Last active
October 7, 2023 04:11
-
-
Save bankroft/59aea9b9e08b2558e1973b22519e8eed to your computer and use it in GitHub Desktop.
shadowrocket
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [General] | |
| bypass-system = true | |
| skip-proxy = 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,localhost,*.local,captive.apple.com,*.ccb.com,*.abchina.com.cn,*.psbc.com,www.baidu.com | |
| tun-excluded-routes = 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.88.99.0/24, 192.168.0.0/16, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 255.255.255.255/32, 239.255.255.250/32 | |
| dns-server = https://doh.pub/dns-query,https://dns.alidns.com/dns-query,223.5.5.5,119.29.29.29 | |
| fallback-dns-server = system | |
| ipv6 = false | |
| prefer-ipv6 = false | |
| # 直连的域名类规则使用系统dns进行查询。false表示不启用。 | |
| dns-direct-system = true | |
| icmp-auto-reply = false | |
| # 不开启时,REJECT策略默认只有在配置模式下生效。开启后,可以令该策略在其他全局路由模式下都生效。 | |
| always-reject-url-rewrite = false | |
| # 私有IP应答。如果不启用该选项,域名解析返回私有IP,Shadowrocket会认为该域名被劫持而强制使用代理。 | |
| private-ip-answer = true | |
| # 直连域名解析失败后使用代理。false表示不启用。 | |
| dns-direct-fallback-proxy = true | |
| # 当UDP流量匹配到规则里不支持UDP转发的节点策略时重新选择回退行为,可选行为包括DIRECT、REJECT。DIRECT表示直连转发UDP流量,REJECT表示拒绝转发UDP流量。 | |
| udp-policy-not-supported-behaviour = REJECT | |
| # DNS劫持。有些设备或软件总是使用硬编码的DNS服务器,例如Netflix通过Google DNS(8.8.8.8或8.8.4.4)发送请求,您可以使用此选项来劫持查询。 | |
| hijack-dns = 8.8.8.8:53,8.8.4.4:53 | |
| [Proxy] | |
| # 添加本地节点。 | |
| # Shadowsocks类型: | |
| # 节点名称=ss,地址,端口,password=密码,其他参数(如method=aes-256-cfb,obfs=websocket,plugin=none) | |
| # Vmess类型: | |
| # 节点名称=vmess,地址,端口,password=密码,其他参数(如alterId=0,method=auto,obfs=websocket,tfo=1) | |
| # VLESS类型: | |
| # 节点名称=vless,地址,端口,password=密码,tls=true,其他参数(如obfs=websocket,peer=example.com) | |
| # HTTP/HTTPS/Socks5/Socks5 Over TLS等类型: | |
| # 节点名称=http,地址,端口,用户,密码 | |
| # 节点名称=https,地址,端口,用户,密码 | |
| # 节点名称=socks5,地址,端口,用户,密码 | |
| # 节点名称=socks5-tls,地址,端口,用户,密码,skip-common-name-verify=true | |
| # Trojan类型: | |
| # 节点名称=trojan,地址,端口,password=密码,其他参数(如allowInsecure=1,peer=example.com) | |
| [Proxy Group] | |
| # 代理分组类型: | |
| # select:手动选择节点。 | |
| # url-test:自动选择延迟最低节点。 | |
| # fallback:节点挂掉时自动切换其他可用节点。 | |
| # load-balance:不同规则的请求使用分组里的不同节点进行连接。 | |
| # random:随机使用分组里的不同节点进行连接。 | |
| # ---------- | |
| # policy-regex-filter表示正则式或关键词筛选,常用写法: | |
| # 保留节点名称含有关键词A和B的节点: | |
| # (?=.*(A))^(?=.*(B))^.*$ | |
| # 保留节点名称含有关键词A或B的节点: | |
| # A|B | |
| # 排除节点名称含有关键词A或B的节点: | |
| # ^((?!(A|B)).)*$ | |
| # 保留节点名称含有关键词A并排除含有关键词B的节点: | |
| # (?=.*(A).)^((?!(B)).)*$ | |
| # ---------- | |
| # 代理分组其他设置参数: | |
| # interval:指定间隔多长时间后需要重新发起测试。 | |
| # timeout:如果测试在超时前未完成,放弃测试。 | |
| # tolerance:只有当新优胜者的分数高于旧优胜者的分数加上公差时,才会进行线路更换。 | |
| # url:指定要测试的URL。 | |
| # ---------- | |
| # 不含正则筛选的代理分组,示例: | |
| # 名称=类型(如select,url-test,fallback,load-balance,random),策略(如direct,proxy,订阅名称,代理分组,节点),interval=测试周期,timeout=超时时间,tolerance=公差,select=默认策略(0表示第一个策略,1表示第二个策略,2表示第三个策略……),url=测试地址 | |
| # 含正则筛选的代理分组,示例: | |
| # 名称=类型(如select,url-test,fallback,load-balance,random),policy-regex-filter=正则式或关键词筛选,interval=测试周期,timeout=超时时间,tolerance=公差,select=默认策略(0表示第一个策略,1表示第二个策略,2表示第三个策略……),url=测试地址 | |
| # ---------- | |
| Apple = select,DIRECT,PROXY,interval=86400,timeout=5,select=0,url=http://www.gstatic.com/generate_204 | |
| Microsoft = select,DIRECT,PROXY,interval=86400,timeout=5,select=0,url=http://www.gstatic.com/generate_204 | |
| PayPal = select,DIRECT,PROXY,interval=86400,timeout=5,select=0,url=http://www.gstatic.com/generate_204 | |
| Netflix = select,PROXY,interval=86400,timeout=5,select=0,url=http://www.gstatic.com/generate_204 | |
| TikTok = select,PROXY,interval=86400,timeout=5,select=0,url=http://www.gstatic.com/generate_204 | |
| DouYin = select,DIRECT,PROXY,interval=86400,timeout=5,select=0,url=http://www.gstatic.com/generate_204 | |
| Speedtest = select,DIRECT,PROXY,interval=86400,timeout=5,select=0,url=http://www.gstatic.com/generate_204 | |
| Select = select,PROXY,DIRECT,interval=86400,timeout=5,select=0,url=http://www.gstatic.com/generate_204 | |
| OpenAI = select,PROXY,interval=86400,timeout=5,select=0,url=http://www.gstatic.com/generate_204 | |
| Proxy = select,PROXY,interval=86400,timeout=5,select=0,url=http://www.gstatic.com/generate_204 | |
| Default = select,DIRECT,PROXY,select=0 | |
| [Rule] | |
| # 规则类型: | |
| # DOMAIN-SUFFIX:匹配请求域名的后缀。如“DOMAIN-SUFFIX,example.com,DIRECT”可以匹配到“a.example.com、a.b.example.com”。 | |
| # DOMAIN-KEYWORD:匹配请求域名的关键词。如“DOMAIN-KEYWORD,exa,DIRECT”可以匹配到“a.example.com、a.b.example.com”。 | |
| # DOMAIN:匹配请求的完整域名。如“DOMAIN,www.example.com,DIRECT”只能匹配到“www.example.com”。 | |
| # USER-AGENT:匹配用户代理字符串,支持使用通配符“*”。如“USER-AGENT,MicroMessenger*,DIRECT”可以匹配到“MicroMessenger Client”。 | |
| # URL-REGEX:匹配URL正则式。如“URL-REGEX,^https?://.+/item.+,REJECT”可以匹配到“https://www.example.com/item/abc/123”。 | |
| # IP-CIDR:匹配IPv4或IPv6地址。如“IP-CIDR,192.168.1.0/24,DIRECT,no-resolve”可以匹配到IP段“192.168.1.1~192.168.1.254”。规则加no-resolve时,IP请求会匹配到这条规则,而域名请求不会用解析出来的IP去匹配这条规则。规则不加no-resolve时,则IP请求可匹配,域名解析后的IP也可匹配。 | |
| # IP-ASN:匹配IP地址隶属的ASN编号。如“IP-ASN,56040,DIRECT”可以匹配到微信的相关IP请求。 | |
| # RULE-SET:匹配规则集内容。规则集的组成部分需包含规则类型。 | |
