Warning
This translation was modified on 22 September 2024 and an updated version (6 December 2024) is available on the source page. View the original page
Inbound Proxy
Inbound connections are used to receive incoming data and the available protocols are listed in inbound protocols.
InboundObject
The InboundObject
corresponds to a subelement of the inbounds
item in the configuration file.
{
"inbounds": [
{
"listen": "127.0.0.1",
"port": 1080,
"protocol": "protocol_name",
"settings": {},
"streamSettings": {},
"tag": "identifier",
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
},
"allocate": {
"strategy": "always",
"refresh": 5,
"concurrency": 3
}
}
]
}
listen
: address
The listening address, either an IP address or a Unix domain socket. The default value is "0.0.0.0"
, which means accepting connections on all network interfaces.
An available system IP address can be specified.
Unix domain socket can also be specified by providing the absolute path in the form of "/dev/shm/domain.socket"
. The @
symbol can be added at the beginning to represent abstract, and @@
represents padded abstract.
When Unix domain socket is specified, port
and allocate
will be ignored. The protocol currently supports VLESS, VMess, and Trojan. The transport methods available are TCP, WebSocket, HTTP/2, and gRPC.
When specifying a Unix domain socket, you can add a comma and an access permission indicator after the socket, such as "/dev/shm/domain.socket,0666"
, to specify the access permission of the socket. This can be used to solve the socket access permission issue that occurs by default.
port
: number | "env:variable" | string
Port. The accepted formats are:
- Integer: the actual port number.
- Environment variable: starts with
"env:"
, followed by the name of an environment variable, such as"env:PORT"
. Xray will parse this environment variable as a string. - String: can be a numeric string, such as
"1234"
, or a range of port numbers, such as"5-10"
which represents ports 5 through 10, a total of 6 ports. You can use commas to separate multiple ranges, such as11,13,15-17
, which represents ports 11, 13, and 15 through 17, a total of 5 ports.
When only one port is specified, Xray listens for inbound connections on that port. When a range of ports is specified, it depends on the allocate
setting.
protocol
: "dokodemo-door" | "http" | "shadowsocks" | "socks" | "vless" | "vmess" | "trojan" | "wireguard"
The connection protocol name. The optional protocol types are listed in inbound protocols.
settings
: InboundConfigurationObject
The specific configuration content depends on the protocol. See InboundConfigurationObject
in each protocol for details.
streamSettings
: StreamSettingsObject
The underlying transport method is how the current Xray node interfaces with other nodes.
tag
: stringThe identifier of this inbound connection, used to locate this connection in other configurations.
Danger
When it is not empty, its value must be unique among all tag
s.
sniffing
: SniffingObject
Traffic sniffing is mainly used in transparent proxies, for example:
- If a device wants to access
abc.com
while connected to the internet, it will first query the IP address ofabc.com
via DNS and get1.2.3.4
. Then the device will initiate a connection to1.2.3.4
. - If sniffing is not set up, Xray will receive a connection request for
1.2.3.4
, which cannot be used for routing based on domain rules. - When
enable
insniffing
is set totrue
, Xray will sniff the domain name,abc.com
, from the traffic data when processing the traffic of this connection. - Xray will reset
1.2.3.4
toabc.com
. Routing can then be based on domain rules.
Since the connection is now to abc.com
, more can be done, such as routing based on domain rules, and even re-resolving the DNS.
When enable
in sniffing
is set to true
, it can also sniff out bittorrent traffic and then configure the "protocol" item in routing rules to handle bittorrent traffic, such as intercepting bittorrent traffic on the server or forwarding bittorrent traffic to a VPS on the client side.
allocate
: AllocateObject
Specifies the specific settings for port allocation when multiple ports are set up.
SniffingObject
{
"enabled": true,
"destOverride": ["http", "tls", "quic", "fakedns", "fakedns+others"],
"metadataOnly": false,
"domainsExcluded": [],
"routeOnly": false
}
enabled
: true | false
Whether to enable traffic sniffing.
destOverride
: ["http" | "tls" | "quic" | "fakedns" | "fakedns+others" ]
When the traffic is of a specified type, reset the destination of the current connection to the target address included in the list.
["fakedns+others"]
is equivalent to ["http", "tls", "quic", "fakedns"]
, and when the IP address is in the FakeIP range but no domain records are hit, http
, tls
, and quic
will be used for matching. This option is only effective when metadataOnly
is set to false
.
metadataOnly
: true | false
When enabled, only use the connection's metadata to sniff the target address. In this case, sniffer other than fakedns
(including fakedns+others
) cannot be activated.
If metadata-only is disabled, the client must send data before the proxy server actually establishes the connection. This behavior is incompatible with protocols that require the server to initiate the first message, such as the SMTP protocol.
domainsExcluded
: [string] WIP
A list of domain names. If the traffic sniffing result matches a domain name in this list, the target address will not be reset.
Warning
Currently, domainsExcluded
does not support domain name matching in the routing sense. This option may change in the future and cross-version compatibility is not guaranteed.
routeOnly
: true | false
Use the sniffed domain name for routing only, and keep the target address as the IP address. The default value is false
.
This option requires destOverride
to be enabled.
Tip
When it is possible to ensure that the proxied connection can obtain correct DNS resolution, by using routeOnly
and enabling destOverride
, and setting the routing matching strategy domainStrategy
to AsIs
, it is possible to achieve domain and IP separation without DNS resolution throughout the process. The IP used when encountering an IP rule match is the original IP of the domain.
AllocateObject
{
"strategy": "always",
"refresh": 5,
"concurrency": 3
}
strategy
: "always" | "random"
The port allocation strategy.
"always"
means all specified ports inport
will be allocated, and Xray will listen on these ports."random"
means ports will be randomly selected from theport
range everyrefresh
minutes, andconcurrency
ports will be listened on.
refresh
: number
The interval for refreshing randomly allocated ports in minutes. The minimum value is 2
, and it is recommended to set to 5
. This property is only effective when strategy
is set to "random"
.
concurrency
: number
The number of randomly allocated ports. The minimum value is 1
, and the maximum value is one-third of the port
range. It is recommended to set to 3
.