# Port of HTTP(S) proxy server on the local end port: 7890 # Port of SOCKS5 proxy server on the local end socks-port: 7891 # authentication of local SOCKS5/HTTP(S) server # authentication: # - "user1:pass1" # - "user2:pass2" # Set to true to allow connections to the local-end server from # other LAN IP addresses allow-lan: false # This is only applicable when allow-lan is true # '*': bind all IP addresses # 192.168.122.11: bind a single IPv4 address # "[aaaa::a8aa:ff:fe09:57d8]": bind a single IPv6 address bind-address: '127.0.0.1' # Clash router working mode # rule: rule-based packet routing # global: all packets will be forwarded to a single endpoint # direct: directly forward the packets to the Internet mode: rule # Clash by default prints logs to STDOUT # info / warning / error / debug / silent log-level: error # When set to false, resolver won't translate hostnames to IPv6 addresses ipv6: false # RESTful web API listening address external-controller: 127.0.0.1:9090 # A relative path to the configuration directory or an absolute path to a # directory in which you put some static web resource. Clash core will then # serve it at 'http://{{external-controller}}/ui'. #external-ui: folder # Secret for the RESTful API (optional) # Authenticate by spedifying HTTP header 'Authorization: Bearer' # ALWAYS set a secret if RESTful API is listening on 0.0.0.0 # secret: "" # Outbound interface name #interface-name: en0 # fwmark on Linux only routing-mark: 6666 # Static hosts for DNS server and connection establishment (like /etc/hosts) # # Wildcard hostnames are supported (e.g. *.clash.dev, *.foo.*.example.com) # Non-wildcard domain names have a higher priority than wildcard domain names # e.g. foo.example.com > *.example.com > .example.com # P.S. +.foo.com equals to .foo.com and foo.com hosts: # '*.clash.dev': 127.0.0.1 # '.dev': 127.0.0.1 # 'alpha.clash.dev': '::1' profile: # Store the 'select' results in $HOME/.config/clash/.cache # set false If you don't want this behavior # when two different configurations have groups with the same name, the selected values are shared store-selected: false # persistence fakeip store-fake-ip: true # DNS server settings # This section is optional. When not present, the DNS server will be disabled. dns: enable: false listen: 0.0.0.0:53 # ipv6: false # when the false, response to AAAA questions will be empty # These nameservers are used to resolve the DNS nameserver hostnames below. # Specify IP addresses only default-nameserver: - 114.114.114.114 - 8.8.8.8 enhanced-mode: fake-ip # redir-host or fake-ip fake-ip-range: 198.18.0.1/16 # Fake IP addresses pool CIDR # use-hosts: true # lookup hosts and return IP record # Hostnames in this list will not be resolved with fake IPs # i.e. questions to these domain names will always be answered with their # real IP addresses fake-ip-filter: # - '*.lan' # - localhost.ptlogin2.qq.com - "dns.msftncsi.com" - "www.msftncsi.com" - "www.msftconnecttest.com" # Supports UDP, TCP, DoT, DoH. You can specify the port to connect to. # All DNS questions are sent directly to the nameserver, without proxies # involved. Clash answers the DNS question with the first result gathered. nameserver: - 114.114.114.114 # default value - 8.8.8.8 # default value #- tls://dns.rubyfish.cn:853 # DNS over TLS #- https://1.1.1.1/dns-query # DNS over HTTPS - dhcp://en0 # dns from dhcp # When 'fallback' is present, the DNS server will send concurrent requests # to the servers in this section along with servers in 'nameservers'. # The answers from fallback servers are used when the GEOIP country # is not 'CN'. # fallback: # - tcp://1.1.1.1 # If IP addresses resolved with servers in 'nameservers' are in the specified # subnets below, they