Skip to content

Clash

Repo:https://github.com/Dreamacro/clash

Premium Binary:https://github.com/Dreamacro/clash/releases/tag/premium

Configuration:https://dreamacro.github.io/clash/configuration/configuration-reference.html

配置

  • 下载最新版的premium内核二进制文件

  • 编写配置文件

    yaml
    # /root/.config/clash/config.yaml
    
    # (HTTP and SOCKS5 in one port)
    mixed-port: 7890
    # RESTful API for clash
    external-controller: 127.0.0.1:9090
    secret: 123456
    allow-lan: false
    mode: rule
    log-level: warning
    
    tun:
      enable: true
      stack: system # system gvisor
      auto-route: true
      auto-detect-interface: true
      dns-hijack:
        - any:53 # DNS hijacking might result in a failure, if the system DNS is at a private IP address (since auto-route does not capture private network traffic).
    
    dns:
      enable: true
      listen: 0.0.0.0:7874
      ipv6: false
      default-nameserver:
        - 114.114.114.114
      nameserver:
        - 119.29.29.29
        - 223.5.5.5
        - 8.8.8.8
      fallback:
        - https://dns.cloudflare.com/dns-query
        - tls://dns.google:853
        - https://1.1.1.1/dns-query
      enhanced-mode: fake-ip # fake-ip redir-host
      fake-ip-range: 198.18.0.1/16
      fake-ip-filter:
      - "*.lan"
      - "*.localdomain"
      - "*.example"
      - "*.invalid"
      - "*.localhost"
      - "*.test"
      - "*.local"
      - "*.home.arpa"
      - time.*.com
      - time.*.gov
      - time.*.edu.cn
      - time.*.apple.com
      - time-ios.apple.com
      - time1.*.com
      - time2.*.com
      - time3.*.com
      - time4.*.com
      - time5.*.com
      - time6.*.com
      - time7.*.com
      - ntp.*.com
      - ntp1.*.com
      - ntp2.*.com
      - ntp3.*.com
      - ntp4.*.com
      - ntp5.*.com
      - ntp6.*.com
      - ntp7.*.com
      - "*.time.edu.cn"
      - "*.ntp.org.cn"
      - "+.pool.ntp.org"
      - time1.cloud.tencent.com
      - music.163.com
      - "*.music.163.com"
      - "*.126.net"
      - musicapi.taihe.com
      - music.taihe.com
      - songsearch.kugou.com
      - trackercdn.kugou.com
      - "*.kuwo.cn"
      - api-jooxtt.sanook.com
      - api.joox.com
      - joox.com
      - y.qq.com
      - "*.y.qq.com"
      - streamoc.music.tc.qq.com
      - mobileoc.music.tc.qq.com
      - isure.stream.qqmusic.qq.com
      - dl.stream.qqmusic.qq.com
      - aqqmusic.tc.qq.com
      - amobile.music.tc.qq.com
      - "*.xiami.com"
      - "*.music.migu.cn"
      - music.migu.cn
      - "+.msftconnecttest.com"
      - "+.msftncsi.com"
      - localhost.ptlogin2.qq.com
      - localhost.sec.qq.com
      - "+.qq.com"
      - "+.tencent.com"
      - "+.srv.nintendo.net"
      - "*.n.n.srv.nintendo.net"
      - "+.stun.playstation.net"
      - xbox.*.*.microsoft.com
      - "*.*.xboxlive.com"
      - xbox.*.microsoft.com
      - xnotify.xboxlive.com
      - "+.battlenet.com.cn"
      - "+.wotgame.cn"
      - "+.wggames.cn"
      - "+.wowsgame.cn"
      - "+.wargaming.net"
      - proxy.golang.org
      - stun.*.*
      - stun.*.*.*
      - "+.stun.*.*"
      - "+.stun.*.*.*"
      - "+.stun.*.*.*.*"
      - "+.stun.*.*.*.*.*"
      - heartbeat.belkin.com
      - "*.linksys.com"
      - "*.linksyssmartwifi.com"
      - mobileoc.music.tc.qq.com
      - isure.stream.qqmusic.qq.com
      - dl.stream.qqmusic.qq.com
      - aqqmusic.tc.qq.com
      - amobile.music.tc.qq.com
      - "*.xiami.com"
      - "*.music.migu.cn"
      - music.migu.cn
      - "+.msftconnecttest.com"
      - "+.msftncsi.com"
      - localhost.ptlogin2.qq.com
      - localhost.sec.qq.com
      - "+.qq.com"
      - "+.tencent.com"
      - "+.srv.nintendo.net"
      - "*.n.n.srv.nintendo.net"
      - "+.stun.playstation.net"
      - xbox.*.*.microsoft.com
      - "*.*.xboxlive.com"
      - xbox.*.microsoft.com
      - xnotify.xboxlive.com
      - "+.battlenet.com.cn"
      - "+.wotgame.cn"
      - "+.wggames.cn"
      - "+.wowsgame.cn"
      - "+.wargaming.net"
      - proxy.golang.org
      - stun.*.*
      - stun.*.*.*
      - "+.stun.*.*"
      - "+.stun.*.*.*"
      - "+.stun.*.*.*.*"
      - "+.stun.*.*.*.*.*"
      - heartbeat.belkin.com
      - "*.linksys.com"
      - "*.linksyssmartwifi.com"
      - "*.router.asus.com"
      - mesu.apple.com
      - swscan.apple.com
      - swquery.apple.com
      - swdownload.apple.com
      - swcdn.apple.com
      - swdist.apple.com
      - lens.l.google.com
      - stun.l.google.com
      - "+.nflxvideo.net"
      - "*.square-enix.com"
      - "*.finalfantasyxiv.com"
      - "*.ffxiv.com"
      - "*.ff14.sdo.com"
      - ff.dorado.sdo.com
      - "*.mcdn.bilivideo.cn"
      - "+.media.dssott.com"
      - shark007.net
      - Mijia Cloud
      - "+.cmbchina.com"
      - "+.cmbimg.com"
      - local.adguard.org
      - "+.sandai.net"
      - "+.n0808.com"
        
    proxy-providers:
      provider:
        type: http
        path: ./profile/provider.yaml
        url: subscription.url
        interval: 36000
        health-check:
          enable: true
          url: http://www.gstatic.com/generate_204
          interval: 3600
    
    proxy-groups:
      - name: PROXY
        type: select
        use:
          - provider
    
    rule-providers:
      reject:
        type: http
        behavior: domain
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/reject.txt"
        path: ./ruleset/reject.yaml
        interval: 86400
    
      icloud:
        type: http
        behavior: domain
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/icloud.txt"
        path: ./ruleset/icloud.yaml
        interval: 86400
    
      apple:
        type: http
        behavior: domain
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/apple.txt"
        path: ./ruleset/apple.yaml
        interval: 86400
    
      # google:
      #   type: http
      #   behavior: domain
      #   url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/google.txt"
      #   path: ./ruleset/google.yaml
      #   interval: 86400
    
      proxy:
        type: http
        behavior: domain
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/proxy.txt"
        path: ./ruleset/proxy.yaml
        interval: 86400
    
      direct:
        type: http
        behavior: domain
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/direct.txt"
        path: ./ruleset/direct.yaml
        interval: 86400
      private:
        type: http
        behavior: domain
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/private.txt"
        path: ./ruleset/private.yaml
        interval: 86400
    
      gfw:
        type: http
        behavior: domain
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/gfw.txt"
        path: ./ruleset/gfw.yaml
        interval: 86400
    
      tld-not-cn:
        type: http
        behavior: domain
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/tld-not-cn.txt"
        path: ./ruleset/tld-not-cn.yaml
        interval: 86400
    
      telegramcidr:
        type: http
        behavior: ipcidr
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/telegramcidr.txt"
        path: ./ruleset/telegramcidr.yaml
        interval: 86400
    
      cncidr:
        type: http
        behavior: ipcidr
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/cncidr.txt"
        path: ./ruleset/cncidr.yaml
        interval: 86400
    
      lancidr:
        type: http
        behavior: ipcidr
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/lancidr.txt"
        path: ./ruleset/lancidr.yaml
        interval: 86400
    
      applications:
        type: http
        behavior: classical
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/applications.txt"
        path: ./ruleset/applications.yaml
        interval: 86400
    
