22icon : material/alert-decagram
33---
44
5+ #### 1.14.0-alpha.19
6+
7+ * Preserve comments between formatting
8+ ** Fixes and improvements
9+
10+ #### 1.14.0-alpha.18
11+
12+ * Add Windows TLS engine ** 1**
13+ * Fixes and improvements
14+
15+ ** 1** :
16+
17+ The new ` windows ` value for outbound TLS
18+ [ ` engine ` ] ( /configuration/shared/tls/#engine ) routes the TLS handshake
19+ through Schannel via SSPI. Only available on Windows build 17763 or
20+ later (Windows 10 version 1809, Windows Server 2019, or newer); TLS 1.3
21+ is only negotiated on Windows 11 or Windows Server 2022 and newer.
22+
523#### 1.13.11
624
725* Fix process searcher failure introduced in 1.13.9
826* Fixes and improvements
927
28+ #### 1.14.0-alpha.16
29+
30+ * Add ACME profile support for IP address certificates ** 1**
31+ * Fixes and improvements
32+
33+ ** 1** :
34+
35+ See [ ACME Certificate Provider] ( /configuration/shared/certificate-provider/acme/#profile ) .
36+
1037#### 1.13.10
1138
1239* Fix process searcher failure introduced in 1.13.9
1340
41+ #### 1.14.0-alpha.15
42+
43+ * Add search domain support for Tailscale DNS ** 1**
44+ * Fixes and improvements
45+
46+ ** 1** :
47+
48+ See [ Tailscale DNS Server] ( /configuration/dns/server/tailscale/#accept_search_domain ) .
49+
1450#### 1.13.9
1551
1652* Fixes and improvements
1753
54+ #### 1.14.0-alpha.13
55+
56+ * Unify HTTP client ** 1**
57+ * Add Apple HTTP and TLS engines ** 2**
58+ * Unify HTTP/2 and QUIC parameters ** 3**
59+ * Add TLS spoof ** 4**
60+ * Fixes and improvements
61+
62+ ** 1** :
63+
64+ The new top-level [ ` http_clients ` ] ( /configuration/shared/http-client/ )
65+ option defines reusable HTTP clients (engine, version, dialer, TLS,
66+ HTTP/2 and QUIC parameters). Components that make outbound HTTP requests
67+ — remote rule-sets, ACME and Cloudflare Origin CA certificate providers,
68+ DERP ` verify_client_url ` , and the Tailscale ` control_http_client ` — now
69+ accept an inline HTTP client object or the tag of an ` http_clients `
70+ entry, replacing the dial and TLS fields previously inlined in each
71+ component. When the field is omitted, ACME, Cloudflare Origin CA, DERP
72+ and Tailscale dial direct (their existing default).
73+
74+ Remote rule-sets are the only HTTP-using component whose default for an
75+ omitted ` http_client ` has historically resolved to the default outbound,
76+ not to direct, and a typical configuration contains many of them. To
77+ avoid repeating the same ` http_client ` block in every rule-set,
78+ [ ` route.default_http_client ` ] ( /configuration/route/#default_http_client )
79+ selects a default rule-set client by tag and is the only field that
80+ consults it. If ` default_http_client ` is empty and ` http_clients ` is
81+ non-empty, the first entry is used automatically. The legacy fallback
82+ (use the default outbound when ` http_clients ` is empty altogether) is
83+ preserved with a deprecation warning and will be removed in sing-box
84+ 1.16.0, together with the legacy ` download_detour ` remote rule-set
85+ option and the legacy dialer fields on Tailscale endpoints.
86+
87+ ** 2** :
88+
89+ A new ` apple ` engine is available on Apple platforms in two independent
90+ places:
91+
92+ * [ HTTP client ` engine ` ] ( /configuration/shared/http-client/#engine ) —
93+ routes HTTP requests through ` NSURLSession ` .
94+ * Outbound TLS [ ` engine ` ] ( /configuration/shared/tls/#engine ) — routes
95+ the TLS handshake through ` Network.framework ` for direct TCP TLS
96+ client connections.
97+
98+ The default remains ` go ` . Both engines come with additional CGO and
99+ framework memory overhead and platform restrictions documented on each
100+ field.
101+
102+ ** 3** :
103+
104+ [ HTTP/2] ( /configuration/shared/http2/ ) and
105+ [ QUIC] ( /configuration/shared/quic/ ) parameters
106+ (` idle_timeout ` , ` keep_alive_period ` , ` stream_receive_window ` ,
107+ ` connection_receive_window ` , ` max_concurrent_streams ` ,
108+ ` initial_packet_size ` , ` disable_path_mtu_discovery ` ) are now shared
109+ across QUIC-based outbounds
110+ ([ Hysteria] ( /configuration/outbound/hysteria/ ) ,
111+ [ Hysteria2] ( /configuration/outbound/hysteria2/ ) ,
112+ [ TUIC] ( /configuration/outbound/tuic/ ) ) and HTTP clients running HTTP/2
113+ or HTTP/3.
