Configuration Field Reference#

This reference lists user-writable fields by configuration block. It is not a recommended configuration template, but a manual for looking up field meanings and effects. Whether a field ultimately takes effect also depends on the platform, protocol type, and combination constraints. If a field is not supported by the current protocol/platform, Link1 reports an error during configuration compilation.

Top-Level Fields#

Field	Meaning	Actual effect
`port`	HTTP explicit proxy port	Accepts only HTTP proxy requests; clients must explicitly configure an HTTP proxy.
`socks-port`	SOCKS5 explicit proxy port	Accepts only SOCKS5 requests; whether domain names are passed to Link1 depends on the client.
`redir-port`	Linux REDIRECT transparent proxy port	Requires iptables/nftables to forward TCP traffic.
`tproxy-port`	Linux TPROXY transparent proxy port	Requires Linux policy routing; suitable for TCP/UDP transparent proxying.
`mixed-port`	Mixed HTTP/SOCKS5 proxy port	The most recommended entry point for beginners; one port serves both HTTP proxy and SOCKS5.
`allow-lan`	Allow LAN access	More secure when false; when true, other devices can connect to Link1 listening ports.
`bind-address`	Listen bind address	`127.0.0.1` is local-only; `*`/`0.0.0.0` opens on all network interfaces.
`authentication`	Inbound username and password	HTTP/SOCKS clients must authenticate, usually in the format `user:pass`.
`skip-auth-prefixes`	Source IP prefixes that skip authentication	Exempts trusted local/inner-network sources from authentication.
`lan-allowed-ips`	Allowed LAN source IPs	Reduces the LAN exposure surface.
`lan-disallowed-ips`	Denied LAN source IPs	Excludes untrusted devices.
`mode`	Routing mode	Commonly `rule`; affects default routing behavior.
`unified-delay`	Unified delay metric	Affects the statistics used for health checks and delay display.
`log-level`	Log level	Controls output verbosity; can be temporarily raised for troubleshooting.
`ipv6`	Global IPv6 switch	Affects outbound and DNS IPv6 availability.
`find-process-mode`	Process lookup mode	Affects whether PROCESS/UID rules can obtain process metadata.
`ruleset-membership-cache-size`	Rule set membership cache size	Improves RULE-SET matching performance; too large increases memory usage.
`interface-name`	Global outbound network interface	Used as the default network interface binding for supported protocols.
`routing-mark`	Global Linux routing mark	Used as the default mark for supported protocols.
`inbound-tfo`	Inbound TCP Fast Open	Reduces inbound TCP handshake overhead on supported platforms.
`inbound-mptcp`	Inbound MPTCP	Enables Multipath TCP on supported platforms.
`ss-config`	Shadowsocks template import compatibility field	Template import is not implemented; the configuration is rejected.
`vmess-config`	VMess template import compatibility field	Template import is not implemented; the configuration is rejected.
`geo-auto-update`	Automatically update Geo data	When enabled, updates GeoIP/GeoSite/ASN resources at the configured interval.
`geo-update-interval`	Geo update interval	Unit: hours; affects automatic update frequency.
`geodata-mode`	GeoData mode	Enables GeoIP/GeoSite data mode.
`geodata-loader`	GeoData loader	Supports `memconservative`/`memc`.
`geosite-matcher`	GeoSite matcher	Supports `mph`, `hybrid`, and `succinct`; default is `mph`.
`geox-url`	Geo resource URLs	Specifies geoip/mmdb/asn/geosite download URLs.
`global-client-fingerprint`	Global TLS fingerprint	Used as the default ClientHello fingerprint for supported protocols.
`global-ua`	Global User-Agent	Used as the default UA for HTTP clients such as provider fetching.
`etag-support`	HTTP provider ETag support	Reduces repeated downloads; works with Last-Modified/cache.
`disable-keep-alive`	Disable HTTP keep-alive	Affects connection reuse for providers/HTTP clients.
`keep-alive-idle`	TCP keepalive idle	Controls how long a connection is idle before keepalive starts.
`keep-alive-interval`	TCP keepalive interval	Controls the interval between keepalive probes.
`profile`	State persistence configuration	Controls whether selections and Fake-IP are persisted.
`tls`	Global TLS service configuration	Server-side TLS materials for listeners and other services.
`experimental`	Experimental switches	Affects advanced behaviors such as QUIC/GSO/ECN/IP4P.
`ntp`	NTP configuration	Used for time synchronization-related capabilities.
`iptables`	iptables helper configuration	Used in router/transparent proxy scenarios.
`tuic-server`	TUIC server compatibility field	Not supported; the configuration is rejected.
`clash-for-android`	Android compatibility configuration	Mobile/compatibility display fields.
`tunnels`	Tunnel compatibility field	Not supported; the configuration is rejected.
`listeners`	Protocol server listeners	Declares inbound services such as VLESS/Hysteria2.
`tun`	TUN inbound configuration	Uses a virtual network interface to take over system traffic.
`app-proxy`	Application transparent proxy	Desktop entry point for transparent takeover by application/process.
`sniffer`	Sniffing configuration	Recovers domain names from HTTP/TLS/QUIC traffic.
`rules`	Routing rules	Determines the connection outbound in order.
`sub-rules`	Sub-rules	Reuses or segments rule execution flows.
`rule-sets`	Inline/resolved rule sets	Referenced by RULE-SET, TUN route sets, and similar features.
`rule-providers`	Rule providers	Loads rule sets from HTTP/File/Inline.
`proxy-providers`	Proxy providers	Generates nodes from subscriptions, files, inline definitions, or WARP.
`hosts-providers`	hosts providers	Loads hosts from external sources.
`proxies`	Static outbound nodes	Manually defined nodes.
`proxy-groups`	Proxy groups	Combines nodes and selects an outbound.
`hosts`	Static hosts	Fixed mappings from domain names to IP addresses.
`dns`	DNS configuration	Resolution, Fake-IP, and DNS routing.
`http-engine`	HTTP Engine	MITM, rewrite, Mock, and Capture.
`device-discovery`	Device discovery	Enriches source IPs with LAN device information.

