sukanka · May 16, 2024 10:34
diff --git a/config.yaml b/config.yaml
 # port: 7890 # HTTP(S) 代理服务器端口
 # socks-port: 7891 # SOCKS5 代理端口
 mixed-port: 10801 # HTTP(S) 和 SOCKS 代理混合端口
 # redir-port: 7892 # 透明代理端口，用于 Linux 和 MacOS

 # Transparent proxy server port for Linux (TProxy TCP and TProxy UDP)
 # tproxy-port: 7893

 allow-lan: true # 允许局域网连接
 bind-address: # 绑定 IP 地址，仅作用于 allow-lan 为 true
  "*" # 所有地址
  # 192.168.122.11                #单个ip4地址
  # "[aaaa::a8aa:ff:fe09:57d8]"   #单个ip6地址
 authentication: # http,socks入口的验证用户名，密码
  - "username:password"
 skip-auth-prefixes: # 设置跳过验证的IP段
  - 127.0.0.1/8
  - ::1/128

 #  find-process-mode has 3 values:always, strict, off
 #  - always, 开启，强制匹配所有进程
 #  - strict, 默认，由 mihomo 判断是否开启
 #  - off, 不匹配进程，推荐在路由器上使用此模式
 find-process-mode: strict

 mode: rule

 #自定义 geodata url
 geox-url:
  geoip: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.dat"
  geosite: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geosite.dat"
  mmdb: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.metadb"

 log-level: info # 日志等级 silent/error/warning/info/debug

 ipv6: true # 开启 IPv6 总开关，关闭阻断所有 IPv6 链接和屏蔽 DNS 请求 AAAA 记录

 # tls:
 #   certificate: string # 证书 PEM 格式，或者 证书的路径
 #   private-key: string # 证书对应的私钥 PEM 格式，或者私钥路径
 #   custom-certifactes:
 #     - |
 #       -----BEGIN CERTIFICATE-----
 #       format/pem...
 #       -----END CERTIFICATE-----

 geodata-loader: standard

 external-controller: 127.0.0.1:9090 # RESTful API 监听地址
 # external-controller-tls: 127.0.0.1:9090 # RESTful API HTTPS 监听地址，需要配置 tls 部分配置文件
 # secret: "123456" # `Authorization:Bearer ${secret}`

 tcp-concurrent: true # TCP 并发连接所有 IP, 将使用最快握手的 TCP

 # 配置 WEB UI 目录，使用 http://{{external-controller}}/ui 访问
 # external-ui: /path/to/ui/folder/
 # external-ui-name: xd
 # external-ui-url: "https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.zip"

 interface-name: wlp3s0 # 设置出口网卡

 # 全局 TLS 指纹，优先低于 proxy 内的 client-fingerprint
 # 可选： "chrome","firefox","safari","ios","random","none" options.
 # Utls is currently support TLS transport in TCP/grpc/WS/HTTP for VLESS/Vmess and trojan.
 global-client-fingerprint: chrome

 #  TCP keep alive interval
 keep-alive-interval: 15

 routing-mark: 6666 # 配置 fwmark 仅用于 Linux
 experimental:
  # Disable quic-go GSO support. This may result in reduced performance on Linux.
  # This is not recommended for most users.
  # Only users encountering issues with quic-go's internal implementation should enable this,
  # and they should disable it as soon as the issue is resolved.
  # This field will be removed when quic-go fixes all their issues in GSO.
  # This equivalent to the environment variable QUIC_GO_DISABLE_GSO=1.
  #quic-go-disable-gso: true

 # 类似于 /etc/hosts, 仅支持配置单个 IP
 hosts:
 # '*.mihomo.dev': 127.0.0.1
 # '.dev': 127.0.0.1
 # 'alpha.mihomo.dev': '::1'
 # test.com: [1.1.1.1, 2.2.2.2]
 # home.lan: lan # lan 为特别字段，将加入本地所有网卡的地址
 # baidu.com: google.com # 只允许配置一个别名

 profile: # 存储 select 选择记录
  store-selected: false

  # 持久化 fake-ip
  store-fake-ip: true

 # Tun 配置
 tun:
  enable: true
  stack: gvisor # gvisor / lwip /system
  # dns-hijack:
  #   - 0.0.0.0:53 # 需要劫持的 DNS
  # auto-detect-interface: true # 自动识别出口网卡
  # auto-route: true # 配置路由表
  # mtu: 9000 # 最大传输单元
  # strict-route: true # 将所有连接路由到tun来防止泄漏，但你的设备将无法其他设备被访问
  inet4-route-address: # 启用 auto_route 时使用自定义路由而不是默认路由
    - 0.0.0.0/1
    - 128.0.0.0/1
  inet6-route-address: # 启用 auto_route 时使用自定义路由而不是默认路由
    - "::/1"
    - "8000::/1"
  # endpoint-independent-nat: false # 启用独立于端点的 NAT
  # include-uid: # UID 规则仅在 Linux 下被支持，并且需要 auto_route
  # - 0
  # include-uid-range: # 限制被路由的的用户范围
  # - 1000-99999
  # exclude-uid: # 排除路由的的用户
  #- 1000
  # exclude-uid-range: # 排除路由的的用户范围
  # - 1000-99999

  # Android 用户和应用规则仅在 Android 下被支持
  # 并且需要 auto-route

  # include-android-user: # 限制被路由的 Android 用户
  # - 0
  # - 10
  # include-package: # 限制被路由的 Android 应用包名
  # - com.android.chrome
  # exclude-package: # 排除被路由的 Android 应用包名
  # - com.android.captiveportallogin

 #ebpf配置
 ebpf:
  auto-redir: # redirect 模式，仅支持 TCP
    - wlp3s0
    - enp2s0
  redirect-to-tun: # UDP+TCP 使用该功能请勿启用 auto-route
    - wlp3s0
    - enp2s0

 # 嗅探域名 可选配置
 sniffer:
  enable: false
  ## 对 redir-host 类型识别的流量进行强制嗅探
  ## 如：Tun、Redir 和 TProxy 并 DNS 为 redir-host 皆属于
  # force-dns-mapping: false
  ## 对所有未获取到域名的流量进行强制嗅探
  # parse-pure-ip: false
  # 是否使用嗅探结果作为实际访问，默认 true
  # 全局配置，优先级低于 sniffer.sniff 实际配置
  override-destination: false
  sniff: # TLS 和 QUIC 默认如果不配置 ports 默认嗅探 443
    QUIC:
    #  ports: [ 443 ]
    TLS:
    #  ports: [443, 8443]

    # 默认嗅探 80
    HTTP: # 需要嗅探的端口
      ports: [80, 8080-8880]
      # 可覆盖 sniffer.override-destination
      override-destination: true
  force-domain:
    - +.v2ex.com
  ## 对嗅探结果进行跳过
  # skip-domain:
  #   - Mijia Cloud
  # 需要嗅探协议
  # 已废弃，若 sniffer.sniff 配置则此项无效
  sniffing:
    - tls
    - http
  # 强制对此域名进行嗅探

  # 仅对白名单中的端口进行嗅探，默认为 443，80
  # 已废弃，若 sniffer.sniff 配置则此项无效
  port-whitelist:
    - "80"
    - "443"
    # - 8000-9999

 # tunnels: # one line config
 #   - tcp/udp,127.0.0.1:6553,114.114.114.114:53,DIRECT
 #   - tcp,127.0.0.1:6666,rds.mysql.com:3306,PROXY
 #   # full yaml config
 #   - network: [tcp, udp]
 #     address: 127.0.0.1:7777
 #     target: target.com
 #     proxy: PROXY

 # DNS配置
 dns:
  cache-algorithm: arc
  enable: true # 关闭将使用系统 DNS
  prefer-h3: true # 开启 DoH 支持 HTTP/3，将并发尝试
  listen: 0.0.0.0:53 # 开启 DNS 服务器监听
  # ipv6: false # false 将返回 AAAA 的空结果
  # ipv6-timeout: 300 # 单位：ms，内部双栈并发时，向上游查询 AAAA 时，等待 AAAA 的时间，默认 100ms
  # 用于解析 nameserver，fallback 以及其他DNS服务器配置的，DNS 服务域名
  # 只能使用纯 IP 地址，可使用加密 DNS
  default-nameserver:
    - 114.114.114.114
    - 8.8.8.8
    - tls://1.12.12.12:853
    - tls://223.5.5.5:853
    - system # append DNS server from system configuration. If not found, it would print an error log and skip.
  enhanced-mode: redir-host # fake-ip or redir-host

  fake-ip-range: 198.18.0.1/16 # fake-ip 池设置

  # use-hosts: true # 查询 hosts

  # 配置不使用fake-ip的域名
  # fake-ip-filter:
  #   - '*.lan'
  #   - localhost.ptlogin2.qq.com

  # DNS主要域名配置
  # 支持 UDP，TCP，DoT，DoH，DoQ
  # 这部分为主要 DNS 配置，影响所有直连，确保使用对大陆解析精准的 DNS
  nameserver:
    - 114.114.114.114 # default value
    - 8.8.8.8 # default value
    - tls://223.5.5.5:853 # DNS over TLS
    - https://doh.pub/dns-query # DNS over HTTPS
    - https://dns.alidns.com/dns-query#h3=true # 强制 HTTP/3，与 perfer-h3 无关，强制开启 DoH 的 HTTP/3 支持，若不支持将无法使用
    - https://mozilla.cloudflare-dns.com/dns-query#DNS&h3=true # 指定策略组和使用 HTTP/3
    - dhcp://en0 # dns from dhcp
    - quic://dns.adguard.com:784 # DNS over QUIC
    # - '8.8.8.8#en0' # 兼容指定DNS出口网卡

