[General]
# 日志等级: warning, notify, info, verbose (默认值: notify)
loglevel = notify

# 跳过某个域名或者 IP 段，这些目标主机将不会由 Surge Proxy 处理。(在 macOS 
# 版本中，如果启用了 Set as System Proxy,  那么这些值会被写入到系统网络代理
# 设置中.)
# 特别跳过 apple 相关服务、百度网盘、CSDN
skip-proxy = localhost, *.local, 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 192.88.99.0/24, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32, *csdn.net, pan.baidu.com, *.mzstatic.com, *apple.com

# This option asks Surge to return a real IP address instead of a fake IP address when Surge VIF handles a DNS question.
always-real-ip = *.apple.com

# 强制使用特定的 DNS 服务器
dns-server = system, 223.5.5.5, 114.114.114.114

proxy-test-url = http://www.gstatic.com/generate_204
internet-test-url = http://www.gstatic.com/generate_204
test-timeout = 10

# 将系统相关请求交给 Surge TUN 处理，并自动追加规则 
bypass-system = true
# 将特定 IP 段跳过 Surge TUN，详见 Manual
bypass-tun = 192.168.0.0/16, 172.16.0.0/12, 100.64.0.0/10, 10.0.0.0/8, 17.0.0.0/8

# Surge VIF can only process TCP and UDP protocols. Use this option to bypass specific IP ranges to allow all traffic to pass through.
tun-excluded-routes = 192.168.0.0/16, 172.16.0.0/12, 100.64.0.0/10, 10.0.0.0/8, 17.0.0.0/8
# Make Surge treat TCP connections as HTTP requests. Surge HTTP engine will process the requests, and all advanced features will be available, such as capturing, rewrite and scripting.
force-http-engine-hosts = -*.apple.com
# You may use hijack-dns = *:53 to hijack all DNS queries.
# By default, Surge only returns fake IP addresses for DNS queries sent to Surge DNS address (198.18.0.2). Queries sent to a standard DNS will be forwarded.

# Some devices or software always use a hardcoded DNS server. (For example, Google Speakers always use 8.8.8.8). You may use this option to hijack the query to get a fake address.
hijack-dns = *:53

http-listen = 0.0.0.0
interface = 0.0.0.0
socks-interface = 0.0.0.0

allow-wifi-access = false

# 是否启动完整的 IPv6 支持 (默认值: false)
ipv6 = true
network-framework = false
shared-jsvm-context = false

exclude-simple-hostnames = true

# 允许外部控制器访问 Surge， 如 Surge-CLI。
external-controller-access = 12345678@0.0.0.0:6170

# 截取并保存 HTTP 流量 (启用后将对性能有较大影响)
[Replica]
hide-apple-request=1
hide-crashlytics-request=1
use-keyword-filter=false
hide-udp=0
keyword-filter-type=(null)
keyword-filter=(null)

# It's equivalent to /etc/hosts, but with more powerful features, including wildcard, alias and assigning DNS server.
[Host]
local.com = 127.0.0.1
# Since Surge has its own DNS client implementation, some hostnames may fail to resolve. You can use 'server:system' to let system handle the lookup.
Macbook = server:system

# related: https://manual.nssurge.com/policy/proxy.html
[Proxy]
ProxyHTTP = http, 1.2.3.4, 443, username, password, skip-common-name-verify=false
ProxyHTTPS = http, 1.2.3.4, 443, username, password, tls=true // 等价于 "https, 1.2.3.4, 443, username, password"
ProxySOCKS5 = socks5, 1.2.3.4, 443, username, password
ProxySOCKS5TLS = socks5, 1.2.3.4, 443, username, password, tls=true
SSproxy = ss, 1.2.3.4, 1025, encrypt-method=加密方式, password=密码, (obfs=http|tls, obfs-host=混淆域名, udp-relay=true|false, tfo=true|false) //括号 ( ) 内为可选参数
ProxySnell = snell, 1.2.3.4, 8000, psk=password
ProxySS = ss, 1.2.3.4, 8000, encrypt-method=chacha20-ietf-poly1305, password=abcd1234
ProxyVMess = vmess, 1.2.3.4, 8000, username=0233d11c-15a4-47d3-ade3-48ffca0ce119
ProxyTrojan = trojan, 192.168.20.6, 443, password=password1

[Proxy Group]
PROXY = select, AUTO, ProxyHTTP, ProxyHTTPS, ProxySOCKS5, ProxySOCKS5TLS, SSproxy
AUTO = url-test, ProxyHTTP, ProxyHTTPS, ProxySOCKS5, ProxySOCKS5TLS, SSproxy, url = http://captive.apple.com, interval = 600

# 该段定义请求处理规则
# 一个规则有三个基础部分:
#          类型,          值,            策略
# 比如:     DOMAIN-SUFFIX,apple.com,     DIRECT
#          IP-CIDR,      192.168.0.0/16,ProxyA
# 有 3 种基于域名的规则: "DOMAIN", "DOMAIN-SUFFIX" 和 "DOMAIN-KEYWORD"
#   参数:
#   force-remote-dns: 可选 (默认值: false)
#   如果某请求被该规则匹配, 且策略不是DIRECT. 那么 DNS 查询将永远在远端代理服务
#   器执行, 即使该请求由 Surge TUN 处理. 
#   更多信息请参见手册.
# 有 2 种基于 IP 的规则: "IP-CIDR" and "GEOIP".
# 如果是一个使用域名进行访问的请求，那么 Surge 将进行 DNS 查询以确认是否应该被
# 该规则匹配. 若 DNS 查询失败，将放弃规则匹配过程并直接给出错误。
#   OPTIONS:
#   no-resolve: 可选 (默认值: false)
#   如果是一个使用域名进行访问的请求，跳过该条规则，不触发 DNS 查询。
[Rule]
// Custom

// Rulesets
# DIRECT
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/CN.list,DIRECT
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/Apple.list,DIRECT
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/Special.list,DIRECT
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/Teamviewer.list,DIRECT
# REJECT
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/AdDomains.list,REJECT
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/StreamAd.list,REJECT
# REJECT-TINYGIF
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/AdCN.list,REJECT-TINYGIF
# PROXY
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/CNSpecial.list,PROXY
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/Spotify.list,PROXY
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/TikTok.list,PROXY
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/NameCheap.list,PROXY
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/Google.list,PROXY
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/Facebook.list,PROXY
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/Twitter.list,PROXY
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/AgentNEO.list,PROXY
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/BBC.list,PROXY
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/Line.list,PROXY
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/Netflix.list,PROXY
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/Pinterest.list,PROXY
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/PornHub.list,PROXY
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/YouTube.list,PROXY
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/Telegram.list,PROXY
RULE-SET,https://raw.githubusercontent.com/funnyzak/network-rules/master/Surge/Rulesets/Outside.list,PROXY

// CN and FINAL all to DIRECT
GEOIP,CN,DIRECT
FINAL,DIRECT

# URL Rewrite
[URL Rewrite]


# MITM
[MITM]


# Script
[Script]