dae/example.dae

global {
    # tproxy port to listen on. It is NOT a HTTP/SOCKS port, and is just used by eBPF program.
    # In normal case, you do not need to use it.
    tproxy_port: 12345

    # Log level: error, warn, info, debug, trace.
    log_level: info

    # Node connectivity check.
    # Host of URL should have both IPv4 and IPv6 if you have double stack in local.
    # Considering traffic consumption, it is recommended to choose a site with anycast IP and less response.
    tcp_check_url: 'http://keep-alv.google.com/generate_204'

    # This DNS will be used to check UDP connectivity of nodes. And if dns_upstream below contains tcp, it also be used to check
    # TCP DNS connectivity of nodes.
    # This DNS should have both IPv4 and IPv6 if you have double stack in local.
    udp_check_dns: 'dns.google:53'

    check_interval: 30s

    # Group will switch node only when new_latency <= old_latency - tolerance.
    check_tolerance: 50ms

    # The LAN interface to bind. Use it if you only want to proxy LAN instead of localhost.
    # Multiple interfaces split by ",".
    #lan_interface: docker0

    # The WAN interface to bind. Use it if you want to proxy localhost.
    # Multiple interfaces split by ",".
    wan_interface: wlp5s0

    # Allow insecure TLS certificates. It is not recommended to turn it on unless you have to.
    allow_insecure: false

    # Optional values of dial_mode are:
    # 1. "ip". Dial proxy using the IP from DNS directly. This allows your ipv4, ipv6 to choose the optimal path
    #       respectively, and makes the IP version requested by the application meet expectations. For example, if you
    #       use curl -4 ip.sb, you will request IPv4 via proxy and get a IPv4 echo. And curl -6 ip.sb will request IPv6.
    #       This may solve some wierd full-cone problem if your are be your node support that.
    # 2. "domain". Dial proxy using the domain from sniffing. This will relieve DNS pollution problem to a great extent
    #       if have impure DNS environment. Generally, this mode brings faster proxy response time because proxy will
    #       re-resolve the domain in remote, thus get better IP result to connect. This policy does not impact routing.
    #       That is to say, domain rewrite will be after traffic split of routing and dae will not re-route it.
    # 3. "domain+". Based on domain mode but do not check the reality of sniffed domain. It is useful for users whose
    #       DNS requests do not go through dae but want faster proxy response time. Notice that, if DNS requests do not
    #       go through dae, dae cannot split traffic by domain.
    dial_mode: domain
}

# Subscriptions defined here will be resolved as nodes and merged as a part of the global node pool.
# Support to give the subscription a tag, and filter nodes from a given subscription in the group section.
subscription {
    # Add your subscription links here.
    my_sub: 'https://www.example.com/subscription/link'
    another_sub: 'https://example.com/another_sub'
    'https://example.com/no_tag_link'
}

# Nodes defined here will be merged as a part of the global node pool.
node {
    # Add your node links here.
    # Support socks5, http, https, ss, ssr, vmess, vless, trojan, trojan-go
    'socks5://localhost:1080'
    mylink: 'ss://LINK'
}

# See more at https://github.com/daeuniverse/dae/blob/main/docs/dns.md.
dns {
    upstream {
        # Value can be scheme://host:port, where the scheme can be tcp/udp/tcp+udp.
        # If host is a domain and has both IPv4 and IPv6 record, dae will automatically choose
        # IPv4 or IPv6 to use according to group policy (such as min latency policy).
        # Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing.
        # If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended.

        alidns: 'udp://dns.alidns.com:53'
        googledns: 'tcp+udp://dns.google:53'
    }
    routing {
        request {
            fallback: asis
        }
        response {
            upstream(googledns) -> accept
            !qname(geosite:cn) && ip(geoip:private) -> googledns
            fallback: accept
        }
    }
}

# Node group (outbound).
group {
    my_group {
        # No filter. Use all nodes.

        # Randomly select a node from the group for every connection.
        #policy: random

        # Select the first node from the group for every connection.
        #policy: fixed(0)

        # Select the node with min last latency from the group for every connection.
        #policy: min

        # Select the node with min moving average of latencies from the group for every connection.
        policy: min_moving_avg
    }

    group2 {
        # Filter nodes from the global node pool defined by the subscription and node section above.
        filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:')

        # Select the node with min average of the last 10 latencies from the group for every connection.
        policy: min_avg10
    }
}

