admin/elmprodvpn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6a56d734c2c1ed78ca5412e6780604d16bc8837f
elmprodvpn/docs/phase-e/E5_SINGBOX_PROTOCOLS_MATRIX.md

230 lines
11 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# E5 SingBox Protocols Matrix (Desktop-first)
Дата: 2026-03-08
Статус: active
Владелец: Engineering
Цель: зафиксировать поля подключения до реализации форм протоколов в GUI.
## 1) Источники (primary)
- Outbound overview: https://sing-box.sagernet.org/configuration/outbound/
- VLESS: https://sing-box.sagernet.org/configuration/outbound/vless/
- Trojan: https://sing-box.sagernet.org/configuration/outbound/trojan/
- Shadowsocks: https://sing-box.sagernet.org/configuration/outbound/shadowsocks/
- WireGuard: https://sing-box.sagernet.org/configuration/outbound/wireguard/
- Hysteria2: https://sing-box.sagernet.org/configuration/outbound/hysteria2/
- TUIC: https://sing-box.sagernet.org/configuration/outbound/tuic/
- Shared TLS: https://sing-box.sagernet.org/configuration/shared/tls/
- Shared V2Ray transport: https://sing-box.sagernet.org/configuration/shared/v2ray-transport/
- Shared Dial fields: https://sing-box.sagernet.org/configuration/shared/dial/
- Multiplex: https://sing-box.sagernet.org/configuration/shared/multiplex/
- UDP over TCP: https://sing-box.sagernet.org/configuration/shared/udp-over-tcp/
## 2) Фрейм реализации
- Target: `sing-box >= 1.12.x` (текущий runtime у нас `1.12.12`).
- UI-стратегия:
- `MVP`: критичные поля подключения.
- `Advanced`: дополнительные tuning-поля.
- `Raw-only`: редкие/экзотические поля, остаются в raw JSON режиме.
---
## 3) Общие блоки (для большинства outbound)
### 3.1 Базовые outbound-поля
| JSON path | Type | Required | UI level | Notes |
|---|---|---|---|---|
| `outbound.type` | enum/string | yes | MVP | фиксируется выбранным протоколом |
| `outbound.tag` | string | yes | MVP | стабильный id карточки |
| `outbound.detour` | string | no | Advanced | цепочка через другой outbound |
### 3.2 Shared Dial fields (ядро соединения)
| JSON path | Type | Required | UI level | Notes |
|---|---|---|---|---|
| `outbound.server` | string | yes | MVP | hostname/IP сервера |
| `outbound.server_port` | int | yes | MVP | 1..65535 |
| `outbound.network` | enum | no | MVP | `tcp|udp` (по протоколу) |
| `outbound.connect_timeout` | duration | no | Advanced | таймаут dial |
| `outbound.tcp_fast_open` | bool | no | Advanced | TCP Fast Open |
| `outbound.tcp_multi_path` | bool | no | Advanced | MPTCP (если поддерживается) |
| `outbound.udp_fragment` | bool | no | Advanced | UDP fragmentation |
| `outbound.domain_resolver` | string/object | no | Advanced | используется с новым DNS-форматом |
| `outbound.bind_interface` | string | no | Advanced | привязка к интерфейсу |
| `outbound.routing_mark` | int | no | Advanced | fwmark для выхода |
### 3.3 Shared TLS/Reality блок (где применимо)
| JSON path | Type | Required | UI level | Notes |
|---|---|---|---|---|
| `outbound.tls.enabled` | bool | depends | MVP | must be `true` для Reality |
| `outbound.tls.server_name` | string | depends | MVP | SNI |
| `outbound.tls.insecure` | bool | no | Advanced | skip verify |
| `outbound.tls.alpn` | []string | no | Advanced | ALPN list |
| `outbound.tls.utls.enabled` | bool | no | Advanced | uTLS toggle |
| `outbound.tls.utls.fingerprint` | enum/string | no | MVP | для Reality-сценариев обычно обязательно |
