In this release, we completely refactored the policy group functionality, bringing the following changes:
1. The url-test/fallback/load-balance policy group can no longer be configured with its own testing URL; it uses the global testing URL or a policy-configured testing URL instead. The policy's test results can be used directly in all policy group decisions, eliminating the need to retest each policy group individually.
2. All types of policy groups support mixed nesting. The only requirement is that there are no circular references.
3. When a policy group is used as a sub-policy of the url-test/fallback/load-balance group:
   The latency of the select/url-test/fallback/ssid group is the latency of the selected policy.
   The latency of the load-balance group is the average of the latencies of all available policies.
4. The timeout parameter of a policy group marks policies with latency exceeding this parameter as unavailable when making decisions for the group. The maximum time taken to test the policy group, however, is controlled by the global test-timeout parameter. (Default is 5s)
5. When a group is tested for decision making, all sub-policies that the group may use are tested, including the sub-policies of nested policy groups.
6. You may use the no-alert=true parameter to suppress notifications for particular groups.
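The nested-group latency rules in items 2 to 4, modelled as an added example (not Surge's own code). The policy names, the `timeout_ms` and `selected` keys, and the choice rules for url-test (fastest available) and fallback (first available in list order) are assumptions of this sketch.

```python
# Constructed sample data: test results in ms, None = test failed.
LEAF_MS = {"ProxyA": 120, "ProxyB": 300, "ProxyC": None, "ProxyD": 80}
GROUPS = {
    "LB":   {"type": "load-balance", "policies": ["ProxyA", "ProxyB", "ProxyC"]},
    "Auto": {"type": "url-test", "policies": ["LB", "ProxyD"], "timeout_ms": 250},
    "Main": {"type": "fallback", "policies": ["Auto", "ProxyB"]},
}

def group_latency(name, groups=GROUPS, leaf_ms=LEAF_MS, _path=()):
    """Return the latency (ms) of a policy or group, or None if unavailable."""
    if name in _path:  # item 2: nesting is allowed, circular references are not
        raise ValueError("circular reference: " + " -> ".join(_path + (name,)))
    if name not in groups:
        return leaf_ms.get(name)  # plain policy: its test result is shared by all groups
    group = groups[name]
    limit = group.get("timeout_ms")  # item 4: slower sub-policies count as unavailable
    available = {}
    for sub in group["policies"]:
        ms = group_latency(sub, groups, leaf_ms, _path + (name,))
        if ms is not None and (limit is None or ms <= limit):
            available[sub] = ms
    if not available:
        return None
    kind = group["type"]
    if kind == "load-balance":  # item 3: average of all available policies
        return sum(available.values()) / len(available)
    if kind == "url-test":      # assumption: the fastest available policy is selected
        return min(available.values())
    if kind == "fallback":      # assumption: the first available policy in list order
        return next(available[s] for s in group["policies"] if s in available)
    # select / ssid: latency of whichever sub-policy is currently selected
    return available.get(group.get("selected"))

if __name__ == "__main__":
    for group_name in GROUPS:
        print(group_name, group_latency(group_name))
```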
Cloud Notification
You can receive notifications on iOS devices. Enable this option first and then configure it on Surge iOS. The two devices must use the same iCloud account.
All URL resources now support URLs with a username and password (e.g. https://user:[email protected]), including managed profiles, external resources, and importing a profile from a URL.
You may switch among the main views with shortcut keys.
If use-local-host-item-for-proxy is true, Surge sends the proxy request with the IP address defined in the [Host] section, instead of the original domain.
Changes in Load Balance Group
The load-balance group now supports connectivity testing before being used. Add the 'url' parameter to enable it.
Parameters 'timeout', 'interval' and 'evaluate-before-use' are also available.
Minor Changes
Surge will send an ICMP port unreachable message if UDP forwarding fails.
Eliminate unnecessary local DNS lookup while forwarding UDP traffic to a proxy server.
Fixed a bug where connecting to Surge iOS via USB did not work in Surge Dashboard.
Surge Mac supports SSID suspend now. The system proxy and enhanced mode will be temporarily suspended under specified SSIDs.
The name of WiFi can be an SSID, a BSSID, or a gateway IP address.
No UI configuration in the current version.
REJECT-DROP
The REJECT-DROP policy now also applies to proxy connections. Connections matched by a REJECT-DROP policy will be closed 60-120s later without any data returned.
Global Proxy
You may now select and view sub-policy for policy groups while using the global proxy mode.
DOMAIN-SET is just like RULE-SET, but it is designed for a large number of rules and is highly efficient.
Unlike RULE-SET, you can only write hostnames (domain or IP address) in it. One hostname per line.
You may use "." prefix to include all sub-domains.
Changes in SRC-IP
SRC-IP rule now supports IP-CIDR for both IPv4 and IPv6.
Changes in DNS over HTTPS
From this version, if DNS-over-HTTPS is configured, the traditional DNS will only be used to test the connectivity and resolve the domain in the DOH URL.
The DNS over HTTPS now has a separate parameter: doh-server. The DOH servers in 'dns-server' will be moved to the new parameter after saving.
The legacy DNS is always required now.
DOH can be matched with rule 'PROTOCOL,DOH' now.
Added a new parameter 'doh-follow-outbound-mode'. In the previous version, the DOH client follows the system proxy settings. From this version, all DOH requests will use DIRECT policy by default. If 'doh-follow-outbound-mode' is set, the DOH requests will follow the outbound mode settings regardless of the system proxy settings.
We are refactoring the HTTP client for DOH and scripting. Please send feedback if you encounter any issues.
Changes in Scripting
Added a simple view to test the script. You may find it in the Window menu.
Minor Changes
Fixed a crash in Dashboard while using search.
Bug fixes.
Known Issues
Temporarily, DOH cannot be configured through the UI in this version.
New feature: Module, which can override the current profile with a set of settings. Highly flexible for diverse purposes. See the post in the community for more information: https://community.nssurge.com/d/225-module.
You may enable modules in the menu now.
You may view the detail of a module by double clicking.
Supports pattern filter for Dashboard requests.
Added a new rule type: PROTOCOL. The possible values are HTTP, HTTPS, SOCKS, SNELL, TCP, UDP.
You may now use UI to add and edit load-balance group.
DNS over HTTPS (DoH) now uses DNS wireformat by default. You may configure doh-format=json in [General] to continue using JSON format.
Remote Dashboard now upgraded to Remote Controller. You may use Surge iOS to select policy group, toggle HTTP capture/MitM, and switch outbound mode remotely.
The comment lines in the text config won't be lost after editing with the UI.
You may open the new connection window of Dashboard by holding the Option key while clicking the Dashboard item in the main menu.
Proxy editing view now supports VMess protocol and all misc options.
A new option 'persistent' has been added to the load-balance group (aka PCC, per connection classifier). When 'persistent=true' is set, the same hostname will always get the same policy.
You can now use a script to modify the response headers and status code.
Dashboard
USB module has been refactored to improve stability. Also, you may choose the device from multiple USB devices now.
MitM
HTTP and MitM engine has been refactored. Please report if you encounter any issues.
You can now use URL-REGEX rule for MitM connections.
You may use prefix '-' to exclude domains for MitM. Example:
[MITM]
hostname = -*.apple.com, -*.icloud.com, *
The MitM hostname list now supports port numbers. By default only the connections to port 443 will be decrypted. Use suffix :port to enable MitM for other ports. Use suffix :0 to enable MitM for all ports on the hostname.
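To review which connections a given hostname list would decrypt, the exclusion prefix and port suffix rules above can be modelled as follows. This is an added example, not Surge's own matcher; it assumes glob-style `*` matching, that an exclusion takes precedence over any inclusion, and that exclusions follow the same port rules as inclusions.

```python
from fnmatch import fnmatchcase

def parse_mitm_hostnames(value):
    """Parse the value of 'hostname =' into (exclude, pattern, port) tuples."""
    entries = []
    for raw in value.split(","):
        item = raw.strip().lower()
        if not item:
            continue
        exclude = item.startswith("-")   # '-' prefix excludes the domain
        if exclude:
            item = item[1:]
        host, sep, port = item.rpartition(":")
        if sep and port.isdigit():
            entries.append((exclude, host, int(port)))  # ':0' means all ports
        else:
            entries.append((exclude, item, 443))        # default: port 443 only
    return entries

def _hit(pattern, port_rule, host, port):
    return fnmatchcase(host, pattern) and port_rule in (0, port)

def would_decrypt(entries, host, port=443):
    """True if a connection to host:port falls inside the MitM scope."""
    host = host.lower()
    if any(ex and _hit(pat, pr, host, port) for ex, pat, pr in entries):
        return False  # assumption: exclusions win over inclusions
    return any(not ex and _hit(pat, pr, host, port) for ex, pat, pr in entries)

def audit(value, flows):
    """Return the (host, port) flows that the hostname list would decrypt."""
    entries = parse_mitm_hostnames(value)
    return [(h, p) for h, p in flows if would_decrypt(entries, h, p)]

if __name__ == "__main__":
    # Constructed flows checked against the example list from the release notes.
    flows = [("www.apple.com", 443), ("example.org", 443), ("example.org", 8443)]
    print(audit("-*.apple.com, -*.icloud.com, *", flows))
```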
URL rewrite type 'header' is now available for MitM connections. You may also use it to rewrite a plain HTTP request to an HTTPS request.
Misc
You can now enable/disable a rule.
Added a small indicator in the menu icon for Metered Network Mode.
Added main switches for rewrite and scripting.
Supports TCP SACKs for Surge VIF.
New general option: force-http-engine-hosts. You can force Surge to treat a raw TCP connection as an HTTP connection, to enable high-level functions such as URL-REGEX rules, rewrite and scripting. This option uses the same format as [MITM] hostname option.
New option for url-test/fallback group: evaluate-before-use. By default, requests made before a connection evaluation use the first policy in the list and trigger the evaluation. Enable the option to delay the requests until the evaluation has completed.
CPU usage optimizations (50% reduced for high throughput).
Enabled Hardened Runtime to get enhanced security protections in macOS Mojave.
Added more notes for the rule evaluation stage.
WeChat.app may flood ping when network is unstable, which causes a high CPU usage of Surge. We added a mechanism to limit ICMP throughput in this version.
Surge will automatically track system proxy settings now. When Surge is no longer the default proxy, the status icon will turn grey and a notification will be raised.
Notifications presented by Surge will be removed from Notification Center automatically.
The interval between attempts to refresh a managed config changes from one minute to one hour. (After the config has expired)
Supports new encryption methods for shadowsocks-libev 3.0.
Optimized Dashboard performance.
Supports TCP Fast Open for shadowsocks proxy. You need to add the "tfo=true" flag in the [Proxy] section to enable the feature. You may use benchmark to confirm TFO is working.
You can sort benchmark results now.
You may choose to reload config after managed config updated.