "Since sing-box 1.13.0\n\nDisable TCP keep alive.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#disable_tcp_keep_alive", "type": "boolean" }, "domain_resolver": { "$ref": "#/$defs/DomainResolveOptions", "deprecated": true, "description": "`outbound` DNS rule items are deprecated and will be removed in sing-box 1.14.0, so this item will be required for outbound/endpoints using domain name in server address since sing-box 1.14.0.\n\n\n\n`domain_resolver` or `route.default_domain_resolver` is optional when only one DNS server is configured.\n\nSet domain resolver to use for resolving domain names.\n\nThis option uses the same format as the [route DNS rule action](/configuration/dns/rule_action/#route) without the `action` field.\n\nSetting this option directly to a string is equivalent to setting `server` of this options.\n\n| Outbound/Endpoints | Effected domains |\n|--------------------|--------------------------|\n| `direct` | Domain in request |\n| others | Domain in server address |\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#domain_resolver" }, "domain_strategy": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.12.0\n\n`domain_strategy` is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-outbound-domain-strategy-option-to-domain-resolver).\n\nAvailable values: `prefer_ipv4`, `prefer_ipv6`, `ipv4_only`, `ipv6_only`.\n\nIf set, the requested domain name will be resolved to IP before connect.\n\n| Outbound | Effected domains | Fallback Value |\n|----------|--------------------------|-------------------------------------------|\n| `direct` | Domain in request | Take `inbound.domain_strategy` if not set |\n| others | Domain in server address | / |\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#domain_strategy", "enum": [ "", "prefer_ipv4", "prefer_ipv6", "ipv4_only", "ipv6_only" ], "type": "string" }, "fallback_delay": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nThe length of time to wait before spawning a RFC 6555 Fast Fallback connection.\n\nFor `domain_strategy`, is the amount of time to wait for connection to succeed before assuming\nthat IPv4/IPv6 is misconfigured and falling back to other type of addresses.\n\nFor `network_strategy`, is the amount of time to wait for connection to succeed before falling\nback to other interfaces.\n\nOnly take effect when `domain_strategy` or `network_strategy` is set.\n\n`300ms` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#fallback_delay", "type": "string" }, "fallback_network_type": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nFallback network types when preferred networks are unavailable or timeout when using `fallback` network strategy.\n\nAll other networks expect preferred are used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#fallback_network_type", "oneOf": [ { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, { "items": { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, "type": "array" } ] }, "inet4_bind_address": { "description": "The IPv4 address to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#inet4_bind_address", "type": "string" }, "inet6_bind_address": { "description": "The IPv6 address to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#inet6_bind_address", "type": "string" }, "netns": { "description": "Since sing-box 1.12.0\n\n\nOnly supported on Linux.\n\nSet network namespace, name or path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#netns", "type": "string" }, "network_strategy": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nStrategy for selecting network interfaces.\n\nAvailable values:\n\n- `default` (default): Connect to default network or networks specified in `network_type` sequentially.\n- `hybrid`: Connect to all networks or networks specified in `network_type` concurrently.\n- `fallback`: Connect to default network or preferred networks specified in `network_type` concurrently, and try fallback networks when unavailable or timeout.\n\nFor fallback, when preferred interfaces fails or times out,\nit will enter a 15s fast fallback state (Connect to all preferred and fallback networks concurrently),\nand exit immediately if preferred networks recover.\n\nConflicts with `bind_interface`, `inet4_bind_address` and `inet6_bind_address`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#network_strategy", "enum": [ "default", "hybrid", "fallback" ], "type": "string" }, "network_type": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nNetwork types to use when using `default` or `hybrid` network strategy or\npreferred network types to use when using `fallback` network strategy.\n\nAvailable values: `wifi`, `cellular`, `ethernet`, `other`.\n\nDevice's default network is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#network_type", "oneOf": [ { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, { "items": { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, "type": "array" } ] }, "protect_path": { "type": "string" }, "reuse_addr": { "description": "Reuse listener address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#reuse_addr", "type": "boolean" }, "routing_mark": { "description": "Only supported on Linux.\n\nSet netfilter routing mark.\n\nIntegers (e.g. `1234`) and string hexadecimals (e.g. `\"0x1234\"`) are supported.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#routing_mark", "oneOf": [ { "type": "integer" }, { "type": "string" } ] }, "tcp_fast_open": { "description": "Enable TCP Fast Open.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_fast_open", "type": "boolean" }, "tcp_keep_alive": { "description": "Since sing-box 1.13.0\n\nDefault value changed from `10m` to `5m`.\n\nTCP keep alive initial period.\n\n`5m` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_keep_alive", "type": "string" }, "tcp_keep_alive_interval": { "description": "Since sing-box 1.13.0\n\nTCP keep alive interval.\n\n`75s` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_keep_alive_interval", "type": "string" }, "tcp_multi_path": { "description": "Go 1.21 required.\n\nEnable TCP Multi Path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_multi_path", "type": "boolean" }, "udp_fragment": { "description": "Enable UDP fragmentation.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#udp_fragment", "type": "boolean" } }, "type": "object" }, "DomainResolveOptions": { "properties": { "client_subnet": { "type": "string" }, "disable_cache": { "type": "boolean" }, "rewrite_ttl": { "type": "integer" }, "server": { "type": "string" }, "strategy": { "enum": [ "", "prefer_ipv4", "prefer_ipv6", "ipv4_only", "ipv6_only" ], "type": "string" } }, "type": "object" }, "Endpoint": { "allOf": [ { "properties": { "tag": { "description": "The tag of the endpoint.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/#tag", "type": "string" }, "type": { "enum": [ "tailscale", "wireguard" ], "type": "string" } }, "required": [ "type" ] }, { "oneOf": [ { "$ref": "#/$defs/Endpoint_tailscale" }, { "$ref": "#/$defs/Endpoint_wireguard" } ] } ], "type": "object" }, "Endpoint_tailscale": { "allOf": [ { "properties": { "accept_routes": { "description": "Indicates whether the node should accept routes advertised by other nodes.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/tailscale/#accept_routes", "type": "boolean" }, "advertise_exit_node": { "description": "Indicates whether the node should advertise itself as an exit node.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/tailscale/#advertise_exit_node", "type": "boolean" }, "advertise_routes": { "description": "CIDR prefixes to advertise into the Tailscale network as reachable through the current node.\n\nExample: `[\"192.168.1.1/24\"]`\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/tailscale/#advertise_routes", "items": { "type": "string" }, "type": "array" }, "advertise_tags": { "description": "Since sing-box 1.13.0\n\nTags to advertise for this node, for ACL enforcement purposes.\n\nExample: `[\"tag:server\"]`\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/tailscale/#advertise_tags", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "auth_key": { "description": "!!! note\n\nAuth key is not required. By default, sing-box will log the login URL (or popup a notification on graphical clients).\n\nThe auth key to create the node. If the node is already created (from state previously stored), then this field is not\nused.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/tailscale/#auth_key", "type": "string" }, "control_url": { "description": "The coordination server URL.\n\n`https://controlplane.tailscale.com` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/tailscale/#control_url", "type": "string" }, "ephemeral": { "description": "Indicates whether the instance should register as an Ephemeral node (https://tailscale.com/s/ephemeral-nodes).\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/tailscale/#ephemeral", "type": "boolean" }, "exit_node": { "description": "The exit node name or IP address to use.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/tailscale/#exit_node", "type": "string" }, "exit_node_allow_lan_access": { "description": "!!! note\n\nWhen the exit node does not have a corresponding advertised route, private traffics cannot be routed to the exit node even if `exit_node_allow_lan_access is` set.\n\nIndicates whether locally accessible subnets should be routed directly or via the exit node.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/tailscale/#exit_node_allow_lan_access", "type": "boolean" }, "hostname": { "description": "The hostname of the node.\n\nSystem hostname is used by default.\n\nExample: `localhost`\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/tailscale/#hostname", "type": "string" }, "relay_server_port": { "description": "Since sing-box 1.13.0\n\nThe port to listen on for incoming relay connections from other Tailscale nodes.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/tailscale/#relay_server_port", "type": "integer" }, "relay_server_static_endpoints": { "description": "Since sing-box 1.13.0\n\nStatic endpoints to advertise for the relay server.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/tailscale/#relay_server_static_endpoints", "items": { "type": "string" }, "type": "array" }, "state_directory": { "description": "The directory where the Tailscale state is stored.\n\n`tailscale` is used by default.\n\nExample: `$HOME/.tailscale`\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/tailscale/#state_directory", "type": "string" }, "system_interface": { "description": "Since sing-box 1.13.0\n\nCreate a system TUN interface for Tailscale.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/tailscale/#system_interface", "type": "boolean" }, "system_interface_mtu": { "description": "Since sing-box 1.13.0\n\nOverride the TUN MTU. By default, Tailscale's own MTU is used.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/tailscale/#system_interface_mtu", "type": "integer" }, "system_interface_name": { "description": "Since sing-box 1.13.0\n\nCustom TUN interface name. By default, `tailscale` (or `utun` on macOS) will be used.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/tailscale/#system_interface_name", "type": "string" }, "tag": { "description": "The tag of the endpoint.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/#tag", "type": "string" }, "type": { "const": "tailscale" }, "udp_timeout": { "description": "UDP NAT expiration time.\n\n`5m` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/tailscale/#udp_timeout", "oneOf": [ { "type": "integer" }, { "type": "string" } ] } }, "required": [ "type" ] }, { "$ref": "#/$defs/DialerOptions" } ] }, "Endpoint_wireguard": { "allOf": [ { "properties": { "address": { "description": "List of IP (v4 or v6) address prefixes to be assigned to the interface.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/wireguard/#address", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "listen_port": { "type": "integer" }, "mtu": { "description": "WireGuard MTU.\n\n`1408` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/wireguard/#mtu", "type": "integer" }, "name": { "description": "Custom interface name for system interface.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/wireguard/#name", "type": "string" }, "peers": { "description": "List of WireGuard peers.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/wireguard/#peers", "items": { "$ref": "#/$defs/WireGuardPeer" }, "type": "array" }, "private_key": { "description": "WireGuard requires base64-encoded public and private keys. These can be generated using the wg(8) utility:\n\n```shell\nwg genkey\necho \"private key\" || wg pubkey\n```\n\nor `sing-box generate wg-keypair`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/wireguard/#private_key", "type": "string" }, "system": { "description": "Use system interface.\n\nRequires privilege and cannot conflict with exists system interfaces.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/wireguard/#system", "type": "boolean" }, "tag": { "description": "The tag of the endpoint.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/#tag", "type": "string" }, "type": { "const": "wireguard" }, "udp_timeout": { "description": "UDP NAT expiration time.\n\n`5m` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/wireguard/#udp_timeout", "type": "string" }, "workers": { "description": "WireGuard worker count.\n\nCPU count is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/wireguard/#workers", "type": "integer" } }, "required": [ "type", "address", "private_key", "peers" ] }, { "$ref": "#/$defs/DialerOptions" } ] }, "ExperimentalOptions": { "properties": { "cache_file": { "$ref": "#/$defs/CacheFileOptions", "description": "See documentation: https://sing-box.sagernet.org/configuration/experimental/cache-file/" }, "clash_api": { "$ref": "#/$defs/ClashAPIOptions", "description": "See documentation: https://sing-box.sagernet.org/configuration/experimental/clash-api/" }, "debug": { "$ref": "#/$defs/DebugOptions" }, "v2ray_api": { "$ref": "#/$defs/V2RayAPIOptions", "description": "See documentation: https://sing-box.sagernet.org/configuration/experimental/v2ray-api/" } }, "type": "object" }, "GeoIPOptions": { "properties": { "download_detour": { "description": "The tag of the outbound to download the database.\n\nDefault outbound will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/geoip/#download_detour", "type": "string" }, "download_url": { "description": "The download URL of the sing-geoip database.\n\nDefault is `https://github.com/SagerNet/sing-geoip/releases/latest/download/geoip.db`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/geoip/#download_url", "type": "string" }, "path": { "description": "The path to the sing-geoip database.\n\n`geoip.db` will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/geoip/#path", "type": "string" } }, "type": "object" }, "GeositeOptions": { "properties": { "download_detour": { "description": "The tag of the outbound to download the database.\n\nDefault outbound will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/geosite/#download_detour", "type": "string" }, "download_url": { "description": "The download URL of the sing-geoip database.\n\nDefault is `https://github.com/SagerNet/sing-geosite/releases/latest/download/geosite.db`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/geosite/#download_url", "type": "string" }, "path": { "description": "The path to the sing-geosite database.\n\n`geosite.db` will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/geosite/#path", "type": "string" } }, "type": "object" }, "HTTPProxyOptions": { "properties": { "bypass_domain": { "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "enabled": { "type": "boolean" }, "match_domain": { "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "server": { "type": "string" }, "server_port": { "type": "integer" } }, "type": "object" }, "HeadlessRule": { "oneOf": [ { "properties": { "default_interface_address": { "description": "Since sing-box 1.13.0\n\n\nOnly supported on Linux, Windows, and macOS.\n\nMatch default interface address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#default_interface_address", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "domain": { "description": "Match full domain.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#domain", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "domain_keyword": { "description": "Match domain using keyword.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#domain_keyword", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "domain_regex": { "description": "Match domain using regular expression.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#domain_regex", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "domain_suffix": { "description": "Match domain suffix.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#domain_suffix", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "invert": { "description": "Invert match result.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#invert", "type": "boolean" }, "ip_cidr": { "description": "\n\n`ip_cidr` is an alias for `source_ip_cidr` when `rule_set_ipcidr_match_source` enabled in route/DNS rules.\n\nMatch IP CIDR.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#ip_cidr", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "network": { "description": "`tcp` or `udp`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#network", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "network_interface_address": { "additionalProperties": { "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "description": "Since sing-box 1.13.0\n\n\nOnly supported in graphical clients on Android and Apple platforms.\n\nMatches network interface (same values as `network_type`) address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#network_interface_address", "type": "object" }, "network_is_constrained": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Apple platforms.\n\nMatch if network is in Low Data Mode.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#network_is_constrained", "type": "boolean" }, "network_is_expensive": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms.\n\nMatch if network is considered Metered (on Android) or considered expensive,\nsuch as Cellular or a Personal Hotspot (on Apple platforms).\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#network_is_expensive", "type": "boolean" }, "network_type": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms.\n\nMatch network type.\n\nAvailable values: `wifi`, `cellular`, `ethernet` and `other`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#network_type", "oneOf": [ { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, { "items": { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, "type": "array" } ] }, "package_name": { "description": "Match android package name.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#package_name", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "port": { "description": "Match port.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#port", "oneOf": [ { "type": "integer" }, { "items": { "type": "integer" }, "type": "array" } ] }, "port_range": { "description": "Match port range.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#port_range", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "process_name": { "description": "Only supported on Linux, Windows, and macOS.\n\nMatch process name.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#process_name", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "process_path": { "description": "Only supported on Linux, Windows, and macOS.\n\nMatch process path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#process_path", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "process_path_regex": { "description": "Since sing-box 1.10.0\n\n\nOnly supported on Linux, Windows, and macOS.\n\nMatch process path using regular expression.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#process_path_regex", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "query_type": { "description": "DNS query type. Values can be integers or type name strings.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#query_type", "oneOf": [ { "oneOf": [ { "type": "integer" }, { "type": "string" } ] }, { "items": { "oneOf": [ { "type": "integer" }, { "type": "string" } ] }, "type": "array" } ] }, "source_ip_cidr": { "description": "Match source IP CIDR.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#source_ip_cidr", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "source_port": { "description": "Match source port.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#source_port", "oneOf": [ { "type": "integer" }, { "items": { "type": "integer" }, "type": "array" } ] }, "source_port_range": { "description": "Match source port range.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#source_port_range", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "wifi_bssid": { "description": "Only supported in graphical clients on Android and Apple platforms.\n\nMatch WiFi BSSID.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#wifi_bssid", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "wifi_ssid": { "description": "Only supported in graphical clients on Android and Apple platforms.\n\nMatch WiFi SSID.\n\nSee documentation: https://sing-box.sagernet.org/configuration/rule-set/headless-rule/#wifi_ssid", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] } } }, { "properties": { "invert": { "type": "boolean" }, "mode": { "enum": [ "and", "or" ], "type": "string" }, "rules": { "items": { "$ref": "#/$defs/HeadlessRule" }, "type": "array" }, "type": { "const": "logical" } }, "required": [ "type" ] } ], "type": "object" }, "Hysteria2Masquerade": { "oneOf": [ { "properties": { "directory": { "type": "string" }, "type": { "const": "file", "type": "string" } }, "required": [ "type" ] }, { "properties": { "rewrite_host": { "type": "boolean" }, "type": { "const": "proxy", "type": "string" }, "url": { "type": "string" } }, "required": [ "type" ] }, { "properties": { "content": { "type": "string" }, "headers": { "additionalProperties": { "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "type": "object" }, "status_code": { "type": "integer" }, "type": { "const": "string", "type": "string" } }, "required": [ "type" ] } ], "type": "object" }, "Hysteria2Obfs": { "properties": { "password": { "type": "string" }, "type": { "type": "string" } }, "type": "object" }, "Hysteria2User": { "properties": { "name": { "type": "string" }, "password": { "type": "string" } }, "type": "object" }, "HysteriaUser": { "properties": { "auth": { "items": { "type": "string" }, "type": "array" }, "auth_str": { "type": "string" }, "name": { "type": "string" } }, "type": "object" }, "Inbound": { "allOf": [ { "properties": { "tag": { "description": "The tag of the inbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/#tag", "type": "string" }, "type": { "enum": [ "anytls", "direct", "http", "hysteria", "hysteria2", "mixed", "naive", "redirect", "shadowsocks", "shadowtls", "socks", "tproxy", "trojan", "tuic", "tun", "vless", "vmess" ], "type": "string" } }, "required": [ "type" ] }, { "oneOf": [ { "$ref": "#/$defs/Inbound_anytls" }, { "$ref": "#/$defs/Inbound_direct" }, { "$ref": "#/$defs/Inbound_http" }, { "$ref": "#/$defs/Inbound_hysteria" }, { "$ref": "#/$defs/Inbound_hysteria2" }, { "$ref": "#/$defs/Inbound_mixed" }, { "$ref": "#/$defs/Inbound_naive" }, { "$ref": "#/$defs/Inbound_redirect" }, { "$ref": "#/$defs/Inbound_shadowsocks" }, { "$ref": "#/$defs/Inbound_shadowtls" }, { "$ref": "#/$defs/Inbound_socks" }, { "$ref": "#/$defs/Inbound_tproxy" }, { "$ref": "#/$defs/Inbound_trojan" }, { "$ref": "#/$defs/Inbound_tuic" }, { "$ref": "#/$defs/Inbound_tun" }, { "$ref": "#/$defs/Inbound_vless" }, { "$ref": "#/$defs/Inbound_vmess" } ] } ], "type": "object" }, "InboundACMEOptions": { "properties": { "alternative_http_port": { "description": "The alternate port to use for the ACME HTTP challenge; if non-empty, this port will be used instead of 80 to spin up a\nlistener for the HTTP challenge.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#alternative_http_port", "type": "integer" }, "alternative_tls_port": { "description": "The alternate port to use for the ACME TLS-ALPN challenge; the system must forward 443 to this port for challenge to\nsucceed.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#alternative_tls_port", "type": "integer" }, "data_directory": { "description": "The directory to store ACME data.\n\n`$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic` will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#data_directory", "type": "string" }, "default_server_name": { "description": "Server name to use when choosing a certificate if the ClientHello's ServerName field is empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#default_server_name", "type": "string" }, "disable_http_challenge": { "description": "Disable all HTTP challenges.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#disable_http_challenge", "type": "boolean" }, "disable_tls_alpn_challenge": { "description": "Disable all TLS-ALPN challenges\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#disable_tls_alpn_challenge", "type": "boolean" }, "dns01_challenge": { "$ref": "#/$defs/ACMEDNS01ChallengeOptions", "description": "ACME DNS01 challenge field. If configured, other challenge methods will be disabled.\n\nSee [DNS01 Challenge Fields](/configuration/shared/dns01_challenge/) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#dns01_challenge" }, "domain": { "description": "List of domain.