Update documentation

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/renovate.json

@@ -1,28 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "commitMessagePrefix": "[dependencies]",
-  "extends": [
-    "config:base",
-    ":disableRateLimiting"
-  ],
-  "baseBranches": [
-    "dev-next"
-  ],
-  "golang": {
-    "enabled": false
-  },
-  "packageRules": [
-    {
-      "matchManagers": [
-        "github-actions"
-      ],
-      "groupName": "github-actions"
-    },
-    {
-      "matchManagers": [
-        "dockerfile"
-      ],
-      "groupName": "Dockerfile"
-    }
-  ]
-}

.github/workflows/debug.yml

@@ -60,7 +60,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.18.10
+          go-version: 1.18.7
       - name: Cache go module
         uses: actions/cache@v3
         with:
@@ -68,7 +68,8 @@ jobs:
             ~/go/pkg/mod
           key: go118-${{ hashFiles('**/go.sum') }}
       - name: Run Test
-        run: make
+        run: |
+          go test -v ./...
   cross:
     strategy:
       matrix:

.github/workflows/mkdocs.yml

@@ -14,7 +14,5 @@ jobs:
       - uses: actions/setup-python@v4
         with:
           python-version: 3.x
-      - run: |
-          pip install mkdocs-material=="9.*" mkdocs-static-i18n=="0.53"
-      - run: |
-          mkdocs gh-deploy -m "{sha}" --force --ignore-version --no-history
+      - run: pip install mkdocs-material mkdocs-static-i18n
+      - run: mkdocs gh-deploy -m "{sha}" --force --ignore-version --no-history

.gitignore

@@ -5,10 +5,4 @@
 /site/
 /bin/
 /dist/
-/sing-box
-/sing-box.exe
-/build/
-/*.jar
-/*.aar
-/*.xcframework/
-.DS_Store
+/sing-box

.golangci.yml

@@ -12,8 +12,6 @@ run:
     - transport/simple-obfs
     - transport/clashssr
     - transport/cloudflaretls
-    - transport/shadowtls/tls
-    - transport/shadowtls/tls_go119
 
 linters-settings:
   gci:

.goreleaser.yaml

@@ -10,7 +10,7 @@ builds:
     gcflags:
       - all=-trimpath={{.Env.GOPATH}}
     ldflags:
-      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
+      - -s -w -buildid=
     tags:
       - with_gvisor
       - with_quic
@@ -43,7 +43,7 @@ builds:
     gcflags:
       - all=-trimpath={{.Env.GOPATH}}
     ldflags:
-      - -X github.com/sagernet/sing-box/constant.Version={{ .Version }} -s -w -buildid=
+      - -s -w -buildid=
     tags:
       - with_gvisor
       - with_quic

Dockerfile

@@ -8,10 +8,9 @@ ENV CGO_ENABLED=0
 RUN set -ex \
     && apk add git build-base \
     && export COMMIT=$(git rev-parse --short HEAD) \
-    && export VERSION=$(go run ./cmd/internal/read_tag) \
     && go build -v -trimpath -tags with_quic,with_wireguard,with_acme \
         -o /go/bin/sing-box \
-        -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$VERSION\" -s -w -buildid=" \
+        -ldflags "-s -w -buildid=" \
         ./cmd/sing-box
 FROM alpine AS dist
 LABEL maintainer="nekohasekai <contact-git@sekai.icu>"

Makefile

@@ -1,15 +1,9 @@
 NAME = sing-box
 COMMIT = $(shell git rev-parse --short HEAD)
-TAGS ?= with_gvisor,with_quic,with_wireguard,with_utls,with_reality_server,with_clash_api
-TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_reality_server,with_shadowsocksr
-
-GOHOSTOS = $(shell go env GOHOSTOS)
-GOHOSTARCH = $(shell go env GOHOSTARCH)
-VERSION=$(shell CGO_ENABLED=0 GOOS=$(GOHOSTOS) GOARCH=$(GOHOSTARCH) go run ./cmd/internal/read_tag)
-
-PARAMS = -v -trimpath -tags "$(TAGS)" -ldflags "-X \"github.com/sagernet/sing-box/constant.Version=$(VERSION)\" -s -w -buildid="
+TAGS ?= with_gvisor,with_quic,with_wireguard,with_utls,with_clash_api
+TAGS_TEST ?= with_gvisor,with_quic,with_wireguard,with_grpc,with_ech,with_utls,with_shadowsocksr
+PARAMS = -v -trimpath -tags "$(TAGS)" -ldflags "-s -w -buildid="
 MAIN = ./cmd/sing-box
-PREFIX ?= $(shell go env GOPATH)
 
 .PHONY: test release
 
@@ -17,7 +11,7 @@ build:
 	go build $(PARAMS) $(MAIN)
 
 install:
-	go build -o $(PREFIX)/bin/$(NAME) $(PARAMS) $(MAIN)
+	go install $(PARAMS) $(MAIN)
 
 fmt:
 	@gofumpt -l -w .
@@ -77,14 +71,6 @@ test_stdio:
 	go mod tidy && \
 	go test -v -tags "$(TAGS_TEST),force_stdio" .
 
-lib:
-	go run ./cmd/internal/build_libbox
-
-lib_install:
-	go get -v -d
-	go install -v github.com/sagernet/gomobile/cmd/gomobile@v0.0.0-20221130124640-349ebaa752ca
-	go install -v github.com/sagernet/gomobile/cmd/gobind@v0.0.0-20221130124640-349ebaa752ca
-
 clean:
 	rm -rf bin dist sing-box
 	rm -f $(shell go env GOPATH)/sing-box

adapter/experimental.go

@@ -45,6 +45,6 @@ type V2RayServer interface {
 }
 
 type V2RayStatsService interface {
-	RoutedConnection(inbound string, outbound string, user string, conn net.Conn) net.Conn
-	RoutedPacketConnection(inbound string, outbound string, user string, conn N.PacketConn) N.PacketConn
+	RoutedConnection(inbound string, outbound string, conn net.Conn) net.Conn
+	RoutedPacketConnection(inbound string, outbound string, conn N.PacketConn) N.PacketConn
 }

adapter/inbound.go

@@ -46,10 +46,6 @@ type InboundContext struct {
 	SourceGeoIPCode      string
 	GeoIPCode            string
 	ProcessInfo          *process.Info
-
-	// dns cache
-
-	QueryType uint16
 }
 
 type inboundContextKey struct{}

adapter/router.go

@@ -34,15 +34,12 @@ type Router interface {
 	InterfaceFinder() control.InterfaceFinder
 	DefaultInterface() string
 	AutoDetectInterface() bool
-	AutoDetectInterfaceFunc() control.Func
 	DefaultMark() int
 	NetworkMonitor() tun.NetworkUpdateMonitor
 	InterfaceMonitor() tun.DefaultInterfaceMonitor
 	PackageManager() tun.PackageManager
 	Rules() []Rule
 
-	TimeService
-
 	ClashServer() ClashServer
 	SetClashServer(server ClashServer)
 
@@ -50,20 +47,6 @@ type Router interface {
 	SetV2RayServer(server V2RayServer)
 }
 
-type routerContextKey struct{}
-
-func ContextWithRouter(ctx context.Context, router Router) context.Context {
-	return context.WithValue(ctx, (*routerContextKey)(nil), router)
-}
-
-func RouterFromContext(ctx context.Context) Router {
-	metadata := ctx.Value((*routerContextKey)(nil))
-	if metadata == nil {
-		return nil
-	}
-	return metadata.(Router)
-}
-
 type Rule interface {
 	Service
 	Type() string

adapter/time.go

@@ -1,8 +0,0 @@
-package adapter
-
-import "time"
-
-type TimeService interface {
-	Service
-	TimeFunc() func() time.Time
-}

adapter/v2ray.go

@@ -3,10 +3,6 @@ package adapter
 import (
 	"context"
 	"net"
-
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
 )
 
 type V2RayServerTransport interface {
@@ -16,12 +12,6 @@ type V2RayServerTransport interface {
 	Close() error
 }
 
-type V2RayServerTransportHandler interface {
-	N.TCPConnectionHandler
-	E.Handler
-	FallbackConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error
-}
-
 type V2RayClientTransport interface {
 	DialContext(ctx context.Context) (net.Conn, error)
 }

box.go

@@ -9,9 +9,7 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental"
-	"github.com/sagernet/sing-box/experimental/libbox/platform"
 	"github.com/sagernet/sing-box/inbound"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
@@ -37,7 +35,7 @@ type Box struct {
 	done        chan struct{}
 }
 
-func New(ctx context.Context, options option.Options, platformInterface platform.Interface) (*Box, error) {
+func New(ctx context.Context, options option.Options) (*Box, error) {
 	createdAt := time.Now()
 	logOptions := common.PtrValueOrDefault(options.Log)
 
@@ -55,25 +53,19 @@ func New(ctx context.Context, options option.Options, platformInterface platform
 	var logFactory log.Factory
 	var observableLogFactory log.ObservableFactory
 	var logFile *os.File
-	var logWriter io.Writer
 	if logOptions.Disabled {
 		observableLogFactory = log.NewNOPFactory()
 		logFactory = observableLogFactory
 	} else {
+		var logWriter io.Writer
 		switch logOptions.Output {
-		case "":
-			if platformInterface != nil {
-				logWriter = io.Discard
-			} else {
-				logWriter = os.Stdout
-			}
-		case "stderr":
+		case "", "stderr":
 			logWriter = os.Stderr
 		case "stdout":
 			logWriter = os.Stdout
 		default:
 			var err error
-			logFile, err = os.OpenFile(C.BasePath(logOptions.Output), os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o644)
+			logFile, err = os.OpenFile(logOptions.Output, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0o644)
 			if err != nil {
 				return nil, err
 			}
@@ -87,10 +79,10 @@ func New(ctx context.Context, options option.Options, platformInterface platform
 			TimestampFormat:  "-0700 2006-01-02 15:04:05",
 		}
 		if needClashAPI {
-			observableLogFactory = log.NewObservableFactory(logFormatter, logWriter, platformInterface)
+			observableLogFactory = log.NewObservableFactory(logFormatter, logWriter)
 			logFactory = observableLogFactory
 		} else {
-			logFactory = log.NewFactory(logFormatter, logWriter, platformInterface)
+			logFactory = log.NewFactory(logFormatter, logWriter)
 		}
 		if logOptions.Level != "" {
 			logLevel, err := log.ParseLevel(logOptions.Level)
@@ -108,9 +100,7 @@ func New(ctx context.Context, options option.Options, platformInterface platform
 		logFactory,
 		common.PtrValueOrDefault(options.Route),
 		common.PtrValueOrDefault(options.DNS),
-		common.PtrValueOrDefault(options.NTP),
 		options.Inbounds,
-		platformInterface,
 	)
 	if err != nil {
 		return nil, E.Cause(err, "parse route options")
@@ -130,7 +120,6 @@ func New(ctx context.Context, options option.Options, platformInterface platform
 			router,
 			logFactory.NewLogger(F.ToString("inbound/", inboundOptions.Type, "[", tag, "]")),
 			inboundOptions,
-			platformInterface,
 		)
 		if err != nil {
 			return nil, E.Cause(err, "parse inbound[", i, "]")
@@ -213,18 +202,6 @@ func (s *Box) Start() error {
 }
 
 func (s *Box) start() error {
-	if s.clashServer != nil {
-		err := s.clashServer.Start()
-		if err != nil {
-			return E.Cause(err, "start clash api server")
-		}
-	}
-	if s.v2rayServer != nil {
-		err := s.v2rayServer.Start()
-		if err != nil {
-			return E.Cause(err, "start v2ray api server")
-		}
-	}
 	for i, out := range s.outbounds {
 		if starter, isStarter := out.(common.Starter); isStarter {
 			err := starter.Start()
@@ -255,7 +232,18 @@ func (s *Box) start() error {
 			return E.Cause(err, "initialize inbound/", in.Type(), "[", tag, "]")
 		}
 	}
-
+	if s.clashServer != nil {
+		err = s.clashServer.Start()
+		if err != nil {
+			return E.Cause(err, "start clash api server")
+		}
+	}
+	if s.v2rayServer != nil {
+		err = s.v2rayServer.Start()
+		if err != nil {
+			return E.Cause(err, "start v2ray api server")
+		}
+	}
 	s.logger.Info("sing-box started (", F.Seconds(time.Since(s.createdAt).Seconds()), "s)")
 	return nil
 }
@@ -267,43 +255,19 @@ func (s *Box) Close() error {
 	default:
 		close(s.done)
 	}
-	var errors error
-	for i, in := range s.inbounds {
-		errors = E.Append(errors, in.Close(), func(err error) error {
-			return E.Cause(err, "close inbound/", in.Type(), "[", i, "]")
-		})
+	for _, in := range s.inbounds {
+		in.Close()
 	}
-	for i, out := range s.outbounds {
-		errors = E.Append(errors, common.Close(out), func(err error) error {
-			return E.Cause(err, "close inbound/", out.Type(), "[", i, "]")
-		})
+	for _, out := range s.outbounds {
+		common.Close(out)
 	}
-	if err := common.Close(s.router); err != nil {
-		errors = E.Append(errors, err, func(err error) error {
-			return E.Cause(err, "close router")
-		})
-	}
-	if err := common.Close(s.logFactory); err != nil {
-		errors = E.Append(errors, err, func(err error) error {
-			return E.Cause(err, "close log factory")
-		})
-	}
-	if err := common.Close(s.clashServer); err != nil {
-		errors = E.Append(errors, err, func(err error) error {
-			return E.Cause(err, "close clash api server")
-		})
-	}
-	if err := common.Close(s.v2rayServer); err != nil {
-		errors = E.Append(errors, err, func(err error) error {
-			return E.Cause(err, "close v2ray api server")
-		})
-	}
-	if s.logFile != nil {
-		errors = E.Append(errors, s.logFile.Close(), func(err error) error {
-			return E.Cause(err, "close log file")
-		})
-	}
-	return errors
+	return common.Close(
+		s.router,
+		s.logFactory,
+		s.clashServer,
+		s.v2rayServer,
+		common.PtrOrNil(s.logFile),
+	)
 }
 
 func (s *Box) Router() adapter.Router {

cmd/internal/build/main.go

@@ -4,12 +4,11 @@ import (
 	"os"
 	"os/exec"
 
-	"github.com/sagernet/sing-box/cmd/internal/build_shared"
 	"github.com/sagernet/sing-box/log"
 )
 
 func main() {
-	build_shared.FindSDK()
+	findSDK()
 
 	command := exec.Command(os.Args[1], os.Args[2:]...)
 	command.Stdout = os.Stdout

cmd/internal/build/sdk.go

@@ -1,7 +1,6 @@
-package build_shared
+package main
 
 import (
-	"go/build"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -19,7 +18,7 @@ var (
 	androidNDKPath string
 )
 
