yanistyle/sing-box-extended
1
0
Fork 0
mirror of https://github.com/shtorm-7/sing-box-extended.git synced 2026-05-14 00:51:12 +03:00
Code Issues Packages Projects Releases Wiki Activity

Resolve conflicts

Browse Source
This commit is contained in:
Sergei Maklagin
2025-08-15 12:56:52 +03:00
parent e22416f0d9 2dcb86941f
commit 93eb435e26
365 changed files with 22978 additions and 4724 deletions
Download Patch File Download Diff File Expand all files Collapse all files

435
docs/changelog.md
View File

@@ -2,6 +2,157 @@
icon: material/alert-decagram
---
#### 1.12.0
* Refactor DNS servers **1**
* Add domain resolver options**2**
* Add TLS fragment/record fragment support to route options and outbound TLS options **3**
* Add certificate options **4**
* Add Tailscale endpoint and DNS server **5**
* Drop support for go1.22 **6**
* Add AnyTLS protocol **7**
* Migrate to stdlib ECH implementation **8**
* Add NTP sniffer **9**
* Add wildcard SNI support for ShadowTLS inbound **10**
* Improve `auto_redirect` **11**
* Add control options for listeners **12**
* Add DERP service **13**
* Add Resolved service and DNS server **14**
* Add SSM API service **15**
* Add loopback address support for tun **16**
* Improve tun performance on Apple platforms **17**
* Update quic-go to v0.52.0
* Update gVisor to 20250319.0
* Update the status of graphical clients in stores **18**
**1**:
DNS servers are refactored for better performance and scalability.
See [DNS server](/configuration/dns/server/).
For migration, see [Migrate to new DNS server formats](/migration/#migrate-to-new-dns-servers).
Compatibility for old formats will be removed in sing-box 1.14.0.
**2**:
Legacy `outbound` DNS rules are deprecated
and can be replaced by the new `domain_resolver` option.
See [Dial Fields](/configuration/shared/dial/#domain_resolver) and
[Route](/configuration/route/#default_domain_resolver).
For migration,
see [Migrate outbound DNS rule items to domain resolver](/migration/#migrate-outbound-dns-rule-items-to-domain-resolver).
**3**:
See [Route Action](/configuration/route/rule_action/#tls_fragment) and [TLS](/configuration/shared/tls/).
**4**:
New certificate options allow you to manage the default list of trusted X509 CA certificates.
For the system certificate list, fixed Go not reading Android trusted certificates correctly.
You can also use the Mozilla Included List instead, or add trusted certificates yourself.
See [Certificate](/configuration/certificate/).
**5**:
See [Tailscale](/configuration/endpoint/tailscale/).
**6**:
Due to maintenance difficulties, sing-box 1.12.0 requires at least Go 1.23 to compile.
For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches from [MetaCubeX/go](https://github.com/MetaCubeX/go).
**7**:
The new AnyTLS protocol claims to mitigate TLS proxy traffic characteristics and comes with a new multiplexing scheme.
See [AnyTLS Inbound](/configuration/inbound/anytls/) and [AnyTLS Outbound](/configuration/outbound/anytls/).
**8**:
See [TLS](/configuration/shared/tls).
The build tag `with_ech` is no longer needed and has been removed.
**9**:
See [Protocol Sniff](/configuration/route/sniff/).
**10**:
See [ShadowTLS](/configuration/inbound/shadowtls/#wildcard_sni).
**11**:
Now `auto_redirect` fixes compatibility issues between tun and Docker bridge networks,
see [Tun](/configuration/inbound/tun/#auto_redirect).
**12**:
You can now set `bind_interface`, `routing_mark` and `reuse_addr` in Listen Fields.
See [Listen Fields](/configuration/shared/listen/).
**13**:
DERP service is a Tailscale DERP server, similar to [derper](https://pkg.go.dev/tailscale.com/cmd/derper).
See [DERP Service](/configuration/service/derp/).
**14**:
Resolved service is a fake systemd-resolved DBUS service to receive DNS settings from other programs
(e.g. NetworkManager) and provide DNS resolution.
See [Resolved Service](/configuration/service/resolved/) and [Resolved DNS Server](/configuration/dns/server/resolved/).
**15**:
SSM API service is a RESTful API server for managing Shadowsocks servers.
See [SSM API Service](/configuration/service/ssm-api/).
**16**:
TUN now implements SideStore's StosVPN.
See [Tun](/configuration/inbound/tun/#loopback_address).
**17**:
We have significantly improved the performance of tun inbound on Apple platforms, especially in the gVisor stack.
The following data was tested using [tun_bench](https://github.com/SagerNet/sing-box/blob/dev-next/cmd/internal/tun_bench/main.go) on M4 MacBook pro.
| Version | Stack | MTU | Upload | Download |
|-------------|--------|-------|--------|----------|
| 1.11.15 | gvisor | 1500 | 852M | 2.57G |
| 1.12.0-rc.4 | gvisor | 1500 | 2.90G | 4.68G |
| 1.11.15 | gvisor | 4064 | 2.31G | 6.34G |
| 1.12.0-rc.4 | gvisor | 4064 | 7.54G | 12.2G |
| 1.11.15 | gvisor | 65535 | 27.6G | 18.1G |
| 1.12.0-rc.4 | gvisor | 65535 | 39.8G | 34.7G |
| 1.11.15 | system | 1500 | 664M | 706M |
| 1.12.0-rc.4 | system | 1500 | 2.44G | 2.51G |
| 1.11.15 | system | 4064 | 1.88G | 1.94G |
| 1.12.0-rc.4 | system | 4064 | 6.45G | 6.27G |
| 1.11.15 | system | 65535 | 26.2G | 17.4G |
| 1.12.0-rc.4 | system | 65535 | 17.6G | 21.0G |
**18**:
We continue to experience issues updating our sing-box apps on the App Store and Play Store.
Until we rewrite and resubmit the apps, they are considered irrecoverable.
Therefore, after this release, we will not be repeating this notice unless there is new information.
### 1.11.15
* Fixes and improvements
@@ -9,6 +160,15 @@ icon: material/alert-decagram
_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
violated the rules (TestFlight users are not affected)._
#### 1.12.0-beta.32
* Improve tun performance on Apple platforms **1**
* Fixes and improvements
**1**:
We have significantly improved the performance of tun inbound on Apple platforms, especially in the gVisor stack.
### 1.11.14
* Fixes and improvements
@@ -16,6 +176,49 @@ violated the rules (TestFlight users are not affected)._
_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
violated the rules (TestFlight users are not affected)._
#### 1.12.0-beta.24
* Allow `tls_fragment` and `tls_record_fragment` to be enabled together **1**
* Also add fragment options for TLS client configuration **2**
* Fixes and improvements
**1**:
For debugging only, it is recommended to disable if record fragmentation works.
See [Route Action](/configuration/route/rule_action/#tls_fragment).
**2**:
See [TLS](/configuration/shared/tls/).
#### 1.12.0-beta.23
* Add loopback address support for tun **1**
* Add cache support for ssm-api **2**
* Fixes and improvements
**1**:
TUN now implements SideStore's StosVPN.
See [Tun](/configuration/inbound/tun/#loopback_address).
**2**:
See [SSM API Service](/configuration/service/ssm-api/#cache_path).
#### 1.12.0-beta.21
* Fix missing `home` option for DERP service **1**
* Fixes and improvements
**1**:
You can now choose what the DERP home page shows, just like with derper's `-home` flag.
See [DERP](/configuration/service/derp/#home).
### 1.11.13
* Fixes and improvements
@@ -23,6 +226,37 @@ violated the rules (TestFlight users are not affected)._
_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
violated the rules (TestFlight users are not affected)._
#### 1.12.0-beta.17
* Update quic-go to v0.52.0
* Fixes and improvements
#### 1.12.0-beta.15
* Add DERP service **1**
* Add Resolved service and DNS server **2**
* Add SSM API service **3**
* Fixes and improvements
**1**:
DERP service is a Tailscale DERP server, similar to [derper](https://pkg.go.dev/tailscale.com/cmd/derper).
See [DERP Service](/configuration/service/derp/).
**2**:
Resolved service is a fake systemd-resolved DBUS service to receive DNS settings from other programs
(e.g. NetworkManager) and provide DNS resolution.
See [Resolved Service](/configuration/service/resolved/) and [Resolved DNS Server](/configuration/dns/server/resolved/).
**3**:
SSM API service is a RESTful API server for managing Shadowsocks servers.
See [SSM API Service](/configuration/service/ssm-api/).
### 1.11.11
* Fixes and improvements
@@ -30,6 +264,31 @@ violated the rules (TestFlight users are not affected)._
_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
violated the rules (TestFlight users are not affected)._
#### 1.12.0-beta.13
* Add TLS record fragment route options **1**
* Add missing `accept_routes` option for Tailscale **2**
* Fixes and improvements
**1**:
See [Route Action](/configuration/route/rule_action/#tls_record_fragment).
**2**:
See [Tailscale](/configuration/endpoint/tailscale/#accept_routes).
#### 1.12.0-beta.10
* Add control options for listeners **1**
* Fixes and improvements
**1**:
You can now set `bind_interface`, `routing_mark` and `reuse_addr` in Listen Fields.
See [Listen Fields](/configuration/shared/listen/).
### 1.11.10
* Undeprecate the `block` outbound **1**
@@ -43,6 +302,11 @@ we decided to temporarily undeprecate the `block` outbound until a replacement i
_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
violated the rules (TestFlight users are not affected)._
#### 1.12.0-beta.9
* Update quic-go to v0.51.0
* Fixes and improvements
### 1.11.9
* Fixes and improvements
@@ -50,6 +314,10 @@ violated the rules (TestFlight users are not affected)._
_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
violated the rules (TestFlight users are not affected)._
#### 1.12.0-beta.5
* Fixes and improvements
### 1.11.8
* Improve `auto_redirect` **1**
@@ -63,6 +331,10 @@ see [Tun](/configuration/inbound/tun/#auto_redirect).
_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
violated the rules (TestFlight users are not affected)._
#### 1.12.0-beta.3
* Fixes and improvements
### 1.11.7
* Fixes and improvements
@@ -70,6 +342,15 @@ violated the rules (TestFlight users are not affected)._
_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
violated the rules (TestFlight users are not affected)._
#### 1.12.0-beta.1
* Fixes and improvements
**1**:
Now `auto_redirect` fixes compatibility issues between tun and Docker bridge networks,
see [Tun](/configuration/inbound/tun/#auto_redirect).
### 1.11.6
* Fixes and improvements
@@ -77,6 +358,40 @@ violated the rules (TestFlight users are not affected)._
_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
violated the rules (TestFlight users are not affected)._
#### 1.12.0-alpha.19
* Update gVisor to 20250319.0
* Fixes and improvements
#### 1.12.0-alpha.18
* Add wildcard SNI support for ShadowTLS inbound **1**
* Fixes and improvements
**1**:
See [ShadowTLS](/configuration/inbound/shadowtls/#wildcard_sni).
#### 1.12.0-alpha.17
* Add NTP sniffer **1**
* Fixes and improvements
**1**:
See [Protocol Sniff](/configuration/route/sniff/).
#### 1.12.0-alpha.16
* Update `domain_resolver` behavior **1**
* Fixes and improvements
**1**:
`route.default_domain_resolver` or `outbound.domain_resolver` is now optional when only one DNS server is configured.
See [Dial Fields](/configuration/shared/dial/#domain_resolver).
### 1.11.5
* Fixes and improvements
@@ -84,10 +399,71 @@ violated the rules (TestFlight users are not affected)._
_We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we
violated the rules (TestFlight users are not affected)._
#### 1.12.0-alpha.13
* Move `predefined` DNS server to DNS rule action **1**
* Fixes and improvements
**1**:
See [DNS Rule Action](/configuration/dns/rule_action/#predefined).
### 1.11.4
* Fixes and improvements
#### 1.12.0-alpha.11
* Fixes and improvements
#### 1.12.0-alpha.10
* Add AnyTLS protocol **1**
* Improve `resolve` route action **2**
* Migrate to stdlib ECH implementation **3**
* Fixes and improvements
**1**:
The new AnyTLS protocol claims to mitigate TLS proxy traffic characteristics and comes with a new multiplexing scheme.
See [AnyTLS Inbound](/configuration/inbound/anytls/) and [AnyTLS Outbound](/configuration/outbound/anytls/).
**2**:
`resolve` route action now accepts `disable_cache` and other options like in DNS route actions, see [Route Action](/configuration/route/rule_action).
**3**:
See [TLS](/configuration/shared/tls).
The build tag `with_ech` is no longer needed and has been removed.
#### 1.12.0-alpha.7
* Add Tailscale DNS server **1**
* Fixes and improvements
**1**:
See [Tailscale](/configuration/dns/server/tailscale/).
#### 1.12.0-alpha.6
* Add Tailscale endpoint **1**
* Drop support for go1.22 **2**
* Fixes and improvements
**1**:
See [Tailscale](/configuration/endpoint/tailscale/).
**2**:
Due to maintenance difficulties, sing-box 1.12.0 requires at least Go 1.23 to compile.
For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches from [MetaCubeX/go](https://github.com/MetaCubeX/go).
### 1.11.3
* Fixes and improvements
@@ -95,10 +471,69 @@ violated the rules (TestFlight users are not affected)._
_This version overwrites 1.11.2, as incorrect binaries were released due to a bug in the continuous integration
process._
#### 1.12.0-alpha.5
* Fixes and improvements
### 1.11.1
* Fixes and improvements
#### 1.12.0-alpha.2
* Update quic-go to v0.49.0
* Fixes and improvements
#### 1.12.0-alpha.1
* Refactor DNS servers **1**
* Add domain resolver options**2**
* Add TLS fragment route options **3**
* Add certificate options **4**
**1**:
DNS servers are refactored for better performance and scalability.
See [DNS server](/configuration/dns/server/).
For migration, see [Migrate to new DNS server formats](/migration/#migrate-to-new-dns-servers).
Compatibility for old formats will be removed in sing-box 1.14.0.
**2**:
Legacy `outbound` DNS rules are deprecated
and can be replaced by the new `domain_resolver` option.
See [Dial Fields](/configuration/shared/dial/#domain_resolver) and
[Route](/configuration/route/#default_domain_resolver).
For migration,
see [Migrate outbound DNS rule items to domain resolver](/migration/#migrate-outbound-dns-rule-items-to-domain-resolver).
**3**:
The new TLS fragment route options allow you to fragment TLS handshakes to bypass firewalls.
This feature is intended to circumvent simple firewalls based on **plaintext packet matching**, and should not be used
to circumvent real censorship.
Since it is not designed for performance, it should not be applied to all connections, but only to server names that are
known to be blocked.
See [Route Action](/configuration/route/rule_action/#tls_fragment).
**4**:
New certificate options allow you to manage the default list of trusted X509 CA certificates.
For the system certificate list, fixed Go not reading Android trusted certificates correctly.
You can also use the Mozilla Included List instead, or add trusted certificates yourself.
See [Certificate](/configuration/certificate/).
### 1.11.0
Important changes since 1.10:

4
docs/clients/privacy.md
View File

@@ -9,6 +9,10 @@ and the data generated by the software is always on your device.
## Android
The broad package (App) visibility (QUERY_ALL_PACKAGES) permission
is used to provide per-application proxy features for VPN,
sing-box will not collect your app list.
If your configuration contains `wifi_ssid` or `wifi_bssid` routing rules,
sing-box uses the location permission in the background
to get information about the connected Wi-Fi network to make them work.

54
docs/configuration/certificate/index.md Normal file
View File

@@ -0,0 +1,54 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# Certificate
### Structure
```json
{
"store": "",
"certificate": [],
"certificate_path": [],
"certificate_directory_path": []
}
```
!!! note ""
You can ignore the JSON Array [] tag when the content is only one item
### Fields
#### store
The default X509 trusted CA certificate list.
| Type | Description |
|--------------------|---------------------------------------------------------------------------------------------------------------|
| `system` (default) | System trusted CA certificates |
| `mozilla` | [Mozilla Included List](https://wiki.mozilla.org/CA/Included_Certificates) with China CA certificates removed |
| `none` | Empty list |
#### certificate
The certificate line array to trust, in PEM format.
#### certificate_path
!!! note ""
Will be automatically reloaded if file modified.
The paths to certificates to trust, in PEM format.
#### certificate_directory_path
!!! note ""
Will be automatically reloaded if file modified.
The directory path to search for certificates to trust,in PEM format.

