ACL, often used in combination with outbounds, is a very powerful feature of the Hysteria server that lets you customize how clients' requests are handled. For example, you can use ACL to block certain addresses, or to use different outbounds for different websites.
A valid ACL rule must be in one of the following formats:
outbound(address, proto/port, hijack_address)
# This is a comment
The address field can be one of the following:
- A single IPv4/IPv6 address, e.g.
- An IPv4/IPv6 CIDR, e.g.
- A domain name, e.g. example.com (does not include subdomains)
- A domain name with wildcard, e.g.
- A domain suffix (matches e.g. example.com and all its subdomains)
- GeoIP country code, e.g.
- GeoSite category, e.g. geosite:google (supports attributes)
- all - match all addresses. Usually placed at the end as the default rule for everything else.
To see what's available as GeoSite categories, check here:
The proto/port field can be one of the following:
- tcp/* - match all TCP ports
- udp/* - match all UDP ports
- tcp/80 - match TCP port 80
- udp/53 - match UDP port 53
- */443 - match TCP and UDP port 443
- */* or omitted - match both protocols and all ports
The hijack_address field is optional. When specified, the connection matching this rule will be hijacked to the specified address. The hijack address must be an IPv4/IPv6 address, not a domain name.
Domain and IP matching
When handling domain-based requests, Hysteria first resolves the domain and then attempts to match against both domain and IP rules. This means that a rule based on an IP address will apply to all connections that ultimately lead to that IP, regardless of whether the client request used an IP address or a domain name.
The rules are guaranteed to be matched in a top-to-bottom order. The first rule that matches the request will be used. If no rule matches, the default outbound (the first one in the outbounds list) will be used.
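As an added illustration (not Hysteria's own code), the following Python evaluator parses rules in the format above and applies the first-match semantics just described, including the point that an IP-based rule also matches domain requests that resolve to that IP. It assumes plain glob semantics for wildcard domains, takes the resolved IPs as an argument instead of doing DNS, and does not implement GeoIP/GeoSite lookups; the sample ACL and addresses are constructed.

```python
import fnmatch
import ipaddress

def parse_acl(text):
    """Parse ACL text into (outbound, address, proto, port, hijack) tuples, in file order."""
    rules = []
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        name, sep, rest = line.partition("(")
        if not sep or not rest.endswith(")"):
            raise ValueError(f"malformed ACL rule: {line!r}")
        fields = [f.strip() for f in rest[:-1].split(",")]
        fields += [None] * (3 - len(fields))  # pad the optional proto/port and hijack_address
        proto, _, port = (fields[1] or "*/*").partition("/")  # omitted or bare "*" means all
        if fields[2] is not None:
            ipaddress.ip_address(fields[2])  # hijack target must be an IP literal, not a domain
        rules.append((name.strip(), fields[0], proto, port or "*", fields[2]))
    return rules

def match_address(pattern, host, ips):
    """Match one address pattern against the requested host and the IPs it resolves to."""
    if pattern == "all":
        return True
    if pattern.startswith(("geoip:", "geosite:")):
        return False  # needs the GeoIP/GeoSite databases; not modelled here (assumption)
    if pattern.startswith("suffix:"):
        suffix = pattern[len("suffix:"):]
        return host == suffix or host.endswith("." + suffix)
    if "/" in pattern:  # CIDR: applies whether the client sent an IP or a domain name
        return any(ip in ipaddress.ip_network(pattern, strict=False) for ip in ips)
    try:
        return ipaddress.ip_address(pattern) in ips  # single IP address
    except ValueError:
        return fnmatch.fnmatchcase(host, pattern)  # exact domain or wildcard domain (glob)

def evaluate(rules, host, resolved_ips, proto, port):
    """First matching rule, top to bottom, wins; no match falls through to the default outbound."""
    ips = [ipaddress.ip_address(i) for i in resolved_ips]
    for outbound, addr, rp, rport, hijack in rules:
        if rp in ("*", proto) and rport in ("*", str(port)) and match_address(addr, host.lower(), ips):
            return outbound, hijack
    return "default", None

SAMPLE_ACL = """\
v6_only(suffix:google.com)          # google.com and its subdomains
some_proxy(ipinfo.io)               # exact domain, no subdomains
reject(all, udp/443)                # block QUIC
reject(10.0.0.0/8)                  # constructed private range
default(192.0.2.10, *, 192.0.2.20)  # hijack (constructed TEST-NET-1 addresses)
direct(all)
"""
```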
Unless explicitly overridden in the outbounds list, Hysteria comes with the following built-in outbounds:
- direct - direct outbound using default configuration (auto, no bind)
- reject - reject the connection
- default - use the first outbound in the outbounds list; if the list is empty, equivalent to
Assume the following outbounds list:
# Use the v6_only outbound for Google
v6_only(suffix:google.com)
# Use the v4_only outbound for Twitter
v4_only(suffix:twitter.com)
# Use the some_proxy outbound for ipinfo.io
some_proxy(ipinfo.io)
# Non-English IDN domains are also supported
v6_only(战狼*.中国)
# Block QUIC protocol
reject(all, udp/443)
# Block SMTP protocol
reject(all, tcp/25)
# Block China and North Korea
reject(geoip:cn)
reject(geoip:kp)
# Block Facebook and Google Ads
reject(geosite:facebook)
reject(geosite:google@ads)
# Block some random ranges
reject(18.104.22.168/8)
reject(2601::/20)
# Hijack 22.214.171.124 to 126.96.36.199 and use default (first) outbound
default(188.8.131.52, *, 184.108.40.206)
# Hijack 220.127.116.11 to 18.104.22.168 and use default (first) outbound, but UDP 53 only
default(22.214.171.124, udp/53, 126.96.36.199)
# Direct all other connections
direct(all)
NOTE: ACL is fully usable without custom outbounds. The built-in outbounds are always available, even if you have an empty outbound list. In fact, one of the most common uses of ACL is just to block some addresses: