Update documentation

2022-09-10 22:42:20 +08:00
parent d727710d60
commit ebf5cbf1b9
12 changed files with 209 additions and 27 deletions
--- a/docs/configuration/shared/tls.md
+++ b/docs/configuration/shared/tls.md
@@ -30,10 +30,6 @@
 }
 ```

-!!! warning ""
-
-    ACME is not included by default, see [Installation](/#installation).
-
 ### Outbound

 ```json
@@ -47,7 +43,17 @@
  "max_version": "",
  "cipher_suites": [],
  "certificate": "",
-  "certificate_path": ""
+  "certificate_path": "",
+  "ech": {
+    "enabled": false,
+    "pq_signature_schemes_enabled": false,
+    "dynamic_record_sizing_disabled": false,
+    "config": ""
+  },
+  "utls": {
+    "enabled": false,
+    "fingerprint": ""
+  }
 }
 ```

@@ -155,8 +161,48 @@ The server private key, in PEM format.

 The path to the server private key, in PEM format.

+#### ech
+
+==Client only==
+
+!!! warning ""
+
+    ECH is not included by default, see [Installation](/#installation).
+
+ECH (Encrypted Client Hello) is a TLS extension that allows a client to encrypt the first part of its ClientHello
+message.
+
+If you don't know how to fill in the other configuration, just set `enabled`.
+
+#### utls
+
+==Client only==
+
+!!! warning ""
+
+    uTLS is not included by default, see [Installation](/#installation).
+
+!!! note ""
+
+    uTLS is poorly maintained and the effect may be unproven, use at your own risk.
+
+uTLS is a fork of "crypto/tls", which provides ClientHello fingerprinting resistance.
+
+Available fingerprint values:
+
+* chrome
+* firefox
+* ios
+* android
+* random
+
+
 ### ACME Fields

+!!! warning ""
+
+    ACME is not included by default, see [Installation](/#installation).
+
 #### domain

 List of domain.
@@ -205,10 +251,6 @@ listener for the HTTP challenge.
 The alternate port to use for the ACME TLS-ALPN challenge; the system must forward 443 to this port for challenge to
 succeed.

-### Reload
-
-For server configuration, certificate and key will be automatically reloaded if modified.
-
 #### external_account

 EAB (External Account Binding) contains information necessary to bind or map an ACME account to some other account known
@@ -226,4 +268,8 @@ The key identifier.

 #### external_account.mac_key

-The MAC key.
+The MAC key.
+
+### Reload
+
+For server configuration, certificate and key will be automatically reloaded if modified.
--- a/docs/configuration/shared/tls.zh.md
+++ b/docs/configuration/shared/tls.zh.md
@@ -30,10 +30,6 @@
 }
 ```

-!!! warning ""
-
-    默认安装不包含 ACME，参阅 [安装](/zh/#_2)。
-
 ### 出站

 ```json
@@ -47,7 +43,17 @@
  "max_version": "",
  "cipher_suites": [],
  "certificate": "",
-  "certificate_path": ""
+  "certificate_path": "",
+  "ech": {
+    "enabled": false,
+    "pq_signature_schemes_enabled": false,
+    "dynamic_record_sizing_disabled": false,
+    "config": ""
+  },
+  "utls": {
+    "enabled": false,
+    "fingerprint": ""
+  }
 }
 ```

@@ -155,8 +161,47 @@ TLS 版本值：

 服务器 PEM 私钥路径。

+#### ech
+
+==仅客户端==
+
+!!! warning ""
+
+    默认安装不包含 ECH, 参阅 [安装](/zh/#_2)。
+
+ECH (Encrypted Client Hello) 是一个 TLS 扩展，它允许客户端加密其 ClientHello 的第一部分
+信息。
+
+如果您不知道如何填写其他配置，只需设置 `enabled` 即可。
+
+#### utls
+
+==仅客户端==
+
+!!! warning ""
+
+    默认安装不包含 uTLS, 参阅 [安装](/zh/#_2)。
+
+!!! note ""
+
+    uTLS 维护不善且其效果可能未经证实，使用风险自负。
+
+uTLS 是 "crypto/tls" 的一个分支，它提供了 ClientHello 指纹识别阻力。
+
+可用的指纹值：
+
+* chrome
+* firefox
+* ios
+* android
+* random
+
 ### ACME 字段

+!!! warning ""
+
+    默认安装不包含 ACME，参阅 [安装](/zh/#_2)。
+
 #### domain

 一组域名。
@@ -203,10 +248,6 @@ ACME 数据目录。

 用于 ACME TLS-ALPN 质询的备用端口； 系统必须将 443 转发到此端口以使质询成功。

-### Reload
-
-对于服务器配置，如果修改，证书和密钥将自动重新加载。
-
 #### external_account

 EAB（外部帐户绑定）包含将 ACME 帐户绑定或映射到其他已知帐户所需的信息由 CA。
@@ -222,4 +263,8 @@ EAB（外部帐户绑定）包含将 ACME 帐户绑定或映射到其他已知

 #### external_account.mac_key

-MAC 密钥。
+MAC 密钥。
+
+### 重载
+
+对于服务器配置，如果修改，证书和密钥将自动重新加载。