Remove linux futext implementation

Allow to set prefix in cmake, 3proxy_ by default

.github/workflows/build-watcom.yml

@@ -45,7 +45,7 @@ jobs:
        mkdir dist\3proxy\doc\ru
        mkdir dist\3proxy\doc\html
        mkdir dist\3proxy\doc\html\plugins
-       mkdir dist\3proxy\doc\html\man3
+       mkdir dist\3proxy\doc\html\man5
        mkdir dist\3proxy\doc\html\man8
        mkdir dist\3proxy\doc\devel
        copy bin\3proxy.exe dist\3proxy\bin\
@@ -57,7 +57,7 @@ jobs:
        copy doc\html\*.* dist\3proxy\doc\html\
        copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\
        copy doc\html\man8\*.* dist\3proxy\doc\html\man8\
-       copy doc\html\man3\*.* dist\3proxy\doc\html\man3\
+       copy doc\html\man5\*.* dist\3proxy\doc\html\man5\
        copy doc\devel\*.rtf dist\3proxy\doc\devel\
        copy copying dist\3proxy\
        copy authors dist\3proxy\

.github/workflows/build-win32.yml

@@ -51,7 +51,7 @@ jobs:
        mkdir dist\3proxy\doc\ru
        mkdir dist\3proxy\doc\html
        mkdir dist\3proxy\doc\html\plugins
-       mkdir dist\3proxy\doc\html\man3
+       mkdir dist\3proxy\doc\html\man5
        mkdir dist\3proxy\doc\html\man8
        mkdir dist\3proxy\doc\devel
        copy bin\3proxy.exe dist\3proxy\bin\
@@ -63,7 +63,7 @@ jobs:
        copy doc\html\*.* dist\3proxy\doc\html\
        copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\
        copy doc\html\man8\*.* dist\3proxy\doc\html\man8\
-       copy doc\html\man3\*.* dist\3proxy\doc\html\man3\
+       copy doc\html\man5\*.* dist\3proxy\doc\html\man5\
        copy doc\devel\*.rtf dist\3proxy\doc\devel\
        copy copying dist\3proxy\
        copy authors dist\3proxy\

.github/workflows/build-win64.yml

@@ -53,7 +53,7 @@ jobs:
        mkdir dist\3proxy\doc\ru
        mkdir dist\3proxy\doc\html
        mkdir dist\3proxy\doc\html\plugins
-       mkdir dist\3proxy\doc\html\man3
+       mkdir dist\3proxy\doc\html\man5
        mkdir dist\3proxy\doc\html\man8
        mkdir dist\3proxy\doc\devel
        copy bin\3proxy.exe dist\3proxy\bin64\
@@ -65,7 +65,7 @@ jobs:
        copy doc\html\*.* dist\3proxy\doc\html\
        copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\
        copy doc\html\man8\*.* dist\3proxy\doc\html\man8\
-       copy doc\html\man3\*.* dist\3proxy\doc\html\man3\
+       copy doc\html\man5\*.* dist\3proxy\doc\html\man5\
        copy doc\devel\*.rtf dist\3proxy\doc\devel\
        copy copying dist\3proxy\
        copy authors dist\3proxy\

.github/workflows/build-winarm64.yml

@@ -51,7 +51,7 @@ jobs:
        mkdir dist\3proxy\doc\ru
        mkdir dist\3proxy\doc\html
        mkdir dist\3proxy\doc\html\plugins
-       mkdir dist\3proxy\doc\html\man3
+       mkdir dist\3proxy\doc\html\man5
        mkdir dist\3proxy\doc\html\man8
        mkdir dist\3proxy\doc\devel
        copy bin\3proxy.exe dist\3proxy\bin64\
@@ -63,7 +63,7 @@ jobs:
        copy doc\html\*.* dist\3proxy\doc\html\
        copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\
        copy doc\html\man8\*.* dist\3proxy\doc\html\man8\
-       copy doc\html\man3\*.* dist\3proxy\doc\html\man3\
+       copy doc\html\man5\*.* dist\3proxy\doc\html\man5\
        copy doc\devel\*.rtf dist\3proxy\doc\devel\
        copy copying dist\3proxy\
        copy authors dist\3proxy\

.github/workflows/c-cpp-cmake.yml

@@ -2,7 +2,7 @@ name: C/C++ CI cmake
 
 on:
   push:
-    branches: [ "master" ]
+    branches: [ "master", "unix_socket" ]
     paths: [ '**.c', '**.h', '**.cmake', 'CMakeLists.txt', '.github/configs', '.github/workflows/c-cpp-cmake.yml' ]
   pull_request:
     branches: [ "master" ]

.gitignore

@@ -258,3 +258,12 @@ pip-log.txt
 #Mr Developer
 .mr.developer.cfg
 CLAUDE.md
+bin/3proxy_crypt
+bin/3proxy_ftppr
+bin/3proxy_pop3p
+bin/3proxy_proxy
+bin/3proxy_smtpp
+bin/3proxy_socks
+bin/3proxy_tcppm
+bin/3proxy_tlspr
+bin/3proxy_udppm

CHANGELOG

@@ -0,0 +1,11 @@
+3proxy-0.9.6 Released April, 11 2026
+
++ ssl_client and multiple configuration options added to SSLPlugin, SSLPlugin code significantly improved and bugfixed. See https://github.com/3proxy/3proxy/wiki/SSLPlugin. 3proxy can now be used as stunnel replacement for many scenarios.
++ HAProxy proxy protocol v1 support as client and server, add -H option for service to expect HA proxy v1 protocol header, use ha parent type: parent 1000 ha 0.0.0.0 0 to send v1 header.
++ tlspr is supported in auto
++ tlspr supports -s option, it breaks HELLO packet to prevent some DPIs from detecting SNI
++ maxseg configuration option and TCP_MAXSEG socket flag support added. It sets maximum size of TCP segment to fix PathMTU discovery problems
++ -Ne / -Ni options added to specify external / internal NAT address for SOCKSv5
++ cmake environment added
+! External pcre2 (pcre2-8) library is used for PCRE, pcre code is removed from 3proxy
+! Multiple minor bugfixes

CHANGELOG.rus

@@ -0,0 +1,11 @@
+3proxy-0.9.6 Вышел 11 Апреля 2026
+
++ В SSLPlugin добавлены ssl_client и множество опций конфигурации, код SSLPlugin значительно улучшен и исправлен. См. https://github.com/3proxy/3proxy/wiki/SSLPlugin. 3proxy теперь может использоваться как замена stunnel во многих сценариях.
++ Поддержка прокси-протокола HAProxy v1 на стороне клиента и сервера. Добавлена опция -H для сервиса, чтобы ожидать заголовок прокси-протокола HA v1. Используйте тип родителя ha: parent 1000 ha 0.0.0.0 0 для отправки заголовка v1.
++ tlspr поддерживается в режиме auto
++ tlspr поддерживает опцию -s, которая разбивает HELLO-пакет для предотвращения обнаружения SNI некоторыми DPI
++ Добавлена опция конфигурации maxseg и поддержка флага сокета TCP_MAXSEG. Устанавливает максимальный размер TCP-сегмента для решения проблем с обнаружением PathMTU
++ Добавлены опции -Ne / -Ni для указания внешнего/внутреннего NAT-адреса для SOCKSv5
++ Добавлено окружение cmake
+! Внешняя библиотека pcre2 (pcre2-8) используется для PCRE, код pcre удалён из 3proxy
+! Множество мелких исправлений ошибок

