#!MANAGED-CONFIG https://proxy.kerwin.dpdns.org/surge.conf interval=43200 strict=true # === Surge 配置文件 === # 官方文档: https://manual.nssurge.com/ # 配置原理: https://manual.nssurge.com/book/understanding-surge/cn/ # 技术社区: https://community.nssurge.com # 本配置参考:@Sukka https://blog.skk.moe/post/i-have-my-unique-surge-setup/ [General] # === 网络性能优化设置 === wifi-assist = true // Wi-Fi 辅助功能:自动识别并切换到最佳网络 all-hybrid = false // 混合网络模式:禁用多网络接口聚合 udp-priority = false // UDP 优先:系统负载高时优先处理 UDP 流量,适用于游戏场景 # === 网络延迟测试配置 === internet-test-url = http://wifi.vivo.com.cn/generate_204 // 互联网连接测试 URL:验证网络连通性 proxy-test-url = http://cp.cloudflare.com // 代理服务器测试 URL:验证代理可用性 proxy-test-udp = www.apple.com@64.6.64.6 // UDP 连接测试:验证 UDP 转发功能 test-timeout = 3 // 测试超时时间:3 秒 # https://lab.skk.moe/test-204/ // 互联网连接测试 URL:验证网络连通性 # === 安全和性能设置 === geoip-maxmind-url = https://github.com/Hackl0us/GeoIP2-CN/raw/release/Country.mmdb // GeoIP 数据库:从 GitHub 下载 MaxMind 格式地理位置数据 tls-provider = openssl // TLS 引擎 (default、secure-transport、openssl、network-framework) vif-mode = auto // 虚拟网卡模式:自动选择最佳模式 # === IPv6 网络设置 === # 注意:启用 IPv6 将同时请求 A 和 AAAA 记录,可能增加延迟 # 如果 DNS 服务器对 AAAA 查询响应不正常,可能导致网络卡顿 ipv6 = false // 禁用 IPv6 支持 ipv6-vif = off // 关闭虚拟接口的 IPv6 # === 本地访问控制 === allow-wifi-access = true // 允许通过 Wi-Fi 访问代理服务 wifi-access-http-port = 6152 // HTTP 代理端口 wifi-access-socks5-port = 6153 // SOCKS5 代理端口 http-listen = 0.0.0.0:6152 // HTTP代 理监听地址 socks5-listen = 0.0.0.0:6153 // SOCKS5 代理监听地址 allow-hotspot-access = true // 允许热点设备使用代理 # === 远程控制设置 === external-controller-access = kerwin@0.0.0.0:6160 // 远程控制访问地址 # === HTTP API 设置 === http-api = kerwin@0.0.0.0:6166 // HTTP API 监听地址和端口 http-api-web-dashboard = true // 启用 Web 仪表盘 http-api-tls = true // 启用 API 的 TLS 加密 # === 系统兼容性设置 === # 兼容性模式说明: # 0 - 完全禁用兼容模式 # 1 - 使用回环地址代理 # 2 - 仅代理模式 # 3 - 仅 VIF 模式 # 4 - VIF 代理模式(性能消耗较大) # 5 - 非默认路由模式(类似 Mac 增强模式) compatibility-mode = 0 // 默认兼容模式:完全禁用 # === 代理绕过设置 === # skip-proxy = 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 100.64.0.0/10, 162.14.0.0/16, 211.99.96.0/19, 162.159.192.0/24, 162.159.193.0/24, 162.159.195.0/24, fc00::/7, fe80::/10, localhost, *.local, captive.apple.com, passenger.t3go.cn, *.ccb.com, wxh.wo.cn, *.abcchina.com, *.abcchina.com.cn # >>>>> 模块配置:https://ruleset.kerwin.dpdns.org/modules/general.sgmodule # 控制不带点的域名(如 localhost、DEVICE-A114514 这类 mDNS 名)是否绕过 Surge Proxy、直接使用 Surge VIF 虚拟网卡处理。 