mirror of
https://github.com/3proxy/3proxy.git
synced 2026-07-16 17:30:11 +08:00
Merge branch 'master' into test-ci
This commit is contained in:
commit
ba37fb2a37
11
.github/dependabot.yml
vendored
Normal file
11
.github/dependabot.yml
vendored
Normal file
@ -0,0 +1,11 @@
|
||||
version: 2
|
||||
updates:
|
||||
- package-ecosystem: github-actions
|
||||
directory: /
|
||||
schedule:
|
||||
interval: weekly
|
||||
|
||||
- package-ecosystem: docker
|
||||
directory: /
|
||||
schedule:
|
||||
interval: weekly
|
||||
25
.github/workflows/build-rpm-arm64.yml
vendored
25
.github/workflows/build-rpm-arm64.yml
vendored
@ -1,8 +1,13 @@
|
||||
name: RPM/DEB build aarch64
|
||||
|
||||
on:
|
||||
release:
|
||||
types: [published]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
jobs:
|
||||
ci:
|
||||
name: "${{ matrix.target }}"
|
||||
@ -12,7 +17,7 @@ jobs:
|
||||
- ubuntu-24.04-arm
|
||||
runs-on: ${{ matrix.target }}
|
||||
steps:
|
||||
- uses: actions/checkout@v5
|
||||
- uses: actions/checkout@v7
|
||||
- name: env
|
||||
run: |
|
||||
pwd
|
||||
@ -42,11 +47,17 @@ jobs:
|
||||
rpmbuild -ba 3proxy-$RELEASE.spec
|
||||
cd $ret
|
||||
mv ~/rpmbuild/RPMS/aarch64/3proxy-$RELEASE-1.aarch64.rpm 3proxy-$RELEASE.arm64.rpm
|
||||
- name: Get artifact arp
|
||||
uses: actions/upload-artifact@v6
|
||||
- name: Get artifact rpm
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: "3proxy-${{ env.RELEASE }}-arm64.rpm"
|
||||
path: "*.rpm"
|
||||
- name: Upload rpm to release
|
||||
if: github.event_name == 'release'
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
TAG: ${{ github.event.release.tag_name }}
|
||||
run: gh release upload "$TAG" 3proxy-${{ env.RELEASE }}.arm64.rpm
|
||||
- name: debbuild
|
||||
run: |
|
||||
ret=`pwd`
|
||||
@ -63,7 +74,13 @@ jobs:
|
||||
cd $ret
|
||||
cp ~/debian/3proxy_$RELEASE-"$VERSION"_arm64.deb ./3proxy-$RELEASE.arm64.deb
|
||||
- name: Get artifact deb
|
||||
uses: actions/upload-artifact@v6
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: "3proxy-${{ env.RELEASE }}-arm64.deb"
|
||||
path: "*.deb"
|
||||
- name: Upload deb to release
|
||||
if: github.event_name == 'release'
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
TAG: ${{ github.event.release.tag_name }}
|
||||
run: gh release upload "$TAG" 3proxy-${{ env.RELEASE }}.arm64.deb
|
||||
|
||||
27
.github/workflows/build-rpm-armhf.yml
vendored
27
.github/workflows/build-rpm-armhf.yml
vendored
@ -1,8 +1,13 @@
|
||||
name: RPM/DEB build armhf
|
||||
|
||||
on:
|
||||
release:
|
||||
types: [published]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
jobs:
|
||||
ci:
|
||||
name: "${{ matrix.target }}"
|
||||
@ -12,7 +17,7 @@ jobs:
|
||||
- ubuntu-latest
|
||||
runs-on: ${{ matrix.target }}
|
||||
steps:
|
||||
- uses: actions/checkout@v5
|
||||
- uses: actions/checkout@v7
|
||||
- name: env
|
||||
run: |
|
||||
pwd
|
||||
@ -66,14 +71,20 @@ jobs:
|
||||
export CC=$CC
|
||||
export RPATH=/usr/arm-linux-gnueabihf/lib:$RPATH
|
||||
export LD_LIBRARY_PATH=/usr/arm-linux-gnueabihf/lib:$LD_LIBRARY_PATH
|
||||
rpmbuild -ba --define "PAMLIB pam0g" --define "_arch arm" --define "cross yes" --target=arm-linux-gnueabi 3proxy-$RELEASE.spec
|
||||
rpmbuild -ba --define "PAMLIB pam0g" --define "_arch arm" --define "cross yes" --target=arm-linux-gnueabihf 3proxy-$RELEASE.spec
|
||||
cd $ret
|
||||
mv ~/rpmbuild/RPMS/arm/3proxy-$RELEASE-1.arm.rpm 3proxy-$RELEASE.arm.rpm
|
||||
- name: Get artifact
|
||||
uses: actions/upload-artifact@v6
|
||||
- name: Get artifact rpm
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: "3proxy-${{ env.RELEASE }}-arm.rpm"
|
||||
path: "*.rpm"
|
||||
- name: Upload rpm to release
|
||||
if: github.event_name == 'release'
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
TAG: ${{ github.event.release.tag_name }}
|
||||
run: gh release upload "$TAG" 3proxy-${{ env.RELEASE }}.arm.rpm
|
||||
- name: debbuild
|
||||
run: |
|
||||
ret=`pwd`
|
||||
@ -96,7 +107,13 @@ jobs:
|
||||
cd $ret
|
||||
cp ~/debian/3proxy_$RELEASE-"$VERSION"_armhf.deb ./3proxy-$RELEASE.arm.deb
|
||||
- name: Get artifact deb
|
||||
uses: actions/upload-artifact@v6
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: "3proxy-${{ env.RELEASE }}-arm.deb"
|
||||
path: "*.deb"
|
||||
- name: Upload deb to release
|
||||
if: github.event_name == 'release'
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
TAG: ${{ github.event.release.tag_name }}
|
||||
run: gh release upload "$TAG" 3proxy-${{ env.RELEASE }}.arm.deb
|
||||
|
||||
23
.github/workflows/build-rpm-x86-64.yml
vendored
23
.github/workflows/build-rpm-x86-64.yml
vendored
@ -1,8 +1,13 @@
|
||||
name: RPM/DEB build x86-64
|
||||
|
||||
on:
|
||||
release:
|
||||
types: [published]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
jobs:
|
||||
ci:
|
||||
name: "${{ matrix.target }}"
|
||||
@ -12,7 +17,7 @@ jobs:
|
||||
- ubuntu-latest
|
||||
runs-on: ${{ matrix.target }}
|
||||
steps:
|
||||
- uses: actions/checkout@v5
|
||||
- uses: actions/checkout@v7
|
||||
- name: env
|
||||
run: |
|
||||
pwd
|
||||
@ -43,10 +48,16 @@ jobs:
|
||||
cd $ret
|
||||
mv ~/rpmbuild/RPMS/x86_64/3proxy-$RELEASE-1.x86_64.rpm 3proxy-$RELEASE.x86_64.rpm
|
||||
- name: Get artifact rpm
|
||||
uses: actions/upload-artifact@v6
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: "3proxy-${{ env.RELEASE }}-x86_64.rpm"
|
||||
path: "*.rpm"
|
||||
- name: Upload rpm to release
|
||||
if: github.event_name == 'release'
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
TAG: ${{ github.event.release.tag_name }}
|
||||
run: gh release upload "$TAG" 3proxy-${{ env.RELEASE }}.x86_64.rpm
|
||||
- name: debbuild
|
||||
run: |
|
||||
ret=`pwd`
|
||||
@ -63,8 +74,14 @@ jobs:
|
||||
cd $ret
|
||||
cp ~/debian/3proxy_$RELEASE-"$VERSION"_amd64.deb ./3proxy-$RELEASE.x86_64.deb
|
||||
- name: Get artifact deb
|
||||
uses: actions/upload-artifact@v6
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: "3proxy-${{ env.RELEASE }}-x86_64.deb"
|
||||
path: "*.deb"
|
||||
- name: Upload deb to release
|
||||
if: github.event_name == 'release'
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
TAG: ${{ github.event.release.tag_name }}
|
||||
run: gh release upload "$TAG" 3proxy-${{ env.RELEASE }}.x86_64.deb
|
||||
|
||||
|
||||
22
.github/workflows/build-watcom.yml
vendored
22
.github/workflows/build-watcom.yml
vendored
@ -1,8 +1,13 @@
|
||||
name: Build Win32 3proxy-lite with Watcom
|
||||
|
||||
on:
|
||||
release:
|
||||
types: [published]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
jobs:
|
||||
ci:
|
||||
name: "${{ matrix.target }}"
|
||||
@ -12,11 +17,11 @@ jobs:
|
||||
- windows-2022
|
||||
runs-on: ${{ matrix.target }}
|
||||
steps:
|
||||
- uses: actions/checkout@v5
|
||||
- uses: actions/checkout@v7
|
||||
# - name: configure
|
||||
# run: ./configure
|
||||
- name: Setup Open Watcom
|
||||
uses: open-watcom/setup-watcom@v0
|
||||
uses: open-watcom/setup-watcom@v1
|
||||
- name: set date
|
||||
run: |
|
||||
$NOW = Get-Date -Format "yyMMddHHmmss"
|
||||
@ -73,7 +78,18 @@ jobs:
|
||||
copy README.md dist\3proxy\
|
||||
copy rus.3ps dist\3proxy\
|
||||
- name: Get artifact
|
||||
uses: actions/upload-artifact@v6
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: "3proxy-${{ env.RELEASE }}-lite"
|
||||
path: dist/
|
||||
- name: Create zip
|
||||
if: github.event_name == 'release'
|
||||
shell: pwsh
|
||||
run: Compress-Archive -Path dist/* -DestinationPath 3proxy-${{ env.RELEASE }}-lite.zip
|
||||
- name: Upload to release
|
||||
if: github.event_name == 'release'
|
||||
shell: bash
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
TAG: ${{ github.event.release.tag_name }}
|
||||
run: gh release upload "$TAG" 3proxy-${{ env.RELEASE }}-lite.zip
|
||||
|
||||
35
.github/workflows/build-win32.yml
vendored
35
.github/workflows/build-win32.yml
vendored
@ -1,8 +1,13 @@
|
||||
name: Build Win32 3proxy with MSVC
|
||||
|
||||
on:
|
||||
release:
|
||||
types: [published]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
jobs:
|
||||
ci:
|
||||
name: "${{ matrix.target }}"
|
||||
@ -12,7 +17,7 @@ jobs:
|
||||
- windows-2022
|
||||
runs-on: ${{ matrix.target }}
|
||||
steps:
|
||||
- uses: actions/checkout@v5
|
||||
- uses: actions/checkout@v7
|
||||
# - name: configure
|
||||
# run: ./configure
|
||||
- name: set date
|
||||
@ -42,12 +47,20 @@ jobs:
|
||||
run: |
|
||||
$pfx_cert_byte = [System.Convert]::FromBase64String("${{ secrets.WINDOWS_CERTIFICATE }}")
|
||||
[System.IO.File]::WriteAllBytes("${{ github.workspace }}\cert.pfx", $pfx_cert_byte)
|
||||
- name: Extract public certificate
|
||||
shell: pwsh
|
||||
env:
|
||||
CERT_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
|
||||
run: |
|
||||
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("${{ github.workspace }}\cert.pfx", "$env:CERT_PASSWORD")
|
||||
[System.IO.File]::WriteAllBytes("${{ github.workspace }}\3proxy.crt", $cert.Export("Cert"))
|
||||
- name: Sign
|
||||
shell: pwsh
|
||||
env:
|
||||
CERT_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
|
||||
run: |
|
||||
$signtool = (Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin\*\x64\signtool.exe" | Sort-Object { [version]$_.Directory.Parent.Name } -Descending | Select-Object -First 1).FullName
|
||||
& $signtool sign /f "${{ github.workspace }}\cert.pfx" /p "${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}" /tr http://timestamp.digicert.com /td sha256 /fd sha256 "bin\3proxy.exe"
|
||||
& $signtool sign /f "${{ github.workspace }}\cert.pfx" /p "${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}" /tr http://timestamp.digicert.com /td sha256 /fd sha256 "bin\3proxy_crypt.exe"
|
||||
Get-ChildItem bin\*.exe, bin\*.dll | ForEach-Object { & $signtool sign /f "${{ github.workspace }}\cert.pfx" /p "$env:CERT_PASSWORD" /tr http://timestamp.digicert.com /td sha256 /fd sha256 $_.FullName }
|
||||
- name: make dist dir
|
||||
shell: cmd
|
||||
run: |
|
||||
@ -78,8 +91,20 @@ jobs:
|
||||
copy authors dist\3proxy\
|
||||
copy README.md dist\3proxy\
|
||||
copy rus.3ps dist\3proxy\
|
||||
copy 3proxy.crt dist\3proxy\
|
||||
- name: Get artifact
|
||||
uses: actions/upload-artifact@v6
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: "3proxy-${{ env.RELEASE }}"
|
||||
name: "3proxy-${{ env.RELEASE }}-x86"
|
||||
path: dist/
|
||||
- name: Create zip
|
||||
if: github.event_name == 'release'
|
||||
shell: pwsh
|
||||
run: Compress-Archive -Path dist/* -DestinationPath 3proxy-${{ env.RELEASE }}-x86.zip
|
||||
- name: Upload to release
|
||||
if: github.event_name == 'release'
|
||||
shell: bash
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
TAG: ${{ github.event.release.tag_name }}
|
||||
run: gh release upload "$TAG" 3proxy-${{ env.RELEASE }}-x86.zip
|
||||
|
||||
35
.github/workflows/build-win64.yml
vendored
35
.github/workflows/build-win64.yml
vendored
@ -1,8 +1,13 @@
|
||||
name: Build Win64 3proxy with MSVC
|
||||
|
||||
on:
|
||||
release:
|
||||
types: [published]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
jobs:
|
||||
ci:
|
||||
name: "${{ matrix.target }}"
|
||||
@ -12,7 +17,7 @@ jobs:
|
||||
- windows-2022
|
||||
runs-on: ${{ matrix.target }}
|
||||
steps:
|
||||
- uses: actions/checkout@v5
|
||||
- uses: actions/checkout@v7
|
||||
# - name: configure
|
||||
# run: ./configure
|
||||
- name: set date
|
||||
@ -43,12 +48,20 @@ jobs:
|
||||
run: |
|
||||
$pfx_cert_byte = [System.Convert]::FromBase64String("${{ secrets.WINDOWS_CERTIFICATE }}")
|
||||
[System.IO.File]::WriteAllBytes("${{ github.workspace }}\cert.pfx", $pfx_cert_byte)
|
||||
- name: Extract public certificate
|
||||
shell: pwsh
|
||||
env:
|
||||
CERT_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
|
||||
run: |
|
||||
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("${{ github.workspace }}\cert.pfx", "$env:CERT_PASSWORD")
|
||||
[System.IO.File]::WriteAllBytes("${{ github.workspace }}\3proxy.crt", $cert.Export("Cert"))
|
||||
- name: Sign
|
||||
shell: pwsh
|
||||
env:
|
||||
CERT_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
|
||||
run: |
|
||||
$signtool = (Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin\*\x64\signtool.exe" | Sort-Object { [version]$_.Directory.Parent.Name } -Descending | Select-Object -First 1).FullName
|
||||
& $signtool sign /f "${{ github.workspace }}\cert.pfx" /p "${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}" /tr http://timestamp.digicert.com /td sha256 /fd sha256 "bin\3proxy.exe"
|
||||
& $signtool sign /f "${{ github.workspace }}\cert.pfx" /p "${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}" /tr http://timestamp.digicert.com /td sha256 /fd sha256 "bin\3proxy_crypt.exe"
|
||||
Get-ChildItem bin\*.exe, bin\*.dll | ForEach-Object { & $signtool sign /f "${{ github.workspace }}\cert.pfx" /p "$env:CERT_PASSWORD" /tr http://timestamp.digicert.com /td sha256 /fd sha256 $_.FullName }
|
||||
- name: make dist dir
|
||||
shell: cmd
|
||||
run: |
|
||||
@ -74,13 +87,25 @@ jobs:
|
||||
copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\
|
||||
copy doc\html\man8\*.* dist\3proxy\doc\html\man8\
|
||||
copy doc\html\man5\*.* dist\3proxy\doc\html\man5\
|
||||
copy doc\html\devel\*.rtf dist\3proxy\doc\html\devel\
|
||||
copy doc\html\devel\*.* dist\3proxy\doc\html\devel\
|
||||
copy copying dist\3proxy\
|
||||
copy authors dist\3proxy\
|
||||
copy README.md dist\3proxy\
|
||||
copy rus.3ps dist\3proxy\
|
||||
copy 3proxy.crt dist\3proxy\
|
||||
- name: Get artifact
|
||||
uses: actions/upload-artifact@v6
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: "3proxy-${{ env.RELEASE }}-x64"
|
||||
path: dist/
|
||||
- name: Create zip
|
||||
if: github.event_name == 'release'
|
||||
shell: pwsh
|
||||
run: Compress-Archive -Path dist/* -DestinationPath 3proxy-${{ env.RELEASE }}-x64.zip
|
||||
- name: Upload to release
|
||||
if: github.event_name == 'release'
|
||||
shell: bash
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
TAG: ${{ github.event.release.tag_name }}
|
||||
run: gh release upload "$TAG" 3proxy-${{ env.RELEASE }}-x64.zip
|
||||
|
||||
35
.github/workflows/build-winarm64.yml
vendored
35
.github/workflows/build-winarm64.yml
vendored
@ -1,8 +1,13 @@
|
||||
name: Build Win-arm64 3proxy with MSVC
|
||||
|
||||
on:
|
||||
release:
|
||||
types: [published]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
jobs:
|
||||
ci:
|
||||
name: "${{ matrix.target }}"
|
||||
@ -12,7 +17,7 @@ jobs:
|
||||
- windows-2022
|
||||
runs-on: ${{ matrix.target }}
|
||||
steps:
|
||||
- uses: actions/checkout@v5
|
||||
- uses: actions/checkout@v7
|
||||
# - name: configure
|
||||
# run: ./configure
|
||||
- name: set date
|
||||
@ -42,12 +47,20 @@ jobs:
|
||||
run: |
|
||||
$pfx_cert_byte = [System.Convert]::FromBase64String("${{ secrets.WINDOWS_CERTIFICATE }}")
|
||||
[System.IO.File]::WriteAllBytes("${{ github.workspace }}\cert.pfx", $pfx_cert_byte)
|
||||
- name: Extract public certificate
|
||||
shell: pwsh
|
||||
env:
|
||||
CERT_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
|
||||
run: |
|
||||
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("${{ github.workspace }}\cert.pfx", "$env:CERT_PASSWORD")
|
||||
[System.IO.File]::WriteAllBytes("${{ github.workspace }}\3proxy.crt", $cert.Export("Cert"))
|
||||
- name: Sign
|
||||
shell: pwsh
|
||||
env:
|
||||
CERT_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
|
||||
run: |
|
||||
$signtool = (Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin\*\x64\signtool.exe" | Sort-Object { [version]$_.Directory.Parent.Name } -Descending | Select-Object -First 1).FullName
|
||||
& $signtool sign /f "${{ github.workspace }}\cert.pfx" /p "${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}" /tr http://timestamp.digicert.com /td sha256 /fd sha256 "bin\3proxy.exe"
|
||||
& $signtool sign /f "${{ github.workspace }}\cert.pfx" /p "${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}" /tr http://timestamp.digicert.com /td sha256 /fd sha256 "bin\3proxy_crypt.exe"
|
||||
Get-ChildItem bin\*.exe, bin\*.dll | ForEach-Object { & $signtool sign /f "${{ github.workspace }}\cert.pfx" /p "$env:CERT_PASSWORD" /tr http://timestamp.digicert.com /td sha256 /fd sha256 $_.FullName }
|
||||
- name: make dist dir
|
||||
shell: cmd
|
||||
run: |
|
||||
@ -73,13 +86,25 @@ jobs:
|
||||
copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\
|
||||
copy doc\html\man8\*.* dist\3proxy\doc\html\man8\
|
||||
copy doc\html\man5\*.* dist\3proxy\doc\html\man5\
|
||||
copy doc\html\devel\*.rtf dist\3proxy\doc\html\devel\
|
||||
copy doc\html\devel\*.* dist\3proxy\doc\html\devel\
|
||||
copy copying dist\3proxy\
|
||||
copy authors dist\3proxy\
|
||||
copy README.md dist\3proxy\
|
||||
copy rus.3ps dist\3proxy\
|
||||
copy 3proxy.crt dist\3proxy\
|
||||
- name: Get artifact
|
||||
uses: actions/upload-artifact@v6
|
||||
uses: actions/upload-artifact@v7
|
||||
with:
|
||||
name: "3proxy-${{ env.RELEASE }}-arm64"
|
||||
path: dist/
|
||||
- name: Create zip
|
||||
if: github.event_name == 'release'
|
||||
shell: pwsh
|
||||
run: Compress-Archive -Path dist/* -DestinationPath 3proxy-${{ env.RELEASE }}-arm64.zip
|
||||
- name: Upload to release
|
||||
if: github.event_name == 'release'
|
||||
shell: bash
|
||||
env:
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
TAG: ${{ github.event.release.tag_name }}
|
||||
run: gh release upload "$TAG" 3proxy-${{ env.RELEASE }}-arm64.zip
|
||||
|
||||
9
.github/workflows/c-cpp-Linux.yml
vendored
9
.github/workflows/c-cpp-Linux.yml
vendored
@ -2,13 +2,14 @@ name: C/C++ CI Linux
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ "master" ]
|
||||
paths: [ '**.c', '**.h', 'Makefile.Linux', '.github/configs', '.github/workflows/c-cpp-Linux.yml' ]
|
||||
pull_request:
|
||||
branches: [ "master" ]
|
||||
paths: [ '**.c', '**.h', 'Makefile.Linux', '.github/configs', '.github/workflows/c-cpp-Linux.yml' ]
|
||||
paths: [ "**.c", "**.h", "Makefile.Linux", ".github/configs", ".github/workflows/c-cpp-Linux.yml" ]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
ci:
|
||||
name: "${{ matrix.target }}"
|
||||
@ -19,7 +20,7 @@ jobs:
|
||||
- ubuntu-24.04-arm
|
||||
runs-on: ${{ matrix.target }}
|
||||
steps:
|
||||
- uses: actions/checkout@v5
|
||||
- uses: actions/checkout@v7
|
||||
# - name: configure
|
||||
# run: ./configure
|
||||
- name: Linux libraries
|
||||
|
||||
9
.github/workflows/c-cpp-MacOS.yml
vendored
9
.github/workflows/c-cpp-MacOS.yml
vendored
@ -2,13 +2,14 @@ name: C/C++ CI MacOS
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ "master" ]
|
||||
paths: [ '**.c', '**.h', 'Makefile.FreeBSD', '.github/configs', '.github/workflows/c-cpp-MacOS.yml' ]
|
||||
pull_request:
|
||||
branches: [ "master" ]
|
||||
paths: [ '**.c', '**.h', 'Makefile.FreeBSD', '.github/configs', '.github/workflows/c-cpp-MacOS.yml' ]
|
||||
paths: [ "**.c", "**.h", "Makefile.FreeBSD", ".github/configs", ".github/workflows/c-cpp-MacOS.yml" ]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
ci:
|
||||
name: "${{ matrix.target }}"
|
||||
@ -18,7 +19,7 @@ jobs:
|
||||
- macos-15
|
||||
runs-on: ${{ matrix.target }}
|
||||
steps:
|
||||
- uses: actions/checkout@v5
|
||||
- uses: actions/checkout@v7
|
||||
# - name: configure
|
||||
# run: ./configure
|
||||
- name: Mac libraries
|
||||
|
||||
9
.github/workflows/c-cpp-Windows.yml
vendored
9
.github/workflows/c-cpp-Windows.yml
vendored
@ -2,13 +2,14 @@ name: C/C++ CI Windows
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ "master" ]
|
||||
paths: [ '**.c', '**.h', 'Makefile.msvc', '.github/configs', '.github/workflows/c-cpp-Windows.yml' ]
|
||||
pull_request:
|
||||
branches: [ "master" ]
|
||||
paths: [ '**.c', '**.h', 'Makefile.msvc', '.github/configs', '.github/workflows/c-cpp-Windows.yml' ]
|
||||
paths: [ "**.c", "**.h", "Makefile.msvc", ".github/configs", ".github/workflows/c-cpp-Windows.yml" ]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
ci:
|
||||
name: "${{ matrix.target }}"
|
||||
@ -18,7 +19,7 @@ jobs:
|
||||
- windows-2022
|
||||
runs-on: ${{ matrix.target }}
|
||||
steps:
|
||||
- uses: actions/checkout@v5
|
||||
- uses: actions/checkout@v7
|
||||
- name: install Windows libraries
|
||||
run: vcpkg install pcre2:x64-windows && c:\msys64\usr\bin\pacman.exe -S --noconfirm mingw-w64-x86_64-pcre2 mingw-w64-x86_64-openssl
|
||||
- name: make Windows
|
||||
|
||||
9
.github/workflows/c-cpp-cmake.yml
vendored
9
.github/workflows/c-cpp-cmake.yml
vendored
@ -2,13 +2,14 @@ name: C/C++ CI cmake
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ "master", "unix_socket" ]
|
||||
paths: [ '**.c', '**.h', '**.cmake', 'CMakeLists.txt', '.github/configs', '.github/workflows/c-cpp-cmake.yml' ]
|
||||
pull_request:
|
||||
branches: [ "master" ]
|
||||
paths: [ '**.c', '**.h', '**.cmake', 'CMakeLists.txt', '.github/configs', '.github/workflows/c-cpp-cmake.yml' ]
|
||||
paths: [ "**.c", "**.h", "**.cmake", "CMakeLists.txt", ".github/configs", ".github/workflows/c-cpp-cmake.yml" ]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
ci:
|
||||
name: "${{ matrix.target }}"
|
||||
@ -21,7 +22,7 @@ jobs:
|
||||
- windows-2022
|
||||
runs-on: ${{ matrix.target }}
|
||||
steps:
|
||||
- uses: actions/checkout@v5
|
||||
- uses: actions/checkout@v7
|
||||
# - name: configure
|
||||
# run: ./configure
|
||||
- name: Linux libraries
|
||||
|
||||
99
.github/workflows/docker-ghcr.yml
vendored
Normal file
99
.github/workflows/docker-ghcr.yml
vendored
Normal file
@ -0,0 +1,99 @@
|
||||
name: Build Docker images (GHCR)
|
||||
|
||||
on:
|
||||
release:
|
||||
types: [published]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
id-token: write
|
||||
|
||||
env:
|
||||
REGISTRY: ghcr.io
|
||||
IMAGE_NAME: ${{ github.repository }}
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build and push Docker images
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v7
|
||||
|
||||
- name: Determine tags
|
||||
id: tags
|
||||
env:
|
||||
RELEASE_TAG: ${{ github.event.release.tag_name }}
|
||||
IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
||||
run: |
|
||||
if [[ "$RELEASE_TAG" != "" ]]; then
|
||||
RELEASE="${RELEASE_TAG#v}"
|
||||
echo "minimal=${IMAGE}:${RELEASE}.minimal,${IMAGE}:minimal" >> "$GITHUB_OUTPUT"
|
||||
echo "busybox=${IMAGE}:${RELEASE}.busybox,${IMAGE}:busybox" >> "$GITHUB_OUTPUT"
|
||||
echo "full=${IMAGE}:${RELEASE},${IMAGE}:latest" >> "$GITHUB_OUTPUT"
|
||||
else
|
||||
DATETIME=$(date +%d%m%y%H%M%S)
|
||||
BRANCH=$(echo "${GITHUB_REF#refs/heads/}" | tr "/" "-")
|
||||
echo "minimal=${IMAGE}:${DATETIME}-${BRANCH}.minimal,${IMAGE}:${BRANCH}.minimal" >> "$GITHUB_OUTPUT"
|
||||
echo "busybox=${IMAGE}:${DATETIME}-${BRANCH}.busybox,${IMAGE}:${BRANCH}.busybox" >> "$GITHUB_OUTPUT"
|
||||
echo "full=${IMAGE}:${DATETIME}-${BRANCH},${IMAGE}:${BRANCH}" >> "$GITHUB_OUTPUT"
|
||||
fi
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v4
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v4
|
||||
|
||||
- name: Install cosign
|
||||
uses: sigstore/cosign-installer@v3
|
||||
|
||||
- name: Login to GHCR
|
||||
if: github.event_name != 'pull_request'
|
||||
uses: docker/login-action@v4
|
||||
with:
|
||||
registry: ${{ env.REGISTRY }}
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Build and push minimal
|
||||
uses: docker/build-push-action@v7
|
||||
with:
|
||||
context: .
|
||||
file: Dockerfile.minimal
|
||||
platforms: linux/amd64,linux/arm64,linux/arm/v7,ppc64le
|
||||
push: ${{ github.event_name != 'pull_request' }}
|
||||
tags: ${{ steps.tags.outputs.minimal }}
|
||||
|
||||
- name: Build and push busybox
|
||||
uses: docker/build-push-action@v7
|
||||
with:
|
||||
context: .
|
||||
file: Dockerfile.busybox
|
||||
platforms: linux/amd64,linux/arm64,linux/arm/v7,ppc64le
|
||||
push: ${{ github.event_name != 'pull_request' }}
|
||||
tags: ${{ steps.tags.outputs.busybox }}
|
||||
|
||||
- name: Build and push full
|
||||
uses: docker/build-push-action@v7
|
||||
with:
|
||||
context: .
|
||||
file: Dockerfile.full
|
||||
platforms: linux/amd64,linux/arm64,linux/arm/v7,ppc64le
|
||||
push: ${{ github.event_name != 'pull_request' }}
|
||||
tags: ${{ steps.tags.outputs.full }}
|
||||
|
||||
- name: Sign images
|
||||
if: github.event_name != 'pull_request'
|
||||
env:
|
||||
TAGS_MINIMAL: ${{ steps.tags.outputs.minimal }}
|
||||
TAGS_BUSYBOX: ${{ steps.tags.outputs.busybox }}
|
||||
TAGS_FULL: ${{ steps.tags.outputs.full }}
|
||||
run: |
|
||||
IFS=',' read -ra TAGS <<< "$TAGS_MINIMAL,$TAGS_BUSYBOX,$TAGS_FULL"
|
||||
for tag in "${TAGS[@]}"; do
|
||||
cosign sign --yes "$tag"
|
||||
done
|
||||
|
||||
95
.github/workflows/docker.yml
vendored
Normal file
95
.github/workflows/docker.yml
vendored
Normal file
@ -0,0 +1,95 @@
|
||||
name: Build Docker images (Docker Hub)
|
||||
|
||||
on:
|
||||
release:
|
||||
types: [published]
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
id-token: write
|
||||
|
||||
env:
|
||||
REGISTRY: docker.io
|
||||
IMAGE_NAME: 3proxy/3proxy
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build and push Docker images
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v7
|
||||
|
||||
- name: Determine tags
|
||||
id: tags
|
||||
env:
|
||||
RELEASE_TAG: ${{ github.event.release.tag_name }}
|
||||
run: |
|
||||
if [[ "$RELEASE_TAG" != "" ]]; then
|
||||
RELEASE="${RELEASE_TAG#v}"
|
||||
echo "minimal=${REGISTRY}/${IMAGE_NAME}:${RELEASE}.minimal,${REGISTRY}/${IMAGE_NAME}:minimal" >> "$GITHUB_OUTPUT"
|
||||
echo "busybox=${REGISTRY}/${IMAGE_NAME}:${RELEASE}.busybox,${REGISTRY}/${IMAGE_NAME}:busybox" >> "$GITHUB_OUTPUT"
|
||||
echo "full=${REGISTRY}/${IMAGE_NAME}:${RELEASE},${REGISTRY}/${IMAGE_NAME}:latest" >> "$GITHUB_OUTPUT"
|
||||
else
|
||||
DATETIME=$(date +%d%m%y%H%M%S)
|
||||
BRANCH=$(echo "${GITHUB_REF#refs/heads/}" | tr "/" "-")
|
||||
echo "minimal=${REGISTRY}/${IMAGE_NAME}:${DATETIME}-${BRANCH}.minimal,${REGISTRY}/${IMAGE_NAME}:${BRANCH}.minimal" >> "$GITHUB_OUTPUT"
|
||||
echo "busybox=${REGISTRY}/${IMAGE_NAME}:${DATETIME}-${BRANCH}.busybox,${REGISTRY}/${IMAGE_NAME}:${BRANCH}.busybox" >> "$GITHUB_OUTPUT"
|
||||
echo "full=${REGISTRY}/${IMAGE_NAME}:${DATETIME}-${BRANCH},${REGISTRY}/${IMAGE_NAME}:${BRANCH}" >> "$GITHUB_OUTPUT"
|
||||
fi
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v4
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v4
|
||||
|
||||
- name: Install cosign
|
||||
uses: sigstore/cosign-installer@v3
|
||||
|
||||
- name: Login to Docker Hub
|
||||
if: github.event_name != 'pull_request'
|
||||
uses: docker/login-action@v4
|
||||
with:
|
||||
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
||||
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
||||
|
||||
- name: Build and push minimal
|
||||
uses: docker/build-push-action@v7
|
||||
with:
|
||||
context: .
|
||||
file: Dockerfile.minimal
|
||||
platforms: linux/amd64,linux/arm64,linux/arm/v7,ppc64le
|
||||
push: ${{ github.event_name != 'pull_request' }}
|
||||
tags: ${{ steps.tags.outputs.minimal }}
|
||||
|
||||
- name: Build and push busybox
|
||||
uses: docker/build-push-action@v7
|
||||
with:
|
||||
context: .
|
||||
file: Dockerfile.busybox
|
||||
platforms: linux/amd64,linux/arm64,linux/arm/v7,ppc64le
|
||||
push: ${{ github.event_name != 'pull_request' }}
|
||||
tags: ${{ steps.tags.outputs.busybox }}
|
||||
|
||||
- name: Build and push full
|
||||
uses: docker/build-push-action@v7
|
||||
with:
|
||||
context: .
|
||||
file: Dockerfile.full
|
||||
platforms: linux/amd64,linux/arm64,linux/arm/v7,ppc64le
|
||||
push: ${{ github.event_name != 'pull_request' }}
|
||||
tags: ${{ steps.tags.outputs.full }}
|
||||
|
||||
- name: Sign images
|
||||
if: github.event_name != 'pull_request'
|
||||
env:
|
||||
TAGS_MINIMAL: ${{ steps.tags.outputs.minimal }}
|
||||
TAGS_BUSYBOX: ${{ steps.tags.outputs.busybox }}
|
||||
TAGS_FULL: ${{ steps.tags.outputs.full }}
|
||||
run: |
|
||||
IFS=',' read -ra TAGS <<< "$TAGS_MINIMAL,$TAGS_BUSYBOX,$TAGS_FULL"
|
||||
for tag in "${TAGS[@]}"; do
|
||||
cosign sign --yes "$tag"
|
||||
done
|
||||
34
CHANGELOG
34
CHANGELOG
@ -1,11 +1,25 @@
|
||||
3proxy-0.9.6 Released April, 11 2026
|
||||
3proxy-0.9.7 Released July, 4 2026
|
||||
|
||||
+ ssl_client and multiple configuration options added to SSLPlugin, SSLPlugin code significantly improved and bugfixed. See https://github.com/3proxy/3proxy/wiki/SSLPlugin. 3proxy can now be used as stunnel replacement for many scenarios.
|
||||
+ HAProxy proxy protocol v1 support as client and server, add -H option for service to expect HA proxy v1 protocol header, use ha parent type: parent 1000 ha 0.0.0.0 0 to send v1 header.
|
||||
+ tlspr is supported in auto
|
||||
+ tlspr supports -s option, it breaks HELLO packet to prevent some DPIs from detecting SNI
|
||||
+ maxseg configuration option and TCP_MAXSEG socket flag support added. It sets maximum size of TCP segment to fix PathMTU discovery problems
|
||||
+ -Ne / -Ni options added to specify external / internal NAT address for SOCKSv5
|
||||
+ cmake environment added
|
||||
! External pcre2 (pcre2-8) library is used for PCRE, pcre code is removed from 3proxy
|
||||
! Multiple minor bugfixes
|
||||
+ PCRE2 and SSL/TLS code moved from plugins into main 3proxy binary; dynamic linking with ssl/pcre by default, STATIC/LIBSTATIC options for static linking
|
||||
+ Unix sockets support for parent proxies, tcppm, internal listeners and -i option; abstract (fileless) unix sockets on Linux
|
||||
+ ssl_client_mode = 3 to use 'secure' parent types: https, tcps, socks5s, connect+s, etc.
|
||||
+ New authcache types: cacheacl, dstaddr, dstport, dsthost, dstoper, srvaddr, srvport; authcache is now configurable per service
|
||||
+ Hashtables for password lists and authcache, faster password lookups
|
||||
+ 3proxy_crypt: new internal password hashing replacing mycrypt
|
||||
+ udppm switched to hashtables and supports multiple connections
|
||||
+ SOCKSv5 UDP parent support; -Ne/-Ni NAT options
|
||||
+ Docker images for more platforms, signed; DLLs signed; public cert added to build
|
||||
+ Grace sleep and linger on connection close; correctly process half-closed connections
|
||||
+ Allow setting internal/external network namespaces on Linux
|
||||
- icqpr/OSCAR code removed
|
||||
! Fix: invalid error in SSL server handshake could break service state
|
||||
! Fix: invalid offset in datafilters
|
||||
! Fix: invalid socket in poll() could break sockmap() on Windows
|
||||
! Fix: deadlock in ftppr
|
||||
! Fix: crash on standalone services
|
||||
! Fix: non-initialized mutex crash under Windows
|
||||
! Fix: socks v5 parent with no auth
|
||||
! Fix: hanging connections in sockmap; unneeded poll in sockmap
|
||||
! Fix: symbols collision with OpenSSL could lead to crash
|
||||
! Fix: compatibility with older SSL versions and older Windows (7 and below)
|
||||
! Multiple minor bugfixes and code cleanup
|
||||
|
||||
@ -1,11 +1,25 @@
|
||||
3proxy-0.9.6 Вышел 11 Апреля 2026
|
||||
3proxy-0.9.7 Вышел 4 Июля 2026
|
||||
|
||||
+ В SSLPlugin добавлены ssl_client и множество опций конфигурации, код SSLPlugin значительно улучшен и исправлен. См. https://github.com/3proxy/3proxy/wiki/SSLPlugin. 3proxy теперь может использоваться как замена stunnel во многих сценариях.
|
||||
+ Поддержка прокси-протокола HAProxy v1 на стороне клиента и сервера. Добавлена опция -H для сервиса, чтобы ожидать заголовок прокси-протокола HA v1. Используйте тип родителя ha: parent 1000 ha 0.0.0.0 0 для отправки заголовка v1.
|
||||
+ tlspr поддерживается в режиме auto
|
||||
+ tlspr поддерживает опцию -s, которая разбивает HELLO-пакет для предотвращения обнаружения SNI некоторыми DPI
|
||||
+ Добавлена опция конфигурации maxseg и поддержка флага сокета TCP_MAXSEG. Устанавливает максимальный размер TCP-сегмента для решения проблем с обнаружением PathMTU
|
||||
+ Добавлены опции -Ne / -Ni для указания внешнего/внутреннего NAT-адреса для SOCKSv5
|
||||
+ Добавлено окружение cmake
|
||||
! Внешняя библиотека pcre2 (pcre2-8) используется для PCRE, код pcre удалён из 3proxy
|
||||
! Множество мелких исправлений ошибок
|
||||
+ Код PCRE2 и SSL/TLS перенесён из плагинов в основной бинарный файл 3proxy; по умолчанию динамическое связывание с ssl/pcre, опции STATIC/LIBSTATIC для статического связывания
|
||||
+ Поддержка unix-сокетов для родительских прокси, tcppm, внутренних слушателей и опции -i; абстрактные (безфайловые) unix-сокеты в Linux
|
||||
+ ssl_client_mode = 3 для использования «безопасных» типов родителя: https, tcps, socks5s, connect+s и т.д.
|
||||
+ Новые типы authcache: cacheacl, dstaddr, dstport, dsthost, dstoper, srvaddr, srvport; authcache настраивается для каждого сервиса
|
||||
+ Хеш-таблицы для списков паролей и authcache, более быстрый поиск паролей
|
||||
+ 3proxy_crypt: новое внутреннее хеширование паролей, заменяющее mycrypt
|
||||
+ udppm переведён на хеш-таблицы и поддерживает множество соединений
|
||||
+ Поддержка UDP-родителя для SOCKSv5; опции NAT -Ne/-Ni
|
||||
+ Docker-образы для большего числа платформ, подписанные; подписанные DLL; публичный сертификат добавлен в сборку
|
||||
+ Grace sleep и linger при закрытии соединения; корректная обработка полузакрытых соединений
|
||||
+ Разрешено задавать внутренние/внешние сетевые пространства имён (network namespaces) в Linux
|
||||
- Код icqpr/OSCAR удалён
|
||||
! Исправление: некорректная ошибка в SSL server handshake могла ломать состояние сервиса
|
||||
! Исправление: некорректное смещение в datafilters
|
||||
! Исправление: некорректный сокет в poll() мог ломать sockmap() в Windows
|
||||
! Исправление: взаимоблокировка (deadlock) в ftppr
|
||||
! Исправление: падение на standalone-сервисах
|
||||
! Исправление: падение из-за неинициализированного mutex в Windows
|
||||
! Исправление: родитель socks v5 без аутентификации
|
||||
! Исправление: зависающие соединения в sockmap; лишний poll в sockmap
|
||||
! Исправление: конфликт символов с OpenSSL мог приводить к падению
|
||||
! Исправление: совместимость со старыми версиями SSL и старыми версиями Windows (7 и ниже)
|
||||
! Множество мелких исправлений и очистка кода
|
||||
|
||||
@ -661,16 +661,18 @@ foreach(PROXY_NAME proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
|
||||
endforeach()
|
||||
|
||||
# Install plugins
|
||||
file(GLOB PLUGINFILES "${PLUGIN_OUTPUT_DIR}/*${PLUGIN_SUFFIX}")
|
||||
# Use install(DIRECTORY ... FILES_MATCHING) so the glob resolves at install
|
||||
# time, after plugin targets have been built. A configure-time file(GLOB)
|
||||
# would run before any plugin exists and install nothing.
|
||||
if(WIN32)
|
||||
install(FILES
|
||||
${PLUGINFILES}
|
||||
install(DIRECTORY ${PLUGIN_OUTPUT_DIR}/
|
||||
DESTINATION ${CMAKE_INSTALL_BINDIR}
|
||||
FILES_MATCHING PATTERN "*${PLUGIN_SUFFIX}"
|
||||
)
|
||||
else()
|
||||
install(FILES
|
||||
${PLUGINFILES}
|
||||
install(DIRECTORY ${PLUGIN_OUTPUT_DIR}/
|
||||
DESTINATION ${CMAKE_INSTALL_LIBDIR}/3proxy
|
||||
FILES_MATCHING PATTERN "*${PLUGIN_SUFFIX}"
|
||||
)
|
||||
endif()
|
||||
|
||||
|
||||
@ -44,8 +44,7 @@ RUN cd /dist &&\
|
||||
ln -s /lib usr/lib64
|
||||
RUN cp /lib/ld-*.so.* /dist/usr/local/3proxy/libexec || true
|
||||
RUN cp /lib64/ld-*.so.* /dist/usr/local/3proxy/libexec || true
|
||||
RUN cp "/lib/`gcc -dumpmachine`"/libdl.so.* /dist/usr/local/3proxy/libexec &&\
|
||||
ls -lR /dist
|
||||
RUN cp "/lib/`gcc -dumpmachine`"/libdl.so.* /dist/usr/local/3proxy/libexec
|
||||
|
||||
FROM docker.io/busybox:glibc
|
||||
COPY --from=buildenv /dist /
|
||||
|
||||
@ -54,8 +54,7 @@ RUN cd /dist/usr/local/3proxy/ &&\
|
||||
RUN cd /dist/usr/local/3proxy/usr &&\
|
||||
ln -s ../libexec lib &&\
|
||||
ln -s ../libexec lib64 &&\
|
||||
strip /dist/usr/local/3proxy/libexec/*.so &&\
|
||||
ls -lR /dist
|
||||
strip /dist/usr/local/3proxy/libexec/*.so
|
||||
|
||||
FROM scratch
|
||||
COPY --from=buildenv /dist /
|
||||
|
||||
132
README.md
132
README.md
@ -2,27 +2,101 @@
|
||||
|
||||
(c) 2002-2026 by Vladimir '3APA3A' Dubrovin <vlad@3proxy.org>
|
||||
|
||||
## Branches
|
||||
## Repository
|
||||
|
||||
### Branches
|
||||
|
||||
- **Master** (stable) branch - 3proxy 0.9
|
||||
- **Devel** branch - 3proxy 10 (don't use it)
|
||||
|
||||
## Download
|
||||
### Binaries (deb / rpm / Windows zip)
|
||||
|
||||
Binaries and sources for released (master) versions (Windows, Linux):
|
||||
https://github.com/z3APA3A/3proxy/releases
|
||||
https://github.com/3proxy/3proxy/releases
|
||||
|
||||
### Docker images
|
||||
|
||||
Docker images:
|
||||
https://hub.docker.com/r/3proxy/3proxy
|
||||
https://github.com/3proxy/3proxy/pkgs/container/3proxy
|
||||
|
||||
### Archive of old versions
|
||||
|
||||
Archive of old versions:
|
||||
https://github.com/z3APA3A/3proxy-archive
|
||||
|
||||
## Documentation
|
||||
|
||||
### Documentation
|
||||
|
||||
Documentation (man pages and HTML) available with download, on https://3proxy.org/ and in github wiki https://github.com/3proxy/3proxy/wiki
|
||||
|
||||
## Windows Installation
|
||||
## Docker images
|
||||
|
||||
3 docker configurations are provided, default (full) also tagged as `:latest`, `:busybox` and `:minimal`, all refer to newest stable version. Except busybox, images are distroless and contain only binaries, you can not sh inside the container. `:busybox` contains busybox shell.
|
||||
|
||||
### Default image (`:latest`):
|
||||
|
||||
Full installation requires to mount /etc/3proxy/3proxy.cfg files.
