diff --git a/.gitignore b/.gitignore index 1f31421..adcbda5 100644 --- a/.gitignore +++ b/.gitignore @@ -52,8 +52,6 @@ src/mycrypt src/dighosts *.ld.so *.dSYM -doc/html/man3/ -doc/html/man8/ *.var verfile.sh /Makefile diff --git a/doc/html/man3/3proxy.cfg.3.html b/doc/html/man3/3proxy.cfg.3.html new file mode 100644 index 0000000..1d6cfac --- /dev/null +++ b/doc/html/man3/3proxy.cfg.3.html @@ -0,0 +1,1011 @@ + + +
+ + + + +3proxy.cfg +3proxy configuration file
+ +Common
+structure:
+Configuration file is a text file 3proxy reads configuration
+from. Each line of the file is a command executed
+immediately, as if it were given from the console. The
+sequence of commands is important. The configuration file is
+actually a script for the 3proxy executable. Each line of
+the file is treated as a blank (space or tab) separated
+command line. Additional space characters are ignored. Think
+about 3proxy as "application level router" with
+console interface.
Comments:
+Any line beginning with a space character or ´#´
+character is a comment. It´s ignored. <LF>s are
+ignored. <CR> is the end of a command.
Quotation:
+The quotation character is " (double quote). Quotation
+must be used to quote spaces or other special characters. To
+use a quotation character inside a quoted string, the
+character must be doubled (BASIC convention). For example,
+to use HELLO "WORLD" as an argument, you should
+write it as "HELLO ""WORLD""".
+Good practice is to quote any argument you use.
File inclusion:
+
+You can include file by using $FILENAME macro (replace
+FILENAME with a path to file, for example
+$/usr/local/etc/3proxy/conf.incl or
+$"c:\\Program Files\3proxy\include.cfg" Quotation
+is required in last example because path contains space
+character. For included file <CR> (end of line
+characters) is treated as space character (arguments
+delimiter instead of end of command delimiter). Thus,
+include files are only useful to store long single-line
+commands (like userlist, network lists, etc). To use dollar
+sign somewhere in argument it must be quoted. Recursion is
+not allowed.
Next commands +start gateway services:
+ +proxy
+[options]
+socks [options]
+pop3p [options]
+smtpp [options]
+ftppr [options]
+admin [options]
+dnspr [options]
+tcppm [options] <SRCPORT> <DSTADDR>
+<DSTPORT>
+udppm [options] <SRCPORT> <DSTADDR>
+<DSTPORT>
+Descriptions:
+proxy HTTP/HTTPS proxy (default port 3128)
+socks SOCKS 4/4.5/5 proxy (default port 1080)
+tlspr SNI proxy (destination address is taken from TLS
+handshake), may be used to redirect any TLS-based traffic
+
+auto Proxy with protocol autoselection between proxy /
+socks / tlspr
+pop3p POP3 proxy (default port 110)
+smtpp SMTP proxy (default port 25)
+ftppr FTP proxy (default port 21)
+admin Web interface (default port 80)
+dnspr caching DNS proxy (default port 53)
+tcppm TCP portmapper
+udppm UDP portmapper
Options:
+-pNUMBER change default server port to NUMBER
+-n disable NTLM authentication (required if passwords
+are stored in Unix crypt format).
+-n1 enable NTLMv1 authentication.
+-g(GRACE_TRAFF,GRACE_NUM,GRACE_DELAY) delay GRACE_DELAY
+milliseconds before polling if average polling size is below
+GRACE_TRAFF bytes and GRACE_NUM read operations in a single
+direction are detected within 1 second. Useful to minimize
+polling -s
+(for admin) secure, allow only secure operations, currently
+only traffic counters view without ability to reset.
+(for dnspr) simple, do not use resolver and 3proxy cache,
+always use external DNS server.
+(for udppm) singlepacket, expect only one packet from both
+client and server
+-u Never ask for username/password
+-u2 (for socks) require username/password in
+authentication methods
+-a (for proxy) anonymous proxy (no information about
+client reported)
+-a1 (for proxy) anonymous proxy (random client
+information reported)
+-a2 (for proxy) generate Via: and X-Forwarded-For:
+instead of Forwarded:
+-6 Only resolve IPv6 addresses. IPv4 addresses are
+packed in IPv6 in IPV6_V6ONLY compatible way.
+-4 Only resolve IPv4 addresses
+-46 Resolve IPv6 addresses if IPv4 address is not
+resolvable
+-64 Resolve IPv4 addresses if IPv6 address is not
+resolvable
+-RHOST:port listen on given local HOST:port for incoming
+connections instead of making remote outgoing connection.
+Can be used with another 3proxy service running -r option
+for connect back functionality. Most commonly used with
+tcppm. HOST can be given as IP or hostname, useful in case
+of dynamic DNS.
+-rHOST:port connect to given remote HOST:port instead of
+listening local connection on -p or default port. Can be
+used with another 3proxy service running -R option for
+connect back functionality. Most commonly used with proxy or
+socks. HOST can be given as IP or hostname, useful in case
+of dynamic DNS.
+-ocOPTIONS, -osOPTIONS, -olOPTIONS, -orOPTIONS,
+-oROPTIONS options for proxy-to-client (oc),
+proxy-to-server (os), proxy listening (ol), connect back
+client (or), connect back listening (oR) sockets. Options
+like TCP_CORK, TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK,
+TCP_TIMESTAMPS, USE_TCP_FASTOPEN, SO_REUSEADDR,
+SO_REUSEPORT, SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT,
+SO_KEEPALIVE, SO_DONTROUTE may be supported depending on OS.
+
+-DiINTERFACE, -DeINTERFACE bind internal interface /
+external interface to given INTERFACE (e.g. eth0) if
+SO_BINDTODEVICE is supported by the system. You may need to
+run as root or have CAP_NET_RAW capability in order to bind
+to an interface, depending on the system, so this option may
+require root privileges and can be incompatible with some
+configuration commands like chroot and setuid (and daemon if
+setcap is used).
+-e External address. IP address of the interface the
+proxy should initiate connections from. External IP must be
+specified if you need incoming connections. By default the
+system will decide which address to use in accordance with
+the routing table.
+-i Internal address. IP address the proxy accepts
+connections to. By default, connections to any interface are
+accepted.
+-N (for socks) External NAT address 3proxy reports to
+client for BIND and UDPASSOC By default external address is
+reported. It’s only useful in the case of IP-IP NAT
+(will not work for PAT)
+Also, all options mentioned for proxy(8)
+socks(8) pop3p(8) tcppm(8)
+udppm(8) ftppr(8)
+are also supported.
+Portmapping services listen at SRCPORT and connect to
+DSTADDR:DSTPORT HTTP and SOCKS proxies are standard.
+POP3 proxy must be configured as POP3 server and requires
+username in the form of: pop3username@pop3server. If POP3
+proxy access must be authenticated, you can specify username
+as proxy_username:proxy_password:POP3_username@pop3server
+
+DNS proxy resolves any types of records but only hostnames
+are cached. It requires nserver/nscache to be configured. If
+nserver is configured as TCP, redirections are applied on
+connection, so parent proxy may be used to resolve names to
+IP.
+FTP proxy can be used as FTP server in any FTP client or
+configured as FTP proxy on a client with FTP proxy support.
+Username format is one of
+FTPuser@FTPServer
+FTPuser:FTPpassword@FTPserver
+proxyuser:proxypassword:FTPuser:FTPpassword@FTPserver
+Please note, if you use FTP client interface for FTP proxy
+do not add FTPpassword and FTPServer to username, because
+FTP client does it for you. That is, if you use 3proxy with
+authentication use proxyuser:proxypassword:FTPuser as FTP
+username, otherwise do not change original FTP user name
include
+<path>
+Include config file
config
+<path>
+Path to configuration file to use on 3proxy restart or to
+save configuration.
writable
+
+ReOpens configuration file for write access via Web
+interface, and rereads it. Usually should be first command
+on config file but in combination with config it can be used
+anywhere to open alternate config file. Think twice before
+using it.
end
+End of configuration
log
+[[@|&]logfile] [<LOGTYPE>]
+sets logfile for all gateways
+@ (for Unix) use syslog, filename is used as ident name
+& use ODBC, filename consists of comma-delimited
+datasource,username,password (username and password are
+optional)
+radius - use RADIUS for logging
+LOGTYPE is one of:
+c Minutely
+H Hourly
+D Daily
+W Weekly (starting from Sunday)
+M Monthly
+Y Annually
+if logfile is not specified logging goes to stdout. You can
+specify individual logging options for gateway by using -l
+option in gateway configuration.
+log command supports same format specifications for filename
+template as "logformat" (if filename contains
+´%´ sign it´s believed to be template). As
+with "logformat" filename must begin with
+´L´ or ´G´ to specify Local or
+Grinwitch time zone for all time-based format
+specificators.
rotate
+<n>
+how many archived log files to keep
logformat
+<format>
+Format for log record. First symbol in format must be L
+(local time) or G (absolute Grinwitch time). It can be
+preceeded with -XXX+Y where XXX is list of characters to be
+filtered in user input (any non-printable characters are
+filtered too in this case) and Y is replacement character.
+For example, "-,%+ L" in the beginning of
+logformat means comma and percent are replaced with space
+and all time based elemnts are in local time zone.
+You can use:
%y Year in 2
+digit format
+%Y Year in 4 digit format
+%m Month number
+%o Month abbreviation
+%d Day
+%H Hour
+%M Minute
+%S Second
+%t Timestamp (in seconds since 01-Jan-1970)
+%. milliseconds
+%z time zone (from Greenwich)
+%D request duration (in milliseconds)
+%b average send rate per request (in bytes per second); this
+speed is typically below the connection speed shown by the
+download manager.
+%B average receive rate per request (in bytes per second);
+this speed is typically below the connection speed shown by
+the download manager.
+%U Username
+%N service Name
+%p service Port
+%E Error code
+%C Client IP
+%c Client port
+%R Remote IP
+%r Remote port
+%i Internal IP used to accept client connection
+%e External IP used to establish connection
+%Q Requested IP
+%q Requested port
+%n requested hostname
+%I bytes In
+%O bytes Out
+%h Hops (redirections) count
+%T service specific Text
+%N1-N2T (N1 and N2 are positive numbers) log only fields
+from N1 through N2 of service-specific text
+In the case of ODBC logging, logformat specifies an SQL
+statement, for example:
+logformat "-´+_Linsert into log (l_date, l_user,
+l_service, l_in, l_out, l_descr) values (´%d-%m-%Y
+%H:%M:%S´, ´%U´, ´%N´, %I, %O,
+´%T´)"
logdump
+<in_traffic_limit> <out_traffic_limit>
+Immediately creates additional log records if given amount
+of incoming/outgoing traffic is achieved for connection,
+without waiting for connection to finish. It may be useful
+to prevent information about long-lasting downloads on
+server shutdown.
delimchar
+<char>
+Sets the delimiter character used to separate username from
+hostname in proxy authentication strings (e.g. for FTP, POP3
+proxies). Default is ´@´. For example, to use
+´#´ instead: delimchar #. This allows usernames
+to contain the ´@´ character.
archiver
+<ext> <commandline>
+Archiver to use for log files. <ext> is file extension
+produced by archiver. Filename will be last argument to
+archiver, optionally you can use %A as produced archive name
+and %F as filename.
timeouts
+<BYTE_SHORT> <BYTE_LONG> <STRING_SHORT>
+<STRING_LONG> <CONNECTION_SHORT>
+<CONNECTION_LONG> <DNS> <CHAIN>
+<CONNECT> <CONNECTBACK>
+Sets timeout values, defaults 1, 5, 30, 60, 180, 1800, 15,
+60, 15, 5.
+BYTE_SHORT short timeout for single byte, is usually used
+for receiving single byte from stream.
+BYTE_LONG long timeout for single byte, is usually used for
+receiving first byte in frame (for example first byte in
+socks request).
+STRING_SHORT short timeout, for character string within
+stream (for example to wait between 2 HTTP headers)
+STRING_LONG long timeout, for first string in stream (for
+example to wait for HTTP request).
+CONNECTION_SHORT inactivity timeout for short connections
+(HTTP, POP3, etc).
+CONNECTION_LONG inactivity timeout for long connection
+(SOCKS, portmappers, etc).
+DNS timeout for DNS request before requesting next server
+
+CHAIN timeout for reading data from chained connection
+default timeouts 1 5 30 60 180 1800 15 60 15 5
maxseg
+<value>
+Sets TCP maximum segment size (MSS) for outgoing
+connections. This can be used to work around path MTU
+discovery issues or to optimize traffic for specific network
+conditions.
radius
+<NAS_SECRET>
+<radius_server_1[:port][/local_address_1]>
+<radius_server_2[:port][/local_address_2]>
+Configures RADIUS servers to be used for logging and
+authentication (log and auth types must be set to radius).
+port and local address to use with given server may be
+specified.
+Attributes within request: User-Name, Password: (username
+and password if presented by client), Service Type:
+Authenticate-Only, NAS-Port-Type: NAS-Port-Virtual,
+NAS-Port-ID: (proxy service port, e.g. 1080),
+NAS-IPv6-Address / NAS-IP-Address: (proxy interface accessed
+by client), NAS-Identifier: (text identifing proxy, e.g.
+PROXY or SOCKSv5), Framed-IPv6-Address / Framed-IP-Address:
+(IP address of the client), Called-Station-ID: (requested
+Hostname, if presents), Login-Service: (type of request,
+e.g. 1001 - SOCKS CONNECT, 1010 - HTTP GET, 1013 - HTTP
+CONNECT), Login-TCP-Port: (requested port), Login-IPv6-Host
+/ Login-IP-Host: (requested IP).
+Supported reply attributes for authentication:
+Framed-IP-Address / Framed-IPv6-Address (IP to assign to
+user), Reply-Message. Use authcache to speedup
+authentication. RADIUS feature is currently
+experimental.
nserver
+<ipaddr>[:port][/tcp]
+Nameserver to use for name resolutions. If none specified
+system routines for name resolution is used. Optional port
+number may be specified. If optional /tcp is added to IP
+address, name resolution is performed over TCP.
authnserver
+<ipaddr>[:port][/tcp]
+Nameserver to use for DNS-based authentication (e.g. dnsname
+auth type). If not specified, nserver is used. The syntax is
+the same as for nserver.
nscache
+<cachesize> nscache6 <cachesize>
+Cache <cachesize> records for name resolution (nscache
+for IPv4, nscache6 for IPv6). The cache size should usually
+be large enough (for example, 65536).
nsrecord
+<hostname> <hostaddr>
+Adds static record to nscache. nscache must be enabled. If
+0.0.0.0 is used as a hostaddr host will never resolve, it
+can be used to blacklist something or together with
+dialer command to set up UDL for dialing.
fakeresolve
+
+All names are resolved to the 127.0.0.2 address. Useful if
+all requests are redirected to a parent proxy with http,
+socks4+, connect+ or socks5+.
dialer
+<progname>
+Execute progname if external name can´t be resolved.
+Hint: if you use nscache, dialer may not work, because names
+will be resolved through cache. In this case you can use
+something like http://dial.right.now/ from browser to set up
+connection.
internal
+<ipaddr>
+sets ip address of internal interface. This IP address will
+be used to bind gateways. Alternatively you can use -i
+option for individual gateways. Since 0.8 version, IPv6
+address may be used.
external
+<ipaddr>
+sets ip address of external interface. This IP address will
+be source address for all connections made by proxy.
+Alternatively you can use -e option to specify individual
+address for gateway. Since 0.8 version External or -e can be
+given twice: once with IPv4 and once with IPv6 address.
maxconn
+<number>
+sets the maximum number of simultaneous connections to each
+service started after this command at the network level.
+Default is 100.
+To limit clients, use connlim instead. maxconn will silently
+ignore new connections, while connlim will report back to
+the client that the connection limit has been reached.
backlog
+
+sets the listening socket backlog of new connections.
+Default is 1 + maxconn/8. Maximum value is capped by kernel
+tunable somaxconn.
service
+
+(deprecated). Indicates that 3proxy should behave as a
+Windows 95/98/NT/2000/XP service; has no effect under Unix.
+Not required for 3proxy 0.6 and above. If you upgraded from
+a previous version of 3proxy, use --remove and --install to
+reinstall the service.
daemon
+
+Should be specified to close the console. Do not use
+´daemon´ with ´service´. At least
+under FreeBSD, ´daemon´ should precede any proxy
+service and log commands to avoid socket problems. Always
+place it in the beginning of the configuration file.
auth
+<authtype> [...]
+Type of user authorization. Currently supported:
+none - no authentication or authorization required.
+Note: if auth is none, any IP-based limitation, redirection,
+etc. will not work. This is the default authentication type
+
+iponly - authentication by access control list with username
+ignored.
+Appropriate for most cases
+useronly - authentication by username without checking for
+any password with authorization by ACLs. Useful for e.g.
+SOCKSv4 proxy and icqpr (icqpr set UIN / AOL screen name as
+a username)
+dnsname - authentication by DNS hostname with authorization
+by ACLs. The DNS hostname is resolved via a PTR (reverse)
+record and validated (the resolved name must resolve to the
+same IP address). It´s recommended to use authcache by
+IP for this authentication. NB: there is no password check;
+the name may be spoofed.
+strong - username/password authentication required. It will
+work with SOCKSv5, FTP, POP3 and HTTP proxy.
+cache - cached authentication, may be used with
+´authcache´.
+radius - authentication with RADIUS.
+Plugins may add additional authentication types.
It´s
+possible to use multiple authentication types in the same
+command. E.g.
+auth iponly strong
+In this case, ´strong´ authentication will be
+used only if resource access cannot be performed with
+´iponly´ authentication, that is, a username is
+required in the ACL. It´s useful to protect access to
+some resources with a password while allowing passwordless
+access to other resources, or to use IP-based authentication
+for dedicated laptops and request a username/password for
+shared ones.
authcache
+<cachtype> <cachtime>
+Cache authentication information for a given amount of time
+(cachetime) in seconds. Cachetype is one of:
+ip - after successful authentication all connections during
+caching time from same IP are assigned to the same user,
+username is not requested.
+ip,user username is requested and all connections from the
+same IP are assigned to the same user without actual
+authentication.
+user - same as above, but IP is not checked.
+user,password - both username and password are checked
+against cached ones.
+limit - limit user to use only one ip, ´ip´ and
+´user´ are required
+acl - only use cached auth if user access service with same
+ACL
+ext - cache external IP
+Use auth type ´cache´ for cached
+authentication
allow
+<userlist> <sourcelist> <targetlist>
+<targetportlist> <operationlist>
+<weekdayslist> <timeperiodslist>
+deny <userlist> <sourcelist>
+<targetlist> <targetportlist>
+<operationlist> <weekdayslist>
+<timeperiodslist>
+redirect <ip> <port> <userlist>
+<sourcelist> <targetlist> <targetportlist>
+<operationlist> <weekdayslist>
+<timeperiodslist>
+Access control entries. All lists are comma-separated, no
+spaces are allowed. Usernames are case sensitive (if used
+with authtype nbname username must be in uppercase). Source
+and target lists may contain IP addresses (W.X.Y.Z), ranges
+A.B.C.D - W.X.Y.Z (since 0.8) or CIDRs (W.X.Y.Z/L). Since
+0.6, the targetlist may also contain host names, instead of
+addresses. It´s possible to use a wildmask in the
+beginning and at the end of the hostname, e.g. *badsite.com
+or *badcontent*. The hostname is only checked if a hostname
+is present in the request. Targetportlist may contain ports
+(X) or port ranges lists (X-Y). For any field * sign means
+ANY. If access list is empty it´s assumed to be
+allow *
+If access list is not empty last item in access list is
+assumed to be
+deny *
+You may want explicitly add deny * to the end of access list
+to prevent HTTP proxy from requesting user´s password.
+Access lists are checked after user have requested any
+resource. If you want 3proxy to reject connections from
+specific addresses immediately without any conditions you
+should either bind proxy to appropriate interface only or to
+use ip filters.
Operation is one
+of:
+CONNECT establish outgoing TCP connection
+BIND bind TCP port for listening
+UDPASSOC make UDP association
+ICMPASSOC make ICMP association (for future use)
+HTTP_GET HTTP GET request
+HTTP_PUT HTTP PUT request
+HTTP_POST HTTP POST request
+HTTP_HEAD HTTP HEAD request
+HTTP_CONNECT HTTP CONNECT request
+HTTP_OTHER over HTTP request
+HTTP matches any HTTP request except HTTP_CONNECT
+HTTPS same as HTTP_CONNECT
+FTP_GET FTP get request
+FTP_PUT FTP put request
+FTP_LIST FTP list request
+FTP_DATA FTP data connection. Note: FTP_DATA requires access
+to dynamic non-privileged (1024-65535) ports on the remote
+side.
+FTP matches any FTP/FTP Data request
+ADMIN access to administration interface
Weekdays are
+week day numbers or periods, 0 or 7 means Sunday, 1 is
+Monday, 1-5 means Monday through Friday.
+Timeperiodlists is a list of time periods in
+HH:MM:SS-HH:MM:SS format. For example,
+00:00:00-08:00:00,17:00:00-24:00:00 lists non-working
+hours.
parent
+<weight> <type> <ip> <port>
+<username> <password>
+this command must follow "allow" rule. It extends
+last allow rule to build proxy chain. Proxies may be
+grouped. Proxy inside the group is selected randomly. If few
+groups are specified one proxy is randomly picked from each
+group and chain of proxies is created (that is second proxy
+connected through first one and so on). Weight is used to
+group proxies. Weight is a number between 1 and 1000.
+Weights are summed and proxies are grouped together until
+the weight of the group is 1000. That is:
+allow *
+parent 500 socks5 192.168.10.1 1080
+parent 500 connect 192.168.10.1 3128
+makes 3proxy to randomly choose between 2 proxies for all
+outgoing connections. These 2 proxies form 1 group
+(summarized weight is 1000).
+allow * * * 80
+parent 1000 socks5 192.168.10.1 1080
+parent 1000 connect 192.168.20.1 3128
+parent 300 socks4 192.168.30.1 1080
+parent 700 socks5 192.168.40.1 1080
+creates chain of 3 proxies: 192.168.10.1, 192.168.20.1 and
+third is (192.168.30.1 with probability of 0.3 or
+192.168.40.1 with probability of 0.7) for outgoing web
+connections. Chains are only applied to new connections,
+pipelined (keep-alive) requests in the same connection use
+the same chain.
type is one of:
+
+extip does not actually redirect the request; it sets the
+external address for this request to <ip>. It can be
+chained with another parent type. It’s useful to set
+the external IP based on ACL or make it random.
+tcp simply redirect connection. TCP is always last in chain.
+This type of proxy is a simple TCP redirection, it does not
+support parent authentication.
+http redirect to HTTP proxy. HTTP is always the last chain.
+It should only be used with http (proxy) service, if used
+with different service, it works as tcp redirection.
+pop3 redirect to POP3 proxy (only local redirection is
+supported, can only be used as a first hop in chaining)
+ftp redirect to FTP proxy (only local redirection is
+supported, can only be used as a first hop in chaining)
+connect parent is HTTP CONNECT method proxy
+connect+ parent is HTTP CONNECT proxy with name resolution
+(hostname is used instead of IP if available)
+socks4 parent is SOCKSv4 proxy
+socks4+ parent is SOCKSv4 proxy with name resolution
+(SOCKSv4a)
+socks5 parent is SOCKSv5 proxy
+socks5+ parent is SOCKSv5 proxy with name resolution
+socks4b parent is SOCKS4b (broken SOCKSv4 implementation
+with shortened server reply; I never saw this kind of
+server, but they say there are some). Normally you should
+not use this option. Do not confuse this option with
+SOCKSv4a (socks4+).
+socks5b parent is SOCKS5b (broken SOCKSv5 implementation
+with shortened server reply. I think you will never find it
+useful). Never use this option unless you know exactly you
+need it.
+admin redirect request to local ´admin´ service
+(with -s parameter).
+Use "+" proxy only with "fakeresolve"
+option
IP and port are +ip addres and port of parent proxy server. If IP is zero, ip +is taken from original request, only port is changed. If +port is zero, it´s taken from original request, only +IP is changed. If both IP and port are zero - it´s a +special case of local redirection, it works only with +socks proxy. In case of local redirection request is +redirected to different service, ftp locally +redirects to ftppr pop3 locally redirects to pop3p +http locally redirects to proxy admin locally +redirects to the admin -s service.
+ +Main purpose of
+local redirections is to have the requested resource (URL or
+POP3 username) logged and protocol-specific filters applied.
+In case of local redirection, ACLs are reviewed twice:
+first, by the SOCKS proxy up to the ´parent´
+command and then by the gateway service the connection is
+redirected to (HTTP, FTP or POP3) after the
+´parent´ command. It means an additional
+´allow´ command is required for redirected
+requests, for example:
+allow * * * 80
+parent 1000 http 0.0.0.0 0
+allow * * * 80 HTTP_GET,HTTP_POST
+socks
+redirects all SOCKS requests with target port 80 to local
+HTTP proxy, local HTTP proxy parses requests and allows only
+GET and POST requests.
+parent 1000 http 1.2.3.4 0
+Changes the external address for a given connection to
+1.2.3.4 (equivalent to -e1.2.3.4)
+Optional username and password are used to authenticate on
+parent proxy. Username of ´*´ means username
+must be supplied by user.
parentretries
+<number>
+Number of retries to connect to parent proxy. Default is
+1.
nolog
+<n>
+extends last allow or deny command to prevent logging, e.g.
+
+allow * * 192.168.1.1
+nolog
weight
+<n>
+extends last allow or deny command to set weight for this
+request
+allow * * 192.168.1.1
+weight 100
+Weight may be used for different purposes.
force
+noforce
+If force is specified for service, configuration reload will
+require all current sessions of this service to be
+re-authenticated. If ACL is changed or user account is
+removed, old connections which do not match current are
+closed. noforce allows to keep previously authenticated
+connections.
bandlimin
+<rate> <userlist> <sourcelist>
+<targetlist> <targetportlist>
+<operationlist> <weekdayslist>
+<timeperiodslist>
+nobandlimin <userlist> <sourcelist>
+<targetlist> <targetportlist>
+<operationlist> <weekdayslist>
+<timeperiodslist>
+bandlimout <rate> <userlist>
+<sourcelist> <targetlist> <targetportlist>
+<operationlist> <weekdayslist>
+<timeperiodslist>
+nobandlimout <userlist> <sourcelist>
+<targetlist> <targetportlist>
+<operationlist> <weekdayslist>
+<timeperiodslist>
+bandlim sets a bandwidth limitation filter to <rate>
+bps (bits per second). If you want to specify bytes per
+second, multiply your value by 8. bandlim rules act in the
+same manner as allow/deny rules, except for one thing:
+bandwidth limiting is applied to all services, not to some
+specific service. bandlimin and nobandlimin apply to
+incoming traffic
+bandlimout and nobandlimout apply to outgoing traffic
+If you want to ratelimit your clients with IPs
+192.168.10.16/30 (4 addresses) to 57600 bps, you have to
+specify 4 rules like
+bandlimin 57600 * 192.168.10.16
+bandlimin 57600 * 192.168.10.17
+bandlimin 57600 * 192.168.10.18
+bandlimin 57600 * 192.168.10.19
+and each of your clients will have a 56K channel. If you
+specify
+bandlimin 57600 * 192.168.10.16/30
+you will have a 56K channel shared between all clients. If
+you want, for example, to limit all speed except access to
+POP3, you can use
+nobandlimin * * * 110
+before the rest of bandlim rules.
connlim
+<rate> <period> <userlist>
+<sourcelist> <targetlist> <targetportlist>
+<operationlist> <weekdayslist>
+<timeperiodslist>
+noconnlim <userlist> <sourcelist>
+<targetlist> <targetportlist>
+<operationlist> <weekdayslist>
+<timeperiodslist>
+connlim sets connections rate limit per time period for
+traffic pattern controlled by ACL. Period is in seconds. If
+period is 0, connlim limits a number of parallel
+connections.
+connlim 100 60 * 127.0.0.1
+allows 100 connections per minute for 127.0.0.1.
+connlim 20 0 * 127.0.0.1
+allows 20 simultaneous connections for 127.0.0.1.
+Like with bandlimin, if an individual limit is required per
+client, a separate rule must be added for every client. Like
+with nobandlimin, noconnlim adds an exception.
counter
+<filename> <reporttype> <reportname>
+
+countin <number> <type> <limit>
+<userlist> <sourcelist> <targetlist>
+<targetportlist> <operationlist>
+<weekdayslist> <timeperiodslist>
+nocountin <userlist> <sourcelist>
+<targetlist> <targetportlist>
+<operationlist> <weekdayslist>
+<timeperiodslist>
+countout <number> <type> <limit>
+<userlist> <sourcelist> <targetlist>
+<targetportlist> <operationlist>
+<weekdayslist> <timeperiodslist>
+nocountout <userlist> <sourcelist>
+<targetlist> <targetportlist>
+<operationlist> <weekdayslist>
+<timeperiodslist>
+countall <number> <type> <limit>
+<userlist> <sourcelist> <targetlist>
+<targetportlist> <operationlist>
+<weekdayslist> <timeperiodslist>
+nocountall <userlist> <sourcelist>
+<targetlist> <targetportlist>
+<operationlist> <weekdayslist>
+<timeperiodslist>
counter,
+countin, nocountin, countout, nocountout, countall,
+nocountall commands are used to set a traffic limit in MB
+for a period of time (day, week or month). Filename is a
+path to a special file where traffic information is
+permanently stored. The number is the sequential number of
+the record in this file. If the number is 0, this counter is
+not preserved in the counter file (that is, if the proxy is
+restarted, all counters with 0 are flushed); otherwise, it
+should be a unique sequential number which points to the
+position of the counter within the file. Type specifies a
+type of counter. Type is one of:
+H - counter is reset hourly
+D - counter is reset daily
+W - counter is reset weekly
+M - counter is reset monthly
+reporttype/reportname may be used to generate traffic
+reports. Reporttype is one of D, W, M, H (hourly) and
+reportname specifies the filename template for reports. The
+report is a text file with counter values in the format:
+
+<COUNTERNUMBER> <TRAF>
+The rest of parameters is identical to
+bandlim/nobandlim.
users
+username[:pwtype:password] ...
+pwtype is one of:
+none (empty) - use system authentication
+CL - password is cleartext
+CR - password is crypt-style password
+NT - password is NT password (in hex)
+LM - password is LM password (in hex)
+example:
+users test1:CL:password1
+"test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49."
+users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63
| + + + | + | + |
flush
+
+empty the active access list. The access list must be
+flushed every time you create a new access list for a new
+service. For example:
+allow *
+pop3p
+flush
+allow * 192.168.1.0/24
+socks
+sets different ACLs for pop3p and socks
system
+<command>
+execute system command
pidfile
+<filename>
+write pid of current process to file. It can be used to
+manipulate 3proxy with signals under Unix. Currently next
+signals are available:
monitor
+<filename>
+If file monitored changes in modification time or size,
+3proxy reloads configuration within one minute. Any number
+of files may be monitored.
setuid
+<uid>
+calls setuid(uid), uid can be numeric or since 0.9 username.
+Unix only. Warning: under some Linux kernels setuid() works
+for current thread only. It makes it impossible to suid for
+all threads.
setgid
+<gid>
+calls setgid(gid), gid can be numeric or since 0.9
+groupname. Unix only.
chroot
+<path> [<uid>] [<gid>]
+calls chroot(path) and sets gid/uid. Unix only. uid/gid
+supported since 0.9, can be numeric or
+username/groupname
stacksize
+<value_to_add_to_default_stack_size>
+Change the default size for thread stacks. May be required
+in some situations, e.g. with non-default plugins, or on
+some platforms (some FreeBSD versions may require adjusting
+the stack size due to an incorrectly defined value in system
+header files; this value is also often required to be
+changed for ODBC and PAM support on Linux). If you
+experience 3proxy crash on request processing, try to set
+some positive value. You may start with stacksize 65536 and
+then find the minimal value for the service to work. If you
+experience memory shortage, you can try to experiment with
+negative values.
plugin
+<path_to_shared_library> <function_to_call>
+[<arg1> ...]
+Loads specified library and calls given export function with
+given arguments, as
+int functions_to_call(struct pluginlink * pl, int argc, char
+* argv[]);
+function_to_call must return 0 in case of success, value
+> 0 to indicate error.
filtermaxsize
+<max_size_of_data_to_filter>
+If Content-length (or another data length) is greater than
+the given value, no data filtering will be performed through
+filtering plugins to avoid data corruption and/or
+Content-Length changing. Default is 1MB (1048576).
Report all bugs +to 3proxy@3proxy.org
+ +3proxy(8),
+proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8),
+syslogd(8),
+https://3proxy.org/
3APA3A is +pronounced as ``zaraza´´.
+ +3proxy is +designed by Vladimir 3APA3A Dubrovin +(3proxy@3proxy.org)
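Review bot: In the pidfile entry, the sentence "Currently next signals are available:" ends with a colon and nothing follows before the monitor entry, so the reader never gets the list. Either list the signals there or point to 3proxy(8), which documents them in this same patch. In the plugin entry the prototype reads functions_to_call while the argument name and the next sentence say function_to_call; use one spelling.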
+3proxy - +3[APA3A] tiny proxy server, or trivial proxy server, or free +proxy server
+ +3proxy
+[config_file]
+3proxy [--install]
+3proxy [--remove]
3proxy is +a universal proxy server. It can be used to provide internal +users with fully controllable access to external resources +or to provide external users with access to internal +resources. 3proxy is not developed to replace +squid(8), but it can extend the functionality of an +existing caching proxy. It can be used to route requests +between different types of clients and proxy servers. Think +about it as application level gateway with configuration +like hardware router has for network layer. It can establish +multiple gateways with HTTP and HTTPS proxy with FTP over +HTTP support, SOCKS v4, v4.5 and v5, POP3 proxy, UDP and TCP +portmappers. Each gateway is started from the configuration +file like an independent service proxy(8) +socks(8) pop3p(8) tcppm(8) +udppm(8) ftppr(8) dnspr but +3proxy is not a kind of wrapper or superserver for +these daemons. It just has the same code compiled in, but +provides much more functionality. SOCKSv5 implementation +allows you to use 3proxy with any UDP or TCP based client +applications designed without proxy support (with +SocksCAP, FreeCAP or another client-side +redirector under Windows or with a socksification library +under Unix). So you can play your favourite games, listen to +music, exchange files and messages and even accept incoming +connections behind a proxy server.
+ +dnspr +does not exist as an independent service. It’s a DNS +caching proxy (it requires nscache and nserver +to be set in the configuration. Only A-records are cached. +Please note that this caching is mostly a ’hack’ +and has nothing to do with a real DNS server, but it works +perfectly for SOHO networks.
+ +3proxy supports +access control lists (ACL) like network router. Source and +destination networks and destination port can be specified. +In addition, usernames and gateway action (for example GET +or POST) can be used in ACLs. In order to filter request on +username basis user must be authenticated somehow. There are +few authentication types including password authentication +and authentication by NetBIOS name for Windows clients +(it´s very like ident authentication). Depending on +ACL action request can be allowed, denied or redirected to +another host or to another proxy server or even to a chain +of proxy servers.
+ +It supports +different types of logging: to logfiles, syslog(3) +(only under Unix) or to an ODBC database. Logging format is +tunable to provide compatibility with existing log file +parsers. It makes it possible to use 3proxy with IIS, ISA, +Apache or Squid log parsers.
+ +config_file
+ +Name of config file. See
+3proxy.cfg(3) for configuration file format. Under
+Windows, if config_file is not specified, 3proxy
+looks for a file named 3proxy.cfg in the default
+location (in the same directory as the executable file and
+in the current directory). Under Unix, if no config file is
+specified, 3proxy reads configuration from stdin. It makes
+it possible to use the 3proxy.cfg file as an executable
+script just by setting +x mode and adding
+#!/usr/local/3proxy/3proxy
+as a first line in 3proxy.cfg
--install
+ +(Windows NT family only) +install 3proxy as a system service
+ +--remove
+ +(Windows NT family only) remove +3proxy from system services
+ +Under Unix there
+are a few signals 3proxy catches. See kill(1).
+
+SIGTERM
clean up connections and +exit
+ +SIGPAUSE
+ +stop accepting new connections, +on second signal - start and re-read configuration
+ +SIGCONT
+ +start to accept new +connections
+ +SIGUSR1
+ +reload configuration
+ +Under Windows,
+if 3proxy is installed as a service you can use
+standard service management to start, stop, pause and
+continue the 3proxy service, for example:
+net start 3proxy
+net stop 3proxy
+net pause 3proxy
+net continue 3proxy
Web admin +service can also be used to reload configuration. Use wget +to automate this task.
+ +/usr/local/3proxy/3proxy.cfg +(3proxy.cfg)
+ +3proxy configuration +file
+ +Report all bugs +to 3proxy@3proxy.org
+ +3proxy.cfg(3),
+proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8),
+kill(1), syslogd(8),
+https://3proxy.org/
3APA3A is +pronounced as ``zaraza´´.
+ +3proxy is +designed by Vladimir 3APA3A Dubrovin +(3proxy@3proxy.org)
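Review bot: The signal list names SIGPAUSE, which is not a standard signal name, so an operator following the page with kill(1) cannot send it; name the actual signal that pauses accepting connections. The dnspr paragraph also opens a parenthesis at "(it requires nscache and nserver" that is never closed.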
+ftppr - +FTP proxy gateway service
+ +ftppr +[-d] [-l[[@]logfile]] +[-pport] [-iinternal_ip] +[-eexternal_ip] +[-hdefault_ip[:port]]
+ +ftppr is +FTP gateway service to allow internal users to access +external FTP servers.
+ +| + |
+
+
+ -I |
++ |
+
+
+ Inetd mode. Standalone service +only. |
| + |
+
+
+ -d |
++ |
+
+
+ Daemonize. Detach service from +console and run in the background. |
| + |
+
+
+ -t |
++ |
+
+
+ Be silenT. Do not log +start/stop/accept error records. |
| + |
+
+
+ -u |
++ |
+
+
+ Never look for username +authentication. |
| + |
+
+
+ -e |
++ |
+
+
+ External address. IP address of +the interface the proxy should initiate connections from. By +default, the system will decide which address to use in +accordance with the routing table. |
| + |
+
+
+ -i |
++ |
+
+
+ Internal address. IP address the +proxy accepts connections to. By default, connections to any +interface are accepted. It´s usually unsafe. |
| + |
+
+
+ -h |
++ |
+
+
+ Default destination. It’s +used if the target address is not specified by the user. |
| + |
+
+
+ -p |
++ |
+
+
+ Port. Port proxy listens for +incoming connections. Default is 21. |
| + |
+
+
+ -l |
++ |
+
+
+ Log. By default logging is to +stdout. If logfile is specified logging is to file. +Under Unix, if ´@´ precedes +logfile, syslog is used for logging. |
| + |
+
+
+ -S |
++ |
+
+
+ Increase or decrease stack size. +You may want to try something like -S8192 if you experience +3proxy crashes. |
You can use any +FTP client, regardless of FTP proxy support. For a client +with FTP proxy support, configure internal_ip and +port in the FTP proxy parameters. For clients without +FTP proxy support, use internal_ip and port as +the FTP server. The address of the real FTP server must be +configured as a part of the FTP username. The format for the +username is username@server, where +server is the address of the FTP server and +username is the user´s login on this FTP +server. The login itself may contain an ´@´ +sign. Only cleartext authentication is currently +supported.
+ +Report all bugs +to 3proxy@3proxy.org
+ +3proxy(8),
+proxy(8), pop3p(8), socks(8), tcppm(8), udppm(8),
+syslogd(8),
+https://3proxy.org/
3proxy is +designed by Vladimir 3APA3A Dubrovin +(3proxy@3proxy.org)
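Review bot: The synopsis lists only -d, -l, -p, -i, -e and -h, but the options below also document -I, -t, -u and -S; add them to the synopsis so the two agree. The other service pages added in this patch have the same gap between synopsis and option list.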
+pop3p - +POP3 proxy gateway service
+ +pop3p +[-d] [-l[[@]logfile]] +[-pport] [-iinternal_ip] +[-eexternal_ip] +[-hdefault_ip[:port]]
+ +pop3p is +POP3 gateway service to allow internal users to access +external POP3 servers.
+ +| + |
+
+
+ -I |
++ |
+
+
+ Inetd mode. Standalone service +only. |
| + |
+
+
+ -d |
++ |
+
+
+ Daemonize. Detach service from +console and run in the background. |
| + |
+
+
+ -t |
++ |
+
+
+ Be silenT. Do not log +start/stop/accept error records. |
| + |
+
+
+ -u |
++ |
+
+
+ Never look for username +authentication. |
| + |
+
+
+ -e |
++ |
+
+
+ External address. IP address of +the interface the proxy should initiate connections from. By +default, the system will decide which address to use in +accordance with the routing table. |
| + |
+
+
+ -i |
++ |
+
+
+ Internal address. IP address the +proxy accepts connections to. By default, connections to any +interface are accepted. It´s usually unsafe. |
| + |
+
+
+ -p |
++ |
+
+
+ Port. Port proxy listens for +incoming connections. Default is 110. |
| + |
+
+
+ -h |
++ |
+
+
+ Default destination. It’s +used if the target address is not specified by the user. |
| + |
+
+
+ -l |
++ |
+
+
+ Log. By default logging is to +stdout. If logfile is specified logging is to file. +Under Unix, if ´@´ precedes +logfile, syslog is used for logging. |
| + |
+
+
+ -S |
++ |
+
+
+ Increase or decrease stack size. +You may want to try something like -S8192 if you experience +3proxy crashes. |
You can use any +MUA (Mail User Agent) with POP3 support. Set the client to +use internal_ip and port as a POP3 server. The +address of the real POP3 server must be configured as a part +of the POP3 username. The format for the username is +username@server, where server is +the address of the POP3 server and username is the +user´s login on this POP3 server. The login itself may +contain an ´@´ sign. Only cleartext +authentication is supported, because challenge-response +authentication (APOP, CRAM-MD5, etc.) requires a challenge +from the server before we know which server to connect +to.
+ +Report all bugs +to 3proxy@3proxy.org
+ +3proxy(8),
+ftppr(8), proxy(8), socks(8), tcppm(8), udppm(8),
+syslogd(8),
+https://3proxy.org/
3proxy is +designed by Vladimir 3APA3A Dubrovin +(3proxy@3proxy.org)
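Review bot: The usage paragraph gives the login format as username@server and then says the login itself may contain an '@' sign, without saying which '@' the proxy splits on. State the rule explicitly so that a login which is itself a full e-mail address is parsed predictably. The ftppr and smtpp pages carry the same wording.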
+proxy - +HTTP proxy gateway service
+ +proxy +[-d][-a] [-l[[@]logfile]] +[-pport] [-iinternal_ip] +[-eexternal_ip]
+ +proxy is +HTTP gateway service with HTTPS and FTP over HTTPS +support.
+ +| + |
+
+
+ -I |
++ |
+
+
+ Inetd mode. Standalone service +only. |
| + |
+
+
+ -d |
++ |
+
+
+ Daemonize. Detach service from +console and run in the background. |
| + |
+
+
+ -t |
++ |
+
+
+ Be silenT. Do not log +start/stop/accept error records. |
| + |
+
+
+ -u |
++ |
+
+
+ Never ask for username +authentication |
| + |
+
+
+ -e |
++ |
+
+
+ External address. IP address of +the interface the proxy should initiate connections from. By +default, the system will decide which address to use in +accordance with the routing table. |
| + |
+
+
+ -i |
++ |
+
+
+ Internal address. IP address the +proxy accepts connections to. By default, connections to any +interface are accepted. It´s usually unsafe. |
| + |
+
+
+ -a |
++ |
+
+
+ Anonymous. Hide information +about client. |
| + |
+
+
+ -a1 |
++ |
+
+
+ Anonymous. Show fake information +about client. |
| + |
+
+
+ -p |
++ |
+
+
+ Port. Port proxy listens for +incoming connections. Default is 3128. |
| + |
+
+
+ -l |
++ |
+
+
+ Log. By default logging is to +stdout. If logfile is specified logging is to file. +Under Unix, if ´@´ preceeds +logfile, syslog is used for logging. |
| + |
+
+
+ -S |
++ |
+
+
+ Increase or decrease stack size. +You may want to try something like -S8192 if you experience +3proxy crashes. |
You should use a +client with HTTP proxy support or configure a router to +redirect HTTP traffic to the proxy (transparent proxy). +Configure the client to connect to internal_ip and +port. HTTPS support allows you to use almost any +TCP-based protocol. If you need to limit clients, use +3proxy(8) instead.
+ +Report all bugs +to 3proxy@3proxy.org
+ +3proxy(8),
+ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8),
+syslogd(8),
+https://3proxy.org/
3proxy is +designed by Vladimir 3APA3A Dubrovin +(3proxy@3proxy.org)
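Review bot: The description says "FTP over HTTPS support", while the 3proxy(8) page in this patch describes the same gateway as "HTTPS proxy with FTP over HTTP support"; pick one so the two pages agree. In the -l entry "preceeds" should be "precedes", as the ftppr and pop3p pages spell it.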
+smtpp - +SMTP proxy gateway service
+ +smtpp +[-d] [-l[[@]logfile]] +[-pport] [-iinternal_ip] +[-eexternal_ip] +[-hdefault_ip[:port]]
+ +smtpp is +SMTP gateway service to allow internal users to access +external SMTP servers.
+ +| + |
+
+
+ -I |
++ |
+
+
+ Inetd mode. Standalone service +only. |
| + |
+
+
+ -d |
++ |
+
+
+ Daemonize. Detach service from +console and run in the background. |
| + |
+
+
+ -t |
++ |
+
+
+ Be silenT. Do not log +start/stop/accept error records. |
| + |
+
+
+ -u |
++ |
+
+
+ Never look for username +authentication. |
| + |
+
+
+ -e |
++ |
+
+
+ External address. IP address of +the interface the proxy should initiate connections from. By +default, the system will decide which address to use in +accordance with the routing table. |
| + |
+
+
+ -i |
++ |
+
+
+ Internal address. IP address the +proxy accepts connections to. By default, connections to any +interface are accepted. It´s usually unsafe. |
| + |
+
+
+ -p |
++ |
+
+
+ Port. Port proxy listens for +incoming connections. Default is 25. |
| + |
+
+
+ -h |
++ |
+
+
+ Default destination. It’s +used if the target address is not specified by the user. |
| + |
+
+
+ -l |
++ |
+
+
+ Log. By default logging is to +stdout. If logfile is specified logging is to file. +Under Unix, if ´@´ precedes +logfile, syslog is used for logging. |
| + |
+
+
+ -S |
++ |
+
+
+ Increase or decrease stack size. +You may want to try something like -S8192 if you experience +3proxy crashes. |
You can use any +MUA (Mail User Agent) with SMTP authentication support. Set +the client to use internal_ip and port as an +SMTP server. The address of the real SMTP server must be +configured as a part of the SMTP username. The format for +the username is username@server, where +server is the address of the SMTP server and +username is the user´s login on this SMTP +server. The login itself may contain an ´@´ +sign. Only cleartext authentication is supported, because +challenge-response authentication (CRAM-MD5, SPA, etc.) +requires a challenge from the server before we know which +server to connect to.
+ +Report all bugs +to 3proxy@3proxy.org
+ +3proxy(8),
+ftppr(8), proxy(8), socks(8), tcppm(8), udppm(8),
+syslogd(8),
+https://3proxy.org/
3proxy is +designed by Vladimir 3APA3A Dubrovin +(3proxy@3proxy.org)
+socks - +SOCKS 4/4.5/5 gateway service
+ +socks +[-d] [-l[[@]logfile]] +[-pport] [-iinternal_ip] +[-eexternal_ip]
+ +socks is +SOCKS server. It supports SOCKSv4, SOCKSv4.5 (extension to +v4 for server side name resolution) and SOCKSv5. SOCKSv5 +specification allows both outgoing and reverse TCP +connections and UDP portmapping.
+ +| + |
+
+
+ -I |
++ |
+
+
+ Inetd mode. Standalone service +only. |
| + |
+
+
+ -d |
++ |
+
+
+ Daemonize. Detach service from +console and run in the background. |
| + |
+
+
+ -t |
++ |
+
+
+ Be silenT. Do not log +start/stop/accept error records. |
| + |
+
+
+ -u |
++ |
+
+
+ Never ask for username +authentication |
| + |
+
+
+ -e |
++ |
+
+
+ External address. IP address of +the interface the proxy should initiate connections from. +External IP must be specified if you need incoming +connections. By default, the system will decide which +address to use in accordance with the routing table. |
| + |
+
+
+ -N |
++ |
+
+
+ External NAT address 3proxy +reports to client for BIND and UDPASSOC. By default, the +external address is reported. It’s only useful in the +case of IP-IP NAT (will not work for PAT). |
| + |
+
+
+ -i |
++ |
+
+
+ Internal address. IP address the +proxy accepts connections to. By default, connections to any +interface are accepted. It´s usually unsafe. |
| + |
+
+
+ -p |
++ |
+
+
+ Port. Port proxy listens for +incoming connections. Default is 1080. |
| + |
+
+
+ -l |
++ |
+
+
+ Log. By default logging is to +stdout. If logfile is specified logging is to file. +Under Unix, if ´@´ preceeds +logfile, syslog is used for logging. |
| + |
+
+
+ -S |
++ |
+
+
+ Increase or decrease stack size. +You may want to try something like -S8192 if you experience +3proxy crashes. |
You should use a +client with SOCKS support or use some socksification support +(for example SocksCAP or FreeCAP). Configure +client to use internal_ip and port. SOCKS +allows you to use almost any application protocol without +limitation. This implementation also allows you to open +privileged ports on the server (if socks has sufficient +privileges). If you need to control access, use +3proxy(8) instead.
+ +Report all bugs +to 3proxy@3proxy.org
+ +3proxy(8),
+proxy(8), ftppr(8), pop3p(8), tcppm(8), udppm(8),
+syslogd(8),
+https://3proxy.org/
3proxy is +designed by Vladimir 3APA3A Dubrovin +(3proxy@3proxy.org)
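Review bot: The usage paragraph says the service can open privileged ports when it has sufficient privileges and only afterwards refers to 3proxy(8) for access control, while the -i entry notes that accepting on every interface is the default and usually unsafe. Add a sentence recommending -i with an internal address and an unprivileged account when socks runs standalone. "preceeds" in the -l entry should be "precedes".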
+tcppm - +TCP port mapper
+ +tcppm +[-d] [-l[[@]logfile]] +[-iinternal_ip] [-eexternal_ip] +local_port remote_host remote_port
+ +tcppm +forwards connections from local to remote TCP port
+ +| + |
+
+
+ -I |
++ |
+
+
+ Inetd mode. Standalone service +only. |
| + |
+
+
+ -d |
++ |
+
+
+ Daemonize. Detach service from +console and run in the background. |
| + |
+
+
+ -t |
++ |
+
+
+ Be silenT. Do not log +start/stop/accept error records. |
| + |
+
+
+ -e |
++ |
+
+
+ External address. IP address of +the interface the proxy should initiate connections from. By +default, the system will decide which address to use in +accordance with the routing table. |
| + |
+
+
+ -i |
++ |
+
+
+ Internal address. IP address the +proxy accepts connections to. By default, connections to any +interface are accepted. It´s usually unsafe. |
| + |
+
+
+ -l |
++ |
+
+
+ Log. By default logging is to +stdout. If logfile is specified logging is to file. +Under Unix, if ´@´ precedes +logfile, syslog is used for logging. |
| + |
+
+
+ -S |
++ |
+
+
+ Increase or decrease stack size. +You may want to try something like -S8192 if you experience +3proxy crashes. |
local_port
+ +- port tcppm accepts +connections on
+ +remote_host
+ +- IP address of the host the +connection is forwarded to
+ +remote_port
+ +- remote port the connection is +forwarded to
+ +Any TCP-based +application can be used as a client. Use internal_ip +and local_port as the destination in the client +application. The connection is forwarded to +remote_host:remote_port
+ +Report all bugs +to 3proxy@3proxy.org
+ +3proxy(8),
+proxy(8), ftppr(8), socks(8), pop3p(8), udppm(8),
+syslogd(8),
+https://3proxy.org/
3proxy is +designed by Vladimir 3APA3A Dubrovin +(3proxy@3proxy.org)
+tlspr - +SNI proxy gateway service
+ +tlspr +[-d][-a] [-l[[@]logfile]] +[-plistening_port] +[-Pdestination_port] +[-ctls_check_level] +[-iinternal_ip] +[-eexternal_ip]
+ +tlspr is +an SNI gateway service (destination host is taken from TLS +handshake). The destination port must be specified via the +-P option (or it may be detected with the Transparent +plugin).
+ +| + |
+
+
+ -I |
++ |
+
+
+ Inetd mode. Standalone service +only. |
| + |
+
+
+ -d |
++ |
+
+
+ Daemonize. Detach service from +console and run in the background. |
| + |
+
+
+ -t |
++ |
+
+
+ Be silenT. Do not log +start/stop/accept error records. |
| + |
+
+
+ -u |
++ |
+
+
+ Never ask for username +authentication |
| + |
+
+
+ -e |
++ |
+
+
+ External address. IP address of +the interface the proxy should initiate connections from. By +default, the system will decide which address to use in +accordance with the routing table. |
| + |
+
+
+ -i |
++ |
+
+
+ Internal address. IP address the +proxy accepts connections to. By default, connections to any +interface are accepted. It´s usually unsafe. |
| + |
+
+
+ -a |
++ |
+
+
+ Anonymous. Hide information +about client. |
| + |
+
+
+ -a1 |
++ |
+
+
+ Anonymous. Show fake information +about client. |
| + |
+
+
+ -p |
++ |
+
+
+ listening_port. Port proxy +listens for incoming connections. Default is 1443. |
| + |
+
+
+ -P |
++ |
+
+
+ destination_port. Port to +establish outgoing connections. Required unless the +Transparent plugin is used, because the TLS handshake does +not contain port information. Default is 443. |
| + |
+
+
+ -c |
++ |
+
+
+ TLS_CHECK_LEVEL. 0 (default) - +allow non-TLS traffic to pass, 1 - require TLS, only check +client HELLO packet, 2 - require TLS, check both client and +server HELLO, 3 - require TLS, check that the server sends a +certificate (not compatible with TLS 1.3), 4 - require +mutual TLS, check that the server sends a certificate +request and the client sends a certificate (not compatible +with TLS 1.3) |
| + |
+
+
+ -l |
++ |
+
+
+ Log. By default logging is to +stdout. If logfile is specified logging is to file. +Under Unix, if ´@´ precedes +logfile, syslog is used for logging. |
| + |
+
+
+ -S |
++ |
+
+
+ Increase or decrease stack size. +You may want to try something like -S8192 if you experience +3proxy crashes. |
You should use a +client with TLS support or configure a router to redirect +TLS traffic to the proxy (transparent proxy). Configure the +client to connect to internal_ip and port. If +you need to limit clients, use 3proxy(8) instead.
+ +Report all bugs +to 3proxy@3proxy.org
+ +3proxy(8),
+ftppr(8), proxy(8), socks(8), pop3p(8), smtpp(8), tcppm(8),
+udppm(8), syslogd(8),
+https://3proxy.org/
3proxy is +designed by Vladimir 3APA3A Dubrovin +(3proxy@3proxy.org)
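Review bot: The -P entry calls the destination port "Required unless the Transparent plugin is used" and then ends with "Default is 443", and the synopsis brackets -P as optional; say either that it is required or that it defaults to 443. The usage paragraph also refers to "port" where the synopsis and the -p entry use listening_port; use the same name.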
+udppm - +UDP port mapper
+ +udppm +[-ds] [-l[[@]logfile]] +[-iinternal_ip] [-eexternal_ip] +local_port remote_host remote_port
+ +udppm +forwards datagrams from local to remote UDP port
+ +| + |
+
+
+ -I |
++ |
+
+
+ Inetd mode. Standalone service +only. |
| + |
+
+
+ -d |
++ |
+
+
+ Daemonize. Detach service from +console and run in the background. |
| + |
+
+
+ -t |
++ |
+
+
+ Be silenT. Do not log +start/stop/accept error records. |
| + |
+
+
+ -e |
++ |
+
+
+ External address. IP address of +the interface the proxy should initiate datagrams from. By +default, the system will decide which address to use in +accordance with the routing table. |
| + |
+
+
+ -i |
++ |
+
+
+ Internal address. IP address the +proxy accepts datagrams to. By default, connections to any +interface are accepted. It´s usually unsafe. |
| + |
+
+
+ -l |
++ |
+
+
+ Log. By default logging is to +stdout. If logfile is specified logging is to file. +Under Unix, if ´@´ precedes +logfile, syslog is used for logging. |
| + |
+
+
+ -s |
++ |
+
+
+ Single packet. By default, only +one client can use the udppm service, but if -s is +specified, only one packet will be forwarded between client +and server. This allows the service to be shared between +multiple clients for single-packet services (for example, +name lookups). |
| + |
+
+
+ -S |
++ |
+
+
+ Increase or decrease stack size. +You may want to try something like -S8192 if you experience +3proxy crashes. |
local_port
+ +- port udppm accepts datagrams +on
+ +remote_host
+ +- IP address of the host +datagrams are forwarded to
+ +remote_port
+ +- remote port datagrams are +forwarded to
+ +Any UDP-based +application can be used as a client. Use internal_ip +and local_port as the destination in the client +application. All datagrams are forwarded to +remote_host:remote_port
+ +Report all bugs +to 3proxy@3proxy.org
+ +3proxy(8),
+proxy(8), ftppr(8), socks(8), pop3p(8), udppm(8),
+syslogd(8),
+https://3proxy.org/
3proxy is +designed by Vladimir 3APA3A Dubrovin +(3proxy@3proxy.org)
+
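Review bot: The see-also list on this page names udppm(8) itself and leaves out tcppm(8), which matches the list on the tcppm page word for word; replace the self-reference with tcppm(8). In the -i entry, "accepts datagrams to. By default, connections to any interface" mixes datagrams and connections; use datagrams throughout.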