\n\nACME will be disabled if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#domain", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "email": { "description": "The email address to use when creating or selecting an existing ACME server account\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#email", "type": "string" }, "external_account": { "$ref": "#/$defs/ACMEExternalAccountOptions", "description": "EAB (External Account Binding) contains information necessary to bind or map an ACME account to some other account known\nby the CA.\n\nExternal account bindings are \"used to associate an ACME account with an existing account in a non-ACME system, such as\na CA customer database.\n\nTo enable ACME account binding, the CA operating the ACME server needs to provide the ACME client with a MAC key and a\nkey identifier, using some mechanism outside of ACME. §7.3.4\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#external_account" }, "provider": { "description": "The ACME CA provider to use.\n\n| Value | Provider |\n|-------------------------|---------------|\n| `letsencrypt (default)` | Let's Encrypt |\n| `zerossl` | ZeroSSL |\n| `https://...` | Custom |\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#provider", "type": "string" } }, "type": "object" }, "InboundECHOptions": { "properties": { "dynamic_record_sizing_disabled": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.12.0\n\n`dynamic_record_sizing_disabled` has nothing to do with ECH, was added by mistake, has been deprecated and no longer works.\n\nDisables adaptive sizing of TLS records.\n\nWhen true, the largest possible TLS record size is always used.\nWhen false, the size of TLS records may be adjusted in an attempt to improve latency.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#dynamic_record_sizing_disabled", "type": "boolean" }, "enabled": { "description": "Enable TLS.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#enabled", "type": "boolean" }, "key": { "description": "==Server only==\n\nECH key line array, in PEM format.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#key", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "key_path": { "description": "==Server only==\n\n!!! note \"\"\n\nWill be automatically reloaded if file modified.\n\nThe path to ECH key, in PEM format.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#key_path", "type": "string" }, "pq_signature_schemes_enabled": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.12.0\n\nECH support has been migrated to use stdlib in sing-box 1.12.0, which does not come with support for PQ signature schemes, so `pq_signature_schemes_enabled` has been deprecated and no longer works.\n\nEnable support for post-quantum peer certificate signature schemes.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#pq_signature_schemes_enabled", "type": "boolean" } }, "type": "object" }, "InboundMultiplexOptions": { "properties": { "brutal": { "$ref": "#/$defs/BrutalOptions", "description": "See [TCP Brutal](/configuration/shared/tcp-brutal/) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/multiplex/#brutal" }, "enabled": { "description": "Enable multiplex.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/multiplex/#enabled", "type": "boolean" }, "padding": { "description": "Requires sing-box server version 1.3-beta9 or later.\n\nEnable padding.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/multiplex/#padding", "type": "boolean" } }, "type": "object" }, "InboundRealityHandshakeOptions": { "properties": { "bind_address_no_port": { "description": "Since sing-box 1.13.0\n\n\nOnly supported on Linux.\n\nDo not reserve a port when binding to a source address.\n\nThis allows reusing the same source port for multiple connections if the full 4-tuple (source IP, source port, destination IP, destination port) remains unique.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#bind_address_no_port", "type": "boolean" }, "bind_interface": { "description": "The network interface to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#bind_interface", "type": "string" }, "connect_timeout": { "description": "Connect timeout, in golang's Duration format.\n\nA duration string is a possibly signed sequence of\ndecimal numbers, each with optional fraction and a unit suffix,\nsuch as \"300ms\", \"-1.5h\" or \"2h45m\".\nValid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#connect_timeout", "type": "string" }, "detour": { "description": "The tag of the upstream outbound.\n\nIf enabled, all other fields will be ignored.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#detour", "type": "string" }, "disable_tcp_keep_alive": { "description": "Since sing-box 1.13.0\n\nDisable TCP keep alive.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#disable_tcp_keep_alive", "type": "boolean" }, "domain_resolver": { "$ref": "#/$defs/DomainResolveOptions", "deprecated": true, "description": "`outbound` DNS rule items are deprecated and will be removed in sing-box 1.14.0, so this item will be required for outbound/endpoints using domain name in server address since sing-box 1.14.0.\n\n\n\n`domain_resolver` or `route.default_domain_resolver` is optional when only one DNS server is configured.\n\nSet domain resolver to use for resolving domain names.\n\nThis option uses the same format as the [route DNS rule action](/configuration/dns/rule_action/#route) without the `action` field.\n\nSetting this option directly to a string is equivalent to setting `server` of this options.\n\n| Outbound/Endpoints | Effected domains |\n|--------------------|--------------------------|\n| `direct` | Domain in request |\n| others | Domain in server address |\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#domain_resolver" }, "domain_strategy": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.12.0\n\n`domain_strategy` is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-outbound-domain-strategy-option-to-domain-resolver).\n\nAvailable values: `prefer_ipv4`, `prefer_ipv6`, `ipv4_only`, `ipv6_only`.\n\nIf set, the requested domain name will be resolved to IP before connect.\n\n| Outbound | Effected domains | Fallback Value |\n|----------|--------------------------|-------------------------------------------|\n| `direct` | Domain in request | Take `inbound.domain_strategy` if not set |\n| others | Domain in server address | / |\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#domain_strategy", "enum": [ "", "prefer_ipv4", "prefer_ipv6", "ipv4_only", "ipv6_only" ], "type": "string" }, "fallback_delay": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nThe length of time to wait before spawning a RFC 6555 Fast Fallback connection.\n\nFor `domain_strategy`, is the amount of time to wait for connection to succeed before assuming\nthat IPv4/IPv6 is misconfigured and falling back to other type of addresses.\n\nFor `network_strategy`, is the amount of time to wait for connection to succeed before falling\nback to other interfaces.\n\nOnly take effect when `domain_strategy` or `network_strategy` is set.\n\n`300ms` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#fallback_delay", "type": "string" }, "fallback_network_type": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nFallback network types when preferred networks are unavailable or timeout when using `fallback` network strategy.\n\nAll other networks expect preferred are used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#fallback_network_type", "oneOf": [ { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, { "items": { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, "type": "array" } ] }, "inet4_bind_address": { "description": "The IPv4 address to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#inet4_bind_address", "type": "string" }, "inet6_bind_address": { "description": "The IPv6 address to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#inet6_bind_address", "type": "string" }, "netns": { "description": "Since sing-box 1.12.0\n\n\nOnly supported on Linux.\n\nSet network namespace, name or path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#netns", "type": "string" }, "network_strategy": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nStrategy for selecting network interfaces.\n\nAvailable values:\n\n- `default` (default): Connect to default network or networks specified in `network_type` sequentially.\n- `hybrid`: Connect to all networks or networks specified in `network_type` concurrently.\n- `fallback`: Connect to default network or preferred networks specified in `network_type` concurrently, and try fallback networks when unavailable or timeout.\n\nFor fallback, when preferred interfaces fails or times out,\nit will enter a 15s fast fallback state (Connect to all preferred and fallback networks concurrently),\nand exit immediately if preferred networks recover.\n\nConflicts with `bind_interface`, `inet4_bind_address` and `inet6_bind_address`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#network_strategy", "enum": [ "default", "hybrid", "fallback" ], "type": "string" }, "network_type": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nNetwork types to use when using `default` or `hybrid` network strategy or\npreferred network types to use when using `fallback` network strategy.\n\nAvailable values: `wifi`, `cellular`, `ethernet`, `other`.\n\nDevice's default network is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#network_type", "oneOf": [ { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, { "items": { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, "type": "array" } ] }, "protect_path": { "type": "string" }, "reuse_addr": { "description": "Reuse listener address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#reuse_addr", "type": "boolean" }, "routing_mark": { "description": "Only supported on Linux.\n\nSet netfilter routing mark.\n\nIntegers (e.g. `1234`) and string hexadecimals (e.g. `\"0x1234\"`) are supported.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#routing_mark", "oneOf": [ { "type": "integer" }, { "type": "string" } ] }, "server": { "type": "string" }, "server_port": { "type": "integer" }, "tcp_fast_open": { "description": "Enable TCP Fast Open.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_fast_open", "type": "boolean" }, "tcp_keep_alive": { "description": "Since sing-box 1.13.0\n\nDefault value changed from `10m` to `5m`.\n\nTCP keep alive initial period.\n\n`5m` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_keep_alive", "type": "string" }, "tcp_keep_alive_interval": { "description": "Since sing-box 1.13.0\n\nTCP keep alive interval.\n\n`75s` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_keep_alive_interval", "type": "string" }, "tcp_multi_path": { "description": "Go 1.21 required.\n\nEnable TCP Multi Path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_multi_path", "type": "boolean" }, "udp_fragment": { "description": "Enable UDP fragmentation.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#udp_fragment", "type": "boolean" } }, "type": "object" }, "InboundRealityOptions": { "properties": { "enabled": { "description": "Enable TLS.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#enabled", "type": "boolean" }, "handshake": { "$ref": "#/$defs/InboundRealityHandshakeOptions", "description": "==Server only==\n\n\nHandshake server address and [Dial Fields](/configuration/shared/dial/).\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#handshake" }, "max_time_difference": { "description": "==Server only==\n\nThe maximum time difference between the server and the client.\n\nCheck disabled if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#max_time_difference", "type": "string" }, "private_key": { "description": "==Server only==\n\n\nPrivate key, generated by `sing-box generate reality-keypair`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#private_key", "type": "string" }, "short_id": { "description": "A hexadecimal string with zero to eight digits.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#short_id", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] } }, "required": [ "handshake", "private_key", "short_id" ], "type": "object" }, "InboundTLSOptions": { "properties": { "acme": { "$ref": "#/$defs/InboundACMEOptions" }, "alpn": { "description": "List of supported application level protocols, in order of preference.\n\nIf both peers support ALPN, the selected protocol will be one from this list, and the connection will fail if there is\nno mutually supported protocol.\n\nSee [Application-Layer Protocol Negotiation](https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation).\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#alpn", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "certificate": { "description": "Server certificates chain line array, in PEM format.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#certificate", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "certificate_path": { "description": "!!! note \"\"\n\nWill be automatically reloaded if file modified.\n\nThe path to server certificate chain, in PEM format.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#certificate_path", "type": "string" }, "cipher_suites": { "description": "List of enabled TLS 1.0–1.2 cipher suites. The order of the list is ignored.\nNote that TLS 1.3 cipher suites are not configurable.\n\nIf empty, a safe default list is used. The default cipher suites might change over time.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#cipher_suites", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "client_authentication": { "description": "Since sing-box 1.13.0\n\n==Server only==\n\nThe type of client authentication to use.\n\nAvailable values:\n\n* `no` (default)\n* `request`\n* `require-any`\n* `verify-if-given`\n* `require-and-verify`\n\nOne of `client_certificate`, `client_certificate_path`, or `client_certificate_public_key_sha256` is required\nif this option is set to `verify-if-given`, or `require-and-verify`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#client_authentication", "enum": [ "no", "request", "require-any", "verify-if-given", "require-and-verify" ], "type": "string" }, "client_certificate": { "description": "Since sing-box 1.13.0\n\n==Server only==\n\nClient certificate chain line array, in PEM format.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#client_certificate", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "client_certificate_path": { "description": "Since sing-box 1.13.0\n\n==Server only==\n\n!!! note \"\"\n\nWill be automatically reloaded if file modified.\n\nList of path to client certificate chain, in PEM format.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#client_certificate_path", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "client_certificate_public_key_sha256": { "description": "Since sing-box 1.13.0\n\n==Server only==\n\nList of SHA-256 hashes of client certificate public keys, in base64 format.\n\nTo generate the SHA-256 hash for a certificate's public key, use the following commands:\n\n```bash\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#client_certificate_public_key_sha256", "oneOf": [ { "items": { "type": "string" }, "type": "array" }, { "items": { "items": { "type": "string" }, "type": "array" }, "type": "array" } ] }, "curve_preferences": { "description": "Since sing-box 1.13.0\n\nSet of supported key exchange mechanisms. The order of the list is ignored, and key exchange mechanisms are chosen\nfrom this list using an internal preference order by Golang.\n\nAvailable values, also the default list:\n\n* `P256`\n* `P384`\n* `P521`\n* `X25519`\n* `X25519MLKEM768`\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#curve_preferences", "oneOf": [ { "enum": [ "P256", "P384", "P521", "X25519", "X25519MLKEM768" ], "type": "string" }, { "items": { "enum": [ "P256", "P384", "P521", "X25519", "X25519MLKEM768" ], "type": "string" }, "type": "array" } ] }, "ech": { "$ref": "#/$defs/InboundECHOptions" }, "enabled": { "description": "Enable TLS.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#enabled", "type": "boolean" }, "insecure": { "description": "==Client only==\n\nAccepts any server certificate.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#insecure", "type": "boolean" }, "kernel_rx": { "deprecated": true, "description": "Since sing-box 1.13.0\n\n\nOnly supported on Linux 5.1+, use a newer kernel if possible.\n\n\nOnly TLS 1.3 is supported.\n\nDeprecated: \n\nkTLS RX will definitely degrade performance even if `splice(2)` is in use, so enabling it is not recommended.\n\nEnable kernel TLS receive support.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#kernel_rx", "type": "boolean" }, "kernel_tx": { "description": "Since sing-box 1.13.0\n\n\nOnly supported on Linux 5.1+, use a newer kernel if possible.\n\n\nOnly TLS 1.3 is supported.\n\n\nkTLS TX may only improve performance when `splice(2)` is available (both ends must be TCP or TLS without additional protocols after handshake); otherwise, it will definitely degrade performance.\n\nEnable kernel TLS transmit support.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#kernel_tx", "type": "boolean" }, "key": { "description": "==Server only==\n\nECH key line array, in PEM format.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#key", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "key_path": { "description": "==Server only==\n\n!!! note \"\"\n\nWill be automatically reloaded if file modified.\n\nThe path to ECH key, in PEM format.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#key_path", "type": "string" }, "max_version": { "description": "The maximum TLS version that is acceptable.\n\nBy default, the maximum version is currently TLS 1.3.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#max_version", "type": "string" }, "min_version": { "description": "The minimum TLS version that is acceptable.\n\nBy default, TLS 1.2 is currently used as the minimum when acting as a\nclient, and TLS 1.0 when acting as a server.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#min_version", "type": "string" }, "reality": { "$ref": "#/$defs/InboundRealityOptions" }, "server_name": { "description": "Used to verify the hostname on the returned certificates unless insecure is given.\n\nIt is also included in the client's handshake to support virtual hosting unless it is an IP address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#server_name", "type": "string" } }, "type": "object" }, "Inbound_anytls": { "allOf": [ { "properties": { "padding_scheme": { "description": "AnyTLS padding scheme line array.\n\nDefault padding scheme:\n\n```json\n[\n\"stop=8\",\n\"0=30-30\",\n\"1=100-400\",\n\"2=400-500,c,500-1000,c,500-1000,c,500-1000,c,500-1000\",\n\"3=9-9,500-1000\",\n\"4=500-1000\",\n\"5=500-1000\",\n\"6=500-1000\",\n\"7=500-1000\"\n]\n```\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/anytls/#padding_scheme", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "tag": { "description": "The tag of the inbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/InboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#inbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/anytls/#tls" }, "type": { "const": "anytls" }, "users": { "description": "AnyTLS users.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/anytls/#users", "items": { "$ref": "#/$defs/AnyTLSUser" }, "type": "array" } }, "required": [ "type", "users" ] }, { "$ref": "#/$defs/ListenOptions" } ] }, "Inbound_direct": { "allOf": [ { "properties": { "network": { "description": "Listen network, one of `tcp` `udp`.\n\nBoth if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/direct/#network", "oneOf": [ { "enum": [ "tcp", "udp" ], "type": "string" }, { "items": { "enum": [ "tcp", "udp" ], "type": "string" }, "type": "array" } ] }, "override_address": { "description": "Override the connection destination address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/direct/#override_address", "type": "string" }, "override_port": { "description": "Override the connection destination port.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/direct/#override_port", "type": "integer" }, "tag": { "description": "The tag of the inbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/#tag", "type": "string" }, "type": { "const": "direct" } }, "required": [ "type" ] }, { "$ref": "#/$defs/ListenOptions" } ] }, "Inbound_http": { "allOf": [ { "properties": { "domain_resolver": { "$ref": "#/$defs/DomainResolveOptions" }, "set_system_proxy": { "description": "Only supported on Linux, Android, Windows, and macOS.\n\n\nTo work on Android and Apple platforms without privileges, use tun.platform.http_proxy instead.\n\nAutomatically set system proxy configuration when start and clean up when stop.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/http/#set_system_proxy", "type": "boolean" }, "tag": { "description": "The tag of the inbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/InboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#inbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/http/#tls" }, "type": { "const": "http" }, "users": { "description": "HTTP users.\n\nNo authentication required if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/http/#users", "items": { "properties": { "password": { "type": "string" }, "username": { "type": "string" } }, "type": "object" }, "type": "array" } }, "required": [ "type" ] }, { "$ref": "#/$defs/ListenOptions" } ] }, "Inbound_hysteria": { "allOf": [ { "properties": { "disable_mtu_discovery": { "description": "Disables Path MTU Discovery (RFC 8899). Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size.\n\nForce enabled on for systems other than Linux and Windows (according to upstream).\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/hysteria/#disable_mtu_discovery", "type": "boolean" }, "down": { "type": "string" }, "down_mbps": { "type": "integer" }, "max_conn_client": { "description": "The maximum number of QUIC concurrent bidirectional streams that a peer is allowed to open.\n\n`1024` will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/hysteria/#max_conn_client", "type": "integer" }, "obfs": { "description": "Obfuscated password.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/hysteria/#obfs", "type": "string" }, "recv_window_client": { "description": "The QUIC connection-level flow control window for receiving data.\n\n`67108864 (64 MB/s)` will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/hysteria/#recv_window_client", "type": "integer" }, "recv_window_conn": { "description": "The QUIC stream-level flow control window for receiving data.\n\n`15728640 (15 MB/s)` will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/hysteria/#recv_window_conn", "type": "integer" }, "tag": { "description": "The tag of the inbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/InboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#inbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/hysteria/#tls" }, "type": { "const": "hysteria" }, "up": { "type": "string" }, "up_mbps": { "type": "integer" }, "users": { "description": "Hysteria users\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/hysteria/#users", "items": { "$ref": "#/$defs/HysteriaUser" }, "type": "array" } }, "required": [ "type", "tls" ] }, { "$ref": "#/$defs/ListenOptions" } ] }, "Inbound_hysteria2": { "allOf": [ { "properties": { "brutal_debug": { "description": "Enable debug information logging for Hysteria Brutal CC.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/hysteria2/#brutal_debug", "type": "boolean" }, "down_mbps": { "type": "integer" }, "ignore_client_bandwidth": { "description": "*When `up_mbps` and `down_mbps` are not set*:\n\nCommands clients to use the BBR CC instead of Hysteria CC.\n\n*When `up_mbps` and `down_mbps` are set*:\n\nDeny clients to use the BBR CC.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/hysteria2/#ignore_client_bandwidth", "type": "boolean" }, "masquerade": { "$ref": "#/$defs/Hysteria2Masquerade", "description": "HTTP3 server behavior (URL string configuration) when authentication fails.\n\n| Scheme | Example | Description |\n|--------------|-------------------------|--------------------|\n| `file` | `file:///var/www` | As a file server |\n| `http/https` | `http://127.0.0.1:8080` | As a reverse proxy |\n\nConflict with `masquerade.type`.\n\nA 404 page will be returned if masquerade is not configured.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/hysteria2/#masquerade" }, "obfs": { "$ref": "#/$defs/Hysteria2Obfs" }, "tag": { "description": "The tag of the inbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/InboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#inbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/hysteria2/#tls" }, "type": { "const": "hysteria2" }, "up_mbps": { "type": "integer" }, "users": { "description": "Hysteria2 users\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/hysteria2/#users", "items": { "$ref": "#/$defs/Hysteria2User" }, "type": "array" } }, "required": [ "type", "tls" ] }, { "$ref": "#/$defs/ListenOptions" } ] }, "Inbound_mixed": { "allOf": [ { "properties": { "domain_resolver": { "$ref": "#/$defs/DomainResolveOptions" }, "set_system_proxy": { "description": "Only supported on Linux, Android, Windows, and macOS.\n\n\nTo work on Android and Apple platforms without privileges, use tun.platform.http_proxy instead.\n\nAutomatically set system proxy configuration when start and clean up when stop.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/http/#set_system_proxy", "type": "boolean" }, "tag": { "description": "The tag of the inbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/InboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#inbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/http/#tls" }, "type": { "const": "mixed" }, "users": { "description": "HTTP users.\n\nNo authentication required if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/http/#users", "items": { "properties": { "password": { "type": "string" }, "username": { "type": "string" } }, "type": "object" }, "type": "array" } }, "required": [ "type" ] }, { "$ref": "#/$defs/ListenOptions" } ] }, "Inbound_naive": { "allOf": [ { "properties": { "network": { "description": "Listen network, one of `tcp` `udp`.\n\nBoth if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/naive/#network", "oneOf": [ { "enum": [ "tcp", "udp" ], "type": "string" }, { "items": { "enum": [ "tcp", "udp" ], "type": "string" }, "type": "array" } ] }, "quic_congestion_control": { "description": "Since sing-box 1.13.0\n\nQUIC congestion control algorithm.\n\n| Algorithm | Description |\n|----------------|---------------------------------|\n| `bbr` | BBR |\n| `bbr_standard` | BBR (Standard version) |\n| `bbr2` | BBRv2 |\n| `bbr2_variant` | BBRv2 (An experimental variant) |\n| `cubic` | CUBIC |\n| `reno` | New Reno |\n\n`bbr` is used by default (the default of QUICHE, used by Chromium which NaiveProxy is based on).\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/naive/#quic_congestion_control", "type": "string" }, "tag": { "description": "The tag of the inbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/InboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#inbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/naive/#tls" }, "type": { "const": "naive" }, "users": { "description": "Naive users.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/naive/#users", "items": { "properties": { "password": { "type": "string" }, "username": { "type": "string" } }, "type": "object" }, "type": "array" } }, "required": [ "type", "users" ] }, { "$ref": "#/$defs/ListenOptions" } ] }, "Inbound_redirect": { "properties": { "bind_interface": { "description": "Since sing-box 1.12.0\n\nThe network interface to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#bind_interface", "type": "string" }, "detour": { "description": "If set, connections will be forwarded to the specified inbound.\n\nRequires target inbound support, see [Injectable](/configuration/inbound/#fields).\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#detour", "type": "string" }, "disable_tcp_keep_alive": { "description": "Since sing-box 1.13.0\n\nDisable TCP keep alive.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#disable_tcp_keep_alive", "type": "boolean" }, "domain_strategy": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).\n\nOne of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.\n\nIf set, the requested domain name will be resolved to IP before routing.\n\nIf `sniff_override_destination` is in effect, its value will be taken as a fallback.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#domain_strategy", "enum": [ "", "prefer_ipv4", "prefer_ipv6", "ipv4_only", "ipv6_only" ], "type": "string" }, "listen": { "description": "Listen address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#listen", "type": "string" }, "listen_port": { "description": "Listen port.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#listen_port", "type": "integer" }, "netns": { "description": "Since sing-box 1.12.0\n\n\nOnly supported on Linux.\n\nSet network namespace, name or path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#netns", "type": "string" }, "proxy_protocol": { "deprecated": true, "type": "boolean" }, "proxy_protocol_accept_no_header": { "deprecated": true, "type": "boolean" }, "reuse_addr": { "description": "Since sing-box 1.12.0\n\nReuse listener address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#reuse_addr", "type": "boolean" }, "routing_mark": { "description": "Since sing-box 1.12.0\n\n\nOnly supported on Linux.\n\nSet netfilter routing mark.\n\nIntegers (e.g. `1234`) and string hexadecimals (e.g. `\"0x1234\"`) are supported.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#routing_mark", "oneOf": [ { "type": "integer" }, { "type": "string" } ] }, "sniff": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).\n\nEnable sniffing.\n\nSee [Protocol Sniff](/configuration/route/sniff/) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#sniff", "type": "boolean" }, "sniff_override_destination": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0.\n\nOverride the connection destination address with the sniffed domain.\n\nIf the domain name is invalid (like tor), this will not work.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#sniff_override_destination", "type": "boolean" }, "sniff_timeout": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).\n\nTimeout for sniffing.\n\n`300ms` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#sniff_timeout", "type": "string" }, "tag": { "description": "The tag of the inbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/#tag", "type": "string" }, "tcp_fast_open": { "description": "Enable TCP Fast Open.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#tcp_fast_open", "type": "boolean" }, "tcp_keep_alive": { "description": "Since sing-box 1.13.0\n\nDefault value changed from `10m` to `5m`.\n\nTCP keep alive initial period.\n\n`5m` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#tcp_keep_alive", "type": "string" }, "tcp_keep_alive_interval": { "description": "TCP keep alive interval.\n\n`75s` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#tcp_keep_alive_interval", "type": "string" }, "tcp_multi_path": { "description": "Go 1.21 required.\n\nEnable TCP Multi Path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#tcp_multi_path", "type": "boolean" }, "type": { "const": "redirect" }, "udp_disable_domain_unmapping": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).\n\nIf enabled, for UDP proxy requests addressed to a domain,\nthe original packet address will be sent in the response instead of the mapped domain.\n\nThis option is used for compatibility with clients that\ndo not support receiving UDP packets with domain addresses, such as Surge.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#udp_disable_domain_unmapping", "type": "boolean" }, "udp_fragment": { "description": "Enable UDP fragmentation.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#udp_fragment", "type": "boolean" }, "udp_timeout": { "description": "UDP NAT expiration time.\n\n`5m` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#udp_timeout", "oneOf": [ { "type": "integer" }, { "type": "string" } ] } }, "required": [ "type", "listen" ] }, "Inbound_shadowsocks": { "allOf": [ { "properties": { "destinations": { "items": { "$ref": "#/$defs/ShadowsocksDestination" }, "type": "array" }, "managed": { "description": "Defaults to `false`. Enable this when the inbound is managed by the [SSM API](/configuration/service/ssm-api) for dynamic user.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/shadowsocks/#managed", "type": "boolean" }, "method": { "description": "| Method | Key Length |\n|-------------------------------|------------|\n| 2022-blake3-aes-128-gcm | 16 |\n| 2022-blake3-aes-256-gcm | 32 |\n| 2022-blake3-chacha20-poly1305 | 32 |\n| none | / |\n| aes-128-gcm | / |\n| aes-192-gcm | / |\n| aes-256-gcm | / |\n| chacha20-ietf-poly1305 | / |\n| xchacha20-ietf-poly1305 | / |\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/shadowsocks/#method", "type": "string" }, "multiplex": { "$ref": "#/$defs/InboundMultiplexOptions", "description": "See [Multiplex](/configuration/shared/multiplex#inbound) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/shadowsocks/#multiplex" }, "network": { "description": "Listen network, one of `tcp` `udp`.\n\nBoth if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/shadowsocks/#network", "oneOf": [ { "enum": [ "tcp", "udp" ], "type": "string" }, { "items": { "enum": [ "tcp", "udp" ], "type": "string" }, "type": "array" } ] }, "password": { "description": "| Method | Password Format |\n|---------------|------------------------------------------------|\n| none | / |\n| 2022 methods | `sing-box generate rand --base64 \u003cKey Length\u003e` |\n| other methods | any string |\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/shadowsocks/#password", "type": "string" }, "tag": { "description": "The tag of the inbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/#tag", "type": "string" }, "type": { "const": "shadowsocks" }, "users": { "items": { "$ref": "#/$defs/ShadowsocksUser" }, "type": "array" } }, "required": [ "type", "method", "password" ] }, { "$ref": "#/$defs/ListenOptions" } ] }, "Inbound_shadowtls": { "allOf": [ { "properties": { "handshake": { "$ref": "#/$defs/ShadowTLSHandshakeOptions", "description": "When `wildcard_sni` is configured to `all`, the server address is optional.\n\nHandshake server address and [Dial Fields](/configuration/shared/dial/).\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/shadowtls/#handshake" }, "handshake_for_server_name": { "additionalProperties": { "$ref": "#/$defs/ShadowTLSHandshakeOptions" }, "description": "Handshake server address and [Dial Fields](/configuration/shared/dial/) for specific server name.\n\nOnly available in the ShadowTLS protocol 2/3.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/shadowtls/#handshake_for_server_name", "type": "object" }, "password": { "description": "ShadowTLS password.\n\nOnly available in the ShadowTLS protocol 2.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/shadowtls/#password", "type": "string" }, "strict_mode": { "description": "ShadowTLS strict mode.\n\nOnly available in the ShadowTLS protocol 3.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/shadowtls/#strict_mode", "type": "boolean" }, "tag": { "description": "The tag of the inbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/#tag", "type": "string" }, "type": { "const": "shadowtls" }, "users": { "description": "ShadowTLS users.\n\nOnly available in the ShadowTLS protocol 3.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/shadowtls/#users", "items": { "$ref": "#/$defs/ShadowTLSUser" }, "type": "array" }, "version": { "description": "ShadowTLS protocol version.\n\n| Value | Protocol Version |\n|---------------|-----------------------------------------------------------------------------------------|\n| `1` (default) | [ShadowTLS v1](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v1) |\n| `2` | [ShadowTLS v2](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v2) |\n| `3` | [ShadowTLS v3](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-v3-en.md) |\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/shadowtls/#version", "type": "integer" }, "wildcard_sni": { "description": "Since sing-box 1.12.0\n\nShadowTLS wildcard SNI mode.\n\nAvailable values are:\n\n* `off`: (default) Disabled.\n* `authed`: Authenticated connections will have their destination overwritten to `(servername):443`\n* `all`: All connections will have their destination overwritten to `(servername):443`\n\nAdditionally, connections matching `handshake_for_server_name` are not affected.\n\nOnly available in the ShadowTLS protocol 3.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/shadowtls/#wildcard_sni", "type": "string" } }, "required": [ "type", "handshake" ] }, { "$ref": "#/$defs/ListenOptions" } ] }, "Inbound_socks": { "allOf": [ { "properties": { "domain_resolver": { "$ref": "#/$defs/DomainResolveOptions" }, "tag": { "description": "The tag of the inbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/#tag", "type": "string" }, "type": { "const": "socks" }, "users": { "description": "SOCKS users.\n\nNo authentication required if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/socks/#users", "items": { "properties": { "password": { "type": "string" }, "username": { "type": "string" } }, "type": "object" }, "type": "array" } }, "required": [ "type" ] }, { "$ref": "#/$defs/ListenOptions" } ] }, "Inbound_tproxy": { "allOf": [ { "properties": { "network": { "description": "Listen network, one of `tcp` `udp`.\n\nBoth if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tproxy/#network", "oneOf": [ { "enum": [ "tcp", "udp" ], "type": "string" }, { "items": { "enum": [ "tcp", "udp" ], "type": "string" }, "type": "array" } ] }, "tag": { "description": "The tag of the inbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/#tag", "type": "string" }, "type": { "const": "tproxy" } }, "required": [ "type" ] }, { "$ref": "#/$defs/ListenOptions" } ] }, "Inbound_trojan": { "allOf": [ { "properties": { "fallback": { "$ref": "#/$defs/ServerOptions", "deprecated": true, "description": "Deprecated: \n\nThere is no evidence that GFW detects and blocks Trojan servers based on HTTP responses, and opening the standard http/s port on the server is a much bigger signature.\n\nFallback server configuration. Disabled if `fallback` and `fallback_for_alpn` are empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/trojan/#fallback" }, "fallback_for_alpn": { "additionalProperties": { "$ref": "#/$defs/ServerOptions" }, "description": "Fallback server configuration for specified ALPN.\n\nIf not empty, TLS fallback requests with ALPN not in this table will be rejected.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/trojan/#fallback_for_alpn", "type": "object" }, "multiplex": { "$ref": "#/$defs/InboundMultiplexOptions", "description": "See [Multiplex](/configuration/shared/multiplex#inbound) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/trojan/#multiplex" }, "tag": { "description": "The tag of the inbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/InboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#inbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/trojan/#tls" }, "transport": { "$ref": "#/$defs/V2RayTransportOptions", "description": "V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport/).\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/trojan/#transport" }, "type": { "const": "trojan" }, "users": { "description": "Trojan users.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/trojan/#users", "items": { "$ref": "#/$defs/TrojanUser" }, "type": "array" } }, "required": [ "type", "users" ] }, { "$ref": "#/$defs/ListenOptions" } ] }, "Inbound_tuic": { "allOf": [ { "properties": { "auth_timeout": { "description": "How long the server should wait for the client to send the authentication command\n\n`3s` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tuic/#auth_timeout", "type": "string" }, "congestion_control": { "description": "QUIC congestion control algorithm\n\nOne of: `cubic`, `new_reno`, `bbr`\n\n`cubic` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tuic/#congestion_control", "type": "string" }, "heartbeat": { "description": "Interval for sending heartbeat packets for keeping the connection alive\n\n`10s` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tuic/#heartbeat", "type": "string" }, "tag": { "description": "The tag of the inbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/InboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#inbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tuic/#tls" }, "type": { "const": "tuic" }, "users": { "description": "TUIC users\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tuic/#users", "items": { "$ref": "#/$defs/TUICUser" }, "type": "array" }, "zero_rtt_handshake": { "description": "Enable 0-RTT QUIC connection handshake on the client side\nThis is not impacting much on the performance, as the protocol is fully multiplexed\n\nDisabling this is highly recommended, as it is vulnerable to replay attacks.\nSee [Attack of the clones](https://blog.cloudflare.com/even-faster-connection-establishment-with-quic-0-rtt-resumption/#attack-of-the-clones)\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tuic/#zero_rtt_handshake", "type": "boolean" } }, "required": [ "type", "tls" ] }, { "$ref": "#/$defs/ListenOptions" } ] }, "Inbound_tun": { "properties": { "address": { "description": "Since sing-box 1.10.0\n\nIPv4 and IPv6 prefix for the tun interface.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#address", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "auto_redirect": { "description": "Since sing-box 1.10.0\n\n\nOnly supported on Linux with `auto_route` enabled.\n\nImprove TUN routing and performance using nftables.\n\n`auto_redirect` is always recommended on Linux, it provides better routing,\nhigher performance (better than tproxy),\nand avoids conflicts between TUN and Docker bridge networks.\n\nNote that `auto_redirect` also works on Android,\nbut due to the lack of `nftables` and `ip6tables`,\nonly simple IPv4 TCP forwarding is performed.\nTo share your VPN connection over hotspot or repeater on Android,\nuse [VPNHotspot](https://github.com/Mygod/VPNHotspot).\n\n`auto_redirect` also automatically inserts compatibility rules\ninto the OpenWrt fw4 table, i.e.\nit will work on routers without any extra configuration.\n\nConflict with `route.default_mark` and `[dialOptions].routing_mark`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#auto_redirect", "type": "boolean" }, "auto_redirect_input_mark": { "description": "Since sing-box 1.10.0\n\nConnection input mark used by `auto_redirect`.\n\n`0x2023` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#auto_redirect_input_mark", "oneOf": [ { "type": "integer" }, { "type": "string" } ] }, "auto_redirect_iproute2_fallback_rule_index": { "description": "Since sing-box 1.12.18\n\nLinux iproute2 fallback rule index generated by `auto_redirect`.\n\nThis rule is checked after system default rules (32766: main, 32767: default),\nrouting traffic to the sing-box table only when no route is found in system tables.\n\n`32768` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#auto_redirect_iproute2_fallback_rule_index", "type": "integer" }, "auto_redirect_nfqueue": { "description": "Since sing-box 1.13.0\n\nNFQueue number used by `auto_redirect` pre-matching.\n\n`100` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#auto_redirect_nfqueue", "type": "integer" }, "auto_redirect_output_mark": { "description": "Since sing-box 1.10.0\n\nConnection output mark used by `auto_redirect`.\n\n`0x2024` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#auto_redirect_output_mark", "oneOf": [ { "type": "integer" }, { "type": "string" } ] }, "auto_redirect_reset_mark": { "description": "Since sing-box 1.13.0\n\nConnection reset mark used by `auto_redirect` pre-matching.\n\n`0x2025` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#auto_redirect_reset_mark", "oneOf": [ { "type": "integer" }, { "type": "string" } ] }, "auto_route": { "description": "Set the default route to the Tun.\n\n\nTo avoid traffic loopback, set `route.auto_detect_interface` or `route.default_interface` or `outbound.bind_interface`\n\n!!! note \"Use with Android VPN\"\n\nBy default, VPN takes precedence over tun. To make tun go through VPN, enable `route.override_android_vpn`.\n\n!!! note \"Also enable `auto_redirect`\"\n\n`auto_redirect` is always recommended on Linux, it provides better routing, higher performance (better than tproxy), and avoids conflicts between TUN and Docker bridge networks.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#auto_route", "type": "boolean" }, "domain_strategy": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).\n\nOne of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.\n\nIf set, the requested domain name will be resolved to IP before routing.\n\nIf `sniff_override_destination` is in effect, its value will be taken as a fallback.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#domain_strategy", "enum": [ "", "prefer_ipv4", "prefer_ipv6", "ipv4_only", "ipv6_only" ], "type": "string" }, "endpoint_independent_nat": { "deprecated": true, "description": "\n\nThis item is only available on the gvisor stack, other stacks are endpoint-independent NAT by default.\n\nEnable endpoint-independent NAT.\n\nPerformance may degrade slightly, so it is not recommended to enable on when it is not needed.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#endpoint_independent_nat", "type": "boolean" }, "exclude_interface": { "description": "When `strict_route` enabled, return traffic to excluded interfaces will not be automatically excluded, so add them as well (example: `br-lan` and `pppoe-wan`).\n\nExclude interfaces in route.\n\nConflict with `include_interface`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#exclude_interface", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "exclude_mptcp": { "description": "Since sing-box 1.13.0\n\n\nOnly supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.\n\nMPTCP cannot be transparently proxied due to protocol limitations.\n\nSuch traffic is usually created by Apple systems.\n\nWhen enabled, MPTCP connections will bypass sing-box and connect directly, otherwise, will be rejected to avoid errors by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#exclude_mptcp", "type": "boolean" }, "exclude_package": { "description": "Exclude android packages in route.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#exclude_package", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "exclude_uid": { "description": "Exclude users in route.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#exclude_uid", "oneOf": [ { "type": "integer" }, { "items": { "type": "integer" }, "type": "array" } ] }, "exclude_uid_range": { "description": "Exclude users in route, but in range.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#exclude_uid_range", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "gso": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nGSO has no advantages for transparent proxy scenarios, is deprecated and no longer works, and will be removed in sing-box 1.12.0.\n\nSince sing-box 1.8.0\n\n\nOnly supported on Linux with `auto_route` enabled.\n\nEnable generic segmentation offload.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#gso", "type": "boolean" }, "include_android_user": { "description": "Android user and package rules are only supported on Android and require auto_route.\n\nLimit android users in route.\n\n| Common user | ID |\n|--------------|----|\n| Main | 0 |\n| Work Profile | 10 |\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#include_android_user", "oneOf": [ { "type": "integer" }, { "items": { "type": "integer" }, "type": "array" } ] }, "include_interface": { "description": "Interface rules are only supported on Linux and require auto_route.\n\nLimit interfaces in route. Not limited by default.\n\nConflict with `exclude_interface`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#include_interface", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "include_package": { "description": "Limit android packages in route.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#include_package", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "include_uid": { "description": "UID rules are only supported on Linux and require auto_route.\n\nLimit users in route. Not limited by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#include_uid", "oneOf": [ { "type": "integer" }, { "items": { "type": "integer" }, "type": "array" } ] }, "include_uid_range": { "description": "Limit users in route, but in range.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#include_uid_range", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "inet4_address": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.10.0\n\n`inet4_address` is merged to `address` and will be removed in sing-box 1.12.0.\n\nIPv4 prefix for the tun interface.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#inet4_address", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "inet4_route_address": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.10.0\n\n`inet4_route_address` is deprecated and will be removed in sing-box 1.12.0, please use [route_address](#route_address)\ninstead.\n\nUse custom routes instead of default when `auto_route` is enabled.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#inet4_route_address", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "inet4_route_exclude_address": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.10.0\n\n`inet4_route_exclude_address` is deprecated and will be removed in sing-box 1.12.0, please\nuse [route_exclude_address](#route_exclude_address) instead.\n\nExclude custom routes when `auto_route` is enabled.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#inet4_route_exclude_address", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "inet6_address": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.10.0\n\n`inet6_address` is merged to `address` and will be removed in sing-box 1.12.0.\n\nIPv6 prefix for the tun interface.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#inet6_address", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "inet6_route_address": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.10.0\n\n`inet6_route_address` is deprecated and will be removed in sing-box 1.12.0, please use [route_address](#route_address)\ninstead.\n\nUse custom routes instead of default when `auto_route` is enabled.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#inet6_route_address", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "inet6_route_exclude_address": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.10.0\n\n`inet6_route_exclude_address` is deprecated and will be removed in sing-box 1.12.0, please\nuse [route_exclude_address](#route_exclude_address) instead.\n\nExclude custom routes when `auto_route` is enabled.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#inet6_route_exclude_address", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "interface_name": { "description": "Virtual device name, automatically selected if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#interface_name", "type": "string" }, "iproute2_rule_index": { "description": "Since sing-box 1.10.0\n\nLinux iproute2 rule start index generated by `auto_route`.\n\n`9000` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#iproute2_rule_index", "type": "integer" }, "iproute2_table_index": { "description": "Since sing-box 1.10.0\n\nLinux iproute2 table index generated by `auto_route`.\n\n`2022` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#iproute2_table_index", "type": "integer" }, "loopback_address": { "description": "Since sing-box 1.12.0\n\nLoopback addresses make TCP connections to the specified address connect to the source address.\n\nSetting option value to `10.7.0.1` achieves the same behavior as SideStore/StosVPN.\n\nWhen `auto_redirect` is enabled, the same behavior can be achieved for LAN devices (not just local) as a gateway.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#loopback_address", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "mtu": { "description": "The maximum transmission unit.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#mtu", "type": "integer" }, "platform": { "$ref": "#/$defs/TunPlatformOptions", "description": "Platform-specific settings, provided by client applications.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#platform" }, "route_address": { "description": "Since sing-box 1.10.0\n\nUse custom routes instead of default when `auto_route` is enabled.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#route_address", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "route_address_set": { "description": "=== \"With `auto_redirect` enabled\"\n\nSince sing-box 1.10.0\n\n\nOnly supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.\n\nAdd the destination IP CIDR rules in the specified rule-sets to the firewall.\nUnmatched traffic will bypass the sing-box routes.\n\nConflict with `route.default_mark` and `[dialOptions].routing_mark`.\n\n=== \"Without `auto_redirect` enabled\"\n\nSince sing-box 1.11.0\n\nNote that it **doesn't work on the Android graphical client** due to\nthe Android VpnService not being able to handle a large number of routes (DeadSystemException),\nbut otherwise it works fine on all command line clients and Apple platforms.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#route_address_set", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "route_exclude_address": { "description": "Since sing-box 1.10.0\n\nExclude custom routes when `auto_route` is enabled.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#route_exclude_address", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "route_exclude_address_set": { "description": "=== \"With `auto_redirect` enabled\"\n\nSince sing-box 1.10.0\n\n\nOnly supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.\n\nAdd the destination IP CIDR rules in the specified rule-sets to the firewall.\nMatched traffic will bypass the sing-box routes.\n\n=== \"Without `auto_redirect` enabled\"\n\nSince sing-box 1.11.0\n\nNote that it **doesn't work on the Android graphical client** due to\nthe Android VpnService not being able to handle a large number of routes (DeadSystemException),\nbut otherwise it works fine on all command line clients and Apple platforms.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#route_exclude_address_set", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "sniff": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).\n\nEnable sniffing.\n\nSee [Protocol Sniff](/configuration/route/sniff/) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#sniff", "type": "boolean" }, "sniff_override_destination": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0.\n\nOverride the connection destination address with the sniffed domain.\n\nIf the domain name is invalid (like tor), this will not work.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#sniff_override_destination", "type": "boolean" }, "sniff_timeout": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).\n\nTimeout for sniffing.\n\n`300ms` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#sniff_timeout", "type": "string" }, "stack": { "deprecated": true, "description": ":material-delete-alert: The legacy LWIP stack has been deprecated and removed.\n\nTCP/IP stack.\n\n| Stack | Description |\n|----------|-------------------------------------------------------------------------------------------------------|\n| `system` | Perform L3 to L4 translation using the system network stack |\n| `gvisor` | Perform L3 to L4 translation using [gVisor](https://github.com/google/gvisor)'s virtual network stack |\n| `mixed` | Mixed `system` TCP stack and `gvisor` UDP stack |\n\nDefaults to the `mixed` stack if the gVisor build tag is enabled, otherwise defaults to the `system` stack.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#stack", "type": "string" }, "strict_route": { "description": "Enforce strict routing rules when `auto_route` is enabled:\n\n*In Linux*:\n\n* Let unsupported network unreachable\n* For legacy reasons, when neither `strict_route` nor `auto_redirect` are enabled, all ICMP traffic will not go through TUN.\n* When `auto_redirect` is enabled, `strict_route` also affects `SO_BINDTODEVICE` traffic:\n* Enabled: `SO_BINDTODEVICE` traffic is redirected through sing-box.\n* Disabled: `SO_BINDTODEVICE` traffic bypasses sing-box.\n\n*In Windows*:\n\n* Let unsupported network unreachable\n* prevent DNS leak caused by\nWindows' [ordinary multihomed DNS resolution behavior](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552%28v%3Dws.10%29)\n\nIt may prevent some Windows applications (such as VirtualBox) from working properly in certain situations.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#strict_route", "type": "boolean" }, "tag": { "description": "The tag of the inbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/#tag", "type": "string" }, "type": { "const": "tun" }, "udp_disable_domain_unmapping": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).\n\nIf enabled, for UDP proxy requests addressed to a domain,\nthe original packet address will be sent in the response instead of the mapped domain.\n\nThis option is used for compatibility with clients that\ndo not support receiving UDP packets with domain addresses, such as Surge.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#udp_disable_domain_unmapping", "type": "boolean" }, "udp_timeout": { "description": "UDP NAT expiration time.\n\n`5m` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/tun/#udp_timeout", "oneOf": [ { "type": "integer" }, { "type": "string" } ] } }, "required": [ "type" ] }, "Inbound_vless": { "allOf": [ { "properties": { "multiplex": { "$ref": "#/$defs/InboundMultiplexOptions", "description": "See [Multiplex](/configuration/shared/multiplex#inbound) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/vless/#multiplex" }, "tag": { "description": "The tag of the inbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/InboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#inbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/vless/#tls" }, "transport": { "$ref": "#/$defs/V2RayTransportOptions", "description": "V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport/).\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/vless/#transport" }, "type": { "const": "vless" }, "users": { "description": "VLESS users.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/vless/#users", "items": { "$ref": "#/$defs/VLESSUser" }, "type": "array" } }, "required": [ "type", "users" ] }, { "$ref": "#/$defs/ListenOptions" } ] }, "Inbound_vmess": { "allOf": [ { "properties": { "multiplex": { "$ref": "#/$defs/InboundMultiplexOptions", "description": "See [Multiplex](/configuration/shared/multiplex#inbound) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/vmess/#multiplex" }, "tag": { "description": "The tag of the inbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/InboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#inbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/vmess/#tls" }, "transport": { "$ref": "#/$defs/V2RayTransportOptions", "description": "V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport/).\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/vmess/#transport" }, "type": { "const": "vmess" }, "users": { "description": "VMess users.\n\n| Alter ID | Description |\n|----------|-------------------------|\n| 0 | Disable legacy protocol |\n| \u003e 0 | Enable legacy protocol |\n\n\nLegacy protocol support (VMess MD5 Authentication) is provided for compatibility purposes only, use of alterId \u003e 1 is not recommended.\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/vmess/#users", "items": { "$ref": "#/$defs/VMessUser" }, "type": "array" } }, "required": [ "type", "users" ] }, { "$ref": "#/$defs/ListenOptions" } ] }, "LegacyDNSFakeIPOptions": { "properties": { "enabled": { "description": "Enable FakeIP service.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/fakeip/#enabled", "type": "boolean" }, "inet4_range": { "description": "IPv4 address range for FakeIP.\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/fakeip/#inet4_range", "type": "string" }, "inet6_range": { "type": "string" } }, "type": "object" }, "ListenOptions": { "properties": { "bind_interface": { "description": "Since sing-box 1.12.0\n\nThe network interface to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#bind_interface", "type": "string" }, "detour": { "description": "If set, connections will be forwarded to the specified inbound.\n\nRequires target inbound support, see [Injectable](/configuration/inbound/#fields).\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#detour", "type": "string" }, "disable_tcp_keep_alive": { "description": "Since sing-box 1.13.0\n\nDisable TCP keep alive.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#disable_tcp_keep_alive", "type": "boolean" }, "domain_strategy": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).\n\nOne of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.\n\nIf set, the requested domain name will be resolved to IP before routing.\n\nIf `sniff_override_destination` is in effect, its value will be taken as a fallback.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#domain_strategy", "enum": [ "", "prefer_ipv4", "prefer_ipv6", "ipv4_only", "ipv6_only" ], "type": "string" }, "listen": { "description": "Listen address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#listen", "type": "string" }, "listen_port": { "description": "Listen port.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#listen_port", "type": "integer" }, "netns": { "description": "Since sing-box 1.12.0\n\n\nOnly supported on Linux.\n\nSet network namespace, name or path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#netns", "type": "string" }, "proxy_protocol": { "deprecated": true, "type": "boolean" }, "proxy_protocol_accept_no_header": { "deprecated": true, "type": "boolean" }, "reuse_addr": { "description": "Since sing-box 1.12.0\n\nReuse listener address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#reuse_addr", "type": "boolean" }, "routing_mark": { "description": "Since sing-box 1.12.0\n\n\nOnly supported on Linux.\n\nSet netfilter routing mark.\n\nIntegers (e.g. `1234`) and string hexadecimals (e.g. `\"0x1234\"`) are supported.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#routing_mark", "oneOf": [ { "type": "integer" }, { "type": "string" } ] }, "sniff": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).\n\nEnable sniffing.\n\nSee [Protocol Sniff](/configuration/route/sniff/) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#sniff", "type": "boolean" }, "sniff_override_destination": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0.\n\nOverride the connection destination address with the sniffed domain.\n\nIf the domain name is invalid (like tor), this will not work.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#sniff_override_destination", "type": "boolean" }, "sniff_timeout": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).\n\nTimeout for sniffing.\n\n`300ms` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#sniff_timeout", "type": "string" }, "tcp_fast_open": { "description": "Enable TCP Fast Open.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#tcp_fast_open", "type": "boolean" }, "tcp_keep_alive": { "description": "Since sing-box 1.13.0\n\nDefault value changed from `10m` to `5m`.\n\nTCP keep alive initial period.\n\n`5m` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#tcp_keep_alive", "type": "string" }, "tcp_keep_alive_interval": { "description": "TCP keep alive interval.\n\n`75s` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#tcp_keep_alive_interval", "type": "string" }, "tcp_multi_path": { "description": "Go 1.21 required.\n\nEnable TCP Multi Path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#tcp_multi_path", "type": "boolean" }, "udp_disable_domain_unmapping": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).\n\nIf enabled, for UDP proxy requests addressed to a domain,\nthe original packet address will be sent in the response instead of the mapped domain.\n\nThis option is used for compatibility with clients that\ndo not support receiving UDP packets with domain addresses, such as Surge.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#udp_disable_domain_unmapping", "type": "boolean" }, "udp_fragment": { "description": "Enable UDP fragmentation.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#udp_fragment", "type": "boolean" }, "udp_timeout": { "description": "UDP NAT expiration time.\n\n`5m` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#udp_timeout", "oneOf": [ { "type": "integer" }, { "type": "string" } ] } }, "required": [ "listen" ], "type": "object" }, "LogOptions": { "properties": { "disabled": { "description": "Disable logging, no output after start.\n\nSee documentation: https://sing-box.sagernet.org/configuration/log/#disabled", "type": "boolean" }, "level": { "description": "Log level. One of: `trace` `debug` `info` `warn` `error` `fatal` `panic`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/log/#level", "type": "string" }, "output": { "description": "Output file path. Will not write log to console after enable.\n\nSee documentation: https://sing-box.sagernet.org/configuration/log/#output", "type": "string" }, "timestamp": { "description": "Add time to each line.\n\nSee documentation: https://sing-box.sagernet.org/configuration/log/#timestamp", "type": "boolean" } }, "type": "object" }, "NTPOptions": { "properties": { "bind_address_no_port": { "description": "Since sing-box 1.13.0\n\n\nOnly supported on Linux.\n\nDo not reserve a port when binding to a source address.\n\nThis allows reusing the same source port for multiple connections if the full 4-tuple (source IP, source port, destination IP, destination port) remains unique.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#bind_address_no_port", "type": "boolean" }, "bind_interface": { "description": "The network interface to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#bind_interface", "type": "string" }, "connect_timeout": { "description": "Connect timeout, in golang's Duration format.\n\nA duration string is a possibly signed sequence of\ndecimal numbers, each with optional fraction and a unit suffix,\nsuch as \"300ms\", \"-1.5h\" or \"2h45m\".\nValid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#connect_timeout", "type": "string" }, "detour": { "description": "The tag of the upstream outbound.\n\nIf enabled, all other fields will be ignored.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#detour", "type": "string" }, "disable_tcp_keep_alive": { "description": "Since sing-box 1.13.0\n\nDisable TCP keep alive.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#disable_tcp_keep_alive", "type": "boolean" }, "domain_resolver": { "$ref": "#/$defs/DomainResolveOptions", "deprecated": true, "description": "`outbound` DNS rule items are deprecated and will be removed in sing-box 1.14.0, so this item will be required for outbound/endpoints using domain name in server address since sing-box 1.14.0.\n\n\n\n`domain_resolver` or `route.default_domain_resolver` is optional when only one DNS server is configured.\n\nSet domain resolver to use for resolving domain names.\n\nThis option uses the same format as the [route DNS rule action](/configuration/dns/rule_action/#route) without the `action` field.\n\nSetting this option directly to a string is equivalent to setting `server` of this options.\n\n| Outbound/Endpoints | Effected domains |\n|--------------------|--------------------------|\n| `direct` | Domain in request |\n| others | Domain in server address |\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#domain_resolver" }, "domain_strategy": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.12.0\n\n`domain_strategy` is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-outbound-domain-strategy-option-to-domain-resolver).\n\nAvailable values: `prefer_ipv4`, `prefer_ipv6`, `ipv4_only`, `ipv6_only`.\n\nIf set, the requested domain name will be resolved to IP before connect.\n\n| Outbound | Effected domains | Fallback Value |\n|----------|--------------------------|-------------------------------------------|\n| `direct` | Domain in request | Take `inbound.domain_strategy` if not set |\n| others | Domain in server address | / |\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#domain_strategy", "enum": [ "", "prefer_ipv4", "prefer_ipv6", "ipv4_only", "ipv6_only" ], "type": "string" }, "enabled": { "description": "Enable NTP service.\n\nSee documentation: https://sing-box.sagernet.org/configuration/ntp/#enabled", "type": "boolean" }, "fallback_delay": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nThe length of time to wait before spawning a RFC 6555 Fast Fallback connection.\n\nFor `domain_strategy`, is the amount of time to wait for connection to succeed before assuming\nthat IPv4/IPv6 is misconfigured and falling back to other type of addresses.\n\nFor `network_strategy`, is the amount of time to wait for connection to succeed before falling\nback to other interfaces.\n\nOnly take effect when `domain_strategy` or `network_strategy` is set.\n\n`300ms` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#fallback_delay", "type": "string" }, "fallback_network_type": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nFallback network types when preferred networks are unavailable or timeout when using `fallback` network strategy.\n\nAll other networks expect preferred are used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#fallback_network_type", "oneOf": [ { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, { "items": { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, "type": "array" } ] }, "inet4_bind_address": { "description": "The IPv4 address to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#inet4_bind_address", "type": "string" }, "inet6_bind_address": { "description": "The IPv6 address to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#inet6_bind_address", "type": "string" }, "interval": { "description": "Time synchronization interval.\n\n30 minutes is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/ntp/#interval", "type": "string" }, "netns": { "description": "Since sing-box 1.12.0\n\n\nOnly supported on Linux.\n\nSet network namespace, name or path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#netns", "type": "string" }, "network_strategy": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nStrategy for selecting network interfaces.\n\nAvailable values:\n\n- `default` (default): Connect to default network or networks specified in `network_type` sequentially.\n- `hybrid`: Connect to all networks or networks specified in `network_type` concurrently.\n- `fallback`: Connect to default network or preferred networks specified in `network_type` concurrently, and try fallback networks when unavailable or timeout.\n\nFor fallback, when preferred interfaces fails or times out,\nit will enter a 15s fast fallback state (Connect to all preferred and fallback networks concurrently),\nand exit immediately if preferred networks recover.\n\nConflicts with `bind_interface`, `inet4_bind_address` and `inet6_bind_address`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#network_strategy", "enum": [ "default", "hybrid", "fallback" ], "type": "string" }, "network_type": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nNetwork types to use when using `default` or `hybrid` network strategy or\npreferred network types to use when using `fallback` network strategy.\n\nAvailable values: `wifi`, `cellular`, `ethernet`, `other`.\n\nDevice's default network is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#network_type", "oneOf": [ { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, { "items": { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, "type": "array" } ] }, "protect_path": { "type": "string" }, "reuse_addr": { "description": "Reuse listener address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#reuse_addr", "type": "boolean" }, "routing_mark": { "description": "Only supported on Linux.\n\nSet netfilter routing mark.\n\nIntegers (e.g. `1234`) and string hexadecimals (e.g. `\"0x1234\"`) are supported.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#routing_mark", "oneOf": [ { "type": "integer" }, { "type": "string" } ] }, "server": { "description": "NTP server address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/ntp/#server", "type": "string" }, "server_port": { "description": "NTP server port.\n\n123 is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/ntp/#server_port", "type": "integer" }, "tcp_fast_open": { "description": "Enable TCP Fast Open.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_fast_open", "type": "boolean" }, "tcp_keep_alive": { "description": "Since sing-box 1.13.0\n\nDefault value changed from `10m` to `5m`.\n\nTCP keep alive initial period.\n\n`5m` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_keep_alive", "type": "string" }, "tcp_keep_alive_interval": { "description": "Since sing-box 1.13.0\n\nTCP keep alive interval.\n\n`75s` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_keep_alive_interval", "type": "string" }, "tcp_multi_path": { "description": "Go 1.21 required.\n\nEnable TCP Multi Path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_multi_path", "type": "boolean" }, "udp_fragment": { "description": "Enable UDP fragmentation.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#udp_fragment", "type": "boolean" }, "write_to_system": { "type": "boolean" } }, "required": [ "server" ], "type": "object" }, "OCMUser": { "properties": { "name": { "type": "string" }, "token": { "type": "string" } }, "type": "object" }, "Outbound": { "allOf": [ { "properties": { "tag": { "description": "The tag of the outbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/#tag", "type": "string" }, "type": { "enum": [ "anytls", "block", "direct", "http", "hysteria", "hysteria2", "naive", "selector", "shadowsocks", "shadowtls", "socks", "ssh", "tor", "trojan", "tuic", "urltest", "vless", "vmess" ], "type": "string" } }, "required": [ "type" ] }, { "oneOf": [ { "$ref": "#/$defs/Outbound_anytls" }, { "$ref": "#/$defs/Outbound_block" }, { "$ref": "#/$defs/Outbound_direct" }, { "$ref": "#/$defs/Outbound_http" }, { "$ref": "#/$defs/Outbound_hysteria" }, { "$ref": "#/$defs/Outbound_hysteria2" }, { "$ref": "#/$defs/Outbound_naive" }, { "$ref": "#/$defs/Outbound_selector" }, { "$ref": "#/$defs/Outbound_shadowsocks" }, { "$ref": "#/$defs/Outbound_shadowtls" }, { "$ref": "#/$defs/Outbound_socks" }, { "$ref": "#/$defs/Outbound_ssh" }, { "$ref": "#/$defs/Outbound_tor" }, { "$ref": "#/$defs/Outbound_trojan" }, { "$ref": "#/$defs/Outbound_tuic" }, { "$ref": "#/$defs/Outbound_urltest" }, { "$ref": "#/$defs/Outbound_vless" }, { "$ref": "#/$defs/Outbound_vmess" } ] } ], "type": "object" }, "OutboundECHOptions": { "properties": { "config": { "description": "==Client only==\n\nECH configuration line array, in PEM format.\n\nIf empty, load from DNS will be attempted.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#config", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "config_path": { "description": "==Client only==\n\nThe path to ECH configuration, in PEM format.\n\nIf empty, load from DNS will be attempted.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#config_path", "type": "string" }, "dynamic_record_sizing_disabled": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.12.0\n\n`dynamic_record_sizing_disabled` has nothing to do with ECH, was added by mistake, has been deprecated and no longer works.\n\nDisables adaptive sizing of TLS records.\n\nWhen true, the largest possible TLS record size is always used.\nWhen false, the size of TLS records may be adjusted in an attempt to improve latency.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#dynamic_record_sizing_disabled", "type": "boolean" }, "enabled": { "description": "Enable TLS.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#enabled", "type": "boolean" }, "pq_signature_schemes_enabled": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.12.0\n\nECH support has been migrated to use stdlib in sing-box 1.12.0, which does not come with support for PQ signature schemes, so `pq_signature_schemes_enabled` has been deprecated and no longer works.\n\nEnable support for post-quantum peer certificate signature schemes.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#pq_signature_schemes_enabled", "type": "boolean" }, "query_server_name": { "description": "Since sing-box 1.13.0\n\n==Client only==\n\nOverrides the domain name used for ECH HTTPS record queries.\n\nIf empty, `server_name` is used for queries.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#query_server_name", "type": "string" } }, "type": "object" }, "OutboundMultiplexOptions": { "properties": { "brutal": { "$ref": "#/$defs/BrutalOptions", "description": "See [TCP Brutal](/configuration/shared/tcp-brutal/) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/multiplex/#brutal" }, "enabled": { "description": "Enable multiplex.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/multiplex/#enabled", "type": "boolean" }, "max_connections": { "description": "Maximum connections.\n\nConflict with `max_streams`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/multiplex/#max_connections", "type": "integer" }, "max_streams": { "description": "Maximum multiplexed streams in a connection before opening a new connection.\n\nConflict with `max_connections` and `min_streams`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/multiplex/#max_streams", "type": "integer" }, "min_streams": { "description": "Minimum multiplexed streams in a connection before opening a new connection.\n\nConflict with `max_streams`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/multiplex/#min_streams", "type": "integer" }, "padding": { "description": "Requires sing-box server version 1.3-beta9 or later.\n\nEnable padding.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/multiplex/#padding", "type": "boolean" }, "protocol": { "description": "Multiplex protocol.\n\n| Protocol | Description |\n|----------|------------------------------------|\n| smux | https://github.com/xtaci/smux |\n| yamux | https://github.com/hashicorp/yamux |\n| h2mux | https://golang.org/x/net/http2 |\n\nh2mux is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/multiplex/#protocol", "type": "string" } }, "type": "object" }, "OutboundRealityOptions": { "properties": { "enabled": { "description": "Enable TLS.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#enabled", "type": "boolean" }, "public_key": { "description": "==Client only==\n\n\nPublic key, generated by `sing-box generate reality-keypair`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#public_key", "type": "string" }, "short_id": { "description": "A hexadecimal string with zero to eight digits.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#short_id", "type": "string" } }, "required": [ "public_key", "short_id" ], "type": "object" }, "OutboundTLSOptions": { "properties": { "alpn": { "description": "List of supported application level protocols, in order of preference.\n\nIf both peers support ALPN, the selected protocol will be one from this list, and the connection will fail if there is\nno mutually supported protocol.\n\nSee [Application-Layer Protocol Negotiation](https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation).\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#alpn", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "certificate": { "description": "Server certificates chain line array, in PEM format.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#certificate", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "certificate_path": { "description": "!!! note \"\"\n\nWill be automatically reloaded if file modified.\n\nThe path to server certificate chain, in PEM format.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#certificate_path", "type": "string" }, "certificate_public_key_sha256": { "description": "Since sing-box 1.13.0\n\n==Client only==\n\nList of SHA-256 hashes of server certificate public keys, in base64 format.\n\nTo generate the SHA-256 hash for a certificate's public key, use the following commands:\n\n```bash\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#certificate_public_key_sha256", "oneOf": [ { "items": { "type": "string" }, "type": "array" }, { "items": { "items": { "type": "string" }, "type": "array" }, "type": "array" } ] }, "cipher_suites": { "description": "List of enabled TLS 1.0–1.2 cipher suites. The order of the list is ignored.\nNote that TLS 1.3 cipher suites are not configurable.\n\nIf empty, a safe default list is used. The default cipher suites might change over time.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#cipher_suites", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "client_certificate": { "description": "Since sing-box 1.13.0\n\n==Server only==\n\nClient certificate chain line array, in PEM format.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#client_certificate", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "client_certificate_path": { "description": "Since sing-box 1.13.0\n\n==Server only==\n\n!!! note \"\"\n\nWill be automatically reloaded if file modified.\n\nList of path to client certificate chain, in PEM format.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#client_certificate_path", "type": "string" }, "client_key": { "description": "Since sing-box 1.13.0\n\n==Client only==\n\nClient private key line array, in PEM format.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#client_key", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "client_key_path": { "description": "Since sing-box 1.13.0\n\n==Client only==\n\nThe path to client private key, in PEM format.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#client_key_path", "type": "string" }, "curve_preferences": { "description": "Since sing-box 1.13.0\n\nSet of supported key exchange mechanisms. The order of the list is ignored, and key exchange mechanisms are chosen\nfrom this list using an internal preference order by Golang.\n\nAvailable values, also the default list:\n\n* `P256`\n* `P384`\n* `P521`\n* `X25519`\n* `X25519MLKEM768`\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#curve_preferences", "oneOf": [ { "enum": [ "P256", "P384", "P521", "X25519", "X25519MLKEM768" ], "type": "string" }, { "items": { "enum": [ "P256", "P384", "P521", "X25519", "X25519MLKEM768" ], "type": "string" }, "type": "array" } ] }, "disable_sni": { "description": "==Client only==\n\nDo not send server name in ClientHello.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#disable_sni", "type": "boolean" }, "ech": { "$ref": "#/$defs/OutboundECHOptions" }, "enabled": { "description": "Enable TLS.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#enabled", "type": "boolean" }, "fragment": { "description": "Since sing-box 1.12.0\n\n==Client only==\n\nFragment TLS handshakes to bypass firewalls.\n\nThis feature is intended to circumvent simple firewalls based on **plaintext packet matching**,\nand should not be used to circumvent real censorship.\n\nDue to poor performance, try `record_fragment` first, and only apply to server names known to be blocked.\n\nOn Linux, Apple platforms, (administrator privileges required) Windows,\nthe wait time can be automatically detected. Otherwise, it will fall back to\nwaiting for a fixed time specified by `fragment_fallback_delay`.\n\nIn addition, if the actual wait time is less than 20ms, it will also fall back to waiting for a fixed time,\nbecause the target is considered to be local or behind a transparent proxy.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#fragment", "type": "boolean" }, "fragment_fallback_delay": { "description": "Since sing-box 1.12.0\n\n==Client only==\n\nThe fallback value used when TLS segmentation cannot automatically determine the wait time.\n\n`500ms` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#fragment_fallback_delay", "type": "string" }, "insecure": { "description": "==Client only==\n\nAccepts any server certificate.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#insecure", "type": "boolean" }, "kernel_rx": { "deprecated": true, "description": "Since sing-box 1.13.0\n\n\nOnly supported on Linux 5.1+, use a newer kernel if possible.\n\n\nOnly TLS 1.3 is supported.\n\nDeprecated: \n\nkTLS RX will definitely degrade performance even if `splice(2)` is in use, so enabling it is not recommended.\n\nEnable kernel TLS receive support.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#kernel_rx", "type": "boolean" }, "kernel_tx": { "description": "Since sing-box 1.13.0\n\n\nOnly supported on Linux 5.1+, use a newer kernel if possible.\n\n\nOnly TLS 1.3 is supported.\n\n\nkTLS TX may only improve performance when `splice(2)` is available (both ends must be TCP or TLS without additional protocols after handshake); otherwise, it will definitely degrade performance.\n\nEnable kernel TLS transmit support.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#kernel_tx", "type": "boolean" }, "max_version": { "description": "The maximum TLS version that is acceptable.\n\nBy default, the maximum version is currently TLS 1.3.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#max_version", "type": "string" }, "min_version": { "description": "The minimum TLS version that is acceptable.\n\nBy default, TLS 1.2 is currently used as the minimum when acting as a\nclient, and TLS 1.0 when acting as a server.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#min_version", "type": "string" }, "reality": { "$ref": "#/$defs/OutboundRealityOptions" }, "record_fragment": { "description": "Since sing-box 1.12.0\n\n==Client only==\n\nFragment TLS handshake into multiple TLS records to bypass firewalls.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#record_fragment", "type": "boolean" }, "server_name": { "description": "Used to verify the hostname on the returned certificates unless insecure is given.\n\nIt is also included in the client's handshake to support virtual hosting unless it is an IP address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#server_name", "type": "string" }, "utls": { "$ref": "#/$defs/OutboundUTLSOptions", "deprecated": true, "description": "==Client only==\n\nDeprecated: Not Recommended\n\nuTLS has had repeated fingerprinting vulnerabilities discovered by researchers.\n\nuTLS is a Go library that attempts to imitate browser TLS fingerprints by copying\nClientHello structure. However, browsers use completely different TLS stacks\n(Chrome uses BoringSSL, Firefox uses NSS) with distinct implementation behaviors\nthat cannot be replicated by simply copying the handshake format, making detection possible.\nAdditionally, the library lacks active maintenance and has poor code quality,\nmaking it unsuitable for censorship circumvention.\n\nFor TLS fingerprint resistance, use [NaiveProxy](/configuration/inbound/naive/) instead.\n\nuTLS is a fork of \"crypto/tls\", which provides ClientHello fingerprinting resistance.\n\nAvailable fingerprint values:\n\n\nSome legacy chrome fingerprints have been removed and will fallback to chrome:\n\n:material-close: chrome_psk\n:material-close: chrome_psk_shuffle\n:material-close: chrome_padding_psk_shuffle\n:material-close: chrome_pq\n:material-close: chrome_pq_psk\n\n* chrome\n* firefox\n* edge\n* safari\n* 360\n* qq\n* ios\n* android\n* random\n* randomized\n\nChrome fingerprint will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#utls" } }, "type": "object" }, "OutboundUTLSOptions": { "properties": { "enabled": { "description": "Enable TLS.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/tls/#enabled", "type": "boolean" }, "fingerprint": { "type": "string" } }, "type": "object" }, "Outbound_anytls": { "allOf": [ { "properties": { "idle_session_check_interval": { "description": "Interval checking for idle sessions. Default: 30s.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/anytls/#idle_session_check_interval", "type": "string" }, "idle_session_timeout": { "description": "In the check, close sessions that have been idle for longer than this. Default: 30s.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/anytls/#idle_session_timeout", "type": "string" }, "min_idle_session": { "description": "In the check, at least the first `n` idle sessions are kept open. Default value: `n`=0\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/anytls/#min_idle_session", "type": "integer" }, "password": { "description": "The AnyTLS password.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/anytls/#password", "type": "string" }, "tag": { "description": "The tag of the outbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/OutboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#outbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/anytls/#tls" }, "type": { "const": "anytls" } }, "required": [ "type", "tls", "password" ] }, { "$ref": "#/$defs/DialerOptions" }, { "$ref": "#/$defs/ServerOptions" } ] }, "Outbound_block": { "properties": { "tag": { "description": "The tag of the outbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/#tag", "type": "string" }, "type": { "const": "block" } }, "required": [ "type" ] }, "Outbound_direct": { "allOf": [ { "properties": { "override_address": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nDestination override fields are deprecated in sing-box 1.11.0 and will be removed in sing-box 1.13.0, see [Migration](/migration/#migrate-destination-override-fields-to-route-options).\n\nOverride the connection destination address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/direct/#override_address", "type": "string" }, "override_port": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nDestination override fields are deprecated in sing-box 1.11.0 and will be removed in sing-box 1.13.0, see [Migration](/migration/#migrate-destination-override-fields-to-route-options).\n\nOverride the connection destination port.\n\nProtocol value can be `1` or `2`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/direct/#override_port", "type": "integer" }, "proxy_protocol": { "deprecated": true, "type": "integer" }, "tag": { "description": "The tag of the outbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/#tag", "type": "string" }, "type": { "const": "direct" } }, "required": [ "type" ] }, { "$ref": "#/$defs/DialerOptions" } ] }, "Outbound_http": { "allOf": [ { "properties": { "headers": { "additionalProperties": { "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "description": "Extra headers of HTTP request.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/http/#headers", "type": "object" }, "password": { "description": "Basic authorization password.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/http/#password", "type": "string" }, "path": { "description": "Path of HTTP request.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/http/#path", "type": "string" }, "tag": { "description": "The tag of the outbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/OutboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#outbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/http/#tls" }, "type": { "const": "http" }, "username": { "description": "Basic authorization username.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/http/#username", "type": "string" } }, "required": [ "type" ] }, { "$ref": "#/$defs/DialerOptions" }, { "$ref": "#/$defs/ServerOptions" } ] }, "Outbound_hysteria": { "allOf": [ { "properties": { "auth": { "description": "Authentication password, in base64.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/hysteria/#auth", "items": { "type": "string" }, "type": "array" }, "auth_str": { "description": "Authentication password.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/hysteria/#auth_str", "type": "string" }, "disable_mtu_discovery": { "description": "Disables Path MTU Discovery (RFC 8899). Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size.\n\nForce enabled on for systems other than Linux and Windows (according to upstream).\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/hysteria/#disable_mtu_discovery", "type": "boolean" }, "down": { "type": "string" }, "down_mbps": { "type": "integer" }, "hop_interval": { "description": "Since sing-box 1.12.0\n\nPort hopping interval.\n\n`30s` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/hysteria/#hop_interval", "type": "string" }, "network": { "description": "Enabled network\n\nOne of `tcp` `udp`.\n\nBoth is enabled by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/hysteria/#network", "oneOf": [ { "enum": [ "tcp", "udp" ], "type": "string" }, { "items": { "enum": [ "tcp", "udp" ], "type": "string" }, "type": "array" } ] }, "obfs": { "description": "Obfuscated password.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/hysteria/#obfs", "type": "string" }, "recv_window": { "description": "The QUIC connection-level flow control window for receiving data.\n\n`67108864 (64 MB/s)` will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/hysteria/#recv_window", "type": "integer" }, "recv_window_conn": { "description": "The QUIC stream-level flow control window for receiving data.\n\n`15728640 (15 MB/s)` will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/hysteria/#recv_window_conn", "type": "integer" }, "server_ports": { "description": "Since sing-box 1.12.0\n\nServer port range list.\n\nConflicts with `server_port`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/hysteria/#server_ports", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "tag": { "description": "The tag of the outbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/OutboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#outbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/hysteria/#tls" }, "type": { "const": "hysteria" }, "up": { "type": "string" }, "up_mbps": { "type": "integer" } }, "required": [ "type", "tls" ] }, { "$ref": "#/$defs/DialerOptions" }, { "$ref": "#/$defs/ServerOptions" } ] }, "Outbound_hysteria2": { "allOf": [ { "properties": { "brutal_debug": { "description": "Enable debug information logging for Hysteria Brutal CC.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/hysteria2/#brutal_debug", "type": "boolean" }, "down_mbps": { "type": "integer" }, "hop_interval": { "description": "Since sing-box 1.11.0\n\nPort hopping interval.\n\n`30s` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/hysteria2/#hop_interval", "type": "string" }, "network": { "description": "Enabled network\n\nOne of `tcp` `udp`.\n\nBoth is enabled by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/hysteria2/#network", "oneOf": [ { "enum": [ "tcp", "udp" ], "type": "string" }, { "items": { "enum": [ "tcp", "udp" ], "type": "string" }, "type": "array" } ] }, "obfs": { "$ref": "#/$defs/Hysteria2Obfs" }, "password": { "description": "Authentication password.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/hysteria2/#password", "type": "string" }, "server_ports": { "description": "Since sing-box 1.11.0\n\nServer port range list.\n\nConflicts with `server_port`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/hysteria2/#server_ports", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "tag": { "description": "The tag of the outbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/OutboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#outbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/hysteria2/#tls" }, "type": { "const": "hysteria2" }, "up_mbps": { "type": "integer" } }, "required": [ "type", "tls" ] }, { "$ref": "#/$defs/DialerOptions" }, { "$ref": "#/$defs/ServerOptions" } ] }, "Outbound_naive": { "allOf": [ { "properties": { "extra_headers": { "additionalProperties": { "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "description": "Extra headers to send in HTTP requests.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/naive/#extra_headers", "type": "object" }, "insecure_concurrency": { "description": "Number of concurrent tunnel connections. Multiple connections make the tunneling easier to detect through traffic analysis, which defeats the purpose of NaiveProxy's design to resist traffic analysis.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/naive/#insecure_concurrency", "type": "integer" }, "password": { "description": "Authentication password.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/naive/#password", "type": "string" }, "quic": { "description": "Use QUIC instead of HTTP/2.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/naive/#quic", "type": "boolean" }, "quic_congestion_control": { "description": "QUIC congestion control algorithm.\n\n| Algorithm | Description |\n|-----------|-------------|\n| `bbr` | BBR |\n| `bbr2` | BBRv2 |\n| `cubic` | CUBIC |\n| `reno` | New Reno |\n\n`bbr` is used by default (the default of QUICHE, used by Chromium which NaiveProxy is based on).\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/naive/#quic_congestion_control", "type": "string" }, "quic_session_receive_window": { "type": "string" }, "stream_receive_window": { "type": "string" }, "tag": { "description": "The tag of the outbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/OutboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#outbound).\n\nOnly `server_name`, `certificate`, `certificate_path` and `ech` are supported.\n\nSelf-signed certificates change traffic behavior significantly, which defeats the purpose of NaiveProxy's design to resist traffic analysis, and should not be used in production.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/naive/#tls" }, "type": { "const": "naive" }, "udp_over_tcp": { "$ref": "#/$defs/UDPOverTCPOptions", "description": "UDP over TCP protocol settings.\n\nSee [UDP Over TCP](/configuration/shared/udp-over-tcp/) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/naive/#udp_over_tcp" }, "username": { "description": "Authentication username.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/naive/#username", "type": "string" } }, "required": [ "type", "tls" ] }, { "$ref": "#/$defs/DialerOptions" }, { "$ref": "#/$defs/ServerOptions" } ] }, "Outbound_selector": { "properties": { "default": { "description": "The default outbound tag. The first outbound will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/selector/#default", "type": "string" }, "interrupt_exist_connections": { "description": "Interrupt existing connections when the selected outbound has changed.\n\nOnly inbound connections are affected by this setting, internal connections will always be interrupted.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/selector/#interrupt_exist_connections", "type": "boolean" }, "outbounds": { "description": "List of outbound tags to select.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/selector/#outbounds", "items": { "type": "string" }, "type": "array" }, "tag": { "description": "The tag of the outbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/#tag", "type": "string" }, "type": { "const": "selector" } }, "required": [ "type", "outbounds" ] }, "Outbound_shadowsocks": { "allOf": [ { "properties": { "method": { "description": "Encryption methods:\n\n* `2022-blake3-aes-128-gcm`\n* `2022-blake3-aes-256-gcm`\n* `2022-blake3-chacha20-poly1305`\n* `none`\n* `aes-128-gcm`\n* `aes-192-gcm`\n* `aes-256-gcm`\n* `chacha20-ietf-poly1305`\n* `xchacha20-ietf-poly1305`\n\nLegacy encryption methods:\n\n* `aes-128-ctr`\n* `aes-192-ctr`\n* `aes-256-ctr`\n* `aes-128-cfb`\n* `aes-192-cfb`\n* `aes-256-cfb`\n* `rc4-md5`\n* `chacha20-ietf`\n* `xchacha20`\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/shadowsocks/#method", "type": "string" }, "multiplex": { "$ref": "#/$defs/OutboundMultiplexOptions", "description": "See [Multiplex](/configuration/shared/multiplex#outbound) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/shadowsocks/#multiplex" }, "network": { "description": "Enabled network\n\nOne of `tcp` `udp`.\n\nBoth is enabled by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/shadowsocks/#network", "oneOf": [ { "enum": [ "tcp", "udp" ], "type": "string" }, { "items": { "enum": [ "tcp", "udp" ], "type": "string" }, "type": "array" } ] }, "password": { "description": "The shadowsocks password.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/shadowsocks/#password", "type": "string" }, "plugin": { "description": "Shadowsocks SIP003 plugin, implemented in internal.\n\nOnly `obfs-local` and `v2ray-plugin` are supported.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/shadowsocks/#plugin", "type": "string" }, "plugin_opts": { "description": "Shadowsocks SIP003 plugin options.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/shadowsocks/#plugin_opts", "type": "string" }, "tag": { "description": "The tag of the outbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/#tag", "type": "string" }, "type": { "const": "shadowsocks" }, "udp_over_tcp": { "$ref": "#/$defs/UDPOverTCPOptions", "description": "UDP over TCP configuration.\n\nSee [UDP Over TCP](/configuration/shared/udp-over-tcp/) for details.\n\nConflict with `multiplex`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/shadowsocks/#udp_over_tcp" } }, "required": [ "type", "method", "password" ] }, { "$ref": "#/$defs/DialerOptions" }, { "$ref": "#/$defs/ServerOptions" } ] }, "Outbound_shadowtls": { "allOf": [ { "properties": { "password": { "description": "Set password.\n\nOnly available in the ShadowTLS v2/v3 protocol.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/shadowtls/#password", "type": "string" }, "tag": { "description": "The tag of the outbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/OutboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#outbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/shadowtls/#tls" }, "type": { "const": "shadowtls" }, "version": { "description": "ShadowTLS protocol version.