8
docs/configuration/dns/fakeip.md
View File

@@ -1,3 +1,11 @@
---
icon: material/delete-clock
---
!!! failure "Deprecated in sing-box 1.12.0"
Legacy fake-ip configuration is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-servers).
### Structure
```json

8
docs/configuration/dns/fakeip.zh.md
View File

@@ -1,3 +1,11 @@
---
icon: material/delete-clock
---
!!! failure "已在 sing-box 1.12.0 废弃"
旧的 fake-ip 配置已废弃且将在 sing-box 1.14.0 中被移除,参阅 [迁移指南](/migration/#migrate-to-new-dns-servers)。
### 结构
```json

8
docs/configuration/dns/index.md
View File

@@ -1,7 +1,11 @@
---
icon: material/new-box
icon: material/alert-decagram
---
!!! quote "Changes in sing-box 1.12.0"
:material-decagram: [servers](#servers)
!!! quote "Changes in sing-box 1.11.0"
:material-plus: [cache_capacity](#cache_capacity)
@@ -49,8 +53,6 @@ Default domain strategy for resolving the domain names.
One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
Take no effect if `server.strategy` is set.
#### disable_cache
Disable dns cache.

8
docs/configuration/dns/index.zh.md
View File

@@ -1,7 +1,11 @@
---
icon: material/new-box
icon: material/alert-decagram
---
!!! quote "sing-box 1.12.0 中的更改"
:material-decagram: [servers](#servers)
!!! quote "sing-box 1.11.0 中的更改"
:material-plus: [cache_capacity](#cache_capacity)
@@ -48,8 +52,6 @@ icon: material/new-box
可选值: `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`
如果设置了 `server.strategy`,则不生效。
#### disable_cache
禁用 DNS 缓存。

48
docs/configuration/dns/rule.md
View File

@@ -1,7 +1,12 @@
---
icon: material/new-box
icon: material/alert-decagram
---
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [ip_accept_any](#ip_accept_any)
:material-delete-clock: [outbound](#outbound)
!!! quote "Changes in sing-box 1.11.0"
:material-plus: [action](#action)
@@ -73,15 +78,6 @@ icon: material/new-box
"domain_regex": [
"^stun\\..+"
],
"geosite": [
"cn"
],
"source_geoip": [
"private"
],
"geoip": [
"cn"
],
"source_ip_cidr": [
"10.0.0.0/24",
"192.168.0.1"
@@ -92,6 +88,7 @@ icon: material/new-box
"192.168.0.1"
],
"ip_is_private": false,
"ip_accept_any": false,
"source_port": [
12345
],
@@ -143,8 +140,6 @@ icon: material/new-box
"geoip-cn",
"geosite-cn"
],
// deprecated
"rule_set_ipcidr_match_source": false,
"rule_set_ip_cidr_match_source": false,
"rule_set_ip_cidr_accept_empty": false,
"invert": false,
@@ -152,7 +147,20 @@ icon: material/new-box
"direct"
],
"action": "route",
"server": "local"
"server": "local",
// Deprecated
"rule_set_ipcidr_match_source": false,
"geosite": [
"cn"
],
"source_geoip": [
"private"
],
"geoip": [
"cn"
]
},
{
"type": "logical",
@@ -395,6 +403,10 @@ Invert match result.
#### outbound
!!! failure "Deprecated in sing-box 1.12.0"
`outbound` rule items are deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-outbound-dns-rule-items-to-domain-resolver).
Match outbound.
`any` can be used as a value to match any outbound.
@@ -443,7 +455,9 @@ Only takes effect for address requests (A/AAAA/HTTPS). When the query results do
#### geoip
!!! question "Since sing-box 1.9.0"
!!! failure "Removed in sing-box 1.12.0"
GeoIP is deprecated in sing-box 1.8.0 and removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).
Match GeoIP with query response.
@@ -465,6 +479,12 @@ Match private IP with query response.
Make `ip_cidr` rules in rule-sets accept empty query response.
#### ip_accept_any
!!! question "Since sing-box 1.12.0"
Match any IP with query response.
### Logical Fields
#### type

56
docs/configuration/dns/rule.zh.md
View File

@@ -1,7 +1,12 @@
---
icon: material/new-box
icon: material/alert-decagram
---
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [ip_accept_any](#ip_accept_any)
:material-delete-clock: [outbound](#outbound)
!!! quote "sing-box 1.11.0 中的更改"
:material-plus: [action](#action)
@@ -73,15 +78,6 @@ icon: material/new-box
"domain_regex": [
"^stun\\..+"
],
"geosite": [
"cn"
],
"source_geoip": [
"private"
],
"geoip": [
"cn"
],
"source_ip_cidr": [
"10.0.0.0/24",
"192.168.0.1"
@@ -92,6 +88,7 @@ icon: material/new-box
"192.168.0.1"
],
"ip_is_private": false,
"ip_accept_any": false,
"source_port": [
12345
],
@@ -143,8 +140,6 @@ icon: material/new-box
"geoip-cn",
"geosite-cn"
],
// 已弃用
"rule_set_ipcidr_match_source": false,
"rule_set_ip_cidr_match_source": false,
"rule_set_ip_cidr_accept_empty": false,
"invert": false,
@@ -152,7 +147,19 @@ icon: material/new-box
"direct"
],
"action": "route",
"server": "local"
"server": "local",
// 已弃用
"rule_set_ipcidr_match_source": false,
"geosite": [
"cn"
],
"source_geoip": [
"private"
],
"geoip": [
"cn"
]
},
{
"type": "logical",
@@ -228,17 +235,17 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
#### geosite
!!! failure "已在 sing-box 1.8.0 废弃"
!!! failure "已在 sing-box 1.12.0 中被移除"
Geosite 已废弃且可能在不久的将来移除,参阅 [迁移指南](/zh/migration/#geosite)。
GeoSite 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除,参阅 [迁移指南](/zh/migration/#geosite)。
匹配 Geosite。
#### source_geoip
!!! failure "已在 sing-box 1.8.0 废弃"
!!! failure "已在 sing-box 1.12.0 中被移除"
GeoIP 已废弃且可能在不久的将来移除,参阅 [迁移指南](/zh/migration/#geoip)。
GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除,参阅 [迁移指南](/zh/migration/#geoip)。
匹配源 GeoIP。
@@ -395,6 +402,10 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
#### outbound
!!! failure "已在 sing-box 1.12.0 废弃"
`outbound` 规则项已废弃且将在 sing-box 1.14.0 中被移除,参阅 [迁移指南](/migration/#migrate-outbound-dns-rule-items-to-domain-resolver)。
匹配出站。
`any` 可作为值用于匹配任意出站。
@@ -443,7 +454,10 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
#### geoip
!!! question "自 sing-box 1.9.0 "
!!! failure "已在 sing-box 1.12.0 中被移除"
GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除,参阅 [迁移指南](/zh/migration/#geoip)。
与查询响应匹配 GeoIP。
@@ -459,6 +473,12 @@ Available values: `wifi`, `cellular`, `ethernet` and `other`.
与查询响应匹配非公开 IP。
#### ip_accept_any
!!! question "自 sing-box 1.12.0 起"
匹配任意 IP。
#### rule_set_ip_cidr_accept_empty
!!! question "自 sing-box 1.10.0 起"

