Update documentation

2026-05-01 16:30:11 +08:00 · 2026-04-30 19:11:17 +03:00 · 2026-04-30 19:11:17 +03:00 · ac20f189c8
commit ac20f189c8
parent 043f0dd8ab
8 changed files with 587 additions and 56 deletions
--- a/doc/html/howtoe.html
+++ b/doc/html/howtoe.html
@ -33,8 +33,9 @@
 		<li><a href="#NAMES">How to resolve names through a parent proxy</a></li>
 		<li><a href="#ISFTP">How to set up an FTP proxy</a></li>
 		<li><a href="#TLSPR">How to set up an SNI proxy (tlspr)</a></li>
-		<li><a href="#SSLPLUGIN">How to set up TLS/SSL with SSLPlugin (https proxy, mTLS)</a></li>
+		<li><a href="#SSLPLUGIN">How to set up TLS/SSL (https proxy, mTLS)</a></li>
-		<li><a href="#CERTIFICATES">How to create CA and certificates for SSLPlugin</a></li>
+		<li><a href="#CERTIFICATES">How to create CA and certificates for SSL</a></li>
 		<li><a href="#PCRE">How to use PCRE filtering (regular expressions)</a></li>
 		<li><A HREF="#AUTH">How to limit service access</A>
 		<li><A HREF="#USERS">How to create a user list</A>
 		<li><A HREF="#ACL">How to limit user access to resources</A>
@ -639,9 +640,12 @@ allow *
 proxy
 </pre>
  </p>
-		<li><a name="SSLPLUGIN"><i>How to set up TLS/SSL with SSLPlugin (https proxy, mTLS)</i></a>
+		<li><a name="SSLPLUGIN"><i>How to set up TLS/SSL (https proxy, mTLS)</i></a>
 <p>
-SSLPlugin provides TLS/SSL support for 3proxy. It can be used to:
+Since version 0.9.7, SSL/TLS support is built into 3proxy when compiled with OpenSSL
 (WITH_SSL). Previously available as SSLPlugin, the functionality is now integrated
 into the main binary. The plugin line is no longer required.
 SSL/TLS support can be used to:
 <ul>
 <li>Create an https:// proxy (TLS-encrypted connection between client and proxy)</li>
 <li>Implement MITM for TLS traffic inspection</li>
@ -654,7 +658,6 @@ SSLPlugin provides TLS/SSL support for 3proxy. It can be used to:
 <br>To create an https:// proxy, you need a server certificate and key. The certificate must not be self-signed
 and should contain Subject Alternative Names (SAN) for the proxy hostname/IP.
 </p><pre>
 plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_cert /etc/3proxy/certs/server.crt
 ssl_server_key /etc/3proxy/certs/server.key
 ssl_serv
@ -670,7 +673,6 @@ Configure clients to use https://proxy-host:3129/ as the proxy URL.
 <b>Client certificate authentication (mTLS):</b>
 <br>To require clients to authenticate with a certificate, use ssl_server_verify and provide the CA certificate:
 </p><pre>
 plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_cert /etc/3proxy/certs/server.crt
 ssl_server_key /etc/3proxy/certs/server.key
 ssl_server_ca_file /etc/3proxy/certs/ca.crt
@ -685,7 +687,6 @@ Only clients with a valid certificate signed by the CA can connect.
 <b>MITM for TLS traffic inspection:</b>
 <br>To intercept and decrypt TLS traffic, you need a CA certificate to generate spoofed server certificates:
 </p><pre>
 plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_ca_file /etc/3proxy/certs/ca.crt
 ssl_server_ca_key /etc/3proxy/certs/ca.key
 ssl_client_verify
@ -703,7 +704,6 @@ Without ssl_client_verify, the proxy is vulnerable to MITM attacks.
 <b>TLS client (connect to upstream via TLS):</b>
 <br>To connect to upstream servers via TLS with client certificate authentication:
 </p><pre>
 plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_client_cert /etc/3proxy/certs/client.crt
 ssl_client_key /etc/3proxy/certs/client.key
 ssl_client_verify
@ -715,7 +715,6 @@ proxy -p3128
 <b>Conditional TLS for parent proxy (ssl_client_mode 3):</b>
 <br>With ssl_client_mode 3, TLS handshake to parent proxy is performed only if the parent type ends with 's' (secure types). This allows mixing secure and non-secure parent proxies in the same configuration:
 </p><pre>
 plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_cert /etc/3proxy/certs/server.crt
 ssl_server_key /etc/3proxy/certs/server.key
 ssl_client_mode 3
@ -734,7 +733,7 @@ ssl_nocli
 <p>
 This creates an HTTPS proxy (ssl_serv) that accepts TLS connections from clients. For parent proxy connections, user1's traffic goes through an https parent with TLS encryption (secure type), while user2's traffic goes through a regular socks5 parent without TLS. Secure parent types include: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps.
 </p>
-		<li><a name="CERTIFICATES"><i>How to create CA and certificates for SSLPlugin</i></a>
+		<li><a name="CERTIFICATES"><i>How to create CA and certificates for SSL</i></a>
 <p>
 <b>Creating a Certificate Authority (CA):</b>
 <br>For MITM or mTLS, you need a CA. Generate a CA private key and certificate:
@ -849,6 +848,65 @@ openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
 openssl pkcs12 -export -out client.p12 -passout pass: \
    -inkey client.key -in client.crt -certfile ca.crt
 </pre>
 		<li><a name="PCRE"><i>How to use PCRE filtering (regular expressions)</i></a>
 <p>
 Since version 0.9.7, PCRE (Perl Compatible Regular Expressions) filtering is built into
 3proxy when compiled with PCRE2 support (WITH_PCRE). Previously available as PCREPlugin,
 the functionality is now integrated into the main binary. The plugin line is no longer required.
 </p>
 <p>
 PCRE filtering can be used to create matching and replacement rules with regular expressions
 for client requests, client and server headers, and client and server data.