-func FindSDK() {
+func findSDK() {
 	searchPath := []string{
 		"$ANDROID_HOME",
 		"$HOME/Android/Sdk",
@@ -80,13 +79,3 @@ func findNDK() bool {
 	}
 	return false
 }
-
-var GoBinPath string
-
-func FindMobile() {
-	goBin := filepath.Join(build.Default.GOPATH, "bin")
-	if !rw.FileExists(goBin + "/" + "gobind") {
-		log.Fatal("missing gomobile installation")
-	}
-	GoBinPath = goBin
-}

cmd/internal/build_libbox/main.go

@@ -1,136 +0,0 @@
-package main
-
-import (
-	"flag"
-	"os"
-	"os/exec"
-	"path/filepath"
-
-	_ "github.com/sagernet/gomobile/event/key"
-	"github.com/sagernet/sing-box/cmd/internal/build_shared"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing/common/rw"
-)
-
-var (
-	debugEnabled bool
-	target       string
-)
-
-func init() {
-	flag.BoolVar(&debugEnabled, "debug", false, "enable debug")
-	flag.StringVar(&target, "target", "android", "target platform")
-}
-
-func main() {
-	flag.Parse()
-
-	build_shared.FindMobile()
-
-	switch target {
-	case "android":
-		buildAndroid()
-	case "ios":
-		buildiOS()
-	}
-}
-
-var (
-	sharedFlags []string
-	debugFlags  []string
-)
-
-func init() {
-	sharedFlags = append(sharedFlags, "-trimpath")
-	sharedFlags = append(sharedFlags, "-ldflags")
-
-	currentTag, err := build_shared.ReadTag()
-	if err != nil {
-		currentTag = "unknown"
-	}
-	sharedFlags = append(sharedFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag+" -s -w -buildid=")
-	debugFlags = append(debugFlags, "-X github.com/sagernet/sing-box/constant.Version="+currentTag)
-}
-
-func buildAndroid() {
-	build_shared.FindSDK()
-
-	args := []string{
-		"bind",
-		"-v",
-		"-androidapi", "21",
-		"-javapkg=io.nekohasekai",
-		"-libname=box",
-	}
-	if !debugEnabled {
-		args = append(args, sharedFlags...)
-	} else {
-		args = append(args, debugFlags...)
-	}
-
-	args = append(args, "-tags")
-	if !debugEnabled {
-		args = append(args, "with_gvisor,with_quic,with_wireguard,with_utls,with_clash_api")
-	} else {
-		args = append(args, "with_gvisor,with_quic,with_wireguard,with_utls,with_clash_api,debug")
-	}
-	args = append(args, "./experimental/libbox")
-
-	command := exec.Command(build_shared.GoBinPath+"/gomobile", args...)
-	command.Stdout = os.Stdout
-	command.Stderr = os.Stderr
-	err := command.Run()
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	const name = "libbox.aar"
-	copyPath := filepath.Join("..", "sing-box-for-android", "app", "libs")
-	if rw.FileExists(copyPath) {
-		copyPath, _ = filepath.Abs(copyPath)
-		err = rw.CopyFile(name, filepath.Join(copyPath, name))
-		if err != nil {
-			log.Fatal(err)
-		}
-		log.Info("copied to ", copyPath)
-	}
-}
-
-func buildiOS() {
-	args := []string{
-		"bind",
-		"-v",
-		"-target", "ios,iossimulator,macos",
-		"-libname=box",
-	}
-	if !debugEnabled {
-		args = append(args, sharedFlags...)
-	} else {
-		args = append(args, debugFlags...)
-	}
-
-	args = append(args, "-tags")
-	if !debugEnabled {
-		args = append(args, "with_gvisor,with_quic,with_utls,with_clash_api,with_low_memory,with_conntrack")
-	} else {
-		args = append(args, "with_gvisor,with_quic,with_utls,with_clash_api,with_low_memory,with_conntrack,debug")
-	}
-	args = append(args, "./experimental/libbox")
-
-	command := exec.Command(build_shared.GoBinPath+"/gomobile", args...)
-	command.Stdout = os.Stdout
-	command.Stderr = os.Stderr
-	err := command.Run()
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	copyPath := filepath.Join("..", "sing-box-for-ios")
-	if rw.FileExists(copyPath) {
-		targetDir := filepath.Join(copyPath, "Libbox.xcframework")
-		targetDir, _ = filepath.Abs(targetDir)
-		os.RemoveAll(targetDir)
-		os.Rename("Libbox.xcframework", targetDir)
-		log.Info("copied to ", targetDir)
-	}
-}

cmd/internal/build_shared/tag.go

@@ -1,16 +0,0 @@
-package build_shared
-
-import "github.com/sagernet/sing/common/shell"
-
-func ReadTag() (string, error) {
-	currentTag, err := shell.Exec("git", "describe", "--tags").ReadOutput()
-	if err != nil {
-		return currentTag, err
-	}
-	currentTagRev, _ := shell.Exec("git", "describe", "--tags", "--abbrev=0").ReadOutput()
-	if currentTagRev == currentTag {
-		return currentTag[1:], nil
-	}
-	shortCommit, _ := shell.Exec("git", "rev-parse", "--short", "HEAD").ReadOutput()
-	return currentTagRev[1:] + "-" + shortCommit, nil
-}

cmd/internal/read_tag/main.go

@@ -1,21 +0,0 @@
-package main
-
-import (
-	"os"
-
-	"github.com/sagernet/sing-box/cmd/internal/build_shared"
-	"github.com/sagernet/sing-box/log"
-)
-
-func main() {
-	currentTag, err := build_shared.ReadTag()
-	if err != nil {
-		log.Error(err)
-		_, err = os.Stdout.WriteString("unknown\n")
-	} else {
-		_, err = os.Stdout.WriteString(currentTag + "\n")
-	}
-	if err != nil {
-		log.Error(err)
-	}
-}

cmd/sing-box/cmd_check.go

@@ -31,10 +31,7 @@ func check() error {
 		return err
 	}
 	ctx, cancel := context.WithCancel(context.Background())
-	instance, err := box.New(ctx, options, nil)
-	if err == nil {
-		instance.Close()
-	}
+	_, err = box.New(ctx, options)
 	cancel()
 	return err
 }

cmd/sing-box/cmd_generate.go

@@ -1,139 +0,0 @@
-package main
-
-import (
-	"crypto/rand"
-	"encoding/base64"
-	"encoding/hex"
-	"os"
-	"strconv"
-
-	"github.com/sagernet/sing-box/log"
-
-	"github.com/gofrs/uuid"
-	"github.com/spf13/cobra"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-)
-
-var commandGenerate = &cobra.Command{
-	Use:   "generate",
-	Short: "Generate things",
-}
-
-func init() {
-	commandGenerate.AddCommand(commandGenerateUUID)
-	commandGenerate.AddCommand(commandGenerateRandom)
-	commandGenerate.AddCommand(commandGenerateWireGuardKeyPair)
-	commandGenerate.AddCommand(commandGenerateRealityKeyPair)
-	mainCommand.AddCommand(commandGenerate)
-}
-
-var (
-	outputBase64 bool
-	outputHex    bool
-)
-
-var commandGenerateRandom = &cobra.Command{
-	Use:   "rand <length>",
-	Short: "Generate random bytes",
-	Args:  cobra.ExactArgs(1),
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateRandom(args)
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func init() {
-	commandGenerateRandom.Flags().BoolVar(&outputBase64, "base64", false, "Generate base64 string")
-	commandGenerateRandom.Flags().BoolVar(&outputHex, "hex", false, "Generate hex string")
-}
-
-func generateRandom(args []string) error {
-	length, err := strconv.Atoi(args[0])
-	if err != nil {
-		return err
-	}
-
-	randomBytes := make([]byte, length)
-	_, err = rand.Read(randomBytes)
-	if err != nil {
-		return err
-	}
-
-	if outputBase64 {
-		_, err = os.Stdout.WriteString(base64.StdEncoding.EncodeToString(randomBytes) + "\n")
-	} else if outputHex {
-		_, err = os.Stdout.WriteString(hex.EncodeToString(randomBytes) + "\n")
-	} else {
-		_, err = os.Stdout.Write(randomBytes)
-	}
-
-	return err
-}
-
-var commandGenerateUUID = &cobra.Command{
-	Use:   "uuid",
-	Short: "Generate UUID string",
-	Args:  cobra.NoArgs,
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateUUID()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func generateUUID() error {
-	newUUID, err := uuid.NewV4()
-	if err != nil {
-		return err
-	}
-	_, err = os.Stdout.WriteString(newUUID.String() + "\n")
-	return err
-}
-
-var commandGenerateWireGuardKeyPair = &cobra.Command{
-	Use:   "wg-keypair",
-	Short: "Generate WireGuard key pair",
-	Args:  cobra.NoArgs,
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateWireGuardKey()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func generateWireGuardKey() error {
-	privateKey, err := wgtypes.GeneratePrivateKey()
-	if err != nil {
-		return err
-	}
-	os.Stdout.WriteString("PrivateKey: " + privateKey.String() + "\n")
-	os.Stdout.WriteString("PublicKey: " + privateKey.PublicKey().String() + "\n")
-	return nil
-}
-
-var commandGenerateRealityKeyPair = &cobra.Command{
-	Use:   "reality-keypair",
-	Short: "Generate reality key pair",
-	Args:  cobra.NoArgs,
-	Run: func(cmd *cobra.Command, args []string) {
-		err := generateRealityKey()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}
-
-func generateRealityKey() error {
-	privateKey, err := wgtypes.GeneratePrivateKey()
-	if err != nil {
-		return err
-	}
-	publicKey := privateKey.PublicKey()
-	os.Stdout.WriteString("PrivateKey: " + base64.RawURLEncoding.EncodeToString(privateKey[:]) + "\n")
-	os.Stdout.WriteString("PublicKey: " + base64.RawURLEncoding.EncodeToString(publicKey[:]) + "\n")
-	return nil
-}

cmd/sing-box/cmd_run.go

@@ -64,7 +64,7 @@ func create() (*box.Box, context.CancelFunc, error) {
 		options.Log.DisableColor = true
 	}
 	ctx, cancel := context.WithCancel(context.Background())
-	instance, err := box.New(ctx, options, nil)
+	instance, err := box.New(ctx, options)
 	if err != nil {
 		cancel()
 		return nil, nil, E.Cause(err, "create service")

cmd/sing-box/debug.go

@@ -25,9 +25,9 @@ func init() {
 		runtime.ReadMemStats(&memStats)
 
 		var memObject badjson.JSONObject
-		memObject.Put("heap", humanize.IBytes(memStats.HeapInuse))
-		memObject.Put("stack", humanize.IBytes(memStats.StackInuse))
-		memObject.Put("idle", humanize.IBytes(memStats.HeapIdle-memStats.HeapReleased))
+		memObject.Put("heap", humanize.Bytes(memStats.HeapInuse))
+		memObject.Put("stack", humanize.Bytes(memStats.StackInuse))
+		memObject.Put("idle", humanize.Bytes(memStats.HeapIdle-memStats.HeapReleased))
 		memObject.Put("goroutines", runtime.NumGoroutine())
 		memObject.Put("rss", rusageMaxRSS())
 

cmd/sing-box/main.go

@@ -2,7 +2,6 @@ package main
 
 import (
 	"os"
-	"time"
 
 	_ "github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
@@ -34,9 +33,6 @@ func main() {
 }
 
 func preRun(cmd *cobra.Command, args []string) {
-	if disableColor {
-		log.SetStdLogger(log.NewFactory(log.Formatter{BaseTime: time.Now(), DisableColors: true}, os.Stderr, nil).Logger())
-	}
 	if workingDir != "" {
 		if err := os.Chdir(workingDir); err != nil {
 			log.Fatal(err)

common/dialer/conntrack/conn.go

@@ -1,54 +0,0 @@
-package conntrack
-
-import (
-	"io"
-	"net"
-
-	"github.com/sagernet/sing/common/x/list"
-)
-
-type Conn struct {
-	net.Conn
-	element *list.Element[io.Closer]
-}
-
-func NewConn(conn net.Conn) (*Conn, error) {
-	connAccess.Lock()
-	element := openConnection.PushBack(conn)
-	connAccess.Unlock()
-	if KillerEnabled {
-		err := killerCheck()
-		if err != nil {
-			conn.Close()
-			return nil, err
-		}
-	}
-	return &Conn{
-		Conn:    conn,
-		element: element,
-	}, nil
-}
-
-func (c *Conn) Close() error {
-	if c.element.Value != nil {
-		connAccess.Lock()
-		if c.element.Value != nil {
-			openConnection.Remove(c.element)
-			c.element.Value = nil
-		}
-		connAccess.Unlock()
-	}
-	return c.Conn.Close()
-}
-
-func (c *Conn) Upstream() any {
-	return c.Conn
-}
-
-func (c *Conn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *Conn) WriterReplaceable() bool {
-	return true
-}

common/dialer/conntrack/killer.go

@@ -1,38 +0,0 @@
-package conntrack
-
-import (
-	"runtime"
-	runtimeDebug "runtime/debug"
-	"time"
-
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-var (
-	KillerEnabled   bool
-	MemoryLimit     int64
-	killerLastCheck time.Time
-)
-
-func killerCheck() error {
-	if !KillerEnabled {
-		return nil
-	}
-	nowTime := time.Now()
-	if nowTime.Sub(killerLastCheck) < 3*time.Second {
-		return nil
-	}
-	killerLastCheck = nowTime
-	var memStats runtime.MemStats
-	runtime.ReadMemStats(&memStats)
-	inuseMemory := int64(memStats.StackInuse + memStats.HeapInuse + memStats.HeapIdle - memStats.HeapReleased)
-	if inuseMemory > MemoryLimit {
-		Close()
-		go func() {
-			time.Sleep(time.Second)
-			runtimeDebug.FreeOSMemory()
-		}()
-		return E.New("out of memory")
-	}
-	return nil
-}

common/dialer/conntrack/packet_conn.go

@@ -1,54 +0,0 @@
-package conntrack
-
-import (
-	"io"
-	"net"
-
-	"github.com/sagernet/sing/common/x/list"
-)
-
-type PacketConn struct {
-	net.PacketConn
-	element *list.Element[io.Closer]
-}
-
-func NewPacketConn(conn net.PacketConn) (*PacketConn, error) {
-	connAccess.Lock()
-	element := openConnection.PushBack(conn)
-	connAccess.Unlock()
-	if KillerEnabled {
-		err := killerCheck()
-		if err != nil {
-			conn.Close()
-			return nil, err
-		}
-	}
-	return &PacketConn{
-		PacketConn: conn,
-		element:    element,
-	}, nil
-}
-
-func (c *PacketConn) Close() error {
-	if c.element.Value != nil {
-		connAccess.Lock()
-		if c.element.Value != nil {
-			openConnection.Remove(c.element)
-			c.element.Value = nil
-		}
-		connAccess.Unlock()
-	}
-	return c.PacketConn.Close()
-}
-
-func (c *PacketConn) Upstream() any {
-	return c.PacketConn
-}
-
-func (c *PacketConn) ReaderReplaceable() bool {
-	return true
-}
-
-func (c *PacketConn) WriterReplaceable() bool {
-	return true
-}

common/dialer/conntrack/track.go

@@ -1,38 +0,0 @@
-package conntrack
-
-import (
-	"io"
-	"sync"
-
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/x/list"
-)
-
-var (
-	connAccess     sync.RWMutex
-	openConnection list.List[io.Closer]
-)
-
-func Count() int {
-	return openConnection.Len()
-}
-
-func List() []io.Closer {
-	connAccess.RLock()
-	defer connAccess.RUnlock()
-	connList := make([]io.Closer, 0, openConnection.Len())
-	for element := openConnection.Front(); element != nil; element = element.Next() {
-		connList = append(connList, element.Value)
-	}
-	return connList
-}
-
-func Close() {
-	connAccess.Lock()
-	defer connAccess.Unlock()
-	for element := openConnection.Front(); element != nil; element = element.Next() {
-		common.Close(element.Value)
-		element.Value = nil
-	}
-	openConnection.Init()
-}

common/dialer/conntrack/track_disable.go

@@ -1,5 +0,0 @@
-//go:build !with_conntrack
-
-package conntrack
-
-const Enabled = false

common/dialer/conntrack/track_enable.go

@@ -1,5 +0,0 @@
-//go:build with_conntrack
-
-package conntrack
-
-const Enabled = true

common/dialer/default.go

@@ -6,7 +6,6 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/dialer/conntrack"
 	"github.com/sagernet/sing-box/common/warning"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
@@ -14,7 +13,8 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/tfo-go"
+
+	"github.com/database64128/tfo-go/v2"
 )
 
 var warnBindInterfaceOnUnsupportedPlatform = warning.New(
@@ -71,7 +71,15 @@ func NewDefault(router adapter.Router, options option.DialerOptions) *DefaultDia
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
 	} else if router.AutoDetectInterface() {
-		bindFunc := router.AutoDetectInterfaceFunc()
+		const useInterfaceName = C.IsLinux
+		bindFunc := control.BindToInterfaceFunc(router.InterfaceFinder(), func(network string, address string) (interfaceName string, interfaceIndex int) {
+			remoteAddr := M.ParseSocksaddr(address).Addr
+			if C.IsLinux {
+				return router.InterfaceMonitor().DefaultInterfaceName(remoteAddr), -1
+			} else {
+				return "", router.InterfaceMonitor().DefaultInterfaceIndex(remoteAddr)
+			}
+		})
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
 	} else if router.DefaultInterface() != "" {
@@ -160,30 +168,16 @@ func (d *DefaultDialer) DialContext(ctx context.Context, network string, address
 		}
 	}
 	if !address.IsIPv6() {
-		return trackConn(DialSlowContext(&d.dialer4, ctx, network, address))
+		return DialSlowContext(&d.dialer4, ctx, network, address)
 	} else {
-		return trackConn(DialSlowContext(&d.dialer6, ctx, network, address))
+		return DialSlowContext(&d.dialer6, ctx, network, address)
 	}
 }
 
 func (d *DefaultDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	if !destination.IsIPv6() {
-		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr4))
+		return d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr4)
 	} else {
-		return trackPacketConn(d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6))
+		return d.udpListener.ListenPacket(ctx, N.NetworkUDP, d.udpAddr6)
 	}
 }
-
-func trackConn(conn net.Conn, err error) (net.Conn, error) {
-	if !conntrack.Enabled || err != nil {
-		return conn, err
-	}
-	return conntrack.NewConn(conn)
-}
-
-func trackPacketConn(conn net.PacketConn, err error) (net.PacketConn, error) {
-	if !conntrack.Enabled || err != nil {
-		return conn, err
-	}
-	return conntrack.NewPacketConn(conn)
-}

common/dialer/tfo.go

@@ -12,7 +12,8 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/tfo-go"
+
+	"github.com/database64128/tfo-go/v2"
 )
 
 type slowOpenConn struct {

common/proxyproto/listener.go

@@ -24,13 +24,13 @@ func (l *Listener) Accept() (net.Conn, error) {
 	bufReader := std_bufio.NewReader(conn)
 	header, err := proxyproto.Read(bufReader)
 	if err != nil && !(l.AcceptNoHeader && err == proxyproto.ErrNoProxyProtocol) {
-		return nil, &Error{err}
+		return nil, err
 	}
 	if bufReader.Buffered() > 0 {
 		cache := buf.NewSize(bufReader.Buffered())
 		_, err = cache.ReadFullFrom(bufReader, cache.FreeLen())
 		if err != nil {
-			return nil, &Error{err}
+			return nil, err
 		}
 		conn = bufio.NewCachedConn(conn, cache)
 	}
@@ -42,21 +42,3 @@ func (l *Listener) Accept() (net.Conn, error) {
 	}
 	return conn, nil
 }
-
-var _ net.Error = (*Error)(nil)
-
-type Error struct {
-	error
-}
-
-func (e *Error) Unwrap() error {
-	return e.error
-}
-
-func (e *Error) Timeout() bool {
-	return false
-}
-
-func (e *Error) Temporary() bool {
-	return true
-}

common/settings/proxy_android.go

@@ -6,8 +6,8 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing/common"
 	F "github.com/sagernet/sing/common/format"
-	"github.com/sagernet/sing/common/shell"
 )
 
 var (
@@ -26,9 +26,9 @@ func init() {
 
 func runAndroidShell(name string, args ...string) error {
 	if !useRish {
-		return shell.Exec(name, args...).Attach().Run()
+		return common.Exec(name, args...).Attach().Run()
 	} else {
-		return shell.Exec("sh", rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+		return common.Exec("sh", rishPath, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
 	}
 }
 

common/settings/proxy_darwin.go

@@ -6,9 +6,9 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-tun"
+	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
-	"github.com/sagernet/sing/common/shell"
 	"github.com/sagernet/sing/common/x/list"
 )
 
