Update documentation

doc/html/howtoe.html

@@ -33,8 +33,9 @@
 		<li><a href="#NAMES">How to resolve names through a parent proxy</a></li>
 		<li><a href="#ISFTP">How to set up an FTP proxy</a></li>
 		<li><a href="#TLSPR">How to set up an SNI proxy (tlspr)</a></li>
-		<li><a href="#SSLPLUGIN">How to set up TLS/SSL with SSLPlugin (https proxy, mTLS)</a></li>
+		<li><a href="#SSLPLUGIN">How to set up TLS/SSL (https proxy, mTLS)</a></li>
-		<li><a href="#CERTIFICATES">How to create CA and certificates for SSLPlugin</a></li>
+		<li><a href="#CERTIFICATES">How to create CA and certificates for SSL</a></li>
+		<li><a href="#PCRE">How to use PCRE filtering (regular expressions)</a></li>
 		<li><A HREF="#AUTH">How to limit service access</A>
 		<li><A HREF="#USERS">How to create a user list</A>
 		<li><A HREF="#ACL">How to limit user access to resources</A>
@@ -639,9 +640,12 @@ allow *
 proxy
 </pre>
   </p>
-		<li><a name="SSLPLUGIN"><i>How to set up TLS/SSL with SSLPlugin (https proxy, mTLS)</i></a>
+		<li><a name="SSLPLUGIN"><i>How to set up TLS/SSL (https proxy, mTLS)</i></a>
 <p>
-SSLPlugin provides TLS/SSL support for 3proxy. It can be used to:
+Since version 0.9.7, SSL/TLS support is built into 3proxy when compiled with OpenSSL
+(WITH_SSL). Previously available as SSLPlugin, the functionality is now integrated
+into the main binary. The plugin line is no longer required.
+SSL/TLS support can be used to:
 <ul>
 <li>Create an https:// proxy (TLS-encrypted connection between client and proxy)</li>
 <li>Implement MITM for TLS traffic inspection</li>
@@ -654,7 +658,6 @@ SSLPlugin provides TLS/SSL support for 3proxy. It can be used to:
 <br>To create an https:// proxy, you need a server certificate and key. The certificate must not be self-signed
 and should contain Subject Alternative Names (SAN) for the proxy hostname/IP.
 </p><pre>
-plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_cert /etc/3proxy/certs/server.crt
 ssl_server_key /etc/3proxy/certs/server.key
 ssl_serv
@@ -670,7 +673,6 @@ Configure clients to use https://proxy-host:3129/ as the proxy URL.
 <b>Client certificate authentication (mTLS):</b>
 <br>To require clients to authenticate with a certificate, use ssl_server_verify and provide the CA certificate:
 </p><pre>
-plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_cert /etc/3proxy/certs/server.crt
 ssl_server_key /etc/3proxy/certs/server.key
 ssl_server_ca_file /etc/3proxy/certs/ca.crt
@@ -685,7 +687,6 @@ Only clients with a valid certificate signed by the CA can connect.
 <b>MITM for TLS traffic inspection:</b>
 <br>To intercept and decrypt TLS traffic, you need a CA certificate to generate spoofed server certificates:
 </p><pre>
-plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_ca_file /etc/3proxy/certs/ca.crt
 ssl_server_ca_key /etc/3proxy/certs/ca.key
 ssl_client_verify
@@ -703,7 +704,6 @@ Without ssl_client_verify, the proxy is vulnerable to MITM attacks.
 <b>TLS client (connect to upstream via TLS):</b>
 <br>To connect to upstream servers via TLS with client certificate authentication:
 </p><pre>
-plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_client_cert /etc/3proxy/certs/client.crt
 ssl_client_key /etc/3proxy/certs/client.key
 ssl_client_verify
@@ -715,7 +715,6 @@ proxy -p3128
 <b>Conditional TLS for parent proxy (ssl_client_mode 3):</b>
 <br>With ssl_client_mode 3, TLS handshake to parent proxy is performed only if the parent type ends with 's' (secure types). This allows mixing secure and non-secure parent proxies in the same configuration:
 </p><pre>
-plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_cert /etc/3proxy/certs/server.crt
 ssl_server_key /etc/3proxy/certs/server.key
 ssl_client_mode 3
@@ -734,7 +733,7 @@ ssl_nocli
 <p>
 This creates an HTTPS proxy (ssl_serv) that accepts TLS connections from clients. For parent proxy connections, user1's traffic goes through an https parent with TLS encryption (secure type), while user2's traffic goes through a regular socks5 parent without TLS. Secure parent types include: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps.
 </p>
-		<li><a name="CERTIFICATES"><i>How to create CA and certificates for SSLPlugin</i></a>
+		<li><a name="CERTIFICATES"><i>How to create CA and certificates for SSL</i></a>
 <p>
 <b>Creating a Certificate Authority (CA):</b>
 <br>For MITM or mTLS, you need a CA. Generate a CA private key and certificate:
@@ -849,6 +848,65 @@ openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
 openssl pkcs12 -export -out client.p12 -passout pass: \
     -inkey client.key -in client.crt -certfile ca.crt
 </pre>
+		<li><a name="PCRE"><i>How to use PCRE filtering (regular expressions)</i></a>
+<p>
+Since version 0.9.7, PCRE (Perl Compatible Regular Expressions) filtering is built into
+3proxy when compiled with PCRE2 support (WITH_PCRE). Previously available as PCREPlugin,
+the functionality is now integrated into the main binary. The plugin line is no longer required.
+</p>
+<p>
+PCRE filtering can be used to create matching and replacement rules with regular expressions
+for client requests, client and server headers, and client and server data.
+</p>
+<p>
+<b>Commands:</b>
+</p><pre>
+pcre TYPE FILTER_ACTION REGEXP [ACE]
+pcre_rewrite TYPE FILTER_ACTION REGEXP REWRITE_EXPRESSION [ACE]
+pcre_extend FILTER_ACTION [ACE]
+pcre_options OPTION1 [...]
+</pre>
+<p>
+<ul>
+<li><b>TYPE</b> - type of filtered data (comma-delimited list):
+ <ul>
+ <li><b>request</b> - content of the client's request (e.g., HTTP GET request string)
+ <li><b>cliheader</b> - content of the client request headers
+ <li><b>srvheader</b> - content of the server's reply headers
+ <li><b>clidata</b> - data received from the client (e.g., HTTP POST data)
+ <li><b>srvdata</b> - data received from the server (e.g., HTML page)
+ </ul>
+<li><b>FILTER_ACTION</b> - action on match:
+ <ul>
+ <li><b>allow</b> - allow this request without checking the rest of the rules
+ <li><b>deny</b> - deny this request without checking the rest of the rules
+ <li><b>dunno</b> - continue with the rest of the rules (useful with pcre_rewrite)
+ </ul>
+<li><b>REGEXP</b> - PCRE (Perl) regular expression. Use * if no regexp matching is required.
+<li><b>REWRITE_EXPRESSION</b> - substitution string. May contain Perl-style substrings
+$1, $2, etc. $0 means the whole matched string. \r and \n may be used to insert new lines.
+<li><b>ACE</b> - access control entry (user names, source IPs, destination IPs, ports, etc.),
+identical to allow/deny/bandlimin commands. The regular expression is only matched if the ACL
+matches the connection data.
+</ul>
+</p>
+<p>
+<b>Examples:</b>
+</p><pre>
+# Block requests containing specific keywords for certain users
+pcre request deny "porn|sex" user1,user2,user3 192.168.0.0/16
+
+# Block responses with specific content type
+pcre srvheader deny "Content-type: application"
+
+# Replace content in both directions (censorship)
+pcre_rewrite clidata,srvdata dunno "porn|sex|pussy" "***" baduser
+pcre_extend deny * 192.168.0.1/16
+</pre>
+<p>
+<b>Note:</b> Regular expressions don't require authentication and cannot replace
+authentication and/or allow/deny ACLs.
+</p>
 		<li><A NAME="AUTH">How to limit service access</A>
 <p>
 First, always specify the internal interface to accept incoming connections with the

doc/html/howtor.html

@@ -33,8 +33,9 @@
     <li><a href="#NAMES">Как разрешать имена на родительском прокси?</a></li>
     <li><a href="#ISFTP">Как настроить FTP прокси?</a></li>
     <li><a href="#TLSPR">Как настроить SNI proxy (tlspr)</a></li>
-    <li><a href="#SSLPLUGIN">Как настроить TLS/SSL с помощью SSLPlugin (https прокси, mTLS)</a></li>
+    <li><a href="#SSLPLUGIN">Как настроить TLS/SSL (https прокси, mTLS)</a></li>
-    <li><a href="#CERTIFICATES">Как создать CA и сертификаты для SSLPlugin</a></li>
+    <li><a href="#CERTIFICATES">Как создать CA и сертификаты для SSL</a></li>
+    <li><a href="#PCRE">Как использовать PCRE-фильтрацию (регулярные выражения)</a></li>
     <li><a href="#AUTH">Как ограничить доступ к службе</a>
     <li><a href="#USERS">Как создать список пользователей</a>
     <li><a href="#ACL">Как ограничить доступ пользователей к ресурсам</a>
@@ -648,9 +649,12 @@ proxy
 </pre>
   </p>
 
-  <li><a name="SSLPLUGIN"><i>Как настроить TLS/SSL с помощью SSLPlugin (https прокси, mTLS)</i></a>
+  <li><a name="SSLPLUGIN"><i>Как настроить TLS/SSL (https прокси, mTLS)</i></a>
 <p>
-SSLPlugin обеспечивает поддержку TLS/SSL для 3proxy. Он может использоваться для:
+Начиная с версии 0.9.7 поддержка TLS/SSL встроена в 3proxy при компиляции с OpenSSL
+(WITH_SSL). Ранее доступная как SSLPlugin, функциональность теперь интегрирована
+в основной бинарный файл. Строка plugin больше не нужна.
+TLS/SSL может использоваться для:
 <ul>
 <li>Создания https:// прокси (TLS-шифрованное соединение между клиентом и прокси)</li>
 <li>Реализации MITM для инспекции TLS-трафика</li>
@@ -663,7 +667,6 @@ SSLPlugin обеспечивает поддержку TLS/SSL для 3proxy. О
 <br>Для создания https:// прокси требуется сертификат и ключ сервера. Сертификат не должен быть самоподписанным
 и должен содержать альтернативные имена (SAN) для имени хоста/IP прокси.
 </p><pre>
-plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_cert /etc/3proxy/certs/server.crt
 ssl_server_key /etc/3proxy/certs/server.key
 ssl_serv
@@ -679,7 +682,6 @@ proxy -p3128
 <b>Аутентификация по клиентскому сертификату (mTLS):</b>
 <br>Чтобы требовать от клиентов аутентификацию по сертификату, используйте ssl_server_verify и укажите CA-сертификат:
 </p><pre>
-plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_cert /etc/3proxy/certs/server.crt
 ssl_server_key /etc/3proxy/certs/server.key
 ssl_server_ca_file /etc/3proxy/certs/ca.crt
@@ -694,7 +696,6 @@ proxy -p3129
 <b>MITM для инспекции TLS-трафика:</b>
 <br>Для перехвата и расшифровки TLS-трафика требуется CA-сертификат для генерации подделанных серверных сертификатов:
 </p><pre>
-plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_ca_file /etc/3proxy/certs/ca.crt
 ssl_server_ca_key /etc/3proxy/certs/ca.key
 ssl_client_verify
@@ -712,7 +713,6 @@ CA-сертификат должен быть доверенным для кли
 <b>TLS-клиент (соединение с вышестоящим сервером через TLS):</b>
 <br>Для соединения с вышестоящими серверами через TLS с аутентификацией по клиентскому сертификату:
 </p><pre>
-plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_client_cert /etc/3proxy/certs/client.crt
 ssl_client_key /etc/3proxy/certs/client.key
 ssl_client_verify
@@ -724,7 +724,6 @@ proxy -p3128
 <b>Условное TLS для parent прокси (ssl_client_mode 3):</b>
 <br>При ssl_client_mode 3 TLS-рукопожатие с родительским прокси выполняется только если тип parent прокси заканчивается на 's' (защищённые типы). Это позволяет смешивать защищённые и незащищённые родительские прокси в одной конфигурации:
 </p><pre>
-plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_cert /etc/3proxy/certs/server.crt
 ssl_server_key /etc/3proxy/certs/server.key
 ssl_client_mode 3
@@ -743,7 +742,7 @@ ssl_nocli
 <p>
 Создаётся HTTPS-прокси (ssl_serv), принимающий TLS-соединения от клиентов. Для соединений с родительским прокси трафик user1 идёт через https родитель с TLS-шифрованием (защищённый тип), а трафик user2 — через обычный socks5 родитель без TLS. Защищённые типы parent прокси: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps.
 </p>
-  <li><a name="CERTIFICATES"><i>Как создать CA и сертификаты для SSLPlugin</i></a>
+  <li><a name="CERTIFICATES"><i>Как создать CA и сертификаты для SSL</i></a>
 <p>
 <b>Создание удостоверяющего центра (CA):</b>
 <br>Для MITM или mTLS требуется CA. Сгенерируйте закрытый ключ CA и сертификат:
@@ -859,6 +858,66 @@ openssl pkcs12 -export -out client.p12 -passout pass: \
     -inkey client.key -in client.crt -certfile ca.crt
 </pre>
 
+  <li><a name="PCRE"><i>Как использовать PCRE-фильтрацию (регулярные выражения)</i></a>
+<p>
+Начиная с версии 0.9.7 фильтрация PCRE встроена в 3proxy при компиляции с поддержкой
+PCRE2 (WITH_PCRE). Ранее доступная как PCREPlugin, функциональность теперь интегрирована
+в основной бинарный файл. Строка plugin больше не нужна.
+</p>
+<p>
+PCRE-фильтрация может использоваться для создания правил поиска и замены с регулярными
+выражениями для запросов клиентов, заголовков клиента и сервера, а также данных.
+</p>
+<p>
+<b>Команды:</b>
+</p><pre>
+pcre TYPE FILTER_ACTION REGEXP [ACE]
+pcre_rewrite TYPE FILTER_ACTION REGEXP REWRITE_EXPRESSION [ACE]
+pcre_extend FILTER_ACTION [ACE]
+pcre_options OPTION1 [...]
+</pre>
+<p>
+<ul>
+<li><b>TYPE</b> - тип фильтруемых данных (список через запятую):
+ <ul>
+ <li><b>request</b> - содержимое запроса клиента (например, строка HTTP GET-запроса)
+ <li><b>cliheader</b> - содержимое заголовков запроса клиента
+ <li><b>srvheader</b> - содержимое заголовков ответа сервера
+ <li><b>clidata</b> - данные полученные от клиента (например, данные POST-запроса)
+ <li><b>srvdata</b> - данные полученные от сервера (например, HTML-страница)
+ </ul>
+<li><b>FILTER_ACTION</b> - действие при совпадении:
+ <ul>
+ <li><b>allow</b> - разрешить запрос без проверки остальных правил
+ <li><b>deny</b> - запретить запрос без проверки остальных правил
+ <li><b>dunno</b> - продолжить проверку правил (полезно для pcre_rewrite)
+ </ul>
+<li><b>REGEXP</b> - регулярное выражение PCRE (Perl). Используйте * если проверка не требуется.
+<li><b>REWRITE_EXPRESSION</b> - строка замены. Может содержать Perl-подстановки
+$1, $2 и т.д. $0 - вся найденная подстрока. \r и \n для вставки новых строк.
+<li><b>ACE</b> - элемент списка контроля доступа (имена пользователей, IP источника,
+IP назначения, порты и т.д.), аналогичный командам allow/deny/bandlimin.
+Регулярное выражение проверяется только при совпадении ACL с данными соединения.
+</ul>
+</p>
+<p>
+<b>Примеры:</b>
+</p><pre>
+# Блокировать запросы с определёнными ключевыми словами для некоторых пользователей
+pcre request deny "porn|sex" user1,user2,user3 192.168.0.0/16
+
+# Блокировать ответы с определённым content-type
+pcre srvheader deny "Content-type: application"
+
+# Замена содержимого в обоих направлениях (цензура)
+pcre_rewrite clidata,srvdata dunno "porn|sex|pussy" "***" baduser
+pcre_extend deny * 192.168.0.1/16
+</pre>
+<p>
+<b>Примечание:</b> Регулярные выражения не требуют авторизации и не могут заменить
+авторизацию и/или ACL allow/deny.
+</p>
+
   <li><a name="AUTH"><i>Как ограничить доступ к службе</i></a>
   <p>
   Во-первых, для ограничения доступа необходимо указать внутренний интерфейс,

doc/html/man5/3proxy.cfg.5.html

@@ -10,6 +10,14 @@
 <a href="#NAME">NAME</a><br>
 <a href="#DESCRIPTION">DESCRIPTION</a><br>
 <a href="#PLUGINS">PLUGINS</a><br>
+<a href="#SSL/TLS SUPPORT">SSL/TLS SUPPORT</a><br>
+<a href="#MITM Commands">MITM Commands</a><br>
+<a href="#Server TLS Commands">Server TLS Commands</a><br>
+<a href="#Client TLS Commands">Client TLS Commands</a><br>
+<a href="#SSL Parameters">SSL Parameters</a><br>
+<a href="#PCRE FILTERING">PCRE FILTERING</a><br>
+<a href="#PCRE Commands">PCRE Commands</a><br>
+<a href="#PCRE Parameters">PCRE Parameters</a><br>
 <a href="#BUGS">BUGS</a><br>
 <a href="#SEE ALSO">SEE ALSO</a><br>
 <a href="#TRIVIA">TRIVIA</a><br>
@@ -1017,6 +1025,220 @@ the given value, no data filtering will be performed through
 filtering plugins to avoid data corruption and/or
 Content-Length changing. Default is 1MB (1048576).</p>
 
+<h2>SSL/TLS SUPPORT
+<a name="SSL/TLS SUPPORT"></a>
+</h2>
+
+
+<p style="margin-left:6%; margin-top: 1em">SSL/TLS support
+is built into 3proxy (since 0.9.7) when compiled with
+OpenSSL (WITH_SSL). Previously available as SSLPlugin, the
+functionality is now integrated into the main binary. The
+plugin line is no longer required.</p>
+
+<p style="margin-left:6%; margin-top: 1em">SSL/TLS can be
+used for: - transparent MITM (Man-in-the-Middle) for TLS
+traffic inspection - https:// proxy (TLS-encrypted
+connection between client and proxy) - TLS client
+connections to upstream servers with certificate
+authentication - mTLS (mutual TLS) requiring client
+certificates</p>
+
+<h3>MITM Commands
+<a name="MITM Commands"></a>
+</h3>
+
+
+<p style="margin-left:6%; margin-top: 1em"><b>ssl_mitm</b>
+- spoof certificates for services started below. Usage
+without ssl_client_verify is insecure. <b><br>
+ssl_nomitm</b> - do not spoof certificates for services
+started below</p>
+
+<h3>Server TLS Commands
+<a name="Server TLS Commands"></a>
+</h3>
+
+
+<p style="margin-left:6%; margin-top: 1em"><b>ssl_serv</b>
+(or ssl_server) - require TLS connection from clients for
+services below <b><br>
+ssl_noserv</b> (or ssl_noserver) - do not require TLS
+connection from clients for services below</p>
+
+<h3>Client TLS Commands
+<a name="Client TLS Commands"></a>
+</h3>
+
+
+<p style="margin-left:6%; margin-top: 1em"><b>ssl_cli</b>
+(or ssl_client) - establish TLS connection to upstream
+server for services below <b><br>
+ssl_nocli</b> (or ssl_noclient) - do not establish TLS
+connection to upstream server for services below</p>
+
+<h3>SSL Parameters
+<a name="SSL Parameters"></a>
+</h3>
+
+
+
+<p style="margin-left:6%; margin-top: 1em"><b>ssl_server_cert</b>
+<i>/path/to/cert</i> - Server certificate (should not be
+self-signed, must contain SAN) for ssl_serv <b><br>
+ssl_server_key</b> <i>/path/to/key</i> - Server certificate
+key for ssl_server_cert or generated MITM certificate
+<b><br>
+ssl_client_cert</b> <i>/path/to/cert</i> - Client
+certificate for authentication on upstream server (used with
+ssl_cli) <b><br>
+ssl_client_key</b> <i>/path/to/key</i> - Client certificate
+key for ssl_client_cert <b><br>
+ssl_client_ciphersuites</b> <i>ciphersuites_list</i> - TLS
+client ciphers for TLS 1.3 <b><br>
+ssl_server_ciphersuites</b> <i>ciphersuites_list</i> - TLS
+server ciphers for TLS 1.3 <b><br>
+ssl_client_cipher_list</b> <i>ciphers_list</i> - TLS client
+ciphers for TLS 1.2 and below <b><br>
+ssl_server_cipher_list</b> <i>ciphers_list</i> - TLS server
+ciphers for TLS 1.2 and below <b><br>
+ssl_client_min_proto_version</b> <i>tls_version</i> - TLS
+client minimum TLS version (e.g., TLSv1.2) <b><br>
+ssl_server_min_proto_version</b> <i>tls_version</i> - TLS
+server minimum TLS version <b><br>
+ssl_client_max_proto_version</b> <i>tls_version</i> - TLS
+client maximum TLS version <b><br>
+ssl_server_max_proto_version</b> <i>tls_version</i> - TLS
+server maximum TLS version <b><br>
+ssl_client_verify</b> - verify the certificate for the
+upstream server (used with ssl_mitm or ssl_cli) <b><br>
+ssl_client_no_verify</b> - do not verify the certificate for
+the upstream server (default) <b><br>
+ssl_server_verify</b> - require client certificate
+authentication (mTLS) for ssl_serv <b><br>
+ssl_server_no_verify</b> - do not require client certificate
+(default) <b><br>
+ssl_server_ca_file</b> <i>/path/to/cafile</i> - CA
+certificate file for MITM <b><br>
+ssl_server_ca_key</b> <i>/path/to/cakey</i> - key for
+ssl_server_ca_file MITM CA <b><br>
+ssl_server_ca_dir</b> <i>/path/to/cadir</i> - CA directory
+for ssl_server_verify <b><br>
+ssl_server_ca_store</b> <i>/path/to/castore</i> - CA store
+for ssl_server_verify (OpenSSL 3.0+) <b><br>
+ssl_client_ca_file</b> <i>/path/to/cafile</i> - CA file for
+ssl_client_verify <b><br>
+ssl_client_ca_dir</b> <i>/path/to/cadir</i> - CA directory
+for ssl_client_verify <b><br>
+ssl_client_ca_store</b> <i>/path/to/castore</i> - CA store
+for ssl_client_verify (OpenSSL 3.0+) <b><br>
+ssl_client_sni</b> <i>hostname</i> - SNI hostname to send to
+upstream server <b><br>
+ssl_client_alpn</b> <i>protocol1 protocol2 ...</i> - ALPN
+protocols to negotiate with upstream server <b><br>
+ssl_client_mode</b> <i>mode</i> - when to establish TLS
+connection: 0 - on connect (default), 1 - after
+authentication, 2 - before data, 3 - only for secure parent
+types (ending with &rsquo;s&rsquo;) <b><br>
+ssl_certcache</b> <i>/path/to/cache/</i> - location for the
+generated MITM certificates cache</p>
+
+<h2>PCRE FILTERING
+<a name="PCRE FILTERING"></a>
+</h2>
+
+
+<p style="margin-left:6%; margin-top: 1em">PCRE (Perl
+Compatible Regular Expressions) filtering is built into
+3proxy (since 0.9.7) when compiled with PCRE2 support
+(WITH_PCRE). Previously available as PCREPlugin, the
+functionality is now integrated into the main binary. The
+plugin line is no longer required.</p>
+
+<p style="margin-left:6%; margin-top: 1em">PCRE filtering
+allows creating matching and replacement rules with regular
+expressions for client requests, headers, and data.</p>
+
+<h3>PCRE Commands
+<a name="PCRE Commands"></a>
+</h3>
+
+
+<p style="margin-left:6%; margin-top: 1em"><b>pcre</b>
+<i>TYPE FILTER_ACTION REGEXP [ACE]</i> <br>
+Apply a rule for matching regular expression. <b><br>
+pcre_rewrite</b> <i>TYPE FILTER_ACTION REGEXP
+REWRITE_EXPRESSION [ACE]</i> <br>
+Match and replace with rewrite expression. <b><br>
+pcre_extend</b> <i>FILTER_ACTION [ACE]</i> <br>
+Extend the ACL of the last pcre or pcre_rewrite command by
+adding an additional ACE. <b><br>
+pcre_options</b> <i>OPTION1 [OPTION2 ...]</i> <br>
+Set matching options. Both PCRE2 native options and PCRE
+compatibility options are supported. PCRE options are mapped
+to their PCRE2 equivalents for backward compatibility. <br>
+PCRE2 options: PCRE2_CASELESS, PCRE2_MULTILINE,
+PCRE2_DOTALL, PCRE2_EXTENDED, PCRE2_DOLLAR_ENDONLY,
+PCRE2_UNGREEDY, PCRE2_UTF, PCRE2_UCP, PCRE2_NO_AUTO_CAPTURE,
+PCRE2_FIRSTLINE, PCRE2_DUPNAMES, PCRE2_MATCH_UNSET_BACKREF,
+PCRE2_ALT_BSUX, PCRE2_ALT_CIRCUMFLEX, PCRE2_ALT_VERBNAMES,
+PCRE2_USE_OFFSET_LIMIT, PCRE2_EXTENDED_MORE, PCRE2_LITERAL,
+PCRE2_MATCH_INVALID_UTF. <br>
+PCRE compatibility options: PCRE_CASELESS, PCRE_MULTILINE,
+PCRE_DOTALL, PCRE_EXTENDED, PCRE_ANCHORED,
+PCRE_DOLLAR_ENDONLY, PCRE_EXTRA, PCRE_NOTBOL, PCRE_NOTEOL,
+PCRE_UNGREEDY, PCRE_NOTEMPTY, PCRE_UTF8,
+PCRE_NO_AUTO_CAPTURE, PCRE_NO_UTF8_CHECK, PCRE_AUTO_CALLOUT,
+PCRE_PARTIAL, PCRE_DFA_SHORTEST, PCRE_DFA_RESTART,
+PCRE_FIRSTLINE, PCRE_DUPNAMES, PCRE_NEWLINE_CR,
+PCRE_NEWLINE_LF, PCRE_NEWLINE_CRLF, PCRE_NEWLINE_ANY,
+PCRE_NEWLINE_ANYCRLF, PCRE_BSR_ANYCRLF,
+PCRE_BSR_UNICODE.</p>
+
+<h3>PCRE Parameters
+<a name="PCRE Parameters"></a>
+</h3>
+
+
+<p style="margin-left:6%; margin-top: 1em">TYPE - type of
+filtered data (comma-delimited list): <br>
+request - content of the client&rsquo;s request (e.g., HTTP
+GET request string) <br>
+cliheader - content of the client request headers <br>
+srvheader - content of the server&rsquo;s reply headers <br>
+clidata - data received from the client (e.g., HTTP POST
+data) <br>
+srvdata - data received from the server (e.g., HTML
+page)</p>
+
+<p style="margin-left:6%; margin-top: 1em">FILTER_ACTION -
+action on match: <br>
+allow - allow this request without checking the rest of the
+rules <br>
+deny - deny this request without checking the rest of the
+rules <br>
+dunno - continue with the rest of the rules (useful with
+pcre_rewrite)</p>
+
+<p style="margin-left:6%; margin-top: 1em">REGEXP - PCRE
+(Perl) regular expression. Use * if no regexp matching is
+required.</p>
+
+
+<p style="margin-left:6%; margin-top: 1em">REWRITE_EXPRESSION
+- substitution string. May contain Perl-style substrings $1,
+$2, etc. $0 means the whole matched string. \r and \n may be
+used to insert new lines; the string may be empty
+(&quot;&quot;).</p>
+
+<p style="margin-left:6%; margin-top: 1em">ACE - access
+control entry (user names, source IPs, destination IPs,
+ports, etc.), identical to allow/deny/bandlimin commands.
+The regular expression is only matched if the ACL matches
+the connection data. Warning: Regular expressions
+don&rsquo;t require authentication and cannot replace
+authentication and/or allow/deny ACLs.</p>
+
 <h2>BUGS
 <a name="BUGS"></a>
 </h2>

doc/html/plugins/PCREPlugin.html

@@ -1,10 +1,13 @@
+<h3>3proxy PCRE (Perl Compatible Regular Expressions) Filtering</h3>
 
-<h3>3proxy Perl Compatible Regular Expressions (PCRE) Plugin</h3>
+<p><b>Note:</b> Since version 0.9.7, PCRE filtering is built into 3proxy and does not require
+a separate plugin. All pcre_* commands are available directly when 3proxy is compiled with
+PCRE2 support (WITH_PCRE). The plugin line is no longer needed.</p>
 
-This filtering plugin can be used to create matching and replacement
+<p>This filtering functionality can be used to create matching and replacement
 rules with regular expressions for client requests, client and
 server headers, and client and server data. It adds 3 additional
-configuration commands:
+configuration commands:</p>
 
 <pre>
 pcre TYPE FILTER_ACTION REGEXP [ACE]
@@ -78,16 +81,10 @@ authentication and/or allow/deny ACLs.
 
 <h4>Example:</h4>
 <pre>
-plugin PCREPlugin.dll pcre_plugin
 pcre request deny "porn|sex" user1,user2,user3 192.168.0.0/16
 pcre srvheader deny "Content-type: application"
 pcre_rewrite clidata,srvdata dunno "porn|sex|pussy" "***" baduser
 pcre_extend deny * 192.168.0.1/16
 </pre>
 
-<h4>Download:</h4>
+&copy; Vladimir Dubrovin, License: BSD style
-<ul>
- <li>Plugin is included in the 3proxy 0.6 binary and source distribution
- <li>Example configuration (by Dennis Garber): <A HREF="NoPornLitest.cfg.txt">NoPornLitest.cfg</A>
-</li></ul>
-

doc/html/plugins/PCREPlugin.ru.html

@@ -1,8 +1,12 @@
-<h3>Плагин регулярных выражений совместимых с Perl (PCRE) для 3proxy</h3>
+<h3>Фильтрация PCRE (Perl Compatible Regular Expressions) в 3proxy</h3>
 
-Фильтрующий плагин используется для создания правил поиска и замены
+<p><b>Примечание:</b> Начиная с версии 0.9.7 фильтрация PCRE встроена в 3proxy и не требует
+отдельного плагина. Все команды pcre_* доступны напрямую при компиляции 3proxy с поддержкой
+PCRE2 (WITH_PCRE). Строка plugin больше не нужна.</p>
+
+<p>Фильтрующий плагин используется для создания правил поиска и замены
 регулярных выражений в запросе, заголовков запроса и ответа и данных.
-Добавляет поддержку 3х новых команд в файле конфигурации:
+Добавляет поддержку 3х новых команд в файле конфигурации:</p>
 
 <pre>
 pcre TYPE FILTER_ACTION REGEXP [ACE]
@@ -30,7 +34,7 @@ PCRE_UTF8,
 PCRE_NO_AUTO_CAPTURE,
 PCRE_NO_UTF8_CHECK,
 PCRE_AUTO_CALLOUT,
-PCRE_PARTIAL,     
+PCRE_PARTIAL,
 PCRE_DFA_SHORTEST,
 PCRE_DFA_RESTART,
 PCRE_FIRSTLINE,
@@ -58,7 +62,7 @@ PCRE_BSR_UNICODE
 <li>FILTER_ACTION - действие при совпадении. Может принимать значение
  <ul><li>allow - разрешить данный запрос без просмотра дальнейших правил
  <li>deny - запретить данный запрос без просмотра дальнейших правил
- <li>dunno - продолжить анализ правил (полезно для pcre_rewrite) 
+ <li>dunno - продолжить анализ правил (полезно для pcre_rewrite)
  </ul>
 <li>REGEXP - регулярное выражение в формате PCRE (perl). Используйте * если не
 требуется проерка регулярного выражения.
@@ -76,15 +80,10 @@ PCRE_BSR_UNICODE
 
 <h4>Пример:</h4>
 <pre>
-plugin PCREPlugin.dll pcre_plugin
 pcre request deny "porn|sex" user1,user2,user3 192.168.0.0/16
 pcre srvheader deny "Content-type: application"
 pcre_rewrite clidata,srvdata dunno "porn|sex|pussy" "***" baduser
 pcre_extend deny * 192.168.0.1/16
 </pre>
 
-<h4>Загрузить:</h4>
+&copy; Vladimir Dubrovin, License: BSD style
-<ul>
- <li>Плагин включен в дистрибутив 3proxy 0.6
- <li>Пример конфигурации (by Dennis Garber): <A HREF="NoPornLitest.cfg.txt">NoPornLitest.cfg</A>
-</li></ul>

doc/html/plugins/SSLPlugin.html

@@ -1,6 +1,11 @@
-<h3>3proxy SSL/TLS Plugin</h3>
+<h3>3proxy SSL/TLS Support</h3>
 
-This plugin can be used to transparently decrypt SSL/TLS data, provide TLS encryption for proxy traffic, and authenticate using client certificates.
+<p><b>Note:</b> Since version 0.9.7, SSL/TLS support is built into 3proxy and does not require
+a separate plugin. All ssl_* commands are available directly when 3proxy is compiled with
+OpenSSL support (WITH_SSL). The plugin line is no longer needed.</p>
+
+<p>SSL/TLS support can be used to transparently decrypt SSL/TLS data, provide TLS encryption
+for proxy traffic, and authenticate using client certificates.</p>
 
 <h4>For transparent certificate spoofing (MITM):</h4>
 
@@ -55,7 +60,6 @@ Generated certificates are placed in the same path.
 
 <h4>MITM example:</h4>
 <pre>
-plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_server_ca_file /path/to/cafile
 ssl_server_ca_key /path/to/cakey
 ssl_mitm
@@ -67,7 +71,6 @@ MITM's traffic with a spoofed certificate for the port 3128 proxy.
 
 <h4>https:// proxy example:</h4>
 <pre>
-plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_server_cert path_to_cert
 ssl_server_key path_to_key
 ssl_serv
@@ -79,7 +82,6 @@ Creates an https:// proxy on port 33128 and an http:// proxy on port 3128
 
 <h4>TLS client example (connect to upstream via TLS):</h4>
 <pre>
-plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_client_cert /path/to/client.crt
 ssl_client_key /path/to/client.key
 ssl_client_verify
@@ -91,7 +93,6 @@ Creates an HTTP proxy that connects to upstream servers via TLS with client cert
 
 <h4>Conditional TLS for parent proxy (ssl_client_mode 3):</h4>
 <pre>
-plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_server_cert /path/to/server.crt
 ssl_server_key /path/to/key
 ssl_client_mode 3
@@ -111,7 +112,6 @@ Creates an HTTP proxy on port 3128 that uses TLS for client connections (ssl_ser
 
 <h4>mTLS example (require client certificate):</h4>
 <pre>
-plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_server_cert /path/to/server.crt
 ssl_server_key /path/to/server.key
 ssl_server_ca_file /path/to/ca.crt

doc/html/plugins/SSLPlugin.ru.html

@@ -1,6 +1,10 @@
-<h3>3proxy SSL/TLS плагин</h3>
+<h3>3proxy SSL/TLS поддержка</h3>
 
-Плагин можно использовать для перехвата и дешифровки SSL/TLS трафика, для шифрования трафика прокси-сервера и аутентификации с помощью клиентских сертификатов.
+<p><b>Примечание:</b> Начиная с версии 0.9.7 поддержка SSL/TLS встроена в 3proxy и не требует
+отдельного плагина. Все команды ssl_* доступны напрямую при компиляции 3proxy с поддержкой
+OpenSSL (WITH_SSL). Строка plugin больше не нужна.</p>
+
+<p>Плагин можно использовать для перехвата и дешифровки SSL/TLS трафика, для шифрования трафика прокси-сервера и аутентификации с помощью клиентских сертификатов.</p>
 
 <h4>Для прозрачного перехвата трафика (MITM):</h4>
 
@@ -52,7 +56,6 @@ ssl_server_ca_key и ssl_server_key соответственно, если он
 
 <h4>Пример MITM:</h4>
 <pre>
-plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_server_ca_file /path/to/cafile
 ssl_server_ca_key /path/to/cakey
 ssl_mitm
@@ -64,7 +67,6 @@ proxy -p3129
 
 <h4>Пример конфигурации https:// прокси:</h4>
 <pre>
-plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_server_cert path_to_cert
 ssl_server_key path_to_key
 ssl_serv
@@ -76,7 +78,6 @@ proxy -p3128
 
 <h4>Пример TLS-клиента (соединение к вышестоящему серверу через TLS):</h4>
 <pre>
-plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_client_cert /path/to/client.crt
 ssl_client_key /path/to/client.key
 ssl_client_verify
@@ -88,7 +89,6 @@ proxy -p3128
 
 <h4>Условное TLS для parent прокси (ssl_client_mode 3):</h4>
 <pre>
-plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_server_cert /path/to/server.crt
 ssl_server_key /path/to/key
 ssl_client_mode 3
@@ -108,7 +108,6 @@ ssl_nocli
 
 <h4>Пример mTLS (требование клиентского сертификата):</h4>
 <pre>
-plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_server_cert /path/to/server.crt
 ssl_server_key /path/to/server.key
 ssl_server_ca_file /path/to/ca.crt

man/3proxy.cfg.5

@@ -1135,7 +1135,7 @@ memory shortage, you can try to experiment with negative values.
 \fI<path_to_shared_library>\fR \fI<function_to_call>\fR [\fI<arg1>\fR ...]
 .br
  Loads specified library and calls given export function with given arguments,
-as 
+as
 .br
  int functions_to_call(struct pluginlink * pl, int argc, char * argv[]);
 .br
@@ -1149,6 +1149,203 @@ as
 data filtering will be performed through filtering plugins to avoid data
 corruption and/or Content-Length changing. Default is 1MB (1048576).
 
+.SH SSL/TLS SUPPORT
+SSL/TLS support is built into 3proxy (since 0.9.7) when compiled with OpenSSL
+(WITH_SSL). Previously available as SSLPlugin, the functionality is now integrated
+into the main binary. The plugin line is no longer required.
+
+SSL/TLS can be used for:
+- transparent MITM (Man-in-the-Middle) for TLS traffic inspection
+- https:// proxy (TLS-encrypted connection between client and proxy)
+- TLS client connections to upstream servers with certificate authentication
+- mTLS (mutual TLS) requiring client certificates
+
+.SS MITM Commands
+.br
+.BR ssl_mitm
+- spoof certificates for services started below. Usage without ssl_client_verify is insecure.
+.br
+.BR ssl_nomitm
+- do not spoof certificates for services started below
+
+.SS Server TLS Commands
+.br
+.BR ssl_serv
+(or ssl_server) - require TLS connection from clients for services below
+.br
+.BR ssl_noserv
+(or ssl_noserver) - do not require TLS connection from clients for services below
+
+.SS Client TLS Commands
+.br
+.BR ssl_cli
+(or ssl_client) - establish TLS connection to upstream server for services below
+.br
+.BR ssl_nocli
+(or ssl_noclient) - do not establish TLS connection to upstream server for services below
+
+.SS SSL Parameters
+.br
+.BR ssl_server_cert
+\fI/path/to/cert\fR - Server certificate (should not be self-signed, must contain SAN) for ssl_serv
+.br
+.BR ssl_server_key
+\fI/path/to/key\fR - Server certificate key for ssl_server_cert or generated MITM certificate
+.br
+.BR ssl_client_cert
+\fI/path/to/cert\fR - Client certificate for authentication on upstream server (used with ssl_cli)
+.br
+.BR ssl_client_key
+\fI/path/to/key\fR - Client certificate key for ssl_client_cert
+.br
+.BR ssl_client_ciphersuites
+\fIciphersuites_list\fR - TLS client ciphers for TLS 1.3
+.br
+.BR ssl_server_ciphersuites
+\fIciphersuites_list\fR - TLS server ciphers for TLS 1.3
+.br
+.BR ssl_client_cipher_list
+\fIciphers_list\fR - TLS client ciphers for TLS 1.2 and below
+.br
+.BR ssl_server_cipher_list
+\fIciphers_list\fR - TLS server ciphers for TLS 1.2 and below
+.br
+.BR ssl_client_min_proto_version
+\fItls_version\fR - TLS client minimum TLS version (e.g., TLSv1.2)
+.br
+.BR ssl_server_min_proto_version
+\fItls_version\fR - TLS server minimum TLS version
+.br
+.BR ssl_client_max_proto_version
+\fItls_version\fR - TLS client maximum TLS version
+.br
+.BR ssl_server_max_proto_version
+\fItls_version\fR - TLS server maximum TLS version
+.br
+.BR ssl_client_verify
+- verify the certificate for the upstream server (used with ssl_mitm or ssl_cli)
+.br
+.BR ssl_client_no_verify
+- do not verify the certificate for the upstream server (default)
+.br
+.BR ssl_server_verify
+- require client certificate authentication (mTLS) for ssl_serv
+.br
+.BR ssl_server_no_verify
+- do not require client certificate (default)
+.br
+.BR ssl_server_ca_file
+\fI/path/to/cafile\fR - CA certificate file for MITM
+.br
+.BR ssl_server_ca_key
+\fI/path/to/cakey\fR - key for ssl_server_ca_file MITM CA
+.br
+.BR ssl_server_ca_dir
+\fI/path/to/cadir\fR - CA directory for ssl_server_verify
+.br
+.BR ssl_server_ca_store
+\fI/path/to/castore\fR - CA store for ssl_server_verify (OpenSSL 3.0+)
+.br
+.BR ssl_client_ca_file
+\fI/path/to/cafile\fR - CA file for ssl_client_verify
+.br
+.BR ssl_client_ca_dir
+\fI/path/to/cadir\fR - CA directory for ssl_client_verify
+.br
+.BR ssl_client_ca_store
+\fI/path/to/castore\fR - CA store for ssl_client_verify (OpenSSL 3.0+)
+.br
+.BR ssl_client_sni
+\fIhostname\fR - SNI hostname to send to upstream server
+.br
+.BR ssl_client_alpn
+\fIprotocol1 protocol2 ...\fR - ALPN protocols to negotiate with upstream server
+.br
+.BR ssl_client_mode
+\fImode\fR - when to establish TLS connection: 0 - on connect (default), 1 - after authentication, 2 - before data, 3 - only for secure parent types (ending with 's')
+.br
+.BR ssl_certcache
+\fI/path/to/cache/\fR - location for the generated MITM certificates cache
+
+.SH PCRE FILTERING
+PCRE (Perl Compatible Regular Expressions) filtering is built into 3proxy
+(since 0.9.7) when compiled with PCRE2 support (WITH_PCRE). Previously
+available as PCREPlugin, the functionality is now integrated into the main
+binary. The plugin line is no longer required.
+
+PCRE filtering allows creating matching and replacement rules with regular
+expressions for client requests, headers, and data.
+
+.SS PCRE Commands
+.br
+.BR pcre
+\fITYPE FILTER_ACTION REGEXP [ACE]\fR
+.br
+Apply a rule for matching regular expression.
+.br
+.BR pcre_rewrite
+\fITYPE FILTER_ACTION REGEXP REWRITE_EXPRESSION [ACE]\fR
+.br
+Match and replace with rewrite expression.
+.br
+.BR pcre_extend
+\fIFILTER_ACTION [ACE]\fR
+.br
+Extend the ACL of the last pcre or pcre_rewrite command by adding an additional ACE.
+.br
+.BR pcre_options
+\fIOPTION1 [OPTION2 ...]\fR
+.br
+Set matching options. Both PCRE2 native options and PCRE compatibility options
+are supported. PCRE options are mapped to their PCRE2 equivalents for backward
+compatibility.
+.br
+PCRE2 options: PCRE2_CASELESS, PCRE2_MULTILINE, PCRE2_DOTALL, PCRE2_EXTENDED,
+PCRE2_DOLLAR_ENDONLY, PCRE2_UNGREEDY, PCRE2_UTF, PCRE2_UCP, PCRE2_NO_AUTO_CAPTURE,
+PCRE2_FIRSTLINE, PCRE2_DUPNAMES, PCRE2_MATCH_UNSET_BACKREF, PCRE2_ALT_BSUX,
+PCRE2_ALT_CIRCUMFLEX, PCRE2_ALT_VERBNAMES, PCRE2_USE_OFFSET_LIMIT, PCRE2_EXTENDED_MORE,
+PCRE2_LITERAL, PCRE2_MATCH_INVALID_UTF.
+.br
+PCRE compatibility options: PCRE_CASELESS, PCRE_MULTILINE, PCRE_DOTALL, PCRE_EXTENDED,
+PCRE_ANCHORED, PCRE_DOLLAR_ENDONLY, PCRE_EXTRA, PCRE_NOTBOL, PCRE_NOTEOL, PCRE_UNGREEDY,
+PCRE_NOTEMPTY, PCRE_UTF8, PCRE_NO_AUTO_CAPTURE, PCRE_NO_UTF8_CHECK, PCRE_AUTO_CALLOUT,
+PCRE_PARTIAL, PCRE_DFA_SHORTEST, PCRE_DFA_RESTART, PCRE_FIRSTLINE, PCRE_DUPNAMES,
+PCRE_NEWLINE_CR, PCRE_NEWLINE_LF, PCRE_NEWLINE_CRLF, PCRE_NEWLINE_ANY, PCRE_NEWLINE_ANYCRLF,
+PCRE_BSR_ANYCRLF, PCRE_BSR_UNICODE.
+
+.SS PCRE Parameters
+TYPE - type of filtered data (comma-delimited list):
+.br
+ request - content of the client's request (e.g., HTTP GET request string)
+.br
+ cliheader - content of the client request headers
+.br
+ srvheader - content of the server's reply headers
+.br
+ clidata - data received from the client (e.g., HTTP POST data)
+.br
+ srvdata - data received from the server (e.g., HTML page)
+
+FILTER_ACTION - action on match:
+.br
+ allow - allow this request without checking the rest of the rules
+.br
+ deny - deny this request without checking the rest of the rules
+.br
+ dunno - continue with the rest of the rules (useful with pcre_rewrite)
+
+REGEXP - PCRE (Perl) regular expression. Use * if no regexp matching is required.
+
+REWRITE_EXPRESSION - substitution string. May contain Perl-style substrings
+$1, $2, etc. $0 means the whole matched string. \er and \en may be used
+to insert new lines; the string may be empty ("").
+
+ACE - access control entry (user names, source IPs, destination IPs, ports, etc.),
+identical to allow/deny/bandlimin commands. The regular expression is only
+matched if the ACL matches the connection data.
+Warning: Regular expressions don't require authentication and cannot replace
+authentication and/or allow/deny ACLs.
+
 .SH BUGS
 Report all bugs to
 .BR 3proxy@3proxy.org