diff --git a/common/dialer/tls.go b/common/dialer/tls.go
index fff10871..6423d78a 100644
--- a/common/dialer/tls.go
+++ b/common/dialer/tls.go
@@ -99,16 +99,7 @@ func NewTLS(dialer N.Dialer, serverAddress string, options option.OutboundTLSOpt
 certificate = content
 }
 if len(certificate) > 0 {
- var certPool *x509.CertPool
- if options.DisableSystemRoot {
- certPool = x509.NewCertPool()
- } else {
- var err error
- certPool, err = x509.SystemCertPool()
- if err != nil {
- return nil, E.Cause(err, "load system cert pool")
- }
- }
+ certPool := x509.NewCertPool()
 if !certPool.AppendCertsFromPEM([]byte(options.Certificate)) {
 return nil, E.New("failed to parse certificate:\n\n", options.Certificate)
 }
diff --git a/docs/configuration/dns/rule.md b/docs/configuration/dns/rule.md
index 074bb2fc..f9bc0886 100644
--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@@ -9,7 +9,7 @@
 "mixed-in"
 ],
 "network": "tcp",
- "user": [
+ "auth_user": [
 "usera",
 "userb"
 ],
@@ -42,20 +42,45 @@
 "source_port": [
 12345
 ],
+ "source_port_range": [
+ "1000:2000",
+ ":3000",
+ "4000:"
+ ],
 "port": [
 80,
 443
 ],
+ "port_range": [
+ "1000:2000",
+ ":3000",
+ "4000:"
+ ],
+ "process_name": [
+ "curl"
+ ],
+ "package_name": [
+ "com.termux"
+ ],
+ "user": [
+ "sekai"
+ ],
+ "user_id": [
+ 1000
+ ],
+ "invert": false,
 "outbound": [
 "direct"
 ],
- "server": "local"
+ "server": "local",
+ "disable_cache": false
 },
 {
 "type": "logical",
 "mode": "and",
 "rules": [],
- "server": "local"
+ "server": "local",
+ "disable_cache": false
 }
 ]
 }
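Review bot: The new branch still hands `options.Certificate` to `AppendCertsFromPEM`, while the guard two lines above tests `certificate`, the value just assigned from `content` (presumably the bytes read for `certificate_path`); a certificate supplied only by path would then appear to leave `options.Certificate` empty and fail with `failed to parse certificate:` followed by an empty body. The pool should be populated from what was actually loaded, e.g. `if !certPool.AppendCertsFromPEM(certificate) {` (wrapped in `[]byte(...)` if `certificate` is a string), with the error echoing that same value. Separately, dropping the `SystemCertPool` fallback means a configured `certificate` now pins the peer to that CA alone instead of adding it to the system roots; that is a sound default for a proxy dialer, but it is a behaviour change that deserves a comment here (`// a configured certificate pins the peer: system roots are deliberately not consulted`) and a sentence in docs/configuration/shared/tls.md, which in this same commit still lists `disable_system_root` in the outbound structure. NewTLS starts before this hunk and continues after it.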
@@ -124,18 +149,64 @@ Match source ip cidr. Match source port. +#### source_port_range + +Match source port range. + #### port Match port. +#### port_range + +Match port range. + +#### process_name + +!!! error "" + + Only supported on Linux, Windows, and macOS. + +Match process name. + +#### package_name + +Match android package name. + +#### user + +!!! error "" + + Only supported on Linux with CGO enabled. + +Match user name. + +#### user_id + +!!! error "" + + Only supported on Linux. + +Match user id. + +#### invert + +Invert match result. + #### outbound Match outbound. #### server +==Required== + Tag of the target dns server. +#### disable_cache + +Disable cache and save cache in this query. + ### Logical Fields #### type @@ -150,8 +221,16 @@ Tag of the target dns server. Included default rules. +#### invert + +Invert match result. + #### server ==Required== Tag of the target dns server. + +#### disable_cache + +Disable cache and save cache in this query. \ No newline at end of file diff --git a/docs/configuration/dns/server.md b/docs/configuration/dns/server.md index fe61d861..6795b71a 100644 --- a/docs/configuration/dns/server.md +++ b/docs/configuration/dns/server.md 
@@ -36,11 +36,30 @@ The address of the dns server.
 | `UDP` | `8.8.8.8` `udp://8.8.4.4` |
 | `TLS` | `tls://dns.google` |
 | `HTTPS` | `https://1.1.1.1/dns-query` |
+| `QUIC` | `quic://dns.adguard.com` |
+| `HTTP3` | `h3://8.8.8.8/dns-query` |
+| `RCode` | `rcode://refused` |

 !!! warning ""

 To ensure that system DNS is in effect, rather than go's built-in default resolver, enable CGO at compile time.

+!!! warning ""
+
+ QUIC and HTTP3 transport is not included by default, see [Installation](/#Installation).
+
+!!! info ""
+
+ the RCode transport is often used to block queries. Use with rules and the `disable_cache` rule option.
+
+| RCode | Description |
+|-------------------|-----------------------|
+| `success` | `No error` |
+| `format_error` | `Format error` |
+| `server_failure` | `Server failure` |
+| `name_error` | `Non-existent domain` |
+| `not_implemented` | `Not implemented` |
+
 #### address_resolver

 ==Required if address contains domain==
diff --git a/docs/configuration/inbound/http.md b/docs/configuration/inbound/http.md
index e169f8aa..dd3b543b 100644
--- a/docs/configuration/inbound/http.md
+++ b/docs/configuration/inbound/http.md
@@ -15,14 +15,14 @@
 "sniff": false,
 "sniff_override_destination": false,
 "domain_strategy": "prefer_ipv6",
-
+
+ "tls": {},
 "users": [
 {
 "username": "admin",
 "password": "admin"
 }
 ],
-
 "set_system_proxy": false
 }
 ]
@@ -77,6 +77,10 @@ Automatically set system proxy configuration when start and clean up when stop.

 ### HTTP Fields

+#### tls
+
+TLS configuration, see [TLS inbound structure](/configuration/shared/tls/#inbound-structure).
+
 #### users

 HTTP users.
diff --git a/docs/configuration/inbound/tun.md b/docs/configuration/inbound/tun.md
index 435fcf93..2b661339 100644
--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -10,12 +10,12 @@ { "type": "tun", "tag": "tun-in", - "inet4_address": "172.19.0.1/30", "inet6_address": "fdfe:dcba:9876::1/128", "mtu": 1500, "auto_route": true, - + "endpoint_independent_nat": false, + "udp_timeout": 300, "sniff": true, "sniff_override_destination": false, "domain_strategy": "prefer_ipv4" @@ -48,6 +48,16 @@ Set the default route to the Tun. To avoid traffic loopback, set `route.auto_detect_interface` or `route.default_interface` or `outbound.bind_interface` +#### endpoint_independent_nat + +Enabled endpoint-independent NAT. + +Performance may degrade slightly, so it is not recommended to enable on when it is not needed. + +#### udp_timeout + +UDP NAT expiration time in seconds, default is 300 (5 minutes). + ### Listen Fields #### sniff diff --git a/docs/configuration/outbound/direct.md b/docs/configuration/outbound/direct.md index 3c371c7a..24d20d4a 100644 --- a/docs/configuration/outbound/direct.md +++ b/docs/configuration/outbound/direct.md @@ -49,9 +49,11 @@ The network interface to bind to. #### routing_mark -The iptables routing mark. +!!! error "" -Only available in linux. + Linux only + +The iptables routing mark. #### reuse_addr diff --git a/docs/configuration/outbound/http.md b/docs/configuration/outbound/http.md index 89139d35..b7e2a931 100644 --- a/docs/configuration/outbound/http.md +++ b/docs/configuration/outbound/http.md @@ -13,6 +13,7 @@ "server_port": 1080, "username": "sekai", "password": "admin", + "tls": {}, "detour": "upstream-out", "bind_interface": "en0", @@ -49,6 +50,10 @@ Basic authorization username. Basic authorization password. +#### tls + +TLS configuration, see [TLS outbound structure](/configuration/shared/tls/#outbound-structure). + ### Dial Fields #### detour @@ -63,9 +68,11 @@ The network interface to bind to. #### routing_mark -The iptables routing mark. +!!! error "" -Only available in linux. + Linux only + +The iptables routing mark. #### reuse_addr 
diff --git a/docs/configuration/outbound/shadowsocks.md b/docs/configuration/outbound/shadowsocks.md index 1bed475e..da42da06 100644 --- a/docs/configuration/outbound/shadowsocks.md +++ b/docs/configuration/outbound/shadowsocks.md @@ -98,9 +98,11 @@ The network interface to bind to. #### routing_mark -The iptables routing mark. +!!! error "" -Only available in linux. + Linux only + +The iptables routing mark. #### reuse_addr diff --git a/docs/configuration/outbound/socks.md b/docs/configuration/outbound/socks.md index 92041fa6..97b0e507 100644 --- a/docs/configuration/outbound/socks.md +++ b/docs/configuration/outbound/socks.md @@ -8,14 +8,12 @@ { "type": "socks", "tag": "socks-out", - "server": "127.0.0.1", "server_port": 1080, "version": "5", "username": "sekai", "password": "admin", "network": "udp", - "detour": "upstream-out", "bind_interface": "en0", "routing_mark": 1234, @@ -79,9 +77,11 @@ The network interface to bind to. #### routing_mark -The iptables routing mark. +!!! error "" -Only available in linux. + Linux only + +The iptables routing mark. #### reuse_addr diff --git a/docs/configuration/route/index.md b/docs/configuration/route/index.md index 31d34545..31dd3928 100644 --- a/docs/configuration/route/index.md +++ b/docs/configuration/route/index.md @@ -8,7 +8,8 @@ "rules": [], "final": "", "auto_detect_interface": false, - "default_interface": "en0" + "default_interface": "en0", + "default_mark": 233 } } ``` @@ -44,3 +45,13 @@ Takes no effect if `outbound.bind_interface` is set. Bind outbound connections to the specified NIC by default to prevent routing loops under Tun. Takes no effect if `auto_detect_interface` is set. + +#### default_mark + +!!! error "" + + Linux only + +Set iptables routing mark by default. + +Takes no effect if `outbound.routing_mark` is set. \ No newline at end of file diff --git a/docs/configuration/route/rule.md b/docs/configuration/route/rule.md index 848cc7cc..186b09f2 100644 --- a/docs/configuration/route/rule.md 
+++ b/docs/configuration/route/rule.md @@ -9,7 +9,7 @@ "mixed-in" ], "network": "tcp", - "user": [ + "auth_user": [ "usera", "userb" ], @@ -48,16 +48,40 @@ "source_port": [ 12345 ], + "source_port_range": [ + "1000:2000", + ":3000", + "4000:" + ], "port": [ 80, 443 ], + "port_range": [ + "1000:2000", + ":3000", + "4000:" + ], + "process_name": [ + "curl" + ], + "package_name": [ + "com.termux" + ], + "user": [ + "sekai" + ], + "user_id": [ + 1000 + ], + "invert": false, "outbound": "direct" }, { "type": "logical", "mode": "and", "rules": [], + "invert": false, "outbound": "direct" } ] @@ -83,7 +107,7 @@ Tags of [inbound](../inbound). -#### user +#### auth_user Username, see each inbound for details. @@ -135,12 +159,54 @@ Match ip cidr. Match source port. +#### source_port_range + +Match source port range. + #### port Match port. +#### port_range + +Match port range. + +#### process_name + +!!! error "" + + Only supported on Linux, Windows, and macOS. + +Match process name. + +#### package_name + +Match android package name. + +#### user + +!!! error "" + + Only supported on Linux with CGO enabled. + +Match user name. + +#### user_id + +!!! error "" + + Only supported on Linux. + +Match user id. + +#### invert + +Invert match result. + #### outbound +==Required== + Tag of the target outbound. ### Logical Fields @@ -157,6 +223,12 @@ Tag of the target outbound. Included default rules. +#### invert + +Invert match result. + #### outbound +==Required== + Tag of the target outbound. diff --git a/docs/configuration/shared/tls.md b/docs/configuration/shared/tls.md new file mode 100644 index 00000000..85763385 --- /dev/null +++ b/docs/configuration/shared/tls.md 
@@ -0,0 +1,136 @@ +### Inbound Structure + +```json +{ + "enabled": true, + "server_name": "", + "alpn": [], + "min_version": "", + "max_version": "", + "cipher_suites": [], + "certificate": "", + "certificate_path": "", + "key": "", + "key_path": "" +} +``` + +### Outbound Structure + +```json +{ + "enabled": true, + "server_name": "", + "insecure": false, + "alpn": [], + "min_version": "", + "max_version": "", + "cipher_suites": [], + "disable_system_root": false, + "certificate": "", + "certificate_path": "" +} +``` + +TLS version values: + +* `1.0` +* `1.1` +* `1.2` +* `1.3` + +Cipher suite values: + +* `TLS_RSA_WITH_AES_128_CBC_SHA` +* `TLS_RSA_WITH_AES_256_CBC_SHA` +* `TLS_RSA_WITH_AES_128_GCM_SHA256` +* `TLS_RSA_WITH_AES_256_GCM_SHA384` +* `TLS_AES_128_GCM_SHA256` +* `TLS_AES_256_GCM_SHA384` +* `TLS_CHACHA20_POLY1305_SHA256` +* `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` +* `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` +* `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` +* `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` +* `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` +* `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` +* `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` +* `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` +* `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` +* `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` + +### Fields + +#### enabled + +Enabled TLS. + +#### server_name + +Used to verify the hostname on the returned certificates unless insecure is given. + +It is also included in the client's handshake to support virtual hosting unless it is an IP address. + +See [Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication). + +#### insecure + +==Client only== + +Accepts any server certificate. + +#### alpn + +List of supported application level protocols, in order of preference. + +If both peers support ALPN, the selected protocol will be one from this list, and the connection will fail if there is +no mutually supported protocol. 
+ +See [Application-Layer Protocol Negotiation](https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation). + +#### min_version + +The minimum TLS version that is acceptable. + +By default, TLS 1.2 is currently used as the minimum when acting as a +client, and TLS 1.0 when acting as a server. TLS 1.0 is the minimum +supported by this package, both as a client and as a server. + +The client-side default can temporarily be reverted to TLS 1.0 by +including the value "x509sha1=1" in the GODEBUG environment variable. +Note that this option will be removed in Go 1.19 (but it will still be +possible to set this field to VersionTLS10 explicitly). + +#### max_version + +The maximum TLS version that is acceptable. + +By default, the maximum version supported by this package is used, +which is currently TLS 1.3. + +#### cipher_suites + +The elliptic curves that will be used in an ECDHE handshake, in preference order. + +If empty, the default will be used. The client will use the first preference as the type for its key share in TLS 1.3. +This may change in the future. + +#### certificate + +The server certificate, in PEM format. + +#### certificate_path + +The path to the server certificate, in PEM format. + +#### key + +==Server only== + +The server private key, in PEM format. + +#### key_path + +==Server only== + +The path to the server private key, in PEM format. \ No newline at end of file diff --git a/docs/index.md b/docs/index.md index 17879dd6..92a8946f 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -18,10 +18,11 @@ Install with options: go install -v -tags "with_clash_api,no_gvisor" github.com/sagernet/sing-box/cmd/sing-box@latest ``` -| Build Tag | Description | -|------------------|--------------------------------------------------------------------------------------------------| -| `with_clash_api` | Build with clash api support, see [Experimental](./configuration/experimental#clash-api-fields). | -| `no_gvisor` | Build without gVisor, which required by the [Tun](./configuration/inbound/tun) inbound. | +| Build Tag | Description | +|------------------|---------------------------------------------------------------------------------------------------------| +| `with_quic` | Build with quic support, which required by [QUIC and HTTP3](./configuration/dns/server) dns transports. | +| `with_clash_api` | Build with clash api support, see [Experimental](./configuration/experimental#clash-api-fields). | +| `no_gvisor` | Build without gVisor, which required by the [Tun](./configuration/inbound/tun) inbound. | The binary is built under $GOPATH/bin diff --git a/mkdocs.yml b/mkdocs.yml index fd0721e2..87cd4e1d 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -65,6 +65,8 @@ nav: - Route Rule: configuration/route/rule.md - Protocol Sniff: configuration/route/sniff.md - Experimental: configuration/experimental.md + - Shared: + - TLS: configuration/shared/tls.md - Examples: - examples/index.md - Shadowsocks Server: examples/ss-server.md diff --git a/option/tls.go b/option/tls.go index 94658560..4b470e60 100644 --- a/option/tls.go +++ b/option/tls.go 
@@ -20,17 +20,16 @@ type InboundTLSOptions struct {
 }

 type OutboundTLSOptions struct {
- Enabled bool `json:"enabled,omitempty"`
- DisableSNI bool `json:"disable_sni,omitempty"`
- ServerName string `json:"server_name,omitempty"`
- Insecure bool `json:"insecure,omitempty"`
- ALPN []string `json:"alpn,omitempty"`
- MinVersion string `json:"min_version,omitempty"`
- MaxVersion string `json:"max_version,omitempty"`
- CipherSuites []string `json:"cipher_suites,omitempty"`
- DisableSystemRoot bool `json:"disable_system_root,omitempty"`
- Certificate string `json:"certificate,omitempty"`
- CertificatePath string `json:"certificate_path,omitempty"`
+ Enabled bool `json:"enabled,omitempty"`
+ DisableSNI bool `json:"disable_sni,omitempty"`
+ ServerName string `json:"server_name,omitempty"`
+ Insecure bool `json:"insecure,omitempty"`
+ ALPN []string `json:"alpn,omitempty"`
+ MinVersion string `json:"min_version,omitempty"`
+ MaxVersion string `json:"max_version,omitempty"`
+ CipherSuites []string `json:"cipher_suites,omitempty"`
+ Certificate string `json:"certificate,omitempty"`
+ CertificatePath string `json:"certificate_path,omitempty"`
 }

 func ParseTLSVersion(version string) (uint16, error) {
diff --git a/route/router.go b/route/router.go
index f33cf862..3eacc41b 100644
--- a/route/router.go
+++ b/route/router.go
@@ -58,7 +58,7 @@ var warnFindProcessOnUnsupportedPlatform = warning.New(
 func() bool {
 return !(C.IsLinux || C.IsWindows || C.IsDarwin)
 },
- "route option `find_process` is only supported on Linux, Windows, and Mac OS X",
+ "route option `find_process` is only supported on Linux, Windows, and macOS",
 )

 var _ adapter.Router = (*Router)(nil)
diff --git a/route/rule_process.go b/route/rule_process.go
index 84f474b2..d09d3eb4 100644
--- a/route/rule_process.go
+++ b/route/rule_process.go
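Review bot: Dropping `DisableSystemRoot` from `OutboundTLSOptions` changes what an existing config means without telling the user: someone who set `disable_system_root: false` to get their private CA in addition to the system roots will now, depending on how the config decoder treats unknown JSON keys (not visible here), either hit a hard parse error or have the key silently ignored while the dialer trusts only their `certificate`. Either way, the docs/configuration/shared/tls.md page added by this same commit still advertises `disable_system_root` in the outbound structure, so it should be removed there with a note on the new pin-only semantics, or the field kept here as a deprecated no-op carrying a comment such as `// Deprecated: a configured certificate always replaces the system roots.` The struct is complete within the hunk.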
@@ -11,7 +11,7 @@ import ( var warnProcessNameOnNonSupportedPlatform = warning.New( func() bool { return !(C.IsLinux || C.IsWindows || C.IsDarwin) }, - "rule item `process_item` is only supported on Linux, Windows, and Mac OS X", + "rule item `process_item` is only supported on Linux, Windows, and macOS", ) var _ RuleItem = (*ProcessItem)(nil)
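Review bot: The rewritten warning still refers to the rule item as `process_item`, but the option documented in this commit and implied by the variable name `warnProcessNameOnNonSupportedPlatform` is `process_name`, so a user on an unsupported platform is pointed at a key that does not appear to exist. Only the wording after the tick marks was touched; the literal should read `rule item `process_name` is only supported on Linux, Windows, and macOS` (replace `process_item` with `process_name` inside the string). I cannot see the rule parser from this hunk, so confirm the documented key before changing it.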