#iOS #TestFlight

Surge 5 5.21.0 (2888) is ready to test on iOS.

What to Test:

修正在使用开启 TFO 的代理时，当首个数据段过大时造成的数据发送不完整的问题

细节：
加入协议自识别后，Telegram 的伪 TLS 协议也可以使用 0-RTT/TFO 加速，但是由于 Telegram 产生的首个数据段超过了标准 MTU(1500B) 可容纳的大小，导致 Surge 未能正确将该数据段完全发送。

#iOS #TestFlight

Surge 5 5.21.0 (2890) is ready to test on iOS.

What to Test:

- 修正逻辑规则中的 extended-matching 标记在写入配置时会丢失的问题
- 提高了 HTTP 引擎的兼容性，修正了与某些不太规范的自实现 HTTP 客户端的兼容性问题（如抖音）
- udp-policy-not-supported-behaviour 参数加入了 UI 设置。

- 新版本默认使用仅 VIF 接管后，部分 App 和浏览器开始尝试使用 QUIC/UDP 建立连接。然而通过 TCP-based 的代理转发 QUIC 流量可能出现性能问题以及不必要的流量浪费。但是直连时 QUIC 又有其优势。而如果想自行编写规则仅阻止发往代理的 QUIC 流量将非常复杂。

因此，所有代理策略新增参数 block-quic，可设置为 auto（默认）、on、off。开启后，在使用该策略时若遇到 QUIC 流量，将自动使用 REJECT-NO-DROP 使其回退 HTTPS/TCP 连接。

对于 TUIC/Hysteria/WireGuard/Vector(Ponte) 协议，auto 下将允许 QUIC 流量，其余代理协议 auto 下为不允许。

- 对于命中了 MITM 主机名的 QUIC 流量，同样将自动拒绝。

由于近期增加了许多功能和参数，有用户询问新的参数推荐怎样配置。我们在设计中就已尽量保证，所有参数在默认情况下均为我们推荐的设置。所以除非你有明确使用某参数的需求，不配置参数（即不修改配置、UI 上保留默认值）就是最为推荐的设置。

但诸如 ECN、TFO 等需要网络环境支持的参数除外，需要自行测试网络支持后手动开启。

#iOS #TestFlight

Surge 5 5.21.0 (2891) is ready to test on iOS.

What to Test:

- 修正 block-quic 参数未能被正确读取的问题（再次提示，没有特殊需要的情况下不建议修改该参数）

#iOS #TestFlight

Surge 5 5.21.0 (2892) is ready to test on iOS.

What to Test:

- 修正 block-quic 参数 UI 调整后无法正确写入的问题
- Hysteria 协议的 block-quic 默认行为调整为阻止。因为目前的 Hysteria2 协议并不能正确转发 QUIC 流量，需等待后续服务端更新。

#Mac #Beta

Version 5.4.0-2410

* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.

* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example: Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100.

* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.

* Added automatic recognition of HTTP/HTTPS protocols

1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.

* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.

* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.

For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.

* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.

* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.

* Other improvements.

#tvOS #TestFlight

Surge 5 5.21.0 (2893) is ready to test on tvOS.

What to Test:

同步最近 iOS 版本的更新内容，详见 iOS 版本更新日志。

另外，我们开通了新的 Telegram Channel 用于快速发布测试版本更新信息：
https://t.me/SurgeTestFlightFeed

#iOS #TestFlight

Surge 5 5.21.0 (2900) is ready to test on iOS.

