transports.mdx 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199
  1. ---
  2. title: Transports & Security
  3. description: Every transport 3x-ui exposes — TCP, mKCP, WebSocket, gRPC, HTTPUpgrade, XHTTP, Hysteria — with their settings, plus FinalMask obfuscation, sockopt, TLS/REALITY, XTLS-Vision, and VLESS encryption.
  4. icon: Network
  5. ---
  6. A **transport** decides how packets are carried between client and server, a
  7. **security** layer decides how they're encrypted and disguised, and **FinalMask**
  8. can obfuscate what's left. The panel only offers valid combinations; this page
  9. lists every transport's settings and the rules the panel enforces.
  10. ## Transports
  11. Pick the transport (the inbound's `network`) in the inbound/outbound form. Each
  12. network writes its own settings key on the wire (`tcpSettings`, `kcpSettings`, …).
  13. | Transport | Settings key | When to use it |
  14. | --------------- | --------------------- | ---------------------------------------------------------------------- |
  15. | **TCP (Raw)** | `tcpSettings` | Lowest overhead. The basis for REALITY + XTLS-Vision and fallbacks; optional HTTP/1.1 header camouflage. |
  16. | **mKCP** | `kcpSettings` | Reliable protocol over **UDP** — trades bandwidth for lower latency on lossy links. Carries no TLS/REALITY. |
  17. | **WebSocket** | `wsSettings` | Works through CDNs and HTTP reverse proxies; very compatible. |
  18. | **gRPC** | `grpcSettings` | HTTP/2-based; multiplexes well and proxies cleanly through Nginx. |
  19. | **HTTPUpgrade** | `httpupgradeSettings` | CDN-friendly HTTP/1.1 `Upgrade`; lighter than full WebSocket. |
  20. | **XHTTP** | `xhttpSettings` | Modern stream-multiplexed HTTP transport; CDN-friendly and REALITY-capable. |
  21. | **Hysteria** | `hysteriaSettings` | QUIC-based transport — only for the **Hysteria2** protocol. |
  22. <Callout type="info">
  23. **WireGuard** and **Tunnel** (dokodemo-door) inbounds expose no transport
  24. selector — their stream carries only security/sockopt. Earlier panels also
  25. exposed a raw **HTTP/2 (`http`)** transport; it has been superseded by **XHTTP**
  26. and is no longer selectable.
  27. </Callout>
  28. ### TCP (Raw) — `tcpSettings`
  29. | Field | Default | Meaning |
  30. | ------------------------------ | ------- | ----------------------------------------------------------------------- |
  31. | `acceptProxyProtocol` | `false` | Accept the PROXY protocol from an upstream proxy so the real client IP is preserved. |
  32. | `header.type` | `none` | `none`, or `http` for HTTP/1.1 camouflage. |
  33. | `header.request` / `response` | — | When `type: http`: method, path, version and a header map that mimic a normal HTTP exchange. |
  34. ### mKCP — `kcpSettings`
  35. | Field | Default | Meaning |
  36. | ------------------ | ----------- | ---------------------------------------------------------------- |
  37. | `mtu` | `1350` | Maximum transmission unit, in bytes (576–1460). |
  38. | `tti` | `20` | Transmission time interval, in ms (10–100). Lower = more responsive, more overhead. |
  39. | `uplinkCapacity` | `5` | Upload bandwidth budget, in **MB/s**. |
  40. | `downlinkCapacity` | `20` | Download bandwidth budget, in **MB/s**. |
  41. | `cwndMultiplier` | `1` | Congestion-window multiplier; raise to push harder on good links. |
  42. | `maxSendingWindow` | `2097152` | Upper bound on in-flight packets. |
  43. <Callout type="info">
  44. mKCP can't carry TLS or REALITY. To disguise it, add a **FinalMask** UDP mask —
  45. the `mkcp-legacy` mask reproduces the classic header obfuscation that older Xray
  46. stored in `kcpSettings.header`/`seed` (those fields no longer exist here).
  47. </Callout>
  48. ### WebSocket — `wsSettings`
  49. | Field | Default | Meaning |
  50. | --------------------- | ------- | ---------------------------------------------------------------- |
  51. | `path` | `/` | Request path — route on it when several services share one host. |
  52. | `host` | _(none)_| `Host` header override (useful behind a CDN). |
  53. | `headers` | `{}` | Extra request headers. |
  54. | `heartbeatPeriod` | `0` | Seconds between keepalive pings; `0` disables them. |
  55. | `acceptProxyProtocol` | `false` | Accept the PROXY protocol from an upstream. |
  56. ### gRPC — `grpcSettings`
  57. | Field | Default | Meaning |
  58. | ------------- | ------- | --------------------------------------------------------- |
  59. | `serviceName` | _(none)_| gRPC service path; acts like a secret route. |
  60. | `authority` | _(none)_| `:authority` pseudo-header override. |
  61. | `multiMode` | `false` | Multiplex several streams over one connection. |
  62. ### HTTPUpgrade — `httpupgradeSettings`
  63. | Field | Default | Meaning |
  64. | --------------------- | ------- | --------------------------------------------- |
  65. | `path` | `/` | Request path. |
  66. | `host` | _(none)_| `Host` header override. |
  67. | `headers` | `{}` | Extra request headers. |
  68. | `acceptProxyProtocol` | `false` | Accept the PROXY protocol from an upstream. |
  69. HTTPUpgrade is a one-shot HTTP/1.1 `Upgrade` with no WebSocket framing — there's
  70. no heartbeat field.
  71. ### XHTTP — `xhttpSettings`
  72. XHTTP (SplitHTTP) has a large field set; the panel fills sensible defaults. The
  73. ones you'll usually touch:
  74. | Field | Default | Meaning |
  75. | ---------------------- | ----------- | ---------------------------------------------------------------------- |
  76. | `path` | `/` | Request path. |
  77. | `host` | _(none)_ | `Host` header override. |
  78. | `mode` | `auto` | `auto`, `packet-up`, `stream-up`, or `stream-one`. `packet-up` is the most CDN-compatible; `stream-*` are lower latency. |
  79. | `xPaddingBytes` | `100-1000` | Random padding range that blurs packet sizes. |
  80. | `scMaxBufferedPosts` | `30` | Server-side buffer for uploaded POSTs. |
  81. | `scStreamUpServerSecs` | `20-80` | Stream-up server window (dash range). |
  82. | `xmux` (`enableXmux`) | _(off)_ | Connection multiplexing — `maxConcurrency` `16-32`, `maxConnections` `6`, … Turn on for high concurrency. |
  83. Session-ID fields (`sessionIDPlacement`, `sessionIDKey`, `sessionIDTable`,
  84. `sessionIDLength`) and the `scMin/MaxEachPostBytes` knobs are advanced; leave them
  85. empty unless you're matching a specific upstream.
  86. ### Hysteria — `hysteriaSettings`
  87. Only valid when the protocol is **Hysteria2**.
  88. | Field | Default | Meaning |
  89. | ---------------- | ------- | ----------------------------------------------------------------------- |
  90. | `version` | `2` | Hysteria protocol version. |
  91. | `auth` | _(none)_| Shared authentication string. |
  92. | `udpIdleTimeout` | `60` | Seconds (2–600) before idle UDP sessions are dropped. |
  93. | `masquerade` | — | Disguise as an HTTP/3 server: `type` `proxy`/`file`/`string` with `url`/`dir`/`content`, plus `headers` and `statusCode`. |
  94. ## FinalMask — late-layer obfuscation
  95. **FinalMask** wraps traffic **after** the transport and security layers, so it can
  96. disguise transports that don't carry TLS (like mKCP) or add a second skin on top of
  97. TLS. Masks are configured per direction:
  98. - **TCP masks** — `fragment`, `sudoku`, `header-custom`.
