First Commit

CN-JS-HuiBai
2026-04-14 22:41:14 +08:00
commit 9f867b19da
1086 changed files with 147554 additions and 0 deletions

@@ -0,0 +1,59 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [Chrome Root Store](#store)
# Certificate
### Structure
```json
{
"store": "",
"certificate": [],
"certificate_path": [],
"certificate_directory_path": []
}
```
!!! note ""
You can ignore the JSON Array [] tag when the content is only one item
### Fields
#### store
The default X509 trusted CA certificate list.
| Type | Description |
|--------------------|----------------------------------------------------------------------------------------------------------------|
| `system` (default) | System trusted CA certificates |
| `mozilla` | [Mozilla Included List](https://wiki.mozilla.org/CA/Included_Certificates) with China CA certificates removed |
| `chrome` | [Chrome Root Store](https://g.co/chrome/root-policy) with China CA certificates removed |
| `none` | Empty list |
#### certificate
The certificate line array to trust, in PEM format.
#### certificate_path
!!! note ""
Will be automatically reloaded if file modified.
The paths to certificates to trust, in PEM format.
#### certificate_directory_path
!!! note ""
Will be automatically reloaded if file modified.
The directory path to search for certificates to trust,in PEM format.
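
Review bot: The Fields section never says how `store` combines with `certificate`, `certificate_path` and `certificate_directory_path`: are the listed certificates added to the selected store, or do they replace it? The `none` row ("Empty list") suggests they are additive, but anyone configuring a pinned trust set needs that stated outright, so add one sentence under `store`. Also, the last line reads `trust,in PEM format` and is missing the space after the comma.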

@@ -0,0 +1,59 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [Chrome Root Store](#store)
# 证书
### 结构
```json
{
"store": "",
"certificate": [],
"certificate_path": [],
"certificate_directory_path": []
}
```
!!! note ""
当内容只有一项时,可以忽略 JSON 数组 [] 标签
### 字段
#### store
默认的 X509 受信任 CA 证书列表。
| 类型 | 描述 |
|-------------------|--------------------------------------------------------------------------------------------|
| `system`(默认) | 系统受信任的 CA 证书 |
| `mozilla` | [Mozilla 包含列表](https://wiki.mozilla.org/CA/Included_Certificates)(已移除中国 CA 证书) |
| `chrome` | [Chrome Root Store](https://g.co/chrome/root-policy)(已移除中国 CA 证书) |
| `none` | 空列表 |
#### certificate
要信任的证书行数组PEM 格式。
#### certificate_path
!!! note ""
文件修改时将自动重新加载。
要信任的证书路径PEM 格式。
#### certificate_directory_path
!!! note ""
文件修改时将自动重新加载。
搜索要信任的证书的目录路径PEM 格式。
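
Review bot: The two reload notes (`文件修改时将自动重新加载`, under `certificate_path` and `certificate_directory_path`) do not say what happens when the modified file no longer parses as PEM or has been deleted. These files define trust anchors, so state whether the previously loaded set is kept or dropped in that case, and carry the same sentence over to the English page.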

@@ -0,0 +1,31 @@
---
icon: material/note-remove
---
!!! failure "Removed in sing-box 1.14.0"
Legacy fake-ip configuration is deprecated in sing-box 1.12.0 and removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-server-formats).
### Structure
```json
{
"enabled": true,
"inet4_range": "198.18.0.0/15",
"inet6_range": "fc00::/18"
}
```
### Fields
#### enabled
Enable FakeIP service.
#### inet4_range
IPv4 address range for FakeIP.
#### inet6_range
IPv6 address range for FakeIP.
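
Review bot: The notice at the top says the legacy configuration is removed in sing-box 1.14.0, but the page then documents `enabled`, `inet4_range` and `inet6_range` as if they still apply, and nothing says how a 1.14.0 build treats a config that still carries this block. Add a sentence on whether such a config is rejected at load or the block is ignored, so operators know what to expect when upgrading.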

@@ -0,0 +1,31 @@
---
icon: material/note-remove
---
!!! failure "已在 sing-box 1.14.0 移除"
旧的 fake-ip 配置已在 sing-box 1.12.0 废弃且已在 sing-box 1.14.0 中被移除,参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。
### 结构
```json
{
"enabled": true,
"inet4_range": "198.18.0.0/15",
"inet6_range": "fc00::/18"
}
```
### 字段
#### enabled
启用 FakeIP 服务。
#### inet4_range
用于 FakeIP 的 IPv4 地址范围。
#### inet6_range
用于 FakeIP 的 IPv6 地址范围。

@@ -0,0 +1,133 @@
---
icon: material/alert-decagram
---
!!! quote "Changes in sing-box 1.14.0"
:material-delete-clock: [independent_cache](#independent_cache)
:material-plus: [optimistic](#optimistic)
!!! quote "Changes in sing-box 1.12.0"
:material-decagram: [servers](#servers)
!!! quote "Changes in sing-box 1.11.0"
:material-plus: [cache_capacity](#cache_capacity)
# DNS
### Structure
```json
{
"dns": {
"servers": [],
"rules": [],
"final": "",
"strategy": "",
"disable_cache": false,
"disable_expire": false,
"independent_cache": false,
"cache_capacity": 0,
"optimistic": false, // or {}
"reverse_mapping": false,
"client_subnet": "",
"fakeip": {}
}
}
```
### Fields
| Key | Format |
|----------|---------------------------------|
| `server` | List of [DNS Server](./server/) |
| `rules` | List of [DNS Rule](./rule/) |
| `fakeip` | :material-note-remove: [FakeIP](./fakeip/) |
#### final
Default dns server tag.
The first server will be used if empty.
#### strategy
Default domain strategy for resolving the domain names.
One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
#### disable_cache
Disable dns cache.
Conflict with `optimistic`.
#### disable_expire
Disable dns cache expire.
Conflict with `optimistic`.
#### independent_cache
!!! failure "Deprecated in sing-box 1.14.0"
`independent_cache` is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-independent-dns-cache).
Make each DNS server's cache independent for special purposes. If enabled, will slightly degrade performance.
#### cache_capacity
!!! question "Since sing-box 1.11.0"
LRU cache capacity.
Value less than 1024 will be ignored.
#### optimistic
!!! question "Since sing-box 1.14.0"
Enable optimistic DNS caching. When a cached DNS entry has expired but is still within the timeout window,
the stale response is returned immediately while a background refresh is triggered.
Conflict with `disable_cache` and `disable_expire`.
Accepts a boolean or an object. When set to `true`, the default timeout of `3d` is used.
```json
{
"enabled": true,
"timeout": "3d"
}
```
##### enabled
Enable optimistic DNS caching.
##### timeout
The maximum time an expired cache entry can be served optimistically.
`3d` is used by default.
#### reverse_mapping
Stores a reverse mapping of IP addresses after responding to a DNS query in order to provide domain names when routing.
Since this process relies on the act of resolving domain names by an application before making a request, it can be
problematic in environments such as macOS, where DNS is proxied and cached by the system.
#### client_subnet
!!! question "Since sing-box 1.9.0"
Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
Can be overridden by `servers.[].client_subnet` or `rules.[].client_subnet`.
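
Review bot: The `independent_cache` notice contradicts itself: its title says "Deprecated in sing-box 1.14.0" while its body says the option "will be removed in sing-box 1.14.0". The Chinese page in this same commit gives 1.16.0 as the removal version, so one of the two is wrong; align them. Separately, the `optimistic` section should state that with the default `3d` timeout a client can be handed an answer up to three days after the entry expired, which matters when a record was changed to move traffic off a host.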

@@ -0,0 +1,135 @@
---
icon: material/alert-decagram
---
!!! quote "sing-box 1.14.0 中的更改"
:material-delete-clock: [independent_cache](#independent_cache)
:material-plus: [optimistic](#optimistic)
!!! quote "sing-box 1.12.0 中的更改"
:material-decagram: [servers](#servers)
!!! quote "sing-box 1.11.0 中的更改"
:material-plus: [cache_capacity](#cache_capacity)
# DNS
### 结构
```json
{
"dns": {
"servers": [],
"rules": [],
"final": "",
"strategy": "",
"disable_cache": false,
"disable_expire": false,
"independent_cache": false,
"cache_capacity": 0,
"optimistic": false, // or {}
"reverse_mapping": false,
"client_subnet": "",
"fakeip": {}
}
}
```
### 字段
| 键 | 格式 |
|----------|-------------------------|
| `server` | 一组 [DNS 服务器](./server/) |
| `rules` | 一组 [DNS 规则](./rule/) |
#### final
默认 DNS 服务器的标签。
默认使用第一个服务器。
#### strategy
默认解析域名策略。
可选值: `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`
#### disable_cache
禁用 DNS 缓存。
`optimistic` 冲突。
#### disable_expire
禁用 DNS 缓存过期。
`optimistic` 冲突。
#### independent_cache
!!! failure "已在 sing-box 1.14.0 废弃"
`independent_cache` 已在 sing-box 1.14.0 废弃,且将在 sing-box 1.16.0 中被移除,参阅[迁移指南](/zh/migration/#迁移-independent-dns-cache)。
使每个 DNS 服务器的缓存独立,以满足特殊目的。如果启用,将轻微降低性能。
#### cache_capacity
!!! question "自 sing-box 1.11.0 起"
LRU 缓存容量。
小于 1024 的值将被忽略。
#### optimistic
!!! question "自 sing-box 1.14.0 起"
启用乐观 DNS 缓存。当缓存的 DNS 条目已过期但仍在超时窗口内时,
立即返回过期的响应,同时在后台触发刷新。
`disable_cache``disable_expire` 冲突。
接受布尔值或对象。当设置为 `true` 时,使用默认超时 `3d`
```json
{
"enabled": true,
"timeout": "3d"
}
```
##### enabled
启用乐观 DNS 缓存。
##### timeout
过期缓存条目可被乐观提供的最长时间。
默认使用 `3d`
#### reverse_mapping
在响应 DNS 查询后存储 IP 地址的反向映射以为路由目的提供域名。
由于此过程依赖于应用程序在发出请求之前解析域名的行为,因此在 macOS 等 DNS 由系统代理和缓存的环境中可能会出现问题。
#### client_subnet
!!! question "自 sing-box 1.9.0 起"
默认情况下,将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
如果值是 IP 地址而不是前缀,则会自动附加 `/32``/128`
可以被 `servers.[].client_subnet``rules.[].client_subnet` 覆盖。
#### fakeip :material-note-remove:
[FakeIP](./fakeip/) 设置。
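
Review bot: The first row of the 字段 table names the key `server`, but the structure block above it and the `#servers` anchor in the change list both use `servers`. Rename the row to `servers` (the English page has the same mismatch). This page also documents `fakeip` in its own section at the end while the English page lists it as a table row; pick one layout for both.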

@@ -0,0 +1,699 @@
---
icon: material/alert-decagram
---
!!! quote "Changes in sing-box 1.14.0"
:material-plus: [source_mac_address](#source_mac_address)
:material-plus: [source_hostname](#source_hostname)
:material-plus: [match_response](#match_response)
:material-delete-clock: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)
:material-plus: [response_rcode](#response_rcode)
:material-plus: [response_answer](#response_answer)
:material-plus: [response_ns](#response_ns)
:material-plus: [response_extra](#response_extra)
:material-plus: [package_name_regex](#package_name_regex)
:material-alert: [ip_version](#ip_version)
:material-alert: [query_type](#query_type)
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [interface_address](#interface_address)
:material-plus: [network_interface_address](#network_interface_address)
:material-plus: [default_interface_address](#default_interface_address)
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [ip_accept_any](#ip_accept_any)
:material-delete-clock: [outbound](#outbound)
!!! quote "Changes in sing-box 1.11.0"
:material-plus: [action](#action)
:material-alert: [server](#server)
:material-alert: [disable_cache](#disable_cache)
:material-alert: [rewrite_ttl](#rewrite_ttl)
:material-alert: [client_subnet](#client_subnet)
:material-plus: [network_type](#network_type)
:material-plus: [network_is_expensive](#network_is_expensive)
:material-plus: [network_is_constrained](#network_is_constrained)
!!! quote "Changes in sing-box 1.10.0"
:material-delete-clock: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)
:material-plus: [rule_set_ip_cidr_match_source](#rule_set_ip_cidr_match_source)
:material-plus: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)
:material-plus: [process_path_regex](#process_path_regex)
!!! quote "Changes in sing-box 1.9.0"
:material-plus: [geoip](#geoip)
:material-plus: [ip_cidr](#ip_cidr)
:material-plus: [ip_is_private](#ip_is_private)
:material-plus: [client_subnet](#client_subnet)
:material-plus: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)
!!! quote "Changes in sing-box 1.8.0"
:material-plus: [rule_set](#rule_set)
:material-plus: [source_ip_is_private](#source_ip_is_private)
:material-delete-clock: [geoip](#geoip)
:material-delete-clock: [geosite](#geosite)
### Structure
```json
{
"dns": {
"rules": [
{
"inbound": [
"mixed-in"
],
"ip_version": 6,
"query_type": [
"A",
"HTTPS",
32768
],
"network": "tcp",
"auth_user": [
"usera",
"userb"
],
"protocol": [
"tls",
"http",
"quic"
],
"domain": [
"test.com"
],
"domain_suffix": [
".cn"
],
"domain_keyword": [
"test"
],
"domain_regex": [
"^stun\\..+"
],
"source_ip_cidr": [
"10.0.0.0/24",
"192.168.0.1"
],
"source_ip_is_private": false,
"source_port": [
12345
],
"source_port_range": [
"1000:2000",
":3000",
"4000:"
],
"port": [
80,
443
],
"port_range": [
"1000:2000",
":3000",
"4000:"
],
"process_name": [
"curl"
],
"process_path": [
"/usr/bin/curl"
],
"process_path_regex": [
"^/usr/bin/.+"
],
"package_name": [
"com.termux"
],
"package_name_regex": [
"^com\\.termux.*"
],
"user": [
"sekai"
],
"user_id": [
1000
],
"clash_mode": "direct",
"network_type": [
"wifi"
],
"network_is_expensive": false,
"network_is_constrained": false,
"interface_address": {
"en0": [
"2000::/3"
]
},
"network_interface_address": {
"wifi": [
"2000::/3"
]
},
"default_interface_address": [
"2000::/3"
],
"source_mac_address": [
"00:11:22:33:44:55"
],
"source_hostname": [
"my-device"
],
"wifi_ssid": [
"My WIFI"
],
"wifi_bssid": [
"00:00:00:00:00:00"
],
"rule_set": [
"geoip-cn",
"geosite-cn"
],
"rule_set_ip_cidr_match_source": false,
"match_response": false,
"ip_cidr": [
"10.0.0.0/24",
"192.168.0.1"
],
"ip_is_private": false,
"ip_accept_any": false,
"response_rcode": "",
"response_answer": [],
"response_ns": [],
"response_extra": [],
"invert": false,
"outbound": [
"direct"
],
"action": "route",
"server": "local",
// Deprecated
"rule_set_ip_cidr_accept_empty": false,
"rule_set_ipcidr_match_source": false,
"geosite": [
"cn"
],
"source_geoip": [
"private"
],
"geoip": [
"cn"
]
},
{
"type": "logical",
"mode": "and",
"rules": [],
"action": "route",
"server": "local"
}
]
}
}
```
!!! note ""
You can ignore the JSON Array [] tag when the content is only one item
### Default Fields
!!! note ""
The default rule uses the following matching logic:
(`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite`) &&
(`port` || `port_range`) &&
(`source_geoip` || `source_ip_cidr` `source_ip_is_private`) &&
(`source_port` || `source_port_range`) &&
`other fields`
Additionally, each branch inside an included rule-set can be considered merged into the outer rule, while different branches keep OR semantics.
#### inbound
Tags of [Inbound](/configuration/inbound/).
#### ip_version
!!! quote "Changes in sing-box 1.14.0"
This field now also applies when a DNS rule is matched from an internal
domain resolution that does not target a specific DNS server, such as a
[`resolve`](../../route/rule_action/#resolve) route rule action without a
`server` set. In earlier versions, only DNS queries received from a
client evaluated this field. See
[Migration](/migration/#ip_version-and-query_type-behavior-changes-in-dns-rules)
for the full list.
Setting this field makes the DNS rule incompatible in the same DNS
configuration with Legacy Address Filter Fields in DNS rules, the Legacy
`strategy` DNS rule action option, and the Legacy
`rule_set_ip_cidr_accept_empty` DNS rule item. To combine with
address-based filtering, use the [`evaluate`](../rule_action/#evaluate)
action and [`match_response`](#match_response).
4 (A DNS query) or 6 (AAAA DNS query).
Not limited if empty.
#### query_type
!!! quote "Changes in sing-box 1.14.0"
This field now also applies when a DNS rule is matched from an internal
domain resolution that does not target a specific DNS server, such as a
[`resolve`](../../route/rule_action/#resolve) route rule action without a
`server` set. In earlier versions, only DNS queries received from a
client evaluated this field. See
[Migration](/migration/#ip_version-and-query_type-behavior-changes-in-dns-rules)
for the full list.
Setting this field makes the DNS rule incompatible in the same DNS
configuration with Legacy Address Filter Fields in DNS rules, the Legacy
`strategy` DNS rule action option, and the Legacy
`rule_set_ip_cidr_accept_empty` DNS rule item. To combine with
address-based filtering, use the [`evaluate`](../rule_action/#evaluate)
action and [`match_response`](#match_response).
DNS query type. Values can be integers or type name strings.
#### network
`tcp` or `udp`.
#### auth_user
Username, see each inbound for details.
#### protocol
Sniffed protocol, see [Sniff](/configuration/route/sniff/) for details.
#### domain
Match full domain.
#### domain_suffix
Match domain suffix.
#### domain_keyword
Match domain using keyword.
#### domain_regex
Match domain using regular expression.
#### geosite
!!! failure "Deprecated in sing-box 1.8.0"
Geosite is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geosite-to-rule-sets).
Match geosite.
#### source_geoip
!!! failure "Deprecated in sing-box 1.8.0"
GeoIP is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).
Match source geoip.
#### source_ip_cidr
Match source IP CIDR.
#### source_ip_is_private
!!! question "Since sing-box 1.8.0"
Match non-public source IP.
#### source_port
Match source port.
#### source_port_range
Match source port range.
#### port
Match port.
#### port_range
Match port range.
#### process_name
!!! quote ""
Only supported on Linux, Windows, and macOS.
Match process name.
#### process_path
!!! quote ""
Only supported on Linux, Windows, and macOS.
Match process path.
#### process_path_regex
!!! question "Since sing-box 1.10.0"
!!! quote ""
Only supported on Linux, Windows, and macOS.
Match process path using regular expression.
#### package_name
Match android package name.
#### package_name_regex
!!! question "Since sing-box 1.14.0"
Match android package name using regular expression.
#### user
!!! quote ""
Only supported on Linux.
Match user name.
#### user_id
!!! quote ""
Only supported on Linux.
Match user id.
#### clash_mode
Match Clash mode.
#### network_type
!!! question "Since sing-box 1.11.0"
!!! quote ""
Only supported in graphical clients on Android and Apple platforms.
Match network type.
Available values: `wifi`, `cellular`, `ethernet` and `other`.
#### network_is_expensive
!!! question "Since sing-box 1.11.0"
!!! quote ""
Only supported in graphical clients on Android and Apple platforms.
Match if network is considered Metered (on Android) or considered expensive,
such as Cellular or a Personal Hotspot (on Apple platforms).
#### network_is_constrained
!!! question "Since sing-box 1.11.0"
!!! quote ""
Only supported in graphical clients on Apple platforms.
Match if network is in Low Data Mode.
#### interface_address
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported on Linux, Windows, and macOS.
Match interface address.
#### network_interface_address
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported in graphical clients on Android and Apple platforms.
Matches network interface (same values as `network_type`) address.
#### default_interface_address
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported on Linux, Windows, and macOS.
Match default interface address.
#### source_mac_address
!!! question "Since sing-box 1.14.0"
!!! quote ""
Only supported on Linux, macOS, or in graphical clients on Android and macOS. See [Neighbor Resolution](/configuration/shared/neighbor/) for setup.
Match source device MAC address.
#### source_hostname
!!! question "Since sing-box 1.14.0"
!!! quote ""
Only supported on Linux, macOS, or in graphical clients on Android and macOS. See [Neighbor Resolution](/configuration/shared/neighbor/) for setup.
Match source device hostname from DHCP leases.
#### wifi_ssid
!!! quote ""
Only supported in graphical clients on Android and Apple platforms, or on Linux.
Match WiFi SSID.
#### wifi_bssid
!!! quote ""
Only supported in graphical clients on Android and Apple platforms, or on Linux.
Match WiFi BSSID.
#### rule_set
!!! question "Since sing-box 1.8.0"
Match [rule-set](/configuration/route/#rule_set).
#### rule_set_ipcidr_match_source
!!! question "Since sing-box 1.9.0"
!!! failure "Deprecated in sing-box 1.10.0"
`rule_set_ipcidr_match_source` is renamed to `rule_set_ip_cidr_match_source` and will be remove in sing-box 1.11.0.
Make `ip_cidr` rule items in rule-sets match the source IP.
#### rule_set_ip_cidr_match_source
!!! question "Since sing-box 1.10.0"
Make `ip_cidr` rule items in rule-sets match the source IP.
#### match_response
!!! question "Since sing-box 1.14.0"
Enable response-based matching. When enabled, this rule matches against the evaluated response
(set by a preceding [`evaluate`](/configuration/dns/rule_action/#evaluate) action)
instead of only matching the original query.
The evaluated response can also be returned directly by a later [`respond`](/configuration/dns/rule_action/#respond) action.
Required for Response Match Fields (`response_rcode`, `response_answer`, `response_ns`, `response_extra`).
Also required for `ip_cidr`, `ip_is_private`, and `ip_accept_any` when used with `evaluate` or Response Match Fields.
#### ip_accept_any
!!! question "Since sing-box 1.12.0"
Match when the DNS query response contains at least one address.
#### invert
Invert match result.
#### outbound
!!! failure "Deprecated in sing-box 1.12.0"
`outbound` rule items are deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-outbound-dns-rule-items-to-domain-resolver).
Match outbound.
`any` can be used as a value to match any outbound.
#### action
==Required==
See [DNS Rule Actions](../rule_action/) for details.
#### server
!!! failure "Deprecated in sing-box 1.11.0"
Moved to [DNS Rule Action](../rule_action#route).
#### disable_cache
!!! failure "Deprecated in sing-box 1.11.0"
Moved to [DNS Rule Action](../rule_action#route).
#### rewrite_ttl
!!! failure "Deprecated in sing-box 1.11.0"
Moved to [DNS Rule Action](../rule_action#route).
#### client_subnet
!!! failure "Deprecated in sing-box 1.11.0"
Moved to [DNS Rule Action](../rule_action#route).
### Legacy Address Filter Fields
!!! failure "Deprecated in sing-box 1.14.0"
Legacy Address Filter Fields are deprecated and will be removed in sing-box 1.16.0,
check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
Only takes effect for address requests (A/AAAA/HTTPS). When the query results do not match the address filtering rule items, the current rule will be skipped.
!!! info ""
`ip_cidr` items in included rule-sets also takes effect as an address filtering field.
!!! note ""
Enable `experimental.cache_file.store_rdrc` to cache results.
#### geoip
!!! failure "Removed in sing-box 1.12.0"
GeoIP is deprecated in sing-box 1.8.0 and removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).
Match GeoIP with query response.
#### ip_cidr
!!! question "Since sing-box 1.9.0"
Match IP CIDR with query response.
As a Legacy Address Filter Field, deprecated. Use with `match_response` instead,
check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
#### ip_is_private
!!! question "Since sing-box 1.9.0"
Match private IP with query response.
As a Legacy Address Filter Field, deprecated. Use with `match_response` instead,
check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
#### rule_set_ip_cidr_accept_empty
!!! question "Since sing-box 1.10.0"
!!! failure "Deprecated in sing-box 1.14.0"
`rule_set_ip_cidr_accept_empty` is deprecated and will be removed in sing-box 1.16.0,
check [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
Make `ip_cidr` rules in rule-sets accept empty query response.
### Response Match Fields
!!! question "Since sing-box 1.14.0"
Match fields for the evaluated response. Require `match_response` to be set to `true`
and a preceding rule with [`evaluate`](/configuration/dns/rule_action/#evaluate) action to populate the response.
That evaluated response may also be returned directly by a later [`respond`](/configuration/dns/rule_action/#respond) action.
#### response_rcode
Match DNS response code.
Accepted values are the same as in the [predefined action rcode](/configuration/dns/rule_action/#rcode).
#### response_answer
Match DNS answer records.
Record format is the same as in [predefined action answer](/configuration/dns/rule_action/#answer).
#### response_ns
Match DNS name server records.
Record format is the same as in [predefined action ns](/configuration/dns/rule_action/#ns).
#### response_extra
Match DNS extra records.
Record format is the same as in [predefined action extra](/configuration/dns/rule_action/#extra).
### Logical Fields
#### type
`logical`
#### mode
`and` or `or`
#### rules
Included rules.
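
Review bot: In the Default Fields note, the third group reads `(source_geoip || source_ip_cidr source_ip_is_private)` and is missing the `||` between `source_ip_cidr` and `source_ip_is_private`; the Chinese page has it. The `geosite` and `source_geoip` notices still say "will be removed in sing-box 1.12.0" although the `geoip` notice further down already says "Removed in sing-box 1.12.0", and the `outbound` notice says "will be removed in sing-box 1.14.0" on a page that documents 1.14.0 changes; update these to the actual status. Minor: "will be remove" under `rule_set_ipcidr_match_source` should be "will be removed".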

@@ -0,0 +1,694 @@
---
icon: material/alert-decagram
---
!!! quote "sing-box 1.14.0 中的更改"
:material-plus: [source_mac_address](#source_mac_address)
:material-plus: [source_hostname](#source_hostname)
:material-plus: [match_response](#match_response)
:material-delete-clock: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)
:material-plus: [response_rcode](#response_rcode)
:material-plus: [response_answer](#response_answer)
:material-plus: [response_ns](#response_ns)
:material-plus: [response_extra](#response_extra)
:material-plus: [package_name_regex](#package_name_regex)
:material-alert: [ip_version](#ip_version)
:material-alert: [query_type](#query_type)
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [interface_address](#interface_address)
:material-plus: [network_interface_address](#network_interface_address)
:material-plus: [default_interface_address](#default_interface_address)
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [ip_accept_any](#ip_accept_any)
:material-delete-clock: [outbound](#outbound)
!!! quote "sing-box 1.11.0 中的更改"
:material-plus: [action](#action)
:material-alert: [server](#server)
:material-alert: [disable_cache](#disable_cache)
:material-alert: [rewrite_ttl](#rewrite_ttl)
:material-alert: [client_subnet](#client_subnet)
:material-plus: [network_type](#network_type)
:material-plus: [network_is_expensive](#network_is_expensive)
:material-plus: [network_is_constrained](#network_is_constrained)
!!! quote "sing-box 1.10.0 中的更改"
:material-delete-clock: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)
:material-plus: [rule_set_ip_cidr_match_source](#rule_set_ip_cidr_match_source)
:material-plus: [rule_set_ip_cidr_accept_empty](#rule_set_ip_cidr_accept_empty)
:material-plus: [process_path_regex](#process_path_regex)
!!! quote "sing-box 1.9.0 中的更改"
:material-plus: [geoip](#geoip)
:material-plus: [ip_cidr](#ip_cidr)
:material-plus: [ip_is_private](#ip_is_private)
:material-plus: [client_subnet](#client_subnet)
:material-plus: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)
!!! quote "sing-box 1.8.0 中的更改"
:material-plus: [rule_set](#rule_set)
:material-plus: [source_ip_is_private](#source_ip_is_private)
:material-delete-clock: [geoip](#geoip)
:material-delete-clock: [geosite](#geosite)
### 结构
```json
{
"dns": {
"rules": [
{
"inbound": [
"mixed-in"
],
"ip_version": 6,
"query_type": [
"A",
"HTTPS",
32768
],
"network": "tcp",
"auth_user": [
"usera",
"userb"
],
"protocol": [
"tls",
"http",
"quic"
],
"domain": [
"test.com"
],
"domain_suffix": [
".cn"
],
"domain_keyword": [
"test"
],
"domain_regex": [
"^stun\\..+"
],
"source_ip_cidr": [
"10.0.0.0/24",
"192.168.0.1"
],
"source_ip_is_private": false,
"source_port": [
12345
],
"source_port_range": [
"1000:2000",
":3000",
"4000:"
],
"port": [
80,
443
],
"port_range": [
"1000:2000",
":3000",
"4000:"
],
"process_name": [
"curl"
],
"process_path": [
"/usr/bin/curl"
],
"process_path_regex": [
"^/usr/bin/.+"
],
"package_name": [
"com.termux"
],
"package_name_regex": [
"^com\\.termux.*"
],
"user": [
"sekai"
],
"user_id": [
1000
],
"clash_mode": "direct",
"network_type": [
"wifi"
],
"network_is_expensive": false,
"network_is_constrained": false,
"interface_address": {
"en0": [
"2000::/3"
]
},
"network_interface_address": {
"wifi": [
"2000::/3"
]
},
"default_interface_address": [
"2000::/3"
],
"source_mac_address": [
"00:11:22:33:44:55"
],
"source_hostname": [
"my-device"
],
"wifi_ssid": [
"My WIFI"
],
"wifi_bssid": [
"00:00:00:00:00:00"
],
"rule_set": [
"geoip-cn",
"geosite-cn"
],
"rule_set_ip_cidr_match_source": false,
"match_response": false,
"ip_cidr": [
"10.0.0.0/24",
"192.168.0.1"
],
"ip_is_private": false,
"ip_accept_any": false,
"response_rcode": "",
"response_answer": [],
"response_ns": [],
"response_extra": [],
"invert": false,
"outbound": [
"direct"
],
"action": "route",
"server": "local",
// 已弃用
"rule_set_ip_cidr_accept_empty": false,
"rule_set_ipcidr_match_source": false,
"geosite": [
"cn"
],
"source_geoip": [
"private"
],
"geoip": [
"cn"
]
},
{
"type": "logical",
"mode": "and",
"rules": [],
"action": "route",
"server": "local"
}
]
}
}
```
!!! note ""
当内容只有一项时,可以忽略 JSON 数组 [] 标签
### 默认字段
!!! note ""
默认规则使用以下匹配逻辑:
(`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite`) &&
(`port` || `port_range`) &&
(`source_geoip` || `source_ip_cidr` || `source_ip_is_private`) &&
(`source_port` || `source_port_range`) &&
`other fields`
另外,引用规则集中的每个分支都可视为与外层规则合并,不同分支之间仍保持 OR 语义。
#### inbound
[入站](/zh/configuration/inbound/) 标签.
#### ip_version
!!! quote "sing-box 1.14.0 中的更改"
此字段现在也会在 DNS 规则被未指定具体 DNS 服务器的内部域名解析匹配时生效,
例如未设置 `server` 的 [`resolve`](../../route/rule_action/#resolve) 路由规则动作。
此前只有来自客户端的 DNS 查询才会评估此字段。完整列表参阅
[迁移指南](/zh/migration/#dns-规则中的-ip_version-和-query_type-行为更改)。
在 DNS 规则中设置此字段后,该 DNS 规则在同一 DNS 配置中不能与
旧版地址筛选字段 (DNS 规则)、旧版 DNS 规则动作 `strategy` 选项,
或旧版 `rule_set_ip_cidr_accept_empty` DNS 规则项共存。如需与
基于地址的筛选组合,请使用 [`evaluate`](../rule_action/#evaluate) 动作和
[`match_response`](#match_response)。
4 (A DNS 查询) 或 6 (AAAA DNS 查询)。
默认不限制。
#### query_type
!!! quote "sing-box 1.14.0 中的更改"
此字段现在也会在 DNS 规则被未指定具体 DNS 服务器的内部域名解析匹配时生效,
例如未设置 `server` 的 [`resolve`](../../route/rule_action/#resolve) 路由规则动作。
此前只有来自客户端的 DNS 查询才会评估此字段。完整列表参阅
[迁移指南](/zh/migration/#dns-规则中的-ip_version-和-query_type-行为更改)。
在 DNS 规则中设置此字段后,该 DNS 规则在同一 DNS 配置中不能与
旧版地址筛选字段 (DNS 规则)、旧版 DNS 规则动作 `strategy` 选项,
或旧版 `rule_set_ip_cidr_accept_empty` DNS 规则项共存。如需与
基于地址的筛选组合,请使用 [`evaluate`](../rule_action/#evaluate) 动作和
[`match_response`](#match_response)。
DNS 查询类型。值可以为整数或者类型名称字符串。
#### network
`tcp``udp`
#### auth_user
认证用户名,参阅入站设置。
#### protocol
探测到的协议, 参阅 [协议探测](/zh/configuration/route/sniff/)。
#### domain
匹配完整域名。
#### domain_suffix
匹配域名后缀。
#### domain_keyword
匹配域名关键字。
#### domain_regex
匹配域名正则表达式。
#### geosite
!!! failure "已在 sing-box 1.12.0 中被移除"
GeoSite 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除,参阅 [迁移指南](/zh/migration/#迁移-geosite-到规则集)。
匹配 Geosite。
#### source_geoip
!!! failure "已在 sing-box 1.12.0 中被移除"
GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除,参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。
匹配源 GeoIP。
#### source_ip_cidr
匹配源 IP CIDR。
#### source_ip_is_private
!!! question "自 sing-box 1.8.0 起"
匹配非公开源 IP。
#### source_port
匹配源端口。
#### source_port_range
匹配源端口范围。
#### port
匹配端口。
#### port_range
匹配端口范围。
#### process_name
!!! quote ""
仅支持 Linux、Windows 和 macOS.
匹配进程名称。
#### process_path
!!! quote ""
仅支持 Linux、Windows 和 macOS.
匹配进程路径。
#### process_path_regex
!!! question "自 sing-box 1.10.0 起"
!!! quote ""
仅支持 Linux、Windows 和 macOS.
使用正则表达式匹配进程路径。
#### package_name
匹配 Android 应用包名。
#### package_name_regex
!!! question "自 sing-box 1.14.0 起"
使用正则表达式匹配 Android 应用包名。
#### user
!!! quote ""
仅支持 Linux。
匹配用户名。
#### user_id
!!! quote ""
仅支持 Linux。
匹配用户 ID。
#### clash_mode
匹配 Clash 模式。
#### network_type
!!! question "自 sing-box 1.11.0 起"
!!! quote ""
仅在 Android 与 Apple 平台图形客户端中支持。
匹配网络类型。
Available values: `wifi`, `cellular`, `ethernet` and `other`.
#### network_is_expensive
!!! question "自 sing-box 1.11.0 起"
!!! quote ""
仅在 Android 与 Apple 平台图形客户端中支持。
匹配如果网络被视为计费 (在 Android) 或被视为昂贵,
像蜂窝网络或个人热点 (在 Apple 平台)。
#### network_is_constrained
!!! question "自 sing-box 1.11.0 起"
!!! quote ""
仅在 Apple 平台图形客户端中支持。
匹配如果网络在低数据模式下。
#### interface_address
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅支持 Linux、Windows 和 macOS.
匹配接口地址。
#### network_interface_address
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅在 Android 与 Apple 平台图形客户端中支持。
匹配网络接口(可用值同 `network_type`)地址。
#### default_interface_address
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅支持 Linux、Windows 和 macOS.
匹配默认接口地址。
#### source_mac_address
!!! question "自 sing-box 1.14.0 起"
!!! quote ""
仅支持 Linux、macOS或在 Android 和 macOS 图形客户端中支持。参阅 [邻居解析](/configuration/shared/neighbor/) 了解设置方法。
匹配源设备 MAC 地址。
#### source_hostname
!!! question "自 sing-box 1.14.0 起"
!!! quote ""
仅支持 Linux、macOS或在 Android 和 macOS 图形客户端中支持。参阅 [邻居解析](/configuration/shared/neighbor/) 了解设置方法。
匹配源设备从 DHCP 租约获取的主机名。
#### wifi_ssid
!!! quote ""
仅在 Android 与 Apple 平台图形客户端和 Linux 中支持。
匹配 WiFi SSID。
#### wifi_bssid
!!! quote ""
仅在 Android 与 Apple 平台图形客户端和 Linux 中支持。
匹配 WiFi BSSID。
#### rule_set
!!! question "自 sing-box 1.8.0 起"
匹配[规则集](/zh/configuration/route/#rule_set)。
#### rule_set_ipcidr_match_source
!!! question "自 sing-box 1.9.0 起"
!!! failure "已在 sing-box 1.10.0 废弃"
`rule_set_ipcidr_match_source` 已重命名为 `rule_set_ip_cidr_match_source` 且将在 sing-box 1.11.0 中被移除。
使规则集中的 `ip_cidr` 规则匹配源 IP。
#### rule_set_ip_cidr_match_source
!!! question "自 sing-box 1.10.0 起"
使规则集中的 `ip_cidr` 规则匹配源 IP。
#### match_response
!!! question "自 sing-box 1.14.0 起"
启用响应匹配。启用后,此规则将匹配已评估的响应(由前序 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作设置),而不仅是匹配原始查询。
该已评估的响应也可以被后续的 [`respond`](/zh/configuration/dns/rule_action/#respond) 动作直接返回。
响应匹配字段(`response_rcode``response_answer``response_ns``response_extra`)需要此选项。
当与 `evaluate` 或响应匹配字段一起使用时,`ip_cidr``ip_is_private``ip_accept_any` 也需要此选项。
#### ip_accept_any
!!! question "自 sing-box 1.12.0 起"
当 DNS 查询响应包含至少一个地址时匹配。
#### invert
反选匹配结果。
#### outbound
!!! failure "已在 sing-box 1.12.0 废弃"
`outbound` 规则项已废弃且将在 sing-box 1.14.0 中被移除,参阅 [迁移指南](/zh/migration/#迁移-outbound-dns-规则项到域解析选项)。
匹配出站。
`any` 可作为值用于匹配任意出站。
#### action
==必填==
参阅 [规则动作](../rule_action/)。
#### server
!!! failure "已在 sing-box 1.11.0 废弃"
已移动到 [DNS 规则动作](../rule_action#route).
#### disable_cache
!!! failure "已在 sing-box 1.11.0 废弃"
已移动到 [DNS 规则动作](../rule_action#route).
#### rewrite_ttl
!!! failure "已在 sing-box 1.11.0 废弃"
已移动到 [DNS 规则动作](../rule_action#route).
#### client_subnet
!!! failure "已在 sing-box 1.11.0 废弃"
已移动到 [DNS 规则动作](../rule_action#route).
### 旧版地址筛选字段
!!! failure "已在 sing-box 1.14.0 废弃"
旧版地址筛选字段已废弃,且将在 sing-box 1.16.0 中被移除,
参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
仅对地址请求 (A/AAAA/HTTPS) 生效。 当查询结果与地址筛选规则项不匹配时,将跳过当前规则。
!!! info ""
引用的规则集中的 `ip_cidr` 项也作为地址筛选字段生效。
!!! note ""
启用 `experimental.cache_file.store_rdrc` 以缓存结果。
#### geoip
!!! failure "已在 sing-box 1.12.0 中被移除"
GeoIP 已在 sing-box 1.8.0 废弃且在 sing-box 1.12.0 中被移除,参阅 [迁移指南](/zh/migration/#迁移-geoip-到规则集)。
与查询响应匹配 GeoIP。
#### ip_cidr
!!! question "自 sing-box 1.9.0 起"
与查询响应匹配 IP CIDR。
作为旧版地址筛选字段已废弃。请改为配合 `match_response` 使用,
参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
#### ip_is_private
!!! question "自 sing-box 1.9.0 起"
与查询响应匹配非公开 IP。
作为旧版地址筛选字段已废弃。请改为配合 `match_response` 使用,
参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
#### rule_set_ip_cidr_accept_empty
!!! question "自 sing-box 1.10.0 起"
!!! failure "已在 sing-box 1.14.0 废弃"
`rule_set_ip_cidr_accept_empty` 已废弃且将在 sing-box 1.16.0 中被移除,
参阅[迁移指南](/zh/migration/#迁移地址筛选字段到响应匹配)。
使规则集中的 `ip_cidr` 规则接受空查询响应。
### 响应匹配字段
!!! question "自 sing-box 1.14.0 起"
已评估的响应的匹配字段。需要将 `match_response` 设为 `true`
且需要前序规则使用 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作来填充响应。
该已评估的响应也可以被后续的 [`respond`](/zh/configuration/dns/rule_action/#respond) 动作直接返回。
#### response_rcode
匹配 DNS 响应码。
接受的值与 [predefined 动作 rcode](/zh/configuration/dns/rule_action/#rcode) 中相同。
#### response_answer
匹配 DNS 应答记录。
记录格式与 [predefined 动作 answer](/zh/configuration/dns/rule_action/#answer) 中相同。
#### response_ns
匹配 DNS 名称服务器记录。
记录格式与 [predefined 动作 ns](/zh/configuration/dns/rule_action/#ns) 中相同。
#### response_extra
匹配 DNS 额外记录。
记录格式与 [predefined 动作 extra](/zh/configuration/dns/rule_action/#extra) 中相同。
### 逻辑字段
#### type
`logical`
#### mode
==必填==
`and``or`
#### rules
==必填==
包括的规则。
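Review bot: the `network_type` entry in this Chinese page still carries an English sentence, "Available values: `wifi`, `cellular`, `ethernet` and `other`.", which should be translated like the rest of the file. Separately, the `outbound` notice says the item will be removed in sing-box 1.14.0 and the `rule_set_ipcidr_match_source` notice says it will be removed in 1.11.0, while this same page documents fields introduced in 1.14.0. If those removals have shipped, the notices should say "removed" so readers do not keep the fields in a config.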

View File

@@ -0,0 +1,231 @@
---
icon: material/new-box
---
!!! quote "Changes in sing-box 1.14.0"
:material-delete-clock: [strategy](#strategy)
:material-plus: [evaluate](#evaluate)
:material-plus: [respond](#respond)
:material-plus: [disable_optimistic_cache](#disable_optimistic_cache)
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [strategy](#strategy)
:material-plus: [predefined](#predefined)
!!! question "Since sing-box 1.11.0"
### route
```json
{
"action": "route", // default
"server": "",
"strategy": "",
"disable_cache": false,
"disable_optimistic_cache": false,
"rewrite_ttl": null,
"client_subnet": null
}
```
`route` inherits the classic rule behavior of routing DNS requests to the specified server.
#### server
==Required==
Tag of target server.
#### strategy
!!! question "Since sing-box 1.12.0"
!!! failure "Deprecated in sing-box 1.14.0"
`strategy` is deprecated in sing-box 1.14.0 and will be removed in sing-box 1.16.0.
Set domain strategy for this query.
One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
#### disable_cache
Disable cache and save cache in this query.
#### disable_optimistic_cache
!!! question "Since sing-box 1.14.0"
Disable optimistic DNS caching in this query.
#### rewrite_ttl
Rewrite TTL in DNS responses.
#### client_subnet
Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
Will override `dns.client_subnet`.
### evaluate
!!! question "Since sing-box 1.14.0"
```json
{
"action": "evaluate",
"server": "",
"disable_cache": false,
"disable_optimistic_cache": false,
"rewrite_ttl": null,
"client_subnet": null
}
```
`evaluate` sends a DNS query to the specified server and saves the evaluated response for subsequent rules
to match against using [`match_response`](/configuration/dns/rule/#match_response) and response fields.
Unlike `route`, it does **not** terminate rule evaluation.
Only allowed on top-level DNS rules (not inside logical sub-rules).
Rules that use [`match_response`](/configuration/dns/rule/#match_response) or Response Match Fields
require a preceding top-level rule with `evaluate` action. A rule's own `evaluate` action
does not satisfy this requirement, because matching happens before the action runs.
#### server
==Required==
Tag of target server.
#### disable_cache
Disable cache and save cache in this query.
#### disable_optimistic_cache
!!! question "Since sing-box 1.14.0"
Disable optimistic DNS caching in this query.
#### rewrite_ttl
Rewrite TTL in DNS responses.
#### client_subnet
Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
Will override `dns.client_subnet`.
### respond
!!! question "Since sing-box 1.14.0"
```json
{
"action": "respond"
}
```
`respond` terminates rule evaluation and returns the evaluated response from a preceding [`evaluate`](/configuration/dns/rule_action/#evaluate) action.
This action does not send a new DNS query and has no extra options.
Only allowed after a preceding top-level `evaluate` rule. If the action is reached without an evaluated response at runtime, the request fails with an error instead of falling through to later rules.
### route-options
```json
{
"action": "route-options",
"disable_cache": false,
"disable_optimistic_cache": false,
"rewrite_ttl": null,
"client_subnet": null
}
```
`route-options` set options for routing.
### reject
```json
{
"action": "reject",
"method": "",
"no_drop": false
}
```
`reject` reject DNS requests.
#### method
- `default`: Reply with REFUSED.
- `drop`: Drop the request.
`default` will be used by default.
#### no_drop
If not enabled, `method` will be temporarily overwritten to `drop` after 50 triggers in 30s.
Not available when `method` is set to drop.
### predefined
!!! question "Since sing-box 1.12.0"
```json
{
"action": "predefined",
"rcode": "",
"answer": [],
"ns": [],
"extra": []
}
```
`predefined` responds with predefined DNS records.
#### rcode
The response code.
| Value | Value in the legacy rcode server | Description |
|------------|----------------------------------|-----------------|
| `NOERROR` | `success` | Ok |
| `FORMERR` | `format_error` | Bad request |
| `SERVFAIL` | `server_failure` | Server failure |
| `NXDOMAIN` | `name_error` | Not found |
| `NOTIMP` | `not_implemented` | Not implemented |
| `REFUSED` | `refused` | Refused |
`NOERROR` will be used by default.
#### answer
List of text DNS record to respond as answers.
Examples:
| Record Type | Example |
|-------------|-------------------------------|
| `A` | `localhost. IN A 127.0.0.1` |
| `AAAA` | `localhost. IN AAAA ::1` |
| `TXT` | `localhost. IN TXT \"Hello\"` |
#### ns
List of text DNS record to respond as name servers.
#### extra
List of text DNS record to respond as extra records.
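Review bot: "Disable cache and save cache in this query." under `disable_cache` (used for both `route` and `evaluate`) is ambiguous. State whether the option skips cache reads, cache writes, or both. Under `reject`, `no_drop` says `method` is "temporarily" overwritten to `drop` after 50 triggers in 30s but gives no duration for the override. `route-options` lists four options without describing any of them, so a pointer to the matching `route` fields would help.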

View File

@@ -0,0 +1,229 @@
---
icon: material/new-box
---
!!! quote "sing-box 1.14.0 中的更改"
:material-delete-clock: [strategy](#strategy)
:material-plus: [evaluate](#evaluate)
:material-plus: [respond](#respond)
:material-plus: [disable_optimistic_cache](#disable_optimistic_cache)
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [strategy](#strategy)
:material-plus: [predefined](#predefined)
!!! question "自 sing-box 1.11.0 起"
### route
```json
{
"action": "route", // 默认
"server": "",
"strategy": "",
"disable_cache": false,
"disable_optimistic_cache": false,
"rewrite_ttl": null,
"client_subnet": null
}
```
`route` 继承了将 DNS 请求 路由到指定服务器的经典规则动作。
#### server
==必填==
目标 DNS 服务器的标签。
#### strategy
!!! question "自 sing-box 1.12.0 起"
!!! failure "已在 sing-box 1.14.0 废弃"
`strategy` 已在 sing-box 1.14.0 废弃,且将在 sing-box 1.16.0 中被移除。
为此查询设置域名策略。
可选项:`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`
#### disable_cache
在此查询中禁用缓存。
#### disable_optimistic_cache
!!! question "自 sing-box 1.14.0 起"
在此查询中禁用乐观 DNS 缓存。
#### rewrite_ttl
重写 DNS 回应中的 TTL。
#### client_subnet
默认情况下,将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
如果值是 IP 地址而不是前缀,则会自动附加 `/32``/128`
将覆盖 `dns.client_subnet`.
### evaluate
!!! question "自 sing-box 1.14.0 起"
```json
{
"action": "evaluate",
"server": "",
"disable_cache": false,
"disable_optimistic_cache": false,
"rewrite_ttl": null,
"client_subnet": null
}
```
`evaluate` 向指定服务器发送 DNS 查询并保存已评估的响应,供后续规则通过 [`match_response`](/zh/configuration/dns/rule/#match_response) 和响应字段进行匹配。与 `route` 不同,它**不会**终止规则评估。
仅允许在顶层 DNS 规则中使用(不可在逻辑子规则内部使用)。
使用 [`match_response`](/zh/configuration/dns/rule/#match_response) 或响应匹配字段的规则,
需要位于更早的顶层 `evaluate` 规则之后。规则自身的 `evaluate` 动作不能满足这个条件,
因为匹配发生在动作执行之前。
#### server
==必填==
目标 DNS 服务器的标签。
#### disable_cache
在此查询中禁用缓存。
#### disable_optimistic_cache
!!! question "自 sing-box 1.14.0 起"
在此查询中禁用乐观 DNS 缓存。
#### rewrite_ttl
重写 DNS 回应中的 TTL。
#### client_subnet
默认情况下,将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
如果值是 IP 地址而不是前缀,则会自动附加 `/32``/128`
将覆盖 `dns.client_subnet`.
### respond
!!! question "自 sing-box 1.14.0 起"
```json
{
"action": "respond"
}
```
`respond` 会终止规则评估,并直接返回前序 [`evaluate`](/zh/configuration/dns/rule_action/#evaluate) 动作保存的已评估的响应。
此动作不会发起新的 DNS 查询,也没有额外选项。
只能用于前面已有顶层 `evaluate` 规则的场景。如果运行时命中该动作时没有已评估的响应,则请求会直接返回错误,而不是继续匹配后续规则。
### route-options
```json
{
"action": "route-options",
"disable_cache": false,
"disable_optimistic_cache": false,
"rewrite_ttl": null,
"client_subnet": null
}
```
`route-options` 为路由设置选项。
### reject
```json
{
"action": "reject",
"method": "",
"no_drop": false
}
```
`reject` 拒绝 DNS 请求。
#### method
- `default`: 返回 REFUSED。
- `drop`: 丢弃请求。
默认使用 `default`
#### no_drop
如果未启用,则 30 秒内触发 50 次后,`method` 将被暂时覆盖为 `drop`
`method` 设为 `drop` 时不可用。
### predefined
!!! question "自 sing-box 1.12.0 起"
```json
{
"action": "predefined",
"rcode": "",
"answer": [],
"ns": [],
"extra": []
}
```
`predefined` 以预定义的 DNS 记录响应。
#### rcode
响应码。
| 值 | 旧 rcode DNS 服务器中的值 | 描述 |
|------------|--------------------|-----------------|
| `NOERROR` | `success` | Ok |
| `FORMERR` | `format_error` | Bad request |
| `SERVFAIL` | `server_failure` | Server failure |
| `NXDOMAIN` | `name_error` | Not found |
| `NOTIMP` | `not_implemented` | Not implemented |
| `REFUSED` | `refused` | Refused |
默认使用 `NOERROR`
#### answer
用于作为回答响应的文本 DNS 记录列表。
例子:
| 记录类型 | 例子 |
|--------|-------------------------------|
| `A` | `localhost. IN A 127.0.0.1` |
| `AAAA` | `localhost. IN AAAA ::1` |
| `TXT` | `localhost. IN TXT \"Hello\"` |
#### ns
用于作为名称服务器响应的文本 DNS 记录列表。
#### extra
用于作为额外记录响应的文本 DNS 记录列表。
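Review bot: the description column of the `rcode` table ("Ok", "Bad request", "Server failure", "Not found", "Not implemented", "Refused") is left in English in this Chinese page and should be translated. Also, `disable_cache` reads 在此查询中禁用缓存 here while the English page says "Disable cache and save cache in this query."; the two pages should describe the same behaviour.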

View File

@@ -0,0 +1,38 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# DHCP
### Structure
```json
{
"dns": {
"servers": [
{
"type": "dhcp",
"tag": "",
"interface": "",
// Dial Fields
}
]
}
}
```
### Fields
#### interface
Interface name to listen on.
Tge default interface will be used by default.
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.
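Review bot: typo under `interface`: "Tge default interface will be used by default." should read "The default interface will be used by default."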

View File

@@ -0,0 +1,38 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# DHCP
### 结构
```json
{
"dns": {
"servers": [
{
"type": "dhcp",
"tag": "",
"interface": "",
// 拨号字段
}
]
}
}
```
### 字段
#### interface
要监听的网络接口名称。
默认使用默认接口。
### 拨号字段
参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。

View File

@@ -0,0 +1,35 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# Fake IP
### Structure
```json
{
"dns": {
"servers": [
{
"type": "fakeip",
"tag": "",
"inet4_range": "198.18.0.0/15",
"inet6_range": "fc00::/18"
}
]
}
}
```
### Fields
#### inet4_range
IPv4 address range for FakeIP.
#### inet6_address
IPv6 address range for FakeIP.
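Review bot: the second field heading is `#### inet6_address`, but the structure block above uses the key `inet6_range`, and the Chinese page heads the same field `inet6_range`. Rename the heading so the anchor and the documented key match what users put in their config.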

View File

@@ -0,0 +1,35 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# Fake IP
### 结构
```json
{
"dns": {
"servers": [
{
"type": "fakeip",
"tag": "",
"inet4_range": "198.18.0.0/15",
"inet6_range": "fc00::/18"
}
]
}
}
```
### 字段
#### inet4_range
FakeIP 的 IPv4 地址范围。
#### inet6_range
FakeIP 的 IPv6 地址范围。

View File

@@ -0,0 +1,127 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# Hosts
### Structure
```json
{
"dns": {
"servers": [
{
"type": "hosts",
"tag": "",
"path": [],
"predefined": {}
}
]
}
}
```
!!! note ""
You can ignore the JSON Array [] tag when the content is only one item
### Fields
#### path
List of paths to hosts files.
`/etc/hosts` is used by default.
`C:\Windows\System32\Drivers\etc\hosts` is used by default on Windows.
Example:
```json
{
// "path": "/etc/hosts"
"path": [
"/etc/hosts",
"$HOME/.hosts"
]
}
```
#### predefined
Predefined hosts.
Example:
```json
{
"predefined": {
"www.google.com": "127.0.0.1",
"localhost": [
"127.0.0.1",
"::1"
]
}
}
```
### Examples
=== "Use hosts if available"
=== ":material-card-multiple: sing-box 1.14.0"
```json
{
"dns": {
"servers": [
{
...
},
{
"type": "hosts",
"tag": "hosts"
}
],
"rules": [
{
"action": "evaluate",
"server": "hosts"
},
{
"match_response": true,
"ip_accept_any": true,
"action": "respond"
}
]
}
}
```
=== ":material-card-remove: sing-box < 1.14.0"
```json
{
"dns": {
"servers": [
{
...
},
{
"type": "hosts",
"tag": "hosts"
}
],
"rules": [
{
"ip_accept_any": true,
"server": "hosts"
}
]
}
}
```
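Review bot: the `path` example lists "$HOME/.hosts", but the field description never says that environment variables are expanded in paths. Document the expansion rules (which variables are supported and what happens when one is unset), since a path that resolves somewhere unexpected changes which hosts file is trusted for answers.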

View File

@@ -0,0 +1,127 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# Hosts
### 结构
```json
{
"dns": {
"servers": [
{
"type": "hosts",
"tag": "",
"path": [],
"predefined": {}
}
]
}
}
```
!!! note ""
当内容只有一项时,可以忽略 JSON 数组 [] 标签
### 字段
#### path
hosts 文件路径列表。
默认使用 `/etc/hosts`
在 Windows 上默认使用 `C:\Windows\System32\Drivers\etc\hosts`
示例:
```json
{
// "path": "/etc/hosts"
"path": [
"/etc/hosts",
"$HOME/.hosts"
]
}
```
#### predefined
预定义的 hosts。
示例:
```json
{
"predefined": {
"www.google.com": "127.0.0.1",
"localhost": [
"127.0.0.1",
"::1"
]
}
}
```
### 示例
=== "如果可用则使用 hosts"
=== ":material-card-multiple: sing-box 1.14.0"
```json
{
"dns": {
"servers": [
{
...
},
{
"type": "hosts",
"tag": "hosts"
}
],
"rules": [
{
"action": "evaluate",
"server": "hosts"
},
{
"match_response": true,
"ip_accept_any": true,
"action": "respond"
}
]
}
}
```
=== ":material-card-remove: sing-box < 1.14.0"
```json
{
"dns": {
"servers": [
{
...
},
{
"type": "hosts",
"tag": "hosts"
}
],
"rules": [
{
"ip_accept_any": true,
"server": "hosts"
}
]
}
}
```

View File

@@ -0,0 +1,71 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# DNS over HTTP3 (DoH3)
### Structure
```json
{
"dns": {
"servers": [
{
"type": "h3",
"tag": "",
"server": "",
"server_port": 443,
"path": "",
"headers": {},
"tls": {},
// Dial Fields
}
]
}
}
```
!!! info "Difference from legacy H3 server"
* The old server uses default outbound by default unless detour is specified; the new one uses dialer just like outbound, which is equivalent to using an empty direct outbound by default.
* The old server uses `address_resolver` and `address_strategy` to resolve the domain name in the server; the new one uses `domain_resolver` and `domain_strategy` in [Dial Fields](/configuration/shared/dial/) instead.
### Fields
#### server
==Required==
The address of the DNS server.
If domain name is used, `domain_resolver` must also be set to resolve IP address.
#### server_port
The port of the DNS server.
`443` will be used by default.
#### path
The path of the DNS server.
`/dns-query` will be used by default.
#### headers
Additional headers to be sent to the DNS server.
#### tls
TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.
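Review bot: the "Difference from legacy H3 server" box states a behaviour change that affects where DNS traffic leaves the host, but presents it as a neutral info item: the old server used the default outbound unless detour was specified, the new one dials like an empty direct outbound. Make this a warning and say how to keep the previous path through Dial Fields, so a migrated config does not start sending queries directly without the operator noticing. The same wording appears in the HTTPS and QUIC pages of this commit.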

View File

@@ -0,0 +1,71 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# DNS over HTTP3 (DoH3)
### 结构
```json
{
"dns": {
"servers": [
{
"type": "h3",
"tag": "",
"server": "",
"server_port": 443,
"path": "",
"headers": {},
"tls": {},
// 拨号字段
}
]
}
}
```
!!! info "与旧版 H3 服务器的区别"
* 旧服务器默认使用默认出站,除非指定了绕行;新服务器像出站一样使用拨号器,相当于默认使用空的直连出站。
* 旧服务器使用 `address_resolver``address_strategy` 来解析服务器中的域名;新服务器改用 [拨号字段](/zh/configuration/shared/dial/) 中的 `domain_resolver``domain_strategy`
### 字段
#### server
==必填==
DNS 服务器的地址。
如果使用域名,还必须设置 `domain_resolver` 来解析 IP 地址。
#### server_port
DNS 服务器的端口。
默认使用 `443`
#### path
DNS 服务器的路径。
默认使用 `/dns-query`
#### headers
发送到 DNS 服务器的额外标头。
#### tls
TLS 配置,参阅 [TLS](/zh/configuration/shared/tls/#出站)。
### 拨号字段
参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。

View File

@@ -0,0 +1,71 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# DNS over HTTPS (DoH)
### Structure
```json
{
"dns": {
"servers": [
{
"type": "https",
"tag": "",
"server": "",
"server_port": 443,
"path": "",
"headers": {},
"tls": {},
// Dial Fields
}
]
}
}
```
!!! info "Difference from legacy HTTPS server"
* The old server uses default outbound by default unless detour is specified; the new one uses dialer just like outbound, which is equivalent to using an empty direct outbound by default.
* The old server uses `address_resolver` and `address_strategy` to resolve the domain name in the server; the new one uses `domain_resolver` and `domain_strategy` in [Dial Fields](/configuration/shared/dial/) instead.
### Fields
#### server
==Required==
The address of the DNS server.
If domain name is used, `domain_resolver` must also be set to resolve IP address.
#### server_port
The port of the DNS server.
`443` will be used by default.
#### path
The path of the DNS server.
`/dns-query` will be used by default.
#### headers
Additional headers to be sent to the DNS server.
#### tls
TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.

View File

@@ -0,0 +1,71 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# DNS over HTTPS (DoH)
### 结构
```json
{
"dns": {
"servers": [
{
"type": "https",
"tag": "",
"server": "",
"server_port": 443,
"path": "",
"headers": {},
"tls": {},
// 拨号字段
}
]
}
}
```
!!! info "与旧版 HTTPS 服务器的区别"
* 旧服务器默认使用默认出站,除非指定了绕行;新服务器像出站一样使用拨号器,相当于默认使用空的直连出站。
* 旧服务器使用 `address_resolver``address_strategy` 来解析服务器中的域名;新服务器改用 [拨号字段](/zh/configuration/shared/dial/) 中的 `domain_resolver``domain_strategy`
### 字段
#### server
==必填==
DNS 服务器的地址。
如果使用域名,还必须设置 `domain_resolver` 来解析 IP 地址。
#### server_port
DNS 服务器的端口。
默认使用 `443`
#### path
DNS 服务器的路径。
默认使用 `/dns-query`
#### headers
发送到 DNS 服务器的额外标头。
#### tls
TLS 配置,参阅 [TLS](/zh/configuration/shared/tls/#出站)。
### 拨号字段
参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。

View File

@@ -0,0 +1,48 @@
---
icon: material/alert-decagram
---
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [type](#type)
# DNS Server
### Structure
```json
{
"dns": {
"servers": [
{
"type": "",
"tag": ""
}
]
}
}
```
#### type
The type of the DNS server.
| Type | Format |
|-----------------|---------------------------|
| empty (default) | :material-note-remove: [Legacy](./legacy/) |
| `local` | [Local](./local/) |
| `hosts` | [Hosts](./hosts/) |
| `tcp` | [TCP](./tcp/) |
| `udp` | [UDP](./udp/) |
| `tls` | [TLS](./tls/) |
| `quic` | [QUIC](./quic/) |
| `https` | [HTTPS](./https/) |
| `h3` | [HTTP/3](./http3/) |
| `dhcp` | [DHCP](./dhcp/) |
| `fakeip` | [Fake IP](./fakeip/) |
| `tailscale` | [Tailscale](./tailscale/) |
| `resolved` | [Resolved](./resolved/) |
#### tag
The tag of the DNS server.
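Review bot: the `type` table lists "empty (default)" as selecting the Legacy format, while the Legacy page added in this same commit is marked "Removed in sing-box 1.14.0". Say in this table what an empty `type` does from 1.14.0 on, otherwise the index implies that omitting `type` is still a supported default.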

View File

@@ -0,0 +1,48 @@
---
icon: material/alert-decagram
---
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [type](#type)
# DNS Server
### 结构
```json
{
"dns": {
"servers": [
{
"type": "",
"tag": ""
}
]
}
}
```
#### type
DNS 服务器的类型。
| 类型 | 格式 |
|-----------------|---------------------------|
| empty (default) | :material-note-remove: [Legacy](./legacy/) |
| `local` | [Local](./local/) |
| `hosts` | [Hosts](./hosts/) |
| `tcp` | [TCP](./tcp/) |
| `udp` | [UDP](./udp/) |
| `tls` | [TLS](./tls/) |
| `quic` | [QUIC](./quic/) |
| `https` | [HTTPS](./https/) |
| `h3` | [HTTP/3](./http3/) |
| `dhcp` | [DHCP](./dhcp/) |
| `fakeip` | [Fake IP](./fakeip/) |
| `tailscale` | [Tailscale](./tailscale/) |
| `resolved` | [Resolved](./resolved/) |
#### tag
DNS 服务器的标签。
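Review bot: the title `# DNS Server` and the table cell "empty (default)" are left in English in this Chinese page; translate both so the page matches the other translated server pages.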

View File

@@ -0,0 +1,113 @@
---
icon: material/note-remove
---
!!! failure "Removed in sing-box 1.14.0"
Legacy DNS servers are deprecated in sing-box 1.12.0 and removed in sing-box 1.14.0, check [Migration](/migration/#migrate-to-new-dns-server-formats).
!!! quote "Changes in sing-box 1.9.0"
:material-plus: [client_subnet](#client_subnet)
### Structure
```json
{
"dns": {
"servers": [
{
"tag": "",
"address": "",
"address_resolver": "",
"address_strategy": "",
"strategy": "",
"detour": "",
"client_subnet": ""
}
]
}
}
```
### Fields
#### tag
The tag of the dns server.
#### address
==Required==
The address of the dns server.
| Protocol | Format |
|--------------------------------------|-------------------------------|
| `System` | `local` |
| `TCP` | `tcp://1.0.0.1` |
| `UDP` | `8.8.8.8` `udp://8.8.4.4` |
| `TLS` | `tls://dns.google` |
| `HTTPS` | `https://1.1.1.1/dns-query` |
| `QUIC` | `quic://dns.adguard.com` |
| `HTTP3` | `h3://8.8.8.8/dns-query` |
| `RCode` | `rcode://refused` |
| `DHCP` | `dhcp://auto` or `dhcp://en0` |
| [FakeIP](/configuration/dns/fakeip/) | `fakeip` |
!!! warning ""
To ensure that Android system DNS is in effect, rather than Go's built-in default resolver, enable CGO at compile time.
!!! info ""
the RCode transport is often used to block queries. Use with rules and the `disable_cache` rule option.
| RCode | Description |
|-------------------|-----------------------|
| `success` | `No error` |
| `format_error` | `Format error` |
| `server_failure` | `Server failure` |
| `name_error` | `Non-existent domain` |
| `not_implemented` | `Not implemented` |
| `refused` | `Query refused` |
#### address_resolver
==Required if address contains domain==
Tag of a another server to resolve the domain name in the address.
#### address_strategy
The domain strategy for resolving the domain name in the address.
One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
`dns.strategy` will be used if empty.
#### strategy
Default domain strategy for resolving the domain names.
One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
Take no effect if overridden by other settings.
#### detour
Tag of an outbound for connecting to the dns server.
Default outbound will be used if empty.
#### client_subnet
!!! question "Since sing-box 1.9.0"
Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
Can be overridden by `rules.[].client_subnet`.
Will override `dns.client_subnet`.
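Review bot: typo under `address_resolver`: "Tag of a another server" should be "Tag of another server". Capitalization is also inconsistent in this file: "dns server" in the `tag`, `address` and `detour` descriptions against "DNS server" elsewhere in the docs, and "the RCode transport" starts a sentence in lowercase.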

View File

@@ -0,0 +1,113 @@
---
icon: material/note-remove
---
!!! failure "已在 sing-box 1.14.0 移除"
旧的 DNS 服务器配置已在 sing-box 1.12.0 废弃且已在 sing-box 1.14.0 中被移除,参阅 [迁移指南](/zh/migration/#迁移到新的-dns-服务器格式)。
!!! quote "sing-box 1.9.0 中的更改"
:material-plus: [client_subnet](#client_subnet)
### 结构
```json
{
"dns": {
"servers": [
{
"tag": "",
"address": "",
"address_resolver": "",
"address_strategy": "",
"strategy": "",
"detour": "",
"client_subnet": ""
}
]
}
}
```
### 字段
#### tag
DNS 服务器的标签。
#### address
==必填==
DNS 服务器的地址。
| 协议 | 格式 |
|--------------------------------------|------------------------------|
| `System` | `local` |
| `TCP` | `tcp://1.0.0.1` |
| `UDP` | `8.8.8.8` `udp://8.8.4.4` |
| `TLS` | `tls://dns.google` |
| `HTTPS` | `https://1.1.1.1/dns-query` |
| `QUIC` | `quic://dns.adguard.com` |
| `HTTP3` | `h3://8.8.8.8/dns-query` |
| `RCode` | `rcode://refused` |
| `DHCP` | `dhcp://auto``dhcp://en0` |
| [FakeIP](/zh/configuration/dns/fakeip/) | `fakeip` |
!!! warning ""
为了确保 Android 系统 DNS 生效,而不是 Go 的内置默认解析器,请在编译时启用 CGO。
!!! info ""
RCode 传输层传输层常用于屏蔽请求. 与 DNS 规则和 `disable_cache` 规则选项一起使用。
| RCode | 描述 |
|-------------------|----------|
| `success` | `无错误` |
| `format_error` | `请求格式错误` |
| `server_failure` | `服务器出错` |
| `name_error` | `域名不存在` |
| `not_implemented` | `功能未实现` |
| `refused` | `请求被拒绝` |
#### address_resolver
==如果服务器地址包括域名则必须==
用于解析本 DNS 服务器的域名的另一个 DNS 服务器的标签。
#### address_strategy
用于解析本 DNS 服务器的域名的策略。
可选项:`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`
默认使用 `dns.strategy`
#### strategy
默认解析策略。
可选项:`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`
如果被其他设置覆盖则不生效。
#### detour
用于连接到 DNS 服务器的出站的标签。
如果为空,将使用默认出站。
#### client_subnet
!!! question "自 sing-box 1.9.0 起"
默认情况下,将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
如果值是 IP 地址而不是前缀,则会自动附加 `/32``/128`
可以被 `rules.[].client_subnet` 覆盖。
将覆盖 `dns.client_subnet`
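Review bot: the RCode info box reads "RCode 传输层传输层常用于屏蔽请求.", with 传输层 duplicated and an ASCII full stop. It should read "RCode 传输层常用于屏蔽请求。".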

View File

@@ -0,0 +1,61 @@
---
icon: material/new-box
---
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [prefer_go](#prefer_go)
!!! question "Since sing-box 1.12.0"
# Local
### Structure
```json
{
"dns": {
"servers": [
{
"type": "local",
"tag": "",
"prefer_go": false
// Dial Fields
}
]
}
}
```
!!! info "Difference from legacy local server"
* The old legacy local server only handles IP requests; the new one handles all types of requests and supports concurrent for IP requests.
* The old local server uses default outbound by default unless detour is specified; the new one uses dialer just like outbound, which is equivalent to using an empty direct outbound by default.
### Fields
#### prefer_go
!!! question "Since sing-box 1.13.0"
When enabled, `local` DNS server will resolve DNS by dialing itself whenever possible.
Specifically, it disables following behaviors which was added as features in sing-box 1.13.0:
1. On Apple platforms: Attempt to resolve A/AAAA requests using `getaddrinfo` in NetworkExtension.
2. On Linux: Resolve through `systemd-resolvd`'s DBus interface when available.
As a sole exception, it cannot disable the following behavior:
1. In the Android graphical client,
`local` will always resolve DNS through the platform interface,
as there is no other way to obtain upstream DNS servers;
On devices running Android versions lower than 10, this interface can only resolve A/AAAA requests.
2. On macOS, `local` will try DHCP first in Network Extension, since DHCP respects DIal Fields,
it will not be disabled by `prefer_go`.
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.
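Review bot: under `prefer_go`, "As a sole exception, it cannot disable the following behavior:" is followed by two numbered items (the Android graphical client and macOS DHCP), so the sentence should speak of exceptions in the plural. Also in this section: `systemd-resolvd` should be `systemd-resolved`, "DIal Fields" should be "Dial Fields", "behaviors which was added" should be "were added", and the structure block is missing the comma after `"prefer_go": false` that the Chinese page has.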

View File

@@ -0,0 +1,61 @@
---
icon: material/new-box
---
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [prefer_go](#prefer_go)
!!! question "自 sing-box 1.12.0 起"
# Local
### 结构
```json
{
"dns": {
"servers": [
{
"type": "local",
"tag": "",
"prefer_go": false,
// 拨号字段
}
]
}
}
```
!!! info "与旧版本地服务器的区别"
* 旧的传统本地服务器只处理 IP 请求;新的服务器处理所有类型的请求,并支持 IP 请求的并发处理。
* 旧的本地服务器默认使用默认出站,除非指定了绕行;新服务器像出站一样使用拨号器,相当于默认使用空的直连出站。
### 字段
#### prefer_go
!!! question "自 sing-box 1.13.0 起"
启用后,`local` DNS 服务器将尽可能通过拨号自身来解析 DNS。
具体来说,它禁用了在 sing-box 1.13.0 中作为功能添加的以下行为:
1. 在 Apple 平台上:尝试在 NetworkExtension 中使用 `getaddrinfo` 解析 A/AAAA 请求。
2. 在 Linux 上:当可用时通过 `systemd-resolvd` 的 DBus 接口进行解析。
作为唯一的例外,它无法禁用以下行为:
1. 在 Android 图形客户端中,
`local` 将始终通过平台接口解析 DNS
因为没有其他方法来获取上游 DNS 服务器;
在运行 Android 10 以下版本的设备上,此接口只能解析 A/AAAA 请求。
2. 在 macOS 上,`local` 会在 Network Extension 中首先尝试 DHCP由于 DHCP 遵循拨号字段,
它不会被 `prefer_go` 禁用。
### 拨号字段
参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。
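Review bot: two problems from the English page carry over here: 作为唯一的例外 introduces two numbered items rather than one, and the Linux item names `systemd-resolvd` where the service is `systemd-resolved`.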

View File

@@ -0,0 +1,58 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# DNS over QUIC (DoQ)
### Structure
```json
{
"dns": {
"servers": [
{
"type": "quic",
"tag": "",
"server": "",
"server_port": 853,
"tls": {},
// Dial Fields
}
]
}
}
```
!!! info "Difference from legacy QUIC server"
* The old server uses default outbound by default unless detour is specified; the new one uses dialer just like outbound, which is equivalent to using an empty direct outbound by default.
* The old server uses `address_resolver` and `address_strategy` to resolve the domain name in the server; the new one uses `domain_resolver` and `domain_strategy` in [Dial Fields](/configuration/shared/dial/) instead.
### Fields
#### server
==Required==
The address of the DNS server.
If domain name is used, `domain_resolver` must also be set to resolve IP address.
#### server_port
The port of the DNS server.
`853` will be used by default.
#### tls
TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.

View File

@@ -0,0 +1,58 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# DNS over QUIC (DoQ)
### 结构
```json
{
"dns": {
"servers": [
{
"type": "quic",
"tag": "",
"server": "",
"server_port": 853,
"tls": {},
// 拨号字段
}
]
}
}
```
!!! info "与旧版 QUIC 服务器的区别"
* 旧服务器默认使用默认出站,除非指定了绕行;新服务器像出站一样使用拨号器,相当于默认使用空的直连出站。
* 旧服务器使用 `address_resolver``address_strategy` 来解析服务器中的域名;新服务器改用 [拨号字段](/zh/configuration/shared/dial/) 中的 `domain_resolver``domain_strategy`
### 字段
#### server
==必填==
DNS 服务器的地址。
如果使用域名,还必须设置 `domain_resolver` 来解析 IP 地址。
#### server_port
DNS 服务器的端口。
默认使用 `853`
#### tls
TLS 配置,参阅 [TLS](/zh/configuration/shared/tls/#出站)。
### 拨号字段
参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。

View File

@@ -0,0 +1,117 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# Resolved
```json
{
"dns": {
"servers": [
{
"type": "resolved",
"tag": "",
"service": "resolved",
"accept_default_resolvers": false
}
]
}
}
```
### Fields
#### service
==Required==
The tag of the [Resolved Service](/configuration/service/resolved).
#### accept_default_resolvers
Indicates whether the default DNS resolvers should be accepted for fallback queries in addition to matching domains.
Specifically, default DNS resolvers are DNS servers that have `SetLinkDefaultRoute` or `SetLinkDomains ~.` set.
If not enabled, `NXDOMAIN` will be returned for requests that do not match search or match domains.
### Examples
=== "Split DNS only"
=== ":material-card-multiple: sing-box 1.14.0"
```json
{
"dns": {
"servers": [
{
"type": "local",
"tag": "local"
},
{
"type": "resolved",
"tag": "resolved",
"service": "resolved"
}
],
"rules": [
{
"action": "evaluate",
"server": "resolved"
},
{
"match_response": true,
"ip_accept_any": true,
"action": "respond"
}
]
}
}
```
=== ":material-card-remove: sing-box < 1.14.0"
```json
{
"dns": {
"servers": [
{
"type": "local",
"tag": "local"
},
{
"type": "resolved",
"tag": "resolved",
"service": "resolved"
}
],
"rules": [
{
"ip_accept_any": true,
"server": "resolved"
}
]
}
}
```
=== "Use as global DNS"
```json
{
"dns": {
"servers": [
{
"type": "resolved",
"service": "resolved",
"accept_default_resolvers": true
}
]
}
}
```
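Review bot: this page goes from the `# Resolved` title straight into the JSON block, without the `### Structure` heading that the other server pages in this commit use; the Chinese page has the same gap. In `accept_default_resolvers`, "requests that do not match search or match domains" is hard to parse; "requests that match neither search domains nor match domains" says the same thing clearly.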

View File

@@ -0,0 +1,116 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# Resolved
```json
{
"dns": {
"servers": [
{
"type": "resolved",
"tag": "",
"service": "resolved",
"accept_default_resolvers": false
}
]
}
}
```
### 字段
#### service
==必填==
[Resolved 服务](/zh/configuration/service/resolved) 的标签。
#### accept_default_resolvers
指示是否除了匹配域名外,还应接受默认 DNS 解析器以进行回退查询。
具体来说,默认 DNS 解析器是设置了 `SetLinkDefaultRoute``SetLinkDomains ~.` 的 DNS 服务器。
如果未启用,对于不匹配搜索域或匹配域的请求,将返回 `NXDOMAIN`
### 示例
=== "仅分割 DNS"
=== ":material-card-multiple: sing-box 1.14.0"
```json
{
"dns": {
"servers": [
{
"type": "local",
"tag": "local"
},
{
"type": "resolved",
"tag": "resolved",
"service": "resolved"
}
],
"rules": [
{
"action": "evaluate",
"server": "resolved"
},
{
"match_response": true,
"ip_accept_any": true,
"action": "respond"
}
]
}
}
```
=== ":material-card-remove: sing-box < 1.14.0"
```json
{
"dns": {
"servers": [
{
"type": "local",
"tag": "local"
},
{
"type": "resolved",
"tag": "resolved",
"service": "resolved"
}
],
"rules": [
{
"ip_accept_any": true,
"server": "resolved"
}
]
}
}
```
=== "用作全局 DNS"
```json
{
"dns": {
"servers": [
{
"type": "resolved",
"service": "resolved",
"accept_default_resolvers": true
}
]
}
}
```

View File

@@ -0,0 +1,116 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# Tailscale
### Structure
```json
{
"dns": {
"servers": [
{
"type": "tailscale",
"tag": "",
"endpoint": "ts-ep",
"accept_default_resolvers": false
}
]
}
}
```
### Fields
#### endpoint
==Required==
The tag of the [Tailscale Endpoint](/configuration/endpoint/tailscale).
#### accept_default_resolvers
Indicates whether default DNS resolvers should be accepted for fallback queries in addition to MagicDNS。
if not enabled, `NXDOMAIN` will be returned for non-Tailscale domain queries.
### Examples
=== "MagicDNS only"
=== ":material-card-multiple: sing-box 1.14.0"
```json
{
"dns": {
"servers": [
{
"type": "local",
"tag": "local"
},
{
"type": "tailscale",
"tag": "ts",
"endpoint": "ts-ep"
}
],
"rules": [
{
"action": "evaluate",
"server": "ts"
},
{
"match_response": true,
"ip_accept_any": true,
"action": "respond"
}
]
}
}
```
=== ":material-card-remove: sing-box < 1.14.0"
```json
{
"dns": {
"servers": [
{
"type": "local",
"tag": "local"
},
{
"type": "tailscale",
"tag": "ts",
"endpoint": "ts-ep"
}
],
"rules": [
{
"ip_accept_any": true,
"server": "ts"
}
]
}
}
```
=== "Use as global DNS"
```json
{
"dns": {
"servers": [
{
"type": "tailscale",
"endpoint": "ts-ep",
"accept_default_resolvers": true
}
]
}
}
```
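
Review bot: In the `accept_default_resolvers` description, the first sentence ends with a full-width `。` ("in addition to MagicDNS。") and the following sentence starts in lower case ("if not enabled, ..."); use an ASCII period and capitalise "If". Since the "MagicDNS only" examples depend on the field being off, it would also help to state under the field that `false` is the default rather than leaving that to the structure block.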


@@ -0,0 +1,116 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# Tailscale
### 结构
```json
{
"dns": {
"servers": [
{
"type": "tailscale",
"tag": "",
"endpoint": "ts-ep",
"accept_default_resolvers": false
}
]
}
}
```
### 字段
#### endpoint
==必填==
[Tailscale 端点](/zh/configuration/endpoint/tailscale) 的标签。
#### accept_default_resolvers
指示是否除了 MagicDNS 外,还应接受默认 DNS 解析器以进行回退查询。
如果未启用,对于非 Tailscale 域名查询将返回 `NXDOMAIN`
### 示例
=== "仅 MagicDNS"
=== ":material-card-multiple: sing-box 1.14.0"
```json
{
"dns": {
"servers": [
{
"type": "local",
"tag": "local"
},
{
"type": "tailscale",
"tag": "ts",
"endpoint": "ts-ep"
}
],
"rules": [
{
"action": "evaluate",
"server": "ts"
},
{
"match_response": true,
"ip_accept_any": true,
"action": "respond"
}
]
}
}
```
=== ":material-card-remove: sing-box < 1.14.0"
```json
{
"dns": {
"servers": [
{
"type": "local",
"tag": "local"
},
{
"type": "tailscale",
"tag": "ts",
"endpoint": "ts-ep"
}
],
"rules": [
{
"ip_accept_any": true,
"server": "ts"
}
]
}
}
```
=== "用作全局 DNS"
```json
{
"dns": {
"servers": [
{
"type": "tailscale",
"endpoint": "ts-ep",
"accept_default_resolvers": true
}
]
}
}
```


@@ -0,0 +1,52 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# TCP
### Structure
```json
{
"dns": {
"servers": [
{
"type": "tcp",
"tag": "",
"server": "",
"server_port": 53,
// Dial Fields
}
]
}
}
```
!!! info "Difference from legacy TCP server"
* The old server uses default outbound by default unless detour is specified; the new one uses dialer just like outbound, which is equivalent to using an empty direct outbound by default.
* The old server uses `address_resolver` and `address_strategy` to resolve the domain name in the server; the new one uses `domain_resolver` and `domain_strategy` in [Dial Fields](/configuration/shared/dial/) instead.
### Fields
#### server
==Required==
The address of the DNS server.
If domain name is used, `domain_resolver` must also be set to resolve IP address.
#### server_port
The port of the DNS server.
`53` will be used by default.
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.


@@ -0,0 +1,52 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# TCP
### 结构
```json
{
"dns": {
"servers": [
{
"type": "tcp",
"tag": "",
"server": "",
"server_port": 53,
// 拨号字段
}
]
}
}
```
!!! info "与旧版 TCP 服务器的区别"
* 旧服务器默认使用默认出站,除非指定了绕行;新服务器像出站一样使用拨号器,相当于默认使用空的直连出站。
* 旧服务器使用 `address_resolver``address_strategy` 来解析服务器中的域名;新服务器改用 [拨号字段](/zh/configuration/shared/dial/) 中的 `domain_resolver``domain_strategy`
### 字段
#### server
==必填==
DNS 服务器的地址。
如果使用域名,还必须设置 `domain_resolver` 来解析 IP 地址。
#### server_port
DNS 服务器的端口。
默认使用 `53`
### 拨号字段
参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。


@@ -0,0 +1,58 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# DNS over TLS (DoT)
### Structure
```json
{
"dns": {
"servers": [
{
"type": "tls",
"tag": "",
"server": "",
"server_port": 853,
"tls": {},
// Dial Fields
}
]
}
}
```
!!! info "Difference from legacy TLS server"
* The old server uses default outbound by default unless detour is specified; the new one uses dialer just like outbound, which is equivalent to using an empty direct outbound by default.
* The old server uses `address_resolver` and `address_strategy` to resolve the domain name in the server; the new one uses `domain_resolver` and `domain_strategy` in [Dial Fields](/configuration/shared/dial/) instead.
### Fields
#### server
==Required==
The address of the DNS server.
If domain name is used, `domain_resolver` must also be set to resolve IP address.
#### server_port
The port of the DNS server.
`853` will be used by default.
#### tls
TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.


@@ -0,0 +1,58 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# DNS over TLS (DoT)
### 结构
```json
{
"dns": {
"servers": [
{
"type": "tls",
"tag": "",
"server": "",
"server_port": 853,
"tls": {},
// 拨号字段
}
]
}
}
```
!!! info "与旧版 TLS 服务器的区别"
* 旧服务器默认使用默认出站,除非指定了绕行;新服务器像出站一样使用拨号器,相当于默认使用空的直连出站。
* 旧服务器使用 `address_resolver``address_strategy` 来解析服务器中的域名;新服务器改用 [拨号字段](/zh/configuration/shared/dial/) 中的 `domain_resolver``domain_strategy`
### 字段
#### server
==必填==
DNS 服务器的地址。
如果使用域名,还必须设置 `domain_resolver` 来解析 IP 地址。
#### server_port
DNS 服务器的端口。
默认使用 `853`
#### tls
TLS 配置,参阅 [TLS](/zh/configuration/shared/tls/#出站)。
### 拨号字段
参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。


@@ -0,0 +1,52 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
# UDP
### Structure
```json
{
"dns": {
"servers": [
{
"type": "udp",
"tag": "",
"server": "",
"server_port": 53,
// Dial Fields
}
]
}
}
```
!!! info "Difference from legacy UDP server"
* The old server uses default outbound by default unless detour is specified; the new one uses dialer just like outbound, which is equivalent to using an empty direct outbound by default.
* The old server uses `address_resolver` and `address_strategy` to resolve the domain name in the server; the new one uses `domain_resolver` and `domain_strategy` in [Dial Fields](/configuration/shared/dial/) instead.
### Fields
#### server
==Required==
The address of the DNS server.
If domain name is used, `domain_resolver` must also be set to resolve IP address.
#### server_port
The port of the DNS server.
`53` will be used by default.
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.


@@ -0,0 +1,52 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
# UDP
### 结构
```json
{
"dns": {
"servers": [
{
"type": "udp",
"tag": "",
"server": "",
"server_port": 53,
// 拨号字段
}
]
}
}
```
!!! info "与旧版 UDP 服务器的区别"
* 旧服务器默认使用默认出站,除非指定了绕行;新服务器像出站一样使用拨号器,相当于默认使用空的直连出站。
* 旧服务器使用 `address_resolver``address_strategy` 来解析服务器中的域名;新服务器改用 [拨号字段](/zh/configuration/shared/dial/) 中的 `domain_resolver``domain_strategy`
### 字段
#### server
==必填==
DNS 服务器的地址。
如果使用域名,还必须设置 `domain_resolver` 来解析 IP 地址。
#### server_port
DNS 服务器的端口。
默认使用 `53`
### 拨号字段
参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。


@@ -0,0 +1,29 @@
!!! question "Since sing-box 1.11.0"
# Endpoint
An endpoint is a protocol with inbound and outbound behavior.
### Structure
```json
{
"endpoints": [
{
"type": "",
"tag": ""
}
]
}
```
### Fields
| Type | Format |
|-------------|---------------------------|
| `wireguard` | [WireGuard](./wireguard/) |
| `tailscale` | [Tailscale](./tailscale/) |
#### tag
The tag of the endpoint.


@@ -0,0 +1,29 @@
!!! question "自 sing-box 1.11.0 起"
# 端点
端点是具有入站和出站行为的协议。
### 结构
```json
{
"endpoints": [
{
"type": "",
"tag": ""
}
]
}
```
### 字段
| 类型 | 格式 |
|-------------|---------------------------|
| `wireguard` | [WireGuard](./wireguard/) |
| `tailscale` | [Tailscale](./tailscale/) |
#### tag
端点的标签。


@@ -0,0 +1,157 @@
---
icon: material/new-box
---
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [relay_server_port](#relay_server_port)
:material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)
:material-plus: [system_interface](#system_interface)
:material-plus: [system_interface_name](#system_interface_name)
:material-plus: [system_interface_mtu](#system_interface_mtu)
:material-plus: [advertise_tags](#advertise_tags)
!!! question "Since sing-box 1.12.0"
### Structure
```json
{
"type": "tailscale",
"tag": "ts-ep",
"state_directory": "",
"auth_key": "",
"control_url": "",
"ephemeral": false,
"hostname": "",
"accept_routes": false,
"exit_node": "",
"exit_node_allow_lan_access": false,
"advertise_routes": [],
"advertise_exit_node": false,
"advertise_tags": [],
"relay_server_port": 0,
"relay_server_static_endpoints": [],
"system_interface": false,
"system_interface_name": "",
"system_interface_mtu": 0,
"udp_timeout": "5m",
... // Dial Fields
}
```
### Fields
#### state_directory
The directory where the Tailscale state is stored.
`tailscale` is used by default.
Example: `$HOME/.tailscale`
#### auth_key
!!! note
Auth key is not required. By default, sing-box will log the login URL (or popup a notification on graphical clients).
The auth key to create the node. If the node is already created (from state previously stored), then this field is not
used.
#### control_url
The coordination server URL.
`https://controlplane.tailscale.com` is used by default.
#### ephemeral
Indicates whether the instance should register as an Ephemeral node (https://tailscale.com/s/ephemeral-nodes).
#### hostname
The hostname of the node.
System hostname is used by default.
Example: `localhost`
#### accept_routes
Indicates whether the node should accept routes advertised by other nodes.
#### exit_node
The exit node name or IP address to use.
#### exit_node_allow_lan_access
!!! note
When the exit node does not have a corresponding advertised route, private traffics cannot be routed to the exit node even if `exit_node_allow_lan_access is` set.
Indicates whether locally accessible subnets should be routed directly or via the exit node.
#### advertise_routes
CIDR prefixes to advertise into the Tailscale network as reachable through the current node.
Example: `["192.168.1.1/24"]`
#### advertise_exit_node
Indicates whether the node should advertise itself as an exit node.
#### advertise_tags
!!! question "Since sing-box 1.13.0"
Tags to advertise for this node, for ACL enforcement purposes.
Example: `["tag:server"]`
#### relay_server_port
!!! question "Since sing-box 1.13.0"
The port to listen on for incoming relay connections from other Tailscale nodes.
#### relay_server_static_endpoints
!!! question "Since sing-box 1.13.0"
Static endpoints to advertise for the relay server.
#### system_interface
!!! question "Since sing-box 1.13.0"
Create a system TUN interface for Tailscale.
#### system_interface_name
!!! question "Since sing-box 1.13.0"
Custom TUN interface name. By default, `tailscale` (or `utun` on macOS) will be used.
#### system_interface_mtu
!!! question "Since sing-box 1.13.0"
Override the TUN MTU. By default, Tailscale's own MTU is used.
#### udp_timeout
UDP NAT expiration time.
`5m` will be used by default.
### Dial Fields
!!! note
Dial Fields in Tailscale endpoints only control how it connects to the control plane and have nothing to do with actual connections.
See [Dial Fields](/configuration/shared/dial/) for details.
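
Review bot: In the note under `exit_node_allow_lan_access`, the code span closes one word late (`exit_node_allow_lan_access is` set), so "is" renders as part of the field name; end the span after the field name, and change "private traffics" to "private traffic". The `advertise_routes` example `["192.168.1.1/24"]` has host bits set in a field described as CIDR prefixes; use the network form `192.168.1.0/24` or say that non-canonical prefixes are accepted. `auth_key` is a credential kept in the configuration file, so its section should say so and point readers at the login-URL flow the note already mentions when they do not want a key on disk.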


@@ -0,0 +1,156 @@
---
icon: material/new-box
---
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [relay_server_port](#relay_server_port)
:material-plus: [relay_server_static_endpoints](#relay_server_static_endpoints)
:material-plus: [system_interface](#system_interface)
:material-plus: [system_interface_name](#system_interface_name)
:material-plus: [system_interface_mtu](#system_interface_mtu)
:material-plus: [advertise_tags](#advertise_tags)
!!! question "自 sing-box 1.12.0 起"
### 结构
```json
{
"type": "tailscale",
"tag": "ts-ep",
"state_directory": "",
"auth_key": "",
"control_url": "",
"ephemeral": false,
"hostname": "",
"accept_routes": false,
"exit_node": "",
"exit_node_allow_lan_access": false,
"advertise_routes": [],
"advertise_exit_node": false,
"advertise_tags": [],
"relay_server_port": 0,
"relay_server_static_endpoints": [],
"system_interface": false,
"system_interface_name": "",
"system_interface_mtu": 0,
"udp_timeout": "5m",
... // 拨号字段
}
```
### 字段
#### state_directory
存储 Tailscale 状态的目录。
默认使用 `tailscale`
示例:`$HOME/.tailscale`
#### auth_key
!!! note
认证密钥不是必需的。默认情况下sing-box 将记录登录 URL或在图形客户端上弹出通知
用于创建节点的认证密钥。如果节点已经创建(从之前存储的状态),则不使用此字段。
#### control_url
协调服务器 URL。
默认使用 `https://controlplane.tailscale.com`
#### ephemeral
指示实例是否应注册为临时节点 (https://tailscale.com/s/ephemeral-nodes)。
#### hostname
节点的主机名。
默认使用系统主机名。
示例:`localhost`
#### accept_routes
指示节点是否应接受其他节点通告的路由。
#### exit_node
要使用的出口节点名称或 IP 地址。
#### exit_node_allow_lan_access
!!! note
当出口节点没有相应的通告路由时,即使设置了 `exit_node_allow_lan_access`,私有流量也无法路由到出口节点。
指示本地可访问的子网应该直接路由还是通过出口节点路由。
#### advertise_routes
通告到 Tailscale 网络的 CIDR 前缀,作为可通过当前节点访问的路由。
示例:`["192.168.1.1/24"]`
#### advertise_exit_node
指示节点是否应将自己通告为出口节点。
#### advertise_tags
!!! question "自 sing-box 1.13.0 起"
为此节点通告的标签,用于 ACL 执行。
示例:`["tag:server"]`
#### relay_server_port
!!! question "自 sing-box 1.13.0 起"
监听来自其他 Tailscale 节点的中继连接的端口。
#### relay_server_static_endpoints
!!! question "自 sing-box 1.13.0 起"
为中继服务器通告的静态端点。
#### system_interface
!!! question "自 sing-box 1.13.0 起"
为 Tailscale 创建系统 TUN 接口。
#### system_interface_name
!!! question "自 sing-box 1.13.0 起"
自定义 TUN 接口名。默认使用 `tailscale`macOS 上为 `utun`)。
#### system_interface_mtu
!!! question "自 sing-box 1.13.0 起"
覆盖 TUN 的 MTU。默认使用 Tailscale 自己的 MTU。
#### udp_timeout
UDP NAT 过期时间。
默认使用 `5m`
### 拨号字段
!!! note
Tailscale 端点中的拨号字段仅控制它如何连接到控制平面,与实际连接无关。
参阅 [拨号字段](/zh/configuration/shared/dial/) 了解详情。


@@ -0,0 +1,129 @@
!!! question "Since sing-box 1.11.0"
### Structure
```json
{
"type": "wireguard",
"tag": "wg-ep",
"system": false,
"name": "",
"mtu": 1408,
"address": [],
"private_key": "",
"listen_port": 10000,
"peers": [
{
"address": "127.0.0.1",
"port": 10001,
"public_key": "",
"pre_shared_key": "",
"allowed_ips": [],
"persistent_keepalive_interval": 0,
"reserved": [0, 0, 0]
}
],
"udp_timeout": "",
"workers": 0,
... // Dial Fields
}
```
!!! note ""
You can ignore the JSON Array [] tag when the content is only one item
### Fields
#### system
Use system interface.
Requires privilege and cannot conflict with exists system interfaces.
#### name
Custom interface name for system interface.
#### mtu
WireGuard MTU.
`1408` will be used by default.
#### address
==Required==
List of IP (v4 or v6) address prefixes to be assigned to the interface.
#### private_key
==Required==
WireGuard requires base64-encoded public and private keys. These can be generated using the wg(8) utility:
```shell
wg genkey
echo "private key" || wg pubkey
```
or `sing-box generate wg-keypair`.
#### peers
==Required==
List of WireGuard peers.
#### peers.address
WireGuard peer address.
#### peers.port
WireGuard peer port.
#### peers.public_key
==Required==
WireGuard peer public key.
#### peers.pre_shared_key
WireGuard peer pre-shared key.
#### peers.allowed_ips
==Required==
WireGuard allowed IPs.
#### peers.persistent_keepalive_interval
WireGuard persistent keepalive interval, in seconds.
Disabled by default.
#### peers.reserved
WireGuard reserved field bytes.
#### udp_timeout
UDP NAT expiration time.
`5m` will be used by default.
#### workers
WireGuard worker count.
CPU count is used by default.
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.
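
Review bot: The key-generation snippet under `private_key` uses `||` where a pipe is needed: in `echo "private key" || wg pubkey` the `echo` succeeds, so `wg pubkey` never runs and no public key is derived; it should read `echo "private key" | wg pubkey`. The structure block also lists `listen_port`, which has no entry under Fields, and "cannot conflict with exists system interfaces" should read "existing system interfaces".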


@@ -0,0 +1,131 @@
!!! question "自 sing-box 1.11.0 起"
### 结构
```json
{
"type": "wireguard",
"tag": "wg-ep",
"system": false,
"name": "",
"mtu": 1408,
"address": [],
"private_key": "",
"listen_port": 10000,
"peers": [
{
"address": "127.0.0.1",
"port": 10001,
"public_key": "",
"pre_shared_key": "",
"allowed_ips": [],
"persistent_keepalive_interval": 0,
"reserved": [0, 0, 0]
}
],
"udp_timeout": "",
"workers": 0,
... // 拨号字段
}
```
!!! note ""
当内容只有一项时,可以忽略 JSON 数组 [] 标签
### 字段
#### system
使用系统设备。
需要特权且不能与已有系统接口冲突。
#### name
为系统接口自定义设备名称。
#### mtu
WireGuard MTU。
默认使用 1408。
#### address
==必填==
接口的 IPv4/IPv6 地址或地址段的列表。
要分配给接口的 IPv4 或 v6地址段列表。
#### private_key
==必填==
WireGuard 需要 base64 编码的公钥和私钥。 这些可以使用 wg(8) 实用程序生成:
```shell
wg genkey
echo "private key" || wg pubkey
```
`sing-box generate wg-keypair`.
#### peers
==必填==
WireGuard 对等方的列表。
#### peers.address
对等方的 IP 地址。
#### peers.port
对等方的 WireGuard 端口。
#### peers.public_key
==必填==
对等方的 WireGuard 公钥。
#### peers.pre_shared_key
对等方的预共享密钥。
#### peers.allowed_ips
==必填==
对等方的允许 IP 地址。
#### peers.persistent_keepalive_interval
对等方的持久性保持活动间隔,以秒为单位。
默认禁用。
#### peers.reserved
对等方的保留字段字节。
#### udp_timeout
UDP NAT 过期时间。
默认使用 `5m`
#### workers
WireGuard worker 数量。
默认使用 CPU 数量。
### 拨号字段
参阅 [拨号字段](/zh/configuration/shared/dial/)。
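
Review bot: The `address` field carries two consecutive description lines that say the same thing (a list of IPv4/IPv6 addresses or prefixes for the interface); keep one. The snippet under `private_key` has `echo "private key" || wg pubkey`, where a single `|` pipe is needed for `wg pubkey` to receive the key, and the line introducing `sing-box generate wg-keypair` has lost the "or" that links it to the snippet. `listen_port` appears in the structure block but has no entry in the field list.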


@@ -0,0 +1,70 @@
!!! question "Since sing-box 1.8.0"
!!! quote "Changes in sing-box 1.14.0"
:material-delete-clock: [store_rdrc](#store_rdrc)
:material-plus: [store_dns](#store_dns)
!!! quote "Changes in sing-box 1.9.0"
:material-plus: [store_rdrc](#store_rdrc)
:material-plus: [rdrc_timeout](#rdrc_timeout)
### Structure
```json
{
"enabled": true,
"path": "",
"cache_id": "",
"store_fakeip": false,
"store_rdrc": false,
"rdrc_timeout": "",
"store_dns": false
}
```
### Fields
#### enabled
Enable cache file.
#### path
Path to the cache file.
`cache.db` will be used if empty.
#### cache_id
Identifier in the cache file
If not empty, configuration specified data will use a separate store keyed by it.
#### store_fakeip
Store fakeip in the cache file
#### store_rdrc
!!! failure "Deprecated in sing-box 1.14.0"
`store_rdrc` is deprecated and will be removed in sing-box 1.16.0, check [Migration](/migration/#migrate-store-rdrc).
Store rejected DNS response cache in the cache file
The check results of [Legacy Address Filter Fields](/configuration/dns/rule/#legacy-address-filter-fields)
will be cached until expiration.
#### rdrc_timeout
Timeout of rejected DNS response cache.
`7d` is used by default.
#### store_dns
!!! question "Since sing-box 1.14.0"
Store DNS cache in the cache file.
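
Review bot: `store_rdrc` is marked deprecated in 1.14.0, yet the structure block still lists it with no marker, and `rdrc_timeout`, which only configures the rejected DNS response cache, carries no deprecation notice at all. Flag `store_rdrc` in the structure with a `// Deprecated` comment, as the Clash API page does for its migrated fields, and state whether `rdrc_timeout` is removed together with it in 1.16.0. The one-line descriptions of `cache_id`, `store_fakeip` and `store_rdrc` are also missing their final periods.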


@@ -0,0 +1,67 @@
!!! question "自 sing-box 1.8.0 起"
!!! quote "sing-box 1.14.0 中的更改"
:material-delete-clock: [store_rdrc](#store_rdrc)
:material-plus: [store_dns](#store_dns)
!!! quote "sing-box 1.9.0 中的更改"
:material-plus: [store_rdrc](#store_rdrc)
:material-plus: [rdrc_timeout](#rdrc_timeout)
### 结构
```json
{
"enabled": true,
"path": "",
"cache_id": "",
"store_fakeip": false,
"store_rdrc": false,
"rdrc_timeout": "",
"store_dns": false
}
```
### 字段
#### enabled
启用缓存文件。
#### path
缓存文件路径,默认使用`cache.db`
#### cache_id
缓存文件中的标识符。
如果不为空,配置特定的数据将使用由其键控的单独存储。
#### store_fakeip
将 fakeip 存储在缓存文件中。
#### store_rdrc
!!! failure "已在 sing-box 1.14.0 废弃"
`store_rdrc` 已在 sing-box 1.14.0 废弃,且将在 sing-box 1.16.0 中被移除,参阅[迁移指南](/zh/migration/#迁移-store_rdrc)。
将拒绝的 DNS 响应缓存存储在缓存文件中。
[旧版地址筛选字段](/zh/configuration/dns/rule/#旧版地址筛选字段) 的检查结果将被缓存至过期。
#### rdrc_timeout
拒绝的 DNS 响应缓存超时。
默认使用 `7d`
#### store_dns
!!! question "自 sing-box 1.14.0 起"
将 DNS 缓存存储在缓存文件中。


@@ -0,0 +1,166 @@
!!! quote "Changes in sing-box 1.10.0"
:material-plus: [access_control_allow_origin](#access_control_allow_origin)
:material-plus: [access_control_allow_private_network](#access_control_allow_private_network)
!!! quote "Changes in sing-box 1.8.0"
:material-delete-alert: [store_mode](#store_mode)
:material-delete-alert: [store_selected](#store_selected)
:material-delete-alert: [store_fakeip](#store_fakeip)
:material-delete-alert: [cache_file](#cache_file)
:material-delete-alert: [cache_id](#cache_id)
### Structure
=== "Structure"
```json
{
"external_controller": "127.0.0.1:9090",
"external_ui": "",
"external_ui_download_url": "",
"external_ui_download_detour": "",
"secret": "",
"default_mode": "",
"access_control_allow_origin": [],
"access_control_allow_private_network": false,
// Deprecated
"store_mode": false,
"store_selected": false,
"store_fakeip": false,
"cache_file": "",
"cache_id": ""
}
```
=== "Example (online)"
!!! question "Since sing-box 1.10.0"
```json
{
"external_controller": "127.0.0.1:9090",
"access_control_allow_origin": [
"http://127.0.0.1",
"http://yacd.haishan.me"
],
"access_control_allow_private_network": true
}
```
=== "Example (download)"
!!! question "Since sing-box 1.10.0"
```json
{
"external_controller": "0.0.0.0:9090",
"external_ui": "dashboard"
// "external_ui_download_detour": "direct"
}
```
!!! note ""
You can ignore the JSON Array [] tag when the content is only one item
### Fields
#### external_controller
RESTful web API listening address. Clash API will be disabled if empty.
#### external_ui
A relative path to the configuration directory or an absolute path to a
directory in which you put some static web resource. sing-box will then
serve it at `http://{{external-controller}}/ui`.
#### external_ui_download_url
ZIP download URL for the external UI, will be used if the specified `external_ui` directory is empty.
`https://github.com/MetaCubeX/Yacd-meta/archive/gh-pages.zip` will be used if empty.
#### external_ui_download_detour
The tag of the outbound to download the external UI.
Default outbound will be used if empty.
#### secret
Secret for the RESTful API (optional)
Authenticate by spedifying HTTP header `Authorization: Bearer ${secret}`
ALWAYS set a secret if RESTful API is listening on 0.0.0.0
#### default_mode
Default mode in clash, `Rule` will be used if empty.
This setting has no direct effect, but can be used in routing and DNS rules via the `clash_mode` rule item.
#### access_control_allow_origin
!!! question "Since sing-box 1.10.0"
CORS allowed origins, `*` will be used if empty.
To access the Clash API on a private network from a public website, you must explicitly specify it in `access_control_allow_origin` instead of using `*`.
#### access_control_allow_private_network
!!! question "Since sing-box 1.10.0"
Allow access from private network.
To access the Clash API on a private network from a public website, `access_control_allow_private_network` must be enabled.
#### store_mode
!!! failure "Deprecated in sing-box 1.8.0"
`store_mode` is deprecated in Clash API and enabled by default if `cache_file.enabled`.
Store Clash mode in cache file.
#### store_selected
!!! failure "Deprecated in sing-box 1.8.0"
`store_selected` is deprecated in Clash API and enabled by default if `cache_file.enabled`.
!!! note ""
The tag must be set for target outbounds.
Store selected outbound for the `Selector` outbound in cache file.
#### store_fakeip
!!! failure "Deprecated in sing-box 1.8.0"
`store_selected` is deprecated in Clash API and migrated to `cache_file.store_fakeip`.
Store fakeip in cache file.
#### cache_file
!!! failure "Deprecated in sing-box 1.8.0"
`cache_file` is deprecated in Clash API and migrated to `cache_file.enabled` and `cache_file.path`.
Cache file path, `cache.db` will be used if empty.
#### cache_id
!!! failure "Deprecated in sing-box 1.8.0"
`cache_id` is deprecated in Clash API and migrated to `cache_file.cache_id`.
Identifier in cache file.
If not empty, configuration specified data will use a separate store keyed by it.
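
Review bot: The "Example (download)" tab binds `external_controller` to `0.0.0.0:9090` with no `secret`, which contradicts the `secret` section's own rule to always set one when the API listens on 0.0.0.0; add a `secret` to that example or bind it to `127.0.0.1:9090`. Because `access_control_allow_origin` falls back to `*` when empty, the same example also accepts any origin, so an explicit origin list belongs there too. Under `store_fakeip` the deprecation notice names the wrong field ("`store_selected` is deprecated ... migrated to `cache_file.store_fakeip`"), and "spedifying" in the `secret` section should be "specifying".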


@@ -0,0 +1,164 @@
!!! quote "sing-box 1.10.0 中的更改"
:material-plus: [access_control_allow_origin](#access_control_allow_origin)
:material-plus: [access_control_allow_private_network](#access_control_allow_private_network)
!!! quote "sing-box 1.8.0 中的更改"
:material-delete-alert: [store_mode](#store_mode)
:material-delete-alert: [store_selected](#store_selected)
:material-delete-alert: [store_fakeip](#store_fakeip)
:material-delete-alert: [cache_file](#cache_file)
:material-delete-alert: [cache_id](#cache_id)
### 结构
=== "结构"
```json
{
"external_controller": "127.0.0.1:9090",
"external_ui": "",
"external_ui_download_url": "",
"external_ui_download_detour": "",
"secret": "",
"default_mode": "",
"access_control_allow_origin": [],
"access_control_allow_private_network": false,
// Deprecated
"store_mode": false,
"store_selected": false,
"store_fakeip": false,
"cache_file": "",
"cache_id": ""
}
```
=== "示例 (在线)"
!!! question "自 sing-box 1.10.0 起"
```json
{
"external_controller": "127.0.0.1:9090",
"access_control_allow_origin": [
"http://127.0.0.1",
"http://yacd.haishan.me"
],
"access_control_allow_private_network": true
}
```
=== "示例 (下载)"
!!! question "自 sing-box 1.10.0 起"
```json
{
"external_controller": "0.0.0.0:9090",
"external_ui": "dashboard"
// "external_ui_download_detour": "direct"
}
```
!!! note ""
当内容只有一项时,可以忽略 JSON 数组 [] 标签
### Fields
#### external_controller
RESTful web API 监听地址。如果为空,则禁用 Clash API。
#### external_ui
到静态网页资源目录的相对路径或绝对路径。sing-box 会在 `http://{{external-controller}}/ui` 下提供它。
#### external_ui_download_url
静态网页资源的 ZIP 下载 URL如果指定的 `external_ui` 目录为空,将使用。
默认使用 `https://github.com/MetaCubeX/Yacd-meta/archive/gh-pages.zip`。
#### external_ui_download_detour
用于下载静态网页资源的出站的标签。
如果为空,将使用默认出站。
#### secret
RESTful API 的密钥(可选)
通过指定 HTTP 标头 `Authorization: Bearer ${secret}` 进行身份验证
如果 RESTful API 正在监听 0.0.0.0,请始终设置一个密钥。
#### default_mode
Clash 中的默认模式,默认使用 `Rule`。
此设置没有直接影响,但可以通过 `clash_mode` 规则项在路由和 DNS 规则中使用。
#### access_control_allow_origin
!!! question "自 sing-box 1.10.0 起"
允许的 CORS 来源,默认使用 `*`。
要从公共网站访问私有网络上的 Clash API必须在 `access_control_allow_origin` 中明确指定它而不是使用 `*`。
#### access_control_allow_private_network
!!! question "自 sing-box 1.10.0 起"
允许从私有网络访问。
要从公共网站访问私有网络上的 Clash API必须启用 `access_control_allow_private_network`。
#### store_mode
!!! failure "已在 sing-box 1.8.0 废弃"
`store_mode` 已在 Clash API 中废弃,且默认启用当 `cache_file.enabled`。
将 Clash 模式存储在缓存文件中。
#### store_selected
!!! failure "已在 sing-box 1.8.0 废弃"
`store_selected` 已在 Clash API 中废弃,且默认启用当 `cache_file.enabled`。
!!! note ""
必须为目标出站设置标签。
将 `Selector` 中出站的选定的目标出站存储在缓存文件中。
#### store_fakeip
!!! failure "已在 sing-box 1.8.0 废弃"
`store_selected` 已在 Clash API 中废弃,且已迁移到 `cache_file.store_fakeip`。
将 fakeip 存储在缓存文件中。
#### cache_file
!!! failure "已在 sing-box 1.8.0 废弃"
`cache_file` 已在 Clash API 中废弃,且已迁移到 `cache_file.enabled` 和 `cache_file.path`。
缓存文件路径,默认使用`cache.db`。
#### cache_id
!!! failure "已在 sing-box 1.8.0 废弃"
`cache_id` 已在 Clash API 中废弃,且已迁移到 `cache_file.cache_id`。
缓存 ID。
如果不为空,配置特定的数据将使用由其键控的单独存储。
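
Review bot: The "示例 (下载)" tab sets `external_controller` to `0.0.0.0:9090` without a `secret`, against the guidance in the `secret` section of this same page to always set one when listening on 0.0.0.0; add a `secret` or bind to `127.0.0.1:9090`. The deprecation notice under `store_fakeip` names `store_selected` instead of `store_fakeip`, and the `### Fields` heading is left in English where the other translated pages in this commit use `### 字段`.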


@@ -0,0 +1,26 @@
# Experimental
!!! quote "Changes in sing-box 1.8.0"
:material-plus: [cache_file](#cache_file)
:material-alert-decagram: [clash_api](#clash_api)
### Structure
```json
{
"experimental": {
"cache_file": {},
"clash_api": {},
"v2ray_api": {}
}
}
```
### Fields
| Key | Format |
|--------------|----------------------------|
| `cache_file` | [Cache File](./cache-file/) |
| `clash_api` | [Clash API](./clash-api/) |
| `v2ray_api` | [V2Ray API](./v2ray-api/) |


@@ -0,0 +1,26 @@
# 实验性
!!! quote "sing-box 1.8.0 中的更改"
:material-plus: [cache_file](#cache_file)
:material-alert-decagram: [clash_api](#clash_api)
### 结构
```json
{
"experimental": {
"cache_file": {},
"clash_api": {},
"v2ray_api": {}
}
}
```
### 字段
| 键 | 格式 |
|--------------|--------------------------|
| `cache_file` | [缓存文件](./cache-file/) |
| `clash_api` | [Clash API](./clash-api/) |
| `v2ray_api` | [V2Ray API](./v2ray-api/) |


@@ -0,0 +1,50 @@
!!! quote ""
V2Ray API is not included by default, see [Installation](/installation/build-from-source/#build-tags).
### Structure
```json
{
"listen": "127.0.0.1:8080",
"stats": {
"enabled": true,
"inbounds": [
"socks-in"
],
"outbounds": [
"proxy",
"direct"
],
"users": [
"sekai"
]
}
}
```
### Fields
#### listen
gRPC API listening address. V2Ray API will be disabled if empty.
#### stats
Traffic statistics service settings.
#### stats.enabled
Enable statistics service.
#### stats.inbounds
Inbound list to count traffic.
#### stats.outbounds
Outbound list to count traffic.
#### stats.users
User list to count traffic.


@@ -0,0 +1,50 @@
!!! quote ""
默认安装不包含 V2Ray API参阅 [安装](/zh/installation/build-from-source/#构建标记)。
### 结构
```json
{
"listen": "127.0.0.1:8080",
"stats": {
"enabled": true,
"inbounds": [
"socks-in"
],
"outbounds": [
"proxy",
"direct"
],
"users": [
"sekai"
]
}
}
```
### 字段
#### listen
gRPC API 监听地址。如果为空,则禁用 V2Ray API。
#### stats
流量统计服务设置。
#### stats.enabled
启用统计服务。
#### stats.inbounds
统计流量的入站列表。
#### stats.outbounds
统计流量的出站列表。
#### stats.users
统计流量的用户列表。


@@ -0,0 +1,61 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
### Structure
```json
{
"type": "anytls",
"tag": "anytls-in",
... // Listen Fields
"users": [
{
"name": "sekai",
"password": "8JCsPssfgS8tiRwiMlhARg=="
}
],
"padding_scheme": [],
"tls": {}
}
```
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
### Fields
#### users
==Required==
AnyTLS users.
#### padding_scheme
AnyTLS padding scheme line array.
Default padding scheme:
```json
[
"stop=8",
"0=30-30",
"1=100-400",
"2=400-500,c,500-1000,c,500-1000,c,500-1000,c,500-1000",
"3=9-9,500-1000",
"4=500-1000",
"5=500-1000",
"6=500-1000",
"7=500-1000"
]
```
#### tls
TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
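
Review bot: `padding_scheme` is documented only as a "line array" followed by the default value, so nothing on the page explains what `stop=8`, entries such as `1=100-400`, or the `c` tokens in line `2` mean; add a short description of the line syntax or a link to where it is specified. The `users` section likewise gives no per-field description for `name` and `password`, although both appear in the structure block.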


@@ -0,0 +1,61 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
### 结构
```json
{
"type": "anytls",
"tag": "anytls-in",
... // 监听字段
"users": [
{
"name": "sekai",
"password": "8JCsPssfgS8tiRwiMlhARg=="
}
],
"padding_scheme": [],
"tls": {}
}
```
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/)。
### 字段
#### users
==必填==
AnyTLS 用户。
#### padding_scheme
AnyTLS 填充方案行数组。
默认填充方案:
```json
[
"stop=8",
"0=30-30",
"1=100-400",
"2=400-500,c,500-1000,c,500-1000,c,500-1000,c,500-1000",
"3=9-9,500-1000",
"4=500-1000",
"5=500-1000",
"6=500-1000",
"7=500-1000"
]
```
#### tls
TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。


@@ -0,0 +1,89 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.14.0"
`cloudflared` inbound runs an embedded Cloudflare Tunnel client and routes all
incoming tunnel traffic (TCP, UDP, ICMP) through sing-box's routing engine.
### Structure
```json
{
"type": "cloudflared",
"tag": "",
"token": "",
"ha_connections": 0,
"protocol": "",
"post_quantum": false,
"edge_ip_version": 0,
"datagram_version": "",
"grace_period": "",
"region": "",
"control_dialer": {
... // Dial Fields
},
"tunnel_dialer": {
... // Dial Fields
}
}
```
### Fields
#### token
==Required==
Base64-encoded tunnel token from the Cloudflare Zero Trust dashboard
(`Networks → Tunnels → Install connector`).
#### ha_connections
Number of high-availability connections to the Cloudflare edge.
Capped by the number of discovered edge addresses.
#### protocol
Transport protocol for edge connections.
One of `quic` `http2`.
#### post_quantum
Enable post-quantum key exchange on the control connection.
#### edge_ip_version
IP version used when connecting to the Cloudflare edge.
One of `0` (automatic) `4` `6`.
#### datagram_version
Datagram protocol version used for UDP proxying over QUIC.
One of `v2` `v3`. Only meaningful when `protocol` is `quic`.
#### grace_period
Graceful shutdown window for in-flight edge connections.
#### region
Cloudflare edge region selector.
Conflict with endpoints embedded in `token`.
#### control_dialer
[Dial Fields](/configuration/shared/dial/) used when the tunnel client dials the
Cloudflare control plane.
#### tunnel_dialer
[Dial Fields](/configuration/shared/dial/) used when the tunnel client dials the
Cloudflare edge data plane.
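
Review bot: Several fields do not say what the zero or empty value shown in the structure block selects: `ha_connections: 0`, `protocol: ""`, `datagram_version: ""` and `grace_period: ""` have no stated default, whereas `edge_ip_version` documents `0` as automatic; state the default for each. `token` is the tunnel credential, so its section should say it must be handled as a secret rather than only where to copy it from. Under `region`, "Conflict with endpoints embedded in `token`" should read "Conflicts with ...".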


@@ -0,0 +1,89 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.14.0 起"
`cloudflared` 入站运行一个内嵌的 Cloudflare Tunnel 客户端,并将所有传入的隧道流量
TCP、UDP、ICMP通过 sing-box 的路由引擎转发。
### 结构
```json
{
"type": "cloudflared",
"tag": "",
"token": "",
"ha_connections": 0,
"protocol": "",
"post_quantum": false,
"edge_ip_version": 0,
"datagram_version": "",
"grace_period": "",
"region": "",
"control_dialer": {
... // 拨号字段
},
"tunnel_dialer": {
... // 拨号字段
}
}
```
### 字段
#### token
==必填==
来自 Cloudflare Zero Trust 仪表板的 Base64 编码隧道令牌
`Networks → Tunnels → Install connector`)。
#### ha_connections
到 Cloudflare edge 的高可用连接数。
上限为已发现的 edge 地址数量。
#### protocol
edge 连接使用的传输协议。
`quic` `http2` 之一。
#### post_quantum
在控制连接上启用后量子密钥交换。
#### edge_ip_version
连接 Cloudflare edge 时使用的 IP 版本。
`0`(自动)`4` `6` 之一。
#### datagram_version
通过 QUIC 进行 UDP 代理时使用的数据报协议版本。
`v2` `v3` 之一。仅在 `protocol``quic` 时有效。
#### grace_period
正在处理的 edge 连接的优雅关闭窗口。
#### region
Cloudflare edge 区域选择器。
`token` 中嵌入的 endpoint 冲突。
#### control_dialer
隧道客户端拨向 Cloudflare 控制面时使用的
[拨号字段](/zh/configuration/shared/dial/)。
#### tunnel_dialer
隧道客户端拨向 Cloudflare edge 数据面时使用的
[拨号字段](/zh/configuration/shared/dial/)。
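
Review bot: several sentences in this translation are missing characters as shown here. The protocol list in the opening sentence runs straight into the verb (`TCP、UDP、ICMP通过`), the dashboard path under `token` ends with a closing bracket that has no opening one, `datagram_version` has nothing between the code spans `protocol` and `quic`, and the `region` sentence starts at `token` with no leading connective. Compare against the English file and restore the brackets and connectives before merging.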

View File

@@ -0,0 +1,36 @@
`direct` inbound is a tunnel server.
### Structure
```json
{
"type": "direct",
"tag": "direct-in",
... // Listen Fields
"network": "udp",
"override_address": "1.0.0.1",
"override_port": 53
}
```
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
### Fields
#### network
Listen network, one of `tcp` `udp`.
Both if empty.
#### override_address
Override the connection destination address.
#### override_port
Override the connection destination port.
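
Review bot: `override_address` and `override_port` do not say which destination a connection gets when they are left unset, and the one-line description "`direct` inbound is a tunnel server" does not explain it either. Since the example sends everything to `1.0.0.1` port `53`, add a sentence on the behaviour without an override and on whether the two fields can be set independently.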

View File

@@ -0,0 +1,37 @@
`direct` 入站是一个隧道服务器。
### 结构
```json
{
"type": "direct",
"tag": "direct-in",
... // 监听字段
"network": "udp",
"override_address": "1.0.0.1",
"override_port": 53
}
```
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/)。
### 字段
#### network
监听的网络协议,`tcp` `udp` 之一。
默认所有。
#### override_address
覆盖连接目标地址。
#### override_port
覆盖连接目标端口。

View File

@@ -0,0 +1,47 @@
### Structure
```json
{
"type": "http",
"tag": "http-in",
... // Listen Fields
"users": [
{
"username": "admin",
"password": "admin"
}
],
"tls": {},
"set_system_proxy": false
}
```
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
### Fields
#### tls
TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
#### users
HTTP users.
No authentication required if empty.
#### set_system_proxy
!!! quote ""
Only supported on Linux, Android, Windows, and macOS.
!!! warning ""
To work on Android and Apple platforms without privileges, use tun.platform.http_proxy instead.
Automatically set system proxy configuration when start and clean up when stop.
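
Review bot: the Structure example ships `"username": "admin"` with `"password": "admin"`, and the `users` section says "No authentication required if empty" with no caution attached. Examples get copied verbatim, so use an obvious placeholder and add a note that an empty `users` list leaves the proxy usable by anyone who can reach the listen address. The `username` and `password` subfields are also undocumented, and the last sentence should read "when starting" and "when stopping".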

View File

@@ -0,0 +1,47 @@
### 结构
```json
{
"type": "http",
"tag": "http-in",
... // 监听字段
"users": [
{
"username": "admin",
"password": "admin"
}
],
"tls": {},
"set_system_proxy": false
}
```
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/)。
### 字段
#### tls
TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
#### users
HTTP 用户
如果为空则不需要验证。
#### set_system_proxy
!!! quote ""
仅支持 Linux、Android、Windows 和 macOS。
!!! warning ""
要在无特权的 Android 和 iOS 上工作,请改用 tun.platform.http_proxy。
启动时自动设置系统代理,停止时自动清理。
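
Review bot: the warning under `set_system_proxy` names "Android 和 iOS", while the English file in this commit says "Android and Apple platforms". Pick one scope and make both languages agree.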

View File

@@ -0,0 +1,107 @@
### Structure
```json
{
"type": "hysteria",
"tag": "hysteria-in",
... // Listen Fields
"up": "100 Mbps",
"up_mbps": 100,
"down": "100 Mbps",
"down_mbps": 100,
"obfs": "fuck me till the daylight",
"users": [
{
"name": "sekai",
"auth": "",
"auth_str": "password"
}
],
"recv_window_conn": 0,
"recv_window_client": 0,
"max_conn_client": 0,
"disable_mtu_discovery": false,
"tls": {}
}
```
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
### Fields
#### up, down
==Required==
Format: `[Integer] [Unit]` e.g. `100 Mbps, 640 KBps, 2 Gbps`
Supported units (case sensitive, b = bits, B = bytes, 8b=1B):
bps (bits per second)
Bps (bytes per second)
Kbps (kilobits per second)
KBps (kilobytes per second)
Mbps (megabits per second)
MBps (megabytes per second)
Gbps (gigabits per second)
GBps (gigabytes per second)
Tbps (terabits per second)
TBps (terabytes per second)
#### up_mbps, down_mbps
==Required==
`up, down` in Mbps.
#### obfs
Obfuscated password.
#### users
Hysteria users
#### users.auth
Authentication password, in base64.
#### users.auth_str
Authentication password.
#### recv_window_conn
The QUIC stream-level flow control window for receiving data.
`15728640 (15 MB/s)` will be used if empty.
#### recv_window_client
The QUIC connection-level flow control window for receiving data.
`67108864 (64 MB/s)` will be used if empty.
#### max_conn_client
The maximum number of QUIC concurrent bidirectional streams that a peer is allowed to open.
`1024` will be used if empty.
#### disable_mtu_discovery
Disables Path MTU Discovery (RFC 8899). Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size.
Force enabled on for systems other than Linux and Windows (according to upstream).
#### tls
==Required==
TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
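
Review bot: the defaults for `recv_window_conn` and `recv_window_client` are written as `15728640 (15 MB/s)` and `67108864 (64 MB/s)`, but both fields are described as flow control windows, which are sizes and not rates, so the unit should be a byte size (15 MiB and 64 MiB). Separately, `up, down` and `up_mbps, down_mbps` are each marked ==Required== although the second is described as the first "in Mbps"; say that one of the two forms is required and which one wins when both are set, as they are in the Structure example.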

View File

@@ -0,0 +1,107 @@
### 结构
```json
{
"type": "hysteria",
"tag": "hysteria-in",
... // 监听字段
"up": "100 Mbps",
"up_mbps": 100,
"down": "100 Mbps",
"down_mbps": 100,
"obfs": "fuck me till the daylight",
"users": [
{
"name": "sekai",
"auth": "",
"auth_str": "password"
}
],
"recv_window_conn": 0,
"recv_window_client": 0,
"max_conn_client": 0,
"disable_mtu_discovery": false,
"tls": {}
}
```
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/)。
### 字段
#### up, down
==必填==
格式: `[Integer] [Unit]` 例如: `100 Mbps, 640 KBps, 2 Gbps`
支持的单位 (大小写敏感, b = bits, B = bytes, 8b=1B)
bps (bits per second)
Bps (bytes per second)
Kbps (kilobits per second)
KBps (kilobytes per second)
Mbps (megabits per second)
MBps (megabytes per second)
Gbps (gigabits per second)
GBps (gigabytes per second)
Tbps (terabits per second)
TBps (terabytes per second)
#### up_mbps, down_mbps
==必填==
以 Mbps 为单位的 `up, down`
#### obfs
混淆密码。
#### users
Hysteria 用户
#### users.auth
base64 编码的认证密码。
#### users.auth_str
认证密码。
#### recv_window_conn
用于接收数据的 QUIC 流级流控制窗口。
默认 `15728640 (15 MB/s)`
#### recv_window_client
用于接收数据的 QUIC 连接级流控制窗口。
默认 `67108864 (64 MB/s)`
#### max_conn_client
允许对等点打开的 QUIC 并发双向流的最大数量。
默认 `1024`
#### disable_mtu_discovery
禁用路径 MTU 发现 (RFC 8899)。 数据包的大小最多为 1252 (IPv4) / 1232 (IPv6) 字节。
强制为 Linux 和 Windows 以外的系统启用(根据上游)。
#### tls
==必填==
TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。

View File

@@ -0,0 +1,159 @@
---
icon: material/alert-decagram
---
!!! quote "Changes in sing-box 1.14.0"
:material-plus: [bbr_profile](#bbr_profile)
!!! quote "Changes in sing-box 1.11.0"
:material-alert: [masquerade](#masquerade)
:material-alert: [ignore_client_bandwidth](#ignore_client_bandwidth)
### Structure
```json
{
"type": "hysteria2",
"tag": "hy2-in",
... // Listen Fields
"up_mbps": 100,
"down_mbps": 100,
"obfs": {
"type": "salamander",
"password": "cry_me_a_r1ver"
},
"users": [
{
"name": "tobyxdd",
"password": "goofy_ahh_password"
}
],
"ignore_client_bandwidth": false,
"tls": {},
"masquerade": "", // or {}
"bbr_profile": "",
"brutal_debug": false
}
```
!!! warning "Difference from official Hysteria2"
The official program supports an authentication method called **userpass**,
which essentially uses a combination of `<username>:<password>` as the actual password,
while sing-box does not provide this alias.
To use sing-box with the official program, you need to fill in that combination as the actual password.
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
### Fields
#### up_mbps, down_mbps
Max bandwidth, in Mbps.
Not limited if empty.
Conflict with `ignore_client_bandwidth`.
#### obfs.type
QUIC traffic obfuscator type, only available with `salamander`.
Disabled if empty.
#### obfs.password
QUIC traffic obfuscator password.
#### users
Hysteria2 users
#### users.password
Authentication password
#### ignore_client_bandwidth
*When `up_mbps` and `down_mbps` are not set*:
Commands clients to use the BBR CC instead of Hysteria CC.
*When `up_mbps` and `down_mbps` are set*:
Deny clients to use the BBR CC.
#### tls
==Required==
TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
#### masquerade
HTTP3 server behavior (URL string configuration) when authentication fails.
| Scheme | Example | Description |
|--------------|-------------------------|--------------------|
| `file` | `file:///var/www` | As a file server |
| `http/https` | `http://127.0.0.1:8080` | As a reverse proxy |
Conflict with `masquerade.type`.
A 404 page will be returned if masquerade is not configured.
#### masquerade.type
HTTP3 server behavior (Object configuration) when authentication fails.
| Type | Description | Fields |
|----------|-----------------------------|-------------------------------------|
| `file` | As a file server | `directory` |
| `proxy` | As a reverse proxy | `url`, `rewrite_host` |
| `string` | Reply with a fixed response | `status_code`, `headers`, `content` |
Conflict with `masquerade`.
A 404 page will be returned if masquerade is not configured.
#### masquerade.directory
File server root directory.
#### masquerade.url
Reverse proxy target URL.
#### masquerade.rewrite_host
Rewrite the `Host` header to the target URL.
#### masquerade.status_code
Fixed response status code.
#### masquerade.headers
Fixed response headers.
#### masquerade.content
Fixed response content.
#### bbr_profile
!!! question "Since sing-box 1.14.0"
BBR congestion control algorithm profile, one of `conservative` `standard` `aggressive`.
`standard` is used by default.
#### brutal_debug
Enable debug information logging for Hysteria Brutal CC.
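
Review bot: `up_mbps, down_mbps` is documented as "Conflict with `ignore_client_bandwidth`", yet `ignore_client_bandwidth` defines a behaviour for "When `up_mbps` and `down_mbps` are set", and the Structure example sets all three; one of the two statements needs to go or be qualified. The sentence "A 404 page will be returned if masquerade is not configured" is repeated under both `masquerade` and `masquerade.type`. The `file` and `proxy` modes should also note that they answer clients whose authentication failed, so the directory or upstream chosen there is exposed to unauthenticated traffic.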

View File

@@ -0,0 +1,156 @@
---
icon: material/alert-decagram
---
!!! quote "sing-box 1.14.0 中的更改"
:material-plus: [bbr_profile](#bbr_profile)
!!! quote "sing-box 1.11.0 中的更改"
:material-alert: [masquerade](#masquerade)
:material-alert: [ignore_client_bandwidth](#ignore_client_bandwidth)
### 结构
```json
{
"type": "hysteria2",
"tag": "hy2-in",
... // 监听字段
"up_mbps": 100,
"down_mbps": 100,
"obfs": {
"type": "salamander",
"password": "cry_me_a_r1ver"
},
"users": [
{
"name": "tobyxdd",
"password": "goofy_ahh_password"
}
],
"ignore_client_bandwidth": false,
"tls": {},
"masquerade": "", // 或 {}
"bbr_profile": "",
"brutal_debug": false
}
```
!!! warning "与官方 Hysteria2 的区别"
官方程序支持一种名为 **userpass** 的验证方式,
本质上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码,而 sing-box 不提供此别名。
要将 sing-box 与官方程序一起使用, 您需要填写该组合作为实际密码。
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/)。
### 字段
#### up_mbps, down_mbps
支持的速率,默认不限制。
`ignore_client_bandwidth` 冲突。
#### obfs.type
QUIC 流量混淆器类型,仅可设为 `salamander`
如果为空则禁用。
#### obfs.password
QUIC 流量混淆器密码.
#### users
Hysteria 用户
#### users.password
认证密码。
#### ignore_client_bandwidth
*当 `up_mbps` 和 `down_mbps` 未设定时*:
命令客户端使用 BBR 拥塞控制算法而不是 Hysteria CC。
*当 `up_mbps` 和 `down_mbps` 已设定时*:
禁止客户端使用 BBR 拥塞控制算法。
#### tls
==必填==
TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
#### masquerade
HTTP3 服务器认证失败时的行为 URL 字符串配置)。
| Scheme | 示例 | 描述 |
|--------------|-------------------------|---------|
| `file` | `file:///var/www` | 作为文件服务器 |
| `http/https` | `http://127.0.0.1:8080` | 作为反向代理 |
如果 masquerade 未配置,则返回 404 页。
`masquerade.type` 冲突。
#### masquerade.type
HTTP3 服务器认证失败时的行为 (对象配置)。
| Type | 描述 | 字段 |
|----------|---------|-------------------------------------|
| `file` | 作为文件服务器 | `directory` |
| `proxy` | 作为反向代理 | `url`, `rewrite_host` |
| `string` | 返回固定响应 | `status_code`, `headers`, `content` |
如果 masquerade 未配置,则返回 404 页。
`masquerade` 冲突。
#### masquerade.directory
文件服务器根目录。
#### masquerade.url
反向代理目标 URL。
#### masquerade.rewrite_host
重写请求头中的 Host 字段到目标 URL。
#### masquerade.status_code
固定响应状态码。
#### masquerade.headers
固定响应头。
#### masquerade.content
固定响应内容。
#### bbr_profile
!!! question "自 sing-box 1.14.0 起"
BBR 拥塞控制算法配置,可选 `conservative` `standard` `aggressive`
默认使用 `standard`
#### brutal_debug
启用 Hysteria Brutal CC 的调试信息日志记录。
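
Review bot: the `users` section reads "Hysteria 用户" where the English file has "Hysteria2 users", and the `up_mbps, down_mbps` text ("支持的速率,默认不限制") drops the Mbps unit that the English text states. This file is declared as 156 lines against 159 for the English one, so check that nothing else was lost in translation.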

View File

@@ -0,0 +1,41 @@
# Inbound
### Structure
```json
{
"inbounds": [
{
"type": "",
"tag": ""
}
]
}
```
### Fields
| Type | Format | Injectable |
|---------------|-------------------------------|------------------|
| `direct` | [Direct](./direct/) | :material-close: |
| `mixed` | [Mixed](./mixed/) | TCP |
| `socks` | [SOCKS](./socks/) | TCP |
| `http` | [HTTP](./http/) | TCP |
| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP |
| `vmess` | [VMess](./vmess/) | TCP |
| `trojan` | [Trojan](./trojan/) | TCP |
| `naive` | [Naive](./naive/) | :material-close: |
| `hysteria` | [Hysteria](./hysteria/) | :material-close: |
| `shadowtls` | [ShadowTLS](./shadowtls/) | TCP |
| `tuic` | [TUIC](./tuic/) | :material-close: |
| `hysteria2` | [Hysteria2](./hysteria2/) | :material-close: |
| `vless` | [VLESS](./vless/) | TCP |
| `anytls` | [AnyTLS](./anytls/) | TCP |
| `tun` | [Tun](./tun/) | :material-close: |
| `redirect` | [Redirect](./redirect/) | :material-close: |
| `tproxy` | [TProxy](./tproxy/) | :material-close: |
| `cloudflared` | [Cloudflared](./cloudflared/) | :material-close: |
#### tag
The tag of the inbound.
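
Review bot: the type table sits directly under "Fields" with no `#### type` heading, unlike `tag`, and its "Injectable" column is never explained, so a reader cannot tell what `TCP` versus :material-close: means. Add the heading and one sentence defining the column.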

View File

@@ -0,0 +1,41 @@
# 入站
### 结构
```json
{
"inbounds": [
{
"type": "",
"tag": ""
}
]
}
```
### 字段
| 类型 | 格式 | 注入支持 |
|---------------|-------------------------------|------------------|
| `direct` | [Direct](./direct/) | :material-close: |
| `mixed` | [Mixed](./mixed/) | TCP |
| `socks` | [SOCKS](./socks/) | TCP |
| `http` | [HTTP](./http/) | TCP |
| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP |
| `vmess` | [VMess](./vmess/) | TCP |
| `trojan` | [Trojan](./trojan/) | TCP |
| `naive` | [Naive](./naive/) | :material-close: |
| `hysteria` | [Hysteria](./hysteria/) | :material-close: |
| `shadowtls` | [ShadowTLS](./shadowtls/) | TCP |
| `tuic` | [TUIC](./tuic/) | :material-close: |
| `hysteria2` | [Hysteria2](./hysteria2/) | :material-close: |
| `vless` | [VLESS](./vless/) | TCP |
| `anytls` | [AnyTLS](./anytls/) | TCP |
| `tun` | [Tun](./tun/) | :material-close: |
| `redirect` | [Redirect](./redirect/) | :material-close: |
| `tproxy` | [TProxy](./tproxy/) | :material-close: |
| `cloudflared` | [Cloudflared](./cloudflared/) | :material-close: |
#### tag
入站的标签。

View File

@@ -0,0 +1,44 @@
`mixed` inbound is a socks4, socks4a, socks5 and http server.
### Structure
```json
{
"type": "mixed",
"tag": "mixed-in",
... // Listen Fields
"users": [
{
"username": "admin",
"password": "admin"
}
],
"set_system_proxy": false
}
```
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
### Fields
#### users
SOCKS and HTTP users.
No authentication required if empty.
#### set_system_proxy
!!! quote ""
Only supported on Linux, Android, Windows, and macOS.
!!! warning ""
To work on Android and Apple platforms without privileges, use tun.platform.http_proxy instead.
Automatically set system proxy configuration when start and clean up when stop.

View File

@@ -0,0 +1,44 @@
`mixed` 入站是一个 socks4, socks4a, socks5 和 http 服务器.
### 结构
```json
{
"type": "mixed",
"tag": "mixed-in",
... // 监听字段
"users": [
{
"username": "admin",
"password": "admin"
}
],
"set_system_proxy": false
}
```
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/)。
### 字段
#### users
SOCKS 和 HTTP 用户
如果为空则不需要验证。
#### set_system_proxy
!!! quote ""
仅支持 Linux、Android、Windows 和 macOS。
!!! warning ""
要在无特权的 Android 和 iOS 上工作,请改用 tun.platform.http_proxy。
启动时自动设置系统代理,停止时自动清理。

View File

@@ -0,0 +1,63 @@
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [quic_congestion_control](#quic_congestion_control)
### Structure
```json
{
"type": "naive",
"tag": "naive-in",
"network": "udp",
...
// Listen Fields
"users": [
{
"username": "sekai",
"password": "password"
}
],
"quic_congestion_control": "",
"tls": {}
}
```
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
### Fields
#### network
Listen network, one of `tcp` `udp`.
Both if empty.
#### users
==Required==
Naive users.
#### quic_congestion_control
!!! question "Since sing-box 1.13.0"
QUIC congestion control algorithm.
| Algorithm | Description |
|----------------|---------------------------------|
| `bbr` | BBR |
| `bbr_standard` | BBR (Standard version) |
| `bbr2` | BBRv2 |
| `bbr2_variant` | BBRv2 (An experimental variant) |
| `cubic` | CUBIC |
| `reno` | New Reno |
`bbr` is used by default (the default of QUICHE, used by Chromium which NaiveProxy is based on).
#### tls
TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
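
Review bot: the `tls` section does not say whether TLS is required for this inbound or what happens when it is left empty, and `quic_congestion_control` does not say whether it applies only when `network` includes `udp`. In the Structure block the `...` and `// Listen Fields` are split over two lines and placed after `network`, unlike the other inbound pages in this commit; keep the single-line `... // Listen Fields` form.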

View File

@@ -0,0 +1,63 @@
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [quic_congestion_control](#quic_congestion_control)
### 结构
```json
{
"type": "naive",
"tag": "naive-in",
"network": "udp",
... // 监听字段
"users": [
{
"username": "sekai",
"password": "password"
}
],
"quic_congestion_control": "",
"tls": {}
}
```
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/)。
### 字段
#### network
监听的网络协议,`tcp` `udp` 之一。
默认所有。
#### users
==必填==
Naive 用户。
#### quic_congestion_control
!!! question "Since sing-box 1.13.0"
QUIC 拥塞控制算法。
| 算法 | 描述 |
|----------------|--------------------|
| `bbr` | BBR |
| `bbr_standard` | BBR (标准版) |
| `bbr2` | BBRv2 |
| `bbr2_variant` | BBRv2 (一种试验变体) |
| `cubic` | CUBIC |
| `reno` | New Reno |
默认使用 `bbr`NaiveProxy 基于的 Chromium 使用的 QUICHE 的默认值)。
#### tls
TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
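
Review bot: the admonition under `quic_congestion_control` is left untranslated as "Since sing-box 1.13.0", while the other Chinese pages in this commit use the "自 sing-box ... 起" form. Translate it for consistency.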

View File

@@ -0,0 +1,18 @@
!!! quote ""
Only supported on Linux and macOS.
### Structure
```json
{
"type": "redirect",
"tag": "redirect-in",
... // Listen Fields
}
```
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.

View File

@@ -0,0 +1,17 @@
!!! quote ""
仅支持 Linux 和 macOS。
### 结构
```json
{
"type": "redirect",
"tag": "redirect-in",
... // 监听字段
}
```
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/)。

View File

@@ -0,0 +1,96 @@
### Structure
```json
{
"type": "shadowsocks",
"tag": "ss-in",
... // Listen Fields
"method": "2022-blake3-aes-128-gcm",
"password": "8JCsPssfgS8tiRwiMlhARg==",
"managed": false,
"multiplex": {}
}
```
### Multi-User Structure
```json
{
"method": "2022-blake3-aes-128-gcm",
"password": "8JCsPssfgS8tiRwiMlhARg==",
"users": [
{
"name": "sekai",
"password": "PCD2Z4o12bKUoFa3cC97Hw=="
}
],
"multiplex": {}
}
```
### Relay Structure
```json
{
"type": "shadowsocks",
"method": "2022-blake3-aes-128-gcm",
"password": "8JCsPssfgS8tiRwiMlhARg==",
"destinations": [
{
"name": "test",
"server": "example.com",
"server_port": 8080,
"password": "PCD2Z4o12bKUoFa3cC97Hw=="
}
],
"multiplex": {}
}
```
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
### Fields
#### network
Listen network, one of `tcp` `udp`.
Both if empty.
#### method
==Required==
| Method | Key Length |
|-------------------------------|------------|
| 2022-blake3-aes-128-gcm | 16 |
| 2022-blake3-aes-256-gcm | 32 |
| 2022-blake3-chacha20-poly1305 | 32 |
| none | / |
| aes-128-gcm | / |
| aes-192-gcm | / |
| aes-256-gcm | / |
| chacha20-ietf-poly1305 | / |
| xchacha20-ietf-poly1305 | / |
#### password
==Required==
| Method | Password Format |
|---------------|------------------------------------------------|
| none | / |
| 2022 methods | `sing-box generate rand --base64 <Key Length>` |
| other methods | any string |
#### managed
Defaults to `false`. Enable this when the inbound is managed by the [SSM API](/configuration/service/ssm-api) for dynamic user.
#### multiplex
See [Multiplex](/configuration/shared/multiplex#inbound) for details.
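
Review bot: the Multi-User and Relay structures introduce `users` and `destinations`, but the Fields section documents neither, and `network` is documented while absent from every Structure block. The method table also lists `none` beside the AEAD ciphers without saying that it disables encryption. The example passwords look like real keys; mark them as samples to be replaced with the output of `sing-box generate rand --base64 <Key Length>`.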

View File

@@ -0,0 +1,96 @@
### 结构
```json
{
"type": "shadowsocks",
"tag": "ss-in",
... // 监听字段
"method": "2022-blake3-aes-128-gcm",
"password": "8JCsPssfgS8tiRwiMlhARg==",
"managed": false,
"multiplex": {}
}
```
### 多用户结构
```json
{
"method": "2022-blake3-aes-128-gcm",
"password": "8JCsPssfgS8tiRwiMlhARg==",
"users": [
{
"name": "sekai",
"password": "PCD2Z4o12bKUoFa3cC97Hw=="
}
],
"multiplex": {}
}
```
### 中转结构
```json
{
"type": "shadowsocks",
"method": "2022-blake3-aes-128-gcm",
"password": "8JCsPssfgS8tiRwiMlhARg==",
"destinations": [
{
"name": "test",
"server": "example.com",
"server_port": 8080,
"password": "PCD2Z4o12bKUoFa3cC97Hw=="
}
],
"multiplex": {}
}
```
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/)。
### 字段
#### network
监听的网络协议,`tcp` `udp` 之一。
默认所有。
#### method
==必填==
| 方法 | 密钥长度 |
|-------------------------------|------|
| 2022-blake3-aes-128-gcm | 16 |
| 2022-blake3-aes-256-gcm | 32 |
| 2022-blake3-chacha20-poly1305 | 32 |
| none | / |
| aes-128-gcm | / |
| aes-192-gcm | / |
| aes-256-gcm | / |
| chacha20-ietf-poly1305 | / |
| xchacha20-ietf-poly1305 | / |
#### password
==必填==
| 方法 | 密码格式 |
|---------------|------------------------------------------|
| none | / |
| 2022 methods | `sing-box generate rand --base64 <密钥长度>` |
| other methods | 任意字符串 |
#### managed
默认为 `false`。当该入站需要由 [SSM API](/zh/configuration/service/ssm-api) 管理用户时必须启用此字段。
#### multiplex
参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。

View File

@@ -0,0 +1,107 @@
---
icon: material/new-box
---
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [wildcard_sni](#wildcard_sni)
### Structure
```json
{
"type": "shadowtls",
"tag": "st-in",
... // Listen Fields
"version": 3,
"password": "fuck me till the daylight",
"users": [
{
"name": "sekai",
"password": "8JCsPssfgS8tiRwiMlhARg=="
}
],
"handshake": {
"server": "google.com",
"server_port": 443,
... // Dial Fields
},
"handshake_for_server_name": {
"example.com": {
"server": "example.com",
"server_port": 443,
... // Dial Fields
}
},
"strict_mode": false,
"wildcard_sni": ""
}
```
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
### Fields
#### version
ShadowTLS protocol version.
| Value | Protocol Version |
|---------------|-----------------------------------------------------------------------------------------|
| `1` (default) | [ShadowTLS v1](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v1) |
| `2` | [ShadowTLS v2](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v2) |
| `3` | [ShadowTLS v3](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-v3-en.md) |
#### password
ShadowTLS password.
Only available in the ShadowTLS protocol 2.
#### users
ShadowTLS users.
Only available in the ShadowTLS protocol 3.
#### handshake
==Required==
When `wildcard_sni` is configured to `all`, the server address is optional.
Handshake server address and [Dial Fields](/configuration/shared/dial/).
#### handshake_for_server_name
Handshake server address and [Dial Fields](/configuration/shared/dial/) for specific server name.
Only available in the ShadowTLS protocol 2/3.
#### strict_mode
ShadowTLS strict mode.
Only available in the ShadowTLS protocol 3.
#### wildcard_sni
!!! question "Since sing-box 1.12.0"
ShadowTLS wildcard SNI mode.
Available values are:
* `off`: (default) Disabled.
* `authed`: Authenticated connections will have their destination overwritten to `(servername):443`
* `all`: All connections will have their destination overwritten to `(servername):443`
Additionally, connections matching `handshake_for_server_name` are not affected.
Only available in the ShadowTLS protocol 3.
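
Review bot: `wildcard_sni` value `all` is described as overwriting the destination of all connections to `(servername):443`, which includes connections that never authenticated, so the server name a client sends decides where the server connects. This needs a warning admonition next to the value list, since `authed` is the mode that limits the rewrite to authenticated users. Also, `version` defaults to `1` while `password` is v2-only and `users` is v3-only, and under `handshake` the `wildcard_sni` exception is placed before the description it qualifies.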

View File

@@ -0,0 +1,107 @@
---
icon: material/new-box
---
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [wildcard_sni](#wildcard_sni)
### 结构
```json
{
"type": "shadowtls",
"tag": "st-in",
... // 监听字段
"version": 3,
"password": "fuck me till the daylight",
"users": [
{
"name": "sekai",
"password": "8JCsPssfgS8tiRwiMlhARg=="
}
],
"handshake": {
"server": "google.com",
"server_port": 443,
... // 拨号字段
},
"handshake_for_server_name": {
"example.com": {
"server": "example.com",
"server_port": 443,
... // 拨号字段
}
},
"strict_mode": false,
"wildcard_sni": ""
}
```
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/)。
### 字段
#### version
ShadowTLS 协议版本。
| 值 | 协议版本 |
|---------------|-----------------------------------------------------------------------------------------|
| `1` (default) | [ShadowTLS v1](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v1) |
| `2` | [ShadowTLS v2](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v2) |
| `3` | [ShadowTLS v3](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-v3-en.md) |
#### password
ShadowTLS 密码。
仅在 ShadowTLS 协议版本 2 中可用。
#### users
ShadowTLS 用户。
仅在 ShadowTLS 协议版本 3 中可用。
#### handshake
==必填==
握手服务器地址和 [拨号参数](/zh/configuration/shared/dial/)。
#### handshake_for_server_name
==必填==
对于特定服务器名称的握手服务器地址和 [拨号参数](/zh/configuration/shared/dial/)。
仅在 ShadowTLS 协议版本 2/3 中可用。
#### strict_mode
ShadowTLS 严格模式。
仅在 ShadowTLS 协议版本 3 中可用。
#### wildcard_sni
!!! question "自 sing-box 1.12.0 起"
ShadowTLS 通配符 SNI 模式。
可用值:
* `off`:(默认)禁用。
* `authed`:已认证的连接的目标将被重写为 `(servername):443`
* `all`:所有连接的目标将被重写为 `(servername):443`
此外,匹配 `handshake_for_server_name` 的连接不受影响。
仅在 ShadowTLS 协议 3 中可用。
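
Review bot: `handshake_for_server_name` is marked ==必填== here but carries no ==Required== marker in the English file, and the `handshake` section omits the sentence that the server address is optional when `wildcard_sni` is `all`. Bring the two languages in line before merging.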

View File

@@ -0,0 +1,31 @@
`socks` inbound is a socks4, socks4a, socks5 server.
### Structure
```json
{
"type": "socks",
"tag": "socks-in",
... // Listen Fields
"users": [
{
"username": "admin",
"password": "admin"
}
]
}
```
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
### Fields
#### users
SOCKS users.
No authentication required if empty.

View File

@@ -0,0 +1,31 @@
`socks` 入站是一个 socks4, socks4a 和 socks5 服务器.
### 结构
```json
{
"type": "socks",
"tag": "socks-in",
... // 监听字段
"users": [
{
"username": "admin",
"password": "admin"
}
]
}
```
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/)。
### 字段
#### users
SOCKS 用户
如果为空则不需要验证。

View File

@@ -0,0 +1,28 @@
!!! quote ""
Only supported on Linux.
### Structure
```json
{
"type": "tproxy",
"tag": "tproxy-in",
... // Listen Fields
"network": "udp"
}
```
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
### Fields
#### network
Listen network, one of `tcp` `udp`.
Both if empty.

View File

@@ -0,0 +1,28 @@
!!! quote ""
仅支持 Linux。
### 结构
```json
{
"type": "tproxy",
"tag": "tproxy-in",
... // 监听字段
"network": "udp"
}
```
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/)。
### 字段
#### network
监听的网络协议,`tcp` `udp` 之一。
默认所有。

View File

@@ -0,0 +1,68 @@
### Structure
```json
{
"type": "trojan",
"tag": "trojan-in",
... // Listen Fields
"users": [
{
"name": "sekai",
"password": "8JCsPssfgS8tiRwiMlhARg=="
}
],
"tls": {},
"fallback": {
"server": "127.0.0.1",
"server_port": 8080
},
"fallback_for_alpn": {
"http/1.1": {
"server": "127.0.0.1",
"server_port": 8081
}
},
"multiplex": {},
"transport": {}
}
```
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
### Fields
#### users
==Required==
Trojan users.
#### tls
TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
#### fallback
!!! failure ""
There is no evidence that GFW detects and blocks Trojan servers based on HTTP responses, and opening the standard http/s port on the server is a much bigger signature.
Fallback server configuration. Disabled if `fallback` and `fallback_for_alpn` are empty.
#### fallback_for_alpn
Fallback server configuration for specified ALPN.
If not empty, TLS fallback requests with ALPN not in this table will be rejected.
#### multiplex
See [Multiplex](/configuration/shared/multiplex#inbound) for details.
#### transport
V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport/).
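
Review bot: `fallback_for_alpn` says fallback requests with an ALPN not in the table are rejected, but the Structure example sets both `fallback` and `fallback_for_alpn`, and nothing explains when the plain `fallback` target is still used in that case. State the precedence between the two fields, and document the `name` and `password` subfields of `users`.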

View File

@@ -0,0 +1,68 @@
### 结构
```json
{
"type": "trojan",
"tag": "trojan-in",
... // 监听字段
"users": [
{
"name": "sekai",
"password": "8JCsPssfgS8tiRwiMlhARg=="
}
],
"tls": {},
"fallback": {
"server": "127.0.0.1",
"server_port": 8080
},
"fallback_for_alpn": {
"http/1.1": {
"server": "127.0.0.1",
"server_port": 8081
}
},
"multiplex": {},
"transport": {}
}
```
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/)。
### 字段
#### users
==必填==
Trojan 用户。
#### tls
TLS 配置,参阅 [TLS](/zh/configuration/shared/tls/#入站)。
#### fallback
!!! failure ""
没有证据表明 GFW 基于 HTTP 响应检测并阻止 Trojan 服务器,并且在服务器上打开标准 http/s 端口是一个更大的特征。
回退服务器配置。如果 `fallback``fallback_for_alpn` 为空,则禁用回退。
#### fallback_for_alpn
为 ALPN 指定回退服务器配置。
如果不为空ALPN 不在此列表中的 TLS 回退请求将被拒绝。
#### multiplex
参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。
#### transport
V2Ray 传输配置,参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport/)。

View File

@@ -0,0 +1,78 @@
### Structure
```json
{
"type": "tuic",
"tag": "tuic-in",
... // Listen Fields
"users": [
{
"name": "sekai",
"uuid": "059032A9-7D40-4A96-9BB1-36823D848068",
"password": "hello"
}
],
"congestion_control": "cubic",
"auth_timeout": "3s",
"zero_rtt_handshake": false,
"heartbeat": "10s",
"tls": {}
}
```
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
### Fields
#### users
TUIC users
#### users.uuid
==Required==
TUIC user uuid
#### users.password
TUIC user password
#### congestion_control
QUIC congestion control algorithm
One of: `cubic`, `new_reno`, `bbr`
`cubic` is used by default.
#### auth_timeout
How long the server should wait for the client to send the authentication command
`3s` is used by default.
#### zero_rtt_handshake
Enable 0-RTT QUIC connection handshake on the client side
This is not impacting much on the performance, as the protocol is fully multiplexed
!!! warning ""
Disabling this is highly recommended, as it is vulnerable to replay attacks.
See [Attack of the clones](https://blog.cloudflare.com/even-faster-connection-establishment-with-quic-0-rtt-resumption/#attack-of-the-clones)
#### heartbeat
Interval for sending heartbeat packets for keeping the connection alive
`10s` is used by default.
#### tls
==Required==
TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
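
Review bot: `zero_rtt_handshake` is described as enabling 0-RTT "on the client side" on an inbound page, so it is unclear what the server-side flag controls. The replay warning should be attached to the field itself together with its default (`false` in the example) rather than trailing the sentence about performance. `users.password` has no required marker, and `congestion_control` uses `new_reno` where the naive page in this commit uses `reno`, which deserves a cross-reference so readers do not mix the two.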

View File

@@ -0,0 +1,78 @@
### 结构
```json
{
"type": "tuic",
"tag": "tuic-in",
... // 监听字段
"users": [
{
"name": "sekai",
"uuid": "059032A9-7D40-4A96-9BB1-36823D848068",
"password": "hello"
}
],
"congestion_control": "cubic",
"auth_timeout": "3s",
"zero_rtt_handshake": false,
"heartbeat": "10s",
"tls": {}
}
```
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/)。
### 字段
#### users
TUIC 用户
#### users.uuid
==必填==
TUIC 用户 UUID
#### users.password
TUIC 用户密码
#### congestion_control
QUIC 拥塞控制算法
可选值: `cubic`, `new_reno`, `bbr`
默认使用 `cubic`
#### auth_timeout
服务器等待客户端发送认证命令的时间
默认使用 `3s`
#### zero_rtt_handshake
在客户端启用 0-RTT QUIC 连接握手
这对性能影响不大,因为协议是完全复用的
!!! warning ""
强烈建议禁用此功能,因为它容易受到重放攻击。
请参阅 [Attack of the clones](https://blog.cloudflare.com/even-faster-connection-establishment-with-quic-0-rtt-resumption/#attack-of-the-clones)
#### heartbeat
发送心跳包以保持连接存活的时间间隔
默认使用 `10s`
#### tls
==必填==
TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。

View File

@@ -0,0 +1,635 @@
---
icon: material/new-box
---
!!! quote "Changes in sing-box 1.14.0"
:material-plus: [include_mac_address](#include_mac_address)
:material-plus: [exclude_mac_address](#exclude_mac_address)
!!! quote "Changes in sing-box 1.13.3"
:material-alert: [strict_route](#strict_route)
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)
:material-plus: [auto_redirect_nfqueue](#auto_redirect_nfqueue)
:material-plus: [exclude_mptcp](#exclude_mptcp)
:material-plus: [auto_redirect_iproute2_fallback_rule_index](#auto_redirect_iproute2_fallback_rule_index)
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [loopback_address](#loopback_address)
!!! quote "Changes in sing-box 1.11.0"
:material-delete-alert: [gso](#gso)
:material-alert-decagram: [route_address_set](#stack)
:material-alert-decagram: [route_exclude_address_set](#stack)
!!! quote "Changes in sing-box 1.10.0"
:material-plus: [address](#address)
:material-delete-clock: [inet4_address](#inet4_address)
:material-delete-clock: [inet6_address](#inet6_address)
:material-plus: [route_address](#route_address)
:material-delete-clock: [inet4_route_address](#inet4_route_address)
:material-delete-clock: [inet6_route_address](#inet6_route_address)
:material-plus: [route_exclude_address](#route_address)
:material-delete-clock: [inet4_route_exclude_address](#inet4_route_exclude_address)
:material-delete-clock: [inet6_route_exclude_address](#inet6_route_exclude_address)
:material-plus: [iproute2_table_index](#iproute2_table_index)
:material-plus: [iproute2_rule_index](#iproute2_table_index)
:material-plus: [auto_redirect](#auto_redirect)
:material-plus: [auto_redirect_input_mark](#auto_redirect_input_mark)
:material-plus: [auto_redirect_output_mark](#auto_redirect_output_mark)
:material-plus: [route_address_set](#route_address_set)
:material-plus: [route_exclude_address_set](#route_address_set)
!!! quote "Changes in sing-box 1.9.0"
:material-plus: [platform.http_proxy.bypass_domain](#platformhttp_proxybypass_domain)
:material-plus: [platform.http_proxy.match_domain](#platformhttp_proxymatch_domain)
!!! quote "Changes in sing-box 1.8.0"
:material-plus: [gso](#gso)
:material-alert-decagram: [stack](#stack)
!!! quote ""
Only supported on Linux, Windows and macOS.
### Structure
```json
{
"type": "tun",
"tag": "tun-in",
"interface_name": "tun0",
"address": [
"172.18.0.1/30",
"fdfe:dcba:9876::1/126"
],
"mtu": 9000,
"auto_route": true,
"iproute2_table_index": 2022,
"iproute2_rule_index": 9000,
"auto_redirect": true,
"auto_redirect_input_mark": "0x2023",
"auto_redirect_output_mark": "0x2024",
"auto_redirect_reset_mark": "0x2025",
"auto_redirect_nfqueue": 100,
"auto_redirect_iproute2_fallback_rule_index": 32768,
"exclude_mptcp": false,
"loopback_address": [
"10.7.0.1"
],
"strict_route": true,
"route_address": [
"0.0.0.0/1",
"128.0.0.0/1",
"::/1",
"8000::/1"
],
"route_exclude_address": [
"192.168.0.0/16",
"fc00::/7"
],
"route_address_set": [
"geoip-cloudflare"
],
"route_exclude_address_set": [
"geoip-cn"
],
"endpoint_independent_nat": false,
"udp_timeout": "5m",
"stack": "system",
"include_interface": [
"lan0"
],
"exclude_interface": [
"lan1"
],
"include_uid": [
0
],
"include_uid_range": [
"1000:99999"
],
"exclude_uid": [
1000
],
"exclude_uid_range": [
"1000:99999"
],
"include_android_user": [
0,
10
],
"include_package": [
"com.android.chrome"
],
"exclude_package": [
"com.android.captiveportallogin"
],
"include_mac_address": [
"00:11:22:33:44:55"
],
"exclude_mac_address": [
"66:77:88:99:aa:bb"
],
"platform": {
"http_proxy": {
"enabled": false,
"server": "127.0.0.1",
"server_port": 8080,
"bypass_domain": [],
"match_domain": []
}
},
// Deprecated
"gso": false,
"inet4_address": [
"172.19.0.1/30"
],
"inet6_address": [
"fdfe:dcba:9876::1/126"
],
"inet4_route_address": [
"0.0.0.0/1",
"128.0.0.0/1"
],
"inet6_route_address": [
"::/1",
"8000::/1"
],
"inet4_route_exclude_address": [
"192.168.0.0/16"
],
"inet6_route_exclude_address": [
"fc00::/7"
],
...
// Listen Fields
}
```
!!! note ""
You can ignore the JSON Array [] tag when the content is only one item
!!! warning ""
If tun is running in non-privileged mode, addresses and MTU will not be configured automatically, please make sure the settings are accurate.
### Fields
#### interface_name
Virtual device name, automatically selected if empty.
#### address
!!! question "Since sing-box 1.10.0"
IPv4 and IPv6 prefix for the tun interface.
#### inet4_address
!!! failure "Deprecated in sing-box 1.10.0"
`inet4_address` is merged to `address` and will be removed in sing-box 1.12.0.
IPv4 prefix for the tun interface.
#### inet6_address
!!! failure "Deprecated in sing-box 1.10.0"
`inet6_address` is merged to `address` and will be removed in sing-box 1.12.0.
IPv6 prefix for the tun interface.
#### mtu
The maximum transmission unit.
#### gso
!!! failure "Deprecated in sing-box 1.11.0"
GSO has no advantages for transparent proxy scenarios, is deprecated and no longer works, and will be removed in sing-box 1.12.0.
!!! question "Since sing-box 1.8.0"
!!! quote ""
Only supported on Linux with `auto_route` enabled.
Enable generic segmentation offload.
#### auto_route
Set the default route to the Tun.
!!! quote ""
To avoid traffic loopback, set `route.auto_detect_interface` or `route.default_interface` or `outbound.bind_interface`
!!! note "Use with Android VPN"
By default, VPN takes precedence over tun. To make tun go through VPN, enable `route.override_android_vpn`.
!!! note "Also enable `auto_redirect`"
`auto_redirect` is always recommended on Linux, it provides better routing, higher performance (better than tproxy), and avoids conflicts between TUN and Docker bridge networks.
#### iproute2_table_index
!!! question "Since sing-box 1.10.0"
Linux iproute2 table index generated by `auto_route`.
`2022` is used by default.
#### iproute2_rule_index
!!! question "Since sing-box 1.10.0"
Linux iproute2 rule start index generated by `auto_route`.
`9000` is used by default.
#### auto_redirect
!!! question "Since sing-box 1.10.0"
!!! quote ""
Only supported on Linux with `auto_route` enabled.
Improve TUN routing and performance using nftables.
`auto_redirect` is always recommended on Linux, it provides better routing,
higher performance (better than tproxy),
and avoids conflicts between TUN and Docker bridge networks.
Note that `auto_redirect` also works on Android,
but due to the lack of `nftables` and `ip6tables`,
only simple IPv4 TCP forwarding is performed.
To share your VPN connection over hotspot or repeater on Android,
use [VPNHotspot](https://github.com/Mygod/VPNHotspot).
`auto_redirect` also automatically inserts compatibility rules
into the OpenWrt fw4 table, i.e.
it will work on routers without any extra configuration.
Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
#### auto_redirect_input_mark
!!! question "Since sing-box 1.10.0"
Connection input mark used by `auto_redirect`.
`0x2023` is used by default.
#### auto_redirect_output_mark
!!! question "Since sing-box 1.10.0"
Connection output mark used by `auto_redirect`.
`0x2024` is used by default.
#### auto_redirect_reset_mark
!!! question "Since sing-box 1.13.0"
Connection reset mark used by `auto_redirect` pre-matching.
`0x2025` is used by default.
#### auto_redirect_nfqueue
!!! question "Since sing-box 1.13.0"
NFQueue number used by `auto_redirect` pre-matching.
`100` is used by default.
#### auto_redirect_iproute2_fallback_rule_index
!!! question "Since sing-box 1.12.18"
Linux iproute2 fallback rule index generated by `auto_redirect`.
This rule is checked after system default rules (32766: main, 32767: default),
routing traffic to the sing-box table only when no route is found in system tables.
`32768` is used by default.
#### exclude_mptcp
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.
MPTCP cannot be transparently proxied due to protocol limitations.
Such traffic is usually created by Apple systems.
When enabled, MPTCP connections will bypass sing-box and connect directly, otherwise, will be rejected to avoid errors by default.
#### loopback_address
!!! question "Since sing-box 1.12.0"
Loopback addresses make TCP connections to the specified address connect to the source address.
Setting option value to `10.7.0.1` achieves the same behavior as SideStore/StosVPN.
When `auto_redirect` is enabled, the same behavior can be achieved for LAN devices (not just local) as a gateway.
#### strict_route
Enforce strict routing rules when `auto_route` is enabled:
*In Linux*:
* Let unsupported network unreachable
* For legacy reasons, when neither `strict_route` nor `auto_redirect` are enabled, all ICMP traffic will not go through TUN.
* When `auto_redirect` is enabled, `strict_route` also affects `SO_BINDTODEVICE` traffic:
* Enabled: `SO_BINDTODEVICE` traffic is redirected through sing-box.
* Disabled: `SO_BINDTODEVICE` traffic bypasses sing-box.
*In Windows*:
* Let unsupported network unreachable
* prevent DNS leak caused by
Windows' [ordinary multihomed DNS resolution behavior](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552%28v%3Dws.10%29)
It may prevent some Windows applications (such as VirtualBox) from working properly in certain situations.
#### route_address
!!! question "Since sing-box 1.10.0"
Use custom routes instead of default when `auto_route` is enabled.
#### inet4_route_address
!!! failure "Deprecated in sing-box 1.10.0"
`inet4_route_address` is deprecated and will be removed in sing-box 1.12.0, please use [route_address](#route_address)
instead.
Use custom routes instead of default when `auto_route` is enabled.
#### inet6_route_address
!!! failure "Deprecated in sing-box 1.10.0"
`inet6_route_address` is deprecated and will be removed in sing-box 1.12.0, please use [route_address](#route_address)
instead.
Use custom routes instead of default when `auto_route` is enabled.
#### route_exclude_address
!!! question "Since sing-box 1.10.0"
Exclude custom routes when `auto_route` is enabled.
#### inet4_route_exclude_address
!!! failure "Deprecated in sing-box 1.10.0"
`inet4_route_exclude_address` is deprecated and will be removed in sing-box 1.12.0, please
use [route_exclude_address](#route_exclude_address) instead.
Exclude custom routes when `auto_route` is enabled.
#### inet6_route_exclude_address
!!! failure "Deprecated in sing-box 1.10.0"
`inet6_route_exclude_address` is deprecated and will be removed in sing-box 1.12.0, please
use [route_exclude_address](#route_exclude_address) instead.
Exclude custom routes when `auto_route` is enabled.
#### route_address_set
=== "With `auto_redirect` enabled"
!!! question "Since sing-box 1.10.0"
!!! quote ""
Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.
Add the destination IP CIDR rules in the specified rule-sets to the firewall.
Unmatched traffic will bypass the sing-box routes.
Conflict with `route.default_mark` and `[dialOptions].routing_mark`.
=== "Without `auto_redirect` enabled"
!!! question "Since sing-box 1.11.0"
Add the destination IP CIDR rules in the specified rule-sets to routes, equivalent to adding to `route_address`.
Unmatched traffic will bypass the sing-box routes.
Note that it **doesn't work on the Android graphical client** due to
the Android VpnService not being able to handle a large number of routes (DeadSystemException),
but otherwise it works fine on all command line clients and Apple platforms.
#### route_exclude_address_set
=== "With `auto_redirect` enabled"
!!! question "Since sing-box 1.10.0"
!!! quote ""
Only supported on Linux with nftables and requires `auto_route` and `auto_redirect` enabled.
Add the destination IP CIDR rules in the specified rule-sets to the firewall.
Matched traffic will bypass the sing-box routes.
=== "Without `auto_redirect` enabled"
!!! question "Since sing-box 1.11.0"
Add the destination IP CIDR rules in the specified rule-sets to routes, equivalent to adding to `route_exclude_address`.
Matched traffic will bypass the sing-box routes.
Note that it **doesn't work on the Android graphical client** due to
the Android VpnService not being able to handle a large number of routes (DeadSystemException),
but otherwise it works fine on all command line clients and Apple platforms.
#### endpoint_independent_nat
!!! info ""
This item is only available on the gvisor stack, other stacks are endpoint-independent NAT by default.
Enable endpoint-independent NAT.
Performance may degrade slightly, so it is not recommended to enable on when it is not needed.
#### udp_timeout
UDP NAT expiration time.
`5m` will be used by default.
#### stack
!!! quote "Changes in sing-box 1.8.0"
:material-delete-alert: The legacy LWIP stack has been deprecated and removed.
TCP/IP stack.
| Stack | Description |
|----------|-------------------------------------------------------------------------------------------------------|
| `system` | Perform L3 to L4 translation using the system network stack |
| `gvisor` | Perform L3 to L4 translation using [gVisor](https://github.com/google/gvisor)'s virtual network stack |
| `mixed` | Mixed `system` TCP stack and `gvisor` UDP stack |
Defaults to the `mixed` stack if the gVisor build tag is enabled, otherwise defaults to the `system` stack.
#### include_interface
!!! quote ""
Interface rules are only supported on Linux and require auto_route.
Limit interfaces in route. Not limited by default.
Conflict with `exclude_interface`.
#### exclude_interface
!!! warning ""
When `strict_route` enabled, return traffic to excluded interfaces will not be automatically excluded, so add them as well (example: `br-lan` and `pppoe-wan`).
Exclude interfaces in route.
Conflict with `include_interface`.
#### include_uid
!!! quote ""
UID rules are only supported on Linux and require auto_route.
Limit users in route. Not limited by default.
#### include_uid_range
Limit users in route, but in range.
#### exclude_uid
Exclude users in route.
#### exclude_uid_range
Exclude users in route, but in range.
#### include_android_user
!!! quote ""
Android user and package rules are only supported on Android and require auto_route.
Limit android users in route.
| Common user | ID |
|--------------|----|
| Main | 0 |
| Work Profile | 10 |
#### include_package
Limit android packages in route.
#### exclude_package
Exclude android packages in route.
#### include_mac_address
!!! question "Since sing-box 1.14.0"
!!! quote ""
Only supported on Linux with `auto_route` and `auto_redirect` enabled.
Limit MAC addresses in route. Not limited by default.
Conflict with `exclude_mac_address`.
#### exclude_mac_address
!!! question "Since sing-box 1.14.0"
!!! quote ""
Only supported on Linux with `auto_route` and `auto_redirect` enabled.
Exclude MAC addresses in route.
Conflict with `include_mac_address`.
#### platform
Platform-specific settings, provided by client applications.
#### platform.http_proxy
System HTTP proxy settings.
#### platform.http_proxy.enabled
Enable system HTTP proxy.
#### platform.http_proxy.server
==Required==
HTTP proxy server address.
#### platform.http_proxy.server_port
==Required==
HTTP proxy server port.
#### platform.http_proxy.bypass_domain
!!! note ""
On Apple platforms, `bypass_domain` items matches hostname **suffixes**.
Hostnames that bypass the HTTP proxy.
#### platform.http_proxy.match_domain
!!! quote ""
Only supported in graphical clients on Apple platforms.
Hostnames that use the HTTP proxy.
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
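
Review bot: the deprecation notices for `inet4_address`, `inet6_address`, `gso` and the `inet4_*`/`inet6_*` route fields still say each "will be removed in sing-box 1.12.0", while the changelog at the top of this same file already records changes in 1.13.0, 1.13.3 and 1.14.0. Either state that the fields are gone and drop them from the "Deprecated" part of the Structure example, or correct the removal version, so readers can tell whether these keys are still accepted. Several changelog links also appear to point at the wrong anchor: `[route_address_set](#stack)` and `[route_exclude_address_set](#stack)` under 1.11.0, and `[route_exclude_address](#route_address)`, `[iproute2_rule_index](#iproute2_table_index)` and `[route_exclude_address_set](#route_address_set)` under 1.10.0. Finally, `auto_redirect_iproute2_fallback_rule_index` is listed under "Changes in sing-box 1.13.0" but its own section says "Since sing-box 1.12.18", and the 1.13.3 `strict_route` entry has no matching note in the `strict_route` section saying what changed.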

View File

@@ -0,0 +1,623 @@
---
icon: material/new-box
---
!!! quote "sing-box 1.14.0 中的更改"
:material-plus: [include_mac_address](#include_mac_address)
:material-plus: [exclude_mac_address](#exclude_mac_address)
!!! quote "sing-box 1.13.3 中的更改"
:material-alert: [strict_route](#strict_route)
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [auto_redirect_reset_mark](#auto_redirect_reset_mark)
:material-plus: [auto_redirect_nfqueue](#auto_redirect_nfqueue)
:material-plus: [exclude_mptcp](#exclude_mptcp)
:material-plus: [auto_redirect_iproute2_fallback_rule_index](#auto_redirect_iproute2_fallback_rule_index)
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [loopback_address](#loopback_address)
!!! quote "sing-box 1.11.0 中的更改"
:material-delete-alert: [gso](#gso)
:material-alert-decagram: [route_address_set](#stack)
:material-alert-decagram: [route_exclude_address_set](#stack)
!!! quote "sing-box 1.10.0 中的更改"
:material-plus: [address](#address)
:material-delete-clock: [inet4_address](#inet4_address)
:material-delete-clock: [inet6_address](#inet6_address)
:material-plus: [route_address](#route_address)
:material-delete-clock: [inet4_route_address](#inet4_route_address)
:material-delete-clock: [inet6_route_address](#inet6_route_address)
:material-plus: [route_exclude_address](#route_address)
:material-delete-clock: [inet4_route_exclude_address](#inet4_route_exclude_address)
:material-delete-clock: [inet6_route_exclude_address](#inet6_route_exclude_address)
:material-plus: [iproute2_table_index](#iproute2_table_index)
:material-plus: [iproute2_rule_index](#iproute2_table_index)
:material-plus: [auto_redirect](#auto_redirect)
:material-plus: [auto_redirect_input_mark](#auto_redirect_input_mark)
:material-plus: [auto_redirect_output_mark](#auto_redirect_output_mark)
:material-plus: [route_address_set](#route_address_set)
:material-plus: [route_exclude_address_set](#route_address_set)
!!! quote "sing-box 1.9.0 中的更改"
:material-plus: [platform.http_proxy.bypass_domain](#platformhttp_proxybypass_domain)
:material-plus: [platform.http_proxy.match_domain](#platformhttp_proxymatch_domain)
!!! quote "sing-box 1.8.0 中的更改"
:material-plus: [gso](#gso)
:material-alert-decagram: [stack](#stack)
!!! quote ""
仅支持 Linux、Windows 和 macOS。
### 结构
```json
{
"type": "tun",
"tag": "tun-in",
"interface_name": "tun0",
"address": [
"172.18.0.1/30",
"fdfe:dcba:9876::1/126"
],
"mtu": 9000,
"auto_route": true,
"iproute2_table_index": 2022,
"iproute2_rule_index": 9000,
"auto_redirect": true,
"auto_redirect_input_mark": "0x2023",
"auto_redirect_output_mark": "0x2024",
"auto_redirect_reset_mark": "0x2025",
"auto_redirect_nfqueue": 100,
"auto_redirect_iproute2_fallback_rule_index": 32768,
"exclude_mptcp": false,
"loopback_address": [
"10.7.0.1"
],
"strict_route": true,
"route_address": [
"0.0.0.0/1",
"128.0.0.0/1",
"::/1",
"8000::/1"
],
"route_exclude_address": [
"192.168.0.0/16",
"fc00::/7"
],
"route_address_set": [
"geoip-cloudflare"
],
"route_exclude_address_set": [
"geoip-cn"
],
"endpoint_independent_nat": false,
"udp_timeout": "5m",
"stack": "system",
"include_interface": [
"lan0"
],
"exclude_interface": [
"lan1"
],
"include_uid": [
0
],
"include_uid_range": [
"1000:99999"
],
"exclude_uid": [
1000
],
"exclude_uid_range": [
"1000:99999"
],
"include_android_user": [
0,
10
],
"include_package": [
"com.android.chrome"
],
"exclude_package": [
"com.android.captiveportallogin"
],
"include_mac_address": [
"00:11:22:33:44:55"
],
"exclude_mac_address": [
"66:77:88:99:aa:bb"
],
"platform": {
"http_proxy": {
"enabled": false,
"server": "127.0.0.1",
"server_port": 8080,
"bypass_domain": [],
"match_domain": []
}
},
// 已弃用
"gso": false,
"inet4_address": [
"172.19.0.1/30"
],
"inet6_address": [
"fdfe:dcba:9876::1/126"
],
"inet4_route_address": [
"0.0.0.0/1",
"128.0.0.0/1"
],
"inet6_route_address": [
"::/1",
"8000::/1"
],
"inet4_route_exclude_address": [
"192.168.0.0/16"
],
"inet6_route_exclude_address": [
"fc00::/7"
],
... // 监听字段
}
```
!!! note ""
当内容只有一项时,可以忽略 JSON 数组 [] 标签。
!!! warning ""
如果 tun 在非特权模式下运行,地址和 MTU 将不会自动配置,请确保设置正确。
### Tun 字段
#### interface_name
虚拟设备名称,默认自动选择。
#### address
!!! question "自 sing-box 1.10.0 起"
==必填==
tun 接口的 IPv4 和 IPv6 前缀。
#### inet4_address
!!! failure "已在 sing-box 1.10.0 废弃"
`inet4_address` 已合并到 `address` 且将在 sing-box 1.12.0 中被移除。
==必填==
tun 接口的 IPv4 前缀。
#### inet6_address
!!! failure "已在 sing-box 1.10.0 废弃"
`inet6_address` 已合并到 `address` 且将在 sing-box 1.12.0 中被移除。
tun 接口的 IPv6 前缀。
#### mtu
最大传输单元。
#### gso
!!! failure "已在 sing-box 1.11.0 废弃"
GSO 对于透明代理场景没有优势,已废弃和不再生效,且将在 sing-box 1.12.0 中被移除。
!!! question "自 sing-box 1.8.0 起"
!!! quote ""
仅支持 Linux。
启用通用分段卸载。
#### auto_route
设置到 Tun 的默认路由。
!!! quote ""
为避免流量环回,请设置 `route.auto_detect_interface``route.default_interface``outbound.bind_interface`
!!! note "与 Android VPN 一起使用"
VPN 默认优先于 tun。要使 tun 经过 VPN启用 `route.override_android_vpn`
!!! note "也启用 `auto_redirect`"
在 Linux 上始终推荐使用 `auto_redirect`,它提供更好的路由, 更高的性能(优于 tproxy 并避免 TUN 与 Docker 桥接网络冲突。
#### iproute2_table_index
!!! question "自 sing-box 1.10.0 起"
`auto_route` 生成的 iproute2 路由表索引。
默认使用 `2022`
#### iproute2_rule_index
!!! question "自 sing-box 1.10.0 起"
`auto_route` 生成的 iproute2 规则起始索引。
默认使用 `9000`
#### auto_redirect
!!! question "自 sing-box 1.10.0 起"
!!! quote ""
仅支持 Linux且需要 `auto_route` 已启用。
通过使用 nftables 改善 TUN 路由和性能。
在 Linux 上始终推荐使用 `auto_redirect`,它提供更好的路由、更高的性能(优于 tproxy并避免了 TUN 和 Docker 桥接网络之间的冲突。
请注意,`auto_redirect` 也适用于 Android但由于缺少 `nftables``ip6tables`,仅执行简单的 IPv4 TCP 转发。
若要在 Android 上通过热点或中继器共享 VPN 连接,请使用 [VPNHotspot](https://github.com/Mygod/VPNHotspot)。
`auto_redirect` 还会自动将兼容性规则插入 OpenWrt 的 fw4 表中,即无需额外配置即可在路由器上工作。
`route.default_mark``[dialOptions].routing_mark` 冲突。
#### auto_redirect_input_mark
!!! question "自 sing-box 1.10.0 起"
`auto_redirect` 使用的连接输入标记。
默认使用 `0x2023`
#### auto_redirect_output_mark
!!! question "自 sing-box 1.10.0 起"
`auto_redirect` 使用的连接输出标记。
默认使用 `0x2024`
#### auto_redirect_reset_mark
!!! question "自 sing-box 1.13.0 起"
`auto_redirect` 预匹配使用的连接重置标记。
默认使用 `0x2025`
#### auto_redirect_nfqueue
!!! question "自 sing-box 1.13.0 起"
`auto_redirect` 预匹配使用的 NFQueue 编号。
默认使用 `100`
#### auto_redirect_iproute2_fallback_rule_index
!!! question "自 sing-box 1.12.18 起"
`auto_redirect` 生成的 iproute2 回退规则索引。
此规则在系统默认规则32766: main32767: default之后检查
仅当系统路由表中未找到路由时才将流量路由到 sing-box 路由表。
默认使用 `32768`
#### exclude_mptcp
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅支持 Linux且需要 nftables`auto_route``auto_redirect` 已启用。
由于协议限制MPTCP 无法被透明代理。
此类流量通常由 Apple 系统创建。
启用时MPTCP 连接将绕过 sing-box 直接连接,否则,将被拒绝以避免错误。
#### loopback_address
!!! question "自 sing-box 1.12.0 起"
环回地址是用于使指向指定地址的 TCP 连接连接到来源地址的。
将选项值设置为 `10.7.0.1` 可实现与 SideStore/StosVPN 相同的行为。
当启用 `auto_redirect` 时,可以作为网关为局域网设备(而不仅仅是本地)实现相同的行为。
#### strict_route
当启用 `auto_route` 时,强制执行严格的路由规则:
*在 Linux 中*
* 使不支持的网络不可达。
* 出于历史遗留原因,当未启用 `strict_route``auto_redirect` 时,所有 ICMP 流量将不会通过 TUN。
* 当启用 `auto_redirect` 时,`strict_route` 也影响 `SO_BINDTODEVICE` 流量:
* 启用:`SO_BINDTODEVICE` 流量被重定向通过 sing-box。
* 禁用:`SO_BINDTODEVICE` 流量绕过 sing-box。
*在 Windows 中*
* 使不支持的网络不可达。
* 阻止 Windows 的 [普通多宿主 DNS 解析行为](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552%28v%3Dws.10%29) 造成的 DNS 泄露
它可能会使某些 Windows 应用程序(如 VirtualBox在某些情况下无法正常工作。
#### route_address
!!! question "自 sing-box 1.10.0 起"
设置到 Tun 的自定义路由。
#### inet4_route_address
!!! failure "已在 sing-box 1.10.0 废弃"
`inet4_route_address` 已合并到 `route_address` 且将在 sing-box 1.12.0 中被移除。
启用 `auto_route` 时使用自定义路由而不是默认路由。
#### inet6_route_address
!!! failure "已在 sing-box 1.10.0 废弃"
`inet6_route_address` 已合并到 `route_address` 且将在 sing-box 1.12.0 中被移除。
启用 `auto_route` 时使用自定义路由而不是默认路由。
#### route_exclude_address
!!! question "自 sing-box 1.10.0 起"
设置到 Tun 的排除自定义路由。
#### inet4_route_exclude_address
!!! failure "已在 sing-box 1.10.0 废弃"
`inet4_route_exclude_address` 已合并到 `route_exclude_address` 且将在 sing-box 1.12.0 中被移除。
启用 `auto_route` 时排除自定义路由。
#### inet6_route_exclude_address
!!! failure "已在 sing-box 1.10.0 废弃"
`inet6_route_exclude_address` 已合并到 `route_exclude_address` 且将在 sing-box 1.12.0 中被移除。
启用 `auto_route` 时排除自定义路由。
#### route_address_set
=== "`auto_redirect` 已启用"
!!! question "自 sing-box 1.10.0 起"
!!! quote ""
仅支持 Linux且需要 nftables`auto_route``auto_redirect` 已启用。
将指定规则集中的目标 IP CIDR 规则添加到防火墙。
不匹配的流量将绕过 sing-box 路由。
=== "`auto_redirect` 未启用"
!!! question "自 sing-box 1.11.0 起"
将指定规则集中的目标 IP CIDR 规则添加到路由,相当于添加到 `route_address`
不匹配的流量将绕过 sing-box 路由。
请注意,由于 Android VpnService 无法处理大量路由DeadSystemException
因此它**在 Android 图形客户端上不起作用**,但除此之外,它在所有命令行客户端和 Apple 平台上都可以正常工作。
#### route_exclude_address_set
=== "`auto_redirect` 已启用"
!!! question "自 sing-box 1.10.0 起"
!!! quote ""
仅支持 Linux且需要 nftables`auto_route``auto_redirect` 已启用。
将指定规则集中的目标 IP CIDR 规则添加到防火墙。
匹配的流量将绕过 sing-box 路由。
`route.default_mark``[dialOptions].routing_mark` 冲突。
=== "`auto_redirect` 未启用"
!!! question "自 sing-box 1.11.0 起"
将指定规则集中的目标 IP CIDR 规则添加到路由,相当于添加到 `route_exclude_address`
匹配的流量将绕过 sing-box 路由。
请注意,由于 Android VpnService 无法处理大量路由DeadSystemException
因此它**在 Android 图形客户端上不起作用**,但除此之外,它在所有命令行客户端和 Apple 平台上都可以正常工作。
#### endpoint_independent_nat
启用独立于端点的 NAT。
性能可能会略有下降,所以不建议在不需要的时候开启。
#### udp_timeout
UDP NAT 过期时间。
默认使用 `5m`
#### stack
!!! quote "sing-box 1.8.0 中的更改"
:material-delete-alert: 旧的 LWIP 栈已被弃用并移除。
TCP/IP 栈。
| 栈 | 描述 |
|----------|-------------------------------------------------------------------------------------------------------|
| `system` | 基于系统网络栈执行 L3 到 L4 转换 |
| `gvisor` | 基于 [gVisor](https://github.com/google/gvisor) 虚拟网络栈执行 L3 到 L4 转换 |
| `mixed` | 混合 `system` TCP 栈与 `gvisor` UDP 栈 |
默认使用 `mixed` 栈如果 gVisor 构建标记已启用,否则默认使用 `system` 栈。
#### include_interface
!!! quote ""
接口规则仅在 Linux 下被支持,并且需要 `auto_route`
限制被路由的接口。默认不限制。
`exclude_interface` 冲突。
#### exclude_interface
!!! warning ""
`strict_route` 启用,到被排除接口的回程流量将不会被自动排除,因此也要添加它们(例:`br-lan``pppoe-wan`)。
排除路由的接口。
`include_interface` 冲突。
#### include_uid
!!! quote ""
UID 规则仅在 Linux 下被支持,并且需要 `auto_route`
限制被路由的用户。默认不限制。
#### include_uid_range
限制被路由的用户范围。
#### exclude_uid
排除路由的用户。
#### exclude_uid_range
排除路由的用户范围。
#### include_android_user
!!! quote ""
Android 用户和应用规则仅在 Android 下被支持,并且需要 `auto_route`
限制被路由的 Android 用户。
| 常用用户 | ID |
|------|----|
| 您 | 0 |
| 工作资料 | 10 |
#### include_package
限制被路由的 Android 应用包名。
#### exclude_package
排除路由的 Android 应用包名。
#### include_mac_address
!!! question "自 sing-box 1.14.0 起"
!!! quote ""
仅支持 Linux且需要 `auto_route``auto_redirect` 已启用。
限制被路由的 MAC 地址。默认不限制。
`exclude_mac_address` 冲突。
#### exclude_mac_address
!!! question "自 sing-box 1.14.0 起"
!!! quote ""
仅支持 Linux且需要 `auto_route``auto_redirect` 已启用。
排除路由的 MAC 地址。
`include_mac_address` 冲突。
#### platform
平台特定的设置,由客户端应用提供。
#### platform.http_proxy
系统 HTTP 代理设置。
##### platform.http_proxy.enabled
启用系统 HTTP 代理。
##### platform.http_proxy.server
==必填==
系统 HTTP 代理服务器地址。
##### platform.http_proxy.server_port
==必填==
系统 HTTP 代理服务器端口。
##### platform.http_proxy.bypass_domain
!!! note ""
在 Apple 平台,`bypass_domain` 项匹配主机名 **后缀**.
绕过代理的主机名列表。
##### platform.http_proxy.match_domain
!!! quote ""
仅在 Apple 平台图形客户端中支持。
代理的主机名列表。
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/)。
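
Review bot: this translation disagrees with the English page in places that change how a reader configures the inbound. The conflict note for `route.default_mark` and `[dialOptions].routing_mark` sits under `route_exclude_address_set` (the `auto_redirect` tab) here, but under `route_address_set` in the English file; `address` and `inet4_address` are marked `==必填==` here while the English page marks neither as required; the `gso` support note reads "仅支持 Linux" without the `auto_route` condition the English page gives; and `endpoint_independent_nat` is missing the note that the option only applies to the gvisor stack. Please align the two files and decide which version is correct for each of these. The heading levels also differ (`##### platform.http_proxy.enabled` here, `####` in English), and the changelog link anchors carry the same apparent mistakes as the English page (`#stack` for the two `route_*_address_set` entries).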

View File

@@ -0,0 +1,59 @@
### Structure
```json
{
"type": "vless",
"tag": "vless-in",
... // Listen Fields
"users": [
{
"name": "sekai",
"uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
"flow": ""
}
],
"tls": {},
"multiplex": {},
"transport": {}
}
```
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
### Fields
#### users
==Required==
VLESS users.
#### users.uuid
==Required==
VLESS user id.
#### users.flow
VLESS Sub-protocol.
Available values:
* `xtls-rprx-vision`
#### tls
TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
#### multiplex
See [Multiplex](/configuration/shared/multiplex#inbound) for details.
#### transport
V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport/).
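
Review bot: the Structure example sets `"name": "sekai"` under `users`, but the Fields section only documents `users.uuid` and `users.flow`, so `users.name` is undocumented. Add an entry saying what the name is used for and whether it is required. The example also shows `"flow": ""` while the only listed value is `xtls-rprx-vision`; say explicitly that an empty value means no sub-protocol. Since the `uuid` is the only user credential shown, a line telling readers to generate their own value rather than reuse the sample `bf000d23-...` UUID would be worth adding.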

View File

@@ -0,0 +1,59 @@
### 结构
```json
{
"type": "vless",
"tag": "vless-in",
... // 监听字段
"users": [
{
"name": "sekai",
"uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
"flow": ""
}
],
"tls": {},
"multiplex": {},
"transport": {}
}
```
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/)。
### 字段
#### users
==必填==
VLESS 用户。
#### users.uuid
==必填==
VLESS 用户 ID。
#### users.flow
VLESS 子协议。
可用值:
* `xtls-rprx-vision`
#### tls
TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
#### multiplex
参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。
#### transport
V2Ray 传输配置,参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport/)。

View File

@@ -0,0 +1,54 @@
### Structure
```json
{
"type": "vmess",
"tag": "vmess-in",
... // Listen Fields
"users": [
{
"name": "sekai",
"uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
"alterId": 0
}
],
"tls": {},
"multiplex": {},
"transport": {}
}
```
### Listen Fields
See [Listen Fields](/configuration/shared/listen/) for details.
### Fields
#### users
==Required==
VMess users.
| Alter ID | Description |
|----------|-------------------------|
| 0 | Disable legacy protocol |
| > 0 | Enable legacy protocol |
!!! warning ""
Legacy protocol support (VMess MD5 Authentication) is provided for compatibility purposes only, use of alterId > 1 is not recommended.
#### tls
TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
#### multiplex
See [Multiplex](/configuration/shared/multiplex#inbound) for details.
#### transport
V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport/).
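
Review bot: the warning under `users` says "use of alterId > 1 is not recommended", but the table directly above it states that any value `> 0` enables the legacy protocol (VMess MD5 Authentication). As written, `alterId: 1` enables the legacy protocol and still falls outside the warning. The threshold in the warning should read `> 0` to match the table. The table is also placed under `users` with no `users.alterId` heading of its own, and `users.name` and `users.uuid` from the Structure example have no field entries at all.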

View File

@@ -0,0 +1,54 @@
### 结构
```json
{
"type": "vmess",
"tag": "vmess-in",
... // 监听字段
"users": [
{
"name": "sekai",
"uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
"alterId": 0
}
],
"tls": {},
"multiplex": {},
"transport": {}
}
```
### 监听字段
参阅 [监听字段](/zh/configuration/shared/listen/)。
### 字段
#### users
==必填==
VMess 用户。
| Alter ID | 描述 |
|----------|-------|
| 0 | 禁用旧协议 |
| > 0 | 启用旧协议 |
!!! warning ""
提供旧协议支持VMess MD5 身份验证)仅出于兼容性目的,不建议使用 alterId > 1。
#### tls
TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#入站)。
#### multiplex
参阅 [多路复用](/zh/configuration/shared/multiplex#入站)。
#### transport
V2Ray 传输配置,参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport/)。
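
Review bot: the warning "不建议使用 alterId > 1" contradicts the table above it, where `> 0` already enables the legacy protocol. The threshold in the warning should be `> 0`, in step with the table, so that `alterId: 1` is covered.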

View File

@@ -0,0 +1,54 @@
# Introduction
sing-box uses JSON for configuration files.
### Structure
```json
{
"log": {},
"dns": {},
"ntp": {},
"certificate": {},
"certificate_providers": [],
"endpoints": [],
"inbounds": [],
"outbounds": [],
"route": {},
"services": [],
"experimental": {}
}
```
### Fields
| Key | Format |
|----------------|---------------------------------|
| `log` | [Log](./log/) |
| `dns` | [DNS](./dns/) |
| `ntp` | [NTP](./ntp/) |
| `certificate` | [Certificate](./certificate/) |
| `certificate_providers` | [Certificate Provider](./shared/certificate-provider/) |
| `endpoints` | [Endpoint](./endpoint/) |
| `inbounds` | [Inbound](./inbound/) |
| `outbounds` | [Outbound](./outbound/) |
| `route` | [Route](./route/) |
| `services` | [Service](./service/) |
| `experimental` | [Experimental](./experimental/) |
### Check
```bash
sing-box check
```
### Format
```bash
sing-box format -w -c config.json -D config_directory
```
### Merge
```bash
sing-box merge output.json -c config.json -D config_directory
```
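
Review bot: the Check, Format and Merge sections give a command and nothing else, and `sing-box check` is shown with no `-c` or `-D` while the other two commands pass both. Say which configuration path `check` reads when no flag is given, and add one line per command on what it does, in particular that `-w` changes behaviour in `sing-box format -w -c config.json -D config_directory`. Style point: the separator row of the Fields table is narrower than the `certificate_providers` row, so the source table no longer lines up.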

View File

@@ -0,0 +1,54 @@
# 引言
sing-box 使用 JSON 作为配置文件格式。
### 结构
```json
{
"log": {},
"dns": {},
"ntp": {},
"certificate": {},
"certificate_providers": [],
"endpoints": [],
"inbounds": [],
"outbounds": [],
"route": {},
"services": [],
"experimental": {}
}
```
### 字段
| Key | Format |
|----------------|------------------------|
| `log` | [日志](./log/) |
| `dns` | [DNS](./dns/) |
| `ntp` | [NTP](./ntp/) |
| `certificate` | [证书](./certificate/) |
| `certificate_providers` | [证书提供者](./shared/certificate-provider/) |
| `endpoints` | [端点](./endpoint/) |
| `inbounds` | [入站](./inbound/) |
| `outbounds` | [出站](./outbound/) |
| `route` | [路由](./route/) |
| `services` | [服务](./service/) |
| `experimental` | [实验性](./experimental/) |
### 检查
```bash
sing-box check
```
### 格式化
```bash
sing-box format -w -c config.json -D config_directory
```
### 合并
```bash
sing-box merge output.json -c config.json -D config_directory
```
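
Review bot: the Fields table header is left as `Key | Format` while every cell in the second column is translated; translate the header as well. The separator row is also narrower than the `certificate_providers` row, same as in the English file.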

View File

@@ -0,0 +1,33 @@
# Log
### Structure
```json
{
"log": {
"disabled": false,
"level": "info",
"output": "box.log",
"timestamp": true
}
}
```
### Fields
#### disabled
Disable logging, no output after start.
#### level
Log level. One of: `trace` `debug` `info` `warn` `error` `fatal` `panic`.
#### output
Output file path. Will not write log to console after enable.
#### timestamp
Add time to each line.
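
Review bot: `level` lists the accepted values but gives no default, and `output` does not say what a relative path such as the example's `box.log` is resolved against. Both matter to anyone who later has to find or rely on these logs, so please document them. Wording: "Will not write log to console after enable." should be something like "When set, logs are no longer written to the console."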

View File

@@ -0,0 +1,33 @@
# 日志
### 结构
```json
{
"log": {
"disabled": false,
"level": "info",
"output": "box.log",
"timestamp": true
}
}
```
### 字段
#### disabled
禁用日志,启动后不输出日志。
#### level
日志等级,可选值:`trace` `debug` `info` `warn` `error` `fatal` `panic`
#### output
输出文件路径,启动后将不输出到控制台。
#### timestamp
添加时间到每行。

View File

@@ -0,0 +1,50 @@
# NTP
Built-in NTP client service.
If enabled, it will provide time for protocols like TLS/Shadowsocks/VMess, which is useful for environments where time
synchronization is not possible.
### Structure
```json
{
"ntp": {
"enabled": false,
"server": "time.apple.com",
"server_port": 123,
"interval": "30m",
... // Dial Fields
}
}
```
### Fields
#### enabled
Enable NTP service.
#### server
==Required==
NTP server address.
#### server_port
NTP server port.
123 is used by default.
#### interval
Time synchronization interval.
30 minutes is used by default.
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.
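
Review bot: the introduction says the client "will provide time for protocols like TLS/Shadowsocks/VMess", but nothing in the Fields section says whether the system clock is changed or only sing-box's internal time, nor what time those protocols use before the first sync or after a failed one. Because TLS certificate validation depends on that time, the page should state this behaviour. The `server_port` and `interval` defaults are given as bare `123` and `30 minutes`; formatting them as `123` and `30m` in code style would match the Structure example.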

View File

@@ -0,0 +1,49 @@
# NTP
内建的 NTP 客户端服务。
如果启用,它将为像 TLS/Shadowsocks/VMess 这样的协议提供时间,这对于无法进行时间同步的环境很有用。
### 结构
```json
{
"ntp": {
"enabled": false,
"server": "time.apple.com",
"server_port": 123,
"interval": "30m",
... // 拨号字段
}
}
```
### 字段
#### enabled
启用 NTP 服务。
#### server
==必填==
NTP 服务器地址。
#### server_port
NTP 服务器端口。
默认使用 123。
#### interval
时间同步间隔。
默认使用 30 分钟。
### 拨号字段
参阅 [拨号字段](/zh/configuration/shared/dial/)。

View File

@@ -0,0 +1,66 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.12.0"
### Structure
```json
{
"type": "anytls",
"tag": "anytls-out",
"server": "127.0.0.1",
"server_port": 1080,
"password": "8JCsPssfgS8tiRwiMlhARg==",
"idle_session_check_interval": "30s",
"idle_session_timeout": "30s",
"min_idle_session": 5,
"tls": {},
... // Dial Fields
}
```
### Fields
#### server
==Required==
The server address.
#### server_port
==Required==
The server port.
#### password
==Required==
The AnyTLS password.
#### idle_session_check_interval
Interval checking for idle sessions. Default: 30s.
#### idle_session_timeout
In the check, close sessions that have been idle for longer than this. Default: 30s.
#### min_idle_session
In the check, at least the first `n` idle sessions are kept open. Default value: `n`=0
#### tls
==Required==
TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
### Dial Fields
See [Dial Fields](/configuration/shared/dial/) for details.
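
Review bot: the Structure example uses a realistic-looking secret, `"password": "8JCsPssfgS8tiRwiMlhARg=="`, which invites copy-paste into real configurations; an obvious placeholder would be safer. The example also sets `"min_idle_session": 5` while the field text says "Default value: `n`=0", so note that the example value is illustrative. Style: the defaults are written three different ways ("Default: 30s.", "Default: 30s.", "Default value: `n`=0" with no period); pick one form.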

View File

@@ -0,0 +1,66 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.12.0 起"
### 结构
```json
{
"type": "anytls",
"tag": "anytls-out",
"server": "127.0.0.1",
"server_port": 1080,
"password": "8JCsPssfgS8tiRwiMlhARg==",
"idle_session_check_interval": "30s",
"idle_session_timeout": "30s",
"min_idle_session": 5,
"tls": {},
... // 拨号字段
}
```
### 字段
#### server
==必填==
服务器地址。
#### server_port
==必填==
服务器端口。
#### password
==必填==
AnyTLS 密码。
#### idle_session_check_interval
检查空闲会话的时间间隔。默认值30秒。
#### idle_session_timeout
在检查中关闭闲置时间超过此值的会话。默认值30秒。
#### min_idle_session
在检查中,至少前 `n` 个空闲会话保持打开状态。默认值:`n`=0
#### tls
==必填==
TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#出站)。
### 拨号字段
参阅 [拨号字段](/zh/configuration/shared/dial/)。

View File

@@ -0,0 +1,16 @@
---
icon: material/delete-clock
---
### Structure
```json
{
"type": "block",
"tag": "block"
}
```
### Fields
No fields.
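
Review bot: the front matter sets `icon: material/delete-clock`, the icon this documentation uses elsewhere for deprecated items, but the page carries no deprecation notice saying in which version `block` was deprecated or what replaces it. Add a `!!! failure "Deprecated in ..."` block as the other deprecated entries have. The page also lacks the one-line description that the Chinese file includes ("`block` 出站关闭所有传入请求。"), which accounts for the 16 versus 18 line difference between the two files.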

View File

@@ -0,0 +1,18 @@
---
icon: material/delete-clock
---
`block` 出站关闭所有传入请求。
### 结构
```json
{
"type": "block",
"tag": "block"
}
```
### 字段
无字段。
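
Review bot: the front matter marks this page with `icon: material/delete-clock`, but there is no `!!! failure` deprecation notice stating the version in which `block` was deprecated or what to use instead. Add one, as the deprecated fields on the tun page have.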

Some files were not shown because too many files have changed in this diff