yanistyle/sing-box-extended
1
0
Fork 0
mirror of https://github.com/shtorm-7/sing-box-extended.git synced 2026-05-31 00:14:21 +03:00
Code Issues Packages Projects Releases Wiki Activity

Update sing-box core

Browse Source
This commit is contained in:
Shtorm
2026-03-10 04:25:01 +03:00
parent c9dd381736 e942da339b
commit 494fa5a9da
439 changed files with 30827 additions and 6031 deletions
Download Patch File Download Diff File Expand all files Collapse all files

482
docs/changelog.md
View File

@@ -2,22 +2,232 @@
icon: material/alert-decagram
---
#### 1.13.2
* Fixes and improvements
#### 1.13.1
* Fixes and improvements
#### 1.12.14
* Backport fixes
#### 1.13.0
Important changes since 1.12:
* Add NaiveProxy outbound **1**
* Add pre-match support for `auto_redirect` **2**
* Improve `auto_redirect` **3**
* Add Chrome Root Store certificate option **4**
* Add new options for ACME DNS-01 challenge providers **5**
* Add Wi-Fi state support for Linux and Windows **6**
* Add curve preferences, pinned public key SHA256, mTLS and ECH `query_server_name` for TLS options **7**
* Add kTLS support **8**
* Add ICMP echo (ping) proxy support **9**
* Add `interface_address`, `network_interface_address` and `default_interface_address` rule items **10**
* Add `preferred_by` route rule item **11**
* Improve `local` DNS server **12**
* Add `disable_tcp_keep_alive`, `tcp_keep_alive` and `tcp_keep_alive_interval` options for listen and dial fields **13**
* Add `bind_address_no_port` option for dial fields **14**
* Add system interface, relay server and advertise tags options for Tailscale endpoint **15**
* Add Claude Code Multiplexer service **16**
* Add OpenAI Codex Multiplexer service **17**
* Apple/Android: Refactor GUI
* Apple/Android: Add support for sharing configurations via [QRS](https://github.com/qifi-dev/qrs)
* Android: Add support for resisting VPN detection via Xposed
* Drop support for go1.23 **18**
* Drop support for Android 5.0 **19**
* Update uTLS to v1.8.2 **20**
* Update quic-go to v0.59.0
* Update gVisor to v20250811
* Update Tailscale to v1.92.4
**1**:
NaiveProxy outbound now supports QUIC, ECH, UDP over TCP, and configurable QUIC congestion control.
Only available on Apple platforms, Android, Windows and some Linux architectures.
Each Windows release includes `libcronet.dll`
ensure this file is in the same directory as `sing-box.exe` or in a directory listed in `PATH`.
See [NaiveProxy outbound](/configuration/outbound/naive/).
**2**:
`auto_redirect` now allows you to bypass sing-box for connections based on routing rules.
A new rule action `bypass` is introduced to support this feature. When matched during pre-match, the connection will bypass sing-box and connect directly.
This feature requires Linux with `auto_redirect` enabled.
See [Pre-match](/configuration/shared/pre-match/) and [Rule Action](/configuration/route/rule_action/#bypass).
**3**:
`auto_redirect` now rejects MPTCP connections by default to fix compatibility issues.
You can change it to bypass sing-box via the new `exclude_mptcp` option.
Adds a fallback iproute2 rule checked after system default rules (32766: main, 32767: default),
ensuring traffic is routed to the sing-box table when no route is found in system tables.
The rule index can be customized via `auto_redirect_iproute2_fallback_rule_index` (default: 32768).
See [TUN](/configuration/inbound/tun/#exclude_mptcp).
**4**:
Adds `chrome` as a new certificate store option alongside `mozilla`.
Both stores filter out China-based CA certificates.
See [Certificate](/configuration/certificate/#store).
**5**:
See [DNS-01 Challenge](/configuration/shared/dns01_challenge/).
**6**:
sing-box can now monitor Wi-Fi state on Linux and Windows to enable routing rules based on `wifi_ssid` and `wifi_bssid`.
See [Wi-Fi State](/configuration/shared/wifi-state/).
**7**:
See [TLS](/configuration/shared/tls/).
**8**:
Adds `kernel_tx` and `kernel_rx` options for TLS inbound.
Enables kernel-level TLS offloading via `splice(2)` on Linux 5.1+ with TLS 1.3.
See [TLS](/configuration/shared/tls/).
**9**:
sing-box can now proxy ICMP echo (ping) requests.
A new `icmp` network type is available for route rules.
Supported from TUN, WireGuard and Tailscale inbounds to Direct, WireGuard and Tailscale outbounds.
The `reject` action can also reply to ICMP echo requests.
**10**:
New rule items for matching based on interface IP addresses, available in route rules, DNS rules and rule-sets.
**11**:
Matches outbounds' preferred routes.
For Tailscale: MagicDNS domains and peers' allowed IPs. For WireGuard: peers' allowed IPs.
**12**:
The `local` DNS server now uses platform-native resolution:
`getaddrinfo`/libresolv on Apple platforms, systemd-resolved DBus on Linux.
A new `prefer_go` option is available to opt out.
See [Local DNS](/configuration/dns/server/local/).
**13**:
The default TCP keep-alive initial period has been updated from 10 minutes to 5 minutes.
See [Dial Fields](/configuration/shared/dial/#tcp_keep_alive).
**14**:
Adds the Linux socket option `IP_BIND_ADDRESS_NO_PORT` support when explicitly binding to a source address.
This allows reusing the same source port for multiple connections, improving scalability for high-concurrency proxy scenarios.
See [Dial Fields](/configuration/shared/dial/#bind_address_no_port).
**15**:
Tailscale endpoint can now create a system TUN interface to handle traffic directly.
New `relay_server_port` and `relay_server_static_endpoints` options for incoming relay connections.
New `advertise_tags` option for ACL tag advertisement.
See [Tailscale endpoint](/configuration/endpoint/tailscale/).
**16**:
CCM (Claude Code Multiplexer) service allows you to access your local Claude Code subscription remotely through custom tokens, eliminating the need for OAuth authentication on remote clients.
See [CCM](/configuration/service/ccm).
**17**:
See [OCM](/configuration/service/ocm).
**18**:
Due to maintenance difficulties, sing-box 1.13.0 requires at least Go 1.24 to compile.
**19**:
Due to maintenance difficulties, sing-box 1.13.0 will be the last version to support Android 5.0,
and only through a separate legacy build (with `-legacy-android-5` suffix).
For standalone binaries, the minimum Android version has been raised to Android 6.0,
since Termux requires Android 7.0 or later.
**20**:
This update fixes missing padding extension for Chrome 120+ fingerprints.
Also, documentation has been updated with a warning about uTLS fingerprinting vulnerabilities.
uTLS is not recommended for censorship circumvention due to fundamental architectural limitations;
use NaiveProxy instead for TLS fingerprint resistance.
#### 1.12.23
* Fixes and improvements
#### 1.13.0-rc.5
* Add `mipsle`, `mips64le`, `riscv64` and `loong64` support for NaiveProxy outbound
#### 1.12.22
* Fixes and improvements
#### 1.13.0-rc.3
* Fixes and improvements
#### 1.12.21
* Fixes and improvements
#### 1.13.0-rc.2
* Fixes and improvements
#### 1.12.20
* Fixes and improvements
#### 1.13.0-rc.1
* Fixes and improvements
#### 1.12.19
* Fixes and improvements
#### 1.13.0-beta.8
* Add fallback routing rule for `auto_redirect` **1**
* Fixes and improvements
**1**:
Adds a fallback iproute2 rule checked after system default rules (32766: main, 32767: default),
ensuring traffic is routed to the sing-box table when no route is found in system tables.
The rule index can be customized via `auto_redirect_iproute2_fallback_rule_index` (default: 32768).
#### 1.12.18
* Add fallback routing rule for `auto_redirect` **1**
@@ -30,6 +240,19 @@ ensuring traffic is routed to the sing-box table when no route is found in syste
The rule index can be customized via `auto_redirect_iproute2_fallback_rule_index` (default: 32768).
#### 1.13.0-beta.6
* Update uTLS to v1.8.2 **1**
* Fixes and improvements
**1**:
This update fixes missing padding extension for Chrome 120+ fingerprints.
Also, documentation has been updated with a warning about uTLS fingerprinting vulnerabilities.
uTLS is not recommended for censorship circumvention due to fundamental architectural limitations;
use NaiveProxy instead for TLS fingerprint resistance.
#### 1.12.17
* Update uTLS to v1.8.2 **1**
@@ -43,18 +266,204 @@ Also, documentation has been updated with a warning about uTLS fingerprinting vu
uTLS is not recommended for censorship circumvention due to fundamental architectural limitations;
use NaiveProxy instead for TLS fingerprint resistance.
#### 1.13.0-beta.5
* Fixes and improvements
#### 1.12.16
* Fixes and improvements
#### 1.13.0-beta.4
* Apple/Android: Add support for sharing configurations via [QRS](https://github.com/qifi-dev/qrs)
* Android: Add support for resisting VPN detection via Xposed
* Update quic-go to v0.59.0
* Fixes and improvements
#### 1.13.0-beta.2
* Add `bind_address_no_port` option for dial fields **1**
* Fixes and improvements
**1**:
Adds the Linux socket option `IP_BIND_ADDRESS_NO_PORT` support when explicitly binding to a source address.
This allows reusing the same source port for multiple connections, improving scalability for high-concurrency proxy scenarios.
See [Dial Fields](/configuration/shared/dial/#bind_address_no_port).
#### 1.13.0-beta.1
* Add system interface support for Tailscale endpoint **1**
* Fixes and improvements
**1**:
Tailscale endpoint can now create a system TUN interface to handle traffic directly.
See [Tailscale endpoint](/configuration/endpoint/tailscale/#system_interface).
#### 1.12.15
* Fixes and improvements
#### 1.13.0-alpha.36
* Downgrade quic-go to v0.57.1
* Fixes and improvements
#### 1.13.0-alpha.35
* Add pre-match support for `auto_redirect` **1**
* Fixes and improvements
**1**:
`auto_redirect` now allows you to bypass sing-box for connections based on routing rules.
A new rule action `bypass` is introduced to support this feature. When matched during pre-match, the connection will bypass sing-box and connect directly.
This feature requires Linux with `auto_redirect` enabled.
See [Pre-match](/configuration/shared/pre-match/) and [Rule Action](/configuration/route/rule_action/#bypass).
#### 1.13.0-alpha.34
* Add Chrome Root Store certificate option **1**
* Add new options for ACME DNS-01 challenge providers **2**
* Add Wi-Fi state support for Linux and Windows **3**
* Update naiveproxy to 143.0.7499.109
* Update quic-go to v0.58.0
* Update tailscale to v1.92.4
* Drop support for go1.23 **4**
* Drop support for Android 5.0 **5**
**1**:
Adds `chrome` as a new certificate store option alongside `mozilla`.
Both stores filter out China-based CA certificates.
See [Certificate](/configuration/certificate/#store).
**2**:
See [DNS-01 Challenge](/configuration/shared/dns01_challenge/).
**3**:
sing-box can now monitor Wi-Fi state on Linux and Windows to enable routing rules based on `wifi_ssid` and `wifi_bssid`.
See [Wi-Fi State](/configuration/shared/wifi-state/).
**4**:
Due to maintenance difficulties, sing-box 1.13.0 requires at least Go 1.24 to compile.
**5**:
Due to maintenance difficulties, sing-box 1.13.0 will be the last version to support Android 5.0,
and only through a separate legacy build (with `-legacy-android-5` suffix).
For standalone binaries, the minimum Android version has been raised to Android 6.0,
since Termux requires Android 7.0 or later.
#### 1.12.14
* Fixes and improvements
#### 1.13.0-alpha.33
* Fixes and improvements
#### 1.13.0-alpha.32
* Remove `certificate_public_key_sha256` option for NaiveProxy outbound **1**
* Fixes and improvements
**1**:
Self-signed certificates change traffic behavior significantly, which defeats the purpose of NaiveProxy's design to resist traffic analysis.
For this reason, and due to maintenance costs, there is no reason to continue supporting `certificate_public_key_sha256`, which was designed to simplify the use of self-signed certificates.
#### 1.13.0-alpha.31
* Add QUIC support for NaiveProxy outbound **1**
* Add QUIC congestion control option for NaiveProxy **2**
* Fixes and improvements
**1**:
NaiveProxy outbound now supports QUIC.
See [NaiveProxy outbound](/configuration/outbound/naive/#quic).
**2**:
NaiveProxy inbound and outbound now supports configurable QUIC congestion control algorithms, including BBR and BBRv2.
See [NaiveProxy inbound](/configuration/inbound/naive/#quic_congestion_control) and [NaiveProxy outbound](/configuration/outbound/naive/#quic_congestion_control).
#### 1.13.0-alpha.30
* Add ECH support for NaiveProxy outbound **1**
* Add `tls.ech.query_server_name` option **2**
* Fix NaiveProxy outbound on Windows **3**
* Add OpenAI Codex Multiplexer service **4**
* Fixes and improvements
**1**:
See [NaiveProxy outbound](/configuration/outbound/naive/#tls).
**2**:
See [TLS](/configuration/shared/tls/#query_server_name).
**3**:
Each Windows release now includes `libcronet.dll`.
Ensure this file is in the same directory as `sing-box.exe` or in a directory listed in `PATH`.
**4**:
See [OCM](/configuration/service/ocm).
#### 1.13.0-alpha.29
* Add UDP over TCP support for naiveproxy outbound **1**
* Fixes and improvements
**1**:
See [NaiveProxy outbound](/configuration/outbound/naive/#udp_over_tcp).
#### 1.13.0-alpha.28
* Add naiveproxy outbound **1**
* Add `disable_tcp_keep_alive`, `tcp_keep_alive` and `tcp_keep_alive_interval` options for dial fields **2**
* Update default TCP keep-alive initial period from 10 minutes to 5 minutes
* Update quic-go to v0.57.1
* Fixes and improvements
**1**:
Only available on Apple platforms, Android, Windows and some Linux architectures.
See [NaiveProxy outbound](/configuration/outbound/naive/).
**2**:
See [Dial Fields](/configuration/shared/dial/#tcp_keep_alive).
* __Unfortunately, for non-technical reasons, we are currently unable to notarize the standalone version of the macOS client:
because system extensions require signatures to function, we have had to temporarily halt its release.__
__We plan to fix the App Store release issue and launch a new standalone desktop client, but until then,
only clients on TestFlight will be available (unless you have an Apple Developer Program and compile from source code).__
#### 1.12.13
* Fix naive inbound
@@ -70,10 +479,49 @@ only clients on TestFlight will be available (unless you have an Apple Developer
* Fixes and improvements
#### 1.13.0-alpha.26
* Update quic-go to v0.55.0
* Fix memory leak in hysteria2
* Fixes and improvements
#### 1.12.11
* Fixes and improvements
#### 1.13.0-alpha.24
* Add Claude Code Multiplexer service **1**
* Fixes and improvements
**1**:
CCM (Claude Code Multiplexer) service allows you to access your local Claude Code subscription remotely through custom tokens, eliminating the need for OAuth authentication on remote clients.
See [CCM](/configuration/service/ccm).
#### 1.13.0-alpha.23
* Fix compatibility with MPTCP **1**
* Fixes and improvements
**1**:
`auto_redirect` now rejects MPTCP connections by default to fix compatibility issues,
but you can change it to bypass the sing-box via the new `exclude_mptcp` option.
See [TUN](/configuration/inbound/tun/#exclude_mptcp).
#### 1.13.0-alpha.22
* Update uTLS to v1.8.1 **1**
* Fixes and improvements
**1**:
This update fixes an critical issue that could cause simulated Chrome fingerprints to be detected,
see https://github.com/refraction-networking/utls/pull/375.
#### 1.12.10
* Update uTLS to v1.8.1 **1**
@@ -84,18 +532,52 @@ only clients on TestFlight will be available (unless you have an Apple Developer
This update fixes an critical issue that could cause simulated Chrome fingerprints to be detected,
see https://github.com/refraction-networking/utls/pull/375.
#### 1.13.0-alpha.21
* Fix missing mTLS support in client options **1**
* Fixes and improvements
See [TLS](/configuration/shared/tls/).
#### 1.12.9
* Fixes and improvements
#### 1.13.0-alpha.16
* Add curve preferences, pinned public key SHA256 and mTLS for TLS options **1**
* Fixes and improvements
See [TLS](/configuration/shared/tls/).
#### 1.13.0-alpha.15
* Update quic-go to v0.54.0
* Update gVisor to v20250811
* Update Tailscale to v1.86.5
* Fixes and improvements
#### 1.12.8
* Fixes and improvements
#### 1.13.0-alpha.11
* Fixes and improvements
#### 1.12.5
* Fixes and improvements
#### 1.13.0-alpha.10
* Improve kTLS support **1**
* Fixes and improvements
**1**:
kTLS is now compatible with custom TLS implementations other than uTLS.
#### 1.12.4
* Fixes and improvements

