# Source: github.com/metacubex/mihomo@v1.18.5/docs/config.yaml
# Sample configuration that illustrates the available options. Every password,
# token, key and UUID in this file is a published example value and must be
# replaced before the file is used for a real deployment.

# port: 7890 # HTTP(S) proxy server port
# socks-port: 7891 # SOCKS5 proxy port
mixed-port: 10801 # mixed HTTP(S) and SOCKS proxy port
# redir-port: 7892 # transparent proxy port, for Linux and macOS

# Transparent proxy server port for Linux (TProxy TCP and TProxy UDP)
# tproxy-port: 7893

# NOTE(review): allow-lan: true together with bind-address "*" offers the
# inbound proxy ports on every interface, and lan-allowed-ips below admits any
# source address. "username:password" is a placeholder credential: replace it
# before enabling LAN access and narrow lan-allowed-ips to the networks that
# actually need the proxy.
allow-lan: true # allow connections from the LAN
bind-address: "*" # IP address to bind; only applies when allow-lan is true; '*' means all addresses
authentication: # username and password checked on the http and socks inbounds
  - "username:password"
skip-auth-prefixes: # IP ranges that skip authentication
  - 127.0.0.1/8
  - ::1/128
lan-allowed-ips: # IP ranges allowed to connect; only applies when allow-lan is true; defaults are 0.0.0.0/0 and ::/0
  - 0.0.0.0/0
  - ::/0
lan-disallowed-ips: # IP ranges denied; the deny list takes priority over the allow list; empty by default
  - 192.168.0.3/32

# find-process-mode has 3 values: always, strict, off
# - always: enabled, force matching for all processes
# - strict: default, mihomo decides whether to enable it
# - off: do not match processes; recommended when running on a router
find-process-mode: strict

mode: rule

# Custom geodata URLs
# NOTE(review): these files back the geoip/geosite matching used further down
# (nameserver-policy, fallback-filter), and this sample configures no checksum
# or pin for them, so routing and DNS policy depend on the integrity of the
# host that serves them.
geox-url:
  geoip: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.dat"
  geosite: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geosite.dat"
  mmdb: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.metadb"

geo-auto-update: false # whether to update geodata automatically
geo-update-interval: 24 # update interval, in hours

# Matcher implementation used by GeoSite, available implementations:
# - succinct (default, same as rule-set)
# - mph (from V2Ray, also `hybrid` in Xray)
# geosite-matcher: succinct

# NOTE(review): debug is the most verbose level listed; presumably it records
# per-connection detail - confirm, and use a quieter level outside troubleshooting.
log-level: debug # log level: silent/error/warning/info/debug

ipv6: true # master switch for IPv6; turning it off blocks all IPv6 connections and suppresses DNS AAAA records

tls:
  certificate: string # certificate in PEM format, or the path to the certificate
  private-key: string # private key matching the certificate in PEM format, or the path to the key
  # NOTE(review): key spelling is as given in this sample; check it against the
  # parser before "correcting" it.
  custom-certifactes:
    - |
      -----BEGIN CERTIFICATE-----
      format/pem...
      -----END CERTIFICATE-----

# NOTE(review): both controller listeners bind 0.0.0.0 while `secret` is left
# commented out, so as written the RESTful API is offered on every interface
# without a bearer secret. Bind to a loopback or management address and set a
# long random secret; the "123456" shown is only an illustration.
external-controller: 0.0.0.0:9093 # RESTful API listen address
external-controller-tls: 0.0.0.0:9443 # RESTful API HTTPS listen address; requires the tls section above
# secret: "123456" # `Authorization:Bearer ${secret}`

# RESTful API Unix socket listen address (also usable on Windows builds newer than 17063, i.e. version 1803/RS4 or later)
# !!! WARNING: API access through the Unix socket does NOT check the secret; if you enable it, securing it is up to you !!!
# NOTE(review): since the secret is not checked on this path, the permissions
# on the socket file and its directory are the only access control.
# Test with: curl -v --unix-socket "mihomo.sock" http://localhost/
external-controller-unix: mihomo.sock

# tcp-concurrent: true # connect over TCP to all resolved IPs concurrently and use the one that finishes the handshake first

# Web UI directory, served at http://{{external-controller}}/ui
# NOTE(review): external-ui-url points at a branch-head archive
# (refs/heads/gh-pages.zip), which is a mutable reference; the downloaded files
# are then served from the controller's own address.
external-ui: /path/to/ui/folder/
external-ui-name: xd
external-ui-url: "https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.zip"

# interface-name: en0 # outbound network interface

# Global TLS fingerprint; lower priority than client-fingerprint set inside a proxy
# Options: "chrome","firefox","safari","ios","random","none"
# uTLS currently supports the TLS transport in TCP/gRPC/WS/HTTP for VLESS/VMess and Trojan.
global-client-fingerprint: chrome

# TCP keep alive interval
keep-alive-interval: 15

# routing-mark:6666 # set fwmark; Linux only
experimental:
  # Disable quic-go GSO support. This may result in reduced performance on Linux.
  # This is not recommended for most users.
  # Only users encountering issues with quic-go's internal implementation should enable this,
  # and they should disable it as soon as the issue is resolved.
  # This field will be removed when quic-go fixes all their issues in GSO.
  # This is equivalent to the environment variable QUIC_GO_DISABLE_GSO=1.
  #quic-go-disable-gso: true

