mirror of
https://github.com/SagerNet/sing-box.git
synced 2024-11-22 00:21:30 +00:00
Update documentation
This commit is contained in:
parent
f008d0bde3
commit
aa074a2063
|
@ -99,16 +99,7 @@ func NewTLS(dialer N.Dialer, serverAddress string, options option.OutboundTLSOpt
|
|||
certificate = content
|
||||
}
|
||||
if len(certificate) > 0 {
|
||||
var certPool *x509.CertPool
|
||||
if options.DisableSystemRoot {
|
||||
certPool = x509.NewCertPool()
|
||||
} else {
|
||||
var err error
|
||||
certPool, err = x509.SystemCertPool()
|
||||
if err != nil {
|
||||
return nil, E.Cause(err, "load system cert pool")
|
||||
}
|
||||
}
|
||||
certPool := x509.NewCertPool()
|
||||
if !certPool.AppendCertsFromPEM([]byte(options.Certificate)) {
|
||||
return nil, E.New("failed to parse certificate:\n\n", options.Certificate)
|
||||
}
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
"mixed-in"
|
||||
],
|
||||
"network": "tcp",
|
||||
"user": [
|
||||
"auth_user": [
|
||||
"usera",
|
||||
"userb"
|
||||
],
|
||||
|
@ -42,20 +42,45 @@
|
|||
"source_port": [
|
||||
12345
|
||||
],
|
||||
"source_port_range": [
|
||||
"1000:2000",
|
||||
":3000",
|
||||
"4000:"
|
||||
],
|
||||
"port": [
|
||||
80,
|
||||
443
|
||||
],
|
||||
"port_range": [
|
||||
"1000:2000",
|
||||
":3000",
|
||||
"4000:"
|
||||
],
|
||||
"process_name": [
|
||||
"curl"
|
||||
],
|
||||
"package_name": [
|
||||
"com.termux"
|
||||
],
|
||||
"user": [
|
||||
"sekai"
|
||||
],
|
||||
"user_id": [
|
||||
1000
|
||||
],
|
||||
"invert": false,
|
||||
"outbound": [
|
||||
"direct"
|
||||
],
|
||||
"server": "local"
|
||||
"server": "local",
|
||||
"disable_cache": false
|
||||
},
|
||||
{
|
||||
"type": "logical",
|
||||
"mode": "and",
|
||||
"rules": [],
|
||||
"server": "local"
|
||||
"server": "local",
|
||||
"disable_cache": false
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -124,18 +149,64 @@ Match source ip cidr.
|
|||
|
||||
Match source port.
|
||||
|
||||
#### source_port_range
|
||||
|
||||
Match source port range.
|
||||
|
||||
#### port
|
||||
|
||||
Match port.
|
||||
|
||||
#### port_range
|
||||
|
||||
Match port range.
|
||||
|
||||
#### process_name
|
||||
|
||||
!!! error ""
|
||||
|
||||
Only supported on Linux, Windows, and macOS.
|
||||
|
||||
Match process name.
|
||||
|
||||
#### package_name
|
||||
|
||||
Match android package name.
|
||||
|
||||
#### user
|
||||
|
||||
!!! error ""
|
||||
|
||||
Only supported on Linux with CGO enabled.
|
||||
|
||||
Match user name.
|
||||
|
||||
#### user_id
|
||||
|
||||
!!! error ""
|
||||
|
||||
Only supported on Linux.
|
||||
|
||||
Match user id.
|
||||
|
||||
#### invert
|
||||
|
||||
Invert match result.
|
||||
|
||||
#### outbound
|
||||
|
||||
Match outbound.
|
||||
|
||||
#### server
|
||||
|
||||
==Required==
|
||||
|
||||
Tag of the target dns server.
|
||||
|
||||
#### disable_cache
|
||||
|
||||
Disable cache and save cache in this query.
|
||||
|
||||
### Logical Fields
|
||||
|
||||
#### type
|
||||
|
@ -150,8 +221,16 @@ Tag of the target dns server.