@@ -34,13 +34,13 @@ func (p *systemProxy) update(event int) error {
 		return err
 	}
 	if p.isMixed {
-		err = shell.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+		err = common.Exec("networksetup", "-setsocksfirewallproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
 	}
 	if err == nil {
-		err = shell.Exec("networksetup", "-setwebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+		err = common.Exec("networksetup", "-setwebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
 	}
 	if err == nil {
-		err = shell.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
+		err = common.Exec("networksetup", "-setsecurewebproxy", interfaceDisplayName, "127.0.0.1", F.ToString(p.port)).Attach().Run()
 	}
 	return err
 }
@@ -51,19 +51,19 @@ func (p *systemProxy) unset() error {
 		return err
 	}
 	if p.isMixed {
-		err = shell.Exec("networksetup", "-setsocksfirewallproxystate", interfaceDisplayName, "off").Attach().Run()
+		err = common.Exec("networksetup", "-setsocksfirewallproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
 	if err == nil {
-		err = shell.Exec("networksetup", "-setwebproxystate", interfaceDisplayName, "off").Attach().Run()
+		err = common.Exec("networksetup", "-setwebproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
 	if err == nil {
-		err = shell.Exec("networksetup", "-setsecurewebproxystate", interfaceDisplayName, "off").Attach().Run()
+		err = common.Exec("networksetup", "-setsecurewebproxystate", interfaceDisplayName, "off").Attach().Run()
 	}
 	return err
 }
 
 func getInterfaceDisplayName(name string) (string, error) {
-	content, err := shell.Exec("networksetup", "-listallhardwareports").ReadOutput()
+	content, err := common.Exec("networksetup", "-listallhardwareports").Read()
 	if err != nil {
 		return "", err
 	}

common/settings/proxy_linux.go

@@ -11,7 +11,6 @@ import (
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
-	"github.com/sagernet/sing/common/shell"
 )
 
 var (
@@ -28,9 +27,9 @@ func init() {
 
 func runAsUser(name string, args ...string) error {
 	if os.Getuid() != 0 {
-		return shell.Exec(name, args...).Attach().Run()
+		return common.Exec(name, args...).Attach().Run()
 	} else if sudoUser != "" {
-		return shell.Exec("su", "-", sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
+		return common.Exec("su", "-", sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
 	} else {
 		return E.New("set system proxy: unable to set as root")
 	}

common/tls/client.go

@@ -2,15 +2,16 @@ package tls
 
 import (
 	"context"
+	"crypto/tls"
 	"net"
 	"os"
 
 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/badtls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
-	aTLS "github.com/sagernet/sing/common/tls"
 )
 
 func NewDialerFromOptions(router adapter.Router, dialer N.Dialer, serverAddress string, options option.OutboundTLSOptions) (N.Dialer, error) {
@@ -30,19 +31,29 @@ func NewClient(router adapter.Router, serverAddress string, options option.Outbo
 	}
 	if options.ECH != nil && options.ECH.Enabled {
 		return NewECHClient(router, serverAddress, options)
-	} else if options.Reality != nil && options.Reality.Enabled {
-		return NewRealityClient(router, serverAddress, options)
 	} else if options.UTLS != nil && options.UTLS.Enabled {
 		return NewUTLSClient(router, serverAddress, options)
 	} else {
-		return NewSTDClient(router, serverAddress, options)
+		return NewSTDClient(serverAddress, options)
 	}
 }
 
 func ClientHandshake(ctx context.Context, conn net.Conn, config Config) (Conn, error) {
+	tlsConn := config.Client(conn)
 	ctx, cancel := context.WithTimeout(ctx, C.TCPTimeout)
 	defer cancel()
-	return aTLS.ClientHandshake(ctx, conn, config)
+	err := tlsConn.HandshakeContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+	if stdConn, isSTD := tlsConn.(*tls.Conn); isSTD {
+		var badConn badtls.TLSConn
+		badConn, err = badtls.Create(stdConn)
+		if err == nil {
+			return badConn, nil
+		}
+	}
+	return tlsConn, nil
 }
 
 type Dialer struct {

common/tls/config.go

@@ -1,25 +1,41 @@
 package tls
 
 import (
+	"context"
 	"crypto/tls"
+	"net"
 
+	"github.com/sagernet/sing-box/adapter"
 	E "github.com/sagernet/sing/common/exceptions"
-	aTLS "github.com/sagernet/sing/common/tls"
 )
 
 type (
-	Config                 = aTLS.Config
-	ConfigCompat           = aTLS.ConfigCompat
-	ServerConfig           = aTLS.ServerConfig
-	ServerConfigCompat     = aTLS.ServerConfigCompat
-	WithSessionIDGenerator = aTLS.WithSessionIDGenerator
-	Conn                   = aTLS.Conn
-
-	STDConfig       = tls.Config
-	STDConn         = tls.Conn
-	ConnectionState = tls.ConnectionState
+	STDConfig = tls.Config
+	STDConn   = tls.Conn
 )
 
+type Config interface {
+	ServerName() string
+	SetServerName(serverName string)
+	NextProtos() []string
+	SetNextProtos(nextProto []string)
+	Config() (*STDConfig, error)
+	Client(conn net.Conn) Conn
+	Clone() Config
+}
+
+type ServerConfig interface {
+	Config
+	adapter.Service
+	Server(conn net.Conn) Conn
+}
+
+type Conn interface {
+	net.Conn
+	HandshakeContext(ctx context.Context) error
+	ConnectionState() tls.ConnectionState
+}
+
 func ParseTLSVersion(version string) (uint16, error) {
 	switch version {
 	case "1.0":

common/tls/ech_client.go

@@ -44,8 +44,8 @@ func (e *ECHClientConfig) Config() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for ECH")
 }
 
-func (e *ECHClientConfig) Client(conn net.Conn) (Conn, error) {
-	return &echConnWrapper{cftls.Client(conn, e.config)}, nil
+func (e *ECHClientConfig) Client(conn net.Conn) Conn {
+	return &echConnWrapper{cftls.Client(conn, e.config)}
 }
 
 func (e *ECHClientConfig) Clone() Config {
@@ -76,10 +76,6 @@ func (c *echConnWrapper) ConnectionState() tls.ConnectionState {
 	}
 }
 
-func (c *echConnWrapper) Upstream() any {
-	return c.Conn
-}
-
 func NewECHClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
@@ -94,7 +90,6 @@ func NewECHClient(router adapter.Router, serverAddress string, options option.Ou
 	}
 
 	var tlsConfig cftls.Config
-	tlsConfig.Time = router.TimeFunc()
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {

common/tls/mkcert.go

@@ -11,10 +11,7 @@ import (
 	"time"
 )
 
-func GenerateKeyPair(timeFunc func() time.Time, serverName string) (*tls.Certificate, error) {
-	if timeFunc == nil {
-		timeFunc = time.Now
-	}
+func GenerateKeyPair(serverName string) (*tls.Certificate, error) {
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		return nil, err
@@ -25,8 +22,8 @@ func GenerateKeyPair(timeFunc func() time.Time, serverName string) (*tls.Certifi
 	}
 	template := &x509.Certificate{
 		SerialNumber:          serialNumber,
-		NotBefore:             timeFunc().Add(time.Hour * -1),
-		NotAfter:              timeFunc().Add(time.Hour),
+		NotBefore:             time.Now().Add(time.Hour * -1),
+		NotAfter:              time.Now().Add(time.Hour),
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,

common/tls/reality_client.go

@@ -1,231 +0,0 @@
-//go:build with_utls
-
-package tls
-
-import (
-	"bytes"
-	"context"
-	"crypto/aes"
-	"crypto/cipher"
-	"crypto/ed25519"
-	"crypto/hmac"
-	"crypto/sha256"
-	"crypto/sha512"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/binary"
-	"encoding/hex"
-	"fmt"
-	"io"
-	mRand "math/rand"
-	"net"
-	"net/http"
-	"reflect"
-	"strings"
-	"time"
-	"unsafe"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common/debug"
-	E "github.com/sagernet/sing/common/exceptions"
-	aTLS "github.com/sagernet/sing/common/tls"
-	utls "github.com/sagernet/utls"
-
-	"golang.org/x/crypto/hkdf"
-	"golang.org/x/net/http2"
-)
-
-var _ ConfigCompat = (*RealityClientConfig)(nil)
-
-type RealityClientConfig struct {
-	uClient   *UTLSClientConfig
-	publicKey []byte
-	shortID   [8]byte
-}
-
-func NewRealityClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (*RealityClientConfig, error) {
-	if options.UTLS == nil || !options.UTLS.Enabled {
-		return nil, E.New("uTLS is required by reality client")
-	}
-
-	uClient, err := NewUTLSClient(router, serverAddress, options)
-	if err != nil {
-		return nil, err
-	}
-
-	publicKey, err := base64.RawURLEncoding.DecodeString(options.Reality.PublicKey)
-	if err != nil {
-		return nil, E.Cause(err, "decode public_key")
-	}
-	if len(publicKey) != 32 {
-		return nil, E.New("invalid public_key")
-	}
-	var shortID [8]byte
-	decodedLen, err := hex.Decode(shortID[:], []byte(options.Reality.ShortID))
-	if err != nil {
-		return nil, E.Cause(err, "decode short_id")
-	}
-	if decodedLen > 8 {
-		return nil, E.New("invalid short_id")
-	}
-	return &RealityClientConfig{uClient, publicKey, shortID}, nil
-}
-
-func (e *RealityClientConfig) ServerName() string {
-	return e.uClient.ServerName()
-}
-
-func (e *RealityClientConfig) SetServerName(serverName string) {
-	e.uClient.SetServerName(serverName)
-}
-
-func (e *RealityClientConfig) NextProtos() []string {
-	return e.uClient.NextProtos()
-}
-
-func (e *RealityClientConfig) SetNextProtos(nextProto []string) {
-	e.uClient.SetNextProtos(nextProto)
-}
-
-func (e *RealityClientConfig) Config() (*STDConfig, error) {
-	return nil, E.New("unsupported usage for reality")
-}
-
-func (e *RealityClientConfig) Client(conn net.Conn) (Conn, error) {
-	return ClientHandshake(context.Background(), conn, e)
-}
-
-func (e *RealityClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
-	verifier := &realityVerifier{
-		serverName: e.uClient.ServerName(),
-	}
-	uConfig := e.uClient.config.Clone()
-	uConfig.InsecureSkipVerify = true
-	uConfig.SessionTicketsDisabled = true
-	uConfig.VerifyPeerCertificate = verifier.VerifyPeerCertificate
-	uConn := utls.UClient(conn, uConfig, e.uClient.id)
-	verifier.UConn = uConn
-	err := uConn.BuildHandshakeState()
-	if err != nil {
-		return nil, err
-	}
-	hello := uConn.HandshakeState.Hello
-	hello.SessionId = make([]byte, 32)
-	copy(hello.Raw[39:], hello.SessionId)
-
-	var nowTime time.Time
-	if uConfig.Time != nil {
-		nowTime = uConfig.Time()
-	} else {
-		nowTime = time.Now()
-	}
-	binary.BigEndian.PutUint64(hello.SessionId, uint64(nowTime.Unix()))
-
-	hello.SessionId[0] = 1
-	hello.SessionId[1] = 7
-	hello.SessionId[2] = 5
-	copy(hello.SessionId[8:], e.shortID[:])
-
-	if debug.Enabled {
-		fmt.Printf("REALITY hello.sessionId[:16]: %v\n", hello.SessionId[:16])
-	}
-
-	authKey := uConn.HandshakeState.State13.EcdheParams.SharedKey(e.publicKey)
-	if authKey == nil {
-		return nil, E.New("nil auth_key")
-	}
-	verifier.authKey = authKey
-	_, err = hkdf.New(sha256.New, authKey, hello.Random[:20], []byte("REALITY")).Read(authKey)
-	if err != nil {
-		return nil, err
-	}
-	aesBlock, _ := aes.NewCipher(authKey)
-	aesGcmCipher, _ := cipher.NewGCM(aesBlock)
-	aesGcmCipher.Seal(hello.SessionId[:0], hello.Random[20:], hello.SessionId[:16], hello.Raw)
-	copy(hello.Raw[39:], hello.SessionId)
-	if debug.Enabled {
-		fmt.Printf("REALITY hello.sessionId: %v\n", hello.SessionId)
-		fmt.Printf("REALITY uConn.AuthKey: %v\n", authKey)
-	}
-
-	err = uConn.HandshakeContext(ctx)
-	if err != nil {
-		return nil, err
-	}
-
-	if debug.Enabled {
-		fmt.Printf("REALITY Conn.Verified: %v\n", verifier.verified)
-	}
-
-	if !verifier.verified {
-		go realityClientFallback(uConn, e.uClient.ServerName(), e.uClient.id)
-		return nil, E.New("reality verification failed")
-	}
-
-	return &utlsConnWrapper{uConn}, nil
-}
-
-func realityClientFallback(uConn net.Conn, serverName string, fingerprint utls.ClientHelloID) {
-	defer uConn.Close()
-	client := &http.Client{
-		Transport: &http2.Transport{
-			DialTLSContext: func(ctx context.Context, network, addr string, config *tls.Config) (net.Conn, error) {
-				return uConn, nil
-			},
-		},
-	}
-	request, _ := http.NewRequest("GET", "https://"+serverName, nil)
-	request.Header.Set("User-Agent", fingerprint.Client)
-	request.AddCookie(&http.Cookie{Name: "padding", Value: strings.Repeat("0", mRand.Intn(32)+30)})
-	response, err := client.Do(request)
-	if err != nil {
-		return
-	}
-	_, _ = io.Copy(io.Discard, response.Body)
-	response.Body.Close()
-}
-
-func (e *RealityClientConfig) SetSessionIDGenerator(generator func(clientHello []byte, sessionID []byte) error) {
-	e.uClient.config.SessionIDGenerator = generator
-}
-
-func (e *RealityClientConfig) Clone() Config {
-	return &RealityClientConfig{
-		e.uClient.Clone().(*UTLSClientConfig),
-		e.publicKey,
-		e.shortID,
-	}
-}
-
-type realityVerifier struct {
-	*utls.UConn
-	serverName string
-	authKey    []byte
-	verified   bool
-}
-
-func (c *realityVerifier) VerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-	p, _ := reflect.TypeOf(c.Conn).Elem().FieldByName("peerCertificates")
-	certs := *(*([]*x509.Certificate))(unsafe.Pointer(uintptr(unsafe.Pointer(c.Conn)) + p.Offset))
-	if pub, ok := certs[0].PublicKey.(ed25519.PublicKey); ok {
-		h := hmac.New(sha512.New, c.authKey)
-		h.Write(pub)
-		if bytes.Equal(h.Sum(nil), certs[0].Signature) {
-			c.verified = true
-			return nil
-		}
-	}
-	opts := x509.VerifyOptions{
-		DNSName:       c.serverName,
-		Intermediates: x509.NewCertPool(),
-	}
-	for _, cert := range certs[1:] {
-		opts.Intermediates.AddCert(cert)
-	}
-	if _, err := certs[0].Verify(opts); err != nil {
-		return err
-	}
-	return nil
-}

common/tls/reality_server.go

@@ -1,192 +0,0 @@
-//go:build with_reality_server
-
-package tls
-
-import (
-	"context"
-	"crypto/tls"
-	"encoding/base64"
-	"encoding/hex"
-	"net"
-	"time"
-
-	"github.com/sagernet/reality"
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/dialer"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing/common/debug"
-	E "github.com/sagernet/sing/common/exceptions"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-var _ ServerConfigCompat = (*RealityServerConfig)(nil)
-
-type RealityServerConfig struct {
-	config *reality.Config
-}
-
-func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (*RealityServerConfig, error) {
-	var tlsConfig reality.Config
-
-	if options.ACME != nil && len(options.ACME.Domain) > 0 {
-		return nil, E.New("acme is unavailable in reality")
-	}
-	tlsConfig.Time = router.TimeFunc()
-	if options.ServerName != "" {
-		tlsConfig.ServerName = options.ServerName
-	}
-	if len(options.ALPN) > 0 {
-		tlsConfig.NextProtos = append(tlsConfig.NextProtos, options.ALPN...)
-	}
-	if options.MinVersion != "" {
-		minVersion, err := ParseTLSVersion(options.MinVersion)
-		if err != nil {
-			return nil, E.Cause(err, "parse min_version")
-		}
-		tlsConfig.MinVersion = minVersion
-	}
-	if options.MaxVersion != "" {
-		maxVersion, err := ParseTLSVersion(options.MaxVersion)
-		if err != nil {
-			return nil, E.Cause(err, "parse max_version")
-		}
-		tlsConfig.MaxVersion = maxVersion
-	}
-	if options.CipherSuites != nil {
-	find:
-		for _, cipherSuite := range options.CipherSuites {
-			for _, tlsCipherSuite := range tls.CipherSuites() {
-				if cipherSuite == tlsCipherSuite.Name {
-					tlsConfig.CipherSuites = append(tlsConfig.CipherSuites, tlsCipherSuite.ID)
-					continue find
-				}
-			}
-			return nil, E.New("unknown cipher_suite: ", cipherSuite)
-		}
-	}
-	if options.Certificate != "" || options.CertificatePath != "" {
-		return nil, E.New("certificate is unavailable in reality")
-	}
-	if options.Key != "" || options.KeyPath != "" {
-		return nil, E.New("key is unavailable in reality")
-	}
-
-	tlsConfig.SessionTicketsDisabled = true
-	tlsConfig.Type = N.NetworkTCP
-	tlsConfig.Dest = options.Reality.Handshake.ServerOptions.Build().String()
-
-	tlsConfig.ServerNames = map[string]bool{options.ServerName: true}
-	privateKey, err := base64.RawURLEncoding.DecodeString(options.Reality.PrivateKey)
-	if err != nil {
-		return nil, E.Cause(err, "decode private key")
-	}
-	if len(privateKey) != 32 {
-		return nil, E.New("invalid private key")
-	}
-	tlsConfig.PrivateKey = privateKey
-	tlsConfig.MaxTimeDiff = time.Duration(options.Reality.MaxTimeDifference)
-
-	tlsConfig.ShortIds = make(map[[8]byte]bool)
-	for i, shortIDString := range options.Reality.ShortID {
-		var shortID [8]byte
-		decodedLen, err := hex.Decode(shortID[:], []byte(shortIDString))
-		if err != nil {
-			return nil, E.Cause(err, "decode short_id[", i, "]: ", shortIDString)
-		}
-		if decodedLen > 8 {
-			return nil, E.New("invalid short_id[", i, "]: ", shortIDString)
-		}
-		tlsConfig.ShortIds[shortID] = true
-	}
-
-	handshakeDialer := dialer.New(router, options.Reality.Handshake.DialerOptions)
-	tlsConfig.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
-		return handshakeDialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
-	}
-
-	if debug.Enabled {
-		tlsConfig.Show = true
-	}
-
-	return &RealityServerConfig{&tlsConfig}, nil
-}
-
-func (c *RealityServerConfig) ServerName() string {
-	return c.config.ServerName
-}
-
-func (c *RealityServerConfig) SetServerName(serverName string) {
-	c.config.ServerName = serverName
-}
-
-func (c *RealityServerConfig) NextProtos() []string {
-	return c.config.NextProtos
-}
-
-func (c *RealityServerConfig) SetNextProtos(nextProto []string) {
-	c.config.NextProtos = nextProto
-}
-
-func (c *RealityServerConfig) Config() (*tls.Config, error) {
-	return nil, E.New("unsupported usage for reality")
-}
-
-func (c *RealityServerConfig) Client(conn net.Conn) (Conn, error) {
-	return ClientHandshake(context.Background(), conn, c)
-}
-
-func (c *RealityServerConfig) Start() error {
-	return nil
-}
-
-func (c *RealityServerConfig) Close() error {
-	return nil
-}
-
-func (c *RealityServerConfig) Server(conn net.Conn) (Conn, error) {
-	return ServerHandshake(context.Background(), conn, c)
-}
-
-func (c *RealityServerConfig) ServerHandshake(ctx context.Context, conn net.Conn) (Conn, error) {
-	tlsConn, err := reality.Server(ctx, conn, c.config)
-	if err != nil {
-		return nil, err
-	}
-	return &realityConnWrapper{Conn: tlsConn}, nil
-}
-
-func (c *RealityServerConfig) Clone() Config {
-	return &RealityServerConfig{
-		config: c.config.Clone(),
-	}
-}
-
-var _ Conn = (*realityConnWrapper)(nil)
-
-type realityConnWrapper struct {
-	*reality.Conn
-}
-
-func (c *realityConnWrapper) ConnectionState() ConnectionState {
-	state := c.Conn.ConnectionState()
-	return tls.ConnectionState{
-		Version:                     state.Version,
-		HandshakeComplete:           state.HandshakeComplete,
-		DidResume:                   state.DidResume,
-		CipherSuite:                 state.CipherSuite,
-		NegotiatedProtocol:          state.NegotiatedProtocol,
-		NegotiatedProtocolIsMutual:  state.NegotiatedProtocolIsMutual,
-		ServerName:                  state.ServerName,
-		PeerCertificates:            state.PeerCertificates,
-		VerifiedChains:              state.VerifiedChains,
-		SignedCertificateTimestamps: state.SignedCertificateTimestamps,
-		OCSPResponse:                state.OCSPResponse,
-		TLSUnique:                   state.TLSUnique,
-	}
-}
-
-func (c *realityConnWrapper) Upstream() any {
-	return c.Conn
-}

common/tls/reality_stub.go

@@ -1,16 +0,0 @@
-//go:build !with_reality_server
-
-package tls
-
-import (
-	"context"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-func NewRealityServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
-	return nil, E.New(`reality server is not included in this build, rebuild with -tags with_reality_server`)
-}

common/tls/server.go

@@ -2,28 +2,36 @@ package tls
 
 import (
 	"context"
+	"crypto/tls"
 	"net"
 
-	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/badtls"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	aTLS "github.com/sagernet/sing/common/tls"
 )
 
-func NewServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+func NewServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
-	if options.Reality != nil && options.Reality.Enabled {
-		return NewRealityServer(ctx, router, logger, options)
-	} else {
-		return NewSTDServer(ctx, router, logger, options)
-	}
+	return NewSTDServer(ctx, logger, options)
 }
 
 func ServerHandshake(ctx context.Context, conn net.Conn, config ServerConfig) (Conn, error) {
+	tlsConn := config.Server(conn)
 	ctx, cancel := context.WithTimeout(ctx, C.TCPTimeout)
 	defer cancel()
-	return aTLS.ServerHandshake(ctx, conn, config)
+	err := tlsConn.HandshakeContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+	if stdConn, isSTD := tlsConn.(*tls.Conn); isSTD {
+		var badConn badtls.TLSConn
+		badConn, err = badtls.Create(stdConn)
+		if err == nil {
+			return badConn, nil
+		}
+	}
+	return tlsConn, nil
 }

common/tls/std_client.go

@@ -7,7 +7,6 @@ import (
 	"net/netip"
 	"os"
 
-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 )
@@ -36,15 +35,15 @@ func (s *STDClientConfig) Config() (*STDConfig, error) {
 	return s.config, nil
 }
 
-func (s *STDClientConfig) Client(conn net.Conn) (Conn, error) {
-	return tls.Client(conn, s.config), nil
+func (s *STDClientConfig) Client(conn net.Conn) Conn {
+	return tls.Client(conn, s.config)
 }
 
 func (s *STDClientConfig) Clone() Config {
 	return &STDClientConfig{s.config.Clone()}
 }
 
-func NewSTDClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewSTDClient(serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -58,7 +57,6 @@ func NewSTDClient(router adapter.Router, serverAddress string, options option.Ou
 	}
 
 	var tlsConfig tls.Config
-	tlsConfig.Time = router.TimeFunc()
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {

common/tls/std_server.go

@@ -48,12 +48,12 @@ func (c *STDServerConfig) Config() (*STDConfig, error) {
 	return c.config, nil
 }
 
-func (c *STDServerConfig) Client(conn net.Conn) (Conn, error) {
-	return tls.Client(conn, c.config), nil
+func (c *STDServerConfig) Client(conn net.Conn) Conn {
+	return tls.Client(conn, c.config)
 }
 
-func (c *STDServerConfig) Server(conn net.Conn) (Conn, error) {
-	return tls.Server(conn, c.config), nil
+func (c *STDServerConfig) Server(conn net.Conn) Conn {
+	return tls.Server(conn, c.config)
 }
 
 func (c *STDServerConfig) Clone() Config {
@@ -156,7 +156,7 @@ func (c *STDServerConfig) Close() error {
 	return nil
 }
 
-func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
+func NewSTDServer(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (ServerConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
@@ -175,7 +175,6 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
 	} else {
 		tlsConfig = &tls.Config{}
 	}
-	tlsConfig.Time = router.TimeFunc()
 	if options.ServerName != "" {
 		tlsConfig.ServerName = options.ServerName
 	}
@@ -231,7 +230,7 @@ func NewSTDServer(ctx context.Context, router adapter.Router, logger log.Logger,
 		}
 		if certificate == nil && key == nil && options.Insecure {
 			tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
-				return GenerateKeyPair(router.TimeFunc(), info.ServerName)
+				return GenerateKeyPair(info.ServerName)
 			}
 		} else {
 			if certificate == nil {

common/tls/utls_client.go

@@ -5,7 +5,6 @@ package tls
 import (
 	"crypto/tls"
 	"crypto/x509"
-	"math/rand"
 	"net"
 	"net/netip"
 	"os"
@@ -13,9 +12,8 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
-	utls "github.com/sagernet/utls"
 
-	"golang.org/x/net/http2"
+	utls "github.com/refraction-networking/utls"
 )
 
 type UTLSClientConfig struct {
@@ -36,9 +34,6 @@ func (e *UTLSClientConfig) NextProtos() []string {
 }
 
 func (e *UTLSClientConfig) SetNextProtos(nextProto []string) {
-	if len(nextProto) == 1 && nextProto[0] == http2.NextProtoTLS {
-		nextProto = append(nextProto, "http/1.1")
-	}
 	e.config.NextProtos = nextProto
 }
 
@@ -46,19 +41,8 @@ func (e *UTLSClientConfig) Config() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for uTLS")
 }
 
-func (e *UTLSClientConfig) Client(conn net.Conn) (Conn, error) {
-	return &utlsConnWrapper{utls.UClient(conn, e.config.Clone(), e.id)}, nil
-}
-
-func (e *UTLSClientConfig) SetSessionIDGenerator(generator func(clientHello []byte, sessionID []byte) error) {
-	e.config.SessionIDGenerator = generator
-}
-
-func (e *UTLSClientConfig) Clone() Config {
-	return &UTLSClientConfig{
-		config: e.config.Clone(),
-		id:     e.id,
-	}
+func (e *UTLSClientConfig) Client(conn net.Conn) Conn {
+	return &utlsConnWrapper{utls.UClient(conn, e.config.Clone(), e.id)}
 }
 
 type utlsConnWrapper struct {
@@ -83,11 +67,14 @@ func (c *utlsConnWrapper) ConnectionState() tls.ConnectionState {
 	}
 }
 
-func (c *utlsConnWrapper) Upstream() any {
-	return c.UConn
+func (e *UTLSClientConfig) Clone() Config {
+	return &UTLSClientConfig{
+		config: e.config.Clone(),
+		id:     e.id,
+	}
 }
 
-func NewUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (*UTLSClientConfig, error) {
+func NewUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
@@ -101,7 +88,6 @@ func NewUTLSClient(router adapter.Router, serverAddress string, options option.O
 	}
 
 	var tlsConfig utls.Config
-	tlsConfig.Time = router.TimeFunc()
 	if options.DisableSNI {
 		tlsConfig.ServerName = "127.0.0.1"
 	} else {
@@ -158,59 +144,28 @@ func NewUTLSClient(router adapter.Router, serverAddress string, options option.O
 		}
 		tlsConfig.RootCAs = certPool
 	}
-	id, err := uTLSClientHelloID(options.UTLS.Fingerprint)
-	if err != nil {
-		return nil, err
+	var id utls.ClientHelloID
+	switch options.UTLS.Fingerprint {
+	case "chrome", "":
+		id = utls.HelloChrome_Auto
+	case "firefox":
+		id = utls.HelloFirefox_Auto
+	case "edge":
+		id = utls.HelloEdge_Auto
+	case "safari":
+		id = utls.HelloSafari_Auto
+	case "360":
+		id = utls.Hello360_Auto
+	case "qq":
+		id = utls.HelloQQ_Auto
+	case "ios":
+		id = utls.HelloIOS_Auto
+	case "android":
+		id = utls.HelloAndroid_11_OkHttp
+	case "random":
+		id = utls.HelloRandomized
+	default:
+		return nil, E.New("unknown uTLS fingerprint: ", options.UTLS.Fingerprint)
 	}
 	return &UTLSClientConfig{&tlsConfig, id}, nil
 }
-
-var (
-	randomFingerprint     utls.ClientHelloID
-	randomizedFingerprint utls.ClientHelloID
-)
-
-func init() {
-	modernFingerprints := []utls.ClientHelloID{
-		utls.HelloChrome_Auto,
-		utls.HelloFirefox_Auto,
-		utls.HelloEdge_Auto,
-		utls.HelloSafari_Auto,
-		utls.HelloIOS_Auto,
-	}
-	randomFingerprint = modernFingerprints[rand.Intn(len(modernFingerprints))]
-
-	weights := utls.DefaultWeights
-	weights.TLSVersMax_Set_VersionTLS13 = 1
-	weights.FirstKeyShare_Set_CurveP256 = 0
-	randomizedFingerprint = utls.HelloRandomized
-	randomizedFingerprint.Seed, _ = utls.NewPRNGSeed()
-	randomizedFingerprint.Weights = &weights
-}
-
-func uTLSClientHelloID(name string) (utls.ClientHelloID, error) {
-	switch name {
-	case "chrome", "":
-		return utls.HelloChrome_Auto, nil
-	case "firefox":
-		return utls.HelloFirefox_Auto, nil
-	case "edge":
-		return utls.HelloEdge_Auto, nil
-	case "safari":
-		return utls.HelloSafari_Auto, nil
-	case "360":
-		return utls.Hello360_Auto, nil
-	case "qq":
-		return utls.HelloQQ_Auto, nil
-	case "ios":
-		return utls.HelloIOS_Auto, nil
-	case "android":
-		return utls.HelloAndroid_11_OkHttp, nil
-	case "random":
-		return randomFingerprint, nil
-	case "randomized":
-		return randomizedFingerprint, nil
-	default:
-		return utls.ClientHelloID{}, E.New("unknown uTLS fingerprint: ", name)
-	}
-}

common/tls/utls_stub.go

@@ -11,7 +11,3 @@ import (
 func NewUTLSClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
 	return nil, E.New(`uTLS is not included in this build, rebuild with -tags with_utls`)
 }
-
-func NewRealityClient(router adapter.Router, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
-	return nil, E.New(`uTLS, which is required by reality client is not included in this build, rebuild with -tags with_utls`)
-}

constant/dhcp.go

@@ -1,8 +0,0 @@
-package constant
-
-import "time"
-
-const (
-	DHCPTTL     = time.Hour
-	DHCPTimeout = time.Minute
-)

constant/path.go

@@ -3,28 +3,13 @@ package constant
 import (
 	"os"
 	"path/filepath"
-	"strings"
 
 	"github.com/sagernet/sing/common/rw"
 )
 
 const dirName = "sing-box"
 
