Surge Channel
Surge's only official channel: https://t.me/SurgeTestFlightFeed

The following were created by third parties:
Group link https://t.me/+TO9iLpyTE1FjZTM1
Group channel https://t.me/+nZUgB3lPosQ2Y2Y1
Forwarded from Surge's Changelog
#iOS #TestFlight

Surge 5 5.21.0 (2930) is ready to test on iOS.

What to Test:

- SOCKS proxy connections have been migrated to the new architecture, keeping the behaviour of all parameters consistent
- Fixed an issue where error messages could not be displayed when editing a policy group
- Fixed again an issue with QUIC on some low-MTU networks
Forwarded from Surge's Changelog
#Mac #Beta

Version 5.4.0-2459

* The HTTP capture function has been significantly improved, with the addition of automatic shutdown and MITM automatic activation features. At the same time, related settings are no longer written into the main configuration.

* New proxy protocol supported: Hysteria2. Please visit the project page for more information. https://github.com/apernet/hysteria. Proxy declaration example: Proxy = hysteria2, 1.2.3.4, 443, password=pwd, download-bandwidth=100.

* Completed support for ECN (Explicit Congestion Notification) of Vector (Surge Ponte) and TUIC protocols, significantly improving bandwidth performance in poor network environments.
* Due to compatibility issues, this function is turned off by default. Please enable it by configuring the ecn=true parameter for a TUIC policy.

* Added automatic recognition of HTTP/HTTPS protocols

1. For requests to ports 80/443, Surge waits for the client's first data packet and inspects it to determine whether it is a valid HTTP/HTTPS request and how to handle it. If it is not a valid HTTP request, or the first packet does not arrive within 300ms, the connection falls back to TCP forwarding mode. Requests on port 80 therefore no longer need the force-http-engine-hosts parameter.
2. The TLS Client Hello is recognized automatically and its SNI extracted; rules can now match on the SNI, and MITM hostname matching uses it as well.
3. Protocol auto-recognition is enabled only for ports 80/443, because in some protocols the server sends data first (for example SSH, IMAP, FTP), and waiting for client data would add needless delay to those requests. HTTP requests on other ports that should be handled by the HTTP engine still need to be listed in force-http-engine-hosts.
4. MITM still requires a hostname configuration to be activated, but the tcp-connection parameter is no longer needed: MITM now takes effect for TCP requests by default.
5. Added the always-raw-tcp-hosts parameter, which forcibly disables active protocol detection for specific hostnames. It uses the same syntax as force-http-engine-hosts.

* The DOMAIN, DOMAIN-SUFFIX and DOMAIN-KEYWORD rules gain an optional extended-matching parameter. When it is set, the rule also tries to match the SNI and the HTTP Host header (or :authority).
* Tip: If you want it to apply only to the SNI, combine it with the PROTOCOL,HTTPS rule in an AND logical rule.

* Since forwarding QUIC traffic through TCP-based proxies can cause performance problems and wasted traffic, every proxy policy gains a block-quic parameter, which can be set to auto (default), on, or off. When it is in effect, QUIC traffic routed through the policy is rejected with REJECT-NO-DROP so that the client falls back to an HTTPS/TCP connection.

* Under auto, QUIC traffic is allowed for the TUIC/WireGuard/Vector (Ponte) protocols and blocked for all other proxy protocols.

* QUIC traffic that matches an MITM hostname is also rejected automatically.

* Improved compatibility of the HTTP engine and fixed compatibility issues with some non-standard self-implemented HTTP clients.

* Other improvements.
Forwarded from Surge's Changelog
#Mac #Beta

Version 5.4.0-2460

Forwarded from Surge's Changelog
#Mac #Beta

Version 5.4.0-2461

Forwarded from Surge's Changelog
#iOS #TestFlight

Surge 5 5.21.0 (2931) is ready to test on iOS.

What to Test:

- Due to architectural changes, WireGuard's IP/TCP layer forwarding feature has been removed
- A warning is now shown when multiple WireGuard configurations use the same private key, since such a configuration causes conflicts
- Because the arrival time of a request's first data packet is not controllable (for example under high CPU load), even a 300ms timeout could cause some requests to miss sniffing and fall back to TCP forwarding. In this version, the timeout for sniffing triggered by force-http-engine-hosts and the [MITM] hostname configuration has been extended to 3s.
- Because the [MITM] hostname parameter now also matches the SNI, and the SNI contains no port number, once sniffing is enabled for an HTTPS request on a port other than 443, the MITM configuration is activated by the SNI match even if no port number was specified. If you only want the standard hostname match and not the SNI match, write it as example.com:443
- Fixed an issue where several switches in the UI could not be turned off
Forwarded from Surge's Changelog
#Mac #Beta

Version 5.4.0-2462

Forwarded from Surge's Changelog
#iOS #TestFlight

Surge 5 5.21.0 (2932) is ready to test on iOS.

What to Test:

- Fixed a possible crash when using WireGuard in the previous version
Forwarded from Surge's Changelog
#Mac #Beta

Version 5.4.0-2463

Forwarded from Surge's Changelog
#Mac #Beta

Version 5.4.0-2464

Forwarded from Surge's Changelog
#Mac #Beta

Version 5.4.0-2467


#### New Features

* Protocol sniffing

Requests to ports 80 and 443 wait for the client's first packet, from which the SNI and other information are extracted for the rule system to evaluate.

- The DOMAIN, DOMAIN-SUFFIX and DOMAIN-KEYWORD rules gain an optional parameter called extended-matching. When it is enabled, the rule tries to match both the SNI and the HTTP Host header (or :authority).

- Added a parameter called always-raw-tcp-hosts, used to forcibly turn off active protocol detection for specific hostnames.

* New proxy protocol support: Hysteria 2

Hysteria 2 is a proxy protocol optimized for unstable and packet-loss-prone network environments, based on UDP/QUIC.

* Automatic QUIC blocking

Since most proxy protocols are not suitable for forwarding QUIC traffic, Surge now blocks QUIC traffic automatically so that it falls back to HTTPS/TCP, preserving performance. QUIC traffic that matches an MITM hostname is also rejected automatically.

* ECN (Explicit Congestion Notification) support for QUIC-based protocols

Significantly improved the performance of the Vector(Surge Ponte)/TUIC/Hysteria 2 protocol.

#### Optimizations

- Reworked HTTP capture functionality
- The related settings are no longer stored in the configuration; the [Replica] section has been deprecated.
- Added an automatic shut-off setting after turning on the capture switch, which can stop capturing automatically based on time, size, or the number of requests.
- Added automatic activation of MITM after turning on the capture switch, which can additionally be turned on for specific hostnames (even if the main MITM switch is off).
- Added an option to save only HTTP/HTTPS requests after turning on the capture switch.
- Improved compatibility with some non-standard protocols.
- When testing the Ponte policy, the test URL has been changed from proxy-test-url to internet-test-url.
- Following the WireGuard protocol standard recommendation, WireGuard handshake packets are now tagged with the 0x88 (AF41) DSCP to increase the handshake success rate.
- When forwarding UDP packets via WireGuard, the TOS (DSCP/ECN) tag of packets inside the tunnel can now be retained.
- Based on the WireGuard protocol standard recommendation, Surge copies the ECN tag from packets inside the tunnel to the packets outside it. When packets with an ECN tag are received, they are strictly merged according to RFC 6040 (ecn=true must be set for the policy).
- UDP NAT can close the UDP session early based on ICMP messages.
- Improved PMTU support for QUIC.

#### Bug Fixes

- Fixed the issue where the external resources of rule sets needed to be reloaded to take effect after updates.
- After a network switch, existing long-lived DoH/DoQ/DoH3 connections are forcibly closed to avoid obtaining results that are not suitable for the current network environment.
- Fixed an issue where invalid certificates might cause the key store interface to crash.
- When performing MITM on HTTPS requests that connect directly to an IP address, the IP address is not sent as the SNI, since that might cause compatibility issues.
- Other bug fixes.
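The first-packet sniffing described in the 5.4.0-2459 notes above (waiting on ports 80/443, Client Hello and SNI extraction, fallback to TCP forwarding, always-raw-tcp-hosts, extended-matching) and summarised under Protocol sniffing here, together with the SNI-versus-port caveat from the 5.21.0 (2931) iOS notes, modelled as an added Python example that is not Surge's own code. The function names, the exact-name-set model of always-raw-tcp-hosts, the rule that a bare MITM hostname's standard match means port 443, and the constructed sample Client Hello are assumptions of this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

SNIFF_PORTS = {80, 443}   # only these ports wait for the client's first packet
SNIFF_TIMEOUT_MS = 300    # nothing within this window -> raw TCP forwarding
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")

@dataclass
class Sniffed:
    kind: str                   # "http", "tls" or "tcp"
    host: Optional[str] = None  # HTTP Host header or TLS SNI, if any

def parse_http(first: bytes) -> Optional[Sniffed]:
    """Sniffed('http', host) if the bytes start a well-formed HTTP/1.x request."""
    if not first.startswith(HTTP_METHODS):
        return None
    lines = first.partition(b"\r\n\r\n")[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return Sniffed("http", value.strip().decode("ascii", "replace"))
    return Sniffed("http", None)

def parse_tls(first: bytes) -> Optional[Sniffed]:
    """Sniffed('tls', sni) if the bytes are a TLS ClientHello record."""
    if len(first) < 5 or first[0] != 0x16:           # 0x16 = handshake record
        return None
    body = first[5:5 + struct.unpack("!H", first[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:              # 0x01 = client_hello
        return None
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        pos = 2 + 32                                  # client_version + random
        pos += 1 + hs[pos]                            # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                            # compression_methods
        if pos + 2 > len(hs):
            return Sniffed("tls", None)               # hello without extensions
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x0000:  # server_name: list_len(2) type(1) name_len(2) name
                nlen = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return Sniffed("tls", hs[pos + 5:pos + 5 + nlen].decode("ascii"))
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                   # truncated or malformed hello
    return Sniffed("tls", None)

def sniff(dst_host: str, dst_port: int, first: Optional[bytes],
          raw_tcp_hosts: frozenset = frozenset()) -> Sniffed:
    """Classify a connection from its first client bytes (None = nothing arrived within
    SNIFF_TIMEOUT_MS). raw_tcp_hosts models always-raw-tcp-hosts as exact names (assumed)."""
    if dst_port not in SNIFF_PORTS or dst_host in raw_tcp_hosts or first is None:
        return Sniffed("tcp")
    return parse_http(first) or parse_tls(first) or Sniffed("tcp")

def domain_suffix_matches(suffix: str, dst_host: str, sniffed: Sniffed,
                          extended_matching: bool) -> bool:
    """DOMAIN-SUFFIX rule: match the connection's own hostname and, with
    extended-matching, also the sniffed SNI or Host header (port stripped)."""
    names = [dst_host]
    if extended_matching and sniffed.host:
        names.append(sniffed.host.rsplit(":", 1)[0])
    return any(n == suffix or n.endswith("." + suffix) for n in names)

def mitm_hostname_matches(pattern: str, dst_host: str, dst_port: int,
                          sniffed: Sniffed) -> bool:
    """[MITM] hostname entry: a bare name also matches a sniffed SNI on any port, since
    SNI carries no port; writing name:443 keeps only the standard host:port match."""
    if ":" in pattern:
        return pattern == f"{dst_host}:{dst_port}"
    standard = pattern == dst_host and dst_port == 443   # bare name = port 443 (assumed)
    return standard or (sniffed.kind == "tls" and sniffed.host == pattern)

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only a server_name extension."""
    name = sni.encode("ascii")
    sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    hello = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
             + b"\x01\x00"                            # null compression only
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

A connection to 203.0.113.5:443 whose Client Hello carries SNI example.com matches DOMAIN-SUFFIX,example.com only with extended-matching, and a bare MITM entry example.com matches it even on port 8443 while example.com:443 does not.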
Forwarded from Surge's Changelog
#Mac #Beta

Version 5.4.0-2468


Forwarded from Surge's Changelog
#iOS #TestFlight

Surge 5 5.21.0 (2940) is ready to test on iOS.

What to Test:

- Adjusted the logic of the automatic module update: it now retries automatically after an update fails
- Fixed an issue where previously saved requests still appeared in the request list after HTTP capture was turned off
- Improved Surge Ponte error messages
- Added an option to enter the remote controller in the device options of the Surge Ponte page
- Fixed an issue where MITM failures in certain specific situations did not produce an MITM Failed record
- Completed missing UI text

5.8.0 RC2
Forwarded from Surge's Changelog
#Mac #Beta

Version 5.4.0-2469


Forwarded from Surge's Changelog
#iOS #TestFlight

Surge 5 5.21.0 (2941) is ready to test on iOS.

What to Test:

- Fixed an issue where MITM Failed records were sometimes created incorrectly
- Fixed an issue where requests could sometimes keep the connection alive incorrectly
- Fixed an issue where the UI could not correctly write multiple DNS servers in Subnet Settings
- Fixed an issue where some Widget text did not display correctly in Chinese

5.8.0 RC3
Forwarded from Surge's Changelog
#iOS #TestFlight

Surge 5 5.21.0 (2942) is ready to test on iOS.

What to Test:

- Fixed again an issue where modules might not update automatically

5.8.0 RC4
Forwarded from Surge's Changelog
#Mac #Beta

Version 5.4.0-2470


#### New Features

* Protocol sniffing

Requests to port 80 and 443 will wait for the client to send the first packet, then extract the SNI and other information for the rule system to judge.

- DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules add an optional parameter called extended-matching. When this parameter is enabled, the rule will try to match both the SNI and the HTTP Host Header (or :authority).

- Added a parameter called always-raw-tcp-hosts, used to forcibly turn off active protocol detection for specific hostnames.

* New proxy protocol support: Hysteria 2

Hysteria 2 is a proxy protocol optimized for unstable and packet-loss-prone network environments, based on UDP/QUIC.

* Automatic QUIC blocking

Since most proxy protocols are not suitable for forwarding QUIC traffic, Surge will now automatically block QUIC traffic to make it fallback to HTTPS/TCP protocol, ensuring performance. For QUIC traffic that hits the MITM hostname, it will also be automatically rejected.

* ECN (Explicit Congestion Notification) support for QUIC-based protocols

Significantly improved the performance of the Vector (Surge Ponte), TUIC and Hysteria 2 protocols.

#### Optimizations

- Reworked HTTP capture functionality:
  - The related settings are no longer stored in the configuration; the [Replica] section is deprecated.
  - Added an automatic shut-off setting, available once the capture switch is on, which stops capturing based on elapsed time, captured size or number of requests.
  - Added automatic MITM activation when the capture switch is on; it can additionally be enabled for specific hostnames, even if the main MITM switch is off.
  - Added an option to save only HTTP/HTTPS requests while capturing.
- Improved compatibility with some non-standard protocols.
- When testing a Ponte policy, the test URL is now internet-test-url instead of proxy-test-url.
- Following the WireGuard protocol's recommendation, WireGuard handshake packets are now tagged with DSCP 0x88 (AF41) to increase the handshake success rate.
- When forwarding UDP packets via WireGuard, the TOS (DSCP/ECN) marking of packets inside the tunnel is retained.
- Following the WireGuard protocol's recommendation, Surge copies the ECN marking of inner packets to the outer packets. When packets arrive with an ECN marking, the inner and outer markings are merged strictly according to RFC 6040. (ecn=true must be set on the policy.)
- UDP NAT can now close a UDP session early based on ICMP messages.
- Improved PMTU support for QUIC.

#### Bug Fixes

- Fixed an issue where external resources of rule sets had to be reloaded to take effect after an update.
- After a network switch, existing long-lived DoH/DoQ/DoH3 connections are now forcibly closed, to avoid obtaining results that do not suit the current network environment.
- Fixed an issue where an invalid certificate could crash the key store interface.
- When performing MITM on HTTPS requests that connect directly to an IP address, the IP address is no longer sent as the SNI, since doing so could cause compatibility issues.
- Other bug fixes.
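
The protocol sniffing and extended-matching behaviour described in the release notes above, as an added example in Python that is not Surge's code: it parses the client's first packet on ports 80/443 as a TLS ClientHello (extracting the SNI) or an HTTP/1.x request (extracting the Host header), falls back to raw TCP otherwise, honours an always-raw-tcp-hosts list (modelled here as fnmatch patterns, which is an assumption), and shows how a DOMAIN-SUFFIX rule with extended-matching also tests the sniffed name. The function names and the ClientHello bytes are this example's own constructions, not Surge's.

```python
import re
import struct
from fnmatch import fnmatch
from typing import Optional, Tuple

# Added example, not Surge's code. Mimics the first-packet sniffing the release notes
# describe: on ports 80/443 the client's first packet is classified as a TLS ClientHello
# (SNI extracted), an HTTP/1.x request (Host extracted) or neither (raw TCP fallback).

Sniffed = Tuple[str, Optional[str]]   # ("tls" | "http" | "raw", hostname or None)


def parse_client_hello_sni(data: bytes) -> Optional[str]:
    """server_name from a TLS ClientHello (RFC 8446 4.1.2, RFC 6066 3), else None."""
    # Every length is bounds-checked: a truncated or malformed packet yields None
    # rather than a partial hostname, so it cannot steer rule matching.
    try:
        if len(data) < 5 or data[0] != 0x16:                 # record type 22 = handshake
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if len(body) < 4 or body[0] != 0x01:                 # handshake type 1 = ClientHello
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        ch = body[4:4 + hs_len]
        if len(ch) < hs_len:                                 # split across records or cut off
            return None
        pos = 2 + 32                                         # legacy_version + random
        pos += 1 + ch[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", ch[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + ch[pos]                                   # compression_methods
        end = pos + 2 + struct.unpack("!H", ch[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", ch[pos:pos + 4])
            ext, pos = ch[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
            if ext_type != 0:                                # 0 = server_name
                continue
            lpos = 2                                         # skip ServerNameList length
            while lpos + 3 <= len(ext):
                name_type = ext[lpos]
                name_len = struct.unpack("!H", ext[lpos + 1:lpos + 3])[0]
                name = ext[lpos + 3:lpos + 3 + name_len]
                if name_type == 0 and len(name) == name_len:  # 0 = host_name
                    return name.decode("ascii")
                lpos += 3 + name_len
            return None
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")


def parse_http_host(data: bytes) -> Optional[str]:
    """Host header of an HTTP/1.x request with any :port removed, else None."""
    if not _REQUEST_LINE.match(data):
        return None
    for line in data.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("latin-1")
            if not host.startswith("[") and ":" in host:     # leave IPv6 literals alone
                host = host.rsplit(":", 1)[0]
            return host or None
    return None


def sniff_first_packet(port: int, data: Optional[bytes], dest_host: Optional[str] = None,
                       always_raw_tcp_hosts: Tuple[str, ...] = ()) -> Sniffed:
    """Classify the first client packet; data is None if nothing arrived in time.
    always_raw_tcp_hosts is modelled as fnmatch patterns (assumption) on the known destination."""
    if port not in (80, 443) or not data:
        return ("raw", None)
    if dest_host and any(fnmatch(dest_host, p) for p in always_raw_tcp_hosts):
        return ("raw", None)
    sni = parse_client_hello_sni(data)
    if sni is not None:
        return ("tls", sni)
    host = parse_http_host(data)
    return ("http", host) if host is not None else ("raw", None)


def domain_suffix_rule(suffix: str, dest_host: Optional[str], sniffed: Sniffed,
                       extended_matching: bool = False) -> bool:
    """DOMAIN-SUFFIX,<suffix>: by default only the destination hostname is tested;
    with extended-matching the sniffed SNI / Host header is tested as well."""
    names = [dest_host] + ([sniffed[1]] if extended_matching else [])
    return any(h == suffix or h.endswith("." + suffix) for h in names if h)


def build_client_hello(sni: str) -> bytes:
    """Constructed minimal ClientHello carrying one server_name (sample input only)."""
    name = sni.encode("ascii")
    sn_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sn_ext)) + sn_ext
    body = (b"\x03\x03" + bytes(32) + b"\x00"                # version, random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"              # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

The extended-matching case worth noting is a client that connected by IP address (no destination hostname from DNS or fake-IP): without the parameter a DOMAIN-SUFFIX rule cannot match at all, while with it the SNI carried in the ClientHello decides. A truncated ClientHello or a server-speaks-first protocol such as SSH yields no hostname and is forwarded as raw TCP, which is why only ports 80 and 443 are sniffed.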
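
The WireGuard DSCP and ECN items under Optimizations above, as an added example in Python that is not Surge's code: it splits the IP TOS byte into DSCP and ECN (so that 0x88 reads as AF41), copies the inner ECN field to the outer header on encapsulation when ecn is enabled, and on decapsulation merges the outer ECN field back into the inner packet following RFC 6040 Table 1, returning None where that RFC requires the packet to be dropped. The DSCP used for non-handshake outer packets (0) and the function names are this example's assumptions.

```python
from typing import Optional, Tuple

# Added example, not Surge's code. Models the TOS/DSCP/ECN handling the release notes
# describe for a WireGuard-style UDP tunnel: TOS byte split, inner-to-outer ECN copy
# (RFC 6040 normal mode) and RFC 6040 Table 1 merging on decapsulation.

NOT_ECT, ECT1, ECT0, CE = 0b00, 0b01, 0b10, 0b11   # ECN codepoints (RFC 3168)
AF41 = 34                                           # DSCP value; TOS byte 0x88 (RFC 2597)


def split_tos(tos: int) -> Tuple[int, int]:
    """(dscp, ecn) from the 8-bit IPv4 TOS / IPv6 traffic class byte."""
    return tos >> 2, tos & 0b11


def make_tos(dscp: int, ecn: int) -> int:
    return ((dscp & 0x3F) << 2) | (ecn & 0b11)


def encapsulate_tos(inner_tos: int, handshake: bool = False, ecn_enabled: bool = False) -> int:
    """Outer TOS byte for a tunnel packet.

    Handshake packets get DSCP AF41 (TOS 0x88) as the notes say; data packets use
    DSCP 0 here (an assumption). With ecn_enabled (ecn=true on the policy) the inner
    ECN field is copied to the outer header (RFC 6040 normal mode); otherwise the
    outer field is Not-ECT (RFC 6040 compatibility mode).
    """
    _, inner_ecn = split_tos(inner_tos)
    dscp = AF41 if handshake else 0
    return make_tos(dscp, inner_ecn if ecn_enabled else NOT_ECT)


def merge_ecn(inner: int, outer: int) -> Optional[int]:
    """RFC 6040 Table 1 decapsulation; None means the packet must be dropped."""
    if outer == NOT_ECT:
        return inner                                 # outer carries no congestion info
    if inner == NOT_ECT:
        return None if outer == CE else NOT_ECT      # CE marked onto a non-ECT flow: drop
    if outer == CE or inner == CE:
        return CE                                    # congestion seen on either header
    return ECT1 if ECT1 in (inner, outer) else ECT0  # both ECT: ECT(1) wins


def decapsulate_tos(inner_tos: int, outer_tos: int, ecn_enabled: bool = False) -> Optional[int]:
    """Inner TOS after leaving the tunnel: DSCP untouched, ECN merged per RFC 6040.
    Without ecn_enabled the outer ECN field is ignored (compatibility mode).
    Returns None when RFC 6040 requires the packet to be dropped."""
    inner_dscp, inner_ecn = split_tos(inner_tos)
    if not ecn_enabled:
        return inner_tos
    merged = merge_ecn(inner_ecn, split_tos(outer_tos)[1])
    return None if merged is None else make_tos(inner_dscp, merged)
```

The drop case is the one to watch when enabling ecn=true: a CE mark on the outer header of a packet whose inner header is Not-ECT is invalid under RFC 6040 and must be discarded rather than forwarded, which is what "strictly merged" implies.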
Forwarded from Surge's Changelog
#Mac #Release

Version 5.4.0-2470

Forwarded from Surge TestFlight Feed
Stable release update
· Surge iOS 5.8.0 stable is now live on the App Store; the update is expected to become available within a few hours.
· Surge Mac 5.4.0 stable has been released at the same time.
· Surge tvOS 5.8.0 is not yet live because of some minor issues raised during review; this is expected to be resolved within a few days.
· The online documentation has been updated for this release.