|
|||
|
||||
Included default rules.
|
||||
|
||||
#### invert
|
||||
|
||||
Invert match result.
|
||||
|
||||
#### server
|
||||
|
||||
==Required==
|
||||
|
||||
Tag of the target dns server.
|
||||
|
||||
#### disable_cache
|
||||
|
||||
Disable cache and save cache in this query.
|
|
@ -36,11 +36,30 @@ The address of the dns server.
|
|||
| `UDP` | `8.8.8.8` `udp://8.8.4.4` |
|
||||
| `TLS` | `tls://dns.google` |
|
||||
| `HTTPS` | `https://1.1.1.1/dns-query` |
|
||||
| `QUIC` | `quic://dns.adguard.com` |
|
||||
| `HTTP3` | `h3://8.8.8.8/dns-query` |
|
||||
| `RCode` | `rcode://refused` |
|
||||
|
||||
!!! warning ""
|
||||
|
||||
To ensure that system DNS is in effect, rather than go's built-in default resolver, enable CGO at compile time.
|
||||
|
||||
!!! warning ""
|
||||
|
||||
QUIC and HTTP3 transport is not included by default, see [Installation](/#Installation).
|
||||
|
||||
!!! info ""
|
||||
|
||||
the RCode transport is often used to block queries. Use with rules and the `disable_cache` rule option.
|
||||
|
||||
| RCode | Description |
|
||||
|-------------------|-----------------------|
|
||||
| `success` | `No error` |
|
||||
| `format_error` | `Format error` |
|
||||
| `server_failure` | `Server failure` |
|
||||
| `name_error` | `Non-existent domain` |
|
||||
| `not_implemented` | `Not implemented` |
|
||||
|
||||
#### address_resolver
|
||||
|
||||
==Required if address contains domain==
|
||||
|
|
|
@ -15,14 +15,14 @@
|
|||
"sniff": false,
|
||||
"sniff_override_destination": false,
|
||||
"domain_strategy": "prefer_ipv6",
|
||||
|
||||
|
||||
"tls": {},
|
||||
"users": [
|
||||
{
|
||||
"username": "admin",
|
||||
"password": "admin"
|
||||
}
|
||||
],
|
||||
|
||||
"set_system_proxy": false
|
||||
}
|
||||
]
|
||||
|
@ -77,6 +77,10 @@ Automatically set system proxy configuration when start and clean up when stop.
|
|||
|
||||
### HTTP Fields
|
||||
|
||||
#### tls
|
||||
|
||||
TLS configuration, see [TLS inbound structure](/configuration/shared/tls/#inbound-structure).
|
||||
|
||||
#### users
|
||||
|
||||
HTTP users.
|
||||
|
|
|
@ -10,12 +10,12 @@
|
|||
{
|
||||
"type": "tun",
|
||||
"tag": "tun-in",
|
||||
|
||||
"inet4_address": "172.19.0.1/30",
|
||||
"inet6_address": "fdfe:dcba:9876::1/128",
|
||||
"mtu": 1500,
|
||||
"auto_route": true,
|
||||
|
||||
"endpoint_independent_nat": false,
|
||||
"udp_timeout": 300,
|
||||
"sniff": true,
|
||||
"sniff_override_destination": false,
|
||||
"domain_strategy": "prefer_ipv4"
|
||||
|
@ -48,6 +48,16 @@ Set the default route to the Tun.
|
|||
|
||||
To avoid traffic loopback, set `route.auto_detect_interface` or `route.default_interface` or `outbound.bind_interface`
|
||||
|
||||
#### endpoint_independent_nat
|
||||
|
||||
Enabled endpoint-independent NAT.
|
||||
|
||||
Performance may degrade slightly, so it is not recommended to enable on when it is not needed.
|
||||
|
||||
#### udp_timeout
|
||||
|
||||
UDP NAT expiration time in seconds, default is 300 (5 minutes).
|
||||
|
||||
### Listen Fields
|
||||
|
||||
#### sniff
|
||||
|
|
|
@ -49,9 +49,11 @@ The network interface to bind to.
