history-museum/Clash.Meta
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Updated Configuring example (markdown)

Larvan2 2023-02-13 17:50:11 +08:00
parent b8451d15bc
commit 129fcf3ce7
1 changed files with 248 additions and 242 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

490
Configuring-example.md

@ -1,5 +1,5 @@
这是一个使用 [Alpha](https: //github.com/MetaCubeX/Clash.Meta/tree/Alpha) 分支的配置文件示例,完整配置见[此处](https: //github.com/MetaCubeX/Clash.Meta/blob/Alpha/docs/config.yaml)。
这是一个使用 [Alpha](https://github.com/MetaCubeX/Clash.Meta/tree/Alpha) 分支的配置文件示例,完整配置见[此处](https://github.com/MetaCubeX/Clash.Meta/blob/Alpha/docs/config.yaml)。
@ -10,14 +10,16 @@
- [tunnels](#tunnels)
- [DNS 配置](#dns-配置)
- [Proxies](#proxies)
- [Shadowsocks](#shadowsocks)
- [ShadowsocksR](#shadowsocksr)
- [vmess](#vmess)
- [Socks \& HTTP](#socks--http)
- [Socks](#socks)
- [HTTP](#http)
- [VLESS](#vless)
- [Snell](#snell)
- [Trojan](#trojan)
- [Hysteria](#hysteria)
- [Tuic](#tuic)
- [ShadowsocksR](#shadowsocksr)
- [Wireguard](#wireguard)
- [Proxy-groups](#proxy-groups)
- [Providers](#providers)
@ -26,254 +28,254 @@
- [Rules](#rules)
- [Listeners](#listeners)
- [入口配置](#入口配置)
- [ss-config:](#ss-config)
- [vmess-config:](#vmess-config)
- [ss-config](#ss-config)
- [vmess-config](#vmess-config)
- [tuic 服务器入口](#tuic-服务器入口)
## General
```yaml
# port: 7890 # HTTP(S) 代理服务器端口
# socks-port: 7891 # SOCKS5 代理端口
# port:7890 # HTTP(S) 代理服务器端口
# socks-port:7891 # SOCKS5 代理端口
mixed-port: 10801 # HTTP(S) 和 SOCKS 代理混合端口
# redir-port: 7892 # 透明代理端口,用于 Linux 和 MacOS
# redir-port:7892 # 透明代理端口,用于 Linux 和 MacOS
# Transparent proxy server port for Linux (TProxy TCP and TProxy UDP)
# tproxy-port: 7893
# tproxy-port:7893
allow-lan: true # 允许局域网连接
bind-address: "*" # 绑定 IP 地址,仅作用于 allow-lan 为 true'*'表示所有地址
allow-lan:true # 允许局域网连接
bind-address:"*" # 绑定 IP 地址,仅作用于 allow-lan 为 true'*'表示所有地址
# find-process-mode has 3 values: always, strict, off
# find-process-mode has 3 values:always, strict, off
# - always, 开启,强制匹配所有进程
# - strict, 默认,由 clash 判断是否开启
# - off, 不匹配进程,推荐在路由器上使用此模式
find-process-mode: strict
find-process-mode:strict
mode: rule
mode:rule
#自定义 geodata url
geox-url:
geoip: "https: //cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geoip.dat"
geosite: "https: //cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geosite.dat"
mmdb: "https: //cdn.jsdelivr.net/gh/Loyalsoldier/geoip@release/Country.mmdb"
geox-url:
geoip:"https://cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geoip.dat"
geosite:"https://cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geosite.dat"
mmdb:"https://cdn.jsdelivr.net/gh/Loyalsoldier/geoip@release/Country.mmdb"
log-level: debug # 日志等级 silent/error/warning/info/debug
log-level:debug # 日志等级 silent/error/warning/info/debug
ipv6: true # 开启 IPv6 总开关,关闭阻断所有 IPv6 链接和屏蔽 DNS 请求 AAAA 记录
ipv6:true # 开启 IPv6 总开关,关闭阻断所有 IPv6 链接和屏蔽 DNS 请求 AAAA 记录
tls:
certificate: string # 证书 PEM 格式,或者 证书的路径
private-key: string # 证书对应的私钥 PEM 格式,或者私钥路径
tls:
certificate:string # 证书 PEM 格式,或者 证书的路径
private-key:string # 证书对应的私钥 PEM 格式,或者私钥路径
external-controller: 0.0.0.0: 9093 # RESTful API 监听地址
external-controller-tls: 0.0.0.0: 9443 # RESTful API HTTPS 监听地址,需要配置 tls 部分配置文件
# secret: "123456" # `Authorization: Bearer ${secret}`
external-controller:0.0.0.0:9093 # RESTful API 监听地址
external-controller-tls:0.0.0.0:9443 # RESTful API HTTPS 监听地址,需要配置 tls 部分配置文件
# secret:"123456" # `Authorization:Bearer ${secret}`
# tcp-concurrent: true # TCP 并发连接所有 IP, 将使用最快握手的 TCP
external-ui: /path/to/ui/folder # 配置 WEB UI 目录,使用 http: //{{external-controller}}/ui 访问
# tcp-concurrent:true # TCP 并发连接所有 IP, 将使用最快握手的 TCP
external-ui:/path/to/ui/folder # 配置 WEB UI 目录,使用 http://{{external-controller}}/ui 访问