-var (
-	basePath      string
-	resourcePaths []string
-)
-
-func BasePath(name string) string {
-	if basePath == "" || strings.HasPrefix(name, "/") {
-		return name
-	}
-	return filepath.Join(basePath, name)
-}
-
-func SetBasePath(path string) {
-	basePath = path
-}
+var resourcePaths []string
 
 func FindPath(name string) (string, bool) {
 	name = os.ExpandEnv(name)

constant/version.go

@@ -1,3 +1,3 @@
 package constant
 
-var Version = "unknown"
+var Version = "1.1.6"

docs/assets/icon.svg

@@ -1,37 +0,0 @@
-<svg width="1027" height="1109" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" overflow="hidden">
-  <defs>
-    <filter id="fx0" x="-10%" y="-10%" width="120%" height="120%" filterUnits="userSpaceOnUse" primitiveUnits="userSpaceOnUse">
-      <feComponentTransfer color-interpolation-filters="sRGB">
-        <feFuncR type="discrete" tableValues="0 0" />
-          <feFuncG type="discrete" tableValues="0 0" />
-          <feFuncB type="discrete" tableValues="0 0" />
-          <feFuncA type="linear" slope="0.4" intercept="0" />
-      </feComponentTransfer>
-        <feGaussianBlur stdDeviation="4.58333 4.58333" />
-    </filter>
-      <clipPath id="clip1">
-      <rect x="692" y="855" width="1027" height="1109" />
-    </clipPath>
-      <clipPath id="clip2">
-      <rect x="-2" y="-2" width="541" height="786" />
-    </clipPath>
-      <clipPath id="clip3">
-      <rect x="0" y="0" width="535" height="782" />
-    </clipPath>
-  </defs>
-    <g clip-path="url(#clip1)" transform="translate(-692 -855)">
-    <path d="M692 1191 692 1575.69C692 1640.41 731.499 1651.19 731.499 1651.19L1148.03 1931.62C1212.66 1974.77 1194.71 1881.29 1194.71 1881.29L1194.71 1528.96 692 1191Z" fill="#37474F" fill-rule="evenodd" />
-        <g clip-path="url(#clip2)" filter="url(#fx0)" transform="translate(1184 1182)">
-      <g clip-path="url(#clip3)">
-        <path d="M520.482 15.4819 520.482 400.176C520.482 464.89 480.983 475.676 480.983 475.676 480.983 475.676 129.086 712.963 64.4523 756.106-0.181814 799.25 17.7721 705.773 17.7721 705.773L17.7721 353.437 520.482 15.4819Z" fill="#455A64" fill-rule="evenodd" />
-      </g>
-    </g>
-        <path d="M1698 1191 1698 1575.69C1698 1640.41 1658.5 1651.19 1658.5 1651.19 1658.5 1651.19 1306.6 1888.48 1241.97 1931.62 1177.34 1974.77 1195.29 1881.29 1195.29 1881.29L1195.29 1528.96 1698 1191Z" fill="#455A64" fill-rule="evenodd" />
-        <path d="M1241.71 868.473C1212.96 850.509 1169.85 850.509 1144.7 868.473L713.557 1163.07C684.814 1181.04 684.814 1213.37 713.557 1231.33L1144.7 1529.53C1173.44 1547.49 1216.56 1547.49 1241.71 1529.53L1676.44 1227.74C1705.19 1209.78 1705.19 1177.44 1676.44 1159.48L1241.71 868.473Z" fill="#546E7A" fill-rule="evenodd" />
-        <path d="M1195 1949C1173.4 1949 1159 1935.19 1159 1917.92L1159 1531.08C1159 1513.82 1173.4 1500 1195 1500 1216.6 1500 1231 1513.82 1231 1531.08L1231 1914.46C1231 1935.19 1216.6 1949 1195 1949Z" fill="#546E7A" fill-rule="evenodd" />
-        <path d="M1553.92 1435.92C1553.92 1471.89 1557.5 1486.27 1518.03 1511.45L1428.32 1568.99C1388.85 1594.17 1374.5 1572.59 1374.5 1540.22L1374.5 1446.71C1374.5 1439.52 1374.5 1435.92 1363.73 1428.73 1270.43 1363.99 911.591 1115.84 847 1069.09L1012.07 954C1058.72 982.772 1399.61 1209.35 1539.56 1306.45 1546.74 1310.05 1550.33 1317.24 1550.33 1320.84L1550.33 1435.92Z" fill="#99AAB5" fill-rule="evenodd" />
-        <path d="M1543.41 1310.21C1399.82 1213.17 1058.79 986.752 1015.72 958L951.103 997.534 847 1069.41C911.615 1116.14 1270.59 1360.53 1363.92 1425.22 1371.1 1428.81 1371.1 1432.41 1371.1 1436L1547 1313.8C1547 1313.8 1547 1310.21 1543.41 1310.21Z" fill="#CCD6DD" fill-rule="evenodd" />
-        <path d="M1554.9 1435.48 1554.9 1324.19C1554.9 1317.01 1551.3 1313.42 1544.11 1309.83 1400.28 1212.89 1058.67 986.721 1015.51 958L940 1008.26C1062.26 1090.83 1389.49 1306.24 1475.79 1367.27 1486.58 1374.45 1486.58 1381.63 1486.58 1385.22L1486.58 1536 1522.54 1510.87C1558.5 1485.74 1554.9 1467.79 1554.9 1435.48Z" fill="#CCD6DD" fill-rule="evenodd" />
-        <path d="M1543.23 1309.95C1399.6 1212.98 1058.49 986.731 1015.4 958L940 1008.28C1062.08 1090.88 1388.83 1306.36 1475.01 1367.41 1475.01 1367.41 1478.6 1371 1478.6 1371L1554 1317.13C1546.82 1313.54 1546.82 1309.95 1543.23 1309.95Z" fill="#E1E8ED" fill-rule="evenodd" />
-  </g>
-</svg>

docs/changelog.md

@@ -1,39 +1,3 @@
-#### 1.2-beta9
-
-* Introducing the [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp)
-* Add health check support for http-based v2ray transports
-* Remove length limit on short_id for reality TLS config
-* Fix bugs and update dependencies
-
-#### 1.2-beta8
-
-* Update reality and uTLS libraries
-* Fix `auto_detect_interface` incorrectly identifying the default interface on Windows
-
-#### 1.2-beta7
-
-* Fix the compatibility issue between VLESS's vision sub-protocol and the Xray-core client
-* Improve the stability of the VMESS server
-
-#### 1.2-beta6
-
-* Introducing our [new iOS client application](/installation/clients/sfi)
-* Add [platform options](/configuration/inbound/tun#platform) for tun inbound
-* Add custom TLS server support for http based v2ray transports
-* Add generate commands
-* Enable XUDP by default in VLESS
-* Update reality server
-* Update vision protocol
-* Fixed [user flow in vless server](/configuration/inbound/vless#usersflow)
-* Bug fixes
-* Update dependencies
-
-#### 1.2-beta5
-
-* Add [VLESS server](/configuration/inbound/vless) and [vision](/configuration/outbound/vless#flow) support
-* Add [reality TLS](/configuration/shared/tls) support
-* Fix match private address
-
 #### 1.1.6
 
 * Improve vmess request
@@ -44,37 +8,6 @@
 * Disable vmess header protection if transport enabled
 * Update QUIC v2 version number and initial salt
 
-#### 1.2-beta4
-
-* Add [NTP service](/configuration/ntp)
-* Add Add multiple server names and multi-user support for shadowtls
-* Add strict mode support for shadowtls v3
-* Add uTLS support for shadowtls v3
-
-#### 1.2-beta3
-
-* Update QUIC v2 version number and initial salt
-* Fix shadowtls v3 implementation
-
-#### 1.2-beta2
-
-* Add [ShadowTLS protocol v3](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-v3-en.md)
-* Add fallback support for v2ray transport
-* Fix parse hysteria UDP message
-* Fix socks connect response
-* Disable vmess header protection if transport enabled
-
-#### 1.2-beta1
-
-* Add [DHCP DNS server](/configuration/dns/server) support
-* Add SSH [host key validation](/configuration/outbound/ssh) support
-* Add [query_type](/configuration/dns/rule) DNS rule item
-* Add v2ray [user stats](/configuration/experimental#statsusers) api
-* Add new clash DNS query api
-* Improve vmess request
-* Fix ipv6 redirect on Linux
-* Fix match geoip private
-
 #### 1.1.5
 
 * Add Go 1.20 support
@@ -122,7 +55,7 @@ Important changes since 1.0:
 * Add VLESS outbound and XUDP
 * Skip wait for hysteria tcp handshake response
 * Add v2ray mux support for all inbound
-* Add XUDP support for VMess
+* Add XUDP support for VMess 
 * Improve websocket writer
 * Refine tproxy write back
 * Fix DNS leak caused by

docs/configuration/dns/rule.md

@@ -9,11 +9,6 @@
           "mixed-in"
         ],
         "ip_version": 6,
-        "query_type": [
-          "A",
-          "HTTPS",
-          32768
-        ],
         "network": "tcp",
         "auth_user": [
           "usera",
@@ -124,10 +119,6 @@ Tags of [Inbound](/configuration/inbound).
 
 Not limited if empty.
 
-#### query_type
-
-DNS query type. Values can be integers or type name strings.
-
 #### network
 
 `tcp` or `udp`.

docs/configuration/dns/rule.zh.md

@@ -9,11 +9,6 @@
           "mixed-in"
         ],
         "ip_version": 6,
-        "query_type": [
-          "A",
-          "HTTPS",
-          32768
-        ],
         "network": "tcp",
         "auth_user": [
           "usera",
@@ -123,10 +118,6 @@
 
 默认不限制。
 
-#### query_type
-
-DNS 查询类型。值可以为整数或者类型名称字符串。
-
 #### network
 
 `tcp` 或 `udp`。

docs/configuration/dns/server.md

@@ -30,17 +30,16 @@ The tag of the dns server.
 
 The address of the dns server.
 
-| Protocol | Format                        |
-|----------|-------------------------------|
-| `System` | `local`                       |
-| `TCP`    | `tcp://1.0.0.1`               |
-| `UDP`    | `8.8.8.8` `udp://8.8.4.4`     |
-| `TLS`    | `tls://dns.google`            |
-| `HTTPS`  | `https://1.1.1.1/dns-query`   |
-| `QUIC`   | `quic://dns.adguard.com`      |
-| `HTTP3`  | `h3://8.8.8.8/dns-query`      |
-| `RCode`  | `rcode://refused`             |
-| `DHCP`   | `dhcp://auto` or `dhcp://en0` |
+| Protocol | Format                      |
+|----------|-----------------------------|
+| `System` | `local`                     |
+| `TCP`    | `tcp://1.0.0.1`             |
+| `UDP`    | `8.8.8.8` `udp://8.8.4.4`   |
+| `TLS`    | `tls://dns.google`          |
+| `HTTPS`  | `https://1.1.1.1/dns-query` |
+| `QUIC`   | `quic://dns.adguard.com`    |
+| `HTTP3`  | `h3://8.8.8.8/dns-query`    |
+| `RCode`  | `rcode://refused`           |
 
 !!! warning ""
 
@@ -54,10 +53,6 @@ The address of the dns server.
 
     the RCode transport is often used to block queries. Use with rules and the `disable_cache` rule option.
 
-!!! warning ""
-
-    DHCP transport is not included by default, see [Installation](/#installation).
-
 | RCode             | Description           | 
 |-------------------|-----------------------|
 | `success`         | `No error`            |

docs/configuration/dns/server.zh.md

@@ -30,17 +30,16 @@ DNS 服务器的标签。
 
 DNS 服务器的地址。
 
-| 协议       | 格式                           |
-|----------|------------------------------|
-| `System` | `local`                      |
-| `TCP`    | `tcp://1.0.0.1`              |
-| `UDP`    | `8.8.8.8` `udp://8.8.4.4`    |
-| `TLS`    | `tls://dns.google`           |
-| `HTTPS`  | `https://1.1.1.1/dns-query`  |
-| `QUIC`   | `quic://dns.adguard.com`     |
-| `HTTP3`  | `h3://8.8.8.8/dns-query`     |
-| `RCode`  | `rcode://refused`            |
-| `DHCP`   | `dhcp://auto` 或 `dhcp://en0` |
+| 协议       | 格式                          |
+|----------|-----------------------------|
+| `System` | `local`                     |
+| `TCP`    | `tcp://1.0.0.1`             |
+| `UDP`    | `8.8.8.8` `udp://8.8.4.4`   |
+| `TLS`    | `tls://dns.google`          |
+| `HTTPS`  | `https://1.1.1.1/dns-query` |
+| `QUIC`   | `quic://dns.adguard.com`    |
+| `HTTP3`  | `h3://8.8.8.8/dns-query`    |
+| `RCode`  | `rcode://refused`           |
 
 !!! warning ""
 
@@ -54,10 +53,6 @@ DNS 服务器的地址。
 
     RCode 传输层传输层常用于屏蔽请求. 与 DNS 规则和 `disable_cache` 规则选项一起使用。
 
-!!! warning ""
-
-    默认安装不包含 DHCP 传输层，请参阅 [安装](/zh/#_2)。
-
 | RCode             | 描述       | 
 |-------------------|----------|
 | `success`         | `无错误`    |

docs/configuration/experimental/index.md

@@ -9,6 +9,7 @@
       "external_controller": "127.0.0.1:9090",
       "external_ui": "folder",
       "secret": "",
+      "direct_io": false,
       "default_mode": "rule",
       "store_selected": false,
       "cache_file": "cache.db"
@@ -17,15 +18,13 @@
       "listen": "127.0.0.1:8080",
       "stats": {
         "enabled": true,
+        "direct_io": false,
         "inbounds": [
           "socks-in"
         ],
         "outbounds": [
           "proxy",
           "direct"
-        ],
-        "users": [
-          "sekai"
         ]
       }
     }
@@ -59,6 +58,10 @@ Secret for the RESTful API (optional)
 Authenticate by spedifying HTTP header `Authorization: Bearer ${secret}`
 ALWAYS set a secret if RESTful API is listening on 0.0.0.0
 
+#### direct_io
+
+Allows lossless relays like splice without real-time traffic reporting.
+
 #### default_mode
 
 Default mode in clash, `rule` will be used if empty.
@@ -95,6 +98,10 @@ Traffic statistics service settings.
 
 Enable statistics service.
 
+#### stats.direct_io
+
+Allows lossless relays like splice without real-time traffic reporting.
+
 #### stats.inbounds
 
 Inbound list to count traffic.
@@ -102,7 +109,3 @@ Inbound list to count traffic.
 #### stats.outbounds
 
 Outbound list to count traffic.
-
-#### stats.users
-
-User list to count traffic.

docs/configuration/experimental/index.zh.md

@@ -9,6 +9,7 @@
       "external_controller": "127.0.0.1:9090",
       "external_ui": "folder",
       "secret": "",
+      "direct_io": false,
       "default_mode": "rule",
       "store_selected": false,
       "cache_file": "cache.db"
@@ -17,15 +18,13 @@
       "listen": "127.0.0.1:8080",
       "stats": {
         "enabled": true,
+        "direct_io": false,
         "inbounds": [
           "socks-in"
         ],
         "outbounds": [
           "proxy",
           "direct"
-        ],
-        "users": [
-          "sekai"
         ]
       }
     }
@@ -57,6 +56,10 @@ RESTful API 的密钥（可选）
 通过指定 HTTP 标头 `Authorization: Bearer ${secret}` 进行身份验证
 如果 RESTful API 正在监听 0.0.0.0，请始终设置一个密钥。
 
+#### direct_io
+
+允许像 splice 这样的没有实时流量报告的无损中继。
+
 #### default_mode
 
 Clash 中的默认模式，默认使用 `rule`。
@@ -93,6 +96,10 @@ gRPC API 监听地址。如果为空，则禁用 V2Ray API。
 
 启用统计服务。
 
+#### stats.direct_io
+
+允许像 splice 这样的没有实时流量报告的无损中继。
+
 #### stats.inbounds
 
 统计流量的入站列表。
@@ -100,7 +107,3 @@ gRPC API 监听地址。如果为空，则禁用 V2Ray API。
 #### stats.outbounds
 
 统计流量的出站列表。
-
-#### stats.users
-
-统计流量的用户列表。

docs/configuration/inbound/index.md

@@ -26,8 +26,6 @@
 | `trojan`      | [Trojan](./trojan)           | TCP        |
 | `naive`       | [Naive](./naive)             | X          |
 | `hysteria`    | [Hysteria](./hysteria)       | X          |
-| `shadowtls`   | [ShadowTLS](./shadowtls)     | TCP        |
-| `vless`       | [VLESS](./vless)             | TCP        |
 | `tun`         | [Tun](./tun)                 | X          |
 | `redirect`    | [Redirect](./redirect)       | X          |
 | `tproxy`      | [TProxy](./tproxy)           | X          |

docs/configuration/inbound/shadowsocks.md

@@ -77,11 +77,11 @@ Both if empty.
 
 ==Required==
 
-| Method        | Password Format                                |
-|---------------|------------------------------------------------|
-| none          | /                                              |
-| 2022 methods  | `sing-box generate rand --base64 <Key Length>` |
-| other methods | any string                                     |
+| Method        | Password Format                     |
+|---------------|-------------------------------------|
+| none          | /                                   |
+| 2022 methods  | `openssl rand -base64 <Key Length>` |
+| other methods | any string                          |
 
 ### Listen Fields
 

docs/configuration/inbound/shadowsocks.zh.md

@@ -77,8 +77,8 @@ See [Listen Fields](/configuration/shared/listen) for details.
 
