CN-JS-HuiBai/SingboxForPanel
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

First Commmit

Browse Source
This commit is contained in:
CN-JS-HuiBai
2026-04-14 22:41:14 +08:00
commit 9f867b19da
1086 changed files with 147554 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

150
docs/configuration/shared/certificate-provider/acme.md Normal file
View File

@@ -0,0 +1,150 @@
---
icon: material/new-box
---
!!! quote "Changes in sing-box 1.14.0"
:material-plus: [account_key](#account_key)
:material-plus: [key_type](#key_type)
:material-plus: [detour](#detour)
# ACME
!!! quote ""
`with_acme` build tag required.
### Structure
```json
{
"type": "acme",
"tag": "",
"domain": [],
"data_directory": "",
"default_server_name": "",
"email": "",
"provider": "",
"account_key": "",
"disable_http_challenge": false,
"disable_tls_alpn_challenge": false,
"alternative_http_port": 0,
"alternative_tls_port": 0,
"external_account": {
"key_id": "",
"mac_key": ""
},
"dns01_challenge": {},
"key_type": "",
"detour": ""
}
```
### Fields
#### domain
==Required==
List of domains.
#### data_directory
The directory to store ACME data.
`$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic` will be used if empty.
#### default_server_name
Server name to use when choosing a certificate if the ClientHello's ServerName field is empty.
#### email
The email address to use when creating or selecting an existing ACME server account.
#### provider
The ACME CA provider to use.
| Value | Provider |
|-------------------------|---------------|
| `letsencrypt (default)` | Let's Encrypt |
| `zerossl` | ZeroSSL |
| `https://...` | Custom |
When `provider` is `zerossl`, sing-box will automatically request ZeroSSL EAB credentials if `email` is set and
`external_account` is empty.
When `provider` is `zerossl`, at least one of `external_account`, `email`, or `account_key` is required.
#### account_key
!!! question "Since sing-box 1.14.0"
The PEM-encoded private key of an existing ACME account.
#### disable_http_challenge
Disable all HTTP challenges.
#### disable_tls_alpn_challenge
Disable all TLS-ALPN challenges
#### alternative_http_port
The alternate port to use for the ACME HTTP challenge; if non-empty, this port will be used instead of 80 to spin up a
listener for the HTTP challenge.
#### alternative_tls_port
The alternate port to use for the ACME TLS-ALPN challenge; the system must forward 443 to this port for challenge to
succeed.
#### external_account
EAB (External Account Binding) contains information necessary to bind or map an ACME account to some other account known
by the CA.
External account bindings are used to associate an ACME account with an existing account in a non-ACME system, such as
a CA customer database.
To enable ACME account binding, the CA operating the ACME server needs to provide the ACME client with a MAC key and a
key identifier, using some mechanism outside of ACME. §7.3.4
#### external_account.key_id
The key identifier.
#### external_account.mac_key
The MAC key.
#### dns01_challenge
ACME DNS01 challenge field. If configured, other challenge methods will be disabled.
See [DNS01 Challenge Fields](/configuration/shared/dns01_challenge/) for details.
#### key_type
!!! question "Since sing-box 1.14.0"
The private key type to generate for new certificates.
| Value | Type |
|------------|---------|
| `ed25519` | Ed25519 |
| `p256` | P-256 |
| `p384` | P-384 |
| `rsa2048` | RSA |
| `rsa4096` | RSA |
#### detour
!!! question "Since sing-box 1.14.0"
The tag of the upstream outbound.
All provider HTTP requests will use this outbound.

145
docs/configuration/shared/certificate-provider/acme.zh.md Normal file
View File

@@ -0,0 +1,145 @@
---
icon: material/new-box
---
!!! quote "sing-box 1.14.0 中的更改"
:material-plus: [account_key](#account_key)
:material-plus: [key_type](#key_type)
:material-plus: [detour](#detour)
# ACME
!!! quote ""
需要 `with_acme` 构建标签。
### 结构
```json
{
"type": "acme",
"tag": "",
"domain": [],
"data_directory": "",
"default_server_name": "",
"email": "",
"provider": "",
"account_key": "",
"disable_http_challenge": false,
"disable_tls_alpn_challenge": false,
"alternative_http_port": 0,
"alternative_tls_port": 0,
"external_account": {
"key_id": "",
"mac_key": ""
},
"dns01_challenge": {},
"key_type": "",
"detour": ""
}
```
### 字段
#### domain
==必填==
域名列表。
#### data_directory
ACME 数据存储目录。
如果为空则使用 `$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic`
#### default_server_name
如果 ClientHello 的 ServerName 字段为空,则选择证书时要使用的服务器名称。
#### email
创建或选择现有 ACME 服务器帐户时使用的电子邮件地址。
#### provider
要使用的 ACME CA 提供商。
| 值 | 提供商 |
|--------------------|---------------|
| `letsencrypt (默认)` | Let's Encrypt |
| `zerossl` | ZeroSSL |
| `https://...` | 自定义 |
`provider``zerossl` 时,如果设置了 `email` 且未设置 `external_account`
sing-box 会自动向 ZeroSSL 请求 EAB 凭据。
`provider``zerossl` 时,必须至少设置 `external_account``email``account_key` 之一。
#### account_key
!!! question "自 sing-box 1.14.0 起"
现有 ACME 帐户的 PEM 编码私钥。
#### disable_http_challenge
禁用所有 HTTP 质询。
#### disable_tls_alpn_challenge
禁用所有 TLS-ALPN 质询。
#### alternative_http_port
用于 ACME HTTP 质询的备用端口;如果非空,将使用此端口而不是 80 来启动 HTTP 质询的侦听器。
#### alternative_tls_port
用于 ACME TLS-ALPN 质询的备用端口; 系统必须将 443 转发到此端口以使质询成功。
#### external_account
EAB外部帐户绑定包含将 ACME 帐户绑定或映射到 CA 已知的其他帐户所需的信息。
外部帐户绑定用于将 ACME 帐户与非 ACME 系统中的现有帐户相关联,例如 CA 客户数据库。
为了启用 ACME 帐户绑定,运行 ACME 服务器的 CA 需要使用 ACME 之外的某种机制向 ACME 客户端提供 MAC 密钥和密钥标识符。§7.3.4
#### external_account.key_id
密钥标识符。
#### external_account.mac_key
MAC 密钥。
#### dns01_challenge
ACME DNS01 质询字段。如果配置,将禁用其他质询方法。
参阅 [DNS01 质询字段](/zh/configuration/shared/dns01_challenge/)。
#### key_type
!!! question "自 sing-box 1.14.0 起"
为新证书生成的私钥类型。
| 值 | 类型 |
|-----------|----------|
| `ed25519` | Ed25519 |
| `p256` | P-256 |
| `p384` | P-384 |
| `rsa2048` | RSA |
| `rsa4096` | RSA |
#### detour
!!! question "自 sing-box 1.14.0 起"
上游出站的标签。
所有提供者 HTTP 请求将使用此出站。

82
docs/configuration/shared/certificate-provider/cloudflare-origin-ca.md Normal file
View File

@@ -0,0 +1,82 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.14.0"
# Cloudflare Origin CA
### Structure
```json
{
"type": "cloudflare-origin-ca",
"tag": "",
"domain": [],
"data_directory": "",
"api_token": "",
"origin_ca_key": "",
"request_type": "",
"requested_validity": 0,
"detour": ""
}
```
### Fields
#### domain
==Required==
List of domain names or wildcard domain names to include in the certificate.
#### data_directory
Root directory used to store the issued certificate, private key, and metadata.
If empty, sing-box uses the same default data directory as the ACME certificate provider:
`$XDG_DATA_HOME/certmagic` or `$HOME/.local/share/certmagic`.
#### api_token
Cloudflare API token used to create the certificate.
Get or create one in [Cloudflare Dashboard > My Profile > API Tokens](https://dash.cloudflare.com/profile/api-tokens).
Requires the `Zone / SSL and Certificates / Edit` permission.
Conflict with `origin_ca_key`.
#### origin_ca_key
Cloudflare Origin CA Key.
Get it in [Cloudflare Dashboard > My Profile > API Tokens > API Keys > Origin CA Key](https://dash.cloudflare.com/profile/api-tokens).
Conflict with `api_token`.
#### request_type
The signature type to request from Cloudflare.
| Value | Type |
|----------------------|-------------|
| `origin-rsa` | RSA |
| `origin-ecc` | ECDSA P-256 |
`origin-rsa` is used if empty.
#### requested_validity
The requested certificate validity in days.
Available values: `7`, `30`, `90`, `365`, `730`, `1095`, `5475`.
`5475` days (15 years) is used if empty.
#### detour
The tag of the upstream outbound.
All provider HTTP requests will use this outbound.

82
docs/configuration/shared/certificate-provider/cloudflare-origin-ca.zh.md Normal file
View File

@@ -0,0 +1,82 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.14.0 起"
# Cloudflare Origin CA
### 结构
```json
{
"type": "cloudflare-origin-ca",
"tag": "",
"domain": [],
"data_directory": "",
"api_token": "",
"origin_ca_key": "",
"request_type": "",
"requested_validity": 0,
"detour": ""
}
```
### 字段
#### domain
==必填==
要写入证书的域名或通配符域名列表。
#### data_directory
保存签发证书、私钥和元数据的根目录。
如果为空sing-box 会使用与 ACME 证书提供者相同的默认数据目录:
`$XDG_DATA_HOME/certmagic``$HOME/.local/share/certmagic`
#### api_token
用于创建证书的 Cloudflare API Token。
可在 [Cloudflare Dashboard > My Profile > API Tokens](https://dash.cloudflare.com/profile/api-tokens) 获取或创建。
需要 `Zone / SSL and Certificates / Edit` 权限。
`origin_ca_key` 冲突。
#### origin_ca_key
Cloudflare Origin CA Key。
可在 [Cloudflare Dashboard > My Profile > API Tokens > API Keys > Origin CA Key](https://dash.cloudflare.com/profile/api-tokens) 获取。
`api_token` 冲突。
#### request_type
向 Cloudflare 请求的签名类型。
| 值 | 类型 |
|----------------------|-------------|
| `origin-rsa` | RSA |
| `origin-ecc` | ECDSA P-256 |
如果为空,使用 `origin-rsa`
#### requested_validity
请求的证书有效期,单位为天。
可用值:`7``30``90``365``730``1095``5475`
如果为空,使用 `5475`15 年)。
#### detour
上游出站的标签。
所有提供者 HTTP 请求将使用此出站。

32
docs/configuration/shared/certificate-provider/index.md Normal file
View File

@@ -0,0 +1,32 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.14.0"
# Certificate Provider
### Structure
```json
{
"certificate_providers": [
{
"type": "",
"tag": ""
}
]
}
```
### Fields
| Type | Format |
|--------|------------------|
| `acme` | [ACME](/configuration/shared/certificate-provider/acme) |
| `tailscale` | [Tailscale](/configuration/shared/certificate-provider/tailscale) |
| `cloudflare-origin-ca` | [Cloudflare Origin CA](/configuration/shared/certificate-provider/cloudflare-origin-ca) |
#### tag
The tag of the certificate provider.

32
docs/configuration/shared/certificate-provider/index.zh.md Normal file
View File

@@ -0,0 +1,32 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.14.0 起"
# 证书提供者
### 结构
```json
{
"certificate_providers": [
{
"type": "",
"tag": ""
}
]
}
```
### 字段
| 类型 | 格式 |
|--------|------------------|
| `acme` | [ACME](/zh/configuration/shared/certificate-provider/acme) |
| `tailscale` | [Tailscale](/zh/configuration/shared/certificate-provider/tailscale) |
| `cloudflare-origin-ca` | [Cloudflare Origin CA](/zh/configuration/shared/certificate-provider/cloudflare-origin-ca) |
#### tag
证书提供者的标签。

27
docs/configuration/shared/certificate-provider/tailscale.md Normal file
View File

@@ -0,0 +1,27 @@
---
icon: material/new-box
---
!!! question "Since sing-box 1.14.0"
# Tailscale
### Structure
```json
{
"type": "tailscale",
"tag": "ts-cert",
"endpoint": "ts-ep"
}
```
### Fields
#### endpoint
==Required==
The tag of the [Tailscale endpoint](/configuration/endpoint/tailscale/) to reuse.
[MagicDNS and HTTPS](https://tailscale.com/kb/1153/enabling-https) must be enabled in the Tailscale admin console.

