@@ -6,32 +6,231 @@ icon: material/alert-decagram
66
77* Fix process searcher failure introduced in 1.13.9
88
9+ #### 1.14.0-alpha.15
10+
11+ * Add search domain support for Tailscale DNS ** 1**
12+ * Fixes and improvements
13+
14+ ** 1** :
15+
16+ See [ Tailscale DNS Server] ( /configuration/dns/server/tailscale/#accept_search_domain ) .
17+
918#### 1.13.9
1019
1120* Fixes and improvements
1221
22+ #### 1.14.0-alpha.13
23+
24+ * Unify HTTP client ** 1**
25+ * Add Apple HTTP and TLS engines ** 2**
26+ * Unify HTTP/2 and QUIC parameters ** 3**
27+ * Add TLS spoof ** 4**
28+ * Fixes and improvements
29+
30+ ** 1** :
31+
32+ The new top-level [ ` http_clients ` ] ( /configuration/shared/http-client/ )
33+ option defines reusable HTTP clients (engine, version, dialer, TLS,
34+ HTTP/2 and QUIC parameters). Components that make outbound HTTP requests
35+ — remote rule-sets, ACME and Cloudflare Origin CA certificate providers,
36+ DERP ` verify_client_url ` , and the Tailscale ` control_http_client ` — now
37+ accept an inline HTTP client object or the tag of an ` http_clients `
38+ entry, replacing the dial and TLS fields previously inlined in each
39+ component. When the field is omitted, ACME, Cloudflare Origin CA, DERP
40+ and Tailscale dial direct (their existing default).
41+
42+ Remote rule-sets are the only HTTP-using component whose default for an
43+ omitted ` http_client ` has historically resolved to the default outbound,
44+ not to direct, and a typical configuration contains many of them. To
45+ avoid repeating the same ` http_client ` block in every rule-set,
46+ [ ` route.default_http_client ` ] ( /configuration/route/#default_http_client )
47+ selects a default rule-set client by tag and is the only field that
48+ consults it. If ` default_http_client ` is empty and ` http_clients ` is
49+ non-empty, the first entry is used automatically. The legacy fallback
50+ (use the default outbound when ` http_clients ` is empty altogether) is
51+ preserved with a deprecation warning and will be removed in sing-box
52+ 1.16.0, together with the legacy ` download_detour ` remote rule-set
53+ option and the legacy dialer fields on Tailscale endpoints.
54+
55+ ** 2** :
56+
57+ A new ` apple ` engine is available on Apple platforms in two independent
58+ places:
59+
60+ * [ HTTP client ` engine ` ] ( /configuration/shared/http-client/#engine ) —
61+ routes HTTP requests through ` NSURLSession ` .
62+ * Outbound TLS [ ` engine ` ] ( /configuration/shared/tls/#engine ) — routes
63+ the TLS handshake through ` Network.framework ` for direct TCP TLS
64+ client connections.
65+
66+ The default remains ` go ` . Both engines come with additional CGO and
67+ framework memory overhead and platform restrictions documented on each
68+ field.
69+
70+ ** 3** :
71+
72+ [ HTTP/2] ( /configuration/shared/http2/ ) and
73+ [ QUIC] ( /configuration/shared/quic/ ) parameters
74+ (` idle_timeout ` , ` keep_alive_period ` , ` stream_receive_window ` ,
75+ ` connection_receive_window ` , ` max_concurrent_streams ` ,
76+ ` initial_packet_size ` , ` disable_path_mtu_discovery ` ) are now shared
77+ across QUIC-based outbounds
78+ ([ Hysteria] ( /configuration/outbound/hysteria/ ) ,
79+ [ Hysteria2] ( /configuration/outbound/hysteria2/ ) ,
80+ [ TUIC] ( /configuration/outbound/tuic/ ) ) and HTTP clients running HTTP/2
81+ or HTTP/3.
82+
83+ This deprecates the Hysteria v1 tuning fields ` recv_window_conn ` ,
84+ ` recv_window ` , ` recv_window_client ` , ` max_conn_client ` and
85+ ` disable_mtu_discovery ` ; they will be removed in sing-box 1.16.0.
86+
87+ ** 4** :
88+
89+ Added outbound TLS [ ` spoof ` ] ( /configuration/shared/tls/#spoof ) and
90+ [ ` spoof_method ` ] ( /configuration/shared/tls/#spoof_method ) fields. When
91+ enabled, a forged ClientHello carrying a whitelisted SNI is sent before
92+ the real handshake to fool SNI-filtering middleboxes. Requires
93+ ` CAP_NET_RAW ` + ` CAP_NET_ADMIN ` or root on Linux and macOS, and
94+ Administrator privileges on Windows (ARM64 is not supported). IP-literal
95+ server names are rejected.
96+
97+ #### 1.14.0-alpha.12
98+
99+ * Fix fake-ip DNS server should return SUCCESS when address type is not configured
100+ * Fixes and improvements
101+
13102#### 1.13.8
14103
15104* Update naiveproxy to v147.0.7727.49-1
16105* Fix fake-ip DNS server should return SUCCESS when address type is not configured
17106* Fixes and improvements
18107
19- #### 1.13.7
108+ #### 1.14.0-alpha.11
20109
110+ * Add optimistic DNS cache ** 1**
111+ * Update NaiveProxy to 147.0.7727.49
21112* Fixes and improvements
22113
114+ ** 1** :
115+
116+ Optimistic DNS cache returns an expired cached response immediately while
117+ refreshing it in the background, reducing tail latency for repeated
118+ queries. Enabled via [ ` optimistic ` ] ( /configuration/dns/#optimistic )
119+ in DNS options, and can be persisted across restarts with the new
120+ [ ` store_dns ` ] ( /configuration/experimental/cache-file/#store_dns ) cache
121+ file option. A per-query
122+ [ ` disable_optimistic_cache ` ] ( /configuration/dns/rule_action/#disable_optimistic_cache )
123+ field is also available on DNS rule actions and the ` resolve ` route rule
124+ action.
125+
126+ This deprecates the ` independent_cache ` DNS option (the DNS cache now
127+ always keys by transport) and the ` store_rdrc ` cache file option
128+ (replaced by ` store_dns ` ); both will be removed in sing-box 1.16.0.
129+ See [ Migration] ( /migration/#migrate-independent-dns-cache ) .
130+
131+ #### 1.14.0-alpha.10
132+
133+ * Add ` evaluate ` DNS rule action and Response Match Fields ** 1**
134+ * ` ip_version ` and ` query_type ` now also take effect on internal DNS lookups ** 2**
135+ * Add ` package_name_regex ` route, DNS and headless rule item ** 3**
136+ * Add cloudflared inbound ** 4**
137+ * Fixes and improvements
138+
139+ ** 1** :
140+
141+ Response Match Fields
142+ ([ ` response_rcode ` ] ( /configuration/dns/rule/#response_rcode ) ,
143+ [ ` response_answer ` ] ( /configuration/dns/rule/#response_answer ) ,
144+ [ ` response_ns ` ] ( /configuration/dns/rule/#response_ns ) ,
145+ and [ ` response_extra ` ] ( /configuration/dns/rule/#response_extra ) )
146+ match the evaluated DNS response. They are gated by the new
147+ [ ` match_response ` ] ( /configuration/dns/rule/#match_response ) field and
148+ populated by a preceding
149+ [ ` evaluate ` ] ( /configuration/dns/rule_action/#evaluate ) DNS rule action;
150+ the evaluated response can also be returned directly by a
151+ [ ` respond ` ] ( /configuration/dns/rule_action/#respond ) action.
152+
153+ This deprecates the Legacy Address Filter Fields (` ip_cidr ` ,
154+ ` ip_is_private ` without ` match_response ` ) in DNS rules, the Legacy
155+ ` strategy ` DNS rule action option, and the Legacy
156+ ` rule_set_ip_cidr_accept_empty ` DNS rule item; all three will be removed
157+ in sing-box 1.16.0.
158+ See [ Migration] ( /migration/#migrate-address-filter-fields-to-response-matching ) .
159+
160+ ** 2** :
161+
162+ ` ip_version ` and ` query_type ` in DNS rules, together with ` query_type ` in
163+ referenced rule-sets, now take effect on every DNS rule evaluation,
164+ including matches from internal domain resolutions that do not target a
165+ specific DNS server (for example a ` resolve ` route rule action without
166+ ` server ` set). In earlier versions they were silently ignored in that
167+ path. Combining these fields with any of the legacy DNS fields deprecated
168+ in ** 1** in the same DNS configuration is no longer supported and is
169+ rejected at startup.
170+ See [ Migration] ( /migration/#ip_version-and-query_type-behavior-changes-in-dns-rules ) .
171+
172+ ** 3** :
173+
174+ See [ Route Rule] ( /configuration/route/rule/#package_name_regex ) ,
175+ [ DNS Rule] ( /configuration/dns/rule/#package_name_regex ) and
176+ [ Headless Rule] ( /configuration/rule-set/headless-rule/#package_name_regex ) .
177+
178+ ** 4** :
179+
180+ See [ Cloudflared] ( /configuration/inbound/cloudflared/ ) .
181+
182+ #### 1.13.7
183+
184+ * Fixes and improvement
185+
23186#### 1.13.6
24187
25188* Fixes and improvements
26189
190+ #### 1.14.0-alpha.8
191+
192+ * Add BBR profile and hop interval randomization for Hysteria2 ** 1**
193+ * Fixes and improvements
194+
195+ ** 1** :
196+
197+ See [ Hysteria2 Inbound] ( /configuration/inbound/hysteria2/#bbr_profile ) and [ Hysteria2 Outbound] ( /configuration/outbound/hysteria2/#bbr_profile ) .
198+
199+ #### 1.14.0-alpha.8
200+
201+ * Fixes and improvements
202+
27203#### 1.13.5
28204
29205* Fixes and improvements
30206
207+ #### 1.14.0-alpha.7
208+
209+ * Fixes and improvements
210+
31211#### 1.13.4
32212
33213* Fixes and improvements
34214
215+ #### 1.14.0-alpha.4
216+
217+ * Refactor ACME support to certificate provider system ** 1**
218+ * Add Cloudflare Origin CA certificate provider ** 2**
219+ * Add Tailscale certificate provider ** 3**
220+ * Fixes and improvements
221+
222+ ** 1** :
223+
224+ See [ Certificate Provider] ( /configuration/shared/certificate-provider/ ) and [ Migration] ( /migration/#migrate-inline-acme-to-certificate-provider ) .
225+
226+ ** 2** :
227+
228+ See [ Cloudflare Origin CA] ( /configuration/shared/certificate-provider/cloudflare-origin-ca ) .
229+
230+ ** 3** :
231+
232+ See [ Tailscale] ( /configuration/shared/certificate-provider/tailscale ) .
233+
35234#### 1.13.3
36235
37236* Add OpenWrt and Alpine APK packages to release ** 1**
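Review bot: The heading `#### 1.14.0-alpha.8` is added twice (new lines 190 and 199), so the BBR profile and hop interval entry and the "Fixes and improvements" entry after it share one version number and one anchor; one of the two should carry its own release number. The re-added 1.13.7 entry (new line 184) reads `* Fixes and improvement`, where every other entry in the file uses `improvements`. In note 1 under 1.14.0-alpha.13, the rule that the first `http_clients` entry is used automatically when `default_http_client` is empty makes remote rule-set fetching depend on entry order; a sentence recommending that `default_http_client` be set explicitly would make that visible to readers who reorder the list.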
@@ -56,6 +255,59 @@ from [SagerNet/go](https://github.com/SagerNet/go).
56255
57256See [ OCM] ( /configuration/service/ocm ) .
58257
258+ #### 1.12.24
259+
260+ * Fixes and improvements
261+
262+ #### 1.14.0-alpha.2
263+
264+ * Add OpenWrt and Alpine APK packages to release ** 1**
265+ * Backport to macOS 10.13 High Sierra ** 2**
266+ * OCM service: Add WebSocket support for Responses API ** 3**
267+ * Fixes and improvements
268+
269+ ** 1** :
270+
271+ Alpine APK files use ` linux ` in the filename to distinguish from OpenWrt APKs which use the ` openwrt ` prefix:
272+
273+ - OpenWrt: ` sing-box_{version}_openwrt_{architecture}.apk `
274+ - Alpine: ` sing-box_{version}_linux_{architecture}.apk `
275+
276+ ** 2** :
277+
278+ Legacy macOS binaries (with ` -legacy-macos-10.13 ` suffix) now support
279+ macOS 10.13 High Sierra, built using Go 1.25 with patches
280+ from [ SagerNet/go] ( https://github.com/SagerNet/go ) .
281+
282+ ** 3** :
283+
284+ See [ OCM] ( /configuration/service/ocm ) .
285+
286+ #### 1.14.0-alpha.1
287+
288+ * Add ` source_mac_address ` and ` source_hostname ` rule items ** 1**
289+ * Add ` include_mac_address ` and ` exclude_mac_address ` TUN options ** 2**
290+ * Update NaiveProxy to 145.0.7632.159 ** 3**
291+ * Fixes and improvements
292+
293+ ** 1** :
294+
295+ New rule items for matching LAN devices by MAC address and hostname via neighbor resolution.
296+ Supported on Linux, macOS, or in graphical clients on Android and macOS.
297+
298+ See [ Route Rule] ( /configuration/route/rule/#source_mac_address ) , [ DNS Rule] ( /configuration/dns/rule/#source_mac_address ) and [ Neighbor Resolution] ( /configuration/shared/neighbor/ ) .
299+
300+ ** 2** :
301+
302+ Limit or exclude devices from TUN routing by MAC address.
303+ Only supported on Linux with ` auto_route ` and ` auto_redirect ` enabled.
304+
305+ See [ TUN] ( /configuration/inbound/tun/#include_mac_address ) .
306+
307+ ** 3** :
308+
309+ This is not an official update from NaiveProxy. Instead, it's a Chromium codebase update maintained by Project S.
310+
59311#### 1.13.2
60312
61313* Fixes and improvements
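Review bot: Note 3 under 1.14.0-alpha.1 (new line 309) says the NaiveProxy bump to 145.0.7632.159 is not an official NaiveProxy update but a Chromium codebase update maintained by Project S, without saying where that code lives; linking the repository or tag would let readers check what the release bundles. In note 1 (new line 296), "Supported on Linux, macOS, or in graphical clients on Android and macOS" names macOS twice, so it is unclear which macOS builds are covered; the sentence should list each platform once.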