First Commmit

docs/configuration/shared/certificate-provider/acme.md

@@ -0,0 +1,150 @@
+---
+icon: material/new-box
+---
+
+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [account_key](#account_key)  
+    :material-plus: [key_type](#key_type)  
+    :material-plus: [detour](#detour)
+
+# ACME
+
+!!! quote ""
+
+    `with_acme` build tag required.
+
+### Structure
+
+```json
+{
+  "type": "acme",
+  "tag": "",
+
+  "domain": [],
+  "data_directory": "",
+  "default_server_name": "",
+  "email": "",
+  "provider": "",
+  "account_key": "",
+  "disable_http_challenge": false,
+  "disable_tls_alpn_challenge": false,
+  "alternative_http_port": 0,
+  "alternative_tls_port": 0,
+  "external_account": {
+    "key_id": "",
+    "mac_key": ""
+  },
+  "dns01_challenge": {},
+  "key_type": "",
+  "detour": ""
+}
+```
+
+### Fields
+
+#### domain
+
+==Required==
+
+List of domains.
+
+#### data_directory
+
+The directory to store ACME data.
+
+`$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic` will be used if empty.
+
+#### default_server_name
+
+Server name to use when choosing a certificate if the ClientHello's ServerName field is empty.
+
+#### email
+
+The email address to use when creating or selecting an existing ACME server account.
+
+#### provider
+
+The ACME CA provider to use.
+
+| Value                   | Provider      |
+|-------------------------|---------------|
+| `letsencrypt (default)` | Let's Encrypt |
+| `zerossl`               | ZeroSSL       |
+| `https://...`           | Custom        |
+
+When `provider` is `zerossl`, sing-box will automatically request ZeroSSL EAB credentials if `email` is set and
+`external_account` is empty.
+
+When `provider` is `zerossl`, at least one of `external_account`, `email`, or `account_key` is required.
+
+#### account_key
+
+!!! question "Since sing-box 1.14.0"
+
+The PEM-encoded private key of an existing ACME account.
+
+#### disable_http_challenge
+
+Disable all HTTP challenges.
+
+#### disable_tls_alpn_challenge
+
+Disable all TLS-ALPN challenges
+
+#### alternative_http_port
+
+The alternate port to use for the ACME HTTP challenge; if non-empty, this port will be used instead of 80 to spin up a
+listener for the HTTP challenge.
+
+#### alternative_tls_port
+
+The alternate port to use for the ACME TLS-ALPN challenge; the system must forward 443 to this port for challenge to
+succeed.
+
+#### external_account
+
+EAB (External Account Binding) contains information necessary to bind or map an ACME account to some other account known
+by the CA.
+
+External account bindings are used to associate an ACME account with an existing account in a non-ACME system, such as
+a CA customer database.
+
+To enable ACME account binding, the CA operating the ACME server needs to provide the ACME client with a MAC key and a
+key identifier, using some mechanism outside of ACME. §7.3.4
+
+#### external_account.key_id
+
+The key identifier.
+
+#### external_account.mac_key
+
+The MAC key.
+
+#### dns01_challenge
+
+ACME DNS01 challenge field. If configured, other challenge methods will be disabled.
+
+See [DNS01 Challenge Fields](/configuration/shared/dns01_challenge/) for details.
+
+#### key_type
+
+!!! question "Since sing-box 1.14.0"
+
+The private key type to generate for new certificates.
+
+| Value      | Type    |
+|------------|---------|
+| `ed25519`  | Ed25519 |
+| `p256`     | P-256   |
+| `p384`     | P-384   |
+| `rsa2048`  | RSA     |
+| `rsa4096`  | RSA     |
+
+#### detour
+
+!!! question "Since sing-box 1.14.0"
+
+The tag of the upstream outbound.
+
+All provider HTTP requests will use this outbound.

