chika0801 / sing-box-examples

sing-box 配置示例
https://github.com/SagerNet/sing-box

Please advise on my sing-box config #102

Closed. baraja closed this 5 months ago

baraja commented 5 months ago

Hello, I adapted one of your configs by following the pattern. My requirements are:

1. Do not use TUN; use only the system proxy, i.e. a mixed inbound.
2. Hand all overseas domains to the remote server, avoiding local resolution.
3. Less common domestic domains must still match the geoip=cn rule.

The problems I am hitting:

1. With the very same config, all of the above works in TUN mode, but once I switch to mixed the geoip rule never matches and everything falls through to the final rule.
2. After asking in the sing-box group I set "domain_strategy": "ipv4_only". geoip then matches, so requirement 3 is satisfied, but requirement 2 is broken: every domain gets resolved to an IP locally, and it does not match my fakeip rule either.
3. The same config on Android, paired with AdGuard (AdGuard routed through sing-box's proxy and DNS), achieves 1, 2 and 3 without trouble.

How should I adjust it?

{
  "log": {
    "disabled": false,
    "level": "info",
    "output": "",
    "timestamp": false
  },
  "dns": {
    "servers": [
      {
        "tag": "dns_clean",
        "address": "quic://94.140.14.140",
        "address_resolver": "dns_bootstrap",
        "strategy": "ipv4_only",
        "detour": "direct"
      },
      {
        "tag": "dns_dirty",
        "address": "h3://dns.alidns.com/dns-query",
        "address_resolver": "dns_bootstrap",
        "strategy": "ipv4_only",
        "detour": "direct"
      },
      {
        "tag": "dns_bootstrap",
        "address": "119.29.29.29",
        "detour": "direct"
      },
      {
        "tag": "dns_success",
        "address": "rcode://success"
      },
      {
        "tag": "dns_refused",
        "address": "rcode://refused"
      },
      {
        "tag": "dns_fakeip",
        "address": "fakeip"
      }
    ],
    "rules": [
      {
        "outbound": "any",
        "server": "dns_bootstrap"
      },
      {
        "domain_suffix": [
          ".mcdn.bilivideo.cn",
          ".szbdyd.com"
        ],
        "domain_regex": [
          "cn-[a-zA-Z0-9-]+\\.bilivideo\\.com",
          "[a-zA-Z0-9-]+-pcdn-[a-zA-Z0-9-]+\\.biliapi\\.net"
        ],
        "rule_set": [
          "BlockHttpDNS",
          "geosite-category-ads-all"
        ],
        "server": "dns_success",
        "disable_cache": true
      },
      {
        "query_type": [
          "A",
          "AAAA"
        ],
        "rule_set": "geosite-geolocation-!cn",
        "server": "dns_fakeip"
      },
      {
        "query_type": "CNAME",
        "rule_set": "geosite-geolocation-!cn",
        "server": "dns_clean"
      },
      {
        "clash_mode": "direct",
        "server": "dns_bootstrap"
      }
    ],
    "final": "dns_clean",
    "fakeip": {
      "enabled": true,
      "inet4_range": "198.15.0.0/15"
    },
    "independent_cache": true
  },
  "inbounds": [
    {
      "type": "direct",
      "tag": "dns-in",
      "listen": "127.0.0.1",
      "listen_port": 5353,
      "network": "udp"
    },
    {
      "type": "mixed",
      "tag": "mixed-in",
      "listen": "127.0.0.1",
      "listen_port": 1085,
      "sniff": true,
      "sniff_override_destination": false,
      "sniff_timeout": "300ms",
      "domain_strategy": "ipv4_only"
    }
  ],
  "outbounds": [
    {
      "type": "vless",
      "tag": "proxy",
      "server": "xxxx.com",
      "server_port": 1111,
      "uuid": "",
      "flow": "xtls-rprx-vision",
      "tls": {
        "enabled": true,
        "server_name": "www.apple.com",
        "utls": {
          "enabled": true,
          "fingerprint": "ios"
        },
        "reality": {
          "enabled": true,
          "public_key": "",
          "short_id": ""
        }
      },
      "packet_encoding": "xudp"
    },
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "block",
      "tag": "block"
    },
    {
      "type": "dns",
      "tag": "dns-out"
    }
  ],
  "route": {
    "rules": [
      {
        "protocol": "dns",
        "outbound": "dns-out"
      },
      {
        "rule_set": [
          "BlockHttpDNS",
          "geosite-category-ads-all"
        ],
        "domain_suffix": [
          ".mcdn.bilivideo.cn",
          ".szbdyd.com"
        ],
        "domain_regex": [
          "cn-[a-zA-Z0-9-]+\\.bilivideo\\.com",
          "[a-zA-Z0-9-]+-pcdn-[a-zA-Z0-9-]+\\.biliapi\\.net"
        ],
        "outbound": "block"
      },
      {
        "rule_set": "geosite-geolocation-!cn",
        "outbound": "proxy"
      },
      {
        "rule_set": "geoip-cn",
        "outbound": "direct"
      },
      {
        "ip_is_private": true,
        "outbound": "direct"
      }
    ],
    "rule_set": [
      {
        "type": "remote",
        "tag": "BlockHttpDNS",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/bm7/BlockHttpDNS.srs",
        "download_detour": "proxy",
        "update_interval": "24h0m0s"
      },
      {
        "type": "remote",
        "tag": "geosite-category-ads-all",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-category-ads-all.srs",
        "download_detour": "proxy",
        "update_interval": "24h0m0s"
      },
      {
        "type": "remote",
        "tag": "geoip-cn",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geoip/cn.srs",
        "download_detour": "proxy",
        "update_interval": "24h0m0s"
      },
      {
        "type": "remote",
        "tag": "geosite-geolocation-!cn",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-!cn.srs",
        "download_detour": "proxy",
        "update_interval": "24h0m0s"
      }
    ],
    "final": "proxy"
  },
  "experimental": {
    "cache_file": {
      "enabled": true,
      "path": "cache.db",
      "store_fakeip": true
    },
    "clash_api": {
      "external_controller": "0.0.0.0:9988",
      "external_ui_download_detour": "proxy",
      "secret": "",
      "default_mode": "Rule"
    }
  }
}
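A config check added here (not from the thread or the sing-box project): the posted config combines several rule sets in one rule, and a repeated JSON key is the easy mistake to make there, since parsers keep only the last value and the first rule set silently stops applying. This Python linter loads a sing-box config with duplicate-key detection and also verifies that every `rule_set` tag used by a DNS or route rule is defined under `route.rule_set`; the sample config is constructed for the demonstration.

```python
import json

# Constructed sample (not from the thread): one route rule repeats "rule_set"
# and a DNS rule references a tag that route.rule_set never defines.
SAMPLE_CONFIG = """{
  "dns": {"rules": [
    {"outbound": "any", "server": "dns_bootstrap"},
    {"rule_set": "geosite-geolocation-!cn", "server": "dns_clean"}]},
  "route": {
    "rules": [
      {"rule_set": "BlockHttpDNS", "rule_set": "geosite-category-ads-all", "outbound": "block"},
      {"rule_set": "geoip-cn", "outbound": "direct"}],
    "rule_set": [
      {"type": "remote", "tag": "geosite-category-ads-all", "format": "binary"},
      {"type": "remote", "tag": "geoip-cn", "format": "binary"}]}}"""


def load_with_duplicate_check(text):
    """Parse JSON and report keys repeated within a single object.
    Most parsers, Python's included, keep the last value of a repeated key,
    so {"rule_set": "A", "rule_set": "B"} becomes {"rule_set": "B"} and
    rule set A is never consulted; several rule sets belong in one list."""
    problems = []

    def hook(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                problems.append(f'duplicate key "{key}": {obj[key]!r} overridden by {value!r}')
            obj[key] = value
        return obj

    return json.loads(text, object_pairs_hook=hook), problems


def check_rule_set_refs(cfg):
    """Every rule_set tag used by a top-level DNS or route rule must be defined."""
    defined = {rs.get("tag") for rs in cfg.get("route", {}).get("rule_set", [])}
    problems = []
    for section in ("dns", "route"):
        for i, rule in enumerate(cfg.get(section, {}).get("rules", [])):
            tags = rule.get("rule_set", [])
            for tag in (tags if isinstance(tags, list) else [tags]):
                if tag not in defined:
                    problems.append(f'{section}.rules[{i}] uses undefined rule_set "{tag}"')
    return problems


def lint(text):
    cfg, problems = load_with_duplicate_check(text)
    return problems + check_rule_set_refs(cfg)
```

Nested "logical" rules are not walked; extend `check_rule_set_refs` if you use them.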
chika0801 commented 5 months ago

{
  "log": {
    "disabled": false,
    "level": "info",
    "output": "",
    "timestamp": false
  },
  "dns": {
    "servers": [
      {
        "tag": "dns_clean",
        "address": "quic://94.140.14.140",
        "address_resolver": "dns_bootstrap",
        "strategy": "ipv4_only",
        "detour": "direct"
      },
      {
        "tag": "dns_dirty",
        "address": "h3://dns.alidns.com/dns-query",
        "address_resolver": "dns_bootstrap",
        "strategy": "ipv4_only",
        "detour": "direct"
      },
      {
        "tag": "dns_bootstrap",
        "address": "119.29.29.29",
        "detour": "direct"
      },
      {
        "tag": "dns_success",
        "address": "rcode://success"
      },
      {
        "tag": "dns_refused",
        "address": "rcode://refused"
      },
      {
        "tag": "dns_fakeip",
        "address": "fakeip"
      }
    ],
    "rules": [
      {
        "outbound": "any",
        "server": "dns_bootstrap"
      },
      {
        "rule_set": "geosite-geolocation-!cn",
        "server": "dns_clean"
      }
    ],
    "final": "dns_dirty"
  },
  "inbounds": [
    {
      "type": "mixed",
      "tag": "mixed-in",
      "listen": "127.0.0.1",
      "listen_port": 1085,
      "sniff": true,
      "sniff_override_destination": false,
      "sniff_timeout": "300ms",
      "domain_strategy": "ipv4_only"
    }
  ],
  "outbounds": [
    {
      "type": "vless",
      "tag": "proxy",
      "server": "xxxx.com",
      "server_port": 1111,
      "uuid": "",
      "flow": "xtls-rprx-vision",
      "tls": {
        "enabled": true,
        "server_name": "www.apple.com",
        "utls": {
          "enabled": true,
          "fingerprint": "ios"
        },
        "reality": {
          "enabled": true,
          "public_key": "",
          "short_id": ""
        }
      },
      "packet_encoding": "xudp"
    },
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "block",
      "tag": "block"
    },
    {
      "type": "dns",
      "tag": "dns-out"
    }
  ],
  "route": {
    "rules": [
      {
        "rule_set": "geosite-geolocation-!cn",
        "outbound": "proxy"
      },
      {
        "rule_set": "geoip-cn",
        "outbound": "direct"
      },
      {
        "ip_is_private": true,
        "outbound": "direct"
      }
    ],
    "rule_set": [
      {
        "type": "remote",
        "tag": "geoip-cn",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/sing/geo/geoip/cn.srs",
        "download_detour": "proxy",
        "update_interval": "24h0m0s"
      },
      {
        "type": "remote",
        "tag": "geosite-geolocation-!cn",
        "format": "binary",
        "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-!cn.srs",
        "download_detour": "proxy",
        "update_interval": "24h0m0s"
      }
    ],
    "final": "proxy"
  },
  "experimental": {
    "cache_file": {
      "enabled": true,
      "path": "cache.db",
      "store_fakeip": true
    }
  }
}
chika0801 commented 5 months ago
  1. On Windows, when you use the system proxy, it defaults to HTTP (even if you force it to SOCKS), and it will not take over (proxy) UDP traffic.
  2. So the destination addresses actually received by the inbound listening on port 1085 will all be domain names. Here you can try "sniff" on or off; from the logs, the destination address type is a domain either way.
  3. Because you used "domain_strategy", sing-box's flow is: take the received domain and resolve it to an IP with the DNS section you wrote.

    { "rule_set": "geosite-geolocation-!cn", "server": "dns_clean" }

I changed it to this for you. Since the condition is only the domain, copying "query_type" as well will never match; that is for use under TUN mode. So I removed it.

Domains that do not hit this category are resolved to an IP by the DNS server in "final": "dns_dirty".

  4. Then the domain and the resolved IP enter the route section and are matched top to bottom: "rule_set": "geosite-geolocation-!cn" hits and goes through the proxy; of the rest, CN IPs go direct and non-CN ones go to the first outbound, i.e. the proxy.

One last reminder: because you used "domain_strategy" on the inbound, the destination address, both for what the client connects to directly and for what is sent to the server, will be the resolved IP. You need to be clear about whether your server-side inbound config needs sniff to restore the destination IP back to a domain.

baraja commented 5 months ago

Thanks. With your new config I find that IPv6 for foreign sites still has problems; test-ipv6.com and ipv6.google.com cannot be accessed normally. From a rough look, it seems that without fakeip the IP is passed directly to the remote, and sending a v6 IP directly causes problems. With fakeip on the mixed inbound I have not found the right way to configure it yet. For now I have simply disabled v6 entirely, which works for the moment. I find sing-box's logic here differs from Clash and is rather complex; I can't keep fiddling with it~

baraja commented 5 months ago

I feel this is related to this issue, but I still haven't figured it out: https://github.com/chika0801/sing-box-examples/issues/94

baraja commented 5 months ago

You need to be clear about whether your server-side inbound config needs sniff to restore the destination IP back to a domain.

The server runs Xray without sniff added. My habit is for the server to connect directly on receiving a domain, so I would rather not resolve to an IP locally and then hand that to the server.

chika0801 commented 5 months ago

Thanks. With your new config I find that IPv6 for foreign sites still has problems; test-ipv6.com and ipv6.google.com cannot be accessed normally. From a rough look, it seems that without fakeip the IP is passed directly to the remote, and sending a v6 IP directly causes problems. With fakeip on the mixed inbound I have not found the right way to configure it yet. For now I have simply disabled v6 entirely, which works for the moment.

With a reply like that, I don't want to help you any further either; just don't use v6. Without seeing the actual config I can't analyze anything else.

I find sing-box's logic here differs from Clash,

I don't really know the Clash family; I haven't studied it deeply. The logic flow of Xray and sing-box is actually not very different. I came to sing-box from Xray; apart from the Clash-style parameters in sing-box, which I haven't tested, I have tried most of the rest.

chika0801 commented 5 months ago

I feel this is related to this issue, but I still haven't figured it out: #94

About the question asked there, after thinking it through my conclusion was: https://github.com/chika0801/sing-box-examples/issues/94#issuecomment-1890427168

If they hadn't come asking about that behaviour, I wouldn't have noticed it. My reply to them at the time was that how the client controls this is the user's business, not the core author's.

chika0801 commented 5 months ago

My habit on Windows is to run sing-box with TUN; the config is the self-use version I posted, with the outbound going to a local SOCKS port.

In the sing-box config, xray.exe is set to go direct; Xray takes that SOCKS port and then goes out.

DNS is handled in the sing-box config; the Xray config that receives the connection does not enable sniff on the inbound either.

On the server side, the Xray inbounds all have sniff enabled. Anyway, that is how I use it, and in daily use I haven't run into anything.