1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
| # load all dae files placed in ./config.d/
include {
config.d/*.dae
}
global {
##### Software options.
# tproxy port to listen on. It is NOT a HTTP/SOCKS port, and is just used by eBPF program.
# In normal case, you do not need to use it.
tproxy_port: 12345
# Set it true to protect tproxy port from unsolicited traffic. Set it false to allow users to use self-managed
# iptables tproxy rules.
tproxy_port_protect: true
# Set non-zero value to enable pprof.
pprof_port: 0
# If not zero, traffic sent from dae will be set SO_MARK. It is useful to avoid traffic loop with iptables tproxy
# rules.
so_mark_from_dae: 0
# Log level: error, warn, info, debug, trace.
log_level: info
# Disable waiting for network before pulling subscriptions.
disable_waiting_network: false
# Enable fast redirect for local TCP connections. There is a known kernel issue that breaks certain clients/proxies, such as nadoo/glider. Users may enable this experimental option at their own risks.
enable_local_tcp_fast_redirect: false
##### Interface and kernel options.
# The LAN interface to bind. Use it if you want to proxy LAN.
# Multiple interfaces split by ",".
lan_interface: eth1
# The WAN interface to bind. Use it if you want to proxy localhost.
# Multiple interfaces split by ",". Use "auto" to auto detect.
wan_interface: auto
# Automatically configure Linux kernel parameters like ip_forward and send_redirects. Check out
# https://github.com/daeuniverse/dae/blob/main/docs/en/user-guide/kernel-parameters.md to see what will dae do.
auto_config_kernel_parameter: true
##### Node connectivity check.
# Host of URL should have both IPv4 and IPv6 if you have double stack in local.
# First is URL, others are IP addresses if given.
# Considering traffic consumption, it is recommended to choose a site with anycast IP and less response.
#tcp_check_url: 'http://cp.cloudflare.com'
tcp_check_url: 'http://cp.cloudflare.com,1.1.1.1,2606:4700:4700::1111'
# The HTTP request method to `tcp_check_url`. Use 'HEAD' by default because some server implementations bypass
# accounting for this kind of traffic.
tcp_check_http_method: HEAD
# This DNS will be used to check UDP connectivity of nodes. And if dns_upstream below contains tcp, it also be used to check
# TCP DNS connectivity of nodes.
# First is URL, others are IP addresses if given.
# This DNS should have both IPv4 and IPv6 if you have double stack in local.
#udp_check_dns: 'dns.google.com:53'
udp_check_dns: 'dns.google.com:53,8.8.8.8,2001:4860:4860::8888'
check_interval: 120s
# G/oup will switch node only when new_latency <= old_latency - tolerance.
check_tolerance: 50ms
##### Connecting options.
# Optional values of dial_mode are:
# 1. "ip". Dial proxy using the IP from DNS directly. This allows your ipv4, ipv6 to choose the optimal path
# respectively, and makes the IP version requested by the application meet expectations. For example, if you
# use curl -4 ip.sb, you will request IPv4 via proxy and get a IPv4 echo. And curl -6 ip.sb will request IPv6.
# This may solve some wierd full-cone problem if your are be your node support that. Sniffing will be disabled
# in this mode.
# 2. "domain". Dial proxy using the domain from sniffing. This will relieve DNS pollution problem to a great extent
# if have impure DNS environment. Generally, this mode brings faster proxy response time because proxy will
# re-resolve the domain in remote, thus get better IP result to connect. This policy does not impact routing.
# That is to say, domain rewrite will be after traffic split of routing and dae will not re-route it.
# 3. "domain+". Based on domain mode but do not check the reality of sniffed domain. It is useful for users whose
# DNS requests do not go through dae but want faster proxy response time. Notice that, if DNS requests do not
# go through dae, dae cannot split traffic by domain.
# 4. "domain++". Based on domain+ mode but force to re-route traffic using sniffed domain to partially recover
# domain based traffic split ability. It doesn't work for direct traffic and consumes more CPU resources.
dial_mode: domain+
# Timeout to waiting for first data sending for sniffing. It is always 0 if dial_mode is ip. Set it higher is useful
# in high latency LAN network.
sniffing_timeout: 100ms
# TLS implementation. tls is to use Go's crypto/tls. utls is to use uTLS, which can imitate browser's Client Hello.
tls_implementation: tls
# The Client Hello ID for uTLS to imitate. This takes effect only if tls_implementation is utls.
# See more: https://github.com/daeuniverse/dae/blob/331fa23c16/component/outbound/transport/tls/utls.go#L17
utls_imitate: chrome_auto
}
# dns sniff see: /etc/dae/config.d/dns.dae
# node and group: see /etc/dae/config.d/nodes.dae
# routing: see /etc/dae/config.d/route.dae
|