https://bolasblack.github.io/alcatraz/cookbook/Recent content in Cookbook on AlcatrazHugoenhttps://bolasblack.github.io/alcatraz/cookbook/transparent-proxy-sing-box/Mon, 01 Jan 0001 00:00:00 +0000https://bolasblack.github.io/alcatraz/cookbook/transparent-proxy-sing-box/<h1 id="transparent-tcp-proxy-with-sing-box">Transparent TCP Proxy with sing-box<a class="anchor" href="#transparent-tcp-proxy-with-sing-box">#</a></h1> <p>Route every outbound <strong>TCP</strong> byte the container emits — any protocol, any port — through a <a href="https://github.com/sagernet/sing-box">sing-box</a> instance that you control, which in turn forwards to your real upstream proxy (SOCKS5, VMess, Shadowsocks, Trojan, …).</p> <h2 id="scope-tcp-only">Scope: TCP only<a class="anchor" href="#scope-tcp-only">#</a></h2> <p><a href="https://bolasblack.github.io/alcatraz/config/fields/#networkproxy"><code>network.proxy</code></a> only proxies <strong>TCP</strong>. UDP traffic (DNS, QUIC, anything else) goes out via the container&rsquo;s normal network path, not through sing-box. The <em>why</em> is non-obvious — see <a href="https://bolasblack.github.io/alcatraz/config/network/#transparent-proxy">Transparent Proxy</a> in the network docs and <a href="https://github.com/bolasblack/alcatraz/blob/master/.agents/decisions/AGD-037_transparent-proxy-for-containers.md">AGD-037</a> for the full story. Short version: there is currently no working path for transparent UDP proxying of container traffic on Linux, and making the recipe pretend otherwise would just mislead you.</p>