  # 当配置 fallback 时，会查询 nameserver 中返回的 IP 是否为 CN，非必要配置
  # 当不是 CN，则使用 fallback 中的 DNS 查询结果
  # 确保配置 fallback 时能够正常查询
  # fallback:
  #   - tcp://1.1.1.1
  #   - 'tcp://1.1.1.1#ProxyGroupName' # 指定 DNS 过代理查询，ProxyGroupName 为策略组名或节点名，过代理配置优先于配置出口网卡，当找不到策略组或节点名则设置为出口网卡

  # 专用于节点域名解析的 DNS 服务器，非必要配置项
  # 配置服务器若查询失败将使用 nameserver，非并发查询
  # proxy-server-nameserver:
  # - https://dns.google/dns-query
  # - tls://one.one.one.one

  # 配置 fallback 使用条件
  # fallback-filter:
  #   geoip: true # 配置是否使用 geoip
  #   geoip-code: CN # 当 nameserver 域名的 IP 查询 geoip 库为 CN 时，不使用 fallback 中的 DNS 查询结果
  #   配置强制 fallback，优先于 IP 判断，具体分类自行查看 geosite 库
  #   geosite:
  #     - gfw
  #   如果不匹配 ipcidr 则使用 nameservers 中的结果
  #   ipcidr:
  #     - 240.0.0.0/4
  #   domain:
  #     - '+.google.com'
  #     - '+.facebook.com'
  #     - '+.youtube.com'

  # 配置查询域名使用的 DNS 服务器
  nameserver-policy:
    #   'www.baidu.com': '114.114.114.114'
    #   '+.internal.crop.com': '10.0.0.1'
    "geosite:cn,private,apple":
      - https://doh.pub/dns-query
      - https://dns.alidns.com/dns-query
    "geosite:category-ads-all": rcode://success
    "www.baidu.com,+.google.cn": [223.5.5.5, https://dns.alidns.com/dns-query]
    ## global，dns 为 rule-providers 中的名为 global 和 dns 规则订阅，
    ## 且 behavior 必须为 domain/classical，当为 classical 时仅会生效域名类规则
    # "rule-set:global,dns": 8.8.8.8

 proxy-groups:
  # 代理链，目前relay可以支持udp的只有vmess/vless/trojan/ss/ssr/tuic
  # wireguard目前不支持在relay中使用，请使用proxy中的dialer-proxy配置项
  # Traffic: mihomo <-> http <-> vmess <-> ss1 <-> ss2 <-> Internet
  # - name: "relay"
  #   type: relay
  #   proxies:
  #     - http
  #     - vmess
  #     - ss1
  #     - ss2

  # url-test 将按照 url 测试结果使用延迟最低节点


  # select 用户自行选择节点
  - name: PROXY
    type: select
    # disable-udp: true
    proxies:
      - DIRECT
      - auto
      - load-balance
    use:
      - 飞鸟云
      - 三分机场
      - 性价比机场
  - name: "auto"
    type: url-test
    use:
      - 飞鸟云
      - 性价比机场
    # tolerance: 150
    # lazy: true
    url: "https://cp.cloudflare.com/generate_204"
    interval: 300

  # fallback 将按照 url 测试结果按照节点顺序选择
  - name: "fallback-auto"
    type: fallback
    use:
      - 飞鸟云
      - 三分机场
      - 性价比机场
    url: "https://cp.cloudflare.com/generate_204"
    interval: 300

  # load-balance 将按照算法随机选择节点
  - name: "load-balance"
    type: load-balance
    use:
      - 飞鸟云
      - 性价比机场
    url: "https://cp.cloudflare.com/generate_204"
    interval: 300
  # strategy: consistent-hashing # 可选 round-robin 和 sticky-sessions


  # 配置指定 interface-name 和 fwmark 的 DIRECT
  # - name: en1
  #   type: select
  #   interface-name: en1
  #   routing-mark: 6667
  #   proxies:
  #     - DIRECT

  # - name: UseProvider
  #   type: select
  #   filter: "HK|TW" # 正则表达式，过滤 provider1 中节点名包含 HK 或 TW
  #   use:
  #     - provider1
  #   proxies:
  #     - Proxy
  #     - DIRECT

