世界 3 лет назад
Сommit
ebf5cbf1b9

+ 1 - 1
constant/version.go

@@ -1,6 +1,6 @@
 package constant
 
 var (
-	Version = "1.1-beta1"
+	Version = "1.1-beta2"
 	Commit  = ""
 )

+ 25 - 0
docs/changelog.md

@@ -1,3 +1,28 @@
+#### 1.1-beta2
+
+* Add Clash mode and persistence support **1**
+* Add TLS ECH and uTLS support for outbound TLS options **2**
+* Fix socks4 request
+* Fix processing empty dns result
+
+*1*:
+
+Switching modes using the Clash API, and `store-selected` are now supported,
+see [Experimental](/configuration/experimental).
+
+*2*:
+
+ECH (Encrypted Client Hello) is a TLS extension that allows a client to encrypt the first part of its ClientHello
+message, see [TLS#ECH](/configuration/shared/tls#ech).
+
+uTLS is a fork of "crypto/tls", which provides ClientHello fingerprinting resistance,
+see [TLS#uTLS](/configuration/shared/tls#utls).
+
+#### 1.0.2
+
+* Fix socks4 request
+* Fix processing empty dns result
+
 #### 1.1-beta1
 
 * Add support for use with android VPNService **1**

+ 5 - 0
docs/configuration/dns/rule.md

@@ -73,6 +73,7 @@
         "user_id": [
           1000
         ],
+        "clash_mode": "direct",
         "invert": false,
         "outbound": [
           "direct"
@@ -208,6 +209,10 @@ Match user name.
 
 Match user id.
 
+#### clash_mode
+
+Match Clash mode.
+
 #### invert
 
 Invert match result.

+ 5 - 0
docs/configuration/dns/rule.zh.md

@@ -72,6 +72,7 @@
         "user_id": [
           1000
         ],
+        "clash_mode": "direct",
         "invert": false,
         "outbound": [
           "direct"
@@ -207,6 +208,10 @@
 
 匹配用户 ID。
 
+#### clash_mode
+
+匹配 Clash 模式。
+
 #### invert
 
 反选匹配结果。

+ 24 - 3
docs/configuration/experimental/index.md

@@ -8,7 +8,10 @@
     "clash_api": {
       "external_controller": "127.0.0.1:9090",
       "external_ui": "folder",
-      "secret": ""
+      "secret": "",
+      "default_mode": "rule",
+      "store_selected": false,
+      "cache_file": "cache.db"
     }
   }
 }
@@ -26,7 +29,7 @@
 
 #### external_controller
 
-RESTful web API listening address. Disabled if empty.
+RESTful web API listening address. Clash API will be disabled if empty.
 
 #### external_ui
 
@@ -38,4 +41,22 @@ serve it at `http://{{external-controller}}/ui`.
 
 Secret for the RESTful API (optional)
 Authenticate by spedifying HTTP header `Authorization: Bearer ${secret}`
-ALWAYS set a secret if RESTful API is listening on 0.0.0.0
+ALWAYS set a secret if RESTful API is listening on 0.0.0.0
+
+#### default_mode
+
+Default mode in clash, `rule` will be used if empty.
+
+This setting has no direct effect, but can be used in routing and DNS rules via the `clash_mode` rule item.
+
+#### store_selected
+
+!!! note ""
+
+    The tag must be set for target outbounds.
+
+Store selected outbound for the `Selector` outbound in cache file.
+
+#### cache_file
+
+Cache file path, `cache.db` will be used if empty.

+ 24 - 3
docs/configuration/experimental/index.zh.md

@@ -8,7 +8,10 @@
     "clash_api": {
       "external_controller": "127.0.0.1:9090",
       "external_ui": "folder",
-      "secret": ""
+      "secret": "",
+      "default_mode": "rule",
+      "store_selected": false,
+      "cache_file": "cache.db"
     }
   }
 }
@@ -26,7 +29,7 @@
 
 #### external_controller
 
-RESTful web API 监听地址。
+RESTful web API 监听地址。如果为空,则禁用 Clash API。
 
 #### external_ui
 
@@ -36,4 +39,22 @@ RESTful web API 监听地址。
 
 RESTful API 的密钥(可选)
 通过指定 HTTP 标头 `Authorization: Bearer ${secret}` 进行身份验证
-如果 RESTful API 正在监听 0.0.0.0,请始终设置一个密钥。
+如果 RESTful API 正在监听 0.0.0.0,请始终设置一个密钥。
+
+#### default_mode
+
+Clash 中的默认模式,默认使用 `rule`。
+
+此设置没有直接影响,但可以通过 `clash_mode` 规则项在路由和 DNS 规则中使用。
+
+#### store_selected
+
+!!! note ""
+
+    必须为目标出站设置标签。
+
+将 `Selector` 中出站的选定的目标出站存储在缓存文件中。
+
+#### cache_file
+
+缓存文件路径,默认使用`cache.db`。

+ 5 - 0
docs/configuration/route/rule.md

@@ -80,6 +80,7 @@
         "user_id": [
           1000
         ],
+        "clash_mode": "direct",
         "invert": false,
         "outbound": "direct"
       },
@@ -219,6 +220,10 @@ Match user name.
 