CMakeLists.txt

@@ -54,6 +54,28 @@ option(3PROXY_USE_SPLICE "Use Linux splice() for zero-copy (Linux only)" ON)
 option(3PROXY_USE_POLL "Use poll() instead of select() (Unix only)" ON)
 option(3PROXY_USE_WSAPOLL "Use WSAPoll instead of select() (Windows only)" ON)
 option(3PROXY_USE_NETFILTER "Enable Linux netfilter support (Linux only)" ON)
+option(3PROXY_USE_UNIX_SOCKETS "Enable Unix domain socket support (Unix only)" ON)
+
+# Binary name prefix for standalone modules and crypt (default: 3proxy_)
+# For crypt: if prefix is empty, "my" is used instead (→ mycrypt)
+set(3PROXY_BINARY_PREFIX "3proxy_" CACHE STRING "Prefix for standalone module and crypt binary names")
+
+# Standalone module build options (OFF by default)
+option(3PROXY_BUILD_ALL   "Build all standalone binaries"   OFF)
+option(3PROXY_BUILD_PROXY  "Build standalone proxy binary"  OFF)
+option(3PROXY_BUILD_SOCKS  "Build standalone socks binary"  OFF)
+option(3PROXY_BUILD_POP3P  "Build standalone pop3p binary"  OFF)
+option(3PROXY_BUILD_SMTPP  "Build standalone smtpp binary"  OFF)
+option(3PROXY_BUILD_FTPPR  "Build standalone ftppr binary"  OFF)
+option(3PROXY_BUILD_TCPPM  "Build standalone tcppm binary"  OFF)
+option(3PROXY_BUILD_UDPPM  "Build standalone udppm binary"  OFF)
+option(3PROXY_BUILD_TLSPR  "Build standalone tlspr binary"  OFF)
+
+if(3PROXY_BUILD_ALL)
+    foreach(_M PROXY SOCKS POP3P SMTPP FTPPR TCPPM UDPPM TLSPR)
+        set(3PROXY_BUILD_${_M} ON)
+    endforeach()
+endif()
 
 # Output directory
 set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/bin)
@@ -159,10 +181,15 @@ elseif(CMAKE_SYSTEM_NAME STREQUAL "Linux")
         add_compile_definitions(WITH_NETFILTER)
     endif()
 
+    if(3PROXY_USE_UNIX_SOCKETS)
+        add_compile_definitions(WITH_UN)
+    endif()
+
     set(DEFAULT_PLUGINS
         StringsPlugin
         TrafficPlugin
         TransparentPlugin
+        FilePlugin
     )
 
 elseif(CMAKE_SYSTEM_NAME MATCHES "FreeBSD|Darwin|OpenBSD|NetBSD")
@@ -176,10 +203,15 @@ elseif(CMAKE_SYSTEM_NAME MATCHES "FreeBSD|Darwin|OpenBSD|NetBSD")
         add_compile_options(-fno-strict-aliasing)
     endif()
 
+    if(3PROXY_USE_UNIX_SOCKETS)
+        add_compile_definitions(WITH_UN)
+    endif()
+
     set(DEFAULT_PLUGINS
         StringsPlugin
         TrafficPlugin
         TransparentPlugin
+        FilePlugin
     )
 
 else()
@@ -188,10 +220,15 @@ else()
         add_compile_options(-fno-strict-aliasing)
     endif()
 
+    if(3PROXY_USE_UNIX_SOCKETS)
+        add_compile_definitions(WITH_UN)
+    endif()
+
     set(DEFAULT_PLUGINS
         StringsPlugin
         TrafficPlugin
         TransparentPlugin
+        FilePlugin
     )
 endif()
 
@@ -269,17 +306,25 @@ endif()
 set(3PROXY_CORE_SOURCES
     src/3proxy.c
     src/auth.c
+    src/acl.c
+    src/limiter.c
+    src/redirect.c
     src/authradius.c
+    src/hash.c
+    src/hashtables.c
+    src/resolve.c
+    src/sql.c
     src/conf.c
     src/datatypes.c
     src/plugins.c
     src/stringtable.c
 )
 
-# MD4/MD5 sources for mycrypt
+# MD4/MD5/BLAKE2 sources for 3proxy_crypt
 set(MD_SOURCES
     src/libs/md4.c
     src/libs/md5.c
+    src/libs/blake2b-ref.c
 )
 
 # ============================================================================
@@ -304,7 +349,7 @@ target_include_directories(base64_obj PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src)
 # These are used by the main 3proxy executable
 # ============================================================================
 
-# Server modules object library (without WITHMAIN)
+# Server modules object library (without WITHMAIN, without UDP)
 add_library(srv_modules OBJECT
     src/proxy.c
     src/pop3p.c
@@ -315,13 +360,17 @@ add_library(srv_modules OBJECT
     src/auto.c
     src/socks.c
     src/webadmin.c
-    src/udppm.c
     src/dnspr.c
 )
 
 target_include_directories(srv_modules PRIVATE
     ${CMAKE_CURRENT_SOURCE_DIR}/src
 )
+# UDP port mapper server module (without WITHMAIN)
+add_library(srvudppm_obj OBJECT src/udppm.c)
+target_include_directories(srvudppm_obj PRIVATE
+    ${CMAKE_CURRENT_SOURCE_DIR}/src
+)
 
 # mainfunc object (proxymain.c compiled with MODULEMAINFUNC=mainfunc for 3proxy)
 add_library(mainfunc OBJECT src/proxymain.c)
@@ -332,9 +381,9 @@ target_compile_definitions(mainfunc PRIVATE MODULEMAINFUNC=mainfunc)
 add_library(ftp_obj OBJECT src/ftp.c)
 target_include_directories(ftp_obj PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src)
 
-# mycrypt object for 3proxy (without WITHMAIN)
+# 3proxy_crypt object for 3proxy (without WITHMAIN)
-add_library(mycrypt_obj OBJECT src/mycrypt.c)
+add_library(3proxy_crypt_obj OBJECT src/3proxy_crypt.c)
-target_include_directories(mycrypt_obj PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src)
+target_include_directories(3proxy_crypt_obj PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src)
 
 # ============================================================================
 # Main 3proxy executable
@@ -345,11 +394,12 @@ add_executable(3proxy
     ${3PROXY_CORE_SOURCES}
     ${MD_SOURCES}
     $<TARGET_OBJECTS:srv_modules>
+    $<TARGET_OBJECTS:srvudppm_obj>
     $<TARGET_OBJECTS:mainfunc>
     $<TARGET_OBJECTS:common_obj>
     $<TARGET_OBJECTS:base64_obj>
     $<TARGET_OBJECTS:ftp_obj>
-    $<TARGET_OBJECTS:mycrypt_obj>
+    $<TARGET_OBJECTS:3proxy_crypt_obj>
 )
 
 target_include_directories(3proxy PRIVATE
@@ -382,21 +432,31 @@ elseif(CMAKE_SYSTEM_NAME STREQUAL "Linux")
     endif()
 endif()
 
-# Build mycrypt utility
+# Build 3proxy_crypt utility
-add_executable(mycrypt
+add_executable(3proxy_crypt
-    src/mycrypt.c
+    src/3proxy_crypt.c
     ${MD_SOURCES}
     $<TARGET_OBJECTS:base64_obj>
 )
-target_compile_definitions(mycrypt PRIVATE WITHMAIN)
+target_compile_definitions(3proxy_crypt PRIVATE WITHMAIN)
-target_include_directories(mycrypt PRIVATE
+target_include_directories(3proxy_crypt PRIVATE
     ${CMAKE_CURRENT_SOURCE_DIR}/src
     ${CMAKE_CURRENT_SOURCE_DIR}/src/libs
 )
-target_link_libraries(mycrypt PRIVATE Threads::Threads)
+target_link_libraries(3proxy_crypt PRIVATE Threads::Threads)
+if("${3PROXY_BINARY_PREFIX}" STREQUAL "")
+    set_target_properties(3proxy_crypt PROPERTIES OUTPUT_NAME "mycrypt")
+else()
+    set_target_properties(3proxy_crypt PROPERTIES OUTPUT_NAME "${3PROXY_BINARY_PREFIX}crypt")
+endif()
 
 # Build standalone proxy executables
 foreach(PROXY_NAME proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
+    string(TOUPPER "${PROXY_NAME}" _MODULE_OPT)
+    if(NOT 3PROXY_BUILD_${_MODULE_OPT})
+        continue()
+    endif()
+
     if(PROXY_NAME STREQUAL "ftppr" OR PROXY_NAME STREQUAL "proxy")
         # ftppr and proxy use ftp_obj
         add_executable(${PROXY_NAME}
@@ -411,6 +471,10 @@ foreach(PROXY_NAME proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
         )
     endif()
 
+    set_target_properties(${PROXY_NAME} PROPERTIES
+        OUTPUT_NAME "${3PROXY_BINARY_PREFIX}${PROXY_NAME}"
+    )
+
     target_include_directories(${PROXY_NAME} PRIVATE
         ${CMAKE_CURRENT_SOURCE_DIR}/src
     )
@@ -420,6 +484,10 @@ foreach(PROXY_NAME proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
         NOPORTMAP
     )
 
