feat: support shadow-tls in sing-box subscription output#823
Open
onesyue wants to merge 1 commit intocedar2025:masterfrom
Open
feat: support shadow-tls in sing-box subscription output#823onesyue wants to merge 1 commit intocedar2025:masterfrom
onesyue wants to merge 1 commit intocedar2025:masterfrom
Conversation
sing-box does not support shadow-tls as a shadowsocks plugin field.
The current code passes raw `plugin` and `plugin_opts` strings which
sing-box cannot parse, breaking shadow-tls nodes for all sing-box
based clients (sing-box, Hiddify, SFM).
The correct sing-box configuration requires a separate `shadowtls`
outbound with the SS outbound referencing it via `detour`:
```json
{"type": "shadowsocks", "detour": "node-shadowtls", ...}
{"type": "shadowtls", "tag": "node-shadowtls", "version": 3, ...}
```
This commit:
- Detects `plugin: shadow-tls` in protocol_settings
- Generates a proper shadowtls outbound + detour chain
- Filters shadowtls helper tags from selector/urltest groups
- Falls through to raw plugin handling for other plugins (obfs etc.)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
When a Shadowsocks node has
plugin: shadow-tlsconfigured inprotocol_settings, the sing-box subscription handler passes rawplugin/plugin_optsstrings:{ "type": "shadowsocks", "plugin": "shadow-tls", "plugin_opts": "version=3;host=gateway.icloud.com;password=xxx" }sing-box does not support shadow-tls as a plugin field. This causes shadow-tls nodes to be completely broken for all sing-box-based clients (sing-box, Hiddify, SFM).
Note: Clash Meta (
ClashMeta.php) already handles this correctly with a dedicatedcase 'shadow-tls'block.Fix
Detect
shadow-tlsplugin and generate the proper sing-box outbound chain:{ "type": "shadowsocks", "tag": "NodeName", "detour": "NodeName-shadowtls", ... } { "type": "shadowtls", "tag": "NodeName-shadowtls", "server": "...", "server_port": 443, "version": 3, "password": "...", "tls": { "enabled": true, "server_name": "gateway.icloud.com" } }The
-shadowtlshelper outbounds are filtered fromselector/urltestproxy groups so they don't appear as standalone nodes.Other plugins (obfs, v2ray-plugin, etc.) continue to use the existing raw passthrough behavior.
Test
Verified with sing-box 1.13.x client — shadow-tls nodes now connect successfully via subscription.