github.com/igoogolx/clash@v1.19.8/docs/configuration/configuration-reference.md (about) 1 --- 2 sidebarTitle: Configuration Reference 3 sidebarOrder: 7 4 --- 5 6 # Configuration Reference 7 8 ```yaml 9 # Port of HTTP(S) proxy server on the local end 10 port: 7890 11 12 # Port of SOCKS5 proxy server on the local end 13 socks-port: 7891 14 15 # Transparent proxy server port for Linux and macOS (Redirect TCP and TProxy UDP) 16 # redir-port: 7892 17 18 # Transparent proxy server port for Linux (TProxy TCP and TProxy UDP) 19 # tproxy-port: 7893 20 21 # HTTP(S) and SOCKS4(A)/SOCKS5 server on the same port 22 # mixed-port: 7890 23 24 # authentication of local SOCKS5/HTTP(S) server 25 # authentication: 26 # - "user1:pass1" 27 # - "user2:pass2" 28 29 # Set to true to allow connections to the local-end server from 30 # other LAN IP addresses 31 # allow-lan: false 32 33 # This is only applicable when `allow-lan` is `true` 34 # '*': bind all IP addresses 35 # 192.168.122.11: bind a single IPv4 address 36 # "[aaaa::a8aa:ff:fe09:57d8]": bind a single IPv6 address 37 # bind-address: '*' 38 39 # Clash router working mode 40 # rule: rule-based packet routing 41 # global: all packets will be forwarded to a single endpoint 42 # direct: directly forward the packets to the Internet 43 mode: rule 44 45 # Clash by default prints logs to STDOUT 46 # info / warning / error / debug / silent 47 # log-level: info 48 49 # When set to false, resolver won't translate hostnames to IPv6 addresses 50 # ipv6: false 51 52 # RESTful web API listening address 53 external-controller: 127.0.0.1:9090 54 55 # A relative path to the configuration directory or an absolute path to a 56 # directory in which you put some static web resource. Clash core will then 57 # serve it at `http://{{external-controller}}/ui`. 58 # external-ui: folder 59 60 # Secret for the RESTful API (optional) 61 # Authenticate by spedifying HTTP header `Authorization: Bearer ${secret}` 62 # ALWAYS set a secret if RESTful API is listening on 0.0.0.0 63 # secret: "" 64 65 # Outbound interface name 66 # interface-name: en0 67 68 # fwmark on Linux only 69 # routing-mark: 6666 70 71 # Static hosts for DNS server and connection establishment (like /etc/hosts) 72 # 73 # Wildcard hostnames are supported (e.g. *.clash.dev, *.foo.*.example.com) 74 # Non-wildcard domain names have a higher priority than wildcard domain names 75 # e.g. foo.example.com > *.example.com > .example.com 76 # P.S. +.foo.com equals to .foo.com and foo.com 77 # hosts: 78 # '*.clash.dev': 127.0.0.1 79 # '.dev': 127.0.0.1 80 # 'alpha.clash.dev': '::1' 81 82 # profile: 83 # Store the `select` results in $HOME/.config/clash/.cache 84 # set false If you don't want this behavior 85 # when two different configurations have groups with the same name, the selected values are shared 86 # store-selected: true 87 88 # persistence fakeip 89 # store-fake-ip: false 90 91 # DNS server settings 92 # This section is optional. When not present, the DNS server will be disabled. 93 dns: 94 enable: false 95 listen: 0.0.0.0:53 96 # ipv6: false # when the false, response to AAAA questions will be empty 97 98 # These nameservers are used to resolve the DNS nameserver hostnames below. 99 # Specify IP addresses only 100 default-nameserver: 101 - 114.114.114.114 102 - 8.8.8.8 103 # enhanced-mode: fake-ip 104 fake-ip-range: 198.18.0.1/16 # Fake IP addresses pool CIDR 105 # use-hosts: true # lookup hosts and return IP record 106 107 # search-domains: [local] # search domains for A/AAAA record 108 109 # Hostnames in this list will not be resolved with fake IPs 110 # i.e. questions to these domain names will always be answered with their 111 # real IP addresses 112 # fake-ip-filter: 113 # - '*.lan' 114 # - localhost.ptlogin2.qq.com 115 116 # Supports UDP, TCP, DoT, DoH. You can specify the port to connect to. 117 # All DNS questions are sent directly to the nameserver, without proxies 118 # involved. Clash answers the DNS question with the first result gathered. 