Surge Channel
Surge's only official channel: https://t.me/SurgeTestFlightFeed

The following were created by third parties:
Group link https://t.me/+TO9iLpyTE1FjZTM1
Group channel https://t.me/+nZUgB3lPosQ2Y2Y1
Forwarded from Surge Mac's Changelog
#Mac #Beta

Version 5.4.0-2408

* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.
* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example: Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100.
* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.
* Other improvements.
Forwarded from Surge Mac's Changelog
#Mac #Beta

Version 5.4.0-2409

Changelog identical to the 5.4.0-2408 entry above.
#iOS #TestFlight

Surge 5 5.21.0 (2884) is ready to test on iOS.

What to Test:

Surge iOS/macOS has always taken over system requests proxy-first, with the VIF as a supplement. This has several advantages:

1. When a request is taken over in proxy mode, the app and Surge communicate over a loopback socket; since no TCP reassembly is needed in userspace, proxy takeover is more efficient than VIF mode.
2. When a request is taken over through the HTTP proxy, it is guaranteed to be HTTP/HTTPS (with a few possible exceptions under HTTP CONNECT), so Surge can hand it straight to the HTTP/MITM engine. When the VIF takes it over instead, there is no way to be certain whether it is HTTP/HTTPS; Surge can only guess from the port number and packet characteristics.
3. Besides enabling the rewrite features, taking over with the HTTP engine lets Surge send the client's first data packet while the outbound connection is still being established, i.e. 0-RTT, which lowers handshake latency.

However, more and more apps are detecting the system proxy setting and refusing to work. This is a security measure that is neither professional nor necessary: on the one hand, a proxy setting is a very common configuration in large enterprises; on the other, even without a proxy setting, traffic can be hijacked or modified through a VIF or even an upstream router. An app that cares about traffic security should use measures such as certificate pinning properly instead of making life hard for users over proxy settings.

But because the number of proxy users is genuinely too small to influence vendor decisions, we have to compromise. Surge iOS will switch to a VIF-first takeover mode to get around this. During the current test phase this mode is forced; the proxy-first option will be reopened later. If an app no longer works properly after this version, please report it.

At the same time, the VIF engine's behaviour has been optimized for this change:

1. For requests to ports 80/443, Surge waits for the client to send its first data packet and then decides how to handle the connection based on whether it is a valid HTTP/TLS request. If it is not a valid HTTP request, or no first packet arrives within 300ms, the connection falls back to TCP forwarding mode. Requests to port 80 therefore no longer need the force-http-engine-hosts parameter.

2. TLS Client Hello messages are recognized automatically and the SNI is extracted; the next version will add SNI-based rules and MITM hostname matching.

Other notes:

1. Protocol auto-detection is currently enabled only for ports 80/443, because in some protocols the server sends data first (SSH, IMAP, FTP), and waiting for client data before proceeding would add unnecessary latency to those requests. HTTP requests on other ports that need the HTTP engine still require force-http-engine-hosts.

2. MITM still needs hostnames configured to be enabled, but the tcp-connection parameter is no longer needed; MITM applies to TCP requests by default.

3. After this change, HTTP/HTTPS requests taken over by the VIF are handled by the HTTP engine automatically, so their handshake latency drops compared with the previous manually configured VIF Only compatibility mode (early data can now be correctly recognized and constructed to complete a 0-RTT handshake, which was previously supported only in proxy mode).
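
The first-packet classification described in items 1 and 2 above, written as an added Python example (not Surge's code): it checks whether the first bytes on a port-80/443 connection form an HTTP/1.x request or a TLS ClientHello, extracts the Host or SNI, and falls back to raw TCP for anything else, for other ports, or when no first packet arrives within the 300ms window (server-speaks-first protocols such as SSH). The ClientHello builder is a constructed sample input; the function names are assumptions.

```python
import re
import struct
from typing import Optional, Tuple

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ",
                b"PATCH ", b"CONNECT ", b"TRACE ")
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")
FIRST_PACKET_TIMEOUT_MS = 300  # the fallback timeout quoted in the changelog


def http_host(data: bytes) -> Optional[str]:
    """Host header value if `data` starts a plain HTTP/1.x request, "" if the
    request has no Host header, None if this is not an HTTP request at all."""
    if not data.startswith(HTTP_METHODS) or not REQUEST_LINE.match(data):
        return None
    head = data.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return ""


def tls_sni(data: bytes) -> Optional[str]:
    """SNI from a TLS ClientHello, "" if the hello carries none, None if `data`
    is not a complete ClientHello. Truncated/malformed input yields None."""
    try:
        if data[0] != 0x16 or data[1] != 0x03:      # handshake record, TLS 1.x
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if body[0] != 0x01:                         # handshake type ClientHello
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        pos = 2 + 32                                # client_version + random
        pos += 1 + hello[pos]                       # session id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher suites
        pos += 1 + hello[pos]                       # compression methods
        if pos >= len(hello):
            return ""                               # no extensions block at all
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:                  # server_name extension
                # list length (2) | name type (1) | name length (2) | name
                name_len = struct.unpack("!H", hello[pos + 3:pos + 5])[0]
                return hello[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
        return ""
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def classify(first_packet: Optional[bytes], port: int) -> Tuple[str, Optional[str]]:
    """(engine, hostname) with engine "http", "tls" or "tcp". `first_packet` is
    None when nothing arrived within FIRST_PACKET_TIMEOUT_MS, which is what a
    server-speaks-first protocol such as SSH looks like to the VIF engine."""
    if port not in (80, 443) or first_packet is None:
        return "tcp", None
    host = http_host(first_packet)
    if host is not None:
        return "http", host
    sni = tls_sni(first_packet)
    if sni is not None:
        return "tls", sni
    return "tcp", None


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello, used only as sample input."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        exts = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    hello = (b"\x03\x03" + b"\x11" * 32           # version + random
             + b"\x00"                             # empty session id
             + b"\x00\x02\x13\x01"                 # one cipher suite
             + b"\x01\x00")                        # null compression only
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```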
#iOS #TestFlight

Surge 5 5.21.0 (2885) is ready to test on iOS.

What to Test:

Completed SNI-based MITM activation matching: MITM can now be enabled when the SNI appears in the MITM hostname list.
#iOS #TestFlight

Surge 5 5.21.0 (2887) is ready to test on iOS.

What to Test:

- The DOMAIN, DOMAIN-SUFFIX and DOMAIN-KEYWORD rules gain an optional parameter, extended-matching. When it is enabled, the rule also tries to match the SNI and the HTTP Host header (or :authority).
Tip: to match the SNI only, use an AND logical rule combined with a PROTOCOL,HTTPS rule.

- New network optimization switch: proxy takeover first. When enabled, it restores the proxy takeover mode of earlier versions.
Note: this option actually sets compatibility-mode to 1. To avoid confusion, the original compatibility mode setting and the skip-proxy settings UI have been removed, but both can still be configured in the text configuration.

The values of the compatibility-mode field are:
0: Auto (equals 1 in older versions, 3 in new versions)
1: System Proxy + VIF
2: System Proxy Only
3: VIF Only
4: System Proxy (via VIF) + VIF
5: System Proxy + VIF (No Default Route)

- Connections arriving via HTTP CONNECT now also get the automatic HTTP/TLS protocol detection added in the previous version.
- New parameter always-raw-tcp-hosts, which forcibly disables active protocol probing for specific hostnames; it is written the same way as force-http-engine-hosts.
- Fixed an issue where an invalid certificate could crash the keystore screen.
- Fixed an issue where the Ponte device option on the policy group page could appear without text.
- Added UI for the Include Cellular Services and Include APNS options to Advanced Settings.
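
How extended-matching changes what a DOMAIN rule can see, as an added Python model (not Surge's rule engine; the rule structures, class and function names are assumptions): under VIF-first takeover the destination is often a bare IP, so a plain DOMAIN-SUFFIX rule cannot match, while the same rule with extended-matching matches on the SNI or Host header, and the AND with PROTOCOL,HTTPS pattern from the tip restricts that to TLS connections.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple, Union


@dataclass
class Conn:
    """What the rule engine knows about one connection (constructed model)."""
    dest: str                        # hostname if Surge knows one, else the literal IP
    protocol: str                    # "HTTPS" (TLS seen), "HTTP" or "TCP"
    sni: Optional[str] = None        # extracted from the ClientHello, TLS only
    http_host: Optional[str] = None  # Host header or :authority, HTTP only


@dataclass
class DomainRule:
    kind: str                        # "DOMAIN", "DOMAIN-SUFFIX" or "DOMAIN-KEYWORD"
    value: str
    extended_matching: bool = False  # also try SNI / Host, as the new parameter does


@dataclass
class ProtocolRule:
    value: str                       # e.g. "HTTPS"


@dataclass
class AndRule:
    parts: Sequence["Rule"]          # models Surge's AND,((...),(...)) logical rule


Rule = Union[DomainRule, ProtocolRule, AndRule]


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _domain_hit(kind: str, value: str, host: str) -> bool:
    host, value = host.lower().rstrip("."), value.lower()
    if kind == "DOMAIN":
        return host == value
    if kind == "DOMAIN-SUFFIX":
        return host == value or host.endswith("." + value)
    if kind == "DOMAIN-KEYWORD":
        return value in host
    raise ValueError(f"unknown rule type {kind}")


def matches(rule: Rule, conn: Conn) -> bool:
    if isinstance(rule, DomainRule):
        # Without extended-matching only the destination hostname counts, so a
        # VIF connection whose destination is a bare IP can never hit the rule.
        candidates = [] if _is_ip(conn.dest) else [conn.dest]
        if rule.extended_matching:
            candidates += [h for h in (conn.sni, conn.http_host) if h]
        return any(_domain_hit(rule.kind, rule.value, h) for h in candidates)
    if isinstance(rule, ProtocolRule):
        return conn.protocol.upper() == rule.value.upper()
    if isinstance(rule, AndRule):
        return all(matches(p, conn) for p in rule.parts)
    raise TypeError(type(rule))


def first_match(rules: Sequence[Tuple[Rule, str]], conn: Conn) -> str:
    """Rules are evaluated top to bottom; the first hit decides the policy."""
    for rule, policy in rules:
        if matches(rule, conn):
            return policy
    return "FINAL"


# Constructed rule set: a plain suffix rule, the "SNI only" pattern from the
# tip (AND with PROTOCOL,HTTPS), and an extended-matching suffix rule.
RULES = [
    (DomainRule("DOMAIN-SUFFIX", "example.com"), "Proxy-Plain"),
    (AndRule([ProtocolRule("HTTPS"),
              DomainRule("DOMAIN-SUFFIX", "example.com", extended_matching=True)]),
     "Proxy-TLS"),
    (DomainRule("DOMAIN-SUFFIX", "example.com", extended_matching=True), "Proxy-Ext"),
]
```

Note that SNI and Host are supplied by the client app; for a local proxy that is the same party whose traffic is being routed, but it is why the original DOMAIN rules were keyed on the destination hostname alone.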
#iOS #TestFlight

Surge 5 5.21.0 (2888) is ready to test on iOS.

What to Test:

Fixed incomplete data transmission when using a proxy with TFO enabled and the first data segment is too large.

Details:
Once protocol auto-detection was added, Telegram's fake-TLS protocol could also use 0-RTT/TFO acceleration, but because the first data segment Telegram produces exceeds what a standard MTU (1500B) can carry, Surge failed to send that segment in full.
#iOS #TestFlight

Surge 5 5.21.0 (2890) is ready to test on iOS.

What to Test:

- Fixed the extended-matching flag in logical rules being lost when the configuration was written.
- Improved HTTP engine compatibility; fixed compatibility issues with some not-quite-standard self-implemented HTTP clients (such as Douyin).
- Added a UI setting for the udp-policy-not-supported-behaviour parameter.

- Since the new version defaulted to VIF-only takeover, some apps and browsers have started trying to connect over QUIC/UDP. Forwarding QUIC traffic through a TCP-based proxy, however, can cause performance problems and unnecessary traffic waste, while QUIC does have its advantages on direct connections. And writing rules by hand to block only the QUIC traffic bound for proxies would be very complicated.

Therefore, all proxy policies gain a new parameter, block-quic, which can be set to auto (default), on or off. When enabled, QUIC traffic encountered while using that policy is automatically answered with REJECT-NO-DROP so that the client falls back to an HTTPS/TCP connection.

For the TUIC/Hysteria/WireGuard/Vector (Ponte) protocols, auto allows QUIC traffic; for all other proxy protocols, auto disallows it.

- QUIC traffic that hits an MITM hostname is likewise rejected automatically.

Since many features and parameters have been added recently, some users have asked how the new parameters should be configured. By design, we have tried to make sure that every parameter's default is our recommended setting. So unless you have a definite need for a particular parameter, leaving it unconfigured (not editing the configuration, keeping the UI defaults) is the most recommended setup.

The exceptions are parameters such as ECN and TFO that depend on network support; test whether your network supports them before enabling them by hand.
#iOS #TestFlight

Surge 5 5.21.0 (2891) is ready to test on iOS.

What to Test:

- Fixed the block-quic parameter not being read correctly (once again, changing this parameter is not recommended unless you have a specific need).
#iOS #TestFlight

Surge 5 5.21.0 (2892) is ready to test on iOS.

What to Test:

- Fixed block-quic not being written correctly after the UI adjustment.
- The default block-quic behaviour for the Hysteria protocol has been changed to block, because the current Hysteria2 protocol cannot forward QUIC traffic correctly; this needs a later server-side update.
Forwarded from Surge Mac's Changelog
#Mac #Beta

Version 5.4.0-2410

* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.

* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example: Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100.

* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.

* Added automatic recognition of HTTP/HTTPS protocols

1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.

* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.

* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.

For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.

* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.

* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.

* Other improvements.
#tvOS #TestFlight

Surge 5 5.21.0 (2893) is ready to test on tvOS.

What to Test:

Synced the recent iOS updates; see the iOS changelog for details.

Also, we have opened a new Telegram channel for quickly publishing beta update information:
https://t.me/SurgeTestFlightFeed
#iOS #TestFlight

Surge 5 5.21.0 (2900) is ready to test on iOS.

What to Test:

We have opened a new Telegram channel for quickly publishing beta update information:
https://t.me/SurgeTestFlightFeed

- When testing a Ponte policy, the test URL is now internet-test-url instead of proxy-test-url.
- ECN is now supported on IPv6 networks.
- As recommended by the WireGuard protocol specification, WireGuard handshake packets are now marked with DSCP 0x88 (AF41) to improve the handshake success rate.
- When forwarding UDP packets over WireGuard, packets inside the tunnel now keep their TOS (DSCP/ECN) marks.
- As recommended by the WireGuard protocol specification, Surge copies the ECN mark of packets inside the tunnel to the outer packets. When packets carrying ECN marks are received, they are merged strictly according to RFC 6040. (Requires ecn=true on the WG policy.)
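
The ECN copy and merge behaviour described in the last two items, as an added Python example (not Surge's code): the RFC 6040 encapsulation and decapsulation tables applied to the TOS byte, plus the AF41 handshake mark. Leaving the outer DSCP of data packets at 0, and all function names, are assumptions.

```python
from typing import Optional, Tuple

# ECN codepoints: the low two bits of the IP TOS / traffic-class byte (RFC 3168)
NOT_ECT, ECT1, ECT0, CE = 0b00, 0b01, 0b10, 0b11
AF41 = 34          # DSCP AF41; placed in the TOS byte it is 34 << 2 == 0x88
ECN_NAMES = {NOT_ECT: "Not-ECT", ECT1: "ECT(1)", ECT0: "ECT(0)", CE: "CE"}


def tos_byte(dscp: int, ecn: int) -> int:
    return (dscp << 2) | (ecn & 0b11)


def split_tos(tos: int) -> Tuple[int, int]:
    return tos >> 2, tos & 0b11


def encap_ecn(inner_ecn: int, ecn_enabled: bool) -> int:
    """RFC 6040 sec. 4.1: in normal mode the outer header copies the inner ECN
    field; with ECN disabled (compatibility mode) the outer header is Not-ECT."""
    return inner_ecn if ecn_enabled else NOT_ECT


def decap_ecn(inner_ecn: int, outer_ecn: int) -> Tuple[Optional[int], bool]:
    """RFC 6040 sec. 4.2 decapsulation table. Returns (ECN to write into the
    inner header, or None meaning drop the packet; True if the combination is
    one the RFC marks as unexpected and worth logging)."""
    if inner_ecn == NOT_ECT:
        # The inner sender never opted in, so a congestion mark cannot be
        # delivered to it: a CE outer header must be dropped, not forwarded.
        if outer_ecn == NOT_ECT:
            return NOT_ECT, False
        return (None, True) if outer_ecn == CE else (NOT_ECT, True)
    if outer_ecn == CE:
        return CE, False                       # congestion seen inside the tunnel
    if inner_ecn == ECT0:
        return (ECT1 if outer_ecn == ECT1 else ECT0), False
    if inner_ecn == ECT1:
        return ECT1, outer_ecn == ECT0         # ECT(0) outer over ECT(1) inner is odd
    return CE, outer_ecn == ECT1               # inner CE; ECT(1) outer is odd


def handshake_tos() -> int:
    """Outer TOS for a handshake packet: DSCP AF41 with no ECN, i.e. 0x88."""
    return tos_byte(AF41, NOT_ECT)


def wrap(inner_tos: int, ecn_enabled: bool, outer_dscp: int = 0) -> int:
    """Outer TOS for a tunnelled data packet: only the ECN field is copied from
    the inner header; the inner DSCP is not (assumed here, not stated)."""
    _, inner_ecn = split_tos(inner_tos)
    return tos_byte(outer_dscp, encap_ecn(inner_ecn, ecn_enabled))


def unwrap(inner_tos: int, outer_tos: int) -> Tuple[Optional[int], bool]:
    """Inner TOS after decapsulation (None = drop) and the anomaly flag."""
    inner_dscp, inner_ecn = split_tos(inner_tos)
    _, outer_ecn = split_tos(outer_tos)
    new_ecn, odd = decap_ecn(inner_ecn, outer_ecn)
    return (None if new_ecn is None else tos_byte(inner_dscp, new_ecn)), odd


def decap_table() -> str:
    """Render the full 4x4 decapsulation table for eyeballing against RFC 6040."""
    rows = ["inner \\ outer | " + " | ".join(ECN_NAMES[o] for o in range(4))]
    for inner in range(4):
        cells = []
        for outer in range(4):
            res, odd = decap_ecn(inner, outer)
            cells.append(("drop" if res is None else ECN_NAMES[res]) + ("!" if odd else ""))
        rows.append(f"{ECN_NAMES[inner]:13} | " + " | ".join(cells))
    return "\n".join(rows)
```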

Bug fixes:
- When performing MITM on an HTTPS request made directly to an IP address, the IP address should not be sent as the SNI; doing so could cause compatibility issues.
- The block-udp parameter of WireGuard policies could not be changed through the UI.
- Fixed an issue where the ECN support added in recent versions prevented the TUIC/Vector protocols from performing PMTU discovery, slightly reducing performance and leaving them unable to carry QUIC traffic.
Forwarded from Surge Mac's Changelog
#Mac #Beta

Version 5.4.0-2417

Changelog identical to the 5.4.0-2410 entry above.
Forwarded from Surge Mac's Changelog
#Mac #Beta

Version 5.4.0-2419

Changelog identical to the 5.4.0-2410 entry above.
#iOS #TestFlight

Surge 5 5.21.0 (2904) is ready to test on iOS.

What to Test:

Bug fixes:
- QUIC requests could not be sent correctly on some low-MTU networks.
- After the recent architecture change, proxy protocols that support connection multiplexing, such as Snell/TUIC/Hysteria2, were rebuilding the session for every request.
Forwarded from Surge Mac's Changelog
#Mac #Beta

Version 5.4.0-2420

Changelog identical to the 5.4.0-2410 entry above.
Forwarded from Surge Mac's Changelog
#Mac #Beta

Version 5.4.0-2423

Changelog identical to the 5.4.0-2410 entry above.
Forwarded from Surge Mac's Changelog
#Mac #Beta

Version 5.4.0-2424

Changelog identical to the 5.4.0-2410 entry above.
Forwarded from Surge Mac's Changelog
#Mac #Beta

Version 5.4.0-2425

Changelog identical to the 5.4.0-2410 entry above.