114+
115+ This deprecates the Hysteria v1 tuning fields ` recv_window_conn ` ,
116+ ` recv_window ` , ` recv_window_client ` , ` max_conn_client ` and
117+ ` disable_mtu_discovery ` ; they will be removed in sing-box 1.16.0.
118+
119+ ** 4** :
120+
121+ Added outbound TLS [ ` spoof ` ] ( /configuration/shared/tls/#spoof ) and
122+ [ ` spoof_method ` ] ( /configuration/shared/tls/#spoof_method ) fields. When
123+ enabled, a forged ClientHello carrying a whitelisted SNI is sent before
124+ the real handshake to fool SNI-filtering middleboxes. Requires
125+ ` CAP_NET_RAW ` + ` CAP_NET_ADMIN ` or root on Linux and macOS, and
126+ Administrator privileges on Windows (ARM64 is not supported). IP-literal
127+ server names are rejected.
128+
129+ #### 1.14.0-alpha.12
130+
131+ * Fix fake-ip DNS server should return SUCCESS when address type is not configured
132+ * Fixes and improvements
133+
18134#### 1.13.8
19135
20136* Update naiveproxy to v147.0.7727.49-1
21137* Fix fake-ip DNS server should return SUCCESS when address type is not configured
22138* Fixes and improvements
23139
24- #### 1.13.7
140+ #### 1.14.0-alpha.11
25141
142+ * Add optimistic DNS cache ** 1**
143+ * Update NaiveProxy to 147.0.7727.49
26144* Fixes and improvements
27145
146+ ** 1** :
147+
148+ Optimistic DNS cache returns an expired cached response immediately while
149+ refreshing it in the background, reducing tail latency for repeated
150+ queries. Enabled via [ ` optimistic ` ] ( /configuration/dns/#optimistic )
151+ in DNS options, and can be persisted across restarts with the new
152+ [ ` store_dns ` ] ( /configuration/experimental/cache-file/#store_dns ) cache
153+ file option. A per-query
154+ [ ` disable_optimistic_cache ` ] ( /configuration/dns/rule_action/#disable_optimistic_cache )
155+ field is also available on DNS rule actions and the ` resolve ` route rule
156+ action.
157+
158+ This deprecates the ` independent_cache ` DNS option (the DNS cache now
159+ always keys by transport) and the ` store_rdrc ` cache file option
160+ (replaced by ` store_dns ` ); both will be removed in sing-box 1.16.0.
161+ See [ Migration] ( /migration/#migrate-independent-dns-cache ) .
162+
163+ #### 1.14.0-alpha.10
164+
165+ * Add ` evaluate ` DNS rule action and Response Match Fields ** 1**
166+ * ` ip_version ` and ` query_type ` now also take effect on internal DNS lookups ** 2**
167+ * Add ` package_name_regex ` route, DNS and headless rule item ** 3**
168+ * Add cloudflared inbound ** 4**
169+ * Fixes and improvements
170+
171+ ** 1** :
172+
173+ Response Match Fields
174+ ([ ` response_rcode ` ] ( /configuration/dns/rule/#response_rcode ) ,
175+ [ ` response_answer ` ] ( /configuration/dns/rule/#response_answer ) ,
176+ [ ` response_ns ` ] ( /configuration/dns/rule/#response_ns ) ,
177+ and [ ` response_extra ` ] ( /configuration/dns/rule/#response_extra ) )
178+ match the evaluated DNS response. They are gated by the new
179+ [ ` match_response ` ] ( /configuration/dns/rule/#match_response ) field and
180+ populated by a preceding
181+ [ ` evaluate ` ] ( /configuration/dns/rule_action/#evaluate ) DNS rule action;
182+ the evaluated response can also be returned directly by a
183+ [ ` respond ` ] ( /configuration/dns/rule_action/#respond ) action.
184+
185+ This deprecates the Legacy Address Filter Fields (` ip_cidr ` ,
186+ ` ip_is_private ` without ` match_response ` ) in DNS rules, the Legacy
187+ ` strategy ` DNS rule action option, and the Legacy
188+ ` rule_set_ip_cidr_accept_empty ` DNS rule item; all three will be removed
189+ in sing-box 1.16.0.
190+ See [ Migration] ( /migration/#migrate-address-filter-fields-to-response-matching ) .
191+
192+ ** 2** :
193+
194+ ` ip_version ` and ` query_type ` in DNS rules, together with ` query_type ` in
195+ referenced rule-sets, now take effect on every DNS rule evaluation,
196+ including matches from internal domain resolutions that do not target a
197+ specific DNS server (for example a ` resolve ` route rule action without
198+ ` server ` set). In earlier versions they were silently ignored in that
199+ path. Combining these fields with any of the legacy DNS fields deprecated
200+ in ** 1** in the same DNS configuration is no longer supported and is
201+ rejected at startup.