+    if(NOT PROXY_NAME STREQUAL "udppm")
+        target_compile_definitions(${PROXY_NAME} PRIVATE NOUDPMAIN)
+    endif()
+
     target_link_libraries(${PROXY_NAME} PRIVATE Threads::Threads)
 
     if(PROXY_NAME STREQUAL "proxy")
@@ -437,6 +505,10 @@ foreach(PROXY_NAME proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
     if(PROXY_NAME STREQUAL "proxy" OR PROXY_NAME STREQUAL "smtpp")
         target_sources(${PROXY_NAME} PRIVATE $<TARGET_OBJECTS:base64_obj>)
     endif()
+
+    if(PROXY_NAME STREQUAL "udppm")
+        target_sources(${PROXY_NAME} PRIVATE src/hash.c)
+    endif()
 endforeach()
 
 # Plugin output directory
@@ -480,10 +552,19 @@ if(PAM_FOUND)
 endif()
 
 # Installation rules
-install(TARGETS 3proxy mycrypt proxy socks pop3p smtpp ftppr tcppm udppm tlspr
+install(TARGETS 3proxy 3proxy_crypt
     RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}
 )
 
+foreach(PROXY_NAME proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
+    string(TOUPPER "${PROXY_NAME}" _MODULE_OPT)
+    if(3PROXY_BUILD_${_MODULE_OPT})
+        install(TARGETS ${PROXY_NAME}
+            RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}
+        )
+    endif()
+endforeach()
+
 # Install plugins
 file(GLOB PLUGINFILES "${PLUGIN_OUTPUT_DIR}/*${PLUGIN_SUFFIX}")
 if(WIN32)
@@ -617,10 +698,32 @@ endif()
 
 # Install man pages
 if(NOT WIN32)
-    file(GLOB MAN3_FILES "${CMAKE_CURRENT_SOURCE_DIR}/man/*.3")
+    # Config man page (section 5) — no prefix
-    file(GLOB MAN8_FILES "${CMAKE_CURRENT_SOURCE_DIR}/man/*.8")
+    file(GLOB MAN5_FILES "${CMAKE_CURRENT_SOURCE_DIR}/man/*.5")
-    install(FILES ${MAN3_FILES} DESTINATION ${CMAKE_INSTALL_MANDIR}/man3)
+    install(FILES ${MAN5_FILES} DESTINATION ${CMAKE_INSTALL_MANDIR}/man5)
-    install(FILES ${MAN8_FILES} DESTINATION ${CMAKE_INSTALL_MANDIR}/man8)
+    # Main 3proxy man page — no prefix
+    install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/man/3proxy.8"
+        DESTINATION ${CMAKE_INSTALL_MANDIR}/man8
+    )
+    # 3proxy_crypt man page — no prefix (already has 3proxy_)
+    if(EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/man/3proxy_crypt.8")
+        install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/man/3proxy_crypt.8"
+            DESTINATION ${CMAKE_INSTALL_MANDIR}/man8
+        )
+    endif()
+    # Module man pages — installed with binary prefix only if module is built
+    foreach(_MAN proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
+        string(TOUPPER "${_MAN}" _MODULE_OPT)
+        if(3PROXY_BUILD_${_MODULE_OPT})
+            set(_MAN_SRC "${CMAKE_CURRENT_SOURCE_DIR}/man/${_MAN}.8")
+            if(EXISTS "${_MAN_SRC}")
+                install(FILES "${_MAN_SRC}"
+                    DESTINATION ${CMAKE_INSTALL_MANDIR}/man8
+                    RENAME "${3PROXY_BINARY_PREFIX}${_MAN}.8"
+                )
+            endif()
+        endif()
+    endforeach()
 endif()
 
 # Summary
@@ -654,3 +757,10 @@ message(STATUS "    ODBC:    ${ODBC_FOUND}")
 message(STATUS "")
 message(STATUS "  Plugins to build: ${ALL_PLUGINS}")
 message(STATUS "")
+message(STATUS "  Standalone modules:")
+message(STATUS "    Binary prefix:   \"${3PROXY_BINARY_PREFIX}\"")
+foreach(_M proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
+    string(TOUPPER "${_M}" _MO)
+    message(STATUS "    BUILD_${_MO}: ${3PROXY_BUILD_${_MO}}")
+endforeach()
+message(STATUS "")

Dockerfile.busybox

@@ -0,0 +1,57 @@
+# 3proxy.full is fully functional 3proxy build based on busybox:glibc
+#
+# Examples are for podman, for docker change 'podman' to 'docker'
+#
+#to build:
+# podman build -f Dockerfile.busybox -t 3proxy.busybox .
+#to run:
+#
+# echo nserver 8.8.8.8 >/path/to/local/config/directory/3proxy.cfg
+# echo proxy -p3129 >>/path/to/local/config/directory/3proxy.cfg
+# podman run --read-only -p 3129:3129 -v /path/to/local/config/directory:/etc/3proxy --name 3proxy.busybox 3proxy.busybox
+#
+# use "log" without pathname in config to log to stdout.
+# plugins are located in /usr/local/3proxy/libexec (/libexec for chroot config)
+# symlinked as /lib and /lib64 in both root and chroot configurations, so no need
+# to specify full path to plugin. SSLPlugin is supported.
+#
+# Since 0.9.6 image is distroless, no reason to use chroot, chroot
+# configuration is supported for compatibility only.
+
+
+FROM docker.io/gcc AS buildenv
+COPY . 3proxy
+RUN cd 3proxy &&\
+ apt --assume-yes update && apt --assume-yes install libssl-dev libpcre2-dev &&\
+ make -f Makefile.Linux &&\
+ strip bin/3proxy &&\
+ strip bin/*so &&\
+ mkdir /dist &&\
+ mkdir /dist/etc &&\
+ mkdir /dist/etc/3proxy &&\
+ mkdir /dist/bin &&\
+ mkdir /dist/usr &&\
+ mkdir /dist/usr/local &&\
+ mkdir /dist/usr/local/3proxy &&\
+ mkdir /dist/usr/local/3proxy/conf &&\
+ mkdir /dist/usr/local/3proxy/libexec &&\
+ cp bin/3proxy /dist/bin &&\
+ cp bin/*.so /dist/usr/local/3proxy/libexec &&\
+ cp scripts/3proxy.cfg.inchroot /dist/etc/3proxy/3proxy.cfg
+RUN cd /dist &&\
+ ln -s /lib lib64 &&\
+ ln -s /lib usr/lib &&\
+ ln -s /lib usr/lib64 &&\
+ cp /lib64/ld-*.so.* /dist/usr/local/3proxy/libexec &&\
+ cp "/lib/`gcc -dumpmachine`"/libdl.so.* /dist/usr/local/3proxy/libexec &&\
+ cp "/lib/`gcc -dumpmachine`"/libcrypto.so.* /dist/usr/local/3proxy/libexec &&\
+ cp "/lib/`gcc -dumpmachine`"/libssl.so.* /dist/usr/local/3proxy/libexec &&\
+ cp "/lib/`gcc -dumpmachine`"/libpcre2-8.so.* /dist/usr/local/3proxy/libexec &&\
+ cp "/lib/`gcc -dumpmachine`"/libz.so.* /dist/usr/local/3proxy/libexec &&\
+ cp "/lib/`gcc -dumpmachine`"/libzstd.so.* /dist/usr/local/3proxy/libexec &&\
+ ls -lR /dist
+
+FROM docker.io/busybox:glibc
+COPY --from=buildenv /dist /
+RUN ln -sf /usr/local/3proxy/libexec/* /lib/ && cd /usr/local/3proxy/ && ln -s libexec lib && ln -s libexec lib64 && mkdir usr && ln -s libexec usr/lib && ln -s libexec usr//lib64
+CMD ["/bin/3proxy", "/etc/3proxy/3proxy.cfg"]

Dockerfile.full

@@ -1,6 +1,6 @@
-# 3proxy.full is fully functional 3proxy build based on busybox:glibc
+# 3proxy.full is fully functional distroless 3proxy build
 #
-# Example are for podman, for docker change 'podman' to 'docker'
+# Examples are for podman, for docker change 'podman' to 'docker'
 #
 #to build:
 # podman build -f Dockerfile.full -t 3proxy.full .
@@ -8,7 +8,7 @@
 #
 # echo nserver 8.8.8.8 >/path/to/local/config/directory/3proxy.cfg
 # echo proxy -p3129 >>/path/to/local/config/directory/3proxy.cfg
-# podman run --read-only -p 3129:3129 -v /path/to/local/config/directory:/etc/3proxy -name 3proxy.full 3proxy.full
+# podman run --read-only -p 3129:3129 -v /path/to/local/config/directory:/etc/3proxy --name 3proxy.full 3proxy.full
 #
 # use "log" without pathname in config to log to stdout.
 # plugins are located in /usr/local/3proxy/libexec (/libexec for chroot config)
@@ -16,7 +16,7 @@
 # to specify full path to plugin. SSLPlugin is supported.
 #
 # Since 0.9.6 image is distroless, no reason to use chroot, chroot
-# configuration is supported for compatility only.
+# configuration is supported for compatibility only.
 
 
 FROM docker.io/gcc AS buildenv

Makefile.FreeBSD

@@ -5,9 +5,12 @@
 # library support. Add -DSAFESQL for poorely written ODBC library / drivers.
 
 BUILDDIR = ../bin/
+PREFIX ?= 3proxy_
+CRYPT_PREFIX ?= $(PREFIX)
+MANDIR ?= /usr/share/man
 CC ?= cc
 
-CFLAGS := -c -fno-strict-aliasing -DNOODBC  -DFD_SETSIZE=4096 -DWITH_POLL $(CFLAGS)
+CFLAGS := -c -fno-strict-aliasing -DNOODBC  -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_UN  $(CFLAGS)
 COUT = -o 
 LN ?= ${CC}
 LDFLAGS += -pthread -fno-strict-aliasing 
@@ -29,7 +32,7 @@ AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Mak
 TYPECOMMAND = cat
 COMPATLIBS =
 MAKEFILE = Makefile.FreeBSD
-PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin
+PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin FilePlugin
 OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -otestssl testssl.o -lcrypto -lssl 2>/dev/null && rm testssl testssl.o && echo true||echo false)
 ifeq ($(OPENSSL_CHECK), true)
     LIBS += -l crypto -l ssl
@@ -49,14 +52,25 @@ include Makefile.inc
 install: all
 	if [ ! -d "/usr/local/3proxy/bin" ]; then mkdir -p /usr/local/3proxy/bin/; fi
 	install bin/3proxy /usr/local/3proxy/bin/3proxy
-	install bin/mycrypt /usr/local/3proxy/bin/mycrypt
+	install bin/$(CRYPT_PREFIX)crypt /usr/local/3proxy/bin/$(CRYPT_PREFIX)crypt
+	for f in proxy socks pop3p smtpp ftppr tcppm udppm tlspr; do \
+	  if [ -f bin/$(PREFIX)$$f ]; then install bin/$(PREFIX)$$f /usr/local/3proxy/bin/$(PREFIX)$$f; fi; \
+	done
 	install scripts/rc.d/3proxy /usr/local/etc/rc.d/3proxy
 	install scripts/add3proxyuser.sh /usr/local/3proxy/bin/
-	if [ -s /usr/local/etc/3proxy/3proxy.cfg ]; then /usr/local/3proxy/3proxy.cfg already exists ; else install scripts/3proxy.cfg /usr/local/etc/3proxy/; fi
+	if [ -s /usr/local/etc/3proxy/3proxy.cfg ]; then echo /usr/local/3proxy/3proxy.cfg already exists; else install scripts/3proxy.cfg /usr/local/etc/3proxy/; fi
 	if [ ! -d /var/log/3proxy/ ]; then mkdir /var/log/3proxy/; fi
 	touch /usr/local/3proxy/passwd
 	touch /usr/local/3proxy/counters
 	touch /usr/local/3proxy/bandlimiters
+	install -d $(MANDIR)/man8
+	install -m 644 man/3proxy.8 $(MANDIR)/man8/3proxy.8
+	for f in proxy socks pop3p smtpp ftppr tcppm udppm tlspr; do \
+	  if [ -f man/$$f.8 ]; then install -m 644 man/$$f.8 $(MANDIR)/man8/$(PREFIX)$$f.8; fi; \
+	done
+	install -m 644 man/3proxy_crypt.8 $(MANDIR)/man8
+	install -d $(MANDIR)/man5
+	install -m 644 man/3proxy.cfg.5 $(MANDIR)/man5/3proxy.cfg.5
 	echo Run /usr/local/3proxy/bin/add3proxyuser.sh to add \'admin\' user
 
 allplugins:

Makefile.Linux

@@ -5,9 +5,11 @@
 # library support. Add -DSAFESQL for poorely written ODBC library / drivers.
 
 BUILDDIR = ../bin/
+PREFIX ?= 3proxy_
+CRYPT_PREFIX ?= $(PREFIX)
 CC ?= gcc
 
-CFLAGS := -g  -fPIC -O2 -fno-strict-aliasing -c -pthread -DWITHSPLICE -D_GNU_SOURCE -DGETHOSTBYNAME_R -D_THREAD_SAFE -D_REENTRANT -DNOODBC  -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_NETFILTER $(CFLAGS)
+CFLAGS := -g  -fPIC -O2 -fno-strict-aliasing -c -pthread -DWITHSPLICE -D_GNU_SOURCE -DGETHOSTBYNAME_R -D_THREAD_SAFE -D_REENTRANT -DNOODBC  -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_NETFILTER -D WITH_UN $(CFLAGS)
 COUT = -o 
 LN ?= ${CC}
 DCFLAGS ?= 
@@ -32,7 +34,7 @@ MAKEFILE = Makefile.Linux
 #LIBS = -lcrypto -lssl -ldl 
 LIBS ?= -ldl 
 #PLUGINS = SSLPlugin StringsPlugin TrafficPlugin PCREPlugin TransparentPlugin PamAuth
-PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin
+PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin FilePlugin
 OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -otestssl testssl.o -lcrypto -lssl 2>/dev/null && rm testssl testssl.o && echo true||echo false)
 ifeq ($(OPENSSL_CHECK), true)
     LIBS += -l crypto -l ssl
@@ -61,14 +63,15 @@ INSTALL		= /usr/bin/install
 INSTALL_BIN	= $(INSTALL) -m 755
 INSTALL_DATA	= $(INSTALL) -m 644
 INSTALL_OBJS	= bin/3proxy \
-		  bin/ftppr \
+		  bin/$(CRYPT_PREFIX)crypt \
-		  bin/mycrypt \
+		  bin/$(PREFIX)ftppr \
-		  bin/pop3p \
+		  bin/$(PREFIX)pop3p \
-		  bin/proxy \
+		  bin/$(PREFIX)proxy \
-		  bin/socks \
+		  bin/$(PREFIX)smtpp \
-		  bin/tcppm \
+		  bin/$(PREFIX)socks \
-		  bin/udppm \
+		  bin/$(PREFIX)tcppm \
-		  bin/tlspr
+		  bin/$(PREFIX)tlspr \
+		  bin/$(PREFIX)udppm
 		  
 
 INSTALL_CFG	 = scripts/3proxy.cfg.chroot
@@ -82,8 +85,7 @@ INSTALL_SYSTEMD_SCRIPT = scripts/3proxy.service
 
 CHROOTDIR	= $(DESTDIR)$(chroot_prefix)/3proxy
 CHROOTREL	= ../..$(chroot_prefix)/3proxy
-MANDIR1		= $(DESTDIR)$(man_prefix)/man/man1
+MANDIR5		= $(DESTDIR)$(man_prefix)/man/man5
-MANDIR3		= $(DESTDIR)$(man_prefix)/man/man3
 MANDIR8		= $(DESTDIR)$(man_prefix)/man/man8
 BINDIR		= $(DESTDIR)$(exec_prefix)/bin
 ETCDIR		= $(DESTDIR)/etc/3proxy
@@ -126,10 +128,14 @@ install-etc: install-etc-dir install-etc-default-config
 	done;
 
 install-man:
-	$(INSTALL_BIN) -d $(MANDIR3)
+	$(INSTALL_BIN) -d $(MANDIR5)
 	$(INSTALL_BIN) -d $(MANDIR8)
-	$(INSTALL_DATA) man/*.3 $(MANDIR3)
+	$(INSTALL_DATA) man/3proxy.cfg.5 $(MANDIR5)
-	$(INSTALL_DATA) man/*.8 $(MANDIR8)
+	$(INSTALL_DATA) man/3proxy.8 $(MANDIR8)
+	for f in proxy socks pop3p smtpp ftppr tcppm udppm tlspr; do \
+	  if [ -f man/$$f.8 ]; then $(INSTALL_DATA) man/$$f.8 $(MANDIR8)/$(PREFIX)$$f.8; fi; \
+	done
+	$(INSTALL_DATA) man/3proxy_crypt.8 $(MANDIR8)
 
 install-init:
 	$(INSTALL_BIN) -d $(INITDDIR)

Makefile.Solaris

@@ -6,7 +6,7 @@
 # library support. Add -DSAFESQL for poorely written ODBC library / drivers.
 