27
docs/configuration/shared/certificate-provider/tailscale.zh.md Normal file
View File

@@ -0,0 +1,27 @@
---
icon: material/new-box
---
!!! question "自 sing-box 1.14.0 起"
# Tailscale
### 结构
```json
{
"type": "tailscale",
"tag": "ts-cert",
"endpoint": "ts-ep"
}
```
### 字段
#### endpoint
==必填==
要复用的 [Tailscale 端点](/zh/configuration/endpoint/tailscale/) 的标签。
必须在 Tailscale 管理控制台中启用 [MagicDNS 和 HTTPS](https://tailscale.com/kb/1153/enabling-https)。

270
docs/configuration/shared/dial.md Normal file
View File

@@ -0,0 +1,270 @@
---
icon: material/new-box
---
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)
:material-plus: [tcp_keep_alive](#tcp_keep_alive)
:material-plus: [tcp_keep_alive_interval](#tcp_keep_alive_interval)
:material-plus: [bind_address_no_port](#bind_address_no_port)
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [domain_resolver](#domain_resolver)
:material-delete-clock: [domain_strategy](#domain_strategy)
:material-plus: [netns](#netns)
!!! quote "Changes in sing-box 1.11.0"
:material-plus: [network_strategy](#network_strategy)
:material-alert: [fallback_delay](#fallback_delay)
:material-alert: [network_type](#network_type)
:material-alert: [fallback_network_type](#fallback_network_type)
### Structure
```json
{
"detour": "",
"bind_interface": "",
"inet4_bind_address": "",
"inet6_bind_address": "",
"bind_address_no_port": false,
"routing_mark": 0,
"reuse_addr": false,
"netns": "",
"connect_timeout": "",
"tcp_fast_open": false,
"tcp_multi_path": false,
"disable_tcp_keep_alive": false,
"tcp_keep_alive": "",
"tcp_keep_alive_interval": "",
"udp_fragment": false,
"domain_resolver": "", // or {}
"network_strategy": "",
"network_type": [],
"fallback_network_type": [],
"fallback_delay": "",
// Deprecated
"domain_strategy": ""
}
```
!!! note ""
You can ignore the JSON Array [] tag when the content is only one item
### Fields
#### detour
The tag of the upstream outbound.
If enabled, all other fields will be ignored.
#### bind_interface
The network interface to bind to.
#### inet4_bind_address
The IPv4 address to bind to.
#### inet6_bind_address
The IPv6 address to bind to.
#### bind_address_no_port
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported on Linux.
Do not reserve a port when binding to a source address.
This allows reusing the same source port for multiple connections if the full 4-tuple (source IP, source port, destination IP, destination port) remains unique.
#### routing_mark
!!! quote ""
Only supported on Linux.
Set netfilter routing mark.
Integers (e.g. `1234`) and string hexadecimals (e.g. `"0x1234"`) are supported.
#### reuse_addr
Reuse listener address.
#### netns
!!! question "Since sing-box 1.12.0"
!!! quote ""
Only supported on Linux.
Set network namespace, name or path.
#### connect_timeout
Connect timeout, in golang's Duration format.
A duration string is a possibly signed sequence of
decimal numbers, each with optional fraction and a unit suffix,
such as "300ms", "-1.5h" or "2h45m".
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
#### tcp_fast_open
Enable TCP Fast Open.
#### tcp_multi_path
!!! warning ""
Go 1.21 required.
Enable TCP Multi Path.
#### disable_tcp_keep_alive
!!! question "Since sing-box 1.13.0"
Disable TCP keep alive.
#### tcp_keep_alive
!!! question "Since sing-box 1.13.0"
Default value changed from `10m` to `5m`.
TCP keep alive initial period.
`5m` will be used by default.
#### tcp_keep_alive_interval
!!! question "Since sing-box 1.13.0"
TCP keep alive interval.
`75s` will be used by default.
#### udp_fragment
Enable UDP fragmentation.
#### domain_resolver
!!! warning ""
`outbound` DNS rule items are deprecated and will be removed in sing-box 1.14.0, so this item will be required for outbound/endpoints using domain name in server address since sing-box 1.14.0.
!!! info ""
`domain_resolver` or `route.default_domain_resolver` is optional when only one DNS server is configured.
Set domain resolver to use for resolving domain names.
This option uses the same format as the [route DNS rule action](/configuration/dns/rule_action/#route) without the `action` field.
Setting this option directly to a string is equivalent to setting `server` of this options.
| Outbound/Endpoints | Effected domains |
|--------------------|--------------------------|
| `direct` | Domain in request |
| others | Domain in server address |
#### network_strategy
!!! question "Since sing-box 1.11.0"
!!! quote ""
Only supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.
Strategy for selecting network interfaces.
Available values:
- `default` (default): Connect to default network or networks specified in `network_type` sequentially.
- `hybrid`: Connect to all networks or networks specified in `network_type` concurrently.
- `fallback`: Connect to default network or preferred networks specified in `network_type` concurrently, and try fallback networks when unavailable or timeout.
For fallback, when preferred interfaces fails or times out,
it will enter a 15s fast fallback state (Connect to all preferred and fallback networks concurrently),
and exit immediately if preferred networks recover.
Conflicts with `bind_interface`, `inet4_bind_address` and `inet6_bind_address`.
#### network_type
!!! question "Since sing-box 1.11.0"
!!! quote ""
Only supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.
Network types to use when using `default` or `hybrid` network strategy or
preferred network types to use when using `fallback` network strategy.
Available values: `wifi`, `cellular`, `ethernet`, `other`.
Device's default network is used by default.
#### fallback_network_type
!!! question "Since sing-box 1.11.0"
!!! quote ""
Only supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.
Fallback network types when preferred networks are unavailable or timeout when using `fallback` network strategy.
All other networks expect preferred are used by default.
#### fallback_delay
!!! question "Since sing-box 1.11.0"
!!! quote ""
Only supported in graphical clients on Android and Apple platforms with `auto_detect_interface` enabled.
The length of time to wait before spawning a RFC 6555 Fast Fallback connection.
For `domain_strategy`, is the amount of time to wait for connection to succeed before assuming
that IPv4/IPv6 is misconfigured and falling back to other type of addresses.
For `network_strategy`, is the amount of time to wait for connection to succeed before falling
back to other interfaces.
Only take effect when `domain_strategy` or `network_strategy` is set.
`300ms` is used by default.
#### domain_strategy
!!! failure "Deprecated in sing-box 1.12.0"
`domain_strategy` is deprecated and will be removed in sing-box 1.14.0, check [Migration](/migration/#migrate-outbound-domain-strategy-option-to-domain-resolver).
Available values: `prefer_ipv4`, `prefer_ipv6`, `ipv4_only`, `ipv6_only`.
If set, the requested domain name will be resolved to IP before connect.
| Outbound | Effected domains | Fallback Value |
|----------|--------------------------|-------------------------------------------|
| `direct` | Domain in request | Take `inbound.domain_strategy` if not set |
| others | Domain in server address | / |

258
docs/configuration/shared/dial.zh.md Normal file
View File

@@ -0,0 +1,258 @@
---
icon: material/new-box
---
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)
:material-plus: [tcp_keep_alive](#tcp_keep_alive)
:material-plus: [tcp_keep_alive_interval](#tcp_keep_alive_interval)
:material-plus: [bind_address_no_port](#bind_address_no_port)
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [domain_resolver](#domain_resolver)
:material-delete-clock: [domain_strategy](#domain_strategy)
:material-plus: [netns](#netns)
!!! quote "sing-box 1.11.0 中的更改"
:material-plus: [network_strategy](#network_strategy)
:material-alert: [fallback_delay](#fallback_delay)
:material-alert: [network_type](#network_type)
:material-alert: [fallback_network_type](#fallback_network_type)
### 结构
```json
{
"detour": "",
"bind_interface": "",
"inet4_bind_address": "",
"inet6_bind_address": "",
"bind_address_no_port": false,
"routing_mark": 0,
"reuse_addr": false,
"netns": "",
"connect_timeout": "",
"tcp_fast_open": false,
"tcp_multi_path": false,
"disable_tcp_keep_alive": false,
"tcp_keep_alive": "",
"tcp_keep_alive_interval": "",
"udp_fragment": false,
"domain_resolver": "", // 或 {}
"network_strategy": "",
"network_type": [],
"fallback_network_type": [],
"fallback_delay": "",
// 废弃的
"domain_strategy": ""
}
```
!!! note ""
当内容只有一项时,可以忽略 JSON 数组 [] 标签
### 字段
#### detour
上游出站的标签。
启用时,其他拨号字段将被忽略。
#### bind_interface
要绑定到的网络接口。
#### inet4_bind_address
要绑定的 IPv4 地址。
#### inet6_bind_address
要绑定的 IPv6 地址。
#### bind_address_no_port
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅支持 Linux。
绑定到源地址时不保留端口。
这允许在完整的四元组(源 IP、源端口、目标 IP、目标端口保持唯一的情况下为多个连接复用同一源端口。
#### routing_mark
!!! quote ""
仅支持 Linux。
设置 netfilter 路由标记。
支持数字 (如 `1234`) 和十六进制字符串 (如 `"0x1234"`)。
#### reuse_addr
重用监听地址。
#### netns
!!! question "自 sing-box 1.12.0 起"
!!! quote ""
仅支持 Linux。
设置网络命名空间,名称或路径。
#### connect_timeout
连接超时,采用 golang 的 Duration 格式。
持续时间字符串是一个可能有符号的序列十进制数,每个都有可选的分数和单位后缀, 例如 "300ms"、"-1.5h" 或 "2h45m"。
有效时间单位为 "ns"、"us"(或 "µs")、"ms"、"s"、"m"、"h"。
#### tcp_fast_open
启用 TCP Fast Open。
#### tcp_multi_path
!!! warning ""
需要 Go 1.21。
启用 TCP Multi Path。
#### disable_tcp_keep_alive
!!! question "自 sing-box 1.13.0 起"
禁用 TCP keep alive。
#### tcp_keep_alive
!!! question "自 sing-box 1.13.0 起"
默认值从 `10m` 更改为 `5m`
TCP keep alive 初始周期。
默认使用 `5m`
#### tcp_keep_alive_interval
!!! question "自 sing-box 1.13.0 起"
TCP keep alive 间隔。
默认使用 `75s`
#### udp_fragment
启用 UDP 分段。
#### domain_resolver
!!! warning ""
`outbound` DNS 规则项已弃用,且将在 sing-box 1.14.0 中被移除。因此,从 sing-box 1.14.0 版本开始,所有在服务器地址中使用域名的出站/端点均需配置此项。
!!! info ""
当只有一个 DNS 服务器已配置时,`domain_resolver``route.default_domain_resolver` 是可选的。
用于设置解析域名的域名解析器。
此选项的格式与 [路由 DNS 规则动作](/zh/configuration/dns/rule_action/#route) 相同,但不包含 `action` 字段。
若直接将此选项设置为字符串,则等同于设置该选项的 `server` 字段。
| 出站/端点 | 受影响的域名 |
|----------------|---------------------------|
| `direct` | 请求中的域名 |
| 其他类型 | 服务器地址中的域名 |
#### network_strategy
!!! question "自 sing-box 1.11.0 起"
!!! quote ""
仅在 Android 与 iOS 平台图形客户端中支持,并且需要 `route.auto_detect_interface`
用于选择网络接口的策略。
可用值:
- `default`(默认值):按顺序连接默认网络或 `network_type` 中指定的网络。
- `hybrid`:同时连接所有网络或 `network_type` 中指定的网络。
- `fallback`:同时连接默认网络或 `network_type` 中指定的首选网络,当不可用或超时时尝试回退网络。
对于回退模式,当首选接口失败或超时时,
将进入15秒的快速回退状态同时连接所有首选和回退网络
如果首选网络恢复,则立即退出。
`bind_interface`, `bind_inet4_address``bind_inet6_address` 冲突。
#### network_type
!!! question "自 sing-box 1.11.0 起"
!!! quote ""
仅在 Android 与 iOS 平台图形客户端中支持,并且需要 `route.auto_detect_interface`
当使用 `default``hybrid` 网络策略时要使用的网络类型,或当使用 `fallback` 网络策略时要使用的首选网络类型。
可用值:`wifi`, `cellular`, `ethernet`, `other`
默认使用设备默认网络。
#### fallback_network_type
!!! question "自 sing-box 1.11.0 起"
!!! quote ""
仅在 Android 与 iOS 平台图形客户端中支持,并且需要 `route.auto_detect_interface`
当使用 `fallback` 网络策略时,在首选网络不可用或超时的情况下要使用的回退网络类型。
默认使用除首选网络外的所有其他网络。
#### fallback_delay
在生成 RFC 6555 快速回退连接之前等待的时间长度。
对于 `domain_strategy`,是在假设之前等待 IPv6 成功的时间量如果设置了 "prefer_ipv4",则 IPv6 配置错误并回退到 IPv4。
对于 `network_strategy`,对于 `network_strategy`,是在回退到其他接口之前等待连接成功的时间。
仅当 `domain_strategy``network_strategy` 已设置时生效。
默认使用 `300ms`
#### domain_strategy
!!! failure "已在 sing-box 1.12.0 废弃"
`domain_strategy` 已废弃且将在 sing-box 1.14.0 中被移除,参阅 [迁移指南](/zh/migration/#迁移出站域名策略选项到域名解析器)。
可选值:`prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`
如果设置,域名将在请求发出之前解析为 IP。
| 出站 | 受影响的域名 | 默认回退值 |
|----------|-----------|---------------------------|
| `direct` | 请求中的域名 | `inbound.domain_strategy` |
| others | 服务器地址中的域名 | / |

126
docs/configuration/shared/dns01_challenge.md Normal file
View File

@@ -0,0 +1,126 @@
---
icon: material/new-box
---
!!! quote "Changes in sing-box 1.14.0"
:material-plus: [ttl](#ttl)
:material-plus: [propagation_delay](#propagation_delay)
:material-plus: [propagation_timeout](#propagation_timeout)
:material-plus: [resolvers](#resolvers)
:material-plus: [override_domain](#override_domain)
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [alidns.security_token](#security_token)
:material-plus: [cloudflare.zone_token](#zone_token)
:material-plus: [acmedns](#acmedns)
### Structure
```json
{
"ttl": "",
"propagation_delay": "",
"propagation_timeout": "",
"resolvers": [],
"override_domain": "",
"provider": "",
... // Provider Fields
}
```
### Fields
#### ttl
!!! question "Since sing-box 1.14.0"
The TTL of the temporary TXT record used for the DNS challenge.
#### propagation_delay
!!! question "Since sing-box 1.14.0"
How long to wait after creating the challenge record before starting propagation checks.
#### propagation_timeout
!!! question "Since sing-box 1.14.0"
The maximum time to wait for the challenge record to propagate.
Set to `-1` to disable propagation checks.
#### resolvers
!!! question "Since sing-box 1.14.0"
Preferred DNS resolvers to use for DNS propagation checks.
#### override_domain
!!! question "Since sing-box 1.14.0"
Override the domain name used for the DNS challenge record.
Useful when `_acme-challenge` is delegated to a different zone.
#### provider
The DNS provider. See below for provider-specific fields.
### Provider Fields
#### Alibaba Cloud DNS
```json
{
"provider": "alidns",
"access_key_id": "",
"access_key_secret": "",
"region_id": "",
"security_token": ""
}
```
##### security_token
!!! question "Since sing-box 1.13.0"
The Security Token for STS temporary credentials.
#### Cloudflare
```json
{
"provider": "cloudflare",
"api_token": "",
"zone_token": ""
}
```
##### zone_token
!!! question "Since sing-box 1.13.0"
Optional API token with `Zone:Read` permission.
When provided, allows `api_token` to be scoped to a single zone.
#### ACME-DNS
!!! question "Since sing-box 1.13.0"
```json
{
"provider": "acmedns",
"username": "",
"password": "",
"subdomain": "",
"server_url": ""
}
```
See [ACME-DNS](https://github.com/joohoi/acme-dns) for details.

126
docs/configuration/shared/dns01_challenge.zh.md Normal file
View File

@@ -0,0 +1,126 @@
---
icon: material/new-box
---
!!! quote "sing-box 1.14.0 中的更改"
:material-plus: [ttl](#ttl)
:material-plus: [propagation_delay](#propagation_delay)
:material-plus: [propagation_timeout](#propagation_timeout)
:material-plus: [resolvers](#resolvers)
:material-plus: [override_domain](#override_domain)
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [alidns.security_token](#security_token)
:material-plus: [cloudflare.zone_token](#zone_token)
:material-plus: [acmedns](#acmedns)
### 结构
```json
{
"ttl": "",
"propagation_delay": "",
"propagation_timeout": "",
"resolvers": [],
"override_domain": "",
"provider": "",
... // 提供商字段
}
```
### 字段
#### ttl
!!! question "自 sing-box 1.14.0 起"
DNS 质询临时 TXT 记录的 TTL。
#### propagation_delay
!!! question "自 sing-box 1.14.0 起"
创建质询记录后,在开始传播检查前要等待的时间。
#### propagation_timeout
!!! question "自 sing-box 1.14.0 起"
等待质询记录传播完成的最长时间。
设为 `-1` 可禁用传播检查。
#### resolvers
!!! question "自 sing-box 1.14.0 起"
进行 DNS 传播检查时优先使用的 DNS 解析器。
#### override_domain
!!! question "自 sing-box 1.14.0 起"
覆盖 DNS 质询记录使用的域名。
适用于将 `_acme-challenge` 委托到其他 zone 的场景。
#### provider
DNS 提供商。提供商专有字段见下文。
### 提供商字段
#### Alibaba Cloud DNS
```json
{
"provider": "alidns",
"access_key_id": "",
"access_key_secret": "",
"region_id": "",
"security_token": ""
}
```
##### security_token
!!! question "自 sing-box 1.13.0 起"
用于 STS 临时凭证的安全令牌。
#### Cloudflare
```json
{
"provider": "cloudflare",
"api_token": "",
"zone_token": ""
}
```
##### zone_token
!!! question "自 sing-box 1.13.0 起"
具有 `Zone:Read` 权限的可选 API 令牌。
提供后可将 `api_token` 限定到单个区域。
#### ACME-DNS
!!! question "自 sing-box 1.13.0 起"
```json
{
"provider": "acmedns",
"username": "",
"password": "",
"subdomain": "",
"server_url": ""
}
```
参阅 [ACME-DNS](https://github.com/joohoi/acme-dns)。

202
docs/configuration/shared/listen.md Normal file
View File

@@ -0,0 +1,202 @@
---
icon: material/new-box
---
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)
:material-alert: [tcp_keep_alive](#tcp_keep_alive)
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [netns](#netns)
:material-plus: [bind_interface](#bind_interface)
:material-plus: [routing_mark](#routing_mark)
:material-plus: [reuse_addr](#reuse_addr)
!!! quote "Changes in sing-box 1.11.0"
:material-delete-clock: [sniff](#sniff)
:material-delete-clock: [sniff_override_destination](#sniff_override_destination)
:material-delete-clock: [sniff_timeout](#sniff_timeout)
:material-delete-clock: [domain_strategy](#domain_strategy)
:material-delete-clock: [udp_disable_domain_unmapping](#udp_disable_domain_unmapping)
### Structure
```json
{
"listen": "",
"listen_port": 0,
"bind_interface": "",
"routing_mark": 0,
"reuse_addr": false,
"netns": "",
"tcp_fast_open": false,
"tcp_multi_path": false,
"disable_tcp_keep_alive": false,
"tcp_keep_alive": "",
"tcp_keep_alive_interval": "",
"udp_fragment": false,
"udp_timeout": "",
"detour": "",
// Deprecated
"sniff": false,
"sniff_override_destination": false,
"sniff_timeout": "",
"domain_strategy": "",
"udp_disable_domain_unmapping": false
}
```
### Fields
#### listen
==Required==
Listen address.
#### listen_port
Listen port.
#### bind_interface
!!! question "Since sing-box 1.12.0"
The network interface to bind to.
#### routing_mark
!!! question "Since sing-box 1.12.0"
!!! quote ""
Only supported on Linux.
Set netfilter routing mark.
Integers (e.g. `1234`) and string hexadecimals (e.g. `"0x1234"`) are supported.
#### reuse_addr
!!! question "Since sing-box 1.12.0"
Reuse listener address.
#### netns
!!! question "Since sing-box 1.12.0"
!!! quote ""
Only supported on Linux.
Set network namespace, name or path.
#### tcp_fast_open
Enable TCP Fast Open.
#### tcp_multi_path
!!! warning ""
Go 1.21 required.
Enable TCP Multi Path.
#### disable_tcp_keep_alive
!!! question "Since sing-box 1.13.0"
Disable TCP keep alive.
#### tcp_keep_alive
!!! question "Since sing-box 1.13.0"
Default value changed from `10m` to `5m`.
TCP keep alive initial period.
`5m` will be used by default.
#### tcp_keep_alive_interval
TCP keep alive interval.
`75s` will be used by default.
#### udp_fragment
Enable UDP fragmentation.
#### udp_timeout
UDP NAT expiration time.
`5m` will be used by default.
#### detour
If set, connections will be forwarded to the specified inbound.
Requires target inbound support, see [Injectable](/configuration/inbound/#fields).
#### sniff
!!! failure "Deprecated in sing-box 1.11.0"
Inbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
Enable sniffing.
See [Protocol Sniff](/configuration/route/sniff/) for details.
#### sniff_override_destination
!!! failure "Deprecated in sing-box 1.11.0"
Inbound fields are deprecated and will be removed in sing-box 1.13.0.
Override the connection destination address with the sniffed domain.
If the domain name is invalid (like tor), this will not work.
#### sniff_timeout
!!! failure "Deprecated in sing-box 1.11.0"
Inbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
Timeout for sniffing.
`300ms` is used by default.
#### domain_strategy
!!! failure "Deprecated in sing-box 1.11.0"
Inbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
If set, the requested domain name will be resolved to IP before routing.
If `sniff_override_destination` is in effect, its value will be taken as a fallback.
#### udp_disable_domain_unmapping
!!! failure "Deprecated in sing-box 1.11.0"
Inbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
If enabled, for UDP proxy requests addressed to a domain,
the original packet address will be sent in the response instead of the mapped domain.
This option is used for compatibility with clients that
do not support receiving UDP packets with domain addresses, such as Surge.

200
docs/configuration/shared/listen.zh.md Normal file
View File

@@ -0,0 +1,200 @@
---
icon: material/new-box
---
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [disable_tcp_keep_alive](#disable_tcp_keep_alive)
:material-alert: [tcp_keep_alive](#tcp_keep_alive)
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [netns](#netns)
:material-plus: [bind_interface](#bind_interface)
:material-plus: [routing_mark](#routing_mark)
:material-plus: [reuse_addr](#reuse_addr)
!!! quote "sing-box 1.11.0 中的更改"
:material-delete-clock: [sniff](#sniff)
:material-delete-clock: [sniff_override_destination](#sniff_override_destination)
:material-delete-clock: [sniff_timeout](#sniff_timeout)
:material-delete-clock: [domain_strategy](#domain_strategy)
:material-delete-clock: [udp_disable_domain_unmapping](#udp_disable_domain_unmapping)
### 结构
```json
{
"listen": "",
"listen_port": 0,
"bind_interface": "",
"routing_mark": 0,
"reuse_addr": false,
"netns": "",
"tcp_fast_open": false,
"tcp_multi_path": false,
"disable_tcp_keep_alive": false,
"tcp_keep_alive": "",
"tcp_keep_alive_interval": "",
"udp_fragment": false,
"udp_timeout": "",
"detour": "",
// 废弃的
"sniff": false,
"sniff_override_destination": false,
"sniff_timeout": "",
"domain_strategy": "",
"udp_disable_domain_unmapping": false
}
```
### 字段
#### listen
==必填==
监听地址。
#### listen_port
监听端口。
#### bind_interface
!!! question "自 sing-box 1.12.0 起"
要绑定到的网络接口。
#### routing_mark
!!! question "自 sing-box 1.12.0 起"
!!! quote ""
仅支持 Linux。
设置 netfilter 路由标记。
支持数字 (如 `1234`) 和十六进制字符串 (如 `"0x1234"`)。
#### reuse_addr
!!! question "自 sing-box 1.12.0 起"
重用监听地址。
#### netns
!!! question "自 sing-box 1.12.0 起"
!!! quote ""
仅支持 Linux。
设置网络命名空间,名称或路径。
#### tcp_fast_open
启用 TCP Fast Open。
#### tcp_multi_path
!!! warning ""
需要 Go 1.21。
启用 TCP Multi Path。
#### disable_tcp_keep_alive
!!! question "自 sing-box 1.13.0 起"
禁用 TCP keep alive。
#### tcp_keep_alive
!!! question "自 sing-box 1.13.0 起"
默认值从 `10m` 更改为 `5m`
TCP keep alive 初始周期。
默认使用 `5m`
#### tcp_keep_alive_interval
TCP keep alive 间隔。
默认使用 `75s`
#### udp_fragment
启用 UDP 分段。
#### udp_timeout
UDP NAT 过期时间。
默认使用 `5m`
#### detour
如果设置,连接将被转发到指定的入站。
需要目标入站支持,参阅 [注入支持](/zh/configuration/inbound/#字段)。
#### sniff
!!! failure "已在 sing-box 1.11.0 废弃"
入站字段已废弃且将在 sing-box 1.12.0 中被移除,参阅 [迁移指南](/zh/migration/#迁移旧的入站字段到规则动作).
启用协议探测。
参阅 [协议探测](/zh/configuration/route/sniff/)
#### sniff_override_destination
!!! failure "已在 sing-box 1.11.0 废弃"
入站字段已废弃且将在 sing-box 1.12.0 中被移除。
用探测出的域名覆盖连接目标地址。
如果域名无效(如 Tor将不生效。
#### sniff_timeout
!!! failure "已在 sing-box 1.11.0 废弃"
入站字段已废弃且将在 sing-box 1.12.0 中被移除,参阅 [迁移指南](/zh/migration/#迁移旧的入站字段到规则动作).
探测超时时间。
默认使用 300ms。
#### domain_strategy
!!! failure "已在 sing-box 1.11.0 废弃"
入站字段已废弃且将在 sing-box 1.12.0 中被移除,参阅 [迁移指南](/zh/migration/#迁移旧的入站字段到规则动作).
可选值: `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`
如果设置,请求的域名将在路由之前解析为 IP。
如果 `sniff_override_destination` 生效,它的值将作为后备。
#### udp_disable_domain_unmapping
!!! failure "已在 sing-box 1.11.0 废弃"
入站字段已废弃且将在 sing-box 1.12.0 中被移除,参阅 [迁移指南](/zh/migration/#迁移旧的入站字段到规则动作).
如果启用,对于地址为域的 UDP 代理请求,将在响应中发送原始包地址而不是映射的域。
此选项用于兼容不支持接收带有域地址的 UDP 包的客户端,如 Surge。

86
docs/configuration/shared/multiplex.md Normal file
View File

@@ -0,0 +1,86 @@
### Inbound
```json
{
"enabled": true,
"padding": false,
"brutal": {}
}
```
### Outbound
```json
{
"enabled": true,
"protocol": "smux",
"max_connections": 4,
"min_streams": 4,
"max_streams": 0,
"padding": false,
"brutal": {}
}
```
### Inbound Fields
#### enabled
Enable multiplex support.
#### padding
If enabled, non-padded connections will be rejected.
#### brutal
See [TCP Brutal](/configuration/shared/tcp-brutal/) for details.
### Outbound Fields
#### enabled
Enable multiplex.
#### protocol
Multiplex protocol.
| Protocol | Description |
|----------|------------------------------------|
| smux | https://github.com/xtaci/smux |
| yamux | https://github.com/hashicorp/yamux |
| h2mux | https://golang.org/x/net/http2 |
h2mux is used by default.
#### max_connections
Maximum connections.
Conflict with `max_streams`.
#### min_streams
Minimum multiplexed streams in a connection before opening a new connection.
Conflict with `max_streams`.
#### max_streams
Maximum multiplexed streams in a connection before opening a new connection.
Conflict with `max_connections` and `min_streams`.
#### padding
!!! info
Requires sing-box server version 1.3-beta9 or later.
Enable padding.
#### brutal
See [TCP Brutal](/configuration/shared/tcp-brutal/) for details.

85
docs/configuration/shared/multiplex.zh.md Normal file
View File

@@ -0,0 +1,85 @@
### 入站
```json
{
"enabled": true,
"padding": false,
"brutal": {}
}
```
### 出站
```json
{
"enabled": true,
"protocol": "smux",
"max_connections": 4,
"min_streams": 4,
"max_streams": 0,
"padding": false,
"brutal": {}
}
```
### 入站字段
#### enabled
启用多路复用支持。
#### padding
如果启用,将拒绝非填充连接。
#### brutal
参阅 [TCP Brutal](/zh/configuration/shared/tcp-brutal/)。
### 出站字段
#### enabled
启用多路复用。
#### protocol
多路复用协议
| 协议 | 描述 |
|-------|------------------------------------|
| smux | https://github.com/xtaci/smux |
| yamux | https://github.com/hashicorp/yamux |
| h2mux | https://golang.org/x/net/http2 |
默认使用 h2mux。
#### max_connections
最大连接数量。
`max_streams` 冲突。
#### min_streams
在打开新连接之前,连接中的最小多路复用流数量。
`max_streams` 冲突。
#### max_streams
在打开新连接之前,连接中的最大多路复用流数量。
`max_connections``min_streams` 冲突。
#### padding
!!! info
需要 sing-box 服务器版本 1.3-beta9 或更高。
启用填充。
#### brutal
参阅 [TCP Brutal](/zh/configuration/shared/tcp-brutal/)。

49
docs/configuration/shared/neighbor.md Normal file
View File

@@ -0,0 +1,49 @@
---
icon: material/lan
---
# Neighbor Resolution
Match LAN devices by MAC address and hostname using
[`source_mac_address`](/configuration/route/rule/#source_mac_address) and
[`source_hostname`](/configuration/route/rule/#source_hostname) rule items.
Neighbor resolution is automatically enabled when these rule items exist.
Use [`route.find_neighbor`](/configuration/route/#find_neighbor) to force enable it for logging without rules.
## Linux
Works natively. No special setup required.
Hostname resolution requires DHCP lease files,
automatically detected from common DHCP servers (dnsmasq, odhcpd, ISC dhcpd, Kea).
Custom paths can be set via [`route.dhcp_lease_files`](/configuration/route/#dhcp_lease_files).
## Android
!!! quote ""
Only supported in graphical clients.
Requires Android 11 or above and ROOT.
Must use [VPNHotspot](https://github.com/Mygod/VPNHotspot) to share the VPN connection.
ROM built-in features like "Use VPN for connected devices" can share VPN
but cannot provide MAC address or hostname information.
Set **IP Masquerade Mode** to **None** in VPNHotspot settings.
Only route/DNS rules are supported. TUN include/exclude routes are not supported.
### Hostname Visibility
Hostname is only visible in sing-box if it is visible in VPNHotspot.
For Apple devices, change **Private Wi-Fi Address** from **Rotating** to **Fixed** in the Wi-Fi settings
of the connected network. Non-Apple devices are always visible.
## macOS
Requires the standalone version (macOS system extension).
The App Store version can share the VPN as a hotspot but does not support MAC address or hostname reading.
See [VPN Hotspot](/manual/misc/vpn-hotspot/#macos) for Internet Sharing setup.

49
docs/configuration/shared/neighbor.zh.md Normal file
View File

@@ -0,0 +1,49 @@
---
icon: material/lan
---
# 邻居解析
通过
[`source_mac_address`](/configuration/route/rule/#source_mac_address) 和
[`source_hostname`](/configuration/route/rule/#source_hostname) 规则项匹配局域网设备的 MAC 地址和主机名。
当这些规则项存在时,邻居解析自动启用。
使用 [`route.find_neighbor`](/configuration/route/#find_neighbor) 可在没有规则时强制启用以输出日志。
## Linux
原生支持,无需特殊设置。
主机名解析需要 DHCP 租约文件,
自动从常见 DHCP 服务器dnsmasq、odhcpd、ISC dhcpd、Kea检测。
可通过 [`route.dhcp_lease_files`](/configuration/route/#dhcp_lease_files) 设置自定义路径。
## Android
!!! quote ""
仅在图形客户端中支持。
需要 Android 11 或以上版本和 ROOT。
必须使用 [VPNHotspot](https://github.com/Mygod/VPNHotspot) 共享 VPN 连接。
ROM 自带的「通过 VPN 共享连接」等功能可以共享 VPN
但无法提供 MAC 地址或主机名信息。
在 VPNHotspot 设置中将 **IP 遮掩模式** 设为 **无**
仅支持路由/DNS 规则。不支持 TUN 的 include/exclude 路由。
### 设备可见性
MAC 地址和主机名仅在 VPNHotspot 中可见时 sing-box 才能读取。
对于 Apple 设备,需要在所连接网络的 Wi-Fi 设置中将**私有无线局域网地址**从**轮替**改为**固定**。
非 Apple 设备始终可见。
## macOS
需要独立版本macOS 系统扩展)。
App Store 版本可以共享 VPN 热点但不支持 MAC 地址或主机名读取。
参阅 [VPN 热点](/manual/misc/vpn-hotspot/#macos) 了解互联网共享设置。

50
docs/configuration/shared/pre-match.md Normal file
View File

@@ -0,0 +1,50 @@
---
icon: material/new-box
---
# Pre-match
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [bypass](#bypass)
Pre-match is rule matching that runs before the connection is established.
### How it works
When TUN receives a connection request, the connection has not yet been established,
so no connection data can be read. In this phase, sing-box runs the routing rules in pre-match mode.
Since connection data is unavailable, only actions that do not require connection data can be executed.
When a rule matches an action that requires an established connection, pre-match stops at that rule.
### Supported actions
#### reject
Reject with TCP RST / ICMP unreachable.
See [reject](/configuration/route/rule_action/#reject) for details.
#### route
Route ICMP connections to the specified outbound for direct reply.
See [route](/configuration/route/rule_action/#route) for details.
#### bypass
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported on Linux with `auto_redirect` enabled.
Bypass sing-box and connect directly at kernel level.
If `outbound` is not specified, the rule only matches in pre-match from auto redirect,
and will be skipped in other contexts.
For all other contexts, bypass with `outbound` behaves like `route` action.
See [bypass](/configuration/route/rule_action/#bypass) for details.

