Skip to content

Configuration

UA3F supports YAML configuration files, environment variables, and command-line flags. Configuration is merged with this priority:

text
defaults < YAML file < environment variables < command-line flags

When the same option is set in multiple places, the higher-priority source wins. A practical setup is to keep stable settings in YAML, deployment-specific settings in environment variables, and temporary debugging changes in command-line flags.

Usage

Start with a configuration file:

sh
ua3f -c /path/to/config.yaml

Generate a template configuration:

sh
ua3f -g

Override with environment variables:

sh
UA3F_SERVER_MODE=SOCKS5 UA3F_PORT=1080 ua3f

Override with command-line flags:

sh
ua3f --mode SOCKS5 --bind 127.0.0.1 --port 1080 --ua FFF

Basic service

Basic service options control UA3F's server mode, listen address, port, and log level.

yaml
server-mode: SOCKS5
bind-address: 127.0.0.1
port: 1080
log-level: info
include-lan-routes: false
FeatureYAMLCLI flagEnvironment variableDefault
Config file path--c, --config--
Server modeserver-mode-m, --modeUA3F_SERVER_MODESOCKS5
Listen addressbind-address-b, --bindUA3F_BIND_ADDRESS127.0.0.1
Listen portport-p, --portUA3F_PORT1080
Log levellog-level-l, --log-levelUA3F_LOG_LEVELinfo
Include LAN routesinclude-lan-routes--include-lan-routesUA3F_INCLUDE_LAN_ROUTESfalse
Show version--v, --version--
Generate template config--g, --generate-config--

server-mode accepts HTTP, SOCKS5, TPROXY, REDIRECT, and NFQUEUE.

HTTP rewrite

HTTP rewrite options control global User-Agent replacement and rewrite mode.

yaml
rewrite-mode: GLOBAL
user-agent: "FFF"
user-agent-regex: ""
user-agent-partial-replace: false
FeatureYAMLCLI flagEnvironment variableDefault
Rewrite moderewrite-mode-x, --rewrite-modeUA3F_REWRITE_MODEGLOBAL
User-Agent valueuser-agent-f, --uaUA3F_PAYLOAD_UAFFF
User-Agent regexuser-agent-regex-r, --ua-regexUA3F_UA_REGEXempty
Partial regex replacementuser-agent-partial-replace-s, --partialUA3F_PARTIAL_REPLACEfalse

rewrite-mode accepts GLOBAL, DIRECT, and RULE. See HTTP Rewrite for mode behavior.

Rewrite rules

Rule configuration is used only when rewrite-mode: RULE is enabled. YAML is better for maintained configs; CLI flags and environment variables accept JSON strings for automation.

yaml
rewrite-mode: RULE

header-rewrite:
  - type: DOMAIN-SUFFIX
    match-value: "example.com"
    action: REPLACE
    rewrite-direction: REQUEST
    rewrite-header: "User-Agent"
    rewrite-value: "FFF"

body-rewrite:
  - type: URL-REGEX
    match-value: "^http://example.com"
    action: REPLACE-REGEX
    rewrite-direction: RESPONSE
    rewrite-regex: "OldString"
    rewrite-value: "NewString"

url-redirect:
  - type: URL-REGEX
    match-value: "^http://example.com/old"
    action: REDIRECT-302
    rewrite-regex: "^http://example.com/old(.*)"
    rewrite-value: "http://example.com/new$1"
FeatureYAMLCLI flagEnvironment variable
Header rewrite rulesheader-rewrite--header-rewriteUA3F_HEADER_REWRITE
Body rewrite rulesbody-rewrite--body-rewriteUA3F_BODY_REWRITE
URL redirect rulesurl-redirect--url-redirectUA3F_URL_REDIRECT

CLI JSON example:

sh
ua3f --rewrite-mode RULE \
  --header-rewrite '[{"type":"FINAL","action":"REPLACE","rewrite_header":"User-Agent","rewrite_value":"FFF"}]'

See Match Rules and Rewrite Actions for rule fields, match types, and actions.