 BUILDDIR = ../bin/
-CC = cc
+CC ?= cc
 CFLAGS = -xO3 -c -D_SOLARIS -D_THREAD_SAFE -DGETHOSTBYNAME_R -D_REENTRANT -DNOODBC  -DFD_SETSIZE=4096 -DWITH_POLL
 COUT = -o ./
 LN = $(CC)

Makefile.Solaris-gcc

@@ -1,36 +0,0 @@
-#
-# 3 proxy Makefile for Solaris/gcc
-#
-#
-# remove -DNOODBC from CFLAGS and add -lodbc to LDFLAGS to compile with ODBC
-# library support. Add -DSAFESQL for poorely written ODBC library / drivers.
-
-
-BUILDDIR = ../bin/
-CC = gcc
-CFLAGS = -O2 -fno-strict-aliasing -c -D_SOLARIS -D_THREAD_SAFE -DGETHOSTBYNAME_R -D_REENTRANT -DNOODBC  -DFD_SETSIZE=4096 -DWITH_POLL
-COUT = -o ./
-LN = $(CC)
-LDFLAGS = -O3
-DCFLAGS = -fPIC
-DLFLAGS = -shared
-DLSUFFICS = .ld.so
-LIBS = -lpthread -lsocket -lnsl -lresolv -ldl
-LIBSPREFIX = -l
-LIBSSUFFIX = 
-LNOUT = -o ./
-EXESUFFICS =
-OBJSUFFICS = .o
-DEFINEOPTION = -D
-COMPFILES = *~
-REMOVECOMMAND = rm -f
-AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -executable -delete) || true
-TYPECOMMAND = cat
-COMPATLIBS =
-MAKEFILE = Makefile.Solaris-gcc
-PLUGINS = StringsPlugin TrafficPlugin
-
-include Makefile.inc
-
-allplugins:
-	@list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ;	cd ../.. ; done

Makefile.am

@@ -1,2 +0,0 @@
-SUBDIRS = src man
-EXTRA_DIST = doc cfg

Makefile.debug

@@ -1,24 +0,0 @@
-#
-# 3 proxy Makefile for Microsoft Visual C compiler (for both make and nmake)
-#
-
-BUILDDIR = ../bin/
-CC = cl
-CFLAGS = /FD /MDd /nologo /W3 /ZI /Wp64 /GS /Gs /RTCsu /EHs- /GA /GF /DEBUG  /D "_DEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "_WIN32"  /c
-COUT = /Fo
-LN = link
-LDFLAGS = /nologo /subsystem:console /machine:I386 /DEBUG
-LIBS = ws2_32.lib advapi32.lib odbc32.lib user32.lib
-LNOUT = /out:
-EXESUFFICS = .exe
-OBJSUFFICS = .obj
-DEFINEOPTION = /D 
-COMPFILES = *.pch *.idb
-REMOVECOMMAND = del 2>NUL >NUL
-TYPECOMMAND = type
-COMPATLIBS =
-MAKEFILE = Makefile.debug
-
-include Makefile.inc
-
-allplugins:

Makefile.openwrt-mips

@@ -1,113 +0,0 @@
-#
-# 3 proxy Makefile for GCC/Linux/Cygwin
-#
-#
-# remove -DNOODBC from CFLAGS and add -lodbc to LIBS to compile with ODBC
-# library support. Add -DSAFESQL for poorely written ODBC library / drivers.
-
-BUILDDIR = ../bin/
-CC = mips-openwrt-linux-gcc
-
-CFLAGS ?= -g -O2 -fno-strict-aliasing -c -pthread -DGETHOSTBYNAME_R -D_THREAD_SAFE -D_REENTRANT -DNOODBC  -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_NETFILTER
-COUT = -o 
-LN = $(CC)
-DCFLAGS = -fPIC
-LDFLAGS ?= -O2 -fno-strict-aliasing -pthread -s
-DLFLAGS = -shared
-DLSUFFICS = .ld.so
-# -lpthreads may be reuqired on some platforms instead of -pthreads
-LIBSPREFIX = -l
-LIBSSUFFIX = 
-LNOUT = -o 
-EXESUFFICS =
-OBJSUFFICS = .o
-DEFINEOPTION = -D
-COMPFILES = *~
-REMOVECOMMAND = rm -f
-AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -executable -delete) || true
-TYPECOMMAND = cat
-COMPATLIBS =
-MAKEFILE = Makefile.openwrt-mips
-# PamAuth requires libpam, you may require pam-devel package to be installed
-# SSLPlugin requires  -lcrypto -lssl
-#LIBS = -lcrypto -lssl -ldl 
-LIBS ?= -ldl 
-#PLUGINS = SSLPlugin StringsPlugin TrafficPlugin PCREPlugin TransparentPlugin PamAuth
-PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin
-OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l crypto -l ssl -o testssl - 2>/dev/null && rm testssl && echo true||echo false)
-ifeq ($(OPENSSL_CHECK), true)
-    LIBS += -l crypto -l ssl
-    PLUGINS += SSLPlugin
-endif
-PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include <pcre2.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l pcre2-8 -o testpcre - 2>/dev/null && rm testpcre && echo true||echo false)
-ifeq ($(PCRE_CHECK), true)
-    PLUGINS += PCREPlugin
-endif
-PAM_CHECK = $(shell echo "\#include <security/pam_appl.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l pam -o testpam - 2>/dev/null && rm testpam && echo true||echo false)
-ifeq ($(PAM_CHECK), true)
-    PLUGINS += PamAuth
-endif
-
-include Makefile.inc
-
-allplugins:
-	@list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ;	cd ../.. ; done
-
-DESTDIR		=
-prefix		= /usr/local
-exec_prefix	= $(prefix)
-man_prefix	= $(prefix)/share
-
-INSTALL		= /usr/bin/install
-INSTALL_BIN	= $(INSTALL) -m 755
-INSTALL_DATA	= $(INSTALL) -m 644
-INSTALL_OBJS	= src/3proxy \
-		  src/ftppr \
-		  src/mycrypt \
-		  src/pop3p \
-		  src/proxy \
-		  src/socks \
-		  src/tcppm \
-		  src/udppm
-		  
-
-INSTALL_CFG_OBJS = scripts/3proxy.cfg \
-		   scripts/add3proxyuser.sh
-INSTALL_CFG_DEST = config
-
-INSTALL_CFG_OBJS2 = passwd counters bandlimiters
-
-MANDIR1		= $(DESTDIR)$(man_prefix)/man/man1
-MANDIR3		= $(DESTDIR)$(man_prefix)/man/man3
-MANDIR8		= $(DESTDIR)$(man_prefix)/man/man8
-BINDIR		= $(DESTDIR)$(exec_prefix)/bin
-ETCDIR		= $(DESTDIR)$(prefix)/etc/3proxy
-
-install-bin:
-	$(INSTALL_BIN) -d $(BINDIR)
-	$(INSTALL_BIN) -s $(INSTALL_OBJS) $(BINDIR)
-
-install-etc-dir:
-	$(INSTALL_BIN) -d $(ETCDIR)
-
-install-etc-default-config:
-	if [ -f $(ETCDIR)/$(INSTALL_CFG_DEST) ]; then \
-	   : ; \
-	else \
-	   $(INSTALL_DATA) $(INSTALL_CFG_OBJS) $(ETCDIR)/$(INSTALL_CFG_DEST) \
-	fi
-
-install-etc: install-etc-dir
-	for file in $(INSTALL_CFG_OBJS2); \
-	do \
-	  touch $(ETCDIR)/$$file; chmod 0600 $(ETCDIR)/$$file; \
-	done;
-
-install-man:
-	$(INSTALL_BIN) -d $(MANDIR3)
-	$(INSTALL_BIN) -d $(MANDIR8)
-	$(INSTALL_DATA) man/*.3 $(MANDIR3)
-	$(INSTALL_DATA) man/*.8 $(MANDIR8)
-
-install: install-bin install-etc install-man
-

Makefile.unix

@@ -6,10 +6,13 @@
 # library support. Add -DSAFESQL for poorely written ODBC library / drivers.
 