    
    # Script Shortcuts enables the use of script in rules mode. By default, DNS resolution takes place for SCRIPT rules. no-resolve can be appended to the rule to prevent the resolution. (i.e.: SCRIPT,quic,DIRECT,no-resolve)
    script:
      engine: expr # or starlark (10x to 20x slower)
      shortcuts:
        quic: network == 'udp' and dst_port == 443
        curl: resolve_process_name() == 'curl'
        # curl: resolve_process_path() == '/usr/bin/curl'
        not_common_port: dst_port not in [21, 22, 23, 53, 80, 123, 143, 194, 443, 465, 587, 853, 993, 995, 998, 2052, 2053, 2082, 2083, 2086, 2095, 2096, 5222, 5228, 5229, 5230, 8080, 8443, 8880, 8888, 8889]
    
    
    rules:
      - SCRIPT,not_common_port,DIRECT # 只代理常规端口,常用于防止PT、BT的流量走代理
      - SCRIPT,quic,REJECT
      - DST-PORT,22,DIRECT
      - RULE-SET,applications,DIRECT
      - DOMAIN,clash.razord.top,DIRECT
      - DOMAIN,yacd.haishan.me,DIRECT
      - RULE-SET,private,DIRECT
      - RULE-SET,reject,REJECT
      - RULE-SET,icloud,DIRECT
      - RULE-SET,apple,DIRECT
      # - RULE-SET,google,DIRECT
      - RULE-SET,proxy,PROXY
      - RULE-SET,direct,DIRECT
      - RULE-SET,lancidr,DIRECT
      - RULE-SET,cncidr,DIRECT
      - RULE-SET,telegramcidr,PROXY
      - GEOIP,LAN,DIRECT
      - GEOIP,CN,DIRECT
      - MATCH,PROXY
    # /root/.config/clash/config.yaml
    
    # (HTTP and SOCKS5 in one port)
    mixed-port: 7890
    # RESTful API for clash
    external-controller: 127.0.0.1:9090
    secret: 123456
    allow-lan: false
    mode: rule
    log-level: warning
    
    tun:
      enable: true
      stack: system # system gvisor
      auto-route: true
      auto-detect-interface: true
      dns-hijack:
        - any:53 # DNS hijacking might result in a failure, if the system DNS is at a private IP address (since auto-route does not capture private network traffic).
    
