Add hysteria and acme TLS certificate issuer (#18)

* Add hysteria client/server
* Add acme TLS certificate issuer

docs/configuration/inbound/hysteria.md

@@ -0,0 +1,138 @@
+### Structure
+
+```json
+{
+  "inbounds": [
+    {
+      "type": "hysteria",
+      "tag": "hysteria-in",
+      
+      "listen": "::",
+      "listen_port": 443,
+      "sniff": false,
+      "sniff_override_destination": false,
+      "domain_strategy": "prefer_ipv6",
+      
+      "up": "100 Mbps",
+      "up_mbps": 100,
+      "down": "100 Mbps",
+      "down_mbps": 100,
+      "obfs": "fuck me till the daylight",
+      "auth": "",
+      "auth_str": "password",
+      "recv_window_conn": 0,
+      "recv_window_client": 0,
+      "max_conn_client": 0,
+      "disable_mtu_discovery": false,
+      "tls": {}
+    }
+  ]
+}
+```
+
+!!! warning ""
+
+    QUIC, which is required by hysteria is not included by default, see [Installation](/#Installation).
+
+### Listen Fields
+
+#### listen
+
+==Required==
+
+Listen address.
+
+#### listen_port
+
+==Required==
+
+Listen port.
+
+#### sniff
+
+Enable sniffing.
+
+See [Sniff](/configuration/route/sniff/) for details.
+
+#### sniff_override_destination
+
+Override the connection destination address with the sniffed domain.
+
+If the domain name is invalid (like tor), this will not work.
+
+#### domain_strategy
+
+One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
+
+If set, the requested domain name will be resolved to IP before routing.
+
+If `sniff_override_destination` is in effect, its value will be taken as a fallback.
+
+### Hysteria Fields
+
+#### up, down
+
+==Required==
+
+Format: `[Integer] [Unit]` e.g. `100 Mbps, 640 KBps, 2 Gbps`
+
+Supported units (case sensitive, b = bits, B = bytes, 8b=1B):
+
+    bps (bits per second)
+    Bps (bytes per second)
+    Kbps (kilobits per second)
+    KBps (kilobytes per second)
+    Mbps (megabits per second)
+    MBps (megabytes per second)
+    Gbps (gigabits per second)
+    GBps (gigabytes per second)
+    Tbps (terabits per second)
+    TBps (terabytes per second)
+
+#### up_mbps, down_mbps
+
+==Required==
+
+`up, down` in Mbps.
+
+#### obfs
+
+Obfuscated password.
+
+#### auth
+
+Authentication password, in base64.
+
+#### auth_str
+
+Authentication password.
+
+#### recv_window_conn
+
+The QUIC stream-level flow control window for receiving data.
+
+`15728640 (15 MB/s)` will be used if empty.
+
+#### recv_window_client
+
+The QUIC connection-level flow control window for receiving data.
+
+`67108864 (64 MB/s)` will be used if empty.
+
+#### max_conn_client
+
+The maximum number of QUIC concurrent bidirectional streams that a peer is allowed to open.
+
+`1024` will be used if empty.
+
+#### disable_mtu_discovery
+
+Disables Path MTU Discovery (RFC 8899). Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size.
+
+Force enabled on for systems other than Linux and Windows (according to upstream).
+
+#### tls
+
+==Required==
+
+TLS configuration, see [TLS inbound structure](/configuration/shared/tls/#inbound-structure).

docs/configuration/inbound/index.md

@@ -23,6 +23,7 @@
 | `vmess`       | [VMess](./vmess)             |
 | `trojan`      | [Trojan](./trojan)           |
 | `naive`       | [Naive](./naive)             |
+| `hysteria`    | [Hysteria](./hysteria)       |
 | `tun`         | [Tun](./tun)                 |
 | `redirect`    | [Redirect](./redirect)       |
 | `tproxy`      | [TProxy](./tproxy)           |