 BUILDDIR = ../bin/
+PREFIX ?= 3proxy_
+CRYPT_PREFIX ?= $(PREFIX)
+MANDIR ?= /usr/share/man
 CC ?= gcc
 
 # you may need -L/usr/pkg/lib for older NetBSD versions
-CFLAGS := -g -O2 -fno-strict-aliasing -c -pthread -D_THREAD_SAFE -D_REENTRANT -DNOODBC  -DFD_SETSIZE=4096 -DWITH_POLL $(CFLAGS)
+CFLAGS := -g -O2 -fno-strict-aliasing -c -pthread -D_THREAD_SAFE -D_REENTRANT -DNOODBC  -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_UN $(CFLAGS)
 COUT = -o 
 LN ?= $(CC)
 LDFLAGS ?= -O2 -fno-strict-aliasing -pthread
@@ -31,7 +34,7 @@ AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Mak
 TYPECOMMAND = cat
 COMPATLIBS =
 MAKEFILE = Makefile.unix
-PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin
+PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin FilePlugin
 OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -otestssl testssl.o -lcrypto -lssl 2>/dev/null && rm testssl testssl.o && echo true||echo false)
 ifeq ($(OPENSSL_CHECK), true)
     LIBS += -l crypto -l ssl
@@ -51,14 +54,25 @@ include Makefile.inc
 install: all
 	if [ ! -d "/usr/local/3proxy/bin" ]; then mkdir -p /usr/local/3proxy/bin/; fi
 	install bin/3proxy /usr/local/3proxy/bin/3proxy
-    install bin/mycrypt /usr/local/3proxy/bin/mycrypt
+	install bin/$(CRYPT_PREFIX)crypt /usr/local/3proxy/bin/$(CRYPT_PREFIX)crypt
+	for f in proxy socks pop3p smtpp ftppr tcppm udppm tlspr; do \
+	  if [ -f bin/$(PREFIX)$$f ]; then install bin/$(PREFIX)$$f /usr/local/3proxy/bin/$(PREFIX)$$f; fi; \
+	done
 	install scripts/rc.d/3proxy /usr/local/etc/rc.d/3proxy
 	install scripts/add3proxyuser.sh /usr/local/3proxy/bin/
-    if [ -s /usr/local/etc/3proxy/3proxy.cfg ]; then /usr/local/3proxy/3proxy.cfg already exists ; else install scripts/3proxy.cfg /usr/local/etc/3proxy/; fi
+	if [ -s /usr/local/etc/3proxy/3proxy.cfg ]; then echo /usr/local/3proxy/3proxy.cfg already exists; else install scripts/3proxy.cfg /usr/local/etc/3proxy/; fi
 	if [ ! -d /var/log/3proxy/ ]; then mkdir /var/log/3proxy/; fi
 	touch /usr/local/3proxy/passwd
 	touch /usr/local/3proxy/counters
 	touch /usr/local/3proxy/bandlimiters
+	install -d $(MANDIR)/man8
+	install -m 644 man/3proxy.8 $(MANDIR)/man8/3proxy.8
+	for f in proxy socks pop3p smtpp ftppr tcppm udppm tlspr; do \
+	  if [ -f man/$$f.8 ]; then install -m 644 man/$$f.8 $(MANDIR)/man8/$(PREFIX)$$f.8; fi; \
+	done
+	install -m 644 man/3proxy_crypt.8 $(MANDIR)/man8
+	install -d $(MANDIR)/man5
+	install -m 644 man/3proxy.cfg.5 $(MANDIR)/man5/3proxy.cfg.5
 	echo Run /usr/local/3proxy/bin/add3proxyuser.sh to add \'admin\' user
 
 allplugins:

Makefile.win

@@ -26,7 +26,7 @@ REMOVECOMMAND = rm -f
 TYPECOMMAND = cat
 COMPATLIBS =
 MAKEFILE = Makefile.win
-PLUGINS := utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin
+PLUGINS := utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin FilePlugin
 VERFILE := 3proxyres.o $(VERFILE)
 VERSION := $(VERSION)
 VERSIONDEP := 3proxyres.o $(VERSIONDEP)