 </p>
 <p>
 <b>Commands:</b>
 </p><pre>
 pcre TYPE FILTER_ACTION REGEXP [ACE]
 pcre_rewrite TYPE FILTER_ACTION REGEXP REWRITE_EXPRESSION [ACE]
 pcre_extend FILTER_ACTION [ACE]
 pcre_options OPTION1 [...]
 </pre>
 <p>
 <ul>
 <li><b>TYPE</b> - type of filtered data (comma-delimited list):
 <ul>
 <li><b>request</b> - content of the client's request (e.g., HTTP GET request string)
 <li><b>cliheader</b> - content of the client request headers
 <li><b>srvheader</b> - content of the server's reply headers
 <li><b>clidata</b> - data received from the client (e.g., HTTP POST data)
 <li><b>srvdata</b> - data received from the server (e.g., HTML page)
 </ul>
 <li><b>FILTER_ACTION</b> - action on match:
 <ul>
 <li><b>allow</b> - allow this request without checking the rest of the rules
 <li><b>deny</b> - deny this request without checking the rest of the rules
 <li><b>dunno</b> - continue with the rest of the rules (useful with pcre_rewrite)
 </ul>
 <li><b>REGEXP</b> - PCRE (Perl) regular expression. Use * if no regexp matching is required.
 <li><b>REWRITE_EXPRESSION</b> - substitution string. May contain Perl-style substrings
 $1, $2, etc. $0 means the whole matched string. \r and \n may be used to insert new lines.
 <li><b>ACE</b> - access control entry (user names, source IPs, destination IPs, ports, etc.),
 identical to allow/deny/bandlimin commands. The regular expression is only matched if the ACL
 matches the connection data.
 </ul>
 </p>
 <p>
 <b>Examples:</b>
 </p><pre>
 # Block requests containing specific keywords for certain users
 pcre request deny "porn|sex" user1,user2,user3 192.168.0.0/16
 # Block responses with specific content type
 pcre srvheader deny "Content-type: application"
 # Replace content in both directions (censorship)
 pcre_rewrite clidata,srvdata dunno "porn|sex|pussy" "***" baduser
 pcre_extend deny * 192.168.0.1/16
 </pre>
 <p>
 <b>Note:</b> Regular expressions don't require authentication and cannot replace
 authentication and/or allow/deny ACLs.
 </p>
 		<li><A NAME="AUTH">How to limit service access</A>
 <p>
 First, always specify the internal interface to accept incoming connections with the
--- a/doc/html/howtor.html
+++ b/doc/html/howtor.html
@ -33,8 +33,9 @@
    <li><a href="#NAMES">Как разрешать имена на родительском прокси?</a></li>
    <li><a href="#ISFTP">Как настроить FTP прокси?</a></li>
    <li><a href="#TLSPR">Как настроить SNI proxy (tlspr)</a></li>
-    <li><a href="#SSLPLUGIN">Как настроить TLS/SSL с помощью SSLPlugin (https прокси, mTLS)</a></li>
+    <li><a href="#SSLPLUGIN">Как настроить TLS/SSL (https прокси, mTLS)</a></li>
-    <li><a href="#CERTIFICATES">Как создать CA и сертификаты для SSLPlugin</a></li>
+    <li><a href="#CERTIFICATES">Как создать CA и сертификаты для SSL</a></li>
    <li><a href="#PCRE">Как использовать PCRE-фильтрацию (регулярные выражения)</a></li>
    <li><a href="#AUTH">Как ограничить доступ к службе</a>
    <li><a href="#USERS">Как создать список пользователей</a>
    <li><a href="#ACL">Как ограничить доступ пользователей к ресурсам</a>
@ -648,9 +649,12 @@ proxy
 </pre>
  </p>
-  <li><a name="SSLPLUGIN"><i>Как настроить TLS/SSL с помощью SSLPlugin (https прокси, mTLS)</i></a>
+  <li><a name="SSLPLUGIN"><i>Как настроить TLS/SSL (https прокси, mTLS)</i></a>
 <p>
-SSLPlugin обеспечивает поддержку TLS/SSL для 3proxy. Он может использоваться для:
+Начиная с версии 0.9.7 поддержка TLS/SSL встроена в 3proxy при компиляции с OpenSSL
 (WITH_SSL). Ранее доступная как SSLPlugin, функциональность теперь интегрирована
 в основной бинарный файл. Строка plugin больше не нужна.
 TLS/SSL может использоваться для:
 <ul>
 <li>Создания https:// прокси (TLS-шифрованное соединение между клиентом и прокси)</li>
 <li>Реализации MITM для инспекции TLS-трафика</li>
@ -663,7 +667,6 @@ SSLPlugin обеспечивает поддержку TLS/SSL для 3proxy. О
 <br>Для создания https:// прокси требуется сертификат и ключ сервера. Сертификат не должен быть самоподписанным
 и должен содержать альтернативные имена (SAN) для имени хоста/IP прокси.
