Core Concepts
Surge has four core jobs: capture traffic, resolve names, choose an outbound policy, and optionally inspect or modify HTTP traffic.
Traffic Takeover
Surge can receive traffic through the system proxy settings, a local proxy server, or Surge VIF. Surge VIF is the virtual network interface used to handle apps that do not honor system proxy settings.
DNS Resolution
Surge has its own DNS client. This makes advanced behaviors possible, including encrypted DNS, local DNS mapping, fake IP handling, and per-domain DNS server assignment.
Rules and Policies
Rules answer "which traffic is this?" Policies answer "what should Surge do with it?"
A rule matches a request and returns a policy. The policy may be a built-in policy such as DIRECT or REJECT, a proxy policy, or a policy group.
Policy Groups
Policy groups make routing flexible. You can write rules against a stable group name, then change the selected proxy manually, by latency testing, by fallback behavior, or by subnet.
HTTP Processing
After traffic reaches Surge, HTTP requests and responses can be rewritten, mocked, decrypted with MITM, or processed by scripts. HTTPS traffic must match the MITM hostname list before Surge can see the decrypted HTTP content.
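The relationships described above (a rule returns a policy, a policy is a built-in, a proxy, or a policy group, and MITM only applies to listed hostnames) can be checked mechanically in a profile. The following is an added example, not Surge's own code: the profile text is constructed, the section names and line formats (`[Proxy]`, `[Proxy Group]`, `[Rule]`, `[MITM]`, `hostname = ...`) are assumed from Surge's profile format rather than taken from this page, and `parse_sections` and `audit` are hypothetical helper names.

```python
# Added example, not Surge code. The profile text below is constructed.
BUILTIN = {"DIRECT", "REJECT"}  # the two built-in policies named on this page

SAMPLE_PROFILE = """\
[Proxy]
ProxyA = http, proxy-a.example.net, 8080
ProxyB = http, proxy-b.example.net, 8080

[Proxy Group]
Outbound = select, ProxyA, ProxyB

[Rule]
DOMAIN-SUFFIX,internal.example.com,DIRECT
DOMAIN-KEYWORD,tracker,REJECT
DOMAIN-SUFFIX,example.org,Outbound
DOMAIN,old.example.org,ProxyC
FINAL,Outbound

[MITM]
hostname = api.example.org, *.example.com
"""

def parse_sections(text):
    """Split an INI-like profile into {section name: [lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "//", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None:
            current.append(line)
    return sections

def audit(text):
    """Return rules whose policy is undefined, plus the MITM hostname scope."""
    s = parse_sections(text)
    def names(sec):
        return {l.split("=", 1)[0].strip() for l in s.get(sec, []) if "=" in l}
    known = BUILTIN | names("Proxy") | names("Proxy Group")
    dangling = []
    for rule in s.get("Rule", []):  # plain TYPE,value,policy rules and FINAL,policy only
        f = [p.strip() for p in rule.split(",")]
        policy = f[1] if f[0] == "FINAL" and len(f) > 1 else f[2] if len(f) > 2 else ""
        if policy not in known:
            dangling.append((rule, policy))
    hosts = [h.strip() for l in s.get("MITM", []) if l.partition("=")[0].strip() == "hostname"
             for h in l.partition("=")[2].split(",") if h.strip()]
    return {"dangling": dangling, "mitm_hosts": hosts, "mitm_wildcards": [h for h in hosts if "*" in h]}
```

On the constructed profile, `audit(SAMPLE_PROFILE)` reports the rule pointing at the undefined `ProxyC` and lists the hostnames whose HTTPS traffic is in scope for decryption, with wildcard entries called out separately for review.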
Management and Observability
Surge provides Dashboard, Logbook, HTTP API, and surge-cli for observing traffic, checking profiles, running tests, and controlling local or remote instances.