Documentation update

This commit is contained in:
Vladimir Dubrovin 2026-07-04 11:51:40 +03:00
parent 4f99443750
commit 6b944f3fa9
10 changed files with 88 additions and 441 deletions

View File

@ -87,7 +87,7 @@ jobs:
copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\ copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\
copy doc\html\man8\*.* dist\3proxy\doc\html\man8\ copy doc\html\man8\*.* dist\3proxy\doc\html\man8\
copy doc\html\man5\*.* dist\3proxy\doc\html\man5\ copy doc\html\man5\*.* dist\3proxy\doc\html\man5\
copy doc\html\devel\*.rtf dist\3proxy\doc\html\devel\ copy doc\html\devel\*.* dist\3proxy\doc\html\devel\
copy copying dist\3proxy\ copy copying dist\3proxy\
copy authors dist\3proxy\ copy authors dist\3proxy\
copy README.md dist\3proxy\ copy README.md dist\3proxy\

View File

@ -86,7 +86,7 @@ jobs:
copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\ copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\
copy doc\html\man8\*.* dist\3proxy\doc\html\man8\ copy doc\html\man8\*.* dist\3proxy\doc\html\man8\
copy doc\html\man5\*.* dist\3proxy\doc\html\man5\ copy doc\html\man5\*.* dist\3proxy\doc\html\man5\
copy doc\html\devel\*.rtf dist\3proxy\doc\html\devel\ copy doc\html\devel\*.* dist\3proxy\doc\html\devel\
copy copying dist\3proxy\ copy copying dist\3proxy\
copy authors dist\3proxy\ copy authors dist\3proxy\
copy README.md dist\3proxy\ copy README.md dist\3proxy\

View File

@ -552,8 +552,7 @@ username ignored. <br>
Appropriate for most cases <b><br> Appropriate for most cases <b><br>
useronly</b> - authentication by username without checking useronly</b> - authentication by username without checking
for any password with authorization by ACLs. Useful for e.g. for any password with authorization by ACLs. Useful for e.g.
SOCKSv4 proxy and icqpr (icqpr set UIN / AOL screen name as SOCKSv4 proxy. <b><br>
a username) <b><br>
dnsname</b> - authentication by DNS hostname with dnsname</b> - authentication by DNS hostname with
authorization by ACLs. The DNS hostname is resolved via a authorization by ACLs. The DNS hostname is resolved via a
PTR (reverse) record and validated (the resolved name must PTR (reverse) record and validated (the resolved name must
@ -564,6 +563,12 @@ strong</b> - username/password authentication required. It
will work with SOCKSv5, FTP, POP3 and HTTP proxy. <b><br> will work with SOCKSv5, FTP, POP3 and HTTP proxy. <b><br>
cache</b> - cached authentication, may be used with cache</b> - cached authentication, may be used with
&acute;authcache&acute;. <b><br> &acute;authcache&acute;. <b><br>
cacheacl</b> - cached authentication, same as <b>cache</b>
but the ACL authorization result is also cached and not
re-evaluated on each request. Faster than <b>cache</b>, but
ACL changes do not take effect for cached users until the
cache entry expires. Use <b>cache</b> if ACLs may change
during the cache lifetime. <b><br>
radius</b> - authentication with RADIUS. <br> radius</b> - authentication with RADIUS. <br>
Plugins may add additional authentication types.</p> Plugins may add additional authentication types.</p>
@ -598,10 +603,20 @@ user,password</b> - both username and password are checked
against cached ones. <b><br> against cached ones. <b><br>
limit</b> - limit user to use only one ip, &acute;ip&acute; limit</b> - limit user to use only one ip, &acute;ip&acute;
and &acute;user&acute; are required <b><br> and &acute;user&acute; are required <b><br>
ack</b> - only use cached auth if user access service with acl</b> - only use cached auth if user access service with
same ACL <b><br> same ACL <b><br>
ext</b> - cache external IP <br> ext</b> - cache external IP <b><br>
Use auth type <b>cache</b> for cached authentication</p> dstaddr</b> - cache by destination IP address <b><br>
dstport</b> - cache by destination port <b><br>
dsthost</b> - cache by destination hostname <b><br>
dstoper</b> - cache by destination operation (e.g. HTTP
method) <b><br>
srvaddr</b> - cache by service (listener) address <b><br>
srvport</b> - cache by service (listener) port <br>
Multiple types can be combined (e.g.
<b>ip,user,dstaddr,dstport</b>). <br>
Use auth type <b>cache</b> (or <b>cacheacl</b>) for cached
authentication</p>
<p style="margin-left:6%; margin-top: 1em"><b>allow</b> <p style="margin-left:6%; margin-top: 1em"><b>allow</b>
<i>&lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt; <i>&lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt;
@ -746,8 +761,14 @@ ha</b> send HAProxy PROXY protocol v1 header to parent
proxy. Must be the last in the proxy chain. Useful for proxy. Must be the last in the proxy chain. Useful for
passing client IP information to the parent proxy. Example: passing client IP information to the parent proxy. Example:
parent 1000 ha <br> parent 1000 ha <br>
Use &quot;+&quot; proxy only with <b>fakeresolve</b> Use &quot;+&quot; proxy only with <b>fakeresolve</b> option
option</p> <br>
Any parent type above can be suffixed with <b>s</b> (e.g.
<b>https</b>, <b>tcps</b>, <b>socks5s</b>, <b>connect+s</b>)
to establish a TLS-encrypted connection to the parent proxy.
Requires SSL/TLS support (WITH_SSL) and is used with
<b>ssl_client_mode 3</b>, which only handshakes TLS for
<b>s</b>-suffixed parents.</p>
<p style="margin-left:6%; margin-top: 1em">IP and port are <p style="margin-left:6%; margin-top: 1em">IP and port are
ip addres and port of parent proxy server. If IP is zero, ip ip addres and port of parent proxy server. If IP is zero, ip
@ -946,12 +967,16 @@ The rest of parameters is identical to
pwtype is one of: <br> pwtype is one of: <br>
none (empty) - use system authentication <b><br> none (empty) - use system authentication <b><br>
CL</b> - password is cleartext <b><br> CL</b> - password is cleartext <b><br>
CR</b> - password is crypt-style password <b><br> CR</b> - password is crypt-style password. <b>$1$</b> prefix
uses MD5-crypt (requires OpenSSL), <b>$3$</b> prefix uses
BLAKE2b-crypt (always available, see <b>3proxy_crypt</b>(8))
<b><br>
NT</b> - password is NT password (in hex) <br> NT</b> - password is NT password (in hex) <br>
example: <br> example: <br>
users test1:CL:password1 users test1:CL:password1
&quot;test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49.&quot; <br> &quot;test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49.&quot; <br>
users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63 <br> users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63 <br>
users &quot;test4:CR:$3$salt$G47yV9w....&quot; <br>
Note: double quotes are required because the password Note: double quotes are required because the password
contains a $ sign.</p> contains a $ sign.</p>
@ -1268,8 +1293,8 @@ to <b>3proxy@3proxy.org</b></p>
<p style="margin-left:6%; margin-top: 1em">3proxy(8), <p style="margin-left:6%; margin-top: 1em">3proxy(8),
proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8), 3proxy_crypt(8), proxy(8), ftppr(8), socks(8), pop3p(8),
syslogd(8), <br> smtpp(8), tlspr(8), tcppm(8), udppm(8), syslogd(8), <br>
https://3proxy.org/</p> https://3proxy.org/</p>
<h2>AUTHORS <h2>AUTHORS

View File

@ -232,6 +232,20 @@ with TLS 1.3)</p></td></tr>
<td width="4%"> <td width="4%">
<p style="margin-top: 1em"><b>-s</b></p></td>
<td width="5%"></td>
<td width="85%">
<p style="margin-top: 1em">Split the TLS Client HELLO
packet across multiple TCP segments to make SNI-based DPI
detection harder. An optional numeric value can follow (e.g.
<b>-s1</b>) to control the splitting behaviour.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">
<p style="margin-top: 1em"><b>-l</b></p></td> <p style="margin-top: 1em"><b>-l</b></p></td>
<td width="5%"></td> <td width="5%"></td>
<td width="85%"> <td width="85%">

View File

@ -1,90 +0,0 @@
<h3>3proxy PCRE (Perl Compatible Regular Expressions) Filtering</h3>
<p><b>Note:</b> Since version 0.9.7, PCRE filtering is built into 3proxy and does not require
a separate plugin. All pcre_* commands are available directly when 3proxy is compiled with
PCRE2 support (WITH_PCRE). The plugin line is no longer needed.</p>
<p>This filtering functionality can be used to create matching and replacement
rules with regular expressions for client requests, client and
server headers, and client and server data. It adds 3 additional
configuration commands:</p>
<pre>
pcre TYPE FILTER_ACTION REGEXP [ACE]
pcre_rewrite TYPE FILTER_ACTION REGEXP REWRITE_EXPRESSION [ACE]
pcre_extend FILTER_ACTION [ACE]
pcre_options OPTION1 [...]
</pre>
pcre - allows applying a rule for matching
<br>pcre_rewrite - in addition to 'pcre', allows substituting substrings
<br>pcre_extend - extends the ACL of the last pcre or pcre_rewrite command by
adding an additional ACE (like with allow/deny configuration commands).
<br>pcre_options - allows setting matching options. Available options are:
PCRE_CASELESS,
PCRE_MULTILINE,
PCRE_DOTALL,
PCRE_EXTENDED,
PCRE_ANCHORED,
PCRE_DOLLAR_ENDONLY,
PCRE_EXTRA,
PCRE_NOTBOL,
PCRE_NOTEOL,
PCRE_UNGREEDY,
PCRE_NOTEMPTY,
PCRE_UTF8,
PCRE_NO_AUTO_CAPTURE,
PCRE_NO_UTF8_CHECK,
PCRE_AUTO_CALLOUT,
PCRE_PARTIAL,
PCRE_DFA_SHORTEST,
PCRE_DFA_RESTART,
PCRE_FIRSTLINE,
PCRE_DUPNAMES,
PCRE_NEWLINE_CR,
PCRE_NEWLINE_LF,
PCRE_NEWLINE_CRLF,
PCRE_NEWLINE_ANY,
PCRE_NEWLINE_ANYCRLF,
PCRE_BSR_ANYCRLF,
PCRE_BSR_UNICODE
<ul>
<li>TYPE - type of filtered data. May contain one or more
(comma-delimited list) values:
<ul>
<li>request - content of the client's request, e.g., the HTTP GET request string.
(known problem: changing the request string doesn't change the IP of the host to connect to)
<li>cliheader - content of the client request headers, e.g., HTTP request headers.
<li>srvheader - content of the server's reply headers, e.g., HTTP status and headers.
<li>clidata - data received from the client, e.g., HTTP POST request data
<li>srvdata - data received from the server, e.g., an HTML page
</ul>
<li>FILTER_ACTION - action on match
<ul><li>allow - allow this request without checking the rest of the rules for the given type
<li>deny - deny this request without checking the rest of the rules
<li>dunno - continue with the rest of the rules (useful with pcre_rewrite)
</ul>
<li>REGEXP - PCRE (Perl) regular expression. Use * if no regexp matching
is required.
<li>REWRITE_EXPRESSION - substitution string. May contain Perl-style
substrings
(not tested) $1, $2. $0 means the whole matched string. \r and \n may be used
to insert new strings; the string may be empty ("").
<li>ACE - access control entry (user names, source IPs, destination IPs,
ports, etc.), absolutely identical to allow/deny/bandlimin commands.
The regular expression is only matched if the ACL matches the connection data.
Warning:
Regular expressions don't require authentication and cannot replace
authentication and/or allow/deny ACLs.
</ul>
<h4>Example:</h4>
<pre>
pcre request deny "porn|sex" user1,user2,user3 192.168.0.0/16
pcre srvheader deny "Content-type: application"
pcre_rewrite clidata,srvdata dunno "porn|sex|pussy" "***" baduser
pcre_extend deny * 192.168.0.1/16
</pre>
&copy; Vladimir Dubrovin, License: BSD style

View File

@ -1,89 +0,0 @@
<h3>Фильтрация PCRE (Perl Compatible Regular Expressions) в 3proxy</h3>
<p><b>Примечание:</b> Начиная с версии 0.9.7 фильтрация PCRE встроена в 3proxy и не требует
отдельного плагина. Все команды pcre_* доступны напрямую при компиляции 3proxy с поддержкой
PCRE2 (WITH_PCRE). Строка plugin больше не нужна.</p>
<p>Фильтрующий плагин используется для создания правил поиска и замены
регулярных выражений в запросе, заголовков запроса и ответа и данных.
Добавляет поддержку 3х новых команд в файле конфигурации:</p>
<pre>
pcre TYPE FILTER_ACTION REGEXP [ACE]
pcre_rewrite TYPE FILTER_ACTION REGEXP REWRITE_EXPRESSION [ACE]
pcre_extend FILTER_ACTION [ACE]
pcre_options OPTION1 [...]
</pre>
pcre - позволяет искать совпадения
<br>pcre_rewrite - дополнительно позволяет производить замену подстрок
<br>pcre_extend - расширяет ACL последней команды pcre или pcre_rewrite путем
добавления еще одной ACE (аналогично списку правил allow/deny).
<br>pcre_options - позволяет устанавливать опции поиска, доступны следующие опции:
PCRE_CASELESS,
PCRE_MULTILINE,
PCRE_DOTALL,
PCRE_EXTENDED,
PCRE_ANCHORED,
PCRE_DOLLAR_ENDONLY,
PCRE_EXTRA,
PCRE_NOTBOL,
PCRE_NOTEOL,
PCRE_UNGREEDY,
PCRE_NOTEMPTY,
PCRE_UTF8,
PCRE_NO_AUTO_CAPTURE,
PCRE_NO_UTF8_CHECK,
PCRE_AUTO_CALLOUT,
PCRE_PARTIAL,
PCRE_DFA_SHORTEST,
PCRE_DFA_RESTART,
PCRE_FIRSTLINE,
PCRE_DUPNAMES,
PCRE_NEWLINE_CR,
PCRE_NEWLINE_LF,
PCRE_NEWLINE_CRLF,
PCRE_NEWLINE_ANY,
PCRE_NEWLINE_ANYCRLF,
PCRE_BSR_ANYCRLF,
PCRE_BSR_UNICODE
<ul>
<li>TYPE - тип фильтруемых данных. Может содержать одно или
несколько (список через запятую) значений:
<ul>
<li>request - содержимое запроса клиента (например строка HTTP GET-запроса).
(в настоящий момент изменение запроса не приводит к изменению адреса запрашиваемого хоста)
<li>cliheader - содержимое заголовков запроса клиента, например заголовки HTTP
<li>srvheader - содержимое заголовков ответа сервера, например заголовки HTTP
<li>clidata - данные полученные от клиента, например данные POST-запроса
<li>srvdata - данные полученные от сервера, например содержимое HTML-страницы
</ul>
<li>FILTER_ACTION - действие при совпадении. Может принимать значение
<ul><li>allow - разрешить данный запрос без просмотра дальнейших правил
<li>deny - запретить данный запрос без просмотра дальнейших правил
<li>dunno - продолжить анализ правил (полезно для pcre_rewrite)
</ul>
<li>REGEXP - регулярное выражение в формате PCRE (perl). Используйте * если не
требуется проерка регулярного выражения.
<li>REWRITE_EXPRESSION - строка замены. Может содержать макроподстановки
(не тестировалось) $1, $2 и т.д. аналогично perl. $0 - полная найденная
подстрока. В строке замены можно использовать сочетания \r, \n для вставки
новых строк. Строка может быть пустой ("").
<li>ACE - Список контроля доступа (имя пользователя, IP источника, IP назначения, порт и т.д.),
полностью аналогичный ACE в командах allow, deny, bandlimin и т.п. Регулярное
выражение проверяется только при совпадении ACE с запросом. ВНИМАНИЕ:
использование регулярных выражений не требует авторизации и не заменяет ее.
Авторизацию необходимо конфигурировать отдельно.
</ul>
<h4>Пример:</h4>
<pre>
pcre request deny "porn|sex" user1,user2,user3 192.168.0.0/16
pcre srvheader deny "Content-type: application"
pcre_rewrite clidata,srvdata dunno "porn|sex|pussy" "***" baduser
pcre_extend deny * 192.168.0.1/16
</pre>
&copy; Vladimir Dubrovin, License: BSD style

View File

@ -1,124 +0,0 @@
<h3>3proxy SSL/TLS Support</h3>
<p><b>Note:</b> Since version 0.9.7, SSL/TLS support is built into 3proxy and does not require
a separate plugin. All ssl_* commands are available directly when 3proxy is compiled with
OpenSSL support (WITH_SSL). The plugin line is no longer needed.</p>
<p>SSL/TLS support can be used to transparently decrypt SSL/TLS data, provide TLS encryption
for proxy traffic, and authenticate using client certificates.</p>
<h4>For transparent certificate spoofing (MITM):</h4>
<br>ssl_mitm - spoof certificates for services started below. Usage without ssl_client_verify is insecure.
<br>ssl_nomitm - do not spoof certificates for services started below
<h4>To protect traffic to the server (https:// proxy):</h4>
ssl_serv (or ssl_server) - require TLS connection from clients for services below
<br>ssl_noserv (or ssl_noserver) - do not require TLS connection from clients for services below
<h4>To use TLS for upstream connections:</h4>
ssl_cli (or ssl_client) - establish TLS connection to upstream server for services below
<br>ssl_nocli (or ssl_noclient) - do not establish TLS connection to upstream server for services below
<h4>Parameters:</h4>
<br><b>ssl_server_cert</b> /path/to/cert - Server certificate (should not be self-signed and must contain an Alternative Name) for ssl_serv
<br><b>ssl_server_key</b> /path/to/key - Server certificate key for ssl_server_cert or generated MITM certificate
<br><b>ssl_client_cert</b> /path/to/cert - Client certificate for authentication on upstream server (used with ssl_cli)
<br><b>ssl_client_key</b> /path/to/key - Client certificate key for ssl_client_cert
<br><b>ssl_client_ciphersuites</b> ciphersuites_list - TLS client ciphers for TLS 1.3, e.g., ssl_client_ciphersuites TLS_AES_128_GCM_SHA256
<br><b>ssl_server_ciphersuites</b> ciphersuites_list - TLS server ciphers for TLS 1.3
<br><b>ssl_client_cipher_list</b> ciphers_list - TLS client ciphers for TLS 1.2 and below, e.g., ssl_client_cipher_list ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
<br><b>ssl_server_cipher_list</b> ciphers_list - TLS server ciphers for TLS 1.2 and below
<br><b>ssl_client_min_proto_version</b> tls_version - TLS client minimum TLS version (e.g., TLSv1.2)
<br><b>ssl_server_min_proto_version</b> tls_version - TLS server minimum TLS version (e.g., TLSv1.2)
<br><b>ssl_client_max_proto_version</b> tls_version - TLS client maximum TLS version (e.g., TLSv1.2)
<br><b>ssl_server_max_proto_version</b> tls_version - TLS server maximum TLS version (e.g., TLSv1.2)
<br><b>ssl_client_verify</b> - verify the certificate for the upstream server in TLS client functionality (used with ssl_mitm or ssl_cli)
<br><b>ssl_client_no_verify</b> - do not verify the certificate for the upstream server in TLS client functionality (default)
<br><b>ssl_server_verify</b> - require client certificate authentication (mTLS) for ssl_serv
<br><b>ssl_server_no_verify</b> - do not require client certificate (default)
<br><b>ssl_server_ca_file</b> /path/to/cafile - CA certificate file for MITM
<br><b>ssl_server_ca_key</b> /path/to/cakey - key for ssl_server_ca_file MITM CA
<br><b>ssl_server_ca_dir</b> /path/to/cadir - CA directory for ssl_server_verify
<br><b>ssl_server_ca_store</b> /path/to/castore - CA store for ssl_server_verify (OpenSSL 3.0+)
<br><b>ssl_client_ca_file</b> /path/to/cafile - CA file for ssl_client_verify
<br><b>ssl_client_ca_dir</b> /path/to/cadir - CA directory for ssl_client_verify
<br><b>ssl_client_ca_store</b> /path/to/castore - CA store for ssl_client_verify (OpenSSL 3.0+)
<br><b>ssl_client_sni</b> hostname - SNI hostname to send to upstream server (overrides the requested hostname)
<br><b>ssl_client_alpn</b> protocol1 protocol2 ... - ALPN protocols to negotiate with upstream server (e.g., ssl_client_alpn h2 http/1.1)
<br><b>ssl_client_mode</b> mode - when to establish TLS connection: 0 - on connect (default), 1 - after authentication, 2 - before data, 3 - only for secure parent types (ending with 's')
<br><b>ssl_certcache</b> /path/to/cache/ - location for the generated MITM certificates cache, optional if ssl_server_ca_file / ssl_server_ca_key are configured.
The cache may contain 3 files: 3proxy.pem - public
self-signed certificates (used if ssl_server_ca_file is not configured),
3proxy.key - key for public certificates, used if ssl_server_ca_key is not configured, server.key - this key is used if ssl_server_key is not configured to generate
spoofed certificates. If server.key is absent, 3proxy.key is used to generate certificates.
Generated certificates are placed in the same path.
<h4>MITM example:</h4>
<pre>
ssl_server_ca_file /path/to/cafile
ssl_server_ca_key /path/to/cakey
ssl_mitm
proxy -p3128
ssl_nomitm
proxy -p3129
</pre>
MITM's traffic with a spoofed certificate for the port 3128 proxy.
<h4>https:// proxy example:</h4>
<pre>
ssl_server_cert path_to_cert
ssl_server_key path_to_key
ssl_serv
proxy -p33128
ssl_noserv
proxy -p3128
</pre>
Creates an https:// proxy on port 33128 and an http:// proxy on port 3128
<h4>TLS client example (connect to upstream via TLS):</h4>
<pre>
ssl_client_cert /path/to/client.crt
ssl_client_key /path/to/client.key
ssl_client_verify
ssl_client_ca_file /path/to/ca.crt
ssl_cli
proxy -p3128
</pre>
Creates an HTTP proxy that connects to upstream servers via TLS with client certificate authentication.
<h4>Conditional TLS for parent proxy (ssl_client_mode 3):</h4>
<pre>
ssl_server_cert /path/to/server.crt
ssl_server_key /path/to/key
ssl_client_mode 3
auth strong
allow user1
parent 1000 https parent1.example.com 443
allow user2
parent 1000 socks5 parent2.example.com 1080
ssl_serv
ssl_cli
proxy -p3128
ssl_noserv
ssl_nocli
</pre>
Creates an HTTP proxy on port 3128 that uses TLS for client connections (ssl_serv). With ssl_client_mode 3, TLS handshake to parent proxy is performed only if the parent type ends with 's' (secure types). In this example, user1's traffic goes through an https parent proxy with TLS encryption, while user2's traffic goes through a regular socks5 parent without TLS. Secure parent types include: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps.
<h4>mTLS example (require client certificate):</h4>
<pre>
ssl_server_cert /path/to/server.crt
ssl_server_key /path/to/server.key
ssl_server_ca_file /path/to/ca.crt
ssl_server_verify
ssl_serv
proxy -p3128
</pre>
Creates an https:// proxy that requires client certificate authentication.
&copy; Vladimir Dubrovin, License: BSD style

