SOCKSTRACE fixed

Added:
-H option - expect HAProxy proxy v1 header, e.g. `proxy -H`

parent ha type - send HAProxy proxy v1 header (must be last in redirection), e.g.

allow *
parent 1000 ha
parent 1000 proxy 1.2.3.4 3128
socks

.github/workflows/c-cpp.yml

@@ -0,0 +1,50 @@
+name: C/C++ CI
+
+on:
+  push:
+    branches: [ "master" ]
+    paths: [ '**.c', '**.h', 'Makefile.**', '.github/configs', '.github/workflows/c-cpp.yml' ]
+  pull_request:
+    branches: [ "master" ]
+    paths: [ '**.c', '**.h', 'Makefile.**', '.github/configs', '.github/workflows/c-cpp.yml' ]
+
+jobs:
+  ci:
+    name: "${{ matrix.target }}"
+    strategy:
+      matrix:
+        target:
+          - ubuntu-latest
+          - ubuntu-24.04-arm
+          - macos-15
+          - windows-2022
+    runs-on: ${{ matrix.target }}
+    steps:
+    - uses: actions/checkout@v4
+#    - name: configure
+#      run: ./configure
+    - name: ln Linux
+      if: ${{ startsWith(matrix.target, 'ubuntu') }}
+      run: ln -s Makefile.Linux Makefile
+    - name: ln Mac
+      if: ${{ startsWith(matrix.target, 'macos') }}
+      run: ln -s Makefile.FreeBSD Makefile
+    - name: ln Windows
+      if: ${{ startsWith(matrix.target, 'windows') }}
+      run: copy Makefile.win Makefile
+    - name: dirs Windows
+      if: ${{ startsWith(matrix.target, 'windows') }}
+      run: cmd /C 'echo LIBS := -L "c:/program files/openssl/lib" $(LIBS) >>Makefile.win && echo CFLAGS := -I "c:/program files/openssl/include" $(CFLAGS) >>Makefile.win && type Makefile.win'
+    - name: SSLPlugin Linux
+      if: ${{ startsWith(matrix.target, 'ubuntu') }}
+      run: 'echo PLUGINS := $(PLUGINS) SSLPlugin >>Makefile & echo LIBS := $(LIBS) -lcrypto -lssl >>Makefile'
+    - name: make
+      run: make
+    - name: mkdir
+      if: ${{ startsWith(matrix.target, 'ubuntu') }}
+      run: mkdir ~/3proxy
+    - name: make install
+      if: ${{ startsWith(matrix.target, 'ubuntu') }}
+      run: make DESTDIR=~/3proxy install
+    - name: make clean
+      run: make clean

.gitignore

@@ -5,7 +5,23 @@
 *.pydevproject
 .project
 .metadata
-bin/
+*.exe
+*.dll
+*.exp
+*.lib
+*.key
+*.pem
+*.so
+bin/3proxy
+bin/proxy
+bin/socks
+bin/tcppm
+bin/udppm
+bin/pop3p
+bin/smtpp
+bin/ftppr
+bin/mycrypt
+bin/tlspr
 bin64/
 dll/
 tmp/
@@ -18,6 +34,9 @@ tmp/
 *.err
 res
 version.c
+version
+version.sh
+buildlinux.sh
 3proxy.res
 
 src/3proxy
@@ -37,8 +56,7 @@ doc/html/man3/
 doc/html/man8/
 *.var
 verfile.sh
-Makefile
-Changelog
+/Makefile
 copytgz.sh
 *~.nib
 local.properties
@@ -77,7 +95,6 @@ local.properties
 [Rr]elease/
 x64/
 build/
-[Bb]in/
 [Oo]bj/
 
 # MSTest test Results

Dockerfile.full

@@ -0,0 +1,55 @@
+# 3proxy.full is fully functional 3proxy build based on busibox:glibc
+#
+#to  build:
+# docker build -f Dockerfile.full -t 3proxy.full .
+#to run:
+# by default 3proxy uses safe chroot environment with chroot to /usr/local/3proxy with uid/gid 65535/65535 and expects
+# configuration file to be placed in /usr/local/etc/3proxy.
+# Paths in configuration file must be relative to /usr/local/3proxy, that is use /logs instead of 
+# /usr/local/3proxy/logs. nserver in chroot is required for DNS resolution. An example:
+#
+# echo nserver 8.8.8.8 >/path/to/local/config/directory/3proxy.cfg
+# echo proxy -p3129 >>/path/to/local/config/directory/3proxy.cfg
+# docker run -p 3129:3129 -v /path/to/local/config/directory:/usr/local/3proxy/conf -name 3proxy.full 3proxy.full
+#
+# /path/to/local/config/directory in this example must conrain 3proxy.cfg
+# if you need 3proxy to be executed without chroot with root permissions, replace /etc/3proxy/3proxy.cfg by e.g. mounting config
+# dir to /etc/3proxy ot by providing config file /etc/3proxy/3proxy.cfg
+# docker run -p 3129:3129 -v /path/to/local/config/directory:/etc/3proxy -name 3proxy.full 3proxy.full
+#
+# use "log" without pathname in config to log to stdout.
+# plugins are located in /usr/local/3proxy/libexec (/libexec for chroot config).
+
+
+FROM gcc AS buildenv
+COPY . 3proxy
+RUN cd 3proxy &&\
+ echo "">> Makefile.Linux &&\
+ echo PLUGINS = StringsPlugin TrafficPlugin PCREPlugin TransparentPlugin SSLPlugin>>Makefile.Linux &&\
+ echo LIBS = -l:libcrypto.a -l:libssl.a -ldl >>Makefile.Linux &&\
+ make -f Makefile.Linux &&\
+ strip bin/3proxy &&\
+ strip bin/StringsPlugin.ld.so &&\
+ strip bin/TrafficPlugin.ld.so &&\
+ strip bin/PCREPlugin.ld.so &&\
+ strip bin/TransparentPlugin.ld.so &&\
+ strip bin/SSLPlugin.ld.so &&\
+ mkdir /usr/local/lib/3proxy &&\
+ cp "/lib/`gcc -dumpmachine`"/libdl.so.* /usr/local/lib/3proxy/
+
+FROM busybox:glibc
+COPY --from=buildenv /usr/local/lib/3proxy/libdl.so.* /lib/
+COPY --from=buildenv 3proxy/bin/3proxy /bin/
+COPY --from=buildenv 3proxy/bin/*.ld.so /usr/local/3proxy/libexec/
+RUN mkdir /usr/local/3proxy/logs &&\
+ mkdir /usr/local/3proxy/conf &&\
+ chown -R 65535:65535 /usr/local/3proxy &&\
+ chmod -R 550  /usr/local/3proxy &&\
+ chmod 750  /usr/local/3proxy/logs &&\
+ chmod -R 555 /usr/local/3proxy/libexec &&\
+ chown -R root /usr/local/3proxy/libexec &&\
+ mkdir /etc/3proxy/ &&\
+ echo chroot /usr/local/3proxy 65535 65535 >/etc/3proxy/3proxy.cfg &&\
+ echo include /conf/3proxy.cfg >>/etc/3proxy/3proxy.cfg &&\
+ chmod 440  /etc/3proxy/3proxy.cfg
+CMD ["/bin/3proxy", "/etc/3proxy/3proxy.cfg"]

Dockerfile.minimal

@@ -0,0 +1,41 @@
+# dockerfile for "interactive" minimal 3proxy execution, no configuration mounting is required, configuration
+# is accepted from stdin. Use "end" command to indicate the end of configuration. Use "log" for stdout logging.
+#
+# This is busybox based docker with only 3proxy static executable and empty non-writable "run" directory.
+#
+# "plugin" is not supported
+#
+# Build:
+#
+# docker build -f Dockerfile.minimal -t 3proxy.minimal .
+#
+# Run example:
+#
+# docker run -i -p 3129:3129 --name 3proxy 3proxy.minimal  
+#or
+# docker start -i 3proxy
+#<chroot run 65535 65535
+#<nserver 8.8.8.8
+#<nscache 65535
+#<log
+#<proxy -p3129
+#<end
+#
+# use "chroot run 65536 65536" in config for safe chroot environment. nserver is required for DNS resolutions in chroot.
+
+
+FROM gcc AS buildenv
+COPY . 3proxy
+RUN cd 3proxy &&\
+ echo "">>Makefile.Linux &&\
+ echo LDFLAGS = -fPIC -O2 -fno-strict-aliasing -pthread >>Makefile.Linux &&\
+ echo PLUGINS = >>Makefile.Linux &&\
+ echo LIBS = >>Makefile.Linux &&\
+ echo CFLAGS = -g  -fPIC -O2 -fno-strict-aliasing -c -pthread -DWITHSPLICE -D_GNU_SOURCE -DGETHOSTBYNAME_R -D_THREAD_SAFE -D_REENTRANT -DNOODBC -DWITH_STD_MALLOC -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_NETFILTER -DNOPLUGINS >>Makefile.Linux &&\
+ make -f Makefile.Linux &&\
+ strip bin/3proxy
+ 
+FROM busybox:glibc
+COPY --from=buildenv 3proxy/bin/3proxy /bin/3proxy
+RUN mkdir /run && chmod 555 /run
+CMD ["/bin/3proxy"]

Makefile.FreeBSD

@@ -0,0 +1,49 @@
+#
+# 3 proxy Makefile for GCC/Unix
+#
+# remove -DNOODBC from CFLAGS and add -lodbc to LDFLAGS to compile with ODBC
+# library support. Add -DSAFESQL for poorely written ODBC library / drivers.
+
+BUILDDIR = ../bin/
+CC ?= cc
+
+CFLAGS += -c -fno-strict-aliasing -DNOODBC -DWITH_STD_MALLOC -DFD_SETSIZE=4096 -DWITH_POLL
+COUT = -o 
+LN ?= ${CC}
+LDFLAGS += -pthread -fno-strict-aliasing 
+# -lpthreads may be reuiured on some platforms instead of -pthreads
+# -ldl or -lld may be required for some platforms
+DCFLAGS = -fPIC
+DLFLAGS = -shared
+DLSUFFICS = .so
+LIBS =
+LIBSPREFIX = -l
+LIBSSUFFIX = 
+LNOUT = -o 
+EXESUFFICS =
+OBJSUFFICS = .o
+DEFINEOPTION = -D
+COMPFILES = *~
+REMOVECOMMAND = rm -f
+AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -perm +111 -delete) || true
+TYPECOMMAND = cat
+COMPATLIBS =
+MAKEFILE = Makefile.FreeBSD
+PLUGINS = StringsPlugin TrafficPlugin PCREPlugin PamAuth TransparentPlugin
+
+include Makefile.inc
+
+install: all
+	if [ ! -d "/usr/local/3proxy/bin" ]; then mkdir -p /usr/local/3proxy/bin/; fi
+	install bin/3proxy /usr/local/3proxy/bin/3proxy
+	install bin/mycrypt /usr/local/3proxy/bin/mycrypt
+	install scripts/add3proxyuser.sh /usr/local/3proxy/bin/
+	if [ -s /usr/local/etc/3proxy/3proxy.cfg ]; then /usr/local/3proxy/3proxy.cfg already exists ; else install scripts/3proxy.cfg /usr/local/etc/3proxy/; fi
+	if [ ! -d /var/log/3proxy/ ]; then mkdir /var/log/3proxy/; fi
+	touch /usr/local/3proxy/passwd
+	touch /usr/local/3proxy/counters
+	touch /usr/local/3proxy/bandlimiters
+	echo Run /usr/local/3proxy/bin/add3proxyuser.sh to add \'admin\' user
+
+allplugins:
+	@list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ;	cd ../.. ; done

Makefile.Linux

@@ -7,14 +7,14 @@
 # remove -DNOODBC from CFLAGS and add -lodbc to LIBS to compile with ODBC
 # library support. Add -DSAFESQL for poorely written ODBC library / drivers.
 
-BUILDDIR =
+BUILDDIR = ../bin/
 CC = gcc
 
-CFLAGS = -g -O2 -fno-strict-aliasing -c -pthread -DGETHOSTBYNAME_R -D_THREAD_SAFE -D_REENTRANT -DNOODBC -DWITH_STD_MALLOC -DFD_SETSIZE=4096 -DWITH_POLL
+CFLAGS = -g  -fPIC -O2 -fno-strict-aliasing -c -pthread -DWITHSPLICE -D_GNU_SOURCE -DGETHOSTBYNAME_R -D_THREAD_SAFE -D_REENTRANT -DNOODBC -DWITH_STD_MALLOC -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_NETFILTER
 COUT = -o 
-LN = gcc
-DCFLAGS = -fpic
-LDFLAGS = -O2 -fno-strict-aliasing -pthread
+LN = $(CC)
+DCFLAGS = 
+LDFLAGS = -fPIC -O2 -fno-strict-aliasing -pthread
 DLFLAGS = -shared
 DLSUFFICS = .ld.so
 # -lpthreads may be reuqired on some platforms instead of -pthreads
@@ -26,6 +26,7 @@ OBJSUFFICS = .o
 DEFINEOPTION = -D
 COMPFILES = *~
 REMOVECOMMAND = rm -f
+AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -executable -delete) || true
 TYPECOMMAND = cat
 COMPATLIBS =
 MAKEFILE = Makefile.Linux
@@ -42,54 +43,77 @@ allplugins:
 	@list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ;	cd ../.. ; done
 
 DESTDIR		=
-prefix		= /usr/local
+prefix		= 
 exec_prefix	= $(prefix)
-man_prefix	= $(prefix)/share
+man_prefix	= /usr/share
+chroot_prefix	= /usr/local
 
 INSTALL		= /usr/bin/install
 INSTALL_BIN	= $(INSTALL) -m 755
 INSTALL_DATA	= $(INSTALL) -m 644
-INSTALL_OBJS	= src/3proxy \
-		  src/dighosts \
-		  src/ftppr \
-		  src/mycrypt \
-		  src/pop3p \
-		  src/proxy \
-		  src/socks \
-		  src/tcppm \
-		  src/udppm
+INSTALL_OBJS	= bin/3proxy \
+		  bin/ftppr \
+		  bin/mycrypt \
+		  bin/pop3p \
+		  bin/proxy \
+		  bin/socks \
+		  bin/tcppm \
+		  bin/udppm \
+		  bin/tlspr
 		  
 
+INSTALL_CFG	 = scripts/3proxy.cfg.chroot
 INSTALL_CFG_OBJS = scripts/3proxy.cfg \
 		   scripts/add3proxyuser.sh
-INSTALL_CFG_DEST = config
 
-INSTALL_CFG_OBJS2 = passwd counters bandlimiters
+INSTALL_CFG_OBJS2 = counters bandlimiters
 
+INSTALL_INITD_SCRIPT = scripts/init.d/3proxy.sh
+INSTALL_SYSTEMD_SCRIPT = scripts/3proxy.service
+
+CHROOTDIR	= $(DESTDIR)$(chroot_prefix)/3proxy
+CHROOTREL	= ../..$(chroot_prefix)/3proxy
 MANDIR1		= $(DESTDIR)$(man_prefix)/man/man1
 MANDIR3		= $(DESTDIR)$(man_prefix)/man/man3
 MANDIR8		= $(DESTDIR)$(man_prefix)/man/man8
 BINDIR		= $(DESTDIR)$(exec_prefix)/bin
-ETCDIR		= $(DESTDIR)$(prefix)/etc/3proxy
+ETCDIR		= $(DESTDIR)/etc/3proxy
+INITDDIR	= $(DESTDIR)/etc/init.d
+RUNBASE		= $(DESTDIR)/var/run
+RUNDIR		= $(RUNBASE)/3proxy
+LOGBASE		= $(DESTDIR)/var/log
+LOGDIR		= $(LOGBASE)/3proxy
+INSTALL_CFG_DEST = $(ETCDIR)/conf
+SYSTEMDDIR	= $(DESTDIR)/usr/lib/systemd/system/
 
 install-bin:
 	$(INSTALL_BIN) -d $(BINDIR)
 	$(INSTALL_BIN) -s $(INSTALL_OBJS) $(BINDIR)
+	$(INSTALL_BIN) -s bin/*.ld.so $(CHROOTDIR)/libexec
+	chmod -R a-w $(CHROOTDIR)/libexec
 
 install-etc-dir:
 	$(INSTALL_BIN) -d $(ETCDIR)
 
+install-chroot-dir:
+	$(INSTALL_BIN) -d $(CHROOTDIR)
+	$(INSTALL_BIN) -d $(CHROOTDIR)/conf
+	$(INSTALL_BIN) -d $(CHROOTDIR)/logs
+	$(INSTALL_BIN) -d $(CHROOTDIR)/count
+	$(INSTALL_BIN) -d $(CHROOTDIR)/libexec
+	chmod -R o-rwx $(CHROOTDIR)
+
 install-etc-default-config:
-	if [ -f $(ETCDIR)/$(INSTALL_CFG_DEST) ]; then \
-	   : ; \
-	else \
-	   $(INSTALL_DATA) $(INSTALL_CFG_OBJS) $(ETCDIR)/$(INSTALL_CFG_DEST) \
+	if [ ! -d $(INSTALL_CFG_DEST) ]; then \
+	   ln -s $(CHROOTREL)/conf $(INSTALL_CFG_DEST); \
+	   $(INSTALL_BIN) $(INSTALL_CFG) $(ETCDIR)/3proxy.cfg; \
+	   $(INSTALL_BIN) $(INSTALL_CFG_OBJS) $(INSTALL_CFG_DEST); \
 	fi
 
-install-etc: install-etc-dir
+install-etc: install-etc-dir install-etc-default-config
 	for file in $(INSTALL_CFG_OBJS2); \
 	do \
-	  touch $(ETCDIR)/$$file; chmod 0600 $(ETCDIR)/$$file; \
+	  touch $(INSTALL_CFG_DEST)/$$file; chmod 0600 $(INSTALL_CFG_DEST)/$$file; \
 	done;
 
 install-man:
@@ -98,5 +122,23 @@ install-man:
 	$(INSTALL_DATA) man/*.3 $(MANDIR3)
 	$(INSTALL_DATA) man/*.8 $(MANDIR8)
 
-install: install-bin install-etc install-man
+install-init:
+	$(INSTALL_BIN) -d $(INITDDIR)
+	$(INSTALL_BIN) $(INSTALL_INITD_SCRIPT) $(INITDDIR)/3proxy
+	$(INSTALL_BIN) -d $(SYSTEMDDIR)
+	$(INSTALL_DATA) $(INSTALL_SYSTEMD_SCRIPT) $(SYSTEMDDIR)
 
+install-run:
+	$(INSTALL_BIN) -d $(RUNDIR)
+
+install-log:
+	$(INSTALL_BIN) -d $(LOGBASE)
+	@if [ ! -d $(LOGDIR) ]; then \
+	 ln -s $(CHROOTREL)/logs $(LOGDIR);\
+	fi
+
+install: install-chroot-dir install-bin install-etc install-log install-man install-run install-init
+	@if [ "$(DESTDIR)" = "" ]; then \
+	 sh scripts/debian/preinst; \
+	 sh scripts/debian/postinst; \
+	fi

Makefile.Solaris

@@ -7,13 +7,13 @@
 # remove -DNOODBC from CFLAGS and add -lodbc to LDFLAGS to compile with ODBC
 # library support. Add -DSAFESQL for poorely written ODBC library / drivers.
 
-BUILDDIR =
+BUILDDIR = ../bin/
 CC = cc
 CFLAGS = -xO3 -c -D_SOLARIS -D_THREAD_SAFE -DGETHOSTBYNAME_R -D_REENTRANT -DNOODBC -DWITH_STD_MALLOC -DFD_SETSIZE=4096 -DWITH_POLL
 COUT = -o ./
-LN = cc
+LN = $(CC)
 LDFLAGS = -xO3
-DCFLAGS = -fpic
+DCFLAGS = -fPIC
 DLFLAGS = -shared
 DLSUFFICS = .ld.so
 LIBS = -lpthread -lsocket -lnsl -lresolv -ldl
@@ -25,10 +25,11 @@ OBJSUFFICS = .o
 DEFINEOPTION = -D
 COMPFILES = *~
 REMOVECOMMAND = rm -f
+AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -executable -delete) || true
 TYPECOMMAND = cat
 COMPATLIBS =
 MAKEFILE = Makefile.Solaris
-PLUGINS = StringsPlugin TrafficPlugin PCREPlugin
+PLUGINS = StringsPlugin TrafficPlugin PCREPlugin TransparentPlugin
 
 include Makefile.inc
 

Makefile.Solaris-gcc

@@ -8,13 +8,13 @@
 # library support. Add -DSAFESQL for poorely written ODBC library / drivers.
 
 
-BUILDDIR =
+BUILDDIR = ../bin/
 CC = gcc
 CFLAGS = -O2 -fno-strict-aliasing -c -D_SOLARIS -D_THREAD_SAFE -DGETHOSTBYNAME_R -D_REENTRANT -DNOODBC -DWITH_STD_MALLOC -DFD_SETSIZE=4096 -DWITH_POLL
 COUT = -o ./
-LN = gcc
+LN = $(CC)
 LDFLAGS = -O3
-DCFLAGS = -fpic
+DCFLAGS = -fPIC
 DLFLAGS = -shared
 DLSUFFICS = .ld.so
 LIBS = -lpthread -lsocket -lnsl -lresolv -ldl
@@ -26,6 +26,7 @@ OBJSUFFICS = .o
 DEFINEOPTION = -D
 COMPFILES = *~
 REMOVECOMMAND = rm -f
+AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -executable -delete) || true
 TYPECOMMAND = cat
 COMPATLIBS =
 MAKEFILE = Makefile.Solaris-gcc

Makefile.inc

@@ -3,10 +3,11 @@
 #
 
 all:
-	$(TYPECOMMAND) $(MAKEFILE) > src/Makefile.var
+	@$(TYPECOMMAND) $(MAKEFILE) > src/Makefile.var
 	@cd src && $(MAKE)
 
 clean:
-	@$(REMOVECOMMAND) *$(OBJSUFFICS) $(COMPFILES)
-	@cd src && $(MAKE) clean
+	@cd src && $(REMOVECOMMAND) *$(OBJSUFFICS) $(COMPFILES) && cd ..
+	@$(AFTERCLEAN)
+	
 

Makefile.llvm

@@ -10,13 +10,13 @@
 
 BUILDDIR = ../bin/
 CC = clang
-CFLAGS = -O2 -fno-strict-aliasing -c -pthread -static -DWITH_STD_MALLOC -DNOIPV6
+CFLAGS = -O2 -fno-strict-aliasing -c -pthread -DWITH_STD_MALLOC -DWITH_WSAPOLL
 COUT = -o 
-LN = clang
-LDFLAGS = -O2 -fno-strict-aliasing -static -s
+LN = $(CC)
+LDFLAGS = -O2 -fno-strict-aliasing -s
 DLFLAGS = -shared
 DLSUFFICS = .dll
-LIBS = -lws2_32 -lodbc32 -ladvapi32
+LIBS = -lws2_32 -lodbc32 -ladvapi32 -luser32 -lcrypto -lssl
 LIBSPREFIX = -l
 LIBSSUFFIX = 
 LNOUT = -o 
@@ -25,12 +25,22 @@ OBJSUFFICS = .o
 DEFINEOPTION = -D
 COMPFILES = *.tmp
 REMOVECOMMAND = rm -f
+AFTERCLEAN = find src/ -type f -name "*.o" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -executable -delete
 TYPECOMMAND = cat
 COMPATLIBS =
-MAKEFILE = Makefile.win
-PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin PCREPlugin
+MAKEFILE = Makefile.llvm
+PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin PCREPlugin SSLPlugin
+VERFILE := 3proxy.res $(VERFILE)
+VERSION := $(VERSION)
+VERSIONDEP := 3proxy.res $(VERSIONDEP)
+BUILDDATE := $(BUILDDATE)
+AFTERCLEAN = (find . -type f -name "*.o" -delete && find . -type f -name "*.res" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -executable -delete) || true
 
 include Makefile.inc
 
+3proxy.res:
+	llvm-rc 3proxy.rc
+
 allplugins:
-	for /D %%i in ($(PLUGINS)) do (copy Makefile plugins\%%i && copy Makefile.var plugins\%%i && cd plugins\%%i && nmake && del *.o &&cd ..\..)
+	@list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ;	cd ../.. ; done
+

Makefile.msvc

@@ -8,13 +8,13 @@
 
 BUILDDIR = ../bin/
 CC = cl
-CFLAGS = /nologo /MT /W3 /Ox /GS /EHs- /GA /GF /D "MSVC" /D "WITH_STD_MALLOC" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "_WIN32" /Fp"proxy.pch" /FD /c
+CFLAGS = /nologo /MT /W3 /Ox /GS /EHs- /GA /GF /D "MSVC" /D "WITH_STD_MALLOC" /D "WITH_WSAPOLL" /D "NDEBUG" /D "WIN32" /D "WITH_SSL" /D "_CONSOLE" /D "_MBCS" /D "_WIN32" /D "PRINTF_INT64_MODIFIER=\"I64\"" /Fp"proxy.pch" /FD /c $(VERSION) $(BUILDDATE)
 COUT = /Fo
 LN = link
 LDFLAGS =  /nologo /subsystem:console /incremental:no /machine:I386
 DLFLAGS = /DLL
 DLSUFFICS = .dll
-LIBS = ws2_32.lib advapi32.lib odbc32.lib user32.lib kernel32.lib Gdi32.lib libeay32MT.lib ssleay32MT.lib
+LIBS = ws2_32.lib advapi32.lib odbc32.lib user32.lib kernel32.lib Gdi32.lib Crypt32.lib  libcrypto.lib libssl.lib
 LIBSOLD = libeay32MT.lib ssleay32MT.lib
 LIBSPREFIX = 
 LIBSSUFFIX = .lib
@@ -24,20 +24,21 @@ EXESUFFICS = .exe
 OBJSUFFICS = .obj
 DEFINEOPTION = /D 
 COMPFILES = *.pch *.idb
-REMOVECOMMAND = del 2>NUL >NUL
+REMOVECOMMAND = del
 TYPECOMMAND = type
 COMPATLIBS =
 MAKEFILE = Makefile.msvc
 PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin PCREPlugin FilePlugin SSLPlugin
-VERFILE = $(VERFILE)
+VERFILE = 3proxy.res $(VERFILE)
+VERSION = $(VERSION)
+VERSIONDEP = 3proxy.res $(VERSIONDEP)
+BUILDDATE = $(BUILDDATE)
+AFTERCLEAN = if exist src\*.res (del src\*.res) && if exist src\*.err (del src\*.err)
 
 include Makefile.inc
 
-../3proxy.res:
-	rc /fo../3proxy.res ../3proxy.rc
-
-3proxyres.obj: ../3proxy.res
-	cvtres /out:3proxyres.obj /MACHINE:I386 ../3proxy.res
+3proxy.res:
+	rc 3proxy.rc
 
 allplugins:
 	for /D %%i in ($(PLUGINS)) do (copy Makefile plugins\%%i && copy Makefile.var plugins\%%i && cd plugins\%%i && nmake && del *.obj *.idb &&cd ..\..)

Makefile.msvc64

@@ -8,14 +8,14 @@
 
 BUILDDIR = ../bin64/
 CC = cl
-CFLAGS = /nologo /MT /W3 /Ox /EHs- /GS /GA /GF /D "MSVC" /D "WITH_STD_MALLOC" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "_WIN32" /Fp"proxy.pch" /FD /c
+CFLAGS = /nologo /MT /W3 /Ox /EHs- /GS /GA /GF /D "MSVC" /D "WITH_STD_MALLOC" /D "WITH_SSL" /D "WITH_WSAPOLL" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "_WIN32" /D "PRINTF_INT64_MODIFIER=\"I64\"" /Fp"proxy.pch" /FD /c $(VERSION) $(BUILDDATE)
 COUT = /Fo
 LN = link
 LDFLAGS = /nologo /subsystem:console /incremental:no /machine:x64
 DLFLAGS = /DLL
 DLSUFFICS = .dll
-LIBS = ws2_32.lib advapi32.lib odbc32.lib user32.lib kernel32.lib Gdi32.lib libeay32MT.lib ssleay32MT.lib
-LIBSOLD = libeay32MT.lib ssleay32MT.lib
+LIBS = ws2_32.lib advapi32.lib odbc32.lib user32.lib kernel32.lib Gdi32.lib Crypt32.lib libcrypto.lib libssl.lib
+LIBSOLD = libeay32.lib ssleay32.lib
 LIBSPREFIX = 
 LIBSSUFFIX = .lib
 LIBEXT = .lib
@@ -27,20 +27,15 @@ COMPFILES = *.pch *.idb
 REMOVECOMMAND = del 2>NUL >NUL
 TYPECOMMAND = type
 COMPATLIBS =
-MAKEFILE = Makefile.msvc64
+VERFILE = 3proxy.res $(VERFILE)
+VERSIONDEP = 3proxy.res $(VERSIONDEP)
 PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin PCREPlugin FilePlugin SSLPlugin
-VERFILE = $(VERFILE)
-
-#../3proxy.res:
-#	rc /fo../3proxy.res ../3proxy.rc
-
-#3proxyres.obj: ../3proxy.res
-#	cvtres /out:3proxyres.obj /MACHINE:X64 ../3proxy.res
+AFTERCLEAN = del src\*.res
 
 include Makefile.inc
 
-../3proxy.res:
-	rc /fo../3proxy.res ../3proxy.rc
+3proxy.res:
+	rc 3proxy.rc
 
 3proxyres.obj: ../3proxy.res
 	cvtres /out:3proxyres.obj /machine:x64 ../3proxy.res

Makefile.msvcARM64

@@ -0,0 +1,48 @@
+#
+# 3 proxy Makefile for Microsoft Visual C compiler (for both make and nmake)
+#
+# You can try to remove -DWITH_STD_MALLOC to CFLAGS to use optimized malloc
+# libraries
+#
+# Add /DSAFESQL to CFLAGS if you are using poorely written/tested ODBC driver
+
+BUILDDIR = ../bin64/
+CC = cl
+CFLAGS = /nologo /MT /W3 /Ox /EHs- /GS /GA /GF /D "MSVC" /D "WITH_STD_MALLOC" /D "WITH_WSAPOLL" /D "WITH_SSL" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "_WIN32" /D "PRINTF_INT64_MODIFIER=\"I64\"" /Fp"proxy.pch" /FD /c $(VERSION) $(BUILDDATE)
+COUT = /Fo
+LN = link
+LDFLAGS = /nologo /subsystem:console /incremental:no /machine:arm64
+DLFLAGS = /DLL
+DLSUFFICS = .dll
+LIBS = ws2_32.lib advapi32.lib odbc32.lib user32.lib kernel32.lib Gdi32.lib libcrypto.lib libssl.lib
+LIBSOLD =
+LIBSPREFIX = 
+LIBSSUFFIX = .lib
+LIBEXT = .lib
+LNOUT = /out:
+EXESUFFICS = .exe
+OBJSUFFICS = .obj
+DEFINEOPTION = /D 
+COMPFILES = *.pch *.idb
+REMOVECOMMAND = del 2>NUL >NUL
+TYPECOMMAND = type
+COMPATLIBS =
+MAKEFILE = Makefile.msvcARM64
+PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin PCREPlugin FilePlugin SSLPlugin
+VERFILE = 3proxy.res $(VERFILE)
+VERSIONDEP = 3proxy.res $(VERSIONDEP)
+AFTERCLEAN = del src\*.res
+
+
+include Makefile.inc
+
+3proxy.res:
+	rc 3proxy.rc
+
+3proxyres.obj: ../3proxy.res
+	cvtres /out:3proxyres.obj /machine:x64 ../3proxy.res
+
+
+allplugins:
+	for /D %%i in ($(PLUGINS)) do (copy Makefile plugins\%%i && copy Makefile.var plugins\%%i && cd plugins\%%i && nmake && del *.obj *.idb &&cd ..\..)
+

Makefile.msvcCE

@@ -8,7 +8,7 @@
 
 BUILDDIR = ../bin/
 CC = cl
-CFLAGS = /DARM /D "NOODBC" /nologo /MT /W3 /Wp64 /Ox /GS /EHs- /GA /GF /D "MSVC" /D "_WINCE" /D "WITH_STD_MALLOC" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "_WIN32" /Fp"proxy.pch" /FD /c
+CFLAGS = /DARM /D "NOODBC" /nologo /MT /W3 /Wp64 /Ox /GS /EHs- /GA /GF /D "MSVC" /D "_WINCE" /D "WITH_STD_MALLOC" /D "NDEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "_WIN32" /D "PRINTF_INT64_MODIFIER=\"I64\"" /Fp"proxy.pch" /FD /c
 COUT = /Fo
 LN = link
 LDFLAGS = /nologo /subsystem:console /incremental:no

Makefile.openwrt-mips

@@ -0,0 +1,102 @@
+#
+# 3 proxy Makefile for GCC/Linux/Cygwin
+#
+# You can try to remove -DWITH_STD_MALLOC to CFLAGS to use optimized malloc
+# libraries
+#
+# remove -DNOODBC from CFLAGS and add -lodbc to LIBS to compile with ODBC
+# library support. Add -DSAFESQL for poorely written ODBC library / drivers.
+
+BUILDDIR = ../bin/
+CC = mips-openwrt-linux-gcc
+
+CFLAGS = -g -O2 -fno-strict-aliasing -c -pthread -DGETHOSTBYNAME_R -D_THREAD_SAFE -D_REENTRANT -DNOODBC -DWITH_STD_MALLOC -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_NETFILTER
+COUT = -o 
+LN = $(CC)
+DCFLAGS = -fPIC
+LDFLAGS = -O2 -fno-strict-aliasing -pthread -s
+DLFLAGS = -shared
+DLSUFFICS = .ld.so
+# -lpthreads may be reuqired on some platforms instead of -pthreads
+LIBSPREFIX = -l
+LIBSSUFFIX = 
+LNOUT = -o 
+EXESUFFICS =
+OBJSUFFICS = .o
+DEFINEOPTION = -D
+COMPFILES = *~
+REMOVECOMMAND = rm -f
+AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -executable -delete) || true
+TYPECOMMAND = cat
+COMPATLIBS =
+MAKEFILE = Makefile.openwrt-mips
+# PamAuth requires libpam, you may require pam-devel package to be installed
+# SSLPlugin requires  -lcrypto -lssl
+#LIBS = -lcrypto -lssl -ldl 
+LIBS = -ldl 
+#PLUGINS = SSLPlugin StringsPlugin TrafficPlugin PCREPlugin TransparentPlugin PamAuth
+PLUGINS = StringsPlugin TrafficPlugin PCREPlugin TransparentPlugin
+
+include Makefile.inc
+
+allplugins:
+	@list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ;	cd ../.. ; done
+
+DESTDIR		=
+prefix		= /usr/local
+exec_prefix	= $(prefix)
+man_prefix	= $(prefix)/share
+
+INSTALL		= /usr/bin/install
+INSTALL_BIN	= $(INSTALL) -m 755
+INSTALL_DATA	= $(INSTALL) -m 644
+INSTALL_OBJS	= src/3proxy \
+		  src/ftppr \
+		  src/mycrypt \
+		  src/pop3p \
+		  src/proxy \
+		  src/socks \
+		  src/tcppm \
+		  src/udppm
+		  
+
+INSTALL_CFG_OBJS = scripts/3proxy.cfg \
+		   scripts/add3proxyuser.sh
+INSTALL_CFG_DEST = config
+
+INSTALL_CFG_OBJS2 = passwd counters bandlimiters
+
+MANDIR1		= $(DESTDIR)$(man_prefix)/man/man1
+MANDIR3		= $(DESTDIR)$(man_prefix)/man/man3
+MANDIR8		= $(DESTDIR)$(man_prefix)/man/man8
+BINDIR		= $(DESTDIR)$(exec_prefix)/bin
+ETCDIR		= $(DESTDIR)$(prefix)/etc/3proxy
+
+install-bin:
+	$(INSTALL_BIN) -d $(BINDIR)
+	$(INSTALL_BIN) -s $(INSTALL_OBJS) $(BINDIR)
+
+install-etc-dir:
+	$(INSTALL_BIN) -d $(ETCDIR)
+
+install-etc-default-config:
+	if [ -f $(ETCDIR)/$(INSTALL_CFG_DEST) ]; then \
+	   : ; \
+	else \
+	   $(INSTALL_DATA) $(INSTALL_CFG_OBJS) $(ETCDIR)/$(INSTALL_CFG_DEST) \
+	fi
+
+install-etc: install-etc-dir
+	for file in $(INSTALL_CFG_OBJS2); \
+	do \
+	  touch $(ETCDIR)/$$file; chmod 0600 $(ETCDIR)/$$file; \
+	done;
+
+install-man:
+	$(INSTALL_BIN) -d $(MANDIR3)
+	$(INSTALL_BIN) -d $(MANDIR8)
+	$(INSTALL_DATA) man/*.3 $(MANDIR3)
+	$(INSTALL_DATA) man/*.8 $(MANDIR8)
+
+install: install-bin install-etc install-man
+

Makefile.unix

@@ -7,17 +7,17 @@
 # remove -DNOODBC from CFLAGS and add -lodbc to LDFLAGS to compile with ODBC
 # library support. Add -DSAFESQL for poorely written ODBC library / drivers.
 
-BUILDDIR =
+BUILDDIR = ../bin/
 CC = gcc
 
 # you may need -L/usr/pkg/lib for older NetBSD versions
 CFLAGS = -g -O2 -fno-strict-aliasing -c -pthread -D_THREAD_SAFE -D_REENTRANT -DNOODBC -DWITH_STD_MALLOC -DFD_SETSIZE=4096 -DWITH_POLL
 COUT = -o 
-LN = gcc
+LN = $(CC)
 LDFLAGS = -O2 -fno-strict-aliasing -pthread
 # -lpthreads may be reuqired on some platforms instead of -pthreads
 # -ldl or -lld may be required for some platforms
-DCFLAGS = -fpic
+DCFLAGS = -fPIC
 DLFLAGS = -shared
 DLSUFFICS = .ld.so
 LIBS =
@@ -29,17 +29,18 @@ OBJSUFFICS = .o
 DEFINEOPTION = -D
 COMPFILES = *~
 REMOVECOMMAND = rm -f
+AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -executable -delete) || true
 TYPECOMMAND = cat
 COMPATLIBS =
 MAKEFILE = Makefile.unix
-PLUGINS = StringsPlugin TrafficPlugin PCREPlugin PamAuth
+PLUGINS = StringsPlugin TrafficPlugin PCREPlugin PamAuth TransparentPlugin
 
 include Makefile.inc
 
 install: all
 	if [ ! -d /usr/local/etc/3proxy/bin ]; then mkdir -p /usr/local/etc/3proxy/bin/; fi
-	install src/3proxy /usr/local/etc/3proxy/bin/3proxy
-	install src/mycrypt /usr/local/etc/3proxy/bin/mycrypt
+	install bin/3proxy /usr/local/etc/3proxy/bin/3proxy
+	install bin/mycrypt /usr/local/etc/3proxy/bin/mycrypt
 	install scripts/rc.d/proxy.sh /usr/local/etc/rc.d/proxy.sh
 	install scripts/add3proxyuser.sh /usr/local/etc/3proxy/bin/
 	if [ -s /usr/local/etc/3proxy/3proxy.cfg ]; then

Makefile.unix-install

@@ -6,15 +6,14 @@ man_prefix	= $(prefix)/share
 INSTALL		= /usr/bin/install
 INSTALL_BIN	= $(INSTALL) -m 755
 INSTALL_DATA	= $(INSTALL) -m 644
-INSTALL_OBJS	= src/3proxy \
-		  src/dighosts \
-		  src/ftppr \
-		  src/mycrypt \
-		  src/pop3p \
-		  src/proxy \
-		  src/socks \
-		  src/tcppm \
-		  src/udppm \
+INSTALL_OBJS	= bin/3proxy \
+		  bin/ftppr \
+		  bin/mycrypt \
+		  bin/pop3p \
+		  bin/proxy \
+		  bin/socks \
+		  bin/tcppm \
+		  bin/udppm \
 		  scripts/add3proxyuser.sh
 
 INSTALL_CFG_OBJS = scripts/3proxy.cfg

Makefile.watcom

@@ -8,7 +8,7 @@
 
 BUILDDIR = ../bin/
 CC = cl
-CFLAGS = /nologo /Ox /MT /D "NOIPV6" /D "NODEBUG" /D "NOODBC" /D"WATCOM" /D "MSVC" /D "WITH_STD_MALLOC" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "_WIN32" /c
+CFLAGS = /nologo /Ox /MT /D "NOIPV6" /D "NODEBUG" /D "NOODBC" /D "NORADIUS" /D"WATCOM" /D "MSVC" /D "WITH_STD_MALLOC" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "_WIN32" /D "PRINTF_INT64_MODIFIER=\"I64\"" /c $(VERSION) $(BUILDDATE)
 COUT = /Fo
 LN = link
 LDFLAGS = /nologo /subsystem:console /incremental:no 
@@ -30,14 +30,43 @@ COMPATLIBS =
 MAKEFILE = Makefile.watcom
 PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin PCREPlugin
 VERFILE = $(VERFILE)
+VERSION = $(VERSION)
+VERSIONDEP = 3proxy.res $(VERSIONDEP)
+BUILDDATE = $(BUILDDATE)
 
 include Makefile.inc
 
-../3proxy.res:
-	rc /fo../3proxy.res ../3proxy.rc
-
-3proxyres.obj: ../3proxy.res
-	cvtres /out:3proxyres.obj ../3proxy.res
+3proxy.res:
+	rc 3proxy.rc
 
 allplugins:
-	call ../makeplugins.bat	
+	copy Makefile plugins\utf8tocp1251
+	copy Makefile.var plugins\utf8tocp1251
+	cd plugins\utf8tocp1251
+	nmake
+	del *.obj *.idb
+	cd ../../
+	copy Makefile plugins\WindowsAuthentication
+	copy Makefile.var plugins\WindowsAuthentication
+	cd plugins\WindowsAuthentication
+	nmake
+	del *.obj *.idb
+	cd ../../
+	copy Makefile plugins\TrafficPlugin
+	copy Makefile.var plugins\TrafficPlugin
+	cd plugins\TrafficPlugin
+	nmake
+	del *.obj *.idb
+	cd ../../
+	copy Makefile plugins\StringsPlugin
+	copy Makefile.var plugins\StringsPlugin
+	cd plugins\StringsPlugin
+	nmake
+	del *.obj *.idb
+	cd ../../
+	copy Makefile plugins\PCREPlugin
+	copy Makefile.var plugins\PCREPlugin
+	cd plugins\PCREPlugin
+	nmake
+	del *.obj *.idb
+	cd ../../

Makefile.win

@@ -10,13 +10,13 @@
 
 BUILDDIR = ../bin/
 CC = gcc
-CFLAGS = -O2 -s -c -mthreads -DWITH_STD_MALLOC -DNOIPV6
+CFLAGS = -O2 -s -c -mthreads -DWITH_STD_MALLOC -DWITH_WSAPOLL 
 COUT = -o 
 LN = gcc
 LDFLAGS = -O2 -s -mthreads
 DLFLAGS = -shared
 DLSUFFICS = .dll
-LIBS = -lws2_32 -lodbc32 -ladvapi32
+LIBS = -lws2_32 -lodbc32 -ladvapi32 -luser32 -lcrypto -lssl
 LIBSPREFIX = -l
 LIBSSUFFIX = 
 LNOUT = -o 
@@ -28,9 +28,18 @@ REMOVECOMMAND = rm -f
 TYPECOMMAND = cat
 COMPATLIBS =
 MAKEFILE = Makefile.win
-PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin PCREPlugin
+PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin PCREPlugin SSLPLugin
+VERFILE := 3proxyres.o $(VERFILE)
+VERSION := $(VERSION)
+VERSIONDEP := 3proxyres.o $(VERSIONDEP)
+BUILDDATE := $(BUILDDATE)
+AFTERCLEAN = (find . -type f -name "*.o" -delete && find . -type f -name "*.res" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -executable -delete) || true
 
 include Makefile.inc
 
+3proxyres.o:
+	windres 3proxy.rc -o 3proxyres.o
+
 allplugins:
-	@list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ;  rm *.o ; cd ../.. ; done
+	@list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ;	cd ../.. ; done
+

Makefile.winCE

@@ -10,7 +10,7 @@
 
 BUILDDIR = ../bin/
 CC = /opt/cegcc/arm-wince-cegcc/bin/gcc
-CFLAGS = -O2 -s -c -mthreads -DWITH_STD_MALLOC -DNOODBC -D_WINCE -D_WIN32 -D__USE_W32_SOCKETS
+CFLAGS = -O2 -s -c -mthreads -DWITH_STD_MALLOC -DNOODBC -D_WINCE -D_WIN32 -DNORADIUS -D__USE_W32_SOCKETS
 COUT = -o 
 LN = /opt/cegcc/arm-wince-cegcc/bin/gcc
 LDFLAGS = -O2 -s -mthreads

README

@@ -1,86 +1,155 @@
-/*
-   3APA3A 3proxy tiny proxy server
-   (c) 2002-2016 by Vladimir '3APA3A' Dubrovin <3proxy@3proxy.ru>
+# 3APA3A 3proxy tiny proxy server
+(c) 2002-2025 by Vladimir '3APA3A' Dubrovin <3proxy@3proxy.org>
 
-   please read License Agreement
-*/
 
-Please read doc/html/index.html and man pages.
+Branches:
+Master (stable) branch - 3proxy 0.9 
+Devel branch - 3proxy 10 (don't use it)
+
+
+* Download
+	Binaries and sources for released (master) versions (Windows, Linux):
+	https://github.com/z3APA3A/3proxy/releases
+
+	Docker images:
+	https://hub.docker.com/repository/docker/3proxy/3proxy
+	Archive of old versions: https://github.com/z3APA3A/3proxy-archive
+
+* Documentation
+	Documentation (man pages and HTML) available with download, on https://3proxy.org/
+	and in github wiki https://github.com/3proxy/3proxy/wiki
+
+* Windows installation
+
+3proxy --install 
+	
+	installs and starts proxy as Windows service
+	(config file should be located in the same directory)
+
+3proxy --remove 
+
+	removes the service (should be stopped before via
+	'net stop 3proxy').
+
+* To build in Linux
+
+install git and build-essential packages, use
+
+git clone https://github.com/z3apa3a/3proxy
+cd 3proxy
+ln -s Makefile.Linux Makefile
+make
+sudo make install
+
+Default configuration (for Linux/Unix):
+3proxy uses 2 configuration files:
+/etc/3proxy/3proxy.cfg (before-chroot). This configuration file is executed before chroot and should not be modified.
+/usr/local/3proxy/conf/3proxy.cfg symlinked from /etc/3proxy/conf/3proxy.cfg (after-chroot) is a main configuration file. Modify this file, if required.
+All paths in /usr/local/3proxy/conf/3proxy.cfg are relative to chroot directory (/usr/local/3proxy). For future versions it's planned to move
+3proxy chroot direcory to /var.
+Log files are created in /usr/local/3proxy/logs symlinked from /var/log/3proxy.
+By default, socks is started on 0.0.0.0:1080 and proxy on 0.0.0.0:3128 with basic auth, no users are added by default.
+
+use /etc/3proxy/conf/add3proxyuser.sh script to add users.
+
+usage: /etc/3proxy/conf/add3proxyuser.sh username password [day_limit] [bandwidth]
+        day_limit - traffic limit in MB per day
+        bandwidth - bandwith in bits per second 1048576 = 1Mbps
+
+or modify /etc/3proxy/conf/ files directly.
+
+* For MacOS X / FreeBSD / *BSD
+
+git clone https://github.com/z3apa3a/3proxy
+cd 3proxy
+ln -s Makefile.FreeBSD Makefile
+make
+
+(binaries are in bin/ directory)
 
  Features:
   1. General
+	+ IPv6 support for incoming and outgoing connection,
+	  can be used as a proxy between IPv4 and IPv6 networks
+	  in either direction.
 	+ HTTP/1.1 Proxy with keep-alive client and server support,
           transparent proxy support.
-	+ Anonymous and random client emulation HTTP proxy mode
+	+ HTTPS (CONNECT) proxy (compatible with HTTP/2 / SPDY)
+	+ Anonymous and random client IP emulation for HTTP proxy mode
 	+ FTP over HTTP support.
 	+ DNS caching with built-in resolver
-	+ HTTPS (CONNECT) proxy
+	+ DNS proxy
+	+ DNS over TCP support, redirecting DNS traffic via parent
+	  proxy
 	+ SOCKSv4/4.5 Proxy
 	+ SOCKSv5 Proxy
-	+ UDP and bind support for SOCKSv5 (fully compatible with
+	+ SOCKSv5 UDP and BIND support (fully compatible with
 	  SocksCAP/FreeCAP for UDP)
-	+ Transparent SOCKS redirection for HTTP, POP3, FTP, SMTP, ICQ
+	+ Transparent SOCKS redirection for HTTP, POP3, FTP, SMTP
+	+ SNI proxy (based on TLS hostname)
+	+ TLS (SSL) server - may be used as https:// type proxy
 	+ POP3 Proxy
 	+ FTP proxy
-	+ DNS proxy
-	+ TCP port mapper
-	+ UDP port mapper
+	+ TCP port mapper (port forwarding)
+	+ UDP port mapper (port forwarding)
 	+ SMTP proxy
-	+ ICQ/AOL proxy
 	+ Threaded application (no child process).
 	+ Web administration and statistics
 	+ Plugins for functionality extension
-	+ Native 64 bit application for 64 bit OS, including 64-bit editions of
-	  Windows.
-	+ IPv6 support
+	+ Native 32/64 bit application
   2. Proxy chaining and network connections
+	+ Can be used as a bridge between client and different proxy type
+	  (e.g. convert incoming HTTP proxy request from client to SOCKSv5
+	  request to parent server).
 	+ Connect back proxy support to bypass firewalls
 	+ Parent proxy support for any type of incoming connection
 	+ Username/password authentication for parent proxy(s).
-	+ HTTPS/SOCKS4/SOCKS5 and redirection parent support
+	+ HTTPS/SOCKS4/SOCKS5 and ip/port redirection parent support
 	+ Random parent selection
 	+ Chain building (multihop proxing)
 	+ Load balancing between few network connections by choosing network
 	  interface
   3. Logging
-	+ turnable log format compatible with any log parser
+	+ tuneable log format compatible with any log parser
 	+ stdout logging
 	+ file logging
 	+ syslog logging (Unix)
 	+ ODBC logging
-	+ log file rotation (hourly, daily, weekly, monthly)
-	+ automatic log file comperssion with external archiver (for files)
-	+ automatic removal of older log files
+	+ RADIUS accounting
+	+ log file rotation
+	+ automatic log file processing with external archiver (for files)
 	+ Character filtering for log files
 	+ different log files for different servces are supported
   4. Access control
+	+ ACL-driven Access control by username, source IP,
+	destination IP/hostname, destination port and destination action
+	(POST, PUT, GET, etc), weekday and daytime.
 	+ ACL-driven (user/source/destination/protocol/weekday/daytime or
 	combined) bandwith limitation for incoming and (!)outgoing trafic.
-	+ ACL-driven (user/source/destination/protocol/weekday/daytime or
-	combined) traffic limitation per day, week or month for incoming and
-	  (!) outgoing traffic
-	+ User authentication by DNS hostname
+	+ ACL-driven traffic limitation per day, week or month for incoming and
+	outgoing traffic
+	+ Connection limitation and ratelimting
 	+ User authentication by username / password
-	+ Access control by username, source IP, destination IP, destination
-	port and destination action (POST, PUT, GET, etc), weekday and daytime.
+	+ RADIUS Authentication and Authorization
+	+ User authentication by DNS hostname
+	+ Authentication cache with possibility to limit user to single IP address
 	+ Access control by username/password for SOCKSv5 and HTTP/HTTPS/FTP
 	+ Cleartext or encrypted (crypt/MD5 or NT) passwords.
 	+ Connection redirection
 	+ Access control by requested action (CONNECT/BIND, 
 	  HTTP GET/POST/PUT/HEAD/OTHER).
-	+ NTLM (v1 only) authentication for HTTP proxy access
 	+ All access control entries now support weekday and time limitations
 	+ Hostnames and * templates are supported instead of IP address
   5. Extensions
 	+ Regular expression filtering (with PCRE) via PCREPlugin
-	  currently HTTP traffic only for URLs, HTTP headers and HTTP data.
-	+ Authentication with Windows username/password (cleartext only!)
+	+ Authentication with Windows username/password (cleartext only)
 	+ SSL/TLS decryptions with certificate spoofing
-	+ NAT support under Linux
+	+ Transparent redirection support for Linux and *BSD
   6. Configuration
 	+ support for configuration files
 	+ support for includes in configuration files
 	+ interface binding
+	+ socket options
 	+ running as daemon process
 	+ utility for automated networks list building
 	+ configuration reload on any file change
@@ -88,7 +157,7 @@ Please read doc/html/index.html and man pages.
 	+ support for chroot
 	+ support for setgid
 	+ support for setuid
-	+ support for signals
+	+ support for signals (SIGUSR1 to reload configuration)
      Windows
 	+ support --install as service
 	+ support --remove as service
@@ -100,6 +169,7 @@ Please read doc/html/index.html and man pages.
 	+ support --remove as service
   6. Compilation
 	+ MSVC (static)
+	+ OpenWatcom (static)
 	+ Intel Windows Compiler (msvcrt.dll)
 	+ Windows/gcc (msvcrt.dll)
 	+ Cygwin/gcc (cygwin.dll)
@@ -115,13 +185,10 @@ Please read doc/html/index.html and man pages.
 		executable or service (supports installation and removal).
 		It uses config file to read it's configuration (see
 		3proxy.cfg.sample for details).
-		--install installs and starts proxy as Windows service
-		(config file should be located in the same directory)
-		--remove removes the service (should be stopped before via
-		'net stop 3proxy').
 		3proxy.exe is all-in-one, it doesn't require all others .exe
 		to work.
 		See 3proxy.cfg.sample for examples, see man 3proxy.cfg
+
 proxy    	HTTP proxy server, binds to port 3128
 ftppr    	FTP proxy server, binds to port 21
 socks    	SOCKS 4/5 proxy server, binds to port 1080
@@ -131,19 +198,17 @@ pop3p    	POP3 proxy server, binds to port 110. You must specify
 		POP3 username as username@target.host.ip[:port]
 		port is 110 by default.
 		Exmple: in Username configuration for you e-mail reader
-		set someuser@pop.somehost.ru, to obtains mail for someuser
+		set someuser@pop.example.org, to obtains mail for someuser
 		from pop.somehost.ru via proxy.
 smtpp    	SMTP proxy server, binds to port 25. You must specify
 		SMTP username as username@target.host.ip[:port]
 		port is 25 by default.
 		Exmple: in Username configuration for you e-mail reader
-		set someuser@mail.somehost.ru, to send mail as someuser
+		set someuser@mail.example.org, to send mail as someuser
 		via mail.somehost.ru via proxy.
-icqpr    	ICQ/AIM proxy. Maps some TCP port to TCP port of ICQ
-		server and performs packets translation. Example:
-		icqpr 5190 login.icq.com 5190
 tcppm    	TCP port mapping. Maps some TCP port on local machine to
 		TCP port on remote host.
+tlspr    	TLS proxy (SNI proxy) - sniffs hostname from TLS handshake
 udppm    	UDP port mapping. Maps some UDP port on local machine to
 		UDP port on remote machine. Only one user simulationeously
 		can use UDP mapping, so it cann't be used for public service
@@ -157,11 +222,10 @@ mycrypt    	Program to obtain crypted password fro cleartext. Supports
 		produces NT password
 			mycrypt salt password
 		produces MD5/crypt password with salt "salt".
-dighosts    	Utility for building networks list from web page.
 
 
 Run utility with --help option for command line reference.
 
-Latest version is available from http://3proxy.ru/
+Latest version is available from https://3proxy.org/
 
-Want to donate the project? http://3proxy.ru/donations/
+Want to donate the project? https://3proxy.org/donations/

RELEASE

@@ -0,0 +1 @@
+0.9.5

Release.notes

@@ -1,106 +0,0 @@
-08/04/2014 3[APA3A]tiny proxy 0.7
-
- Features:
-  1. General
-	+ HTTP/1.1 Proxy with keep-alive client and server support,
-          transparent proxy support.
-	+ Anonymous and random client emulation HTTP proxy mode
-	+ FTP over HTTP support.
-	+ DNS caching with built-in resolver
-	+ HTTPS (CONNECT) proxy
-	+ SOCKSv4/4.5 Proxy
-	+ SOCKSv5 Proxy
-	+ UDP and bind support for SOCKSv5 (fully compatible with
-	  SocksCAP/FreeCAP for UDP)
-	+ Transparent SOCKS redirection for HTTP, POP3, FTP, SMTP, ICQ
-	+ POP3 Proxy
-	+ FTP proxy
-	+ DNS proxy
-	+ TCP port mapper
-	+ UDP port mapper
-	+ SMTP proxy
-	+ ICQ/AOL proxy
-	+ MSN proxy
-	+ Threaded application (no child process).
-	+ Web administration and statistics
-	+ Plugins for functionality extension
-	+ Native 64 bit application for 64 bit OS, including 64-bit editions of
-	  Windows XP, Vista, 2003, 2008.
-  2. Proxy chaining and network connections
-	+ Parent proxy support for any type of incoming connection
-	+ Username/password authentication for parent proxy(s).
-	+ HTTPS/SOCKS4/SOCKS5 and redirection parent support
-	+ Random parent selection
-	+ Chain building (multihop proxing)
-	+ Load balancing between few network connections by choosing network
-	  interface
-  3. Logging
-	+ turnable log format compatible with any log parser
-	+ stdout logging
-	+ file logging
-	+ syslog logging (Unix)
-	+ ODBC logging (Windows and Unix)
-	+ log file rotation (hourly, daily, weekly, monthly)
-	+ automatic log file comperssion with external archiver (for files)
-	+ automatic removal of older log files
-	+ Character filtering for log files
-	+ different log files for different servces are supported
-  4. Access control
-	+ ACL-driven (user/source/destination/protocol/weekday/daytime or
-	combined) bandwith limitation for incoming and (!)outgoing trafic.
-	+ ACL-driven (user/source/destination/protocol/weekday/daytime or
-	combined) traffic limitation per day, week or month for incoming and
-	  (!) outgoing traffic
-	+ User authorization by NetBIOS messanger name
-	+ Access control by username, source IP, destination IP, destination
-	port and destination action (POST, PUT, GET, etc), weekday and daytime.
-	+ Access control by username/password for SOCKSv5 and HTTP/HTTPS/FTP
-	+ Cleartext or encrypted (crypt/MD5 or NT) passwords.
-	+ Connection redirection
-	+ Access control by requested action (CONNECT/BIND, 
-	  HTTP GET/POST/PUT/HEAD/OTHER).
-	+ NTLM (v1 only) authentication for HTTP proxy access
-	+ All access control entries now support weekday and time limitations
-	+ Hostnames and * templates are supported instead of IP address
-  5. Extensions
-	+ Regular expression filtering (with PCRE) via PCREPlugin
-	  currently HTTP traffic only for URLs, HTTP headers and HTTP data.
-	+ Authentication with Windows username/password (cleartext only!)
-  6. Configuration
-	+ support for configuration files
-	+ support for includes in configuration files
-	+ interface binding
-	+ running as daemon process
-	+ utility for automated networks list building
-	+ configuration reload on any file change
-     Unix
-	+ support for chroot
-	+ support for setgid
-	+ support for setuid
-	+ support for signals
-     Windows NT/2K/XP/2K3
-	+ support --install as service
-	+ support --remove as service
-	+ support for service START, STOP, PAUSE and CONTINUE commands (on
-	PAUSE no new connection accepted, but active connections still in
-	progress, on CONTINUE configuration is reloaded)
-     Windows 95/98/ME
-	+ support --install as service
-	+ support --remove as service
-  6. Compilation
-	+ MSVC (static)
-	+ Intel Windows Compiler (msvcrt.dll)
-	+ Windows/gcc (msvcrt.dll)
-	+ Cygwin/gcc (cygwin.dll)
-	+ Unix/gcc
-	+ Unix/ccc
-	+ Solaris
-	+ Mac OS X, iPhone OS
-
-
- Planned for future (0.8) release:
-   - SSL handling / SSL decryption by certificate spoofing
-   - NAT support under *nix
-   - Addon antiviral, HTTP cache filters modules, authentication
-     modules for different protocols (RADIUS, PAM etc).
-

authors

@@ -1 +1 @@
-(c) 2002-2014 by Vladimir '3APA3A' Dubrovin <3proxy@3proxy.ru>
+(c) 2002-2025 by Vladimir '3APA3A' Dubrovin <vlad@3proxy.org>

bin/.gitignore

@@ -0,0 +1,2 @@
+*.cfg
+*.old

copying

@@ -1,12 +1,8 @@
-3proxy 0.7 Public License Agreement
+3proxy 0.9 Public License Agreement
 
-(c) 2000-2014 by 3APA3A (3APA3A@security.nnov.ru)
-(c) 2000-2014 by SecurityVulns.com (http://3proxy.ru/)
-(c) 2000-2014 by Vladimir Dubrovin (vlad@sandy.ru)
-
-This software uses:
-  RSA Data Security, Inc. MD4 Message-Digest Algorithm
-  RSA Data Security, Inc. MD5 Message-Digest Algorithm
+(c) 2000-2025 by 3APA3A (3APA3A@3proxy.ru)
+(c) 2000-2025 by 3proxy.org (https://3proxy.org/)
+(c) 2000-2025 by Vladimir Dubrovin (vlad@3proxy.org)
 
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
@@ -39,23 +35,23 @@ are met (BSD style license):
 Instead of this license, you can also use and redistribute this software under
 terms of compatible license, including:
 
-1. Apache License, Version 2.0
+1. Apache License, Version 2.0 or (at your option) any later version
    You may obtain a copy of the License at
 
-	http://www.apache.org/licenses/LICENSE-2.0
+	https://www.apache.org/licenses/LICENSE-2.0
 
 2. GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.
    You may obtain a copy of the License at
 
-	http://www.gnu.org/licenses/gpl.txt
+	https://www.gnu.org/licenses/gpl.txt
 
 3. GNU Lesser General Public License as published by the
    Free Software Foundation; either version 2.1 of the License, or
    (at your option) any later version.
    You may obtain a copy of the License at
 
-	http://www.gnu.org/licenses/lgpl.txt
+	https://www.gnu.org/licenses/lgpl.txt
 
 

debian/3proxy.manpages

@@ -0,0 +1,10 @@
+man/3proxy.8
+man/3proxy.cfg.3
+man/ftppr.8
+man/tlspr.8
+man/pop3p.8
+man/proxy.8
+man/smtpp.8
+man/socks.8
+man/tcppm.8
+man/udppm.8

debian/changelog

@@ -0,0 +1,18 @@
+3proxy (0.9.3-210629140419) buster; urgency=medium
+ 
+  *3proxy 0.9.3 build
+ 
+ -- z3APA3A <3apa3a@3proxy.org>  Thu, 01 Jul 2021 19:48:44 +0300
+
+3proxy (0.9.3-1) buster; urgency=medium
+
+  *3proxy 0.9.3 initial build
+
+ -- z3APA3A <3apa3a@3proxy.org>  Thu, 03 Dec 2020 21:13:58 +0300
+
+3proxy (0.9.2-1) buster; urgency=medium
+
+  *3proxy 0.9.2 initial build
+
+ -- z3APA3A <3apa3a@3proxy.org>  Thu, 19 Nov 2020 19:19:19 +0300
+

debian/compat

@@ -0,0 +1 @@
+9

debian/conffiles

@@ -0,0 +1,4 @@
+/usr/local/3proxy/conf/3proxy.cfg
+/usr/local/3proxy/conf/add3proxyuser.sh
+/usr/local/3proxy/conf/bandlimiters
+/usr/local/3proxy/conf/counters

debian/control

@@ -0,0 +1,18 @@
+Source: 3proxy
+Maintainer: z3APA3A <3apa3a@3proxy.org>
+Section: net
+Priority: optional
+Standards-Version: 4.0.0
+Build-Depends: debhelper (>=10)
+Homepage: https://3proxy.org/
+Vcs-Git: https://github.com/z3APA3A/3proxy
+Vcs-Browser: https://github.com/z3APA3A/3proxy
+
+Package: 3proxy
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: tiny free proxy server
+ 3Proxy tiny free proxy server is really tiny freeware proxy servers set. 
+ It includes HTTP proxy with HTTPS and FTP support, SOCKSv4/SOCKSv4.5/SOCKSv5 proxy (socks/socks.exe), POP3 proxy, SMTP proxy, FTP proxy, caching DNS proxy, TCP and UDP portmappers.
+ You can use every proxy as a standalone program (socks, proxy, tcppm, udppm, pop3p) or use combined program (3proxy). Combined proxy additionally supports features like access control, bandwidth limiting, limiting daily/weekly/monthly traffic amount, proxy chaining, log rotation, syslog and ODBC logging, etc.
+ It's created to be small, simple and yet very functional. 

debian/copyright

@@ -0,0 +1,20 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: 3proxy
+Upstream-Contact: 3proxy@3proxy.org
+Source: https://3proxy.org/
+
+Files: *
+Copyright: 2000-2020 3APA3A, Vladimir Dubrovin, 3proxy.org
+License: BSD-3-clause or Apache or GPL-2+ or LGPL-2+
+
+Files: src/libs/md*.*
+Copyright: 1990,1991,1992  RSA Data Security, Inc
+License: public-domain
+
+Files: src/libs/regex.*
+Copyright: Henry Spencer
+License: public-domain
+
+Files: src/libs/smbdes.c
+Copyright: Andrew Tridgell 1998
+License: GPL-2+

debian/postinst

@@ -0,0 +1,43 @@
+if [ ! -f /usr/local/3proxy/conf/passwd ]; then \
+ touch /usr/local/3proxy/conf/passwd;\
+fi
+chown -R proxy:proxy /usr/local/3proxy
+chmod 550  /usr/local/3proxy/
+chmod 550  /usr/local/3proxy/conf/
+chmod 440  /usr/local/3proxy/conf/*
+if /bin/systemctl >/dev/null 2>&1; then \
+ /usr/sbin/update-rc.d 3proxy disable || true; \
+ /usr/sbin/chkconfig 3proxy off || true; \
+ /bin/systemctl enable 3proxy.service; \
+elif [ -x /usr/sbin/update-rc.d ]; then \
+ /usr/sbin/update-rc.d 3proxy defaults; \
+ /usr/sbin/update-rc.d 3proxy enable; \
+elif [ -x /usr/sbin/chkconfig ]; then \
+ /usr/sbin/chkconfig 3proxy on; \
+fi
+
+echo ""
+echo 3proxy installed.
+if /bin/systemctl >/dev/null 2>&1; then \
+ /bin/systemctl stop 3proxy.service \
+ /bin/systemctl start 3proxy.service \
+ echo use ;\
+ echo "  "systemctl start 3proxy.service ;\
+ echo to start proxy ;\
+ echo "  "systemctl stop 3proxy.service ;\
+ echo to stop proxy ;\
+elif [ -x /usr/sbin/service ]; then \
+ /usr/sbin/service 3proxy stop  || true;\
+ /usr/sbin/service 3proxy start  || true;\
+ echo "  "service 3proxy start ;\
+ echo to start proxy ;\
+ echo "  "service 3proxy stop ;\
+ echo to stop proxy ;\
+fi
+echo "  "/usr/local/3proxy/conf/add3proxyuser.sh
+echo to add users
+echo ""
+echo Default config uses Google\'s DNS.
+echo It\'s recommended to use provider supplied DNS or install local recursor, e.g. pdns-recursor.
+echo Configure preferred DNS in /usr/local/3proxy/conf/3proxy.cfg.
+echo run \'/usr/local/3proxy/conf/add3proxyuser.sh admin password\' to configure \'admin\' user

debian/preinst

@@ -0,0 +1,4 @@
+if [ -x /usr/sbin/useradd ]; then \
+ /usr/bin/getent group proxy >/dev/null || (/usr/sbin/groupadd -f -r proxy || true); \
+ /usr/bin/getent passwd proxy >/dev/null || (/usr/sbin/useradd -Mr -s /bin/false -g proxy -c 3proxy proxy || true); \
+fi

debian/rules

@@ -0,0 +1,16 @@
+#!/usr/bin/make -f
+
+%:
+	dh $@
+
+override_dh_auto_build:
+	ln -s Makefile.Linux Makefile || true
+	dh_auto_build
+
+override_dh_auto_clean:
+	find src/ -type f -name "*.o" -delete
+	find src/ -type f -name "Makefile.var" -delete
+	find bin/ -type f -executable -delete
+	rm -f Makefile
+
+override_dh_usrlocal:

debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

doc/html/faqe.html

@@ -1,163 +1,2 @@
-<h3>Why ... doesn't work?</h3>
 
-<p><i>Q: Why does nothing work?</i></p>
-A: Valid configuration file is required.
-
-<p><i>Q: Why restrictions (redirections, limits, etc) do not work?</i></p>
-A: Most probable reasons: 'auth none' or no auth is used. For any ACL based feature one of 'iponly', 'nbname' or 'strong' auths required. Sequence of commands may be invalid. Commands are executed one-by-one and 'proxy', 'tcppm', 'socks' or another service commands must follow valid configuration. Invalid sequence of ACLs. First matching ACL is used (except of internal redirections, see below). If ACL contains at least one records last record is assumed to be 'deny *'.
-
-<p><i>Q: Why doesn't 3proxy work as service under Windows?</i></p>
-Possible reasons:
-<ul>
-<li>'service' command absents in configuration file. Command is required for
-3proxy.exe to behave as system service in 3proxy 0.5.2 and prior.
-<li>there are relative paths in configuration file for included files,
-log files, etc. Always use absolute paths. For example
-$"c:\3proxy\networks.local" instead of  $networks.local. For debugging remove
-'service' and 'daemon', log to stdout an try to execute 3proxy from command
-line from some different directory (for example from disk root).
-<li>SYSTEM account doesn't have access to executable file, configuration files,
-log files, etc.
-<li>configuration files is not located in default path (3proxy.cfg in same
-location with 3proxy.exe). For alternative configuration file location use
-<pre>
-3proxy --install full_path_to_configuration_file
-</pre>
-<li>user has no rights to install or start service
-<li>service is already installed and/or started
-
-</ul>
-
-<p><A NAME="INTEXT"><i>Q: Why doesn't internal and external commands work as expected</i></A></li></p>
-A: Check your expectations first.
-Both internal and external IPs are IPs of the host running 3proxy itself.
-This configuration option is usefull in situation 3proxy is running on the
-border host with 2 (or more) connections: e.g. LAN and WAN with different IPs
-<pre>
-     LAN connection +-------------+ Internet connection
-LAN <-------------->| 3proxy host |<-------------------> INTERNET
-                   ^+-------------+^
-	           |               |
-              Internal IP       External IP
-</pre>
-If 3proxy is used on the host with single connection, both internal and
-external are usually same IP.
-<br>Internal should exist and be UP on the moment 3proxy is started and
-should never be disconnected/DOWN. If this interface is periodically
-disconnected (e.g. direct link between 2 hosts), do not specify internal
-address or use 0.0.0.0 instead. In this case, if you have 2 or more
-interfaces you must use firewall (preferably) or 3proxy ACLs to avoid open
-proxy situation. 
-<br>
-External IP (if specified) must exist in the momet 3proxy
-serves client request. If external interface is no specified (or 0.0.0.0),
-system select external IP. It may be possible to access resources of internal
-network, to prevent this use ACLs. In addition, SOCKSv5 will not support BIND
-operation, required for incoming connections (this operation is quite rarely
-implemented in SOCKSv5 clients and usually is not required). In case of
-dynamic address, do not specify external or use external 0.0.0.0 or, if
-external address is required, create a script to determine current external
-IP and save it to file, and use external "$path_to_file" with "monitor" command
-to automatically reload configuration on address change.
-
-<p><i>Q: Why doesn't ODBC loggind work?</i></p>
-A: Check you use system DSN. 
-Check SQL request is valid. 
-The best way to check is to make file or stdout logging, get SQL request from log file or console and execute this request manually.
-Under Unix, you may also want to adjust 'stacksize' parameter.
-
-<p><i>Q: Why proxy crash on request processing?</a></i></p>
-<i>A:</i> default stacksize may be insufficient, if some non-default plugins
-  are used (e.g. PAM and ODBC on Linux) or if compiled on some platforms with
-  invalid system defined values (few versionds of FreeBSD on amd64).
-  Problem can be resolved with 'stacksize' command or '-S' option starting 3proxy 0.8.4.
-
-
-<p><i>Q: Why doesn't APOP/CRAM-MD5 authentication work with POP3 proxy?</i></p>
-A: Any Challenge-response authentication require challenge to be transmitted from server. Pop3p doesn't know which server to use before authentication, it makes it impossible to obtain challenge. You can encrypt your POP3 communications with TLS (i.e. stunnel) or IPSec.
-
-<h3>Redirection to local proxy</h3>
-
-<p><i>Q: What is it for?</i></p>
-A: To have control based on request and to have URLs and another protocol specific parameters to be logged.
-
-<p><i>Q: What are restrictions?</i></p>
-A: It's hard to redirect services for non-default ports; Internet Explorer supports only SOCKSv4 with no password authentication (Internet Explorer sends username, but not password), for SOCKSv5 only cleartext password authentication is supported.
-
-<p><i>Q: What are advantages?</i></p>
-A: You need only to setup SOCKS proxy in browser settings. You can use socksifier, i.e. FreeCAP or SocksCAP with application which is not proxy aware.
-
-<p><i>Q: How to setup?</i></p>
-A: You should specify parent proxy with IP of 0.0.0.0 and port 0. Examples:
-<pre>
-auth iponly
-allow * * * 80,8080-8088
-parent 1000 http 0.0.0.0 0
-allow * * * 80,8080-8088
-#redirect ports 80 and 8080-8088 to local HTTP proxy
-#Second allow is required, because ACLs are checked
-#twice: first time by socks and second by http proxy.
-
-allow * * * 21,2121
-parent 1000 ftp 0.0.0.0 0
-allow * * * 21,2121
-#redirect ports 21 and 2121 to local 
-#ftp proxy
-
-
-allow *
-#allow rest of connections directly
-
-socks
-#now let socks server to start
-</pre>
-
-<p><i>Q: How it affects different ACL rules?</i></p>
-A: After local redirections rules are applied again to protocol-level request. Redirection rule itself is skipped. It makes it possible to redirect request again on the external proxy depending on request itself.
-<pre>
-allow * * * 80,8080-8088
-parent 1000 http 0.0.0.0 0
-#redirect http traffic to internal proxy
-
-allow * * $c:\3proxy\local.nets 80,8080-8088
-#allow direct access to local.nets networks
-allow * * * 80,8080-8088
-parent 1000 http proxy.3proxy.ru 3128
-#use parent caching proxy for rest of the networks
-
-allow *
-#allow direct connections for rest of socks
-#requests
-</pre>
-
-<h3>Can I ...?</h3>
-
-<p><i>Q: Is it possible to resolve names through parent proxy?</i></p>
-A: Yes, use 'proxy', 'connect+', 'socks4+' or 'socks5+' as parent proxy type.
-3proxy itself requires name resolutions for ACL checks, so, if it's impossible
-to resolve names from 3proxy host, use
-<pre>
-fakeresolve
-</pre>
-command. Fakeresolve resolves any name to 127.0.0.2.
-
-
-<p><i>Q: Can I use 3proxy as FTP proxy?</i></p>
-A: There are two kinds of FTP proxy supported: FTP over HTTP support (known as FTP proxy inside Internet Explorer, Mozilla and another browsers) and real FTP proxy (usable in Far and different FTP clients). Both are supported in 3proxy: first one as a part of HTTP 'proxy' and second one as 'ftppr'.
-
-<p><i>Q: Can I bind any 3proxy service to non-default port?</i></p>
-A: proxy -p8080
-
-<h3>Why so ...?</h3>
-
-<p><i>Q: Why traffic accounting is incomplete? It differs for what my provider (or another accounting application) shows to me?</i></p>
-A: 3proxy accounts protocol level traffic. Provider counts channel or IP-level traffic with network and transport headers. In additions, 3proxy doesn't counts DNS resolutions, pings, floods, scans, etc. It makes approx. 10% of difference. That's why you should have 15% reserve if you use 3proxy to limit your traffic. If difference with your provider is significantly above 10% you should look for traffic avoiding proxy server, for example connections through NAT, traffic originated from the host with proxy installed, traffic from server applications, etc.
-
-<p><i>Q: Why configuration is so difficult and non-intuitive?</i></p>
-A: Configuration format is created in a way it's easy to parse and matches to internal 3proxy structures. In addition, there are some older things left for compatibility to be cleaned in 3proxy release. And last, I think it's easy and intuitive.
-
-<p><i>Q: Why the code is so difficult and non-intuitive?</i></p>
-A: First, I'm not programmer. Second, 3proxy was 'proof of concept' in reply for some conference post. Request was to write proxy server in 100 lines of code. First version of 3proxy had less, with HTTP and SOCKS support and portmappers. Third, there are peoples who want to use 3proxy code in trojans. I don't want to help them.  Fourth, the aim is to support different platforms. It's well known - the worse code is, the better it compiles.
-
-<p><i>Q: Why do you use insecure strcpy, sprintf, etc?</i></p>
-A: Why not? I try to use insecure function in secure manner. You're welcome to look for vulnerabilities.
+<H2><A href="hotoe.html">See HowTo:</a></H2>

doc/html/faqr.html

@@ -1,288 +1,2 @@
-<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
-3APA3A 3proxy tiny proxy server Frequently Asked Questions (FAQ)
-<ul>
-  <li><a href="#TROUBLE">Почему не работает...</a></li>
-  <ul>
-    <li><a href="#NOTHING">Q: Почему ничего не работает?</a></li>
-    <li><a href="#LIMITS">Q: Почему не работают ограничения доступа (перенаправления, ограничения по скорости, трафику и т.д.)?</a></li>
-    <li><a href="#SERVICE">Q: Почему 3proxy не запускается как служба?</a></li>
-    <li><a href="#INTEXT">Q: Почему не получается указать internal и external?</a></li>
-    <li><a href="#ODBC">Q: Почему не работает ведение журналов в ODBC?</a></li>
-    <li><a href="#CHAP">Q: Почему не поддерживаются APOP и CRAM-MD5 в POP3 прокси?</a></li>
-    <li><a href="#CRASH">Q: Почему прокси крэшится при обработке запроса?</a></li>
-  </ul>
-  <li><a href="#SOCKSREDIR">Перенаправление socks соединений в локальный прокси</a></li>
-  <ul>
-    <li><a href="#REDIR">Q: Для чего это надо?</a></li>
-    <li><a href="#REDIRLIMIT">Q: Какие недостатки?</a></li>
-    <li><a href="#REDIRADV">Q: Какие преимущества?</a></li>
-    <li><a href="#REDIRHOW">Q: Как настраивается?</a></li>
-    <li><a href="#REDIINTER">Q: Как взаимодействует с другими правилами в ACL?</a></li>
-  </ul>
-  <li><a href="#ISIT">А есть ли...</a></li>
-  <ul>
-    <li><a href="#NAMES">Можно ли разрешать имена на родительском прокси?</a></li>
-    <li><a href="#ISFTP">Существует ли сейчас поддержка FTP прокси в продукте?</a></li>
-    <li><a href="#PORT">Каким образом можно прибиндить сервисы на свой порт, к примеру, HTTP прокси к 8080, а не 3128 как по-умолчанию?</a></li>
-    <li><a href="#BANDLIM">Как ограничить ширину канала?</a></li>
-  </ul>
-  <li><a href="#BRRR">Почему так криво...</a></li>
-  <ul>
-    <li><a href="#TRAF">Почему так криво считается трафик? Не совпадает с ...</a></li>
-    <li><a href="#CONFIG">Почему такая кривая конфигурация и ничерта не понятно?</a></li>
-    <li><a href="#CODE">Почему так криво написан код?</a>
-    <li><a href="#UNSAFE">Почему так много strcpy, sprintf и т.д., это ж дыры!</a>
-  </ul>
-</ul>
-<hr>
-<li><b><a name="TROUBLE">Почему не работает...<a></b></li>
-<ul>
-  <li><a name="NOTHING"><i>Q: Почему ничего не работает?</i></a></li>
-  <p>
-  <i>A:</i> Потому что для работы нужен правильный файл конфигурации.
-  </p>
-  <li><a name="LIMITS"><i>Q: Почему не работают ограничения доступа (перенаправления, ограничения по скорости,
-  трафику и т.д.)?</i></a></li>
-  <p>
-  <i>A:</i> Обычные ошибки - использование auth none (для работы любых
-  функций, основанных на ACL, требуется auth iponly, nbname или strong),
-  нарушение порядка ввода команд (команды выполняются последовательно,
-  запуск сервиса proxy, socks, tcppm и т.д. должен осуществляться после
-  того, как указана его конфигурация), неправильный порядок записей в ACL
-  (записи просматриваются последовательно до первой, удовлетворяющей
-  критериям). Если в ACL имеется хотя бы одна запись, то считается, что
-  последняя запись в ACL - это неявная deny *.
-  </p>
-  <li><a name="SERVICE"><i>Q: Почему 3proxy не запускается как служба?</i></a></li>
-  <p>
-  <i>A:</i> Наиболее вероятные причины:
-  <ul>
-    <li>Отсутствие команды service в файле конфигурации - команда необходима в 3proxy 0.5.2 и более ранних, чтобы 3proxy вел себя как системная служба Windows
-    <li>Использование относительных (неполных) путей файлов в файле конфигурации
-    При использовании файлов журналов, файлов вставок ($filename) используйте
-    полные пути, например, $"c:\3proxy\include files\networks.local". Тоже самое
-    относится к файлам журналов и любым другим.
-    Для отладки лучше запускать 3proxy с ведением журнала на стандартный вывод.
-    Не забудьте в таком случае отключить daemon и service в файле конфигурации.
-    Для чистоты эксперимента запускать 3proxy из коммандной строки в таком случае
-    следует, находясь в другой папке.
-    <li>Отсутствие у системной записи прав на доступ к исполняемому файлу, каким-либо файлам конфигурации, журнала и т.п.
-    <li>Отсутствие файла конфигурации по стандартному расположению -
-    3proxy.cfg в одном каталоге с исполняемым файлом. Если файл расположен по
-    другому пути, необходимо использовать команду
-    <pre>
-    3proxy --install path_to_configuration_file</pre>
-    <li>Отсутствие у пользователя прав на установку или запуск службы
-    <li>Служба уже установлена или запущена
-  </ul>
-  </p>
-  <li><a name="INTEXT"><i>Q: Почему не получается указать internal и external?</i></a></li></li>
-  <p>
-  <i>A:</i> Убедитесь, что выправильно понимаете что такое internal и external адреса.
-  Оба адреса - это адреса, принадлежищие хосту, на котором установлен 3proxy.
-  Эта опция конфигурации необходима в классической ситуации, когда 3proxy
-  установлен на граничном компьютере с двумя (или более) подключениями:
-  <pre>
-       LAN connection +-------------+ Internet connection
-  LAN <-------------->| 3proxy host |<-------------------> INTERNET
-                     ^+-------------+^
-                     |               |
-               Internal IP      External IP</pre>
-  Если 3proxy работает на хосте с одним интерфейсом, то его адрес будет и
-  internal и external.
-  <br>Интерфейс с адресом internal должен существовать и быть рабочим на момент
-  запуска 3proxy, и не должен отключаться. Если internal интерфейс
-  периодически отключается, то не следует его указывать, или можно указать адрес
-  0.0.0.0. При этом прокси будет принимать запросы на всех интерфейсах, поэтому
-  при наличии нескольких интерфейсов для ограничения доступа следует использовать
-  фаервол или хотя бы ACL.
-  </p>
-  <p>
-  Интерфейс с адресом external, если он указан, должен быть рабочим на момент
-  получения запроса клиента. При отсутствии external или адресе 0.0.0.0 внешний
-  адрес будет выбираться системой при установке соединения. При этом, может быть
-  возможность доступа через прокси к ресурсам локальной сети, поэтому для
-  предотвращения несанкционированного доступа следует использовать ACL. Кроме
-  того, могут быть проблемы с приемом входящих соединений через SOCKSv5
-  (SOCKSv5 используется в клиентах исключительно редко).
-  В случае, если адрес динамический, можно либо не
-  указывать external, либо использовать адрес 0.0.0.0, либо, если необходима
-  поддержка входящих соединений в SOCKSv5, использовать скрипт,
-  который будет получать текущий адрес и сохранять его в файл, который будет
-  отслуживаться через команду monitor.
-  </p>
-  <li><a name="ODBC"><i>Q: Почему не работает ведение журналов в ODBC?</i></a></li>
-  <p>
-  <i>A:</i> Убедитесь, что используется системный, а не
-  пользовательский DSN. Убедитесь, что выполняется правильный SQL запрос. Наиболее
-  распространенная проблема связана с отсутствием кавычек или неправильным
-  форматом данных. Самый простой способ - сделать ведение журнала в файл или
-  на стандартный вывод, просмотреть выдаваемые SQL запросы и попробовать
-  дать такой запрос вручную.
-  </p> 
-  <li><a name="CHAP"><i>Q: Почему не поддерживаются APOP и CRAM-MD5 в POP3 прокси?</i></a></li>
-  <p>
-  <i>A:</i> Любая challenge-response аутентификация, к которым относятся APOP
-  и CRAM-MD5, требует, чтобы со стороны сервера был передан уникальный challenge.
-  До начала аутентификации POP3 прокси не знает, к какому серверу следует
-  подключаться для получения Challenge, поэтому challenge-response в принципе
-  невозможен. Защитить соединение можно с помощью TLS (например, stunnel) или
-  IPSec.
-  </p>
-  <li><a name="CRASH"><i>Q: Почему прокси крэшится при обработке запроса?</a></i></li>
-  <p>
-  <i>A:</i> Возможно, недостаточен размер стека потока по-умолчанию, это может
-  быть при использовани каких-либо сторонних плагинов (PAM, ODBC) или на
-  некоторых платформах (некоторые версии FreeBSD на amd64). Можно решить
-  проблему с помощью опции 'stacksize' или '-S', поддерживаемых в 0.8.4 и выше.
-  </p>
-</ul>
-<hr>
-<li><b><a name="SOCKSREDIR">Перенаправление socks соединений в локальный прокси</a></b></li>
-<ul>
-  <li><a name="REDIR"><i>Q: Для чего это надо?</i></a></li>
-  <p>
-  <i>A:</i> Чтобы иметь в логах URL запросов, если пользователь SOCKS пользуется
-  Web, FTP или POP3.
-  </p>
-  <li><a name="REDIRLIMIT"><i>Q: Какие недостатки?</i></a></li>
-  <p>
-  <i>A:</i> Перенапраление невозможно для web-серверов или FTP, висящих на
-  нестандартных портах, для SOCKSv4 не поддрживается авторизация с
-  паролем (IE поддерживает только SOCKSv4), но при этом IE передает
-  имя пользователя по SOCKSv4 (имя, с которым пользователь вошел в систему).
-  Для SOCKSv5 не поддерживается NTLM авторизация, пароли передаются в открытом
-  тексте.
-  </p>
-  <li><a name="REDIRADV"><i>Q: Какие преимущества?</i></a></li>
-  <p>
-  <i>A:</i> Достаточно в настройках IE только указать адрес SOCKS прокси. В
-  больших сетях можно для этого использовать WPAD (автоматическое
-  обнаружение прокси). В 3proxy достаточно запускать только одну службу
-  (socks). Если используется только Internet Explorer, то можно
-  автоматически получать имя пользователя в логах, не запрашивая
-  логин/пароль.
-  </p>
-  <li><a name="REDIRHOW"><i>Q: Как настраивается?</i></a></li>
-  <p>
-  <i>A:</i> Указывается parent http proxy со специальным адресом 0.0.0.0 и портом
-  0. Пример:
-  <pre>
-  allow * * * 80,8080-8088
-  parent 1000 http 0.0.0.0 0
-  allow * * * 80,8080-8088
-  #перенаправить соединения по портам 80 и 8080-8088 в локальный
-  #http прокси. Вторая команда allow необходима, т.к. контроль доступа
-  #осуществляется 2 раза - на уровне socks и на уровне HTTP прокси
-  allow * * * 21,2121
-  parent 1000 ftp 0.0.0.0 0
-  allow * * * 21,2121
-  #перенаправить соединения по портам 21 и 2121 в локальный
-  #ftp прокси
-  allow *
-  #пустить все соединения напрямую
-  socks</pre>
-  </p>
-  <li><a name="REDIINTER"><i>Q: Как взаимодействует с другими правилами в ACL?</i></a></li>
-  <p>
-  <i>A:</i> После внутреннего перенаправления правила рассматриваются еще раз за
-  исключением самого правила с перенаправлением (т.е. обработка правил не
-  прекращается). Это позволяет сделать дальнейшие перенаправления на
-  внешний прокси. По этой же причине локальное перенаправление не должно
-  быть последним правилом (т.е. должно быть еще хотя бы правило allow,
-  чтобы разрешить внешние соединения через HTTP прокси).
-  Например,
-  <pre>
-  allow * * * 80,8080-8088
-  parent 1000 http 0.0.0.0 0
-  #перенаправить во внутренний прокси
-  allow * * $c:\3proxy\local.nets 80,8080-8088
-  #разрешить прямой web-доступ к сетям из local.nets
-  allow * * * 80,8080-8088
-  parent 1000 http proxy.3proxy.ru 3128
-  #все остальные веб-запросы перенаправить на внешний прокси-сервер
-  allow *
-  #разрешить socks-запросы по другим портам</pre>
-  </p>
-</ul>
-<hr>
-<li><b><a name="ISIT">А есть ли...</a></b></li>
-<ul>
-  <li><a name="NAMES"><i>Q: Можно ли разрешать имена на родительском прокси?</i></a></li>
-  <p>
-  <i>A:</i> Можно. Для этого надо использовать тип родительского прокси http,
-  connect+, socks4+ и socks5+. Однако, при это надо помнить, что самому 3proxy
-  требуется разрешение имени для управления ACL. Поэтому, если с прокси-хоста
-  не работают разрешения имени, необходимо в конфигурации дать команду
-  <pre>
-  fakeresolve</pre>
-  которая разрешает любое имя в адрес 127.0.0.2.
-  </p>
-  <li><a name="ISFTP"><i>Q: Существует ли сейчас поддержка FTP прокси в продукте?</i></a></li>
-  <p>
-  Есть поддержка как FTP через HTTP (то, что называется FTP прокси в Internet
-  Explorer, Netscape, Opera) так и настоящего FTP прокси (то, что называется
-  FTP proxy в FAR и FTP клиентах).
-  </p>
-  <li><a name="PORT"><i>Q: Каким образом можно прибиндить сервисы на свой порт, к примеру, HTTP прокси к 8080, а не 3128 как по-умолчанию?</i></a></li>
-  <p>
-  А:
-  <pre>
-  proxy -p8080</pre>
-  </p>
-  <li><a name="BANDLIM"><i>Q: Как ограничить ширину канала?</i></a></li>
-  <p>
-  <i>A:</i> Читайте HowTo <a href="http://3proxy.ru/howtor.asp#BANDLIM">http://3proxy.ru/howtor.asp#BANDLIM</a>
-  </p>
-</ul>
-<hr>
-<li><b><a name="BRRR">Почему так криво...</a></b></li>
-<ul>
-  <li><a name="TRAF"><i>Q: Почему так криво считается трафик? Не совпадает с ...</i></a></li>
-  <p>
-  <i>A:</i> Следует учитывать, что 3proxy считает трафик только на прикладном уровне и
-  только проходящий через прокси-сервер. Провайдеры и другие средства учета
-  трафика считают трафик на сетевом уровне, что уже дает расхождение порядка 10%
-  за счет информации из заголовков пакетов. Кроме того, часть трафика, как
-  минимум DNS-разрешения, различный флудовый трафик и т.д. идут мимо прокси.
-  Уровень "шумового" трафика в Internet сейчас составляет порядка 50KB/день на
-  каждый реальный IP адрес, но может сильно варьироваться в зависимости от сети,
-  наличия открытых портов, реакции на ping-запросы и текущего уровня вирусной
-  активности. По этим причинам, если 3proxy используется чтобы не "выжрать"
-  трафик, выделенный провайдером, всегда следует делать некий запас порядка
-  15%.
-  </p>
-  <p>
-  Если на одной с 3proxy машине имеются какие-либо сервисы или
-  работает пользователь, то их трафик не проходит через proxy-сервер и так же
-  не будет учтен. Если где-то есть NAT, то клиенты, выходящие через NAT мимо
-  прокси, так же останутся неучтенными. Если расхождение с провайдером превышает
-  10% - нужно искать причину именно в этом.
-  </p>
-  <li><a name="CONFIG"><i>Q: Почему такая кривая конфигурация и ничерта не понятно?</i></a></li>
-  <p>
-  <i>A:</i> Есть несколько причин. Во-первых, до выхода релиза (т.е. версии 1.0) я буду изо
-  всех сил добиваться совместимости конфигурации между версиями. Во-вторых,
-  конфигурация сделана так, чтобы ее можно было легко разбирать программно.
-  В-третьих, все там понятно. При желании. Если знать как все работает.
-  </p>
-  <li><a name="CODE"><i>Q: Почему так криво написан код?</i></a></li>
-  <p>
-  <i>A:</i> Есть несколько причин. Во-первых, я не программист. Во-вторых, 3proxy изначально
-  писался на коленке (в отет на &quot;слабо&quot; в одной из конференций). Никто
-  не мог предположить, что им кто-то реально будет пользоваться. В-третьих, у многих
-  возникает желание разобраться в коде 3proxy чтобы внедрить его в какой-нибудь
-  троян. Очень не хочется облегчать эту задачу. В-четвертых, мне надо добиться
-  компиляции кода в как можно большем числе систем. Замечено, что чем кривее код в
-  C, тем он лучше переносится.
-  </p>
-  <li><a name="UNSAFE"><i>Q: Почему так много strcpy, sprintf и т.д., это ж дыры!</i></a><li>
-  <p>
-  <i>A:</i> Есть несколько причин. Во-первых, несмотря на дурной тон использования этих
-  функций, они наиболее совместимы между разными системами и компиляторами.
-  Во-вторых, само по себе их использование не означает присутствие дыры, если их
-  параметры должным образом контролируются. Найдете дыру - обязательно сообщите.
-  В третьих, может быть я уберу их перед конечным релизом, чтобы никого не
-  пугать.
-  </p>
-</ul>
+
+<H2><A href="hotoe.html">См. HowTo</a></H2>

doc/html/highload.html

@@ -0,0 +1,300 @@
+<h3>Optimizing 3proxy for high load</h3>
+<p>Precaution 1: 3proxy was not initially developed for high load and is positioned as a SOHO product, the main reason is "one connection - one thread" model 3proxy uses. 3proxy is known to work with above 200,000 connections under proper configuration, but use it in production environment under high loads at your own risk and do not expect too much.
+<p>Precaution 2: This documentation is incomplete and is not sufficient. High loads may require very specific system tuning including, but not limited to specific or cusomized kernels, builds, settings, sysctls, options, etc. All this is not covered by this documentation.
+
+<h4>Configuring 'maxconn'</h4>
+
+A number of simulatineous connections per service is limited by 'maxconn' option.
+Default maxconn value since 3proxy 0.8 is 500. You may want to set 'maxconn'
+to higher value. Under this configuration:
+<pre>
+maxconn 1000
+proxy -p3129
+proxy -p3128
+socks
+</pre>
+maxconn for every service is 1000, and there are 3 services running
+(2 proxy and 1 socks), so, for all services there can be up to 3000
+simulatineous connections to 3proxy.
+<p>Avoid setting 'maxconn' to arbitrary high value, it should be carefully
+choosen to protect system and proxy from resources exhaution. Setting maxconn
+above resources available can lead to denial of service conditions.
+<h4>Understanding resources requirements</h4>
+Each running service require:
+<ul>
+<li>1*thread (process)
+<li>1*socket (file descriptor)
+<li>1 stack memory segment + some heap memory, ~64K-128K depending on the system
+</ul>
+Each connected client require:
+<ul>
+<li>1*thread (process)
+<li>2*socket (file descriptor). For FTP 4 sockets are required. 
+<br>Under linux since 0.9 splice() is used. It's much more effective, but requires
+<br>2*socket (file descriptor) + 2*pipe (file descriptors) = 4 file descriptors.
+<br>For FTP 4 sockets and 2 pipes are required with splice().
+<br>Up to 128K (up to 256K in the case of splice()) of kernel buffers memory. This is theoretical maximum, actual numbers depend on connection quality and traffic amount.
+<br>1 additional socket (file descriptor) during name resolution for non-cached names
+<br>1 additional socket during authentication or logging for RADIUS authentication or logging.
+<li>1*ephemeral port (3*ephemeral ports for FTP connection).
+<li>1 stack memory segment of ~32K-128K depending on the system + at least 16K and up to few MB (for 'proxy' and 'ftppr') of heap memory. If you are short of memory, prefer 'socks' to 'proxy' and 'ftppr'.
+<li>a lot of system buffers, specially in the case of slow network connections.
+</ul>
+Also, additional resources like system buffers are required for network activity.
+
+<h4>Setting ulimits</h4>
+
+Hard and soft ulimits must be set above calculated requirements. Under Linux, you can
+check limits of running process with
+<pre>
+cat /proc/PID/limits
+</pre>
+where PID is a pid of the process. 
+Validate ulimits match your expectation, especially if you run 3proxy under dedicated account
+by adding e.g.
+<pre>
+system "ulimit -Ha >>/tmp/3proxy.ulim.hard"
+system "ulimit -Sa >>/tmp/3proxy.ulim.soft"
+</pre>
+in the beginning (before first service started) and the end of config file.
+Make both hard restart (that is kill and start 3proxy process) and soft restart
+by sending SIGUSR1 to 3proxy process, check ulimits recorded to files match your
+expecation. In systemd based distros (e.g. latest Debian / Ubuntu) changing limits.conf
+is not enough, limits must be ajusted in systemd configuration, e.g. by setting
+<pre>
+DefaultLimitDATA=infinity
+DefaultLimitSTACK=infinity
+DefaultLimitCORE=infinity
+DefaultLimitRSS=infinity
+DefaultLimitNOFILE=102400
+DefaultLimitAS=infinity
+DefaultLimitNPROC=10240
+DefaultLimitMEMLOCK=infinity
+</pre>
+in user.conf / system.conf
+
+<h4>Extending system limitation</h4>
+
+Check manuals / documentation for your system limitations e.g. system-wide limit for number of open files
+(fs.file-max in Linux). You may need to change sysctls or even rebuild the kernel from source.
+<p>
+To help with socket-based system-dependant settings, since 0.9-devel 3proxy supports different
+socket options which can be set via -ol option for listening socket, -oc for proxy-to-client
+socket and -os for proxy-to-server socket. Example:
+<pre>
+proxy -olSO_REUSEADDR,SO_REUSEPORT -ocTCP_TIMESTAMPS,TCP_NODELAY -osTCP_NODELAY
+</pre>
+available options are system dependant.
+
+<h4>Using 3proxy in virtual environment</h4>
+
+If 3proxy is used in VPS environment, there can be additional limitations. 
+For example, kernel resources / system CPU usage / IOCTLs can be limited in a different way, and this can become a bottleneck. 
+Since 0.9 devel, 3proxy uses splice() by default on Linux, splice() prevents network traffic from being copied from
+kernel space to 3proxy process and generally increases throughput, epecially in the case of high volume traffic. It especially
+true for virtual environment (it can improve thoughput up to 10 times) unless there are additional kernel limitations.
+Since some work is moved to kernel, it requires up to 2 times more kernel resources in terms of CPU, memory and IOCTLs.
+If your hosting additionally limits kernel resources (you can see it as nearly 100% CPU usage without any real CPU activity for
+any application which performs IOCTLS), use -s0 option to disable splice() usage for given service e.g.
+<pre> 
+socks -s0
+</pre>
+
+<h4>Extending ephemeral port range</h4>
+
+Check ephemeral port range for your system and extend it to the number of the
+ports required.
+Ephimeral range is always limited to maximum number of ports (64K). To extend the
+number of outgoing connections above this limit, extending ephemeral port range
+is not enough, you need additional actions:
+<ol>
+<li> Configure multiple outgoing IPs
+<li> Make sure 3proxy is configured to use different outgoing IP by either setting
+external IP via RADIUS
+<pre>
+radius secret 1.2.3.4
+auth radius
+proxy
+</pre>
+or by using multiple services with different external
+interfaces, example:
+<pre>
+allow user1,user11,user111
+proxy -p1111 -e1.1.1.1
+flush
+allow user2,user22,user222
+proxy -p2222 -e2.2.2.2
+flush
+allow user3,user33,user333
+proxy -p3333 -e3.3.3.3
+flush
+allow user4,user44,user444
+proxy -p4444 -e4.4.4.4
+flush
+</pre>
+or via "parent extip" rotation,
+e.g.
+<pre>
+allow user1,user11,user111
+parent 1000 extip 1.1.1.1 0
+allow user2,user22,user222
+parent 1000 extip 2.2.2.2 0
+allow user3,user33,user333
+parent 1000 extip 3.3.3.3 0
+allow user4,user44,user444
+parent 1000 extip 4.4.4.4 0
+proxy
+</pre>
+or
+<pre>
+allow *
+parent 250 extip 1.1.1.1 0
+parent 250 extip 2.2.2.2 0
+parent 250 extip 3.3.3.3 0
+parent 250 extip 4.4.4.4 0
+socks
+</pre>
+<pre>
+</pre>
+Under latest Linux version you can also start multiple services with different
+external addresses on the single port with SO_REUSEPORT on listening socket to
+evenly distribute incoming connections between outgoing interfaces:
+<pre>
+socks -olSO_REUSEPORT -p3128 -e 1.1.1.1
+socks -olSO_REUSEPORT -p3128 -e 2.2.2.2
+socks -olSO_REUSEPORT -p3128 -e 3.3.3.3
+socks -olSO_REUSEPORT -p3128 -e 4.4.4.4
+</pre>
+for Web browsing last two examples are not recommended, because same client can get
+different external address for different requests, you should choose external
+interface with user-based rules instead.
+<li> You may need additional system dependant actions to use same port on different IPs,
+usually by adding SO_REUSEADDR (SO_PORT_SCALABILITY for Windows) socket option to
+external socket. This option can be set (since 0.9 devel) with -os option:
+<pre>
+proxy -p3128 -e1.2.3.4 -osSO_REUSEADDR
+</pre>
+Behavior for SO_REUSEADDR and SO_REUSEPORT is different between different system,
+even between different kernel versions and can lead to unexpected results.
+Specifics is described <a href="https://stackoverflow.com/questions/14388706/socket-options-so-reuseaddr-and-so-reuseport-how-do-they-differ-do-they-mean-t">here</a>.
+Use this options only if actually required and if you fully understand possible
+consiquences. E.g. SO_REUSEPORT can help to establish more connections than the
+number of the client port available, but it can also lead to situation connections
+are randomely fail due to ip+port pairs collision if remote or local system 
+doesn't support this trick.
+</ol>
+
+<h4>Setting stacksize</h4>
+
+'stacksize' is a size added to all stack allocations and can be both positive and
+negative. Stack is required in functions call. 3proxy itself doesn't require large
+stack, but it can be required if some
+purely-written libc, 3rd party libraries or system functions called. There is known\
+dirty code in Unix ODBC
+implementations, build-in DNS resolvers, especially in the case of IPv6 and large
+number of interfaces. Under most 64-bit system extending stacksize will lead
+to additional memory space usage, but do not require actual commited memory,
+so you can inrease stacksize to relatively large value (e.g. 1024000) without
+the need to add additional phisical memory,
+but it's system/libc dependant and requires additional testing under your
+installation. Don't forget about memory related ulimts.
+<p>For 32-bit systems address space can be a bottlneck you should consider. If
+you're short of address space you can try to use negative stack size.
+
+<h4>Known system issues</h4>
+
+There are known race condition issues in Linux / glibc resolver. The probability
+of race condition arises under configuration with IPv6, large number of interfaces
+or IP addresses or resolvers configured. In this case, install local recursor and
+use 3proxy built-in resolver (nserver / nscache / nscache6).
+<h4>Do not use public resolvers</h4>
+Public resolvers like ones from Google have ratelimits. For large number of
+requests install local caching recursor (ISC bind named, PowerDNS recursor, etc).
+
+<h4>Avoid large lists</h4>
+
+Currently, 3proxy is not optimized to use large ACLs, user lists, etc. All lists
+are processed lineary. In devel version you can use RADIUS authentication to avoid
+user lists and ACLs in 3proxy itself. Also, RADIUS allows to easily set outgoing IP
+on per-user basis or more sophisicated logics.
+RADIUS is a new beta feature, test it before using in production.
+
+<h4>Avoid changing configuration too often</h4>
+
+Every configuration reload requires additional resources. Do not do frequent
+changes, like users addition/deletaion via connfiguration, use alternative
+authentication methods instead, like RADIUS.
+
+<h4>Consider using 'noforce'</h4>
+
+'force' behaviour (default) re-authenticates all connections after
+configuration reload, it may be resource consuming on large number of
+connections. Consider adding 'noforce' command before services started
+to prevent connections reauthentication.
+
+<h4>Do not monitor configuration files directly</h4>
+
+Using configuration file directly in 'monitor' can lead to race condition where
+configuration is reloaded while file is being written.
+To avoid race conditions:
+<ol>
+<li> Update config files only if there is no lock file
+<li> Create lock file then 3proxy configuration is updated, e.g. with
+"touch /some/path/3proxy/3proxy.lck". If you generate config files
+asynchronously, e.g. by user's request via web, you should consider
+implementing existance checking and file creation as atomic operation.
+<li>add
+<pre>
+system "rm /some/path/3proxy/3proxy.lck"
+</pre>
+at the end of config file to remove it after configuration is successfully loaded
+<li> Use a dedicated version file to monitor, e.g.
+<pre>
+monitor "/some/path/3proxy/3proxy.ver"
+</pre>
+<li> After config is updated, change version file for 3proxy to reload configuration,
+e.g. with "touch /some/path/3proxy/3proxy.ver".
+</ol>
+
+<h4>Use TCP_NODELAY to speed-up connections with small amount of data</h4>
+
+If most requests require exchange with a small amount of data in a both ways
+without the need for bandwidth, e.g. messengers or small web request,
+you can eliminate Nagle's algorithm delay with TCP_NODELAY flag. Usage example:
+<pre>
+proxy -osTCP_NODELAY -ocTCP_NODELAY
+</pre>
+sets TCP_NODELAY for client (oc) and server (os) connections.
+<p>Do not use TCP_NODELAY on slow connections with high delays and then
+connection bandwidth is a bottleneck.
+
+<h4>Use splice to speedup large data amount transfers</h4>
+
+splice() allows to copy data between connections without copying to process
+addres space. It can speedup proxy on high bandwidth connections, if most
+connections require large data transfers. Splice is enabled by default on Linux
+since 0.9, "-s0" disables splice usage. Example:
+<pre>
+proxy -s0
+</pre>
+Splice is only available on Linux. Splice requires more system buffers and file descriptors,
+and produces more IOCTLs but reduces process memory and overall CPU usage.
+Disable splice if there is a lot of short-living connections with no bandwidth
+requirements.
+<p>Use splice only on high-speed connections (e.g. 10GBE), if processor, memory speed or
+system bus are bottlenecks.
+<p>TCP_NODELAY and splice are not contrary to each over and should be combined on
+high-speed connections.
+
+<h4>Add grace delay to reduce system calls<h4>
+
+<pre>proxy -g8000,3,10</pre>
+First parameter is average read size we want to keep, second parameter is
+minimal number of packets in the same direction to apply algorythm,
+last value is delay added after polling and prior to reading data.
+An example above adds 10 millisecond delay before reading data if average
+polling size is below 8000 bytes and 3 read operations are made in the same
+direction. It's specially usefule with splice. <pre>logdump 1 1</pre> is useful
+to see how grace delays work, choose delay value to avoid filling the read
+pipe/buffer (typically 64K) but keep the request sizes close to chosen average
+on large file upload/download.

doc/html/howtoe.html

@@ -8,7 +8,6 @@
 		<li><A HREF="#INTL">How to compile 3proxy with Intel C Compiler under Windows</A>
 		<li><A HREF="#GCCWIN">How to compile 3proxy with GCC under Windows</A>
 		<li><A HREF="#GCCUNIX">How to compile 3proxy with GCC under Unix/Linux</A>
-		<li><A HREF="#CCCUNIX">How to compile 3proxy with Compaq C Compiler under Unix/Linux</A>
 	</ul>
 	<li><A HREF="#INSTALL">Proxy server installation and removal</A>
 	<ul>
@@ -18,20 +17,32 @@
 	</ul>
 	<li><A HREF="#SERVER">Server configuration</A>
 	<ul>
-		<li><A HREF="#SAMPLE">Where to find configuration example</A>
+  <li><a href="#NOTHING">How to make 3proxy start</a></li>
+    <li><a href="#LIMITS">How to make limitation (access, bandwidth, traffic, connections) work</a></li>
+    <li><a href="#SERVICE">How to make 3proxy to run as a service</a></li>
+    <li><a href="#INTEXT">How to understand internal and external</a></li>
+    <li><a href="#ODBC">How to make ODBC logging work?</a></li>
+    <li><a href="#IPV6">How to make IPv6 work</a></li>
+    <li><a href="#CRASH">How to fix 3proxy crashes</a></li>
+  		<li><A HREF="#SAMPLE">Where to find configuration example</A>
 		<li><A HREF="#LOGGING">How to set up logging</A>
 		<li><A HREF="#LOGFORMAT">How to setup logging format</A>
 		<li><A HREF="#LOGANALIZERS">How to use log analizers with 3proxy</A>
 		<li><A HREF="#LAUNCH">How to start any of proxy services (HTTP, SOCKS etc)</A>
-		<li><A HREF="#BIND">How to bind service to specific interface and port?</A>
+		<li><a href="#BIND">How to bind service to specific interface or port</a>
+		<li><a href="#NAMES">How to resolve names through a parent proxy</a></li>
+		<li><a href="#ISFTP">How to setup FTP proxy</a></li>
+		<li><a href="#TLSPR">How to setup SNI proxy (tlspr)</a></li>
 		<li><A HREF="#AUTH">How to limit service access</A>
 		<li><A HREF="#USERS">How to create user list</A>
 		<li><A HREF="#ACL">How to limit user access to resources</A>
 		<li><A HREF="#REDIR">How to manage redirections</A>
+		<li><a href="#SOCKSREDIR">How to manage local redirections</a>
 		<li><A HREF="#ROUNDROBIN">How to balance traffic between few external channgels?</A>
 		<li><A HREF="#CHAIN">How to manage proxy chains</A>
 		<li><A HREF="#BANDLIM">How to limit bandwidth</A>
 		<li><A HREF="#TRAFLIM">How to limit traffic amount</A>
+		<li><a href="#TRAF">How to fix incorrect traffic accounting</a>
 		<li><A HREF="#NETLIST">How to build network lists</A>
 		<li><a href="#NSCACHING">How to configure name resolution and DNS caching</a>
 		<li><a href="#IPV6">How to use IPv6</a>
@@ -84,12 +95,6 @@ shouldn't have problems under different Solaris, BSD or linux compatible systems
 For different systems you may be required to patch Makefile or even source codes.
 If you want to use ODBC support, make sure to install ODBC for unix, remove -DNOODBC
 option from makefile compiler options and add ODBC library to linker variable.
-</p>
-	</ul>
-<hr>
-		<li><A NAME="CCCUNIX">How to compile 3proxy with Compaq C Compiler under Unix/Linux</A></li>
-<p>
-See <A HREF="#GCCUNIX">How to compile 3proxy with GCC under Unix/Linux</A>, use Makefile.ccc instead of Makefile.unix.
 </p>
 	</ul>
 <hr>
@@ -164,6 +169,83 @@ Add 3proxy to system startup scripts.
 	<li><A NAME="SERVER">Server configuration</A>
 <p>
 	<ul>
+  <li><a name="NOTHING">How to make 3proxy start</a>
+<p>Valid configuration file is required.
+
+    <li><a name="IMITS">How to make limitation (access, bandwidth, traffic, connections) work</a>
+<p> Most probable reasons for non-working limitations: 'auth none' or no auth is used. For any ACL based feature one of 'iponly', 'nbname' or 'strong' auths required. Sequence of commands may be invalid. Commands are executed one-by-one and 'proxy', 'tcppm', 'socks' or another service commands must follow valid configuration. Invalid sequence of ACLs. First matching ACL is used (except of internal redirections, see below). If ACL contains at least one records last record is assumed to be 'deny *'.
+
+    <li><a name="SERVICE">How to make 3proxy to run as a service</a>
+<p>Possible reasons for 3proxy starts manually but fails to start as a service:
+<ul>
+<li>there are relative paths in configuration file for included files,
+log files, etc. Always use absolute paths. For example
+$"c:\3proxy\networks.local" instead of  $networks.local. For debugging remove
+'service' and 'daemon', log to stdout an try to execute 3proxy from command
+line from some different directory (for example from disk root).
+<li>SYSTEM account doesn't have access to executable file, configuration files,
+log files, etc.
+<li>configuration files is not located in default path (3proxy.cfg in same
+location with 3proxy.exe). For alternative configuration file location use
+<pre>
+3proxy --install full_path_to_configuration_file
+</pre>
+<li>user has no rights to install or start service
+<li>service is already installed and/or started
+
+</ul>
+
+<p><A NAME="INTEXT">How to understant internal and external</A>
+<p>
+Both internal and external IPs are IPs of the host running 3proxy itself.
+This configuration option is usefull in situation 3proxy is running on the
+border host with 2 (or more) connections: e.g. LAN and WAN with different IPs
+<pre>
+     LAN connection +-------------+ Internet connection
+LAN <-------------->| 3proxy host |<-------------------> INTERNET
+                   ^+-------------+^
+	           |               |
+              Internal IP       External IP
+</pre>
+If 3proxy is used on the host with single connection, both internal and
+external are usually same IP.
+<br>Internal should exist and be UP on the moment 3proxy is started and
+should never be disconnected/DOWN. If this interface is periodically
+disconnected (e.g. direct link between 2 hosts), do not specify internal
+address or use 0.0.0.0 instead. In this case, if you have 2 or more
+interfaces you must use firewall (preferably) or 3proxy ACLs to avoid open
+proxy situation. 
+<br>
+External IP (if specified) must exist in the momet 3proxy
+serves client request. If external interface is no specified (or 0.0.0.0),
+system select external IP. It may be possible to access resources of internal
+network, to prevent this use ACLs. In addition, SOCKSv5 will not support BIND
+operation, required for incoming connections (this operation is quite rarely
+implemented in SOCKSv5 clients and usually is not required). In case of
+dynamic address, do not specify external or use external 0.0.0.0 or, if
+external address is required, create a script to determine current external
+IP and save it to file, and use external "$path_to_file" with "monitor" command
+to automatically reload configuration on address change.
+
+    <li><a name="ODBC">How to make ODBC logging work?</a>
+<p>
+Check you use system DSN. 
+Check SQL request is valid. 
+The best way to check is to make file or stdout logging, get SQL request from log file or console and execute this request manually.
+Under Unix, you may also want to adjust 'stacksize' parameter.
+
+    <li><a name="IPV6">How to make IPv6 work</a>
+<p> Proxy can not access destination directly over IPv6 if client requests IPv4 address.
+To access IPv6 destination, either IPv6 address or hostname  must be used in request.
+Best solution is to enable option to resolve hostnames via proxy on client side.
+
+    <li><a name="CRASH">How to fix 3proxy crashes</a>
+<p> default stacksize may be insufficient, if some non-default plugins
+  are used (e.g. PAM and ODBC on Linux) or if compiled on some platforms with
+  invalid system defined values (few versionds of FreeBSD on amd64).
+  Problem can be resolved with 'stacksize' command or '-S' option starting 3proxy 0.8.4.
+
+
 		<li><A NAME="SAMPLE">Where to find configuration example</A>
 <p>
 Server configuration example 3proxy.cfg.sample is in any 3proxy distribution.
@@ -219,7 +301,7 @@ sets rotation type. LOGTYPE may be:
 	<li>W, weekly
 	<li>D, daily
 	<li>H, hourly
-	<li>‘, minutely
+	<li>C, minutely
 </ul>
 <pre>
 	rotate NUMBER
@@ -280,7 +362,7 @@ logformat "L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"
 </pre>
 	generates something like
 <p><font face="courier">
-1042454727.0296 SOCK4.1080 000 3APA3A 127.0.0.1:4739 195.122.226.28:4739 505 18735 1 GET http://3proxy.ru/ HTTP/1.1
+1042454727.0296 SOCK4.1080 000 3APA3A 127.0.0.1:4739 195.122.226.28:4739 505 18735 1 GET http://3proxy.org/ HTTP/1.1
 </font>
 <br>(no line breaks)
 </p>
@@ -382,6 +464,53 @@ proxy -p8080 -i192.168.1.1
 proxy -p8080 -i192.168.2.1
 </pre>
 </p>
+  <li><a name="NAMES">How to resolve names through a parent proxy</a></li>
+  <p>
+  <i>A:</i> Use one of proxy, connect+, socks4+ or socks5+ as a parent type. 3proxy
+  itself still performs a name resolution, it's required e.g. to ACLs matching.
+  So, if no name resolution must be performed by 3proxy itself add a command
+  <pre>
+  fakeresolve</pre>
+  this command resolves any name to 127.0.0.2 address.
+  </p>
+  <li><a name="ISFTP"><i>How to setup FTP proxy</i></a></li>
+  <p>
+  There is FTP over HTTP (what is called FTP proxy in browsers) and FTP over FTP ¯à®ªá¨
+  (what is called FTP proxy in file managers and FTP clients). For browsers, there is no need to start additional
+  proxy service, 'proxy' supports FTP over HTTP, configure 'proxy' port as an FTP proxy. For ftp clients and file
+  managers use ftppr. FTP proxy supports both active and passive mode with client, but always use passive mode with FTP servers.
+  </p>
+  <li><a name="TLSPR"><i>How to setup SNI proxy (tlspr)</i></a></li>
+  <p>
+    SNI proxy can be used to transparently redirect any TLS traffic with external router or local redirection rules. It can also be used
+    to extract hostnames from TLS to use in ACLs in combination with SOCKS or HTTP(s) proxy and/or Transparent plugin. It can also be used to require TLS or mTLS between services. TLS hadshake contains no
+    port information, if tlspr is used as a standalone service, destination port may be either detected with Transparent plugin or configured with -P option (default 443).
+  </p><p>    
+    -c option is used  to specify level of TLS check:    
+</p><pre>
+0 (default) - allow non-TLS traffic
+1 - require TLS, only check client HELLO packet
+2 - require TLS, check both client and server HELLO
+3 - require TLS, check server send certificate (not compatible with TLS 1.3)
+4 - require mutual TLS, check server send certificate request and client sends certificate (not compatible with TLS 1.3)    
+</pre>
+<p>
+configuration examples:
+1. port 1443 may be used to redirect traffic to destination port 143). SNI is used to find destination host
+<pre>
+tlspr -p1443 -P443 -c1
+</pre>
+2. used as parent tls to detect destination hostname from TLS in socks
+<pre>
+allow * * * 80
+parent 1000 http 0.0.0.0 0
+allow * * * * CONNECT
+parent 1000 tls 0.0.0.0 0
+deny * * some.not.allowed.host
+allow *
+socks
+</pre>
+  </p>
 		<li><A NAME="AUTH">How to limit service access</A>
 <p>
 First, always specify internal interface to accept incoming connection with
@@ -461,7 +590,12 @@ proxy -n
 </p>
 Please note, that caching affects security. Never use caching for access to
 critical resources, such as web administration.
-
+  <p>authcache can be used to bind user's sessions to ip with 'limit' option, with
+  <pre>
+  autchcache ip,user,pass,limit 120
+  auth cache strong</pre>
+  user will not be able to use more than a single IP during cache time (120 sec).
+  </p>
 		<li><A NAME="USERS">How to create user list</A>
 <p>
 Userslist is created with 'users' command.
@@ -513,7 +647,7 @@ allow &lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&
 'flush' command is used to finish with existing ACL and to start new one.
 It's required to have different ACLs for different services.
 'allow' is used to allow connection and 'deny' to deny connection. 'allow'
-command can be extended by 'parent' command to manage redirections (see <A NAME="REDIR">How to manage redirections</A>)). If ACL
+command can be extended by 'parent' command to manage redirections (see <A href="#REDIR">How to manage redirections</A>)). If ACL
 is empty it allow everything. If ACL is not empty, first matching ACL entry
 is searched for user request and ACL action (allow or deny) performed. If
 no matching record found, connection is denied and user will be asked to
@@ -602,6 +736,60 @@ no need to run these services expicitly. Local redirections are usefull if
 you want to see and control via ACLs protocol specific parameters, e.g.
 filenames requests thorugh FTP while clients are using SOCKS.
 </p>
+    <li><a name="SOCKSREDIR">Š ª ã¯à ¢«ïâì «®ª «ì­ë¬¨ ¯¥à¥­ ¯à ¢«¥­¨ï¬¨</a>
+<p>
+<p><i>Q: What is it for?</i></p>
+A: To have control based on request and to have URLs and another protocol specific parameters to be logged.
+
+<p><i>Q: What are restrictions?</i></p>
+A: It's hard to redirect services for non-default ports; Internet Explorer supports only SOCKSv4 with no password authentication (Internet Explorer sends username, but not password), for SOCKSv5 only cleartext password authentication is supported.
+
+<p><i>Q: What are advantages?</i></p>
+A: You need only to setup SOCKS proxy in browser settings. You can use socksifier, i.e. FreeCAP or SocksCAP with application which is not proxy aware.
+
+<p><i>Q: How to setup?</i></p>
+A: You should specify parent proxy with IP of 0.0.0.0 and port 0. Examples:
+<pre>
+auth iponly
+allow * * * 80,8080-8088
+parent 1000 http 0.0.0.0 0
+allow * * * 80,8080-8088
+#redirect ports 80 and 8080-8088 to local HTTP proxy
+#Second allow is required, because ACLs are checked
+#twice: first time by socks and second by http proxy.
+
+allow * * * 21,2121
+parent 1000 ftp 0.0.0.0 0
+allow * * * 21,2121
+#redirect ports 21 and 2121 to local 
+#ftp proxy
+
+
+allow *
+#allow rest of connections directly
+
+socks
+#now let socks server to start
+</pre>
+
+<p><i>Q: How it affects different ACL rules</i></p>
+A: After local redirections rules are applied again to protocol-level request. Redirection rule itself is skipped. It makes it possible to redirect request again on the external proxy depending on request itself.
+<pre>
+allow * * * 80,8080-8088
+parent 1000 http 0.0.0.0 0
+#redirect http traffic to internal proxy
+
+allow * * $c:\3proxy\local.nets 80,8080-8088
+#allow direct access to local.nets networks
+allow * * * 80,8080-8088
+parent 1000 http proxy.3proxy.org 3128
+#use parent caching proxy for rest of the networks
+
+allow *
+#allow direct connections for rest of socks
+#requests
+</pre>
+
 		<li><A NAME="ROUNDROBIN">How to balance traffic between few external channgels?</A>
 <p>
 Proxy itself doesn't manage network level routing. The only way to control
@@ -717,30 +905,9 @@ reportpath specifies location of text reports, type parameter of 'counter'
 command controls how often text reports are created. amount is amount of
 allowed traffic in Megabytes (MB). nocountin allows you to set exclusions.
 </p>
-		<li><A NAME="NETLIST">How to build network lists</A>
-<p>Networks or users lists are often very huge. 3proxy doesn't currently
-supports user groups, but ones can be created by the means of include files.
-You can store comma-delimited lists of networks or users in the separate
-file and use $ macro to insert this list into 3proxy.cfg.
-3proxy comes with 'dighosts'
-utility. This utility helps to grab the list of the network from HTTP page.
-It may be usefull to e.g. obtain a regullary updated list of local networks
-from ISP's server. A network list can be either in form of NETWORK MASK,
-e.g. 192.168.1.0 255.255.255.0 or NETWORK/LENGTH, e.g. 192.168.1.0/24. You can
-launch dighosts from 3proxy.cfg to be executed on every 3proxy startup or
-configuration reload:
-<pre>
-system "dighosts http://provider/network.html local.networks"
-allow * * $local.networks
-allow *
-parent 1000 proxy.provider 3128 *
-proxy
-flush
-</pre>
-In this example we obtain list of local networks from provider's page to
-local.networks file, allow direct access to these networks and redirect all
-connection to external networks to provider's proxy.
-</p>
+  <li><a name="TRAF"><i>How to fix incorrect traffic accounting</i></a>
+
+  <p>3proxy accounts protocol level traffic. Provider counts channel or IP-level traffic with network and transport headers. In additions, 3proxy doesn't counts DNS resolutions, pings, floods, scans, etc. It makes approx. 10% of difference. That's why you should have 15% reserve if you use 3proxy to limit your traffic. If difference with your provider is significantly above 10% you should look for traffic avoiding proxy server, for example connections through NAT, traffic originated from the host with proxy installed, traffic from server applications, etc.
   <li><a name="NSCACHING"><i>How to configure name resolution and DNS caching</i></a>
   <p>
   For name resolution and caching use commands nserver, nscache / nscache6 and nsrecord.
@@ -812,7 +979,7 @@ connection to external networks to provider's proxy.
 		<li><A NAME="NEWVERSION">How to obtain latest 3proxy version</A>
 <p>
 Latest version of 3proxy may be obtained
-<A HREF="http://3proxy.ru/">here</A>.
+<A HREF="https://3proxy.org/">here</A>.
 New version may have changes and incompatibilities with previous one in files
 format or commands. Please, read CHANGELOG file and another documentation
 before installing new version.
@@ -865,6 +1032,16 @@ You can control 3proxy service via "Services" administration ot via "net" comman
 		<li>50-69 - SOCKS5 PROXY REDIRECTION ERRORS
 		<li>70-79 PARENT PROXY CONNECTION ERRORS (identical to 1x)
 		<li>90-99 - established connection errors
+<li>since 0.9
+    <li>90 - unexpected system error (should not happen)
+    <li>91 - unexpected poll error (should not happen)
+    <li>92 - connection terminated by timeout (see timeouts)
+    <li>93 - connection terminated by ratelimit-related timeout or due to errors limit
+    <li>94 - connection termination by server or client with unsent data
+    <li>95 - dirty connection termination by client (or networking issue)
+    <li>96 - dirty connection termination by server (or networking issue)
+    <li>97 - dirty connection termination by both client and server (probably networking issue)
+<li>prior to 0.9:
 		<li>90 - socket error or connection broken
 		<li>91 - TCP/IP common failure
 		<li>92 - connection timed out
@@ -888,7 +1065,7 @@ You can control 3proxy service via "Services" administration ot via "net" comman
 <hr>
 	<li><A NAME="QUEST">How To ask quiestion not in How To?</A>
 <p>
-	Ask it in <A HREF="http://3proxy.ru/board4.html">3proxy forum</A>.
+	Ask it in <A HREF="https://github.com/z3APA3A/3proxy/issues">Github</A>.
 	Don't try to ask something before reading this document.
  </ul>
 

