Proxy Protocol

General

• "Custom outbound settings" will be merged into the corresponding outbound. However, the labels will be automatically generated.
• "Custom settings" will be merged with the final configuration.

VMess

• User ID: UUID. If you write a non-uuid string, it will be generated as UUID v5 by this specification.

• Global padding: This option is force-enabled in V2Ray for all encryption methods except aes-128-ctr. For compatibility, Husi also forces this option on.

• Authenticated length: This option was added to V2Ray a long time ago to address some VMess' flaws, but it has never been enabled by default. It may cause compatibility problems.

VLESS

• Due to lack of specification and breaking change frequently, the VLESS supported by sing-box is not latest. So-called XMUX, reverse proxy are not supported.

• The reason why Husi forked sing-box to implement encryption is to add missing "asymmetric encryption protocol" (SSH is, but it is not suitable for bypass GFW.) .

• User ID: UUID. If you write a non-uuid string, it will be generated as UUID v5 by this specification.

• The support of REALITY is limited. And we will not put many time to catch up with Xray-core's updates. So it is not recommaned to use VLESS or REALITY in this software.

Hysteria 1/2

• Support origin or sing-box style port hopping syntax. When sharing, it will use origin style.

  Ports entry example:

  443,444-445,446:447,999
  

• The speed of brutal should be set in the settings -> protocol settings.

• The official Hysteria 1 server default set ALPN as hysteria. If you set a different value, you may fail to connect.

TUIC

In fact, UDP over Stream is used as a UDP relay mode and can't be set with UDP relay mode. Also, it requires sing-box server as a "hard fork protocol".

Juicity

• The protocol specification declares that the implementation MUST support BBR. But the configuration provides congestion control option and the documentation said that this field can write cubic, bbr or new_reno. However, dramically in fact, it just implements BBR and other congestion controls are linked to BBR.

• Juicity #140 points out that Juicity has invalid DNS behavior. So when using FakeDNS, the core implemented Juicity will be forced enabled.

WireGuard

• Reserved field originally is a WireGuard reserved field ( see protocol specification ), consisting of 3 uint8 (byte) and all should be 0. However, due to the fact that Cloudflare WARP use this field as an authentication method in some way and disable the request from some country / area without editing this field, the usage of this filed was found and abused widely.

  Support write this filed as a list ( one line one value or split by comma ) or base64 encode the raw bytes.

AnyTLS

• The original server implementation only to use self-signed certificate, so if you are using it, you have to enable "Allow insecure", or you can use tools-get cert to pin the cert ( It is noticeable that if you restart your server, the cert will be generated again. ). Reference: AnyTLS documentation

• Some network hit showcase the usage that combines AnyTLS and REALITY. Yes, sing-box can do this. But this may be the accident production of implementing the protocol with sing-box. The developers of mihomo declare that unless the author of AnyTLS creates Pull Request themselves, the will not allow this usage. Husi also decide not not do it.

HTTP

Support UDP over TCP, but require the server using sing-box.

The original sing-box client does not support UDP over TCP, while the server support it for no reason. So husi support it.

NaïveProxy

Not support custom certificate. Refer: Options against spirit of naiveproxy. But considersing some debug situation or others, we still support custom SNI.

Because the sing-box server support UDP over TCP, we support it, too.

Principle:

graph TD
    A[user] -- "UDP packet" --> B[sing-box client];
    B -- "Socks5<br/>(with UoT magic address sp.v2.udp-over-tcp.arpa)" --> C[naiveproxy client];
    C -- "forward connection as is<br/>" --> D[sing-box server];

Loading

Shadow QUIC

Yet another QUIC based protocol based on JLS, implemented in rust.

Thanks to the rust implementation and some meticulous MTU settings, with Android VPN protection, although through socks forwarding, it still as fast as other QUIC based protocol provided by sing-box directly.

Common

Multiplex and TCP-Brutal

• Sing-mux is a private protocol invented by sing-box, using magic address sp.mux.sing-box.arpa:444. It is a different protocol with *ray's mux.cool, so they are incompatible.
• In normal situation, the preference: h2mux > smux > yamux.
• Sing-mux packs the data of each stream, with which can implement UDP over TCP or make the protocol that not supports UDP Fullcone due to the design flaw support fullcone.
• TCP-Brutal is a brute-force packet sending congestion control came from Hysteria. Because it's manual-set speed only work independently for each connection, so it requires multiplex to ensure their is only one connection exist. So in sing-box TCP-Brutal is forced couple with sing-mux and cann't be used with other protocols/transports that are able to multiplex.

UDP Over TCP

• UDP Over TCP is a private protocol invented in the area of SagerNet. It bumped to version 2 in the area of sing-box. The magic address of version 2 is sp.v2udp-over-tcp.arpa.
• Because sing-mux packs the requests again so it implement UDP over TCP, so it is meaningless to enable sing-mux and UDP Over TCP at the same time.

V2Ray transport

These so-called "transports" are a set of private protocols invented by *ray, are not parts of original protocols and have invalid semantics. They lack of standard but are used widely, making long-term language corruption. So in sing-box, only *ray-related protocols support them.

Unsupported transports:

• mKCP: Brute-force packet sending but low-performance, and its co-called "encryption" can be detected precisely.
• Meek: As a transport transplanted from Tor, it uses massive HTTP request to community. But it is very slow. It is designed to abuse CDN and to use in the extreme environments. ("The speed of this protocol is limited, not for using up the 10G bandwidth, but pray for the invaluable family latter to be sent successfully. ")
• XHTTP: Called "SplitHTTP" before. The master of abusing CDN. It's various mechanism are all for abusing CDN. It creatively use HTTP/3 to pass the CDN and has advanced design that split upload and download connections.
• mekya:: Combined with meek's HTTP ideas and mKCP's brute-force packet sending. ("Pray that the light to be reflected into the windy and snow.")

Below is supported transports:

HTTP

• If not enabled TLS, uses HTTP/1.1 and is similar to *ray's so-called "tcp" transports "http obfuscation". If enabled TLS, uses HTTP/2. This feature may cause incompatible.

WebSocket

• In most of the time it is used to abuse CDN.

• The early data is compatible with Xray-invented format that append ?ed=2048. In this format, the effect is equal to set max_early_data to 2048 and set early_data_header_name to Sec-WebSocket-Protocol.
• If set max_early_data but without early_data_header_name, the early data will be appended after the path.

QUIC

• Not support *ray's "encryption".
• In *ray, it's default ALPN is h2,http/1.1, but in sing-box, it is h3 due to a mistake Pull Request. So the interconnection between sing-box and *ray may fail due to this reason.
• Poor performance. It is recommended to use other QUIC-based protocol.

gRPC

• The original propose of this transport is to explore another way to abuse CDN instead of WebSocket. Originated from gun.
• The build of husi didn't include full gRPC, but to use grpclite, which is only a gRPC emulator, aiming at abusing CDN. This is not real and full gRPC implementation, so it's compatibility may be poor.
• Not compatible with Xray's multiMode authority or strange usages like using emoji as service.

HTTPUpgrade

• Only "perform" WebSocket Upgrade handshake to cheat the CDN, then the rest requests will be forward directly without HTTP/WebSocket packing, which ensure it's performance is better than WebSocket. It is applied to abuse CDN with higher performance.
• Not support early data.

TLS

Implementations of Certificate Hash Pinning

Type	Supporters	Features
Pin cert sha256	*ay, Juicity	A method for calculating the hash of a certificate chain that was "re-invented" by V2Ray. It concatenates the entire certificate chain together before calculating the sha256's base64 value. It is less flexible and generally used for the long-term use of a single, self-signed certificate without replacement.
Fingerprint	Mihomo	The sha256 hex value is used to match any certificate in the certificate chain. It is so flexible that it can be used to pin a Certificate Authority (CA) or a leaf certificate.
pinSHA256	Hysteria2	The lax behavior of fingerprint is considered unsafe, so Hysteria2 only match sha256 with end-entity certificate.
Certificate public key sha256	sing-box	Verifies only the certificate's public key and not other information, allowing the pin to remain valid even after the certificate is renewed.

uTLS

• Each option maps to the newest version of fingerprint.
• In fact, random pick a fingerprint between Chrome, FIrefox, Edge, Safari or IOS.
• randomized generates a unique fingerprint.
• random and randomized are picked and generated when core starting. So switching / reloading configuration not update them.

ECH

• If you not set ECH config, software will try to get ECH config from DNS record HTTPS.
• When using with uTLS, just fingerprint chrome and firefox can work.
• In fact, so-called android fingerprint is android_11_okhttp.
• QUIC proxy provided by sing-box also support it.