Misc Options
[General]
ipv6 = true
loglevel = notify
skip-proxy = 127.0.0.1, 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 100.64.0.0/10, localhost, *.local
tun-excluded-routes = 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
tun-included-routes = 192.168.1.12/32
Common Options
Enable full IPv6 support (Default: true)
ipv6 = true
loglevel (Default: warning)
loglevel = notify
One of none, fatal, warning, notify, info or verbose. It's not recommended to enable verbose in daily use because this will slow down the performance significantly.
skip-proxy
skip-proxy = 127.0.0.1, 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 100.64.0.0/10, localhost, *.local
In iOS version, this option forces connections to these domain/IP ranges to be handled by Chute TUN, instead of Chute proxy. In macOS version, these settings will be applied to system when "Set as System Proxy" is enabled. This option is used to fix compatibility problems with some apps.
- To specify a single domain, enter the domain name - for example, apple.com.
- To specify all websites on a domain, use an asterisk before the domain name - for example, *apple.com.
- To specify a specific part of a domain, specify each part - for example, store.apple.com.
- To specify hosts or networks by IP addresses, enter a specific IP address such as 192.168.2.11 or an address range, such as 192.168.2.* or 192.168.2.0/24.
Notice: If you enter an IP address or address range, you will only be able to bypass the proxy when you connect to that host using that address, not when you connect to the host by a domain name that resolves to that address.
Interrupt Existing Connections
interrupt-exist-connections = true
When enabled, changing the selected policy in any policy group (via URL Test, Fallback, Load Balance, SSID, or manual selection) will gracefully tear down existing connections that were using the old policy. This ensures connections use the newly selected proxy immediately rather than lingering on the old one.
Each affected connection is closed gracefully with a 3-second timeout before being force-closed.
Default:
false. This is a global setting — it affects all policy groups.
Network Framework (macOS / tvOS)
network-framework = true
Enable Apple Network.framework for outbound connections. This is enabled by default on macOS and tvOS, and disabled on iOS. Using Network.framework can provide better performance and modern TLS stack integration on supported platforms.
Default:
trueon macOS/tvOS,falseon iOS.
Exclude Simple Hostnames
exclude-simple-hostnames = true
When enabled, requests to simple hostnames (single-label names without a dot, e.g. localhost) bypass proxy rules and are resolved locally. This helps avoid unnecessary DNS lookups for local network names.
Default:
false.
Disable Database Record
disable-db-record = true
When enabled, Chute stops writing traffic records to the local database. This can improve performance and reduce storage usage, but traffic history will not be available in Chute Dashboard.
Default:
false.
Menu Bar Speed Display (Mac Only)
menu-bar-show-speed = true
When enabled, Chute Mac shows the current upload and download speed in the menu bar.
Default:
false.
Hijack Other DNS Servers
hijack-dns = 8.8.8.8:53
By default, Chute only returns fake IP addresses for DNS queries sent to Chute DNS address (198.18.0.2). Queries which are sent to standard DNS will be simply forwarded.
Some devices or softwares always use a hardcode DNS server. (For example, Google Speakers always use 8.8.8.8). You may use this option to hijack the query to get a fake address.
You may usehijack-dns = *:53to hijack all DNS queries.
Excluded Routes
tun-excluded-routes = 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
Chute VIF can only process TCP and UDP protocols. Use this option to bypass specific IP ranges to allow all traffic to pass through.
Notice: This option only works for the VIF (utun) type of Enhanced Mode — it has no effect when using the PacketTunnel VPN type. Requests handled by Chute Proxy Server will not be affected. Combine 'skip-proxy' and 'tun-excluded-routes' to make sure that certain HTTP traffic bypasses Chute.
This option might cause a system error ENOMEM (Cannot allocate memory). It seems a bug in iOS system. Please do not use this option if possible.
Included Routes
tun-included-routes = 192.168.1.12/32
By default, the Chute VIF interface will declare itself as the default route. But since the Wi-Fi interface has a smaller route, some traffic may not go through the Chute VIF interface. Use this option to add a smaller route.
Note: This option only works for the VIF (utun) type of Enhanced Mode — it has no effect when using the PacketTunnel VPN type.
Protocol Sniffing
sniffing-enabled = true
sniffing-timeout = 100
Chute can detect the actual protocol of a connection by inspecting the initial bytes. This enables rules like PROTOCOL,HTTPS,Proxy to work correctly even for non-HTTP inbound connections.
sniffing-enabled (Default: false)
sniffing-enabled = true
Enable protocol detection for TCP connections.
sniffing-timeout (Default: 100ms)
sniffing-timeout = 200
Maximum time in milliseconds to wait for the initial data to determine the protocol. Increase this value if protocol detection fails on slow connections.
Bypass TUN
bypass-tun = 192.168.0.0/16, 10.0.0.0/8
Similar to skip-proxy, but works at the TUN/VIF routing level. Connections to these IP ranges will bypass the TUN interface entirely and go through the system network stack directly.
Note: This option only works for the VIF (utun) type of Enhanced Mode. It has no effect when using the PacketTunnel VPN type.
Show Error Page for Reject
show-error-page-for-reject = true
When enabled, Chute returns a user-friendly error page for rejected requests instead of simply dropping the connection.
Optimistic DNS
optimistic-dns = true
When enabled, Chute returns the cached DNS result immediately while refreshing the record in the background. This reduces connection latency at the cost of possibly returning stale DNS records.
Allow Wi-Fi Access
allow-wifi-access = true
When enabled in a cellular/metered context, Chute will continue to function over Wi-Fi connections. This is macOS-specific.
Managed Configuration
Chute supports remotely managed configuration through the #!MANAGED-CONFIG header at the top of the configuration file:
#!MANAGED-CONFIG https://example.com/config.conf interval=86400 strict=false
| Parameter | Required | Default | Description |
|---|---|---|---|
<url> |
Yes | — | URL to fetch the configuration from |
interval |
No | 86400 (24h) | Update interval in seconds |
strict |
No | false | When true, the managed config cannot be overridden locally |
Chute will periodically re-fetch the configuration from the specified URL and apply it. Local edits to a strict managed config are not persisted.
Replica / Traffic Recording
The [Replica] section controls traffic recording behavior and filtering:
[Replica]
hide-apple-request = true
hide-udp = true
hide-crashlytics-request = true
use-keyword-filter = false
keyword-filter = example
| Key | Type | Default | Description |
|---|---|---|---|
hide-apple-request |
Boolean | false | Hide Apple service requests from the traffic log |
hide-udp |
Boolean | false | Hide UDP traffic from the traffic log |
hide-crashlytics-request |
Boolean | false | Hide Crashlytics requests from the traffic log |
use-keyword-filter |
Boolean | false | Enable keyword-based traffic filtering |
keyword-filter |
String | — | Comma-separated keywords to filter traffic records |
The
replicakey in[General](replica = true) enables traffic recording. Use the[Replica]section to filter what gets recorded.
HTTP Control API and Web UI
[General]
external-http-controller = 127.0.0.1:9090
external-http-secret = your-secret-token
external-http-ui = true
external-http-cors = false
Chute provides an embedded HTTP control API and web-based management UI, similar to Clash and Surge dashboards. The API exposes kernel status, traffic, connections, DNS, policy controls, and configuration management through REST endpoints.
external-http-controller (Default: disabled)
external-http-controller = 127.0.0.1:9090
The address and port for the HTTP control server. Use 127.0.0.1 for local-only access. Binding to 0.0.0.0 or a non-loopback address enables remote access and requires a non-empty external-http-secret.
external-http-secret (Default: empty)
external-http-secret = your-secret-token
The Bearer token used for API authentication. Requests must include the header Authorization: Bearer <secret>. Required when the controller is bound to a non-loopback address or when remote access is desired.
external-http-ui (Default: true)
external-http-ui = true
When enabled, Chute serves an embedded Web UI at the controller address. The Web UI provides an overview dashboard, connection management, DNS inspection, traffic monitoring, policy controls, and configuration editing. Set to false to keep the API enabled while disabling the UI.
external-http-cors (Default: false)
external-http-cors = true
Enable CORS (Cross-Origin Resource Sharing) headers on API responses. Useful when the Web UI or third-party tools need to access the API from a different origin.
API Endpoints:
| Method | Endpoint | Description |
|---|---|---|
GET |
/api/status |
Runtime status, ports, uptime |
GET |
/api/traffic |
Global and per-policy traffic counters |
GET |
/api/connections |
Current active connections |
DELETE |
/api/connections/:id |
Close a connection |
GET |
/api/connections/history |
Historical connection records |
GET |
/api/dns |
DNS cache records |
DELETE |
/api/dns/cache |
Purge DNS cache |
GET |
/api/config |
Current configuration |
PUT |
/api/config |
Reload configuration |
GET |
/api/policies |
Policy groups and current selection |
PUT |
/api/policies/:group |
Change policy group selection |
PUT |
/api/mode |
Set outbound mode |
GET |
/api/features |
Feature switch states |
PUT |
/api/features/mitm |
Toggle MITM |
PUT |
/api/features/record-traffic |
Toggle traffic recording |
Note: This feature is disabled by default. The API uses JSON responses with the format
{"ok": true, "data": {...}}for success and{"ok": false, "error": {"code": "...", "message": "..."}}for errors.