diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..84da8d0
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+
+ - package-ecosystem: docker
+ directory: /
+ schedule:
+ interval: weekly
diff --git a/.github/workflows/build-rpm-arm64.yml b/.github/workflows/build-rpm-arm64.yml
index f5aa94e..43c7eb9 100644
--- a/.github/workflows/build-rpm-arm64.yml
+++ b/.github/workflows/build-rpm-arm64.yml
@@ -1,8 +1,13 @@
name: RPM/DEB build aarch64
on:
+ release:
+ types: [published]
workflow_dispatch:
+permissions:
+ contents: write
+
jobs:
ci:
name: "${{ matrix.target }}"
@@ -12,7 +17,7 @@ jobs:
- ubuntu-24.04-arm
runs-on: ${{ matrix.target }}
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v7
- name: env
run: |
pwd
@@ -42,11 +47,17 @@ jobs:
rpmbuild -ba 3proxy-$RELEASE.spec
cd $ret
mv ~/rpmbuild/RPMS/aarch64/3proxy-$RELEASE-1.aarch64.rpm 3proxy-$RELEASE.arm64.rpm
- - name: Get artifact arp
- uses: actions/upload-artifact@v6
+ - name: Get artifact rpm
+ uses: actions/upload-artifact@v7
with:
name: "3proxy-${{ env.RELEASE }}-arm64.rpm"
path: "*.rpm"
+ - name: Upload rpm to release
+ if: github.event_name == 'release'
+ env:
+ GH_TOKEN: ${{ github.token }}
+ TAG: ${{ github.event.release.tag_name }}
+ run: gh release upload "$TAG" 3proxy-${{ env.RELEASE }}.arm64.rpm
- name: debbuild
run: |
ret=`pwd`
@@ -63,7 +74,13 @@ jobs:
cd $ret
cp ~/debian/3proxy_$RELEASE-"$VERSION"_arm64.deb ./3proxy-$RELEASE.arm64.deb
- name: Get artifact deb
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@v7
with:
name: "3proxy-${{ env.RELEASE }}-arm64.deb"
path: "*.deb"
+ - name: Upload deb to release
+ if: github.event_name == 'release'
+ env:
+ GH_TOKEN: ${{ github.token }}
+ TAG: ${{ github.event.release.tag_name }}
+ run: gh release upload "$TAG" 3proxy-${{ env.RELEASE }}.arm64.deb
diff --git a/.github/workflows/build-rpm-armhf.yml b/.github/workflows/build-rpm-armhf.yml
index b7f33fa..363266b 100644
--- a/.github/workflows/build-rpm-armhf.yml
+++ b/.github/workflows/build-rpm-armhf.yml
@@ -1,8 +1,13 @@
name: RPM/DEB build armhf
on:
+ release:
+ types: [published]
workflow_dispatch:
+permissions:
+ contents: write
+
jobs:
ci:
name: "${{ matrix.target }}"
@@ -12,7 +17,7 @@ jobs:
- ubuntu-latest
runs-on: ${{ matrix.target }}
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v7
- name: env
run: |
pwd
@@ -66,14 +71,20 @@ jobs:
export CC=$CC
export RPATH=/usr/arm-linux-gnueabihf/lib:$RPATH
export LD_LIBRARY_PATH=/usr/arm-linux-gnueabihf/lib:$LD_LIBRARY_PATH
- rpmbuild -ba --define "PAMLIB pam0g" --define "_arch arm" --define "cross yes" --target=arm-linux-gnueabi 3proxy-$RELEASE.spec
+ rpmbuild -ba --define "PAMLIB pam0g" --define "_arch arm" --define "cross yes" --target=arm-linux-gnueabihf 3proxy-$RELEASE.spec
cd $ret
mv ~/rpmbuild/RPMS/arm/3proxy-$RELEASE-1.arm.rpm 3proxy-$RELEASE.arm.rpm
- - name: Get artifact
- uses: actions/upload-artifact@v6
+ - name: Get artifact rpm
+ uses: actions/upload-artifact@v7
with:
name: "3proxy-${{ env.RELEASE }}-arm.rpm"
path: "*.rpm"
+ - name: Upload rpm to release
+ if: github.event_name == 'release'
+ env:
+ GH_TOKEN: ${{ github.token }}
+ TAG: ${{ github.event.release.tag_name }}
+ run: gh release upload "$TAG" 3proxy-${{ env.RELEASE }}.arm.rpm
- name: debbuild
run: |
ret=`pwd`
@@ -96,7 +107,13 @@ jobs:
cd $ret
cp ~/debian/3proxy_$RELEASE-"$VERSION"_armhf.deb ./3proxy-$RELEASE.arm.deb
- name: Get artifact deb
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@v7
with:
name: "3proxy-${{ env.RELEASE }}-arm.deb"
path: "*.deb"
+ - name: Upload deb to release
+ if: github.event_name == 'release'
+ env:
+ GH_TOKEN: ${{ github.token }}
+ TAG: ${{ github.event.release.tag_name }}
+ run: gh release upload "$TAG" 3proxy-${{ env.RELEASE }}.arm.deb
diff --git a/.github/workflows/build-rpm-x86-64.yml b/.github/workflows/build-rpm-x86-64.yml
index c4295a5..2a5c6e0 100644
--- a/.github/workflows/build-rpm-x86-64.yml
+++ b/.github/workflows/build-rpm-x86-64.yml
@@ -1,8 +1,13 @@
name: RPM/DEB build x86-64
on:
+ release:
+ types: [published]
workflow_dispatch:
+permissions:
+ contents: write
+
jobs:
ci:
name: "${{ matrix.target }}"
@@ -12,7 +17,7 @@ jobs:
- ubuntu-latest
runs-on: ${{ matrix.target }}
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v7
- name: env
run: |
pwd
@@ -43,10 +48,16 @@ jobs:
cd $ret
mv ~/rpmbuild/RPMS/x86_64/3proxy-$RELEASE-1.x86_64.rpm 3proxy-$RELEASE.x86_64.rpm
- name: Get artifact rpm
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@v7
with:
name: "3proxy-${{ env.RELEASE }}-x86_64.rpm"
path: "*.rpm"
+ - name: Upload rpm to release
+ if: github.event_name == 'release'
+ env:
+ GH_TOKEN: ${{ github.token }}
+ TAG: ${{ github.event.release.tag_name }}
+ run: gh release upload "$TAG" 3proxy-${{ env.RELEASE }}.x86_64.rpm
- name: debbuild
run: |
ret=`pwd`
@@ -63,8 +74,14 @@ jobs:
cd $ret
cp ~/debian/3proxy_$RELEASE-"$VERSION"_amd64.deb ./3proxy-$RELEASE.x86_64.deb
- name: Get artifact deb
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@v7
with:
name: "3proxy-${{ env.RELEASE }}-x86_64.deb"
path: "*.deb"
+ - name: Upload deb to release
+ if: github.event_name == 'release'
+ env:
+ GH_TOKEN: ${{ github.token }}
+ TAG: ${{ github.event.release.tag_name }}
+ run: gh release upload "$TAG" 3proxy-${{ env.RELEASE }}.x86_64.deb
diff --git a/.github/workflows/build-watcom.yml b/.github/workflows/build-watcom.yml
index 1e472a2..9f6e1ed 100644
--- a/.github/workflows/build-watcom.yml
+++ b/.github/workflows/build-watcom.yml
@@ -1,8 +1,13 @@
name: Build Win32 3proxy-lite with Watcom
on:
+ release:
+ types: [published]
workflow_dispatch:
+permissions:
+ contents: write
+
jobs:
ci:
name: "${{ matrix.target }}"
@@ -12,11 +17,11 @@ jobs:
- windows-2022
runs-on: ${{ matrix.target }}
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v7
# - name: configure
# run: ./configure
- name: Setup Open Watcom
- uses: open-watcom/setup-watcom@v0
+ uses: open-watcom/setup-watcom@v1
- name: set date
run: |
$NOW = Get-Date -Format "yyMMddHHmmss"
@@ -73,7 +78,18 @@ jobs:
copy README.md dist\3proxy\
copy rus.3ps dist\3proxy\
- name: Get artifact
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@v7
with:
name: "3proxy-${{ env.RELEASE }}-lite"
path: dist/
+ - name: Create zip
+ if: github.event_name == 'release'
+ shell: pwsh
+ run: Compress-Archive -Path dist/* -DestinationPath 3proxy-${{ env.RELEASE }}-lite.zip
+ - name: Upload to release
+ if: github.event_name == 'release'
+ shell: bash
+ env:
+ GH_TOKEN: ${{ github.token }}
+ TAG: ${{ github.event.release.tag_name }}
+ run: gh release upload "$TAG" 3proxy-${{ env.RELEASE }}-lite.zip
diff --git a/.github/workflows/build-win32.yml b/.github/workflows/build-win32.yml
index 367595d..15c5f38 100644
--- a/.github/workflows/build-win32.yml
+++ b/.github/workflows/build-win32.yml
@@ -1,8 +1,13 @@
name: Build Win32 3proxy with MSVC
on:
+ release:
+ types: [published]
workflow_dispatch:
+permissions:
+ contents: write
+
jobs:
ci:
name: "${{ matrix.target }}"
@@ -12,7 +17,7 @@ jobs:
- windows-2022
runs-on: ${{ matrix.target }}
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v7
# - name: configure
# run: ./configure
- name: set date
@@ -42,12 +47,20 @@ jobs:
run: |
$pfx_cert_byte = [System.Convert]::FromBase64String("${{ secrets.WINDOWS_CERTIFICATE }}")
[System.IO.File]::WriteAllBytes("${{ github.workspace }}\cert.pfx", $pfx_cert_byte)
+ - name: Extract public certificate
+ shell: pwsh
+ env:
+ CERT_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
+ run: |
+ $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("${{ github.workspace }}\cert.pfx", "$env:CERT_PASSWORD")
+ [System.IO.File]::WriteAllBytes("${{ github.workspace }}\3proxy.crt", $cert.Export("Cert"))
- name: Sign
shell: pwsh
+ env:
+ CERT_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
run: |
$signtool = (Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin\*\x64\signtool.exe" | Sort-Object { [version]$_.Directory.Parent.Name } -Descending | Select-Object -First 1).FullName
- & $signtool sign /f "${{ github.workspace }}\cert.pfx" /p "${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}" /tr http://timestamp.digicert.com /td sha256 /fd sha256 "bin\3proxy.exe"
- & $signtool sign /f "${{ github.workspace }}\cert.pfx" /p "${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}" /tr http://timestamp.digicert.com /td sha256 /fd sha256 "bin\3proxy_crypt.exe"
+ Get-ChildItem bin\*.exe, bin\*.dll | ForEach-Object { & $signtool sign /f "${{ github.workspace }}\cert.pfx" /p "$env:CERT_PASSWORD" /tr http://timestamp.digicert.com /td sha256 /fd sha256 $_.FullName }
- name: make dist dir
shell: cmd
run: |
@@ -78,8 +91,20 @@ jobs:
copy authors dist\3proxy\
copy README.md dist\3proxy\
copy rus.3ps dist\3proxy\
+ copy 3proxy.crt dist\3proxy\
- name: Get artifact
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@v7
with:
- name: "3proxy-${{ env.RELEASE }}"
+ name: "3proxy-${{ env.RELEASE }}-x86"
path: dist/
+ - name: Create zip
+ if: github.event_name == 'release'
+ shell: pwsh
+ run: Compress-Archive -Path dist/* -DestinationPath 3proxy-${{ env.RELEASE }}-x86.zip
+ - name: Upload to release
+ if: github.event_name == 'release'
+ shell: bash
+ env:
+ GH_TOKEN: ${{ github.token }}
+ TAG: ${{ github.event.release.tag_name }}
+ run: gh release upload "$TAG" 3proxy-${{ env.RELEASE }}-x86.zip
diff --git a/.github/workflows/build-win64.yml b/.github/workflows/build-win64.yml
index 055c57d..5c3e5b3 100644
--- a/.github/workflows/build-win64.yml
+++ b/.github/workflows/build-win64.yml
@@ -1,8 +1,13 @@
name: Build Win64 3proxy with MSVC
on:
+ release:
+ types: [published]
workflow_dispatch:
+permissions:
+ contents: write
+
jobs:
ci:
name: "${{ matrix.target }}"
@@ -12,7 +17,7 @@ jobs:
- windows-2022
runs-on: ${{ matrix.target }}
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v7
# - name: configure
# run: ./configure
- name: set date
@@ -43,12 +48,20 @@ jobs:
run: |
$pfx_cert_byte = [System.Convert]::FromBase64String("${{ secrets.WINDOWS_CERTIFICATE }}")
[System.IO.File]::WriteAllBytes("${{ github.workspace }}\cert.pfx", $pfx_cert_byte)
+ - name: Extract public certificate
+ shell: pwsh
+ env:
+ CERT_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
+ run: |
+ $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("${{ github.workspace }}\cert.pfx", "$env:CERT_PASSWORD")
+ [System.IO.File]::WriteAllBytes("${{ github.workspace }}\3proxy.crt", $cert.Export("Cert"))
- name: Sign
shell: pwsh
+ env:
+ CERT_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
run: |
$signtool = (Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin\*\x64\signtool.exe" | Sort-Object { [version]$_.Directory.Parent.Name } -Descending | Select-Object -First 1).FullName
- & $signtool sign /f "${{ github.workspace }}\cert.pfx" /p "${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}" /tr http://timestamp.digicert.com /td sha256 /fd sha256 "bin\3proxy.exe"
- & $signtool sign /f "${{ github.workspace }}\cert.pfx" /p "${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}" /tr http://timestamp.digicert.com /td sha256 /fd sha256 "bin\3proxy_crypt.exe"
+ Get-ChildItem bin\*.exe, bin\*.dll | ForEach-Object { & $signtool sign /f "${{ github.workspace }}\cert.pfx" /p "$env:CERT_PASSWORD" /tr http://timestamp.digicert.com /td sha256 /fd sha256 $_.FullName }
- name: make dist dir
shell: cmd
run: |
@@ -74,13 +87,25 @@ jobs:
copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\
copy doc\html\man8\*.* dist\3proxy\doc\html\man8\
copy doc\html\man5\*.* dist\3proxy\doc\html\man5\
- copy doc\html\devel\*.rtf dist\3proxy\doc\html\devel\
+ copy doc\html\devel\*.* dist\3proxy\doc\html\devel\
copy copying dist\3proxy\
copy authors dist\3proxy\
copy README.md dist\3proxy\
copy rus.3ps dist\3proxy\
+ copy 3proxy.crt dist\3proxy\
- name: Get artifact
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@v7
with:
name: "3proxy-${{ env.RELEASE }}-x64"
path: dist/
+ - name: Create zip
+ if: github.event_name == 'release'
+ shell: pwsh
+ run: Compress-Archive -Path dist/* -DestinationPath 3proxy-${{ env.RELEASE }}-x64.zip
+ - name: Upload to release
+ if: github.event_name == 'release'
+ shell: bash
+ env:
+ GH_TOKEN: ${{ github.token }}
+ TAG: ${{ github.event.release.tag_name }}
+ run: gh release upload "$TAG" 3proxy-${{ env.RELEASE }}-x64.zip
diff --git a/.github/workflows/build-winarm64.yml b/.github/workflows/build-winarm64.yml
index 4c8dd7c..b6dfc0f 100644
--- a/.github/workflows/build-winarm64.yml
+++ b/.github/workflows/build-winarm64.yml
@@ -1,8 +1,13 @@
name: Build Win-arm64 3proxy with MSVC
on:
+ release:
+ types: [published]
workflow_dispatch:
+permissions:
+ contents: write
+
jobs:
ci:
name: "${{ matrix.target }}"
@@ -12,7 +17,7 @@ jobs:
- windows-2022
runs-on: ${{ matrix.target }}
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v7
# - name: configure
# run: ./configure
- name: set date
@@ -42,12 +47,20 @@ jobs:
run: |
$pfx_cert_byte = [System.Convert]::FromBase64String("${{ secrets.WINDOWS_CERTIFICATE }}")
[System.IO.File]::WriteAllBytes("${{ github.workspace }}\cert.pfx", $pfx_cert_byte)
+ - name: Extract public certificate
+ shell: pwsh
+ env:
+ CERT_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
+ run: |
+ $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("${{ github.workspace }}\cert.pfx", "$env:CERT_PASSWORD")
+ [System.IO.File]::WriteAllBytes("${{ github.workspace }}\3proxy.crt", $cert.Export("Cert"))
- name: Sign
shell: pwsh
+ env:
+ CERT_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
run: |
$signtool = (Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin\*\x64\signtool.exe" | Sort-Object { [version]$_.Directory.Parent.Name } -Descending | Select-Object -First 1).FullName
- & $signtool sign /f "${{ github.workspace }}\cert.pfx" /p "${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}" /tr http://timestamp.digicert.com /td sha256 /fd sha256 "bin\3proxy.exe"
- & $signtool sign /f "${{ github.workspace }}\cert.pfx" /p "${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}" /tr http://timestamp.digicert.com /td sha256 /fd sha256 "bin\3proxy_crypt.exe"
+ Get-ChildItem bin\*.exe, bin\*.dll | ForEach-Object { & $signtool sign /f "${{ github.workspace }}\cert.pfx" /p "$env:CERT_PASSWORD" /tr http://timestamp.digicert.com /td sha256 /fd sha256 $_.FullName }
- name: make dist dir
shell: cmd
run: |
@@ -73,13 +86,25 @@ jobs:
copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\
copy doc\html\man8\*.* dist\3proxy\doc\html\man8\
copy doc\html\man5\*.* dist\3proxy\doc\html\man5\
- copy doc\html\devel\*.rtf dist\3proxy\doc\html\devel\
+ copy doc\html\devel\*.* dist\3proxy\doc\html\devel\
copy copying dist\3proxy\
copy authors dist\3proxy\
copy README.md dist\3proxy\
copy rus.3ps dist\3proxy\
+ copy 3proxy.crt dist\3proxy\
- name: Get artifact
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@v7
with:
name: "3proxy-${{ env.RELEASE }}-arm64"
path: dist/
+ - name: Create zip
+ if: github.event_name == 'release'
+ shell: pwsh
+ run: Compress-Archive -Path dist/* -DestinationPath 3proxy-${{ env.RELEASE }}-arm64.zip
+ - name: Upload to release
+ if: github.event_name == 'release'
+ shell: bash
+ env:
+ GH_TOKEN: ${{ github.token }}
+ TAG: ${{ github.event.release.tag_name }}
+ run: gh release upload "$TAG" 3proxy-${{ env.RELEASE }}-arm64.zip
diff --git a/.github/workflows/c-cpp-Linux.yml b/.github/workflows/c-cpp-Linux.yml
index 9883d6a..c293dbd 100644
--- a/.github/workflows/c-cpp-Linux.yml
+++ b/.github/workflows/c-cpp-Linux.yml
@@ -2,13 +2,14 @@ name: C/C++ CI Linux
on:
push:
- branches: [ "master" ]
paths: [ '**.c', '**.h', 'Makefile.Linux', '.github/configs', '.github/workflows/c-cpp-Linux.yml' ]
pull_request:
- branches: [ "master" ]
- paths: [ '**.c', '**.h', 'Makefile.Linux', '.github/configs', '.github/workflows/c-cpp-Linux.yml' ]
+ paths: [ "**.c", "**.h", "Makefile.Linux", ".github/configs", ".github/workflows/c-cpp-Linux.yml" ]
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
ci:
name: "${{ matrix.target }}"
@@ -19,7 +20,7 @@ jobs:
- ubuntu-24.04-arm
runs-on: ${{ matrix.target }}
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v7
# - name: configure
# run: ./configure
- name: Linux libraries
diff --git a/.github/workflows/c-cpp-MacOS.yml b/.github/workflows/c-cpp-MacOS.yml
index b23cd04..e29069e 100644
--- a/.github/workflows/c-cpp-MacOS.yml
+++ b/.github/workflows/c-cpp-MacOS.yml
@@ -2,13 +2,14 @@ name: C/C++ CI MacOS
on:
push:
- branches: [ "master" ]
paths: [ '**.c', '**.h', 'Makefile.FreeBSD', '.github/configs', '.github/workflows/c-cpp-MacOS.yml' ]
pull_request:
- branches: [ "master" ]
- paths: [ '**.c', '**.h', 'Makefile.FreeBSD', '.github/configs', '.github/workflows/c-cpp-MacOS.yml' ]
+ paths: [ "**.c", "**.h", "Makefile.FreeBSD", ".github/configs", ".github/workflows/c-cpp-MacOS.yml" ]
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
ci:
name: "${{ matrix.target }}"
@@ -18,7 +19,7 @@ jobs:
- macos-15
runs-on: ${{ matrix.target }}
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v7
# - name: configure
# run: ./configure
- name: Mac libraries
diff --git a/.github/workflows/c-cpp-Windows.yml b/.github/workflows/c-cpp-Windows.yml
index b4a0ff4..49b9307 100644
--- a/.github/workflows/c-cpp-Windows.yml
+++ b/.github/workflows/c-cpp-Windows.yml
@@ -2,13 +2,14 @@ name: C/C++ CI Windows
on:
push:
- branches: [ "master" ]
paths: [ '**.c', '**.h', 'Makefile.msvc', '.github/configs', '.github/workflows/c-cpp-Windows.yml' ]
pull_request:
- branches: [ "master" ]
- paths: [ '**.c', '**.h', 'Makefile.msvc', '.github/configs', '.github/workflows/c-cpp-Windows.yml' ]
+ paths: [ "**.c", "**.h", "Makefile.msvc", ".github/configs", ".github/workflows/c-cpp-Windows.yml" ]
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
ci:
name: "${{ matrix.target }}"
@@ -18,7 +19,7 @@ jobs:
- windows-2022
runs-on: ${{ matrix.target }}
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v7
- name: install Windows libraries
run: vcpkg install pcre2:x64-windows && c:\msys64\usr\bin\pacman.exe -S --noconfirm mingw-w64-x86_64-pcre2 mingw-w64-x86_64-openssl