| `outbound.tls.reality.enabled` | bool | depends | MVP | Reality mode |
| `outbound.tls.reality.public_key` | string | depends | MVP | Reality PBK |
| `outbound.tls.reality.short_id` | string | no | MVP | Reality SID |
### 3.4 Shared V2Ray transport блок (где применимо)
| JSON path | Type | Required | UI level | Notes |
|---|---|---|---|---|
| `outbound.transport.type` | enum/string | no | MVP | `ws|http|grpc|quic|httpupgrade|...` |
| `outbound.transport.path` | string | depends | MVP | чаще для `ws/http/httpupgrade` |
| `outbound.transport.host` | string/[]string | depends | Advanced | Host header/SNI-like values |
| `outbound.transport.service_name` | string | depends | MVP | обычно для `grpc` |
| `outbound.transport.headers` | object | no | Advanced | custom headers |
### 3.5 Shared Multiplex / UDP-over-TCP (где применимо)
| JSON path | Type | Required | UI level | Notes |
|---|---|---|---|---|
| `outbound.multiplex` | object | no | Advanced | pooling/stream mux |
| `outbound.udp_over_tcp` | object | no | Advanced | туннелирование UDP через TCP |
---
## 4) Протокольные матрицы
## 4.1 VLESS outbound
| JSON path | Type | Required | UI level | Notes |
|---|---|---|---|---|
| `outbound.type` | const `vless` | yes | MVP | |
| `outbound.server` | string | yes | MVP | |
| `outbound.server_port` | int | yes | MVP | |
| `outbound.uuid` | string | yes | MVP | UUID |
| `outbound.flow` | string | no | MVP | напр. `xtls-rprx-vision` |
| `outbound.packet_encoding` | enum/string | no | Advanced | с `1.11` default `none` |
| `outbound.network` | enum | no | MVP | |
| `outbound.tls` | object | depends | MVP | TLS/Reality для production-сценариев |
| `outbound.transport` | object | no | MVP | V2Ray transport block |
Guardrails:
- `VLESS-001`: если `tls.reality.enabled=true` -> `tls.enabled=true`.
- `VLESS-002`: если `flow=xtls-rprx-vision` -> transport должен быть совместим с сервером и TLS включён.
## 4.2 Trojan outbound
| JSON path | Type | Required | UI level | Notes |
|---|---|---|---|---|
| `outbound.type` | const `trojan` | yes | MVP | |
| `outbound.server` | string | yes | MVP | |
| `outbound.server_port` | int | yes | MVP | |
| `outbound.password` | string | yes | MVP | secret |
| `outbound.network` | enum | no | MVP | |
| `outbound.tls` | object | yes (обычно) | MVP | TLS-блок |
| `outbound.transport` | object | no | MVP | V2Ray transport |
Guardrails:
- `TRJ-001`: пустой `password` блокирует apply.
- `TRJ-002`: без TLS для стандартного trojan-сервера помечать как risky.
## 4.3 Shadowsocks outbound
| JSON path | Type | Required | UI level | Notes |
|---|---|---|---|---|
| `outbound.type` | const `shadowsocks` | yes | MVP | |
| `outbound.server` | string | yes | MVP | |
| `outbound.server_port` | int | yes | MVP | |
| `outbound.method` | enum/string | yes | MVP | cipher method |
| `outbound.password` | string | yes | MVP | secret |
| `outbound.plugin` | string | no | Advanced | SIP003 plugin |
| `outbound.plugin_opts` | string | no | Advanced | plugin options |
| `outbound.network` | enum | no | Advanced | |
| `outbound.udp_over_tcp` | object | no | Advanced | shared UDP-over-TCP fields |
| `outbound.multiplex` | object | no | Advanced | shared multiplex fields |
Guardrails:
- `SS-001`: `method` обязателен и валидируется против поддерживаемых cipher.
- `SS-002`: если `plugin` задан, но `plugin_opts` пуст и plugin его требует -> warning/block.
