Vladimir Dubrovin
4f0f3c81e1
add 'cacheacl' auth type, dstaddr, dstport, dsthost, dstoper, srvaddr and srvport authcache types; allow to configure authcache by service
...
'auth cacheacl ...' is identical to 'auth cache ...' except ACL is not checked for cached authentication. dstaddr, dstport, dsthost and dstoper (operation) are intended to be used with cacheacl. For example
authcache user,ip,password,dstaddr 600
auth cacheacl iponly strong
allows user to access destination ip without ACL/password revalidation if he has cached attempt to the same ip from the same ip with the same username and password.
srvaddr, srvport are useful to only match with cached attempts to the same `internal` address / service port.
2026-04-21 21:49:52 +03:00
Vladimir Dubrovin
bfbbf1f446
Fix FilePlugin warnings
2026-04-21 16:28:28 +03:00
Vladimir Dubrovin
68ef9dcc59
Fix Windows compilation
2026-04-21 16:10:17 +03:00
Vladimir Dubrovin
3957210609
Allow different hash lengths; fix bug on hashtable grow
2026-04-20 18:49:53 +03:00
Vladimir Dubrovin
ee00956b74
hash username/password with terminators
2026-04-20 11:59:58 +03:00
Vladimir Dubrovin
083a70393f
Minor hashtable refactor
2026-04-20 10:40:38 +03:00
Vladimir Dubrovin
d9b1493260
Fix hashadd
2026-04-19 19:22:22 +03:00
Vladimir Dubrovin
7102afe856
authcache switched to hashtables, overflow fixed
...
- authcache switched to use hashtables, size parameter added
- overflow fixed on hashinit
- hashtable prefers new values on insert if table is full
- hashtable is able to compact/grow
2026-04-19 19:16:33 +03:00
Vladimir Dubrovin
a3729354b8
Allow hashtable to grow
2026-04-18 17:24:01 +03:00
Vladimir Dubrovin
45796f66c7
Cleanup 3proxy_crypt
2026-04-18 15:47:07 +03:00
Vladimir Dubrovin
260cbf7a3d
Use uint32_t for hashtable indices
2026-04-18 15:36:14 +03:00
Vladimir Dubrovin
f1af44f3a9
Refactor hashtables to use indices instead of pointers, use blake2 as a hash, mycrypt renamed to 3proxy_crypt
2026-04-18 15:12:43 +03:00
Vladimir Dubrovin
4ee7f71fb9
Use tablesize in hashtable
2026-04-17 21:15:21 +03:00
Vladimir Dubrovin
98604b5421
Add hashcompact
2026-04-17 20:40:27 +03:00
Vladimir Dubrovin
a0d580b36d
move hashtable/resolve/sql functions to separate files
2026-04-17 19:29:50 +03:00
Vladimir Dubrovin
4c0e3a1bac
Check OpenSSL version for SNI/TLS 1.3/alpn
2026-04-14 17:36:35 +03:00
Vladimir Dubrovin
afbdad0ac7
Fix for first in chain https/tcps parent
2026-04-13 21:09:46 +03:00
Vladimir Dubrovin
a1a65c3fd5
ssl_client_mode = 3 added, allow 'secure' parent types ending with 's': https, tcps, socks5s, connect+s, etc.
...
example:
plugin SSLPlugin.ld.so ssl_plugin
allow user1
parent 1000 http 1.1.1.1 1111
allow user2
parent 1000 https 2.2.2.2 2222
ssl_client_mode 3
ssl_client
proxy
With ssl_client_mode 3 TLS is only handshaked for https parent type and is not handshaked for http parent.
2026-04-13 20:53:38 +03:00
Vladimir Dubrovin
878a432481
Support unix socket for parent and tcppm; abstract (fileless) unix sockets for linux support
...
Use unix:/path/to/socket, e.g.
tcppm 1234 unix:/path/to/socket 1234
Under linux abstract sockets are supported with '@' prefix, e.g.
parent 1000 http unix:@virtual.3proxy.socket 1111
Destination port numbers are not used in tcppm/parent, but you must specify any positive value to match the syntax.
2026-04-12 19:18:15 +03:00
Vladimir Dubrovin
f77f65ac4e
Fix: SOCKSv5 parent reply parsing for domain name address
2026-04-12 14:16:48 +03:00
Vladimir Dubrovin
2d6eeff5f3
Fix typos, update documentation
2026-04-12 13:58:42 +03:00
Vladimir Dubrovin
c206349ee2
Support unix sockets for internal and -i
...