# Similar to /etc/hosts; only supports configuring a single IP
hosts:
# '*.mihomo.dev': 127.0.0.1
# '.dev': 127.0.0.1
# 'alpha.mihomo.dev': '::1'
# test.com: [1.1.1.1, 2.2.2.2]
# home.lan: lan # "lan" is a special value that adds the addresses of all local interfaces
# baidu.com: google.com # only one alias may be configured

profile: # store the choices made in select groups
  store-selected: false

  # persist fake-ip mappings
  store-fake-ip: true

# Tun configuration
tun:
  enable: false
  stack: system # gvisor/mixed
  dns-hijack:
    - 0.0.0.0:53 # DNS to hijack
  # auto-detect-interface: true # detect the outbound interface automatically
  # auto-route: true # configure the routing table
  # mtu: 9000 # maximum transmission unit
  # gso: false # enable generic segmentation offload; Linux only
  # gso-max-size: 65536 # maximum size of a generic segmentation offload packet
  # strict-route: true # route all connections into tun to prevent leaks, but your device will not be reachable from other devices
  inet4-route-address: # use custom routes instead of the default route when auto-route is enabled
    - 0.0.0.0/1
    - 128.0.0.0/1
  inet6-route-address: # use custom routes instead of the default route when auto-route is enabled
    - "::/1"
    - "8000::/1"
  # endpoint-independent-nat: false # enable endpoint-independent NAT
  # include-interface: # limit the interfaces that are routed; unlimited by default; conflicts with `exclude-interface`
  #   - "lan0"
  # exclude-interface: # interfaces excluded from routing; conflicts with `include-interface`
  #   - "lan1"
  # include-uid: # UID rules are supported on Linux only and require auto-route
  #   - 0
  # include-uid-range: # limit the range of users that are routed
  #   - 1000:9999
  # exclude-uid: # users excluded from routing
  #- 1000
  # exclude-uid-range: # range of users excluded from routing
  #   - 1000:9999

  # Android user and app rules are supported on Android only
  # and require auto-route

  # include-android-user: # limit the Android users that are routed
  #   - 0
  #   - 10
  # include-package: # limit the Android app package names that are routed
  #   - com.android.chrome
  # exclude-package: # Android app package names excluded from routing
  #   - com.android.captiveportallogin

# eBPF configuration
ebpf:
  auto-redir: # redirect mode; TCP only
    - eth0
  redirect-to-tun: # UDP+TCP; do not enable auto-route when using this feature
    - eth0

# Domain sniffing (optional)
sniffer:
  enable: false
  ## Force sniffing for traffic identified as redir-host type,
  ## e.g. Tun, Redir and TProxy when DNS is in redir-host mode
  # force-dns-mapping: false
  ## Force sniffing for all traffic for which no domain name was obtained
  # parse-pure-ip: false
  # Whether to use the sniffed result as the actual destination; default true
  # Global setting; lower priority than the per-protocol settings under sniffer.sniff
  override-destination: false
  sniff: # TLS and QUIC sniff port 443 by default when ports is not configured
    QUIC:
    #  ports: [ 443 ]
    TLS:
    #  ports: [443, 8443]

    # Sniffs port 80 by default
    HTTP: # ports to sniff
      ports: [80, 8080-8880]
      # Can override sniffer.override-destination
      override-destination: true
  force-domain:
    - +.v2ex.com
  ## Skip the sniffing result for these domains
  # skip-domain:
  #   - Mijia Cloud
  # Protocols to sniff
  # Deprecated; has no effect when sniffer.sniff is configured
  sniffing:
    - tls
    - http
  # Force sniffing for this domain

  # Only sniff ports on the whitelist; default 443,80
  # Deprecated; has no effect when sniffer.sniff is configured
  port-whitelist:
    - "80"
    - "443"
    # - 8000-9999

tunnels: # one line config
  - tcp/udp,127.0.0.1:6553,114.114.114.114:53,proxy
  - tcp,127.0.0.1:6666,rds.mysql.com:3306,vpn
  # full yaml config
  - network: [tcp, udp]
    address: 127.0.0.1:7777
    target: target.com
    proxy: proxy

# DNS configuration
dns:
  cache-algorithm: arc
  enable: false # when off, the system DNS is used
  prefer-h3: true # enable HTTP/3 for DoH; both are tried concurrently
  # NOTE(review): 0.0.0.0:53 accepts queries on every interface once enable is
  # true; bind to loopback or a LAN address unless other hosts must use it.
  listen: 0.0.0.0:53 # enable the DNS server listener
  # ipv6: false # false returns an empty result for AAAA
  # ipv6-timeout: 300 # in ms; during internal dual-stack concurrency, how long to wait for AAAA when querying upstream; default 100ms
  # Used to resolve the hostnames of the DNS servers in nameserver, fallback and the other DNS server settings
  # Only plain IP addresses may be used; encrypted DNS is allowed
  default-nameserver:
    - 114.114.114.114
    - 8.8.8.8
    - tls://1.12.12.12:853
    - tls://223.5.5.5:853
    - system # append DNS server from system configuration. If not found, it would print an error log and skip.
  enhanced-mode: fake-ip # or redir-host

  fake-ip-range: 198.18.0.1/16 # fake-ip pool

  # use-hosts: true # look up hosts

  # Domains that do not use fake-ip
  # fake-ip-filter:
  #   - '*.lan'
  #   - localhost.ptlogin2.qq.com

  # Main DNS servers
  # Supports UDP, TCP, DoT, DoH, DoQ
  # This is the primary DNS configuration and affects all direct connections; make sure to use DNS that resolves mainland-China domains accurately
  # NOTE(review): the bare-IP entries are presumably plain, unencrypted DNS;
  # the tls://, https:// and quic:// forms are the encrypted transports.
  nameserver:
    - 114.114.114.114 # default value
    - 8.8.8.8 # default value
    - tls://223.5.5.5:853 # DNS over TLS
    - https://doh.pub/dns-query # DNS over HTTPS
    - https://dns.alidns.com/dns-query#h3=true # force HTTP/3 for DoH, independent of prefer-h3; the server cannot be used if it does not support HTTP/3
    - https://mozilla.cloudflare-dns.com/dns-query#DNS&h3=true # specify the policy group and use HTTP/3
    - dhcp://en0 # dns from dhcp
    - quic://dns.adguard.com:784 # DNS over QUIC
    # - '8.8.8.8#en0' # compatible form for specifying the DNS outbound interface