13
docs/configuration/certificate/index.md
View File

@@ -4,6 +4,10 @@ icon: material/new-box
!!! question "Since sing-box 1.12.0"
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [Chrome Root Store](#store)
# Certificate
### Structure
@@ -27,11 +31,12 @@ icon: material/new-box
The default X509 trusted CA certificate list.
| Type | Description |
|--------------------|---------------------------------------------------------------------------------------------------------------|
| `system` (default) | System trusted CA certificates |
| Type | Description |
|--------------------|----------------------------------------------------------------------------------------------------------------|
| `system` (default) | System trusted CA certificates |
| `mozilla` | [Mozilla Included List](https://wiki.mozilla.org/CA/Included_Certificates) with China CA certificates removed |
| `none` | Empty list |
| `chrome` | [Chrome Root Store](https://g.co/chrome/root-policy) with China CA certificates removed |
| `none` | Empty list |
#### certificate

59
docs/configuration/certificate/index.zh.md Normal file
View File

@@ -0,0 +1,59 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [Chrome Root Store](#store)
# 证书
### 结构
```json
{
"store": "",
"certificate": [],
"certificate_path": [],
"certificate_directory_path": []
}
```
!!! note ""
当内容只有一项时,可以忽略 JSON 数组 [] 标签
### 字段
#### store
默认的 X509 受信任 CA 证书列表。
| 类型 | 描述 |
|-------------------|--------------------------------------------------------------------------------------------|
| `system`(默认) | 系统受信任的 CA 证书 |
| `mozilla` | [Mozilla 包含列表](https://wiki.mozilla.org/CA/Included_Certificates)(已移除中国 CA 证书) |
| `chrome` | [Chrome Root Store](https://g.co/chrome/root-policy)(已移除中国 CA 证书) |
| `none` | 空列表 |
#### certificate
要信任的证书行数组PEM 格式。
#### certificate_path
!!! note ""
文件修改时将自动重新加载。
要信任的证书路径PEM 格式。
#### certificate_directory_path
!!! note ""
文件修改时将自动重新加载。
搜索要信任的证书的目录路径PEM 格式。

53
docs/configuration/dns/rule.md
View File

@@ -2,6 +2,12 @@
icon: material/alert-decagram
---
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [interface_address](#interface_address)
:material-plus: [network_interface_address](#network_interface_address)
:material-plus: [default_interface_address](#default_interface_address)
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [ip_accept_any](#ip_accept_any)
@@ -130,6 +136,19 @@ icon: material/alert-decagram
],
"network_is_expensive": false,
"network_is_constrained": false,
"interface_address": {
"en0": [
"2000::/3"
]
},
"network_interface_address": {
"wifi": [
"2000::/3"
]
},
"default_interface_address": [
"2000::/3"
],
"wifi_ssid": [
"My WIFI"
],
@@ -359,19 +378,49 @@ such as Cellular or a Personal Hotspot (on Apple platforms).
Match if network is in Low Data Mode.
#### wifi_ssid
#### interface_address
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported on Linux, Windows, and macOS.
Match interface address.
#### network_interface_address
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported in graphical clients on Android and Apple platforms.
Matches network interface (same values as `network_type`) address.
#### default_interface_address
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported on Linux, Windows, and macOS.
Match default interface address.
#### wifi_ssid
!!! quote ""
Only supported in graphical clients on Android and Apple platforms, or on Linux.
Match WiFi SSID.
#### wifi_bssid
!!! quote ""
Only supported in graphical clients on Android and Apple platforms.
Only supported in graphical clients on Android and Apple platforms, or on Linux.
Match WiFi BSSID.

53
docs/configuration/dns/rule.zh.md
View File

@@ -2,6 +2,12 @@
icon: material/alert-decagram
---
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [interface_address](#interface_address)
:material-plus: [network_interface_address](#network_interface_address)
:material-plus: [default_interface_address](#default_interface_address)
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [ip_accept_any](#ip_accept_any)
@@ -130,6 +136,19 @@ icon: material/alert-decagram
],
"network_is_expensive": false,
"network_is_constrained": false,
"interface_address": {
"en0": [
"2000::/3"
]
},
"network_interface_address": {
"wifi": [
"2000::/3"
]
},
"default_interface_address": [
"2000::/3"
],
"wifi_ssid": [
"My WIFI"
],
@@ -358,19 +377,49 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
匹配如果网络在低数据模式下。
#### wifi_ssid
#### interface_address
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅支持 Linux、Windows 和 macOS.
匹配接口地址。
#### network_interface_address
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅在 Android 与 Apple 平台图形客户端中支持。
匹配网络接口(可用值同 `network_type`)地址。
#### default_interface_address
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅支持 Linux、Windows 和 macOS.
匹配默认接口地址。
#### wifi_ssid
!!! quote ""
仅在 Android 与 Apple 平台图形客户端和 Linux 中支持。
匹配 WiFi SSID。
#### wifi_bssid
!!! quote ""
仅在 Android 与 Apple 平台图形客户端中支持。
仅在 Android 与 Apple 平台图形客户端和 Linux 中支持。
匹配 WiFi BSSID。

38
docs/configuration/dns/server/dhcp.zh.md Normal file
View File

@@ -0,0 +1,38 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# DHCP
### 结构
```json
{
"dns": {
"servers": [
{
"type": "dhcp",
"tag": "",
"interface": "",
// 拨号字段
}
]
}
}
```
### 字段
#### interface
要监听的网络接口名称。
默认使用默认接口。
### 拨号字段
参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。

35
docs/configuration/dns/server/fakeip.zh.md Normal file
View File

@@ -0,0 +1,35 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# Fake IP
### 结构
```json
{
"dns": {
"servers": [
{
"type": "fakeip",
"tag": "",
"inet4_range": "198.18.0.0/15",
"inet6_range": "fc00::/18"
}
]
}
}
```
### 字段
#### inet4_range
FakeIP 的 IPv4 地址范围。
#### inet6_range
FakeIP 的 IPv6 地址范围。

96
docs/configuration/dns/server/hosts.zh.md Normal file
View File

@@ -0,0 +1,96 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# Hosts
### 结构
```json
{
"dns": {
"servers": [
{
"type": "hosts",
"tag": "",
"path": [],
"predefined": {}
}
]
}
}
```
!!! note ""
当内容只有一项时,可以忽略 JSON 数组 [] 标签
### 字段
#### path
hosts 文件路径列表。
默认使用 `/etc/hosts`
在 Windows 上默认使用 `C:\Windows\System32\Drivers\etc\hosts`
示例:
```json
{
// "path": "/etc/hosts"
"path": [
"/etc/hosts",
"$HOME/.hosts"
]
}
```
#### predefined
预定义的 hosts。
示例:
```json
{
"predefined": {
"www.google.com": "127.0.0.1",
"localhost": [
"127.0.0.1",
"::1"
]
}
}
```
### 示例
=== "如果可用则使用 hosts"
```json
{
"dns": {
"servers": [
{
...
},
{
"type": "hosts",
"tag": "hosts"
}
],
"rules": [
{
"ip_accept_any": true,
"server": "hosts"
}
]
}
}
```

71
docs/configuration/dns/server/http3.zh.md Normal file
View File

@@ -0,0 +1,71 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# DNS over HTTP3 (DoH3)
### 结构
```json
{
"dns": {
"servers": [
{
"type": "h3",
"tag": "",
"server": "",
"server_port": 443,
"path": "",
"headers": {},
"tls": {},
// 拨号字段
}
]
}
}
```
!!! info "与旧版 H3 服务器的区别"
* 旧服务器默认使用默认出站,除非指定了绕行;新服务器像出站一样使用拨号器,相当于默认使用空的直连出站。
* 旧服务器使用 `address_resolver``address_strategy` 来解析服务器中的域名;新服务器改用 [拨号字段](/zh/configuration/shared/dial/) 中的 `domain_resolver``domain_strategy`
### 字段
#### server
==必填==
DNS 服务器的地址。
如果使用域名,还必须设置 `domain_resolver` 来解析 IP 地址。
#### server_port
DNS 服务器的端口。
默认使用 `443`
#### path
DNS 服务器的路径。
默认使用 `/dns-query`
#### headers
发送到 DNS 服务器的额外标头。
#### tls
TLS 配置,参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
### 拨号字段
参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。

71
docs/configuration/dns/server/https.zh.md Normal file
View File

@@ -0,0 +1,71 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# DNS over HTTPS (DoH)
### 结构
```json
{
"dns": {
"servers": [
{
"type": "https",
"tag": "",
"server": "",
"server_port": 443,
"path": "",
"headers": {},
"tls": {},
// 拨号字段
}
]
}
}
```
!!! info "与旧版 HTTPS 服务器的区别"
* 旧服务器默认使用默认出站,除非指定了绕行;新服务器像出站一样使用拨号器,相当于默认使用空的直连出站。
* 旧服务器使用 `address_resolver``address_strategy` 来解析服务器中的域名;新服务器改用 [拨号字段](/zh/configuration/shared/dial/) 中的 `domain_resolver``domain_strategy`
### 字段
#### server
==必填==
DNS 服务器的地址。
如果使用域名,还必须设置 `domain_resolver` 来解析 IP 地址。
#### server_port
DNS 服务器的端口。
默认使用 `443`
#### path
DNS 服务器的路径。
默认使用 `/dns-query`
#### headers
发送到 DNS 服务器的额外标头。
#### tls
TLS 配置,参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
### 拨号字段
参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。

96
docs/configuration/dns/server/index.zh.md
View File

@@ -1,48 +1,48 @@
---
icon: material/alert-decagram
---
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [type](#type)
# DNS Server
### 结构
```json
{
"dns": {
"servers": [
{
"type": "",
"tag": ""
}
]
}
}
```
#### type
DNS 服务器的类型。
| 类型 | 格式 |
|-----------------|---------------------------|
| empty (default) | [Legacy](./legacy/) |
| `local` | [Local](./local/) |
| `hosts` | [Hosts](./hosts/) |
| `tcp` | [TCP](./tcp/) |
| `udp` | [UDP](./udp/) |
| `tls` | [TLS](./tls/) |
| `quic` | [QUIC](./quic/) |
| `https` | [HTTPS](./https/) |
| `h3` | [HTTP/3](./http3/) |
| `dhcp` | [DHCP](./dhcp/) |
| `fakeip` | [Fake IP](./fakeip/) |
| `tailscale` | [Tailscale](./tailscale/) |
| `resolved` | [Resolved](./resolved/) |
#### tag
DNS 服务器的标签。
---
icon: material/alert-decagram
---
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [type](#type)
# DNS Server
### 结构
```json
{
"dns": {
"servers": [
{
"type": "",
"tag": ""
}
]
}
}
```
#### type
DNS 服务器的类型。
| 类型 | 格式 |
|-----------------|---------------------------|
| empty (default) | [Legacy](./legacy/) |
| `local` | [Local](./local/) |
| `hosts` | [Hosts](./hosts/) |
| `tcp` | [TCP](./tcp/) |
| `udp` | [UDP](./udp/) |
| `tls` | [TLS](./tls/) |
| `quic` | [QUIC](./quic/) |
| `https` | [HTTPS](./https/) |
| `h3` | [HTTP/3](./http3/) |
| `dhcp` | [DHCP](./dhcp/) |
| `fakeip` | [Fake IP](./fakeip/) |
| `tailscale` | [Tailscale](./tailscale/) |
| `resolved` | [Resolved](./resolved/) |
#### tag
DNS 服务器的标签。

2
docs/configuration/dns/server/legacy.zh.md
View File

@@ -53,7 +53,7 @@ DNS 服务器的地址。
| `HTTP3` | `h3://8.8.8.8/dns-query` |
| `RCode` | `rcode://refused` |
| `DHCP` | `dhcp://auto``dhcp://en0` |
| [FakeIP](/configuration/dns/fakeip/) | `fakeip` |
| [FakeIP](/zh/configuration/dns/fakeip/) | `fakeip` |
!!! warning ""