 ==必填==
 
-| 方法            | 密码格式                                     |
-|---------------|------------------------------------------|
-| none          | /                                        |
-| 2022 methods  | `sing-box generate rand --base64 <密钥长度>` |
-| other methods | 任意字符串                                    |
+| 方法            | 密码格式                          |
+|---------------|-------------------------------|
+| none          | /                             |
+| 2022 methods  | `openssl rand -base64 <密钥长度>` |
+| other methods | 任意字符串                         |

docs/configuration/inbound/shadowtls.md

@@ -7,29 +7,14 @@
 
   ... // Listen Fields
 
-  "version": 3,
+  "version": 2,
   "password": "fuck me till the daylight",
-  "users": [
-    {
-      "name": "sekai",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    }
-  ],
   "handshake": {
     "server": "google.com",
     "server_port": 443,
     
     ... // Dial Fields
-  },
-  "handshake_for_server_name": {
-    "example.com": {
-      "server": "example.com",
-      "server_port": 443,
-
-      ... // Dial Fields
-    }
-  },
-  "strict_mode": false
+  }
 }
 ```
 
@@ -47,35 +32,15 @@ ShadowTLS protocol version.
 |---------------|-----------------------------------------------------------------------------------------|
 | `1` (default) | [ShadowTLS v1](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v1) |
 | `2`           | [ShadowTLS v2](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v2) |
-| `3`           | [ShadowTLS v3](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-v3-en.md) |
 
 #### password
 
-ShadowTLS password.
+Set password.
 
-Only available in the ShadowTLS protocol 2.
-
-
-#### users
-
-ShadowTLS users.
-
-Only available in the ShadowTLS protocol 3.
+Only available in the ShadowTLS v2 protocol.
 
 #### handshake
 
 ==Required==
 
-Handshake server address and [Dial options](/configuration/shared/dial).
-
-#### handshake_for_server_name
-
-Handshake server address and [Dial options](/configuration/shared/dial) for specific server name.
-
-Only available in the ShadowTLS protocol 2/3.
-
-#### strict_mode
-
-ShadowTLS strict mode.
-
-Only available in the ShadowTLS protocol 3.
+Handshake server address and [Dial options](/configuration/shared/dial).

docs/configuration/inbound/shadowtls.zh.md

@@ -7,29 +7,14 @@
 
   ... // 监听字段
 
-  "version": 3,
+  "version": 2,
   "password": "fuck me till the daylight",
-  "users": [
-    {
-      "name": "sekai",
-      "password": "8JCsPssfgS8tiRwiMlhARg=="
-    }
-  ],
   "handshake": {
     "server": "google.com",
     "server_port": 443,
 
     ... // 拨号字段
-  },
-  "handshake_for_server_name": {
-    "example.com": {
-      "server": "example.com",
-      "server_port": 443,
-      
-      ... // 拨号字段
-    }
-  },
-  "strict_mode": false
+  }
 }
 ```
 
@@ -47,36 +32,15 @@ ShadowTLS 协议版本。
 |---------------|-----------------------------------------------------------------------------------------|
 | `1` (default) | [ShadowTLS v1](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v1) |
 | `2`           | [ShadowTLS v2](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v2) |
-| `3`           | [ShadowTLS v3](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-v3-en.md) |
 
 #### password
 
-ShadowTLS 密码。
+设置密码。
 
-仅在 ShadowTLS 协议版本 2 中可用。
-
-#### users
-
-ShadowTLS 用户。
-
-仅在 ShadowTLS 协议版本 3 中可用。
+仅在 ShadowTLS v2 协议中可用。
 
 #### handshake
 
 ==必填==
 
 握手服务器地址和 [拨号参数](/zh/configuration/shared/dial/)。
-
-#### handshake_for_server_name
-
-==必填==
-
-对于特定服务器名称的握手服务器地址和 [拨号参数](/zh/configuration/shared/dial/)。
-
-仅在 ShadowTLS 协议版本 2/3 中可用。
-
-#### strict_mode
-
-ShadowTLS 严格模式。
-
-仅在 ShadowTLS 协议版本 3 中可用。

docs/configuration/inbound/tun.md

@@ -46,15 +46,8 @@
   "exclude_package": [
     "com.android.captiveportallogin"
   ],
-  "platform": {
-    "http_proxy": {
-      "enabled": false,
-      "server": "127.0.0.1",
-      "server_port": 8080
-    }
-  },
-  
-  ... // Listen Fields
+  ...
+  // Listen Fields
 }
 ```
 
@@ -194,14 +187,6 @@ Limit android packages in route.
 
 Exclude android packages in route.
 
-#### platform
-
-Platform-specific settings, provided by client applications.
-
-#### platform.http_proxy
-
-System HTTP proxy settings.
-
 ### Listen Fields
 
 See [Listen Fields](/configuration/shared/listen) for details.

docs/configuration/inbound/tun.zh.md

@@ -46,15 +46,8 @@
   "exclude_package": [
     "com.android.captiveportallogin"
   ],
-  "platform": {
-    "http_proxy": {
-      "enabled": false,
-      "server": "127.0.0.1",
-      "server_port": 8080
-    }
-  },
-  
-  ... // 监听字段
+  ...
+  // 监听字段
 }
 ```
 
@@ -155,19 +148,19 @@ TCP/IP 栈。
 
     UID 规则仅在 Linux 下被支持，并且需要 `auto_route`。
 
-限制被路由的用户。默认不限制。
+限制被路由的的用户。默认不限制。
 
 #### include_uid_range
 
-限制被路由的用户范围。
+限制被路由的的用户范围。
 
 #### exclude_uid
 
-排除路由的用户。
+排除路由的的用户。
 
 #### exclude_uid_range
 
-排除路由的用户范围。
+排除路由的的用户范围。
 
 #### include_android_user
 
@@ -190,14 +183,6 @@ TCP/IP 栈。
 
 排除路由的 Android 应用包名。
 
-#### platform
-
-平台特定的设置，由客户端应用提供。
-
-#### platform.http_proxy
-
-系统 HTTP 代理设置。
-
 ### 监听字段
 
 参阅 [监听字段](/zh/configuration/shared/listen/)。

docs/configuration/inbound/vless.md

@@ -1,54 +0,0 @@
-### Structure
-
-```json
-{
-  "type": "vless",
-  "tag": "vless-in",
-
-  ... // Listen Fields
-
-  "users": [
-    {
-      "name": "sekai",
-      "uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
-      "flow": ""
-    }
-  ],
-  "tls": {},
-  "transport": {}
-}
-```
-
-### Listen Fields
-
-See [Listen Fields](/configuration/shared/listen) for details.
-
-### Fields
-
-#### users
-
-==Required==
-
-VLESS users.
-
-#### users.uuid
-
-==Required==
-
-VLESS user id.
-
-#### users.flow
-
-VLESS Sub-protocol.
-
-Available values:
-
-* `xtls-rprx-vision`
-
-#### tls
-
-TLS configuration, see [TLS](/configuration/shared/tls/#inbound).
-
-#### transport
-
-V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).

docs/configuration/inbound/vless.zh.md

@@ -1,54 +0,0 @@
-### 结构
-
-```json
-{
-  "type": "vless",
-  "tag": "vless-in",
-
-  ... // 监听字段
-
-  "users": [
-    {
-      "name": "sekai",
-      "uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
-      "flow": ""
-    }
-  ],
-  "tls": {},
-  "transport": {}
-}
-```
-
-### 监听字段
-
-参阅 [监听字段](/zh/configuration/shared/listen/)。
-
-### 字段
-
-#### users
-
-==必填==
-
-VLESS 用户。
-
-#### users.uuid
-
-==必填==
-
-VLESS 用户 ID。
-
-#### users.flow
-
-VLESS 子协议。
-
-可用值：
-
-* `xtls-rprx-vision`
-
-#### tls
-
-TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。
-
-#### transport
-
-V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。

docs/configuration/index.md

@@ -8,7 +8,6 @@ sing-box uses JSON for configuration files.
 {
   "log": {},
   "dns": {},
-  "ntp": {},
   "inbounds": [],
   "outbounds": [],
   "route": {},
@@ -22,7 +21,6 @@ sing-box uses JSON for configuration files.
 |----------------|--------------------------------|
 | `log`          | [Log](./log)                   |
 | `dns`          | [DNS](./dns)                   |
-| `ntp`          | [NTP](./ntp)                   |
 | `inbounds`     | [Inbound](./inbound)           |
 | `outbounds`    | [Outbound](./outbound)         |
 | `route`        | [Route](./route)               |

docs/configuration/ntp/index.md

@@ -1,50 +0,0 @@
-# NTP
-
-Built-in NTP client service.
-
-If enabled, it will provide time for protocols like TLS/Shadowsocks/VMess, which is useful for environments where time
-synchronization is not possible.
-
-### Structure
-
-```json
-{
-  "ntp": {
-    "enabled": false,
-    "server": "time.apple.com",
-    "server_port": 123,
-    "interval": "30m",
-    
-    ... // Dial Fields
-  }
-}
-
-```
-
-### Fields
-
-#### enabled
-
-Enable NTP service.
-
-#### server
-
-==Required==
-
-NTP server address.
-
-#### server_port
-
-NTP server port.
-
-123 is used by default.
-
-#### interval
-
-Time synchronization interval.
-
-30 minutes is used by default.
-
-### Dial Fields
-
-See [Dial Fields](/configuration/shared/dial) for details.

docs/configuration/ntp/index.zh.md

@@ -1,49 +0,0 @@
-# NTP
-
-内建的 NTP 客户端服务。
-
-如果启用，它将为像 TLS/Shadowsocks/VMess 这样的协议提供时间，这对于无法进行时间同步的环境很有用。
-
-### 结构
-
-```json
-{
-  "ntp": {
-    "enabled": false,
-    "server": "time.apple.com",
-    "server_port": 123,
-    "interval": "30m",
-    
-    ... // 拨号字段
-  }
-}
-
-```
-
-### 字段
-
-#### enabled
-
-启用 NTP 服务。
-
-#### server
-
-==必填==
-
-NTP 服务器地址。
-
-#### server_port
-
-NTP 服务器端口。
-
-默认使用 123。
-
-#### interval
-
-时间同步间隔。
-
-默认使用 30 分钟。
-
-### 拨号字段
-
-参阅 [拨号字段](/zh/configuration/shared/dial/)。

docs/configuration/outbound/index.md

@@ -28,7 +28,6 @@
 | `hysteria`     | [Hysteria](./hysteria)         |
 | `shadowsocksr` | [ShadowsocksR](./shadowsocksr) |
 | `vless`        | [VLESS](./vless)               |
-| `shadowtls`    | [ShadowTLS](./shadowtls)       |
 | `tor`          | [Tor](./tor)                   |
 | `ssh`          | [SSH](./ssh)                   |
 | `dns`          | [DNS](./dns)                   |

docs/configuration/outbound/shadowsocks.md

@@ -12,7 +12,7 @@
   "plugin": "",
   "plugin_opts": "",
   "network": "udp",
-  "udp_over_tcp": false | {},
+  "udp_over_tcp": false,
   "multiplex": {},
 
   ... // Dial Fields
@@ -87,9 +87,7 @@ Both is enabled by default.
 
 #### udp_over_tcp
 
-UDP over TCP configuration.
-
-See [UDP Over TCP](/configuration/shared/udp-over-tcp) for details.
+Enable the UDP over TCP protocol.
 
 Conflict with `multiplex`.
 

docs/configuration/outbound/shadowsocks.zh.md

@@ -12,7 +12,7 @@
   "plugin": "",
   "plugin_opts": "",
   "network": "udp",
-  "udp_over_tcp": false | {},
+  "udp_over_tcp": false,
   "multiplex": {},
 
   ... // 拨号字段
@@ -87,9 +87,7 @@ Shadowsocks SIP003 插件参数。
 
 #### udp_over_tcp
 
-UDP over TCP 配置。
-
-参阅 [UDP Over TCP](/zh/configuration/shared/udp-over-tcp)。
+启用 UDP over TCP 协议。
 
 与 `multiplex` 冲突。
 

docs/configuration/outbound/shadowtls.md

@@ -7,7 +7,7 @@
   
   "server": "127.0.0.1",
   "server_port": 1080,
-  "version": 3,
+  "version": 2,
   "password": "fuck me till the daylight",
   "tls": {},
 
@@ -37,13 +37,12 @@ ShadowTLS protocol version.
 |---------------|-----------------------------------------------------------------------------------------|
 | `1` (default) | [ShadowTLS v1](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v1) |
 | `2`           | [ShadowTLS v2](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v2) |
-| `3`           | [ShadowTLS v3](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-v3-en.md) |
 
 #### password
 
 Set password.
 
-Only available in the ShadowTLS v2/v3 protocol.
+Only available in the ShadowTLS v2 protocol.
 
 #### tls
 

docs/configuration/outbound/shadowtls.zh.md

@@ -7,7 +7,7 @@
   
   "server": "127.0.0.1",
   "server_port": 1080,
-  "version": 3,
+  "version": 2,
   "password": "fuck me till the daylight",
   "tls": {},
 
@@ -37,13 +37,12 @@ ShadowTLS 协议版本。
 |---------------|-----------------------------------------------------------------------------------------|
 | `1` (default) | [ShadowTLS v1](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v1) |
 | `2`           | [ShadowTLS v2](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-en.md#v2) |
-| `3`           | [ShadowTLS v3](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-v3-en.md) |
 
 #### password
 
 设置密码。
 
-仅在 ShadowTLS v2/v3 协议中可用。
+仅在 ShadowTLS v2 协议中可用。
 
 #### tls
 

docs/configuration/outbound/socks.md

@@ -13,7 +13,7 @@
   "username": "sekai",
   "password": "admin",
   "network": "udp",
-  "udp_over_tcp": false | {},
+  "udp_over_tcp": false,
 
   ... // Dial Fields
 }
@@ -57,9 +57,7 @@ Both is enabled by default.
 
 #### udp_over_tcp
 
-UDP over TCP protocol settings.
-
-See [UDP Over TCP](/configuration/shared/udp-over-tcp) for details.
+Enable the UDP over TCP protocol.
 
 ### Dial Fields
 

docs/configuration/outbound/socks.zh.md

@@ -13,7 +13,7 @@
   "username": "sekai",
   "password": "admin",
   "network": "udp",
-  "udp_over_tcp": false | {},
+  "udp_over_tcp": false,
 
   ... // 拨号字段
 }
@@ -57,9 +57,7 @@ SOCKS5 密码。
 
 #### udp_over_tcp
 
-UDP over TCP 配置。
-
-参阅 [UDP Over TCP](/zh/configuration/shared/udp-over-tcp)。
+启用 UDP over TCP 协议。
 
 ### 拨号字段
 

docs/configuration/outbound/ssh.md

@@ -12,9 +12,6 @@
   "private_key": "",
   "private_key_path": "$HOME/.ssh/id_rsa",
   "private_key_passphrase": "",
-  "host_key": [
-    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdH..."
-  ],
   "host_key_algorithms": [],
   "client_version": "SSH-2.0-OpenSSH_7.4p1",
 
@@ -54,10 +51,6 @@ Private key path.
 
 Private key passphrase.
 
-#### host_key
-
-Host key. Accept any if empty.
-
 #### host_key_algorithms
 
 Host key algorithms.

docs/configuration/outbound/ssh.zh.md

@@ -12,9 +12,6 @@
   "private_key": "",
   "private_key_path": "$HOME/.ssh/id_rsa",
   "private_key_passphrase": "",
-  "host_key": [
-    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdH..."
-  ],
   "host_key_algorithms": [],
   "client_version": "SSH-2.0-OpenSSH_7.4p1",
 
@@ -54,10 +51,6 @@ SSH 用户, 默认使用 root。
 
 密钥密码。
 
-#### host_key
-
-主机密钥，留空接受所有。
-
 #### host_key_algorithms
 
 主机密钥算法。

docs/configuration/outbound/vless.md

@@ -8,7 +8,6 @@
   "server": "127.0.0.1",
   "server_port": 1080,
   "uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
-  "flow": "xtls-rprx-vision",
   "network": "tcp",
   "tls": {},
   "packet_encoding": "",
@@ -18,6 +17,10 @@
 }
 ```
 
+!!! warning ""
+
+    The VLESS protocol is architecturally coupled to v2ray and is unmaintained. This outbound is provided for compatibility purposes only.
+
 ### Fields
 
 #### server
@@ -36,15 +39,7 @@ The server port.
 
 ==Required==
 
-VLESS user id.
-
-#### flow
-
-VLESS Sub-protocol.
-
-Available values:
-
-* `xtls-rprx-vision`
+The VLESS user id.
 
 #### network
 
@@ -60,8 +55,6 @@ TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
 
 #### packet_encoding
 
-UDP packet encoding, xudp is used by default.
-
 | Encoding   | Description           |
 |------------|-----------------------|
 | (none)     | Disabled              |

docs/configuration/outbound/vless.zh.md

@@ -8,7 +8,6 @@
   "server": "127.0.0.1",
   "server_port": 1080,
   "uuid": "bf000d23-0752-40b4-affe-68f7707a9661",
-  "flow": "xtls-rprx-vision",
   "network": "tcp",
   "tls": {},
   "packet_encoding": "",
@@ -18,6 +17,10 @@
 }
 ```
 
+!!! warning ""
+
+    VLESS 协议与 v2ray 架构耦合且无人维护。 提供此出站仅出于兼容性目的。
+
 ### 字段
 
 #### server
@@ -38,14 +41,6 @@
 
 VLESS 用户 ID。
 
-#### flow
-
-VLESS 子协议。
-
-可用值：
-
-* `xtls-rprx-vision`
-
 #### network
 
 启用的网络协议。
@@ -60,8 +55,6 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 #### packet_encoding
 
-UDP 包编码，默认使用 xudp。
-
 | 编码         | 描述            |
 |------------|---------------|
 | (空)        | 禁用            |

docs/configuration/outbound/vmess.md

@@ -50,7 +50,7 @@ Encryption methods:
 * `none`
 * `zero`
 * `aes-128-gcm`
-* `chacha20-poly1305`
+* `chancha20-poly1305`
 
 Legacy encryption methods:
 
@@ -86,8 +86,6 @@ TLS configuration, see [TLS](/configuration/shared/tls/#outbound).
 