  # When fallback is configured, the IPs returned by nameserver are checked for being CN; optional
  # If they are not CN, the DNS results from fallback are used
  # Make sure the fallback servers can be queried normally when configuring this
  # fallback:
  #   - tcp://1.1.1.1
  #   - 'tcp://1.1.1.1#ProxyGroupName' # send DNS queries through a proxy; ProxyGroupName is a policy group or node name; the proxy setting takes priority over the outbound-interface setting; if no such group or node is found, the value is treated as an outbound interface

  # DNS servers dedicated to resolving proxy node hostnames; optional
  # proxy-server-nameserver:
  #   - https://dns.google/dns-query
  #   - tls://one.one.one.one

  # Conditions for using fallback
  # fallback-filter:
  #   geoip: true # whether to use geoip
  #   geoip-code: CN # when the geoip lookup of the IP returned by nameserver is CN, the fallback results are not used
  #   Force fallback for these categories; takes priority over the IP check; see the geosite database for the categories
  #   geosite:
  #     - gfw
  #   If ipcidr does not match, the results from nameservers are used
  #   ipcidr:
  #     - 240.0.0.0/4
  #   domain:
  #     - '+.google.com'
  #     - '+.facebook.com'
  #     - '+.youtube.com'

  # DNS servers to use per queried domain
  nameserver-policy:
    #   'www.baidu.com': '114.114.114.114'
    #   '+.internal.crop.com': '10.0.0.1'
    "geosite:cn,private,apple":
      - https://doh.pub/dns-query
      - https://dns.alidns.com/dns-query
    "geosite:category-ads-all": rcode://success
    "www.baidu.com,+.google.cn": [223.5.5.5, https://dns.alidns.com/dns-query]
    ## global,dns are the rule-providers subscriptions named global and dns,
    ## and behavior must be domain/classical; with classical only domain-type rules take effect
    # "rule-set:global,dns": 8.8.8.8

# NOTE(review): skip-cert-verify: true, shown commented out in many entries
# below, turns off server certificate verification for that node. Prefer
# leaving it off and pinning the certificate with `fingerprint` where a
# private or self-signed certificate is in use.
proxies: # socks5
  - name: "socks"
    type: socks5
    server: server
    port: 443
    # username: username
    # password: password
    # tls: true
    # fingerprint: xxxx
    # skip-cert-verify: true
    # udp: true
    # ip-version: ipv6

  # http
  - name: "http"
    type: http
    server: server
    port: 443
    # username: username
    # password: password
    # tls: true # https
    # skip-cert-verify: true
    # sni: custom.com
    # fingerprint: xxxx # same as experimental.fingerprints, uses a sha256 fingerprint; a per-proxy fingerprint makes experimental.fingerprints be ignored
    # ip-version: dual

  # Snell
  # Beware that there's currently no UDP support yet
  - name: "snell"
    type: snell
    server: server
    port: 44046
    psk: yourpsk
    # version: 2
    # obfs-opts:
      # mode: http # or tls
      # host: bing.com

  # Shadowsocks
  # Supported ciphers:
  #   aes-128-gcm aes-192-gcm aes-256-gcm
  #   aes-128-cfb aes-192-cfb aes-256-cfb
  #   aes-128-ctr aes-192-ctr aes-256-ctr
  #   rc4-md5 chacha20-ietf xchacha20
  #   chacha20-ietf-poly1305 xchacha20-ietf-poly1305
  #   2022-blake3-aes-128-gcm 2022-blake3-aes-256-gcm 2022-blake3-chacha20-poly1305
  # NOTE(review): the cfb, ctr, rc4-md5, chacha20-ietf and xchacha20 entries are
  # stream ciphers without built-in authentication; prefer the gcm, poly1305 or
  # 2022-blake3 AEAD entries, as the samples below do.
  - name: "ss1"
    type: ss
    server: server
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "password"
    # udp: true
    # udp-over-tcp: false
    # ip-version: ipv4 # IP version used by the node; options: dual, ipv4, ipv6, ipv4-prefer, ipv6-prefer; default dual
    # ipv4: IPv4 only; ipv6: IPv6 only
    # ipv4-prefer: prefer IPv4; for TCP, resolves dual-stack and connects concurrently but prefers the IPv4 connection,
    # for UDP, resolves dual-stack and takes the first IPv4 in the result
    # ipv6-prefer: same as ipv4-prefer
    # All current protocols support this parameter; the TCP behaviour only takes effect when tcp-concurrent is enabled
    smux:
      enabled: false
      protocol: smux # smux/yamux/h2mux
      # max-connections: 4 # Maximum connections. Conflict with max-streams.
      # min-streams: 4 # Minimum multiplexed streams in a connection before opening a new connection. Conflict with max-streams.
      # max-streams: 0 # Maximum multiplexed streams in a connection before opening a new connection. Conflict with max-connections and min-streams.
      # padding: false # Enable padding. Requires sing-box server version 1.3-beta9 or later.
      # statistic: false # whether to show the underlying connection in the dashboard, which makes it easy to interrupt it
      # only-tcp: false # if true, the smux settings do not apply to udp; udp connections go directly over the underlying protocol

