Clash Config File config.yaml Comprehensive Guide
The power of Clash lies in its highly customizable configuration system. Whether it is the open-source core (Clash Meta) or various GUI clients (Clash for Windows, Clash Verge, etc.), its core operating logic is determined by the config.yaml file.
Mastering the writing of configuration files allows you to precisely control the direction of network traffic, realizing advanced functions such as ad blocking, domestic and foreign traffic splitting, and automatic failover.
💡 Tip
Clash configuration files use YAML syntax. YAML is very sensitive to indentation. You must use spaces for indentation (usually 2 spaces), and Tab keys are strictly prohibited.
1. General Settings
This part determines the basic running behavior of Clash, such as listening ports, allowing LAN connections, log levels, etc.
# HTTP(S) proxy port
port: 7890
# SOCKS5 proxy port
socks-port: 7891
# Mixed port (HTTP and SOCKS5 share one port), usually recommended to use this instead of the above two
mixed-port: 7890
# Allow other devices in the LAN to connect (required for mobile phones/TV boxes to connect to computer proxy)
allow-lan: true
# Bind IP, only effective when allow-lan is true
# '*' means bind all network cards, or specify a specific IP such as 192.168.1.100
bind-address: '*'
# Running mode
# rule: Rule mode (most common, traffic direction based on rules)
# global: Global mode (all traffic goes through proxy)
# direct: Direct mode (all traffic does not go through proxy)
mode: rule
# Log level
# info / warning / error / debug / silent
log-level: info
# Whether to enable IPv6 support
ipv6: false
# External controller (API), mainly for panel control (such as Dashboard)
external-controller: 127.0.0.1:9090
# Secret for external controller (optional)
secret: ""2. DNS Configuration (DNS)
DNS is the most complex and critical part of Clash configuration. Incorrect DNS configuration can lead to slow access to domestic websites, inability to access, or DNS pollution.
dns:
# Whether to enable Clash built-in DNS server
enable: true
# Listening port (port for handling DNS requests)
listen: 0.0.0.0:53
# Running mode
# fake-ip: Returns virtual IP, greatly improves response speed, prevents DNS pollution (recommended)
# redir-host: Real IP resolution, more traditional, but may be slower in some environments
enhanced-mode: fake-ip
# Fake-IP filter pool (these domains will not return Fake-IP, but real resolution)
# Usually used to solve the problem that some LAN devices or specific applications cannot identify Fake-IP
fake-ip-filter:
- '*.lan'
- '*.local'
- localhost.ptlogin2.qq.com
# Default DNS, used to resolve the IP of DoH/DoT domain names filled in nameserver below
# Must be in IP format, try to use stable domestic DNS
default-nameserver:
- 223.5.5.5
- 119.29.29.29
# Main DNS servers
# Search process: Clash will concurrently initiate resolution requests to all servers here
nameserver:
- https://doh.pub/dns-query
- https://dns.alidns.com/dns-query
# Fallback DNS servers
# Only when the resolution result of the server in nameserver is a foreign IP (non-CN),
# will the resolution result in fallback be adopted (usually fallback fills in foreign DNS)
# Logic: Request nameserver and fallback at the same time -> Get nameserver result -> Determine if it is CN IP -> If yes, return directly, otherwise wait for fallback result
fallback:
- https://1.1.1.1/dns-query
- https://dns.google/dns-query
# Forced fallback domains
# Regardless of whether the nameserver result is a CN IP, as long as the domain name matches the list, it must wait for the fallback result
fallback-filter:
geoip: true # As long as the geographical location of the IP resolved by nameserver is not CN, use fallback result
ipcidr: # IPs in this network segment are considered polluted, forced to use fallback
- 240.0.0.0/43. Proxies
Here, specific proxy server information is defined. Usually automatically generated by subscription, it is not recommended to fill in manually one by one. But understanding the format helps to troubleshoot problems.
proxies:
- name: "Shadowsocks Node"
type: ss
server: server.com
port: 443
cipher: chacha20-ietf-poly1305
password: "password"
udp: true
- name: "VMess Node"
type: vmess
server: server.com
port: 443
uuid: "uuid-string"
alterId: 0
cipher: auto
# network: ws
# ws-opts:
# path: /path
# headers:
# Host: v2ray.com
- name: "Trojan Node"
type: trojan
server: server.com
port: 443
password: "password"
udp: true
sni: example.com4. Proxy Groups
Strategy groups are the soul of Clash. Through it, you can "package" different nodes into a strategy for rules to reference.
