From 41b062a13d9340a7881b70f38640c4de8d431db4 Mon Sep 17 00:00:00 2001 From: Toby Date: Sun, 30 Jun 2024 21:59:39 -0700 Subject: [PATCH] v2.5.0 --- docs/docs/Changelog.md | 6 +++++ docs/docs/Changelog.zh.md | 6 +++++ docs/docs/advanced/Full-Server-Config.md | 27 +++++++++++++++++++ docs/docs/advanced/Full-Server-Config.zh.md | 27 +++++++++++++++++++ .../Server-Installation-Script.md | 2 +- .../Server-Installation-Script.zh.md | 2 +- 6 files changed, 68 insertions(+), 2 deletions(-) diff --git a/docs/docs/Changelog.md b/docs/docs/Changelog.md index 5982125..97f37b4 100644 --- a/docs/docs/Changelog.md +++ b/docs/docs/Changelog.md @@ -4,6 +4,12 @@ hide: - navigation --- +## 2.5.0 + +- Added support for ACME DNS challenge, including several common providers such as Cloudflare, GoDaddy, and Name.com +- Added server-side protocol sniffing, supporting HTTP, TLS (HTTPS), and QUIC (HTTP/3) +- Fixed the issue with inaccurate unit conversion in the speed test command (1024 -> 1000) + ## 2.4.5 - Fixed some logic issues in BBR, and added `HYSTERIA_BBR_DEBUG` environment variable for printing debug information diff --git a/docs/docs/Changelog.zh.md b/docs/docs/Changelog.zh.md index 5a7bda4..8f9daca 100644 --- a/docs/docs/Changelog.zh.md +++ b/docs/docs/Changelog.zh.md @@ -4,6 +4,12 @@ hide: - navigation --- +## 2.5.0 + +- 新增 ACME DNS 验证支持,支持 Cloudflare, GoDaddy, Name.com 等多个常见服务商 +- 新增服务端协议嗅探 (Sniff),支持 HTTP, TLS (HTTPS) 和 QUIC (HTTP/3) 协议 +- 修复测速命令中速度显示单位转换不准确的问题 (1024 -> 1000) + ## 2.4.5 - 修复 BBR 中的一些逻辑问题,并新增 `HYSTERIA_BBR_DEBUG` 环境变量用于输出 BBR 调试信息 diff --git a/docs/docs/advanced/Full-Server-Config.md b/docs/docs/advanced/Full-Server-Config.md index f87c592..283bfcc 100644 --- a/docs/docs/advanced/Full-Server-Config.md +++ b/docs/docs/advanced/Full-Server-Config.md 
@@ -315,6 +315,33 @@ resolver: If omitted, Hysteria will use the system's default resolver. +## Protocol Sniffing + +Due to factors such as the client's inbound (e.g., TUN mode) and configuration, Hysteria sometimes can't get the domain name of the destination address and only gets the IP. But the IP the client and server get for the same domain might be different, and the ACL's domain rules can't match IP requests. By enabling protocol sniffing, the server can use DPI to extract the domain name from the connection (for supported protocols) and convert the IP request to a domain one. + +Currently supported protocols are: + +- HTTP - Host in the header +- TLS (HTTPS) - SNI +- QUIC (HTTP/3) - SNI + +```yaml +sniff: + enable: true # (1)! + timeout: 2s # (2)! + rewriteDomain: false # (3)! + tcpPorts: 80,443,8000-9000 # (4)! + udpPorts: all # (5)! +``` + +1. Whether to enable protocol sniffing. +2. Sniffing timeout. If the protocol/domain cannot be determined within this time, the original address will be used to initiate the connection. +3. Whether to rewrite requests that are already in domain name form. If enabled, requests with the target address already in domain name form will still be sniffed. +4. List of TCP ports. Only TCP requests on these ports will be sniffed. +5. List of UDP ports. Only UDP requests on these ports will be sniffed. + +> **Note:** If no port list is provided, all ports will be sniffed by default. The format of the port list is the same as port hopping, supporting multiple single ports and port ranges (inclusive) separated by commas. + ## ACL ACL, often used in combination with outbounds, is a very powerful feature of the Hysteria server that allows you to customize the way client's requests are handled. For example, you can use ACL to block certain addresses, or to use different outbounds for different websites. diff --git a/docs/docs/advanced/Full-Server-Config.zh.md b/docs/docs/advanced/Full-Server-Config.zh.md index a798452..71455e6 100644 
--- a/docs/docs/advanced/Full-Server-Config.zh.md +++ b/docs/docs/advanced/Full-Server-Config.zh.md @@ -315,6 +315,33 @@ resolver: 如果省略,Hysteria 将使用系统默认的 DNS 服务器。 +## 协议嗅探 (Sniff) + +由于客户端连接入站的方式(如 TUN 模式)及配置等因素,Hysteria 有时无法获取到域名形式的目标地址,只能拿到解析后的 IP。但对于相同域名,客户端和服务端解析出的 IP 可能不同,且 ACL 的域名规则无法匹配 IP 请求。开启协议嗅探后,服务端能通过 DPI 从上层协议中获取目标域名,将 IP 请求转换为域名请求。 + +目前支持的协议有: + +- HTTP - Host 字段 +- TLS (HTTPS) - SNI +- QUIC (HTTP/3) - SNI + +```yaml +sniff: + enable: true # (1)! + timeout: 2s # (2)! + rewriteDomain: false # (3)! + tcpPorts: 80,443,8000-9000 # (4)! + udpPorts: all # (5)! +``` + +1. 是否启用协议嗅探。 +2. 嗅探超时时间。如果超过这个时间仍然无法确定协议/获取域名,将使用原地址发起连接。 +3. 是否重写已经是域名的请求。如果启用,对于目标地址已经是域名的请求,仍会进行嗅探。 +4. TCP 端口列表。只有这些端口的 TCP 请求会被嗅探。 +5. UDP 端口列表。只有这些端口的 UDP 请求会被嗅探。 + +> **注意:** 如果不提供端口列表,默认所有端口都会被嗅探。端口列表中的端口格式与端口跳跃相同,支持逗号分隔的多个单端口和端口范围(闭区间)。 + ## ACL ACL 是 Hysteria 服务端中一个非常强大的功能,可以用来自定义处理客户端请求的方式,往往配合出站规则(outbounds)使用。例如,可以使用 ACL 来屏蔽某些地址,或者针对不同网站使用不同的出口。 diff --git a/docs/docs/getting-started/Server-Installation-Script.md b/docs/docs/getting-started/Server-Installation-Script.md index dbbf518..d85f473 100644 --- a/docs/docs/getting-started/Server-Installation-Script.md +++ b/docs/docs/getting-started/Server-Installation-Script.md @@ -48,7 +48,7 @@ bash <(curl -fsSL https://get.hy2.sh/) Install or upgrade to a specified version. ```sh -bash <(curl -fsSL https://get.hy2.sh/) --version v2.4.5 +bash <(curl -fsSL https://get.hy2.sh/) --version v2.5.0 ``` ### Uninstall diff --git a/docs/docs/getting-started/Server-Installation-Script.zh.md b/docs/docs/getting-started/Server-Installation-Script.zh.md index 72758fc..da7d346 100644 --- a/docs/docs/getting-started/Server-Installation-Script.zh.md +++ b/docs/docs/getting-started/Server-Installation-Script.zh.md @@ -48,7 +48,7 @@ bash <(curl -fsSL https://get.hy2.sh/) 安装或升级为指定版本,不进行版本检查。 ```sh -bash <(curl -fsSL https://get.hy2.sh/) --version v2.4.5 +bash <(curl -fsSL https://get.hy2.sh/) --version v2.5.0 ``` ### 卸载
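Review bot: In the docs/docs/Changelog.md hunk, the first 2.5.0 entry announces ACME DNS challenge support for Cloudflare, GoDaddy and Name.com, but none of the six files in this patch documents how to configure it. The only addition to Full-Server-Config.md is the Protocol Sniffing section. Add the ACME DNS options to Full-Server-Config.md and Full-Server-Config.zh.md in this commit, or point the changelog entry at the page that documents them.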
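Review bot: In the Protocol Sniffing section added to docs/docs/advanced/Full-Server-Config.md, the example sets `udpPorts: all`, but the note under it only describes single ports and inclusive ranges and says that omitting the list sniffs every port, so `all` is never defined as an accepted value. Document `all` explicitly or drop that line from the example. The annotations also give no default for `enable`, `timeout` or `rewriteDomain`. Finally, the section should say outright that the sniffed name is read from client-supplied fields (HTTP Host, TLS and QUIC SNI), because the text presents that name as what ACL domain rules will match once the IP request is converted.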
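Review bot: In the docs/docs/advanced/Full-Server-Config.zh.md hunk, the introductory paragraph omits the "(for supported protocols)" qualifier that the English paragraph carries, and the heading adds "(Sniff)" where the English heading is only "Protocol Sniffing". Align the two so the limitation reads the same in both languages. The example's `udpPorts: all` is also not among the port-list formats described in the 注意 block of this hunk.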
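Review bot: In the two Server-Installation-Script hunks, the context sentence above the changed command differs between languages: the English reads "Install or upgrade to a specified version." while the Chinese adds "不进行版本检查" (no version check is performed). Since this commit touches both files, bring the English sentence in line with the Chinese one so both describe `--version` the same way. The hard-coded `v2.5.0` also has to be edited by hand in both files on every release; a placeholder in the example would avoid these bump-only hunks.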