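# Surge profile. This file can be downloaded from:
# https://blankmagic.github.io/Surge/Profile.conf
#
# NOTE(review): this profile fetches rule sets, a GeoIP database and a script
# from third-party URLs at runtime. Whoever controls those URLs controls
# routing decisions and script behavior, so review them before use.

[General]
# --- General ---
# Hybrid Network: use Wi-Fi and cellular data concurrently to reduce first-connection latency
all-hybrid = false
# Enhanced Wi-Fi Assist: switch to cellular data when the Wi-Fi signal is poor
wifi-assist = true
# Gaming optimization: prioritize UDP packets when the system is under high load
udp-priority = true

# --- Latency Benchmark ---
# Internet test URL
internet-test-url = http://www.apple.com/library/test/success.html
# Proxy test URL
proxy-test-url = http://cp.cloudflare.com/generate_204
# Test timeout (seconds)
test-timeout = 3
# GeoIP database
geoip-maxmind-url = https://github.com/Hackl0us/GeoIP2-CN/raw/release/Country.mmdb
# IPv6 support
ipv6 = false
ipv6-vif = off

# --- Compatibility & Routing ---
# Compatibility mode (0: default; 4: VIF Proxy; 5: do not declare a default route,
# for apps that misbehave when they detect a VPN)
compatibility-mode = 0
# Skip-proxy list: these addresses are handled by the system and never enter the Surge engine
# NOTE(review): 192.168.0.0/24 is narrower than the 192.168.0.0/16 used in
# tun-excluded-routes below; confirm whether the narrower range is intended.
skip-proxy = 192.168.0.0/24, 10.0.0.0/8, 172.16.0.0/12, 127.0.0.1, localhost, *.local, *.crashlytics.com
# Exclude simple hostnames
exclude-simple-hostnames = true
# Always return the real IP for these hosts (used for STUN/NAT traversal and special resolution cases)
always-real-ip = dns.msftncsi.com, *.srv.nintendo.net, *.stun.playstation.net, xbox.*.microsoft.com, *.xboxlive.com, *.turn.twilio.com, *.stun.twilio.com, stun.syncthing.net, stun.*, lancache.steamcontent.com, 127.*.*.*.sslip.io, 127-*-*-*.sslip.io, *.127.*.*.*.sslip.io, *-127-*-*-*.sslip.io, 127.*.*.*.nip.io, 127-*-*-*.nip.io, *.127.*.*.*.nip.io, *-127-*-*-*.nip.io

# --- DNS Resolution ---
# Traditional DNS servers
dns-server = 223.5.5.5, 223.6.6.6, 119.29.29.29
# Encrypted DNS (DoH/DoQ)
encrypted-dns-server = https://doh.pub/dns-query, https://dns.alidns.com/dns-query
# Make encrypted DNS requests follow the outbound mode (off gives better performance)
encrypted-dns-follow-outbound-mode = false
# Read the system hosts file and prefer local mappings
read-etc-hosts = true
# Local DNS Mapping for proxied requests: return a [Host] hit directly to avoid remote resolution latency
use-local-host-item-for-proxy = true
# Hijack all traditional DNS requests to port 53, for smart devices that hard-code a public DNS server
hijack-dns = *:53

# --- Wi-Fi Access ---
# Allow Wi-Fi access: when enabled, this device acts as a proxy server for the LAN
allow-wifi-access = false
wifi-access-http-port = 6152
wifi-access-socks5-port = 6153
# Allow Personal Hotspot clients to use the proxy
# NOTE(review): this opens the proxy to every device that joins the hotspot;
# set it to false if hotspot sharing is not needed.
allow-hotspot-access = true

# --- Remote Controller ---
# External controller access key and listen address.
# `key` is a placeholder: replace it with a long random secret before use.
# The controller is bound to loopback on purpose. Binding it to 0.0.0.0 exposes
# it to every host on the network, so do that only on a trusted LAN and only
# after a strong key has been set.
external-controller-access = key@127.0.0.1:6160
# HTTP API and its web dashboard (same placeholder key; replace it as well)
http-api = key@127.0.0.1:6166
http-api-tls = true
http-api-web-dashboard = true

# --- Advanced ---
# Log level (notify for daily use, info when troubleshooting)
loglevel = notify
# Show an error page when a request hits a REJECT policy
show-error-page-for-reject = true
# Force Surge to treat TCP connections to these hosts as HTTP requests
force-http-engine-hosts = *.ott.cibntv.net, 123.59.31.1, 119.18.193.135, 122.14.246.33, 175.102.178.52, 116.253.24.*, 175.6.26.*, 220.169.153.*
# TUN excluded routes: keep LAN ranges out of the tunnel so that intranet access
# and device-to-device traffic keep working. Includes the standard private
# ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
tun-excluded-routes = 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 255.255.255.255/32
# Fallback behavior when the proxy node does not support UDP relay
udp-policy-not-supported-behaviour = REJECT
# Whether proxy requests are restricted to the LAN
proxy-restricted-to-lan = false

[Proxy]
# Direct connection
DIRECT = direct
# Example nodes
# SS-Server = ss, 1.2.3.4, 443, aes-256-gcm, your-password, obfs=http, obfs-host=example.com
# Trojan-Server = trojan, 1.2.3.4, 443, password=your-password, sni=example.com, alpn=h2,http/1.1
# VMess-Server = vmess, 1.2.3.4, 443, username=your-uuid, tls=true, sni=example.com, alpn=h2,http/1.1

[Proxy Group]
# --- Top-Level Groups (user-facing) ---
# Final fallback policy: what happens when no rule matches
Final = select, Proxy🪁, DIRECT
# Main proxy selection group.
# policy-path: replace the placeholder with your own subscription URL.
# Subscription URLs usually embed an access token; treat the URL as a secret
# and do not publish a profile that contains it.
Proxy🪁 = select, 🇺🇸 America, 🇭🇰 Hong Kong, 🇸🇬 Singapore, 🇨🇳 Fallback, policy-path=https://your-sub.com/sub?target=Surge, update-interval=86400
# Domestic direct-connection switch
CN = select, DIRECT
# Smart SSID group: change the outbound policy automatically based on the Wi-Fi environment
# Home⛺️ = subnet, default = Proxy🪁, "SSID:MyHome_WiFi" = DIRECT, "TYPE:CELLULAR" = Proxy🪁
# Per-application routing groups
AI = select, "🇭🇰 Hong Kong", "🇺🇸 America", "🇸🇬 Singapore"
Netflix = select, 🇺🇸 America, 🇭🇰 Hong Kong, 🇸🇬 Singapore, 🇨🇳 Fallback
Twitter = select, 🇺🇸 America, Proxy🪁
Telegram = select, 🇭🇰 Hong Kong, 🇸🇬 Singapore, hybrid=off
Apple = select, DIRECT, Proxy🪁
AdBlock = select, REJECT, DIRECT, REJECT-DROP

# --- Node filters and sub-groups (hidden) ---
🇺🇸 America = smart, include-other-group=Proxy🪁, policy-regex-filter=美国, interval=600, tolerance=100, evaluate-before-use=true, hidden=true
🇭🇰 Hong Kong = smart, include-other-group=Proxy🪁, policy-regex-filter=(港|HK), interval=-1, tolerance=100, persistent=true, hidden=true
🇸🇬 Singapore = smart, include-other-group=Proxy🪁, policy-regex-filter=(新加坡|狮城), interval=-1, tolerance=100, persistent=true, hidden=true
🇨🇳 Fallback = fallback, include-other-group=Proxy🪁, policy-regex-filter=台湾, timeout=3, interval=600, evaluate-before-use=true, hidden=true

[Rule]
# --- Custom Rules ---
# Sub-Store web page
DOMAIN-SUFFIX,vercel.app,Proxy🪁
# Direct connection for domestic ASNs
IP-ASN,4134,DIRECT,no-resolve
IP-ASN,4837,DIRECT,no-resolve
# Banking services: disable hybrid network so a changing source IP does not invalidate the login
DOMAIN-SUFFIX,cmbchina.com,DIRECT,hybrid=off
# Block HTTP/3 (QUIC): some ISPs throttle UDP 443 heavily, so force a fallback to TCP
AND,((PROTOCOL,UDP),(DEST-PORT,443)),REJECT-NO-DROP
# Telegram optimization
AND,((PROCESS-NAME,Telegram), (OR,((IP-CIDR,0.0.0.0/8), (IP-CIDR,224.0.0.0/4)))),REJECT
# External resource update notification.
# The two host conditions are wrapped in OR: a single request cannot be for
# raw.githubusercontent.com and *.github.io at once, so a flat AND never matched.
AND,((OR,((DOMAIN,raw.githubusercontent.com), (DOMAIN-SUFFIX,github.io))), (USER-AGENT,Surge/*)),Final,notification-text="♻️ External Resources Updating",notification-interval=3600
# Block UDP for video hosts (prevents abnormal YouTube buffering).
# The host conditions are wrapped in OR for the same reason as above.
AND,((OR,((DOMAIN-SUFFIX,googlevideo.com), (DOMAIN-SUFFIX,gvt1.com), (DOMAIN-SUFFIX,cdninstagram.com))), (PROTOCOL,UDP)),REJECT
# Privacy protection
DOMAIN,prpr.96110.cn.com,DIRECT
DOMAIN-KEYWORD,96110,REJECT
DOMAIN-SUFFIX,gjfzpt.cn,REJECT

# --- Process rules (Mac) ---
PROCESS-NAME,aria2c,DIRECT
PROCESS-NAME,fdm,DIRECT
PROCESS-NAME,Folx,DIRECT
PROCESS-NAME,Thunder,DIRECT
PROCESS-NAME,Transmission,DIRECT

# --- Rule Sets ---
# Remote rule sets are downloaded and applied as-is; only reference sources you trust.
# Ads / privacy protection
DOMAIN-SET,https://ruleset.skk.moe/List/domainset/reject.conf,AdBlock
RULE-SET,https://ruleset.skk.moe/List/non_ip/reject-drop.conf,REJECT-DROP
RULE-SET,https://ruleset.skk.moe/List/non_ip/reject.conf,AdBlock
RULE-SET,https://ruleset.skk.moe/List/ip/reject.conf,REJECT-DROP
# AI
RULE-SET,https://blankmagic.github.io/Surge/rule/ai.list,AI
# Netflix
RULE-SET,https://blankmagic.github.io/Surge/rule/netflix.list,Netflix
# Twitter
RULE-SET,https://blankmagic.github.io/Surge/rule/twitter.list,Twitter
# Telegram
RULE-SET,https://blankmagic.github.io/Surge/rule/telegram.list,Telegram
# Global proxy (blocked list)
RULE-SET,https://blankmagic.github.io/Surge/rule/blocked.list,Proxy🪁
# Domestic direct connection (domestic allowlist)
RULE-SET,https://blankmagic.github.io/Surge/rule/domestic.list,DIRECT
# Apple
DOMAIN,apps.apple.com,Proxy🪁
DOMAIN-KEYWORD,buy.itunes.apple.com,Proxy🪁
# Apple Maps
DOMAIN-SUFFIX,ls.apple.com,DIRECT
# Apple Store Online
DOMAIN-SUFFIX,store.apple.com,DIRECT
RULE-SET,https://blankmagic.github.io/Surge/rule/apple.list,Apple

# --- Mail Service Bypass ---
# Domain-suffix rule for mail delivery hostnames
DOMAIN-SUFFIX,smtp,DIRECT
# Disabled: URL-REGEX is evaluated against HTTP request URLs, not against SMTP
# traffic, so it cannot see HELO commands or Subject headers. Left enabled it
# would send any HTTP request whose URL contains "Subject", "HELO" or "SMTP"
# DIRECT, outside the proxy. The port rule below is what covers mail traffic.
# URL-REGEX,(Subject|HELO|SMTP),DIRECT
# Force DIRECT for the standard mail ports (25, 465, 587). This avoids send
# failures when the proxy server blocks these ports and avoids tripping the
# mail provider's unusual-location login checks.
OR,((DEST-PORT,25), (DEST-PORT,465), (DEST-PORT,587)),DIRECT

# --- Outbound Flow ---
RULE-SET,LAN,DIRECT
GEOIP,CN,DIRECT,no-resolve
# Final rule
FINAL,Final,dns-failed

[Host]
# AliPay & Taobao (resolve through AliDNS for their CDN)
*.taobao.com = server:223.5.5.5
*.tmall.com = server:223.5.5.5
*.alipay.com = server:223.5.5.5
*.alicdn.com = server:223.5.5.5
*.aliyun.com = server:223.5.5.5
# Tencent & JD (resolve through Tencent DNS)
*.jd.com = server:119.29.29.29
*.qq.com = server:119.29.29.29
*.tencent.com = server:119.29.29.29
*.weixin.com = server:119.29.29.29
# NetEase & Bilibili
*.bilibili.com = server:119.29.29.29
hdslb.com = server:119.29.29.29
*.163.com = server:119.29.29.29
*.netease.com = server:119.29.29.29
# Xiaomi
*.mi.com = server:223.5.5.5
*.xiaomi.com = server:223.5.5.5
# TestFlight resolution (Google DNS often fixes the endless loading spinner)
*.testflight.apple.com = server:8.8.4.4
# FCM push (Google Core)
# NOTE(review): mtalk.google.com is pinned to a fixed IP address; the mapping
# goes stale if that address changes, so re-check it periodically.
mtalk.google.com = 108.177.125.188
dl.google.com = server:119.29.29.29
update.googleapis.com = server:119.29.29.29
# Router admin pages: ASUS, Xiaomi, TP-Link, Tenda, Linksys, Netgear, Synology, etc.
*.lan = server:system
*.local = server:system
router.asus.com = server:system
www.miwifi.com = server:system
miwifi.com = server:system
router.synology.com = server:system
tplogin.cn = server:system
melogin.cn = server:system
falogin.cn = server:system
tplinklogin.net = server:system
orbilogin.com = server:system
routerlogin.net = server:system
# Keep local filtering software such as AdGuard from forming a resolution loop with the Surge engine
injections.adguard.org = server:system
local.adguard.org = server:system
*.bogon = server:system
# CUSTOM HOST

[URL Rewrite]
# Block common analytics and tracking paths
^https?://.*/(track|analytics|stat)/ REJECT
# Domain redirect: g.cn -> google.com
# (the dot after "www" is escaped so that it matches a literal "." only)
^https?://(www\.)?(g|google)\.cn https://www.google.com 307
# Force HTTPS on some e-commerce sites
^https?:\/\/(www\.)?taobao\.com\/ https://taobao.com/ 302
^https?:\/\/(www\.)?jd\.com\/ https://www.jd.com/ 302
# AbemaTV unlock
^https?://api\.abema\.io/v\d/ip/check - reject
# CUSTOM URL

[Header Rewrite]
# Replace Accept-Language with en-us to avoid GitHub's 429 rate limiting of
# requests from certain regions. Applies to the GitHub site, raw content and gists.
http-request ^https://(www\.)?github\.com/ header-replace Accept-Language "en-us"
http-request ^https://(raw|gist)\.githubusercontent\.com/ header-replace Accept-Language "en-us"

[SSID Setting]
# TFO on cellular: force-disable it to avoid carrier interference
TYPE:CELLULAR tfo-behaviour=force-disabled
# Suspend Surge automatically on a specific network (replace the SSID name by hand)
"SSID_NEED_SUSPEND" suspend=true

[MITM]
# Enable HTTP/2 decryption
h2 = true
# A CA certificate must first be generated and installed from within the Surge app.
# Keep upstream certificate verification on. With this set to true Surge accepts
# any certificate from the real server for the decrypted hosts below (github.com
# among them), so an on-path party could impersonate those hosts unnoticed.
# Set it to true only temporarily, in a test environment with self-signed servers.
skip-server-cert-verify = false
# Hostnames to decrypt (extended wildcards)
hostname = %APPEND% g.cn, www.g.cn, google.cn, www.google.cn, api.abema.io, union.click.jd.com, github.com, *.githubusercontent.com, -CUSTOMMitM

[Panel]
# Script panel: one-tap DNS flush
flushDNS = script-name=flushDNS,update-interval=-1

[Script]
# DNS utility script.
# NOTE(review): the script is loaded from a mutable branch (master) of a
# third-party repository and runs inside Surge; review its content and prefer a
# copy you host or a reviewed, fixed revision.
flushDNS = type=generic,timeout=10,script-path=https://raw.githubusercontent.com/zZPiglet/Task/master/asset/flushDNS.js,argument=icon=wand.and.stars.inverse&color=#3d3d5b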