This is a production-ready server guide for deploying a sing-box backend using VLESS + Reality + XTLS Vision, with an optional Warp routing module and Fail2Ban hardening.
It is designed for VPS (Debian/Ubuntu) environments and matches the structure of the client-side documentation for consistency.
1. System Requirements
- Debian / Ubuntu VPS
- Root or sudo access
- Open port: 443 (recommended)
- Basic firewall access (UFW recommended)
2. Install Docker & Docker Compose
We use Docker to ensure reproducible deployment.
2.1 Install Docker
sudo apt update && sudo apt upgrade -y
sudo apt install -y docker.io docker-compose
Enable Docker:
sudo systemctl enable --now docker
Verify:
docker --version
docker-compose --version
3. Create Project Directory
mkdir -p ~/software/sing-box/config
cd ~/software/sing-box
4. Docker Compose Configuration
Create docker-compose.yml:
services:
  sing-box:
    image: ghcr.io/sagernet/sing-box
    container_name: sing-box
    restart: always
    network_mode: host
    volumes:
      - ./config:/etc/sing-box
    command: run -C /etc/sing-box
Start service:
docker-compose up -d
Check status:
docker ps | grep sing-box
5. Generate Credentials (Shared for Server & Client)
Credentials are generated once per deployment.
UUID → shared between server & client
Reality keypair → generated on server
- private_key → server only
- public_key → client only
5.1 Generate UUID
uuidgen
Example:
123e4567-e89b-12d3-a456-426614174000
5.2 Generate Reality Key Pair
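The host in this guide only has Docker installed, so run the generator through the sing-box image:
docker run --rm ghcr.io/sagernet/sing-box generate reality-keypair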
Output:
PrivateKey: xxxx (SERVER ONLY)
PublicKey: xxxx (CLIENT USE)
6. Sing-box Server Configuration
Create config:
mkdir -p config
nano config/config.json
6.1 VLESS + Reality Inbound
{
  "log": {
    "level": "warning",
    "timestamp": true
  },
  "inbounds": [
    {
      "type": "vless",
      "tag": "vless-in",
      "listen": "0.0.0.0",
      "listen_port": 443,
      "users": [
        {
          "uuid": "YOUR_UUID",
          "flow": "xtls-rprx-vision"
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "www.microsoft.com",
        "reality": {
          "enabled": true,
          "handshake": {
            "server": "www.microsoft.com",
            "server_port": 443
          },
          "private_key": "YOUR_PRIVATE_KEY",
          "short_id": "8f3a7b2c9d"
        }
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    }
  ]
}
Key Notes
- UUID must match client
- private_key must be the PrivateKey from the Reality key pair generated in 5.2
- Public key is used only on client
- short_id must match both sides
- server_name must match client configuration
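The matching rules in the Key Notes can be checked before the container is started. The script below is an added example, not part of the original guide or of sing-box; the function name is hypothetical, the key and short_id format checks are assumptions noted in the comments, and the server_name comparison follows the guide's own config, which uses one host for both fields.

```python
import base64
import json
import re
import sys
import uuid

# Constructed sample: the section 6.1 inbound with its placeholders left in.
TEMPLATE = {"inbounds": [{"type": "vless", "tag": "vless-in",
    "users": [{"uuid": "YOUR_UUID", "flow": "xtls-rprx-vision"}],
    "tls": {"enabled": True, "server_name": "www.microsoft.com", "reality": {
        "enabled": True, "handshake": {"server": "www.microsoft.com", "server_port": 443},
        "private_key": "YOUR_PRIVATE_KEY", "short_id": "8f3a7b2c9d"}}}]}

def check_reality_inbounds(config):
    """Return a list of problems found in the VLESS + Reality inbounds."""
    problems = []
    for inbound in [i for i in config.get("inbounds", []) if i.get("type") == "vless"]:
        tag = inbound.get("tag", "?")
        for user in inbound.get("users", []):
            try:
                uuid.UUID(str(user.get("uuid", "")))
            except ValueError:
                problems.append(f"{tag}: uuid is not a valid UUID")
            if user.get("flow") != "xtls-rprx-vision":
                problems.append(f"{tag}: flow is not xtls-rprx-vision")
        tls = inbound.get("tls", {})
        reality = tls.get("reality", {})
        if tls.get("server_name") != reality.get("handshake", {}).get("server"):
            problems.append(f"{tag}: server_name differs from handshake.server")
        # Assumption: private_key is unpadded URL-safe base64 of a 32-byte key.
        key = str(reality.get("private_key", ""))
        try:
            raw = base64.b64decode(key + "=" * (-len(key) % 4), altchars=b"-_", validate=True)
        except ValueError:
            raw = b""
        if len(raw) != 32:
            problems.append(f"{tag}: private_key is not 32 bytes of base64url")
        # Assumption: short_id is even-length hex of at most 16 characters.
        short_ids = reality.get("short_id", [])
        for sid in [short_ids] if isinstance(short_ids, str) else short_ids:
            if not re.fullmatch(r"(?:[0-9a-fA-F]{2}){0,8}", sid):
                problems.append(f"{tag}: short_id {sid!r} is not even-length hex (max 16)")
    return problems

if __name__ == "__main__":
    cfg = TEMPLATE
    if len(sys.argv) > 1:  # optional argument: path to a real config.json
        with open(sys.argv[1]) as fh:
            cfg = json.load(fh)
    print("\n".join(check_reality_inbounds(cfg)) or "no problems found")
```

Run against the unfilled template it reports the uuid and private_key placeholders; pass config/config.json as the argument to check a real file.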
7. Start Service
Start
docker-compose up -d
Restart
docker-compose restart
Stop
docker-compose down
Logs
docker logs sing-box
8. Warp Module (Cloudflare Routing)
This module integrates WireGuard for optional outbound routing.
8.1 Install WireGuard
sudo apt install -y wireguard-tools
8.2 Setup Warp
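The command below fetches a third-party script through the git.io short link and runs it directly; to see what it does first, download it to a file and read it before running.
bash <(curl -fsSL git.io/warp.sh) wg4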
Edit config:
sudo nano /etc/wireguard/wgcf.conf
8.3 Start Warp
sudo wg-quick up wgcf
sudo systemctl enable wg-quick@wgcf
sudo wg
9. Fail2Ban Module
Install
sudo apt install -y fail2ban
Enable
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
10. Firewall (Recommended)
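If you administer the VPS over SSH, allow your SSH port before running ufw enable; UFW denies incoming connections by default and would otherwise cut off new SSH sessions.
sudo ufw allow 443/tcp
sudo ufw enable
sudo ufw status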
11. Backup & Restore
Backup
mkdir -p ~/backup/sing-box
cp -r config ~/backup/sing-box/
Restore
rm -rf config
cp -r ~/backup/sing-box/config ./
docker-compose restart
12. Troubleshooting
Logs
docker logs sing-box
Warp
wg
ip route
Common issues
- Port 443 in use
- UUID mismatch
- Reality key mismatch
- short_id mismatch
13. Quick Checklist
- Docker running
- sing-box container started
- UUID correct (shared)
- Reality keys matched
- short_id identical
- Port 443 open
- Warp working (optional)
- Fail2Ban enabled
Final Note
This server setup provides a production-grade VLESS + Reality backend with optional Warp routing and security hardening using sing-box.
It is fully aligned with the client-side documentation structure for consistency.