diff --git a/docs/config/inbound/listeners/anytls.en.md b/docs/config/inbound/listeners/anytls.en.md new file mode 100644 index 000000000..9b9da0eba --- /dev/null +++ b/docs/config/inbound/listeners/anytls.en.md @@ -0,0 +1,64 @@ +```{.yaml linenums="1"} +listeners: +- name: anytls-in-1 + type: anytls + port: 10818 + listen: 0.0.0.0 + # routing-mark: 0 # set routing-mark for listening socket (Linux only) + # When "shadow-tls", "res-tls", and "jls-config" are all disabled and "allow-insecure" is not true, "certificate" and "private-key" must be filled in; do not fill them in when ShadowTLS, ResTLS, or JLS is enabled + users: + username1: password1 + username2: password2 + certificate: ./server.crt # certificate in PEM format, or the path to the certificate + private-key: ./server.key # corresponding private key in PEM format, or the path to the private key + # The following two options are for mTLS configuration. If client-auth-type is set to "verify-if-given" or "require-and-verify", client-auth-cert must not be empty + # client-auth-type: "" # available values: "", "request", "require-any", "verify-if-given", "require-and-verify" + # client-auth-cert: string # certificate in PEM format, or the path to the certificate + # If filled, ECH will be enabled (can be generated by `mihomo generate ech-keypair `) + # ech-key: | + # -----BEGIN ECH KEYS----- + # ACATwY30o/RKgD6hgeQxwrSiApLaCgU+HKh7B6SUrAHaDwBD/g0APwAAIAAgHjzK + # madSJjYQIf9o1N5GXjkW4DEEeb17qMxHdwMdNnwADAABAAEAAQACAAEAAwAIdGVz + # dC5jb20AAA== + # -----END ECH KEYS----- + # shadow-tls: + # enable: true + # version: 3 # 支持 v1/v2/v3 + # # password: shadow-tls-password # v2 配置项 + # users: # v3 配置项 + # - name: shadow-tls-user + # password: shadow-tls-password + # handshake: + # dest: www.example.com:443 + # # proxy: "" + # res-tls: + # enable: true + # dest: www.example.com:443 + # password: restls-password + # # restls-script: "" + # # min-record-len: 0 + # # proxy: "" + # jls-config: # JLS replaces standard TLS; unauthenticated connections fall back to dest + # enable: true + # users: + # - username: jls-user + # password: jls-password + # dest: [www.example.com:443](https://www.example.com:443) + # # sni: [www.example.com](https://www.example.com) # inferred from dest if left empty + # # alpn: [h2, http/1.1] + # # proxy: "" + # # rate-limit: 0 # fallback forwarding rate limit, in bit/s; 0 means unlimited + ### NOTE: For anytls listener, if "allow-insecure" is not true, at least one of "certificate and private-key" or "jls-config" must be filled in ### + ### NOTE: For anytls listener, if "allow-insecure" is not true, at least one of "certificate and private-key" or "shadow-tls" or "res-tls" or "jls-config" must be filled in ### + # allow-insecure: false # whether to allow disabling TLS encryption (NOTE: only used when upstreamed by nginx, caddy, etc.) + padding-scheme: "" # https://github.com/anytls/anytls-go/blob/main/docs/protocol.md#cmdupdatepaddingscheme +``` + +[General Fields](./index.md) + +!!! warning + certificate and private-key are required unless allow-insecure: true (NOTE: only used when upstreamed by nginx, caddy, etc.) + + ## padding-scheme + +See https://github.com/anytls/anytls-go/blob/main/docs/protocol.md#cmdupdatepaddingscheme diff --git a/docs/config/inbound/listeners/anytls.md b/docs/config/inbound/listeners/anytls.md index 8c686ef3a..2e9ac8aa8 100644 --- a/docs/config/inbound/listeners/anytls.md +++ b/docs/config/inbound/listeners/anytls.md @@ -7,6 +7,7 @@ listeners: port: 10818 listen: 0.0.0.0 # routing-mark: 0 # 为监听socket设置routing-mark(仅支持linux) +# "shadow-tls"、"res-tls" 和 "jls-config" 均未启用且 "allow-insecure" 不为 true 时,必须填写 "certificate" 和 "private-key";启用 