This is a clean, production-ready guide for deploying a sing-box client with Docker for SOCKS proxy access using VLESS + Reality.
It is designed for stability, security, and minimal system interference (ideal for Arch Linux users).
1. System Requirements
- Linux (Arch recommended)
- Root or sudo access
- Internet access
- A VPS with VLESS + Reality server already configured
2. Install Docker & Docker Compose
We use Docker and Docker Compose to isolate sing-box from the host system.
2.1 Install Docker
sudo pacman -S docker
Enable Docker:
sudo systemctl enable --now docker
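Add your user to the docker group (log out and back in for it to take effect; membership in this group is effectively root access on the host):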
sudo usermod -aG docker $(whoami)
2.2 Install Docker Compose
sudo pacman -S docker-compose
Verify:
docker-compose version
3. Create Project Directory
mkdir -p ~/software/sing-box/config
cd ~/software/sing-box
4. Docker Compose Configuration
Create docker-compose.yml:
services:
  sing-box:
    image: ghcr.io/sagernet/sing-box
    container_name: sing-box
    restart: always
    network_mode: host
    volumes:
      - ./config:/etc/sing-box
    command: run -C /etc/sing-box
Start service:
docker-compose up -d
Check status:
docker ps | grep sing-box
5. Generate Required Credentials
5.1 Generate UUID
UUID identifies your client:
uuidgen
Example:
123e4567-e89b-12d3-a456-426614174000
5.2 Generate Reality Key Pair
Reality uses X25519 key exchange.
Recommended method (sing-box tool)
sing-box generate reality-keypair
Output:
PrivateKey: xxxx
PublicKey: xxxx
- Private key → VPS server
- Public key → Client
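Alternative method (OpenSSL)
openssl genpkey -algorithm X25519 -out reality_private.key
openssl pkey -in reality_private.key -pubout -out reality_public.key
OpenSSL writes PEM files, while the Reality key fields take the raw 32-byte key in unpadded base64url, so these files must be converted before the values are used in a config.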
6. Sing-box Client Configuration
Create config file:
mkdir -p config
nano config/config.json
6.1 Client Configuration
{
  "log": {
    "level": "warning",
    "timestamp": true
  },
  "inbounds": [
    {
      "type": "socks",
      "listen": "127.0.0.1",
      "listen_port": 1080
    }
  ],
  "outbounds": [
    {
      "type": "vless",
      "server": "YOUR_VPS_IP",
      "server_port": 443,
      "uuid": "YOUR_UUID",
      "flow": "xtls-rprx-vision",
      "tls": {
        "enabled": true,
        "server_name": "www.microsoft.com",
        "utls": {
          "enabled": true
        },
        "reality": {
          "enabled": true,
          "public_key": "YOUR_PUBLIC_KEY",
          "short_id": "8f3a7b2c9d"
        }
      }
    },
    {
      "type": "direct",
      "tag": "direct"
    }
  ],
  "route": {
    "rules": [
      {
        "protocol": "dns",
        "outbound": "direct"
      }
    ]
  }
}
Key Notes
- UUID must match VPS configuration
- Public key must match server-generated Reality key
- short_id must be identical on both sides
- server_name must match a server name accepted by the Reality configuration on the VPS
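The checks from the Key Notes above, together with the loopback rule from section 9, can be run against config.json before the container is restarted. This is an added example, not part of sing-box or of the original guide; check_client_config, the sample values and the format rules it enforces (a 43-character unpadded base64url key, a short_id of at most 16 hex characters in whole bytes) are assumptions about how Reality credentials are encoded.

```python
import base64, ipaddress, json, re, uuid

def check_client_config(text):
    """Return a list of problems in a sing-box client config; empty means it passed."""
    cfg, problems = json.loads(text), []
    for inbound in cfg.get("inbounds", []):
        if inbound.get("type") not in ("socks", "mixed", "http"):
            continue
        try:  # a missing or non-IP listen value is treated as not loopback
            loopback = ipaddress.ip_address(inbound.get("listen", "")).is_loopback
        except ValueError:
            loopback = False
        if not loopback:
            problems.append("proxy inbound is not bound to a loopback address")
    for out in cfg.get("outbounds", []):
        if out.get("type") != "vless":
            continue
        try:  # also catches a placeholder such as YOUR_UUID left in the file
            uuid.UUID(str(out.get("uuid", "")))
        except ValueError:
            problems.append("uuid is not a valid UUID")
        reality = out.get("tls", {}).get("reality", {})
        if not reality.get("enabled"):
            problems.append("reality is not enabled")
        key = str(reality.get("public_key", ""))
        # Assumed format: 32 raw bytes in unpadded base64url, i.e. 43 characters
        if not re.fullmatch(r"[A-Za-z0-9_-]{43}", key):
            problems.append("public_key is not a 32-byte base64url value")
        sid = str(reality.get("short_id", ""))
        if not re.fullmatch(r"(?:[0-9a-fA-F]{2}){0,8}", sid):
            problems.append("short_id is not 0-16 hex characters of even length")
    return problems

# Constructed sample values, not real credentials.
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32))).rstrip(b"=").decode()
SAMPLE = {
    "inbounds": [{"type": "socks", "listen": "127.0.0.1", "listen_port": 1080}],
    "outbounds": [{
        "type": "vless", "server": "203.0.113.10", "server_port": 443,
        "uuid": "123e4567-e89b-12d3-a456-426614174000", "flow": "xtls-rprx-vision",
        "tls": {"enabled": True, "server_name": "www.microsoft.com",
                "utls": {"enabled": True},
                "reality": {"enabled": True, "public_key": SAMPLE_KEY,
                            "short_id": "8f3a7b2c9d"}},
    }],
}

if __name__ == "__main__":
    print(check_client_config(json.dumps(SAMPLE)) or "config looks consistent")
```

To check a real file, pass its contents to the function, for example check_client_config(open("config/config.json").read()).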
7. Start Service
docker-compose restart
Check logs:
docker logs sing-box
8. Browser Setup
Firefox (Recommended)
- SOCKS Host: 127.0.0.1
- Port: 1080
- SOCKS v5 enabled
- Enable “Proxy DNS when using SOCKS v5”
Chromium
google-chrome --proxy-server="socks5://127.0.0.1:1080"
9. Security Best Practices
- Do NOT expose port 1080 to the internet
- Always bind SOCKS to 127.0.0.1
- Keep UUID and keys private
- Prefer TLS + Reality over raw TCP
- Do not modify system-wide routing unless necessary
10. Backup & Restore
Backup
mkdir -p ~/backup/sing-box
cp -r config ~/backup/sing-box/
Restore
rm -rf config
cp -r ~/backup/sing-box/config ./
docker-compose restart
11. Troubleshooting
Check logs
docker logs sing-box
Validate the Compose file
docker-compose config
Common issues
- Wrong UUID
- Reality key mismatch
- TLS server_name mismatch
- Port 443 blocked
12. Quick Checklist
- Docker running
- Container started
- UUID correct
- Reality keys matched
- short_id identical
- SOCKS 127.0.0.1:1080
- Browser proxy enabled
Final Note
This setup provides a lightweight, containerized, and reproducible proxy environment using sing-box with modern transport security (Reality).
It is designed for stability, portability, and minimal system intrusion.