## 4.4 WireGuard outbound
| JSON path | Type | Required | UI level | Notes |
|---|---|---|---|---|
| `outbound.type` | const `wireguard` | yes | MVP | |
| `outbound.server` | string | depends | MVP | при single-peer setup |
| `outbound.server_port` | int | depends | MVP | |
| `outbound.system_interface` | bool | no | Advanced | |
| `outbound.interface_name` | string | deprecated | Raw-only | deprecated с `1.11` |
| `outbound.local_address` | []string | yes | MVP | local tunnel address(es) |
| `outbound.private_key` | string | yes | MVP | secret |
| `outbound.peer_public_key` | string | depends | MVP | single-peer |
| `outbound.pre_shared_key` | string | no | Advanced | secret |
| `outbound.reserved` | []int | no | Advanced | |
| `outbound.workers` | int | no | Advanced | |
| `outbound.mtu` | int | no | Advanced | |
| `outbound.network` | enum | no | Advanced | |
| `outbound.peers` | []object | depends | Advanced | multi-peer schema |
| `outbound.peer_allowed_ips` | []string | no | Advanced | |
| `outbound.packet_encoding` | enum/string | no | Advanced | |
Guardrails:
- `WG-001`: `private_key` обязателен.
- `WG-002`: нужен или `peer_public_key` (single) или `peers[]` (multi).
## 4.5 Hysteria2 outbound
| JSON path | Type | Required | UI level | Notes |
|---|---|---|---|---|
| `outbound.type` | const `hysteria2` | yes | MVP | |
| `outbound.server` | string | yes | MVP | |
| `outbound.server_port` | int | yes | MVP | |
| `outbound.up_mbps` | int | no | MVP | upload bandwidth hint |
| `outbound.down_mbps` | int | no | MVP | download bandwidth hint |
| `outbound.obfs` | string | no | Advanced | obfuscation method |
| `outbound.obfs_password` | string | depends | Advanced | secret |
| `outbound.password` | string | depends | MVP | auth password |
| `outbound.network` | enum | no | Advanced | |
| `outbound.tls` | object | yes (обычно) | MVP | TLS block |
| `outbound.brutal_debug` | bool | no | Raw-only | debug option |
Guardrails:
- `HY2-001`: если задан `obfs`, то `obfs_password` обязателен.
- `HY2-002`: пустой `password` при password-auth конфиге блокирует apply.
## 4.6 TUIC outbound
| JSON path | Type | Required | UI level | Notes |
|---|---|---|---|---|
| `outbound.type` | const `tuic` | yes | MVP | |
| `outbound.server` | string | yes | MVP | |
| `outbound.server_port` | int | yes | MVP | |
| `outbound.uuid` | string | yes | MVP | auth uuid |
| `outbound.password` | string | yes | MVP | secret |
| `outbound.congestion_control` | enum/string | no | Advanced | algo |
| `outbound.udp_relay_mode` | enum/string | no | Advanced | relay mode |
| `outbound.udp_over_stream` | bool | no | Advanced | |
| `outbound.zero_rtt_handshake` | bool | no | Raw-only | advanced/risky |
| `outbound.heartbeat` | duration/int | no | Raw-only | keepalive tuning |
| `outbound.network` | enum | no | Advanced | |
| `outbound.tls` | object | yes (обычно) | MVP | TLS block |
Guardrails:
- `TUIC-001`: `uuid` и `password` обязательны.
- `TUIC-002`: `zero_rtt_handshake=true` помечать warning (опция совместимости/риска).
---
## 5) Срез MVP полей для первой версии GUI
- `VLESS`: `server`, `server_port`, `uuid`, `flow`, `tls.server_name`, `tls.reality.public_key`, `tls.reality.short_id`, `tls.utls.fingerprint`.
- `Trojan`: `server`, `server_port`, `password`, `tls.server_name`.
- `Shadowsocks`: `server`, `server_port`, `method`, `password`.
- `WireGuard`: `server`, `server_port`, `local_address`, `private_key`, `peer_public_key`.
- `Hysteria2`: `server`, `server_port`, `password`, `up_mbps`, `down_mbps`.
- `TUIC`: `server`, `server_port`, `uuid`, `password`, `congestion_control`.
Все остальные поля:
- либо в секции `Advanced`,
- либо в `Raw JSON` (без потери функциональности).
## 6) DoD для этапа "матрица готова"
- Шаблон и матрица лежат в `docs/phase-e`.
- Для каждого протокола есть список MVP/Advanced/Raw-only полей.
- Для каждого протокола есть минимум 2 guardrail-правила валидации.
- Есть machine-readable манифест для последующей генерации форм.
Reference in New Issue View Git Blame Copy Permalink