From d2bc7a3b7abdeabf65bec5b0cdca8416549ac885 Mon Sep 17 00:00:00 2001 From: Larvan2 <78135608+Larvan2@users.noreply.github.com> Date: Fri, 14 Apr 2023 13:20:10 +0800 Subject: [PATCH] Destroyed Configuring example (markdown) --- Configuring-example.md | 1003 ---------------------------------------- 1 file changed, 1003 deletions(-) delete mode 100644 Configuring-example.md diff --git a/Configuring-example.md b/Configuring-example.md deleted file mode 100644 index fc848c3..0000000 --- a/Configuring-example.md +++ /dev/null @@ -1,1003 +0,0 @@ - -这是一个使用 [Alpha](https://github.com/MetaCubeX/Clash.Meta/tree/Alpha) 分支的配置文件示例,完整配置见[此处](https://github.com/MetaCubeX/Clash.Meta/blob/Alpha/docs/config.yaml)。 - - - -- [General](#general) -- [Tun](#tun) -- [ebpf](#ebpf) -- [sniffer](#sniffer) -- [tunnels](#tunnels) -- [DNS 配置](#dns-配置) -- [Proxies](#proxies) - - [Shadowsocks](#shadowsocks) - - [ShadowsocksR](#shadowsocksr) - - [vmess](#vmess) - - [Socks](#socks) - - [HTTP](#http) - - [VLESS](#vless) - - [Snell](#snell) - - [Trojan](#trojan) - - [Hysteria](#hysteria) - - [Tuic](#tuic) - - [Wireguard](#wireguard) -- [Proxy-groups](#proxy-groups) -- [Providers](#providers) - - [Proxy-providers](#proxy-providers) - - [Rule-providers](#rule-providers) -- [Rules](#rules) -- [Listeners](#listeners) -- [入口配置](#入口配置) - - [ss-config](#ss-config) - - [vmess-config](#vmess-config) - - [tuic 服务器入口](#tuic-服务器入口) - -## General -```yaml -# port: 7890 # HTTP(S) 代理服务器端口 -# socks-port: 7891 # SOCKS5 代理端口 -mixed-port: 10801 # HTTP(S) 和 SOCKS 代理混合端口 -# redir-port: 7892 # 透明代理端口,用于 Linux 和 MacOS - -# Transparent proxy server port for Linux (TProxy TCP and TProxy UDP) -# tproxy-port: 7893 - -allow-lan: true # 允许局域网连接 -bind-address: "*" # 绑定 IP 地址,仅作用于 allow-lan 为 true,'*'表示所有地址 - -# find-process-mode has 3 values:always, strict, off -# - always, 开启,强制匹配所有进程 -# - strict, 默认,由 clash 判断是否开启 -# - off, 不匹配进程,推荐在路由器上使用此模式 -find-process-mode: strict - -mode: rule - -#自定义 geodata url -geox-url: - geoip: "https://cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geoip.dat" - geosite: "https://cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geosite.dat" - mmdb: "https://cdn.jsdelivr.net/gh/Loyalsoldier/geoip@release/Country.mmdb" - -log-level: debug # 日志等级 silent/error/warning/info/debug - -ipv6: true # 开启 IPv6 总开关,关闭阻断所有 IPv6 链接和屏蔽 DNS 请求 AAAA 记录 - -tls: - certificate: string # 证书 PEM 格式,或者 证书的路径 - private-key: string # 证书对应的私钥 PEM 格式,或者私钥路径 - -external-controller: 0.0.0.0:9093 # RESTful API 监听地址 -external-controller-tls: 0.0.0.0:9443 # RESTful API HTTPS 监听地址,需要配置 tls 部分配置文件 -# secret: "123456" # `Authorization:Bearer ${secret}` - -# tcp-concurrent: true # TCP 并发连接所有 IP, 将使用最快握手的 TCP -external-ui: /path/to/ui/folder # 配置 WEB UI 目录,使用 http://{{external-controller}}/ui 访问 - -# interface-name: en0 # 设置出口网卡 - -# 全局 TLS 指纹,优先低于 proxy 内的 client-fingerprint -# 可选: "chrome","firefox","safari","ios","random","none" options. -# Utls is currently support TLS transport in TCP/grpc/WS/HTTP for VLESS/Vmess and trojan. -global-client-fingerprint: chrome - -# routing-mark:6666 # 配置 fwmark 仅用于 Linux -experimental: - -# 类似于 /etc/hosts, 仅支持配置单个 IP -hosts: -# '*.clash.dev': 127.0.0.1 -# '.dev': 127.0.0.1 -# 'alpha.clash.dev': '::1' - -profile: - # 存储 select 选择记录 - store-selected: false - - # 持久化 fake-ip - store-fake-ip: true -``` - -## Tun -Supports macOS, Linux and Windows. - -Built-in [Wintun](https://www.wintun.net) driver. -```yaml -tun: -tun: - enable: false - stack: system # gvisor / lwip - dns-hijack: - - 0.0.0.0:53 # 需要劫持的 DNS - auto-detect-interface: true # 自动识别出口网卡 - auto-route: true # 配置路由表 - # mtu: 9000 # 最大传输单元 - # strict_route: true # 将所有连接路由到tun来防止泄漏,但你的设备将无法其他设备被访问 - # inet4_route_address: # 启用 auto_route 时使用自定义路由而不是默认路由 - # - 0.0.0.0/1 - # - 128.0.0.0/1 - # inet6_route_address: # 启用 auto_route 时使用自定义路由而不是默认路由 - # - "::/1" - # - "8000::/1" - # endpoint_independent_nat: false # 启用独立于端点的 NAT - # include_uid: # UID 规则仅在 Linux 下被支持,并且需要 auto_route - # - 0 - # include_uid_range: # 限制被路由的的用户范围 - # - 1000-99999 - # exclude_uid: # 排除路由的的用户 - #- 1000 - # exclude_uid_range: # 排除路由的的用户范围 - # - 1000-99999 - - # Android 用户和应用规则仅在 Android 下被支持 - # 并且需要 auto_route - - # include_android_user: # 限制被路由的 Android 用户 - # - 0 - # - 10 - # include_package: # 限制被路由的 Android 应用包名 - # - com.android.chrome - # exclude_package: # 排除被路由的 Android 应用包名 - # - com.android.captiveportallogin -``` - -## ebpf - -```yaml -ebpf: - auto-redir: # redirect 模式,仅支持 TCP - - eth0 - redirect-to-tun: # UDP+TCP 使用该功能请勿启用 auto-route - - eth0 -``` - -## sniffer - -```yaml -sniffer: - enable: false - ## 对 redir-host 类型识别的流量进行强制嗅探 - ## 如:Tun、Redir 和 TProxy 并 DNS 为 redir-host 皆属于 - # force-dns-mapping: false - ## 对所有未获取到域名的流量进行强制嗅探 - # parse-pure-ip: false - # 是否使用嗅探结果作为实际访问,默认 true - # 全局配置,优先级低于 sniffer.sniff 实际配置 - override-destination: false - sniff: - # TLS 默认如果不配置 ports 默认嗅探 443 - TLS: - # ports: [443, 8443] - - # 默认嗅探 80 - HTTP: - # 需要嗅探的端口 - - ports: [80, 8080-8880] - # 可覆盖 sniffer.override-destination - override-destination: true - force-domain: - - +.v2ex.com - ## 对嗅探结果进行跳过 - # skip-domain: - # - Mijia Cloud -``` - -## tunnels -```yaml -tunnels: - # one line config - - tcp/udp,127.0.0.1:6553,114.114.114.114:53,proxy - - tcp,127.0.0.1:6666,rds.mysql.com:3306,vpn - # full yaml config - - network: [tcp, udp] - address: 127.0.0.1:7777 - target: target.com - proxy: proxy -``` - -## DNS 配置 - -```yaml -dns: - enable: false # 关闭将使用系统 DNS - prefer-h3: true # 开启 DoH 支持 HTTP/3,将并发尝试 - listen:0.0.0.0: 5353 # 开启 DNS 服务器监听 - # ipv6: false # false 将返回 AAAA 的空结果 - - # 用于解析 nameserver,fallback 以及其他 DNS 服务器配置的,DNS 服务域名 - # 只能使用纯 IP 地址,可使用加密 DNS - default-nameserver: - - 114.114.114.114 - - tls://1.12.12.12:853 - - tls://223.5.5.5:853 - - enhanced-mode: redir-host # or fake-ip - - fake-ip-range: 198.18.0.1/16 # fake-ip 池设置 - - # use-hosts: true # 查询 hosts - - # 配置查询域名使用的 DNS 服务器 - # nameserver-policy 可以使用 geosite 分流 DNS 解析。 - # 将国内域名指定为国内 DOH 进行解析,其余 DNS 使用境外 DOH 解析 - nameserver-policy: - "geosite:cn": [https://doh.pub/dns-query,https://dns.alidns.com/dns-query] - # 'www.baidu.com':'114.114.114.114' - # '+.internal.crop.com':'10.0.0.1' - - # DNS 主要域名配置 - # 支持 UDP,TCP,DoT,DoH,DoQ - nameserver: - - https://dns.google/dns-query - - https://dns.cloudflare.com/dns-query - - https://doh.opendns.com/dns-query - - https://doh.dns.sb/dns-query - - https://[2001:4860:4860::8888]/dns-query - - https://[2001:4860:4860::8844]/dns-query - - https://[2001:4860:4860::6464]/dns-query - - https://[2001:4860:4860::64]/dns-query - - # - 114.114.114.114 # default value - # - 8.8.8.8 # default value - # - tls://223.5.5.5:853 # DNS over TLS - # - https://doh.pub/dns-query # DNS over HTTPS - # - https://dns.alidns.com/dns-query#h3=true # 强制 HTTP/3,与 perfer-h3 无关,强制开启 DoH 的 HTTP/3 支持,若不支持将无法使用 - # - https://mozilla.cloudflare-dns.com/dns-query#DNS&h3=true # 指定策略组和使用 HTTP/3 - # - dhcp://en0 # dns from dhcp - # - quic://dns.adguard.com:784 # DNS over QUIC - # - '8.8.8.8#en0' # 兼容指定 DNS 出口网卡 - - # 当配置 fallback 时,会查询 nameserver 中返回的 IP 是否为 CN,非必要配置 - # 当不是 CN,则使用 fallback 中的 DNS 查询结果 - # 确保配置 fallback 时能够正常查询 - # fallback: - # - tcp://1.1.1.1 - # - 'tcp://1.1.1.1#ProxyGroupName' # 指定 DNS 过代理查询,ProxyGroupName 为策略组名或节点名,过代理配置优先于配置出口网卡,当找不到策略组或节点名则设置为出口网卡 - - # 专用于节点域名解析的 DNS 服务器,非必要配置项 - # 配置服务器若查询失败将使用 nameserver,非并发查询 - # proxy-server-nameserver: - # - https://dns.google/dns-query - # - tls://one.one.one.one - - # 配置 fallback 使用条件 - # fallback-filter: - # geoip: true # 配置是否使用 geoip - # geoip-code: CN # 当 nameserver 域名的 IP 查询 geoip 库为 CN 时,不使用 fallback 中的 DNS 查询结果 - # 配置强制 fallback,优先于 IP 判断,具体分类自行查看 geosite 库 - # geosite: - # - "geolocation-!cn" - # 如果不匹配 ipcidr 则使用 nameservers 中的结果 - # ipcidr: - # - 240.0.0.0/4 - # domain: - # - '+.google.com' - # - '+.facebook.com' - # - '+.youtube.com' - - # 配置不使用 fake-ip 的域名 - # fake-ip-filter: - # - "+.lan" - # # QQ Loopback - # - localhost.sec.qq.com - # - localhost.ptlogin2.qq.com - # - "+.linksys.com" - # - "+.pool.ntp.org" - # # Router - # - hiwifi.com - # - leike.cc - # - miwifi.com - # - my.router - # - peiluyou.com - # - phicomm.me - # - router.ctc - # - routerlogin.com - # # Tenda router - # - tendawifi.com - # # TP-Link router - # - tplinkwifi.net - # # Windows - # - “+.msftconnecttest.com” - # - “+.msftncsi.com” - # # 中興路由器 - # - zte.home - # # Stun Services - # - "+.stun.*.*" - # - "+.stun.*.*.*" - # - "+.stun.*.*.*.*" - # - "+.stun.*.*.*.*.*" - # # Google Voices - # - "lens.l.google.com" - # # Nintendo Switch - # - "+.srv.nintendo.net" - # # PlayStation - # - "+.stun.playstation.net" - # # XBox - # - "xbox.*.*.microsoft.com" - # - "+.xboxlive.com" - # # Bilibili CDN - # - "+.mcdn.bilivideo.cn" -``` - -## Proxies - -### Shadowsocks -```yaml -proxies: - # cipher 支持: - # aes-128-gcm aes-192-gcm aes-256-gcm - # aes-128-cfb aes-192-cfb aes-256-cfb - # aes-128-ctr aes-192-ctr aes-256-ctr - # rc4-md5 chacha20-ietf xchacha20 - # chacha20-ietf-poly1305 xchacha20-ietf-poly1305 - # 2022-blake3-aes-128-gcm 2022-blake3-aes-256-gcm 2022-blake3-chacha20-poly1305 - - name: "ss1" - type: ss - server: server - port: 443 - cipher: chacha20-ietf-poly1305 - password: "password" - # udp: true - # udp-over-tcp: false - # ip-version: ipv4 # 设置节点使用 IP 版本,可选:dual,ipv4,ipv6,ipv4-prefer,ipv6-prefer。