docs/configuration/shared/certificate-provider/acme.zh.md

@@ -0,0 +1,145 @@
+---
+icon: material/new-box
+---
+
+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [account_key](#account_key)  
+    :material-plus: [key_type](#key_type)  
+    :material-plus: [detour](#detour)
+
+# ACME
+
+!!! quote ""
+
+    需要 `with_acme` 构建标签。
+
+### 结构
+
+```json
+{
+  "type": "acme",
+  "tag": "",
+
+  "domain": [],
+  "data_directory": "",
+  "default_server_name": "",
+  "email": "",
+  "provider": "",
+  "account_key": "",
+  "disable_http_challenge": false,
+  "disable_tls_alpn_challenge": false,
+  "alternative_http_port": 0,
+  "alternative_tls_port": 0,
+  "external_account": {
+    "key_id": "",
+    "mac_key": ""
+  },
+  "dns01_challenge": {},
+  "key_type": "",
+  "detour": ""
+}
+```
+
+### 字段
+
+#### domain
+
+==必填==
+
+域名列表。
+
+#### data_directory
+
+ACME 数据存储目录。
+
+如果为空则使用 `$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic`。
+
+#### default_server_name
+
+如果 ClientHello 的 ServerName 字段为空，则选择证书时要使用的服务器名称。
+
+#### email
+
+创建或选择现有 ACME 服务器帐户时使用的电子邮件地址。
+
+#### provider
+
+要使用的 ACME CA 提供商。
+
+| 值                  | 提供商           |
+|--------------------|---------------|
+| `letsencrypt (默认)` | Let's Encrypt |
+| `zerossl`          | ZeroSSL       |
+| `https://...`      | 自定义           |
+
+当 `provider` 为 `zerossl` 时，如果设置了 `email` 且未设置 `external_account`，
+sing-box 会自动向 ZeroSSL 请求 EAB 凭据。
+
+当 `provider` 为 `zerossl` 时，必须至少设置 `external_account`、`email` 或 `account_key` 之一。
+
+#### account_key
+
+!!! question "自 sing-box 1.14.0 起"
+
+现有 ACME 帐户的 PEM 编码私钥。
+
+#### disable_http_challenge
+
+禁用所有 HTTP 质询。
+
+#### disable_tls_alpn_challenge
+
+禁用所有 TLS-ALPN 质询。
+
+#### alternative_http_port
+
+用于 ACME HTTP 质询的备用端口；如果非空，将使用此端口而不是 80 来启动 HTTP 质询的侦听器。
+
+#### alternative_tls_port
+
+用于 ACME TLS-ALPN 质询的备用端口； 系统必须将 443 转发到此端口以使质询成功。
+
+#### external_account
+
+EAB（外部帐户绑定）包含将 ACME 帐户绑定或映射到 CA 已知的其他帐户所需的信息。
+
+外部帐户绑定用于将 ACME 帐户与非 ACME 系统中的现有帐户相关联，例如 CA 客户数据库。
+
+为了启用 ACME 帐户绑定，运行 ACME 服务器的 CA 需要使用 ACME 之外的某种机制向 ACME 客户端提供 MAC 密钥和密钥标识符。§7.3.4
+
+#### external_account.key_id
+
+密钥标识符。
+
+#### external_account.mac_key
+
+MAC 密钥。
+
+#### dns01_challenge
+
+ACME DNS01 质询字段。如果配置，将禁用其他质询方法。
+
+参阅 [DNS01 质询字段](/zh/configuration/shared/dns01_challenge/)。
+
+#### key_type
+
+!!! question "自 sing-box 1.14.0 起"
+
+为新证书生成的私钥类型。
+
+| 值         | 类型      |
+|-----------|----------|
+| `ed25519` | Ed25519 |
+| `p256`    | P-256   |
+| `p384`    | P-384   |
+| `rsa2048` | RSA     |
+| `rsa4096` | RSA     |
+
+#### detour
+
+!!! question "自 sing-box 1.14.0 起"
+
+上游出站的标签。
+
+所有提供者 HTTP 请求将使用此出站。

docs/configuration/shared/certificate-provider/cloudflare-origin-ca.md

@@ -0,0 +1,82 @@
+---
+icon: material/new-box
+---
+
+!!! question "Since sing-box 1.14.0"
+
+# Cloudflare Origin CA
+
+### Structure
+
+```json
+{
+  "type": "cloudflare-origin-ca",
+  "tag": "",
+
+  "domain": [],
+  "data_directory": "",
+  "api_token": "",
+  "origin_ca_key": "",
+  "request_type": "",
+  "requested_validity": 0,
+  "detour": ""
+}
+```
+
+### Fields
+
+#### domain
+
+==Required==
+
+List of domain names or wildcard domain names to include in the certificate.
+
+#### data_directory
+
+Root directory used to store the issued certificate, private key, and metadata.
+
+If empty, sing-box uses the same default data directory as the ACME certificate provider:
+`$XDG_DATA_HOME/certmagic` or `$HOME/.local/share/certmagic`.
+
+#### api_token
+
+Cloudflare API token used to create the certificate.
+
+Get or create one in [Cloudflare Dashboard > My Profile > API Tokens](https://dash.cloudflare.com/profile/api-tokens).
+
+Requires the `Zone / SSL and Certificates / Edit` permission.
+
+Conflict with `origin_ca_key`.
+
+#### origin_ca_key
+
+Cloudflare Origin CA Key.
+
+Get it in [Cloudflare Dashboard > My Profile > API Tokens > API Keys > Origin CA Key](https://dash.cloudflare.com/profile/api-tokens).
+
+Conflict with `api_token`.
+
+#### request_type
+
+The signature type to request from Cloudflare.
+
+| Value                | Type        |
+|----------------------|-------------|
+| `origin-rsa`         | RSA         |
+| `origin-ecc`         | ECDSA P-256 |
+
+`origin-rsa` is used if empty.
+
+#### requested_validity
+
+The requested certificate validity in days.
+
+Available values: `7`, `30`, `90`, `365`, `730`, `1095`, `5475`.
+
+`5475` days (15 years) is used if empty.
+
+#### detour
+
+The tag of the upstream outbound.
+
+All provider HTTP requests will use this outbound.