|
||||
|
||||
For docker, config can be provided via `docker config`
|
||||
|
||||
```
|
||||
echo "log
|
||||
nserver 8.8.8.8
|
||||
nscache 65536
|
||||
proxy -p3129" | docker config create 3proxy
|
||||
docker run --read-only -p 3129:3129 --config source=3proxy,target=/etc/3proxy/3proxy.cfg --name 3proxy.full docker.io/3proxy/3proxy
|
||||
```
|
||||
|
||||
`podman` does not support `config` as above.
|
||||
Mounts may be used as config alternative. `podman` used in example below can be replaced with `docker`:
|
||||
|
||||
```
|
||||
echo "log
|
||||
nserver 8.8.8.8
|
||||
nscache 65536
|
||||
proxy -p3129" >/path/to/local/config/directory/3proxy.cfg
|
||||
podman run --read-only -p 3129:3129 -v /path/to/local/config/directory/3proxy.cfg:/etc/3proxy/3proxy.cfg --name 3proxy.full 3proxy.full
|
||||
```
|
||||
|
||||
|
||||
use `log` without pathname in config to log to stdout.
|
||||
plugins are located in /usr/local/3proxy/libexec (/libexec for chroot config) and since 0.9.6 symlinked by /lib and /lib64 in both chroot and non-chroot configurations, so no full path is required in `plugin` command. Use e.g. `plugin SSLPlugin.ls.so ssl_plugin`. SSLPlugin is supported since 0.9.6. Some proxy types (e.g. SOCKSv5 UDPASSCOC, SOCKSv5 BIND functionality, ftp proxy) require access to ephemeral port, you may use e.g. -`-network host` mode or `-P` for `docker run`.
|
||||
|
||||
since 0.9.6 images are distroless (except :busybox) it's recommended to use with read only file system, there are no benefits from chroot. For compatibility, you still can use chroot installation by mounting directory with 3proxy.cfg to /usr/local/3proxy/config.
|
||||
|
||||
### Busybox image (`:busybox`):
|
||||
|
||||
`full` with busybox added, to allow `sh` and few more commands like `sed` inside container. All libraries are in /lib, so chroot configuration can not use plugins.
|
||||
|
||||
### Interactive `:minimal` image:
|
||||
|
||||
Dockerfile for "interactive" minimal 3proxy execution, no configuration mounting is required, configuration
|
||||
is accepted from stdin. Use `end` command to indicate the end of configuration. Use `log` for stdout logging.
|
||||
|
||||
|
||||
`plugin` is not supported, `nserver` or `fakeresolve` are mandatory, because system resolver is not supported, no support for RADIUS and IPv6.
|
||||
|
||||
Run example:
|
||||
|
||||
`docker run --read-only -i -p 3129:3129 --name 3proxy docker.io/3proxy/3proxy:minimal`
|
||||
or
|
||||
`docker start -ai 3proxy` to start existing container
|
||||
|
||||
send this to standard input (example):
|
||||
```
|
||||
nserver 8.8.8.8
|
||||
nscache 65535
|
||||
log
|
||||
proxy -p3129
|
||||
end
|
||||
```
|
||||
`nserver` is required for DNS resolutions.
|
||||
|
||||
Some proxy types (e.g. SOCKSv5 UDPASSCOC, SOCKSv5 BIND functionality, ftp proxy) require access to ephemeral port, you may use e.g. `--network host` mode or `-P` to `docker run`.
|
||||
|
||||
`:minimal` without version specified uses current stable version.
|
||||
|
||||
## Building and installation
|
||||
|
||||
### Windows Installation
|
||||
|
||||
Install and start proxy as Windows service:
|
||||
|
||||
@ -38,9 +112,9 @@ Remove the service (should be stopped before via `net stop 3proxy`):
|
||||
3proxy --remove
|
||||
```
|
||||
|
||||
## Building on Linux
|
||||
### Building and installation on Linux
|
||||
|
||||
### With Makefile
|
||||
#### With Makefile
|
||||
|
||||
```bash
|
||||
git clone https://github.com/z3apa3a/3proxy
|
||||
@ -50,9 +124,9 @@ make
|
||||
sudo make install
|
||||
```
|
||||
|
||||
### Default Configuration (Linux/Unix)
|
||||
#### Default Configuration (for Makefile.Linux installation)
|
||||
|
||||
3proxy uses 2 configuration files:
|
||||
3proxy uses 2 configuration files in :
|
||||
- `/etc/3proxy/3proxy.cfg` (before-chroot) - This configuration file is executed before chroot and should not be modified.
|
||||
- `/usr/local/3proxy/conf/3proxy.cfg` symlinked from `/etc/3proxy/conf/3proxy.cfg` (after-chroot) - Main configuration file. Modify this file if required.
|
||||
|
||||
@ -62,12 +136,12 @@ Log files are created in `/usr/local/3proxy/logs` symlinked from `/var/log/3prox
|
||||
|
||||
By default, socks is started on 0.0.0.0:1080 and proxy on 0.0.0.0:3128 with basic auth, no users are added by default.
|
||||
|
||||
### Adding Users
|
||||
#### Adding Users
|
||||
|
||||
Use `/etc/3proxy/conf/add3proxyuser.sh` script to add users:
|
||||
Use `add3proxyuser` script to add users:
|
||||
|
||||
```bash
|
||||
/etc/3proxy/conf/add3proxyuser.sh username password [day_limit] [bandwidth]
|
||||
add3proxyuser username password [day_limit] [bandwidth]
|
||||
```
|
||||
|
||||
Parameters:
|
||||
@ -76,7 +150,7 @@ Parameters:
|
||||
|
||||
Or modify `/etc/3proxy/conf/` files directly.
|
||||
|
||||
### With CMake
|
||||
#### With CMake
|
||||
|
||||
```bash
|
||||
git clone https://github.com/z3apa3a/3proxy
|
||||
@ -89,9 +163,9 @@ sudo cmake --install .
|
||||
|
||||
CMake does not use chroot configuration, config file is `/etc/3proxy/3proxy.cfg`
|
||||
|
||||
## MacOS X / FreeBSD / *BSD
|
||||
### MacOS X / FreeBSD / *BSD
|
||||
|
||||
### With Makefile
|
||||
#### With Makefile
|
||||
|
||||
```bash
|
||||
git clone https://github.com/z3apa3a/3proxy
|
||||
@ -102,7 +176,7 @@ make
|
||||
|
||||
Binaries are in `bin/` directory.
|
||||
|
||||
### With CMake (recommended)
|
||||
#### With CMake (recommended)
|
||||
|
||||
```bash
|
||||
git clone https://github.com/z3apa3a/3proxy
|
||||
@ -120,7 +194,7 @@ This installs:
|
||||
- rc scripts to `rc.d` for BSD
|
||||
- launchd plist to `/Library/LaunchDaemons/` for MacOS
|
||||
|
||||
### Service Management on macOS
|
||||
#### Service Management on macOS
|
||||
|
||||
```bash
|
||||
# Load and start service
|
||||
@ -136,6 +210,8 @@ sudo launchctl start org.3proxy.3proxy
|
||||
sudo launchctl unload /Library/LaunchDaemons/org.3proxy.3proxy.plist
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Features
|
||||
|
||||
### 1. General
|
||||
@ -258,32 +334,32 @@ sudo launchctl unload /Library/LaunchDaemons/org.3proxy.3proxy.plist
|
||||
### 3proxy
|
||||
Combined proxy server may be used as executable or service (supports installation and removal). It uses config file to read its configuration (see `3proxy.cfg.sample` for details). `3proxy.exe` is all-in-one, it doesn't require all others .exe to work. See `3proxy.cfg.sample` for examples, see `man 3proxy.cfg`
|
||||
|
||||
### proxy
|
||||
### 3proxy_proxy
|
||||
HTTP proxy server, binds to port 3128
|
||||
|
||||
### ftppr
|
||||
### 3proxy_ftppr
|
||||
FTP proxy server, binds to port 21. Please do not mess it with FTP over HTTP proxy used in browsers
|
||||
|
||||
### socks
|
||||
### 3proxy_socks
|
||||
SOCKS 4/5 proxy server, binds to port 1080
|
||||
|
||||
### pop3p
|
||||
### 3proxy_pop3p
|
||||
POP3 proxy server, binds to port 110. You must specify POP3 username as `username@popserver[:port]` (port is 110 by default).
|
||||
|
||||
Example: in Username configuration for your e-mail reader set `someuser@pop.somehost.ru`, to obtain mail for someuser from pop.somehost.ru via proxy.
|
||||
|
||||
### smtpp
|
||||
### 3proxy_smtpp
|
||||
SMTP proxy server, binds to port 25. You must specify SMTP username as `username@smtpserver[:port]` (port is 25 by default).
|
||||
|
||||
Example: in Username configuration for your e-mail reader set `someuser@mail.somehost.ru`, to send mail as someuser via mail.somehost.ru via proxy.
|
||||
|
||||
### tcppm
|
||||
### 3proxy_tcppm
|
||||
TCP port mapping. Maps some TCP port on local machine to TCP port on remote host.
|
||||
|
||||
### tlspr
|
||||
### 3proxy_tlspr
|
||||
TLS proxy (SNI proxy) - sniffs hostname from TLS handshake
|
||||
|
||||
### udppm
|
||||
### 3proxy_udppm
|
||||
UDP port mapping. Maps some UDP port on local machine to UDP port on remote machine. Only one user simultaneously can use UDP mapping, so it can't be used for public service in large networks. It's OK to use it to map to DNS server in small network or to map Counter-Strike server for single client (you can use few mappings on different ports for different clients in last case).
|
||||
|
||||
### 3proxy_crypt
|
||||
|
||||
6
debian/changelog
vendored
6
debian/changelog
vendored
@ -1,3 +1,9 @@
|
||||
3proxy (0.9.7-1) buster; urgency=medium
|
||||
|
||||
*3proxy 0.9.7 initial build
|
||||
|
||||
-- z3APA3A <3apa3a@3proxy.org> Sat, 04 Jul 2026 11:55:03 +0300
|
||||
|
||||
3proxy (0.9.6-1) buster; urgency=medium
|
||||
|
||||
*3proxy 0.9.6 initial build
|
||||
|
||||
4
debian/postinst
vendored
4
debian/postinst
vendored
@ -1,6 +1,6 @@
|
||||
[ -f /bin/add3proxyuser ] && sed -i -e 's|@CMAKE_INSTALL_FULL_BINDIR@|/bin|g' -e 's|@3PROXY_CONFDIR@|/etc/3proxy/conf|g' -e 's|@CRYPT_PREFIX@|3proxy_|g' /bin/add3proxyuser; \
|
||||
[ -f /etc/init.d/3proxy ] && sed -i -e 's|@CMAKE_INSTALL_FULL_BINDIR@|/bin|g' -e 's|@CMAKE_INSTALL_FULL_SYSCONFDIR@|/etc|g' /etc/init.d/3proxy; \
|
||||
[ -f /usr/lib/systemd/system/3proxy.service ] && sed -i -e 's|@CMAKE_INSTALL_FULL_BINDIR@|/bin|g' -e 's|@CMAKE_INSTALL_FULL_SYSCONFDIR@|/etc|g' /usr/lib/systemd/system/3proxy.service; \
|
||||
[ -f /etc/init.d/3proxy ] && sed -i -e 's|@CMAKE_INSTALL_FULL_BINDIR@|/bin|g' -e 's|@CMAKE_INSTALL_FULL_SYSCONFDIR@|/etc|g' -e 's|USER=proxy|USER=root|g' /etc/init.d/3proxy; \
|
||||
[ -f /usr/lib/systemd/system/3proxy.service ] && sed -i -e 's|@CMAKE_INSTALL_FULL_BINDIR@|/bin|g' -e 's|@CMAKE_INSTALL_FULL_SYSCONFDIR@|/etc|g' -e 's|User=proxy|User=root|g' /usr/lib/systemd/system/3proxy.service; \
|
||||
|
||||
if [ -d /etc/3proxy ]; then \
|
||||
chmod -R o-rwx /etc/3proxy; \
|
||||
|
||||
23
doc/changelog/0/9/7
Normal file
23
doc/changelog/0/9/7
Normal file
@ -0,0 +1,23 @@
|
||||
+ PCRE2 and SSL/TLS code moved from plugins into main 3proxy binary; dynamic linking with ssl/pcre by default, STATIC/LIBSTATIC options for static linking
|
||||
+ Unix sockets support for parent proxies, tcppm, internal listeners and -i option; abstract (fileless) unix sockets on Linux
|
||||
+ ssl_client_mode = 3 to use 'secure' parent types: https, tcps, socks5s, connect+s, etc.
|
||||
+ New authcache types: cacheacl, dstaddr, dstport, dsthost, dstoper, srvaddr, srvport; authcache is now configurable per service
|
||||
+ Hashtables for password lists and authcache, faster password lookups
|
||||
+ 3proxy_crypt: new internal password hashing replacing mycrypt
|
||||
+ udppm switched to hashtables and supports multiple connections
|
||||
+ SOCKSv5 UDP parent support; -Ne/-Ni NAT options
|
||||
+ Docker images for more platforms, signed; DLLs signed; public cert added to build
|
||||
+ Grace sleep and linger on connection close; correctly process half-closed connections
|
||||
+ Allow setting internal/external network namespaces on Linux
|
||||
- icqpr/OSCAR code removed
|
||||
! Fix: invalid error in SSL server handshake could break service state
|
||||
! Fix: invalid offset in datafilters
|
||||
! Fix: invalid socket in poll() could break sockmap() on Windows
|
||||
! Fix: deadlock in ftppr
|
||||
! Fix: crash on standalone services
|
||||
! Fix: non-initialized mutex crash under Windows
|
||||
! Fix: socks v5 parent with no auth
|
||||
! Fix: hanging connections in sockmap; unneeded poll in sockmap
|
||||
! Fix: symbols collision with OpenSSL could lead to crash
|
||||
! Fix: compatibility with older SSL versions and older Windows (7 and below)
|
||||
! Multiple minor bugfixes and code cleanup
|
||||
@ -552,8 +552,7 @@ username ignored. <br>
|
||||
Appropriate for most cases <b><br>
|
||||
useronly</b> - authentication by username without checking
|
||||
for any password with authorization by ACLs. Useful for e.g.
|
||||
SOCKSv4 proxy and icqpr (icqpr set UIN / AOL screen name as
|
||||
a username) <b><br>
|
||||
SOCKSv4 proxy. <b><br>
|
||||
dnsname</b> - authentication by DNS hostname with
|
||||
authorization by ACLs. The DNS hostname is resolved via a
|
||||
PTR (reverse) record and validated (the resolved name must
|
||||
@ -564,6 +563,12 @@ strong</b> - username/password authentication required. It
|
||||
will work with SOCKSv5, FTP, POP3 and HTTP proxy. <b><br>
|
||||
cache</b> - cached authentication, may be used with
|
||||
´authcache´. <b><br>
|
||||
cacheacl</b> - cached authentication, same as <b>cache</b>
|
||||
but the ACL authorization result is also cached and not
|
||||
re-evaluated on each request. Faster than <b>cache</b>, but
|
||||
ACL changes do not take effect for cached users until the
|
||||
cache entry expires. Use <b>cache</b> if ACLs may change
|
||||
during the cache lifetime. <b><br>
|
||||
radius</b> - authentication with RADIUS. <br>
|
||||
Plugins may add additional authentication types.</p>
|
||||
|
||||
@ -598,10 +603,20 @@ user,password</b> - both username and password are checked
|
||||
against cached ones. <b><br>
|
||||
limit</b> - limit user to use only one ip, ´ip´
|
||||
and ´user´ are required <b><br>
|
||||
ack</b> - only use cached auth if user access service with
|
||||
acl</b> - only use cached auth if user access service with
|
||||
same ACL <b><br>
|
||||
ext</b> - cache external IP <br>
|
||||
Use auth type <b>cache</b> for cached authentication</p>
|
||||
ext</b> - cache external IP <b><br>
|
||||
dstaddr</b> - cache by destination IP address <b><br>
|
||||
dstport</b> - cache by destination port <b><br>
|
||||
dsthost</b> - cache by destination hostname <b><br>
|
||||
dstoper</b> - cache by destination operation (e.g. HTTP
|
||||
method) <b><br>
|
||||
srvaddr</b> - cache by service (listener) address <b><br>
|
||||
srvport</b> - cache by service (listener) port <br>
|
||||
Multiple types can be combined (e.g.
|
||||
<b>ip,user,dstaddr,dstport</b>). <br>
|
||||
Use auth type <b>cache</b> (or <b>cacheacl</b>) for cached
|
||||
authentication</p>
|
||||
|
||||
<p style="margin-left:6%; margin-top: 1em"><b>allow</b>
|
||||
<i><userlist> <sourcelist> <targetlist>
|
||||
@ -746,8 +761,14 @@ ha</b> send HAProxy PROXY protocol v1 header to parent
|
||||
proxy. Must be the last in the proxy chain. Useful for
|
||||
passing client IP information to the parent proxy. Example:
|
||||
parent 1000 ha <br>
|
||||
Use "+" proxy only with <b>fakeresolve</b>
|
||||
option</p>
|
||||
Use "+" proxy only with <b>fakeresolve</b> option
|
||||
<br>
|
||||
Any parent type above can be suffixed with <b>s</b> (e.g.
|
||||
<b>https</b>, <b>tcps</b>, <b>socks5s</b>, <b>connect+s</b>)
|
||||
to establish a TLS-encrypted connection to the parent proxy.
|
||||
Requires SSL/TLS support (WITH_SSL) and is used with
|
||||
<b>ssl_client_mode 3</b>, which only handshakes TLS for
|
||||
<b>s</b>-suffixed parents.</p>
|
||||
|
||||
<p style="margin-left:6%; margin-top: 1em">IP and port are
|
||||
ip addres and port of parent proxy server. If IP is zero, ip
|
||||
@ -946,12 +967,16 @@ The rest of parameters is identical to
|
||||
pwtype is one of: <br>
|
||||
none (empty) - use system authentication <b><br>
|
||||
CL</b> - password is cleartext <b><br>
|
||||
CR</b> - password is crypt-style password <b><br>
|
||||
CR</b> - password is crypt-style password. <b>$1$</b> prefix
|
||||
uses MD5-crypt (requires OpenSSL), <b>$3$</b> prefix uses
|
||||
BLAKE2b-crypt (always available, see <b>3proxy_crypt</b>(8))
|
||||
<b><br>
|
||||
NT</b> - password is NT password (in hex) <br>
|
||||
example: <br>
|
||||
users test1:CL:password1
|
||||
"test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49." <br>
|
||||
users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63 <br>
|
||||
users "test4:CR:$3$salt$G47yV9w...." <br>
|
||||
Note: double quotes are required because the password
|
||||
contains a $ sign.</p>
|
||||
|
||||
@ -1268,8 +1293,8 @@ to <b>3proxy@3proxy.org</b></p>
|
||||
|
||||
|
||||
<p style="margin-left:6%; margin-top: 1em">3proxy(8),
|
||||
proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8),
|
||||
syslogd(8), <br>
|
||||
3proxy_crypt(8), proxy(8), ftppr(8), socks(8), pop3p(8),
|
||||
smtpp(8), tlspr(8), tcppm(8), udppm(8), syslogd(8), <br>
|
||||
https://3proxy.org/</p>
|
||||
|
||||
<h2>AUTHORS
|
||||
|
||||
@ -232,6 +232,20 @@ with TLS 1.3)</p></td></tr>
|
||||
<td width="4%">
|
||||
|
||||
|
||||
<p style="margin-top: 1em"><b>-s</b></p></td>
|
||||
<td width="5%"></td>
|
||||
<td width="85%">
|
||||
|
||||
|
||||
<p style="margin-top: 1em">Split the TLS Client HELLO
|
||||
packet across multiple TCP segments to make SNI-based DPI
|
||||
detection harder. An optional numeric value can follow (e.g.
|
||||
<b>-s1</b>) to control the splitting behaviour.</p></td></tr>
|
||||
<tr valign="top" align="left">
|
||||
<td width="6%"></td>
|
||||
<td width="4%">
|
||||
|
||||
|
||||
<p style="margin-top: 1em"><b>-l</b></p></td>
|
||||
<td width="5%"></td>
|
||||
<td width="85%">
|
||||
|
||||
@ -1,90 +0,0 @@
|
||||
<h3>3proxy PCRE (Perl Compatible Regular Expressions) Filtering</h3>
|
||||
|
||||
<p><b>Note:</b> Since version 0.9.7, PCRE filtering is built into 3proxy and does not require
|
||||
a separate plugin. All pcre_* commands are available directly when 3proxy is compiled with
|
||||
PCRE2 support (WITH_PCRE). The plugin line is no longer needed.</p>
|
||||
|
||||
<p>This filtering functionality can be used to create matching and replacement
|
||||
rules with regular expressions for client requests, client and
|
||||
server headers, and client and server data. It adds 3 additional
|
||||
configuration commands:</p>
|
||||
|
||||
<pre>
|
||||
pcre TYPE FILTER_ACTION REGEXP [ACE]
|
||||
pcre_rewrite TYPE FILTER_ACTION REGEXP REWRITE_EXPRESSION [ACE]
|
||||
pcre_extend FILTER_ACTION [ACE]
|
||||
pcre_options OPTION1 [...]
|
||||
</pre>
|
||||
pcre - allows applying a rule for matching
|
||||
<br>pcre_rewrite - in addition to 'pcre', allows substituting substrings
|
||||
<br>pcre_extend - extends the ACL of the last pcre or pcre_rewrite command by
|
||||
adding an additional ACE (like with allow/deny configuration commands).
|
||||
<br>pcre_options - allows setting matching options. Available options are:
|
||||
PCRE_CASELESS,
|
||||
PCRE_MULTILINE,
|
||||
PCRE_DOTALL,
|
||||
PCRE_EXTENDED,
|
||||
PCRE_ANCHORED,
|
||||
PCRE_DOLLAR_ENDONLY,
|
||||
PCRE_EXTRA,
|
||||
PCRE_NOTBOL,
|
||||
PCRE_NOTEOL,
|
||||
PCRE_UNGREEDY,
|
||||
PCRE_NOTEMPTY,
|
||||
PCRE_UTF8,
|
||||
PCRE_NO_AUTO_CAPTURE,
|
||||
PCRE_NO_UTF8_CHECK,
|
||||
PCRE_AUTO_CALLOUT,
|
||||
PCRE_PARTIAL,
|
||||
PCRE_DFA_SHORTEST,
|
||||
PCRE_DFA_RESTART,
|
||||
PCRE_FIRSTLINE,
|
||||
PCRE_DUPNAMES,
|
||||
PCRE_NEWLINE_CR,
|
||||
PCRE_NEWLINE_LF,
|
||||
PCRE_NEWLINE_CRLF,
|
||||
PCRE_NEWLINE_ANY,
|
||||
PCRE_NEWLINE_ANYCRLF,
|
||||
PCRE_BSR_ANYCRLF,
|
||||
PCRE_BSR_UNICODE
|
||||
|
||||
<ul>
|
||||
<li>TYPE - type of filtered data. May contain one or more
|
||||
(comma-delimited list) values:
|
||||
<ul>
|
||||
<li>request - content of the client's request, e.g., the HTTP GET request string.
|
||||
(known problem: changing the request string doesn't change the IP of the host to connect to)
|
||||
<li>cliheader - content of the client request headers, e.g., HTTP request headers.
|
||||
<li>srvheader - content of the server's reply headers, e.g., HTTP status and headers.
|
||||
<li>clidata - data received from the client, e.g., HTTP POST request data
|
||||
<li>srvdata - data received from the server, e.g., an HTML page
|
||||
</ul>
|
||||
<li>FILTER_ACTION - action on match
|
||||
<ul><li>allow - allow this request without checking the rest of the rules for the given type
|
||||
<li>deny - deny this request without checking the rest of the rules
|
||||
<li>dunno - continue with the rest of the rules (useful with pcre_rewrite)
|
||||
</ul>
|
||||
<li>REGEXP - PCRE (Perl) regular expression. Use * if no regexp matching
|
||||
is required.
|
||||
<li>REWRITE_EXPRESSION - substitution string. May contain Perl-style
|
||||
substrings
|
||||
(not tested) $1, $2. $0 means the whole matched string. \r and \n may be used
|
||||
to insert new strings; the string may be empty ("").
|
||||
<li>ACE - access control entry (user names, source IPs, destination IPs,
|
||||
ports, etc.), absolutely identical to allow/deny/bandlimin commands.
|
||||
The regular expression is only matched if the ACL matches the connection data.
|
||||
Warning:
|
||||
Regular expressions don't require authentication and cannot replace
|
||||
authentication and/or allow/deny ACLs.
|
||||
</ul>
|
||||
|
||||
|
||||
<h4>Example:</h4>
|
||||
<pre>
|
||||
pcre request deny "porn|sex" user1,user2,user3 192.168.0.0/16
|
||||
pcre srvheader deny "Content-type: application"
|
||||
pcre_rewrite clidata,srvdata dunno "porn|sex|pussy" "***" baduser
|
||||
pcre_extend deny * 192.168.0.1/16
|
||||
</pre>
|
||||
|
||||
© Vladimir Dubrovin, License: BSD style
|
||||
@ -1,89 +0,0 @@
|
||||
<h3>Фильтрация PCRE (Perl Compatible Regular Expressions) в 3proxy</h3>
|
||||
|
||||
<p><b>Примечание:</b> Начиная с версии 0.9.7 фильтрация PCRE встроена в 3proxy и не требует
|
||||
отдельного плагина. Все команды pcre_* доступны напрямую при компиляции 3proxy с поддержкой
|
||||
PCRE2 (WITH_PCRE). Строка plugin больше не нужна.</p>
|
||||
|
||||
<p>Фильтрующий плагин используется для создания правил поиска и замены
|
||||
регулярных выражений в запросе, заголовков запроса и ответа и данных.
|
||||
Добавляет поддержку 3х новых команд в файле конфигурации:</p>
|
||||
|
||||
<pre>
|
||||
pcre TYPE FILTER_ACTION REGEXP [ACE]
|
||||
pcre_rewrite TYPE FILTER_ACTION REGEXP REWRITE_EXPRESSION [ACE]
|
||||
pcre_extend FILTER_ACTION [ACE]
|
||||
pcre_options OPTION1 [...]
|
||||
</pre>
|
||||
pcre - позволяет искать совпадения
|
||||
<br>pcre_rewrite - дополнительно позволяет производить замену подстрок
|
||||
<br>pcre_extend - расширяет ACL последней команды pcre или pcre_rewrite путем
|
||||
добавления еще одной ACE (аналогично списку правил allow/deny).
|
||||
<br>pcre_options - позволяет устанавливать опции поиска, доступны следующие опции:
|
||||
PCRE_CASELESS,
|
||||
PCRE_MULTILINE,
|
||||
PCRE_DOTALL,
|
||||
PCRE_EXTENDED,
|
||||
PCRE_ANCHORED,
|
||||
PCRE_DOLLAR_ENDONLY,
|
||||
PCRE_EXTRA,
|
||||
PCRE_NOTBOL,
|
||||
PCRE_NOTEOL,
|
||||
PCRE_UNGREEDY,
|
||||
PCRE_NOTEMPTY,
|
||||
PCRE_UTF8,
|
||||
PCRE_NO_AUTO_CAPTURE,
|
||||
PCRE_NO_UTF8_CHECK,
|
||||
PCRE_AUTO_CALLOUT,
|
||||
PCRE_PARTIAL,
|
||||
PCRE_DFA_SHORTEST,
|
||||
PCRE_DFA_RESTART,
|
||||
PCRE_FIRSTLINE,
|
||||
PCRE_DUPNAMES,
|
||||
PCRE_NEWLINE_CR,
|
||||
PCRE_NEWLINE_LF,
|
||||
PCRE_NEWLINE_CRLF,
|
||||
PCRE_NEWLINE_ANY,
|
||||
PCRE_NEWLINE_ANYCRLF,
|
||||
PCRE_BSR_ANYCRLF,
|
||||
PCRE_BSR_UNICODE
|
||||
|
||||
|
||||
<ul>
|
||||
<li>TYPE - тип фильтруемых данных. Может содержать одно или
|
||||
несколько (список через запятую) значений:
|
||||
<ul>
|
||||
<li>request - содержимое запроса клиента (например строка HTTP GET-запроса).
|
||||
(в настоящий момент изменение запроса не приводит к изменению адреса запрашиваемого хоста)
|
||||
<li>cliheader - содержимое заголовков запроса клиента, например заголовки HTTP
|
||||
<li>srvheader - содержимое заголовков ответа сервера, например заголовки HTTP
|
||||
<li>clidata - данные полученные от клиента, например данные POST-запроса
|
||||
<li>srvdata - данные полученные от сервера, например содержимое HTML-страницы
|
||||
</ul>
|
||||
<li>FILTER_ACTION - действие при совпадении. Может принимать значение
|
||||
<ul><li>allow - разрешить данный запрос без просмотра дальнейших правил
|
||||
<li>deny - запретить данный запрос без просмотра дальнейших правил
|
||||
<li>dunno - продолжить анализ правил (полезно для pcre_rewrite)
|
||||
</ul>
|
||||
<li>REGEXP - регулярное выражение в формате PCRE (perl). Используйте * если не
|
||||
требуется проерка регулярного выражения.
|
||||
<li>REWRITE_EXPRESSION - строка замены. Может содержать макроподстановки
|
||||
(не тестировалось) $1, $2 и т.д. аналогично perl. $0 - полная найденная
|
||||
подстрока. В строке замены можно использовать сочетания \r, \n для вставки
|
||||
новых строк. Строка может быть пустой ("").
|
||||
<li>ACE - Список контроля доступа (имя пользователя, IP источника, IP назначения, порт и т.д.),
|
||||
полностью аналогичный ACE в командах allow, deny, bandlimin и т.п. Регулярное
|
||||
выражение проверяется только при совпадении ACE с запросом. ВНИМАНИЕ:
|
||||
использование регулярных выражений не требует авторизации и не заменяет ее.
|
||||
Авторизацию необходимо конфигурировать отдельно.
|
||||
</ul>
|
||||
|
||||
|
||||
<h4>Пример:</h4>
|
||||
<pre>
|
||||
pcre request deny "porn|sex" user1,user2,user3 192.168.0.0/16
|
||||
pcre srvheader deny "Content-type: application"
|
||||
pcre_rewrite clidata,srvdata dunno "porn|sex|pussy" "***" baduser
|
||||
pcre_extend deny * 192.168.0.1/16
|
||||
</pre>
|
||||
|
||||
© Vladimir Dubrovin, License: BSD style
|
||||
@ -1,124 +0,0 @@
|
||||
<h3>3proxy SSL/TLS Support</h3>
|
||||
|
||||
<p><b>Note:</b> Since version 0.9.7, SSL/TLS support is built into 3proxy and does not require
|
||||
a separate plugin. All ssl_* commands are available directly when 3proxy is compiled with
|
||||
OpenSSL support (WITH_SSL). The plugin line is no longer needed.</p>
|
||||
|
||||
<p>SSL/TLS support can be used to transparently decrypt SSL/TLS data, provide TLS encryption
|
||||
for proxy traffic, and authenticate using client certificates.</p>
|
||||
|
||||
<h4>For transparent certificate spoofing (MITM):</h4>
|
||||
|
||||
<br>ssl_mitm - spoof certificates for services started below. Usage without ssl_client_verify is insecure.
