documentation: Bump version

dcoumentation: Fix description of cipher_suites
Fix pprof URL path
2026-04-11 17:47:20 +10:00 · 2023-12-29 18:00:40 +08:00 · 2023-12-29 18:00:40 +08:00 · 2023-12-29 18:00:40 +08:00 · 2023-12-27 10:37:18 +08:00 · 2023-12-27 10:30:19 +08:00
99 changed files with 619 additions and 469 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -61,7 +61,22 @@ body:
    attributes:
      label: Logs
      description: |-
-        If you encounter a crash with the graphical client, please provide crash logs.
+        In addition, if you encounter a crash with the graphical client, please also provide crash logs.
        For Apple platform clients, please check `Settings - View Service Log` for crash logs.
        For the Android client, please check the `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` file for crash logs.
-      render: shell
+      render: shell
+  - type: checkboxes
+    attributes:
+      label: Integrity requirements
+      description: |-
+        Please check all of the following options to prove that you have read and understood the requirements, otherwise this issue will be closed.
+        Sing-box is not a project aimed to please users who can't make any meaningful contributions and gain unethical influence. If you deceive here to deliberately waste the time of the developers, you will be permanently blocked.
+      options:
+        - label: I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
+          required: true
+        - label: I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
+          required: true
+        - label: I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
+          required: true
+        - label: I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.
+          required: true
--- a/.github/ISSUE_TEMPLATE/bug_report_zh.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report_zh.yml
@@ -61,21 +61,22 @@ body:
    attributes:
      label: 日志
      description: |-
-        如果您遭遇图形界面应用程序崩溃，请提供崩溃日志。
+        此外，如果您遭遇图形界面应用程序崩溃，请附加提供崩溃日志。
        对于 Apple 平台图形客户端程序，请检查 `Settings - View Service Log` 以导出崩溃日志。
        对于 Android 图形客户端程序，请检查 `/sdcard/Android/data/io.nekohasekai.sfa/files/stderr.log` 文件以导出崩溃日志。
      render: shell
  - type: checkboxes
    attributes:
      label: 完整性要求
-      description: 我保证我提供了完整的可以在本地重现该问题的服务器、客户端配置文件与流程，而不是一个脱敏的复杂客户端配置文件，否则该 issue 将被关闭。
+      description: |-
+        请勾选以下所有选项以证明您已经阅读并理解了以下要求，否则该 issue 将被关闭。
+        sing-box 不是讨好无法作出任何意义上的贡献的最终用户并获取非道德影响力的项目，如果您在此处欺骗以故意浪费开发者的时间，您将被永久封锁。
      options:
-        - label: 我保证
+        - label: 我保证阅读了文档，了解所有我编写的配置文件项的含义，而不是大量堆砌看似有用的选项或默认值。
+          required: true
+        - label: 我保证提供了可以在本地重现该问题的服务器、客户端配置文件与流程，而不是一个脱敏的复杂客户端配置文件。
+          required: true
+        - label: 我保证提供了可用于重现我报告的错误的最简配置，而不是依赖远程服务器、TUN、图形界面客户端或者其他闭源软件。
+          required: true
+        - label: 我保证提供了完整的配置文件与日志，而不是出于对自身智力的自信而仅提供了部分认为有用的部分。
          required: true
-  - type: checkboxes
-    attributes:
-      label: 负责性要求
-      description: 我保证我阅读了文档，了解所有我编写的配置文件项的含义，而不是大量堆砌看似有用的选项或默认值，否则该 issue 将被关闭。
-      options:
-        - label: 我保证
-          required: true
--- a/.github/workflows/debug.yml
+++ b/.github/workflows/debug.yml
@@ -216,7 +216,7 @@ jobs:
        id: build
        run: make
      - name: Upload artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
        with:
          name: sing-box-${{ matrix.name }}
          path: sing-box*
--- a/common/tls/acme.go
+++ b/common/tls/acme.go
@@ -105,5 +105,16 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		},
 	})
 	config = certmagic.New(cache, *config)
-	return config.TLSConfig(), &acmeWrapper{ctx: ctx, cfg: config, cache: cache, domain: options.Domain}, nil
+	var tlsConfig *tls.Config
+	if acmeConfig.DisableTLSALPNChallenge || acmeConfig.DNS01Solver != nil {
+		tlsConfig = &tls.Config{
+			GetCertificate: config.GetCertificate,
+		}
+	} else {
+		tlsConfig = &tls.Config{
+			GetCertificate: config.GetCertificate,
+			NextProtos:     []string{ACMETLS1Protocol},
+		}
+	}
+	return tlsConfig, &acmeWrapper{ctx: ctx, cfg: config, cache: cache, domain: options.Domain}, nil
 }
--- a/common/tls/acme_contstant.go
+++ b/common/tls/acme_contstant.go
@@ -0,0 +1,3 @@
+package tls
+
+const ACMETLS1Protocol = "acme-tls/1"
--- a/common/tls/std_server.go
+++ b/common/tls/std_server.go
@@ -39,11 +39,19 @@ func (c *STDServerConfig) SetServerName(serverName string) {
 }

 func (c *STDServerConfig) NextProtos() []string {
-	return c.config.NextProtos
+	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
+		return c.config.NextProtos[1:]
+	} else {
+		return c.config.NextProtos
+	}
 }

 func (c *STDServerConfig) SetNextProtos(nextProto []string) {
-	c.config.NextProtos = nextProto
+	if c.acmeService != nil && len(c.config.NextProtos) > 1 && c.config.NextProtos[0] == ACMETLS1Protocol {
+		c.config.NextProtos = append(c.config.NextProtos[:1], nextProto...)
+	} else {
+		c.config.NextProtos = nextProto
+	}
 }

 func (c *STDServerConfig) Config() (*STDConfig, error) {
--- a/debug_http.go
+++ b/debug_http.go
@@ -5,6 +5,7 @@ import (
 	"net/http/pprof"
 	"runtime"
 	"runtime/debug"
+	"strings"

 	"github.com/sagernet/sing-box/common/badjson"
 	"github.com/sagernet/sing-box/common/humanize"
@@ -47,12 +48,20 @@ func applyDebugListenOption(options option.DebugOptions) {
 			encoder.SetIndent("", "  ")
 			encoder.Encode(memObject)
 		})
-		r.HandleFunc("/pprof", pprof.Index)
-		r.HandleFunc("/pprof/*", pprof.Index)
-		r.HandleFunc("/pprof/cmdline", pprof.Cmdline)
-		r.HandleFunc("/pprof/profile", pprof.Profile)
-		r.HandleFunc("/pprof/symbol", pprof.Symbol)
-		r.HandleFunc("/pprof/trace", pprof.Trace)
+		r.Route("/pprof", func(r chi.Router) {
+			r.HandleFunc("/", func(writer http.ResponseWriter, request *http.Request) {
+				if !strings.HasSuffix(request.URL.Path, "/") {
+					http.Redirect(writer, request, request.URL.Path+"/", http.StatusMovedPermanently)
+				} else {
+					pprof.Index(writer, request)
+				}
+			})
+			r.HandleFunc("/*", pprof.Index)
+			r.HandleFunc("/cmdline", pprof.Cmdline)
+			r.HandleFunc("/profile", pprof.Profile)
+			r.HandleFunc("/symbol", pprof.Symbol)
+			r.HandleFunc("/trace", pprof.Trace)
+		})
 	})
 	debugHTTPServer = &http.Server{
 		Addr:    options.Listen,
--- a/debug_stub.go
+++ b/debug_stub.go
@@ -1,4 +1,4 @@
-//go:build !linux
+//go:build !(linux || darwin)

 package box

--- a/debug_linux.go
+++ b/debug_linux.go
@@ -1,3 +1,5 @@
+//go:build linux || darwin
+
 package box

 import (
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -4,6 +4,19 @@ icon: material/alert-decagram

 # ChangeLog

+#### 1.7.7
+
+* Fix V2Ray transport `path` validation behavior **1**
+* Fixes and improvements
+
+**1**:
+
+See [V2Ray transport](/configuration/shared/v2ray-transport/).
+
+#### 1.7.6
+
+* Fixes and improvements
+
 #### 1.7.5

 * Fixes and improvements
@@ -29,8 +42,8 @@ by the Apple App Store, so updates to Apple Platforms will be delayed._

 Important changes since 1.6:

-* Add [exclude route support](/configuration/inbound/tun) for TUN inbound
-* Add `udp_disable_domain_unmapping` [inbound listen option](/configuration/shared/listen) **1**
+* Add [exclude route support](/configuration/inbound/tun/) for TUN inbound
+* Add `udp_disable_domain_unmapping` [inbound listen option](/configuration/shared/listen/) **1**
 * Add [HTTPUpgrade V2Ray transport](/configuration/shared/v2ray-transport#HTTPUpgrade) support **2**
 * Migrate multiplex and UoT server to inbound **3**
 * Add TCP Brutal support for multiplex **4**
@@ -60,7 +73,7 @@ and needs to be turned on explicitly in inbound options.
 **4**

 Hysteria Brutal Congestion Control Algorithm in TCP. A kernel module needs to be installed on the Linux server,
-see [TCP Brutal](/configuration/shared/tcp-brutal) for details.
+see [TCP Brutal](/configuration/shared/tcp-brutal/) for details.

 **5**:

@@ -149,7 +162,7 @@ Only supported in graphical clients on Android and iOS.

 #### 1.6.1

-* Our [Android client](/installation/clients/sfa) is now available in the Google Play Store ▶️
+* Our [Android client](/installation/clients/sfa/) is now available in the Google Play Store ▶️
 * Fixes and improvements

 #### 1.7.0-alpha.6
@@ -169,7 +182,7 @@ options.
 **2**

 Hysteria Brutal Congestion Control Algorithm in TCP. A kernel module needs to be installed on the Linux server,
-see [TCP Brutal](/configuration/shared/tcp-brutal) for details.
+see [TCP Brutal](/configuration/shared/tcp-brutal/) for details.

 #### 1.7.0-alpha.3

@@ -188,13 +201,13 @@ The new HTTPUpgrade transport has better performance than WebSocket and is bette

 Important changes since 1.5:

-* Our [Apple tvOS client](/installation/clients/sft) is now available in the App Store 🍎
+* Our [Apple tvOS client](/installation/clients/sft/) is now available in the App Store 🍎
 * Update BBR congestion control for TUIC and Hysteria2 **1**
 * Update brutal congestion control for Hysteria2
 * Add `brutal_debug` option for Hysteria2
 * Update legacy Hysteria protocol **2**
 * Add TLS self sign key pair generate command
-* Remove [Deprecated Features](/deprecated) by agreement
+* Remove [Deprecated Features](/deprecated/) by agreement

 **1**:

@@ -212,8 +225,8 @@ the old protocol (Hysteria 1) have been updated to be consistent with Hysteria 2

 #### 1.7.0-alpha.1

-* Add [exclude route support](/configuration/inbound/tun) for TUN inbound
-* Add `udp_disable_domain_unmapping` [inbound listen option](/configuration/shared/listen) **1**
+* Add [exclude route support](/configuration/inbound/tun/) for TUN inbound
+* Add `udp_disable_domain_unmapping` [inbound listen option](/configuration/shared/listen/) **1**
 * Fixes and improvements

 **1**:
@@ -331,7 +344,7 @@ introduce new issues.

 #### 1.5.2

-* Our [Apple tvOS client](/installation/clients/sft) is now available in the App Store 🍎
+* Our [Apple tvOS client](/installation/clients/sft/) is now available in the App Store 🍎
 * Fixes and improvements

 #### 1.6.0-alpha.3
@@ -351,7 +364,7 @@ introduce new issues.
 * Update BBR congestion control for TUIC and Hysteria2 **1**
 * Update quic-go to v0.39.0
 * Update gVisor to 20230814.0
-* Remove [Deprecated Features](/deprecated) by agreement
+* Remove [Deprecated Features](/deprecated/) by agreement
 * Fixes and improvements

 **1**:
@@ -365,7 +378,7 @@ This update is intended to address the multi-send defects of the old implementat

 Important changes since 1.4:

-* Add TLS [ECH server](/configuration/shared/tls) support
+* Add TLS [ECH server](/configuration/shared/tls/) support
 * Improve TLS TCH client configuration
 * Add TLS ECH key pair generator **1**
 * Add TLS ECH support for QUIC based protocols **2**
@@ -374,7 +387,7 @@ Important changes since 1.4:
 * Add `interrupt_exist_connections` option for `Selector` and `URLTest` outbounds **4**
 * Add DNS01 challenge support for ACME TLS certificate issuer **5**
 * Add `merge` command **6**
-* Mark [Deprecated Features](/deprecated)
+* Mark [Deprecated Features](/deprecated/)

 **1**:

@@ -386,7 +399,7 @@ All inbounds and outbounds are supported, including `Naiveproxy`, `Hysteria[/2]`

 **3**:

-See [Hysteria2 inbound](/configuration/inbound/hysteria2) and [Hysteria2 outbound](/configuration/outbound/hysteria2)
+See [Hysteria2 inbound](/configuration/inbound/hysteria2/) and [Hysteria2 outbound](/configuration/outbound/hysteria2/)

 For protocol description, please refer to [https://v2.hysteria.network](https://v2.hysteria.network)

@@ -399,7 +412,7 @@ Only inbound connections are affected by this setting, internal connections will
 **5**:

 Only `Alibaba Cloud DNS` and `Cloudflare` are supported, see [ACME Fields](/configuration/shared/tls#acme-fields)
-and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge).
+and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge/).

 **6**:

@@ -481,7 +494,7 @@ Global Flags:

 Only `Alibaba Cloud DNS` and `Cloudflare` are supported,
 see [ACME Fields](/configuration/shared/tls#acme-fields)
-and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge).
+and [DNS01 Challenge Fields](/configuration/shared/dns01_challenge/).

