Concepts
Server modes
UA3F uses server modes to decide how traffic enters the rewrite pipeline.
| Mode | How it works | Typical use |
|---|---|---|
HTTP | HTTP proxy | Applications explicitly configured with an HTTP proxy |
SOCKS5 | SOCKS5 proxy | Clash, browsers, or proxy chains |
TPROXY | netfilter TPROXY | Linux/OpenWrt transparent proxy while preserving original destinations |
REDIRECT | netfilter REDIRECT | Linux/OpenWrt transparent proxy with simpler routing |
NFQUEUE | netfilter NFQUEUE | Network-layer queue processing for UA2F-like scenarios |
Rewrite modes
| Mode | Behavior |
|---|---|
GLOBAL | Rewrite User-Agent for all requests |
DIRECT | Forward traffic without rewriting |
RULE | Match header-rewrite, body-rewrite, and url-redirect rules |
Most production configurations should use RULE, because it lets you treat specific domains, headers, ports, or URLs differently.
Rule matching
Rules are evaluated from top to bottom. After a match, evaluation stops by default. Set continue: true to continue evaluating later rules.
Common match types:
| Type | Description |
|---|---|
DOMAIN / DOMAIN-SUFFIX / DOMAIN-KEYWORD | Match the destination domain |
DOMAIN-SET | Match a domain set |
IP-CIDR / SRC-IP | Match destination or source IP |
DEST-PORT | Match destination port |
HEADER-KEYWORD / HEADER-REGEX | Match request headers |
URL-REGEX | Match the full URL with a regular expression |
FINAL | Fallback rule |
Rule actions
| Action | Description |
|---|---|
DIRECT | Pass through without rewriting |
REPLACE | Replace a header value |
REPLACE-REGEX | Replace only the regular-expression match |
ADD | Add a header |
DELETE | Delete a header |
REJECT | Reject the request |
DROP | Drop the request |
REDIRECT-302 / REDIRECT-307 | Return an HTTP redirect |
REDIRECT-HEADER | Rewrite request headers to redirect transparently |
HTTPS MitM
Plain proxying can only inspect HTTP. To rewrite HTTPS headers or bodies, enable mitm for selected hostnames and make clients trust the CA used by UA3F.
Keep the hostname list narrow so the trusted CA is only used where rewriting is required.