47
docs/configuration/shared/pre-match.zh.md Normal file
View File

@@ -0,0 +1,47 @@
---
icon: material/new-box
---
# 预匹配
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [bypass](#bypass)
预匹配是在连接建立之前运行的规则匹配。
### 工作原理
当 TUN 收到连接请求时连接尚未建立因此无法读取连接数据。在此阶段sing-box 在预匹配模式下运行路由规则。
由于连接数据不可用,只有不需要连接数据的动作才能执行。当规则匹配到需要已建立连接的动作时,预匹配将在该规则处停止。
### 支持的动作
#### reject
以 TCP RST / ICMP 不可达拒绝。
详情参阅 [reject](/zh/configuration/route/rule_action/#reject)。
#### route
将 ICMP 连接路由到指定出站以直接回复。
详情参阅 [route](/zh/configuration/route/rule_action/#route)。
#### bypass
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅支持 Linux且需要启用 `auto_redirect`
在内核层面绕过 sing-box 直接连接。
如果未指定 `outbound`,规则仅在来自 auto redirect 的预匹配中匹配,在其他场景中将被跳过。
对于其他所有场景,指定了 `outbound` 的 bypass 行为与 `route` 相同。
详情参阅 [bypass](/zh/configuration/route/rule_action/#bypass)。

28
docs/configuration/shared/tcp-brutal.md Normal file
View File

@@ -0,0 +1,28 @@
### Server Requirements
* Linux
* `brutal` congestion control algorithm kernel module installed
See [tcp-brutal](https://github.com/apernet/tcp-brutal) for details.
### Structure
```json
{
"enabled": true,
"up_mbps": 100,
"down_mbps": 100
}
```
### Fields
#### enabled
Enable TCP Brutal congestion control algorithm。
#### up_mbps, down_mbps
==Required==
Upload and download bandwidth, in Mbps.

28
docs/configuration/shared/tcp-brutal.zh.md Normal file
View File

@@ -0,0 +1,28 @@
### 服务器要求
* Linux
* `brutal` 拥塞控制算法内核模块已安装
参阅 [tcp-brutal](https://github.com/apernet/tcp-brutal)。
### 结构
```json
{
"enabled": true,
"up_mbps": 100,
"down_mbps": 100
}
```
### 字段
#### enabled
启用 TCP Brutal 拥塞控制算法。
#### up_mbps, down_mbps
==必填==
上传和下载带宽,以 Mbps 为单位。

705
docs/configuration/shared/tls.md Normal file
View File

@@ -0,0 +1,705 @@
---
icon: material/new-box
---
!!! quote "Changes in sing-box 1.14.0"
:material-plus: [certificate_provider](#certificate_provider)
:material-delete-clock: [acme](#acme-fields)
!!! quote "Changes in sing-box 1.13.0"
:material-plus: [kernel_tx](#kernel_tx)
:material-plus: [kernel_rx](#kernel_rx)
:material-plus: [curve_preferences](#curve_preferences)
:material-plus: [certificate_public_key_sha256](#certificate_public_key_sha256)
:material-plus: [client_certificate](#client_certificate)
:material-plus: [client_certificate_path](#client_certificate_path)
:material-plus: [client_key](#client_key)
:material-plus: [client_key_path](#client_key_path)
:material-plus: [client_authentication](#client_authentication)
:material-plus: [client_certificate_public_key_sha256](#client_certificate_public_key_sha256)
:material-plus: [ech.query_server_name](#query_server_name)
!!! quote "Changes in sing-box 1.12.0"
:material-plus: [fragment](#fragment)
:material-plus: [fragment_fallback_delay](#fragment_fallback_delay)
:material-plus: [record_fragment](#record_fragment)
:material-delete-clock: [ech.pq_signature_schemes_enabled](#pq_signature_schemes_enabled)
:material-delete-clock: [ech.dynamic_record_sizing_disabled](#dynamic_record_sizing_disabled)
!!! quote "Changes in sing-box 1.10.0"
:material-alert-decagram: [utls](#utls)
### Inbound
```json
{
"enabled": true,
"server_name": "",
"alpn": [],
"min_version": "",
"max_version": "",
"cipher_suites": [],
"curve_preferences": [],
"certificate": [],
"certificate_path": "",
"client_authentication": "",
"client_certificate": [],
"client_certificate_path": [],
"client_certificate_public_key_sha256": [],
"key": [],
"key_path": "",
"kernel_tx": false,
"kernel_rx": false,
"certificate_provider": "",
// Deprecated
"acme": {
"domain": [],
"data_directory": "",
"default_server_name": "",
"email": "",
"provider": "",
"disable_http_challenge": false,
"disable_tls_alpn_challenge": false,
"alternative_http_port": 0,
"alternative_tls_port": 0,
"external_account": {
"key_id": "",
"mac_key": ""
},
"dns01_challenge": {}
},
"ech": {
"enabled": false,
"key": [],
"key_path": "",
// Deprecated
"pq_signature_schemes_enabled": false,
"dynamic_record_sizing_disabled": false
},
"reality": {
"enabled": false,
"handshake": {
"server": "google.com",
"server_port": 443,
... // Dial Fields
},
"private_key": "UuMBgl7MXTPx9inmQp2UC7Jcnwc6XYbwDNebonM-FCc",
"short_id": [
"0123456789abcdef"
],
"max_time_difference": "1m"
}
}
```
### Outbound
```json
{
"enabled": true,
"disable_sni": false,
"server_name": "",
"insecure": false,
"alpn": [],
"min_version": "",
"max_version": "",
"cipher_suites": [],
"curve_preferences": [],
"certificate": "",
"certificate_path": "",
"certificate_public_key_sha256": [],
"client_certificate": [],
"client_certificate_path": "",
"client_key": [],
"client_key_path": "",
"fragment": false,
"fragment_fallback_delay": "",
"record_fragment": false,
"ech": {
"enabled": false,
"config": [],
"config_path": "",
"query_server_name": "",
// Deprecated
"pq_signature_schemes_enabled": false,
"dynamic_record_sizing_disabled": false
},
"utls": {
"enabled": false,
"fingerprint": ""
},
"reality": {
"enabled": false,
"public_key": "jNXHt1yRo0vDuchQlIP6Z0ZvjT3KtzVI-T4E7RoLJS0",
"short_id": "0123456789abcdef"
}
}
```
TLS version values:
* `1.0`
* `1.1`
* `1.2`
* `1.3`
Cipher suite values:
* `TLS_RSA_WITH_AES_128_CBC_SHA`
* `TLS_RSA_WITH_AES_256_CBC_SHA`
* `TLS_RSA_WITH_AES_128_GCM_SHA256`
* `TLS_RSA_WITH_AES_256_GCM_SHA384`
* `TLS_AES_128_GCM_SHA256`
* `TLS_AES_256_GCM_SHA384`
* `TLS_CHACHA20_POLY1305_SHA256`
* `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`
* `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`
* `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`
* `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`
* `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
* `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
* `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
* `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
* `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`
* `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`
!!! note ""
You can ignore the JSON Array [] tag when the content is only one item
### Fields
#### enabled
Enable TLS.
#### disable_sni
==Client only==
Do not send server name in ClientHello.
#### server_name
Used to verify the hostname on the returned certificates unless insecure is given.
It is also included in the client's handshake to support virtual hosting unless it is an IP address.
#### insecure
==Client only==
Accepts any server certificate.
#### alpn
List of supported application level protocols, in order of preference.
If both peers support ALPN, the selected protocol will be one from this list, and the connection will fail if there is
no mutually supported protocol.
See [Application-Layer Protocol Negotiation](https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation).
#### min_version
The minimum TLS version that is acceptable.
By default, TLS 1.2 is currently used as the minimum when acting as a
client, and TLS 1.0 when acting as a server.
#### max_version
The maximum TLS version that is acceptable.
By default, the maximum version is currently TLS 1.3.
#### cipher_suites
List of enabled TLS 1.01.2 cipher suites. The order of the list is ignored.
Note that TLS 1.3 cipher suites are not configurable.
If empty, a safe default list is used. The default cipher suites might change over time.
#### curve_preferences
!!! question "Since sing-box 1.13.0"
Set of supported key exchange mechanisms. The order of the list is ignored, and key exchange mechanisms are chosen
from this list using an internal preference order by Golang.
Available values, also the default list:
* `P256`
* `P384`
* `P521`
* `X25519`
* `X25519MLKEM768`
#### certificate
Server certificates chain line array, in PEM format.
#### certificate_path
!!! note ""
Will be automatically reloaded if file modified.
The path to server certificate chain, in PEM format.
#### certificate_public_key_sha256
!!! question "Since sing-box 1.13.0"
==Client only==
List of SHA-256 hashes of server certificate public keys, in base64 format.
To generate the SHA-256 hash for a certificate's public key, use the following commands:
```bash
# For a certificate file
openssl x509 -in certificate.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
# For a certificate from a remote server
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
```
#### client_certificate
!!! question "Since sing-box 1.13.0"
==Client only==
Client certificate chain line array, in PEM format.
#### client_certificate_path
!!! question "Since sing-box 1.13.0"
==Client only==
The path to client certificate chain, in PEM format.
#### client_key
!!! question "Since sing-box 1.13.0"
==Client only==
Client private key line array, in PEM format.
#### client_key_path
!!! question "Since sing-box 1.13.0"
==Client only==
The path to client private key, in PEM format.
#### key
==Server only==
The server private key line array, in PEM format.
#### key_path
==Server only==
!!! note ""
Will be automatically reloaded if file modified.
The path to the server private key, in PEM format.
#### client_authentication
!!! question "Since sing-box 1.13.0"
==Server only==
The type of client authentication to use.
Available values:
* `no` (default)
* `request`
* `require-any`
* `verify-if-given`
* `require-and-verify`
One of `client_certificate`, `client_certificate_path`, or `client_certificate_public_key_sha256` is required
if this option is set to `verify-if-given`, or `require-and-verify`.
#### client_certificate
!!! question "Since sing-box 1.13.0"
==Server only==
Client certificate chain line array, in PEM format.
#### client_certificate_path
!!! question "Since sing-box 1.13.0"
==Server only==
!!! note ""
Will be automatically reloaded if file modified.
List of path to client certificate chain, in PEM format.
#### client_certificate_public_key_sha256
!!! question "Since sing-box 1.13.0"
==Server only==
List of SHA-256 hashes of client certificate public keys, in base64 format.
To generate the SHA-256 hash for a certificate's public key, use the following commands:
```bash
# For a certificate file
openssl x509 -in certificate.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
# For a certificate from a remote server
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
```
#### kernel_tx
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported on Linux 5.1+, use a newer kernel if possible.
!!! quote ""
Only TLS 1.3 is supported.
!!! warning ""
kTLS TX may only improve performance when `splice(2)` is available (both ends must be TCP or TLS without additional protocols after handshake); otherwise, it will definitely degrade performance.
Enable kernel TLS transmit support.
#### kernel_rx
!!! question "Since sing-box 1.13.0"
!!! quote ""
Only supported on Linux 5.1+, use a newer kernel if possible.
!!! quote ""
Only TLS 1.3 is supported.
!!! failure ""
kTLS RX will definitely degrade performance even if `splice(2)` is in use, so enabling it is not recommended.
Enable kernel TLS receive support.
#### certificate_provider
!!! question "Since sing-box 1.14.0"
==Server only==
A string or an object.
When string, the tag of a shared [Certificate Provider](/configuration/shared/certificate-provider/).
When object, an inline certificate provider. See [Certificate Provider](/configuration/shared/certificate-provider/) for available types and fields.
## Custom TLS support
!!! info "QUIC support"
Only ECH is supported in QUIC.
#### utls
==Client only==
!!! failure "Not Recommended"
uTLS has had repeated fingerprinting vulnerabilities discovered by researchers.
uTLS is a Go library that attempts to imitate browser TLS fingerprints by copying
ClientHello structure. However, browsers use completely different TLS stacks
(Chrome uses BoringSSL, Firefox uses NSS) with distinct implementation behaviors
that cannot be replicated by simply copying the handshake format, making detection possible.
Additionally, the library lacks active maintenance and has poor code quality,
making it unsuitable for censorship circumvention.
For TLS fingerprint resistance, use [NaiveProxy](/configuration/inbound/naive/) instead.
uTLS is a fork of "crypto/tls", which provides ClientHello fingerprinting resistance.
Available fingerprint values:
!!! warning "Removed since sing-box 1.10.0"
Some legacy chrome fingerprints have been removed and will fallback to chrome:
:material-close: chrome_psk
:material-close: chrome_psk_shuffle
:material-close: chrome_padding_psk_shuffle
:material-close: chrome_pq
:material-close: chrome_pq_psk
* chrome
* firefox
* edge
* safari
* 360
* qq
* ios
* android
* random
* randomized
Chrome fingerprint will be used if empty.
### ECH Fields
ECH (Encrypted Client Hello) is a TLS extension that allows a client to encrypt the first part of its ClientHello
message.
The ECH key and configuration can be generated by `sing-box generate ech-keypair`.
#### pq_signature_schemes_enabled
!!! failure "Deprecated in sing-box 1.12.0"
`pq_signature_schemes_enabled` is deprecated in sing-box 1.12.0 and removed in sing-box 1.13.0.
Enable support for post-quantum peer certificate signature schemes.
#### dynamic_record_sizing_disabled
!!! failure "Deprecated in sing-box 1.12.0"
`dynamic_record_sizing_disabled` is deprecated in sing-box 1.12.0 and removed in sing-box 1.13.0.
Disables adaptive sizing of TLS records.
When true, the largest possible TLS record size is always used.
When false, the size of TLS records may be adjusted in an attempt to improve latency.
#### key
==Server only==
ECH key line array, in PEM format.
#### key_path
==Server only==
!!! note ""
Will be automatically reloaded if file modified.
The path to ECH key, in PEM format.
#### config
==Client only==
ECH configuration line array, in PEM format.
If empty, load from DNS will be attempted.
#### config_path
==Client only==
The path to ECH configuration, in PEM format.
If empty, load from DNS will be attempted.
#### query_server_name
!!! question "Since sing-box 1.13.0"
==Client only==
Overrides the domain name used for ECH HTTPS record queries.
If empty, `server_name` is used for queries.
#### fragment
!!! question "Since sing-box 1.12.0"
==Client only==
Fragment TLS handshakes to bypass firewalls.
This feature is intended to circumvent simple firewalls based on **plaintext packet matching**,
and should not be used to circumvent real censorship.
Due to poor performance, try `record_fragment` first, and only apply to server names known to be blocked.
On Linux, Apple platforms, (administrator privileges required) Windows,
the wait time can be automatically detected. Otherwise, it will fall back to
waiting for a fixed time specified by `fragment_fallback_delay`.
In addition, if the actual wait time is less than 20ms, it will also fall back to waiting for a fixed time,
because the target is considered to be local or behind a transparent proxy.
#### fragment_fallback_delay
!!! question "Since sing-box 1.12.0"
==Client only==
The fallback value used when TLS segmentation cannot automatically determine the wait time.
`500ms` is used by default.
#### record_fragment
!!! question "Since sing-box 1.12.0"
==Client only==
Fragment TLS handshake into multiple TLS records to bypass firewalls.
### ACME Fields
!!! failure "Deprecated in sing-box 1.14.0"
Inline ACME options are deprecated in sing-box 1.14.0 and will be removed in sing-box 1.16.0, check [Migration](/migration/#migrate-inline-acme-to-certificate-provider).
#### domain
List of domain.
ACME will be disabled if empty.
#### data_directory
The directory to store ACME data.
`$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic` will be used if empty.
#### default_server_name
Server name to use when choosing a certificate if the ClientHello's ServerName field is empty.
#### email
The email address to use when creating or selecting an existing ACME server account
#### provider
The ACME CA provider to use.
| Value | Provider |
|-------------------------|---------------|
| `letsencrypt (default)` | Let's Encrypt |
| `zerossl` | ZeroSSL |
| `https://...` | Custom |
#### disable_http_challenge
Disable all HTTP challenges.
#### disable_tls_alpn_challenge
Disable all TLS-ALPN challenges
#### alternative_http_port
The alternate port to use for the ACME HTTP challenge; if non-empty, this port will be used instead of 80 to spin up a
listener for the HTTP challenge.
#### alternative_tls_port
The alternate port to use for the ACME TLS-ALPN challenge; the system must forward 443 to this port for challenge to
succeed.
#### external_account
EAB (External Account Binding) contains information necessary to bind or map an ACME account to some other account known
by the CA.
External account bindings are "used to associate an ACME account with an existing account in a non-ACME system, such as
a CA customer database.
To enable ACME account binding, the CA operating the ACME server needs to provide the ACME client with a MAC key and a
key identifier, using some mechanism outside of ACME. §7.3.4
#### external_account.key_id
The key identifier.
#### external_account.mac_key
The MAC key.
#### dns01_challenge
ACME DNS01 challenge field. If configured, other challenge methods will be disabled.
See [DNS01 Challenge Fields](/configuration/shared/dns01_challenge/) for details.
### Reality Fields
#### handshake
==Server only==
==Required==
Handshake server address and [Dial Fields](/configuration/shared/dial/).
#### private_key
==Server only==
==Required==
Private key, generated by `sing-box generate reality-keypair`.
#### public_key
==Client only==
==Required==
Public key, generated by `sing-box generate reality-keypair`.
#### short_id
==Required==
A hexadecimal string with zero to eight digits.
#### max_time_difference
==Server only==
The maximum time difference between the server and the client.
Check disabled if empty.

