Skip to content

Concepts

Server modes

UA3F uses server modes to decide how traffic enters the rewrite pipeline.

ModeHow it worksTypical use
HTTPHTTP proxyApplications explicitly configured with an HTTP proxy
SOCKS5SOCKS5 proxyClash, browsers, or proxy chains
TPROXYnetfilter TPROXYLinux/OpenWrt transparent proxy while preserving original destinations
REDIRECTnetfilter REDIRECTLinux/OpenWrt transparent proxy with simpler routing
NFQUEUEnetfilter NFQUEUENetwork-layer queue processing for UA2F-like scenarios

Rewrite modes

ModeBehavior
GLOBALRewrite User-Agent for all requests
DIRECTForward traffic without rewriting
RULEMatch header-rewrite, body-rewrite, and url-redirect rules

Most production configurations should use RULE, because it lets you treat specific domains, headers, ports, or URLs differently.

Rule matching

Rules are evaluated from top to bottom. After a match, evaluation stops by default. Set continue: true to continue evaluating later rules.

Common match types:

TypeDescription
DOMAIN / DOMAIN-SUFFIX / DOMAIN-KEYWORDMatch the destination domain
DOMAIN-SETMatch a domain set
IP-CIDR / SRC-IPMatch destination or source IP
DEST-PORTMatch destination port
HEADER-KEYWORD / HEADER-REGEXMatch request headers
URL-REGEXMatch the full URL with a regular expression
FINALFallback rule

Rule actions

ActionDescription
DIRECTPass through without rewriting
REPLACEReplace a header value
REPLACE-REGEXReplace only the regular-expression match
ADDAdd a header
DELETEDelete a header
REJECTReject the request
DROPDrop the request
REDIRECT-302 / REDIRECT-307Return an HTTP redirect
REDIRECT-HEADERRewrite request headers to redirect transparently

HTTPS MitM

Plain proxying can only inspect HTTP. To rewrite HTTPS headers or bodies, enable mitm for selected hostnames and make clients trust the CA used by UA3F.

Keep the hostname list narrow so the trusted CA is only used where rewriting is required.

Released under the GPL-3.0 license.