Example configuration:
log
auto -iunix:/path/to/3proxy.sock
test with
curl --unix-socket /path/to/3proxy.sock https://3proxy.ru
2026-04-12 00:30:35 +03:00
Vladimir Dubrovin
a2641cb103
Push as 0.9.6
2026-04-11 13:06:43 +03:00
Vladimir Dubrovin
238ed094dd
Support building without standard resolvers (NOSTDRESOLVE)
...
build from stra
2026-04-11 12:22:38 +03:00
Vladimir Dubrovin
825563ad85
Detailed warnings for 'plugin' command errors
2026-04-10 19:30:22 +03:00
Vladimir Dubrovin
0c8be907e9
-Ne / -Ni options added to specify external / internal NAT address
2026-04-10 15:01:43 +03:00
Vladimir Dubrovin
8cb8be1be8
Fix warnings
2026-04-08 21:13:45 +03:00
Vladimir Dubrovin
0381461495
Use PRI/SCN modifiers where possible
2026-04-08 21:13:31 +03:00
Vladimir Dubrovin
483542b914
Use uint32_t/uint16_t instead of unsigned long / unsigned short where required
2026-04-08 21:13:18 +03:00
Vladimir Dubrovin
855c04d8f6
Update build environment
2026-04-08 21:12:51 +03:00
Vladimir Dubrovin
d8161e94b5
Update year
2026-04-08 19:21:31 +03:00
Vladimir Dubrovin
c6eddc69a1
remove unused variables
2026-04-08 19:21:30 +03:00
Vladimir Dubrovin
758c290092
Fix CONNECT_TO usage
2026-04-08 19:21:30 +03:00
Vladimir Dubrovin
2e534c7794
Add cmake environment
2026-04-08 19:21:30 +03:00
Vladimir Dubrovin
237fa15e36
Fix external libraries
2026-04-08 19:21:30 +03:00
Vladimir Dubrovin
6f1bb65841
Update workflows and makefiles (11 commits squashed)
2026-04-08 19:21:30 +03:00
Vladimir Dubrovin
238b314c90
switch PCREPlugin to PCRE2
2026-04-08 19:21:29 +03:00
BDBSAlive6one6
5e92822900
fix(PamAuth): added pam_acct_mgmt() call, fixed pam_start() ( #1203 )
...
Added pam_acct_mgmt() call after pam_authenticate() to enable PAM
account checks (HBAC, password expiration, account lockout).
Fixed pam_start() to pass actual username instead of hardcoded '3proxy@'
Tested with FreeIPA 4.12 + SSSD Rocky Linux 9
2026-04-08 19:21:29 +03:00
Vladimir Dubrovin
7299bcc0e2
Move timeouts from conf
2026-04-08 19:21:29 +03:00
Vladimir Dubrovin
c34d29b7dd
Do not use applink.c
2026-04-08 19:21:29 +03:00
Vladimir Dubrovin
499c4240ad
Fix TrafficPlugin
2026-04-08 19:21:28 +03:00
Vladimir Dubrovin
a5fce1a2f6
compile PCRE on Windows
2026-04-08 19:21:28 +03:00
Vladimir Dubrovin
c05023ab6d
Correct SSL functions for Windows
2026-04-08 19:21:27 +03:00
Vladimir Dubrovin
28724187fb
Use external PCRE library
2026-04-08 19:21:27 +03:00
Vladimir Dubrovin
35db214b78
Use external PCRE library
2026-04-08 19:21:27 +03:00
Vladimir Dubrovin
92f170fca2
Fix warning
2026-04-08 19:21:27 +03:00
Vladimir Dubrovin
00d2ecbc31
Use 64 bit arithmetics for rate limits
2026-04-08 19:21:27 +03:00
Vladimir Dubrovin
8292ec21a7
remove SSL_shutdown
2026-04-08 19:21:27 +03:00
Vladimir Dubrovin
ef318bff67
Use quit shutdown for SSL to prevent races
2026-04-08 19:21:27 +03:00
Vladimir Dubrovin
128386723a
Fix potential use-after-free on filters, add SSL_shutdown in SSLPlugin
2026-04-08 19:21:27 +03:00
Vladimir Dubrovin
acc6db59a3
SNI break (DPI bypass) added
...