695
docs/configuration/shared/tls.zh.md Normal file
View File

@@ -0,0 +1,695 @@
---
icon: material/new-box
---
!!! quote "sing-box 1.14.0 中的更改"
:material-plus: [certificate_provider](#certificate_provider)
:material-delete-clock: [acme](#acme-字段)
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: [kernel_tx](#kernel_tx)
:material-plus: [kernel_rx](#kernel_rx)
:material-plus: [curve_preferences](#curve_preferences)
:material-plus: [certificate_public_key_sha256](#certificate_public_key_sha256)
:material-plus: [client_certificate](#client_certificate)
:material-plus: [client_certificate_path](#client_certificate_path)
:material-plus: [client_key](#client_key)
:material-plus: [client_key_path](#client_key_path)
:material-plus: [client_authentication](#client_authentication)
:material-plus: [client_certificate_public_key_sha256](#client_certificate_public_key_sha256)
:material-plus: [ech.query_server_name](#query_server_name)
!!! quote "sing-box 1.12.0 中的更改"
:material-plus: [fragment](#fragment)
:material-plus: [fragment_fallback_delay](#fragment_fallback_delay)
:material-plus: [record_fragment](#record_fragment)
:material-delete-clock: [ech.pq_signature_schemes_enabled](#pq_signature_schemes_enabled)
:material-delete-clock: [ech.dynamic_record_sizing_disabled](#dynamic_record_sizing_disabled)
!!! quote "sing-box 1.10.0 中的更改"
:material-alert-decagram: [utls](#utls)
### 入站
```json
{
"enabled": true,
"server_name": "",
"alpn": [],
"min_version": "",
"max_version": "",
"cipher_suites": [],
"curve_preferences": [],
"certificate": [],
"certificate_path": "",
"client_authentication": "",
"client_certificate": [],
"client_certificate_path": [],
"client_certificate_public_key_sha256": [],
"key": [],
"key_path": "",
"kernel_tx": false,
"kernel_rx": false,
"certificate_provider": "",
// 废弃的
"acme": {
"domain": [],
"data_directory": "",
"default_server_name": "",
"email": "",
"provider": "",
"disable_http_challenge": false,
"disable_tls_alpn_challenge": false,
"alternative_http_port": 0,
"alternative_tls_port": 0,
"external_account": {
"key_id": "",
"mac_key": ""
},
"dns01_challenge": {}
},
"ech": {
"enabled": false,
"key": [],
"key_path": "",
// 废弃的
"pq_signature_schemes_enabled": false,
"dynamic_record_sizing_disabled": false
},
"reality": {
"enabled": false,
"handshake": {
"server": "google.com",
"server_port": 443,
... // 拨号字段
},
"private_key": "UuMBgl7MXTPx9inmQp2UC7Jcnwc6XYbwDNebonM-FCc",
"short_id": [
"0123456789abcdef"
],
"max_time_difference": "1m"
}
}
```
### 出站
```json
{
"enabled": true,
"disable_sni": false,
"server_name": "",
"insecure": false,
"alpn": [],
"min_version": "",
"max_version": "",
"cipher_suites": [],
"curve_preferences": [],
"certificate": "",
"certificate_path": "",
"certificate_public_key_sha256": [],
"client_certificate": [],
"client_certificate_path": "",
"client_key": [],
"client_key_path": "",
"fragment": false,
"fragment_fallback_delay": "",
"record_fragment": false,
"ech": {
"enabled": false,
"config": [],
"config_path": "",
"query_server_name": "",
// 废弃的
"pq_signature_schemes_enabled": false,
"dynamic_record_sizing_disabled": false
},
"utls": {
"enabled": false,
"fingerprint": ""
},
"reality": {
"enabled": false,
"public_key": "jNXHt1yRo0vDuchQlIP6Z0ZvjT3KtzVI-T4E7RoLJS0",
"short_id": "0123456789abcdef"
}
}
```
TLS 版本值:
* `1.0`
* `1.1`
* `1.2`
* `1.3`
密码套件值:
* `TLS_RSA_WITH_AES_128_CBC_SHA`
* `TLS_RSA_WITH_AES_256_CBC_SHA`
* `TLS_RSA_WITH_AES_128_GCM_SHA256`
* `TLS_RSA_WITH_AES_256_GCM_SHA384`
* `TLS_AES_128_GCM_SHA256`
* `TLS_AES_256_GCM_SHA384`
* `TLS_CHACHA20_POLY1305_SHA256`
* `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`
* `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`
* `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`
* `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`
* `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
* `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
* `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
* `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
* `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`
* `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`
!!! note ""
当内容只有一项时,可以忽略 JSON 数组 [] 标签
### 字段
#### enabled
启用 TLS
#### disable_sni
==仅客户端==
不要在 ClientHello 中发送服务器名称.
#### server_name
用于验证返回证书上的主机名,除非设置不安全。
它还包含在 ClientHello 中以支持虚拟主机,除非它是 IP 地址。
#### insecure
==仅客户端==
接受任何服务器证书。
#### alpn
支持的应用层协议协商列表,按优先顺序排列。
如果两个对等点都支持 ALPN则选择的协议将是此列表中的一个如果没有相互支持的协议则连接将失败。
参阅 [Application-Layer Protocol Negotiation](https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation)。
#### min_version
可接受的最低 TLS 版本。
默认情况下,当前使用 TLS 1.2 作为客户端的最低要求。作为服务器时使用 TLS 1.0。
#### max_version
可接受的最大 TLS 版本。
默认情况下,当前最高版本为 TLS 1.3。
#### cipher_suites
启用的 TLS 1.01.2 密码套件列表。列表的顺序被忽略。请注意TLS 1.3 的密码套件是不可配置的。
如果为空,则使用安全的默认列表。默认密码套件可能会随着时间的推移而改变。
#### curve_preferences
!!! question "自 sing-box 1.13.0 起"
支持的密钥交换机制集合。列表的顺序被忽略,密钥交换机制通过 Golang 的内部偏好顺序从此列表中选择。
可用值,同时也是默认列表:
* `P256`
* `P384`
* `P521`
* `X25519`
* `X25519MLKEM768`
#### certificate
服务器证书链行数组PEM 格式。
#### certificate_path
!!! note ""
文件更改时将自动重新加载。
服务器证书链路径PEM 格式。
#### certificate_public_key_sha256
!!! question "自 sing-box 1.13.0 起"
==仅客户端==
服务器证书公钥的 SHA-256 哈希列表base64 格式。
要生成证书公钥的 SHA-256 哈希,请使用以下命令:
```bash
# 对于证书文件
openssl x509 -in certificate.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
# 对于远程服务器的证书
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
```
#### client_certificate
!!! question "自 sing-box 1.13.0 起"
==仅客户端==
客户端证书链行数组PEM 格式。
#### client_certificate_path
!!! question "自 sing-box 1.13.0 起"
==仅客户端==
客户端证书链路径PEM 格式。
#### client_key
!!! question "自 sing-box 1.13.0 起"
==仅客户端==
客户端私钥行数组PEM 格式。
#### client_key_path
!!! question "自 sing-box 1.13.0 起"
==仅客户端==
客户端私钥路径PEM 格式。
#### key
==仅服务器==
!!! note ""
文件更改时将自动重新加载。
服务器 PEM 私钥行数组。
#### key_path
==仅服务器==
!!! note ""
文件更改时将自动重新加载。
服务器私钥路径PEM 格式。
#### client_authentication
!!! question "自 sing-box 1.13.0 起"
==仅服务器==
要使用的客户端身份验证类型。
可用值:
* `no`(默认)
* `request`
* `require-any`
* `verify-if-given`
* `require-and-verify`
如果此选项设置为 `verify-if-given``require-and-verify`
则需要 `client_certificate``client_certificate_path``client_certificate_public_key_sha256` 中的一个。
#### client_certificate
!!! question "自 sing-box 1.13.0 起"
==仅服务器==
客户端证书链行数组PEM 格式。
#### client_certificate_path
!!! question "自 sing-box 1.13.0 起"
==仅服务器==
!!! note ""
文件更改时将自动重新加载。
客户端证书链路径列表PEM 格式。
#### client_certificate_public_key_sha256
!!! question "自 sing-box 1.13.0 起"
==仅服务器==
客户端证书公钥的 SHA-256 哈希列表base64 格式。
要生成证书公钥的 SHA-256 哈希,请使用以下命令:
```bash
# 对于证书文件
openssl x509 -in certificate.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
# 对于远程服务器的证书
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
```
#### kernel_tx
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅支持 Linux 5.1+,如果可能,使用较新的内核。
!!! quote ""
仅支持 TLS 1.3。
!!! warning ""
kTLS TX 仅当 `splice(2)` 可用时(两端经过握手后必须为没有附加协议的 TCP 或 TLS才能提高性能否则肯定会降低性能。
启用内核 TLS 发送支持。
#### kernel_rx
!!! question "自 sing-box 1.13.0 起"
!!! quote ""
仅支持 Linux 5.1+,如果可能,使用较新的内核。
!!! quote ""
仅支持 TLS 1.3。
!!! failure ""
即使使用 `splice(2)`kTLS RX 也肯定会降低性能,因此不建议启用。
启用内核 TLS 接收支持。
#### certificate_provider
!!! question "自 sing-box 1.14.0 起"
==仅服务器==
字符串或对象。
为字符串时,共享[证书提供者](/zh/configuration/shared/certificate-provider/)的标签。
为对象时,内联的证书提供者。可用类型和字段参阅[证书提供者](/zh/configuration/shared/certificate-provider/)。
## 自定义 TLS 支持
!!! info "QUIC 支持"
只有 ECH 在 QUIC 中被支持.
#### utls
==仅客户端==
!!! failure "不推荐"
uTLS 已被研究人员多次发现其指纹可被识别的漏洞。
uTLS 是一个试图通过复制 ClientHello 结构来模仿浏览器 TLS 指纹的 Go 库。
然而,浏览器使用完全不同的 TLS 实现Chrome 使用 BoringSSLFirefox 使用 NSS
其实现行为无法通过简单复制握手格式来复现,其行为细节必然存在差异,使得检测成为可能。
此外,此库缺乏积极维护,且代码质量较差,不建议用于反审查场景。
如需 TLS 指纹抵抗,请改用 [NaiveProxy](/zh/configuration/inbound/naive/)。
uTLS 是 "crypto/tls" 的一个分支,它提供了 ClientHello 指纹识别阻力。
可用的指纹值:
!!! warning "已在 sing-box 1.10.0 移除"
一些旧 chrome 指纹已被删除,并将会退到 chrome
:material-close: chrome_psk
:material-close: chrome_psk_shuffle
:material-close: chrome_padding_psk_shuffle
:material-close: chrome_pq
:material-close: chrome_pq_psk
* chrome
* firefox
* edge
* safari
* 360
* qq
* ios
* android
* random
* randomized
默认使用 chrome 指纹。
### ECH 字段
ECH (Encrypted Client Hello) 是一个 TLS 扩展,它允许客户端加密其 ClientHello 的第一部分信息。
ECH 密钥和配置可以通过 `sing-box generate ech-keypair` 生成。
#### pq_signature_schemes_enabled
!!! failure "已在 sing-box 1.12.0 废弃"
`pq_signature_schemes_enabled` 已在 sing-box 1.12.0 废弃且已在 sing-box 1.13.0 中被移除。
启用对后量子对等证书签名方案的支持。
#### dynamic_record_sizing_disabled
!!! failure "已在 sing-box 1.12.0 废弃"
`dynamic_record_sizing_disabled` 已在 sing-box 1.12.0 废弃且已在 sing-box 1.13.0 中被移除。
禁用 TLS 记录的自适应大小调整。
当为 true 时,总是使用最大可能的 TLS 记录大小。
当为 false 时,可能会调整 TLS 记录的大小以尝试改善延迟。
#### key
==仅服务器==
ECH 密钥行数组PEM 格式。
#### key_path
==仅服务器==
!!! note ""
文件更改时将自动重新加载。
ECH 密钥路径PEM 格式。
#### config
==仅客户端==
ECH 配置行数组PEM 格式。
如果为空,将尝试从 DNS 加载。
#### config_path
==仅客户端==
ECH 配置路径PEM 格式。
如果为空,将尝试从 DNS 加载。
#### query_server_name
!!! question "自 sing-box 1.13.0 起"
==仅客户端==
覆盖用于 ECH HTTPS 记录查询的域名。
如果为空,使用 `server_name` 查询。
#### fragment
!!! question "自 sing-box 1.12.0 起"
==仅客户端==
通过分段 TLS 握手数据包来绕过防火墙。
此功能旨在规避基于**明文数据包匹配**的简单防火墙,不应该用于规避真正的审查。
由于性能不佳,请首先尝试 `record_fragment`,且仅应用于已知被阻止的服务器名称。
在 Linux、Apple 平台和需要管理员权限的Windows 系统上,
可以自动检测等待时间。否则,将回退到
等待 `fragment_fallback_delay` 指定的固定时间。
此外,如果实际等待时间少于 20ms也会回退到等待固定时间
因为目标被认为是本地的或在透明代理后面。
#### fragment_fallback_delay
!!! question "自 sing-box 1.12.0 起"
==仅客户端==
当 TLS 分段无法自动确定等待时间时使用的回退值。
默认使用 `500ms`
#### record_fragment
!!! question "自 sing-box 1.12.0 起"
==仅客户端==
将 TLS 握手分段为多个 TLS 记录以绕过防火墙。
### ACME 字段
!!! failure "已在 sing-box 1.14.0 废弃"
内联 ACME 选项已在 sing-box 1.14.0 废弃且将在 sing-box 1.16.0 中被移除,参阅 [迁移指南](/zh/migration/#迁移内联-acme-到证书提供者)。
#### domain
域名列表。
如果为空则禁用 ACME。
#### data_directory
ACME 数据存储目录。
如果为空则使用 `$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic`
#### default_server_name
如果 ClientHello 的 ServerName 字段为空,则选择证书时要使用的服务器名称。
#### email
创建或选择现有 ACME 服务器帐户时使用的电子邮件地址。
#### provider
要使用的 ACME CA 供应商。
| 值 | 供应商 |
|--------------------|---------------|
| `letsencrypt (默认)` | Let's Encrypt |
| `zerossl` | ZeroSSL |
| `https://...` | 自定义 |
#### disable_http_challenge
禁用所有 HTTP 质询。
#### disable_tls_alpn_challenge
禁用所有 TLS-ALPN 质询。
#### alternative_http_port
用于 ACME HTTP 质询的备用端口;如果非空,将使用此端口而不是 80 来启动 HTTP 质询的侦听器。
#### alternative_tls_port
用于 ACME TLS-ALPN 质询的备用端口; 系统必须将 443 转发到此端口以使质询成功。
#### external_account
EAB外部帐户绑定包含将 ACME 帐户绑定或映射到 CA 已知的其他帐户所需的信息。
外部帐户绑定"用于将 ACME 帐户与非 ACME 系统中的现有帐户相关联,例如 CA 客户数据库。
为了启用 ACME 帐户绑定,运行 ACME 服务器的 CA 需要使用 ACME 之外的某种机制向 ACME 客户端提供 MAC 密钥和密钥标识符。§7.3.4
#### external_account.key_id
密钥标识符。
#### external_account.mac_key
MAC 密钥。
#### dns01_challenge
ACME DNS01 验证字段。如果配置,将禁用其他验证方法。
参阅 [DNS01 验证字段](/zh/configuration/shared/dns01_challenge/)。
### Reality 字段
#### handshake
==仅服务器==
==必填==
握手服务器地址和 [拨号参数](/zh/configuration/shared/dial/)。
#### private_key
==仅服务器==
==必填==
私钥,由 `sing-box generate reality-keypair` 生成。
#### public_key
==仅客户端==
==必填==
公钥,由 `sing-box generate reality-keypair` 生成。
#### short_id
==必填==
一个零到八位的十六进制字符串。
#### max_time_difference
==仅服务器==
服务器和客户端之间的最大时间差。
如果为空则禁用检查。

82
docs/configuration/shared/udp-over-tcp.md Normal file
View File

@@ -0,0 +1,82 @@
!!! warning ""
It's a proprietary protocol created by SagerNet, not part of shadowsocks.
The UDP over TCP protocol is used to transmit UDP packets in TCP.
### Structure
```json
{
"enabled": true,
"version": 2
}
```
!!! info ""
The structure can be replaced with a boolean value when the version is not specified.
### Fields
#### enabled
Enable the UDP over TCP protocol.
#### version
The protocol version, `1` or `2`.
2 is used by default.
### Application support
| Project | UoT v1 | UoT v2 |
|--------------|----------------------|----------------------|
| sing-box | v0 (2022/08/11) | v1.2-beta9 |
| Clash.Meta | v1.12.0 (2022/07/02) | v1.14.3 (2023/03/31) |
| Shadowrocket | v2.2.12 (2022/08/13) | / |
### Protocol details
#### Protocol version 1
The client requests the magic address to the upper layer proxy protocol to indicate the request: `sp.udp-over-tcp.arpa`
#### Stream format
| ATYP | address | port | length | data |
|------|----------|-------|--------|----------|
| u8 | variable | u16be | u16be | variable |
**ATYP / address / port**: Uses the SOCKS address format, but with different address types:
| ATYP | Address type |
|--------|--------------|
| `0x00` | IPv4 Address |
| `0x01` | IPv6 Address |
| `0x02` | Domain Name |
#### Protocol version 2
Protocol version 2 uses a new magic address: `sp.v2.udp-over-tcp.arpa`
##### Request format
| isConnect | ATYP | address | port |
|-----------|------|----------|-------|
| u8 | u8 | variable | u16be |
**isConnect**: Set to 1 to indicates that the stream uses the connect format, 0 to disable.
**ATYP / address / port**: Request destination, uses the SOCKS address format.
##### Connect stream format
| length | data |
|--------|----------|
| u16be | variable |
##### Non-connect stream format
As the same as the stream format in protocol version 1.