默认使用 dual - # ipv4:仅使用 IPv4 ipv6:仅使用 IPv6 - # ipv4-prefer:优先使用 IPv4 对于 TCP 会进行双栈解析,并发链接但是优先使用 IPv4 链接, - # UDP 则为双栈解析,获取结果中的第一个 IPv4 - # ipv6-prefer 同 ipv4-prefer - # 现有协议都支持此参数,TCP 效果仅在开启 tcp-concurrent 生效 - - name: "ss2" - type: ss - server: server - port: 443 - cipher: chacha20-ietf-poly1305 - password: "password" - plugin: obfs - plugin-opts: - mode: tls # or http - # host: bing.com - - - name: "ss3" - type: ss - server: server - port: 443 - cipher: chacha20-ietf-poly1305 - password: "password" - plugin: v2ray-plugin - plugin-opts: - mode: websocket # no QUIC now - # tls: true # wss - # 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取 - # 配置指纹将实现 SSL Pining 效果 - # fingerprint: xxxx - # skip-cert-verify: true - # host: bing.com - # path: "/" - # mux: true - # headers: - # custom: value - - - name: "ss4" - type: ss - server: server - port: 443 - cipher: chacha20-ietf-poly1305 - password: "password" - plugin: shadow-tls - plugin-opts: - host: "cloud.tencent.com" - password: "shadow_tls_password" -``` -### ShadowsocksR -```yaml - # The supported ciphers (encryption methods): all stream ciphers in ss - # The supported obfses: - # plain http_simple http_post - # random_head tls1.2_ticket_auth tls1.2_ticket_fastauth - # The supported supported protocols: - # origin auth_sha1_v4 auth_aes128_md5 - # auth_aes128_sha1 auth_chain_a auth_chain_b - - name: "ssr" - type: ssr - server: server - port: 443 - cipher: chacha20-ietf - password: "password" - obfs: tls1.2_ticket_auth - protocol: auth_sha1_v4 - # obfs-param: domain.tld - # protocol-param: "#" - # udp: true -``` - -### vmess -```yaml - # cipher 支持 auto/aes-128-gcm/chacha20-poly1305/none - - name: "vmess" - type: vmess - server: server - port: 443 - uuid: uuid - alterId: 32 - cipher: auto - # udp: true - # tls: true - # fingerprint: xxxx - # client-fingerprint: chrome # Available: "chrome","firefox","safari","ios","random", currently only support TLS transport in TCP/GRPC/WS/HTTP for VLESS/Vmess and trojan. - # skip-cert-verify: true - # servername: example.com # priority over wss host - # network: ws - # ws-opts: - # path: /path - # headers: - # Host: v2ray.com - # max-early-data: 2048 - # early-data-header-name: Sec-WebSocket-Protocol - - - name: "vmess-h2" - type: vmess - server: server - port: 443 - uuid: uuid - alterId: 32 - cipher: auto - network: h2 - tls: true - # fingerprint: xxxx - h2-opts: - host: - - http.example.com - - http-alt.example.com - path: / - - - name: "vmess-http" - type: vmess - server: server - port: 443 - uuid: uuid - alterId: 32 - cipher: auto - # udp: true - # network: http - # http-opts: - # # method: "GET" - # # path: - # # - '/' - # # - '/video' - # # headers: - # # Connection: - # # - keep-alive - # ip-version: ipv4 # 设置使用 IP 类型偏好,可选:ipv4,ipv6,dual,默认值:dual - - - name: vmess-grpc - server: server - port: 443 - type: vmess - uuid: uuid - alterId: 32 - cipher: auto - network: grpc - tls: true - # fingerprint: xxxx - servername: example.com - # skip-cert-verify: true - grpc-opts: - grpc-service-name: "example" - # ip-version: ipv4 -``` -### Socks -``` - - name: "socks" - type: socks5 - server: server - port: 443 - # username: username - # password: password - # tls: true - # fingerprint: xxxx - # skip-cert-verify: true - # udp: true - # ip-version: ipv6 -``` - -### HTTP -```yaml - - name: "http" - type: http - server: server - port: 443 - # username: username - # password: password - # tls: true # https - # skip-cert-verify: true - # sni: custom.com - # fingerprint: xxxx # 同 experimental.fingerprints 使用 sha256 指纹,配置协议独立的指纹,将忽略 experimental.fingerprints - # ip-version: dual -``` -### VLESS -```yaml - - name: "vless-tcp" - type: vless - server: server - port: 443 - uuid: uuid - network: tcp - servername: example.com # AKA SNI - # flow: xtls-rprx-direct # xtls-rprx-origin # enable XTLS - # skip-cert-verify: true - # fingerprint: xxxx - # client-fingerprint: random # Available: "chrome","firefox","safari","random","none" - - - name: "vless-ws" - type: vless - server: server - port: 443 - uuid: uuid - udp: true - tls: true - network: ws - # client-fingerprint: random # Available: "chrome","firefox","safari","random","none" - servername: example.com # priority over wss host - # skip-cert-verify: true - # fingerprint: xxxx - ws-opts: - path: "/" - headers: - Host: example.com - -``` - -### Snell -```yaml - # Beware that there's currently no UDP support yet - - name: "snell" - type: snell - server: server - port: 44046 - psk: yourpsk - # version: 2 - # obfs-opts: - # mode: http # or tls - # host: bing.com -``` - -### Trojan -```yaml - - name: "trojan" - type: trojan - server: server - port: 443 - password: yourpsk - # client-fingerprint: chrome # Available:"chrome","firefox","safari","ios","random", currently only support TLS transport in TCP/GRPC/WS/HTTP for VLESS/Vmess and trojan. - # fingerprint: xxxx - # udp: true - # sni: example.com # aka server name - # alpn: - # - h2 - # - http/1.1 - # skip-cert-verify: true - - - name: trojan-grpc - server: server - port: 443 - type: trojan - password: "example" - network: grpc - sni: example.com - # skip-cert-verify: true - # fingerprint: xxxx - udp: true - grpc-opts: - grpc-service-name:"example" - - - name:trojan-ws - server: server - port: 443 - type: trojan - password: "example" - network: ws - sni: example.com - # skip-cert-verify: true - # fingerprint: xxxx - udp: true - # ws-opts: - # path: /path - # headers: - # Host:example.com - - - name: "trojan-xtls" - type: trojan - server: server - port: 443 - password: yourpsk - flow: "xtls-rprx-direct" # xtls-rprx-origin xtls-rprx-direct - flow-show: true - # udp: true - # sni: example.com # aka server name - # skip-cert-verify: true - # fingerprint: xxxx -``` - -### Hysteria -```yaml - - name: "hysteria" - type: hysteria - server: server.com - port: 443 - auth_str: yourpassword # 将会在未来某个时候删除 - # auth-str: yourpassword - # obfs: obfs_str - # alpn: - # - h3 - protocol: udp # 支持 udp/wechat-video/faketcp - up: "30 Mbps" # 