|
|||
|
||||
#### routing_mark
|
||||
|
||||
The iptables routing mark.
|
||||
!!! error ""
|
||||
|
||||
Only available in linux.
|
||||
Linux only
|
||||
|
||||
The iptables routing mark.
|
||||
|
||||
#### reuse_addr
|
||||
|
||||
|
|
|
@ -13,6 +13,7 @@
|
|||
"server_port": 1080,
|
||||
"username": "sekai",
|
||||
"password": "admin",
|
||||
"tls": {},
|
||||
|
||||
"detour": "upstream-out",
|
||||
"bind_interface": "en0",
|
||||
|
@ -49,6 +50,10 @@ Basic authorization username.
|
|||
|
||||
Basic authorization password.
|
||||
|
||||
#### tls
|
||||
|
||||
TLS configuration, see [TLS outbound structure](/configuration/shared/tls/#outbound-structure).
|
||||
|
||||
### Dial Fields
|
||||
|
||||
#### detour
|
||||
|
@ -63,9 +68,11 @@ The network interface to bind to.
|
|||
|
||||
#### routing_mark
|
||||
|
||||
The iptables routing mark.
|
||||
!!! error ""
|
||||
|
||||
Only available in linux.
|
||||
Linux only
|
||||
|
||||
The iptables routing mark.
|
||||
|
||||
#### reuse_addr
|
||||
|
||||
|
|
|
@ -98,9 +98,11 @@ The network interface to bind to.
|
|||
|
||||
#### routing_mark
|
||||
|
||||
The iptables routing mark.
|
||||
!!! error ""
|
||||
|
||||
Only available in linux.
|
||||
Linux only
|
||||
|
||||
The iptables routing mark.
|
||||
|
||||
#### reuse_addr
|
||||
|
||||
|
|
|
@ -8,14 +8,12 @@
|
|||
{
|
||||
"type": "socks",
|
||||
"tag": "socks-out",
|
||||
|
||||
"server": "127.0.0.1",
|
||||
"server_port": 1080,
|
||||
"version": "5",
|
||||
"username": "sekai",
|
||||
"password": "admin",
|
||||
"network": "udp",
|
||||
|
||||
"detour": "upstream-out",
|
||||
"bind_interface": "en0",
|
||||
"routing_mark": 1234,
|
||||
|
@ -79,9 +77,11 @@ The network interface to bind to.
|
|||
|
||||
#### routing_mark
|
||||
|
||||
The iptables routing mark.
|
||||
!!! error ""
|
||||
|
||||
Only available in linux.
|
||||
Linux only
|
||||
|
||||
The iptables routing mark.
|
||||
|
||||
#### reuse_addr
|
||||
|
||||
|
|
|
@ -8,7 +8,8 @@
|
|||
"rules": [],
|
||||
"final": "",
|
||||
"auto_detect_interface": false,
|
||||
"default_interface": "en0"
|
||||
"default_interface": "en0",
|
||||
"default_mark": 233
|
||||
}
|
||||
}
|
||||
```
|
||||
|
@ -44,3 +45,13 @@ Takes no effect if `outbound.bind_interface` is set.
|
|||
Bind outbound connections to the specified NIC by default to prevent routing loops under Tun.
|
||||
|
||||
Takes no effect if `auto_detect_interface` is set.
|
||||
|
||||
#### default_mark
|
||||
|
||||
!!! error ""
|
||||
|
||||
Linux only
|
||||
|
||||
Set iptables routing mark by default.
|
||||
|
||||
Takes no effect if `outbound.routing_mark` is set.