View File

@ -1,120 +0,0 @@
<h3>3proxy SSL/TLS поддержка</h3>
<p><b>Примечание:</b> Начиная с версии 0.9.7 поддержка SSL/TLS встроена в 3proxy и не требует
отдельного плагина. Все команды ssl_* доступны напрямую при компиляции 3proxy с поддержкой
OpenSSL (WITH_SSL). Строка plugin больше не нужна.</p>
<p>Плагин можно использовать для перехвата и дешифровки SSL/TLS трафика, для шифрования трафика прокси-сервера и аутентификации с помощью клиентских сертификатов.</p>
<h4>Для прозрачного перехвата трафика (MITM):</h4>
<br>ssl_mitm - подменять сертификаты для сервисов, запущенных ниже. Использование без ssl_client_verify небезопасно.
<br>ssl_nomitm - не подменять сертификаты для сервисов, запущенных ниже.
<h4>Для защиты трафика прокси-сервера (https:// proxy):</h4>
ssl_serv (или ssl_server) - требовать TLS-соединение от клиентов для сервисов, запущенных ниже
<br>ssl_noserv (или ssl_noserver) - не требовать TLS-соединение от клиентов для сервисов, запущенных ниже
<h4>Для использования TLS при соединении к вышестоящему серверу:</h4>
ssl_cli (или ssl_client) - устанавливать TLS-соединение к вышестоящему серверу для сервисов, запущенных ниже
<br>ssl_nocli (или ssl_noclient) - не устанавливать TLS-соединение к вышестоящему серверу для сервисов, запущенных ниже
<h4>Параметры:</h4>
<br><b>ssl_server_cert</b> /path/to/cert - сертификат сервера (не должен быть самоподписанным, должен содержать альтернативные имена) для ssl_serv
<br><b>ssl_server_key</b> /path/to/key - ключ сертификата сервера для ssl_server_cert или сгенерированного MITM-сертификата
<br><b>ssl_client_cert</b> /path/to/cert - клиентский сертификат для аутентификации на вышестоящем сервере (используется с ssl_cli)
<br><b>ssl_client_key</b> /path/to/key - ключ клиентского сертификата для ssl_client_cert
<br><b>ssl_client_ciphersuites</b> ciphersuites_list - наборы шифров TLS для TLS 1.3 (клиент), пример: ssl_client_ciphersuites TLS_AES_128_GCM_SHA256
<br><b>ssl_server_ciphersuites</b> ciphersuites_list - наборы шифров TLS для TLS 1.3 (сервер)
<br><b>ssl_client_cipher_list</b> ciphers_list - наборы шифров TLS для TLS 1.2 и ниже (клиент), пример: ssl_client_cipher_list ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
<br><b>ssl_server_cipher_list</b> ciphers_list - наборы шифров TLS для TLS 1.2 и ниже (сервер)
<br><b>ssl_client_min_proto_version</b> tls_version - минимальная версия TLS клиента (например, ssl_client_min_proto_version TLSv1.2)
<br><b>ssl_server_min_proto_version</b> tls_version - минимальная версия TLS сервера
<br><b>ssl_client_max_proto_version</b> tls_version - максимальная версия TLS клиента
<br><b>ssl_server_max_proto_version</b> tls_version - максимальная версия TLS сервера
<br><b>ssl_client_verify</b> - проверять сертификат вышестоящего сервера (используется с ssl_mitm или ssl_cli)
<br><b>ssl_client_no_verify</b> - не проверять сертификат вышестоящего сервера (по умолчанию)
<br><b>ssl_server_verify</b> - требовать клиентский сертификат (mTLS) для ssl_serv
<br><b>ssl_server_no_verify</b> - не требовать клиентский сертификат (по умолчанию)
<br><b>ssl_server_ca_file</b> /path/to/cafile - файл CA-сертификата для MITM
<br><b>ssl_server_ca_key</b> /path/to/cakey - ключ CA-сертификата ssl_server_ca_file для MITM
<br><b>ssl_server_ca_dir</b> /path/to/cadir - директория CA-сертификатов для ssl_server_verify
<br><b>ssl_server_ca_store</b> /path/to/castore - хранилище CA-сертификатов для ssl_server_verify (OpenSSL 3.0+)
<br><b>ssl_client_ca_file</b> /path/to/cafile - файл CA-сертификатов для ssl_client_verify
<br><b>ssl_client_ca_dir</b> /path/to/cadir - директория CA-сертификатов для ssl_client_verify
<br><b>ssl_client_ca_store</b> /path/to/castore - хранилище CA-сертификатов для ssl_client_verify (OpenSSL 3.0+)
<br><b>ssl_client_sni</b> hostname - SNI-имя хоста для отправки вышестоящему серверу (переопределяет запрошенное имя хоста)
<br><b>ssl_client_alpn</b> протокол1 протокол2 ... - ALPN-протоколы для согласования с вышестоящим сервером (например, ssl_client_alpn h2 http/1.1)
<br><b>ssl_client_mode</b> режим - когда устанавливать TLS-соединение: 0 - при подключении (по умолчанию), 1 - после аутентификации, 2 - перед передачей данных, 3 - только для защищённых типов parent прокси (заканчивающихся на 's')
<br><b>ssl_certcache</b> /path/to/cache/ - расположение кеша сгенерированных MITM-сертификатов. Кеш может содержать
файлы 3proxy.pem, 3proxy.key, server.key, которые используются как ssl_server_ca_file,
ssl_server_ca_key и ssl_server_key соответственно, если они не заданы. Если server.key не задан,
3proxy.key используется для генерации серверного сертификата.
<h4>Пример MITM:</h4>
<pre>
ssl_server_ca_file /path/to/cafile
ssl_server_ca_key /path/to/cakey
ssl_mitm
proxy -p3128
ssl_nomitm
proxy -p3129
</pre>
Перехватывается трафик в прокси на порту 3128.
<h4>Пример конфигурации https:// прокси:</h4>
<pre>
ssl_server_cert path_to_cert
ssl_server_key path_to_key
ssl_serv
proxy -p33128
ssl_noserv
proxy -p3128
</pre>
На порту 33128 создается https:// прокси, на порту 3128 - http:// прокси.
<h4>Пример TLS-клиента (соединение к вышестоящему серверу через TLS):</h4>
<pre>
ssl_client_cert /path/to/client.crt
ssl_client_key /path/to/client.key
ssl_client_verify
ssl_client_ca_file /path/to/ca.crt
ssl_cli
proxy -p3128
</pre>
Создается HTTP-прокси, который соединяется с вышестоящими серверами через TLS с аутентификацией по клиентскому сертификату.
<h4>Условное TLS для parent прокси (ssl_client_mode 3):</h4>
<pre>
ssl_server_cert /path/to/server.crt
ssl_server_key /path/to/key
ssl_client_mode 3
auth strong
allow user1
parent 1000 https parent1.example.com 443
allow user2
parent 1000 socks5 parent2.example.com 1080
ssl_serv
ssl_cli
proxy -p3128
ssl_noserv
ssl_nocli
</pre>
Создается HTTP-прокси на порту 3128, использующий TLS для клиентских соединений (ssl_serv). При ssl_client_mode 3 TLS-рукопожатие с родительским прокси выполняется только если тип parent прокси заканчивается на 's' (защищённые типы). В данном примере трафик user1 идёт через https родительский прокси с TLS-шифрованием, а трафик user2 — через обычный socks5 родитель без TLS. Защищённые типы parent прокси: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps.
<h4>Пример mTLS (требование клиентского сертификата):</h4>
<pre>
ssl_server_cert /path/to/server.crt
ssl_server_key /path/to/server.key
ssl_server_ca_file /path/to/ca.crt
ssl_server_verify
ssl_serv
proxy -p3128
</pre>
Создается https:// прокси, требующий аутентификацию по клиентскому сертификату.
&copy; Vladimir Dubrovin, License: BSD style

View File

@ -591,8 +591,7 @@ This is the default authentication type
Appropriate for most cases Appropriate for most cases
.br .br
\fBuseronly\fR - authentication by username without checking for any password with \fBuseronly\fR - authentication by username without checking for any password with
authorization by ACLs. Useful for e.g. SOCKSv4 proxy and icqpr (icqpr set UIN / authorization by ACLs. Useful for e.g. SOCKSv4 proxy.
AOL screen name as a username)
.br .br
\fBdnsname\fR - authentication by DNS hostname with authorization by ACLs. \fBdnsname\fR - authentication by DNS hostname with authorization by ACLs.
The DNS hostname is resolved via a PTR (reverse) record and validated (the resolved The DNS hostname is resolved via a PTR (reverse) record and validated (the resolved
@ -604,6 +603,11 @@ NB: there is no password check; the name may be spoofed.
SOCKSv5, FTP, POP3 and HTTP proxy. SOCKSv5, FTP, POP3 and HTTP proxy.
.br .br
\fBcache\fR - cached authentication, may be used with \'authcache\'. \fBcache\fR - cached authentication, may be used with \'authcache\'.
.br
\fBcacheacl\fR - cached authentication, same as \fBcache\fR but the ACL
authorization result is also cached and not re-evaluated on each request. Faster
than \fBcache\fR, but ACL changes do not take effect for cached users until the
cache entry expires. Use \fBcache\fR if ACLs may change during the cache lifetime.
.br .br
\fBradius\fR - authentication with RADIUS. \fBradius\fR - authentication with RADIUS.
.br .br
@ -641,11 +645,25 @@ assigned to the same user without actual authentication.
.br .br
\fBlimit\fR - limit user to use only one ip, \'ip\' and \'user\' are required \fBlimit\fR - limit user to use only one ip, \'ip\' and \'user\' are required
.br .br
\fBack\fR - only use cached auth if user access service with same ACL \fBacl\fR - only use cached auth if user access service with same ACL
.br .br
\fBext\fR - cache external IP \fBext\fR - cache external IP
.br .br
Use auth type \fBcache\fR for cached authentication \fBdstaddr\fR - cache by destination IP address
.br
\fBdstport\fR - cache by destination port
.br
\fBdsthost\fR - cache by destination hostname
.br
\fBdstoper\fR - cache by destination operation (e.g. HTTP method)
.br
\fBsrvaddr\fR - cache by service (listener) address
.br
\fBsrvport\fR - cache by service (listener) port
.br
Multiple types can be combined (e.g. \fBip,user,dstaddr,dstport\fR).
.br
Use auth type \fBcache\fR (or \fBcacheacl\fR) for cached authentication
.br .br
.BR allow .BR allow
@ -808,6 +826,12 @@ in the proxy chain. Useful for passing client IP information to the parent proxy
Example: parent 1000 ha Example: parent 1000 ha
.br .br
Use "+" proxy only with \fBfakeresolve\fR option Use "+" proxy only with \fBfakeresolve\fR option
.br
Any parent type above can be suffixed with \fBs\fR (e.g. \fBhttps\fR,
\fBtcps\fR, \fBsocks5s\fR, \fBconnect+s\fR) to establish a TLS-encrypted
connection to the parent proxy. Requires SSL/TLS support (WITH_SSL) and is
used with \fBssl_client_mode 3\fR, which only handshakes TLS for \fBs\fR-suffixed
parents.
.br .br
IP and port are ip addres and port of parent proxy server. IP and port are ip addres and port of parent proxy server.
@ -1047,7 +1071,9 @@ the format:
.br .br
\fBCL\fR - password is cleartext \fBCL\fR - password is cleartext
.br .br
\fBCR\fR - password is crypt-style password \fBCR\fR - password is crypt-style password. \fB$1$\fR prefix uses MD5-crypt
(requires OpenSSL), \fB$3$\fR prefix uses BLAKE2b-crypt (always available, see
.BR 3proxy_crypt (8))
.br .br
\fBNT\fR - password is NT password (in hex) \fBNT\fR - password is NT password (in hex)
.br .br
@ -1056,6 +1082,8 @@ the format:
users test1:CL:password1 "test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49." users test1:CL:password1 "test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49."
.br .br
users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63 users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63
.br
users "test4:CR:$3$salt$G47yV9w...."
.br .br
Note: double quotes are required because the password contains a $ sign. Note: double quotes are required because the password contains a $ sign.
@ -1356,7 +1384,7 @@ authentication and/or allow/deny ACLs.
Report all bugs to Report all bugs to
.BR 3proxy@3proxy.org .BR 3proxy@3proxy.org
.SH SEE ALSO .SH SEE ALSO
3proxy(8), proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8), syslogd(8), 3proxy(8), 3proxy_crypt(8), proxy(8), ftppr(8), socks(8), pop3p(8), smtpp(8), tlspr(8), tcppm(8), udppm(8), syslogd(8),
.br .br
https://3proxy.org/ https://3proxy.org/
.SH AUTHORS .SH AUTHORS

View File

@ -75,6 +75,9 @@ destination_port. Port to establish outgoing connections. Required unless the Tr
.B -c .B -c
TLS_CHECK_LEVEL. 0 (default) - allow non-TLS traffic to pass, 1 - require TLS, only check client HELLO packet, 2 - require TLS, check both client and server HELLO, 3 - require TLS, check that the server sends a certificate (not compatible with TLS 1.3), 4 - require mutual TLS, check that the server sends a certificate request and the client sends a certificate (not compatible with TLS 1.3) TLS_CHECK_LEVEL. 0 (default) - allow non-TLS traffic to pass, 1 - require TLS, only check client HELLO packet, 2 - require TLS, check both client and server HELLO, 3 - require TLS, check that the server sends a certificate (not compatible with TLS 1.3), 4 - require mutual TLS, check that the server sends a certificate request and the client sends a certificate (not compatible with TLS 1.3)
.TP .TP
.B -s
Split the TLS Client HELLO packet across multiple TCP segments to make SNI-based DPI detection harder. An optional numeric value can follow (e.g. \fB-s1\fR) to control the splitting behaviour.
.TP
.B -l .B -l
Log. By default logging is to stdout. If Log. By default logging is to stdout. If
.I logfile .I logfile