# mihomo/Clash Proxy: Status & Troubleshooting

## Check if mihomo is running

mihomo may run as a systemd service OR as a standalone process. Check both:

```bash
# Standalone process (common)
ss -tlnp | grep -E '7890|7891|7892|9090'

# Systemd service
systemctl is-active mihomo
```

If `ss` shows mihomo listening on port 7890, it's running — regardless of systemd status.

## Port reference

| Port  | Purpose              |
|-------|----------------------|
| 7890  | Mixed (HTTP+SOCKS5)  |
| 7891  | HTTP only            |
| 7892  | SOCKS5 only          |
| 9090  | REST API / Dashboard |

## Check proxy config via API

```bash
# Current config (ports, mode, etc.)
curl -s http://127.0.0.1:9090/configs | python3 -m json.tool

# Active proxy groups and selected nodes
curl -s http://127.0.0.1:9090/proxies | python3 -c "
import json,sys
d=json.load(sys.stdin)
for name,info in d.get('proxies',{}).items():
    t = info.get('type','')
    if t in ('Selector','URLTest','Fallback','LoadBalance'):
        print(f'{name} ({t}): {info.get(\"now\",\"?\")}')
"
```

## Check direct vs proxy IP

```bash
# Direct IP (bypasses proxy)
curl -s http://ip-api.com/json

# Proxy outgoing IP — may fail if curl uses gnutls (see pitfall)
curl -s -x http://127.0.0.1:7890 https://api.ipify.org?format=json
```

## Pitfall: curl TLS error (exit code 35) through mihomo

If `curl` was compiled with **gnutls** (not openssl), HTTPS through mihomo proxy
may fail with exit code 35 (TLS handshake error). This is a known incompatibility.

```bash
# Check curl's TLS backend
curl --version | head -1
# Look for: "OpenSSL" (works) vs "GnuTLS" (broken through proxy)
```

**Workarounds:**
- Use `wget` instead: `wget -qO- -e use_proxy=yes -e http_proxy=127.0.0.1:7890 https://...`
- Use a statically-compiled curl (e.g. from conda or nix)
- For GitHub downloads: use `gh` CLI (Go binary, native TLS)

### Proven: `gh api` for GitHub tarball download

When `git clone`, `git fetch`, `curl`, `wget`, and Python `requests` all fail through mihomo due to gnutls TLS issues, `gh api` succeeds because it's a Go binary with its own TLS stack:

```bash
# 1. Authenticate (one-time)
echo "YOUR_TOKEN" | gh auth login --with-token

# 2. Download repo tarball for a specific branch
gh api repos/OWNER/REPO/tarball/BRANCH > /tmp/repo.tar.gz

# 3. Extract
cd /tmp && tar xzf repo.tar.gz
# Creates directory like OWNER-REPO-HASH/
```

No proxy env vars needed — `gh` handles auth and transport itself.