30
docs/configuration/dns/server/local.md
View File

@@ -2,6 +2,10 @@
icon: material/new-box
---
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [prefer_go](#prefer_go)
!!! question "Since sing-box 1.12.0"
# Local
@@ -15,6 +19,7 @@ icon: material/new-box
{
"type": "local",
"tag": "",
"prefer_go": false
// Dial Fields
}
@@ -24,10 +29,33 @@ icon: material/new-box
```
!!! info "Difference from legacy local server"
* The old legacy local server only handles IP requests; the new one handles all types of requests and supports concurrent for IP requests.
* The old local server uses default outbound by default unless detour is specified; the new one uses dialer just like outbound, which is equivalent to using an empty direct outbound by default.
### Fields
#### prefer_go
!!! question "Since sing-box 1.13.0"
When enabled, `local` DNS server will resolve DNS by dialing itself whenever possible.
Specifically, it disables following behaviors which was added as features in sing-box 1.13.0:
1. On Apple platforms: Attempt to resolve A/AAAA requests using `getaddrinfo` in NetworkExtension.
2. On Linux: Resolve through `systemd-resolvd`'s DBus interface when available.
As a sole exception, it cannot disable the following behavior:
1. In the Android graphical client,
`local` will always resolve DNS through the platform interface,
as there is no other way to obtain upstream DNS servers;
On devices running Android versions lower than 10, this interface can only resolve A/AAAA requests.
2. On macOS, `local` will try DHCP first in Network Extension, since DHCP respects DIal Fields,
it will not be disabled by `prefer_go`.
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.

61
docs/configuration/dns/server/local.zh.md Normal file
View File

@@ -0,0 +1,61 @@
---
icon: material/new-box
---
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [prefer_go](#prefer_go)
!!! question "自 sing-box 1.12.0 起"
# Local
### 结构
```json
{
"dns": {
"servers": [
{
"type": "local",
"tag": "",
"prefer_go": false,
// 拨号字段
}
]
}
}
```
!!! info "与旧版本地服务器的区别"
* 旧的传统本地服务器只处理 IP 请求;新的服务器处理所有类型的请求,并支持 IP 请求的并发处理。
* 旧的本地服务器默认使用默认出站,除非指定了绕行;新服务器像出站一样使用拨号器,相当于默认使用空的直连出站。
### 字段
#### prefer_go
!!! question "自 sing-box 1.13.0 起"
启用后,`local` DNS 服务器将尽可能通过拨号自身来解析 DNS。
具体来说,它禁用了在 sing-box 1.13.0 中作为功能添加的以下行为:
1. 在 Apple 平台上:尝试在 NetworkExtension 中使用 `getaddrinfo` 解析 A/AAAA 请求。
2. 在 Linux 上:当可用时通过 `systemd-resolvd` 的 DBus 接口进行解析。
作为唯一的例外,它无法禁用以下行为:
1. 在 Android 图形客户端中,
`local` 将始终通过平台接口解析 DNS
因为没有其他方法来获取上游 DNS 服务器;
在运行 Android 10 以下版本的设备上,此接口只能解析 A/AAAA 请求。
2. 在 macOS 上,`local` 会在 Network Extension 中首先尝试 DHCP由于 DHCP 遵循拨号字段,
它不会被 `prefer_go` 禁用。
### 拨号字段
参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。

58
docs/configuration/dns/server/quic.zh.md Normal file
View File

@@ -0,0 +1,58 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# DNS over QUIC (DoQ)
### 结构
```json
{
"dns": {
"servers": [
{
"type": "quic",
"tag": "",
"server": "",
"server_port": 853,
"tls": {},
// 拨号字段
}
]
}
}
```
!!! info "与旧版 QUIC 服务器的区别"
* 旧服务器默认使用默认出站,除非指定了绕行;新服务器像出站一样使用拨号器,相当于默认使用空的直连出站。
* 旧服务器使用 `address_resolver``address_strategy` 来解析服务器中的域名;新服务器改用 [拨号字段](/zh/configuration/shared/dial/) 中的 `domain_resolver``domain_strategy`
### 字段
#### server
==必填==
DNS 服务器的地址。
如果使用域名,还必须设置 `domain_resolver` 来解析 IP 地址。
#### server_port
DNS 服务器的端口。
默认使用 `853`
#### tls
TLS 配置,参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
### 拨号字段
参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。

83
docs/configuration/dns/server/resolved.zh.md Normal file
View File

@@ -0,0 +1,83 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# Resolved
```json
{
"dns": {
"servers": [
{
"type": "resolved",
"tag": "",
"service": "resolved",
"accept_default_resolvers": false
}
]
}
}
```
### 字段
#### service
==必填==
[Resolved 服务](/zh/configuration/service/resolved) 的标签。
#### accept_default_resolvers
指示是否除了匹配域名外,还应接受默认 DNS 解析器以进行回退查询。
具体来说,默认 DNS 解析器是设置了 `SetLinkDefaultRoute``SetLinkDomains ~.` 的 DNS 服务器。
如果未启用,对于不匹配搜索域或匹配域的请求,将返回 `NXDOMAIN`
### 示例
=== "仅分割 DNS"
```json
{
"dns": {
"servers": [
{
"type": "local",
"tag": "local"
},
{
"type": "resolved",
"tag": "resolved",
"service": "resolved"
}
],
"rules": [
{
"ip_accept_any": true,
"server": "resolved"
}
]
}
}
```
=== "用作全局 DNS"
```json
{
"dns": {
"servers": [
{
"type": "resolved",
"service": "resolved",
"accept_default_resolvers": true
}
]
}
}
```

83
docs/configuration/dns/server/tailscale.zh.md Normal file
View File

@@ -0,0 +1,83 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# Tailscale
### 结构
```json
{
"dns": {
"servers": [
{
"type": "tailscale",
"tag": "",
"endpoint": "ts-ep",
"accept_default_resolvers": false
}
]
}
}
```
### 字段
#### endpoint
==必填==
[Tailscale 端点](/zh/configuration/endpoint/tailscale) 的标签。
#### accept_default_resolvers
指示是否除了 MagicDNS 外,还应接受默认 DNS 解析器以进行回退查询。
如果未启用,对于非 Tailscale 域名查询将返回 `NXDOMAIN`
### 示例
=== "仅 MagicDNS"
```json
{
"dns": {
"servers": [
{
"type": "local",
"tag": "local"
},
{
"type": "tailscale",
"tag": "ts",
"endpoint": "ts-ep"
}
],
"rules": [
{
"ip_accept_any": true,
"server": "ts"
}
]
}
}
```
=== "用作全局 DNS"
```json
{
"dns": {
"servers": [
{
"type": "tailscale",
"endpoint": "ts-ep",
"accept_default_resolvers": true
}
]
}
}
```

52
docs/configuration/dns/server/tcp.zh.md Normal file
View File

@@ -0,0 +1,52 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# TCP
### 结构
```json
{
"dns": {
"servers": [
{
"type": "tcp",
"tag": "",
"server": "",
"server_port": 53,
// 拨号字段
}
]
}
}
```
!!! info "与旧版 TCP 服务器的区别"
* 旧服务器默认使用默认出站,除非指定了绕行;新服务器像出站一样使用拨号器,相当于默认使用空的直连出站。
* 旧服务器使用 `address_resolver``address_strategy` 来解析服务器中的域名;新服务器改用 [拨号字段](/zh/configuration/shared/dial/) 中的 `domain_resolver``domain_strategy`
### 字段
#### server
==必填==
DNS 服务器的地址。
如果使用域名,还必须设置 `domain_resolver` 来解析 IP 地址。
#### server_port
DNS 服务器的端口。
默认使用 `53`
### 拨号字段
参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。

58
docs/configuration/dns/server/tls.zh.md Normal file
View File

@@ -0,0 +1,58 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# DNS over TLS (DoT)
### 结构
```json
{
"dns": {
"servers": [
{
"type": "tls",
"tag": "",
"server": "",
"server_port": 853,
"tls": {},
// 拨号字段
}
]
}
}
```
!!! info "与旧版 TLS 服务器的区别"
* 旧服务器默认使用默认出站,除非指定了绕行;新服务器像出站一样使用拨号器,相当于默认使用空的直连出站。
* 旧服务器使用 `address_resolver``address_strategy` 来解析服务器中的域名;新服务器改用 [拨号字段](/zh/configuration/shared/dial/) 中的 `domain_resolver``domain_strategy`
### 字段
#### server
==必填==
DNS 服务器的地址。
如果使用域名,还必须设置 `domain_resolver` 来解析 IP 地址。
#### server_port
DNS 服务器的端口。
默认使用 `853`
#### tls
TLS 配置,参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
### 拨号字段
参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。

52
docs/configuration/dns/server/udp.zh.md Normal file
View File

@@ -0,0 +1,52 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# UDP
### 结构
```json
{
"dns": {
"servers": [
{
"type": "udp",
"tag": "",
"server": "",
"server_port": 53,
// 拨号字段
}
]
}
}
```
!!! info "与旧版 UDP 服务器的区别"
* 旧服务器默认使用默认出站,除非指定了绕行;新服务器像出站一样使用拨号器,相当于默认使用空的直连出站。
* 旧服务器使用 `address_resolver``address_strategy` 来解析服务器中的域名;新服务器改用 [拨号字段](/zh/configuration/shared/dial/) 中的 `domain_resolver``domain_strategy`
### 字段
#### server
==必填==
DNS 服务器的地址。
如果使用域名,还必须设置 `domain_resolver` 来解析 IP 地址。
#### server_port
DNS 服务器的端口。
默认使用 `53`
### 拨号字段
参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。

4
docs/configuration/endpoint/index.md
View File

@@ -1,7 +1,3 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.11.0"
# Endpoint

4
docs/configuration/endpoint/index.zh.md
View File

@@ -1,7 +1,3 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.11.0 起"
# 端点

55
docs/configuration/endpoint/tailscale.md
View File

@@ -2,6 +2,15 @@
icon: material/new-box
---
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [relay_server_port](#relay_server_port)
:material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)
:material-plus: [system_interface](#system_interface)
:material-plus: [system_interface_name](#system_interface_name)
:material-plus: [system_interface_mtu](#system_interface_mtu)
:material-plus: [advertise_tags](#advertise_tags)
!!! question "Since sing-box 1.12.0"
### Structure
@@ -20,8 +29,14 @@ icon: material/new-box
"exit_node_allow_lan_access": false,
"advertise_routes": [],
"advertise_exit_node": false,
"advertise_tags": [],
"relay_server_port": 0,
"relay_server_static_endpoints": [],
"system_interface": false,
"system_interface_name": "",
"system_interface_mtu": 0,
"udp_timeout": "5m",
... // Dial Fields
}
```
@@ -89,6 +104,44 @@ Example: `["192.168.1.1/24"]`
Indicates whether the node should advertise itself as an exit node.
#### advertise_tags
!!! question "Since sing-box 1.13.0"
Tags to advertise for this node, for ACL enforcement purposes.
Example: `["tag:server"]`
#### relay_server_port
!!! question "Since sing-box 1.13.0"
The port to listen on for incoming relay connections from other Tailscale nodes.
#### relay_server_static_endpoints
!!! question "Since sing-box 1.13.0"
Static endpoints to advertise for the relay server.
#### system_interface
!!! question "Since sing-box 1.13.0"
Create a system TUN interface for Tailscale.
#### system_interface_name
!!! question "Since sing-box 1.13.0"
Custom TUN interface name. By default, `tailscale` (or `utun` on macOS) will be used.
#### system_interface_mtu
!!! question "Since sing-box 1.13.0"
Override the TUN MTU. By default, Tailscale's own MTU is used.
#### udp_timeout
UDP NAT expiration time.

156
docs/configuration/endpoint/tailscale.zh.md Normal file
View File

@@ -0,0 +1,156 @@
---
icon: material/new-box
---
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [relay_server_port](#relay_server_port)
:material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)
:material-plus: [system_interface](#system_interface)
:material-plus: [system_interface_name](#system_interface_name)
:material-plus: [system_interface_mtu](#system_interface_mtu)
:material-plus: [advertise_tags](#advertise_tags)
!!! question "自 sing-box 1.12.0 起"
### 结构
```json
{
"type": "tailscale",
"tag": "ts-ep",
"state_directory": "",
"auth_key": "",
"control_url": "",
"ephemeral": false,
"hostname": "",
"accept_routes": false,
"exit_node": "",
"exit_node_allow_lan_access": false,
"advertise_routes": [],
"advertise_exit_node": false,
"advertise_tags": [],
"relay_server_port": 0,
"relay_server_static_endpoints": [],
"system_interface": false,
"system_interface_name": "",
"system_interface_mtu": 0,
"udp_timeout": "5m",
... // 拨号字段
}
```
### 字段
#### state_directory
存储 Tailscale 状态的目录。
默认使用 `tailscale`
示例:`$HOME/.tailscale`
#### auth_key
!!! note
认证密钥不是必需的。默认情况下sing-box 将记录登录 URL或在图形客户端上弹出通知
用于创建节点的认证密钥。如果节点已经创建(从之前存储的状态),则不使用此字段。
#### control_url
协调服务器 URL。
默认使用 `https://controlplane.tailscale.com`
#### ephemeral
指示实例是否应注册为临时节点 (https://tailscale.com/s/ephemeral-nodes)。
#### hostname
节点的主机名。
默认使用系统主机名。
示例:`localhost`
#### accept_routes
指示节点是否应接受其他节点通告的路由。
#### exit_node
要使用的出口节点名称或 IP 地址。
#### exit_node_allow_lan_access
!!! note
当出口节点没有相应的通告路由时,即使设置了 `exit_node_allow_lan_access`,私有流量也无法路由到出口节点。
指示本地可访问的子网应该直接路由还是通过出口节点路由。
#### advertise_routes
通告到 Tailscale 网络的 CIDR 前缀,作为可通过当前节点访问的路由。
示例:`["192.168.1.1/24"]`
#### advertise_exit_node
指示节点是否应将自己通告为出口节点。
#### advertise_tags
!!! question "自 sing-box 1.13.0 起"
为此节点通告的标签,用于 ACL 执行。
示例:`["tag:server"]`
#### relay_server_port
!!! question "自 sing-box 1.13.0 起"
监听来自其他 Tailscale 节点的中继连接的端口。
#### relay_server_static_endpoints
!!! question "自 sing-box 1.13.0 起"
为中继服务器通告的静态端点。
#### system_interface
!!! question "自 sing-box 1.13.0 起"
为 Tailscale 创建系统 TUN 接口。
#### system_interface_name
!!! question "自 sing-box 1.13.0 起"
自定义 TUN 接口名。默认使用 `tailscale`macOS 上为 `utun`)。
#### system_interface_mtu
!!! question "自 sing-box 1.13.0 起"
覆盖 TUN 的 MTU。默认使用 Tailscale 自己的 MTU。
#### udp_timeout
UDP NAT 过期时间。
默认使用 `5m`
### 拨号字段
!!! note
Tailscale 端点中的拨号字段仅控制它如何连接到控制平面,与实际连接无关。
参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。

4
docs/configuration/endpoint/wireguard.md
View File

@@ -1,7 +1,3 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.11.0"
### Structure

4
docs/configuration/endpoint/wireguard.zh.md
View File

@@ -1,7 +1,3 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.11.0 起"
### 结构

2
docs/configuration/experimental/cache-file.md
View File

@@ -3,7 +3,7 @@
!!! quote "Changes in sing-box 1.9.0"
:material-plus: [store_rdrc](#store_rdrc)
:material-plus: [rdrc_timeout](#rdrc_timeout)
:material-plus: [rdrc_timeout](#rdrc_timeout)
### Structure

2
docs/configuration/experimental/cache-file.zh.md
View File

@@ -3,7 +3,7 @@
!!! quote "sing-box 1.9.0 中的更改"
:material-plus: [store_rdrc](#store_rdrc)
:material-plus: [rdrc_timeout](#rdrc_timeout)
:material-plus: [rdrc_timeout](#rdrc_timeout)
### 结构

46
docs/configuration/inbound/naive.md
View File

@@ -1,20 +1,25 @@
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [quic_congestion_control](#quic_congestion_control)
### Structure
```json
{
"type": "naive",
"tag": "naive-in",
"network": "udp",
"type": "naive",
"tag": "naive-in",
"network": "udp",
...
// Listen Fields
... // Listen Fields
"users": [
{
"username": "sekai",
"password": "password"
}
],
"tls": {}
"users": [
{
"username": "sekai",
"password": "password"
}
],
"quic_congestion_control": "",
"tls": {}
}
```
@@ -36,6 +41,23 @@ Both if empty.
Naive users.
#### quic_congestion_control
!!! question "Since sing-box 1.13.0"
QUIC congestion control algorithm.
| Algorithm | Description |
|----------------|---------------------------------|
| `bbr` | BBR |
| `bbr_standard` | BBR (Standard version) |
| `bbr2` | BBRv2 |
| `bbr2_variant` | BBRv2 (An experimental variant) |
| `cubic` | CUBIC |
| `reno` | New Reno |
`bbr` is used by default (the default of QUICHE, used by Chromium which NaiveProxy is based on).
#### tls
TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

44
docs/configuration/inbound/naive.zh.md
View File

@@ -1,20 +1,25 @@
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [quic_congestion_control](#quic_congestion_control)
### 结构
```json
{
"type": "naive",
"tag": "naive-in",
"network": "udp",
"type": "naive",
"tag": "naive-in",
"network": "udp",
... // 监听字段
... // 监听字段
"users": [
{
"username": "sekai",
"password": "password"
}
],
"tls": {}
"users": [
{
"username": "sekai",
"password": "password"
}
],
"quic_congestion_control": "",
"tls": {}
}
```
@@ -36,6 +41,23 @@
Naive 用户。
#### quic_congestion_control
!!! question "Since sing-box 1.13.0"
QUIC 拥塞控制算法。
| 算法 | 描述 |
|----------------|--------------------|
| `bbr` | BBR |
| `bbr_standard` | BBR (标准版) |
| `bbr2` | BBRv2 |
| `bbr2_variant` | BBRv2 (一种试验变体) |
| `cubic` | CUBIC |
| `reno` | New Reno |
默认使用 `bbr`NaiveProxy 基于的 Chromium 使用的 QUICHE 的默认值)。
#### tls
TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