README

@@ -1,276 +0,0 @@
-# 3APA3A 3proxy tiny proxy server
-(c) 2002-2025 by Vladimir '3APA3A' Dubrovin <3proxy@3proxy.org>
-
-
-Branches:
-Master (stable) branch - 3proxy 0.9 
-Devel branch - 3proxy 10 (don't use it)
-
-
-* Download
-	Binaries and sources for released (master) versions (Windows, Linux):
-	https://github.com/z3APA3A/3proxy/releases
-
-	Docker images:
-	https://hub.docker.com/r/3proxy/3proxy
-	Archive of old versions: https://github.com/z3APA3A/3proxy-archive
-
-* Documentation
-	Documentation (man pages and HTML) available with download, on https://3proxy.org/
-	and in github wiki https://github.com/3proxy/3proxy/wiki
-
-* Windows installation
-
-3proxy [path_to_config_file] --install 
-	
-	installs and starts proxy as Windows service
-	(config file should be located in the same directory or may be optionally specified)
-
-3proxy --remove 
-
-	removes the service (should be stopped before via
-	'net stop 3proxy').
-
-* To build in Linux
-
-With Makefile:
-
-git clone https://github.com/z3apa3a/3proxy
-cd 3proxy
-ln -s Makefile.Linux Makefile
-make
-sudo make install
-
-
-Default configuration (for Linux/Unix):
-3proxy uses 2 configuration files:
-/etc/3proxy/3proxy.cfg (before-chroot). This configuration file is executed before chroot and should not be modified.
-/usr/local/3proxy/conf/3proxy.cfg symlinked from /etc/3proxy/conf/3proxy.cfg (after-chroot) is a main configuration file. Modify this file, if required.
-All paths in /usr/local/3proxy/conf/3proxy.cfg are relative to chroot directory (/usr/local/3proxy). For future versions it's planned to move
-3proxy chroot direcory to /var.
-Log files are created in /usr/local/3proxy/logs symlinked from /var/log/3proxy.
-By default, socks is started on 0.0.0.0:1080 and proxy on 0.0.0.0:3128 with basic auth, no users are added by default.
-
-use /etc/3proxy/conf/add3proxyuser.sh script to add users.
-
-usage: /etc/3proxy/conf/add3proxyuser.sh username password [day_limit] [bandwidth]
-        day_limit - traffic limit in MB per day
-        bandwidth - bandwith in bits per second 1048576 = 1Mbps
-
-or modify /etc/3proxy/conf/ files directly.
-
-
-With CMake:
-
-git clone https://github.com/z3apa3a/3proxy
-cd 3proxy
-mkdir build && cd build
-cmake ..
-cmake --build .
-sudo cmake --install .
-
-
-CMake does not use chroot configuration, config file is /etc/3proxy/3proxy.cfg
-
-* For MacOS X / FreeBSD / *BSD
-
-With Makefile:
-
-git clone https://github.com/z3apa3a/3proxy
-cd 3proxy
-ln -s Makefile.FreeBSD Makefile
-make
-
-
-(binaries are in bin/ directory)
-
-With CMake (recommended):
-
-git clone https://github.com/z3apa3a/3proxy
-cd 3proxy
-mkdir build && cd build
-cmake ..
-cmake --build .
-sudo cmake --install .
-
-
-This installs binaries to /usr/local/bin/, configuration to /etc/3proxy/,
-plugins to /usr/local/lib/3proxy/, rc scripts to rc.d for BSD and launchd plist to /Library/LaunchDaemons/ for MacOS.
-
-Service management on macOS:
-
-# Load and start service
-sudo launchctl load /Library/LaunchDaemons/org.3proxy.3proxy.plist
-
-# Stop service
-sudo launchctl stop org.3proxy.3proxy
-
-# Start service
-sudo launchctl start org.3proxy.3proxy
-
-# Unload and disable service
-sudo launchctl unload /Library/LaunchDaemons/org.3proxy.3proxy.plist
-
-
- Features:
-  1. General
-	+ IPv6 support for incoming and outgoing connection,
-	  can be used as a proxy between IPv4 and IPv6 networks
-	  in either direction.
-	+ HTTP/1.1 Proxy with keep-alive client and server support,
-          transparent proxy support.
-	+ HTTPS (CONNECT) proxy (compatible with HTTP/2 / SPDY)
-	+ Anonymous and random client IP emulation for HTTP proxy mode
-	+ FTP over HTTP support.
-	+ DNS caching with built-in resolver
-	+ DNS proxy
-	+ DNS over TCP support, redirecting DNS traffic via parent
-	  proxy
-	+ SOCKSv4/4.5 Proxy
-	+ SOCKSv5 Proxy
-	+ SOCKSv5 UDP and BIND support (fully compatible with
-	  SocksCAP/FreeCAP for UDP)
-	+ Transparent SOCKS redirection for HTTP, POP3, FTP, SMTP
-	+ SNI proxy (based on TLS hostname)
-	+ TLS (SSL) server - may be used as https:// type proxy
-	+ POP3 Proxy
-	+ FTP proxy
-	+ TCP port mapper (port forwarding)
-	+ UDP port mapper (port forwarding)
-	+ SMTP proxy
-	+ Threaded application (no child process).
-	+ Web administration and statistics
-	+ Plugins for functionality extension
-	+ Native 32/64 bit application
-  2. Proxy chaining and network connections
-	+ Can be used as a bridge between client and different proxy type
-	  (e.g. convert incoming HTTP proxy request from client to SOCKSv5
-	  request to parent server).
-	+ Connect back proxy support to bypass firewalls
-	+ Parent proxy support for any type of incoming connection
-	+ Username/password authentication for parent proxy(s).
-	+ HTTPS/SOCKS4/SOCKS5 and ip/port redirection parent support
-	+ Random parent selection
-	+ Chain building (multihop proxing)
-	+ Load balancing between few network connections by choosing network
-	  interface
-  3. Logging
-	+ tuneable log format compatible with any log parser
-	+ stdout logging
-	+ file logging
-	+ syslog logging (Unix)
-	+ ODBC logging
-	+ RADIUS accounting
-	+ log file rotation
-	+ automatic log file processing with external archiver (for files)
-	+ Character filtering for log files
-	+ different log files for different servces are supported
-  4. Access control
-	+ ACL-driven Access control by username, source IP,
-	destination IP/hostname, destination port and destination action
-	(POST, PUT, GET, etc), weekday and daytime.
-	+ ACL-driven (user/source/destination/protocol/weekday/daytime or
-	combined) bandwith limitation for incoming and (!)outgoing trafic.
-	+ ACL-driven traffic limitation per day, week or month for incoming and
-	outgoing traffic
-	+ Connection limitation and ratelimting
-	+ User authentication by username / password
-	+ RADIUS Authentication and Authorization
-	+ User authentication by DNS hostname
-	+ Authentication cache with possibility to limit user to single IP address
-	+ Access control by username/password for SOCKSv5 and HTTP/HTTPS/FTP
-	+ Cleartext or encrypted (crypt/MD5 or NT) passwords.
-	+ Connection redirection
-	+ Access control by requested action (CONNECT/BIND, 
-	  HTTP GET/POST/PUT/HEAD/OTHER).
-	+ All access control entries now support weekday and time limitations
-	+ Hostnames and * templates are supported instead of IP address
-  5. Extensions
-	+ Regular expression filtering (with PCRE2) via PCREPlugin
-	+ Authentication with Windows username/password (cleartext only)
-	+ SSL/TLS decryptions with certificate spoofing
-	+ Transparent redirection support for Linux and *BSD
-  6. Configuration
-	+ support for configuration files
-	+ support for includes in configuration files
-	+ interface binding
-	+ socket options
-	+ running as daemon process
-	+ utility for automated networks list building
-	+ configuration reload on any file change
-     Unix
-	+ support for chroot
-	+ support for setgid
-	+ support for setuid
-	+ support for signals (SIGUSR1 to reload configuration)
-     Windows
-	+ support --install as service
-	+ support --remove as service
-	+ support for service START, STOP, PAUSE and CONTINUE commands (on
-	PAUSE no new connection accepted, but active connections still in
-	progress, on CONTINUE configuration is reloaded)
-     Windows 95/98/ME
-	+ support --install as service
-	+ support --remove as service
-  6. Compilation
-	+ MSVC (static)
-	+ OpenWatcom (static)
-	+ Intel Windows Compiler (msvcrt.dll)
-	+ Windows/gcc (msvcrt.dll)
-	+ Cygwin/gcc (cygwin.dll)
-	+ Unix/gcc
-	+ Unix/ccc
-	+ Solaris
-	+ Mac OS X, iPhone OS
-	+ Linux and derivered systems
-	+ Lite version for Windows 95/98/NT/2000/XP/2003
-	+ 32 bit and 64 bit versions for Windows Vista and above, Windows 2008 server and above 
-
-3proxy    	Combined proxy server may be used as
-		executable or service (supports installation and removal).
-		It uses config file to read it's configuration (see
-		3proxy.cfg.sample for details).
-		3proxy.exe is all-in-one, it doesn't require all others .exe
-		to work.
-		See 3proxy.cfg.sample for examples, see man 3proxy.cfg
-
-proxy    	HTTP proxy server, binds to port 3128
-ftppr    	FTP proxy server, binds to port 21
-socks    	SOCKS 4/5 proxy server, binds to port 1080
-ftppr		FTP proxy server, please do not mess it with FTP over HTTP
-		proxy used in browsers
-pop3p    	POP3 proxy server, binds to port 110. You must specify
-		POP3 username as username@target.host.ip[:port]
-		port is 110 by default.
-		Exmple: in Username configuration for you e-mail reader
-		set someuser@pop.example.org, to obtains mail for someuser
-		from pop.somehost.ru via proxy.
-smtpp    	SMTP proxy server, binds to port 25. You must specify
-		SMTP username as username@target.host.ip[:port]
-		port is 25 by default.
-		Exmple: in Username configuration for you e-mail reader
-		set someuser@mail.example.org, to send mail as someuser
-		via mail.somehost.ru via proxy.
-tcppm    	TCP port mapping. Maps some TCP port on local machine to
-		TCP port on remote host.
-tlspr    	TLS proxy (SNI proxy) - sniffs hostname from TLS handshake
-udppm    	UDP port mapping. Maps some UDP port on local machine to
-		UDP port on remote machine. Only one user simulationeously
-		can use UDP mapping, so it cann't be used for public service
-		in large networks. It's OK to use it to map to DNS server
-		in small network or to map Counter-Strike server for single
-		client (you can use few mappings on different ports for
-		different clients in last case).
-mycrypt    	Program to obtain crypted password fro cleartext. Supports
-		both MD5/crypt and NT password.
-			mycrypt password
-		produces NT password
-			mycrypt salt password
-		produces MD5/crypt password with salt "salt".
-
-
-Run utility with --help option for command line reference.
-
-Latest version is available from https://3proxy.org/
-
-Want to donate the project? https://3proxy.org/donations/