75
docs/configuration/dns/rule_action.md
View File

@@ -2,6 +2,11 @@
icon: material/new-box
---
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [strategy](#strategy)
:material-plus: [predefined](#predefined)
!!! question "Since sing-box 1.11.0"
### route
@@ -10,8 +15,9 @@ icon: material/new-box
{
"action": "route", // default
"server": "",
"strategy": "",
"disable_cache": false,
"rewrite_ttl": 0,
"rewrite_ttl": null,
"client_subnet": null
}
```
@@ -24,6 +30,14 @@ icon: material/new-box
Tag of target server.
#### strategy
!!! question "Since sing-box 1.12.0"
Set domain strategy for this query.
One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
#### disable_cache
Disable cache and save cache in this query.
@@ -38,7 +52,7 @@ Append a `edns0-subnet` OPT extra record with the specified IP prefix to every q
If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
Will overrides `dns.client_subnet` and `servers.[].client_subnet`.
Will overrides `dns.client_subnet`.
### route-options
@@ -58,7 +72,7 @@ Will overrides `dns.client_subnet` and `servers.[].client_subnet`.
```json
{
"action": "reject",
"method": "default", // default
"method": "",
"no_drop": false
}
```
@@ -67,11 +81,64 @@ Will overrides `dns.client_subnet` and `servers.[].client_subnet`.
#### method
- `default`: Reply with NXDOMAIN.
- `default`: Reply with REFUSED.
- `drop`: Drop the request.
`default` will be used by default.
#### no_drop
If not enabled, `method` will be temporarily overwritten to `drop` after 50 triggers in 30s.
Not available when `method` is set to drop.
### predefined
!!! question "Since sing-box 1.12.0"
```json
{
"action": "predefined",
"rcode": "",
"answer": [],
"ns": [],
"extra": []
}
```
`predefined` responds with predefined DNS records.
#### rcode
The response code.
| Value | Value in the legacy rcode server | Description |
|------------|----------------------------------|-----------------|
| `NOERROR` | `success` | Ok |
| `FORMERR` | `format_error` | Bad request |
| `SERVFAIL` | `server_failure` | Server failure |
| `NXDOMAIN` | `name_error` | Not found |
| `NOTIMP` | `not_implemented` | Not implemented |
| `REFUSED` | `refused` | Refused |
`NOERROR` will be used by default.
#### answer
List of text DNS record to respond as answers.
Examples:
| Record Type | Example |
|-------------|-------------------------------|
| `A` | `localhost. IN A 127.0.0.1` |
| `AAAA` | `localhost. IN AAAA ::1` |
| `TXT` | `localhost. IN TXT \"Hello\"` |
#### ns
List of text DNS record to respond as name servers.
#### extra
List of text DNS record to respond as extra records.

79
docs/configuration/dns/rule_action.zh.md
View File

@@ -2,18 +2,22 @@
icon: material/new-box
---
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [strategy](#strategy)
:material-plus: [predefined](#predefined)
!!! question "自 sing-box 1.11.0 起"
### route
```json
{
"action": "route", // 默认
"action": "route", // 默认
"server": "",
// 兼容性
"strategy": "",
"disable_cache": false,
"rewrite_ttl": 0,
"rewrite_ttl": null,
"client_subnet": null
}
```
@@ -26,6 +30,14 @@ icon: material/new-box
目标 DNS 服务器的标签。
#### strategy
!!! question "自 sing-box 1.12.0 起"
为此查询设置域名策略。
可选项:`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`
#### disable_cache
在此查询中禁用缓存。
@@ -40,7 +52,7 @@ icon: material/new-box
如果值是 IP 地址而不是前缀,则会自动附加 `/32``/128`
将覆盖 `dns.client_subnet``servers.[].client_subnet`
将覆盖 `dns.client_subnet`.
### route-options
@@ -60,7 +72,7 @@ icon: material/new-box
```json
{
"action": "reject",
"method": "default", // default
"method": "",
"no_drop": false
}
```
@@ -69,11 +81,64 @@ icon: material/new-box
#### method
- `default`: 返回 NXDOMAIN
- `default`: 返回 REFUSED
- `drop`: 丢弃请求。
默认使用 `defualt`
#### no_drop
如果未启用,则 30 秒内触发 50 次后,`method` 将被暂时覆盖为 `drop`
`method` 设为 `drop` 时不可用。
### predefined
!!! question "自 sing-box 1.12.0 起"
```json
{
"action": "predefined",
"rcode": "",
"answer": [],
"ns": [],
"extra": []
}
```
`predefined` 以预定义的 DNS 记录响应。
#### rcode
响应码。
| 值 | 旧 rcode DNS 服务器中的值 | 描述 |
|------------|--------------------|-----------------|
| `NOERROR` | `success` | Ok |
| `FORMERR` | `format_error` | Bad request |
| `SERVFAIL` | `server_failure` | Server failure |
| `NXDOMAIN` | `name_error` | Not found |
| `NOTIMP` | `not_implemented` | Not implemented |
| `REFUSED` | `refused` | Refused |
默认使用 `NOERROR`
#### answer
用于作为回答响应的文本 DNS 记录列表。
例子:
| 记录类型 | 例子 |
|--------|-------------------------------|
| `A` | `localhost. IN A 127.0.0.1` |
| `AAAA` | `localhost. IN AAAA ::1` |
| `TXT` | `localhost. IN TXT \"Hello\"` |
#### ns
用于作为名称服务器响应的文本 DNS 记录列表。
#### extra
用于作为额外记录响应的文本 DNS 记录列表。

38
docs/configuration/dns/server/dhcp.md Normal file
View File

@@ -0,0 +1,38 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# DHCP
### Structure
```json
{
"dns": {
"servers": [
{
"type": "dhcp",
"tag": "",
"interface": "",
// Dial Fields
}
]
}
}
```
### Fields
#### interface
Interface name to listen on.
Tge default interface will be used by default.
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.

35
docs/configuration/dns/server/fakeip.md Normal file
View File

@@ -0,0 +1,35 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# Fake IP
### Structure
```json
{
"dns": {
"servers": [
{
"type": "fakeip",
"tag": "",
"inet4_range": "198.18.0.0/15",
"inet6_range": "fc00::/18"
}
]
}
}
```
### Fields
#### inet4_range
IPv4 address range for FakeIP.
#### inet6_address
IPv6 address range for FakeIP.

96
docs/configuration/dns/server/hosts.md Normal file
View File

@@ -0,0 +1,96 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# Hosts
### Structure
```json
{
"dns": {
"servers": [
{
"type": "hosts",
"tag": "",
"path": [],
"predefined": {}
}
]
}
}
```
!!! note ""
You can ignore the JSON Array [] tag when the content is only one item
### Fields
#### path
List of paths to hosts files.
`/etc/hosts` is used by default.
`C:\Windows\System32\Drivers\etc\hosts` is used by default on Windows.
Example:
```json
{
// "path": "/etc/hosts"
"path": [
"/etc/hosts",
"$HOME/.hosts"
]
}
```
#### predefined
Predefined hosts.
Example:
```json
{
"predefined": {
"www.google.com": "127.0.0.1",
"localhost": [
"127.0.0.1",
"::1"
]
}
}
```
### Examples
=== "Use hosts if available"
```json
{
"dns": {
"servers": [
{
...
},
{
"type": "hosts",
"tag": "hosts"
}
],
"rules": [
{
"ip_accept_any": true,
"server": "hosts"
}
]
}
}
```

71
docs/configuration/dns/server/http3.md Normal file
View File

@@ -0,0 +1,71 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# DNS over HTTP3 (DoH3)
### Structure
```json
{
"dns": {
"servers": [
{
"type": "h3",
"tag": "",
"server": "",
"server_port": 443,
"path": "",
"headers": {},
"tls": {},
// Dial Fields
}
]
}
}
```
!!! info "Difference from legacy H3 server"
* The old server uses default outbound by default unless detour is specified; the new one uses dialer just like outbound, which is equivalent to using an empty direct outbound by default.
* The old server uses `address_resolver` and `address_strategy` to resolve the domain name in the server; the new one uses `domain_resolver` and `domain_strategy` in [Dial Fields](/configuration/shared/dial/) instead.
### Fields
#### server
==Required==
The address of the DNS server.
If domain name is used, `domain_resolver` must also be set to resolve IP address.
#### server_port
The port of the DNS server.
`443` will be used by default.
#### path
The path of the DNS server.
`/dns-query` will be used by default.
#### headers
Additional headers to be sent to the DNS server.
#### tls
TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.

71
docs/configuration/dns/server/https.md Normal file
View File

@@ -0,0 +1,71 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# DNS over HTTPS (DoH)
### Structure
```json
{
"dns": {
"servers": [
{
"type": "https",
"tag": "",
"server": "",
"server_port": 443,
"path": "",
"headers": {},
"tls": {},
// Dial Fields
}
]
}
}
```
!!! info "Difference from legacy HTTPS server"
* The old server uses default outbound by default unless detour is specified; the new one uses dialer just like outbound, which is equivalent to using an empty direct outbound by default.
* The old server uses `address_resolver` and `address_strategy` to resolve the domain name in the server; the new one uses `domain_resolver` and `domain_strategy` in [Dial Fields](/configuration/shared/dial/) instead.
### Fields
#### server
==Required==
The address of the DNS server.
If domain name is used, `domain_resolver` must also be set to resolve IP address.
#### server_port
The port of the DNS server.
`443` will be used by default.
#### path
The path of the DNS server.
`/dns-query` will be used by default.
#### headers
Additional headers to be sent to the DNS server.
#### tls
TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.

48
docs/configuration/dns/server/index.md Normal file
View File

@@ -0,0 +1,48 @@
---
icon: material/alert-decagram
---
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [type](#type)
# DNS Server
### Structure
```json
{
"dns": {
"servers": [
{
"type": "",
"tag": ""
}
]
}
}
```
#### type
The type of the DNS server.
| Type | Format |
|-----------------|---------------------------|
| empty (default) | [Legacy](./legacy/) |
| `local` | [Local](./local/) |
| `hosts` | [Hosts](./hosts/) |
| `tcp` | [TCP](./tcp/) |
| `udp` | [UDP](./udp/) |
| `tls` | [TLS](./tls/) |
| `quic` | [QUIC](./quic/) |
| `https` | [HTTPS](./https/) |
| `h3` | [HTTP/3](./http3/) |
| `dhcp` | [DHCP](./dhcp/) |
| `fakeip` | [Fake IP](./fakeip/) |
| `tailscale` | [Tailscale](./tailscale/) |
| `resolved` | [Resolved](./resolved/) |
#### tag
The tag of the DNS server.

48
docs/configuration/dns/server/index.zh.md Normal file
View File

@@ -0,0 +1,48 @@
---
icon: material/alert-decagram
---
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [type](#type)
# DNS Server
### 结构
```json
{
"dns": {
"servers": [
{
"type": "",
"tag": ""
}
]
}
}
```
#### type
DNS 服务器的类型。
| 类型 | 格式 |
|-----------------|---------------------------|
| empty (default) | [Legacy](./legacy/) |
| `local` | [Local](./local/) |
| `hosts` | [Hosts](./hosts/) |
| `tcp` | [TCP](./tcp/) |
| `udp` | [UDP](./udp/) |
| `tls` | [TLS](./tls/) |
| `quic` | [QUIC](./quic/) |
| `https` | [HTTPS](./https/) |
| `h3` | [HTTP/3](./http3/) |
| `dhcp` | [DHCP](./dhcp/) |
| `fakeip` | [Fake IP](./fakeip/) |
| `tailscale` | [Tailscale](./tailscale/) |
| `resolved` | [Resolved](./resolved/) |
#### tag
DNS 服务器的标签。

8
docs/configuration/dns/server.md → docs/configuration/dns/server/legacy.md
View File

@@ -1,3 +1,11 @@
---
icon: material/delete-clock
---
!!! failure "Deprecated in sing-box 1.12.0"
Legacy DNS servers is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-servers).
!!! quote "Changes in sing-box 1.9.0"
:material-plus: [client_subnet](#client_subnet)

8
docs/configuration/dns/server.zh.md → docs/configuration/dns/server/legacy.zh.md
View File

@@ -1,3 +1,11 @@
---
icon: material/delete-clock
---
!!! failure "Deprecated in sing-box 1.12.0"
旧的 DNS 服务器配置已废弃且将在 sing-box 1.14.0 中被移除,参阅 [迁移指南](/migration/#migrate-to-new-dns-servers)。
!!! quote "sing-box 1.9.0 中的更改"
:material-plus: [client_subnet](#client_subnet)

33
docs/configuration/dns/server/local.md Normal file
View File

@@ -0,0 +1,33 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# Local
### Structure
```json
{
"dns": {
"servers": [
{
"type": "local",
"tag": "",
// Dial Fields
}
]
}
}
```
!!! info "Difference from legacy local server"
* The old legacy local server only handles IP requests; the new one handles all types of requests and supports concurrent for IP requests.
* The old local server uses default outbound by default unless detour is specified; the new one uses dialer just like outbound, which is equivalent to using an empty direct outbound by default.
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.

58
docs/configuration/dns/server/quic.md Normal file
View File

@@ -0,0 +1,58 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# DNS over QUIC (DoQ)
### Structure
```json
{
"dns": {
"servers": [
{
"type": "quic",
"tag": "",
"server": "",
"server_port": 853,
"tls": {},
// Dial Fields
}
]
}
}
```
!!! info "Difference from legacy QUIC server"
* The old server uses default outbound by default unless detour is specified; the new one uses dialer just like outbound, which is equivalent to using an empty direct outbound by default.
* The old server uses `address_resolver` and `address_strategy` to resolve the domain name in the server; the new one uses `domain_resolver` and `domain_strategy` in [Dial Fields](/configuration/shared/dial/) instead.
### Fields
#### server
==Required==
The address of the DNS server.
If domain name is used, `domain_resolver` must also be set to resolve IP address.
#### server_port
The port of the DNS server.
`853` will be used by default.
#### tls
TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.

84
docs/configuration/dns/server/resolved.md Normal file
View File

@@ -0,0 +1,84 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# Resolved
```json
{
"dns": {
"servers": [
{
"type": "resolved",
"tag": "",
"service": "resolved",
"accept_default_resolvers": false
}
]
}
}
```
### Fields
#### service
==Required==
The tag of the [Resolved Service](/configuration/service/resolved).
#### accept_default_resolvers
Indicates whether the default DNS resolvers should be accepted for fallback queries in addition to matching domains.
Specifically, default DNS resolvers are DNS servers that have `SetLinkDefaultRoute` or `SetLinkDomains ~.` set.
If not enabled, `NXDOMAIN` will be returned for requests that do not match search or match domains.
### Examples
=== "Split DNS only"
```json
{
"dns": {
"servers": [
{
"type": "local",
"tag": "local"
},
{
"type": "resolved",
"tag": "resolved",
"service": "resolved"
}
],
"rules": [
{
"ip_accept_any": true,
"server": "resolved"
}
]
}
}
```
=== "Use as global DNS"
```json
{
"dns": {
"servers": [
{
"type": "resolved",
"service": "resolved",
"accept_default_resolvers": true
}
]
}
}
```

83
docs/configuration/dns/server/tailscale.md Normal file
View File

@@ -0,0 +1,83 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# Tailscale
### Structure
```json
{
"dns": {
"servers": [
{
"type": "tailscale",
"tag": "",
"endpoint": "ts-ep",
"accept_default_resolvers": false
}
]
}
}
```
### Fields
#### endpoint
==Required==
The tag of the [Tailscale Endpoint](/configuration/endpoint/tailscale).
#### accept_default_resolvers
Indicates whether default DNS resolvers should be accepted for fallback queries in addition to MagicDNS。
if not enabled, `NXDOMAIN` will be returned for non-Tailscale domain queries.
### Examples
=== "MagicDNS only"
```json
{
"dns": {
"servers": [
{
"type": "local",
"tag": "local"
},
{
"type": "tailscale",
"tag": "ts",
"endpoint": "ts-ep"
}
],
"rules": [
{
"ip_accept_any": true,
"server": "ts"
}
]
}
}
```
=== "Use as global DNS"
```json
{
"dns": {
"servers": [
{
"type": "tailscale",
"endpoint": "ts-ep",
"accept_default_resolvers": true
}
]
}
}
```

52
docs/configuration/dns/server/tcp.md Normal file
View File

@@ -0,0 +1,52 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# TCP
### Structure
```json
{
"dns": {
"servers": [
{
"type": "tcp",
"tag": "",
"server": "",
"server_port": 53,
// Dial Fields
}
]
}
}
```
!!! info "Difference from legacy TCP server"
* The old server uses default outbound by default unless detour is specified; the new one uses dialer just like outbound, which is equivalent to using an empty direct outbound by default.
* The old server uses `address_resolver` and `address_strategy` to resolve the domain name in the server; the new one uses `domain_resolver` and `domain_strategy` in [Dial Fields](/configuration/shared/dial/) instead.
### Fields
#### server
==Required==
The address of the DNS server.
If domain name is used, `domain_resolver` must also be set to resolve IP address.
#### server_port
The port of the DNS server.
`53` will be used by default.
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.

58
docs/configuration/dns/server/tls.md Normal file
View File

@@ -0,0 +1,58 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# DNS over TLS (DoT)
### Structure
```json
{
"dns": {
"servers": [
{
"type": "tls",
"tag": "",
"server": "",
"server_port": 853,
"tls": {},
// Dial Fields
}
]
}
}
```
!!! info "Difference from legacy TLS server"
* The old server uses default outbound by default unless detour is specified; the new one uses dialer just like outbound, which is equivalent to using an empty direct outbound by default.
* The old server uses `address_resolver` and `address_strategy` to resolve the domain name in the server; the new one uses `domain_resolver` and `domain_strategy` in [Dial Fields](/configuration/shared/dial/) instead.
### Fields
#### server
==Required==
The address of the DNS server.
If domain name is used, `domain_resolver` must also be set to resolve IP address.
#### server_port
The port of the DNS server.
`853` will be used by default.
#### tls
TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.

52
docs/configuration/dns/server/udp.md Normal file
View File

@@ -0,0 +1,52 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# UDP
### Structure
```json
{
"dns": {
"servers": [
{
"type": "udp",
"tag": "",
"server": "",
"server_port": 53,
// Dial Fields
}
]
}
}
```
!!! info "Difference from legacy UDP server"
* The old server uses default outbound by default unless detour is specified; the new one uses dialer just like outbound, which is equivalent to using an empty direct outbound by default.
* The old server uses `address_resolver` and `address_strategy` to resolve the domain name in the server; the new one uses `domain_resolver` and `domain_strategy` in [Dial Fields](/configuration/shared/dial/) instead.
### Fields
#### server
==Required==
The address of the DNS server.
If domain name is used, `domain_resolver` must also be set to resolve IP address.
#### server_port
The port of the DNS server.
`53` will be used by default.
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.

3
docs/configuration/endpoint/index.md
View File

@@ -6,7 +6,7 @@ icon: material/new-box
# Endpoint
Endpoint is protocols that has both inbound and outbound behavior.
An endpoint is a protocol with inbound and outbound behavior.
### Structure
@@ -26,6 +26,7 @@ Endpoint is protocols that has both inbound and outbound behavior.
| Type | Format |
|-------------|---------------------------|
| `wireguard` | [WireGuard](./wireguard/) |
| `tailscale` | [Tailscale](./tailscale/) |
#### tag

5
docs/configuration/endpoint/index.zh.md
View File

@@ -23,9 +23,10 @@ icon: material/new-box
### 字段
| 类型 | 格式 |
| 类型 | 格式 |
|-------------|---------------------------|
| `wireguard` | [WireGuard](./wiregaurd/) |
| `wireguard` | [WireGuard](./wireguard/) |
| `tailscale` | [Tailscale](./tailscale/) |
#### tag

104
docs/configuration/endpoint/tailscale.md Normal file
View File

@@ -0,0 +1,104 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
### Structure
```json
{
"type": "tailscale",
"tag": "ts-ep",
"state_directory": "",
"auth_key": "",
"control_url": "",
"ephemeral": false,
"hostname": "",
"accept_routes": false,
"exit_node": "",
"exit_node_allow_lan_access": false,
"advertise_routes": [],
"advertise_exit_node": false,
"udp_timeout": "5m",
... // Dial Fields
}
```
### Fields
#### state_directory
The directory where the Tailscale state is stored.
`tailscale` is used by default.
Example: `$HOME/.tailscale`
#### auth_key
!!! note
Auth key is not required. By default, sing-box will log the login URL (or popup a notification on graphical clients).
The auth key to create the node. If the node is already created (from state previously stored), then this field is not
used.
#### control_url
The coordination server URL.
`https://controlplane.tailscale.com` is used by default.
#### ephemeral
Indicates whether the instance should register as an Ephemeral node (https://tailscale.com/s/ephemeral-nodes).
#### hostname
The hostname of the node.
System hostname is used by default.
Example: `localhost`
#### accept_routes
Indicates whether the node should accept routes advertised by other nodes.
#### exit_node
The exit node name or IP address to use.
#### exit_node_allow_lan_access
!!! note
When the exit node does not have a corresponding advertised route, private traffics cannot be routed to the exit node even if `exit_node_allow_lan_access is` set.
Indicates whether locally accessible subnets should be routed directly or via the exit node.
#### advertise_routes
CIDR prefixes to advertise into the Tailscale network as reachable through the current node.
Example: `["192.168.1.1/24"]`
#### advertise_exit_node
Indicates whether the node should advertise itself as an exit node.
#### udp_timeout
UDP NAT expiration time.
`5m` will be used by default.
### Dial Fields
!!! note
Dial Fields in Tailscale endpoints only control how it connects to the control plane and have nothing to do with actual connections.
See [Dial Fields](/configuration/shared/dial/) for details.

2
docs/configuration/endpoint/wireguard.zh.md
View File

@@ -41,7 +41,7 @@ icon: material/new-box
### 字段
#### system_interface
#### system
使用系统设备。

4
docs/configuration/experimental/clash-api.md
View File

@@ -1,7 +1,3 @@
---
icon: material/new-box
---
!!! quote "Changes in sing-box 1.10.0"
:material-plus: [access_control_allow_origin](#access_control_allow_origin)

4
docs/configuration/experimental/clash-api.zh.md
View File

@@ -1,7 +1,3 @@
---
icon: material/new-box
---
!!! quote "sing-box 1.10.0 中的更改"
:material-plus: [access_control_allow_origin](#access_control_allow_origin)

61
docs/configuration/inbound/anytls.md Normal file
View File

@@ -0,0 +1,61 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
### Structure
```json
{
"type": "anytls",
"tag": "anytls-in",
... // Listen Fields
"users": [
{
"name": "sekai",
"password": "8JCsPssfgS8tiRwiMlhARg=="
}
],
"padding_scheme": [],
"tls": {}
}
```
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
### Fields
#### users
==Required==
AnyTLS users.
#### padding_scheme
AnyTLS padding scheme line array.
Default padding scheme:
```json
[
"stop=8",
"0=30-30",
"1=100-400",
"2=400-500,c,500-1000,c,500-1000,c,500-1000,c,500-1000",
"3=9-9,500-1000",
"4=500-1000",
"5=500-1000",
"6=500-1000",
"7=500-1000"
]
```
#### tls
TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

61
docs/configuration/inbound/anytls.zh.md Normal file
View File

@@ -0,0 +1,61 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
### 结构
```json
{
"type": "anytls",
"tag": "anytls-in",
... // 监听字段
"users": [
{
"name": "sekai",
"password": "8JCsPssfgS8tiRwiMlhARg=="
}
],
"padding_scheme": [],
"tls": {}
}
```
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/)。
### 字段
#### users
==必填==
AnyTLS 用户。
#### padding_scheme
AnyTLS 填充方案行数组。
默认填充方案:
```json
[
"stop=8",
"0=30-30",
"1=100-400",
"2=400-500,c,500-1000,c,500-1000,c,500-1000,c,500-1000",
"3=9-9,500-1000",
"4=500-1000",
"5=500-1000",
"6=500-1000",
"7=500-1000"
]
```
#### tls
TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

1
docs/configuration/inbound/index.md
View File

@@ -30,6 +30,7 @@
| `tuic` | [TUIC](./tuic/) | :material-close: |
| `hysteria2` | [Hysteria2](./hysteria2/) | :material-close: |
| `vless` | [VLESS](./vless/) | TCP |
| `anytls` | [AnyTLS](./anytls/) | TCP |
| `tun` | [Tun](./tun/) | :material-close: |
| `redirect` | [Redirect](./redirect/) | :material-close: |
| `tproxy` | [TProxy](./tproxy/) | :material-close: |

1
docs/configuration/inbound/index.zh.md
View File

@@ -30,6 +30,7 @@
| `tuic` | [TUIC](./tuic/) | :material-close: |
| `hysteria2` | [Hysteria2](./hysteria2/) | :material-close: |
| `vless` | [VLESS](./vless/) | TCP |
| `anytls` | [AnyTLS](./anytls/) | TCP |
| `tun` | [Tun](./tun/) | :material-close: |
| `redirect` | [Redirect](./redirect/) | :material-close: |
| `tproxy` | [TProxy](./tproxy/) | :material-close: |

30
docs/configuration/inbound/shadowtls.md
View File

@@ -1,3 +1,11 @@
---
icon: material/new-box
---
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [wildcard_sni](#wildcard_sni)
### Structure
```json
@@ -29,7 +37,8 @@
... // Dial Fields
}
},
"strict_mode": false
"strict_mode": false,
"wildcard_sni": ""
}
```
@@ -55,7 +64,6 @@ ShadowTLS password.
Only available in the ShadowTLS protocol 2.
#### users
ShadowTLS users.
@@ -66,6 +74,8 @@ Only available in the ShadowTLS protocol 3.
==Required==
When `wildcard_sni` is configured to `all`, the server address is optional.
Handshake server address and [Dial Fields](/configuration/shared/dial/).
#### handshake_for_server_name
@@ -79,3 +89,19 @@ Only available in the ShadowTLS protocol 2/3.
ShadowTLS strict mode.
Only available in the ShadowTLS protocol 3.
#### wildcard_sni
!!! question "Since sing-box 1.12.0"
ShadowTLS wildcard SNI mode.
Available values are:
* `off`: (default) Disabled.
* `authed`: Authenticated connections will have their destination overwritten to `(servername):443`
* `all`: All connections will have their destination overwritten to `(servername):443`
Additionally, connections matching `handshake_for_server_name` are not affected.
Only available in the ShadowTLS protocol 3.

27
docs/configuration/inbound/shadowtls.zh.md
View File

@@ -1,3 +1,11 @@
---
icon: material/new-box
---
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [wildcard_sni](#wildcard_sni)
### 结构
```json
@@ -29,7 +37,8 @@
... // 拨号字段
}
},
"strict_mode": false
"strict_mode": false,
"wildcard_sni": ""
}
```
@@ -80,3 +89,19 @@ ShadowTLS 用户。
ShadowTLS 严格模式。
仅在 ShadowTLS 协议版本 3 中可用。
#### wildcard_sni
!!! question "自 sing-box 1.12.0 起"
ShadowTLS 通配符 SNI 模式。
可用值:
* `off`:(默认)禁用。
* `authed`:已认证的连接的目标将被重写为 `(servername):443`
* `all`:所有连接的目标将被重写为 `(servername):443`
此外,匹配 `handshake_for_server_name` 的连接不受影响。
仅在 ShadowTLS 协议 3 中可用。

27
docs/configuration/inbound/tun.md
View File

@@ -1,7 +1,11 @@
---
icon: material/alert-decagram
icon: material/new-box
---
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [loopback_address](#loopback_address)
!!! quote "Changes in sing-box 1.11.0"
:material-delete-alert: [gso](#gso)
@@ -56,9 +60,12 @@ icon: material/alert-decagram
"auto_route": true,
"iproute2_table_index": 2022,
"iproute2_rule_index": 9000,
"auto_redirect": false,
"auto_redirect": true,
"auto_redirect_input_mark": "0x2023",
"auto_redirect_output_mark": "0x2024",
"loopback_address": [
"10.7.0.1"
],
"strict_route": true,
"route_address": [
"0.0.0.0/1",
@@ -66,7 +73,6 @@ icon: material/alert-decagram
"::/1",
"8000::/1"
],
"route_exclude_address": [
"192.168.0.0/16",
"fc00::/7"
@@ -117,7 +123,6 @@ icon: material/alert-decagram
"match_domain": []
}
},
// Deprecated
"gso": false,
"inet4_address": [
@@ -140,8 +145,8 @@ icon: material/alert-decagram
"inet6_route_exclude_address": [
"fc00::/7"
],
... // Listen Fields
...
// Listen Fields
}
```
@@ -273,6 +278,16 @@ Connection output mark used by `auto_redirect`.
`0x2024` is used by default.
#### loopback_address
!!! question "Since sing-box 1.12.0"
Loopback addresses make TCP connections to the specified address connect to the source address.
Setting option value to `10.7.0.1` achieves the same behavior as SideStore/StosVPN.
When `auto_redirect` is enabled, the same behavior can be achieved for LAN devices (not just local) as a gateway.
#### strict_route
Enforce strict routing rules when `auto_route` is enabled:

21
docs/configuration/inbound/tun.zh.md
View File

@@ -1,7 +1,11 @@
---
icon: material/alert-decagram
icon: material/new-box
---
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [loopback_address](#loopback_address)
!!! quote "sing-box 1.11.0 中的更改"
:material-delete-alert: [gso](#gso)
@@ -56,9 +60,12 @@ icon: material/alert-decagram
"auto_route": true,
"iproute2_table_index": 2022,
"iproute2_rule_index": 9000,
"auto_redirect": false,
"auto_redirect": true,
"auto_redirect_input_mark": "0x2023",
"auto_redirect_output_mark": "0x2024",
"loopback_address": [
"10.7.0.1"
],
"strict_route": true,
"route_address": [
"0.0.0.0/1",
@@ -270,6 +277,16 @@ tun 接口的 IPv6 前缀。
默认使用 `0x2024`
#### loopback_address
!!! question "自 sing-box 1.12.0 起"
环回地址是用于使指向指定地址的 TCP 连接连接到来源地址的。
将选项值设置为 `10.7.0.1` 可实现与 SideStore/StosVPN 相同的行为。
当启用 `auto_redirect` 时,可以作为网关为局域网设备(而不仅仅是本地)实现相同的行为。
#### strict_route
当启用 `auto_route` 时,强制执行严格的路由规则:

4
docs/configuration/index.md
View File

@@ -9,10 +9,12 @@ sing-box uses JSON for configuration files.
"log": {},
"dns": {},
"ntp": {},
"certificate": {},
"endpoints": [],
"inbounds": [],
"outbounds": [],
"route": {},
"services": [],
"experimental": {}
}
```
@@ -24,10 +26,12 @@ sing-box uses JSON for configuration files.
| `log` | [Log](./log/) |
| `dns` | [DNS](./dns/) |
| `ntp` | [NTP](./ntp/) |
| `certificate` | [Certificate](./certificate/) |
| `endpoints` | [Endpoint](./endpoint/) |
| `inbounds` | [Inbound](./inbound/) |
| `outbounds` | [Outbound](./outbound/) |
| `route` | [Route](./route/) |
| `services` | [Service](./service/) |
| `experimental` | [Experimental](./experimental/) |
### Check

4
docs/configuration/index.zh.md
View File

@@ -9,10 +9,12 @@ sing-box 使用 JSON 作为配置文件格式。
"log": {},
"dns": {},
"ntp": {},
"certificate": {},
"endpoints": [],
"inbounds": [],
"outbounds": [],
"route": {},
"services": [],
"experimental": {}
}
```
@@ -24,10 +26,12 @@ sing-box 使用 JSON 作为配置文件格式。
| `log` | [日志](./log/) |
| `dns` | [DNS](./dns/) |
| `ntp` | [NTP](./ntp/) |
| `certificate` | [证书](./certificate/) |
| `endpoints` | [端点](./endpoint/) |
| `inbounds` | [入站](./inbound/) |
| `outbounds` | [出站](./outbound/) |
| `route` | [路由](./route/) |
| `services` | [服务](./service/) |
| `experimental` | [实验性](./experimental/) |
### 检查

66
docs/configuration/outbound/anytls.md Normal file
View File

@@ -0,0 +1,66 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
### Structure
```json
{
"type": "anytls",
"tag": "anytls-out",
"server": "127.0.0.1",
"server_port": 1080,
"password": "8JCsPssfgS8tiRwiMlhARg==",
"idle_session_check_interval": "30s",
"idle_session_timeout": "30s",
"min_idle_session": 5,
"tls": {},
... // Dial Fields
}
```
### Fields
#### server
==Required==
The server address.
#### server_port
==Required==
The server port.
#### password
==Required==
The AnyTLS password.
#### idle_session_check_interval
Interval checking for idle sessions. Default: 30s.
#### idle_session_timeout
In the check, close sessions that have been idle for longer than this. Default: 30s.
#### min_idle_session
In the check, at least the first `n` idle sessions are kept open. Default value: `n`=0
#### tls
==Required==
TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.

66
docs/configuration/outbound/anytls.zh.md Normal file
View File

@@ -0,0 +1,66 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
### 结构
```json
{
"type": "anytls",
"tag": "anytls-out",
"server": "127.0.0.1",
"server_port": 1080,
"password": "8JCsPssfgS8tiRwiMlhARg==",
"idle_session_check_interval": "30s",
"idle_session_timeout": "30s",
"min_idle_session": 5,
"tls": {},
... // 拨号字段
}
```
### 字段
#### server
==必填==
服务器地址。
#### server_port
==必填==
服务器端口。
#### password
==必填==
AnyTLS 密码。
#### idle_session_check_interval
检查空闲会话的时间间隔。默认值30秒。
#### idle_session_timeout
在检查中关闭闲置时间超过此值的会话。默认值30秒。
#### min_idle_session
在检查中,至少前 `n` 个空闲会话保持打开状态。默认值:`n`=0
#### tls
==必填==
TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
### 拨号字段
参阅 [拨号字段](/zh/configuration/shared/dial/)。

29
docs/configuration/outbound/hysteria.md
View File

@@ -1,3 +1,12 @@
---
icon: material/new-box
---
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [server_ports](#server_ports)
:material-plus: [hop_interval](#hop_interval)
### Structure
```json
@@ -7,6 +16,10 @@
"server": "127.0.0.1",
"server_port": 1080,
"server_ports": [
"2080:3000"
],
"hop_interval": "",
"up": "100 Mbps",
"up_mbps": 100,
"down": "100 Mbps",
@@ -38,6 +51,22 @@ The server address.
The server port.
#### server_ports
!!! question "Since sing-box 1.12.0"
Server port range list.
Conflicts with `server_port`.
#### hop_interval
!!! question "Since sing-box 1.12.0"
Port hopping interval.
`30s` is used by default.
#### up, down
==Required==

29
docs/configuration/outbound/hysteria.zh.md
View File

@@ -1,3 +1,12 @@
---
icon: material/new-box
---
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [server_ports](#server_ports)
:material-plus: [hop_interval](#hop_interval)
### 结构
```json
@@ -7,6 +16,10 @@
"server": "127.0.0.1",
"server_port": 1080,
"server_ports": [
"2080:3000"
],
"hop_interval": "",
"up": "100 Mbps",
"up_mbps": 100,
"down": "100 Mbps",
@@ -38,6 +51,22 @@
服务器端口。
#### server_ports
!!! question "自 sing-box 1.12.0 起"
服务器端口范围列表。
`server_port` 冲突。
#### hop_interval
!!! question "自 sing-box 1.12.0 起"
端口跳跃间隔。
默认使用 `30s`
#### up, down
==必填==

1
docs/configuration/outbound/index.md
View File

@@ -31,6 +31,7 @@
| `tuic` | [TUIC](./tuic/) |
| `hysteria2` | [Hysteria2](./hysteria2/) |
| `mieru` | [Mieru](./mieru/) |
| `anytls` | [AnyTLS](./anytls/) |
| `tor` | [Tor](./tor/) |
| `ssh` | [SSH](./ssh/) |
| `dns` | [DNS](./dns/) |

1
docs/configuration/outbound/index.zh.md
View File

@@ -31,6 +31,7 @@
| `tuic` | [TUIC](./tuic/) |
| `hysteria2` | [Hysteria2](./hysteria2/) |
| `mieru` | [Mieru](./mieru/) |
| `anytls` | [AnyTLS](./anytls/) |
| `tor` | [Tor](./tor/) |
| `ssh` | [SSH](./ssh/) |
| `dns` | [DNS](./dns/) |

6
docs/configuration/route/geoip.md
View File

@@ -1,10 +1,10 @@
---
icon: material/delete-clock
icon: material/note-remove
---
!!! failure "Deprecated in sing-box 1.8.0"
!!! failure "Removed in sing-box 1.12.0"
GeoIP is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).
GeoIP is deprecated in sing-box 1.8.0 and removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).
### Structure

6
docs/configuration/route/geoip.zh.md
View File

@@ -1,10 +1,10 @@
---
icon: material/delete-clock
icon: material/note-remove
---
!!! failure "已在 sing-box 1.8.0 废弃"
!!! failure "已在 sing-box 1.12.0 中被移除"
GeoIP 已废弃且在 sing-box 1.12.0 中被移除,参阅 [迁移指南](/zh/migration/#geoip)。
GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除,参阅 [迁移指南](/zh/migration/#geoip)。
### 结构

6
docs/configuration/route/geosite.md
View File

@@ -1,10 +1,10 @@
---
icon: material/delete-clock
icon: material/note-remove
---
!!! failure "Deprecated in sing-box 1.8.0"
!!! failure "Removed in sing-box 1.12.0"
Geosite is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geosite-to-rule-sets).
Geosite is deprecated in sing-box 1.8.0 and removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geosite-to-rule-sets).
### Structure

6
docs/configuration/route/geosite.zh.md
View File

@@ -1,10 +1,10 @@
---
icon: material/delete-clock
icon: material/note-remove
---
!!! failure "已在 sing-box 1.8.0 废弃"
!!! failure "已在 sing-box 1.12.0 中被移除"
Geosite 已废弃且在 sing-box 1.12.0 中被移除,参阅 [迁移指南](/zh/migration/#geosite)。
Geosite 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除,参阅 [迁移指南](/zh/migration/#geosite)。
### 结构

26
docs/configuration/route/index.md
View File

@@ -1,9 +1,15 @@
---
icon: material/new-box
icon: material/alert-decagram
---
# Route
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [default_domain_resolver](#default_domain_resolver)
:material-note-remove: [geoip](#geoip)
:material-note-remove: [geosite](#geosite)
!!! quote "Changes in sing-box 1.11.0"
:material-plus: [default_network_strategy](#default_network_strategy)
@@ -22,8 +28,6 @@ icon: material/new-box
```json
{
"route": {
"geoip": {},
"geosite": {},
"rules": [],
"rule_set": [],
"final": "",
@@ -31,10 +35,16 @@ icon: material/new-box
"override_android_vpn": false,
"default_interface": "",
"default_mark": 0,
"default_domain_resolver": "", // or {}
"default_network_strategy": "",
"default_network_type": [],
"default_fallback_network_type": [],
"default_fallback_delay": ""
"default_fallback_delay": "",
// Removed
"geoip": {},
"geosite": {}
}
}
```
@@ -97,6 +107,14 @@ Set routing mark by default.
Takes no effect if `outbound.routing_mark` is set.
#### default_domain_resolver
!!! question "Since sing-box 1.12.0"
See [Dial Fields](/configuration/shared/dial/#domain_resolver) for details.
Can be overrides by `outbound.domain_resolver`.
#### default_network_strategy
!!! question "Since sing-box 1.11.0"

16
docs/configuration/route/index.zh.md
View File

@@ -1,9 +1,15 @@
---
icon: material/new-box
icon: material/alert-decagram
---
# 路由
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [default_domain_resolver](#default_domain_resolver)
:material-note-remove: [geoip](#geoip)
:material-note-remove: [geosite](#geosite)
!!! quote "sing-box 1.11.0 中的更改"
:material-plus: [network_strategy](#network_strategy)
@@ -100,6 +106,14 @@ icon: material/new-box
如果设置了 `outbound.routing_mark` 设置,则不生效。
#### default_domain_resolver
!!! question "自 sing-box 1.12.0 起"
详情参阅 [拨号字段](/configuration/shared/dial/#domain_resolver)。
可以被 `outbound.domain_resolver` 覆盖。
#### network_strategy
!!! question "自 sing-box 1.11.0 起"

77
docs/configuration/route/rule_action.md
View File

@@ -2,6 +2,15 @@
icon: material/new-box
---
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [tls_fragment](#tls_fragment)
:material-plus: [tls_fragment_fallback_delay](#tls_fragment_fallback_delay)
:material-plus: [tls_record_fragment](#tls_record_fragment)
:material-plus: [resolve.disable_cache](#disable_cache)
:material-plus: [resolve.rewrite_ttl](#rewrite_ttl)
:material-plus: [resolve.client_subnet](#client_subnet)
## Final actions
### route
@@ -81,7 +90,10 @@ Not available when `method` is set to drop.
"fallback_delay": "",
"udp_disable_domain_unmapping": false,
"udp_connect": false,
"udp_timeout": ""
"udp_timeout": "",
"tls_fragment": false,
"tls_fragment_fallback_delay": "",
"tls_record_fragment": ""
}
```
@@ -148,6 +160,38 @@ If no protocol is sniffed, the following ports will be recognized as protocols b
| 443 | `quic` |
| 3478 | `stun` |
#### tls_fragment
!!! question "Since sing-box 1.12.0"
Fragment TLS handshakes to bypass firewalls.
This feature is intended to circumvent simple firewalls based on **plaintext packet matching**,
and should not be used to circumvent real censorship.
Due to poor performance, try `tls_record_fragment` first, and only apply to server names known to be blocked.
On Linux, Apple platforms, (administrator privileges required) Windows,
the wait time can be automatically detected. Otherwise, it will fall back to
waiting for a fixed time specified by `tls_fragment_fallback_delay`.
In addition, if the actual wait time is less than 20ms, it will also fall back to waiting for a fixed time,
because the target is considered to be local or behind a transparent proxy.
#### tls_fragment_fallback_delay
!!! question "Since sing-box 1.12.0"
The fallback value used when TLS segmentation cannot automatically determine the wait time.
`500ms` is used by default.
#### tls_record_fragment
!!! question "Since sing-box 1.12.0"
Fragment TLS handshake into multiple TLS records to bypass firewalls.
### sniff
```json
@@ -181,19 +225,44 @@ Timeout for sniffing.
```json
{
"action": "resolve",
"server": "",
"strategy": "",
"server": ""
"disable_cache": false,
"rewrite_ttl": null,
"client_subnet": null
}
```
`resolve` resolve request destination from domain to IP addresses.
#### server
Specifies DNS server tag to use instead of selecting through DNS routing.
#### strategy
DNS resolution strategy, available values are: `prefer_ipv4`, `prefer_ipv6`, `ipv4_only`, `ipv6_only`.
`dns.strategy` will be used by default.
#### server
#### disable_cache
Specifies DNS server tag to use instead of selecting through DNS routing.
!!! question "Since sing-box 1.12.0"
Disable cache and save cache in this query.
#### rewrite_ttl
!!! question "Since sing-box 1.12.0"
Rewrite TTL in DNS responses.
#### client_subnet
!!! question "Since sing-box 1.12.0"
Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
Will overrides `dns.client_subnet`.