 #### 1.5.0-beta.10

@@ -510,7 +523,7 @@ Only inbound connections are affected by this setting, internal connections will

 * Fix compatibility issues with official Hysteria2 server and client
 * Fixes and improvements
-* Mark [deprecated features](/deprecated)
+* Mark [deprecated features](/deprecated/)

 #### 1.5.0-beta.3

@@ -529,13 +542,13 @@ Hysteria2 server and client when using `fastOpen=false` or UDP MTU >= 1200.

 **1**:

-See [Hysteria2 inbound](/configuration/inbound/hysteria2) and [Hysteria2 outbound](/configuration/outbound/hysteria2)
+See [Hysteria2 inbound](/configuration/inbound/hysteria2/) and [Hysteria2 outbound](/configuration/outbound/hysteria2/)

 For protocol description, please refer to [https://v2.hysteria.network](https://v2.hysteria.network)

 #### 1.5.0-beta.1

-* Add TLS [ECH server](/configuration/shared/tls) support
+* Add TLS [ECH server](/configuration/shared/tls/) support
 * Improve TLS TCH client configuration
 * Add TLS ECH key pair generator **1**
 * Add TLS ECH support for QUIC based protocols **2**
@@ -568,12 +581,12 @@ Important changes since 1.3:

 *1*:

-See [TUIC inbound](/configuration/inbound/tuic)
-and [TUIC outbound](/configuration/outbound/tuic)
+See [TUIC inbound](/configuration/inbound/tuic/)
+and [TUIC outbound](/configuration/outbound/tuic/)

 **2**:

-This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp), designed to provide a QUIC
+This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp/), designed to provide a QUIC
 stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or
 another program compatible with the protocol as a server.

@@ -604,7 +617,7 @@ Requires sing-box to be compiled with Go 1.21.

 **1**:

-This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp), designed to provide a QUIC
+This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp/), designed to provide a QUIC
 stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or
 another program compatible with the protocol as a server.

@@ -642,8 +655,8 @@ Requires sing-box to be compiled with Go 1.21.

 *1*:

-See [TUIC inbound](/configuration/inbound/tuic)
-and [TUIC outbound](/configuration/outbound/tuic)
+See [TUIC inbound](/configuration/inbound/tuic/)
+and [TUIC outbound](/configuration/outbound/tuic/)

 #### 1.3.6

@@ -652,7 +665,7 @@ and [TUIC outbound](/configuration/outbound/tuic)
 #### 1.3.5

 * Fixes and improvements
-* Introducing our [Apple tvOS](/installation/clients/sft) client applications **1**
+* Introducing our [Apple tvOS](/installation/clients/sft/) client applications **1**
 * Add per app proxy and app installed/updated trigger support for Android client
 * Add profile sharing support for Android/iOS/macOS clients

@@ -679,7 +692,7 @@ downloaded through TestFlight.

 #### 1.3.1-beta.3

-* Introducing our [new iOS](/installation/clients/sfi) and [macOS](/installation/clients/sfm) client applications **1**
+* Introducing our [new iOS](/installation/clients/sfi/) and [macOS](/installation/clients/sfm/) client applications **1**
 * Fixes and improvements

 **1**:
@@ -700,7 +713,7 @@ The old testflight link and app are no longer valid.

 Important changes since 1.2:

-* Add [FakeIP](/configuration/dns/fakeip) support **1**
+* Add [FakeIP](/configuration/dns/fakeip/) support **1**
 * Improve multiplex **2**
 * Add [DNS reverse mapping](/configuration/dns#reverse_mapping) support
 * Add `rewrite_ttl` DNS rule action
@@ -727,11 +740,11 @@ Important changes since 1.2:

 *1*:

-See [FAQ](/faq/fakeip) for more information.
+See [FAQ](/faq/fakeip/) for more information.

 *2*:

-Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex).
+Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex/).

 #### 1.3-rc2

@@ -793,7 +806,7 @@ Improved performance and reduced memory usage.

 *1*:

-Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex).
+Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex/).

 #### 1.2.6

@@ -845,25 +858,25 @@ This is an incompatible update for XUDP in VLESS if vision flow is enabled.
 #### 1.3-beta1

 * Add [DNS reverse mapping](/configuration/dns#reverse_mapping) support
-* Add [L3 routing](/configuration/route/ip-rule) support **1**
+* Add [L3 routing](/configuration/route/ip-rule/) support **1**
 * Add `rewrite_ttl` DNS rule action
-* Add [FakeIP](/configuration/dns/fakeip) support **2**
+* Add [FakeIP](/configuration/dns/fakeip/) support **2**
 * Add `store_fakeip` Clash API option
 * Add multi-peer support for [WireGuard](/configuration/outbound/wireguard#peers) outbound
 * Add loopback detect

 *1*:

-It can currently be used to [route connections directly to WireGuard](/examples/wireguard-direct) or block connections
+It can currently be used to [route connections directly to WireGuard](/examples/wireguard-direct/) or block connections
 at the IP layer.

 *2*:

-See [FAQ](/faq/fakeip) for more information.
+See [FAQ](/faq/fakeip/) for more information.

 #### 1.2.3

-* Introducing our [new Android client application](/installation/clients/sfa)
+* Introducing our [new Android client application](/installation/clients/sfa/)
 * Improve UDP domain destination NAT
 * Update reality protocol
 * Fix TTL calculation for DNS response
@@ -892,16 +905,16 @@ to `domain` rule.

 Important changes since 1.1:

-* Introducing our [new iOS client application](/installation/clients/sfi)
-* Introducing [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp)
+* Introducing our [new iOS client application](/installation/clients/sfi/)
+* Introducing [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp/)
 * Add [platform options](/configuration/inbound/tun#platform) for tun inbound
 * Add [ShadowTLS protocol v3](https://github.com/ihciah/shadow-tls/blob/master/docs/protocol-v3-en.md)
-* Add [VLESS server](/configuration/inbound/vless) and [vision](/configuration/outbound/vless#flow) support
-* Add [reality TLS](/configuration/shared/tls) support
-* Add [NTP service](/configuration/ntp)
-* Add [DHCP DNS server](/configuration/dns/server) support
-* Add SSH [host key validation](/configuration/outbound/ssh) support
-* Add [query_type](/configuration/dns/rule) DNS rule item
+* Add [VLESS server](/configuration/inbound/vless/) and [vision](/configuration/outbound/vless#flow) support
+* Add [reality TLS](/configuration/shared/tls/) support
+* Add [NTP service](/configuration/ntp/)
+* Add [DHCP DNS server](/configuration/dns/server/) support
+* Add SSH [host key validation](/configuration/outbound/ssh/) support
+* Add [query_type](/configuration/dns/rule/) DNS rule item
 * Add fallback support for v2ray transport
 * Add custom TLS server support for http based v2ray transports
 * Add health check support for http-based v2ray transports
@@ -932,7 +945,7 @@ name.

 #### 1.2-beta9

-* Introducing the [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp)
+* Introducing the [UDP over TCP protocol version 2](/configuration/shared/udp-over-tcp/)
 * Add health check support for http-based v2ray transports
 * Remove length limit on short_id for reality TLS config
 * Fix bugs and update dependencies
@@ -949,7 +962,7 @@ name.

 #### 1.2-beta6

-* Introducing our [new iOS client application](/installation/clients/sfi)
+* Introducing our [new iOS client application](/installation/clients/sfi/)
 * Add [platform options](/configuration/inbound/tun#platform) for tun inbound
 * Add custom TLS server support for http based v2ray transports
 * Add generate commands
@@ -962,8 +975,8 @@ name.

 #### 1.2-beta5

-* Add [VLESS server](/configuration/inbound/vless) and [vision](/configuration/outbound/vless#flow) support
-* Add [reality TLS](/configuration/shared/tls) support
+* Add [VLESS server](/configuration/inbound/vless/) and [vision](/configuration/outbound/vless#flow) support
+* Add [reality TLS](/configuration/shared/tls/) support
 * Fix match private address

 #### 1.1.6
@@ -978,7 +991,7 @@ name.

 #### 1.2-beta4

-* Add [NTP service](/configuration/ntp)
+* Add [NTP service](/configuration/ntp/)
 * Add Add multiple server names and multi-user support for shadowtls
 * Add strict mode support for shadowtls v3
 * Add uTLS support for shadowtls v3
@@ -998,9 +1011,9 @@ name.

 #### 1.2-beta1

-* Add [DHCP DNS server](/configuration/dns/server) support
-* Add SSH [host key validation](/configuration/outbound/ssh) support
-* Add [query_type](/configuration/dns/rule) DNS rule item
+* Add [DHCP DNS server](/configuration/dns/server/) support
+* Add SSH [host key validation](/configuration/outbound/ssh/) support
+* Add [query_type](/configuration/dns/rule/) DNS rule item
 * Add v2ray [user stats](/configuration/experimental#statsusers) api
 * Add new clash DNS query api
 * Improve vmess request
@@ -1229,7 +1242,7 @@ and [ShadowTLS outbound](/configuration/outbound/shadowtls#version)

 #### 1.1-beta6

-* Add [URLTest outbound](/configuration/outbound/urltest)
+* Add [URLTest outbound](/configuration/outbound/urltest/)
 * Fix bugs in 1.1-beta5

 #### 1.1-beta5
@@ -1261,8 +1274,8 @@ The default tun stack is changed to system.
 #### 1.1-beta4

 * Add internal simple-obfs and v2ray-plugin [Shadowsocks plugins](/configuration/outbound/shadowsocks#plugin)
-* Add [ShadowsocksR outbound](/configuration/outbound/shadowsocksr)
-* Add [VLESS outbound and XUDP](/configuration/outbound/vless)
+* Add [ShadowsocksR outbound](/configuration/outbound/shadowsocksr/)
+* Add [VLESS outbound and XUDP](/configuration/outbound/vless/)
 * Skip wait for hysteria tcp handshake response
 * Fix socks4 client
 * Fix hysteria inbound
@@ -1289,7 +1302,7 @@ The default tun stack is changed to system.
 *1*:

 Switching modes using the Clash API, and `store-selected` are now supported,
-see [Experimental](/configuration/experimental).
+see [Experimental](/configuration/experimental/).

 *2*:

@@ -1370,15 +1383,15 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).
 * Fix write trojan udp
 * Fix DNS routing
 * Add attribute support for geosite
-* Update documentation for [Dial Fields](/configuration/shared/dial)
+* Update documentation for [Dial Fields](/configuration/shared/dial/)

 #### 1.0-beta3

 * Add [chained inbound](/configuration/shared/listen#detour) support
 * Add process_path rule item
 * Add macOS redirect support
-* Add ShadowTLS [Inbound](/configuration/inbound/shadowtls), [Outbound](/configuration/outbound/shadowtls)
-  and [Examples](/examples/shadowtls)
+* Add ShadowTLS [Inbound](/configuration/inbound/shadowtls/), [Outbound](/configuration/outbound/shadowtls/)
+  and [Examples](/examples/shadowtls/)
 * Fix search android package in non-owner users
 * Fix socksaddr type condition
 * Fix smux session status
@@ -1422,7 +1435,7 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).

 ##### 2022/08/23

-* Add [V2Ray Transport](/configuration/shared/v2ray-transport) support for VMess and Trojan
+* Add [V2Ray Transport](/configuration/shared/v2ray-transport/) support for VMess and Trojan
 * Allow plain http request in Naive inbound (It can now be used with nginx)
 * Add proxy protocol support
 * Free memory after start
@@ -1431,13 +1444,13 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).

 ##### 2022/08/22

-* Add strategy setting for each [DNS server](/configuration/dns/server)
+* Add strategy setting for each [DNS server](/configuration/dns/server/)
 * Add bind address to outbound options

 ##### 2022/08/21

-* Add [Tor outbound](/configuration/outbound/tor)
-* Add [SSH outbound](/configuration/outbound/ssh)
+* Add [Tor outbound](/configuration/outbound/tor/)
+* Add [SSH outbound](/configuration/outbound/ssh/)

 ##### 2022/08/20

@@ -1451,8 +1464,8 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).

 ##### 2022/08/19

-* Add Hysteria [Inbound](/configuration/inbound/hysteria) and [Outbund](/configuration/outbound/hysteria)
-* Add [ACME TLS certificate issuer](/configuration/shared/tls)
+* Add Hysteria [Inbound](/configuration/inbound/hysteria/) and [Outbund](/configuration/outbound/hysteria/)
+* Add [ACME TLS certificate issuer](/configuration/shared/tls/)
 * Allow read config from stdin (-c stdin)
 * Update gVisor to 20220815.0

@@ -1470,11 +1483,11 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).
 ##### 2022/08/16

 * Add ip_version (route/dns) rule item
-* Add [WireGuard](/configuration/outbound/wireguard) outbound
+* Add [WireGuard](/configuration/outbound/wireguard/) outbound

 ##### 2022/08/15

-* Add uid, android user and package rules support in [Tun](/configuration/inbound/tun) routing.
+* Add uid, android user and package rules support in [Tun](/configuration/inbound/tun/) routing.

 ##### 2022/08/13

@@ -1483,15 +1496,15 @@ and [Listen Fields](/configuration/shared/listen#udp_fragment).
 ##### 2022/08/12

 * Performance improvements
-* Add UoT option for [SOCKS](/configuration/outbound/socks) outbound
+* Add UoT option for [SOCKS](/configuration/outbound/socks/) outbound

 ##### 2022/08/11

-* Add UoT option for [Shadowsocks](/configuration/outbound/shadowsocks) outbound, UoT support for all inbounds
+* Add UoT option for [Shadowsocks](/configuration/outbound/shadowsocks/) outbound, UoT support for all inbounds

 ##### 2022/08/10

-* Add full-featured [Naive](/configuration/inbound/naive) inbound
+* Add full-featured [Naive](/configuration/inbound/naive/) inbound
 * Fix default dns server option [#9] by iKirby

 ##### 2022/08/09
--- a/docs/clients/index.md
+++ b/docs/clients/index.md
@@ -2,11 +2,11 @@

 Maintained by Project S to provide a unified experience and platform-specific functionality.

-| Platform                              | Client                                  |
-|---------------------------------------|-----------------------------------------|
-| :material-android: Android            | [sing-box for Android](./android)       |
-| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple) |
-| :material-laptop: Desktop             | Working in progress                     |
+| Platform                              | Client                                   |
+|---------------------------------------|------------------------------------------|
+| :material-android: Android            | [sing-box for Android](./android/)       |
+| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple/) |
+| :material-laptop: Desktop             | Working in progress                      |

 Some third-party projects that claim to use sing-box or use sing-box as a selling point are not listed here. The core
 motivation of the maintainers of such projects is to acquire more users, and even though they provide friendly VPN
--- a/docs/clients/index.zh.md
+++ b/docs/clients/index.zh.md
@@ -4,8 +4,8 @@

 | 平台                                    | 客户端                                     |
 |---------------------------------------|-----------------------------------------|
-| :material-android: Android            | [sing-box for Android](./android)       |
-| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple) |
+| :material-android: Android            | [sing-box for Android](./android/)       |
+| :material-apple: iOS/macOS/Apple tvOS | [sing-box for Apple platforms](./apple/) |
 | :material-laptop: Desktop             | 施工中                                     |

 此处没有列出一些声称使用或以 sing-box 为卖点的第三方项目。此类项目维护者的动机是获得更多用户，即使它们提供友好的商业
--- a/docs/configuration/dns/index.md
+++ b/docs/configuration/dns/index.md
@@ -23,9 +23,9 @@

 | Key      | Format                         |
 |----------|--------------------------------|
-| `server` | List of [DNS Server](./server) |
-| `rules`  | List of [DNS Rule](./rule)     |
-| `fakeip` | [FakeIP](./fakeip)             |
+| `server` | List of [DNS Server](./server/) |
+| `rules`  | List of [DNS Rule](./rule/)     |
+| `fakeip` | [FakeIP](./fakeip/)             |

 #### final

@@ -62,4 +62,4 @@ problematic in environments such as macOS, where DNS is proxied and cached by th

 #### fakeip

-[FakeIP](./fakeip) settings.
+[FakeIP](./fakeip/) settings.
--- a/docs/configuration/dns/index.zh.md
+++ b/docs/configuration/dns/index.zh.md
@@ -21,10 +21,10 @@

 ### 字段

-| 键        | 格式                     |
-|----------|------------------------|
-| `server` | 一组 [DNS 服务器](./server) |
-| `rules`  | 一组 [DNS 规则](./rule)    |
+| 键        | 格式                      |
+|----------|-------------------------|
+| `server` | 一组 [DNS 服务器](./server/) |
+| `rules`  | 一组 [DNS 规则](./rule/)    |

 #### final

@@ -60,4 +60,4 @@

 #### fakeip

-[FakeIP](./fakeip) 设置。
+[FakeIP](./fakeip/) 设置。
--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@@ -124,7 +124,7 @@

 #### inbound

-Tags of [Inbound](/configuration/inbound).
+Tags of [Inbound](/configuration/inbound/).

 #### ip_version

--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@@ -121,7 +121,7 @@

 #### inbound

-[入站](/zh/configuration/inbound) 标签.
+[入站](/zh/configuration/inbound/) 标签.

 #### ip_version

--- a/docs/configuration/dns/server.md
+++ b/docs/configuration/dns/server.md
@@ -30,18 +30,18 @@ The tag of the dns server.

 The address of the dns server.

-| Protocol                            | Format                        |
-|-------------------------------------|-------------------------------|
-| `System`                            | `local`                       |
-| `TCP`                               | `tcp://1.0.0.1`               |
-| `UDP`                               | `8.8.8.8` `udp://8.8.4.4`     |
-| `TLS`                               | `tls://dns.google`            |
-| `HTTPS`                             | `https://1.1.1.1/dns-query`   |
-| `QUIC`                              | `quic://dns.adguard.com`      |
-| `HTTP3`                             | `h3://8.8.8.8/dns-query`      |
-| `RCode`                             | `rcode://refused`             |
-| `DHCP`                              | `dhcp://auto` or `dhcp://en0` |
-| [FakeIP](/configuration/dns/fakeip) | `fakeip`                      |
+| Protocol                             | Format                        |
+|--------------------------------------|-------------------------------|
+| `System`                             | `local`                       |
+| `TCP`                                | `tcp://1.0.0.1`               |
+| `UDP`                                | `8.8.8.8` `udp://8.8.4.4`     |
+| `TLS`                                | `tls://dns.google`            |
+| `HTTPS`                              | `https://1.1.1.1/dns-query`   |
+| `QUIC`                               | `quic://dns.adguard.com`      |
+| `HTTP3`                              | `h3://8.8.8.8/dns-query`      |
+| `RCode`                              | `rcode://refused`             |
+| `DHCP`                               | `dhcp://auto` or `dhcp://en0` |
+| [FakeIP](/configuration/dns/fakeip/) | `fakeip`                      |

 !!! warning ""

--- a/docs/configuration/dns/server.zh.md
+++ b/docs/configuration/dns/server.zh.md
@@ -30,18 +30,18 @@ DNS 服务器的标签。

 DNS 服务器的地址。

-| 协议                                  | 格式                           |
-|-------------------------------------|------------------------------|
-| `System`                            | `local`                      |
-| `TCP`                               | `tcp://1.0.0.1`              |
-| `UDP`                               | `8.8.8.8` `udp://8.8.4.4`    |
-| `TLS`                               | `tls://dns.google`           |
-| `HTTPS`                             | `https://1.1.1.1/dns-query`  |
-| `QUIC`                              | `quic://dns.adguard.com`     |
-| `HTTP3`                             | `h3://8.8.8.8/dns-query`     |
-| `RCode`                             | `rcode://refused`            |
-| `DHCP`                              | `dhcp://auto` 或 `dhcp://en0` |
-| [FakeIP](/configuration/dns/fakeip) | `fakeip`                     |
+| 协议                                   | 格式                           |
+|--------------------------------------|------------------------------|
+| `System`                             | `local`                      |
+| `TCP`                                | `tcp://1.0.0.1`              |
+| `UDP`                                | `8.8.8.8` `udp://8.8.4.4`    |
+| `TLS`                                | `tls://dns.google`           |
+| `HTTPS`                              | `https://1.1.1.1/dns-query`  |
+| `QUIC`                               | `quic://dns.adguard.com`     |
+| `HTTP3`                              | `h3://8.8.8.8/dns-query`     |
+| `RCode`                              | `rcode://refused`            |
+| `DHCP`                               | `dhcp://auto` 或 `dhcp://en0` |
+| [FakeIP](/configuration/dns/fakeip/) | `fakeip`                     |

 !!! warning ""

--- a/docs/configuration/inbound/direct.md
+++ b/docs/configuration/inbound/direct.md
@@ -17,7 +17,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/http.md
+++ b/docs/configuration/inbound/http.md
@@ -20,7 +20,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/hysteria.md
+++ b/docs/configuration/inbound/hysteria.md
@@ -35,7 +35,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/hysteria2.md
+++ b/docs/configuration/inbound/hysteria2.md
@@ -39,7 +39,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/index.md
+++ b/docs/configuration/inbound/index.md
@@ -15,24 +15,24 @@

 ### Fields

-| Type          | Format                       | Injectable |
-|---------------|------------------------------|------------|
-| `direct`      | [Direct](./direct)           | X          |
-| `mixed`       | [Mixed](./mixed)             | TCP        |
-| `socks`       | [SOCKS](./socks)             | TCP        |
-| `http`        | [HTTP](./http)               | TCP        |
-| `shadowsocks` | [Shadowsocks](./shadowsocks) | TCP        |
-| `vmess`       | [VMess](./vmess)             | TCP        |
-| `trojan`      | [Trojan](./trojan)           | TCP        |
-| `naive`       | [Naive](./naive)             | X          |
-| `hysteria`    | [Hysteria](./hysteria)       | X          |
-| `shadowtls`   | [ShadowTLS](./shadowtls)     | TCP        |
-| `tuic`        | [TUIC](./tuic)               | X          |
-| `hysteria2`   | [Hysteria2](./hysteria2)     | X          |
-| `vless`       | [VLESS](./vless)             | TCP        |
-| `tun`         | [Tun](./tun)                 | X          |
-| `redirect`    | [Redirect](./redirect)       | X          |
-| `tproxy`      | [TProxy](./tproxy)           | X          |
+| Type          | Format                        | Injectable |
+|---------------|-------------------------------|------------|
+| `direct`      | [Direct](./direct/)           | X          |
+| `mixed`       | [Mixed](./mixed/)             | TCP        |
+| `socks`       | [SOCKS](./socks/)             | TCP        |
+| `http`        | [HTTP](./http/)               | TCP        |
+| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP        |
+| `vmess`       | [VMess](./vmess/)             | TCP        |
+| `trojan`      | [Trojan](./trojan/)           | TCP        |
+| `naive`       | [Naive](./naive/)             | X          |
+| `hysteria`    | [Hysteria](./hysteria/)       | X          |
+| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP        |
+| `tuic`        | [TUIC](./tuic/)               | X          |
+| `hysteria2`   | [Hysteria2](./hysteria2/)     | X          |
+| `vless`       | [VLESS](./vless/)             | TCP        |
+| `tun`         | [Tun](./tun/)                 | X          |
+| `redirect`    | [Redirect](./redirect/)       | X          |
+| `tproxy`      | [TProxy](./tproxy/)           | X          |

 #### tag

--- a/docs/configuration/inbound/index.zh.md
+++ b/docs/configuration/inbound/index.zh.md
@@ -17,22 +17,22 @@

 | 类型            | 格式                           | 注入支持 |
 |---------------|------------------------------|------|
-| `direct`      | [Direct](./direct)           | X    |
-| `mixed`       | [Mixed](./mixed)             | TCP  |
-| `socks`       | [SOCKS](./socks)             | TCP  |
-| `http`        | [HTTP](./http)               | TCP  |
-| `shadowsocks` | [Shadowsocks](./shadowsocks) | TCP  |
-| `vmess`       | [VMess](./vmess)             | TCP  |
-| `trojan`      | [Trojan](./trojan)           | TCP  |
-| `naive`       | [Naive](./naive)             | X    |
-| `hysteria`    | [Hysteria](./hysteria)       | X    |
-| `shadowtls`   | [ShadowTLS](./shadowtls)     | TCP  |
-| `tuic`        | [TUIC](./tuic)               | X    |
-| `hysteria2`   | [Hysteria2](./hysteria2)     | X    |
-| `vless`       | [VLESS](./vless)             | TCP  |
-| `tun`         | [Tun](./tun)                 | X    |
-| `redirect`    | [Redirect](./redirect)       | X    |
-| `tproxy`      | [TProxy](./tproxy)           | X    |
+| `direct`      | [Direct](./direct/)           | X    |
+| `mixed`       | [Mixed](./mixed/)             | TCP  |
+| `socks`       | [SOCKS](./socks/)             | TCP  |
+| `http`        | [HTTP](./http/)               | TCP  |
+| `shadowsocks` | [Shadowsocks](./shadowsocks/) | TCP  |
+| `vmess`       | [VMess](./vmess/)             | TCP  |
+| `trojan`      | [Trojan](./trojan/)           | TCP  |
+| `naive`       | [Naive](./naive/)             | X    |
+| `hysteria`    | [Hysteria](./hysteria/)       | X    |
+| `shadowtls`   | [ShadowTLS](./shadowtls/)     | TCP  |
+| `tuic`        | [TUIC](./tuic/)               | X    |
+| `hysteria2`   | [Hysteria2](./hysteria2/)     | X    |
+| `vless`       | [VLESS](./vless/)             | TCP  |
+| `tun`         | [Tun](./tun/)                 | X    |
+| `redirect`    | [Redirect](./redirect/)       | X    |
+| `tproxy`      | [TProxy](./tproxy/)           | X    |

 #### tag

--- a/docs/configuration/inbound/mixed.md
+++ b/docs/configuration/inbound/mixed.md
@@ -21,7 +21,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/naive.md
+++ b/docs/configuration/inbound/naive.md
@@ -24,7 +24,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/redirect.md
+++ b/docs/configuration/inbound/redirect.md
@@ -15,4 +15,4 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.
--- a/docs/configuration/inbound/shadowsocks.md
+++ b/docs/configuration/inbound/shadowsocks.md
@@ -50,7 +50,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/shadowsocks.zh.md
+++ b/docs/configuration/inbound/shadowsocks.zh.md
@@ -50,7 +50,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### 字段

--- a/docs/configuration/inbound/shadowtls.md
+++ b/docs/configuration/inbound/shadowtls.md
@@ -35,7 +35,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

@@ -66,11 +66,11 @@ Only available in the ShadowTLS protocol 3.

 ==Required==

-Handshake server address and [Dial options](/configuration/shared/dial).
+Handshake server address and [Dial options](/configuration/shared/dial/).

 #### handshake_for_server_name

-Handshake server address and [Dial options](/configuration/shared/dial) for specific server name.
+Handshake server address and [Dial options](/configuration/shared/dial/) for specific server name.

 Only available in the ShadowTLS protocol 2/3.

--- a/docs/configuration/inbound/socks.md
+++ b/docs/configuration/inbound/socks.md
@@ -20,7 +20,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/tproxy.md
+++ b/docs/configuration/inbound/tproxy.md
@@ -17,7 +17,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/trojan.md
+++ b/docs/configuration/inbound/trojan.md
@@ -31,7 +31,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

@@ -65,4 +65,4 @@ See [Multiplex](/configuration/shared/multiplex#inbound) for details.