doc/html/howtor.html

@@ -1,5 +1,5 @@
-3APA3A 3proxy tiny proxy server HowTo
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+3APA3A 3proxy tiny proxy server HowTo
 <br>В стадии разработки
 <ul>
   <li><a href="#COMPILE">Компиляция</a>
@@ -18,25 +18,35 @@
   </ul>
   <li><a href="#SERVER">Конфигурация сервера</a>
   <ul>
+    <li><a href="#NOTHING">Как заставить 3proxy запускаться</a></li>
+    <li><a href="#LIMITS">Как заставить ограничения (по ширине канала, трафику, ACL и. т.п.) работать</a></li>
+    <li><a href="#SERVICE">Как заставить 3proxy запускаться как службу</a></li>
+    <li><a href="#INTEXT">Как разобраться с internal и external</a></li>
+    <li><a href="#ODBC">Как починить ведение журналов в ODBC?</a></li>
+    <li><a href="#IPV6">Как заставить IPv6 работать</a></li>
+    <li><a href="#CRASH">Как сделать чтобы 3proxy не крешился</a></li>
     <li><a href="#SAMPLE">Как посмотреть пример файла конфигурации</a>
     <li><a href="#LOGGING">Как настроить ведение журнала</a>
     <li><a href="#LOGFORMAT">Как настроить формат журнала</a>
     <li><a href="#LOGANALIZERS">Как использовать лог-анализаторы с 3proxy</a>
     <li><a href="#LAUNCH">Как запустить конкретную службу (HTTP, SOCKS и т.д)</a>
     <li><a href="#BIND">Как повесить службу на определенный интерфейс или порт</a>
+    <li><a href="#NAMES">Как разрешать имена на родительском прокси?</a></li>
+    <li><a href="#ISFTP">Как настроить FTP прокси?</a></li>
+    <li><a href="#TLSPR">Как настроить SNI proxy (tlspr)</a></li>
     <li><a href="#AUTH">Как ограничить доступ к службе</a>
     <li><a href="#USERS">Как создать список пользователей</a>
     <li><a href="#ACL">Как ограничить доступ пользователей к ресурсам</a>
     <li><a href="#REDIR">Как управлять перенаправлениями</a>
+    <li><a href="#SOCKSREDIR">Как управлять локальными перенаправлениями</a>
     <li><a href="#ROUNDROBIN">Как организовать балансировку между несколькими каналами</a>
     <li><a href="#CHAIN">Как составлять цепочки прокси</a>
     <li><a href="#BANDLIM">Как ограничивать скорости приема</a>
     <li><a href="#TRAFLIM">Как ограничивать объем принимаемого трафика</a>
-    <li><a href="#NETLIST">Как строить списки сетей</a>
+    <li><a href="#TRAF">Как пофиксить некорректный подсчет трафика</a></li>
     <li><a href="#NSCACHING">Как управлять разрешением имен и кэшированием DNS</a>
     <li><a href="#IPV6">Как использовать IPv6</a>
     <li><a href="#CONNBACK">Как использовать connect back</a>
-    <li><a href="#DEMANDDIAL">Как устанавливать соединение по требованию</a>
   </ul>
   <li><a href="#CLIENT">Конфигурация и настройка клиентов</a>
   <ul>
@@ -172,6 +182,101 @@
 <li><a name="SERVER"><b>Конфигурация сервера</b></a>
 <p>
 <ul>
+  <li><a name="NOTHING">Как заставить прокси работать</a></li>
+  <p>
+	Для работы требуется корректный файл конфигурации. Если прокси не запускается, значит в конфигурации есть ошибка.
+  </p>
+  <li><a name="LIMITS">Как заставить работать ограничения (контроль доступа, ограничения ширины канала, счетчики и т.п.)</a></li>
+  <p>
+  <i>A:</i> Обычные ошибки - использование auth none (для работы любых
+  функций, основанных на ACL, требуется auth iponly, nbname или strong),
+  нарушение порядка ввода команд (команды выполняются последовательно,
+  запуск сервиса proxy, socks, tcppm и т.д. должен осуществляться после
+  того, как указана его конфигурация), неправильный порядок записей в ACL
+  (записи просматриваются последовательно до первой, удовлетворяющей
+  критериям). Если в ACL имеется хотя бы одна запись, то считается, что
+  последняя запись в ACL - это неявная deny *.
+  </p>
+  <li><a name="SERVICE">Как починить запуск 3proxy службой</a></li>
+  <p>
+  Чаще всего 3proxy не запускается службой (но запускается вручную) по одной из следующих причин:
+  <ul>
+    <li>Использование относительных (неполных) путей файлов в файле конфигурации
+    При использовании файлов журналов, файлов вставок ($filename) используйте
+    полные пути, например, $"c:\3proxy\include files\networks.local". Тоже самое
+    относится к файлам журналов и любым другим.
+    Для отладки лучше запускать 3proxy с ведением журнала на стандартный вывод.
+    Не забудьте в таком случае отключить daemon и service в файле конфигурации.
+    Для чистоты эксперимента запускать 3proxy из коммандной строки в таком случае
+    следует, находясь в другой папке.
+    <li>Отсутствие у системной записи прав на доступ к исполняемому файлу, каким-либо файлам конфигурации, журнала и т.п.
+    <li>Отсутствие файла конфигурации по стандартному расположению -
+    3proxy.cfg в одном каталоге с исполняемым файлом. Если файл расположен по
+    другому пути, необходимо использовать команду
+    <pre>
+    3proxy --install path_to_configuration_file</pre>
+    <li>Отсутствие у пользователя прав на установку или запуск службы
+    <li>Служба уже установлена или запущена
+  </ul>
+  </p>
+  <li><a name="INTEXT">Как разобраться с internal и external</a></li></li>
+  <p>
+  Убедитесь, что выправильно понимаете что такое internal и external адреса.
+  Оба адреса - это адреса, принадлежищие хосту, на котором установлен 3proxy.
+  Эта опция конфигурации необходима в классической ситуации, когда 3proxy
+  установлен на граничном компьютере с двумя (или более) подключениями:
+  <pre>
+       LAN connection +-------------+ Internet connection
+  LAN <-------------->| 3proxy host |<-------------------> INTERNET
+                     ^+-------------+^
+                     |               |
+               Internal IP      External IP</pre>
+  Если 3proxy работает на хосте с одним интерфейсом, то его адрес будет и
+  internal и external.
+  <br>Интерфейс с адресом internal должен существовать и быть рабочим на момент
+  запуска 3proxy, и не должен отключаться. Если internal интерфейс
+  периодически отключается, то не следует его указывать, или можно указать адрес
+  0.0.0.0. При этом прокси будет принимать запросы на всех интерфейсах, поэтому
+  при наличии нескольких интерфейсов для ограничения доступа следует использовать
+  фаервол или хотя бы ACL.
+  </p>
+  <p>
+  Интерфейс с адресом external, если он указан, должен быть рабочим на момент
+  получения запроса клиента. При отсутствии external или адресе 0.0.0.0 внешний
+  адрес будет выбираться системой при установке соединения. При этом, может быть
+  возможность доступа через прокси к ресурсам локальной сети, поэтому для
+  предотвращения несанкционированного доступа следует использовать ACL. Кроме
+  того, могут быть проблемы с приемом входящих соединений через SOCKSv5
+  (SOCKSv5 используется в клиентах исключительно редко).
+  В случае, если адрес динамический, можно либо не
+  указывать external, либо использовать адрес 0.0.0.0, либо, если необходима
+  поддержка входящих соединений в SOCKSv5, использовать скрипт,
+  который будет получать текущий адрес и сохранять его в файл, который будет
+  отслуживаться через команду monitor.
+  </p>
+  <li><a name="ODBC">Как починить ведение журналов в ODBC</a></li>
+  <p>
+  Убедитесь, что используется системный, а не
+  пользовательский DSN. Убедитесь, что выполняется правильный SQL запрос. Наиболее
+  распространенная проблема связана с отсутствием кавычек или неправильным
+  форматом данных. Самый простой способ - сделать ведение журнала в файл или
+  на стандартный вывод, просмотреть выдаваемые SQL запросы и попробовать
+  дать такой запрос вручную.
+  </p> 
+  <li><a name="IPv6">Как починить IPv6</a></li>
+  <p>
+  Прокси не может обращаться напрямую к IPv6 сети если в запросе от клиента
+  указан IPv4. В запросе от клиента должен быть IPv6 адрес или имя хоста, чаще
+  всего это решается включением опции разрешения имен через прокси-сервер на стороне
+  клиента.
+  </p> 
+  <li><a name="CRASH">Как починить падения 3proxy</a></li>
+  <p>
+  Возможно, недостаточен размер стека потока по-умолчанию, это может
+  быть при использовани каких-либо сторонних плагинов (PAM, ODBC) или на
+  некоторых платформах (некоторые версии FreeBSD на amd64). Можно решить
+  проблему с помощью опции 'stacksize' или '-S', поддерживаемых в 0.8.4 и выше.
+  </p>
   <li><a name="SAMPLE"><i>Как посмотреть пример файла конфигурации</i></a>
   <p>
   Пример файла конфигурации 3proxy.cfg.sample поставляется с любым дистрибутивом
@@ -225,7 +330,7 @@
     <li>W, еженедельная ротация
     <li>D, ежедневная ротация
     <li>H, ежечасная ротация
-    <li>С, ежеминутная ротация
+    <li>C, ежеминутная ротация
   </ul>
   <pre>
   rotate NUMBER</pre>
@@ -386,6 +491,59 @@
   <pre>
   proxy -p8080 -i192.168.1.1
   proxy -p8080 -i192.168.2.1</pre>
+  <li><a name="NAMES"><i>Как разрешать имена на родительском прокси?</i></a></li>
+  <p>
+  <i>A:</i> Для этого надо использовать тип родительского прокси http,
+  connect+, socks4+ и socks5+. Однако, при это надо помнить, что самому 3proxy
+  требуется разрешение имени для управления ACL. Поэтому, если с прокси-хоста
+  не работают разрешения имени, необходимо в конфигурации дать команду
+  <pre>
+  fakeresolve</pre>
+  которая разрешает любое имя в адрес 127.0.0.2.
+  </p>
+  <li><a name="ISFTP"><i>Как настроить FTP прокси?</i></a></li>
+  <p>
+  Есть поддержка как FTP через HTTP (то, что называется FTP прокси в браузерах) так и настоящего FTP прокси (то, что называется
+  FTP proxy в командных оболочках и FTP клиентах). В браузерах в качестве FTP прокси следует прописывать порт службы proxy,
+  т.е. FTP организован
+  через http прокси, дополнительного прокси поднимать не надо. Для FTP-клиентов необходимо поднять ftppr. FTP прокси всегда работает
+  с FTP сервером в пассивном режиме.
+  </p>
+    <li><a name="TLSPR"><i>Как настроить SNI proxy (tlspr)</i></a></li>
+  <p>
+ 
+    SNI proxy может быть использовать для транспарентного перенаправления любого TLS трафика (например HTTPS) на внешнем маршрутизаторе
+    или локальными правилами. Так же можно использовать его для извлечения имени хоста из TLS хендшейка с целью логгирования или использования в ACL.
+    Еще одна задача которую может решать модуль - требование наличия TLS или mTLS (mutual TLS).
+    Если tlspr используется как отдельный сервис без исползования плагина Transparent, то необходимо задать порт назначения через опцию -T (по умолчанию 443),
+    т.к. TLS хендшейк не содержит информации о порте назначения.
+  </p><p>    
+    -c контролирует уровень требования к TLS:
+</p><pre>
+0 (по умолчанию) - пропустить трафик без TLS
+1 - требовать TLS, проверять наличие client HELLO
+2 - требовать TLS, проверять наличие client и server HELLO
+3 - требовать TLS, проверять наличие серверного сертификата (не совместим с TLS 1.3+)
+4 - требовать взаимный (mutual) TLS, проверять что сервер запрашивает сертификат и клиент его отправляет (не совместим с TLS 1.3+)    
+</pre>
+<p>
+примеры конфигурации:
+1. Порт 1443 можно использовать для перенаправления в него HTTPS трафика по порту 443 (например с внешнего маршрутизатора)
+<pre>
+tlspr -p1443 -P443 -c1
+</pre>
+2. tlspr используется как родительский прокси в SOCKS чтобы обнаруживать реальный hostname назначения (даже если запрашивается подклюение по IP адресу)
+<pre>
+allow * * * 80
+parent 1000 http 0.0.0.0 0
+allow * * * * CONNECT
+parent 1000 tls 0.0.0.0 0
+deny * * some.not.allowed.host
+allow *
+socks
+</pre>
+  </p>
+
   <li><a name="AUTH"><i>Как ограничить доступ к службе</i></a>
   <p>
   Во-первых, для ограничения доступа необходимо указать внутренний интерфейс,
@@ -469,6 +627,13 @@
   использовать кэширование для доступа к критичным ресурсам, в частности к
   интерфейсу администрирования.
   </p>
+  <p>authcache так же может использоваться для привязки сессий пользователя к ip с
+  с помощью опции limit
+  <pre>
+  autchcache ip,user,pass,limit 120
+  auth cache strong</pre>
+  запретит пользователю использовать более одного адреса в течении времени кеширования.
+  </p>
   <li><a name="USERS"><i>Как создать список пользователей</i></a>
   <p>
   Список пользователей задается с помощью команды users. 
@@ -607,6 +772,74 @@
   того, чтобы видеть в логах записи о посещаемых пользвоателем ресурсах и
   загружаемых файлах даже в том случае, если он подключается через SOCKS.
   </p>
+<li><a name="SOCKSREDIR">Как управлять локальными перенаправлениями</a>
+<p>
+<ul>
+  <li><a name="REDIR"><i>Q: Для чего это надо?</i></a></li>
+  <p>
+  <i>A:</i> Чтобы иметь в логах URL запросов, если пользователь SOCKS пользуется
+  Web, FTP или POP3.
+  </p>
+  <li><a name="REDIRLIMIT"><i>Q: Какие недостатки?</i></a></li>
+  <p>
+  <i>A:</i> Перенапраление невозможно для web-серверов или FTP, висящих на
+  нестандартных портах, для SOCKSv4 не поддрживается авторизация с
+  паролем (IE поддерживает только SOCKSv4), но при этом IE передает
+  имя пользователя по SOCKSv4 (имя, с которым пользователь вошел в систему).
+  Для SOCKSv5 не поддерживается NTLM авторизация, пароли передаются в открытом
+  тексте.
+  </p>
+  <li><a name="REDIRADV"><i>Q: Какие преимущества?</i></a></li>
+  <p>
+  <i>A:</i> Достаточно в настройках IE только указать адрес SOCKS прокси. В
+  больших сетях можно для этого использовать WPAD (автоматическое
+  обнаружение прокси). В 3proxy достаточно запускать только одну службу
+  (socks). Если используется только Internet Explorer, то можно
+  автоматически получать имя пользователя в логах, не запрашивая
+  логин/пароль.
+  </p>
+  <li><a name="REDIRHOW"><i>Q: Как настраивается?</i></a></li>
+  <p>
+  <i>A:</i> Указывается parent http proxy со специальным адресом 0.0.0.0 и портом
+  0. Пример:
+  <pre>
+  allow * * * 80,8080-8088
+  parent 1000 http 0.0.0.0 0
+  allow * * * 80,8080-8088
+  #перенаправить соединения по портам 80 и 8080-8088 в локальный
+  #http прокси. Вторая команда allow необходима, т.к. контроль доступа
+  #осуществляется 2 раза - на уровне socks и на уровне HTTP прокси
+  allow * * * 21,2121
+  parent 1000 ftp 0.0.0.0 0
+  allow * * * 21,2121
+  #перенаправить соединения по портам 21 и 2121 в локальный
+  #ftp прокси
+  allow *
+  #пустить все соединения напрямую
+  socks</pre>
+  </p>
+  <li><a name="REDIINTER"><i>Q: Как взаимодействует с другими правилами в ACL?</i></a></li>
+  <p>
+  <i>A:</i> После внутреннего перенаправления правила рассматриваются еще раз за
+  исключением самого правила с перенаправлением (т.е. обработка правил не
+  прекращается). Это позволяет сделать дальнейшие перенаправления на
+  внешний прокси. По этой же причине локальное перенаправление не должно
+  быть последним правилом (т.е. должно быть еще хотя бы правило allow,
+  чтобы разрешить внешние соединения через HTTP прокси).
+  Например,
+  <pre>
+  allow * * * 80,8080-8088
+  parent 1000 http 0.0.0.0 0
+  #перенаправить во внутренний прокси
+  allow * * $c:\3proxy\local.nets 80,8080-8088
+  #разрешить прямой web-доступ к сетям из local.nets
+  allow * * * 80,8080-8088
+  parent 1000 http proxy.3proxy.ru 3128
+  #все остальные веб-запросы перенаправить на внешний прокси-сервер
+  allow *
+  #разрешить socks-запросы по другим портам</pre>
+  </p>
+</ul>
   <li><a name="ROUNDROBIN"><i>Как организовать балансировку между несоклькими каналами</i></a>
   <p>
   Сам по себе прокси не может управлять маршрутизацией пакетов сетевого уровня.
@@ -735,33 +968,26 @@
   <br>
   amount - объем трафика на указанный период в мегабайтах.
   </p>
-  <li><a name="NETLIST"><i>Как строить списки сетей</i></a>
+  <li><a name="TRAF">Как пофиксить некорректный подсчет трафика</a>
   <p>
-  Очень часто списки сетей и пользователей бывают достаточно громоздкими.
-  3proxy не поддерживает создание групп, но позволяет включение файлов. Это
-  означает, что для удобства администрирования выгодно хранить списки
-  пользователей и списки сетей в отдельных файлах и при необходимости дать
-  пользователю доступ к тому или иному ресурсу, править файл со списком
-  пользователей или сетей вместо того, чтобы править сам файл 3proxy.cfg. В файле
-  3proxy.cfg файл со списком можно включить с помощью макроса $.
-  Поскольку в 3proxy есть ограничения на максимальный размер элемента
-  конфигурации, большие списки следует разбивать на несколько файлов и
-  использовать несколько записей списка контроля доступом.
-  В комплекте с 3proxy поставляется утилита dighosts, которая позволяет построить
-  список сетей по странице Web. Утилита осуществляет поиск адресов на Web-странице
-  в формате АДРЕС МАСКА или АДРЕС/ДЛИНА. Утилиту dighosts можно вызвать во время
-  старта 3proxy, используя команду system. Например:
-  <pre>
-  system "dighosts http://provider/network.html local.networks"
-  allow * * $local.networks
-  allow *
-  parent 1000 proxy.provider 3128 *
-  proxy
-  flush</pre>
-  В данном случае в файле local.networks генерируется список локальных сетей по
-  странице networklist.html. Далее используется список контроля доступа для того,
-  чтобы разрешить локальному прокси-серверу доступ к локальным сетям напрямую,
-  а все остальные запросы перенаправить на прокси-сервер провайдера.
+  Следует учитывать, что 3proxy считает трафик только на прикладном уровне и
+  только проходящий через прокси-сервер. Провайдеры и другие средства учета
+  трафика считают трафик на сетевом уровне, что уже дает расхождение порядка 10%
+  за счет информации из заголовков пакетов. Кроме того, часть трафика, как
+  минимум DNS-разрешения, различный флудовый трафик и т.д. идут мимо прокси.
+  Уровень "шумового" трафика в Internet сейчас составляет порядка 50KB/день на
+  каждый реальный IP адрес, но может сильно варьироваться в зависимости от сети,
+  наличия открытых портов, реакции на ping-запросы и текущего уровня вирусной
+  активности. По этим причинам, если 3proxy используется чтобы не "выжрать"
+  трафик, выделенный провайдером, всегда следует делать некий запас порядка
+  15%.
+  </p>
+  <p>
+  Если на одной с 3proxy машине имеются какие-либо сервисы или
+  работает пользователь, то их трафик не проходит через proxy-сервер и так же
+  не будет учтен. Если где-то есть NAT, то клиенты, выходящие через NAT мимо
+  прокси, так же останутся неучтенными. Если расхождение с провайдером превышает
+  10% - нужно искать причину именно в этом.
   </p>
   <li><a name="NSCACHING"><i>Как управлять разрешением имен и кэшированием DNS</i></a>
   <p>
@@ -820,19 +1046,6 @@
   tcppm -R0.0.0.0:1234 3128 1.1.1.1 3128</pre>
   В настройках браузера указывается host.dyndns.example.org:3128.
   </p>	
-  <li><a name="DEMANDDIAL"><i>Как устанавливать соединение по требованию</i></a>
-  <p>
-  Команда dialer задает программу, которая будет запускаться при
-  невозможности разрешить имя компьютера, например:
-  <pre>
-  dialer "rasdial PROVIDER"</pre>
-  (описание rasdial можно найти на сервере поддержки Microsoft).
-  Есть два аспекта: невозможность разрешения имени еще не свидетельствует
-  об отсутствии соединения (это должна учитывать вызываемая программа),
-  при использовании nscache имя может разрешиться при отсутствии
-  соединения. В таких случаях полезно запрашивать заведомо несуществующий
-  ресурс, например, http://dial.right.now/.
-  </p>	
 </ul>
 <hr>
 <li><a name="CLIENT"><b>Конфигурация клиентов</b></a>
@@ -889,9 +1102,9 @@
   прокси-серверы для доступа к разным ресурсам. Эта возможность разбирается в
   статьях
   <br>Microsoft: Q296591 A Description of the Automatic Discovery Feature
-  <br><a href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;296591">http://support.microsoft.com/default.aspx?scid=kb;EN-US;296591</a>
+  <br><a href="https://support.microsoft.com/default.aspx?scid=kb;EN-US;296591">http://support.microsoft.com/default.aspx?scid=kb;EN-US;296591</a>
   <br>Netscape: Navigator Proxy Auto-Config File Format
-  <br><a href="http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html">http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html</a>
+  <br><a href="https://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html">http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html</a>
   <li><a name="FTP"><i>Как настраивать FTP клиент</i></a>
   <p>
   Настройка FTP клиента для работы через SOCKS прокси не отличается от настройки
@@ -947,20 +1160,14 @@
   </p>
   <li><a name="CAP"><i>Как использовать 3proxy с программой, не поддерживающей работу с прокси-сервером</i></a>
   <p>
-  Можно использовать любую программу-редиректор, например,
-  <a href="http://www.socks.permeo.com">SocksCAP</a> или
-  <a href="http://www.freecap.ru">FreeCAP</a>. 3proxy поддерживает исходящие
+  Можно использовать любую программу-редиректор. 3proxy поддерживает исходящие
   и обратные TCP и UDP соединения, но редиректоры могут иметь свои ограничения,
   кроме того, некоторые плохо написаные приложения не поддаются "соксификации".
   Если программе требуется обращаться к небольшому набору серверов 
   (например, игровых), то проблему можно решить с помощью портмаппинга.
   <li><a name="GAMES"><i>Как использовать 3proxy с играми</i></a>
   <p>
-  Оптимальный варинт - использовать соксификатор (<a href="#CAP">Как использовать
-  3proxy с программой, не поддерживающей работу с прокси-сервером</a>). 
-  <a href="http://www.freecap.ru/">FreeCap 3.13 </a> проверен с играми на движке
-  Unreal (включая Unreal Tournament), Half-Life (включая Counter-Strike) и
-  другими. Если по каким-то причинам соксификатор не работает или недоступен,
+  Если по каким-то причинам соксификатор не работает или недоступен,
   то необходимо использовать отображения портов (обычно игры, 
   кроме mood-подобных, работают по протоколу UDP, надо использовать udppm).
   Нужно иметь ввиду, что для udppm требуется отдельный маппинг для каждого
@@ -985,7 +1192,7 @@
   <li><a name="NEWVERSION"><i>Где взять свежую версию</i></a>
   <p>
   Свежую версию всегда можно взять
-  <a href="http://3proxy.ru/">здесь</a>. Обратите внимание,
+  <a href="https://3proxy.ru/">здесь</a>. Обратите внимание,
   что в новой версии может измениться порядок лицензирования или команды
   конфигурации, поэтому прежде чем устанавливать новую версии программы
   обязательно ознакомьтесь с документацией.
@@ -1039,6 +1246,18 @@
     <li>50-69 - ошибки перенаправления SOCKS5
     <li>70-79 ошибки установки родительского соединения, аналогичны 1x
     <li>90-99 - ошибки разрыва соединения
+    <li>с версии 0.9
+    <li>90 - неожиданная системная ошибка (не должно происходить)
+    <li>91 - ошибка poll (не должно происходить)
+    <li>92 - соединение прервано по таймауту на сетевую операцию (см. timeouts)
+    <li>93 - соединение прервано по таймауту связанному с рейтлимитом или из-за превышения числа ошибок
+    <li>94 - клиент или сервер закрыли соединение или произошла сетевая ошибка, остались неотправленные данные
+    <li>95 - клиент "грязно" закрыл соединение или сетевая ошибка
+    <li>96 - сервер "грязно" закрыл соединение или сетевая ошибка
+    <li>97 - клиент и сервер "грязно" закрыли соединение или сетевая ошибка
+    <li>98 - исчерпан лимит данных сервера (не должно быть в журнале)
+    <li>99 - исчерпан лимит данных клиента (не должно быть в журнале)
+    <li>до версии 0.9
     <li>90 - ошибка сокета или соединение неожиданно прервано
     <li>91 - общий сбой стека TCP/IP
     <li>92 - соединение прервано по таймауту
@@ -1062,7 +1281,7 @@
 <hr>
 <li><a name="QUEST"><b>Как задать вопрос, которого нет в HowTo</b></a>
 <p>
-Задайте его на <a href="http://3proxy.ru/board3.html">форуме</a>.
+Задайте его на <a href="https://github.com/z3APA3A/3proxy/issues">Github</a>.
 Только не пытайтесь задавать какие-либо вопросы, если вы просто не поняли этот
 HowTo.
 </ul> 

doc/html/index.html

@@ -3,17 +3,15 @@
 <a href="highload.html">Optimizing 3proxy for high loads</a><br> 
 <a href="howtoe.html">How To (English, very incomplete)</a><br> 
 <a href="howtor.html">How To (Russian)</a><br> 
-<a href="faqe.html">FAQ (English)</a><br> 
-<a href="faqr.html">FAQ (Russian)</a> 
 <h3>Man pages:</h> 
 <br><A HREF="man8/3proxy.8.html">3proxy.8</A> 
 <br><A HREF="man8/ftppr.8.html">ftppr.8</A> 
-<br><A HREF="man8/icqpr.8.html">icqpr.8</A> 
 <br><A HREF="man8/pop3p.8.html">pop3p.8</A> 
 <br><A HREF="man8/proxy.8.html">proxy.8</A> 
 <br><A HREF="man8/smtpp.8.html">smtpp.8</A> 
 <br><A HREF="man8/socks.8.html">socks.8</A> 
 <br><A HREF="man8/tcppm.8.html">tcppm.8</A> 
+<br><A HREF="man8/tlspr.8.html">tlspr.8</A> 
 <br><A HREF="man8/udppm.8.html">udppm.8</A> 
 <br><A HREF="man3/3proxy.cfg.3.html">3proxy.cfg.3</A> 
 </body></html> 

doc/html/plugins/SSLPlugin.html

@@ -1,34 +1,64 @@
 <h3>3proxy SSL/TLS plugin</h3>
 
-Plugin can be used to transparently decypher SSL/TLS data. Plugin should never be used in production environment due to
-potential securiy reasons.
+Plugin can be used to transparently decypher SSL/TLS data and TLS encryption for  proxy traffic.
 
-<pre>
-ssl_certcache PATH_TO_CACHE
-ssl_mitm
-ssl_nomitm
-</pre>
-ssl_certcache - path to certificates cache. For transparent spoofing cache must contain 3 files: 3proxy.pem - public
-self-signed certificates, 3proxy.key - key for public certificates, server.key - this key will be used to generates
-spoofed certificates.
-Generated certificates will be placed to the same path.
-<br>ssl_mitm - spoof certificates for services started below
+
+
+<h4>For transparent certificate spoofing:</h4>
+
+<br>ssl_mitm - spoof certificates for services started below. Usage without ssl_client_verify is insecure.
 <br>ssl_nomitm - do not spoof certificates for services started below
 
+<h4>To protect traffic to server (https:// proxy) - since 0.9.5 version</h4>
+ssl_serv - require TLS connection for services below
+<br>ssl_noserv - do not require TLS connection for services below
 
-<h4>Example:</h4>
+Parameters:
+<br>ssl_server_cert /path/to/cert - Server certificate (should not be selfsigned and must contain Alternative name) for ssl_serv
+<br>ssl_server_key /path/to/key - Server ceritifacte key for ssl_server_cert or generated mitm certificate
+<br>ssl_client_ciphersuites ciphersuites_list - TLS client ciphers for TLS 1.3, e.g. ssl_client_ciphersuites TLS_AES_128_GCM_SHA256
+<br>ssl_server_ciphersuites ciphersuites_list - TLS server ciphers for TLS 1.3
+<br>ssl_client_cipher_list ciphersuites_list - TLS client ciphers for TLS 1.2 and below , e.g. ssl_client_cipher_list ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+<br>ssl_server_cipher_list ciphersuites_list - TLS server ciphers for TLS 1.2 and below
+<br>ssl_client_min_proto_version tls_version - TLS client min TLS version (e.g. TLSv1.2)
+<br>ssl_server_min_proto_version tls_version - TLS server min TLS version (e.g. TLSv1.2)
+<br>ssl_client_max_proto_version tls_version - TLS client max TLS version (e.g. TLSv1.2)
+<br>ssl_server_max_proto_version tls_version - TLS server max TLS version (e.g. TLSv1.2)
+<br>ssl_client_verify - verify certificate for upstream server in TLS client functionality (used with ssl_mitm)
+<br>ssl_client_no_verify - do not verify certificate for upstream server in TLS client functionality (default)
+<br>ssl_server_ca_file /path/to/cafile - CA certificate file for mitm
+<br>ssl_server_ca_key /path/to/cakey - key for ssl_server_ca_file mitm CA
+<br>ssl_client_ca_file, ssl_client_ca_dir, ssl_client_ca_store - locations for root CAs used with ssl_client_verify for TLS client
+<br>ssl_certcache /path/to/cache/ - location for generated mitm certificates cache, optional, if ssl_server_ca_file / ssl_server_ca_key are configured.
+Cache may contain 3 files: 3proxy.pem - public
+self-signed certificates (used if ssl_server_ca_file is not configured), 
+3proxy.key - key for public certificates, used if ssl_server_ca_keyserver.key is not configured, server.key - this key is used if ssl_server_key is not configured to generates
+spoofed certificates. If server.key is absent, 3proxy.key is used to generate certificates.
+Generated certificates are placed to the same path.
+
+
+<h4>mitm example:</h4>
 <pre>
 plugin /path/to/SslPlugin.dll ssl_plugin
-ssl_certcache /path/to/cache/
+ssl_server_ca_file /path/to/cafile
+ssl_server_ca_key /path/to/cakey
 ssl_mitm
 proxy -p3128
 ssl_nomitm
 proxy -p3129
 </pre>
+mitm's traffic with spoofed ceritifacate for port 3128 proxy.
 
-<h4>Download:</h4>
-<ul>
- <li>Plugin included into 3proxy 0.8
-</ul>
+<h4>https:// proxy example:</h4>
+<pre>
+plugin /path/to/SSLPlugin.so ssl_plugin
+ssl_server_cert path_to_cert
+ssl_server_key path_to_key
+ssl_serv
+proxy -p33128
+ssl_noserv
+proxy -p3128
+</pre>
+creates https:// proxy on 33128 and http:// proxy on 3128
 
 &copy; Vladimir Dubrovin, License: BSD style

doc/html/plugins/SSLPlugin.ru.html

@@ -1,32 +1,61 @@
-<h3>Плагин SSL/TLS для 3proxy</h3>
+<h3>3proxy SSL/TLS плагин</h3>
 
-Плагин используется для транспарентной дешифровки SSL-трафика с подменой сертификата.
-Плагин не должен использоваться в рабочем окружении, т.к. его использование дает возможность обхода проверок SSL.
+Плагин можно использовать для перехвата и дешифровки SSL/TLS трафика и для шифрования трафика прокси-сервера
+
+<h4>Для транспаретной перехватки трафика (mitm):</h4>
+
+<br>ssl_mitm - подменять сертификаты для сервисов стартованных ниже. Не безопасно использовать без ssl_client_verify.
+<br>ssl_nomitm - не подменять сертификаты для сервисов стартованных ниже.
 
 
-<pre>
-ssl_certcache PATH_TO_CACHE
-ssl_mitm
-ssl_nomitm
-</pre>
-ssl_certcache - путь к кэшу сертификатов. Для транспорентной подмены сертификатов в кэше должно находиться 3 файла: 3proxy.pem - публичный
-самоподписанный сертификат, 3proxy.key - ключ от этого сертификата, server.key - ключ с которым будут генерироваться подменные сертификаты.
-Сгенерированные сертификаты будут помещаться в этот же каталог.
-<br>ssl_mitm - подменять сертитфикаты для запущенных ниже сервисов
-<br>ssl_nomitm - не подменять сертитфикаты для запущенных ниже сервисов
+<h4>Для защиты трафика прокси-сервера (например https:// proxy) - начиная с 0.9.5</h4>
+ssl_serv - включает TLS для соединений к сервисам ниже
+<br>ssl_noserv - отключает TLS для соединений к сервисам ниже
 
+Параметры:
+<br>ssl_server_cert /path/to/cert - сертификат сервера, не должен быть самоподписаным, имя CN должно содержаться в альтернативных именах - используется для ssl_serv
+<br>ssl_server_key /path/to/key - ключ сертификата сервера для ssl_server_cert или сгенерированного сертификата ssl_mitm
+<br>ssl_client_ciphersuites ciphersuites_list - наборы шифрова TLS для TLS 1.3, пример ssl_client_ciphersuites TLS_AES_128_GCM_SHA256
+<br>ssl_server_ciphersuites ciphersuites_list - наборы шифрова TLS для TLS 1.3
+<br>ssl_client_cipher_list ciphersuites_list - наборы шифрова TLS для TLS 1.2 и ниже, пример ssl_client_cipher_list ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+<br>ssl_server_cipher_list ciphersuites_list - наборы шифрова TLS для TLS 1.2 и ниже
+<br>ssl_client_min_proto_version tls_version - минимальная версия TLS клиента (например ssl_client_min_proto_version TLSv1.2)
+<br>ssl_server_min_proto_version tls_version - минимальная версия TLS сервера
+<br>ssl_client_max_proto_version tls_version - максимальная версия TLS клиента
+<br>ssl_server_max_proto_version tls_version - максимальная версия TLS сервера
+<br>ssl_client_verify - проверять сертификат сервера назначения (используется с ssl_mitm)
+<br>ssl_client_no_verify - не проверять сертификат сервера назначения
+<br>ssl_server_ca_file /path/to/cafile - CA сертификат для ssl_mitm
+<br>ssl_server_ca_key /path/to/cakey - ключ CA сертификата  ssl_server_ca_file mitm
+<br>ssl_client_ca_file, ssl_client_ca_dir, ssl_client_ca_store - расположения корневых сертификатов ssl_client_verify
+<br>ssl_certcache /path/to/cache/ - расположение кеша сгенерированных сертификатов ssl_mitm. Кеш может содержать
+файлы 3proxy.pem, 3proxy.key server.key, которые используются как ssl_server_ca_file,
+ssl_server_ca_key и ssl_server_key соответственно если они не заданы. Если server.key не задан,
+3proxy.key используется для генерации серверного сертификата.
 
-<h4>Пример:</h4>
+<h4>Пример mitm:</h4>
 <pre>
 plugin /path/to/SslPlugin.dll ssl_plugin
-ssl_certcache /path/to/cache/
+ssl_server_ca_file /path/to/cafile
+ssl_server_ca_key /path/to/cakey
 ssl_mitm
 proxy -p3128
 ssl_nomitm
 proxy -p3129
 </pre>
+Перехватывается трафик в прокси на порту 3128
 
-<h4>Загрузить:</h4>
-<ul>
- <li>Плагин включен в дистрибутив 3proxy 0.8
-</ul>
+<h4>Пример конфигурации https:// прокси (curl -x https://...):</h4>
+<pre>
+plugin /path/to/SSLPlugin.so ssl_plugin
+ssl_server_cert path_to_cert
+ssl_server_key path_to_key
+ssl_serv
+proxy -p33128
+ssl_noserv
+proxy -p3128
+</pre>
+На порту 33128 создается https:// прокси (не путать с CONNECT прокси aka HTTPS over HTTP прокси), на порту 3128
+создается http:// прокси (может пропуска в т.ч. и HTTPS коннекты)
+
+&copy; Vladimir Dubrovin, License: BSD style

doc/html/plugins/StringsPlugin.ru.html

@@ -1,4 +1,4 @@
-<h3>Плагин подмены строк 3proxy</h3>
+<h3>Плагин подмены строк 3proxy</h3>
 
 Используется, в частности, для руссификации сообщений выдаваемых 3proxy.
 Для корректной работы требуется 0.6 версия 3proxy. 

doc/html/plugins/TrafficPlugin.ru.html

@@ -1,4 +1,4 @@
-<h3>Плагин коррекции траффика 3proxy</h3>
+<h3>Плагин коррекции траффика 3proxy</h3>
 Как известно, 3proxy считает траффик не сетевой, а прикладной.
 Обычно прикладной траффик немного меньше (примерно на 10%) чем сетевой,
 однако в некоторых случаях, например когда пользователи сети играют в

doc/html/plugins/TransparentPlugin.html

@@ -1,4 +1,4 @@
-<h3>3proxy TransparentPlugin plugin (Linux only)</h3>
+<h3>3proxy TransparentPlugin plugin (Linux/BSD only)</h3>
 
 Plugin can turn 3proxy into transparent proxy for virtually any TCP-based protocol
 and use all 3proxy features - redirections, parent proxies, ACLs, traffic limitations,
@@ -13,7 +13,10 @@ allow * * * 80
 parent 1000 http 0.0.0.0 0
 allow *
 parent 1000 socks5 SOCKS5_IP SOCKS5_PORT USER PASSWORD
+transparent
 tcppm -iLOCAL_IP 12345 127.0.0.1 11111
+notransparent
+proxy
 </pre>
 Now, any TCP traffic transparently redirected to port 12345 will be routed via
 parent SOCKSv5 proxy and logged, all URLs for web requests are visible in logs.

doc/html/plugins/TransparentPlugin.ru.html

@@ -1,4 +1,4 @@
-<h3>Плагин TransparentPlugin 3proxy (только для Linux)</h3>
+<h3>Плагин TransparentPlugin 3proxy (только для Linux/BSD)</h3>
 
 Плагин превращает 3proxy в транспарентный прокси для практически любых TCP-соединений
 и позволяет прозрачно для клиентов использовать весь фунционал прокси - редиректоры,
@@ -15,7 +15,10 @@ allow * * * 80
 parent 1000 http 0.0.0.0 0
 allow *
 parent 1000 socks5 SOCKS5_IP SOCKS5_PORT USER PASSWORD
+transparent
 tcppm -iLOCAL_IP 12345 127.0.0.1 11111
+notransparent
+proxy
 </pre>
 Теперь любые TCP-соединения транспарентно перенаправленные в локальный порт 12345 
 будут прологгированы и перенаправлены в родительский SOCKSv5 proxy, при этом для

doc/html/plugins/WindowsAuthentication.ru.html

@@ -1,4 +1,4 @@
-<h3>Плагин аутентификации Windows для 3proxy</h3>
+<h3>Плагин аутентификации Windows для 3proxy</h3>
 Поддерживается только аутентификация открытым текстом в домене или на локальной машине Windows.
 <h4>Использование</h4>
 <ol>

man/3proxy.8

@@ -1,4 +1,4 @@
-.TH 3proxy "8" "January 2016" "3proxy 0.8" "Universal proxy server"
+.TH 3proxy "8" "January 2019" "3proxy 0.9" "Universal proxy server"
 .SH NAME
 .B 3proxy
 \- 3[APA3A] tiny proxy server, or trivial proxy server, or free proxy
@@ -138,14 +138,14 @@ wget to automate this task.
 configuration file
 .SH BUGS
 Report all bugs to
-.BR 3proxy@3proxy.ru
+.BR 3proxy@3proxy.org
 .SH SEE ALSO
 3proxy.cfg(3), proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8),
 kill(1), syslogd(8),
 .br
-http://3proxy.ru/
+https://3proxy.org/
 .SH TRIVIA
 3APA3A is pronounced as \`\`zaraza\'\'.
 .SH AUTHORS
 3proxy is designed by Vladimir 3APA3A Dubrovin
-.RI ( 3proxy@3proxy.ru )
+.RI ( 3proxy@3proxy.org )

man/3proxy.cfg.3

@@ -1,7 +1,7 @@
-.TH 3proxy.cfg "3" "January 2016" "3proxy 0.8" "Universal proxy server"
+.TH 3proxy.cfg "8" "January 2019" "3proxy 0.9" "Universal proxy server"
 .SH NAME
 .B 3proxy.cfg
-\- 3proxy configuration file
+3proxy configuration file
 .SH DESCRIPTION
  Common structure:
 .br
@@ -25,7 +25,7 @@ ignored. <LF>s are ignored. <CR> is end of command.
  Quotation character is " (double quote). Quotation must be used to quote
 spaces or another special characters. To use quotation character inside
 quotation character must be dubbed (BASIC convention). For example to use
-HELLO "WORLD" as an argument you should use it as "HELLO ""WORLD"""\.
+HELLO "WORLD" as an argument you should use it as "HELLO ""WORLD""".
 Good practice is to quote any argument you use.
 
 .br
@@ -33,7 +33,7 @@ Good practice is to quote any argument you use.
 .br
  You can include file by using $FILENAME macro (replace FILENAME with a path
 to file, for example $/usr/local/etc/3proxy/conf.incl or 
- $"c:\\Program Files\\3proxy\\include.cfg" Quotation is
+ $"c:\\\\Program Files\\3proxy\\include.cfg" Quotation is
 required in last example because path contains space character. 
 For included file <CR> (end of line characters) is treated as space character
 (arguments delimiter instead of end of command delimiter). 
@@ -44,95 +44,105 @@ Recursion is not allowed.
 
 .br
  Next commands start gateway services:
-.br
 
 .br
-.B   proxy
+.B proxy
 [options]
 .br
-.B   socks
+.B socks
 [options]
 .br
-.B   pop3p
+.B pop3p
 [options]
 .br
-.B   ftppr
+.B ftppr
 [options]
 .br
-.B   admin
+.B admin
 [options]
 .br
-.B   dnspr
+.B dnspr
 [options]
 .br
-.B   tcppm
+.B tcppm
 [options]
 <SRCPORT> <DSTADDR> <DSTPORT>
 .br
-.B   udppm
+.B udppm
 [options]
 <SRCPORT> <DSTADDR> <DSTPORT>
 .br
  Descriptions:
 .br
 .B proxy
-\- HTTP/HTTPS proxy (default port 3128)
+HTTP/HTTPS proxy (default port 3128)
 .br
 .B socks
-\- SOCKS 4/4.5/5 proxy (default port 1080)
+SOCKS 4/4.5/5 proxy (default port 1080)
+.br
+.B tlspr
+SNI proxy (destination address is taken from TLS handshake), may be used to redirect any TLS-based traffic
+.br
+.B auto
+Proxy with protocol autoselection between proxy / socks / tlspr 
 .br
 .B pop3p
-\- POP3 proxy (default port 110)
+POP3 proxy (default port 110)
+.br
+.B smtpp
+SMTP proxy (default port 25)
 .br
 .B ftppr
-\- FTP proxy (default port 21)
+FTP proxy (default port 21)
 .br
 .B admin
-\- Web interface (default port 80)
+Web interface (default port 80)
 .br
 .B dnspr
-\- caching DNS proxy (default port 53)
+caching DNS proxy (default port 53)
 .br
 .B tcppm
-\- TCP portmapper
+TCP portmapper
 .br
 .B udppm
-\- UDP portmapper
-.br
+UDP portmapper
 
+.br
  Options:
 .br
 .B -pNUMBER
 change default server port to NUMBER
 .br
 .B -n
-disable NTLM authentication (required if passwords are stored in Unix crypt format.
+disable NTLM authentication (required if passwords are stored in Unix crypt format).
 .br
 .B -n1
 enable NTLMv1 authentication.
 .br
+.B -g(GRACE_TRAFF,GRACE_NUM,GRACE_DELAY)
+delay GRACE_DELAY  milliseconds before polling if average polling size below  GRACE_TRAFF bytes and GRACE_NUM read operations in single directions are detected within 1 second. Useful to minimize polling
 .B -s
-(for admin) - secure, allow only secure operations (currently only traffic counters
-view without ability to reset).
+ (for admin) secure, allow only secure operations, currently only traffic counters
+view without ability to reset.
 .br
-(for dnspr) - simple, do not use 'resolver' and 3proxy cache, always use external DNS server.
+ (for dnspr) simple, do not use resolver and 3proxy cache, always use external DNS server.
 .br
-(for udppm) - singlepacket, expect only one packet from both client and server
+ (for udppm) singlepacket, expect only one packet from both client and server
 .br
 .B -u
 Never ask for username/password
 .br
 .B -u2
-(socks) require username/password in authentication methods
+(for socks) require username/password in authentication methods
 .br
 .B -a
-(for proxy) - anonymous proxy (no information about client reported)
+(for proxy) anonymous proxy (no information about client reported)
 .br
 .B -a1
-(for proxy) - anonymous proxy (random client information reported)
+(for proxy) anonymous proxy (random client information reported)
 .br
 .B -a2
-(for proxy) - generate Via: and X-Forwared-For: instead of Forwarded:
+(for proxy) generate Via: and X-Forwared-For: instead of Forwarded:
 .br
 .B -6
 Only resolve IPv6 addresses. IPv4 addresses are packed in IPv6 in IPV6_V6ONLY compatible way.
@@ -151,6 +161,28 @@ listen on given local HOST:port for incoming connections instead of making remot
 .br
 .B -rHOST:port
 connect to given remote HOST:port instead of listening local connection on -p or default port. Can be used with another 3proxy service running -R option for connect back functionality. Most commonly used with proxy or socks. HOST can be given as IP or hostname, useful in case of dynamic DNS.
+.br
+.B -ocOPTIONS, -osOPTIONS, -olOPTIONS, -orOPTIONS, -oROPTIONS
+options for proxy-to-client (oc), proxy-to-server (os), proxy listening (ol), connect back client (or), connect back listening (oR) sockets.
+Options like TCP_CORK, TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK, TCP_TIMESTAMPS, USE_TCP_FASTOPEN, SO_REUSEADDR, SO_REUSEPORT, SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT, SO_KEEPALIVE, SO_DONTROUTE may be supported depending on OS.
+.br
+.B -DiINTERFACE, -DeINTERFACE
+bind internal interface / external inteface to given INTERFACE (e.g. eth0) if SO_BINDTODEVICE supported by system. You may need to run as root or to have CAP_NET_RAW capability in order to bind to interface, depending on system, so this option may require root privileges and can be incompatible with some configuraton commands like chroot and setuid (and daemon if setcap is used).
+.br
+.B -e
+External address. IP address of interface proxy should initiate connections
+from. External IP must be specified if you need incoming connections.
+By default system will deside which address to use in accordance
+with routing table.
+.br
+.B -i
+Internal address. IP address proxy accepts connections to.
+By default connection to any interface is accepted. 
+.br
+.B -N
+(for socks) External NAT address 3proxy reports to client for BIND and UDPASSOC
+By default external address is reported. It's only useful in the case
+of IP-IP NAT (will not work for PAT)
 .br
  Also, all options mentioned for 
 .BR proxy (8)
@@ -200,8 +232,9 @@ proxy on a client with FTP proxy support. Username format is one of
 .B writable
 .br
  ReOpens configuration file for write access via Web interface,
-and re-reads it. Usually should be first command on config file
-but in combination with "config" it can be used anywhere to open
+and rereads it. Usually should be first command on config file
+but in combination with config
+it can be used anywhere to open
 alternate config file. Think twice before using it.
 
 .br
@@ -215,26 +248,28 @@ alternate config file. Think twice before using it.
 .br
  sets logfile for all gateways
 .br
- @ - (for Unix) use syslog, filename is used as ident name
+ @ (for Unix) use syslog, filename is used as ident name
 .br
- & - use ODBC, filename consists of comma-delimited datasource,username,password (username and password are optional)
+ & use ODBC, filename consists of comma-delimited datasource,username,password (username and password are optional)
+.br
+ radius - use RADIUS for logging
 .br
  LOGTYPE is one of:
 .br
-  M - Monthly
+  M Monthly
 .br
-  W - Weekly (starting from Sunday)
+  W Weekly (starting from Sunday)
 .br
-  D - Daily
+  D Daily
 .br
-  H - Hourly
+  H Hourly
 .br
- if logfile is not specified logging goes to stdout. You can specify individual logging options for gateway by using
--l option in gateway configuration.
+ if logfile is not specified logging goes to stdout. You can specify individual logging options for gateway by using -l
+option in gateway configuration.
 .br
- "log" command supports same format specifications for filename template
-as "logformat" (if filename contains '%' sign it's believed to be template).
-As with "logformat" filename must begin with 'L' or 'G' to specify Local or
+ log command supports same format specifications for filename template
+as "logformat" (if filename contains \'%\' sign it\'s believed to be template).
+As with "logformat" filename must begin with \'L\' or \'G\' to specify Local or
 Grinwitch time zone for all time-based format specificators.
 
 .br
@@ -257,73 +292,73 @@ with space and all time based elemnts are in local time zone.
  You can use:
 
 .br
-  %y - Year in 2 digit format
+  %y Year in 2 digit format
 .br
-  %Y - Year in 4 digit format
+  %Y Year in 4 digit format
 .br
-  %m - Month number
+  %m Month number
 .br
-  %o - Month abbriviature
+  %o Month abbriviature
 .br
-  %d - Day
+  %d Day
 .br
-  %H - Hour
+  %H Hour
 .br
-  %M - Minute
+  %M Minute
 .br
-  %S - Second
+  %S Second
 .br
-  %t - Timstamp (in seconds since 01-Jan-1970)
+  %t Timstamp (in seconds since 01-Jan-1970)
 .br
-  %. - milliseconds
+  %. milliseconds
 .br
-  %z - timeZone (from Grinvitch)
+  %z timeZone (from Grinvitch)
 .br
-  %D - request duration (in milliseconds)
+  %D request duration (in milliseconds)
 .br
-  %b - average send rate per request (in Bytes per second) this speed is typically below connection speed shown by download manager.
+  %b average send rate per request (in Bytes per second) this speed is typically below connection speed shown by download manager.
 .br
-  %B - average receive rate per request (in Bytes per second) this speed is typically below connection speed shown by download manager.
+  %B average receive rate per request (in Bytes per second) this speed is typically below connection speed shown by download manager.
 .br
-  %U - Username
+  %U Username
 .br
-  %N - service Name
+  %N service Name
 .br
-  %p - service Port
+  %p service Port
 .br
-  %E - Error code
+  %E Error code
 .br
-  %C - Client IP
+  %C Client IP
 .br
-  %c - Client port
+  %c Client port
 .br
-  %R - Remote IP
+  %R Remote IP
 .br
-  %r - Remote port
+  %r Remote port
 .br
-  %i - Internal IP used to accept client connection
+  %i Internal IP used to accept client connection
 .br
-  %e - External IP used to establish connection
+  %e External IP used to establish connection
 .br
-  %Q - Requested IP
+  %Q Requested IP
 .br
-  %q - Requested port
+  %q Requested port
 .br
-  %n - requested hostname
+  %n requested hostname
 .br
-  %I - bytes In
+  %I bytes In
 .br
-  %O - bytes Out
+  %O bytes Out
 .br
-  %h - Hops (redirections) count
+  %h Hops (redirections) count
 .br
-  %T - service specific Text
+  %T service specific Text
 .br
-  %N1-N2T - (N1 and N2 are positive numbers) - log only fields from N1 thorugh N2 of service specific text
+  %N1-N2T (N1 and N2 are positive numbers) log only fields from N1 thorugh N2 of service specific text
 .br
- in case of ODBC logging logformat specifies SQL statement, for exmample:
+ in the case of ODBC logging logformat specifies SQL statement, for exmample:
 .br
-   logformat "-'+_Linsert into log (l_date, l_user, l_service, l_in, l_out, l_descr) values ('%d-%m-%Y %H:%M:%S', '%U', '%N', %I, %O, '%T')"
+ logformat "-\'+_Linsert into log (l_date, l_user, l_service, l_in, l_out, l_descr) values (\'%d-%m-%Y %H:%M:%S\', \'%U\', \'%N\', %I, %O, \'%T\')"
 
 .br
 .B logdump
@@ -344,36 +379,59 @@ can use %A as produced archive name and %F as filename.
 
 .br
 .B timeouts
-<BYTE_SHORT> <BYTE_LONG> <STRING_SHORT> <STRING_LONG> <CONNECTION_SHORT> <CONNECTION_LONG> <DNS> <CHAIN>
+<BYTE_SHORT> <BYTE_LONG> <STRING_SHORT> <STRING_LONG> <CONNECTION_SHORT> <CONNECTION_LONG> <DNS> <CHAIN> <CONNECT> <CONNECTBACK>
 .br
- Sets timeout values
+ Sets timeout values, defaults 1, 5, 30, 60, 180, 1800, 15, 60, 15, 5.
 .br
-  BYTE_SHORT - short timeout for single byte, is usually used for receiving single byte from stream.
+ BYTE_SHORT short timeout for single byte, is usually used for receiving single byte from stream.
 .br
-  BYTE_LONG - long timeout for single byte, is usually used for receiving first byte in frame (for example first byte in socks request).
+ BYTE_LONG long timeout for single byte, is usually used for receiving first byte in frame (for example first byte in socks request).
 .br
-  STRING_SHORT - short timeout, for character string within stream (for example to wait between 2 HTTP headers)
+ STRING_SHORT short timeout, for character string within stream (for example to wait between 2 HTTP headers)
 .br
-  STRING_LONG - long timeout, for first string in stream (for example to wait for HTTP request).
+ STRING_LONG long timeout, for first string in stream (for example to wait for HTTP request).
 .br
-  CONNECTION_SHORT - inactivity timeout for short connections (HTTP, POP3, etc).
+ CONNECTION_SHORT inactivity timeout for short connections (HTTP, POP3, etc).
 .br
-  CONNECTION_LONG - inactivity timeout for long connection (SOCKS, portmappers, etc).
+ CONNECTION_LONG inactivity timeout for long connection (SOCKS, portmappers, etc).
 .br
-  DNS - timeout for DNS request before requesting next server
+ DNS timeout for DNS request before requesting next server
 .br
-  CHAIN - timeout for reading data from chained connection
+ CHAIN timeout for reading data from chained connection
 .br
+ default timeouts 1 5 30 60 180 1800 15 60 15 5
+
+.br
+.B radius 
+<NAS_SECRET> <radius_server_1[:port][/local_address_1]> <radius_server_2[:port][/local_address_2]>
+.br
+ Configures RADIUS servers to be used for logging and authentication (log and auth types
+must be set to radius). port and local address to use with given server may be specified.
+.br
+ Attributes within request: User-Name, Password: (username and password if presented by client),
+Service Type: Authenticate-Only,
+NAS-Port-Type: NAS-Port-Virtual,
+NAS-Port-ID: (proxy service port, e.g. 1080),
+NAS-IPv6-Address / NAS-IP-Address: (proxy interface accessed by client),
+NAS-Identifier: (text identifing proxy, e.g. PROXY or SOCKSv5),
+Framed-IPv6-Address / Framed-IP-Address: (IP address of the client),
+Called-Station-ID: (requested Hostname, if presents),
+Login-Service: (type of request, e.g. 1001 - SOCKS CONNECT, 1010 - HTTP GET, 1013 - HTTP CONNECT),
+Login-TCP-Port: (requested port),
+Login-IPv6-Host / Login-IP-Host: (requested IP). 
+.br
+ Supported reply attributes for authentication:
+Framed-IP-Address / Framed-IPv6-Address (IP to assign to user), Reply-Message.
+Use authcache to speedup authentication. RADIUS feature is currently experimental.
 
 .br
 .B nserver
 <ipaddr>[:port][/tcp]
 .br
-Nameserver to use for name resolutions. If none specified 
-or name server fails system routines for name resolution will be
-used. It's better to specify nserver because gethostbyname() may
-be thread unsafe. Optional port number may be specified.
-If optional /tcp is added to IP address, name resolution will be
+ Nameserver to use for name resolutions. If none specified 
+system routines for name resolution is
+used. Optional port number may be specified.
+If optional /tcp is added to IP address, name resolution is
 performed over TCP.
 
 .br
@@ -406,7 +464,7 @@ redirected to parent proxy with http, socks4+, connect+ or socks5+.
 .B dialer
 <progname>
 .br
- Execute progname if external name can't be resolved.
+ Execute progname if external name can\'t be resolved.
 Hint: if you use nscache, dialer may not work, because names will
 be resolved through cache. In this case you can use something like
 http://dial.right.now/ from browser to set up connection.
@@ -425,16 +483,26 @@ gateways. Since 0.8 version, IPv6 address may be used.
 <ipaddr>
 .br
  sets ip address of external interface. This IP address will be source
-address for all connections made by proxy. Alternatively you can use
--e option to specify individual address for gateway. Since 0.8 version
+address for all connections made by proxy. Alternatively you can use -e
+option to specify individual address for gateway. Since 0.8 version
 External or -e can be given twice: once with IPv4 and once with IPv6 address.
    
 .br
 .B maxconn
 <number>
 .br
- sets maximum number of simulationeous connections to each services
-started after this command. Default is 100.
+ sets maximum number of simulationeous connections to each service
+started after this command on network level. Default is 100.
+.br
+ To limit clients, use connlim instead. maxconn will silently ignore
+new connections, while connlim will report back to the client that
+the connection limit has been reached.
+
+.br
+.B backlog
+.br
+ sets the listening socket backlog of new connections. Default is
+1 + maxconn/8. Maximum value is capped by kernel tunable somaxconn.
 
 .br
 .B service
@@ -447,8 +515,8 @@ to reinstall service.
 .br
 .B daemon
 .br
- Should be specified to close console. Do not use 'daemon' with 'service'.
-At least under FreeBSD 'daemon' should preceed any proxy service
+ Should be specified to close console. Do not use \'daemon\' with \'service\'.
+At least under FreeBSD \'daemon\' should preceed any proxy service
 and log commands to avoid sockets problem. Always place it in the beginning
 of the configuration file.
 
@@ -458,39 +526,41 @@ of the configuration file.
 .br
  Type of user authorization. Currently supported:
 .br
-  none - no authentication or authorization required.
+ none - no authentication or authorization required.
 .br
  Note: is auth is none any ip based limitation, redirection, etc will not work. 
 This is default authentication type
 .br
-  iponly - authentication by access control list with username ignored.
+ iponly - authentication by access control list with username ignored.
  Appropriate for most cases
 .br
-  useronly - authentication by username without checking for any password with
+ useronly - authentication by username without checking for any password with
 authorization by ACLs. Useful for e.g. SOCKSv4 proxy and icqpr (icqpr set UIN /
 AOL screen name as a username)
 .br
-  dnsname - authentication by DNS hostnname with authorization by ACLs.
+ dnsname - authentication by DNS hostnname with authorization by ACLs.
 DNS hostname is resolved via PTR (reverse) record and validated (resolved
-name must resolve to same IP address). It's recommended to use authcache by
+name must resolve to same IP address). It\'s recommended to use authcache by
 ip for this authentication.
 NB: there is no any password check, name may be spoofed.
 .br
-  strong - username/password authentication required. It will work with
+ strong - username/password authentication required. It will work with
 SOCKSv5, FTP, POP3 and HTTP proxy. 
 .br
-  cache - cached authentication, may be used with 'authcache'.
+ cache - cached authentication, may be used with \'authcache\'.
+.br
+ radius - authentication with RADIUS.
 .br
  Plugins may add additional authentication types.
-.br
 
- It's possible to use few authentication types in the same commands. E.g.
 .br
-auth iponly strong
+ It\'s possible to use few authentication types in the same commands. E.g.
 .br
- In this case 'strong' authentication will be used only in case resource
-access can not be performed with 'iponly' authentication, that is username is
-required in ACL. It's usefull to protect access to some resources with
+ auth iponly strong
+.br
+ In this case \'strong\' authentication will be used only in case resource
+access can not be performed with \'iponly\' authentication, that is username is
+required in ACL. It\'s usefull to protect access to some resources with
 password allowing passwordless access to another resources, or to use
 IP-based authentication for dedicated laptops and request username/password for
 shared ones.
@@ -502,17 +572,23 @@ shared ones.
  Cache authentication information to given amount of time (cachetime) in seconds.
 Cahtype is one of:
 .br
-  ip - after successful authentication all connections during caching time
+ ip - after successful authentication all connections during caching time
 from same IP are assigned to the same user, username is not requested.
 .br
-  ip,user username is requested and all connections from the same IP are
+ ip,user username is requested and all connections from the same IP are
 assigned to the same user without actual authentication.
 .br
-  user - same as above, but IP is not checked. 
+ user - same as above, but IP is not checked. 
 .br
-  user,password - both username and password are checked against cached ones.
+ user,password - both username and password are checked against cached ones.
 .br
-Use auth type 'cache' for cached authentication
+ limit - limit user to use only one ip, \'ip\' and \'user\' are required
+.br
+ acl - only use cached auth if user access service with same ACL 
+.br
+ ext - cache external IP
+.br
+Use auth type \'cache\' for cached authentication
 
 .br
 .B allow
@@ -526,13 +602,13 @@ Use auth type 'cache' for cached authentication
  Access control entries. All lists are comma-separated, no spaces are
 allowed. Usernames are case sensitive (if used with authtype nbname
 username must be in uppercase). Source and target lists may contain
-IP addresses (W.X.Y.Z), ranges A.B.C.D - W.X.Y.Z (since 0.8) or CIDRs
-(W.X.Y.Z/L). Since 0.6, targetlist may also contain host names,
-instead of addresses. It's possible to use wildmask in
-the begginning and in the the end of hostname, e.g. *badsite.com or
-*badcontent*. Hostname is only checked if hostname presents in request.
-Targetportlist may contain ports (X) or port ranges lists (X-Y). For any field
-* sign means "ANY" If access list is empty it's assumed to be
+IP addresses (W.X.Y.Z), ranges A.B.C.D - W.X.Y.Z (since 0.8) or CIDRs (W.X.Y.Z/L). 
+Since 0.6, targetlist may also contain host names,
+instead of addresses. It\'s possible to use wildmask in
+the begginning and in the the end of hostname, e.g. *badsite.com or *badcontent*.
+Hostname is only checked if hostname presents in request.
+Targetportlist may contain ports (X) or port ranges lists (X-Y). For any field *
+sign means ANY. If access list is empty it\'s assumed to be
 .br
  allow *
 .br
@@ -540,56 +616,59 @@ Targetportlist may contain ports (X) or port ranges lists (X-Y). For any field
 .br
  deny *
 .br
- You may want explicitly add "deny *" to the end of access list to prevent
-HTTP proxy from requesting user's password.
+ You may want explicitly add deny * to the end of access list to prevent
+HTTP proxy from requesting user\'s password.
 Access lists are checked after user have requested any resource.
 If you want 3proxy to reject connections from specific addresses
 immediately without any conditions you should either bind proxy
 to appropriate interface only or to use ip filters.
-.br
 
-Operation is one of:
 .br
-  CONNECT - establish outgoing TCP connection
+ Operation is one of:
 .br
-  BIND - bind TCP port for listening
+ CONNECT establish outgoing TCP connection
 .br
-  UDPASSOC - make UDP association
+ BIND bind TCP port for listening
 .br
-  ICMPASSOC - make ICMP association (for future use)
+ UDPASSOC make UDP association
 .br
-  HTTP_GET - HTTP GET request
+ ICMPASSOC make ICMP association (for future use)
 .br
-  HTTP_PUT - HTTP PUT request
+ HTTP_GET HTTP GET request
 .br
-  HTTP_POST - HTTP POST request
+ HTTP_PUT HTTP PUT request
 .br
-  HTTP_HEAD - HTTP HEAD request
+ HTTP_POST HTTP POST request
 .br
-  HTTP_CONNECT - HTTP CONNECT request
+ HTTP_HEAD HTTP HEAD request
 .br
-  HTTP_OTHER - over HTTP request
+ HTTP_CONNECT HTTP CONNECT request
 .br
-  HTTP - matches any HTTP request except HTTP_CONNECT
+ HTTP_OTHER over HTTP request
 .br
-  HTTPS - same as HTTP_CONNECT
+ HTTP matches any HTTP request except HTTP_CONNECT
 .br
-  FTP_GET - FTP get request
+ HTTPS same as HTTP_CONNECT
 .br
-  FTP_PUT - FTP put request
+ FTP_GET FTP get request
 .br
-  FTP_LIST - FTP list request
+ FTP_PUT FTP put request
 .br
-  FTP_DATA - FTP data connection. Note: FTP_DATA requires access to dynamic
+ FTP_LIST FTP list request
+.br
+ FTP_DATA FTP data connection. Note: FTP_DATA requires access to dynamic
 non-ptivileged (1024-65535) ports on remote side.
 .br
-  FTP - matches any FTP/FTP Data request
+ FTP matches any FTP/FTP Data request
 .br
-  ADMIN - access to administration interface
+ ADMIN access to administration interface
+
 .br
- Weeksdays are week days numbers or periods, 0 or 7 means Sunday, 1 is Monday, 1-5 means Monday through Friday. Timeperiodlists is a list of time
+ Weeksdays are week days numbers or periods, 0 or 7 means Sunday, 1 is Monday, 1-5 means Monday through Friday.
+.br
+ Timeperiodlists is a list of time
 periods in HH:MM:SS-HH:MM:SS format. For example, 00:00:00-08:00:00,17:00:00-24:00:00 lists non-working hours.
-	
+
 .br
 .B parent
 <weight> <type> <ip> <port> <username> <password>
@@ -624,51 +703,52 @@ connections. These 2 proxies form 1 group (summarized weight is 1000).
 .br
  creates chain of 3 proxies: 192.168.10.1, 192.168.20.1 and third
 is (192.168.30.1 with probability of 0.3 or 192.168.40.1
-with probability of 0.7) for outgoing web connections.
+with probability of 0.7) for outgoing web connections. Chains are only applied to new connections, pipelined (keep-alive) requests in the same connection use the same chain.
 
