Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
64 changes: 64 additions & 0 deletions docs/config/inbound/listeners/anytls.en.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
```{.yaml linenums="1"}
listeners:
- name: anytls-in-1
type: anytls
port: 10818
listen: 0.0.0.0
# routing-mark: 0 # set routing-mark for listening socket (Linux only)
# When "shadow-tls", "res-tls", and "jls-config" are all disabled and "allow-insecure" is not true, "certificate" and "private-key" must be filled in; do not fill them in when ShadowTLS, ResTLS, or JLS is enabled
users:
username1: password1
username2: password2
certificate: ./server.crt # certificate in PEM format, or the path to the certificate
private-key: ./server.key # corresponding private key in PEM format, or the path to the private key
# The following two options are for mTLS configuration. If client-auth-type is set to "verify-if-given" or "require-and-verify", client-auth-cert must not be empty
# client-auth-type: "" # available values: "", "request", "require-any", "verify-if-given", "require-and-verify"
# client-auth-cert: string # certificate in PEM format, or the path to the certificate
# If filled, ECH will be enabled (can be generated by `mihomo generate ech-keypair <plaintext-domain>`)
# ech-key: |
# -----BEGIN ECH KEYS-----
# ACATwY30o/RKgD6hgeQxwrSiApLaCgU+HKh7B6SUrAHaDwBD/g0APwAAIAAgHjzK
# madSJjYQIf9o1N5GXjkW4DEEeb17qMxHdwMdNnwADAABAAEAAQACAAEAAwAIdGVz
# dC5jb20AAA==
# -----END ECH KEYS-----
# shadow-tls:
# enable: true
# version: 3 # 支持 v1/v2/v3
# # password: shadow-tls-password # v2 配置项
# users: # v3 配置项
# - name: shadow-tls-user
# password: shadow-tls-password
# handshake:
# dest: www.example.com:443
# # proxy: ""
# res-tls:
# enable: true
# dest: www.example.com:443
# password: restls-password
# # restls-script: ""
# # min-record-len: 0
# # proxy: ""
# jls-config: # JLS replaces standard TLS; unauthenticated connections fall back to dest
# enable: true
# users:
# - username: jls-user
# password: jls-password
# dest: [www.example.com:443](https://www.example.com:443)
# # sni: [www.example.com](https://www.example.com) # inferred from dest if left empty
# # alpn: [h2, http/1.1]
# # proxy: ""
# # rate-limit: 0 # fallback forwarding rate limit, in bit/s; 0 means unlimited
### NOTE: For anytls listener, if "allow-insecure" is not true, at least one of "certificate and private-key" or "jls-config" must be filled in ###
### NOTE: For anytls listener, if "allow-insecure" is not true, at least one of "certificate and private-key" or "shadow-tls" or "res-tls" or "jls-config" must be filled in ###
# allow-insecure: false # whether to allow disabling TLS encryption (NOTE: only used when upstreamed by nginx, caddy, etc.)
padding-scheme: "" # https://github.com/anytls/anytls-go/blob/main/docs/protocol.md#cmdupdatepaddingscheme
```

[General Fields](./index.md)

!!! warning
certificate and private-key are required unless allow-insecure: true (NOTE: only used when upstreamed by nginx, caddy, etc.)