Common strategy group types:
- select: Manual selection.
- url-test: Automatic speed test, choose the node with the lowest latency.
- fallback: Failover, detect in order, if the first one fails, automatically switch to the second one.
- load-balance: Load balancing.
proxy-groups:
# 1. Node Selection Group (Manual Switch)
- name: 🚀 Proxy
type: select
proxies:
- ♻️ Auto
- 🇭🇰 HK Node
- 🇺🇸 US Node
- DIRECT # Direct connection
# 2. Auto Speed Test Group (Use whichever is faster)
- name: ♻️ Auto
type: url-test
url: http://www.gstatic.com/generate_204 # Test address
interval: 300 # Test interval (seconds)
tolerance: 50 # Tolerance (ms), switch only when the delay difference between new and old nodes is greater than this value to prevent frequent jumping
proxies:
- 🇭🇰 HK Node
- 🇺🇸 US Node
# 3. Nodes here are usually names defined in proxies above
# Can also reference other group names (nesting strategy groups)
- name: 🍎 Apple
type: select
proxies:
- DIRECT
- 🚀 Proxy5. Rules
Rules determine which strategy group the access goes through. Clash matches rules in order from top to bottom, and stops once a match is successful.
Basic Syntax: Type,Parameter,Strategy Group
rules:
# 1. Domain Keyword Match
- DOMAIN-KEYWORD,google,🚀 Proxy
# 2. Domain Suffix Match (Most Common)
- DOMAIN-SUFFIX,youtube.com,🚀 Proxy
- DOMAIN-SUFFIX,cn,DIRECT # All ending with .cn direct connect
# 3. Full Domain Match
- DOMAIN,www.baidu.com,DIRECT
# 4. GEOIP Database Match (Country Code)
# Only matches when DNS resolution result is CN IP
# If no-resolve is enabled, DNS resolution is not performed, directly skipped (for IP rules)
- GEOIP,CN,DIRECT
- GEOIP,US,🚀 Proxy
# 5. IP CIDR Match
- IP-CIDR,127.0.0.0/8,DIRECT
- IP-CIDR,192.168.0.0/16,DIRECT
# 6. Source IP Match (Specific devices in LAN go through specific nodes)
- SRC-IP-CIDR,192.168.1.201/32,DIRECT
# 7. Port Match
- DST-PORT,80,DIRECT
# 8. Final Match (Must be placed at the end)
# If none of the above match, go through this
- MATCH,🐟 Final6. Rule Providers (Advanced)
When there are thousands of rules, writing them in config.yaml can be very bloated and difficult to maintain. rule-providers allow you to reference external rule files (local or remote) and update them like strategy groups.
rule-providers:
# Define a rule set named "reject_list"
reject_list:
type: http
behavior: domain
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/reject.txt"
path: ./ruleset/reject.list
interval: 86400 # Auto update interval (seconds)
# Define domestic IP rule set
cn_ip:
type: http
behavior: ipcidr
url: "https://cdn.jsdelivr.net/gh/Loyalsoldier/clash-rules@release/cncidr.txt"
path: ./ruleset/cncidr.list
interval: 86400
rules:
# Reference Provider in Rules
- RULE-SET,reject_list,REJECT
- RULE-SET,cn_ip,DIRECT
- GEOIP,CN,DIRECT
- MATCH,🚀 Proxy7. Configuration Structure Summary
If you want to write from scratch, you can refer to this simple rule template: Clash Simple Config Template.
⚠️ Precautions
- Indentation: Ensure correct hierarchy, sub-items indented by two spaces.
- Colon: Usually a space follows the colon (
key: value). - Encoding: Ensure the file is saved in
UTF-8encoding, otherwise Chinese comments or node names will be garbled.