 #### packet_encoding
 
-UDP packet encoding.
-
 | Encoding   | Description           |
 |------------|-----------------------|
 | (none)     | Disabled              |

docs/configuration/outbound/vmess.zh.md

@@ -50,7 +50,7 @@ VMess 用户 ID。
 * `none`
 * `zero`
 * `aes-128-gcm`
-* `chacha20-poly1305`
+* `chancha20-poly1305`
 
 旧加密方法：
 
@@ -86,8 +86,6 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。
 
 #### packet_encoding
 
-UDP 包编码。
-
 | 编码         | 描述            |
 |------------|---------------|
 | (空)        | 禁用            |

docs/configuration/shared/tls.md

@@ -26,20 +26,6 @@
       "key_id": "",
       "mac_key": ""
     }
-  },
-  "reality": {
-    "enabled": false,
-    "handshake": {
-      "server": "google.com",
-      "server_port": 443,
-
-      ... // Dial Fields
-    },
-    "private_key": "UuMBgl7MXTPx9inmQp2UC7Jcnwc6XYbwDNebonM-FCc",
-    "short_id": [
-      "0123456789abcdef"
-    ],
-    "max_time_difference": "1m"
   }
 }
 ```
@@ -67,11 +53,6 @@
   "utls": {
     "enabled": false,
     "fingerprint": ""
-  },
-  "reality": {
-    "enabled": false,
-    "public_key": "jNXHt1yRo0vDuchQlIP6Z0ZvjT3KtzVI-T4E7RoLJS0",
-    "short_id": "0123456789abcdef"
   }
 }
 ```
@@ -218,7 +199,6 @@ Available fingerprint values:
 * ios
 * android
 * random
-* randomized
 
 Chrome fingerprint will be used if empty.
 
@@ -295,54 +275,6 @@ The key identifier.
 
 The MAC key.
 
-### Reality Fields
-
-!!! warning ""
-
-    reality server is not included by default, see [Installation](/#installation).
-
-!!! warning ""
-
-    uTLS, which is required by reality client is not included by default, see [Installation](/#installation).
-
-#### handshake
-
-==Server only==
-
-==Required==
-
-Handshake server address and [Dial options](/configuration/shared/dial).
-
-#### private_key
-
-==Server only==
-
-==Required==
-
-Private key, generated by `sing-box generate reality-keypair`.
-
-#### public_key
-
-==Client only==
-
-==Required==
-
-Public key, generated by `sing-box generate reality-keypair`.
-
-#### short_id
-
-==Required==
-
-A hexadecimal string with zero to eight digits.
-
-#### max_time_difference
-
-==Server only==
-
-The maximum time difference between the server and the client.
-
-Check disabled if empty.
-
 ### Reload
 
 For server configuration, certificate and key will be automatically reloaded if modified.

docs/configuration/shared/tls.zh.md

@@ -26,20 +26,6 @@
       "key_id": "",
       "mac_key": ""
     }
-  },
-  "reality": {
-    "enabled": false,
-    "handshake": {
-      "server": "google.com",
-      "server_port": 443,
-
-      ... // 拨号字段
-    },
-    "private_key": "UuMBgl7MXTPx9inmQp2UC7Jcnwc6XYbwDNebonM-FCc",
-    "short_id": [
-      "0123456789abcdef"
-    ],
-    "max_time_difference": "1m"
   }
 }
 ```
@@ -67,11 +53,6 @@
   "utls": {
     "enabled": false,
     "fingerprint": ""
-  },
-  "reality": {
-    "enabled": false,
-    "public_key": "jNXHt1yRo0vDuchQlIP6Z0ZvjT3KtzVI-T4E7RoLJS0",
-    "short_id": "0123456789abcdef"
   }
 }
 ```
@@ -218,7 +199,6 @@ uTLS 是 "crypto/tls" 的一个分支，它提供了 ClientHello 指纹识别阻
 * ios
 * android
 * random
-* randomized
 
 默认使用 chrome 指纹。
 
@@ -291,52 +271,6 @@ EAB（外部帐户绑定）包含将 ACME 帐户绑定或映射到其他已知
 
 MAC 密钥。
 
-### Reality 字段
-
-!!! warning ""
-
-    默认安装不包含 reality 服务器，参阅 [安装](/zh/#_2)。
-
-!!! warning ""
-
-    默认安装不包含被 reality 客户端需要的 uTLS, 参阅 [安装](/zh/#_2)。
-
-#### handshake
-
-==仅服务器==
-
-==必填==
-
-握手服务器地址和 [拨号参数](/zh/configuration/shared/dial/)。
-
-#### private_key
-
-==仅服务器==
-
-==必填==
-
-私钥，由 `sing-box generate reality-keypair` 生成。
-
-#### public_key
-
-==仅客户端==
-
-==必填==
-
-公钥，由 `sing-box generate reality-keypair` 生成。
-
-#### short_id
-
-==必填==
-
-一个零到八位的十六进制字符串。
-
-#### max_time_difference
-
-服务器与和客户端之间允许的最大时间差。
-
-默认禁用检查。
-
 ### 重载
 
 对于服务器配置，如果修改，证书和密钥将自动重新加载。

docs/configuration/shared/udp-over-tcp.md

@@ -1,81 +0,0 @@
-# UDP over TCP
-
-!!! warning ""
-
-    It's a proprietary protocol created by SagerNet, not part of shadowsocks.
-
-The UDP over TCP protocol is used to transmit UDP packets in TCP.
-
-### Structure
-
-```json
-{
-  "enabled": true,
-  "version": 2
-}
-```
-
-!!! info ""
-
-    The structure can be replaced with a boolean value when the version is not specified.
-
-### Fields
-
-#### enabled
-
-Enable the UDP over TCP protocol.
-
-#### version
-
-The protocol version, `1` or `2`.
-
-2 is used by default.
-
-### Application support
-
-| Project      | UoT v1               | UoT v2     |
-|--------------|----------------------|------------|
-| sing-box     | v0 (2022/08/11)      | v1.2-beta9 |
-| Xray-core    | v1.5.7 (2022/06/05)  | /          |
-| Clash.Meta   | v1.12.0 (2022/07/02) | /          |
-| Shadowrocket | v2.2.12 (2022/08/13) | /          |
-
-### Protocol details
-
-#### Protocol version 1
-
-The client requests the magic address to the upper layer proxy protocol to indicate the request: `sp.udp-over-tcp.arpa`
-
-#### Stream format
-
-| ATYP | address  | port  | length | data     |
-|------|----------|-------|--------|----------|
-| u8   | variable | u16be | u16be  | variable |
-
-**ATYP / address / port**: Uses the SOCKS address format.
-
-#### Protocol version 2
-
-Protocol version 2 uses a new magic address: `sp.v2.udp-over-tcp.arpa`
-
-##### Request format
-
-| isConnect | ATYP | address  | port  |
-|-----------|------|----------|-------|
-| u8        | u8   | variable | u16be |
-
-**version**: Fixed to 2.
-
-**isConnect**: Set to 1 to indicates that the stream uses the connect format, 0 to disable.
-
-**ATYP / address / port**: Request destination, uses the SOCKS address format.
-
-##### Connect stream format
-
-| length | data     |
-|--------|----------|
-| u16be  | variable |
-
-##### Non-connect stream format
-
-As the same as the stream format in protocol version 1.

docs/configuration/shared/v2ray-transport.md

@@ -34,9 +34,7 @@ Available transports:
   "host": [],
   "path": "",
   "method": "",
-  "headers": {},
-  "idle_timeout": "15s",
-  "ping_timeout": "15s"
+  "headers": {}
 }
 ```
 
@@ -68,24 +66,6 @@ Extra headers of HTTP request.
 
 The server will write in response if not empty.
 
-#### idle_timeout
-
-In HTTP2 server:
-
-Specifies the time until idle clients should be closed with a GOAWAY frame. PING frames are not considered as activity.
-
-In HTTP2 client:
-
-Specifies the period of time after which a health check will be performed using a ping frame if no frames have been received on the connection. Please note that a ping response is considered a received frame, so if there is no other traffic on the connection, the health check will be executed every interval. If the value is zero, no health check will be performed.
-
-Zero is used by default.
-
-#### ping_timeout
-
-In HTTP2 client:
-
-Specifies the timeout duration after sending a PING frame, within which a response must be received. If a response to the PING frame is not received within the specified timeout duration, the connection will be closed. The default timeout duration is 15 seconds.
-
 ### WebSocket
 
 ```json
@@ -146,41 +126,10 @@ It needs to be consistent with the server.
 ```json
 {
   "type": "grpc",
-  "service_name": "TunService",
-  "idle_timeout": "15s",
-  "ping_timeout": "15s",
-  "permit_without_stream": false
+  "service_name": "TunService"
 }
 ```
 
 #### service_name
 
-Service name of gRPC.
-
-#### idle_timeout
-
-In standard gRPC server/client:
-
-If the transport doesn't see any activity after a duration of this time, it pings the client to check if the connection is still active.
-
-In default gRPC server/client:
-
-It has the same behavior as the corresponding setting in HTTP transport.
-
-#### ping_timeout
-
-In standard gRPC server/client:
-
-The timeout that after performing a keepalive check, the client will wait for activity. If no activity is detected, the connection will be closed.
-
-In default gRPC server/client:
-
-It has the same behavior as the corresponding setting in HTTP transport.
-
-#### permit_without_stream
-
-In standard gRPC client:
-
-If enabled, the client transport sends keepalive pings even with no active connections. If disabled, when there are no active connections, `idle_timeout` and `ping_timeout` will be ignored and no keepalive pings will be sent.
-
-Disabled by default.
+Service name of gRPC.

docs/configuration/shared/v2ray-transport.zh.md

@@ -33,9 +33,7 @@ V2Ray Transport 是 v2ray 发明的一组私有协议，并污染了其他协议
   "host": [],
   "path": "",
   "method": "",
-  "headers": {},
-  "idle_timeout": "15s",
-  "ping_timeout": "15s"
+  "headers": {}
 }
 ```
 
@@ -67,24 +65,6 @@ HTTP 请求的额外标头
 
 默认服务器将写入响应。
 
-#### idle_timeout
-
-在 HTTP2 服务器中：
-
-指定闲置客户端应在多长时间内使用 GOAWAY 帧关闭。PING 帧不被视为活动。
-
-在 HTTP2 客户端中：
-
-如果连接上没有收到任何帧，指定一段时间后将使用 PING 帧执行健康检查。需要注意的是，PING 响应被视为已接收的帧，因此如果连接上没有其他流量，则健康检查将在每个间隔执行一次。如果值为零，则不会执行健康检查。
-
-默认使用零。
-
-#### ping_timeout
-
-在 HTTP2 客户端中：
-
-指定发送 PING 帧后，在指定的超时时间内必须接收到响应。如果在指定的超时时间内没有收到 PING 帧的响应，则连接将关闭。默认超时持续时间为 15 秒。
-
 ### WebSocket
 
 ```json
@@ -145,41 +125,10 @@ HTTP 请求的额外标头。
 ```json
 {
   "type": "grpc",
-  "service_name": "TunService",
-  "idle_timeout": "15s",
-  "ping_timeout": "15s",
-  "permit_without_stream": false
+  "service_name": "TunService"
 }
 ```
 
 #### service_name
 
-gRPC 服务名称。
-
-#### idle_timeout
-
-在标准 gRPC 服务器/客户端：
-
-如果传输在此时间段后没有看到任何活动，它会向客户端发送 ping 请求以检查连接是否仍然活动。
-
-在默认 gRPC 服务器/客户端：
-
-它的行为与 HTTP 传输层中的相应设置相同。
-
-#### ping_timeout
-
-在标准 gRPC 服务器/客户端：
-
-经过一段时间之后，客户端将执行 keepalive 检查并等待活动。如果没有检测到任何活动，则会关闭连接。
-
-在默认 gRPC 服务器/客户端：
-
-它的行为与 HTTP 传输层中的相应设置相同。
-
-#### permit_without_stream
-
-在标准 gRPC 客户端：
-
-如果启用，客户端传输即使没有活动连接也会发送 keepalive ping。如果禁用，则在没有活动连接时，将忽略 `idle_timeout` 和 `ping_timeout`，并且不会发送 keepalive ping。
-
-默认禁用。
+gRPC 服务名称。

docs/examples/shadowsocks.md

@@ -1,9 +1,5 @@
 # Shadowsocks
 
-!!! warning ""
-
-    For censorship bypass usage in China, we recommend using UDP over TCP and disabling UDP on the server.
-
 ## Single User
 
 #### Server
@@ -15,7 +11,6 @@
       "type": "shadowsocks",
       "listen": "::",
       "listen_port": 8080,
-      "network": "tcp",
       "method": "2022-blake3-aes-128-gcm",
       "password": "8JCsPssfgS8tiRwiMlhARg=="
     }
@@ -40,8 +35,7 @@
       "server": "127.0.0.1",
       "server_port": 8080,
       "method": "2022-blake3-aes-128-gcm",
-      "password": "8JCsPssfgS8tiRwiMlhARg==",
-      "udp_over_tcp": true
+      "password": "8JCsPssfgS8tiRwiMlhARg=="
     }
   ]
 }

docs/examples/shadowtls.md

@@ -7,13 +7,8 @@
       "type": "shadowtls",
       "listen": "::",
       "listen_port": 4443,
-      "version": 3,
-      "users": [
-        {
-          "name": "sekai",
-          "password": "8JCsPssfgS8tiRwiMlhARg=="
-        }
-      ],
+      "version": 2,
+      "password": "fuck me till the daylight",
       "handshake": {
         "server": "google.com",
         "server_port": 443
@@ -24,7 +19,6 @@
       "type": "shadowsocks",
       "tag": "shadowsocks-in",
       "listen": "127.0.0.1",
-      "network": "tcp",
       "method": "2022-blake3-aes-128-gcm",
       "password": "8JCsPssfgS8tiRwiMlhARg=="
     }
@@ -47,22 +41,17 @@
         "max_connections": 4,
         "min_streams": 4
       }
-      // or "udp_over_tcp": true
     },
     {
       "type": "shadowtls",
       "tag": "shadowtls-out",
       "server": "127.0.0.1",
       "server_port": 4443,
-      "version": 3,
-      "password": "8JCsPssfgS8tiRwiMlhARg==",
+      "version": 2,
+      "password": "fuck me till the daylight",
       "tls": {
         "enabled": true,
-        "server_name": "google.com",
-        "utls": {
-          "enabled": true,
-          "fingerprint": "chrome"
-        }
+        "server_name": "google.com"
       }
     }
   ]

docs/index.md

@@ -8,6 +8,44 @@ Welcome to the wiki page for the sing-box project.
 
 The universal proxy platform.
 
