
ACL, often used in combination with outbounds, is a very powerful feature of the Hysteria server that allows you to customize the way clients' requests are handled. For example, you can use ACL to block certain addresses, or to use different outbounds for different websites.


A valid ACL rule must be in one of the following formats:

  • outbound(address)
  • outbound(address, proto/port)
  • outbound(address, proto/port, hijack_address)
  • # This is a comment

Address types

The address field can be one of the following:

  • A single IPv4/IPv6 address, e.g. or 2606:4700:4700::1111
  • An IPv4/IPv6 CIDR, e.g. or 2001:db8::/32
  • A domain name, e.g. (does not include subdomains)
  • A domain name with wildcard, e.g. * or *.google.*
  • A domain suffix, e.g. (matches and all its subdomains)
  • GeoIP country code, e.g. geoip:cn or geoip:us
  • GeoSite category, e.g. geosite:netflix or geosite:google (supports attributes, e.g. geosite:google@cn)
  • all - match all addresses. Usually placed at the end as the default rule for everything else.

To see what's available as GeoSite categories, check here:

Protocol/port

  • tcp or tcp/* - match all TCP ports
  • udp or udp/* - match all UDP ports
  • tcp/80 - match TCP port 80
  • udp/53 - match UDP port 53
  • udp/20000-30000 - match UDP ports 20000 to 30000
  • */443 - match TCP and UDP port 443
  • *, */* or omitted - match both protocols and all ports

Hijack address

When specified, the connection matching this rule will be hijacked to the specified address. The hijack address must be an IPv4/IPv6 address, not a domain name.

Matching behavior

Domain and IP matching

When handling domain-based requests, Hysteria first resolves the domain and then attempts to match against both domain and IP rules. This means that a rule based on an IP address will apply to all connections that ultimately lead to that IP, regardless of whether the client request used an IP address or a domain name.

Rule order

The rules are guaranteed to be matched in a top-to-bottom order. The first rule that matches the request will be used. If no rule matches, the default outbound (the first one in the outbounds list) will be used.

Built-in outbounds

Unless explicitly overridden in the outbounds list, Hysteria comes with the following built-in outbounds:

  • direct - direct outbound using default configuration (auto, no bind)
  • reject - reject the connection
  • default - use the first outbound in the outbounds list; if the list is empty, equivalent to direct


Assume the following outbounds list:

outbounds:
  - name: v4_only
    type: direct
    direct:
      mode: 4
  - name: v6_only
    type: direct
    direct:
      mode: 6
  - name: some_proxy
    type: socks5

# Use the v6_only outbound for Google

# Use the v4_only outbound for Twitter

# Use the some_proxy outbound for

# Non-English IDN domains are also supported

# Block QUIC protocol
reject(all, udp/443)

# Block SMTP protocol
reject(all, tcp/25)

# Block China and North Korea

# Block Facebook and Google Ads

# Block some random ranges

# Hijack to and use default (first) outbound
default(, *,

# Hijack to and use default (first) outbound, but UDP 53 only
default(, udp/53,

# Direct all other connections

NOTE: ACL is fully usable without custom outbounds. The built-in outbounds are always available, even if you have an empty outbound list. In fact, one of the most common uses of ACL is just to block some addresses: