diff --git a/docs/config/inbound/listeners/vless.en.md b/docs/config/inbound/listeners/vless.en.md new file mode 100644 index 000000000..4937eba6e --- /dev/null +++ b/docs/config/inbound/listeners/vless.en.md @@ -0,0 +1,103 @@ +# VLESS + +```{.yaml linenums="1"} +listeners: +- name: vless-in-1 + type: vless + port: 10817 # supports ports format, e.g., 200,302 or 200,204,401-429,501-503 + listen: 0.0.0.0 + # routing-mark: 0 # set routing-mark for listening socket (Linux only) + # rule: sub-rule-name1 # uses rules by default; if sub-rule is not found, uses rules directly + # proxy: proxy # if not empty, directly hands over inbound traffic to the specified proxy (if proxy is not empty, the proxy name here must be valid, otherwise an error will occur) + users: + - username: 1 + uuid: 9d0cb9d0-964f-4ef6-897d-6c6b3ccf9e68 + flow: xtls-rprx-vision + # ws-path: "/" # if not empty, enables websocket transport layer + # grpc-service-name: "GunService" # if not empty, enables grpc transport layer + # xhttp-config: # If the field is not empty, enable the xhttp transport layer. + # path: "/" + # host: "" + # mode: auto # Available: "stream-one", "stream-up" or "packet-up" + # no-sse-header: false + # x-padding-bytes: "100-1000" + # x-padding-obfs-mode: false + # x-padding-key: x_padding + # x-padding-header: Referer + # x-padding-placement: queryInHeader # Available: queryInHeader, cookie, header, query + # x-padding-method: repeat-x # Available: repeat-x, tokenish + # uplink-http-method: POST # Available: POST, PUT, PATCH, DELETE + # session-placement: path # Available: path, query, cookie, header + # session-key: "" + # session-table: "" # Available: "", "uuid", "ALPHABET", "Alphabet", "BASE36", "Base62", "HEX", "alphabet", "base36", "hex", "number" + # session-length: "16-32" # the initial value cannot be 0, and the total ID space must be greater than 2.1 billion; takes effect only if session-table is not empty or uuid + # seq-placement: path # Available: path, query, cookie, header + # seq-key: "" + # uplink-data-placement: body # Available: body, cookie, header + # uplink-data-key: "" + # uplink-chunk-size: 0 # only applicable when uplink-data-placement is not body + # sc-max-buffered-posts: 30 + # sc-stream-up-server-secs: "20-80" + # sc-max-each-post-bytes: 1000000 + # ------------------------- + # Configuration of server-side vless encryption: + # (native mode / public key XOR only / fully random. 1-RTT generates a random ticket valid for 300-600 seconds each time for 0-RTT reuse / only 1-RTT is allowed) + # Filling in "600s" will randomly take between 50% and 100%, which is equivalent to filling in "300-600s" + # / means selecting only one option, followed by base64 - at least one, infinite chain, use `mihomo generate vless-x25519` and `mihomo generate vless-mlkem768` to generate, remove parentheses when replacing values + # + # Padding is an optional parameter, taking effect only on 1-RTT to eliminate handshake length characteristics, default value on both sides is "100-111-1111.75-0-111.50-0-3333": + # After 1-RTT client/server hello, a random padding of 111 to 1111 bytes is added with 100% probability + # With 75% probability, a random delay of 0 to 111 milliseconds is applied ("probability-from-to") + # Again with 50% probability, a random padding of 0 to 3333 bytes is sent (if 0, Write() is not called) + # Server and client can set different padding parameters, infinite chain in the order of len, gap, the first padding requires 100% probability, minimum 35 bytes + # ------------------------- + # decryption: "mlkem768x25519plus.native/xorpub/random.600s(300-600s)/0s.(padding len).(padding gap).(X25519 PrivateKey).(ML-KEM-768 Seed)..." + # if the following two options are filled, enables tls (must be filled together) + # certificate: ./server.crt # certificate in PEM format, or the path to the certificate + # private-key: ./server.key # corresponding private key in PEM format, or the path to the private key + # the following two options are for mTLS configuration. If client-auth-type is set to "verify-if-given" or "require-and-verify", client-auth-cert must not be empty + # client-auth-type: "" # available values: "", "request", "require-any", "verify-if-given", "require-and-verify" + # client-auth-cert: string # certificate in PEM format, or the path to the certificate + # if filled, enables ECH (can be generated by `mihomo generate ech-keypair `) + # ech-key: | + # -----BEGIN ECH KEYS----- + # ACATwY30o/RKgD6hgeQxwrSiApLaCgU+HKh7B6SUrAHaDwBD/g0APwAAIAAgHjzK + # madSJjYQIf9o1N5GXjkW4DEEeb17qMxHdwMdNnwADAABAAEAAQACAAEAAwAIdGVz + # dC5jb20AAA== + # -----END ECH KEYS----- + # if reality-config is filled, enables reality (note: cannot be filled simultaneously with certificate and private-key) + reality-config: + dest: test.com:443 + private-key: jNXHt1yRo0vDuchQlIP6Z0ZvjT3KtzVI-T4E7RoLJS0 # can be generated by `mihomo generate reality-keypair` command + short-id: + - 0123456789abcdef + server-names: + - test.com + # the following two limits are optional, used to rate-limit fallback connections that fail verification, bytesPerSec defaults to 0 which means disabled + # fallback rate limiting is a fingerprint feature and is not recommended; if you are a panel/one-click script developer, make sure to randomize these parameters + limit-fallback-upload: + after-bytes: 0 # starts rate limiting after transmitting specified bytes + bytes-per-sec: 0 # baseline speed (bytes/second) + burst-bytes-per-sec: 0 # burst speed (bytes/second), takes effect when greater than bytesPerSec + limit-fallback-download: + after-bytes: 0 # starts rate limiting after transmitting specified bytes + bytes-per-sec: 0 # baseline speed (bytes/second) + burst-bytes-per-sec: 0 # burst speed (bytes/second), takes effect when greater than bytesPerSec + # shadow-tls: + # enable: true + # version: 3 # supports v1/v2/v3 + # # password: shadow-tls-password # v2 configuration item + # users: # v3 configuration item + # - name: shadow-tls-user + # password: shadow-tls-password + # handshake: + # dest: [www.example.com:443](https://www.example.com:443) + # # proxy: "" + ### NOTE: For vless listener, if "allow-insecure" is not true, at least one of "certificate and private-key" or "shadow-tls" or "jls-config" or "reality-config" or "decryption" must be filled in ### + # allow-insecure: false # whether to allow disabling TLS encryption (NOTE: only used when upstreamed by nginx, caddy, etc.) + # mux-option: + # padding: true + # brutal: + # enabled: true + # up: 1000 # default Mbps + # down: 1000 diff --git a/docs/config/inbound/listeners/vless.md b/docs/config/inbound/listeners/vless.md index 8f7ecfecb..8c2ddc4da 100644 --- a/docs/config/inbound/listeners/vless.md +++ b/docs/config/inbound/listeners/vless.md @@ -83,7 +83,17 @@ listeners: after-bytes: 0 # 传输指定字节后开始限速 bytes-per-sec: 0 # 基准速率(字节/秒) burst-bytes-per-sec: 0 # 突发速率(字节/秒),大于 bytesPerSec 时生效 - ### 注意,对于vless listener, 如果 "allow-insecure" 不为 true, 至少需要填写 “certificate和private-key” 或 “reality-config” 或 “decryption” 的其中一项 ### + # shadow-tls: + # enable: true + # version: 3 # 支持 v1/v2/v3 + # # password: shadow-tls-password # v2 配置项 + # users: # v3 配置项 + # - name: shadow-tls-user + # password: shadow-tls-password + # handshake: + # dest: www.example.com:443 + # # proxy: "" + ### 注意,对于vless listener, 如果 "allow-insecure" 不为 true, 至少需要填写 “certificate和private-key” 或 “shadow-tls” 或 “jls-config” 或 “reality-config” 或 “decryption” 的其中一项 ### # allow-insecure: false # 是否允许不开启tls加密(注意:仅用于有 nginx, caddy 前置的情况) # mux-option: # padding: true diff --git a/docs/config/inbound/listeners/vless.ru.md b/docs/config/inbound/listeners/vless.ru.md index 3507fa6dd..1753fee16 100644 --- a/docs/config/inbound/listeners/vless.ru.md +++ b/docs/config/inbound/listeners/vless.ru.md @@ -83,7 +83,17 @@ listeners: after-bytes: 0 # начать ограничение скорости после передачи указанного количества байт bytes-per-sec: 0 # базовая скорость (байт/сек) burst-bytes-per-sec: 0 # пиковая скорость (байт/сек), действует когда больше bytesPerSec - ### Обратите внимание, что для слушателей Vless, если параметр "allow-insecure" не равен true, необходимо заполнить хотя бы одно из следующих полей: "certificate and private-key", "reality-config" или "decryption". ### + # shadow-tls: + # enable: true + # version: 3 # поддерживает v1/v2/v3 + # # password: shadow-tls-password # параметр конфигурации v2 + # users: # параметр конфигурации v3 + # - name: shadow-tls-user + # password: shadow-tls-password + # handshake: + # dest: www.example.com:443 + # # proxy: "" + ### ВНИМАНИЕ: Для слушателя vless, если "allow-insecure" не равен true, необходимо заполнить как минимум одну из опций: «certificate и private-key» или «shadow-tls» или «jls-config» или «reality-config» или «decryption» ### # allow-insecure: false # Разрешить ли отключение шифрования TLS (Примечание: только в случаях, когда nginx или caddy установлены предварительно) # mux-option: # padding: true