Forwarded from Surge TestFlight's Changelog
#iOS #TestFlight
Surge 5 5.21.0 (2892) is ready to test on iOS.
What to Test:
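- Fixed an issue where the block-quic parameter could not be written correctly after it was changed in the UI.
- The default block-quic behavior for the Hysteria protocol has been changed to block, because the current Hysteria2 protocol cannot forward QUIC traffic correctly; this awaits a later server-side update.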
Forwarded from Surge Mac's Changelog
#Mac #Beta
Version 5.4.0-2410
* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.
* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example:
Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100
* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.
* Added automatic recognition of HTTP/HTTPS protocols
1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.
* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.
* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections. For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.
* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.
* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.
* Other improvements.
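The first-packet detection described in the numbered items above, as an added example (not Surge's code and not part of the original changelog): it classifies the first client bytes on ports 80/443 as HTTP, a TLS ClientHello with its SNI, or raw TCP, applying the 300 ms fallback and an exclusion list in the style of always-raw-tcp-hosts. All function names and the result labels are hypothetical, and the ClientHello is a constructed sample.

```python
import struct

SNIFF_PORTS = {80, 443}          # detection is limited to these ports
FIRST_PACKET_TIMEOUT_MS = 300    # fallback threshold stated in the changelog
HTTP_METHODS = {b"GET", b"POST", b"PUT", b"HEAD", b"DELETE",
                b"OPTIONS", b"PATCH", b"CONNECT", b"TRACE"}


def parse_http_host(data):
    """Return the Host header ("" if absent), or None if not an HTTP/1.x request."""
    lines = data.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if (len(parts) != 3 or parts[0] not in HTTP_METHODS
            or not parts[2].startswith(b"HTTP/1.")):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return ""


def parse_client_hello(data):
    """Return the SNI ("" if absent), or None if not a complete TLS ClientHello."""
    try:
        # Record header: content type 0x16 (handshake), version (2), length (2).
        if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if body[0] != 0x01:                      # handshake type 1 = ClientHello
            return None
        pos = 4 + 2 + 32                         # handshake header, version, random
        pos += 1 + body[pos]                     # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                     # compression methods
        if pos == len(body):
            return ""                            # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:               # server_name extension
                # list length (2), name type (1), name length (2), name
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                name = body[pos + 5:pos + 5 + name_len]
                if body[pos + 2] != 0 or len(name) != name_len:
                    return None
                return name.decode("ascii")
            pos += ext_len
        return ""
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                              # truncated or malformed input


def build_sample_client_hello(hostname):
    """Constructed minimal ClientHello, used only as sample input."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    hello = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, empty session id
             + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
             + b"\x01\x00"                           # null compression
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_first_packet(port, first_packet, waited_ms, hostname=None,
                          always_raw_tcp_hosts=()):
    """Return (mode, name); mode is "http", "https" or "raw-tcp" (this example's labels)."""
    if port not in SNIFF_PORTS or hostname in always_raw_tcp_hosts:
        return ("raw-tcp", None)                 # detection is not attempted
    if not first_packet or waited_ms > FIRST_PACKET_TIMEOUT_MS:
        return ("raw-tcp", None)                 # server-first protocol or slow client
    host = parse_http_host(first_packet)
    if host is not None:
        return ("http", host)
    sni = parse_client_hello(first_packet)
    if sni is not None:
        return ("https", sni)
    return ("raw-tcp", None)                     # neither HTTP nor a ClientHello


if __name__ == "__main__":
    hello = build_sample_client_hello("example.com")
    http = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"
    print(classify_first_packet(443, hello, 12))
    print(classify_first_packet(80, http, 5))
    print(classify_first_packet(443, None, 301))
    print(classify_first_packet(8080, http, 5))
```

A ClientHello split across several TCP segments is treated as raw TCP here; a production detector would buffer until the record length is satisfied.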
Forwarded from Surge TestFlight's Changelog
#tvOS #TestFlight
Surge 5 5.21.0 (2893) is ready to test on tvOS.
What to Test:
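Synced with the changes in recent iOS versions; see the iOS changelog for details.
In addition, we have opened a new Telegram channel for quickly publishing beta update information: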
https://t.me/SurgeTestFlightFeed
Forwarded from Surge TestFlight's Changelog
#iOS #TestFlight
Surge 5 5.21.0 (2900) is ready to test on iOS.
What to Test:
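We have opened a new Telegram channel for quickly publishing beta update information:
https://t.me/SurgeTestFlightFeed
- When testing a Ponte policy, the test URL now uses internet-test-url instead of proxy-test-url.
- Added ECN support on IPv6 networks.
- As recommended by the WireGuard protocol standard, WireGuard handshake packets are now marked with DSCP 0x88 (AF41) to increase the success rate.
- When forwarding UDP packets through WireGuard, packets inside the tunnel now retain their TOS (DSCP/ECN) marking.
- As recommended by the WireGuard protocol standard, Surge copies the ECN marking of packets inside the tunnel onto the packets outside the tunnel. When a packet carrying an ECN marking is received, the markings are merged strictly according to RFC6040. (Requires ecn=true to be configured on the WG policy.)
Bug fixes:
- When performing MITM on an HTTPS request made directly to an IP address, the IP address should not be sent as the SNI, as this may cause compatibility issues.
- The block-udp parameter of a WireGuard policy could not be modified through the UI.
- Fixed an issue where ECN support added in recent versions left the TUIC/Vector protocols unable to perform PMTU discovery, slightly reducing performance and making them unable to carry QUIC traffic.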
Forwarded from Surge Mac's Changelog
#Mac #Beta
Version 5.4.0-2417
* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.
* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example:
Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100
* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.
* Added automatic recognition of HTTP/HTTPS protocols
1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.
* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.
* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.
* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.
* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.
* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.
* Other improvements.
Forwarded from Surge Mac's Changelog
#Mac #Beta
Version 5.4.0-2419
* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.
* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example:
Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100
* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.
* Added automatic recognition of HTTP/HTTPS protocols
1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.
* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.
* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.
* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.
* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.
* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.
* Other improvements.
Forwarded from Surge TestFlight's Changelog
#iOS #TestFlight
Surge 5 5.21.0 (2904) is ready to test on iOS.
What to Test:
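Bug fixes:
- QUIC requests could not be sent correctly on some low-MTU networks.
- After the architecture changes in recent versions, proxy protocols that support connection reuse, such as Snell/TUIC/Hysteria2, re-established a session for every request.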
Forwarded from Surge Mac's Changelog
#Mac #Beta
Version 5.4.0-2420
* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.
* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example:
Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100
* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.
* Added automatic recognition of HTTP/HTTPS protocols
1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.
* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.
* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.
* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.
* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.
* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.
* Other improvements.
Forwarded from Surge Mac's Changelog
#Mac #Beta
Version 5.4.0-2423
* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.
* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example:
Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100
* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.
* Added automatic recognition of HTTP/HTTPS protocols
1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.
* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.
* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.
* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.
* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.
* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.
* Other improvements.
Forwarded from Surge Mac's Changelog
#Mac #Beta
Version 5.4.0-2424
* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.
* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example: Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100.
* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.
* Added automatic recognition of HTTP/HTTPS protocols
1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.
* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.
* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.
* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.
* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.
* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.
* Other improvements.
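The first-packet detection described in items 1 to 3 of this changelog can be sketched as below. This is an added illustration, not Surge's code: the function names, the returned labels and the constructed sample ClientHello are assumptions, and only a ClientHello that fits in a single TLS record is handled.

```python
import struct
from typing import Optional, Tuple

SNIFF_TIMEOUT_S = 0.3  # the 300 ms wait from the changelog; a caller would use it as the read timeout
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"TRACE", b"CONNECT"}


def parse_client_hello(data: bytes) -> Tuple[bool, Optional[str]]:
    """Return (is_client_hello, sni). Truncated or malformed input gives (False, None)."""
    try:
        # TLS record header: content type 0x16 (handshake), version 0x03xx, 2-byte length.
        if data[0] != 0x16 or data[1] != 0x03:
            return False, None
        (rec_len,) = struct.unpack("!H", data[3:5])
        body = data[5:5 + rec_len]
        # Handshake header: type 0x01 (ClientHello), 3-byte length.
        if len(body) != rec_len or body[0] != 0x01:
            return False, None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) != hs_len:
            return False, None
        pos = 2 + 32                                            # legacy_version + random
        pos += 1 + hello[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                                   # compression_methods
        if pos == len(hello):
            return True, None                                   # no extensions at all
        (ext_total,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        end = pos + ext_total
        if end > len(hello):
            return False, None
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if ext_type == 0:                                   # server_name extension
                ext = hello[pos:pos + ext_len]
                # Layout: list length (2), name_type (1), name length (2), name.
                (name_len,) = struct.unpack("!H", ext[3:5])
                name = ext[5:5 + name_len]
                if ext[2] != 0 or len(name) != name_len:
                    return False, None
                return True, name.decode("ascii").lower()
            pos += ext_len
        return True, None
    except (IndexError, struct.error, UnicodeDecodeError):
        return False, None


def parse_http_request(data: bytes) -> Tuple[bool, Optional[str]]:
    """Return (is_http_request, host) from a plaintext HTTP/1.x request head."""
    head = data.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS or not parts[2].startswith(b"HTTP/1."):
        return False, None
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if ":" in host and not host.endswith("]"):
                host = host.rsplit(":", 1)[0]                   # drop an explicit port
            return True, host
    return True, None


def classify_first_packet(data: Optional[bytes]) -> Tuple[str, Optional[str]]:
    """data is the client's first packet, or None if nothing arrived within the timeout."""
    if not data:
        return "raw-tcp", None          # server-first protocols (SSH, IMAP, FTP) end up here
    ok, sni = parse_client_hello(data)
    if ok:
        return "https", sni
    ok, host = parse_http_request(data)
    if ok:
        return "http", host
    return "raw-tcp", None


def build_client_hello(sni: str) -> bytes:
    """Constructed sample input: a minimal ClientHello carrying one SNI name."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    hello = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
             + b"\x01\x00"                            # null compression only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

The hostname returned for "https" is the SNI and the one returned for "http" is the Host header, which are the two values the extended-matching parameter is described as matching against.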
Forwarded from Surge Mac's Changelog
#Mac #Beta
Version 5.4.0-2425
* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.
* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example: Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100.
* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.
* Added automatic recognition of HTTP/HTTPS protocols
1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.
* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.
* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.
* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.
* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.
* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.
* Other improvements.
Forwarded from Surge TestFlight's Changelog
#iOS #TestFlight
Surge 5 5.21.0 (2908) is ready to test on iOS.
What to Test:
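- Fixed several minor bugs
- Improved compatibility with some non-standard protocols (such as the issue of Telegram loading indefinitely; whether this is effective is yet to be confirmed)
- Optimized UDP forwarding for TUIC-v5/Hysteria2, speeding up ACKs and resolving slowdowns that could occur in some cases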
Forwarded from Surge Mac's Changelog
#Mac #Beta
Version 5.4.0-2426
* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.
* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example: Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100.
* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.
* Added automatic recognition of HTTP/HTTPS protocols
1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.
* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.
* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.
* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.
* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.
* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.
* Other improvements.
Forwarded from Surge Mac's Changelog
#Mac #Beta
Version 5.4.0-2427
* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.
* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example: Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100.
* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.
* Added automatic recognition of HTTP/HTTPS protocols
1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.
* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.
* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.
* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.
* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.
* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.
* Other improvements.
Forwarded from Surge TestFlight's Changelog
Forwarded from Surge Mac's Changelog
#Mac #Beta
Version 5.4.0-2429
* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.
* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example: Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100.
* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.
* Added automatic recognition of HTTP/HTTPS protocols
1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.
* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.
* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.
* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.
* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.
* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.
* Other improvements.
Forwarded from Surge Mac's Changelog
#Mac #Beta
Version 5.4.0-2431
* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.
* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example: Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100.
* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.
* Added automatic recognition of HTTP/HTTPS protocols
1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.
* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.
* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.
* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.
* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.
* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.
* Other improvements.
Forwarded from Surge Mac's Changelog
#Mac #Beta
Version 5.4.0-2432
* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.
* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example:
Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100
* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.
* Added automatic recognition of HTTP/HTTPS protocols
1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.
* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.
* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.
* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.
* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.
* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.
* Other improvements.
Forwarded from Surge TestFlight's Changelog
#iOS #TestFlight
Surge 5 5.21.0 (2911) is ready to test on iOS.
What to Test:
- Fixed a crash
- Adjusted some QUIC flow-control parameters to improve TUIC/Vector bandwidth performance under certain network conditions
Forwarded from Surge Mac's Changelog
#Mac #Beta
Version 5.4.0-2433
* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.
* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example:
Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100
* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.
* Added automatic recognition of HTTP/HTTPS protocols
1. Requests sent to ports 80/443 will wait for the client to send the first data packet and then determine whether it is a valid HTTP/HTTPS request to decide how to handle it. If it is not a valid HTTP request, or if the first packet is not received within 300ms, it will fall back to TCP forwarding mode. Therefore, for requests using port 80, there is no longer a need to configure the force-http-engine-hosts parameter.
2. Automatically recognizes the TLS Client Hello message and extracts SNI, adding rules for SNI and MITM hostname matching.
3. Protocol auto-recognition is only enabled for ports 80/443 because some protocols are initiated by the server sending data first, such as SSH, IMAP, FTP. Waiting for client data before proceeding will cause unnecessary delays for these requests. HTTP requests on other ports that need to be handled by the HTTP engine still need to be configured with force-http-engine-hosts.
4. MITM still requires hostname configuration to be activated, but the tcp-connection parameter is no longer needed and will be effective for TCP requests by default.
5. Added the parameter always-raw-tcp-hosts, which forcibly shuts down active protocol detection for specific hostnames. It is written in the same way as the force-http-engine-hosts parameter.
* The DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules have added an optional parameter extended-matching. When this parameter is set, the rule will also try to match both the SNI and the HTTP Host Header (or :authority).
* Tips: If you want it to be effective only for SNI, you can use the AND logic rule combined with the PROTOCOL,HTTPS rule.
* Since forwarding QUIC traffic through TCP-based proxies can lead to performance issues and traffic waste, all proxy policies have added a block-quic parameter, which can be set to auto (default), on, or off. When enabled, if QUIC traffic is encountered while using this policy, it will automatically use REJECT-NO-DROP to revert to HTTPS/TCP connections.
* For the TUIC/WireGuard/Vector(Ponte) protocols, QUIC traffic will be allowed under auto, while it will not be allowed for other proxy protocols under auto.
* For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.
* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.
* Other improvements.
Forwarded from Surge TestFlight's Changelog
#iOS #TestFlight
Surge 5 5.21.0 (2914) is ready to test on iOS.
What to Test:
- To keep UDP NAT timeouts from interfering with QUIC sessions, the session idle timeout has been extended to 180s
- Crash fixes