 Match user id.
 
+#### clash_mode
+
+Match Clash mode.
+
 #### invert
 
 Invert match result.

+ 5 - 0
docs/configuration/route/rule.zh.md

@@ -78,6 +78,7 @@
         "user_id": [
           1000
         ],
+        "clash_mode": "direct",
         "invert": false,
         "outbound": "direct"
       },
@@ -217,6 +218,10 @@
 
 匹配用户 ID。
 
+#### clash_mode
+
+匹配 Clash 模式。
+
 #### invert
 
 反选匹配结果。

+ 56 - 10
docs/configuration/shared/tls.md

@@ -30,10 +30,6 @@
 }
 ```
 
-!!! warning ""
-
-    ACME is not included by default, see [Installation](/#installation).
-
 ### Outbound
 
 ```json
@@ -47,7 +43,17 @@
   "max_version": "",
   "cipher_suites": [],
   "certificate": "",
-  "certificate_path": ""
+  "certificate_path": "",
+  "ech": {
+    "enabled": false,
+    "pq_signature_schemes_enabled": false,
+    "dynamic_record_sizing_disabled": false,
+    "config": ""
+  },
+  "utls": {
+    "enabled": false,
+    "fingerprint": ""
+  }
 }
 ```
 
@@ -155,8 +161,48 @@ The server private key, in PEM format.
 
 The path to the server private key, in PEM format.
 
+#### ech
+
+==Client only==
+
+!!! warning ""
+
+    ECH is not included by default, see [Installation](/#installation).
+
+ECH (Encrypted Client Hello) is a TLS extension that allows a client to encrypt the first part of its ClientHello
+message.
+
+If you don't know how to fill in the other configuration, just set `enabled`.
+
+#### utls
+
+==Client only==
+
+!!! warning ""
+
+    uTLS is not included by default, see [Installation](/#installation).
+
+!!! note ""
+
+    uTLS is poorly maintained and the effect may be unproven, use at your own risk.
+
+uTLS is a fork of "crypto/tls", which provides ClientHello fingerprinting resistance.
+
+Available fingerprint values:
+
+* chrome
+* firefox
+* ios
+* android
+* random
+
+
 ### ACME Fields
 
+!!! warning ""
+
+    ACME is not included by default, see [Installation](/#installation).
+
 #### domain
 
 List of domain.
@@ -205,10 +251,6 @@ listener for the HTTP challenge.
 The alternate port to use for the ACME TLS-ALPN challenge; the system must forward 443 to this port for challenge to
 succeed.
 
-### Reload
-
-For server configuration, certificate and key will be automatically reloaded if modified.
-
 #### external_account
 
 EAB (External Account Binding) contains information necessary to bind or map an ACME account to some other account known
@@ -226,4 +268,8 @@ The key identifier.
 
 #### external_account.mac_key
 
-The MAC key.
+The MAC key.
+
+### Reload
+
+For server configuration, certificate and key will be automatically reloaded if modified.

+ 55 - 10
docs/configuration/shared/tls.zh.md

@@ -30,10 +30,6 @@
 }
 ```
 
-!!! warning ""
-
-    默认安装不包含 ACME,参阅 [安装](/zh/#_2)。
-
 ### 出站
 
 ```json
@@ -47,7 +43,17 @@
   "max_version": "",
   "cipher_suites": [],
   "certificate": "",
-  "certificate_path": ""
+  "certificate_path": "",
+  "ech": {
+    "enabled": false,
+    "pq_signature_schemes_enabled": false,
+    "dynamic_record_sizing_disabled": false,
+    "config": ""
+  },
+  "utls": {
+    "enabled": false,
+    "fingerprint": ""
+  }
 }
 ```
 
@@ -155,8 +161,47 @@ TLS 版本值:
 
