Clash-Merge-Script/ClashScript.yaml at main · ForestSun2023/Clash-Merge-Script · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
# ==============================================================================
# @file       Minimalist Clash Meta Configuration (YAML Template)
# @version    2.3.0 (Professional Documented Edition)
# @purpose    Self-hosting Node Protection, DNS Leak Prevention, Routing Optimization
# @author     [ForestSun2023/Clash-Merge-Script]
# ==============================================================================

# ==============================================================================
# [1] Core System Settings (内核基础引擎配置)
# ==============================================================================
mode: rule
mixed-port: 20112
log-level: silent          # [Performance] 保持静默，大幅减少磁盘写入
ipv6: false                # [Network] 关闭 IPv6 解析，杜绝双栈 IP 泄露
allow-lan: false           # [Security] 禁用局域网共享，防止内网扫描
unified-delay: true        # [UX] 统一延迟计算，还原真实连通性
tcp-concurrent: false      # [Security] 保持关闭，避免被 CDN 防火墙误判为 CC 攻击
find-process-mode: strict  # [Security] 严格进程识别，保障 BT 隔离拦截绝对生效

# ==============================================================================
# [2] TUN Interface (虚拟网卡与全局劫持)
# ==============================================================================
tun:
  enable: true
  stack: Mixed
  auto-route: true
  auto-detect-interface: true
  dns-hijack:
    - "any:53"
    - "tcp://any:53"       # [Security] 补全 TCP DNS 劫持防线

# ==============================================================================
# [3] Advanced DNS Architecture (高阶防污染 DNS)
# ==============================================================================
dns:
  enable: true
  ipv6: false
  use-system-hosts: true
  enhanced-mode: redir-host # [Architecture] 坚守 redir-host，确保 BT Tracker 不受 Fake-IP 干扰
  fake-ip-range: 198.18.0.1/16
  fake-ip-filter: ["*.lan", "*.localdomain", "*.localhost", "*.home.arpa"]

  # [Anti-Deadlock] 专用于解析代理节点域名的 DNS，防止冷启动死锁
  proxy-server-nameserver:
    - https://223.5.5.5/dns-query
    - https://doh.pub/dns-query

  # [Routing] 默认请求送交远端节点通过 Google DNS 处理
  nameserver:
    - tls://8.8.8.8#🚀 节点选择

  # [Routing] 策略分流：国内域名强制就近直连解析
  nameserver-policy:
    rule-set:GEOSITE-CN: https://223.5.5.5/dns-query#🎯 全球直连
    rule-set:geolocation-!cn: tls://8.8.8.8#🚀 节点选择

# ==============================================================================
# [4] Traffic Sniffer (应用层嗅探)
# ==============================================================================
sniffer:
  enable: true
  force-dns-mapping: true
  parse-pure-ip: true
  sniff:
    HTTP: {ports: [80, 8080-8880]}
    TLS: {ports: [443, 8443]}
    QUIC: {ports: [443, 8443]}

# ==============================================================================
# [5] Providers (订阅与高性能二进制规则库)
# ==============================================================================
proxy-providers:
  ☁️ 自建订阅:
    type: http
    url: "https://在此处填入你的订阅链接"
    path: ./proxies/my_nodes.yaml
    interval: 3600
    health-check: {enable: true, interval: 300, url: https://www.gstatic.com/generate_204}

# [Performance] 全量使用 .mrs 格式，加载速度提升约 5 倍
rule-providers:
  google: {type: http, url: https://testingcf.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@meta/geo/geosite/google.mrs, behavior: domain, format: mrs, proxy: 🎯 全球直连, interval: 86400}
  category-ads-all: {type: http, url: https://testingcf.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@meta/geo/geosite/category-ads-all.mrs, behavior: domain, format: mrs, proxy: 🎯 全球直连, interval: 86400}
  GEOIP-Private: {type: http, url: https://testingcf.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@meta/geo/geoip/private.mrs, behavior: ipcidr, format: mrs, proxy: 🎯 全球直连, interval: 86400}
  GEOIP-CN: {type: http, url: https://testingcf.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@meta/geo/geoip/cn.mrs, behavior: ipcidr, format: mrs, proxy: 🎯 全球直连, interval: 86400}
  GEOSITE-Private: {type: http, url: https://testingcf.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@meta/geo/geosite/private.mrs, behavior: domain, format: mrs, proxy: 🎯 全球直连, interval: 86400}
  GEOSITE-CN: {type: http, url: https://testingcf.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@meta/geo/geosite/cn.mrs, behavior: domain, format: mrs, proxy: 🎯 全球直连, interval: 86400}
  geolocation-!cn: {type: http, url: https://testingcf.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@meta/geo/geosite/geolocation-!cn.mrs, behavior: domain, format: mrs, proxy: 🎯 全球直连, interval: 86400}

# ==============================================================================
# [6] Proxy Groups (策略分发)
# ==============================================================================
proxy-groups:
  - {name: 🚀 节点选择, type: select, use: [☁️ 自建订阅], proxies: [🎈 自动选择]}
  - {name: 🎈 自动选择, type: url-test, use: [☁️ 自建订阅], url: https://www.gstatic.com/generate_204, interval: 300, tolerance: 150}
  - {name: 🎯 全球直连, type: select, proxies: [DIRECT, REJECT]}
  - {name: 🛑 全球拦截, type: select, proxies: [REJECT, DIRECT]}
  - {name: 🐟 漏网之鱼, type: select, proxies: [🚀 节点选择, 🎯 全球直连]}

# ==============================================================================
# [7] Routing Rules (核心路由引擎) - 注意：引擎自上而下匹配，顺序不可随意变动
# ==============================================================================
rules:
  # --- 阶段一：高危资产保护 (VPS Protection & Privacy) ---
  # [DMCA-Block] 精准识别 P2P 软件，强制直连，防止版权投诉导致 VPS 删机
  - PROCESS-NAME,qBittorrent,🎯 全球直连
  - PROCESS-NAME,BitComet,🎯 全球直连
  - PROCESS-NAME,Thunder,🎯 全球直连
  - AND,((NETWORK,udp),(DST-PORT,6881-6889)),🎯 全球直连

  # [WebRTC-Block] 物理级阻断 STUN UDP 探测，实现浏览器 IP 零泄露
  - AND,((NETWORK,udp),(DST-PORT,3478)),🛑 全球拦截
  - AND,((NETWORK,udp),(DST-PORT,19302)),🛑 全球拦截
  - AND,((NETWORK,udp),(DST-PORT,5349)),🛑 全球拦截
  - AND,((DST-PORT,443),(NETWORK,udp)),🛑 全球拦截

  # --- 阶段二：应用层净化 (Functionality) ---
  - RULE-SET,google,🚀 节点选择
  - RULE-SET,category-ads-all,🛑 全球拦截

  # --- 阶段三：域名极速分流 (Domain Routing) ---
  # 优先匹配域名，避免触发底层 IP 解析导致的无效延迟
  - RULE-SET,GEOSITE-Private,🎯 全球直连
  - RULE-SET,GEOSITE-CN,🎯 全球直连
  - RULE-SET,geolocation-!cn,🚀 节点选择

  # --- 阶段四：IP 兜底分流 (IP Routing) ---
  # 必须携带 no-resolve 参数，遇到域名请求直接跳过，防止阻塞网络
  - RULE-SET,GEOIP-Private,🎯 全球直连,no-resolve
  - RULE-SET,GEOIP-CN,🎯 全球直连,no-resolve

  - MATCH,🐟 漏网之鱼