    dns:
      enable: true
      listen: 0.0.0.0:7874
      ipv6: false
      default-nameserver:
        - 114.114.114.114
      nameserver:
        - 119.29.29.29
        - 223.5.5.5
        - 8.8.8.8
      fallback:
        - https://dns.cloudflare.com/dns-query
        - tls://dns.google:853
        - https://1.1.1.1/dns-query
      enhanced-mode: fake-ip # fake-ip redir-host
      fake-ip-range: 198.18.0.1/16
      fake-ip-filter:
      - "*.lan"
      - "*.localdomain"
      - "*.example"
      - "*.invalid"
      - "*.localhost"
      - "*.test"
      - "*.local"
      - "*.home.arpa"
      - time.*.com
      - time.*.gov
      - time.*.edu.cn
      - time.*.apple.com
      - time-ios.apple.com
      - time1.*.com
      - time2.*.com
      - time3.*.com
      - time4.*.com
      - time5.*.com
      - time6.*.com
      - time7.*.com
      - ntp.*.com
      - ntp1.*.com
      - ntp2.*.com
      - ntp3.*.com
      - ntp4.*.com
      - ntp5.*.com
      - ntp6.*.com
      - ntp7.*.com
      - "*.time.edu.cn"
      - "*.ntp.org.cn"
      - "+.pool.ntp.org"
      - time1.cloud.tencent.com
      - music.163.com
      - "*.music.163.com"
      - "*.126.net"
      - musicapi.taihe.com
      - music.taihe.com
      - songsearch.kugou.com
      - trackercdn.kugou.com
      - "*.kuwo.cn"
      - api-jooxtt.sanook.com
      - api.joox.com
      - joox.com
      - y.qq.com
      - "*.y.qq.com"
      - streamoc.music.tc.qq.com
      - mobileoc.music.tc.qq.com
      - isure.stream.qqmusic.qq.com
      - dl.stream.qqmusic.qq.com
      - aqqmusic.tc.qq.com
      - amobile.music.tc.qq.com
      - "*.xiami.com"
      - "*.music.migu.cn"
      - music.migu.cn
      - "+.msftconnecttest.com"
      - "+.msftncsi.com"
      - localhost.ptlogin2.qq.com
      - localhost.sec.qq.com
      - "+.qq.com"
      - "+.tencent.com"
      - "+.srv.nintendo.net"
      - "*.n.n.srv.nintendo.net"
      - "+.stun.playstation.net"
      - xbox.*.*.microsoft.com
      - "*.*.xboxlive.com"
      - xbox.*.microsoft.com
      - xnotify.xboxlive.com
      - "+.battlenet.com.cn"
      - "+.wotgame.cn"
      - "+.wggames.cn"
      - "+.wowsgame.cn"
      - "+.wargaming.net"
      - proxy.golang.org
      - stun.*.*
      - stun.*.*.*
      - "+.stun.*.*"
      - "+.stun.*.*.*"
      - "+.stun.*.*.*.*"
      - "+.stun.*.*.*.*.*"
      - heartbeat.belkin.com
      - "*.linksys.com"
      - "*.linksyssmartwifi.com"
      - mobileoc.music.tc.qq.com
      - isure.stream.qqmusic.qq.com
      - dl.stream.qqmusic.qq.com
      - aqqmusic.tc.qq.com
      - amobile.music.tc.qq.com
      - "*.xiami.com"
      - "*.music.migu.cn"
      - music.migu.cn
      - "+.msftconnecttest.com"
      - "+.msftncsi.com"
      - localhost.ptlogin2.qq.com
      - localhost.sec.qq.com
      - "+.qq.com"
      - "+.tencent.com"
      - "+.srv.nintendo.net"
      - "*.n.n.srv.nintendo.net"
      - "+.stun.playstation.net"
      - xbox.*.*.microsoft.com
      - "*.*.xboxlive.com"
      - xbox.*.microsoft.com
      - xnotify.xboxlive.com
      - "+.battlenet.com.cn"
      - "+.wotgame.cn"
      - "+.wggames.cn"
      - "+.wowsgame.cn"
      - "+.wargaming.net"
      - proxy.golang.org
      - stun.*.*
      - stun.*.*.*
      - "+.stun.*.*"
      - "+.stun.*.*.*"
      - "+.stun.*.*.*.*"
      - "+.stun.*.*.*.*.*"
      - heartbeat.belkin.com
      - "*.linksys.com"
      - "*.linksyssmartwifi.com"
      - "*.router.asus.com"
      - mesu.apple.com
      - swscan.apple.com
      - swquery.apple.com
      - swdownload.apple.com
      - swcdn.apple.com
      - swdist.apple.com
      - lens.l.google.com
      - stun.l.google.com
      - "+.nflxvideo.net"
      - "*.square-enix.com"
      - "*.finalfantasyxiv.com"
      - "*.ffxiv.com"
      - "*.ff14.sdo.com"
      - ff.dorado.sdo.com
      - "*.mcdn.bilivideo.cn"
      - "+.media.dssott.com"
      - shark007.net
      - Mijia Cloud
      - "+.cmbchina.com"
      - "+.cmbimg.com"
      - local.adguard.org
      - "+.sandai.net"
      - "+.n0808.com"
        
    proxy-providers:
      provider:
        type: http
        path: ./profile/provider.yaml
        url: subscription.url
        interval: 36000
        health-check:
          enable: true
          url: http://www.gstatic.com/generate_204
          interval: 3600
    
    proxy-groups:
      - name: PROXY
        type: select
        use:
          - provider
    
    rule-providers:
      reject:
        type: http
        behavior: domain
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/reject.txt"
        path: ./ruleset/reject.yaml
        interval: 86400
    
      icloud:
        type: http
        behavior: domain
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/icloud.txt"
        path: ./ruleset/icloud.yaml
        interval: 86400
    
      apple:
        type: http
        behavior: domain
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/apple.txt"
        path: ./ruleset/apple.yaml
        interval: 86400
    
