Proxy Policy

A proxy policy forwards the request to another proxy server. Surge supports the HTTP, HTTPS, SOCKS5 and SOCKS5-TLS proxy protocols.

Section [Proxy] declares proxy policies. You can create multiple proxies for different rules.

Example configuration lines:

ProxyHTTP = http,, 443, username, password
ProxyHTTPS = https,, 443, username, password
ProxySOCKS5 = socks5,, 443, username, password
ProxySOCKS5TLS = socks5-tls,, 443, username, password, skip-common-name-verify=true

Proxy Type

Surge supports multiple standard proxy protocols.

  • HTTP Proxy: ProxyHTTP = http,, 443, username, password
  • HTTPS Proxy (HTTP Proxy via TLS): ProxyHTTPS = https,, 443, username, password
  • SOCKS5: ProxySOCKS5 = socks5,, 443, username, password
  • SOCKS5 via TLS: ProxySOCKS5TLS = socks5-tls,, 443, username, password

Surge also supports multiple non-standard proxy protocols.

  • Snell: ProxySnell = snell,, 8000, psk=password
  • Shadowsocks: ProxySS = ss,, 8000, encrypt-method=chacha20-ietf-poly1305, password=abcd1234
  • VMess: ProxyVMess = vmess,, 8000, username=0233d11c-15a4-47d3-ade3-48ffca0ce119
  • Trojan: ProxyTrojan = trojan,, 443, password=password1

Snell is a lightweight encryption proxy protocol developed by ourselves. You may get the server-side binary from


Parameters for all proxy types

  • interface: Optional (Default: N/A).

    Forces the connection to use the specified outgoing network interface (available on macOS only). Make sure the interface has a valid route table to the destination address.

      ProxyHTTP = http,, 443, username, password, interface = en2

  • allow-other-interface: Optional (Default: false).

    When this option is true and the desired interface is not available, Surge is allowed to use the default interface to bind the connection. Otherwise, the connection fails directly.

      ProxyHTTP = http,, 443, username, password, interface = en2, allow-other-interface=true

  • test-url

    Overrides the global testing URL. The URL is used for availability and latency testing.

  • tfo

    Enables TCP Fast Open for the policy.

  • mptcp

    Enables Multipath TCP for the policy. Must be used with the Network Framework. (Experimental feature)

  • no-error-alert

Parameter for proxy via TLS (HTTP, SOCKS5-TLS, VMess, Trojan)

  • skip-cert-verify: Optional, "true" or "false" (Default: false).

    If this option is enabled, Surge will not verify the server's certificate.

  • sni (Default: the proxy hostname)

    You may customize the Server Name Indication (SNI) during the TLS handshake. Use sni=off to turn off SNI completely. By default Surge sends the SNI using the hostname like most browsers.
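An added example, not part of the Surge documentation: a small Python linter that reads the [Proxy] section of a profile and flags policies that set skip-cert-verify=true or that send a username and password over a proxy type without TLS (http, socks5). The function names, the sample profile, its hostnames and the `#` comment handling are assumptions made for this illustration.

```python
CLEARTEXT_TYPES = {"http", "socks5"}  # proxy session is not wrapped in TLS

# Constructed sample profile; hostnames and secrets are placeholders.
SAMPLE_PROFILE = """\
[General]
loglevel = notify

[Proxy]
Office = http, proxy.example.com, 443, alice, s3cret
Edge = https, proxy.example.com, 443, alice, s3cret
Lab = socks5-tls, lab.example.net, 443, bob, hunter2, skip-cert-verify=true
Tunnel = trojan, t.example.org, 443, password=password1, sni=off
"""

def parse_proxies(profile):
    """Yield (name, type, positional_args, options) for each [Proxy] line."""
    section = None
    for raw in profile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumed comment marker
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Proxy" or "=" not in line:
            continue
        name, _, spec = line.partition("=")
        fields = [f.strip() for f in spec.split(",")]
        # key=value fields are options; the rest are host, port, username, password
        options = {k.strip(): v.strip() for k, _, v in
                   (f.partition("=") for f in fields[1:] if "=" in f)}
        positional = [f for f in fields[1:] if "=" not in f]
        yield name.strip(), fields[0].lower(), positional, options

def audit_proxies(profile):
    """Return (policy_name, issue) pairs for risky proxy definitions."""
    findings = []
    for name, ptype, positional, opts in parse_proxies(profile):
        if ptype in CLEARTEXT_TYPES and len(positional) >= 4:
            findings.append((name, "credentials sent to the proxy without TLS"))
        if opts.get("skip-cert-verify", "false").lower() == "true":
            findings.append((name, "server certificate is not verified"))
    return findings

if __name__ == "__main__":
    for name, issue in audit_proxies(SAMPLE_PROFILE):
        print(f"{name}: {issue}")
```

The parser splits on commas, so a password that itself contains a comma or an equals sign would need quoting rules that this sketch does not implement.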

Parameter for HTTP/HTTPS protocol

  • always-use-connect

Parameter for protocols that support obfuscating (Shadowsocks, Snell)

  • obfs
  • obfs-host
  • obfs-uri

Parameter for Snell protocol

  • psk
  • version

Parameter for Shadowsocks protocol

  • udp-relay

Parameter for VMess protocol

  • ws
  • ws-path
  • ws-headers
  • encrypt-method

Client Certificate for TLS Proxy

Surge supports client certificate verification for TLS based proxies.

[Proxy]
Proxy = https,, 443, client-cert=cert1

[Keystore]
cert1 = base64=, password=123456