\n\n| Value | Protocol Version |\n|---------------|-----------------------------------------------------------------------------------------|\n| `1` (default) | [ShadowTLS v1](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v1) |\n| `2` | [ShadowTLS v2](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v2) |\n| `3` | [ShadowTLS v3](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-v3-en.md) |\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/shadowtls/#version", "type": "integer" } }, "required": [ "type", "tls" ] }, { "$ref": "#/$defs/DialerOptions" }, { "$ref": "#/$defs/ServerOptions" } ] }, "Outbound_socks": { "allOf": [ { "properties": { "network": { "description": "Enabled network\n\nOne of `tcp` `udp`.\n\nBoth is enabled by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/socks/#network", "oneOf": [ { "enum": [ "tcp", "udp" ], "type": "string" }, { "items": { "enum": [ "tcp", "udp" ], "type": "string" }, "type": "array" } ] }, "password": { "description": "SOCKS5 password.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/socks/#password", "type": "string" }, "tag": { "description": "The tag of the outbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/#tag", "type": "string" }, "type": { "const": "socks" }, "udp_over_tcp": { "$ref": "#/$defs/UDPOverTCPOptions", "description": "UDP over TCP protocol settings.\n\nSee [UDP Over TCP](/configuration/shared/udp-over-tcp/) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/socks/#udp_over_tcp" }, "username": { "description": "SOCKS username.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/socks/#username", "type": "string" }, "version": { "description": "The SOCKS version, one of `4` `4a` `5`.\n\nSOCKS5 used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/socks/#version", "type": "string" } }, "required": [ "type" ] }, { "$ref": "#/$defs/DialerOptions" }, { "$ref": "#/$defs/ServerOptions" } ] }, "Outbound_ssh": { "allOf": [ { "properties": { "client_version": { "description": "Client version. Random version will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/ssh/#client_version", "type": "string" }, "host_key": { "description": "Host key. Accept any if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/ssh/#host_key", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "host_key_algorithms": { "description": "Host key algorithms.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/ssh/#host_key_algorithms", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "password": { "description": "Password.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/ssh/#password", "type": "string" }, "private_key": { "description": "Private key.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/ssh/#private_key", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "private_key_passphrase": { "description": "Private key passphrase.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/ssh/#private_key_passphrase", "type": "string" }, "private_key_path": { "description": "Private key path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/ssh/#private_key_path", "type": "string" }, "tag": { "description": "The tag of the outbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/#tag", "type": "string" }, "type": { "const": "ssh" }, "user": { "description": "SSH user, root will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/ssh/#user", "type": "string" } }, "required": [ "type" ] }, { "$ref": "#/$defs/DialerOptions" }, { "$ref": "#/$defs/ServerOptions" } ] }, "Outbound_tor": { "allOf": [ { "properties": { "data_directory": { "description": "==Recommended==\n\nThe data directory of Tor.\n\nEach start will be very slow if not specified.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/tor/#data_directory", "type": "string" }, "executable_path": { "description": "The path to the Tor executable.\n\nEmbedded Tor will be ignored if set.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/tor/#executable_path", "type": "string" }, "extra_args": { "description": "List of extra arguments passed to the Tor instance when started.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/tor/#extra_args", "items": { "type": "string" }, "type": "array" }, "tag": { "description": "The tag of the outbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/#tag", "type": "string" }, "torrc": { "additionalProperties": { "type": "string" }, "description": "Map of torrc options.\n\nSee [tor(1)](https://linux.die.net/man/1/tor) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/tor/#torrc", "type": "object" }, "type": { "const": "tor" } }, "required": [ "type" ] }, { "$ref": "#/$defs/DialerOptions" } ] }, "Outbound_trojan": { "allOf": [ { "properties": { "multiplex": { "$ref": "#/$defs/OutboundMultiplexOptions", "description": "See [Multiplex](/configuration/shared/multiplex#outbound) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/trojan/#multiplex" }, "network": { "description": "Enabled network\n\nOne of `tcp` `udp`.\n\nBoth is enabled by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/trojan/#network", "oneOf": [ { "enum": [ "tcp", "udp" ], "type": "string" }, { "items": { "enum": [ "tcp", "udp" ], "type": "string" }, "type": "array" } ] }, "password": { "description": "The Trojan password.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/trojan/#password", "type": "string" }, "tag": { "description": "The tag of the outbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/OutboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#outbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/trojan/#tls" }, "transport": { "$ref": "#/$defs/V2RayTransportOptions", "description": "V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport/).\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/trojan/#transport" }, "type": { "const": "trojan" } }, "required": [ "type", "password" ] }, { "$ref": "#/$defs/DialerOptions" }, { "$ref": "#/$defs/ServerOptions" } ] }, "Outbound_tuic": { "allOf": [ { "properties": { "congestion_control": { "description": "QUIC congestion control algorithm\n\nOne of: `cubic`, `new_reno`, `bbr`\n\n`cubic` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/tuic/#congestion_control", "type": "string" }, "heartbeat": { "description": "Duration string (e.g. \"300ms\", \"1h30m\")", "type": "string" }, "network": { "description": "Enabled network\n\nOne of `tcp` `udp`.\n\nBoth is enabled by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/tuic/#network", "oneOf": [ { "enum": [ "tcp", "udp" ], "type": "string" }, { "items": { "enum": [ "tcp", "udp" ], "type": "string" }, "type": "array" } ] }, "password": { "description": "TUIC user password\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/tuic/#password", "type": "string" }, "tag": { "description": "The tag of the outbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/OutboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#outbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/tuic/#tls" }, "type": { "const": "tuic" }, "udp_over_stream": { "description": "This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp/), designed to provide a QUIC\nstream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or\nanother program compatible with the protocol as a server.\n\nThis mode has no positive effect in a proper UDP proxy scenario and should only be applied to relay streaming UDP\ntraffic (basically QUIC streams).\n\nConflict with `udp_relay_mode`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/tuic/#udp_over_stream", "type": "boolean" }, "udp_relay_mode": { "description": "UDP packet relay mode\n\n| Mode | Description |\n|:-------|:-------------------------------------------------------------------------|\n| native | native UDP characteristics |\n| quic | lossless UDP relay using QUIC streams, additional overhead is introduced |\n\n`native` is used by default.\n\nConflict with `udp_over_stream`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/tuic/#udp_relay_mode", "type": "string" }, "uuid": { "description": "TUIC user uuid\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/tuic/#uuid", "type": "string" }, "zero_rtt_handshake": { "type": "boolean" } }, "required": [ "type", "uuid", "tls" ] }, { "$ref": "#/$defs/DialerOptions" }, { "$ref": "#/$defs/ServerOptions" } ] }, "Outbound_urltest": { "properties": { "idle_timeout": { "description": "The idle timeout. `30m` will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/urltest/#idle_timeout", "type": "string" }, "interrupt_exist_connections": { "description": "Interrupt existing connections when the selected outbound has changed.\n\nOnly inbound connections are affected by this setting, internal connections will always be interrupted.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/urltest/#interrupt_exist_connections", "type": "boolean" }, "interval": { "description": "The test interval. `3m` will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/urltest/#interval", "type": "string" }, "outbounds": { "description": "List of outbound tags to test.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/urltest/#outbounds", "items": { "type": "string" }, "type": "array" }, "tag": { "description": "The tag of the outbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/#tag", "type": "string" }, "tolerance": { "description": "The test tolerance in milliseconds. `50` will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/urltest/#tolerance", "type": "integer" }, "type": { "const": "urltest" }, "url": { "description": "The URL to test. `https://www.gstatic.com/generate_204` will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/urltest/#url", "type": "string" } }, "required": [ "type", "outbounds" ] }, "Outbound_vless": { "allOf": [ { "properties": { "flow": { "description": "VLESS Sub-protocol.\n\nAvailable values:\n\n* `xtls-rprx-vision`\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/vless/#flow", "type": "string" }, "multiplex": { "$ref": "#/$defs/OutboundMultiplexOptions", "description": "See [Multiplex](/configuration/shared/multiplex#outbound) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/vless/#multiplex" }, "network": { "description": "Enabled network\n\nOne of `tcp` `udp`.\n\nBoth is enabled by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/vless/#network", "oneOf": [ { "enum": [ "tcp", "udp" ], "type": "string" }, { "items": { "enum": [ "tcp", "udp" ], "type": "string" }, "type": "array" } ] }, "packet_encoding": { "description": "UDP packet encoding, xudp is used by default.\n\n| Encoding | Description |\n|------------|-----------------------|\n| (none) | Disabled |\n| packetaddr | Supported by v2ray 5+ |\n| xudp | Supported by xray |\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/vless/#packet_encoding", "type": "string" }, "tag": { "description": "The tag of the outbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/OutboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#outbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/vless/#tls" }, "transport": { "$ref": "#/$defs/V2RayTransportOptions", "description": "V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport/).\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/vless/#transport" }, "type": { "const": "vless" }, "uuid": { "description": "VLESS user id.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/vless/#uuid", "type": "string" } }, "required": [ "type", "uuid" ] }, { "$ref": "#/$defs/DialerOptions" }, { "$ref": "#/$defs/ServerOptions" } ] }, "Outbound_vmess": { "allOf": [ { "properties": { "alter_id": { "description": "| Alter ID | Description |\n|----------|---------------------|\n| 0 | Use AEAD protocol |\n| 1 | Use legacy protocol |\n| \u003e 1 | Unused, same as 1 |\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/vmess/#alter_id", "type": "integer" }, "authenticated_length": { "description": "Protocol parameter. Enable length block encryption.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/vmess/#authenticated_length", "type": "boolean" }, "global_padding": { "description": "Protocol parameter. Will waste traffic randomly if enabled (enabled by default in v2ray and cannot be disabled).\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/vmess/#global_padding", "type": "boolean" }, "multiplex": { "$ref": "#/$defs/OutboundMultiplexOptions", "description": "See [Multiplex](/configuration/shared/multiplex#outbound) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/vmess/#multiplex" }, "network": { "description": "Enabled network\n\nOne of `tcp` `udp`.\n\nBoth is enabled by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/vmess/#network", "oneOf": [ { "enum": [ "tcp", "udp" ], "type": "string" }, { "items": { "enum": [ "tcp", "udp" ], "type": "string" }, "type": "array" } ] }, "packet_encoding": { "description": "UDP packet encoding.\n\n| Encoding | Description |\n|------------|-----------------------|\n| (none) | Disabled |\n| packetaddr | Supported by v2ray 5+ |\n| xudp | Supported by xray |\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/vmess/#packet_encoding", "type": "string" }, "security": { "description": "Encryption methods:\n\n* `auto`\n* `none`\n* `zero`\n* `aes-128-gcm`\n* `chacha20-poly1305`\n\nLegacy encryption methods:\n\n* `aes-128-ctr`\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/vmess/#security", "type": "string" }, "tag": { "description": "The tag of the outbound.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/OutboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#outbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/vmess/#tls" }, "transport": { "$ref": "#/$defs/V2RayTransportOptions", "description": "V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport/).\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/vmess/#transport" }, "type": { "const": "vmess" }, "uuid": { "description": "The VMess user id.\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/vmess/#uuid", "type": "string" } }, "required": [ "type", "uuid" ] }, { "$ref": "#/$defs/DialerOptions" }, { "$ref": "#/$defs/ServerOptions" } ] }, "RouteOptions": { "properties": { "auto_detect_interface": { "description": "Only supported on Linux, Windows and macOS.\n\nBind outbound connections to the default NIC by default to prevent routing loops under tun.\n\nTakes no effect if `outbound.bind_interface` is set.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/#auto_detect_interface", "type": "boolean" }, "default_domain_resolver": { "$ref": "#/$defs/DomainResolveOptions", "description": "Since sing-box 1.12.0\n\nSee [Dial Fields](/configuration/shared/dial/#domain_resolver) for details.\n\nCan be overrides by `outbound.domain_resolver`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/#default_domain_resolver" }, "default_fallback_delay": { "description": "Since sing-box 1.11.0\n\nSee [Dial Fields](/configuration/shared/dial/#fallback_delay) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/#default_fallback_delay", "type": "string" }, "default_fallback_network_type": { "description": "Since sing-box 1.11.0\n\nSee [Dial Fields](/configuration/shared/dial/#fallback_network_type) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/#default_fallback_network_type", "oneOf": [ { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, { "items": { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, "type": "array" } ] }, "default_interface": { "description": "Only supported on Linux, Windows and macOS.\n\nBind outbound connections to the specified NIC by default to prevent routing loops under tun.\n\nTakes no effect if `auto_detect_interface` is set.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/#default_interface", "type": "string" }, "default_mark": { "description": "Only supported on Linux.\n\nSet routing mark by default.\n\nTakes no effect if `outbound.routing_mark` is set.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/#default_mark", "oneOf": [ { "type": "integer" }, { "type": "string" } ] }, "default_network_strategy": { "description": "Since sing-box 1.11.0\n\nSee [Dial Fields](/configuration/shared/dial/#network_strategy) for details.\n\nTakes no effect if `outbound.bind_interface`, `outbound.inet4_bind_address` or `outbound.inet6_bind_address` is set.\n\nCan be overrides by `outbound.network_strategy`.\n\nConflicts with `default_interface`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/#default_network_strategy", "enum": [ "default", "hybrid", "fallback" ], "type": "string" }, "default_network_type": { "description": "Since sing-box 1.11.0\n\nSee [Dial Fields](/configuration/shared/dial/#network_type) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/#default_network_type", "oneOf": [ { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, { "items": { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, "type": "array" } ] }, "final": { "description": "Default outbound tag. the first outbound will be used if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/#final", "type": "string" }, "find_process": { "type": "boolean" }, "geoip": { "$ref": "#/$defs/GeoIPOptions" }, "geosite": { "$ref": "#/$defs/GeositeOptions" }, "override_android_vpn": { "description": "Only supported on Android.\n\nAccept Android VPN as upstream NIC when `auto_detect_interface` enabled.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/#override_android_vpn", "type": "boolean" }, "rule_set": { "description": "Since sing-box 1.8.0\n\nList of [rule-set](/configuration/rule-set/)\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/#rule_set", "items": { "$ref": "#/$defs/RuleSet" }, "type": "array" }, "rules": { "description": "List of [Route Rule](./rule/)\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/#rules", "items": { "$ref": "#/$defs/Rule" }, "type": "array" } }, "type": "object" }, "Rule": { "oneOf": [ { "properties": { "action": { "enum": [ "", "route", "bypass", "reject", "hijack-dns", "route-options", "sniff", "resolve" ], "type": "string" }, "auth_user": { "description": "Username, see each inbound for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#auth_user", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "bind_address_no_port": { "type": "boolean" }, "bind_interface": { "type": "string" }, "clash_mode": { "description": "Match Clash mode.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#clash_mode", "type": "string" }, "client": { "description": "Since sing-box 1.10.0\n\nSniffed client type, see [Protocol Sniff](/configuration/route/sniff/) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#client", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "client_subnet": { "description": "Since sing-box 1.12.0\n\nAppend a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.\n\nIf value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.\n\nWill overrides `dns.client_subnet`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#client_subnet", "type": "string" }, "connect_timeout": { "description": "Duration string (e.g. \"300ms\", \"1h30m\")", "type": "string" }, "default_interface_address": { "description": "Since sing-box 1.13.0\n\n\nOnly supported on Linux, Windows, and macOS.\n\nMatch default interface address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#default_interface_address", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "detour": { "type": "string" }, "disable_cache": { "description": "Since sing-box 1.12.0\n\nDisable cache and save cache in this query.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#disable_cache", "type": "boolean" }, "disable_tcp_keep_alive": { "type": "boolean" }, "domain": { "description": "Match full domain.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#domain", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "domain_keyword": { "description": "Match domain using keyword.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#domain_keyword", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "domain_regex": { "description": "Match domain using regular expression.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#domain_regex", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "domain_resolver": { "$ref": "#/$defs/DomainResolveOptions" }, "domain_strategy": { "deprecated": true, "enum": [ "", "prefer_ipv4", "prefer_ipv6", "ipv4_only", "ipv6_only" ], "type": "string" }, "domain_suffix": { "description": "Match domain suffix.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#domain_suffix", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "fallback_delay": { "description": "See [Dial Fields](/configuration/shared/dial/#fallback_delay) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#fallback_delay", "type": "integer" }, "fallback_network_type": { "description": "See [Dial Fields](/configuration/shared/dial/#fallback_network_type) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#fallback_network_type", "oneOf": [ { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, { "items": { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, "type": "array" } ] }, "geoip": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.8.0\n\nGeoIP is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).\n\nMatch geoip.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#geoip", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "geosite": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.8.0\n\nGeosite is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geosite-to-rule-sets).\n\nMatch geosite.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#geosite", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "inbound": { "description": "Tags of [Inbound](/configuration/inbound/).\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#inbound", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "inet4_bind_address": { "type": "string" }, "inet6_bind_address": { "type": "string" }, "interface_address": { "additionalProperties": { "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "description": "Since sing-box 1.13.0\n\n\nOnly supported on Linux, Windows, and macOS.\n\nMatch interface address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#interface_address", "type": "object" }, "invert": { "description": "Invert match result.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#invert", "type": "boolean" }, "ip_cidr": { "description": "Match IP CIDR.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#ip_cidr", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "ip_is_private": { "description": "Since sing-box 1.8.0\n\nMatch non-public IP.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#ip_is_private", "type": "boolean" }, "ip_version": { "description": "4 or 6.\n\nNot limited if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#ip_version", "type": "integer" }, "method": { "description": "For TCP and UDP connections:\n\n- `default`: Reply with TCP RST for TCP connections, and ICMP port unreachable for UDP packets.\n- `drop`: Drop packets.\n\nFor ICMP echo requests:\n\n- `default`: Reply with ICMP host unreachable.\n- `drop`: Drop packets.\n- `reply`: Reply with ICMP echo reply.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#method", "type": "string" }, "netns": { "type": "string" }, "network": { "description": "Since sing-box 1.13.0, you can match ICMP echo (ping) requests via the new `icmp` network.\n\nMatch network type.\n\n`tcp`, `udp` or `icmp`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#network", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "network_interface_address": { "additionalProperties": { "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "description": "Since sing-box 1.13.0\n\n\nOnly supported in graphical clients on Android and Apple platforms.\n\nMatches network interface (same values as `network_type`) address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#network_interface_address", "type": "object" }, "network_is_constrained": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Apple platforms.\n\nMatch if network is in Low Data Mode.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#network_is_constrained", "type": "boolean" }, "network_is_expensive": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms.\n\nMatch if network is considered Metered (on Android) or considered expensive,\nsuch as Cellular or a Personal Hotspot (on Apple platforms).\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#network_is_expensive", "type": "boolean" }, "network_strategy": { "description": "See [Dial Fields](/configuration/shared/dial/#network_strategy) for details.\n\nOnly take effect if outbound is direct without `outbound.bind_interface`,\n`outbound.inet4_bind_address` and `outbound.inet6_bind_address` set.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#network_strategy", "enum": [ "default", "hybrid", "fallback" ], "type": "string" }, "network_type": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms.\n\nMatch network type.\n\nAvailable values: `wifi`, `cellular`, `ethernet` and `other`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#network_type", "oneOf": [ { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, { "items": { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, "type": "array" } ] }, "no_drop": { "description": "If not enabled, `method` will be temporarily overwritten to `drop` after 50 triggers in 30s.\n\nNot available when `method` is set to drop.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#no_drop", "type": "boolean" }, "outbound": { "description": "Tag of target outbound.