From f2687a71dd7261e6e40763bb8ac244a9677d6b59 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=B8=96=E7=95=8C?= Date: Mon, 28 Apr 2025 10:31:15 +0800 Subject: [PATCH 1/2] documentation: Bump version --- docs/changelog.md | 205 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 205 insertions(+) diff --git a/docs/changelog.md b/docs/changelog.md index 4fe24664..b7a2bb61 100644 --- a/docs/changelog.md +++ b/docs/changelog.md @@ -2,6 +2,35 @@ icon: material/alert-decagram --- +#### 1.12.0-beta.14 + +* Fixes and improvements + +#### 1.12.0-beta.13 + +* Add TLS record fragment route options **1** +* Add missing `accept_routes` option for Tailscale **2** +* Fixes and improvements + +**1**: + +See [Route Action](/configuration/route/rule_action/#tls_record_fragment). + +**2**: + +See [Tailscale](/configuration/endpoint/tailscale/#accept_routes). + +#### 1.12.0-beta.10 + +* Add control options for listeners **1** +* Fixes and improvements + +**1**: + +You can now set `bind_interface`, `routing_mark` and `reuse_addr` in Listen Fields. + +See [Listen Fields](/configuration/shared/listen/). + ### 1.11.10 * Undeprecate the `block` outbound **1** @@ -15,6 +44,11 @@ we decided to temporarily undeprecate the `block` outbound until a replacement i _We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._ +#### 1.12.0-beta.9 + +* Update quic-go to v0.51.0 +* Fixes and improvements + ### 1.11.9 * Fixes and improvements @@ -22,6 +56,10 @@ violated the rules (TestFlight users are not affected)._ _We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._ +#### 1.12.0-beta.5 + +* Fixes and improvements + ### 1.11.8 * Improve `auto_redirect` **1** 
@@ -35,6 +73,10 @@ see [Tun](/configuration/inbound/tun/#auto_redirect). _We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._ +#### 1.12.0-beta.3 + +* Fixes and improvements + ### 1.11.7 * Fixes and improvements @@ -42,6 +84,15 @@ violated the rules (TestFlight users are not affected)._ _We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._ +#### 1.12.0-beta.1 + +* Fixes and improvements + +**1**: + +Now `auto_redirect` fixes compatibility issues between tun and Docker bridge networks, +see [Tun](/configuration/inbound/tun/#auto_redirect). + ### 1.11.6 * Fixes and improvements @@ -49,6 +100,40 @@ violated the rules (TestFlight users are not affected)._ _We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._ +#### 1.12.0-alpha.19 + +* Update gVisor to 20250319.0 +* Fixes and improvements + +#### 1.12.0-alpha.18 + +* Add wildcard SNI support for ShadowTLS inbound **1** +* Fixes and improvements + +**1**: + +See [ShadowTLS](/configuration/inbound/shadowtls/#wildcard_sni). + +#### 1.12.0-alpha.17 + +* Add NTP sniffer **1** +* Fixes and improvements + +**1**: + +See [Protocol Sniff](/configuration/route/sniff/). + +#### 1.12.0-alpha.16 + +* Update `domain_resolver` behavior **1** +* Fixes and improvements + +**1**: + +`route.default_domain_resolver` or `outbound.domain_resolver` is now optional when only one DNS server is configured. + +See [Dial Fields](/configuration/shared/dial/#domain_resolver). + ### 1.11.5 * Fixes and improvements 
@@ -56,10 +141,71 @@ violated the rules (TestFlight users are not affected)._ _We are temporarily unable to update sing-box apps on the App Store because the reviewer mistakenly found that we violated the rules (TestFlight users are not affected)._ +#### 1.12.0-alpha.13 + +* Move `predefined` DNS server to DNS rule action **1** +* Fixes and improvements + +**1**: + +See [DNS Rule Action](/configuration/dns/rule_action/#predefined). + ### 1.11.4 * Fixes and improvements +#### 1.12.0-alpha.11 + +* Fixes and improvements + +#### 1.12.0-alpha.10 + +* Add AnyTLS protocol **1** +* Improve `resolve` route action **2** +* Migrate to stdlib ECH implementation **3** +* Fixes and improvements + +**1**: + +The new AnyTLS protocol claims to mitigate TLS proxy traffic characteristics and comes with a new multiplexing scheme. + +See [AnyTLS Inbound](/configuration/inbound/anytls/) and [AnyTLS Outbound](/configuration/outbound/anytls/). + +**2**: + +`resolve` route action now accepts `disable_cache` and other options like in DNS route actions, see [Route Action](/configuration/route/rule_action). + +**3**: + +See [TLS](/configuration/shared/tls). + +The build tag `with_ech` is no longer needed and has been removed. + +#### 1.12.0-alpha.7 + +* Add Tailscale DNS server **1** +* Fixes and improvements + +**1**: + +See [Tailscale](/configuration/dns/server/tailscale/). + +#### 1.12.0-alpha.6 + +* Add Tailscale endpoint **1** +* Drop support for go1.22 **2** +* Fixes and improvements + +**1**: + +See [Tailscale](/configuration/endpoint/tailscale/). + +**2**: + +Due to maintenance difficulties, sing-box 1.12.0 requires at least Go 1.23 to compile. + +For Windows 7 users, legacy binaries now continue to compile with Go 1.23 and patches from [MetaCubeX/go](https://github.com/MetaCubeX/go). + ### 1.11.3 * Fixes and improvements 
@@ -67,10 +213,69 @@ violated the rules (TestFlight users are not affected)._ _This version overwrites 1.11.2, as incorrect binaries were released due to a bug in the continuous integration process._ +#### 1.12.0-alpha.5 + +* Fixes and improvements + ### 1.11.1 * Fixes and improvements +#### 1.12.0-alpha.2 + +* Update quic-go to v0.49.0 +* Fixes and improvements + +#### 1.12.0-alpha.1 + +* Refactor DNS servers **1** +* Add domain resolver options**2** +* Add TLS fragment route options **3** +* Add certificate options **4** + +**1**: + +DNS servers are refactored for better performance and scalability. + +See [DNS server](/configuration/dns/server/). + +For migration, see [Migrate to new DNS server formats](/migration/#migrate-to-new-dns-servers). + +Compatibility for old formats will be removed in sing-box 1.14.0. + +**2**: + +Legacy `outbound` DNS rules are deprecated +and can be replaced by the new `domain_resolver` option. + +See [Dial Fields](/configuration/shared/dial/#domain_resolver) and +[Route](/configuration/route/#default_domain_resolver). + +For migration, +see [Migrate outbound DNS rule items to domain resolver](/migration/#migrate-outbound-dns-rule-items-to-domain-resolver). + +**3**: + +The new TLS fragment route options allow you to fragment TLS handshakes to bypass firewalls. + +This feature is intended to circumvent simple firewalls based on **plaintext packet matching**, and should not be used +to circumvent real censorship. + +Since it is not designed for performance, it should not be applied to all connections, but only to server names that are +known to be blocked. + +See [Route Action](/configuration/route/rule_action/#tls_fragment). + +**4**: + +New certificate options allow you to manage the default list of trusted X509 CA certificates. + +For the system certificate list, fixed Go not reading Android trusted certificates correctly. + +You can also use the Mozilla Included List instead, or add trusted certificates yourself. 
+ +See [Certificate](/configuration/certificate/). + ### 1.11.0 Important changes since 1.10:
From 78bb59f0c5c319736a1f896cfdcfbd64baa51a14 Mon Sep 17 00:00:00 2001
From: PuerNya
Date: Thu, 15 May 2025 23:04:56 +0800
Subject: [PATCH 2/2] Support `GET` method for doh
---
 dns/transport/https.go | 22 +++++++++++++++++--
 dns/transport/quic/http3.go | 20 ++++++++++++++++--
 docs/configuration/dns/server/http3.md | 9 ++++++++
 docs/configuration/dns/server/https.md | 9 ++++++++
 option/dns.go | 29 +++++++++++++++++++++++++-
 protocol/tailscale/dns_transport.go | 4 ++--
 6 files changed, 86 insertions(+), 7 deletions(-)
diff --git a/dns/transport/https.go b/dns/transport/https.go
index a13d9116..5b0499f6 100644
--- a/dns/transport/https.go
+++ b/dns/transport/https.go
@@ -3,6 +3,7 @@ package transport
 import (
 "bytes"
 "context"
+ "encoding/base64"
 "io"
 "net"
 "net/http"
@@ -42,6 +43,7 @@ type HTTPSTransport struct {
 logger logger.ContextLogger
 dialer N.Dialer
 destination *url.URL
+ method string
 headers http.Header
 transport *http.Transport
 }
@@ -104,6 +106,7 @@ func NewHTTPS(ctx context.Context, logger log.ContextLogger, tag string, options
 logger,
 transportDialer,
 &destinationURL,
+ options.Method,
 headers,
 serverAddr,
 tlsConfig,
@@ -115,6 +118,7 @@ func NewHTTPSRaw(
 logger log.ContextLogger,
 dialer N.Dialer,
 destination *url.URL,
+ method string,
 headers http.Header,
 serverAddr M.Socksaddr,
 tlsConfig tls.Config,
@@ -147,6 +151,7 @@ func NewHTTPSRaw(
 TransportAdapter: adapter,
 logger: logger,
 dialer: dialer,
+ method: method,
 destination: destination,
 headers: headers,
 transport: transport,
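Review bot: NewHTTPSRaw now stores whatever `method` string it is given, so a caller that passes `""` — the zero value of the pre-existing `Method` option field — builds a transport whose Exchange matches neither switch arm and hands an empty method (which net/http treats as GET) with no body and no `dns` query parameter to the server. Only the JSON path in option/dns.go normalises `""` to POST; the exported raw constructor should do the same before the struct literal: `if method == "" { method = http.MethodPost }`. NewHTTP3 in dns/transport/quic/http3.go stores `options.Method` directly and would benefit from the same guard. NewHTTPSRaw's signature and body begin before this hunk.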
@@ -176,13 +181,26 @@ func (t *HTTPSTransport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS
 requestBuffer.Release()
 return nil, err
 }
- request, err := http.NewRequestWithContext(ctx, http.MethodPost, t.destination.String(), bytes.NewReader(rawMessage))
+ destination := *t.destination
+ var request *http.Request
+ var body io.Reader
+ switch t.method {
+ case http.MethodGet:
+ query := url.Values{}
+ query.Set("dns", base64.RawURLEncoding.EncodeToString(rawMessage))
+ destination.RawQuery = query.Encode()
+ case http.MethodPost:
+ body = bytes.NewReader(rawMessage)
+ }
+ request, err = http.NewRequestWithContext(ctx, t.method, destination.String(), body)
 if err != nil {
 requestBuffer.Release()
 return nil, err
 }
 request.Header = t.headers.Clone()
- request.Header.Set("Content-Type", MimeType)
+ if t.method == http.MethodPost {
+ request.Header.Set("Content-Type", MimeType)
+ }
 request.Header.Set("Accept", MimeType)
 response, err := t.transport.RoundTrip(request)
 requestBuffer.Release()
diff --git a/dns/transport/quic/http3.go b/dns/transport/quic/http3.go
index fd1591a3..037acba1 100644
--- a/dns/transport/quic/http3.go
+++ b/dns/transport/quic/http3.go
@@ -3,6 +3,7 @@ package quic
 import (
 "bytes"
 "context"
+ "encoding/base64"
 "io"
 "net"
 "net/http"
@@ -40,6 +41,7 @@ type HTTP3Transport struct {
 logger logger.ContextLogger
 dialer N.Dialer
 destination *url.URL
+ method string
 headers http.Header
 transport *http3.Transport
 }
@@ -100,6 +102,7 @@ func NewHTTP3(ctx context.Context, logger log.ContextLogger, tag string, options
 logger: logger,
 dialer: transportDialer,
 destination: &destinationURL,
+ method: options.Method,
 headers: headers,
 transport: &http3.Transport{
 Dial: func(ctx context.Context, addr string, tlsCfg *tls.STDConfig, cfg *quic.Config) (quic.EarlyConnection, error) {
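Review bot: The new `switch t.method` in HTTPSTransport.Exchange has no `default` arm, so any value other than GET or POST falls through with a nil body and an unchanged URL and is still passed to `http.NewRequestWithContext` (which maps an empty method to GET); add a `default:` arm that calls `requestBuffer.Release()` and returns an unsupported-method error built with the file's error helper, so the transport fails loudly instead of sending a malformed query. The same twelve lines and the Content-Type guard are duplicated verbatim in HTTP3Transport.Exchange in dns/transport/quic/http3.go (the next Exchange hunk), which already imports this package for `MimeType`; a shared helper such as `func NewDoHRequest(ctx context.Context, method string, destination *url.URL, headers http.Header, rawMessage []byte) (*http.Request, error)` would keep the two in step. The `var request *http.Request` line is redundant, since `request, err := http.NewRequestWithContext(...)` can declare it at the call. For the GET form, RFC 8484 §4.1 recommends a DNS message ID of 0 so the query URL is cache-friendly; whether the caller already zeroes the ID is not visible here. Exchange's body begins and ends outside the hunk.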
@@ -132,13 +135,26 @@ func (t *HTTP3Transport) Exchange(ctx context.Context, message *mDNS.Msg) (*mDNS
 requestBuffer.Release()
 return nil, err
 }
- request, err := http.NewRequestWithContext(ctx, http.MethodPost, t.destination.String(), bytes.NewReader(rawMessage))
+ destination := *t.destination
+ var request *http.Request
+ var body io.Reader
+ switch t.method {
+ case http.MethodGet:
+ query := url.Values{}
+ query.Set("dns", base64.RawURLEncoding.EncodeToString(rawMessage))
+ destination.RawQuery = query.Encode()
+ case http.MethodPost:
+ body = bytes.NewReader(rawMessage)
+ }
+ request, err = http.NewRequestWithContext(ctx, t.method, destination.String(), body)
 if err != nil {
 requestBuffer.Release()
 return nil, err
 }
 request.Header = t.headers.Clone()
- request.Header.Set("Content-Type", transport.MimeType)
+ if t.method == http.MethodPost {
+ request.Header.Set("Content-Type", transport.MimeType)
+ }
 request.Header.Set("Accept", transport.MimeType)
 response, err := t.transport.RoundTrip(request)
 requestBuffer.Release()
diff --git a/docs/configuration/dns/server/http3.md b/docs/configuration/dns/server/http3.md
index dd81ba2d..5d6589f6 100644
--- a/docs/configuration/dns/server/http3.md
+++ b/docs/configuration/dns/server/http3.md
@@ -20,6 +20,7 @@ icon: material/new-box "server_port": 443, "path": "", + "method": "", "headers": {}, "tls": {},
@@ -58,6 +59,14 @@ The path of the DNS server. `/dns-query` will be used by default. +#### method + +The method of the DNS server. + +Only `GET` and `POST` are supported. + +`POST` will be used by default. + #### headers Additional headers to be sent to the DNS server.
diff --git a/docs/configuration/dns/server/https.md b/docs/configuration/dns/server/https.md
index 46e69a55..10f2041e 100644
--- a/docs/configuration/dns/server/https.md
+++ b/docs/configuration/dns/server/https.md
@@ -20,6 +20,7 @@ icon: material/new-box "server_port": 443, "path": "", + "method": "", "headers": {}, "tls": {},
@@ -58,6 +59,14 @@ The path of the DNS server. `/dns-query` will be used by default. +#### method + +The method of the DNS server. + +Only `GET` and `POST` are supported. + +`POST` will be used by default. + #### headers Additional headers to be sent to the DNS server.
diff --git a/option/dns.go b/option/dns.go
index f303b894..bb923eed 100644
--- a/option/dns.go
+++ b/option/dns.go
@@ -2,6 +2,7 @@ package option
 import (
 "context"
+ "net/http"
 "net/netip"
 "net/url"
@@ -371,13 +372,39 @@ type RemoteTLSDNSServerOptions struct {
 OutboundTLSOptionsContainer
 }
-type RemoteHTTPSDNSServerOptions struct {
+type _RemoteHTTPSDNSServerOptions struct {
 RemoteTLSDNSServerOptions
 Path string `json:"path,omitempty"`
 Method string `json:"method,omitempty"`
 Headers badoption.HTTPHeader `json:"headers,omitempty"`
 }
+type RemoteHTTPSDNSServerOptions _RemoteHTTPSDNSServerOptions
+
+func (o *RemoteHTTPSDNSServerOptions) MarshalJSONContext(ctx context.Context) ([]byte, error) {
+ switch o.Method {
+ case http.MethodPost:
+ o.Method = ""
+ }
+ return badjson.MarshallObjectsContext(ctx, (*_RemoteHTTPSDNSServerOptions)(o))
+}
+
+func (o *RemoteHTTPSDNSServerOptions) UnmarshalJSONContext(ctx context.Context, content []byte) error {
+ err := json.UnmarshalContext(ctx, content, (*_RemoteHTTPSDNSServerOptions)(o))
+ if err != nil {
+ return err
+ }
+ switch o.Method {
+ case "", http.MethodPost:
+ o.Method = http.MethodPost
+ case http.MethodGet:
+ o.Method = http.MethodGet
+ default:
+ return E.New("unsupported method")
+ }
+ return nil
+}
+
 type FakeIPDNSServerOptions struct {
 Inet4Range *badoption.Prefix `json:"inet4_range,omitempty"`
 Inet6Range *badoption.Prefix `json:"inet6_range,omitempty"`
diff --git a/protocol/tailscale/dns_transport.go b/protocol/tailscale/dns_transport.go
index 3447b6b2..3c093802 100644
--- a/protocol/tailscale/dns_transport.go
+++ b/protocol/tailscale/dns_transport.go
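Review bot: MarshalJSONContext mutates its receiver — `o.Method = ""` when the method is POST — so if anything serialises the options value (config export, merging, logging) before the transport is built, the in-memory `Method` that NewHTTPS/NewHTTP3 later read is no longer the normalised `POST` that UnmarshalJSONContext produced. Marshal a copy instead: `value := *o`, `if value.Method == http.MethodPost { value.Method = "" }`, `return badjson.MarshallObjectsContext(ctx, (*_RemoteHTTPSDNSServerOptions)(&value))`. In UnmarshalJSONContext the arm `case http.MethodGet: o.Method = http.MethodGet` is a self-assignment and can be an empty `case http.MethodGet:`; matching is also case-sensitive, so `"get"` is rejected, which the docs/configuration/dns/server/https.md text in this commit does not say — either state it there or upper-case the value before the switch. The rejection would be easier to act on with the offending value included, e.g. `return E.New("unsupported method: ", o.Method)`.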
@@ -180,13 +180,13 @@ func (t *DNSTransport) createResolver(directDialer func() N.Dialer, resolver *dn
 tlsConfig := common.Must1(tls.NewClient(t.ctx, serverAddr.AddrString(), option.OutboundTLSOptions{
 ALPN: []string{http2.NextProtoTLS, "http/1.1"},
 }))
- return transport.NewHTTPSRaw(t.TransportAdapter, t.logger, myDialer, serverURL, http.Header{}, serverAddr, tlsConfig), nil
+ return transport.NewHTTPSRaw(t.TransportAdapter, t.logger, myDialer, serverURL, http.MethodPost, http.Header{}, serverAddr, tlsConfig), nil
 case "http":
 serverAddr = M.ParseSocksaddrHostPortStr(serverURL.Hostname(), serverURL.Port())
 if serverAddr.Port == 0 {
 serverAddr.Port = 80
 }
- return transport.NewHTTPSRaw(t.TransportAdapter, t.logger, myDialer, serverURL, http.Header{}, serverAddr, nil), nil
+ return transport.NewHTTPSRaw(t.TransportAdapter, t.logger, myDialer, serverURL, http.MethodPost, http.Header{}, serverAddr, nil), nil
 // case "tls":
 default:
 return nil, E.New("unknown resolver scheme: ", serverURL.Scheme)