API server

The API server provides runtime status, logs, and configuration reload endpoints.

yaml
api-server: "127.0.0.1:9000"
api-server-secret: "change-me"
FeatureYAMLCLI flagEnvironment variableDefault
API listen addressapi-server--api-serverUA3F_API_SERVERempty, disabled
API auth secretapi-server-secret--api-server-secretUA3F_API_SERVER_SECRETempty, no auth

When api-server-secret is set, pass it as a Bearer token:

sh
curl -H "Authorization: Bearer change-me" http://127.0.0.1:9000/version

L3 rewrite

L3 rewrite adjusts network-layer characteristics such as TTL, IPID, TCP Timestamp, TCP Initial Window, and QUIC blocking. Prefer the l3-rewrite block. Top-level ttl, ipid, tcp_timestamp, and tcp_initial_window remain supported and are merged with l3-rewrite.

yaml
l3-rewrite:
  ttl: true
  ipid: true
  tcpts: true
  tcpwin: true
  block-quic: true
  bpf-offload: true
FeaturePreferred YAMLCompatible YAMLCLI flagEnvironment variableDefault
TTL rewritel3-rewrite.ttlttl--ttl, --l3-rewrite-ttlUA3F_L3_REWRITE_TTL, UA3F_TTLfalse
IPID rewritel3-rewrite.ipidipid--ipid, --l3-rewrite-ipidUA3F_L3_REWRITE_IPID, UA3F_IPIDfalse
Delete TCP Timestampl3-rewrite.tcptstcp_timestamp--tcpts, --l3-rewrite-tcptsUA3F_L3_REWRITE_TCPTS, UA3F_TCPTSfalse
TCP Initial Window rewritel3-rewrite.tcpwintcp_initial_window--tcpwin, --l3-rewrite-tcpwinUA3F_L3_REWRITE_TCPWIN, UA3F_TCP_INIT_WINDOWfalse
QUIC blockingl3-rewrite.block-quic---block-quicUA3F_L3_REWRITE_BLOCK_QUICfalse
L3 eBPF accelerationl3-rewrite.bpf-offload---l3-rewrite-bpf-offloadUA3F_L3_REWRITE_BPF_OFFLOADfalse

L3 eBPF acceleration requires Linux kernel >= 5.15. See L3 Rewrite and eBPF Acceleration.

Desync

Desync enables TCP segment reordering and TCP obfuscation injection.

yaml
desync:
  reorder: false
  reorder-bytes: 8
  reorder-packets: 1500
  inject: false
  inject-ttl: 3
  desync-ports: ""
FeatureYAMLCLI flagEnvironment variableDefault
TCP segment reorderingdesync.reorder--desync-reorderUA3F_DESYNC_REORDERfalse
Reordered segment bytesdesync.reorder-bytes--desync-reorder-bytesUA3F_DESYNC_REORDER_BYTES8
Reordered packet sizedesync.reorder-packets--desync-reorder-packetsUA3F_DESYNC_REORDER_PACKETS1500
TCP obfuscation injectiondesync.inject--desync-injectUA3F_DESYNC_INJECTfalse
Injected packet TTLdesync.inject-ttl--desync-inject-ttlUA3F_DESYNC_INJECT_TTL3
Effective portsdesync.desync-ports--desync-portsUA3F_DESYNC_PORTSempty

See Desync.

MitM

MitM decrypts selected HTTPS hostnames so HTTP rewrite rules can operate on them. Enable it only for trusted targets that need HTTPS rewriting. Clients must trust the CA used by UA3F.

yaml
mitm:
  enabled: false
  hostname: "*.httpbin.com, example.com:8000"
  ca-p12: ""
  ca-p12-base64: ""
  ca-passphrase: ""
  insecure-skip-verify: false
FeatureYAMLCLI flagEnvironment variableDefault
Enable MitMmitm.enabled--mitmUA3F_MITM_ENABLEDfalse
Target hostnamesmitm.hostname--mitm-hostnameUA3F_MITM_HOSTNAMEempty
PKCS#12 CA filemitm.ca-p12--mitm-ca-p12UA3F_MITM_CA_P12empty
Base64 PKCS#12 CAmitm.ca-p12-base64--mitm-ca-p12-base64UA3F_MITM_CA_P12_BASE64empty
CA passphrasemitm.ca-passphrase--mitm-ca-passphraseUA3F_MITM_CA_PASSPHRASEempty
Skip upstream certificate verificationmitm.insecure-skip-verify--mitm-insecure-skip-verifyUA3F_MITM_INSECURE_SKIP_VERIFYfalse

See HTTPS MitM.

Generic BPF offload

UA3F also keeps a top-level BPF offload switch:

yaml
bpf-offload: false
FeatureYAMLCLI flagEnvironment variableDefault
Generic BPF offloadbpf-offload--bpf-offloadUA3F_BPF_OFFLOADfalse

For L3 rewrite, prefer l3-rewrite.bpf-offload.

Released under the GPL-3.0 license.