 # Mihomo 格式的节点或支持 *ray 的分享格式

 proxy-providers:
  飞鸟云:
    type: http # http 的 path 可空置,默认储存路径为 homedir的proxies文件夹,文件名为url的md5
    url: "https://feiniaoyun01.com/api/v1/client/subscribe?token="
    interval: 3600
    path: ./profile/one.yaml  # 默认只允许存储在 mihomo 的 Home Dir，如果想存储到任意位置，添加环境变量 SKIP_SAFE_PATH_CHECK=1
    health-check:
      enable: true
      interval: 180
      lazy: true
      url: https://cp.cloudflare.com/generate_204
  三分机场:
    type: http
    url: "https://sub.sanfen017.xyz/api/v1/client/subscribe?token="    #【Meta专属】支持解析V2rayN等工具使用的普通订阅
    interval: 3600
    path: ./profile/two.yaml
    health-check:
      enable: true
      interval: 180
      lazy: true
      url: https://cp.cloudflare.com/generate_204

  性价比机场:
    type: http
    url: "https://47.243.142.170/api/v1/client/subscribe?token="    #【Meta专属】支持解析V2rayN等工具使用的普通订阅
    interval: 3600
    path: ./profile/three.yaml
    health-check:
      enable: true
      interval: 180
      lazy: true
      url: https://cp.cloudflare.com/generate_204


 rule-providers:
  reject:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/reject.txt"
    path: ./ruleset/reject.yaml
    interval: 86400

  icloud:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/icloud.txt"
    path: ./ruleset/icloud.yaml
    interval: 86400

  apple:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/apple.txt"
    path: ./ruleset/apple.yaml
    interval: 86400

  google:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/google.txt"
    path: ./ruleset/google.yaml
    interval: 86400

  proxy:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/proxy.txt"
    path: ./ruleset/proxy.yaml
    interval: 86400

  direct:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/direct.txt"
    path: ./ruleset/direct.yaml
    interval: 86400

  private:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/private.txt"
    path: ./ruleset/private.yaml
    interval: 86400

  gfw:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/gfw.txt"
    path: ./ruleset/gfw.yaml
    interval: 86400

  greatfire:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/greatfire.txt"
    path: ./ruleset/greatfire.yaml
    interval: 86400

  tld-not-cn:
    type: http
    behavior: domain
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/tld-not-cn.txt"
    path: ./ruleset/tld-not-cn.yaml
    interval: 86400

  telegramcidr:
    type: http
    behavior: ipcidr
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/telegramcidr.txt"
    path: ./ruleset/telegramcidr.yaml
    interval: 86400

  cncidr:
    type: http
    behavior: ipcidr
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/cncidr.txt"
    path: ./ruleset/cncidr.yaml
    interval: 86400

  lancidr:
    type: http
    behavior: ipcidr
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/lancidr.txt"
    path: ./ruleset/lancidr.yaml
    interval: 86400

  applications:
    type: http
    behavior: classical
    url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/applications.txt"
    path: ./ruleset/applications.yaml
    interval: 86400

 rules:
  - RULE-SET,applications,DIRECT
  - DOMAIN,clash.razord.top,DIRECT
  - DOMAIN,yacd.haishan.me,DIRECT
  - DOMAIN-SUFFIX,steamcontent.com,DIRECT
  - RULE-SET,private,DIRECT
  - RULE-SET,reject,REJECT
  - RULE-SET,icloud,DIRECT
  - RULE-SET,apple,DIRECT
  - RULE-SET,google,DIRECT
  - RULE-SET,proxy,PROXY
  - RULE-SET,direct,DIRECT
  - RULE-SET,lancidr,DIRECT
  - RULE-SET,cncidr,DIRECT
  - RULE-SET,telegramcidr,PROXY
  - GEOIP,LAN,DIRECT
  - GEOIP,CN,DIRECT
  - MATCH,PROXY
  # 当满足条件是 TCP 或 UDP 流量时，使用名为 sub-rule-name1 的规则集
  # - SUB-RULE,(OR,((NETWORK,TCP),(NETWORK,UDP))),sub-rule-name1
  # - SUB-RULE,(AND,((NETWORK,UDP))),sub-rule-name2
 # 定义多个子规则集，规则将以分叉匹配，使用 SUB-RULE 使用
 #                                               google.com(not match)--> baidu.com(match)
 #                                                /                                ｜
 #                                               /                                 ｜
 #  https://baidu.com  --> rule1 --> rule2 --> sub-rule-name1(match tcp)          使用 DIRECT
 #
 #
 #                                              google.com(not match)--> baidu.com(not match)
 #                                                /                            ｜
 #                                               /                             ｜
 #  dns 1.1.1.1  --> rule1 --> rule2 --> sub-rule-name1(match udp)         sub-rule-name2(match udp)
 #                                                                             ｜
 #                                                                             ｜
 #                                                                 使用 REJECT <-- 1.1.1.1/32(match)
 #

 # sub-rules:
 #   sub-rule-name1:
 #     - DOMAIN,google.com,ss1
 #     - DOMAIN,baidu.com,DIRECT
 #   sub-rule-name2:
 #     - IP-CIDR,1.1.1.1/32,REJECT
 #     - IP-CIDR,8.8.8.8/32,ss1
 #     - DOMAIN,dns.alidns.com,REJECT
	# port: 7890 # HTTP(S) 代理服务器端口
	# socks-port: 7891 # SOCKS5 代理端口
	mixed-port: 10801 # HTTP(S) 和 SOCKS 代理混合端口
	# redir-port: 7892 # 透明代理端口，用于 Linux 和 MacOS