  - name: "ss2"
    type: ss
    server: server
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "password"
    plugin: obfs
    plugin-opts:
      mode: tls # or http
      # host: bing.com

  - name: "ss3"
    type: ss
    server: server
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "password"
    plugin: v2ray-plugin
    plugin-opts:
      mode: websocket # no QUIC now
      # tls: true # wss
      # Obtain with: openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem
      # Configuring a fingerprint gives the effect of SSL pinning
      # fingerprint: xxxx
      # skip-cert-verify: true
      # host: bing.com
      # path: "/"
      # mux: true
      # headers:
      #   custom: value
      # v2ray-http-upgrade: false
      # v2ray-http-upgrade-fast-open: false

  - name: "ss4-shadow-tls"
    type: ss
    server: server
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "password"
    plugin: shadow-tls
    client-fingerprint: chrome
    plugin-opts:
      host: "cloud.tencent.com"
      password: "shadow_tls_password"
      version: 2 # support 1/2/3

  # NOTE(review): the bracketed placeholders below ([YOUR_SERVER_IP] etc.) parse
  # as YAML flow sequences, not strings; replace them with quoted strings.
  - name: "ss-restls-tls13"
    type: ss
    server: [YOUR_SERVER_IP]
    port: 443
    cipher: chacha20-ietf-poly1305
    password: [YOUR_SS_PASSWORD]
    client-fingerprint:
      chrome # One of: chrome, ios, firefox or safari
    plugin: restls
    plugin-opts:
      host:
        "www.microsoft.com" # Must be a TLS 1.3 server
      password: [YOUR_RESTLS_PASSWORD]
      version-hint: "tls13"
      # Control your post-handshake traffic through restls-script
      # Hide proxy behaviors like "tls in tls".
      # see https://github.com/3andne/restls/blob/main/Restls-Script:%20Hide%20Your%20Proxy%20Traffic%20Behavior.md
      # Chinese version: https://github.com/3andne/restls/blob/main/Restls-Script:%20%E9%9A%90%E8%97%8F%E4%BD%A0%E7%9A%84%E4%BB%A3%E7%90%86%E8%A1%8C%E4%B8%BA.md
      restls-script: "300?100<1,400~100,350~100,600~100,300~200,300~100"

  - name: "ss-restls-tls12"
    type: ss
    server: [YOUR_SERVER_IP]
    port: 443
    cipher: chacha20-ietf-poly1305
    password: [YOUR_SS_PASSWORD]
    client-fingerprint:
      chrome # One of: chrome, ios, firefox or safari
    plugin: restls
    plugin-opts:
      host:
        "vscode.dev" # Must be a TLS 1.2 server
      password: [YOUR_RESTLS_PASSWORD]
      version-hint: "tls12"
      restls-script: "1000?100<1,500~100,350~100,600~100,400~200"

  # vmess
  # cipher supports auto/aes-128-gcm/chacha20-poly1305/none
  # NOTE(review): a non-zero alterId (32 in these samples) presumably selects the
  # legacy VMess header authentication rather than the AEAD variant used with
  # alterId 0 - confirm against the server and prefer 0 where it is supported.
  - name: "vmess"
    type: vmess
    server: server
    port: 443
    uuid: uuid
    alterId: 32
    cipher: auto
    # udp: true
    # tls: true
    # fingerprint: xxxx
    # client-fingerprint: chrome # Available: "chrome","firefox","safari","ios","random", currently only support TLS transport in TCP/GRPC/WS/HTTP for VLESS/Vmess and trojan.
    # skip-cert-verify: true
    # servername: example.com # priority over wss host
    # network: ws
    # ws-opts:
      # path: /path
      # headers:
      #   Host: v2ray.com
      # max-early-data: 2048
      # early-data-header-name: Sec-WebSocket-Protocol
      # v2ray-http-upgrade: false
      # v2ray-http-upgrade-fast-open: false

  - name: "vmess-h2"
    type: vmess
    server: server
    port: 443
    uuid: uuid
    alterId: 32
    cipher: auto
    network: h2
    tls: true
    # fingerprint: xxxx
    h2-opts:
      host:
        - http.example.com
        - http-alt.example.com
      path: /

  - name: "vmess-http"
    type: vmess
    server: server
    port: 443
    uuid: uuid
    alterId: 32
    cipher: auto
    # udp: true
    # network: http
    # http-opts:
    #   method: "GET"
    #   path:
    #   - '/'
    #   - '/video'
    #   headers:
    #     Connection:
    #     - keep-alive
    # ip-version: ipv4 # IP type preference; options: ipv4, ipv6, dual; default: dual

  - name: vmess-grpc
    server: server
    port: 443
    type: vmess
    uuid: uuid
    alterId: 32
    cipher: auto
    network: grpc
    tls: true
    # fingerprint: xxxx
    servername: example.com
    # skip-cert-verify: true
    grpc-opts:
      grpc-service-name: "example"
    # ip-version: ipv4

  # vless
  - name: "vless-tcp"
    type: vless
    server: server
    port: 443
    uuid: uuid
    network: tcp
    servername: example.com # AKA SNI
    # flow: xtls-rprx-direct # xtls-rprx-origin  # enable XTLS
    # skip-cert-verify: true
    # fingerprint: xxxx
    # client-fingerprint: random # Available: "chrome","firefox","safari","random","none"

  - name: "vless-vision"
    type: vless
    server: server
    port: 443
    uuid: uuid
    network: tcp
    tls: true
    udp: true
    flow: xtls-rprx-vision
    client-fingerprint: chrome
    # fingerprint: xxxx
    # skip-cert-verify: true