69
docs/configuration/route/rule_action.zh.md
View File

@@ -2,6 +2,15 @@
icon: material/new-box
---
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [tls_fragment](#tls_fragment)
:material-plus: [tls_fragment_fallback_delay](#tls_fragment_fallback_delay)
:material-plus: [tls_record_fragment](#tls_record_fragment)
:material-plus: [resolve.disable_cache](#disable_cache)
:material-plus: [resolve.rewrite_ttl](#rewrite_ttl)
:material-plus: [resolve.client_subnet](#client_subnet)
## 最终动作
### route
@@ -146,6 +155,35 @@ UDP 连接超时时间。
| 443 | `quic` |
| 3478 | `stun` |
#### tls_fragment
!!! question "自 sing-box 1.12.0 起"
通过分段 TLS 握手数据包来绕过防火墙检测。
此功能旨在规避基于**明文数据包匹配**的简单防火墙,不应该用于规避真的审查。
由于性能不佳,请首先尝试 `tls_record_fragment`,且仅应用于已知被阻止的服务器名称。
在 Linux、Apple 平台和需要管理员权限的 Windows 系统上,可自动检测等待时间。
若无法自动检测,将回退使用 `tls_fragment_fallback_delay` 指定的固定等待时间。
此外,若实际等待时间小于 20 毫秒,同样会回退至固定等待时间模式,因为此时判定目标处于本地或透明代理之后。
#### tls_fragment_fallback_delay
!!! question "自 sing-box 1.12.0 起"
当 TLS 分片功能无法自动判定等待时间时使用的回退值。
默认使用 `500ms`
#### tls_record_fragment
!!! question "自 sing-box 1.12.0 起"
通过分段 TLS 握手数据包到多个 TLS 记录来绕过防火墙检测。
### sniff
```json
@@ -179,19 +217,44 @@ UDP 连接超时时间。
```json
{
"action": "resolve",
"server": "",
"strategy": "",
"server": ""
"disable_cache": false,
"rewrite_ttl": null,
"client_subnet": null
}
```
`resolve` 将请求的目标从域名解析为 IP 地址。
#### server
指定要使用的 DNS 服务器的标签,而不是通过 DNS 路由进行选择。
#### strategy
DNS 解析策略,可用值有:`prefer_ipv4``prefer_ipv6``ipv4_only``ipv6_only`
默认使用 `dns.strategy`
#### server
#### disable_cache
指定要使用的 DNS 服务器的标签,而不是通过 DNS 路由进行选择。
!!! question "自 sing-box 1.12.0 起"
在此查询中禁用缓存。
#### rewrite_ttl
!!! question "自 sing-box 1.12.0 起"
重写 DNS 回应中的 TTL。
#### client_subnet
!!! question "自 sing-box 1.12.0 起"
默认情况下,将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
如果值是 IP 地址而不是前缀,则会自动附加 `/32``/128`
将覆盖 `dns.client_subnet`.

5
docs/configuration/route/sniff.md
View File

@@ -1,7 +1,3 @@
---
icon: material/new-box
---
!!! quote "Changes in sing-box 1.10.0"
:material-plus: QUIC client type detect support for QUIC
@@ -26,6 +22,7 @@ If enabled in the inbound, the protocol and domain name (if present) of by the c
| UDP | `dtls` | / | / |
| TCP | `ssh` | / | SSH Client Name |
| TCP | `rdp` | / | / |
| UDP | `ntp` | / | / |
| QUIC Client | Type |
|:------------------------:|:----------:|

9
docs/configuration/route/sniff.zh.md
View File

@@ -1,7 +1,3 @@
---
icon: material/new-box
---
!!! quote "sing-box 1.10.0 中的更改"
:material-plus: QUIC 的 客户端类型探测支持
@@ -26,10 +22,11 @@ icon: material/new-box
| UDP | `dtls` | / | / |
| TCP | `ssh` | / | SSH 客户端名称 |
| TCP | `rdp` | / | / |
| UDP | `ntp` | / | / |
| QUIC 客户端 | 类型 |
|:------------------------:|:----------:|
| Chromium/Cronet | `chrimium` |
| Chromium/Cronet | `chromium` |
| Safari/Apple Network API | `safari` |
| Firefox / uquic firefox | `firefox` |
| quic-go / uquic chrome | `quic-go` |
| quic-go / uquic chrome | `quic-go` |

4
docs/configuration/rule-set/adguard.md
View File

@@ -1,7 +1,3 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.10.0"
sing-box supports some rule-set formats from other projects which cannot be fully translated to sing-box,

4
docs/configuration/rule-set/adguard.zh.md
View File

@@ -1,7 +1,3 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.10.0 起"
sing-box 支持其他项目的一些规则集格式,这些格式无法完全转换为 sing-box

4
docs/configuration/rule-set/index.md
View File

@@ -1,7 +1,3 @@
---
icon: material/new-box
---
!!! quote "Changes in sing-box 1.10.0"
:material-plus: `type: inline`

4
docs/configuration/rule-set/index.zh.md
View File

@@ -1,7 +1,3 @@
---
icon: material/new-box
---
!!! quote "sing-box 1.10.0 中的更改"
:material-plus: `type: inline`

135
docs/configuration/service/derp.md Normal file
View File

@@ -0,0 +1,135 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# DERP
DERP service is a Tailscale DERP server, similar to [derper](https://pkg.go.dev/tailscale.com/cmd/derper).
### Structure
```json
{
"type": "derp",
... // Listen Fields
"tls": {},
"config_path": "",
"verify_client_endpoint": [],
"verify_client_url": [],
"home": "",
"mesh_with": [],
"mesh_psk": "",
"mesh_psk_file": "",
"stun": {}
}
```
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
### Fields
#### tls
TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
#### config_path
==Required==
Derper configuration file path.
Example: `derper.key`
#### verify_client_endpoint
Tailscale endpoints tags to verify clients.
#### verify_client_url
URL to verify clients.
Object format:
```json
{
"url": "https://my-headscale.com/verify",
... // Dial Fields
}
```
Setting Array value to a string `__URL__` is equivalent to configuring:
```json
{ "url": __URL__ }
```
#### home
What to serve at the root path. It may be left empty (the default, for a default homepage), `blank` for a blank page, or a URL to redirect to
#### mesh_with
Mesh with other DERP servers.
Object format:
```json
{
"server": "",
"server_port": "",
"host": "",
"tls": {},
... // Dial Fields
}
```
Object fields:
- `server`: **Required** DERP server address.
- `server_port`: **Required** DERP server port.
- `host`: Custom DERP hostname.
- `tls`: [TLS](/configuration/shared/tls/#outbound)
- `Dial Fields`: [Dial Fields](/configuration/shared/dial/)
#### mesh_psk
Pre-shared key for DERP mesh.
#### mesh_psk_file
Pre-shared key file for DERP mesh.
#### stun
STUN server listen options.
Object format:
```json
{
"enabled": true,
... // Listen Fields
}
```
Object fields:
- `enabled`: **Required** Enable STUN server.
- `listen`: **Required** STUN server listen address, default to `::`.
- `listen_port`: **Required** STUN server listen port, default to `3478`.
- `other Listen Fields`: [Listen Fields](/configuration/shared/listen/)
Setting `stun` value to a number `__PORT__` is equivalent to configuring:
```json
{ "enabled": true, "listen_port": __PORT__ }
```

32
docs/configuration/service/index.md Normal file
View File

@@ -0,0 +1,32 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# Service
### Structure
```json
{
"services": [
{
"type": "",
"tag": ""
}
]
}
```
### Fields
| Type | Format |
|------------|------------------------|
| `derp` | [DERP](./derp) |
| `resolved` | [Resolved](./resolved) |
| `ssm-api` | [SSM API](./ssm-api) |
#### tag
The tag of the endpoint.

44
docs/configuration/service/resolved.md Normal file
View File

@@ -0,0 +1,44 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# Resolved
Resolved service is a fake systemd-resolved DBUS service to receive DNS settings from other programs
(e.g. NetworkManager) and provide DNS resolution.
See also: [Resolved DNS Server](/configuration/dns/server/resolved/)
### Structure
```json
{
"type": "resolved",
... // Listen Fields
}
```
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
### Fields
#### listen
==Required==
Listen address.
`127.0.0.53` will be used by default.
#### listen_port
==Required==
Listen port.
`53` will be used by default.

58
docs/configuration/service/ssm-api.md Normal file
View File

@@ -0,0 +1,58 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# SSM API
SSM API service is a RESTful API server for managing Shadowsocks servers.
See https://github.com/Shadowsocks-NET/shadowsocks-specs/blob/main/2023-1-shadowsocks-server-management-api-v1.md
### Structure
```json
{
"type": "ssm-api",
... // Listen Fields
"servers": {},
"cache_path": "",
"tls": {}
}
```
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
### Fields
#### servers
==Required==
A mapping Object from HTTP endpoints to [Shadowsocks Inbound](/configuration/inbound/shadowsocks) tags.
Selected Shadowsocks inbounds must be configured with [managed](/configuration/inbound/shadowsocks#managed) enabled.
Example:
```json
{
"servers": {
"/": "ss-in"
}
}
```
#### cache_path
If set, when the server is about to stop, traffic and user state will be saved to the specified JSON file
to be restored on the next startup.
#### tls
TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

94
docs/configuration/shared/dial.md
View File

@@ -2,6 +2,12 @@
icon: material/new-box
---
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [domain_resolver](#domain_resolver)
:material-delete-clock: [domain_strategy](#domain_strategy)
:material-plus: [netns](#netns)
!!! quote "Changes in sing-box 1.11.0"
:material-plus: [network_strategy](#network_strategy)
@@ -13,21 +19,27 @@ icon: material/new-box
```json
{
"detour": "upstream-out",
"bind_interface": "en0",
"inet4_bind_address": "0.0.0.0",
"inet6_bind_address": "::",
"routing_mark": 1234,
"detour": "",
"bind_interface": "",
"inet4_bind_address": "",
"inet6_bind_address": "",
"routing_mark": 0,
"reuse_addr": false,
"connect_timeout": "5s",
"netns": "",
"connect_timeout": "",
"tcp_fast_open": false,
"tcp_multi_path": false,
"udp_fragment": false,
"domain_strategy": "prefer_ipv6",
"network_strategy": "default",
"domain_resolver": "", // or {}
"network_strategy": "",
"network_type": [],
"fallback_network_type": [],
"fallback_delay": "300ms"
"fallback_delay": "",
// Deprecated
"domain_strategy": ""
}
```
@@ -63,10 +75,31 @@ The IPv6 address to bind to.
Set netfilter routing mark.
Integers (e.g. `1234`) and string hexadecimals (e.g. `"0x1234"`) are supported.
#### reuse_addr
Reuse listener address.
#### netns
!!! question "Since sing-box 1.12.0"
!!! quote ""
Only supported on Linux.
Set network namespace, name or path.
#### connect_timeout
Connect timeout, in golang's Duration format.
A duration string is a possibly signed sequence of
decimal numbers, each with optional fraction and a unit suffix,
such as "300ms", "-1.5h" or "2h45m".
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
#### tcp_fast_open
Enable TCP Fast Open.
@@ -83,25 +116,26 @@ Enable TCP Multi Path.
Enable UDP fragmentation.
#### connect_timeout
#### domain_resolver
Connect timeout, in golang's Duration format.
!!! warning ""
A duration string is a possibly signed sequence of
decimal numbers, each with optional fraction and a unit suffix,
such as "300ms", "-1.5h" or "2h45m".
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
`outbound` DNS rule items are deprecated and will be removed in sing-box 1.14.0, so this item will be required for outbound/endpoints using domain name in server address since sing-box 1.14.0.
#### domain_strategy
!!! info ""
Available values: `prefer_ipv4`, `prefer_ipv6`, `ipv4_only`, `ipv6_only`.
`domain_resolver` or `route.default_domain_resolver` is optional when only one DNS server is configured.
If set, the requested domain name will be resolved to IP before connect.
Set domain resolver to use for resolving domain names.
| Outbound | Effected domains | Fallback Value |
|----------|--------------------------|-------------------------------------------|
| `direct` | Domain in request | Take `inbound.domain_strategy` if not set |
| others | Domain in server address | / |
This option uses the same format as the [route DNS rule action](/configuration/dns/rule_action/#route) without the `action` field.
Setting this option directly to a string is equivalent to setting `server` of this options.
| Outbound/Endpoints | Effected domains |
|--------------------|--------------------------|
| `direct` | Domain in request |
| others | Domain in server address |
#### network_strategy
@@ -171,3 +205,19 @@ back to other interfaces.
Only take effect when `domain_strategy` or `network_strategy` is set.
`300ms` is used by default.
#### domain_strategy
!!! failure "Deprecated in sing-box 1.12.0"
`domain_strategy` is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-outbound-domain-strategy-option-to-domain-resolver).
Available values: `prefer_ipv4`, `prefer_ipv6`, `ipv4_only`, `ipv6_only`.
If set, the requested domain name will be resolved to IP before connect.
| Outbound | Effected domains | Fallback Value |
|----------|--------------------------|-------------------------------------------|
| `direct` | Domain in request | Take `inbound.domain_strategy` if not set |
| others | Domain in server address | / |

86
docs/configuration/shared/dial.zh.md
View File

@@ -2,6 +2,12 @@
icon: material/new-box
---
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [domain_resolver](#domain_resolver)
:material-delete-clock: [domain_strategy](#domain_strategy)
:material-plus: [netns](#netns)
!!! quote "sing-box 1.11.0 中的更改"
:material-plus: [network_strategy](#network_strategy)
@@ -13,21 +19,26 @@ icon: material/new-box
```json
{
"detour": "upstream-out",
"bind_interface": "en0",
"inet4_bind_address": "0.0.0.0",
"inet6_bind_address": "::",
"routing_mark": 1234,
"detour": "",
"bind_interface": "",
"inet4_bind_address": "",
"inet6_bind_address": "",
"routing_mark": 0,
"reuse_addr": false,
"connect_timeout": "5s",
"netns": "",
"connect_timeout": "",
"tcp_fast_open": false,
"tcp_multi_path": false,
"udp_fragment": false,
"domain_strategy": "prefer_ipv6",
"domain_resolver": "", // 或 {}
"network_strategy": "",
"network_type": [],
"fallback_network_type": [],
"fallback_delay": "300ms"
"fallback_delay": "",
// 废弃的
"domain_strategy": ""
}
```
@@ -63,10 +74,29 @@ icon: material/new-box
设置 netfilter 路由标记。
支持数字 (如 `1234`) 和十六进制字符串 (如 `"0x1234"`)。
#### reuse_addr
重用监听地址。
#### netns
!!! question "自 sing-box 1.12.0 起"
!!! quote ""
仅支持 Linux。
设置网络命名空间,名称或路径。
#### connect_timeout
连接超时,采用 golang 的 Duration 格式。
持续时间字符串是一个可能有符号的序列十进制数,每个都有可选的分数和单位后缀, 例如 "300ms"、"-1.5h" 或 "2h45m"。
有效时间单位为 "ns"、"us"(或 "µs")、"ms"、"s"、"m"、"h"。
#### tcp_fast_open
启用 TCP Fast Open。
@@ -83,23 +113,26 @@ icon: material/new-box
启用 UDP 分段。
#### connect_timeout
#### domain_resolver
连接超时,采用 golang 的 Duration 格式。
!!! warning ""
持续时间字符串是一个可能有符号的序列十进制数,每个都有可选的分数和单位后缀, 例如 "300ms"、"-1.5h" 或 "2h45m"
有效时间单位为 "ns"、"us"(或 "µs")、"ms"、"s"、"m"、"h"。
`outbound` DNS 规则项已弃用,且将在 sing-box 1.14.0 中被移除。因此,从 sing-box 1.14.0 版本开始,所有在服务器地址中使用域名的出站/端点均需配置此项
#### domain_strategy
!!! info ""