	# Transparent proxy server port for Linux (TProxy TCP and TProxy UDP)
	# tproxy-port: 7893

	allow-lan: true # 允许局域网连接
	bind-address: # 绑定 IP 地址，仅作用于 allow-lan 为 true
	"*" # 所有地址
	# 192.168.122.11 #单个ip4地址
	# "[aaaa::a8aa:ff:fe09:57d8]" #单个ip6地址
	authentication: # http,socks入口的验证用户名，密码
	- "username:password"
	skip-auth-prefixes: # 设置跳过验证的IP段
	- 127.0.0.1/8
	- ::1/128

	# find-process-mode has 3 values:always, strict, off
	# - always, 开启，强制匹配所有进程
	# - strict, 默认，由 mihomo 判断是否开启
	# - off, 不匹配进程，推荐在路由器上使用此模式
	find-process-mode: strict

	mode: rule

	#自定义 geodata url
	geox-url:
	geoip: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.dat"
	geosite: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geosite.dat"
	mmdb: "https://fastly.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.metadb"

	log-level: info # 日志等级 silent/error/warning/info/debug

	ipv6: true # 开启 IPv6 总开关，关闭阻断所有 IPv6 链接和屏蔽 DNS 请求 AAAA 记录

	# tls:
	# certificate: string # 证书 PEM 格式，或者证书的路径
	# private-key: string # 证书对应的私钥 PEM 格式，或者私钥路径
	# custom-certifactes:
	# - \|
	# -----BEGIN CERTIFICATE-----
	# format/pem...
	# -----END CERTIFICATE-----

	geodata-loader: standard

	external-controller: 127.0.0.1:9090 # RESTful API 监听地址
	# external-controller-tls: 127.0.0.1:9090 # RESTful API HTTPS 监听地址，需要配置 tls 部分配置文件
	# secret: "123456" # `Authorization:Bearer ${secret}`

	tcp-concurrent: true # TCP 并发连接所有 IP, 将使用最快握手的 TCP

	# 配置 WEB UI 目录，使用 http://{{external-controller}}/ui 访问
	# external-ui: /path/to/ui/folder/
	# external-ui-name: xd
	# external-ui-url: "https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.zip"

	interface-name: wlp3s0 # 设置出口网卡

	# 全局 TLS 指纹，优先低于 proxy 内的 client-fingerprint
	# 可选： "chrome","firefox","safari","ios","random","none" options.
	# Utls is currently support TLS transport in TCP/grpc/WS/HTTP for VLESS/Vmess and trojan.
	global-client-fingerprint: chrome

	# TCP keep alive interval
	keep-alive-interval: 15

	routing-mark: 6666 # 配置 fwmark 仅用于 Linux
	experimental:
	# Disable quic-go GSO support. This may result in reduced performance on Linux.
	# This is not recommended for most users.
	# Only users encountering issues with quic-go's internal implementation should enable this,
	# and they should disable it as soon as the issue is resolved.
	# This field will be removed when quic-go fixes all their issues in GSO.
	# This equivalent to the environment variable QUIC_GO_DISABLE_GSO=1.
	#quic-go-disable-gso: true

	# 类似于 /etc/hosts, 仅支持配置单个 IP
	hosts:
	# '*.mihomo.dev': 127.0.0.1
	# '.dev': 127.0.0.1
	# 'alpha.mihomo.dev': '::1'
	# test.com: [1.1.1.1, 2.2.2.2]
	# home.lan: lan # lan 为特别字段，将加入本地所有网卡的地址
	# baidu.com: google.com # 只允许配置一个别名

	profile: # 存储 select 选择记录
	store-selected: false

	# 持久化 fake-ip
	store-fake-ip: true

	# Tun 配置
	tun:
	enable: true
	stack: gvisor # gvisor / lwip /system
	# dns-hijack:
	# - 0.0.0.0:53 # 需要劫持的 DNS
	# auto-detect-interface: true # 自动识别出口网卡
	# auto-route: true # 配置路由表
	# mtu: 9000 # 最大传输单元
	# strict-route: true # 将所有连接路由到tun来防止泄漏，但你的设备将无法其他设备被访问
	inet4-route-address: # 启用 auto_route 时使用自定义路由而不是默认路由
	- 0.0.0.0/1
	- 128.0.0.0/1
	inet6-route-address: # 启用 auto_route 时使用自定义路由而不是默认路由
	- "::/1"
	- "8000::/1"
	# endpoint-independent-nat: false # 启用独立于端点的 NAT
	# include-uid: # UID 规则仅在 Linux 下被支持，并且需要 auto_route
	# - 0
	# include-uid-range: # 限制被路由的的用户范围
	# - 1000-99999
	# exclude-uid: # 排除路由的的用户
	#- 1000
	# exclude-uid-range: # 排除路由的的用户范围
	# - 1000-99999