      # google:
      #   type: http
      #   behavior: domain
      #   url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/google.txt"
      #   path: ./ruleset/google.yaml
      #   interval: 86400
    
      proxy:
        type: http
        behavior: domain
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/proxy.txt"
        path: ./ruleset/proxy.yaml
        interval: 86400
    
      direct:
        type: http
        behavior: domain
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/direct.txt"
        path: ./ruleset/direct.yaml
        interval: 86400
      private:
        type: http
        behavior: domain
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/private.txt"
        path: ./ruleset/private.yaml
        interval: 86400
    
      gfw:
        type: http
        behavior: domain
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/gfw.txt"
        path: ./ruleset/gfw.yaml
        interval: 86400
    
      tld-not-cn:
        type: http
        behavior: domain
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/tld-not-cn.txt"
        path: ./ruleset/tld-not-cn.yaml
        interval: 86400
    
      telegramcidr:
        type: http
        behavior: ipcidr
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/telegramcidr.txt"
        path: ./ruleset/telegramcidr.yaml
        interval: 86400
    
      cncidr:
        type: http
        behavior: ipcidr
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/cncidr.txt"
        path: ./ruleset/cncidr.yaml
        interval: 86400
    
      lancidr:
        type: http
        behavior: ipcidr
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/lancidr.txt"
        path: ./ruleset/lancidr.yaml
        interval: 86400
    
      applications:
        type: http
        behavior: classical
        url: "https://raw.githubusercontent.com/Loyalsoldier/clash-rules/release/applications.txt"
        path: ./ruleset/applications.yaml
        interval: 86400
    
    
    # Script Shortcuts enables the use of script in rules mode. By default, DNS resolution takes place for SCRIPT rules. no-resolve can be appended to the rule to prevent the resolution. (i.e.: SCRIPT,quic,DIRECT,no-resolve)
    script:
      engine: expr # or starlark (10x to 20x slower)
      shortcuts:
        quic: network == 'udp' and dst_port == 443
        curl: resolve_process_name() == 'curl'
        # curl: resolve_process_path() == '/usr/bin/curl'
        not_common_port: dst_port not in [21, 22, 23, 53, 80, 123, 143, 194, 443, 465, 587, 853, 993, 995, 998, 2052, 2053, 2082, 2083, 2086, 2095, 2096, 5222, 5228, 5229, 5230, 8080, 8443, 8880, 8888, 8889]
    
    
    rules:
      - SCRIPT,not_common_port,DIRECT # 只代理常规端口,常用于防止PT、BT的流量走代理
      - SCRIPT,quic,REJECT
      - DST-PORT,22,DIRECT
      - RULE-SET,applications,DIRECT
      - DOMAIN,clash.razord.top,DIRECT
      - DOMAIN,yacd.haishan.me,DIRECT
      - RULE-SET,private,DIRECT
      - RULE-SET,reject,REJECT
      - RULE-SET,icloud,DIRECT
      - RULE-SET,apple,DIRECT
      # - RULE-SET,google,DIRECT
      - RULE-SET,proxy,PROXY
      - RULE-SET,direct,DIRECT
      - RULE-SET,lancidr,DIRECT
      - RULE-SET,cncidr,DIRECT
      - RULE-SET,telegramcidr,PROXY
      - GEOIP,LAN,DIRECT
      - GEOIP,CN,DIRECT
      - MATCH,PROXY
    shell
    cat > /etc/systemd/system/clash.service <<EOF
    [Unit]
    Description=clash
    After=network.target
    [Service]
    Type=simple
    ExecStart=/usr/bin/clash -d /root/.config/clash
    Restart=on-failure
    [Install]
    WantedBy=multi-user.target
    EOF
    
    # systemctl daemon-reload
    cat > /etc/systemd/system/clash.service <<EOF
    [Unit]
    Description=clash
    After=network.target
    [Service]
    Type=simple
    ExecStart=/usr/bin/clash -d /root/.config/clash
    Restart=on-failure
    [Install]
    WantedBy=multi-user.target
    EOF
    
    # systemctl daemon-reload

管理API

  • 获取代理信息:curl -X GET http://127.0.0.1:9090/proxies --header 'Authorization: Bearer 123456'
  • 获取指定代理信息:curl -X GET http://127.0.0.1:9090/proxies/{proxyGroupName} --header 'Authorization: Bearer 123456'
  • 代理组切换指定节点:curl -X PUT http://127.0.0.1:9090/proxies/{proxyGroupName} --header 'Authorization: Bearer 123456' --header "Content-Type: application/json" -d '{"name": "代理节点名称"}'