English only: add `verifyPeerCertInNames` and `fromMitM` /// add `ForceIP` and "freedom domainStrategy warning" (#696)

* Update transport.md

* Update freedom.md

* Update transport.md
pull/705/head
patterniha 2025-07-06 21:35:18 +02:00 committed by GitHub
parent b70438e9b4
commit 7d64b70395
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 18 additions and 1 deletions


@ -35,12 +35,21 @@ Freedom is an outbound protocol that can be used to send (normal) TCP or UDP dat
}
```
> `domainStrategy`: "AsIs" | "UseIP" | "UseIPv4" | "UseIPv6"
> `domainStrategy`: "AsIs"
"UseIP" | "UseIPv6v4" | "UseIPv6" | "UseIPv4v6" | "UseIPv4"
"ForceIP" | "ForceIPv6v4" | "ForceIPv6" | "ForceIPv4v6" | "ForceIPv4"
When the destination address is a domain name, configure the corresponding value for Freedom's behavior:
- `"AsIs"`: Freedom resolves the domain name using the system DNS server and connects to it.
- `"UseIP"`, `"UseIPv4"`, and `"UseIPv6"`: Xray resolves the domain name using the built-in [DNS server](../dns.md) and connects to it. The default value is `"AsIs"`.
- "IPv4" means that you are trying to connect using only IPv4, "IPv4v6" means that you are trying to connect using either IPv4 or IPv6, but for dual-stack domain names, IPv4 is used. (The same applies to the v4v6 switch, so I won't go into details.)
- When using "Use"the option beginning with , if the resolution result does not meet the requirements (for example, the domain name only has IPv4 resolution results but UseIPv6 is used), it will fall back to AsIs.
- When using "Force"an option beginning with , if the parsing result does not meet the requirements, the connection cannot be established.
::: warning
if we have multiple IPs and using `UseIP` or `ForceIP` only a random IP will replace the domain, for using `happyEyeballs` we should use `sockopt domainStrategy` instead.
:::
::: tip TIP 1
When using the `"UseIP"` mode and the `sendThrough` field is specified in the [outbound connection configuration](../outbound.md#outboundobject), Freedom will automatically determine the required IP type, IPv4 or IPv6, based on the value of `sendThrough`.
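Review bot: The two added bullets on the "Use" and "Force" prefixes are garbled (`When using "Use"the option beginning with ,`) and should read along the lines of "When using an option beginning with "Use", ...". In the bullet before them, "The same applies to the v4v6 switch" presumably means v6v4, since v4v6 is the case just explained, and the first-person aside can be dropped. The bullet on the built-in DNS server still names only `"UseIP"`, `"UseIPv4"` and `"UseIPv6"`, so it should be extended to cover the new `v4v6`/`v6v4` and `Force*` values. The new warning should start with a capital letter and link to where the `sockopt` `domainStrategy` setting is documented.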


@ -104,6 +104,7 @@ Configures transparent proxies.
{
"serverName": "xray.com",
"rejectUnknownSni": false,
"verifyPeerCertInNames": ["xray.com"]
"allowInsecure": false,
"alpn": ["h2", "http/1.1"],
"minVersion": "1.2",
@ -128,9 +129,16 @@ When the target is specified by domains, like when the domain is received by SOC
When `true`, the server rejects TLS handshakes if the SNI received does not match domains specified in the certificate. The default value is `false`.
> `verifyPeerCertInNames`: [string]
only client, used to verify the SNI used by the certificate, The certificate is verified if and only if it is verified for one of the domains in this list, the default is [serverName].
for using MitM+domainFronting there is special case "fromMitM", if the list contain "fromMitM" the domain and all subdomain of the real sni(initial sni before change) automatically added to the list.
> `alpn`: [ string ]
An array of strings specifying the ALPN values used in TLS handshakes. Defaults to `["h2", "http/1.1"]`.
for using MitM+domainFronting, there is special case ["fromMitM"], and this is selected alpn of initial tls request termination.
(also, when using `h2c` dns, this is equal to domain of the URL)
> `minVersion`: [ string ]
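Review bot: The `verifyPeerCertInNames` description says it is "used to verify the SNI used by the certificate", which does not state what is compared; the following clause suggests the peer certificate is accepted only if it is valid for one of the listed names, and the text should say that directly. Because `"fromMitM"` widens the list to the original SNI's domain and all of its subdomains, the description should spell that out as an explicit widening of what the client trusts. Under `alpn`, the line "(also, when using `h2c` dns, this is equal to domain of the URL)" talks about a domain rather than an ALPN value, so it is either misplaced or needs a clear referent for "this". The new sentences also need capitalisation, and `["fromMitM"]` should be written the same way as the `"fromMitM"` form used for `verifyPeerCertInNames`.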