\n\nIf not specified, the rule only matches in [pre-match](/configuration/shared/pre-match/)\nfrom auto redirect, and will be skipped in other contexts.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#outbound", "type": "string" }, "override_address": { "description": "Override the connection destination address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#override_address", "type": "string" }, "override_port": { "description": "Override the connection destination port.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#override_port", "type": "integer" }, "package_name": { "description": "Match android package name.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#package_name", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "port": { "description": "Match port.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#port", "oneOf": [ { "type": "integer" }, { "items": { "type": "integer" }, "type": "array" } ] }, "port_range": { "description": "Match port range.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#port_range", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "preferred_by": { "description": "Since sing-box 1.13.0\n\nMatch specified outbounds' preferred routes.\n\n| Type | Match |\n|-------------|-----------------------------------------------|\n| `tailscale` | Match MagicDNS domains and peers' allowed IPs |\n| `wireguard` | Match peers's allowed IPs |\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#preferred_by", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "process_name": { "description": "Only supported on Linux, Windows, and macOS.\n\nMatch process name.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#process_name", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "process_path": { "description": "Only supported on Linux, Windows, and macOS.\n\nMatch process path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#process_path", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "process_path_regex": { "description": "Since sing-box 1.10.0\n\n\nOnly supported on Linux, Windows, and macOS.\n\nMatch process path using regular expression.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#process_path_regex", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "protect_path": { "type": "string" }, "protocol": { "description": "Sniffed protocol, see [Protocol Sniff](/configuration/route/sniff/) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#protocol", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "reuse_addr": { "type": "boolean" }, "rewrite_ttl": { "description": "Since sing-box 1.12.0\n\nRewrite TTL in DNS responses.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#rewrite_ttl", "type": "integer" }, "routing_mark": { "oneOf": [ { "type": "integer" }, { "type": "string" } ] }, "rule_set": { "description": "Since sing-box 1.8.0\n\nMatch [rule-set](/configuration/route/#rule_set).\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#rule_set", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "rule_set_ip_cidr_match_source": { "description": "Since sing-box 1.10.0\n\nMake `ip_cidr` in rule-sets match the source IP.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#rule_set_ip_cidr_match_source", "type": "boolean" }, "rule_set_ipcidr_match_source": { "deprecated": true, "description": "Since sing-box 1.8.0\n\nDeprecated: Deprecated in sing-box 1.10.0\n\n`rule_set_ipcidr_match_source` is renamed to `rule_set_ip_cidr_match_source` and will be remove in sing-box 1.11.0.\n\nMake `ip_cidr` in rule-sets match the source IP.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#rule_set_ipcidr_match_source", "type": "boolean" }, "server": { "description": "Specifies DNS server tag to use instead of selecting through DNS routing.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#server", "type": "string" }, "sniffer": { "description": "Enabled sniffers.\n\nAll sniffers enabled by default.\n\nAvailable protocol values an be found on in [Protocol Sniff](../sniff/)\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#sniffer", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "source_geoip": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.8.0\n\nGeoIP is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).\n\nMatch source geoip.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#source_geoip", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "source_ip_cidr": { "description": "Match source IP CIDR.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#source_ip_cidr", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "source_ip_is_private": { "description": "Since sing-box 1.8.0\n\nMatch non-public source IP.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#source_ip_is_private", "type": "boolean" }, "source_port": { "description": "Match source port.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#source_port", "oneOf": [ { "type": "integer" }, { "items": { "type": "integer" }, "type": "array" } ] }, "source_port_range": { "description": "Match source port range.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#source_port_range", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "strategy": { "description": "DNS resolution strategy, available values are: `prefer_ipv4`, `prefer_ipv6`, `ipv4_only`, `ipv6_only`.\n\n`dns.strategy` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#strategy", "enum": [ "", "prefer_ipv4", "prefer_ipv6", "ipv4_only", "ipv6_only" ], "type": "string" }, "tcp_fast_open": { "type": "boolean" }, "tcp_keep_alive": { "description": "Duration string (e.g. \"300ms\", \"1h30m\")", "type": "string" }, "tcp_keep_alive_interval": { "description": "Duration string (e.g. \"300ms\", \"1h30m\")", "type": "string" }, "tcp_multi_path": { "type": "boolean" }, "timeout": { "description": "Timeout for sniffing.\n\n`300ms` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#timeout", "type": "string" }, "tls_fragment": { "description": "Since sing-box 1.12.0\n\nFragment TLS handshakes to bypass firewalls.\n\nThis feature is intended to circumvent simple firewalls based on **plaintext packet matching**,\nand should not be used to circumvent real censorship.\n\nDue to poor performance, try `tls_record_fragment` first, and only apply to server names known to be blocked.\n\nOn Linux, Apple platforms, (administrator privileges required) Windows,\nthe wait time can be automatically detected. Otherwise, it will fall back to\nwaiting for a fixed time specified by `tls_fragment_fallback_delay`.\n\nIn addition, if the actual wait time is less than 20ms, it will also fall back to waiting for a fixed time,\nbecause the target is considered to be local or behind a transparent proxy.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#tls_fragment", "type": "boolean" }, "tls_fragment_fallback_delay": { "description": "Since sing-box 1.12.0\n\nThe fallback value used when TLS segmentation cannot automatically determine the wait time.\n\n`500ms` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#tls_fragment_fallback_delay", "type": "string" }, "tls_record_fragment": { "description": "Since sing-box 1.12.0\n\nFragment TLS handshake into multiple TLS records to bypass firewalls.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#tls_record_fragment", "type": "boolean" }, "udp_connect": { "description": "If enabled, attempts to connect UDP connection to the destination instead of listen.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#udp_connect", "type": "boolean" }, "udp_disable_domain_unmapping": { "description": "If enabled, for UDP proxy requests addressed to a domain,\nthe original packet address will be sent in the response instead of the mapped domain.\n\nThis option is used for compatibility with clients that\ndo not support receiving UDP packets with domain addresses, such as Surge.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#udp_disable_domain_unmapping", "type": "boolean" }, "udp_fragment": { "type": "boolean" }, "udp_timeout": { "description": "Timeout for UDP connections.\n\nSetting a larger value than the UDP timeout in inbounds will have no effect.\n\nDefault value for protocol sniffed connections:\n\n| Timeout | Protocol |\n|---------|----------------------|\n| `10s` | `dns`, `ntp`, `stun` |\n| `30s` | `quic`, `dtls` |\n\nIf no protocol is sniffed, the following ports will be recognized as protocols by default:\n\n| Port | Protocol |\n|------|----------|\n| 53 | `dns` |\n| 123 | `ntp` |\n| 443 | `quic` |\n| 3478 | `stun` |\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#udp_timeout", "type": "string" }, "user": { "description": "Only supported on Linux.\n\nMatch user name.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#user", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "user_id": { "description": "Only supported on Linux.\n\nMatch user id.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#user_id", "oneOf": [ { "type": "integer" }, { "items": { "type": "integer" }, "type": "array" } ] }, "wifi_bssid": { "description": "Match WiFi BSSID.\n\nSee [Wi-Fi State](/configuration/shared/wifi-state/) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#wifi_bssid", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "wifi_ssid": { "description": "Match WiFi SSID.\n\nSee [Wi-Fi State](/configuration/shared/wifi-state/) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule/#wifi_ssid", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] } } }, { "properties": { "action": { "enum": [ "", "route", "bypass", "reject", "hijack-dns", "route-options", "sniff", "resolve" ], "type": "string" }, "bind_address_no_port": { "type": "boolean" }, "bind_interface": { "type": "string" }, "client_subnet": { "description": "Since sing-box 1.12.0\n\nAppend a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.\n\nIf value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.\n\nWill overrides `dns.client_subnet`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#client_subnet", "type": "string" }, "connect_timeout": { "description": "Duration string (e.g. \"300ms\", \"1h30m\")", "type": "string" }, "detour": { "type": "string" }, "disable_cache": { "description": "Since sing-box 1.12.0\n\nDisable cache and save cache in this query.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#disable_cache", "type": "boolean" }, "disable_tcp_keep_alive": { "type": "boolean" }, "domain_resolver": { "$ref": "#/$defs/DomainResolveOptions" }, "domain_strategy": { "deprecated": true, "enum": [ "", "prefer_ipv4", "prefer_ipv6", "ipv4_only", "ipv6_only" ], "type": "string" }, "fallback_delay": { "description": "See [Dial Fields](/configuration/shared/dial/#fallback_delay) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#fallback_delay", "type": "integer" }, "fallback_network_type": { "description": "See [Dial Fields](/configuration/shared/dial/#fallback_network_type) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#fallback_network_type", "oneOf": [ { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, { "items": { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, "type": "array" } ] }, "inet4_bind_address": { "type": "string" }, "inet6_bind_address": { "type": "string" }, "invert": { "type": "boolean" }, "method": { "description": "For TCP and UDP connections:\n\n- `default`: Reply with TCP RST for TCP connections, and ICMP port unreachable for UDP packets.\n- `drop`: Drop packets.\n\nFor ICMP echo requests:\n\n- `default`: Reply with ICMP host unreachable.\n- `drop`: Drop packets.\n- `reply`: Reply with ICMP echo reply.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#method", "type": "string" }, "mode": { "enum": [ "and", "or" ], "type": "string" }, "netns": { "type": "string" }, "network_strategy": { "description": "See [Dial Fields](/configuration/shared/dial/#network_strategy) for details.\n\nOnly take effect if outbound is direct without `outbound.bind_interface`,\n`outbound.inet4_bind_address` and `outbound.inet6_bind_address` set.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#network_strategy", "enum": [ "default", "hybrid", "fallback" ], "type": "string" }, "network_type": { "description": "See [Dial Fields](/configuration/shared/dial/#network_type) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#network_type", "oneOf": [ { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, { "items": { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, "type": "array" } ] }, "no_drop": { "description": "If not enabled, `method` will be temporarily overwritten to `drop` after 50 triggers in 30s.\n\nNot available when `method` is set to drop.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#no_drop", "type": "boolean" }, "outbound": { "description": "Tag of target outbound.\n\nIf not specified, the rule only matches in [pre-match](/configuration/shared/pre-match/)\nfrom auto redirect, and will be skipped in other contexts.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#outbound", "type": "string" }, "override_address": { "description": "Override the connection destination address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#override_address", "type": "string" }, "override_port": { "description": "Override the connection destination port.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#override_port", "type": "integer" }, "protect_path": { "type": "string" }, "reuse_addr": { "type": "boolean" }, "rewrite_ttl": { "description": "Since sing-box 1.12.0\n\nRewrite TTL in DNS responses.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#rewrite_ttl", "type": "integer" }, "routing_mark": { "oneOf": [ { "type": "integer" }, { "type": "string" } ] }, "rules": { "items": { "$ref": "#/$defs/Rule" }, "type": "array" }, "server": { "description": "Specifies DNS server tag to use instead of selecting through DNS routing.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#server", "type": "string" }, "sniffer": { "description": "Enabled sniffers.\n\nAll sniffers enabled by default.\n\nAvailable protocol values an be found on in [Protocol Sniff](../sniff/)\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#sniffer", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "strategy": { "description": "DNS resolution strategy, available values are: `prefer_ipv4`, `prefer_ipv6`, `ipv4_only`, `ipv6_only`.\n\n`dns.strategy` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#strategy", "enum": [ "", "prefer_ipv4", "prefer_ipv6", "ipv4_only", "ipv6_only" ], "type": "string" }, "tcp_fast_open": { "type": "boolean" }, "tcp_keep_alive": { "description": "Duration string (e.g. \"300ms\", \"1h30m\")", "type": "string" }, "tcp_keep_alive_interval": { "description": "Duration string (e.g. \"300ms\", \"1h30m\")", "type": "string" }, "tcp_multi_path": { "type": "boolean" }, "timeout": { "description": "Timeout for sniffing.\n\n`300ms` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#timeout", "type": "string" }, "tls_fragment": { "description": "Since sing-box 1.12.0\n\nFragment TLS handshakes to bypass firewalls.\n\nThis feature is intended to circumvent simple firewalls based on **plaintext packet matching**,\nand should not be used to circumvent real censorship.\n\nDue to poor performance, try `tls_record_fragment` first, and only apply to server names known to be blocked.\n\nOn Linux, Apple platforms, (administrator privileges required) Windows,\nthe wait time can be automatically detected. Otherwise, it will fall back to\nwaiting for a fixed time specified by `tls_fragment_fallback_delay`.\n\nIn addition, if the actual wait time is less than 20ms, it will also fall back to waiting for a fixed time,\nbecause the target is considered to be local or behind a transparent proxy.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#tls_fragment", "type": "boolean" }, "tls_fragment_fallback_delay": { "description": "Since sing-box 1.12.0\n\nThe fallback value used when TLS segmentation cannot automatically determine the wait time.\n\n`500ms` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#tls_fragment_fallback_delay", "type": "string" }, "tls_record_fragment": { "description": "Since sing-box 1.12.0\n\nFragment TLS handshake into multiple TLS records to bypass firewalls.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#tls_record_fragment", "type": "boolean" }, "type": { "const": "logical" }, "udp_connect": { "description": "If enabled, attempts to connect UDP connection to the destination instead of listen.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#udp_connect", "type": "boolean" }, "udp_disable_domain_unmapping": { "description": "If enabled, for UDP proxy requests addressed to a domain,\nthe original packet address will be sent in the response instead of the mapped domain.\n\nThis option is used for compatibility with clients that\ndo not support receiving UDP packets with domain addresses, such as Surge.\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#udp_disable_domain_unmapping", "type": "boolean" }, "udp_fragment": { "type": "boolean" }, "udp_timeout": { "description": "Timeout for UDP connections.\n\nSetting a larger value than the UDP timeout in inbounds will have no effect.\n\nDefault value for protocol sniffed connections:\n\n| Timeout | Protocol |\n|---------|----------------------|\n| `10s` | `dns`, `ntp`, `stun` |\n| `30s` | `quic`, `dtls` |\n\nIf no protocol is sniffed, the following ports will be recognized as protocols by default:\n\n| Port | Protocol |\n|------|----------|\n| 53 | `dns` |\n| 123 | `ntp` |\n| 443 | `quic` |\n| 3478 | `stun` |\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/rule_action/#udp_timeout", "type": "string" } }, "required": [ "type" ] } ], "type": "object" }, "RuleSet": { "oneOf": [ { "properties": { "rules": { "items": { "$ref": "#/$defs/HeadlessRule" }, "type": "array" }, "tag": { "type": "string" }, "type": { "enum": [ "", "inline" ], "type": "string" } }, "required": [ "tag" ] }, { "properties": { "format": { "enum": [ "source", "binary" ], "type": "string" }, "path": { "type": "string" }, "tag": { "type": "string" }, "type": { "const": "local" } }, "required": [ "type", "tag" ] }, { "properties": { "download_detour": { "type": "string" }, "format": { "enum": [ "source", "binary" ], "type": "string" }, "tag": { "type": "string" }, "type": { "const": "remote" }, "update_interval": { "type": "string" }, "url": { "type": "string" } }, "required": [ "type", "tag", "url" ] } ], "type": "object" }, "ServerOptions": { "properties": { "server": { "type": "string" }, "server_port": { "type": "integer" } }, "type": "object" }, "Service": { "allOf": [ { "properties": { "tag": { "description": "The tag of the endpoint.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/#tag", "type": "string" }, "type": { "enum": [ "ccm", "derp", "ocm", "oom-killer", "resolved", "ssm-api" ], "type": "string" } }, "required": [ "type" ] }, { "oneOf": [ { "$ref": "#/$defs/Service_ccm" }, { "$ref": "#/$defs/Service_derp" }, { "$ref": "#/$defs/Service_ocm" }, { "$ref": "#/$defs/Service_oom-killer" }, { "$ref": "#/$defs/Service_resolved" }, { "$ref": "#/$defs/Service_ssm-api" } ] } ], "type": "object" }, "Service_ccm": { "allOf": [ { "properties": { "credential_path": { "description": "Path to the Claude Code OAuth credentials file.\n\nIf not specified, defaults to:\n- `$CLAUDE_CONFIG_DIR/.credentials.json` if `CLAUDE_CONFIG_DIR` environment variable is set\n- `~/.claude/.credentials.json` otherwise\n\nOn macOS, credentials are read from the system keychain first, then fall back to the file if unavailable.\n\nRefreshed tokens are automatically written back to the same location.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/ccm/#credential_path", "type": "string" }, "detour": { "description": "Outbound tag for connecting to the Claude API.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/ccm/#detour", "type": "string" }, "headers": { "additionalProperties": { "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "description": "Custom HTTP headers to send to the Claude API.\n\nThese headers will override any existing headers with the same name.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/ccm/#headers", "type": "object" }, "tag": { "description": "The tag of the endpoint.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/InboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#inbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/ccm/#tls" }, "type": { "const": "ccm" }, "usages_path": { "description": "Path to the file for storing aggregated API usage statistics.\n\nUsage tracking is disabled if not specified.\n\nWhen enabled, the service tracks and saves comprehensive statistics including:\n- Request counts\n- Token usage (input, output, cache read, cache creation)\n- Calculated costs in USD based on Claude API pricing\n\nStatistics are organized by model, context window (200k standard vs 1M premium), and optionally by user when authentication is enabled.\n\nThe statistics file is automatically saved every minute and upon service shutdown.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/ccm/#usages_path", "type": "string" }, "users": { "description": "List of authorized users for token authentication.\n\nIf empty, no authentication is required.\n\nObject format:\n\n```json\n{\n\"name\": \"\",\n\"token\": \"\"\n}\n```\n\nObject fields:\n\n- `name`: Username identifier for tracking purposes.\n- `token`: Bearer token for authentication. Claude Code authenticates by setting the `ANTHROPIC_AUTH_TOKEN` environment variable to their token value.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/ccm/#users", "items": { "$ref": "#/$defs/CCMUser" }, "type": "array" } }, "required": [ "type" ] }, { "$ref": "#/$defs/ListenOptions" } ] }, "Service_derp": { "allOf": [ { "properties": { "config_path": { "description": "Derper configuration file path.\n\nExample: `derper.key`\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/derp/#config_path", "type": "string" }, "home": { "description": "What to serve at the root path. It may be left empty (the default, for a default homepage), `blank` for a blank page, or a URL to redirect to\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/derp/#home", "type": "string" }, "mesh_psk": { "description": "Pre-shared key for DERP mesh.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/derp/#mesh_psk", "type": "string" }, "mesh_psk_file": { "description": "Pre-shared key file for DERP mesh.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/derp/#mesh_psk_file", "type": "string" }, "mesh_with": { "description": "Mesh with other DERP servers.\n\nObject format:\n\n```json\n{\n\"server\": \"\",\n\"server_port\": \"\",\n\"host\": \"\",\n\"tls\": {},\n\n... // Dial Fields\n}\n```\n\nObject fields:\n\n- `server`: **Required** DERP server address.\n- `server_port`: **Required** DERP server port.\n- `host`: Custom DERP hostname.\n- `tls`: [TLS](/configuration/shared/tls/#outbound)\n- `Dial Fields`: [Dial Fields](/configuration/shared/dial/)\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/derp/#mesh_with", "oneOf": [ { "$ref": "#/$defs/DERPMeshOptions" }, { "items": { "$ref": "#/$defs/DERPMeshOptions" }, "type": "array" } ] }, "stun": { "$ref": "#/$defs/DERPSTUNListenOptions", "description": "STUN server listen options.\n\nObject format:\n\n```json\n{\n\"enabled\": true,\n\n... // Listen Fields\n}\n```\n\nObject fields:\n\n- `enabled`: **Required** Enable STUN server.\n- `listen`: **Required** STUN server listen address, default to `::`.\n- `listen_port`: **Required** STUN server listen port, default to `3478`.\n- `other Listen Fields`: [Listen Fields](/configuration/shared/listen/)\n\nSetting `stun` value to a number `__PORT__` is equivalent to configuring:\n\n```json\n{ \"enabled\": true, \"listen_port\": __PORT__ }\n```\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/derp/#stun" }, "tag": { "description": "The tag of the endpoint.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/InboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#inbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/derp/#tls" }, "type": { "const": "derp" }, "verify_client_endpoint": { "description": "Tailscale endpoints tags to verify clients.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/derp/#verify_client_endpoint", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "verify_client_url": { "description": "URL to verify clients.\n\nObject format:\n\n```json\n{\n\"url\": \"https://my-headscale.com/verify\",\n\n... // Dial Fields\n}\n```\n\nSetting Array value to a string `__URL__` is equivalent to configuring:\n\n```json\n{ \"url\": __URL__ }\n```\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/derp/#verify_client_url", "oneOf": [ { "$ref": "#/$defs/DERPVerifyClientURLOptions" }, { "items": { "$ref": "#/$defs/DERPVerifyClientURLOptions" }, "type": "array" } ] } }, "required": [ "type", "config_path" ] }, { "$ref": "#/$defs/ListenOptions" } ] }, "Service_ocm": { "allOf": [ { "properties": { "credential_path": { "description": "Path to the OpenAI OAuth credentials file.\n\nIf not specified, defaults to:\n- `$CODEX_HOME/auth.json` if `CODEX_HOME` environment variable is set\n- `~/.codex/auth.json` otherwise\n\nRefreshed tokens are automatically written back to the same location.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/ocm/#credential_path", "type": "string" }, "detour": { "description": "Outbound tag for connecting to the OpenAI API.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/ocm/#detour", "type": "string" }, "headers": { "additionalProperties": { "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "description": "Custom HTTP headers to send to the OpenAI API.