4
docs/configuration/inbound/shadowsocks.zh.md
View File

@@ -49,9 +49,9 @@
}
```
### Listen Fields
### 监听字段
See [Listen Fields](/configuration/shared/listen/) for details.
参阅 [监听字段](/zh/configuration/shared/listen/)
### 字段

6
docs/configuration/inbound/trojan.zh.md
View File

@@ -43,13 +43,11 @@ Trojan 用户。
#### tls
==如果启用 HTTP3 则必填==
TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
TLS 配置,参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
#### fallback
!!! quote ""
!!! failure ""
没有证据表明 GFW 基于 HTTP 响应检测并阻止 Trojan 服务器,并且在服务器上打开标准 http/s 端口是一个更大的特征。

40
docs/configuration/inbound/tun.md
View File

@@ -2,8 +2,11 @@
icon: material/new-box
---
!!! quote "Changes in sing-box 1.12.18"
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)
:material-plus: [auto_redirect_nfqueue](#auto_redirect_nfqueue)
:material-plus: [exclude_mptcp](#exclude_mptcp)
:material-plus: [auto_redirect_iproute2_fallback_rule_index](#auto_redirect_iproute2_fallback_rule_index)
!!! quote "Changes in sing-box 1.12.0"
@@ -38,7 +41,7 @@ icon: material/new-box
!!! quote "Changes in sing-box 1.9.0"
:material-plus: [platform.http_proxy.bypass_domain](#platformhttp_proxybypass_domain)
:material-plus: [platform.http_proxy.match_domain](#platformhttp_proxymatch_domain)
:material-plus: [platform.http_proxy.match_domain](#platformhttp_proxymatch_domain)
!!! quote "Changes in sing-box 1.8.0"
@@ -67,7 +70,10 @@ icon: material/new-box
"auto_redirect": true,
"auto_redirect_input_mark": "0x2023",
"auto_redirect_output_mark": "0x2024",
"auto_redirect_reset_mark": "0x2025",
"auto_redirect_nfqueue": 100,
"auto_redirect_iproute2_fallback_rule_index": 32768,
"exclude_mptcp": false,
"loopback_address": [
"10.7.0.1"
],
@@ -283,6 +289,22 @@ Connection output mark used by `auto_redirect`.
`0x2024` is used by default.
#### auto_redirect_reset_mark
!!! question "Since sing-box 1.13.0"
Connection reset mark used by `auto_redirect` pre-matching.
`0x2025` is used by default.
#### auto_redirect_nfqueue
!!! question "Since sing-box 1.13.0"
NFQueue number used by `auto_redirect` pre-matching.
`100` is used by default.
#### auto_redirect_iproute2_fallback_rule_index
!!! question "Since sing-box 1.12.18"
@@ -294,6 +316,20 @@ routing traffic to the sing-box table only when no route is found in system tabl
`32768` is used by default.
#### exclude_mptcp
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.
MPTCP cannot be transparently proxied due to protocol limitations.
Such traffic is usually created by Apple systems.
When enabled, MPTCP connections will bypass sing-box and connect directly, otherwise, will be rejected to avoid errors by default.
#### loopback_address
!!! question "Since sing-box 1.12.0"

43
docs/configuration/inbound/tun.zh.md
View File

@@ -2,8 +2,11 @@
icon: material/new-box
---
!!! quote "sing-box 1.12.18 中的更改"
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)
:material-plus: [auto_redirect_nfqueue](#auto_redirect_nfqueue)
:material-plus: [exclude_mptcp](#exclude_mptcp)
:material-plus: [auto_redirect_iproute2_fallback_rule_index](#auto_redirect_iproute2_fallback_rule_index)
!!! quote "sing-box 1.12.0 中的更改"
@@ -26,7 +29,7 @@ icon: material/new-box
:material-delete-clock: [inet6_route_address](#inet6_route_address)
:material-plus: [route_exclude_address](#route_address)
:material-delete-clock: [inet4_route_exclude_address](#inet4_route_exclude_address)
:material-delete-clock: [inet6_route_exclude_address](#inet6_route_exclude_address)
:material-delete-clock: [inet6_route_exclude_address](#inet6_route_exclude_address)
:material-plus: [iproute2_table_index](#iproute2_table_index)
:material-plus: [iproute2_rule_index](#iproute2_table_index)
:material-plus: [auto_redirect](#auto_redirect)
@@ -38,7 +41,7 @@ icon: material/new-box
!!! quote "sing-box 1.9.0 中的更改"
:material-plus: [platform.http_proxy.bypass_domain](#platformhttp_proxybypass_domain)
:material-plus: [platform.http_proxy.match_domain](#platformhttp_proxymatch_domain)
:material-plus: [platform.http_proxy.match_domain](#platformhttp_proxymatch_domain)
!!! quote "sing-box 1.8.0 中的更改"
@@ -67,7 +70,10 @@ icon: material/new-box
"auto_redirect": true,
"auto_redirect_input_mark": "0x2023",
"auto_redirect_output_mark": "0x2024",
"auto_redirect_reset_mark": "0x2025",
"auto_redirect_nfqueue": 100,
"auto_redirect_iproute2_fallback_rule_index": 32768,
"exclude_mptcp": false,
"loopback_address": [
"10.7.0.1"
],
@@ -282,6 +288,22 @@ tun 接口的 IPv6 前缀。
默认使用 `0x2024`
#### auto_redirect_reset_mark
!!! question "自 sing-box 1.13.0 起"
`auto_redirect` 预匹配使用的连接重置标记。
默认使用 `0x2025`
#### auto_redirect_nfqueue
!!! question "自 sing-box 1.13.0 起"
`auto_redirect` 预匹配使用的 NFQueue 编号。
默认使用 `100`
#### auto_redirect_iproute2_fallback_rule_index
!!! question "自 sing-box 1.12.18 起"
@@ -293,6 +315,20 @@ tun 接口的 IPv6 前缀。
默认使用 `32768`
#### exclude_mptcp
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅支持 Linux且需要 nftables`auto_route``auto_redirect` 已启用。
由于协议限制MPTCP 无法被透明代理。
此类流量通常由 Apple 系统创建。
启用时MPTCP 连接将绕过 sing-box 直接连接,否则,将被拒绝以避免错误。
#### loopback_address
!!! question "自 sing-box 1.12.0 起"
@@ -543,3 +579,4 @@ TCP/IP 栈。
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/)。

4
docs/configuration/outbound/hysteria2.md
View File

@@ -1,7 +1,3 @@
---
icon: material/new-box
---
!!! quote "Changes in sing-box 1.11.0"
:material-plus: [server_ports](#server_ports)

4
docs/configuration/outbound/hysteria2.zh.md
View File

@@ -1,7 +1,3 @@
---
icon: material/new-box
---
!!! quote "sing-box 1.11.0 中的更改"
:material-plus: [server_ports](#server_ports)

1
docs/configuration/outbound/index.md
View File

@@ -37,6 +37,7 @@
| `dns` | [DNS](./dns/) |
| `selector` | [Selector](./selector/) |
| `urltest` | [URLTest](./urltest/) |
| `naive` | [NaiveProxy](./naive/) |
#### tag

1
docs/configuration/outbound/index.zh.md
View File

@@ -37,6 +37,7 @@
| `dns` | [DNS](./dns/) |
| `selector` | [Selector](./selector/) |
| `urltest` | [URLTest](./urltest/) |
| `naive` | [NaiveProxy](./naive/) |
#### tag

114
docs/configuration/outbound/naive.md Normal file
View File

@@ -0,0 +1,114 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.13.0"
### Structure
```json
{
"type": "naive",
"tag": "naive-out",
"server": "127.0.0.1",
"server_port": 443,
"username": "sekai",
"password": "password",
"insecure_concurrency": 0,
"extra_headers": {},
"udp_over_tcp": false | {},
"quic": false,
"quic_congestion_control": "",
"tls": {},
... // Dial Fields
}
```
!!! warning "Platform Support"
NaiveProxy outbound is only available on Apple platforms, Android, Windows and certain Linux builds.
**Official Release Build Variants:**
| Build Variant | Platforms | Description |
|---------------|-----------|-------------|
| (default) | Linux amd64/arm64 | purego build with `libcronet.so` included |
| `-glibc` | Linux 386/amd64/arm/arm64 | CGO build dynamically linked with glibc, requires glibc >= 2.31 |
| `-musl` | Linux 386/amd64/arm/arm64 | CGO build statically linked with musl, no system requirements |
| (default) | Windows amd64/arm64 | purego build with `libcronet.dll` included |
**Runtime Requirements:**
- **Linux purego**: `libcronet.so` must be in the same directory as the sing-box binary or in system library path
- **Windows**: `libcronet.dll` must be in the same directory as `sing-box.exe` or in a directory listed in `PATH`
For self-built binaries, see [Build from source](/installation/build-from-source/#with_naive_outbound).
### Fields
#### server
==Required==
The server address.
#### server_port
==Required==
The server port.
#### username
Authentication username.
#### password
Authentication password.
#### insecure_concurrency
Number of concurrent tunnel connections. Multiple connections make the tunneling easier to detect through traffic analysis, which defeats the purpose of NaiveProxy's design to resist traffic analysis.
#### extra_headers
Extra headers to send in HTTP requests.
#### udp_over_tcp
UDP over TCP protocol settings.
See [UDP Over TCP](/configuration/shared/udp-over-tcp/) for details.
#### quic
Use QUIC instead of HTTP/2.
#### quic_congestion_control
QUIC congestion control algorithm.
| Algorithm | Description |
|-----------|-------------|
| `bbr` | BBR |
| `bbr2` | BBRv2 |
| `cubic` | CUBIC |
| `reno` | New Reno |
`bbr` is used by default (the default of QUICHE, used by Chromium which NaiveProxy is based on).
#### tls
==Required==
TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
Only `server_name`, `certificate`, `certificate_path` and `ech` are supported.
Self-signed certificates change traffic behavior significantly, which defeats the purpose of NaiveProxy's design to resist traffic analysis, and should not be used in production.
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.

114
docs/configuration/outbound/naive.zh.md Normal file
View File

@@ -0,0 +1,114 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.13.0 起"
### 结构
```json
{
"type": "naive",
"tag": "naive-out",
"server": "127.0.0.1",
"server_port": 443,
"username": "sekai",
"password": "password",
"insecure_concurrency": 0,
"extra_headers": {},
"udp_over_tcp": false | {},
"quic": false,
"quic_congestion_control": "",
"tls": {},
... // 拨号字段
}
```
!!! warning "平台支持"
NaiveProxy 出站仅在 Apple 平台、Android、Windows 和特定 Linux 构建上可用。
**官方发布版本区别:**
| 构建变体 | 平台 | 说明 |
|-----------|------------------------|------------------------------------------|
| (默认) | Linux amd64/arm64 | purego 构建,包含 `libcronet.so` |
| `-glibc` | Linux 386/amd64/arm/arm64 | CGO 构建,动态链接 glibc要求 glibc >= 2.31 |
| `-musl` | Linux 386/amd64/arm/arm64 | CGO 构建,静态链接 musl无系统要求 |
| (默认) | Windows amd64/arm64 | purego 构建,包含 `libcronet.dll` |
**运行时要求:**
- **Linux purego**`libcronet.so` 必须位于 sing-box 二进制文件相同目录或系统库路径中
- **Windows**`libcronet.dll` 必须位于 `sing-box.exe` 相同目录或 `PATH` 中的任意目录
自行构建请参阅 [从源代码构建](/zh/installation/build-from-source/#with_naive_outbound)。
### 字段
#### server
==必填==
服务器地址。
#### server_port
==必填==
服务器端口。
#### username
认证用户名。
#### password
认证密码。
#### insecure_concurrency
并发隧道连接数。多连接使隧道更容易被流量分析检测,违背 NaiveProxy 抵抗流量分析的设计目的。
#### extra_headers
HTTP 请求中发送的额外头部。
#### udp_over_tcp
UDP over TCP 配置。
参阅 [UDP Over TCP](/zh/configuration/shared/udp-over-tcp/)。
#### quic
使用 QUIC 代替 HTTP/2。
#### quic_congestion_control
QUIC 拥塞控制算法。
| 算法 | 描述 |
|------|------|
| `bbr` | BBR |
| `bbr2` | BBRv2 |
| `cubic` | CUBIC |
| `reno` | New Reno |
默认使用 `bbr`NaiveProxy 基于的 Chromium 使用的 QUICHE 的默认值)。
#### tls
==必填==
TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
只有 `server_name``certificate``certificate_path``ech` 是被支持的。
自签名证书会显著改变流量行为,违背了 NaiveProxy 旨在抵抗流量分析的设计初衷,不应该在生产环境中使用。
### 拨号字段
参阅 [拨号字段](/zh/configuration/shared/dial/)。

2
docs/configuration/outbound/tuic.zh.md
View File

@@ -66,7 +66,7 @@ UDP 包中继模式
#### udp_over_stream
这是 TUIC 的 [UDP over TCP 协议](/configuration/shared/udp-over-tcp/) 移植, 旨在提供 TUIC 不提供的 基于 QUIC 流的 UDP 中继模式。 由于它是一个附加协议,因此您需要使用 sing-box 或其他兼容的程序作为服务器。
这是 TUIC 的 [UDP over TCP 协议](/zh/configuration/shared/udp-over-tcp/) 移植, 旨在提供 TUIC 不提供的 基于 QUIC 流的 UDP 中继模式。 由于它是一个附加协议,因此您需要使用 sing-box 或其他兼容的程序作为服务器。
此模式在正确的 UDP 代理场景中没有任何积极作用,仅适用于中继流式 UDP 流量(基本上是 QUIC 流)。

2
docs/configuration/outbound/wireguard.md
View File

@@ -12,7 +12,7 @@ icon: material/delete-clock
!!! quote "Changes in sing-box 1.8.0"
:material-plus: [gso](#gso)
:material-plus: [gso](#gso)
### Structure

2
docs/configuration/outbound/wireguard.zh.md
View File

@@ -12,7 +12,7 @@ icon: material/delete-clock
!!! quote "sing-box 1.8.0 中的更改"
:material-plus: [gso](#gso)
:material-plus: [gso](#gso)
### 结构

2
docs/configuration/route/index.zh.md
View File

@@ -62,7 +62,7 @@ icon: material/alert-decagram
!!! question "自 sing-box 1.8.0 起"
一组 [规则集](/configuration/rule-set/)。
一组 [规则集](/zh/configuration/rule-set/)。
#### final

82
docs/configuration/route/rule.md
View File

@@ -2,6 +2,14 @@
icon: material/new-box
---
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [interface_address](#interface_address)
:material-plus: [network_interface_address](#network_interface_address)
:material-plus: [default_interface_address](#default_interface_address)
:material-plus: [preferred_by](#preferred_by)
:material-alert: [network](#network)
!!! quote "Changes in sing-box 1.11.0"
:material-plus: [action](#action)
@@ -128,12 +136,29 @@ icon: material/new-box
],
"network_is_expensive": false,
"network_is_constrained": false,
"interface_address": {
"en0": [
"2000::/3"
]
},
"network_interface_address": {
"wifi": [
"2000::/3"
]
},
"default_interface_address": [
"2000::/3"
],
"wifi_ssid": [
"My WIFI"
],
"wifi_bssid": [
"00:00:00:00:00:00"
],
"preferred_by": [
"tailscale",
"wireguard"
],
"rule_set": [
"geoip-cn",
"geosite-cn"
@@ -202,7 +227,15 @@ Sniffed client type, see [Protocol Sniff](/configuration/route/sniff/) for detai
#### network
`tcp` or `udp`.
!!! quote "Changes in sing-box 1.13.0"
Since sing-box 1.13.0, you can match ICMP echo (ping) requests via the new `icmp` network.
Such traffic originates from `TUN`, `WireGuard`, and `Tailscale` inbounds and can be routed to `Direct`, `WireGuard`, and `Tailscale` outbounds.
Match network type.
`tcp`, `udp` or `icmp`.
#### domain
@@ -363,22 +396,59 @@ such as Cellular or a Personal Hotspot (on Apple platforms).
Match if network is in Low Data Mode.
#### wifi_ssid
#### interface_address
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported on Linux, Windows, and macOS.
Match interface address.
#### network_interface_address
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported in graphical clients on Android and Apple platforms.
Matches network interface (same values as `network_type`) address.
#### default_interface_address
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported on Linux, Windows, and macOS.
Match default interface address.
#### wifi_ssid
Match WiFi SSID.
See [Wi-Fi State](/configuration/shared/wifi-state/) for details.
#### wifi_bssid
!!! quote ""
Only supported in graphical clients on Android and Apple platforms.
Match WiFi BSSID.
See [Wi-Fi State](/configuration/shared/wifi-state/) for details.
#### preferred_by
!!! question "Since sing-box 1.13.0"
Match specified outbounds' preferred routes.
| Type | Match |
|-------------|-----------------------------------------------|
| `tailscale` | Match MagicDNS domains and peers' allowed IPs |
| `wireguard` | Match peers's allowed IPs |
#### rule_set
!!! question "Since sing-box 1.8.0"

84
docs/configuration/route/rule.zh.md
View File

@@ -2,6 +2,14 @@
icon: material/new-box
---
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [interface_address](#interface_address)
:material-plus: [network_interface_address](#network_interface_address)
:material-plus: [default_interface_address](#default_interface_address)
:material-plus: [preferred_by](#preferred_by)
:material-alert: [network](#network)
!!! quote "sing-box 1.11.0 中的更改"
:material-plus: [action](#action)
@@ -125,12 +133,29 @@ icon: material/new-box
],
"network_is_expensive": false,
"network_is_constrained": false,
"interface_address": {
"en0": [
"2000::/3"
]
},
"network_interface_address": {
"wifi": [
"2000::/3"
]
},
"default_interface_address": [
"2000::/3"
],
"wifi_ssid": [
"My WIFI"
],
"wifi_bssid": [
"00:00:00:00:00:00"
],
"preferred_by": [
"tailscale",
"wireguard"
],
"rule_set": [
"geoip-cn",
"geosite-cn"
@@ -199,7 +224,15 @@ icon: material/new-box
#### network
`tcp``udp`
!!! quote "sing-box 1.13.0 中的更改"
自 sing-box 1.13.0 起,您可以通过新的 `icmp` 网络匹配 ICMP 回显ping请求。
此类流量源自 `TUN``WireGuard``Tailscale` 入站,并可路由至 `Direct``WireGuard``Tailscale` 出站。
匹配网络类型。
`tcp``udp``icmp`
#### domain
@@ -337,7 +370,7 @@ icon: material/new-box
匹配网络类型。
Available values: `wifi`, `cellular`, `ethernet` and `other`.
可用值: `wifi`, `cellular`, `ethernet` and `other`.
#### network_is_expensive
@@ -360,22 +393,59 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
匹配如果网络在低数据模式下。
#### wifi_ssid
#### interface_address
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅支持 Linux、Windows 和 macOS.
匹配接口地址。
#### network_interface_address
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅在 Android 与 Apple 平台图形客户端中支持。
匹配网络接口(可用值同 `network_type`)地址。
#### default_interface_address
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅支持 Linux、Windows 和 macOS.
匹配默认接口地址。
#### wifi_ssid
匹配 WiFi SSID。
参阅 [Wi-Fi 状态](/zh/configuration/shared/wifi-state/)。
#### wifi_bssid
!!! quote ""
仅在 Android 与 Apple 平台图形客户端中支持。
匹配 WiFi BSSID。
参阅 [Wi-Fi 状态](/zh/configuration/shared/wifi-state/)。
#### preferred_by
!!! question "自 sing-box 1.13.0 起"
匹配制定出站的首选路由。
| 类型 | 匹配 |
|-------------|--------------------------------|
| `tailscale` | 匹配 MagicDNS 域名和对端的 allowed IPs |
| `wireguard` | 匹配对端的 allowed IPs |
#### rule_set
!!! question "自 sing-box 1.8.0 起"

51
docs/configuration/route/rule_action.md
View File

@@ -2,6 +2,11 @@
icon: material/new-box
---
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [bypass](#bypass)
:material-alert: [reject](#reject)
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [tls_fragment](#tls_fragment)
@@ -40,8 +45,46 @@ Tag of target outbound.
See `route-options` fields below.
### bypass
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported on Linux with `auto_redirect` enabled.
```json
{
"action": "bypass",
"outbound": "",
... // route-options Fields
}
```
`bypass` bypasses sing-box at the kernel level for auto redirect connections in pre-match.
For non-auto-redirect connections and already established connections,
if `outbound` is specified, the behavior is the same as `route`;
otherwise, the rule will be skipped.
#### outbound
Tag of target outbound.
If not specified, the rule only matches in [pre-match](/configuration/shared/pre-match/)
from auto redirect, and will be skipped in other contexts.
#### route-options Fields
See `route-options` fields below.
### reject
!!! quote "Changes in sing-box 1.13.0"
Since sing-box 1.13.0, you can reject (or directly reply to) ICMP echo (ping) requests using `reject` action.
```json
{
"action": "reject",
@@ -58,9 +101,17 @@ For non-tun connections and already established connections, will just be closed
#### method
For TCP and UDP connections:
- `default`: Reply with TCP RST for TCP connections, and ICMP port unreachable for UDP packets.
- `drop`: Drop packets.
For ICMP echo requests:
- `default`: Reply with ICMP host unreachable.
- `drop`: Drop packets.
- `reply`: Reply with ICMP echo reply.
#### no_drop
If not enabled, `method` will be temporarily overwritten to `drop` after 50 triggers in 30s.

48
docs/configuration/route/rule_action.zh.md
View File

@@ -2,6 +2,11 @@
icon: material/new-box
---
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [bypass](#bypass)
:material-alert: [reject](#reject)
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [tls_fragment](#tls_fragment)
@@ -36,8 +41,43 @@ icon: material/new-box
参阅下方的 `route-options` 字段。
### bypass
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅支持 Linux且需要启用 `auto_redirect`
```json
{
"action": "bypass",
"outbound": "",
... // route-options 字段
}
```
`bypass` 在预匹配中为 auto redirect 连接在内核层面绕过 sing-box。
对于非 auto redirect 连接和已建立的连接,如果指定了 `outbound`,行为与 `route` 相同;否则规则将被跳过。
#### outbound
目标出站的标签。
如果未指定,规则仅在来自 auto redirect 的[预匹配](/configuration/shared/pre-match/)中匹配,在其他场景中将被跳过。
#### route-options 字段
参阅下方的 `route-options` 字段。
### reject
!!! quote "sing-box 1.13.0 中的更改"
自 sing-box 1.13.0 起,您可以通过 `reject` 动作拒绝或直接回复ICMP 回显ping请求。
```json
{
"action": "reject",
@@ -54,9 +94,17 @@ icon: material/new-box
#### method
对于 TCP 和 UDP 连接:
- `default`: 对于 TCP 连接回复 RST对于 UDP 包回复 ICMP 端口不可达。
- `drop`: 丢弃数据包。
对于 ICMP 回显请求:
- `default`: 回复 ICMP 主机不可达。
- `drop`: 丢弃数据包。
- `reply`: 回复以 ICMP 回显应答。
#### no_drop
如果未启用,则 30 秒内触发 50 次后,`method` 将被暂时覆盖为 `drop`

33
docs/configuration/rule-set/headless-rule.md
View File

@@ -2,6 +2,11 @@
icon: material/new-box
---
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [network_interface_address](#network_interface_address)
:material-plus: [default_interface_address](#default_interface_address)
!!! quote "Changes in sing-box 1.11.0"
:material-plus: [network_type](#network_type)
@@ -78,6 +83,14 @@ icon: material/new-box
],
"network_is_expensive": false,
"network_is_constrained": false,
"network_interface_address": {
"wifi": [
"2000::/3"
]
},
"default_interface_address": [
"2000::/3"
],
"wifi_ssid": [
"My WIFI"
],
@@ -225,6 +238,26 @@ such as Cellular or a Personal Hotspot (on Apple platforms).
Match if network is in Low Data Mode.
#### network_interface_address
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported in graphical clients on Android and Apple platforms.
Matches network interface (same values as `network_type`) address.
#### default_interface_address
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported on Linux, Windows, and macOS.
Match default interface address.
#### wifi_ssid
!!! quote ""

33
docs/configuration/rule-set/headless-rule.zh.md
View File

@@ -2,6 +2,11 @@
icon: material/new-box
---
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [network_interface_address](#network_interface_address)
:material-plus: [default_interface_address](#default_interface_address)
!!! quote "sing-box 1.11.0 中的更改"
:material-plus: [network_type](#network_type)
@@ -78,6 +83,14 @@ icon: material/new-box
],
"network_is_expensive": false,
"network_is_constrained": false,
"network_interface_address": {
"wifi": [
"2000::/3"
]
},
"default_interface_address": [
"2000::/3"
],
"wifi_ssid": [
"My WIFI"
],
@@ -221,6 +234,26 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
匹配如果网络在低数据模式下。
#### network_interface_address
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅在 Android 与 Apple 平台图形客户端中支持。
匹配网络接口(可用值同 `network_type`)地址。
#### default_interface_address
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅支持 Linux、Windows 和 macOS.
匹配默认接口地址。
#### wifi_ssid
!!! quote ""

5
docs/configuration/rule-set/source-format.md
View File

@@ -2,6 +2,10 @@
icon: material/new-box
---
!!! quote "Changes in sing-box 1.13.0"
:material-plus: version `4`
!!! quote "Changes in sing-box 1.11.0"
:material-plus: version `3`
@@ -36,6 +40,7 @@ Version of rule-set.
* 1: sing-box 1.8.0: Initial rule-set version.
* 2: sing-box 1.10.0: Optimized memory usages of `domain_suffix` rules in binary rule-sets.
* 3: sing-box 1.11.0: Added `network_type`, `network_is_expensive` and `network_is_constrainted` rule items.
* 4: sing-box 1.13.0: Added `network_interface_address` and `default_interface_address` rule items.
#### rules

5
docs/configuration/rule-set/source-format.zh.md
View File

@@ -2,6 +2,10 @@
icon: material/new-box
---
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: version `4`
!!! quote "sing-box 1.11.0 中的更改"
:material-plus: version `3`
@@ -36,6 +40,7 @@ icon: material/new-box
* 1: sing-box 1.8.0: 初始规则集版本。
* 2: sing-box 1.10.0: 优化了二进制规则集中 `domain_suffix` 规则的内存使用。
* 3: sing-box 1.11.0: 添加了 `network_type``network_is_expensive``network_is_constrainted` 规则项。
* 4: sing-box 1.13.0: 添加了 `network_interface_address``default_interface_address` 规则项。
#### rules

106
docs/configuration/service/ccm.md Normal file
View File

@@ -0,0 +1,106 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.13.0"
# CCM
CCM (Claude Code Multiplexer) service is a multiplexing service that allows you to access your local Claude Code subscription remotely through custom tokens.
It handles OAuth authentication with Claude's API on your local machine while allowing remote Claude Code to authenticate using Auth Tokens via the `ANTHROPIC_AUTH_TOKEN` environment variable.
### Structure
```json
{
"type": "ccm",
... // Listen Fields
"credential_path": "",
"usages_path": "",
"users": [],
"headers": {},
"detour": "",
"tls": {}
}
```
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
### Fields
#### credential_path
Path to the Claude Code OAuth credentials file.
If not specified, defaults to:
- `$CLAUDE_CONFIG_DIR/.credentials.json` if `CLAUDE_CONFIG_DIR` environment variable is set
- `~/.claude/.credentials.json` otherwise
On macOS, credentials are read from the system keychain first, then fall back to the file if unavailable.
Refreshed tokens are automatically written back to the same location.
#### usages_path
Path to the file for storing aggregated API usage statistics.
Usage tracking is disabled if not specified.
When enabled, the service tracks and saves comprehensive statistics including:
- Request counts
- Token usage (input, output, cache read, cache creation)
- Calculated costs in USD based on Claude API pricing
Statistics are organized by model, context window (200k standard vs 1M premium), and optionally by user when authentication is enabled.
The statistics file is automatically saved every minute and upon service shutdown.
#### users
List of authorized users for token authentication.
If empty, no authentication is required.
Claude Code authenticates by setting the `ANTHROPIC_AUTH_TOKEN` environment variable to their token value.
#### headers
Custom HTTP headers to send to the Claude API.
These headers will override any existing headers with the same name.
#### detour
Outbound tag for connecting to the Claude API.
#### tls
TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
### Example
```json
{
"services": [
{
"type": "ccm",
"listen": "127.0.0.1",
"listen_port": 8080
}
]
}
```
Connect to the CCM service:
```bash
export ANTHROPIC_BASE_URL="http://127.0.0.1:8080"
export ANTHROPIC_AUTH_TOKEN="sk-ant-ccm-auth-token-not-required-in-this-context"
claude
```

106
docs/configuration/service/ccm.zh.md Normal file
View File

@@ -0,0 +1,106 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.13.0 起"
# CCM
CCMClaude Code 多路复用器)服务是一个多路复用服务,允许您通过自定义令牌远程访问本地的 Claude Code 订阅。
它在本地机器上处理与 Claude API 的 OAuth 身份验证,同时允许远程 Claude Code 通过 `ANTHROPIC_AUTH_TOKEN` 环境变量使用认证令牌进行身份验证。
### 结构
```json
{
"type": "ccm",
... // 监听字段
"credential_path": "",
"usages_path": "",
"users": [],
"headers": {},
"detour": "",
"tls": {}
}
```
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/) 了解详情。
### 字段
#### credential_path
Claude Code OAuth 凭据文件的路径。
如果未指定,默认值为:
- 如果设置了 `CLAUDE_CONFIG_DIR` 环境变量,则使用 `$CLAUDE_CONFIG_DIR/.credentials.json`
- 否则使用 `~/.claude/.credentials.json`
在 macOS 上,首先从系统钥匙串读取凭据,如果不可用则回退到文件。
刷新的令牌会自动写回相同位置。
#### usages_path
用于存储聚合 API 使用统计信息的文件路径。
如果未指定,使用跟踪将被禁用。
启用后,服务会跟踪并保存全面的统计信息,包括:
- 请求计数
- 令牌使用量(输入、输出、缓存读取、缓存创建)
- 基于 Claude API 定价计算的美元成本
统计信息按模型、上下文窗口200k 标准版 vs 1M 高级版)以及可选的用户(启用身份验证时)进行组织。
统计文件每分钟自动保存一次,并在服务关闭时保存。
#### users
用于令牌身份验证的授权用户列表。
如果为空,则不需要身份验证。
Claude Code 通过设置 `ANTHROPIC_AUTH_TOKEN` 环境变量为其令牌值进行身份验证。
#### headers
发送到 Claude API 的自定义 HTTP 头。
这些头会覆盖同名的现有头。
#### detour
用于连接 Claude API 的出站标签。
#### tls
TLS 配置,参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
### 示例
```json
{
"services": [
{
"type": "ccm",
"listen": "127.0.0.1",
"listen_port": 8080
}
]
}
```
连接到 CCM 服务:
```bash
export ANTHROPIC_BASE_URL="http://127.0.0.1:8080"
export ANTHROPIC_AUTH_TOKEN="sk-ant-ccm-auth-token-not-required-in-this-context"
claude
```

135
docs/configuration/service/derp.zh.md Normal file
View File

@@ -0,0 +1,135 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# DERP
DERP 服务是一个 Tailscale DERP 服务器,类似于 [derper](https://pkg.go.dev/tailscale.com/cmd/derper)。
### 结构
```json
{
"type": "derp",
... // 监听字段
"tls": {},
"config_path": "",
"verify_client_endpoint": [],
"verify_client_url": [],
"home": "",
"mesh_with": [],
"mesh_psk": "",
"mesh_psk_file": "",
"stun": {}
}
```
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/) 了解详情。
### 字段
#### tls
TLS 配置,参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
#### config_path
==必填==
Derper 配置文件路径。
示例:`derper.key`
#### verify_client_endpoint
用于验证客户端的 Tailscale 端点标签。
#### verify_client_url
用于验证客户端的 URL。
对象格式:
```json
{
"url": "https://my-headscale.com/verify",
... // 拨号字段
}
```
将数组值设置为字符串 `__URL__` 等同于配置:
```json
{ "url": __URL__ }
```
#### home
在根路径提供的内容。可以留空(默认值,显示默认主页)、`blank` 显示空白页面,或一个重定向的 URL。
#### mesh_with
与其他 DERP 服务器组网。
对象格式:
```json
{
"server": "",
"server_port": "",
"host": "",
"tls": {},
... // 拨号字段
}
```
对象字段:
- `server`**必填** DERP 服务器地址。
- `server_port`**必填** DERP 服务器端口。
- `host`:自定义 DERP 主机名。
- `tls`[TLS](/zh/configuration/shared/tls/#outbound)
- `拨号字段`[拨号字段](/zh/configuration/shared/dial/)
#### mesh_psk
DERP 组网的预共享密钥。
#### mesh_psk_file
DERP 组网的预共享密钥文件。
#### stun
STUN 服务器监听选项。
对象格式:
```json
{
"enabled": true,
... // 监听字段
}
```
对象字段:
- `enabled`**必填** 启用 STUN 服务器。
- `listen`**必填** STUN 服务器监听地址,默认为 `::`
- `listen_port`**必填** STUN 服务器监听端口,默认为 `3478`
- `其他监听字段`[监听字段](/zh/configuration/shared/listen/)
`stun` 值设置为数字 `__PORT__` 等同于配置:
```json
{ "enabled": true, "listen_port": __PORT__ }
```

2
docs/configuration/service/index.md
View File

@@ -23,7 +23,9 @@ icon: material/new-box
| Type | Format |
|------------|------------------------|
| `ccm` | [CCM](./ccm) |
| `derp` | [DERP](./derp) |
| `ocm` | [OCM](./ocm) |
| `resolved` | [Resolved](./resolved) |
| `ssm-api` | [SSM API](./ssm-api) |

34
docs/configuration/service/index.zh.md Normal file
View File

@@ -0,0 +1,34 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# 服务
### 结构
```json
{
"services": [
{
"type": "",
"tag": ""
}
]
}
```
### 字段
| 类型 | 格式 |
|-----------|------------------------|
| `ccm` | [CCM](./ccm) |
| `derp` | [DERP](./derp) |
| `ocm` | [OCM](./ocm) |
| `resolved`| [Resolved](./resolved) |
| `ssm-api` | [SSM API](./ssm-api) |
#### tag
端点的标签。

171
docs/configuration/service/ocm.md Normal file
View File

@@ -0,0 +1,171 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.13.0"
# OCM
OCM (OpenAI Codex Multiplexer) service is a multiplexing service that allows you to access your local OpenAI Codex subscription remotely through custom tokens.
It handles OAuth authentication with OpenAI's API on your local machine while allowing remote clients to authenticate using custom tokens.
### Structure
```json
{
"type": "ocm",
... // Listen Fields
"credential_path": "",
"usages_path": "",
"users": [],
"headers": {},
"detour": "",
"tls": {}
}
```
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
### Fields
#### credential_path
Path to the OpenAI OAuth credentials file.
If not specified, defaults to `~/.codex/auth.json`.
Refreshed tokens are automatically written back to the same location.
#### usages_path
Path to the file for storing aggregated API usage statistics.
Usage tracking is disabled if not specified.
When enabled, the service tracks and saves comprehensive statistics including:
- Request counts
- Token usage (input, output, cached)
- Calculated costs in USD based on OpenAI API pricing
Statistics are organized by model and optionally by user when authentication is enabled.
The statistics file is automatically saved every minute and upon service shutdown.
#### users
List of authorized users for token authentication.
If empty, no authentication is required.
Object format:
```json
{
"name": "",
"token": ""
}
```
Object fields:
- `name`: Username identifier for tracking purposes.
- `token`: Bearer token for authentication. Clients authenticate by setting the `Authorization: Bearer <token>` header.
#### headers
Custom HTTP headers to send to the OpenAI API.
These headers will override any existing headers with the same name.
#### detour
Outbound tag for connecting to the OpenAI API.
#### tls
TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
### Example
#### Server
```json
{
"services": [
{
"type": "ocm",
"listen": "127.0.0.1",
"listen_port": 8080
}
]
}
```
#### Client
Add to `~/.codex/config.toml`:
```toml
[model_providers.ocm]
name = "OCM Proxy"
base_url = "http://127.0.0.1:8080/v1"
wire_api = "responses"
requires_openai_auth = false
```
Then run:
```bash
codex --model-provider ocm
```
### Example with Authentication
#### Server
```json
{
"services": [
{
"type": "ocm",
"listen": "0.0.0.0",
"listen_port": 8080,
"usages_path": "./codex-usages.json",
"users": [
{
"name": "alice",
"token": "sk-alice-secret-token"
},
{
"name": "bob",
"token": "sk-bob-secret-token"
}
]
}
]
}
```
#### Client
Add to `~/.codex/config.toml`:
```toml
[model_providers.ocm]
name = "OCM Proxy"
base_url = "http://127.0.0.1:8080/v1"
wire_api = "responses"
requires_openai_auth = false
experimental_bearer_token = "sk-alice-secret-token"
```
Then run:
```bash
codex --model-provider ocm
```

171
docs/configuration/service/ocm.zh.md Normal file
View File

@@ -0,0 +1,171 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.13.0 起"
# OCM
OCMOpenAI Codex 多路复用器)服务是一个多路复用服务,允许您通过自定义令牌远程访问本地的 OpenAI Codex 订阅。
它在本地机器上处理与 OpenAI API 的 OAuth 身份验证,同时允许远程客户端使用自定义令牌进行身份验证。
### 结构
```json
{
"type": "ocm",
... // 监听字段
"credential_path": "",
"usages_path": "",
"users": [],
"headers": {},
"detour": "",
"tls": {}
}
```
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/) 了解详情。
### 字段
#### credential_path
OpenAI OAuth 凭据文件的路径。
如果未指定,默认值为 `~/.codex/auth.json`
刷新的令牌会自动写回相同位置。
#### usages_path
用于存储聚合 API 使用统计信息的文件路径。
如果未指定,使用跟踪将被禁用。
启用后,服务会跟踪并保存全面的统计信息,包括:
- 请求计数
- 令牌使用量(输入、输出、缓存)
- 基于 OpenAI API 定价计算的美元成本
统计信息按模型以及可选的用户(启用身份验证时)进行组织。
统计文件每分钟自动保存一次,并在服务关闭时保存。
#### users
用于令牌身份验证的授权用户列表。
如果为空,则不需要身份验证。
对象格式:
```json
{
"name": "",
"token": ""
}
```
对象字段:
- `name`:用于跟踪的用户名标识符。
- `token`:用于身份验证的 Bearer 令牌。客户端通过设置 `Authorization: Bearer <token>` 头进行身份验证。
#### headers
发送到 OpenAI API 的自定义 HTTP 头。
这些头会覆盖同名的现有头。
#### detour
用于连接 OpenAI API 的出站标签。
#### tls
TLS 配置,参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
### 示例
#### 服务端
```json
{
"services": [
{
"type": "ocm",
"listen": "127.0.0.1",
"listen_port": 8080
}
]
}
```
#### 客户端
`~/.codex/config.toml` 中添加:
```toml
[model_providers.ocm]
name = "OCM Proxy"
base_url = "http://127.0.0.1:8080/v1"
wire_api = "responses"
requires_openai_auth = false
```
然后运行:
```bash
codex --model-provider ocm
```
### 带身份验证的示例
#### 服务端
```json
{
"services": [
{
"type": "ocm",
"listen": "0.0.0.0",
"listen_port": 8080,
"usages_path": "./codex-usages.json",
"users": [
{
"name": "alice",
"token": "sk-alice-secret-token"
},
{
"name": "bob",
"token": "sk-bob-secret-token"
}
]
}
]
}
```
#### 客户端
`~/.codex/config.toml` 中添加:
```toml
[model_providers.ocm]
name = "OCM Proxy"
base_url = "http://127.0.0.1:8080/v1"
wire_api = "responses"
requires_openai_auth = false
experimental_bearer_token = "sk-alice-secret-token"
```
然后运行:
```bash
codex --model-provider ocm
```

44
docs/configuration/service/resolved.zh.md Normal file
View File

@@ -0,0 +1,44 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# Resolved
Resolved 服务是一个伪造的 systemd-resolved DBUS 服务,用于从其他程序
(如 NetworkManager接收 DNS 设置并提供 DNS 解析。
另请参阅:[Resolved DNS 服务器](/zh/configuration/dns/server/resolved/)
### 结构
```json
{
"type": "resolved",
... // 监听字段
}
```
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/) 了解详情。
### 字段
#### listen
==必填==
监听地址。
默认使用 `127.0.0.53`
#### listen_port
==必填==
监听端口。
默认使用 `53`

58
docs/configuration/service/ssm-api.zh.md Normal file
View File

@@ -0,0 +1,58 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# SSM API
SSM API 服务是一个用于管理 Shadowsocks 服务器的 RESTful API 服务器。
参阅 https://github.com/Shadowsocks-NET/shadowsocks-specs/blob/main/2023-1-shadowsocks-server-management-api-v1.md
### 结构
```json
{
"type": "ssm-api",
... // 监听字段
"servers": {},
"cache_path": "",
"tls": {}
}
```
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/) 了解详情。
### 字段
#### servers
==必填==
从 HTTP 端点到 [Shadowsocks 入站](/zh/configuration/inbound/shadowsocks) 标签的映射对象。
选定的 Shadowsocks 入站必须配置启用 [managed](/zh/configuration/inbound/shadowsocks#managed)。
示例:
```json
{
"servers": {
"/": "ss-in"
}
}
```
#### cache_path
如果设置,当服务器即将停止时,流量和用户状态将保存到指定的 JSON 文件中,
以便在下次启动时恢复。
#### tls
TLS 配置,参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

49
docs/configuration/shared/dial.md
View File

@@ -2,6 +2,13 @@
icon: material/new-box
---
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)
:material-plus: [tcp_keep_alive](#tcp_keep_alive)
:material-plus: [tcp_keep_alive_interval](#tcp_keep_alive_interval)
:material-plus: [bind_address_no_port](#bind_address_no_port)
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [domain_resolver](#domain_resolver)
@@ -23,14 +30,18 @@ icon: material/new-box
"bind_interface": "",
"inet4_bind_address": "",
"inet6_bind_address": "",
"bind_address_no_port": false,
"routing_mark": 0,
"reuse_addr": false,
"netns": "",
"connect_timeout": "",
"tcp_fast_open": false,
"tcp_multi_path": false,
"disable_tcp_keep_alive": false,
"tcp_keep_alive": "",
"tcp_keep_alive_interval": "",
"udp_fragment": false,
"domain_resolver": "", // or {}
"network_strategy": "",
"network_type": [],
@@ -67,6 +78,18 @@ The IPv4 address to bind to.
The IPv6 address to bind to.
#### bind_address_no_port
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported on Linux.
Do not reserve a port when binding to a source address.
This allows reusing the same source port for multiple connections if the full 4-tuple (source IP, source port, destination IP, destination port) remains unique.
#### routing_mark
!!! quote ""
@@ -112,6 +135,30 @@ Enable TCP Fast Open.
Enable TCP Multi Path.
#### disable_tcp_keep_alive
!!! question "Since sing-box 1.13.0"
Disable TCP keep alive.
#### tcp_keep_alive
!!! question "Since sing-box 1.13.0"
Default value changed from `10m` to `5m`.
TCP keep alive initial period.
`5m` will be used by default.
#### tcp_keep_alive_interval
!!! question "Since sing-box 1.13.0"
TCP keep alive interval.
`75s` will be used by default.
#### udp_fragment
Enable UDP fragmentation.

48
docs/configuration/shared/dial.zh.md
View File

@@ -2,6 +2,13 @@
icon: material/new-box
---
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)
:material-plus: [tcp_keep_alive](#tcp_keep_alive)
:material-plus: [tcp_keep_alive_interval](#tcp_keep_alive_interval)
:material-plus: [bind_address_no_port](#bind_address_no_port)
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [domain_resolver](#domain_resolver)
@@ -23,13 +30,18 @@ icon: material/new-box
"bind_interface": "",
"inet4_bind_address": "",
"inet6_bind_address": "",
"bind_address_no_port": false,
"routing_mark": 0,
"reuse_addr": false,
"netns": "",
"connect_timeout": "",
"tcp_fast_open": false,
"tcp_multi_path": false,
"disable_tcp_keep_alive": false,
"tcp_keep_alive": "",
"tcp_keep_alive_interval": "",
"udp_fragment": false,
"domain_resolver": "", // 或 {}
"network_strategy": "",
"network_type": [],
@@ -66,6 +78,18 @@ icon: material/new-box
要绑定的 IPv6 地址。
#### bind_address_no_port
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅支持 Linux。
绑定到源地址时不保留端口。
这允许在完整的四元组(源 IP、源端口、目标 IP、目标端口保持唯一的情况下为多个连接复用同一源端口。
#### routing_mark
!!! quote ""
@@ -109,6 +133,30 @@ icon: material/new-box
启用 TCP Multi Path。
#### disable_tcp_keep_alive
!!! question "自 sing-box 1.13.0 起"
禁用 TCP keep alive。
#### tcp_keep_alive
!!! question "自 sing-box 1.13.0 起"
默认值从 `10m` 更改为 `5m`
TCP keep alive 初始周期。
默认使用 `5m`
#### tcp_keep_alive_interval
!!! question "自 sing-box 1.13.0 起"
TCP keep alive 间隔。
默认使用 `75s`
#### udp_fragment
启用 UDP 分段。

50
docs/configuration/shared/dns01_challenge.md
View File

@@ -1,9 +1,19 @@
---
icon: material/new-box
---
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [alidns.security_token](#security_token)
:material-plus: [cloudflare.zone_token](#zone_token)
:material-plus: [acmedns](#acmedns)
### Structure
```json
{
"provider": "",
... // Provider Fields
}
```
@@ -17,15 +27,47 @@
"provider": "alidns",
"access_key_id": "",
"access_key_secret": "",
"region_id": ""
"region_id": "",
"security_token": ""
}
```
##### security_token
!!! question "Since sing-box 1.13.0"
The Security Token for STS temporary credentials.
#### Cloudflare
```json
{
"provider": "cloudflare",
"api_token": ""
"api_token": "",
"zone_token": ""
}
```
```
##### zone_token
!!! question "Since sing-box 1.13.0"
Optional API token with `Zone:Read` permission.
When provided, allows `api_token` to be scoped to a single zone.
#### ACME-DNS
!!! question "Since sing-box 1.13.0"
```json
{
"provider": "acmedns",
"username": "",
"password": "",
"subdomain": "",
"server_url": ""
}
```
See [ACME-DNS](https://github.com/joohoi/acme-dns) for details.

50
docs/configuration/shared/dns01_challenge.zh.md
View File

@@ -1,9 +1,19 @@
---
icon: material/new-box
---
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [alidns.security_token](#security_token)
:material-plus: [cloudflare.zone_token](#zone_token)
:material-plus: [acmedns](#acmedns)
### 结构
```json
{
"provider": "",
... // 提供商字段
}
```
@@ -17,15 +27,47 @@
"provider": "alidns",
"access_key_id": "",
"access_key_secret": "",
"region_id": ""
"region_id": "",
"security_token": ""
}
```
##### security_token
!!! question "自 sing-box 1.13.0 起"
用于 STS 临时凭证的安全令牌。
#### Cloudflare
```json
{
"provider": "cloudflare",
"api_token": ""
"api_token": "",
"zone_token": ""
}
```
```
##### zone_token
!!! question "自 sing-box 1.13.0 起"
具有 `Zone:Read` 权限的可选 API 令牌。
提供后可将 `api_token` 限定到单个区域。
#### ACME-DNS
!!! question "自 sing-box 1.13.0 起"
```json
{
"provider": "acmedns",
"username": "",
"password": "",
"subdomain": "",
"server_url": ""
}
```
参阅 [ACME-DNS](https://github.com/joohoi/acme-dns)。

30
docs/configuration/shared/listen.md
View File

@@ -2,6 +2,11 @@
icon: material/new-box
---
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)
:material-alert: [tcp_keep_alive](#tcp_keep_alive)
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [netns](#netns)
@@ -29,6 +34,9 @@ icon: material/new-box
"netns": "",
"tcp_fast_open": false,
"tcp_multi_path": false,
"disable_tcp_keep_alive": false,
"tcp_keep_alive": "",
"tcp_keep_alive_interval": "",
"udp_fragment": false,
"udp_timeout": "",
"detour": "",
@@ -101,6 +109,28 @@ Enable TCP Fast Open.
Enable TCP Multi Path.
#### disable_tcp_keep_alive
!!! question "Since sing-box 1.13.0"
Disable TCP keep alive.
#### tcp_keep_alive
!!! question "Since sing-box 1.13.0"
Default value changed from `10m` to `5m`.
TCP keep alive initial period.
`5m` will be used by default.
#### tcp_keep_alive_interval
TCP keep alive interval.
`75s` will be used by default.
#### udp_fragment
Enable UDP fragmentation.

32
docs/configuration/shared/listen.zh.md
View File

@@ -2,7 +2,12 @@
icon: material/new-box
---
!!! quote "Changes in sing-box 1.12.0"
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)
:material-alert: [tcp_keep_alive](#tcp_keep_alive)
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [netns](#netns)
:material-plus: [bind_interface](#bind_interface)
@@ -29,6 +34,9 @@ icon: material/new-box
"netns": "",
"tcp_fast_open": false,
"tcp_multi_path": false,
"disable_tcp_keep_alive": false,
"tcp_keep_alive": "",
"tcp_keep_alive_interval": "",
"udp_fragment": false,
"udp_timeout": "",
"detour": "",
@@ -101,6 +109,28 @@ icon: material/new-box
启用 TCP Multi Path。
#### disable_tcp_keep_alive
!!! question "自 sing-box 1.13.0 起"
禁用 TCP keep alive。
#### tcp_keep_alive
!!! question "自 sing-box 1.13.0 起"
默认值从 `10m` 更改为 `5m`
TCP keep alive 初始周期。
默认使用 `5m`
#### tcp_keep_alive_interval
TCP keep alive 间隔。
默认使用 `75s`
#### udp_fragment
启用 UDP 分段。

50
docs/configuration/shared/pre-match.md Normal file
View File

@@ -0,0 +1,50 @@
---
icon: material/new-box
---
# Pre-match
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [bypass](#bypass)
Pre-match is rule matching that runs before the connection is established.
### How it works
When TUN receives a connection request, the connection has not yet been established,
so no connection data can be read. In this phase, sing-box runs the routing rules in pre-match mode.
Since connection data is unavailable, only actions that do not require connection data can be executed.
When a rule matches an action that requires an established connection, pre-match stops at that rule.
### Supported actions
#### reject
Reject with TCP RST / ICMP unreachable.
See [reject](/configuration/route/rule_action/#reject) for details.
#### route
Route ICMP connections to the specified outbound for direct reply.
See [route](/configuration/route/rule_action/#route) for details.
#### bypass
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported on Linux with `auto_redirect` enabled.
Bypass sing-box and connect directly at kernel level.
If `outbound` is not specified, the rule only matches in pre-match from auto redirect,
and will be skipped in other contexts.
For all other contexts, bypass with `outbound` behaves like `route` action.
See [bypass](/configuration/route/rule_action/#bypass) for details.

47
docs/configuration/shared/pre-match.zh.md Normal file
View File

@@ -0,0 +1,47 @@
---
icon: material/new-box
---
# 预匹配
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [bypass](#bypass)
预匹配是在连接建立之前运行的规则匹配。
### 工作原理
当 TUN 收到连接请求时连接尚未建立因此无法读取连接数据。在此阶段sing-box 在预匹配模式下运行路由规则。
由于连接数据不可用,只有不需要连接数据的动作才能执行。当规则匹配到需要已建立连接的动作时,预匹配将在该规则处停止。
### 支持的动作
#### reject
以 TCP RST / ICMP 不可达拒绝。
详情参阅 [reject](/configuration/route/rule_action/#reject)。
#### route
将 ICMP 连接路由到指定出站以直接回复。
详情参阅 [route](/configuration/route/rule_action/#route)。
#### bypass
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅支持 Linux且需要启用 `auto_redirect`
在内核层面绕过 sing-box 直接连接。
如果未指定 `outbound`,规则仅在来自 auto redirect 的预匹配中匹配,在其他场景中将被跳过。
对于其他所有场景,指定了 `outbound` 的 bypass 行为与 `route` 相同。
详情参阅 [bypass](/configuration/route/rule_action/#bypass)。

208
docs/configuration/shared/tls.md
View File

@@ -1,7 +1,21 @@
---
icon: material/alert-decagram
icon: material/new-box
---
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [kernel_tx](#kernel_tx)
:material-plus: [kernel_rx](#kernel_rx)
:material-plus: [curve_preferences](#curve_preferences)
:material-plus: [certificate_public_key_sha256](#certificate_public_key_sha256)
:material-plus: [client_certificate](#client_certificate)
:material-plus: [client_certificate_path](#client_certificate_path)
:material-plus: [client_key](#client_key)
:material-plus: [client_key_path](#client_key_path)
:material-plus: [client_authentication](#client_authentication)
:material-plus: [client_certificate_public_key_sha256](#client_certificate_public_key_sha256)
:material-plus: [ech.query_server_name](#query_server_name)
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [fragment](#fragment)
@@ -12,7 +26,7 @@ icon: material/alert-decagram
!!! quote "Changes in sing-box 1.10.0"
:material-alert-decagram: [utls](#utls)
:material-alert-decagram: [utls](#utls)
### Inbound
@@ -24,10 +38,17 @@ icon: material/alert-decagram
"min_version": "",
"max_version": "",
"cipher_suites": [],
"curve_preferences": [],
"certificate": [],
"certificate_path": "",
"client_authentication": "",
"client_certificate": [],
"client_certificate_path": [],
"client_certificate_public_key_sha256": [],
"key": [],
"key_path": "",
"kernel_tx": false,
"kernel_rx": false,
"acme": {
"domain": [],
"data_directory": "",
@@ -83,8 +104,14 @@ icon: material/alert-decagram
"min_version": "",
"max_version": "",
"cipher_suites": [],
"curve_preferences": [],
"certificate": "",
"certificate_path": "",
"certificate_public_key_sha256": [],
"client_certificate": [],
"client_certificate_path": "",
"client_key": [],
"client_key_path": "",
"fragment": false,
"fragment_fallback_delay": "",
"record_fragment": false,
@@ -92,6 +119,7 @@ icon: material/alert-decagram
"enabled": false,
"config": [],
"config_path": "",
"query_server_name": "",
// Deprecated
"pq_signature_schemes_enabled": false,
@@ -188,13 +216,29 @@ By default, the maximum version is currently TLS 1.3.
#### cipher_suites
A list of enabled TLS 1.01.2 cipher suites. The order of the list is ignored. Note that TLS 1.3 cipher suites are not configurable.
List of enabled TLS 1.01.2 cipher suites. The order of the list is ignored.
Note that TLS 1.3 cipher suites are not configurable.
If empty, a safe default list is used. The default cipher suites might change over time.
#### curve_preferences
!!! question "Since sing-box 1.13.0"
Set of supported key exchange mechanisms. The order of the list is ignored, and key exchange mechanisms are chosen
from this list using an internal preference order by Golang.
Available values, also the default list:
* `P256`
* `P384`
* `P521`
* `X25519`
* `X25519MLKEM768`
#### certificate
The server certificate line array, in PEM format.
Server certificates chain line array, in PEM format.
#### certificate_path
@@ -202,7 +246,58 @@ The server certificate line array, in PEM format.
Will be automatically reloaded if file modified.
The path to the server certificate, in PEM format.
The path to server certificate chain, in PEM format.
#### certificate_public_key_sha256
!!! question "Since sing-box 1.13.0"
==Client only==
List of SHA-256 hashes of server certificate public keys, in base64 format.
To generate the SHA-256 hash for a certificate's public key, use the following commands:
```bash
# For a certificate file
openssl x509 -in certificate.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
# For a certificate from a remote server
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
```
#### client_certificate
!!! question "Since sing-box 1.13.0"
==Client only==
Client certificate chain line array, in PEM format.
#### client_certificate_path
!!! question "Since sing-box 1.13.0"
==Client only==
The path to client certificate chain, in PEM format.
#### client_key
!!! question "Since sing-box 1.13.0"
==Client only==
Client private key line array, in PEM format.
#### client_key_path
!!! question "Since sing-box 1.13.0"
==Client only==
The path to client private key, in PEM format.
#### key
@@ -220,6 +315,99 @@ The server private key line array, in PEM format.
The path to the server private key, in PEM format.
#### client_authentication
!!! question "Since sing-box 1.13.0"
==Server only==
The type of client authentication to use.
Available values:
* `no` (default)
* `request`
* `require-any`
* `verify-if-given`
* `require-and-verify`
One of `client_certificate`, `client_certificate_path`, or `client_certificate_public_key_sha256` is required
if this option is set to `verify-if-given`, or `require-and-verify`.
#### client_certificate
!!! question "Since sing-box 1.13.0"
==Server only==
Client certificate chain line array, in PEM format.
#### client_certificate_path
!!! question "Since sing-box 1.13.0"
==Server only==
!!! note ""
Will be automatically reloaded if file modified.
List of path to client certificate chain, in PEM format.
#### client_certificate_public_key_sha256
!!! question "Since sing-box 1.13.0"
==Server only==
List of SHA-256 hashes of client certificate public keys, in base64 format.
To generate the SHA-256 hash for a certificate's public key, use the following commands:
```bash
# For a certificate file
openssl x509 -in certificate.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
# For a certificate from a remote server
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
```
#### kernel_tx
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported on Linux 5.1+, use a newer kernel if possible.
!!! quote ""
Only TLS 1.3 is supported.
!!! warning ""
kTLS TX may only improve performance when `splice(2)` is available (both ends must be TCP or TLS without additional protocols after handshake); otherwise, it will definitely degrade performance.
Enable kernel TLS transmit support.
#### kernel_rx
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported on Linux 5.1+, use a newer kernel if possible.
!!! quote ""
Only TLS 1.3 is supported.
!!! failure ""
kTLS RX will definitely degrade performance even if `splice(2)` is in use, so enabling it is not recommended.
Enable kernel TLS receive support.
## Custom TLS support
!!! info "QUIC support"
@@ -328,6 +516,16 @@ The path to ECH configuration, in PEM format.
If empty, load from DNS will be attempted.
#### query_server_name
!!! question "Since sing-box 1.13.0"
==Client only==
Overrides the domain name used for ECH HTTPS record queries.
If empty, `server_name` is used for queries.
#### fragment
!!! question "Since sing-box 1.12.0"

361
docs/configuration/shared/tls.zh.md
View File

@@ -1,18 +1,32 @@
---
icon: material/alert-decagram
icon: material/new-box
---
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [kernel_tx](#kernel_tx)
:material-plus: [kernel_rx](#kernel_rx)
:material-plus: [curve_preferences](#curve_preferences)
:material-plus: [certificate_public_key_sha256](#certificate_public_key_sha256)
:material-plus: [client_certificate](#client_certificate)
:material-plus: [client_certificate_path](#client_certificate_path)
:material-plus: [client_key](#client_key)
:material-plus: [client_key_path](#client_key_path)
:material-plus: [client_authentication](#client_authentication)
:material-plus: [client_certificate_public_key_sha256](#client_certificate_public_key_sha256)
:material-plus: [ech.query_server_name](#query_server_name)
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [tls_fragment](#tls_fragment)
:material-plus: [tls_fragment_fallback_delay](#tls_fragment_fallback_delay)
:material-plus: [tls_record_fragment](#tls_record_fragment)
:material-plus: [fragment](#fragment)
:material-plus: [fragment_fallback_delay](#fragment_fallback_delay)
:material-plus: [record_fragment](#record_fragment)
:material-delete-clock: [ech.pq_signature_schemes_enabled](#pq_signature_schemes_enabled)
:material-delete-clock: [ech.dynamic_record_sizing_disabled](#dynamic_record_sizing_disabled)
!!! quote "sing-box 1.10.0 中的更改"
:material-alert-decagram: [utls](#utls)
:material-alert-decagram: [utls](#utls)
### 入站
@@ -24,10 +38,17 @@ icon: material/alert-decagram
"min_version": "",
"max_version": "",
"cipher_suites": [],
"curve_preferences": [],
"certificate": [],
"certificate_path": "",
"client_authentication": "",
"client_certificate": [],
"client_certificate_path": [],
"client_certificate_public_key_sha256": [],
"key": [],
"key_path": "",
"kernel_tx": false,
"kernel_rx": false,
"acme": {
"domain": [],
"data_directory": "",
@@ -83,17 +104,26 @@ icon: material/alert-decagram
"min_version": "",
"max_version": "",
"cipher_suites": [],
"certificate": [],
"curve_preferences": [],
"certificate": "",
"certificate_path": "",
"certificate_public_key_sha256": [],
"client_certificate": [],
"client_certificate_path": "",
"client_key": [],
"client_key_path": "",
"fragment": false,
"fragment_fallback_delay": "",
"record_fragment": false,
"ech": {
"enabled": false,
"pq_signature_schemes_enabled": false,
"dynamic_record_sizing_disabled": false,
"config": [],
"config_path": ""
"config_path": "",
"query_server_name": "",
// 废弃的
"pq_signature_schemes_enabled": false,
"dynamic_record_sizing_disabled": false
},
"utls": {
"enabled": false,
@@ -184,13 +214,27 @@ TLS 版本值:
#### cipher_suites
启用的 TLS 1.0-1.2密码套件列表。列表的顺序被忽略。请注意TLS 1.3 的密码套件是不可配置的。
启用的 TLS 1.01.2 密码套件列表。列表的顺序被忽略。请注意TLS 1.3 的密码套件是不可配置的。
如果为空,则使用安全的默认列表。默认密码套件可能会随着时间的推移而改变。
#### curve_preferences
!!! question "自 sing-box 1.13.0 起"
支持的密钥交换机制集合。列表的顺序被忽略,密钥交换机制通过 Golang 的内部偏好顺序从此列表中选择。
可用值,同时也是默认列表:
* `P256`
* `P384`
* `P521`
* `X25519`
* `X25519MLKEM768`
#### certificate
服务器 PEM 证书行数组。
服务器证书行数组PEM 格式
#### certificate_path
@@ -198,7 +242,57 @@ TLS 版本值:
文件更改时将自动重新加载。
服务器 PEM 证书路径
服务器证书链路径PEM 格式
#### certificate_public_key_sha256
!!! question "自 sing-box 1.13.0 起"
==仅客户端==
服务器证书公钥的 SHA-256 哈希列表base64 格式。
要生成证书公钥的 SHA-256 哈希,请使用以下命令:
```bash
# 对于证书文件
openssl x509 -in certificate.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
# 对于远程服务器的证书
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
```
#### client_certificate
!!! question "自 sing-box 1.13.0 起"
==仅客户端==
客户端证书链行数组PEM 格式。
#### client_certificate_path
!!! question "自 sing-box 1.13.0 起"
==仅客户端==
客户端证书链路径PEM 格式。
#### client_key
!!! question "自 sing-box 1.13.0 起"
==仅客户端==
客户端私钥行数组PEM 格式。
#### client_key_path
!!! question "自 sing-box 1.13.0 起"
==仅客户端==
客户端私钥路径PEM 格式。
#### key
@@ -214,7 +308,110 @@ TLS 版本值:
==仅服务器==
服务器 PEM 私钥路径。
!!! note ""
文件更改时将自动重新加载。
服务器私钥路径PEM 格式。
#### client_authentication
!!! question "自 sing-box 1.13.0 起"
==仅服务器==
要使用的客户端身份验证类型。
可用值:
* `no`(默认)
* `request`
* `require-any`
* `verify-if-given`
* `require-and-verify`
如果此选项设置为 `verify-if-given``require-and-verify`
则需要 `client_certificate``client_certificate_path``client_certificate_public_key_sha256` 中的一个。
#### client_certificate
!!! question "自 sing-box 1.13.0 起"
==仅服务器==
客户端证书链行数组PEM 格式。
#### client_certificate_path
!!! question "自 sing-box 1.13.0 起"
==仅服务器==
!!! note ""
文件更改时将自动重新加载。
客户端证书链路径列表PEM 格式。
#### client_certificate_public_key_sha256
!!! question "自 sing-box 1.13.0 起"
==仅服务器==
客户端证书公钥的 SHA-256 哈希列表base64 格式。
要生成证书公钥的 SHA-256 哈希,请使用以下命令:
```bash
# 对于证书文件
openssl x509 -in certificate.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
# 对于远程服务器的证书
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
```
#### kernel_tx
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅支持 Linux 5.1+,如果可能,使用较新的内核。
!!! quote ""
仅支持 TLS 1.3。
!!! warning ""
kTLS TX 仅当 `splice(2)` 可用时(两端经过握手后必须为没有附加协议的 TCP 或 TLS才能提高性能否则肯定会降低性能。
启用内核 TLS 发送支持。
#### kernel_rx
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅支持 Linux 5.1+,如果可能,使用较新的内核。
!!! quote ""
仅支持 TLS 1.3。
!!! failure ""
即使使用 `splice(2)`kTLS RX 也肯定会降低性能,因此不建议启用。
启用内核 TLS 接收支持。
## 自定义 TLS 支持
!!! info "QUIC 支持"
只有 ECH 在 QUIC 中被支持.
#### utls
@@ -258,44 +455,11 @@ uTLS 是 "crypto/tls" 的一个分支,它提供了 ClientHello 指纹识别阻
默认使用 chrome 指纹。
## ECH 字段
### ECH 字段
ECH (Encrypted Client Hello) 是一个 TLS 扩展,它允许客户端加密其 ClientHello 的第一部分
信息。
ECH (Encrypted Client Hello) 是一个 TLS 扩展,它允许客户端加密其 ClientHello 的第一部分信息。
ECH 配置和密钥可以通过 `sing-box generate ech-keypair [--pq-signature-schemes-enabled]` 生成。
#### key
==仅服务器==
ECH PEM 密钥行数组
#### key_path
==仅服务器==
!!! note ""
文件更改时将自动重新加载。
ECH PEM 密钥路径
#### config
==仅客户端==
ECH PEM 配置行数组
如果为空,将尝试从 DNS 加载。
#### config_path
==仅客户端==
ECH PEM 配置路径
如果为空,将尝试从 DNS 加载。
ECH 密钥和配置可以通过 `sing-box generate ech-keypair` 生成。
#### pq_signature_schemes_enabled
@@ -305,8 +469,6 @@ ECH PEM 配置路径
启用对后量子对等证书签名方案的支持。
建议匹配 `sing-box generate ech-keypair` 的参数。
#### dynamic_record_sizing_disabled
!!! failure "已在 sing-box 1.12.0 废弃"
@@ -315,57 +477,101 @@ ECH PEM 配置路径
禁用 TLS 记录的自适应大小调整。
如果为 true,则始终使用最大可能的 TLS 记录大小。
如果为 false可能会调整 TLS 记录的大小以尝试改善延迟。
为 true 时,总是使用最大可能的 TLS 记录大小。
为 false,可能会调整 TLS 记录的大小以尝试改善延迟。
#### tls_fragment
#### key
==仅服务器==
ECH 密钥行数组PEM 格式。
#### key_path
==仅服务器==
!!! note ""
文件更改时将自动重新加载。
ECH 密钥路径PEM 格式。
#### config
==仅客户端==
ECH 配置行数组PEM 格式。
如果为空,将尝试从 DNS 加载。
#### config_path
==仅客户端==
ECH 配置路径PEM 格式。
如果为空,将尝试从 DNS 加载。
#### query_server_name
!!! question "自 sing-box 1.13.0 起"
==仅客户端==
覆盖用于 ECH HTTPS 记录查询的域名。
如果为空,使用 `server_name` 查询。
#### fragment
!!! question "自 sing-box 1.12.0 起"
==仅客户端==
通过分段 TLS 握手数据包来绕过防火墙检测
通过分段 TLS 握手数据包来绕过防火墙。
此功能旨在规避基于**明文数据包匹配**的简单防火墙,不应该用于规避真的审查。
此功能旨在规避基于**明文数据包匹配**的简单防火墙,不应该用于规避真的审查。
由于性能不佳,请首先尝试 `tls_record_fragment`,且仅应用于已知被阻止的服务器名称。