# See https://github.com/daeuniverse/dae/blob/main/docs/routing.md for full examples.
routing {
    ### Preset rules.

    # If you bind to WAN and set upstream (in section "dns") to a DNS service in localhost (dnsmasq, adguard, etc.),
    # to avoid loops, let them "must_direct", which makes DNS requests not redirect back to dae again.
    # "pname" means process name.
    #pname(dnsmasq) && l4proto(udp) && dport(53) -> must_direct

    # Network managers in localhost should be direct to avoid false negative network connectivity check when binding to
    # WAN.
    pname(NetworkManager, systemd-resolved) -> direct

    # Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being
    # forwarded by the proxy.
    # "dip" means destination IP.
    dip(224.0.0.0/3, 'ff00::/8') -> direct

    # This line allows you to access private addresses directly instead of via your proxy. If you really want to access
    # private addresses in your proxy host network, modify the below line.
    dip(geoip:private) -> direct

    ### Write your rules below.

    dip(geoip:cn) -> direct
    domain(geosite:cn) -> direct

    fallback: my_group
}
feat: support config file 2023-01-28 00:50:21 +07:00			`global {`
feat: support reload 2023-02-27 12:29:42 +07:00			`# tproxy port to listen on. It is NOT a HTTP/SOCKS port, and is just used by eBPF program.`
docs: README 2023-02-12 15:04:30 +07:00			`# In normal case, you do not need to use it.`
feat: support config file 2023-01-28 00:50:21 +07:00			`tproxy_port: 12345`

docs: README 2023-02-12 00:06:43 +07:00			`# Log level: error, warn, info, debug, trace.`
feat: support to set log level in config file 2023-02-05 13:03:34 +07:00			`log_level: info`

feat: support config file 2023-01-28 00:50:21 +07:00			`# Node connectivity check.`
feat: support to check independent tcp dns connectivity 2023-02-12 14:39:00 +07:00			`# Host of URL should have both IPv4 and IPv6 if you have double stack in local.`
fix: ipv4in6 should be converged 2023-02-13 17:26:31 +07:00			`# Considering traffic consumption, it is recommended to choose a site with anycast IP and less response.`
feat: add sniffing suite and dial_mode option (#16) 2023-02-15 00:53:53 +07:00			`tcp_check_url: 'http://keep-alv.google.com/generate_204'`
docs: README 2023-02-12 00:06:43 +07:00
feat: allow tcp_check_url and udp_check_dns are not double stack 2023-02-13 01:40:34 +07:00			`# This DNS will be used to check UDP connectivity of nodes. And if dns_upstream below contains tcp, it also be used to check`
feat: support to check independent tcp dns connectivity 2023-02-12 14:39:00 +07:00			`# TCP DNS connectivity of nodes.`
feat: allow tcp_check_url and udp_check_dns are not double stack 2023-02-13 01:40:34 +07:00			`# This DNS should have both IPv4 and IPv6 if you have double stack in local.`
chore 2023-02-09 12:42:52 +07:00			`udp_check_dns: 'dns.google:53'`
docs: README 2023-02-12 00:06:43 +07:00
optimize: url check and log 2023-01-28 14:47:43 +07:00			`check_interval: 30s`
docs: README 2023-02-12 00:06:43 +07:00
			`# Group will switch node only when new_latency <= old_latency - tolerance.`
feat: add check_tolerance to make node selection stable 2023-02-09 20:16:51 +07:00			`check_tolerance: 50ms`
feat: support config file 2023-01-28 00:50:21 +07:00
feat: support multiple lan and wan interfaces to bind 2023-02-01 11:18:19 +07:00			`# The LAN interface to bind. Use it if you only want to proxy LAN instead of localhost.`
			`# Multiple interfaces split by ",".`
fix: must_direct logic for WAN 2023-02-19 11:37:37 +07:00			`#lan_interface: docker0`
docs: README 2023-01-30 17:13:43 +07:00
docs: example.dae 2023-02-11 12:53:43 +07:00			`# The WAN interface to bind. Use it if you want to proxy localhost.`
feat: add DNS rush-answer filter 2023-02-04 19:53:29 +07:00			`# Multiple interfaces split by ",".`
feat: support bind to wan 2023-01-30 14:50:55 +07:00			`wan_interface: wlp5s0`
feat/fix: support allow_insecure and fix ws path with query 2023-02-12 16:17:51 +07:00
			`# Allow insecure TLS certificates. It is not recommended to turn it on unless you have to.`
			`allow_insecure: false`
feat: add sniffing suite and dial_mode option (#16) 2023-02-15 00:53:53 +07:00
docs: example.dae 2023-02-18 01:06:23 +07:00			`# Optional values of dial_mode are:`
feat: add sniffing suite and dial_mode option (#16) 2023-02-15 00:53:53 +07:00			`# 1. "ip". Dial proxy using the IP from DNS directly. This allows your ipv4, ipv6 to choose the optimal path`
docs: example.dae 2023-02-18 01:06:23 +07:00			`# respectively, and makes the IP version requested by the application meet expectations. For example, if you`
			`# use curl -4 ip.sb, you will request IPv4 via proxy and get a IPv4 echo. And curl -6 ip.sb will request IPv6.`
			`# This may solve some wierd full-cone problem if your are be your node support that.`
feat: add sniffing suite and dial_mode option (#16) 2023-02-15 00:53:53 +07:00			`# 2. "domain". Dial proxy using the domain from sniffing. This will relieve DNS pollution problem to a great extent`
docs: example.dae 2023-02-18 01:06:23 +07:00			`# if have impure DNS environment. Generally, this mode brings faster proxy response time because proxy will`
			`# re-resolve the domain in remote, thus get better IP result to connect. This policy does not impact routing.`
			`# That is to say, domain rewrite will be after traffic split of routing and dae will not re-route it.`
docs: update dial_mode 2023-03-13 15:49:01 +07:00			`# 3. "domain+". Based on domain mode but do not check the reality of sniffed domain. It is useful for users whose`
			`# DNS requests do not go through dae but want faster proxy response time. Notice that, if DNS requests do not`
			`# go through dae, dae cannot split traffic by domain.`
feat: add sniffing suite and dial_mode option (#16) 2023-02-15 00:53:53 +07:00			`dial_mode: domain`
feat: support config file 2023-01-28 00:50:21 +07:00			`}`

feat: add lan_snat_direct option for non-transparent-bridge user (#14) 2023-02-11 12:34:12 +07:00			`# Subscriptions defined here will be resolved as nodes and merged as a part of the global node pool.`
			`# Support to give the subscription a tag, and filter nodes from a given subscription in the group section.`
feat: support config file 2023-01-28 00:50:21 +07:00			`subscription {`
			`# Add your subscription links here.`
docs: README 2023-02-10 10:59:40 +07:00			`my_sub: 'https://www.example.com/subscription/link'`
			`another_sub: 'https://example.com/another_sub'`
			`'https://example.com/no_tag_link'`
feat: support config file 2023-01-28 00:50:21 +07:00			`}`

feat: add lan_snat_direct option for non-transparent-bridge user (#14) 2023-02-11 12:34:12 +07:00			`# Nodes defined here will be merged as a part of the global node pool.`
feat: support config file 2023-01-28 00:50:21 +07:00			`node {`
			`# Add your node links here.`
			`# Support socks5, http, https, ss, ssr, vmess, vless, trojan, trojan-go`
docs: README 2023-01-30 17:13:43 +07:00			`'socks5://localhost:1080'`
chore: examples.dae 2023-03-07 12:30:27 +07:00			`mylink: 'ss://LINK'`
feat: support config file 2023-01-28 00:50:21 +07:00			`}`

chore: transferred to daeuniverse 2023-03-14 14:01:55 +07:00			`# See more at https://github.com/daeuniverse/dae/blob/main/docs/dns.md.`
feat: dns routing (#26) 2023-02-25 01:38:21 +07:00			`dns {`
			`upstream {`
			`# Value can be scheme://host:port, where the scheme can be tcp/udp/tcp+udp.`
			`# If host is a domain and has both IPv4 and IPv6 record, dae will automatically choose`
			`# IPv4 or IPv6 to use according to group policy (such as min latency policy).`
			`# Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing.`
			`# If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended.`