-s option to tlspr (or tls type redirect), requires TCP_NODELAY to be set
auth iponly
allow *
parent 1000 tls 0.0.0.0 0
allow *
proxy -s -i127.0.0.1 -ocTCP_NODELAY -osTCP_NODELAY -p1443
2026-04-08 19:21:26 +03:00
Vladimir Dubrovin
251660940e
Fixed: crash on invalid configuration file
2026-04-08 19:21:26 +03:00
Vladimir Dubrovin
7e4504997e
Fixed: memory corruptions on config parsing
2026-04-08 19:21:26 +03:00
Vladimir Dubrovin
8d8ee23385
ssl_client_mode added, code cleanup
...
ssl_client_mode
0 (default) - handshake immediately after connect() (with first parent or with destination if there is no parent)
1 - handshake with destination server (handshake after connection via parents is established)
2 - handshake after data channel is established (e.g. after CONNECT)
2026-04-08 19:21:26 +03:00
Vladimir Dubrovin
7e47d5bd92
ssl_client_alpn added
2026-04-08 19:21:26 +03:00
Vladimir Dubrovin
7fce892391
Use SSL_connect / SSL_accept in non-blocking mode
2026-04-08 19:21:26 +03:00
Vladimir Dubrovin
23551e53bf
Fixed: allow ssl server and client on the same service
2026-04-08 19:21:26 +03:00
Vladimir Dubrovin
35406e6b61
client_sni command added; do not send hostname from request as SNI in SSL client configuration
2026-04-08 19:21:26 +03:00
Vladimir Dubrovin
26534e9cbd
Close SSL on shutdown
2026-04-08 19:21:26 +03:00
Vladimir Dubrovin
2cd0a34fd5
maxseg / TCP_MAXSEG support added
2026-04-08 19:21:26 +03:00
Vladimir Dubrovin
d67a052aa8
Fixed: invalid config value initializers
2026-04-08 19:21:26 +03:00
Alexey Suslov
280c7c8976
Fix HTTPS proxy for HTTPS addresses ( #1175 )
2026-04-08 19:21:26 +03:00
Vladimir Dubrovin
bc7e9b2ac6
Fix: -P option for tlspr
2026-04-08 19:21:26 +03:00
Vladimir Dubrovin
5355af3112
Fix: WSAPoll fail in some Windows versions after e525ce913e
2026-04-08 19:21:26 +03:00
Vladimir Dubrovin
7b4e8b6d6b
Fixed: ssl_server_cert doesn't read full certificate chain
2026-04-08 19:21:25 +03:00
Vladimir Dubrovin
e945890613
Fixed: CONNECT does not work in standalone 'proxy' binary
2026-04-08 19:21:25 +03:00
Vladimir Dubrovin
5c7cc3c9b2
Fixed: Failed connect may result in success response on some Windows versions
2026-04-08 19:21:25 +03:00
Vladimir Dubrovin
6e55af7f48
Fixed: invalid timeout in socksendto / sockrecvfrom
2026-04-08 19:21:25 +03:00
Vladimir Dubrovin
8d744e16fb
Convert PAMAUTH.TXT to UTF-8
2026-04-08 19:21:25 +03:00
Vladimir Dubrovin
af25cb460f
Fixed service name detection for auto / tlspr
2026-04-08 19:21:25 +03:00
Vladimir Dubrovin
2508b89d96
Avoid sleep on service thread sync
2026-04-08 19:21:25 +03:00
Vladimir Dubrovin
09a3ddeeac
SOCKSTRACE fixed
2026-04-08 19:21:25 +03:00
Vladimir Dubrovin
66bdd86c6b
ssl_server_verify, ssl_server_ca_dir, ssl_server_ca_store added, ssl_server / ssl_client aliases added to ssl_serv / ssl_cli
2026-04-08 19:21:25 +03:00
Vladimir Dubrovin
b624da443a
ssl_noserv fixed, ssl_cli/ssl_nocli/ssl_client_cert/ssl_client_key added
2026-04-08 19:21:25 +03:00
Vladimir Dubrovin
3c51af3737
Remove legacy NTLMv1 code
2026-04-08 19:21:25 +03:00
Vladimir Dubrovin
7e7a0d4336
Support HAProxy proxy v1 protocol
...
Added:
-H option - expect HAProxy proxy v1 header, e.g. `proxy -H`
parent ha type - send HAProxy proxy v1 header (must be last in redirection), e.g.
allow *
parent 1000 ha
parent 1000 proxy 1.2.3.4 3128
socks
2026-04-08 19:21:25 +03:00
Vladimir Dubrovin
e373d84717
Support tlspr in auto
2026-04-08 19:21:25 +03:00
Vladimir Dubrovin
8d58e2618e
make compatible with openssl 1.x
2026-04-08 19:21:24 +03:00
Vladimir Dubrovin
1bfa64303a
rsa.h not required
2026-04-08 19:21:24 +03:00
Vladimir Dubrovin
81224b6708
Use PCRE_STATIC pcre_plugin.c
2026-04-08 19:21:24 +03:00
Vladimir Dubrovin
6944a012d9
use PCRE_STATIC
2026-04-08 19:21:24 +03:00
z3apa3a
bc92819572
Fix tlspr for compatibility with older compilers
2025-03-09 19:16:35 +03:00
z3apa3a
2900b80d88
Prepare for 0.9.5 release
2025-03-09 17:29:17 +03:00
z3apa3a
74134db09e
Fix ssl_plugin for Windows
2025-03-09 17:22:18 +03:00
Vladimir Dubrovin
6387bed4f2
Replace strcpy with memmove for overlapping regions
2024-12-20 14:38:58 +03:00
Vladimir Dubrovin
cf6946cc8b
Fix: IPv6 address may be invalid on some platforms for SOCKSv5 UDP ASSOCIATE
2024-07-18 12:50:59 +03:00
Vladimir Dubrovin
ab8db00b1f
Fix type for ssl_poll
2024-06-04 19:26:34 +03:00
Vladimir Dubrovin
94dfa195db
char * / unsigned char * conversions fixed
2024-05-31 19:53:28 +03:00
Vladimir Dubrovin
013d4bc333
tlspr (SNI proxy) implemented
...
Options -cN - level of TLS check
default - allow non-TLS traffic
1 - require TLS, only check client HELLO packet
2 - require TLS, check both client and server HELLO
3 - require TLS, check server send certificate (not compatible with TLS 1.3)
4 - require mutual TLS, check server send certificate request and client sends certificate (not compatible with TLS 1.3)
-P - default port
examples:
1.
tlspr -p1443 -P443 -c1
(port 1443 may be used to redirect traffic to destination port 143). SNI is used to find destination host
2.
allow * * * 80
parent 1000 http 0.0.0.0 0
allow * * * * CONNECT
parent 1000 tls 0.0.0.0 0
deny * * some.not.allowed.host
allow *
socks
attempts to take destination hostname from SNI in SOCKS
2024-05-20 13:01:38 +03:00
Vladimir Dubrovin
d347f0a058
More TLS commands added, ssl_srvkey / ssl_srvfile renamed
...
ssl_server_cert - certificate for SSL server (rename from ssl_srvkey)
ssl_server_key - key for ssl_server_cert of generated mitm certificate (renamed from ssl_srvkey)
ssl_server_ca_file - CA file for mitm
ssl_server_ca_key - key for mitm CA
ssl_client_ca_file, ssl_client_ca_dir, ssl_client_ca_store - locations for root CAs used with ssl_client_verify for TLS client
ssl_certcache is not optional, if ssl_server_ca_file / ssl_server_ca_key are configured
2024-03-10 16:20:42 +03:00
Vladimir Dubrovin
a316622a85
Added multiple TLS configuration parameters for SSLPlugin
...
ssl_client_ciphersuites - TLS client ciphers for TLS 1.3, e.g. ssl_client_ciphersuites TLS_AES_128_GCM_SHA256
ssl_server_ciphersuites - TLS server ciphers for TLS 1.3
ssl_client_cipher_list - TLS client ciphers for TLS 1.2 and below , e.g. ssl_client_cipher_list ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl_server_cipher_list - TLS server ciphers for TLS 1.2 and below
ssl_client_min_proto_version - TLS client min TLS version (e.g. TLSv1.2)
ssl_server_min_proto_version - TLS server min TLS version (e.g. TLSv1.2)
ssl_client_max_proto_version - TLS client max TLS version (e.g. TLSv1.2)
ssl_server_max_proto_version - TLS server max TLS version (e.g. TLSv1.2)
ssl_client_verify - verify certificate for upstream server in TLS client functionality
ssl_client_no_verify - do not verify certificate for upstream server in TLS client functionality (default)
2024-03-10 13:36:40 +03:00
Vladimir Dubrovin
d87241c487
Keep TLS server context
2024-03-09 18:37:44 +03:00
Vladimir Dubrovin
144af547fb
Keep TLS client context between requests
2024-03-09 16:23:03 +03:00
Vladimir Dubrovin
35d1de6f5e
Fix use-after-free in freeparam
2024-02-22 17:30:50 +03:00
Vladimir Dubrovin
161cbbd452
fix crash on insufficient memory
2024-02-18 23:54:31 +03:00
Vladimir Dubrovin
067fdd7f95
support ssl_serv / ssl_noserv commands
...
example:
plugin /path/to/SSLPlugin.so ssl_plugin
ssl_srvcert path_to_cert
ssl_srvkey path_to_key
ssl_serv
proxy -p33128
ssl_noserv
proxy -p3128
2024-02-18 23:42:09 +03:00
Vladimir Dubrovin
d77e528847
minor fixes
2024-02-18 20:18:31 +03:00
Vladimir Dubrovin
2b4d8e67e4
Do not store CA cert subject
2024-02-18 19:53:35 +03:00
Vladimir Dubrovin
375e3a74d0
call local socket function
2024-02-18 19:41:45 +03:00
Vladimir Dubrovin
6dc145b16b
initial commit to TLS refactoring
2024-02-18 19:07:09 +03:00