|
||||
<br>ssl_nomitm - do not spoof certificates for services started below
|
||||
|
||||
<h4>To protect traffic to the server (https:// proxy):</h4>
|
||||
|
||||
ssl_serv (or ssl_server) - require TLS connection from clients for services below
|
||||
<br>ssl_noserv (or ssl_noserver) - do not require TLS connection from clients for services below
|
||||
|
||||
<h4>To use TLS for upstream connections:</h4>
|
||||
|
||||
ssl_cli (or ssl_client) - establish TLS connection to upstream server for services below
|
||||
<br>ssl_nocli (or ssl_noclient) - do not establish TLS connection to upstream server for services below
|
||||
|
||||
<h4>Parameters:</h4>
|
||||
|
||||
<br><b>ssl_server_cert</b> /path/to/cert - Server certificate (should not be self-signed and must contain an Alternative Name) for ssl_serv
|
||||
<br><b>ssl_server_key</b> /path/to/key - Server certificate key for ssl_server_cert or generated MITM certificate
|
||||
<br><b>ssl_client_cert</b> /path/to/cert - Client certificate for authentication on upstream server (used with ssl_cli)
|
||||
<br><b>ssl_client_key</b> /path/to/key - Client certificate key for ssl_client_cert
|
||||
<br><b>ssl_client_ciphersuites</b> ciphersuites_list - TLS client ciphers for TLS 1.3, e.g., ssl_client_ciphersuites TLS_AES_128_GCM_SHA256
|
||||
<br><b>ssl_server_ciphersuites</b> ciphersuites_list - TLS server ciphers for TLS 1.3
|
||||
<br><b>ssl_client_cipher_list</b> ciphers_list - TLS client ciphers for TLS 1.2 and below, e.g., ssl_client_cipher_list ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
|
||||
<br><b>ssl_server_cipher_list</b> ciphers_list - TLS server ciphers for TLS 1.2 and below
|
||||
<br><b>ssl_client_min_proto_version</b> tls_version - TLS client minimum TLS version (e.g., TLSv1.2)
|
||||
<br><b>ssl_server_min_proto_version</b> tls_version - TLS server minimum TLS version (e.g., TLSv1.2)
|
||||
<br><b>ssl_client_max_proto_version</b> tls_version - TLS client maximum TLS version (e.g., TLSv1.2)
|
||||
<br><b>ssl_server_max_proto_version</b> tls_version - TLS server maximum TLS version (e.g., TLSv1.2)
|
||||
<br><b>ssl_client_verify</b> - verify the certificate for the upstream server in TLS client functionality (used with ssl_mitm or ssl_cli)
|
||||
<br><b>ssl_client_no_verify</b> - do not verify the certificate for the upstream server in TLS client functionality (default)
|
||||
<br><b>ssl_server_verify</b> - require client certificate authentication (mTLS) for ssl_serv
|
||||
<br><b>ssl_server_no_verify</b> - do not require client certificate (default)
|
||||
<br><b>ssl_server_ca_file</b> /path/to/cafile - CA certificate file for MITM
|
||||
<br><b>ssl_server_ca_key</b> /path/to/cakey - key for ssl_server_ca_file MITM CA
|
||||
<br><b>ssl_server_ca_dir</b> /path/to/cadir - CA directory for ssl_server_verify
|
||||
<br><b>ssl_server_ca_store</b> /path/to/castore - CA store for ssl_server_verify (OpenSSL 3.0+)
|
||||
<br><b>ssl_client_ca_file</b> /path/to/cafile - CA file for ssl_client_verify
|
||||
<br><b>ssl_client_ca_dir</b> /path/to/cadir - CA directory for ssl_client_verify
|
||||
<br><b>ssl_client_ca_store</b> /path/to/castore - CA store for ssl_client_verify (OpenSSL 3.0+)
|
||||
<br><b>ssl_client_sni</b> hostname - SNI hostname to send to upstream server (overrides the requested hostname)
|
||||
<br><b>ssl_client_alpn</b> protocol1 protocol2 ... - ALPN protocols to negotiate with upstream server (e.g., ssl_client_alpn h2 http/1.1)
|
||||
<br><b>ssl_client_mode</b> mode - when to establish TLS connection: 0 - on connect (default), 1 - after authentication, 2 - before data, 3 - only for secure parent types (ending with 's')
|
||||
<br><b>ssl_certcache</b> /path/to/cache/ - location for the generated MITM certificates cache, optional if ssl_server_ca_file / ssl_server_ca_key are configured.
|
||||
The cache may contain 3 files: 3proxy.pem - public
|
||||
self-signed certificates (used if ssl_server_ca_file is not configured),
|
||||
3proxy.key - key for public certificates, used if ssl_server_ca_key is not configured, server.key - this key is used if ssl_server_key is not configured to generate
|
||||
spoofed certificates. If server.key is absent, 3proxy.key is used to generate certificates.
|
||||
Generated certificates are placed in the same path.
|
||||
|
||||
|
||||
<h4>MITM example:</h4>
|
||||
<pre>
|
||||
ssl_server_ca_file /path/to/cafile
|
||||
ssl_server_ca_key /path/to/cakey
|
||||
ssl_mitm
|
||||
proxy -p3128
|
||||
ssl_nomitm
|
||||
proxy -p3129
|
||||
</pre>
|
||||
MITM's traffic with a spoofed certificate for the port 3128 proxy.
|
||||
|
||||
<h4>https:// proxy example:</h4>
|
||||
<pre>
|
||||
ssl_server_cert path_to_cert
|
||||
ssl_server_key path_to_key
|
||||
ssl_serv
|
||||
proxy -p33128
|
||||
ssl_noserv
|
||||
proxy -p3128
|
||||
</pre>
|
||||
Creates an https:// proxy on port 33128 and an http:// proxy on port 3128
|
||||
|
||||
<h4>TLS client example (connect to upstream via TLS):</h4>
|
||||
<pre>
|
||||
ssl_client_cert /path/to/client.crt
|
||||
ssl_client_key /path/to/client.key
|
||||
ssl_client_verify
|
||||
ssl_client_ca_file /path/to/ca.crt
|
||||
ssl_cli
|
||||
proxy -p3128
|
||||
</pre>
|
||||
Creates an HTTP proxy that connects to upstream servers via TLS with client certificate authentication.
|
||||
|
||||
<h4>Conditional TLS for parent proxy (ssl_client_mode 3):</h4>
|
||||
<pre>
|
||||
ssl_server_cert /path/to/server.crt
|
||||
ssl_server_key /path/to/key
|
||||
ssl_client_mode 3
|
||||
|
||||
auth strong
|
||||
allow user1
|
||||
parent 1000 https parent1.example.com 443
|
||||
allow user2
|
||||
parent 1000 socks5 parent2.example.com 1080
|
||||
ssl_serv
|
||||
ssl_cli
|
||||
proxy -p3128
|
||||
ssl_noserv
|
||||
ssl_nocli
|
||||
</pre>
|
||||
Creates an HTTP proxy on port 3128 that uses TLS for client connections (ssl_serv). With ssl_client_mode 3, TLS handshake to parent proxy is performed only if the parent type ends with 's' (secure types). In this example, user1's traffic goes through an https parent proxy with TLS encryption, while user2's traffic goes through a regular socks5 parent without TLS. Secure parent types include: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps.
|
||||
|
||||
<h4>mTLS example (require client certificate):</h4>
|
||||
<pre>
|
||||
ssl_server_cert /path/to/server.crt
|
||||
ssl_server_key /path/to/server.key
|
||||
ssl_server_ca_file /path/to/ca.crt
|
||||
ssl_server_verify
|
||||
ssl_serv
|
||||
proxy -p3128
|
||||
</pre>
|
||||
Creates an https:// proxy that requires client certificate authentication.
|
||||
|
||||
© Vladimir Dubrovin, License: BSD style
|
||||
@ -1,120 +0,0 @@
|
||||
<h3>3proxy SSL/TLS поддержка</h3>
|
||||
|
||||
<p><b>Примечание:</b> Начиная с версии 0.9.7 поддержка SSL/TLS встроена в 3proxy и не требует
|
||||
отдельного плагина. Все команды ssl_* доступны напрямую при компиляции 3proxy с поддержкой
|
||||
OpenSSL (WITH_SSL). Строка plugin больше не нужна.</p>
|
||||
|
||||
<p>Плагин можно использовать для перехвата и дешифровки SSL/TLS трафика, для шифрования трафика прокси-сервера и аутентификации с помощью клиентских сертификатов.</p>
|
||||
|
||||
<h4>Для прозрачного перехвата трафика (MITM):</h4>
|
||||
|
||||
<br>ssl_mitm - подменять сертификаты для сервисов, запущенных ниже. Использование без ssl_client_verify небезопасно.
|
||||
<br>ssl_nomitm - не подменять сертификаты для сервисов, запущенных ниже.
|
||||
|
||||
<h4>Для защиты трафика прокси-сервера (https:// proxy):</h4>
|
||||
|
||||
ssl_serv (или ssl_server) - требовать TLS-соединение от клиентов для сервисов, запущенных ниже
|
||||
<br>ssl_noserv (или ssl_noserver) - не требовать TLS-соединение от клиентов для сервисов, запущенных ниже
|
||||
|
||||
<h4>Для использования TLS при соединении к вышестоящему серверу:</h4>
|
||||
|
||||
ssl_cli (или ssl_client) - устанавливать TLS-соединение к вышестоящему серверу для сервисов, запущенных ниже
|
||||
<br>ssl_nocli (или ssl_noclient) - не устанавливать TLS-соединение к вышестоящему серверу для сервисов, запущенных ниже
|
||||
|
||||
<h4>Параметры:</h4>
|
||||
|
||||
<br><b>ssl_server_cert</b> /path/to/cert - сертификат сервера (не должен быть самоподписанным, должен содержать альтернативные имена) для ssl_serv
|
||||
<br><b>ssl_server_key</b> /path/to/key - ключ сертификата сервера для ssl_server_cert или сгенерированного MITM-сертификата
|
||||
<br><b>ssl_client_cert</b> /path/to/cert - клиентский сертификат для аутентификации на вышестоящем сервере (используется с ssl_cli)
|
||||
<br><b>ssl_client_key</b> /path/to/key - ключ клиентского сертификата для ssl_client_cert
|
||||
<br><b>ssl_client_ciphersuites</b> ciphersuites_list - наборы шифров TLS для TLS 1.3 (клиент), пример: ssl_client_ciphersuites TLS_AES_128_GCM_SHA256
|
||||
<br><b>ssl_server_ciphersuites</b> ciphersuites_list - наборы шифров TLS для TLS 1.3 (сервер)
|
||||
<br><b>ssl_client_cipher_list</b> ciphers_list - наборы шифров TLS для TLS 1.2 и ниже (клиент), пример: ssl_client_cipher_list ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
|
||||
<br><b>ssl_server_cipher_list</b> ciphers_list - наборы шифров TLS для TLS 1.2 и ниже (сервер)
|
||||
<br><b>ssl_client_min_proto_version</b> tls_version - минимальная версия TLS клиента (например, ssl_client_min_proto_version TLSv1.2)
|
||||
<br><b>ssl_server_min_proto_version</b> tls_version - минимальная версия TLS сервера
|
||||
<br><b>ssl_client_max_proto_version</b> tls_version - максимальная версия TLS клиента
|
||||
<br><b>ssl_server_max_proto_version</b> tls_version - максимальная версия TLS сервера
|
||||
<br><b>ssl_client_verify</b> - проверять сертификат вышестоящего сервера (используется с ssl_mitm или ssl_cli)
|
||||
<br><b>ssl_client_no_verify</b> - не проверять сертификат вышестоящего сервера (по умолчанию)
|
||||
<br><b>ssl_server_verify</b> - требовать клиентский сертификат (mTLS) для ssl_serv
|
||||
<br><b>ssl_server_no_verify</b> - не требовать клиентский сертификат (по умолчанию)
|
||||
<br><b>ssl_server_ca_file</b> /path/to/cafile - файл CA-сертификата для MITM
|
||||
<br><b>ssl_server_ca_key</b> /path/to/cakey - ключ CA-сертификата ssl_server_ca_file для MITM
|
||||
<br><b>ssl_server_ca_dir</b> /path/to/cadir - директория CA-сертификатов для ssl_server_verify
|
||||
<br><b>ssl_server_ca_store</b> /path/to/castore - хранилище CA-сертификатов для ssl_server_verify (OpenSSL 3.0+)
|
||||
<br><b>ssl_client_ca_file</b> /path/to/cafile - файл CA-сертификатов для ssl_client_verify
|
||||
<br><b>ssl_client_ca_dir</b> /path/to/cadir - директория CA-сертификатов для ssl_client_verify
|
||||
<br><b>ssl_client_ca_store</b> /path/to/castore - хранилище CA-сертификатов для ssl_client_verify (OpenSSL 3.0+)
|
||||
<br><b>ssl_client_sni</b> hostname - SNI-имя хоста для отправки вышестоящему серверу (переопределяет запрошенное имя хоста)
|
||||
<br><b>ssl_client_alpn</b> протокол1 протокол2 ... - ALPN-протоколы для согласования с вышестоящим сервером (например, ssl_client_alpn h2 http/1.1)
|
||||
<br><b>ssl_client_mode</b> режим - когда устанавливать TLS-соединение: 0 - при подключении (по умолчанию), 1 - после аутентификации, 2 - перед передачей данных, 3 - только для защищённых типов parent прокси (заканчивающихся на 's')
|
||||
<br><b>ssl_certcache</b> /path/to/cache/ - расположение кеша сгенерированных MITM-сертификатов. Кеш может содержать
|
||||
файлы 3proxy.pem, 3proxy.key, server.key, которые используются как ssl_server_ca_file,
|
||||
ssl_server_ca_key и ssl_server_key соответственно, если они не заданы. Если server.key не задан,
|
||||
3proxy.key используется для генерации серверного сертификата.
|
||||
|
||||
<h4>Пример MITM:</h4>
|
||||
<pre>
|
||||
ssl_server_ca_file /path/to/cafile
|
||||
ssl_server_ca_key /path/to/cakey
|
||||
ssl_mitm
|
||||
proxy -p3128
|
||||
ssl_nomitm
|
||||
proxy -p3129
|
||||
</pre>
|
||||
Перехватывается трафик в прокси на порту 3128.
|
||||
|
||||
<h4>Пример конфигурации https:// прокси:</h4>
|
||||
<pre>
|
||||
ssl_server_cert path_to_cert
|
||||
ssl_server_key path_to_key
|
||||
ssl_serv
|
||||
proxy -p33128
|
||||
ssl_noserv
|
||||
proxy -p3128
|
||||
</pre>
|
||||
На порту 33128 создается https:// прокси, на порту 3128 - http:// прокси.
|
||||
|
||||
<h4>Пример TLS-клиента (соединение к вышестоящему серверу через TLS):</h4>
|
||||
<pre>
|
||||
ssl_client_cert /path/to/client.crt
|
||||
ssl_client_key /path/to/client.key
|
||||
ssl_client_verify
|
||||
ssl_client_ca_file /path/to/ca.crt
|
||||
ssl_cli
|
||||
proxy -p3128
|
||||
</pre>
|
||||
Создается HTTP-прокси, который соединяется с вышестоящими серверами через TLS с аутентификацией по клиентскому сертификату.
|
||||
|
||||
<h4>Условное TLS для parent прокси (ssl_client_mode 3):</h4>
|
||||
<pre>
|
||||
ssl_server_cert /path/to/server.crt
|
||||
ssl_server_key /path/to/key
|
||||
ssl_client_mode 3
|
||||
|
||||
auth strong
|
||||
allow user1
|
||||
parent 1000 https parent1.example.com 443
|
||||
allow user2
|
||||
parent 1000 socks5 parent2.example.com 1080
|
||||
ssl_serv
|
||||
ssl_cli
|
||||
proxy -p3128
|
||||
ssl_noserv
|
||||
ssl_nocli
|
||||
</pre>
|
||||
Создается HTTP-прокси на порту 3128, использующий TLS для клиентских соединений (ssl_serv). При ssl_client_mode 3 TLS-рукопожатие с родительским прокси выполняется только если тип parent прокси заканчивается на 's' (защищённые типы). В данном примере трафик user1 идёт через https родительский прокси с TLS-шифрованием, а трафик user2 — через обычный socks5 родитель без TLS. Защищённые типы parent прокси: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps.
|
||||
|
||||
<h4>Пример mTLS (требование клиентского сертификата):</h4>
|
||||
<pre>
|
||||
ssl_server_cert /path/to/server.crt
|
||||
ssl_server_key /path/to/server.key
|
||||
ssl_server_ca_file /path/to/ca.crt
|
||||
ssl_server_verify
|
||||
ssl_serv
|
||||
proxy -p3128
|
||||
</pre>
|
||||
Создается https:// прокси, требующий аутентификацию по клиентскому сертификату.
|
||||
|
||||
© Vladimir Dubrovin, License: BSD style
|
||||
@ -591,8 +591,7 @@ This is the default authentication type
|
||||
Appropriate for most cases
|
||||
.br
|
||||
\fBuseronly\fR - authentication by username without checking for any password with
|
||||
authorization by ACLs. Useful for e.g. SOCKSv4 proxy and icqpr (icqpr set UIN /
|
||||
AOL screen name as a username)
|
||||
authorization by ACLs. Useful for e.g. SOCKSv4 proxy.
|
||||
.br
|
||||
\fBdnsname\fR - authentication by DNS hostname with authorization by ACLs.
|
||||
The DNS hostname is resolved via a PTR (reverse) record and validated (the resolved
|
||||
@ -604,6 +603,11 @@ NB: there is no password check; the name may be spoofed.
|
||||
SOCKSv5, FTP, POP3 and HTTP proxy.
|
||||
.br
|
||||
\fBcache\fR - cached authentication, may be used with \'authcache\'.
|
||||
.br
|
||||
\fBcacheacl\fR - cached authentication, same as \fBcache\fR but the ACL
|
||||
authorization result is also cached and not re-evaluated on each request. Faster
|
||||
than \fBcache\fR, but ACL changes do not take effect for cached users until the
|
||||
cache entry expires. Use \fBcache\fR if ACLs may change during the cache lifetime.
|
||||
.br
|
||||
\fBradius\fR - authentication with RADIUS.
|
||||
.br
|
||||
@ -641,11 +645,25 @@ assigned to the same user without actual authentication.
|
||||
.br
|
||||
\fBlimit\fR - limit user to use only one ip, \'ip\' and \'user\' are required
|
||||
.br
|
||||
\fBack\fR - only use cached auth if user access service with same ACL
|
||||
\fBacl\fR - only use cached auth if user access service with same ACL
|
||||
.br
|
||||
\fBext\fR - cache external IP
|
||||
.br
|
||||
Use auth type \fBcache\fR for cached authentication
|
||||
\fBdstaddr\fR - cache by destination IP address
|
||||
.br
|
||||
\fBdstport\fR - cache by destination port
|
||||
.br
|
||||
\fBdsthost\fR - cache by destination hostname
|
||||
.br
|
||||
\fBdstoper\fR - cache by destination operation (e.g. HTTP method)
|
||||
.br
|
||||
\fBsrvaddr\fR - cache by service (listener) address
|
||||
.br
|
||||
\fBsrvport\fR - cache by service (listener) port
|
||||
.br
|
||||
Multiple types can be combined (e.g. \fBip,user,dstaddr,dstport\fR).
|
||||
.br
|
||||
Use auth type \fBcache\fR (or \fBcacheacl\fR) for cached authentication
|
||||
|
||||
.br
|
||||
.BR allow
|
||||
@ -808,6 +826,12 @@ in the proxy chain. Useful for passing client IP information to the parent proxy
|
||||
Example: parent 1000 ha
|
||||
.br
|
||||
Use "+" proxy only with \fBfakeresolve\fR option
|
||||
.br
|
||||
Any parent type above can be suffixed with \fBs\fR (e.g. \fBhttps\fR,
|
||||
\fBtcps\fR, \fBsocks5s\fR, \fBconnect+s\fR) to establish a TLS-encrypted
|
||||
connection to the parent proxy. Requires SSL/TLS support (WITH_SSL) and is
|
||||
used with \fBssl_client_mode 3\fR, which only handshakes TLS for \fBs\fR-suffixed
|
||||
parents.
|
||||
.br
|
||||
|
||||
IP and port are ip addres and port of parent proxy server.
|
||||
@ -1047,7 +1071,9 @@ the format:
|
||||
.br
|
||||
\fBCL\fR - password is cleartext
|
||||
.br
|
||||
\fBCR\fR - password is crypt-style password
|
||||
\fBCR\fR - password is crypt-style password. \fB$1$\fR prefix uses MD5-crypt
|
||||
(requires OpenSSL), \fB$3$\fR prefix uses BLAKE2b-crypt (always available, see
|
||||
.BR 3proxy_crypt (8))
|
||||
.br
|
||||
\fBNT\fR - password is NT password (in hex)
|
||||
.br
|
||||
@ -1056,6 +1082,8 @@ the format:
|
||||
users test1:CL:password1 "test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49."
|
||||
.br
|
||||
users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63
|
||||
.br
|
||||
users "test4:CR:$3$salt$G47yV9w...."
|
||||
.br
|
||||
Note: double quotes are required because the password contains a $ sign.
|
||||
|
||||
@ -1356,7 +1384,7 @@ authentication and/or allow/deny ACLs.
|
||||
Report all bugs to
|
||||
.BR 3proxy@3proxy.org
|
||||
.SH SEE ALSO
|
||||
3proxy(8), proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8), syslogd(8),
|
||||
3proxy(8), 3proxy_crypt(8), proxy(8), ftppr(8), socks(8), pop3p(8), smtpp(8), tlspr(8), tcppm(8), udppm(8), syslogd(8),
|
||||
.br
|
||||
https://3proxy.org/
|
||||
.SH AUTHORS
|
||||
|
||||
@ -75,6 +75,9 @@ destination_port. Port to establish outgoing connections. Required unless the Tr
|
||||
.B -c
|
||||
TLS_CHECK_LEVEL. 0 (default) - allow non-TLS traffic to pass, 1 - require TLS, only check client HELLO packet, 2 - require TLS, check both client and server HELLO, 3 - require TLS, check that the server sends a certificate (not compatible with TLS 1.3), 4 - require mutual TLS, check that the server sends a certificate request and the client sends a certificate (not compatible with TLS 1.3)
|
||||
.TP
|
||||
.B -s
|
||||
Split the TLS Client HELLO packet across multiple TCP segments to make SNI-based DPI detection harder. An optional numeric value can follow (e.g. \fB-s1\fR) to control the splitting behaviour.
|
||||
.TP
|
||||
.B -l
|
||||
Log. By default logging is to stdout. If
|
||||
.I logfile
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
Name: 3proxy
|
||||
Version: 0.9.6
|
||||
Version: 0.9.7
|
||||
Release: 1%{?dist}
|
||||
Summary: 3proxy tiny proxy server
|
||||
License: GPL/LGPL/Apache/BSD
|
||||
@ -67,8 +67,8 @@ if [ ! -f /usr/local/3proxy/conf/passwd ]; then \
|
||||
touch /usr/local/3proxy/conf/passwd;\
|
||||
fi
|
||||
[ -f /bin/add3proxyuser ] && sed -i -e 's|@CMAKE_INSTALL_FULL_BINDIR@|/bin|g' -e 's|@3PROXY_CONFDIR@|/etc/3proxy/conf|g' -e 's|@CRYPT_PREFIX@|3proxy_|g' /bin/add3proxyuser; \
|
||||
[ -f /etc/init.d/3proxy ] && sed -i -e 's|@CMAKE_INSTALL_FULL_BINDIR@|/bin|g' -e 's|@CMAKE_INSTALL_FULL_SYSCONFDIR@|/etc|g' /etc/init.d/3proxy; \
|
||||
[ -f /usr/lib/systemd/system/3proxy.service ] && sed -i -e 's|@CMAKE_INSTALL_FULL_BINDIR@|/bin|g' -e 's|@CMAKE_INSTALL_FULL_SYSCONFDIR@|/etc|g' /usr/lib/systemd/system/3proxy.service; \
|
||||
[ -f /etc/init.d/3proxy ] && sed -i -e 's|@CMAKE_INSTALL_FULL_BINDIR@|/bin|g' -e 's|@CMAKE_INSTALL_FULL_SYSCONFDIR@|/etc|g' -e 's|USER=proxy|USER=root|g' /etc/init.d/3proxy; \
|
||||
[ -f /usr/lib/systemd/system/3proxy.service ] && sed -i -e 's|@CMAKE_INSTALL_FULL_BINDIR@|/bin|g' -e 's|@CMAKE_INSTALL_FULL_SYSCONFDIR@|/etc|g' -e 's|User=proxy|User=root|g' /usr/lib/systemd/system/3proxy.service; \
|
||||
if [ -d /etc/3proxy ]; then \
|
||||
chown -R proxy:proxy /etc/3proxy; \
|
||||
chmod -R o-rwx /etc/3proxy; \
|
||||
|
||||
15
src/auth.c
15
src/auth.c
@ -72,31 +72,32 @@ int alwaysauth(struct clientparam * param){
|
||||
int cacheauth(struct clientparam * param){
|
||||
struct authcache ac;
|
||||
uint32_t ttl;
|
||||
unsigned type = param->srv->authcachetype;
|
||||
|
||||
|
||||
if(
|
||||
((conf.authcachetype & 2) && !param->username) ||
|
||||
((conf.authcachetype & 4) && !param->password) ||
|
||||
((type & 2) && !param->username) ||
|
||||
((type & 4) && !param->password) ||
|
||||
(
|
||||
(conf.authcachetype & 1) && *SAFAMILY(¶m->sincr) != AF_INET
|
||||
(type & 1) && *SAFAMILY(¶m->sincr) != AF_INET
|
||||
#ifndef NOIPv6
|
||||
&& *SAFAMILY(¶m->sincr) != AF_INET6
|
||||
#endif
|
||||
) || (!hashresolv(&auth_table, param, &ac, &ttl))) {
|
||||
return 4;
|
||||
}
|
||||
if((conf.authcachetype & 1) &&(conf.authcachetype & 8) &&
|
||||
if((type & 1) &&(type & 8) &&
|
||||
(ac.sincr_family != *SAFAMILY(¶m->sincr) ||
|
||||
memcmp(ac.sincr_addr, SAADDR(¶m->sincr), SAADDRLEN(¶m->sincr))
|
||||
)) {
|
||||
return 10;
|
||||
}
|
||||
|
||||
if(!(conf.authcachetype&2) && *ac.username){
|
||||
if(!(type&2) && *ac.username){
|
||||
if(param->username) free(param->username);
|
||||
param->username = (unsigned char *)strdup((char *)ac.username);
|
||||
}
|
||||
if((conf.authcachetype & 32)){
|
||||
if((type & 32)){
|
||||
memset(¶m->sinsl, 0, sizeof(param->sinsl));
|
||||
*(SAFAMILY(¶m->sinsl)) = ac.sinsl_family;
|
||||
memcpy(SAADDR(¶m->sinsl), ac.sinsl_addr, SAADDRLEN(¶m->sinsl));
|
||||
@ -116,7 +117,7 @@ int doauth(struct clientparam * param){
|
||||
if(authfuncs->authorize &&
|
||||
(res = (*authfuncs->authorize)(param)))
|
||||
return res;
|
||||
if(conf.authcachetype && authfuncs->authenticate && authfuncs->authenticate != cacheauth && param->username && (!(conf.authcachetype&4) || (!param->pwtype && param->password))){
|
||||
if(param->srv->authcachetype && authfuncs->authenticate && authfuncs->authenticate != cacheauth && param->username && (!(param->srv->authcachetype&4) || (!param->pwtype && param->password))){
|
||||
struct authcache ac={.username=""};
|
||||
|
||||
if(param->username) {
|
||||
|
||||
@ -17,6 +17,8 @@ char * copyright = COPYRIGHT;
|
||||
# define MYRAND_ARC4RANDOM 1
|
||||
#elif defined(__GLIBC__) && ((__GLIBC__ > 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 36)))
|
||||
# define MYRAND_ARC4RANDOM 1
|
||||
#elif defined(__GLIBC__) && ((__GLIBC__ < 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ < 25)))
|
||||
# define MYRAND_FALLBACK 1
|
||||
#elif defined(__linux__)
|
||||
# define MYRAND_GETRANDOM 1
|
||||
# include <sys/random.h>
|
||||
|
||||
@ -147,9 +147,9 @@ void * dnsprchild(struct clientparam* param) {
|
||||
}
|
||||
else {
|
||||
#ifdef _WIN32
|
||||
/* ioctlsocket(param->remsock, FIONBIO, &ul); */
|
||||
ioctlsocket(param->remsock, FIONBIO, &ul);
|
||||
#else
|
||||
/* fcntl(param->remsock,F_SETFL,O_NONBLOCK); */
|
||||
fcntl(param->remsock, F_SETFL, O_NONBLOCK | fcntl(param->remsock, F_GETFL));
|
||||
#endif
|
||||
}
|
||||
|
||||
|
||||
@ -215,6 +215,11 @@ void * ftpprchild(struct clientparam* param) {
|
||||
sasize = sizeof(param->sincr);
|
||||
ss = param->srv->so._accept(param->sostate, clidatasock, (struct sockaddr *)¶m->sincr, &sasize);
|
||||
if (ss == INVALID_SOCKET) { RETURN (858);}
|
||||
#ifdef _WIN32
|
||||
{ unsigned long ul = 1; ioctlsocket(ss, FIONBIO, &ul); }
|
||||
#else
|
||||
fcntl(ss, F_SETFL, O_NONBLOCK | fcntl(ss, F_GETFL));
|
||||
#endif
|
||||
param->srv->so._shutdown(param->sostate, clidatasock, SHUT_RDWR);
|
||||
param->srv->so._closesocket(param->sostate, clidatasock);
|
||||
clidatasock = ss;
|
||||
|
||||
@ -17,6 +17,12 @@ static void char_index2hash(const struct hashtable *ht, void *index, uint8_t *ha
|
||||
}
|
||||
|
||||
static void param2hash_add(const struct hashtable *ht, void *index, uint8_t *hash){
|
||||
struct clientparam *param = (struct clientparam *)index;
|
||||
|
||||
memcpy(hash, param->hash, ht->hash_size);
|
||||
}
|
||||
|
||||
void param2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){
|
||||
blake2b_state S;
|
||||
struct clientparam *param = (struct clientparam *)index;
|
||||
unsigned type = param->srv->authcachetype;
|
||||
@ -62,12 +68,7 @@ static void param2hash_add(const struct hashtable *ht, void *index, uint8_t *has
|
||||
if((type & 2048))blake2b_update(&S, SAPORT(¶m->srv->intsa), 2);
|
||||
blake2b_final(&S, hash, ht->hash_size);
|
||||
}
|
||||
}
|
||||
|
||||
void param2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){
|
||||
struct clientparam *param = (struct clientparam *)index;
|
||||
|
||||
memcpy(hash, param->hash, ht->hash_size);
|
||||
memcpy(param->hash, hash, ht->hash_size);
|
||||
}
|
||||
|
||||
static void udpparam2hash(const struct hashtable *ht, void *index, uint8_t *hash){
|
||||
|
||||
@ -18,6 +18,19 @@ DWORD WINAPI threadfunc(LPVOID p) {
|
||||
void * threadfunc (void *p) {
|
||||
#endif
|
||||
int i = -1;
|
||||
#ifdef MODULEMAINFUNC
|
||||
if(makefilters(param->srv, param) > CONTINUE){
|
||||
#ifndef NOUDPMAIN
|
||||
if(param->srv->service == S_UDPPM) _3proxy_sem_unlock(udpinit);
|
||||
#endif
|
||||
freeparam(param);
|
||||
#ifdef _WIN32
|
||||
return 0;
|
||||
#else
|
||||
return NULL;
|
||||
#endif
|
||||
}
|
||||
#endif
|
||||
if(param->srv->cbsock != INVALID_SOCKET){
|
||||
SASIZETYPE size = sizeof(param->sinsr);
|
||||
struct pollfd fds;
|
||||
@ -1020,6 +1033,7 @@ int MODULEMAINFUNC (int argc, char** argv){
|
||||
if(hashresolv(&udp_table, &defparam, &toparam, NULL)) {
|
||||
int i, len=0;
|
||||
|
||||
if(!toparam->bandlimfunc || !(*toparam->bandlimfunc)(toparam, 0, srv.udplen)){
|
||||
if(toparam->udp_nhops){
|
||||
for(i=1; i < toparam->udp_nhops; i++){
|
||||
len+=socks5_udp_build_hdr(srv.udpbuf2+len, &toparam->udp_relay[i-1]);
|
||||
@ -1031,6 +1045,7 @@ int MODULEMAINFUNC (int argc, char** argv){
|
||||
srv.so._sendto(toparam->sostate, toparam->remsock, (char *)srv.udpbuf2, len, 0, (struct sockaddr *)&toparam->sinsr, SASIZE(&toparam->sinsr));
|
||||
toparam->statscli64 += srv.udplen;
|
||||
toparam->nwrites++;
|
||||
}
|
||||
_3proxy_sem_unlock(udpinit);
|
||||
continue;
|
||||
}
|
||||
@ -1052,17 +1067,6 @@ int MODULEMAINFUNC (int argc, char** argv){
|
||||
if(defparam.hostname)newparam->hostname=(unsigned char *)strdup((char *)defparam.hostname);
|
||||
clearstat(newparam);
|
||||
if(!isudp) newparam->clisock = new_sock;
|
||||
#ifndef STDMAIN
|
||||
if(makefilters(&srv, newparam) > CONTINUE){
|
||||
freeparam(newparam);
|
||||
#ifndef NOUDPMAIN
|
||||
if(isudp) {
|
||||
_3proxy_sem_unlock(udpinit);
|
||||
}
|
||||
#endif
|
||||
continue;
|
||||
}
|
||||
#endif
|
||||
newparam->prev = newparam->next = NULL;
|
||||
error = 0;
|
||||
_3proxy_mutex_lock(&srv.counter_mutex);
|
||||
@ -1097,6 +1101,11 @@ int MODULEMAINFUNC (int argc, char** argv){
|
||||
if(newparam->prev) newparam->prev->next = newparam->next;
|
||||
else srv.child = newparam->next;
|
||||
if(newparam->next) newparam->next->prev = newparam->prev;
|
||||
if(newparam->clisock != INVALID_SOCKET){
|
||||
srv.so._shutdown(srv.so.state, newparam->clisock, SHUT_RDWR);
|
||||
srv.so._closesocket(srv.so.state, newparam->clisock);
|
||||
newparam->clisock = INVALID_SOCKET;
|
||||
}
|
||||
newparam->srv = NULL;
|
||||
#ifndef NOUDPMAIN
|
||||
if(isudp){
|
||||
@ -1287,6 +1296,7 @@ void freeparam(struct clientparam * param) {
|
||||
#ifndef STDMAIN
|
||||
if(param->srv->service == S_UDPPM) hashdelete(&udp_table, param);
|
||||
#endif
|
||||
if(param->prev || param->next || param->srv->child == param){
|
||||
if(param->prev){
|
||||
param->prev->next = param->next;
|
||||
}
|
||||
@ -1296,6 +1306,7 @@ void freeparam(struct clientparam * param) {
|
||||
param->next->prev = param->prev;
|
||||
}
|
||||
(param->srv->childcount)--;
|
||||
}
|
||||
_3proxy_mutex_unlock(¶m->srv->counter_mutex);
|
||||
}
|
||||
if(param->clibuf) free(param->clibuf);
|
||||
|
||||
@ -201,7 +201,7 @@ log(logbuf);
|
||||
log("send to server from buf");
|
||||
#endif
|
||||
if(!param->nolongdatfilter){
|
||||
action = handledatfltcli(param, ¶m->clibuf, (int *)¶m->clibufsize, param->cliinbuf - res, (int *)¶m->cliinbuf);
|
||||
action = handledatfltcli(param, ¶m->clibuf, (int *)¶m->clibufsize, param->clioffset, (int *)¶m->cliinbuf);
|
||||
if(action == HANDLED){
|
||||
RETURN(0);
|
||||
}
|
||||
@ -247,7 +247,7 @@ log("done send to server from buf");
|
||||
log("send to client from buf");
|
||||
#endif
|
||||
if(!param->nolongdatfilter){
|
||||
action = handledatfltsrv(param, ¶m->srvbuf, (int *)¶m->srvbufsize, param->srvinbuf - res, (int *)¶m->srvinbuf);
|
||||
action = handledatfltsrv(param, ¶m->srvbuf, (int *)¶m->srvbufsize, param->srvoffset, (int *)¶m->srvinbuf);
|
||||
if(action == HANDLED){
|
||||
RETURN(0);
|
||||
}
|
||||
@ -544,6 +544,7 @@ log("done read from server to buf");
|
||||
}
|
||||
// if(!CLIENTTERMREAD || !CLIENTTERMWRITE){
|
||||
if(!after){
|
||||
fds[fdsc].fd = param->clisock;
|
||||
if(fromclient && !CLIENTTERMREAD && !FROMCLIENT && ((
|
||||
#ifdef WITHSPLICE
|
||||
!usesplice &&
|
||||
@ -603,6 +604,7 @@ log("ready to write to client");
|
||||
|
||||
// if(!SERVERTERMREAD || !SERVERTERMWRITE){
|
||||
if(!after){
|
||||
fds[fdsc].fd = param->remsock;
|
||||
if(fromserver && !SERVERTERMREAD && !FROMSERVER && ((
|
||||
#ifdef WITHSPLICE
|
||||
!usesplice &&
|
||||
|
||||
10
src/socks.c
10
src/socks.c
@ -255,6 +255,11 @@ void * sockschild(struct clientparam* param) {
|
||||
if(switch_ns(param->srv, param->srv->o_nsfd)) {RETURN(11);}
|
||||
#endif
|
||||
if ((param->remsock=param->srv->so._socket(param->sostate, SASOCK(¶m->req), SOCK_DGRAM, IPPROTO_UDP)) == INVALID_SOCKET) {RETURN (11);}
|
||||
#ifdef _WIN32
|
||||
{ unsigned long ul = 1; ioctlsocket(param->remsock, FIONBIO, &ul); }
|
||||
#else
|
||||
fcntl(param->remsock, F_SETFL, O_NONBLOCK | fcntl(param->remsock, F_GETFL));
|
||||
#endif
|
||||
}
|
||||
|
||||
if(command > 1) {
|
||||
@ -275,6 +280,11 @@ fflush(stderr);
|
||||
#endif
|
||||
param->clisock = param->srv->so._socket(param->sostate, SASOCK(¶m->sincr), SOCK_DGRAM, IPPROTO_UDP);
|
||||
if(param->clisock == INVALID_SOCKET) {RETURN(11);}
|
||||
#ifdef _WIN32
|
||||
{ unsigned long ul = 1; ioctlsocket(param->clisock, FIONBIO, &ul); }
|
||||
#else
|
||||
fcntl(param->clisock, F_SETFL, O_NONBLOCK | fcntl(param->clisock, F_GETFL));
|
||||
#endif
|
||||
sin = param->sincl;
|
||||
*SAPORT(&sin) = 0;
|
||||
if(param->srv->so._bind(param->sostate, param->clisock,(struct sockaddr *)&sin,SASIZE(&sin))) {RETURN (12);}
|
||||
|
||||
11
src/ssl.c
11
src/ssl.c
@ -338,7 +338,11 @@ SSL_CONN ssl_handshake_to_client(SOCKET s, SSL_CONFIG *config, X509 *server_cert
|
||||
return NULL;
|
||||
}
|
||||
|
||||
SSL_set_fd(conn->ssl, s);
|
||||
if(!SSL_set_fd(conn->ssl, s)){
|
||||
*errSSL = getSSLErr();
|
||||
ssl_conn_free(conn);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
do {
|
||||
struct pollfd fds[1] = {{INVALID_SOCKET}};
|
||||
@ -509,6 +513,7 @@ SSL_CTX * ssl_cli_ctx(SSL_CONFIG *config, X509 *server_cert, EVP_PKEY *server_ke
|
||||
SSL_CTX_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
SSL_CTX_set_session_id_context(ctx, (const unsigned char *)"3proxy", 6);
|
||||
if(config->server_min_proto_version)SSL_CTX_set_min_proto_version(ctx, config->server_min_proto_version);
|
||||
if(config->server_max_proto_version)SSL_CTX_set_max_proto_version(ctx, config->server_max_proto_version);
|
||||
if(config->server_cipher_list)SSL_CTX_set_cipher_list(ctx, config->server_cipher_list);
|
||||
@ -786,7 +791,7 @@ static void ssl_filter_close(void *fo){
|
||||
X509_free(CONFIG->server_cert);
|
||||
}
|
||||
if ( CONFIG->client_cert != NULL ) {
|
||||
X509_free(CONFIG->server_cert);
|
||||
X509_free(CONFIG->client_cert);
|
||||
}
|
||||
if ( CONFIG->CA_key != NULL ) {
|
||||
EVP_PKEY_free(CONFIG->CA_key);
|
||||
@ -795,7 +800,7 @@ static void ssl_filter_close(void *fo){
|
||||
EVP_PKEY_free(CONFIG->server_key);
|
||||
}
|
||||
if ( CONFIG->client_key != NULL ) {
|
||||
EVP_PKEY_free(CONFIG->server_key);
|
||||
EVP_PKEY_free(CONFIG->client_key);
|
||||
}
|
||||
if ( CONFIG->srv_ctx != NULL ) {
|
||||
SSL_CTX_free(CONFIG->srv_ctx);
|
||||
|
||||
@ -61,6 +61,7 @@ void * udppmchild(struct clientparam* param) {
|
||||
if(!(param->srvbuf = malloc(UDPBUFSIZE)))RETURN(11);
|
||||
param->srvbufsize = UDPBUFSIZE;
|
||||
}
|
||||
if(!param->bandlimfunc || !(*param->bandlimfunc)(param, 0, param->srv->udplen)){
|
||||
if(param->udp_nhops){
|
||||
for(i=1; i < param->udp_nhops; i++){
|
||||
len+=socks5_udp_build_hdr(param->srvbuf+len, ¶m->udp_relay[i-1]);
|
||||
@ -70,10 +71,11 @@ void * udppmchild(struct clientparam* param) {
|
||||
memcpy(param->srvbuf+len, param->srv->udpbuf, param->srv->udplen > UDPBUFSIZE - len?UDPBUFSIZE - len : param->srv->udplen);
|
||||
len += param->srv->udplen > UDPBUFSIZE - len?UDPBUFSIZE - len : param->srv->udplen;
|
||||
param->srv->so._sendto(param->sostate, param->remsock, (char *)param->srvbuf, len, 0, (struct sockaddr *)¶m->sinsr, SASIZE(¶m->sinsr));
|
||||
_3proxy_sem_unlock(udpinit);
|
||||
param->statscli64 += param->srvinbuf;
|
||||
param->srvinbuf = 0;
|
||||
param->nwrites++;
|
||||
}
|
||||
_3proxy_sem_unlock(udpinit);
|
||||
param->srvinbuf = 0;
|
||||
param->clisock = param->srv->srvsock;
|
||||
param->waitserver64 = 0x7fffffffffffffff;
|
||||
param->res = udpsockmap(param, conf.timeouts[STRING_L]);
|
||||
|
||||
@ -106,6 +106,7 @@ int udpsockmap(struct clientparam *param, int timeo)
|
||||
len = param->srv->so._recvfrom(param->sostate, param->clisock,
|
||||
(char *)param->srvbuf + recvoff, UDPBUFSIZE - recvoff,
|
||||
0, (struct sockaddr *)&sin, &sasize);
|
||||
if (len < 0 && (errno == EAGAIN || errno == EINTR)) continue;
|
||||
if (len <= 0) return 482;
|
||||
|
||||
if (SAADDRLEN(&sin) != SAADDRLEN(¶m->sincr) ||
|
||||
@ -123,6 +124,8 @@ int udpsockmap(struct clientparam *param, int timeo)
|
||||
continue;
|
||||
}
|
||||
|
||||
if(param->bandlimfunc && (*param->bandlimfunc)(param, 0, len)) continue;
|
||||
|
||||
if (nhops == 0) {
|
||||
int i;
|
||||
if (len < 10 || param->srvbuf[0] || param->srvbuf[1] || param->srvbuf[2])
|
||||
@ -182,6 +185,7 @@ int udpsockmap(struct clientparam *param, int timeo)
|
||||
len = param->srv->so._recvfrom(param->sostate, param->remsock,
|
||||
(char *)param->srvbuf + hdrsize, UDPBUFSIZE - hdrsize, 0,
|
||||
(struct sockaddr *)&from, &sasize);
|
||||
if (len < 0 && (errno == EAGAIN || errno == EINTR)) continue;
|
||||
if (len <= 0) return 486;
|
||||
if (nhops >= 1) {
|
||||
if (!SAISNULL(¶m->sinsr) && *SAPORT(¶m->sinsr)) {
|
||||
@ -193,6 +197,7 @@ int udpsockmap(struct clientparam *param, int timeo)
|
||||
}
|
||||
param->statssrv64 += len;
|
||||
param->nreads++;
|
||||
if(param->bandlimfunc && (*param->bandlimfunc)(param, len, 0)) continue;
|
||||
sendlen = len;
|
||||
if (nhops == 0) {
|
||||
param->srvbuf[0] = param->srvbuf[1] = param->srvbuf[2] = 0;
|
||||
|
||||
@ -1,14 +1,14 @@
|
||||
#ifndef VERSION
|
||||
#define VERSION "3proxy-0.9.6"
|
||||
#define VERSION "3proxy-0.9.7"
|
||||
#endif
|
||||
#ifndef BUILDDATE
|
||||
#define BUILDDATE ""
|
||||
#endif
|
||||
#define MAJOR3PROXY 0
|
||||
#define SUBMAJOR3PROXY 9
|
||||
#define MINOR3PROXY 6
|
||||
#define MINOR3PROXY 7
|
||||
#define SUBMINOR3PROXY 0
|
||||
#define RELEASE3PROXY "3proxy-0.9.6(" BUILDDATE ")\0"
|
||||
#define RELEASE3PROXY "3proxy-0.9.7(" BUILDDATE ")\0"
|
||||
#ifndef YEAR3PROXY
|
||||
#define YEAR3PROXY "2026"
|
||||
#endif
|
||||
|
||||
Loading…
Reference in New Issue
Block a user