22icon : material/alert-decagram
33---
44
5+ #### 1.14.0-alpha.17
6+
7+ * Fixes and improvements
8+
59#### 1.13.11
610
711* Fix process searcher failure introduced in 1.13.9
812* Fixes and improvements
913
14+ #### 1.14.0-alpha.16
15+
16+ * Add ACME profile support for IP address certificates ** 1**
17+ * Fixes and improvements
18+
19+ ** 1** :
20+
21+ See [ ACME Certificate Provider] ( /configuration/shared/certificate-provider/acme/#profile ) .
22+
1023#### 1.13.10
1124
1225* Fix process searcher failure introduced in 1.13.9
1326
27+ #### 1.14.0-alpha.15
28+
29+ * Add search domain support for Tailscale DNS ** 1**
30+ * Fixes and improvements
31+
32+ ** 1** :
33+
34+ See [ Tailscale DNS Server] ( /configuration/dns/server/tailscale/#accept_search_domain ) .
35+
1436#### 1.13.9
1537
1638* Fixes and improvements
1739
40+ #### 1.14.0-alpha.13
41+
42+ * Unify HTTP client ** 1**
43+ * Add Apple HTTP and TLS engines ** 2**
44+ * Unify HTTP/2 and QUIC parameters ** 3**
45+ * Add TLS spoof ** 4**
46+ * Fixes and improvements
47+
48+ ** 1** :
49+
50+ The new top-level [ ` http_clients ` ] ( /configuration/shared/http-client/ )
51+ option defines reusable HTTP clients (engine, version, dialer, TLS,
52+ HTTP/2 and QUIC parameters). Components that make outbound HTTP requests
53+ — remote rule-sets, ACME and Cloudflare Origin CA certificate providers,
54+ DERP ` verify_client_url ` , and the Tailscale ` control_http_client ` — now
55+ accept an inline HTTP client object or the tag of an ` http_clients `
56+ entry, replacing the dial and TLS fields previously inlined in each
57+ component. When the field is omitted, ACME, Cloudflare Origin CA, DERP
58+ and Tailscale dial direct (their existing default).
59+
60+ Remote rule-sets are the only HTTP-using component whose default for an
61+ omitted ` http_client ` has historically resolved to the default outbound,
62+ not to direct, and a typical configuration contains many of them. To
63+ avoid repeating the same ` http_client ` block in every rule-set,
64+ [ ` route.default_http_client ` ] ( /configuration/route/#default_http_client )
65+ selects a default rule-set client by tag and is the only field that
66+ consults it. If ` default_http_client ` is empty and ` http_clients ` is
67+ non-empty, the first entry is used automatically. The legacy fallback
68+ (use the default outbound when ` http_clients ` is empty altogether) is
69+ preserved with a deprecation warning and will be removed in sing-box
70+ 1.16.0, together with the legacy ` download_detour ` remote rule-set
71+ option and the legacy dialer fields on Tailscale endpoints.
72+
73+ ** 2** :
74+
75+ A new ` apple ` engine is available on Apple platforms in two independent
76+ places:
77+
78+ * [ HTTP client ` engine ` ] ( /configuration/shared/http-client/#engine ) —
79+ routes HTTP requests through ` NSURLSession ` .
80+ * Outbound TLS [ ` engine ` ] ( /configuration/shared/tls/#engine ) — routes
81+ the TLS handshake through ` Network.framework ` for direct TCP TLS
82+ client connections.
83+
84+ The default remains ` go ` . Both engines come with additional CGO and
85+ framework memory overhead and platform restrictions documented on each
86+ field.
87+
88+ ** 3** :
89+
90+ [ HTTP/2] ( /configuration/shared/http2/ ) and
91+ [ QUIC] ( /configuration/shared/quic/ ) parameters
92+ (` idle_timeout ` , ` keep_alive_period ` , ` stream_receive_window ` ,
93+ ` connection_receive_window ` , ` max_concurrent_streams ` ,
94+ ` initial_packet_size ` , ` disable_path_mtu_discovery ` ) are now shared
95+ across QUIC-based outbounds
96+ ([ Hysteria] ( /configuration/outbound/hysteria/ ) ,
97+ [ Hysteria2] ( /configuration/outbound/hysteria2/ ) ,
98+ [ TUIC] ( /configuration/outbound/tuic/ ) ) and HTTP clients running HTTP/2
99+ or HTTP/3.
100+
101+ This deprecates the Hysteria v1 tuning fields ` recv_window_conn ` ,
102+ ` recv_window ` , ` recv_window_client ` , ` max_conn_client ` and
103+ ` disable_mtu_discovery ` ; they will be removed in sing-box 1.16.0.