`geox-url` Fields#

Field	Meaning	Actual effect
`geoip`	GeoIP dat URL	Affects the data source for `GEOIP` rules.
`mmdb`	MMDB URL	Affects the data source for GeoIP/mmdb.
`asn`	ASN mmdb URL	Affects `IP-ASN`/`SRC-IP-ASN`.
`geosite`	GeoSite dat URL	Affects `GEOSITE` rules.

`profile` Fields#

Field	Meaning	Actual effect
`store-selected`	Persist proxy group selections	Restores select group selections after restart.
`store-fake-ip`	Persist Fake-IP mappings	Tries to keep domain-IP mappings after restart.

`tls` Fields#

Field	Meaning	Actual effect
`certificate`	Server certificate	Used by listeners or other server-side TLS services.
`private-key`	Server private key	Must match the certificate.
`client-auth-type`	Client certificate authentication type	Used in mTLS scenarios.
`client-auth-cert`	Client CA/certificate	mTLS verification.
`ech-key`	ECH key	ECH server capability.
`custom-certifactes`	Custom trusted certificates	Field name keeps the compatible spelling.

`experimental` Fields#

Field	Meaning	Practical impact
`dialer-ip4p-convert`	Enable IP4P conversion	Experimental dialing behavior.

`ntp` Fields#

Field	Meaning	Practical impact
`enable`	Enable NTP	Related to time synchronization.
`server`	NTP server	Target server.
`port`	NTP port	Common default for NTP is 123.
`interval`	Sync interval	Affects sync frequency.
`dialer-proxy`	Outbound used by NTP	Access NTP through the specified proxy.
`write-to-system`	Write to system time	Requires permissions and affects the system clock.

`iptables` Fields#

Field	Meaning	Practical impact
`enable`	Enable iptables helper	Helper configuration for transparent proxying.
`inbound-interface`	Inbound interface	Specifies which interface to take over traffic from.
`bypass`	Bypass addresses	Do not enter the transparent proxy.
`dns-redirect`	DNS redirect	Redirect DNS queries to Link1.

`clash-for-android` Fields#

Field	Meaning	Practical impact
`append-system-dns`	Append system DNS	Android compatibility behavior.
`ui-subtitle-pattern`	UI subtitle template	Used for display.

`dns` Fields#

Field	Meaning	Practical impact
`enable`	Enable DNS	When disabled, DNS/Fake-IP does not take effect.
`prefer-h3`	Prefer HTTP/3 for DoH	Affects `https://` DNS upstreams.
`listen`	DNS listen address	Used for queries from the system/router/TUN DNS hijack.
`ipv6`	DNS IPv6	Returns AAAA records; also affected by global IPv6.
`ipv6-timeout`	IPv6 query timeout	Wait time for dual-stack resolution, in milliseconds.
`enhanced-mode`	Enhanced mode	`normal` or `fake-ip`.
`fake-ip-range`	IPv4 Fake-IP pool	Restores domains for transparent proxying.
`fake-ip-range6`	IPv6 Fake-IP pool	IPv6 Fake-IP.
`fake-ip-filter`	Fake-IP exclusion list	Returns real IPs for matched domains.
`fake-ip-filter-mode`	Fake-IP filter mode	Usually blacklist.
`fake-ip-ttl`	Fake-IP TTL	Affects client cache.
`fallback`	Fallback DNS	Used with fallback-filter.
`fallback-filter`	fallback conditions	Determines when to use fallback.
`cache-algorithm`	Cache algorithm	Affects DNS cache eviction.
`cache-max-size`	Cache size	Affects memory usage and hit rate.
`default-nameserver`	bootstrap DNS	Resolves the domains of DoH/DoT upstreams themselves.
`nameserver`	Default DNS	Upstream for normal resolution.
`proxy-server-nameserver`	Proxy server DNS	Resolves `proxies[].server`.
`proxy-server-nameserver-policy`	Proxy server DNS policy	Specifies proxy server DNS by domain.
`direct-nameserver`	Direct DNS	Resolution for the direct path.
`direct-nameserver-follow-policy`	direct DNS follows policy	Affects DNS routing for direct domains.
`respect-rules`	DNS respects rules	Makes the DNS query outbound closer to the final route.
`use-hosts`	Use configured hosts	Enables top-level `hosts`.
`use-system-hosts`	Use system hosts	Enables the system hosts file.
`nameserver-policy`	DNS routing policy	Specifies DNS by domain/geosite/rule-set.

`dns.fallback-filter` Fields#

Field	Meaning	Practical impact
`geoip`	Match by GeoIP	Uses fallback when the returned IP does not match geoip-code.
`geoip-code`	GeoIP code	Common default is CN.
`geosite`	GeoSite condition	Triggers when the domain belongs to a category.
`domain`	Domain condition	Triggers when the domain pattern is matched.
`ipcidr`	IP CIDR condition	Triggers when the returned IP falls within the subnet.

`tun` Fields#

Field	Meaning	Practical impact
`enable`	Enable TUN	Creates/uses a virtual network interface.
`backend`	TUN backend	`auto`/`native`/`packet-tunnel`.
`stack`	TUN protocol stack	`light` by default; `gvisor` keeps the legacy gVisor stack.
`auto-route`	Auto route	Routes system traffic into TUN.
`auto-redirect`	Auto redirect	Helper for transparent takeover on Linux/Android.
`auto-redirect-input-mark`	Inbound mark	Used by auto-redirect.
`auto-redirect-output-mark`	Outbound mark	Used by auto-redirect.
`auto-redirect-iproute2-fallback-rule-index`	fallback rule index	Must be smaller than iproute2-rule-index.
`auto-detect-interface`	Auto-detect interface	Reduces the need to manually specify the outbound interface.
`dns-hijack`	DNS hijack rules	Routes DNS queries into Link1.
`device`	TUN device name	Commonly used with the native backend.
`mtu`	MTU	Default is 1500; affects fragmentation and throughput.
`strict-route`	Strict route	Reduces leak risk, but may affect LAN access.
`loopback-address`	Loopback address list	loopback IP only.
`gso`	Enable GSO	Linux data-plane performance optimization.
`gso-max-size`	Maximum GSO size	Requires `gso=true`.
`udp-timeout`	UDP timeout	Default is 300 seconds.
`disable-icmp-forwarding`	Disable ICMP forwarding	Affects ping/ICMP behavior.
`file-descriptor`	Externally passed fd	For platform integration scenarios.
`recvmsgx`	Darwin recvmsgx	Darwin stack optimization.
`sendmsgx`	Darwin sendmsgx	Darwin stack optimization.
`iproute2-table-index`	Routing table ID	Linux policy routing.
`iproute2-rule-index`	rule priority	Linux policy routing.
`endpoint-independent-nat`	Endpoint-independent NAT	Changes UDP NAT reuse.
`route-address-set`	Takeover rule set	References an ipcidr rule-set.
`route-exclude-address-set`	Exclusion rule set	References an ipcidr rule-set.
`route-address`	Takeover CIDR	Only take over these subnets.
`route-exclude-address`	Excluded CIDR	Protects LAN/reserved addresses.
`include-interface`	Include interfaces	Selects which interfaces' traffic enters TUN.
`exclude-interface`	Exclude interfaces	Selects which interfaces' traffic does not enter TUN.
`include-uid`	Include UID	Linux/Android.
`include-uid-range`	Include UID range	Format: `start:end`.
`exclude-uid`	Exclude UID	Linux/Android.
`exclude-uid-range`	Exclude UID range	Format: `start:end`.
`exclude-src-port`	Exclude source ports	Port list.
`exclude-src-port-range`	Exclude source port range	Format: `start:end`.
`exclude-dst-port`	Exclude destination ports	Port list.
`exclude-dst-port-range`	Exclude destination port range	Format: `start:end`.
`include-android-user`	Include Android user	Android only.
`include-package`	Include package names	Android only.
`exclude-package`	Exclude package names	Android only.
`inet4-address`	TUN IPv4 address	Can be derived from Fake-IP when empty.
`inet6-address`	TUN IPv6 address	IPv6 TUN address.
`inet4-route-address`	IPv4 takeover routes	IPv4 only.
`inet6-route-address`	IPv6 takeover routes	IPv6 only.
`inet4-route-exclude-address`	IPv4 excluded routes	IPv4 only.
`inet6-route-exclude-address`	IPv6 excluded routes	IPv6 only.

`sniffer` Fields#

Field	Meaning	Practical Effect
`enable`	Enable sniffing	HTTP/TLS/QUIC domain recognition.
`override-destination`	Override destination	Controls whether a sniffed domain rewrites the actual outbound destination; when disabled, the sniffed domain can still be recorded for rules/observability.
`force-dns-mapping`	Force DNS mapping	Restores domains together with Fake-IP/DNS.
`parse-pure-ip`	Parse pure IP	Attempts processing for IP targets.
`sniffing`	Compatible enable list	Declares HTTP/TLS/QUIC.
`port-whitelist`	Port allowlist	Sniffs only specified ports.
`sniff`	Per-protocol configuration	HTTP/TLS/QUIC sub-configuration.
`force-domain`	Force domains	Domain patterns that force sniffing even when a target host already exists; does not bypass `override-destination`.
`skip-domain`	Skip domains	Domains not to sniff/override.
`skip-src-address`	Skip source addresses	Skips by source IP prefix.
`skip-dst-address`	Skip destination addresses	Skips by destination IP prefix.

`sniffer.sniff.*` Fields#

Field	Meaning	Practical Effect
`ports`	Port list	Specifies sniffing ports for this protocol.
`override-destination`	Protocol-level override	Overrides the global override-destination.

`hosts-providers.*` Fields#

Field	Meaning	Practical Effect
`type`	provider type	`http` or `file`.
`path`	Local path	Used for file reads or http cache.
`url`	HTTP URL	Download URL for an http provider.
`interval`	Refresh interval	In seconds.
`dialer-proxy`	Download outbound	Uses the specified proxy to fetch.
`proxy`	Compatible field for download outbound	Same purpose.
`header`	HTTP request headers	Authentication/UA.
`size-limit`	Size limit	Limits the response body.

`rule-providers.*` Fields#

Field	Meaning	Practical Effect
`type`	provider type	`http`/`file`/`inline`.
`behavior`	Rule behavior	`domain`/`ipcidr`/`classical`.
`format`	Format	`yaml`/`text`/`mrs`.
`url`	HTTP URL	Download for an http provider.
`path`	Local path	File or cache.
`interval`	Refresh interval	In seconds.
`proxy`	Download outbound	Specifies the outbound used to fetch the provider.
`header`	HTTP request headers	Authentication/UA.
`payload`	Inline rules	Used by inline.
`size-limit`	Size limit	Limits downloaded content.