## padding-scheme

See https://github.com/anytls/anytls-go/blob/main/docs/protocol.md#cmdupdatepaddingscheme
30 changes: 29 additions & 1 deletion docs/config/inbound/listeners/anytls.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ listeners:
port: 10818
listen: 0.0.0.0
# routing-mark: 0 # 为监听socket设置routing-mark(仅支持linux)
# "shadow-tls"、"res-tls" 和 "jls-config" 均未启用且 "allow-insecure" 不为 true 时,必须填写 "certificate" 和 "private-key";启用 ShadowTLS、ResTLS 或 JLS 时不要填写
users:
username1: password1
username2: password2
Expand All @@ -22,7 +23,34 @@ listeners:
# madSJjYQIf9o1N5GXjkW4DEEeb17qMxHdwMdNnwADAABAAEAAQACAAEAAwAIdGVz
# dC5jb20AAA==
# -----END ECH KEYS-----
### 注意,anytls listener, 如果 "allow-insecure" 不为 true, 必须填写 “certificate和private-key” ###
# shadow-tls:
# enable: true
# version: 3 # 支持 v1/v2/v3
# # password: shadow-tls-password # v2 配置项
# users: # v3 配置项
# - name: shadow-tls-user
# password: shadow-tls-password
# handshake:
# dest: www.example.com:443
# # proxy: ""
# res-tls:
# enable: true
# dest: www.example.com:443
# password: restls-password
# # restls-script: ""
# # min-record-len: 0
# # proxy: ""
# jls-config: # JLS 替代普通 TLS;未认证连接回落到 dest
# enable: true
# users:
# - username: jls-user
# password: jls-password
# dest: www.example.com:443
# # sni: www.example.com # 留空时从 dest 推导
# # alpn: [h2, http/1.1]
# # proxy: ""
# # rate-limit: 0 # fallback 转发限速,单位 bit/s;0 表示不限速
### 注意,anytls listener, 如果 "allow-insecure" 不为 true, 至少需要填写 “certificate和private-key” 或 “shadow-tls” 或 “res-tls” 或 “jls-config” 的其中一项 ###
# allow-insecure: false # 是否允许不开启tls加密(注意:仅用于有 nginx, caddy 前置的情况)
padding-scheme: "" # https://github.com/anytls/anytls-go/blob/main/docs/protocol.md#cmdupdatepaddingscheme
```
Expand Down
32 changes: 30 additions & 2 deletions docs/config/inbound/listeners/anytls.ru.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,8 @@ listeners:
type: anytls
port: 10818
listen: 0.0.0.0
# routing-mark: 0 # Устанавливает routing-mark для прослушивающего сокета (поддерживается только в Linux)
# routing-mark: 0 # устанавливает routing-mark для слушающего сокета (только для Linux)
# Если "shadow-tls", "res-tls" и "jls-config" отключены и "allow-insecure" не равен true, необходимо заполнить "certificate" и "private-key"; не заполняйте их, если включены ShadowTLS, ResTLS или JLS
users:
username1: password1
username2: password2
Expand All @@ -22,7 +23,34 @@ listeners:
# madSJjYQIf9o1N5GXjkW4DEEeb17qMxHdwMdNnwADAABAAEAAQACAAEAAwAIdGVz
# dC5jb20AAA==
# -----END ECH KEYS-----
### Обратите внимание, что для любого TLS-слушателя, если параметр "allow-insecure" не равен true, необходимо указать "certificate and private-key". ###
# shadow-tls:
# enable: true
# version: 3 # поддерживает v1/v2/v3
# # password: shadow-tls-password # параметр конфигурации v2
# users: # параметр конфигурации v3
# - name: shadow-tls-user
# password: shadow-tls-password
# handshake:
# dest: www.example.com:443
# # proxy: ""
# res-tls:
# enable: true
# dest: www.example.com:443
# password: restls-password
# # restls-script: ""
# # min-record-len: 0
# # proxy: ""
# jls-config: # JLS заменяет обычный TLS; неавторизованные соединения перенаправляются на dest
# enable: true
# users:
# - username: jls-user
# password: jls-password
# dest: www.example.com:443
# # sni: www.example.com # если пусто, выводится из dest
# # alpn: [h2, http/1.1]
# # proxy: ""
# # rate-limit: 0 # ограничение скорости перенаправления (fallback), в бит/с; 0 означает без ограничений
### ВНИМАНИЕ: Для слушателя anytls, если "allow-insecure" не равен true, необходимо заполнить как минимум одну из опций: "certificate и private-key" или "shadow-tls" или "res-tls" или "jls-config" ###
# allow-insecure: false # Разрешить ли отключение шифрования TLS (Примечание: используется только при предварительной установке nginx или caddy)
padding-scheme: "" # https://github.com/anytls/anytls-go/blob/main/docs/protocol.md#cmdupdatepaddingscheme
```
Expand Down