documentation: TLS fragment

SagerNet · Jan 30, 2025 · 4380c0e · 4380c0e
1 parent 8fff056
commit 4380c0e
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 1 deletion.
diff --git a/docs/configuration/route/rule_action.md b/docs/configuration/route/rule_action.md
@@ -2,6 +2,11 @@
 icon: material/new-box
 ---
 
+!!! quote "Changes in sing-box 1.12.0"
+
+    :material-plus: [tls_fragment](#tls_fragment)  
+    :material-plus: [tls_fragment_fallback_delay](#tls_fragment_fallback_delay)
+
 ## Final actions
 
 ### route
@@ -81,7 +86,9 @@ Not available when `method` is set to drop.
   "fallback_delay": "",
   "udp_disable_domain_unmapping": false,
   "udp_connect": false,
-  "udp_timeout": ""
+  "udp_timeout": "",
+  "tls_fragment": false,
+  "tls_fragment_fallback_delay": ""
 }
 ```
 
@@ -148,6 +155,28 @@ If no protocol is sniffed, the following ports will be recognized as protocols b
 | 443  | `quic`   |
 | 3478 | `stun`   |
 
+#### tls_fragment
+
+!!! question "Since sing-box 1.12.0"
+
+Fragment the TLS handshake to bypass firewalls.
+
+This feature is intended to circumvent simple firewalls based on **plaintext packet matching**, and should not be used to circumvent real censorship.
+
+Since it is not designed for performance, it should not be applied to all connections, but only to server names that are known to be blocked.
+
+On Linux, Apple platforms, (administrator privileges required) Windows, the wait time can be automatically detected, otherwise it will fall back to waiting for a fixed time specified by `tls_fragment_fallback_delay`.
+
+In addition, if the actual wait time is less than 20ms, it will also fall back to waiting for a fixed time, because the target is considered to be local or behind a transparent proxy.
+
+#### tls_fragment_fallback_delay
+
+!!! question "Since sing-box 1.12.0"
+
+The fallback value used when TLS segmentation cannot automatically determine the wait time.
+
+`500ms` is used by default.
+
 ### sniff
 
 ```json

diff --git a/docs/configuration/route/rule_action.zh.md b/docs/configuration/route/rule_action.zh.md
@@ -2,6 +2,11 @@
 icon: material/new-box
 ---
 
+!!! quote "sing-box 1.12.0 中的更改"
+
+    :material-plus: [tls_fragment](#tls_fragment)  
+    :material-plus: [tls_fragment_fallback_delay](#tls_fragment_fallback_delay)
+
 ## 最终动作
 
 ### route
@@ -146,6 +151,28 @@ UDP 连接超时时间。
 | 443  | `quic` |
 | 3478 | `stun` |
 
+#### tls_fragment
+
+!!! question "自 sing-box 1.12.0 起"
+
+通过分段 TLS 握手数据包来绕过防火墙检测。
+
+此功能旨在规避基于**明文数据包匹配**的简单防火墙，不应该用于规避真的审查。
+
+由于它不是为性能设计的，不应被应用于所有连接，而仅应用于已知被阻止的服务器名称。
+
+在 Linux、Apple 平台和需要管理员权限的 Windows 系统上，可自动检测等待时间。若无法自动检测，将回退使用 `tls_fragment_fallback_delay` 指定的固定等待时间。
+
+此外，若实际等待时间小于 20 毫秒，同样会回退至固定等待时间模式，因为此时判定目标处于本地或透明代理之后。
+
+#### tls_fragment_fallback_delay
+
+!!! question "自 sing-box 1.12.0 起"
+
+当 TLS 分片功能无法自动判定等待时间时使用的回退值。
+
+默认使用 `500ms`。
+
 ### sniff
 
 ```json