	# Android 用户和应用规则仅在 Android 下被支持
	# 并且需要 auto-route

	# include-android-user: # 限制被路由的 Android 用户
	# - 0
	# - 10
	# include-package: # 限制被路由的 Android 应用包名
	# - com.android.chrome
	# exclude-package: # 排除被路由的 Android 应用包名
	# - com.android.captiveportallogin

	#ebpf配置
	ebpf:
	auto-redir: # redirect 模式，仅支持 TCP
	- wlp3s0
	- enp2s0
	redirect-to-tun: # UDP+TCP 使用该功能请勿启用 auto-route
	- wlp3s0
	- enp2s0

	# 嗅探域名可选配置
	sniffer:
	enable: false
	## 对 redir-host 类型识别的流量进行强制嗅探
	## 如：Tun、Redir 和 TProxy 并 DNS 为 redir-host 皆属于
	# force-dns-mapping: false
	## 对所有未获取到域名的流量进行强制嗅探
	# parse-pure-ip: false
	# 是否使用嗅探结果作为实际访问，默认 true
	# 全局配置，优先级低于 sniffer.sniff 实际配置
	override-destination: false
	sniff: # TLS 和 QUIC 默认如果不配置 ports 默认嗅探 443
	QUIC:
	# ports: [ 443 ]
	TLS:
	# ports: [443, 8443]

	# 默认嗅探 80
	HTTP: # 需要嗅探的端口
	ports: [80, 8080-8880]
	# 可覆盖 sniffer.override-destination
	override-destination: true
	force-domain:
	- +.v2ex.com
	## 对嗅探结果进行跳过
	# skip-domain:
	# - Mijia Cloud
	# 需要嗅探协议
	# 已废弃，若 sniffer.sniff 配置则此项无效
	sniffing:
	- tls
	- http
	# 强制对此域名进行嗅探

	# 仅对白名单中的端口进行嗅探，默认为 443，80
	# 已废弃，若 sniffer.sniff 配置则此项无效
	port-whitelist:
	- "80"
	- "443"
	# - 8000-9999

	# tunnels: # one line config
	# - tcp/udp,127.0.0.1:6553,114.114.114.114:53,DIRECT
	# - tcp,127.0.0.1:6666,rds.mysql.com:3306,PROXY
	# # full yaml config
	# - network: [tcp, udp]
	# address: 127.0.0.1:7777
	# target: target.com
	# proxy: PROXY

	# DNS配置
	dns:
	cache-algorithm: arc
	enable: true # 关闭将使用系统 DNS
	prefer-h3: true # 开启 DoH 支持 HTTP/3，将并发尝试
	listen: 0.0.0.0:53 # 开启 DNS 服务器监听
	# ipv6: false # false 将返回 AAAA 的空结果
	# ipv6-timeout: 300 # 单位：ms，内部双栈并发时，向上游查询 AAAA 时，等待 AAAA 的时间，默认 100ms
	# 用于解析 nameserver，fallback 以及其他DNS服务器配置的，DNS 服务域名
	# 只能使用纯 IP 地址，可使用加密 DNS
	default-nameserver:
	- 114.114.114.114
	- 8.8.8.8
	- tls://1.12.12.12:853
	- tls://223.5.5.5:853
	- system # append DNS server from system configuration. If not found, it would print an error log and skip.
	enhanced-mode: redir-host # fake-ip or redir-host

	fake-ip-range: 198.18.0.1/16 # fake-ip 池设置

	# use-hosts: true # 查询 hosts

	# 配置不使用fake-ip的域名
	# fake-ip-filter:
	# - '*.lan'
	# - localhost.ptlogin2.qq.com

	# DNS主要域名配置
	# 支持 UDP，TCP，DoT，DoH，DoQ
	# 这部分为主要 DNS 配置，影响所有直连，确保使用对大陆解析精准的 DNS
	nameserver:
	- 114.114.114.114 # default value
	- 8.8.8.8 # default value
	- tls://223.5.5.5:853 # DNS over TLS
	- https://doh.pub/dns-query # DNS over HTTPS
	- https://dns.alidns.com/dns-query#h3=true # 强制 HTTP/3，与 perfer-h3 无关，强制开启 DoH 的 HTTP/3 支持，若不支持将无法使用
	- https://mozilla.cloudflare-dns.com/dns-query#DNS&h3=true # 指定策略组和使用 HTTP/3
	- dhcp://en0 # dns from dhcp
	- quic://dns.adguard.com:784 # DNS over QUIC
	# - '8.8.8.8#en0' # 兼容指定DNS出口网卡