 #### transport

-V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).
+V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport/).
--- a/docs/configuration/inbound/trojan.zh.md
+++ b/docs/configuration/inbound/trojan.zh.md
@@ -67,4 +67,4 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 #### transport

-V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。
+V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport/)。
--- a/docs/configuration/inbound/tuic.md
+++ b/docs/configuration/inbound/tuic.md
@@ -28,7 +28,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

--- a/docs/configuration/inbound/tun.md
+++ b/docs/configuration/inbound/tun.md
@@ -29,6 +29,7 @@
    "fc00::/7"
  ],
  "endpoint_independent_nat": false,
+  "udp_timeout": "5m",
  "stack": "system",
  "include_interface": [
    "lan0"
@@ -240,4 +241,4 @@ System HTTP proxy settings.

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.
--- a/docs/configuration/inbound/tun.zh.md
+++ b/docs/configuration/inbound/tun.zh.md
@@ -29,6 +29,7 @@
    "fc00::/7"
  ],
  "endpoint_independent_nat": false,
+  "udp_timeout": "5m",
  "stack": "system",
  "include_interface": [
    "lan0"
--- a/docs/configuration/inbound/vless.md
+++ b/docs/configuration/inbound/vless.md
@@ -22,7 +22,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

@@ -56,4 +56,4 @@ See [Multiplex](/configuration/shared/multiplex#inbound) for details.

 #### transport

-V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).
+V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport/).
--- a/docs/configuration/inbound/vless.zh.md
+++ b/docs/configuration/inbound/vless.zh.md
@@ -56,4 +56,4 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 #### transport

-V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。
+V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport/)。
--- a/docs/configuration/inbound/vmess.md
+++ b/docs/configuration/inbound/vmess.md
@@ -22,7 +22,7 @@

 ### Listen Fields

-See [Listen Fields](/configuration/shared/listen) for details.
+See [Listen Fields](/configuration/shared/listen/) for details.

 ### Fields

@@ -51,4 +51,4 @@ See [Multiplex](/configuration/shared/multiplex#inbound) for details.

 #### transport

-V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).
+V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport/).
--- a/docs/configuration/inbound/vmess.zh.md
+++ b/docs/configuration/inbound/vmess.zh.md
@@ -51,4 +51,4 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#inbound)。

 #### transport

-V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。
+V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport/)。
--- a/docs/configuration/index.md
+++ b/docs/configuration/index.md
@@ -18,15 +18,15 @@ sing-box uses JSON for configuration files.

 ### Fields

-| Key            | Format                         |
-|----------------|--------------------------------|
-| `log`          | [Log](./log)                   |
-| `dns`          | [DNS](./dns)                   |
-| `ntp`          | [NTP](./ntp)                   |
-| `inbounds`     | [Inbound](./inbound)           |
-| `outbounds`    | [Outbound](./outbound)         |
-| `route`        | [Route](./route)               |
-| `experimental` | [Experimental](./experimental) |
+| Key            | Format                          |
+|----------------|---------------------------------|
+| `log`          | [Log](./log/)                   |
+| `dns`          | [DNS](./dns/)                   |
+| `ntp`          | [NTP](./ntp/)                   |
+| `inbounds`     | [Inbound](./inbound/)           |
+| `outbounds`    | [Outbound](./outbound/)         |
+| `route`        | [Route](./route/)               |
+| `experimental` | [Experimental](./experimental/) |

 ### Check

--- a/docs/configuration/index.zh.md
+++ b/docs/configuration/index.zh.md
@@ -17,14 +17,14 @@ sing-box 使用 JSON 作为配置文件格式。

 ### 字段

-| Key            | Format                |
-|----------------|-----------------------|
-| `log`          | [日志](./log)           |
-| `dns`          | [DNS](./dns)          |
-| `inbounds`     | [入站](./inbound)       |
-| `outbounds`    | [出站](./outbound)      |
-| `route`        | [路由](./route)         |
-| `experimental` | [实验性](./experimental) |
+| Key            | Format                 |
+|----------------|------------------------|
+| `log`          | [日志](./log/)           |
+| `dns`          | [DNS](./dns/)          |
+| `inbounds`     | [入站](./inbound/)       |
+| `outbounds`    | [出站](./outbound/)      |
+| `route`        | [路由](./route/)         |
+| `experimental` | [实验性](./experimental/) |

 ### 检查

--- a/docs/configuration/ntp/index.md
+++ b/docs/configuration/ntp/index.md
@@ -47,4 +47,4 @@ Time synchronization interval.

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/direct.md
+++ b/docs/configuration/outbound/direct.md
@@ -33,4 +33,4 @@ Protocol value can be `1` or `2`.

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/http.md
+++ b/docs/configuration/outbound/http.md
@@ -55,4 +55,4 @@ TLS configuration, see [TLS](/configuration/shared/tls/#outbound).

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/hysteria.md
+++ b/docs/configuration/outbound/hysteria.md
@@ -113,4 +113,4 @@ TLS configuration, see [TLS](/configuration/shared/tls/#outbound).

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/hysteria2.md
+++ b/docs/configuration/outbound/hysteria2.md
@@ -88,4 +88,4 @@ Enable debug information logging for Hysteria Brutal CC.

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/index.md
+++ b/docs/configuration/outbound/index.md
@@ -15,27 +15,27 @@

 ### Fields

-| Type           | Format                         |
-|----------------|--------------------------------|
-| `direct`       | [Direct](./direct)             |
-| `block`        | [Block](./block)               |
-| `socks`        | [SOCKS](./socks)               |
-| `http`         | [HTTP](./http)                 |
-| `shadowsocks`  | [Shadowsocks](./shadowsocks)   |
-| `vmess`        | [VMess](./vmess)               |
-| `trojan`       | [Trojan](./trojan)             |
-| `wireguard`    | [Wireguard](./wireguard)       |
-| `hysteria`     | [Hysteria](./hysteria)         |
-| `shadowsocksr` | [ShadowsocksR](./shadowsocksr) |
-| `vless`        | [VLESS](./vless)               |
-| `shadowtls`    | [ShadowTLS](./shadowtls)       |
-| `tuic`         | [TUIC](./tuic)                 |
-| `hysteria2`    | [Hysteria2](./hysteria2)       |
-| `tor`          | [Tor](./tor)                   |
-| `ssh`          | [SSH](./ssh)                   |
-| `dns`          | [DNS](./dns)                   |
-| `selector`     | [Selector](./selector)         |
-| `urltest`      | [URLTest](./urltest)           |
+| Type           | Format                          |
+|----------------|---------------------------------|
+| `direct`       | [Direct](./direct/)             |
+| `block`        | [Block](./block/)               |
+| `socks`        | [SOCKS](./socks/)               |
+| `http`         | [HTTP](./http/)                 |
+| `shadowsocks`  | [Shadowsocks](./shadowsocks/)   |
+| `vmess`        | [VMess](./vmess/)               |
+| `trojan`       | [Trojan](./trojan/)             |
+| `wireguard`    | [Wireguard](./wireguard/)       |
+| `hysteria`     | [Hysteria](./hysteria/)         |
+| `shadowsocksr` | [ShadowsocksR](./shadowsocksr/) |
+| `vless`        | [VLESS](./vless/)               |
+| `shadowtls`    | [ShadowTLS](./shadowtls/)       |
+| `tuic`         | [TUIC](./tuic/)                 |
+| `hysteria2`    | [Hysteria2](./hysteria2/)       |
+| `tor`          | [Tor](./tor/)                   |
+| `ssh`          | [SSH](./ssh/)                   |
+| `dns`          | [DNS](./dns/)                   |
+| `selector`     | [Selector](./selector/)         |
+| `urltest`      | [URLTest](./urltest/)           |

 #### tag

--- a/docs/configuration/outbound/index.zh.md
+++ b/docs/configuration/outbound/index.zh.md
@@ -15,27 +15,27 @@

 ### 字段

-| 类型             | 格式                             |
-|----------------|--------------------------------|
-| `direct`       | [Direct](./direct)             |
-| `block`        | [Block](./block)               |
-| `socks`        | [SOCKS](./socks)               |
-| `http`         | [HTTP](./http)                 |
-| `shadowsocks`  | [Shadowsocks](./shadowsocks)   |
-| `vmess`        | [VMess](./vmess)               |
-| `trojan`       | [Trojan](./trojan)             |
-| `wireguard`    | [Wireguard](./wireguard)       |
-| `hysteria`     | [Hysteria](./hysteria)         |
-| `shadowsocksr` | [ShadowsocksR](./shadowsocksr) |
-| `vless`        | [VLESS](./vless)               |
-| `shadowtls`    | [ShadowTLS](./shadowtls)       |
-| `tuic`         | [TUIC](./tuic)                 |
-| `hysteria2`    | [Hysteria2](./hysteria2)       |
-| `tor`          | [Tor](./tor)                   |
-| `ssh`          | [SSH](./ssh)                   |
-| `dns`          | [DNS](./dns)                   |
-| `selector`     | [Selector](./selector)         |
-| `urltest`      | [URLTest](./urltest)           |
+| 类型             | 格式                              |
+|----------------|---------------------------------|
+| `direct`       | [Direct](./direct/)             |
+| `block`        | [Block](./block/)               |
+| `socks`        | [SOCKS](./socks/)               |
+| `http`         | [HTTP](./http/)                 |
+| `shadowsocks`  | [Shadowsocks](./shadowsocks/)   |
+| `vmess`        | [VMess](./vmess/)               |
+| `trojan`       | [Trojan](./trojan/)             |
+| `wireguard`    | [Wireguard](./wireguard/)       |
+| `hysteria`     | [Hysteria](./hysteria/)         |
+| `shadowsocksr` | [ShadowsocksR](./shadowsocksr/) |
+| `vless`        | [VLESS](./vless/)               |
+| `shadowtls`    | [ShadowTLS](./shadowtls/)       |
+| `tuic`         | [TUIC](./tuic/)                 |
+| `hysteria2`    | [Hysteria2](./hysteria2/)       |
+| `tor`          | [Tor](./tor/)                   |
+| `ssh`          | [SSH](./ssh/)                   |
+| `dns`          | [DNS](./dns/)                   |
+| `selector`     | [Selector](./selector/)         |
+| `urltest`      | [URLTest](./urltest/)           |

 #### tag

--- a/docs/configuration/outbound/shadowsocks.md
+++ b/docs/configuration/outbound/shadowsocks.md
@@ -89,7 +89,7 @@ Both is enabled by default.

 UDP over TCP configuration.

-See [UDP Over TCP](/configuration/shared/udp-over-tcp) for details.
+See [UDP Over TCP](/configuration/shared/udp-over-tcp/) for details.

 Conflict with `multiplex`.

@@ -99,4 +99,4 @@ See [Multiplex](/configuration/shared/multiplex#outbound) for details.

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/shadowsocks.zh.md
+++ b/docs/configuration/outbound/shadowsocks.zh.md
@@ -89,7 +89,7 @@ Shadowsocks SIP003 插件参数。

 UDP over TCP 配置。

-参阅 [UDP Over TCP](/zh/configuration/shared/udp-over-tcp)。
+参阅 [UDP Over TCP](/zh/configuration/shared/udp-over-tcp/)。

 与 `multiplex` 冲突。

--- a/docs/configuration/outbound/shadowsocksr.md
+++ b/docs/configuration/outbound/shadowsocksr.md
@@ -103,4 +103,4 @@ Both is enabled by default.

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/shadowtls.md
+++ b/docs/configuration/outbound/shadowtls.md
@@ -53,4 +53,4 @@ TLS configuration, see [TLS](/configuration/shared/tls/#outbound).

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/socks.md
+++ b/docs/configuration/outbound/socks.md
@@ -59,8 +59,8 @@ Both is enabled by default.

 UDP over TCP protocol settings.

-See [UDP Over TCP](/configuration/shared/udp-over-tcp) for details.
+See [UDP Over TCP](/configuration/shared/udp-over-tcp/) for details.

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/socks.zh.md
+++ b/docs/configuration/outbound/socks.zh.md
@@ -59,7 +59,7 @@ SOCKS5 密码。

 UDP over TCP 配置。

-参阅 [UDP Over TCP](/zh/configuration/shared/udp-over-tcp)。
+参阅 [UDP Over TCP](/zh/configuration/shared/udp-over-tcp/)。

 ### 拨号字段

--- a/docs/configuration/outbound/ssh.md
+++ b/docs/configuration/outbound/ssh.md
@@ -68,4 +68,4 @@ Client version. Random version will be used if empty.

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/tor.md
+++ b/docs/configuration/outbound/tor.md
@@ -48,4 +48,4 @@ See [tor(1)](https://linux.die.net/man/1/tor) for details.

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/trojan.md
+++ b/docs/configuration/outbound/trojan.md
@@ -55,8 +55,8 @@ See [Multiplex](/configuration/shared/multiplex#outbound) for details.

 #### transport

-V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).
+V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport/).

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/trojan.zh.md
+++ b/docs/configuration/outbound/trojan.zh.md
@@ -55,7 +55,7 @@ TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。

 #### transport

-V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。
+V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport/)。

 ### 拨号字段

--- a/docs/configuration/outbound/tuic.md
+++ b/docs/configuration/outbound/tuic.md
@@ -72,7 +72,7 @@ Conflict with `udp_over_stream`.

 #### udp_over_stream

-This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp), designed to provide a QUIC
+This is the TUIC port of the [UDP over TCP protocol](/configuration/shared/udp-over-tcp/), designed to provide a QUIC
 stream based UDP relay mode that TUIC does not provide. Since it is an add-on protocol, you will need to use sing-box or
 another program compatible with the protocol as a server.

@@ -97,4 +97,4 @@ TLS configuration, see [TLS](/configuration/shared/tls/#outbound).

