22icon : material/alert-decagram
33---
44
5+ #### 1.14.0-alpha.16
6+
7+ * Add ACME profile support for IP address certificates
8+ * Fixes and improvements
9+
510#### 1.13.10
611
712* Fix process searcher failure introduced in 1.13.9
813
14+ #### 1.14.0-alpha.15
15+
16+ * Add search domain support for Tailscale DNS ** 1**
17+ * Fixes and improvements
18+
19+ ** 1** :
20+
21+ See [ Tailscale DNS Server] ( /configuration/dns/server/tailscale/#accept_search_domain ) .
22+
923#### 1.13.9
1024
1125* Fixes and improvements
1226
27+ #### 1.14.0-alpha.13
28+
29+ * Unify HTTP client ** 1**
30+ * Add Apple HTTP and TLS engines ** 2**
31+ * Unify HTTP/2 and QUIC parameters ** 3**
32+ * Add TLS spoof ** 4**
33+ * Fixes and improvements
34+
35+ ** 1** :
36+
37+ The new top-level [ ` http_clients ` ] ( /configuration/shared/http-client/ )
38+ option defines reusable HTTP clients (engine, version, dialer, TLS,
39+ HTTP/2 and QUIC parameters). Components that make outbound HTTP requests
40+ — remote rule-sets, ACME and Cloudflare Origin CA certificate providers,
41+ DERP ` verify_client_url ` , and the Tailscale ` control_http_client ` — now
42+ accept an inline HTTP client object or the tag of an ` http_clients `
43+ entry, replacing the dial and TLS fields previously inlined in each
44+ component. When the field is omitted, ACME, Cloudflare Origin CA, DERP
45+ and Tailscale dial direct (their existing default).
46+
47+ Remote rule-sets are the only HTTP-using component whose default for an
48+ omitted ` http_client ` has historically resolved to the default outbound,
49+ not to direct, and a typical configuration contains many of them. To
50+ avoid repeating the same ` http_client ` block in every rule-set,
51+ [ ` route.default_http_client ` ] ( /configuration/route/#default_http_client )
52+ selects a default rule-set client by tag and is the only field that
53+ consults it. If ` default_http_client ` is empty and ` http_clients ` is
54+ non-empty, the first entry is used automatically. The legacy fallback
55+ (use the default outbound when ` http_clients ` is empty altogether) is
56+ preserved with a deprecation warning and will be removed in sing-box
57+ 1.16.0, together with the legacy ` download_detour ` remote rule-set
58+ option and the legacy dialer fields on Tailscale endpoints.
59+
60+ ** 2** :
61+
62+ A new ` apple ` engine is available on Apple platforms in two independent
63+ places:
64+
65+ * [ HTTP client ` engine ` ] ( /configuration/shared/http-client/#engine ) —
66+ routes HTTP requests through ` NSURLSession ` .
67+ * Outbound TLS [ ` engine ` ] ( /configuration/shared/tls/#engine ) — routes
68+ the TLS handshake through ` Network.framework ` for direct TCP TLS
69+ client connections.
70+
71+ The default remains ` go ` . Both engines come with additional CGO and
72+ framework memory overhead and platform restrictions documented on each
73+ field.
74+
75+ ** 3** :
76+
77+ [ HTTP/2] ( /configuration/shared/http2/ ) and
78+ [ QUIC] ( /configuration/shared/quic/ ) parameters
79+ (` idle_timeout ` , ` keep_alive_period ` , ` stream_receive_window ` ,
80+ ` connection_receive_window ` , ` max_concurrent_streams ` ,
81+ ` initial_packet_size ` , ` disable_path_mtu_discovery ` ) are now shared
82+ across QUIC-based outbounds
83+ ([ Hysteria] ( /configuration/outbound/hysteria/ ) ,
84+ [ Hysteria2] ( /configuration/outbound/hysteria2/ ) ,
85+ [ TUIC] ( /configuration/outbound/tuic/ ) ) and HTTP clients running HTTP/2
86+ or HTTP/3.
87+
88+ This deprecates the Hysteria v1 tuning fields ` recv_window_conn ` ,
89+ ` recv_window ` , ` recv_window_client ` , ` max_conn_client ` and
90+ ` disable_mtu_discovery ` ; they will be removed in sing-box 1.16.0.
91+
92+ ** 4** :
93+
94+ Added outbound TLS [ ` spoof ` ] ( /configuration/shared/tls/#spoof ) and
95+ [ ` spoof_method ` ] ( /configuration/shared/tls/#spoof_method ) fields. When
96+ enabled, a forged ClientHello carrying a whitelisted SNI is sent before
97+ the real handshake to fool SNI-filtering middleboxes. Requires
98+ ` CAP_NET_RAW ` + ` CAP_NET_ADMIN ` or root on Linux and macOS, and
99+ Administrator privileges on Windows (ARM64 is not supported). IP-literal
100+ server names are rejected.
101+
102+ #### 1.14.0-alpha.12
103+
104+ * Fix fake-ip DNS server should return SUCCESS when address type is not configured
105+ * Fixes and improvements
106+
13107#### 1.13.8
14108
15109* Update naiveproxy to v147.0.7727.49-1
16110* Fix fake-ip DNS server should return SUCCESS when address type is not configured
17111* Fixes and improvements
18112
19- #### 1.13.7
113+ #### 1.14.0-alpha.11
114+
115+ * Add optimistic DNS cache ** 1**
116+ * Update NaiveProxy to 147.0.7727.49
117+ * Fixes and improvements
118+
119+ ** 1** :
120+
121+ Optimistic DNS cache returns an expired cached response immediately while
122+ refreshing it in the background, reducing tail latency for repeated
123+ queries. Enabled via [ ` optimistic ` ] ( /configuration/dns/#optimistic )
124+ in DNS options, and can be persisted across restarts with the new
125+ [ ` store_dns ` ] ( /configuration/experimental/cache-file/#store_dns ) cache
126+ file option. A per-query
127+ [ ` disable_optimistic_cache ` ] ( /configuration/dns/rule_action/#disable_optimistic_cache )
128+ field is also available on DNS rule actions and the ` resolve ` route rule
129+ action.
20130
131+ This deprecates the ` independent_cache ` DNS option (the DNS cache now
132+ always keys by transport) and the ` store_rdrc ` cache file option
133+ (replaced by ` store_dns ` ); both will be removed in sing-box 1.16.0.
134+ See [ Migration] ( /migration/#migrate-independent-dns-cache ) .
135+
136+ #### 1.14.0-alpha.10
137+
138+ * Add ` evaluate ` DNS rule action and Response Match Fields ** 1**
139+ * ` ip_version ` and ` query_type ` now also take effect on internal DNS lookups ** 2**
140+ * Add ` package_name_regex ` route, DNS and headless rule item ** 3**
141+ * Add cloudflared inbound ** 4**
21142* Fixes and improvements
22143
144+ ** 1** :
145+
146+ Response Match Fields
147+ ([ ` response_rcode ` ] ( /configuration/dns/rule/#response_rcode ) ,
148+ [ ` response_answer ` ] ( /configuration/dns/rule/#response_answer ) ,
149+ [ ` response_ns ` ] ( /configuration/dns/rule/#response_ns ) ,
150+ and [ ` response_extra ` ] ( /configuration/dns/rule/#response_extra ) )
151+ match the evaluated DNS response. They are gated by the new
152+ [ ` match_response ` ] ( /configuration/dns/rule/#match_response ) field and
153+ populated by a preceding
154+ [ ` evaluate ` ] ( /configuration/dns/rule_action/#evaluate ) DNS rule action;
155+ the evaluated response can also be returned directly by a
156+ [ ` respond ` ] ( /configuration/dns/rule_action/#respond ) action.
157+
158+ This deprecates the Legacy Address Filter Fields (` ip_cidr ` ,
159+ ` ip_is_private ` without ` match_response ` ) in DNS rules, the Legacy
160+ ` strategy ` DNS rule action option, and the Legacy
161+ ` rule_set_ip_cidr_accept_empty ` DNS rule item; all three will be removed
162+ in sing-box 1.16.0.
163+ See [ Migration] ( /migration/#migrate-address-filter-fields-to-response-matching ) .
164+
165+ ** 2** :
166+
167+ ` ip_version ` and ` query_type ` in DNS rules, together with ` query_type ` in
168+ referenced rule-sets, now take effect on every DNS rule evaluation,
169+ including matches from internal domain resolutions that do not target a
170+ specific DNS server (for example a ` resolve ` route rule action without
171+ ` server ` set). In earlier versions they were silently ignored in that
172+ path. Combining these fields with any of the legacy DNS fields deprecated
173+ in ** 1** in the same DNS configuration is no longer supported and is
174+ rejected at startup.
175+ See [ Migration] ( /migration/#ip_version-and-query_type-behavior-changes-in-dns-rules ) .
176+
177+ ** 3** :
178+
179+ See [ Route Rule] ( /configuration/route/rule/#package_name_regex ) ,
180+ [ DNS Rule] ( /configuration/dns/rule/#package_name_regex ) and
181+ [ Headless Rule] ( /configuration/rule-set/headless-rule/#package_name_regex ) .
182+
183+ ** 4** :
184+
185+ See [ Cloudflared] ( /configuration/inbound/cloudflared/ ) .
186+
187+ #### 1.13.7
188+
189+ * Fixes and improvement
190+
23191#### 1.13.6
24192
25193* Fixes and improvements
26194
195+ #### 1.14.0-alpha.8
196+
197+ * Add BBR profile and hop interval randomization for Hysteria2 ** 1**
198+ * Fixes and improvements
199+
200+ ** 1** :
201+
202+ See [ Hysteria2 Inbound] ( /configuration/inbound/hysteria2/#bbr_profile ) and [ Hysteria2 Outbound] ( /configuration/outbound/hysteria2/#bbr_profile ) .
203+
27204#### 1.13.5
28205
29206* Fixes and improvements
30207
208+ #### 1.14.0-alpha.7
209+
210+ * Fixes and improvements
211+
31212#### 1.13.4
32213
33214* Fixes and improvements
34215
216+ #### 1.14.0-alpha.4
217+
218+ * Refactor ACME support to certificate provider system ** 1**
219+ * Add Cloudflare Origin CA certificate provider ** 2**
220+ * Add Tailscale certificate provider ** 3**
221+ * Fixes and improvements
222+
223+ ** 1** :
224+
225+ See [ Certificate Provider] ( /configuration/shared/certificate-provider/ ) and [ Migration] ( /migration/#migrate-inline-acme-to-certificate-provider ) .
226+
227+ ** 2** :
228+
229+ See [ Cloudflare Origin CA] ( /configuration/shared/certificate-provider/cloudflare-origin-ca ) .
230+
231+ ** 3** :
232+
233+ See [ Tailscale] ( /configuration/shared/certificate-provider/tailscale ) .
234+
35235#### 1.13.3
36236
37237* Add OpenWrt and Alpine APK packages to release ** 1**
@@ -56,6 +256,59 @@ from [SagerNet/go](https://github.com/SagerNet/go).
56256
57257See [ OCM] ( /configuration/service/ocm ) .
58258
259+ #### 1.12.24
260+
261+ * Fixes and improvements
262+
263+ #### 1.14.0-alpha.2
264+
265+ * Add OpenWrt and Alpine APK packages to release ** 1**
266+ * Backport to macOS 10.13 High Sierra ** 2**
267+ * OCM service: Add WebSocket support for Responses API ** 3**
268+ * Fixes and improvements
269+
270+ ** 1** :
271+
272+ Alpine APK files use ` linux ` in the filename to distinguish from OpenWrt APKs which use the ` openwrt ` prefix:
273+
274+ - OpenWrt: ` sing-box_{version}_openwrt_{architecture}.apk `
275+ - Alpine: ` sing-box_{version}_linux_{architecture}.apk `
276+
277+ ** 2** :
278+
279+ Legacy macOS binaries (with ` -legacy-macos-10.13 ` suffix) now support
280+ macOS 10.13 High Sierra, built using Go 1.25 with patches
281+ from [ SagerNet/go] ( https://github.com/SagerNet/go ) .
282+
283+ ** 3** :
284+
285+ See [ OCM] ( /configuration/service/ocm ) .
286+
287+ #### 1.14.0-alpha.1
288+
289+ * Add ` source_mac_address ` and ` source_hostname ` rule items ** 1**
290+ * Add ` include_mac_address ` and ` exclude_mac_address ` TUN options ** 2**
291+ * Update NaiveProxy to 145.0.7632.159 ** 3**
292+ * Fixes and improvements
293+
294+ ** 1** :
295+
296+ New rule items for matching LAN devices by MAC address and hostname via neighbor resolution.
297+ Supported on Linux, macOS, or in graphical clients on Android and macOS.
298+
299+ See [ Route Rule] ( /configuration/route/rule/#source_mac_address ) , [ DNS Rule] ( /configuration/dns/rule/#source_mac_address ) and [ Neighbor Resolution] ( /configuration/shared/neighbor/ ) .
300+
301+ ** 2** :
302+
303+ Limit or exclude devices from TUN routing by MAC address.
304+ Only supported on Linux with ` auto_route ` and ` auto_redirect ` enabled.
305+
306+ See [ TUN] ( /configuration/inbound/tun/#include_mac_address ) .
307+
308+ ** 3** :
309+
310+ This is not an official update from NaiveProxy. Instead, it's a Chromium codebase update maintained by Project S.
311+
59312#### 1.13.2
60313
61314* Fixes and improvements
0 commit comments