	# 当配置 fallback 时，会查询 nameserver 中返回的 IP 是否为 CN，非必要配置
	# 当不是 CN，则使用 fallback 中的 DNS 查询结果
	# 确保配置 fallback 时能够正常查询
	# fallback:
	# - tcp://1.1.1.1
	# - 'tcp://1.1.1.1#ProxyGroupName' # 指定 DNS 过代理查询，ProxyGroupName 为策略组名或节点名，过代理配置优先于配置出口网卡，当找不到策略组或节点名则设置为出口网卡

	# 专用于节点域名解析的 DNS 服务器，非必要配置项
	# 配置服务器若查询失败将使用 nameserver，非并发查询
	# proxy-server-nameserver:
	# - https://dns.google/dns-query
	# - tls://one.one.one.one

	# 配置 fallback 使用条件
	# fallback-filter:
	# geoip: true # 配置是否使用 geoip
	# geoip-code: CN # 当 nameserver 域名的 IP 查询 geoip 库为 CN 时，不使用 fallback 中的 DNS 查询结果
	# 配置强制 fallback，优先于 IP 判断，具体分类自行查看 geosite 库
	# geosite:
	# - gfw
	# 如果不匹配 ipcidr 则使用 nameservers 中的结果
	# ipcidr:
	# - 240.0.0.0/4
	# domain:
	# - '+.google.com'
	# - '+.facebook.com'
	# - '+.youtube.com'

	# 配置查询域名使用的 DNS 服务器
	nameserver-policy:
	# 'www.baidu.com': '114.114.114.114'
	# '+.internal.crop.com': '10.0.0.1'
	"geosite:cn,private,apple":
	- https://doh.pub/dns-query
	- https://dns.alidns.com/dns-query
	"geosite:category-ads-all": rcode://success
	"www.baidu.com,+.google.cn": [223.5.5.5, https://dns.alidns.com/dns-query]
	## global，dns 为 rule-providers 中的名为 global 和 dns 规则订阅，
	## 且 behavior 必须为 domain/classical，当为 classical 时仅会生效域名类规则
	# "rule-set:global,dns": 8.8.8.8

	proxy-groups:
	# 代理链，目前relay可以支持udp的只有vmess/vless/trojan/ss/ssr/tuic
	# wireguard目前不支持在relay中使用，请使用proxy中的dialer-proxy配置项
	# Traffic: mihomo <-> http <-> vmess <-> ss1 <-> ss2 <-> Internet
	# - name: "relay"
	# type: relay
	# proxies:
	# - http
	# - vmess
	# - ss1
	# - ss2

	# url-test 将按照 url 测试结果使用延迟最低节点


	# select 用户自行选择节点
	- name: PROXY
	type: select
	# disable-udp: true
	proxies:
	- DIRECT
	- auto
	- load-balance
	use:
	- 飞鸟云
	- 三分机场
	- 性价比机场
	- name: "auto"
	type: url-test
	use:
	- 飞鸟云
	- 性价比机场
	# tolerance: 150
	# lazy: true
	url: "https://cp.cloudflare.com/generate_204"
	interval: 300

	# fallback 将按照 url 测试结果按照节点顺序选择
	- name: "fallback-auto"
	type: fallback
	use:
	- 飞鸟云
	- 三分机场
	- 性价比机场
	url: "https://cp.cloudflare.com/generate_204"
	interval: 300

	# load-balance 将按照算法随机选择节点
	- name: "load-balance"
	type: load-balance
	use:
	- 飞鸟云
	- 性价比机场
	url: "https://cp.cloudflare.com/generate_204"
	interval: 300
	# strategy: consistent-hashing # 可选 round-robin 和 sticky-sessions


	# 配置指定 interface-name 和 fwmark 的 DIRECT
	# - name: en1
	# type: select
	# interface-name: en1
	# routing-mark: 6667
	# proxies:
	# - DIRECT

	# - name: UseProvider
	# type: select
	# filter: "HK\|TW" # 正则表达式，过滤 provider1 中节点名包含 HK 或 TW
	# use:
	# - provider1
	# proxies:
	# - Proxy
	# - DIRECT

	# Mihomo 格式的节点或支持 *ray 的分享格式

	proxy-providers:
	飞鸟云:
	type: http # http 的 path 可空置,默认储存路径为 homedir的proxies文件夹,文件名为url的md5
	url: "https://feiniaoyun01.com/api/v1/client/subscribe?token="
	interval: 3600
	path: ./profile/one.yaml # 默认只允许存储在 mihomo 的 Home Dir，如果想存储到任意位置，添加环境变量 SKIP_SAFE_PATH_CHECK=1
	health-check:
	enable: true
	interval: 180
	lazy: true
	url: https://cp.cloudflare.com/generate_204
	三分机场:
	type: http
	url: "https://sub.sanfen017.xyz/api/v1/client/subscribe?token=" #【Meta专属】支持解析V2rayN等工具使用的普通订阅
	interval: 3600
	path: ./profile/two.yaml
	health-check:
	enable: true
	interval: 180
	lazy: true
	url: https://cp.cloudflare.com/generate_204