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/tuic.zh.md
+++ b/docs/configuration/outbound/tuic.zh.md
@@ -70,7 +70,7 @@ UDP 包中继模式

 #### udp_over_stream

-这是 TUIC 的 [UDP over TCP 协议](/configuration/shared/udp-over-tcp) 移植， 旨在提供 TUIC 不提供的 基于 QUIC 流的 UDP 中继模式。 由于它是一个附加协议，因此您需要使用 sing-box 或其他兼容的程序作为服务器。
+这是 TUIC 的 [UDP over TCP 协议](/configuration/shared/udp-over-tcp/) 移植， 旨在提供 TUIC 不提供的 基于 QUIC 流的 UDP 中继模式。 由于它是一个附加协议，因此您需要使用 sing-box 或其他兼容的程序作为服务器。

 此模式在正确的 UDP 代理场景中没有任何积极作用，仅适用于中继流式 UDP 流量（基本上是 QUIC 流）。

--- a/docs/configuration/outbound/vless.md
+++ b/docs/configuration/outbound/vless.md
@@ -75,8 +75,8 @@ See [Multiplex](/configuration/shared/multiplex#outbound) for details.

 #### transport

-V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).
+V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport/).

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/vless.zh.md
+++ b/docs/configuration/outbound/vless.zh.md
@@ -75,7 +75,7 @@ UDP 包编码，默认使用 xudp。

 #### transport

-V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。
+V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport/)。

 ### 拨号字段

--- a/docs/configuration/outbound/vmess.md
+++ b/docs/configuration/outbound/vmess.md
@@ -100,8 +100,8 @@ See [Multiplex](/configuration/shared/multiplex#outbound) for details.

 #### transport

-V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport).
+V2Ray Transport configuration, see [V2Ray Transport](/configuration/shared/v2ray-transport/).

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/vmess.zh.md
+++ b/docs/configuration/outbound/vmess.zh.md
@@ -100,7 +100,7 @@ UDP 包编码。

 #### transport

-V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport)。
+V2Ray 传输配置，参阅 [V2Ray 传输层](/zh/configuration/shared/v2ray-transport/)。

 ### 拨号字段

--- a/docs/configuration/outbound/wireguard.md
+++ b/docs/configuration/outbound/wireguard.md
@@ -139,4 +139,4 @@ Both is enabled by default.

 ### Dial Fields

-See [Dial Fields](/configuration/shared/dial) for details.
+See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/route/index.md
+++ b/docs/configuration/route/index.md
@@ -19,11 +19,11 @@

 ### Fields

-| Key        | Format                             |
-|------------|------------------------------------|
-| `geoip`    | [GeoIP](./geoip)                   |
-| `geosite`  | [Geosite](./geosite)               |
-| `rules`    | List of [Route Rule](./rule)       |
+| Key       | Format                        |
+|-----------|-------------------------------|
+| `geoip`   | [GeoIP](./geoip/)             |
+| `geosite` | [Geosite](./geosite/)         |
+| `rules`   | List of [Route Rule](./rule/) |

 #### final

--- a/docs/configuration/route/index.zh.md
+++ b/docs/configuration/route/index.zh.md
@@ -20,11 +20,11 @@

 ### 字段

-| 键          | 格式                      |
-|------------|-------------------------|
-| `geoip`    | [GeoIP](./geoip)        |
-| `geosite`  | [GeoSite](./geosite)    |
-| `rules`    | 一组 [路由规则](./rule)       |
+| 键         | 格式                    |
+|-----------|-----------------------|
+| `geoip`   | [GeoIP](./geoip/)     |
+| `geosite` | [GeoSite](./geosite/) |
+| `rules`   | 一组 [路由规则](./rule/)    |

 #### final

--- a/docs/configuration/route/rule.md
+++ b/docs/configuration/route/rule.md
@@ -122,7 +122,7 @@

 #### inbound

-Tags of [Inbound](/configuration/inbound).
+Tags of [Inbound](/configuration/inbound/).

 #### ip_version

--- a/docs/configuration/route/rule.zh.md
+++ b/docs/configuration/route/rule.zh.md
@@ -120,7 +120,7 @@

 #### inbound

-[入站](/zh/configuration/inbound) 标签。
+[入站](/zh/configuration/inbound/) 标签。

 #### ip_version

--- a/docs/configuration/shared/listen.md
+++ b/docs/configuration/shared/listen.md
@@ -7,7 +7,7 @@
  "tcp_fast_open": false,
  "tcp_multi_path": false,
  "udp_fragment": false,
-  "udp_timeout": 300,
+  "udp_timeout": "5m",
  "detour": "another-in",
  "sniff": false,
  "sniff_override_destination": false,
@@ -19,14 +19,14 @@

 ### Fields

-| Field                          | Available Context                                                 |
-|--------------------------------|-------------------------------------------------------------------|
-| `listen`                       | Needs to listen on TCP or UDP.                                    |
-| `listen_port`                  | Needs to listen on TCP or UDP.                                    |
-| `tcp_fast_open`                | Needs to listen on TCP.                                           |
-| `tcp_multi_path`               | Needs to listen on TCP.                                           |
-| `udp_timeout`                  | Needs to assemble UDP connections, currently Tun and Shadowsocks. |
-| `udp_disable_domain_unmapping` | Needs to listen on UDP and accept domain UDP addresses.           |
+| Field                          | Available Context                                       |
+|--------------------------------|---------------------------------------------------------|
+| `listen`                       | Needs to listen on TCP or UDP.                          |
+| `listen_port`                  | Needs to listen on TCP or UDP.                          |
+| `tcp_fast_open`                | Needs to listen on TCP.                                 |
+| `tcp_multi_path`               | Needs to listen on TCP.                                 |
+| `udp_timeout`                  | Needs to assemble UDP connections.                      |
+| `udp_disable_domain_unmapping` | Needs to listen on UDP and accept domain UDP addresses. |

 #### listen

@@ -56,7 +56,9 @@ Enable UDP fragmentation.

 #### udp_timeout

-UDP NAT expiration time in seconds, default is 300 (5 minutes).
+UDP NAT expiration time in seconds.
+
+`5m` is used by default.

 #### detour

--- a/docs/configuration/shared/listen.zh.md
+++ b/docs/configuration/shared/listen.zh.md
@@ -7,7 +7,7 @@
  "tcp_fast_open": false,
  "tcp_multi_path": false,
  "udp_fragment": false,
-  "udp_timeout": 300,
+  "udp_timeout": "5m",
  "detour": "another-in",
  "sniff": false,
  "sniff_override_destination": false,
@@ -18,13 +18,13 @@
 ```


-| 字段                                | 可用上下文                               |
-|-----------------------------------|-------------------------------------|
-| `listen`                          | 需要监听 TCP 或 UDP。                     |
-| `listen_port`                     | 需要监听 TCP 或 UDP。                     |
-| `tcp_fast_open`                   | 需要监听 TCP。                           |
-| `tcp_multi_path`                  | 需要监听 TCP。                           |
-| `udp_timeout`                     | 需要组装 UDP 连接, 当前为 Tun 和 Shadowsocks。 |
+| 字段               | 可用上下文           |
+|------------------|-----------------|
+| `listen`         | 需要监听 TCP 或 UDP。 |
+| `listen_port`    | 需要监听 TCP 或 UDP。 |
+| `tcp_fast_open`  | 需要监听 TCP。       |
+| `tcp_multi_path` | 需要监听 TCP。       |
+| `udp_timeout`    | 需要组装 UDP 连接。    |
 | 

 ### 字段
@@ -57,7 +57,9 @@

 #### udp_timeout

-UDP NAT 过期时间，以秒为单位，默认为 300（5 分钟）。
+UDP NAT 过期时间，以秒为单位。
+
+默认使用 `5m`。

 #### detour

--- a/docs/configuration/shared/multiplex.md
+++ b/docs/configuration/shared/multiplex.md
@@ -35,7 +35,7 @@ If enabled, non-padded connections will be rejected.

 #### brutal

-See [TCP Brutal](/configuration/shared/tcp-brutal) for details.
+See [TCP Brutal](/configuration/shared/tcp-brutal/) for details.

 ### Outbound Fields

@@ -83,4 +83,4 @@ Enable padding.

 #### brutal

-See [TCP Brutal](/configuration/shared/tcp-brutal) for details.
+See [TCP Brutal](/configuration/shared/tcp-brutal/) for details.
--- a/docs/configuration/shared/multiplex.zh.md
+++ b/docs/configuration/shared/multiplex.zh.md
@@ -34,7 +34,7 @@

 #### brutal

-参阅 [TCP Brutal](/zh/configuration/shared/tcp-brutal)。
+参阅 [TCP Brutal](/zh/configuration/shared/tcp-brutal/)。

 ### 出站字段

@@ -82,4 +82,4 @@

 #### brutal

-参阅 [TCP Brutal](/zh/configuration/shared/tcp-brutal)。
+参阅 [TCP Brutal](/zh/configuration/shared/tcp-brutal/)。
--- a/docs/configuration/shared/tls.md
+++ b/docs/configuration/shared/tls.md
@@ -164,10 +164,9 @@ By default, the maximum version is currently TLS 1.3.

 #### cipher_suites

-The elliptic curves that will be used in an ECDHE handshake, in preference order.
+A list of enabled TLS 1.0–1.2 cipher suites. The order of the list is ignored. Note that TLS 1.3 cipher suites are not configurable.

-If empty, the default will be used. The client will use the first preference as the type for its key share in TLS 1.3.
-This may change in the future.
+If empty, a safe default list is used. The default cipher suites might change over time.

 #### certificate

@@ -353,7 +352,7 @@ The MAC key.

 ACME DNS01 challenge field. If configured, other challenge methods will be disabled.

-See [DNS01 Challenge Fields](/configuration/shared/dns01_challenge) for details.
+See [DNS01 Challenge Fields](/configuration/shared/dns01_challenge/) for details.

 ### Reality Fields

@@ -371,7 +370,7 @@ See [DNS01 Challenge Fields](/configuration/shared/dns01_challenge) for details.

 ==Required==

-Handshake server address and [Dial options](/configuration/shared/dial).
+Handshake server address and [Dial options](/configuration/shared/dial/).

 #### private_key

--- a/docs/configuration/shared/tls.zh.md
+++ b/docs/configuration/shared/tls.zh.md
@@ -162,12 +162,9 @@ TLS 版本值：

 #### cipher_suites

-将在 ECDHE 握手中使用的椭圆曲线，按优先顺序排列。
+启用的 TLS 1.0-1.2密码套件的列表。列表的顺序被忽略。请注意，TLS 1.3 的密码套件是不可配置的。

-如果为空，将使用默认值。
-
-客户端将使用第一个首选项作为其在 TLS 1.3 中的密钥共享类型。
-这在未来可能会改变。
+如果为空，则使用安全的默认列表。默认密码套件可能会随着时间的推移而改变。

 #### certificate

@@ -344,7 +341,7 @@ MAC 密钥。

 ACME DNS01 验证字段。如果配置，将禁用其他验证方法。

-参阅 [DNS01 验证字段](/configuration/shared/dns01_challenge)。
+参阅 [DNS01 验证字段](/configuration/shared/dns01_challenge/)。

 ### Reality 字段

--- a/docs/configuration/shared/v2ray-transport.md
+++ b/docs/configuration/shared/v2ray-transport.md
@@ -53,9 +53,15 @@ The client will choose randomly and the server will verify if not empty.

 #### path

+!!! warning
+
+    V2Ray's documentation says that the path between the server and the client must be consistent, 
+    but the actual code allows the client to add any suffix to the path.
+    sing-box uses the same behavior as V2Ray, but note that the behavior does not exist in `WebSocket` and `HTTPUpgrade` transport.
+
 Path of HTTP request.

-The server will verify if not empty.
+The server will verify.

 #### method

@@ -77,7 +83,10 @@ Specifies the time until idle clients should be closed with a GOAWAY frame. PING

 In HTTP2 client:

-Specifies the period of time after which a health check will be performed using a ping frame if no frames have been received on the connection. Please note that a ping response is considered a received frame, so if there is no other traffic on the connection, the health check will be executed every interval. If the value is zero, no health check will be performed.
+Specifies the period of time after which a health check will be performed using a ping frame if no frames have been
+received on the connection.Please note that a ping response is considered a received frame, so if there is no other
+traffic on the connection, the health check will be executed every interval. If the value is zero, no health check will
+be performed.

 Zero is used by default.

@@ -85,7 +94,9 @@ Zero is used by default.

 In HTTP2 client:

-Specifies the timeout duration after sending a PING frame, within which a response must be received. If a response to the PING frame is not received within the specified timeout duration, the connection will be closed. The default timeout duration is 15 seconds.
+Specifies the timeout duration after sending a PING frame, within which a response must be received.
+If a response to the PING frame is not received within the specified timeout duration, the connection will be closed.
+The default timeout duration is 15 seconds.

 ### WebSocket

@@ -103,12 +114,14 @@ Specifies the timeout duration after sending a PING frame, within which a respon

 Path of HTTP request.

-The server will verify if not empty.
+The server will verify.

 #### headers

 Extra headers of HTTP request.

+The server will write in response if not empty.
+
 #### max_early_data

 Allowed payload size is in the request. Enabled if not zero.
@@ -162,7 +175,8 @@ Service name of gRPC.

 In standard gRPC server/client:

-If the transport doesn't see any activity after a duration of this time, it pings the client to check if the connection is still active.
+If the transport doesn't see any activity after a duration of this time,
+it pings the client to check if the connection is still active.

 In default gRPC server/client:

@@ -172,7 +186,8 @@ It has the same behavior as the corresponding setting in HTTP transport.

 In standard gRPC server/client:

-The timeout that after performing a keepalive check, the client will wait for activity. If no activity is detected, the connection will be closed.
+The timeout that after performing a keepalive check, the client will wait for activity.
+If no activity is detected, the connection will be closed.

 In default gRPC server/client:

@@ -182,7 +197,9 @@ It has the same behavior as the corresponding setting in HTTP transport.

 In standard gRPC client:

-If enabled, the client transport sends keepalive pings even with no active connections. If disabled, when there are no active connections, `idle_timeout` and `ping_timeout` will be ignored and no keepalive pings will be sent.
+If enabled, the client transport sends keepalive pings even with no active connections.
+If disabled, when there are no active connections, `idle_timeout` and `ping_timeout` will be ignored and no keepalive
+pings will be sent.

 Disabled by default.

@@ -207,7 +224,7 @@ The server will verify if not empty.

 Path of HTTP request.

-The server will verify if not empty.
+The server will verify.

 #### headers

--- a/docs/configuration/shared/v2ray-transport.zh.md
+++ b/docs/configuration/shared/v2ray-transport.zh.md
@@ -48,25 +48,30 @@ V2Ray Transport 是 v2ray 发明的一组私有协议，并污染了其他协议

 主机域名列表。

-客户端将随机选择，默认服务器将验证。
+如果设置，客户端将随机选择，服务器将验证。

 #### path

+!!! warning
+
+    V2Ray 文档称服务端和客户端的路径必须一致，但实际代码允许客户端向路径添加任何后缀。
+    sing-box 使用与 V2Ray 相同的行为，但请注意，该行为在 `WebSocket` 和 `HTTPUpgrade` 传输层中不存在。
+
 HTTP 请求路径

-默认服务器将验证。
+服务器将验证。

 #### method

 HTTP 请求方法

-默认服务器将验证。
+如果设置，服务器将验证。

 #### headers

 HTTP 请求的额外标头

-默认服务器将写入响应。
+如果设置，服务器将写入响应。

 #### idle_timeout

@@ -102,11 +107,13 @@ HTTP 请求的额外标头

 HTTP 请求路径

-默认服务器将验证。
+服务器将验证。

 #### headers

-HTTP 请求的额外标头。
+HTTP 请求的额外标头
+
+如果设置，服务器将写入响应。

 #### max_early_data

@@ -200,16 +207,16 @@ gRPC 服务名称。

 主机域名。

-默认服务器将验证。
+服务器将验证。

 #### path

 HTTP 请求路径

-默认服务器将验证。
+服务器将验证。

 #### headers

 HTTP 请求的额外标头。

-默认服务器将写入响应。
+如果设置，服务器将写入响应。
--- a/docs/installation/build-from-source.md
+++ b/docs/installation/build-from-source.md
@@ -43,21 +43,21 @@ go build -tags "tag_a tag_b" ./cmd/sing-box

 ## :material-folder-settings: Build Tags

-| Build Tag                          | Enabled by default | Description                                                                                                                                                                                                                                                                                                                |
-|------------------------------------|--------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `with_quic`                        | ✔                  | Build with QUIC support, see [QUIC and HTTP3 DNS transports](/configuration/dns/server), [Naive inbound](/configuration/inbound/naive), [Hysteria Inbound](/configuration/inbound/hysteria), [Hysteria Outbound](/configuration/outbound/hysteria) and [V2Ray Transport#QUIC](/configuration/shared/v2ray-transport#quic). |
-| `with_grpc`                        | ✖️                 | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                  |
-| `with_dhcp`                        | ✔                  | Build with DHCP support, see [DHCP DNS transport](/configuration/dns/server).                                                                                                                                                                                                                                              |
-| `with_wireguard`                   | ✔                  | Build with WireGuard support, see [WireGuard outbound](/configuration/outbound/wireguard).                                                                                                                                                                                                                                 |
-| `with_ech`                         | ✔                  | Build with TLS ECH extension support for TLS outbound, see [TLS](/configuration/shared/tls#ech).                                                                                                                                                                                                                           |
-| `with_utls`                        | ✔                  | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls).                                                                                                                                                                                      |
-| `with_reality_server`              | ✔                  | Build with reality TLS server support,  see [TLS](/configuration/shared/tls).                                                                                                                                                                                                                                              |
-| `with_acme`                        | ✔                  | Build with ACME TLS certificate issuer support, see [TLS](/configuration/shared/tls).                                                                                                                                                                                                                                      |
-| `with_clash_api`                   | ✔                  | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields).                                                                                                                                                                                                                            |
-| `with_v2ray_api`                   | ✖️                 | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                            |
-| `with_gvisor`                      | ✔                  | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                               |
-| `with_embedded_tor` (CGO required) | ✖️                 | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor).                                                                                                                                                                                                                                          |
-| `with_lwip` (CGO required)         | ✖️                 | Build with LWIP Tun stack support, see [Tun inbound](/configuration/inbound/tun#stack).                                                                                                                                                                                                                                    |
+| Build Tag                          | Enabled by default | Description                                                                                                                                                                                                                                                                                                                    |
+|------------------------------------|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `with_quic`                        | ✔                  | Build with QUIC support, see [QUIC and HTTP3 DNS transports](/configuration/dns/server/), [Naive inbound](/configuration/inbound/naive/), [Hysteria Inbound](/configuration/inbound/hysteria/), [Hysteria Outbound](/configuration/outbound/hysteria/) and [V2Ray Transport#QUIC](/configuration/shared/v2ray-transport#quic). |
+| `with_grpc`                        | ✖️                 | Build with standard gRPC support, see [V2Ray Transport#gRPC](/configuration/shared/v2ray-transport#grpc).                                                                                                                                                                                                                      |
+| `with_dhcp`                        | ✔                  | Build with DHCP support, see [DHCP DNS transport](/configuration/dns/server/).                                                                                                                                                                                                                                                 |
+| `with_wireguard`                   | ✔                  | Build with WireGuard support, see [WireGuard outbound](/configuration/outbound/wireguard/).                                                                                                                                                                                                                                    |
+| `with_ech`                         | ✔                  | Build with TLS ECH extension support for TLS outbound, see [TLS](/configuration/shared/tls#ech).                                                                                                                                                                                                                               |
+| `with_utls`                        | ✔                  | Build with [uTLS](https://github.com/refraction-networking/utls) support for TLS outbound, see [TLS](/configuration/shared/tls#utls).                                                                                                                                                                                          |
+| `with_reality_server`              | ✔                  | Build with reality TLS server support,  see [TLS](/configuration/shared/tls/).                                                                                                                                                                                                                                                 |
+| `with_acme`                        | ✔                  | Build with ACME TLS certificate issuer support, see [TLS](/configuration/shared/tls/).                                                                                                                                                                                                                                         |
+| `with_clash_api`                   | ✔                  | Build with Clash API support, see [Experimental](/configuration/experimental#clash-api-fields).                                                                                                                                                                                                                                |
+| `with_v2ray_api`                   | ✖️                 | Build with V2Ray API support, see [Experimental](/configuration/experimental#v2ray-api-fields).                                                                                                                                                                                                                                |
+| `with_gvisor`                      | ✔                  | Build with gVisor support, see [Tun inbound](/configuration/inbound/tun#stack) and [WireGuard outbound](/configuration/outbound/wireguard#system_interface).                                                                                                                                                                   |
+| `with_embedded_tor` (CGO required) | ✖️                 | Build with embedded Tor support, see [Tor outbound](/configuration/outbound/tor/).                                                                                                                                                                                                                                             |
+| `with_lwip` (CGO required)         | ✖️                 | Build with LWIP Tun stack support, see [Tun inbound](/configuration/inbound/tun#stack).                                                                                                                                                                                                                                        |


 It is not recommended to change the default build tag list unless you really know what you are adding.
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/cloudflare/circl v1.3.6
 	github.com/cretz/bine v0.2.0
 	github.com/fsnotify/fsnotify v1.7.0
-	github.com/go-chi/chi/v5 v5.0.10
+	github.com/go-chi/chi/v5 v5.0.11
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/render v1.0.3
 	github.com/gofrs/uuid/v5 v5.0.0
@@ -26,10 +26,10 @@ require (
 	github.com/sagernet/gvisor v0.0.0-20231119034329-07cfb6aaf930
 	github.com/sagernet/quic-go v0.40.0
 	github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691
-	github.com/sagernet/sing v0.2.19
-	github.com/sagernet/sing-dns v0.1.11
-	github.com/sagernet/sing-mux v0.1.5
-	github.com/sagernet/sing-quic v0.1.5
+	github.com/sagernet/sing v0.2.20
+	github.com/sagernet/sing-dns v0.1.12
+	github.com/sagernet/sing-mux v0.1.6
+	github.com/sagernet/sing-quic v0.1.6
 	github.com/sagernet/sing-shadowsocks v0.2.6
 	github.com/sagernet/sing-shadowsocks2 v0.1.5
 	github.com/sagernet/sing-shadowtls v0.1.4
@@ -44,12 +44,12 @@ require (
 	github.com/stretchr/testify v1.8.4
 	go.uber.org/zap v1.26.0
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.16.0
+	golang.org/x/crypto v0.17.0
 	golang.org/x/net v0.19.0
 	golang.org/x/sys v0.15.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
-	google.golang.org/grpc v1.59.0
-	google.golang.org/protobuf v1.31.0
+	google.golang.org/grpc v1.60.1
+	google.golang.org/protobuf v1.32.0
 	howett.net/plist v1.0.1
 )

@@ -86,12 +86,12 @@ require (
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/exp v0.0.0-20231127185646-65229373498e // indirect
+	golang.org/x/exp v0.0.0-20231219180239-dc181d75b848 // indirect
 	golang.org/x/mod v0.14.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.4.0 // indirect
 	golang.org/x/tools v0.16.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.2.1 // indirect
--- a/go.sum
+++ b/go.sum
@@ -17,8 +17,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
-github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
-github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/chi/v5 v5.0.11 h1:BnpYbFZ3T3S1WMpD79r7R5ThWX40TaFB7L31Y8xqSwA=
+github.com/go-chi/chi/v5 v5.0.11/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
 github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
@@ -110,14 +110,14 @@ github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691 h1:5Th31OC6yj8byL
 github.com/sagernet/reality v0.0.0-20230406110435-ee17307e7691/go.mod h1:B8lp4WkQ1PwNnrVMM6KyuFR20pU8jYBD+A4EhJovEXU=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
 github.com/sagernet/sing v0.1.8/go.mod h1:jt1w2u7lJQFFSGLiRrRIs5YWmx4kAPfWuOejuDW9qMk=
-github.com/sagernet/sing v0.2.19 h1:Mdj/YJ5TtEyG+eIZaAlvX8j2cHxMN6eW4RF6Xh9iWyg=
-github.com/sagernet/sing v0.2.19/go.mod h1:Ce5LNojQOgOiWhiD8pPD6E9H7e2KgtOe3Zxx4Ou5u80=
-github.com/sagernet/sing-dns v0.1.11 h1:PPrMCVVrAeR3f5X23I+cmvacXJ+kzuyAsBiWyUKhGSE=
-github.com/sagernet/sing-dns v0.1.11/go.mod h1:zJ/YjnYB61SYE+ubMcMqVdpaSvsyQ2iShQGO3vuLvvE=
-github.com/sagernet/sing-mux v0.1.5 h1:jUbYth9QQd1wsDmU8Ush+fKce7lNo9TMv2dp8PJtSOY=
-github.com/sagernet/sing-mux v0.1.5/go.mod h1:MoH6Soz1R+CYZcCeIXZWx6fkZa6hQc9o3HZu9G6CDTw=
-github.com/sagernet/sing-quic v0.1.5 h1:PIQzE4cGrry+JkkMEJH/EH3wRkv/QgD48+ScNr/2oig=
-github.com/sagernet/sing-quic v0.1.5/go.mod h1:n2mXukpubasyV4SlWyyW0+LCdAn7DZ8/brAkUxZujrw=
+github.com/sagernet/sing v0.2.20 h1:ckcCB/5xu8G8wElNeH74IF6Soac5xWN+eQUXRuonjPQ=
+github.com/sagernet/sing v0.2.20/go.mod h1:Ce5LNojQOgOiWhiD8pPD6E9H7e2KgtOe3Zxx4Ou5u80=
+github.com/sagernet/sing-dns v0.1.12 h1:1HqZ+ln+Rezx/aJMStaS0d7oPeX2EobSV1NT537kyj4=
+github.com/sagernet/sing-dns v0.1.12/go.mod h1:rx/DTOisneQpCgNQ4jbFU/JNEtnz0lYcHXenlVzpjEU=
+github.com/sagernet/sing-mux v0.1.6 h1:9+LsHgrtG/hgKpJOhtGcEFPeWHXaWeJDO3x4DeDQk5g=
+github.com/sagernet/sing-mux v0.1.6/go.mod h1:UmcVSPrVjsOGe95jDXmGgOyKKIXOcjz6FKbFy+0LeDU=
+github.com/sagernet/sing-quic v0.1.6 h1:yNkZiNOlmEGpS+A7I4/Zavhe/fRrLz7yCO/dVMZzt+k=
+github.com/sagernet/sing-quic v0.1.6/go.mod h1:g1Ogcy2KSwKvC7eDXEUu9AnHbjotC+2xsSP+A1i/VOA=
 github.com/sagernet/sing-shadowsocks v0.2.6 h1:xr7ylAS/q1cQYS8oxKKajhuQcchd5VJJ4K4UZrrpp0s=
 github.com/sagernet/sing-shadowsocks v0.2.6/go.mod h1:j2YZBIpWIuElPFL/5sJAj470bcn/3QQ5lxZUNKLDNAM=
 github.com/sagernet/sing-shadowsocks2 v0.1.5 h1:JDeAJ4ZWlYZ7F6qEVdDKPhQEangxKw/JtmU+i/YfCYE=
@@ -169,10 +169,10 @@ go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBs
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
-golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
-golang.org/x/exp v0.0.0-20231127185646-65229373498e h1:Gvh4YaCaXNs6dKTlfgismwWZKyjVZXwOPfIyUaqU3No=
-golang.org/x/exp v0.0.0-20231127185646-65229373498e/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/exp v0.0.0-20231219180239-dc181d75b848 h1:+iq7lrkxmFNBM7xx+Rae2W6uyPfhPeDWD+n+JgppptE=
+golang.org/x/exp v0.0.0-20231219180239-dc181d75b848/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
 golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
 golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -205,14 +205,14 @@ golang.org/x/tools v0.16.0/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d h1:uvYuEyMHKNt+lT4K3bN6fGswmK8qSvcreM3BwjDh+y4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M=
-google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk=
-google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 h1:6GQBEOdGkX6MMTLT9V+TjtIRZCw9VPD5Z+yHY9wMgS0=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97/go.mod h1:v7nGkzlmW8P3n/bKmWBn2WpBjpOEx8Q6gMueudAmKfY=
+google.golang.org/grpc v1.60.1 h1:26+wFr+cNqSGFcOXcabYC0lUVJVRa2Sb2ortSK7VrEU=
+google.golang.org/grpc v1.60.1/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I=
+google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
--- a/inbound/direct.go
+++ b/inbound/direct.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"net"
 	"net/netip"
+	"time"

 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
@@ -47,13 +48,13 @@ func NewDirect(ctx context.Context, router adapter.Router, logger log.ContextLog
 		inbound.overrideOption = 3
 		inbound.overrideDestination = M.Socksaddr{Port: options.OverridePort}
 	}
-	var udpTimeout int64
+	var udpTimeout time.Duration
 	if options.UDPTimeout != 0 {
-		udpTimeout = options.UDPTimeout
+		udpTimeout = time.Duration(options.UDPTimeout)
 	} else {
-		udpTimeout = int64(C.UDPTimeout.Seconds())
+		udpTimeout = C.UDPTimeout
 	}
-	inbound.udpNat = udpnat.New[netip.AddrPort](udpTimeout, adapter.NewUpstreamContextHandler(inbound.newConnection, inbound.newPacketConnection, inbound))
+	inbound.udpNat = udpnat.New[netip.AddrPort](int64(udpTimeout.Seconds()), adapter.NewUpstreamContextHandler(inbound.newConnection, inbound.newPacketConnection, inbound))
 	inbound.connHandler = inbound
 	inbound.packetHandler = inbound
 	inbound.packetUpstream = inbound.udpNat
--- a/inbound/hysteria.go
+++ b/inbound/hysteria.go
@@ -5,6 +5,7 @@ package inbound
 import (
 	"context"
 	"net"
+	"time"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/humanize"
@@ -66,6 +67,12 @@ func NewHysteria(ctx context.Context, router adapter.Router, logger log.ContextL
 	} else {
 		receiveBps = uint64(options.DownMbps) * hysteria.MbpsToBps
 	}
+	var udpTimeout time.Duration
+	if options.UDPTimeout != 0 {
+		udpTimeout = time.Duration(options.UDPTimeout)
+	} else {
+		udpTimeout = C.UDPTimeout
+	}
 	service, err := hysteria.NewService[int](hysteria.ServiceOptions{
 		Context:       ctx,
 		Logger:        logger,
@@ -73,6 +80,7 @@ func NewHysteria(ctx context.Context, router adapter.Router, logger log.ContextL
 		ReceiveBPS:    receiveBps,
 		XPlusPassword: options.Obfs,
 		TLSConfig:     tlsConfig,
+		UDPTimeout:    udpTimeout,
 		Handler:       adapter.NewUpstreamHandler(adapter.InboundContext{}, inbound.newConnection, inbound.newPacketConnection, nil),

 		// Legacy options
--- a/inbound/hysteria2.go
+++ b/inbound/hysteria2.go
@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"net/http/httputil"
 	"net/url"
+	"time"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/tls"
@@ -87,6 +88,12 @@ func NewHysteria2(ctx context.Context, router adapter.Router, logger log.Context
 		},
 		tlsConfig: tlsConfig,
 	}
+	var udpTimeout time.Duration
+	if options.UDPTimeout != 0 {
+		udpTimeout = time.Duration(options.UDPTimeout)
+	} else {
+		udpTimeout = C.UDPTimeout
+	}
 	service, err := hysteria2.NewService[int](hysteria2.ServiceOptions{
 		Context:               ctx,
 		Logger:                logger,
@@ -96,6 +103,7 @@ func NewHysteria2(ctx context.Context, router adapter.Router, logger log.Context
 		SalamanderPassword:    salamanderPassword,
 		TLSConfig:             tlsConfig,
 		IgnoreClientBandwidth: options.IgnoreClientBandwidth,
+		UDPTimeout:            udpTimeout,
 		Handler:               adapter.NewUpstreamHandler(adapter.InboundContext{}, inbound.newConnection, inbound.newPacketConnection, nil),
 		MasqueradeHandler:     masqueradeHandler,
 	})
--- a/inbound/shadowsocks.go
+++ b/inbound/shadowsocks.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"net"
 	"os"
+	"time"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/mux"
@@ -65,19 +66,19 @@ func newShadowsocks(ctx context.Context, router adapter.Router, logger log.Conte
 		return nil, err
 	}

-	var udpTimeout int64
+	var udpTimeout time.Duration
 	if options.UDPTimeout != 0 {
-		udpTimeout = options.UDPTimeout
+		udpTimeout = time.Duration(options.UDPTimeout)
 	} else {
-		udpTimeout = int64(C.UDPTimeout.Seconds())
+		udpTimeout = C.UDPTimeout
 	}
 	switch {
 	case options.Method == shadowsocks.MethodNone:
-		inbound.service = shadowsocks.NewNoneService(options.UDPTimeout, inbound.upstreamContextHandler())
+		inbound.service = shadowsocks.NewNoneService(int64(udpTimeout.Seconds()), inbound.upstreamContextHandler())
 	case common.Contains(shadowaead.List, options.Method):
-		inbound.service, err = shadowaead.NewService(options.Method, nil, options.Password, udpTimeout, inbound.upstreamContextHandler())
+		inbound.service, err = shadowaead.NewService(options.Method, nil, options.Password, int64(udpTimeout.Seconds()), inbound.upstreamContextHandler())
 	case common.Contains(shadowaead_2022.List, options.Method):
-		inbound.service, err = shadowaead_2022.NewServiceWithPassword(options.Method, options.Password, udpTimeout, inbound.upstreamContextHandler(), ntp.TimeFuncFromContext(ctx))
+		inbound.service, err = shadowaead_2022.NewServiceWithPassword(options.Method, options.Password, int64(udpTimeout.Seconds()), inbound.upstreamContextHandler(), ntp.TimeFuncFromContext(ctx))
 	default:
 		err = E.New("unsupported method: ", options.Method)
 	}
--- a/inbound/shadowsocks_multi.go
+++ b/inbound/shadowsocks_multi.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"net"
 	"os"
+	"time"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/mux"
@@ -53,25 +54,25 @@ func newShadowsocksMulti(ctx context.Context, router adapter.Router, logger log.
 	if err != nil {
 		return nil, err
 	}
-	var udpTimeout int64
+	var udpTimeout time.Duration
 	if options.UDPTimeout != 0 {
-		udpTimeout = options.UDPTimeout
+		udpTimeout = time.Duration(options.UDPTimeout)
 	} else {
-		udpTimeout = int64(C.UDPTimeout.Seconds())
+		udpTimeout = C.UDPTimeout
 	}
 	var service shadowsocks.MultiService[int]
 	if common.Contains(shadowaead_2022.List, options.Method) {
 		service, err = shadowaead_2022.NewMultiServiceWithPassword[int](
 			options.Method,
 			options.Password,
-			udpTimeout,
+			int64(udpTimeout.Seconds()),
 			adapter.NewUpstreamContextHandler(inbound.newConnection, inbound.newPacketConnection, inbound),
 			ntp.TimeFuncFromContext(ctx),
 		)
 	} else if common.Contains(shadowaead.List, options.Method) {
 		service, err = shadowaead.NewMultiService[int](
 			options.Method,
-			udpTimeout,
+			int64(udpTimeout.Seconds()),
 			adapter.NewUpstreamContextHandler(inbound.newConnection, inbound.newPacketConnection, inbound))
 	} else {
 		return nil, E.New("unsupported method: " + options.Method)
--- a/inbound/shadowsocks_relay.go
+++ b/inbound/shadowsocks_relay.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"net"
 	"os"
+	"time"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/mux"
@@ -50,16 +51,16 @@ func newShadowsocksRelay(ctx context.Context, router adapter.Router, logger log.
 	if err != nil {
 		return nil, err
 	}
-	var udpTimeout int64
+	var udpTimeout time.Duration
 	if options.UDPTimeout != 0 {
-		udpTimeout = options.UDPTimeout