若不写单位,默认为 Mbps - down: "200 Mbps" # 若不写单位,默认为 Mbps - # sni: server.com - # skip-cert-verify: false - # recv_window_conn: 12582912 # 将会在未来某个时候删除 - # recv-window-conn: 12582912 - # recv_window: 52428800 # 将会在未来某个时候删除 - # recv-window: 52428800 - # ca: "./my.ca" - # ca_str: "xyz" # 将会在未来某个时候删除 - # ca-str: "xyz" - # disable_mtu_discovery: false - # fingerprint: xxxx - # fast-open: true # 支持 TCP 快速打开,默认为 false -``` - -### Tuic -```yaml - - name: tuic - server: www.example.com - port: 10443 - type: tuic - token: TOKEN - # ip: 127.0.0.1 # for overwriting the DNS lookup result of the server address set in option 'server' - # heartbeat-interval: 10000 - # alpn: [h3] - # disable-sni: true - reduce-rtt: true - # request-timeout: 8000 - udp-relay-mode: native # Available: "native", "quic". Default: "native" - # congestion-controller: bbr # Available: "cubic", "new_reno", "bbr". Default: "cubic" - # max-udp-relay-packet-size: 1500 - # fast-open: true - # skip-cert-verify: true - # max-open-streams: 20 # default 100, too many open streams may hurt performance -``` - - - -### Wireguard -```yaml - - name: "wg" - type: wireguard - server: 162.159.192.1 - port: 2480 - ip: 172.16.0.2 - ipv6: fd01:5ca1:ab1e:80fa:ab85:6eea:213f:f4a5 - private-key: eCtXsJZ27+4PbhDkHnB923tkUn2Gj59wZw5wFA75MnU= - public-key: Cr8hWlKvtDt7nrvf+f0brNQQzabAqrjfBvas9pmowjo= - udp: true - # reserved: 'U4An' -``` - -## Proxy-groups -Active health detection `urltest / fallback` (based on tcp handshake, multiple failures within a limited time will actively trigger health detection to use the node) - -```yaml -proxy-groups: - # 代理链,若落地协议支持 UDP over TCP 则可支持 UDP - # Traffic:clash <-> http <-> vmess <-> ss1 <-> ss2 <-> Internet - - name: "relay" - type: relay - proxies: - - http - - vmess - - ss1 - - ss2 - - # url-test 将按照 url 测试结果使用延迟最低节点 - - name: "auto" - type: url-test - proxies: - - ss1 - - ss2 - - vmess1 - # tolerance: 150 - # lazy: true - url: "https://cp.cloudflare.com/generate_204" - interval: 300 - - # fallback 将按照 url 测试结果按照节点顺序选择 - - name: "fallback-auto" - type: fallback - proxies: - - ss1 - - ss2 - - vmess1 - url: "https://cp.cloudflare.com/generate_204" - interval: 300 - - # load-balance 将按照算法随机选择节点 - - name: "load-balance" - type: load-balance - proxies: - - ss1 - - ss2 - - vmess1 - url: "https://cp.cloudflare.com/generate_204" - interval: 300 - # strategy: consistent-hashing # 可选 round-robin 和 sticky-sessions - - # select 用户自行选择节点 - - name: Proxy - type: select - # disable-udp:true - proxies: - - ss1 - - ss2 - - vmess1 - - auto - - # 配置指定 interface-name 和 fwmark 的 DIRECT - - name: en1 - type: select - interface-name: en1 - routing-mark: 6667 - proxies: - - DIRECT - - # Support `Policy Group Filter` - - name: UseProvider - type: select - filter: "HK|TW" # 正则表达式,过滤 provider1 中节点名包含 HK 或 TW - use: - - provider1 - proxies: - - Proxy - - DIRECT -``` - -## Providers -### Proxy-providers -``` -proxy-providers: - provider1: - type: http - url: "url" - interval: 3600 - path: ./provider1.yaml - health-check: - enable: true - interval: 600 - # lazy: true - url: https://cp.cloudflare.com/generate_204 - test: - type: file - path: /test.yaml - health-check: - enable: true - interval: 36000 - url: https://cp.cloudflare.com/generate_204 -``` - -### Rule-providers -```yaml -rule-providers: - rule1: - behavior: classical # domain ipcidr - interval: 259200 - path: /path/to/save/file.yaml - type: http - url: "url" - rule2: - behavior: classical - interval: 259200 - path: /path/to/save/file.yaml - type: file -``` - -## Rules -- Support rule `GEOSITE`. -- Support rule-providers `RULE-SET`. -- Support `multiport` condition for rule `SRC-PORT` and `DST-PORT`. -- Support `network` condition for all rules. -- Support source IPCIDR condition for all rules, just append to the end. -- The `GEOSITE` databases via https://github.com/Loyalsoldier/v2ray-rules-dat. - -```yaml -rules: - - RULE-SET,rule1,REJECT - - DOMAIN-SUFFIX,baidu.com,DIRECT - - DOMAIN-KEYWORD,google,ss1 - - IP-CIDR,1.1.1.1/32,ss1 - - IP-CIDR6,2409::/64,DIRECT - - SUB-RULE,(OR,((NETWORK,TCP),(NETWORK,UDP))),sub-rule-name1 # 当满足条件是 TCP 或 UDP 流量时,使用名为 sub-rule-name1 当规则集 - - SUB-RULE,(AND,((NETWORK,UDP))),sub-rule-name2 -# 定义多个子规则集,规则将以分叉匹配,使用 SUB-RULE 使用 -# google.com(not match)--> baidu.com(match) -# / | -# / | -# https://baidu.com --> rule1 --> rule2 --> sub-rule-name1(match tcp) 使用 DIRECT -# -# google.com(not match)--> baidu.com(not match) -# / | -# / | -# dns 1.1.1.1 --> rule1 --> rule2 --> sub-rule-name1(match udp) sub-rule-name2(match udp) -# | -# 使用 REJECT <-- 1.1.1.1/32(match) -# - -sub-rules: - sub-rule-name1: - - DOMAIN,google.com,ss1 - - DOMAIN,baidu.com,DIRECT - sub-rule-name2: - - IP-CIDR,1.1.1.1/32,REJECT - - IP-CIDR,8.8.8.8/32,ss1 - - DOMAIN,dns.alidns.com,REJECT -``` - -## Listeners -```yaml -# 流量入站 -listeners: - - name: socks5-in-1 - type: socks - port: 10808 - #listen: 0.0.0.0 # 默认监听 0.0.0.0 - # rule: sub-rule-name1 # 默认使用 rules,如果未找到 sub-rule 则直接使用 rules - # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理 - # udp: false # 默认 true - - - name: http-in-1 - type: http - port: 10809 - listen: 0.0.0.0 - # rule: sub-rule-name1 # 默认使用 rules,如果未找到 sub-rule 则直接使用 rules - # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时,这里的proxy名称必须合法,否则会出错) - - - name: mixed-in-1 - type: mixed # HTTP(S) 和 SOCKS 代理混合 - port: 10810 - listen: 0.0.0.0 - # rule: sub-rule-name1 # 默认使用 rules,如果未找到 sub-rule 则直接使用 rules - # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时,这里的proxy名称必须合法,否则会出错) - # udp: false # 默认 true - - - name: reidr-in-1 - type: redir - port: 10811 - listen: 0.0.0.0 - # rule: sub-rule-name1 # 默认使用 rules,如果未找到 sub-rule 则直接使用 rules - # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时,这里的proxy名称必须合法,否则会出错) - - - name: tproxy-in-1 - type: tproxy - port: 10812 - listen: 0.0.0.0 - # rule: sub-rule-name1 # 默认使用 rules,如果未找到 sub-rule 则直接使用 rules - # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时,这里的proxy名称必须合法,否则会出错) - # udp: false # 默认 true - - - name: shadowsocks-in-1 - type: shadowsocks - port: 10813 - listen: 0.0.0.0 - # rule: sub-rule-name1 # 默认使用 rules,如果未找到 