Update documentation

This commit is contained in:
世界 2022-07-27 12:03:07 +08:00
parent f008d0bde3
commit aa074a2063
No known key found for this signature in database
GPG key ID: CD109927C34A63C4
17 changed files with 382 additions and 47 deletions

View file

@ -99,16 +99,7 @@ func NewTLS(dialer N.Dialer, serverAddress string, options option.OutboundTLSOpt
certificate = content
}
if len(certificate) > 0 {
var certPool *x509.CertPool
if options.DisableSystemRoot {
certPool = x509.NewCertPool()
} else {
var err error
certPool, err = x509.SystemCertPool()
if err != nil {
return nil, E.Cause(err, "load system cert pool")
}
}
certPool := x509.NewCertPool()
if !certPool.AppendCertsFromPEM([]byte(options.Certificate)) {
return nil, E.New("failed to parse certificate:\n\n", options.Certificate)
}

View file

@ -9,7 +9,7 @@
"mixed-in"
],
"network": "tcp",
"user": [
"auth_user": [
"usera",
"userb"
],
@ -42,20 +42,45 @@
"source_port": [
12345
],
"source_port_range": [
"1000:2000",
":3000",
"4000:"
],
"port": [
80,
443
],
"port_range": [
"1000:2000",
":3000",
"4000:"
],
"process_name": [
"curl"
],
"package_name": [
"com.termux"
],
"user": [
"sekai"
],
"user_id": [
1000
],
"invert": false,
"outbound": [
"direct"
],
"server": "local"
"server": "local",
"disable_cache": false
},
{
"type": "logical",
"mode": "and",
"rules": [],
"server": "local"
"server": "local",
"disable_cache": false
}
]
}
@ -124,18 +149,64 @@ Match source ip cidr.
Match source port.
#### source_port_range
Match source port range.
#### port
Match port.
#### port_range
Match port range.
#### process_name
!!! error ""
Only supported on Linux, Windows, and macOS.
Match process name.
#### package_name
Match android package name.
#### user
!!! error ""
Only supported on Linux with CGO enabled.
Match user name.
#### user_id
!!! error ""
Only supported on Linux.
Match user id.
#### invert
Invert match result.
#### outbound
Match outbound.
#### server
==Required==
Tag of the target dns server.
#### disable_cache
Disable cache and save cache in this query.
### Logical Fields
#### type
@ -150,8 +221,16 @@ Tag of the target dns server.
Included default rules.
#### invert
Invert match result.
#### server
==Required==
Tag of the target dns server.
#### disable_cache
Disable cache and save cache in this query.

View file

@ -36,11 +36,30 @@ The address of the dns server.
| `UDP` | `8.8.8.8` `udp://8.8.4.4` |
| `TLS` | `tls://dns.google` |
| `HTTPS` | `https://1.1.1.1/dns-query` |
| `QUIC` | `quic://dns.adguard.com` |
| `HTTP3` | `h3://8.8.8.8/dns-query` |
| `RCode` | `rcode://refused` |
!!! warning ""
To ensure that system DNS is in effect, rather than go's built-in default resolver, enable CGO at compile time.
!!! warning ""
QUIC and HTTP3 transport is not included by default, see [Installation](/#Installation).
!!! info ""
the RCode transport is often used to block queries. Use with rules and the `disable_cache` rule option.
| RCode | Description |
|-------------------|-----------------------|
| `success` | `No error` |
| `format_error` | `Format error` |
| `server_failure` | `Server failure` |
| `name_error` | `Non-existent domain` |
| `not_implemented` | `Not implemented` |
#### address_resolver
==Required if address contains domain==

View file

@ -16,13 +16,13 @@
"sniff_override_destination": false,
"domain_strategy": "prefer_ipv6",
"tls": {},
"users": [
{
"username": "admin",
"password": "admin"
}
],
"set_system_proxy": false
}
]
@ -77,6 +77,10 @@ Automatically set system proxy configuration when start and clean up when stop.
### HTTP Fields
#### tls
TLS configuration, see [TLS inbound structure](/configuration/shared/tls/#inbound-structure).
#### users
HTTP users.

View file

@ -10,12 +10,12 @@
{
"type": "tun",
"tag": "tun-in",
"inet4_address": "172.19.0.1/30",
"inet6_address": "fdfe:dcba:9876::1/128",
"mtu": 1500,
"auto_route": true,
"endpoint_independent_nat": false,
"udp_timeout": 300,
"sniff": true,
"sniff_override_destination": false,
"domain_strategy": "prefer_ipv4"
@ -48,6 +48,16 @@ Set the default route to the Tun.
To avoid traffic loopback, set `route.auto_detect_interface` or `route.default_interface` or `outbound.bind_interface`
#### endpoint_independent_nat
Enabled endpoint-independent NAT.
Performance may degrade slightly, so it is not recommended to enable on when it is not needed.
#### udp_timeout
UDP NAT expiration time in seconds, default is 300 (5 minutes).
### Listen Fields
#### sniff

