fix: regexp

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,82 +0,0 @@
-name: Bug report
-description: Create a report to help us improve
-title: "[Bug] "
-body:
-  - type: checkboxes
-    id: ensure
-    attributes:
-      label: Verify steps
-      description: "
-在提交之前，请确认
-Please verify that you've followed these steps
-"
-      options:
-        - label: "
-确保你使用的是**本仓库**最新的的 clash 或 clash Alpha 版本
-Ensure you are using the latest version of Clash or Clash Premium from **this repository**.
-"
-          required: true
-        - label: "
-如果你可以自己 debug 并解决的话，提交 PR 吧
-Is this something you can **debug and fix**? Send a pull request! Bug fixes and documentation fixes are welcome.
-"
-          required: false
-        - label: "
-我已经在 [Issue Tracker](……/) 中找过我要提出的问题
-I have searched on the [issue tracker](……/) for a related issue.
-"
-          required: true
-        - label: "
-我已经使用 Alpha 分支版本测试过，问题依旧存在
-I have tested using the dev branch, and the issue still exists.
-"
-          required: true
-        - label: "
-我已经仔细看过 [Documentation](https://wiki.metacubex.one/) 并无法自行解决问题
-I have read the [documentation](https://wiki.metacubex.one/) and was unable to solve the issue.
-"
-          required: true
-        - label: "
-这是 Clash 核心的问题，并非我所使用的 Clash 衍生版本（如 OpenClash、KoolClash 等）的特定问题
-This is an issue of the Clash core *per se*, not to the derivatives of Clash, like OpenClash or KoolClash.
-"
-          required: true
-  - type: input
-    attributes:
-      label: Clash version
-      description: "use `clash -v`"
-    validations:
-      required: true
-  - type: dropdown
-    id: os
-    attributes:
-      label: What OS are you seeing the problem on?
-      multiple: true
-      options:
-        - macOS
-        - Windows
-        - Linux
-        - OpenBSD/FreeBSD
-  - type: textarea
-    attributes:
-      render: yaml
-      label: "Clash config"
-      description: "
-在下方附上 Clash core 配置文件，请确保配置文件中没有敏感信息（比如：服务器地址，密码，端口等）
-Paste the Clash core configuration file below, please make sure that there is no sensitive information in the configuration file (e.g., server address/url, password, port)
-"
-    validations:
-      required: true
-  - type: textarea
-    attributes:
-      render: shell
-      label: Clash log
-      description: "
-在下方附上 Clash Core 的日志，log level 使用 DEBUG
-Paste the Clash core log below with the log level set to `DEBUG`.
-"
-  - type: textarea
-    attributes:
-      label: Description
-    validations:
-      required: true

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -1,36 +0,0 @@
-name: Feature request
-description: Suggest an idea for this project
-title: "[Feature] "
-body:
-  - type: checkboxes
-    id: ensure
-    attributes:
-      label: Verify steps
-      description: "
-在提交之前，请确认
-Please verify that you've followed these steps
-"
-      options:
-        - label: "
-我已经在 [Issue Tracker](……/) 中找过我要提出的请求
-I have searched on the [issue tracker](……/) for a related feature request.
-"
-          required: true
-        - label: "
-我已经仔细看过 [Documentation](https://wiki.metacubex.one/) 并无法找到这个功能
-I have read the [documentation](https://wiki.metacubex.one/) and was unable to solve the issue.
-"
-          required: true
-  - type: textarea
-    attributes:
-      label: Description
-      description: 请详细、清晰地表达你要提出的论述，例如这个问题如何影响到你？你想实现什么功能？目前 Clash Core 的行为是什麽？
-    validations:
-      required: true
-  - type: textarea
-    attributes:
-      label: Possible Solution
-      description: "
-此项非必须，但是如果你有想法的话欢迎提出。
-Not obligatory, but suggest a fix/reason for the bug, or ideas how to implement the addition or change
-"

.github/genReleaseNote.sh

@@ -1,32 +0,0 @@
-#!/bin/bash
-
-while getopts "v:" opt; do
-  case $opt in
-    v)
-      version_range=$OPTARG
-      ;;
-    \?)
-      echo "Invalid option: -$OPTARG" >&2
-      exit 1
-      ;;
-  esac
-done
-
-if [ -z "$version_range" ]; then
-  echo "Please provide the version range using -v option. Example: ./genReleashNote.sh -v v1.14.1...v1.14.2"
-  exit 1
-fi
-
-echo "## What's Changed" > release.md
-git log --pretty=format:"* %s by @%an" --grep="^feat" -i $version_range | sort -f | uniq >> release.md
-echo "" >> release.md
-
-echo "## BUG & Fix" >> release.md
-git log --pretty=format:"* %s by @%an" --grep="^fix" -i $version_range | sort -f | uniq >> release.md
-echo "" >> release.md
-
-echo "## Maintenance" >> release.md
-git log --pretty=format:"* %s by @%an" --grep="^chore\|^docs\|^refactor" -i $version_range | sort -f | uniq >> release.md
-echo "" >> release.md
-
-echo "**Full Changelog**: https://github.com/MetaCubeX/Clash.Meta/compare/$version_range" >> release.md

.github/workflows/build.yml

@@ -94,6 +94,11 @@ jobs:
         run: echo "VERSION=alpha-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
         shell: bash
 
+      - name: Set variables
+        if: ${{github.ref_name=='Beta'}}
+        run: echo "VERSION=beta-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
+        shell: bash
+
       - name: Set variables
         if: ${{github.ref_name=='Meta'}}
         run: echo "VERSION=meta-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
@@ -142,7 +147,7 @@ jobs:
         if: ${{ matrix.job.type=='WithCGO' && matrix.job.target=='android' }}
         id: setup-ndk
         with:
-          ndk-version: r26
+          ndk-version: r25b
           add-to-path: false
           local-cache: true
 
@@ -204,7 +209,7 @@ jobs:
 
   Upload-Prerelease:
     permissions: write-all
-    if: ${{ github.ref_type=='branch' && github.event_name != 'pull_request' }}
+    if: ${{ github.ref_type=='branch' }}
     needs: [Build]
     runs-on: ubuntu-latest
     steps:
@@ -262,23 +267,6 @@ jobs:
     needs: [Build]
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Get tags
-        run: |
-          echo "CURRENTVERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
-          git fetch --tags
-          echo "PREVERSION=$(git describe --tags --abbrev=0 HEAD^)" >> $GITHUB_ENV
-
-      - name: Generate release notes
-        run: |
-          cp ./.github/genReleaseNote.sh ./
-          bash ./genReleaseNote.sh -v ${PREVERSION}...${CURRENTVERSION}
-          rm ./genReleaseNote.sh
-
       - uses: actions/download-artifact@v3
         with:
           name: artifact
@@ -295,7 +283,6 @@ jobs:
           tag_name: ${{ github.ref_name }}
           files: bin/*
           generate_release_notes: true
-          body_path: release.md
 
   Docker:
     if: ${{ github.event_name != 'pull_request'  }}

.github/workflows/delete.yml

@@ -1,15 +0,0 @@
-name: Delete old workflow runs
-on:
-  schedule:
-    - cron: "0 0 * * SUN"
-
-jobs:
-  del_runs:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Delete workflow runs
-        uses: GitRML/delete-workflow-runs@main
-        with:
-          token: ${{ secrets.AUTH_PAT }}
-          repository: ${{ github.repository }}
-          retain_days: 30

README.md

@@ -24,22 +24,13 @@
 - VMess, Shadowsocks, Trojan, Snell protocol support for remote connections
 - Built-in DNS server that aims to minimize DNS pollution attack impact, supports DoH/DoT upstream and fake IP.
 - Rules based off domains, GEOIP, IPCIDR or Process to forward packets to different nodes
-- Remote groups allow users to implement powerful rules. Supports automatic fallback, load balancing or auto select node
-  based off latency
-- Remote providers, allowing users to get node lists remotely instead of hard-coding in config
+- Remote groups allow users to implement powerful rules. Supports automatic fallback, load balancing or auto select node based off latency
+- Remote providers, allowing users to get node lists remotely instead of hardcoding in config
 - Netfilter TCP redirecting. Deploy Clash on your Internet gateway with `iptables`.
 - Comprehensive HTTP RESTful API controller
 
-## Dashboard
-
-We made an official web dashboard providing first class support for this project, check it out
-at [metacubexd](https://github.com/MetaCubeX/metacubexd)
-
 ## Wiki
-
-Configuration examples can be found
-at [/docs/config.yaml](https://github.com/MetaCubeX/Clash.Meta/blob/Alpha/docs/config.yaml), while documentation can be
-found [Clash.Meta Wiki](https://clash-meta.wiki).
+Configuration examples can be found at [/docs/config.yaml](https://github.com/MetaCubeX/Clash.Meta/blob/Alpha/docs/config.yaml), while documentation can be found [Clash.Meta Wiki](https://clash-meta.wiki).
 
 ## Build
 
@@ -52,7 +43,7 @@ git clone https://github.com/MetaCubeX/Clash.Meta.git
 cd Clash.Meta && go mod download
 ```
 
-If you can't visit GitHub, you should set proxy first:
+If you can't visit github,you should set proxy first:
 
 ```shell
 go env -w GOPROXY=https://goproxy.io,direct
@@ -333,27 +324,36 @@ ExecStart=/usr/local/bin/Clash-Meta -d /etc/Clash-Meta
 WantedBy=multi-user.target
 ```
 
-Launch clash-meta daemon on system startup with:
+Launch clashd on system startup with:
 
 ```shell
 $ systemctl enable Clash-Meta
 ```
 
-Launch clash-meta daemon immediately with:
+Launch clashd immediately with:
 
 ```shell
 $ systemctl start Clash-Meta
 ```
 
+### Display Process name
+
+Clash add field `Process` to `Metadata` and prepare to get process name for Restful API `GET /connections`.
+
+To display process name in GUI please use [Razord-meta](https://github.com/MetaCubeX/Razord-meta).
+
+### Dashboard
+
+We also made a custom fork of yacd provide better support for this project, check it out at [Yacd-meta](https://github.com/MetaCubeX/Yacd-meta)
+
 ## Development
 
-If you want to build an application that uses clash as a library, check out
+If you want to build an application that uses clash as a library, check out the
 the [GitHub Wiki](https://github.com/Dreamacro/clash/wiki/use-clash-as-a-library)
 
 ## Debugging
+Check [wiki](https://github.com/MetaCubeX/Clash.Meta/wiki/How-to-use-debug-api) to get an instruction on using debug API.
 
-Check [wiki](https://github.com/MetaCubeX/Clash.Meta/wiki/How-to-use-debug-api) to get an instruction on using debug
-API.
 
 ## Credits
 

adapter/adapter.go

@@ -217,10 +217,6 @@ func (p *Proxy) URLTest(ctx context.Context, url string, expectedStatus utils.In
 			if alive {
 				record.Delay = t
 			}
-			p.history.Put(record)
-			if p.history.Len() > defaultHistoriesNum {
-				p.history.Pop()
-			}
 
 			state, ok := p.extra.Load(url)
 			if !ok {

adapter/inbound/mitm.go

@@ -0,0 +1,22 @@
+package inbound
+
+import (
+	"net"
+
+	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/context"
+	"github.com/Dreamacro/clash/transport/socks5"
+)
+
+// NewMitm receive mitm request and return MitmContext
+func NewMitm(target socks5.Addr, source net.Addr, userAgent string, conn net.Conn) *context.ConnContext {
+	metadata := parseSocksAddr(target)
+	metadata.NetWork = C.TCP
+	metadata.Type = C.MITM
+	metadata.UserAgent = userAgent
+	if ip, port, err := parseAddr(source); err == nil {
+		metadata.SrcIP = ip
+		metadata.SrcPort = port
+	}
+	return context.NewConnContext(conn, metadata)
+}

adapter/outbound/direct.go

@@ -3,7 +3,6 @@ package outbound
 import (
 	"context"
 	"errors"
-	"net/netip"
 
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
@@ -41,7 +40,7 @@ func (d *Direct) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 		}
 		metadata.DstIP = ip
 	}
-	pc, err := dialer.NewDialer(d.Base.DialOptions(opts...)...).ListenPacket(ctx, "udp", "", netip.AddrPortFrom(metadata.DstIP, metadata.DstPort))
+	pc, err := dialer.ListenPacket(ctx, dialer.ParseNetwork("udp", metadata.DstIP), "", d.Base.DialOptions(opts...)...)
 	if err != nil {
 		return nil, err
 	}

adapter/outbound/http.go

@@ -14,9 +14,9 @@ import (
 	"strconv"
 
 	N "github.com/Dreamacro/clash/common/net"
-	"github.com/Dreamacro/clash/component/ca"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/proxydialer"
+	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 )
 
@@ -113,6 +113,10 @@ func (h *Http) shakeHand(metadata *C.Metadata, rw io.ReadWriter) error {
 		tempHeaders["Proxy-Authorization"] = "Basic " + base64.StdEncoding.EncodeToString([]byte(auth))
 	}
 
+	if metadata.Type == C.MITM {
+		tempHeaders["Origin-Request-Source-Address"] = metadata.SourceAddress()
+	}
+
 	for key, value := range tempHeaders {
 		HeaderString += key + ": " + value + "\r\n"
 	}
@@ -157,13 +161,19 @@ func NewHttp(option HttpOption) (*Http, error) {
 		if option.SNI != "" {
 			sni = option.SNI
 		}
-		var err error
-		tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(&tls.Config{
-			InsecureSkipVerify: option.SkipCertVerify,
-			ServerName:         sni,
-		}, option.Fingerprint)
-		if err != nil {
-			return nil, err
+		if len(option.Fingerprint) == 0 {
+			tlsConfig = tlsC.GetGlobalTLSConfig(&tls.Config{
+				InsecureSkipVerify: option.SkipCertVerify,
+				ServerName:         sni,
+			})
+		} else {
+			var err error
+			if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(&tls.Config{
+				InsecureSkipVerify: option.SkipCertVerify,
+				ServerName:         sni,
+			}, option.Fingerprint); err != nil {
+				return nil, err
+			}
 		}
 	}
 

adapter/outbound/hysteria.go

@@ -2,11 +2,16 @@ package outbound
 
 import (
 	"context"
+	"crypto/sha256"
 	"crypto/tls"
 	"encoding/base64"
+	"encoding/hex"
+	"encoding/pem"
 	"fmt"
 	"net"
 	"net/netip"
+	"os"
+	"regexp"
 	"strconv"
 	"time"
 
@@ -14,9 +19,9 @@ import (
 	"github.com/metacubex/quic-go/congestion"
 	M "github.com/sagernet/sing/common/metadata"
 
-	"github.com/Dreamacro/clash/component/ca"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/proxydialer"
+	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 	hyCongestion "github.com/Dreamacro/clash/transport/hysteria/congestion"
@@ -38,6 +43,8 @@ const (
 	DefaultHopInterval = 10
 )
 
+var rateStringRegexp = regexp.MustCompile(`^(\d+)\s*([KMGT]?)([Bb])ps$`)
+
 type Hysteria struct {
 	*Base
 
@@ -113,12 +120,12 @@ type HysteriaOption struct {
 
 func (c *HysteriaOption) Speed() (uint64, uint64, error) {
 	var up, down uint64
-	up = StringToBps(c.Up)
+	up = stringToBps(c.Up)
 	if up == 0 {
 		return 0, 0, fmt.Errorf("invaild upload speed: %s", c.Up)
 	}
 
-	down = StringToBps(c.Down)
+	down = stringToBps(c.Down)
 	if down == 0 {
 		return 0, 0, fmt.Errorf("invaild download speed: %s", c.Down)
 	}
@@ -146,10 +153,37 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 		MinVersion:         tls.VersionTLS13,
 	}
 
+	var bs []byte
 	var err error
-	tlsConfig, err = ca.GetTLSConfig(tlsConfig, option.Fingerprint, option.CustomCA, option.CustomCAString)
-	if err != nil {
-		return nil, err
+	if len(option.CustomCA) > 0 {
+		bs, err = os.ReadFile(option.CustomCA)
+		if err != nil {
+			return nil, fmt.Errorf("hysteria %s load ca error: %w", addr, err)
+		}
+	} else if option.CustomCAString != "" {
+		bs = []byte(option.CustomCAString)
+	}
+
+	if len(bs) > 0 {
+		block, _ := pem.Decode(bs)
+		if block == nil {
+			return nil, fmt.Errorf("CA cert is not PEM")
+		}
+
+		fpBytes := sha256.Sum256(block.Bytes)
+		if len(option.Fingerprint) == 0 {
+			option.Fingerprint = hex.EncodeToString(fpBytes[:])
+		}
+	}
+
+	if len(option.Fingerprint) != 0 {
+		var err error
+		tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
 	}
 
 	if len(option.ALPN) > 0 {
@@ -234,6 +268,42 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 	}, nil
 }
 
+func stringToBps(s string) uint64 {
+	if s == "" {
+		return 0
+	}
+
+	// when have not unit, use Mbps
+	if v, err := strconv.Atoi(s); err == nil {
+		return stringToBps(fmt.Sprintf("%d Mbps", v))
+	}
+
+	m := rateStringRegexp.FindStringSubmatch(s)
+	if m == nil {
+		return 0
+	}
+	var n uint64
+	switch m[2] {
+	case "K":
+		n = 1 << 10
+	case "M":
+		n = 1 << 20
+	case "G":
+		n = 1 << 30
+	case "T":
+		n = 1 << 40
+	default:
+		n = 1
+	}
+	v, _ := strconv.ParseUint(m[1], 10, 64)
+	n = v * n
+	if m[3] == "b" {
+		// Bits, need to convert to bytes
+		n = n >> 3
+	}
+	return n
+}
+
 type hyPacketConn struct {
 	core.UDPConn
 }

adapter/outbound/hysteria2.go

@@ -1,157 +0,0 @@
-package outbound
-
-import (
-	"context"
-	"crypto/tls"
-	"errors"
-	"fmt"
-	"net"
-	"runtime"
-	"strconv"
-
-	CN "github.com/Dreamacro/clash/common/net"
-	"github.com/Dreamacro/clash/component/ca"
-	"github.com/Dreamacro/clash/component/dialer"
-	"github.com/Dreamacro/clash/component/proxydialer"
-	C "github.com/Dreamacro/clash/constant"
-	tuicCommon "github.com/Dreamacro/clash/transport/tuic/common"
-
-	"github.com/metacubex/sing-quic/hysteria2"
-
-	M "github.com/sagernet/sing/common/metadata"
-)
-
-func init() {
-	hysteria2.SetCongestionController = tuicCommon.SetCongestionController
-}
-
-type Hysteria2 struct {
-	*Base
-
-	option *Hysteria2Option
-	client *hysteria2.Client
-	dialer proxydialer.SingDialer
-}
-
-type Hysteria2Option struct {
-	BasicOption
-	Name           string   `proxy:"name"`
-	Server         string   `proxy:"server"`
-	Port           int      `proxy:"port"`
-	Up             string   `proxy:"up,omitempty"`
-	Down           string   `proxy:"down,omitempty"`
-	Password       string   `proxy:"password,omitempty"`
-	Obfs           string   `proxy:"obfs,omitempty"`
-	ObfsPassword   string   `proxy:"obfs-password,omitempty"`
-	SNI            string   `proxy:"sni,omitempty"`
-	SkipCertVerify bool     `proxy:"skip-cert-verify,omitempty"`
-	Fingerprint    string   `proxy:"fingerprint,omitempty"`
-	ALPN           []string `proxy:"alpn,omitempty"`
-	CustomCA       string   `proxy:"ca,omitempty"`
-	CustomCAString string   `proxy:"ca-str,omitempty"`
-	CWND           int      `proxy:"cwnd,omitempty"`
-}
-
-func (h *Hysteria2) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	options := h.Base.DialOptions(opts...)
-	h.dialer.SetDialer(dialer.NewDialer(options...))
-	c, err := h.client.DialConn(ctx, M.ParseSocksaddr(metadata.RemoteAddress()))
-	if err != nil {
-		return nil, err
-	}
-	return NewConn(CN.NewRefConn(c, h), h), nil
-}
-
-func (h *Hysteria2) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
-	options := h.Base.DialOptions(opts...)
-	h.dialer.SetDialer(dialer.NewDialer(options...))
-	pc, err := h.client.ListenPacket(ctx)
-	if err != nil {
-		return nil, err
-	}
-	if pc == nil {
-		return nil, errors.New("packetConn is nil")
-	}
-	return newPacketConn(CN.NewRefPacketConn(CN.NewThreadSafePacketConn(pc), h), h), nil
-}
-
-func closeHysteria2(h *Hysteria2) {
-	if h.client != nil {
-		_ = h.client.CloseWithError(errors.New("proxy removed"))
-	}
-}
-
-func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
-	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
-	var salamanderPassword string
-	if len(option.Obfs) > 0 {
-		if option.ObfsPassword == "" {
-			return nil, errors.New("missing obfs password")
-		}
-		switch option.Obfs {
-		case hysteria2.ObfsTypeSalamander:
-			salamanderPassword = option.ObfsPassword
-		default:
-			return nil, fmt.Errorf("unknown obfs type: %s", option.Obfs)
-		}
-	}
-
-	serverName := option.Server
-	if option.SNI != "" {
-		serverName = option.SNI
-	}
-
-	tlsConfig := &tls.Config{
-		ServerName:         serverName,
-		InsecureSkipVerify: option.SkipCertVerify,
-		MinVersion:         tls.VersionTLS13,
-	}
-
-	var err error
-	tlsConfig, err = ca.GetTLSConfig(tlsConfig, option.Fingerprint, option.CustomCA, option.CustomCAString)
-	if err != nil {
-		return nil, err
-	}
-
-	if len(option.ALPN) > 0 {
-		tlsConfig.NextProtos = option.ALPN
-	}
-
-	singDialer := proxydialer.NewByNameSingDialer(option.DialerProxy, dialer.NewDialer())
-
-	clientOptions := hysteria2.ClientOptions{
-		Context:            context.TODO(),
-		Dialer:             singDialer,
-		ServerAddress:      M.ParseSocksaddrHostPort(option.Server, uint16(option.Port)),
-		SendBPS:            StringToBps(option.Up),
-		ReceiveBPS:         StringToBps(option.Down),
-		SalamanderPassword: salamanderPassword,
-		Password:           option.Password,
-		TLSConfig:          tlsConfig,
-		UDPDisabled:        false,
-		CWND:               option.CWND,
-	}
-
-	client, err := hysteria2.NewClient(clientOptions)
-	if err != nil {
-		return nil, err
-	}
-
-	outbound := &Hysteria2{
-		Base: &Base{
-			name:   option.Name,
-			addr:   addr,
-			tp:     C.Hysteria2,
-			udp:    true,
-			iface:  option.Interface,
-			rmark:  option.RoutingMark,
-			prefer: C.NewDNSPrefer(option.IPVersion),
-		},
-		option: &option,
-		client: client,
-		dialer: singDialer,
-	}
-	runtime.SetFinalizer(outbound, closeHysteria2)
-
-	return outbound, nil
-}

adapter/outbound/mitm.go

@@ -0,0 +1,50 @@
+package outbound
+
+import (
+	"context"
+	"net"
+	"time"
+
+	"github.com/Dreamacro/clash/component/dialer"
+	C "github.com/Dreamacro/clash/constant"
+)
+
+type Mitm struct {
+	*Base
+	serverAddr      *net.TCPAddr
+	httpProxyClient *Http
+}
+
+// DialContext implements C.ProxyAdapter
+func (m *Mitm) DialContext(ctx context.Context, metadata *C.Metadata, _ ...dialer.Option) (C.Conn, error) {
+	c, err := net.DialTCP("tcp", nil, m.serverAddr)
+	if err != nil {
+		return nil, err
+	}
+
+	_ = c.SetKeepAlive(true)
+	_ = c.SetKeepAlivePeriod(60 * time.Second)
+
+	metadata.Type = C.MITM
+
+	hc, err := m.httpProxyClient.StreamConnContext(ctx, c, metadata)
+	if err != nil {
+		_ = c.Close()
+		return nil, err
+	}
+
+	return NewConn(hc, m), nil
+}
+
+func NewMitm(serverAddr string) *Mitm {
+	tcpAddr, _ := net.ResolveTCPAddr("tcp", serverAddr)
+	http, _ := NewHttp(HttpOption{})
+	return &Mitm{
+		Base: &Base{
+			name: "Mitm",
+			tp:   C.Mitm,
+		},
+		serverAddr:      tcpAddr,
+		httpProxyClient: http,
+	}
+}

adapter/outbound/singmux.go

@@ -3,6 +3,7 @@ package outbound
 import (
 	"context"
 	"errors"
+	"net"
 	"runtime"
 
 	CN "github.com/Dreamacro/clash/common/net"
@@ -14,13 +15,14 @@ import (
 	mux "github.com/sagernet/sing-mux"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
 )
 
 type SingMux struct {
 	C.ProxyAdapter
 	base    ProxyBase
 	client  *mux.Client
-	dialer  proxydialer.SingDialer
+	dialer  *muxSingDialer
 	onlyTcp bool
 }
 
@@ -39,9 +41,27 @@ type ProxyBase interface {
 	DialOptions(opts ...dialer.Option) []dialer.Option
 }
 
+type muxSingDialer struct {
+	dialer    dialer.Dialer
+	proxy     C.ProxyAdapter
+	statistic bool
+}
+
+var _ N.Dialer = (*muxSingDialer)(nil)
+
+func (d *muxSingDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	var cDialer C.Dialer = proxydialer.New(d.proxy, d.dialer, d.statistic)
+	return cDialer.DialContext(ctx, network, destination.String())
+}
+
+func (d *muxSingDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	var cDialer C.Dialer = proxydialer.New(d.proxy, d.dialer, d.statistic)
+	return cDialer.ListenPacket(ctx, "udp", "", destination.AddrPort())
+}
+
 func (s *SingMux) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
 	options := s.base.DialOptions(opts...)
-	s.dialer.SetDialer(dialer.NewDialer(options...))
+	s.dialer.dialer = dialer.NewDialer(options...)
 	c, err := s.client.DialContext(ctx, "tcp", M.ParseSocksaddr(metadata.RemoteAddress()))
 	if err != nil {
 		return nil, err
@@ -54,7 +74,7 @@ func (s *SingMux) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 		return s.ProxyAdapter.ListenPacketContext(ctx, metadata, opts...)
 	}
 	options := s.base.DialOptions(opts...)
-	s.dialer.SetDialer(dialer.NewDialer(options...))
+	s.dialer.dialer = dialer.NewDialer(options...)
 
 	// sing-mux use stream-oriented udp with a special address, so we need a net.UDPAddr
 	if !metadata.Resolved() {
@@ -94,7 +114,7 @@ func closeSingMux(s *SingMux) {
 }
 
 func NewSingMux(option SingMuxOption, proxy C.ProxyAdapter, base ProxyBase) (C.ProxyAdapter, error) {
-	singDialer := proxydialer.NewSingDialer(proxy, dialer.NewDialer(), option.Statistic)
+	singDialer := &muxSingDialer{dialer: dialer.NewDialer(), proxy: proxy, statistic: option.Statistic}
 	client, err := mux.NewClient(mux.Options{
 		Dialer:         singDialer,
 		Protocol:       option.Protocol,

adapter/outbound/socks5.go

@@ -10,9 +10,9 @@ import (
 	"strconv"
 
 	N "github.com/Dreamacro/clash/common/net"
-	"github.com/Dreamacro/clash/component/ca"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/proxydialer"
+	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/socks5"
 )
@@ -156,7 +156,7 @@ func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 		bindUDPAddr.IP = serverAddr.IP
 	}
 
-	pc, err := cDialer.ListenPacket(ctx, "udp", "", bindUDPAddr.AddrPort())
+	pc, err := dialer.ListenPacket(ctx, dialer.ParseNetwork("udp", bindUDPAddr.AddrPort().Addr()), "", ss.Base.DialOptions(opts...)...)
 	if err != nil {
 		return
 	}
@@ -180,10 +180,13 @@ func NewSocks5(option Socks5Option) (*Socks5, error) {
 			ServerName:         option.Server,
 		}
 
-		var err error
-		tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint)
-		if err != nil {
-			return nil, err
+		if len(option.Fingerprint) == 0 {
+			tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
+		} else {
+			var err error
+			if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint); err != nil {
+				return nil, err
+			}
 		}
 	}
 

adapter/outbound/trojan.go

@@ -9,7 +9,6 @@ import (
 	"strconv"
 
 	N "github.com/Dreamacro/clash/common/net"
-	"github.com/Dreamacro/clash/component/ca"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/proxydialer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
@@ -281,10 +280,13 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			ServerName:         tOption.ServerName,
 		}
 
-		var err error
-		tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint)
-		if err != nil {
-			return nil, err
+		if len(option.Fingerprint) == 0 {
+			tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
+		} else {
+			var err error
+			if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint); err != nil {
+				return nil, err
+			}
 		}
 
 		t.transport = gun.NewHTTP2Client(dialFn, tlsConfig, tOption.ClientFingerprint, t.realityConfig)

adapter/outbound/tuic.go

@@ -2,18 +2,22 @@ package outbound
 
 import (
 	"context"
+	"crypto/sha256"
 	"crypto/tls"
+	"encoding/hex"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"math"
 	"net"
+	"os"
 	"strconv"
 	"time"
 
-	"github.com/Dreamacro/clash/component/ca"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/proxydialer"
 	"github.com/Dreamacro/clash/component/resolver"
+	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/tuic"
 
@@ -158,10 +162,37 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 		tlsConfig.ServerName = option.SNI
 	}
 
+	var bs []byte
 	var err error
-	tlsConfig, err = ca.GetTLSConfig(tlsConfig, option.Fingerprint, option.CustomCA, option.CustomCAString)
-	if err != nil {
-		return nil, err
+	if len(option.CustomCA) > 0 {
+		bs, err = os.ReadFile(option.CustomCA)
+		if err != nil {
+			return nil, fmt.Errorf("tuic %s load ca error: %w", addr, err)
+		}
+	} else if option.CustomCAString != "" {
+		bs = []byte(option.CustomCAString)
+	}
+
+	if len(bs) > 0 {
+		block, _ := pem.Decode(bs)
+		if block == nil {
+			return nil, fmt.Errorf("CA cert is not PEM")
+		}
+
+		fpBytes := sha256.Sum256(block.Bytes)
+		if len(option.Fingerprint) == 0 {
+			option.Fingerprint = hex.EncodeToString(fpBytes[:])
+		}
+	}
+
+	if len(option.Fingerprint) != 0 {
+		var err error
+		tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
 	}
 
 	if option.ALPN != nil { // structure's Decode will ensure value not nil when input has value even it was set an empty array
@@ -292,10 +323,6 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 
 		t.client = tuic.NewPoolClientV4(clientOption)
 	} else {
-		maxUdpRelayPacketSize := option.MaxUdpRelayPacketSize
-		if maxUdpRelayPacketSize > tuic.MaxFragSizeV5 {
-			maxUdpRelayPacketSize = tuic.MaxFragSizeV5
-		}
 		clientOption := &tuic.ClientOptionV5{
 			TlsConfig:             tlsConfig,
 			QuicConfig:            quicConfig,
@@ -304,7 +331,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 			UdpRelayMode:          udpRelayMode,
 			CongestionController:  option.CongestionController,
 			ReduceRtt:             option.ReduceRtt,
-			MaxUdpRelayPacketSize: maxUdpRelayPacketSize,
+			MaxUdpRelayPacketSize: option.MaxUdpRelayPacketSize,
 			MaxOpenStreams:        clientMaxOpenStreams,
 			CWND:                  option.CWND,
 		}

adapter/outbound/util.go

@@ -4,11 +4,8 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
-	"fmt"
 	"net"
 	"net/netip"
-	"regexp"
-	"strconv"
 	"sync"
 
 	"github.com/Dreamacro/clash/component/resolver"
@@ -123,41 +120,3 @@ func safeConnClose(c net.Conn, err error) {
 		_ = c.Close()
 	}
 }
-
-var rateStringRegexp = regexp.MustCompile(`^(\d+)\s*([KMGT]?)([Bb])ps$`)
-
-func StringToBps(s string) uint64 {
-	if s == "" {
-		return 0
-	}
-
-	// when have not unit, use Mbps
-	if v, err := strconv.Atoi(s); err == nil {
-		return StringToBps(fmt.Sprintf("%d Mbps", v))
-	}
-
-	m := rateStringRegexp.FindStringSubmatch(s)
-	if m == nil {
-		return 0
-	}
-	var n uint64
-	switch m[2] {
-	case "K":
-		n = 1 << 10
-	case "M":
-		n = 1 << 20
-	case "G":
-		n = 1 << 30
-	case "T":
-		n = 1 << 40
-	default:
-		n = 1
-	}
-	v, _ := strconv.ParseUint(m[1], 10, 64)
-	n = v * n
-	if m[3] == "b" {
-		// Bits, need to convert to bytes
-		n = n >> 3
-	}
-	return n
-}

adapter/outbound/vless.go

@@ -15,7 +15,6 @@ import (
 	"github.com/Dreamacro/clash/common/convert"
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/common/utils"
-	"github.com/Dreamacro/clash/component/ca"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/proxydialer"
 	"github.com/Dreamacro/clash/component/resolver"
@@ -111,9 +110,13 @@ func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 				NextProtos:         []string{"http/1.1"},
 			}
 
-			wsOpts.TLSConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint)
-			if err != nil {
-				return nil, err
+			if len(v.option.Fingerprint) == 0 {
+				wsOpts.TLSConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
+			} else {
+				wsOpts.TLSConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint)
+				if err != nil {
+					return nil, err
+				}
 			}
 
 			if v.option.ServerName != "" {
@@ -589,7 +592,7 @@ func NewVless(option VlessOption) (*Vless, error) {
 		}
 		var tlsConfig *tls.Config
 		if option.TLS {
-			tlsConfig = ca.GetGlobalTLSConfig(&tls.Config{
+			tlsConfig = tlsC.GetGlobalTLSConfig(&tls.Config{
 				InsecureSkipVerify: v.option.SkipCertVerify,
 				ServerName:         v.option.ServerName,
 			})

adapter/outbound/vmess.go

@@ -13,7 +13,6 @@ import (
 
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/common/utils"
-	"github.com/Dreamacro/clash/component/ca"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/proxydialer"
 	"github.com/Dreamacro/clash/component/resolver"
@@ -128,9 +127,12 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 				NextProtos:         []string{"http/1.1"},
 			}
 
-			wsOpts.TLSConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint)
-			if err != nil {
-				return nil, err
+			if len(v.option.Fingerprint) == 0 {
+				wsOpts.TLSConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
+			} else {
+				if wsOpts.TLSConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint); err != nil {
+					return nil, err
+				}
 			}
 
 			if v.option.ServerName != "" {
@@ -481,7 +483,7 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 		}
 		var tlsConfig *tls.Config
 		if option.TLS {
-			tlsConfig = ca.GetGlobalTLSConfig(&tls.Config{
+			tlsConfig = tlsC.GetGlobalTLSConfig(&tls.Config{
 				InsecureSkipVerify: v.option.SkipCertVerify,
 				ServerName:         v.option.ServerName,
 			})

adapter/outbound/wireguard.go

@@ -27,6 +27,7 @@ import (
 	"github.com/sagernet/sing/common/debug"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/wireguard-go/device"
 )
 
@@ -35,7 +36,7 @@ type WireGuard struct {
 	bind      *wireguard.ClientBind
 	device    *device.Device
 	tunDevice wireguard.Device
-	dialer    proxydialer.SingDialer
+	dialer    *wgSingDialer
 	startOnce sync.Once
 	startErr  error
 	resolver  *dns.Resolver
@@ -69,6 +70,37 @@ type WireGuardPeerOption struct {
 	AllowedIPs   []string `proxy:"allowed-ips,omitempty"`
 }
 
+type wgSingDialer struct {
+	dialer    dialer.Dialer
+	proxyName string
+}
+
+var _ N.Dialer = (*wgSingDialer)(nil)
+
+func (d *wgSingDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	var cDialer C.Dialer = d.dialer
+	if len(d.proxyName) > 0 {
+		pd, err := proxydialer.NewByName(d.proxyName, d.dialer)
+		if err != nil {
+			return nil, err
+		}
+		cDialer = pd
+	}
+	return cDialer.DialContext(ctx, network, destination.String())
+}
+
+func (d *wgSingDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	var cDialer C.Dialer = d.dialer
+	if len(d.proxyName) > 0 {
+		pd, err := proxydialer.NewByName(d.proxyName, d.dialer)
+		if err != nil {
+			return nil, err
+		}
+		cDialer = pd
+	}
+	return cDialer.ListenPacket(ctx, "udp", "", destination.AddrPort())
+}
+
 type wgSingErrorHandler struct {
 	name string
 }
@@ -136,7 +168,7 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
-		dialer: proxydialer.NewByNameSingDialer(option.DialerProxy, dialer.NewDialer()),
+		dialer: &wgSingDialer{dialer: dialer.NewDialer(), proxyName: option.DialerProxy},