 </p><pre>
 plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_cert /etc/3proxy/certs/server.crt
 ssl_server_key /etc/3proxy/certs/server.key
 ssl_serv
@ -679,7 +682,6 @@ proxy -p3128
 <b>Аутентификация по клиентскому сертификату (mTLS):</b>
 <br>Чтобы требовать от клиентов аутентификацию по сертификату, используйте ssl_server_verify и укажите CA-сертификат:
 </p><pre>
 plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_cert /etc/3proxy/certs/server.crt
 ssl_server_key /etc/3proxy/certs/server.key
 ssl_server_ca_file /etc/3proxy/certs/ca.crt
@ -694,7 +696,6 @@ proxy -p3129
 <b>MITM для инспекции TLS-трафика:</b>
 <br>Для перехвата и расшифровки TLS-трафика требуется CA-сертификат для генерации подделанных серверных сертификатов:
 </p><pre>
 plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_ca_file /etc/3proxy/certs/ca.crt
 ssl_server_ca_key /etc/3proxy/certs/ca.key
 ssl_client_verify
@ -712,7 +713,6 @@ CA-сертификат должен быть доверенным для кли
 <b>TLS-клиент (соединение с вышестоящим сервером через TLS):</b>
 <br>Для соединения с вышестоящими серверами через TLS с аутентификацией по клиентскому сертификату:
 </p><pre>
 plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_client_cert /etc/3proxy/certs/client.crt
 ssl_client_key /etc/3proxy/certs/client.key
 ssl_client_verify
@ -724,7 +724,6 @@ proxy -p3128
 <b>Условное TLS для parent прокси (ssl_client_mode 3):</b>
 <br>При ssl_client_mode 3 TLS-рукопожатие с родительским прокси выполняется только если тип parent прокси заканчивается на 's' (защищённые типы). Это позволяет смешивать защищённые и незащищённые родительские прокси в одной конфигурации:
 </p><pre>
 plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_cert /etc/3proxy/certs/server.crt
 ssl_server_key /etc/3proxy/certs/server.key
 ssl_client_mode 3
@ -743,7 +742,7 @@ ssl_nocli
 <p>
 Создаётся HTTPS-прокси (ssl_serv), принимающий TLS-соединения от клиентов. Для соединений с родительским прокси трафик user1 идёт через https родитель с TLS-шифрованием (защищённый тип), а трафик user2 — через обычный socks5 родитель без TLS. Защищённые типы parent прокси: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps.
 </p>
-  <li><a name="CERTIFICATES"><i>Как создать CA и сертификаты для SSLPlugin</i></a>
+  <li><a name="CERTIFICATES"><i>Как создать CA и сертификаты для SSL</i></a>
 <p>
 <b>Создание удостоверяющего центра (CA):</b>
 <br>Для MITM или mTLS требуется CA. Сгенерируйте закрытый ключ CA и сертификат:
@ -859,6 +858,66 @@ openssl pkcs12 -export -out client.p12 -passout pass: \
    -inkey client.key -in client.crt -certfile ca.crt
 </pre>
  <li><a name="PCRE"><i>Как использовать PCRE-фильтрацию (регулярные выражения)</i></a>
 <p>
 Начиная с версии 0.9.7 фильтрация PCRE встроена в 3proxy при компиляции с поддержкой
 PCRE2 (WITH_PCRE). Ранее доступная как PCREPlugin, функциональность теперь интегрирована
 в основной бинарный файл. Строка plugin больше не нужна.
 </p>
 <p>
 PCRE-фильтрация может использоваться для создания правил поиска и замены с регулярными
 выражениями для запросов клиентов, заголовков клиента и сервера, а также данных.
 </p>
 <p>
 <b>Команды:</b>
 </p><pre>
 pcre TYPE FILTER_ACTION REGEXP [ACE]
 pcre_rewrite TYPE FILTER_ACTION REGEXP REWRITE_EXPRESSION [ACE]
 pcre_extend FILTER_ACTION [ACE]
 pcre_options OPTION1 [...]
 </pre>
 <p>
 <ul>
 <li><b>TYPE</b> - тип фильтруемых данных (список через запятую):
 <ul>
 <li><b>request</b> - содержимое запроса клиента (например, строка HTTP GET-запроса)
 <li><b>cliheader</b> - содержимое заголовков запроса клиента
 <li><b>srvheader</b> - содержимое заголовков ответа сервера
 <li><b>clidata</b> - данные полученные от клиента (например, данные POST-запроса)
 <li><b>srvdata</b> - данные полученные от сервера (например, HTML-страница)
 </ul>
 <li><b>FILTER_ACTION</b> - действие при совпадении:
 <ul>
 <li><b>allow</b> - разрешить запрос без проверки остальных правил
 <li><b>deny</b> - запретить запрос без проверки остальных правил
 <li><b>dunno</b> - продолжить проверку правил (полезно для pcre_rewrite)
 </ul>
 <li><b>REGEXP</b> - регулярное выражение PCRE (Perl). Используйте * если проверка не требуется.
 <li><b>REWRITE_EXPRESSION</b> - строка замены. Может содержать Perl-подстановки
 $1, $2 и т.д. $0 - вся найденная подстрока. \r и \n для вставки новых строк.
 <li><b>ACE</b> - элемент списка контроля доступа (имена пользователей, IP источника,
 IP назначения, порты и т.д.), аналогичный командам allow/deny/bandlimin.
 Регулярное выражение проверяется только при совпадении ACL с данными соединения.
 </ul>
 </p>
 <p>
 <b>Примеры:</b>
 </p><pre>
 # Блокировать запросы с определёнными ключевыми словами для некоторых пользователей
 pcre request deny "porn|sex" user1,user2,user3 192.168.0.0/16
 # Блокировать ответы с определённым content-type
 pcre srvheader deny "Content-type: application"
 # Замена содержимого в обоих направлениях (цензура)
 pcre_rewrite clidata,srvdata dunno "porn|sex|pussy" "***" baduser
 pcre_extend deny * 192.168.0.1/16
 </pre>
 <p>
 <b>Примечание:</b> Регулярные выражения не требуют авторизации и не могут заменить
 авторизацию и/или ACL allow/deny.
 </p>
  <li><a name="AUTH"><i>Как ограничить доступ к службе</i></a>
  <p>
  Во-первых, для ограничения доступа необходимо указать внутренний интерфейс,
--- a/doc/html/man5/3proxy.cfg.5.html
+++ b/doc/html/man5/3proxy.cfg.5.html
@ -10,6 +10,14 @@
 <a href="#NAME">NAME</a><br>
 <a href="#DESCRIPTION">DESCRIPTION</a><br>
 <a href="#PLUGINS">PLUGINS</a><br>
 <a href="#SSL/TLS SUPPORT">SSL/TLS SUPPORT</a><br>
 <a href="#MITM Commands">MITM Commands</a><br>
 <a href="#Server TLS Commands">Server TLS Commands</a><br>
 <a href="#Client TLS Commands">Client TLS Commands</a><br>
 <a href="#SSL Parameters">SSL Parameters</a><br>
 <a href="#PCRE FILTERING">PCRE FILTERING</a><br>
 <a href="#PCRE Commands">PCRE Commands</a><br>
 <a href="#PCRE Parameters">PCRE Parameters</a><br>
 <a href="#BUGS">BUGS</a><br>
 <a href="#SEE ALSO">SEE ALSO</a><br>
 <a href="#TRIVIA">TRIVIA</a><br>
@ -1017,6 +1025,220 @@ the given value, no data filtering will be performed through
 filtering plugins to avoid data corruption and/or
 Content-Length changing. Default is 1MB (1048576).</p>
 <h2>SSL/TLS SUPPORT
 <a name="SSL/TLS SUPPORT"></a>
 </h2>
 <p style="margin-left:6%; margin-top: 1em">SSL/TLS support
 is built into 3proxy (since 0.9.7) when compiled with
 OpenSSL (WITH_SSL). Previously available as SSLPlugin, the
 functionality is now integrated into the main binary. The
 plugin line is no longer required.</p>
 <p style="margin-left:6%; margin-top: 1em">SSL/TLS can be
 used for: - transparent MITM (Man-in-the-Middle) for TLS
 traffic inspection - https:// proxy (TLS-encrypted
 connection between client and proxy) - TLS client
 connections to upstream servers with certificate
 authentication - mTLS (mutual TLS) requiring client
 certificates</p>
 <h3>MITM Commands
 <a name="MITM Commands"></a>
 </h3>
 <p style="margin-left:6%; margin-top: 1em"><b>ssl_mitm</b>
 - spoof certificates for services started below. Usage
 without ssl_client_verify is insecure. <b><br>
 ssl_nomitm</b> - do not spoof certificates for services
 started below</p>
 <h3>Server TLS Commands
 <a name="Server TLS Commands"></a>
 </h3>
 <p style="margin-left:6%; margin-top: 1em"><b>ssl_serv</b>
 (or ssl_server) - require TLS connection from clients for
 services below <b><br>
 ssl_noserv</b> (or ssl_noserver) - do not require TLS
 connection from clients for services below</p>
 <h3>Client TLS Commands
 <a name="Client TLS Commands"></a>
 </h3>
 <p style="margin-left:6%; margin-top: 1em"><b>ssl_cli</b>
 (or ssl_client) - establish TLS connection to upstream
 server for services below <b><br>
 ssl_nocli</b> (or ssl_noclient) - do not establish TLS
 connection to upstream server for services below</p>
 <h3>SSL Parameters
 <a name="SSL Parameters"></a>
 </h3>
 <p style="margin-left:6%; margin-top: 1em"><b>ssl_server_cert</b>
 <i>/path/to/cert</i> - Server certificate (should not be
 self-signed, must contain SAN) for ssl_serv <b><br>
 ssl_server_key</b> <i>/path/to/key</i> - Server certificate
 key for ssl_server_cert or generated MITM certificate
 <b><br>
 ssl_client_cert</b> <i>/path/to/cert</i> - Client
 certificate for authentication on upstream server (used with
 ssl_cli) <b><br>
 ssl_client_key</b> <i>/path/to/key</i> - Client certificate
 key for ssl_client_cert <b><br>
 ssl_client_ciphersuites</b> <i>ciphersuites_list</i> - TLS
 client ciphers for TLS 1.3 <b><br>
 ssl_server_ciphersuites</b> <i>ciphersuites_list</i> - TLS
 server ciphers for TLS 1.3 <b><br>
 ssl_client_cipher_list</b> <i>ciphers_list</i> - TLS client
 ciphers for TLS 1.2 and below <b><br>
 ssl_server_cipher_list</b> <i>ciphers_list</i> - TLS server
 ciphers for TLS 1.2 and below <b><br>
 ssl_client_min_proto_version</b> <i>tls_version</i> - TLS
 client minimum TLS version (e.g., TLSv1.2) <b><br>
 ssl_server_min_proto_version</b> <i>tls_version</i> - TLS
 server minimum TLS version <b><br>
 ssl_client_max_proto_version</b> <i>tls_version</i> - TLS
 client maximum TLS version <b><br>
 ssl_server_max_proto_version</b> <i>tls_version</i> - TLS
 server maximum TLS version <b><br>
 ssl_client_verify</b> - verify the certificate for the
 upstream server (used with ssl_mitm or ssl_cli) <b><br>
 ssl_client_no_verify</b> - do not verify the certificate for
 the upstream server (default) <b><br>
 ssl_server_verify</b> - require client certificate
 authentication (mTLS) for ssl_serv <b><br>
 ssl_server_no_verify</b> - do not require client certificate
 (default) <b><br>
 ssl_server_ca_file</b> <i>/path/to/cafile</i> - CA
 certificate file for MITM <b><br>
 ssl_server_ca_key</b> <i>/path/to/cakey</i> - key for
 ssl_server_ca_file MITM CA <b><br>
 ssl_server_ca_dir</b> <i>/path/to/cadir</i> - CA directory
 for ssl_server_verify <b><br>
 ssl_server_ca_store</b> <i>/path/to/castore</i> - CA store
 for ssl_server_verify (OpenSSL 3.0+) <b><br>
 ssl_client_ca_file</b> <i>/path/to/cafile</i> - CA file for
 ssl_client_verify <b><br>
 ssl_client_ca_dir</b> <i>/path/to/cadir</i> - CA directory
 for ssl_client_verify <b><br>
 ssl_client_ca_store</b> <i>/path/to/castore</i> - CA store
 for ssl_client_verify (OpenSSL 3.0+) <b><br>
 ssl_client_sni</b> <i>hostname</i> - SNI hostname to send to
 upstream server <b><br>
 ssl_client_alpn</b> <i>protocol1 protocol2 ...</i> - ALPN
 protocols to negotiate with upstream server <b><br>
 ssl_client_mode</b> <i>mode</i> - when to establish TLS
 connection: 0 - on connect (default), 1 - after
 authentication, 2 - before data, 3 - only for secure parent
 types (ending with &rsquo;s&rsquo;) <b><br>
 ssl_certcache</b> <i>/path/to/cache/</i> - location for the
 generated MITM certificates cache</p>
 <h2>PCRE FILTERING
 <a name="PCRE FILTERING"></a>
 </h2>
 <p style="margin-left:6%; margin-top: 1em">PCRE (Perl
 Compatible Regular Expressions) filtering is built into
 3proxy (since 0.9.7) when compiled with PCRE2 support
 (WITH_PCRE). Previously available as PCREPlugin, the
 functionality is now integrated into the main binary. The
 plugin line is no longer required.</p>
 <p style="margin-left:6%; margin-top: 1em">PCRE filtering
 allows creating matching and replacement rules with regular
 expressions for client requests, headers, and data.</p>
 <h3>PCRE Commands
 <a name="PCRE Commands"></a>
 </h3>
 <p style="margin-left:6%; margin-top: 1em"><b>pcre</b>
 <i>TYPE FILTER_ACTION REGEXP [ACE]</i> <br>
 Apply a rule for matching regular expression. <b><br>
 pcre_rewrite</b> <i>TYPE FILTER_ACTION REGEXP
 REWRITE_EXPRESSION [ACE]</i> <br>
 Match and replace with rewrite expression. <b><br>
 pcre_extend</b> <i>FILTER_ACTION [ACE]</i> <br>
 Extend the ACL of the last pcre or pcre_rewrite command by
 adding an additional ACE. <b><br>
 pcre_options</b> <i>OPTION1 [OPTION2 ...]</i> <br>
 Set matching options. Both PCRE2 native options and PCRE
 compatibility options are supported. PCRE options are mapped
 to their PCRE2 equivalents for backward compatibility. <br>
 PCRE2 options: PCRE2_CASELESS, PCRE2_MULTILINE,
 PCRE2_DOTALL, PCRE2_EXTENDED, PCRE2_DOLLAR_ENDONLY,
 PCRE2_UNGREEDY, PCRE2_UTF, PCRE2_UCP, PCRE2_NO_AUTO_CAPTURE,
 PCRE2_FIRSTLINE, PCRE2_DUPNAMES, PCRE2_MATCH_UNSET_BACKREF,
 PCRE2_ALT_BSUX, PCRE2_ALT_CIRCUMFLEX, PCRE2_ALT_VERBNAMES,
 PCRE2_USE_OFFSET_LIMIT, PCRE2_EXTENDED_MORE, PCRE2_LITERAL,
 PCRE2_MATCH_INVALID_UTF. <br>
 PCRE compatibility options: PCRE_CASELESS, PCRE_MULTILINE,
 PCRE_DOTALL, PCRE_EXTENDED, PCRE_ANCHORED,
 PCRE_DOLLAR_ENDONLY, PCRE_EXTRA, PCRE_NOTBOL, PCRE_NOTEOL,
 PCRE_UNGREEDY, PCRE_NOTEMPTY, PCRE_UTF8,
 PCRE_NO_AUTO_CAPTURE, PCRE_NO_UTF8_CHECK, PCRE_AUTO_CALLOUT,
 PCRE_PARTIAL, PCRE_DFA_SHORTEST, PCRE_DFA_RESTART,
 PCRE_FIRSTLINE, PCRE_DUPNAMES, PCRE_NEWLINE_CR,
 PCRE_NEWLINE_LF, PCRE_NEWLINE_CRLF, PCRE_NEWLINE_ANY,
 PCRE_NEWLINE_ANYCRLF, PCRE_BSR_ANYCRLF,
 PCRE_BSR_UNICODE.</p>
 <h3>PCRE Parameters
 <a name="PCRE Parameters"></a>
 </h3>
 <p style="margin-left:6%; margin-top: 1em">TYPE - type of
 filtered data (comma-delimited list): <br>
 request - content of the client&rsquo;s request (e.g., HTTP
 GET request string) <br>
 cliheader - content of the client request headers <br>
 srvheader - content of the server&rsquo;s reply headers <br>
 clidata - data received from the client (e.g., HTTP POST
 data) <br>
 srvdata - data received from the server (e.g., HTML
 page)</p>
 <p style="margin-left:6%; margin-top: 1em">FILTER_ACTION -
 action on match: <br>
 allow - allow this request without checking the rest of the
 rules <br>
 deny - deny this request without checking the rest of the
 rules <br>
 dunno - continue with the rest of the rules (useful with
 pcre_rewrite)</p>
 <p style="margin-left:6%; margin-top: 1em">REGEXP - PCRE
 (Perl) regular expression. Use * if no regexp matching is
 required.</p>
 <p style="margin-left:6%; margin-top: 1em">REWRITE_EXPRESSION
 - substitution string. May contain Perl-style substrings $1,
 $2, etc. $0 means the whole matched string. \r and \n may be
 used to insert new lines; the string may be empty
 (&quot;&quot;).</p>
 <p style="margin-left:6%; margin-top: 1em">ACE - access
 control entry (user names, source IPs, destination IPs,
 ports, etc.), identical to allow/deny/bandlimin commands.