119 nameserver: 120 - 114.114.114.114 # default value 121 - 8.8.8.8 # default value 122 - tls://dns.rubyfish.cn:853 # DNS over TLS 123 - https://1.1.1.1/dns-query # DNS over HTTPS 124 - dhcp://en0 # dns from dhcp 125 # - '8.8.8.8#en0' 126 127 # When `fallback` is present, the DNS server will send concurrent requests 128 # to the servers in this section along with servers in `nameservers`. 129 # The answers from fallback servers are used when the GEOIP country 130 # is not `CN`. 131 # fallback: 132 # - tcp://1.1.1.1 133 # - 'tcp://1.1.1.1#en0' 134 135 # If IP addresses resolved with servers in `nameservers` are in the specified 136 # subnets below, they are considered invalid and results from `fallback` 137 # servers are used instead. 138 # 139 # IP address resolved with servers in `nameserver` is used when 140 # `fallback-filter.geoip` is true and when GEOIP of the IP address is `CN`. 141 # 142 # If `fallback-filter.geoip` is false, results from `nameserver` nameservers 143 # are always used if not match `fallback-filter.ipcidr`. 144 # 145 # This is a countermeasure against DNS pollution attacks. 146 # fallback-filter: 147 # geoip: true 148 # geoip-code: CN 149 # ipcidr: 150 # - 240.0.0.0/4 151 # domain: 152 # - '+.google.com' 153 # - '+.facebook.com' 154 # - '+.youtube.com' 155 156 # Lookup domains via specific nameservers 157 # nameserver-policy: 158 # 'www.baidu.com': '114.114.114.114' 159 # '+.internal.crop.com': '10.0.0.1' 160 161 proxies: 162 # Shadowsocks 163 # The supported ciphers (encryption methods): 164 # aes-128-gcm aes-192-gcm aes-256-gcm 165 # aes-128-cfb aes-192-cfb aes-256-cfb 166 # aes-128-ctr aes-192-ctr aes-256-ctr 167 # rc4-md5 chacha20-ietf xchacha20 168 # chacha20-ietf-poly1305 xchacha20-ietf-poly1305 169 - name: "ss1" 170 type: ss 171 server: server 172 port: 443 173 cipher: chacha20-ietf-poly1305 174 password: "password" 175 # udp: true 176 177 - name: "ss2" 178 type: ss 179 server: server 180 port: 443 181 cipher: chacha20-ietf-poly1305 182 password: "password" 183 plugin: obfs 184 plugin-opts: 185 mode: tls # or http 186 # host: bing.com 187 188 - name: "ss3" 189 type: ss 190 server: server 191 port: 443 192 cipher: chacha20-ietf-poly1305 193 password: "password" 194 plugin: v2ray-plugin 195 plugin-opts: 196 mode: websocket # no QUIC now 197 # tls: true # wss 198 # skip-cert-verify: true 199 # host: bing.com 200 # path: "/" 201 # mux: true 202 # headers: 203 # custom: value 204 205 # vmess 206 # cipher support auto/aes-128-gcm/chacha20-poly1305/none 207 - name: "vmess" 208 type: vmess 209 server: server 210 port: 443 211 uuid: uuid 212 alterId: 32 213 cipher: auto 214 # udp: true 215 # tls: true 216 # skip-cert-verify: true 217 # servername: example.com # priority over wss host 218 # network: ws 219 # ws-opts: 220 # path: /path 221 # headers: 222 # Host: v2ray.com 223 # max-early-data: 2048 224 # early-data-header-name: Sec-WebSocket-Protocol 225 226 - name: "vmess-h2" 227 type: vmess 228 server: server 229 port: 443 230 uuid: uuid 231 alterId: 32 232 cipher: auto 233 network: h2 234 tls: true 235 h2-opts: 236 host: 237 - http.example.com 238 - http-alt.example.com 239 path: / 240 241 - name: "vmess-http" 242 type: vmess 243 server: server 244 port: 443 245 uuid: uuid 246 alterId: 32 247 cipher: auto 248 # udp: true 249 # network: http 250 # http-opts: 251 # # method: "GET" 252 # # path: 253 # # - '/' 254 # # - '/video' 255 # # headers: 256 # # Connection: 257 # # - keep-alive 258 259 - name: vmess-grpc 260 server: server 261 port: 443 262 type: vmess 263 uuid: uuid 264 alterId: 32 265 cipher: auto 266 network: grpc 267 tls: true 268 servername: example.com 269 # skip-cert-verify: true 270 grpc-opts: 271 grpc-service-name: "example" 272 273 # socks5 274 - name: "socks" 275 type: socks5 276 server: server 277 port: 443 278 # username: username 279 # password: password 280 # tls: true 281 # skip-cert-verify: true 282 # udp: true 283 284 # http 285 - name: "http" 286 type: http 287 server: server 288 port: 443 289 # username: username 290 # password: password 291 # tls: true # https 292 # skip-cert-verify: true 293 # sni: custom.com 294 295 # Snell 296 # Beware that there's currently no UDP support yet 297 - name: "snell" 298 type: snell 299 server: server 300 port: 44046 301 psk: yourpsk 302 # version: 2 303 # obfs-opts: 304 # mode: http # or tls 305 # host: bing.com 306 307 # Trojan 308 - name: "trojan" 309 type: trojan 310 server: server 311 port: 443 312 password: yourpsk 313 # udp: true 314 # sni: example.com # aka server name 315 # alpn: 316 # - h2 317 # - http/1.1 318 # skip-cert-verify: true 319 320 - name: trojan-grpc 321 server: server 322 port: 443 323 type: trojan 324 password: "example" 325 network: grpc 326 sni: example.com 327 # skip-cert-verify: true 328 udp: true 329 grpc-opts: 330 grpc-service-name: "example" 331 332 - name: trojan-ws 333 server: server 334 port: 443 335 type: trojan 336 password: "example" 337 network: ws 338 sni: example.com 339 # skip-cert-verify: true 340 udp: true 341 # ws-opts: 342 # path: /path 343 # headers: 344 # Host: example.com 345 346 # ShadowsocksR 347 # The supported ciphers (encryption methods): all stream ciphers in ss 348 # The supported obfses: 349 # plain http_simple http_post 350 # random_head tls1.2_ticket_auth tls1.2_ticket_fastauth 351 # The supported supported protocols: 352 # origin auth_sha1_v4 auth_aes128_md5 353 # auth_aes128_sha1 auth_chain_a auth_chain_b 354 - name: "ssr" 355 type: ssr 356 server: server 357 port: 443 358 cipher: chacha20-ietf 359 password: "password" 360 obfs: tls1.2_ticket_auth 361 protocol: auth_sha1_v4 362 # obfs-param: domain.tld 363 # protocol-param: "#" 364 # udp: true 365 366 proxy-groups: 367 # relay chains the proxies. proxies shall not contain a relay. No UDP support. 368 # Traffic: clash <-> http <-> vmess <-> ss1 <-> ss2 <-> Internet 369 - name: "relay" 370 type: relay 371 proxies: 372 - http 373 - vmess 374 - ss1 375 - ss2 376 377 # url-test select which proxy will be used by benchmarking speed to a URL. 378 - name: "auto" 379 type: url-test 380 proxies: 381 - ss1 382 - ss2 383 - vmess1 384 # tolerance: 150 385 # lazy: true 386 url: 'http://www.gstatic.com/generate_204' 387 interval: 300 388 389 # fallback selects an available policy by priority. The availability is tested by accessing an URL, just like an auto url-test group. 390 - name: "fallback-auto" 391 type: fallback 392 proxies: 393 - ss1 394 - ss2 395 - vmess1 396 url: 'http://www.gstatic.com/generate_204' 397 interval: 300 398 399 # load-balance: The request of the same eTLD+1 will be dial to the same proxy. 400 - name: "load-balance" 401 type: load-balance 402 proxies: 403 - ss1 404 - ss2 405 - vmess1 406 url: 'http://www.gstatic.com/generate_204' 407 interval: 300 408 # strategy: consistent-hashing # or round-robin 409 410 # select is used for selecting proxy or proxy group 411 # you can use RESTful API to switch proxy is recommended for use in GUI. 412 - name: Proxy 413 type: select 414 # disable-udp: true 415 # filter: 'someregex' 416 proxies: 417 - ss1 418 - ss2 419 - vmess1 420 - auto 421 422 # direct to another interfacename or fwmark, also supported on proxy 423 - name: en1 424 type: select 425 interface-name: en1 426 routing-mark: 6667 427 proxies: 428 - DIRECT 429 430 - name: UseProvider 431 type: select 432 use: 433 - provider1 434 proxies: 435 - Proxy 436 - DIRECT 437 438 proxy-providers: 439 provider1: 440 type: http 441 url: "url" 442 interval: 3600 443 path: ./provider1.yaml 444 health-check: 445 enable: true 446 interval: 600 447 # lazy: true 448 url: http://www.gstatic.com/generate_204 449 test: 450 type: file 451 path: /test.yaml 452 health-check: 453 enable: true 454 interval: 36000 455 url: http://www.gstatic.com/generate_204 456 457 tunnels: 458 # one line config 459 - tcp/udp,127.0.0.1:6553,114.114.114.114:53,proxy 460 - tcp,127.0.0.1:6666,rds.mysql.com:3306,vpn 461 # full yaml config 462 - network: [tcp, udp] 463 address: 127.0.0.1:7777 464 target: target.com 465 proxy: proxy 466 467 rules: 468 - DOMAIN-SUFFIX,google.com,auto 469 - DOMAIN-KEYWORD,google,auto 470 - DOMAIN,google.com,auto 471 - DOMAIN-SUFFIX,ad.com,REJECT 472 - SRC-IP-CIDR,192.168.1.201/32,DIRECT 473 # optional param "no-resolve" for IP rules (GEOIP, IP-CIDR, IP-CIDR6) 474 - IP-CIDR,127.0.0.0/8,DIRECT 475 - GEOIP,CN,DIRECT 476 - DST-PORT,80,DIRECT 477 - SRC-PORT,7777,DIRECT 478 - RULE-SET,apple,REJECT # Premium only 479 - MATCH,auto 480 ```