Basics
This page covers the flat top-level keys of the YAML document — listener ports, access control, networking flags, and routing-mode selection. They all live directly on RawConfig and are wired through to runtime in config/config.go.
Options
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
| `port` | `int` | `0` | `0` \| `<port>` | HTTP-proxy listen port. 0 disables. |
| `socks-port` | `int` | `0` | `0` \| `<port>` | SOCKS5 listen port. 0 disables. |
| `redir-port` | `int` | `0` | `0` \| `<port>` | Linux REDIRECT inbound port (iptables NAT). 0 disables. |
| `tproxy-port` | `int` | `0` | `0` \| `<port>` | Linux TPROXY inbound port (iptables mangle). 0 disables. |
| `mixed-port` | `int` | `0` | `0` \| `<port>` | Multiplexed port serving HTTP and SOCKS5 on the same listener. 0 disables. |
| `inbound-tfo` | `bool` | `false` | `true` \| `false` | Enable TCP Fast Open on inbound listeners (Linux only). |
| `inbound-mptcp` | `bool` | `false` | `true` \| `false` | Enable Multipath TCP on inbound listeners (Linux only). |
| `authentication` | `[]string` | `[]` | `<user:pass>` | Allow-list of HTTP/SOCKS authentication credentials. Empty disables auth. |
| `skip-auth-prefixes` | `[]netip.Prefix` | `[]` | `<CIDR>` | Source-IP prefixes that bypass authentication. |
| `lan-allowed-ips` | `[]netip.Prefix` | `[]` | `<CIDR>` | When allow-lan is true, restrict access to these source-IP prefixes. |
| `lan-disallowed-ips` | `[]netip.Prefix` | `[]` | `<CIDR>` | When allow-lan is true, deny access from these source-IP prefixes. |
| `allow-lan` | `bool` | `false` | `true` \| `false` | Bind listeners on 0.0.0.0 / :: instead of 127.0.0.1. |
| `bind-address` | `string` | `*` | `*` \| `<address>` | Override the bind address; * matches the allow-lan choice. |
| `mode` | `T.TunnelMode` | `rule` | `rule` \| `global` \| `direct` | Tunnel decision policy. `rule` uses the rules list; `global` sends everything through GLOBAL; `direct` bypasses proxies entirely. |
| `unified-delay` | `bool` | `false` | `true` \| `false` | Subtract the TLS handshake time from the URL-test latency so latency comparison is fair across proxies. |
| `ipv6` | `bool` | `false` | `true` \| `false` | Master IPv6 toggle. When false, AAAA records are filtered out and IPv6 routing is disabled. |
| `interface-name` | `string` | (auto) | `<interface>` | Bind all outbound dials to this interface (e.g. eth0). |
| `routing-mark` | `int` | `0` | `<uint32>` | Linux SO_MARK applied to outbound sockets. 0 disables. |
| `tcp-concurrent` | `bool` | `false` | `true` \| `false` | Race A and AAAA dials for each connection and use whichever connects first (Happy Eyeballs style). |
| `find-process-mode` | `process.FindProcessMode` | `strict` | `strict` \| `always` \| `off` | How aggressively to look up the originating process for routing (`PROCESS-NAME` rules). |
| `global-client-fingerprint` | `string` | (removed) | `<utls fingerprint>` | Removed and ignored. Set `client-fingerprint` directly on each proxy instead. |
| `global-ua` | `string` | `clash.meta/<version>` | `<string>` | Default User-Agent for subscription and asset downloads. |
| `etag-support` | `bool` | `true` | `true` \| `false` | Honor ETag headers when refetching subscription URLs. |
| `keep-alive-idle` | `int` | `0` | `<seconds>` | TCP keepalive idle time. 0 falls back to the OS default. |
| `keep-alive-interval` | `int` | `0` | `<seconds>` | TCP keepalive probe interval. 0 falls back to the OS default. |
| `disable-keep-alive` | `bool` | `false` | `true` \| `false` | Disable TCP keepalive entirely. |
Source: config/config.go:393-460 · pinned at v1.19.27 (5184081)
Example
```yaml
mode: rule
mixed-port: 7890
allow-lan: false
bind-address: '*'
ipv6: false
unified-delay: true
tcp-concurrent: true
find-process-mode: strict
global-ua: my-mihomo/1.0
keep-alive-idle: 600
keep-alive-interval: 30
```

Notes

- `port` / `socks-port` / `mixed-port` are mutually compatible — you can expose all three, but doubling up the HTTP role on both `port` and `mixed-port` wastes a listener.
- The `bind-address` value `*` is special-cased: it means "use the current `allow-lan` decision" (`0.0.0.0` if true, `127.0.0.1` if false).
- `find-process-mode: always` makes the router invoke the per-platform process-lookup syscall on every connection, which is expensive on busy macOS / Windows systems. Prefer `strict` (the default) unless PROCESS-NAME rules are critical.
- `global-client-fingerprint` has been removed: it is now parsed but ignored. Set `client-fingerprint` directly on each proxy entry instead.
- The config file may be age-encrypted. Before parsing the YAML, mihomo attempts to decrypt the file with `age`; if it is encrypted, it is decrypted transparently at load and the plaintext YAML is parsed as usual. Plain (unencrypted) config files are loaded unchanged.
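The access-control keys in the table combine into the listener's real exposure. The Go sketch below is an added example, not mihomo's own code: it resolves `bind-address: '*'` as the note above describes and flags two risky combinations. The `Basics` struct and the `EffectiveBind` and `Audit` functions are hypothetical names, and it assumes an explicit `bind-address` is used as written and that an empty value behaves like the default `*`.

```go
package main

import (
	"fmt"
	"net/netip"
)
// Basics holds a few top-level keys from the table (hypothetical struct, not mihomo's RawConfig).
type Basics struct {
	Ports            []int  // port, socks-port, redir-port, tproxy-port, mixed-port
	AllowLan         bool   // allow-lan
	BindAddress      string // bind-address; "" is treated like the default "*" (assumption)
	Authentication   []string
	SkipAuthPrefixes []netip.Prefix
	LanAllowedIPs    []netip.Prefix
}

// EffectiveBind resolves "*" as the notes describe; other values are taken literally (assumption).
func EffectiveBind(c Basics) string {
	if c.BindAddress != "" && c.BindAddress != "*" {
		return c.BindAddress
	}
	if c.AllowLan {
		return "0.0.0.0"
	}
	return "127.0.0.1"
}

// Audit returns one finding per risky combination of access-control keys.
func Audit(c Basics) (out []string) {
	listening := false
	for _, p := range c.Ports {
		listening = listening || p != 0 // 0 disables a listener
	}
	bind := EffectiveBind(c)
	addr, err := netip.ParseAddr(bind) // non-IP values count as exposed (conservative)
	exposed := listening && (err != nil || !addr.IsLoopback())
	if exposed && len(c.Authentication) == 0 && len(c.LanAllowedIPs) == 0 {
		out = append(out, "open-listener: "+bind+" without authentication or lan-allowed-ips")
	}
	for _, p := range c.SkipAuthPrefixes {
		if len(c.Authentication) > 0 && p.Bits() == 0 {
			out = append(out, "auth-bypass: skip-auth-prefixes "+p.String()+" matches every source in its family")
		}
	}
	return out
}

func main() { // constructed sample: the Example's mixed-port with allow-lan switched on
	fmt.Println(Audit(Basics{Ports: []int{7890}, AllowLan: true, BindAddress: "*"}))
}
```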