+## Installation
+
+sing-box requires Golang **1.18.5** or a higher version.
+
+```bash
+go install -v github.com/sagernet/sing-box/cmd/sing-box@latest
+```
+
+Install with options:
+
+```bash
+go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@latest
+```
+
+| Build Tag                          | Description                                                                                                                                                                                                                                                                                                                     |
+|------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `with_quic`                        | Build with QUIC support, see [QUIC and HTTP3 dns transports](./configuration/dns/server), [Naive inbound](./configuration/inbound/naive), [Hysteria Inbound](./configuration/inbound/hysteria), [Hysteria Outbound](./configuration/outbound/hysteria) and [V2Ray Transport#QUIC](./configuration/shared/v2ray-transport#quic). |
+| `with_grpc`                        | Build with standard gRPC support, see [V2Ray Transport#gRPC](./configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                      |
+| `with_wireguard`                   | Build with WireGuard support, see [WireGuard outbound](./configuration/outbound/wireguard).                                                                                                                                                                                                                                     |
+| `with_shadowsocksr`                | Build with ShadowsocksR support, see [ShadowsocksR outbound](./configuration/outbound/shadowsocksr).                                                                                                                                                                                                                            |
+| `with_ech`                         | Build with TLS ECH extension support for TLS outbound, see [TLS](./configuration/shared/tls#ech).                                                                                                                                                                                                                               |
+| `with_utls`                        | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](./configuration/shared/tls#utls).                                                                                                                                                                                          |
+| `with_acme`                        | Build with ACME TLS certificate issuer support, see [TLS](./configuration/shared/tls).                                                                                                                                                                                                                                          |
+| `with_clash_api`                   | Build with Clash API support, see [Experimental](./configuration/experimental#clash-api-fields).                                                                                                                                                                                                                                |
+| `with_v2ray_api`                   | Build with V2Ray API support, see [Experimental](./configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
+| `with_gvisor`                      | Build with gVisor support, see [Tun inbound](./configuration/inbound/tun#stack) and [WireGuard outbound](./configuration/outbound/wireguard#system_interface).                                                                                                                                                                  |
+| `with_embedded_tor` (CGO required) | Build with embedded Tor support, see [Tor outbound](./configuration/outbound/tor).                                                                                                                                                                                                                                              |
+| `with_lwip` (CGO required)         | Build with LWIP Tun stack support, see [Tun inbound](./configuration/inbound/tun#stack).                                                                                                                                                                                                                                        |
+
+The binary is built under $GOPATH/bin
+
+```bash
+sing-box version
+```
+
+It is also recommended to use systemd to manage sing-box service,
+see [Linux server installation example](./examples/linux-server-installation).
+
 ## License
 
 ```

docs/index.zh.md

@@ -8,6 +8,44 @@ description: 欢迎来到该 sing-box 项目的文档页。
 
 通用代理平台。
 
+## 安装
+
+sing-box 需要 Golang **1.18.5** 或更高版本。
+
+```bash
+go install -v github.com/sagernet/sing-box/cmd/sing-box@latest
+```
+
+自定义安装：
+
+```bash
+go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@latest
+```
+
+| 构建标志                         | 描述                                                                                                                                                                                                                                                                           |
+|------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `with_quic`                  | 启用 QUIC 支持，参阅 [QUIC 和 HTTP3 DNS 传输层](./configuration/dns/server)，[Naive 入站](./configuration/inbound/naive)，[Hysteria 入站](./configuration/inbound/hysteria)，[Hysteria 出站](./configuration/outbound/hysteria) 和 [V2Ray 传输层#QUIC](./configuration/shared/v2ray-transport#quic)。 |
+| `with_grpc`                  | 启用标准 gRPC 支持，参阅 [V2Ray 传输层#gRPC](./configuration/shared/v2ray-transport#grpc)。                                                                                                                                                                                               |
+| `with_wireguard`             | 启用 WireGuard 支持，参阅 [WireGuard 出站](./configuration/outbound/wireguard)。                                                                                                                                                                                                       |
+| `with_shadowsocksr`          | 启用 ShadowsocksR 支持，参阅 [ShadowsocksR 出站](./configuration/outbound/shadowsocksr)。                                                                                                                                                                                              |
+| `with_ech`                   | 启用 TLS ECH 扩展支持，参阅 [TLS](./configuration/shared/tls#ech)。                                                                                                                                                                                                                    |
+| `with_utls`                  | 启用 uTLS 支持，参阅 [实验性](./configuration/experimental#clash-api-fields)。                                                                                                                                                                                                          |
+| `with_acme`                  | 启用 ACME TLS 证书签发支持，参阅 [TLS](./configuration/shared/tls)。                                                                                                                                                                                                                     |
+| `with_clash_api`             | 启用 Clash API 支持，参阅 [实验性](./configuration/experimental#clash-api-fields)。                                                                                                                                                                                                     |
+| `with_v2ray_api`             | 启用 V2Rat API 支持，参阅 [实验性](./configuration/experimental#v2ray-api-fields)。                                                                                                                                                                                                     |
+| `with_gvisor`                | 启用 gVisor 支持，参阅 [Tun 入站](./configuration/inbound/tun#stack) 和 [WireGuard 出站](./configuration/outbound/wireguard#system_interface)。                                                                                                                                           |
+| `with_embedded_tor` (需要 CGO) | 启用 嵌入式 Tor 支持，参阅 [Tor 出站](./configuration/outbound/tor)。                                                                                                                                                                                                                     |
+| `with_lwip` (需要 CGO)         | 启用 LWIP Tun 栈支持，参阅 [Tun 入站](./configuration/inbound/tun#stack)。                                                                                                                                                                                                              |
+
+二进制文件将被构建在 `$GOPATH/bin` 下。
+
+```bash
+sing-box version
+```
+
+同时推荐使用 systemd 来管理 sing-box 服务器实例。
+参阅 [Linux 服务器安装示例](./examples/linux-server-installation)。
+
 ## 授权
 
 ```

docs/installation/clients/sfi/index.md

@@ -1,21 +0,0 @@
-# SFI
-
-Experimental official iOS client for sing-box.
-
-#### Requirements
-
-* iOS 15.0+
-* macOS 12.0+ with Apple Silicon
-
-#### Download
-
-* [TestFlight](https://testflight.apple.com/join/c6ylui2j)
-
-#### Limit
-
-* `system` tun stack not working
-
-#### Privacy policy
-
-* SFI did not collect or share personal data.
-* The data generated by the software is always on your device.

docs/installation/clients/sfi/index.zh.md

@@ -1,21 +0,0 @@
-# SFI
-
-实验性的官方 iOS sing-box 客户端。
-
-#### 要求
-
-* iOS 15.0+
-* macOS 12.0+ with Apple Silicon
-
-#### 下载
-
-* [TestFlight](https://testflight.apple.com/join/c6ylui2j)
-
-#### 限制
-
-* `system` tun stack 不工作
-
-#### 隐私政策
-
-* SFI 不收集或共享个人数据。
-* 软件生成的数据始终在您的设备上。

docs/installation/from-source.md

@@ -1,39 +0,0 @@
-# Install from source
-
-sing-box requires Golang **1.18.5** or a higher version.
-
-```bash
-go install -v github.com/sagernet/sing-box/cmd/sing-box@latest
-```
-
-Install with options:
-
-```bash
-go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@latest
-```
-
-| Build Tag                          | Description                                                                                                                                                                                                                                                                                                                |
-|------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `with_quic`                        | Build with QUIC support, see [QUIC and HTTP3 DNS transports](/configuration/dns/server), [Naive inbound](/configuration/inbound/naive), [Hysteria Inbound](/configuration/inbound/hysteria), [Hysteria Outbound](/configuration/outbound/hysteria) and [V2Ray Transport#QUIC](/configuration/shared/v2ray-transport#quic). |
-| `with_grpc`                        | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                  |
-| `with_dhcp`                        | Build with DHCP support, see [DHCP DNS transport](/configuration/dns/server).                                                                                                                                                                                                                                              |
-| `with_wireguard`                   | Build with WireGuard support, see [WireGuard outbound](/configuration/outbound/wireguard).                                                                                                                                                                                                                                 |
-| `with_shadowsocksr`                | Build with ShadowsocksR support, see [ShadowsocksR outbound](/configuration/outbound/shadowsocksr).                                                                                                                                                                                                                        |
-| `with_ech`                         | Build with TLS ECH extension support for TLS outbound, see [TLS](/configuration/shared/tls#ech).                                                                                                                                                                                                                           |
-| `with_utls`                        | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls).                                                                                                                                                                                      |
-| `with_reality_server`              | Build with reality TLS server support,  see [TLS](/configuration/shared/tls).                                                                                                                                                                                                                                              |
-| `with_acme`                        | Build with ACME TLS certificate issuer support, see [TLS](/configuration/shared/tls).                                                                                                                                                                                                                                      |
-| `with_clash_api`                   | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields).                                                                                                                                                                                                                            |
-| `with_v2ray_api`                   | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                            |
-| `with_gvisor`                      | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                               |
-| `with_embedded_tor` (CGO required) | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor).                                                                                                                                                                                                                                          |
-| `with_lwip` (CGO required)         | Build with LWIP Tun stack support, see [Tun inbound](/configuration/inbound/tun#stack).                                                                                                                                                                                                                                    |
-
-The binary is built under $GOPATH/bin
-
-```bash
-sing-box version
-```
-
-It is also recommended to use systemd to manage sing-box service,
-see [Linux server installation example](./examples/linux-server-installation).

docs/installation/from-source.zh.md

@@ -1,39 +0,0 @@
-# 从源代码安装
-
-sing-box 需要 Golang **1.18.5** 或更高版本。
-
-```bash
-go install -v github.com/sagernet/sing-box/cmd/sing-box@latest
-```
-
-自定义安装：
-
-```bash
-go install -v -tags with_clash_api github.com/sagernet/sing-box/cmd/sing-box@latest
-```
-
-| 构建标志                         | 描述                                                                                                                                                                                                                                                                      |
-|------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `with_quic`                  | 启用 QUIC 支持，参阅 [QUIC 和 HTTP3 DNS 传输层](/configuration/dns/server)，[Naive 入站](/configuration/inbound/naive)，[Hysteria 入站](/configuration/inbound/hysteria)，[Hysteria 出站](/configuration/outbound/hysteria) 和 [V2Ray 传输层#QUIC](/configuration/shared/v2ray-transport#quic)。 |
-| `with_grpc`                  | 启用标准 gRPC 支持，参阅 [V2Ray 传输层#gRPC](/configuration/shared/v2ray-transport#grpc)。                                                                                                                                                                                           |
-| `with_dhcp`                  | 启用 DHCP 支持，参阅 [DHCP DNS 传输层](/configuration/dns/server)。                                                                                                                                                                                                                |
-| `with_wireguard`             | 启用 WireGuard 支持，参阅 [WireGuard 出站](/configuration/outbound/wireguard)。                                                                                                                                                                                                   |
-| `with_shadowsocksr`          | 启用 ShadowsocksR 支持，参阅 [ShadowsocksR 出站](/configuration/outbound/shadowsocksr)。                                                                                                                                                                                          |
-| `with_ech`                   | 启用 TLS ECH 扩展支持，参阅 [TLS](/configuration/shared/tls#ech)。                                                                                                                                                                                                                |
-| `with_utls`                  | 启用 [uTLS](https://github.com/refraction-networking/utls) 支持，参阅 [TLS](/configuration/shared/tls#utls)。                                                                                                                                                                   |
-| `with_reality_server`        | 启用 reality TLS 服务器支持，参阅 [TLS](/configuration/shared/tls)。                                                                                                                                                                                                               |
-| `with_acme`                  | 启用 ACME TLS 证书签发支持，参阅 [TLS](/configuration/shared/tls)。                                                                                                                                                                                                                 |
-| `with_clash_api`             | 启用 Clash API 支持，参阅 [实验性](/configuration/experimental#clash-api-fields)。                                                                                                                                                                                                 |
-| `with_v2ray_api`             | 启用 V2Ray API 支持，参阅 [实验性](/configuration/experimental#v2ray-api-fields)。                                                                                                                                                                                                 |
-| `with_gvisor`                | 启用 gVisor 支持，参阅 [Tun 入站](/configuration/inbound/tun#stack) 和 [WireGuard 出站](/configuration/outbound/wireguard#system_interface)。                                                                                                                                        |
-| `with_embedded_tor` (需要 CGO) | 启用 嵌入式 Tor 支持，参阅 [Tor 出站](/configuration/outbound/tor)。                                                                                                                                                                                                                 |
-| `with_lwip` (需要 CGO)         | 启用 LWIP Tun 栈支持，参阅 [Tun 入站](/configuration/inbound/tun#stack)。                                                                                                                                                                                                          |
-
-二进制文件将被构建在 `$GOPATH/bin` 下。
-
-```bash
-sing-box version
-```
-
-同时推荐使用 systemd 来管理 sing-box 服务器实例。
-参阅 [Linux 服务器安装示例](./examples/linux-server-installation)。

experimental/clashapi/dns.go

@@ -1,82 +0,0 @@
-package clashapi
-
-import (
-	"context"
-	"net/http"
-
-	"github.com/sagernet/sing-box/adapter"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing/common"
-
-	"github.com/go-chi/chi/v5"
-	"github.com/go-chi/render"
-	"github.com/miekg/dns"
-)
-
-func dnsRouter(router adapter.Router) http.Handler {
-	r := chi.NewRouter()
-	r.Get("/query", queryDNS(router))
-	return r
-}
-
-func queryDNS(router adapter.Router) func(w http.ResponseWriter, r *http.Request) {
-	return func(w http.ResponseWriter, r *http.Request) {
-		name := r.URL.Query().Get("name")
-		qTypeStr := r.URL.Query().Get("type")
-		if qTypeStr == "" {
-			qTypeStr = "A"
-		}
-
-		qType, exist := dns.StringToType[qTypeStr]
-		if !exist {
-			render.Status(r, http.StatusBadRequest)
-			render.JSON(w, r, newError("invalid query type"))
-			return
-		}
-
-		ctx, cancel := context.WithTimeout(context.Background(), C.DNSTimeout)
-		defer cancel()
-
-		msg := dns.Msg{}
-		msg.SetQuestion(dns.Fqdn(name), qType)
-		resp, err := router.Exchange(ctx, &msg)
-		if err != nil {
-			render.Status(r, http.StatusInternalServerError)
-			render.JSON(w, r, newError(err.Error()))
-			return
-		}
-
-		responseData := render.M{
-			"Status":   resp.Rcode,
-			"Question": resp.Question,
-			"Server":   "internal",
-			"TC":       resp.Truncated,
-			"RD":       resp.RecursionDesired,
-			"RA":       resp.RecursionAvailable,
-			"AD":       resp.AuthenticatedData,
-			"CD":       resp.CheckingDisabled,
-		}
-
-		rr2Json := func(rr dns.RR) render.M {
-			header := rr.Header()
-			return render.M{
-				"name": header.Name,
-				"type": header.Rrtype,
-				"TTL":  header.Ttl,
-				"data": rr.String()[len(header.String()):],
-			}
-		}
-
-		if len(resp.Answer) > 0 {
-			responseData["Answer"] = common.Map(resp.Answer, rr2Json)
-		}
-		if len(resp.Ns) > 0 {
-			responseData["Authority"] = common.Map(resp.Ns, rr2Json)
-		}
-		if len(resp.Extra) > 0 {
-			responseData["Additional"] = common.Map(resp.Extra, rr2Json)
-		}
-
-		render.JSON(w, r, responseData)
-	}
-}

experimental/clashapi/server.go

@@ -42,9 +42,9 @@ type Server struct {
 	httpServer     *http.Server
 	trafficManager *trafficontrol.Manager
 	urlTestHistory *urltest.HistoryStorage
+	tcpListener    net.Listener
 	mode           string
 	storeSelected  bool
-	cacheFilePath  string
 	cacheFile      adapter.ClashCacheFile
 }
 
@@ -71,12 +71,11 @@ func NewServer(router adapter.Router, logFactory log.ObservableFactory, options
 		if cachePath == "" {
 			cachePath = "cache.db"
 		}
-		if foundPath, loaded := C.FindPath(cachePath); loaded {
-			cachePath = foundPath
-		} else {
-			cachePath = C.BasePath(cachePath)
+		cacheFile, err := cachefile.Open(cachePath)
+		if err != nil {
+			return nil, E.Cause(err, "open cache file")
 		}
-		server.cacheFilePath = cachePath
+		server.cacheFile = cacheFile
 	}
 	cors := cors.New(cors.Options{
 		AllowedOrigins: []string{"*"},
@@ -100,11 +99,10 @@ func NewServer(router adapter.Router, logFactory log.ObservableFactory, options
 		r.Mount("/script", scriptRouter())
 		r.Mount("/profile", profileRouter())
 		r.Mount("/cache", cacheRouter())
-		r.Mount("/dns", dnsRouter(router))
 	})
 	if options.ExternalUI != "" {
 		chiRouter.Group(func(r chi.Router) {
-			fs := http.StripPrefix("/ui", http.FileServer(http.Dir(C.BasePath(os.ExpandEnv(options.ExternalUI)))))
+			fs := http.StripPrefix("/ui", http.FileServer(http.Dir(os.ExpandEnv(options.ExternalUI))))
 			r.Get("/ui", http.RedirectHandler("/ui/", http.StatusTemporaryRedirect).ServeHTTP)
 			r.Get("/ui/*", func(w http.ResponseWriter, r *http.Request) {
 				fs.ServeHTTP(w, r)
@@ -115,18 +113,12 @@ func NewServer(router adapter.Router, logFactory log.ObservableFactory, options
 }
 
 func (s *Server) Start() error {
-	if s.cacheFilePath != "" {
-		cacheFile, err := cachefile.Open(s.cacheFilePath)
-		if err != nil {
-			return E.Cause(err, "open cache file")
-		}
-		s.cacheFile = cacheFile
-	}
 	listener, err := net.Listen("tcp", s.httpServer.Addr)
 	if err != nil {
 		return E.Cause(err, "external controller listen error")
 	}
 	s.logger.Info("restful api listening at ", listener.Addr())
+	s.tcpListener = listener
 	go func() {
 		err = s.httpServer.Serve(listener)
 		if err != nil && !errors.Is(err, http.ErrServerClosed) {
@@ -139,6 +131,7 @@ func (s *Server) Start() error {
 func (s *Server) Close() error {
 	return common.Close(
 		common.PtrOrNil(s.httpServer),
+		s.tcpListener,
 		s.trafficManager,
 		s.cacheFile,
 	)

experimental/libbox/command.go

@@ -1,11 +0,0 @@
-//go:build darwin
-
-package libbox
-
-const (
-	CommandLog int32 = iota
-	CommandStatus
-	CommandServiceStop
-	CommandServiceReload
-	CommandCloseConnections
-)