global {
    ##### Software options.

    # tproxy port to listen on. It is NOT a HTTP/SOCKS port, and is just used by eBPF program.
    # In normal case, you do not need to use it.
    tproxy_port: 12345

    # Set it true to protect tproxy port from unsolicited traffic. Set it false to allow users to use self-managed
    # iptables tproxy rules.
    tproxy_port_protect: true

    # Set non-zero value to enable pprof.
    pprof_port: 0

    # If not zero, traffic sent from dae will be set SO_MARK. It is useful to avoid traffic loop with iptables tproxy
    # rules.
    so_mark_from_dae: 0

    # Log level: error, warn, info, debug, trace.
    log_level: info

    # Disable waiting for network before pulling subscriptions.
    disable_waiting_network: false

    # Enable fast redirect for local TCP connections. There is a known kernel issue that breaks certain clients/proxies, such as nadoo/glider. Users may enable this experimental option at their own risks.
    enable_local_tcp_fast_redirect: false

    ##### Interface and kernel options.

    # The LAN interface to bind. Use it if you want to proxy LAN.
    # Multiple interfaces split by ",".
    #lan_interface: docker0

    # The WAN interface to bind. Use it if you want to proxy localhost.
    # Multiple interfaces split by ",". Use "auto" to auto detect.
    wan_interface: auto

    # Automatically configure Linux kernel parameters like ip_forward and send_redirects. Check out
    # https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do.
    auto_config_kernel_parameter: true

    ##### Node connectivity check.
    # These options, as defaults, are effective when no definition is given in the group.

    # Host of URL should have both IPv4 and IPv6 if you have double stack in local.
    # First is URL, others are IP addresses if given.
    # Considering traffic consumption, it is recommended to choose a site with anycast IP and less response.
    #tcp_check_url: 'http://cp.cloudflare.com'
    tcp_check_url: 'http://cp.cloudflare.com,1.1.1.1,2606:4700:4700::1111'

    # The HTTP request method to `tcp_check_url`. Use 'HEAD' by default because some server implementations bypass
    # accounting for this kind of traffic.
    tcp_check_http_method: HEAD

    # This DNS will be used to check UDP connectivity of nodes. And if dns_upstream below contains tcp, it also be used to check
    # TCP DNS connectivity of nodes.
    # First is URL, others are IP addresses if given.
    # This DNS should have both IPv4 and IPv6 if you have double stack in local.
    #udp_check_dns: 'dns.google:53'
    udp_check_dns: 'dns.google:53,8.8.8.8,2001:4860:4860::8888'

    check_interval: 30s

    # Group will switch node only when new_latency <= old_latency - tolerance.
    check_tolerance: 50ms


    ##### Connecting options.

    # Optional values of dial_mode are:
    # 1. "ip". Dial proxy using the IP from DNS directly. This allows your ipv4, ipv6 to choose the optimal path
    #       respectively, and makes the IP version requested by the application meet expectations. For example, if you
    #       use curl -4 ip.sb, you will request IPv4 via proxy and get a IPv4 echo. And curl -6 ip.sb will request IPv6.
    #       This may solve some wierd full-cone problem if your are be your node support that. Sniffing will be disabled
    #       in this mode.
    # 2. "domain". Dial proxy using the domain from sniffing. This will relieve DNS pollution problem to a great extent
    #       if have impure DNS environment. Generally, this mode brings faster proxy response time because proxy will
    #       re-resolve the domain in remote, thus get better IP result to connect. This policy does not impact routing.
    #       That is to say, domain rewrite will be after traffic split of routing and dae will not re-route it.
    # 3. "domain+". Based on domain mode but do not check the reality of sniffed domain. It is useful for users whose
    #       DNS requests do not go through dae but want faster proxy response time. Notice that, if DNS requests do not
    #       go through dae, dae cannot split traffic by domain.
    # 4. "domain++". Based on domain+ mode but force to re-route traffic using sniffed domain to partially recover
    #       domain based traffic split ability. It doesn't work for direct traffic and consumes more CPU resources.
    dial_mode: domain