	性价比机场:
	type: http
	url: "https://47.243.142.170/api/v1/client/subscribe?token=" #【Meta专属】支持解析V2rayN等工具使用的普通订阅
	interval: 3600
	path: ./profile/three.yaml
	health-check:
	enable: true
	interval: 180
	lazy: true
	url: https://cp.cloudflare.com/generate_204


	rule-providers:
	reject:
	type: http
	behavior: domain
	url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/reject.txt"
	path: ./ruleset/reject.yaml
	interval: 86400

	icloud:
	type: http
	behavior: domain
	url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/icloud.txt"
	path: ./ruleset/icloud.yaml
	interval: 86400

	apple:
	type: http
	behavior: domain
	url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/apple.txt"
	path: ./ruleset/apple.yaml
	interval: 86400

	google:
	type: http
	behavior: domain
	url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/google.txt"
	path: ./ruleset/google.yaml
	interval: 86400

	proxy:
	type: http
	behavior: domain
	url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/proxy.txt"
	path: ./ruleset/proxy.yaml
	interval: 86400

	direct:
	type: http
	behavior: domain
	url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/direct.txt"
	path: ./ruleset/direct.yaml
	interval: 86400

	private:
	type: http
	behavior: domain
	url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/private.txt"
	path: ./ruleset/private.yaml
	interval: 86400

	gfw:
	type: http
	behavior: domain
	url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/gfw.txt"
	path: ./ruleset/gfw.yaml
	interval: 86400

	greatfire:
	type: http
	behavior: domain
	url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/greatfire.txt"
	path: ./ruleset/greatfire.yaml
	interval: 86400

	tld-not-cn:
	type: http
	behavior: domain
	url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/tld-not-cn.txt"
	path: ./ruleset/tld-not-cn.yaml
	interval: 86400

	telegramcidr:
	type: http
	behavior: ipcidr
	url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/telegramcidr.txt"
	path: ./ruleset/telegramcidr.yaml
	interval: 86400

	cncidr:
	type: http
	behavior: ipcidr
	url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/cncidr.txt"
	path: ./ruleset/cncidr.yaml
	interval: 86400

	lancidr:
	type: http
	behavior: ipcidr
	url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/lancidr.txt"
	path: ./ruleset/lancidr.yaml
	interval: 86400

	applications:
	type: http
	behavior: classical
	url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/applications.txt"
	path: ./ruleset/applications.yaml
	interval: 86400

	rules:
	- RULE-SET,applications,DIRECT
	- DOMAIN,clash.razord.top,DIRECT
	- DOMAIN,yacd.haishan.me,DIRECT
	- DOMAIN-SUFFIX,steamcontent.com,DIRECT
	- RULE-SET,private,DIRECT
	- RULE-SET,reject,REJECT
	- RULE-SET,icloud,DIRECT
	- RULE-SET,apple,DIRECT
	- RULE-SET,google,DIRECT
	- RULE-SET,proxy,PROXY
	- RULE-SET,direct,DIRECT
	- RULE-SET,lancidr,DIRECT
	- RULE-SET,cncidr,DIRECT
	- RULE-SET,telegramcidr,PROXY
	- GEOIP,LAN,DIRECT
	- GEOIP,CN,DIRECT
	- MATCH,PROXY
	# 当满足条件是 TCP 或 UDP 流量时，使用名为 sub-rule-name1 的规则集
	# - SUB-RULE,(OR,((NETWORK,TCP),(NETWORK,UDP))),sub-rule-name1
	# - SUB-RULE,(AND,((NETWORK,UDP))),sub-rule-name2
	# 定义多个子规则集，规则将以分叉匹配，使用 SUB-RULE 使用
	# google.com(not match)--> baidu.com(match)
	# / ｜
	# / ｜
	# https://baidu.com --> rule1 --> rule2 --> sub-rule-name1(match tcp) 使用 DIRECT
	#
	#
	# google.com(not match)--> baidu.com(not match)
	# / ｜
	# / ｜
	# dns 1.1.1.1 --> rule1 --> rule2 --> sub-rule-name1(match udp) sub-rule-name2(match udp)
	# ｜
	# ｜
	# 使用 REJECT <-- 1.1.1.1/32(match)
	#

	# sub-rules:
	# sub-rule-name1:
	# - DOMAIN,google.com,ss1
	# - DOMAIN,baidu.com,DIRECT
	# sub-rule-name2:
	# - IP-CIDR,1.1.1.1/32,REJECT
	# - IP-CIDR,8.8.8.8/32,ss1
	# - DOMAIN,dns.alidns.com,REJECT