82
docs/configuration/shared/udp-over-tcp.zh.md Normal file
View File

@@ -0,0 +1,82 @@
!!! warning ""
这是 SagerNet 创建的专有协议,不是 shadowsocks 的一部分。
UDP over TCP 协议用于在 TCP 中传输 UDP 数据包。
### 结构
```json
{
"enabled": true,
"version": 2
}
```
!!! info ""
当不指定版本时,结构可以用布尔值替换。
### 字段
#### enabled
启用 UDP over TCP 协议。
#### version
协议版本,`1``2`
默认使用 2。
### 应用程序支持
| 项目 | UoT v1 | UoT v2 |
|--------------|----------------------|----------------------|
| sing-box | v0 (2022/08/11) | v1.2-beta9 |
| Clash.Meta | v1.12.0 (2022/07/02) | v1.14.3 (2023/03/31) |
| Shadowrocket | v2.2.12 (2022/08/13) | / |
### 协议详情
#### 协议版本 1
客户端向上层代理协议请求魔法地址以表示请求:`sp.udp-over-tcp.arpa`
#### 流格式
| ATYP | 地址 | 端口 | 长度 | 数据 |
|------|----------|-------|--------|----------|
| u8 | 可变长 | u16be | u16be | 可变长 |
**ATYP / 地址 / 端口**:使用 SOCKS 地址格式,但使用不同的地址类型:
| ATYP | 地址类型 |
|--------|-----------|
| `0x00` | IPv4 地址 |
| `0x01` | IPv6 地址 |
| `0x02` | 域名 |
#### 协议版本 2
协议版本 2 使用新的魔法地址:`sp.v2.udp-over-tcp.arpa`
##### 请求格式
| isConnect | ATYP | 地址 | 端口 |
|-----------|------|----------|-------|
| u8 | u8 | 可变长 | u16be |
**isConnect**:设置为 1 表示流使用连接格式0 表示禁用。
**ATYP / 地址 / 端口**:请求目标,使用 SOCKS 地址格式。
##### 连接流格式
| 长度 | 数据 |
|--------|----------|
| u16be | 可变长 |
##### 非连接流格式
与协议版本 1 中的流格式相同。

229
docs/configuration/shared/v2ray-transport.md Normal file
View File

@@ -0,0 +1,229 @@
V2Ray Transport is a set of private protocols invented by v2ray, and has contaminated the names of other protocols, such
as `trojan-grpc` in clash.
### Structure
```json
{
"type": ""
}
```
Available transports:
* HTTP
* WebSocket
* QUIC
* gRPC
* HTTPUpgrade
!!! warning "Difference from v2ray-core"
* No TCP transport, plain HTTP is merged into the HTTP transport.
* No mKCP transport.
* No DomainSocket transport.
!!! note ""
You can ignore the JSON Array [] tag when the content is only one item
### HTTP
```json
{
"type": "http",
"host": [],
"path": "",
"method": "",
"headers": {},
"idle_timeout": "15s",
"ping_timeout": "15s"
}
```
!!! warning "Difference from v2ray-core"
TLS is not enforced. If TLS is not configured, plain HTTP 1.1 is used.
#### host
List of host domain.
The client will choose randomly and the server will verify if not empty.
#### path
!!! warning
V2Ray's documentation says that the path between the server and the client must be consistent,
but the actual code allows the client to add any suffix to the path.
sing-box uses the same behavior as V2Ray, but note that the behavior does not exist in `WebSocket` and `HTTPUpgrade` transport.
Path of HTTP request.
The server will verify.
#### method
Method of HTTP request.
The server will verify if not empty.
#### headers
Extra headers of HTTP request.
The server will write in response if not empty.
#### idle_timeout
In HTTP2 server:
Specifies the time until idle clients should be closed with a GOAWAY frame. PING frames are not considered as activity.
In HTTP2 client:
Specifies the period of time after which a health check will be performed using a ping frame if no frames have been
received on the connection.Please note that a ping response is considered a received frame, so if there is no other
traffic on the connection, the health check will be executed every interval. If the value is zero, no health check will
be performed.
Zero is used by default.
#### ping_timeout
In HTTP2 client:
Specifies the timeout duration after sending a PING frame, within which a response must be received.
If a response to the PING frame is not received within the specified timeout duration, the connection will be closed.
The default timeout duration is 15 seconds.
### WebSocket
```json
{
"type": "ws",
"path": "",
"headers": {},
"max_early_data": 0,
"early_data_header_name": ""
}
```
#### path
Path of HTTP request.
The server will verify.
#### headers
Extra headers of HTTP request.
The server will write in response if not empty.
#### max_early_data
Allowed payload size is in the request. Enabled if not zero.
#### early_data_header_name
Early data is sent in path instead of header by default.
To be compatible with Xray-core, set this to `Sec-WebSocket-Protocol`.
It needs to be consistent with the server.
### QUIC
```json
{
"type": "quic"
}
```
!!! warning "Difference from v2ray-core"
No additional encryption support:
It's basically duplicate encryption. And Xray-core is not compatible with v2ray-core in here.
### gRPC
!!! note ""
standard gRPC has good compatibility but poor performance and is not included by default, see [Installation](/installation/build-from-source/#build-tags).
```json
{
"type": "grpc",
"service_name": "TunService",
"idle_timeout": "15s",
"ping_timeout": "15s",
"permit_without_stream": false
}
```
#### service_name
Service name of gRPC.
#### idle_timeout
In standard gRPC server/client:
If the transport doesn't see any activity after a duration of this time,
it pings the client to check if the connection is still active.
In default gRPC server/client:
It has the same behavior as the corresponding setting in HTTP transport.
#### ping_timeout
In standard gRPC server/client:
The timeout that after performing a keepalive check, the client will wait for activity.
If no activity is detected, the connection will be closed.
In default gRPC server/client:
It has the same behavior as the corresponding setting in HTTP transport.
#### permit_without_stream
In standard gRPC client:
If enabled, the client transport sends keepalive pings even with no active connections.
If disabled, when there are no active connections, `idle_timeout` and `ping_timeout` will be ignored and no keepalive
pings will be sent.
Disabled by default.
### HTTPUpgrade
```json
{
"type": "httpupgrade",
"host": "",
"path": "",
"headers": {}
}
```
#### host
Host domain.
The server will verify if not empty.
#### path
Path of HTTP request.
The server will verify.
#### headers
Extra headers of HTTP request.
The server will write in response if not empty.

218
docs/configuration/shared/v2ray-transport.zh.md Normal file
View File

@@ -0,0 +1,218 @@
V2Ray Transport 是 v2ray 发明的一组私有协议,并污染了其他协议的名称,如 clash 中的 `trojan-grpc`
### 结构
```json
{
"type": ""
}
```
可用的传输协议:
* HTTP
* WebSocket
* QUIC
* gRPC
* HTTPUpgrade
!!! warning "与 v2ray-core 的区别"
* 没有 TCP 传输层, 纯 HTTP 已合并到 HTTP 传输层。
* 没有 mKCP 传输层。
* 没有 DomainSocket 传输层。
!!! note ""
当内容只有一项时,可以忽略 JSON 数组 [] 标签。
### HTTP
```json
{
"type": "http",
"host": [],
"path": "",
"method": "",
"headers": {},
"idle_timeout": "15s",
"ping_timeout": "15s"
}
```
!!! warning "与 v2ray-core 的区别"
不强制执行 TLS。如果未配置 TLS将使用纯 HTTP 1.1。
#### host
主机域名列表。
如果设置,客户端将随机选择,服务器将验证。
#### path
!!! warning
V2Ray 文档称服务端和客户端的路径必须一致,但实际代码允许客户端向路径添加任何后缀。
sing-box 使用与 V2Ray 相同的行为,但请注意,该行为在 `WebSocket``HTTPUpgrade` 传输层中不存在。
HTTP 请求路径
服务器将验证。
#### method
HTTP 请求方法
如果设置,服务器将验证。
#### headers
HTTP 请求的额外标头
如果设置,服务器将写入响应。
#### idle_timeout
在 HTTP2 服务器中:
指定闲置客户端应在多长时间内使用 GOAWAY 帧关闭。PING 帧不被视为活动。
在 HTTP2 客户端中:
如果连接上没有收到任何帧,指定一段时间后将使用 PING 帧执行健康检查。需要注意的是PING 响应被视为已接收的帧,因此如果连接上没有其他流量,则健康检查将在每个间隔执行一次。如果值为零,则不会执行健康检查。
默认使用零。
#### ping_timeout
在 HTTP2 客户端中:
指定发送 PING 帧后,在指定的超时时间内必须接收到响应。如果在指定的超时时间内没有收到 PING 帧的响应,则连接将关闭。默认超时持续时间为 15 秒。
### WebSocket
```json
{
"type": "ws",
"path": "",
"headers": {},
"max_early_data": 0,
"early_data_header_name": ""
}
```
#### path
HTTP 请求路径
服务器将验证。
#### headers
HTTP 请求的额外标头
如果设置,服务器将写入响应。
#### max_early_data
请求中允许的最大有效负载大小。默认启用。
#### early_data_header_name
默认情况下,早期数据在路径而不是标头中发送。
要与 Xray-core 兼容,请将其设置为 `Sec-WebSocket-Protocol`
它需要与服务器保持一致。
### QUIC
```json
{
"type": "quic"
}
```
!!! warning "与 v2ray-core 的区别"
没有额外的加密支持:
它基本上是重复加密。 并且 Xray-core 在这里与 v2ray-core 不兼容。
### gRPC
!!! note ""
默认安装不包含标准 gRPC (兼容性好,但性能较差), 参阅 [安装](/zh/installation/build-from-source/#构建标记)。
```json
{
"type": "grpc",
"service_name": "TunService",
"idle_timeout": "15s",
"ping_timeout": "15s",
"permit_without_stream": false
}
```
#### service_name
gRPC 服务名称。
#### idle_timeout
在标准 gRPC 服务器/客户端:
如果传输在此时间段后没有看到任何活动,它会向客户端发送 ping 请求以检查连接是否仍然活动。
在默认 gRPC 服务器/客户端:
它的行为与 HTTP 传输层中的相应设置相同。
#### ping_timeout
在标准 gRPC 服务器/客户端:
经过一段时间之后,客户端将执行 keepalive 检查并等待活动。如果没有检测到任何活动,则会关闭连接。
在默认 gRPC 服务器/客户端:
它的行为与 HTTP 传输层中的相应设置相同。
#### permit_without_stream
在标准 gRPC 客户端:
如果启用,客户端传输即使没有活动连接也会发送 keepalive ping。如果禁用则在没有活动连接时将忽略 `idle_timeout``ping_timeout`,并且不会发送 keepalive ping。
默认禁用。
### HTTPUpgrade
```json
{
"type": "httpupgrade",
"host": "",
"path": "",
"headers": {}
}
```
#### host
主机域名。
服务器将验证。
#### path
HTTP 请求路径
服务器将验证。
#### headers
HTTP 请求的额外标头。
如果设置,服务器将写入响应。

41
docs/configuration/shared/wifi-state.md Normal file
View File

@@ -0,0 +1,41 @@
---
icon: material/new-box
---
# Wi-Fi State
!!! quote "Changes in sing-box 1.13.0"
:material-plus: Linux support
:material-plus: Windows support
sing-box can monitor Wi-Fi state to enable routing rules based on `wifi_ssid` and `wifi_bssid`.
### Platform Support
| Platform | Support | Notes |
|-----------------|------------------|--------------------------|
| Android | :material-check: | In graphical client |
| Apple platforms | :material-check: | In graphical clients |
| Linux | :material-check: | Requires supported daemon |
| Windows | :material-check: | WLAN API |
| Others | :material-close: | |
### Linux
!!! question "Since sing-box 1.13.0"
The following backends are supported and will be auto-detected in order of priority:
| Backend | Interface |
|------------------|-------------|
| NetworkManager | D-Bus |
| IWD | D-Bus |
| wpa_supplicant | Unix socket |
| ConnMan | D-Bus |
### Windows
!!! question "Since sing-box 1.13.0"
Uses Windows WLAN API.

41
docs/configuration/shared/wifi-state.zh.md Normal file
View File

@@ -0,0 +1,41 @@
---
icon: material/new-box
---
# Wi-Fi 状态
!!! quote "sing-box 1.13.0 中的更改"
:material-plus: Linux 支持
:material-plus: Windows 支持
sing-box 可以监控 Wi-Fi 状态,以启用基于 `wifi_ssid``wifi_bssid` 的路由规则。
### 平台支持
| 平台 | 支持 | 备注 |
|-----------------|------------------|----------------|
| Android | :material-check: | 仅图形客户端 |
| Apple 平台 | :material-check: | 仅图形客户端 |
| Linux | :material-check: | 需要支持的守护进程 |
| Windows | :material-check: | WLAN API |
| 其他 | :material-close: | |
### Linux
!!! question "自 sing-box 1.13.0 起"
支持以下后端,将按优先级顺序自动探测:
| 后端 | 接口 |
|------------------|-------------|
| NetworkManager | D-Bus |
| IWD | D-Bus |
| wpa_supplicant | Unix socket |
| ConnMan | D-Bus |
### Windows
!!! question "自 sing-box 1.13.0 起"
使用 Windows WLAN API。