View file

@ -49,9 +49,11 @@ The network interface to bind to.
#### routing_mark
The iptables routing mark.
!!! error ""
Only available in linux.
Linux only
The iptables routing mark.
#### reuse_addr

View file

@ -13,6 +13,7 @@
"server_port": 1080,
"username": "sekai",
"password": "admin",
"tls": {},
"detour": "upstream-out",
"bind_interface": "en0",
@ -49,6 +50,10 @@ Basic authorization username.
Basic authorization password.
#### tls
TLS configuration, see [TLS outbound structure](/configuration/shared/tls/#outbound-structure).
### Dial Fields
#### detour
@ -63,9 +68,11 @@ The network interface to bind to.
#### routing_mark
The iptables routing mark.
!!! error ""
Only available in linux.
Linux only
The iptables routing mark.
#### reuse_addr

View file

@ -98,9 +98,11 @@ The network interface to bind to.
#### routing_mark
The iptables routing mark.
!!! error ""
Only available in linux.
Linux only
The iptables routing mark.
#### reuse_addr

View file

@ -8,14 +8,12 @@
{
"type": "socks",
"tag": "socks-out",
"server": "127.0.0.1",
"server_port": 1080,
"version": "5",
"username": "sekai",
"password": "admin",
"network": "udp",
"detour": "upstream-out",
"bind_interface": "en0",
"routing_mark": 1234,
@ -79,9 +77,11 @@ The network interface to bind to.
#### routing_mark
The iptables routing mark.
!!! error ""
Only available in linux.
Linux only
The iptables routing mark.
#### reuse_addr

View file

@ -8,7 +8,8 @@
"rules": [],
"final": "",
"auto_detect_interface": false,
"default_interface": "en0"
"default_interface": "en0",
"default_mark": 233
}
}
```
@ -44,3 +45,13 @@ Takes no effect if `outbound.bind_interface` is set.
Bind outbound connections to the specified NIC by default to prevent routing loops under Tun.
Takes no effect if `auto_detect_interface` is set.
#### default_mark
!!! error ""
Linux only
Set iptables routing mark by default.
Takes no effect if `outbound.routing_mark` is set.

View file

@ -9,7 +9,7 @@
"mixed-in"
],
"network": "tcp",
"user": [
"auth_user": [
"usera",
"userb"
],
@ -48,16 +48,40 @@
"source_port": [
12345
],
"source_port_range": [
"1000:2000",
":3000",
"4000:"
],
"port": [
80,
443
],
"port_range": [
"1000:2000",
":3000",
"4000:"
],
"process_name": [
"curl"
],
"package_name": [
"com.termux"
],
"user": [
"sekai"
],
"user_id": [
1000
],
"invert": false,
"outbound": "direct"
},
{
"type": "logical",
"mode": "and",
"rules": [],
"invert": false,
"outbound": "direct"
}
]
@ -83,7 +107,7 @@
Tags of [inbound](../inbound).
#### user
#### auth_user
Username, see each inbound for details.
@ -135,12 +159,54 @@ Match ip cidr.
Match source port.
#### source_port_range
Match source port range.
#### port
Match port.
#### port_range
Match port range.
#### process_name
!!! error ""
Only supported on Linux, Windows, and macOS.
Match process name.
#### package_name
Match android package name.
#### user
!!! error ""
Only supported on Linux with CGO enabled.
Match user name.
#### user_id
!!! error ""
Only supported on Linux.
Match user id.
#### invert
Invert match result.
#### outbound
==Required==
Tag of the target outbound.
### Logical Fields
@ -157,6 +223,12 @@ Tag of the target outbound.
Included default rules.
#### invert
Invert match result.
#### outbound
==Required==
Tag of the target outbound.

View file

@ -0,0 +1,136 @@
### Inbound Structure
```json
{
"enabled": true,
"server_name": "",
"alpn": [],
"min_version": "",
"max_version": "",
"cipher_suites": [],
"certificate": "",
"certificate_path": "",
"key": "",
"key_path": ""
}
```
### Outbound Structure
```json
{
"enabled": true,
"server_name": "",
"insecure": false,
"alpn": [],
"min_version": "",
"max_version": "",
"cipher_suites": [],
"disable_system_root": false,
"certificate": "",
"certificate_path": ""
}
```
TLS version values:
* `1.0`
* `1.1`
* `1.2`
* `1.3`
Cipher suite values:
* `TLS_RSA_WITH_AES_128_CBC_SHA`
* `TLS_RSA_WITH_AES_256_CBC_SHA`
* `TLS_RSA_WITH_AES_128_GCM_SHA256`
* `TLS_RSA_WITH_AES_256_GCM_SHA384`
* `TLS_AES_128_GCM_SHA256`
* `TLS_AES_256_GCM_SHA384`
* `TLS_CHACHA20_POLY1305_SHA256`
* `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`
* `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`
* `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`
* `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`
* `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
* `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
* `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
* `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
* `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`
* `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`
### Fields
#### enabled
Enabled TLS.
#### server_name
Used to verify the hostname on the returned certificates unless insecure is given.
It is also included in the client's handshake to support virtual hosting unless it is an IP address.
See [Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication).
#### insecure
==Client only==
Accepts any server certificate.
#### alpn
List of supported application level protocols, in order of preference.
If both peers support ALPN, the selected protocol will be one from this list, and the connection will fail if there is
no mutually supported protocol.
See [Application-Layer Protocol Negotiation](https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation).
#### min_version
The minimum TLS version that is acceptable.
By default, TLS 1.2 is currently used as the minimum when acting as a
client, and TLS 1.0 when acting as a server. TLS 1.0 is the minimum
supported by this package, both as a client and as a server.
The client-side default can temporarily be reverted to TLS 1.0 by
including the value "x509sha1=1" in the GODEBUG environment variable.
Note that this option will be removed in Go 1.19 (but it will still be
possible to set this field to VersionTLS10 explicitly).
#### max_version
The maximum TLS version that is acceptable.
By default, the maximum version supported by this package is used,
which is currently TLS 1.3.
#### cipher_suites
The elliptic curves that will be used in an ECDHE handshake, in preference order.
If empty, the default will be used. The client will use the first preference as the type for its key share in TLS 1.3.
This may change in the future.
#### certificate
The server certificate, in PEM format.
#### certificate_path
The path to the server certificate, in PEM format.
#### key
==Server only==
The server private key, in PEM format.
#### key_path
==Server only==
The path to the server private key, in PEM format.

View file

@ -18,10 +18,11 @@ Install with options:
go install -v -tags "with_clash_api,no_gvisor" github.com/sagernet/sing-box/cmd/sing-box@latest
```
| Build Tag | Description |
|------------------|--------------------------------------------------------------------------------------------------|
| `with_clash_api` | Build with clash api support, see [Experimental](./configuration/experimental#clash-api-fields). |
| `no_gvisor` | Build without gVisor, which required by the [Tun](./configuration/inbound/tun) inbound. |
| Build Tag | Description |
|------------------|---------------------------------------------------------------------------------------------------------|
| `with_quic` | Build with quic support, which required by [QUIC and HTTP3](./configuration/dns/server) dns transports. |
| `with_clash_api` | Build with clash api support, see [Experimental](./configuration/experimental#clash-api-fields). |
| `no_gvisor` | Build without gVisor, which required by the [Tun](./configuration/inbound/tun) inbound. |
The binary is built under $GOPATH/bin

