documentation: Bump version & Refactor docs

Add wifi_ssid and wifi_bssid route and DNS rules
Update quic-go to v0.40.0
2025-06-13 21:54:13 +08:00 · 2023-11-24 23:01:50 +08:00 · 2023-11-24 23:01:50 +08:00 · 2023-11-24 23:01:50 +08:00 · 2023-11-24 23:01:50 +08:00 · 2023-11-24 23:01:49 +08:00
201 changed files with 4054 additions and 2254 deletions
--- a/10
+++ b/10
@ -14,7 +14,7 @@ MAIN_PARAMS = $(PARAMS) -tags $(TAGS)
 MAIN = ./cmd/sing-box
 PREFIX ?= $(shell go env GOPATH)

-.PHONY: test release
+.PHONY: test release docs

 build:
 	go build $(MAIN_PARAMS) $(MAIN)
@ -182,6 +182,14 @@ lib_install:
 	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20230915142329-c6740b6d2950
 	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20230915142329-c6740b6d2950

+docs:
+	mkdocs serve
+
+publish_docs:
+	mkdocs gh-deploy -m "Update" --force --ignore-version --no-history
+
+docs_install:
+	pip install --force-reinstall mkdocs-material=="9.*" mkdocs-static-i18n=="1.2.*"
 clean:
 	rm -rf bin dist sing-box
 	rm -f $(shell go env GOPATH)/sing-box
--- a/adapter/conn_router.go
+++ b/adapter/conn_router.go
@ -0,0 +1,104 @@
+package adapter
+
+import (
+	"context"
+	"net"
+
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type ConnectionRouter interface {
+	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
+	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
+}
+
+func NewRouteHandler(
+	metadata InboundContext,
+	router ConnectionRouter,
+	logger logger.ContextLogger,
+) UpstreamHandlerAdapter {
+	return &routeHandlerWrapper{
+		metadata: metadata,
+		router:   router,
+		logger:   logger,
+	}
+}
+
+func NewRouteContextHandler(
+	router ConnectionRouter,
+	logger logger.ContextLogger,
+) UpstreamHandlerAdapter {
+	return &routeContextHandlerWrapper{
+		router: router,
+		logger: logger,
+	}
+}
+
+var _ UpstreamHandlerAdapter = (*routeHandlerWrapper)(nil)
+
+type routeHandlerWrapper struct {
+	metadata InboundContext
+	router   ConnectionRouter
+	logger   logger.ContextLogger
+}
+
+func (w *routeHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	myMetadata := w.metadata
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RouteConnection(ctx, conn, myMetadata)
+}
+
+func (w *routeHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+	myMetadata := w.metadata
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RoutePacketConnection(ctx, conn, myMetadata)
+}
+
+func (w *routeHandlerWrapper) NewError(ctx context.Context, err error) {
+	w.logger.ErrorContext(ctx, err)
+}
+
+var _ UpstreamHandlerAdapter = (*routeContextHandlerWrapper)(nil)
+
+type routeContextHandlerWrapper struct {
+	router ConnectionRouter
+	logger logger.ContextLogger
+}
+
+func (w *routeContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	myMetadata := ContextFrom(ctx)
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RouteConnection(ctx, conn, *myMetadata)
+}
+
+func (w *routeContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+	myMetadata := ContextFrom(ctx)
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RoutePacketConnection(ctx, conn, *myMetadata)
+}
+
+func (w *routeContextHandlerWrapper) NewError(ctx context.Context, err error) {
+	w.logger.ErrorContext(ctx, err)
+}
--- a/adapter/router.go
+++ b/adapter/router.go
@ -2,14 +2,12 @@ package adapter

 import (
 	"context"
-	"net"
 	"net/netip"

 	"github.com/sagernet/sing-box/common/geoip"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing-tun"
 	"github.com/sagernet/sing/common/control"
-	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service"

 	mdns "github.com/miekg/dns"
@ -24,8 +22,7 @@ type Router interface {

 	FakeIPStore() FakeIPStore

-	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
-	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
+	ConnectionRouter

 	GeoIPReader() *geoip.Reader
 	LoadGeosite(code string) (Rule, error)
@ -44,6 +41,7 @@ type Router interface {
 	NetworkMonitor() tun.NetworkUpdateMonitor
 	InterfaceMonitor() tun.DefaultInterfaceMonitor
 	PackageManager() tun.PackageManager
+	WIFIState() WIFIState
 	Rules() []Rule

 	ClashServer() ClashServer
@ -81,3 +79,8 @@ type DNSRule interface {
 type InterfaceUpdateListener interface {
 	InterfaceUpdated()
 }
+
+type WIFIState struct {
+	SSID  string
+	BSSID string
+}
--- a/common/dialer/detour.go
+++ b/common/dialer/detour.go
@ -6,6 +6,7 @@ import (
 	"sync"

 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing/common/bufio/deadline"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@ -44,7 +45,14 @@ func (d *DetourDialer) DialContext(ctx context.Context, network string, destinat
 	if err != nil {
 		return nil, err
 	}
-	return dialer.DialContext(ctx, network, destination)
+	conn, err := dialer.DialContext(ctx, network, destination)
+	if err != nil {
+		return nil, err
+	}
+	if deadline.NeedAdditionalReadDeadline(conn) {
+		conn = deadline.NewConn(conn)
+	}
+	return conn, nil
 }

 func (d *DetourDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
--- a/common/mux/client.go
+++ b/common/mux/client.go
@ -1,21 +1,42 @@
 package mux

 import (
+	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-mux"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
 	N "github.com/sagernet/sing/common/network"
 )

-func NewClientWithOptions(dialer N.Dialer, options option.MultiplexOptions) (*Client, error) {
+type Client = mux.Client
+
+func NewClientWithOptions(dialer N.Dialer, logger logger.Logger, options option.OutboundMultiplexOptions) (*Client, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
+	var brutalOptions mux.BrutalOptions
+	if options.Brutal != nil && options.Brutal.Enabled {
+		brutalOptions = mux.BrutalOptions{
+			Enabled:    true,
+			SendBPS:    uint64(options.Brutal.UpMbps * C.MbpsToBps),
+			ReceiveBPS: uint64(options.Brutal.DownMbps * C.MbpsToBps),
+		}
+		if brutalOptions.SendBPS < mux.BrutalMinSpeedBPS {
+			return nil, E.New("brutal: invalid upload speed")
+		}
+		if brutalOptions.ReceiveBPS < mux.BrutalMinSpeedBPS {
+			return nil, E.New("brutal: invalid download speed")
+		}
+	}
 	return mux.NewClient(mux.Options{
 		Dialer:         dialer,
+		Logger:         logger,
 		Protocol:       options.Protocol,
 		MaxConnections: options.MaxConnections,
 		MinStreams:     options.MinStreams,
 		MaxStreams:     options.MaxStreams,
 		Padding:        options.Padding,
+		Brutal:         brutalOptions,
 	})
 }
--- a/common/mux/protocol.go
+++ b/common/mux/protocol.go
@ -1,14 +0,0 @@
-package mux
-
-import (
-	"github.com/sagernet/sing-mux"
-)
-
-type (
-	Client = mux.Client
-)
-
-var (
-	Destination      = mux.Destination
-	HandleConnection = mux.HandleConnection
-)
--- a/common/mux/router.go
+++ b/common/mux/router.go
@ -0,0 +1,65 @@
+package mux
+
+import (
+	"context"
+	"net"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-mux"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type Router struct {
+	router  adapter.ConnectionRouter
+	service *mux.Service
+}
+
+func NewRouterWithOptions(router adapter.ConnectionRouter, logger logger.ContextLogger, options option.InboundMultiplexOptions) (adapter.ConnectionRouter, error) {
+	if !options.Enabled {
+		return router, nil
+	}
+	var brutalOptions mux.BrutalOptions
+	if options.Brutal != nil && options.Brutal.Enabled {
+		brutalOptions = mux.BrutalOptions{
+			Enabled:    true,
+			SendBPS:    uint64(options.Brutal.UpMbps * C.MbpsToBps),
+			ReceiveBPS: uint64(options.Brutal.DownMbps * C.MbpsToBps),
+		}
+		if brutalOptions.SendBPS < mux.BrutalMinSpeedBPS {
+			return nil, E.New("brutal: invalid upload speed")
+		}
+		if brutalOptions.ReceiveBPS < mux.BrutalMinSpeedBPS {
+			return nil, E.New("brutal: invalid download speed")
+		}
+	}
+	service, err := mux.NewService(mux.ServiceOptions{
+		NewStreamContext: func(ctx context.Context, conn net.Conn) context.Context {
+			return log.ContextWithNewID(ctx)
+		},
+		Logger:  logger,
+		Handler: adapter.NewRouteContextHandler(router, logger),
+		Padding: options.Padding,
+		Brutal:  brutalOptions,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &Router{router, service}, nil
+}
+
+func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
+	if metadata.Destination == mux.Destination {
+		return r.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, adapter.UpstreamMetadata(metadata))
+	} else {
+		return r.router.RouteConnection(ctx, conn, metadata)
+	}
+}
+
+func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
+	return r.router.RoutePacketConnection(ctx, conn, metadata)
+}
--- a/common/mux/v2ray_legacy.go
+++ b/common/mux/v2ray_legacy.go
@ -0,0 +1,32 @@
+package mux
+
+import (
+	"context"
+	"net"
+
+	"github.com/sagernet/sing-box/adapter"
+	vmess "github.com/sagernet/sing-vmess"
+	"github.com/sagernet/sing/common/logger"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type V2RayLegacyRouter struct {
+	router adapter.ConnectionRouter
+	logger logger.ContextLogger
+}
+
+func NewV2RayLegacyRouter(router adapter.ConnectionRouter, logger logger.ContextLogger) adapter.ConnectionRouter {
+	return &V2RayLegacyRouter{router, logger}
+}
+
+func (r *V2RayLegacyRouter) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
+	if metadata.Destination.Fqdn == vmess.MuxDestination.Fqdn {
+		r.logger.InfoContext(ctx, "inbound legacy multiplex connection")
+		return vmess.HandleMuxConnection(ctx, conn, adapter.NewRouteHandler(metadata, r.router, r.logger))
+	}
+	return r.router.RouteConnection(ctx, conn, metadata)
+}
+
+func (r *V2RayLegacyRouter) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
+	return r.router.RoutePacketConnection(ctx, conn, metadata)
+}
--- a/common/uot/router.go
+++ b/common/uot/router.go
@ -0,0 +1,53 @@
+package uot
+
+import (
+	"context"
+	"net"
+	"net/netip"
+
+	"github.com/sagernet/sing-box/adapter"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/uot"
+)
+
+var _ adapter.ConnectionRouter = (*Router)(nil)
+
+type Router struct {
+	router adapter.ConnectionRouter
+	logger logger.ContextLogger
+}
+
+func NewRouter(router adapter.ConnectionRouter, logger logger.ContextLogger) *Router {
+	return &Router{router, logger}
+}
+
+func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
+	switch metadata.Destination.Fqdn {
+	case uot.MagicAddress:
+		request, err := uot.ReadRequest(conn)
+		if err != nil {
+			return E.Cause(err, "read UoT request")
+		}
+		if request.IsConnect {
+			r.logger.InfoContext(ctx, "inbound UoT connect connection to ", request.Destination)
+		} else {
+			r.logger.InfoContext(ctx, "inbound UoT connection to ", request.Destination)
+		}
+		metadata.Domain = metadata.Destination.Fqdn
+		metadata.Destination = request.Destination
+		return r.router.RoutePacketConnection(ctx, uot.NewConn(conn, *request), metadata)
+	case uot.LegacyMagicAddress:
+		r.logger.InfoContext(ctx, "inbound legacy UoT connection")
+		metadata.Domain = metadata.Destination.Fqdn
+		metadata.Destination = M.Socksaddr{Addr: netip.IPv4Unspecified()}
+		return r.RoutePacketConnection(ctx, uot.NewConn(conn, uot.Request{}), metadata)
+	}
+	return r.router.RouteConnection(ctx, conn, metadata)
+}
+
+func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
+	return r.router.RoutePacketConnection(ctx, conn, metadata)
+}
--- a/constant/speed.go
+++ b/constant/speed.go
@ -0,0 +1,3 @@
+package constant
+
+const MbpsToBps = 125000
--- a/constant/v2ray.go
+++ b/constant/v2ray.go
@ -1,8 +1,9 @@
 package constant

 const (
-	V2RayTransportTypeHTTP      = "http"
-	V2RayTransportTypeWebsocket = "ws"
-	V2RayTransportTypeQUIC      = "quic"
-	V2RayTransportTypeGRPC      = "grpc"
+	V2RayTransportTypeHTTP        = "http"
+	V2RayTransportTypeWebsocket   = "ws"
+	V2RayTransportTypeQUIC        = "quic"
+	V2RayTransportTypeGRPC        = "grpc"
+	V2RayTransportTypeHTTPUpgrade = "httpupgrade"
 )
--- a/docs/changelog.md
+++ b/docs/changelog.md
@ -1,21 +1,80 @@
+---
+icon: material/alert-decagram
+---
+
+# ChangeLog
+
+#### 1.7.0-rc.3
+
+* Fixes and improvements
+
+#### 1.7.0-rc.2
+
+* Fix missing UDP user context on TUIC/Hysteria2 inbounds
+* macOS: Add button for uninstall SystemExtension in the standalone graphical client
+
 #### 1.6.6

 * Fixes and improvements

+#### 1.7.0-rc.1
+
+* Fixes and improvements
+
+#### 1.7.0-beta.5
+
+* Update gVisor to 20231113.0
+* Fixes and improvements
+
+#### 1.7.0-beta.4
+
+* Add `wifi_ssid` and `wifi_bssid` route and DNS rules **1**
+* Fixes and improvements
+
+**1**:
+
+Only supported in graphical clients on Android and iOS.
+
+#### 1.7.0-beta.3
+
+* Fix zero TTL was incorrectly reset
+* Fixes and improvements
+
 #### 1.6.5

 * Fix crash if TUIC inbound authentication failed
 * Fixes and improvements

+#### 1.7.0-beta.2
+
+* Fix crash if TUIC inbound authentication failed
+* Update quic-go to v0.40.0
+* Fixes and improvements
+
 #### 1.6.4

 * Fixes and improvements

+#### 1.7.0-beta.1
+
+* Fixes and improvements
+
 #### 1.6.3

 * iOS/Android: Fix profile auto update
 * Fixes and improvements

+#### 1.7.0-alpha.11
+
+* iOS/Android: Fix profile auto update
+* Fixes and improvements
+
+#### 1.7.0-alpha.10
+
+* Fix tcp-brutal not working with TLS
+* Fix Android client not closing in some cases
+* Fixes and improvements
+
 #### 1.6.2

 * Fixes and improvements
@ -25,6 +84,34 @@
 * Our [Android client](/installation/clients/sfa) is now available in the Google Play Store ▶️
 * Fixes and improvements

+#### 1.7.0-alpha.6
+
+* Fixes and improvements
+
+#### 1.7.0-alpha.4
+
+* Migrate multiplex and UoT server to inbound **1**
+* Add TCP Brutal support for multiplex **2**
+
+**1**:
+
+Starting in 1.7.0, multiplexing support is no longer enabled by default and needs to be turned on explicitly in inbound options.
+
+**2**
+
+Hysteria Brutal Congestion Control Algorithm in TCP. A kernel module needs to be installed on the Linux server, see [TCP Brutal](/configuration/shared/tcp-brutal) for details.
+
+#### 1.7.0-alpha.3
+
+* Add [HTTPUpgrade V2Ray transport](/configuration/shared/v2ray-transport#HTTPUpgrade) support **1**
+* Fixes and improvements
+
+**1**:
+
+Introduced in V2Ray 5.10.0.
+
+The new HTTPUpgrade transport has better performance than WebSocket and is better suited for CDN abuse.
+
 #### 1.6.0

 * Fixes and improvements
@ -49,6 +136,23 @@ This update is intended to address the multi-send defects of the old implementat
 Based on discussions with the original author, the brutal CC and QUIC protocol parameters of
 the old protocol (Hysteria 1) have been updated to be consistent with Hysteria 2

+#### 1.7.0-alpha.2
+
+* Fix bugs introduced in 1.7.0-alpha.1
+
+#### 1.7.0-alpha.1
+
+* Add [exclude route support](/configuration/inbound/tun) for TUN inbound
+* Add `udp_disable_domain_unmapping` [inbound listen option](/configuration/shared/listen) **1**
+* Fixes and improvements
+
+**1**:
+
+If enabled, for UDP proxy requests addressed to a domain,
+the original packet address will be sent in the response instead of the mapped domain.
+
+This option is used for compatibility with clients that
+do not support receiving UDP packets with domain addresses, such as Surge.

 #### 1.5.5

@ -110,6 +214,24 @@ the old protocol (Hysteria 1) have been updated to be consistent with Hysteria 2
 * Update golang.org/x/net to v0.17.0
 * Fixes and improvements

+#### 1.6.0-beta.3
+
+* Update the legacy Hysteria protocol **1**
+* Fixes and improvements
+
+**1**
+
+Based on discussions with the original author, the brutal CC and QUIC protocol parameters of
+the old protocol (Hysteria 1) have been updated to be consistent with Hysteria 2
+
+#### 1.6.0-beta.2
+
+* Add TLS self sign key pair generate command
+* Update brutal congestion control for Hysteria2
+* Fix Clash cache crash on arm32 devices
+* Update golang.org/x/net to v0.17.0
+* Fixes and improvements
+
 #### 1.5.3

 * Fix compatibility with Android 14
--- a/docs/clients/android/features.md
+++ b/docs/clients/android/features.md
@ -0,0 +1,64 @@
+# :material-decagram: Features
+
+#### UI options
+
+* Display realtime network speed in the notification
+
+#### Service
+
+SFA allows you to run sing-box through ForegroundService or VpnService (when TUN is required).
+
+#### TUN
+
+SFA provides an unprivileged TUN implementation through Android VpnService.
+
+| TUN inbound option            | Available        | Note               |
+|-------------------------------|------------------|--------------------|
+| `interface_name`              | :material-close: | Managed by Android |
+| `inet4_address`               | :material-check: | /                  |
+| `inet6_address`               | :material-check: | /                  |
+| `mtu`                         | :material-check: | /                  |
+| `auto_route`                  | :material-check: | /                  |
+| `strict_route`                | :material-close: | Not implemented    |
+| `inet4_route_address`         | :material-check: | /                  |
+| `inet6_route_address`         | :material-check: | /                  |
+| `inet4_route_exclude_address` | :material-check: | /                  |
+| `inet6_route_exclude_address` | :material-check: | /                  |
+| `endpoint_independent_nat`    | :material-check: | /                  |
+| `stack`                       | :material-check: | /                  |
+| `include_interface`           | :material-close: | No permission      |
+| `exclude_interface`           | :material-close: | No permission      |
+| `include_uid`                 | :material-close: | No permission      |
+| `exclude_uid`                 | :material-close: | No permission      |
+| `include_android_user`        | :material-close: | No permission      |
+| `include_package`             | :material-check: | /                  |
+| `exclude_package`             | :material-check: | /                  |
+| `platform`                    | :material-check: | /                  |
+
+| Route/DNS rule option | Available        | Note                              |
+|-----------------------|------------------|-----------------------------------|
+| `process_name`        | :material-close: | No permission                     |
+| `process_path`        | :material-close: | No permission                     |
+| `package_name`        | :material-check: | /                                 |
+| `user`                | :material-close: | Use `package_name` instead        |
+| `user_id`             | :material-close: | Use `package_name` instead        |
+| `wifi_ssid`           | :material-check: | Fine location permission required |
+| `wifi_bssid`          | :material-check: | Fine location permission required |
+
+### Override
+
+Overrides profile configuration items with platform-specific values.
+
+#### Per-app proxy
+
+SFA allows you to select a list of Android apps that require proxying or bypassing in the graphical interface to
+override the `include_package` and `exclude_package` configuration items.
+
+In particular, the selector also provides the “China apps” scanning feature, providing Chinese users with an excellent
+experience to bypass apps that do not require a proxy. Specifically, by scanning China application or SDK
+characteristics through dex class path and other means, there will be almost no missed reports.
+
+### Chore
+
+* The working directory is located at `/sdcard/Android/data/io.nekohasekai.sfa/files` (External files directory)
+* Crash logs is located in `$working_directory/stderr.log`
--- a/docs/clients/android/index.md
+++ b/docs/clients/android/index.md
@ -0,0 +1,22 @@
+---
+icon: material/android
+---
+
+# sing-box for Android
+
+SFA allows users to manage and run local or remote sing-box configuration files, and provides
+platform-specific function implementation, such as TUN transparent proxy implementation.
+
+## :material-graph: Requirements
+
+* Android 5.0+
+
+## :material-download: Download
+
+* [Play Store](https://play.google.com/store/apps/details?id=io.nekohasekai.sfa)
+* [Play Store (Beta)](https://play.google.com/apps/testing/io.nekohasekai.sfa)
+* [GitHub Releases](https://github.com/SagerNet/sing-box/releases)
+
+## :material-source-repository: Source code
+
+* [GitHub](https://github.com/SagerNet/sing-box-for-android)
--- a/docs/clients/apple/features.md
+++ b/docs/clients/apple/features.md
@ -0,0 +1,52 @@
+# :material-decagram: Features
+
+#### UI options
+
+* Always On
+* Include All Networks (Proxy traffic for LAN and cellular services)
+* (Apple tvOS) Import profile from iPhone/iPad
+
+#### Service
+
+SFI/SFM/SFT allows you to run sing-box through NetworkExtension with Application Extension or System Extension.
+
+#### TUN
+
+SFI/SFM/SFT provides an unprivileged TUN implementation through NetworkExtension.
+
+| TUN inbound option            | Available | Note              |
+|-------------------------------|-----------|-------------------|
+| `interface_name`              | ✖️        | Managed by Darwin |
+| `inet4_address`               | ✔️        | /                 |
+| `inet6_address`               | ✔️        | /                 |
+| `mtu`                         | ✔️        | /                 |
+| `auto_route`                  | ✔️        | /                 |
+| `strict_route`                | ✖️        | Not implemented   |
+| `inet4_route_address`         | ✔️        | /                 |
+| `inet6_route_address`         | ✔️        | /                 |
+| `inet4_route_exclude_address` | ✔️        | /                 |
+| `inet6_route_exclude_address` | ✔️        | /                 |
+| `endpoint_independent_nat`    | ✔️        | /                 |
+| `stack`                       | ✔️        | /                 |
+| `include_interface`           | ✖️        | Not implemented   |
+| `exclude_interface`           | ✖️        | Not implemented   |
+| `include_uid`                 | ✖️        | Not implemented   |
+| `exclude_uid`                 | ✖️        | Not implemented   |
+| `include_android_user`        | ✖️        | Not implemented   |
+| `include_package`             | ✖️        | Not implemented   |
+| `exclude_package`             | ✖️        | Not implemented   |
+| `platform`                    | ✔️        | /                 |
+
+| Route/DNS rule option | Available        | Note                  |
+|-----------------------|------------------|-----------------------|
+| `process_name`        | :material-close: | No permission         |
+| `process_path`        | :material-close: | No permission         |
+| `package_name`        | :material-close: | /                     |
+| `user`                | :material-close: | No permission         |
+| `user_id`             | :material-close: | No permission         |
+| `wifi_ssid`           | :material-alert: | Only supported on iOS |
+| `wifi_bssid`          | :material-alert: | Only supported on iOS |
+
+### Chore
+
+* Crash logs is located in `Settings` -> `View Service Log`
--- a/docs/clients/apple/index.md
+++ b/docs/clients/apple/index.md
@ -0,0 +1,32 @@
+---
+icon: material/apple
+---
+
+# sing-box for Apple platforms
+
+SFI/SFM/SFT allows users to manage and run local or remote sing-box configuration files, and provides
+platform-specific function implementation, such as TUN transparent proxy implementation.
+
+## :material-graph: Requirements
+
+* iOS 15.0+ / macOS 13.0+ / Apple tvOS 17.0+
+* An Apple account outside of mainland China
+
+## :material-download: Download
+
+* [App Store](https://apps.apple.com/us/app/sing-box/id6451272673)
+* [TestFlight (Beta)](https://testflight.apple.com/join/AcqO44FH)
+
+## :material-file-download: Download (macOS standalone version)
+
+* [Homebrew Cask](https://formulae.brew.sh/cask/sfm)
+
+```bash
+brew install sfm
+```
+
+* [GitHub Releases](https://github.com/SagerNet/sing-box/releases)
+
+## :material-source-repository: Source code
+
+* [GitHub](https://github.com/SagerNet/sing-box-for-apple)
--- a/docs/clients/general.md
+++ b/docs/clients/general.md
@ -0,0 +1,63 @@
+---
+icon: material/pencil-ruler
+---
+
+# General
+
+Describes and explains the functions implemented uniformly by sing-box graphical clients.
+
+### Profile
+
+Profile describes a sing-box configuration file and its state.
+
+#### Local
+
+* Local Profile represents a local sing-box configuration with minimal state
+* The graphical client must provide an editor to modify configuration content
+
+#### iCloud (on iOS and macOS)
+
+* iCloud Profile represents a remote sing-box configuration with iCloud as the update source
+* The configuration file is stored in the sing-box folder under iCloud
+* The graphical client must provide an editor to modify configuration content
+
+#### Remote
+
+* Remote Profile represents a remote sing-box configuration with a URL as the update source.
+* The graphical client should provide a configuration content viewer
+* The graphical client must implement automatic profile update (default interval is 60 minutes) and HTTP Basic
+  authorization.
+
+At the same time, the graphical client must provide support for importing remote profiles
+through a specific URL Scheme. The URL is defined as follows:
+
+```
+sing-box://import-remote-profile?url=urlEncodedURL#urlEncodedName
+```
+
+### Dashboard
+
+While the sing-box service is running, the graphical client should provide a Dashboard interface to manage the service.
+
+#### Status
+
+Dashboard should display status information such as memory, connection, and traffic.
+
+#### Mode
+
+Dashboard should provide a Mode selector for switching when the configuration uses at least two `clash_mode` values.
+
+#### Groups
+
+When the configuration includes group outbounds (specifically, Selector or URLTest),
+the dashboard should provide a Group selector for status display or switching.
+
+### Chore
+
+#### Core
+
+Graphical clients should provide a Core region:
+
+* Display the current sing-box version
+* Provides a button to clean the working directory
+* Provides a memory limiter switch
--- a/docs/clients/index.md
+++ b/docs/clients/index.md
@ -0,0 +1,13 @@
+# :material-cellphone-link: Graphical Clients
+
+Maintained by Project S to provide a unified experience and platform-specific functionality.
+
+| Platform                              | Client                                  |
+|---------------------------------------|-----------------------------------------|
+| :material-android: Android            | [sing-box for Android](./android)       |
+| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple) |
+| :material-laptop: Desktop             | Working in progress                     |
+
+Some third-party projects that claim to use sing-box or use sing-box as a selling point are not listed here. The core
+motivation of the maintainers of such projects is to acquire more users, and even though they provide friendly VPN
+client features, the code is usually of poor quality and contains ads.
--- a/docs/clients/index.zh.md
+++ b/docs/clients/index.zh.md
@ -0,0 +1,12 @@
+# :material-cellphone-link: 图形界面客户端
+
+由 Project S 维护，提供统一的体验与平台特定的功能。
+
+| 平台                                    | 客户端                                     |
+|---------------------------------------|-----------------------------------------|
+| :material-android: Android            | [sing-box for Android](./android)       |
+| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple) |
+| :material-laptop: Desktop             | 施工中                                     |
+
+此处没有列出一些声称使用或以 sing-box 为卖点的第三方项目。此类项目维护者的动机是获得更多用户，即使它们提供友好的商业
+VPN 客户端功能， 但代码质量很差且包含广告。
--- a/docs/clients/privacy.md
+++ b/docs/clients/privacy.md
@ -0,0 +1,8 @@
+---
+icon: material/security
+---
+
+# Privacy policy
+
+sing-box and official graphics clients do not collect or share personal data,
+and the data generated by the software is always on your device.
--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@ -79,6 +79,12 @@
          1000
        ],
        "clash_mode": "direct",
+        "wifi_ssid": [
+          "My WIFI"
+        ],
+        "wifi_bssid": [
+          "00:00:00:00:00:00"
+        ],
        "invert": false,
        "outbound": [
          "direct"
@ -188,7 +194,7 @@ Match port range.