104+
105+ ** 4** :
106+
107+ Added outbound TLS [ ` spoof ` ] ( /configuration/shared/tls/#spoof ) and
108+ [ ` spoof_method ` ] ( /configuration/shared/tls/#spoof_method ) fields. When
109+ enabled, a forged ClientHello carrying a whitelisted SNI is sent before
110+ the real handshake to fool SNI-filtering middleboxes. Requires
111+ ` CAP_NET_RAW ` + ` CAP_NET_ADMIN ` or root on Linux and macOS, and
112+ Administrator privileges on Windows (ARM64 is not supported). IP-literal
113+ server names are rejected.
114+
115+ #### 1.14.0-alpha.12
116+
117+ * Fix fake-ip DNS server should return SUCCESS when address type is not configured
118+ * Fixes and improvements
119+
18120#### 1.13.8
19121
20122* Update naiveproxy to v147.0.7727.49-1
21123* Fix fake-ip DNS server should return SUCCESS when address type is not configured
22124* Fixes and improvements
23125
24- #### 1.13.7
126+ #### 1.14.0-alpha.11
25127
128+ * Add optimistic DNS cache ** 1**
129+ * Update NaiveProxy to 147.0.7727.49
26130* Fixes and improvements
27131
132+ ** 1** :
133+
134+ Optimistic DNS cache returns an expired cached response immediately while
135+ refreshing it in the background, reducing tail latency for repeated
136+ queries. Enabled via [ ` optimistic ` ] ( /configuration/dns/#optimistic )
137+ in DNS options, and can be persisted across restarts with the new
138+ [ ` store_dns ` ] ( /configuration/experimental/cache-file/#store_dns ) cache
139+ file option. A per-query
140+ [ ` disable_optimistic_cache ` ] ( /configuration/dns/rule_action/#disable_optimistic_cache )
141+ field is also available on DNS rule actions and the ` resolve ` route rule
142+ action.
143+
144+ This deprecates the ` independent_cache ` DNS option (the DNS cache now
145+ always keys by transport) and the ` store_rdrc ` cache file option
146+ (replaced by ` store_dns ` ); both will be removed in sing-box 1.16.0.
147+ See [ Migration] ( /migration/#migrate-independent-dns-cache ) .
148+
149+ #### 1.14.0-alpha.10
150+
151+ * Add ` evaluate ` DNS rule action and Response Match Fields ** 1**
152+ * ` ip_version ` and ` query_type ` now also take effect on internal DNS lookups ** 2**
153+ * Add ` package_name_regex ` route, DNS and headless rule item ** 3**
154+ * Add cloudflared inbound ** 4**
155+ * Fixes and improvements
156+
157+ ** 1** :
158+
159+ Response Match Fields
160+ ([ ` response_rcode ` ] ( /configuration/dns/rule/#response_rcode ) ,
161+ [ ` response_answer ` ] ( /configuration/dns/rule/#response_answer ) ,
162+ [ ` response_ns ` ] ( /configuration/dns/rule/#response_ns ) ,
163+ and [ ` response_extra ` ] ( /configuration/dns/rule/#response_extra ) )
164+ match the evaluated DNS response. They are gated by the new
165+ [ ` match_response ` ] ( /configuration/dns/rule/#match_response ) field and
166+ populated by a preceding
167+ [ ` evaluate ` ] ( /configuration/dns/rule_action/#evaluate ) DNS rule action;
168+ the evaluated response can also be returned directly by a
169+ [ ` respond ` ] ( /configuration/dns/rule_action/#respond ) action.
170+
171+ This deprecates the Legacy Address Filter Fields (` ip_cidr ` ,
172+ ` ip_is_private ` without ` match_response ` ) in DNS rules, the Legacy
173+ ` strategy ` DNS rule action option, and the Legacy
174+ ` rule_set_ip_cidr_accept_empty ` DNS rule item; all three will be removed
175+ in sing-box 1.16.0.
176+ See [ Migration] ( /migration/#migrate-address-filter-fields-to-response-matching ) .
177+
178+ ** 2** :
179+
180+ ` ip_version ` and ` query_type ` in DNS rules, together with ` query_type ` in
181+ referenced rule-sets, now take effect on every DNS rule evaluation,
182+ including matches from internal domain resolutions that do not target a
183+ specific DNS server (for example a ` resolve ` route rule action without
184+ ` server ` set). In earlier versions they were silently ignored in that
185+ path. Combining these fields with any of the legacy DNS fields deprecated
186+ in ** 1** in the same DNS configuration is no longer supported and is
187+ rejected at startup.
188+ See [ Migration] ( /migration/#ip_version-and-query_type-behavior-changes-in-dns-rules ) .
189+
190+ ** 3** :
191+
192+ See [ Route Rule] ( /configuration/route/rule/#package_name_regex ) ,
193+ [ DNS Rule] ( /configuration/dns/rule/#package_name_regex ) and
194+ [ Headless Rule] ( /configuration/rule-set/headless-rule/#package_name_regex ) .
195+
196+ ** 4** :
197+
198+ See [ Cloudflared] ( /configuration/inbound/cloudflared/ ) .
199+
200+ #### 1.13.7
201+
202+ * Fixes and improvement
203+
28204#### 1.13.6
29205
30206* Fixes and improvements
31207
208+ #### 1.14.0-alpha.8
209+
210+ * Add BBR profile and hop interval randomization for Hysteria2 ** 1**
211+ * Fixes and improvements
212+
213+ ** 1** :
214+
215+ See [ Hysteria2 Inbound] ( /configuration/inbound/hysteria2/#bbr_profile ) and [ Hysteria2 Outbound] ( /configuration/outbound/hysteria2/#bbr_profile ) .
216+
32217#### 1.13.5
33218
34219* Fixes and improvements
35220
221+ #### 1.14.0-alpha.7
222+
223+ * Fixes and improvements
224+
36225#### 1.13.4
37226
38227* Fixes and improvements
39228
229+ #### 1.14.0-alpha.4
230+
231+ * Refactor ACME support to certificate provider system ** 1**
232+ * Add Cloudflare Origin CA certificate provider ** 2**
233+ * Add Tailscale certificate provider ** 3**
234+ * Fixes and improvements
235+
236+ ** 1** :
237+
238+ See [ Certificate Provider] ( /configuration/shared/certificate-provider/ ) and [ Migration] ( /migration/#migrate-inline-acme-to-certificate-provider ) .
239+
240+ ** 2** :
241+
242+ See [ Cloudflare Origin CA] ( /configuration/shared/certificate-provider/cloudflare-origin-ca ) .
243+
244+ ** 3** :
245+
246+ See [ Tailscale] ( /configuration/shared/certificate-provider/tailscale ) .
247+
40248#### 1.13.3
41249
42250* Add OpenWrt and Alpine APK packages to release ** 1**
@@ -61,6 +269,59 @@ from [SagerNet/go](https://github.com/SagerNet/go).
61269
62270See [ OCM] ( /configuration/service/ocm ) .
63271
272+ #### 1.12.24
273+
274+ * Fixes and improvements
275+
276+ #### 1.14.0-alpha.2
277+
278+ * Add OpenWrt and Alpine APK packages to release ** 1**
279+ * Backport to macOS 10.13 High Sierra ** 2**
280+ * OCM service: Add WebSocket support for Responses API ** 3**
281+ * Fixes and improvements
282+
283+ ** 1** :
284+
285+ Alpine APK files use ` linux ` in the filename to distinguish from OpenWrt APKs which use the ` openwrt ` prefix:
286+
287+ - OpenWrt: ` sing-box_{version}_openwrt_{architecture}.apk `
288+ - Alpine: ` sing-box_{version}_linux_{architecture}.apk `
289+
290+ ** 2** :
291+
292+ Legacy macOS binaries (with ` -legacy-macos-10.13 ` suffix) now support
293+ macOS 10.13 High Sierra, built using Go 1.25 with patches
294+ from [ SagerNet/go] ( https://github.com/SagerNet/go ) .
295+
296+ ** 3** :
297+
298+ See [ OCM] ( /configuration/service/ocm ) .
299+
300+ #### 1.14.0-alpha.1
301+
302+ * Add ` source_mac_address ` and ` source_hostname ` rule items ** 1**
303+ * Add ` include_mac_address ` and ` exclude_mac_address ` TUN options ** 2**
304+ * Update NaiveProxy to 145.0.7632.159 ** 3**
305+ * Fixes and improvements
306+
307+ ** 1** :
308+
309+ New rule items for matching LAN devices by MAC address and hostname via neighbor resolution.
310+ Supported on Linux, macOS, or in graphical clients on Android and macOS.
311+
312+ See [ Route Rule] ( /configuration/route/rule/#source_mac_address ) , [ DNS Rule] ( /configuration/dns/rule/#source_mac_address ) and [ Neighbor Resolution] ( /configuration/shared/neighbor/ ) .
313+
314+ ** 2** :
315+
316+ Limit or exclude devices from TUN routing by MAC address.
317+ Only supported on Linux with ` auto_route ` and ` auto_redirect ` enabled.
318+
319+ See [ TUN] ( /configuration/inbound/tun/#include_mac_address ) .
320+
321+ ** 3** :
322+
323+ This is not an official update from NaiveProxy. Instead, it's a Chromium codebase update maintained by Project S.
324+
64325#### 1.13.2
65326
66327* Fixes and improvements
0 commit comments