- name: make Windows
diff --git a/.github/workflows/c-cpp-cmake.yml b/.github/workflows/c-cpp-cmake.yml
index be7dcc7..1777668 100644
--- a/.github/workflows/c-cpp-cmake.yml
+++ b/.github/workflows/c-cpp-cmake.yml
@@ -2,13 +2,14 @@ name: C/C++ CI cmake
on:
push:
- branches: [ "master", "unix_socket" ]
paths: [ '**.c', '**.h', '**.cmake', 'CMakeLists.txt', '.github/configs', '.github/workflows/c-cpp-cmake.yml' ]
pull_request:
- branches: [ "master" ]
- paths: [ '**.c', '**.h', '**.cmake', 'CMakeLists.txt', '.github/configs', '.github/workflows/c-cpp-cmake.yml' ]
+ paths: [ "**.c", "**.h", "**.cmake", "CMakeLists.txt", ".github/configs", ".github/workflows/c-cpp-cmake.yml" ]
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
ci:
name: "${{ matrix.target }}"
@@ -21,7 +22,7 @@ jobs:
- windows-2022
runs-on: ${{ matrix.target }}
steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@v7
# - name: configure
# run: ./configure
- name: Linux libraries
diff --git a/.github/workflows/docker-ghcr.yml b/.github/workflows/docker-ghcr.yml
new file mode 100644
index 0000000..abff4bb
--- /dev/null
+++ b/.github/workflows/docker-ghcr.yml
@@ -0,0 +1,99 @@
+name: Build Docker images (GHCR)
+
+on:
+ release:
+ types: [published]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ packages: write
+ id-token: write
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+ build:
+ name: Build and push Docker images
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v7
+
+ - name: Determine tags
+ id: tags
+ env:
+ RELEASE_TAG: ${{ github.event.release.tag_name }}
+ IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ run: |
+ if [[ "$RELEASE_TAG" != "" ]]; then
+ RELEASE="${RELEASE_TAG#v}"
+ echo "minimal=${IMAGE}:${RELEASE}.minimal,${IMAGE}:minimal" >> "$GITHUB_OUTPUT"
+ echo "busybox=${IMAGE}:${RELEASE}.busybox,${IMAGE}:busybox" >> "$GITHUB_OUTPUT"
+ echo "full=${IMAGE}:${RELEASE},${IMAGE}:latest" >> "$GITHUB_OUTPUT"
+ else
+ DATETIME=$(date +%d%m%y%H%M%S)
+ BRANCH=$(echo "${GITHUB_REF#refs/heads/}" | tr "/" "-")
+ echo "minimal=${IMAGE}:${DATETIME}-${BRANCH}.minimal,${IMAGE}:${BRANCH}.minimal" >> "$GITHUB_OUTPUT"
+ echo "busybox=${IMAGE}:${DATETIME}-${BRANCH}.busybox,${IMAGE}:${BRANCH}.busybox" >> "$GITHUB_OUTPUT"
+ echo "full=${IMAGE}:${DATETIME}-${BRANCH},${IMAGE}:${BRANCH}" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v4
+
+ - name: Install cosign
+ uses: sigstore/cosign-installer@v3
+
+ - name: Login to GHCR
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v4
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build and push minimal
+ uses: docker/build-push-action@v7
+ with:
+ context: .
+ file: Dockerfile.minimal
+ platforms: linux/amd64,linux/arm64,linux/arm/v7,ppc64le
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.tags.outputs.minimal }}
+
+ - name: Build and push busybox
+ uses: docker/build-push-action@v7
+ with:
+ context: .
+ file: Dockerfile.busybox
+ platforms: linux/amd64,linux/arm64,linux/arm/v7,ppc64le
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.tags.outputs.busybox }}
+
+ - name: Build and push full
+ uses: docker/build-push-action@v7
+ with:
+ context: .
+ file: Dockerfile.full
+ platforms: linux/amd64,linux/arm64,linux/arm/v7,ppc64le
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.tags.outputs.full }}
+
+ - name: Sign images
+ if: github.event_name != 'pull_request'
+ env:
+ TAGS_MINIMAL: ${{ steps.tags.outputs.minimal }}
+ TAGS_BUSYBOX: ${{ steps.tags.outputs.busybox }}
+ TAGS_FULL: ${{ steps.tags.outputs.full }}
+ run: |
+ IFS=',' read -ra TAGS <<< "$TAGS_MINIMAL,$TAGS_BUSYBOX,$TAGS_FULL"
+ for tag in "${TAGS[@]}"; do
+ cosign sign --yes "$tag"
+ done
+
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
new file mode 100644
index 0000000..2658f91
--- /dev/null
+++ b/.github/workflows/docker.yml
@@ -0,0 +1,95 @@
+name: Build Docker images (Docker Hub)
+
+on:
+ release:
+ types: [published]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ id-token: write
+
+env:
+ REGISTRY: docker.io
+ IMAGE_NAME: 3proxy/3proxy
+
+jobs:
+ build:
+ name: Build and push Docker images
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v7
+
+ - name: Determine tags
+ id: tags
+ env:
+ RELEASE_TAG: ${{ github.event.release.tag_name }}
+ run: |
+ if [[ "$RELEASE_TAG" != "" ]]; then
+ RELEASE="${RELEASE_TAG#v}"
+ echo "minimal=${REGISTRY}/${IMAGE_NAME}:${RELEASE}.minimal,${REGISTRY}/${IMAGE_NAME}:minimal" >> "$GITHUB_OUTPUT"
+ echo "busybox=${REGISTRY}/${IMAGE_NAME}:${RELEASE}.busybox,${REGISTRY}/${IMAGE_NAME}:busybox" >> "$GITHUB_OUTPUT"
+ echo "full=${REGISTRY}/${IMAGE_NAME}:${RELEASE},${REGISTRY}/${IMAGE_NAME}:latest" >> "$GITHUB_OUTPUT"
+ else
+ DATETIME=$(date +%d%m%y%H%M%S)
+ BRANCH=$(echo "${GITHUB_REF#refs/heads/}" | tr "/" "-")
+ echo "minimal=${REGISTRY}/${IMAGE_NAME}:${DATETIME}-${BRANCH}.minimal,${REGISTRY}/${IMAGE_NAME}:${BRANCH}.minimal" >> "$GITHUB_OUTPUT"
+ echo "busybox=${REGISTRY}/${IMAGE_NAME}:${DATETIME}-${BRANCH}.busybox,${REGISTRY}/${IMAGE_NAME}:${BRANCH}.busybox" >> "$GITHUB_OUTPUT"
+ echo "full=${REGISTRY}/${IMAGE_NAME}:${DATETIME}-${BRANCH},${REGISTRY}/${IMAGE_NAME}:${BRANCH}" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v4
+
+ - name: Install cosign
+ uses: sigstore/cosign-installer@v3
+
+ - name: Login to Docker Hub
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v4
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Build and push minimal
+ uses: docker/build-push-action@v7
+ with:
+ context: .
+ file: Dockerfile.minimal
+ platforms: linux/amd64,linux/arm64,linux/arm/v7,ppc64le
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.tags.outputs.minimal }}
+
+ - name: Build and push busybox
+ uses: docker/build-push-action@v7
+ with:
+ context: .
+ file: Dockerfile.busybox
+ platforms: linux/amd64,linux/arm64,linux/arm/v7,ppc64le
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.tags.outputs.busybox }}
+
+ - name: Build and push full
+ uses: docker/build-push-action@v7
+ with:
+ context: .
+ file: Dockerfile.full
+ platforms: linux/amd64,linux/arm64,linux/arm/v7,ppc64le
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.tags.outputs.full }}
+
+ - name: Sign images
+ if: github.event_name != 'pull_request'
+ env:
+ TAGS_MINIMAL: ${{ steps.tags.outputs.minimal }}
+ TAGS_BUSYBOX: ${{ steps.tags.outputs.busybox }}
+ TAGS_FULL: ${{ steps.tags.outputs.full }}
+ run: |
+ IFS=',' read -ra TAGS <<< "$TAGS_MINIMAL,$TAGS_BUSYBOX,$TAGS_FULL"
+ for tag in "${TAGS[@]}"; do
+ cosign sign --yes "$tag"
+ done
diff --git a/CHANGELOG b/CHANGELOG
index 747638d..ad99846 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,11 +1,25 @@
-3proxy-0.9.6 Released April, 11 2026
+3proxy-0.9.7 Released July, 4 2026
-+ ssl_client and multiple configuration options added to SSLPlugin, SSLPlugin code significantly improved and bugfixed. See https://github.com/3proxy/3proxy/wiki/SSLPlugin. 3proxy can now be used as stunnel replacement for many scenarios.
-+ HAProxy proxy protocol v1 support as client and server, add -H option for service to expect HA proxy v1 protocol header, use ha parent type: parent 1000 ha 0.0.0.0 0 to send v1 header.
-+ tlspr is supported in auto
-+ tlspr supports -s option, it breaks HELLO packet to prevent some DPIs from detecting SNI
-+ maxseg configuration option and TCP_MAXSEG socket flag support added. It sets maximum size of TCP segment to fix PathMTU discovery problems
-+ -Ne / -Ni options added to specify external / internal NAT address for SOCKSv5
-+ cmake environment added
-! External pcre2 (pcre2-8) library is used for PCRE, pcre code is removed from 3proxy
-! Multiple minor bugfixes
\ No newline at end of file
++ PCRE2 and SSL/TLS code moved from plugins into main 3proxy binary; dynamic linking with ssl/pcre by default, STATIC/LIBSTATIC options for static linking
++ Unix sockets support for parent proxies, tcppm, internal listeners and -i option; abstract (fileless) unix sockets on Linux
++ ssl_client_mode = 3 to use 'secure' parent types: https, tcps, socks5s, connect+s, etc.
++ New authcache types: cacheacl, dstaddr, dstport, dsthost, dstoper, srvaddr, srvport; authcache is now configurable per service
++ Hashtables for password lists and authcache, faster password lookups
++ 3proxy_crypt: new internal password hashing replacing mycrypt
++ udppm switched to hashtables and supports multiple connections
++ SOCKSv5 UDP parent support; -Ne/-Ni NAT options
++ Docker images for more platforms, signed; DLLs signed; public cert added to build
++ Grace sleep and linger on connection close; correctly process half-closed connections
++ Allow setting internal/external network namespaces on Linux
+- icqpr/OSCAR code removed
+! Fix: invalid error in SSL server handshake could break service state
+! Fix: invalid offset in datafilters
+! Fix: invalid socket in poll() could break sockmap() on Windows
+! Fix: deadlock in ftppr
+! Fix: crash on standalone services
+! Fix: non-initialized mutex crash under Windows
+! Fix: socks v5 parent with no auth
+! Fix: hanging connections in sockmap; unneeded poll in sockmap
+! Fix: symbols collision with OpenSSL could lead to crash
+! Fix: compatibility with older SSL versions and older Windows (7 and below)
+! Multiple minor bugfixes and code cleanup
diff --git a/CHANGELOG.rus b/CHANGELOG.rus
index a0da305..c01e782 100644
--- a/CHANGELOG.rus
+++ b/CHANGELOG.rus
@@ -1,11 +1,25 @@
-3proxy-0.9.6 Вышел 11 Апреля 2026
+3proxy-0.9.7 Вышел 4 Июля 2026
-+ В SSLPlugin добавлены ssl_client и множество опций конфигурации, код SSLPlugin значительно улучшен и исправлен. См. https://github.com/3proxy/3proxy/wiki/SSLPlugin. 3proxy теперь может использоваться как замена stunnel во многих сценариях.
-+ Поддержка прокси-протокола HAProxy v1 на стороне клиента и сервера. Добавлена опция -H для сервиса, чтобы ожидать заголовок прокси-протокола HA v1. Используйте тип родителя ha: parent 1000 ha 0.0.0.0 0 для отправки заголовка v1.
-+ tlspr поддерживается в режиме auto
-+ tlspr поддерживает опцию -s, которая разбивает HELLO-пакет для предотвращения обнаружения SNI некоторыми DPI
-+ Добавлена опция конфигурации maxseg и поддержка флага сокета TCP_MAXSEG. Устанавливает максимальный размер TCP-сегмента для решения проблем с обнаружением PathMTU
-+ Добавлены опции -Ne / -Ni для указания внешнего/внутреннего NAT-адреса для SOCKSv5
-+ Добавлено окружение cmake
-! Внешняя библиотека pcre2 (pcre2-8) используется для PCRE, код pcre удалён из 3proxy
-! Множество мелких исправлений ошибок
\ No newline at end of file
++ Код PCRE2 и SSL/TLS перенесён из плагинов в основной бинарный файл 3proxy; по умолчанию динамическое связывание с ssl/pcre, опции STATIC/LIBSTATIC для статического связывания
++ Поддержка unix-сокетов для родительских прокси, tcppm, внутренних слушателей и опции -i; абстрактные (безфайловые) unix-сокеты в Linux
++ ssl_client_mode = 3 для использования «безопасных» типов родителя: https, tcps, socks5s, connect+s и т.д.
++ Новые типы authcache: cacheacl, dstaddr, dstport, dsthost, dstoper, srvaddr, srvport; authcache настраивается для каждого сервиса
++ Хеш-таблицы для списков паролей и authcache, более быстрый поиск паролей
++ 3proxy_crypt: новое внутреннее хеширование паролей, заменяющее mycrypt
++ udppm переведён на хеш-таблицы и поддерживает множество соединений
++ Поддержка UDP-родителя для SOCKSv5; опции NAT -Ne/-Ni
++ Docker-образы для большего числа платформ, подписанные; подписанные DLL; публичный сертификат добавлен в сборку
++ Grace sleep и linger при закрытии соединения; корректная обработка полузакрытых соединений
++ Разрешено задавать внутренние/внешние сетевые пространства имён (network namespaces) в Linux
+- Код icqpr/OSCAR удалён
+! Исправление: некорректная ошибка в SSL server handshake могла ломать состояние сервиса
+! Исправление: некорректное смещение в datafilters
+! Исправление: некорректный сокет в poll() мог ломать sockmap() в Windows
+! Исправление: взаимоблокировка (deadlock) в ftppr
+! Исправление: падение на standalone-сервисах
+! Исправление: падение из-за неинициализированного mutex в Windows
+! Исправление: родитель socks v5 без аутентификации
+! Исправление: зависающие соединения в sockmap; лишний poll в sockmap
+! Исправление: конфликт символов с OpenSSL мог приводить к падению
+! Исправление: совместимость со старыми версиями SSL и старыми версиями Windows (7 и ниже)
+! Множество мелких исправлений и очистка кода
diff --git a/CMakeLists.txt b/CMakeLists.txt
index db41fe4..8ca40e3 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -661,16 +661,18 @@ foreach(PROXY_NAME proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
endforeach()
# Install plugins
-file(GLOB PLUGINFILES "${PLUGIN_OUTPUT_DIR}/*${PLUGIN_SUFFIX}")
+# Use install(DIRECTORY ... FILES_MATCHING) so the glob resolves at install
+# time, after plugin targets have been built. A configure-time file(GLOB)
+# would run before any plugin exists and install nothing.
if(WIN32)
- install(FILES
- ${PLUGINFILES}
+ install(DIRECTORY ${PLUGIN_OUTPUT_DIR}/
DESTINATION ${CMAKE_INSTALL_BINDIR}
+ FILES_MATCHING PATTERN "*${PLUGIN_SUFFIX}"
)
else()
- install(FILES
- ${PLUGINFILES}
+ install(DIRECTORY ${PLUGIN_OUTPUT_DIR}/
DESTINATION ${CMAKE_INSTALL_LIBDIR}/3proxy
+ FILES_MATCHING PATTERN "*${PLUGIN_SUFFIX}"
)
endif()
diff --git a/Dockerfile.busybox b/Dockerfile.busybox
index 8bff530..af1ffab 100644
--- a/Dockerfile.busybox
+++ b/Dockerfile.busybox
@@ -44,8 +44,7 @@ RUN cd /dist &&\
ln -s /lib usr/lib64
RUN cp /lib/ld-*.so.* /dist/usr/local/3proxy/libexec || true
RUN cp /lib64/ld-*.so.* /dist/usr/local/3proxy/libexec || true
-RUN cp "/lib/`gcc -dumpmachine`"/libdl.so.* /dist/usr/local/3proxy/libexec &&\
- ls -lR /dist
+RUN cp "/lib/`gcc -dumpmachine`"/libdl.so.* /dist/usr/local/3proxy/libexec
FROM docker.io/busybox:glibc
COPY --from=buildenv /dist /
diff --git a/Dockerfile.full b/Dockerfile.full
index 829aaa4..33f6f51 100644
--- a/Dockerfile.full
+++ b/Dockerfile.full
@@ -54,8 +54,7 @@ RUN cd /dist/usr/local/3proxy/ &&\
RUN cd /dist/usr/local/3proxy/usr &&\
ln -s ../libexec lib &&\
ln -s ../libexec lib64 &&\
- strip /dist/usr/local/3proxy/libexec/*.so &&\
- ls -lR /dist
+ strip /dist/usr/local/3proxy/libexec/*.so
FROM scratch
COPY --from=buildenv /dist /
diff --git a/README.md b/README.md
index f1a613f..914c33e 100644
--- a/README.md
+++ b/README.md
@@ -2,27 +2,101 @@
(c) 2002-2026 by Vladimir '3APA3A' Dubrovin
Appropriate for most cases
useronly - authentication by username without checking
for any password with authorization by ACLs. Useful for e.g.
-SOCKSv4 proxy and icqpr (icqpr set UIN / AOL screen name as
-a username)
+SOCKSv4 proxy.
dnsname - authentication by DNS hostname with
authorization by ACLs. The DNS hostname is resolved via a
PTR (reverse) record and validated (the resolved name must
@@ -564,6 +563,12 @@ strong - username/password authentication required. It
will work with SOCKSv5, FTP, POP3 and HTTP proxy.
cache - cached authentication, may be used with
´authcache´.
+cacheacl - cached authentication, same as cache
+but the ACL authorization result is also cached and not
+re-evaluated on each request. Faster than cache, but
+ACL changes do not take effect for cached users until the
+cache entry expires. Use cache if ACLs may change
+during the cache lifetime.
radius - authentication with RADIUS.
Plugins may add additional authentication types.
allow
<userlist> <sourcelist> <targetlist>
@@ -746,8 +761,14 @@ ha send HAProxy PROXY protocol v1 header to parent
proxy. Must be the last in the proxy chain. Useful for
passing client IP information to the parent proxy. Example:
parent 1000 ha
-Use "+" proxy only with fakeresolve
-option
IP and port are
ip addres and port of parent proxy server. If IP is zero, ip
@@ -946,12 +967,16 @@ The rest of parameters is identical to
pwtype is one of:
none (empty) - use system authentication
CL - password is cleartext
-CR - password is crypt-style password
+CR - password is crypt-style password. $1$ prefix
+uses MD5-crypt (requires OpenSSL), $3$ prefix uses
+BLAKE2b-crypt (always available, see 3proxy_crypt(8))
+
NT - password is NT password (in hex)
example:
users test1:CL:password1
"test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49."
users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63
+users "test4:CR:$3$salt$G47yV9w...."
Note: double quotes are required because the password
contains a $ sign.
3proxy(8),
-proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8),
-syslogd(8),
+3proxy_crypt(8), proxy(8), ftppr(8), socks(8), pop3p(8),
+smtpp(8), tlspr(8), tcppm(8), udppm(8), syslogd(8),
https://3proxy.org/
-s
Split the TLS Client HELLO +packet across multiple TCP segments to make SNI-based DPI +detection harder. An optional numeric value can follow (e.g. +-s1) to control the splitting behaviour.
-l
Note: Since version 0.9.7, PCRE filtering is built into 3proxy and does not require -a separate plugin. All pcre_* commands are available directly when 3proxy is compiled with -PCRE2 support (WITH_PCRE). The plugin line is no longer needed.
- -This filtering functionality can be used to create matching and replacement -rules with regular expressions for client requests, client and -server headers, and client and server data. It adds 3 additional -configuration commands:
- --pcre TYPE FILTER_ACTION REGEXP [ACE] -pcre_rewrite TYPE FILTER_ACTION REGEXP REWRITE_EXPRESSION [ACE] -pcre_extend FILTER_ACTION [ACE] -pcre_options OPTION1 [...] --pcre - allows applying a rule for matching -
-pcre request deny "porn|sex" user1,user2,user3 192.168.0.0/16 -pcre srvheader deny "Content-type: application" -pcre_rewrite clidata,srvdata dunno "porn|sex|pussy" "***" baduser -pcre_extend deny * 192.168.0.1/16 -- -© Vladimir Dubrovin, License: BSD style diff --git a/doc/html/plugins/PCREPlugin.ru.html b/doc/html/plugins/PCREPlugin.ru.html deleted file mode 100644 index cff579e..0000000 --- a/doc/html/plugins/PCREPlugin.ru.html +++ /dev/null @@ -1,89 +0,0 @@ -
Примечание: Начиная с версии 0.9.7 фильтрация PCRE встроена в 3proxy и не требует -отдельного плагина. Все команды pcre_* доступны напрямую при компиляции 3proxy с поддержкой -PCRE2 (WITH_PCRE). Строка plugin больше не нужна.
- -Фильтрующий плагин используется для создания правил поиска и замены -регулярных выражений в запросе, заголовков запроса и ответа и данных. -Добавляет поддержку 3х новых команд в файле конфигурации:
- --pcre TYPE FILTER_ACTION REGEXP [ACE] -pcre_rewrite TYPE FILTER_ACTION REGEXP REWRITE_EXPRESSION [ACE] -pcre_extend FILTER_ACTION [ACE] -pcre_options OPTION1 [...] --pcre - позволяет искать совпадения -
-pcre request deny "porn|sex" user1,user2,user3 192.168.0.0/16 -pcre srvheader deny "Content-type: application" -pcre_rewrite clidata,srvdata dunno "porn|sex|pussy" "***" baduser -pcre_extend deny * 192.168.0.1/16 -- -© Vladimir Dubrovin, License: BSD style diff --git a/doc/html/plugins/SSLPlugin.html b/doc/html/plugins/SSLPlugin.html deleted file mode 100644 index b33c070..0000000 --- a/doc/html/plugins/SSLPlugin.html +++ /dev/null @@ -1,124 +0,0 @@ -
Note: Since version 0.9.7, SSL/TLS support is built into 3proxy and does not require -a separate plugin. All ssl_* commands are available directly when 3proxy is compiled with -OpenSSL support (WITH_SSL). The plugin line is no longer needed.
- -SSL/TLS support can be used to transparently decrypt SSL/TLS data, provide TLS encryption -for proxy traffic, and authenticate using client certificates.
- --ssl_server_ca_file /path/to/cafile -ssl_server_ca_key /path/to/cakey -ssl_mitm -proxy -p3128 -ssl_nomitm -proxy -p3129 --MITM's traffic with a spoofed certificate for the port 3128 proxy. - -
-ssl_server_cert path_to_cert -ssl_server_key path_to_key -ssl_serv -proxy -p33128 -ssl_noserv -proxy -p3128 --Creates an https:// proxy on port 33128 and an http:// proxy on port 3128 - -
-ssl_client_cert /path/to/client.crt -ssl_client_key /path/to/client.key -ssl_client_verify -ssl_client_ca_file /path/to/ca.crt -ssl_cli -proxy -p3128 --Creates an HTTP proxy that connects to upstream servers via TLS with client certificate authentication. - -
-ssl_server_cert /path/to/server.crt -ssl_server_key /path/to/key -ssl_client_mode 3 - -auth strong -allow user1 -parent 1000 https parent1.example.com 443 -allow user2 -parent 1000 socks5 parent2.example.com 1080 -ssl_serv -ssl_cli -proxy -p3128 -ssl_noserv -ssl_nocli --Creates an HTTP proxy on port 3128 that uses TLS for client connections (ssl_serv). With ssl_client_mode 3, TLS handshake to parent proxy is performed only if the parent type ends with 's' (secure types). In this example, user1's traffic goes through an https parent proxy with TLS encryption, while user2's traffic goes through a regular socks5 parent without TLS. Secure parent types include: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps. - -
-ssl_server_cert /path/to/server.crt -ssl_server_key /path/to/server.key -ssl_server_ca_file /path/to/ca.crt -ssl_server_verify -ssl_serv -proxy -p3128 --Creates an https:// proxy that requires client certificate authentication. - -© Vladimir Dubrovin, License: BSD style diff --git a/doc/html/plugins/SSLPlugin.ru.html b/doc/html/plugins/SSLPlugin.ru.html deleted file mode 100644 index dc9238b..0000000 --- a/doc/html/plugins/SSLPlugin.ru.html +++ /dev/null @@ -1,120 +0,0 @@ -
Примечание: Начиная с версии 0.9.7 поддержка SSL/TLS встроена в 3proxy и не требует -отдельного плагина. Все команды ssl_* доступны напрямую при компиляции 3proxy с поддержкой -OpenSSL (WITH_SSL). Строка plugin больше не нужна.
- -Плагин можно использовать для перехвата и дешифровки SSL/TLS трафика, для шифрования трафика прокси-сервера и аутентификации с помощью клиентских сертификатов.
- --ssl_server_ca_file /path/to/cafile -ssl_server_ca_key /path/to/cakey -ssl_mitm -proxy -p3128 -ssl_nomitm -proxy -p3129 --Перехватывается трафик в прокси на порту 3128. - -
-ssl_server_cert path_to_cert -ssl_server_key path_to_key -ssl_serv -proxy -p33128 -ssl_noserv -proxy -p3128 --На порту 33128 создается https:// прокси, на порту 3128 - http:// прокси. - -
-ssl_client_cert /path/to/client.crt -ssl_client_key /path/to/client.key -ssl_client_verify -ssl_client_ca_file /path/to/ca.crt -ssl_cli -proxy -p3128 --Создается HTTP-прокси, который соединяется с вышестоящими серверами через TLS с аутентификацией по клиентскому сертификату. - -
-ssl_server_cert /path/to/server.crt -ssl_server_key /path/to/key -ssl_client_mode 3 - -auth strong -allow user1 -parent 1000 https parent1.example.com 443 -allow user2 -parent 1000 socks5 parent2.example.com 1080 -ssl_serv -ssl_cli -proxy -p3128 -ssl_noserv -ssl_nocli --Создается HTTP-прокси на порту 3128, использующий TLS для клиентских соединений (ssl_serv). При ssl_client_mode 3 TLS-рукопожатие с родительским прокси выполняется только если тип parent прокси заканчивается на 's' (защищённые типы). В данном примере трафик user1 идёт через https родительский прокси с TLS-шифрованием, а трафик user2 — через обычный socks5 родитель без TLS. Защищённые типы parent прокси: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps. - -
-ssl_server_cert /path/to/server.crt -ssl_server_key /path/to/server.key -ssl_server_ca_file /path/to/ca.crt -ssl_server_verify -ssl_serv -proxy -p3128 --Создается https:// прокси, требующий аутентификацию по клиентскому сертификату. - -© Vladimir Dubrovin, License: BSD style diff --git a/man/3proxy.cfg.5 b/man/3proxy.cfg.5 index f536b41..d238a65 100644 --- a/man/3proxy.cfg.5 +++ b/man/3proxy.cfg.5 @@ -591,8 +591,7 @@ This is the default authentication type Appropriate for most cases .br \fBuseronly\fR - authentication by username without checking for any password with -authorization by ACLs. Useful for e.g. SOCKSv4 proxy and icqpr (icqpr set UIN / -AOL screen name as a username) +authorization by ACLs. Useful for e.g. SOCKSv4 proxy. .br \fBdnsname\fR - authentication by DNS hostname with authorization by ACLs. The DNS hostname is resolved via a PTR (reverse) record and validated (the resolved @@ -604,6 +603,11 @@ NB: there is no password check; the name may be spoofed. SOCKSv5, FTP, POP3 and HTTP proxy. .br \fBcache\fR - cached authentication, may be used with \'authcache\'. +.br + \fBcacheacl\fR - cached authentication, same as \fBcache\fR but the ACL +authorization result is also cached and not re-evaluated on each request. Faster +than \fBcache\fR, but ACL changes do not take effect for cached users until the +cache entry expires. Use \fBcache\fR if ACLs may change during the cache lifetime. .br \fBradius\fR - authentication with RADIUS. .br @@ -641,11 +645,25 @@ assigned to the same user without actual authentication. .br \fBlimit\fR - limit user to use only one ip, \'ip\' and \'user\' are required .br - \fBack\fR - only use cached auth if user access service with same ACL + \fBacl\fR - only use cached auth if user access service with same ACL .br \fBext\fR - cache external IP .br -Use auth type \fBcache\fR for cached authentication + \fBdstaddr\fR - cache by destination IP address +.br + \fBdstport\fR - cache by destination port +.br + \fBdsthost\fR - cache by destination hostname +.br + \fBdstoper\fR - cache by destination operation (e.g. HTTP method) +.br + \fBsrvaddr\fR - cache by service (listener) address +.br + \fBsrvport\fR - cache by service (listener) port +.br +Multiple types can be combined (e.g. \fBip,user,dstaddr,dstport\fR). +.br +Use auth type \fBcache\fR (or \fBcacheacl\fR) for cached authentication .br .BR allow @@ -808,6 +826,12 @@ in the proxy chain. Useful