Security Settings
NOTE:
socketSettings, maskSettings and finalRules are optional. You can choose not to add them to the configuration.
Mask Settings
maskSettings is optional and applies transport-level obfuscation. All three fields tcp, udp, quicParams are optional and can be used independently or together.
TCP mask types: header-custom, fragment, sudoku
UDP mask types: mkcp-legacy, noise, salamander, sudoku, xdns, xicmp, realm
```json
{
  "maskSettings": {
    "tcp": [
      {
        "type": "fragment",
        "settings": {
          "packets": "tlshello",
          "length": { "from": 100, "to": 200 },
          "delay": { "from": 10, "to": 20 },
          "maxSplit": { "from": 0, "to": 0 }
        }
      }
    ],
    "udp": [
      {
        "type": "noise",
        "settings": {
          "reset": { "from": 0, "to": 0 },
          "noise": [
            {
              "type": "str",
              "packet": "GET / HTTP/1.1\r\n",
              "rand": { "from": 0, "to": 0 },
              "delay": { "from": 10, "to": 50 }
            }
          ]
        }
      }
    ],
    "quicParams": {
      "congestion": "bbr",
      "debug": false,
      "bbrProfile": "standard",
      "brutalUp": "100mbps",
      "brutalDown": "100mbps",
      "udpHop": {
        "ports": ["443,8443"],
        "interval": { "from": 10, "to": 30 }
      },
      "initStreamReceiveWindow": 8388608,
      "maxStreamReceiveWindow": 8388608,
      "initConnectionReceiveWindow": 20971520,
      "maxConnectionReceiveWindow": 20971520,
      "maxIdleTimeout": 30,
      "keepAlivePeriod": 10,
      "disablePathMTUDiscovery": false,
      "maxIncomingStreams": 100
    }
  }
}
```
maskSettings — quicParams fields
| Field | Type | Description |
|---|---|---|
| congestion | string | Congestion control algorithm, e.g. "bbr", "cubic" |
| debug | bool | Enable debug mode |
| bbrProfile | string | BBR profile: "conservative", "standard", "aggressive" |
| brutalUp | string | Upload bandwidth for brutal congestion, e.g. "100mbps", "1gbps" |
| brutalDown | string | Download bandwidth for brutal congestion |
| udpHop.ports | string/array | Port list for UDP hopping |
| udpHop.interval | object | Hop interval range in seconds: { "from": N, "to": N } |
| initStreamReceiveWindow | uint64 | Initial stream receive window size (bytes) |
| maxStreamReceiveWindow | uint64 | Max stream receive window size (bytes) |
| initConnectionReceiveWindow | uint64 | Initial connection receive window size (bytes) |
| maxConnectionReceiveWindow | uint64 | Max connection receive window size (bytes) |
| maxIdleTimeout | int64 | Max idle timeout in seconds |
| keepAlivePeriod | int64 | Keep-alive period in seconds |
| disablePathMTUDiscovery | bool | Disable path MTU discovery |
| maxIncomingStreams | int64 | Max number of incoming streams |
Final Rule Settings (finalRules)
```json
"finalRules": [
  {
    "action": "block",
    "network": "tcp,udp",
    "port": "53,443",
    "ip": ["10.0.0.0/8", "2001:db8::/32"],
    "blockDelay": "30-90"
  }
]
```
finalRules fields
| Field | Type | Description |
|---|---|---|
| action | string | Action when the rule matches: "allow" permits the connection, "block" drops it |
| network | string | Comma-separated network types: "tcp", "udp", "tcp,udp" |
| port | string | Port or range to match, e.g. "53", "443", "8080-9000", "53,443,8080-9000" |
| ip | array | List of IP CIDRs or geo tags, e.g. "10.0.0.0/8", "geoip:cn" |
| blockDelay | string | Random delay (ms) before dropping when action is "block", e.g. "30-90". Omit for an immediate drop |
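As an added illustration (not part of this documentation or the project's code), the matcher below evaluates a connection against finalRules entries in the format described above. It assumes first-match-wins with "allow" as the default when nothing matches, and skips geoip: tags because resolving them needs a GeoIP database.

```python
import ipaddress
import random

# Constructed sample: the finalRules entry shown on this page.
FINAL_RULES = [{
    "action": "block", "network": "tcp,udp", "port": "53,443",
    "ip": ["10.0.0.0/8", "2001:db8::/32"], "blockDelay": "30-90",
}]

def parse_ports(spec):  # "53,443,8080-9000" -> set of port numbers
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        elif part:
            ports.add(int(part))
    return ports

def ip_matches(entries, ip):  # True if ip falls inside any CIDR entry
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        if entry.startswith("geoip:"):
            continue  # assumption: geo tags need a GeoIP database, not resolved here
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False

def rule_matches(rule, network, port, ip):
    """Every field present in the rule must match; an absent field matches anything."""
    networks = {n.strip() for n in rule.get("network", "tcp,udp").split(",")}
    if network not in networks:
        return False
    if "port" in rule and port not in parse_ports(rule["port"]):
        return False
    return "ip" not in rule or ip_matches(rule["ip"], ip)

def block_delay_ms(rule, rng=random):  # "30-90" -> random ms in range; 0 = drop now
    spec = rule.get("blockDelay")
    if not spec:
        return 0
    lo, hi = (int(x) for x in spec.split("-", 1)) if "-" in spec else (int(spec), int(spec))
    return rng.randint(lo, hi)

def evaluate(rules, network, port, ip):
    """First matching rule wins; no match means allow (assumed default)."""
    for rule in rules:
        if rule_matches(rule, network, port, ip):
            return rule.get("action", "block"), block_delay_ms(rule)
    return "allow", 0
```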
Socket Settings (socketSettings)
Socket-level options applied to the underlying TCP/UDP socket. All fields are optional — omitting a field leaves Xray's default in place.
```json
{
  "socketSettings": {
    "acceptProxyProtocol": false,
    "domainStrategy": "AsIs",
    "tcpFastOpen": false,
    "tcpKeepAliveInterval": 0,
    "tcpKeepAliveIdle": 0,
    "tcpUserTimeout": 0,
    "tcpMaxSeg": 0,
    "tcpWindowClamp": 0,
    "tcpMptcp": false,
    "tcpCongestion": "bbr",
    "interface": "",
    "v6only": false,
    "dialerProxy": "",
    "trustedXForwardedFor": []
  }
}
```
socketSettings fields
| Field | Type | Default | Scope | Description |
|---|---|---|---|---|
| acceptProxyProtocol | bool | false | Inbound | Accept PROXY protocol v1/v2 from an upstream load balancer or reverse proxy (e.g. Nginx, HAProxy). The real client IP is read from the PROXY header. TCP-based transports only (tcp, ws, httpupgrade). |
| domainStrategy | string | "AsIs" | Both | DNS resolution strategy for outbound connections. See the strategies table below. |
| tcpFastOpen | bool / int | false | Both | Enable TCP Fast Open (TFO). true uses the OS default queue size; an integer sets an explicit queue size. Requires kernel ≥ 3.7 (Linux) or Windows 10 1607+. |
| tcpKeepAliveInterval | int | 0 | Both | Seconds between TCP keep-alive probes after the idle period expires. Set together with tcpKeepAliveIdle. |
| tcpKeepAliveIdle | int | 0 | Both | Seconds of inactivity before the first keep-alive probe. OS default ~7200s on Linux. |
| tcpUserTimeout | int | 0 | Both | Milliseconds before aborting a connection with unacknowledged data (TCP_USER_TIMEOUT). |
| tcpMaxSeg | int | 0 | Both | Max TCP segment size in bytes (TCP_MAXSEG). Reduce below 1460 when using tunnels to avoid fragmentation. |
| tcpWindowClamp | int | 0 | Both | Clamp the TCP receive window to this size (TCP_WINDOW_CLAMP). |
| tcpMptcp | bool | false | Both | Enable Multipath TCP. Requires kernel ≥ 5.6 with MPTCP compiled in. |
| tcpCongestion | string | "" | Both | TCP congestion algorithm: "bbr", "cubic", "reno". Must be loaded in the kernel (modprobe tcp_bbr). |
| interface | string | "" | Both | Bind the socket to a specific network interface, e.g. "eth0", "wg0". |
| v6only | bool | false | Both | When true, the IPv6 socket will not accept IPv4-mapped connections (IPV6_V6ONLY). |
| dialerProxy | string | "" | Outbound | Tag of another outbound to use as the underlying transport. Enables outbound chaining. |
| trustedXForwardedFor | string | [] | Inbound | Trusted upstream CIDRs for X-Forwarded-For header extraction. HTTP-based inbounds only. |
domainStrategy values
| Value | Description |
|---|---|
| "AsIs" | Use the domain name as-is; let the OS resolve it. Default. |
| "UseIP" | Resolve the domain to an IP using Xray's internal DNS before connecting. |
| "UseIPv4" | Resolve and force IPv4. |
| "UseIPv6" | Resolve and force IPv6. |
| "UseIPv4v6" | Resolve and prefer IPv4, fall back to IPv6. |
| "UseIPv6v4" | Resolve and prefer IPv6, fall back to IPv4. |
Notes
acceptProxyProtocol vs trustedXForwardedFor — acceptProxyProtocol reads the real IP from a binary PROXY protocol header at the TCP layer (Nginx proxy_protocol on). trustedXForwardedFor reads it from an HTTP header at the application layer (Nginx proxy_set_header X-Forwarded-For). Use the one that matches your reverse proxy configuration.
tcpKeepAliveInterval and tcpKeepAliveIdle — both must be set together for keep-alive to behave predictably.
tcpFastOpen — must be enabled on both client and server. Also requires net.ipv4.tcp_fastopen=3 (sysctl -w net.ipv4.tcp_fastopen=3).
interface — the named interface must exist when the node starts. Existing connections are not migrated if it goes down and comes back.
dialerProxy — the referenced outbound tag must exist in the Xray config. Circular references cause a connection loop.
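A small added lint (example code, not the project's own) that checks the constraints listed in these notes: the keep-alive pair, the tcpFastOpen type, and dialerProxy references that are missing or circular. It assumes each outbound carries its socketSettings block next to its tag; the tags and values are constructed.

```python
# Constructed sample outbounds. Assumption: each outbound carries its own
# socketSettings block next to its tag (the page shows the block on its own).
OUTBOUNDS = [
    {"tag": "direct", "socketSettings": {"tcpKeepAliveIdle": 60, "tcpKeepAliveInterval": 15}},
    {"tag": "hop-a", "socketSettings": {"dialerProxy": "hop-b", "tcpFastOpen": "yes"}},
    {"tag": "hop-b", "socketSettings": {"dialerProxy": "hop-a", "tcpKeepAliveIdle": 60}},
    {"tag": "relay", "socketSettings": {"dialerProxy": "does-not-exist"}},
]

def check_socket_settings(tag, sock):
    """Return warnings for one socketSettings block, following the notes above."""
    warnings = []
    idle, interval = sock.get("tcpKeepAliveIdle", 0), sock.get("tcpKeepAliveInterval", 0)
    if (idle > 0) != (interval > 0):
        warnings.append(f"{tag}: set tcpKeepAliveIdle and tcpKeepAliveInterval together")
    tfo = sock.get("tcpFastOpen", False)
    if not isinstance(tfo, int):  # bool is a subclass of int, so true/false/queue size all pass
        warnings.append(f"{tag}: tcpFastOpen must be a bool or an integer queue size")
    return warnings

def check_dialer_chain(outbounds):
    """Follow dialerProxy references from every outbound; report missing tags and loops."""
    by_tag = {o["tag"]: o for o in outbounds}
    problems = []
    for ob in outbounds:
        chain, cur = [ob["tag"]], ob
        while True:
            nxt = cur.get("socketSettings", {}).get("dialerProxy", "")
            if not nxt:
                break  # end of the chain: this outbound dials directly
            if nxt not in by_tag:
                problems.append(f"{cur['tag']}: dialerProxy '{nxt}' is not a defined outbound")
                break
            if nxt in chain:
                problems.append(f"{ob['tag']}: dialerProxy loop {' -> '.join(chain + [nxt])}")
                break
            chain.append(nxt)
            cur = by_tag[nxt]
    return problems

def lint(outbounds):
    """All findings for a list of outbounds."""
    findings = []
    for ob in outbounds:
        findings += check_socket_settings(ob["tag"], ob.get("socketSettings", {}))
    return findings + check_dialer_chain(outbounds)
```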
NONE
```json
{
  "none": []
}
```
TLS
Refer to the official documentation for the meaning of these parameters.
```json
{
  "tlsSettings": {
    "alpn": ["h2", "http/1.1"],
    "certMode": "http",
    "certDomainName": "tld.dev",
    "fragment": "1,40-60,30-50",
    "serverName": "google.com",
    "fingerprint": "chrome",
    "curvePreferences": ["X25519", "X25519MLKEM768"],
    "rejectUnknownSni": false,
    "verifyPeerCertByName": "google.com",
    "pinnedPeerCertSha256": "",
    "echServerKeys": "",
    "echConfigList": ""
  }
}
```
Security Settings (TLS) with maskSettings, socketSettings and finalRules
```json
{
  "tlsSettings": {
    "alpn": ["h2", "http/1.1"],
    "certMode": "http",
    "certDomainName": "tld.dev",
    "fragment": "1,40-60,30-50",
    "serverName": "google.com",
    "fingerprint": "chrome",
    "curvePreferences": ["X25519", "X25519MLKEM768"],
    "rejectUnknownSni": false,
    "verifyPeerCertByName": "google.com",
    "pinnedPeerCertSha256": "",
    "echServerKeys": "",
    "echConfigList": ""
  },
  "socketSettings": {
    "acceptProxyProtocol": false,
    "domainStrategy": "AsIs",
    "tcpFastOpen": false,
    "tcpKeepAliveInterval": 0,
    "tcpKeepAliveIdle": 0,
    "tcpUserTimeout": 0,
    "tcpMaxSeg": 0,
    "tcpWindowClamp": 0,
    "tcpMptcp": false,
    "tcpCongestion": "bbr",
    "interface": "",
    "v6only": false,
    "dialerProxy": "",
    "trustedXForwardedFor": []
  },
  "maskSettings": {
    "udp": [
      {
        "type": "salamander",
        "settings": {
          "password": "your-password-here"
        }
      }
    ]
  },
  "finalRules": [
    {
      "action": "block",
      "network": "tcp,udp",
      "port": "53,443",
      "ip": ["10.0.0.0/8", "2001:db8::/32"],
      "blockDelay": "30-90"
    }
  ]
}
```
REALITY
Refer to the official documentation for the meaning of these parameters.
```json
{
  "realitySettings": {
    "target": "www.microsoft.com:443",
    "show": false,
    "shortids": ["6ba85179e30d4fc2"],
    "password": "u2Yirzjxx5R5miuJ-Od8CL4gAiCWj-65WOF2mSVyUz4",
    "privateKey": "sBFSY3OzslfjR2VcSHaQG-6GASrH5YswYyqBR-1m3Vc",
    "fingerprint": "chrome",
    "serverNames": ["www.microsoft.com"],
    "proxyprotocol": 0,
    "mldsa65Seed": "",
    "mldsa65Verify": "",
    "spiderX": "",
    "minClientVer": "",
    "maxClientVer": "",
    "maxTimeDiff": 0
  }
}
```
Security Settings (REALITY) with maskSettings, socketSettings and finalRules
```json
{
  "realitySettings": {
    "target": "www.microsoft.com:443",
    "show": false,
    "shortids": ["6ba85179e30d4fc2"],
    "password": "u2Yirzjxx5R5miuJ-Od8CL4gAiCWj-65WOF2mSVyUz4",
    "privateKey": "sBFSY3OzslfjR2VcSHaQG-6GASrH5YswYyqBR-1m3Vc",
    "fingerprint": "chrome",
    "serverNames": ["www.microsoft.com"],
    "proxyprotocol": 0,
    "mldsa65Seed": "",
    "mldsa65Verify": "",
    "spiderX": "",
    "minClientVer": "",
    "maxClientVer": "",
    "maxTimeDiff": 0
  },
  "socketSettings": {
    "acceptProxyProtocol": false,
    "domainStrategy": "AsIs",
    "tcpFastOpen": false,
    "tcpKeepAliveInterval": 0,
    "tcpKeepAliveIdle": 0,
    "tcpUserTimeout": 0,
    "tcpMaxSeg": 0,
    "tcpWindowClamp": 0,
    "tcpMptcp": false,
    "tcpCongestion": "bbr",
    "interface": "",
    "v6only": false,
    "dialerProxy": "",
    "trustedXForwardedFor": []
  },
  "maskSettings": {
    "udp": [
      {
        "type": "salamander",
        "settings": {
          "password": "your-password-here"
        }
      }
    ]
  },
  "finalRules": [
    {
      "action": "block",
      "network": "tcp,udp",
      "port": "53,443",
      "ip": ["10.0.0.0/8", "2001:db8::/32"],
      "blockDelay": "30-90"
    }
  ]
}
```