 	}
 	runtime.SetFinalizer(outbound, closeWireGuard)
 
@@ -323,7 +355,7 @@ func closeWireGuard(w *WireGuard) {
 
 func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
 	options := w.Base.DialOptions(opts...)
-	w.dialer.SetDialer(dialer.NewDialer(options...))
+	w.dialer.dialer = dialer.NewDialer(options...)
 	var conn net.Conn
 	w.startOnce.Do(func() {
 		w.startErr = w.tunDevice.Start()
@@ -355,7 +387,7 @@ func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts
 
 func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
 	options := w.Base.DialOptions(opts...)
-	w.dialer.SetDialer(dialer.NewDialer(options...))
+	w.dialer.dialer = dialer.NewDialer(options...)
 	var pc net.PacketConn
 	w.startOnce.Do(func() {
 		w.startErr = w.tunDevice.Start()

adapter/parser.go

@@ -92,13 +92,6 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 			break
 		}
 		proxy, err = outbound.NewHysteria(*hyOption)
-	case "hysteria2":
-		hyOption := &outbound.Hysteria2Option{}
-		err = decoder.Decode(mapping, hyOption)
-		if err != nil {
-			break
-		}
-		proxy, err = outbound.NewHysteria2(*hyOption)
 	case "wireguard":
 		wgOption := &outbound.WireGuardOption{}
 		err = decoder.Decode(mapping, wgOption)

common/cert/cert.go

@@ -0,0 +1,303 @@
+package cert
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha1"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"net"
+	"os"
+	"strings"
+	"sync/atomic"
+	"time"
+)
+
+var currentSerialNumber = time.Now().Unix()
+
+type Config struct {
+	ca           *x509.Certificate
+	caPrivateKey *rsa.PrivateKey
+
+	roots *x509.CertPool
+
+	privateKey *rsa.PrivateKey
+
+	validity     time.Duration
+	keyID        []byte
+	organization string
+
+	certsStorage CertsStorage
+}
+
+type CertsStorage interface {
+	Get(key string) (*tls.Certificate, bool)
+
+	Set(key string, cert *tls.Certificate)
+}
+
+func NewAuthority(name, organization string, validity time.Duration) (*x509.Certificate, *rsa.PrivateKey, error) {
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, nil, err
+	}
+	pub := privateKey.Public()
+
+	pkixPub, err := x509.MarshalPKIXPublicKey(pub)
+	if err != nil {
+		return nil, nil, err
+	}
+	h := sha1.New()
+	_, err = h.Write(pkixPub)
+	if err != nil {
+		return nil, nil, err
+	}
+	keyID := h.Sum(nil)
+
+	serial := atomic.AddInt64(&currentSerialNumber, 1)
+
+	tmpl := &x509.Certificate{
+		SerialNumber: big.NewInt(serial),
+		Subject: pkix.Name{
+			CommonName:   name,
+			Organization: []string{organization},
+		},
+		SubjectKeyId:          keyID,
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		NotBefore:             time.Now().Add(-validity),
+		NotAfter:              time.Now().Add(validity),
+		DNSNames:              []string{name},
+		IsCA:                  true,
+	}
+
+	raw, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, privateKey)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	x509c, err := x509.ParseCertificate(raw)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return x509c, privateKey, nil
+}
+
+func NewConfig(ca *x509.Certificate, caPrivateKey *rsa.PrivateKey) (*Config, error) {
+	roots := x509.NewCertPool()
+	roots.AddCert(ca)
+
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, err
+	}
+	pub := privateKey.Public()
+
+	pkixPub, err := x509.MarshalPKIXPublicKey(pub)
+	if err != nil {
+		return nil, err
+	}
+	h := sha1.New()
+	_, err = h.Write(pkixPub)
+	if err != nil {
+		return nil, err
+	}
+	keyID := h.Sum(nil)
+
+	return &Config{
+		ca:           ca,
+		caPrivateKey: caPrivateKey,
+		privateKey:   privateKey,
+		keyID:        keyID,
+		validity:     time.Hour,
+		organization: "Clash",
+		certsStorage: NewDomainTrieCertsStorage(),
+		roots:        roots,
+	}, nil
+}
+
+func (c *Config) GetCA() *x509.Certificate {
+	return c.ca
+}
+
+func (c *Config) SetOrganization(organization string) {
+	c.organization = organization
+}
+
+func (c *Config) SetValidity(validity time.Duration) {
+	c.validity = validity
+}
+
+func (c *Config) NewTLSConfigForHost(hostname string) *tls.Config {
+	tlsConfig := &tls.Config{
+		GetCertificate: func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			host := clientHello.ServerName
+			if host == "" {
+				host = hostname
+			}
+
+			return c.GetOrCreateCert(host)
+		},
+		NextProtos: []string{"http/1.1"},
+	}
+
+	tlsConfig.InsecureSkipVerify = true
+
+	return tlsConfig
+}
+
+func (c *Config) GetOrCreateCert(hostname string, ips ...net.IP) (*tls.Certificate, error) {
+	var leaf *x509.Certificate
+	tlsCertificate, ok := c.certsStorage.Get(hostname)
+	if ok {
+		leaf = tlsCertificate.Leaf
+		if _, err := leaf.Verify(x509.VerifyOptions{
+			DNSName: hostname,
+			Roots:   c.roots,
+		}); err == nil {
+			return tlsCertificate, nil
+		}
+	}
+
+	var (
+		key          = hostname
+		topHost      = hostname
+		wildcardHost = "*." + hostname
+		dnsNames     []string
+	)
+
+	if ip := net.ParseIP(hostname); ip != nil {
+		ips = append(ips, ip)
+	} else {
+		parts := strings.Split(hostname, ".")
+		l := len(parts)
+
+		if leaf != nil {
+			dnsNames = append(dnsNames, leaf.DNSNames...)
+		}
+
+		if l > 2 {
+			topIndex := l - 2
+			topHost = strings.Join(parts[topIndex:], ".")
+
+			for i := topIndex; i > 0; i-- {
+				wildcardHost = "*." + strings.Join(parts[i:], ".")
+
+				if i == topIndex && (len(dnsNames) == 0 || dnsNames[0] != topHost) {
+					dnsNames = append(dnsNames, topHost, wildcardHost)
+				} else if !hasDnsNames(dnsNames, wildcardHost) {
+					dnsNames = append(dnsNames, wildcardHost)
+				}
+			}
+		} else {
+			dnsNames = append(dnsNames, topHost, wildcardHost)
+		}
+
+		key = "+." + topHost
+	}
+
+	serial := atomic.AddInt64(&currentSerialNumber, 1)
+
+	tmpl := &x509.Certificate{
+		SerialNumber: big.NewInt(serial),
+		Subject: pkix.Name{
+			CommonName:   topHost,
+			Organization: []string{c.organization},
+		},
+		SubjectKeyId:          c.keyID,
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		NotBefore:             time.Now().Add(-c.validity),
+		NotAfter:              time.Now().Add(c.validity),
+		DNSNames:              dnsNames,
+		IPAddresses:           ips,
+	}
+
+	raw, err := x509.CreateCertificate(rand.Reader, tmpl, c.ca, c.privateKey.Public(), c.caPrivateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	x509c, err := x509.ParseCertificate(raw)
+	if err != nil {
+		return nil, err
+	}
+
+	tlsCertificate = &tls.Certificate{
+		Certificate: [][]byte{raw, c.ca.Raw},
+		PrivateKey:  c.privateKey,
+		Leaf:        x509c,
+	}
+
+	c.certsStorage.Set(key, tlsCertificate)
+	return tlsCertificate, nil
+}
+
+// GenerateAndSave generate CA private key and CA certificate and dump them to file
+func GenerateAndSave(caPath string, caKeyPath string) error {
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return err
+	}
+
+	tmpl := &x509.Certificate{
+		SerialNumber: big.NewInt(time.Now().Unix()),
+		Subject: pkix.Name{
+			Country:      []string{"US"},
+			CommonName:   "Clash Root CA",
+			Organization: []string{"Clash Trust Services"},
+		},
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		NotBefore:             time.Now().Add(-(time.Hour * 24 * 60)),
+		NotAfter:              time.Now().Add(time.Hour * 24 * 365 * 25),
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+	}
+
+	caRaw, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, privateKey.Public(), privateKey)
+	if err != nil {
+		return err
+	}
+
+	caOut, err := os.OpenFile(caPath, os.O_CREATE|os.O_WRONLY, 0o600)
+	if err != nil {
+		return err
+	}
+	defer func(caOut *os.File) {
+		_ = caOut.Close()
+	}(caOut)
+
+	if err = pem.Encode(caOut, &pem.Block{Type: "CERTIFICATE", Bytes: caRaw}); err != nil {
+		return err
+	}
+
+	caKeyOut, err := os.OpenFile(caKeyPath, os.O_CREATE|os.O_WRONLY, 0o600)
+	if err != nil {
+		return err
+	}
+	defer func(caKeyOut *os.File) {
+		_ = caKeyOut.Close()
+	}(caKeyOut)
+
+	if err = pem.Encode(caKeyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)}); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func hasDnsNames(dnsNames []string, hostname string) bool {
+	for _, name := range dnsNames {
+		if name == hostname {
+			return true
+		}
+	}
+	return false
+}

common/cert/storage.go

@@ -0,0 +1,32 @@
+package cert
+
+import (
+	"crypto/tls"
+
+	"github.com/Dreamacro/clash/component/trie"
+)
+
+// DomainTrieCertsStorage cache wildcard certificates
+type DomainTrieCertsStorage struct {
+	certsCache *trie.DomainTrie[*tls.Certificate]
+}
+
+// Get gets the certificate from the storage
+func (c *DomainTrieCertsStorage) Get(key string) (*tls.Certificate, bool) {
+	ca := c.certsCache.Search(key)
+	if ca == nil {
+		return nil, false
+	}
+	return ca.Data(), true
+}
+
+// Set saves the certificate to the storage
+func (c *DomainTrieCertsStorage) Set(key string, cert *tls.Certificate) {
+	_ = c.certsCache.Insert(key, cert)
+}
+
+func NewDomainTrieCertsStorage() *DomainTrieCertsStorage {
+	return &DomainTrieCertsStorage{
+		certsCache: trie.New[*tls.Certificate](),
+	}
+}

common/convert/converter.go

@@ -68,39 +68,7 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			hysteria["skip-cert-verify"], _ = strconv.ParseBool(query.Get("insecure"))
 
 			proxies = append(proxies, hysteria)
-		case "hysteria2":
-			urlHysteria2, err := url.Parse(line)
-			if err != nil {
-				continue
-			}
 
-			query := urlHysteria2.Query()
-			name := uniqueName(names, urlHysteria2.Fragment)
-			hysteria2 := make(map[string]any, 20)
-
-			hysteria2["name"] = name
-			hysteria2["type"] = scheme
-			hysteria2["server"] = urlHysteria2.Hostname()
-			if port := urlHysteria2.Port(); port != "" {
-				hysteria2["port"] = port
-			} else {
-				hysteria2["port"] = "443"
-			}
-			hysteria2["obfs"] = query.Get("obfs")
-			hysteria2["obfs-password"] = query.Get("obfs-password")
-			hysteria2["sni"] = query.Get("sni")
-			hysteria2["skip-cert-verify"], _ = strconv.ParseBool(query.Get("insecure"))
-			if alpn := query.Get("alpn"); alpn != "" {
-				hysteria2["alpn"] = strings.Split(alpn, ",")
-			}
-			if auth := urlHysteria2.User.String(); auth != "" {
-				hysteria2["password"] = auth
-			}
-			hysteria2["fingerprint"] = query.Get("pinSHA256")
-			hysteria2["down"] = query.Get("down")
-			hysteria2["up"] = query.Get("up")
-
-			proxies = append(proxies, hysteria2)
 		case "tuic":
 			// A temporary unofficial TUIC share link standard
 			// Modified from https://github.com/daeuniverse/dae/discussions/182

common/convert/converter_test.go

@@ -1,35 +0,0 @@
-package convert
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-// https://v2.hysteria.network/zh/docs/developers/URI-Scheme/
-func TestConvertsV2Ray_normal(t *testing.T) {
-	hy2test := "hysteria2://letmein@example.com:8443/?insecure=1&obfs=salamander&obfs-password=gawrgura&pinSHA256=deadbeef&sni=real.example.com&up=114&down=514&alpn=h3,h4#hy2test"
-
-	expected := []map[string]interface{}{
-		{
-			"name":             "hy2test",
-			"type":             "hysteria2",
-			"server":           "example.com",
-			"port":             "8443",
-			"sni":              "real.example.com",
-			"obfs":             "salamander",
-			"obfs-password":    "gawrgura",
-			"alpn":             []string{"h3", "h4"},
-			"password":         "letmein",
-			"up":               "114",
-			"down":             "514",
-			"skip-cert-verify": true,
-			"fingerprint":      "deadbeef",
-		},
-	}
-
-	proxies, err := ConvertsV2Ray([]byte(hy2test))
-
-	assert.Nil(t, err)
-	assert.Equal(t, expected, proxies)
-}

common/net/tcpip.go

@@ -7,7 +7,7 @@ import (
 	"time"
 )
 
-var KeepAliveInterval = 15 * time.Second
+var KeepAliveInterval time.Duration
 
 func SplitNetworkType(s string) (string, string, error) {
 	var (
@@ -51,6 +51,6 @@ func SplitHostPort(s string) (host, port string, hasPort bool, err error) {
 func TCPKeepAlive(c net.Conn) {
 	if tcp, ok := c.(*net.TCPConn); ok {
 		_ = tcp.SetKeepAlive(true)
-		_ = tcp.SetKeepAlivePeriod(KeepAliveInterval)
+		_ = tcp.SetKeepAlivePeriod(KeepAliveInterval * time.Second)
 	}
 }

component/geodata/memconservative/cache.go

@@ -32,7 +32,7 @@ func (g GeoIPCache) Set(key string, value *router.GeoIP) {
 }
 
 func (g GeoIPCache) Unmarshal(filename, code string) (*router.GeoIP, error) {
-	asset := C.Path.GetAssetLocation(filename)
+	asset := C.Path.Resolve(filename)
 	idx := strings.ToLower(asset + ":" + code)
 	if g.Has(idx) {
 		return g.Get(idx), nil
@@ -97,7 +97,7 @@ func (g GeoSiteCache) Set(key string, value *router.GeoSite) {
 }
 
 func (g GeoSiteCache) Unmarshal(filename, code string) (*router.GeoSite, error) {
-	asset := C.Path.GetAssetLocation(filename)
+	asset := C.Path.Resolve(filename)
 	idx := strings.ToLower(asset + ":" + code)
 	if g.Has(idx) {
 		return g.Get(idx), nil

component/geodata/standard/standard.go

@@ -26,7 +26,7 @@ func ReadFile(path string) ([]byte, error) {
 }
 
 func ReadAsset(file string) ([]byte, error) {
-	return ReadFile(C.Path.GetAssetLocation(file))
+	return ReadFile(C.Path.Resolve(file))
 }
 
 func loadIP(geoipBytes []byte, country string) ([]*router.CIDR, error) {

component/http/http.go

@@ -2,7 +2,6 @@ package http
 
 import (
 	"context"
-	"crypto/tls"
 	"io"
 	"net"
 	"net/http"
@@ -10,13 +9,15 @@ import (
 	"strings"
 	"time"
 
-	"github.com/Dreamacro/clash/component/ca"
-	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/component/tls"
 	"github.com/Dreamacro/clash/listener/inner"
 )
 
+const (
+	UA = "clash.meta"
+)
+
 func HttpRequest(ctx context.Context, url, method string, header map[string][]string, body io.Reader) (*http.Response, error) {
-	UA := C.UA
 	method = strings.ToUpper(method)
 	urlRes, err := URL.Parse(url)
 	if err != nil {
@@ -59,7 +60,7 @@ func HttpRequest(ctx context.Context, url, method string, header map[string][]st
 				return d.DialContext(ctx, network, address)
 			}
 		},
-		TLSClientConfig: ca.GetGlobalTLSConfig(&tls.Config{}),
+		TLSClientConfig: tls.GetDefaultTLSConfig(),
 	}
 
 	client := http.Client{Transport: transport}

component/proxydialer/sing.go

@@ -1,82 +0,0 @@
-package proxydialer
-
-import (
-	"context"
-	"net"
-
-	C "github.com/Dreamacro/clash/constant"
-
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-type SingDialer interface {
-	N.Dialer
-	SetDialer(dialer C.Dialer)
-}
-
-type singDialer proxyDialer
-
-var _ N.Dialer = (*singDialer)(nil)
-
-func (d *singDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	return (*proxyDialer)(d).DialContext(ctx, network, destination.String())
-}
-
-func (d *singDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	return (*proxyDialer)(d).ListenPacket(ctx, "udp", "", destination.AddrPort())
-}
-
-func (d *singDialer) SetDialer(dialer C.Dialer) {
-	(*proxyDialer)(d).dialer = dialer
-}
-
-func NewSingDialer(proxy C.ProxyAdapter, dialer C.Dialer, statistic bool) SingDialer {
-	return (*singDialer)(&proxyDialer{
-		proxy:     proxy,
-		dialer:    dialer,
-		statistic: statistic,
-	})
-}
-
-type byNameSingDialer struct {
-	dialer    C.Dialer
-	proxyName string
-}
-
-var _ N.Dialer = (*byNameSingDialer)(nil)
-
-func (d *byNameSingDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	var cDialer C.Dialer = d.dialer
-	if len(d.proxyName) > 0 {
-		pd, err := NewByName(d.proxyName, d.dialer)
-		if err != nil {
-			return nil, err
-		}
-		cDialer = pd
-	}
-	return cDialer.DialContext(ctx, network, destination.String())
-}
-
-func (d *byNameSingDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	var cDialer C.Dialer = d.dialer
-	if len(d.proxyName) > 0 {
-		pd, err := NewByName(d.proxyName, d.dialer)
-		if err != nil {
-			return nil, err
-		}
-		cDialer = pd
-	}
-	return cDialer.ListenPacket(ctx, "udp", "", destination.AddrPort())
-}
-
-func (d *byNameSingDialer) SetDialer(dialer C.Dialer) {
-	d.dialer = dialer
-}
-
-func NewByNameSingDialer(proxyName string, dialer C.Dialer) SingDialer {
-	return &byNameSingDialer{
-		dialer:    dialer,
-		proxyName: proxyName,
-	}
-}

component/resolver/host.go

@@ -4,7 +4,6 @@ import (
 	"errors"
 	"net/netip"
 	"strings"
-	_ "unsafe"
 
 	"github.com/Dreamacro/clash/common/utils"
 	"github.com/Dreamacro/clash/component/trie"
@@ -21,39 +20,28 @@ func NewHosts(hosts *trie.DomainTrie[HostValue]) Hosts {
 	}
 }
 
-// lookupStaticHost looks up the addresses and the canonical name for the given host from /etc/hosts.
-//
-//go:linkname lookupStaticHost net.lookupStaticHost
-func lookupStaticHost(host string) ([]string, string)
-
 // Return the search result and whether to match the parameter `isDomain`
 func (h *Hosts) Search(domain string, isDomain bool) (*HostValue, bool) {
-	if value := h.DomainTrie.Search(domain); value != nil {
-		hostValue := value.Data()
-		for {
-			if isDomain && hostValue.IsDomain {
-				return &hostValue, true
+	value := h.DomainTrie.Search(domain)
+	if value == nil {
+		return nil, false
+	}
+	hostValue := value.Data()
+	for {
+		if isDomain && hostValue.IsDomain {
+			return &hostValue, true
+		} else {
+			if node := h.DomainTrie.Search(hostValue.Domain); node != nil {
+				hostValue = node.Data()
 			} else {
-				if node := h.DomainTrie.Search(hostValue.Domain); node != nil {
-					hostValue = node.Data()
-				} else {
-					break
-				}
+				break
 			}
 		}
-		if isDomain == hostValue.IsDomain {
-			return &hostValue, true
-		}
-
-		return &hostValue, false
 	}
-	if !isDomain {
-		addr, _ := lookupStaticHost(domain)
-		if hostValue, err := NewHostValue(addr); err == nil {
-			return &hostValue, true
-		}
+	if isDomain == hostValue.IsDomain {
+		return &hostValue, true
 	}
-	return nil, false
+	return &hostValue, false
 }
 
 type HostValue struct {

component/resolver/host_windows.go

@@ -1,19 +0,0 @@
-//go:build !go1.22
-
-// a simple standard lib fix from: https://github.com/golang/go/commit/33d4a5105cf2b2d549922e909e9239a48b8cefcc
-
-package resolver
-
-import (
-	"golang.org/x/sys/windows"
-	_ "unsafe"
-)
-
-//go:linkname testHookHostsPath net.testHookHostsPath
-var testHookHostsPath string
-
-func init() {
-	if dir, err := windows.GetSystemDirectory(); err == nil {
-		testHookHostsPath = dir + "/Drivers/etc/hosts"
-	}
-}

component/sniffer/dispatcher.go

@@ -35,8 +35,7 @@ type SnifferDispatcher struct {
 	parsePureIp     bool
 }
 
-// TCPSniff returns true if the connection is sniffed to have a domain
-func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata) bool {
+func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata) {
 	if (metadata.Host == "" && sd.parsePureIp) || sd.forceDomain.Has(metadata.Host) || (metadata.DNSMode == C.DNSMapping && sd.forceDnsMapping) {
 		inWhitelist := false
 		overrideDest := false
@@ -51,7 +50,7 @@ func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata
 		}
 
 		if !inWhitelist {
-			return false
+			return
 		}
 
 		sd.rwMux.RLock()
@@ -59,18 +58,18 @@ func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata
 		if count, ok := sd.skipList.Get(dst); ok && count > 5 {
 			log.Debugln("[Sniffer] Skip sniffing[%s] due to multiple failures", dst)
 			defer sd.rwMux.RUnlock()
-			return false
+			return
 		}
 		sd.rwMux.RUnlock()
 
 		if host, err := sd.sniffDomain(conn, metadata); err != nil {
 			sd.cacheSniffFailed(metadata)
 			log.Debugln("[Sniffer] All sniffing sniff failed with from [%s:%d] to [%s:%d]", metadata.SrcIP, metadata.SrcPort, metadata.String(), metadata.DstPort)
-			return false
+			return
 		} else {
 			if sd.skipSNI.Has(host) {
 				log.Debugln("[Sniffer] Skip sni[%s]", host)
-				return false
+				return
 			}
 
 			sd.rwMux.RLock()
@@ -78,23 +77,20 @@ func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata
 			sd.rwMux.RUnlock()
 
 			sd.replaceDomain(metadata, host, overrideDest)
-			return true
 		}
 	}
-	return false
 }
 
 func (sd *SnifferDispatcher) replaceDomain(metadata *C.Metadata, host string, overrideDest bool) {
-	// show log early, since the following code may mutate `metadata.Host`
-	log.Debugln("[Sniffer] Sniff TCP [%s]-->[%s] success, replace domain [%s]-->[%s]",
-		metadata.SourceDetail(),
-		metadata.RemoteAddress(),
-		metadata.Host, host)
 	metadata.SniffHost = host
 	if overrideDest {
 		metadata.Host = host
 	}
 	metadata.DNSMode = C.DNSNormal
+	log.Debugln("[Sniffer] Sniff TCP [%s]-->[%s] success, replace domain [%s]-->[%s]",
+		metadata.SourceDetail(),
+		metadata.RemoteAddress(),
+		metadata.Host, host)
 }
 
 func (sd *SnifferDispatcher) Enable() bool {

component/tls/config.go

@@ -1,4 +1,4 @@
-package ca
+package tls
 
 import (
 	"bytes"
@@ -8,13 +8,12 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
-	"os"
 	"strings"
 	"sync"
 )
 
 var trustCerts []*x509.Certificate
-var globalCertPool *x509.CertPool
+var certPool *x509.CertPool
 var mutex sync.RWMutex
 var errNotMatch = errors.New("certificate fingerprints do not match")
 
@@ -34,12 +33,12 @@ func AddCertificate(certificate string) error {
 
 func initializeCertPool() {
 	var err error
-	globalCertPool, err = x509.SystemCertPool()
+	certPool, err = x509.SystemCertPool()
 	if err != nil {
-		globalCertPool = x509.NewCertPool()
+		certPool = x509.NewCertPool()
 	}
 	for _, cert := range trustCerts {
-		globalCertPool.AddCert(cert)
+		certPool.AddCert(cert)
 	}
 }
 
@@ -54,15 +53,15 @@ func getCertPool() *x509.CertPool {
 	if len(trustCerts) == 0 {
 		return nil
 	}
-	if globalCertPool == nil {
+	if certPool == nil {
 		mutex.Lock()
 		defer mutex.Unlock()
-		if globalCertPool != nil {
-			return globalCertPool
+		if certPool != nil {
+			return certPool
 		}
 		initializeCertPool()
 	}
-	return globalCertPool
+	return certPool
 }
 
 func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
@@ -95,49 +94,29 @@ func convertFingerprint(fingerprint string) (*[32]byte, error) {
 	return (*[32]byte)(fpByte), nil
 }
 
-// GetTLSConfig specified fingerprint, customCA and customCAString
-func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, customCAString string) (*tls.Config, error) {
-	if tlsConfig == nil {
-		tlsConfig = &tls.Config{}
-	}
-	var certificate []byte
-	var err error
-	if len(customCA) > 0 {
-		certificate, err = os.ReadFile(customCA)
-		if err != nil {
-			return nil, fmt.Errorf("load ca error: %w", err)
-		}
-	} else if customCAString != "" {
-		certificate = []byte(customCAString)
-	}
-	if len(certificate) > 0 {
-		certPool := x509.NewCertPool()
-		if !certPool.AppendCertsFromPEM(certificate) {
-			return nil, fmt.Errorf("failed to parse certificate:\n\n %s", certificate)
-		}
-		tlsConfig.RootCAs = certPool
-	} else {
-		tlsConfig.RootCAs = getCertPool()
-	}
-	if len(fingerprint) > 0 {
-		var fingerprintBytes *[32]byte
-		fingerprintBytes, err = convertFingerprint(fingerprint)
-		if err != nil {
-			return nil, err
-		}
-		tlsConfig = GetGlobalTLSConfig(tlsConfig)
-		tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)
-		tlsConfig.InsecureSkipVerify = true
-	}
-	return tlsConfig, nil
+func GetDefaultTLSConfig() *tls.Config {
+	return GetGlobalTLSConfig(nil)
 }
 
 // GetSpecifiedFingerprintTLSConfig specified fingerprint
 func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string) (*tls.Config, error) {
-	return GetTLSConfig(tlsConfig, fingerprint, "", "")
+	if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
+		return nil, err
+	} else {
+		tlsConfig = GetGlobalTLSConfig(tlsConfig)
+		tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)
+		tlsConfig.InsecureSkipVerify = true
+		return tlsConfig, nil
+	}
 }
 
 func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
-	tlsConfig, _ = GetTLSConfig(tlsConfig, "", "", "")
+	certPool := getCertPool()
+	if tlsConfig == nil {
+		return &tls.Config{
+			RootCAs: certPool,
+		}
+	}
+	tlsConfig.RootCAs = certPool
 	return tlsConfig
 }

config/config.go

@@ -8,7 +8,6 @@ import (
 	"net/netip"
 	"net/url"
 	"os"
-	"path"
 	"regexp"
 	"strings"
 	"time"
@@ -36,6 +35,7 @@ import (
 	L "github.com/Dreamacro/clash/listener"
 	LC "github.com/Dreamacro/clash/listener/config"
 	"github.com/Dreamacro/clash/log"
+	rewrites "github.com/Dreamacro/clash/rewrite"
 	R "github.com/Dreamacro/clash/rules"
 	RP "github.com/Dreamacro/clash/rules/provider"
