-
Notifications
You must be signed in to change notification settings - Fork 0
/
config.yaml
157 lines (147 loc) · 4.72 KB
/
config.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
apiVersion: v1alpha
kind: ProxyDefinition
# fine tuning the io parameters, following are default values and you dont have to change it unless you know what you are doing
ioParams:
bufferSize: 65536
useSplice: true
metrics:
# api prefix, defaults to "/api"
# api_prefix: /api
# static files to serve, set to null to disable, set "<embedded>" to use embedded ui (if feature enabled)
# ui: ./ui
bind: "0.0.0.0:8888"
timeouts:
idle: 10 # unit: seconds, default value: 600
udp: 10 # unit: seconds, default value: 600
listeners:
# if type is omited, it trys the name field for type,
- name: tproxy
bind: 0.0.0.0:8080
protocol: tcp # default
# udp tproxy listener requires cap_net_admin,
# set with command `setcap cap_net_admin+ep redproxy-rs` or run with root user
- name: tproxy-udp
type: tproxy
bind: 0.0.0.0:8080
protocol: udp
# default: false, whether use full cone NAT or restrictive NAT,
# full cone NAT is slower and unable to filter with dst address,
# restrictive NAT is a little faster and able to filter with dst address
# NOTE: socks5 upstreams only supports full cone NAT
udpFullCone: false
# default: 128, only applies for full cone NAT, controls how many sockets to be cached for sending udp replies.
udpMaxSocket: 256
- name: udp-reverse
type: reverse
bind: 0.0.0.0:8053
#target: 1.1.1.1:53
target: one.one.one.one:53
protocol: udp
- name: http
bind: 0.0.0.0:8081
- name: https
type: http
bind: 0.0.0.0:8082
tls:
cert: test.crt
key: test.key
client:
ca: ca.crt
required: true
- name: socks
bind: 0.0.0.0:1080
allowUdp: true
enforceUdpClient: false # refs RFC1928 page 6 "The server MAY use this information to limit access to the association."
# overrideUdpAddress: 127.0.0.1 # override ip address returned to client, useful if your server is behind NAT
auth:
# required means client MUST send username,
# if it's false, user/pass is still asked from client but not check agaist following list
# it's main used to satisfy some strange software that do not work with NoAuth option of SOCK5
required: true
# following section are checked first, then run cmd if previous check failed.
users:
- username: a
password: a
cmd:
- test
- "#USER#"
- ==
- "#PASS#"
cache:
timeout: 10 # cache time in seconds
- name: quic
bind: 0.0.0.0:4433
tls:
cert: test.crt
key: test.key
connectors:
- name: loadbalance
connectors:
- direct
- http
algo:
hashBy: request.source
- name: direct
# bind: 192.168.100.1
dns:
# could be one of: google,cloudflare,system,comma splited ip list with optional port number
servers: system
# servers: 192.168.100.1:5353,1.1.1.1,8.8.8.8:53
family: V4Only # one of V4Only, V6Only, V4First, V6First(default)
- name: http
server: 192.168.100.1
port: 7081
- name: https
type: http
server: 192.168.100.1
port: 3333
tls:
insecure: true
ca: ca.crt
auth:
cert: proxy.crt
key: proxy.key
- name: socks
server: 192.168.100.1
port: 1080
- name: socks-tls
type: socks
server: 192.168.100.1
port: 9123
auth:
username: proxy
password: fuckgfw
tls:
insecure: true
- name: quic
server: 192.168.100.1
port: 7081
inline_udp: false # inline udp connection means to use reliable streams instead of unreliable datagrams for udp forwarding, default: false
tls:
insecure: true
rules:
# - filter: cidr_match(request.target.host,"127.0.0.0/8") || request.target.host == "localhost"
# target: deny
# - filter: request.target.type == "domain"
# target: loadbalance
- filter: request.feature == "UdpForward"
target: quic
- filter: request.source.host == "127.0.0.1"
target: direct
# available varibles are request: { source: string, target: {port:int, host:string, type:string }, listener: string }
# available functions: split(str,str)->[str] to_string(any)->str to_integer(str)->int
- filter: request.source =~ "127.0.0.1" and request.target =~ "google.com"
target: direct
- filter: request.target.type == "ipv6"
target: https
- filter: request.target =~ "deny-me.com"
# target "deny" is a resvered target name for explicitly deny a matching request
target: deny
- target: direct
# an empty filter means that all requests will be accepted.
# if no rule matches the request, access will be denied.
accessLog:
path: access.log
format: json
# script: |
# `src=${request.source} dst=${request.target} listener=${request.listener} connector=${request.connector}`