|
|
@ -9,7 +9,7 @@
|
|||
"mixed-in"
|
||||
],
|
||||
"network": "tcp",
|
||||
"user": [
|
||||
"auth_user": [
|
||||
"usera",
|
||||
"userb"
|
||||
],
|
||||
|
@ -48,16 +48,40 @@
|
|||
"source_port": [
|
||||
12345
|
||||
],
|
||||
"source_port_range": [
|
||||
"1000:2000",
|
||||
":3000",
|
||||
"4000:"
|
||||
],
|
||||
"port": [
|
||||
80,
|
||||
443
|
||||
],
|
||||
"port_range": [
|
||||
"1000:2000",
|
||||
":3000",
|
||||
"4000:"
|
||||
],
|
||||
"process_name": [
|
||||
"curl"
|
||||
],
|
||||
"package_name": [
|
||||
"com.termux"
|
||||
],
|
||||
"user": [
|
||||
"sekai"
|
||||
],
|
||||
"user_id": [
|
||||
1000
|
||||
],
|
||||
"invert": false,
|
||||
"outbound": "direct"
|
||||
},
|
||||
{
|
||||
"type": "logical",
|
||||
"mode": "and",
|
||||
"rules": [],
|
||||
"invert": false,
|
||||
"outbound": "direct"
|
||||
}
|
||||
]
|
||||
|
@ -83,7 +107,7 @@
|
|||
|
||||
Tags of [inbound](../inbound).
|
||||
|
||||
#### user
|
||||
#### auth_user
|
||||
|
||||
Username, see each inbound for details.
|
||||
|
||||
|
@ -135,12 +159,54 @@ Match ip cidr.
|
|||
|
||||
Match source port.
|
||||
|
||||
#### source_port_range
|
||||
|
||||
Match source port range.
|
||||
|
||||
#### port
|
||||
|
||||
Match port.
|
||||
|
||||
#### port_range
|
||||
|
||||
Match port range.
|
||||
|
||||
#### process_name
|
||||
|
||||
!!! error ""
|
||||
|
||||
Only supported on Linux, Windows, and macOS.
|
||||
|
||||
Match process name.
|
||||
|
||||
#### package_name
|
||||
|
||||
Match android package name.
|
||||
|
||||
#### user
|
||||
|
||||
!!! error ""
|
||||
|
||||
Only supported on Linux with CGO enabled.
|
||||
|
||||
Match user name.
|
||||
|
||||
#### user_id
|
||||
|
||||
!!! error ""
|
||||
|
||||
Only supported on Linux.
|
||||
|
||||
Match user id.
|
||||
|
||||
#### invert
|
||||
|
||||
Invert match result.
|
||||
|
||||
#### outbound
|
||||
|
||||
==Required==
|
||||
|
||||
Tag of the target outbound.
|
||||
|
||||
### Logical Fields
|
||||
|
@ -157,6 +223,12 @@ Tag of the target outbound.
|
|||
|
||||
Included default rules.
|
||||
|
||||
#### invert
|
||||
|
||||
Invert match result.
|
||||
|
||||
#### outbound
|
||||
|
||||
==Required==
|
||||
|
||||
Tag of the target outbound.
|
||||
|
|
136
docs/configuration/shared/tls.md
Normal file
136
docs/configuration/shared/tls.md
Normal file
|
@ -0,0 +1,136 @@
|
|||
### Inbound Structure
|
||||
|
||||
```json
|
||||
{
|
||||
"enabled": true,
|
||||
"server_name": "",
|
||||
"alpn": [],
|
||||
"min_version": "",
|
||||
"max_version": "",
|
||||
"cipher_suites": [],
|
||||
"certificate": "",
|
||||
"certificate_path": "",
|
||||
"key": "",
|
||||
"key_path": ""
|
||||
}
|
||||
```
|
||||
|
||||
### Outbound Structure
|
||||
|
||||
```json
|
||||
{
|
||||
"enabled": true,
|
||||
"server_name": "",
|
||||
"insecure": false,
|
||||
"alpn": [],
|
||||
"min_version": "",
|
||||
"max_version": "",
|
||||
"cipher_suites": [],
|
||||
"disable_system_root": false,
|
||||
"certificate": "",
|
||||
"certificate_path": ""
|
||||
}
|
||||
```
|
||||
|
||||
TLS version values:
|
||||
|
||||
* `1.0`
|
||||
* `1.1`
|
||||
* `1.2`
|
||||
* `1.3`
|
||||
|
||||
Cipher suite values:
|
||||
|
||||
* `TLS_RSA_WITH_AES_128_CBC_SHA`
|
||||
* `TLS_RSA_WITH_AES_256_CBC_SHA`
|
||||
* `TLS_RSA_WITH_AES_128_GCM_SHA256`
|
||||
* `TLS_RSA_WITH_AES_256_GCM_SHA384`
|
||||
* `TLS_AES_128_GCM_SHA256`
|
||||
* `TLS_AES_256_GCM_SHA384`
|
||||
* `TLS_CHACHA20_POLY1305_SHA256`
|
||||
* `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`
|
||||
* `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`
|
||||
* `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`
|
||||
* `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`
|
||||
* `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
|
||||
* `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
|
||||
* `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
|
||||
* `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
|
||||
* `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`
|
||||
* `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`
|
||||
|
||||
### Fields
|
||||
|
||||
#### enabled
|
||||
|
||||
Enabled TLS.