Common `proxies[]` Fields#

Field	Meaning	Practical Effect
`name`	Node name	Referenced by rules, proxy groups, `dialer-proxy`, and dynamic DNS schemes.
`type`	Node type	Determines the semantics of subsequent fields; see the outbound protocols section for common values.
`server` / `port`	Upstream address	Remote proxy, VPN, or tunnel endpoint.
`udp`	UDP capability switch	Enables/disables UDP forwarding for protocols that support UDP.
`dialer-proxy`	Upstream dialer outbound	Connects this node to its own upstream through another outbound first; if the capability is invalid, compilation fails instead of being silently ignored.
`interface-name` / `routing-mark`	Underlying socket binding	Used only when dialing the upstream directly; some protocols disallow these fields after `dialer-proxy` is set.
`ip-version`	IP family preference for resolution/dialing	Takes effect only for protocols that support this socket option.
`tfo` / `mptcp`	TCP socket capabilities	Takes effect only when both the platform and protocol support them.
`skip-cert-verify`	Skip certificate verification	Used by TLS/QUIC protocols; use with caution in production.
`sni` / `servername`	TLS name	Changes the upstream TLS/QUIC handshake domain.
`alpn`	ALPN list	Affects HTTP/2, HTTP/3, or protocol negotiation.
`client-fingerprint` / `fingerprint`	TLS fingerprint	Affects ClientHello or certificate fingerprint verification; requires protocol support.

L3/VPN Fields for `proxies[]`#

Field	Applicable Types	Practical Effect
`remote-dns-resolve`	`wireguard`, `masque`, `tailscale`, `openvpn`, `atrust`, `feilian`, `easyconnect`	Defaults to true. When the target is still a domain, DNS resolution is preferably performed by the VPN/tunnel runtime; if there is no pushed/configured DNS, an error is reported instead of silently falling back to local DNS.
`dns`	`wireguard`, `masque`, `openvpn`, etc.	Manually specifies in-tunnel DNS; for OpenVPN, DNS pushed by the server overrides the manual value.
`route-rule-set`	`tailscale`, `openvpn`, enterprise VPN	Exposes a dynamic route rule set; defaults to `$<proxy-name>` if not explicitly configured.
`auto-route`	`tailscale`, `openvpn`, enterprise VPN	Defaults to true; automatically inserts the dynamic `RULE-SET` before `MATCH`.
`accept-routes`	`tailscale`	Whether to accept routes distributed by the tailnet control plane. Defaults to true.
`exit-node`	`tailscale`	Uses the specified Tailscale exit node.
`exit-node-allow-lan-access`	`tailscale`	Preserves local LAN access when using an exit node.
`state-dir`	`tailscale`	Uses a file-based state directory; if unset, the Link1 state store is used.
`control-url`	`tailscale`	Tailscale/Headscale control-plane URL.
`ip` / `ipv6`	`wireguard`, `masque`, `openvpn`	Local tunnel address.
`allowed-ips` / `peers`	`wireguard`	WireGuard peer routes and peer list.
`reserved.bytes`	WARP WireGuard	WARP reserved bytes.
`remotes[]`	`openvpn`	Multiple OpenVPN remote candidates.
`tls-auth` / `tls-crypt` / `tls-crypt-v2`	`openvpn`	OpenVPN control-channel protection; the three are mutually exclusive.

Transport and QUIC Fields for `proxies[]`#

Field	Applicable Types	Practical Effect
`network`	VMess/VLESS/Trojan/MASQUE, etc.	Selects the underlying transport; MASQUE supports `h3`/`http3`/`quic` and `h2`/`http2`.
`http-opts` / `ws-opts` / `h2-opts` / `grpc-opts` / `xhttp-opts`	VMess/VLESS/Trojan, etc.	Corresponding HTTP/WebSocket/HTTP2/gRPC/xHTTP transport parameters.
`reality-opts` / `ech-opts`	TLS protocols	REALITY / ECH configuration.
`congestion-controller`	QUIC/MASQUE/TrustTunnel/TUIC, etc.	QUIC congestion control; common values are `cubic`, `new_reno`, `bbr`, and `brutal`.
`bbr-profile`	QUIC protocols that support BBR	BBR parameter profile: `standard`, `conservative`, `aggressive`; requires or automatically selects `congestion-controller=bbr`, and reports an error if protocol restrictions are not met.
`cwnd`	QUIC/MASQUE/TrustTunnel/TUIC, etc.	Initial congestion window.
`up` / `down`	Hysteria/TUIC/MASQUE brutal, etc.	Bandwidth hints or input for brutal congestion control.
`handshake-mode`	MASQUE/WARP MASQUE	MASQUE handshake compatibility mode; regular MASQUE supports `strict`/`compat`, while WARP manual top-level does not.
`mtu`	L3/QUIC tunnels	Tunnel MTU.
`realm-opts`	`hysteria2` outbound and Hysteria2 listener	Realm forwarding configuration; requires `server-url`, `token`, `realm-id`, and `stun-servers`, and cannot be used with `ports`.

`proxies[].realm-opts` Fields#

Field	Meaning	Actual effect
`enable`	Enable Realm	Validates against the Realm configuration when true or when any subfield is non-empty.
`server-url`	Realm service URL	Control plane address; required.
`token`	Realm token	Authentication token; required.
`realm-id`	Realm ID	Selects a specific realm; required.
`stun-servers`	STUN servers	At least one is required, used for NAT detection/negotiation.
`sni`	Realm TLS SNI	TLS name for the Realm control plane.
`skip-cert-verify`	Skip Realm certificate verification	Use only for debugging or controlled environments.
`fingerprint`	Realm certificate fingerprint	Certificate pinning.
`certificate` / `private-key`	Realm client certificate	Configure as a pair.
`alpn`	Realm ALPN	Realm TLS negotiation.
`proxy`	Realm control plane egress	Egress used to access the Realm control plane; not the same as the node's own `dialer-proxy`.

`proxy-groups[]` Fields#

Field	Meaning	Actual effect
`name`	Group name	Referenced by rules.
`type`	Group type	`select`/`url-test`/`smart`/`fallback`/`load-balance`/`relay`.
`proxies`	Member nodes	Static references.
`use`	Referenced provider	Imports provider nodes.
`url`	Probe URL	Health check.
`interval`	Probe interval	Seconds.
`timeout`	Probe timeout	Milliseconds.
`lazy`	Lazy probing	Probe only when needed.
`max-failed-times`	Failure threshold	Affects availability.
`disable-udp`	Disable UDP	Disables UDP at the group level.
`interface-name`	Bind network interface	Default socket option for group members.
`routing-mark`	routing mark	Linux policy routing.
`include-all`	Include all nodes	Static + provider.
`include-all-proxies`	Include all static nodes	Excludes providers.
`include-all-providers`	Include all provider nodes	Excludes static nodes.
`filter`	Member filter	Keep by name regex.
`exclude-filter`	Member exclusion	Exclude by name regex.
`exclude-type`	Type exclusion	Exclude by protocol type.
`expected-status`	Expected status code	Health check success condition.
`health-check`	Nested health check	Overrides url/interval/timeout/lazy/expected-status.
`hidden`	Hide in UI	For display purposes.
`icon`	UI icon	For display purposes.
`tolerance`	Latency tolerance	Debouncing for url-test.
`strategy`	Load strategy	Used by load-balance.

`proxy-groups[].health-check` Fields#

Field	Meaning	Actual effect
`url`	Probe URL	Defaults to `http://www.gstatic.com/generate_204`.
`interval`	Probe interval	Defaults to 300 seconds.
`timeout`	Probe timeout	Defaults to 5000 milliseconds.
`lazy`	Lazy probing	Probe only when needed.
`expected-status`	Expected status code	Can be 204 or range semantics.

`http-engine` Fields#

Field	Meaning	Actual effect
`enabled`	Enable HTTP Engine	Rules do not run when disabled.
`defaults`	Default limits	Default values for body/JQ/script.
`mitm`	MITM configuration	HTTPS decryption.
`force-http-engine`	Force-processing list	Sends specific hosts/patterns to HTTP Engine.
`downstream-h3-proxy`	Downstream H3 proxy	Affects HTTP/3 from clients to Link1.
`upstream-h3`	Upstream H3 policy	`off`/`hinted`/`aggressive`.
`capture`	Capture configuration	Records flow/body.
`scripts`	Script sources	Referenced by QuickJS rules.
`rules`	Rule set	URL/Header/Body/JSON/JQ/Script/Mock/Route.

Nested `http-engine` Fields#

Field	Meaning	Actual effect
`defaults.body-max-size`	Default body limit	Do not read/process beyond this limit.
`defaults.jq-timeout`	Default JQ timeout	Limits JQ execution.
`defaults.script-timeout`	Default script timeout	Limits QuickJS execution.
`defaults.script-memory-limit`	Default script memory	Limits QuickJS memory.
`defaults.on-error`	Default error policy	`fail-open` or `fail-closed`.
`mitm.enabled`	Enable MITM	Decrypts matching HTTPS traffic.
`mitm.ca-cert`	CA certificate source	file/inline/managed.
`mitm.ca-key`	CA private key source	file/inline/managed.
`mitm.hosts`	MITM host list	Decrypts only matched hosts.
`mitm.h2`	Enable H2	Leaf certificates/downstream HTTP/2.
`mitm.leaf-cache-max-entries`	Number of cached leaf certificates	Reduces certificate generation overhead.
`capture.enabled`	Enable capture	Records HTTP flows.
`capture.max-flows`	Maximum number of flows	Controls memory usage.
`capture.body-preview-bytes`	Body preview size	Shown in lists.
`capture.store-full-body`	Save full body	Consumes disk space.
`capture.full-body-max-bytes`	Full body limit	Limits size written to disk.
`capture.spool-dir`	Spool directory	Location where bodies are written to disk.
`scripts.name`	Script name	Referenced by rules.
`scripts.source`	Script source	file/inline/inline-base64.
`source.file`	File source	Reads text/script from a file.
`source.inline`	Inline text	Writes content directly.
`source.inline-base64`	base64 text	Suitable for binary data/special characters.
`pem.file`	PEM file	Certificate/private key file.
`pem.inline-pem`	Inline PEM	Writes PEM directly.
`pem.inline-base64`	base64 PEM	base64-encoded PEM.
`pem.managed`	App-managed CA ID	For example `ca-managed`; created, saved, and referenced by the Link1 App.

`http-engine.rules.*.match` Fields#

Field	Meaning	Actual effect
`view`	View/stage	Matches by HTTP Engine view.
`url`	Exact URL match	Matches the full URL.
`url-regex`	URL regex	Regex match on the full URL.
`scheme`	scheme list	http/https.
`host`	Host match	Target host.
`path`	Path match	Request path.
`path-regex`	Path regex	Regex path.
`query`	query match	URL query.
`query-regex`	query regex	Regex query.
`method`	Method list	GET/POST, etc.
`content-type`	Content-Type	By content type.
`user-agent`	User-Agent	Exact/list.
`user-agent-regex`	User-Agent regex	Regex UA.
`header`	header match	By header value.
`header-regex`	header regex	By header regex.
`cookie`	cookie match	By cookie.
`cookie-regex`	cookie regex	By cookie regex.
`protocol`	Protocol	HTTP protocol/version.
`entry-point`	Entry point	By inbound entry point.

`http-engine.rules` Fields#

Field	Meaning	Practical effect
`url-rewrite`	URL rewrite rules	rewrite/redirect/reject.
`header-rewrite`	Header rewrite	Request/response header operations.
`body-rewrite`	Body text rewrite	String or regex replacement.
`json-transform`	JSON transform	Structured JSON modification.
`jq`	JQ rules	Process JSON with JQ expressions.
`script`	QuickJS rules	Run scripts to process requests/responses.
`mock`	Mock response	Return a fake response directly.
`route`	HTTP route marker	Marks an outbound for an HTTP flow entering HTTP Engine.

