Allows other devices to access the internet through Clash proxy port.
Optional values: true/false
allow-lan: true
Binding address, only allows other devices to access through this address.
"*"
binds to all IP addresses."192.168.31.31"
binds to a single IPV4 address."[aaaa::a8aa:ff:fe09:57d8]"
binds to a single IPV6 address.
bind-address: "*"
Allowed IP address ranges for connection, applicable only when allow-lan
is set to true
.
Default values are 0.0.0.0/0
and ::/0
.
lan-allowed-ips:
- 0.0.0.0/0
- ::/0
Disallowed IP address ranges for connection. Blacklist takes precedence over whitelist, default is empty.
lan-disallowed-ips:
- 192.168.0.3/32
User authentication for http(s), socks, and mixed proxies.
authentication:
- "user1:pass1"
- "user2:pass2"
Set the IP ranges allowed to skip authentication.
skip-auth-prefixes:
- 127.0.0.1/8
- ::1/128
rule
Rule-based matchingglobal
Global proxy (requires selecting proxy/strategy in GLOBAL proxy group)direct
Global direct connection
defaulting to rule
mode.
mode: rule
Controls the logging level of Clash core, only output to console and control page.
log-level: info
silent
Silent, no output.error
Outputs logs of errors and unusable logs.warning
Outputs logs of errors that do not affect operations, and logs of error level.info
Outputs general operational logs, as well as logs of error and warning levels.debug
Outputs as much information as possible during runtime.
Whether to allow the kernel to accept IPv6 traffic.
default is true
.
ipv6: true
Controls the interval at which Clash sends out TCP Keep Alive packets to reduce temporary measures for mobile device power consumption.
unit is seconds
keep-alive-interval: 30
The time Clash discovers and closes an invalid TCP connection:
1 × keep-alive-interval + 9 × keep-alive-interval
Controls whether Clash matches processes.
always
Enables, forces matching of all processes.strict
Default, Clash determines whether to enable.off
Does not match processes, recommended for use on routers.
find-process-mode: strict
External controller, allows controlling your Clash kernel using RESTful API.
API listening address, you can change 127.0.0.1
to 0.0.0.0
to listen on all IPs.
external-controller: 127.0.0.1:9090
Unix socket API listening address
!!! warning "" Accessing API endpoints via Unix socket does not verify secrets. If enabled, please ensure security measures are in place.
external-controller-unix: mihomo.sock
HTTPS-API listening address, requires configuring the tls section for certificate and private key configuration, external-controller must also be filled in.
external-controller-tls: 127.0.0.1:9443
Access key for the API.
secret: ""
Allows running static webpage resources (such as Clash-dashboard) on Clash API, path is API address/ui.
external-ui: /path/to/ui/folder
Can be an absolute path or a relative path to the Clash working directory.
external-ui-name: xd # Merged into external-ui/xd
Not mandatory, will be updated to the specified folder during updates, if not configured, it will be updated directly to the external-ui
directory.
external-ui-url: "<https://github.com/MetaCubeX/metacubexd/archive/refs/heads/gh-pages.zip>" # Get from GitHub Pages branch
In Clash official, profile should be an extension configuration, but in Clash.meta, it is only used as a cache item.
profile:
store-selected: true
# Stores API selections for strategy groups for use on the next start
store-fake-ip: true
# Stores the fakeip mapping table, using the original mapping address when the domain connects again
Change delay calculation method, remove additional delays such as handshakes.
unified-delay: true
tcp-concurrent: true
Clash's traffic outbound interface.
interface-name: en0
Provides a default traffic mark for outbound connections on Linux.
routing-mark: 6666
Currently only used for https in API.
tls:
certificate: string # Certificate PEM format or certificate path
private-key: string # Private key PEM format corresponding to the certificate, or private key path
Global TLS fingerprint, lower priority than client-fingerprint inside proxy.
Currently supports TCP/grpc/WS/HTTP transport with TLS, supported protocols are VLESS
, Vmess
, and trojan
.
global-client-fingerprint: chrome
!!! note
Options: chrome
, firefox
, safari
, iOS
, android
, edge
, 360
, qq
, random
If random
is selected, a modern browser fingerprint will be generated based on Cloudflare Radar data.
Change the geoip usage file, mmdb
or dat
,true
is dat
, with a default value of false
.
geodata-mode: true
Optional loading modes are as follows:
standard
: Standard loadermemconservative
: Loader optimized for memory-limited (small memory) devices (default)
geodata-loader: memconservative
geo-auto-update: false
Update interval, unit is hours
geo-update-interval: 24
geox-url:
geoip: "https://testingcf.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.dat"
geosite: "https://testingcf.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geosite.dat"
mmdb: "https://testingcf.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/country.mmdb"
asn: "https://github.com/xishang0128/geoip/releases/download/latest/GeoLite2-ASN.mmdb"
Custom UA used when downloading external resources, default is clash.meta.
global-ua: clash.meta