# interface-name: en0 # 设置出口网卡
# interface-name:en0 # 设置出口网卡
# global-client-fingerprint: 全局 TLS 指纹,优先低于 proxy 内的 client-fingerprint
# accepts "chrome","firefox","safari","ios","random","none" options.
# Utls is currently support TLS transport in TCP/grpc/WS/HTTP for VLESS/Vmess and trojan.
global-client-fingerprint: chrome
# routing-mark: 6666 # 配置 fwmark 仅用于 Linux
experimental:
# routing-mark:6666 # 配置 fwmark 仅用于 Linux
experimental:
# 类似于 /etc/hosts, 仅支持配置单个 IP
hosts:
# '*.clash.dev': 127.0.0.1
# '.dev': 127.0.0.1
# 'alpha.clash.dev': ': : 1'
hosts:
# '*.clash.dev':127.0.0.1
# '.dev':127.0.0.1
# 'alpha.clash.dev':'::1'
profile:
profile:
# 存储 select 选择记录
store-selected: false
store-selected:false
# 持久化 fake-ip
store-fake-ip: true
store-fake-ip:true
```
## Tun
Supports macOS, Linux and Windows.
Built-in [Wintun](https: //www.wintun.net) driver.
Built-in [Wintun](https://www.wintun.net) driver.
```yaml
tun:
enable: false
stack: system # gvisor / lwip
dns-hijack:
- 0.0.0.0: 53 # 需要劫持的 DNS
auto-detect-interface: true # 自动识别出口网卡
auto-route: true # 配置路由表
# mtu: 9000 # 最大传输单元
# strict_route: true # 将所有连接路由到 tun 来防止泄漏,但你的设备将无法其他设备被访问
# inet4_route_address: # 启用 auto_route 时使用自定义路由而不是默认路由
tun:
enable:false
stack:system # gvisor / lwip
dns-hijack:
- 0.0.0.0:53 # 需要劫持的 DNS
auto-detect-interface:true # 自动识别出口网卡
auto-route:true # 配置路由表
# mtu:9000 # 最大传输单元
# strict_route:true # 将所有连接路由到 tun 来防止泄漏,但你的设备将无法其他设备被访问
# inet4_route_address:# 启用 auto_route 时使用自定义路由而不是默认路由
# - 0.0.0.0/1
# - 128.0.0.0/1
# inet6_route_address: # 启用 auto_route 时使用自定义路由而不是默认路由
# - ": : /1"
# - "8000: : /1"
# endpoint_independent_nat: false # 启用独立于端点的 NAT
# include_uid: # UID 规则仅在 Linux 下被支持,并且需要 auto_route
# inet6_route_address:# 启用 auto_route 时使用自定义路由而不是默认路由
# - "::/1"
# - "8000::/1"
# endpoint_independent_nat:false # 启用独立于端点的 NAT
# include_uid:# UID 规则仅在 Linux 下被支持,并且需要 auto_route
# - 0
# include_uid_range: # 限制被路由的的用户范围
# include_uid_range:# 限制被路由的的用户范围
# - 1000-99999
# exclude_uid: # 排除路由的的用户
# exclude_uid:# 排除路由的的用户
#- 1000
# exclude_uid_range: # 排除路由的的用户范围
# exclude_uid_range:# 排除路由的的用户范围
# - 1000-99999
# Android 用户和应用规则仅在 Android 下被支持
# 并且需要 auto_route
# include_android_user: # 限制被路由的 Android 用户
# include_android_user:# 限制被路由的 Android 用户
# - 0
# - 10
# include_package: # 限制被路由的 Android 应用包名
# include_package:# 限制被路由的 Android 应用包名
# - com.android.chrome
# exclude_package: # 排除被路由的 Android 应用包名
# exclude_package:# 排除被路由的 Android 应用包名
# - com.android.captiveportallogin
```
## ebpf
```yaml
ebpf:
auto-redir: # redirect 模式,仅支持 TCP
ebpf:
auto-redir:# redirect 模式,仅支持 TCP
- eth0
redirect-to-tun: # UDP+TCP 使用该功能请勿启用 auto-route
redirect-to-tun:# UDP+TCP 使用该功能请勿启用 auto-route
- eth0
```
## sniffer
```yaml
sniffer:
enable: false
sniffer:
enable:false
## 对 redir-host 类型识别的流量进行强制嗅探
## 如Tun、Redir 和 TProxy 并 DNS 为 redir-host 皆属于
# force-dns-mapping: false
# force-dns-mapping:false
## 对所有未获取到域名的流量进行强制嗅探
# parse-pure-ip: false
# parse-pure-ip:false
# 是否使用嗅探结果作为实际访问,默认 true
# 全局配置,优先级低于 sniffer.sniff 实际配置
override-destination: false
sniff:
override-destination:false
sniff:
# TLS 默认如果不配置 ports 默认嗅探 443
TLS:
# ports: [443, 8443]
TLS:
# ports:[443, 8443]
# 默认嗅探 80
HTTP:
HTTP:
# 需要嗅探的端口
ports: [80, 8080-8880]
ports:[80, 8080-8880]
# 可覆盖 sniffer.override-destination
override-destination: true
force-domain:
override-destination:true
force-domain:
- +.v2ex.com
## 对嗅探结果进行跳过
# skip-domain:
# skip-domain:
# - Mijia Cloud
```
## tunnels
```yaml
tunnels:
tunnels:
# one line config
- tcp/udp,127.0.0.1: 6553,114.114.114.114: 53,proxy
- tcp,127.0.0.1: 6666,rds.mysql.com: 3306,vpn
- tcp/udp,127.0.0.1:6553,114.114.114.114:53,proxy
- tcp,127.0.0.1:6666,rds.mysql.com:3306,vpn
# full yaml config
- network: [tcp, udp]
address: 127.0.0.1: 7777
target: target.com
proxy: proxy
- network:[tcp, udp]
address:127.0.0.1:7777
target:target.com
proxy:proxy
```
## DNS 配置
```yaml
dns:
enable: false # 关闭将使用系统 DNS
prefer-h3: true # 开启 DoH 支持 HTTP/3将并发尝试
listen: 0.0.0.0: 5353 # 开启 DNS 服务器监听
# ipv6: false # false 将返回 AAAA 的空结果
dns:
enable:false # 关闭将使用系统 DNS
prefer-h3:true # 开启 DoH 支持 HTTP/3将并发尝试
listen:0.0.0.0:5353 # 开启 DNS 服务器监听
# ipv6:false # false 将返回 AAAA 的空结果
# 用于解析 nameserverfallback 以及其他 DNS 服务器配置的DNS 服务域名
# 只能使用纯 IP 地址,可使用加密 DNS
default-nameserver:
default-nameserver:
- 114.114.114.114
- tls: //1.12.12.12: 853
- tls: //223.5.5.5: 853
- tls://1.12.12.12:853
- tls://223.5.5.5:853
enhanced-mode: redir-host # or fake-ip
enhanced-mode:redir-host # or fake-ip
fake-ip-range: 198.18.0.1/16 # fake-ip 池设置
fake-ip-range:198.18.0.1/16 # fake-ip 池设置
# use-hosts: true # 查询 hosts
# use-hosts:true # 查询 hosts
# 配置查询域名使用的 DNS 服务器
# nameserver-policy 可以使用 geosite 分流 DNS 解析。
# 将国内域名指定为国内 DOH 进行解析,其余 DNS 使用境外 DOH 解析
nameserver-policy:
"geosite: cn": [https: //doh.pub/dns-query,https: //dns.alidns.com/dns-query]
# 'www.baidu.com': '114.114.114.114'
# '+.internal.crop.com': '10.0.0.1'
nameserver-policy:
"geosite:cn":[https://doh.pub/dns-query,https://dns.alidns.com/dns-query]
# 'www.baidu.com':'114.114.114.114'
# '+.internal.crop.com':'10.0.0.1'
# DNS 主要域名配置
# 支持 UDPTCPDoTDoHDoQ
nameserver:
- https: //dns.google/dns-query
- https: //dns.cloudflare.com/dns-query
- https: //doh.opendns.com/dns-query
- https: //doh.dns.sb/dns-query
- https: //[2001: 4860: 4860: : 8888]/dns-query
- https: //[2001: 4860: 4860: : 8844]/dns-query
- https: //[2001: 4860: 4860: : 6464]/dns-query
- https: //[2001: 4860: 4860: : 64]/dns-query
nameserver:
- https://dns.google/dns-query
- https://dns.cloudflare.com/dns-query
- https://doh.opendns.com/dns-query
- https://doh.dns.sb/dns-query
- https://[2001:4860:4860::8888]/dns-query
- https://[2001:4860:4860::8844]/dns-query
- https://[2001:4860:4860::6464]/dns-query
- https://[2001:4860:4860::64]/dns-query
# - 114.114.114.114 # default value
# - 8.8.8.8 # default value
# - tls: //223.5.5.5: 853 # DNS over TLS
# - https: //doh.pub/dns-query # DNS over HTTPS
# - https: //dns.alidns.com/dns-query#h3=true # 强制 HTTP/3与 perfer-h3 无关,强制开启 DoH 的 HTTP/3 支持,若不支持将无法使用
# - https: //mozilla.cloudflare-dns.com/dns-query#DNS&h3=true # 指定策略组和使用 HTTP/3
# - dhcp: //en0 # dns from dhcp
# - quic: //dns.adguard.com: 784 # DNS over QUIC
# - tls://223.5.5.5:853 # DNS over TLS
# - https://doh.pub/dns-query # DNS over HTTPS
# - https://dns.alidns.com/dns-query#h3=true # 强制 HTTP/3与 perfer-h3 无关,强制开启 DoH 的 HTTP/3 支持,若不支持将无法使用
# - https://mozilla.cloudflare-dns.com/dns-query#DNS&h3=true # 指定策略组和使用 HTTP/3
# - dhcp://en0 # dns from dhcp
# - quic://dns.adguard.com:784 # DNS over QUIC
# - '8.8.8.8#en0' # 兼容指定 DNS 出口网卡
# 当配置 fallback 时,会查询 nameserver 中返回的 IP 是否为 CN非必要配置
# 当不是 CN则使用 fallback 中的 DNS 查询结果
# 确保配置 fallback 时能够正常查询
# fallback:
# - tcp: //1.1.1.1
# - 'tcp: //1.1.1.1#ProxyGroupName' # 指定 DNS 过代理查询ProxyGroupName 为策略组名或节点名,过代理配置优先于配置出口网卡,当找不到策略组或节点名则设置为出口网卡
# fallback:
# - tcp://1.1.1.1
# - 'tcp://1.1.1.1#ProxyGroupName' # 指定 DNS 过代理查询ProxyGroupName 为策略组名或节点名,过代理配置优先于配置出口网卡,当找不到策略组或节点名则设置为出口网卡
# 专用于节点域名解析的 DNS 服务器,非必要配置项
# 配置服务器若查询失败将使用 nameserver非并发查询
# proxy-server-nameserver:
# - https: //dns.google/dns-query
# - tls: //one.one.one.one
# proxy-server-nameserver:
# - https://dns.google/dns-query
# - tls://one.one.one.one
# 配置 fallback 使用条件
# fallback-filter:
# geoip: true # 配置是否使用 geoip
# geoip-code: CN # 当 nameserver 域名的 IP 查询 geoip 库为 CN 时,不使用 fallback 中的 DNS 查询结果
# fallback-filter:
# geoip:true # 配置是否使用 geoip
# geoip-code:CN # 当 nameserver 域名的 IP 查询 geoip 库为 CN 时,不使用 fallback 中的 DNS 查询结果
# 配置强制 fallback优先于 IP 判断,具体分类自行查看 geosite 库
# geosite:
# geosite:
# - "geolocation-!cn"
# 如果不匹配 ipcidr 则使用 nameservers 中的结果
# ipcidr:
# ipcidr:
# - 240.0.0.0/4
# domain:
# domain:
# - '+.google.com'
# - '+.facebook.com'
# - '+.youtube.com'
# 配置不使用 fake-ip 的域名
# fake-ip-filter:
# fake-ip-filter:
# - "+.lan"
# # QQ Loopback
# - localhost.sec.qq.com
@ -317,9 +319,10 @@ dns:
```
## Proxies
### Shadowsocks
```yaml
proxies:
# Shadowsocks
proxies:
# cipher 支持:
# aes-128-gcm aes-192-gcm aes-256-gcm
# aes-128-cfb aes-192-cfb aes-256-cfb
@ -337,7 +340,7 @@ proxies:
# udp-over-tcp: false
# ip-version: ipv4 # 设置节点使用 IP 版本可选dualipv4ipv6ipv4-preferipv6-prefer。默认使用 dual
# ipv4仅使用 IPv4 ipv6仅使用 IPv6
# ipv4-prefer优先使用 IPv4 对于 TCP 会进行双栈解析,并发链接但是优先使用 IPv4 链接
# ipv4-prefer优先使用 IPv4 对于 TCP 会进行双栈解析,并发链接但是优先使用 IPv4 链接,
# UDP 则为双栈解析,获取结果中的第一个 IPv4
# ipv6-prefer 同 ipv4-prefer
# 现有协议都支持此参数TCP 效果仅在开启 tcp-concurrent 生效
@ -348,7 +351,7 @@ proxies:
cipher: chacha20-ietf-poly1305
password: "password"
plugin: obfs
plugin-opts:
plugin-opts:
mode: tls # or http
# host: bing.com
@ -359,7 +362,7 @@ proxies:
cipher: chacha20-ietf-poly1305
password: "password"
plugin: v2ray-plugin
plugin-opts:
plugin-opts:
mode: websocket # no QUIC now
# tls: true # wss
# 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
@ -369,7 +372,7 @@ proxies:
# host: bing.com
# path: "/"
# mux: true
# headers:
# headers:
# custom: value
- name: "ss4"
@ -379,10 +382,31 @@ proxies:
cipher: chacha20-ietf-poly1305
password: "password"
plugin: shadow-tls
plugin-opts:
plugin-opts:
host: "cloud.tencent.com"
password: "shadow_tls_password"
```
### ShadowsocksR
```yaml
# The supported ciphers (encryption methods): all stream ciphers in ss
# The supported obfses:
# plain http_simple http_post
# random_head tls1.2_ticket_auth tls1.2_ticket_fastauth
# The supported supported protocols:
# origin auth_sha1_v4 auth_aes128_md5
# auth_aes128_sha1 auth_chain_a auth_chain_b
- name: "ssr"
type: ssr
server: server
port: 443
cipher: chacha20-ietf
password: "password"
obfs: tls1.2_ticket_auth
protocol: auth_sha1_v4
# obfs-param: domain.tld
# protocol-param: "#"
# udp: true
```
### vmess
```yaml
@ -401,9 +425,9 @@ proxies:
# skip-cert-verify: true
# servername: example.com # priority over wss host
# network: ws
# ws-opts:
# ws-opts:
# path: /path
# headers:
# headers:
# Host: v2ray.com
# max-early-data: 2048
# early-data-header-name: Sec-WebSocket-Protocol
@ -418,8 +442,8 @@ proxies:
network: h2
tls: true
# fingerprint: xxxx
h2-opts:
host:
h2-opts:
host:
- http.example.com
- http-alt.example.com
path: /
@ -433,13 +457,13 @@ proxies:
cipher: auto
# udp: true
# network: http
# http-opts:
# http-opts:
# # method: "GET"
# # path:
# # path:
# # - '/'
# # - '/video'
# # headers:
# # Connection:
# # headers:
# # Connection:
# # - keep-alive
# ip-version: ipv4 # 设置使用 IP 类型偏好可选ipv4ipv6dual默认值dual
@ -455,13 +479,12 @@ proxies:
# fingerprint: xxxx
servername: example.com
# skip-cert-verify: true
grpc-opts:
grpc-opts:
grpc-service-name: "example"
# ip-version: ipv4
```
### Socks & HTTP
### Socks
```
# socks5
- name: "socks"
type: socks5
server: server
@ -473,8 +496,10 @@ proxies:
# skip-cert-verify: true
# udp: true
# ip-version: ipv6
```
# http
### HTTP
```yaml
- name: "http"
type: http
server: server
@ -499,7 +524,7 @@ proxies:
# flow: xtls-rprx-direct # xtls-rprx-origin # enable XTLS
# skip-cert-verify: true
# fingerprint: xxxx
# client-fingerprint: random # Available: "chrome","firefox","safari","random"
# client-fingerprint: random # Available: "chrome","firefox","safari","random","none"
- name: "vless-ws"
type: vless
@ -509,14 +534,15 @@ proxies:
udp: true
tls: true
network: ws
# client-fingerprint: random # Available: "chrome","firefox","safari","random"
# client-fingerprint: random # Available: "chrome","firefox","safari","random","none"
servername: example.com # priority over wss host
# skip-cert-verify: true
# fingerprint: xxxx
ws-opts:
ws-opts:
path: "/"
headers:
headers:
Host: example.com
```
### Snell
@ -528,7 +554,7 @@ proxies:
port: 44046
psk: yourpsk
# version: 2
# obfs-opts:
# obfs-opts:
# mode: http # or tls
# host: bing.com
```
@ -540,11 +566,11 @@ proxies:
server: server
port: 443
password: yourpsk
# client-fingerprint: chrome # Available: "chrome","firefox","safari","ios","random", currently only support TLS transport in TCP/GRPC/WS/HTTP for VLESS/Vmess and trojan.
# client-fingerprint: chrome # Available:"chrome","firefox","safari","ios","random", currently only support TLS transport in TCP/GRPC/WS/HTTP for VLESS/Vmess and trojan.