|
||||
|
||||
#### server_name
|
||||
|
||||
Used to verify the hostname on the returned certificates unless insecure is given.
|
||||
|
||||
It is also included in the client's handshake to support virtual hosting unless it is an IP address.
|
||||
|
||||
See [Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication).
|
||||
|
||||
#### insecure
|
||||
|
||||
==Client only==
|
||||
|
||||
Accepts any server certificate.
|
||||
|
||||
#### alpn
|
||||
|
||||
List of supported application level protocols, in order of preference.
|
||||
|
||||
If both peers support ALPN, the selected protocol will be one from this list, and the connection will fail if there is
|
||||
no mutually supported protocol.
|
||||
|
||||
See [Application-Layer Protocol Negotiation](https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation).
|
||||
|
||||
#### min_version
|
||||
|
||||
The minimum TLS version that is acceptable.
|
||||
|
||||
By default, TLS 1.2 is currently used as the minimum when acting as a
|
||||
client, and TLS 1.0 when acting as a server. TLS 1.0 is the minimum
|
||||
supported by this package, both as a client and as a server.
|
||||
|
||||
The client-side default can temporarily be reverted to TLS 1.0 by
|
||||
including the value "x509sha1=1" in the GODEBUG environment variable.
|
||||
Note that this option will be removed in Go 1.19 (but it will still be
|
||||
possible to set this field to VersionTLS10 explicitly).
|
||||
|
||||
#### max_version
|
||||
|
||||
The maximum TLS version that is acceptable.
|
||||
|
||||
By default, the maximum version supported by this package is used,
|
||||
which is currently TLS 1.3.
|
||||
|
||||
#### cipher_suites
|
||||
|
||||
The elliptic curves that will be used in an ECDHE handshake, in preference order.
|
||||
|
||||
If empty, the default will be used. The client will use the first preference as the type for its key share in TLS 1.3.
|
||||
This may change in the future.
|
||||
|
||||
#### certificate
|
||||
|
||||
The server certificate, in PEM format.
|
||||
|
||||
#### certificate_path
|
||||
|
||||
The path to the server certificate, in PEM format.
|
||||
|
||||
#### key
|
||||
|
||||
==Server only==
|
||||
|
||||
The server private key, in PEM format.
|
||||
|
||||
#### key_path
|
||||
|
||||
==Server only==
|
||||
|
||||
The path to the server private key, in PEM format.
|
|
@ -18,10 +18,11 @@ Install with options:
|
|||
go install -v -tags "with_clash_api,no_gvisor" github.com/sagernet/sing-box/cmd/sing-box@latest
|
||||
```
|
||||
|
||||
| Build Tag | Description |
|
||||
|------------------|--------------------------------------------------------------------------------------------------|
|
||||
| `with_clash_api` | Build with clash api support, see [Experimental](./configuration/experimental#clash-api-fields). |
|
||||
| `no_gvisor` | Build without gVisor, which required by the [Tun](./configuration/inbound/tun) inbound. |
|
||||
| Build Tag | Description |
|
||||
|------------------|---------------------------------------------------------------------------------------------------------|
|
||||
| `with_quic` | Build with quic support, which required by [QUIC and HTTP3](./configuration/dns/server) dns transports. |
|
||||
| `with_clash_api` | Build with clash api support, see [Experimental](./configuration/experimental#clash-api-fields). |
|
||||
| `no_gvisor` | Build without gVisor, which required by the [Tun](./configuration/inbound/tun) inbound. |
|
||||
|
||||
The binary is built under $GOPATH/bin
|
||||
|
||||
|
|
|
@ -65,6 +65,8 @@ nav:
|
|||
- Route Rule: configuration/route/rule.md
|
||||
- Protocol Sniff: configuration/route/sniff.md
|
||||
- Experimental: configuration/experimental.md
|
||||
- Shared:
|
||||
- TLS: configuration/shared/tls.md
|
||||
- Examples:
|
||||
- examples/index.md
|
||||
- Shadowsocks Server: examples/ss-server.md
|
||||
|
|
|
@ -20,17 +20,16 @@ type InboundTLSOptions struct {
|
|||
}
|
||||
|
||||
type OutboundTLSOptions struct {
|
||||
Enabled bool `json:"enabled,omitempty"`
|
||||
DisableSNI bool `json:"disable_sni,omitempty"`
|
||||
ServerName string `json:"server_name,omitempty"`
|
||||
Insecure bool `json:"insecure,omitempty"`
|
||||
ALPN []string `json:"alpn,omitempty"`
|
||||
MinVersion string `json:"min_version,omitempty"`
|
||||
MaxVersion string `json:"max_version,omitempty"`
|
||||
CipherSuites []string `json:"cipher_suites,omitempty"`
|
||||
DisableSystemRoot bool `json:"disable_system_root,omitempty"`
|
||||
Certificate string `json:"certificate,omitempty"`
|
||||
CertificatePath string `json:"certificate_path,omitempty"`
|
||||
Enabled bool `json:"enabled,omitempty"`
|
||||
DisableSNI bool `json:"disable_sni,omitempty"`
|
||||
ServerName string `json:"server_name,omitempty"`
|
||||
Insecure bool `json:"insecure,omitempty"`
|
||||
ALPN []string `json:"alpn,omitempty"`
|
||||
MinVersion string `json:"min_version,omitempty"`
|
||||
MaxVersion string `json:"max_version,omitempty"`
|
||||
CipherSuites []string `json:"cipher_suites,omitempty"`
|
||||
Certificate string `json:"certificate,omitempty"`
|
||||
CertificatePath string `json:"certificate_path,omitempty"`
|
||||
}
|
||||
|
||||
func ParseTLSVersion(version string) (uint16, error) {
|
||||
|
|
|
@ -58,7 +58,7 @@ var warnFindProcessOnUnsupportedPlatform = warning.New(
|
|||
func() bool {
|
||||
return !(C.IsLinux || C.IsWindows || C.IsDarwin)
|
||||
},
|
||||
"route option `find_process` is only supported on Linux, Windows, and Mac OS X",
|
||||
"route option `find_process` is only supported on Linux, Windows, and macOS",
|
||||
)
|
||||
|
||||
var _ adapter.Router = (*Router)(nil)
|
||||
|
|
|
@ -11,7 +11,7 @@ import (
|
|||
|
||||
var warnProcessNameOnNonSupportedPlatform = warning.New(
|
||||
func() bool { return !(C.IsLinux || C.IsWindows || C.IsDarwin) },
|
||||
"rule item `process_item` is only supported on Linux, Windows, and Mac OS X",
|
||||
"rule item `process_item` is only supported on Linux, Windows, and macOS",
|
||||
)
|
||||
|
||||
var _ RuleItem = (*ProcessItem)(nil)
|
||||
|
|
Loading…
Reference in a new issue