 	T "github.com/Dreamacro/clash/tunnel"
@@ -61,7 +61,7 @@ type General struct {
 	Sniffing                bool              `json:"sniffing"`
 	EBpf                    EBpf              `json:"-"`
 	GlobalClientFingerprint string            `json:"global-client-fingerprint"`
-	GlobalUA                string            `json:"global-ua"`
+	KeepAliveInterval       int               `json:"keep-alive-interval"`
 }
 
 // Inbound config
@@ -80,6 +80,7 @@ type Inbound struct {
 	BindAddress       string        `json:"bind-address"`
 	InboundTfo        bool          `json:"inbound-tfo"`
 	InboundMPTCP      bool          `json:"inbound-mptcp"`
+	MitmPort          int           `json:"mitm-port"`
 }
 
 // Controller config
@@ -92,12 +93,10 @@ type Controller struct {
 
 // NTP config
 type NTP struct {
-	Enable        bool   `yaml:"enable"`
-	Server        string `yaml:"server"`
-	Port          int    `yaml:"port"`
-	Interval      int    `yaml:"interval"`
-	DialerProxy   string `yaml:"dialer-proxy"`
-	WriteToSystem bool   `yaml:"write-to-system"`
+	Enable   bool   `yaml:"enable"`
+	Server   string `yaml:"server"`
+	Port     int    `yaml:"port"`
+	Interval int    `yaml:"interval"`
 }
 
 // DNS config
@@ -155,16 +154,22 @@ type Sniffer struct {
 	ParsePureIp     bool
 }
 
+// Mitm config
+type Mitm struct {
+	Port  int           `yaml:"port" json:"port"`
+	Rules C.RewriteRule `yaml:"rules" json:"rules"`
+}
+
 // Experimental config
 type Experimental struct {
-	Fingerprints     []string `yaml:"fingerprints"`
-	QUICGoDisableGSO bool     `yaml:"quic-go-disable-gso"`
+	Fingerprints []string `yaml:"fingerprints"`
 }
 
 // Config is clash config manager
 type Config struct {
 	General       *General
 	IPTables      *IPTables
+	Mitm          *Mitm
 	NTP           *NTP
 	DNS           *DNS
 	Experimental  *Experimental
@@ -183,12 +188,10 @@ type Config struct {
 }
 
 type RawNTP struct {
-	Enable        bool   `yaml:"enable"`
-	Server        string `yaml:"server"`
-	ServerPort    int    `yaml:"server-port"`
-	Interval      int    `yaml:"interval"`
-	DialerProxy   string `yaml:"dialer-proxy"`
-	WriteToSystem bool   `yaml:"write-to-system"`
+	Enable     bool   `yaml:"enable"`
+	Server     string `yaml:"server"`
+	ServerPort int    `yaml:"server-port"`
+	Interval   int    `yaml:"interval"`
 }
 
 type RawDNS struct {
@@ -259,12 +262,18 @@ type RawTuicServer struct {
 	CWND                  int               `yaml:"cwnd" json:"cwnd,omitempty"`
 }
 
+type RawMitm struct {
+	Port  int                    `yaml:"port" json:"port"`
+	Rules []rewrites.RawMitmRule `yaml:"rules" json:"rules"`
+}
+
 type RawConfig struct {
 	Port                    int               `yaml:"port"`
 	SocksPort               int               `yaml:"socks-port"`
 	RedirPort               int               `yaml:"redir-port"`
 	TProxyPort              int               `yaml:"tproxy-port"`
 	MixedPort               int               `yaml:"mixed-port"`
+	MitmPort                int               `yaml:"mitm-port"`
 	ShadowSocksConfig       string            `yaml:"ss-config"`
 	VmessConfig             string            `yaml:"vmess-config"`
 	InboundTfo              bool              `yaml:"inbound-tfo"`
@@ -279,8 +288,6 @@ type RawConfig struct {
 	ExternalController      string            `yaml:"external-controller"`
 	ExternalControllerTLS   string            `yaml:"external-controller-tls"`
 	ExternalUI              string            `yaml:"external-ui"`
-	ExternalUIURL           string            `yaml:"external-ui-url" json:"external-ui-url"`
-	ExternalUIName          string            `yaml:"external-ui-name" json:"external-ui-name"`
 	Secret                  string            `yaml:"secret"`
 	Interface               string            `yaml:"interface-name"`
 	RoutingMark             int               `yaml:"routing-mark"`
@@ -290,7 +297,6 @@ type RawConfig struct {
 	TCPConcurrent           bool              `yaml:"tcp-concurrent" json:"tcp-concurrent"`
 	FindProcessMode         P.FindProcessMode `yaml:"find-process-mode" json:"find-process-mode"`
 	GlobalClientFingerprint string            `yaml:"global-client-fingerprint"`
-	GlobalUA                string            `yaml:"global-ua"`
 	KeepAliveInterval       int               `yaml:"keep-alive-interval"`
 
 	Sniffer       RawSniffer                `yaml:"sniffer"`
@@ -303,6 +309,7 @@ type RawConfig struct {
 	TuicServer    RawTuicServer             `yaml:"tuic-server"`
 	EBpf          EBpf                      `yaml:"ebpf"`
 	IPTables      IPTables                  `yaml:"iptables"`
+	MITM          RawMitm                   `yaml:"mitm"`
 	Experimental  Experimental              `yaml:"experimental"`
 	Profile       Profile                   `yaml:"profile"`
 	GeoXUrl       GeoXUrl                   `yaml:"geox-url"`
@@ -377,7 +384,6 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 		ProxyGroup:      []map[string]any{},
 		TCPConcurrent:   false,
 		FindProcessMode: P.FindProcessStrict,
-		GlobalUA:        "clash.meta",
 		Tun: RawTun{
 			Enable:              false,
 			Device:              "",
@@ -409,13 +415,6 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 			InboundInterface: "lo",
 			Bypass:           []string{},
 		},
-		NTP: RawNTP{
-			Enable:        false,
-			WriteToSystem: false,
-			Server:        "time.apple.com",
-			ServerPort:    123,
-			Interval:      30,
-		},
 		DNS: RawDNS{
 			Enable:       false,
 			IPv6:         false,
@@ -455,6 +454,10 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 			ParsePureIp:     true,
 			OverrideDest:    true,
 		},
+		MITM: RawMitm{
+			Port:  0,
+			Rules: []rewrites.RawMitmRule{},
+		},
 		Profile: Profile{
 			StoreSelected: true,
 		},
@@ -463,7 +466,6 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 			GeoIp:   "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.dat",
 			GeoSite: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geosite.dat",
 		},
-		ExternalUIURL: "https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.zip",
 	}
 
 	if err := yaml.Unmarshal(buf, rawCfg); err != nil {
@@ -550,6 +552,12 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 		return nil, err
 	}
 
+	mitm, err := parseMitm(rawCfg.MITM)
+	if err != nil {
+		return nil, err
+	}
+	config.Mitm = mitm
+
 	config.Users = parseAuthentication(rawCfg.Authentication)
 
 	config.Tunnels = rawCfg.Tunnels
@@ -574,40 +582,24 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 }
 
 func parseGeneral(cfg *RawConfig) (*General, error) {
+	externalUI := cfg.ExternalUI
 	geodata.SetLoader(cfg.GeodataLoader)
 	C.GeoIpUrl = cfg.GeoXUrl.GeoIp
 	C.GeoSiteUrl = cfg.GeoXUrl.GeoSite
 	C.MmdbUrl = cfg.GeoXUrl.Mmdb
 	C.GeodataMode = cfg.GeodataMode
-	C.UA = cfg.GlobalUA
-	if cfg.KeepAliveInterval != 0 {
-		N.KeepAliveInterval = time.Duration(cfg.KeepAliveInterval) * time.Second
+	if cfg.KeepAliveInterval == 0 {
+		cfg.KeepAliveInterval = 30
 	}
-
-	ExternalUIPath = cfg.ExternalUI
+	N.KeepAliveInterval = time.Duration(cfg.KeepAliveInterval) * time.Second
+	log.Infoln("Keep Alive Interval set %+v", N.KeepAliveInterval)
 	// checkout externalUI exist
-	if ExternalUIPath != "" {
-		ExternalUIPath = C.Path.Resolve(ExternalUIPath)
-		if _, err := os.Stat(ExternalUIPath); os.IsNotExist(err) {
-			defaultUIpath := path.Join(C.Path.HomeDir(), "ui")
-			log.Warnln("external-ui: %s does not exist, creating folder in %s", ExternalUIPath, defaultUIpath)
-			if err := os.MkdirAll(defaultUIpath, os.ModePerm); err != nil {
-				return nil, err
-			}
-			ExternalUIPath = defaultUIpath
-			cfg.ExternalUI = defaultUIpath
+	if externalUI != "" {
+		externalUI = C.Path.Resolve(externalUI)
+		if _, err := os.Stat(externalUI); os.IsNotExist(err) {
+			return nil, fmt.Errorf("external-ui: %s not exist", externalUI)
 		}
 	}
-	// checkout UIpath/name exist
-	if cfg.ExternalUIName != "" {
-		ExternalUIName = cfg.ExternalUIName
-	} else {
-		ExternalUIFolder = ExternalUIPath
-	}
-	if cfg.ExternalUIURL != "" {
-		ExternalUIURL = cfg.ExternalUIURL
-	}
-
 	cfg.Tun.RedirectToTun = cfg.EBpf.RedirectToTun
 	return &General{
 		Inbound: Inbound{
@@ -616,6 +608,7 @@ func parseGeneral(cfg *RawConfig) (*General, error) {
 			RedirPort:         cfg.RedirPort,
 			TProxyPort:        cfg.TProxyPort,
 			MixedPort:         cfg.MixedPort,
+			MitmPort:          cfg.MitmPort,
 			ShadowSocksConfig: cfg.ShadowSocksConfig,
 			VmessConfig:       cfg.VmessConfig,
 			AllowLan:          cfg.AllowLan,
@@ -642,7 +635,7 @@ func parseGeneral(cfg *RawConfig) (*General, error) {
 		FindProcessMode:         cfg.FindProcessMode,
 		EBpf:                    cfg.EBpf,
 		GlobalClientFingerprint: cfg.GlobalClientFingerprint,
-		GlobalUA:                cfg.GlobalUA,
+		KeepAliveInterval:       cfg.KeepAliveInterval,
 	}, nil
 }
 
@@ -663,6 +656,11 @@ func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[
 	proxies["PASS"] = adapter.NewProxy(outbound.NewPass())
 	proxyList = append(proxyList, "DIRECT", "REJECT")
 
+	if cfg.MITM.Port != 0 {
+		proxies["MITM"] = adapter.NewProxy(outbound.NewMitm(fmt.Sprintf("127.0.0.1:%d", cfg.MITM.Port)))
+		proxyList = append(proxyList, "MITM")
+	}
+
 	// parse proxy
 	for idx, mapping := range proxiesConfig {
 		proxy, err := adapter.ParseProxy(mapping)
@@ -943,6 +941,14 @@ func parseHosts(cfg *RawConfig) (*trie.DomainTrie[resolver.HostValue], error) {
 			_ = tree.Insert(domain, value)
 		}
 	}
+
+	if cfg.MITM.Port != 0 {
+		value, _ := resolver.NewHostValue("8.8.9.9")
+		if err := tree.Insert("mitm.clash", value); err != nil {
+			log.Errorln("insert mitm.clash to host error: %s", err.Error())
+		}
+	}
+
 	tree.Optimize()
 
 	return tree, nil
@@ -1196,14 +1202,24 @@ func parseFallbackGeoSite(countries []string, rules []C.Rule) ([]*router.DomainM
 }
 
 func paresNTP(rawCfg *RawConfig) *NTP {
+	var server = "time.apple.com"
+	var port = 123
+	var interval = 30
 	cfg := rawCfg.NTP
+	if len(cfg.Server) != 0 {
+		server = cfg.Server
+	}
+	if cfg.ServerPort != 0 {
+		port = cfg.ServerPort
+	}
+	if cfg.Interval != 0 {
+		interval = cfg.Interval
+	}
 	ntpCfg := &NTP{
-		Enable:        cfg.Enable,
-		Server:        cfg.Server,
-		Port:          cfg.ServerPort,
-		Interval:      cfg.Interval,
-		DialerProxy:   cfg.DialerProxy,
-		WriteToSystem: cfg.WriteToSystem,
+		Enable:   cfg.Enable,
+		Server:   server,
+		Port:     port,
+		Interval: interval,
 	}
 	return ntpCfg
 }
@@ -1481,3 +1497,28 @@ func parseSniffer(snifferRaw RawSniffer) (*Sniffer, error) {
 
 	return sniffer, nil
 }
+
+func parseMitm(rawMitm RawMitm) (*Mitm, error) {
+	var (
+		req []C.Rewrite
+		res []C.Rewrite
+	)
+
+	for _, line := range rawMitm.Rules {
+		rule, err := rewrites.ParseRewrite(line)
+		if err != nil {
+			return nil, fmt.Errorf("parse rewrite rule failure: %w", err)
+		}
+
+		if rule.RuleType() == C.MitmResponseHeader || rule.RuleType() == C.MitmResponseBody {
+			res = append(res, rule)
+		} else {
+			req = append(req, rule)
+		}
+	}
+
+	return &Mitm{
+		Port:  rawMitm.Port,
+		Rules: rewrites.NewRewriteRules(req, res),
+	}, nil
+}

config/updateGeo.go

@@ -1,11 +1,17 @@
 package config
 
 import (
+	"context"
 	"fmt"
+	"io"
+	"net/http"
+	"os"
 	"runtime"
+	"time"
 
 	"github.com/Dreamacro/clash/component/geodata"
 	_ "github.com/Dreamacro/clash/component/geodata/standard"
+	clashHttp "github.com/Dreamacro/clash/component/http"
 	C "github.com/Dreamacro/clash/constant"
 
 	"github.com/oschwald/maxminddb-golang"
@@ -66,3 +72,19 @@ func UpdateGeoDatabases() error {
 
 	return nil
 }
+
+func downloadForBytes(url string) ([]byte, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*90)
+	defer cancel()
+	resp, err := clashHttp.HttpRequest(ctx, url, http.MethodGet, http.Header{"User-Agent": {"clash"}}, nil)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	return io.ReadAll(resp.Body)
+}
+
+func saveFile(bytes []byte, path string) error {
+	return os.WriteFile(path, bytes, 0o644)
+}

config/update_ui.go

@@ -1,145 +0,0 @@
-package config
-
-import (
-	"archive/zip"
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"path"
-	"path/filepath"
-	"strings"
-	"sync"
-
-	C "github.com/Dreamacro/clash/constant"
-)
-
-var (
-	ExternalUIURL    string
-	ExternalUIPath   string
-	ExternalUIFolder string
-	ExternalUIName   string
-)
-var (
-	ErrIncompleteConf = errors.New("ExternalUI configure incomplete")
-)
-var xdMutex sync.Mutex
-
-func UpdateUI() error {
-	xdMutex.Lock()
-	defer xdMutex.Unlock()
-
-	err := prepare()
-	if err != nil {
-		return err
-	}
-
-	data, err := downloadForBytes(ExternalUIURL)
-	if err != nil {
-		return fmt.Errorf("can't download  file: %w", err)
-	}
-
-	saved := path.Join(C.Path.HomeDir(), "download.zip")
-	if saveFile(data, saved) != nil {
-		return fmt.Errorf("can't save zip file: %w", err)
-	}
-	defer os.Remove(saved)
-
-	err = cleanup(ExternalUIFolder)
-	if err != nil {
-		if !os.IsNotExist(err) {
-			return fmt.Errorf("cleanup exist file error: %w", err)
-		}
-	}
-
-	unzipFolder, err := unzip(saved, C.Path.HomeDir())
-	if err != nil {
-		return fmt.Errorf("can't extract zip file: %w", err)
-	}
-
-	err = os.Rename(unzipFolder, ExternalUIFolder)
-	if err != nil {
-		return fmt.Errorf("can't rename folder: %w", err)
-	}
-	return nil
-}
-
-func prepare() error {
-	if ExternalUIPath == "" || ExternalUIURL == "" {
-		return ErrIncompleteConf
-	}
-
-	if ExternalUIName != "" {
-		ExternalUIFolder = filepath.Clean(path.Join(ExternalUIPath, ExternalUIName))
-		if _, err := os.Stat(ExternalUIPath); os.IsNotExist(err) {
-			if err := os.MkdirAll(ExternalUIPath, os.ModePerm); err != nil {
-				return err
-			}
-		}
-	} else {
-		ExternalUIFolder = ExternalUIPath
-	}
-
-	return nil
-}
-
-func unzip(src, dest string) (string, error) {
-	r, err := zip.OpenReader(src)
-	if err != nil {
-		return "", err
-	}
-	defer r.Close()
-	var extractedFolder string
-	for _, f := range r.File {
-		fpath := filepath.Join(dest, f.Name)
-		if !strings.HasPrefix(fpath, filepath.Clean(dest)+string(os.PathSeparator)) {
-			return "", fmt.Errorf("invalid file path: %s", fpath)
-		}
-		if f.FileInfo().IsDir() {
-			os.MkdirAll(fpath, os.ModePerm)
-			continue
-		}
-		if err = os.MkdirAll(filepath.Dir(fpath), os.ModePerm); err != nil {
-			return "", err
-		}
-		outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
-		if err != nil {
-			return "", err
-		}
-		rc, err := f.Open()
-		if err != nil {
-			return "", err
-		}
-		_, err = io.Copy(outFile, rc)
-		outFile.Close()
-		rc.Close()
-		if err != nil {
-			return "", err
-		}
-		if extractedFolder == "" {
-			extractedFolder = filepath.Dir(fpath)
-		}
-	}
-	return extractedFolder, nil
-}
-
-func cleanup(root string) error {
-	if _, err := os.Stat(root); os.IsNotExist(err) {
-		return nil
-	}
-	return filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-		if info.IsDir() {
-			if err := os.RemoveAll(path); err != nil {
-				return err
-			}
-		} else {
-			if err := os.Remove(path); err != nil {
-				return err
-			}
-		}
-		return nil
-	})
-}

config/utils.go

@@ -1,37 +1,15 @@
 package config
 
 import (
-	"context"
 	"fmt"
-	"io"
 	"net"
-	"net/http"
 	"net/netip"
-	"os"
 	"strings"
-	"time"
 
 	"github.com/Dreamacro/clash/adapter/outboundgroup"
 	"github.com/Dreamacro/clash/common/structure"
-	clashHttp "github.com/Dreamacro/clash/component/http"
 )
 
-func downloadForBytes(url string) ([]byte, error) {
-	ctx, cancel := context.WithTimeout(context.Background(), time.Second*90)
-	defer cancel()
-	resp, err := clashHttp.HttpRequest(ctx, url, http.MethodGet, http.Header{"User-Agent": {"clash"}}, nil)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	return io.ReadAll(resp.Body)
-}
-
-func saveFile(bytes []byte, path string) error {
-	return os.WriteFile(path, bytes, 0o644)
-}
-
 func trimArr(arr []string) (r []string) {
 	for _, e := range arr {
 		r = append(r, strings.Trim(e, " "))

constant/adapters.go

@@ -19,6 +19,7 @@ const (
 	Direct AdapterType = iota
 	Reject
 	Compatible
+	Mitm
 	Pass
 
 	Relay
@@ -36,7 +37,6 @@ const (
 	Vless
 	Trojan
 	Hysteria
-	Hysteria2
 	WireGuard
 	Tuic
 )
@@ -183,6 +183,8 @@ func (at AdapterType) String() string {
 		return "Compatible"
 	case Pass:
 		return "Pass"
+	case Mitm:
+		return "Mitm"
 	case Shadowsocks:
 		return "Shadowsocks"
 	case ShadowsocksR:
@@ -201,8 +203,6 @@ func (at AdapterType) String() string {
 		return "Trojan"
 	case Hysteria:
 		return "Hysteria"
-	case Hysteria2:
-		return "Hysteria2"
 	case WireGuard:
 		return "WireGuard"
 	case Tuic:

constant/http.go

@@ -1,5 +0,0 @@
-package constant
-
-var (
-	UA string
-)

constant/metadata.go

@@ -30,8 +30,8 @@ const (
 	TUNNEL
 	TUN
 	TUIC
-	HYSTERIA2
 	INNER
+	MITM
 )
 
 type NetWork int
@@ -79,10 +79,10 @@ func (t Type) String() string {
 		return "Tun"
 	case TUIC:
 		return "Tuic"
-	case HYSTERIA2:
-		return "Hysteria2"
 	case INNER:
 		return "Inner"
+	case MITM:
+		return "Mitm"
 	default:
 		return "Unknown"
 	}
@@ -113,8 +113,6 @@ func ParseType(t string) (*Type, error) {
 		res = TUN
 	case "TUIC":
 		res = TUIC
-	case "HYSTERIA2":
-		res = HYSTERIA2
 	case "INNER":
 		res = INNER
 	default:
@@ -149,6 +147,8 @@ type Metadata struct {
 	RemoteDst    string     `json:"remoteDestination"`
 	// Only domain rule
 	SniffHost string `json:"sniffHost"`
+	// Only Mitm rule
+	UserAgent string `json:"userAgent"`
 }
 
 func (m *Metadata) RemoteAddress() string {
@@ -162,6 +162,8 @@ func (m *Metadata) SourceAddress() string {
 func (m *Metadata) SourceDetail() string {
 	if m.Type == INNER {
 		return fmt.Sprintf("%s", ClashName)
+	} else if m.Type == MITM {
+		return fmt.Sprintf("%s-MITM", ClashName)
 	}
 
 	switch {

constant/path.go

@@ -148,8 +148,12 @@ func (p *path) GeoSite() string {
 	return P.Join(p.homeDir, "GeoSite.dat")
 }
 
-func (p *path) GetAssetLocation(file string) string {
-	return P.Join(p.homeDir, file)
+func (p *path) RootCA() string {
+	return p.Resolve("mitm_ca.crt")
+}
+
+func (p *path) CAKey() string {
+	return p.Resolve("mitm_ca.key")
 }
 
 func (p *path) GetExecutableFullPath() string {

constant/rewrite.go

@@ -0,0 +1,120 @@
+package constant
+
+import (
+	"encoding/json"
+	"errors"
+	regexp "github.com/dlclark/regexp2"
+)
+
+var RewriteTypeMapping = map[string]RewriteType{
+	MitmReject.String():         MitmReject,
+	MitmReject200.String():      MitmReject200,
+	MitmRejectImg.String():      MitmRejectImg,
+	MitmRejectDict.String():     MitmRejectDict,
+	MitmRejectArray.String():    MitmRejectArray,
+	Mitm302.String():            Mitm302,
+	Mitm307.String():            Mitm307,
+	MitmRequestHeader.String():  MitmRequestHeader,
+	MitmRequestBody.String():    MitmRequestBody,
+	MitmResponseHeader.String(): MitmResponseHeader,
+	MitmResponseBody.String():   MitmResponseBody,
+}
+
+const (
+	MitmReject RewriteType = iota
+	MitmReject200
+	MitmRejectImg
+	MitmRejectDict
+	MitmRejectArray
+
+	Mitm302
+	Mitm307
+
+	MitmRequestHeader
+	MitmRequestBody
+
+	MitmResponseHeader
+	MitmResponseBody
+)
+
+type RewriteType int
+
+// UnmarshalYAML unserialize RewriteType with yaml
+func (e *RewriteType) UnmarshalYAML(unmarshal func(any) error) error {
+	var tp string
+	if err := unmarshal(&tp); err != nil {
+		return err
+	}
+	mode, exist := RewriteTypeMapping[tp]
+	if !exist {
+		return errors.New("invalid MITM Action")
+	}
+	*e = mode
+	return nil
+}
+
+// MarshalYAML serialize RewriteType with yaml
+func (e RewriteType) MarshalYAML() (any, error) {
+	return e.String(), nil
+}
+
+// UnmarshalJSON unserialize RewriteType with json
+func (e *RewriteType) UnmarshalJSON(data []byte) error {
+	var tp string
+	json.Unmarshal(data, &tp)
+	mode, exist := RewriteTypeMapping[tp]
+	if !exist {
+		return errors.New("invalid MITM Action")
+	}
+	*e = mode
+	return nil
+}
+
+// MarshalJSON serialize RewriteType with json
+func (e RewriteType) MarshalJSON() ([]byte, error) {
+	return json.Marshal(e.String())
+}
+
+func (rt RewriteType) String() string {
+	switch rt {
+	case MitmReject:
+		return "reject" // 404
+	case MitmReject200:
+		return "reject-200"
+	case MitmRejectImg:
+		return "reject-img"
+	case MitmRejectDict:
+		return "reject-dict"
+	case MitmRejectArray:
+		return "reject-array"
+	case Mitm302:
+		return "302"
+	case Mitm307:
+		return "307"
+	case MitmRequestHeader:
+		return "request-header"
+	case MitmRequestBody:
+		return "request-body"
+	case MitmResponseHeader:
+		return "response-header"
+	case MitmResponseBody:
+		return "response-body"
+	default:
+		return "Unknown"
+	}
+}
+
+type Rewrite interface {
+	ID() string
+	URLRegx() *regexp.Regexp
+	RuleType() RewriteType
+	RuleRegx() *regexp.Regexp
+	RulePayload() string
+	ReplaceURLPayload([]string) string
+	ReplaceSubPayload(string) string
+}
+
+type RewriteRule interface {
+	SearchInRequest(func(Rewrite) bool) bool
+	SearchInResponse(func(Rewrite) bool) bool
+}

constant/rule.go

@@ -23,6 +23,7 @@ const (
 	Network
 	Uid
 	SubRules
+	UserAgent
 	MATCH
 	AND
 	OR
@@ -67,6 +68,8 @@ func (rt RuleType) String() string {
 		return "Process"
 	case ProcessPath:
 		return "ProcessPath"
+	case UserAgent:
+		return "UserAgent"
 	case MATCH:
 		return "Match"
 	case RuleSet:

dns/client.go

@@ -9,9 +9,9 @@ import (
 	"strings"
 
 	"github.com/Dreamacro/clash/common/atomic"
-	"github.com/Dreamacro/clash/component/ca"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/resolver"
+	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 
 	D "github.com/miekg/dns"
@@ -99,7 +99,7 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error)
 	ch := make(chan result, 1)
 	go func() {
 		if strings.HasSuffix(c.Client.Net, "tls") {
-			conn = tls.Client(conn, ca.GetGlobalTLSConfig(c.Client.TLSConfig))
+			conn = tls.Client(conn, tlsC.GetGlobalTLSConfig(c.Client.TLSConfig))
 		}
 
 		msg, _, err := c.Client.ExchangeWithConn(m, &D.Conn{

dns/doh.go

@@ -15,7 +15,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/Dreamacro/clash/component/ca"
+	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 	"github.com/metacubex/quic-go"
@@ -382,7 +382,7 @@ func (doh *dnsOverHTTPS) createClient(ctx context.Context) (*http.Client, error)
 // HTTP3 is enabled in the upstream options).  If this attempt is successful,
 // it returns an HTTP3 transport, otherwise it returns the H1/H2 transport.
 func (doh *dnsOverHTTPS) createTransport(ctx context.Context) (t http.RoundTripper, err error) {
-	tlsConfig := ca.GetGlobalTLSConfig(
+	tlsConfig := tlsC.GetGlobalTLSConfig(
 		&tls.Config{
 			InsecureSkipVerify:     false,
 			MinVersion:             tls.VersionTLS12,

dns/doq.go

@@ -12,7 +12,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/Dreamacro/clash/component/ca"
+	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 	"github.com/metacubex/quic-go"
@@ -330,7 +330,7 @@ func (doq *dnsOverQUIC) openConnection(ctx context.Context) (conn quic.Connectio
 		return nil, err
 	}
 
-	tlsConfig := ca.GetGlobalTLSConfig(
+	tlsConfig := tlsC.GetGlobalTLSConfig(
 		&tls.Config{
 			ServerName:         host,
 			InsecureSkipVerify: false,

dns/resolver.go

@@ -200,7 +200,6 @@ func (r *Resolver) exchangeWithoutCache(ctx context.Context, m *D.Msg) (msg *D.M
 
 		isIPReq := isIPRequest(q)
 		if isIPReq {
-			cache=true
 			return r.ipExchange(ctx, m)
 		}
 

dns/util.go

@@ -30,13 +30,9 @@ const (
 )
 
 func minimalTTL(records []D.RR) uint32 {
-	minObj := lo.MinBy(records, func(r1 D.RR, r2 D.RR) bool {
+	return lo.MinBy(records, func(r1 D.RR, r2 D.RR) bool {
 		return r1.Header().Ttl < r2.Header().Ttl
-	})
-	if minObj != nil {
-		return minObj.Header().Ttl
-	}
-	return 0
+	}).Header().Ttl
 }
 
 func updateTTL(records []D.RR, ttl uint32) {
@@ -50,27 +46,27 @@ func updateTTL(records []D.RR, ttl uint32) {
 }
 
 func putMsgToCache(c *cache.LruCache[string, *D.Msg], key string, msg *D.Msg) {
-	putMsgToCacheWithExpire(c, key, msg, 0)
-}
-
-func putMsgToCacheWithExpire(c *cache.LruCache[string, *D.Msg], key string, msg *D.Msg, sec uint32) {
-	if sec == 0 {
-		if sec = minimalTTL(msg.Answer); sec == 0 {
-			if sec = minimalTTL(msg.Ns); sec == 0 {