202+ See [ Migration] ( /migration/#ip_version-and-query_type-behavior-changes-in-dns-rules ) .
203+
204+ ** 3** :
205+
206+ See [ Route Rule] ( /configuration/route/rule/#package_name_regex ) ,
207+ [ DNS Rule] ( /configuration/dns/rule/#package_name_regex ) and
208+ [ Headless Rule] ( /configuration/rule-set/headless-rule/#package_name_regex ) .
209+
210+ ** 4** :
211+
212+ See [ Cloudflared] ( /configuration/inbound/cloudflared/ ) .
213+
214+ #### 1.13.7
215+
216+ * Fixes and improvement
217+
28218#### 1.13.6
29219
30220* Fixes and improvements
31221
222+ #### 1.14.0-alpha.8
223+
224+ * Add BBR profile and hop interval randomization for Hysteria2 ** 1**
225+ * Fixes and improvements
226+
227+ ** 1** :
228+
229+ See [ Hysteria2 Inbound] ( /configuration/inbound/hysteria2/#bbr_profile ) and [ Hysteria2 Outbound] ( /configuration/outbound/hysteria2/#bbr_profile ) .
230+
32231#### 1.13.5
33232
34233* Fixes and improvements
35234
235+ #### 1.14.0-alpha.7
236+
237+ * Fixes and improvements
238+
36239#### 1.13.4
37240
38241* Fixes and improvements
39242
243+ #### 1.14.0-alpha.4
244+
245+ * Refactor ACME support to certificate provider system ** 1**
246+ * Add Cloudflare Origin CA certificate provider ** 2**
247+ * Add Tailscale certificate provider ** 3**
248+ * Fixes and improvements
249+
250+ ** 1** :
251+
252+ See [ Certificate Provider] ( /configuration/shared/certificate-provider/ ) and [ Migration] ( /migration/#migrate-inline-acme-to-certificate-provider ) .
253+
254+ ** 2** :
255+
256+ See [ Cloudflare Origin CA] ( /configuration/shared/certificate-provider/cloudflare-origin-ca ) .
257+
258+ ** 3** :
259+
260+ See [ Tailscale] ( /configuration/shared/certificate-provider/tailscale ) .
261+
40262#### 1.13.3
41263
42264* Add OpenWrt and Alpine APK packages to release ** 1**
@@ -61,6 +283,59 @@ from [SagerNet/go](https://github.com/SagerNet/go).
61283
62284See [ OCM] ( /configuration/service/ocm ) .
63285
286+ #### 1.12.24
287+
288+ * Fixes and improvements
289+
290+ #### 1.14.0-alpha.2
291+
292+ * Add OpenWrt and Alpine APK packages to release ** 1**
293+ * Backport to macOS 10.13 High Sierra ** 2**
294+ * OCM service: Add WebSocket support for Responses API ** 3**
295+ * Fixes and improvements
296+
297+ ** 1** :
298+
299+ Alpine APK files use ` linux ` in the filename to distinguish from OpenWrt APKs which use the ` openwrt ` prefix:
300+
301+ - OpenWrt: ` sing-box_{version}_openwrt_{architecture}.apk `
302+ - Alpine: ` sing-box_{version}_linux_{architecture}.apk `
303+
304+ ** 2** :
305+
306+ Legacy macOS binaries (with ` -legacy-macos-10.13 ` suffix) now support
307+ macOS 10.13 High Sierra, built using Go 1.25 with patches
308+ from [ SagerNet/go] ( https://github.com/SagerNet/go ) .
309+
310+ ** 3** :
311+
312+ See [ OCM] ( /configuration/service/ocm ) .
313+
314+ #### 1.14.0-alpha.1
315+
316+ * Add ` source_mac_address ` and ` source_hostname ` rule items ** 1**
317+ * Add ` include_mac_address ` and ` exclude_mac_address ` TUN options ** 2**
318+ * Update NaiveProxy to 145.0.7632.159 ** 3**
319+ * Fixes and improvements
320+
321+ ** 1** :
322+
323+ New rule items for matching LAN devices by MAC address and hostname via neighbor resolution.
324+ Supported on Linux, macOS, or in graphical clients on Android and macOS.
325+
326+ See [ Route Rule] ( /configuration/route/rule/#source_mac_address ) , [ DNS Rule] ( /configuration/dns/rule/#source_mac_address ) and [ Neighbor Resolution] ( /configuration/shared/neighbor/ ) .
327+
328+ ** 2** :
329+
330+ Limit or exclude devices from TUN routing by MAC address.
331+ Only supported on Linux with ` auto_route ` and ` auto_redirect ` enabled.
332+
333+ See [ TUN] ( /configuration/inbound/tun/#include_mac_address ) .
334+
335+ ** 3** :
336+
337+ This is not an official update from NaiveProxy. Instead, it's a Chromium codebase update maintained by Project S.
338+
64339#### 1.13.2
65340
66341* Fixes and improvements
0 commit comments