diff --git a/docs/configuration/dns/index.zh.md b/docs/configuration/dns/index.zh.md index 2b3d0db4..6b8e4d29 100644 --- a/docs/configuration/dns/index.zh.md +++ b/docs/configuration/dns/index.zh.md @@ -1,3 +1,5 @@ +# DNS + ### 结构 ```json diff --git a/docs/configuration/inbound/http.md b/docs/configuration/inbound/http.md index eac166cd..eaf26939 100644 --- a/docs/configuration/inbound/http.md +++ b/docs/configuration/inbound/http.md @@ -32,7 +32,7 @@ #### tls -TLS configuration, see [TLS inbound structure](/configuration/shared/tls/#inbound-structure). +TLS configuration, see [TLS inbound structure](/configuration/shared/tls/#inbound). #### users diff --git a/docs/configuration/inbound/hysteria.md b/docs/configuration/inbound/hysteria.md index c337c8ba..370b1ded 100644 --- a/docs/configuration/inbound/hysteria.md +++ b/docs/configuration/inbound/hysteria.md @@ -102,7 +102,7 @@ Force enabled on for systems other than Linux and Windows (according to upstream ==Required== -TLS configuration, see [TLS inbound structure](/configuration/shared/tls/#inbound-structure). +TLS configuration, see [TLS inbound structure](/configuration/shared/tls/#inbound). ### Listen Fields diff --git a/docs/configuration/inbound/naive.md b/docs/configuration/inbound/naive.md index 894776f0..4c3f9325 100644 --- a/docs/configuration/inbound/naive.md +++ b/docs/configuration/inbound/naive.md @@ -36,7 +36,7 @@ #### tls -TLS configuration, see [TLS inbound structure](/configuration/shared/tls/#inbound-structure). +TLS configuration, see [TLS inbound structure](/configuration/shared/tls/#inbound). #### users diff --git a/docs/configuration/inbound/trojan.md b/docs/configuration/inbound/trojan.md index 27f48a75..1d71d6e9 100644 --- a/docs/configuration/inbound/trojan.md +++ b/docs/configuration/inbound/trojan.md 
@@ -40,7 +40,7 @@ Trojan users. #### tls -TLS configuration, see [TLS inbound structure](/configuration/shared/tls/#inbound-structure). +TLS configuration, see [TLS inbound structure](/configuration/shared/tls/#inbound). #### fallback diff --git a/docs/configuration/inbound/vmess.md b/docs/configuration/inbound/vmess.md index eabc7f99..61e49970 100644 --- a/docs/configuration/inbound/vmess.md +++ b/docs/configuration/inbound/vmess.md @@ -46,7 +46,7 @@ VMess users. #### tls -TLS configuration, see [TLS inbound structure](/configuration/shared/tls/#inbound-structure). +TLS configuration, see [TLS inbound structure](/configuration/shared/tls/#inbound). #### transport diff --git a/docs/configuration/outbound/http.md b/docs/configuration/outbound/http.md index b7087013..6dfa7485 100644 --- a/docs/configuration/outbound/http.md +++ b/docs/configuration/outbound/http.md @@ -53,7 +53,7 @@ Basic authorization password. #### tls -TLS configuration, see [TLS outbound structure](/configuration/shared/tls/#outbound-structure). +TLS configuration, see [TLS outbound structure](/configuration/shared/tls/#outbound). ### Dial Fields diff --git a/docs/configuration/outbound/hysteria.md b/docs/configuration/outbound/hysteria.md index a398ae0e..efa6155a 100644 --- a/docs/configuration/outbound/hysteria.md +++ b/docs/configuration/outbound/hysteria.md @@ -113,7 +113,7 @@ Force enabled on for systems other than Linux and Windows (according to upstream ==Required== -TLS configuration, see [TLS outbound structure](/configuration/shared/tls/#outbound-structure). +TLS configuration, see [TLS outbound structure](/configuration/shared/tls/#outbound). #### network diff --git a/docs/configuration/outbound/trojan.md b/docs/configuration/outbound/trojan.md index 9080171d..51d37470 100644 --- a/docs/configuration/outbound/trojan.md +++ b/docs/configuration/outbound/trojan.md 
@@ -59,7 +59,7 @@ Both is enabled by default. #### tls -TLS configuration, see [TLS outbound structure](/configuration/shared/tls/#outbound-structure). +TLS configuration, see [TLS outbound structure](/configuration/shared/tls/#outbound). #### multiplex diff --git a/docs/configuration/outbound/vmess.md b/docs/configuration/outbound/vmess.md index 67ac7e8a..07ada644 100644 --- a/docs/configuration/outbound/vmess.md +++ b/docs/configuration/outbound/vmess.md @@ -93,7 +93,7 @@ Both is enabled by default. #### tls -TLS configuration, see [TLS outbound structure](/configuration/shared/tls/#outbound-structure). +TLS configuration, see [TLS outbound structure](/configuration/shared/tls/#outbound). #### multiplex diff --git a/docs/configuration/shared/multiplex.zh.md b/docs/configuration/shared/multiplex.zh.md new file mode 100644 index 00000000..aa85064f --- /dev/null +++ b/docs/configuration/shared/multiplex.zh.md @@ -0,0 +1,50 @@ +### 服务器要求 + +`sing-box` :) + +### 结构 + +```json +{ + "enabled": true, + "protocol": "smux", + "max_connections": 4, + "min_streams": 4, + "max_streams": 0 +} +``` + +### 字段 + +#### enabled + +启用多路复用 + +#### protocol + +多路复用协议 + +| 协议 | 描述 | +|-------|------------------------------------| +| smux | https://github.com/xtaci/smux | +| yamux | https://github.com/hashicorp/yamux | + +默认使用 SMux. + +#### max_connections + +最大连接数量 + +与 `max_streams` 冲突. + +#### min_streams + +在打开新连接之前,连接中的最小多路复用流数量 + +与 `max_streams` 冲突. + +#### max_streams + +在打开新连接之前,连接中的最大多路复用流数量 + +与 `max_connections` 和 `min_streams` 冲突. \ No newline at end of file diff --git a/docs/configuration/shared/tls.md b/docs/configuration/shared/tls.md index 666c61df..a72af3ad 100644 --- a/docs/configuration/shared/tls.md +++ b/docs/configuration/shared/tls.md @@ -1,4 +1,4 @@ -### Inbound Structure +### Inbound ```json { @@ -34,7 +34,7 @@ ACME is not included by default, see [Installation](/#installation). -### Outbound Structure +### Outbound ```json { 
@@ -115,20 +115,13 @@ See [Application-Layer Protocol Negotiation](https://en.wikipedia.org/wiki/Appli The minimum TLS version that is acceptable. By default, TLS 1.2 is currently used as the minimum when acting as a -client, and TLS 1.0 when acting as a server. TLS 1.0 is the minimum -supported by this package, both as a client and as a server. - -The client-side default can temporarily be reverted to TLS 1.0 by -including the value "x509sha1=1" in the GODEBUG environment variable. -Note that this option will be removed in Go 1.19 (but it will still be -possible to set this field to VersionTLS10 explicitly). +client, and TLS 1.0 when acting as a server. #### max_version The maximum TLS version that is acceptable. -By default, the maximum version supported by this package is used, -which is currently TLS 1.3. +By default, the maximum version is currently TLS 1.3. #### cipher_suites diff --git a/docs/configuration/shared/tls.zh.md b/docs/configuration/shared/tls.zh.md new file mode 100644 index 00000000..41eda2af --- /dev/null +++ b/docs/configuration/shared/tls.zh.md 
@@ -0,0 +1,219 @@ +### 入站 + +```json +{ + "enabled": true, + "server_name": "", + "alpn": [], + "min_version": "", + "max_version": "", + "cipher_suites": [], + "certificate": "", + "certificate_path": "", + "key": "", + "key_path": "", + "acme": { + "domain": [], + "data_directory": "", + "default_server_name": "", + "email": "", + "provider": "", + "disable_http_challenge": false, + "disable_tls_alpn_challenge": false, + "alternative_http_port": 0, + "alternative_tls_port": 0, + "external_account": { + "key_id": "", + "mac_key": "" + } + } +} +``` + +!!! warning "" + + 默认安装不包括 ACME, 参阅 [安装](/zh/#installation). + +### 出站 + +```json +{ + "enabled": true, + "server_name": "", + "insecure": false, + "alpn": [], + "min_version": "", + "max_version": "", + "cipher_suites": [], + "certificate": "", + "certificate_path": "" +} +``` + +TLS 版本值: + +* `1.0` +* `1.1` +* `1.2` +* `1.3` + +密码套件值: + +* `TLS_RSA_WITH_AES_128_CBC_SHA` +* `TLS_RSA_WITH_AES_256_CBC_SHA` +* `TLS_RSA_WITH_AES_128_GCM_SHA256` +* `TLS_RSA_WITH_AES_256_GCM_SHA384` +* `TLS_AES_128_GCM_SHA256` +* `TLS_AES_256_GCM_SHA384` +* `TLS_CHACHA20_POLY1305_SHA256` +* `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA` +* `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA` +* `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` +* `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA` +* `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` +* `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` +* `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` +* `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` +* `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` +* `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` + +!!! note "" + + 当内容只有一项时,可以忽略 JSON 数组 [] 标签 + +### 字段 + +#### enabled + +启用 TLS + +#### server_name + +用于验证返回证书上的主机名,除非设置不安全。 + +它还包含在 ClientHello 中以支持虚拟主机,除非它是 IP 地址。 + +检阅 [Server Name Indication](https://en.wikipedia.org/wiki/Server_Name_Indication). 
+ +#### insecure + +==仅客户端== + +接受任何服务器证书 + +#### alpn + +支持的应用层协议协商列表,按优先顺序排列。 + +如果两个对等点都支持 ALPN,则选择的协议将是此列表中的一个,如果没有相互支持的协议则连接将失败。 + +检阅 [Application-Layer Protocol Negotiation](https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation). + +#### min_version + +可接受的最低 TLS 版本。 + +默认情况下,当前使用 TLS 1.2 作为客户端的最低要求。作为服务器时使用 TLS 1.0. + +#### max_version + +可接受的最大 TLS 版本。 + +默认情况下,当前最高版本为 TLS 1.3。 + +#### cipher_suites + +将在 ECDHE 握手中使用的椭圆曲线,按优先顺序排列。 + +如果为空,将使用默认值。 + +客户端将使用第一个首选项作为其在 TLS 1.3 中的密钥共享类型。 +这在未来可能会改变。 + +#### certificate + +服务器 PEM 证书 + +#### certificate_path + +服务器 PEM 证书路径 + +#### key + +==仅服务器== + +服务器 PEM 私钥 + +#### key_path + +==仅服务器== + +服务器 PEM 私钥路径 + +### ACME 字段 + +#### domain + +一组域名。 + +如果为空,将禁用 ACME。 + +#### data_directory + +ACME 数据目录。 + +如果为空,则使用 `$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic`。 + +#### default_server_name + +如果 ClientHello 的 ServerName 字段为空,则选择证书时要使用的服务器名称。 + +#### email + +创建或选择现有 ACME 服务器帐户时使用的电子邮件地址。 + +#### provider + +要使用的 ACME CA 供应商。 + +| 值 | 供应商 | +|--------------------|---------------| +| `letsencrypt (默认)` | Let's Encrypt | +| `zerossl` | ZeroSSL | +| `https://...` | 自定义 | + +#### disable_http_challenge + +禁用所有 HTTP 质询。 + +#### disable_tls_alpn_challenge + +禁用所有 TLS-ALPN 质询。 + +#### alternative_http_port + +用于 ACME HTTP 质询的备用端口;如果非空,将使用此端口而不是 80 来启动 HTTP 质询的侦听器。 + +#### alternative_tls_port + +用于 ACME TLS-ALPN 质询的备用端口; 系统必须将 443 转发到此端口以使质询成功。 + +### Reload + +对于服务器配置,如果修改,证书和密钥将自动重新加载。 + +#### external_account + +EAB(外部帐户绑定)包含将 ACME 帐户绑定或映射到其他已知帐户所需的信息由 CA。 + +外部帐户绑定“用于将 ACME 帐户与非 ACME 系统中的现有帐户相关联,例如 CA 客户数据库。 + +为了启用 ACME 帐户绑定,运行 ACME 服务器的 CA 需要向 ACME 客户端提供 MAC 密钥和密钥标识符,使用 ACME 之外的一些机制。 §7.3.4 + +#### external_account.key_id + +密钥标识符 + +#### external_account.mac_key + +MAC 密钥 \ No newline at end of file diff --git a/docs/configuration/shared/v2ray-transport.zh.md b/docs/configuration/shared/v2ray-transport.zh.md new file mode 100644 index 00000000..8c243168 --- /dev/null 
+++ b/docs/configuration/shared/v2ray-transport.zh.md @@ -0,0 +1,130 @@ +V2Ray Transport 是 v2ray 发明的一组私有协议,并污染了其他协议的名称,如 clash 中的 `trojan-grpc`。 + +### 结构 + +```json +{ + "type": "" +} +``` + +可用的传输协议: + +* HTTP +* WebSocket +* QUIC +* gRPC + +!!! warning "与 v2ray-core 的区别" + + * 没有 TCP 传输层, 纯 HTTP 已合并到 HTTP 传输层。 + * 没有 mKCP 传输层。 + * 没有 DomainSocket 传输层。 + +!!! note + + 当内容只有一项时,可以忽略 JSON 数组 [] 标签 + +### HTTP + +```json +{ + "type": "http", + "host": [], + "path": "", + "method": "", + "headers": {} +} +``` + +!!! warning "与 v2ray-core 的区别" + + 不强制执行 TLS。 如果未配置 TLS,则使用纯 HTTP 1.1。 + +#### host + +主机域名列表。 + +客户端将随机选择,如果不为空,服务器将验证。 + +#### path + +HTTP 请求路径 + +如果不为空,服务器将验证。 + +#### method + +HTTP 请求方法 + +如果不为空,服务器将验证。 + +#### headers + +HTTP 请求的额外标头 + +如果不为空,服务器将写入响应。 + +### WebSocket + +```json +{ + "type": "ws", + "path": "", + "headers": {}, + "max_early_data": 0, + "early_data_header_name": "" +} +``` + +#### path + +HTTP 请求路径 + +如果不为空,服务器将验证。 + +#### headers + +HTTP 请求的额外标头 + +#### max_early_data + +请求中允许的最大有效负载大小。 如果不为零则启用。 + +#### early_data_header_name + +默认情况下,早期数据在路径而不是标头中发送。 + +要与 Xray-core 兼容,请将其设置为 `Sec-WebSocket-Protocol`。 + +它需要与服务器保持一致。 + +### QUIC + +```json +{ + "type": "quic" +} +``` + +!!! warning "与 v2ray-core 的区别" + + 没有额外的加密支持: + 它基本上是重复加密。 并且 Xray-core 在这里与 v2ray-core 不兼容。 + +### gRPC + +!!! warning "" + + 默认安装不包括 gRPC, 参阅 [安装](/zh/#installation). + +```json +{ + "type": "grpc", + "service_name": "TunService" +} +``` + +#### service_name + +gRPC 服务名称 \ No newline at end of file diff --git a/docs/index.zh.md b/docs/index.zh.md index 7fd3d1ca..29341b55 100644 --- a/docs/index.zh.md +++ b/docs/index.zh.md 
@@ -21,7 +21,7 @@ go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@lat | 构建标志 | 描述 | |------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `with_quic` | 启用 QUIC 支持, 参阅 [QUIC 和 HTTP3 DNS 传输层](./configuration/dns/server), [Naive 入站](./configuration/inbound/naive), [Hysteria 入站](./configuration/inbound/hysteria) 和 [Hysteria 出站](./configuration/outbound/hysteria). | -| `with_grpc` | 启用 gRPC 之后, 参阅 [V2Ray 传输层#gRPC](/configuration/shared/v2ray-transport#grpc). | +| `with_grpc` | 启用 gRPC 支持, 参阅 [V2Ray 传输层#gRPC](/configuration/shared/v2ray-transport#grpc). | | `with_wireguard` | 启用 WireGuard 支持, 参阅 [WireGuard 出站](./configuration/outbound/wireguard). | | `with_acme` | 启用 ACME TLS 证书签发支持, 参阅 [TLS](./configuration/shared/tls). | | `with_clash_api` | 启用 Clash api 支持, 参阅 [实验性](./configuration/experimental#clash-api-fields). | diff --git a/mkdocs.yml b/mkdocs.yml index 432a3b0a..36331602 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -144,7 +144,7 @@ plugins: Protocol Sniff: 协议探测 Experimental: 实验性 Shared: 通用 - Multiple: 多路复用 + Multiplex: 多路复用 V2Ray Transport: V2Ray 传输层 Inbound: 入站 Outbound: 出站
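Review bot: the added `# DNS` H1 makes docs/configuration/dns/index.zh.md the only zh page touched by this diff that carries a top-level title; the new multiplex.zh.md, tls.zh.md and v2ray-transport.zh.md all start directly at `### ...` headings. Either give the other new pages matching H1 titles or drop this one and let the mkdocs nav (which this diff also edits) supply the page title, so the rendered zh pages look alike.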
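Review bot: multiplex.zh.md is committed without a trailing newline (`\ No newline at end of file`), and the same applies to the new tls.zh.md and v2ray-transport.zh.md; add one to each so later edits do not produce noisy diffs on the last line. The field text itself is consistent: the 冲突 notes on `max_connections`, `min_streams` and `max_streams` agree with each other, and the example JSON only combines the two fields that do not conflict.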
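Review bot: renaming `### Inbound Structure` and `### Outbound Structure` to `### Inbound` and `### Outbound` changes the generated anchors, so every existing link to `#inbound-structure` or `#outbound-structure` breaks; this diff updates the English inbound and outbound pages but nothing else. Grep the rest of the docs for the old anchors before merging, and be aware that any external bookmarks to the old anchors will also go stale; if that matters, keep the old headings and point the updated links at them instead.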
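Review bot: dropping the GODEBUG paragraph is right, since it described a knob of Go's crypto/tls package rather than anything a sing-box user configures, but the sentence that remains still advertises TLS 1.0 as the server-side default without comment. Consider adding one line after it recommending `"min_version": "1.2"` for inbounds, so readers do not mistake the compatibility default for a hardened one; the same applies to the equivalent min_version text in the new tls.zh.md. The max_version edit reads fine.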
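Review bot: the `#### cipher_suites` description in tls.zh.md is wrong: 「将在 ECDHE 握手中使用的椭圆曲线,按优先顺序排列 ... 客户端将使用第一个首选项作为其在 TLS 1.3 中的密钥共享类型」 describes curve preferences for the ECDHE key exchange, not a cipher-suite list, so it does not match the 密码套件值 list documented above it; replace it with a description of the cipher suite preference list and what an empty value means. Two smaller points in the same file: `### Reload` is an untranslated H3 dropped between `alternative_tls_port` and `external_account`, which splits the ACME 字段 section in two, so translate it and move it after `external_account.mac_key`; and the `external_account` paragraphs have a misplaced 「由 CA」 at the end of the first sentence, an unclosed quotation mark (外部帐户绑定“用于...) and a dangling `§7.3.4` with no indication of which specification it cites.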
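Review bot: the admonition style is inconsistent inside v2ray-transport.zh.md and against tls.zh.md: the JSON-array note here is written `!!! note` (which renders with a default "Note" title) while the identical note in tls.zh.md uses `!!! note ""` (no title); pick one form. Also, the gRPC section places its `!!! warning ""` build note before the JSON block while the HTTP, WebSocket and QUIC sections put the structure first; ordering them the same way makes the page easier to scan.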
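Review bot: the wording fix (之后 → 支持) is correct, but the `with_grpc` row still links with a site-absolute path `/configuration/shared/v2ray-transport#grpc` while every other row in the table uses a relative `./configuration/...` path, and the new zh pages in this diff address the zh site as `/zh/#installation`; on the zh site the absolute path resolves to the English page. Use `./configuration/shared/v2ray-transport#grpc` like the other rows.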