Configuration Reference
Juicity uses JSON for configuration. Below is a detailed explanation of all supported fields for both Client and Server.
Common Fields
These fields can be used in both client.json and server.json.
| Field | Type | Description |
|---|---|---|
listen |
string | Required. Server: Address to listen for incoming QUIC connections (e.g., :23182). Client: Address to serve the local SOCKS5/HTTP proxy (e.g., :1080). |
congestion_control |
string | Congestion control algorithm. Options: bbr, cubic, new_reno. Default depends on system, usually cubic. |
log_level |
string | Logging verbosity. Options: debug, info, warn, error, fatal. |
Client Configuration (juicity-client)
| Field | Type | Description |
|---|---|---|
server |
string | Required. The address of the remote Juicity server (e.g., 1.2.3.4:23182). |
uuid |
string | Required. The user ID for authentication. |
password |
string | Required. The password for authentication. |
sni |
string | Server Name Indication. Required if server is an IP address. Must match the server certificate. |
allow_insecure |
bool | If true, skips TLS certificate verification. Not recommended unless testing. |
pinned_certchain_sha256 |
string | Hash of the remote certificate chain for pinning. Useful for self-signed certificates. Generate via juicity-server generate-certchain-hash. |
protect_path |
string | Android/Linux only. Path to a unix socket for VPN service protection (protecting socket from VPN loop). |
forward |
map | Port forwarding rules. Maps a local address to a remote address. Format: "<Local>" : "<Remote>". Example: "127.0.0.1:2222": "192.168.1.5:22". |
Forwarding Example
"forward": {
"127.0.0.1:12322": "127.0.0.1:22",
"0.0.0.0:5201/tcp": "127.0.0.1:5201",
"0.0.0.0:5353/udp": "8.8.8.8:53"
}Server Configuration (juicity-server)
| Field | Type | Description |
|---|---|---|
users |
map | Required. A map of legitimate users. Key is UUID, Value is password. |
certificate |
string | Required. Path to the TLS certificate file (full chain). |
private_key |
string | Required. Path to the TLS private key file. |
disable_outbound_udp443 |
bool | If true, blocks outbound UDP traffic to port 443. This is often QUIC traffic, blocking it forces fallbacks to TCP, saving server resources. |
fwmark |
string | Optional firewall mark (e.g., 0x1000) for outgoing connections. Useful for policy routing on Linux. |
send_through |
string | Specific IP address to bind for outgoing connections. |
dialer_link |
string | Advanced. Specifies a proxy chain or specific dialer for outbound connections. Uses daeuniverse/outbound format. |
Full Server Example
{
"listen": ":23182",
"users": {
"00000000-0000-0000-0000-000000000000": "my_password"
},
"certificate": "/etc/juicity/fullchain.cer",
"private_key": "/etc/juicity/private.key",
"congestion_control": "bbr",
"log_level": "info",
"disable_outbound_udp443": true
}