由于性能不佳,请首先尝试 `record_fragment`,且仅应用于已知被阻止的服务器名称。
在 Linux、Apple 平台和需要管理员权限的 Windows 系统上,可自动检测等待时间。
若无法自动检测,将回退使用 `tls_fragment_fallback_delay` 指定的固定等待时间。
在 Linux、Apple 平台和需要管理员权限的Windows 系统上,
可以自动检测等待时间。否则,将回退到
等待 `fragment_fallback_delay` 指定的固定时间。
此外,实际等待时间于 20 毫秒,同样会回退至固定等待时间模式,因为此时判定目标处于本地或透明代理之后。
此外,如果实际等待时间于 20ms也会回退到等待固定时间
因为目标被认为是本地的或在透明代理后面。
#### tls_fragment_fallback_delay
#### fragment_fallback_delay
!!! question "自 sing-box 1.12.0 起"
==仅客户端==
当 TLS 分片功能无法自动定等待时间时使用的回退值。
当 TLS 分无法自动定等待时间时使用的回退值。
默认使用 `500ms`
#### tls_record_fragment
==仅客户端==
#### record_fragment
!!! question "自 sing-box 1.12.0 起"
通过分段 TLS 握手数据包到多个 TLS 记录来绕过防火墙检测。
==仅客户端==
将 TLS 握手分段为多个 TLS 记录以绕过防火墙。
### ACME 字段
#### domain
一组域名。
域名列表
默认禁用 ACME。
如果为空则禁用 ACME。
#### data_directory
ACME 数据目录。
ACME 数据存储目录。
默认使用 `$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic`
如果为空则使用 `$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic`
#### default_server_name
@@ -403,12 +609,11 @@ ACME 数据目录。
#### external_account
EAB外部帐户绑定包含将 ACME 帐户绑定或映射到其他已知帐户所需的信息由 CA
EAB外部帐户绑定包含将 ACME 帐户绑定或映射到 CA 已知的其他帐户所需的信息。
外部帐户绑定用于将 ACME 帐户与非 ACME 系统中的现有帐户相关联,例如 CA 客户数据库。
外部帐户绑定"用于将 ACME 帐户与非 ACME 系统中的现有帐户相关联,例如 CA 客户数据库。
为了启用 ACME 帐户绑定,运行 ACME 服务器的 CA 需要向 ACME 客户端提供 MAC 密钥和密钥标识符,使用 ACME 之外的一些机制。
§7.3.4
为了启用 ACME 帐户绑定,运行 ACME 服务器的 CA 需要使用 ACME 之外的某种机制向 ACME 客户端提供 MAC 密钥和密钥标识符。§7.3.4
#### external_account.key_id
@@ -422,7 +627,7 @@ MAC 密钥。
ACME DNS01 验证字段。如果配置,将禁用其他验证方法。
参阅 [DNS01 验证字段](/configuration/shared/dns01_challenge/)。
参阅 [DNS01 验证字段](/zh/configuration/shared/dns01_challenge/)。
### Reality 字段
@@ -458,6 +663,8 @@ ACME DNS01 验证字段。如果配置,将禁用其他验证方法。
#### max_time_difference
服务器与和客户端之间允许的最大时间差。
==仅服务器==
默认禁用检查
服务器和客户端之间的最大时间差
如果为空则禁用检查。

82
docs/configuration/shared/udp-over-tcp.zh.md Normal file
View File

@@ -0,0 +1,82 @@
!!! warning ""
这是 SagerNet 创建的专有协议,不是 shadowsocks 的一部分。
UDP over TCP 协议用于在 TCP 中传输 UDP 数据包。
### 结构
```json
{
"enabled": true,
"version": 2
}
```
!!! info ""
当不指定版本时,结构可以用布尔值替换。
### 字段
#### enabled
启用 UDP over TCP 协议。
#### version
协议版本,`1``2`
默认使用 2。
### 应用程序支持
| 项目 | UoT v1 | UoT v2 |
|--------------|----------------------|----------------------|
| sing-box | v0 (2022/08/11) | v1.2-beta9 |
| Clash.Meta | v1.12.0 (2022/07/02) | v1.14.3 (2023/03/31) |
| Shadowrocket | v2.2.12 (2022/08/13) | / |
### 协议详情
#### 协议版本 1
客户端向上层代理协议请求魔法地址以表示请求:`sp.udp-over-tcp.arpa`
#### 流格式
| ATYP | 地址 | 端口 | 长度 | 数据 |
|------|----------|-------|--------|----------|
| u8 | 可变长 | u16be | u16be | 可变长 |
**ATYP / 地址 / 端口**:使用 SOCKS 地址格式,但使用不同的地址类型:
| ATYP | 地址类型 |
|--------|-----------|
| `0x00` | IPv4 地址 |
| `0x01` | IPv6 地址 |
| `0x02` | 域名 |
#### 协议版本 2
协议版本 2 使用新的魔法地址:`sp.v2.udp-over-tcp.arpa`
##### 请求格式
| isConnect | ATYP | 地址 | 端口 |
|-----------|------|----------|-------|
| u8 | u8 | 可变长 | u16be |
**isConnect**:设置为 1 表示流使用连接格式0 表示禁用。
**ATYP / 地址 / 端口**:请求目标,使用 SOCKS 地址格式。
##### 连接流格式
| 长度 | 数据 |
|--------|----------|
| u16be | 可变长 |
##### 非连接流格式
与协议版本 1 中的流格式相同。

41
docs/configuration/shared/wifi-state.md Normal file
View File

@@ -0,0 +1,41 @@
---
icon: material/new-box
---
# Wi-Fi State
!!! quote "Changes in sing-box 1.13.0"
:material-plus: Linux support
:material-plus: Windows support
sing-box can monitor Wi-Fi state to enable routing rules based on `wifi_ssid` and `wifi_bssid`.
### Platform Support
| Platform | Support | Notes |
|-----------------|------------------|--------------------------|
| Android | :material-check: | In graphical client |
| Apple platforms | :material-check: | In graphical clients |
| Linux | :material-check: | Requires supported daemon |
| Windows | :material-check: | WLAN API |
| Others | :material-close: | |
### Linux
!!! question "Since sing-box 1.13.0"
The following backends are supported and will be auto-detected in order of priority:
| Backend | Interface |
|------------------|-------------|
| NetworkManager | D-Bus |
| IWD | D-Bus |
| wpa_supplicant | Unix socket |
| ConnMan | D-Bus |
### Windows
!!! question "Since sing-box 1.13.0"
Uses Windows WLAN API.

41
docs/configuration/shared/wifi-state.zh.md Normal file
View File

@@ -0,0 +1,41 @@
---
icon: material/new-box
---
# Wi-Fi 状态
!!! quote "sing-box 1.13.0 的变更"
:material-plus: Linux 支持
:material-plus: Windows 支持
sing-box 可以监控 Wi-Fi 状态,以启用基于 `wifi_ssid``wifi_bssid` 的路由规则。
### 平台支持
| 平台 | 支持 | 备注 |
|-----------------|------------------|----------------|
| Android | :material-check: | 仅图形客户端 |
| Apple 平台 | :material-check: | 仅图形客户端 |
| Linux | :material-check: | 需要支持的守护进程 |
| Windows | :material-check: | WLAN API |
| 其他 | :material-close: | |
### Linux
!!! question "自 sing-box 1.13.0 起"
支持以下后端,将按优先级顺序自动探测:
| 后端 | 接口 |
|------------------|-------------|
| NetworkManager | D-Bus |
| IWD | D-Bus |
| wpa_supplicant | Unix socket |
| ConnMan | D-Bus |
### Windows
!!! question "自 sing-box 1.13.0 起"
使用 Windows WLAN API。

4
docs/deprecated.zh.md
View File

@@ -95,7 +95,7 @@ GeoIP 已废弃且将在 sing-box 1.12.0 中被移除。
maxmind GeoIP 国家数据库作为 IP 分类数据库,不完全适合流量绕过,
且现有的实现均存在内存使用大与管理困难的问题。
sing-box 1.8.0 引入了[规则集](/configuration/rule-set/)
sing-box 1.8.0 引入了[规则集](/zh/configuration/rule-set/)
可以完全替代 GeoIP 参阅 [迁移指南](/zh/migration/#geoip)。
#### Geosite
@@ -105,7 +105,7 @@ Geosite 已废弃且将在 sing-box 1.12.0 中被移除。
Geosite即由 V2Ray 维护的 domain-list-community 项目,作为早期流量绕过解决方案,
存在着包括缺少维护、规则不准确和管理困难内的大量问题。
sing-box 1.8.0 引入了[规则集](/configuration/rule-set/)
sing-box 1.8.0 引入了[规则集](/zh/configuration/rule-set/)
可以完全替代 Geosite参阅 [迁移指南](/zh/migration/#geosite)。
## 1.6.0

65
docs/installation/build-from-source.md
View File

@@ -57,6 +57,69 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
| `with_v2ray_api` | :material-close: | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields). |
| `with_gvisor` | :material-check: | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface). |
| `with_embedded_tor` (CGO required) | :material-close: | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/). |
| `with_tailscale` | :material-check: | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale) |
| `with_tailscale` | :material-check: | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale). |
| `with_ccm` | :material-check: | Build with Claude Code Multiplexer service support. |
| `with_ocm` | :material-check: | Build with OpenAI Codex Multiplexer service support. |
| `with_naive_outbound` | :material-check: | Build with NaiveProxy outbound support, see [NaiveProxy outbound](/configuration/outbound/naive/). |
| `badlinkname` | :material-check: | Enable `go:linkname` access to internal standard library functions. Required because the Go standard library does not expose many low-level APIs needed by this project, and reimplementing them externally is impractical. Used for kTLS (kernel TLS offload) and raw TLS record manipulation. |
| `tfogo_checklinkname0` | :material-check: | Companion to `badlinkname`. Go 1.23+ enforces `go:linkname` restrictions via the linker; this tag signals the build uses `-checklinkname=0` to bypass that enforcement. |
It is not recommended to change the default build tag list unless you really know what you are adding.
## :material-wrench: Linker Flags
The following `-ldflags` are used in official builds:
| Flag | Description |
|-------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `-X 'internal/godebug.defaultGODEBUG=multipathtcp=0'` | Go 1.24 enabled Multipath TCP for listeners by default (`multipathtcp=2`). This may cause errors on low-level sockets, and sing-box has its own MPTCP control (`tcp_multi_path` option). This flag disables the Go default. |
| `-checklinkname=0` | Go 1.23+ linker rejects unauthorized `go:linkname` usage. This flag disables the check, required together with the `badlinkname` build tag. |
## :material-package-variant: For Downstream Packagers
The default build tag lists and linker flags are available as files in the repository for downstream packagers to reference directly:
| File | Description |
|------|-------------|
| `release/DEFAULT_BUILD_TAGS` | Default for Linux (common architectures), Darwin, and Android. |
| `release/DEFAULT_BUILD_TAGS_WINDOWS` | Default for Windows (includes `with_purego`). |
| `release/DEFAULT_BUILD_TAGS_OTHERS` | Default for other platforms (no `with_naive_outbound`). |
| `release/LDFLAGS` | Required linker flags (see above). |
## :material-layers: with_naive_outbound
NaiveProxy outbound requires special build configurations depending on your target platform.
### Supported Platforms
| Platform | Architectures | Mode | Requirements |
|-----------------|------------------------|--------|---------------------------------------------------|
| Linux | amd64, arm64 | purego | None (library included in official releases) |
| Linux | 386, amd64, arm, arm64 | CGO | Chromium toolchain, glibc >= 2.31 at runtime |
| Linux (musl) | 386, amd64, arm, arm64 | CGO | Chromium toolchain |
| Windows | amd64, arm64 | purego | None (library included in official releases) |
| Apple platforms | * | CGO | Xcode |
| Android | * | CGO | Android NDK |
### Windows
Use `with_purego` tag.
For official releases, `libcronet.dll` is included in the archive. For self-built binaries, download from [cronet-go releases](https://github.com/sagernet/cronet-go/releases) and place in the same directory as `sing-box.exe` or in a directory listed in `PATH`.
### Linux (purego, amd64/arm64 only)
Use `with_purego` tag.
For official releases, `libcronet.so` is included in the archive. For self-built binaries, download from [cronet-go releases](https://github.com/sagernet/cronet-go/releases) and place in the same directory as sing-box binary or in system library path.
### Linux (CGO)
See [cronet-go](https://github.com/sagernet/cronet-go#linux-build-instructions).
- **glibc build**: Requires glibc >= 2.31 at runtime
- **musl build**: Use `with_musl` tag, statically linked, no runtime requirements
### Apple platforms / Android
See [cronet-go](https://github.com/sagernet/cronet-go).

65
docs/installation/build-from-source.zh.md
View File

@@ -61,6 +61,69 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
| `with_v2ray_api` | :material-close: | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields). |
| `with_gvisor` | :material-check: | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface). |
| `with_embedded_tor` (CGO required) | :material-close: | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/). |
| `with_tailscale` | :material-check: | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale) |
| `with_tailscale` | :material-check: | 构建 Tailscale 支持,参阅 [Tailscale 端点](/configuration/endpoint/tailscale) |
| `with_ccm` | :material-check: | 构建 Claude Code Multiplexer 服务支持。 |
| `with_ocm` | :material-check: | 构建 OpenAI Codex Multiplexer 服务支持。 |
| `with_naive_outbound` | :material-check: | 构建 NaiveProxy 出站支持,参阅 [NaiveProxy 出站](/configuration/outbound/naive/)。 |
| `badlinkname` | :material-check: | 启用 `go:linkname` 以访问标准库内部函数。Go 标准库未提供本项目需要的许多底层 API且在外部重新实现不切实际。用于 kTLS内核 TLS 卸载)和原始 TLS 记录操作。 |
| `tfogo_checklinkname0` | :material-check: | `badlinkname` 的伴随标记。Go 1.23+ 链接器强制限制 `go:linkname` 使用;此标记表示构建使用 `-checklinkname=0` 以绕过该限制。 |
除非您确实知道您正在启用什么,否则不建议更改默认构建标签列表。
## :material-wrench: 链接器标志
以下 `-ldflags` 在官方构建中使用:
| 标志 | 说明 |
|-------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `-X 'internal/godebug.defaultGODEBUG=multipathtcp=0'` | Go 1.24 默认为监听器启用 Multipath TCP`multipathtcp=2`)。这可能在底层 socket 上导致错误,且 sing-box 有自己的 MPTCP 控制(`tcp_multi_path` 选项)。此标志禁用 Go 的默认行为。 |
| `-checklinkname=0` | Go 1.23+ 链接器拒绝未授权的 `go:linkname` 使用。此标志禁用该检查,需要与 `badlinkname` 构建标记一起使用。 |
## :material-package-variant: 下游打包者
默认构建标签列表和链接器标志以文件形式存放在仓库中,供下游打包者直接引用:
| 文件 | 说明 |
|------|------|
| `release/DEFAULT_BUILD_TAGS` | Linux常见架构、Darwin 和 Android 的默认标签。 |
| `release/DEFAULT_BUILD_TAGS_WINDOWS` | Windows 的默认标签(包含 `with_purego`)。 |
| `release/DEFAULT_BUILD_TAGS_OTHERS` | 其他平台的默认标签(不含 `with_naive_outbound`)。 |
| `release/LDFLAGS` | 必需的链接器标志(参见上文)。 |
## :material-layers: with_naive_outbound
NaiveProxy 出站需要根据目标平台进行特殊的构建配置。
### 支持的平台
| 平台 | 架构 | 模式 | 要求 |
|---------------|------------------------|--------|--------------------------------|
| Linux | amd64, arm64 | purego | 无(官方发布版本已包含库文件) |
| Linux | 386, amd64, arm, arm64 | CGO | Chromium 工具链,运行时需要 glibc >= 2.31 |
| Linux (musl) | 386, amd64, arm, arm64 | CGO | Chromium 工具链 |
| Windows | amd64, arm64 | purego | 无(官方发布版本已包含库文件) |
| Apple 平台 | * | CGO | Xcode |
| Android | * | CGO | Android NDK |
### Windows
使用 `with_purego` 标记。
官方发布版本已包含 `libcronet.dll`。自行构建时,从 [cronet-go releases](https://github.com/sagernet/cronet-go/releases) 下载并放置在 `sing-box.exe` 相同目录或 `PATH` 中的任意目录。
### Linux (purego, 仅 amd64/arm64)
使用 `with_purego` 标记。
官方发布版本已包含 `libcronet.so`。自行构建时,从 [cronet-go releases](https://github.com/sagernet/cronet-go/releases) 下载并放置在 sing-box 二进制文件相同目录或系统库路径中。
### Linux (CGO)
参阅 [cronet-go](https://github.com/sagernet/cronet-go#linux-build-instructions)。
- **glibc 构建**:运行时需要 glibc >= 2.31
- **musl 构建**:使用 `with_musl` 标记,静态链接,无运行时要求
### Apple 平台 / Android
参阅 [cronet-go](https://github.com/sagernet/cronet-go)。

4
docs/migration.zh.md
View File

@@ -10,8 +10,8 @@ DNS 服务器已经重构。
!!! info "引用"
[DNS 服务器](/configuration/dns/server/) /
[旧 DNS 服务器](/configuration/dns/server/legacy/)
[DNS 服务器](/zh/configuration/dns/server/) /
[旧 DNS 服务器](/zh/configuration/dns/server/legacy/)
=== "Local"