diff --git a/adapter/outbound/ech.go b/adapter/outbound/ech.go
index 47d9df4d..151a8498 100644
--- a/adapter/outbound/ech.go
+++ b/adapter/outbound/ech.go
@@ -12,6 +12,8 @@ import (
 type ECHOptions struct {
 Enable bool `proxy:"enable,omitempty" obfs:"enable,omitempty"`
 Config string `proxy:"config,omitempty" obfs:"config,omitempty"`
+
+ QueryServerName string `proxy:"query-server-name,omitempty" obfs:"query-server-name,omitempty"`
 }
 
 func (o ECHOptions) Parse() (*ech.Config, error) {
@@ -29,6 +31,9 @@ func (o ECHOptions) Parse() (*ech.Config, error) {
 }
 } else {
 echConfig.GetEncryptedClientHelloConfigList = func(ctx context.Context, serverName string) ([]byte, error) {
+ if o.QueryServerName != "" { // overrides the domain name used for ECH HTTPS record queries
+ serverName = o.QueryServerName
+ }
 return resolver.ResolveECHWithResolver(ctx, serverName, resolver.ProxyServerHostResolver)
 }
 }
diff --git a/docs/config.yaml b/docs/config.yaml
index 9f7fe077..0170f08f 100644
--- a/docs/config.yaml
+++ b/docs/config.yaml
@@ -459,6 +459,7 @@ proxies: # socks5
 # enable: true # 必须手动开启
 # # 如果config为空则通过dns解析,不为空则通过该值指定,格式为经过base64编码的ech参数(dig +short TYPE65 tls-ech.dev)
 # config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA
+ # # query-server-name: xxx.com # 可选项,不为空时用于指定通过dns解析时的域名
 # skip-cert-verify: true
 # host: bing.com
 # path: "/"
@@ -600,6 +601,7 @@ proxies: # socks5
 # enable: true # 必须手动开启
 # # 如果config为空则通过dns解析,不为空则通过该值指定,格式为经过base64编码的ech参数(dig +short TYPE65 tls-ech.dev)
 # config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA
+ # # query-server-name: xxx.com # 可选项,不为空时用于指定通过dns解析时的域名
 # ws-opts:
 # path: /path
 # headers:
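Review bot: `QueryServerName` reaches `resolver.ResolveECHWithResolver` verbatim from the `GetEncryptedClientHelloConfigList` closure in `Parse()`, and the new `ECHOptions` field carries no doc comment stating the trust consequence of setting it. With the override, the ECH config list used for the handshake is taken from the HTTPS record of a domain other than the one being dialled, so its integrity depends on that domain's DNS and on how `resolver.ProxyServerHostResolver` performs the lookup; I would put this on the field, e.g. `// QueryServerName, if set, is the name whose HTTPS record supplies the ECH config list instead of the TLS server name.` From the surrounding `else` it also looks as if the value is silently ignored when `Config` is non-empty, which is worth a second comment line or a config-load warning. Trimming whitespace and rejecting a malformed host name once in `Parse()` would surface typos at load time rather than as a failed lookup on every handshake; `Parse()` begins and ends outside both hunks, so existing validation is not visible here.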
@@ -685,6 +687,7 @@ proxies: # socks5
 # enable: true # 必须手动开启
 # # 如果config为空则通过dns解析,不为空则通过该值指定,格式为经过base64编码的ech参数(dig +short TYPE65 tls-ech.dev)
 # config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA
+ # # query-server-name: xxx.com # 可选项,不为空时用于指定通过dns解析时的域名
 
 - name: "vless-vision"
 type: vless
@@ -807,6 +810,7 @@ proxies: # socks5
 # enable: true # 必须手动开启
 # # 如果config为空则通过dns解析,不为空则通过该值指定,格式为经过base64编码的ech参数(dig +short TYPE65 tls-ech.dev)
 # config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA
+ # # query-server-name: xxx.com # 可选项,不为空时用于指定通过dns解析时的域名
 
 - name: trojan-grpc
 server: server
@@ -878,6 +882,7 @@ proxies: # socks5
 # enable: true # 必须手动开启
 # # 如果config为空则通过dns解析,不为空则通过该值指定,格式为经过base64编码的ech参数(dig +short TYPE65 tls-ech.dev)
 # config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA
+ # # query-server-name: xxx.com # 可选项,不为空时用于指定通过dns解析时的域名
 # skip-cert-verify: false
 # recv-window-conn: 12582912
 # recv-window: 52428800
@@ -906,6 +911,7 @@ proxies: # socks5
 # enable: true # 必须手动开启
 # # 如果config为空则通过dns解析,不为空则通过该值指定,格式为经过base64编码的ech参数(dig +short TYPE65 tls-ech.dev)
 # config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA
+ # # query-server-name: xxx.com # 可选项,不为空时用于指定通过dns解析时的域名
 # skip-cert-verify: false
 # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
 # 下面两项如果填写则开启 mTLS(需要同时填写)
@@ -1002,6 +1008,7 @@ proxies: # socks5 # enable: true # 必须手动开启 # # 如果config为空则通过dns解析,不为空则通过该值指定,格式为经过base64编码的ech参数(dig +short TYPE65 tls-ech.dev) # config: AEn+DQBFKwAgACABWIHUGj4u+PIggYXcR5JF0gYk3dCRioBW8uJq9H4mKAAIAAEAAQABAANAEnB1YmxpYy50bHMtZWNoLmRldgAA + # # query-server-name: xxx.com # 可选项,不为空时用于指定通过dns解析时的域名 # # meta 和 sing-box 私有扩展,将 ss-uot 用于 udp 中继,开启此选项后 udp-relay-mode 将失效 # 警告,与原版 tuic 不兼容!!!