Proxy Policy

A proxy policy forwards the request to another proxy server. Surge supports HTTP, HTTPS, SOCKS5, SOCKS5-TLS and other proxy protocols.

Section [Proxy] declares proxy policies. You can create multiple proxies for different rules.

Example configuration lines:

[Proxy]
ProxyHTTP = http, 1.2.3.4, 443, username, password
ProxyHTTPS = https, 1.2.3.4, 443, username, password
ProxySOCKS5 = socks5, 1.2.3.4, 443, username, password
ProxySOCKS5TLS = socks5-tls, 1.2.3.4, 443, username, password, skip-common-name-verify=true

Proxy Type

Surge supports the most common standard proxy protocols.

  • HTTP Proxy: ProxyHTTP = http, 1.2.3.4, 443, username, password
  • HTTPS Proxy (HTTP Proxy via TLS): ProxyHTTPS = https, 1.2.3.4, 443, username, password
  • SOCKS5: ProxySOCKS5 = socks5, 1.2.3.4, 443, username, password
  • SOCKS5 via TLS: ProxySOCKS5TLS = socks5-tls, 1.2.3.4, 443, username, password
  • SSH
  • WireGuard (L3 layer VPN as proxy)

Surge also supports several non-standard proxy protocols.

  • Snell: Proxy-Snell = snell, 1.2.3.4, 8000, psk=password, version=4
  • Shadowsocks: Proxy-SS = ss, 1.2.3.4, 8000, encrypt-method=chacha20-ietf-poly1305, password=abcd1234
  • VMess: Proxy-VMess = vmess, 1.2.3.4, 8000, username=0233d11c-15a4-47d3-ade3-48ffca0ce119
  • Trojan: Proxy-Trojan = trojan, 192.168.20.6, 443, password=password1
  • TUIC: Proxy-TUIC = tuic, 192.168.20.6, 443, token=pwd, alpn=h3

Surge supports UDP relay for the Snell V3/V4, Shadowsocks, Trojan, WireGuard, and TUIC protocols. UDP relay for Shadowsocks proxies must be turned on manually by adding the parameter udp-relay=true, since the Shadowsocks server may not support UDP relay.

Parameters

Proxy chain

  • underlying-proxy

    Use one proxy to connect to another proxy (a proxy chain).

Parameter for proxy via TLS (HTTP, SOCKS5-TLS, VMess, Trojan, TUIC)

  • skip-cert-verify: Optional, "true" or "false" (Default: false).

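    If this option is enabled, Surge will not verify the server's certificate, so the TLS connection no longer protects against an on-path attacker impersonating the proxy server.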

  • sni: The default value is the proxy hostname

    You may customize the Server Name Indication (SNI) during the TLS handshake. Use sni=off to turn off SNI completely. By default, Surge sends the SNI using the hostname like most browsers.

  • server-cert-fingerprint-sha256: Optional

    Use a pinned server certificate instead of the standard X.509 validation.
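
An added example, not part of the Surge documentation or Surge's own code: a small Python audit of a profile's [Proxy] section that flags proxies with skip-cert-verify=true and plain http/socks5 proxies that carry a username and password without a TLS layer. The sample profile is constructed, and the parser assumes comma-separated fields with no quoted commas and "#" comment lines.

```python
# Added example: audit the [Proxy] section of a Surge-style profile.
# Assumptions: fields never contain quoted commas; "#" starts a comment line.
PLAINTEXT_TYPES = {"http", "socks5"}  # the types listed without a TLS layer

# Constructed sample profile (hosts and secrets are placeholders).
SAMPLE = """\
[Proxy]
Office = https, proxy.example.com, 443, alice, s3cret
Legacy = socks5, 192.0.2.10, 1080, alice, s3cret
Lab = trojan, 192.0.2.20, 443, password=pw, skip-cert-verify=true
Pinned = https, proxy.example.com, 443, server-cert-fingerprint-sha256=<fingerprint>

[Keystore]
cert1 = base64=<P12 base64 string here>, password=123456
"""

def parse_proxies(text):
    """Return {name: (type, positional_fields, options)} for the [Proxy] section."""
    proxies, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Proxy" or "=" not in line:
            continue  # ignore other sections such as [Keystore]
        name, _, spec = line.partition("=")
        fields = [f.strip() for f in spec.split(",")]
        positional = [f for f in fields[1:] if "=" not in f]
        options = {k.strip(): v.strip() for k, v in (f.split("=", 1) for f in fields[1:] if "=" in f)}
        proxies[name.strip()] = (fields[0].lower(), positional, options)
    return proxies

def audit(text):
    """Return sorted (proxy_name, finding) pairs."""
    findings = []
    for name, (ptype, positional, options) in parse_proxies(text).items():
        if options.get("skip-cert-verify", "false").lower() == "true":
            findings.append((name, "certificate verification disabled"))
        # host and port are positional; anything after them is username/password
        if ptype in PLAINTEXT_TYPES and len(positional) > 2:
            findings.append((name, "credentials sent without TLS"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```
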

Parameter for HTTP/HTTPS protocol

  • always-use-connect: Optional.

    Always use the HTTP CONNECT method to relay the request, even for plain HTTP requests.

Parameter for protocols that support obfuscating (Shadowsocks, Snell)

  • obfs: Optional. http or tls
  • obfs-host: Optional.
  • obfs-uri: Optional.

Parameter for Snell protocol

See Snell Protocol for more information.

  • psk: Required.
  • version: Required.
  • reuse: Optional. Connection reuse is an optional feature for Snell V4.

Parameter for Shadowsocks protocol

  • udp-relay: Optional. Since UDP relay is optional for the Shadowsocks server, you must enable it explicitly.

Parameter for VMess protocol

  • ws: Optional. Use the WebSocket transport layer.
  • ws-path: Optional.
  • ws-headers: Optional.
  • encrypt-method: Optional.

Parameter for Trojan protocol

  • ws: Optional. Use the WebSocket transport layer.
  • ws-path: Optional.
  • ws-headers: Optional.

Parameter for TUIC

  • token: Required.
  • alpn: Optional. It must match the server's ALPN setting.

Client Certificate for TLS Proxy

Surge supports client certificate verification for TLS-based proxies.

Example:

[Proxy]
Proxy = https, example.com, 443, client-cert=cert1

[Keystore]
cert1 = base64=<P12 base64 string here>, password=123456

Shadow TLS

Shadow TLS is a proxy obfuscator and can be used with any TCP-based proxy. (https://github.com/ihciah/shadow-tls)

Starting from Surge iOS 5.2.0 & Surge Mac 4.10.0, Surge supports Shadow TLS v2 protocol. Append shadow-tls-password to any proxy declaration to utilize it.

Example:

[Proxy]
STLS-SNELL = snell, 1.2.3.4, 443, psk=pwd1, version=4, reuse=true, shadow-tls-password=pwd2

Starting from Surge iOS 5.5.0 & Surge Mac 5.0.3, Surge supports Shadow TLS v3 protocol.

Example:

STLS-SNELL = snell, 1.2.3.4, 443, psk=pwd1, version=4, reuse=true, shadow-tls-password=pwd2, shadow-tls-version=3

Parameters

  • shadow-tls-password: Required. It must match the server's setting.
  • shadow-tls-sni: Optional. The SNI is sent to the server in plaintext during the TLS handshake. If not set, no SNI will be sent.
  • shadow-tls-version: Optional. Possible values: 2 or 3. Default value: 2.