ShadowTLS、ResTLS 或 JLS 时不要填写 users: username1: password1 username2: password2 @@ -22,7 +23,34 @@ listeners: # madSJjYQIf9o1N5GXjkW4DEEeb17qMxHdwMdNnwADAABAAEAAQACAAEAAwAIdGVz # dC5jb20AAA== # -----END ECH KEYS----- - ### 注意,anytls listener, 如果 "allow-insecure" 不为 true, 必须填写 “certificate和private-key” ### + # shadow-tls: + # enable: true + # version: 3 # 支持 v1/v2/v3 + # # password: shadow-tls-password # v2 配置项 + # users: # v3 配置项 + # - name: shadow-tls-user + # password: shadow-tls-password + # handshake: + # dest: www.example.com:443 + # # proxy: "" + # res-tls: + # enable: true + # dest: www.example.com:443 + # password: restls-password + # # restls-script: "" + # # min-record-len: 0 + # # proxy: "" + # jls-config: # JLS 替代普通 TLS;未认证连接回落到 dest + # enable: true + # users: + # - username: jls-user + # password: jls-password + # dest: www.example.com:443 + # # sni: www.example.com # 留空时从 dest 推导 + # # alpn: [h2, http/1.1] + # # proxy: "" + # # rate-limit: 0 # fallback 转发限速,单位 bit/s;0 表示不限速 + ### 注意,anytls listener, 如果 "allow-insecure" 不为 true, 至少需要填写 “certificate和private-key” 或 “shadow-tls” 或 “res-tls” 或 “jls-config” 的其中一项 ### # allow-insecure: false # 是否允许不开启tls加密(注意:仅用于有 nginx, caddy 前置的情况) padding-scheme: "" # https://github.com/anytls/anytls-go/blob/main/docs/protocol.md#cmdupdatepaddingscheme ``` diff --git a/docs/config/inbound/listeners/anytls.ru.md b/docs/config/inbound/listeners/anytls.ru.md index ba20823ae..6468dbddf 100644 --- a/docs/config/inbound/listeners/anytls.ru.md +++ b/docs/config/inbound/listeners/anytls.ru.md @@ -6,7 +6,8 @@ listeners: type: anytls port: 10818 listen: 0.0.0.0 - # routing-mark: 0 # Устанавливает routing-mark для прослушивающего сокета (поддерживается только в Linux) + # routing-mark: 0 # устанавливает routing-mark для слушающего сокета (только для Linux) + # Если "shadow-tls", "res-tls" и "jls-config" отключены и "allow-insecure" не равен true, необходимо заполнить "certificate" и "private-key"; не заполняйте их, если включены ShadowTLS, ResTLS или JLS users: username1: password1 username2: password2 @@ -22,7 +23,34 @@ listeners: # madSJjYQIf9o1N5GXjkW4DEEeb17qMxHdwMdNnwADAABAAEAAQACAAEAAwAIdGVz # dC5jb20AAA== # -----END ECH KEYS----- - ### Обратите внимание, что для любого TLS-слушателя, если параметр "allow-insecure" не равен true, необходимо указать "certificate and private-key". ### + # shadow-tls: + # enable: true + # version: 3 # поддерживает v1/v2/v3 + # # password: shadow-tls-password # параметр конфигурации v2 + # users: # параметр конфигурации v3 + # - name: shadow-tls-user + # password: shadow-tls-password + # handshake: + # dest: www.example.com:443 + # # proxy: "" + # res-tls: + # enable: true + # dest: www.example.com:443 + # password: restls-password + # # restls-script: "" + # # min-record-len: 0 + # # proxy: "" + # jls-config: # JLS заменяет обычный TLS; неавторизованные соединения перенаправляются на dest + # enable: true + # users: + # - username: jls-user + # password: jls-password + # dest: www.example.com:443 + # # sni: www.example.com # если пусто, выводится из dest + # # alpn: [h2, http/1.1] + # # proxy: "" + # # rate-limit: 0 # ограничение скорости перенаправления (fallback), в бит/с; 0 означает без ограничений + ### ВНИМАНИЕ: Для слушателя anytls, если "allow-insecure" не равен true, необходимо заполнить как минимум одну из опций: "certificate и private-key" или "shadow-tls" или "res-tls" или "jls-config" ### # allow-insecure: false # Разрешить ли отключение шифрования TLS (Примечание: используется только при предварительной установке nginx или caddy) padding-scheme: "" # https://github.com/anytls/anytls-go/blob/main/docs/protocol.md#cmdupdatepaddingscheme ```