Script Installation#
VMESS/VLESS/TROJAN/SHADOWSOCKS
- Personal script; it is designed solely for tunneling or IPLC/IEPL relay and applies no obfuscation.
- Unless a custom certificate path is specified, the TLS certificate for Trojan is also a locally generated, invalid certificate.
- If you do not use a custom certificate path for Trojan, make sure to enable skip-cert-verify: true on the client, which turns off verification of the server certificate.
One-click Script#
bash <(curl -fsSL https://raw.githubusercontent.com/Slotheve/SingBox/main/singbox.sh)
Docker Installation#
Configuration Example
{
  "log": {
    "level": "trace",
    "output": "/data/sing-box.log",
    "timestamp": true
  },
  "inbounds": [
    {
      "type": "shadowsocks",
      "listen": "::",
      "listen_port": 25550,
      "method": "chacha20-ietf-poly1305",
      "password": "IloveNekopara"
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "block",
      "tag": "block"
    },
    {
      "type": "dns",
      "tag": "dns-out"
    }
  ],
  "route": {
    "geoip": {
      "path": "/data/geoip.db",
      "download_url": "https://github.com/SagerNet/sing-geoip/releases/latest/download/geoip.db",
      "download_detour": "direct"
    },
    "geosite": {
      "path": "/data/geosite.db",
      "download_url": "https://github.com/SagerNet/sing-geosite/releases/latest/download/geosite.db",
      "download_detour": "direct"
    },
    "rules": [
      {
        "protocol": "dns",
        "outbound": "dns-out"
      }
    ],
    "final": "direct",
    "auto_detect_interface": true
  }
}
1. File Directory#
You need to build the following directory structure on the server:
sing-box
├── data
│   ├── config.json
│   └── entry.sh
├── tls
└── docker-compose.yml
Among them, data/config.json is the configuration file for sing-box; all node configuration information is inside.
data/entry.sh is the container startup script.
The tls folder is used to store TLS certificates; sing-box can issue certificates automatically, or you can use your existing certificates. For automatic issuance an empty folder is enough, and the certificate files are generated in this directory after running; to use existing certificates, copy them into this folder.
2. Docker Compose#
The reference content for docker-compose.yml is as follows:
version: '3'
services:
  sing-box:
    image: ghcr.io/sagernet/sing-box
    container_name: sing-box
    restart: unless-stopped
    network_mode: "host"
    # ports:
    #   - 80:80
    #   - 443:443
    #   - 8090:8090
    #   - 10080-10099:10080-10099/udp
    volumes:
      - ./data:/data
      - ./tls:/tls
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    entrypoint: ["/bin/bash", "/data/entry.sh"]
Here, the network mode is network_mode: "host", which uses the host's network environment directly, and the host's firewall needs to be disabled with the following commands:
# CentOS:
systemctl disable firewalld
# Debian/Ubuntu:
sudo ufw disable
If there are issues with host mode, you can also switch to specified-ports mode (comment out network_mode, then uncomment the ports lines below it).
3. entry.sh#
The reference content is as follows:
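#!/bin/bash
set -e
configFilePath="/data/config.json"
# Must match log.output in config.json
logFilePath="/data/sing-box.log"
echo "entry"
sing-box version
# https://sing-box.sagernet.org/configuration/
echo -e "\nconfig:"
# Validate the config; if the check fails, print the file for debugging
sing-box check -c "$configFilePath" || cat "$configFilePath"
# Rewrite the config file in place in canonical format
sing-box format -c "$configFilePath" -w
# Note: this prints the whole config, passwords included, to the container log
cat "$configFilePath"
echo -e "\nstarting"
# sing-box run blocks in the foreground, so start following the log file first
touch "$logFilePath"
tail -f "$logFilePath" &
exec sing-box run -c "$configFilePath"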
It will output the sing-box version, check and format the configuration file, start sing-box, and track the logs.
4. config.json#
The most critical configuration file, the reference content is as follows:
{
  "log": {
    "level": "trace",
    "output": "/data/sing-box.log",
    "timestamp": true
  },
  "inbounds": [
    {
      "type": "hysteria",
      "tag": "hysteria-in",
      "listen": "0.0.0.0",
      "listen_port": 10080,
      "domain_strategy": "ipv4_only",
      "up_mbps": 50,
      "down_mbps": 50,
      "obfs": "nicetofuckyou",
      "users": [
        {
          "name": "<proxy_name>",
          "auth_str": "<proxy_pwd>"
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "<domain>",
        "acme": {
          "domain": "<domain>",
          "data_directory": "/tls",
          "default_server_name": "<domain>",
          "email": "<email>"
        }
      }
    },
    {
      "type": "naive",
      "tag": "naive-in",
      "listen": "0.0.0.0",
      "listen_port": 8090,
      "domain_strategy": "ipv4_only",
      "users": [
        {
          "username": "<proxy_name>",
          "password": "<proxy_pwd>"
        }
      ],
      "network": "tcp",
      "tls": {
        "enabled": true,
        "server_name": "<domain>",
        "acme": {
          "domain": "<domain>",
          "data_directory": "/tls",
          "default_server_name": "<domain>",
          "email": "<email>"
        }
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "block",
      "tag": "block"
    },
    {
      "type": "dns",
      "tag": "dns-out"
    }
  ],
  "route": {
    "geoip": {
      "path": "/data/geoip.db",
      "download_url": "https://github.com/SagerNet/sing-geoip/releases/latest/download/geoip.db",
      "download_detour": "direct"
    },
    "geosite": {
      "path": "/data/geosite.db",
      "download_url": "https://github.com/SagerNet/sing-geosite/releases/latest/download/geosite.db",
      "download_detour": "direct"
    },
    "rules": [
      {
        "protocol": "dns",
        "outbound": "dns-out"
      }
    ],
    "final": "direct",
    "auto_detect_interface": true
  }
}
There are several places that need to be replaced:
- <proxy_name>: replace with the proxy username, choose your own, e.g., Ray
- <proxy_pwd>: replace with the proxy password, choose your own, e.g., 1234@qwer
- <domain>: replace with the domain name
- <email>: replace with the email
- obfs: the hysteria obfuscation string, which can be customized
This configures two nodes: a UDP-based hysteria node on port 10080 and a TCP-based naive node on port 8090.
If you have security policies on your cloud, please ensure both ports are open.
As for the certificates, if there are no existing certificates in the tls directory, they will be automatically issued.
Other configurations can be found in the official documentation.
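The port openings this configuration needs can be derived from its inbounds, so that a host firewall or cloud security policy allows exactly those ports. This is an added example, not part of the original page: the function names are hypothetical, the type-to-transport table is an assumption based on how these sing-box inbounds listen when "network" is unset, and the output uses ufw and firewalld rule syntax.

```python
import json

# Transport each inbound type binds when its "network" field is unset.
# hysteria runs over QUIC (UDP only); naive and shadowsocks serve both.
DEFAULT_NETWORKS = {
    "hysteria": ["udp"],
    "vless": ["tcp"], "vmess": ["tcp"], "trojan": ["tcp"],
    "naive": ["tcp", "udp"], "shadowsocks": ["tcp", "udp"],
}

def listeners(config):
    """Return the sorted (port, protocol) pairs the inbounds will listen on."""
    pairs = set()
    for inbound in config.get("inbounds", []):
        port = inbound.get("listen_port")
        if port is None:
            continue
        if inbound.get("network"):
            networks = [inbound["network"]]
        else:
            # Unknown type (assumption): list both protocols, then narrow by hand.
            networks = DEFAULT_NETWORKS.get(inbound.get("type"), ["tcp", "udp"])
        pairs.update((port, net) for net in networks)
    return sorted(pairs)

def firewall_rules(config, tool="ufw"):
    """Render one allow rule per listener for ufw or firewalld."""
    template = {
        "ufw": "ufw allow {port}/{proto}",
        "firewalld": "firewall-cmd --permanent --add-port={port}/{proto}",
    }[tool]
    return [template.format(port=p, proto=n) for p, n in listeners(config)]

# Constructed sample: the two inbounds of the config.json above, trimmed.
SAMPLE = json.loads("""
{"inbounds": [
  {"type": "hysteria", "listen": "0.0.0.0", "listen_port": 10080},
  {"type": "naive", "listen": "0.0.0.0", "listen_port": 8090, "network": "tcp"}
]}
""")

if __name__ == "__main__":
    for tool in ("ufw", "firewalld"):
        print("\n".join(firewall_rules(SAMPLE, tool)))
```

The firewalld rules take effect after firewall-cmd --reload.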
5. Run#
In the same directory as docker-compose.yml, execute:
docker compose up -d
Wait for the container to start.
If everything is normal, it means the startup is successful, and you can use your client to connect. (It's that simple)
Other reference commands:
# View currently running containers
docker ps
# View container startup logs
docker logs sing-box
# Track container running logs (use Ctrl C to exit tracking)
docker logs -f sing-box
# Enter the container
docker exec -it sing-box bash
Fully Manual Installation#
wget https://github.com/SagerNet/sing-box/releases/download/v1.7.2/sing-box-1.7.2-linux-amd64.tar.gz
tar -zxvf sing-box-1.7.2-linux-amd64.tar.gz
Reality#
root@xiaolv:~/singbox# ./sing-box generate reality-keypair
PrivateKey: GPqJLU6HiFGE4EnuRoj7PUR3Eb2yr0vVycZVwaoQXng
PublicKey: cE6e-BbY2zu-8TMEb6sWSh8PTemcd-hqVfaUFtAoAzI
{
  "inbounds": [
    {
      "type": "vless",
      "tag": "vless-in",
      "listen": "::",
      "listen_port": 25001,
      "sniff": true,
      "sniff_override_destination": true,
      "users": [
        {
          "uuid": "3e8e5eae-6720-4668-8187-052840b385a7",
          "flow": "xtls-rprx-vision"
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "oceanhero.today",
        "reality": {
          "enabled": true,
          "handshake": {
            "server": "oceanhero.today",
            "server_port": 443
          },
          "private_key": "GPqJLU6HiFGE4EnuRoj7PUR3Eb2yr0vVycZVwaoQXng",
          "short_id": [
            "8535dfc6b2e73c78"
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct"
    }
  ]
}
Config
{
  "inbounds": [
    {
      "type": "shadowsocks",
      "listen": "::",
      "listen_port": 25565,
      "method": "2022-blake3-aes-128-gcm",
      "password": "LZ/4gLsyAbJQCWdT6iu1aQ==", // Execute sing-box generate rand 16 --base64 to generate
      "multiplex": {
        "enabled": true
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct"
    }
  ]
}
{
  "inbounds": [
    {
      "type": "shadowsocks",
      "listen": "::",
      "listen_port": 25565,
      "method": "chacha20-ietf-poly1305",
      "password": "LZ/4gLsyAbJQCWdT6iu1aQ==", // Execute sing-box generate rand 16 --base64 to generate
      "multiplex": {
        "enabled": true
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct"
    }
  ]
}
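A check for the credentials used in the configs on this page, as an added example that is not part of the original page: it flags placeholders left unreplaced, secrets copied verbatim from this page, and Shadowsocks passwords that are not generated keys of the required size (sing-box generate rand 16 --base64). The function names and the 16-byte minimum applied to non-2022 methods are this example's assumptions; the sample config is constructed.

```python
import base64, binascii, json, re

# Key length in bytes required by each Shadowsocks 2022 method.
SS2022_KEY_BYTES = {"2022-blake3-aes-128-gcm": 16, "2022-blake3-aes-256-gcm": 32,
                    "2022-blake3-chacha20-poly1305": 32}
# Sample secrets printed on this page: they are public, so never deploy them.
PUBLISHED = {"IloveNekopara", "1234@qwer", "LZ/4gLsyAbJQCWdT6iu1aQ==",
             "GPqJLU6HiFGE4EnuRoj7PUR3Eb2yr0vVycZVwaoQXng",
             "3e8e5eae-6720-4668-8187-052840b385a7"}

def strings(node, path=""):
    """Yield (json_pointer, value) for every string in the config tree."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, (dict, list)):
        items = node.items() if isinstance(node, dict) else enumerate(node)
        for key, value in items:
            yield from strings(value, f"{path}/{key}")

def key_bytes(text):
    """Length of the base64-decoded key, or None if text is not valid base64."""
    try:
        return len(base64.b64decode(text, validate=True))
    except (binascii.Error, ValueError):
        return None

def audit(config):
    findings = []
    for path, value in strings(config):
        if re.fullmatch(r"<\w+>", value):
            findings.append((path, "placeholder not replaced"))
        elif value in PUBLISHED:
            findings.append((path, "sample secret from a public page"))
    for i, inbound in enumerate(config.get("inbounds", [])):
        if inbound.get("type") != "shadowsocks":
            continue
        want = SS2022_KEY_BYTES.get(inbound.get("method"))
        size = key_bytes(inbound.get("password", ""))
        # 2022 methods need an exact key size; other methods should still get >= 16 random bytes.
        if size is None or (size != want if want else size < 16):
            findings.append((f"/inbounds/{i}/password", "not a generated key of the required size"))
    return findings

# Constructed sample config exercising each check.
SAMPLE = json.loads("""{"inbounds": [
  {"type": "shadowsocks", "method": "chacha20-ietf-poly1305", "password": "IloveNekopara"},
  {"type": "shadowsocks", "method": "2022-blake3-aes-256-gcm", "password": "AAAAAAAAAAAAAAAAAAAAAA=="},
  {"type": "naive", "users": [{"username": "<proxy_name>", "password": "<proxy_pwd>"}]}]}""")

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

json.loads rejects the // comments used in the configs above, so strip them before loading a real file.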
System Service#
vim /etc/systemd/system/singbox.service
[Unit]
Description=singbox
After=network.target
[Service]
ExecStart=/root/singbox/sing-box run -C /root/singbox
Restart=always
User=root
[Install]
WantedBy=multi-user.target
Traffic Rule Example#
{
  "inbounds": [
    {
      "type": "shadowsocks",
      "listen": "::",
      "listen_port": 2023,
      "method": "chacha20-ietf-poly1305",
      "password": "LZ/4gLsyAbJQCWdT6iu1aQ==",
      "multiplex": {
        "enabled": true
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "socks",
      "tag": "hosthijack",
      "server": "74.48.100.149",
      "server_port": 10800,
      "version": "5",
      "username": "neko",
      "password": "Vzkjs&Cm4@#TT5"
    },
    {
      "type": "block",
      "tag": "block"
    },
    {
      "type": "dns",
      "tag": "dns-out"
    }
  ],
  "route": {
    "geoip": {
      "download_url": "https://github.com/soffchen/sing-geoip/releases/latest/download/geoip.db",
      "download_detour": "direct"
    },
    "geosite": {
      "download_url": "https://github.com/soffchen/sing-geosite/releases/latest/download/geosite.db",
      "download_detour": "direct"
    },
    "rules": [
      {
        "protocol": "dns",
        "outbound": "dns-out"
      },
      {
        "protocol": [
          "quic"
        ],
        "outbound": "block"
      },
      {
        "domain": [
          "ip.sb",
          "ai.com",
          "claude.ai",
          "cdn.openai.com",
          "chat.openai.com",
          "pay.openai.com",
          "challenges.cloudflare.com",
          "auth0.openai.com",
          "platform.openai.com",
          "invoice.stripe.com",
          "stripe.com"
        ],
        "geosite": [
          "openai"
        ],
        "outbound": "hosthijack"
      }
    ],
    "auto_detect_interface": true
  }
}