SurgeTeam @TPCTPCTPC Thank you for the insult, but it's all done. I did private research; it's all achieved and integrated.
I had to use other software by combining NEXTDNS CLI, SSL ENFORCER and ProxyCap (which uses lo0) with Surge (acting as the filter without activating Enhanced Mode & System Proxy) so that all the browsers listen to Surge while ProxyCap handles the simple hostnames that bypass the Surge proxy service. ProxyCap uses a KEXT itself and serves as the Enhanced Mode for Surge by adding a redirect rule to ProxyCap: "all programs" on "all ports" and "hostnames" on :80 and :443 go through 127.0.0.1:6152 and 127.0.0.1:6153 respectively. By doing this, ProxyCap hooks all the sockets and traffic and pushes them to Surge.
I enabled TLS 1.3 on my mac by following the steps below:
⁃ Type sudo su - root to become a root user
⁃ Type defaults write /Library/Preferences/com.apple.networkd tcp_connect_enable_tls13 1
⁃ Restart macOS
In SSL ENFORCER, I selected only TLS 1.2 and TLS 1.3 and unchecked the other SSL and TLS versions; I allowed all cipher suites and included monitoring SSL on all ports, but I added the following exclusions:
For Processes: bypass
For hostnames: bypass
NEXTDNS CLI adds loopback 127.0.0.1 to Host, which is then proxied by ProxyCap automatically via my SSH tunnels.
In the Surge config file, I added:
dns-server = 127.0.0.1
hijack-dns = *:53
encrypted-dns-follow-outbound-mode = true
encrypted-dns-skip-cert-verification = false
encrypted-dns-server = https://dns.nextdns.io/bhb82e/dns-query
socks5-listen = 127.0.0.1:6153, 127.0.0.1:6155
http-listen = 127.0.0.1:6152, 127.0.0.1:6154
MainProxy = socks5, 18.104.22.168, 1080, username=?????, password=?????, interface=lo0, allow-other-interface=false, ip-version=v4-only
Proxycap Interface = direct, interface=lo0, allow-other-interface=false, ip-version=v4-only
Among several rules, I added (just to explain):
IN-PORT,6152, Proxycap Interface
IN-PORT,6153, Proxycap Interface
Then SSL Enforcer encrypts all traffic at the system level, including WebKit/Safari (no more mixed content: all unsecured content is blocked or forcefully upgraded to HTTPS), while Surge then decrypts everything on port 80 so that OCSP requests and certificate signing succeed without an invalid certificate chain.
- macOS does not provide an option to force Safari/WebKit to make connections using only TLS 1.2 and TLS 1.3, which I have now achieved with this set-up (see pictures).
- With NEXTDNS CLI, I do not have to skip certificate verification, which is very secure.
- I was able to achieve UDP relay with this configuration for a proxy that does not support UDP.
- I was able to tunnel some browsers and applications to use "Proxycap Interface" by listening to Surge on :6152 and :6153, while those on :6155 and :6154 use MainProxy.
- Surge sees the proxy IP address connected on ProxyCap as the EXTERNAL IP.
- Surge no longer has a direct connection with the Wi-Fi interface (en0), which I verified by monitoring the traffic statistics in Surge for 3 days and by using the following URLs to track at intervals:
- Lastly, Surge now gets internet access from lo0, which is the ProxyCap interface, while the Proxycap Interface uses the Wi-Fi (en0). And I'm happy I got this right.
It's a complex set-up, but:
"If you can think it, you can achieve it"
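As an added example (not part of the post above and not Surge's own code), a small Python checker that parses a Surge-style config in the layout quoted in the post and flags the settings this setup depends on: a listener bound to anything other than 127.0.0.1, certificate verification for encrypted DNS switched off, a non-HTTPS DoH server, and an IN-PORT rule pointing at a proxy that is not defined. The parser is an assumption written for this example; the sample config reuses the post's values and adds two deliberate defects to show findings.

```python
# Constructed sample in the layout of the config quoted in the post; 0.0.0.0:6154 and the last rule are deliberate defects.
SAMPLE_CONFIG = """\
[General]
hijack-dns = *:53
encrypted-dns-skip-cert-verification = false
encrypted-dns-server = https://dns.nextdns.io/bhb82e/dns-query
socks5-listen = 127.0.0.1:6153, 127.0.0.1:6155
http-listen = 127.0.0.1:6152, 0.0.0.0:6154
[Proxy]
MainProxy = socks5, 18.104.22.168, 1080, username=?????, password=?????, interface=lo0
Proxycap Interface = direct, interface=lo0, allow-other-interface=false
[Rule]
IN-PORT,6152,Proxycap Interface
IN-PORT,6153,Proxycap Interface
IN-PORT,6156,Missing Proxy
"""

def parse_surge(text):
    """Split a Surge-style config into {section: {key: value}}, with [Rule] kept as a list of fields."""
    cfg, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            cfg[section] = [] if section == "Rule" else {}
        elif section == "Rule":
            cfg["Rule"].append([p.strip() for p in line.split(",")])
        elif section is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))  # first '=' only: proxy lines contain more
            cfg[section][key] = value
    return cfg

def audit_surge(cfg):
    """Return findings for the security-relevant settings the post relies on."""
    general, proxies, findings = cfg.get("General", {}), cfg.get("Proxy", {}), []
    for key in ("http-listen", "socks5-listen"):
        for addr in filter(None, (a.strip() for a in general.get(key, "").split(","))):
            host = addr.rpartition(":")[0]
            if host != "127.0.0.1":  # anything else exposes the listener beyond lo0
                findings.append(f"{key} binds {addr}, not loopback")
    if general.get("encrypted-dns-skip-cert-verification", "false").lower() != "false":
        findings.append("encrypted-dns-skip-cert-verification is enabled")
    if not general.get("encrypted-dns-server", "").startswith("https://"):
        findings.append("encrypted-dns-server is not an https:// DoH URL")
    for rule in cfg.get("Rule", []):
        if rule[0] == "IN-PORT" and len(rule) >= 3 and rule[2] not in proxies:
            findings.append(f"IN-PORT {rule[1]} targets undefined proxy {rule[2]!r}")
    return findings
```

Running `audit_surge(parse_surge(SAMPLE_CONFIG))` reports the non-loopback http-listen and the IN-PORT rule with no matching proxy, and nothing for the settings the post keeps as quoted.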