1 Why hand-written rules do not scale
Rule-based proxies such as Mihomo and Clash Premium decide where each connection goes by walking an ordered list of match expressions. When that list only contains a dozen lines you wrote yourself, maintenance feels easy. The moment you try to cover major streaming platforms, multinational CDNs, mobile ad networks, and ever-shifting tracker domains, the same list explodes into thousands of lines that rot within weeks. Copying random snippets from forums without a refresh strategy is even worse: stale domains send traffic down the wrong path, break TLS handshakes, or leak DNS queries outside your tunnel.
Rule providers solve the operational side of that problem. Instead of pasting giant rule blocks into your main configuration file, you declare small remote sources that the core downloads on a schedule, stores locally, and expands at runtime. The ACL4SSR project on GitHub is one of the longest-running community collections aimed at Chinese-network scenarios, but its Clash fragments are useful anywhere you want opinionated splits between domestic CDNs, foreign media, and aggressive advertisement domains. This guide shows how to subscribe to those fragments with rule-providers, wire them into proxy-groups, and keep Netflix and Disney+ traffic on a clean outbound while optional BanAD lists strip common trackers—without pretending that rules alone can fix licensing or billing restrictions on the streaming side.
Nothing here replaces your subscription nodes, legal obligations, or provider terms of service. ACL4SSR is a third-party rule collection; you should audit URLs before deployment and snapshot working revisions if you run unattended servers. The YAML below targets cores that understand Mihomo/Clash.Meta rule-provider syntax. Desktop users can paste the same structure into Clash Verge Rev or similar clients; only the file path and UI import flow change.
2 How ACL4SSR maps to Clash primitives
ACL4SSR publishes machine-readable YAML files under its Clash/Providers tree. Files such as BanAD.yaml and BanProgramAD.yaml bundle classical rules that resolve to REJECT policies when referenced with RULE-SET. Streaming-oriented fragments like Providers/Ruleset/Netflix.yaml and Providers/Ruleset/DisneyPlus.yaml enumerate domains and keywords those platforms use for playback and telemetry. Broader buckets such as ProxyMedia.yaml group additional foreign media properties so you do not have to import every service one by one during early tuning.
Classical YAML providers wrap their payload under a top-level payload key. Mihomo expects you to fetch them with type: http, mark behavior: classical, and set format: yaml so the downloader knows how to parse the file. The interval field controls how often the client re-fetches each list; 86400 seconds (one day) matches most community guidance, though lab environments can shorten it while debugging. Local path values cache the download next to your configuration directory, which keeps startups fast and preserves last-known-good copies when GitHub throttles raw requests.
Streaming unlock is a two-layer problem. Rules only ensure that Netflix or Disney+ hostnames traverse the proxy interface you select. The exit node must still satisfy the service’s region and fraud checks, and your DNS strategy must not return poisoned answers that send the app to a CDN edge in the wrong country. If you skip DNS alignment, you can observe the classic symptom: the browser loads the marketing page, yet the player fails with obscure DRM or geolocation errors even though the rule list is perfect.
3 Prerequisites and safety checks
Before editing configuration, confirm the client core supports remote rule providers and RULE-SET rules. Mihomo 1.18.x and current Clash Verge Rev builds satisfy that requirement. Set mode: rule in the root of your YAML; global mode bypasses the fine-grained logic you are about to add. Ensure you already have at least one working outbound in the proxies section or through proxy-providers; otherwise the new groups reference names that point nowhere. If you still need to convert a non-Clash subscription into YAML first, skim the tooling section on our Clash documentation page before returning here.
Decide whether you want hard advertisement blocking. BanAD lists are convenient, but they can interfere with partner links, in-app purchase flows, or obscure SaaS dashboards that reuse advertising domains. Many households keep BanAD enabled on laptops while leaving set-top boxes on a lighter profile. You can always comment out the RULE-SET lines tied to BanAD if a specific application misbehaves, then reload the daemon.
Downloaded rule files may contain comments in Chinese because the upstream repository annotates each fragment. Those comments do not affect parsing; they simply document the maintainer’s intent. Keep UTF-8 encoding when saving your master YAML, especially on Windows editors that default to legacy code pages.
4 Declare ACL4SSR rule providers
The following block wires five HTTP providers: two advertisement lists, two streaming-specific lists, and the bundled foreign media list. URLs point to the master branch on GitHub; if you need immutability, pin a commit hash in the URL instead of master. Adjust path locations to match your folder layout; Mihomo creates missing parent directories in many builds, but verifying disk permissions avoids silent failures on hardened servers.
rule-providers:
  acl4ssr-banad:
    type: http
    behavior: classical
    format: yaml
    url: "https://raw.githubusercontent.com/ACL4SSR/ACL4SSR/master/Clash/Providers/BanAD.yaml"
    path: ./ruleset/acl4ssr-banad.yaml
    interval: 86400
  acl4ssr-banprogramad:
    type: http
    behavior: classical
    format: yaml
    url: "https://raw.githubusercontent.com/ACL4SSR/ACL4SSR/master/Clash/Providers/BanProgramAD.yaml"
    path: ./ruleset/acl4ssr-banprogramad.yaml
    interval: 86400
  acl4ssr-netflix:
    type: http
    behavior: classical
    format: yaml
    url: "https://raw.githubusercontent.com/ACL4SSR/ACL4SSR/master/Clash/Providers/Ruleset/Netflix.yaml"
    path: ./ruleset/acl4ssr-netflix.yaml
    interval: 86400
  acl4ssr-disneyplus:
    type: http
    behavior: classical
    format: yaml
    url: "https://raw.githubusercontent.com/ACL4SSR/ACL4SSR/master/Clash/Providers/Ruleset/DisneyPlus.yaml"
    path: ./ruleset/acl4ssr-disneyplus.yaml
    interval: 86400
  acl4ssr-proxymedia:
    type: http
    behavior: classical
    format: yaml
    url: "https://raw.githubusercontent.com/ACL4SSR/ACL4SSR/master/Clash/Providers/ProxyMedia.yaml"
    path: ./ruleset/acl4ssr-proxymedia.yaml
    interval: 86400
Replace master with a specific commit SHA in each url after you test that snapshot. You trade automatic freshness for deterministic deployments, which is often the right call when you manage many identical nodes.
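One way to audit provider URLs before deployment, as an added Python example that is not part of Mihomo or ACL4SSR: it flags any raw.githubusercontent.com URL whose ref is a branch name rather than a full commit SHA, and compares a cached list against a digest recorded when the snapshot was tested. The function names, the sample config, the 40-character SHA and the payload bytes are all constructed placeholders.

```python
import hashlib
import re

# raw.githubusercontent.com/<owner>/<repo>/<ref>/<path>
RAW_URL = re.compile(
    r'url:\s*"?(https?)://raw\.githubusercontent\.com/'
    r'([^/\s"]+)/([^/\s"]+)/([^/\s"]+)/([^\s"]+)'
)
FULL_SHA = re.compile(r"[0-9a-f]{40}")

# Constructed config: the second URL uses a placeholder SHA, not a real ACL4SSR commit.
SAMPLE_CONFIG = """
rule-providers:
  acl4ssr-banad:
    url: "https://raw.githubusercontent.com/ACL4SSR/ACL4SSR/master/Clash/Providers/BanAD.yaml"
  acl4ssr-netflix:
    url: "https://raw.githubusercontent.com/ACL4SSR/ACL4SSR/0123456789abcdef0123456789abcdef01234567/Clash/Providers/Ruleset/Netflix.yaml"
"""

def audit_provider_urls(config_text):
    """Return (file path, problem) for every provider URL that is not pinned or not HTTPS."""
    findings = []
    for scheme, _owner, _repo, ref, path in RAW_URL.findall(config_text):
        if scheme != "https":
            findings.append((path, "plain http: list can be altered in transit"))
        if not FULL_SHA.fullmatch(ref):
            findings.append((path, f"ref '{ref}' is mutable; pin a full commit SHA"))
    return findings

def matches_snapshot(data, expected_sha256):
    """True if a cached rule file still equals the revision that was reviewed."""
    return hashlib.sha256(data).hexdigest() == expected_sha256

# Constructed payload standing in for a reviewed download under ./ruleset/.
REVIEWED = b"payload:\n  - DOMAIN-SUFFIX,example.com\n"
REVIEWED_DIGEST = hashlib.sha256(REVIEWED).hexdigest()

if __name__ == "__main__":
    for path, problem in audit_provider_urls(SAMPLE_CONFIG):
        print(f"{path}: {problem}")
    changed = REVIEWED + b"  - DOMAIN-SUFFIX,extra.example\n"
    print("reviewed copy intact:", matches_snapshot(REVIEWED, REVIEWED_DIGEST))
    print("modified copy intact:", matches_snapshot(changed, REVIEWED_DIGEST))
```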
5 Add proxy groups for streaming and defaults
Create a dedicated selector (or url-test) group that contains only the nodes you trust for streaming. Netflix and Disney+ both react poorly to datacenter IPs that hop regions daily, so label a stable residential or specialty line if your provider offers one. A second general group can hold automatic url-test outbounds for daily browsing. Keeping the separation explicit prevents aggressive health checks from bouncing a television session every few minutes.
The sample below assumes you already defined proxies named Node-A and Node-B. Replace those tokens with real names from your subscription. The Streaming group is a select type so you can manually pick the country that matches each service account. The Proxy group remains your everyday catch-all.
proxy-groups:
  - name: Streaming
    type: select
    proxies:
      - Node-A
      - Node-B
      - DIRECT
  - name: Proxy
    type: select
    proxies:
      - Node-A
      - Node-B
      - DIRECT
Advanced readers can swap Streaming to url-test with tuned interval and tolerance values, but remember that automated switching mid-playback may reset DRM sessions. For family setups, manual selection remains the least surprising option.
6 Order the rules section deliberately
Clash evaluates rules from top to bottom and stops at the first match. Advertisement rules should appear before generic proxy rules so marketing domains never waste bandwidth on your paid exit. Streaming-specific RULE-SET entries should come before broad foreign media sets; otherwise ProxyMedia might capture overlapping domains and send them through a different policy than you expect. Always keep a final MATCH line as the safety net.
The snippet below applies BanAD lists with REJECT, routes Netflix and Disney+ through the Streaming group, sends the wider media bundle through the same group for consistency, and falls back to your general Proxy group before GEOIP logic. Tailor the GEOIP line to your region; users outside China may delete GEOIP,CN,DIRECT or replace it with their own split.
rules:
  - RULE-SET,acl4ssr-banad,REJECT
  - RULE-SET,acl4ssr-banprogramad,REJECT
  - RULE-SET,acl4ssr-netflix,Streaming
  - RULE-SET,acl4ssr-disneyplus,Streaming
  - RULE-SET,acl4ssr-proxymedia,Streaming
  - GEOIP,CN,DIRECT
  - MATCH,Proxy
If a specific application misbehaves, comment out the BanAD RULE-SET lines, reload, and capture which domain triggered the block using the client log. Add a higher-priority DOMAIN exception if you need a permanent fix.
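The first-match ordering and the higher-priority DOMAIN exception described in this section, as an added Python simulation that is not Mihomo's matcher or ACL4SSR's data: it shows which rule wins for a hostname under different orderings. The payload entries, the `route` and `payload_match` helpers and the example.* hostnames are constructed; GEOIP is skipped because it needs IP resolution.

```python
# Constructed sample payloads standing in for the downloaded lists.
PROVIDERS = {
    "acl4ssr-banad": ["DOMAIN-KEYWORD,adservice", "DOMAIN-SUFFIX,ads.example.net"],
    "acl4ssr-netflix": ["DOMAIN-SUFFIX,netflix.com", "DOMAIN-SUFFIX,nflxvideo.net"],
    "acl4ssr-proxymedia": ["DOMAIN-KEYWORD,netflix", "DOMAIN-SUFFIX,media.example.org"],
}

# Same ordering as the rules block on this page (shortened to three providers).
PAGE_RULES = [
    "RULE-SET,acl4ssr-banad,REJECT",
    "RULE-SET,acl4ssr-netflix,Streaming",
    "RULE-SET,acl4ssr-proxymedia,Streaming",
    "GEOIP,CN,DIRECT",
    "MATCH,Proxy",
]

def payload_match(entry, host):
    """Match one classical entry (TYPE,value[,policy]) against a hostname."""
    kind, value = entry.split(",")[:2]
    if kind == "DOMAIN":
        return host == value
    if kind == "DOMAIN-SUFFIX":
        return host == value or host.endswith("." + value)
    if kind == "DOMAIN-KEYWORD":
        return value in host
    return False  # GEOIP, IP-CIDR, PROCESS-NAME are out of scope here

def route(rules, host):
    """Return (policy, winning rule): evaluation stops at the first match."""
    for rule in rules:
        parts = rule.split(",")
        if parts[0] == "MATCH":
            return parts[1], rule
        if parts[0] == "RULE-SET":
            if any(payload_match(e, host) for e in PROVIDERS[parts[1]]):
                return parts[2], rule
        elif payload_match(rule, host):
            return parts[2], rule
    return None, None

if __name__ == "__main__":
    print(route(PAGE_RULES, "api.netflix.com"))
    # Variant: the broad media set placed first with a different policy wins.
    misordered = ["RULE-SET,acl4ssr-proxymedia,Proxy"] + PAGE_RULES[1:2] + ["MATCH,Proxy"]
    print(route(misordered, "api.netflix.com"))
    # A BanAD keyword hit on a partner link, then the DOMAIN exception above it.
    print(route(PAGE_RULES, "partner.adservice.example.com"))
    print(route(["DOMAIN,partner.adservice.example.com,Proxy"] + PAGE_RULES,
                "partner.adservice.example.com"))
```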
7 DNS, FakeIP, and streaming reality checks
Streaming services combine TLS SNI inspection on the CDN side with DNS-derived geolocation hints. If your DNS resolver returns answers from an ISP in country A while the TCP flow exits in country B, APIs may downgrade video quality or refuse playback entirely. Align FakeIP or redir-host modes with the rule sets you import, and make sure fallback DNS servers match the privacy profile you want. Our dedicated walkthrough on Mihomo DNS leak prevention expands the moving parts with paste-ready examples.
TUN mode complicates the picture slightly because it intercepts system-wide DNS. After enabling TUN, confirm the streaming device actually queries through Mihomo instead of a hard-coded resolver on the local router. Corporate networks that inject their own DNS may require explicit dns-hijack directives. If you are running a split tunnel on Clash Verge Rev TUN mode, revisit the bypass list so local NAS or printer traffic stays untouched while the television uses the tunnel.
Remember that rules cannot override account-level restrictions. A Netflix profile registered in one region may still display a smaller catalog when viewed overseas, and Disney+ availability varies by country regardless of proxy quality. Treat routing as a technical prerequisite, not a guarantee of every title.
8 Troubleshooting checklist
- Downloads stuck at zero percent: Verify outbound connectivity to raw.githubusercontent.com, watch for captive portals, and inspect whether your provider blocks GitHub assets during peak hours.
- Rule-sets never appear in the UI: Confirm path directories are writable and that YAML indentation uses spaces, not tabs.
- Streaming works in browser but fails on TV apps: Many televisions ignore system proxies; switch the entire device subnet through TUN or a gateway that forces DNS to Mihomo.
- Unexpected REJECT events: Cross-check BanAD hits in the live log before blaming your streaming nodes; whitelist domains as needed.
- High CPU after import: Extremely large merged lists can increase matching cost. Trim unused providers or lengthen interval if the client spends too long parsing updates.
9 Wrap-up
You now have a reproducible pattern: pull ACL4SSR fragments with remote rule providers, isolate streaming traffic inside its own selector, optionally layer advertisement rejection ahead of those rules, and finish with sane GEOIP and MATCH fallbacks. The maintenance burden shifts from editing thousands of lines by hand to occasionally reviewing upstream changes and pinning commits when you need stability. Compared with one-off copy-paste jobs, scheduled downloads keep edge domains fresher without manual git pulls on every laptop in the house.
Graphical clients still win when you want visual log tails, one-click profile switching, and integrated subscription renewals. Clash Verge Rev wraps the same Mihomo engine this article assumes, so the YAML you crafted remains portable between headless servers and everyday desktops. When you want that polish without living inside a text editor, grab an up-to-date build for your platform and import the profile you just hardened.