# fingerprint: xxxx
# udp: true
# sni: example.com # aka server name
# alpn:
# alpn:
# - h2
# - http/1.1
# skip-cert-verify: true
@ -559,10 +585,10 @@ proxies:
# skip-cert-verify: true
# fingerprint: xxxx
udp: true
grpc-opts:
grpc-service-name: "example"
grpc-opts:
grpc-service-name:"example"
- name: trojan-ws
- name:trojan-ws
server: server
port: 443
type: trojan
@ -572,10 +598,10 @@ proxies:
# skip-cert-verify: true
# fingerprint: xxxx
udp: true
# ws-opts:
# ws-opts:
# path: /path
# headers:
# Host: example.com
# headers:
# Host:example.com
- name: "trojan-xtls"
type: trojan
@ -599,7 +625,7 @@ proxies:
auth_str: yourpassword # 将会在未来某个时候删除
# auth-str: yourpassword
# obfs: obfs_str
# alpn:
# alpn:
# - h3
protocol: udp # 支持 udp/wechat-video/faketcp
up: "30 Mbps" # 若不写单位,默认为 Mbps
@ -639,27 +665,7 @@ proxies:
# max-open-streams: 20 # default 100, too many open streams may hurt performance
```
### ShadowsocksR
```
# The supported ciphers (encryption methods): all stream ciphers in ss
# The supported obfses:
# plain http_simple http_post
# random_head tls1.2_ticket_auth tls1.2_ticket_fastauth
# The supported supported protocols:
# origin auth_sha1_v4 auth_aes128_md5
# auth_aes128_sha1 auth_chain_a auth_chain_b
- name: "ssr"
type: ssr
server: server
port: 443
cipher: chacha20-ietf
password: "password"
obfs: tls1.2_ticket_auth
protocol: auth_sha1_v4
# obfs-param: domain.tld
# protocol-param: "#"
# udp: true
```
### Wireguard
```yaml
@ -668,7 +674,7 @@ proxies:
server: 162.159.192.1
port: 2480
ip: 172.16.0.2
ipv6: fd01: 5ca1: ab1e: 80fa: ab85: 6eea: 213f: f4a5
ipv6: fd01:5ca1:ab1e:80fa:ab85:6eea:213f:f4a5
private-key: eCtXsJZ27+4PbhDkHnB923tkUn2Gj59wZw5wFA75MnU=
public-key: Cr8hWlKvtDt7nrvf+f0brNQQzabAqrjfBvas9pmowjo=
udp: true
@ -679,12 +685,12 @@ proxies:
Active health detection `urltest / fallback` (based on tcp handshake, multiple failures within a limited time will actively trigger health detection to use the node)
```yaml
proxy-groups:
proxy-groups:
# 代理链,若落地协议支持 UDP over TCP 则可支持 UDP
# Traffic: clash <-> http <-> vmess <-> ss1 <-> ss2 <-> Internet
# Traffic:clash <-> http <-> vmess <-> ss1 <-> ss2 <-> Internet
- name: "relay"
type: relay
proxies:
proxies:
- http
- vmess
- ss1
@ -693,41 +699,41 @@ proxy-groups:
# url-test 将按照 url 测试结果使用延迟最低节点
- name: "auto"
type: url-test
proxies:
proxies:
- ss1
- ss2
- vmess1
# tolerance: 150
# lazy: true
url: "https: //cp.cloudflare.com/generate_204"
url: "https://cp.cloudflare.com/generate_204"
interval: 300
# fallback 将按照 url 测试结果按照节点顺序选择
- name: "fallback-auto"
type: fallback
proxies:
proxies:
- ss1
- ss2
- vmess1
url: "https: //cp.cloudflare.com/generate_204"
url: "https://cp.cloudflare.com/generate_204"
interval: 300
# load-balance 将按照算法随机选择节点
- name: "load-balance"
type: load-balance
proxies:
proxies:
- ss1
- ss2
- vmess1
url: "https: //cp.cloudflare.com/generate_204"
url: "https://cp.cloudflare.com/generate_204"
interval: 300
# strategy: consistent-hashing # 可选 round-robin 和 sticky-sessions
# select 用户自行选择节点
- name: Proxy
type: select
# disable-udp: true
proxies:
# disable-udp:true
proxies:
- ss1
- ss2
- vmess1
@ -738,16 +744,16 @@ proxy-groups:
type: select
interface-name: en1
routing-mark: 6667
proxies:
proxies:
- DIRECT
# Support `Policy Group Filter`
- name: UseProvider
type: select
filter: "HK|TW" # 正则表达式,过滤 provider1 中节点名包含 HK 或 TW
use:
use:
- provider1
proxies:
proxies:
- Proxy
- DIRECT
```
@ -755,36 +761,36 @@ proxy-groups:
## Providers
### Proxy-providers
```
proxy-providers:
provider1:
proxy-providers:
provider1:
type: http
url: "url"
interval: 3600
path: ./provider1.yaml
health-check:
health-check:
enable: true
interval: 600
# lazy: true
url: https: //cp.cloudflare.com/generate_204
test:
url: https://cp.cloudflare.com/generate_204
test:
type: file
path: /test.yaml
health-check:
health-check:
enable: true
interval: 36000
url: https: //cp.cloudflare.com/generate_204
url: https://cp.cloudflare.com/generate_204
```
### Rule-providers
```yaml
rule-providers:
rule1:
rule-providers:
rule1:
behavior: classical # domain ipcidr
interval: 259200
path: /path/to/save/file.yaml
type: http
url: "url"
rule2:
rule2:
behavior: classical
interval: 259200
path: /path/to/save/file.yaml
@ -797,22 +803,22 @@ rule-providers:
- Support `multiport` condition for rule `SRC-PORT` and `DST-PORT`.
- Support `network` condition for all rules.
- Support source IPCIDR condition for all rules, just append to the end.
- The `GEOSITE` databases via https: //github.com/Loyalsoldier/v2ray-rules-dat.
- The `GEOSITE` databases via https://github.com/Loyalsoldier/v2ray-rules-dat.
```yaml
rules:
rules:
- RULE-SET,rule1,REJECT
- DOMAIN-SUFFIX,baidu.com,DIRECT
- DOMAIN-KEYWORD,google,ss1
- IP-CIDR,1.1.1.1/32,ss1
- IP-CIDR6,2409: : /64,DIRECT
- IP-CIDR6,2409::/64,DIRECT
- SUB-RULE,(OR,((NETWORK,TCP),(NETWORK,UDP))),sub-rule-name1 # 当满足条件是 TCP 或 UDP 流量时,使用名为 sub-rule-name1 当规则集
- SUB-RULE,(AND,((NETWORK,UDP))),sub-rule-name2
# 定义多个子规则集,规则将以分叉匹配,使用 SUB-RULE 使用
# google.com(not match)--> baidu.com(match)
# /
# /
# https: //baidu.com --> rule1 --> rule2 --> sub-rule-name1(match tcp) 使用 DIRECT
# https://baidu.com --> rule1 --> rule2 --> sub-rule-name1(match tcp) 使用 DIRECT
#
# google.com(not match)--> baidu.com(not match)
# /
@ -822,11 +828,11 @@ rules:
# 使用 REJECT <-- 1.1.1.1/32(match)
#
sub-rules:
sub-rule-name1:
sub-rules:
sub-rule-name1:
- DOMAIN,google.com,ss1
- DOMAIN,baidu.com,DIRECT
sub-rule-name2:
sub-rule-name2:
- IP-CIDR,1.1.1.1/32,REJECT
- IP-CIDR,8.8.8.8/32,ss1
- DOMAIN,dns.alidns.com,REJECT
@ -835,13 +841,13 @@ sub-rules:
## Listeners
```yaml
# 流量入站
listeners:
listeners:
- name: socks5-in-1
type: socks
port: 10808
#listen: 0.0.0.0 # 默认监听 0.0.0.0
# rule: sub-rule-name1 # 默认使用 rules如果未找到 sub-rule 则直接使用 rules
# proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理
# proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理
# udp: false # 默认 true
- name: http-in-1
@ -849,14 +855,14 @@ listeners:
port: 10809
listen: 0.0.0.0
# rule: sub-rule-name1 # 默认使用 rules如果未找到 sub-rule 则直接使用 rules
# proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理(当 proxy 不为空时,这里的 proxy 名称必须合法,否则会出错)
# proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时这里的proxy名称必须合法否则会出错)
- name: mixed-in-1
type: mixed # HTTP(S) 和 SOCKS 代理混合
port: 10810
listen: 0.0.0.0
# rule: sub-rule-name1 # 默认使用 rules如果未找到 sub-rule 则直接使用 rules
# proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理(当 proxy 不为空时,这里的 proxy 名称必须合法,否则会出错)
# proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时这里的proxy名称必须合法否则会出错)
# udp: false # 默认 true
- name: reidr-in-1
@ -864,14 +870,14 @@ listeners:
port: 10811
listen: 0.0.0.0
# rule: sub-rule-name1 # 默认使用 rules如果未找到 sub-rule 则直接使用 rules
# proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理(当 proxy 不为空时,这里的 proxy 名称必须合法,否则会出错)
# proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时这里的proxy名称必须合法否则会出错)
- name: tproxy-in-1
type: tproxy
port: 10812
listen: 0.0.0.0
# rule: sub-rule-name1 # 默认使用 rules如果未找到 sub-rule 则直接使用 rules
# proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理(当 proxy 不为空时,这里的 proxy 名称必须合法,否则会出错)
# proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时这里的proxy名称必须合法否则会出错)
# udp: false # 默认 true
- name: shadowsocks-in-1
@ -879,7 +885,7 @@ listeners:
port: 10813
listen: 0.0.0.0
# rule: sub-rule-name1 # 默认使用 rules如果未找到 sub-rule 则直接使用 rules
# proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理(当 proxy 不为空时,这里的 proxy 名称必须合法,否则会出错)
# proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时这里的proxy名称必须合法否则会出错)
password: vlmpIPSyHH6f4S8WVPdRIHIlzmB+GIRfoH3aNJ/t9Gg=
cipher: 2022-blake3-aes-256-gcm
@ -888,8 +894,8 @@ listeners:
port: 10814
listen: 0.0.0.0
# rule: sub-rule-name1 # 默认使用 rules如果未找到 sub-rule 则直接使用 rules
# proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理(当 proxy 不为空时,这里的 proxy 名称必须合法,否则会出错)
users:
# proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时这里的proxy名称必须合法否则会出错)
users:
- username: 1
uuid: 9d0cb9d0-964f-4ef6-897d-6c6b3ccf9e68
alterId: 1
@ -899,15 +905,15 @@ listeners:
port: 10815
listen: 0.0.0.0
# rule: sub-rule-name1 # 默认使用 rules如果未找到 sub-rule 则直接使用 rules
# proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理(当 proxy 不为空时,这里的 proxy 名称必须合法,否则会出错)
# token:
# proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时这里的proxy名称必须合法否则会出错)
# token:
# - TOKEN
# certificate: ./server.crt
# private-key: ./server.key
# congestion-controller: bbr
# max-idle-time: 15000
# authentication-timeout: 1000
# alpn:
# alpn:
# - h3
# max-udp-relay-packet-size: 1500
@ -916,31 +922,31 @@ listeners:
port: 10816
listen: 0.0.0.0
# rule: sub-rule-name1 # 默认使用 rules如果未找到 sub-rule 则直接使用 rules
# proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理(当 proxy 不为空时,这里的 proxy 名称必须合法,否则会出错)
# proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时这里的proxy名称必须合法否则会出错)
network: [tcp, udp]
target: target.com
- name: tun-in-1
type: tun
# rule: sub-rule-name1 # 默认使用 rules如果未找到 sub-rule 则直接使用 rules
# proxy: proxy # 如果不为空则直接将该入站流量交由指定 proxy 处理(当 proxy 不为空时,这里的 proxy 名称必须合法,否则会出错)
# proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时这里的proxy名称必须合法否则会出错)
stack: system # gvisor / lwip
dns-hijack:
- 0.0.0.0: 53 # 需要劫持的 DNS
dns-hijack:
- 0.0.0.0:53 # 需要劫持的 DNS
# auto-detect-interface: false # 自动识别出口网卡
# auto-route: false # 配置路由表
# mtu: 9000 # 最大传输单元
inet4-address: # 必须手动设置 ipv4 地址段
inet4-address: # 必须手动设置ipv4地址段
- 198.19.0.1/30
inet6-address: # 必须手动设置 ipv6 地址段
- "fdfe: dcba: 9877: : 1/126"
# strict_route: true # 将所有连接路由到 tun 来防止泄漏,但你的设备将无法其他设备被访问
inet6-address: # 必须手动设置ipv6地址段
- "fdfe:dcba:9877::1/126"
# strict_route: true # 将所有连接路由到tun来防止泄漏但你的设备将无法其他设备被访问
# inet4_route_address: # 启用 auto_route 时使用自定义路由而不是默认路由
# - 0.0.0.0/1
# - 128.0.0.0/1
# inet6_route_address: # 启用 auto_route 时使用自定义路由而不是默认路由
# - ": : /1"
# - "8000: : /1"
# - "::/1"
# - "8000::/1"
# endpoint_independent_nat: false # 启用独立于端点的 NAT
# include_uid: # UID 规则仅在 Linux 下被支持,并且需要 auto_route
# - 0
@ -966,29 +972,29 @@ listeners:
## 入口配置
入口配置与 Listener 等价,传入流量将和 socks,mixed 等入口一样按照 mode 所指定的方式进行匹配处理
### ss-config:
### ss-config
```yaml
ss: //2022-blake3-aes-256-gcm: vlmpIPSyHH6f4S8WVPdRIHIlzmB+GIRfoH3aNJ/t9Gg=@: 23456
ss-config: ss://2022-blake3-aes-256-gcm:vlmpIPSyHH6f4S8WVPdRIHIlzmB+GIRfoH3aNJ/t9Gg=@:23456
```
### vmess-config:
### vmess-config
```yaml
vmess: //1: 9d0cb9d0-964f-4ef6-897d-6c6b3ccf9e68@: 12345
vmess-config: vmess://1:9d0cb9d0-964f-4ef6-897d-6c6b3ccf9e68@:12345
```
### tuic 服务器入口
传入流量将和 socks,mixed 等入口一样按照 mode 所指定的方式进行匹配处理
```yaml
tuic-server:
tuic-server:
enable: true
listen: 127.0.0.1: 10443
token:
listen: 127.0.0.1:10443
token:
- TOKEN
certificate: ./server.crt
private-key: ./server.key
congestion-controller: bbr
max-idle-time: 15000
authentication-timeout: 1000
alpn:
alpn:
- h3
max-udp-relay-packet-size: 1500
```