sub-rule 则直接使用 rules - # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时,这里的proxy名称必须合法,否则会出错) - password: vlmpIPSyHH6f4S8WVPdRIHIlzmB+GIRfoH3aNJ/t9Gg= - cipher: 2022-blake3-aes-256-gcm - - - name: vmess-in-1 - type: vmess - port: 10814 - listen: 0.0.0.0 - # rule: sub-rule-name1 # 默认使用 rules,如果未找到 sub-rule 则直接使用 rules - # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时,这里的proxy名称必须合法,否则会出错) - users: - - username: 1 - uuid: 9d0cb9d0-964f-4ef6-897d-6c6b3ccf9e68 - alterId: 1 - - - name: tuic-in-1 - type: tuic - port: 10815 - listen: 0.0.0.0 - # rule: sub-rule-name1 # 默认使用 rules,如果未找到 sub-rule 则直接使用 rules - # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时,这里的proxy名称必须合法,否则会出错) - # token: - # - TOKEN - # certificate: ./server.crt - # private-key: ./server.key - # congestion-controller: bbr - # max-idle-time: 15000 - # authentication-timeout: 1000 - # alpn: - # - h3 - # max-udp-relay-packet-size: 1500 - - - name: tunnel-in-1 - type: tunnel - port: 10816 - listen: 0.0.0.0 - # rule: sub-rule-name1 # 默认使用 rules,如果未找到 sub-rule 则直接使用 rules - # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时,这里的proxy名称必须合法,否则会出错) - network: [tcp, udp] - target: target.com - - - name: tun-in-1 - type: tun - # rule: sub-rule-name1 # 默认使用 rules,如果未找到 sub-rule 则直接使用 rules - # proxy: proxy # 如果不为空则直接将该入站流量交由指定proxy处理(当proxy不为空时,这里的proxy名称必须合法,否则会出错) - stack: system # gvisor / lwip - dns-hijack: - - 0.0.0.0:53 # 需要劫持的 DNS - # auto-detect-interface: false # 自动识别出口网卡 - # auto-route: false # 配置路由表 - # mtu: 9000 # 最大传输单元 - inet4-address: # 必须手动设置ipv4地址段 - - 198.19.0.1/30 - inet6-address: # 必须手动设置ipv6地址段 - - "fdfe:dcba:9877::1/126" - # strict_route: true # 将所有连接路由到tun来防止泄漏,但你的设备将无法其他设备被访问 - # inet4_route_address: # 启用 auto_route 时使用自定义路由而不是默认路由 - # - 0.0.0.0/1 - # - 128.0.0.0/1 - # inet6_route_address: # 启用 auto_route 时使用自定义路由而不是默认路由 - # - "::/1" - # - "8000::/1" - # endpoint_independent_nat: false # 启用独立于端点的 NAT - # include_uid: # UID 规则仅在 Linux 下被支持,并且需要 auto_route - # - 0 - # include_uid_range: # 限制被路由的的用户范围 - # - 1000-99999 - # exclude_uid: # 排除路由的的用户 - #- 1000 - # exclude_uid_range: # 排除路由的的用户范围 - # - 1000-99999 - - # Android 用户和应用规则仅在 Android 下被支持 - # 并且需要 auto_route - - # include_android_user: # 限制被路由的 Android 用户 - # - 0 - # - 10 - # include_package: # 限制被路由的 Android 应用包名 - # - com.android.chrome - # exclude_package: # 排除被路由的 Android 应用包名 - # - com.android.captiveportallogin -``` - -## 入口配置 -入口配置与 Listener 等价,传入流量将和 socks,mixed 等入口一样按照 mode 所指定的方式进行匹配处理 - -### ss-config -```yaml -ss-config: ss://2022-blake3-aes-256-gcm:vlmpIPSyHH6f4S8WVPdRIHIlzmB+GIRfoH3aNJ/t9Gg=@:23456 -``` -### vmess-config -```yaml -vmess-config: vmess://1:9d0cb9d0-964f-4ef6-897d-6c6b3ccf9e68@:12345 -``` - -### tuic 服务器入口 -传入流量将和 socks,mixed 等入口一样按照 mode 所指定的方式进行匹配处理 -```yaml -tuic-server: - enable: true - listen: 127.0.0.1:10443 - token: - - TOKEN - certificate: ./server.crt - private-key: ./server.key - congestion-controller: bbr - max-idle-time: 15000 - authentication-timeout: 1000 - alpn: - - h3 - max-udp-relay-packet-size: 1500 -``` -