Proxy Policy

A proxy policy indicates forwarding the request to another proxy server. Surge supports HTTP/HTTPS/SOCKS5/SOCKS5-TLS and more proxy protocols.

Section [Proxy] declares proxy policies. You can create multiple proxies for different rules.

The configuration lines example:

ProxyHTTP = http,, 443, username, password
ProxyHTTPS = https,, 443, username, password
ProxySOCKS5 = socks5,, 443, username, password
ProxySOCKS5TLS = socks5-tls,, 443, username, password, skip-common-name-verify=true

Proxy Type

Surge supports the most common standard proxy protocols.

  • HTTP Proxy: ProxyHTTP = http,, 443, username, password
  • HTTPS Proxy (HTTP Proxy via TLS): ProxyHTTPS = https,, 443, username, password
  • SOCKS5: ProxySOCKS5 = socks5,, 443, username, password
  • SOCKS5 via TLS: ProxySOCKS5TLS = socks5-tls,, 443, username, password

Surge also supports several non-standard proxy protocols.

  • Snell: Proxy-Snell = snell,, 8000, psk=password, version=4
  • Shadowsocks: Proxy-SS = ss,, 8000, encrypt-method=chacha20-ietf-poly1305, password=abcd1234
  • VMess: Proxy-VMess = vmess,, 8000, username=0233d11c-15a4-47d3-ade3-48ffca0ce119
  • Trojan: Proxy-Trojan = trojan,, 443, password=password1
  • TUIC: Proxy-TUIC = tuic,, 443, token=pwd, alpn=h3

Surge supports UDP relay of Snell V3/V4, Shadowsocks, Trojan, WireGuard, and TUIC protocols. The UDP relay support for shadowsocks proxies should be turned on manually by adding the parameter udp-relay=true since the shadowsocks server may not support the UDP relay.


Parameters for all proxy types

All parameters in Common Policy Parameters are also available for proxy policies.

  • no-error-alert

Do not show error alerts for this policy.

  • underlying-proxy

Use a proxy to connect another proxy, aka proxy chain.

  • test-udp


Override the global proxy-test-udp settings for the proxy. Surge test and benchmark the UDP relay by performing a DNS lookup.

Parameter for proxy via TLS (HTTP, SOCKS5-TLS, VMess, Trojan, TUIC)

  • skip-cert-verify: Optional, "true" or "false" (Default: false).

    If this option is enabled, Surge will not verify the server's certificate.

  • sni: The default value is the proxy hostname

    You may customize the Server Name Indication (SNI) during the TLS handshake. Use sni=off to turn off SNI completely. By default, Surge sends the SNI using the hostname like most browsers.

Parameter for HTTP/HTTPS protocol

  • always-use-connect: Optional.

Always use the HTTP CONNECT method to relay, even for plain HTTP requests.

Parameter for protocols that support obfuscating (Shadowsocks, Snell)

  • obfs: Optional. http or tls`
  • obfs-host: Optional.
  • obfs-uri: Optional.

Parameter for Snell protocol

See Snell Protocol for more information.

  • psk: Required.
  • version: Required.
  • reuse: Optional. Connection reuse is an optional feature for Snell V4.

Parameter for Shadowsocks protocol

  • udp-relay: Optional. Since the UDP relay is optional for the shadowsocks server, you must enable the UDP relay explicitly.

Parameter for VMess protocol

  • ws: Optional. Use the Web Socket transport layer.
  • ws-path: Optional.
  • ws-headers: Optional.
  • encrypt-method: Optional.

Parameter for Trojan protocol

  • ws: Optional. Use the Web Socket transport layer.
  • ws-path: Optional.
  • ws-headers: Optional.

Parameter for TUIC

  • token: Required.
  • alpn: Optional. It must match the server's ALPN setting.

Client Certificate for TLS Proxy

Surge supports client certificate verification for TLS-based proxies.


Proxy = https,, 443, client-cert=cert1

cert1 = base64=<P12 base64 string here>, password=123456

Shadow TLS

Shadow TLS is a proxy obfuscator and can be used with any TCP-based proxy. (

Starting from Surge iOS 5.2.0 & Surge Mac 4.10.0, Surge supports Shadow TLS V2 protocol. Append shadow-tls-password to any proxy declaration to utilize it.


STLS-SNELL = snell,, 443, psk=pwd1, version=4, reuse=true, shadow-tls-password=pwd2


  • shadow-tls-password: Required. It must match the server's setting.
  • shadow-tls-sni: Optional. The SNI will be sent to the server during the TLS handshake in plain. If not set, no SNI will be sent.

results matching ""

    No results matching ""