    # Allow insecure TLS certificates. It is not recommended to turn it on unless you have to.
    allow_insecure: false

    # Timeout to waiting for first data sending for sniffing. It is always 0 if dial_mode is ip. Set it higher is useful
    # in high latency LAN network.
    sniffing_timeout: 100ms

    # TLS implementation. tls is to use Go's crypto/tls. utls is to use uTLS, which can imitate browser's Client Hello.
    tls_implementation: tls

    # The Client Hello ID for uTLS to imitate. This takes effect only if tls_implementation is utls.
    # See more: https://github.com/daeuniverse/dae/blob/331fa23c16/component/outbound/transport/tls/utls.go#L17
    utls_imitate: chrome_auto

    # Multipath TCP (MPTCP) support. If is true, dae will try to use MPTCP to connect all nodes, but it will only take
    # effects when the node supports MPTCP. It can use for load balance and failover to multiple interfaces and IPs.
    mptcp: false

    # The maximum bandwidth for accessing the Internet. It is useful for some specific protocols (e.g., Hysteria2),
    # which will perform better with bandwith information provided. The unit can be b, kb, mb, gb, tb or bytes per second.
    # supported formats: https://v2.hysteria.network/docs/advanced/Full-Client-Config/#bandwidth
    bandwidth_max_tx: '200 mbps' # uplink, or '200 m' or '200 mb' or '200 mbps' or 25000000(which is 200/8*1000*1000)
    bandwidth_max_rx: '1 gbps' # downlink, or '1 g' or '1 gb' or '1 gbps' or 125000000(which is 1000/8*1000*1000)
}

# Subscriptions defined here will be resolved as nodes and merged as a part of the global node pool.
# Support to give the subscription a tag, and filter nodes from a given subscription in the group section.
subscription {
    # Add your subscription links here.
    my_sub: 'https://www.example.com/subscription/link'
    another_sub: 'https://example.com/another_sub'
    'https://example.com/no_tag_link'
    'file://relative/path/to/mysub.sub' # Put subscription content in /etc/dae/relative/path/to/mysub.sub
}

# Nodes defined here will be merged as a part of the global node pool.
node {
    # Add your node links here.
    # Support socks5, http, https, ss, ssr, vmess, vless, trojan, tuic, juicity, hysteria2, etc.
    # Full support list: https://github.com/daeuniverse/dae/blob/main/docs/en/proxy-protocols.md
    'socks5://localhost:1080'
    mylink: 'ss://LINK'
    node1: 'vmess://LINK'
    node2: 'vless://LINK'
    chains: 'tuic://LINK -> vmess://LINK'
    hysteria2: 'hysteria2://password@server-ip:port/?sni=domain'
}

# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples.
dns {
    # For example, if ipversion_prefer is 4 and the domain name has both type A and type AAAA records, the dae will only
    # respond to type A queries and response empty answer to type AAAA queries.
    #ipversion_prefer: 4

    # Give a fixed ttl for domains. Zero means that dae will request to upstream every time and not cache DNS results
    # for these domains.
    #fixed_domain_ttl {
    #    ddns.example.org: 10
    #    test.example.org: 3600
    #}

    upstream {
        # Value can be scheme://host:port, where the scheme can be tcp/udp/tcp+udp/h3/http3/quic/https/tls.
        # If the protocol is h3/http3/https, it supports setting a custom path, that is, the format can be "protocol://host:port/custom path".
        # If host is a domain and has both IPv4 and IPv6 record, dae will automatically choose
        # IPv4 or IPv6 to use according to group policy (such as min latency policy).
        # Please make sure DNS traffic will go through and be forwarded by dae, which is REQUIRED for domain routing.
        # If dial_mode is "ip", the upstream DNS answer SHOULD NOT be polluted, so domestic public DNS is not recommended.

        alidns: 'udp://dns.alidns.com:53'
        googledns: 'tcp+udp://dns.google:53'

        # alih3: 'h3://dns.alidns.com:443'
        # alih3_path: 'h3://dns.alidns.com:443/dns-query'
        # alihttp3: 'http3://dns.alidns.com:443'
        # alihttp3_path: 'http3://dns.alidns.com:443/dns-query'
        # ali_quic: 'quic://dns.alidns.com:853'