  - name: "vless-reality-vision"
    type: vless
    server: server
    port: 443
    uuid: uuid
    network: tcp
    tls: true
    udp: true
    flow: xtls-rprx-vision
    servername: www.microsoft.com # REALITY servername
    reality-opts:
      public-key: xxx
      short-id: xxx # optional
    client-fingerprint: chrome # cannot be empty

  - name: "vless-reality-grpc"
    type: vless
    server: server
    port: 443
    uuid: uuid
    network: grpc
    tls: true
    udp: true
    flow:
    # skip-cert-verify: true
    client-fingerprint: chrome
    servername: testingcf.jsdelivr.net
    grpc-opts:
      grpc-service-name: "grpc"
    reality-opts:
      public-key: CrrQSjAG_YkHLwvM2M-7XkKJilgL5upBKCp0od0tLhE
      short-id: 10f897e26c4b9478

  - name: "vless-ws"
    type: vless
    server: server
    port: 443
    uuid: uuid
    udp: true
    tls: true
    network: ws
    # client-fingerprint: random # Available: "chrome","firefox","safari","random","none"
    servername: example.com # priority over wss host
    # skip-cert-verify: true
    # fingerprint: xxxx
    ws-opts:
      path: "/"
      headers:
        Host: example.com
      # v2ray-http-upgrade: false
      # v2ray-http-upgrade-fast-open: false

  # Trojan
  - name: "trojan"
    type: trojan
    server: server
    port: 443
    password: yourpsk
    # client-fingerprint: random # Available: "chrome","firefox","safari","random","none"
    # fingerprint: xxxx
    # udp: true
    # sni: example.com # aka server name
    # alpn:
    #   - h2
    #   - http/1.1
    # skip-cert-verify: true

  - name: trojan-grpc
    server: server
    port: 443
    type: trojan
    password: "example"
    network: grpc
    sni: example.com
    # skip-cert-verify: true
    # fingerprint: xxxx
    udp: true
    grpc-opts:
      grpc-service-name: "example"

  - name: trojan-ws
    server: server
    port: 443
    type: trojan
    password: "example"
    network: ws
    sni: example.com
    # skip-cert-verify: true
    # fingerprint: xxxx
    udp: true
    # ws-opts:
      # path: /path
      # headers:
      #   Host: example.com
      # v2ray-http-upgrade: false
      # v2ray-http-upgrade-fast-open: false

  - name: "trojan-xtls"
    type: trojan
    server: server
    port: 443
    password: yourpsk
    flow: "xtls-rprx-direct" # xtls-rprx-origin xtls-rprx-direct
    flow-show: true
    # udp: true
    # sni: example.com # aka server name
    # skip-cert-verify: true
    # fingerprint: xxxx

  # hysteria
  - name: "hysteria"
    type: hysteria
    server: server.com
    port: 443
    # ports: 1000,2000-3000,5000 # port must not be omitted
    auth-str: yourpassword
    # obfs: obfs_str
    # alpn:
    #   - h3
    protocol: udp # supports udp/wechat-video/faketcp
    up: "30 Mbps" # defaults to Mbps when no unit is given
    down: "200 Mbps" # defaults to Mbps when no unit is given
    # sni: server.com
    # skip-cert-verify: false
    # recv-window-conn: 12582912
    # recv-window: 52428800
    # ca: "./my.ca"
    # ca-str: "xyz"
    # disable-mtu-discovery: false
    # fingerprint: xxxx
    # fast-open: true # TCP fast open is supported; default false

  # hysteria2
  - name: "hysteria2"
    type: hysteria2
    server: server.com
    port: 443
    # ports: 1000,2000-3000,5000 # port must not be omitted
    # hop-interval: 15
    #  BBR congestion control is used when up and down are both omitted or 0
    # up: "30 Mbps" # defaults to Mbps when no unit is given
    # down: "200 Mbps" # defaults to Mbps when no unit is given
    password: yourpassword
    # obfs: salamander # empty by default; setting it enables obfs; only salamander is supported at present
    # obfs-password: yourpassword
    # sni: server.com
    # skip-cert-verify: false
    # fingerprint: xxxx
    # alpn:
    #   - h3
    # ca: "./my.ca"
    # ca-str: "xyz"

  # wireguard
  # NOTE(review): the key material below is a sample published with this
  # document; generate your own key pair and keep private-key out of any
  # shared or version-controlled copy of the configuration.
  - name: "wg"
    type: wireguard
    server: 162.159.192.1
    port: 2480
    ip: 172.16.0.2
    ipv6: fd01:5ca1:ab1e:80fa:ab85:6eea:213f:f4a5
    public-key: Cr8hWlKvtDt7nrvf+f0brNQQzabAqrjfBvas9pmowjo=
    # pre-shared-key: 31aIhAPwktDGpH4JDhA8GNvjFXEf/a6+UaQRyOAiyfM=
    private-key: eCtXsJZ27+4PbhDkHnB923tkUn2Gj59wZw5wFA75MnU=
    udp: true
    reserved: "U4An"
    # The array form is also valid
    # reserved: [209,98,59]
    # Identifier of an outbound proxy. When non-empty, connections are made through the specified proxy
    # dialer-proxy: "ss1"
    # remote-dns-resolve: true # force remote DNS resolution; default false
    # dns: [ 1.1.1.1, 8.8.8.8 ] # only takes effect when remote-dns-resolve is true
    # If peers is non-empty, allowed-ips in that section must not be empty; server, port, public-key and pre-shared-key from the section above are all ignored, but private-key is kept and can only be specified at the top level
    # peers:
    #   - server: 162.159.192.1
    #     port: 2480
    #     public-key: Cr8hWlKvtDt7nrvf+f0brNQQzabAqrjfBvas9pmowjo=
    #     # pre-shared-key: 31aIhAPwktDGpH4JDhA8GNvjFXEf/a6+UaQRyOAiyfM=
    #     allowed-ips: ['0.0.0.0/0']
    #     reserved: [209,98,59]

