Skip to content

Commit 3367bde

Browse files
committed
Bump version
1 parent 2c2a406 commit 3367bde

1 file changed

Lines changed: 253 additions & 1 deletion

File tree

docs/changelog.md

Lines changed: 253 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,32 +2,231 @@
22
icon: material/alert-decagram
33
---
44

5+
#### 1.14.0-alpha.15
6+
7+
* Add search domain support for Tailscale DNS **1**
8+
* Fixes and improvements
9+
10+
**1**:
11+
12+
See [Tailscale DNS Server](/configuration/dns/server/tailscale/#accept_search_domain).
13+
514
#### 1.13.9
615

716
* Fixes and improvements
817

18+
#### 1.14.0-alpha.13
19+
20+
* Unify HTTP client **1**
21+
* Add Apple HTTP and TLS engines **2**
22+
* Unify HTTP/2 and QUIC parameters **3**
23+
* Add TLS spoof **4**
24+
* Fixes and improvements
25+
26+
**1**:
27+
28+
The new top-level [`http_clients`](/configuration/shared/http-client/)
29+
option defines reusable HTTP clients (engine, version, dialer, TLS,
30+
HTTP/2 and QUIC parameters). Components that make outbound HTTP requests
31+
— remote rule-sets, ACME and Cloudflare Origin CA certificate providers,
32+
DERP `verify_client_url`, and the Tailscale `control_http_client` — now
33+
accept an inline HTTP client object or the tag of an `http_clients`
34+
entry, replacing the dial and TLS fields previously inlined in each
35+
component. When the field is omitted, ACME, Cloudflare Origin CA, DERP
36+
and Tailscale dial direct (their existing default).
37+
38+
Remote rule-sets are the only HTTP-using component whose default for an
39+
omitted `http_client` has historically resolved to the default outbound,
40+
not to direct, and a typical configuration contains many of them. To
41+
avoid repeating the same `http_client` block in every rule-set,
42+
[`route.default_http_client`](/configuration/route/#default_http_client)
43+
selects a default rule-set client by tag and is the only field that
44+
consults it. If `default_http_client` is empty and `http_clients` is
45+
non-empty, the first entry is used automatically. The legacy fallback
46+
(use the default outbound when `http_clients` is empty altogether) is
47+
preserved with a deprecation warning and will be removed in sing-box
48+
1.16.0, together with the legacy `download_detour` remote rule-set
49+
option and the legacy dialer fields on Tailscale endpoints.
50+
51+
**2**:
52+
53+
A new `apple` engine is available on Apple platforms in two independent
54+
places:
55+
56+
* [HTTP client `engine`](/configuration/shared/http-client/#engine)
57+
routes HTTP requests through `NSURLSession`.
58+
* Outbound TLS [`engine`](/configuration/shared/tls/#engine) — routes
59+
the TLS handshake through `Network.framework` for direct TCP TLS
60+
client connections.
61+
62+
The default remains `go`. Both engines come with additional CGO and
63+
framework memory overhead and platform restrictions documented on each
64+
field.
65+
66+
**3**:
67+
68+
[HTTP/2](/configuration/shared/http2/) and
69+
[QUIC](/configuration/shared/quic/) parameters
70+
(`idle_timeout`, `keep_alive_period`, `stream_receive_window`,
71+
`connection_receive_window`, `max_concurrent_streams`,
72+
`initial_packet_size`, `disable_path_mtu_discovery`) are now shared
73+
across QUIC-based outbounds
74+
([Hysteria](/configuration/outbound/hysteria/),
75+
[Hysteria2](/configuration/outbound/hysteria2/),
76+
[TUIC](/configuration/outbound/tuic/)) and HTTP clients running HTTP/2
77+
or HTTP/3.
78+
79+
This deprecates the Hysteria v1 tuning fields `recv_window_conn`,
80+
`recv_window`, `recv_window_client`, `max_conn_client` and
81+
`disable_mtu_discovery`; they will be removed in sing-box 1.16.0.
82+
83+
**4**:
84+
85+
Added outbound TLS [`spoof`](/configuration/shared/tls/#spoof) and
86+
[`spoof_method`](/configuration/shared/tls/#spoof_method) fields. When
87+
enabled, a forged ClientHello carrying a whitelisted SNI is sent before
88+
the real handshake to fool SNI-filtering middleboxes. Requires
89+
`CAP_NET_RAW` + `CAP_NET_ADMIN` or root on Linux and macOS, and
90+
Administrator privileges on Windows (ARM64 is not supported). IP-literal
91+
server names are rejected.
92+
93+
#### 1.14.0-alpha.12
94+
95+
* Fix fake-ip DNS server should return SUCCESS when address type is not configured
96+
* Fixes and improvements
97+
998
#### 1.13.8
1099

11100
* Update naiveproxy to v147.0.7727.49-1
12101
* Fix fake-ip DNS server should return SUCCESS when address type is not configured
13102
* Fixes and improvements
14103

15-
#### 1.13.7
104+
#### 1.14.0-alpha.11
16105

106+
* Add optimistic DNS cache **1**
107+
* Update NaiveProxy to 147.0.7727.49
17108
* Fixes and improvements
18109

110+
**1**:
111+
112+
Optimistic DNS cache returns an expired cached response immediately while
113+
refreshing it in the background, reducing tail latency for repeated
114+
queries. Enabled via [`optimistic`](/configuration/dns/#optimistic)
115+
in DNS options, and can be persisted across restarts with the new
116+
[`store_dns`](/configuration/experimental/cache-file/#store_dns) cache
117+
file option. A per-query
118+
[`disable_optimistic_cache`](/configuration/dns/rule_action/#disable_optimistic_cache)
119+
field is also available on DNS rule actions and the `resolve` route rule
120+
action.
121+
122+
This deprecates the `independent_cache` DNS option (the DNS cache now
123+
always keys by transport) and the `store_rdrc` cache file option
124+
(replaced by `store_dns`); both will be removed in sing-box 1.16.0.
125+
See [Migration](/migration/#migrate-independent-dns-cache).
126+
127+
#### 1.14.0-alpha.10
128+
129+
* Add `evaluate` DNS rule action and Response Match Fields **1**
130+
* `ip_version` and `query_type` now also take effect on internal DNS lookups **2**
131+
* Add `package_name_regex` route, DNS and headless rule item **3**
132+
* Add cloudflared inbound **4**
133+
* Fixes and improvements
134+
135+
**1**:
136+
137+
Response Match Fields
138+
([`response_rcode`](/configuration/dns/rule/#response_rcode),
139+
[`response_answer`](/configuration/dns/rule/#response_answer),
140+
[`response_ns`](/configuration/dns/rule/#response_ns),
141+
and [`response_extra`](/configuration/dns/rule/#response_extra))
142+
match the evaluated DNS response. They are gated by the new
143+
[`match_response`](/configuration/dns/rule/#match_response) field and
144+
populated by a preceding
145+
[`evaluate`](/configuration/dns/rule_action/#evaluate) DNS rule action;
146+
the evaluated response can also be returned directly by a
147+
[`respond`](/configuration/dns/rule_action/#respond) action.
148+
149+
This deprecates the Legacy Address Filter Fields (`ip_cidr`,
150+
`ip_is_private` without `match_response`) in DNS rules, the Legacy
151+
`strategy` DNS rule action option, and the Legacy
152+
`rule_set_ip_cidr_accept_empty` DNS rule item; all three will be removed
153+
in sing-box 1.16.0.
154+
See [Migration](/migration/#migrate-address-filter-fields-to-response-matching).
155+
156+
**2**:
157+
158+
`ip_version` and `query_type` in DNS rules, together with `query_type` in
159+
referenced rule-sets, now take effect on every DNS rule evaluation,
160+
including matches from internal domain resolutions that do not target a
161+
specific DNS server (for example a `resolve` route rule action without
162+
`server` set). In earlier versions they were silently ignored in that
163+
path. Combining these fields with any of the legacy DNS fields deprecated
164+
in **1** in the same DNS configuration is no longer supported and is
165+
rejected at startup.
166+
See [Migration](/migration/#ip_version-and-query_type-behavior-changes-in-dns-rules).
167+
168+
**3**:
169+
170+
See [Route Rule](/configuration/route/rule/#package_name_regex),
171+
[DNS Rule](/configuration/dns/rule/#package_name_regex) and
172+
[Headless Rule](/configuration/rule-set/headless-rule/#package_name_regex).
173+
174+
**4**:
175+
176+
See [Cloudflared](/configuration/inbound/cloudflared/).
177+
178+
#### 1.13.7
179+
180+
* Fixes and improvement
181+
19182
#### 1.13.6
20183

21184
* Fixes and improvements
22185

186+
#### 1.14.0-alpha.8
187+
188+
* Add BBR profile and hop interval randomization for Hysteria2 **1**
189+
* Fixes and improvements
190+
191+
**1**:
192+
193+
See [Hysteria2 Inbound](/configuration/inbound/hysteria2/#bbr_profile) and [Hysteria2 Outbound](/configuration/outbound/hysteria2/#bbr_profile).
194+
195+
#### 1.14.0-alpha.8
196+
197+
* Fixes and improvements
198+
23199
#### 1.13.5
24200

25201
* Fixes and improvements
26202

203+
#### 1.14.0-alpha.7
204+
205+
* Fixes and improvements
206+
27207
#### 1.13.4
28208

29209
* Fixes and improvements
30210

211+
#### 1.14.0-alpha.4
212+
213+
* Refactor ACME support to certificate provider system **1**
214+
* Add Cloudflare Origin CA certificate provider **2**
215+
* Add Tailscale certificate provider **3**
216+
* Fixes and improvements
217+
218+
**1**:
219+
220+
See [Certificate Provider](/configuration/shared/certificate-provider/) and [Migration](/migration/#migrate-inline-acme-to-certificate-provider).
221+
222+
**2**:
223+
224+
See [Cloudflare Origin CA](/configuration/shared/certificate-provider/cloudflare-origin-ca).
225+
226+
**3**:
227+
228+
See [Tailscale](/configuration/shared/certificate-provider/tailscale).
229+
31230
#### 1.13.3
32231

33232
* Add OpenWrt and Alpine APK packages to release **1**
@@ -52,6 +251,59 @@ from [SagerNet/go](https://github.com/SagerNet/go).
52251

53252
See [OCM](/configuration/service/ocm).
54253

254+
#### 1.12.24
255+
256+
* Fixes and improvements
257+
258+
#### 1.14.0-alpha.2
259+
260+
* Add OpenWrt and Alpine APK packages to release **1**
261+
* Backport to macOS 10.13 High Sierra **2**
262+
* OCM service: Add WebSocket support for Responses API **3**
263+
* Fixes and improvements
264+
265+
**1**:
266+
267+
Alpine APK files use `linux` in the filename to distinguish from OpenWrt APKs which use the `openwrt` prefix:
268+
269+
- OpenWrt: `sing-box_{version}_openwrt_{architecture}.apk`
270+
- Alpine: `sing-box_{version}_linux_{architecture}.apk`
271+
272+
**2**:
273+
274+
Legacy macOS binaries (with `-legacy-macos-10.13` suffix) now support
275+
macOS 10.13 High Sierra, built using Go 1.25 with patches
276+
from [SagerNet/go](https://github.com/SagerNet/go).
277+
278+
**3**:
279+
280+
See [OCM](/configuration/service/ocm).
281+
282+
#### 1.14.0-alpha.1
283+
284+
* Add `source_mac_address` and `source_hostname` rule items **1**
285+
* Add `include_mac_address` and `exclude_mac_address` TUN options **2**
286+
* Update NaiveProxy to 145.0.7632.159 **3**
287+
* Fixes and improvements
288+
289+
**1**:
290+
291+
New rule items for matching LAN devices by MAC address and hostname via neighbor resolution.
292+
Supported on Linux, macOS, or in graphical clients on Android and macOS.
293+
294+
See [Route Rule](/configuration/route/rule/#source_mac_address), [DNS Rule](/configuration/dns/rule/#source_mac_address) and [Neighbor Resolution](/configuration/shared/neighbor/).
295+
296+
**2**:
297+
298+
Limit or exclude devices from TUN routing by MAC address.
299+
Only supported on Linux with `auto_route` and `auto_redirect` enabled.
300+
301+
See [TUN](/configuration/inbound/tun/#include_mac_address).
302+
303+
**3**:
304+
305+
This is not an official update from NaiveProxy. Instead, it's a Chromium codebase update maintained by Project S.
306+
55307
#### 1.13.2
56308

57309
* Fixes and improvements

0 commit comments

Comments
 (0)