可选值:`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`
当只有一个 DNS 服务器已配置时,`domain_resolver``route.default_domain_resolver` 是可选的。
如果设置,域名将在请求发出之前解析为 IP
用于设置解析域名的域名解析器
| 出站 | 受影响的域名 | 默认回退值 |
|----------|-----------|---------------------------|
| `direct` | 请求中的域名 | `inbound.domain_strategy` |
| others | 服务器地址中的域名 | / |
此选项的格式与 [路由 DNS 规则动作](/configuration/dns/rule_action/#route) 相同,但不包含 `action` 字段。
若直接将此选项设置为字符串,则等同于设置该选项的 `server` 字段。
| 出站/端点 | 受影响的域名 |
|----------------|---------------------------|
| `direct` | 请求中的域名 |
| 其他类型 | 服务器地址中的域名 |
#### network_strategy
@@ -160,3 +193,18 @@ icon: material/new-box
仅当 `domain_strategy``network_strategy` 已设置时生效。
默认使用 `300ms`
#### domain_strategy
!!! failure "已在 sing-box 1.12.0 废弃"
`domain_strategy` 已废弃且将在 sing-box 1.14.0 中被移除,参阅 [迁移指南](/migration/#migrate-outbound-domain-strategy-option-to-domain-resolver)。
可选值:`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`
如果设置,域名将在请求发出之前解析为 IP。
| 出站 | 受影响的域名 | 默认回退值 |
|----------|-----------|---------------------------|
| `direct` | 请求中的域名 | `inbound.domain_strategy` |
| others | 服务器地址中的域名 | / |

71
docs/configuration/shared/listen.md
View File

@@ -1,7 +1,14 @@
---
icon: material/delete-clock
icon: material/new-box
---
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [netns](#netns)
:material-plus: [bind_interface](#bind_interface)
:material-plus: [routing_mark](#routing_mark)
:material-plus: [reuse_addr](#reuse_addr)
!!! quote "Changes in sing-box 1.11.0"
:material-delete-clock: [sniff](#sniff)
@@ -14,32 +21,30 @@ icon: material/delete-clock
```json
{
"listen": "::",
"listen_port": 5353,
"listen": "",
"listen_port": 0,
"bind_interface": "",
"routing_mark": 0,
"reuse_addr": false,
"netns": "",
"tcp_fast_open": false,
"tcp_multi_path": false,
"udp_fragment": false,
"udp_timeout": "5m",
"detour": "another-in",
"udp_timeout": "",
"detour": "",
// Deprecated
"sniff": false,
"sniff_override_destination": false,
"sniff_timeout": "300ms",
"domain_strategy": "prefer_ipv6",
"sniff_timeout": "",
"domain_strategy": "",
"udp_disable_domain_unmapping": false
}
```
### Fields
| Field | Available Context |
|--------------------------------|---------------------------------------------------------|
| `listen` | Needs to listen on TCP or UDP. |
| `listen_port` | Needs to listen on TCP or UDP. |
| `tcp_fast_open` | Needs to listen on TCP. |
| `tcp_multi_path` | Needs to listen on TCP. |
| `udp_timeout` | Needs to assemble UDP connections. |
| `udp_disable_domain_unmapping` | Needs to listen on UDP and accept domain UDP addresses. |
#### listen
==Required==
@@ -50,6 +55,40 @@ Listen address.
Listen port.
#### bind_interface
!!! question "Since sing-box 1.12.0"
The network interface to bind to.
#### routing_mark
!!! question "Since sing-box 1.12.0"
!!! quote ""
Only supported on Linux.
Set netfilter routing mark.
Integers (e.g. `1234`) and string hexadecimals (e.g. `"0x1234"`) are supported.
#### reuse_addr
!!! question "Since sing-box 1.12.0"
Reuse listener address.
#### netns
!!! question "Since sing-box 1.12.0"
!!! quote ""
Only supported on Linux.
Set network namespace, name or path.
#### tcp_fast_open
Enable TCP Fast Open.

72
docs/configuration/shared/listen.zh.md
View File

@@ -1,7 +1,14 @@
---
icon: material/delete-clock
icon: material/new-box
---
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [netns](#netns)
:material-plus: [bind_interface](#bind_interface)
:material-plus: [routing_mark](#routing_mark)
:material-plus: [reuse_addr](#reuse_addr)
!!! quote "sing-box 1.11.0 中的更改"
:material-delete-clock: [sniff](#sniff)
@@ -14,31 +21,28 @@ icon: material/delete-clock
```json
{
"listen": "::",
"listen_port": 5353,
"listen": "",
"listen_port": 0,
"bind_interface": "",
"routing_mark": 0,
"reuse_addr": false,
"netns": "",
"tcp_fast_open": false,
"tcp_multi_path": false,
"udp_fragment": false,
"udp_timeout": "5m",
"detour": "another-in",
"udp_timeout": "",
"detour": "",
// 废弃的
"sniff": false,
"sniff_override_destination": false,
"sniff_timeout": "300ms",
"domain_strategy": "prefer_ipv6",
"sniff_timeout": "",
"domain_strategy": "",
"udp_disable_domain_unmapping": false
}
```
| 字段 | 可用上下文 |
|------------------|-----------------|
| `listen` | 需要监听 TCP 或 UDP。 |
| `listen_port` | 需要监听 TCP 或 UDP。 |
| `tcp_fast_open` | 需要监听 TCP。 |
| `tcp_multi_path` | 需要监听 TCP。 |
| `udp_timeout` | 需要组装 UDP 连接。 |
|
### 字段
#### listen
@@ -51,6 +55,40 @@ icon: material/delete-clock
监听端口。
#### bind_interface
!!! question "自 sing-box 1.12.0 起"
要绑定到的网络接口。
#### routing_mark
!!! question "自 sing-box 1.12.0 起"
!!! quote ""
仅支持 Linux。
设置 netfilter 路由标记。
支持数字 (如 `1234`) 和十六进制字符串 (如 `"0x1234"`)。
#### reuse_addr
!!! question "自 sing-box 1.12.0 起"
重用监听地址。
#### netns
!!! question "自 sing-box 1.12.0 起"
!!! quote ""
仅支持 Linux。
设置网络命名空间,名称或路径。
#### tcp_fast_open
启用 TCP Fast Open。

78
docs/configuration/shared/tls.md
View File

@@ -2,6 +2,14 @@
icon: material/alert-decagram
---
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [fragment](#fragment)
:material-plus: [fragment_fallback_delay](#fragment_fallback_delay)
:material-plus: [record_fragment](#record_fragment)
:material-delete-clock: [ech.pq_signature_schemes_enabled](#pq_signature_schemes_enabled)
:material-delete-clock: [ech.dynamic_record_sizing_disabled](#dynamic_record_sizing_disabled)
!!! quote "Changes in sing-box 1.10.0"
:material-alert-decagram: [utls](#utls)
@@ -38,10 +46,13 @@ icon: material/alert-decagram
},
"ech": {
"enabled": false,
"pq_signature_schemes_enabled": false,
"dynamic_record_sizing_disabled": false,
"key": [],
"key_path": ""
"key_path": "",
// Deprecated
"pq_signature_schemes_enabled": false,
"dynamic_record_sizing_disabled": false
},
"reality": {
"enabled": false,
@@ -74,12 +85,17 @@ icon: material/alert-decagram
"cipher_suites": [],
"certificate": "",
"certificate_path": "",
"fragment": false,
"fragment_fallback_delay": "",
"record_fragment": false,
"ech": {
"enabled": false,
"pq_signature_schemes_enabled": false,
"dynamic_record_sizing_disabled": false,
"config": [],
"config_path": ""
"config_path": "",
// Deprecated
"pq_signature_schemes_enabled": false,
"dynamic_record_sizing_disabled": false
},
"utls": {
"enabled": false,
@@ -250,16 +266,22 @@ Chrome fingerprint will be used if empty.
ECH (Encrypted Client Hello) is a TLS extension that allows a client to encrypt the first part of its ClientHello
message.
The ECH key and configuration can be generated by `sing-box generate ech-keypair [--pq-signature-schemes-enabled]`.
The ECH key and configuration can be generated by `sing-box generate ech-keypair`.
#### pq_signature_schemes_enabled
!!! failure "Deprecated in sing-box 1.12.0"
ECH support has been migrated to use stdlib in sing-box 1.12.0, which does not come with support for PQ signature schemes, so `pq_signature_schemes_enabled` has been deprecated and no longer works.
Enable support for post-quantum peer certificate signature schemes.
It is recommended to match the parameters of `sing-box generate ech-keypair`.
#### dynamic_record_sizing_disabled
!!! failure "Deprecated in sing-box 1.12.0"
`dynamic_record_sizing_disabled` has nothing to do with ECH, was added by mistake, has been deprecated and no longer works.
Disables adaptive sizing of TLS records.
When true, the largest possible TLS record size is always used.
@@ -297,6 +319,44 @@ The path to ECH configuration, in PEM format.
If empty, load from DNS will be attempted.
#### fragment
!!! question "Since sing-box 1.12.0"
==Client only==
Fragment TLS handshakes to bypass firewalls.
This feature is intended to circumvent simple firewalls based on **plaintext packet matching**,
and should not be used to circumvent real censorship.
Due to poor performance, try `record_fragment` first, and only apply to server names known to be blocked.
On Linux, Apple platforms, (administrator privileges required) Windows,
the wait time can be automatically detected. Otherwise, it will fall back to
waiting for a fixed time specified by `fragment_fallback_delay`.
In addition, if the actual wait time is less than 20ms, it will also fall back to waiting for a fixed time,
because the target is considered to be local or behind a transparent proxy.
#### fragment_fallback_delay
!!! question "Since sing-box 1.12.0"
==Client only==
The fallback value used when TLS segmentation cannot automatically determine the wait time.
`500ms` is used by default.
#### record_fragment
!!! question "Since sing-box 1.12.0"
==Client only==
Fragment TLS handshake into multiple TLS records to bypass firewalls.
### ACME Fields
#### domain

93
docs/configuration/shared/tls.zh.md
View File

@@ -2,6 +2,14 @@
icon: material/alert-decagram
---
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [tls_fragment](#tls_fragment)
:material-plus: [tls_fragment_fallback_delay](#tls_fragment_fallback_delay)
:material-plus: [tls_record_fragment](#tls_record_fragment)
:material-delete-clock: [ech.pq_signature_schemes_enabled](#pq_signature_schemes_enabled)
:material-delete-clock: [ech.dynamic_record_sizing_disabled](#dynamic_record_sizing_disabled)
!!! quote "sing-box 1.10.0 中的更改"
:material-alert-decagram: [utls](#utls)
@@ -38,18 +46,21 @@ icon: material/alert-decagram
},
"ech": {
"enabled": false,
"pq_signature_schemes_enabled": false,
"dynamic_record_sizing_disabled": false,
"key": [],
"key_path": ""
"key_path": "",
// 废弃的
"pq_signature_schemes_enabled": false,
"dynamic_record_sizing_disabled": false
},
"reality": {
"enabled": false,
"handshake": {
"server": "google.com",
"server_port": 443,
...
// 拨号字段
... // 拨号字段
},
"private_key": "UuMBgl7MXTPx9inmQp2UC7Jcnwc6XYbwDNebonM-FCc",
"short_id": [
@@ -74,6 +85,9 @@ icon: material/alert-decagram
"cipher_suites": [],
"certificate": [],
"certificate_path": "",
"fragment": false,
"fragment_fallback_delay": "",
"record_fragment": false,
"ech": {
"enabled": false,
"pq_signature_schemes_enabled": false,
@@ -244,19 +258,6 @@ ECH (Encrypted Client Hello) 是一个 TLS 扩展,它允许客户端加密其
ECH 配置和密钥可以通过 `sing-box generate ech-keypair [--pq-signature-schemes-enabled]` 生成。
#### pq_signature_schemes_enabled
启用对后量子对等证书签名方案的支持。
建议匹配 `sing-box generate ech-keypair` 的参数。
#### dynamic_record_sizing_disabled
禁用 TLS 记录的自适应大小调整。
如果为 true则始终使用最大可能的 TLS 记录大小。
如果为 false则可能会调整 TLS 记录的大小以尝试改善延迟。
#### key
==仅服务器==
@@ -289,6 +290,62 @@ ECH PEM 配置路径
如果为空,将尝试从 DNS 加载。
#### pq_signature_schemes_enabled
!!! failure "已在 sing-box 1.12.0 废弃"
ECH 支持已在 sing-box 1.12.0 迁移至使用标准库,但标准库不支持后量子对等证书签名方案,因此 `pq_signature_schemes_enabled` 已被弃用且不再工作。
启用对后量子对等证书签名方案的支持。
建议匹配 `sing-box generate ech-keypair` 的参数。
#### dynamic_record_sizing_disabled
!!! failure "已在 sing-box 1.12.0 废弃"
`dynamic_record_sizing_disabled` 与 ECH 无关,是错误添加的,现已弃用且不再工作。
禁用 TLS 记录的自适应大小调整。
如果为 true则始终使用最大可能的 TLS 记录大小。
如果为 false则可能会调整 TLS 记录的大小以尝试改善延迟。
#### tls_fragment
!!! question "自 sing-box 1.12.0 起"
==仅客户端==
通过分段 TLS 握手数据包来绕过防火墙检测。
此功能旨在规避基于**明文数据包匹配**的简单防火墙,不应该用于规避真的审查。
由于性能不佳,请首先尝试 `tls_record_fragment`,且仅应用于已知被阻止的服务器名称。
在 Linux、Apple 平台和需要管理员权限的 Windows 系统上,可自动检测等待时间。
若无法自动检测,将回退使用 `tls_fragment_fallback_delay` 指定的固定等待时间。
此外,若实际等待时间小于 20 毫秒,同样会回退至固定等待时间模式,因为此时判定目标处于本地或透明代理之后。
#### tls_fragment_fallback_delay
!!! question "自 sing-box 1.12.0 起"
==仅客户端==
当 TLS 分片功能无法自动判定等待时间时使用的回退值。
默认使用 `500ms`
#### tls_record_fragment
==仅客户端==
!!! question "自 sing-box 1.12.0 起"
通过分段 TLS 握手数据包到多个 TLS 记录来绕过防火墙检测。
### ACME 字段
#### domain

26
docs/deprecated.md
View File

@@ -4,6 +4,32 @@ icon: material/delete-alert
# Deprecated Feature List
## 1.12.0
#### Legacy DNS server formats
DNS servers are refactored,
check [Migration](../migration/#migrate-to-new-dns-servers).
Compatibility for old formats will be removed in sing-box 1.14.0.
#### `outbound` DNS rule item
Legacy `outbound` DNS rules are deprecated
and can be replaced by dial fields,
check [Migration](../migration/#migrate-outbound-dns-rule-items-to-domain-resolver).
#### Legacy ECH fields
ECH support has been migrated to use stdlib in sing-box 1.12.0,
which does not come with support for PQ signature schemes,
so `pq_signature_schemes_enabled` has been deprecated and no longer works.
Also, `dynamic_record_sizing_disabled` has nothing to do with ECH,
was added by mistake, has been deprecated and no longer works.
These fields will be removed in sing-box 1.13.0.
## 1.11.0
#### Legacy special outbounds

24
docs/deprecated.zh.md
View File

@@ -4,6 +4,28 @@ icon: material/delete-alert
# 废弃功能列表
#### 旧的 DNS 服务器格式
DNS 服务器已重构,
参阅 [迁移指南](/migration/#migrate-to-new-dns-servers).
对旧格式的兼容性将在 sing-box 1.14.0 中被移除。
#### `outbound` DNS 规则项
旧的 `outbound` DNS 规则已废弃,
且可被拨号字段代替,
参阅 [迁移指南](/migration/#migrate-outbound-dns-rule-items-to-domain-resolver).
#### 旧的 ECH 字段
ECH 支持已在 sing-box 1.12.0 迁移至使用标准库,但标准库不支持后量子对等证书签名方案,
因此 `pq_signature_schemes_enabled` 已被弃用且不再工作。
另外,`dynamic_record_sizing_disabled` 与 ECH 无关,是错误添加的,现已弃用且不再工作。
相关字段将在 sing-box 1.13.0 中被移除。
## 1.11.0
#### 旧的特殊出站
@@ -20,7 +42,7 @@ icon: material/delete-alert
旧字段将在 sing-box 1.13.0 中被移除。
#### direct 出站中的目标地址覆盖字段
#### direct 出站中的目标地址覆盖字段
direct 出站中的目标地址覆盖字段(`override_address` / `override_port`)已废弃且可以通过规则动作替代,
参阅 [迁移指南](/migration/#migrate-destination-override-fields-to-route-options)。

36
docs/installation/build-from-source.md
View File

@@ -6,19 +6,18 @@ icon: material/file-code
## :material-graph: Requirements
### sing-box 1.11
* Go 1.23.1 - ~
### sing-box 1.10
* Go 1.20.0 - ~
* Go 1.20.0 - ~ with tag `with_quic`, or `with_utls` enabled
* Go 1.21.0 - ~ with tag `with_ech` enabled
### sing-box 1.9
* Go 1.18.5 - 1.22.x
* Go 1.20.0 - 1.22.x with tag `with_quic`, or `with_utls` enabled
* Go 1.21.0 - 1.22.x with tag `with_ech` enabled
You can download and install Go from: https://go.dev/doc/install, latest version is recommended.
## :material-fast-forward: Simple Build
@@ -46,19 +45,18 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