docs/configuration/shared/certificate-provider/cloudflare-origin-ca.zh.md

@@ -0,0 +1,82 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.14.0 起"
+
+# Cloudflare Origin CA
+
+### 结构
+
+```json
+{
+  "type": "cloudflare-origin-ca",
+  "tag": "",
+
+  "domain": [],
+  "data_directory": "",
+  "api_token": "",
+  "origin_ca_key": "",
+  "request_type": "",
+  "requested_validity": 0,
+  "detour": ""
+}
+```
+
+### 字段
+
+#### domain
+
+==必填==
+
+要写入证书的域名或通配符域名列表。
+
+#### data_directory
+
+保存签发证书、私钥和元数据的根目录。
+
+如果为空，sing-box 会使用与 ACME 证书提供者相同的默认数据目录：
+`$XDG_DATA_HOME/certmagic` 或 `$HOME/.local/share/certmagic`。
+
+#### api_token
+
+用于创建证书的 Cloudflare API Token。
+
+可在 [Cloudflare Dashboard > My Profile > API Tokens](https://dash.cloudflare.com/profile/api-tokens) 获取或创建。
+
+需要 `Zone / SSL and Certificates / Edit` 权限。
+
+与 `origin_ca_key` 冲突。
+
+#### origin_ca_key
+
+Cloudflare Origin CA Key。
+
+可在 [Cloudflare Dashboard > My Profile > API Tokens > API Keys > Origin CA Key](https://dash.cloudflare.com/profile/api-tokens) 获取。
+
+与 `api_token` 冲突。
+
+#### request_type
+
+向 Cloudflare 请求的签名类型。
+
+| 值                   | 类型        |
+|----------------------|-------------|
+| `origin-rsa`         | RSA         |
+| `origin-ecc`         | ECDSA P-256 |
+
+如果为空，使用 `origin-rsa`。
+
+#### requested_validity
+
+请求的证书有效期，单位为天。
+
+可用值：`7`、`30`、`90`、`365`、`730`、`1095`、`5475`。
+
+如果为空，使用 `5475` 天（15 年）。
+
+#### detour
+
+上游出站的标签。
+
+所有提供者 HTTP 请求将使用此出站。

docs/configuration/shared/certificate-provider/index.md

@@ -0,0 +1,32 @@
+---
+icon: material/new-box
+---
+
+!!! question "Since sing-box 1.14.0"
+
+# Certificate Provider
+
+### Structure
+
+```json
+{
+  "certificate_providers": [
+    {
+      "type": "",
+      "tag": ""
+    }
+  ]
+}
+```
+
+### Fields
+
+| Type   | Format           |
+|--------|------------------|
+| `acme` | [ACME](/configuration/shared/certificate-provider/acme)   |
+| `tailscale` | [Tailscale](/configuration/shared/certificate-provider/tailscale) |
+| `cloudflare-origin-ca` | [Cloudflare Origin CA](/configuration/shared/certificate-provider/cloudflare-origin-ca) |
+
+#### tag
+
+The tag of the certificate provider.

docs/configuration/shared/certificate-provider/index.zh.md

@@ -0,0 +1,32 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.14.0 起"
+
+# 证书提供者
+
+### 结构
+
+```json
+{
+  "certificate_providers": [
+    {
+      "type": "",
+      "tag": ""
+    }
+  ]
+}
+```
+
+### 字段
+
+| 类型   | 格式             |
+|--------|------------------|
+| `acme` | [ACME](/zh/configuration/shared/certificate-provider/acme)   |
+| `tailscale` | [Tailscale](/zh/configuration/shared/certificate-provider/tailscale) |
+| `cloudflare-origin-ca` | [Cloudflare Origin CA](/zh/configuration/shared/certificate-provider/cloudflare-origin-ca) |
+
+#### tag
+
+证书提供者的标签。

docs/configuration/shared/certificate-provider/tailscale.md

@@ -0,0 +1,27 @@
+---
+icon: material/new-box
+---
+
+!!! question "Since sing-box 1.14.0"
+
+# Tailscale
+
+### Structure
+
+```json
+{
+  "type": "tailscale",
+  "tag": "ts-cert",
+  "endpoint": "ts-ep"
+}
+```
+
+### Fields
+
+#### endpoint
+
+==Required==
+
+The tag of the [Tailscale endpoint](/configuration/endpoint/tailscale/) to reuse.
+
+[MagicDNS and HTTPS](https://tailscale.com/kb/1153/enabling-https) must be enabled in the Tailscale admin console.

docs/configuration/shared/certificate-provider/tailscale.zh.md

@@ -0,0 +1,27 @@
+---
+icon: material/new-box
+---
+
+!!! question "自 sing-box 1.14.0 起"
+
+# Tailscale
+
+### 结构
+
+```json
+{
+  "type": "tailscale",
+  "tag": "ts-cert",
+  "endpoint": "ts-ep"
+}
+```
+
+### 字段
+
+#### endpoint
+
+==必填==
+
+要复用的 [Tailscale 端点](/zh/configuration/endpoint/tailscale/) 的标签。
+
+必须在 Tailscale 管理控制台中启用 [MagicDNS 和 HTTPS](https://tailscale.com/kb/1153/enabling-https)。