 #### process_name

-!!! error ""
+!!! quote ""

    Only supported on Linux, Windows, and macOS.

@ -196,7 +202,7 @@ Match process name.

 #### process_path

-!!! error ""
+!!! quote ""

    Only supported on Linux, Windows, and macOS.

@ -208,7 +214,7 @@ Match android package name.

 #### user

-!!! error ""
+!!! quote ""

    Only supported on Linux.

@ -216,7 +222,7 @@ Match user name.

 #### user_id

-!!! error ""
+!!! quote ""

    Only supported on Linux.

@ -226,6 +232,24 @@ Match user id.

 Match Clash mode.

+#### wifi_ssid
+
+<!-- md:version 1.7.0-beta.4 -->
+
+!!! quote ""
+
+    Only supported in graphical clients on Android and iOS.
+
+Match WiFi SSID.
+
+#### wifi_bssid
+
+!!! quote ""
+
+    Only supported in graphical clients on Android and iOS.
+
+Match WiFi BSSID.
+
 #### invert

 Invert match result.
--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@ -78,6 +78,12 @@
          1000
        ],
        "clash_mode": "direct",
+        "wifi_ssid": [
+          "My WIFI"
+        ],
+        "wifi_bssid": [
+          "00:00:00:00:00:00"
+        ],
        "invert": false,
        "outbound": [
          "direct"
@ -185,7 +191,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。

 #### process_name

-!!! error ""
+!!! quote ""

    仅支持 Linux、Windows 和 macOS.

@ -193,7 +199,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。

 #### process_path

-!!! error ""
+!!! quote ""

    仅支持 Linux、Windows 和 macOS.

@ -205,7 +211,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。

 #### user

-!!! error ""
+!!! quote ""

    仅支持 Linux。

@ -213,7 +219,7 @@ DNS 查询类型。值可以为整数或者类型名称字符串。

 #### user_id

-!!! error ""
+!!! quote ""

    仅支持 Linux。

@ -223,6 +229,22 @@ DNS 查询类型。值可以为整数或者类型名称字符串。

 匹配 Clash 模式。

+#### wifi_ssid
+
+!!! quote ""
+
+    仅在 Android 与 iOS 的图形客户端中支持。
+
+匹配 WiFi SSID。
+
+#### wifi_bssid
+
+!!! quote ""
+
+    仅在 Android 与 iOS 的图形客户端中支持。
+
+匹配 WiFi BSSID。
+
 #### invert

 反选匹配结果。
--- a/docs/configuration/dns/server.md
+++ b/docs/configuration/dns/server.md
@ -49,7 +49,7 @@ The address of the dns server.

 !!! warning ""

-    QUIC and HTTP3 transport is not included by default, see [Installation](/#installation).
+    QUIC and HTTP3 transport is not included by default, see [Installation](./#installation).

 !!! info ""

@ -57,7 +57,7 @@ The address of the dns server.

 !!! warning ""

-    DHCP transport is not included by default, see [Installation](/#installation).
+    DHCP transport is not included by default, see [Installation](./#installation).

 | RCode             | Description           | 
 |-------------------|-----------------------|
--- a/docs/configuration/experimental/index.md
+++ b/docs/configuration/experimental/index.md
@ -44,9 +44,9 @@

 ### Clash API Fields

-!!! error ""
+!!! quote ""

-    Clash API is not included by default, see [Installation](/#installation).
+    Clash API is not included by default, see [Installation](./#installation).

 #### external_controller

@ -110,9 +110,9 @@ If not empty, `store_selected` will use a separate store keyed by it.

 ### V2Ray API Fields

-!!! error ""
+!!! quote ""

-    V2Ray API is not included by default, see [Installation](/#installation).
+    V2Ray API is not included by default, see [Installation](./#installation).

 #### listen

--- a/docs/configuration/experimental/index.zh.md
+++ b/docs/configuration/experimental/index.zh.md
@ -44,7 +44,7 @@

 ### Clash API 字段

-!!! error ""
+!!! quote ""

    默认安装不包含 Clash API，参阅 [安装](/zh/#_2)。

@ -108,7 +108,7 @@ Clash 中的默认模式，默认使用 `Rule`。

 ### V2Ray API 字段

-!!! error ""
+!!! quote ""

    默认安装不包含 V2Ray API，参阅 [安装](/zh/#_2)。

--- a/docs/configuration/inbound/http.md
+++ b/docs/configuration/inbound/http.md
@ -36,7 +36,7 @@ No authentication required if empty.

 #### set_system_proxy

-!!! error ""
+!!! quote ""

    Only supported on Linux, Android, Windows, and macOS.

--- a/docs/configuration/inbound/http.zh.md
+++ b/docs/configuration/inbound/http.zh.md
@ -36,7 +36,7 @@ HTTP 用户

 #### set_system_proxy

-!!! error ""
+!!! quote ""

    仅支持 Linux、Android、Windows 和 macOS。

--- a/docs/configuration/inbound/hysteria.md
+++ b/docs/configuration/inbound/hysteria.md
@ -31,7 +31,7 @@

 !!! warning ""

-    QUIC, which is required by hysteria is not included by default, see [Installation](/#installation).
+    QUIC, which is required by hysteria is not included by default, see [Installation](./#installation).

 ### Listen Fields

--- a/docs/configuration/inbound/hysteria2.md
+++ b/docs/configuration/inbound/hysteria2.md
@ -4,8 +4,8 @@
 {
  "type": "hysteria2",
  "tag": "hy2-in",
-  
-  ... // Listen Fields
+  ...
+  // Listen Fields

  "up_mbps": 100,
  "down_mbps": 100,
@ -28,7 +28,14 @@

 !!! warning ""

-    QUIC, which is required by Hysteria2 is not included by default, see [Installation](/#installation).
+    QUIC, which is required by Hysteria2 is not included by default, see [Installation](./#installation).
+
+!!! warning "Difference from official Hysteria2"
+
+    The official program supports an authentication method called **userpass**,
+    which essentially uses a combination of `<username>:<password>` as the actual password,
+    while sing-box does not provide this alias.
+    To use sing-box with the official program, you need to fill in that combination as the actual password.

 ### Listen Fields

--- a/docs/configuration/inbound/hysteria2.zh.md
+++ b/docs/configuration/inbound/hysteria2.zh.md
@ -4,8 +4,8 @@
 {
  "type": "hysteria2",
  "tag": "hy2-in",
-  
-  ... // 监听字段
+  ...
+  // 监听字段

  "up_mbps": 100,
  "down_mbps": 100,
@ -30,6 +30,12 @@

    默认安装不包含被 Hysteria2 依赖的 QUIC，参阅 [安装](/zh/#_2)。

+!!! warning "与官方 Hysteria2 的区别"
+
+    官方程序支持一种名为 **userpass** 的验证方式，
+    本质上上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
+    要将 sing-box 与官方程序一起使用， 您需要填写该组合作为实际密码。
+
 ### 监听字段

 参阅 [监听字段](/zh/configuration/shared/listen/)。
@ -62,7 +68,7 @@ Hysteria 用户

 #### ignore_client_bandwidth

-命令客户端使用 BBR 流量控制算法而不是 Hysteria CC。
+命令客户端使用 BBR 拥塞控制算法而不是 Hysteria CC。

 与 `up_mbps` 和 `down_mbps` 冲突。

--- a/docs/configuration/inbound/mixed.md
+++ b/docs/configuration/inbound/mixed.md
@ -33,7 +33,7 @@ No authentication required if empty.

 #### set_system_proxy

-!!! error ""
+!!! quote ""

    Only supported on Linux, Android, Windows, and macOS.