What to Test:

我们开通了新的 Telegram Channel 用于快速发布测试版本更新信息：
https://t.me/SurgeTestFlightFeed

- 对 Ponte 策略进行测试时，测试 URL 由 proxy-test-url 改为 internet-test-url。
- 支持了 IPv6 网络下的 ECN。
- 根据 WireGuard 协议标准推荐，现在 WireGuard 的握手数据包将打上 0x88 (AF41) 的 DSCP 标记以增加成功率。
- 通过 WireGuard 转发 UDP 数据包时，支持 tunnel 内数据包保留 TOS(DSCP/ECN) 标记了。
- 根据 WireGuard 协议标准推荐，Surge 将复制 tunnel 内数据包的 ECN 标记到 tunnel 外数据包上。收到含有 ECN 标记的数据包时，将严格按照 RFC6040 进行合并处理。（需要为 WG 策略配置 ecn=true）

Bug 修正：
- 在对使用 IP 地址直连的 HTTPS 请求进行 MITM 时，不应将 IP 地址作为 SNI 发送，这可能导致出现兼容性问题。
- WireGuard 策略无法通过 UI 修改 block-udp 参数
- 修正最近版本加入 ECN 支持后导致 TUIC/Vector 协议无法进行 PMTU，性能略微降低，且无法承载 QUIC 流量的问题

#Mac #Beta

Version 5.4.0-2417

* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.

* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example: Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100.

* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.

* Added automatic recognition of HTTP/HTTPS protocols

1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.

* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.

* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.

* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.

* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.

* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.

* Other improvements.

#Mac #Beta

Version 5.4.0-2419

* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.

* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example: Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100.

* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.

* Added automatic recognition of HTTP/HTTPS protocols

1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.

* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.

* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.

* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.

* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.

* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.

* Other improvements.

#iOS #TestFlight

Surge 5 5.21.0 (2904) is ready to test on iOS.

What to Test:

Bug 修正：
- 在部分低 MTU 网络下无法正确发出 QUIC 请求。
- 最近版本修改架构后，Snell/TUIC/Hysteria2 等支持连接复用的代理协议每个请求都会重建会话。

#Mac #Beta

Version 5.4.0-2420

* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.

* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example: Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100.

* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.

* Added automatic recognition of HTTP/HTTPS protocols

1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.

* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.

* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.

* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.

* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.

* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.

* Other improvements.

#Mac #Beta

Version 5.4.0-2423

* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.

* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example: Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100.

* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.

* Added automatic recognition of HTTP/HTTPS protocols

1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.

* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.

* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.

* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.

* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.

* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.

* Other improvements.

#Mac #Beta

Version 5.4.0-2424

* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.

* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example: Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100.

* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.

* Added automatic recognition of HTTP/HTTPS protocols

1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.

* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.

* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.

* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.

* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.

* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.

* Other improvements.

#Mac #Beta

Version 5.4.0-2425

* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.

* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example: Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100.

* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.

* Added automatic recognition of HTTP/HTTPS protocols

1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.

* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.

* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.

* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.

* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.

* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.

* Other improvements.

#iOS #TestFlight

Surge 5 5.21.0 (2908) is ready to test on iOS.

What to Test:

- 修正了多个小错误
- 优化了对一些非标准协议的兼容性（如 Telegram 持续 Loading 的问题，待确认是否有效）
- 优化了 TUIC-v5/Hysteria2 的 UDP 转发，加快了 ACK 的速度，解决一些情况下可能出现的降速问题

#Mac #Beta

Version 5.4.0-2426

* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.

* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example: Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100.

* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.

* Added automatic recognition of HTTP/HTTPS protocols

1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.

* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.

* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.

* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.

* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.

* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.

* Other improvements.

#Mac #Beta

Version 5.4.0-2427

* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.

* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example: Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100.

* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.

* Added automatic recognition of HTTP/HTTPS protocols

1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.

* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.

* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.

* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.

* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.

* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.

* Other improvements.

#iOS #TestFlight

Surge 5 5.21.0 (2909) is ready to test on iOS.

What to Test:

- 修正崩溃
- QUIC 相关优化

#Mac #Beta

Version 5.4.0-2429

* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.

* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example: Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100.

* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.

* Added automatic recognition of HTTP/HTTPS protocols

1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.

* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.

* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.

* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.

* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.

* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.

* Other improvements.

#Mac #Beta

Version 5.4.0-2431

* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.

* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example: Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100.

* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.

* Added automatic recognition of HTTP/HTTPS protocols

1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.

* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.

* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.

* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.

* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.

* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.

* Other improvements.