Proxy Policy

A proxy policy forwards the request to another proxy server. Chute supports HTTP/HTTPS/SOCKS5/SOCKS5-TLS/SS/SSR/Trojan/VMess/VLESS/AnyTLS/TUIC/Hysteria2/WireGuard/ShadowTLS/SSH proxy protocols.

The [Proxy] section declares proxy policies. You can create multiple proxies for different rules.

Example:

[Proxy]
ProxyHTTP = http, 1.2.3.4, 443, username, password
ProxyHTTPS = https, 1.2.3.4, 443, username, password, sni=example.com, skip-cert-verify=false
ProxySOCKS5 = socks5, 1.2.3.4, 443, username, password
ProxySOCKS5TLS = socks5-tls, 1.2.3.4, 443, username, password, sni=example.com, skip-cert-verify=false
SS = ss, 1.2.3.4, 443, method, password, obfs=post
SSR = ssr, 1.2.3.4, 443, method, password, protocol=auth_chain_f, protocol_param=user:pass, obfs=http_post, obfs_param=example.com
Trojan = trojan, 1.2.3.4, 443, password=password, sni=example.com, skip-cert-verify=false, ws=true
VMess = vmess, 1.2.3.4, 443, uuid=uuid, sni=example.com, tls=true, ws=true
VLESS = vless, 1.2.3.4, 443, uuid=uuid, sni=example.com, xtls=true
AnyTLS = anytls, 1.2.3.4, 443, password, sni=example.com
TUIC = tuic, 1.2.3.4, 443, uuid=uuid, password=password, sni=example.com
Hysteria2 = hysteria2, 1.2.3.4, 443, auth=password, sni=example.com, up=10, down=100
WireGuard = wireguard, private-key=base64key, peer-public-key=base64key, section-name=wg0, self-ip=10.0.0.2
ShadowTLS = shadowtls, 1.2.3.4, 443, password=password, sni=example.com, skip-cert-verify=false, fingerprint=chrome
SSH = ssh, 1.2.3.4, 22, root, password=pw
SCHEME = scheme, ssr://....

Parameters

Type Username Password Method TLS XTLS Websocket QUIC
HTTP
HTTPS TLS
Socks
Socks5-TLS TLS
Shadowsocks Method, OBFS
ShadowsocksR Method, Protocol, OBFS
Trojan TLS WS, gRPC
VMess uuid TLS WS, gRPC
VLESS uuid TLS XTLS WS, gRPC
AnyTLS TLS
TUIC uuid TLS
Hysteria2 auth TLS
WireGuard private-key Native WireGuard
ShadowTLS TLS, Fingerprint
SSH Auth

Parameter for proxy with TLS

tls: Optional.

tls=true

Enable TLS transport.

skip-cert-verify: Optional

skip-cert-verify=true

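If this option is enabled, Chute will not verify the server's certificate, so it cannot detect an intermediary that presents its own certificate. Leave it at false unless the server's certificate genuinely cannot be validated.

sni (Default: hostname)

sni=example.com

You may customize the Server Name Indication (SNI) sent during the TLS handshake. Use sni=off to turn off SNI completely. By default, Chute sends the hostname as SNI, as most browsers do.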


Parameter for proxy with Shadowsocks

method: Required.

Current support:

rc4-md5
aes-128-cfb
aes-192-cfb
aes-256-cfb
aes-128-ctr
aes-192-ctr
aes-256-ctr
bf-cfb
camellia-128-cfb
camellia-192-cfb
camellia-256-cfb
salsa20
chacha20
chacha20-ietf
aes-128-gcm
aes-192-gcm
aes-256-gcm
chacha20-ietf-poly1305
xchacha20-ietf-poly1305

Shadowsocks 2022 Methods

Chute supports the Shadowsocks 2022 protocol, which uses BLAKE3-based key derivation and AEAD ciphers. The method name determines the cipher suite:

2022-blake3-aes-128-gcm
2022-blake3-aes-256-gcm
2022-blake3-chacha20-poly1305

Password format:

The password field for SS2022 consists of one or two base64-encoded keys, separated by : (colon).

Single-user mode (one key):

SS2022 = ss, 1.2.3.4, 443, 2022-blake3-aes-256-gcm, "base64-key"

Multi-user mode with identity headers (two keys):

For 2022-blake3-aes-128-gcm and 2022-blake3-aes-256-gcm, you can provide an identity header key and a user key, separated by a colon (:):

SS2022 = ss, 1.2.3.4, 443, 2022-blake3-aes-256-gcm, "header-base64-key:user-base64-key"

Each key is a base64-encoded string (supports both standard and URL-safe base64). The key lengths required:

Method | User Key Length | Header Key Length
2022-blake3-aes-128-gcm | 16 bytes | 16 bytes
2022-blake3-aes-256-gcm | 32 bytes | 32 bytes
2022-blake3-chacha20-poly1305 | 32 bytes | N/A (no identity header support)

Generate a key (32 bytes shown; use 16 for 2022-blake3-aes-128-gcm):

openssl rand -base64 32

Note: SS2022 methods do not support the obfs parameter. The 2022-blake3-chacha20-poly1305 method does not support multi-user mode.
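The key-length and multi-user rules above can be checked before a password field goes into a profile. The following Python validator is an added example, not Chute's own code; the function names, the error texts, the acceptance of unpadded base64 and the sample keys are assumptions made for illustration.

```python
import base64
import binascii

# Key lengths in bytes, taken from the table above: method -> (user, header).
# header None means the method has no identity header (multi-user) support.
SS2022_KEYS = {
    "2022-blake3-aes-128-gcm": (16, 16),
    "2022-blake3-aes-256-gcm": (32, 32),
    "2022-blake3-chacha20-poly1305": (32, None),
}

def decode_key(text):
    """Decode one key given as standard or URL-safe base64."""
    text = text.strip().replace("-", "+").replace("_", "/")
    text += "=" * (-len(text) % 4)  # assumption: unpadded input is accepted
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("key is not valid base64") from None

def check_ss2022_password(method, password):
    """Return (header_key, user_key) as bytes, or raise ValueError."""
    if method not in SS2022_KEYS:
        raise ValueError(f"{method} is not an SS2022 method")
    user_len, header_len = SS2022_KEYS[method]
    parts = password.strip().strip('"').split(":")
    if len(parts) > 2:
        raise ValueError("expected 'user-key' or 'header-key:user-key'")
    if len(parts) == 2 and header_len is None:
        raise ValueError(f"{method} does not support multi-user mode")
    keys = [decode_key(p) for p in parts]
    header, user = (keys[0] if len(keys) == 2 else None), keys[-1]
    if len(user) != user_len:
        raise ValueError(f"user key is {len(user)} bytes, need {user_len}")
    if header is not None and len(header) != header_len:
        raise ValueError(f"header key is {len(header)} bytes, need {header_len}")
    return header, user

def verdict(method, password):
    """Return 'ok' or the reason the password field would be rejected."""
    try:
        check_ss2022_password(method, password)
        return "ok"
    except ValueError as exc:
        return str(exc)

# Constructed sample keys (predictable bytes, for demonstration only).
K16 = base64.b64encode(bytes(range(16))).decode()
K32 = base64.b64encode(bytes(range(32))).decode()
```

For example, verdict("2022-blake3-aes-128-gcm", K32) reports a length mismatch, which is what happens when a key produced by openssl rand -base64 32 is paired with the 128-bit method.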

obfs: Optional.

Current support:

tls
http

Parameter for proxy with ShadowsocksR/ShadowsocksRR/ShadowsocksR-Akarin

method: Required.

Current support:

rc4
rc4-md5-6
rc4-md5
aes-128-cfb
aes-192-cfb
aes-256-cfb
aes-128-ctr
aes-192-ctr
aes-256-ctr
bf-cfb
camellia-128-cfb
camellia-192-cfb
camellia-256-cfb
cast5-cfb
des-cfb
idea-cfb
rc2-cfb
seed-cfb
salsa20
chacha20
chacha20-ietf

protocol: Optional.

Current support:

origin
auth_sha1
auth_sha1_v2
auth_sha1_v4
auth_aes128_md5
auth_aes128_sha1
auth_chain_a
auth_chain_b
auth_chain_c
auth_chain_d
auth_chain_e
auth_chain_f
auth_akarin_rand
auth_akarin_spec_a

protocol_param: Optional.

obfs: Optional.

Current support:

plain
http_simple
http_post
tls1.2_ticket_auth

obfs_param: Optional.


Parameter for proxy with WebSocket

ws: Optional.

ws=true

Enable WebSocket transport.

ws-path: Optional.

ws-path=/example

Change the path of the WebSocket HTTP request.

ws-headers: Optional.

ws-headers=Header1:Value1|Header2:Value2

Set the HTTP headers of the WebSocket HTTP request.


Parameter for proxy with gRPC

gRPC transport is available for Trojan, VMess, and VLESS protocols. It uses HTTP/2-based gRPC framing over TLS, which can help bypass certain network restrictions.

grpc: Optional.

grpc=true

Enable gRPC transport. Requires TLS to be enabled.

grpc-service-name: Optional.

grpc-service-name=MyService

Specify the gRPC service name/path for multiplexing. Defaults to the standard service name if not set.

grpc-multi-mode: Optional.

grpc-multi-mode=true

Enable multi-mode for gRPC, which allows multiple streams to share a single gRPC connection for better performance.

Example with VMess and gRPC:

VMess = vmess, 1.2.3.4, 443, uuid=uuid, tls=true, grpc=true, grpc-service-name=GunService, sni=example.com

Parameter for proxy with XTLS

xtls: Optional.

xtls=true

Enable XTLS transport. Only the xtls-rprx-direct flow is supported.

skip-cert-verify: Optional

skip-cert-verify=true

Same as TLS.

sni (Default: hostname)

sni=example.com

Same as TLS.


Parameter for proxy with REALITY

REALITY is a TLS-based obfuscation technique that makes proxy traffic indistinguishable from regular TLS traffic to a real website. It can be used with VLESS and Trojan protocols.

reality: Optional.

reality=true

Enable REALITY obfuscation. Requires a target server that will act as the camouflage destination.

short-id: Optional.

short-id=abcd1234

A short identifier used for REALITY authentication. Typically a hex string.

server-name: Optional.

server-name=www.microsoft.com

The SNI (Server Name Indication) to present during the TLS handshake. This should be a real, commonly-accessed website for best camouflage effect. The target server's certificate must match this name.

fingerprint: Optional.

fingerprint=chrome

TLS client fingerprint to mimic. Supported values include chrome, firefox, safari, ios, edge, 360, qq. Using a common browser fingerprint helps avoid detection.

spiderx: Optional.

spiderx=/path

Custom path for REALITY spider camouflage.

Example with VLESS:

VLESS = vless, 1.2.3.4, 443, uuid=uuid, reality=true, server-name=www.microsoft.com, short-id=abcd, fingerprint=chrome

Note: REALITY does not use a traditional certificate. The connection uses the camouflage server's real certificate.


TCP Fast Open (Experimental)

tfo: Optional

tfo=true

More information about TCP Fast Open can be found on Wikipedia. Enabling TCP Fast Open may cause unexpected connection failures.


Parameter for proxy with AnyTLS

AnyTLS is a TLS-based proxy protocol with padding obfuscation.

AnyTLS = anytls, 1.2.3.4, 443, password, sni=example.com, skip-cert-verify=false, padding-scheme=ux

password: Required.

The password/passphrase used for authentication.

sni (Default: hostname)

sni=example.com

Same as TLS.

skip-cert-verify: Optional

skip-cert-verify=true

Same as TLS.

padding-scheme: Optional

padding-scheme=ux

Specify the TLS record padding scheme. Supported values: ux.

Multiple padding layers can be configured by specifying the number of layers and per-layer schemes:

AnyTLS = anytls, 1.2.3.4, 443, password, sni=example.com, stop=2, 0=ux, 1=ux

Parameter | Description
stop | Number of padding scheme layers
0, 1, 2, ... | Padding scheme for each layer (numeric keys)

Parameter for proxy with TUIC

TUIC is a QUIC-based proxy protocol offering multiplexed TCP and UDP relay.

TUIC = tuic, 1.2.3.4, 443, uuid=uuid, password=password, sni=example.com, skip-cert-verify=false, alpn=h3

uuid: Required.

The UUID for authentication.

password: Required.

The password for authentication.

sni (Default: hostname)

sni=example.com

Same as TLS.

skip-cert-verify: Optional

skip-cert-verify=true

Same as TLS.

alpn: Optional

alpn=h3

Specify the ALPN string for QUIC connection.


Parameter for proxy with Hysteria2

Hysteria2 is a QUIC-based proxy protocol with Brutal congestion control for high-throughput scenarios.

Hysteria2 = hysteria2, 1.2.3.4, 443, auth=password, sni=example.com, skip-cert-verify=false, up=10, down=100, alpn=h3

auth: Required.

The authentication password/token.

sni (Default: hostname)

sni=example.com

Same as TLS.

skip-cert-verify: Optional

skip-cert-verify=true

Same as TLS.

up: Optional (Mbps)

up=10

Upload bandwidth in Mbps.

down: Optional (Mbps)

down=100

Download bandwidth in Mbps.

alpn: Optional

alpn=h3

Specify the ALPN string for QUIC connection.

obfs: Optional

obfs=salamander

Enable Salamander obfuscation for the QUIC traffic. Salamander uses BLAKE2b-256 XOR to obfuscate QUIC packets, making them resistant to DPI (Deep Packet Inspection).

obfs-password: Optional

obfs-password=your-obfuscation-key

The password/key used for Salamander obfuscation. Required when obfs=salamander is set.
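Several rules stated on this page span more than one parameter: skip-cert-verify=true disables certificate checks, SS2022 methods do not support obfs, gRPC requires TLS, and obfs=salamander requires obfs-password. The Python linter below checks [Proxy] entries against them; it is an added example, not Chute's own code, and the parser, the finding texts, the non-AEAD cipher policy and the sample entries are assumptions made for illustration.

```python
import re

# AEAD methods from the Shadowsocks list above. Flagging the remaining classic
# methods is this example's policy, not a rule Chute enforces.
AEAD = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm",
        "chacha20-ietf-poly1305", "xchacha20-ietf-poly1305"}
OPTION = re.compile(r"^([a-z0-9_-]+)=(.*)$")

def parse_proxy_line(line):
    """Simplified parser: values hold no commas, option keys are lowercase."""
    name, _, rest = line.partition("=")
    fields = [f.strip() for f in rest.split(",")]
    positional, options = [], {}
    for field in fields[1:]:
        m = None if field.startswith('"') else OPTION.match(field)
        if m:
            options[m.group(1)] = m.group(2)
        else:
            positional.append(field)
    return name.strip(), fields[0].lower(), positional, options

def lint_line(line):
    """Return (policy name, findings) for one [Proxy] entry."""
    name, ptype, pos, opt = parse_proxy_line(line)
    found = []
    if opt.get("skip-cert-verify") == "true":
        found.append("server certificate is not verified")
    method = pos[2] if ptype == "ss" and len(pos) >= 3 else ""
    if method.startswith("2022-blake3-") and "obfs" in opt:
        found.append("SS2022 methods do not support obfs")
    elif method and not method.startswith("2022-") and method not in AEAD:
        found.append(f"{method} is not an AEAD cipher")
    # Assumption: tls=true or reality=true counts as TLS enabled for VMess/VLESS.
    if (ptype in ("vmess", "vless") and opt.get("grpc") == "true"
            and "true" not in (opt.get("tls"), opt.get("reality"))):
        found.append("grpc=true requires TLS")
    if opt.get("obfs") == "salamander" and not opt.get("obfs-password"):
        found.append("obfs=salamander requires obfs-password")
    return name, found

# Constructed sample entries (not from a real deployment).
SAMPLE = [
    "A = https, 1.2.3.4, 443, username, password, skip-cert-verify=true",
    "B = ss, 1.2.3.4, 443, rc4-md5, password",
    'C = ss, 1.2.3.4, 443, 2022-blake3-aes-256-gcm, "base64-key", obfs=http',
    "D = vmess, 1.2.3.4, 443, uuid=uuid, grpc=true, sni=example.com",
    "E = hysteria2, 1.2.3.4, 443, auth=password, obfs=salamander",
    "F = trojan, 1.2.3.4, 443, password=password, skip-cert-verify=false",
]
REPORT = dict(lint_line(entry) for entry in SAMPLE)
```

REPORT maps each policy name to its findings; entry F comes back with an empty list.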


Parameter for proxy with WireGuard

WireGuard is a modern VPN protocol. Chute supports WireGuard as an outbound proxy policy, either inline or by referencing a named [WireGuard] section.

Inline configuration:

WireGuard = wireguard, private-key=base64key, peer-public-key=base64key, self-ip=10.0.0.2, server=1.2.3.4, port=51820

Section reference (recommended):

WireGuard = wireguard, section-name=wg0

See WireGuard Configuration for [WireGuard] section syntax.

private-key: Required (inline only).

Base64-encoded WireGuard private key.

peer-public-key: Required (inline only).

Base64-encoded WireGuard peer public key.

self-ip: Optional (inline).

Local IP address assigned to the WireGuard interface (e.g. 10.0.0.2).

self-ipv6: Optional (inline).

Local IPv6 address assigned to the WireGuard interface.

server: Optional (inline).

Remote WireGuard server address.

port: Optional (inline).

Remote WireGuard server port.

preshared-key: Optional.

Base64-encoded pre-shared key for post-quantum resistance.

keepalive: Optional (seconds).

keepalive=25

Persistent keepalive interval for NAT traversal.

mtu: Optional.

mtu=1420

MTU for the WireGuard interface.

reserved-bits: Optional.

reserved-bits=0,1,2

Reserved bits for WireGuard handshake.


Parameter for proxy with ShadowTLS

ShadowTLS is a TLS-based proxy protocol that encapsulates traffic within a standard TLS 1.3 session. It uses a password-based handshake after the TLS handshake to authenticate and establish the proxy connection.

ShadowTLS = shadowtls, 1.2.3.4, 443, password=password, sni=example.com, skip-cert-verify=false, fingerprint=chrome

password: Required.

The password used for the ShadowTLS handshake authentication.

sni (Default: hostname)

sni=example.com

Same as TLS.

skip-cert-verify: Optional

skip-cert-verify=true

Same as TLS.

fingerprint: Optional

fingerprint=chrome

TLS client fingerprint to mimic. Supported values include chrome, firefox, safari, ios, edge, 360, qq. Using a common browser fingerprint helps avoid detection.


Parameter for proxy with SSH

See SSH Proxy for full documentation.

S. Smart Rabbit LLC © All Rights Reserved            updated 2026-06-28 02:09:17