are considered invalid and results from 'fallback' # servers are used instead. # # IP address resolved with servers in 'nameserver' is used when # 'fallback-filter.geoip' is true and when GEOIP of the IP address is 'CN'. # # If 'fallback-filter.geoip' is false, results from 'nameserver' nameservers # are always used if not match 'fallback-filter.ipcidr'. # # This is a countermeasure against DNS pollution attacks. # fallback-filter: # geoip: true # geoip-code: CN # ipcidr: # - 240.0.0.0/4 # domain: # - '+.google.com' # - '+.facebook.com' # - '+.youtube.com' # Lookup domains via specific nameservers # nameserver-policy: # 'www.baidu.com': '114.114.114.114' # '+.internal.crop.com': '10.0.0.1' tun: enable: true stack: gvisor # 使用 system 需要 Clash Premium 2021.05.08 及更高版本 dns-hijack: - 198.18.0.2:53 # 请勿更改 auto-route: true auto-detect-interface: true # 自动检测出口网卡 proxies: # vmess # cipher support auto/aes-128-gcm/chacha20-poly1305/none - name: "lk-5" type: vmess server: blog.aihi.uk port: 3306 uuid: fdf7dcdc-96f0-4d36-a412-1866c737c3fe alterId: 0 level: 0 cipher: none # udp: true tls: true skip-cert-verify: true servername: blog.aihi.uk # priority over wss host network: ws ws-opts: path: /ray headers: Host: blog.aihi.uk #max-early-data: 2048 #early-data-header-name: Sec-WebSocket-Protocol - name: "lk-ora" type: vmess server: ora.aihi.uk port: 3306 uuid: 979e39d7-fdf8-4e51-afb6-4d181c56170f alterId: 0 level: 0 cipher: none # udp: true tls: true skip-cert-verify: true servername: ora.aihi.uk # priority over wss host network: ws ws-opts: path: /ray headers: Host: ora.aihi.uk - name: "lk-ora-2" type: vmess server: ora2.aihi.uk port: 3306 uuid: 6b414f6a-9cfd-46c3-bcc8-af2c3447871d alterId: 0 level: 0 cipher: none # udp: true tls: true skip-cert-verify: true servername: ora2.aihi.uk # priority over wss host network: ws ws-opts: path: /ray headers: Host: ora2.aihi.uk - name: "lk-cloud-1" type: vless server: 172.67.72.73 port: 443 uuid: 99ce9188-20c8-437c-b68d-0a6ed701c744 network: ws tls: true udp: true sni: vless.aihi.uk client-fingerprint: firefox ws-opts: path: /?ed=2048 headers: host: vless.aihi.uk proxy-groups: # relay chains the proxies. proxies shall not contain a relay. No UDP support. # Traffic: clash <-> http <-> vmess <-> ss1 <-> ss2 <-> Internet #- name: "relay" # type: relay # proxies: # #- http # - vmess # #- ss1 # #- ss2 # url-test select which proxy will be used by benchmarking speed to a URL. - name: "auto" type: select proxies: #- ss1 #- ss2 - lk-5 - lk-ora - lk-ora-2 - lk-cloud-1 # tolerance: 150 lazy: true url: 'http://www.gstatic.com/generate_204' interval: 300 # fallback selects an available policy by priority. The availability is tested by accessing an URL, just like an auto url-test group. #- name: "fallback-auto" # type: fallback # proxies: # #- ss1 # #- ss2 # - vmess # url: 'http://www.gstatic.com/generate_204' # interval: 300 # load-balance: The request of the same eTLD+1 will be dial to the same proxy. #- name: "load-balance" # type: load-balance # proxies: # - ss1 # - ss2 # - vmess1 # url: 'http://www.gstatic.com/generate_204' # interval: 300 # strategy: consistent-hashing # or round-robin # select is used for selecting proxy or proxy group # you can use RESTful API to switch proxy is recommended for use in GUI. #- name: Proxy # type: select # # disable-udp: true # proxies: # - ss1 # - ss2 # - vmess1 # - auto # direct to another infacename #- name: en1 # type: select # interface-name: en1 # proxies: # - DIRECT rules: #- DOMAIN-SUFFIX,google.com,auto - DOMAIN-KEYWORD,google,auto #- DOMAIN,google.com,auto #- DOMAIN-SUFFIX,ad.com,REJECT # optional param "no-resolve" for IP rules (GEOIP, IP-CIDR, IP-CIDR6) - GEOIP,CN,DIRECT - GEOIP,LAN,DIRECT - MATCH,auto