Sniffer
The sniffer block looks at the early bytes of each connection to recover a destination hostname when DNS context is unavailable (typically because the client opened a connection directly to an IP). The result feeds routing rules and fake-IP cleanup.
Options
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
| `enable` | bool | `false` | `true`, `false` | Turn connection sniffing on. When off, the rest of the block is ignored. |
| `override-destination` | bool | `false` | `true`, `false` | Replace the destination IP in the connection metadata with the sniffed hostname. When true, routing rules see the hostname instead of the raw IP. |
| `sniffing` | []string | `[]` | `tls`, `http`, `quic` | Sniffers to enable. Deprecated; prefer the per-protocol `sniff` map below. |
| `force-domain` | []string | `[]` | `<domain pattern>` | Force sniffing on connections to these destinations even if the protocol is already known. |
| `skip-src-address` | []string | `[]` | `<CIDR>` | Never sniff connections originating from these source addresses. |
| `skip-dst-address` | []string | `[]` | `<CIDR>` | Never sniff connections destined to these addresses. |
| `skip-domain` | []string | `[]` | `<domain pattern>` | Never overwrite the destination if the sniffed value matches one of these patterns. |
| `port-whitelist` | []string | `[]` | `<port>`, `<port-range>` | Only sniff connections whose destination port falls in this list. An empty list means all ports. |
| `force-dns-mapping` | bool | `false` | `true`, `false` | When a fake-IP lookup fails to map back, fall back to sniffing to recover the hostname. |
| `parse-pure-ip` | bool | `false` | `true`, `false` | Sniff connections whose destination is already an IP literal (i.e., no DNS lookup happened). |
| `sniff` | map[string]RawSniffingConfig | `{}` | `{ "TLS": {...}, "HTTP": {...}, "QUIC": {...} }` | Per-protocol sniffer configuration. Keys are `TLS`, `HTTP`, or `QUIC`; values are `RawSniffingConfig` blocks with port overrides. |
Source: config/config.go:364-377 · pinned at v1.19.27 (5184081)
Example
```yaml
sniffer:
  enable: true
  override-destination: true
  parse-pure-ip: true
  force-dns-mapping: true
  skip-domain:
    - +.push.apple.com
  sniff:
    TLS:
      ports: [443, 8443]
    HTTP:
      ports: [80, 8080]
      override-destination: true
    QUIC:
      ports: [443]
```
Notes
- `sniffing` (the array) is the legacy form; the `sniff` map is the preferred shape because it carries per-protocol port lists.
- Always include high-volume CDN domains in `skip-domain` to keep the proxy chain stable; otherwise SNI churn can flap proxy selection.
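As an added illustration (not code from the project), the following Python models how the global fields above interact: the `skip-*-address` lists and `port-whitelist` gate whether a connection is sniffed at all, and `override-destination` plus `skip-domain` decide whether the routing rules see the raw IP or the sniffed hostname. The config dict is constructed for the example, and the `+.` / `*.` domain-pattern semantics are an assumption.

```python
import ipaddress

# Constructed sniffer config for this example (not a real deployment's file).
SNIFFER = {
    "enable": True,
    "override-destination": True,
    "skip-domain": ["+.push.apple.com", "*.internal.example"],
    "skip-src-address": ["192.168.1.0/24"],
    "skip-dst-address": ["10.0.0.0/8"],
    "port-whitelist": ["443", "8000-8999"],
}

def domain_matches(pattern, host):
    """Assumed pattern semantics: '+.x' matches x and every subdomain,
    '*.x' matches exactly one label under x, anything else is an exact match."""
    host = host.lower().rstrip(".")
    if pattern.startswith("+."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    if pattern.startswith("*."):
        base = pattern[2:]
        return host.endswith("." + base) and "." not in host[:-len(base) - 1]
    return host == pattern

def port_allowed(port, whitelist):
    """Empty whitelist means every port; entries are 'N' or 'N-M'."""
    def covers(entry):
        lo, _, hi = entry.partition("-")
        return int(lo) <= port <= int(hi or lo)
    return not whitelist or any(covers(e) for e in whitelist)

def in_cidrs(addr, cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

def should_sniff(cfg, src_ip, dst_ip, dst_port):
    """The skip-*-address lists and port-whitelist gate sniffing itself."""
    skipped = (not cfg.get("enable")
               or in_cidrs(src_ip, cfg.get("skip-src-address", []))
               or in_cidrs(dst_ip, cfg.get("skip-dst-address", [])))
    return not skipped and port_allowed(dst_port, cfg.get("port-whitelist", []))

def effective_destination(cfg, src_ip, dst_ip, dst_port, sniffed_host):
    """Destination the routing rules see once the sniffer has run."""
    if (sniffed_host is None or not cfg.get("override-destination")
            or not should_sniff(cfg, src_ip, dst_ip, dst_port)):
        return dst_ip
    if any(domain_matches(p, sniffed_host) for p in cfg.get("skip-domain", [])):
        return dst_ip
    return sniffed_host
```

Note that a connection to an address inside `skip-dst-address`, or from a source inside `skip-src-address`, keeps its IP even when a hostname could have been sniffed, which is what makes those lists useful for excluding internal ranges.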