        # h3_custom_path: 'h3://dns.example.com:443/custom-path'
        # http3_custom_path: 'http3://dns.example.com:443/custom-path'

        # ali_doh: 'https://dns.alidns.com:443'
        # ali_dot: 'tls://dns.alidns.com:853'

        # doh_custom_path: 'https://dns.example.com:443/custom-path'
    }
    routing {
        # According to the request of dns query, decide to use which DNS upstream.
        # Match rules from top to bottom.
        request {
            # Lookup China mainland domains using alidns, otherwise googledns.
            qname(geosite:cn) -> alidns
            # fallback is also called default.
            fallback: googledns
        }
    }
#    routing {
#        # According to the request of dns query, decide to use which DNS upstream.
#        # Match rules from top to bottom.
#        request {
#            # fallback is also called default.
#            fallback: alidns
#        }
#        # According to the response of dns query, decide to accept or re-lookup using another DNS upstream.
#        # Match rules from top to bottom.
#        response {
#            # Trusted upstream. Always accept its result.
#            upstream(googledns) -> accept
#            # Possibly polluted, re-lookup using googledns.
#            ip(geoip:private) && !qname(geosite:cn) -> googledns
#            # fallback is also called default.
#            fallback: accept
#        }
#    }
}

# Node group (outbound).
group {
    my_group {
        # No filter. Use all nodes.

        # Randomly select a node from the group for every connection.
        #policy: random

        # Select the first node from the group for every connection.
        #policy: fixed(0)

        # Select the node with min last latency from the group for every connection.
        #policy: min

        # Select the node with min moving average of latencies from the group for every connection.
        policy: min_moving_avg
    }

    group2 {
        # Filter nodes from the global node pool defined by the subscription and node section above.
        #filter: subtag(my_sub) && !name(keyword: 'ExpireAt:')
        # Multiple filters indicate 'or' logic.
        #filter: subtag(regex: '^my_', another_sub) && !name(keyword: 'ExpireAt:')

        # Filter nodes from the global node pool defined by tag.
        #filter: name(node1, node2)

        # Filter nodes and give a fixed latency offset to archive latency-based failover.
        # In this example, there is bigger possibility to choose US node even if original latency of US node is higher.
        filter: name(HK_node)
        filter: name(US_node) [add_latency: -500ms]

        # Select the node with min average of the last 10 latencies from the group for every connection.
        policy: min_avg10
    }

    steam {
        # Filter nodes from the global node pool defined by the subscription and node section above.
        filter: subtag(my_sub) && !name(keyword: 'ExpireAt:')
        # Select the node with min moving average of latencies from the group for every connection.
        policy: min_moving_avg

        # Override tcp_check_url in global.
        tcp_check_url: 'http://test.steampowered.com'
        # Override tcp_check_http_method in global
        #tcp_check_http_method: HEAD
        # Override udp_check_dns in global
        #udp_check_dns: 'dns.google:53,8.8.8.8,2001:4860:4860::8888'
        # Override check_interval in global
        #check_interval: 30s
        # Override check_tolerance in global
        #check_tolerance: 50ms
    }
}

# See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples.
routing {
    ### Preset rules.

    # Network managers in localhost should be direct to avoid false negative network connectivity check when binding to
    # WAN.
    pname(NetworkManager) -> direct

    # Put it in the front to prevent broadcast, multicast and other packets that should be sent to the LAN from being
    # forwarded by the proxy.
    # "dip" means destination IP.
    dip(224.0.0.0/3, 'ff00::/8') -> direct

    # This line allows you to access private addresses directly instead of via your proxy. If you really want to access
    # private addresses in your proxy host network, modify the below line.
    dip(geoip:private) -> direct

    ### Write your rules below.

    # Disable h3 because it usually consumes too much cpu/mem resources.
    l4proto(udp) && dport(443) -> block
    dip(geoip:cn) -> direct
    domain(geosite:cn) -> direct
    

    fallback: my_group
}