 The regular expression is only matched if the ACL matches
 the connection data. Warning: Regular expressions
 don&rsquo;t require authentication and cannot replace
 authentication and/or allow/deny ACLs.</p>
 <h2>BUGS
 <a name="BUGS"></a>
 </h2>
--- a/doc/html/plugins/PCREPlugin.html
+++ b/doc/html/plugins/PCREPlugin.html
@ -1,10 +1,13 @@
 <h3>3proxy PCRE (Perl Compatible Regular Expressions) Filtering</h3>
-<h3>3proxy Perl Compatible Regular Expressions (PCRE) Plugin</h3>
+<p><b>Note:</b> Since version 0.9.7, PCRE filtering is built into 3proxy and does not require
 a separate plugin. All pcre_* commands are available directly when 3proxy is compiled with
 PCRE2 support (WITH_PCRE). The plugin line is no longer needed.</p>
-This filtering plugin can be used to create matching and replacement
+<p>This filtering functionality can be used to create matching and replacement
 rules with regular expressions for client requests, client and
 server headers, and client and server data. It adds 3 additional
-configuration commands:
+configuration commands:</p>
 <pre>
 pcre TYPE FILTER_ACTION REGEXP [ACE]
@ -78,16 +81,10 @@ authentication and/or allow/deny ACLs.
 <h4>Example:</h4>
 <pre>
 plugin PCREPlugin.dll pcre_plugin
 pcre request deny "porn|sex" user1,user2,user3 192.168.0.0/16
 pcre srvheader deny "Content-type: application"
 pcre_rewrite clidata,srvdata dunno "porn|sex|pussy" "***" baduser
 pcre_extend deny * 192.168.0.1/16
 </pre>
-<h4>Download:</h4>
+&copy; Vladimir Dubrovin, License: BSD style
 <ul>
 <li>Plugin is included in the 3proxy 0.6 binary and source distribution
 <li>Example configuration (by Dennis Garber): <A HREF="NoPornLitest.cfg.txt">NoPornLitest.cfg</A>
 </li></ul>
--- a/doc/html/plugins/PCREPlugin.ru.html
+++ b/doc/html/plugins/PCREPlugin.ru.html
@ -1,8 +1,12 @@
-<h3>Плагин регулярных выражений совместимых с Perl (PCRE) для 3proxy</h3>
+<h3>Фильтрация PCRE (Perl Compatible Regular Expressions) в 3proxy</h3>
-Фильтрующий плагин используется для создания правил поиска и замены
+<p><b>Примечание:</b> Начиная с версии 0.9.7 фильтрация PCRE встроена в 3proxy и не требует
 отдельного плагина. Все команды pcre_* доступны напрямую при компиляции 3proxy с поддержкой
 PCRE2 (WITH_PCRE). Строка plugin больше не нужна.</p>
 <p>Фильтрующий плагин используется для создания правил поиска и замены
 регулярных выражений в запросе, заголовков запроса и ответа и данных.
-Добавляет поддержку 3х новых команд в файле конфигурации:
+Добавляет поддержку 3х новых команд в файле конфигурации:</p>
 <pre>
 pcre TYPE FILTER_ACTION REGEXP [ACE]
@ -76,15 +80,10 @@ PCRE_BSR_UNICODE
 <h4>Пример:</h4>
 <pre>
 plugin PCREPlugin.dll pcre_plugin
 pcre request deny "porn|sex" user1,user2,user3 192.168.0.0/16
 pcre srvheader deny "Content-type: application"
 pcre_rewrite clidata,srvdata dunno "porn|sex|pussy" "***" baduser
 pcre_extend deny * 192.168.0.1/16
 </pre>
-<h4>Загрузить:</h4>
+&copy; Vladimir Dubrovin, License: BSD style
 <ul>
 <li>Плагин включен в дистрибутив 3proxy 0.6
 <li>Пример конфигурации (by Dennis Garber): <A HREF="NoPornLitest.cfg.txt">NoPornLitest.cfg</A>
 </li></ul>
--- a/doc/html/plugins/SSLPlugin.html
+++ b/doc/html/plugins/SSLPlugin.html
@ -1,6 +1,11 @@
-<h3>3proxy SSL/TLS Plugin</h3>
+<h3>3proxy SSL/TLS Support</h3>
-This plugin can be used to transparently decrypt SSL/TLS data, provide TLS encryption for proxy traffic, and authenticate using client certificates.
+<p><b>Note:</b> Since version 0.9.7, SSL/TLS support is built into 3proxy and does not require
 a separate plugin. All ssl_* commands are available directly when 3proxy is compiled with
 OpenSSL support (WITH_SSL). The plugin line is no longer needed.</p>
 <p>SSL/TLS support can be used to transparently decrypt SSL/TLS data, provide TLS encryption
 for proxy traffic, and authenticate using client certificates.</p>
 <h4>For transparent certificate spoofing (MITM):</h4>
@ -55,7 +60,6 @@ Generated certificates are placed in the same path.
 <h4>MITM example:</h4>
 <pre>
 plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_server_ca_file /path/to/cafile
 ssl_server_ca_key /path/to/cakey
 ssl_mitm
@ -67,7 +71,6 @@ MITM's traffic with a spoofed certificate for the port 3128 proxy.
 <h4>https:// proxy example:</h4>
 <pre>
 plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_server_cert path_to_cert
 ssl_server_key path_to_key
 ssl_serv
@ -79,7 +82,6 @@ Creates an https:// proxy on port 33128 and an http:// proxy on port 3128
 <h4>TLS client example (connect to upstream via TLS):</h4>
 <pre>
 plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_client_cert /path/to/client.crt
 ssl_client_key /path/to/client.key
 ssl_client_verify
@ -91,7 +93,6 @@ Creates an HTTP proxy that connects to upstream servers via TLS with client cert
 <h4>Conditional TLS for parent proxy (ssl_client_mode 3):</h4>
 <pre>
 plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_server_cert /path/to/server.crt
 ssl_server_key /path/to/key
 ssl_client_mode 3
@ -111,7 +112,6 @@ Creates an HTTP proxy on port 3128 that uses TLS for client connections (ssl_ser
 <h4>mTLS example (require client certificate):</h4>
 <pre>
 plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_server_cert /path/to/server.crt
 ssl_server_key /path/to/server.key
 ssl_server_ca_file /path/to/ca.crt
--- a/doc/html/plugins/SSLPlugin.ru.html
+++ b/doc/html/plugins/SSLPlugin.ru.html
@ -1,6 +1,10 @@
-<h3>3proxy SSL/TLS плагин</h3>
+<h3>3proxy SSL/TLS поддержка</h3>
-Плагин можно использовать для перехвата и дешифровки SSL/TLS трафика, для шифрования трафика прокси-сервера и аутентификации с помощью клиентских сертификатов.
+<p><b>Примечание:</b> Начиная с версии 0.9.7 поддержка SSL/TLS встроена в 3proxy и не требует
 отдельного плагина. Все команды ssl_* доступны напрямую при компиляции 3proxy с поддержкой
 OpenSSL (WITH_SSL). Строка plugin больше не нужна.</p>
 <p>Плагин можно использовать для перехвата и дешифровки SSL/TLS трафика, для шифрования трафика прокси-сервера и аутентификации с помощью клиентских сертификатов.</p>
 <h4>Для прозрачного перехвата трафика (MITM):</h4>
@ -52,7 +56,6 @@ ssl_server_ca_key и ssl_server_key соответственно, если он
 <h4>Пример MITM:</h4>
 <pre>
 plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_server_ca_file /path/to/cafile
 ssl_server_ca_key /path/to/cakey
 ssl_mitm
@ -64,7 +67,6 @@ proxy -p3129
 <h4>Пример конфигурации https:// прокси:</h4>
 <pre>
 plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_server_cert path_to_cert
 ssl_server_key path_to_key
 ssl_serv
@ -76,7 +78,6 @@ proxy -p3128
 <h4>Пример TLS-клиента (соединение к вышестоящему серверу через TLS):</h4>
 <pre>
 plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_client_cert /path/to/client.crt
 ssl_client_key /path/to/client.key
 ssl_client_verify
@ -88,7 +89,6 @@ proxy -p3128
 <h4>Условное TLS для parent прокси (ssl_client_mode 3):</h4>
 <pre>
 plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_server_cert /path/to/server.crt
 ssl_server_key /path/to/key
 ssl_client_mode 3
@ -108,7 +108,6 @@ ssl_nocli
 <h4>Пример mTLS (требование клиентского сертификата):</h4>
 <pre>
 plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_server_cert /path/to/server.crt
 ssl_server_key /path/to/server.key
 ssl_server_ca_file /path/to/ca.crt
--- a/man/3proxy.cfg.5
+++ b/man/3proxy.cfg.5
@ -1149,6 +1149,203 @@ as
 data filtering will be performed through filtering plugins to avoid data
 corruption and/or Content-Length changing. Default is 1MB (1048576).
 .SH SSL/TLS SUPPORT
 SSL/TLS support is built into 3proxy (since 0.9.7) when compiled with OpenSSL
 (WITH_SSL). Previously available as SSLPlugin, the functionality is now integrated
 into the main binary. The plugin line is no longer required.
 SSL/TLS can be used for:
 - transparent MITM (Man-in-the-Middle) for TLS traffic inspection
 - https:// proxy (TLS-encrypted connection between client and proxy)
 - TLS client connections to upstream servers with certificate authentication
 - mTLS (mutual TLS) requiring client certificates
 .SS MITM Commands
 .br
 .BR ssl_mitm
 - spoof certificates for services started below. Usage without ssl_client_verify is insecure.
 .br
 .BR ssl_nomitm
 - do not spoof certificates for services started below
 .SS Server TLS Commands
 .br
 .BR ssl_serv
 (or ssl_server) - require TLS connection from clients for services below
 .br
 .BR ssl_noserv
 (or ssl_noserver) - do not require TLS connection from clients for services below
 .SS Client TLS Commands
 .br
 .BR ssl_cli
 (or ssl_client) - establish TLS connection to upstream server for services below
 .br
 .BR ssl_nocli
 (or ssl_noclient) - do not establish TLS connection to upstream server for services below
 .SS SSL Parameters
 .br
 .BR ssl_server_cert
 \fI/path/to/cert\fR - Server certificate (should not be self-signed, must contain SAN) for ssl_serv
 .br
 .BR ssl_server_key
 \fI/path/to/key\fR - Server certificate key for ssl_server_cert or generated MITM certificate
 .br
 .BR ssl_client_cert
 \fI/path/to/cert\fR - Client certificate for authentication on upstream server (used with ssl_cli)
 .br
 .BR ssl_client_key
 \fI/path/to/key\fR - Client certificate key for ssl_client_cert
 .br
 .BR ssl_client_ciphersuites
 \fIciphersuites_list\fR - TLS client ciphers for TLS 1.3
 .br
 .BR ssl_server_ciphersuites
 \fIciphersuites_list\fR - TLS server ciphers for TLS 1.3
 .br
 .BR ssl_client_cipher_list
 \fIciphers_list\fR - TLS client ciphers for TLS 1.2 and below
 .br
 .BR ssl_server_cipher_list
 \fIciphers_list\fR - TLS server ciphers for TLS 1.2 and below
 .br
 .BR ssl_client_min_proto_version
 \fItls_version\fR - TLS client minimum TLS version (e.g., TLSv1.2)
 .br
 .BR ssl_server_min_proto_version
 \fItls_version\fR - TLS server minimum TLS version
 .br
 .BR ssl_client_max_proto_version
 \fItls_version\fR - TLS client maximum TLS version
 .br
 .BR ssl_server_max_proto_version
 \fItls_version\fR - TLS server maximum TLS version
 .br
 .BR ssl_client_verify
 - verify the certificate for the upstream server (used with ssl_mitm or ssl_cli)
 .br
 .BR ssl_client_no_verify
 - do not verify the certificate for the upstream server (default)
 .br
 .BR ssl_server_verify
 - require client certificate authentication (mTLS) for ssl_serv
 .br
 .BR ssl_server_no_verify
 - do not require client certificate (default)
 .br
 .BR ssl_server_ca_file
 \fI/path/to/cafile\fR - CA certificate file for MITM
 .br
 .BR ssl_server_ca_key
 \fI/path/to/cakey\fR - key for ssl_server_ca_file MITM CA
 .br
 .BR ssl_server_ca_dir
 \fI/path/to/cadir\fR - CA directory for ssl_server_verify
 .br
 .BR ssl_server_ca_store
 \fI/path/to/castore\fR - CA store for ssl_server_verify (OpenSSL 3.0+)
 .br
 .BR ssl_client_ca_file
 \fI/path/to/cafile\fR - CA file for ssl_client_verify
 .br
 .BR ssl_client_ca_dir
 \fI/path/to/cadir\fR - CA directory for ssl_client_verify
 .br
 .BR ssl_client_ca_store
 \fI/path/to/castore\fR - CA store for ssl_client_verify (OpenSSL 3.0+)
 .br
 .BR ssl_client_sni
 \fIhostname\fR - SNI hostname to send to upstream server
 .br
 .BR ssl_client_alpn
 \fIprotocol1 protocol2 ...\fR - ALPN protocols to negotiate with upstream server
 .br
 .BR ssl_client_mode
 \fImode\fR - when to establish TLS connection: 0 - on connect (default), 1 - after authentication, 2 - before data, 3 - only for secure parent types (ending with 's')
 .br
 .BR ssl_certcache
 \fI/path/to/cache/\fR - location for the generated MITM certificates cache
 .SH PCRE FILTERING
 PCRE (Perl Compatible Regular Expressions) filtering is built into 3proxy
 (since 0.9.7) when compiled with PCRE2 support (WITH_PCRE). Previously
 available as PCREPlugin, the functionality is now integrated into the main
 binary. The plugin line is no longer required.
 PCRE filtering allows creating matching and replacement rules with regular
 expressions for client requests, headers, and data.
 .SS PCRE Commands
 .br
 .BR pcre
 \fITYPE FILTER_ACTION REGEXP [ACE]\fR
 .br
 Apply a rule for matching regular expression.
 .br
 .BR pcre_rewrite
 \fITYPE FILTER_ACTION REGEXP REWRITE_EXPRESSION [ACE]\fR
 .br
 Match and replace with rewrite expression.
 .br
 .BR pcre_extend
 \fIFILTER_ACTION [ACE]\fR
 .br
 Extend the ACL of the last pcre or pcre_rewrite command by adding an additional ACE.
 .br
 .BR pcre_options
 \fIOPTION1 [OPTION2 ...]\fR
 .br
 Set matching options. Both PCRE2 native options and PCRE compatibility options
 are supported. PCRE options are mapped to their PCRE2 equivalents for backward
 compatibility.
 .br
 PCRE2 options: PCRE2_CASELESS, PCRE2_MULTILINE, PCRE2_DOTALL, PCRE2_EXTENDED,
 PCRE2_DOLLAR_ENDONLY, PCRE2_UNGREEDY, PCRE2_UTF, PCRE2_UCP, PCRE2_NO_AUTO_CAPTURE,
 PCRE2_FIRSTLINE, PCRE2_DUPNAMES, PCRE2_MATCH_UNSET_BACKREF, PCRE2_ALT_BSUX,
 PCRE2_ALT_CIRCUMFLEX, PCRE2_ALT_VERBNAMES, PCRE2_USE_OFFSET_LIMIT, PCRE2_EXTENDED_MORE,
 PCRE2_LITERAL, PCRE2_MATCH_INVALID_UTF.
 .br
 PCRE compatibility options: PCRE_CASELESS, PCRE_MULTILINE, PCRE_DOTALL, PCRE_EXTENDED,
 PCRE_ANCHORED, PCRE_DOLLAR_ENDONLY, PCRE_EXTRA, PCRE_NOTBOL, PCRE_NOTEOL, PCRE_UNGREEDY,
 PCRE_NOTEMPTY, PCRE_UTF8, PCRE_NO_AUTO_CAPTURE, PCRE_NO_UTF8_CHECK, PCRE_AUTO_CALLOUT,
 PCRE_PARTIAL, PCRE_DFA_SHORTEST, PCRE_DFA_RESTART, PCRE_FIRSTLINE, PCRE_DUPNAMES,
 PCRE_NEWLINE_CR, PCRE_NEWLINE_LF, PCRE_NEWLINE_CRLF, PCRE_NEWLINE_ANY, PCRE_NEWLINE_ANYCRLF,
 PCRE_BSR_ANYCRLF, PCRE_BSR_UNICODE.
 .SS PCRE Parameters
 TYPE - type of filtered data (comma-delimited list):
 .br
 request - content of the client's request (e.g., HTTP GET request string)
 .br
 cliheader - content of the client request headers
 .br
 srvheader - content of the server's reply headers
 .br
 clidata - data received from the client (e.g., HTTP POST data)
 .br
 srvdata - data received from the server (e.g., HTML page)
 FILTER_ACTION - action on match:
 .br
 allow - allow this request without checking the rest of the rules
 .br
 deny - deny this request without checking the rest of the rules
 .br
 dunno - continue with the rest of the rules (useful with pcre_rewrite)
 REGEXP - PCRE (Perl) regular expression. Use * if no regexp matching is required.
 REWRITE_EXPRESSION - substitution string. May contain Perl-style substrings
 $1, $2, etc. $0 means the whole matched string. \er and \en may be used
 to insert new lines; the string may be empty ("").
 ACE - access control entry (user names, source IPs, destination IPs, ports, etc.),
 identical to allow/deny/bandlimin commands. The regular expression is only
 matched if the ACL matches the connection data.
 Warning: Regular expressions don't require authentication and cannot replace
 authentication and/or allow/deny ACLs.
 .SH BUGS
 Report all bugs to
 .BR 3proxy@3proxy.org