			`alidns: 'udp://dns.alidns.com:53'`
			`googledns: 'tcp+udp://dns.google:53'`
			`}`
feat: support export config outline and config marshal (#27) 2023-02-25 21:53:18 +07:00			`routing {`
			`request {`
chore: examples.dae 2023-03-07 12:30:27 +07:00			`fallback: asis`
feat: support export config outline and config marshal (#27) 2023-02-25 21:53:18 +07:00			`}`
			`response {`
			`upstream(googledns) -> accept`
			`!qname(geosite:cn) && ip(geoip:private) -> googledns`
			`fallback: accept`
			`}`
feat: dns routing (#26) 2023-02-25 01:38:21 +07:00			`}`
			`}`

docs: update example.dae 2023-02-05 12:31:21 +07:00			`# Node group (outbound).`
feat: support config file 2023-01-28 00:50:21 +07:00			`group {`
			`my_group {`
chore: examples.dae 2023-03-07 12:30:27 +07:00			`# No filter. Use all nodes.`
feat: support config file 2023-01-28 00:50:21 +07:00
			`# Randomly select a node from the group for every connection.`
fix: must_direct logic for WAN 2023-02-19 11:37:37 +07:00			`#policy: random`
feat: support not operator and port, sport routing func 2023-01-29 06:31:52 +07:00
			`# Select the first node from the group for every connection.`
fix: must_direct logic for WAN 2023-02-19 11:37:37 +07:00			`#policy: fixed(0)`
chore/docs: use CO-RE and refine README 2023-02-07 20:54:57 +07:00
			`# Select the node with min last latency from the group for every connection.`
fix: must_direct logic for WAN 2023-02-19 11:37:37 +07:00			`#policy: min`
feat: add min moving average latencies policy 2023-02-19 00:49:36 +07:00
			`# Select the node with min moving average of latencies from the group for every connection.`
			`policy: min_moving_avg`
feat: support config file 2023-01-28 00:50:21 +07:00			`}`
docs: typo and example 2023-01-31 23:02:46 +07:00
			`group2 {`
feat: add lan_snat_direct option for non-transparent-bridge user (#14) 2023-02-11 12:34:12 +07:00			`# Filter nodes from the global node pool defined by the subscription and node section above.`
docs: example.dae 2023-02-10 11:02:25 +07:00			`filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:')`
docs: typo and example 2023-01-31 23:02:46 +07:00
			`# Select the node with min average of the last 10 latencies from the group for every connection.`
			`policy: min_avg10`
			`}`
feat: support config file 2023-01-28 00:50:21 +07:00			`}`

chore: transferred to daeuniverse 2023-03-14 14:01:55 +07:00			`# See https://github.com/daeuniverse/dae/blob/main/docs/routing.md for full examples.`
feat: support config file 2023-01-28 00:50:21 +07:00			`routing {`
docs: example.dae 2023-02-19 11:46:11 +07:00			`### Preset rules.`
docs: typo and example 2023-01-31 23:02:46 +07:00
docs: update example.dae 2023-03-13 16:05:27 +07:00			`# If you bind to WAN and set upstream (in section "dns") to a DNS service in localhost (dnsmasq, adguard, etc.),`
			`# to avoid loops, let them "must_direct", which makes DNS requests not redirect back to dae again.`
chore: replace ip with dip, port with dport 2023-02-25 02:12:35 +07:00			`# "pname" means process name.`
docs: guide for external dns 2023-03-13 21:33:17 +07:00			`#pname(dnsmasq) && l4proto(udp) && dport(53) -> must_direct`
docs: example.dae 2023-02-19 11:46:11 +07:00
			`# Network managers in localhost should be direct to avoid false negative network connectivity check when binding to`
			`# WAN.`
			`pname(NetworkManager, systemd-resolved) -> direct`

			`# Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being`
			`# forwarded by the proxy.`
chore: replace ip with dip, port with dport 2023-02-25 02:12:35 +07:00			`# "dip" means destination IP.`
			`dip(224.0.0.0/3, 'ff00::/8') -> direct`
docs: example.dae 2023-02-19 11:46:11 +07:00
			`# This line allows you to access private addresses directly instead of via your proxy. If you really want to access`
			`# private addresses in your proxy host network, modify the below line.`
chore: replace ip with dip, port with dport 2023-02-25 02:12:35 +07:00			`dip(geoip:private) -> direct`
docs: example.dae 2023-02-19 11:46:11 +07:00
			`### Write your rules below.`
feat: support real process name traffic split (#6) 2023-02-04 10:24:03 +07:00
chore: replace ip with dip, port with dport 2023-02-25 02:12:35 +07:00			`dip(geoip:cn) -> direct`
feat: support config file 2023-01-28 00:50:21 +07:00			`domain(geosite:cn) -> direct`
docs: README 2023-02-11 23:53:33 +07:00
chore: rename routing final as fallback 2023-02-18 02:01:51 +07:00			`fallback: my_group`
feat: support config file 2023-01-28 00:50:21 +07:00			`}`