## :material-folder-settings: Build Tags
| Build Tag | Enabled by default | Description |
|------------------------------------|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `with_quic` | :material-check: | Build with QUIC support, see [QUIC and HTTP3 DNS transports](/configuration/dns/server/), [Naive inbound](/configuration/inbound/naive/), [Hysteria Inbound](/configuration/inbound/hysteria/), [Hysteria Outbound](/configuration/outbound/hysteria/) and [V2Ray Transport#QUIC](/configuration/shared/v2ray-transport#quic). |
| `with_grpc` | :material-close: | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc). |
| `with_dhcp` | :material-check: | Build with DHCP support, see [DHCP DNS transport](/configuration/dns/server/). |
| `with_wireguard` | :material-check: | Build with WireGuard support, see [WireGuard outbound](/configuration/outbound/wireguard/). |
| `with_ech` | :material-check: | Build with TLS ECH extension support for TLS outbound, see [TLS](/configuration/shared/tls#ech). |
| `with_utls` | :material-check: | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls). |
| `with_reality_server` | :material-check: | Build with reality TLS server support, see [TLS](/configuration/shared/tls/). |
| `with_acme` | :material-check: | Build with ACME TLS certificate issuer support, see [TLS](/configuration/shared/tls/). |
| `with_clash_api` | :material-check: | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields). |
| `with_v2ray_api` | :material-close: | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields). |
| `with_gvisor` | :material-check: | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface). |
| `with_embedded_tor` (CGO required) | :material-close: | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/). |
| Build Tag | Enabled by default | Description |
|------------------------------------|----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `with_quic` | :material-check: | Build with QUIC support, see [QUIC and HTTP3 DNS transports](/configuration/dns/server/), [Naive inbound](/configuration/inbound/naive/), [Hysteria Inbound](/configuration/inbound/hysteria/), [Hysteria Outbound](/configuration/outbound/hysteria/) and [V2Ray Transport#QUIC](/configuration/shared/v2ray-transport#quic). |
| `with_grpc` | :material-close: | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc). |
| `with_dhcp` | :material-check: | Build with DHCP support, see [DHCP DNS transport](/configuration/dns/server/). |
| `with_wireguard` | :material-check: | Build with WireGuard support, see [WireGuard outbound](/configuration/outbound/wireguard/). |
| `with_utls` | :material-check: | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls). |
| `with_acme` | :material-check: | Build with ACME TLS certificate issuer support, see [TLS](/configuration/shared/tls/). |
| `with_clash_api` | :material-check: | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields). |
| `with_v2ray_api` | :material-close: | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields). |
| `with_gvisor` | :material-check: | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface). |
| `with_embedded_tor` (CGO required) | :material-close: | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/). |
| `with_tailscale` | :material-check: | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale) |
It is not recommended to change the default build tag list unless you really know what you are adding.

8
docs/installation/build-from-source.zh.md
View File

@@ -6,10 +6,13 @@ icon: material/file-code
## :material-graph: 要求
### sing-box 1.11
* Go 1.23.1 - ~
### sing-box 1.10
* Go 1.20.0 - ~
* Go 1.20.0 - ~ with tag `with_quic`, or `with_utls` enabled
* Go 1.21.0 - ~ with tag `with_ech` enabled
### sing-box 1.9
@@ -52,13 +55,12 @@ go build -tags "tag_a tag_b" ./cmd/sing-box
| `with_grpc` | :material-close: | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc). |
| `with_dhcp` | :material-check: | Build with DHCP support, see [DHCP DNS transport](/configuration/dns/server/). |
| `with_wireguard` | :material-check: | Build with WireGuard support, see [WireGuard outbound](/configuration/outbound/wireguard/). |
| `with_ech` | :material-check: | Build with TLS ECH extension support for TLS outbound, see [TLS](/configuration/shared/tls#ech). |
| `with_utls` | :material-check: | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls). |
| `with_reality_server` | :material-check: | Build with reality TLS server support, see [TLS](/configuration/shared/tls/). |
| `with_acme` | :material-check: | Build with ACME TLS certificate issuer support, see [TLS](/configuration/shared/tls/). |
| `with_clash_api` | :material-check: | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields). |
| `with_v2ray_api` | :material-close: | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields). |
| `with_gvisor` | :material-check: | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface). |
| `with_embedded_tor` (CGO required) | :material-close: | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/). |
| `with_tailscale` | :material-check: | Build with Tailscale support, see [Tailscale endpoint](/configuration/endpoint/tailscale) |
除非您确实知道您正在启用什么,否则不建议更改默认构建标签列表。

10
docs/installation/package-manager.zh.md
View File

@@ -63,7 +63,7 @@ curl -fsSL https://sing-box.app/install.sh | sh -s -- --version <version>
=== ":material-linux: Linux"
| 类型 | 平台 | 链接 | 命令 |
| 类型 | 平台 | 命令 | 链接 |
|----------|---------------|------------------------------|---------------------------------------------------------------------------------------------------------------|
| AUR | Arch Linux | `? -S sing-box` | [![AUR package](https://repology.org/badge/version-for-repo/aur/sing-box.svg)][aur] |
| nixpkgs | NixOS | `nix-env -iA nixos.sing-box` | [![nixpkgs unstable package](https://repology.org/badge/version-for-repo/nix_unstable/sing-box.svg)][nixpkgs] |
@@ -73,13 +73,13 @@ curl -fsSL https://sing-box.app/install.sh | sh -s -- --version <version>
=== ":material-apple: macOS"
| 类型 | 平台 | 链接 | 命令 |
| 类型 | 平台 | 命令 | 链接 |
|----------|-------|-------------------------|------------------------------------------------------------------------------------------------|
| Homebrew | macOS | `brew install sing-box` | [![Homebrew package](https://repology.org/badge/version-for-repo/homebrew/sing-box.svg)][brew] |
=== ":material-microsoft-windows: Windows"
| 类型 | 平台 | 链接 | 命令 |
| 类型 | 平台 | 命令 | 链接 |
|------------|---------|---------------------------|-----------------------------------------------------------------------------------------------------|
| Scoop | Windows | `scoop install sing-box` | [![Scoop package](https://repology.org/badge/version-for-repo/scoop/sing-box.svg)][scoop] |
| Chocolatey | Windows | `choco install sing-box` | [![Chocolatey package](https://repology.org/badge/version-for-repo/chocolatey/sing-box.svg)][choco] |
@@ -87,13 +87,13 @@ curl -fsSL https://sing-box.app/install.sh | sh -s -- --version <version>
=== ":material-android: Android"
| 类型 | 平台 | 链接 | 命令 |
| 类型 | 平台 | 命令 | 链接 |
|--------|---------|--------------------|----------------------------------------------------------------------------------------------|
| Termux | Android | `pkg add sing-box` | [![Termux package](https://repology.org/badge/version-for-repo/termux/sing-box.svg)][termux] |
=== ":material-freebsd: FreeBSD"
| 类型 | 平台 | 链接 | 命令 |
| 类型 | 平台 | 命令 | 链接 |
|------------|---------|------------------------|--------------------------------------------------------------------------------------------|
| FreshPorts | FreeBSD | `pkg install sing-box` | [![FreeBSD port](https://repology.org/badge/version-for-repo/freebsd/sing-box.svg)][ports] |

235
docs/manual/proxy/client.md
View File

@@ -94,18 +94,13 @@ flowchart TB
"servers": [
{
"tag": "google",
"address": "tls://8.8.8.8"
"type": "tls",
"server": "8.8.8.8"
},
{
"tag": "local",
"address": "223.5.5.5",
"detour": "direct"
}
],
"rules": [
{
"outbound": "any",
"server": "local"
"type": "udp",
"server": "223.5.5.5"
}
],
"strategy": "ipv4_only"
@@ -115,7 +110,8 @@ flowchart TB
"type": "tun",
"inet4_address": "172.19.0.1/30",
"auto_route": true,
"strict_route": false
// "auto_redirect": true, // On linux
"strict_route": true
}
],
"outbounds": [
@@ -123,25 +119,23 @@ flowchart TB
{
"type": "direct",
"tag": "direct"
},
{
"type": "dns",
"tag": "dns-out"
}
],
"route": {
"rules": [
{
"protocol": "dns",
"outbound": "dns-out"
"action": "sniff"
},
{
"geoip": [
"private"
],
"protocol": "dns",
"action": "hijack-dns"
},
{
"ip_is_private": true,
"outbound": "direct"
}
],
"default_domain_resolver": "local",
"auto_detect_interface": true
}
}
@@ -155,18 +149,13 @@ flowchart TB
"servers": [
{
"tag": "google",
"address": "tls://8.8.8.8"
"type": "tls",
"server": "8.8.8.8"
},
{
"tag": "local",
"address": "223.5.5.5",
"detour": "direct"
}
],
"rules": [
{
"outbound": "any",
"server": "local"
"type": "udp",
"server": "223.5.5.5"
}
]
},
@@ -176,7 +165,8 @@ flowchart TB
"inet4_address": "172.19.0.1/30",
"inet6_address": "fdfe:dcba:9876::1/126",
"auto_route": true,
"strict_route": false
// "auto_redirect": true, // On linux
"strict_route": true
}
],
"outbounds": [
@@ -184,25 +174,23 @@ flowchart TB
{
"type": "direct",
"tag": "direct"
},
{
"type": "dns",
"tag": "dns-out"
}
],
"route": {
"rules": [
{
"protocol": "dns",
"outbound": "dns-out"
"action": "sniff"
},
{
"geoip": [
"private"
],
"protocol": "dns",
"action": "hijack-dns"
},
{
"ip_is_private": true,
"outbound": "direct"
}
],
"default_domain_resolver": "local",
"auto_detect_interface": true
}
}
@@ -216,23 +204,22 @@ flowchart TB
"servers": [
{
"tag": "google",
"address": "tls://8.8.8.8"
"type": "tls",
"server": "8.8.8.8"
},
{
"tag": "local",
"address": "223.5.5.5",
"detour": "direct"
"type": "udp",
"server": "223.5.5.5"
},
{
"tag": "remote",
"address": "fakeip"
"type": "fakeip",
"inet4_range": "198.18.0.0/15",
"inet6_range": "fc00::/18"
}
],
"rules": [
{
"outbound": "any",
"server": "local"
},
{
"query_type": [
"A",
@@ -241,11 +228,6 @@ flowchart TB
"server": "remote"
}
],
"fakeip": {
"enabled": true,
"inet4_range": "198.18.0.0/15",
"inet6_range": "fc00::/18"
},
"independent_cache": true
},
"inbounds": [
@@ -254,6 +236,7 @@ flowchart TB
"inet4_address": "172.19.0.1/30",
"inet6_address": "fdfe:dcba:9876::1/126",
"auto_route": true,
// "auto_redirect": true, // On linux
"strict_route": true
}
],
@@ -262,25 +245,23 @@ flowchart TB
{
"type": "direct",
"tag": "direct"
},
{
"type": "dns",
"tag": "dns-out"
}
],
"route": {
"rules": [
{
"protocol": "dns",
"outbound": "dns-out"
"action": "sniff"
},
{
"geoip": [
"private"
],
"protocol": "dns",
"action": "hijack-dns"
},
{
"ip_is_private": true,
"outbound": "direct"
}
],
"default_domain_resolver": "local",
"auto_detect_interface": true
}
}
@@ -290,54 +271,6 @@ flowchart TB
=== ":material-dns: DNS rules"
```json
{
"dns": {
"servers": [
{
"tag": "google",
"address": "tls://8.8.8.8"
},
{
"tag": "local",
"address": "223.5.5.5",
"detour": "direct"
}
],
"rules": [
{
"outbound": "any",
"server": "local"
},
{
"clash_mode": "Direct",
"server": "local"
},
{
"clash_mode": "Global",
"server": "google"
},
{
"rule_set": "geosite-geolocation-cn",
"server": "local"
}
]
},
"route": {
"rule_set": [
{
"type": "remote",
"tag": "geosite-geolocation-cn",
"format": "binary",
"url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-cn.srs"
}
]
}
}
```
=== ":material-dns: DNS rules (Enhanced, but slower) (1.9.0+)"
=== ":material-shield-off: With DNS leaks"
```json
@@ -346,35 +279,20 @@ flowchart TB
"servers": [
{
"tag": "google",
"address": "tls://8.8.8.8"
"type": "tls",
"server": "8.8.8.8"
},
{
"tag": "local",
"address": "https://223.5.5.5/dns-query",
"detour": "direct"
"type": "https",
"server": "223.5.5.5"
}
],
"rules": [
{
"outbound": "any",
"server": "local"
},
{
"clash_mode": "Direct",
"server": "local"
},
{
"clash_mode": "Global",
"server": "google"
},
{
"rule_set": "geosite-geolocation-cn",
"server": "local"
},
{
"clash_mode": "Default",
"server": "google"
},
{
"type": "logical",
"mode": "and",
@@ -392,6 +310,7 @@ flowchart TB
]
},
"route": {
"default_domain_resolver": "local",
"rule_set": [
{
"type": "remote",
@@ -425,35 +344,24 @@ flowchart TB
}
```
=== ":material-security: Without DNS leaks, but slower (1.9.0-alpha.2+)"
=== ":material-security: Without DNS leaks, but slower"
```json
{
"dns": {
"servers": [
{
"tag": "google",
"address": "tls://8.8.8.8"
"type": "tls",
"server": "8.8.8.8"
},
{
"tag": "local",
"address": "https://223.5.5.5/dns-query",
"detour": "direct"
"type": "https",
"server": "223.5.5.5"
}
],
"rules": [
{
"outbound": "any",
"server": "local"
},
{
"clash_mode": "Direct",
"server": "local"
},
{
"clash_mode": "Global",
"server": "google"
},
{
"rule_set": "geosite-geolocation-cn",
"server": "local"
@@ -476,6 +384,7 @@ flowchart TB
]
},
"route": {
"default_domain_resolver": "local",
"rule_set": [
{
"type": "remote",
@@ -517,14 +426,13 @@ flowchart TB
{
"type": "direct",
"tag": "direct"
},
{
"type": "block",
"tag": "block"
}
],
"route": {
"rules": [
{
"action": "sniff"
},
{
"type": "logical",
"mode": "or",
@@ -536,20 +444,12 @@ flowchart TB
"port": 53
}
],
"outbound": "dns"
"action": "hijack-dns"
},
{
"ip_is_private": true,
"outbound": "direct"
},
{
"clash_mode": "Direct",
"outbound": "direct"
},
{
"clash_mode": "Global",
"outbound": "default"
},
{
"type": "logical",
"mode": "or",
@@ -565,12 +465,23 @@ flowchart TB
"protocol": "stun"
}
],
"outbound": "block"
"action": "reject"
},
{
"rule_set": [
"geoip-cn",
"geosite-geolocation-cn"
"rule_set": "geosite-geolocation-cn",
"outbound": "direct"
},
{
"type": "logical",
"mode": "and",
"rules": [
{
"rule_set": "geoip-cn"
},
{
"rule_set": "geosite-geolocation-!cn",
"invert": true
}
],
"outbound": "direct"
}
@@ -591,4 +502,4 @@ flowchart TB
]
}
}
```
```

637
docs/migration.md
View File

@@ -2,6 +2,643 @@
icon: material/arrange-bring-forward
---
## 1.12.0
### Migrate to new DNS server formats
DNS servers are refactored for better performance and scalability.
!!! info "References"
[DNS Server](/configuration/dns/server/) /
[Legacy DNS Server](/configuration/dns/server/legacy/)
=== "Local"
=== ":material-card-remove: Deprecated"
```json
{
"dns": {
"servers": [
{
"address": "local"
}
]
}
}
```
=== ":material-card-multiple: New"
```json
{
"dns": {
"servers": [
{
"type": "local"
}
]
}
}
```
=== "TCP"
=== ":material-card-remove: Deprecated"
```json
{
"dns": {
"servers": [
{
"address": "tcp://1.1.1.1"
}
]
}
}
```
=== ":material-card-multiple: New"
```json
{
"dns": {
"servers": [
{
"type": "tcp",
"server": "1.1.1.1"
}
]
}
}
```
=== "UDP"
=== ":material-card-remove: Deprecated"
```json
{
"dns": {
"servers": [
{
"address": "1.1.1.1"
}
]
}
}
```
=== ":material-card-multiple: New"
```json
{
"dns": {
"servers": [
{
"type": "udp",
"server": "1.1.1.1"
}
]
}
}
```
=== "TLS"
=== ":material-card-remove: Deprecated"
```json
{
"dns": {
"servers": [
{
"address": "tls://1.1.1.1"
}
]
}
}
```
=== ":material-card-multiple: New"
```json
{
"dns": {
"servers": [
{
"type": "tls",
"server": "1.1.1.1"
}
]
}
}
```
=== "HTTPS"
=== ":material-card-remove: Deprecated"
```json
{
"dns": {
"servers": [
{
"address": "https://1.1.1.1/dns-query"
}
]
}
}
```
=== ":material-card-multiple: New"
```json
{
"dns": {
"servers": [
{
"type": "https",
"server": "1.1.1.1"
}
]
}
}
```
=== "QUIC"
=== ":material-card-remove: Deprecated"
```json
{
"dns": {
"servers": [
{
"address": "quic://1.1.1.1"
}
]
}
}
```
=== ":material-card-multiple: New"
```json
{
"dns": {
"servers": [
{
"type": "quic",
"server": "1.1.1.1"
}
]
}
}
```
=== "HTTP3"
=== ":material-card-remove: Deprecated"
```json
{
"dns": {
"servers": [
{
"address": "h3://1.1.1.1/dns-query"
}
]
}
}
```
=== ":material-card-multiple: New"
```json
{
"dns": {
"servers": [
{
"type": "h3",
"server": "1.1.1.1"
}
]
}
}
```
=== "DHCP"
=== ":material-card-remove: Deprecated"
```json
{
"dns": {
"servers": [
{
"address": "dhcp://auto"
},
{
"address": "dhcp://en0"
}
]
}
}
```
=== ":material-card-multiple: New"
```json
{
"dns": {
"servers": [
{
"type": "dhcp",
},
{
"type": "dhcp",
"interface": "en0"
}
]
}
}
```
=== "FakeIP"
=== ":material-card-remove: Deprecated"
```json
{
"dns": {
"servers": [
{
"address": "1.1.1.1"
},
{
"address": "fakeip",
"tag": "fakeip"
}
],
"rules": [
{
"query_type": [
"A",
"AAAA"
],
"server": "fakeip"
}
],
"fakeip": {
"enabled": true,
"inet4_range": "198.18.0.0/15",
"inet6_range": "fc00::/18"
}
}
}
```
=== ":material-card-multiple: New"
```json
{
"dns": {
"servers": [
{
"type": "udp",
"server": "1.1.1.1"
},
{
"type": "fakeip",
"tag": "fakeip",
"inet4_range": "198.18.0.0/15",
"inet6_range": "fc00::/18"
}
],
"rules": [
{
"query_type": [
"A",
"AAAA"
],
"server": "fakeip"
}
]
}
}
```
=== "RCode"
=== ":material-card-remove: Deprecated"
```json
{
"dns": {
"servers": [
{
"address": "rcode://refused"
}
]
}
}
```
=== ":material-card-multiple: New"
```json
{
"dns": {
"servers": [
{
"type": "predefined",
"responses": [
{
"rcode": "REFUSED"
}
]
}
]
}
}
```
=== "Servers with domain address"
=== ":material-card-remove: Deprecated"
```json
{
"dns": {
"servers": [
{
"address": "https://dns.google/dns-query",
"address_resolver": "google"
},
{
"tag": "google",
"address": "1.1.1.1"
}
]
}
}
```
=== ":material-card-multiple: New"
```json
{
"dns": {
"servers": [
{
"type": "https",
"server": "dns.google",
"domain_resolver": "google"
},
{
"type": "udp",
"tag": "google",
"server": "1.1.1.1"
}
]
}
}
```
=== "Servers with strategy"
=== ":material-card-remove: Deprecated"
```json
{
"dns": {
"servers": [
{
"address": "1.1.1.1",
"strategy": "ipv4_only"
},
{
"tag": "google",
"address": "8.8.8.8",
"strategy": "prefer_ipv6"
}
],
"rules": [
{
"domain": "google.com",
"server": "google"
}
]
}
}
```
=== ":material-card-multiple: New"
```json
{
"dns": {
"servers": [
{
"type": "udp",
"server": "1.1.1.1"
},
{
"type": "udp",
"tag": "google",
"server": "8.8.8.8"
}
],
"rules": [
{
"domain": "google.com",
"server": "google",
"strategy": "prefer_ipv6"
}
],
"strategy": "ipv4_only"
}
}
```
=== "Servers with client subnet"
=== ":material-card-remove: Deprecated"
```json
{
"dns": {
"servers": [
{
"address": "1.1.1.1"
},
{
"tag": "google",
"address": "8.8.8.8",
"client_subnet": "1.1.1.1"
}
]
}
}
```
=== ":material-card-multiple: New"
```json
{
"dns": {
"servers": [
{
"type": "udp",
"server": "1.1.1.1"
},
{
"type": "udp",
"tag": "google",
"server": "8.8.8.8"
}
],
"rules": [
{
"domain": "google.com",
"server": "google",
"client_subnet": "1.1.1.1"
}
]
}
}
```
### Migrate outbound DNS rule items to domain resolver
The legacy outbound DNS rules are deprecated and can be replaced by new domain resolver options.
!!! info "References"
[DNS rule](/configuration/dns/rule/#outbound) /
[Dial Fields](/configuration/shared/dial/#domain_resolver) /
[Route](/configuration/route/#domain_resolver)
=== ":material-card-remove: Deprecated"
```json
{
"dns": {
"servers": [
{
"address": "local",
"tag": "local"
}
],
"rules": [
{
"outbound": "any",
"server": "local"
}
]
},
"outbounds": [
{
"type": "socks",
"server": "example.org",
"server_port": 2080
}
]
}
```
=== ":material-card-multiple: New"
```json
{
"dns": {
"servers": [
{
"type": "local",
"tag": "local"
}
]
},
"outbounds": [
{
"type": "socks",
"server": "example.org",
"server_port": 2080,
"domain_resolver": {
"server": "local",
"rewrite_ttl": 60,
"client_subnet": "1.1.1.1"
},
// or "domain_resolver": "local",
}
],
// or
"route": {
"default_domain_resolver": {
"server": "local",
"rewrite_ttl": 60,
"client_subnet": "1.1.1.1"
}
}
}
```
### Migrate outbound domain strategy option to domain resolver
!!! info "References"
[Dial Fields](/configuration/shared/dial/#domain_strategy)
The `domain_strategy` option in Dial Fields has been deprecated and can be replaced with the new domain resolver option.
Note that due to the use of Dial Fields by some of the new DNS servers introduced in sing-box 1.12,
some people mistakenly believe that `domain_strategy` is the same feature as in the legacy DNS servers.
=== ":material-card-remove: Deprecated"
```json
{
"outbounds": [
{
"type": "socks",
"server": "example.org",
"server_port": 2080,
"domain_strategy": "prefer_ipv4",
}
]
}
```
=== ":material-card-multiple: New"
```json
{
"dns": {
"servers": [
{
"type": "local",
"tag": "local"
}
]
},
"outbounds": [
{
"type": "socks",
"server": "example.org",
"server_port": 2080,
"domain_resolver": {
"server": "local",
"strategy": "prefer_ipv4"
}
}
]
}
```
## 1.11.0
### Migrate legacy special outbounds to rule actions

656
docs/migration.zh.md
View File

@@ -2,6 +2,642 @@
icon: material/arrange-bring-forward
---
## 1.12.0
### 迁移到新的 DNS 服务器格式
DNS 服务器已经重构。
!!! info "饮用"
[DNS 服务器](/configuration/dns/server/) /
[旧 DNS 服务器](/configuration/dns/server/legacy/)
=== "Local"
=== ":material-card-remove: 弃用的"
```json
{
"dns": {
"servers": [
{
"address": "local"
}
]
}
}
```
=== ":material-card-multiple: 新的"
```json
{
"dns": {
"servers": [
{
"type": "local"
}
]
}
}
```
=== "TCP"
=== ":material-card-remove: 弃用的"
```json
{
"dns": {
"servers": [
{
"address": "tcp://1.1.1.1"
}
]
}
}
```
=== ":material-card-multiple: 新的"
```json
{
"dns": {
"servers": [
{
"type": "tcp",
"server": "1.1.1.1"
}
]
}
}
```
=== "UDP"
=== ":material-card-remove: 弃用的"
```json
{
"dns": {
"servers": [
{
"address": "1.1.1.1"
}
]
}
}
```
=== ":material-card-multiple: 新的"
```json
{
"dns": {
"servers": [
{
"type": "udp",
"server": "1.1.1.1"
}
]
}
}
```
=== "TLS"
=== ":material-card-remove: 弃用的"
```json
{
"dns": {
"servers": [
{
"address": "tls://1.1.1.1"
}
]
}
}
```
=== ":material-card-multiple: 新的"
```json
{
"dns": {
"servers": [
{
"type": "tls",
"server": "1.1.1.1"
}
]
}
}
```
=== "HTTPS"
=== ":material-card-remove: 弃用的"
```json
{
"dns": {
"servers": [
{
"address": "https://1.1.1.1/dns-query"
}
]
}
}
```
=== ":material-card-multiple: 新的"
```json
{
"dns": {
"servers": [
{
"type": "https",
"server": "1.1.1.1"
}
]
}
}
```
=== "QUIC"
=== ":material-card-remove: 弃用的"
```json
{
"dns": {
"servers": [
{
"address": "quic://1.1.1.1"
}
]
}
}
```
=== ":material-card-multiple: 新的"
```json
{
"dns": {
"servers": [
{
"type": "quic",
"server": "1.1.1.1"
}
]
}
}
```
=== "HTTP3"
=== ":material-card-remove: 弃用的"
```json
{
"dns": {
"servers": [
{
"address": "h3://1.1.1.1/dns-query"
}
]
}
}
```
=== ":material-card-multiple: 新的"
```json
{
"dns": {
"servers": [
{
"type": "h3",
"server": "1.1.1.1"
}
]
}
}
```
=== "DHCP"
=== ":material-card-remove: 弃用的"
```json
{
"dns": {
"servers": [
{
"address": "dhcp://auto"
},
{
"address": "dhcp://en0"
}
]
}
}
```
=== ":material-card-multiple: 新的"
```json
{
"dns": {
"servers": [
{
"type": "dhcp",
},
{
"type": "dhcp",
"interface": "en0"
}
]
}
}
```
=== "FakeIP"
=== ":material-card-remove: 弃用的"
```json
{
"dns": {
"servers": [
{
"address": "1.1.1.1"
},
{
"address": "fakeip",
"tag": "fakeip"
}
],
"rules": [
{
"query_type": [
"A",
"AAAA"
],
"server": "fakeip"
}
],
"fakeip": {
"enabled": true,
"inet4_range": "198.18.0.0/15",
"inet6_range": "fc00::/18"
}
}
}
```
=== ":material-card-multiple: 新的"
```json
{
"dns": {
"servers": [
{
"type": "udp",
"server": "1.1.1.1"
},
{
"type": "fakeip",
"tag": "fakeip",
"inet4_range": "198.18.0.0/15",
"inet6_range": "fc00::/18"
}
],
"rules": [
{
"query_type": [
"A",
"AAAA"
],
"server": "fakeip"
}
]
}
}
```
=== "RCode"
=== ":material-card-remove: 弃用的"
```json
{
"dns": {
"servers": [
{
"address": "rcode://refused"
}
]
}
}
```
=== ":material-card-multiple: 新的"
```json
{
"dns": {
"servers": [
{
"type": "predefined",
"responses": [
{
"rcode": "REFUSED"
}
]
}
]
}
}
```
=== "带有域名地址的服务器"
=== ":material-card-remove: 弃用的"
```json
{
"dns": {
"servers": [
{
"address": "https://dns.google/dns-query",
"address_resolver": "google"
},
{
"tag": "google",
"address": "1.1.1.1"
}
]
}
}
```
=== ":material-card-multiple: 新的"
```json
{
"dns": {
"servers": [
{
"type": "https",
"server": "dns.google",
"domain_resolver": "google"
},
{
"type": "udp",
"tag": "google",
"server": "1.1.1.1"
}
]
}
}
```
=== "带有域策略的服务器"
=== ":material-card-remove: 弃用的"
```json
{
"dns": {
"servers": [
{
"address": "1.1.1.1",
"strategy": "ipv4_only"
},
{
"tag": "google",
"address": "8.8.8.8",
"strategy": "prefer_ipv6"
}
],
"rules": [
{
"domain": "google.com",
"server": "google"
}
]
}
}
```
=== ":material-card-multiple: 新的"
```json
{
"dns": {
"servers": [
{
"type": "udp",
"server": "1.1.1.1"
},
{
"type": "udp",
"tag": "google",
"server": "8.8.8.8"
}
],
"rules": [
{
"domain": "google.com",
"server": "google",
"strategy": "prefer_ipv6"
}
],
"strategy": "ipv4_only"
}
}
```
=== "带有客户端子网的服务器"
=== ":material-card-remove: 弃用的"
```json
{
"dns": {
"servers": [
{
"address": "1.1.1.1"
},
{
"tag": "google",
"address": "8.8.8.8",
"client_subnet": "1.1.1.1"
}
]
}
}
```
=== ":material-card-multiple: 新的"
```json
{
"dns": {
"servers": [
{
"type": "udp",
"server": "1.1.1.1"
},
{
"type": "udp",
"tag": "google",
"server": "8.8.8.8"
}
],
"rules": [
{
"domain": "google.com",
"server": "google",
"client_subnet": "1.1.1.1"
}
]
}
}
```
### 迁移 outbound DNS 规则项到域解析选项
旧的 `outbound` DNS 规则已废弃,且可新的域解析选项代替。
!!! info "参考"
[DNS 规则](/configuration/dns/rule/#outbound) /
[拨号字段](/configuration/shared/dial/#domain_resolver) /
[路由](/configuration/route/#default_domain_resolver)
=== ":material-card-remove: 废弃的"
```json
{
"dns": {
"servers": [
{
"address": "local",
"tag": "local"
}
],
"rules": [
{
"outbound": "any",
"server": "local"
}
]
},
"outbounds": [
{
"type": "socks",
"server": "example.org",
"server_port": 2080
}
]
}
```
=== ":material-card-multiple: 新的"
```json
{
"dns": {
"servers": [
{
"type": "local",
"tag": "local"
}
]
},
"outbounds": [
{
"type": "socks",
"server": "example.org",
"server_port": 2080,
"domain_resolver": {
"server": "local",
"rewrite_ttl": 60,
"client_subnet": "1.1.1.1"
},
// 或 "domain_resolver": "local",
}
],
// 或
"route": {
"default_domain_resolver": {
"server": "local",
"rewrite_ttl": 60,
"client_subnet": "1.1.1.1"
}
}
}
```
### 迁移出站域名策略选项到域名解析器
拨号字段中的 `domain_strategy` 选项已被弃用,可以用新的域名解析器选项替代。
请注意,由于 sing-box 1.12 中引入的一些新 DNS 服务器使用了拨号字段,一些人错误地认为 `domain_strategy` 与旧 DNS 服务器中的功能相同。
!!! info "参考"
[拨号字段](/configuration/shared/dial/#domain_strategy)
=== ":material-card-remove: 弃用的"
```json
{
"outbounds": [
{
"type": "socks",
"server": "example.org",
"server_port": 2080,
"domain_strategy": "prefer_ipv4",
}
]
}
```
=== ":material-card-multiple: 新的"
```json
{
"dns": {
"servers": [
{
"type": "local",
"tag": "local"
}
]
},
"outbounds": [
{
"type": "socks",
"server": "example.org",
"server_port": 2080,
"domain_resolver": {
"server": "local",
"strategy": "prefer_ipv4"
}
}
]
}
```
## 1.11.0
### 迁移旧的特殊出站到规则动作
@@ -17,7 +653,7 @@ icon: material/arrange-bring-forward
=== "Block"
=== ":material-card-remove: 弃用的"
```json
{
"outbounds": [
@@ -30,7 +666,7 @@ icon: material/arrange-bring-forward
"rules": [
{
...,
"outbound": "block"
}
]
@@ -39,14 +675,14 @@ icon: material/arrange-bring-forward
```
=== ":material-card-multiple: 新的"
```json
{
"route": {
"rules": [
{
...,
"action": "reject"
}
]
@@ -57,13 +693,13 @@ icon: material/arrange-bring-forward
=== "DNS"
=== ":material-card-remove: 弃用的"
```json
{
"inbound": [
{
...,
"sniff": true
}
],
@@ -83,9 +719,9 @@ icon: material/arrange-bring-forward
}
}
```
=== ":material-card-multiple: 新的"
```json
{
"route": {
@@ -129,7 +765,7 @@ icon: material/arrange-bring-forward
}
```
=== ":material-card-multiple: New"
=== ":material-card-multiple: 新的"
```json
{
@@ -549,4 +1185,4 @@ sing-box 1.9.0 使 QueryFullProcessImageNameW 输出 Win32 路径(如 `C:\fold
}
}
}
```
```