  99. - **UDP masks** — `salamander`, `mkcp-legacy`, `header-custom`, `xdns`, `xicmp`,
  100. `noise`, `sudoku`, `realm`. (`mkcp-legacy` reproduces the old mKCP header
  101. obfuscation.)
  102. - **QUIC params** — congestion control (`reno`, `bbr`, `brutal`, `force-brutal`),
  103. Brutal up/down rates, `udpHop` (rotate the QUIC port across a range to dodge
  104. port blocking), and receive-window tuning.
  105. FinalMask replaces the per-transport `header`/`seed` obfuscation that older Xray
  106. builds exposed.
  107. ## sockopt — low-level socket options
  108. `sockopt` rides alongside any transport and tunes the underlying socket. The most
  109. useful fields:
  110. | Field | Default | Meaning |
  111. | --------------------- | ------- | ---------------------------------------------------------------- |
  112. | `tcpFastOpen` | `false` | Enable TCP Fast Open. |
  113. | `tcpcongestion` | `bbr` | Congestion control: `bbr`, `cubic`, or `reno`. |
  114. | `tproxy` | `off` | Transparent proxy mode: `off`, `redirect`, or `tproxy`. |
  115. | `domainStrategy` | `AsIs` | How addresses resolve (`UseIP`, `ForceIPv4`, …). |
  116. | `dialerProxy` | _(none)_| Chain this outbound's dialing through another outbound tag. |
  117. | `interface` | _(none)_| Bind to a specific network interface. |
  118. | `mark` | `0` | SO_MARK for policy routing (`0` = unset). |
  119. Numeric fields left at `0` are omitted on the wire so Xray keeps OS defaults.
  120. Advanced entries (`happyEyeballs`, `customSockopt[]`, keepalive timers) are
  121. available for special cases.
  122. ## Security
  123. The security layer is one of **`none`**, **`tls`**, or **`reality`**, with these
  124. eligibility rules:
  125. | Security | Eligible transports | Eligible protocols |
  126. | ----------- | -------------------------------------------- | --------------------------------------------------- |
  127. | **TLS** | `tcp`, `ws`, `grpc`, `httpupgrade`, `xhttp` | VLESS, VMess, Trojan, Shadowsocks (Hysteria2 is always TLS) |
  128. | **REALITY** | `tcp`, `grpc`, `xhttp` | VLESS, Trojan |
  129. mKCP and Hysteria don't take a separate TLS/REALITY layer — mKCP runs plaintext
  130. (obfuscate with FinalMask), and Hysteria is QUIC/TLS by design. REALITY disguises
  131. your server as a real TLS site and needs no certificate — see
  132. [REALITY](/docs/config/reality).
  133. ## XTLS-Vision flow
  134. The `xtls-rprx-vision` flow is fast and DPI-resistant. It's available for
  135. **VLESS** when either:
  136. - the transport is raw **TCP** with **TLS** or **REALITY** security (classic
  137. XTLS-Vision), or
  138. - the transport is **XHTTP** with VLESS encryption enabled (see below).
  139. Set the flow on the VLESS **client**, not the inbound. With classic Vision on
  140. TCP, the panel can also offer a **Vision seed** once a client uses the flow.
  141. ## VLESS encryption (ML-KEM)
  142. VLESS supports post-quantum **encryption** (ML-KEM / `mlkem768x25519`), stored in
  143. the inbound's `decryption` (server) and clients' `encryption` (for link
  144. generation). When enabled, it unlocks the Vision flow over XHTTP. Generate the
  145. keys from the panel's VLESS settings.
  146. ## Shadowsocks ciphers
  147. Shadowsocks inbounds support both classic ciphers and **Shadowsocks-2022**
  148. (method names starting with `2022-blake3-`). Most ciphers are multi-user;
  149. `2022-blake3-chacha20-poly1305` is single-user.
  150. <Callout type="info">
  151. Transports and security must match on both ends. The client's share link
  152. encodes them (`type=ws`, `security=reality`, `flow=xtls-rprx-vision`, …) —
  153. decode any link with the [share-link inspector](/docs/config/share-links).
  154. </Callout>