First Commit
150
docs/configuration/shared/certificate-provider/acme.md
Normal file
@@ -0,0 +1,150 @@
---
icon: material/new-box
---

!!! quote "Changes in sing-box 1.14.0"

:material-plus: [account_key](#account_key)
:material-plus: [key_type](#key_type)
:material-plus: [detour](#detour)

# ACME

!!! quote ""

`with_acme` build tag required.

### Structure

```json
{
"type": "acme",
"tag": "",

"domain": [],
"data_directory": "",
"default_server_name": "",
"email": "",
"provider": "",
"account_key": "",
"disable_http_challenge": false,
"disable_tls_alpn_challenge": false,
"alternative_http_port": 0,
"alternative_tls_port": 0,
"external_account": {
"key_id": "",
"mac_key": ""
},
"dns01_challenge": {},
"key_type": "",
"detour": ""
}
```

### Fields

#### domain

==Required==

List of domains.

#### data_directory

The directory to store ACME data.

`$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic` will be used if empty.

#### default_server_name

Server name to use when choosing a certificate if the ClientHello's ServerName field is empty.

#### email

The email address to use when creating or selecting an existing ACME server account.

#### provider

The ACME CA provider to use.

| Value | Provider |
|-------------------------|---------------|
| `letsencrypt (default)` | Let's Encrypt |
| `zerossl` | ZeroSSL |
| `https://...` | Custom |

When `provider` is `zerossl`, sing-box will automatically request ZeroSSL EAB credentials if `email` is set and
`external_account` is empty.

When `provider` is `zerossl`, at least one of `external_account`, `email`, or `account_key` is required.

#### account_key

!!! question "Since sing-box 1.14.0"

The PEM-encoded private key of an existing ACME account.

#### disable_http_challenge

Disable all HTTP challenges.

#### disable_tls_alpn_challenge

Disable all TLS-ALPN challenges

#### alternative_http_port

The alternate port to use for the ACME HTTP challenge; if non-empty, this port will be used instead of 80 to spin up a
listener for the HTTP challenge.

#### alternative_tls_port

The alternate port to use for the ACME TLS-ALPN challenge; the system must forward 443 to this port for challenge to
succeed.

#### external_account

EAB (External Account Binding) contains information necessary to bind or map an ACME account to some other account known
by the CA.

External account bindings are used to associate an ACME account with an existing account in a non-ACME system, such as
a CA customer database.

To enable ACME account binding, the CA operating the ACME server needs to provide the ACME client with a MAC key and a
key identifier, using some mechanism outside of ACME. §7.3.4

#### external_account.key_id

The key identifier.

#### external_account.mac_key

The MAC key.

#### dns01_challenge

ACME DNS01 challenge field. If configured, other challenge methods will be disabled.

See [DNS01 Challenge Fields](/configuration/shared/dns01_challenge/) for details.

#### key_type

!!! question "Since sing-box 1.14.0"

The private key type to generate for new certificates.

| Value | Type |
|------------|---------|
| `ed25519` | Ed25519 |
| `p256` | P-256 |
| `p384` | P-384 |
| `rsa2048` | RSA |
| `rsa4096` | RSA |

#### detour

!!! question "Since sing-box 1.14.0"

The tag of the upstream outbound.

All provider HTTP requests will use this outbound.
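Review bot: in the `provider` table the default marker sits inside the code span (`` `letsencrypt (default)` ``), so the row reads as if the literal value were `letsencrypt (default)`; write `` `letsencrypt` `` and put "(default)" outside the backticks. The two "When `provider` is `zerossl`" paragraphs overlap (EAB is requested automatically when `email` is set and `external_account` is empty; at least one of `external_account`, `email` or `account_key` is required) and would be clearer merged into one rule. `key_type` lists both `rsa2048` and `rsa4096` only as "RSA" and gives no default for an empty value, unlike the other fields with defaults on this page; add the key sizes and the default. `account_key` carries a PEM private key inline in the configuration, so a sentence on keeping that file's permissions tight would help readers. Minor: `disable_tls_alpn_challenge` is missing its trailing period, "for challenge to succeed" under `alternative_tls_port` needs "the", and the bare "§7.3.4" after the `external_account` text should name the specification it refers to (RFC 8555).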
145
docs/configuration/shared/certificate-provider/acme.zh.md
Normal file
145
docs/configuration/shared/certificate-provider/acme.zh.md
Normal file
@@ -0,0 +1,145 @@
---
icon: material/new-box
---

!!! quote "sing-box 1.14.0 中的更改"

:material-plus: [account_key](#account_key)
:material-plus: [key_type](#key_type)
:material-plus: [detour](#detour)

# ACME

!!! quote ""

需要 `with_acme` 构建标签。

### 结构

```json
{
"type": "acme",
"tag": "",

"domain": [],
"data_directory": "",
"default_server_name": "",
"email": "",
"provider": "",
"account_key": "",
"disable_http_challenge": false,
"disable_tls_alpn_challenge": false,
"alternative_http_port": 0,
"alternative_tls_port": 0,
"external_account": {
"key_id": "",
"mac_key": ""
},
"dns01_challenge": {},
"key_type": "",
"detour": ""
}
```

### 字段

#### domain

==必填==

域名列表。

#### data_directory

ACME 数据存储目录。

如果为空则使用 `$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic`。

#### default_server_name

如果 ClientHello 的 ServerName 字段为空,则选择证书时要使用的服务器名称。

#### email

创建或选择现有 ACME 服务器帐户时使用的电子邮件地址。

#### provider

要使用的 ACME CA 提供商。

| 值 | 提供商 |
|--------------------|---------------|
| `letsencrypt (默认)` | Let's Encrypt |
| `zerossl` | ZeroSSL |
| `https://...` | 自定义 |

当 `provider` 为 `zerossl` 时,如果设置了 `email` 且未设置 `external_account`,
sing-box 会自动向 ZeroSSL 请求 EAB 凭据。

当 `provider` 为 `zerossl` 时,必须至少设置 `external_account`、`email` 或 `account_key` 之一。

#### account_key

!!! question "自 sing-box 1.14.0 起"

现有 ACME 帐户的 PEM 编码私钥。

#### disable_http_challenge

禁用所有 HTTP 质询。

#### disable_tls_alpn_challenge

禁用所有 TLS-ALPN 质询。

#### alternative_http_port

用于 ACME HTTP 质询的备用端口;如果非空,将使用此端口而不是 80 来启动 HTTP 质询的侦听器。

#### alternative_tls_port

用于 ACME TLS-ALPN 质询的备用端口; 系统必须将 443 转发到此端口以使质询成功。

#### external_account

EAB(外部帐户绑定)包含将 ACME 帐户绑定或映射到 CA 已知的其他帐户所需的信息。

外部帐户绑定用于将 ACME 帐户与非 ACME 系统中的现有帐户相关联,例如 CA 客户数据库。

为了启用 ACME 帐户绑定,运行 ACME 服务器的 CA 需要使用 ACME 之外的某种机制向 ACME 客户端提供 MAC 密钥和密钥标识符。§7.3.4

#### external_account.key_id

密钥标识符。

#### external_account.mac_key

MAC 密钥。

#### dns01_challenge

ACME DNS01 质询字段。如果配置,将禁用其他质询方法。

参阅 [DNS01 质询字段](/zh/configuration/shared/dns01_challenge/)。

#### key_type

!!! question "自 sing-box 1.14.0 起"

为新证书生成的私钥类型。

| 值 | 类型 |
|-----------|----------|
| `ed25519` | Ed25519 |
| `p256` | P-256 |
| `p384` | P-384 |
| `rsa2048` | RSA |
| `rsa4096` | RSA |

#### detour

!!! question "自 sing-box 1.14.0 起"

上游出站的标签。

所有提供者 HTTP 请求将使用此出站。
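Review bot: the default marker is again inside the code span in the `provider` table (`` `letsencrypt (默认)` ``); move "(默认)" outside the backticks so the literal value is `letsencrypt`. Under `alternative_tls_port` the text uses an ASCII semicolon followed by a space ("备用端口; 系统") while the neighbouring `alternative_http_port` line uses ";" with no space; make the punctuation consistent. As in the English file, the `key_type` table labels both `rsa2048` and `rsa4096` only as "RSA" and does not say which type is used when the field is empty.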
@@ -0,0 +1,82 @@
---
icon: material/new-box
---

!!! question "Since sing-box 1.14.0"

# Cloudflare Origin CA

### Structure

```json
{
"type": "cloudflare-origin-ca",
"tag": "",

"domain": [],
"data_directory": "",
"api_token": "",
"origin_ca_key": "",
"request_type": "",
"requested_validity": 0,
"detour": ""
}
```

### Fields

#### domain

==Required==

List of domain names or wildcard domain names to include in the certificate.

#### data_directory

Root directory used to store the issued certificate, private key, and metadata.

If empty, sing-box uses the same default data directory as the ACME certificate provider:
`$XDG_DATA_HOME/certmagic` or `$HOME/.local/share/certmagic`.

#### api_token

Cloudflare API token used to create the certificate.

Get or create one in [Cloudflare Dashboard > My Profile > API Tokens](https://dash.cloudflare.com/profile/api-tokens).

Requires the `Zone / SSL and Certificates / Edit` permission.

Conflict with `origin_ca_key`.

#### origin_ca_key

Cloudflare Origin CA Key.

Get it in [Cloudflare Dashboard > My Profile > API Tokens > API Keys > Origin CA Key](https://dash.cloudflare.com/profile/api-tokens).

Conflict with `api_token`.

#### request_type

The signature type to request from Cloudflare.

| Value | Type |
|----------------------|-------------|
| `origin-rsa` | RSA |
| `origin-ecc` | ECDSA P-256 |

`origin-rsa` is used if empty.

#### requested_validity

The requested certificate validity in days.

Available values: `7`, `30`, `90`, `365`, `730`, `1095`, `5475`.

`5475` days (15 years) is used if empty.

#### detour

The tag of the upstream outbound.

All provider HTTP requests will use this outbound.
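Review bot: "Conflict with `origin_ca_key`." and "Conflict with `api_token`." should read "Conflicts with …" (the subject is the field). The `requested_validity` default, `5475` days (15 years), is the largest value in the list; say so explicitly so readers pick a shorter validity deliberately rather than inheriting the maximum, especially since `data_directory` holds the private key for the whole period. The `api_token` section names the permission it needs (`Zone / SSL and Certificates / Edit`), which is good; the `origin_ca_key` section should likewise state that the key is a credential to be kept out of shared configuration, since both are supplied inline.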
@@ -0,0 +1,82 @@
---
icon: material/new-box
---

!!! question "自 sing-box 1.14.0 起"

# Cloudflare Origin CA

### 结构

```json
{
"type": "cloudflare-origin-ca",
"tag": "",

"domain": [],
"data_directory": "",
"api_token": "",
"origin_ca_key": "",
"request_type": "",
"requested_validity": 0,
"detour": ""
}
```

### 字段

#### domain

==必填==

要写入证书的域名或通配符域名列表。

#### data_directory

保存签发证书、私钥和元数据的根目录。

如果为空,sing-box 会使用与 ACME 证书提供者相同的默认数据目录:
`$XDG_DATA_HOME/certmagic` 或 `$HOME/.local/share/certmagic`。

#### api_token

用于创建证书的 Cloudflare API Token。

可在 [Cloudflare Dashboard > My Profile > API Tokens](https://dash.cloudflare.com/profile/api-tokens) 获取或创建。

需要 `Zone / SSL and Certificates / Edit` 权限。

与 `origin_ca_key` 冲突。

#### origin_ca_key

Cloudflare Origin CA Key。

可在 [Cloudflare Dashboard > My Profile > API Tokens > API Keys > Origin CA Key](https://dash.cloudflare.com/profile/api-tokens) 获取。

与 `api_token` 冲突。

#### request_type

向 Cloudflare 请求的签名类型。

| 值 | 类型 |
|----------------------|-------------|
| `origin-rsa` | RSA |
| `origin-ecc` | ECDSA P-256 |

如果为空,使用 `origin-rsa`。

#### requested_validity

请求的证书有效期,单位为天。

可用值:`7`、`30`、`90`、`365`、`730`、`1095`、`5475`。

如果为空,使用 `5475` 天(15 年)。

#### detour

上游出站的标签。

所有提供者 HTTP 请求将使用此出站。
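Review bot: punctuation is mixed within the file: the `data_directory` paragraph ends with an ASCII colon ("默认数据目录:") while `requested_validity` uses the full-width "可用值：", and "Cloudflare Origin CA Key。" pairs an English phrase with a full-width period. Like the English page, the `requested_validity` text should point out that the default `5475` days is the longest value offered, so readers do not take the maximum validity by accident.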
32
docs/configuration/shared/certificate-provider/index.md
Normal file
@@ -0,0 +1,32 @@
---
icon: material/new-box
---

!!! question "Since sing-box 1.14.0"

# Certificate Provider

### Structure

```json
{
"certificate_providers": [
{
"type": "",
"tag": ""
}
]
}
```

### Fields

| Type | Format |
|--------|------------------|
| `acme` | [ACME](/configuration/shared/certificate-provider/acme) |
| `tailscale` | [Tailscale](/configuration/shared/certificate-provider/tailscale) |
| `cloudflare-origin-ca` | [Cloudflare Origin CA](/configuration/shared/certificate-provider/cloudflare-origin-ca) |

#### tag

The tag of the certificate provider.
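Review bot: the `type` field has no heading under "Fields": the table of `acme`, `tailscale` and `cloudflare-origin-ca` appears directly under the section header while `tag` gets its own `#### tag`; add a `#### type` heading above the table so both fields of the structure are documented the same way. The separator row `|--------|------------------|` is also far narrower than the cells below it, which renders fine but is hard to read in source.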
32
docs/configuration/shared/certificate-provider/index.zh.md
Normal file
@@ -0,0 +1,32 @@
---
icon: material/new-box
---

!!! question "自 sing-box 1.14.0 起"

# 证书提供者

### 结构

```json
{
"certificate_providers": [
{
"type": "",
"tag": ""
}
]
}
```

### 字段

| 类型 | 格式 |
|--------|------------------|
| `acme` | [ACME](/zh/configuration/shared/certificate-provider/acme) |
| `tailscale` | [Tailscale](/zh/configuration/shared/certificate-provider/tailscale) |
| `cloudflare-origin-ca` | [Cloudflare Origin CA](/zh/configuration/shared/certificate-provider/cloudflare-origin-ca) |

#### tag

证书提供者的标签。
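Review bot: as in the English index, the `type` field lacks a `#### type` heading; the provider table sits directly under "字段" while `tag` has its own heading. Add the heading so the two structure fields are documented symmetrically, and widen the separator row to match the cells.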
27
docs/configuration/shared/certificate-provider/tailscale.md
Normal file
@@ -0,0 +1,27 @@
---
icon: material/new-box
---

!!! question "Since sing-box 1.14.0"

# Tailscale

### Structure

```json
{
"type": "tailscale",
"tag": "ts-cert",
"endpoint": "ts-ep"
}
```

### Fields

#### endpoint

==Required==

The tag of the [Tailscale endpoint](/configuration/endpoint/tailscale/) to reuse.

[MagicDNS and HTTPS](https://tailscale.com/kb/1153/enabling-https) must be enabled in the Tailscale admin console.
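Review bot: the structure block uses sample values (`"tag": "ts-cert"`, `"endpoint": "ts-ep"`) whereas the ACME and Cloudflare Origin CA pages use empty strings in theirs; either convention works, but the set should be consistent. The `endpoint` section states the MagicDNS/HTTPS prerequisite but not what happens when the referenced endpoint tag does not exist or HTTPS is not enabled; a sentence on that failure mode would save readers a debugging round.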
@@ -0,0 +1,27 @@
---
icon: material/new-box
---

!!! question "自 sing-box 1.14.0 起"

# Tailscale

### 结构

```json
{
"type": "tailscale",
"tag": "ts-cert",
"endpoint": "ts-ep"
}
```

### 字段

#### endpoint

==必填==

要复用的 [Tailscale 端点](/zh/configuration/endpoint/tailscale/) 的标签。

必须在 Tailscale 管理控制台中启用 [MagicDNS 和 HTTPS](https://tailscale.com/kb/1153/enabling-https)。
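Review bot: same points as the English file: the structure block uses sample values (`ts-cert`, `ts-ep`) while the other provider pages use empty strings, and the `endpoint` section does not say how a missing endpoint tag or a tailnet without HTTPS enabled surfaces to the user.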