\n\nThese headers will override any existing headers with the same name.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/ocm/#headers", "type": "object" }, "tag": { "description": "The tag of the endpoint.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/InboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#inbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/ocm/#tls" }, "type": { "const": "ocm" }, "usages_path": { "description": "Path to the file for storing aggregated API usage statistics.\n\nUsage tracking is disabled if not specified.\n\nWhen enabled, the service tracks and saves comprehensive statistics including:\n- Request counts\n- Token usage (input, output, cached)\n- Calculated costs in USD based on OpenAI API pricing\n\nStatistics are organized by model and optionally by user when authentication is enabled.\n\nThe statistics file is automatically saved every minute and upon service shutdown.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/ocm/#usages_path", "type": "string" }, "users": { "description": "List of authorized users for token authentication.\n\nIf empty, no authentication is required.\n\nObject format:\n\n```json\n{\n\"name\": \"\",\n\"token\": \"\"\n}\n```\n\nObject fields:\n\n- `name`: Username identifier for tracking purposes.\n- `token`: Bearer token for authentication. Clients authenticate by setting the `Authorization: Bearer \u003ctoken\u003e` header.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/ocm/#users", "items": { "$ref": "#/$defs/OCMUser" }, "type": "array" } }, "required": [ "type" ] }, { "$ref": "#/$defs/ListenOptions" } ] }, "Service_oom-killer": { "properties": { "checks_before_limit": { "type": "integer" }, "max_interval": { "description": "Duration string (e.g. \"300ms\", \"1h30m\")", "type": "string" }, "memory_limit": { "type": "string" }, "min_interval": { "description": "Duration string (e.g. \"300ms\", \"1h30m\")", "type": "string" }, "safety_margin": { "type": "string" }, "tag": { "description": "The tag of the endpoint.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/#tag", "type": "string" }, "type": { "const": "oom-killer" } }, "required": [ "type" ] }, "Service_resolved": { "properties": { "bind_interface": { "description": "Since sing-box 1.12.0\n\nThe network interface to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#bind_interface", "type": "string" }, "detour": { "description": "If set, connections will be forwarded to the specified inbound.\n\nRequires target inbound support, see [Injectable](/configuration/inbound/#fields).\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#detour", "type": "string" }, "disable_tcp_keep_alive": { "description": "Since sing-box 1.13.0\n\nDisable TCP keep alive.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#disable_tcp_keep_alive", "type": "boolean" }, "domain_strategy": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).\n\nOne of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.\n\nIf set, the requested domain name will be resolved to IP before routing.\n\nIf `sniff_override_destination` is in effect, its value will be taken as a fallback.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#domain_strategy", "enum": [ "", "prefer_ipv4", "prefer_ipv6", "ipv4_only", "ipv6_only" ], "type": "string" }, "listen": { "description": "Listen address.\n\n`127.0.0.53` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/resolved/#listen", "type": "string" }, "listen_port": { "description": "Listen port.\n\n`53` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/resolved/#listen_port", "type": "integer" }, "netns": { "description": "Since sing-box 1.12.0\n\n\nOnly supported on Linux.\n\nSet network namespace, name or path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#netns", "type": "string" }, "proxy_protocol": { "deprecated": true, "type": "boolean" }, "proxy_protocol_accept_no_header": { "deprecated": true, "type": "boolean" }, "reuse_addr": { "description": "Since sing-box 1.12.0\n\nReuse listener address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#reuse_addr", "type": "boolean" }, "routing_mark": { "description": "Since sing-box 1.12.0\n\n\nOnly supported on Linux.\n\nSet netfilter routing mark.\n\nIntegers (e.g. `1234`) and string hexadecimals (e.g. `\"0x1234\"`) are supported.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#routing_mark", "oneOf": [ { "type": "integer" }, { "type": "string" } ] }, "sniff": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).\n\nEnable sniffing.\n\nSee [Protocol Sniff](/configuration/route/sniff/) for details.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#sniff", "type": "boolean" }, "sniff_override_destination": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0.\n\nOverride the connection destination address with the sniffed domain.\n\nIf the domain name is invalid (like tor), this will not work.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#sniff_override_destination", "type": "boolean" }, "sniff_timeout": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).\n\nTimeout for sniffing.\n\n`300ms` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#sniff_timeout", "type": "string" }, "tag": { "description": "The tag of the endpoint.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/#tag", "type": "string" }, "tcp_fast_open": { "description": "Enable TCP Fast Open.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#tcp_fast_open", "type": "boolean" }, "tcp_keep_alive": { "description": "Since sing-box 1.13.0\n\nDefault value changed from `10m` to `5m`.\n\nTCP keep alive initial period.\n\n`5m` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#tcp_keep_alive", "type": "string" }, "tcp_keep_alive_interval": { "description": "TCP keep alive interval.\n\n`75s` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#tcp_keep_alive_interval", "type": "string" }, "tcp_multi_path": { "description": "Go 1.21 required.\n\nEnable TCP Multi Path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#tcp_multi_path", "type": "boolean" }, "type": { "const": "resolved" }, "udp_disable_domain_unmapping": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.11.0\n\nInbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).\n\nIf enabled, for UDP proxy requests addressed to a domain,\nthe original packet address will be sent in the response instead of the mapped domain.\n\nThis option is used for compatibility with clients that\ndo not support receiving UDP packets with domain addresses, such as Surge.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#udp_disable_domain_unmapping", "type": "boolean" }, "udp_fragment": { "description": "Enable UDP fragmentation.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#udp_fragment", "type": "boolean" }, "udp_timeout": { "description": "UDP NAT expiration time.\n\n`5m` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/listen/#udp_timeout", "oneOf": [ { "type": "integer" }, { "type": "string" } ] } }, "required": [ "type", "listen", "listen_port" ] }, "Service_ssm-api": { "allOf": [ { "properties": { "cache_path": { "description": "If set, when the server is about to stop, traffic and user state will be saved to the specified JSON file\nto be restored on the next startup.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/ssm-api/#cache_path", "type": "string" }, "servers": { "additionalProperties": { "type": "string" }, "description": "A mapping Object from HTTP endpoints to [Shadowsocks Inbound](/configuration/inbound/shadowsocks) tags.\n\nSelected Shadowsocks inbounds must be configured with [managed](/configuration/inbound/shadowsocks#managed) enabled.\n\nExample:\n\n```json\n{\n\"servers\": {\n\"/\": \"ss-in\"\n}\n}\n```\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/ssm-api/#servers", "type": "object" }, "tag": { "description": "The tag of the endpoint.\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/#tag", "type": "string" }, "tls": { "$ref": "#/$defs/InboundTLSOptions", "description": "TLS configuration, see [TLS](/configuration/shared/tls/#inbound).\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/ssm-api/#tls" }, "type": { "const": "ssm-api" } }, "required": [ "type", "servers" ] }, { "$ref": "#/$defs/ListenOptions" } ] }, "ShadowTLSHandshakeOptions": { "properties": { "bind_address_no_port": { "description": "Since sing-box 1.13.0\n\n\nOnly supported on Linux.\n\nDo not reserve a port when binding to a source address.\n\nThis allows reusing the same source port for multiple connections if the full 4-tuple (source IP, source port, destination IP, destination port) remains unique.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#bind_address_no_port", "type": "boolean" }, "bind_interface": { "description": "The network interface to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#bind_interface", "type": "string" }, "connect_timeout": { "description": "Connect timeout, in golang's Duration format.\n\nA duration string is a possibly signed sequence of\ndecimal numbers, each with optional fraction and a unit suffix,\nsuch as \"300ms\", \"-1.5h\" or \"2h45m\".\nValid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#connect_timeout", "type": "string" }, "detour": { "description": "The tag of the upstream outbound.\n\nIf enabled, all other fields will be ignored.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#detour", "type": "string" }, "disable_tcp_keep_alive": { "description": "Since sing-box 1.13.0\n\nDisable TCP keep alive.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#disable_tcp_keep_alive", "type": "boolean" }, "domain_resolver": { "$ref": "#/$defs/DomainResolveOptions", "deprecated": true, "description": "`outbound` DNS rule items are deprecated and will be removed in sing-box 1.14.0, so this item will be required for outbound/endpoints using domain name in server address since sing-box 1.14.0.\n\n\n\n`domain_resolver` or `route.default_domain_resolver` is optional when only one DNS server is configured.\n\nSet domain resolver to use for resolving domain names.\n\nThis option uses the same format as the [route DNS rule action](/configuration/dns/rule_action/#route) without the `action` field.\n\nSetting this option directly to a string is equivalent to setting `server` of this options.\n\n| Outbound/Endpoints | Effected domains |\n|--------------------|--------------------------|\n| `direct` | Domain in request |\n| others | Domain in server address |\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#domain_resolver" }, "domain_strategy": { "deprecated": true, "description": "Deprecated: Deprecated in sing-box 1.12.0\n\n`domain_strategy` is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-outbound-domain-strategy-option-to-domain-resolver).\n\nAvailable values: `prefer_ipv4`, `prefer_ipv6`, `ipv4_only`, `ipv6_only`.\n\nIf set, the requested domain name will be resolved to IP before connect.\n\n| Outbound | Effected domains | Fallback Value |\n|----------|--------------------------|-------------------------------------------|\n| `direct` | Domain in request | Take `inbound.domain_strategy` if not set |\n| others | Domain in server address | / |\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#domain_strategy", "enum": [ "", "prefer_ipv4", "prefer_ipv6", "ipv4_only", "ipv6_only" ], "type": "string" }, "fallback_delay": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nThe length of time to wait before spawning a RFC 6555 Fast Fallback connection.\n\nFor `domain_strategy`, is the amount of time to wait for connection to succeed before assuming\nthat IPv4/IPv6 is misconfigured and falling back to other type of addresses.\n\nFor `network_strategy`, is the amount of time to wait for connection to succeed before falling\nback to other interfaces.\n\nOnly take effect when `domain_strategy` or `network_strategy` is set.\n\n`300ms` is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#fallback_delay", "type": "string" }, "fallback_network_type": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nFallback network types when preferred networks are unavailable or timeout when using `fallback` network strategy.\n\nAll other networks expect preferred are used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#fallback_network_type", "oneOf": [ { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, { "items": { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, "type": "array" } ] }, "inet4_bind_address": { "description": "The IPv4 address to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#inet4_bind_address", "type": "string" }, "inet6_bind_address": { "description": "The IPv6 address to bind to.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#inet6_bind_address", "type": "string" }, "netns": { "description": "Since sing-box 1.12.0\n\n\nOnly supported on Linux.\n\nSet network namespace, name or path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#netns", "type": "string" }, "network_strategy": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nStrategy for selecting network interfaces.\n\nAvailable values:\n\n- `default` (default): Connect to default network or networks specified in `network_type` sequentially.\n- `hybrid`: Connect to all networks or networks specified in `network_type` concurrently.\n- `fallback`: Connect to default network or preferred networks specified in `network_type` concurrently, and try fallback networks when unavailable or timeout.\n\nFor fallback, when preferred interfaces fails or times out,\nit will enter a 15s fast fallback state (Connect to all preferred and fallback networks concurrently),\nand exit immediately if preferred networks recover.\n\nConflicts with `bind_interface`, `inet4_bind_address` and `inet6_bind_address`.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#network_strategy", "enum": [ "default", "hybrid", "fallback" ], "type": "string" }, "network_type": { "description": "Since sing-box 1.11.0\n\n\nOnly supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.\n\nNetwork types to use when using `default` or `hybrid` network strategy or\npreferred network types to use when using `fallback` network strategy.\n\nAvailable values: `wifi`, `cellular`, `ethernet`, `other`.\n\nDevice's default network is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#network_type", "oneOf": [ { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, { "items": { "enum": [ "wifi", "cellular", "ethernet", "other" ], "type": "string" }, "type": "array" } ] }, "protect_path": { "type": "string" }, "reuse_addr": { "description": "Reuse listener address.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#reuse_addr", "type": "boolean" }, "routing_mark": { "description": "Only supported on Linux.\n\nSet netfilter routing mark.\n\nIntegers (e.g. `1234`) and string hexadecimals (e.g. `\"0x1234\"`) are supported.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#routing_mark", "oneOf": [ { "type": "integer" }, { "type": "string" } ] }, "server": { "type": "string" }, "server_port": { "type": "integer" }, "tcp_fast_open": { "description": "Enable TCP Fast Open.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_fast_open", "type": "boolean" }, "tcp_keep_alive": { "description": "Since sing-box 1.13.0\n\nDefault value changed from `10m` to `5m`.\n\nTCP keep alive initial period.\n\n`5m` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_keep_alive", "type": "string" }, "tcp_keep_alive_interval": { "description": "Since sing-box 1.13.0\n\nTCP keep alive interval.\n\n`75s` will be used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_keep_alive_interval", "type": "string" }, "tcp_multi_path": { "description": "Go 1.21 required.\n\nEnable TCP Multi Path.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#tcp_multi_path", "type": "boolean" }, "udp_fragment": { "description": "Enable UDP fragmentation.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/dial/#udp_fragment", "type": "boolean" } }, "type": "object" }, "ShadowTLSUser": { "properties": { "name": { "type": "string" }, "password": { "type": "string" } }, "type": "object" }, "ShadowsocksDestination": { "properties": { "name": { "type": "string" }, "password": { "type": "string" }, "server": { "type": "string" }, "server_port": { "type": "integer" } }, "type": "object" }, "ShadowsocksUser": { "properties": { "name": { "type": "string" }, "password": { "type": "string" } }, "type": "object" }, "TUICUser": { "properties": { "name": { "type": "string" }, "password": { "type": "string" }, "uuid": { "type": "string" } }, "type": "object" }, "TrojanUser": { "properties": { "name": { "type": "string" }, "password": { "type": "string" } }, "type": "object" }, "TunPlatformOptions": { "properties": { "http_proxy": { "$ref": "#/$defs/HTTPProxyOptions" } }, "type": "object" }, "UDPOverTCPOptions": { "properties": { "enabled": { "description": "Enable the UDP over TCP protocol.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/udp-over-tcp/#enabled", "type": "boolean" }, "version": { "description": "The protocol version, `1` or `2`.\n\n2 is used by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/udp-over-tcp/#version", "type": "integer" } }, "type": "object" }, "V2RayAPIOptions": { "properties": { "listen": { "description": "gRPC API listening address. V2Ray API will be disabled if empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/v2ray-api/#listen", "type": "string" }, "stats": { "$ref": "#/$defs/V2RayStatsServiceOptions", "description": "Traffic statistics service settings.\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/v2ray-api/#stats" } }, "type": "object" }, "V2RayStatsServiceOptions": { "properties": { "enabled": { "type": "boolean" }, "inbounds": { "items": { "type": "string" }, "type": "array" }, "outbounds": { "items": { "type": "string" }, "type": "array" }, "users": { "items": { "type": "string" }, "type": "array" } }, "type": "object" }, "V2RayTransportOptions": { "oneOf": [ { "properties": { "idle_timeout": { "description": "In standard gRPC server/client:\n\nIf the transport doesn't see any activity after a duration of this time,\nit pings the client to check if the connection is still active.\n\nIn default gRPC server/client:\n\nIt has the same behavior as the corresponding setting in HTTP transport.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/v2ray-transport/#idle_timeout", "type": "string" }, "permit_without_stream": { "description": "In standard gRPC client:\n\nIf enabled, the client transport sends keepalive pings even with no active connections.\nIf disabled, when there are no active connections, `idle_timeout` and `ping_timeout` will be ignored and no keepalive\npings will be sent.\n\nDisabled by default.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/v2ray-transport/#permit_without_stream", "type": "boolean" }, "ping_timeout": { "description": "In standard gRPC server/client:\n\nThe timeout that after performing a keepalive check, the client will wait for activity.\nIf no activity is detected, the connection will be closed.\n\nIn default gRPC server/client:\n\nIt has the same behavior as the corresponding setting in HTTP transport.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/v2ray-transport/#ping_timeout", "type": "string" }, "service_name": { "description": "Service name of gRPC.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/v2ray-transport/#service_name", "type": "string" }, "type": { "const": "grpc", "type": "string" } }, "required": [ "type" ] }, { "properties": { "headers": { "additionalProperties": { "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "description": "Extra headers of HTTP request.\n\nThe server will write in response if not empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/v2ray-transport/#headers", "type": "object" }, "host": { "description": "Host domain.\n\nThe server will verify if not empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/v2ray-transport/#host", "type": "string" }, "path": { "description": "Path of HTTP request.\n\nThe server will verify.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/v2ray-transport/#path", "type": "string" }, "type": { "const": "httpupgrade", "type": "string" } }, "required": [ "type" ] }, { "properties": { "headers": { "additionalProperties": { "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "description": "Extra headers of HTTP request.\n\nThe server will write in response if not empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/v2ray-transport/#headers", "type": "object" }, "host": { "description": "Host domain.\n\nThe server will verify if not empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/v2ray-transport/#host", "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "idle_timeout": { "description": "In standard gRPC server/client:\n\nIf the transport doesn't see any activity after a duration of this time,\nit pings the client to check if the connection is still active.\n\nIn default gRPC server/client:\n\nIt has the same behavior as the corresponding setting in HTTP transport.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/v2ray-transport/#idle_timeout", "type": "string" }, "method": { "description": "Method of HTTP request.\n\nThe server will verify if not empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/v2ray-transport/#method", "type": "string" }, "path": { "description": "Path of HTTP request.\n\nThe server will verify.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/v2ray-transport/#path", "type": "string" }, "ping_timeout": { "description": "In standard gRPC server/client:\n\nThe timeout that after performing a keepalive check, the client will wait for activity.\nIf no activity is detected, the connection will be closed.\n\nIn default gRPC server/client:\n\nIt has the same behavior as the corresponding setting in HTTP transport.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/v2ray-transport/#ping_timeout", "type": "string" }, "type": { "const": "http", "type": "string" } }, "required": [ "type" ] }, { "properties": { "early_data_header_name": { "description": "Early data is sent in path instead of header by default.\n\nTo be compatible with Xray-core, set this to `Sec-WebSocket-Protocol`.\n\nIt needs to be consistent with the server.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/v2ray-transport/#early_data_header_name", "type": "string" }, "headers": { "additionalProperties": { "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "description": "Extra headers of HTTP request.\n\nThe server will write in response if not empty.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/v2ray-transport/#headers", "type": "object" }, "max_early_data": { "description": "Allowed payload size is in the request. Enabled if not zero.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/v2ray-transport/#max_early_data", "type": "integer" }, "path": { "description": "Path of HTTP request.\n\nThe server will verify.\n\nSee documentation: https://sing-box.sagernet.org/configuration/shared/v2ray-transport/#path", "type": "string" }, "type": { "const": "ws", "type": "string" } }, "required": [ "type" ] }, { "properties": { "type": { "const": "quic", "type": "string" } }, "required": [ "type" ] } ], "type": "object" }, "VLESSUser": { "properties": { "flow": { "type": "string" }, "name": { "type": "string" }, "uuid": { "type": "string" } }, "type": "object" }, "VMessUser": { "properties": { "alterId": { "type": "integer" }, "name": { "type": "string" }, "uuid": { "type": "string" } }, "type": "object" }, "WireGuardPeer": { "properties": { "address": { "type": "string" }, "allowed_ips": { "oneOf": [ { "type": "string" }, { "items": { "type": "string" }, "type": "array" } ] }, "persistent_keepalive_interval": { "type": "integer" }, "port": { "type": "integer" }, "pre_shared_key": { "type": "string" }, "public_key": { "type": "string" }, "reserved": { "items": { "type": "integer" }, "type": "array" } }, "type": "object" } }, "$schema": "https://json-schema.org/draft/2020-12/schema", "properties": { "$schema": { "type": "string" }, "certificate": { "$ref": "#/$defs/CertificateOptions", "description": "Certificate\n\nSee documentation: https://sing-box.sagernet.org/configuration/certificate/" }, "dns": { "$ref": "#/$defs/DNSOptions", "description": "DNS\n\nSee documentation: https://sing-box.sagernet.org/configuration/dns/" }, "endpoints": { "description": "Endpoint\n\nSee documentation: https://sing-box.sagernet.org/configuration/endpoint/", "items": { "$ref": "#/$defs/Endpoint" }, "type": "array" }, "experimental": { "$ref": "#/$defs/ExperimentalOptions", "description": "Experimental\n\nSee documentation: https://sing-box.sagernet.org/configuration/experimental/" }, "inbounds": { "description": "Inbound\n\nSee documentation: https://sing-box.sagernet.org/configuration/inbound/", "items": { "$ref": "#/$defs/Inbound" }, "type": "array" }, "log": { "$ref": "#/$defs/LogOptions", "description": "Log\n\nSee documentation: https://sing-box.sagernet.org/configuration/log/" }, "ntp": { "$ref": "#/$defs/NTPOptions", "description": "NTP\n\nSee documentation: https://sing-box.sagernet.org/configuration/ntp/" }, "outbounds": { "description": "Outbound\n\nSee documentation: https://sing-box.sagernet.org/configuration/outbound/", "items": { "$ref": "#/$defs/Outbound" }, "type": "array" }, "route": { "$ref": "#/$defs/RouteOptions", "description": "Route\n\nSee documentation: https://sing-box.sagernet.org/configuration/route/" }, "services": { "description": "Service\n\nSee documentation: https://sing-box.sagernet.org/configuration/service/", "items": { "$ref": "#/$defs/Service" }, "type": "array" } }, "title": "sing-box config schema", "type": "object" }