Rule
Chute can forward requests to another proxy server or connect to the host directly, depending on customized rules.
Priority
Rules are matched from the first one to the last one, in the order they appear in the config file. In other words, rules at the top of the list have higher priority than latter ones.
Composition
Each rule consists of 3 parts: rule type, a traffic matcher (except for FINAL rule), and a proxy policy: TYPE, VALUE, POLICY. Example: DOMAIN-SUFFIX,apple.com, DIRECT IP-CIDR, 192.168.0.0/16,ProxyA
Proxy policy must be named under one of a policy names, including a proxy, a policy group, DIRECT, or REJECT. Rules must end with a FINAL rule to define the default behavior.
Example:
[Rule]
DOMAIN-SUFFIX,company.com,ProxyA
DOMAIN-KEYWORD,google,DIRECT
GEOIP,US,DIRECT
IP-CIDR,192.168.0.0/16,DIRECT
FINAL,ProxyB
Rule Types
Domain-based Rules
| Type | Syntax | Matches |
|---|---|---|
| DOMAIN | DOMAIN,www.apple.com,Proxy |
Exact domain match |
| DOMAIN-SUFFIX | DOMAIN-SUFFIX,apple.com,Proxy |
Domain suffix match |
| DOMAIN-KEYWORD | DOMAIN-KEYWORD,google,Proxy |
Domain contains keyword |
| DOMAIN-WILDCARD | DOMAIN-WILDCARD,*.apple.com,Proxy |
Wildcard domain match |
| DOMAIN-REGEX | DOMAIN-REGEX,^mail\..+\.com$,Proxy |
Domain regex match |
| DOMAIN-SET | DOMAIN-SET,my-set,DIRECT |
Named domain set from file/URL |
IP-based Rules
| Type | Syntax | Matches |
|---|---|---|
| IP-CIDR | IP-CIDR,192.168.0.0/16,DIRECT |
IP address in CIDR range |
| IP-CIDR6 | IP-CIDR6,2001:db8::/32,DIRECT |
IPv6 address in CIDR range |
| GEOIP | GEOIP,US,DIRECT |
Country code from GeoIP database |
| IP-ASN | IP-ASN,13335,DIRECT |
IP address belongs to ASN |
HTTP-level Rules
| Type | Syntax | Matches |
|---|---|---|
| USER-AGENT | USER-AGENT,Instagram*,DIRECT |
User-Agent header |
| URL-REGEX | URL-REGEX,^http://google\.com,DIRECT |
URL matches regex |
| PROTOCOL | PROTOCOL,HTTPS,Proxy |
Detected protocol (HTTP/HTTPS/TLS/SSH/etc.) |
Process Rules (Mac Only)
| Type | Syntax | Matches |
|---|---|---|
| PROCESS-NAME | PROCESS-NAME,Telegram,Proxy |
Process name (wildcard matching) |
| PROCESS-PATH | PROCESS-PATH,/Applications/Safari.app,Proxy |
Full process path |
| PROCESS-NAME-REGEX | PROCESS-NAME-REGEX,^Safari$,DIRECT |
Process name (regex matching) |
Port & Source Rules
| Type | Syntax | Matches |
|---|---|---|
| DEST-PORT | DEST-PORT,80,DIRECT |
Destination port |
| SRC-IP | SRC-IP,192.168.20.100,DIRECT |
Source IP address |
| SRC-PORT | SRC-PORT,52345,DIRECT |
Source port |
| IN-PORT | IN-PORT,6152,DIRECT |
Incoming proxy port on Chute |
Advanced Matching Rules
| Type | Syntax | Matches |
|---|---|---|
| SUBNET | SUBNET,TYPE:WIFI,Proxy |
Network subnet attributes (TYPE, BSSID, SSID, ROUTER) |
| HOSTNAME-TYPE | HOSTNAME-TYPE,AAAA,Proxy |
DNS record type (A/AAAA/etc.) |
| IN-TYPE | IN-TYPE,SOCKS5,Proxy |
Inbound connection type (HTTP/SOCKS5/TUN) |
| IN-USER | IN-USER,user1,Proxy |
Inbound authentication username |
| IN-NAME | IN-NAME,my-proxy,Proxy |
Inbound proxy server name |
Logical Combination Rules
| Type | Syntax | Matches |
|---|---|---|
| AND | AND,((DOMAIN,example.com),(DEST-PORT,443)),Proxy |
All sub-rules match |
| OR | OR,((DOMAIN,example.com),(DOMAIN,test.com)),Proxy |
Any sub-rule matches |
| NOT | NOT,((DOMAIN,example.com)),Proxy |
Sub-rule does NOT match |
Special Rules
| Type | Syntax | Matches |
|---|---|---|
| RULE-SET | RULE-SET,SYSTEM,DIRECT |
Bundle of rules from file, URL, or built-in sets |
| FINAL | FINAL,ProxyB |
Default when no other rule matches (must be last) |
Options
no-resolve
When a GEOIP, IP-CIDR, or IP-ASN rule is encountered, Chute will send a DNS question to check if the hostname of request is a domain. You can select no-resolve option to skip this rule for a request with domain.
GEOIP,US,DIRECT,no-resolve
IP-CIDR,172.16.0.0/12,DIRECT,no-resolve
Notice: If some domains can't be resolved by local DNS server, please make sure there is no IP-based rule in front of the rule which matches that domain. Otherwise the rule testing will fail due to a DNS error. You can use
no-resolveto solve the issue too.
force-remote-dns
Force DNS resolution through remote proxy server instead of local DNS.
Domain Set
Chute supports defining named domain sets from external files or URLs, usable with DOMAIN-SET rule type. Each line in the domain set file contains a rule declaration without the policy.