 .br
  type is one of:
 .br
-  tcp - simply redirect connection. TCP is always last in chain.
+ extip does not actully redirect request, it sets external address for this request to <ip>. It can be chained with another parent types. It's usefaul to set external IP based on ACL or make it random.
 .br
-  http - redirect to HTTP proxy. HTTP is always last chain.
+ tcp simply redirect connection. TCP is always last in chain. This type of proxy is a simple TCP redirection, it does not support parent authentication.
 .br
-  pop3 - redirect to POP3 proxy (only local redirection is supported, can not be
-used for chaining)
+ http redirect to HTTP proxy. HTTP is always the last chain. It should only be used with http (proxy) service,
+if used with different service, it works as tcp redirection.
 .br
-  ftp - redirect to FTP proxy (only local redirection is supported, can not be
-used for chaining)
+ pop3 redirect to POP3 proxy (only local redirection is supported, can only be used as a first hop in chaining)
 .br
-  connect - parent is HTTP CONNECT method proxy
+ ftp redirect to FTP proxy (only local redirection is supported, can only be used as a first hop in chaining)
 .br
-  connect+ - parent is HTTP CONNECT proxy with name resolution
+ connect parent is HTTP CONNECT method proxy
 .br
-  socks4 - parent is SOCKSv4 proxy
+ connect+ parent is HTTP CONNECT proxy with name resolution (hostname is used instead of IP if available)
 .br
-  socks4+ - parent is SOCKSv4 proxy with name resolution (SOCKSv4a)
+ socks4 parent is SOCKSv4 proxy
 .br
-  socks5 - parent is SOCKSv5 proxy
+ socks4+ parent is SOCKSv4 proxy with name resolution (SOCKSv4a)
 .br
-  socks5+ - parent is SOCKSv5 proxy with name resolution
+ socks5 parent is SOCKSv5 proxy
 .br
-  socks4b - parent is SOCKS4b (broken SOCKSv4 implementation with shortened
+ socks5+ parent is SOCKSv5 proxy with name resolution
+.br
+ socks4b parent is SOCKS4b (broken SOCKSv4 implementation with shortened
 server reply. I never saw this kind ofservers byt they say there are).
 Normally you should not use this option. Do not mess this option with
 SOCKSv4a (socks4+).
 .br
-  socks5b - parent is SOCKS5b (broken SOCKSv5 implementation with shortened
+ socks5b parent is SOCKS5b (broken SOCKSv5 implementation with shortened
 server reply. I think you will never find it useful). Never use this option
 unless you know exactly you need it.
 .br
-  admin - redirect request to local 'admin' service (with -s parameter).
+ admin redirect request to local \'admin\' service (with -s parameter).
 .br
  Use "+" proxy only with "fakeresolve" option
 .br
 
  IP and port are ip addres and port of parent proxy server.
 If IP is zero, ip is taken from original request, only port is changed.
-If port is zero, it's taken from original request, only IP is changed.
-If both IP and port are zero - it's a special case of local redirection,
+If port is zero, it\'s taken from original request, only IP is changed.
+If both IP and port are zero - it\'s a special case of local redirection,
 it works only with
 .B socks
 proxy. In case of local redirection request is redirected to different service, 
@@ -683,14 +763,14 @@ locally redurects to
 .B proxy
 .B admin
 locally redirects to admin -s service.
-.br
 
+.br
  Main purpose of local redirections is to have requested resource
 (URL or POP3 username) logged and protocol-specific filters to be applied.
-In case of local redirection ACLs are revied twice: first, by SOCKS proxy up to
-'parent' command and then with gateway service connection is
-redirected (HTTP, FTP or POP3) after 'parent' command. It means,
-additional 'allow' command is required for redirected requests, for
+In case of local redirection ACLs are revied twice: first, by SOCKS proxy up to \'parent\'
+command and then with gateway service connection is
+redirected (HTTP, FTP or POP3) after \'parent\' command. It means,
+additional \'allow\' command is required for redirected requests, for
 example:
 .br
  allow * * * 80
@@ -706,11 +786,10 @@ local HTTP proxy parses requests and allows only GET and POST requests.
 .br
  parent 1000 http 1.2.3.4 0
 .br
- Changes external address for given connection to 1.2.3.4
-(an equivalent to -e1.2.3.4)
+ Changes external address for given connection to 1.2.3.4 (an equivalent to -e1.2.3.4)
 .br
  Optional username and password are used to authenticate on parent
-proxy. Username of '*' means username must be supplied by user.
+proxy. Username of \'*\' means username must be supplied by user.
 
 
 .br
@@ -745,29 +824,33 @@ nolog
  If force is specified for service, configuration reload will require all current
 sessions of this service to be re-authenticated. If ACL is changed or user account
 is removed, old connections which do not match current are closed.
- noforce allows to keep previously authenticated connections.
+noforce allows to keep previously authenticated connections.
 
 .br
 .B bandlimin
 <rate> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+<weekdayslist> <timeperiodslist>
 .br
 .B nobandlimin
 <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+<weekdayslist> <timeperiodslist>
 .br
 .B bandlimout
 <rate> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+<weekdayslist> <timeperiodslist>
 .br
 .B nobandlimout
 <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+<weekdayslist> <timeperiodslist>
 .br
  bandlim sets bandwith limitation filter to <rate> bps (bits per second)
-(if you want to specife bytes per second - multiply your value to 8).
+If you want to specife bytes per second - multiply your value to 8.
 bandlim rules act in a same manner as allow/deny rules except
 one thing: bandwidth limiting is applied to all services, not to some
 specific service. 
 bandlimin and nobandlimin applies to incoming traffic
 bandlimout and nobandlimout applies to outgoing traffic
-If tou want to ratelimit your clients with ip's 192.168.10.16/30 (4
+If tou want to ratelimit your clients with IPs 192.168.10.16/30 (4
 addresses) to 57600 bps you have to specify 4 rules like
 .br
  bandlimin 57600 * 192.168.10.16
@@ -789,31 +872,71 @@ if you want, for example, to limit all speed ecept access to POP3 you can use
 .br
  before the rest of bandlim rules.
 
+.br
+.B connlim
+<rate> <period> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+<weekdayslist> <timeperiodslist>
+.br
+.B noconnlim
+<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+<weekdayslist> <timeperiodslist>
+.br
+ connlim sets connections rate limit per time period for traffic
+pattern controlled by ACL. Period is in seconds. If period is 0,
+connlim limits a number of parallel connections.
+.br
+ connlim 100 60 * 127.0.0.1
+.br
+ allows 100 connections per minute for 127.0.0.1.
+.br
+ connlim 20 0 * 127.0.0.1
+.br
+ allows 20 simulationeous connections for 127.0.0.1.
+.br
+ Like with bandlimin, if individual limit is required per client, separate
+rule mustbe added for every client. Like with nobanlimin, noconnlim adds an
+exception.
+
+
+
 .br
 .B counter
 <filename> <reporttype> <repotname>
 .br
 .B countin
 <number> <type> <limit> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+<weekdayslist> <timeperiodslist>
 .br
 .B nocountin
 <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+<weekdayslist> <timeperiodslist>
 .br
 .B countout
 <number> <type> <limit> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+<weekdayslist> <timeperiodslist>
 .br
 .B nocountout
 <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+<weekdayslist> <timeperiodslist>
+.br
+.B countall
+<number> <type> <limit> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+<weekdayslist> <timeperiodslist>
+.br
+.B nocountall
+<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+<weekdayslist> <timeperiodslist>
 .br
 
- counter, countin, nocountin, countout, noucountout  commands are 
-used to set traffic limit
+ counter, countin, nocountin, countout, noucountout, countall,
+nocountall commands are used to set traffic limit
 in MB for period of time (day, week or month). Filename is a path
 to a special file where traffic information is permanently stored.
 number is sequential number of record in this file. If number is 0
-no traffic information  on this counter is saved in file (that is
-if proxy restarted all information is loosed) overwise it should be
-unique sequential number.
+this counter is not preserved in counter file (that is
+if proxy restarted all counters with 0 are flushed) overwise it
+should be unique sequential number which points to position of
+the couter within the file.
 Type specifies a type of counter. Type is one of:
 .br
  H - counter is resetted hourly
@@ -839,13 +962,13 @@ username[:pwtype:password] ...
 .br
  pwtype is one of:
 .br
-  none (empty) - use system authentication
+ none (empty) - use system authentication
 .br
-  CL - password is cleartext
+ CL - password is cleartext
 .br
-  CR - password is crypt-style password
+ CR - password is crypt-style password
 .br
-  NT - password is NT password (in hex)
+ NT - password is NT password (in hex)
 .br
  example:
 .br
@@ -900,35 +1023,36 @@ configuration within one minute. Any number of files may be monitored.
 .B setuid
 <uid>
 .br
- calls setuid(uid), uid must be numeric. Unix only. Warning: under some Linux
-kernels setuid() works onle for current thread. It makes it impossible to suid
+ calls setuid(uid), uid can be numeric or since 0.9 username. Unix only. Warning: under some Linux
+kernels setuid() works for current thread only. It makes it impossible to suid
 for all threads.
 
 .br
 .B setgid
 <gid>
 .br
- calls setgid(gid), gid must be numeric. Unix only.
+ calls setgid(gid), gid can be numeric or since 0.9 groupname. Unix only.
 
 .br
 .B chroot
-<path>
+<path> [<uid>] [<gid>]
 .br
- calls chroot(path). Unix only.
+ calls chroot(path) and sets gid/uid. Unix only. uid/gid supported since 0.9, can be numeric or username/groupname
 
 .br
 .B stacksize
 <value_to_add_to_default_stack_size>
 .br
  Change default size for threads stack. May be required in some situation,
- e.g. with non-default plugins, on on some platforms (some FreeBSD version
- may require adjusting stack size due to invalid defined value in system
- header files, this value is also oftent reqruied to be changed for ODBC and
- PAM support on Linux. If you experience 3proxy
- crash on request processing, try to set some positive value. You may start with
- stacksize 65536 
- and then find the minimal value for service to work. If you experience
- memory shortage, you can try to experiment with negative values.
+e.g. with non-default plugins, on on some platforms (some FreeBSD version
+may require adjusting stack size due to invalid defined value in system
+header files, this value is also oftent reqruied to be changed for ODBC and
+PAM support on Linux. If you experience 3proxy
+crash on request processing, try to set some positive value. You may start with
+stacksize 65536 
+and then find the minimal value for service to work. If you experience
+memory shortage, you can try to experiment with negative values.
+
 .SH PLUGINS
 
 .br
@@ -952,13 +1076,13 @@ corruption and/or Content-Length chaging. Default is 1MB (1048576).
 
 .SH BUGS
 Report all bugs to
-.BR 3proxy@3proxy.ru
+.BR 3proxy@3proxy.org
 .SH SEE ALSO
 3proxy(8), proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8), syslogd(8),
 .br
-http://3proxy.ru/
+ https://3proxy.org/
 .SH TRIVIA
 3APA3A is pronounced as \`\`zaraza\'\'.
 .SH AUTHORS
 3proxy is designed by Vladimir 3APA3A Dubrovin
-.RI ( 3proxy@3proxy.ru )
+.RI ( 3proxy@3proxy.org )

man/ftppr.8

@@ -1,4 +1,4 @@
-.TH ftppr "8" "January 2016" "3proxy 0.8" "Universal proxy server"
+.TH ftppr "8" "January 2019" "3proxy 0.9" "Universal proxy server"
 .SH NAME
 .B ftppr
 \- FTP proxy gateway service
@@ -77,11 +77,11 @@ is user\'s login on this FTP server. Login itself may contain \'@\' sign.
 Only cleartext authentication is currently supported.
 .SH BUGS
 Report all bugs to
-.BR 3proxy@3proxy.ru
+.BR 3proxy@3proxy.org
 .SH SEE ALSO
 3proxy(8), proxy(8), pop3p(8), socks(8), tcppm(8), udppm(8), syslogd(8),
 .br
-http://3proxy.ru/
+https://3proxy.org/
 .SH AUTHORS
 3proxy is designed by Vladimir 3APA3A Dubrovin
-.RI ( 3proxy@3proxy.ru )
+.RI ( 3proxy@3proxy.org )

man/icqpr.8

@@ -1,80 +0,0 @@
-.TH icqpr "8" "January 2016" "3proxy 0.8" "Universal proxy server"
-.SH NAME
-.B icqpr
-\- ICQ (AOL OSCAR) proxy
-.SH SYNOPSIS
-.BR "icqpr " [ -d ]
-.IB \fR[ -l \fR[ \fR[ @ \fR] logfile \fR]]
-.IB \fR[ -i internal_ip\fR]
-.IB \fR[ -e external_ip\fR]
-.I local_port remote_host remote_port
-.SH DESCRIPTION
-.B icqpr
-forwards ICQ connections from local to remote ICQ host. Most usual is
-.B icqpr 5190 login.icq.com 5190
-Also, icqpr adds UIN / AOL screen name as a username. It makes it possible
-to control user's access to ICQ/AOL by UIN/screen name (use
-.B auth useronly
-in 3proxy).
-.SH OPTIONS
-.TP
-.B -I
-Inetd mode. Standalone service only.
-.TP
-.B -d
-Daemonise. Detach service from console and run in the background.
-.TP
-.B -t
-Be silenT. Do not log start/stop/accept error records.
-.TP
-.B -e
-External address. IP address of interface proxy should initiate connections
-from. 
-By default system will deside which address to use in accordance
-with routing table.
-.TP
-.B -i
-Internal address. IP address proxy accepts connections to.
-By default connection to any interface is accepted. It\'s usually unsafe.
-.TP
-.B -l
-Log. By default logging is to stdout. If
-.I logfile
-is specified logging is to file. Under Unix, if
-.RI \' @ \'
-preceeds
-.IR logfile ,
-syslog is used for logging.
-.TP
-.B -S
-Increase or decrease stack size. You may want to try something like -S8192 if you experience 3proxy
-crashes.
-.SH ARGUMENTS
-.TP
-.I local_port
-- port icqpr accepts connection
-.TP
-.I remote_host
-- IP address of the host connection is forwarded to
-.TP
-.I remote_port
-- remote port connection is forwarded to
-.SH CLIENTS
-You can use any ICQ/AOL client where server address configuration is supported
-or spoof login server name (e.g. login.icq.com) with IP address of proxy server
-via DNS record or hosts file. Transparent redirection is also possible. Use
-.I internal_ip
-and
-.I local_port
-as a destination in client application. Connection is forwarded to
-.IR remote_host : remote_port
-.SH BUGS
-Report all bugs to
-.BR 3proxy@3proxy.ru
-.SH SEE ALSO
-3proxy(8), proxy(8), ftppr(8), socks(8), pop3p(8), udppm(8), syslogd(8),
-.br
-http://3proxy.ru/
-.SH AUTHORS
-3proxy is designed by Vladimir 3APA3A Dubrovin
-.RI ( 3proxy@3proxy.ru )

man/pop3p.8

@@ -1,4 +1,4 @@
-.TH pop3p "8" "January 2016" "3proxy 0.8" "Universal proxy server"
+.TH pop3p "8" "January 2019" "3proxy 0.9" "Universal proxy server"
 .SH NAME
 .B pop3p
 \- POP3 proxy gateway service
@@ -73,11 +73,11 @@ authentication (APOP, CRAM-MD5, etc) requires challenge from server before
 we know which server to connect.
 .SH BUGS
 Report all bugs to
-.BR 3proxy@3proxy.ru
+.BR 3proxy@3proxy.org
 .SH SEE ALSO
 3proxy(8), ftppr(8), proxy(8), socks(8), tcppm(8), udppm(8), syslogd(8),
 .br
-http://3proxy.ru/
+https://3proxy.org/
 .SH AUTHORS
 3proxy is designed by Vladimir 3APA3A Dubrovin
-.RI ( 3proxy@3proxy.ru )
+.RI ( 3proxy@3proxy.org )

man/proxy.8

@@ -1,4 +1,4 @@
-.TH proxy "8" "January 2016" "3proxy 0.8" "Universal proxy server"
+.TH proxy "8" "January 2019" "3proxy 0.9" "Universal proxy server"
 .SH NAME
 .B proxy
 \- HTTP proxy gateway service
@@ -68,11 +68,11 @@ limit clients, use
 instead.
 .SH BUGS
 Report all bugs to
-.BR 3proxy@3proxy.ru
+.BR 3proxy@3proxy.org
 .SH SEE ALSO
 3proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8), syslogd(8),
 .br
-http://3proxy.ru/
+https://3proxy.org/
 .SH AUTHORS
 3proxy is designed by Vladimir 3APA3A Dubrovin
-.RI ( 3proxy@3proxy.ru )
+.RI ( 3proxy@3proxy.org )

man/smtpp.8

@@ -1,4 +1,4 @@
-.TH smtpp "8" "January 2016" "3proxy 0.8" "Universal proxy server"
+.TH smtpp "8" "January 2019" "3proxy 0.9" "Universal proxy server"
 .SH NAME
 .B smtpp
 \- SMTP proxy gateway service
@@ -74,11 +74,11 @@ authentication (CRAM-MD5, SPA, etc) requires challenge from server before
 we know which server to connect.
 .SH BUGS
 Report all bugs to
-.BR 3proxy@3proxy.ru
+.BR 3proxy@3proxy.org
 .SH SEE ALSO
 3proxy(8), ftppr(8), proxy(8), socks(8), tcppm(8), udppm(8), syslogd(8),
 .br
-http://3proxy.ru/
+https://3proxy.org/
 .SH AUTHORS
 3proxy is designed by Vladimir 3APA3A Dubrovin
-.RI ( 3proxy@3proxy.ru )
+.RI ( 3proxy@3proxy.org )

man/socks.8

@@ -1,4 +1,4 @@
-.TH socks "8" "January 2016" "3proxy 0.8" "Universal proxy server"
+.TH socks "8" "January 2019" "3proxy 0.9" "Universal proxy server"
 .SH NAME
 .B socks
 \- SOCKS 4/4.5/5 gateway service
@@ -33,6 +33,11 @@ from. External IP must be specified if you need incoming connections.
 By default system will deside which address to use in accordance
 with routing table.
 .TP
+.B -N
+External NAT address 3proxy reports to client for BIND and UDPASSOC
+By default external address is reported. It's only useful in the case
+of IP-IP NAT (will not work for PAT)
+.TP
 .B -i
 Internal address. IP address proxy accepts connections to.
 By default connection to any interface is accepted. It\'s usually unsafe.
@@ -69,11 +74,11 @@ sufficient privileges). If you need to control access use
 instead.
 .SH BUGS
 Report all bugs to
-.BR 3proxy@3proxy.ru
+.BR 3proxy@3proxy.org
 .SH SEE ALSO
 3proxy(8), proxy(8), ftppr(8), pop3p(8), tcppm(8), udppm(8), syslogd(8),
 .br
-http://3proxy.ru/
+https://3proxy.org/
 .SH AUTHORS
 3proxy is designed by Vladimir 3APA3A Dubrovin
-.RI ( 3proxy@3proxy.ru )
+.RI ( 3proxy@3proxy.org )

man/tcppm.8

@@ -1,4 +1,4 @@
-.TH tcppm "8" "January 2016" "3proxy 0.8" "Universal proxy server"
+.TH tcppm "8" "January 2019" "3proxy 0.9" "Universal proxy server"
 .SH NAME
 .B tcppm
 \- TCP port mapper
@@ -63,11 +63,11 @@ as a destination in client application. Connection is forwarded to
 .IR remote_host : remote_port
 .SH BUGS
 Report all bugs to
-.BR 3proxy@3proxy.ru
+.BR 3proxy@3proxy.org
 .SH SEE ALSO
 3proxy(8), proxy(8), ftppr(8), socks(8), pop3p(8), udppm(8), syslogd(8),
 .br
-http://3proxy.ru/
+https://3proxy.org/
 .SH AUTHORS
 3proxy is designed by Vladimir 3APA3A Dubrovin
-.RI ( 3proxy@3proxy.ru )
+.RI ( 3proxy@3proxy.org )

man/tlspr.8

@@ -0,0 +1,86 @@
+.TH tlspr "8" "May 2024" "3proxy 0.9" "Universal proxy server"
+.SH NAME
+.B tlspr
+\- SNI proxy gateway service
+.SH SYNOPSIS
+.BR "tlspr " [ -d ][ -a ]
+.IB \fR[ -l \fR[ \fR[ @ \fR] logfile \fR]]
+.IB \fR[ -p listening_port\fR]
+.IB \fR[ -P destination_port\fR]
+.IB \fR[ -c tls_check_level\fR]
+.IB \fR[ -i internal_ip\fR]
+.IB \fR[ -e external_ip\fR]
+.SH DESCRIPTION
+.B proxy
+is SNI gateway service (destination host is taken from TLS handshake). Destination port must be specified via -P option (or it may be detected with Transparent plugin).
+.SH OPTIONS
+.TP
+.B -I
+Inetd mode. Standalone service only.
+.TP
+.B -d
+Daemonise. Detach service from console and run in the background.
+.TP
+.B -t
+Be silenT. Do not log start/stop/accept error records.
+.TP
+.B -u
+Never ask for username authentication
+.TP
+.B -e
+External address. IP address of interface proxy should initiate connections
+from. 
+By default system will deside which address to use in accordance
+with routing table.
+.TP
+.B -i
+Internal address. IP address proxy accepts connections to.
+By default connection to any interface is accepted. It\'s usually unsafe.
+.TP
+.B -a
+Anonymous. Hide information about client.
+.TP
+.B -a1
+Anonymous. Show fake information about client.
+.TP
+.B -p
+listening_port. Port proxy listens for incoming connections. Default is 1443.
+.TP
+.B -P
+destination_port. Port to establish outgoing connections. One is required unless Transparent plugin is not used because TLS handshake does not contain port information. Default is 443.
+.TP
+.B -c
+TLS_CHECK_LEVEL. 0 (default) - allow non-TLS traffic to pass, 1 - require TLS, only check client HELLO packet, 2 - require TLS, check both client and server HELLO, 3 - require TLS, check server send certificate (not compatible with TLS 1.3), 4 - require mutual TLS, check server send certificate request and client sends certificate (not compatible with TLS 1.3)
+.TP
+.B -l
+Log. By default logging is to stdout. If
+.I logfile
+is specified logging is to file. Under Unix, if
+.RI \' @ \'
+preceeds
+.IR logfile ,
+syslog is used for logging.
+.TP
+.B -S
+Increase or decrease stack size. You may want to try something like -S8192 if you experience 3proxy
+crashes.
+.SH CLIENTS
+You should use client with HTTP proxy support or configure router to redirect
+HTTP traffic to proxy (transparent proxy). Configure client to connect to
+.I internal_ip
+and
+.IR port .
+HTTPS support allows to use almost any TCP based protocol. If you need to
+limit clients, use 
+.BR 3proxy (8)
+instead.
+.SH BUGS
+Report all bugs to
+.BR 3proxy@3proxy.org
+.SH SEE ALSO
+3proxy(8), ftppr(8), proxy(8), socks(8), pop3p(8), smtpp(8), tcppm(8), udppm(8), syslogd(8),
+.br
+https://3proxy.org/
+.SH AUTHORS
+3proxy is designed by Vladimir 3APA3A Dubrovin
+.RI ( 3proxy@3proxy.org )

man/udppm.8

@@ -1,4 +1,4 @@
-.TH udppm "8" "January 2016" "3proxy 0.8" "Universal proxy server"
+.TH udppm "8" "January 2019" "3proxy 0.9" "Universal proxy server"
 .SH NAME
 .B udppm
 \- UDP port mapper
@@ -69,11 +69,11 @@ as a destination in client application. All datagrams are forwarded to
 .IR remote_host : remote_port
 .SH BUGS
 Report all bugs to
-.BR 3proxy@3proxy.ru
+.BR 3proxy@3proxy.org
 .SH SEE ALSO
 3proxy(8), proxy(8), ftppr(8), socks(8), pop3p(8), udppm(8), syslogd(8),
 .br
-http://3proxy.ru/
+https://3proxy.org/
 .SH AUTHORS
 3proxy is designed by Vladimir 3APA3A Dubrovin
-.RI ( 3proxy@3proxy.ru )
+.RI ( 3proxy@3proxy.org )

rus.3ps

@@ -95,7 +95,7 @@ value {\n
 [end]
 <br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br />\n
 <pre><font size='-2'><b>
-(c)3APA3A, Владимир Дубровин и <A href='http://3proxy.ru/'>3proxy.ru</A>\n
+(c)3APA3A, Владимир Дубровин и <A href='https://3proxy.ru/'>3proxy.ru</A>\n
 </b></font>\n
 </td></tr></table></body></html>
 [end]
@@ -112,7 +112,7 @@ value {\n
 [/--admin--]
 [--proxy--]
 HTTP/1.0 400 Bad Request\n
-Proxy-Connection: close\n
+Connection: close\n
 Content-type: text/html; charset=utf-8\n
 \n
 <html><head><title>400 Bad Request</title></head>\n
@@ -122,7 +122,7 @@ Content-type: text/html; charset=utf-8\n
 </html>\n
 [end]
 HTTP/1.0 502 Bad Gateway\n
-Proxy-Connection: close\n
+Connection: close\n
 Content-type: text/html; charset=utf-8\n
 \n
 <html><head><title>502 Bad Gateway</title></head>\n
@@ -131,7 +131,7 @@ Content-type: text/html; charset=utf-8\n
 </body></html>\n
 [end]
 HTTP/1.0 503 Service Unavailable\n
-Proxy-Connection: close\n
+Connection: close\n
 Content-type: text/html; charset=utf-8\n
 \n
 <html><head><title>503 Service Unavailable</title></head>\n
@@ -140,7 +140,7 @@ Content-type: text/html; charset=utf-8\n
 </h3></body></html>\n
 [end]
 HTTP/1.0 503 Service Unavailable\n
-Proxy-Connection: close\n
+Connection: close\n
 Content-type: text/html; charset=utf-8\n
 \n
 <html><head><title>503 Service Unavailable</title></head>\n
@@ -149,7 +149,7 @@ Content-type: text/html; charset=utf-8\n
 </h3></body></html>\n
 [end]
 HTTP/1.0 501 Not Implemented\n
-Proxy-Connection: close\n
+Connection: close\n
 Content-type: text/html; charset=utf-8\n
 \n
 <html><head><title>501 Not Implemented</title></head>\n
@@ -158,7 +158,7 @@ Content-type: text/html; charset=utf-8\n
 </h3></body></html>\n
 [end]
 HTTP/1.0 502 Bad Gateway\n
-Proxy-Connection: close\n
+Connection: close\n
 Content-type: text/html; charset=utf-8\n
 \n
 <html><head><title>502 Bad Gateway</title></head>\n
@@ -167,7 +167,7 @@ Content-type: text/html; charset=utf-8\n
 </h3></body></html>\n",
 [end]
 HTTP/1.0 500 Internal Error\n
-Proxy-Connection: close\n
+Connection: close\n
 Content-type: text/html; charset=utf-8\n
 \n
 <html><head><title>500 Internal Error</title></head>\n
@@ -177,7 +177,7 @@ Content-type: text/html; charset=utf-8\n
 [end]
 HTTP/1.0 407 Proxy Authentication Required\n
 Proxy-Authenticate: Basic realm="proxy", encoding="utf-8"\n
-Proxy-Connection: close\n
+Connection: close\n
 Content-type: text/html; charset=utf-8\n
 \n
 <html><head><title>407 Proxy Authentication Required</title></head>\n
@@ -191,7 +191,7 @@ HTTP/1.0 200 Connection established\n
 Content-Type: text/html\n\n
 [end]
 HTTP/1.0 404 Not Found\n
-Proxy-Connection: close\n
+Connection: close\n
 Content-type: text/html; charset=utf-8\n
 \n
 <html><head><title>404 Not Found</title></head>\n
@@ -200,7 +200,7 @@ Content-type: text/html; charset=utf-8\n
 </h3></body></html>\n
 [end]	
 HTTP/1.0 403 Forbidden\n
-Proxy-Connection: close\n
+Connection: close\n
 Content-type: text/html; charset=utf-8\n
 \n
 <html><head><title>403 Access Denied</title></head>\n
@@ -212,7 +212,7 @@ Content-type: text/html; charset=utf-8\n
 HTTP/1.0 407 Proxy Authentication Required\n
 Proxy-Authenticate: NTLM\n
 Proxy-Authenticate: basic realm="proxy", encoding="utf-8"\n
-Proxy-Connection: close\n
+Connection: close\n
 Content-type: text/html; charset=utf-8\n
 \n
 <html><head><title>407 Proxy Authentication Required</title></head>\n
@@ -221,18 +221,18 @@ Content-type: text/html; charset=utf-8\n
 </h3></body></html>\n
 [end]
 HTTP/1.0 407 Proxy Authentication Required\n
-Proxy-Connection: keep-alive\n
+Connection: keep-alive\n
 Content-Length: 0\n
 Proxy-Authenticate: NTLM 
 [end]
 HTTP/1.0 403 Forbidden\n
-Proxy-Connection: close\n
+Connection: close\n
 Content-type: text/html; charset=us-ascii\n
 \n
 <pre>
 [end]
 HTTP/1.0 503 Service Unavailable\n
-Proxy-Connection: close\n
+Connection: close\n
 Content-type: text/html; charset=utf-8\n
 \n
 <html><head><title>503 Service Unavailable</title></head>\n
@@ -242,7 +242,7 @@ Content-type: text/html; charset=utf-8\n
 [end]
 HTTP/1.0 401 Authentication Required\n
 WWW-Authenticate: basic realm="FTP Server", encoding="utf-8"\n
-Proxy-Connection: close\n
+Connection: close\n
 Content-type: text/html; charset=utf-8\n
 \n
 <html><head><title>401 FTP Server requires authentication</title></head>\n

scripts/3proxy-linux-install.sh

@@ -0,0 +1,985 @@
+#!/bin/bash
+# 3proxy build and install script for Debian Linux 
+# Release 2.0 at 29.12.2016
+# (с) Evgeniy Solovyev 
+# mail-to: eugen-soloviov@yandex.ru
+
+ScriptPath=""
+Src3proxyDirPath=""
+ScriptName=""
+ScriptFullName=""
+SourceRoot=""
+
+ResourcesData=""
+
+
+ProxyVersion=""
+LasestProxyVersion=""
+LasestProxyVersionLink=""
+UseSudo=0
+PacketFiles=""
+NeedSourceUpdate=0
+
+
+main()
+{
+	local msgNewVersion
+	local msgInsertYorN
+	
+	VarsInit
+	LoadResources
+	CheckRunConditions
+	
+	if [ $UseSudo == 1 ]
+	then
+		sudo bash "${0}"
+		exit $?
+	fi
+	
+	CheckLocation
+	GetLasestVersionInfo
+	
+	SourceDownloadOrUpdate
+	
+	cd "${SourceRoot}"
+	
+	Build3Proxy
+	BinInstall
+	ManInstall
+	CreateLogDir
+	CopyConfig
+	SetInit
+	Pack3proxyFiles
+}
+
+VarsInit()
+{
+	cd `dirname $0`
+	ScriptPath="${PWD}"
+	ScriptName=`basename $0`
+	ScriptFullName="${ScriptPath}/${ScriptName}"
+}
+
+CheckLocation()
+{
+	Src3proxyDirPath="${ScriptPath}"
+	
+	if echo ${ScriptPath} | grep -e "/scripts$"
+	then
+		if [ -e "../src/version.h" ]
+		then
+			ProxyVersion=`cat "../src/version.h" | awk '/VERSION/ { gsub("\"", "\n"); print; exit }' | grep "3proxy"`
+			cd ../
+			SourceRoot="${PWD}"
+			cd ../
+			Src3proxyDirPath="${PWD}"
+			cd "${ScriptPath}"
+		fi
+	fi
+}
+
+GetLasestVersionInfo()
+{
+	local Githublink
+	local msg
+	
+	Githublink=`wget https://github.com/3proxy/3proxy/releases/latest -O /dev/stdout |
+	awk '/<a.+href=.+\.tar\.gz/ { gsub("\"", "\n"); print; exit }' |
+	grep -e ".tar.gz"`
+	if [ $? != 0 ]
+	then
+		msg=`GetResource "msgInternetConnectionError"`
+		echo -e "${msg}"
+		exit 255
+	fi
+	
+	LasestProxyVersionLink="https://github.com${Githublink}"
+
+	LasestProxyVersion=`basename "${Githublink}" | awk 'gsub(".tar.gz", "") { print "3proxy-" $0 }'`
+}
+
+CheckRunConditions()
+{
+	local UserName
+	local answer
+	local msg
+	local msgContinueWork
+	local msgInsertYorN
+	
+	UserName=`whoami`
+	
+	if [  $UID != 0 ]
+	then
+		if [ `CheckPacketInstall "sudo"` == 0 ]
+		then
+			msg=`GetResource "msgSudoNotInstalled"`
+			echo -e "${msg}"
+			exit 255
+		fi
+		
+		UseSudo=1
+		
+		if [ -z `cat /etc/group | grep -e "^sudo" | grep "${UserName}"`  ]
+		then
+			msg=`GetResource "msgUserNotMemberOfSudoGroup"`
+			echo -e "${msg}"
+			exit 255
+		fi
+		
+		if [ `env | grep -e ^http_proxy` != "" ]
+		then
+			msg=`GetResource "msgSystemUseProxy"`
+			echo -e "${msg}"
+			
+			msgContinueWork=`GetResource "msgDoYouWishContinue"`
+			msgInsertYorN=`GetResource "msgPleaseInsertYorN"`
+			
+			while true; do
+				read -s -n1 -p "${msgContinueWork}" answer
+				case $answer in
+					[Yy]* ) echo -ne "\n";break;;
+					[Nn]* ) echo -ne "\n"; sleep 0; exit 0;;
+					* ) echo -e "${msgInsertYorN}";;
+				esac
+			done
+		
+		fi
+	fi
+	
+}
+
+DonwnloadSource()
+{
+	if [ ! -e "${Src3proxyDirPath}/${LasestProxyVersion}.tar.gz" ] 
+	then
+		wget "${LasestProxyVersionLink}" -O "${Src3proxyDirPath}/${LasestProxyVersion}.tar.gz"
+	fi
+	
+	ProxyVersion="${LasestProxyVersion}"
+}
+
+UnpackSource()
+{
+	if [ ! -d "${Src3proxyDirPath}/${LasestProxyVersion}" ]
+	then
+		tar -xvf "${Src3proxyDirPath}/${LasestProxyVersion}.tar.gz" -C "${Src3proxyDirPath}"
+	fi
+	
+	SourceRoot="${Src3proxyDirPath}/${LasestProxyVersion}"
+}
+
+SourceDownloadOrUpdate()
+{
+	if [ -z "${ProxyVersion}" ]
+	then
+		NeedSourceUpdate=1
+	else
+		if [ "${ProxyVersion}" != "${LasestProxyVersion}" ]
+		then
+			msgNewVersion=`GetResource "msgNewVersion"`
+			msgInsertYorN=`GetResource "msgPleaseInsertYorN"`
+			
+			echo -ne "\a"
+			
+			while true; do
+				read -s -n1 -p "${msgNewVersion}" answer
+				case $answer in
+					[Yy]* ) echo -ne "\n"; NeedSourceUpdate=1; sleep 0; break;;
+					[Nn]* ) echo -ne "\n"; NeedSourceUpdate=0; sleep 0; break;;
+					* ) echo -e "${msgInsertYorN}";;
+				esac
+			done
+		fi
+	fi
+	
+	if [ $NeedSourceUpdate == 1 ]
+	then
+		DonwnloadSource
+		UnpackSource
+	fi
+}
+
+Build3Proxy()
+{
+	local msg
+	
+	if [ `CheckPacketInstall "build-essential"` == 0 ]
+	then
+		apt-get -y install build-essential
+	fi
+	
+	if [ `CheckPacketInstall "build-essential"` == 0 ]
+	then
+		msg=`GetResource "msgBuildEssentialNotInstalled"`
+		echo -e "${msg}"
+		
+		exit 255
+	fi
+	
+	make -f Makefile.Linux
+}
+
+
+BinInstall()
+{
+	local binlist
+	local liblist
+	
+	if [! -d bin]
+	then
+		mkdir bin
+	fi
+	
+	cd bin
+	
+	binlist=`ls -l --time-style="+%d.%m.%Y %H:%m" | awk '$1 ~ /x$/ && $1 ~ /^[^d]/ && $8 !~ /\.so$/ { print $8 }'`
+	
+	for file in $binlist
+	do
+		cp -vf "${file}" /usr/bin
+		PacketFiles=`echo -e "${PacketFiles}\n/usr/bin/${file}"`
+	done
+	
+	liblist=`ls -l --time-style="+%d.%m.%Y %H:%m" | awk '$1 ~ /x$/ && $1 ~ /^[^d]/ && $8 ~ /\.so$/ { print $8 }'`
+
+	for file in $liblist
+	do
+		cp -vf "${file}" /usr/lib
+		PacketFiles=`echo -e "${PacketFiles}\n/usr/lib/${file}"`
+	done
+
+	cd ..
+}
+
+ManInstall()
+{
+	local man3list
+	local man8list
+	
+	cd man
+	
+	man3list=`ls -l --time-style="+%d.%m.%Y %H:%m" | awk '$8 ~ /\.3$/ { print $8 }'`
+	gzip -vfk $man3list
+	
+	man3list=`echo "${man3list}" | awk '{ print $1 ".gz" }'`
+	
+	for file in $man3list
+	do
+		mv -vf "${file}" /usr/share/man/man3
+		PacketFiles="${PacketFiles}\n/usr/share/man/man3/${file}" 
+	done
+	
+	man8list=`ls -l --time-style="+%d.%m.%Y %H:%m" | awk '$8 ~ /\.8$/ { print $8 }'`
+	
+	gzip -vfk $man8list
+	
+	man8list=`echo "${man8list}" | awk '{ print $1 ".gz" }'`
+	
+	for file in $man8list
+	do
+		mv -vf "${file}" /usr/share/man/man8
+		PacketFiles=`echo -e "${PacketFiles}\n/usr/share/man/man8/${file}"`
+	done
+	
+	cd ..
+}
+
+
+CreateLogDir()
+{
+	local LogDir
+	LogDir="/var/log/3proxy"
+	
+	if [ ! -d  "${LogDir}" ]
+	then
+		mkdir "${LogDir}"
+	fi
+	
+	chown nobody:nogroup "${LogDir}"
+	chmod 775 "${LogDir}"
+	PacketFiles="${PacketFiles}\n${LogDir}" 
+}
+
+
+CopyConfig()
+{
+	local ConfigDir
+	ConfigDir="/etc/3proxy"
+	
+	if [ ! -d  "${ConfigDir}" ]
+	then
+		mkdir "${ConfigDir}"
+	fi
+	
+	LoadGlobalResource "ConfigFile" > "${ConfigDir}/3proxy.cfg"
+
+	PacketFiles=`echo -e "${PacketFiles}\n${ConfigDir}/3proxy.cfg"`
+}
+
+
+SetInit()
+{
+	LoadGlobalResource "InitScript" > "/etc/init.d/3proxy"
+	chown root:root "/etc/init.d/3proxy"
+	chmod 755 "/etc/init.d/3proxy"
+	
+	PacketFiles=`echo -e "${PacketFiles}\n/etc/init.d/3proxy"`
+	update-rc.d 3proxy defaults
+}
+
+Pack3proxyFiles()
+{
+	local CPU_Arc
+	CPU_Arc=`uname -m`
+	cd ../
+	tar -czPpvf "${ProxyVersion}-${CPU_Arc}.tar.gz" $PacketFiles
+}
+
+LoadResources()
+{
+	local StartRow
+	local EndRow
+	local LngLabel
+	local msgResourceErr="\aError! Script could not find resources!"
+	
+	if env | grep -q 'LANG=ru_RU.UTF-8' 
+	then
+		LngLabel="RU"
+#LngLabel="EN"
+	else
+		LngLabel="EN"
+	fi
+	
+	StartRow=`cat "${ScriptFullName}" | awk "/^#Resources_${LngLabel}/ { print NR; exit}"`
+	
+	if [ -z "${StartRow}" ]
+	then
+		echo -e "${msgResourceErr}"
+		exit 255
+	fi
+	
+	EndRow=`cat "${ScriptFullName}" | awk "NR > ${StartRow} && /^#Resources_${LngLabel}_end/ { print NR; exit}"`
+	
+	if [ -z "${EndRow}" ]
+	then
+		echo -e "${msgResourceErr}"
+		exit 255
+	fi
+	
+	ResourcesData=`cat "${ScriptFullName}" | awk -v StartRow="${StartRow}" -v EndRow="${EndRow}" 'NR > StartRow && NR < EndRow { print $0 }'`
+}
+
+
+# $1 - Name of Resource
+GetResource()
+{
+	local StartRow
+	local EndRow
+	local msgResourceErr="\aError! Script could not find resource \"${1}\"!"
+	
+	StartRow=`echo "${ResourcesData}" | awk "/^#Resource=${1}/ { print NR; exit}"`
+	
+	if [ -z "${StartRow}" ]
+	then
+		echo -e "${msgResourceErr}" > /dev/stderr
+		exit 255
+	fi
+	
+	EndRow=`echo "${ResourcesData}" | awk "NR > ${StartRow} && /^#endResource=${1}/ { print NR; exit}"`
+	
+	if [ -z "${EndRow}" ]
+	then
+		echo -e "${msgResourceErr}" > /dev/stderr
+		exit 255
+	fi
+	
+	echo "${ResourcesData}" | awk -v StartRow="${StartRow}" -v EndRow="${EndRow}" 'NR > StartRow && NR < EndRow { print $0 }'
+}
+
+
+# $1 - Name of Resource
+LoadGlobalResource()
+{
+	local StartRow
+	local EndRow
+	local LngLabel
+	local msgResourceErr="\aError! Script could not find resource \"${1}\"!"
+	
+	
+	StartRow=`cat "${ScriptFullName}" | awk "/^#Resource=${1}/ { print NR; exit}"`
+	
+	if [ -z "${StartRow}" ]
+	then
+		echo -e "${msgResourceErr}" > /dev/stderr
+		exit 255
+	fi
+	
+	EndRow=`cat "${ScriptFullName}" | awk "NR > ${StartRow} && /^#endResource=${1}/ { print NR; exit}"`
+	
+	if [ -z "${EndRow}" ]
+	then
+		echo -e "${msgResourceErr}" > /dev/stderr
+		exit 255
+	fi
+	
+	cat "${ScriptFullName}" | awk -v StartRow="${StartRow}" -v EndRow="${EndRow}" 'NR > StartRow && NR < EndRow { print $0 }'
+}
+
+
+CheckPacketInstall()
+{
+	if [ `dpkg -l ${1} 2>&1 | wc -l` -le 1 ]  
+	then
+		echo 0
+		return
+	fi
+	if [ `dpkg -l ${1} | grep -e ^un | wc -l` == 1 ]
+	then
+		echo 0
+		return
+	fi
+	
+	echo 1
+}
+
+main
+exit 0
+
+#Resources_EN
+
+#Resource=msgSudoNotInstalled
+\aThe script is running under the account a non-privileged user.
+"Sudo" package is not installed in the system.
+The script can not continue, as the execution of operations,
+requiring rights "root" - is not possible!
+Please run the script under the account "root",
+or install and configure "sudo" package!
+#endResource=msgSudoNotInstalled
+
+#Resource=msgUserNotMemberOfSudoGroup
+\aThe script is running under account a non-privileged user.
+The account of the current user is not included in the "sudo" group!
+The script can not continue, as the execution of operations,
+requiring rights "root" - is not possible!
+Please run the script under the account "root",
+or configure "sudo" package!
+#endResource=msgUserNotMemberOfSudoGroup
+
+#Resource=msgSystemUseProxy
+\aAttention! The operating system uses proxy-server.
+For correctly work of package manager "apt" 
+in the file "/etc/sudoers" should be present line:
+Defaults env_keep = "http_proxy https_proxy"
+#endResource=msgSystemUseProxy
+
+#Resource=msgDoYouWishContinue
+Do you wish to the script continued executing? (y/n):
+#endResource=msgDoYouWishContinue
+
+#Resource=msgPleaseInsertYorN
+\a\nPlease insert "y" or "n"!
+#endResource=msgPleaseInsertYorN
+
+#Resource=msgInternetConnectionError
+\aError downloading "https://github.com/z3APA3A/3proxy/releases/latest"!
+Please check the settings of the Internet connection.
+#endResource=msgInternetConnectionError
+
+#Resource=msgNewVersion
+The new version of "3proxy" detected, do you want download it?
+#endResource=msgNewVersion
+
+#Resource=msgBuildEssentialNotInstalled
+\aPackage "build-essential" was not installed.
+The installation can not be continued!
+#endResource=msgBuildEssentialNotInstalled
+
+#Resources_EN_end
+
+#Resources_RU
+
+#Resource=msgSudoNotInstalled
+\aСкрипт запущен под учётной записью обычного пользователя.
+В системе не установлен пакет "sudo".
+Скрипт не может продолжить работу, так как выполнение операций,
+требующих прав "root" - не представляется возможным!
+Пожалуйста, запустите скрипт под учётной записью "root", 
+либо установите и настройте пакет "sudo"!
+#endResource=msgSudoNotInstalled
+
+#Resource=msgUserNotMemberOfSudoGroup
+\aСкрипт запущен под учётной записью обычного пользователя.
+Учётная запись текущего пользователя не включена в группу "sudo"!
+Скрипт не может продолжить работу, так как выполнение операций,
+требующих прав "root" - не представляется возможным!
+Пожалуйста, запустите скрипт под учётной записью "root", 
+либо настройте пакет "sudo"!
+#endResource=msgUserNotMemberOfSudoGroup
+
+#Resource=msgSystemUseProxy
+\aВнимание! В системе используется прокси-сервер.
+Чтобы менеджер пакетов "apt" работал корректно,
+в файле "/etc/sudoers" должна присутствовать строка:
+Defaults env_keep = "http_proxy https_proxy"
+#endResource=msgSystemUseProxy
+
+#Resource=msgDoYouWishContinue
+Хотите чтобы скрипт дальше продолжил работу? (y/n):
+#endResource=msgDoYouWishContinue
+
+#Resource=msgPleaseInsertYorN
+\a\nПожалуйста введите "y" или "n"!
+#endResource=msgPleaseInsertYorN
+
+#Resource=msgInternetConnectionError
+\aОшибка закачки "https://github.com/z3APA3A/3proxy/releases/latest"!
+Пожалуйста, проверьте настройки интернет соединения.
+#endResource=msgInternetConnectionError
+
+#Resource=msgNewVersion
+Обнаружена новая версия "3proxy", скачать её (y/n)?
+#endResource=msgNewVersion
+
+#Resource=msgBuildEssentialNotInstalled
+\aПакет "build-essential" не был установлен.
+Дальнейшая установка не может быть продолжена!
+#endResource=msgBuildEssentialNotInstalled
+
+#Resources_RU_end
+
+
+#Resource=ConfigFile
+noconfig
+# If in this file have line "noconfig", then 3proxy not to be runned!
+# For usung this configuration file 3proxy you must to delete 
+# or comment out the line with "noconfig".
+
+daemon
+# Parameter "daemon" - means run 3proxy as daemon
+
+
+pidfile /tmp/3proxy.pid
+# PID file location 
+# This parameter must have the same value as 
+# the variable "PidFile" in  the script "/etc/init.d/3proxy"
+
+
+# Configuration file location
+config /etc/3proxy/3proxy.cfg
+
+
+internal 127.0.0.1
+# Internal is address of interface proxy will listen for incoming requests
+# 127.0.0.1 means only localhost will be able to use this proxy. This is
+# address you should specify for clients as proxy IP.
+# You MAY use 0.0.0.0 but you shouldn't, because it's a chance for you to
+# have open proxy in your network in this case.
+
+external 192.168.0.1
+# External is address 3proxy uses for outgoing connections. 0.0.0.0 means any
+# interface. Using 0.0.0.0 is not good because it allows to connect to 127.0.0.1
+
+
+# DNS IP addresses
+nserver 8.8.8.8
+nserver 8.8.4.4
+
+
+# DNS cache size
+nscache 65536
+
+# Timeouts settings
+timeouts 1 5 30 60 180 1800 15 60
+
+
+# log file location
+log /var/log/3proxy/3proxy.log D
+
+# log file format
+logformat "L%C - %U [%d-%o-%Y %H:%M:%S %z] ""%T"" %E %I %O %N/%R:%r"
+
+archiver gz /usr/bin/gzip %F
+# If archiver specified log file will be compressed after closing.
+# you should specify extension, path to archiver and command line, %A will be
+# substituted with archive file name, %f - with original file name.
+# Original file will not be removed, so archiver should care about it.
+
+rotate 30
+# We will keep last 30 log files
+
+proxy -p3128
+# Run http/https proxy on port 3128
+
+auth none
+# No authentication is requires
+
+setgid 65534
+setuid 65534
+# Run 3proxy under account "nobody" with group "nobody"
+#endResource=ConfigFile
+
+
+#Resource=InitScript
+#!/bin/sh
+#
+# 3proxy daemon control script
+#
+### BEGIN INIT INFO
+# Provides:          3proxy
+# Required-Start:    $network $remote_fs $syslog
+# Required-Stop:     $network $remote_fs $syslog
+# Should-Start:      $named
+# Should-Stop:       $named
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: 3proxy HTTP Proxy
+### END INIT INFO
+
+
+ScriptName="3proxy"
+ScriptFullName="/etc/init.d/3proxy"
+
+ConfigFile="/etc/3proxy/3proxy.cfg"
+LogDir="/var/log/3proxy"
+PidFile="/tmp/3proxy.pid"
+
+ResourcesData=""
+
+main()
+{
+	LoadResources
+	
+	if [ ! -d "${LogDir}" ]
+	then
+		mkdir -p "${LogDir}";
+	fi
+	
+	case "$1" in
+		start)		Start ;;
+		stop)		Stop ;;
+		restart)	Stop; Start ;;
+		status)		Status ;;
+		*)			ShowHelp;;
+	esac
+}
+
+Start()
+{
+	local msg
+	local ProxyPID
+	
+	if [ ! -f "${ConfigFile}" ]
+	then
+		msg=`GetResource "msgConfigFileNotFound"`
+		printf "${msg}" "${ConfigFile}"
+		return
+	fi
+	
+	if cat "${ConfigFile}" | grep -qe "^noconfig"
+	then
+		msg=`GetResource "msgNoconfigDetected"`
+		printf "${msg}" "${ConfigFile}"
+		return
+	fi
+	
+	ProxyPID=`Get3proxyPID`
+	
+	if [ ! -z "${ProxyPID}" ]
+	then
+		msg=`GetResource "msg3proxyAlreadyRunning"`
+		printf "${msg}" "${ProxyPID}"
+		return
+	fi
+	
+	3proxy "${ConfigFile}"
+	sleep 1
+	
+	ProxyPID=`Get3proxyPID`
+	
+	if [ ! -f "${PidFile}" ] 
+	then
+		msg=`GetResource "msg3proxyStartProblems"`
+		printf "${msg}"
+		return
+	fi
+	
+	if [ `cat "${PidFile}"` != "${ProxyPID}" ]
+	then
+		msg=`GetResource "msg3proxyStartProblems"`
+		printf "${msg}"
+		return
+	fi
+	
+	msg=`GetResource "msg3proxyStartedSuccessfully"`
+	printf "${msg}" `date +%d-%m-%Y" "%H:%M:%S` "${ProxyPID}"
+
+}
+
+Stop()
+{
+	local msg
+	local ProxyPID
+	
+	ProxyPID=`Get3proxyPID`
+	
+	if [ -f "${PidFile}" ] 
+	then
+		if [ `cat "${PidFile}"` = "${ProxyPID}" ]
+		then
+			kill -9 "${ProxyPID}"
+			rm -f "${PidFile}"
+			
+			msg=`GetResource "msg3proxyStoppedSuccessfully"`
+			printf "${msg}" `date +%d-%m-%Y" "%H:%M:%S`
+			
+			return
+		fi
+	fi
+	
+	if [ -z "${ProxyPID}" ]
+	then
+		msg=`GetResource "msg3proxyProxyNotDetected"`
+		printf "${msg}"
+		
+		return
+	fi
+	
+	pkill -o 3proxy
+	
+	msg=`GetResource "msg3proxyStoppedByKillall"`
+	printf "${msg}" `date +%d-%m-%Y" "%H:%M:%S` "${PidFile}"
+	
+}
+
+Status()
+{
+	local msg
+	local ProxyPID
+	
+	if [ -f "${PidFile}" ] 
+	then
+		msg=`GetResource "msgPidFileExists"`
+		printf "${msg}" "${PidFile}" `cat "${PidFile}"`
+	else
+		msg=`GetResource "msgPidFileNotExists"`
+		printf "${msg}" "${PidFile}"
+	fi
+	
+	ProxyPID=`Get3proxyPID`
+	
+	if [ ! -z  "${ProxyPID}" ]
+	then
+		msg=`GetResource "msg3proxyProcessDetected"`
+		printf "${msg}"
+		ps -ef | awk '$8 ~ /^3proxy/ { print "User: " $1 "\tPID: " $2 }'
+	else
+		msg=`GetResource "msg3proxyProcessNotDetected"`
+		printf "${msg}"
+	fi
+}
+
+ShowHelp()
+{
+	local msg
+	
+	msg=`GetResource "msg3proxyHelp"`
+	printf "${msg}" "${ScriptFullName}" "${ScriptName}"
+}
+
+Get3proxyPID()
+{
+	ps -ef | awk '$8 ~ /^3proxy/ { print $2; exit }'
+}
+
+LoadResources()
+{
+	local StartRow
+	local EndRow
+	local LngLabel
+	local msgResourceErr="\aError! Script could not find resources!"
+	
+	if env | grep -q 'LANG=ru_RU.UTF-8' 
+	then
+		LngLabel="RU"
+	else
+		LngLabel="EN"
+	fi
+	
+	StartRow=`cat "${ScriptFullName}" | awk "/^#Resources_${LngLabel}/ { print NR; exit}"`
+	
+	if [ -z "${StartRow}" ]
+	then
+		echo -e "${msgResourceErr}"
+		exit 255
+	fi
+	
+	EndRow=`cat "${ScriptFullName}" | awk "NR > ${StartRow} && /^#Resources_${LngLabel}_end/ { print NR; exit}"`
+	
+	if [ -z "${EndRow}" ]
+	then
+		echo -e "${msgResourceErr}"
+		exit 255
+	fi
+	
+	ResourcesData=`cat "${ScriptFullName}" | awk -v StartRow="${StartRow}" -v EndRow="${EndRow}" 'NR > StartRow && NR < EndRow { print $0 }'`
+}
+
+# $1 - Name of Resource
+GetResource()
+{
+	local StartRow
+	local EndRow
+	local msgResourceErr="\aError! Script could not find resource \"${1}\"!"
+	
+	StartRow=`echo "${ResourcesData}" | awk "/^#Resource=${1}/ { print NR; exit}"`
+	
+	if [ -z "${StartRow}" ]
+	then
+		echo -e "${msgResourceErr}" > /dev/stderr
+		exit 255
+	fi
+	
+	EndRow=`echo "${ResourcesData}" | awk "NR > ${StartRow} && /^#endResource=${1}/ { print NR; exit}"`
+	
+	if [ -z "${EndRow}" ]
+	then
+		echo -e "${msgResourceErr}" > /dev/stderr
+		exit 255
+	fi
+	
+	echo "${ResourcesData}" | awk -v StartRow="${StartRow}" -v EndRow="${EndRow}" 'NR > StartRow && NR < EndRow { print $0 }'
+}
+
+
+main $@
+exit 0;
+
+#Resources_EN
+
+#Resource=msg3proxyHelp
+Usage:
+\t%s {start|stop|restart}
+or
+\tservice %s {start|stop|restart|status}\\n
+#endResource=msg3proxyHelp
+
+#Resource=msgConfigFileNotFound
+\a3proxy configuration file - "%s" is not found!\\n
+#endResource=msgConfigFileNotFound
+
+#Resource=msgNoconfigDetected
+Parameter "noconfig" found in 3proxy configuration file -
+"% s" !
+To run 3proxy this parameter should be disabled.\\n
+#endResource=msgNoconfigDetected
+
+#Resource=msg3proxyAlreadyRunning
+\a3proxy already running PID: %s\\n
+#endResource=msg3proxyAlreadyRunning
+
+#Resource=msg3proxyStartProblems
+With the start of 3proxy, something is wrong! 
+Use: service 3proxy status\\n
+#endResource=msg3proxyStartProblems
+
+#Resource=msg3proxyStartedSuccessfully
+[ %s %s ] 3proxy started successfully! PID: %s\\n
+#endResource=msg3proxyStartedSuccessfully
+
+#Resource=msg3proxyStoppedSuccessfully
+[ %s %s ] 3proxy stopped successfully!\\n
+#endResource=msg3proxyStoppedSuccessfully
+
+#Resource=msg3proxyProxyNotDetected
+Process "3proxy" is not detected!\\n
+#endResource=msg3proxyProxyNotDetected
+
+#Resource=msg3proxyStoppedByKillall
+[ %s %s ] Command "pkill -o 3proxy" was executed,
+because process number was not stored in "%s",
+but in fact 3proxy was runned!\\n
+#endResource=msg3proxyStoppedByKillall
+
+#Resource=msgPidFileExists
+File "%s" exists. It contains the PID: %s\\n
+#endResource=msgPidFileExists
+
+#Resource=msgPidFileNotExists
+File "%s" not found, that is, PID 3proxy was not stored!\\n
+#endResource=msgPidFileNotExists
+
+#Resource=msg3proxyProcessDetected
+Process 3proxy detected:\\n
+#endResource=msg3proxyProcessDetected
+
+#Resource=msg3proxyProcessNotDetected
+Processes of 3proxy is not found!\\n
+#endResource=msg3proxyProcessNotDetected
+
+#Resources_EN_end
+
+
+#Resources_RU
+
+#Resource=msg3proxyHelp
+Используйте:
+\t%s {start|stop|restart}
+или
+\tservice %s {start|stop|restart|status}\\n
+#endResource=msg3proxyHelp
+
+#Resource=msgConfigFileNotFound
+\aФайл конфигурации 3proxy - "%s", не найден!\\n
+#endResource=msgConfigFileNotFound
+
+#Resource=msgNoconfigDetected
+\aОбнаружен параметр "noconfig" в файле конфигурации 3proxy -
+"%s" !
+Для запуска 3proxy этот параметр нужно отключить.\\n
+#endResource=msgNoconfigDetected
+
+#Resource=msg3proxyAlreadyRunning
+\a3proxy уже запущен PID: %s\\n
+#endResource=msg3proxyAlreadyRunning
+
+#Resource=msg3proxyStartProblems
+\aСо стартом 3proxy, что-то не так!
+Используйте: service 3proxy status\\n
+#endResource=msg3proxyStartProblems
+
+#Resource=msg3proxyStartedSuccessfully
+[ %s %s ] 3proxy успешно стартовал! PID: %s\\n
+#endResource=msg3proxyStartedSuccessfully
+
+#Resource=msg3proxyStoppedSuccessfully
+[ %s %s ] 3proxy успешно остановлен!\\n
+#endResource=msg3proxyStoppedSuccessfully
+
+#Resource=msg3proxyProxyNotDetected
+Процесс "3proxy" не обнаружен!\\n
+#endResource=msg3proxyProxyNotDetected
+
+#Resource=msg3proxyStoppedByKillall
+[ %s %s ] Выполнена команда "pkill -o 3proxy",
+т.к. номер процесса не записан в "%s",
+но по факту 3proxy рабатал!\\n
+#endResource=msg3proxyStoppedByKillall
+
+#Resource=msgPidFileExists
+Файл "%s" есть. Он содержит PID: %s\\n
+#endResource=msgPidFileExists
+
+#Resource=msgPidFileNotExists
+Файл "%s" не найден, т.е. PID 3proxy не был сохранён!\\n
+#endResource=msgPidFileNotExists
+
+#Resource=msg3proxyProcessDetected
+Обнаружен процесс 3proxy:\\n
+#endResource=msg3proxyProcessDetected
+
+#Resource=msg3proxyProcessNotDetected
+Процессов 3proxy не обнаружено!\\n
+#endResource=msg3proxyProcessNotDetected
+
+#Resources_RU_end
+#endResource=InitScript

scripts/3proxy.cfg

@@ -1,23 +1,18 @@
-#!/usr/local/etc/3proxy/bin/3proxy
-daemon
-pidfile /usr/local/etc/3proxy/3proxy.pid
 nscache 65536
-nserver 127.0.0.1
+nserver 8.8.8.8
+nserver 8.8.4.4
 
-config /usr/local/etc/3proxy/3proxy.cfg
-monitor /usr/local/etc/3proxy/3proxy.cfg
-monitor /usr/local/etc/3proxy/counters
-monitor /usr/local/etc/3proxy/passwd
-monitor /usr/local/etc/3proxy/bandlimiters
+config /conf/3proxy.cfg
+monitor /conf/3proxy.cfg
 
-log /var/log/3proxy/log D
+log /logs/3proxy-%y%m%d.log D
 rotate 60
-counter /usr/local/etc/3proxy/3proxy.3cf
+counter /count/3proxy.3cf
 
-users $/usr/local/etc/3proxy/passwd
+users $/conf/passwd
 
-include /usr/local/etc/3proxy/counters
-include /usr/local/etc/3proxy/bandlimiters
+include /conf/counters
+include /conf/bandlimiters
 
 auth strong
 deny * * 127.0.0.1
@@ -28,5 +23,3 @@ flush
 allow admin
 
 admin -p8080
-
-

scripts/3proxy.cfg.chroot

@@ -0,0 +1,4 @@
+#!/bin/3proxy
+#daemon
+chroot /usr/local/3proxy proxy proxy
+include /conf/3proxy.cfg

scripts/3proxy.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=3proxy tiny proxy server
+Documentation=man:3proxy(1)
+After=network.target
+
+[Service]
+Environment=CONFIGFILE=/etc/3proxy/3proxy.cfg
+ExecStart=/bin/3proxy ${CONFIGFILE}
+ExecReload=/bin/kill -SIGUSR1 $MAINPID
+KillMode=process
+Restart=on-failure
+RestartSec=60s
+LimitNOFILE=65536
+LimitNPROC=32768
+RuntimeDirectory=3proxy
+
+[Install]
+WantedBy=multi-user.target
+Alias=3proxy.service

scripts/add3proxyuser.sh

@@ -1,10 +1,15 @@
 #!/bin/sh
 if [ $4 ]; then  
-	echo $1:`/usr/local/etc/3proxy/bin/mycrypt $$ $2` >> /usr/local/etc/3proxy/passwd
-	echo countin \"`wc -l /usr/local/etc/3proxy/counters|awk '{print $1}'`/$1\" D $3 $1 >> /usr/local/etc/3proxy/counters
-	echo bandlimin $4 $1 >> /usr/local/etc/3proxy/bandlimiters
+	echo bandlimin $4 $1 >> /etc/3proxy/conf/bandlimiters
+fi
+if [ $3 ]; then  
+	echo countin \"`wc -l /etc/3proxy/conf/counters|awk '{print $1}'`/$1\" D $3 $1 >> /etc/3proxy/conf/counters
+fi
+if [ $2 ]; then  
+	echo $1:`/bin/mycrypt $$ $2` >> /etc/3proxy/conf/passwd
 else
-	echo usage: $0 username password day_limit bandwidth
+	echo usage: $0 username password [day_limit] [bandwidth]
 	echo "	"day_limit - traffic limit in MB per day
 	echo "	"bandwidth - bandwith in bits per second 1048576 = 1Mbps
 fi
+

scripts/debian/3proxy.manpages

@@ -0,0 +1,10 @@
+man/3proxy.8
+man/3proxy.cfg.3
+man/ftppr.8
+man/pop3p.8
+man/tlspr.8
+man/proxy.8
+man/smtpp.8
+man/socks.8
+man/tcppm.8
+man/udppm.8

scripts/debian/changelog

@@ -0,0 +1,24 @@
+3proxy (0.9.5-1) buster; urgency=medium
+
+  *3proxy 0.9.5 initial build
+
+ -- z3APA3A <3apa3a@3proxy.org>  Sun, 09 Mar 2025 15:55:48 +0300
+
+3proxy (0.9.4-1) buster; urgency=medium
+
+  *3proxy 0.9.4 initial build
+
+ -- z3APA3A <3apa3a@3proxy.org>  Fri, 02 Jul 2021 00:47:00 +0300
+
+3proxy (0.9.3-1) buster; urgency=medium
+
+  *3proxy 0.9.3 initial build
+
+ -- z3APA3A <3apa3a@3proxy.org>  Thu, 03 Dec 2020 21:13:58 +0300
+
+3proxy (0.9.2-1) buster; urgency=medium
+
+  *3proxy 0.9.2 initial build
+
+ -- z3APA3A <3apa3a@3proxy.org>  Thu, 19 Nov 2020 19:19:19 +0300
+

scripts/debian/compat

@@ -0,0 +1 @@
+9

scripts/debian/conffiles

@@ -0,0 +1,4 @@
+/usr/local/3proxy/conf/3proxy.cfg
+/usr/local/3proxy/conf/add3proxyuser.sh
+/usr/local/3proxy/conf/bandlimiters
+/usr/local/3proxy/conf/counters

scripts/debian/control

@@ -0,0 +1,18 @@
+Source: 3proxy
+Maintainer: z3APA3A <3apa3a@3proxy.org>
+Section: net
+Priority: optional
+Standards-Version: 4.0.0
+Build-Depends: debhelper (>=10)
+Homepage: https://3proxy.org/
+Vcs-Git: https://github.com/z3APA3A/3proxy
+Vcs-Browser: https://github.com/z3APA3A/3proxy
+
+Package: 3proxy
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: tiny free proxy server
+ 3Proxy tiny free proxy server is really tiny freeware proxy servers set. 
+ It includes HTTP proxy with HTTPS and FTP support, SOCKSv4/SOCKSv4.5/SOCKSv5 proxy (socks/socks.exe), POP3 proxy, SMTP proxy, FTP proxy, caching DNS proxy, TCP and UDP portmappers.
+ You can use every proxy as a standalone program (socks, proxy, tcppm, udppm, pop3p) or use combined program (3proxy). Combined proxy additionally supports features like access control, bandwidth limiting, limiting daily/weekly/monthly traffic amount, proxy chaining, log rotation, syslog and ODBC logging, etc.
+ It's created to be small, simple and yet very functional. 

scripts/debian/copyright

@@ -0,0 +1,20 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: 3proxy
+Upstream-Contact: 3proxy@3proxy.org
+Source: https://3proxy.org/
+
+Files: *
+Copyright: 2000-2020 3APA3A, Vladimir Dubrovin, 3proxy.org
+License: BSD-3-clause or Apache or GPL-2+ or LGPL-2+
+
+Files: src/libs/md*.*
+Copyright: 1990,1991,1992  RSA Data Security, Inc
+License: public-domain
+
+Files: src/libs/regex.*
+Copyright: Henry Spencer
+License: public-domain
+
+Files: src/libs/smbdes.c
+Copyright: Andrew Tridgell 1998
+License: GPL-2+

scripts/debian/postinst

@@ -0,0 +1,43 @@
+if [ ! -f /usr/local/3proxy/conf/passwd ]; then \
+ touch /usr/local/3proxy/conf/passwd;\
+fi
+chown -R proxy:proxy /usr/local/3proxy
+chmod 550  /usr/local/3proxy/
+chmod 550  /usr/local/3proxy/conf/
+chmod 440  /usr/local/3proxy/conf/*
+if /bin/systemctl >/dev/null 2>&1; then \
+ /usr/sbin/update-rc.d 3proxy disable || true; \
+ /usr/sbin/chkconfig 3proxy off || true; \
+ /bin/systemctl enable 3proxy.service; \
+elif [ -x /usr/sbin/update-rc.d ]; then \
+ /usr/sbin/update-rc.d 3proxy defaults; \
+ /usr/sbin/update-rc.d 3proxy enable; \
+elif [ -x /usr/sbin/chkconfig ]; then \
+ /usr/sbin/chkconfig 3proxy on; \
+fi
+
+echo ""
+echo 3proxy installed.
+if /bin/systemctl >/dev/null 2>&1; then \
+ /bin/systemctl stop 3proxy.service \
+ /bin/systemctl start 3proxy.service \
+ echo use ;\
+ echo "  "systemctl start 3proxy.service ;\
+ echo to start proxy ;\
+ echo "  "systemctl stop 3proxy.service ;\
+ echo to stop proxy ;\
+elif [ -x /usr/sbin/service ]; then \
+ /usr/sbin/service 3proxy stop  || true;\
+ /usr/sbin/service 3proxy start  || true;\
+ echo "  "service 3proxy start ;\
+ echo to start proxy ;\
+ echo "  "service 3proxy stop ;\
+ echo to stop proxy ;\
+fi
+echo "  "/usr/local/3proxy/conf/add3proxyuser.sh
+echo to add users
+echo ""
+echo Default config uses Google\'s DNS.
+echo It\'s recommended to use provider supplied DNS or install local recursor, e.g. pdns-recursor.
+echo Configure preferred DNS in /usr/local/3proxy/conf/3proxy.cfg.
+echo run \'/usr/local/3proxy/conf/add3proxyuser.sh admin password\' to configure \'admin\' user

scripts/debian/preinst

@@ -0,0 +1,4 @@
+if [ -x /usr/sbin/useradd ]; then \
+ /usr/bin/getent group proxy >/dev/null || (/usr/sbin/groupadd -f -r proxy || true); \
+ /usr/bin/getent passwd proxy >/dev/null || (/usr/sbin/useradd -Mr -s /bin/false -g proxy -c 3proxy proxy || true); \
+fi

scripts/debian/rules

@@ -0,0 +1,16 @@
+#!/usr/bin/make -f
+
+%:
+	dh $@
+
+override_dh_auto_build:
+	ln -s Makefile.Linux Makefile || true
+	dh_auto_build
+
+override_dh_auto_clean:
+	find src/ -type f -name "*.o" -delete
+	find src/ -type f -name "Makefile.var" -delete
+	find bin/ -type f -executable -delete
+	rm -f Makefile
+
+override_dh_usrlocal:

scripts/debian/source/format

@@ -0,0 +1 @@
+3.0 (quilt)

scripts/init.d/3proxy.sh

@@ -0,0 +1,56 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          3proxy
+# Required-Start:    
+# Required-Stop:     
+# Should-Start:      
+# Should-Stop:       
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Start/stop 3proxy
+# Description:       Start/stop 3proxy, tiny proxy server
+### END INIT INFO
+# chkconfig: 2345 20 80
+# description: 3proxy tiny proxy server
+
+case "$1" in
+   start)    
+       echo Starting 3Proxy
+   
+       /bin/mkdir -p /var/run/3proxy
+       /bin/3proxy /etc/3proxy/3proxy.cfg &
+   
+       RETVAL=$?
+       echo
+       [ $RETVAL ]    
+       ;;
+
+   stop)
+       echo Stopping 3Proxy
+       if [ -f /var/run/3proxy/3proxy.pid ]; then
+	       /bin/kill `cat /var/run/3proxy/3proxy.pid`
+       else
+               /usr/bin/killall 3proxy
+       fi
+   
+       RETVAL=$?
+       echo
+       [ $RETVAL ]
+       ;;
+
+   restart|reload)
+       echo Reloading 3Proxy
+       if [ -f /var/run/3proxy/3proxy.pid ]; then
+	       /bin/kill -s USR1 `cat /var/run/3proxy/3proxy.pid`
+       else
+               /usr/bin/killall -s USR1 3proxy
+       fi
+       ;;
+
+
+   *)
+       echo Usage: $0 "{start|stop|restart}"
+       exit 1
+esac
+exit 0 
+

scripts/install-unix.sh

@@ -3,8 +3,8 @@ cd ..
 cp Makefile.unix Makefile
 make
 if [ ! -d /usr/local/etc/3proxy/bin ]; then mkdir -p /usr/local/etc/3proxy/bin/; fi
-install src/3proxy /usr/local/etc/3proxy/bin/3proxy
-install src/mycrypt /usr/local/etc/3proxy/bin/mycrypt
+install bin/3proxy /usr/local/bin/3proxy
+install bin/mycrypt /usr/local/bin/mycrypt
 install scripts/rc.d/proxy.sh /usr/local/etc/rc.d/proxy.sh
 install scripts/add3proxyuser.sh /usr/local/etc/3proxy/bin/
 if [ -s /usr/local/etc/3proxy/3proxy.cfg ]; then
@@ -19,3 +19,4 @@ else
  touch /usr/local/etc/3proxy/bandlimiters
  echo Run /usr/local/etc/3proxy/bin/add3proxyuser.sh to add \'admin\' user
 fi
+

scripts/rc.d/proxy.sh

@@ -1,48 +0,0 @@
-#!/bin/sh
-#
-# chkconfig: 2345 20 80
-# description: 3proxy tiny proxy server
-#              
-#
-# 
-#
-
-case "$1" in
-   start)    
-       echo Starting 3Proxy
-   
-       /usr/local/etc/3proxy/bin/3proxy /usr/local/etc/3proxy/3proxy.cfg
-   
-       RETVAL=$?
-       echo
-       [ $RETVAL ]    
-       ;;
-
-   stop)
-       echo Stopping 3Proxy
-       if [ /usr/local/etc/3proxy/3proxy.pid ]; then
-	       /bin/kill `cat /usr/local/etc/3proxy/3proxy.pid`
-       else
-               /usr/bin/killall 3proxy
-       fi
-   
-       RETVAL=$?
-       echo
-       [ $RETVAL ]
-       ;;
-
-   restart|reload)
-       echo Reloading 3Proxy
-       if [ /usr/local/etc/3proxy/3proxy.pid ]; then
-	       /bin/kill -s USR1 `cat /usr/local/etc/3proxy/3proxy.pid`
-       else
-               /usr/bin/killall -s USR1 3proxy
-       fi
-       ;;
-
-
-   *)
-       echo Usage: $0 "{start|stop|restart}"
-       exit 1
-esac
-exit 0 

scripts/rh/3proxy.spec

@@ -0,0 +1,127 @@
+Name:           3proxy
+Version:        0.9.5
+Release:        1
+Summary:        3proxy tiny proxy server
+License:        GPL/LGPL/Apache/BSD
+URL:            https://3proxy.org/
+Vendor:         3proxy.org 3proxy@3proxy.org
+Prefix:         %{_prefix}
+Packager: 	z3APA3A
+Source:		https://github.com/%{packager}/%{name}/archive/%{version}.tar.gz
+
+%description
+3proxy is lightweight yet powerful proxy server
+
+%prep
+%setup -q -n %{name}-%{version}
+ln -s Makefile.Linux Makefile
+
+%build
+make
+
+%install
+make DESTDIR=%buildroot install
+
+%clean
+make clean
+
+
+%files
+/bin/3proxy
+/bin/ftppr
+/bin/mycrypt
+/bin/pop3p
+/bin/proxy
+/bin/socks
+/bin/tcppm
+/bin/udppm
+/bin/tlspr
+%config(noreplace) /etc/3proxy/3proxy.cfg
+/etc/3proxy/conf
+/etc/init.d/3proxy
+/usr/lib/systemd/system/3proxy.service
+%config(noreplace) /usr/local/3proxy/conf/3proxy.cfg
+%config(noreplace) /usr/local/3proxy/conf/add3proxyuser.sh
+%config(noreplace) /usr/local/3proxy/conf/bandlimiters
+%config(noreplace) /usr/local/3proxy/conf/counters
+/usr/local/3proxy/libexec/PCREPlugin.ld.so
+/usr/local/3proxy/libexec/StringsPlugin.ld.so
+/usr/local/3proxy/libexec/TrafficPlugin.ld.so
+/usr/local/3proxy/libexec/TransparentPlugin.ld.so
+%if "%{_arch}" == "arm"
+/usr/share/man/man3/3proxy.cfg.3
+/usr/share/man/man8/3proxy.8
+/usr/share/man/man8/ftppr.8
+/usr/share/man/man8/pop3p.8
+/usr/share/man/man8/proxy.8
+/usr/share/man/man8/smtpp.8
+/usr/share/man/man8/socks.8
+/usr/share/man/man8/tcppm.8
+/usr/share/man/man8/udppm.8
+/usr/share/man/man8/tlspr.8
+%else
+/usr/share/man/man3/3proxy.cfg.3.gz
+/usr/share/man/man8/3proxy.8.gz
+/usr/share/man/man8/ftppr.8.gz
+/usr/share/man/man8/pop3p.8.gz
+/usr/share/man/man8/proxy.8.gz
+/usr/share/man/man8/smtpp.8.gz
+/usr/share/man/man8/socks.8.gz
+/usr/share/man/man8/tcppm.8.gz
+/usr/share/man/man8/udppm.8.gz
+/usr/share/man/man8/tlspr.8.gz
+%endif
+/var/log/3proxy
+
+%doc doc/*
+
+%pre
+if [ -x /usr/sbin/useradd ]; then \
+ /usr/bin/getent group proxy >/dev/null || (/usr/sbin/groupadd -f -r proxy || true); \
+ /usr/bin/getent passwd proxy >/dev/null || (/usr/sbin/useradd -Mr -s /bin/false -g proxy -c 3proxy proxy || true); \
+fi
+
+%post
+if [ ! -f /usr/local/3proxy/conf/passwd ]; then \
+ touch /usr/local/3proxy/conf/passwd;\
+fi
+chown -R proxy:proxy /usr/local/3proxy
+chmod 550  /usr/local/3proxy/
+chmod 550  /usr/local/3proxy/conf/
+chmod 440  /usr/local/3proxy/conf/*
+if /bin/systemctl >/dev/null 2>&1; then \
+ /usr/sbin/update-rc.d 3proxy disable || true; \
+ /usr/sbin/chkconfig 3proxy off || true; \
+ /bin/systemctl enable 3proxy.service; \
+elif [ -x /usr/sbin/update-rc.d ]; then \
+ /usr/sbin/update-rc.d 3proxy defaults; \
+ /usr/sbin/update-rc.d 3proxy enable; \
+elif [ -x /usr/sbin/chkconfig ]; then \
+ /usr/sbin/chkconfig 3proxy on; \
+fi
+
+echo ""
+echo 3proxy installed.
+if /bin/systemctl >/dev/null 2>&1; then \
+ /bin/systemctl stop 3proxy.service \
+ /bin/systemctl start 3proxy.service \
+ echo use ;\
+ echo "  "systemctl start 3proxy.service ;\
+ echo to start proxy ;\
+ echo "  "systemctl stop 3proxy.service ;\
+ echo to stop proxy ;\
+elif [ -x /usr/sbin/service ]; then \
+ /usr/sbin/service 3proxy stop  || true;\
+ /usr/sbin/service 3proxy start  || true;\
+ echo "  "service 3proxy start ;\
+ echo to start proxy ;\
+ echo "  "service 3proxy stop ;\
+ echo to stop proxy ;\
+fi
+echo "  "/usr/local/3proxy/conf/add3proxyuser.sh
+echo to add users
+echo ""
+echo Default config uses Google\'s DNS.
+echo It\'s recommended to use provider supplied DNS or install local recursor, e.g. pdns-recursor.
+echo Configure preferred DNS in /usr/local/3proxy/conf/3proxy.cfg.
+echo run \'/usr/local/3proxy/conf/add3proxyuser.sh admin password\' to configure \'admin\' user

src/3proxy.c

@@ -1,6 +1,6 @@
 /*
    3APA3A simpliest proxy server
-   (c) 2002-2008 by ZARAZA <3APA3A@security.nnov.ru>
+   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
 
    please read License Agreement
 
@@ -12,6 +12,11 @@
 #ifndef NOPLUGINS
 #include <dlfcn.h>
 #endif
+#else
+#ifdef WITH_SSL
+#include <openssl/applink.c>
+#endif
+
 #endif
 
 #ifndef DEFAULTCONFIG
@@ -271,16 +276,8 @@ void cyclestep(void){
 	}
 	if(conf.logname) {
 		if(timechanged(conf.logtime, conf.time, conf.logtype)) {
-			FILE *fp;
-			fp = fopen((char *)dologname (tmpbuf, conf.logname, NULL, conf.logtype, conf.time), "a");
-			if (fp) {
-				pthread_mutex_lock(&log_mutex);
-				fclose(conf.stdlog);
-				conf.stdlog = fp;
-				pthread_mutex_unlock(&log_mutex);
-			}
-			fseek(stdout, 0L, SEEK_END);
-			usleep(SLEEPTIME);
+			if(conf.stdlog) conf.stdlog = freopen((char *)dologname (tmpbuf, conf.logname, NULL, conf.logtype, conf.time), "a", conf.stdlog);
+			else conf.stdlog = fopen((char *)dologname (tmpbuf, conf.logname, NULL, conf.logtype, conf.time), "a");
 			conf.logtime = conf.time;
 			if(conf.logtype != NONE && conf.rotate) {
 				int t;
@@ -508,6 +505,7 @@ int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int
 #else
 	fprintf(stderr,	"\n if conffile is missing, configuration is expected from stdin\n");
 #endif
+	fprintf(stderr, "available socket options:\n\t%s\n", printopts("\n\t"));
 	fprintf(stderr, "\n%s %s\n%s\n", conf.stringtable[2], conf.stringtable[3], copyright);
 
 	return 1;
@@ -515,10 +513,14 @@ int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int
 
   pthread_mutex_init(&config_mutex, NULL);
   pthread_mutex_init(&bandlim_mutex, NULL);
+  pthread_mutex_init(&connlim_mutex, NULL);
   pthread_mutex_init(&hash_mutex, NULL);
   pthread_mutex_init(&tc_mutex, NULL);
   pthread_mutex_init(&pwl_mutex, NULL);
   pthread_mutex_init(&log_mutex, NULL);
+#ifndef NORADIUS
+  pthread_mutex_init(&rad_mutex, NULL);
+#endif
 
   freeconf(&conf);
   res = readconfig(fp);

src/3proxy.rc

@@ -1,6 +1,8 @@
+#include "version.h"
+
 1 VERSIONINFO
-FILEVERSION 0,8,13,0
-PRODUCTVERSION 0,8,13,0
+FILEVERSION MAJOR3PROXY,SUBMAJOR3PROXY,MINOR3PROXY,SUBMINOR3PROXY
+PRODUCTVERSION MAJOR3PROXY,SUBMAJOR3PROXY,MINOR3PROXY,SUBMINOR3PROXY
 FILETYPE 1
 FILESUBTYPE 0x0L
 BEGIN
@@ -8,15 +10,15 @@ BEGIN
     BEGIN
         BLOCK "040904E4"
         BEGIN
-            VALUE "Comments", "3proxy - tiny proxy server, http://3proxy.ru/\0"
+            VALUE "Comments", "3proxy - tiny proxy server, https://3proxy.org/\0"
             VALUE "CompanyName", "Vladimir Dubrovin\0"
             VALUE "FileDescription", "3proxy - tiny proxy server\0"
-            VALUE "FileVersion", "0.8.13\0"
+            VALUE "FileVersion", RELEASE3PROXY
             VALUE "InternalName", "3proxy\0"
-            VALUE "LegalCopyright", "Copyright (C) 2002-2019 Vladimir Dubrovin\0"
+            VALUE "LegalCopyright", "Copyright (C) 2002-" YEAR3PROXY " Vladimir Dubrovin\0"
             VALUE "OriginalFilename", "3proxy.exe\0"
             VALUE "ProductName", "3proxy\0"
-            VALUE "ProductVersion", "0.8.13\0"
+            VALUE "ProductVersion", RELEASE3PROXY
         END
     END
     BLOCK "VarFileInfo"

src/Makefile.inc

@@ -2,7 +2,7 @@
 # 3 proxy common Makefile
 #
 
-all:	$(BUILDDIR)3proxy$(EXESUFFICS) $(BUILDDIR)mycrypt$(EXESUFFICS) $(BUILDDIR)dighosts$(EXESUFFICS) $(BUILDDIR)pop3p$(EXESUFFICS) $(BUILDDIR)smtpp$(EXESUFFICS) $(BUILDDIR)ftppr$(EXESUFFICS) $(BUILDDIR)tcppm$(EXESUFFICS) $(BUILDDIR)icqpr$(EXESUFFICS) $(BUILDDIR)udppm$(EXESUFFICS) $(BUILDDIR)socks$(EXESUFFICS) $(BUILDDIR)proxy$(EXESUFFICS) allplugins
+all:	$(BUILDDIR)3proxy$(EXESUFFICS) $(BUILDDIR)mycrypt$(EXESUFFICS) $(BUILDDIR)pop3p$(EXESUFFICS) $(BUILDDIR)smtpp$(EXESUFFICS) $(BUILDDIR)ftppr$(EXESUFFICS) $(BUILDDIR)tcppm$(EXESUFFICS) $(BUILDDIR)tlspr$(EXESUFFICS) $(BUILDDIR)udppm$(EXESUFFICS) $(BUILDDIR)socks$(EXESUFFICS) $(BUILDDIR)proxy$(EXESUFFICS) allplugins
 
 
 sockmap$(OBJSUFFICS): sockmap.c proxy.h structures.h
@@ -11,9 +11,6 @@ sockmap$(OBJSUFFICS): sockmap.c proxy.h structures.h
 common$(OBJSUFFICS): common.c proxy.h structures.h
 	$(CC) $(CFLAGS) common.c
 
-myalloc$(OBJSUFFICS): myalloc.c proxy.h structures.h
-	$(CC) $(CFLAGS) myalloc.c
-
 plugins$(OBJSUFFICS): plugins.c proxy.h structures.h
 	$(CC) $(CFLAGS) plugins.c
 
@@ -44,8 +41,9 @@ ftppr$(OBJSUFFICS): ftppr.c proxy.h structures.h proxymain.c
 tcppm$(OBJSUFFICS): tcppm.c proxy.h structures.h proxymain.c
 	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP tcppm.c
 
-icqpr$(OBJSUFFICS): icqpr.c proxy.h structures.h proxymain.c
-	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP icqpr.c
+tlspr$(OBJSUFFICS): tlspr.c proxy.h structures.h proxymain.c
+	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP tlspr.c
+
 
 socks$(OBJSUFFICS): socks.c proxy.h structures.h proxymain.c
 	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP socks.c
@@ -56,29 +54,29 @@ udppm$(OBJSUFFICS): udppm.c proxy.h structures.h proxymain.c
 3proxy$(OBJSUFFICS): 3proxy.c proxy.h structures.h
 	$(CC) $(CFLAGS) 3proxy.c
 
-$(BUILDDIR)proxy$(EXESUFFICS): sockmap$(OBJSUFFICS) proxy$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) myalloc$(OBJSUFFICS) common$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS)
-	$(LN) $(LNOUT)$(BUILDDIR)proxy$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) proxy$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) myalloc$(OBJSUFFICS) common$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+$(BUILDDIR)proxy$(EXESUFFICS): sockmap$(OBJSUFFICS) proxy$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)proxy$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) proxy$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
 
-$(BUILDDIR)pop3p$(EXESUFFICS): sockmap$(OBJSUFFICS) pop3p$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) myalloc$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS)
-	$(LN) $(LNOUT)$(BUILDDIR)pop3p$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) pop3p$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) myalloc$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+$(BUILDDIR)pop3p$(EXESUFFICS): sockmap$(OBJSUFFICS) pop3p$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) $(COMPATLIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)pop3p$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) pop3p$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
 
-$(BUILDDIR)smtpp$(EXESUFFICS): sockmap$(OBJSUFFICS) smtpp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) myalloc$(OBJSUFFICS) common$(OBJSUFFICS) base64$(OBJSUFFICS) $(COMPATLIBS)
-	$(LN) $(LNOUT)$(BUILDDIR)smtpp$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) smtpp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) base64$(OBJSUFFICS) myalloc$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+$(BUILDDIR)smtpp$(EXESUFFICS): sockmap$(OBJSUFFICS) smtpp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) base64$(OBJSUFFICS) $(COMPATLIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)smtpp$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) smtpp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) base64$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
 
-$(BUILDDIR)ftppr$(EXESUFFICS): sockmap$(OBJSUFFICS) ftppr$(OBJSUFFICS) ftp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) myalloc$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS)
-	$(LN) $(LNOUT)$(BUILDDIR)ftppr$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) ftppr$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) myalloc$(OBJSUFFICS) common$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+$(BUILDDIR)ftppr$(EXESUFFICS): sockmap$(OBJSUFFICS) ftppr$(OBJSUFFICS) ftp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) $(COMPATLIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)ftppr$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) ftppr$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
 
-$(BUILDDIR)socks$(EXESUFFICS): sockmap$(OBJSUFFICS) socks$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) myalloc$(OBJSUFFICS) common$(OBJSUFFICS)
-	$(LN) $(LNOUT)$(BUILDDIR)socks$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) socks$(OBJSUFFICS) sockgetchar$(OBJSUFFICS)  myalloc$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
+$(BUILDDIR)socks$(EXESUFFICS): sockmap$(OBJSUFFICS) socks$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
+	$(LN) $(LNOUT)$(BUILDDIR)socks$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) socks$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
 
-$(BUILDDIR)tcppm$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tcppm$(OBJSUFFICS) myalloc$(OBJSUFFICS) common$(OBJSUFFICS)
-	$(LN) $(LNOUT)$(BUILDDIR)tcppm$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tcppm$(OBJSUFFICS) myalloc$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
+$(BUILDDIR)tcppm$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tcppm$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
+	$(LN) $(LNOUT)$(BUILDDIR)tcppm$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tcppm$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
 
-$(BUILDDIR)icqpr$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) icqpr$(OBJSUFFICS) myalloc$(OBJSUFFICS) common$(OBJSUFFICS)
-	$(LN) $(LNOUT)$(BUILDDIR)icqpr$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) icqpr$(OBJSUFFICS) myalloc$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
+$(BUILDDIR)tlspr$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tlspr$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
+	$(LN) $(LNOUT)$(BUILDDIR)tlspr$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tlspr$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
 
-$(BUILDDIR)udppm$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) myalloc$(OBJSUFFICS) common$(OBJSUFFICS)
-	$(LN) $(LNOUT)$(BUILDDIR)udppm$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) myalloc$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
+$(BUILDDIR)udppm$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
+	$(LN) $(LNOUT)$(BUILDDIR)udppm$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
 
 mainfunc$(OBJSUFFICS): proxy.h structures.h proxymain.c
 	$(CC) $(COUT)mainfunc$(OBJSUFFICS) $(CFLAGS) $(DEFINEOPTION)MODULEMAINFUNC=mainfunc proxymain.c
@@ -100,8 +98,11 @@ srvftppr$(OBJSUFFICS): ftppr.c proxy.h structures.h
 srvtcppm$(OBJSUFFICS): tcppm.c proxy.h structures.h
 	$(CC) $(COUT)srvtcppm$(OBJSUFFICS) $(CFLAGS) tcppm.c
 
-srvicqpr$(OBJSUFFICS): icqpr.c proxy.h structures.h
-	$(CC) $(COUT)srvicqpr$(OBJSUFFICS) $(CFLAGS) icqpr.c
+srvtlspr$(OBJSUFFICS): tlspr.c proxy.h structures.h
+	$(CC) $(COUT)srvtlspr$(OBJSUFFICS) $(CFLAGS) tlspr.c
+
+srvauto$(OBJSUFFICS): auto.c proxy.h structures.h
+	$(CC) $(COUT)srvauto$(OBJSUFFICS) $(CFLAGS) auto.c
 
 srvsocks$(OBJSUFFICS): socks.c proxy.h structures.h
 	$(CC) $(COUT)srvsocks$(OBJSUFFICS) $(CFLAGS) socks.c
@@ -118,21 +119,21 @@ srvdnspr$(OBJSUFFICS): dnspr.c proxy.h structures.h
 auth$(OBJSUFFICS): auth.c proxy.h structures.h
 	$(CC) $(COUT)auth$(OBJSUFFICS) $(CFLAGS) auth.c
 
+authradius$(OBJSUFFICS): authradius.c proxy.h structures.h
+	$(CC) $(COUT)authradius$(OBJSUFFICS) $(CFLAGS) authradius.c
+
 conf$(OBJSUFFICS): conf.c proxy.h structures.h
 	$(CC) $(COUT)conf$(OBJSUFFICS) $(CFLAGS) conf.c
 
+log$(OBJSUFFICS): log.c proxy.h structures.h
+	$(CC) $(COUT)log$(OBJSUFFICS) $(CFLAGS) log.c
+
 datatypes$(OBJSUFFICS): datatypes.c proxy.h structures.h
 	$(CC) $(COUT)datatypes$(OBJSUFFICS) $(CFLAGS) datatypes.c
 
 mycrypt$(OBJSUFFICS): mycrypt.c
 	$(CC) $(COUT)mycrypt$(OBJSUFFICS) $(CFLAGS) mycrypt.c
 
-dighosts$(OBJSUFFICS): dighosts.c
-	$(CC) $(COUT)dighosts$(OBJSUFFICS) $(CFLAGS) dighosts.c
-
-$(BUILDDIR)dighosts$(EXESUFFICS): dighosts$(OBJSUFFICS) myalloc$(OBJSUFFICS) common$(OBJSUFFICS)  $(COMPATLIBS)
-	$(LN) $(LNOUT)$(BUILDDIR)dighosts$(EXESUFFICS) $(LDFLAGS) dighosts$(OBJSUFFICS) myalloc$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
-
 mycryptmain$(OBJSUFFICS): mycrypt.c
 	$(CC) $(COUT)mycryptmain$(OBJSUFFICS) $(CFLAGS) $(DEFINEOPTION)WITHMAIN mycrypt.c
 
@@ -143,20 +144,12 @@ $(BUILDDIR)mycrypt$(EXESUFFICS): md4$(OBJSUFFICS) md5$(OBJSUFFICS) mycryptmain$(
 md4$(OBJSUFFICS):  libs/md4.h libs/md4.c
 	$(CC) $(COUT)md4$(OBJSUFFICS) $(CFLAGS) libs/md4.c
 
-smbdes$(OBJSUFFICS):  libs/smbdes.c
-	$(CC) $(COUT)smbdes$(OBJSUFFICS) $(CFLAGS) libs/smbdes.c
-
 md5$(OBJSUFFICS):  libs/md5.h libs/md5.c
 	$(CC) $(COUT)md5$(OBJSUFFICS) $(CFLAGS) libs/md5.c
 
-ntlm$(OBJSUFFICS):  ntlm.c
-	$(CC) $(COUT)ntlm$(OBJSUFFICS) $(CFLAGS) ntlm.c
-
 stringtable$(OBJSUFFICS):  stringtable.c
 	$(CC) $(COUT)stringtable$(OBJSUFFICS) $(CFLAGS) stringtable.c
 
-$(BUILDDIR)3proxy$(EXESUFFICS): 3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvicqpr$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) myalloc$(OBJSUFFICS) common$(OBJSUFFICS) auth$(OBJSUFFICS) conf$(OBJSUFFICS) datatypes$(OBJSUFFICS) md4$(OBJSUFFICS) md5$(OBJSUFFICS) mycrypt$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) smbdes$(OBJSUFFICS) ntlm$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS)
-	$(LN) $(LNOUT)$(BUILDDIR)3proxy$(EXESUFFICS) $(LDFLAGS) $(VERFILE)  3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) auth$(OBJSUFFICS) conf$(OBJSUFFICS) datatypes$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvicqpr$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) myalloc$(OBJSUFFICS) common$(OBJSUFFICS) mycrypt$(OBJSUFFICS) md5$(OBJSUFFICS) md4$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) smbdes$(OBJSUFFICS) ntlm$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+$(BUILDDIR)3proxy$(EXESUFFICS): 3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) auth$(OBJSUFFICS) authradius$(OBJSUFFICS) conf$(OBJSUFFICS) log$(OBJSUFFICS) datatypes$(OBJSUFFICS) md4$(OBJSUFFICS) md5$(OBJSUFFICS) mycrypt$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(VERSIONDEP)
+	$(LN) $(LNOUT)$(BUILDDIR)3proxy$(EXESUFFICS) $(LDFLAGS) $(VERFILE)  3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) auth$(OBJSUFFICS) authradius$(OBJSUFFICS) conf$(OBJSUFFICS) datatypes$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) mycrypt$(OBJSUFFICS) md5$(OBJSUFFICS) md4$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
 
-clean:
-	@$(REMOVECOMMAND) *$(OBJSUFFICS) $(COMPFILES)

src/auth.c

@@ -1,6 +1,6 @@
 /*
    3APA3A simpliest proxy server
-   (c) 2002-2008 by ZARAZA <3APA3A@security.nnov.ru>
+   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
 
    please read License Agreement
 
@@ -9,7 +9,7 @@
 #include "proxy.h"
 
 
-int clientnegotiate(struct chain * redir, struct clientparam * param, struct sockaddr * addr){
+int clientnegotiate(struct chain * redir, struct clientparam * param, struct sockaddr * addr, unsigned char * hostname){
 	unsigned char *buf;
 	unsigned char *username;
 	int res;
@@ -22,6 +22,7 @@ int clientnegotiate(struct chain * redir, struct clientparam * param, struct soc
 	if (!param->srvbufsize){
 		param->srvbufsize = SRVBUFSIZE;
 		param->srvbuf = myalloc(param->srvbufsize);
+		if(!param->srvbuf) return 21;
 	}
 	buf = param->srvbuf;
 	username = buf + 2048;
@@ -40,11 +41,11 @@ int clientnegotiate(struct chain * redir, struct clientparam * param, struct soc
 		case R_CONNECTP:
 		{
 			len = sprintf((char *)buf, "CONNECT ");
-			if(redir->type == R_CONNECTP && param->hostname) {
+			if(redir->type == R_CONNECTP && hostname) {
 				char * needreplace;
-				needreplace = strchr((char *)param->hostname, ':');
+				needreplace = strchr((char *)hostname, ':');
 				if(needreplace) buf[len++] = '[';
-				len += sprintf((char *)buf + len, "%.256s", (char *)param->hostname);
+				len += sprintf((char *)buf + len, "%.256s", (char *)hostname);
 				if(needreplace) buf[len++] = ']';
 			}
 			else {
@@ -53,16 +54,16 @@ int clientnegotiate(struct chain * redir, struct clientparam * param, struct soc
 				if(*SAFAMILY(addr) == AF_INET6) buf[len++] = ']';
 			}
 			len += sprintf((char *)buf + len,
-				":%hu HTTP/1.0\r\nProxy-Connection: keep-alive\r\n", ntohs(*SAPORT(addr)));
+				":%hu HTTP/1.0\r\nConnection: keep-alive\r\n", ntohs(*SAPORT(addr)));
 			if(user){
-				len += sprintf((char *)buf + len, "Proxy-authorization: basic ");
+				len += sprintf((char *)buf + len, "Proxy-Authorization: Basic ");
 				sprintf((char *)username, "%.128s:%.128s", user, pass?pass:(unsigned char *)"");
 				en64(username, buf+len, (int)strlen((char *)username));
 				len = (int)strlen((char *)buf);
 				len += sprintf((char *)buf + len, "\r\n");
 			}
 			len += sprintf((char *)buf + len, "\r\n");
-			if(socksend(param->remsock, buf, len, conf.timeouts[CHAIN_TO]) != (int)strlen((char *)buf))
+			if(socksend(param, param->remsock, buf, len, conf.timeouts[CHAIN_TO]) != (int)strlen((char *)buf))
 				return 31;
 			param->statssrv64+=len;
 			param->nwrites++;
@@ -82,7 +83,7 @@ int clientnegotiate(struct chain * redir, struct clientparam * param, struct soc
 			buf[0] = 4;
 			buf[1] = 1;
 			memcpy(buf+2, SAPORT(addr), 2);
-			if(redir->type == R_SOCKS4P && param->hostname) {
+			if(redir->type == R_SOCKS4P && hostname) {
 				buf[4] = buf[5] = buf[6] = 0;
 				buf[7] = 3;
 			}
@@ -91,15 +92,15 @@ int clientnegotiate(struct chain * redir, struct clientparam * param, struct soc
 			len = (int)strlen((char *)user) + 1;
 			memcpy(buf+8, user, len);
 			len += 8;
-			if(redir->type == R_SOCKS4P && param->hostname) {
+			if(redir->type == R_SOCKS4P && hostname) {
 				int hostnamelen;
 
-				hostnamelen = (int)strlen((char *)param->hostname) + 1;
+				hostnamelen = (int)strlen((char *)hostname) + 1;
 				if(hostnamelen > 255) hostnamelen = 255;
-				memcpy(buf+len, param->hostname, hostnamelen);
+				memcpy(buf+len, hostname, hostnamelen);
 				len += hostnamelen;
 			}
-			if(socksend(param->remsock, buf, len, conf.timeouts[CHAIN_TO]) < len){
+			if(socksend(param, param->remsock, buf, len, conf.timeouts[CHAIN_TO]) < len){
 				return 41;
 			}
 			param->statssrv64+=len;
@@ -122,7 +123,7 @@ int clientnegotiate(struct chain * redir, struct clientparam * param, struct soc
 			buf[0] = 5;
 			buf[1] = 1;
 			buf[2] = user? 2 : 0;
-			if(socksend(param->remsock, buf, 3, conf.timeouts[CHAIN_TO]) != 3){
+			if(socksend(param, param->remsock, buf, 3, conf.timeouts[CHAIN_TO]) != 3){
 				return 51;
 			}
 			param->statssrv64+=len;
@@ -144,7 +145,7 @@ int clientnegotiate(struct chain * redir, struct clientparam * param, struct soc
 				buf[inbuf] = pass?(unsigned char)strlen((char *)pass):0;
 				if(pass)memcpy(buf+inbuf+1, pass, buf[inbuf]);
 				inbuf += buf[inbuf] + 1;
-				if(socksend(param->remsock, buf, inbuf, conf.timeouts[CHAIN_TO]) != inbuf){
+				if(socksend(param, param->remsock, buf, inbuf, conf.timeouts[CHAIN_TO]) != inbuf){
 					return 51;
 				}
 				param->statssrv64+=inbuf;
@@ -159,12 +160,12 @@ int clientnegotiate(struct chain * redir, struct clientparam * param, struct soc
 			buf[0] = 5;
 			buf[1] = 1;
 			buf[2] = 0;
-			if(redir->type == R_SOCKS5P && param->hostname) {
+			if(redir->type == R_SOCKS5P && hostname) {
 				buf[3] = 3;
-				len = (int)strlen((char *)param->hostname);
+				len = (int)strlen((char *)hostname);
 				if(len > 255) len = 255;
 				buf[4] = len;
-				memcpy(buf + 5, param->hostname, len);
+				memcpy(buf + 5, hostname, len);
 				len += 5;
 			}
 			else {
@@ -175,7 +176,7 @@ int clientnegotiate(struct chain * redir, struct clientparam * param, struct soc
 			}
 			memcpy(buf+len, SAPORT(addr), 2);
 			len += 2;
-			if(socksend(param->remsock, buf, len, conf.timeouts[CHAIN_TO]) != len){
+			if(socksend(param, param->remsock, buf, len, conf.timeouts[CHAIN_TO]) != len){
 				return 51;
 			}
 			param->statssrv64+=len;
@@ -195,9 +196,10 @@ int clientnegotiate(struct chain * redir, struct clientparam * param, struct soc
 				    break;
 			    return 59;
 			case 3:
-			    if (sockgetlinebuf(param, SERVER, buf, 256, 0, conf.timeouts[CHAIN_TO]) > 1)
-				    break;
-			    return 59;
+			    if (sockgetlinebuf(param, SERVER, buf, 1, EOF, conf.timeouts[CHAIN_TO]) != 1) return 59;
+			    len = (unsigned char)buf[0];
+			    if (sockgetlinebuf(param, SERVER, buf, len, EOF, conf.timeouts[CHAIN_TO]) != len) return 59;
+			    break;
 			case 4:
 			    if (sockgetlinebuf(param, SERVER, buf, 18, EOF, conf.timeouts[CHAIN_TO]) == 18)
 				    break;
@@ -220,6 +222,7 @@ int handleredirect(struct clientparam * param, struct ace * acentry){
 	int weight = 1000;
 	int res;
 	int done = 0;
+	int ha = 0;
 	struct chain * cur;
 	struct chain * redir = NULL;
 	int r2;
@@ -252,10 +255,31 @@ int handleredirect(struct clientparam * param, struct ace * acentry){
 		if(!connected){
 			if(cur->type == R_EXTIP){
 				param->sinsl = cur->addr;
+				if(SAISNULL(&param->sinsl))param->sinsl = param->sincr;
+#ifndef NOIPV6
+				else if(cur->cidr && *SAFAMILY(&param->sinsl) == AF_INET6){
+					uint16_t c;
+					int i;
+
+					for(i = 0; i < 8; i++){
+						if(i==4)myrand(&param->sincr, sizeof(param->sincr));
+						else if(i==6) myrand(&param->req, sizeof(param->req));
+
+						if(i*16 >= cur->cidr) ((uint16_t *)SAADDR(&param->sinsl))[i] |= rand();
+						else if ((i+1)*16 >  cur->cidr){
+							c = rand();
+							c >>= (cur->cidr - (i*16));
+							c |= ntohs(((uint16_t *)SAADDR(&param->sinsl))[i]);
+							((uint16_t *)SAADDR(&param->sinsl))[i] = htons(c);
+						}
+					}
+				}
+#endif
 				if(cur->next)continue;
 				return 0;
 			}
 			else if(SAISNULL(&cur->addr) && !*SAPORT(&cur->addr)){
+				int i;
 				if(cur->extuser){
 					if(param->extusername)
 						myfree(param->extusername);
@@ -267,27 +291,18 @@ int handleredirect(struct clientparam * param, struct ace * acentry){
 					}
 					if(*cur->extuser == '*' && !param->username) return 4;
 				}
-				switch(cur->type){
-					case R_POP3:
-						param->redirectfunc = pop3pchild;
-						break;
-					case R_FTP:
-						param->redirectfunc = ftpprchild;
-						break;
-					case R_ADMIN:
-						param->redirectfunc = adminchild;
-						break;
-					case R_ICQ:
-						param->redirectfunc = icqprchild;
-						break;
-					case R_SMTP:
-						param->redirectfunc = smtppchild;
-						break;
-					default:
-						param->redirectfunc = proxychild;
+				
+				for(i=0; redirs[i].name; i++){
+				    if(cur->type == redirs[i].redir) {
+					param->redirectfunc = redirs[i].func;
+					break;
+				    }
+				}
+				if(cur->type == R_HA){
+				    ha = 1;
 				}
 				if(cur->next)continue;
-				return 0;
+				if(!ha) return 0;
 			}
 			else if(!*SAPORT(&cur->addr) && !SAISNULL(&cur->addr)) {
 				unsigned short port = *SAPORT(&param->sinsr);
@@ -300,11 +315,26 @@ int handleredirect(struct clientparam * param, struct ace * acentry){
 			}
 
 			if((res = alwaysauth(param))){
-				return (res == 10)? res : 60+res;
+				return (res >= 10)? res : 60+res;
+			}
+			if(ha) {
+			    char buf[128];
+			    int len; 
+			    len = sprintf(buf, "PROXY %s ",
+				*SAFAMILY(&param->sincr) == AF_INET6 ? "TCP6" : "TCP4");
+			    len += myinet_ntop(*SAFAMILY(&param->sincr), SAADDR(&param->sincr), buf+len, sizeof(param->sincr));
+			    buf[len++] = ' ';
+			    len += myinet_ntop(*SAFAMILY(&param->sincl), SAADDR(&param->sincl), buf+len, sizeof(param->sincl));
+			    len += sprintf(buf + len, " %hu %hu\r\n",
+				ntohs(*SAPORT(&param->sincr)),
+				ntohs(*SAPORT(&param->sincl))
+			    );
+			    if(socksend(param, param->remsock, (unsigned char *)buf, len, conf.timeouts[CHAIN_TO])!=len) return 39;
+			    return 0;
 			}
 		}
 		else {
-			res = (redir)?clientnegotiate(redir, param, (struct sockaddr *)&cur->addr):0;
+			res = (redir)?clientnegotiate(redir, param, (struct sockaddr *)&cur->addr, cur->exthost):0;
 			if(res) return res;
 		}
 		redir = cur;
@@ -327,7 +357,7 @@ int handleredirect(struct clientparam * param, struct ace * acentry){
 	}
 
 	if(!connected || !redir) return 0;
-	return clientnegotiate(redir, param, (struct sockaddr *)&param->req);
+	return clientnegotiate(redir, param, (struct sockaddr *)&param->req, param->hostname);
 }
 
 int IPInentry(struct sockaddr *sa, struct iplist *ipentry){
@@ -367,7 +397,7 @@ int ACLmatches(struct ace* acentry, struct clientparam * param){
 		}
 	 if(!ipentry) return 0;
 	}
-	if((acentry->dst && !SAISNULL(&param->req)) || (acentry->dstnames && param->hostname)) {
+	if((acentry->dst && (!SAISNULL(&param->req) || param->operation == UDPASSOC || param->operation==BIND)) || (acentry->dstnames && param->hostname)) {
 	 for(ipentry = acentry->dst; ipentry; ipentry = ipentry->next)
 		if(IPInentry((struct sockaddr *)&param->req, ipentry)) {
 			break;
@@ -379,21 +409,34 @@ int ACLmatches(struct ace* acentry, struct clientparam * param){
 			}
 			while(i > 5 && param->hostname[i-1] == '.') param->hostname[i-1] = 0;
 			for(hstentry = acentry->dstnames; hstentry; hstentry = hstentry->next){
+				int lname, lhost;
 				switch(hstentry->matchtype){
 					case 0:
+#ifndef _WIN32
+					if(strcasestr((char *)param->hostname, (char *)hstentry->name)) match = 1;
+#else
 					if(strstr((char *)param->hostname, (char *)hstentry->name)) match = 1;
+#endif
 					break;
 
 					case 1:
-					if(strstr((char *)param->hostname, (char *)hstentry->name) == (char *)param->hostname) match = 1;
+					if(!strncasecmp((char *)param->hostname, (char *)hstentry->name, strlen((char *)hstentry->name)))
+						match = 1;
 					break;
 
 					case 2:
-					if(strstr((char *)param->hostname, (char *)hstentry->name) == (char *)(param->hostname + i - (strlen((char *)hstentry->name)))) match = 1;
+					lname = strlen((char *)hstentry->name);
+					lhost = strlen((char *)param->hostname);
+					if(lhost > lname){
+						if(!strncasecmp((char *)param->hostname + (lhost - lname),
+							(char *)hstentry->name,
+							lname))
+								match = 1;
+					}
 					break;
 
 					default:
-					if(!strcmp((char *)param->hostname, (char *)hstentry->name)) match = 1;
+					if(!strcasecmp((char *)param->hostname, (char *)hstentry->name)) match = 1;
 					break;
         			}
 				if(match) break;
@@ -402,7 +445,7 @@ int ACLmatches(struct ace* acentry, struct clientparam * param){
 	 }
 	 if(!ipentry && !hstentry) return 0;
 	}
-	if(acentry->ports && *SAPORT(&param->req)) {
+	if(acentry->ports && (*SAPORT(&param->req) || param->operation == UDPASSOC || param->operation == BIND)) {
 	 for (portentry = acentry->ports; portentry; portentry = portentry->next)
 		if(ntohs(*SAPORT(&param->req)) >= portentry->startport &&
 			   ntohs(*SAPORT(&param->req)) <= portentry->endport) {
@@ -437,9 +480,69 @@ int ACLmatches(struct ace* acentry, struct clientparam * param){
 	return 1;
 }
 
+
+int startconnlims (struct clientparam *param){
+	struct connlim * ce;
+	time_t delta;
+	uint64_t rating;
+	int ret = 0;
+
+	param->connlim = 1;
+	pthread_mutex_lock(&connlim_mutex);
+	for(ce = conf.connlimiter; ce; ce = ce->next) {
+		if(ACLmatches(ce->ace, param)){
+			if(ce->ace->action == NOCONNLIM)break;
+			if(!ce->period){
+				if(ce->rate <= ce->rating) {
+					ret = 1;
+					break;
+				}
+				ce->rating++;
+				continue;
+			}
+			delta = conf.time - ce->basetime;
+			if(ce->period <= delta || ce->basetime > conf.time){
+				ce->basetime = conf.time;
+				ce->rating = 0x100000;
+				continue;
+			}
+			rating = delta? ((ce->rating * (ce->period - delta)) / ce->period) + 0x100000 : ce->rating + 0x100000;
+			if (rating > (ce->rate<<20)) {
+				ret = 2;
+				break;
+			}
+			ce->rating = rating;
+			ce->basetime = conf.time;
+		}
+	}
+	pthread_mutex_unlock(&connlim_mutex);
+	return ret;
+}
+
+void stopconnlims (struct clientparam *param){
+	struct connlim * ce;
+
+	pthread_mutex_lock(&connlim_mutex);
+	for(ce = conf.connlimiter; ce; ce = ce->next) {
+		if(ACLmatches(ce->ace, param)){
+			if(ce->ace->action == NOCONNLIM)break;
+			if(!ce->period && ce->rating){
+				ce->rating--;
+				continue;
+			}
+		}
+	}
+	pthread_mutex_unlock(&connlim_mutex);
+}
+
 static void initbandlims (struct clientparam *param){
 	struct bandlim * be;
 	int i;
+
+	param->bandlimfunc = NULL;
+	param->bandlims[0] = NULL;
+	param->bandlimsout[0] = NULL;
+	if(!conf.bandlimfunc || (!conf.bandlimiter && !conf.bandlimiterout)) return;
 	for(i=0, be = conf.bandlimiter; be && i<MAXBANDLIMS; be = be->next) {
 		if(ACLmatches(be->ace, param)){
 			if(be->ace->action == NOBANDLIM) {
@@ -460,11 +563,12 @@ static void initbandlims (struct clientparam *param){
 		}
 	}
 	if(i<MAXBANDLIMS)param->bandlimsout[i] = NULL;
+	param->bandlimver = conf.bandlimver;
 }
 
 unsigned bandlimitfunc(struct clientparam *param, unsigned nbytesin, unsigned nbytesout){
 	unsigned sleeptime = 0, nsleeptime;
-	unsigned long sec;
+	time_t sec;
 	unsigned msec;
 	unsigned now;
 	int i;
@@ -485,14 +589,9 @@ unsigned bandlimitfunc(struct clientparam *param, unsigned nbytesin, unsigned nb
 	
 	if(!nbytesin && !nbytesout) return 0;
 	pthread_mutex_lock(&bandlim_mutex);
-	if(param->paused != conf.paused && param->bandlimver != conf.paused){
-		if(!conf.bandlimfunc){
-			param->bandlimfunc = NULL;
-			pthread_mutex_unlock(&bandlim_mutex);
-			return 0;
-		}
+	if(param->bandlimver != conf.bandlimver){
 		initbandlims(param);
-		param->bandlimver = conf.paused;
+		param->bandlimver = conf.bandlimver;
 	}
 	for(i=0; nbytesin&& i<MAXBANDLIMS && param->bandlims[i]; i++){
 		if( !param->bandlims[i]->basetime || 
@@ -504,12 +603,12 @@ unsigned bandlimitfunc(struct clientparam *param, unsigned nbytesin, unsigned nb
 			param->bandlims[i]->nexttime = 0;
 			continue;
 		}
-		now = ((sec - param->bandlims[i]->basetime) * 1000000) + msec;
+		now = (unsigned)((sec - param->bandlims[i]->basetime) * 1000000) + msec;
 		nsleeptime = (param->bandlims[i]->nexttime > now)?
 			param->bandlims[i]->nexttime - now : 0;
 		sleeptime = (nsleeptime > sleeptime)? nsleeptime : sleeptime;
 		param->bandlims[i]->basetime = sec;
-		param->bandlims[i]->nexttime = msec + nsleeptime + ((param->bandlims[i]->rate > 1000000)? ((nbytesin/32)*(256000000/param->bandlims[i]->rate)) : (nbytesin * (8000000/param->bandlims[i]->rate)));
+		param->bandlims[i]->nexttime = msec + nsleeptime + ((nbytesin > 512)? ((nbytesin+32)/64)*(((64*8*1000000)/param->bandlims[i]->rate)) : ((nbytesin+1) * (8*1000000))/param->bandlims[i]->rate);
 	}
 	for(i=0; nbytesout && i<MAXBANDLIMS && param->bandlimsout[i]; i++){
 		if( !param->bandlimsout[i]->basetime || 
@@ -521,12 +620,12 @@ unsigned bandlimitfunc(struct clientparam *param, unsigned nbytesin, unsigned nb
 			param->bandlimsout[i]->nexttime = 0;
 			continue;
 		}
-		now = ((sec - param->bandlimsout[i]->basetime) * 1000000) + msec;
+		now = (unsigned)((sec - param->bandlimsout[i]->basetime) * 1000000) + msec;
 		nsleeptime = (param->bandlimsout[i]->nexttime > now)?
 			param->bandlimsout[i]->nexttime - now : 0;
 		sleeptime = (nsleeptime > sleeptime)? nsleeptime : sleeptime;
 		param->bandlimsout[i]->basetime = sec;
-		param->bandlimsout[i]->nexttime = msec + nsleeptime + ((param->bandlimsout[i]->rate > 1000000)? ((nbytesout/32)*(256000000/param->bandlimsout[i]->rate)) : (nbytesout * (8000000/param->bandlimsout[i]->rate)));
+		param->bandlimsout[i]->nexttime = msec + nsleeptime + ((nbytesout > 512)? ((nbytesout+32)/64)*((64*8*1000000)/param->bandlimsout[i]->rate) : ((nbytesout+1)* (8*1000000))/param->bandlimsout[i]->rate);
 	}
 	pthread_mutex_unlock(&bandlim_mutex);
 	return sleeptime/1000;
@@ -539,27 +638,28 @@ void trafcountfunc(struct clientparam *param){
 	pthread_mutex_lock(&tc_mutex);
 	for(tc = conf.trafcounter; tc; tc = tc->next) {
 		if(ACLmatches(tc->ace, param)){
-			time_t t;
-			if(tc->ace->action == NOCOUNTIN) break;
-			if(tc->ace->action != COUNTIN) {
+
+			if(tc->ace->action == NOCOUNTIN) {
+				countout = 1;
+				break;
+			}
+			if(tc->ace->action == NOCOUNTALL) break;
+			if(tc->ace->action != COUNTIN && tc->ace->action != COUNTALL) {
 				countout = 1;
 				continue;
 			}
 			tc->traf64 += param->statssrv64;
-			time(&t);
-			tc->updated = t;
+			tc->updated = conf.time;
 		}
 	}
 	if(countout) for(tc = conf.trafcounter; tc; tc = tc->next) {
 		if(ACLmatches(tc->ace, param)){
-			time_t t;
-			if(tc->ace->action == NOCOUNTOUT) break;
-			if(tc->ace->action != COUNTOUT) {
+			if(tc->ace->action == NOCOUNTOUT || tc->ace->action == NOCOUNTALL) break;
+			if(tc->ace->action != COUNTOUT && tc->ace->action != COUNTALL ) {
 				continue;
 			}
 			tc->traf64 += param->statscli64;
-			time(&t);
-			tc->updated = t;
+			tc->updated = conf.time;
 		}
 	}
 
@@ -571,37 +671,55 @@ int alwaysauth(struct clientparam * param){
 	struct trafcount * tc;
 	int countout = 0;
 
+
+	if(conf.connlimiter && !param->connlim  && startconnlims(param)) return 10;
 	res = doconnect(param);
 	if(!res){
-		initbandlims(param);
-		for(tc = conf.trafcounter; tc; tc = tc->next) {
-			if(tc->disabled) continue;
-			if(ACLmatches(tc->ace, param)){
-				if(tc->ace->action == NOCOUNTIN) break;
-				if(tc->ace->action != COUNTIN) {
-					countout = 1;
-					continue;
-				}
-			
-				if(tc->traflim64 <= tc->traf64) return 10;
-				param->trafcountfunc = conf.trafcountfunc;
-				param->maxtrafin64 = tc->traflim64 - tc->traf64; 
-			}
-		}
-		if(countout)for(tc = conf.trafcounter; tc; tc = tc->next) {
-			if(tc->disabled) continue;
-			if(ACLmatches(tc->ace, param)){
-				if(tc->ace->action == NOCOUNTOUT) break;
-				if(tc->ace->action != COUNTOUT) {
-					continue;
-				}
-			
-				if(tc->traflim64 <= tc->traf64) return 10;
-				param->trafcountfunc = conf.trafcountfunc;
-				param->maxtrafout64 = tc->traflim64 - tc->traf64; 
-			}
+		if(conf.bandlimfunc && (conf.bandlimiter||conf.bandlimiterout)){
+			pthread_mutex_lock(&bandlim_mutex);
+			initbandlims(param);
+			pthread_mutex_unlock(&bandlim_mutex);
 		}
 
+		if(conf.trafcountfunc && conf.trafcounter) {
+			pthread_mutex_lock(&tc_mutex);
+			for(tc = conf.trafcounter; tc; tc = tc->next) {
+				if(tc->disabled) continue;
+				if(ACLmatches(tc->ace, param)){
+					if(tc->ace->action == NOCOUNTIN) {
+						countout = 1;
+						break;
+					}
+					if(tc->ace->action == NOCOUNTALL) break;
+					if(tc->ace->action != COUNTIN) {
+						countout = 1;
+						if(tc->ace->action != COUNTALL) continue;
+					}
+					if(tc->traflim64 <= tc->traf64) {
+					    pthread_mutex_unlock(&tc_mutex);
+					    return 10;
+					}
+					param->trafcountfunc = conf.trafcountfunc;
+					param->maxtrafin64 = tc->traflim64 - tc->traf64; 
+				}
+			}
+			if(countout)for(tc = conf.trafcounter; tc; tc = tc->next) {
+				if(tc->disabled) continue;
+				if(ACLmatches(tc->ace, param)){
+					if(tc->ace->action == NOCOUNTOUT || tc->ace->action == NOCOUNTALL) break;
+					if(tc->ace->action != COUNTOUT && tc->ace->action !=  COUNTALL) {
+						continue;
+					}
+					if(tc->traflim64 <= tc->traf64) {
+					    pthread_mutex_unlock(&tc_mutex);
+					    return 10;
+					}
+					param->trafcountfunc = conf.trafcountfunc;
+					param->maxtrafout64 = tc->traflim64 - tc->traf64; 
+				}
+			}
+			pthread_mutex_unlock(&tc_mutex);
+		}
 	}
 	return res;
 }
@@ -610,7 +728,7 @@ int checkACL(struct clientparam * param){
 	struct ace* acentry;
 
 	if(!param->srv->acl) {
-		return alwaysauth(param);
+		return 0;
 	}
 	for(acentry = param->srv->acl; acentry; acentry = acentry->next) {
 		if(ACLmatches(acentry, param)) {
@@ -618,6 +736,7 @@ int checkACL(struct clientparam * param){
 			param->weight = acentry->weight;
 			if(acentry->action == 2) {
 				struct ace dup;
+				int res=60,i=0;
 
 				if(param->operation < 256 && !(param->operation & CONNECT)){
 					continue;
@@ -625,8 +744,17 @@ int checkACL(struct clientparam * param){
 				if(param->redirected && acentry->chains && SAISNULL(&acentry->chains->addr) && !*SAPORT(&acentry->chains->addr)) {
 					continue;
 				}
-				dup = *acentry;
-				return handleredirect(param, &dup);
+				if(param->remsock != INVALID_SOCKET) {
+					return 0;
+				}
+				for(; i < conf.parentretries; i++){
+					dup = *acentry;
+					res = handleredirect(param, &dup);
+					if(!res) break;
+					if(param->remsock != INVALID_SOCKET) param->srv->so._closesocket(param->sostate, param->remsock);
+					param->remsock = INVALID_SOCKET;
+				}
+				return res;
 			}
 			return acentry->action;
 		}
@@ -639,14 +767,14 @@ struct authcache {
 	char * password;
 	time_t expires;
 #ifndef NOIPV6
-	struct sockaddr_in6 sa;
+	struct sockaddr_in6 sa, sinsl;
 #else
-	struct sockaddr_in sa;
+	struct sockaddr_in sa, sinsl;
 #endif
+	struct ace *acl;
 	struct authcache *next;
 } *authc = NULL;
 
-
 int cacheauth(struct clientparam * param){
 	struct authcache *ac, *last=NULL;
 
@@ -668,15 +796,30 @@ int cacheauth(struct clientparam * param){
 			continue;
 			
 		}
-		if(((!(conf.authcachetype&2)) || (param->username && ac->username && !strcmp(ac->username, (char *)param->username))) &&
-		   ((!(conf.authcachetype&1)) || (*SAFAMILY(&ac->sa) ==  *SAFAMILY(&param->sincr) && !memcmp(SAADDR(&ac->sa), SAADDR(&param->sincr), SAADDRLEN(&ac->sa)))) && 
-		   (!(conf.authcachetype&4) || (ac->password && param->password && !strcmp(ac->password, (char *)param->password)))) {
-			if(param->username){
-				myfree(param->username);
+		if(
+		 (!(conf.authcachetype&2) || (param->username && ac->username && !strcmp(ac->username, (char *)param->username))) &&
+		 (!(conf.authcachetype&4) || (ac->password && param->password && !strcmp(ac->password, (char *)param->password))) &&
+		 (!(conf.authcachetype&16) || (ac->acl == param->srv->acl))
+		) {
+
+			if(!(conf.authcachetype&1)
+				|| ((*SAFAMILY(&ac->sa) ==  *SAFAMILY(&param->sincr) 
+				   && !memcmp(SAADDR(&ac->sa), SAADDR(&param->sincr), SAADDRLEN(&ac->sa))))){
+
+				if(conf.authcachetype&32) {
+					param->sinsl = ac->sinsl;
+				}
+				if(param->username){
+					myfree(param->username);
+				}
+				param->username = (unsigned char *)mystrdup(ac->username);
+				pthread_mutex_unlock(&hash_mutex);
+				return 0;
+			}
+			else if ((conf.authcachetype&1) && (conf.authcachetype&8)) {
+				pthread_mutex_unlock(&hash_mutex);
+				return 10;
 			}
-			param->username = (unsigned char *)mystrdup(ac->username);
-			pthread_mutex_unlock(&hash_mutex);
-			return 0;
 		}
 		last = ac;
 		ac = ac->next;
@@ -702,9 +845,12 @@ int doauth(struct clientparam * param){
 			if(conf.authcachetype && authfuncs->authenticate && authfuncs->authenticate != cacheauth && param->username && (!(conf.authcachetype&4) || (!param->pwtype && param->password))){
 				pthread_mutex_lock(&hash_mutex);
 				for(ac = authc; ac; ac = ac->next){
-					if((!(conf.authcachetype&2) || !strcmp(ac->username, (char *)param->username)) &&
+					if(
+					   (!(conf.authcachetype&2) || !strcmp(ac->username, (char *)param->username)) &&
 					   (!(conf.authcachetype&1) || (*SAFAMILY(&ac->sa) ==  *SAFAMILY(&param->sincr) && !memcmp(SAADDR(&ac->sa), SAADDR(&param->sincr), SAADDRLEN(&ac->sa))))  &&
-					   (!(conf.authcachetype&4) || (ac->password && !strcmp(ac->password, (char *)param->password)))) {
+					   (!(conf.authcachetype&4) || (ac->password && !strcmp(ac->password, (char *)param->password))) &&
+					   (!(conf.authcachetype&16) || (ac->acl == param->srv->acl))
+					) {
 						ac->expires = conf.time + conf.authcachetime;
 						if(strcmp(ac->username, (char *)param->username)){
 							tmp = ac->username;
@@ -717,6 +863,11 @@ int doauth(struct clientparam * param){
 							myfree(tmp);
 						}
 						ac->sa = param->sincr;
+						if(conf.authcachetype&32) {
+							ac->sinsl = param-> sinsl;
+							*SAPORT(&ac->sinsl) = 0;
+						}
+
 						break;
 					}
 				}
@@ -728,6 +879,10 @@ int doauth(struct clientparam * param){
 						ac->sa = param->sincr;
 						ac->password = NULL;
 						if((conf.authcachetype&4) && param->password) ac->password = mystrdup((char *)param->password);
+						if(conf.authcachetype&32) {
+							ac->sinsl = param->sinsl;
+							*SAPORT(&ac->sinsl) = 0;
+						}
 					}
 					ac->next = authc;
 					authc = ac;
@@ -737,6 +892,7 @@ int doauth(struct clientparam * param){
 			break;
 		}
 		if(res > ret) ret = res;
+		if(ret > 9) return ret;
 	}
 	if(!res){
 		return alwaysauth(param);
@@ -815,15 +971,6 @@ int strongauth(struct clientparam * param){
 				else if (!param->pwtype && param->password && !strcmp((char *)param->password, (char *)pwl->password)){
 					break;
 				}
-#ifndef NOCRYPT
-				else if (param->pwtype == 2 && param->password) {
-					ntpwdhash(buf, pwl->password, 0);
-					mschap(buf, param->password, buf + 16);
-					if(!memcmp(buf+16, param->password+8, 24)) {
-						break;
-					}
-				}
-#endif
 				pthread_mutex_unlock(&pwl_mutex);
 				return 6;
 #ifndef NOCRYPT
@@ -837,13 +984,6 @@ int strongauth(struct clientparam * param){
 				if(param->password && !param->pwtype && !memcmp(pwl->password, ntpwdhash(buf,param->password, 1), 32)) {
 					break;
 				}
-				else if (param->pwtype == 2){
-					fromhex(pwl->password, buf, 16);
-					mschap(buf, param->password, buf + 16);
-					if(!memcmp(buf + 16, param->password+8, 24)) {
-						break;
-					}
-				}
 				pthread_mutex_unlock(&pwl_mutex);
 				return 8;
 #endif				
@@ -859,6 +999,7 @@ int strongauth(struct clientparam * param){
 	return 5;
 }
 
+int radauth(struct clientparam * param);
 
 struct auth authfuncs[] = {
 	{authfuncs+1, NULL, NULL, ""},
@@ -867,8 +1008,13 @@ struct auth authfuncs[] = {
 	{authfuncs+4, dnsauth, checkACL, "dnsname"},
 	{authfuncs+5, strongauth, checkACL, "strong"},
 	{authfuncs+6, cacheauth, checkACL, "cache"},
-	{authfuncs+7, NULL, NULL, "none"},
-
+#ifndef NORADIUS
+#define AUTHOFFSET 1
+	{authfuncs+7, radauth, checkACL, "radius"},
+#else
+#define AUTHOFFSET 0
+#endif
+	{authfuncs+7+AUTHOFFSET, NULL, NULL, "none"},
 	{NULL, NULL, NULL, ""}
 };
 
@@ -1082,10 +1228,10 @@ unsigned long udpresolve(int af, unsigned char * name, unsigned char * value, un
 			usetcp = nservers[i].usetcp;
 			*SAFAMILY(sinsl) = *SAFAMILY(&nservers[i].addr);
 		}
-		if((sock=so._socket(SASOCK(sinsl), usetcp?SOCK_STREAM:SOCK_DGRAM, usetcp?IPPROTO_TCP:IPPROTO_UDP)) == INVALID_SOCKET) break;
-		if(so._bind(sock,(struct sockaddr *)sinsl,SASIZE(sinsl))){
-			so._shutdown(sock, SHUT_RDWR);
-			so._closesocket(sock);
+		if((sock=so._socket(so.state, SASOCK(sinsl), usetcp?SOCK_STREAM:SOCK_DGRAM, usetcp?IPPROTO_TCP:IPPROTO_UDP)) == INVALID_SOCKET) break;
+		if(so._bind(so.state, sock,(struct sockaddr *)sinsl,SASIZE(sinsl))){
+			so._shutdown(so.state, sock, SHUT_RDWR);
+			so._closesocket(so.state, sock);
 			break;
 		}
 		if(makeauth && !SAISNULL(&authnserver.addr)){
@@ -1095,11 +1241,17 @@ unsigned long udpresolve(int af, unsigned char * name, unsigned char * value, un
 			*sinsr = nservers[i].addr;
 		}
 		if(usetcp){
-			if(so._connect(sock,(struct sockaddr *)sinsr,SASIZE(sinsr))) {
-				so._shutdown(sock, SHUT_RDWR);
-				so._closesocket(sock);
+			if(connectwithpoll(NULL, sock,(struct sockaddr *)sinsr,SASIZE(sinsr),CONNECT_TO)) {
+				so._shutdown(so.state, sock, SHUT_RDWR);
+				so._closesocket(so.state, sock);
 				break;
 			}
+#ifdef TCP_NODELAY
+			{
+				int opt = 1;
+				setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (char *)&opt, sizeof(opt));
+			}
+#endif
 		}
 		len = (int)strlen((char *)name);
 		
@@ -1131,15 +1283,15 @@ unsigned long udpresolve(int af, unsigned char * name, unsigned char * value, un
 			len+=2;
 		}
 
-		if(socksendto(sock, (struct sockaddr *)sinsr, buf, len, conf.timeouts[SINGLEBYTE_L]*1000) != len){
-			so._shutdown(sock, SHUT_RDWR);
-			so._closesocket(sock);
+		if(socksendto(NULL, sock, (struct sockaddr *)sinsr, buf, len, conf.timeouts[SINGLEBYTE_L]*1000) != len){
+			so._shutdown(so.state, sock, SHUT_RDWR);
+			so._closesocket(so.state, sock);
 			continue;
 		}
 		if(param) param->statscli64 += len;
-		len = sockrecvfrom(sock, (struct sockaddr *)sinsr, buf, 4096, conf.timeouts[DNS_TO]*1000);
-		so._shutdown(sock, SHUT_RDWR);
-		so._closesocket(sock);
+		len = sockrecvfrom(NULL, sock, (struct sockaddr *)sinsr, buf, 4096, conf.timeouts[DNS_TO]*1000);
+		so._shutdown(so.state, sock, SHUT_RDWR);
+		so._closesocket(so.state, sock);
 		if(len <= 13) {
 			continue;
 		}
@@ -1149,7 +1301,7 @@ unsigned long udpresolve(int af, unsigned char * name, unsigned char * value, un
 			us = ntohs(*(unsigned short*)buf);
 			len-=2;
 			buf+=2;
-			if(us > 4096 || us < len || (us > len && sockrecvfrom(sock, (struct sockaddr *)sinsr, buf+len, us-len, conf.timeouts[DNS_TO]*1000) != us-len)) {
+			if(us > 4096 || us < len || (us > len && sockrecvfrom(NULL, sock, (struct sockaddr *)sinsr, buf+len, us-len, conf.timeouts[DNS_TO]*1000) != us-len)) {
 				continue;
 			}
 		}
@@ -1186,7 +1338,8 @@ unsigned long udpresolve(int af, unsigned char * name, unsigned char * value, un
 				}
 				ttl = ntohl(*(unsigned long *)(buf + k + 6));
 				memcpy(value, buf + k + 12, af == AF_INET6? 16:4);
-				if(ttl < 60 || ttl > (3600*12)) ttl = 300;
+				if(ttl < 0 || ttl > (3600*12)) ttl = 3600*12;
+				if(!ttl) ttl = 1;
 				hashadd(af == AF_INET6?&dns6_table:&dns_table, name, value, conf.time+ttl);
 				if(retttl) *retttl = ttl;
 				return 1;
@@ -1334,6 +1487,8 @@ void sqlerr (char *buf){
 	pthread_mutex_unlock(&log_mutex);
 }
 
+unsigned char statbuf[8192];
+
 void logsql(struct clientparam * param, const unsigned char *s) {
 	SQLRETURN ret;
 	int len;
@@ -1341,35 +1496,35 @@ void logsql(struct clientparam * param, const unsigned char *s) {
 
 	if(param->nolog) return;
 	pthread_mutex_lock(&log_mutex);
-	len = dobuf(param, tmpbuf, s, (unsigned char *)"\'");
+	len = dobuf(param, statbuf, s, (unsigned char *)"\'");
 
 	if(attempt > 5){
 		time_t t;
 
 		t = time(0);
 		if (t - attempt_time < 180){
-			sqlerr((char *)tmpbuf);
+			sqlerr((char *)statbuf);
 			return;
 		}
 	}
 	if(!hstmt){
 		if(!init_sql(sqlstring)) {
-			sqlerr((char *)tmpbuf);
+			sqlerr((char *)statbuf);
 			return;
 		}
 	}
 	if(hstmt){
-		ret = SQLExecDirect(hstmt, (SQLCHAR *)tmpbuf, (SQLINTEGER)len);
+		ret = SQLExecDirect(hstmt, (SQLCHAR *)statbuf, (SQLINTEGER)len);
 		if(ret != SQL_SUCCESS && ret != SQL_SUCCESS_WITH_INFO){
 			close_sql();
 			if(!init_sql(sqlstring)){
-				sqlerr((char *)tmpbuf);
+				sqlerr((char *)statbuf);
 				return;
 			}
 			if(hstmt) {
-				ret = SQLExecDirect(hstmt, (SQLCHAR *)tmpbuf, (SQLINTEGER)len);
+				ret = SQLExecDirect(hstmt, (SQLCHAR *)statbuf, (SQLINTEGER)len);
 				if(ret != SQL_SUCCESS && ret != SQL_SUCCESS_WITH_INFO){
-					sqlerr((char *)tmpbuf);
+					sqlerr((char *)statbuf);
 					return;
 				}
 				attempt = 0;
@@ -1381,4 +1536,3 @@ void logsql(struct clientparam * param, const unsigned char *s) {
 }
 
 #endif
- 

src/authradius.c

@@ -0,0 +1,671 @@
+/*
+   3APA3A simpliest proxy server
+   (c) 2000-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
+
+   please read License Agreement
+
+*/
+
+#ifndef NORADIUS
+#include "proxy.h"
+#include "libs/md5.h"
+
+#define AUTH_VECTOR_LEN         16
+#define MAX_STRING_LEN          254
+#define PW_AUTH_UDP_PORT        1645
+
+#define PW_TYPE_STRING			0
+#define PW_TYPE_INTEGER			1
+#define PW_TYPE_IPADDR			2
+#define PW_TYPE_DATE			3
+#define PW_TYPE_ABINARY			4
+#define PW_TYPE_OCTETS			5
+
+#define	PW_AUTHENTICATION_REQUEST	1
+#define	PW_AUTHENTICATION_ACK		2
+#define	PW_AUTHENTICATION_REJECT	3
+#define	PW_ACCOUNTING_REQUEST		4
+#define	PW_ACCOUNTING_RESPONSE		5
+#define	PW_ACCOUNTING_STATUS		6
+#define PW_PASSWORD_REQUEST		7
+
+
+#define	PW_USER_NAME			1
+#define	PW_PASSWORD			2
+#define	PW_CHAP_PASSWORD		3
+#define	PW_NAS_IP_ADDRESS		4
+#define	PW_NAS_PORT_ID			5
+#define	PW_SERVICE_TYPE			6
+#define	PW_FRAMED_PROTOCOL		7
+#define	PW_FRAMED_IP_ADDRESS		8
+#define	PW_FRAMED_IP_NETMASK		9
+#define	PW_FRAMED_ROUTING		10
+#define	PW_FILTER_ID			11
+#define	PW_FRAMED_MTU			12
+#define	PW_FRAMED_COMPRESSION		13
+#define	PW_LOGIN_IP_HOST		14
+#define	PW_LOGIN_SERVICE		15
+#define	PW_LOGIN_TCP_PORT		16
+#define PW_OLD_PASSWORD			17
+#define PW_REPLY_MESSAGE		18
+#define PW_CALLBACK_NUMBER		19
+#define PW_CALLBACK_ID			20
+#define PW_FRAMED_ROUTE			22
+#define PW_FRAMED_IPXNET		23
+#define PW_STATE			24
+#define PW_CLASS			25
+#define PW_VENDOR_SPECIFIC		26
+#define PW_SESSION_TIMEOUT		27
+#define PW_IDLE_TIMEOUT			28
+#define PW_CALLED_STATION_ID		30
+#define PW_CALLING_STATION_ID		31
+#define PW_NAS_IDENTIFIER		32
+#define PW_PROXY_STATE			33
+
+#define PW_ACCT_STATUS_TYPE		40
+#define PW_ACCT_DELAY_TIME		41
+#define PW_ACCT_INPUT_OCTETS		42
+#define PW_ACCT_OUTPUT_OCTETS		43
+#define PW_ACCT_SESSION_ID		44
+#define PW_ACCT_AUTHENTIC		45
+#define PW_ACCT_SESSION_TIME		46
+#define PW_ACCT_INPUT_PACKETS		47
+#define PW_ACCT_OUTPUT_PACKETS		48
+#define PW_ACCT_TERMINATE_CAUSE		49
+
+#define PW_EVENT_TIMESTAMP		55
+
+#define PW_CHAP_CHALLENGE		60
+#define PW_NAS_PORT_TYPE		61
+#define PW_PORT_LIMIT			62
+
+#define PW_ARAP_PASSWORD		70
+#define PW_ARAP_FEATURES		71
+#define PW_ARAP_ZONE_ACCESS		72
+#define PW_ARAP_SECURITY		73
+#define PW_ARAP_SECURITY_DATA		74
+#define PW_PASSWORD_RETRY		75
+#define PW_PROMPT			76
+#define PW_CONNECT_INFO			77
+#define PW_CONFIGURATION_TOKEN		78
+#define PW_EAP_MESSAGE                  79
+#define PW_MESSAGE_AUTHENTICATOR        80
+
+#define PW_ARAP_CHALLENGE_RESPONSE	84
+#define PW_NAS_PORT_ID_STRING  		87
+#define PW_FRAMED_POOL			89
+
+#define PW_NAS_IPV6_ADDRESS		95
+#define	PW_LOGIN_IPV6_HOST		98
+#define	PW_FRAMED_IPV6_ADDRESS		168
+
+#define PW_FALL_THROUGH			500
+#define PW_ADD_PORT_TO_IP_ADDRESS	501
+#define PW_EXEC_PROGRAM			502
+#define PW_EXEC_PROGRAM_WAIT		503
+
+#define PW_AUTHTYPE			1000
+#define PW_PREFIX			1003
+#define PW_SUFFIX			1004
+#define PW_GROUP			1005
+#define PW_CRYPT_PASSWORD		1006
+#define PW_CONNECT_RATE			1007
+#define PW_ADD_PREFIX			1008
+#define PW_ADD_SUFFIX			1009
+#define PW_EXPIRATION			1010
+#define PW_USER_CATEGORY		1029
+#define PW_GROUP_NAME			1030
+#define PW_HUNTGROUP_NAME		1031
+#define PW_SIMULTANEOUS_USE		1034
+#define PW_STRIP_USER_NAME		1035
+#define PW_HINT				1040
+#define PAM_AUTH_ATTR			1041
+#define PW_LOGIN_TIME			1042
+#define PW_STRIPPED_USER_NAME		1043
+#define PW_CURRENT_TIME			1044
+#define PW_REALM			1045
+#define PW_NO_SUCH_ATTRIBUTE		1046
+#define PW_PACKET_TYPE			1047
+#define PW_PROXY_TO_REALM      		1048
+#define PW_REPLICATE_TO_REALM  		1049
+#define PW_ACCT_SESSION_START_TIME	1050
+#define PW_ACCT_UNIQUE_SESSION_ID	1051
+#define PW_CLIENT_IP_ADDRESS		1052
+#define LDAP_USERDN			1053
+#define PW_NS_MTA_MD5_PASSWORD		1054
+#define PW_SQL_USER_NAME  		1055
+
+#define	PW_LOGIN_USER			1
+#define	PW_FRAMED_USER			2
+#define	PW_CALLBACK_LOGIN_USER		3
+#define	PW_CALLBACK_FRAMED_USER		4
+#define PW_OUTBOUND_USER		5
+#define PW_ADMINISTRATIVE_USER		6
+#define PW_NAS_PROMPT_USER		7
+#define PW_AUTHENTICATE_ONLY		8
+#define PW_CALLBACK_NAS_PROMPT		9
+
+#define PW_NAS_PORT_ASYNC		0
+#define PW_NAS_PORT_SYNC		1
+#define PW_NAS_PORT_ISDN		2
+#define PW_NAS_PORT_ISDN_V120		3
+#define PW_NAS_PORT_ISDN_V110		4
+#define PW_NAS_PORT_VIRTUAL		5
+
+#define PW_STATUS_START			1
+#define PW_STATUS_STOP			2
+#define PW_STATUS_ALIVE			3
+#define PW_STATUS_ACCOUNTING_ON		7
+#define PW_STATUS_ACCOUNTING_OFF	8
+
+
+
+struct radserver radiuslist[MAXRADIUS];
+
+static int ntry = 0;
+int nradservers = 0;
+char radiussecret[64]="";
+
+pthread_mutex_t rad_mutex;
+
+void md5_calc(unsigned char *output, unsigned char *input,
+		     unsigned int inputlen);
+
+
+char *strNcpy(char *dest, const char *src, int n)
+{
+	if (n > 0)
+		strncpy(dest, src, n);
+	else
+		n = 1;
+	dest[n - 1] = 0;
+
+	return dest;
+}
+
+void md5_calc(unsigned char *output, unsigned char *input,
+		     unsigned int inlen)
+{
+	MD5_CTX	context;
+
+	MD5Init(&context);
+	MD5Update(&context, input, inlen);
+	MD5Final(output, &context);
+}
+
+
+
+
+static uint8_t random_vector_pool[AUTH_VECTOR_LEN*2];
+
+
+
+
+static int calc_replydigest(char *packet, char *original, const char *secret, int len)
+{
+	int		secretlen;
+	uint8_t		calc_digest[AUTH_VECTOR_LEN];
+	uint8_t         calc_vector[AUTH_VECTOR_LEN];
+
+	memcpy(calc_vector, packet + 4, AUTH_VECTOR_LEN);
+	memcpy(packet + 4, original, AUTH_VECTOR_LEN);
+	secretlen = strlen(secret);
+	memcpy(packet + len, secret, secretlen);
+	md5_calc(calc_digest, (u_char *)packet, len + secretlen);
+
+	/*
+	 *	Return 0 if OK, 2 if not OK.
+	 */
+	return	memcmp(calc_vector, calc_digest, AUTH_VECTOR_LEN) ? 2 : 0;
+}
+
+#define AUTH_PASS_LEN (16)
+int rad_pwencode(char *passwd, int *pwlen, const char *secret, const char *vector)
+{
+	uint8_t	buffer[AUTH_VECTOR_LEN + MAX_STRING_LEN + 1];
+	char	digest[AUTH_VECTOR_LEN];
+	int	i, n, secretlen;
+	int	len;
+
+	len = strlen(passwd);
+	if (len > 128) len = 128;
+	*pwlen = len;
+	if (len % AUTH_PASS_LEN != 0) {
+		n = AUTH_PASS_LEN - (len % AUTH_PASS_LEN);
+		for (i = len; n > 0; n--, i++)
+			passwd[i] = 0;
+		len = *pwlen = i;
+	}
+
+	secretlen = strlen(secret);
+	memcpy(buffer, secret, secretlen);
+	memcpy(buffer + secretlen, vector, AUTH_VECTOR_LEN);
+	md5_calc((u_char *)digest, buffer, secretlen + AUTH_VECTOR_LEN);
+
+	for (i = 0; i < AUTH_PASS_LEN; i++)
+		passwd[i] ^= digest[i];
+
+	if (len <= AUTH_PASS_LEN) return 0;
+
+	for (n = 0; n < 128 && n <= (len - AUTH_PASS_LEN); n += AUTH_PASS_LEN) { 
+		memcpy(buffer + secretlen, passwd + n, AUTH_PASS_LEN);
+		md5_calc((u_char *)digest, buffer, secretlen + AUTH_PASS_LEN);
+		for (i = 0; i < AUTH_PASS_LEN; i++)
+			passwd[i + n + AUTH_PASS_LEN] ^= digest[i];
+	}
+
+	return 0;
+}
+
+
+void random_vector(uint8_t *vector, struct clientparam *param)
+{
+	int		i;
+	static int	did_random = 0;
+	static int	counter = 0;
+
+	if (!did_random) {
+
+		ntry = (int)basetime;
+		for (i = 0; i < (int)sizeof(random_vector_pool); i++) {
+			random_vector_pool[i] += myrand((void *) &param->msec_start, sizeof(param->msec_start)) & 0xff;
+		}
+		did_random = 1;
+
+	}
+
+	counter++;
+	random_vector_pool[AUTH_VECTOR_LEN] += (counter & 0xff);
+	md5_calc((u_char *) random_vector_pool,
+			(u_char *) random_vector_pool,
+			sizeof(random_vector_pool));
+
+	md5_calc((u_char *) vector,
+			(u_char *) random_vector_pool,
+			sizeof(random_vector_pool));
+}
+
+
+typedef struct radius_packet_t {
+  uint8_t       code;
+  uint8_t       id;
+  uint16_t      length;
+  uint8_t       vector[AUTH_VECTOR_LEN];
+  uint8_t       data[4096];
+} radius_packet_t;
+          
+#define RETURN(xxx) { res = xxx; goto CLEANRET; }
+
+int radsend(struct clientparam * param, int auth, int stop){
+
+	int loop;
+	int id;
+	int res = 4;
+	SOCKET sockfd = -1;
+	unsigned char *ptr;
+	int total_length;
+	int len;
+	int op;
+#ifdef NOIPV6
+	struct  sockaddr_in     saremote;
+#else
+	struct  sockaddr_in6     saremote;
+#endif
+	struct pollfd fds[1];
+	char vector[AUTH_VECTOR_LEN];
+	radius_packet_t packet, rpacket;
+	SASIZETYPE salen;
+	int data_len;
+	uint8_t	*vendor_len;
+	int count=0;
+	uint8_t *attr;
+	long vendor=0;
+	int vendorlen=0;
+	char buf[64];
+
+
+	if(!nradservers) {
+		return 4;
+	}
+
+	memset(&packet, 0, sizeof(packet));
+
+
+	pthread_mutex_lock(&rad_mutex);
+	if(auth)random_vector(packet.vector, param);
+
+	id = ((ntry++) & 0xff);
+	pthread_mutex_unlock(&rad_mutex);
+
+	packet.code = auth?PW_AUTHENTICATION_REQUEST:PW_ACCOUNTING_REQUEST;
+	packet.id=id;
+	ptr = packet.data;
+	total_length = 0;
+
+	/* Service Type */
+	*ptr++ =  auth?PW_SERVICE_TYPE:PW_ACCT_STATUS_TYPE;
+	*ptr++ = 6;
+	(*(uint32_t *)ptr)=htonl(auth?PW_AUTHENTICATE_ONLY:stop?PW_STATUS_STOP:PW_STATUS_START);
+	ptr+=4;
+	total_length+=6;
+
+	/* Acct-Session-Id */
+	sprintf(buf, "%u.%u.%u", (unsigned)param->time_start, (unsigned)param->msec_start, (unsigned)param->threadid);
+        len = strlen(buf);
+	*ptr++ =  PW_ACCT_SESSION_ID;
+	*ptr++ = 2+len;
+	memcpy(ptr, buf, len);
+	ptr+=len;
+	total_length+=len+2;
+
+	/* NAS-Port-Type */
+	*ptr++ =  PW_NAS_PORT_TYPE;
+	*ptr++ = 6;
+	(*(uint32_t *)ptr)=htonl(PW_NAS_PORT_VIRTUAL);
+	ptr+=4;
+	total_length+=6;
+
+	/* NAS-Port */
+	*ptr++ =  PW_NAS_PORT_ID;
+	*ptr++ = 6;
+	(*(uint32_t *)ptr)=htonl((uint32_t)ntohs((*SAPORT(&param->srv->intsa))));
+	ptr+=4;
+	total_length+=6;
+
+
+	if(*SAFAMILY(&param->sincl) == AF_INET6){
+	/* NAS-IPv6-Address */
+	    *ptr++ =  PW_NAS_IPV6_ADDRESS;
+	    *ptr++ = 18;
+	}
+	else {
+	/* NAS-IP-Address */
+	    *ptr++ =  PW_NAS_IP_ADDRESS;
+	    *ptr++ = 6;
+	}
+	len = SAADDRLEN(&param->sincl);
+	memcpy(ptr, SAADDR(&param->sincl), len);
+	ptr += len;
+	total_length += (2+len);
+
+	/* NAS-Identifier */
+	if(conf.stringtable){
+		*ptr++ = PW_NAS_IDENTIFIER;
+		len = strlen((char *)conf.stringtable[SERVICES+param->service]);
+		*ptr++ = (2 + len);
+		memcpy(ptr, conf.stringtable[SERVICES+param->service], len);
+		ptr += len;
+		total_length+=(len+2);
+	}
+
+	if(*SAFAMILY(&param->sincr) == AF_INET6){
+	/* Framed-IPv6-Address */
+	    *ptr++ =  PW_FRAMED_IPV6_ADDRESS;
+	    *ptr++ = 18;
+	}
+	else {
+	/* Framed-IP-Address */
+	    *ptr++ =  PW_FRAMED_IP_ADDRESS;
+	    *ptr++ = 6;
+	}
+	len = SAADDRLEN(&param->sincr);
+	memcpy(ptr, SAADDR(&param->sincr), len);
+	ptr += len;
+	total_length += (2+len);
+
+	/* Called-Station-ID */
+	if(param->hostname){
+		*ptr++ = PW_CALLED_STATION_ID;
+		len = strlen((char *)param->hostname);
+		*ptr++ = (2 + len);
+		memcpy(ptr, param->hostname, len);
+		ptr += len;
+		total_length+=(len+2);
+	}
+
+	/* Login-Service */
+	*ptr++ =  PW_LOGIN_SERVICE;
+	*ptr++ = 6;
+	(*(uint32_t *)ptr)=htonl(param->operation<<8);
+	ptr+=4;
+	total_length+=6;
+
+	/* Login-TCP-Port */
+	*ptr++ =  PW_LOGIN_TCP_PORT;
+	*ptr++ = 6;
+	(*(uint32_t *)ptr)=htonl((uint32_t)ntohs((*SAPORT(&param->req))));
+	ptr+=4;
+	total_length+=6;
+
+
+	if(*SAFAMILY(&param->req) == AF_INET6){
+	/* Login-IPv6-Host */
+	    *ptr++ =  PW_LOGIN_IPV6_HOST;
+	    *ptr++ = 18;
+	}
+	else {
+	/* Login-IP-Host */
+	    *ptr++ =  PW_LOGIN_IP_HOST;
+	    *ptr++ = 6;
+	}
+	len = SAADDRLEN(&param->req);
+	memcpy(ptr, SAADDR(&param->req), len);
+	ptr += len;
+	total_length += (2+len);
+
+
+	/* Username */
+	if(param->username){
+	    len = strlen((char *)param->username);
+	    if(len>128)len=128;
+	    *ptr++ = PW_USER_NAME;
+	    *ptr++ = len + 2;
+	    memcpy(ptr, param->username, len);
+	    ptr+=len;
+	    total_length += (len+2);
+	}
+	
+	if(stop){
+		/* Acct-Input-Octets */
+		*ptr++ =  PW_ACCT_INPUT_OCTETS;
+		*ptr++ = 6;
+		(*(uint32_t *)ptr)=htonl((uint32_t)param->statssrv64);
+		ptr+=4;
+		total_length+=6;
+		/* Acct-Output-Octets */
+		*ptr++ =  PW_ACCT_OUTPUT_OCTETS;
+		*ptr++ = 6;
+		(*(uint32_t *)ptr)=htonl((uint32_t)param->statscli64);
+		ptr+=4;
+		total_length+=6;
+		/* Acct-Input-Packets */
+		*ptr++ =  PW_ACCT_INPUT_PACKETS;
+		*ptr++ = 6;
+		(*(uint32_t *)ptr)=htonl((uint32_t)param->nreads);
+		ptr+=4;
+		total_length+=6;
+		/* Acct-Output-Packets */
+		*ptr++ =  PW_ACCT_OUTPUT_PACKETS;
+		*ptr++ = 6;
+		(*(uint32_t *)ptr)=htonl((uint32_t)param->nwrites);
+		ptr+=4;
+		total_length+=6;
+		/* Acct-Session-Time */
+		*ptr++ =  PW_ACCT_SESSION_TIME;
+		*ptr++ = 6;
+		(*(uint32_t *)ptr)=htonl((uint32_t)(time(0) - param->time_start));
+		ptr+=4;
+		total_length+=6;
+	}
+	
+	if(auth && param->password){
+    	    len = strlen((char *)param->password);
+	    if(len > 128) len = 128;
+	    *ptr++ = PW_PASSWORD;
+	    ptr++;
+	    memcpy(ptr, param->password, len);
+	    rad_pwencode((char *)ptr,
+		     &len,
+		     radiussecret, 
+		     (char *)packet.vector);
+	    *(ptr-1) = len + 2;
+	    ptr+=len;
+	    total_length+= (len+2);
+	}
+
+	total_length+=(4+AUTH_VECTOR_LEN);
+	packet.length = htons(total_length);
+	
+	if(!auth){
+		len = strlen(radiussecret);
+		memcpy(ptr,radiussecret,len);
+		md5_calc(packet.vector, (u_char *)&packet, total_length + len);
+	}
+	memcpy(vector, packet.vector, AUTH_VECTOR_LEN);
+	
+	for (loop = 0; loop < nradservers && loop < MAXRADIUS; loop++) {
+		SOCKET remsock;
+
+
+		saremote = auth?radiuslist[loop].authaddr : radiuslist[loop].logaddr;
+#ifdef NOIPV6
+		if(*SAFAMILY(&saremote)!= AF_INET) {
+			continue;
+		}
+#else
+		if(*SAFAMILY(&saremote)!= AF_INET && *SAFAMILY(&saremote)!= AF_INET6){
+			continue;
+		}
+#endif
+
+/*
+		if(auth) {
+*/
+			if(sockfd >= 0) so._closesocket(so.state, sockfd);
+			if ((sockfd = so._socket(so.state, SASOCK(&saremote), SOCK_DGRAM, 0)) < 0) {
+			    return 4;
+			}
+			remsock = sockfd;
+/*
+		}
+		else remsock = radiuslist[loop].logsock;
+*/
+		so._bind(so.state, remsock,(struct sockaddr *)&radiuslist[loop].localaddr,SASIZE(&radiuslist[loop].localaddr));
+		len = so._sendto(so.state, remsock, (char *)&packet, total_length, 0,
+		      (struct sockaddr *)&saremote, sizeof(saremote));
+		if(len != ntohs(packet.length)){
+			continue;
+		}
+
+	        memset(fds, 0, sizeof(fds));
+	        fds[0].fd = remsock;
+	        fds[0].events = POLLIN;
+		if(so._poll(so.state, fds, 1, conf.timeouts[SINGLEBYTE_L]*1000) <= 0) {
+			continue;
+		}
+
+		salen = sizeof(saremote);
+				
+		data_len = so._recvfrom(so.state, remsock, (char *)&rpacket, sizeof(packet)-16,
+			0, (struct sockaddr *)&saremote, &salen);
+
+
+		if (data_len < 20) {
+			continue;
+		}
+
+		if( auth && rpacket.code != PW_AUTHENTICATION_ACK &&
+		    rpacket.code != PW_AUTHENTICATION_REJECT ){
+			continue;
+		}
+		if( !auth && rpacket.code != PW_ACCOUNTING_RESPONSE){
+			continue;
+		}
+
+		if (calc_replydigest((char *)&rpacket, (char *)packet.vector, radiussecret,
+			data_len) ){
+			continue;
+		}
+
+		total_length = ntohs(rpacket.length);
+		if (data_len != total_length) {
+			continue;
+		}
+
+		if(!auth) RETURN(0);
+
+		attr = rpacket.data;
+		count = total_length - 20;
+		vendor_len = 0;
+
+		while (count >= 2) {
+			if (!vendor && attr[0] == 0) {
+				break;
+			}
+		
+	       		if (attr[1] < 2) {
+				break;
+			}
+
+			if(!vendor && attr[0] == PW_VENDOR_SPECIFIC) {
+				if (attr[1] < 6 || count < 6) RETURN(4);
+				vendorlen = attr[1]-6;
+				vendor = htonl(*((int*)(attr +2)));
+				count -= 6;
+				attr += 6;
+				continue;
+			}
+	
+			if (!vendor && attr[0] == PW_FRAMED_IP_ADDRESS && attr[1] == 6) {
+				*SAFAMILY(&param->sinsl) = AF_INET;
+				memcpy(SAADDR(&param->sinsl), attr+2, 4);
+			}
+
+			else if (!vendor && attr[0] == PW_FRAMED_IPV6_ADDRESS && attr[1] == 18) {
+				*SAFAMILY(&param->sinsl) = AF_INET6;
+				memcpy(SAADDR(&param->sinsl), attr+2, 16);
+			}
+			else if (!vendor && attr[0] == PW_REPLY_MESSAGE && attr[1] >= 3 && isdigit(attr[2])) {
+				res = 0;
+				for(len = 2; len < attr[1] && isdigit(attr[len]); len++) res = (res * 10) + (attr[len] - '0');
+			}
+
+			count -= attr[1];
+			if(vendorlen) {
+				vendorlen -= attr[1];
+				if (!vendorlen) vendor = 0;
+				else if (vendorlen < 0) RETURN(4);
+			}
+			attr += attr[1];
+		}
+
+		if (count !=0 || vendorlen!=0) {
+			continue;
+		}
+
+		if(rpacket.code == PW_AUTHENTICATION_REJECT) RETURN (res);
+		if(rpacket.code == PW_AUTHENTICATION_ACK) RETURN(0);
+		res = 4;
+	}
+CLEANRET:
+	if(sockfd >= 0) so._closesocket(so.state, sockfd);
+	return res;
+}
+
+int radauth(struct clientparam * param){
+	int res;
+	/*radsend(param, 0, 0);*/
+	res = radsend(param, 1, 0);
+	if(!res && param->srv->logfunc == logradius)radsend(param, 0, 0);
+	return res;
+}
+
+void logradius(struct clientparam * param, const unsigned char *s) {
+	radsend(param, 0, 1);
+	if(param->trafcountfunc)(*param->trafcountfunc)(param);
+	clearstat(param);
+}
+
+
+
+#endif

src/auto.c

@@ -0,0 +1,29 @@
+/*
+   3APA3A simpliest proxy server
+   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
+
+   please read License Agreement
+
+*/
+
+#include "proxy.h"
+
+
+void * autochild(struct clientparam* param) {
+    int len;
+
+    if(!param->clibuf){
+	if(!(param->clibuf = myalloc(SRVBUFSIZE))) return 0;
+	param->clibufsize = SRVBUFSIZE;
+	param->clioffset = param->cliinbuf = 0;
+    }
+    len = sockfillbuffcli(param, 1, CONNECTION_S);
+    if (len != 1){
+	param->res = 801;
+	dolog(param, (unsigned char *)"");
+    }
+    if(*param->clibuf == 4 || *param->clibuf == 5) return sockschild(param);
+    if(*param->clibuf == 22) return tlsprchild(param);
+    return proxychild(param);
+}
+

src/base64.c

@@ -1,9 +1,9 @@
 /*
- * Copyright (c) 2000-2008 3APA3A
- *
- * please read License Agreement
- *
- */
+   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
+
+   please read License Agreement
+
+*/
 
 #include <string.h>
 

src/common.c

@@ -1,6 +1,6 @@
 /*
    3APA3A simpliest proxy server
-   (c) 2002-2008 by ZARAZA <3APA3A@security.nnov.ru>
+   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
 
    please read License Agreement
 
@@ -15,6 +15,8 @@ char * copyright = COPYRIGHT;
 
 int randomizer = 1;
 
+
+
 #ifndef _WIN32
  pthread_attr_t pa;
 
@@ -31,6 +33,35 @@ int randomizer = 1;
 
 unsigned char **stringtable = NULL;
 
+#ifdef WITH_LINUX_FUTEX
+int sys_futex(void *addr1, int op, int val1, struct timespec *timeout, void *addr2, int val3)
+{
+	return syscall(SYS_futex, addr1, op, val1, timeout, addr2, val3);
+}
+int mutex_lock(int *val)
+{
+	int c;
+	if ((c = __sync_val_compare_and_swap(val, 0, 1)) != 0)
+		do {
+			if(c == 2 || __sync_val_compare_and_swap(val, 1, 2) != 0)
+				sys_futex(val, FUTEX_WAIT_PRIVATE, 2, NULL, NULL, 0);
+		} while ((c = __sync_val_compare_and_swap(val, 0, 2)) != 0);
+	
+	return 0;
+}
+
+int mutex_unlock(int *val)
+{
+	if(__sync_fetch_and_sub (val, 1) != 1){
+		*val = 0;
+		sys_futex(val, FUTEX_WAKE_PRIVATE, 1, NULL, NULL, 0);
+	}
+	
+	
+	return 0;
+}
+#endif
+
 int myinet_ntop(int af, void *src, char *dst, socklen_t size){
 #ifndef NOIPV6
  if(af != AF_INET6){
@@ -62,18 +93,17 @@ char *rotations[] = {
 
 
 struct extparam conf = {
-	{1, 5, 30, 60, 180, 1800, 15, 60, 0, 0},
+	{1, 5, 30, 60, 180, 1800, 15, 60, 15, 5, 0, 0},
 	NULL,
 	NULL,
 	NULL, NULL,
 	NULL,
 	NULL,
-#ifdef __FreeBSD__
-	8192, 
-#else
+	NULL,
 	0,
-#endif
-	0, -1, 0, 0, 0, 0, 0, 500, 0, 0, 0, 0, 0,
+	0, -1, 0, 0, 0, 0, 
+	0, 500, 0, 0, 0, 0, 0, 0, 2,
+	0, 0, 0,
 	6, 600,
 	1048576,
 	NULL, NULL,
@@ -108,19 +138,20 @@ char* NULLADDR="\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
 
 int myrand(void * entropy, int len){
 	int i;
-	unsigned short init;
+	uint16_t init;
 
 	init = randomizer;
 	for(i=0; i < len/2; i++){
-		init ^= ((unsigned short *)entropy)[i];
+		init ^= ((uint16_t *)entropy)[i];
 	}
-	srand(init);
+	srand(rand()+init);
 	randomizer = rand();
 	return rand();
 	
 }
 
 #ifndef WITH_POLL
+#ifndef WITH_WSAPOLL
 int  
 #ifdef _WIN32
  WINAPI
@@ -156,32 +187,143 @@ int
 	return num;
 }
 #endif
+#endif
+
+
+#ifdef _WIN32
+    SOCKET WINAPI def_socket(void* state, int domain, int type, int protocol){
+        return socket(domain, type, protocol);
+    }
+    SOCKET WINAPI def_accept(void* state, SOCKET s, struct sockaddr * addr, int * addrlen){
+	return accept(s, addr, addrlen);
+    }
+    int WINAPI def_bind(void* state, SOCKET s, const struct sockaddr *addr, int addrlen){
+	return bind(s, addr, addrlen);
+    }
+    int WINAPI def_listen(void* state, SOCKET s, int backlog){
+	return listen(s, backlog);
+    }
+    int WINAPI def_connect(void* state, SOCKET s, const struct sockaddr *name, int namelen){
+	return connect(s, name, namelen);
+    }
+    int WINAPI def_getpeername(void* state, SOCKET s, struct sockaddr * name, int * namelen){
+	return getpeername(s, name, namelen);
+    }
+    int WINAPI def_getsockname(void* state, SOCKET s, struct sockaddr * name, int * namelen){
+	return 	getsockname(s, name, namelen);
+    }
+    int WINAPI def_getsockopt(void* state, SOCKET s, int level, int optname, char * optval, int * optlen){
+	return getsockopt(s, level, optname, optval, optlen);
+    }
+    int WINAPI def_setsockopt(void* state, SOCKET s, int level, int optname, const char *optval, int optlen){
+	return setsockopt(s, level, optname, optval, optlen);
+    }
+    int WINAPI def_poll(void* state, struct pollfd *fds, unsigned int nfds, int timeout){
+#ifndef WITH_POLL
+#ifndef WITH_WSAPOLL
+	return mypoll(fds, nfds, timeout);
+#else
+	return WSAPoll(fds, nfds, timeout);
+#endif
+#else
+	return poll(fds, nfds, timeout);
+#endif
+    }
+    int WINAPI def_send(void* state, SOCKET s, const char *msg, int len, int flags){
+	return send(s, msg, len, flags);
+    }
+    int WINAPI def_sendto(void* state, SOCKET s, const char *msg, int len, int flags, const struct sockaddr *to, int tolen){
+        return sendto(s, msg, len, flags, to, tolen);
+    }
+        
+    int WINAPI def_recv(void* state, SOCKET s, char *buf, int len, int flags){
+	return recv(s, buf, len, flags);
+    }
+    int WINAPI def_recvfrom(void* state, SOCKET s, char * buf, int len, int flags, struct sockaddr * from, int * fromlen){
+	return recvfrom(s, buf, len, flags, from, fromlen);
+    }
+    int WINAPI def_shutdown(void* state, SOCKET s, int how){
+	return shutdown(s, how);
+    }
+    int WINAPI def_closesocket(void* state, SOCKET s){
+	return closesocket(s);
+    }
+#else
+    SOCKET def_socket(void* state, int domain, int type, int protocol){
+        return socket(domain, type, protocol);
+    }
+    SOCKET def_accept(void* state, SOCKET s, struct sockaddr * addr, socklen_t* addrlen){
+	return accept(s, addr, addrlen);
+    }
+    int def_bind(void* state, SOCKET s, const struct sockaddr *addr, socklen_t addrlen){
+	return bind(s, addr, addrlen);
+    }
+    int def_getpeername(void* state, SOCKET s, struct sockaddr * name, socklen_t* namelen){
+	return getpeername(s, name, namelen);
+    }
+    int def_getsockname(void* state, SOCKET s, struct sockaddr * name, socklen_t* namelen){
+	return 	getsockname(s, name, namelen);
+    }
+    int def_listen(void* state, SOCKET s, int backlog){
+	return listen(s, backlog);
+    }
+    int def_connect(void* state, SOCKET s, const struct sockaddr *name, socklen_t namelen){
+	return connect(s, name, namelen);
+    }
+    int def_getsockopt(void* state, SOCKET s, int level, int optname, void * optval, socklen_t * optlen){
+	return getsockopt(s, level, optname, optval, optlen);
+    }
+    int def_setsockopt(void* state, int s, int level, int optname, const void *optval, socklen_t optlen){
+	return setsockopt(s, level, optname, optval, optlen);
+    }
+
+    int def_poll(void* state, struct pollfd *fds, nfds_t nfds, int timeout){
+#ifndef WITH_POLL
+	return mypoll(fds, nfds, timeout);
+#else
+	return poll(fds, nfds, timeout);
+#endif
+    }
+
+    ssize_t def_send(void* state, SOCKET s, const void *msg, size_t len, int flags){
+	return send(s, msg, len, flags);
+    }
+    ssize_t def_sendto(void* state, SOCKET s, const void *msg, size_t len, int flags, const struct sockaddr *to, socklen_t tolen){
+	return sendto(s, msg, len, flags, to, tolen);
+    }
+    ssize_t def_recv(void* state, SOCKET s, void *buf, size_t len, int flags){
+	return recv(s, buf, len, flags);
+    }
+    ssize_t def_recvfrom(void* state, SOCKET s, void * buf, size_t len, int flags, struct sockaddr * from, socklen_t* fromlen){
+	return recvfrom(s, buf, len, flags, from, fromlen);
+    }
+    int def_shutdown(void* state, SOCKET s, int how){
+	return shutdown(s, how);
+    }
+    int def_closesocket(void* state, SOCKET s){
+	return close(s);
+    }
+#endif
 
 struct sockfuncs so = {
-	socket,
-	accept,
-	bind,
-	listen,
-	connect,
-	getpeername,
-	getsockname,
-	getsockopt,
-	setsockopt,
-#ifdef WITH_POLL
-	poll,
-#else
-	mypoll,
-#endif
-	(void *)send,
-	(void *)sendto,
-	(void *)recv,
-	(void *)recvfrom,
-	shutdown,
-#ifdef _WIN32
-	closesocket
-#else
-	close
-#endif
+	NULL,
+	NULL,
+	def_socket,
+	def_accept,
+	def_bind,
+	def_listen,
+	def_connect,
+	def_getpeername,
+	def_getsockname,
+	def_getsockopt,
+	def_setsockopt,
+	def_poll,
+	def_send,
+	def_sendto,
+	def_recv,
+	def_recvfrom,
+	def_shutdown,
+	def_closesocket
 };
 
 #ifdef _WINCE
@@ -258,7 +400,10 @@ int parsehostname(char *hostname, struct clientparam *param, unsigned short port
 
 	if(!hostname || !*hostname)return 2;
 	if(*hostname == '[') se=strchr(hostname, ']');
-	if ( (sp = strchr(se?se:hostname, ':'))  && !strchr(sp+1, ':')) *sp = 0;
+	if ((sp = strchr(se?se:hostname, ':'))) {
+		if(strchr(sp+1, ':'))sp = NULL;
+		else *sp = 0;
+	}
 	if(se){
 		*se = 0;
 	}
@@ -327,324 +472,28 @@ int parseconnusername(char *username, struct clientparam *param, int extpasswd,
 	return 0;
 }
 
-void clearstat(struct clientparam * param) {
 
+int connectwithpoll(struct clientparam *param, SOCKET sock, struct sockaddr *sa, SASIZETYPE size, int to){
+		struct pollfd fds[1];
 #ifdef _WIN32
-	struct timeb tb;
-
-	ftime(&tb);
-	param->time_start = (time_t)tb.time;
-	param->msec_start = (unsigned)tb.millitm;
-
+		unsigned long ul = 1;
+		ioctlsocket(sock, FIONBIO, &ul);
 #else
-	struct timeval tv;
-	struct timezone tz;
-	gettimeofday(&tv, &tz);
-
-	param->time_start = (time_t)tv.tv_sec;
-	param->msec_start = (tv.tv_usec / 1000);
+		fcntl(sock,F_SETFL, O_NONBLOCK | fcntl(sock,F_GETFL));
 #endif
-	param->statscli64 = param->statssrv64 = param->nreads = param->nwrites =
-		param->nconnects = 0;
-}
-
-
-char months[12][4] = {
-	"Jan", "Feb", "Mar", "Apr", "May", "Jun",
-	"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
-};
-
-
-int dobuf2(struct clientparam * param, unsigned char * buf, const unsigned char *s, const unsigned char * doublec, struct tm* tm, char * format){
-	int i, j;
-	int len;
-	time_t sec;
-	unsigned msec;
-
-	long timezone;
-	unsigned delay;
-
-
-
-#ifdef _WIN32
-	struct timeb tb;
-
-	ftime(&tb);
-	sec = (time_t)tb.time;
-	msec = (unsigned)tb.millitm;
-	timezone = tm->tm_isdst*60 - tb.timezone;
-
-#else
-	struct timeval tv;
-	struct timezone tz;
-	gettimeofday(&tv, &tz);
-
-	sec = (time_t)tv.tv_sec;
-	msec = tv.tv_usec / 1000;
-#ifdef _SOLARIS
-	timezone = -altzone / 60;
-#else
-	timezone = tm->tm_gmtoff / 60;
-#endif
-#endif
-
-	delay = param->time_start?((unsigned) ((sec - param->time_start))*1000 + msec) - param->msec_start : 0;
-	*buf = 0;
-	for(i=0, j=0; format[j] && i < 4040; j++){
-		if(format[j] == '%' && format[j+1]){
-			j++;
-			switch(format[j]){
-				case '%':
-				 buf[i++] = '%';
-				 break;
-				case 'y':
-				 sprintf((char *)buf+i, "%.2d", tm->tm_year%100);
-				 i+=2;
-				 break;
-				case 'Y':
-				 sprintf((char *)buf+i, "%.4d", tm->tm_year+1900);
-				 i+=4;
-				 break;
-				case 'm':
-				 sprintf((char *)buf+i, "%.2d", tm->tm_mon+1);
-				 i+=2;
-				 break;
-				case 'o':
-				 sprintf((char *)buf+i, "%s", months[tm->tm_mon]);
-				 i+=3;
-				 break;
-				case 'd':
-				 sprintf((char *)buf+i, "%.2d", tm->tm_mday);
-				 i+=2;
-				 break;
-				case 'H':
-				 sprintf((char *)buf+i, "%.2d", tm->tm_hour);
-				 i+=2;
-				 break;
-				case 'M':
-				 sprintf((char *)buf+i, "%.2d", tm->tm_min);
-				 i+=2;
-				 break;
-				case 'S':
-				 sprintf((char *)buf+i, "%.2d", tm->tm_sec);
-				 i+=2;
-				 break;
-				case 't':
-				 sprintf((char *)buf+i, "%.10u", (unsigned)sec);
-				 i+=10;
-				 break;
-				case 'b':
-				 i+=sprintf((char *)buf+i, "%u", delay?(unsigned)(param->statscli64 * 1000./delay):0);
-				 break;
-				case 'B':
-				 i+=sprintf((char *)buf+i, "%u", delay?(unsigned)(param->statssrv64 * 1000./delay):0);
-				 break;				 
-				case 'D':
-				 i+=sprintf((char *)buf+i, "%u", delay);
-				 break;
-				case '.':
-				 sprintf((char *)buf+i, "%.3u", msec);
-				 i+=3;
-				 break;
-				case 'z':
-				 sprintf((char *)buf+i, "%+.2ld%.2u", timezone / 60, (unsigned)(timezone%60));
-				 i+=5;
-				 break;
-				case 'U':
-				 if(param->username && *param->username){
-					for(len = 0; i< 4000 && param->username[len]; len++){
-					 buf[i] = param->username[len];
-					 if(param->srv->nonprintable && (buf[i] < 0x20 || strchr((char *)param->srv->nonprintable, buf[i]))) buf[i] = param->srv->replace;
-					 if(doublec && strchr((char *)doublec, buf[i])) {
-						buf[i+1] = buf[i];
-						i++;
-					 }
-					 i++;
-					}
-				 }
-				 else {
-					buf[i++] = '-';
-				 }
-				 break;
-				case 'n':
-					len = param->hostname? (int)strlen((char *)param->hostname) : 0;
-					if (len > 0 && !strchr((char *)param->hostname, ':')) for(len = 0; param->hostname[len] && i < 256; len++, i++){
-						buf[i] = param->hostname[len];
-					 	if(param->srv->nonprintable && (buf[i] < 0x20 || strchr((char *)param->srv->nonprintable, buf[i]))) buf[i] = param->srv->replace;
-						if(doublec && strchr((char *)doublec, buf[i])) {
-							buf[i+1] = buf[i];
-							i++;
-						}
-					}
-					else {
-						buf[i++] = '[';
-						i += myinet_ntop(*SAFAMILY(&param->req), SAADDR(&param->req), (char *)buf + i, 64);
-						buf[i++] = ']';
-					}
-					break;
-
-				case 'N':
-				 if(param->service < 15) {
-					 len = (conf.stringtable)? (int)strlen((char *)conf.stringtable[SERVICES + param->service]) : 0;
-					 if(len > 20) len = 20;
-					 memcpy(buf+i, (len)?conf.stringtable[SERVICES + param->service]:(unsigned char*)"-", (len)?len:1);
-					 i += (len)?len:1;
-				 }
-				 break;
-				case 'E':
-				 sprintf((char *)buf+i, "%.05d", param->res);
-				 i += 5;
-				 break;
-				case 'T':
-				 if(s){
-					for(len = 0; i<4000 && s[len]; len++){
-					 buf[i] = s[len];
-					 if(param->srv->nonprintable && (buf[i] < 0x20 || strchr((char *)param->srv->nonprintable, buf[i]))) buf[i] = param->srv->replace;
-					 if(doublec && strchr((char *)doublec, buf[i])) {
-						buf[i+1] = buf[i];
-						i++;
-					 }
-					 i++;
-					}
-				 }
-				 break;
-				case 'e':
-				 i += myinet_ntop(*SAFAMILY(&param->sinsl), SAADDR(&param->sinsl), (char *)buf + i, 64);
-				 break;
-				case 'i':
-				 i += myinet_ntop(*SAFAMILY(&param->sincl), SAADDR(&param->sincl), (char *)buf + i, 64);
-				 break;
-				case 'C':
-				 i += myinet_ntop(*SAFAMILY(&param->sincr), SAADDR(&param->sincr), (char *)buf + i, 64);
-				 break;
-				case 'R':
-				 i += myinet_ntop(*SAFAMILY(&param->sinsr), SAADDR(&param->sinsr), (char *)buf + i, 64);
-				 break;
-				case 'Q':
-				 i += myinet_ntop(*SAFAMILY(&param->req), SAADDR(&param->req), (char *)buf + i, 64);
-				 break;
-				case 'p':
-				 sprintf((char *)buf+i, "%hu", ntohs(*SAPORT(&param->srv->intsa)));
-				 i += (int)strlen((char *)buf+i);
-				 break;
-				case 'c':
-				 sprintf((char *)buf+i, "%hu", ntohs(*SAPORT(&param->sincr)));
-				 i += (int)strlen((char *)buf+i);
-				 break;
-				case 'r':
-				 sprintf((char *)buf+i, "%hu", ntohs(*SAPORT(&param->sinsr)));
-				 i += (int)strlen((char *)buf+i);
-				 break;
-				case 'q':
-				 sprintf((char *)buf+i, "%hu", ntohs(*SAPORT(&param->req)));
-				 i += (int)strlen((char *)buf+i);
-				 break;
-				case 'I':
-				 sprintf((char *)buf+i, "%"PRINTF_INT64_MODIFIER"u", param->statssrv64);
-				 i += (int)strlen((char *)buf+i);
-				 break;
-				case 'O':
-				 sprintf((char *)buf+i, "%"PRINTF_INT64_MODIFIER"u", param->statscli64);
-				 i += (int)strlen((char *)buf+i);
-				 break;
-				case 'h':
-				 sprintf((char *)buf+i, "%d", param->redirected);
-				 i += (int)strlen((char *)buf+i);
-				 break;
-				case '1':
-				case '2':
-				case '3':
-				case '4':
-				case '5':
-				case '6':
-				case '7':
-				case '8':
-				case '9':
-					{
-						int k, pmin=0, pmax=0;
-						for (k = j; isnumber(format[k]); k++);
-						if(format[k] == '-' && isnumber(format[k+1])){
-							pmin = atoi(format + j) - 1;
-							k++;
-							pmax = atoi(format + k) -1;
-							for (; isnumber(format[k]); k++);
-							j = k;
-						}
-						if(!s || format[k]!='T') break;
-						for(k = 0, len = 0; s[len] && i < 4000; len++){
-							if(isspace(s[len])){
-								k++;
-								while(isspace(s[len+1]))len++;
-								if(k == pmin) continue;
-							}
-							if(k>=pmin && k<=pmax) {
-								buf[i] = s[len];
-								if(param->srv->nonprintable && (buf[i] < 0x20 || strchr((char *)param->srv->nonprintable, buf[i]))) buf[i] = param->srv->replace;
-								if(doublec && strchr((char *)doublec, buf[i])) {
-									buf[i+1] = buf[i];
-									i++;
-				 				}
-								i++;
-							}
-						}
-						break;
-
-					}
-				default:
-				 buf[i++] = format[j];
-			}
+		if(param?param->srv->so._connect(param->sostate, sock,sa,size) : so._connect(so.state, sock,sa,size)) {
+			if(errno != EAGAIN && errno != EINPROGRESS) return (13);
 		}
-		else buf[i++] = format[j];
-	}
-	buf[i] = 0;
-	return i;
+		if(!errno) return 0;
+	        memset(fds, 0, sizeof(fds));
+	        fds[0].fd = sock;
+	        fds[0].events = POLLOUT|POLLIN;
+		if((param?param->srv->so._poll(param->sostate, fds, 1, to*1000):so._poll(so.state, fds, 1, to*1000)) <= 0 || !(fds[0].revents & POLLOUT)) {
+			return (13);
+		}
+		return 0;
 }
 
-int dobuf(struct clientparam * param, unsigned char * buf, const unsigned char *s, const unsigned char * doublec){
-	struct tm* tm;
-	int i;
-	char * format;
-	time_t t;
-
-	time(&t);
-	if(!param) return 0;
-	if(param->trafcountfunc)(*param->trafcountfunc)(param);
-	format = (char *)param->srv->logformat;
-	if(!format) format = "G%y%m%d%H%M%S.%. %p %E %U %C:%c %R:%r %O %I %h %T";
-	tm = (*format == 'G' || *format == 'g')?
-		gmtime(&t) : localtime(&t);
-	i = dobuf2(param, buf, s, doublec, tm, format + 1);
-	clearstat(param);
-	return i;
-}
-
-void lognone(struct clientparam * param, const unsigned char *s) {
-	if(param->trafcountfunc)(*param->trafcountfunc)(param);
-	clearstat(param);
-}
-unsigned char tmpbuf[8192];
-
-void logstdout(struct clientparam * param, const unsigned char *s) {
-	FILE *log;
-
-	pthread_mutex_lock(&log_mutex);
-	log = param->srv->stdlog?param->srv->stdlog:conf.stdlog?conf.stdlog:stdout;
-	dobuf(param, tmpbuf, s, NULL);
-	if(!param->nolog)if(fprintf(log, "%s\n", tmpbuf) < 0) {
-		perror("printf()");
-	};
-	if(log != conf.stdlog)fflush(log);
-	pthread_mutex_unlock(&log_mutex);
-}
-#ifndef _WIN32
-void logsyslog(struct clientparam * param, const unsigned char *s) {
-
-	pthread_mutex_lock(&log_mutex);
-	dobuf(param, tmpbuf, s, NULL);
-	if(!param->nolog)syslog(LOG_INFO, "%s", tmpbuf);
-	pthread_mutex_unlock(&log_mutex);
-}
-#endif
 
 int doconnect(struct clientparam * param){
  SASIZETYPE size;
@@ -657,7 +506,7 @@ int doconnect(struct clientparam * param){
 	return 0;
  if (param->remsock != INVALID_SOCKET){
 	size = sizeof(param->sinsr);
-	if(so._getpeername(param->remsock, (struct sockaddr *)&param->sinsr, &size)==-1) {return (15);}
+	if(param->srv->so._getpeername(param->sostate, param->remsock, (struct sockaddr *)&param->sinsr, &size)==-1) {return (14);}
  }
  else {
 	struct linger lg = {1,conf.timeouts[SINGLEBYTE_S]};
@@ -670,23 +519,7 @@ int doconnect(struct clientparam * param){
 		memcpy(SAADDR(&param->sinsr), SAADDR(&param->req), SAADDRLEN(&param->req)); 
 	}
 	if(!*SAPORT(&param->sinsr))*SAPORT(&param->sinsr) = *SAPORT(&param->req);
-	if ((param->remsock=so._socket(SASOCK(&param->sinsr), SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {return (11);}
-	so._setsockopt(param->remsock, SOL_SOCKET, SO_LINGER, (char *)&lg, sizeof(lg));
-#ifdef REUSE
-	{
-		int opt;
-
-#ifdef SO_REUSEADDR
-		opt = 1;
-		so._setsockopt(param->remsock, SOL_SOCKET, SO_REUSEADDR, (char *)&opt, sizeof(int));
-#endif
-#ifdef SO_REUSEPORT
-		opt = 1;
-		so._setsockopt(param->remsock, SOL_SOCKET, SO_REUSEPORT, (unsigned char *)&opt, sizeof(int));
-#endif
-	}
-#endif
-
+	if ((param->remsock=param->srv->so._socket(param->sostate, SASOCK(&param->sinsr), SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {return (11);}
 	if(SAISNULL(&param->sinsl)){
 #ifndef NOIPV6
 		if(*SAFAMILY(&param->sinsr) == AF_INET6) param->sinsl = param->srv->extsa6;
@@ -695,26 +528,50 @@ int doconnect(struct clientparam * param){
 			param->sinsl = param->srv->extsa;
 	}
 	*SAPORT(&param->sinsl) = 0;
-	if(so._bind(param->remsock, (struct sockaddr*)&param->sinsl, SASIZE(&param->sinsl))==-1) {
+	setopts(param->remsock, param->srv->srvsockopts);
+
+	param->srv->so._setsockopt(param->sostate, param->remsock, SOL_SOCKET, SO_LINGER, (char *)&lg, sizeof(lg));
+#ifdef REUSE
+	{
+		int opt;
+
+#ifdef SO_REUSEADDR
+		opt = 1;
+		param->srv->so._setsockopt(param->sostate, param->remsock, SOL_SOCKET, SO_REUSEADDR, (char *)&opt, sizeof(int));
+#endif
+#ifdef SO_REUSEPORT
+		opt = 1;
+		param->srv->so._setsockopt(param->sostate, param->remsock, SOL_SOCKET, SO_REUSEPORT, (unsigned char *)&opt, sizeof(int));
+#endif
+	}
+#endif
+#if defined SO_BINDTODEVICE
+	if(param->srv->obindtodevice) {
+		if(param->srv->so._setsockopt(param->sostate, param->remsock, SOL_SOCKET, SO_BINDTODEVICE, param->srv->obindtodevice, strlen(param->srv->obindtodevice) + 1))
+			return 12;
+	}
+#elif defined IP_BOUND_IF
+	if(param->srv->obindtodevice) {
+	    int idx;
+	    idx = if_nametoindex(param->srv->obindtodevice);
+	    if(!idx || (*SAFAMILY(&param->sinsl) == AF_INET && param->srv->so._setsockopt(param->sostate, param->remsock, IPPROTO_IP, IP_BOUND_IF, &idx, sizeof(idx))))
+			return 12;
+#ifndef NOIPV6
+	    if(*SAFAMILY(&param->sinsl) == AF_INET6 && param->srv->so._setsockopt(param->sostate, param->remsock, IPPROTO_IPV6, IPV6_BOUND_IF, &idx, sizeof(idx))) return 12;
+#endif
+	}
+#endif
+	if(param->srv->so._bind(param->sostate, param->remsock, (struct sockaddr*)&param->sinsl, SASIZE(&param->sinsl))==-1) {
 		return 12;
 	}
 	
 	if(param->operation >= 256 || (param->operation & CONNECT)){
-#ifdef _WIN32
-		unsigned long ul = 1;
-#endif
-		if(so._connect(param->remsock,(struct sockaddr *)&param->sinsr,SASIZE(&param->sinsr))) {
-			return (13);
+		if(connectwithpoll(param, param->remsock,(struct sockaddr *)&param->sinsr,SASIZE(&param->sinsr),CONNECT_TO)) {
+			return 13;
 		}
-		param->nconnects++;
-#ifdef _WIN32
-		ioctlsocket(param->remsock, FIONBIO, &ul);
-#else
-		fcntl(param->remsock,F_SETFL,O_NONBLOCK);
-#endif
 	}
 	size = sizeof(param->sinsl);
-	if(so._getsockname(param->remsock, (struct sockaddr *)&param->sinsl, &size)==-1) {return (15);}
+	if(param->srv->so._getsockname(param->sostate, param->remsock, (struct sockaddr *)&param->sinsl, &size)==-1) {return (15);}
  }
  return 0;
 }
@@ -806,11 +663,42 @@ unsigned long getip(unsigned char *name){
 }
 #endif
 
+int afdetect(unsigned char *name){
+	int ndots=0, ncols=0, nhex=0;
+	int i;
+
+	for(i=0; name[i]; i++){
+		if(name[i] == '.'){
+			if(++ndots > 3) {
+				return -1;
+			}
+		}
+		else if(name[i] == ':'){
+			if(++ncols > 7) {
+				return -1;
+			}
+		}
+		else if(name[i] == '%' || (name[i] >= 'a' && name[i] <= 'f') || (name[i] >= 'A' && name[i] <= 'F')){
+			nhex++;
+		}
+		else if(name[i] <'0' || name[i] >'9') {
+				return -1;
+		}
+	}
+	if(ndots == 3 && ncols == 0 && nhex == 0){
+		return AF_INET;
+	}
+	if(ncols >= 2) {
+		return AF_INET6;
+	}
+	return -1;
+
+}
+
 unsigned long getip46(int family, unsigned char *name,  struct sockaddr *sa){
 #ifndef NOIPV6
-	int ndots=0, ncols=0, nhex=0;
+	int detect;
 	struct addrinfo *ai, hint;
-	int i;
         RESOLVFUNC tmpresolv;
 
 	if(!sa) return 0;
@@ -822,34 +710,15 @@ unsigned long getip46(int family, unsigned char *name,  struct sockaddr *sa){
 #endif
 #ifndef NOIPV6
 	}
-	for(i=0; name[i]; i++){
-		if(name[i] == '.'){
-			if(++ndots > 3) {
-				break;
-			}
-		}
-		else if(name[i] == ':'){
-			if(++ncols > 7) {
-				break;
-			}
-		}
-		else if(name[i] == '%' || (name[i] >= 'a' && name[i] <= 'f') || (name[i] >= 'A' && name[i] <= 'F')){
-			nhex++;
-		}
-		else if(name[i] <'0' || name[i] >'9') {
-			break;
-		}
-	}
-	if(!name[i]){
-		if(ndots == 3 && ncols == 0 && nhex == 0){
-			*SAFAMILY(sa)=(family == 6)?AF_INET6 : AF_INET;
-			return inet_pton(*SAFAMILY(sa), (char *)name, SAADDR(sa))? *SAFAMILY(sa) : 0; 
-		}
-		if(ncols >= 2) {
-			*SAFAMILY(sa)=AF_INET6;
-			return inet_pton(AF_INET6, (char *)name, SAADDR(sa))?(family==4? 0:AF_INET6) : 0;
-		}
+
+	detect = afdetect(name);
+	if(detect != -1){
+		if(family == 4 && detect != AF_INET) return 0;
+		*SAFAMILY(sa) = (family == 6)? AF_INET6 : detect;
+		return inet_pton(*SAFAMILY(sa), (char *)name, SAADDR(sa))>0? *SAFAMILY(sa) : 0; 
 	}
+
+
 	if((tmpresolv = resolvfunc)){
 		int f = (family == 6 || family == 64)?AF_INET6:AF_INET;
 		*SAFAMILY(sa) = f;

src/conf.c

@@ -1,6 +1,16 @@
+/*
+   3APA3A simpliest proxy server
+   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
+
+   please read License Agreement
+
+*/
+
 #include "proxy.h"
 #ifndef _WIN32
 #include <sys/resource.h>
+#include <pwd.h>
+#include <grp.h>
 #ifndef NOPLUGINS
 #include <dlfcn.h>
 #endif
@@ -11,6 +21,7 @@
 #endif
 
 pthread_mutex_t bandlim_mutex;
+pthread_mutex_t connlim_mutex;
 pthread_mutex_t tc_mutex;
 pthread_mutex_t pwl_mutex;
 pthread_mutex_t hash_mutex;
@@ -150,14 +161,14 @@ int start_proxy_thread(struct child * chp){
 	if(h)CloseHandle(h);
 #else
 	pthread_attr_init(&pa);
-	pthread_attr_setstacksize(&pa,PTHREAD_STACK_MIN + (16384+conf.stacksize));
+	pthread_attr_setstacksize(&pa,PTHREAD_STACK_MIN + (32768+conf.stacksize));
 	pthread_attr_setdetachstate(&pa,PTHREAD_CREATE_DETACHED);
 	pthread_create(&thread, &pa, startsrv, (void *)chp);
 	pthread_attr_destroy(&pa);
 #endif
 	while(conf.threadinit)usleep(SLEEPTIME);
 	if(haveerror)  {
-		fprintf(stderr, "Service not started on line: %d\n", linenum);
+		fprintf(stderr, "Service not started on line: %d%s\n", linenum, haveerror == 2? ": insufficient memory":"");
 		return(40);
 	}
 	return 0;
@@ -213,6 +224,13 @@ static int h_proxy(int argc, unsigned char ** argv){
 		}
 #endif
 	}
+	else if(!strcmp((char *)argv[0], "auto")) {
+		childdef.pf = autochild;
+		childdef.port = 8080;
+		childdef.isudp = 0;
+		childdef.service = S_AUTO;
+		childdef.helpmessage = "";
+	}
 	else if(!strcmp((char *)argv[0], "tcppm")) {
 		childdef.pf = tcppmchild;
 		childdef.port = 0;
@@ -220,22 +238,13 @@ static int h_proxy(int argc, unsigned char ** argv){
 		childdef.service = S_TCPPM;
 		childdef.helpmessage = "";
 	}
-	else if(!strcmp((char *)argv[0], "icqpr")) {
-		childdef.pf = icqprchild;
-		childdef.port = 0;
+	else if(!strcmp((char *)argv[0], "tlspr")) {
+		childdef.pf = tlsprchild;
+		childdef.port = 1443;
 		childdef.isudp = 0;
-		childdef.service = S_ICQPR;
+		childdef.service = S_TLSPR;
 		childdef.helpmessage = "";
 	}
-/*
-	else if(!strcmp((char *)argv[0], "msnpr")) {
-		childdef.pf = msnprchild;
-		childdef.port = 0;
-		childdef.isudp = 0;
-		childdef.service = S_MSNPR;
-		childdef.helpmessage = "";
-	}
-*/
 	else if(!strcmp((char *)argv[0], "udppm")) {
 		childdef.pf = udppmchild;
 		childdef.port = 0;
@@ -284,53 +293,67 @@ static int h_external(int argc, unsigned char ** argv){
 	return 0;
 }
 
+
 static int h_log(int argc, unsigned char ** argv){ 
 	unsigned char tmpbuf[8192];
-	conf.logfunc = logstdout;
-	if(conf.logtarget){
+	int notchanged = 0;
+
+
+	havelog = 1;
+	if(argc > 1 && conf.logtarget && !strcmp((char *)conf.logtarget, (char *)argv[1])) {
+		notchanged = 1;
+	}
+	if(!notchanged && conf.logtarget){
 		myfree(conf.logtarget);
 		conf.logtarget = NULL;
 	}
 	if(argc > 1) {
-		conf.logtarget = (unsigned char *)mystrdup((char *)argv[1]);
+		if(!strcmp((char *) argv[1], "/dev/null")) {
+			conf.logfunc = lognone;
+			return 0;
+		}
+		if(!notchanged) conf.logtarget = (unsigned char *)mystrdup((char *)argv[1]);
 		if(*argv[1]=='@'){
 #ifndef _WIN32
-			openlog((char *)conf.logtarget+1, LOG_PID, LOG_DAEMON);
 			conf.logfunc = logsyslog;
+			if(notchanged) return 0;
+			openlog((char *)conf.logtarget+1, LOG_PID, LOG_DAEMON);
 #endif
 		}
 #ifndef NOODBC
 		else if(*argv[1]=='&'){
+			conf.logfunc = logsql;
+			if(notchanged) return 0;
 			pthread_mutex_lock(&log_mutex);
 			close_sql();
 			init_sql((char *)argv[1]+1);
 			pthread_mutex_unlock(&log_mutex);
-			conf.logfunc = logsql;
+		}
+#endif
+#ifndef NORADIUS
+		else if(!strcmp((char *)argv[1],"radius")){
+			conf.logfunc = logradius;
 		}
 #endif
 		else {
-			FILE *fp;
 			if(argc > 2) {
 				conf.logtype = getrotate(*argv[2]);
 			}
+			conf.logfunc = logstdout;
+			if(notchanged) return 0;
 			conf.logtime = time(0);
 			if(conf.logname)myfree(conf.logname);
 			conf.logname = (unsigned char *)mystrdup((char *)argv[1]);
-			fp = fopen((char *)dologname (tmpbuf, conf.logname, NULL, conf.logtype, conf.logtime), "a");
-			if(!fp){
+			if(conf.stdlog) conf.stdlog = freopen((char *)dologname (tmpbuf, conf.logname, NULL, conf.logtype, conf.logtime), "a", conf.stdlog);
+			else conf.stdlog = fopen((char *)dologname (tmpbuf, conf.logname, NULL, conf.logtype, conf.logtime), "a");
+			if(!conf.stdlog){
 				perror((char *)tmpbuf);
 				return 1;
 			}
-			else {
-				if(conf.stdlog)fclose(conf.stdlog);
-				conf.stdlog = fp;
-#ifdef _WINCE
-				freopen(tmpbuf, "w", stdout);
-				freopen(tmpbuf, "w", stderr);
-#endif
-			}
+
 		}
 	}
+	else conf.logfunc = logstdout;
 	return 0;
 }
 
@@ -363,6 +386,7 @@ static int h_daemon(int argc, unsigned char **argv){
 static int h_config(int argc, unsigned char **argv){
 	if(conf.conffile)myfree(conf.conffile);
 	conf.conffile = mystrdup((char *)argv[1]);
+	if(!conf.conffile) return 21;
 	return 0;
 }
 
@@ -394,7 +418,6 @@ static int h_archiver(int argc, unsigned char **argv){
 static int h_counter(int argc, unsigned char **argv){
 	struct counter_header ch1;
 	if(conf.counterd >=0)close(conf.counterd);
-	if(!conf.trafcountfunc) conf.trafcountfunc = trafcountfunc;
 	conf.counterd = open((char *)argv[1], O_BINARY|O_RDWR|O_CREAT, 0660);
 	if(conf.counterd<0){
 		fprintf(stderr, "Unable to open counter file %s, line %d\n", argv[1], linenum);
@@ -437,8 +460,9 @@ static int h_rotate(int argc, unsigned char **argv){
 }
 
 static int h_logformat(int argc, unsigned char **argv){
-	if(conf.logformat) myfree(conf.logformat);
+	unsigned char * old = conf.logformat;
 	conf.logformat = (unsigned char *)mystrdup((char *)argv[1]);
+	if(old) myfree(old);
 	return 0;
 }
 
@@ -468,6 +492,9 @@ static int h_auth(int argc, unsigned char **argv){
 	  for(au = authfuncs; au; au=au->next){
 		if(!strcmp((char *)argv[argc], au->desc)){
 			newau = myalloc(sizeof(struct auth));
+			if(!newau) {
+				return 21;
+			}
 			newau->next = conf.authfuncs;
 			conf.authfuncs = newau;
 			conf.authfuncs->desc = au->desc;
@@ -489,8 +516,7 @@ static int h_users(int argc, unsigned char **argv){
 
 	for (j = 1; j<argc; j++) {
 		if(!(pwl = myalloc(sizeof(struct passwords)))) {
-			fprintf(stderr, "No memory for PWL entry, line %d\n", linenum);
-			return(1);
+			return(21);
 		}
 		memset(pwl, 0, sizeof(struct passwords));
 
@@ -502,6 +528,7 @@ static int h_users(int argc, unsigned char **argv){
 		else {
 			*arg = 0;
 			pwl->user = (unsigned char *)mystrdup((char *)argv[j]);
+
 			if((arg[1] == 'C' && arg[2] == 'L' && (pwl->pwtype = CL)) ||
 				(arg[1] == 'C' && arg[2] == 'R' && (pwl->pwtype = CR)) ||
 				(arg[1] == 'N' && arg[2] == 'T' && (pwl->pwtype = NT)) ||
@@ -512,7 +539,9 @@ static int h_users(int argc, unsigned char **argv){
 				pwl->password = (unsigned char *) mystrdup((char *)arg + 1);
 				pwl->pwtype = UN;
 			}
+			if(!pwl->password) return 3;
 		}
+		if(!pwl->user) return 21;
 		pthread_mutex_lock(&pwl_mutex);
 		pwl->next = conf.pwl;
 		conf.pwl = pwl;
@@ -543,6 +572,14 @@ static int h_maxconn(int argc, unsigned char **argv){
 	return 0;
 }
 
+static int h_backlog(int argc, unsigned char **argv){
+	conf.backlog = atoi((char *)argv[1]);
+	if(conf.maxchild < 0) {
+		return(1);
+	}
+	return 0;
+}
+
 static int h_flush(int argc, unsigned char **argv){
 	freeacl(conf.acl);
 	conf.acl = NULL;
@@ -609,6 +646,15 @@ static int h_nscache(int argc, unsigned char **argv){
 	}
 	return 0;
 }
+
+static int h_parentretries(int argc, unsigned char **argv){
+  int res;
+
+	res = atoi((char *)argv[1]);
+	if(res > 0) conf.parentretries = res;
+	return 0;
+}
+
 static int h_nscache6(int argc, unsigned char **argv){
   int res;
 
@@ -669,21 +715,48 @@ static int h_monitor(int argc, unsigned char **argv){
   struct filemon * fm;
 
 	fm = myalloc(sizeof (struct filemon));
+	if(!fm) return 21;
 	if(stat((char *)argv[1], &fm->sb)){
 		myfree(fm);
 		fprintf(stderr, "Warning: file %s doesn't exist on line %d\n", argv[1], linenum);
 	}
 	else {
 		fm->path = mystrdup((char *)argv[1]);
+		if(!fm->path) return 21;
 		fm->next = conf.fmon;
 		conf.fmon = fm;
 	}
 	return 0;
 }
 
+
+struct redirdesc redirs[] = {
+    {R_TCP, "tcp", tcppmchild},
+    {R_CONNECT, "connect", proxychild},
+    {R_SOCKS4, "socks4", sockschild},
+    {R_SOCKS5, "socks5", sockschild},
+    {R_HTTP, "http", proxychild},
+    {R_POP3, "pop3", pop3pchild},
+    {R_SMTP, "smtp", smtppchild},
+    {R_FTP, "ftp", ftpprchild},
+    {R_CONNECTP, "connect+", proxychild},
+    {R_SOCKS4P, "socks4+", sockschild},
+    {R_SOCKS5P, "socks5+", sockschild},
+    {R_SOCKS4B, "socks4b", sockschild},
+    {R_SOCKS5B, "socks5b", sockschild},
+    {R_ADMIN, "admin", adminchild},
+    {R_EXTIP, "extip", NULL},
+    {R_TLS, "tls", tlsprchild},
+    {R_HA, "ha", NULL},
+    {R_DNS, "dns", dnsprchild},
+    {0, NULL, NULL}
+};
+
 static int h_parent(int argc, unsigned char **argv){
   struct ace *acl = NULL;
   struct chain *chains;
+  char * cidr;
+  int i;
 
 	acl = conf.acl;
 	while(acl && acl->next) acl = acl->next;
@@ -693,50 +766,47 @@ static int h_parent(int argc, unsigned char **argv){
 	}
 	acl->action = 2;
 
-	chains = NULL;
-	if(!acl->chains) {
-		chains = acl->chains = myalloc(sizeof(struct chain));
-	}
-	else {
-		chains = acl->chains;
-		while(chains->next)chains = chains->next;
-		chains->next = myalloc(sizeof(struct chain));
-		chains = chains->next;
+	chains = myalloc(sizeof(struct chain));
+	if(!chains){
+		return(21);
 	}
 	memset(chains, 0, sizeof(struct chain));
-	if(!chains){
-		fprintf(stderr, "Chainig error: unable to allocate memory for chain\n");
-		return(2);
-	}
 	chains->weight = (unsigned)atoi((char *)argv[1]);
 	if(chains->weight == 0 || chains->weight >1000) {
 		fprintf(stderr, "Chaining error: bad chain weight %u line %d\n", chains->weight, linenum);
 		return(3);
 	}
-	if(!strcmp((char *)argv[2], "tcp"))chains->type = R_TCP;
-	else if(!strcmp((char *)argv[2], "http"))chains->type = R_HTTP;
-	else if(!strcmp((char *)argv[2], "connect"))chains->type = R_CONNECT;
-	else if(!strcmp((char *)argv[2], "socks4"))chains->type = R_SOCKS4;
-	else if(!strcmp((char *)argv[2], "socks5"))chains->type = R_SOCKS5;
-	else if(!strcmp((char *)argv[2], "connect+"))chains->type = R_CONNECTP;
-	else if(!strcmp((char *)argv[2], "socks4+"))chains->type = R_SOCKS4P;
-	else if(!strcmp((char *)argv[2], "socks5+"))chains->type = R_SOCKS5P;
-	else if(!strcmp((char *)argv[2], "socks4b"))chains->type = R_SOCKS4B;
-	else if(!strcmp((char *)argv[2], "socks5b"))chains->type = R_SOCKS5B;
-	else if(!strcmp((char *)argv[2], "pop3"))chains->type = R_POP3;
-	else if(!strcmp((char *)argv[2], "ftp"))chains->type = R_FTP;
-	else if(!strcmp((char *)argv[2], "admin"))chains->type = R_ADMIN;
-	else if(!strcmp((char *)argv[2], "icq"))chains->type = R_ICQ;
-	else if(!strcmp((char *)argv[2], "extip"))chains->type = R_EXTIP;
-	else if(!strcmp((char *)argv[2], "smtp"))chains->type = R_SMTP;
-	else {
+	for(i = 0; redirs[i].name ; i++){
+	    if(!strcmp((char *)argv[2], redirs[i].name)) {
+		chains->type = redirs[i].redir;
+		break;
+	    }
+	}
+	if(!redirs[i].name) {
 		fprintf(stderr, "Chaining error: bad chain type (%s)\n", argv[2]);
 		return(4);
 	}
-	if(!getip46(46, argv[3], (struct sockaddr *)&chains->addr)) return 5;
+	cidr = strchr((char *)argv[3], '/');
+	if(cidr) *cidr = 0;
+	if(!getip46(46, argv[3], (struct sockaddr *)&chains->addr)) return (5);
+	chains->exthost = (unsigned char *)mystrdup((char *)argv[3]);
+	if(!chains->exthost) return 21;
+	if(cidr){
+		*cidr = '/';
+		chains->cidr = atoi(cidr + 1);
+	}
 	*SAPORT(&chains->addr) = htons((unsigned short)atoi((char *)argv[4]));
 	if(argc > 5) chains->extuser = (unsigned char *)mystrdup((char *)argv[5]);
 	if(argc > 6) chains->extpass = (unsigned char *)mystrdup((char *)argv[6]);
+	if(!acl->chains) {
+		acl->chains = chains;
+	}
+	else {
+		struct chain *tmpchain;
+
+		for(tmpchain = acl->chains; tmpchain->next; tmpchain = tmpchain->next);
+		tmpchain->next = chains;
+	}
 	return 0;
 	
 }
@@ -750,7 +820,7 @@ static int h_nolog(int argc, unsigned char **argv){
 		return(1);
 	}
 	while(acl->next) acl = acl->next;
-	if(!strcmp((char *)argv[0],"nolog")) acl->nolog = 1;
+	if(argc == 1) acl->nolog = 1;
 	else acl->weight = atoi((char*)argv[1]);
 	return 0;
 }
@@ -763,13 +833,23 @@ int scanipl(unsigned char *arg, struct iplist *dst){
 #endif
         char * slash, *dash;
 	int masklen, addrlen;
+	int res;
+
 	if((slash = strchr((char *)arg, '/'))) *slash = 0;
 	if((dash = strchr((char *)arg,'-'))) *dash = 0;
 	
-	if(!getip46(46, arg, (struct sockaddr *)&sa)) return 1;
+	if(afdetect(arg) == -1) {
+		if(slash)*slash = '/';
+		if(dash)*dash = '-';
+		return 1;
+	}
+	res = getip46(46, arg, (struct sockaddr *)&sa);
+	if(dash)*dash = '-';
+	if(!res) return 1;
 	memcpy(&dst->ip_from, SAADDR(&sa), SAADDRLEN(&sa));
 	dst->family = *SAFAMILY(&sa);
 	if(dash){
+		if(afdetect((unsigned char *)dash+1) == -1) return 1;
 		if(!getip46(46, (unsigned char *)dash+1, (struct sockaddr *)&sa)) return 2;
 		memcpy(&dst->ip_to, SAADDR(&sa), SAADDRLEN(&sa));
 		if(*SAFAMILY(&sa) != dst->family || memcmp(&dst->ip_to, &dst->ip_from, SAADDRLEN(&sa)) < 0) return 3;
@@ -777,6 +857,7 @@ int scanipl(unsigned char *arg, struct iplist *dst){
 	}
 	memcpy(&dst->ip_to, &dst->ip_from, SAADDRLEN(&sa));
 	if(slash){
+		*slash = '/';
 		addrlen = SAADDRLEN(&sa);
 		masklen = atoi(slash+1);
 		if(masklen < 0 || masklen > (addrlen*8)) return 4;
@@ -826,6 +907,7 @@ struct ace * make_ace (int argc, unsigned char ** argv){
 				}
 				memset(userl, 0, sizeof(struct userlist));
 				userl->user=(unsigned char*)mystrdup((char *)arg);
+				if(!userl->user) return NULL;
 			} while((arg = (unsigned char *)strtok((char *)NULL, ",")));
 		}
 		if(argc > 1  && strcmp("*", (char *)argv[1])) {
@@ -854,9 +936,11 @@ struct ace * make_ace (int argc, unsigned char ** argv){
 			do {
 			 int arglen;
 			 unsigned char *pattern;
+			 struct iplist tmpip={NULL};
 			 
 			 arglen = (int)strlen((char *)arg);
-			 if(arglen > 0 && (arg[arglen-1] < '0' || arg[arglen-1] > '9')){
+			 if(scanipl(arg, &tmpip)){
+				if(!arglen) continue;
 				if(!acl->dstnames) {
 					acl->dstnames = hostnamel = myalloc(sizeof(struct hostname));
 				}
@@ -900,11 +984,7 @@ struct ace * make_ace (int argc, unsigned char ** argv){
 					fprintf(stderr, "No memory for ACL entry, line %d\n", linenum);
 					return(NULL);
 				}
-				memset(ipl, 0, sizeof(struct iplist));
-				if (scanipl(arg, ipl)) {
-						fprintf(stderr, "Invalid IP, IP range or CIDR, line %d\n", linenum);
-						return(NULL);
-				}
+				*ipl = tmpip;
 			 }
 			}while((arg = (unsigned char *)strtok((char *)NULL, ",")));
 		}
@@ -991,9 +1071,6 @@ struct ace * make_ace (int argc, unsigned char ** argv){
 				else if(!strcmp((char *)arg, "DNSRESOLVE")){
 					acl->operation |= DNSRESOLVE;
 				}
-				else if(!strcmp((char *)arg, "ICQ")){
-					acl->operation |= IM_ICQ;
-				}
 				else {
 					fprintf(stderr, "Unknown operation type: %s line %d\n", arg, linenum);
 					return(NULL);
@@ -1068,6 +1145,7 @@ static int h_ace(int argc, unsigned char **argv){
   struct ace *acl = NULL;
   struct bandlim * nbl;
   struct trafcount * tl;
+  struct connlim * ncl;
 
 	if(!strcmp((char *)argv[0], "allow")){
 		res = ALLOW;
@@ -1100,6 +1178,20 @@ static int h_ace(int argc, unsigned char **argv){
 	else if(!strcmp((char *)argv[0], "nocountout")){
 		res = NOCOUNTOUT;
 	}
+	else if(!strcmp((char *)argv[0], "countall")){
+		res = COUNTALL;
+		offset = 3;
+	}
+	else if(!strcmp((char *)argv[0], "nocountall")){
+		res = NOCOUNTALL;
+	}
+	else if(!strcmp((char *)argv[0], "connlim")){
+		res = CONNLIM;
+		offset = 2;
+	}
+	else if(!strcmp((char *)argv[0], "noconnlim")){
+		res = NOCONNLIM;
+	}
 	acl = make_ace(argc - (offset+1), argv + (offset + 1));
 	if(!acl) {
 		fprintf(stderr, "Unable to parse ACL entry, line %d\n", linenum);
@@ -1109,18 +1201,15 @@ static int h_ace(int argc, unsigned char **argv){
 	switch(acl->action){
 	case REDIRECT:
 		acl->chains = myalloc(sizeof(struct chain));
-		memset(acl->chains, 0, sizeof(struct chain)); 
 		if(!acl->chains) {
-			fprintf(stderr, "No memory for ACL entry, line %d\n", linenum);
-			return(2);
+			freeacl(acl);
+			return(21);
 		}
+		memset(acl->chains, 0, sizeof(struct chain)); 
 		acl->chains->type = R_HTTP;
 		if(!getip46(46, argv[1], (struct sockaddr *)&acl->chains->addr)) return 5;
 		*SAPORT(&acl->chains->addr) = htons((unsigned short)atoi((char *)argv[2]));
 		acl->chains->weight = 1000;
-		acl->chains->extuser = NULL;
-		acl->chains->extpass = NULL;
-		acl->chains->next = NULL;
 	case ALLOW:
 	case DENY:
 		if(!conf.acl){
@@ -1133,19 +1222,47 @@ static int h_ace(int argc, unsigned char **argv){
 			acei->next = acl;
 		}
 		break;
+	case CONNLIM:
+	case NOCONNLIM:
+		ncl = myalloc(sizeof(struct connlim));
+		if(!ncl) {
+			freeacl(acl);
+			return(21);
+		}
+		memset(ncl, 0, sizeof(struct connlim));
+		ncl->ace = acl;
+		if(acl->action == CONNLIM) {
+			sscanf((char *)argv[1], "%u", &ncl->rate);
+			sscanf((char *)argv[2], "%u", &ncl->period);
+		}
+		pthread_mutex_lock(&connlim_mutex);
+		if(!conf.connlimiter){
+			conf.connlimiter = ncl;
+		}
+		else {
+			struct connlim * cli;
+
+			for(cli = conf.connlimiter; cli->next; cli = cli->next);
+			cli->next = ncl;
+		}
+		pthread_mutex_unlock(&connlim_mutex);			
+		break;
+
 	case BANDLIM:
 	case NOBANDLIM:
 
 		nbl = myalloc(sizeof(struct bandlim));
 		if(!nbl) {
-			fprintf(stderr, "No memory to create band limit filter\n");
-			return(3);
+			freeacl(acl);
+			return(21);
 		}
 		memset(nbl, 0, sizeof(struct bandlim));
 		nbl->ace = acl;
 		if(acl->action == BANDLIM) {
 			sscanf((char *)argv[1], "%u", &nbl->rate);
 			if(nbl->rate < 300) {
+				myfree(nbl);
+				freeacl(acl);
 				fprintf(stderr, "Wrong bandwidth specified, line %d\n", linenum);
 				return(4);
 			}
@@ -1173,7 +1290,7 @@ static int h_ace(int argc, unsigned char **argv){
 				bli->next = nbl;
 			}
 		}
-
+		conf.bandlimver++;
 		pthread_mutex_unlock(&bandlim_mutex);			
 		break;
 
@@ -1181,15 +1298,18 @@ static int h_ace(int argc, unsigned char **argv){
 	case NOCOUNTIN:
 	case COUNTOUT:
 	case NOCOUNTOUT:
+	case COUNTALL:
+	case NOCOUNTALL:
+		if(!conf.trafcountfunc) conf.trafcountfunc = trafcountfunc;
 		tl = myalloc(sizeof(struct trafcount));
 		if(!tl) {
-			fprintf(stderr, "No memory to create traffic limit filter\n");
-			return(5);
+			freeacl(acl);
+			return(21);
 		}
 		memset(tl, 0, sizeof(struct trafcount));
 		tl->ace = acl;
 	
-		if((acl->action == COUNTIN)||(acl->action == COUNTOUT)) {
+		if((acl->action == COUNTIN)||(acl->action == COUNTOUT)||(acl->action == COUNTALL)) {
 			unsigned long lim;
 
 			tl->comment = ( char *)argv[1];
@@ -1202,6 +1322,8 @@ static int h_ace(int argc, unsigned char **argv){
 			tl->type = getrotate(*argv[2]);
 			tl->traflim64 =  ((uint64_t)lim)*(1024*1024);
 			if(!tl->traflim64) {
+				myfree(tl);
+				freeacl(acl);
 				fprintf(stderr, "Wrong traffic limit specified, line %d\n", linenum);
 				return(6);
 			}
@@ -1253,11 +1375,58 @@ static int h_delimchar(int argc, unsigned char **argv){
 	return 0;
 }
 
+
+#ifndef NORADIUS
+static int h_radius(int argc, unsigned char **argv){
+	unsigned short port;
+
+/*
+	int oldrad;
+#ifdef NOIPV6
+	struct  sockaddr_in bindaddr;
+#else
+	struct  sockaddr_in6 bindaddr;
+#endif
+
+	oldrad = nradservers;
+	nradservers = 0;
+	for(; oldrad; oldrad--){
+		if(radiuslist[oldrad].logsock >= 0) so._closesocket(radiuslist[oldrad].logsock);
+		radiuslist[oldrad].logsock = -1;
+	}
+*/
+	memset(radiuslist, 0, sizeof(radiuslist));
+	if(strlen((char *)argv[1]) > 63) argv[1][63] = 0;
+	strcpy(radiussecret, (char *)argv[1]);
+	for( nradservers=0; nradservers < MAXRADIUS && nradservers < argc -2; nradservers++){
+		char *s = 0;
+		if((s=strchr((char *)argv[nradservers + 2], '/'))){
+			*s = 0;
+			s++;
+		}
+		if( !getip46(46, argv[nradservers + 2], (struct sockaddr *)&radiuslist[nradservers].authaddr)) return 1;
+		if( s && !getip46(46, (unsigned char *)s+1, (struct sockaddr *)&radiuslist[nradservers].localaddr)) return 2;
+		if(!*SAPORT(&radiuslist[nradservers].authaddr))*SAPORT(&radiuslist[nradservers].authaddr) = htons(1812);
+		port = ntohs(*SAPORT(&radiuslist[nradservers].authaddr));
+		radiuslist[nradservers].logaddr = radiuslist[nradservers].authaddr;
+ 	        *SAPORT(&radiuslist[nradservers].logaddr) = htons(port+1);
+/*
+		bindaddr = radiuslist[nradservers].localaddr;
+		if ((radiuslist[nradservers].logsock = so._socket(SASOCK(&radiuslist[nradservers].logaddr), SOCK_DGRAM, 0)) < 0) return 2;
+		if (so._bind(radiuslist[nradservers].logsock, (struct sockaddr *)&bindaddr, SASIZE(&bindaddr))) return 3;
+*/
+	}
+	return 0;
+}
+#endif
 static int h_authcache(int argc, unsigned char **argv){
 	conf.authcachetype = 0;
 	if(strstr((char *) *(argv + 1), "ip")) conf.authcachetype |= 1;
 	if(strstr((char *) *(argv + 1), "user")) conf.authcachetype |= 2;
 	if(strstr((char *) *(argv + 1), "pass")) conf.authcachetype |= 4;
+	if(strstr((char *) *(argv + 1), "limit")) conf.authcachetype |= 8;
+	if(strstr((char *) *(argv + 1), "acl")) conf.authcachetype |= 16;
+	if(strstr((char *) *(argv + 1), "ext")) conf.authcachetype |= 32;
 	if(argc > 2) conf.authcachetime = (unsigned) atoi((char *) *(argv + 2));
 	if(!conf.authcachetype) conf.authcachetype = 6;
 	if(!conf.authcachetime) conf.authcachetime = 600;
@@ -1303,9 +1472,23 @@ static int h_plugin(int argc, unsigned char **argv){
 }
 
 #ifndef _WIN32
+
+uid_t strtouid(unsigned char *str){
+ uid_t res = 0;
+
+	if(!isnumber(*(char *)str)){
+		struct passwd *pw;
+		pw = getpwnam((char *)str);
+		if(pw) res = pw->pw_uid;
+	}
+	else res = atoi((char *)str);
+	return res;
+}
+
+
 static int h_setuid(int argc, unsigned char **argv){
-  int res;
-	res = atoi((char *)argv[1]);
+  uid_t res = 0;
+	res = strtouid(argv[1]);
 	if(!res || setreuid(res,res)) {
 		fprintf(stderr, "Unable to set uid %d", res);
 		return(1);
@@ -1313,10 +1496,22 @@ static int h_setuid(int argc, unsigned char **argv){
 	return 0;
 }
 
-static int h_setgid(int argc, unsigned char **argv){
-  int res;
+gid_t strtogid(unsigned char *str){
+  gid_t res = 0;
 
-	res = atoi((char *)argv[1]);
+	if(!isnumber(*(char *)str)){
+		struct group *gr;
+		gr = getgrnam((char *)str);
+		if(gr) res = gr->gr_gid;
+	}
+	else res = atoi((char *)str);
+	return res;
+}
+
+static int h_setgid(int argc, unsigned char **argv){
+  gid_t res = 0;
+
+	res = strtogid(argv[1]);
 	if(!res || setregid(res,res)) {
 		fprintf(stderr, "Unable to set gid %d", res);
 		return(1);
@@ -1326,6 +1521,22 @@ static int h_setgid(int argc, unsigned char **argv){
 
 
 static int h_chroot(int argc, unsigned char **argv){
+	uid_t uid = 0;
+	gid_t gid = 0;
+	if(argc > 2) {
+		uid = strtouid(argv[2]);
+		if(!uid){
+			fprintf(stderr, "Unable to resolve uid %s", argv[2]);
+			return(2);
+		}
+        }
+	if(argc > 3) {
+		gid = strtogid(argv[3]);
+		if(!gid){
+			fprintf(stderr, "Unable to resolve gid %s", argv[3]);
+			return(3);
+		}
+        }
 	if(!chrootp){
 		char *p;
 		if(chroot((char *)argv[1])) {
@@ -1338,7 +1549,17 @@ static int h_chroot(int argc, unsigned char **argv){
 			*p = 0;
 		}
 		chrootp = mystrdup((char *)argv[1]);
+		if(!chrootp) return 21;
 	}
+	if (gid && setregid(gid,gid)) {
+		fprintf(stderr, "Unable to set gid %d", (int)gid);
+		return(4);
+	}
+	if (uid && setreuid(uid,uid)) {
+		fprintf(stderr, "Unable to set uid %d", (int)uid);
+		return(5);
+	}
+	chdir("/");
 	return 0;
 }
 #endif
@@ -1348,7 +1569,7 @@ struct commands specificcommands[]={
 #ifndef _WIN32
 	{specificcommands+1, "setuid", h_setuid, 2, 2},
 	{specificcommands+2, "setgid", h_setgid, 2, 2},
-	{specificcommands+3, "chroot", h_chroot, 2, 2},
+	{specificcommands+3, "chroot", h_chroot, 2, 4},
 #endif
 	{NULL, 		"", h_noop, 1, 0}
 };
@@ -1376,7 +1597,7 @@ struct commands commandhandlers[]={
 	{commandhandlers+20, "logformat", h_logformat, 2, 2},
 	{commandhandlers+21, "timeouts", h_timeouts, 2, 0},
 	{commandhandlers+22, "auth", h_auth, 2, 0},
-	{commandhandlers+23, "users", h_users, 2, 0},
+	{commandhandlers+23, "users", h_users, 1, 0},
 	{commandhandlers+24, "maxconn", h_maxconn, 2, 2},
 	{commandhandlers+25, "flush", h_flush, 1, 1},
 	{commandhandlers+26, "nserver", h_nserver, 2, 2},
@@ -1400,20 +1621,29 @@ struct commands commandhandlers[]={
 	{commandhandlers+44, "nocountin", h_ace, 1, 0},
 	{commandhandlers+45, "countout", h_ace, 4, 0},
 	{commandhandlers+46, "nocountout", h_ace, 1, 0},
-	{commandhandlers+47, "plugin", h_plugin, 3, 0},
-	{commandhandlers+48, "logdump", h_logdump, 2, 3},
-	{commandhandlers+49, "filtermaxsize", h_filtermaxsize, 2, 2},
-	{commandhandlers+50, "nolog", h_nolog, 1, 1},
-	{commandhandlers+51, "weight", h_nolog, 2, 2},
-	{commandhandlers+52, "authcache", h_authcache, 2, 3},
-	{commandhandlers+53, "smtpp", h_proxy, 1, 0},
-	{commandhandlers+54, "icqpr", h_proxy, 4, 0},
-	{commandhandlers+55, "msnpr", h_proxy, 4, 0},
-	{commandhandlers+56, "delimchar",h_delimchar, 2, 2},
-	{commandhandlers+57, "authnserver", h_authnserver, 2, 2},
-	{commandhandlers+58, "stacksize", h_stacksize, 2, 2},
-	{commandhandlers+59, "force", h_force, 1, 1},
-	{commandhandlers+60, "noforce", h_noforce, 1, 1},
+	{commandhandlers+47, "countall", h_ace, 4, 0},
+	{commandhandlers+48, "nocountall", h_ace, 1, 0},
+	{commandhandlers+49, "connlim", h_ace, 4, 0},
+	{commandhandlers+50, "noconnlim", h_ace, 1, 0},
+	{commandhandlers+51, "plugin", h_plugin, 3, 0},
+	{commandhandlers+52, "logdump", h_logdump, 2, 3},
+	{commandhandlers+53, "filtermaxsize", h_filtermaxsize, 2, 2},
+	{commandhandlers+54, "nolog", h_nolog, 1, 1},
+	{commandhandlers+55, "weight", h_nolog, 2, 2},
+	{commandhandlers+56, "authcache", h_authcache, 2, 3},
+	{commandhandlers+57, "smtpp", h_proxy, 1, 0},
+	{commandhandlers+58, "delimchar",h_delimchar, 2, 2},
+	{commandhandlers+59, "authnserver", h_authnserver, 2, 2},
+	{commandhandlers+60, "stacksize", h_stacksize, 2, 2},
+	{commandhandlers+61, "force", h_force, 1, 1},
+	{commandhandlers+62, "noforce", h_noforce, 1, 1},
+	{commandhandlers+63, "parentretries", h_parentretries, 2, 2},
+	{commandhandlers+64,  "auto", h_proxy, 1, 0},
+	{commandhandlers+65, "backlog", h_backlog, 2, 2},
+	{commandhandlers+66,  "tlspr", h_proxy, 1, 0},
+#ifndef NORADIUS
+	{commandhandlers+67, "radius", h_radius, 3, 0},
+#endif
 	{specificcommands, 	 "", h_noop, 1, 0}
 };
 
@@ -1534,7 +1764,7 @@ int readconfig(FILE * fp){
 	argc = parsestr (buf, argv, NPARAMS-1, &buf, &inbuf, &bufsize);
 	if(argc < 1) {
 		fprintf(stderr, "Parse error line %d\n", linenum);
-		return(21);
+		return(11);
 	}
 	argv[argc] = NULL;
 	if(!strcmp((char *)argv[0], "end") && argc == 1) {	
@@ -1585,6 +1815,7 @@ void freepwl(struct passwords *pwl){
 void freeconf(struct extparam *confp){
  struct bandlim * bl;
  struct bandlim * blout;
+ struct connlim * cl;
  struct trafcount * tc;
  struct passwords *pw;
  struct ace *acl;
@@ -1614,7 +1845,12 @@ void freeconf(struct extparam *confp){
  confp->bandlimiter = NULL;
  confp->bandlimiterout = NULL;
  confp->bandlimfunc = NULL;
+ confp->bandlimver++;
  pthread_mutex_unlock(&bandlim_mutex);
+ pthread_mutex_lock(&connlim_mutex);
+ cl = confp->connlimiter;
+ confp->connlimiter = NULL;
+ pthread_mutex_unlock(&connlim_mutex);
 
  pthread_mutex_lock(&pwl_mutex);
  pw = confp->pwl;
@@ -1622,14 +1858,18 @@ void freeconf(struct extparam *confp){
  pthread_mutex_unlock(&pwl_mutex);
 
 
+/*
  logtarget = confp->logtarget;
  confp->logtarget = NULL;
- logformat = confp->logformat;
- confp->logformat = NULL;
  logname = confp->logname;
  confp->logname = NULL;
+*/
+ confp->logfunc = lognone;
+ logformat = confp->logformat;
+ confp->logformat = NULL;
  confp->rotate = 0;
  confp->logtype = NONE;
+ confp->logtime = confp->time = 0;
 
  archiverc = confp->archiverc;
  confp->archiverc = 0;
@@ -1646,13 +1886,12 @@ void freeconf(struct extparam *confp){
 #endif
  *SAFAMILY(&confp->intsa) = AF_INET;
  *SAFAMILY(&confp->extsa) = AF_INET;
- confp->singlepacket = 0;
  confp->maxchild = 100;
+ confp->backlog = 0;
  resolvfunc = NULL;
  numservers = 0;
  acl = confp->acl;
  confp->acl = NULL;
- confp->logtime = confp->time = 0;
 
  usleep(SLEEPTIME);
 
@@ -1671,6 +1910,7 @@ void freeconf(struct extparam *confp){
  freepwl(pw);
  for(; bl; bl = (struct bandlim *) itfree(bl, bl->next)) freeacl(bl->ace);
  for(; blout; blout = (struct bandlim *) itfree(blout, blout->next))freeacl(blout->ace);
+ for(; cl; cl = (struct connlim *) itfree(cl, cl->next)) freeacl(cl->ace);
 
  if(counterd != -1) {
 	close(counterd);
@@ -1678,12 +1918,14 @@ void freeconf(struct extparam *confp){
  for(; fm; fm = (struct filemon *)itfree(fm, fm->next)){
 	if(fm->path) myfree(fm->path);
  }
+/*
  if(logtarget) {
 	myfree(logtarget);
  }
  if(logname) {
 	myfree(logname);
  }
+*/
  if(logformat) {
 	myfree(logformat);
  }
@@ -1691,13 +1933,14 @@ void freeconf(struct extparam *confp){
 	for(i = 0; i < archiverc; i++) myfree(archiver[i]);
 	myfree(archiver);
  }
-
+ havelog = 0;
 }
 
 int reload (void){
 	FILE *fp;
 	int error = -2;
 
+	pthread_mutex_lock(&config_mutex);
 	conf.paused++;
 	freeconf(&conf);
 	conf.paused++;
@@ -1711,5 +1954,6 @@ int reload (void){
 		}
 		if(!writable)fclose(fp);
 	}
+	pthread_mutex_unlock(&config_mutex);
 	return error;
 }

src/datatypes.c

@@ -1,9 +1,9 @@
 /*
- * Copyright (c) 2000-2008 3APA3A
- *
- * please read License Agreement
- *
- */
+   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
+
+   please read License Agreement
+
+*/
 
 #include "proxy.h"
 
@@ -325,24 +325,12 @@ static void * ef_chain_next(struct node * node){
 }
 
 static void * ef_chain_type(struct node * node){
-	switch (((struct chain *)node->value) -> type) {
-		case R_TCP:
-			return "tcp";
-		case R_CONNECT:
-			return "connect";
-		case R_SOCKS4:
-			return "socks4";
-		case R_SOCKS5:
-			return "socks5";
-		case R_HTTP:
-			return "http";
-		case R_FTP:
-			return "ftp";
-		case R_POP3:
-			return "pop3";
-		default:
-			return "";
+	int i;
+	
+	for(i=0; redirs[i].name; i++){
+	    if(((struct chain *)node->value) -> type == redirs[i].redir) return redirs[i].name;
 	}
+	return "";
 }
 
 static void * ef_chain_addr(struct node * node){
@@ -365,28 +353,11 @@ static void * ef_ace_next(struct node * node){
 	return ((struct ace *)node->value) -> next;
 }
 
+
+char * aceaction (int action);
+
 static void * ef_ace_type(struct node * node){
-	switch (((struct ace *)node->value) -> action) {
-		case ALLOW:
-		case REDIRECT:
-			return "allow";
-		case DENY:
-			return "deny";
-		case BANDLIM:
-			return "bandlim";
-		case NOBANDLIM:
-			return "nobandlim";
-		case COUNTIN:
-			return "countin";
-		case NOCOUNTIN:
-			return "nocountin";
-		case COUNTOUT:
-			return "countout";
-		case NOCOUNTOUT:
-			return "nocountout";
-		default:
-			return "unknown";
-	}
+	return aceaction(((struct ace *)node->value) -> action);
 }
 
 
@@ -520,6 +491,9 @@ static void * ef_server_childcount(struct node * node){
 
 static void * ef_server_log(struct node * node){
 	if(((struct srvparam *)node->value) -> logfunc == lognone)	return "none";
+#ifndef NORADIUS
+	else if(((struct srvparam *)node->value) -> logfunc == logradius)	return "radius";
+#endif
 	else if(((struct srvparam *)node->value) -> logfunc == logstdout)
 		return (((struct srvparam *)node->value) -> logtarget)?"file":"stdout";
 #ifndef _WIN32
@@ -648,6 +622,14 @@ static void * ef_client_threadid(struct node * node){
 	return &((struct clientparam *)node->value) -> threadid;
 }
 
+static void * ef_client_clisock(struct node * node){
+	return &((struct clientparam *)node->value) -> clisock;
+}
+
+static void * ef_client_remsock(struct node * node){
+	return &((struct clientparam *)node->value) -> remsock;
+}
+
 static void * ef_client_starttime(struct node * node){
 	return &((struct clientparam *)node->value) -> time_start;
 }
@@ -785,6 +767,8 @@ static struct property prop_client[] = {
 	{prop_client + 17, "maxtrafin", ef_client_maxtrafin64, TYPE_UNSIGNED64, "maximum traffic allowed for download"},
 	{prop_client + 18, "maxtrafout", ef_client_maxtrafout64, TYPE_UNSIGNED64, "maximum traffic allowed for upload"},
 	{prop_client + 19, "pwtype", ef_client_pwtype, TYPE_INTEGER, "type of client password"},
+	{prop_client + 20, "clisock", ef_client_clisock, TYPE_INTEGER, "client socket"},
+	{prop_client + 21, "remsock", ef_client_remsock, TYPE_INTEGER, "remote socket"},
 	{NULL, "next", ef_client_next, TYPE_CLIENT, "next"}
 
 	

src/dighosts.c

@@ -1,141 +0,0 @@
-/*
- * Copyright (c) 2000-2008 3APA3A
- *
- * please read License Agreement
- *
- */
-
-#include "proxy.h"
-pthread_mutex_t log_mutex;
-
-
-int sockgetchar(SOCKET sock, int timeosec, int timeousec){
- unsigned char buf;
- fd_set fds;
- struct timeval tv;
-
- tv.tv_sec = timeosec;
- tv.tv_usec = timeousec;
- FD_ZERO(&fds);
- FD_SET(sock, &fds);
- if (select (((int)sock)+1, &fds, NULL, NULL, &tv)!=1) return EOF;
- if (recv(sock, (char *)&buf, 1, 0)!=1) return EOF;
- return((int)buf);
-}
-
-
-int sockgetline(SOCKET sock, unsigned char * buf, int bufsize, int delim, int to){
- int c;
- int i=0, tos, tou;
- if(bufsize<2) return 0;
- c = sockgetchar(sock, to, 0);
- if (c == EOF) {
-	return 0;
- }
- tos = to/16;
- tou = ((to * 1000) / bufsize)%1000;
- do {
-	buf[i++] = c;
-	if(delim != EOF && c == delim) break;
- }while(i < bufsize && (c = sockgetchar(sock, tos, tou)) != EOF);
- return i;
-}
-
-
-unsigned char request[] = "GET %.1024s HTTP/1.0\r\nHost: %.256s\r\n\r\n";
-
-int main(int argc, char *argv[]){
-	unsigned char *host, *hostend;
-	SOCKET sock;
-	struct sockaddr_in sa;
-	FILE *fp;
-	unsigned char buf[16000];
-	int i;
-	unsigned x,y,z,w,cidr, x1,y1,z1,w1, mask;
-	int first = 1;
-
-#ifdef _WIN32
- WSADATA wd;
- WSAStartup(MAKEWORD( 1, 1 ), &wd);
-#endif
-
-	if(argc < 3 || argc > 4 || (argc == 4 && (argv[1][0] != '-' || argv[1][1] != 'm'))) {
-		fprintf(stderr, "Usage: %s [-m] <URL> <FILE>\n"
-				" program retrieves requested <URL> and builds comma delimited list of networks\n"
-				" list than stored in <FILE>\n"
-				" networks are searched in xxx.yyy.zzz.www/cidr format\n"
-				" switches:\n"
-				"  -m networks are searched in xxx.yyy.zzz.www mmm.mmm.mmm.mmm format\n"
-				"\n(c)2002 by 3APA3A\n",
-				argv[0]);
-		return 1;
-	}
-	if(strncasecmp(argv[argc-2], "http://", 7)) {
-		fprintf(stderr, "URL must be HTTP://\n");
-		return 2;
-	}
-	hostend = (unsigned char *)strchr((char *)argv[argc-2] + 7, '/');
-	if(!hostend) {
-		fprintf(stderr, "Wrong URL syntaxis\n");
-		return 3;
-	}
-	*hostend = 0;
-	if(!(host = (unsigned char *)strdup((char *)argv[argc-2] + 7))) {
-		return 4;
-	}
-	*hostend = '/';
-	if(!getip46(4, host, (struct sockaddr *)&sa)) {
-		fprintf(stderr, "Unable to resolve %s\n", host);
-		return 5;
-	}
-	sa.sin_port = htons(80);
-	if((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) return 6;
-	sprintf((char *)buf, (char *)request, hostend, host);
-	if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))) {
-		fprintf(stderr, "Unable to connect: %s\n", host);
-		return 8;
-	}
-	if(send(sock, (char *)buf, (int)strlen((char *)buf), 0) != (int)strlen((char *)buf)) return 9;
-	while( (i = sockgetline(sock, buf, sizeof(buf) - 1, '\n', 30)) > 2);
-	if(i<1) return 9;
-	if(!(fp = fopen(argv[argc-1], "w"))) {
-		fprintf(stderr, "Unable to open: %s\n", argv[2]);
-		return 7;
-	}
-	while( (i = sockgetline(sock, buf, sizeof(buf) - 1, '\n', 30)) > 0){
-		buf[i] = 0;
-		for(i = 0; buf[i]; i++){
-			if((buf[i]<'0' || buf[i] > '9') && buf[i] != '.' && buf[i] != '/')buf[i] = ' ';
-		}
-		if(argc == 3){
-			if((i=sscanf((char *)buf, "%u.%u.%u.%u/%u", &x, &y, &z, &w, &cidr)) == 5 &&
-					x<256 && y<256 && z<256 && w<256 &&
-					cidr <= 32){
-				if(!first)fprintf(fp, ",");
-				fprintf(fp, "%u.%u.%u.%u/%u", x, y, z, w, cidr);
-				first = 0;
-			}
-		}
-		else{
-			if((i = sscanf((char *)buf, "%u.%u.%u.%u %u.%u.%u.%u", &x, &y, &z, &w, &x1, &y1, &z1, &w1)) == 8 &&
-					x<256 && y<256 && z<256 && w<256 &&
-					x1<256 && y1<256 && z1<256 && w1<256
-					){
-				mask = (x1<<24)|(y1<<16)|(z1<<8)|w1;
-				for(cidr = 0; cidr <= 32; cidr++)if((((unsigned long)(0xFFFFFFFF))<<(32-cidr)) == mask) break;
-				if(cidr > 32) continue;
-				if(!first)fprintf(fp, ",");
-				fprintf(fp, "%u.%u.%u.%u/%u", x, y, z, w, cidr);
-				first = 0;
-			}
-		}
-	}
-	shutdown(sock, SHUT_RDWR);
-#ifdef _WIN32
-	closesocket(sock);
-#else
-	close(sock);
-#endif
-	fclose(fp);
-	return 0;
-}

src/dnspr.c

@@ -1,6 +1,6 @@
 /*
    3APA3A simpliest proxy server
-   (c) 2002-2008 by ZARAZA <3APA3A@security.nnov.ru>
+   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
 
    please read License Agreement
 
@@ -39,16 +39,16 @@ void * dnsprchild(struct clientparam* param) {
  }
  buf = bbuf+2;
  size = sizeof(param->sincr);
- i = so._recvfrom(param->srv->srvsock, (char *)buf, BUFSIZE, 0, (struct sockaddr *)&param->sincr, &size); 
+ i = param->srv->so._recvfrom(param->sostate, param->srv->srvsock, (char *)buf, BUFSIZE, 0, (struct sockaddr *)&param->sincr, &size); 
  size = sizeof(param->sinsl);
  getsockname(param->srv->srvsock, (struct sockaddr *)&param->sincl, &size);
 #ifdef _WIN32
-	if((param->clisock=so._socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == INVALID_SOCKET) {
+	if((param->clisock=param->srv->so._socket(param->sostate, AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == INVALID_SOCKET) {
 		RETURN(818);
 	}
 	ioctlsocket(param->clisock, FIONBIO, &ul);
-	if(so._setsockopt(param->clisock, SOL_SOCKET, SO_REUSEADDR, (char *)&ul, sizeof(int))) {RETURN(820);};
-	if(so._bind(param->clisock,(struct sockaddr *)&param->sincl,SASIZE(&param->sincl))) {
+	if(param->srv->so._setsockopt(param->sostate, param->clisock, SOL_SOCKET, SO_REUSEADDR, (char *)&ul, sizeof(int))) {RETURN(820);};
+	if(param->srv->so._bind(param->sostate, param->clisock,(struct sockaddr *)&param->sincl,SASIZE(&param->sincl))) {
 		RETURN(822);
 	}
 
@@ -130,17 +130,17 @@ void * dnsprchild(struct clientparam* param) {
 	else ip = 0;
  }
  if(!ip && numservers){
-	if((param->remsock=so._socket(SASOCK(&nservers[0].addr), nservers[0].usetcp? SOCK_STREAM:SOCK_DGRAM, nservers[0].usetcp?IPPROTO_TCP:IPPROTO_UDP)) == INVALID_SOCKET) {
+	if((param->remsock=param->srv->so._socket(param->sostate, SASOCK(&nservers[0].addr), nservers[0].usetcp? SOCK_STREAM:SOCK_DGRAM, nservers[0].usetcp?IPPROTO_TCP:IPPROTO_UDP)) == INVALID_SOCKET) {
 		RETURN(818);
 	}
 	memset(&param->sinsl, 0, sizeof(param->sinsl));
 	*SAFAMILY(&param->sinsl) = *SAFAMILY(&nservers[0].addr);
-	if(so._bind(param->remsock,(struct sockaddr *)&param->sinsl,SASIZE(&param->sinsl))) {
+	if(param->srv->so._bind(param->sostate, param->remsock,(struct sockaddr *)&param->sinsl,SASIZE(&param->sinsl))) {
 		RETURN(819);
 	}
 	param->sinsr = nservers[0].addr;
 	if(nservers[0].usetcp) {
-		if(so._connect(param->remsock,(struct sockaddr *)&param->sinsr,SASIZE(&param->sinsr))) RETURN(830);
+		if(connectwithpoll(param, param->remsock,(struct sockaddr *)&param->sinsr,SASIZE(&param->sinsr),CONNECT_TO)) RETURN(830);
 		buf-=2;
 		*(unsigned short*)buf = htons(i);
 		i+=2;
@@ -153,12 +153,12 @@ void * dnsprchild(struct clientparam* param) {
 #endif
 	}
 
-	if(socksendto(param->remsock, (struct sockaddr *)&param->sinsr, buf, i, conf.timeouts[SINGLEBYTE_L]*1000) != i){
+	if(socksendto(param, param->remsock, (struct sockaddr *)&param->sinsr, buf, i, conf.timeouts[SINGLEBYTE_L]*1000) != i){
 		RETURN(820);
 	}
 	param->statscli64 += i;
 	param->nwrites++;
-	len = sockrecvfrom(param->remsock, (struct sockaddr *)&param->sinsr, buf, BUFSIZE, conf.timeouts[DNS_TO]*1000);
+	len = sockrecvfrom(param, param->remsock, (struct sockaddr *)&param->sinsr, buf, BUFSIZE, conf.timeouts[DNS_TO]*1000);
 	if(len <= 13) {
 		RETURN(821);
 	}
@@ -174,7 +174,7 @@ void * dnsprchild(struct clientparam* param) {
 		if(len != us) RETURN(832);
 	}
 	if(buf[6] || buf[7]){
-		if(socksendto(param->clisock, (struct sockaddr *)&param->sincr, buf, len, conf.timeouts[SINGLEBYTE_L]*1000) != len){
+		if(socksendto(param, param->clisock, (struct sockaddr *)&param->sincr, buf, len, conf.timeouts[SINGLEBYTE_L]*1000) != len){
 			RETURN(822);
 		}
 		RETURN(0);
@@ -185,7 +185,7 @@ void * dnsprchild(struct clientparam* param) {
 	buf[2] = 0x85;
 	buf[3] = 0x83;
  }
- res = socksendto(param->clisock, (struct sockaddr *)&param->sincr, buf, len, conf.timeouts[SINGLEBYTE_L]*1000); 
+ res = socksendto(param, param->clisock, (struct sockaddr *)&param->sincr, buf, len, conf.timeouts[SINGLEBYTE_L]*1000); 
  if(res != len){RETURN(819);}
  if(!ip) {RETURN(888);}
 
@@ -198,7 +198,7 @@ CLEANRET:
 	if((ip && type == 0x01) || type == 0x1c){
 		myinet_ntop(type == 0x01? AF_INET:AF_INET6, addr, (char *)buf+strlen((char *)buf), 64);
 	}
-	(*param->srv->logfunc)(param, buf);
+	dolog(param, buf);
  }
  if(bbuf)myfree(bbuf);
  if(host)myfree(host);

src/ftp.c

@@ -1,8 +1,8 @@
 /*
- * Copyright (c) 2002-2008 3APA3A
- *
- * please read License Agreement
- *
+   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
+
+   please read License Agreement
+
  */
 
 #include "proxy.h"
@@ -29,7 +29,7 @@ int ftplogin(struct clientparam *param, char *nbuf, int *innbuf) {
 		return 702;
 	}
 	sprintf(buf, "USER %.128s\r\n", param->extusername?param->extusername:(unsigned char *)"anonymous");
-	if((int)socksend(param->remsock, (unsigned char *)buf, (int)strlen(buf), conf.timeouts[STRING_S]) != (int)strlen(buf)){
+	if((int)socksend(param, param->remsock, (unsigned char *)buf, (int)strlen(buf), conf.timeouts[STRING_S]) != (int)strlen(buf)){
 		return 703;
 	}
 	param->statscli64 += (int)strlen(buf);
@@ -46,7 +46,7 @@ int ftplogin(struct clientparam *param, char *nbuf, int *innbuf) {
 					param->extpassword:(unsigned char *)"")
 				:(unsigned char *)"3proxy@");
 		res = (int)strlen(buf);
-		if((int)socksend(param->remsock, (unsigned char *)buf, res, conf.timeouts[STRING_S]) != (int)strlen(buf)){
+		if((int)socksend(param, param->remsock, (unsigned char *)buf, res, conf.timeouts[STRING_S]) != (int)strlen(buf)){
 			return 705;
 		}
 	param->statscli64 += res;
@@ -77,7 +77,7 @@ int ftpcd(struct clientparam *param, unsigned char* path, char *nbuf, int *innbu
 	int inbuf = 0;
 
 	sprintf(buf, "CWD %.512s\r\n", path);
-	if((int)socksend(param->remsock, (unsigned char *)buf, (int)strlen(buf), conf.timeouts[STRING_S]) != (int)strlen(buf)){
+	if((int)socksend(param, param->remsock, (unsigned char *)buf, (int)strlen(buf), conf.timeouts[STRING_S]) != (int)strlen(buf)){
 		return 711;
 	}
 	param->statscli64 += (int)strlen(buf);
@@ -110,7 +110,7 @@ int ftpres(struct clientparam *param, unsigned char * buf, int l){
 int ftpsyst(struct clientparam *param, unsigned char *buf, unsigned len){
 	int i;
 
-	if(socksend(param->remsock, (unsigned char *)"SYST\r\n", 6, conf.timeouts[STRING_S]) != 6){
+	if(socksend(param, param->remsock, (unsigned char *)"SYST\r\n", 6, conf.timeouts[STRING_S]) != 6){
 		return 721;
 	}
 	param->statscli64 += 6;
@@ -121,7 +121,7 @@ int ftpsyst(struct clientparam *param, unsigned char *buf, unsigned len){
 	buf[3] = 0;
 	if(atoi((char *)buf)/100 != 2) return 723;
 	buf[i-2] = 0;
-	strcpy((char *)buf, (char *)buf+4);
+	memmove((char *)buf, (char *)buf+4, strlen((char *)buf+4)+1);
 	return 0;
 }
 
@@ -129,7 +129,7 @@ int ftppwd(struct clientparam *param, unsigned char *buf, unsigned len){
 	int i;
 	char *b, *e;
 
-	if(socksend(param->remsock, (unsigned char *)"PWD\r\n", 5, conf.timeouts[STRING_S]) != 5){
+	if(socksend(param, param->remsock, (unsigned char *)"PWD\r\n", 5, conf.timeouts[STRING_S]) != 5){
 		return 731;
 	}
 	param->statscli64 += 5;
@@ -145,7 +145,7 @@ int ftppwd(struct clientparam *param, unsigned char *buf, unsigned len){
 		b++;
 		*e = 0;
 	}
-	strcpy((char *)buf, b);
+	memmove((char *)buf, b, strlen(b)+1);
 	return 0;
 }
 
@@ -154,7 +154,7 @@ int ftptype(struct clientparam *param, unsigned char* f_type){
 	int i;
 
 	sprintf(buf, "TYPE %.512s\r\n", f_type);
-	if((int)socksend(param->remsock, (unsigned char *)buf, (int)strlen(buf), conf.timeouts[STRING_S]) != (int)strlen(buf)){
+	if((int)socksend(param, param->remsock, (unsigned char *)buf, (int)strlen(buf), conf.timeouts[STRING_S]) != (int)strlen(buf)){
 		return 741;
 	}
 	param->statscli64 += (int)strlen(buf);
@@ -176,7 +176,7 @@ SOCKET ftpdata(struct clientparam *param){
 	unsigned short b5, b6;
 	SASIZETYPE sasize;
 
-	if(socksend(param->remsock, (unsigned char *)"PASV\r\n", 6, conf.timeouts[STRING_S]) != 6){
+	if(socksend(param, param->remsock, (unsigned char *)"PASV\r\n", 6, conf.timeouts[STRING_S]) != 6){
 		return INVALID_SOCKET;
 	}
 	param->statscli64 += 6;
@@ -189,9 +189,9 @@ SOCKET ftpdata(struct clientparam *param){
 	if(!(sb = strchr(buf+4, '(')) || !(se= strchr(sb, ')'))) return INVALID_SOCKET;
 	if(sscanf(sb+1, "%lu,%lu,%lu,%lu,%hu,%hu", &b1, &b2, &b3, &b4, &b5, &b6)!=6) return INVALID_SOCKET;
 	sasize = sizeof(param->sinsl);
-	if(so._getsockname(param->remsock, (struct sockaddr *)&param->sinsl, &sasize)){return INVALID_SOCKET;}
+	if(param->srv->so._getsockname(param->sostate, param->remsock, (struct sockaddr *)&param->sinsl, &sasize)){return INVALID_SOCKET;}
 	sasize = sizeof(param->sinsr);
-	if(so._getpeername(param->remsock, (struct sockaddr *)&param->sinsr, &sasize)){return INVALID_SOCKET;}
+	if(param->srv->so._getpeername(param->sostate, param->remsock, (struct sockaddr *)&param->sinsr, &sasize)){return INVALID_SOCKET;}
 	rem = param->remsock;
 	param->remsock = INVALID_SOCKET;
 	param->req = param->sinsr;
@@ -201,7 +201,7 @@ SOCKET ftpdata(struct clientparam *param){
 	param->operation = FTP_DATA;
 	if((param->res = (*param->srv->authfunc)(param))) {
 		if(param->remsock != INVALID_SOCKET) {
-			so._closesocket(param->remsock);
+			param->srv->so._closesocket(param->sostate, param->remsock);
 			param->remsock = INVALID_SOCKET;
 		}
 		memset(&param->sinsl, 0, sizeof(param->sinsl));
@@ -227,8 +227,8 @@ SOCKET ftpcommand(struct clientparam *param, unsigned char * command, unsigned c
 	sprintf(buf, "%.15s%s%.512s\r\n", command, arg?
 		(unsigned char *)" ":(unsigned char *)"", 
 		arg?arg:(unsigned char *)"");
-	if((int)socksend(param->remsock, (unsigned char *)buf, (int)strlen(buf), conf.timeouts[STRING_S]) != (int)strlen(buf)){
-		so._closesocket(s);
+	if((int)socksend(param, param->remsock, (unsigned char *)buf, (int)strlen(buf), conf.timeouts[STRING_S]) != (int)strlen(buf)){
+		param->srv->so._closesocket(param->sostate, s);
 		return INVALID_SOCKET;
 	}
 	param->statscli64 += (int)strlen(buf);
@@ -236,11 +236,11 @@ SOCKET ftpcommand(struct clientparam *param, unsigned char * command, unsigned c
 	while((i = sockgetlinebuf(param, SERVER, (unsigned char *)buf, sizeof(buf) - 1, '\n', conf.timeouts[STRING_L])) > 0 && (i < 3 || !isnumber(*buf) || buf[3] == '-')){
 	}
 	if(i < 3) {
-		so._closesocket(s);
+		param->srv->so._closesocket(param->sostate, s);
 		return INVALID_SOCKET;
 	}
 	if(buf[0] != '1') {
-		so._closesocket(s);
+		param->srv->so._closesocket(param->sostate, s);
 		return INVALID_SOCKET;
 	}
 	return s;

src/ftppr.c

@@ -1,6 +1,6 @@
 /*
    3APA3A simpliest proxy server
-   (c) 2002-2008 by ZARAZA <3APA3A@security.nnov.ru>
+   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
 
    please read License Agreement
 
@@ -29,7 +29,7 @@ void * ftpprchild(struct clientparam* param) {
  param->operation = CONNECT;
  lg.l_onoff = 1;
  lg.l_linger = conf.timeouts[STRING_L];;
- if(socksend(param->ctrlsock, (unsigned char *)"220 Ready\r\n", 11, conf.timeouts[STRING_S])!=11) {RETURN (801);}
+ if(socksend(param, param->ctrlsock, (unsigned char *)"220 Ready\r\n", 11, conf.timeouts[STRING_S])!=11) {RETURN (801);}
  for(;;){
 	i = sockgetlinebuf(param, CLIENT, buf, BUFSIZE - 10, '\n', conf.timeouts[CONNECTION_S]);
 	if(!i) {
@@ -44,13 +44,13 @@ void * ftpprchild(struct clientparam* param) {
 	if (!strncasecmp((char *)buf, "OPEN ", 5)){
 		if(parsehostname((char *)buf+5, param, 21)){RETURN(803);}
 		if(param->remsock != INVALID_SOCKET) {
-			so._shutdown(param->remsock, SHUT_RDWR);
-			so._closesocket(param->remsock);
+			param->srv->so._shutdown(param->sostate, param->remsock, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, param->remsock);
 			param->remsock = INVALID_SOCKET;
 		}
 		if((res = (*param->srv->authfunc)(param))) {RETURN(res);}
 		param->ctrlsocksrv = param->remsock;
-		if(socksend(param->ctrlsock, (unsigned char *)"220 Ready\r\n", 11, conf.timeouts[STRING_S])!=11) {RETURN (801);}
+		if(socksend(param, param->ctrlsock, (unsigned char *)"220 Ready\r\n", 11, conf.timeouts[STRING_S])!=11) {RETURN (801);}
 		status = 1;
 	}
 	else if (!strncasecmp((char *)buf, "USER ", 5)){
@@ -59,7 +59,7 @@ void * ftpprchild(struct clientparam* param) {
 			if((res = (*param->srv->authfunc)(param))) {RETURN(res);}
 			param->ctrlsocksrv = param->remsock;
 		}
-		if(socksend(param->ctrlsock, (unsigned char *)"331 ok\r\n", 8, conf.timeouts[STRING_S])!=8) {RETURN (807);}
+		if(socksend(param, param->ctrlsock, (unsigned char *)"331 ok\r\n", 8, conf.timeouts[STRING_S])!=8) {RETURN (807);}
 		status = 2;
 
 	}
@@ -68,7 +68,7 @@ void * ftpprchild(struct clientparam* param) {
 		inbuf = BUFSIZE;
 		res = ftplogin(param, (char *)buf, &inbuf);
 		param->res = res;
-		if(inbuf && inbuf != BUFSIZE && socksend(param->ctrlsock, buf, inbuf, conf.timeouts[STRING_S])!=inbuf) {RETURN (807);}
+		if(inbuf && inbuf != BUFSIZE && socksend(param, param->ctrlsock, buf, inbuf, conf.timeouts[STRING_S])!=inbuf) {RETURN (807);}
 		if(!res) status = 3;
 		sprintf((char *)buf, "%.128s@%.128s%c%hu", param->extusername, param->hostname, (ntohs(*SAPORT(&param->sinsr))==21)?0:':', ntohs(*SAPORT(&param->sinsr)));
 		req = mystrdup((char *)buf);
@@ -105,27 +105,27 @@ void * ftpprchild(struct clientparam* param) {
 		}
 #endif
 		if(sc != INVALID_SOCKET) {
-			so._shutdown(sc, SHUT_RDWR);
-			so._closesocket(sc);
+			param->srv->so._shutdown(param->sostate, sc, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, sc);
 			sc = INVALID_SOCKET;
 		}
 		if(ss != INVALID_SOCKET) {
-			so._shutdown(ss, SHUT_RDWR);
-			so._closesocket(ss);
+			param->srv->so._shutdown(param->sostate, ss, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, ss);
 			ss = INVALID_SOCKET;
 		}
 		if(clidatasock != INVALID_SOCKET) {
-			so._shutdown(clidatasock, SHUT_RDWR);
-			so._closesocket(clidatasock);
+			param->srv->so._shutdown(param->sostate, clidatasock, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, clidatasock);
 			clidatasock = INVALID_SOCKET;
 		}
 		if ((clidatasock=socket(SASOCK(&param->sincl), SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {RETURN(821);}
 		*SAPORT(&param->sincl) = 0;
-		if(so._bind(clidatasock, (struct sockaddr *)&param->sincl, SASIZE(&param->sincl))){RETURN(822);}
+		if(param->srv->so._bind(param->sostate, clidatasock, (struct sockaddr *)&param->sincl, SASIZE(&param->sincl))){RETURN(822);}
 		if (pasv) {
-			if(so._listen(clidatasock, 1)) {RETURN(823);}
+			if(param->srv->so._listen(param->sostate, clidatasock, 1)) {RETURN(823);}
 			sasize = sizeof(param->sincl);
-			if(so._getsockname(clidatasock, (struct sockaddr *)&param->sincl, &sasize)){RETURN(824);}
+			if(param->srv->so._getsockname(param->sostate, clidatasock, (struct sockaddr *)&param->sincl, &sasize)){RETURN(824);}
 			if(pasv == 1){
 				if(*SAFAMILY(&param->sincl) == AF_INET)
 					sprintf((char *)buf, "227 OK (%u,%u,%u,%u,%u,%u)\r\n",
@@ -153,8 +153,8 @@ void * ftpprchild(struct clientparam* param) {
 
 			if(sscanf((char *)buf+5, "%lu,%lu,%lu,%lu,%hu,%hu", &b1, &b2, &b3, &b4, &b5, &b6)!=6) {RETURN(828);}
 			*SAPORT(&param->sincr) = htons((unsigned short)((b5<<8)^b6));
-			if(so._connect(clidatasock, (struct sockaddr *)&param->sincr, SASIZE(&param->sincr))) {
-				so._closesocket(clidatasock);
+			if(connectwithpoll(param, clidatasock, (struct sockaddr *)&param->sincr, SASIZE(&param->sincr),CONNECT_TO)) {
+				param->srv->so._closesocket(param->sostate, clidatasock);
 				clidatasock = INVALID_SOCKET;
 				RETURN(826);
 			}
@@ -173,7 +173,7 @@ void * ftpprchild(struct clientparam* param) {
 			if(action != PASS) RETURN(879);
 		}
 #endif
-		if(socksend(param->ctrlsock, buf, (int)strlen((char *)buf), conf.timeouts[STRING_S])!=(int)strlen((char *)buf)) {RETURN (825);}
+		if(socksend(param, param->ctrlsock, buf, (int)strlen((char *)buf), conf.timeouts[STRING_S])!=(int)strlen((char *)buf)) {RETURN (825);}
 		status = 4;
 	}
 	else if (status == 4 && (
@@ -208,15 +208,15 @@ void * ftpprchild(struct clientparam* param) {
 			fds.fd = clidatasock;
 			fds.events = POLLIN;
 
-			res = so._poll (&fds, 1, conf.timeouts[STRING_L]*1000);
+			res = param->srv->so._poll (param->sostate, &fds, 1, conf.timeouts[STRING_L]*1000);
 			if(res != 1) {
 				RETURN(857);
 			}
 			sasize = sizeof(param->sincr);
-			ss = so._accept(clidatasock, (struct sockaddr *)&param->sincr, &sasize);
+			ss = param->srv->so._accept(param->sostate, clidatasock, (struct sockaddr *)&param->sincr, &sasize);
 			if (ss == INVALID_SOCKET) { RETURN (858);}
-			so._shutdown(clidatasock, SHUT_RDWR);
-			so._closesocket(clidatasock);
+			param->srv->so._shutdown(param->sostate, clidatasock, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, clidatasock);
 			clidatasock = ss;
 			ss = INVALID_SOCKET;
 		}
@@ -226,20 +226,20 @@ void * ftpprchild(struct clientparam* param) {
 		status = 3;
 		ss = ftpcommand(param, buf, arg? buf+5 : NULL);
 		if (ss == INVALID_SOCKET) {
-			so._shutdown(clidatasock, SHUT_RDWR);
-			so._closesocket(clidatasock);
+			param->srv->so._shutdown(param->sostate, clidatasock, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, clidatasock);
 			clidatasock = INVALID_SOCKET;
 			
-			if(socksend(param->ctrlsock, (unsigned char *)"550 err\r\n", 9, conf.timeouts[STRING_S])!=9) {RETURN (831);}
+			if(socksend(param, param->ctrlsock, (unsigned char *)"550 err\r\n", 9, conf.timeouts[STRING_S])!=9) {RETURN (831);}
 			continue;
 		}
 
-		if(socksend(param->ctrlsock, (unsigned char *)"125 data\r\n", 10, conf.timeouts[STRING_S]) != 10) {
+		if(socksend(param, param->ctrlsock, (unsigned char *)"125 data\r\n", 10, conf.timeouts[STRING_S]) != 10) {
 			param->remsock = INVALID_SOCKET;
 			RETURN (832);
 		}
 		if(param->srvoffset < param->srvinbuf)while((i = sockgetlinebuf(param, SERVER, buf, BUFSIZE, '\n', 0)) > 3){
-			if(socksend(param->ctrlsock, buf, i, conf.timeouts[STRING_S])!=i) {RETURN(833);}
+			if(socksend(param, param->ctrlsock, buf, i, conf.timeouts[STRING_S])!=i) {RETURN(833);}
 			if(isnumber(*buf) && buf[3] != '-') {
 				ressent = 1;
 				break;
@@ -247,17 +247,17 @@ void * ftpprchild(struct clientparam* param) {
 		}
 		sc = param->remsock;
 		param->remsock = ss;
-		so._setsockopt(param->remsock, SOL_SOCKET, SO_LINGER, (char *)&lg, sizeof(lg));
-		so._setsockopt(clidatasock, SOL_SOCKET, SO_LINGER, (char *)&lg, sizeof(lg));
+		param->srv->so._setsockopt(param->sostate, param->remsock, SOL_SOCKET, SO_LINGER, (char *)&lg, sizeof(lg));
+		param->srv->so._setsockopt(param->sostate, clidatasock, SOL_SOCKET, SO_LINGER, (char *)&lg, sizeof(lg));
 		param->clisock = clidatasock;
-		res = sockmap(param, conf.timeouts[CONNECTION_S]);
+		res = mapsocket(param, conf.timeouts[CONNECTION_S]);
 		if(param->remsock != INVALID_SOCKET) {
-			so._shutdown (param->remsock, SHUT_RDWR);
-			so._closesocket(param->remsock);
+			param->srv->so._shutdown (param->sostate, param->remsock, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, param->remsock);
 		}
 		if(param->clisock != INVALID_SOCKET) {
-			so._shutdown (param->clisock, SHUT_RDWR);
-			so._closesocket(param->clisock);
+			param->srv->so._shutdown (param->sostate, param->clisock, SHUT_RDWR);
+			param->srv->so._closesocket(param->sostate, param->clisock);
 		}
 		param->clisock = param->ctrlsock;
 		param->remsock = sc;
@@ -266,7 +266,7 @@ void * ftpprchild(struct clientparam* param) {
 		clidatasock = INVALID_SOCKET;
 		if(!ressent){
 			while((i = sockgetlinebuf(param, SERVER, buf, BUFSIZE, '\n', conf.timeouts[STRING_L])) > 3){
-				if(socksend(param->ctrlsock, buf, i, conf.timeouts[STRING_S])!=i) {RETURN(833);}
+				if(socksend(param, param->ctrlsock, buf, i, conf.timeouts[STRING_S])!=i) {RETURN(833);}
 				if(isnumber(*buf) && buf[3] != '-') break;
 			}
 			if(i < 3) {RETURN(834);}
@@ -274,7 +274,7 @@ void * ftpprchild(struct clientparam* param) {
 	}
 	else {
 		if(status < 3) {
-			if(socksend(param->remsock, (unsigned char *)"530 login\r\n", 11, conf.timeouts[STRING_S])!=1) {RETURN (810);}
+			if(socksend(param, param->remsock, (unsigned char *)"530 login\r\n", 11, conf.timeouts[STRING_S])!=1) {RETURN (810);}
 			continue;
 		}
 		if(!strncasecmp((char *)buf, "QUIT", 4)) status = 5;
@@ -282,41 +282,41 @@ void * ftpprchild(struct clientparam* param) {
 		i = (int)strlen((char *)buf);
 		buf[i++] = '\r';
 		buf[i++] = '\n';
-		if(socksend(param->remsock, buf, i, conf.timeouts[STRING_S])!=i) {RETURN (811);}
+		if(socksend(param, param->remsock, buf, i, conf.timeouts[STRING_S])!=i) {RETURN (811);}
  param->statscli64+=(i);
 		param->nwrites++;
 		while((i = sockgetlinebuf(param, SERVER, buf, BUFSIZE, '\n', conf.timeouts[STRING_L])) > 0){
-			if(socksend(param->ctrlsock, buf, i, conf.timeouts[STRING_S])!=i) {RETURN (812);}
+			if(socksend(param, param->ctrlsock, buf, i, conf.timeouts[STRING_S])!=i) {RETURN (812);}
 			if(i > 4 && isnumber(*buf) && buf[3] != '-') break;
 		}
 		if(status == 5) {RETURN (0);}
 		if(i < 3) {RETURN (813);}
 	}
 	sasize = sizeof(param->sincr);
-	if(so._getpeername(param->ctrlsock, (struct sockaddr *)&param->sincr, &sasize)){RETURN(819);}
+	if(param->srv->so._getpeername(param->sostate, param->ctrlsock, (struct sockaddr *)&param->sincr, &sasize)){RETURN(819);}
 	if(req && (param->statscli64 || param->statssrv64)){
-		(*param->srv->logfunc)(param, (unsigned char *)req);
+		dolog(param, (unsigned char *)req);
 	}
  }
 
 CLEANRET:
 
  if(sc != INVALID_SOCKET) {
-	so._shutdown(sc, SHUT_RDWR);
-	so._closesocket(sc);
+	param->srv->so._shutdown(param->sostate, sc, SHUT_RDWR);
+	param->srv->so._closesocket(param->sostate, sc);
  }
  if(ss != INVALID_SOCKET) {
-	so._shutdown(ss, SHUT_RDWR);
-	so._closesocket(ss);
+	param->srv->so._shutdown(param->sostate, ss, SHUT_RDWR);
+	param->srv->so._closesocket(param->sostate, ss);
  }
  if(clidatasock != INVALID_SOCKET) {
-	so._shutdown(clidatasock, SHUT_RDWR);
-	so._closesocket(clidatasock);
+	param->srv->so._shutdown(param->sostate, clidatasock, SHUT_RDWR);
+	param->srv->so._closesocket(param->sostate, clidatasock);
  }
  sasize = sizeof(param->sincr);
- so._getpeername(param->ctrlsock, (struct sockaddr *)&param->sincr, &sasize);
+ param->srv->so._getpeername(param->sostate, param->ctrlsock, (struct sockaddr *)&param->sincr, &sasize);
  if(param->res != 0 || param->statscli64 || param->statssrv64 ){
-	(*param->srv->logfunc)(param, (unsigned char *)((req && (param->res > 802))? req:NULL));
+	dolog(param, (unsigned char *)((req && (param->res > 802))? req:NULL));
  }
  if(req) myfree(req);
  if(buf) myfree(buf);

src/icqpr.c

@@ -1,529 +0,0 @@
-/*
-   3APA3A simpliest proxy server
-   (c) 2002-2008 by ZARAZA <3APA3A@security.nnov.ru>
-
-   please read License Agreement
-
-*/
-
-#include "proxy.h"
-
-#ifndef PORTMAP
-#define PORTMAP
-#endif
-#define RETURN(xxx) { param->res = xxx; goto CLEANRET; }
-
-static void hexdump(unsigned char *data, int len){
-	for(; len; data++, len--){
-		printf("%02x", (unsigned)*data);
-	}
-	printf("\n");
-}
-
-struct flap_header {
-	unsigned char id;
-	unsigned char chan;
-	unsigned short seq;
-	unsigned short size;
-	char data[1];
-};
-
-struct snack_header {
-	unsigned family;
-	unsigned short flags;
-	unsigned id;
-	char data[1];
-};
-
-struct tlv_header {
-	unsigned short type;
-	unsigned short size;
-	char data[1];
-};
-
-
-typedef enum {
-	ONBEGIN = 0,
-	ONCHAN,
-	ONSEQ1,
-	ONSEQ2,
-	ONSIZE1,
-	ONSIZE2,
-	ONDATA
-} ICQSTATE;
-
-struct icqstate {
-	ICQSTATE state;
-	int leftinstate;
-	unsigned short seq;
-	unsigned short srvseq;
-	unsigned short gotseq;
-	unsigned short resyncseq;
-	char channel;
-};
-
-
-
-
-
-typedef enum {
-	ICQUNKNOWN,
-	ICQCLEAR,
-	ICQMD5,
-	ICQCOOKIE
-} LOGINTYPE;
-
-
-struct icq_cookie {
-	struct icq_cookie *next;
-	char *id;
-	int size;
-	char * cookie;
-	char * connectstring;
-};
-
-static struct icq_cookie *icq_cookies = NULL;
-pthread_mutex_t icq_cookie_mutex;
-int icq_cookie_mutex_init = 0;
-
-
-static void icq_clear(void *fo){
-};
-
-static void addbuffer(int increment, struct clientparam * param, unsigned char ** buf_p, int * bufsize_p, int * length_p){
-	int bufsize = *length_p + increment + 40;
-	unsigned char *newbuf;
-	int len = 0;
-
-	
-	if(bufsize > *bufsize_p){
-		newbuf = myalloc(bufsize);
-		if(!newbuf) return;
-		memcpy(newbuf, *buf_p, *length_p);
-		myfree(*buf_p);
-		*buf_p = newbuf;
-		*bufsize_p = bufsize;
-	}
-	if(increment) len = sockrecvfrom(param->remsock, (struct sockaddr *)&param->sinsr, *buf_p + *length_p, increment, conf.timeouts[STRING_S]*1000);
-	if(len > 0) {
-		*length_p += len;
-		param->nreads++;
-		param->statssrv64 += len;
-	}
-	return;
-}
-
-
-
-static int searchcookie(struct clientparam *param, struct flap_header * flap, int len, int * dif, struct tlv_header *tlv, int extra){
- struct icq_cookie *ic;
- char smallbuf[64];
- struct tlv_header *bostlv = NULL;
- struct sockaddr_in sa;
- SASIZETYPE size = sizeof(sa);
- int movelen = 0;
-
-	if(!icq_cookie_mutex_init){
-		pthread_mutex_init(&icq_cookie_mutex, NULL);
-		icq_cookie_mutex_init = 1;
-	}
-	pthread_mutex_lock(&icq_cookie_mutex);
-	for(ic = icq_cookies; ic; ic = ic->next)if(!strcmp((char *)param->username, ic->id))break;
-	if(!ic){
-		ic = myalloc(sizeof(struct icq_cookie));
-		memset(ic, 0, sizeof(struct icq_cookie));
-		ic->id = mystrdup((char *)param->username);
-		ic->next = icq_cookies;
-		icq_cookies = ic;
-	}
-	for(; ntohs(tlv->size) < 65500 && len >= (ntohs(tlv->size) + 4); len -= (ntohs(tlv->size) + 4), tlv = (struct tlv_header *)(tlv->data + ntohs(tlv->size))){
-		if(ntohs(tlv->type) == 0x0006){
-			if(ic->cookie)myfree(ic->cookie);
-			ic->cookie = myalloc(ntohs(tlv->size));
-			memcpy(ic->cookie, tlv->data, ntohs(tlv->size));
-			ic->size = tlv->size;
-		}
-		else if(ntohs(tlv->type) == 0x0005){
-			if(ic->connectstring)myfree(ic->connectstring);
-			ic->connectstring = myalloc(ntohs(tlv->size)+1);
-			memcpy(ic->connectstring, tlv->data, ntohs(tlv->size));
-			ic->connectstring[ntohs(tlv->size)] = 0;
-			bostlv = tlv;
-			movelen = extra + (len - 4) - ntohs(bostlv->size);
-		}
-
-	}
-	if(!ic->connectstring || !ic->cookie){
-		if(ic->cookie)myfree(ic->cookie);
-		if(ic->connectstring)myfree(ic->connectstring);
-		ic->cookie = NULL;
-		ic->connectstring = NULL;
-		ic->size = 0;
-		bostlv = NULL;
-	}
-	pthread_mutex_unlock(&icq_cookie_mutex);
-	if(bostlv){
-		if(so._getsockname(param->clisock, (struct sockaddr *)&sa, &size)==-1) return 1;
-		len = myinet_ntop(*SAFAMILY(&sa),SAADDR(&sa), smallbuf, 64);
-		if(strchr(ic->connectstring, ':'))sprintf(smallbuf+len, ":%hu", ntohs(sa.sin_port));
-		len = (int)strlen(smallbuf);
-		*dif = len - (int)ntohs(bostlv->size);
-		if(*dif != 0 && movelen > 0){
-			memmove(bostlv->data + len, bostlv->data + ntohs(bostlv->size), movelen);
-		}
-		memcpy(bostlv->data, smallbuf, len);
-		bostlv->size = htons(len);
-		len = ((int)ntohs(flap->size)) + *dif;
-		flap->size = htons(len);
-	}
-	return 0;
-}
-
-
-static FILTER_ACTION icq_srv(void *fc, struct clientparam * param, unsigned char ** buf_p, int * bufsize_p, int ioffset, int * length_p){
-	unsigned char * start = *buf_p + ioffset;
-	int len = *length_p - ioffset;
-	struct icqstate *state = (struct icqstate *)fc;
-	int size;
-	int offset;
-
-	while (len > 0){
-		switch(state->state){
-		case ONBEGIN:
-
-			if((*start) == 0x2A) {
-				if(len < 6){
-					offset = (int)(start - *buf_p);
-					addbuffer(6-len, param, buf_p, bufsize_p, length_p);
-					start = *buf_p + offset;
-					len = (int)(*buf_p + *length_p - start);
-
-				}
-				state->state = ONCHAN;
-			}
-			else {
-				if(!state->leftinstate)param->srv->logfunc(param, (unsigned char *)"Warning: need resync");
-				state->leftinstate++;
-				if(state->leftinstate > 65535){
-					param->srv->logfunc(param, (unsigned char *)"Out of Sync");
-					return REJECT;
-				}
-			}
-			start++;
-			len--;
-			break;
-		case ONCHAN:
-			if (*start >= 10){
-				param->srv->logfunc(param, (unsigned char *)"Warning: Wrong channel");
-				state->state = ONBEGIN;
-			}
-			else {
-				state->state = ONSEQ1;
-				state->channel = *start;
-				start++;
-				len--;
-			}
-			break;
-		case ONSEQ1:
-			state->gotseq =  (((unsigned)*start) << 8);
-			state->state = ONSEQ2; 
-			*(start) = (state->seq>>8);
-			start++;
-			len--;
-			break;
-		case ONSEQ2:
-			state->gotseq += *start;
-			if(state->gotseq != state->srvseq){
-				unsigned char smallbuf[64];
-				if(((state->gotseq < state->srvseq) || ((state->gotseq - state->srvseq) > 10 )) && (!state->resyncseq || state->gotseq != state->resyncseq)){
-					sprintf((char *)smallbuf, "Warning: Wrong sequence, expected: %04hx got: %04hx", state->srvseq, state->gotseq);
-					param->srv->logfunc(param, smallbuf);
-					state->state = ONBEGIN;
-					state->resyncseq = state->gotseq;
-					break;
-				}
-				sprintf((char *)smallbuf, "Warning: %d flaps are lost on resync", state->gotseq - state->srvseq );
-				param->srv->logfunc(param, smallbuf);
-				state->srvseq = state->gotseq;
-				*(start-1) = (state->seq>>8);
-			}
-			*start = (state->seq & 0x00FF);
-			state->srvseq = state->srvseq + 1;
-			state->seq = state->seq + 1;
-			state->state = ONSIZE1; 
-			start++;
-			len--;
-			break;
-		case ONSIZE1:
-			state->leftinstate = (((unsigned)(*start))<<8);
-			state->state = ONSIZE2;
-			start++;
-			len--;
-			break;
-		case ONSIZE2:
-			state->leftinstate += *start;
-			state->state = (state->leftinstate)?ONDATA:ONBEGIN;
-			start++;
-			len--;
-			if(state->leftinstate > 30 && state->channel == 2) {
-
-				if(len < state->leftinstate) {
-					offset = (int)(start - *buf_p);
-					addbuffer(state->leftinstate - len, param, buf_p, bufsize_p, length_p);
-					start = *buf_p + offset;
-					len = (int)(*length_p - offset);
-
-				}
-				size = 0;
-				if ((start[4] & 0x80)) {
-					size = htons(*(unsigned short *)(start+10)) + 2;
-					if(size > 8) size = 0;
-				}
-				if (start[0] == 0 && start[1] == 1 &&
-				    ((start[2] == 0 && start[3] == 5) || (start[2] == 1 && start[3] == 2))){
-					int dif = 0;
-
-					offset = (int)(start - *buf_p);
-					addbuffer(0, param, buf_p, bufsize_p, length_p);
-					start = *buf_p + offset;
-					searchcookie(param, (struct flap_header *) (start-6), state->leftinstate-(size+10), &dif, (struct tlv_header *) (start + size + 10), len - state->leftinstate);
-					*length_p += dif;
-					start += (state->leftinstate + dif);
-					len -= state->leftinstate;
-					state->leftinstate = 0;
-					state->state = ONBEGIN;
-				}
-			}
-			break;
-		
-		case ONDATA:
-			size = (state->leftinstate > len)? len : state->leftinstate;
-			
-			start += size;
-			len -= size;
-			state->leftinstate -= size;
-			if(!state->leftinstate) {
-				state->state = ONBEGIN;
-			}
-			break;
-		}
-	}
-	
-	return CONTINUE;
-}
-
-static struct filter icqfilter = {
-	NULL,
-	"icqfilter",
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	NULL,
-	*icq_srv,
-	*icq_clear,
-	NULL
-};
-
-
-static int readflap(struct clientparam * param, int direction, unsigned char *buf, int buflen){
- int i, len;
-
- struct flap_header *flap = (struct flap_header *)buf;
-
- i = sockgetlinebuf(param, direction, buf, 6, EOF, conf.timeouts[STRING_L]);
- if(i!=6) return 1;
- if(flap->id != 0x2a) return 2;
- len = ntohs(flap->size);
- if(len > buflen-6) return 3;
- i = sockgetlinebuf(param, direction, (unsigned char *)flap->data, len, EOF, conf.timeouts[STRING_S]);
- if(len != i) return 4;
- return 0;
-
-}
-
-#define flap ((struct flap_header *)buf)
-#define snack ((struct snack_header *)(buf+6))
-void * icqprchild(struct clientparam* param) {
- int res;
- unsigned char tmpsend[1024];
- unsigned char *buf;
- int i,j,len,len1;
- int offset = 0;
- int buflen = 16384;
- LOGINTYPE logintype = ICQUNKNOWN;
- int greet = 0;
- struct icq_cookie *ic;
- struct tlv_header *tlv;
- struct icqstate mystate =  {
-	ONBEGIN, 
-	0, 0, 0, 
-	0
- };
- struct filterp icqfilterp = {
-	&icqfilter,
-	(void *)&mystate
- };
- struct filterp  **newfilters;
- char handshake[] = {'\052',  '\001', '\000', '\000', '\000', '\004', '\000', '\000', '\000', '\001'};
-
- 
-
- memcpy(tmpsend, handshake, 10);
- if(socksend(param->clisock, tmpsend, 10, conf.timeouts[STRING_S])!=10) {RETURN (1101);}
- buf = myalloc(65600);
-
- if((res = readflap(param, CLIENT, buf, 1000))) {RETURN (1180 + res);}
- if(ntohs(flap->size) == 4 || ntohs(flap->size) == 12){
-	tmpsend[2] = buf[2];
-	tmpsend[3] = buf[3];
-	greet = 1;
-	if(readflap(param, CLIENT, buf, 65550)) {RETURN (110);}
- }
- if(flap->chan != 1 && (flap->chan != 2 || snack->family != htonl(0x00170006))){
-	RETURN(1104);
- }
-
- len = ntohs(flap->size);
- if(flap->chan == 1){
-	tlv = (struct tlv_header *)(flap->data + 4);
-	len -= 4;
- }
- else {
-	tlv = (struct tlv_header *)(flap->data + 10);
-	len -= 10;
- } 
-
- for(; len >= (ntohs(tlv->size) + 4); len -= (ntohs(tlv->size) + 4), tlv = (struct tlv_header *)(tlv->data + ntohs(tlv->size))){
-	switch(ntohs(tlv->type)){
-	case 0x0001:
-		if(flap->chan == 2 && !logintype)logintype = ICQMD5;
-		if(!param->username){
-			param->username = myalloc(ntohs(tlv->size) + 1);
-			for(i=0, j=0; i < ntohs(tlv->size); i++){
-				if(!isspace(tlv->data[i]))param->username[j++]=tolower(tlv->data[i]);
-			}
-			param->username[j] = 0;
-		}
-		break;
-	case 0x0002:
-		logintype = ICQCLEAR;
-		break;
-	case 0x0006:
-		logintype = ICQCOOKIE;
-
-		for(ic = icq_cookies; ic; ic=ic->next){
-			if(ic->size && ic->size == tlv->size && !memcmp(ic->cookie, tlv->data, ntohs(tlv->size))){
-				parsehostname((char *)ic->connectstring, param, ntohs(param->srv->targetport));
-				if(!param->username && ic->id) param->username = (unsigned char *)mystrdup(ic->id);
-				break;
-			}
-		}
-		if(!ic) RETURN(1132);
-		break;
-	}
- }
- if(!logintype) RETURN(1133);
- if(logintype != ICQCOOKIE) {
-	parsehostname((char *)param->srv->target, param, ntohs(param->srv->targetport));
- }
- param->operation = CONNECT;
- res = (*param->srv->authfunc)(param);
- if(res) {RETURN(res);}
-
- if(greet){
-	if(socksend(param->remsock, tmpsend, 10, conf.timeouts[STRING_S])!=10) {RETURN (1105);}
-	param->statscli64 += 10;
- }
- if(readflap(param, SERVER, tmpsend, 1024)) {RETURN (1111);}
- param->statssrv64 += (ntohs(((struct flap_header *)tmpsend)->size) + 6);
- mystate.srvseq = ntohs(((struct flap_header *)tmpsend)->seq) + 1;
- mystate.seq = 1;
- len = ntohs(flap->size) + 6;
- if((res=handledatfltcli(param,  &buf, &buflen, offset, &len))!=PASS) RETURN(res);
- if(socksend(param->remsock, buf+offset, len, conf.timeouts[STRING_S])!=(ntohs(flap->size)+6)) {RETURN (1106);}
- offset = 0;
- param->statscli64 += len;
-
- if(logintype == ICQMD5) {
-	if(readflap(param, SERVER, buf, 65550)) {RETURN (1112);}
-	mystate.srvseq = ntohs(flap->seq) + 1;
-	flap->seq = htons(mystate.seq);
-	mystate.seq++;
-	len = ntohs(flap->size) + 6;
-	if((res=handledatfltsrv(param,  &buf, &buflen, offset, &len))!=PASS) RETURN(res);
-	if(socksend(param->clisock, buf+offset, len, conf.timeouts[STRING_S])!=len) {RETURN (1113);}
-	offset = 0;
-
-	if(readflap(param, CLIENT, buf, 65550)) {RETURN (1114);}
-	len = ntohs(flap->size) + 6;
-	if((res=handledatfltcli(param,  &buf, &buflen, offset, &len))!=PASS) RETURN(res);
-	if(socksend(param->remsock, buf+offset, len, conf.timeouts[STRING_S])!=len) {RETURN (1115);}
-	param->statscli64 += len;
-	offset = 0;
- }
- if(logintype != ICQCOOKIE) {
-	if(readflap(param, SERVER, buf, 65550)) {RETURN (1116);}
-	mystate.srvseq = ntohs(flap->seq) + 1;
-	flap->seq = htons(mystate.seq);
-	mystate.seq++;
-	len = ntohs(flap->size);
-
-	if(!param->username) {RETURN (1117);}
-	if(flap->chan == 1 || flap->chan == 4){
-		if(flap->data[0] == 0 && flap->data[1] == 0 && flap->data[2] == 0 && flap->data[3] == 1){
-			tlv = (struct tlv_header *)(flap->data + 4);
-			len -= 4;
-		}
-		else 
-			tlv = (struct tlv_header *)(flap->data);
-	}
-	else {
-		tlv = (struct tlv_header *)(flap->data + 10);
-		len -= 10;
-	} 
-
-	len1 = ntohs(flap->size);
-	if(searchcookie(param, flap, len, &len1, tlv, 0)){RETURN (1118);}
-
-	len = ntohs(flap->size) + 6;
-	if((res=handledatfltsrv(param,  &buf, &buflen, offset, &len))!=PASS) RETURN(res);
-	if(socksend(param->clisock, buf+offset, len, conf.timeouts[STRING_S])!=len) {RETURN (1117);}
-	offset = 0;
- }
-
- param->ndatfilterssrv++;
- newfilters = myalloc(param->ndatfilterssrv * sizeof(struct filterp *));
- if(param->ndatfilterssrv > 1){
-	memcpy(newfilters, param->datfilterssrv, (param->ndatfilterssrv - 1) * sizeof(struct filterp *));
-	myfree(param->datfilterssrv);
- }
- param->datfilterssrv = newfilters;
- newfilters[param->ndatfilterssrv - 1] = &icqfilterp;
-
- param->res = sockmap(param, conf.timeouts[CONNECTION_L]);
-
- param->ndatfilterssrv--;
-
-CLEANRET:
- 
- 
- (*param->srv->logfunc)(param, NULL);
- freeparam(param);
- if(buf) myfree(buf);
- return (NULL);
-}
-
-#ifdef WITHMAIN
-struct proxydef childdef = {
-	icqprchild,
-	0,
-	0,
-	S_ICQPR,
-	""
-};
-#include "proxymain.c"
-#endif

src/libs/regex.h

@@ -1,74 +0,0 @@
-/*
-
-  Minimal version of Henry Spencer's regex library 
-  with minor modifications
-
-*/
-
-
-#ifndef _REGEX_H_
-#define	_REGEX_H_
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-typedef off_t regoff_t;
-typedef struct {
-	int re_magic;
-	size_t re_nsub;		/* number of parenthesized subexpressions */
-	const char *re_endp;	/* end pointer for REG_PEND */
-	struct re_guts *re_g;	/* none of your business :-) */
-} regex_t;
-typedef struct {
-	regoff_t rm_so;		/* start of match */
-	regoff_t rm_eo;		/* end of match */
-} regmatch_t;
-
-
-extern int regcomp(regex_t *, const char *, int);
-#define	REG_BASIC	0000
-#define	REG_EXTENDED	0001
-#define	REG_ICASE	0002
-#define	REG_NOSUB	0004
-#define	REG_NEWLINE	0010
-#define	REG_NOSPEC	0020
-#define	REG_PEND	0040
-#define	REG_DUMP	0200
-
-
-#define	REG_OKAY	 0
-#define	REG_NOMATCH	 1
-#define	REG_BADPAT	 2
-#define	REG_ECOLLATE	 3
-#define	REG_ECTYPE	 4
-#define	REG_EESCAPE	 5
-#define	REG_ESUBREG	 6
-#define	REG_EBRACK	 7
-#define	REG_EPAREN	 8
-#define	REG_EBRACE	 9
-#define	REG_BADBR	10
-#define	REG_ERANGE	11
-#define	REG_ESPACE	12
-#define	REG_BADRPT	13
-#define	REG_EMPTY	14
-#define	REG_ASSERT	15
-#define	REG_INVARG	16
-#define	REG_ATOI	255	/* convert name to number (!) */
-#define	REG_ITOA	0400	/* convert number to name (!) */
-
-
-extern int regexec(const regex_t *, const char *, size_t, regmatch_t [], int);
-#define	REG_NOTBOL	00001
-#define	REG_NOTEOL	00002
-#define	REG_STARTEND	00004
-#define	REG_TRACE	00400	/* tracing of execution */
-#define	REG_LARGE	01000	/* force large representation */
-#define	REG_BACKR	02000	/* force use of backref code */
-
-
-extern void regfree(regex_t *);
-
-#ifdef __cplusplus
-}
-#endif
-#endif

src/libs/smbdes.c

@@ -1,321 +0,0 @@
-/* 
-   Unix SMB/CIFS implementation.
-
-   a partial implementation of DES designed for use in the 
-   SMB authentication protocol
-
-   Copyright (C) Andrew Tridgell 1998
-   
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 2 of the License, or
-   (at your option) any later version.
-   
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-   
-   You should have received a copy of the GNU General Public License
-   along with this program; if not, write to the Free Software
-   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include <string.h>
-#include <ctype.h>
-
-
-#define uchar unsigned char
-
-static const uchar perm1[56] = {57, 49, 41, 33, 25, 17,  9,
-			 1, 58, 50, 42, 34, 26, 18,
-			10,  2, 59, 51, 43, 35, 27,
-			19, 11,  3, 60, 52, 44, 36,
-			63, 55, 47, 39, 31, 23, 15,
-			 7, 62, 54, 46, 38, 30, 22,
-			14,  6, 61, 53, 45, 37, 29,
-			21, 13,  5, 28, 20, 12,  4};
-
-static const uchar perm2[48] = {14, 17, 11, 24,  1,  5,
-                         3, 28, 15,  6, 21, 10,
-                        23, 19, 12,  4, 26,  8,
-                        16,  7, 27, 20, 13,  2,
-                        41, 52, 31, 37, 47, 55,
-                        30, 40, 51, 45, 33, 48,
-                        44, 49, 39, 56, 34, 53,
-                        46, 42, 50, 36, 29, 32};
-
-static const uchar perm3[64] = {58, 50, 42, 34, 26, 18, 10,  2,
-			60, 52, 44, 36, 28, 20, 12,  4,
-			62, 54, 46, 38, 30, 22, 14,  6,
-			64, 56, 48, 40, 32, 24, 16,  8,
-			57, 49, 41, 33, 25, 17,  9,  1,
-			59, 51, 43, 35, 27, 19, 11,  3,
-			61, 53, 45, 37, 29, 21, 13,  5,
-			63, 55, 47, 39, 31, 23, 15,  7};
-
-static const uchar perm4[48] = {   32,  1,  2,  3,  4,  5,
-                            4,  5,  6,  7,  8,  9,
-                            8,  9, 10, 11, 12, 13,
-                           12, 13, 14, 15, 16, 17,
-                           16, 17, 18, 19, 20, 21,
-                           20, 21, 22, 23, 24, 25,
-                           24, 25, 26, 27, 28, 29,
-                           28, 29, 30, 31, 32,  1};
-
-static const uchar perm5[32] = {      16,  7, 20, 21,
-                              29, 12, 28, 17,
-                               1, 15, 23, 26,
-                               5, 18, 31, 10,
-                               2,  8, 24, 14,
-                              32, 27,  3,  9,
-                              19, 13, 30,  6,
-                              22, 11,  4, 25};
-
-
-static const uchar perm6[64] ={ 40,  8, 48, 16, 56, 24, 64, 32,
-                        39,  7, 47, 15, 55, 23, 63, 31,
-                        38,  6, 46, 14, 54, 22, 62, 30,
-                        37,  5, 45, 13, 53, 21, 61, 29,
-                        36,  4, 44, 12, 52, 20, 60, 28,
-                        35,  3, 43, 11, 51, 19, 59, 27,
-                        34,  2, 42, 10, 50, 18, 58, 26,
-                        33,  1, 41,  9, 49, 17, 57, 25};
-
-
-static const uchar sc[16] = {1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1};
-
-static const uchar sbox[8][4][16] = {
-	{{14,  4, 13,  1,  2, 15, 11,  8,  3, 10,  6, 12,  5,  9,  0,  7},
-	 {0, 15,  7,  4, 14,  2, 13,  1, 10,  6, 12, 11,  9,  5,  3,  8},
-	 {4,  1, 14,  8, 13,  6,  2, 11, 15, 12,  9,  7,  3, 10,  5,  0},
-	 {15, 12,  8,  2,  4,  9,  1,  7,  5, 11,  3, 14, 10,  0,  6, 13}},
-
-	{{15,  1,  8, 14,  6, 11,  3,  4,  9,  7,  2, 13, 12,  0,  5, 10},
-	 {3, 13,  4,  7, 15,  2,  8, 14, 12,  0,  1, 10,  6,  9, 11,  5},
-	 {0, 14,  7, 11, 10,  4, 13,  1,  5,  8, 12,  6,  9,  3,  2, 15},
-	 {13,  8, 10,  1,  3, 15,  4,  2, 11,  6,  7, 12,  0,  5, 14,  9}},
-
-	{{10,  0,  9, 14,  6,  3, 15,  5,  1, 13, 12,  7, 11,  4,  2,  8},
-	 {13,  7,  0,  9,  3,  4,  6, 10,  2,  8,  5, 14, 12, 11, 15,  1},
-	 {13,  6,  4,  9,  8, 15,  3,  0, 11,  1,  2, 12,  5, 10, 14,  7},
-	 {1, 10, 13,  0,  6,  9,  8,  7,  4, 15, 14,  3, 11,  5,  2, 12}},
-
-	{{7, 13, 14,  3,  0,  6,  9, 10,  1,  2,  8,  5, 11, 12,  4, 15},
-	 {13,  8, 11,  5,  6, 15,  0,  3,  4,  7,  2, 12,  1, 10, 14,  9},
-	 {10,  6,  9,  0, 12, 11,  7, 13, 15,  1,  3, 14,  5,  2,  8,  4},
-	 {3, 15,  0,  6, 10,  1, 13,  8,  9,  4,  5, 11, 12,  7,  2, 14}},
-
-	{{2, 12,  4,  1,  7, 10, 11,  6,  8,  5,  3, 15, 13,  0, 14,  9},
-	 {14, 11,  2, 12,  4,  7, 13,  1,  5,  0, 15, 10,  3,  9,  8,  6},
-	 {4,  2,  1, 11, 10, 13,  7,  8, 15,  9, 12,  5,  6,  3,  0, 14},
-	 {11,  8, 12,  7,  1, 14,  2, 13,  6, 15,  0,  9, 10,  4,  5,  3}},
-
-	{{12,  1, 10, 15,  9,  2,  6,  8,  0, 13,  3,  4, 14,  7,  5, 11},
-	 {10, 15,  4,  2,  7, 12,  9,  5,  6,  1, 13, 14,  0, 11,  3,  8},
-	 {9, 14, 15,  5,  2,  8, 12,  3,  7,  0,  4, 10,  1, 13, 11,  6},
-	 {4,  3,  2, 12,  9,  5, 15, 10, 11, 14,  1,  7,  6,  0,  8, 13}},
-
-	{{4, 11,  2, 14, 15,  0,  8, 13,  3, 12,  9,  7,  5, 10,  6,  1},
-	 {13,  0, 11,  7,  4,  9,  1, 10, 14,  3,  5, 12,  2, 15,  8,  6},
-	 {1,  4, 11, 13, 12,  3,  7, 14, 10, 15,  6,  8,  0,  5,  9,  2},
-	 {6, 11, 13,  8,  1,  4, 10,  7,  9,  5,  0, 15, 14,  2,  3, 12}},
-
-	{{13,  2,  8,  4,  6, 15, 11,  1, 10,  9,  3, 14,  5,  0, 12,  7},
-	 {1, 15, 13,  8, 10,  3,  7,  4, 12,  5,  6, 11,  0, 14,  9,  2},
-	 {7, 11,  4,  1,  9, 12, 14,  2,  0,  6, 10, 13, 15,  3,  5,  8},
-	 {2,  1, 14,  7,  4, 10,  8, 13, 15, 12,  9,  0,  3,  5,  6, 11}}};
-
-static void permute(char *out, const char *in, const uchar *p, int n)
-{
-	int i;
-	for (i=0;i<n;i++)
-		out[i] = in[p[i]-1];
-}
-
-static void lshift(char *d, int count, int n)
-{
-	char out[64];
-	int i;
-	for (i=0;i<n;i++)
-		out[i] = d[(i+count)%n];
-	for (i=0;i<n;i++)
-		d[i] = out[i];
-}
-
-static void concat(char *out, char *in1, char *in2, int l1, int l2)
-{
-	while (l1--)
-		*out++ = *in1++;
-	while (l2--)
-		*out++ = *in2++;
-}
-
-static void xor(char *out, char *in1, char *in2, int n)
-{
-	int i;
-	for (i=0;i<n;i++)
-		out[i] = in1[i] ^ in2[i];
-}
-
-static void dohash(char *out, char *in, char *key)
-{
-	int i, j, k;
-	char pk1[56];
-	char c[28];
-	char d[28];
-	char cd[56];
-	char ki[16][48];
-	char pd1[64];
-	char l[32], r[32];
-	char rl[64];
-
-	permute(pk1, key, perm1, 56);
-
-	for (i=0;i<28;i++)
-		c[i] = pk1[i];
-	for (i=0;i<28;i++)
-		d[i] = pk1[i+28];
-
-	for (i=0;i<16;i++) {
-		lshift(c, sc[i], 28);
-		lshift(d, sc[i], 28);
-
-		concat(cd, c, d, 28, 28); 
-		permute(ki[i], cd, perm2, 48); 
-	}
-
-	permute(pd1, in, perm3, 64);
-
-	for (j=0;j<32;j++) {
-		l[j] = pd1[j];
-		r[j] = pd1[j+32];
-	}
-
-	for (i=0;i<16;i++) {
-		char er[48];
-		char erk[48];
-		char b[8][6];
-		char cb[32];
-		char pcb[32];
-		char r2[32];
-
-		permute(er, r, perm4, 48);
-
-		xor(erk, er, ki[i], 48);
-
-		for (j=0;j<8;j++)
-			for (k=0;k<6;k++)
-				b[j][k] = erk[j*6 + k];
-
-		for (j=0;j<8;j++) {
-			int m, n;
-			m = (b[j][0]<<1) | b[j][5];
-
-			n = (b[j][1]<<3) | (b[j][2]<<2) | (b[j][3]<<1) | b[j][4]; 
-
-			for (k=0;k<4;k++) 
-				b[j][k] = (sbox[j][m][n] & (1<<(3-k)))?1:0; 
-		}
-
-		for (j=0;j<8;j++)
-			for (k=0;k<4;k++)
-				cb[j*4+k] = b[j][k];
-		permute(pcb, cb, perm5, 32);
-
-		xor(r2, l, pcb, 32);
-
-		for (j=0;j<32;j++)
-			l[j] = r[j];
-
-		for (j=0;j<32;j++)
-			r[j] = r2[j];
-	}
-
-	concat(rl, r, l, 32, 32);
-
-	permute(out, rl, perm6, 64);
-}
-
-static void str_to_key(unsigned char *str,unsigned char *key)
-{
-	int i;
-
-	key[0] = str[0]>>1;
-	key[1] = ((str[0]&0x01)<<6) | (str[1]>>2);
-	key[2] = ((str[1]&0x03)<<5) | (str[2]>>3);
-	key[3] = ((str[2]&0x07)<<4) | (str[3]>>4);
-	key[4] = ((str[3]&0x0F)<<3) | (str[4]>>5);
-	key[5] = ((str[4]&0x1F)<<2) | (str[5]>>6);
-	key[6] = ((str[5]&0x3F)<<1) | (str[6]>>7);
-	key[7] = str[6]&0x7F;
-	for (i=0;i<8;i++) {
-		key[i] = (key[i]<<1);
-	}
-}
-
-
-static void smbhash(unsigned char *out, const unsigned char *in, unsigned char *key)
-{
-	int i;
-	char outb[64];
-	char inb[64];
-	char keyb[64];
-	unsigned char key2[8];
-
-	str_to_key(key, key2);
-
-	for (i=0;i<64;i++) {
-		inb[i] = (in[i/8] & (1<<(7-(i%8)))) ? 1 : 0;
-		keyb[i] = (key2[i/8] & (1<<(7-(i%8)))) ? 1 : 0;
-		outb[i] = 0;
-	}
-
-	dohash(outb, inb, keyb);
-
-	for (i=0;i<8;i++) {
-		out[i] = 0;
-	}
-
-	for (i=0;i<64;i++) {
-		if (outb[i])
-			out[i/8] |= (1<<(7-(i%8)));
-	}
-}
-
-/*
- *	Converts the password to uppercase, and creates the LM
- *	password hash.
- */
-void lmpwdhash(const unsigned char *password,unsigned char *lmhash)
-{
-	int i;
-	unsigned char p14[14];
-	static unsigned char sp8[8] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25};
-
-	memset(p14, 0, sizeof(p14));
-	for (i = 0; i < 14 && password[i]; i++) {
-		p14[i] = toupper((int) password[i]);
-	}
-
-	smbhash(lmhash, sp8, p14);
-	smbhash(lmhash+8, sp8, p14+7);
-}
-
-/*
- *	Take the NT or LM password, and return the MSCHAP response
- *
- *	The win_password MUST be exactly 16 bytes long.
- */
-void mschap(const unsigned char *win_password,
-		 const unsigned char *challenge, unsigned char *response)
-{
-	unsigned char p21[21];
-
-	memset(p21, 0, sizeof(p21));
-	memcpy(p21, win_password, 16);
-
-	smbhash(response, challenge, p21);
-	smbhash(response+8, challenge, p21+7);
-	smbhash(response+16, challenge, p21+14);
-}

src/log.c

@@ -0,0 +1,354 @@
+/*
+   3APA3A simpliest proxy server
+   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
+
+   please read License Agreement
+
+*/
+
+
+
+
+#include "proxy.h"
+pthread_mutex_t log_mutex;
+int havelog = 0;
+
+
+struct clientparam logparam;
+struct srvparam logsrv;
+
+
+
+void dolog(struct clientparam * param, const unsigned char *s){
+	static int init = 0;
+
+	if(param)param->srv->logfunc(param, s);
+	else {
+		if(!init){
+			srvinit(&logsrv, &logparam);
+			init = 1;
+		}
+		logstdout(&logparam, s);
+	}
+}
+
+
+void clearstat(struct clientparam * param) {
+
+#ifdef _WIN32
+	struct timeb tb;
+
+	ftime(&tb);
+	param->time_start = (time_t)tb.time;
+	param->msec_start = (unsigned)tb.millitm;
+
+#else
+	struct timeval tv;
+	struct timezone tz;
+	gettimeofday(&tv, &tz);
+
+	param->time_start = (time_t)tv.tv_sec;
+	param->msec_start = (tv.tv_usec / 1000);
+#endif
+	param->statscli64 = param->statssrv64 = param->nreads = param->nwrites =
+		param->nconnects = 0;
+}
+
+
+char months[12][4] = {
+	"Jan", "Feb", "Mar", "Apr", "May", "Jun",
+	"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
+};
+
+
+int dobuf2(struct clientparam * param, unsigned char * buf, const unsigned char *s, const unsigned char * doublec, struct tm* tm, char * format){
+	int i, j;
+	int len;
+	time_t sec;
+	unsigned msec;
+
+	long timezone;
+	unsigned delay;
+
+
+
+#ifdef _WIN32
+	struct timeb tb;
+
+	ftime(&tb);
+	sec = (time_t)tb.time;
+	msec = (unsigned)tb.millitm;
+	timezone = tm->tm_isdst*60 - tb.timezone;
+
+#else
+	struct timeval tv;
+	struct timezone tz;
+	gettimeofday(&tv, &tz);
+
+	sec = (time_t)tv.tv_sec;
+	msec = tv.tv_usec / 1000;
+#ifdef _SOLARIS
+	timezone = -altzone / 60;
+#else
+	timezone = tm->tm_gmtoff / 60;
+#endif
+#endif
+
+	delay = param->time_start?((unsigned) ((sec - param->time_start))*1000 + msec) - param->msec_start : 0;
+	*buf = 0;
+	for(i=0, j=0; format[j] && i < 4040; j++){
+		if(format[j] == '%' && format[j+1]){
+			j++;
+			switch(format[j]){
+				case '%':
+				 buf[i++] = '%';
+				 break;
+				case 'y':
+				 sprintf((char *)buf+i, "%.2d", tm->tm_year%100);
+				 i+=2;
+				 break;
+				case 'Y':
+				 sprintf((char *)buf+i, "%.4d", tm->tm_year+1900);
+				 i+=4;
+				 break;
+				case 'm':
+				 sprintf((char *)buf+i, "%.2d", tm->tm_mon+1);
+				 i+=2;
+				 break;
+				case 'o':
+				 sprintf((char *)buf+i, "%s", months[tm->tm_mon]);
+				 i+=3;
+				 break;
+				case 'd':
+				 sprintf((char *)buf+i, "%.2d", tm->tm_mday);
+				 i+=2;
+				 break;
+				case 'H':
+				 sprintf((char *)buf+i, "%.2d", tm->tm_hour);
+				 i+=2;
+				 break;
+				case 'M':
+				 sprintf((char *)buf+i, "%.2d", tm->tm_min);
+				 i+=2;
+				 break;
+				case 'S':
+				 sprintf((char *)buf+i, "%.2d", tm->tm_sec);
+				 i+=2;
+				 break;
+				case 't':
+				 sprintf((char *)buf+i, "%.10u", (unsigned)sec);
+				 i+=10;
+				 break;
+				case 'b':
+				 i+=sprintf((char *)buf+i, "%u", delay?(unsigned)(param->statscli64 * 1000./delay):0);
+				 break;
+				case 'B':
+				 i+=sprintf((char *)buf+i, "%u", delay?(unsigned)(param->statssrv64 * 1000./delay):0);
+				 break;				 
+				case 'D':
+				 i+=sprintf((char *)buf+i, "%u", delay);
+				 break;
+				case '.':
+				 sprintf((char *)buf+i, "%.3u", msec);
+				 i+=3;
+				 break;
+				case 'z':
+				 sprintf((char *)buf+i, "%+.2ld%.2u", timezone / 60, (unsigned)(timezone%60));
+				 i+=5;
+				 break;
+				case 'U':
+				 if(param->username && *param->username){
+					for(len = 0; i< 4000 && param->username[len]; len++){
+					 buf[i] = param->username[len];
+					 if(param->srv->nonprintable && (buf[i] < 0x20 || strchr((char *)param->srv->nonprintable, buf[i]))) buf[i] = param->srv->replace;
+					 if(doublec && strchr((char *)doublec, buf[i])) {
+						buf[i+1] = buf[i];
+						i++;
+					 }
+					 i++;
+					}
+				 }
+				 else {
+					buf[i++] = '-';
+				 }
+				 break;
+				case 'n':
+					len = param->hostname? (int)strlen((char *)param->hostname) : 0;
+					if (len > 0 && !strchr((char *)param->hostname, ':')) for(len = 0; param->hostname[len] && i < 4000; len++, i++){
+						buf[i] = param->hostname[len];
+					 	if(param->srv->nonprintable && (buf[i] < 0x20 || strchr((char *)param->srv->nonprintable, buf[i]))) buf[i] = param->srv->replace;
+						if(doublec && strchr((char *)doublec, buf[i])) {
+							buf[i+1] = buf[i];
+							i++;
+						}
+					}
+					else {
+						buf[i++] = '[';
+						i += myinet_ntop(*SAFAMILY(&param->req), SAADDR(&param->req), (char *)buf + i, 64);
+						buf[i++] = ']';
+					}
+					break;
+
+				case 'N':
+				 if(param->service < 15) {
+					 len = (conf.stringtable)? (int)strlen((char *)conf.stringtable[SERVICES + param->service]) : 0;
+					 if(len > 20) len = 20;
+					 memcpy(buf+i, (len)?conf.stringtable[SERVICES + param->service]:(unsigned char*)"-", (len)?len:1);
+					 i += (len)?len:1;
+				 }
+				 break;
+				case 'E':
+				 sprintf((char *)buf+i, "%.05d", param->res);
+				 i += 5;
+				 break;
+				case 'T':
+				 if(s){
+					for(len = 0; i<4000 && s[len]; len++){
+					 buf[i] = s[len];
+					 if(param->srv->nonprintable && (buf[i] < 0x20 || strchr((char *)param->srv->nonprintable, buf[i]))) buf[i] = param->srv->replace;
+					 if(doublec && strchr((char *)doublec, buf[i])) {
+						buf[i+1] = buf[i];
+						i++;
+					 }
+					 i++;
+					}
+				 }
+				 break;
+				case 'e':
+				 i += myinet_ntop(*SAFAMILY(&param->sinsl), SAADDR(&param->sinsl), (char *)buf + i, 64);
+				 break;
+				case 'i':
+				 i += myinet_ntop(*SAFAMILY(&param->sincl), SAADDR(&param->sincl), (char *)buf + i, 64);
+				 break;
+				case 'C':
+				 i += myinet_ntop(*SAFAMILY(&param->sincr), SAADDR(&param->sincr), (char *)buf + i, 64);
+				 break;
+				case 'R':
+				 i += myinet_ntop(*SAFAMILY(&param->sinsr), SAADDR(&param->sinsr), (char *)buf + i, 64);
+				 break;
+				case 'Q':
+				 i += myinet_ntop(*SAFAMILY(&param->req), SAADDR(&param->req), (char *)buf + i, 64);
+				 break;
+				case 'p':
+				 sprintf((char *)buf+i, "%hu", ntohs(*SAPORT(&param->srv->intsa)));
+				 i += (int)strlen((char *)buf+i);
+				 break;
+				case 'c':
+				 sprintf((char *)buf+i, "%hu", ntohs(*SAPORT(&param->sincr)));
+				 i += (int)strlen((char *)buf+i);
+				 break;
+				case 'r':
+				 sprintf((char *)buf+i, "%hu", ntohs(*SAPORT(&param->sinsr)));
+				 i += (int)strlen((char *)buf+i);
+				 break;
+				case 'q':
+				 sprintf((char *)buf+i, "%hu", ntohs(*SAPORT(&param->req)));
+				 i += (int)strlen((char *)buf+i);
+				 break;
+				case 'L':
+				 sprintf((char *)buf+i, "%"PRINTF_INT64_MODIFIER"u", param->cycles);
+				 i += (int)strlen((char *)buf+i);
+				 break;
+				case 'I':
+				 sprintf((char *)buf+i, "%"PRINTF_INT64_MODIFIER"u", param->statssrv64);
+				 i += (int)strlen((char *)buf+i);
+				 break;
+				case 'O':
+				 sprintf((char *)buf+i, "%"PRINTF_INT64_MODIFIER"u", param->statscli64);
+				 i += (int)strlen((char *)buf+i);
+				 break;
+				case 'h':
+				 sprintf((char *)buf+i, "%d", param->redirected);
+				 i += (int)strlen((char *)buf+i);
+				 break;
+				case '1':
+				case '2':
+				case '3':
+				case '4':
+				case '5':
+				case '6':
+				case '7':
+				case '8':
+				case '9':
+					{
+						int k, pmin=0, pmax=0;
+						for (k = j; isnumber(format[k]); k++);
+						if(format[k] == '-' && isnumber(format[k+1])){
+							pmin = atoi(format + j) - 1;
+							k++;
+							pmax = atoi(format + k) -1;
+							for (; isnumber(format[k]); k++);
+							j = k;
+						}
+						if(!s || format[k]!='T') break;
+						for(k = 0, len = 0; s[len] && i < 4000; len++){
+							if(isspace(s[len])){
+								k++;
+								while(isspace(s[len+1]))len++;
+								if(k == pmin) continue;
+							}
+							if(k>=pmin && k<=pmax) {
+								buf[i] = s[len];
+								if(param->srv->nonprintable && (buf[i] < 0x20 || strchr((char *)param->srv->nonprintable, buf[i]))) buf[i] = param->srv->replace;
+								if(doublec && strchr((char *)doublec, buf[i])) {
+									buf[i+1] = buf[i];
+									i++;
+				 				}
+								i++;
+							}
+						}
+						break;
+
+					}
+				default:
+				 buf[i++] = format[j];
+			}
+		}
+		else buf[i++] = format[j];
+	}
+	buf[i] = 0;
+	return i;
+}
+
+int dobuf(struct clientparam * param, unsigned char * buf, const unsigned char *s, const unsigned char * doublec){
+	struct tm* tm;
+	int i;
+	char * format;
+	time_t t;
+
+	time(&t);
+	if(!param) return 0;
+	if(param->trafcountfunc)(*param->trafcountfunc)(param);
+	format = param->srv->logformat?(char *)param->srv->logformat : DEFLOGFORMAT;
+	tm = (*format == 'G' || *format == 'g')?
+		gmtime(&t) : localtime(&t);
+	i = dobuf2(param, buf, s, doublec, tm, format + 1);
+	clearstat(param);
+	return i;
+}
+
+void lognone(struct clientparam * param, const unsigned char *s) {
+	if(param->trafcountfunc)(*param->trafcountfunc)(param);
+	clearstat(param);
+}
+
+void logstdout(struct clientparam * param, const unsigned char *s) {
+	FILE *log;
+	unsigned char tmpbuf[8192];
+
+	dobuf(param, tmpbuf, s, NULL);
+	log = param->srv->stdlog?param->srv->stdlog:conf.stdlog?conf.stdlog:stdout;
+	if(!param->nolog)if(fprintf(log, "%s\n", tmpbuf) < 0) {
+		perror("printf()");
+	};
+	if(log != conf.stdlog)fflush(log);
+}
+#ifndef _WIN32
+void logsyslog(struct clientparam * param, const unsigned char *s) {
+
+	unsigned char tmpbuf[8192];
+	dobuf(param, tmpbuf, s, NULL);
+	if(!param->nolog)syslog(LOG_INFO, "%s", tmpbuf);
+}
+#endif
+