  # tuic
  # NOTE(review): this sample sets token together with uuid/password although
  # the comments below say they must not be set at the same time; keep only the
  # set that matches the server's tuic version.
  - name: tuic
    server: www.example.com
    port: 10443
    type: tuic
    # tuicV4 requires token (uuid and password must not be set at the same time)
    token: TOKEN
    # tuicV5 requires uuid and password (token must not be set at the same time)
    uuid: 00000000-0000-0000-0000-000000000001
    password: PASSWORD_1
    # ip: 127.0.0.1 # for overwriting the DNS lookup result of the server address set in option 'server'
    # heartbeat-interval: 10000
    # alpn: [h3]
    disable-sni: true
    reduce-rtt: true
    request-timeout: 8000
    udp-relay-mode: native # Available: "native", "quic". Default: "native"
    # congestion-controller: bbr # Available: "cubic", "new_reno", "bbr". Default: "cubic"
    # cwnd: 10 # default: 32
    # max-udp-relay-packet-size: 1500
    # fast-open: true
    # skip-cert-verify: true
    # max-open-streams: 20 # default 100, too many open streams may hurt performance
    # sni: example.com
    #
    # Private extension of meta and sing-box: uses ss-uot for the UDP relay; udp-relay-mode has no effect once this is enabled
    # Warning: incompatible with the original tuic!!!
    # udp-over-stream: false
    # udp-over-stream-version: 1

  # ShadowsocksR
  # The supported ciphers (encryption methods): all stream ciphers in ss
  # The supported obfses:
  #   plain http_simple http_post
  #   random_head tls1.2_ticket_auth tls1.2_ticket_fastauth
  # The supported protocols:
  #   origin auth_sha1_v4 auth_aes128_md5
  #   auth_aes128_sha1 auth_chain_a auth_chain_b
  - name: "ssr"
    type: ssr
    server: server
    port: 443
    cipher: chacha20-ietf
    password: "password"
    obfs: tls1.2_ticket_auth
    protocol: auth_sha1_v4
    # obfs-param: domain.tld
    # protocol-param: "#"
    # udp: true

  # NOTE(review): root with the literal password "password" is a placeholder;
  # for a real endpoint prefer a dedicated low-privilege account and key-based login.
  - name: "ssh-out"
    type: ssh

    server: 127.0.0.1
    port: 22
    username: root
    password: password
    privateKey: path

  # The dns outbound hijacks requests into the internal dns module; all requests are handled internally
  - name: "dns-out"
    type: dns
# NOTE(review): several groups below list `vmess1`, but the proxies section of
# this sample defines no node with that name (the nearest is `vmess`).
proxy-groups:
  # Proxy chain; at present only vmess/vless/trojan/ss/ssr/tuic support udp in relay
  # wireguard cannot currently be used in relay; use the dialer-proxy option of the proxy instead
  # Traffic: mihomo <-> http <-> vmess <-> ss1 <-> ss2 <-> Internet
  - name: "relay"
    type: relay
    proxies:
      - http
      - vmess
      - ss1
      - ss2

  # url-test uses the node with the lowest latency according to the url test results
  - name: "auto"
    type: url-test
    proxies:
      - ss1
      - ss2
      - vmess1
    # tolerance: 150
    # lazy: true
    # expected-status: 204 # the node is considered unavailable when the health-check status code differs from the expected value
    url: "https://cp.cloudflare.com/generate_204"
    interval: 300

  # fallback selects by node order according to the url test results
  - name: "fallback-auto"
    type: fallback
    proxies:
      - ss1
      - ss2
      - vmess1
    url: "https://cp.cloudflare.com/generate_204"
    interval: 300

  # load-balance selects nodes randomly according to the algorithm
  - name: "load-balance"
    type: load-balance
    proxies:
      - ss1
      - ss2
      - vmess1
    url: "https://cp.cloudflare.com/generate_204"
    interval: 300
    # strategy: consistent-hashing # alternatives: round-robin and sticky-sessions

  # select: the user chooses the node
  - name: Proxy
    type: select
    # disable-udp: true
    proxies:
      - ss1
      - ss2
      - vmess1
      - auto

  # DIRECT bound to a specific interface-name and fwmark
  - name: en1
    type: select
    interface-name: en1
    routing-mark: 6667
    proxies:
      - DIRECT

  - name: UseProvider
    type: select
    filter: "HK|TW" # regular expression; keeps the nodes of provider1 whose name contains HK or TW
    use:
      - provider1
    proxies:
      - Proxy
      - DIRECT