docs/configuration/outbound/hysteria.md

@@ -0,0 +1,173 @@
+### Structure
+
+```json
+{
+  "outbounds": [
+    {
+      "type": "hysteria",
+      "tag": "hysteria-out",
+      
+      "server": "127.0.0.1",
+      "server_port": 1080,
+
+      "up": "100 Mbps",
+      "up_mbps": 100,
+      "down": "100 Mbps",
+      "down_mbps": 100,
+      "obfs": "fuck me till the daylight",
+      "auth": "",
+      "auth_str": "password",
+      "recv_window_conn": 0,
+      "recv_window": 0,
+      "disable_mtu_discovery": false,
+      "network": "tcp",
+      "tls": {},
+      
+      "detour": "upstream-out",
+      "bind_interface": "en0",
+      "routing_mark": 1234,
+      "reuse_addr": false,
+      "connect_timeout": "5s",
+      "domain_strategy": "prefer_ipv6",
+      "fallback_delay": "300ms"
+    }
+  ]
+}
+```
+
+!!! warning ""
+
+    QUIC, which is required by hysteria is not included by default, see [Installation](/#Installation).
+
+### Hysteria Fields
+
+#### server
+
+==Required==
+
+The server address.
+
+#### server_port
+
+==Required==
+
+The server port.
+
+#### up, down
+
+==Required==
+
+Format: `[Integer] [Unit]` e.g. `100 Mbps, 640 KBps, 2 Gbps`
+
+Supported units (case sensitive, b = bits, B = bytes, 8b=1B):
+
+    bps (bits per second)
+    Bps (bytes per second)
+    Kbps (kilobits per second)
+    KBps (kilobytes per second)
+    Mbps (megabits per second)
+    MBps (megabytes per second)
+    Gbps (gigabits per second)
+    GBps (gigabytes per second)
+    Tbps (terabits per second)
+    TBps (terabytes per second)
+
+#### up_mbps, down_mbps
+
+==Required==
+
+`up, down` in Mbps.
+
+#### obfs
+
+Obfuscated password.
+
+#### auth
+
+Authentication password, in base64.
+
+#### auth_str
+
+Authentication password.
+
+#### recv_window_conn
+
+The QUIC stream-level flow control window for receiving data.
+
+`15728640 (15 MB/s)` will be used if empty.
+
+#### recv_window
+
+The QUIC connection-level flow control window for receiving data.
+
+`67108864 (64 MB/s)` will be used if empty.
+
+#### disable_mtu_discovery
+
+Disables Path MTU Discovery (RFC 8899). Packets will then be at most 1252 (IPv4) / 1232 (IPv6) bytes in size.
+
+Force enabled on for systems other than Linux and Windows (according to upstream).
+
+#### tls
+
+==Required==
+
+TLS configuration, see [TLS inbound structure](/configuration/shared/tls/#inbound-structure).
+
+#### network
+
+Enabled network
+
+One of `tcp` `udp`.
+
+Both is enabled by default.
+
+### Dial Fields
+
+#### detour
+
+The tag of the upstream outbound.
+
+Other dial fields will be ignored when enabled.
+
+#### bind_interface
+
+The network interface to bind to.
+
+#### routing_mark
+
+!!! error ""
+
+    Linux only
+
+The iptables routing mark.
+
+#### reuse_addr
+
+Reuse listener address.
+
+#### connect_timeout
+
+Connect timeout, in golang's Duration format.
+
+A duration string is a possibly signed sequence of
+decimal numbers, each with optional fraction and a unit suffix,
+such as "300ms", "-1.5h" or "2h45m".
+Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+
+#### domain_strategy
+
+One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
+
+If set, the server domain name will be resolved to IP before connecting.
+
+`dns.strategy` will be used if empty.
+
+#### fallback_delay
+
+The length of time to wait before spawning a RFC 6555 Fast Fallback connection.
+That is, is the amount of time to wait for IPv6 to succeed before assuming
+that IPv6 is misconfigured and falling back to IPv4 if `prefer_ipv4` is set.
+If zero, a default delay of 300ms is used.
+
+Only take effect when `domain_strategy` is `prefer_ipv4` or `prefer_ipv6`.

docs/configuration/outbound/index.md

@@ -23,6 +23,7 @@
 | `vmess`       | [VMess](./vmess)             |
 | `trojan`      | [Trojan](./trojan)           |
 | `wireguard`   | [Wireguard](./wireguard)     |
+| `hysteria`    | [Hysteria](./hysteria)       |
 | `dns`         | [DNS](./dns)                 |
 | `selector`    | [Selector](./selector)       |
 

docs/configuration/shared/tls.md

@@ -11,10 +11,25 @@
   "certificate": "",
   "certificate_path": "",
   "key": "",
-  "key_path": ""
+  "key_path": "",
+  "acme": {
+    "domain": [],
+    "data_directory": "",
+    "default_server_name": "",
+    "email": "",
+    "provider": "",
+    "disable_http_challenge": false,
+    "disable_tls_alpn_challenge": false,
+    "alternative_http_port": 0,
+    "alternative_tls_port": 0
+  }
 }
 ```
 
+!!! warning ""
+
+    ACME is not included by default, see [Installation](/#Installation).
+
 ### Outbound Structure
 
 ```json
@@ -59,6 +74,10 @@ Cipher suite values:
 * `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`
 * `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`
 
+!!! note ""
+
+    You can ignore the JSON Array [] tag when the content is only one item
+
 ### Fields
 
 #### enabled
@@ -135,6 +154,56 @@ The server private key, in PEM format.
 
 The path to the server private key, in PEM format.
 
+### ACME Fields
+
+#### domain
+
+List of domain.
+
+ACME will be disabled if empty.
+
+#### data_directory
+
+The directory to store ACME data.
+
+`$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic` will be used if empty.
+
+#### default_server_name
+
+Server name to use when choosing a certificate if the ClientHello's ServerName field is empty.
+
+#### email
+
+The email address to use when creating or selecting an existing ACME server account
+
+#### provider
+
+The ACME CA provider to use.
+
+| Value                   | Provider      |
+|-------------------------|---------------|
+| `letsenctypt (default)` | Let's Encrypt |
+| `zerossl`               | ZeroSSL       |
+| `https://...`           | Custom        |
+
+#### disable_http_challenge
+
+Disable all HTTP challenges.
+
+#### disable_tls_alpn_challenge
+
+Disable all TLS-ALPN challenges
+
+#### alternative_http_port
+
+The alternate port to use for the ACME HTTP challenge; if non-empty, this port will be used instead of 80 to spin up a
+listener for the HTTP challenge.
+
+#### alternative_tls_port
+
+The alternate port to use for the ACME TLS-ALPN challenge; the system must forward 443 to this port for challenge to
+succeed.
+
 ### Reload
 
 For server configuration, certificate and key will be automatically reloaded if modified.