+		udpTimeout = time.Duration(options.UDPTimeout)
 	} else {
-		udpTimeout = int64(C.UDPTimeout.Seconds())
+		udpTimeout = C.UDPTimeout
 	}
 	service, err := shadowaead_2022.NewRelayServiceWithPassword[int](
 		options.Method,
 		options.Password,
-		udpTimeout,
+		int64(udpTimeout.Seconds()),
 		adapter.NewUpstreamContextHandler(inbound.newConnection, inbound.newPacketConnection, inbound),
 	)
 	if err != nil {
--- a/inbound/tproxy.go
+++ b/inbound/tproxy.go
@@ -5,6 +5,7 @@ import (
 	"net"
 	"net/netip"
 	"syscall"
+	"time"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/redir"
@@ -37,15 +38,15 @@ func NewTProxy(ctx context.Context, router adapter.Router, logger log.ContextLog
 			listenOptions: options.ListenOptions,
 		},
 	}
-	var udpTimeout int64
+	var udpTimeout time.Duration
 	if options.UDPTimeout != 0 {
-		udpTimeout = options.UDPTimeout
+		udpTimeout = time.Duration(options.UDPTimeout)
 	} else {
-		udpTimeout = int64(C.UDPTimeout.Seconds())
+		udpTimeout = C.UDPTimeout
 	}
 	tproxy.connHandler = tproxy
 	tproxy.oobPacketHandler = tproxy
-	tproxy.udpNat = udpnat.New[netip.AddrPort](udpTimeout, tproxy.upstreamContextHandler())
+	tproxy.udpNat = udpnat.New[netip.AddrPort](int64(udpTimeout.Seconds()), tproxy.upstreamContextHandler())
 	tproxy.packetUpstream = tproxy.udpNat
 	return tproxy
 }
--- a/inbound/tuic.go
+++ b/inbound/tuic.go
@@ -52,6 +52,12 @@ func NewTUIC(ctx context.Context, router adapter.Router, logger log.ContextLogge
 		},
 		tlsConfig: tlsConfig,
 	}
+	var udpTimeout time.Duration
+	if options.UDPTimeout != 0 {
+		udpTimeout = time.Duration(options.UDPTimeout)
+	} else {
+		udpTimeout = C.UDPTimeout
+	}
 	service, err := tuic.NewService[int](tuic.ServiceOptions{
 		Context:           ctx,
 		Logger:            logger,
@@ -60,6 +66,7 @@ func NewTUIC(ctx context.Context, router adapter.Router, logger log.ContextLogge
 		AuthTimeout:       time.Duration(options.AuthTimeout),
 		ZeroRTTHandshake:  options.ZeroRTTHandshake,
 		Heartbeat:         time.Duration(options.Heartbeat),
+		UDPTimeout:        udpTimeout,
 		Handler:           adapter.NewUpstreamHandler(adapter.InboundContext{}, inbound.newConnection, inbound.newPacketConnection, nil),
 	})
 	if err != nil {
--- a/inbound/tun.go
+++ b/inbound/tun.go
@@ -5,6 +5,7 @@ import (
 	"net"
 	"strconv"
 	"strings"
+	"time"

 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
@@ -42,11 +43,11 @@ func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger
 	if tunMTU == 0 {
 		tunMTU = 9000
 	}
-	var udpTimeout int64
+	var udpTimeout time.Duration
 	if options.UDPTimeout != 0 {
-		udpTimeout = options.UDPTimeout
+		udpTimeout = time.Duration(options.UDPTimeout)
 	} else {
-		udpTimeout = int64(C.UDPTimeout.Seconds())
+		udpTimeout = C.UDPTimeout
 	}
 	includeUID := uidToRange(options.IncludeUID)
 	if len(options.IncludeUIDRange) > 0 {
@@ -92,7 +93,7 @@ func NewTun(ctx context.Context, router adapter.Router, logger log.ContextLogger
 			TableIndex:               2022,
 		},
 		endpointIndependentNat: options.EndpointIndependentNat,
-		udpTimeout:             udpTimeout,
+		udpTimeout:             int64(udpTimeout.Seconds()),
 		stack:                  options.Stack,
 		platformInterface:      platformInterface,
 		platformOptions:        common.PtrValueOrDefault(options.Platform),
--- a/option/inbound.go
+++ b/option/inbound.go
@@ -1,6 +1,8 @@
 package option

 import (
+	"time"
+
 	"github.com/sagernet/sing-box/common/json"
 	C "github.com/sagernet/sing-box/constant"
 	E "github.com/sagernet/sing/common/exceptions"
@@ -128,15 +130,31 @@ type InboundOptions struct {
 }

 type ListenOptions struct {
-	Listen                      *ListenAddress `json:"listen,omitempty"`
-	ListenPort                  uint16         `json:"listen_port,omitempty"`
-	TCPFastOpen                 bool           `json:"tcp_fast_open,omitempty"`
-	TCPMultiPath                bool           `json:"tcp_multi_path,omitempty"`
-	UDPFragment                 *bool          `json:"udp_fragment,omitempty"`
-	UDPFragmentDefault          bool           `json:"-"`
-	UDPTimeout                  int64          `json:"udp_timeout,omitempty"`
-	ProxyProtocol               bool           `json:"proxy_protocol,omitempty"`
-	ProxyProtocolAcceptNoHeader bool           `json:"proxy_protocol_accept_no_header,omitempty"`
-	Detour                      string         `json:"detour,omitempty"`
+	Listen                      *ListenAddress   `json:"listen,omitempty"`
+	ListenPort                  uint16           `json:"listen_port,omitempty"`
+	TCPFastOpen                 bool             `json:"tcp_fast_open,omitempty"`
+	TCPMultiPath                bool             `json:"tcp_multi_path,omitempty"`
+	UDPFragment                 *bool            `json:"udp_fragment,omitempty"`
+	UDPFragmentDefault          bool             `json:"-"`
+	UDPTimeout                  UDPTimeoutCompat `json:"udp_timeout,omitempty"`
+	ProxyProtocol               bool             `json:"proxy_protocol,omitempty"`
+	ProxyProtocolAcceptNoHeader bool             `json:"proxy_protocol_accept_no_header,omitempty"`
+	Detour                      string           `json:"detour,omitempty"`
 	InboundOptions
 }
+
+type UDPTimeoutCompat Duration
+
+func (c UDPTimeoutCompat) MarshalJSON() ([]byte, error) {
+	return json.Marshal((time.Duration)(c).String())
+}
+
+func (c *UDPTimeoutCompat) UnmarshalJSON(data []byte) error {
+	var valueNumber int64
+	err := json.Unmarshal(data, &valueNumber)
+	if err == nil {
+		*c = UDPTimeoutCompat(time.Second * time.Duration(valueNumber))
+		return nil
+	}
+	return json.Unmarshal(data, (*Duration)(c))
+}
--- a/option/tun.go
+++ b/option/tun.go
@@ -23,7 +23,7 @@ type TunInboundOptions struct {
 	IncludePackage           Listable[string]       `json:"include_package,omitempty"`
 	ExcludePackage           Listable[string]       `json:"exclude_package,omitempty"`
 	EndpointIndependentNat   bool                   `json:"endpoint_independent_nat,omitempty"`
-	UDPTimeout               int64                  `json:"udp_timeout,omitempty"`
+	UDPTimeout               UDPTimeoutCompat       `json:"udp_timeout,omitempty"`
 	Stack                    string                 `json:"stack,omitempty"`
 	Platform                 *TunPlatformOptions    `json:"platform,omitempty"`
 	InboundOptions
--- a/outbound/urltest.go
+++ b/outbound/urltest.go
@@ -43,6 +43,7 @@ func NewURLTest(ctx context.Context, router adapter.Router, logger log.ContextLo
 	outbound := &URLTest{
 		myOutboundAdapter: myOutboundAdapter{
 			protocol:     C.TypeURLTest,
+			network:      []string{N.NetworkTCP, N.NetworkUDP},
 			router:       router,
 			logger:       logger,
 			tag:          tag,
@@ -61,13 +62,6 @@ func NewURLTest(ctx context.Context, router adapter.Router, logger log.ContextLo
 	return outbound, nil
 }

-func (s *URLTest) Network() []string {
-	if s.group == nil {
-		return []string{N.NetworkTCP, N.NetworkUDP}
-	}
-	return s.group.Select(N.NetworkTCP).Network()
-}
-
 func (s *URLTest) Start() error {
 	outbounds := make([]adapter.Outbound, 0, len(s.tags))
 	for i, tag := range s.tags {
@@ -93,7 +87,12 @@ func (s *URLTest) Close() error {
 }

 func (s *URLTest) Now() string {
-	return s.group.Select(N.NetworkTCP).Tag()
+	if s.group.selectedOutboundTCP != nil {
+		return s.group.selectedOutboundTCP.Tag()
+	} else if s.group.selectedOutboundUDP != nil {
+		return s.group.selectedOutboundUDP.Tag()
+	}
+	return ""
 }

 func (s *URLTest) All() []string {
@@ -111,6 +110,9 @@ func (s *URLTest) CheckOutbounds() {
 func (s *URLTest) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	s.group.Touch()
 	outbound := s.group.Select(network)
+	if outbound == nil {
+		return nil, E.New("missing supported outbound")
+	}
 	conn, err := outbound.DialContext(ctx, network, destination)
 	if err == nil {
 		return s.group.interruptGroup.NewConn(conn, interrupt.IsExternalConnectionFromContext(ctx)), nil
@@ -123,6 +125,9 @@ func (s *URLTest) DialContext(ctx context.Context, network string, destination M
 func (s *URLTest) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	s.group.Touch()
 	outbound := s.group.Select(N.NetworkUDP)
+	if outbound == nil {
+		return nil, E.New("missing supported outbound")
+	}
 	conn, err := outbound.ListenPacket(ctx, destination)
 	if err == nil {
 		return s.group.interruptGroup.NewPacketConn(conn, interrupt.IsExternalConnectionFromContext(ctx)), nil
@@ -346,12 +351,12 @@ func (g *URLTestGroup) urlTest(ctx context.Context, force bool) (map[string]uint
 func (g *URLTestGroup) performUpdateCheck() {
 	outbound := g.Select(N.NetworkTCP)
 	var updated bool
-	if outbound != g.selectedOutboundTCP {
+	if outbound != nil && outbound != g.selectedOutboundTCP {
 		g.selectedOutboundTCP = outbound
 		updated = true
 	}
 	outbound = g.Select(N.NetworkUDP)
-	if outbound != g.selectedOutboundUDP {
+	if outbound != nil && outbound != g.selectedOutboundUDP {
 		g.selectedOutboundUDP = outbound
 		updated = true
 	}
--- a/test/mux_test.go
+++ b/test/mux_test.go
@@ -75,6 +75,9 @@ func testShadowsocksMux(t *testing.T, options option.OutboundMultiplexOptions) {
 					},
 					Method:   method,
 					Password: password,
+					Multiplex: &option.InboundMultiplexOptions{
+						Enabled: true,
+					},
 				},
 			},
 		},
--- a/transport/v2rayhttp/client.go
+++ b/transport/v2rayhttp/client.go
@@ -7,6 +7,7 @@ import (
 	"net"
 	"net/http"
 	"net/url"
+	"strings"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
@@ -28,7 +29,7 @@ type Client struct {
 	serverAddr M.Socksaddr
 	transport  http.RoundTripper
 	http2      bool
-	url        *url.URL
+	requestURL url.URL
 	host       []string
 	method     string
 	headers    http.Header
@@ -58,33 +59,35 @@ func NewClient(ctx context.Context, dialer N.Dialer, serverAddr M.Socksaddr, opt
 			},
 		}
 	}
-	client := &Client{
+	if options.Method == "" {
+		options.Method = http.MethodPut
+	}
+	var requestURL url.URL
+	if tlsConfig == nil {
+		requestURL.Scheme = "http"
+	} else {
+		requestURL.Scheme = "https"
+	}
+	requestURL.Host = serverAddr.String()
+	requestURL.Path = options.Path
+	err := sHTTP.URLSetPath(&requestURL, options.Path)
+	if err != nil {
+		return nil, E.Cause(err, "parse path")
+	}
+	if !strings.HasPrefix(requestURL.Path, "/") {
+		requestURL.Path = "/" + requestURL.Path
+	}
+	return &Client{
 		ctx:        ctx,
 		dialer:     dialer,
 		serverAddr: serverAddr,
+		requestURL: requestURL,
 		host:       options.Host,
 		method:     options.Method,
 		headers:    options.Headers.Build(),
 		transport:  transport,
 		http2:      tlsConfig != nil,
-	}
-	if client.method == "" {
-		client.method = "PUT"
-	}
-	var uri url.URL
-	if tlsConfig == nil {
-		uri.Scheme = "http"
-	} else {
-		uri.Scheme = "https"
-	}
-	uri.Host = serverAddr.String()
-	uri.Path = options.Path
-	err := sHTTP.URLSetPath(&uri, options.Path)
-	if err != nil {
-		return nil, E.Cause(err, "parse path")
-	}
-	client.url = &uri
-	return client, nil
+	}, nil
 }

 func (c *Client) DialContext(ctx context.Context) (net.Conn, error) {
@@ -103,7 +106,7 @@ func (c *Client) dialHTTP(ctx context.Context) (net.Conn, error) {

 	request := &http.Request{
 		Method: c.method,
-		URL:    c.url,
+		URL:    &c.requestURL,
 		Header: c.headers.Clone(),
 	}
 	switch hostLen := len(c.host); hostLen {
@@ -123,7 +126,7 @@ func (c *Client) dialHTTP2(ctx context.Context) (net.Conn, error) {
 	request := &http.Request{
 		Method: c.method,
 		Body:   pipeInReader,
-		URL:    c.url,
+		URL:    &c.requestURL,
 		Header: c.headers.Clone(),
 	}
 	request = request.WithContext(ctx)
--- a/transport/v2rayhttpupgrade/server.go
+++ b/transport/v2rayhttpupgrade/server.go
@@ -65,7 +65,7 @@ func (s *Server) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
 		s.invalidRequest(writer, request, http.StatusBadRequest, E.New("bad host: ", host))
 		return
 	}
-	if !strings.HasPrefix(request.URL.Path, s.path) {
+	if request.URL.Path != s.path {
 		s.invalidRequest(writer, request, http.StatusNotFound, E.New("bad path: ", request.URL.Path))
 		return
 	}
--- a/transport/v2raywebsocket/client.go
+++ b/transport/v2raywebsocket/client.go
@@ -55,15 +55,10 @@ func NewClient(ctx context.Context, dialer N.Dialer, serverAddr M.Socksaddr, opt
 	if !strings.HasPrefix(requestURL.Path, "/") {
 		requestURL.Path = "/" + requestURL.Path
 	}
-	headers := make(http.Header)
-	for key, value := range options.Headers {
-		headers[key] = value
-		if key == "Host" {
-			if len(value) > 1 {
-				return nil, E.New("multiple Host headers")
-			}
-			requestURL.Host = value[0]
-		}
+	headers := options.Headers.Build()
+	if host := headers.Get("Host"); host != "" {
+		headers.Del("Host")
+		requestURL.Host = host
 	}
 	if headers.Get("User-Agent") == "" {
 		headers.Set("User-Agent", "Go-http-client/1.1")
--- a/transport/v2raywebsocket/server.go
+++ b/transport/v2raywebsocket/server.go
@@ -33,6 +33,7 @@ type Server struct {
 	path                string
 	maxEarlyData        uint32
 	earlyDataHeaderName string
+	upgrader            ws.HTTPUpgrader
 }

 func NewServer(ctx context.Context, options option.V2RayWebsocketOptions, tlsConfig tls.ServerConfig, handler adapter.V2RayServerTransportHandler) (*Server, error) {
@@ -43,6 +44,10 @@ func NewServer(ctx context.Context, options option.V2RayWebsocketOptions, tlsCon
 		path:                options.Path,
 		maxEarlyData:        options.MaxEarlyData,
 		earlyDataHeaderName: options.EarlyDataHeaderName,
+		upgrader: ws.HTTPUpgrader{
+			Timeout: C.TCPTimeout,
+			Header:  options.Headers.Build(),
+		},
 	}
 	if !strings.HasPrefix(server.path, "/") {
 		server.path = "/" + server.path
@@ -79,6 +84,10 @@ func (s *Server) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
 			return
 		}
 	} else {
+		if request.URL.Path != s.path {
+			s.invalidRequest(writer, request, http.StatusNotFound, E.New("bad path: ", request.URL.Path))
+			return
+		}
 		earlyDataStr := request.Header.Get(s.earlyDataHeaderName)
 		if earlyDataStr != "" {
 			earlyData, err = base64.RawURLEncoding.DecodeString(earlyDataStr)
Author	SHA1	Message	Date
世界	19c445d28e	documentation: Bump version	2023-12-29 18:00:40 +08:00
世界	9119a5209b	dcoumentation: Fix description of `cipher_suites`	2023-12-29 18:00:40 +08:00
世界	46c8d6e61f	Fix pprof URL path	2023-12-29 18:00:40 +08:00
世界	ea17c2786d	Update dependencies	2023-12-27 10:37:18 +08:00
世界	12ababd911	Fix mux test	2023-12-27 10:30:19 +08:00
世界	0523845833	Update issue reporting templates Enhanced the issue reporting templates for both English and Chinese versions by adding more structured and comprehensive guideline checkboxes. This aims to ensure contributors provide sufficient and beneficial information for reproducing and resolving issues, thereby improving the quality of reports and making issue tracking more efficient.	2023-12-26 19:05:19 +08:00
renovate[bot]	57794919fa	[dependencies] Update actions/upload-artifact action to v4	2023-12-26 19:04:51 +08:00
世界	f5bb5cf343	Fix missing marshal for `udp_timeout`	2023-12-26 10:52:46 +08:00
世界	3eed614dea	Fix ACME ALPN conflict	2023-12-26 09:02:58 +08:00
世界	76a295a660	Fix missing nil check for URLTest	2023-12-26 09:02:58 +08:00
世界	082e3fb8df	Fix V2Ray transport `path` validation behavior	2023-12-26 09:02:58 +08:00
世界	a0cab4f563	Fix websocket client initialize	2023-12-22 20:38:06 +08:00
世界	aeb7308e81	documentation: Bump version	2023-12-21 15:25:19 +08:00
世界	bb1ebfda83	documentation: Fix link format	2023-12-21 15:24:05 +08:00
世界	c05c798221	Fix missing UDP timeout for QUIC protocols	2023-12-21 15:16:36 +08:00
世界	55b1bcc6a5	Migrate `udp_timeout` from seconds to duration format	2023-12-21 14:50:33 +08:00
世界	d6eddce420	Fix missing handshake timeout for multiplex	2023-12-21 14:21:59 +08:00
世界	4bf057139b	Fix DNS dial context	2023-12-21 14:19:27 +08:00
世界	a1b28b8282	Try to fix HTTP server leak again	2023-12-21 14:16:16 +08:00