exclude-simple-hostnames = true // 绕过简单主机名:跳过不带点的域名(如 localhost) # === DNS 服务设置 === # 基础 DNS 服务器配置 dns-server = 223.5.5.5, 114.114.114.114 // DNS 服务器列表 read-etc-hosts = true // 控制是否让 Surge for Mac 读取 /etc/hosts 文件并在 Surge DNS 中模拟该行为 # 加密 DNS 配置 encrypted-dns-server = quic://223.5.5.5, quic://223.6.6.6, https://1.12.12.12/dns-query, https://120.53.53.53/dns-query // 加密 DNS 服务器列表 # DNS 解析策略 encrypted-dns-follow-outbound-mode = false // 加密 DNS 请求不跟随出站模式 use-local-host-item-for-proxy = true // 优先使用本地 DNS 映射 # 注意事项: # 1. 加密 DNS 启用后,传统 DNS 仅用于解析 DOH 域名和网络连通性测试 # 2. 支持的加密 DNS 协议: # - DNS over HTTPS (DOH) # - DNS over HTTP/3 # - DNS over QUIC # === VIF 路由排除设置 === # 多播地址排除 tun-excluded-routes = 239.255.255.250/32 // 多播地址排除 # tun-included-routes = 192.168.1.12/32 // 包含的路由 # === 网络接口设置 === include-all-networks = false // 不包括所有网络接口 include-local-networks = false // 不包括本地网络接口 loglevel = notify // 日志级别:notify(通知级别) show-error-page-for-reject = true // 显示拒绝策略的错误页面 # === DNS 劫持配置 === # DNS 劫持设置(支持的 DNS 服务器) hijack-dns = 8.8.8.8:53, 8.8.4.4:53 // DNS 劫持设置 # === HTTP 引擎强制设置 === # 强制使用 HTTP 引擎处理的主机列表 # 说明: # 1. 支持通配符 * 和 ? # 2. 使用 :端口 指定特定端口 # 3. :0 表示所有端口 # 4. 前缀 - 用于排除主机名 force-http-engine-hosts = *.ott.cibntv.net, 123.59.31.1, 119.18.193.135, 122.14.246.33, 175.102.178.52, 116.253.24.*, 175.6.26.*, 220.169.153.* // 强制使用 HTTP 引擎处理的主机列表 # === UDP 策略设置 === # UDP 流量处理策略 # - DIRECT:使用直连策略 # - REJECT:拒绝 UDP 流量 udp-policy-not-supported-behaviour = REJECT // UDP 不支持时的回退策略 [Proxy] # === 代理服务器设置 === "🚫 Reject-no-Drop" = reject-no-drop // 拒绝但不丢弃 "⭕️ Reject-Drop" = reject-drop // 拒绝并丢弃 "⛔️ Reject" = reject // 拒绝 "⛳️ Direct" = direct // 直连 [Proxy Group] # === 代理策略组设置 === 🔰 Ad = select, "⛳️ Direct", "⛔️ Reject" 🌎 Proxy = select, "🦊 Smart", "🚩 Select", "🇺🇸 United States", "🇭🇰 Hong Kong", "🇸🇬 Singapore", "🇨🇳 Taiwan", "🇯🇵 Japan" 🍎 Apple = select, "🌎 Proxy", "⛳️ Direct", "🇺🇸 United States", "🇭🇰 Hong Kong", "🇸🇬 Singapore", "🇨🇳 Taiwan", "🇯🇵 Japan" 🌀 Microsoft = select, "🌎 Proxy", "⛳️ Direct", "🇺🇸 United States", "🇭🇰 Hong Kong", "🇸🇬 Singapore", "🇨🇳 Taiwan", "🇯🇵 Japan" 🎭 Streaming = select, "🌎 Proxy", "⛳️ Direct", "🇺🇸 United States", "🇭🇰 Hong Kong", "🇸🇬 Singapore", "🇨🇳 Taiwan", "🇯🇵 Japan" 🏎️ Speedtest = select, "🌎 Proxy", "⛳️ Direct", "🇺🇸 United States", "🇭🇰 Hong Kong", "🇸🇬 Singapore", "🇨🇳 Taiwan", "🇯🇵 Japan" 🍁 Download = select, "🌎 Proxy", "⛳️ Direct", "🇺🇸 United States", "🇭🇰 Hong Kong", "🇸🇬 Singapore", "🇨🇳 Taiwan", "🇯🇵 Japan" 🍃 Domestic = select, "🌎 Proxy", "⛳️ Direct", "🇺🇸 United States", "🇭🇰 Hong Kong", "🇸🇬 Singapore", "🇨🇳 Taiwan", "🇯🇵 Japan" 🤖 AIGC = select, "🌎 Proxy", "⛳️ Direct", "🇺🇸 United States", "🇭🇰 Hong Kong", "🇸🇬 Singapore", "🇨🇳 Taiwan", "🇯🇵 Japan" 🏁 Final = select, "🌎 Proxy", "⛳️ Direct", "🇺🇸 United States", "🇭🇰 Hong Kong", "🇸🇬 Singapore", "🇨🇳 Taiwan", "🇯🇵 Japan", "🦊 Smart", no-alert=0, hidden=0, include-all-proxies=0 🚩 Select = select, policy-path=https://example.com/proxies.list, update-interval=86400, include-all-proxies/proxies=0, no-alert=0, hidden=0 🇺🇸 United States = smart, policy-path=https://example.com/proxies.list, update-interval=86400, policy-regex-filter=\美国, no-alert=0, hidden=1, include-all-proxies=0 🇭🇰 Hong Kong = smart, policy-path=https://example.com/proxies.list, update-interval=86400, policy-regex-filter=\香港, no-alert=0, hidden=1, include-all-proxies=0 🇸🇬 Singapore = smart, policy-path=https://example.com/proxies.list, update-interval=86400, policy-regex-filter=\新加坡, no-alert=0, hidden=1, include-all-proxies=0 🇨🇳 Taiwan = smart, policy-path=https://example.com/proxies.list, update-interval=86400, policy-regex-filter=\台湾, no-alert=0, hidden=1, include-all-proxies=0 🇯🇵 Japan = smart, policy-path=https://example.com/proxies.list, update-interval=86400, policy-regex-filter=\日本, no-alert=0, hidden=1, include-all-proxies=0 🦊 Smart = smart, policy-path=https://example.com/proxies.list, update-interval=0, no-alert=0, hidden=0, include-all-proxies=0, policy-regex-filter=^((?!Game).)*$ [Rule] # === 浏览器安全规则 === DOMAIN,app-site-association.cdn-apple.com, "⛳️ Direct" // Safari 防跳转保护 # === 基础服务规则 === # 邮件服务器直连 DOMAIN-SUFFIX,smtp, "⛳️ Direct" // SMTP 直连 URL-REGEX,(Subject|HELO|SMTP), "⛳️ Direct" // SMTP 直连 # === 本地应用程序 === # 远程控制软件 PROCESS-NAME,SunloginClient, "⛳️ Direct" // 向日葵远程控制 PROCESS-NAME,ToDesk, "⛳️ Direct" // ToDesk 远程控制 # === 下载工具直连 === # 常用下载工具直连配置 PROCESS-NAME,"WebTorrent Helper", "⛳️ Direct" // WebTorrent Helper PROCESS-NAME,Transmission, "⛳️ Direct" // Transmission PROCESS-NAME,NetTransport, "⛳️ Direct" // NetTransport PROCESS-NAME,WebTorrent, "⛳️ Direct" // WebTorrent PROCESS-NAME,uTorrent, "⛳️ Direct" // uTorrent PROCESS-NAME,Thunder, "⛳️ Direct" // 迅雷 PROCESS-NAME,aria2c, "⛳️ Direct" // Aria2 PROCESS-NAME,Folx, "⛳️ Direct" // Folx PROCESS-NAME,fdm, "⛳️ Direct" // Free Download Manager # === 局域网访问规则 (non_ip) - 最高优先级 === RULE-SET,https://ruleset.kerwin.dpdns.org/list/non_ip/lan.conf,"⛳️ Direct" # === 广告拦截规则 (non_ip) === // 广告、隐私追踪和恶意域名拦截 DOMAIN-SET,https://ruleset.kerwin.dpdns.org/list/domainset/reject.conf,"🔰 Ad" // 广告、隐私追踪和恶意域名拦截 RULE-SET,https://ruleset.kerwin.dpdns.org/list/non_ip/reject.conf,"🔰 Ad",extended-matching // 阻止视频平台 CDN 的 QUIC 和 P2P CDN RULE-SET,https://ruleset.kerwin.dpdns.org/list/non_ip/reject-no-drop.conf,"🚫 Reject-no-Drop",extended-matching // 丢弃发往 Adobe 系列软件内部的跟踪打点域名的数据包 RULE-SET,https://ruleset.kerwin.dpdns.org/list/non_ip/reject-drop.conf,"⭕️ Reject-Drop",extended-matching # === 特殊服务规则 (non_ip) === // Speedtest 测速 DOMAIN-SET,https://ruleset.kerwin.dpdns.org/list/domainset/speedtest.conf,"🏎️ Speedtest",extended-matching // Apple 中国 RULE-SET,https://ruleset.kerwin.dpdns.org/list/non_ip/apple_cn.conf,"⛳️ Direct" // Apple CDN RULE-SET,https://ruleset.kerwin.dpdns.org/list/non_ip/apple_cdn.conf,"🍎 Apple" // Microsoft CDN RULE-SET,https://ruleset.kerwin.dpdns.org/list/non_ip/microsoft_cdn.conf,"🌀 Microsoft" // 流媒体服务 RULE-SET,https://ruleset.kerwin.dpdns.org/list/non_ip/stream.conf,"🎭 Streaming",extended-matching // Apple 服务 RULE-SET,https://ruleset.kerwin.dpdns.org/list/non_ip/apple_services.conf,"🍎 Apple",extended-matching // Microsoft 服务 RULE-SET,https://ruleset.kerwin.dpdns.org/list/non_ip/microsoft.conf,"🌀 Microsoft",extended-matching // Telegram 服务 RULE-SET,https://ruleset.kerwin.dpdns.org/list/non_ip/telegram.conf,"🌎 Proxy",extended-matching // AI 服务 RULE-SET,https://ruleset.kerwin.dpdns.org/list/non_ip/ai.conf,"🤖 AIGC",extended-matching // PayPal 服务 RULE-SET,https://ruleset.kerwin.dpdns.org/list/non_ip/paypal.conf,"🇺🇸 United States" # === CDN和下载加速规则 (non_ip) === // CDN 加速 DOMAIN-SET,https://ruleset.kerwin.dpdns.org/list/domainset/cdn.conf,"🍃 Domestic",extended-matching // CDN 加速 RULE-SET,https://ruleset.kerwin.dpdns.org/list/non_ip/cdn.conf,"🍃 Domestic",extended-matching // 下载加速 DOMAIN-SET,https://ruleset.kerwin.dpdns.org/list/domainset/download.conf,"🍁 Download",extended-matching RULE-SET,https://ruleset.kerwin.dpdns.org/list/non_ip/download.conf,"🍁 Download",extended-matching # === 代理与直连规则 (non_ip) === // 全局代理 RULE-SET,https://ruleset.kerwin.dpdns.org/list/non_ip/global.conf,"🌎 Proxy",extended-matching // 国内直连 RULE-SET,https://ruleset.kerwin.dpdns.org/list/non_ip/domestic.conf,"⛳️ Direct",extended-matching # === IP 规则部分 (放在最后) === // 局域网直连 RULE-SET,https://ruleset.kerwin.dpdns.org/list/ip/lan.conf,"⛳️ Direct" // 广告、隐私追踪和恶意域名拦截 RULE-SET,https://ruleset.kerwin.dpdns.org/list/ip/reject.conf,"⭕️ Reject-Drop" // 流媒体服务 RULE-SET,https://ruleset.kerwin.dpdns.org/list/ip/stream.conf,"🎭 Streaming" // Telegram 服务 RULE-SET,https://ruleset.kerwin.dpdns.org/list/ip/telegram.conf,"🌎 Proxy" // 国内直连 RULE-SET,https://ruleset.kerwin.dpdns.org/list/ip/domestic.conf,"⛳️ Direct" // 国内 IP 直连 RULE-SET,https://ruleset.kerwin.dpdns.org/list/ip/china_ip.conf,"⛳️ Direct" # PROCESS-NAME,Telegram,"⭕️ Reject-Drop" // 丢弃 Telegram 客户端(macOS Swift)其余连接避免隐私泄露 # === 内置局域网规则 === RULE-SET,LAN, "⛳️ Direct" # === GeoIP 数据库 === GEOIP,CN, "⛳️ Direct", no-resolve # === 最终规则 === FINAL, "🏁 Final", dns-failed [Replica] # === 该段定义抓取流量的过滤 === # hide-apple-request = true // 隐藏 Apple 请求 # hide-crashlytics-request = true // 隐藏 Crashlytics 请求 # hide-udp = false // 隐藏 UDP 流量 # use-keyword-filter = false // 使用关键字过滤器 # keyword-filter-type = blacklist // 关键字过滤器类型:黑名单 # keyword-filter-type = whitelist // 关键字过滤器类型:白名单 # keyword-filter = // 关键字过滤器列表 [Host] # === 自定义 DNS 映射 === # Google 服务 mtalk.google.com = 108.177.125.188 # Google 下载加速 dl.google.com = server:119.29.29.29 dl.l.google.com = server:119.29.29.29 update.googleapis.com = server:119.29.29.29 # PlayStation 下载加速 *.dl.playstation.net = server:119.29.29.29 [URL Rewrite] # === URL 重写规则 === # 模块配置:https://ruleset.kerwin.dpdns.org/modules/general.sgmodule [Header Rewrite] # === 请求 Header 重写 === # 模块配置:https://ruleset.kerwin.dpdns.org/modules/general.sgmodule [SSID Setting] # === SSID 场景设置 === # SSID 配置说明: # 1. suspend=true:暂停 Surge # 2. cellular-fallback 参数: # - default:使用全局设置 # - off:关闭网络回退 # - hybrid:启用混合模式 # - wifi-assist:启用 Wi-Fi 辅助 # Wi-Fi 网络配置示例 "SSID Here" suspend=true // 在特定 Wi-Fi 下暂停Surge # 数据网络配置示例 #"TYPE:CELLULAR" tfo-behaviour=force-disabled // 关闭数据网络 TFO # 家庭网络配置示例 #"HOME_WIFI" cellular-fallback=off // 家庭网络禁用回退 # TCP 快速打开设置 "My Home" tfo-behaviour=force-enabled // 在家庭网络启用 TFO TYPE:CELLULAR tfo-behaviour=force-disabled // 关闭数据网络 TFO [MITM] # === MITM 安全配置 === # 证书和安全设置 skip-server-cert-verify = true // 跳过服务器证书验证 h2 = true // 启用 HTTP/2 支持 tcp-connection = true // 启用 TCP 连接支持 # === 主机名配置 === # 系统服务(禁用解密) hostname = -*.apple.com, -*.icloud.com, -*.mzstatic.com, -*.crashlytics.com, -*.facebook.com, -*.instagram.com # 安全提示: # 1. Surge 仅解密指定主机名的请求 # 2. iOS 系统和应用可能有严格的证书要求 # 3. 解密某些域名可能导致功能异常 # 配置说明: # * 通配符:* 和 ? # * 排除域名:使用前缀 - # * 端口指定:使用后缀 :端口号 # * 所有端口:使用后缀 :0 # * 默认仅解密443端口流量 # === CA 证书配置 ===