--- a/docs/configuration/inbound/mixed.zh.md
+++ b/docs/configuration/inbound/mixed.zh.md
@ -33,7 +33,7 @@ SOCKS 和 HTTP 用户

 #### set_system_proxy

-!!! error ""
+!!! quote ""

    仅支持 Linux、Android、Windows 和 macOS。

--- a/docs/configuration/inbound/naive.md
+++ b/docs/configuration/inbound/naive.md
@ -20,7 +20,7 @@

 !!! warning ""

-    HTTP3 transport is not included by default, see [Installation](/#installation).
+    HTTP3 transport is not included by default, see [Installation](./#installation).

 ### Listen Fields

--- a/docs/configuration/inbound/redirect.md
+++ b/docs/configuration/inbound/redirect.md
@ -1,4 +1,4 @@
-!!! error ""
+!!! quote ""

    Only supported on Linux and macOS.

--- a/docs/configuration/inbound/redirect.zh.md
+++ b/docs/configuration/inbound/redirect.zh.md
@ -1,4 +1,4 @@
-!!! error ""
+!!! quote ""

    仅支持 Linux 和 macOS。

--- a/docs/configuration/inbound/shadowsocks.md
+++ b/docs/configuration/inbound/shadowsocks.md
@ -8,7 +8,8 @@
  ... // Listen Fields

  "method": "2022-blake3-aes-128-gcm",
-  "password": "8JCsPssfgS8tiRwiMlhARg=="
+  "password": "8JCsPssfgS8tiRwiMlhARg==",
+  "multiplex": {}
 }
 ```

@ -23,7 +24,8 @@
      "name": "sekai",
      "password": "PCD2Z4o12bKUoFa3cC97Hw=="
    }
-  ]
+  ],
+  "multiplex": {}
 }
 ```

@ -41,7 +43,8 @@
      "server_port": 8080,
      "password": "PCD2Z4o12bKUoFa3cC97Hw=="
    }
-  ]
+  ],
+  "multiplex": {}
 }
 ```

@ -82,3 +85,7 @@ Both if empty.
 | none          | /                                              |
 | 2022 methods  | `sing-box generate rand --base64 <Key Length>` |
 | other methods | any string                                     |
+
+#### multiplex
+
+See [Multiplex](/configuration/shared/multiplex#inbound) for details.
--- a/docs/configuration/inbound/shadowsocks.zh.md
+++ b/docs/configuration/inbound/shadowsocks.zh.md
@ -8,7 +8,8 @@
  ... // 监听字段

  "method": "2022-blake3-aes-128-gcm",
-  "password": "8JCsPssfgS8tiRwiMlhARg=="
+  "password": "8JCsPssfgS8tiRwiMlhARg==",
+  "multiplex": {}
 }
 ```

@ -23,7 +24,8 @@
      "name": "sekai",
      "password": "PCD2Z4o12bKUoFa3cC97Hw=="
    }
-  ]
+  ],
+  "multiplex": {}
 }
 ```

@ -41,7 +43,8 @@
      "server_port": 8080,
      "password": "PCD2Z4o12bKUoFa3cC97Hw=="
    }
-  ]
+  ],
+  "multiplex": {}
 }
 ```

@ -82,3 +85,7 @@ See [Listen Fields](/configuration/shared/listen) for details.
 | none          | /                                        |
 | 2022 methods  | `sing-box generate rand --base64 <密钥长度>` |
 | other methods | 任意字符串                                    |
+
+#### multiplex
+
+参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
--- a/docs/configuration/inbound/tproxy.md
+++ b/docs/configuration/inbound/tproxy.md
@ -1,4 +1,4 @@
-!!! error ""
+!!! quote ""

    Only supported on Linux.

--- a/docs/configuration/inbound/tproxy.zh.md
+++ b/docs/configuration/inbound/tproxy.zh.md
@ -1,4 +1,4 @@
-!!! error ""
+!!! quote ""

    仅支持 Linux。

--- a/docs/configuration/inbound/trojan.md
+++ b/docs/configuration/inbound/trojan.md
@ -24,6 +24,7 @@
      "server_port": 8081
    }
  },
+  "multiplex": {},
  "transport": {}
 }
 ```
@ -46,7 +47,7 @@ TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

 #### fallback

-!!! error ""
+!!! quote ""

    There is no evidence that GFW detects and blocks Trojan servers based on HTTP responses, and opening the standard http/s port on the server is a much bigger signature.

@ -58,6 +59,10 @@ Fallback server configuration for specified ALPN.

 If not empty, TLS fallback requests with ALPN not in this table will be rejected.

+#### multiplex
+
+See [Multiplex](/configuration/shared/multiplex#inbound) for details.
+
 #### transport

 V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).
--- a/docs/configuration/inbound/trojan.zh.md
+++ b/docs/configuration/inbound/trojan.zh.md
@ -24,6 +24,7 @@
      "server_port": 8081
    }
  },
+  "multiplex": {},
  "transport": {}
 }
 ```
@ -48,7 +49,7 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 #### fallback

-!!! error ""
+!!! quote ""

    没有证据表明 GFW 基于 HTTP 响应检测并阻止 Trojan 服务器，并且在服务器上打开标准 http/s 端口是一个更大的特征。

@ -60,6 +61,10 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 如果不为空，ALPN 不在此列表中的 TLS 回退请求将被拒绝。

+#### multiplex
+
+参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
+
 #### transport

 V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。
--- a/docs/configuration/inbound/tuic.md
+++ b/docs/configuration/inbound/tuic.md
@ -24,7 +24,7 @@

 !!! warning ""

-    QUIC, which is required by TUIC is not included by default, see [Installation](/#installation).
+    QUIC, which is required by TUIC is not included by default, see [Installation](./#installation).

 ### Listen Fields

--- a/docs/configuration/inbound/tuic.zh.md
+++ b/docs/configuration/inbound/tuic.zh.md
@ -48,7 +48,7 @@ TUIC 用户密码

 #### congestion_control

-QUIC 流量控制算法
+QUIC 拥塞控制算法

 可选值: `cubic`, `new_reno`, `bbr`

--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@ -1,4 +1,4 @@
-!!! error ""
+!!! quote ""

    Only supported on Linux, Windows and macOS.

@ -22,6 +22,12 @@
    "::/1",
    "8000::/1"
  ],
+  "inet4_route_exclude_address": [
+    "192.168.0.0/16"
+  ],
+  "inet6_route_exclude_address": [
+    "fc00::/7"
+  ],
  "endpoint_independent_nat": false,
  "stack": "system",
  "include_interface": [
@ -96,7 +102,7 @@ The maximum transmission unit.

 Set the default route to the Tun.

-!!! error ""
+!!! quote ""

    To avoid traffic loopback, set `route.auto_detect_interface` or `route.default_interface` or `outbound.bind_interface`

@ -130,6 +136,14 @@ Use custom routes instead of default when `auto_route` is enabled.

 Use custom routes instead of default when `auto_route` is enabled.

+#### inet4_route_exclude_address
+
+Exclude custom routes when `auto_route` is enabled.
+
+#### inet6_route_exclude_address
+
+Exclude custom routes when `auto_route` is enabled.
+
 #### endpoint_independent_nat

 !!! info ""
@ -157,11 +171,11 @@ TCP/IP stack.

 !!! warning ""

-    gVisor and LWIP stacks is not included by default, see [Installation](/#installation).
+    gVisor and LWIP stacks is not included by default, see [Installation](./#installation).

 #### include_interface

-!!! error ""
+!!! quote ""

    Interface rules are only supported on Linux and require auto_route.

@ -177,7 +191,7 @@ Conflict with `include_interface`.

 #### include_uid

-!!! error ""
+!!! quote ""

    UID rules are only supported on Linux and require auto_route.

@ -197,7 +211,7 @@ Exclude users in route, but in range.

 #### include_android_user

-!!! error ""
+!!! quote ""

    Android user and package rules are only supported on Android and require auto_route.

--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@ -1,4 +1,4 @@
-!!! error ""
+!!! quote ""

    仅支持 Linux、Windows 和 macOS。

@ -22,6 +22,12 @@
    "::/1",
    "8000::/1"
  ],
+  "inet4_route_exclude_address": [
+    "192.168.0.0/16"
+  ],
+  "inet6_route_exclude_address": [
+    "fc00::/7"
+  ],
  "endpoint_independent_nat": false,
  "stack": "system",
  "include_interface": [
@ -96,7 +102,7 @@ tun 接口的 IPv6 前缀。

 设置到 Tun 的默认路由。

-!!! error ""
+!!! quote ""

    为避免流量环回，请设置 `route.auto_detect_interface` 或 `route.default_interface` 或 `outbound.bind_interface`。

@ -131,6 +137,14 @@ tun 接口的 IPv6 前缀。

 启用 `auto_route` 时使用自定义路由而不是默认路由。

+#### inet4_route_exclude_address
+
+启用 `auto_route` 时排除自定义路由。
+
+#### inet6_route_exclude_address
+
+启用 `auto_route` 时排除自定义路由。
+
 #### endpoint_independent_nat

 启用独立于端点的 NAT。
@ -157,7 +171,7 @@ TCP/IP 栈。

 #### include_interface

-!!! error ""
+!!! quote ""

    接口规则仅在 Linux 下被支持，并且需要 `auto_route`。

@ -173,7 +187,7 @@ TCP/IP 栈。

 #### include_uid

-!!! error ""
+!!! quote ""

    UID 规则仅在 Linux 下被支持，并且需要 `auto_route`。

@ -193,7 +207,7 @@ TCP/IP 栈。

 #### include_android_user

-!!! error ""
+!!! quote ""

    Android 用户和应用规则仅在 Android 下被支持，并且需要 `auto_route`。

--- a/docs/configuration/inbound/vless.md
+++ b/docs/configuration/inbound/vless.md
@ -15,6 +15,7 @@
    }
  ],
  "tls": {},
+  "multiplex": {},
  "transport": {}
 }
 ```
@ -49,6 +50,10 @@ Available values:

 TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

+#### multiplex
+
+See [Multiplex](/configuration/shared/multiplex#inbound) for details.
+
 #### transport

 V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).
--- a/docs/configuration/inbound/vless.zh.md
+++ b/docs/configuration/inbound/vless.zh.md
@ -15,6 +15,7 @@
    }
  ],
  "tls": {},
+  "multiplex": {},
  "transport": {}
 }
 ```
@ -49,6 +50,10 @@ VLESS 子协议。

 TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

+#### multiplex
+
+参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
+
 #### transport

 V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。
--- a/docs/configuration/inbound/vmess.md
+++ b/docs/configuration/inbound/vmess.md
@ -15,6 +15,7 @@
    }
  ],
  "tls": {},
+  "multiplex": {},
  "transport": {}
 }
 ```
@ -44,6 +45,10 @@ VMess users.

 TLS configuration, see [TLS](/configuration/shared/tls/#inbound).

+#### multiplex
+
+See [Multiplex](/configuration/shared/multiplex#inbound) for details.
+
 #### transport

 V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).
--- a/docs/configuration/inbound/vmess.zh.md
+++ b/docs/configuration/inbound/vmess.zh.md
@ -15,6 +15,7 @@
    }
  ],
  "tls": {},
+  "multiplex": {},
  "transport": {}
 }
 ```
@ -44,6 +45,10 @@ VMess 用户。

 TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

+#### multiplex
+
+参阅 [多路复用](/zh/configuration/shared/multiplex#inbound)。
+
 #### transport

 V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。
--- a/docs/configuration/outbound/hysteria.md
+++ b/docs/configuration/outbound/hysteria.md
@ -26,7 +26,7 @@

 !!! warning ""

-    QUIC, which is required by hysteria is not included by default, see [Installation](/#installation).
+    QUIC, which is required by hysteria is not included by default, see [Installation](./#installation).

 ### Fields

--- a/docs/configuration/outbound/hysteria2.md
+++ b/docs/configuration/outbound/hysteria2.md
@ -24,7 +24,15 @@

 !!! warning ""

-    QUIC, which is required by Hysteria2 is not included by default, see [Installation](/#installation).
+    QUIC, which is required by Hysteria2 is not included by default, see [Installation](./#installation).
+
+!!! warning "Difference from official Hysteria2"
+
+    The official Hysteria2 supports an authentication method called **userpass**,
+    which essentially uses a combination of `<username>:<password>` as the actual password,
+    while sing-box does not provide this alias.
+    If you are planning to use sing-box with the official program,
+    please note that you will need to fill the combination as the password.