| # DOMAIN-SET:匹配域名集内容。域名集的组成部分不包含规则类型。 | |
| # SCRIPT:匹配脚本名称。 | |
| # DST-PORT:匹配目标主机名的端口号。如“DST-PORT,443,DIRECT”可以匹配到443目标端口。 | |
| # GEOIP:匹配IP数据库。如“GEOIP,CN,DIRECT”可以匹配到归属地为CN的IP地址。 | |
| # FINAL:兜底策略。如“FINAL,PROXY”表示当其他所有规则都匹配不到时才使用FINAL规则的策略。 | |
| # AND:逻辑规则,与规则。如“AND,((DOMAIN,www.example.com),(DST-PORT,123)),DIRECT”可以匹配到“www.example.com:123”。 | |
| # NOT:逻辑规则,非规则。如“NOT,((DST-PORT,123)),DIRECT”可以匹配到除了“123”端口的其他所有请求。 | |
| # OR:逻辑规则,或规则。如“OR,((DST-PORT,123),(DST-PORT,456)),DIRECT”可以匹配到“123”或“456”端口的所有请求。 | |
| # ---------- | |
| # 规则策略: | |
| # PROXY:代理。通过首页正在使用的代理服务器转发流量。 | |
| # DIRECT:直连。连接不经过任何代理服务器。 | |
| # REJECT:拒绝。返回HTTP状态码404,没有内容。 | |
| # REJECT-DICT:拒绝。返回HTTP状态码200,内容为空的JSON对象。 | |
| # REJECT-ARRAY:拒绝。返回HTTP状态码200,内容为空的JSON数组。 | |
| # REJECT-200:拒绝。返回HTTP状态码200,没有内容。 | |
| # REJECT-IMG:拒绝。返回HTTP状态码200,内容为1像素GIF。 | |
| # REJECT-TINYGIF:拒绝。返回HTTP状态码200,内容为1像素GIF。 | |
| # REJECT-DROP:拒绝。丢弃IP包。 | |
| # REJECT-NO-DROP:拒绝。返回ICMP端口不可达。 | |
| # 除此之外,规则策略还可以选择「代理分组」、「订阅名称」、「分组」、「节点」。 | |
| # ---------- | |
| # 规则匹配的优先级: | |
| # 1.规则从上到下依次匹配。 | |
| # 2.域名规则优先于IP规则。 | |
| # ---------- | |
| # 关于屏蔽443端口的UDP流量的解释内容:HTTP3/QUIC协议开始流行,但是国内ISP和国际出口的UDP优先级都很低,表现很差,屏蔽掉以强制回退HTTP2/HTTP1.1。(如需启用该逻辑规则,请删除AND前面的注释符号#) | |
| # AND,((PROTOCOL,UDP),(DST-PORT,443)),REJECT-NO-DROP | |
| # ---------- | |
| RULE-SET,https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Shadowrocket/Advertising/Advertising.list,REJECT | |
| # 本地局域网地址的规则集。 | |
| RULE-SET,https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Shadowrocket/Lan/Lan.list,DIRECT | |
| # 直连策略的修正规则集。 | |
| RULE-SET,https://gist.githubusercontent.com/bankroft/59aea9b9e08b2558e1973b22519e8eed/raw/6d3f127bc01a54f4efac37e7a3f4d36fab9a848b/direct.amend,DIRECT | |
| # 代理策略的修正规则集。 | |
| RULE-SET,https://gist.githubusercontent.com/bankroft/59aea9b9e08b2558e1973b22519e8eed/raw/6d3f127bc01a54f4efac37e7a3f4d36fab9a848b/proxy.amend,PROXY | |
| RULE-SET,https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/QuantumultX/Apple/Apple.list,Apple | |
| RULE-SET,https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Shadowrocket/Netflix/Netflix.list,Netflix | |
| RULE-SET,https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Shadowrocket/PayPal/PayPal.list,Paypal | |
| RULE-SET,https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Shadowrocket/OpenAI/OpenAI.list,OpenAI | |
| # Game | |
| RULE-SET,https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Shadowrocket/Nintendo/Nintendo.list,Select | |
| RULE-SET,https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Shadowrocket/Epic/Epic.list,Select | |
| RULE-SET,https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Shadowrocket/Steam/Steam.list,Proxy | |
| # Microsoft | |
| RULE-SET,https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Shadowrocket/Microsoft/Microsoft.list,Microsoft | |
| RULE-SET,https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Shadowrocket/OneDrive/OneDrive.list,Microsoft | |
| RULE-SET,https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Shadowrocket/GitHub/GitHub.list,Proxy | |
| # Tiktok | |
| RULE-SET,https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Shadowrocket/TikTok/TikTok.list,TikTok | |
| RULE-SET,https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Shadowrocket/DouYin/DouYin.list,DouYin | |
| # Speedtest | |
| RULE-SET,https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Shadowrocket/Speedtest/Speedtest.list,Speedtest | |
| RULE-SET,https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Shadowrocket/Google/Google.list,Proxy | |
| RULE-SET,https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Shadowrocket/GoogleDrive/GoogleDrive.list,Proxy | |
| RULE-SET,https://raw.githubusercontent.com/blackmatrix7/ios_rule_script/master/rule/Shadowrocket/YouTube/YouTube.list,Proxy | |
| FINAL,Default | |
| [Host] | |
| # 域名指定本地值: | |
| # example.com=1.2.3.4 | |
| # 域名指定DNS服务器: | |
| # example.com=server:1.2.3.4 | |
| # wifi名称指定DNS服务器,如需指定多个DNS,可用逗号分隔: | |
| # ssid:wifi名称=server:1.2.3.4 | |
| localhost = 127.0.0.1 | |
| [URL Rewrite] | |
| # # Google搜索引擎防跳转的重写。 | |
| # ^https?://(www.)?g.cn https://www.google.com 302 | |
| # ^https?://(www.)?google.cn https://www.google.com 302 | |
| [Script] | |
| # BoxJs安装脚本。 | |
| # Rewrite: BoxJs = type=http-request,pattern=https?:\/\/boxjs\.(com|net),script-path=https://raw.githubusercontent.com/chavyleung/scripts/master/box/chavy.boxjs.js, requires-body=true, timeout=120 | |
| [MITM] | |
| # Shadowrocket仅会解密hostname指定的域名的请求,可以使用通配符。也可以使用前缀 - 排除特定主机名,如 -*.example.com。iOS系统和某些应用有严格的安全策略,仅信任某些特定的证书,对这些域名启动解密可能导致问题,如 *.apple.com,*.icloud.com。 | |
| # hostname = www.google.cn,*.tiktokv.com,*.byteoversea.com,*.tik-tokapi.com |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DOMAIN-SUFFIX,pool.ntp.org | |
| DOMAIN-SUFFIX,ntp.nasa.gov |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DOMAIN-SUFFIX,v2ex.com | |
| DOMAIN-SUFFIX,bing.com | |
| DOMAIN-SUFFIX,onedrive.live.com | |
| DOMAIN-SUFFIX,game.boombeachgame.com | |
| DOMAIN-SUFFIX,boombox.scinbox.qq.com | |
| DOMAIN-SUFFIX,supercell.helpshift.com |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment