This script is designed to fully and easily configure a secure proxy server with Sing-Box core and NGINX or HAProxy camouflage. Two setup methods:
- All requests to the proxy are received by NGINX, the requests are passed to Sing-Box only if they contain the correct path (WebSocket or HTTPUpgrade transport)
- All requests to the proxy are received by HAProxy, then Trojan passwords are read from the first 56 bytes of the request by using a Lua script, the requests are passed to Sing-Box only if they contain the correct Trojan password (TCP transport) — FPPweb3 method
Both setup methods make it impossible to detect Sing-Box from the outside, which improves security.
Important
Recommended OS: Debian 11/12 or Ubuntu 22.04/24.04. You will also need an IPv4 on the server and your own domain linked to your Cloudflare account (How to set it up?). Run as root on a newly installed system. It's recommended to update and reboot the system before running this script.
This project is created for educational and demonstration purposes. Please make sure that your actions are legal before using it.
Note
With routing rules for Russia. Open ports on the server: 443 and SSH.
- Sing-Box server setup
- NGINX or HAProxy reverse proxy and website setup on port 443
- Multiplexing to optimise connections
- Security setup (optional)
- Cloudflare TLS certificates with auto renewal
- WARP setup
- Enable BBR
- Client Sing-Box configs with routing rules for Russia
- Automated management of user config files
- Optional setup of proxy chains of two or more servers
Run this command to setup the server:
bash <(curl -Ls https://raw.githubusercontent.com/BLUEBL0B/Secret-Sing-Box/master/Scripts/install-server.sh)
Then just enter the necessary information:
The script will show your client links in the end, it's recommended to save them.
To display additional settings, run this command:
sbmanager
Then follow the instructions:
Options 5 and 6 synchronize the settings in client configs of all users, which eliminates the need to edit the config of each user separately.
To activate a WARP+ key, enter this command (replace the key with yours):
warp-cli registration license CMD5m479-Y5hS6y79-U06c5mq9
Important
On some devices, "stack": "system" in tun interface settings in client configs might not work. In such cases, it is recommended to replace it with "gvisor" by using option 4 in sbmanager.
Android and iOS: the guide is given for Android, the interface is different in iOS, but it has similar settings.
Windows: this method is recommended due to more complete routing settings, but you can also import the link to Hiddify client app.
Linux: run the command below and follow the instructions. Or use Hiddify client app.
bash <(curl -Ls https://raw.githubusercontent.com/BLUEBL0B/Secret-Sing-Box/master/Scripts/sb-pc-linux-en.sh)
- USDT (BEP20): 0xe2FeA540a9F1f85C2bfA3e6949c722393B5d636A
- USDT (TRC20): TFN44R1PnhyX29vBqv9Z4cB5wH7MrVyFoC
- Bitcoin (BIP84): bc1qhn2ghk3pcpsrr6l9ywfryvqfzvyx8gs2wnpz89
- Litecoin (BIP84): ltc1q7quvcq3gtlwf2yuk370vhf2syad8ee4we9huj4
- Toncoin (TON): UQCWmIBsU-EZJSH3rhghbtSOtKQBmb5y74mkjbohpDWZ6l-H