`http-engine` Rule Action Fields#

Field	Meaning	Practical effect
`name`	Rule name	Used for identification and logs.
`direction`	Direction	`request` or `response`.
`action`	Action	Used by URL rewrite.
`operations`	Operation list	Used by header/body rules.
`op`	Operation type	set/del/replace, etc.
`key`	header key	Header operation.
`value`	Value	Setting/JSON value.
`pattern`	Regex	replace-regex.
`replacement`	Replacement value	replace-regex/rewrite.
`from`	Original text	body replace.
`to`	New text	body replace.
`require-body`	Require body	How to handle when there is no body.
`max-size`	Maximum body size	Do not process if exceeded.
`on-error`	Error policy	fail-open/fail-closed.
`when`	JSON predicate	Execute only when matched.
`ops`	JSON sub-operations	JSON transform.
`path`	JSON path or URL path	Depends on context.
`eq`	Equals	JSON predicate.
`neq`	Not equal	JSON predicate.
`in`	In list	JSON predicate.
`not-in`	Not in list	JSON predicate.
`exists`	Existence check	JSON predicate.
`field`	Array element field	filter-array where.
`all`	All conditions	Nested where.
`equals`	Current value comparison	replace-if-eq.
`expression`	JQ expression	JQ rules.
`variables`	JQ variables	Passed into the expression.
`engine`	Script engine	`quickjs`.
`script`	Script name	References scripts.
`binary-body-mode`	Binary body	Script rules.
`timeout`	Timeout	JQ/script.
`memory-limit`	Memory limit	script.
`arguments`	Script arguments	map string.
`response`	Mock response	status/headers/body.
`status`	HTTP status code	URL redirect/mock.
`headers`	HTTP headers	Mock response.
`body`	Inline body	Mock.
`body-file`	body file	Mock.
`body-base64`	base64 body	Mock.
`tiny-gif`	tiny gif	Mock image placeholder.
`outbound`	Outbound name	route rule.
`type`	Action type	URL rewrite action.
`location`	Redirect address	redirect.

`device-discovery` Fields#

Field	Meaning	Practical effect
`enable`	Enable device discovery	Adds device information for connection source IPs.
`passive-listen`	Passive listening	Discovers devices through weak signals such as ARP/mDNS/SSDP/NetBIOS.
`active-probe`	Active probing	Actively probes LAN devices.
`weak-hints`	Weak hints	Allows device hints that are not strongly confirmed.
`cache`	Cache configuration	Controls device/address TTL and counts.
`probe`	Probe configuration	Controls concurrency, timeout, and minimum interval.
`interfaces`	Interface filtering	Specifies included/excluded network interfaces.

`device-discovery.cache` Fields#

Field	Meaning	Practical effect
`max-devices`	Maximum devices	Limits memory usage.
`max-addresses`	Maximum addresses	Limits addresses per device.
`device-ttl`	Device TTL	Expiration time for device information.
`address-ttl`	Address TTL	Expiration time for address bindings.

`device-discovery.probe` Fields#

Field	Meaning	Practical effect
`min-gap`	Minimum probe interval	Avoids frequent probing.
`timeout`	Probe timeout	Wait time for a single probe.
`concurrency`	Concurrency	Controls probe load.

`device-discovery.interfaces` Fields#

Field	Meaning	Practical effect
`include`	Included interfaces	Discover only on these interfaces.
`exclude`	Excluded interfaces	Skip these interfaces.

Configuration Field Reference#

Top-Level Fields#

geox-url Fields#

profile Fields#

tls Fields#

experimental Fields#

ntp Fields#

iptables Fields#

clash-for-android Fields#

dns Fields#

dns.fallback-filter Fields#

tun Fields#

sniffer Fields#

sniffer.sniff.* Fields#

hosts-providers.* Fields#

rule-providers.* Fields#

Common proxies[] Fields#

L3/VPN Fields for proxies[]#

Transport and QUIC Fields for proxies[]#

proxies[].realm-opts Fields#

proxy-groups[] Fields#

proxy-groups[].health-check Fields#

http-engine Fields#

Nested http-engine Fields#

http-engine.rules.*.match Fields#

http-engine.rules Fields#

http-engine Rule Action Fields#

device-discovery Fields#

device-discovery.cache Fields#

device-discovery.probe Fields#

device-discovery.interfaces Fields#