Clash配置详解
Clash
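# Port of the local HTTP(S) proxy server
port: 7890
# Port of the local SOCKS5 proxy server
socks-port: 7891
# Transparent proxy server port for Linux and macOS (redirect TCP and TProxy UDP)
redir-port: 7892
# Transparent proxy server port for Linux (TProxy TCP and TProxy UDP)
# tproxy-port: 7893
# HTTP(S) and SOCKS5 served on one shared port.
# Left commented out: it reused 7890, which `port` above already binds, and
# two listeners cannot share one port. To use the mixed listener, uncomment
# it and give it a port that `port` and `socks-port` do not use.
# mixed-port: 7890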
# Authentication for the local SOCKS5 and HTTP(S) servers
# (the user:pass pairs below are sample values)
# authentication:
# - "user1:pass1"
# - "user2:pass2"
# Set to true to allow connections to the local servers from
# other LAN IP addresses
allow-lan: false
# Only applies when `allow-lan` is true
# '*': bind all IP addresses
# 192.168.122.11: bind a single IPv4 address
# "[aaaa::a8aa:ff:fe09:57d8]": bind a single IPv6 address
# NOTE(review): with `allow-lan: true` and '*', every host that can reach this
# machine can use the proxy ports unless `authentication` is configured;
# prefer one specific address and enable authentication.
bind-address: '*'
# Clash working mode
# rule: forward according to the rules
# global: all packets are forwarded
# direct: connect directly, nothing is forwarded
mode: rule
# Default Clash log level; output goes to the user directory
# info / warning / error / debug / silent
log-level: info
# When set to false, hostnames are not resolved to IPv6 addresses
ipv6: false
# Listen address of the RESTful web API
# The API controls the running instance (for example, it can switch the
# selected proxy), so keep it on a loopback address and protect it with
# `secret` below.
external-controller: 127.0.0.1:9090
# A relative path to the configuration directory or an absolute path to a
# directory in which you put some static web resource. Clash core will then
# serve it at `http://{{external-controller}}/ui`.
external-ui: folder
# Secret for the RESTful API (optional)
# Authenticate by specifying the HTTP header `Authorization: Bearer ${secret}`
# ALWAYS set a secret if the RESTful API is listening on 0.0.0.0
# NOTE(review): a loopback listener is still reachable by every local process,
# so a long random secret is worth setting here too; an empty value presumably
# leaves the API unauthenticated — confirm.
# secret: ""
# Outbound interface name
interface-name: en0
# Static hosts for DNS server and connection establishment (like /etc/hosts)
#
# Wildcard hostnames are supported (e.g. *.clash.dev, *.foo.*.example.com)
# Non-wildcard domain names have a higher priority than wildcard domain names
# e.g. foo.example.com > *.example.com > .example.com
# P.S. +.foo.com is equivalent to .foo.com and foo.com
# With every entry below commented out, `hosts` is an empty (null) value.
hosts:
  # '*.clash.dev': 127.0.0.1
  # '.dev': 127.0.0.1
  # 'alpha.clash.dev': '::1'
profile:
  # Store the `select` results in $HOME/.config/clash/.cache
  # Set to false to not save them
  # When two different configurations contain groups with the same name,
  # the selected value is shared between them
  store-selected: false
# DNS server settings
# This section is optional. If it is absent, the DNS server is disabled.
dns:
  enable: false
  # NOTE(review): 0.0.0.0 binds the resolver on every interface once `enable`
  # is true; use a loopback address unless other hosts are meant to query it.
  listen: 0.0.0.0:53
  # ipv6: false # when false, responses to AAAA questions will be empty
  # These nameservers are used to resolve the DNS nameserver hostnames below.
  # Specify IP addresses only
  default-nameserver:
  - 114.114.114.114
  - 8.8.8.8
  enhanced-mode: redir-host  # or fake-ip
  fake-ip-range: 198.18.0.1/16  # Fake IP addresses pool CIDR
  # use-hosts: true # lookup hosts and return IP record
  # Hostnames in this list will not be resolved with fake IPs
  # i.e. questions to these domain names will always be answered with their
  # real IP addresses
  # fake-ip-filter:
  # - '*.lan'
  # - localhost.ptlogin2.qq.com
  # Supports UDP, TCP, DoT and DoH. You can specify the port to connect to.
  # All DNS questions are sent directly to the nameservers, without a proxy.
  # Clash answers a DNS question with the first result it gathers.
  # NOTE(review): because the first answer wins, the plain-IP entries below
  # (presumably unencrypted UDP) can answer before the DoT/DoH ones; list only
  # encrypted resolvers if resistance to tampering matters.
  nameserver:
  - 114.114.114.114  # default value
  - 8.8.8.8  # default value
  - tls://dns.rubyfish.cn:853  # DNS over TLS
  - https://1.1.1.1/dns-query  # DNS over HTTPS
  # When `fallback` is present, the DNS server will send concurrent requests
  # to the servers in this section along with servers in `nameserver`.
  # The answers from fallback servers are used when the GEOIP country
  # is not `CN`.
  # fallback:
  # - tcp://1.1.1.1
  # If IP addresses resolved with servers in `nameserver` are in the specified
  # subnets below, they are considered invalid and results from `fallback`
  # servers are used instead.
  #
  # IP address resolved with servers in `nameserver` is used when
  # `fallback-filter.geoip` is true and when GEOIP of the IP address is `CN`.
  #
  # If `fallback-filter.geoip` is false, results from `nameserver` nameservers
  # are always used if they do not match `fallback-filter.ipcidr`.
  #
  # This is a countermeasure against DNS pollution attacks.
  fallback-filter:
    geoip: true
    # With its only entry commented out, `ipcidr` is an empty (null) value.
    ipcidr:
    # - 240.0.0.0/4
    # domain:
    # - '+.google.com'
    # - '+.facebook.com'
    # - '+.youtube.com'
# Proxy server (node) definitions
# `server` and `password` in the entries below are placeholders. Once real
# values are filled in, this file holds credentials: keep it private.
proxies:
# Supported ciphers (encryption methods):
#   aes-128-gcm aes-192-gcm aes-256-gcm
#   aes-128-cfb aes-192-cfb aes-256-cfb
#   aes-128-ctr aes-192-ctr aes-256-ctr
#   rc4-md5 chacha20-ietf xchacha20
#   chacha20-ietf-poly1305 xchacha20-ietf-poly1305
# NOTE(review): only the *-gcm and *-poly1305 entries are AEAD ciphers; the
# cfb, ctr, rc4-md5 and plain chacha20 stream ciphers give no integrity
# protection. Prefer an AEAD cipher, as the examples below do.
- name: "ss1"
  type: ss
  server: server
  port: 443
  cipher: chacha20-ietf-poly1305
  password: "password"
  # udp: true
- name: "ss2"
  type: ss
  server: server
  port: 443
  cipher: chacha20-ietf-poly1305
  password: "password"
  plugin: obfs
  plugin-opts:
    mode: tls  # or http
    # host: bing.com
# `skip-cert-verify: true` (commented out below) turns off TLS certificate
# validation, so the server's identity is no longer checked; keep it off
# outside of testing.
- name: "ss3"
  type: ss
  server: server
  port: 443
  cipher: chacha20-ietf-poly1305
  password: "password"
  plugin: v2ray-plugin
  plugin-opts:
    mode: websocket  # no QUIC now
    # tls: true # wss
    # skip-cert-verify: true
    # host: bing.com
    # path: "/"
    # mux: true
    # headers:
    #   custom: value
# vmess
# Supported ciphers: auto / aes-128-gcm / chacha20-poly1305 / none
# `server` and `uuid` in the entries below are placeholders.
# NOTE(review): `none` presumably leaves the payload unencrypted, so it is
# only reasonable inside a TLS transport — confirm before using it.
# NOTE(review): a non-zero alterId selects the legacy VMess authentication,
# which upstream V2Ray deprecated in favour of AEAD (alterId: 0) — confirm
# what the server supports.
# `skip-cert-verify: true` (commented out below) turns off TLS certificate
# validation, so the server's identity is no longer checked; keep it off
# outside of testing.
- name: "vmess"
  type: vmess
  server: server
  port: 443
  uuid: uuid
  alterId: 32
  cipher: auto
  # udp: true
  # tls: true
  # skip-cert-verify: true
  # servername: example.com # priority over wss host
  # network: ws
  # ws-path: /path
  # ws-headers:
  #   Host: v2ray.com
- name: "vmess-h2"
  type: vmess
  server: server
  port: 443
  uuid: uuid
  alterId: 32
  cipher: auto
  network: h2
  tls: true
  h2-opts:
    host:
    - http.example.com
    - http-alt.example.com
    path: /
- name: "vmess-http"
  type: vmess
  server: server
  port: 443
  uuid: uuid
  alterId: 32
  cipher: auto
  # udp: true
  # network: http
  # http-opts:
  #   # method: "GET"
  #   # path:
  #   #   - '/'
  #   #   - '/video'
  #   # headers:
  #   #   Connection:
  #   #     - keep-alive
- name: vmess-grpc
  server: server
  port: 443
  type: vmess
  uuid: uuid
  alterId: 32
  cipher: auto
  network: grpc
  tls: true
  servername: example.com
  # skip-cert-verify: true
  grpc-opts:
    grpc-service-name: "example"
# socks5
# NOTE(review): without `tls: true`, the username and password of a SOCKS5 or
# HTTP proxy travel to the proxy server unencrypted; enable TLS whenever
# credentials are set, and leave `skip-cert-verify` off so that the server
# certificate is still validated.
- name: "socks"
  type: socks5
  server: server
  port: 443
  # username: username
  # password: password
  # tls: true
  # skip-cert-verify: true
  # udp: true
# http
- name: "http"
  type: http
  server: server
  port: 443
  # username: username
  # password: password
  # tls: true # https
  # skip-cert-verify: true
  # sni: custom.com
# Snell
# Beware that there is no UDP support yet
# `yourpsk` is a placeholder for the pre-shared key.
- name: "snell"
  type: snell
  server: server
  port: 44046
  psk: yourpsk
  # version: 2
  # obfs-opts:
  #   mode: http # or tls
  #   host: bing.com
# Trojan
# `yourpsk` and "example" are placeholder passwords.
# `skip-cert-verify: true` (commented out below) turns off TLS certificate
# validation, so the server's identity is no longer checked; keep it off
# outside of testing.
- name: "trojan"
  type: trojan
  server: server
  port: 443
  password: yourpsk
  # udp: true
  # sni: example.com # aka server name
  # alpn:
  #   - h2
  #   - http/1.1
  # skip-cert-verify: true
- name: trojan-grpc
  server: server
  port: 443
  type: trojan
  password: "example"
  network: grpc
  sni: example.com
  # skip-cert-verify: true
  udp: true
  grpc-opts:
    grpc-service-name: "example"
# ShadowsocksR
# The supported ciphers (encryption methods): all stream ciphers in ss
# NOTE(review): stream ciphers carry no built-in integrity protection; where
# the server allows it, an `ss` entry with an AEAD cipher is the safer choice.
# The supported obfses:
#   plain http_simple http_post
#   random_head tls1.2_ticket_auth tls1.2_ticket_fastauth
# The supported protocols:
#   origin auth_sha1_v4 auth_aes128_md5
#   auth_aes128_sha1 auth_chain_a auth_chain_b
- name: "ssr"
  type: ssr
  server: server
  port: 443
  cipher: chacha20-ietf
  password: "password"
  obfs: tls1.2_ticket_auth
  protocol: auth_sha1_v4
  # obfs-param: domain.tld
  # protocol-param: "#"
  # udp: true
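# Policy groups
# Every name listed under `proxies:` in a group must match the `name` of a
# proxy or of another group (or a built-in such as DIRECT). The groups below
# use `vmess`, the entry defined in the proxies section; the earlier `vmess1`
# did not match any proxy defined in this file.
proxy-groups:
# relay chains the proxies. The listed proxies must not contain a relay.
# UDP is not supported.
# Traffic: clash <-> http <-> vmess <-> ss1 <-> ss2 <-> Internet
- name: "relay"
  type: relay
  proxies:
  - http
  - vmess
  - ss1
  - ss2
# url-test selects which proxy to use by benchmarking against a URL.
- name: "auto"
  type: url-test
  proxies:
  - ss1
  - ss2
  - vmess
  # tolerance: 150
  # lazy: true
  url: 'http://www.gstatic.com/generate_204'
  interval: 300
# fallback selects an available policy by priority. Like the url-test group,
# availability is tested by accessing a URL.
- name: "fallback-auto"
  type: fallback
  proxies:
  - ss1
  - ss2
  - vmess
  url: 'http://www.gstatic.com/generate_204'
  interval: 300
# load-balance: requests with the same eTLD+1 are dialed to the same proxy.
- name: "load-balance"
  type: load-balance
  proxies:
  - ss1
  - ss2
  - vmess
  url: 'http://www.gstatic.com/generate_204'
  interval: 300
  # strategy: consistent-hashing # or round-robin
# select is used for choosing a proxy or a proxy group.
# The proxy can be switched through the RESTful API, which is the recommended
# approach for GUIs.
- name: Proxy
  type: select
  # disable-udp: true
  proxies:
  - ss1
  - ss2
  - vmess
  - auto
- name: UseProvider
  type: select
  use:
  - provider1
  proxies:
  - Proxy
  - DIRECT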
# Server node subscriptions
proxy-providers:
  provider1:
    type: http
    # Subscription link ("url" is a placeholder).
    # NOTE(review): the file fetched from this link defines the proxies Clash
    # will use, so use an https:// link; it presumably embeds an account
    # token, so treat it as a credential — confirm with the provider.
    url: "url"
    interval: 3600
    path: ./provider1.yaml
    health-check:
      enable: true
      interval: 600
      # lazy: true
      # URL requested by the health check (not the subscription link)
      url: http://www.gstatic.com/generate_204
  test:
    type: file
    # NOTE(review): this is an absolute path at the filesystem root; confirm
    # it is intended rather than a path inside the configuration directory.
    path: /test.yaml
    health-check:
      enable: true
      interval: 36000
      url: http://www.gstatic.com/generate_204
# Rules
rules:
# PROCESS-NAME: match on the source process name
# Requires Clash for Windows v0.11.5 or later; the rule must match the full
# process name (including the executable suffix) to take effect; it does not
# apply to TAP traffic
# DOMAIN-SUFFIX: match on the domain suffix
- DOMAIN-SUFFIX,google.com,auto
- DOMAIN-SUFFIX,ad.com,REJECT
# DOMAIN-KEYWORD: match on a keyword in the domain
- DOMAIN-KEYWORD,google,auto
# DOMAIN: match on the exact domain
- DOMAIN,google.com,auto
# SRC-IP-CIDR: match on the source IP range
- SRC-IP-CIDR,192.168.1.201/32,DIRECT
# optional param "no-resolve" for IP rules (GEOIP, IP-CIDR, IP-CIDR6)
# IP-CIDR: match on the destination IP range
- IP-CIDR,127.0.0.0/8,DIRECT
# GEOIP: match on the GEOIP database (country code)
- GEOIP,CN,DIRECT
# DST-PORT: match on the destination port
- DST-PORT,80,DIRECT
# SRC-PORT: match on the source port
- SRC-PORT,7777,DIRECT
# RULE-SET: match on a Rule Provider rule set
# NOTE(review): `apple` has to name a rule provider; none is defined in the
# part of the configuration shown here.
- RULE-SET,apple,REJECT  # Premium only
# MATCH: matches everything (catch-all)
- MATCH,auto
Clash for Windows
# Purpose not worked out (author's note)
cfw-latency-url:
# Bypass the system proxy
cfw-bypass:
# Purpose not worked out (author's note)
clash-for-android:
  append-system-dns: false