for passing client IP information to the parent proxy Example: parent 1000 ha .br Use "+" proxy only with \fBfakeresolve\fR option +.br +Any parent type above can be suffixed with \fBs\fR (e.g. \fBhttps\fR, +\fBtcps\fR, \fBsocks5s\fR, \fBconnect+s\fR) to establish a TLS-encrypted +connection to the parent proxy. Requires SSL/TLS support (WITH_SSL) and is +used with \fBssl_client_mode 3\fR, which only handshakes TLS for \fBs\fR-suffixed +parents. .br IP and port are ip addres and port of parent proxy server. @@ -1047,7 +1071,9 @@ the format: .br \fBCL\fR - password is cleartext .br - \fBCR\fR - password is crypt-style password + \fBCR\fR - password is crypt-style password. \fB$1$\fR prefix uses MD5-crypt +(requires OpenSSL), \fB$3$\fR prefix uses BLAKE2b-crypt (always available, see +.BR 3proxy_crypt (8)) .br \fBNT\fR - password is NT password (in hex) .br @@ -1056,6 +1082,8 @@ the format: users test1:CL:password1 "test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49." .br users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63 +.br + users "test4:CR:$3$salt$G47yV9w...." .br Note: double quotes are required because the password contains a $ sign. @@ -1356,7 +1384,7 @@ authentication and/or allow/deny ACLs. Report all bugs to .BR 3proxy@3proxy.org .SH SEE ALSO -3proxy(8), proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8), syslogd(8), +3proxy(8), 3proxy_crypt(8), proxy(8), ftppr(8), socks(8), pop3p(8), smtpp(8), tlspr(8), tcppm(8), udppm(8), syslogd(8), .br https://3proxy.org/ .SH AUTHORS diff --git a/man/tlspr.8 b/man/tlspr.8 index d9a30c9..ede7847 100644 --- a/man/tlspr.8 +++ b/man/tlspr.8 @@ -75,6 +75,9 @@ destination_port. Port to establish outgoing connections. Required unless the Tr .B -c TLS_CHECK_LEVEL. 0 (default) - allow non-TLS traffic to pass, 1 - require TLS, only check client HELLO packet, 2 - require TLS, check both client and server HELLO, 3 - require TLS, check that the server sends a certificate (not compatible with TLS 1.3), 4 - require mutual TLS, check that the server sends a certificate request and the client sends a certificate (not compatible with TLS 1.3) .TP +.B -s +Split the TLS Client HELLO packet across multiple TCP segments to make SNI-based DPI detection harder. An optional numeric value can follow (e.g. \fB-s1\fR) to control the splitting behaviour. +.TP .B -l Log. By default logging is to stdout. If .I logfile diff --git a/scripts/rh/3proxy.spec b/scripts/rh/3proxy.spec index bd537ef..aa4ba22 100644 --- a/scripts/rh/3proxy.spec +++ b/scripts/rh/3proxy.spec @@ -1,5 +1,5 @@ Name: 3proxy -Version: 0.9.6 +Version: 0.9.7 Release: 1%{?dist} Summary: 3proxy tiny proxy server License: GPL/LGPL/Apache/BSD @@ -67,8 +67,8 @@ if [ ! -f /usr/local/3proxy/conf/passwd ]; then \ touch /usr/local/3proxy/conf/passwd;\ fi [ -f /bin/add3proxyuser ] && sed -i -e 's|@CMAKE_INSTALL_FULL_BINDIR@|/bin|g' -e 's|@3PROXY_CONFDIR@|/etc/3proxy/conf|g' -e 's|@CRYPT_PREFIX@|3proxy_|g' /bin/add3proxyuser; \ -[ -f /etc/init.d/3proxy ] && sed -i -e 's|@CMAKE_INSTALL_FULL_BINDIR@|/bin|g' -e 's|@CMAKE_INSTALL_FULL_SYSCONFDIR@|/etc|g' /etc/init.d/3proxy; \ -[ -f /usr/lib/systemd/system/3proxy.service ] && sed -i -e 's|@CMAKE_INSTALL_FULL_BINDIR@|/bin|g' -e 's|@CMAKE_INSTALL_FULL_SYSCONFDIR@|/etc|g' /usr/lib/systemd/system/3proxy.service; \ +[ -f /etc/init.d/3proxy ] && sed -i -e 's|@CMAKE_INSTALL_FULL_BINDIR@|/bin|g' -e 's|@CMAKE_INSTALL_FULL_SYSCONFDIR@|/etc|g' -e 's|USER=proxy|USER=root|g' /etc/init.d/3proxy; \ +[ -f /usr/lib/systemd/system/3proxy.service ] && sed -i -e 's|@CMAKE_INSTALL_FULL_BINDIR@|/bin|g' -e 's|@CMAKE_INSTALL_FULL_SYSCONFDIR@|/etc|g' -e 's|User=proxy|User=root|g' /usr/lib/systemd/system/3proxy.service; \ if [ -d /etc/3proxy ]; then \ chown -R proxy:proxy /etc/3proxy; \ chmod -R o-rwx /etc/3proxy; \ diff --git a/src/auth.c b/src/auth.c index 68b9bdc..cfb04ee 100644 --- a/src/auth.c +++ b/src/auth.c @@ -72,31 +72,32 @@ int alwaysauth(struct clientparam * param){ int cacheauth(struct clientparam * param){ struct authcache ac; uint32_t ttl; + unsigned type = param->srv->authcachetype; if( - ((conf.authcachetype & 2) && !param->username) || - ((conf.authcachetype & 4) && !param->password) || + ((type & 2) && !param->username) || + ((type & 4) && !param->password) || ( - (conf.authcachetype & 1) && *SAFAMILY(¶m->sincr) != AF_INET + (type & 1) && *SAFAMILY(¶m->sincr) != AF_INET #ifndef NOIPv6 && *SAFAMILY(¶m->sincr) != AF_INET6 #endif ) || (!hashresolv(&auth_table, param, &ac, &ttl))) { return 4; } - if((conf.authcachetype & 1) &&(conf.authcachetype & 8) && + if((type & 1) &&(type & 8) && (ac.sincr_family != *SAFAMILY(¶m->sincr) || memcmp(ac.sincr_addr, SAADDR(¶m->sincr), SAADDRLEN(¶m->sincr)) )) { return 10; } - if(!(conf.authcachetype&2) && *ac.username){ + if(!(type&2) && *ac.username){ if(param->username) free(param->username); param->username = (unsigned char *)strdup((char *)ac.username); } - if((conf.authcachetype & 32)){ + if((type & 32)){ memset(¶m->sinsl, 0, sizeof(param->sinsl)); *(SAFAMILY(¶m->sinsl)) = ac.sinsl_family; memcpy(SAADDR(¶m->sinsl), ac.sinsl_addr, SAADDRLEN(¶m->sinsl)); @@ -116,7 +117,7 @@ int doauth(struct clientparam * param){ if(authfuncs->authorize && (res = (*authfuncs->authorize)(param))) return res; - if(conf.authcachetype && authfuncs->authenticate && authfuncs->authenticate != cacheauth && param->username && (!(conf.authcachetype&4) || (!param->pwtype && param->password))){ + if(param->srv->authcachetype && authfuncs->authenticate && authfuncs->authenticate != cacheauth && param->username && (!(param->srv->authcachetype&4) || (!param->pwtype && param->password))){ struct authcache ac={.username=""}; if(param->username) { diff --git a/src/common.c b/src/common.c index 9b251a2..3444dcd 100644 --- a/src/common.c +++ b/src/common.c @@ -17,6 +17,8 @@ char * copyright = COPYRIGHT; # define MYRAND_ARC4RANDOM 1 #elif defined(__GLIBC__) && ((__GLIBC__ > 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 36))) # define MYRAND_ARC4RANDOM 1 +#elif defined(__GLIBC__) && ((__GLIBC__ < 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ < 25))) +# define MYRAND_FALLBACK 1 #elif defined(__linux__) # define MYRAND_GETRANDOM 1 # include