View file

@ -65,6 +65,8 @@ nav:
- Route Rule: configuration/route/rule.md
- Protocol Sniff: configuration/route/sniff.md
- Experimental: configuration/experimental.md
- Shared:
- TLS: configuration/shared/tls.md
- Examples:
- examples/index.md
- Shadowsocks Server: examples/ss-server.md

View file

@ -20,17 +20,16 @@ type InboundTLSOptions struct {
}
type OutboundTLSOptions struct {
Enabled bool `json:"enabled,omitempty"`
DisableSNI bool `json:"disable_sni,omitempty"`
ServerName string `json:"server_name,omitempty"`
Insecure bool `json:"insecure,omitempty"`
ALPN []string `json:"alpn,omitempty"`
MinVersion string `json:"min_version,omitempty"`
MaxVersion string `json:"max_version,omitempty"`
CipherSuites []string `json:"cipher_suites,omitempty"`
DisableSystemRoot bool `json:"disable_system_root,omitempty"`
Certificate string `json:"certificate,omitempty"`
CertificatePath string `json:"certificate_path,omitempty"`
Enabled bool `json:"enabled,omitempty"`
DisableSNI bool `json:"disable_sni,omitempty"`
ServerName string `json:"server_name,omitempty"`
Insecure bool `json:"insecure,omitempty"`
ALPN []string `json:"alpn,omitempty"`
MinVersion string `json:"min_version,omitempty"`
MaxVersion string `json:"max_version,omitempty"`
CipherSuites []string `json:"cipher_suites,omitempty"`
Certificate string `json:"certificate,omitempty"`
CertificatePath string `json:"certificate_path,omitempty"`
}
func ParseTLSVersion(version string) (uint16, error) {

View file

@ -58,7 +58,7 @@ var warnFindProcessOnUnsupportedPlatform = warning.New(
func() bool {
return !(C.IsLinux || C.IsWindows || C.IsDarwin)
},
"route option `find_process` is only supported on Linux, Windows, and Mac OS X",
"route option `find_process` is only supported on Linux, Windows, and macOS",
)
var _ adapter.Router = (*Router)(nil)

View file

@ -11,7 +11,7 @@ import (
var warnProcessNameOnNonSupportedPlatform = warning.New(
func() bool { return !(C.IsLinux || C.IsWindows || C.IsDarwin) },
"rule item `process_item` is only supported on Linux, Windows, and Mac OS X",
"rule item `process_item` is only supported on Linux, Windows, and macOS",
)
var _ RuleItem = (*ProcessItem)(nil)