From 6c3c5f31a24c5305989f4897d9e9d7ecff5c8c39 Mon Sep 17 00:00:00 2001
From: Vladimir Dubrovin <3proxy@3proxy.ru>
Date: Mon, 27 Apr 2026 21:11:25 +0300
Subject: [PATCH] Update mans
---
doc/html/man3/3proxy.cfg.3.html | 592 ++++++++++++++++----------------
doc/html/man8/ftppr.8.html | 2 +-
doc/html/man8/pop3p.8.html | 4 +-
doc/html/man8/smtpp.8.html | 2 +-
man/3proxy.cfg.3 | 450 ++++++++++++------------
man/ftppr.8 | 2 +-
man/pop3p.8 | 2 +-
man/smtpp.8 | 2 +-
8 files changed, 527 insertions(+), 529 deletions(-)
diff --git a/doc/html/man3/3proxy.cfg.3.html b/doc/html/man3/3proxy.cfg.3.html
index b343ff8..a141bab 100644
--- a/doc/html/man3/3proxy.cfg.3.html
+++ b/doc/html/man3/3proxy.cfg.3.html
@@ -84,10 +84,10 @@ smtpp [options]
ftppr [options]
admin [options]
dnspr [options]
-tcppm [options] <SRCPORT> <DSTADDR>
-<DSTPORT>
-udppm [options] <SRCPORT> <DSTADDR>
-<DSTPORT>
+tcppm [options] <SRCPORT> <DSTADDR>
+<DSTPORT>
+udppm [options] <SRCPORT> <DSTADDR>
+<DSTPORT>
Descriptions:
proxy HTTP/HTTPS proxy (default port 3128)
socks SOCKS 4/4.5/5 proxy (default port 1080)
@@ -111,15 +111,14 @@ specified for syntax compatibility.
udppm UDP portmapper
Options:
--pNUMBER change default server port to NUMBER
--n disable NTLM authentication (required if passwords
-are stored in Unix crypt format).
--n1 enable NTLMv1 authentication.
--g(GRACE_TRAFF,GRACE_NUM,GRACE_DELAY) delay GRACE_DELAY
-milliseconds before polling if average polling size is below
-GRACE_TRAFF bytes and GRACE_NUM read operations in a single
-direction are detected within 1 second. Useful to minimize
-polling -s
+-pNUMBER change default server port to NUMBER
+
+
+-g(GRACE_TRAFF,GRACE_NUM,GRACE_DELAY)
+delay GRACE_DELAY milliseconds before polling if average
+polling size is below GRACE_TRAFF bytes and GRACE_NUM read
+operations in a single direction are detected within 1
+second. Useful to minimize polling -s
(for admin) secure, allow only secure operations, currently
only traffic counters view without ability to reset.
(for dnspr) simple, do not use resolver and 3proxy cache,
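Review bot: The -n and -n1 entries are deleted from the Options list and only two empty lines are added in their place, while the commit subject ("Update mans") gives no reason. If NTLM support was removed from the code, say so in the commit message and drop the leftover empty lines. If it was not removed, this deletes the only text telling an operator that -n is required when passwords are stored in Unix crypt format, so the entries should stay.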
@@ -142,35 +141,37 @@ packed in IPv6 in IPV6_V6ONLY compatible way.
resolvable
-64 Resolve IPv4 addresses if IPv6 address is not
resolvable
--RHOST:port listen on given local HOST:port for incoming
-connections instead of making remote outgoing connection.
-Can be used with another 3proxy service running -r option
-for connect back functionality. Most commonly used with
-tcppm. HOST can be given as IP or hostname, useful in case
-of dynamic DNS.
--rHOST:port connect to given remote HOST:port instead of
-listening local connection on -p or default port. Can be
-used with another 3proxy service running -R option for
-connect back functionality. Most commonly used with proxy or
-socks. HOST can be given as IP or hostname, useful in case
-of dynamic DNS.
--ocOPTIONS, -osOPTIONS, -olOPTIONS, -orOPTIONS,
--oROPTIONS options for proxy-to-client (oc),
-proxy-to-server (os), proxy listening (ol), connect back
-client (or), connect back listening (oR) sockets. Options
-like TCP_CORK, TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK,
-TCP_TIMESTAMPS, USE_TCP_FASTOPEN, SO_REUSEADDR,
-SO_REUSEPORT, SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT,
-SO_KEEPALIVE, SO_DONTROUTE may be supported depending on OS.
-
--DiINTERFACE, -DeINTERFACE bind internal interface /
-external interface to given INTERFACE (e.g. eth0) if
-SO_BINDTODEVICE is supported by the system. You may need to
-run as root or have CAP_NET_RAW capability in order to bind
-to an interface, depending on the system, so this option may
+-RHOST:port listen on given local
+HOST:port for incoming connections instead of making remote
+outgoing connection. Can be used with another 3proxy service
+running -r option for connect back functionality. Most
+commonly used with tcppm. HOST can be given as IP or
+hostname, useful in case of dynamic DNS.
+-rHOST:port connect to given remote
+HOST:port instead of listening local connection on -p or
+default port. Can be used with another 3proxy service
+running -R option for connect back functionality. Most
+commonly used with proxy or socks. HOST can be given as IP
+or hostname, useful in case of dynamic DNS.
+-ocOPTIONS, -osOPTIONS,
+-olOPTIONS, -orOPTIONS,
+-oROPTIONS options for proxy-to-client
+(-oc), proxy-to-server (-os), proxy listening
+(-ol), connect back client (-or), connect back
+listening (-oR) sockets. Options like TCP_CORK,
+TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK, TCP_TIMESTAMPS,
+USE_TCP_FASTOPEN, SO_REUSEADDR, SO_REUSEPORT,
+SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT, SO_KEEPALIVE,
+SO_DONTROUTE may be supported depending on OS.
+-DiINTERFACE, -DeINTERFACE bind
+internal (-Di) / external (-De) interface to
+given INTERFACE (e.g. eth0) if SO_BINDTODEVICE is
+supported by the system. You may need to run as root or have
+CAP_NET_RAW capability in order to bind to an
+interface, depending on the system, so this option may
require root privileges and can be incompatible with some
-configuration commands like chroot and setuid (and daemon if
-setcap is used).
+configuration commands like chroot and setuid
+(and daemon if setcap is used).
-e External address. IP address of the interface the
proxy should initiate connections from. External IP must be
specified if you need incoming connections. By default the
@@ -207,10 +208,10 @@ proxy access must be authenticated, you can specify username
as proxy_username:proxy_password:POP3_username@pop3server
DNS proxy resolves any types of records but only hostnames
-are cached. It requires nserver/nscache to be configured. If
-nserver is configured as TCP, redirections are applied on
-connection, so parent proxy may be used to resolve names to
-IP.
+are cached. It requires nserver/nscache to be
+configured. If nserver is configured as TCP,
+redirections are applied on connection, so parent proxy may
+be used to resolve names to IP.
FTP proxy can be used as FTP server in any FTP client or
configured as FTP proxy on a client with FTP proxy support.
Username format is one of
@@ -224,11 +225,11 @@ authentication use proxyuser:proxypassword:FTPuser as FTP
username, otherwise do not change original FTP user name
include
-<path>
+<path>
Include config file
config
-<path>
+<path>
Path to configuration file to use on 3proxy restart or to
save configuration.
log
-[[@|&]logfile] [<LOGTYPE>]
+[[@|&]logfile] [<LOGTYPE>]
sets logfile for all gateways
@ (for Unix) use syslog, filename is used as ident name
& use ODBC, filename consists of comma-delimited
datasource,username,password (username and password are
optional)
radius - use RADIUS for logging
-LOGTYPE is one of:
-c Minutely
-H Hourly
-D Daily
-W Weekly (starting from Sunday)
-M Monthly
-Y Annually
+LOGTYPE is one of:
+c Minutely
+H Hourly
+D Daily
+W Weekly (starting from Sunday)
+M Monthly
+Y Annually
if logfile is not specified logging goes to stdout. You can
specify individual logging options for gateway by using -l
option in gateway configuration.
@@ -270,12 +271,12 @@ Grinwitch time zone for all time-based format
specificators.
rotate
-<n>
+<n>
how many archived log files to keep
logformat
-<format>
+<format>
Format for log record. First symbol in format must be L
(local time) or G (absolute Grinwitch time). It can be
preceeded with -XXX+Y where XXX is list of characters to be
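Review bot: The logformat text carried through this hunk still reads "Grinwitch" (twice, counting the hunk header context) and "preceeded". Since the page is being regenerated anyway, correct the roff source to "Greenwich" and "preceded" so the HTML picks it up.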
@@ -332,7 +333,8 @@ l_service, l_in, l_out, l_descr) values (´%d-%m-%Y
´%T´)"
logdump
-<in_traffic_limit> <out_traffic_limit>
+<in_traffic_limit> <out_traffic_limit>
+
Immediately creates additional log records if given amount
of incoming/outgoing traffic is achieved for connection,
without waiting for connection to finish. It may be useful
@@ -341,7 +343,7 @@ server shutdown.
delimchar
-<char>
+<char>
Sets the delimiter character used to separate username from
hostname in proxy authentication strings (e.g. for FTP, POP3
proxies). Default is ´@´. For example, to use
@@ -349,48 +351,50 @@ proxies). Default is ´@´. For example, to use
to contain the ´@´ character.
archiver
-<ext> <commandline>
+<ext> <commandline>
Archiver to use for log files. <ext> is file extension
produced by archiver. Filename will be last argument to
archiver, optionally you can use %A as produced archive name
and %F as filename.
timeouts
-<BYTE_SHORT> <BYTE_LONG> <STRING_SHORT>
+<BYTE_SHORT> <BYTE_LONG> <STRING_SHORT>
<STRING_LONG> <CONNECTION_SHORT>
<CONNECTION_LONG> <DNS> <CHAIN>
-<CONNECT> <CONNECTBACK>
+<CONNECT> <CONNECTBACK>
Sets timeout values, defaults 1, 5, 30, 60, 180, 1800, 15,
-60, 15, 5.
-BYTE_SHORT short timeout for single byte, is usually used
-for receiving single byte from stream.
-BYTE_LONG long timeout for single byte, is usually used for
-receiving first byte in frame (for example first byte in
-socks request).
-STRING_SHORT short timeout, for character string within
-stream (for example to wait between 2 HTTP headers)
-STRING_LONG long timeout, for first string in stream (for
-example to wait for HTTP request).
-CONNECTION_SHORT inactivity timeout for short connections
-(HTTP, POP3, etc).
-CONNECTION_LONG inactivity timeout for long connection
-(SOCKS, portmappers, etc).
-DNS timeout for DNS request before requesting next server
+60, 15, 5.
+BYTE_SHORT short timeout for single byte, is usually
+used for receiving single byte from stream.
+BYTE_LONG long timeout for single byte, is usually used
+for receiving first byte in frame (for example first byte in
+socks request).
+STRING_SHORT short timeout, for character string within
+stream (for example to wait between 2 HTTP headers)
+STRING_LONG long timeout, for first string in stream
+(for example to wait for HTTP request).
+CONNECTION_SHORT inactivity timeout for short
+connections (HTTP, POP3, etc).
+CONNECTION_LONG inactivity timeout for long connection
+(SOCKS, portmappers, etc).
+DNS timeout for DNS request before requesting next
+server
+CHAIN timeout for reading data from chained connection
-CHAIN timeout for reading data from chained connection
default timeouts 1 5 30 60 180 1800 15 60 15 5
maxseg
-<value>
+<value>
Sets TCP maximum segment size (MSS) for outgoing
connections. This can be used to work around path MTU
discovery issues or to optimize traffic for specific network
conditions.
radius
-<NAS_SECRET>
-<radius_server_1[:port][/local_address_1]>
-<radius_server_2[:port][/local_address_2]>
+<NAS_SECRET>
+<radius_server_1[:port][/local_address_1]
+<radius_server_2[:port][/local_address_2]
+
Configures RADIUS servers to be used for logging and
authentication (log and auth types must be set to radius).
port and local address to use with given server may be
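Review bot: The two radius server arguments lose their closing angle bracket in the added lines ("<radius_server_1[:port][/local_address_1]" and the same for server 2), so the synopsis no longer reads as bracketed placeholders like <NAS_SECRET> above it; restore the ">". In the timeouts block of the same hunk, the synopsis and the defaults both list ten values, but the per-field descriptions stop at CHAIN. Add entries for CONNECT and CONNECTBACK so the last two defaults (15 and 5) are explained.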
@@ -409,12 +413,12 @@ CONNECT), Login-TCP-Port: (requested port), Login-IPv6-Host
/ Login-IP-Host: (requested IP).
Supported reply attributes for authentication:
Framed-IP-Address / Framed-IPv6-Address (IP to assign to
-user), Reply-Message. Use authcache to speedup
+user), Reply-Message. Use authcache to speedup
authentication. RADIUS feature is currently
experimental.
nserver
-<ipaddr>[:port][/tcp]
+<ipaddr>[:port][/tcp]
Nameserver to use for name resolutions. If none specified
system routines for name resolution is used. Optional port
number may be specified. If optional /tcp is added to IP
@@ -422,33 +426,36 @@ address, name resolution is performed over TCP.
authnserver
-<ipaddr>[:port][/tcp]
+<ipaddr>[:port][/tcp]
Nameserver to use for DNS-based authentication (e.g. dnsname
auth type). If not specified, nserver is used. The syntax is
the same as for nserver.
nscache
-<cachesize> nscache6 <cachesize>
-Cache <cachesize> records for name resolution (nscache
-for IPv4, nscache6 for IPv6). The cache size should usually
-be large enough (for example, 65536).
nsrecord
-<hostname> <hostaddr>
-Adds static record to nscache. nscache must be enabled. If
-0.0.0.0 is used as a hostaddr host will never resolve, it
-can be used to blacklist something or together with
-dialer command to set up UDL for dialing.
fakeresolve
All names are resolved to the 127.0.0.2 address. Useful if
-all requests are redirected to a parent proxy with http,
-socks4+, connect+ or socks5+.
dialer
-<progname>
+<progname>
Execute progname if external name can´t be resolved.
Hint: if you use nscache, dialer may not work, because names
will be resolved through cache. In this case you can use
@@ -456,7 +463,7 @@ something like http://dial.right.now/ from browser to set up
connection.
internal
-<ipaddr>
+<ipaddr>
sets ip address of internal interface. This IP address will
be used to bind gateways. Alternatively you can use -i
option for individual gateways. Since 0.8 version, IPv6
@@ -470,27 +477,29 @@ using Unix sockets, the socket file is automatically created
and removed on service start/stop.
external
-<ipaddr>
+<ipaddr>
sets ip address of external interface. This IP address will
be source address for all connections made by proxy.
Alternatively you can use -e option to specify individual
-address for gateway. Since 0.8 version External or -e can be
-given twice: once with IPv4 and once with IPv6 address.
maxconn
-<number>
+<number>
sets the maximum number of simultaneous connections to each
service started after this command at the network level.
Default is 100.
-To limit clients, use connlim instead. maxconn will silently
-ignore new connections, while connlim will report back to
-the client that the connection limit has been reached.
backlog
sets the listening socket backlog of new connections.
-Default is 1 + maxconn/8. Maximum value is capped by kernel
-tunable somaxconn.
service
@@ -504,35 +513,35 @@ reinstall the service.
auth
-<authtype> [...]
-Type of user authorization. Currently supported:
-none - no authentication or authorization required.
+<authtype> [...]
+Type of user authorization. Currently supported:
+none - no authentication or authorization required.
Note: if auth is none, any IP-based limitation, redirection,
etc. will not work. This is the default authentication type
-
-iponly - authentication by access control list with username
-ignored.
-Appropriate for most cases
-useronly - authentication by username without checking for
-any password with authorization by ACLs. Useful for e.g.
+
+iponly - authentication by access control list with
+username ignored.
+Appropriate for most cases
+useronly - authentication by username without checking
+for any password with authorization by ACLs. Useful for e.g.
SOCKSv4 proxy and icqpr (icqpr set UIN / AOL screen name as
-a username)
-dnsname - authentication by DNS hostname with authorization
-by ACLs. The DNS hostname is resolved via a PTR (reverse)
-record and validated (the resolved name must resolve to the
-same IP address). It´s recommended to use authcache by
-IP for this authentication. NB: there is no password check;
-the name may be spoofed.
-strong - username/password authentication required. It will
-work with SOCKSv5, FTP, POP3 and HTTP proxy.
-cache - cached authentication, may be used with
-´authcache´.
-radius - authentication with RADIUS.
+a username)
+dnsname - authentication by DNS hostname with
+authorization by ACLs. The DNS hostname is resolved via a
+PTR (reverse) record and validated (the resolved name must
+resolve to the same IP address). It´s recommended to
+use authcache by IP for this authentication. NB: there is no
+password check; the name may be spoofed.
+strong - username/password authentication required. It
+will work with SOCKSv5, FTP, POP3 and HTTP proxy.
+cache - cached authentication, may be used with
+´authcache´.
+radius - authentication with RADIUS.
Plugins may add additional authentication types.
It´s @@ -550,38 +559,39 @@ shared ones.
authcache
-<cachtype> <cachtime>
+<cachtype> <cachtime> <cachesize>
+
Cache authentication information for a given amount of time
-(cachetime) in seconds. Cachetype is one of:
-ip - after successful authentication all connections during
-caching time from same IP are assigned to the same user,
-username is not requested.
-ip,user username is requested and all connections from the
-same IP are assigned to the same user without actual
-authentication.
-user - same as above, but IP is not checked.
-user,password - both username and password are checked
-against cached ones.
-limit - limit user to use only one ip, ´ip´ and
-´user´ are required
-acl - only use cached auth if user access service with same
-ACL
-ext - cache external IP
-Use auth type ´cache´ for cached
-authentication
allow
-<userlist> <sourcelist> <targetlist>
+<userlist> <sourcelist> <targetlist>
<targetportlist> <operationlist>
-<weekdayslist> <timeperiodslist>
-deny <userlist> <sourcelist>
+<weekdayslist> <timeperiodslist>
+deny <userlist> <sourcelist>
<targetlist> <targetportlist>
<operationlist> <weekdayslist>
-<timeperiodslist>
-redirect <ip> <port> <userlist>
+<timeperiodslist>
+redirect <ip> <port> <userlist>
<sourcelist> <targetlist> <targetportlist>
<operationlist> <weekdayslist>
-<timeperiodslist>
+<timeperiodslist>
Access control entries. All lists are comma-separated, no
spaces are allowed. Usernames are case sensitive (if used
with authtype nbname username must be in uppercase). Source
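Review bot: The authcache synopsis gains a third argument, <cachesize>, but nothing in the hunk as shown says what it is: the unit, the default, or whether it may be omitted. Document it next to the cache time. The placeholders are also spelled <cachtype> and <cachtime> while the description uses "cachetime" and "Cachetype"; pick one spelling. Because cachetypes such as "ip" and "user" assign a connection to a user without re-authenticating, the size and lifetime of this cache are security-relevant and should not be left implicit.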
@@ -607,27 +617,28 @@ should either bind proxy to appropriate interface only or to
use ip filters.
Operation is one
-of:
-CONNECT establish outgoing TCP connection
-BIND bind TCP port for listening
-UDPASSOC make UDP association
-ICMPASSOC make ICMP association (for future use)
-HTTP_GET HTTP GET request
-HTTP_PUT HTTP PUT request
-HTTP_POST HTTP POST request
-HTTP_HEAD HTTP HEAD request
-HTTP_CONNECT HTTP CONNECT request
-HTTP_OTHER over HTTP request
-HTTP matches any HTTP request except HTTP_CONNECT
-HTTPS same as HTTP_CONNECT
-FTP_GET FTP get request
-FTP_PUT FTP put request
-FTP_LIST FTP list request
-FTP_DATA FTP data connection. Note: FTP_DATA requires access
-to dynamic non-privileged (1024-65535) ports on the remote
-side.
-FTP matches any FTP/FTP Data request
-ADMIN access to administration interface
Weekdays are week day numbers or periods, 0 or 7 means Sunday, 1 is @@ -638,8 +649,8 @@ HH:MM:SS-HH:MM:SS format. For example, hours.
parent
-<weight> <type> <ip> <port>
-<username> <password>
+<weight> <type> <ip> <port>
+<username> <password>
this command must follow "allow" rule. It extends
last allow rule to build proxy chain. Proxies may be
grouped. Proxy inside the group is selected randomly. If few
@@ -668,45 +679,51 @@ pipelined (keep-alive) requests in the same connection use
the same chain.
type is one of:
-
-extip does not actually redirect the request; it sets the
-external address for this request to <ip>. It can be
-chained with another parent type. It’s useful to set
-the external IP based on ACL or make it random.
-tcp simply redirect connection. TCP is always last in chain.
-This type of proxy is a simple TCP redirection, it does not
-support parent authentication.
-http redirect to HTTP proxy. HTTP is always the last chain.
-It should only be used with http (proxy) service, if used
-with different service, it works as tcp redirection.
-pop3 redirect to POP3 proxy (only local redirection is
-supported, can only be used as a first hop in chaining)
-ftp redirect to FTP proxy (only local redirection is
-supported, can only be used as a first hop in chaining)
-connect parent is HTTP CONNECT method proxy
-connect+ parent is HTTP CONNECT proxy with name resolution
-(hostname is used instead of IP if available)
-socks4 parent is SOCKSv4 proxy
-socks4+ parent is SOCKSv4 proxy with name resolution
-(SOCKSv4a)
-socks5 parent is SOCKSv5 proxy
-socks5+ parent is SOCKSv5 proxy with name resolution
-socks4b parent is SOCKS4b (broken SOCKSv4 implementation
+
+extip does not actually redirect the request; it sets
+the external address for this request to <ip>.
+It can be chained with another parent type. It’s
+useful to set the external IP based on ACL or make it
+random.
+tcp simply redirect connection. TCP is always last in
+chain. This type of proxy is a simple TCP redirection, it
+does not support parent authentication.
+http redirect to HTTP proxy. HTTP is always the last
+chain. It should only be used with http (proxy) service, if
+used with different service, it works as tcp redirection.
+
+pop3 redirect to POP3 proxy (only local redirection is
+supported, can only be used as a first hop in chaining)
+
+ftp redirect to FTP proxy (only local redirection is
+supported, can only be used as a first hop in chaining)
+
+connect parent is HTTP CONNECT method proxy
+connect+ parent is HTTP CONNECT proxy with name
+resolution (hostname is used instead of IP if available)
+
+socks4 parent is SOCKSv4 proxy
+socks4+ parent is SOCKSv4 proxy with name resolution
+(SOCKSv4a)
+socks5 parent is SOCKSv5 proxy
+socks5+ parent is SOCKSv5 proxy with name resolution
+
+socks4b parent is SOCKS4b (broken SOCKSv4 implementation
with shortened server reply; I never saw this kind of
server, but they say there are some). Normally you should
not use this option. Do not confuse this option with
-SOCKSv4a (socks4+).
-socks5b parent is SOCKS5b (broken SOCKSv5 implementation
+SOCKSv4a (socks4+).
+socks5b parent is SOCKS5b (broken SOCKSv5 implementation
with shortened server reply. I think you will never find it
useful). Never use this option unless you know exactly you
-need it.
-admin redirect request to local ´admin´ service
-(with -s parameter).
-ha send HAProxy PROXY protocol v1 header to parent proxy.
-Must be the last in the proxy chain. Useful for passing
-client IP information to the parent proxy. Example: parent
-1000 ha
-Use "+" proxy only with "fakeresolve"
+need it.
+admin redirect request to local ´admin´
+service (with -s parameter).
+ha send HAProxy PROXY protocol v1 header to parent
+proxy. Must be the last in the proxy chain. Useful for
+passing client IP information to the parent proxy. Example:
+parent 1000 ha
+Use "+" proxy only with fakeresolve
option
IP and port are
@@ -748,26 +765,26 @@ HTTP proxy, local HTTP proxy parses requests and allows only
GET and POST requests.
parent 1000 http 1.2.3.4 0
Changes the external address for a given connection to
-1.2.3.4 (equivalent to -e1.2.3.4)
+1.2.3.4 (equivalent to -e1.2.3.4)
Optional username and password are used to authenticate on
parent proxy. Username of ´*´ means username
must be supplied by user.
parentretries
-<number>
+<number>
Number of retries to connect to parent proxy. Default is
1.
nolog
-<n>
+<n>
extends last allow or deny command to prevent logging, e.g.
allow * * 192.168.1.1
nolog
weight
-<n>
+<n>
extends last allow or deny command to set weight for this
request
allow * * 192.168.1.1
@@ -785,30 +802,31 @@ connections.
bandlimin
-<rate> <userlist> <sourcelist>
+<rate> <userlist> <sourcelist>
<targetlist> <targetportlist>
<operationlist> <weekdayslist>
-<timeperiodslist>
-nobandlimin <userlist> <sourcelist>
+<timeperiodslist>
+nobandlimin <userlist> <sourcelist>
<targetlist> <targetportlist>
<operationlist> <weekdayslist>
-<timeperiodslist>
-bandlimout <rate> <userlist>
+<timeperiodslist>
+bandlimout <rate> <userlist>
<sourcelist> <targetlist> <targetportlist>
<operationlist> <weekdayslist>
-<timeperiodslist>
-nobandlimout <userlist> <sourcelist>
+<timeperiodslist>
+nobandlimout <userlist> <sourcelist>
<targetlist> <targetportlist>
<operationlist> <weekdayslist>
-<timeperiodslist>
-bandlim sets a bandwidth limitation filter to <rate>
-bps (bits per second). If you want to specify bytes per
-second, multiply your value by 8. bandlim rules act in the
-same manner as allow/deny rules, except for one thing:
-bandwidth limiting is applied to all services, not to some
-specific service. bandlimin and nobandlimin apply to
-incoming traffic
-bandlimout and nobandlimout apply to outgoing traffic
+<timeperiodslist>
+bandlim sets a bandwidth limitation filter to
+<rate> bps (bits per second). If you want to
+specify bytes per second, multiply your value by 8. bandlim
+rules act in the same manner as allow/deny rules, except for
+one thing: bandwidth limiting is applied to all services,
+not to some specific service. bandlimin and
+nobandlimin apply to incoming traffic
+bandlimout and nobandlimout apply to outgoing
+traffic
If you want to ratelimit your clients with IPs
192.168.10.16/30 (4 addresses) to 57600 bps, you have to
specify 4 rules like
@@ -826,53 +844,54 @@ nobandlimin * * * 110
before the rest of bandlim rules.
connlim
-<rate> <period> <userlist>
+<rate> <period> <userlist>
<sourcelist> <targetlist> <targetportlist>
<operationlist> <weekdayslist>
-<timeperiodslist>
-noconnlim <userlist> <sourcelist>
+<timeperiodslist>
+noconnlim <userlist> <sourcelist>
<targetlist> <targetportlist>
<operationlist> <weekdayslist>
-<timeperiodslist>
+<timeperiodslist>
connlim sets connections rate limit per time period for
traffic pattern controlled by ACL. Period is in seconds. If
-period is 0, connlim limits a number of parallel
+period is 0, connlim limits a number of parallel
connections.
connlim 100 60 * 127.0.0.1
allows 100 connections per minute for 127.0.0.1.
connlim 20 0 * 127.0.0.1
allows 20 simultaneous connections for 127.0.0.1.
-Like with bandlimin, if an individual limit is required per
-client, a separate rule must be added for every client. Like
-with nobandlimin, noconnlim adds an exception.
counter
-<filename> <reporttype> <reportname>
-
-countin <number> <type> <limit>
+<filename> <reporttype>
+<reportname>
+countin <number> <type> <limit>
<userlist> <sourcelist> <targetlist>
<targetportlist> <operationlist>
-<weekdayslist> <timeperiodslist>
-nocountin <userlist> <sourcelist>
+<weekdayslist> <timeperiodslist>
+nocountin <userlist> <sourcelist>
<targetlist> <targetportlist>
<operationlist> <weekdayslist>
-<timeperiodslist>
-countout <number> <type> <limit>
+<timeperiodslist>
+countout <number> <type> <limit>
<userlist> <sourcelist> <targetlist>
<targetportlist> <operationlist>
-<weekdayslist> <timeperiodslist>
-nocountout <userlist> <sourcelist>
+<weekdayslist> <timeperiodslist>
+nocountout <userlist> <sourcelist>
<targetlist> <targetportlist>
<operationlist> <weekdayslist>
-<timeperiodslist>
-countall <number> <type> <limit>
+<timeperiodslist>
+countall <number> <type> <limit>
<userlist> <sourcelist> <targetlist>
<targetportlist> <operationlist>
-<weekdayslist> <timeperiodslist>
-nocountall <userlist> <sourcelist>
+<weekdayslist> <timeperiodslist>
+nocountall <userlist> <sourcelist>
<targetlist> <targetportlist>
<operationlist> <weekdayslist>
-<timeperiodslist>
counter,
countin, nocountin, countout, nocountout, countall,
@@ -885,48 +904,34 @@ not preserved in the counter file (that is, if the proxy is
restarted, all counters with 0 are flushed); otherwise, it
should be a unique sequential number which points to the
position of the counter within the file. Type specifies a
-type of counter. Type is one of:
-H - counter is reset hourly
-D - counter is reset daily
-W - counter is reset weekly
-M - counter is reset monthly
+type of counter. Type is one of:
+H - counter is reset hourly
+D - counter is reset daily
+W - counter is reset weekly
+M - counter is reset monthly
reporttype/reportname may be used to generate traffic
reports. Reporttype is one of D, W, M, H (hourly) and
reportname specifies the filename template for reports. The
report is a text file with counter values in the format:
-
-<COUNTERNUMBER> <TRAF>
+
+<COUNTERNUMBER> <TRAF>
The rest of parameters is identical to
-bandlim/nobandlim.
users
-username[:pwtype:password] ...
+username[:pwtype:password] ...
pwtype is one of:
-none (empty) - use system authentication
-CL - password is cleartext
-CR - password is crypt-style password
-NT - password is NT password (in hex)
-LM - password is LM password (in hex)
+none (empty) - use system authentication
+CL - password is cleartext
+CR - password is crypt-style password
+NT - password is NT password (in hex)
example:
users test1:CL:password1
"test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49."
-users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63
| - - - | - | - |
flush
-
+users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63
+Note: double quotes are required because the password
+contains a $ sign.
+flush
empty the active access list. The access list must be
flushed every time you create a new access list for a new
service. For example:
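Review bot: The LM entry is dropped from the pwtype list while NT stays and the example keeps an NT hash, and the commit subject does not say whether LM support was removed from the code or only from the documentation. State that in the commit message, and if existing configurations with LM entries will now be rejected or ignored, say so here. The new note about double quotes is useful; it would read better placed directly under the test2:CR line it refers to rather than after the test3 line.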
@@ -938,42 +943,43 @@ socks
sets different ACLs for pop3p and socks
system
-<command>
+<command>
execute system command
pidfile
-<filename>
+<filename>
write pid of current process to file. It can be used to
manipulate 3proxy with signals under Unix. Currently next
signals are available:
monitor
-<filename>
+<filename>
If file monitored changes in modification time or size,
3proxy reloads configuration within one minute. Any number
of files may be monitored.
setuid
-<uid>
+<uid>
calls setuid(uid), uid can be numeric or since 0.9 username.
Unix only. Warning: under some Linux kernels setuid() works
for current thread only. It makes it impossible to suid for
all threads.
setgid
-<gid>
+<gid>
calls setgid(gid), gid can be numeric or since 0.9
groupname. Unix only.
chroot
-<path> [<uid>] [<gid>]
+<path> [<uid>]
+[<gid>]
calls chroot(path) and sets gid/uid. Unix only. uid/gid
supported since 0.9, can be numeric or
username/groupname
stacksize
-<value_to_add_to_default_stack_size>
+<value_to_add_to_default_stack_size>
Change the default size for thread stacks. May be required
in some situations, e.g. with non-default plugins, or on
some platforms (some FreeBSD versions may require adjusting
@@ -992,8 +998,8 @@ negative values.
plugin
-<path_to_shared_library> <function_to_call>
-[<arg1> ...]
+<path_to_shared_library>
+<function_to_call> [<arg1> ...]
Loads specified library and calls given export function with
given arguments, as
int functions_to_call(struct pluginlink * pl, int argc, char
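Review bot: The prototype line carried through this hunk names the export "functions_to_call", while the synopsis just above and the sentence that follows both use "function_to_call". Fix the prototype in the roff source so the three agree; a reader copying the prototype should get the same name as the argument they pass to the plugin command.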
@@ -1003,7 +1009,7 @@ function_to_call must return 0 in case of success, value
filtermaxsize
-<max_size_of_data_to_filter>
+<max_size_of_data_to_filter>
If Content-length (or another data length) is greater than
the given value, no data filtering will be performed through
filtering plugins to avoid data corruption and/or
diff --git a/doc/html/man8/ftppr.8.html b/doc/html/man8/ftppr.8.html
index 9485db6..84cb984 100644
--- a/doc/html/man8/ftppr.8.html
+++ b/doc/html/man8/ftppr.8.html
@@ -198,7 +198,7 @@ with FTP proxy support, configure internal_ip and
FTP proxy support, use internal_ip and port as
the FTP server. The address of the real FTP server must be
configured as a part of the FTP username. The format for the
-username is username@server, where
+username is username@server, where
server is the address of the FTP server and
username is the user´s login on this FTP
server. The login itself may contain an ´@´
diff --git a/doc/html/man8/pop3p.8.html b/doc/html/man8/pop3p.8.html
index 53d2963..2ceb3dd 100644
--- a/doc/html/man8/pop3p.8.html
+++ b/doc/html/man8/pop3p.8.html
@@ -196,8 +196,8 @@ MUA (Mail User Agent) with POP3 support. Set the client to
use internal_ip and port as a POP3 server. The
address of the real POP3 server must be configured as a part
of the POP3 username. The format for the username is
-username@server, where server is
-the address of the POP3 server and username is the
+username@server, where server is the
+address of the POP3 server and username is the
user´s login on this POP3 server. The login itself may
contain an ´@´ sign. Only cleartext
authentication is supported, because challenge-response
diff --git a/doc/html/man8/smtpp.8.html b/doc/html/man8/smtpp.8.html
index cb21849..8fcacaf 100644
--- a/doc/html/man8/smtpp.8.html
+++ b/doc/html/man8/smtpp.8.html
@@ -196,7 +196,7 @@ MUA (Mail User Agent) with SMTP authentication support. Set
the client to use internal_ip and port as an
SMTP server. The address of the real SMTP server must be
configured as a part of the SMTP username. The format for
-the username is username@server, where
+the username is username@server, where
server is the address of the SMTP server and
username is the user´s login on this SMTP
server. The login itself may contain an ´@´
diff --git a/man/3proxy.cfg.3 b/man/3proxy.cfg.3
index 9122080..7812e57 100644
--- a/man/3proxy.cfg.3
+++ b/man/3proxy.cfg.3
@@ -1,4 +1,4 @@
-.TH 3proxy.cfg "8" "January 2019" "3proxy 0.9" "Universal proxy server"
+.TH 3proxy.cfg "5" "January 2019" "3proxy 0.9" "Universal proxy server"
.SH NAME
.B 3proxy.cfg
3proxy configuration file
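Review bot: The .TH section changes from "8" to "5", but the file is still man/3proxy.cfg.3 and the generated HTML still lives under doc/html/man3/, so the section in the header now disagrees with the file name and install directory. Either rename the page to 3proxy.cfg.5 (and move the HTML and update any cross-references in the other pages) or keep the header in step with where the file is installed. The date and version fields ("January 2019", "3proxy 0.9") are unchanged in a patch that rewrites several hundred lines of the page; update them if the content now describes a later release.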
@@ -69,11 +69,11 @@ Recursion is not allowed.
.br
.B tcppm
[options]
-