 服务器 PEM 私钥路径。
 
+#### ech
+
+==仅客户端==
+
+!!! warning ""
+
+    默认安装不包含 ECH, 参阅 [安装](/zh/#_2)。
+
+ECH (Encrypted Client Hello) 是一个 TLS 扩展,它允许客户端加密其 ClientHello 的第一部分
+信息。
+
+如果您不知道如何填写其他配置,只需设置 `enabled` 即可。
+
+#### utls
+
+==仅客户端==
+
+!!! warning ""
+
+    默认安装不包含 uTLS, 参阅 [安装](/zh/#_2)。
+
+!!! note ""
+
+    uTLS 维护不善且其效果可能未经证实,使用风险自负。
+
+uTLS 是 "crypto/tls" 的一个分支,它提供了 ClientHello 指纹识别阻力。
+
+可用的指纹值:
+
+* chrome
+* firefox
+* ios
+* android
+* random
+
 ### ACME 字段
 
+!!! warning ""
+
+    默认安装不包含 ACME,参阅 [安装](/zh/#_2)。
+
 #### domain
 
 一组域名。
@@ -203,10 +248,6 @@ ACME 数据目录。
 
 用于 ACME TLS-ALPN 质询的备用端口; 系统必须将 443 转发到此端口以使质询成功。
 
-### Reload
-
-对于服务器配置,如果修改,证书和密钥将自动重新加载。
-
 #### external_account
 
 EAB(外部帐户绑定)包含将 ACME 帐户绑定或映射到其他已知帐户所需的信息由 CA。
@@ -222,4 +263,8 @@ EAB(外部帐户绑定)包含将 ACME 帐户绑定或映射到其他已知
 
 #### external_account.mac_key
 
-MAC 密钥。
+MAC 密钥。
+
+### 重载
+
+对于服务器配置,如果修改,证书和密钥将自动重新加载。

+ 2 - 0
docs/index.md

@@ -27,6 +27,8 @@ go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@lat
 | `with_quic`                        | Build with QUIC support, see [QUIC and HTTP3 dns transports](./configuration/dns/server), [Naive inbound](./configuration/inbound/naive), [Hysteria Inbound](./configuration/inbound/hysteria), [Hysteria Outbound](./configuration/outbound/hysteria) and [V2Ray Transport#QUIC](./configuration/shared/v2ray-transport#quic). |
 | `with_grpc`                        | Build with standard gRPC support, see [V2Ray Transport#gRPC](./configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                      |
 | `with_wireguard`                   | Build with WireGuard support, see [WireGuard outbound](./configuration/outbound/wireguard).                                                                                                                                                                                                                                     |
+| `with_ech`                         | Build with TLS ECH extension support for TLS outbound, see [TLS](./configuration/shared/tls#ech).                                                                                                                                                                                                                               |
+| `with_utls`                        | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](./configuration/shared/tls#utls).                                                                                                                                                                                          |
 | `with_acme`                        | Build with ACME TLS certificate issuer support, see [TLS](./configuration/shared/tls).                                                                                                                                                                                                                                          |
 | `with_clash_api`                   | Build with Clash API support, see [Experimental](./configuration/experimental#clash-api-fields).                                                                                                                                                                                                                                |
 | `no_gvisor`                        | Build without gVisor Tun stack support, see [Tun inbound](./configuration/inbound/tun#stack).                                                                                                                                                                                                                                   |

+ 2 - 0
docs/index.zh.md

@@ -27,6 +27,8 @@ go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@lat
 | `with_quic`                  | 启用 QUIC 支持,参阅 [QUIC 和 HTTP3 DNS 传输层](./configuration/dns/server),[Naive 入站](./configuration/inbound/naive),[Hysteria 入站](./configuration/inbound/hysteria),[Hysteria 出站](./configuration/outbound/hysteria) 和 [V2Ray 传输层#QUIC](./configuration/shared/v2ray-transport#quic)。 |
 | `with_grpc`                  | 启用标准 gRPC 支持,参阅 [V2Ray 传输层#gRPC](./configuration/shared/v2ray-transport#grpc)。                                                                                                                                                                                               |
 | `with_wireguard`             | 启用 WireGuard 支持,参阅 [WireGuard 出站](./configuration/outbound/wireguard)。                                                                                                                                                                                                       |
+| `with_ech`                   | 启用 TLS ECH 扩展支持,参阅 [TLS](./configuration/shared/tls#ech)。                                                                                                                                                                                                                    |
+| `with_utls`                  | 启用 [uTLS](https://github.com/refraction-networking/utls) 支持, 参阅 [TLS](./configuration/shared/tls#utls)。                                                                                                                                                                      |
 | `with_acme`                  | 启用 ACME TLS 证书签发支持,参阅 [TLS](./configuration/shared/tls)。                                                                                                                                                                                                                     |
 | `with_clash_api`             | 启用 Clash api 支持,参阅 [实验性](./configuration/experimental#clash-api-fields)。                                                                                                                                                                                                     |
 | `no_gvisor`                  | 禁用 gVisor Tun 栈支持,参阅 [Tun 入站](./configuration/inbound/tun#stack)。                                                                                                                                                                                                            |