 ### Fields

--- a/docs/configuration/outbound/hysteria2.zh.md
+++ b/docs/configuration/outbound/hysteria2.zh.md
@ -26,6 +26,12 @@

    默认安装不包含被 Hysteria2 依赖的 QUIC，参阅 [安装](/zh/#_2)。

+!!! warning "与官方 Hysteria2 的区别"
+
+    官方程序支持一种名为 **userpass** 的验证方式，
+    本质上上是将用户名与密码的组合 `<username>:<password>` 作为实际上的密码，而 sing-box 不提供此别名。
+    要将 sing-box 与官方程序一起使用， 您需要填写该组合作为实际密码。
+
 ### 字段

 #### server
@ -44,7 +50,7 @@

 最大带宽。

-如果为空，将使用 BBR 流量控制算法而不是 Hysteria CC。
+如果为空，将使用 BBR 拥塞控制算法而不是 Hysteria CC。

 #### obfs.type

--- a/docs/configuration/outbound/selector.md
+++ b/docs/configuration/outbound/selector.md
@ -15,7 +15,7 @@
 }
 ```

-!!! error ""
+!!! quote ""

    The selector can only be controlled through the [Clash API](/configuration/experimental#clash-api-fields) currently.

--- a/docs/configuration/outbound/selector.zh.md
+++ b/docs/configuration/outbound/selector.zh.md
@ -15,7 +15,7 @@
 }
 ```

-!!! error ""
+!!! quote ""

    选择器目前只能通过 [Clash API](/zh/configuration/experimental#clash-api) 来控制。

--- a/docs/configuration/outbound/shadowsocks.md
+++ b/docs/configuration/outbound/shadowsocks.md
@ -95,7 +95,7 @@ Conflict with `multiplex`.

 #### multiplex

-Multiplex configuration, see [Multiplex](/configuration/shared/multiplex).
+See [Multiplex](/configuration/shared/multiplex#outbound) for details.

 ### Dial Fields

--- a/docs/configuration/outbound/shadowsocks.zh.md
+++ b/docs/configuration/outbound/shadowsocks.zh.md
@ -95,7 +95,7 @@ UDP over TCP 配置。

 #### multiplex

-多路复用配置, 参阅 [多路复用](/zh/configuration/shared/multiplex)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。

 ### 拨号字段

--- a/docs/configuration/outbound/shadowsocksr.md
+++ b/docs/configuration/outbound/shadowsocksr.md
@ -25,7 +25,7 @@

 !!! warning ""

-    ShadowsocksR is not included by default, see [Installation](/#installation).
+    ShadowsocksR is not included by default, see [Installation](./#installation).

 ### Fields

--- a/docs/configuration/outbound/tor.md
+++ b/docs/configuration/outbound/tor.md
@ -18,7 +18,7 @@

 !!! info ""

-    Embedded tor is not included by default, see [Installation](/#installation).
+    Embedded tor is not included by default, see [Installation](./#installation).

 ### Fields

--- a/docs/configuration/outbound/trojan.md
+++ b/docs/configuration/outbound/trojan.md
@ -51,7 +51,7 @@ TLS configuration, see [TLS](/configuration/shared/tls/#outbound).

 #### multiplex

-Multiplex configuration, see [Multiplex](/configuration/shared/multiplex).
+See [Multiplex](/configuration/shared/multiplex#outbound) for details.

 #### transport

--- a/docs/configuration/outbound/trojan.zh.md
+++ b/docs/configuration/outbound/trojan.zh.md
@ -51,7 +51,7 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。

 #### multiplex

-多路复用配置, 参阅 [多路复用](/zh/configuration/shared/multiplex)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。

 #### transport

--- a/docs/configuration/outbound/tuic.md
+++ b/docs/configuration/outbound/tuic.md
@ -23,7 +23,7 @@

 !!! warning ""

-    QUIC, which is required by TUIC is not included by default, see [Installation](/#installation).
+    QUIC, which is required by TUIC is not included by default, see [Installation](./#installation).

 ### Fields

--- a/docs/configuration/outbound/tuic.zh.md
+++ b/docs/configuration/outbound/tuic.zh.md
@ -51,7 +51,7 @@ TUIC 用户密码

 #### congestion_control

-QUIC 流量控制算法
+QUIC 拥塞控制算法

 可选值: `cubic`, `new_reno`, `bbr`

--- a/docs/configuration/outbound/vless.md
+++ b/docs/configuration/outbound/vless.md
@ -12,6 +12,7 @@
  "network": "tcp",
  "tls": {},
  "packet_encoding": "",
+  "multiplex": {},
  "transport": {},

  ... // Dial Fields
@ -68,6 +69,10 @@ UDP packet encoding, xudp is used by default.
 | packetaddr | Supported by v2ray 5+ |
 | xudp       | Supported by xray     |

+#### multiplex
+
+See [Multiplex](/configuration/shared/multiplex#outbound) for details.
+
 #### transport

 V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).
--- a/docs/configuration/outbound/vless.zh.md
+++ b/docs/configuration/outbound/vless.zh.md
@ -12,6 +12,7 @@
  "network": "tcp",
  "tls": {},
  "packet_encoding": "",
+  "multiplex": {},
  "transport": {},
  
  ... // 拨号字段
@ -68,6 +69,10 @@ UDP 包编码，默认使用 xudp。
 | packetaddr | 由 v2ray 5+ 支持 |
 | xudp       | 由 xray 支持     |

+#### multiplex
+
+参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。
+
 #### transport

 V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。
--- a/docs/configuration/outbound/vmess.md
+++ b/docs/configuration/outbound/vmess.md
@ -15,8 +15,8 @@
  "network": "tcp",
  "tls": {},
  "packet_encoding": "",
-  "multiplex": {},
  "transport": {},
+  "multiplex": {},

  ... // Dial Fields
 }
@ -96,7 +96,7 @@ UDP packet encoding.

 #### multiplex

-Multiplex configuration, see [Multiplex](/configuration/shared/multiplex).
+See [Multiplex](/configuration/shared/multiplex#outbound) for details.

 #### transport

--- a/docs/configuration/outbound/vmess.zh.md
+++ b/docs/configuration/outbound/vmess.zh.md
@ -96,7 +96,7 @@ UDP 包编码。

 #### multiplex

-多路复用配置, 参阅 [多路复用](/zh/configuration/shared/multiplex)。
+参阅 [多路复用](/zh/configuration/shared/multiplex#outbound)。

 #### transport

--- a/docs/configuration/outbound/wireguard.md
+++ b/docs/configuration/outbound/wireguard.md
@ -38,11 +38,11 @@

 !!! warning ""

-    WireGuard is not included by default, see [Installation](/#installation).
+    WireGuard is not included by default, see [Installation](./#installation).

 !!! warning ""

-    gVisor, which is required by the unprivileged WireGuard is not included by default, see [Installation](/#installation).
+    gVisor, which is required by the unprivileged WireGuard is not included by default, see [Installation](./#installation).

 ### Fields

--- a/docs/configuration/route/index.md
+++ b/docs/configuration/route/index.md
@ -31,7 +31,7 @@ Default outbound tag. the first outbound will be used if empty.

 #### auto_detect_interface

-!!! error ""
+!!! quote ""

    Only supported on Linux, Windows and macOS.

@ -41,7 +41,7 @@ Takes no effect if `outbound.bind_interface` is set.

 #### override_android_vpn

-!!! error ""
+!!! quote ""

    Only supported on Android.

@ -49,7 +49,7 @@ Accept Android VPN as upstream NIC when `auto_detect_interface` enabled.

 #### default_interface

-!!! error ""
+!!! quote ""

    Only supported on Linux, Windows and macOS.

@ -59,7 +59,7 @@ Takes no effect if `auto_detect_interface` is set.

 #### default_mark

-!!! error ""
+!!! quote ""

    Only supported on Linux.

--- a/docs/configuration/route/index.zh.md
+++ b/docs/configuration/route/index.zh.md
@ -32,7 +32,7 @@

 #### auto_detect_interface

-!!! error ""
+!!! quote ""

    仅支持 Linux、Windows 和 macOS。

@ -42,7 +42,7 @@

 #### override_android_vpn

-!!! error ""
+!!! quote ""

    仅支持 Android。

@ -50,7 +50,7 @@

 #### default_interface

-!!! error ""
+!!! quote ""

    仅支持 Linux、Windows 和 macOS。

@ -60,7 +60,7 @@

 #### default_mark

-!!! error ""
+!!! quote ""

    仅支持 Linux。

--- a/docs/configuration/route/rule.md
+++ b/docs/configuration/route/rule.md
@ -83,6 +83,12 @@
          1000
        ],
        "clash_mode": "direct",
+        "wifi_ssid": [
+          "My WIFI"
+        ],
+        "wifi_bssid": [
+          "00:00:00:00:00:00"
+        ],
        "invert": false,
        "outbound": "direct"
      },
@ -190,7 +196,7 @@ Match port range.

 #### process_name

-!!! error ""
+!!! quote ""

    Only supported on Linux, Windows, and macOS.

@ -198,7 +204,7 @@ Match process name.

 #### process_path

-!!! error ""
+!!! quote ""

    Only supported on Linux, Windows, and macOS.

@ -210,7 +216,7 @@ Match android package name.

 #### user

-!!! error ""
+!!! quote ""

    Only supported on Linux.

@ -218,7 +224,7 @@ Match user name.

 #### user_id

-!!! error ""
+!!! quote ""

    Only supported on Linux.

@ -228,6 +234,22 @@ Match user id.

 Match Clash mode.

+#### wifi_ssid
+
+!!! quote ""
+
+    Only supported in graphical clients on Android and iOS.
+
+Match WiFi SSID.
+
+#### wifi_bssid
+
+!!! quote ""
+
+    Only supported in graphical clients on Android and iOS.
+
+Match WiFi BSSID.
+
 #### invert

 Invert match result.
--- a/docs/configuration/route/rule.zh.md
+++ b/docs/configuration/route/rule.zh.md
@ -81,6 +81,12 @@
          1000
        ],
        "clash_mode": "direct",
+        "wifi_ssid": [
+          "My WIFI"
+        ],
+        "wifi_bssid": [
+          "00:00:00:00:00:00"
+        ],
        "invert": false,
        "outbound": "direct"
      },
@ -188,7 +194,7 @@

 #### process_name

-!!! error ""
+!!! quote ""

    仅支持 Linux、Windows 和 macOS。

@ -196,7 +202,7 @@

 #### process_path

-!!! error ""
+!!! quote ""

    仅支持 Linux、Windows 和 macOS.

@ -208,7 +214,7 @@

 #### user

-!!! error ""
+!!! quote ""

    仅支持 Linux.

@ -216,7 +222,7 @@

 #### user_id

-!!! error ""
+!!! quote ""

    仅支持 Linux.

@ -226,6 +232,22 @@

 匹配 Clash 模式。

+#### wifi_ssid
+
+!!! quote ""
+
+    仅在 Android 与 iOS 的图形客户端中支持。
+
+匹配 WiFi SSID。
+
+#### wifi_bssid
+
+!!! quote ""
+
+    仅在 Android 与 iOS 的图形客户端中支持。
+
+匹配 WiFi BSSID。
+
 #### invert

 反选匹配结果。
--- a/docs/configuration/shared/dial.md
+++ b/docs/configuration/shared/dial.md
@ -41,7 +41,7 @@ The IPv6 address to bind to.

 #### routing_mark

-!!! error ""
+!!! quote ""

    Only supported on Linux.

--- a/docs/configuration/shared/dial.zh.md
+++ b/docs/configuration/shared/dial.zh.md
@ -44,7 +44,7 @@

 #### routing_mark

-!!! error ""
+!!! quote ""

    仅支持 Linux。

--- a/docs/configuration/shared/listen.md
+++ b/docs/configuration/shared/listen.md
@ -7,28 +7,26 @@
  "tcp_fast_open": false,
  "tcp_multi_path": false,
  "udp_fragment": false,
+  "udp_timeout": 300,
+  "detour": "another-in",
  "sniff": false,
  "sniff_override_destination": false,
  "sniff_timeout": "300ms",
  "domain_strategy": "prefer_ipv6",
-  "udp_timeout": 300,
-  "proxy_protocol": false,
-  "proxy_protocol_accept_no_header": false,
-  "detour": "another-in"
+  "udp_disable_domain_unmapping": false
 }
 ```

 ### Fields

-| Field                             | Available Context                                                 |
-|-----------------------------------|-------------------------------------------------------------------|
-| `listen`                          | Needs to listen on TCP or UDP.                                    |
-| `listen_port`                     | Needs to listen on TCP or UDP.                                    |
-| `tcp_fast_open`                   | Needs to listen on TCP.                                           |
-| `tcp_multi_path`                  | Needs to listen on TCP.                                           |
-| `udp_timeout`                     | Needs to assemble UDP connections, currently Tun and Shadowsocks. |
-| `proxy_protocol`                  | Needs to listen on TCP.                                           |
-| `proxy_protocol_accept_no_header` | When `proxy_protocol` enabled                                     |
+| Field                          | Available Context                                                 |
+|--------------------------------|-------------------------------------------------------------------|
+| `listen`                       | Needs to listen on TCP or UDP.                                    |
+| `listen_port`                  | Needs to listen on TCP or UDP.                                    |
+| `tcp_fast_open`                | Needs to listen on TCP.                                           |
+| `tcp_multi_path`               | Needs to listen on TCP.                                           |
+| `udp_timeout`                  | Needs to assemble UDP connections, currently Tun and Shadowsocks. |
+| `udp_disable_domain_unmapping` | Needs to listen on UDP and accept domain UDP addresses.           |

 #### listen

@ -56,6 +54,16 @@ Enable TCP Multi Path.

 Enable UDP fragmentation.

+#### udp_timeout
+
+UDP NAT expiration time in seconds, default is 300 (5 minutes).
+
+#### detour
+
+If set, connections will be forwarded to the specified inbound.
+
+Requires target inbound support, see [Injectable](/configuration/inbound/#fields).
+
 #### sniff

 Enable sniffing.
@ -82,20 +90,10 @@ If set, the requested domain name will be resolved to IP before routing.

 If `sniff_override_destination` is in effect, its value will be taken as a fallback.

-#### udp_timeout
+#### udp_disable_domain_unmapping

-UDP NAT expiration time in seconds, default is 300 (5 minutes).
+If enabled, for UDP proxy requests addressed to a domain, 
+the original packet address will be sent in the response instead of the mapped domain.

-#### proxy_protocol
-
-Parse [Proxy Protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) in the connection header.
-
-#### proxy_protocol_accept_no_header
-
-Accept connections without Proxy Protocol header.
-
-#### detour
-
-If set, connections will be forwarded to the specified inbound.
-
-Requires target inbound support, see [Injectable](/configuration/inbound/#fields).
+This option is used for compatibility with clients that 
+do not support receiving UDP packets with domain addresses, such as Surge.
--- a/docs/configuration/shared/listen.zh.md
+++ b/docs/configuration/shared/listen.zh.md
@ -7,14 +7,13 @@
  "tcp_fast_open": false,
  "tcp_multi_path": false,
  "udp_fragment": false,
+  "udp_timeout": 300,
+  "detour": "another-in",
  "sniff": false,
  "sniff_override_destination": false,
  "sniff_timeout": "300ms",
  "domain_strategy": "prefer_ipv6",
-  "udp_timeout": 300,
-  "proxy_protocol": false,
-  "proxy_protocol_accept_no_header": false,
-  "detour": "another-in"
+  "udp_disable_domain_unmapping": false
 }
 ```

@ -26,8 +25,7 @@
 | `tcp_fast_open`                   | 需要监听 TCP。                           |
 | `tcp_multi_path`                  | 需要监听 TCP。                           |
 | `udp_timeout`                     | 需要组装 UDP 连接, 当前为 Tun 和 Shadowsocks。 |
-| `proxy_protocol`                  | 需要监听 TCP。                           |
-| `proxy_protocol_accept_no_header` | `proxy_protocol` 启用时                |
+| 

 ### 字段

@ -57,6 +55,16 @@

 启用 UDP 分段。

+#### udp_timeout
+
+UDP NAT 过期时间，以秒为单位，默认为 300（5 分钟）。
+
+#### detour
+
+如果设置，连接将被转发到指定的入站。
+
+需要目标入站支持，参阅 [注入支持](/zh/configuration/inbound/#_3)。
+
 #### sniff

 启用协议探测。
@ -83,20 +91,8 @@

 如果 `sniff_override_destination` 生效，它的值将作为后备。

-#### udp_timeout
+#### udp_disable_domain_unmapping

-UDP NAT 过期时间，以秒为单位，默认为 300（5 分钟）。
+如果启用，对于地址为域的 UDP 代理请求，将在响应中发送原始包地址而不是映射的域。

-#### proxy_protocol
-
-解析连接头中的 [代理协议](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)。
-
-#### proxy_protocol_accept_no_header
-
-接受没有代理协议标头的连接。
-
-#### detour
-
-如果设置，连接将被转发到指定的入站。
-
-需要目标入站支持，参阅 [注入支持](/zh/configuration/inbound/#_3)。
+此选项用于兼容不支持接收带有域地址的 UDP 包的客户端，如 Surge。
--- a/docs/configuration/shared/multiplex.md
+++ b/docs/configuration/shared/multiplex.md
@ -1,8 +1,14 @@
-### Server Requirements
+### Inbound

-`sing-box` :)
+```json
+{
+  "enabled": true,
+  "padding": false,
+  "brutal": {}
+}
+```

-### Structure
+### Outbound

 ```json
 {
@ -11,11 +17,27 @@
  "max_connections": 4,
  "min_streams": 4,
  "max_streams": 0,
-  "padding": false
+  "padding": false,
+  "brutal": {}
 }
 ```

-### Fields
+
+### Inbound Fields
+
+#### enabled
+
+Enable multiplex support.
+
+#### padding
+
+If enabled, non-padded connections will be rejected.
+
+#### brutal
+
+See [TCP Brutal](/configuration/shared/tcp-brutal) for details.
+
+### Outbound Fields

 #### enabled

@ -59,3 +81,6 @@ Conflict with `max_connections` and `min_streams`.

 Enable padding.

+#### brutal
+
+See [TCP Brutal](/configuration/shared/tcp-brutal) for details.
--- a/docs/configuration/shared/multiplex.zh.md
+++ b/docs/configuration/shared/multiplex.zh.md
@ -1,8 +1,14 @@
-### 服务器要求
+### 入站

-`sing-box` :)
+```json
+{
+  "enabled": true,
+  "padding": false,
+  "brutal": {}
+}
+```

-### 结构
+### 出站

 ```json
 {
@ -10,11 +16,27 @@
  "protocol": "smux",
  "max_connections": 4,
  "min_streams": 4,
-  "max_streams": 0
+  "max_streams": 0,
+  "padding": false,
+  "brutal": {}
 }
 ```

-### 字段
+### 入站字段
+
+#### enabled
+
+启用多路复用支持。
+
+#### padding
+
+如果启用，将拒绝非填充连接。
+
+#### brutal
+
+参阅 [TCP Brutal](/zh/configuration/shared/tcp-brutal)。
+
+### 出站字段

 #### enabled

@ -58,3 +80,6 @@

 启用填充。

+#### brutal
+
+参阅 [TCP Brutal](/zh/configuration/shared/tcp-brutal)。
--- a/docs/configuration/shared/tcp-brutal.md
+++ b/docs/configuration/shared/tcp-brutal.md
@ -0,0 +1,28 @@
+### Server Requirements
+
+* Linux
+* `brutal` congestion control algorithm kernel module installed
+
+See [tcp-brutal](https://github.com/apernet/tcp-brutal) for details.
+
+### Structure
+
+```json
+{
+  "enabled": true,
+  "up_mbps": 100,
+  "down_mbps": 100
+}
+```
+
+### Fields
+
+#### enabled
+
+Enable TCP Brutal congestion control algorithm。
+
+#### up_mbps, down_mbps
+
+==Required==
+
+Upload and download bandwidth, in Mbps.
--- a/docs/configuration/shared/tcp-brutal.zh.md
+++ b/docs/configuration/shared/tcp-brutal.zh.md
@ -0,0 +1,28 @@
+### 服务器要求
+
+* Linux
+* `brutal` 拥塞控制算法内核模块已安装
+
+参阅 [tcp-brutal](https://github.com/apernet/tcp-brutal)。
+
+### 结构
+
+```json
+{
+  "enabled": true,
+  "up_mbps": 100,
+  "down_mbps": 100
+}
+```
+
+### 字段
+
+#### enabled
+
+启用 TCP Brutal 拥塞控制算法。
+
+#### up_mbps, down_mbps
+
+==必填==
+
+上传和下载带宽，以 Mbps 为单位。
--- a/docs/configuration/shared/tls.md
+++ b/docs/configuration/shared/tls.md
@ -201,7 +201,7 @@ The path to the server private key, in PEM format.

 !!! warning ""

-    uTLS is not included by default, see [Installation](/#installation).
+    uTLS is not included by default, see [Installation](./#installation).

 !!! note ""

@ -228,7 +228,7 @@ Chrome fingerprint will be used if empty.

 !!! warning ""

-    ECH is not included by default, see [Installation](/#installation).
+    ECH is not included by default, see [Installation](./#installation).

 ECH (Encrypted Client Hello) is a TLS extension that allows a client to encrypt the first part of its ClientHello
 message.
@ -280,7 +280,7 @@ If empty, load from DNS will be attempted.

 !!! warning ""

-    ACME is not included by default, see [Installation](/#installation).
+    ACME is not included by default, see [Installation](./#installation).

 #### domain

@ -359,11 +359,11 @@ See [DNS01 Challenge Fields](/configuration/shared/dns01_challenge) for details.

 !!! warning ""

-    reality server is not included by default, see [Installation](/#installation).
+    reality server is not included by default, see [Installation](./#installation).

 !!! warning ""

-    uTLS, which is required by reality client is not included by default, see [Installation](/#installation).
+    uTLS, which is required by reality client is not included by default, see [Installation](./#installation).

 #### handshake

--- a/docs/configuration/shared/v2ray-transport.md
+++ b/docs/configuration/shared/v2ray-transport.md
@ -15,6 +15,7 @@ Available transports:
 * WebSocket
 * QUIC
 * gRPC
+* HTTPUpgrade

 !!! warning "Difference from v2ray-core"

@ -130,7 +131,7 @@ It needs to be consistent with the server.

 !!! warning ""

-    QUIC is not included by default, see [Installation](/#installation).
+    QUIC is not included by default, see [Installation](./#installation).

 !!! warning "Difference from v2ray-core"

@ -141,7 +142,7 @@ It needs to be consistent with the server.

 !!! note ""

-    standard gRPC has good compatibility but poor performance and is not included by default, see [Installation](/#installation).
+    standard gRPC has good compatibility but poor performance and is not included by default, see [Installation](./#installation).

 ```json
 {
@ -184,3 +185,32 @@ In standard gRPC client:
 If enabled, the client transport sends keepalive pings even with no active connections. If disabled, when there are no active connections, `idle_timeout` and `ping_timeout` will be ignored and no keepalive pings will be sent.

 Disabled by default.
+
+### HTTPUpgrade
+
+```json
+{
+  "type": "httpupgrade",
+  "host": "",
+  "path": "",
+  "headers": {}
+}
+```
+
+#### host
+
+Host domain.
+
+The server will verify if not empty.
+
+#### path
+
+Path of HTTP request.
+
+The server will verify if not empty.
+
+#### headers
+
+Extra headers of HTTP request.
+
+The server will write in response if not empty.
--- a/docs/configuration/shared/v2ray-transport.zh.md
+++ b/docs/configuration/shared/v2ray-transport.zh.md
@ -14,6 +14,7 @@ V2Ray Transport 是 v2ray 发明的一组私有协议，并污染了其他协议
 * WebSocket
 * QUIC
 * gRPC
+* HTTPUpgrade

 !!! warning "与 v2ray-core 的区别"

@ -183,3 +184,32 @@ gRPC 服务名称。
 如果启用，客户端传输即使没有活动连接也会发送 keepalive ping。如果禁用，则在没有活动连接时，将忽略 `idle_timeout` 和 `ping_timeout`，并且不会发送 keepalive ping。

 默认禁用。
+
+### HTTPUpgrade
+
+```json
+{
+  "type": "httpupgrade",
+  "host": "",
+  "path": "",
+  "headers": {}
+}
+```
+
+#### host
+
+主机域名。
+
+默认服务器将验证。
+
+#### path
+
+HTTP 请求路径
+
+默认服务器将验证。
+
+#### headers
+
+HTTP 请求的额外标头。
+
+默认服务器将写入响应。
--- a/docs/contributing/environment.md
+++ b/docs/contributing/environment.md
@ -1,50 +0,0 @@
-# Development environment
-
-#### For the documentation
-
-##### Setup
-
-You need to configure python3 and pip first.
-
-```shell
-pip install mkdocs-material mkdocs-static-i18n
-```
-
-##### Run the site locally
-
-```shell
-mkdocs serve
-```
-
-or
-
-```shell
-python3 -m mkdocs serve
-```
-
-#### For the project
-
-By default you have the latest Go installed (currently 1.19), and added `GOPATH/bin` to the PATH environment variable.
-
-##### Setup
-
-```shell
-make fmt_insalll
-make lint_install
-```
-
-This installs the formatting and lint tools, which can be used via `make fmt` and `make lint`.
-
-For ProtoBuffer changes, you also need `make proto_install` and `make proto`.
-
-##### Build binary to the project directory
-
-```shell
-make
-```
-
-##### Install binary to GOPATH/bin
-
-```shell
-make install
-```
--- a/docs/contributing/index.md
+++ b/docs/contributing/index.md
@ -1,17 +0,0 @@
-# Contributing to sing-box
-
-An introduction to contributing to the sing-box project.
-
-The sing-box project welcomes, and depends, on contributions from developers and users in the open source community.
-Contributions can be made in a number of ways, a few examples are:
-
-* Code patches via pull requests
-* Documentation improvements
-* Bug reports and patch reviews
-
-### Reporting an Issue?
-
-Please follow
-the [issue template](https://github.com/SagerNet/sing-box/issues/new?assignees=&labels=&template=bug_report.yml) to
-submit bugs. Always include **FULL** log content, especially if you don't understand the code that generates it.
-
--- a/docs/contributing/sub-projects.md
+++ b/docs/contributing/sub-projects.md
@ -1,67 +0,0 @@
-The sing-box uses the following projects which also need to be maintained:
-
-#### sing
-
-Link: [GitHub repository](https://github.com/SagerNet/sing)
-
-As a base tool library, there are no dependencies other than `golang.org/x/sys`.
-
-#### sing-dns
-
-Link: [GitHub repository](https://github.com/SagerNet/sing-dns)
-
-Handles DNS lookups and caching.
-
-#### sing-tun
-
-Link: [GitHub repository](https://github.com/SagerNet/sing-tun)
-
-Handle Tun traffic forwarding, configure routing, monitor network and routing.
-
-This library needs to periodically update its dependency gVisor (according to tags), including checking for changes to
-the used parts of the code and updating its usage. If you are involved in maintenance, you also need to check that if it
-works or contains memory leaks.
-
-#### sing-shadowsocks
-
-Link: [GitHub repository](https://github.com/SagerNet/sing-shadowsocks)
-
-Provides Shadowsocks client and server
-
-#### sing-vmess
-
-Link: [GitHub repository](https://github.com/SagerNet/sing-vmess)
-
-Provides VMess client and server
-
-#### netlink
-
-Link: [GitHub repository](https://github.com/SagerNet/netlink)
-
-Fork of `vishvananda/netlink`, with some rule fixes.
-
-The library needs to be updated with the upstream.
-
-#### quic-go
-
-Link: [GitHub repository](https://github.com/SagerNet/quic-go)
-
-Fork of `lucas-clemente/quic-go`  and `HyNetwork/quic-go`, contains quic flow control and other fixes used by Hysteria.
-
-Since the author of Hysteria does not follow the upstream updates in time, and the provided fork needs to use replace,
-we need to do this.
-
-The library needs to be updated with the upstream.
-
-#### smux
-
-Link: [GitHub repository](https://github.com/SagerNet/smux)
-
-Fork of `xtaci/smux`
-
-Modify the code to support the writev it uses internally and unify the buffer pool, which prevents it from allocating
-64k buffers for per connection and improves performance.
-
-Upstream doesn't seem to be updated anymore, maybe a replacement is needed.
-
-Note: while yamux is still actively maintained and better known, it seems to be less performant.
--- a/docs/deprecated.md
+++ b/docs/deprecated.md
@ -1,5 +1,11 @@
+---
+icon: material/delete-alert
+---
+
 # Deprecated Feature List

+### 1.6.0
+
 The following features will be marked deprecated in 1.5.0 and removed entirely in 1.6.0.

 #### ShadowsocksR
--- a/docs/deprecated.zh.md
+++ b/docs/deprecated.zh.md
@ -0,0 +1,17 @@
+---
+icon: material/delete-alert
+---
+
+# 废弃功能列表
+
+### 1.6.0
+
+下列功能已在 1.5.0 中标记为已弃用，并在 1.6.0 中完全删除。
+
+#### ShadowsocksR
+
+ShadowsocksR 支持从未默认启用，自从常用的黑产代理销售面板停止使用该协议，继续维护它是没有意义的。
+
+#### Proxy Protocol
+
+Proxy Protocol 支持由 Pull Request 添加，存在问题且仅由 HTTP 多路复用器（如 nginx）的后端使用，具有侵入性，对于代理目的毫无意义。
--- a/docs/examples/clash-api.md
+++ b/docs/examples/clash-api.md
@ -1,52 +0,0 @@
-```json
-{
-  "dns": {
-    "rules": [
-      {
-        "domain": [
-          "clash.razord.top",
-          "yacd.haishan.me"
-        ],
-        "server": "local"
-      },
-      {
-        "clash_mode": "direct",
-        "server": "local"
-      }
-    ]
-  },
-  "outbounds": [
-    {
-      "type": "selector",
-      "tag": "default",
-      "outbounds": [
-        "proxy-a",
-        "proxy-b"
-      ]
-    }
-  ],
-  "route": {
-    "rules": [
-      {
-        "clash_mode": "direct",
-        "outbound": "direct"
-      },
-      {
-        "domain": [
-          "clash.razord.top",
-          "yacd.haishan.me"
-        ],
-        "outbound": "direct"
-      }
-    ],
-    "final": "default"
-  },
-  "experimental": {
-    "clash_api": {
-      "external_controller": "127.0.0.1:9090",
-      "store_selected": true
-    }
-  }
-}
-
-```
--- a/docs/examples/dns-hijack.md
+++ b/docs/examples/dns-hijack.md
@ -1,65 +0,0 @@
-#### Sniff Mode
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "tun",
-      "inet4_address": "172.19.0.1/30",
-      "auto_route": true,
-      "sniff": true // required
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "direct"
-    },
-    {
-      "type": "dns",
-      "tag": "dns-out"
-    }
-  ],
-  "route": {
-    "rules": [
-      {
-        "protocol": "dns",
-        "outbound": "dns-out"
-      }
-    ],
-    "auto_detect_interface": true
-  }
-}
-```
-
-#### Port Mode
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "tun",
-      "inet4_address": "172.19.0.1/30",
-      "auto_route": true,
-      "sniff": true // not required
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "direct"
-    },
-    {
-      "type": "dns",
-      "tag": "dns-out"
-    }
-  ],
-  "route": {
-    "rules": [
-      {
-        "port": 53,
-        "outbound": "dns-out"
-      }
-    ],
-    "auto_detect_interface": true
-  }
-}
-```
--- a/docs/examples/dns-hijack.zh.md
+++ b/docs/examples/dns-hijack.zh.md
@ -1,65 +0,0 @@
-#### 探测模式
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "tun",
-      "inet4_address": "172.19.0.1/30",
-      "auto_route": true,
-      "sniff": true // 必须
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "direct"
-    },
-    {
-      "type": "dns",
-      "tag": "dns-out"
-    }
-  ],
-  "route": {
-    "rules": [
-      {
-        "protocol": "dns",
-        "outbound": "dns-out"
-      }
-    ],
-    "auto_detect_interface": true
-  }
-}
-```
-
-#### 端口模式
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "tun",
-      "inet4_address": "172.19.0.1/30",
-      "auto_route": true,
-      "sniff": true // 非必须
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "direct"
-    },
-    {
-      "type": "dns",
-      "tag": "dns-out"
-    }
-  ],
-  "route": {
-    "rules": [
-      {
-        "port": 53,
-        "outbound": "dns-out"
-      }
-    ],
-    "auto_detect_interface": true
-  }
-}
-```
--- a/docs/examples/fakeip.md
+++ b/docs/examples/fakeip.md
@ -1,106 +0,0 @@
-```json
-{
-  "dns": {
-    "servers": [
-      {
-        "tag": "google",
-        "address": "tls://8.8.8.8"
-      },
-      {
-        "tag": "local",
-        "address": "223.5.5.5",
-        "detour": "direct"
-      },
-      {
-        "tag": "remote",
-        "address": "fakeip"
-      },
-      {
-        "tag": "block",
-        "address": "rcode://success"
-      }
-    ],
-    "rules": [
-      {
-        "geosite": "category-ads-all",
-        "server": "block",
-        "disable_cache": true
-      },
-      {
-        "outbound": "any",
-        "server": "local"
-      },
-      {
-        "geosite": "cn",
-        "server": "local"
-      },
-      {
-        "query_type": [
-          "A",
-          "AAAA"
-        ],
-        "server": "remote"
-      }
-    ],
-    "fakeip": {
-      "enabled": true,
-      "inet4_range": "198.18.0.0/15",
-      "inet6_range": "fc00::/18"
-    },
-    "independent_cache": true,
-    "strategy": "ipv4_only"
-  },
-  "inbounds": [
-    {
-      "type": "tun",
-      "inet4_address": "172.19.0.1/30",
-      "auto_route": true,
-      "sniff": true,
-      "domain_strategy": "ipv4_only" // remove this line if you want to resolve the domain remotely (if the server is not sing-box, UDP may not work due to wrong behavior).
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "shadowsocks",
-      "tag": "proxy",
-      "server": "mydomain.com",
-      "server_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    },
-    {
-      "type": "direct",
-      "tag": "direct"
-    },
-    {
-      "type": "block",
-      "tag": "block"
-    },
-    {
-      "type": "dns",
-      "tag": "dns-out"
-    }
-  ],
-  "route": {
-    "rules": [
-      {
-        "protocol": "dns",
-        "outbound": "dns-out"
-      },
-      {
-        "geosite": "cn",
-        "geoip": [
-          "private",
-          "cn"
-        ],
-        "outbound": "direct"
-      },
-      {
-        "geosite": "category-ads-all",
-        "outbound": "block"
-      }
-    ],
-    "auto_detect_interface": true
-  }
-}
-```
--- a/docs/examples/fakeip.zh.md
+++ b/docs/examples/fakeip.zh.md
@ -1,106 +0,0 @@
-```json
-{
-  "dns": {
-    "servers": [
-      {
-        "tag": "google",
-        "address": "tls://8.8.8.8"
-      },
-      {
-        "tag": "local",
-        "address": "223.5.5.5",
-        "detour": "direct"
-      },
-      {
-        "tag": "remote",
-        "address": "fakeip"
-      },
-      {
-        "tag": "block",
-        "address": "rcode://success"
-      }
-    ],
-    "rules": [
-      {
-        "geosite": "category-ads-all",
-        "server": "block",
-        "disable_cache": true
-      },
-      {
-        "outbound": "any",
-        "server": "local"
-      },
-      {
-        "geosite": "cn",
-        "server": "local"
-      },
-      {
-        "query_type": [
-          "A",
-          "AAAA"
-        ],
-        "server": "remote"
-      }
-    ],
-    "fakeip": {
-      "enabled": true,
-      "inet4_range": "198.18.0.0/15",
-      "inet6_range": "fc00::/18"
-    },
-    "independent_cache": true,
-    "strategy": "ipv4_only"
-  },
-  "inbounds": [
-    {
-      "type": "tun",
-      "inet4_address": "172.19.0.1/30",
-      "auto_route": true,
-      "sniff": true,
-      "domain_strategy": "ipv4_only" // 如果您想在远程解析域，删除此行 (如果服务器程序不为 sing-box，可能由于错误的行为导致 UDP 无法使用)。
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "shadowsocks",
-      "tag": "proxy",
-      "server": "mydomain.com",
-      "server_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    },
-    {
-      "type": "direct",
-      "tag": "direct"
-    },
-    {
-      "type": "block",
-      "tag": "block"
-    },
-    {
-      "type": "dns",
-      "tag": "dns-out"
-    }
-  ],
-  "route": {
-    "rules": [
-      {
-        "protocol": "dns",
-        "outbound": "dns-out"
-      },
-      {
-        "geosite": "cn",
-        "geoip": [
-          "private",
-          "cn"
-        ],
-        "outbound": "direct"
-      },
-      {
-        "geosite": "category-ads-all",
-        "outbound": "block"
-      }
-    ],
-    "auto_detect_interface": true
-  }
-}
-```
--- a/docs/examples/index.md
+++ b/docs/examples/index.md
@ -1,11 +0,0 @@
-# Examples
-
-Configuration examples for sing-box.
-
-* [Linux Server Installation](./linux-server-installation)
-* [Tun](./tun)
-* [DNS Hijack](./dns-hijack.md)
-* [Shadowsocks](./shadowsocks)
-* [ShadowTLS](./shadowtls)
-* [Clash API](./clash-api)
-* [FakeIP](./fakeip)
--- a/docs/examples/index.zh.md
+++ b/docs/examples/index.zh.md
@ -1,11 +0,0 @@
-# 示例
-
-sing-box 的配置示例。
-
-* [Linux 服务器安装](./linux-server-installation)
-* [Tun](./tun)
-* [DNS 劫持](./dns-hijack.md)
-* [Shadowsocks](./shadowsocks)
-* [ShadowTLS](./shadowtls)
-* [Clash API](./clash-api)
-* [FakeIP](./fakeip)
--- a/docs/examples/linux-server-installation.md
+++ b/docs/examples/linux-server-installation.md
@ -1,38 +0,0 @@
-#### Requirements
-
-* Linux & Systemd
-* Git
-* C compiler environment
-
-#### Install
-
-```shell
-git clone -b main https://github.com/SagerNet/sing-box
-cd sing-box
-./release/local/install_go.sh # skip if you have golang already installed
-./release/local/install.sh
-```
-
-Edit configuration file in `/usr/local/etc/sing-box/config.json`
-
-```shell
-./release/local/enable.sh
-```
-
-#### Update
-
-```shell
-./release/local/update.sh
-```
-
-#### Other commands
-
-| Operation | Command                                       |
-|-----------|-----------------------------------------------|
-| Start     | `sudo systemctl start sing-box`               |
-| Stop      | `sudo systemctl stop sing-box`                |
-| Kill      | `sudo systemctl kill sing-box`                |
-| Restart   | `sudo systemctl restart sing-box`             |
-| Logs      | `sudo journalctl -u sing-box --output cat -e` |
-| New Logs  | `sudo journalctl -u sing-box --output cat -f` |
-| Uninstall | `./release/local/uninstall.sh`                |
--- a/docs/examples/linux-server-installation.zh.md
+++ b/docs/examples/linux-server-installation.zh.md
@ -1,38 +0,0 @@
-#### 依赖
-
-* Linux & Systemd
-* Git
-* C 编译器环境
-
-#### 安装
-
-```shell
-git clone -b main https://github.com/SagerNet/sing-box
-cd sing-box
-./release/local/install_go.sh # 如果已安装 golang 则跳过
-./release/local/install.sh
-```
-
-编辑配置文件 `/usr/local/etc/sing-box/config.json`
-
-```shell
-./release/local/enable.sh
-```
-
-#### 更新
-
-```shell
-./release/local/update.sh
-```
-
-#### 其他命令
-
-| 操作   | 命令                                            |
-|------|-----------------------------------------------|
-| 启动   | `sudo systemctl start sing-box`               |
-| 停止   | `sudo systemctl stop sing-box`                |
-| 强制停止 | `sudo systemctl kill sing-box`                |
-| 重启   | `sudo systemctl restart sing-box`             |
-| 查看日志 | `sudo journalctl -u sing-box --output cat -e` |
-| 实时日志 | `sudo journalctl -u sing-box --output cat -f` |
-| 卸载   | `./release/local/uninstall.sh`                |
--- a/docs/examples/shadowsocks.md
+++ b/docs/examples/shadowsocks.md
@ -1,163 +0,0 @@
-# Shadowsocks
-
-!!! warning ""
-
-    For censorship bypass usage in China, we recommend using UDP over TCP and disabling UDP on the server.
-
-## Single User
-
-#### Server
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "shadowsocks",
-      "listen": "::",
-      "listen_port": 8080,
-      "network": "tcp",
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    }
-  ]
-}
-```
-
-#### Client
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "mixed",
-      "listen": "::",
-      "listen_port": 2080
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "shadowsocks",
-      "server": "127.0.0.1",
-      "server_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg==",
-      "udp_over_tcp": true
-    }
-  ]
-}
-
-```
-
-## Multiple Users
-
-#### Server
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "shadowsocks",
-      "listen": "::",
-      "listen_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg==",
-      "users": [
-        {
-          "name": "sekai",
-          "password": "BXYxVUXJ9NgF7c7KPLQjkg=="
-        }
-      ]
-    }
-  ]
-}
-```
-
-#### Client
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "mixed",
-      "listen": "::",
-      "listen_port": 2080
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "shadowsocks",
-      "server": "127.0.0.1",
-      "server_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg==:BXYxVUXJ9NgF7c7KPLQjkg=="
-    }
-  ]
-}
-
-```
-
-## Relay
-
-#### Server
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "shadowsocks",
-      "listen": "::",
-      "listen_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    }
-  ]
-}
-```
-
-#### Relay
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "shadowsocks",
-      "listen": "::",
-      "listen_port": 8081,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "BXYxVUXJ9NgF7c7KPLQjkg==",
-      "destinations": [
-        {
-          "name": "my_server",
-          "password": "8JCsPssfgS8tiRwiMlhARg==",
-          "server": "127.0.0.1",
-          "server_port": 8080
-        }
-      ]
-    }
-  ]
-}
-```
-
-#### Client
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "mixed",
-      "listen": "::",
-      "listen_port": 2080
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "shadowsocks",
-      "server": "127.0.0.1",
-      "server_port": 8081,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg==:BXYxVUXJ9NgF7c7KPLQjkg=="
-    }
-  ]
-}
-
-```
--- a/docs/examples/shadowtls.md
+++ b/docs/examples/shadowtls.md
@ -1,70 +0,0 @@
-#### Server
-
-```json
-{
-  "inbounds": [
-    {
-      "type": "shadowtls",
-      "listen": "::",
-      "listen_port": 4443,
-      "version": 3,
-      "users": [
-        {
-          "name": "sekai",
-          "password": "8JCsPssfgS8tiRwiMlhARg=="
-        }
-      ],
-      "handshake": {
-        "server": "google.com",
-        "server_port": 443
-      },
-      "detour": "shadowsocks-in"
-    },
-    {
-      "type": "shadowsocks",
-      "tag": "shadowsocks-in",
-      "listen": "127.0.0.1",
-      "network": "tcp",
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    }
-  ]
-}
-```
-
-#### Client
-
-```json
-{
-  "outbounds": [
-    {
-      "type": "shadowsocks",
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg==",
-      "detour": "shadowtls-out",
-      "multiplex": {
-        "enabled": true,
-        "max_connections": 4,
-        "min_streams": 4
-      }
-      // or "udp_over_tcp": true
-    },
-    {
-      "type": "shadowtls",
-      "tag": "shadowtls-out",
-      "server": "127.0.0.1",
-      "server_port": 4443,
-      "version": 3,
-      "password": "8JCsPssfgS8tiRwiMlhARg==",
-      "tls": {
-        "enabled": true,
-        "server_name": "google.com",
-        "utls": {
-          "enabled": true,
-          "fingerprint": "chrome"
-        }
-      }
-    }
-  ]
-}
-```
--- a/docs/examples/tun.md
+++ b/docs/examples/tun.md
@ -1,89 +0,0 @@
-```json
-{
-  "dns": {
-    "servers": [
-      {
-        "tag": "google",
-        "address": "tls://8.8.8.8"
-      },
-      {
-        "tag": "local",
-        "address": "223.5.5.5",
-        "detour": "direct"
-      },
-      {
-        "tag": "block",
-        "address": "rcode://success"
-      }
-    ],
-    "rules": [
-      {
-        "geosite": "category-ads-all",
-        "server": "block",
-        "disable_cache": true
-      },
-      {
-        "outbound": "any",
-        "server": "local"
-      },
-      {
-        "geosite": "cn",
-        "server": "local"
-      }
-    ],
-    "strategy": "ipv4_only"
-  },
-  "inbounds": [
-    {
-      "type": "tun",
-      "inet4_address": "172.19.0.1/30",
-      "auto_route": true,
-      "strict_route": false,
-      "sniff": true
-    }
-  ],
-  "outbounds": [
-    {
-      "type": "shadowsocks",
-      "tag": "proxy",
-      "server": "mydomain.com",
-      "server_port": 8080,
-      "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    },
-    {
-      "type": "direct",
-      "tag": "direct"
-    },
-    {
-      "type": "block",
-      "tag": "block"
-    },
-    {
-      "type": "dns",
-      "tag": "dns-out"
-    }
-  ],
-  "route": {
-    "rules": [
-      {
-        "protocol": "dns",
-        "outbound": "dns-out"
-      },
-      {
-        "geosite": "cn",
-        "geoip": [
-          "private",
-          "cn"
-        ],
-        "outbound": "direct"
-      },
-      {
-        "geosite": "category-ads-all",
-        "outbound": "block"
-      }
-    ],
-    "auto_detect_interface": true
-  }
-}
-```
--- a/docs/faq/fakeip.md
+++ b/docs/faq/fakeip.md
@ -1,19 +0,0 @@
-# FakeIP
-
-FakeIP refers to a type of behavior in a program that simultaneously hijacks both DNS and connection requests. It
-responds to DNS requests with virtual results and restores mapping when accepting connections.
-
-#### Advantage
-
-*
-
-#### Limitation
-
-* Its mechanism breaks applications that depend on returning correct remote addresses.
-* Only A and AAAA (IP) requests are supported, which may break applications that rely on other requests.
-
-#### Recommendation
-
-* Enable `dns.independent_cache` unless you always resolve FakeIP domains remotely.
-* If using tun, make sure FakeIP ranges is included in the tun's routes.
-* Enable `experimental.clash_api.store_fakeip` to persist FakeIP records, or use `dns.rules.rewrite_ttl` to avoid losing records after program restart in DNS cached environments.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	0f643bf414	documentation: Bump version & Refactor docs	2023-11-24 23:01:50 +08:00
世界	a5cea605b2	Add `wifi_ssid` and `wifi_bssid` route and DNS rules	2023-11-24 23:01:50 +08:00
世界	4fcf29da96	Update quic-go to v0.40.0	2023-11-24 23:01:50 +08:00
世界	615e93b62b	Migrate multiplex and UoT server to inbound & Add tcp-brutal support for multiplex	2023-11-24 23:01:50 +08:00
世界	c9aa5992d1	Add support for v2ray http upgrade transport	2023-11-24 23:01:49 +08:00
世界	39517da2c9	Add exclude route support for tun & Update gVisor to 20231113.0	2023-11-24 23:01:49 +08:00
世界	a19fbbabc0	Add udp_disable_domain_unmapping inbound listen option	2023-11-24 23:01:49 +08:00
世界	41452efebb	Migrate to gobwas/ws	2023-11-24 23:01:49 +08:00