# Nodes in Mihomo format, or in the share formats supported by *ray
proxy-providers:
  provider1:
    type: http # for http, path may be left empty; the default storage location is the proxies folder under homedir, with the md5 of the url as file name
    url: "url"
    interval: 3600
    # NOTE(review): SKIP_SAFE_PATH_CHECK=1 removes the Home Dir restriction
    # described on the next line, so provider files are written wherever
    # `path` points; leave it unset unless that is really required.
    path: ./provider1.yaml # by default files may only be stored inside mihomo's Home Dir; to store them anywhere, add the environment variable SKIP_SAFE_PATH_CHECK=1
    proxy: DIRECT
    header:
      User-Agent:
        - "Clash/v1.18.0"
        - "mihomo/1.18.3"
      # Accept:
      # - 'application/vnd.github.v3.raw'
      # Authorization:
      # - 'token 1231231'
    health-check:
      enable: true
      interval: 600
      # lazy: true
      url: https://cp.cloudflare.com/generate_204
      # expected-status: 204 # the node is considered unavailable when the health-check status code differs from the expected value
    # NOTE(review): skip-cert-verify: true is active here (not commented out)
    # and, as an override, applies to the nodes loaded from this provider,
    # turning off certificate verification for all of them. Remove it unless
    # the nodes are known to need it.
    override: # override some settings when the nodes are loaded
      skip-cert-verify: true
      udp: true
      # down: "50 Mbps"
      # up: "10 Mbps"
      # dialer-proxy: proxy
      # interface-name: tailscale0
      # routing-mark: 233
      # ip-version: ipv4-prefer
      # additional-prefix: "[provider1]"
      # additional-suffix: "test"
  test:
    type: file
    path: /test.yaml
    health-check:
      enable: true
      interval: 36000
      url: https://cp.cloudflare.com/generate_204
rule-providers:
  rule1:
    behavior: classical # domain ipcidr
    interval: 259200
    path: /path/to/save/file.yaml # by default files may only be stored inside mihomo's Home Dir; to store them anywhere, add the environment variable SKIP_SAFE_PATH_CHECK=1
    type: http # for http, path may be left empty; the default storage location is the rules folder under homedir, with the md5 of the url as file name
    url: "url"
    proxy: DIRECT
  rule2:
    behavior: classical
    interval: 259200
    path: /path/to/save/file.yaml
    type: file
rules:
  - RULE-SET,rule1,REJECT
  - IP-ASN,1,PROXY
  - DOMAIN-REGEX,^abc,DIRECT
  - DOMAIN-SUFFIX,baidu.com,DIRECT
  - DOMAIN-KEYWORD,google,ss1
  - IP-CIDR,1.1.1.1/32,ss1
  - IP-CIDR6,2409::/64,DIRECT
  # When the traffic is TCP or UDP, use the rule set named sub-rule-name1
  - SUB-RULE,(OR,((NETWORK,TCP),(NETWORK,UDP))),sub-rule-name1
  - SUB-RULE,(AND,((NETWORK,UDP))),sub-rule-name2
# Define multiple sub-rule sets; rules are matched by branching and are invoked with SUB-RULE
#                                               google.com(not match)--> baidu.com(match)
#                                               /                                  |
#                                              /                                   |
#  https://baidu.com --> rule1 --> rule2 --> sub-rule-name1(match tcp)        use DIRECT
#
#
#                                               google.com(not match)--> baidu.com(not match)
#                                               /                                  |
#                                              /                                   |
#  dns 1.1.1.1 --> rule1 --> rule2 --> sub-rule-name1(match udp)     sub-rule-name2(match udp)
#                                                                                  |
#                                                                                  |
#                                                         use REJECT <-- 1.1.1.1/32(match)
#

sub-rules:
  sub-rule-name1:
    - DOMAIN,google.com,ss1
    - DOMAIN,baidu.com,DIRECT
  sub-rule-name2:
    - IP-CIDR,1.1.1.1/32,REJECT
    - IP-CIDR,8.8.8.8/32,ss1
    - DOMAIN,dns.alidns.com,REJECT

# Inbound traffic
# NOTE(review): every listener below binds 0.0.0.0 (socks5-in-1 does so by
# default, per its comment), and the socks/http/mixed entries show no
# credentials of their own. Whether the top-level `authentication` list covers
# these listeners is not stated in this file - confirm, and bind each listener
# to the narrowest address that works. The password and uuid values shown for
# the shadowsocks and vmess listeners are published samples; replace them.
listeners:
  - name: socks5-in-1
    type: socks
    port: 10808
    #listen: 0.0.0.0 # listens on 0.0.0.0 by default
    # rule: sub-rule-name1 # uses rules by default; if the sub-rule is not found, rules is used directly
    # proxy: proxy # if non-empty, the inbound traffic is handed directly to the specified proxy
    # udp: false # default true

  - name: http-in-1
    type: http
    port: 10809
    listen: 0.0.0.0
    # rule: sub-rule-name1 # uses rules by default; if the sub-rule is not found, rules is used directly
    # proxy: proxy # if non-empty, the inbound traffic is handed directly to the specified proxy (when non-empty, the proxy name must be valid, otherwise an error occurs)

  - name: mixed-in-1
    type: mixed # mixed HTTP(S) and SOCKS proxy
    port: 10810
    listen: 0.0.0.0
    # rule: sub-rule-name1 # uses rules by default; if the sub-rule is not found, rules is used directly
    # proxy: proxy # if non-empty, the inbound traffic is handed directly to the specified proxy (when non-empty, the proxy name must be valid, otherwise an error occurs)
    # udp: false # default true

  - name: reidr-in-1
    type: redir
    port: 10811
    listen: 0.0.0.0
    # rule: sub-rule-name1 # uses rules by default; if the sub-rule is not found, rules is used directly
    # proxy: proxy # if non-empty, the inbound traffic is handed directly to the specified proxy (when non-empty, the proxy name must be valid, otherwise an error occurs)

  - name: tproxy-in-1
    type: tproxy
    port: 10812
    listen: 0.0.0.0
    # rule: sub-rule-name1 # uses rules by default; if the sub-rule is not found, rules is used directly
    # proxy: proxy # if non-empty, the inbound traffic is handed directly to the specified proxy (when non-empty, the proxy name must be valid, otherwise an error occurs)
    # udp: false # default true

  - name: shadowsocks-in-1
    type: shadowsocks
    port: 10813
    listen: 0.0.0.0
    # rule: sub-rule-name1 # uses rules by default; if the sub-rule is not found, rules is used directly
    # proxy: proxy # if non-empty, the inbound traffic is handed directly to the specified proxy (when non-empty, the proxy name must be valid, otherwise an error occurs)
    password: vlmpIPSyHH6f4S8WVPdRIHIlzmB+GIRfoH3aNJ/t9Gg=
    cipher: 2022-blake3-aes-256-gcm

  - name: vmess-in-1
    type: vmess
    port: 10814
    listen: 0.0.0.0
    # rule: sub-rule-name1 # uses rules by default; if the sub-rule is not found, rules is used directly
    # proxy: proxy # if non-empty, the inbound traffic is handed directly to the specified proxy (when non-empty, the proxy name must be valid, otherwise an error occurs)
    users:
      - username: 1
        uuid: 9d0cb9d0-964f-4ef6-897d-6c6b3ccf9e68
        alterId: 1
    # ws-path: "/" # if non-empty, the websocket transport is enabled
    # Setting the next two options enables tls (both must be set together)
    # certificate: ./server.crt
    # private-key: ./server.key

  - name: tuic-in-1
    type: tuic
    port: 10815
    listen: 0.0.0.0
    # rule: sub-rule-name1 # uses rules by default; if the sub-rule is not found, rules is used directly
    # proxy: proxy # if non-empty, the inbound traffic is handed directly to the specified proxy (when non-empty, the proxy name must be valid, otherwise an error occurs)
    # token: # for tuicV4 (may be set together with users)
    #   - TOKEN
    # users: # for tuicV5 (may be set together with token)
    #   00000000-0000-0000-0000-000000000000: PASSWORD_0
    #   00000000-0000-0000-0000-000000000001: PASSWORD_1
    # certificate: ./server.crt
    # private-key: ./server.key
    # congestion-controller: bbr
    # max-idle-time: 15000
    # authentication-timeout: 1000
    # alpn:
    #   - h3
    # max-udp-relay-packet-size: 1500

  - name: tunnel-in-1
    type: tunnel
    port: 10816
    listen: 0.0.0.0
    # rule: sub-rule-name1 # uses rules by default; if the sub-rule is not found, rules is used directly
    # proxy: proxy # if non-empty, the inbound traffic is handed directly to the specified proxy (when non-empty, the proxy name must be valid, otherwise an error occurs)
    network: [tcp, udp]
    target: target.com

  - name: tun-in-1
    type: tun
    # rule: sub-rule-name1 # uses rules by default; if the sub-rule is not found, rules is used directly
    # proxy: proxy # if non-empty, the inbound traffic is handed directly to the specified proxy (when non-empty, the proxy name must be valid, otherwise an error occurs)
    stack: system # gvisor / mixed
    dns-hijack:
      - 0.0.0.0:53 # DNS to hijack
    # auto-detect-interface: false # detect the outbound interface automatically
    # auto-route: false # configure the routing table
    # mtu: 9000 # maximum transmission unit
    inet4-address: # the ipv4 address range must be set manually
      - 198.19.0.1/30
    inet6-address: # the ipv6 address range must be set manually
      - "fdfe:dcba:9877::1/126"
    # strict-route: true # route all connections into tun to prevent leaks, but your device will not be reachable from other devices
    # inet4-route-address: # use custom routes instead of the default route when auto-route is enabled
    #   - 0.0.0.0/1
    #   - 128.0.0.0/1
    # inet6-route-address: # use custom routes instead of the default route when auto-route is enabled
    #   - "::/1"
    #   - "8000::/1"
    # endpoint-independent-nat: false # enable endpoint-independent NAT
    # include-uid: # UID rules are supported on Linux only and require auto-route
    #   - 0
    # include-uid-range: # limit the range of users that are routed
    #   - 1000:99999
    # exclude-uid: # users excluded from routing
    #   - 1000
    # exclude-uid-range: # range of users excluded from routing
    #   - 1000:99999

    # Android user and app rules are supported on Android only
    # and require auto-route

    # include-android-user: # limit the Android users that are routed
    #   - 0
    #   - 10
    # include-package: # limit the Android app package names that are routed
    #   - com.android.chrome
    # exclude-package: # Android app package names excluded from routing
    #   - com.android.captiveportallogin
# Inbound configuration equivalent to a Listener; incoming traffic is matched and handled in the way specified by `mode`, like the socks, mixed and other inbounds
# shadowsocks and vmess inbound configuration (incoming traffic is matched and handled in the way specified by `mode`, like the socks, mixed and other inbounds)
# ss-config: ss://2022-blake3-aes-256-gcm:vlmpIPSyHH6f4S8WVPdRIHIlzmB+GIRfoH3aNJ/t9Gg=@:23456
# vmess-config: vmess://1:9d0cb9d0-964f-4ef6-897d-6c6b3ccf9e68@:12345

# tuic server inbound (incoming traffic is matched and handled in the way specified by `mode`, like the socks, mixed and other inbounds)
# tuic-server:
#  enable: true
#  listen: 127.0.0.1:10443
#  token: # for tuicV4 (may be set together with users)
#    - TOKEN
#  users: # for tuicV5 (may be set together with token)
#    00000000-0000-0000-0000-000000000000: PASSWORD_0
#    00000000-0000-0000-0000-000000000001: PASSWORD_1
#  certificate: ./server.crt
#  private-key: ./server.key
#  congestion-controller: bbr
#  max-idle-time: 15000
#  authentication-timeout: 1000
#  alpn:
#    - h3
#  max-udp-relay-packet-size: 1500