General configuration ¶

Allow LAN ¶

Allows other devices to access the internet through Clash proxy port.

Optional values: true/false

allow-lan: true

Binding address, only allows other devices to access through this address.

"*" binds to all IP addresses.
"192.168.31.31" binds to a single IPV4 address.
"[aaaa::a8aa:ff:fe09:57d8]" binds to a single IPV6 address.

bind-address: "*"

Allowed IP address ranges for connection, applicable only when allow-lan is set to true. Default values are 0.0.0.0/0 and ::/0.

lan-allowed-ips:
- 0.0.0.0/0
- ::/0

Disallowed IP address ranges for connection. Blacklist takes precedence over whitelist, default is empty.

lan-disallowed-ips:
- 192.168.0.3/32

User Authentication ¶

User authentication for http(s), socks, and mixed proxies.

authentication:
- "user1:pass1"
- "user2:pass2"

Set the IP ranges allowed to skip authentication.

skip-auth-prefixes:
- 127.0.0.1/8
- ::1/128

Operation Mode ¶

rule Rule-based matching
global Global proxy (requires selecting proxy/strategy in GLOBAL proxy group)
direct Global direct connection

defaulting to rule mode.

mode: rule

Log Level ¶

Controls the logging level of Clash core, only output to console and control page.

log-level: info

silent Silent, no output.
error Outputs logs of errors and unusable logs.
warning Outputs logs of errors that do not affect operations, and logs of error level.
info Outputs general operational logs, as well as logs of error and warning levels.
debug Outputs as much information as possible during runtime.

IPv6 ¶

Whether to allow the kernel to accept IPv6 traffic.

default is true.

ipv6: true

TCP Keep Alive Interval ¶

Controls the interval at which Clash sends out TCP Keep Alive packets to reduce temporary measures for mobile device power consumption.

unit is seconds

keep-alive-interval: 30

The time Clash discovers and closes an invalid TCP connection:

1 × keep-alive-interval + 9 × keep-alive-interval

Process Matching Mode ¶

Controls whether Clash matches processes.

always Enables, forces matching of all processes.
strict Default, Clash determines whether to enable.
off Does not match processes, recommended for use on routers.

find-process-mode: strict

External Control (API)¶

External controller, allows controlling your Clash kernel using RESTful API.

API listening address, you can change 127.0.0.1 to 0.0.0.0 to listen on all IPs.

external-controller: 127.0.0.1:9090

Unix socket API listening address

Accessing API endpoints via Unix socket does not verify secrets. If enabled, please ensure security measures are in place.

external-controller-unix: mihomo.sock

HTTPS-API listening address, requires configuring the tls section for certificate and private key configuration, external-controller must also be filled in.

external-controller-tls: 127.0.0.1:9443

Access key for the API.

secret: ""

External User Interface ¶

Allows running static webpage resources (such as Clash-dashboard) on Clash API, path is API address/ui.

external-ui: /path/to/ui/folder

Can be an absolute path or a relative path to the Clash working directory.

Custom External User Interface Name ¶

external-ui-name: xd      # Merged into external-ui/xd

Not mandatory, will be updated to the specified folder during updates, if not configured, it will be updated directly to the external-ui directory.

Custom External User Interface Download URL ¶

external-ui-url: "<https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.zip>" # Get from GitHub Pages branch

Cache ¶

In Clash official, profile should be an extension configuration, but in Clash.meta, it is only used as a cache item.

profile:
  store-selected: true

# Stores API selections for strategy groups for use on the next start

  store-fake-ip: true

# Stores the fakeip mapping table, using the original mapping address when the domain connects again

Unified Delay ¶

Change delay calculation method, remove additional delays such as handshakes.

unified-delay: true

TCP Concurrency ¶

tcp-concurrent: true

Outbound Interface ¶

Clash's traffic outbound interface.

interface-name: en0

Routing Mark ¶

Provides a default traffic mark for outbound connections on Linux.

routing-mark: 6666

TLS ¶

Currently only used for https in API.

tls:
  certificate: string # Certificate PEM format or certificate path
  private-key: string # Private key PEM format corresponding to the certificate, or private key path

Global Client Fingerprint ¶

Global TLS fingerprint, lower priority than client-fingerprint inside proxy.

Currently supports TCP/grpc/WS/HTTP transport with TLS, supported protocols are VLESS, Vmess, and trojan.

global-client-fingerprint: chrome

Note

Options: chrome, firefox, safari, iOS, android, edge, 360, qq, random If random is selected, a modern browser fingerprint will be generated based on Cloudflare Radar data.

GEO Data Mode ¶

Change the geoip usage file, mmdb or dat,true is dat, with a default value of false.

geodata-mode: true

GEO File Loading Mode ¶

Optional loading modes are as follows:

standard: Standard loader
memconservative: Loader optimized for memory-limited (small memory) devices (default)

geodata-loader: memconservative

Auto Update GEO ¶

geo-auto-update: false

Update interval, unit is hours

geo-update-interval: 24

Custom GEO Download Address ¶

geox-url:
  geoip: "https://testingcf.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.dat"
  geosite: "https://testingcf.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geosite.dat"
  mmdb: "https://testingcf.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/country.mmdb"
  asn: "https://github.com/xishang0128/geoip/releases/download/latest/GeoLite2-ASN.mmdb"

Custom Global UA ¶

Custom UA used when downloading external resources, default is clash.meta.

global-ua: clash.meta