-				sec = minimalTTL(msg.Extra)
-			}
-		}
-		if sec == 0 {
+	// skip dns cache for acme challenge
+	if len(msg.Question) != 0 {
+		if q := msg.Question[0]; q.Qtype == D.TypeTXT && strings.HasPrefix(q.Name, "_acme-challenge") {
+			log.Debugln("[DNS] dns cache ignored because of acme challenge for: %s", q.Name)
 			return
 		}
-
-		if sec > 120 {
-			sec = 120 // at least 2 minutes to cache
-		}
-
+	}
+	var ttl uint32
+	switch {
+	case len(msg.Answer) != 0:
+		ttl = minimalTTL(msg.Answer)
+	case len(msg.Ns) != 0:
+		ttl = minimalTTL(msg.Ns)
+	case len(msg.Extra) != 0:
+		ttl = minimalTTL(msg.Extra)
+	default:
+		log.Debugln("[DNS] response msg empty: %#v", msg)
+		return
 	}
 
-	c.SetWithExpire(key, msg.Copy(), time.Now().Add(time.Duration(sec)*time.Second))
+	c.SetWithExpire(key, msg.Copy(), time.Now().Add(time.Second*time.Duration(ttl)))
 }
 
 func setMsgTTL(msg *D.Msg, ttl uint32) {
@@ -290,7 +286,7 @@ func listenPacket(ctx context.Context, proxyAdapter C.ProxyAdapter, proxyName st
 		DstPort: uint16(uintPort),
 	}
 	if proxyAdapter == nil {
-		return dialer.NewDialer(opts...).ListenPacket(ctx, dialer.ParseNetwork(network, dstIP), "", netip.AddrPortFrom(metadata.DstIP, metadata.DstPort))
+		return dialer.ListenPacket(ctx, dialer.ParseNetwork(network, dstIP), "", opts...)
 	}
 
 	if !proxyAdapter.SupportUDP() {

docs/config.yaml

@@ -41,11 +41,7 @@ external-controller-tls: 0.0.0.0:9443 # RESTful API HTTPS 监听地址，需要
 # secret: "123456" # `Authorization:Bearer ${secret}`
 
 # tcp-concurrent: true # TCP 并发连接所有 IP, 将使用最快握手的 TCP
-
-# 配置 WEB UI 目录，使用 http://{{external-controller}}/ui 访问
-external-ui: /path/to/ui/folder/
-external-ui-name: xd
-external-ui-url: "https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.zip"
+external-ui: /path/to/ui/folder # 配置 WEB UI 目录，使用 http://{{external-controller}}/ui 访问
 
 # interface-name: en0 # 设置出口网卡
 
@@ -54,18 +50,10 @@ external-ui-url: "https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-
 # Utls is currently support TLS transport in TCP/grpc/WS/HTTP for VLESS/Vmess and trojan.
 global-client-fingerprint: chrome
 
-#  TCP keep alive interval
-keep-alive-interval: 15
+keep-alive-interval: 30
 
 # routing-mark:6666 # 配置 fwmark 仅用于 Linux
 experimental:
-  # Disable quic-go GSO support. This may result in reduced performance on Linux.
-  # This is not recommended for most users.
-  # Only users encountering issues with quic-go's internal implementation should enable this,
-  # and they should disable it as soon as the issue is resolved.
-  # This field will be removed when quic-go fixes all their issues in GSO.
-  # This equivalent to the environment variable QUIC_GO_DISABLE_GSO=1.
-  #quic-go-disable-gso: true
 
 # 类似于 /etc/hosts, 仅支持配置单个 IP
 hosts:
@@ -642,25 +630,6 @@ proxies: # socks5
     # fingerprint: xxxx
     # fast-open: true # 支持 TCP 快速打开，默认为 false
 
-  #hysteria2
-  - name: "hysteria2"
-    type: hysteria2
-    server: server.com
-    port: 443
-    #  up和down均不写或为0则使用BBR流控
-    # up: "30 Mbps" # 若不写单位，默认为 Mbps
-    # down: "200 Mbps" # 若不写单位，默认为 Mbps
-    password: yourpassword
-    # obfs: salamander # 默认为空，如果填写则开启obfs，目前仅支持salamander
-    # obfs-password: yourpassword
-    # sni: server.com
-    # skip-cert-verify: false
-    # fingerprint: xxxx
-    # alpn:
-    #   - h3
-    # ca: "./my.ca"
-    # ca-str: "xyz"
-
   # wireguard
   - name: "wg"
     type: wireguard

go.mod

@@ -5,51 +5,54 @@ go 1.20
 require (
 	github.com/3andne/restls-client-go v0.1.6
 	github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da
+	github.com/beevik/ntp v1.3.0
 	github.com/cilium/ebpf v0.11.0
 	github.com/coreos/go-iptables v0.7.0
 	github.com/dlclark/regexp2 v1.10.0
 	github.com/go-chi/chi/v5 v5.0.10
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/render v1.0.3
+	github.com/gofrs/uuid v4.4.0+incompatible
 	github.com/gofrs/uuid/v5 v5.0.0
 	github.com/gorilla/websocket v1.5.0
-	github.com/insomniacslk/dhcp v0.0.0-20230908212754-65c27093e38a
+	github.com/insomniacslk/dhcp v0.0.0-20230731140434-0f9eb93a696c
 	github.com/jpillora/backoff v1.0.0
 	github.com/klauspost/cpuid/v2 v2.2.5
 	github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40
 	github.com/mdlayher/netlink v1.7.2
 	github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759
-	github.com/metacubex/quic-go v0.38.1-0.20230909013832-033f6a2115cf
-	github.com/metacubex/sing-quic v0.0.0-20230921160948-82175eb07a81
-	github.com/metacubex/sing-shadowsocks v0.2.5
-	github.com/metacubex/sing-shadowsocks2 v0.1.4
-	github.com/metacubex/sing-tun v0.1.12
-	github.com/metacubex/sing-vmess v0.1.9-0.20230921005247-a0488d7dac74
+	github.com/metacubex/quic-go v0.38.1-0.20230821081539-517fdb17fb28
+	github.com/metacubex/sing-shadowsocks v0.2.4
+	github.com/metacubex/sing-shadowsocks2 v0.1.3
+	github.com/metacubex/sing-tun v0.1.11
+	github.com/metacubex/sing-vmess v0.1.8-0.20230801054944-603005461ff8
 	github.com/metacubex/sing-wireguard v0.0.0-20230611155257-1498ae315a28
-	github.com/miekg/dns v1.1.56
+	github.com/miekg/dns v1.1.55
 	github.com/mroth/weightedrand/v2 v2.1.0
 	github.com/openacid/low v0.1.21
 	github.com/oschwald/maxminddb-golang v1.12.0
 	github.com/puzpuzpuz/xsync/v2 v2.5.0
 	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97
-	github.com/sagernet/sing v0.2.11
-	github.com/sagernet/sing-mux v0.1.3
+	github.com/sagernet/sing v0.2.10-0.20230807080248-4db0062caa0a
+	github.com/sagernet/sing-mux v0.1.3-0.20230811111955-dc1639b5204c
 	github.com/sagernet/sing-shadowtls v0.1.4
 	github.com/sagernet/tfo-go v0.0.0-20230816093905-5a5c285d44a6
 	github.com/sagernet/utls v0.0.0-20230309024959-6732c2ab36f2
 	github.com/sagernet/wireguard-go v0.0.0-20230807125731-5d4a7ef2dc5f
 	github.com/samber/lo v1.38.1
-	github.com/shirou/gopsutil/v3 v3.23.8
+	github.com/shirou/gopsutil/v3 v3.23.7
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.8.4
 	github.com/zhangyunhao116/fastrand v0.3.0
 	go.etcd.io/bbolt v1.3.7
+	go.uber.org/atomic v1.9.0
 	go.uber.org/automaxprocs v1.5.3
-	golang.org/x/crypto v0.13.0
-	golang.org/x/exp v0.0.0-20230905200255-921286631fa9
-	golang.org/x/net v0.15.0
+	golang.org/x/crypto v0.12.0
+	golang.org/x/exp v0.0.0-20230811145659-89c5cff77bcb
+	golang.org/x/net v0.14.0
 	golang.org/x/sync v0.3.0
-	golang.org/x/sys v0.12.0
+	golang.org/x/sys v0.11.0
+	golang.org/x/text v0.12.0
 	google.golang.org/protobuf v1.31.0
 	gopkg.in/yaml.v3 v3.0.1
 	lukechampine.com/blake3 v1.2.1
@@ -67,7 +70,7 @@ require (
 	github.com/ericlagergren/subtle v0.0.0-20220507045147-890d697da010 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/gaukas/godicttls v0.0.4 // indirect
-	github.com/go-ole/go-ole v1.3.0 // indirect
+	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/golang/mock v1.6.0 // indirect
 	github.com/google/btree v1.1.2 // indirect
@@ -85,7 +88,7 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
-	github.com/quic-go/qtls-go1-20 v0.3.3 // indirect
+	github.com/quic-go/qtls-go1-20 v0.3.2 // indirect
 	github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 // indirect
 	github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37 // indirect
 	github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 // indirect
@@ -93,16 +96,15 @@ require (
 	github.com/sina-ghaderi/poly1305 v0.0.0-20220724002748-c5926b03988b // indirect
 	github.com/sina-ghaderi/rabaead v0.0.0-20220730151906-ab6e06b96e8c // indirect
 	github.com/sina-ghaderi/rabbitio v0.0.0-20220730151941-9ce26f4f872e // indirect
-	github.com/tklauser/go-sysconf v0.3.12 // indirect
-	github.com/tklauser/numcpus v0.6.1 // indirect
+	github.com/tklauser/go-sysconf v0.3.11 // indirect
+	github.com/tklauser/numcpus v0.6.0 // indirect
 	github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 // indirect
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	github.com/yusufpapurcu/wmi v1.2.3 // indirect
 	gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec // indirect
-	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/mod v0.11.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.13.0 // indirect
+	golang.org/x/tools v0.9.1 // indirect
 )
 
-replace github.com/sagernet/sing => github.com/metacubex/sing v0.0.0-20230921160249-edb949c9c140
+replace github.com/sagernet/sing => github.com/metacubex/sing v0.0.0-20230817143035-28d23f152579

go.sum

@@ -10,6 +10,8 @@ github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs=
 github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
+github.com/beevik/ntp v1.3.0 h1:/w5VhpW5BGKS37vFm1p9oVk/t4HnnkKZAZIubHM6F7Q=
+github.com/beevik/ntp v1.3.0/go.mod h1:vD6h1um4kzXpqmLTuu0cCLcC+NfvC0IC+ltmEDA8E78=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
@@ -44,11 +46,12 @@ github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vz
 github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
 github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
 github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
+github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
-github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
-github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
+github.com/gofrs/uuid v4.4.0+incompatible h1:3qXRTX8/NbyulANqlc0lchS1gqAVxRgsuW1YrTJupqA=
+github.com/gofrs/uuid v4.4.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gofrs/uuid/v5 v5.0.0 h1:p544++a97kEL+svbcFbCQVM9KFu0Yo25UoISXGNNH9M=
 github.com/gofrs/uuid/v5 v5.0.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV+9bD8=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
@@ -70,8 +73,8 @@ github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/ad
 github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
 github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/insomniacslk/dhcp v0.0.0-20230908212754-65c27093e38a h1:S33o3djA1nPRd+d/bf7jbbXytXuK/EoXow7+aa76grQ=
-github.com/insomniacslk/dhcp v0.0.0-20230908212754-65c27093e38a/go.mod h1:zmdm3sTSDP3vOOX3CEWRkkRHtKr1DxBx+J1OQFoDQQs=
+github.com/insomniacslk/dhcp v0.0.0-20230731140434-0f9eb93a696c h1:P/3mFnHCv1A/ej4m8pF5EB6FUt9qEL2Q9lfrcUNwCYs=
+github.com/insomniacslk/dhcp v0.0.0-20230731140434-0f9eb93a696c/go.mod h1:7474bZ1YNCvarT6WFKie4kEET6J0KYRDC4XJqqXzQW4=
 github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
 github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
@@ -95,24 +98,22 @@ github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759 h1:cjd4biTvO
 github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759/go.mod h1:UHOv2xu+RIgLwpXca7TLrXleEd4oR3sPatW6IF8wU88=
 github.com/metacubex/gvisor v0.0.0-20230611153922-78842f086475 h1:qSEOvPPaMrWggFyFhFYGyMR8i1HKyhXjdi1QYUAa2ww=
 github.com/metacubex/gvisor v0.0.0-20230611153922-78842f086475/go.mod h1:wehEpqiogdeyncfhckJP5gD2LtBgJW0wnDC24mJ+8Jg=
-github.com/metacubex/quic-go v0.38.1-0.20230909013832-033f6a2115cf h1:hflzPbb2M+3uUOZEVO72MKd2R62xEermoVaNhJOzBR8=
-github.com/metacubex/quic-go v0.38.1-0.20230909013832-033f6a2115cf/go.mod h1:7RCcKJJk1DMeNQQNnYKS+7FqftqPfG031oP8jrYRMw8=
-github.com/metacubex/sing v0.0.0-20230921160249-edb949c9c140 h1:qiTekhMDwY2vXARJx1D9EIEdtllbL7+ZBzHX9DQpWs4=
-github.com/metacubex/sing v0.0.0-20230921160249-edb949c9c140/go.mod h1:GQ673iPfUnkbK/dIPkfd1Xh1MjOGo36gkl/mkiHY7Jg=
-github.com/metacubex/sing-quic v0.0.0-20230921160948-82175eb07a81 h1:6g+ohVa8FQLXz/ATmped/4kWuK0HKvhy1hwzQXyF0EI=
-github.com/metacubex/sing-quic v0.0.0-20230921160948-82175eb07a81/go.mod h1:oGpQmqe5tj3sPdPWCNLbBoUSwqd+Z6SqVO7TlMNVnH4=
-github.com/metacubex/sing-shadowsocks v0.2.5 h1:O2RRSHlKGEpAVG/OHJQxyHqDy8uvvdCW/oW2TDBOIhc=
-github.com/metacubex/sing-shadowsocks v0.2.5/go.mod h1:Xz2uW9BEYGEoA8B4XEpoxt7ERHClFCwsMAvWaruoyMo=
-github.com/metacubex/sing-shadowsocks2 v0.1.4 h1:OOCf8lgsVcpTOJUeaFAMzyKVebaQOBnKirDdUdBoKIE=
-github.com/metacubex/sing-shadowsocks2 v0.1.4/go.mod h1:Qz028sLfdY3qxGRm9FDI+IM2Ae3ty2wR7HIzD/56h/k=
-github.com/metacubex/sing-tun v0.1.12 h1:Jgmz0k3ddRiJ8zfS4X7j6B/iSy6GnOdDEU0nhqiZcK4=
-github.com/metacubex/sing-tun v0.1.12/go.mod h1:X2P/H1HqXwqGcguGXWDVDhSS1GmDxVi13OmbtDedZ2M=
-github.com/metacubex/sing-vmess v0.1.9-0.20230921005247-a0488d7dac74 h1:FtupiyFkaVjFvRa7B/uDtRWg5BNsoyPC9MTev3sDasY=
-github.com/metacubex/sing-vmess v0.1.9-0.20230921005247-a0488d7dac74/go.mod h1:8EWBZpc+qNvf5gmvjAtMHK1/DpcWqzfcBL842K00BsM=
+github.com/metacubex/quic-go v0.38.1-0.20230821081539-517fdb17fb28 h1:ggSo4B1LDH9ZIROoUibxlrUpi7YCMri7HMXn4aNQkiM=
+github.com/metacubex/quic-go v0.38.1-0.20230821081539-517fdb17fb28/go.mod h1:SthFvvoqgrEUgIxQXRnqdUAAYQECBavkhl7iA0geVd8=
+github.com/metacubex/sing v0.0.0-20230817143035-28d23f152579 h1:dE1dBB6CTzNdSMFTE5OCHvzHLewiqiA1nhD+7egtvAc=
+github.com/metacubex/sing v0.0.0-20230817143035-28d23f152579/go.mod h1:9uOZwWkhT2Z2WldolLxX34s+1svAX4i4vvz5hy8u1MA=
+github.com/metacubex/sing-shadowsocks v0.2.4 h1:Gc99Z17JVif1PKKq1pjqhSmc2kvHUgk+AqxOstCzhQ0=
+github.com/metacubex/sing-shadowsocks v0.2.4/go.mod h1:w9qoEZSh9aKeXSLXHe0DGbG2UE9/2VlLGwukzQZ7byI=
+github.com/metacubex/sing-shadowsocks2 v0.1.3 h1:nZvH+4jQXZ92NeNdR9fXaUGTPNJPt6u0nkcuh/NEt5Y=
+github.com/metacubex/sing-shadowsocks2 v0.1.3/go.mod h1:5Mt93RlmRlIcDmvtapkhQJ8YTRGLFhHciLYopJjs7j8=
+github.com/metacubex/sing-tun v0.1.11 h1:B8meDewklvKkeUfjqR2ViuYLam0/m4IgkTi3qcJIOuc=
+github.com/metacubex/sing-tun v0.1.11/go.mod h1:vbki176Y5sxXC1DWXucrPh3q5j8cKai1D87y8m8rjQc=
+github.com/metacubex/sing-vmess v0.1.8-0.20230801054944-603005461ff8 h1:AqqZCr9gOeKdO6oIzFh4b2puOUFcw8MdpmGHWRehyX8=
+github.com/metacubex/sing-vmess v0.1.8-0.20230801054944-603005461ff8/go.mod h1:tyJg7b4s8NrSztl/Y1ajA7X0sJLlIsEJWkgRVocjmgY=
 github.com/metacubex/sing-wireguard v0.0.0-20230611155257-1498ae315a28 h1:mXFpxfR/1nADh+GoT8maWEvc6LO6uatPsARD8WzUDMA=
 github.com/metacubex/sing-wireguard v0.0.0-20230611155257-1498ae315a28/go.mod h1:KrDPq/dE793jGIJw9kcIvjA/proAfU0IeU7WlMXW7rs=
-github.com/miekg/dns v1.1.56 h1:5imZaSeoRNvpM9SzWNhEcP9QliKiz20/dA2QabIGVnE=
-github.com/miekg/dns v1.1.56/go.mod h1:cRm6Oo2C8TY9ZS/TqsSrseAcncm74lfK5G+ikN2SWWY=
+github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo=
+github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
 github.com/mroth/weightedrand/v2 v2.1.0 h1:o1ascnB1CIVzsqlfArQQjeMy1U0NcIbBO5rfd5E/OeU=
 github.com/mroth/weightedrand/v2 v2.1.0/go.mod h1:f2faGsfOGOwc1p94wzHKKZyTpcJUW7OJ/9U4yfiNAOU=
 github.com/oasisprotocol/deoxysii v0.0.0-20220228165953-2091330c22b7 h1:1102pQc2SEPp5+xrS26wEaeb26sZy6k9/ZXlZN+eXE4=
@@ -139,15 +140,15 @@ github.com/puzpuzpuz/xsync/v2 v2.5.0 h1:2k4qrO/orvmEXZ3hmtHqIy9XaQtPTwzMZk1+iErp
 github.com/puzpuzpuz/xsync/v2 v2.5.0/go.mod h1:gD2H2krq/w52MfPLE+Uy64TzJDVY7lP2znR9qmR35kU=
 github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
 github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
-github.com/quic-go/qtls-go1-20 v0.3.3 h1:17/glZSLI9P9fDAeyCHBFSWSqJcwx1byhLwP5eUIDCM=
-github.com/quic-go/qtls-go1-20 v0.3.3/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k=
+github.com/quic-go/qtls-go1-20 v0.3.2 h1:rRgN3WfnKbyik4dBV8A6girlJVxGand/d+jVKbQq5GI=
+github.com/quic-go/qtls-go1-20 v0.3.2/go.mod h1:X9Nh97ZL80Z+bX/gUXMbipO6OxdiDi58b/fMC9mAL+k=
 github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 h1:5+m7c6AkmAylhauulqN/c5dnh8/KssrE9c93TQrXldA=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61/go.mod h1:QUQ4RRHD6hGGHdFMEtR8T2P6GS6R3D/CXKdaYHKKXms=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
-github.com/sagernet/sing-mux v0.1.3 h1:fAf7PZa2A55mCeh0KKM02f1k2Y4vEmxuZZ/51ahkkLA=
-github.com/sagernet/sing-mux v0.1.3/go.mod h1:wGeIeiiFLx4HUM5LAg65wrNZ/X1muOimqK0PEhNbPi0=
+github.com/sagernet/sing-mux v0.1.3-0.20230811111955-dc1639b5204c h1:35/FowAvt3Z62mck0TXzVc4jS5R5CWq62qcV2P1cp0I=
+github.com/sagernet/sing-mux v0.1.3-0.20230811111955-dc1639b5204c/go.mod h1:TKxqIvfQQgd36jp2tzsPavGjYTVZilV+atip1cssjIY=
 github.com/sagernet/sing-shadowtls v0.1.4 h1:aTgBSJEgnumzFenPvc+kbD9/W0PywzWevnVpEx6Tw3k=
 github.com/sagernet/sing-shadowtls v0.1.4/go.mod h1:F8NBgsY5YN2beQavdgdm1DPlhaKQlaL6lpDdcBglGK4=
 github.com/sagernet/smux v0.0.0-20230312102458-337ec2a5af37 h1:HuE6xSwco/Xed8ajZ+coeYLmioq0Qp1/Z2zczFaV8as=
@@ -162,8 +163,8 @@ github.com/samber/lo v1.38.1 h1:j2XEAqXKb09Am4ebOg31SpvzUTTs6EN3VfgeLUhPdXM=
 github.com/samber/lo v1.38.1/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
 github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 h1:rc/CcqLH3lh8n+csdOuDfP+NuykE0U6AeYSJJHKDgSg=
 github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9/go.mod h1:a/83NAfUXvEuLpmxDssAXxgUgrEy12MId3Wd7OTs76s=
-github.com/shirou/gopsutil/v3 v3.23.8 h1:xnATPiybo6GgdRoC4YoGnxXZFRc3dqQTGi73oLvvBrE=
-github.com/shirou/gopsutil/v3 v3.23.8/go.mod h1:7hmCaBn+2ZwaZOr6jmPBZDfawwMGuo1id3C6aM8EDqQ=
+github.com/shirou/gopsutil/v3 v3.23.7 h1:C+fHO8hfIppoJ1WdsVm1RoI0RwXoNdfTK7yWXV0wVj4=
+github.com/shirou/gopsutil/v3 v3.23.7/go.mod h1:c4gnmoRC0hQuaLqvxnx1//VXQ0Ms/X9UnJF8pddY5z4=
 github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
 github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
 github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
@@ -186,10 +187,10 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFAEVmqU=
-github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI=
-github.com/tklauser/numcpus v0.6.1 h1:ng9scYS7az0Bk4OZLvrNXNSAO2Pxr1XXRAPyjhIx+Fk=
-github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY=
+github.com/tklauser/go-sysconf v0.3.11 h1:89WgdJhk5SNwJfu+GKyYveZ4IaJ7xAkecBo+KdJV0CM=
+github.com/tklauser/go-sysconf v0.3.11/go.mod h1:GqXfhXY3kiPa0nAXPDIQIWzJbMCB7AmcWpGR8lSZfqI=
+github.com/tklauser/numcpus v0.6.0 h1:kebhY2Qt+3U6RNK7UqpYNA+tJ23IBEGKkB7JQBfDYms=
+github.com/tklauser/numcpus v0.6.0/go.mod h1:FEZLMke0lhOUG6w2JadTzp0a+Nl8PF/GFkQ5UVIcaL4=
 github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 h1:tHNk7XK9GkmKUR6Gh8gVBKXc2MVSZ4G/NnWLtzw4gNA=
 github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
 github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
@@ -198,6 +199,7 @@ github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f/go.mod h1:DD4vA1
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 h1:gga7acRE695APm9hlsSMoOoE65U4/TcqNj90mc69Rlg=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yusufpapurcu/wmi v1.2.3 h1:E1ctvB7uKFMOJw3fdOW32DwGE9I7t++CRUEMKvFoFiw=
 github.com/yusufpapurcu/wmi v1.2.3/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
 github.com/zhangyunhao116/fastrand v0.3.0 h1:7bwe124xcckPulX6fxtr2lFdO2KQqaefdtbk+mqO/Ig=
@@ -206,26 +208,39 @@ gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec h1:FpfFs4EhNehiV
 gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec/go.mod h1:BZ1RAoRPbCxum9Grlv5aeksu2H8BiKehBYooU2LFiOQ=
 go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ=
 go.etcd.io/bbolt v1.3.7/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
+go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
+go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8=
 go.uber.org/automaxprocs v1.5.3/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnwa1WM0=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
-golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g=
-golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I=
+golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
+golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
+golang.org/x/exp v0.0.0-20230811145659-89c5cff77bcb h1:mIKbk8weKhSeLH2GmUTrvx8CjkyJmnU1wFmg59CUjFA=
+golang.org/x/exp v0.0.0-20230811145659-89c5cff77bcb/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
-golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU=
+golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8=
-golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ=
+golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
+golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -239,28 +254,42 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
-golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
+golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
-golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo=
+golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

hub/executor/executor.go

@@ -2,6 +2,7 @@ package executor
 
 import (
 	"fmt"
+	"github.com/Dreamacro/clash/ntp"
 	"net"
 	"net/netip"
 	"os"
@@ -11,13 +12,10 @@ import (
 	"sync"
 	"time"
 
-	"github.com/Dreamacro/clash/ntp"
-
 	"github.com/Dreamacro/clash/adapter"
 	"github.com/Dreamacro/clash/adapter/inbound"
 	"github.com/Dreamacro/clash/adapter/outboundgroup"
 	"github.com/Dreamacro/clash/component/auth"
-	"github.com/Dreamacro/clash/component/ca"
 	"github.com/Dreamacro/clash/component/dialer"
 	G "github.com/Dreamacro/clash/component/geodata"
 	"github.com/Dreamacro/clash/component/iface"
@@ -25,6 +23,7 @@ import (
 	"github.com/Dreamacro/clash/component/profile/cachefile"
 	"github.com/Dreamacro/clash/component/resolver"
 	SNI "github.com/Dreamacro/clash/component/sniffer"
+	CTLS "github.com/Dreamacro/clash/component/tls"
 	"github.com/Dreamacro/clash/component/trie"
 	"github.com/Dreamacro/clash/config"
 	C "github.com/Dreamacro/clash/constant"
@@ -84,18 +83,19 @@ func ApplyConfig(cfg *config.Config, force bool) {
 
 	tunnel.OnSuspend()
 
-	ca.ResetCertificate()
+	CTLS.ResetCertificate()
 	for _, c := range cfg.TLS.CustomTrustCert {
-		if err := ca.AddCertificate(c); err != nil {
+		if err := CTLS.AddCertificate(c); err != nil {
 			log.Warnln("%s\nadd error: %s", c, err.Error())
 		}
 	}
 
 	updateUsers(cfg.Users)
-	updateProxies(cfg.Proxies, cfg.Providers)
+	updateProxies(cfg.Mitm, cfg.Proxies, cfg.Providers)
 	updateRules(cfg.Rules, cfg.SubRules, cfg.RuleProviders)
 	updateSniffer(cfg.Sniffer)
 	updateHosts(cfg.Hosts)
+	updateMitm(cfg.Mitm)
 	updateGeneral(cfg.General)
 	updateNTP(cfg.NTP)
 	updateDNS(cfg.DNS, cfg.RuleProviders, cfg.General.IPv6)
@@ -135,6 +135,7 @@ func GetGeneral() *config.General {
 			RedirPort:         ports.RedirPort,
 			TProxyPort:        ports.TProxyPort,
 			MixedPort:         ports.MixedPort,
+			MitmPort:          ports.MitmPort,
 			Tun:               listener.GetTunConf(),
 			TuicServer:        listener.GetTuicConf(),
 			ShadowSocksConfig: ports.ShadowSocksConfig,
@@ -143,7 +144,6 @@ func GetGeneral() *config.General {
 			AllowLan:          listener.AllowLan(),
 			BindAddress:       listener.BindAddress(),
 		},
-		Controller:    config.Controller{},
 		Mode:          tunnel.Mode(),
 		LogLevel:      log.Level(),
 		IPv6:          !resolver.DisableIPv6,
@@ -183,19 +183,12 @@ func updateListeners(general *config.General, listeners map[string]C.InboundList
 }
 
 func updateExperimental(c *config.Config) {
-	if c.Experimental.QUICGoDisableGSO {
-		_ = os.Setenv("QUIC_GO_DISABLE_GSO", "1")
-	}
 }
 
 func updateNTP(c *config.NTP) {
 	if c.Enable {
-		ntp.ReCreateNTPService(
-			net.JoinHostPort(c.Server, strconv.Itoa(c.Port)),
-			time.Duration(c.Interval),
-			c.DialerProxy,
-			c.WriteToSystem,
-		)
+		ntp.ReCreateNTPService(net.JoinHostPort(c.Server, strconv.Itoa(c.Port)),
+			time.Duration(c.Interval))
 	}
 }
 
@@ -271,7 +264,7 @@ func updateHosts(tree *trie.DomainTrie[resolver.HostValue]) {
 	resolver.DefaultHosts = resolver.NewHosts(tree)
 }
 
-func updateProxies(proxies map[string]C.Proxy, providers map[string]provider.ProxyProvider) {
+func updateProxies(mitm *config.Mitm, proxies map[string]C.Proxy, providers map[string]provider.ProxyProvider) {
 	tunnel.UpdateProxies(proxies, providers)
 }
 
@@ -499,6 +492,11 @@ func updateIPTables(cfg *config.Config) {
 	log.Infoln("[IPTABLES] Setting iptables completed")
 }
 
+func updateMitm(mitm *config.Mitm) {
+	listener.ReCreateMitm(mitm.Port, tunnel.TCPIn())
+	tunnel.UpdateRewrites(mitm.Rules)
+}
+
 func Shutdown() {
 	listener.Cleanup()
 	tproxy.CleanupTProxyIPTables()

hub/route/configs.go

@@ -40,6 +40,7 @@ type configSchema struct {
 	RedirPort         *int               `json:"redir-port"`
 	TProxyPort        *int               `json:"tproxy-port"`
 	MixedPort         *int               `json:"mixed-port"`
+	MitmPort          *int               `json:"mitm-port"`
 	Tun               *tunSchema         `json:"tun"`
 	TuicServer        *tuicServerSchema  `json:"tuic-server"`
 	ShadowSocksConfig *string            `json:"ss-config"`
@@ -262,6 +263,7 @@ func patchConfigs(w http.ResponseWriter, r *http.Request) {
 	P.ReCreateShadowSocks(pointerOrDefaultString(general.ShadowSocksConfig, ports.ShadowSocksConfig), tcpIn, udpIn)
 	P.ReCreateVmess(pointerOrDefaultString(general.VmessConfig, ports.VmessConfig), tcpIn, udpIn)
 	P.ReCreateTuic(pointerOrDefaultTuicServer(general.TuicServer, P.LastTuicConf), tcpIn, udpIn)
+	P.ReCreateMitm(pointerOrDefault(general.MitmPort, ports.MitmPort), tcpIn)
 
 	if general.Mode != nil {
 		tunnel.SetMode(*general.Mode)

hub/route/provider.go

@@ -4,35 +4,22 @@ import (
 	"context"
 	"net/http"
 
-	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
 	"github.com/Dreamacro/clash/tunnel"
 
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/render"
-	"github.com/samber/lo"
 )
 
 func proxyProviderRouter() http.Handler {
 	r := chi.NewRouter()
 	r.Get("/", getProviders)
 
-	r.Route("/{providerName}", func(r chi.Router) {
+	r.Route("/{name}", func(r chi.Router) {
 		r.Use(parseProviderName, findProviderByName)
 		r.Get("/", getProvider)
 		r.Put("/", updateProvider)
 		r.Get("/healthcheck", healthCheckProvider)
-		r.Mount("/", proxyProviderProxyRouter())
-	})
-	return r
-}
-
-func proxyProviderProxyRouter() http.Handler {
-	r := chi.NewRouter()
-	r.Route("/{name}", func(r chi.Router) {
-		r.Use(parseProxyName, findProviderProxyByName)
-		r.Get("/", getProxy)
-		r.Get("/healthcheck", getProxyDelay)
 	})
 	return r
 }
@@ -67,7 +54,7 @@ func healthCheckProvider(w http.ResponseWriter, r *http.Request) {
 
 func parseProviderName(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		name := getEscapeParam(r, "providerName")
+		name := getEscapeParam(r, "name")
 		ctx := context.WithValue(r.Context(), CtxKeyProviderName, name)
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})
@@ -89,27 +76,6 @@ func findProviderByName(next http.Handler) http.Handler {
 	})
 }
 
-func findProviderProxyByName(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		var (
-			name = r.Context().Value(CtxKeyProxyName).(string)
-			pd   = r.Context().Value(CtxKeyProvider).(provider.ProxyProvider)
-		)
-		proxy, exist := lo.Find(pd.Proxies(), func(proxy C.Proxy) bool {
-			return proxy.Name() == name
-		})
-
-		if !exist {
-			render.Status(r, http.StatusNotFound)
-			render.JSON(w, r, ErrNotFound)
-			return
-		}
-
-		ctx := context.WithValue(r.Context(), CtxKeyProxy, proxy)
-		next.ServeHTTP(w, r.WithContext(ctx))
-	})
-}
-
 func ruleProviderRouter() http.Handler {
 	r := chi.NewRouter()
 	r.Get("/", getRuleProviders)

hub/route/proxies.go

@@ -46,7 +46,7 @@ func parseProxyName(next http.Handler) http.Handler {
 func findProxyByName(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		name := r.Context().Value(CtxKeyProxyName).(string)
-		proxies := tunnel.ProxiesWithProviders()
+		proxies := tunnel.Proxies()
 		proxy, exist := proxies[name]
 		if !exist {
 			render.Status(r, http.StatusNotFound)
@@ -60,7 +60,7 @@ func findProxyByName(next http.Handler) http.Handler {
 }
 
 func getProxies(w http.ResponseWriter, r *http.Request) {
-	proxies := tunnel.ProxiesWithProviders()
+	proxies := tunnel.Proxies()
 	render.JSON(w, r, render.M{
 		"proxies": proxies,
 	})

hub/route/upgrade.go

@@ -1,12 +1,10 @@
 package route
 
 import (
-	"errors"
 	"fmt"
 	"net/http"
 	"os"
 
-	"github.com/Dreamacro/clash/config"
 	"github.com/Dreamacro/clash/hub/updater"
 	"github.com/Dreamacro/clash/log"
 
@@ -16,12 +14,11 @@ import (
 
 func upgradeRouter() http.Handler {
 	r := chi.NewRouter()
-	r.Post("/", upgradeCore)
-	r.Post("/ui", updateUI)
+	r.Post("/", upgrade)
 	return r
 }
 
-func upgradeCore(w http.ResponseWriter, r *http.Request) {
+func upgrade(w http.ResponseWriter, r *http.Request) {
 	// modify from https://github.com/AdguardTeam/AdGuardHome/blob/595484e0b3fb4c457f9bb727a6b94faa78a66c5f/internal/home/controlupdate.go#L108
 	log.Infoln("start update")
 	execPath, err := os.Executable()
@@ -46,24 +43,3 @@ func upgradeCore(w http.ResponseWriter, r *http.Request) {
 
 	go restartExecutable(execPath)
 }
-
-func updateUI(w http.ResponseWriter, r *http.Request) {
-	err := config.UpdateUI()
-	if err != nil {
-		if errors.Is(err, config.ErrIncompleteConf) {
-			log.Warnln("%s", err)
-			render.Status(r, http.StatusNotImplemented)
-			render.JSON(w, r, newError(fmt.Sprintf("%s", err)))
-		} else {
-			log.Warnln("%s", err)
-			render.Status(r, http.StatusInternalServerError)
-			render.JSON(w, r, newError(fmt.Sprintf("%s", err)))
-		}
-		return
-	}
-
-	render.JSON(w, r, render.M{"status": "ok"})
-	if f, ok := w.(http.Flusher); ok {
-		f.Flush()
-	}
-}

hub/updater/updater.go

@@ -32,7 +32,7 @@ var (
 	workDir string
 
 	// mu protects all fields below.
-	mu sync.Mutex
+	mu sync.RWMutex
 
 	currentExeName string // 当前可执行文件
 	updateDir      string // 更新目录

listener/config/hysteria2.go

@@ -1,25 +0,0 @@
-package config
-
-import "encoding/json"
-
-type Hysteria2Server struct {
-	Enable                bool              `yaml:"enable" json:"enable"`
-	Listen                string            `yaml:"listen" json:"listen"`
-	Users                 map[string]string `yaml:"users" json:"users,omitempty"`
-	Obfs                  string            `yaml:"obfs" json:"obfs,omitempty"`
-	ObfsPassword          string            `yaml:"obfs-password" json:"obfs-password,omitempty"`
-	Certificate           string            `yaml:"certificate" json:"certificate"`
-	PrivateKey            string            `yaml:"private-key" json:"private-key"`
-	MaxIdleTime           int               `yaml:"max-idle-time" json:"max-idle-time,omitempty"`
-	ALPN                  []string          `yaml:"alpn" json:"alpn,omitempty"`
-	Up                    string            `yaml:"up" json:"up,omitempty"`
-	Down                  string            `yaml:"down" json:"down,omitempty"`
-	IgnoreClientBandwidth bool              `yaml:"ignore-client-bandwidth" json:"ignore-client-bandwidth,omitempty"`
-	Masquerade            string            `yaml:"masquerade" json:"masquerade,omitempty"`
-	CWND                  int               `yaml:"cwnd" json:"cwnd,omitempty"`
-}
-
-func (h Hysteria2Server) String() string {
-	b, _ := json.Marshal(h)
-	return string(b)
-}

listener/http/proxy.go

@@ -36,7 +36,7 @@ func HandleConn(c net.Conn, in chan<- C.ConnContext, cache *cache.LruCache[strin
 		var resp *http.Response
 
 		if !trusted {
-			resp = authenticate(request, cache)
+			resp = Authenticate(request, cache)
 
 			trusted = resp == nil
 		}
@@ -66,19 +66,19 @@ func HandleConn(c net.Conn, in chan<- C.ConnContext, cache *cache.LruCache[strin
 				return // hijack connection
 			}
 
-			removeHopByHopHeaders(request.Header)
-			removeExtraHTTPHostPort(request)
+			RemoveHopByHopHeaders(request.Header)
+			RemoveExtraHTTPHostPort(request)
 
 			if request.URL.Scheme == "" || request.URL.Host == "" {
-				resp = responseWith(request, http.StatusBadRequest)
+				resp = ResponseWith(request, http.StatusBadRequest)
 			} else {
 				resp, err = client.Do(request)
 				if err != nil {
-					resp = responseWith(request, http.StatusBadGateway)
+					resp = ResponseWith(request, http.StatusBadGateway)
 				}
 			}
 
-			removeHopByHopHeaders(resp.Header)
+			RemoveHopByHopHeaders(resp.Header)
 		}
 
 		if keepAlive {
@@ -98,12 +98,12 @@ func HandleConn(c net.Conn, in chan<- C.ConnContext, cache *cache.LruCache[strin
 	_ = conn.Close()
 }
 
-func authenticate(request *http.Request, cache *cache.LruCache[string, bool]) *http.Response {
+func Authenticate(request *http.Request, cache *cache.LruCache[string, bool]) *http.Response {
 	authenticator := authStore.Authenticator()
 	if authenticator != nil {
 		credential := parseBasicProxyAuthorization(request)
 		if credential == "" {
-			resp := responseWith(request, http.StatusProxyAuthRequired)
+			resp := ResponseWith(request, http.StatusProxyAuthRequired)
 			resp.Header.Set("Proxy-Authenticate", "Basic")
 			return resp
 		}
@@ -117,14 +117,14 @@ func authenticate(request *http.Request, cache *cache.LruCache[string, bool]) *h
 		if !authed {
 			log.Infoln("Auth failed from %s", request.RemoteAddr)
 
-			return responseWith(request, http.StatusForbidden)
+			return ResponseWith(request, http.StatusForbidden)
 		}
 	}
 
 	return nil
 }
 
-func responseWith(request *http.Request, statusCode int) *http.Response {
+func ResponseWith(request *http.Request, statusCode int) *http.Response {
 	return &http.Response{
 		StatusCode: statusCode,
 		Status:     http.StatusText(statusCode),

listener/http/upgrade.go

@@ -6,6 +6,7 @@ import (
 	"net"
 	"net/http"
 	"strings"
+	"time"
 
 	"github.com/Dreamacro/clash/adapter/inbound"
 	N "github.com/Dreamacro/clash/common/net"
@@ -29,7 +30,7 @@ func handleUpgrade(conn net.Conn, request *http.Request, in chan<- C.ConnContext
 	defer conn.Close()
 
 	removeProxyHeaders(request.Header)
-	removeExtraHTTPHostPort(request)
+	RemoveExtraHTTPHostPort(request)
 
 	address := request.Host
 	if _, _, err := net.SplitHostPort(address); err != nil {
@@ -87,3 +88,65 @@ func handleUpgrade(conn net.Conn, request *http.Request, in chan<- C.ConnContext
 		N.Relay(bufferedLeft, conn)
 	}
 }
+
+func HandleUpgradeY(localConn net.Conn, serverConn *N.BufferedConn, request *http.Request, in chan<- C.ConnContext) (resp *http.Response) {
+	removeProxyHeaders(request.Header)
+	RemoveExtraHTTPHostPort(request)
+
+	if serverConn == nil {
+		address := request.Host
+		if _, _, err := net.SplitHostPort(address); err != nil {
+			port := "80"
+			if request.TLS != nil {
+				port = "443"
+			}
+			address = net.JoinHostPort(address, port)
+		}
+
+		dstAddr := socks5.ParseAddr(address)
+		if dstAddr == nil {
+			return
+		}
+
+		left, right := net.Pipe()
+
+		in <- inbound.NewHTTP(dstAddr, localConn.RemoteAddr(), right)
+
+		serverConn = N.NewBufferedConn(left)
+
+		defer func() {
+			_ = serverConn.Close()
+		}()
+	}
+
+	err := request.Write(serverConn)
+	if err != nil {
+		_ = localConn.Close()
+		return
+	}
+
+	resp, err = http.ReadResponse(serverConn.Reader(), request)
+	if err != nil {
+		_ = localConn.Close()
+		return
+	}
+
+	if resp.StatusCode == http.StatusSwitchingProtocols {
+		removeProxyHeaders(resp.Header)
+
+		err = localConn.SetReadDeadline(time.Time{}) // set to not time out
+		if err != nil {
+			return
+		}
+
+		err = resp.Write(localConn)
+		if err != nil {
+			return
+		}
+
+		N.Relay(serverConn, localConn) // blocking here
+		_ = localConn.Close()
+		resp = nil
+	}
+	return
+}

listener/http/utils.go

@@ -15,8 +15,8 @@ func removeProxyHeaders(header http.Header) {
 	header.Del("Proxy-Authorization")
 }
 
-// removeHopByHopHeaders remove hop-by-hop header
-func removeHopByHopHeaders(header http.Header) {
+// RemoveHopByHopHeaders remove hop-by-hop header
+func RemoveHopByHopHeaders(header http.Header) {
 	// Strip hop-by-hop header based on RFC:
 	// http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13.5.1
 	// https://www.mnot.net/blog/2011/07/11/what_proxies_must_do
@@ -38,9 +38,9 @@ func removeHopByHopHeaders(header http.Header) {
 	}
 }
 
-// removeExtraHTTPHostPort remove extra host port (example.com:80 --> example.com)
+// RemoveExtraHTTPHostPort remove extra host port (example.com:80 --> example.com)
 // It resolves the behavior of some HTTP servers that do not handle host:80 (e.g. baidu.com)
-func removeExtraHTTPHostPort(req *http.Request) {
+func RemoveExtraHTTPHostPort(req *http.Request) {
 	host := req.Host
 	if host == "" {
 		host = req.URL.Host

listener/inbound/hysteria2.go

@@ -1,95 +0,0 @@
-package inbound
-
-import (
-	C "github.com/Dreamacro/clash/constant"
-	LC "github.com/Dreamacro/clash/listener/config"
-	"github.com/Dreamacro/clash/listener/sing_hysteria2"
-	"github.com/Dreamacro/clash/log"
-)
-
-type Hysteria2Option struct {
-	BaseOption
-	Users                 map[string]string `inbound:"users,omitempty"`
-	Obfs                  string            `inbound:"obfs,omitempty"`
-	ObfsPassword          string            `inbound:"obfs-password,omitempty"`
-	Certificate           string            `inbound:"certificate"`
-	PrivateKey            string            `inbound:"private-key"`
-	MaxIdleTime           int               `inbound:"max-idle-time,omitempty"`
-	ALPN                  []string          `inbound:"alpn,omitempty"`
-	Up                    string            `inbound:"up,omitempty"`
-	Down                  string            `inbound:"down,omitempty"`
-	IgnoreClientBandwidth bool              `inbound:"ignore-client-bandwidth,omitempty"`
-	Masquerade            string            `inbound:"masquerade,omitempty"`
-	CWND                  int               `inbound:"cwnd,omitempty"`
-}
-
-func (o Hysteria2Option) Equal(config C.InboundConfig) bool {
-	return optionToString(o) == optionToString(config)
-}
-
-type Hysteria2 struct {
-	*Base
-	config *Hysteria2Option
-	l      *sing_hysteria2.Listener
-	ts     LC.Hysteria2Server
-}
-
-func NewHysteria2(options *Hysteria2Option) (*Hysteria2, error) {
-	base, err := NewBase(&options.BaseOption)
-	if err != nil {
-		return nil, err
-	}
-	return &Hysteria2{
-		Base:   base,
-		config: options,
-		ts: LC.Hysteria2Server{
-			Enable:                true,
-			Listen:                base.RawAddress(),
-			Users:                 options.Users,
-			Obfs:                  options.Obfs,
-			ObfsPassword:          options.ObfsPassword,
-			Certificate:           options.Certificate,
-			PrivateKey:            options.PrivateKey,
-			MaxIdleTime:           options.MaxIdleTime,
-			ALPN:                  options.ALPN,
-			Up:                    options.Up,
-			Down:                  options.Down,
-			IgnoreClientBandwidth: options.IgnoreClientBandwidth,
-			Masquerade:            options.Masquerade,
-			CWND:                  options.CWND,
-		},
-	}, nil
-}
-
-// Config implements constant.InboundListener
-func (t *Hysteria2) Config() C.InboundConfig {
-	return t.config
-}
-
-// Address implements constant.InboundListener
-func (t *Hysteria2) Address() string {
-	if t.l != nil {
-		for _, addr := range t.l.AddrList() {
-			return addr.String()
-		}
-	}
-	return ""
-}
-
-// Listen implements constant.InboundListener
-func (t *Hysteria2) Listen(tcpIn chan<- C.ConnContext, udpIn chan<- C.PacketAdapter, natTable C.NatTable) error {
-	var err error
-	t.l, err = sing_hysteria2.New(t.ts, tcpIn, udpIn, t.Additions()...)
-	if err != nil {
-		return err
-	}
-	log.Infoln("Hysteria2[%s] proxy listening at: %s", t.Name(), t.Address())
-	return nil
-}
-
-// Close implements constant.InboundListener
-func (t *Hysteria2) Close() error {
-	return t.l.Close()
-}
-
-var _ C.InboundListener = (*Hysteria2)(nil)

listener/listener.go

@@ -1,19 +1,26 @@
 package listener
 
 import (
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"golang.org/x/exp/slices"
 	"net"
+	"os"
 	"sort"
 	"strconv"
 	"strings"
 	"sync"
+	"time"
 
+	"github.com/Dreamacro/clash/common/cert"
 	"github.com/Dreamacro/clash/component/ebpf"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/listener/autoredir"
 	LC "github.com/Dreamacro/clash/listener/config"
 	"github.com/Dreamacro/clash/listener/http"
+	"github.com/Dreamacro/clash/listener/mitm"
 	"github.com/Dreamacro/clash/listener/mixed"
 	"github.com/Dreamacro/clash/listener/redir"
 	embedSS "github.com/Dreamacro/clash/listener/shadowsocks"
@@ -23,9 +30,10 @@ import (
 	"github.com/Dreamacro/clash/listener/socks"
 	"github.com/Dreamacro/clash/listener/tproxy"
 	"github.com/Dreamacro/clash/listener/tuic"
-	"github.com/Dreamacro/clash/listener/tunnel"
+	LT "github.com/Dreamacro/clash/listener/tunnel"
 	"github.com/Dreamacro/clash/log"
 
+	rewrites "github.com/Dreamacro/clash/rewrite"
 	"github.com/samber/lo"
 )
 
@@ -42,8 +50,8 @@ var (
 	tproxyUDPListener   *tproxy.UDPListener
 	mixedListener       *mixed.Listener
 	mixedUDPLister      *socks.UDPListener
-	tunnelTCPListeners  = map[string]*tunnel.Listener{}
-	tunnelUDPListeners  = map[string]*tunnel.PacketConn{}
+	tunnelTCPListeners  = map[string]*LT.Listener{}
+	tunnelUDPListeners  = map[string]*LT.PacketConn{}
 	inboundListeners    = map[string]C.InboundListener{}
 	tunLister           *sing_tun.Listener
 	shadowSocksListener C.MultiAddrListener
@@ -52,6 +60,7 @@ var (
 	autoRedirListener   *autoredir.Listener
 	autoRedirProgram    *ebpf.TcEBpfProgram
 	tcProgram           *ebpf.TcEBpfProgram
+	mitmListener        *mitm.Listener
 
 	// lock for recreate function
 	socksMux     sync.Mutex
@@ -67,6 +76,7 @@ var (
 	tuicMux      sync.Mutex
 	autoRedirMux sync.Mutex
 	tcMux        sync.Mutex
+	mitmMux      sync.Mutex
 
 	LastTunConf  LC.Tun
 	LastTuicConf LC.TuicServer
@@ -80,6 +90,7 @@ type Ports struct {
 	MixedPort         int    `json:"mixed-port"`
 	ShadowSocksConfig string `json:"ss-config"`
 	VmessConfig       string `json:"vmess-config"`
+	MitmPort          int    `json:"mitm-port"`
 }
 
 func GetTunConf() LC.Tun {
@@ -699,7 +710,7 @@ func PatchTunnel(tunnels []LC.Tunnel, tcpIn chan<- C.ConnContext, udpIn chan<- C
 	for _, elm := range needCreate {
 		key := fmt.Sprintf("%s/%s/%s", elm.addr, elm.target, elm.proxy)
 		if elm.network == "tcp" {
-			l, err := tunnel.New(elm.addr, elm.target, elm.proxy, tcpIn)
+			l, err := LT.New(elm.addr, elm.target, elm.proxy, tcpIn)
 			if err != nil {
 				log.Errorln("Start tunnel %s error: %s", elm.target, err.Error())
 				continue
@@ -707,7 +718,7 @@ func PatchTunnel(tunnels []LC.Tunnel, tcpIn chan<- C.ConnContext, udpIn chan<- C
 			tunnelTCPListeners[key] = l
 			log.Infoln("Tunnel(tcp/%s) proxy %s listening at: %s", elm.target, elm.proxy, tunnelTCPListeners[key].Address())
 		} else {
-			l, err := tunnel.NewUDP(elm.addr, elm.target, elm.proxy, udpIn)
+			l, err := LT.NewUDP(elm.addr, elm.target, elm.proxy, udpIn)
 			if err != nil {
 				log.Errorln("Start tunnel %s error: %s", elm.target, err.Error())
 				continue
@@ -747,6 +758,79 @@ func PatchInboundListeners(newListenerMap map[string]C.InboundListener, tcpIn ch
 	}
 }
 
+func ReCreateMitm(port int, tcpIn chan<- C.ConnContext) {
+	mitmMux.Lock()
+	defer mitmMux.Unlock()
+
+	var err error
+	defer func() {
+		if err != nil {
+			log.Errorln("Start MITM server error: %s", err.Error())
+		}
+	}()
+
+	addr := genAddr(bindAddress, port, allowLan)
+
+	if mitmListener != nil {
+		if mitmListener.RawAddress() == addr {
+			return
+		}
+		_ = mitmListener.Close()
+		mitmListener = nil
+	}
+
+	if portIsZero(addr) {
+		return
+	}
+
+	if err = initCert(); err != nil {
+		return
+	}
+
+	var (
+		rootCACert tls.Certificate
+		x509c      *x509.Certificate
+		certOption *cert.Config
+	)
+
+	rootCACert, err = tls.LoadX509KeyPair(C.Path.RootCA(), C.Path.CAKey())
+	if err != nil {
+		return
+	}
+
+	privateKey := rootCACert.PrivateKey.(*rsa.PrivateKey)
+
+	x509c, err = x509.ParseCertificate(rootCACert.Certificate[0])
+	if err != nil {
+		return
+	}
+
+	certOption, err = cert.NewConfig(
+		x509c,
+		privateKey,
+	)
+	if err != nil {
+		return
+	}
+
+	certOption.SetValidity(time.Hour * 24 * 365 * 2) // 2 years
+	certOption.SetOrganization("Clash ManInTheMiddle Proxy Services")
+
+	opt := &mitm.Option{
+		Addr:       addr,
+		ApiHost:    "mitm.clash",
+		CertConfig: certOption,
+		Handler:    &rewrites.RewriteHandler{},
+	}
+
+	mitmListener, err = mitm.New(opt, tcpIn)
+	if err != nil {
+		return
+	}
+
+	log.Infoln("Mitm proxy listening at: %s", mitmListener.Address())
+}
+
 // GetPorts return the ports of proxy servers
 func GetPorts() *Ports {
 	ports := &Ports{}
@@ -789,6 +873,12 @@ func GetPorts() *Ports {
 		ports.VmessConfig = vmessListener.Config()
 	}
 
+	if mitmListener != nil {
+		_, portStr, _ := net.SplitHostPort(mitmListener.Address())
+		port, _ := strconv.Atoi(portStr)
+		ports.MitmPort = port
+	}
+
 	return ports
 }
 
@@ -902,6 +992,19 @@ func closeTunListener() {
 	}
 }
 
+func initCert() error {
+	if _, err := os.Stat(C.Path.RootCA()); os.IsNotExist(err) {
+		log.Infoln("Can't find mitm_ca.crt, start generate")
+		err = cert.GenerateAndSave(C.Path.RootCA(), C.Path.CAKey())
+		if err != nil {
+			return err
+		}
+		log.Infoln("Generated CA private key and CA certificate finish")
+	}
+
+	return nil
+}
+
 func Cleanup() {
 	closeTunListener()
 }

listener/mitm/client.go

@@ -0,0 +1,55 @@
+package mitm
+
+import (
+	"context"
+	"crypto/tls"
+	"net"
+	"net/http"
+
+	"github.com/Dreamacro/clash/adapter/inbound"
+	N "github.com/Dreamacro/clash/common/net"
+	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/transport/socks5"
+)
+
+func getServerConn(serverConn *N.BufferedConn, request *http.Request, srcAddr net.Addr, in chan<- C.ConnContext) (*N.BufferedConn, error) {
+	if serverConn != nil {
+		return serverConn, nil
+	}
+
+	address := request.URL.Host
+	if _, _, err := net.SplitHostPort(address); err != nil {
+		port := "80"
+		if request.TLS != nil {
+			port = "443"
+		}
+		address = net.JoinHostPort(address, port)
+	}
+
+	dstAddr := socks5.ParseAddr(address)
+	if dstAddr == nil {
+		return nil, socks5.ErrAddressNotSupported
+	}
+
+	left, right := net.Pipe()
+
+	in <- inbound.NewMitm(dstAddr, srcAddr, request.Header.Get("User-Agent"), right)
+
+	if request.TLS != nil {
+		tlsConn := tls.Client(left, &tls.Config{
+			ServerName: request.TLS.ServerName,
+		})
+
+		ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
+		defer cancel()
+		if err := tlsConn.HandshakeContext(ctx); err != nil {
+			return nil, err
+		}
+
+		serverConn = N.NewBufferedConn(tlsConn)
+	} else {
+		serverConn = N.NewBufferedConn(left)
+	}
+
+	return serverConn, nil
+}

listener/mitm/hack.go

@@ -0,0 +1,9 @@
+package mitm
+
+import (
+	_ "net/http"
+	_ "unsafe"
+)
+
+//go:linkname validMethod net/http.validMethod
+func validMethod(method string) bool

listener/mitm/proxy.go

@@ -0,0 +1,349 @@
+package mitm
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"crypto/tls"
+	"encoding/pem"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/netip"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/Dreamacro/clash/common/cache"
+	N "github.com/Dreamacro/clash/common/net"
+	C "github.com/Dreamacro/clash/constant"
+	H "github.com/Dreamacro/clash/listener/http"
+)
+
+func HandleConn(c net.Conn, opt *Option, in chan<- C.ConnContext, cache *cache.LruCache[string, bool]) {
+	var (
+		clientIP   = netip.MustParseAddrPort(c.RemoteAddr().String()).Addr()
+		sourceAddr net.Addr
+		serverConn *N.BufferedConn
+		connState  *tls.ConnectionState
+	)
+
+	defer func() {
+		if serverConn != nil {
+			_ = serverConn.Close()
+		}
+	}()
+
+	conn := N.NewBufferedConn(c)
+
+	trusted := cache == nil // disable authenticate if cache is nil
+	if !trusted {
+		trusted = clientIP.IsLoopback() || clientIP.IsUnspecified()
+	}
+
+readLoop:
+	for {
+		// use SetReadDeadline instead of Proxy-Connection keep-alive
+		if err := conn.SetReadDeadline(time.Now().Add(65 * time.Second)); err != nil {
+			break
+		}
+
+		request, err := H.ReadRequest(conn.Reader())
+		if err != nil {
+			break
+		}
+
+		var response *http.Response
+
+		session := newSession(conn, request, response)
+
+		sourceAddr = parseSourceAddress(session.request, conn.RemoteAddr(), sourceAddr)
+		session.request.RemoteAddr = sourceAddr.String()
+
+		if !trusted {
+			session.response = H.Authenticate(session.request, cache)
+
+			trusted = session.response == nil
+		}
+
+		if trusted {
+			if session.request.Method == http.MethodConnect {
+				if session.request.ProtoMajor > 1 {
+					session.request.ProtoMajor = 1
+					session.request.ProtoMinor = 1
+				}
+
+				// Manual writing to support CONNECT for http 1.0 (workaround for uplay client)
+				if _, err = fmt.Fprintf(session.conn, "HTTP/%d.%d %03d %s\r\n\r\n", session.request.ProtoMajor, session.request.ProtoMinor, http.StatusOK, "Connection established"); err != nil {
+					handleError(opt, session, err)
+					break // close connection
+				}
+
+				if strings.HasSuffix(session.request.URL.Host, ":80") {
+					goto readLoop
+				}
+
+				b, err1 := conn.Peek(1)
+				if err1 != nil {
+					handleError(opt, session, err1)
+					break // close connection
+				}
+
+				// TLS handshake.
+				if b[0] == 0x16 {
+					tlsConn := tls.Server(conn, opt.CertConfig.NewTLSConfigForHost(session.request.URL.Hostname()))
+
+					ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
+					// handshake with the local client
+					if err = tlsConn.HandshakeContext(ctx); err != nil {
+						cancel()
+						session.response = session.NewErrorResponse(fmt.Errorf("handshake failed: %w", err))
+						_ = writeResponse(session, false)
+						break // close connection
+					}
+					cancel()
+
+					cs := tlsConn.ConnectionState()
+					connState = &cs
+
+					conn = N.NewBufferedConn(tlsConn)
+				}
+
+				if strings.HasSuffix(session.request.URL.Host, ":443") {
+					goto readLoop
+				}
+
+				if conn.SetReadDeadline(time.Now().Add(time.Second)) != nil {
+					break
+				}
+
+				buf, err2 := conn.Peek(7)
+				if err2 != nil {
+					if err2 != bufio.ErrBufferFull && !os.IsTimeout(err2) {
+						handleError(opt, session, err2)
+						break // close connection
+					}
+				}
+
+				// others protocol over tcp
+				if !isHTTPTraffic(buf) {
+					if connState != nil {
+						session.request.TLS = connState
+					}
+
+					serverConn, err = getServerConn(serverConn, session.request, sourceAddr, in)
+					if err != nil {
+						break
+					}
+
+					if conn.SetReadDeadline(time.Time{}) != nil {
+						break
+					}
+
+					N.Relay(serverConn, conn)
+					return // hijack connection
+				}
+
+				goto readLoop
+			}
+
+			prepareRequest(connState, session.request)
+
+			// hijack api
+			if session.request.URL.Hostname() == opt.ApiHost {
+				if err = handleApiRequest(session, opt); err != nil {
+					handleError(opt, session, err)
+				}
+				break
+			}
+
+			// forward websocket
+			if isWebsocketRequest(request) {
+				serverConn, err = getServerConn(serverConn, session.request, sourceAddr, in)
+				if err != nil {
+					break
+				}
+
+				session.request.RequestURI = ""
+				if session.response = H.HandleUpgradeY(conn, serverConn, request, in); session.response == nil {
+					return // hijack connection
+				}
+			}
+
+			if session.response == nil {
+				H.RemoveHopByHopHeaders(session.request.Header)
+				H.RemoveExtraHTTPHostPort(session.request)
+
+				// hijack custom request and write back custom response if necessary
+				newReq, newRes := opt.Handler.HandleRequest(session)
+				if newReq != nil {
+					session.request = newReq
+				}
+				if newRes != nil {
+					session.response = newRes
+
+					if err = writeResponse(session, false); err != nil {
+						handleError(opt, session, err)
+						break
+					}
+					continue
+				}
+
+				session.request.RequestURI = ""
+
+				if session.request.URL.Host == "" {
+					session.response = session.NewErrorResponse(ErrInvalidURL)
+				} else {
+					serverConn, err = getServerConn(serverConn, session.request, sourceAddr, in)
+					if err != nil {
+						break
+					}
+
+					// send the request to remote server
+					err = session.request.Write(serverConn)
+					if err != nil {
+						break
+					}
+
+					session.response, err = http.ReadResponse(serverConn.Reader(), request)
+					if err != nil {
+						break
+					}
+				}
+			}
+		}
+
+		if err = writeResponseWithHandler(session, opt); err != nil {
+			handleError(opt, session, err)
+			break // close connection
+		}
+	}
+
+	_ = conn.Close()
+}
+
+func writeResponseWithHandler(session *Session, opt *Option) error {
+	res := opt.Handler.HandleResponse(session)
+	if res != nil {
+		session.response = res
+	}
+
+	return writeResponse(session, true)
+}
+
+func writeResponse(session *Session, keepAlive bool) error {
+	H.RemoveHopByHopHeaders(session.response.Header)
+
+	if keepAlive {
+		session.response.Header.Set("Connection", "keep-alive")
+		session.response.Header.Set("Keep-Alive", "timeout=60")
+	}
+
+	return session.writeResponse()
+}
+
+func handleApiRequest(session *Session, opt *Option) error {
+	if opt.CertConfig != nil && strings.ToLower(session.request.URL.Path) == "/cert.crt" {
+		b := pem.EncodeToMemory(&pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: opt.CertConfig.GetCA().Raw,
+		})
+
+		session.response = session.NewResponse(http.StatusOK, bytes.NewReader(b))
+
+		session.response.Close = true
+		session.response.Header.Set("Content-Type", "application/x-x509-ca-cert")
+		session.response.ContentLength = int64(len(b))
+
+		return session.writeResponse()
+	}
+
+	b := `<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<html><head>
+<title>Clash MITM Proxy Services - 404 Not Found</title>
+</head><body>
+<h1>Not Found</h1>
+<p>The requested URL %s was not found on this server.</p>
+</body></html>
+`
+
+	if opt.Handler.HandleApiRequest(session) {
+		return nil
+	}
+
+	b = fmt.Sprintf(b, session.request.URL.Path)
+
+	session.response = session.NewResponse(http.StatusNotFound, bytes.NewReader([]byte(b)))
+	session.response.Close = true
+	session.response.Header.Set("Content-Type", "text/html;charset=utf-8")
+	session.response.ContentLength = int64(len(b))
+
+	return session.writeResponse()
+}
+
+func handleError(opt *Option, session *Session, err error) {
+	if session.response != nil {
+		defer func() {
+			_, _ = io.Copy(io.Discard, session.response.Body)
+			_ = session.response.Body.Close()
+		}()
+	}
+	opt.Handler.HandleError(session, err)
+}
+
+func prepareRequest(connState *tls.ConnectionState, request *http.Request) {
+	host := request.Header.Get("Host")
+	if host != "" {
+		request.Host = host
+	}
+
+	if request.URL.Host == "" {
+		request.URL.Host = request.Host
+	}
+
+	if request.URL.Scheme == "" {
+		request.URL.Scheme = "http"
+	}
+
+	if connState != nil {
+		request.TLS = connState
+		request.URL.Scheme = "https"
+	}
+
+	if request.Header.Get("Accept-Encoding") != "" {
+		request.Header.Set("Accept-Encoding", "gzip")
+	}
+}
+
+func parseSourceAddress(req *http.Request, connSource, source net.Addr) net.Addr {
+	if source != nil {
+		return source
+	}
+
+	sourceAddress := req.Header.Get("Origin-Request-Source-Address")
+	if sourceAddress == "" {
+		return connSource
+	}
+
+	req.Header.Del("Origin-Request-Source-Address")
+
+	addrPort, err := netip.ParseAddrPort(sourceAddress)
+	if err != nil {
+		return connSource
+	}
+
+	return &net.TCPAddr{
+		IP:   addrPort.Addr().AsSlice(),
+		Port: int(addrPort.Port()),
+	}
+}
+
+func isWebsocketRequest(req *http.Request) bool {
+	return strings.EqualFold(req.Header.Get("Connection"), "Upgrade") && strings.EqualFold(req.Header.Get("Upgrade"), "websocket")
+}
+
+func isHTTPTraffic(buf []byte) bool {
+	method, _, _ := strings.Cut(string(buf), " ")
+	return validMethod(method)
+}

listener/mitm/server.go

@@ -0,0 +1,88 @@
+package mitm
+
+import (
+	"crypto/tls"
+	"github.com/Dreamacro/clash/common/cache"
+	"github.com/Dreamacro/clash/common/cert"
+	C "github.com/Dreamacro/clash/constant"
+	"net"
+	"net/http"
+)
+
+type Handler interface {
+	HandleRequest(*Session) (*http.Request, *http.Response) // Session.Response maybe nil
+	HandleResponse(*Session) *http.Response
+	HandleApiRequest(*Session) bool
+	HandleError(*Session, error) // Session maybe nil
+}
+
+type Option struct {
+	Addr    string
+	ApiHost string
+
+	TLSConfig  *tls.Config
+	CertConfig *cert.Config
+
+	Handler Handler
+}
+
+type Listener struct {
+	*Option
+
+	listener net.Listener
+	addr     string
+	closed   bool
+}
+
+// RawAddress implements C.Listener
+func (l *Listener) RawAddress() string {
+	return l.addr
+}
+
+// Address implements C.Listener
+func (l *Listener) Address() string {
+	return l.listener.Addr().String()
+}
+
+// Close implements C.Listener
+func (l *Listener) Close() error {
+	l.closed = true
+	return l.listener.Close()
+}
+
+// New the MITM proxy actually is a type of HTTP proxy
+func New(option *Option, in chan<- C.ConnContext) (*Listener, error) {
+	return NewWithAuthenticate(option, in, true)
+}
+
+func NewWithAuthenticate(option *Option, in chan<- C.ConnContext, authenticate bool) (*Listener, error) {
+	l, err := net.Listen("tcp", option.Addr)
+	if err != nil {
+		return nil, err
+	}
+
+	var c *cache.LruCache[string, bool]
+	if authenticate {
+		c = cache.New[string, bool](cache.WithAge[string, bool](90))
+	}
+
+	hl := &Listener{
+		listener: l,
+		addr:     option.Addr,
+		Option:   option,
+	}
+	go func() {
+		for {
+			conn, err1 := hl.listener.Accept()
+			if err1 != nil {
+				if hl.closed {
+					break
+				}
+				continue
+			}
+			go HandleConn(conn, option, in, c)
+		}
+	}()
+
+	return hl, nil
+}

listener/mitm/session.go

@@ -0,0 +1,59 @@
+package mitm
+
+import (
+	"io"
+	"net"
+	"net/http"
+)
+
+type Session struct {
+	conn     net.Conn
+	request  *http.Request
+	response *http.Response
+
+	props map[string]any
+}
+
+func (s *Session) Request() *http.Request {
+	return s.request
+}
+
+func (s *Session) Response() *http.Response {
+	return s.response
+}
+
+func (s *Session) GetProperties(key string) (any, bool) {
+	v, ok := s.props[key]
+	return v, ok
+}
+
+func (s *Session) SetProperties(key string, val any) {
+	s.props[key] = val
+}
+
+func (s *Session) NewResponse(code int, body io.Reader) *http.Response {
+	return NewResponse(code, body, s.request)
+}
+
+func (s *Session) NewErrorResponse(err error) *http.Response {
+	return NewErrorResponse(s.request, err)
+}
+
+func (s *Session) writeResponse() error {
+	if s.response == nil {
+		return ErrInvalidResponse
+	}
+	defer func(resp *http.Response) {
+		_ = resp.Body.Close()
+	}(s.response)
+	return s.response.Write(s.conn)
+}
+
+func newSession(conn net.Conn, request *http.Request, response *http.Response) *Session {
+	return &Session{
+		conn:     conn,
+		request:  request,
+		response: response,
+		props:    map[string]any{},
+	}
+}

listener/mitm/utils.go

@@ -0,0 +1,95 @@
+package mitm
+
+import (
+	"bytes"
+	"compress/gzip"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"time"
+
+	"golang.org/x/text/encoding/charmap"
+	"golang.org/x/text/transform"
+)
+
+var (
+	ErrInvalidResponse = errors.New("invalid response")
+	ErrInvalidURL      = errors.New("invalid URL")
+)
+
+func NewResponse(code int, body io.Reader, req *http.Request) *http.Response {
+	if body == nil {
+		body = &bytes.Buffer{}
+	}
+
+	rc, ok := body.(io.ReadCloser)
+	if !ok {
+		rc = ioutil.NopCloser(body)
+	}
+
+	res := &http.Response{
+		StatusCode: code,
+		Status:     fmt.Sprintf("%d %s", code, http.StatusText(code)),
+		Proto:      "HTTP/1.1",
+		ProtoMajor: 1,
+		ProtoMinor: 1,
+		Header:     http.Header{},
+		Body:       rc,
+		Request:    req,
+	}
+
+	if req != nil {
+		res.Close = req.Close
+		res.Proto = req.Proto
+		res.ProtoMajor = req.ProtoMajor
+		res.ProtoMinor = req.ProtoMinor
+	}
+
+	return res
+}
+
+func NewErrorResponse(req *http.Request, err error) *http.Response {
+	res := NewResponse(http.StatusBadGateway, nil, req)
+	res.Close = true
+
+	date := res.Header.Get("Date")
+	if date == "" {
+		date = time.Now().Format(http.TimeFormat)
+	}
+
+	w := fmt.Sprintf(`199 "clash" %q %q`, err.Error(), date)
+	res.Header.Add("Warning", w)
+	return res
+}
+
+func ReadDecompressedBody(res *http.Response) ([]byte, error) {
+	rBody := res.Body
+	if res.Header.Get("Content-Encoding") == "gzip" {
+		gzReader, err := gzip.NewReader(rBody)
+		if err != nil {
+			return nil, err
+		}
+		rBody = gzReader
+
+		defer func(gzReader *gzip.Reader) {
+			_ = gzReader.Close()
+		}(gzReader)
+	}
+	return ioutil.ReadAll(rBody)
+}
+
+func DecodeLatin1(reader io.Reader) (string, error) {
+	r := transform.NewReader(reader, charmap.ISO8859_1.NewDecoder())
+	b, err := ioutil.ReadAll(r)
+	if err != nil {
+		return "", err
+	}
+
+	return string(b), nil
+}
+
+func EncodeLatin1(str string) ([]byte, error) {
+	return charmap.ISO8859_1.NewEncoder().Bytes([]byte(str))
+}

listener/parse.go

@@ -86,13 +86,6 @@ func ParseListener(mapping map[string]any) (C.InboundListener, error) {
 			return nil, err
 		}
 		listener, err = IN.NewVmess(vmessOption)
-	case "hysteria2":
-		hysteria2Option := &IN.Hysteria2Option{}
-		err = decoder.Decode(mapping, hysteria2Option)
-		if err != nil {
-			return nil, err
-		}
-		listener, err = IN.NewHysteria2(hysteria2Option)
 	case "tuic":
 		tuicOption := &IN.TuicOption{
 			MaxIdleTime:           15000,

listener/sing_hysteria2/server.go

@@ -1,181 +0,0 @@
-package sing_hysteria2
-
-import (
-	"context"
-	"crypto/tls"
-	"errors"
-	"fmt"
-	"net"
-	"net/http"
-	"net/http/httputil"
-	"net/url"
-	"strings"
-
-	"github.com/Dreamacro/clash/adapter/inbound"
-	"github.com/Dreamacro/clash/adapter/outbound"
-	CN "github.com/Dreamacro/clash/common/net"
-	"github.com/Dreamacro/clash/common/sockopt"
-	C "github.com/Dreamacro/clash/constant"
-	LC "github.com/Dreamacro/clash/listener/config"
-	"github.com/Dreamacro/clash/listener/sing"
-	"github.com/Dreamacro/clash/log"
-
-	"github.com/metacubex/sing-quic/hysteria2"
-
-	E "github.com/sagernet/sing/common/exceptions"
-)
-
-type Listener struct {
-	closed       bool
-	config       LC.Hysteria2Server
-	udpListeners []net.PacketConn
-	services     []*hysteria2.Service[string]
-}
-
-func New(config LC.Hysteria2Server, tcpIn chan<- C.ConnContext, udpIn chan<- C.PacketAdapter, additions ...inbound.Addition) (*Listener, error) {
-	var sl *Listener
-	var err error
-	if len(additions) == 0 {
-		additions = []inbound.Addition{
-			inbound.WithInName("DEFAULT-HYSTERIA2"),
-			inbound.WithSpecialRules(""),
-		}
-	}
-
-	h := &sing.ListenerHandler{
-		TcpIn:     tcpIn,
-		UdpIn:     udpIn,
-		Type:      C.HYSTERIA2,
-		Additions: additions,
-	}
-
-	sl = &Listener{false, config, nil, nil}
-
-	cert, err := CN.ParseCert(config.Certificate, config.PrivateKey)
-	if err != nil {
-		return nil, err
-	}
-	tlsConfig := &tls.Config{
-		MinVersion:   tls.VersionTLS13,
-		Certificates: []tls.Certificate{cert},
-	}
-	if len(config.ALPN) > 0 {
-		tlsConfig.NextProtos = config.ALPN
-	} else {
-		tlsConfig.NextProtos = []string{"h3"}
-	}
-
-	var salamanderPassword string
-	if len(config.Obfs) > 0 {
-		if config.ObfsPassword == "" {
-			return nil, errors.New("missing obfs password")
-		}
-		switch config.Obfs {
-		case hysteria2.ObfsTypeSalamander:
-			salamanderPassword = config.ObfsPassword
-		default:
-			return nil, fmt.Errorf("unknown obfs type: %s", config.Obfs)
-		}
-	}
-	var masqueradeHandler http.Handler
-	if config.Masquerade != "" {
-		masqueradeURL, err := url.Parse(config.Masquerade)
-		if err != nil {
-			return nil, E.Cause(err, "parse masquerade URL")
-		}
-		switch masqueradeURL.Scheme {
-		case "file":
-			masqueradeHandler = http.FileServer(http.Dir(masqueradeURL.Path))
-		case "http", "https":
-			masqueradeHandler = &httputil.ReverseProxy{
-				Rewrite: func(r *httputil.ProxyRequest) {
-					r.SetURL(masqueradeURL)
-					r.Out.Host = r.In.Host
-				},
-				ErrorHandler: func(w http.ResponseWriter, r *http.Request, err error) {
-					w.WriteHeader(http.StatusBadGateway)
-				},
-			}
-		default:
-			return nil, E.New("unknown masquerade URL scheme: ", masqueradeURL.Scheme)
-		}
-	}
-
-	service, err := hysteria2.NewService[string](hysteria2.ServiceOptions{
-		Context:               context.Background(),
-		Logger:                log.SingLogger,
-		SendBPS:               outbound.StringToBps(config.Up),
-		ReceiveBPS:            outbound.StringToBps(config.Down),
-		SalamanderPassword:    salamanderPassword,
-		TLSConfig:             tlsConfig,
-		IgnoreClientBandwidth: config.IgnoreClientBandwidth,
-		Handler:               h,
-		MasqueradeHandler:     masqueradeHandler,
-		CWND:                  config.CWND,
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	userNameList := make([]string, 0, len(config.Users))
-	userPasswordList := make([]string, 0, len(config.Users))
-	for name, password := range config.Users {
-		userNameList = append(userNameList, name)
-		userPasswordList = append(userPasswordList, password)
-	}
-	service.UpdateUsers(userNameList, userPasswordList)
-
-	for _, addr := range strings.Split(config.Listen, ",") {
-		addr := addr
-		_service := *service
-		service := &_service // make a copy
-
-		ul, err := net.ListenPacket("udp", addr)
-		if err != nil {
-			return nil, err
-		}
-
-		err = sockopt.UDPReuseaddr(ul.(*net.UDPConn))
-		if err != nil {
-			log.Warnln("Failed to Reuse UDP Address: %s", err)
-		}
-
-		sl.udpListeners = append(sl.udpListeners, ul)
-		sl.services = append(sl.services, service)
-
-		go func() {
-			_ = service.Start(ul)
-		}()
-	}
-
-	return sl, nil
-}
-
-func (l *Listener) Close() error {
-	l.closed = true
-	var retErr error
-	for _, service := range l.services {
-		err := service.Close()
-		if err != nil {
-			retErr = err
-		}
-	}
-	for _, lis := range l.udpListeners {
-		err := lis.Close()
-		if err != nil {
-			retErr = err
-		}
-	}
-	return retErr
-}
-
-func (l *Listener) Config() string {
-	return l.config.String()
-}
-
-func (l *Listener) AddrList() (addrList []net.Addr) {
-	for _, lis := range l.udpListeners {
-		addrList = append(addrList, lis.LocalAddr())
-	}
-	return
-}

listener/sing_tun/server.go

@@ -172,7 +172,7 @@ func New(options LC.Tun, tcpIn chan<- C.ConnContext, udpIn chan<- C.PacketAdapte
 		}
 	}()
 
-	networkUpdateMonitor, err := tun.NewNetworkUpdateMonitor(log.SingLogger)
+	networkUpdateMonitor, err := tun.NewNetworkUpdateMonitor(handler)
 	if err != nil {
 		err = E.Cause(err, "create NetworkUpdateMonitor")
 		return
@@ -184,14 +184,15 @@ func New(options LC.Tun, tcpIn chan<- C.ConnContext, udpIn chan<- C.PacketAdapte
 		return
 	}
 
-	defaultInterfaceMonitor, err := tun.NewDefaultInterfaceMonitor(networkUpdateMonitor, log.SingLogger, tun.DefaultInterfaceMonitorOptions{OverrideAndroidVPN: true})
+	defaultInterfaceMonitor, err := tun.NewDefaultInterfaceMonitor(networkUpdateMonitor, tun.DefaultInterfaceMonitorOptions{OverrideAndroidVPN: true})
 	if err != nil {
 		err = E.Cause(err, "create DefaultInterfaceMonitor")
 		return
 	}
 	l.defaultInterfaceMonitor = defaultInterfaceMonitor
-	defaultInterfaceMonitor.RegisterCallback(func(event int) {
+	defaultInterfaceMonitor.RegisterCallback(func(event int) error {
 		l.FlushDefaultInterface()
+		return nil
 	})
 	err = defaultInterfaceMonitor.Start()
 	if err != nil {

ntp/service.go

@@ -2,54 +2,53 @@ package ntp
 
 import (
 	"context"
+	"github.com/Dreamacro/clash/log"
+	"github.com/beevik/ntp"
 	"sync"
 	"time"
-
-	"github.com/Dreamacro/clash/component/dialer"
-	"github.com/Dreamacro/clash/component/proxydialer"
-	"github.com/Dreamacro/clash/log"
-
-	M "github.com/sagernet/sing/common/metadata"
-	"github.com/sagernet/sing/common/ntp"
 )
 
 var offset time.Duration
 var service *Service
 
 type Service struct {
-	server         M.Socksaddr
-	dialer         proxydialer.SingDialer
-	ticker         *time.Ticker
-	ctx            context.Context
-	cancel         context.CancelFunc
-	mu             sync.Mutex
-	syncSystemTime bool
-	running        bool
+	addr     string
+	interval time.Duration
+	ticker   *time.Ticker
+	ctx      context.Context
+	cancel   context.CancelFunc
+	mu       sync.Mutex
+	running  bool
 }
 
-func ReCreateNTPService(server string, interval time.Duration, dialerProxy string, syncSystemTime bool) {
+func ReCreateNTPService(addr string, interval time.Duration) {
 	if service != nil {
 		service.Stop()
 	}
 	ctx, cancel := context.WithCancel(context.Background())
-	service = &Service{
-		server:         M.ParseSocksaddr(server),
-		dialer:         proxydialer.NewByNameSingDialer(dialerProxy, dialer.NewDialer()),
-		ticker:         time.NewTicker(interval * time.Minute),
-		ctx:            ctx,
-		cancel:         cancel,
-		syncSystemTime: syncSystemTime,
-	}
+	service = &Service{addr: addr, interval: interval, ctx: ctx, cancel: cancel}
 	service.Start()
 }
 
 func (srv *Service) Start() {
 	srv.mu.Lock()
 	defer srv.mu.Unlock()
-	log.Infoln("NTP service start, sync system time is %t", srv.syncSystemTime)
+	log.Infoln("NTP service start")
+	srv.ticker = time.NewTicker(srv.interval * time.Minute)
 	service.running = true
-	srv.update()
-	go srv.loopUpdate()
+	go func() {
+		for {
+			err := srv.updateTime(srv.addr)
+			if err != nil {
+				log.Warnln("updateTime failed: %s", err)
+			}
+			select {
+			case <-srv.ticker.C:
+			case <-srv.ctx.Done():
+				return
+			}
+		}
+	}()
 }
 
 func (srv *Service) Stop() {
@@ -71,48 +70,20 @@ func (srv *Service) Running() bool {
 	return srv.running
 }
 
-func (srv *Service) update() {
-	var response *ntp.Response
-	var err error
-	for i := 0; i < 3; i++ {
-		response, err = ntp.Exchange(context.Background(), srv.dialer, srv.server)
-		if err != nil {
-			if i == 2 {
-				log.Errorln("Initialize NTP time failed: %s", err)
-				return
-			}
-			time.Sleep(time.Second * 2) // wait for 2 seconds before the next try
-			continue
-		}
-		break
+func (srv *Service) updateTime(addr string) error {
+	response, err := ntp.Query(addr)
+	if err != nil {
+		return err
 	}
-	offset = response.ClockOffset
+	localTime := time.Now()
+	ntpTime := response.Time
+	offset = localTime.Sub(ntpTime)
 	if offset > time.Duration(0) {
-		log.Infoln("System clock is ahead of NTP time by %s", offset)
+		log.Warnln("System clock is ahead of NTP time by %s", offset)
 	} else if offset < time.Duration(0) {
-		log.Infoln("System clock is behind NTP time by %s", -offset)
-	}
-	if srv.syncSystemTime {
-		timeNow := response.Time
-		err = setSystemTime(timeNow)
-		if err == nil {
-			log.Infoln("Sync system time success: %s", timeNow.Local().Format(ntp.TimeLayout))
-		} else {
-			log.Errorln("Write time to system: %s", err)
-			srv.syncSystemTime = false
-		}
-	}
-}
-
-func (srv *Service) loopUpdate() {
-	for {
-		select {
-		case <-srv.ctx.Done():
-			return
-		case <-srv.ticker.C:
-		}
-		srv.update()
+		log.Warnln("System clock is behind NTP time by %s", -offset)
 	}
+	return nil
 }
 
 func Now() time.Time {

ntp/time_stub.go

@@ -1,12 +0,0 @@
-//go:build !(windows || linux || darwin)
-
-package ntp
-
-import (
-	"os"
-	"time"
-)
-
-func setSystemTime(nowTime time.Time) error {
-	return os.ErrInvalid
-}

ntp/time_unix.go

@@ -1,14 +0,0 @@
-//go:build linux || darwin
-
-package ntp
-
-import (
-	"time"
-
-	"golang.org/x/sys/unix"
-)
-
-func setSystemTime(nowTime time.Time) error {
-	timeVal := unix.NsecToTimeval(nowTime.UnixNano())
-	return unix.Settimeofday(&timeVal)
-}

ntp/time_windows.go

@@ -1,32 +0,0 @@
-package ntp
-
-import (
-	"time"
-	"unsafe"
-
-	"golang.org/x/sys/windows"
-)
-
-func setSystemTime(nowTime time.Time) error {
-	var systemTime windows.Systemtime
-	systemTime.Year = uint16(nowTime.Year())
-	systemTime.Month = uint16(nowTime.Month())
-	systemTime.Day = uint16(nowTime.Day())
-	systemTime.Hour = uint16(nowTime.Hour())
-	systemTime.Minute = uint16(nowTime.Minute())
-	systemTime.Second = uint16(nowTime.Second())
-	systemTime.Milliseconds = uint16(nowTime.UnixMilli() - nowTime.Unix()*1000)
-
-	dllKernel32 := windows.NewLazySystemDLL("kernel32.dll")
-	proc := dllKernel32.NewProc("SetSystemTime")
-
-	_, _, err := proc.Call(
-		uintptr(unsafe.Pointer(&systemTime)),
-	)
-
-	if err != nil && err.Error() != "The operation completed successfully." {
-		return err
-	}
-
-	return nil
-}

rewrite/base.go

@@ -0,0 +1,72 @@
+package rewrites
+
+import (
+	"bytes"
+	"io"
+	"io/ioutil"
+
+	C "github.com/Dreamacro/clash/constant"
+)
+
+var (
+	EmptyDict   = NewResponseBody([]byte("{}"))
+	EmptyArray  = NewResponseBody([]byte("[]"))
+	OnePixelPNG = NewResponseBody([]byte{0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x08, 0x06, 0x00, 0x00, 0x00, 0x1f, 0x15, 0xc4, 0x89, 0x00, 0x00, 0x00, 0x11, 0x49, 0x44, 0x41, 0x54, 0x78, 0x9c, 0x62, 0x62, 0x60, 0x60, 0x60, 0x00, 0x04, 0x00, 0x00, 0xff, 0xff, 0x00, 0x0f, 0x00, 0x03, 0xfe, 0x8f, 0xeb, 0xcf, 0x00, 0x00, 0x00, 0x00, 0x49, 0x45, 0x4e, 0x44, 0xae, 0x42, 0x60, 0x82})
+)
+
+type Body interface {
+	Body() io.ReadCloser
+	ContentLength() int64
+}
+
+type ResponseBody struct {
+	data   []byte
+	length int64
+}
+
+func (r *ResponseBody) Body() io.ReadCloser {
+	return ioutil.NopCloser(bytes.NewReader(r.data))
+}
+
+func (r *ResponseBody) ContentLength() int64 {
+	return r.length
+}
+
+func NewResponseBody(data []byte) *ResponseBody {
+	return &ResponseBody{
+		data:   data,
+		length: int64(len(data)),
+	}
+}
+
+type RewriteRules struct {
+	request  []C.Rewrite
+	response []C.Rewrite
+}
+
+func (rr *RewriteRules) SearchInRequest(do func(C.Rewrite) bool) bool {
+	for _, v := range rr.request {
+		if do(v) {
+			return true
+		}
+	}
+	return false
+}
+
+func (rr *RewriteRules) SearchInResponse(do func(C.Rewrite) bool) bool {
+	for _, v := range rr.response {
+		if do(v) {
+			return true
+		}
+	}
+	return false
+}
+
+func NewRewriteRules(req []C.Rewrite, res []C.Rewrite) *RewriteRules {
+	return &RewriteRules{
+		request:  req,
+		response: res,
+	}
+}
+
+var _ C.RewriteRule = (*RewriteRules)(nil)

rewrite/handler.go

@@ -0,0 +1,212 @@
+package rewrites
+
+import (
+	"bufio"
+	"bytes"
+	"errors"
+	log "github.com/sirupsen/logrus"
+	"io"
+	"net/http"
+	"net/textproto"
+	"strconv"
+	"strings"
+
+	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/listener/mitm"
+	"github.com/Dreamacro/clash/tunnel"
+)
+
+var _ mitm.Handler = (*RewriteHandler)(nil)
+
+type RewriteHandler struct{}
+
+func (*RewriteHandler) HandleRequest(session *mitm.Session) (*http.Request, *http.Response) {
+	var (
+		request  = session.Request()
+		response *http.Response
+	)
+
+	rule, sub, found := matchRewriteRule(request.URL.String(), true)
+	if !found {
+		return nil, nil
+	}
+
+	log.Infof("[MITM] %s <- request %s", rule.RuleType().String(), request.URL.String())
+
+	switch rule.RuleType() {
+	case C.MitmReject:
+		response = session.NewResponse(http.StatusNotFound, nil)
+		response.Header.Set("Content-Type", "text/html; charset=utf-8")
+	case C.MitmReject200:
+		response = session.NewResponse(http.StatusOK, nil)
+		response.Header.Set("Content-Type", "text/html; charset=utf-8")
+	case C.MitmRejectImg:
+		response = session.NewResponse(http.StatusOK, OnePixelPNG.Body())
+		response.Header.Set("Content-Type", "image/png")
+		response.ContentLength = OnePixelPNG.ContentLength()
+	case C.MitmRejectDict:
+		response = session.NewResponse(http.StatusOK, EmptyDict.Body())
+		response.Header.Set("Content-Type", "application/json; charset=utf-8")
+		response.ContentLength = EmptyDict.ContentLength()
+	case C.MitmRejectArray:
+		response = session.NewResponse(http.StatusOK, EmptyArray.Body())
+		response.Header.Set("Content-Type", "application/json; charset=utf-8")
+		response.ContentLength = EmptyArray.ContentLength()
+	case C.Mitm302:
+		response = session.NewResponse(http.StatusFound, nil)
+		response.Header.Set("Location", rule.ReplaceURLPayload(sub))
+	case C.Mitm307:
+		response = session.NewResponse(http.StatusTemporaryRedirect, nil)
+		response.Header.Set("Location", rule.ReplaceURLPayload(sub))
+	case C.MitmRequestHeader:
+		if len(request.Header) == 0 {
+			return nil, nil
+		}
+
+		rawHeader := &bytes.Buffer{}
+		oldHeader := request.Header
+		if err := oldHeader.Write(rawHeader); err != nil {
+			return nil, nil
+		}
+
+		newRawHeader := rule.ReplaceSubPayload(rawHeader.String())
+		tb := textproto.NewReader(bufio.NewReader(strings.NewReader(newRawHeader)))
+		newHeader, err := tb.ReadMIMEHeader()
+		if err != nil && !errors.Is(err, io.EOF) {
+			return nil, nil
+		}
+		request.Header = http.Header(newHeader)
+	case C.MitmRequestBody:
+		if !CanRewriteBody(request.ContentLength, request.Header.Get("Content-Type")) {
+			return nil, nil
+		}
+
+		buf := make([]byte, request.ContentLength)
+		_, err := io.ReadFull(request.Body, buf)
+		if err != nil {
+			return nil, nil
+		}
+
+		newBody := rule.ReplaceSubPayload(string(buf))
+		request.Body = io.NopCloser(strings.NewReader(newBody))
+		request.ContentLength = int64(len(newBody))
+	default:
+		found = false
+	}
+
+	if found {
+		if response != nil {
+			response.Close = true
+		}
+		return request, response
+	}
+	return nil, nil
+}
+
+func (*RewriteHandler) HandleResponse(session *mitm.Session) *http.Response {
+	var (
+		request  = session.Request()
+		response = session.Response()
+	)
+
+	rule, _, found := matchRewriteRule(request.URL.String(), false)
+	found = found && rule.RuleRegx() != nil
+	if !found {
+		return nil
+	}
+
+	log.Infof("[MITM] %s <- response %s", rule.RuleType().String(), request.URL.String())
+
+	switch rule.RuleType() {
+	case C.MitmResponseHeader:
+		if len(response.Header) == 0 {
+			return nil
+		}
+
+		rawHeader := &bytes.Buffer{}
+		oldHeader := response.Header
+		if err := oldHeader.Write(rawHeader); err != nil {
+			return nil
+		}
+
+		newRawHeader := rule.ReplaceSubPayload(rawHeader.String())
+		tb := textproto.NewReader(bufio.NewReader(strings.NewReader(newRawHeader)))
+		newHeader, err := tb.ReadMIMEHeader()
+		if err != nil && !errors.Is(err, io.EOF) {
+			return nil
+		}
+
+		response.Header = http.Header(newHeader)
+		response.Header.Set("Content-Length", strconv.FormatInt(response.ContentLength, 10))
+	case C.MitmResponseBody:
+		if !CanRewriteBody(response.ContentLength, response.Header.Get("Content-Type")) {
+			return nil
+		}
+
+		b, err := mitm.ReadDecompressedBody(response)
+		_ = response.Body.Close()
+		if err != nil {
+			return nil
+		}
+
+		//body, err := mitm.DecodeLatin1(bytes.NewReader(b))
+		//if err != nil {
+		//	return nil
+		//}
+
+		newBody := rule.ReplaceSubPayload(string(b))
+
+		//modifiedBody, err := mitm.EncodeLatin1(newBody)
+		//if err != nil {
+		//	return nil
+		//}
+		modifiedBody := []byte(newBody)
+
+		response.Body = io.NopCloser(bytes.NewReader(modifiedBody))
+		response.Header.Del("Content-Encoding")
+		response.ContentLength = int64(len(modifiedBody))
+	default:
+		found = false
+	}
+
+	if found {
+		return response
+	}
+	return nil
+}
+
+func (h *RewriteHandler) HandleApiRequest(*mitm.Session) bool {
+	return false
+}
+
+// HandleError session maybe nil
+func (h *RewriteHandler) HandleError(*mitm.Session, error) {}
+
+func matchRewriteRule(url string, isRequest bool) (rr C.Rewrite, sub []string, found bool) {
+	rewrites := tunnel.Rewrites()
+	if isRequest {
+		found = rewrites.SearchInRequest(func(r C.Rewrite) bool {
+			sub, err := r.URLRegx().FindStringMatch(url)
+			if err != nil || sub == nil {
+				return false
+			}
+
+			rr = r
+			var groups []string
+			for _, fg := range sub.Groups() {
+				groups = append(groups, fg.String())
+			}
+			return true
+		})
+	} else {
+		found = rewrites.SearchInResponse(func(r C.Rewrite) bool {
+			if b, err := r.URLRegx().MatchString(url); b && err == nil {
+				rr = r
+				return true
+			}
+			return false
+		})
+	}
+
+	return
+}

rewrite/parser.go

@@ -0,0 +1,53 @@
+package rewrites
+
+import (
+	regexp "github.com/dlclark/regexp2"
+	"strings"
+
+	C "github.com/Dreamacro/clash/constant"
+)
+
+func ParseRewrite(line RawMitmRule) (C.Rewrite, error) {
+	var (
+		urlRegx     *regexp.Regexp
+		ruleType    *C.RewriteType
+		ruleRegx    *regexp.Regexp
+		rulePayload string
+
+		err error
+	)
+
+	url := line.Url
+	urlRegx, err = regexp.Compile(strings.Trim(url, " "), regexp.None)
+	if err != nil {
+		return nil, err
+	}
+
+	ruleType = &line.Action
+	switch *ruleType {
+	case C.Mitm302, C.Mitm307:
+		{
+			rulePayload = line.New
+			break
+		}
+	case C.MitmRequestHeader, C.MitmRequestBody, C.MitmResponseHeader, C.MitmResponseBody:
+		{
+			var old string
+			if line.Old == nil {
+				old = ".*"
+			} else {
+				old = *line.Old
+			}
+
+			re, err := regexp.Compile(old, regexp.Singleline)
+			if err != nil {
+				return nil, err
+			}
+			ruleRegx = re
+
+			rulePayload = line.New
+		}
+	}
+
+	return NewRewriteRule(urlRegx, *ruleType, ruleRegx, rulePayload), nil
+}

rewrite/rewrite.go

@@ -0,0 +1,105 @@
+package rewrites
+
+import (
+	regexp "github.com/dlclark/regexp2"
+	"strconv"
+	"strings"
+
+	C "github.com/Dreamacro/clash/constant"
+
+	"github.com/gofrs/uuid"
+)
+
+type RawMitmRule struct {
+	Url    string        `yaml:"url" json:"url"`
+	Action C.RewriteType `yaml:"action" json:"action"`
+	Old    *string       `yaml:"old" json:"old"`
+	New    string        `yaml:"new" json:"new"`
+}
+
+type RewriteRule struct {
+	id          string
+	urlRegx     *regexp.Regexp
+	ruleType    C.RewriteType
+	ruleRegx    *regexp.Regexp
+	rulePayload string
+}
+
+func (r *RewriteRule) ID() string {
+	return r.id
+}
+
+func (r *RewriteRule) URLRegx() *regexp.Regexp {
+	return r.urlRegx
+}
+
+func (r *RewriteRule) RuleType() C.RewriteType {
+	return r.ruleType
+}
+
+func (r *RewriteRule) RuleRegx() *regexp.Regexp {
+	return r.ruleRegx
+}
+
+func (r *RewriteRule) RulePayload() string {
+	return r.rulePayload
+}
+
+func (r *RewriteRule) ReplaceURLPayload(matchSub []string) string {
+	url := r.rulePayload
+
+	l := len(matchSub)
+	if l < 2 {
+		return url
+	}
+
+	for i := 1; i < l; i++ {
+		url = strings.ReplaceAll(url, "$"+strconv.Itoa(i), matchSub[i])
+	}
+	return url
+}
+
+func (r *RewriteRule) ReplaceSubPayload(oldData string) string {
+	payload := r.rulePayload
+
+	if r.ruleRegx == nil {
+		return oldData
+	}
+
+	sub, err := r.ruleRegx.FindStringMatch(oldData)
+
+	for err == nil && sub != nil {
+		var (
+			groups   []string
+			sPayload = payload
+		)
+		for _, fg := range sub.Groups() {
+			groups = append(groups, fg.String())
+		}
+
+		l := len(groups)
+
+		for i := 1; i < l; i++ {
+			sPayload = strings.Replace(payload, "$"+strconv.Itoa(i), groups[i], 1)
+		}
+
+		oldData = strings.Replace(oldData, groups[0], sPayload, 1)
+
+		sub, err = r.ruleRegx.FindNextMatch(sub)
+	}
+
+	return oldData
+}
+
+func NewRewriteRule(urlRegx *regexp.Regexp, ruleType C.RewriteType, ruleRegx *regexp.Regexp, rulePayload string) *RewriteRule {
+	id, _ := uuid.NewV4()
+	return &RewriteRule{
+		id:          id.String(),
+		urlRegx:     urlRegx,
+		ruleType:    ruleType,
+		ruleRegx:    ruleRegx,
+		rulePayload: rulePayload,
+	}
+}
+
+var _ C.Rewrite = (*RewriteRule)(nil)

rewrite/util.go

@@ -0,0 +1,28 @@
+package rewrites
+
+import (
+	"strings"
+)
+
+var allowContentType = []string{
+	"text/",
+	"application/xhtml",
+	"application/xml",
+	"application/atom+xml",
+	"application/json",
+	"application/x-www-form-urlencoded",
+}
+
+func CanRewriteBody(contentLength int64, contentType string) bool {
+	if contentLength <= 0 {
+		return false
+	}
+
+	for _, v := range allowContentType {
+		if strings.HasPrefix(contentType, v) {
+			return true
+		}
+	}
+
+	return false
+}

rules/common/user_gent.go

@@ -0,0 +1,52 @@
+package common
+
+import (
+	"strings"
+
+	C "github.com/Dreamacro/clash/constant"
+)
+
+type UserAgent struct {
+	*Base
+	ua      string
+	adapter string
+}
+
+func (d *UserAgent) RuleType() C.RuleType {
+	return C.UserAgent
+}
+
+func (d *UserAgent) Match(metadata *C.Metadata) (bool, string) {
+	if metadata.Type != C.MITM || metadata.UserAgent == "" {
+		return false, d.adapter
+	}
+
+	return strings.Contains(metadata.UserAgent, d.ua), d.adapter
+}
+
+func (d *UserAgent) Adapter() string {
+	return d.adapter
+}
+
+func (d *UserAgent) Payload() string {
+	return d.ua
+}
+
+func (d *UserAgent) ShouldResolveIP() bool {
+	return false
+}
+
+func NewUserAgent(ua string, adapter string) (*UserAgent, error) {
+	ua = strings.Trim(ua, "*")
+	if ua == "" {
+		return nil, errPayload
+	}
+
+	return &UserAgent{
+		Base:    &Base{},
+		ua:      ua,
+		adapter: adapter,
+	}, nil
+}
+
+var _ C.Rule = (*UserAgent)(nil)

test/go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/docker/go-connections v0.4.0
 	github.com/miekg/dns v1.1.55
 	github.com/stretchr/testify v1.8.4
-	golang.org/x/net v0.15.0
+	golang.org/x/net v0.14.0
 )
 
 replace github.com/Dreamacro/clash => ../
@@ -20,6 +20,7 @@ require (
 	github.com/Yawning/aez v0.0.0-20211027044916-e49e68abd344 // indirect
 	github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da // indirect
 	github.com/andybalholm/brotli v1.0.5 // indirect
+	github.com/beevik/ntp v1.3.0 // indirect
 	github.com/cilium/ebpf v0.11.0 // indirect
 	github.com/coreos/go-iptables v0.7.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@@ -42,7 +43,7 @@ require (
 	github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/hashicorp/yamux v0.1.1 // indirect
-	github.com/insomniacslk/dhcp v0.0.0-20230908212754-65c27093e38a // indirect
+	github.com/insomniacslk/dhcp v0.0.0-20230731140434-0f9eb93a696c // indirect
 	github.com/josharian/native v1.1.0 // indirect
 	github.com/jpillora/backoff v1.0.0 // indirect
 	github.com/klauspost/compress v1.16.7 // indirect
@@ -53,7 +54,7 @@ require (
 	github.com/mdlayher/socket v0.4.1 // indirect
 	github.com/metacubex/gopacket v1.1.20-0.20230608035415-7e2f98a3e759 // indirect
 	github.com/metacubex/gvisor v0.0.0-20230611153922-78842f086475 // indirect
-	github.com/metacubex/quic-go v0.38.1-0.20230909013832-033f6a2115cf // indirect
+	github.com/metacubex/quic-go v0.38.1-0.20230821081539-517fdb17fb28 // indirect
 	github.com/metacubex/sing-shadowsocks v0.2.4 // indirect
 	github.com/metacubex/sing-shadowsocks2 v0.1.3 // indirect
 	github.com/metacubex/sing-tun v0.1.11 // indirect
@@ -74,7 +75,7 @@ require (
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/puzpuzpuz/xsync/v2 v2.5.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
-	github.com/quic-go/qtls-go1-20 v0.3.3 // indirect
+	github.com/quic-go/qtls-go1-20 v0.3.2 // indirect
 	github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 // indirect
 	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 // indirect
 	github.com/sagernet/sing v0.2.10-0.20230807080248-4db0062caa0a // indirect
@@ -86,29 +87,40 @@ require (
 	github.com/sagernet/wireguard-go v0.0.0-20230807125731-5d4a7ef2dc5f // indirect
 	github.com/samber/lo v1.38.1 // indirect
 	github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 // indirect
-	github.com/shirou/gopsutil/v3 v3.23.8 // indirect
+	github.com/shirou/gopsutil/v3 v3.23.7 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/sina-ghaderi/poly1305 v0.0.0-20220724002748-c5926b03988b // indirect
 	github.com/sina-ghaderi/rabaead v0.0.0-20220730151906-ab6e06b96e8c // indirect
 	github.com/sina-ghaderi/rabbitio v0.0.0-20220730151941-9ce26f4f872e // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/tklauser/go-sysconf v0.3.12 // indirect
-	github.com/tklauser/numcpus v0.6.1 // indirect
+	github.com/tklauser/go-sysconf v0.3.11 // indirect
+	github.com/tklauser/numcpus v0.6.0 // indirect
 	github.com/u-root/uio v0.0.0-20230220225925-ffce2a382923 // indirect
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
+	github.com/xtls/go v0.0.0-20210920065950-d4af136d3672 // indirect
 	github.com/yusufpapurcu/wmi v1.2.3 // indirect
 	github.com/zhangyunhao116/fastrand v0.3.0 // indirect
 	gitlab.com/yawning/bsaes.git v0.0.0-20190805113838-0a714cd429ec // indirect
 	go.etcd.io/bbolt v1.3.7 // indirect
-	golang.org/x/crypto v0.13.0 // indirect
-	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
-	golang.org/x/mod v0.12.0 // indirect
+	go.uber.org/atomic v1.9.0 // indirect
+	golang.org/x/crypto v0.12.0 // indirect
+	golang.org/x/exp v0.0.0-20230811145659-89c5cff77bcb // indirect
+	golang.org/x/mod v0.11.0 // indirect
 	golang.org/x/sync v0.3.0 // indirect
-	golang.org/x/sys v0.12.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/sys v0.11.0 // indirect
+	golang.org/x/text v0.12.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.13.0 // indirect
+	golang.org/x/tools v0.9.1 // indirect
+	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
+	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
+	golang.zx2c4.com/wireguard v0.0.0-20220318042302-193cf8d6a5d6 // indirect
+	golang.zx2c4.com/wireguard/windows v0.5.4-0.20220317000008-6432784c2469 // indirect
+	google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect
+	google.golang.org/grpc v1.53.0-dev.0.20230123225046-4075ef07c5d5 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	gotest.tools/v3 v3.4.0 // indirect
+	gvisor.dev/gvisor v0.0.0-20220326024801-5d1f3d24cb84 // indirect
 	lukechampine.com/blake3 v1.2.1 // indirect
 )

transport/hysteria/pmtud_fix/avail.go

@@ -1,4 +1,5 @@
-//go:build linux || windows || darwin
+//go:build linux || windows
+// +build linux windows
 
 package pmtud_fix
 

transport/hysteria/pmtud_fix/unavail.go

@@ -1,4 +1,5 @@
-//go:build !linux && !windows && !darwin
+//go:build !linux && !windows
+// +build !linux,!windows
 
 package pmtud_fix
 

transport/sing-shadowtls/shadowtls.go

@@ -5,7 +5,6 @@ import (
 	"crypto/tls"
 	"net"
 
-	"github.com/Dreamacro/clash/component/ca"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"github.com/Dreamacro/clash/log"
 
@@ -40,9 +39,12 @@ func NewShadowTLS(ctx context.Context, conn net.Conn, option *ShadowTLSOption) (
 	}
 
 	var err error
-	tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint)
-	if err != nil {
-		return nil, err
+	if len(option.Fingerprint) == 0 {
+		tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
+	} else {
+		if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint); err != nil {
+			return nil, err
+		}
 	}
 
 	tlsHandshake := shadowtls.DefaultTLSHandshakeFunc(option.Password, tlsConfig)

transport/trojan/trojan.go

@@ -14,7 +14,6 @@ import (
 
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/common/pool"
-	"github.com/Dreamacro/clash/component/ca"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/socks5"
@@ -78,10 +77,13 @@ func (t *Trojan) StreamConn(ctx context.Context, conn net.Conn) (net.Conn, error
 		ServerName:         t.option.ServerName,
 	}
 
-	var err error
-	tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, t.option.Fingerprint)
-	if err != nil {
-		return nil, err
+	if len(t.option.Fingerprint) == 0 {
+		tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
+	} else {
+		var err error
+		if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, t.option.Fingerprint); err != nil {
+			return nil, err
+		}
 	}
 
 	if len(t.option.ClientFingerprint) != 0 {
@@ -110,7 +112,7 @@ func (t *Trojan) StreamConn(ctx context.Context, conn net.Conn) (net.Conn, error
 	ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
 	defer cancel()
 
-	err = tlsConn.HandshakeContext(ctx)
+	err := tlsConn.HandshakeContext(ctx)
 	return tlsConn, err
 }
 

transport/tuic/common/congestion.go

@@ -13,9 +13,7 @@ const (
 )
 
 func SetCongestionController(quicConn quic.Connection, cc string, cwnd int) {
-	if cwnd == 0 {
-		cwnd = 32
-	}
+	CWND := c.ByteCount(cwnd)
 	switch cc {
 	case "cubic":
 		quicConn.SetCongestionControl(
@@ -40,7 +38,7 @@ func SetCongestionController(quicConn quic.Connection, cc string, cwnd int) {
 			congestion.NewBBRSender(
 				congestion.DefaultClock{},
 				congestion.GetInitialPacketSize(quicConn.RemoteAddr()),
-				c.ByteCount(cwnd)*congestion.InitialMaxDatagramSize,
+				CWND*congestion.InitialMaxDatagramSize,
 				congestion.DefaultBBRMaxCongestionWindow*congestion.InitialMaxDatagramSize,
 			),
 		)

transport/tuic/congestion/minmax.go

@@ -3,11 +3,27 @@ package congestion
 import (
 	"math"
 	"time"
+
+	"golang.org/x/exp/constraints"
 )
 
 // InfDuration is a duration of infinite length
 const InfDuration = time.Duration(math.MaxInt64)
 
+func Max[T constraints.Ordered](a, b T) T {
+	if a < b {
+		return b
+	}
+	return a
+}
+
+func Min[T constraints.Ordered](a, b T) T {
+	if a < b {
+		return a
+	}
+	return b
+}
+
 // MinNonZeroDuration return the minimum duration that's not zero.
 func MinNonZeroDuration(a, b time.Duration) time.Duration {
 	if a == 0 {

transport/tuic/congestion/minmax_go120.go

@@ -1,19 +0,0 @@
-//go:build !go1.21
-
-package congestion
-
-import "golang.org/x/exp/constraints"
-
-func Max[T constraints.Ordered](a, b T) T {
-	if a < b {
-		return b
-	}
-	return a
-}
-
-func Min[T constraints.Ordered](a, b T) T {
-	if a < b {
-		return a
-	}
-	return b
-}

transport/tuic/congestion/minmax_go121.go

@@ -1,13 +0,0 @@
-//go:build go1.21
-
-package congestion
-
-import "cmp"
-
-func Max[T cmp.Ordered](a, b T) T {
-	return max(a, b)
-}
-
-func Min[T cmp.Ordered](a, b T) T {
-	return min(a, b)
-}

transport/tuic/server.go

@@ -223,10 +223,6 @@ func NewServer(option *ServerOption, pc net.PacketConn) (*Server, error) {
 		}
 	}
 	if len(option.Users) > 0 {
-		maxUdpRelayPacketSize := option.MaxUdpRelayPacketSize
-		if maxUdpRelayPacketSize > MaxFragSizeV5 {
-			maxUdpRelayPacketSize = MaxFragSizeV5
-		}
 		server.optionV5 = &v5.ServerOption{
 			HandleTcpFn:           option.HandleTcpFn,
 			HandleUdpFn:           option.HandleUdpFn,

transport/tuic/tuic.go

@@ -30,7 +30,6 @@ const DefaultConnectionReceiveWindow = common.DefaultConnectionReceiveWindow
 var GenTKN = v4.GenTKN
 var PacketOverHeadV4 = v4.PacketOverHead
 var PacketOverHeadV5 = v5.PacketOverHead
-var MaxFragSizeV5 = v5.MaxFragSize
 
 type UdpRelayMode = common.UdpRelayMode
 

transport/tuic/v5/frag.go

@@ -9,11 +9,6 @@ import (
 	"github.com/metacubex/quic-go"
 )
 
-// MaxFragSize is a safe udp relay packet size
-// because tuicv5 support udp fragment so we unneeded to do a magic modify for quic-go to increase MaxDatagramFrameSize
-// it may not work fine in some platform
-var MaxFragSize = 1200 - PacketOverHead
-
 func fragWriteNative(quicConn quic.Connection, packet Packet, buf *bytes.Buffer, fragSize int) (err error) {
 	fullPayload := packet.DATA
 	off := 0

transport/tuic/v5/packet.go

@@ -96,10 +96,10 @@ func (q *quicStreamPacketConn) SetWriteDeadline(t time.Time) error {
 }
 
 func (q *quicStreamPacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
-	if inputConn := q.inputConn; inputConn != nil { // copy inputConn avoid be nil in for loop
+	if q.inputConn != nil {
 		for {
 			var packet Packet
-			packet, err = ReadPacket(inputConn)
+			packet, err = ReadPacket(q.inputConn)
 			if err != nil {
 				return
 			}
@@ -116,10 +116,10 @@ func (q *quicStreamPacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err err
 }
 
 func (q *quicStreamPacketConn) WaitReadFrom() (data []byte, put func(), addr net.Addr, err error) {
-	if inputConn := q.inputConn; inputConn != nil { // copy inputConn avoid be nil in for loop
+	if q.inputConn != nil {
 		for {
 			var packet Packet
-			packet, err = ReadPacket(inputConn)
+			packet, err = ReadPacket(q.inputConn)
 			if err != nil {
 				return
 			}

transport/v2ray-plugin/websocket.go

@@ -6,7 +6,7 @@ import (
 	"net"
 	"net/http"
 
-	"github.com/Dreamacro/clash/component/ca"
+	tlsC "github.com/Dreamacro/clash/component/tls"
 	"github.com/Dreamacro/clash/transport/vmess"
 )
 
@@ -43,10 +43,13 @@ func NewV2rayObfs(ctx context.Context, conn net.Conn, option *Option) (net.Conn,
 			InsecureSkipVerify: option.SkipCertVerify,
 			NextProtos:         []string{"http/1.1"},
 		}
-		var err error
-		config.TLSConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint)
-		if err != nil {
-			return nil, err
+		if len(option.Fingerprint) == 0 {
+			config.TLSConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
+		} else {
+			var err error
+			if config.TLSConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint); err != nil {
+				return nil, err
+			}
 		}
 
 		if host := config.Headers.Get("Host"); host != "" {

transport/vmess/tls.go

@@ -6,7 +6,6 @@ import (
 	"errors"
 	"net"
 
-	"github.com/Dreamacro/clash/component/ca"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 )
 
@@ -26,10 +25,13 @@ func StreamTLSConn(ctx context.Context, conn net.Conn, cfg *TLSConfig) (net.Conn
 		NextProtos:         cfg.NextProtos,
 	}
 
-	var err error
-	tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, cfg.FingerPrint)
-	if err != nil {
-		return nil, err
+	if len(cfg.FingerPrint) == 0 {
+		tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
+	} else {
+		var err error
+		if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, cfg.FingerPrint); err != nil {
+			return nil, err
+		}
 	}
 
 	if len(cfg.ClientFingerprint) != 0 {
@@ -49,7 +51,7 @@ func StreamTLSConn(ctx context.Context, conn net.Conn, cfg *TLSConfig) (net.Conn
 
 	tlsConn := tls.Client(conn, tlsConfig)
 
-	err = tlsConn.HandshakeContext(ctx)
+	err := tlsConn.HandshakeContext(ctx)
 	return tlsConn, err
 }