README.md

@@ -0,0 +1,303 @@
+# 3APA3A 3proxy tiny proxy server
+
+(c) 2002-2025 by Vladimir '3APA3A' Dubrovin <3APA3A@security.nnov.ru>
+
+## Branches
+
+- **Master** (stable) branch - 3proxy 0.9
+- **Devel** branch - 3proxy 10 (don't use it)
+
+## Download
+
+Binaries and sources for released (master) versions (Windows, Linux):
+https://github.com/z3APA3A/3proxy/releases
+
+Docker images:
+https://hub.docker.com/r/3proxy/3proxy
+
+Archive of old versions:
+https://github.com/z3APA3A/3proxy-archive
+
+## Documentation
+
+Documentation (man pages and HTML) available with download, on https://3proxy.org/ and in github wiki https://github.com/3proxy/3proxy/wiki
+
+## Windows Installation
+
+Install and start proxy as Windows service:
+
+```bash
+3proxy [path_to_config_file] --install
+```
+
+Config file should be located in the same directory or may be optionally specified.
+
+Remove the service (should be stopped before via `net stop 3proxy`):
+
+```bash
+3proxy --remove
+```
+
+## Building on Linux
+
+### With Makefile
+
+```bash
+git clone https://github.com/z3apa3a/3proxy
+cd 3proxy
+ln -s Makefile.Linux Makefile
+make
+sudo make install
+```
+
+### Default Configuration (Linux/Unix)
+
+3proxy uses 2 configuration files:
+- `/etc/3proxy/3proxy.cfg` (before-chroot) - This configuration file is executed before chroot and should not be modified.
+- `/usr/local/3proxy/conf/3proxy.cfg` symlinked from `/etc/3proxy/conf/3proxy.cfg` (after-chroot) - Main configuration file. Modify this file if required.
+
+All paths in `/usr/local/3proxy/conf/3proxy.cfg` are relative to chroot directory (`/usr/local/3proxy`). For future versions it's planned to move 3proxy chroot directory to `/var`.
+
+Log files are created in `/usr/local/3proxy/logs` symlinked from `/var/log/3proxy`.
+
+By default, socks is started on 0.0.0.0:1080 and proxy on 0.0.0.0:3128 with basic auth, no users are added by default.
+
+### Adding Users
+
+Use `/etc/3proxy/conf/add3proxyuser.sh` script to add users:
+
+```bash
+/etc/3proxy/conf/add3proxyuser.sh username password [day_limit] [bandwidth]
+```
+
+Parameters:
+- `day_limit` - traffic limit in MB per day
+- `bandwidth` - bandwidth in bits per second (1048576 = 1Mbps)
+
+Or modify `/etc/3proxy/conf/` files directly.
+
+### With CMake
+
+```bash
+git clone https://github.com/z3apa3a/3proxy
+cd 3proxy
+mkdir build && cd build
+cmake ..
+cmake --build .
+sudo cmake --install .
+```
+
+CMake does not use chroot configuration, config file is `/etc/3proxy/3proxy.cfg`
+
+## MacOS X / FreeBSD / *BSD
+
+### With Makefile
+
+```bash
+git clone https://github.com/z3apa3a/3proxy
+cd 3proxy
+ln -s Makefile.FreeBSD Makefile
+make
+```
+
+Binaries are in `bin/` directory.
+
+### With CMake (recommended)
+
+```bash
+git clone https://github.com/z3apa3a/3proxy
+cd 3proxy
+mkdir build && cd build
+cmake ..
+cmake --build .
+sudo cmake --install .
+```
+
+This installs:
+- Binaries to `/usr/local/bin/`
+- Configuration to `/etc/3proxy/`
+- Plugins to `/usr/local/lib/3proxy/`
+- rc scripts to `rc.d` for BSD
+- launchd plist to `/Library/LaunchDaemons/` for MacOS
+
+### Service Management on macOS
+
+```bash
+# Load and start service
+sudo launchctl load /Library/LaunchDaemons/org.3proxy.3proxy.plist
+
+# Stop service
+sudo launchctl stop org.3proxy.3proxy
+
+# Start service
+sudo launchctl start org.3proxy.3proxy
+
+# Unload and disable service
+sudo launchctl unload /Library/LaunchDaemons/org.3proxy.3proxy.plist
+```
+
+## Features
+
+### 1. General
+
+- IPv4 / IPv6 support for incoming and outgoing connection, can be used as a proxy between IPv4 and IPv6 networks in either direction
+- Unix domain sockets support
+- HTTP/1.1 Proxy with keep-alive client and server support, transparent proxy support
+- HTTPS (CONNECT) proxy (compatible with HTTP/2 / SPDY)
+- Anonymous and random client IP emulation for HTTP proxy mode
+- FTP over HTTP support
+- DNS caching with built-in resolver
+- DNS proxy
+- DNS over TCP support, redirecting DNS traffic via parent proxy
+- SOCKSv4/4.5 Proxy
+- SOCKSv5 Proxy
+- SOCKSv5 UDP and BIND support (fully compatible with SocksCAP/FreeCAP for UDP)
+- Transparent SOCKS redirection for HTTP, POP3, FTP, SMTP
+- SNI proxy (based on TLS hostname)
+- TLS (SSL) server and client, 3proxy may be used as https:// type proxy or stunnel replacement
+- POP3 Proxy
+- FTP proxy
+- TCP port mapper (port forwarding)
+- UDP port mapper (port forwarding)
+- SMTP proxy
+- Threaded application (no child process)
+- Web administration and statistics
+- Plugins for functionality extension
+- Native 32/64 bit application
+
+### 2. Proxy Chaining and Network Connections
+
+- Can be used as a bridge between client and different proxy type (e.g. convert incoming HTTP proxy request from client to SOCKSv5 request to parent server)
+- Connect back proxy support to bypass firewalls
+- Parent proxy support for any type of incoming connection
+- Username/password authentication for parent proxy(s)
+- HTTPS/SOCKS4/SOCKS5 and ip/port redirection parent support
+- Random parent selection
+- Chain building (multihop proxing)
+- Load balancing between few network connections by choosing network interface
+
+### 3. Logging
+
+- Tuneable log format compatible with any log parser
+- stdout logging
+- File logging
+- Syslog logging (Unix)
+- ODBC logging
+- RADIUS accounting
+- Log file rotation
+- Automatic log file processing with external archiver (for files)
+- Character filtering for log files
+- Different log files for different services are supported
+
+### 4. Access Control
+
+- ACL-driven Access control by username, source IP, destination IP/hostname, destination port and destination action (POST, PUT, GET, etc), weekday and daytime
+- ACL-driven (user/source/destination/protocol/weekday/daytime or combined) bandwidth limitation for incoming and (!)outgoing traffic
+- ACL-driven traffic limitation per day, week or month for incoming and outgoing traffic
+- Connection limitation and ratelimiting
+- User authentication by username / password
+- RADIUS Authentication and Authorization
+- User authentication by DNS hostname
+- Authentication cache with possibility to limit user to single IP address
+- Access control by username/password for SOCKSv5 and HTTP/HTTPS/FTP
+- Cleartext or encrypted passwords
+- Connection redirection
+- Access control by requested action (CONNECT/BIND, HTTP GET/POST/PUT/HEAD/OTHER)
+- All access control entries now support weekday and time limitations
+- Hostnames and * templates are supported instead of IP address
+
+### 5. Extensions
+
+- Regular expression filtering (with PCRE2) via PCREPlugin
+- Authentication with Windows username/password (cleartext only)
+- SSL/TLS decryptions with certificate spoofing
+- Transparent redirection support for Linux and *BSD
+
+### 6. Configuration
+
+- Support for configuration files
+- Support for includes in configuration files
+- Interface binding
+- Socket options
+- Running as daemon process
+- Utility for automated networks list building
+- Configuration reload on any file change
+
+**Unix:**
+- Support for chroot
+- Support for setgid
+- Support for setuid
+- Support for signals (SIGUSR1 to reload configuration)
+
+**Windows:**
+- Support `--install` as service
+- Support `--remove` as service
+- Support for service START, STOP, PAUSE and CONTINUE commands (on PAUSE no new connection accepted, but active connections still in progress, on CONTINUE configuration is reloaded)
+
+**Windows 95/98/ME:**
+- Support `--install` as service
+- Support `--remove` as service
+
+### 7. Compilation
+
+- MSVC (static)
+- OpenWatcom (static)
+- Intel Windows Compiler (msvcrt.dll)
+- Windows/gcc (msvcrt.dll)
+- Cygwin/gcc (cygwin.dll)
+- Unix/gcc
+- Unix/ccc
+- Solaris
+- Mac OS X, iPhone OS
+- Linux and derived systems
+- Lite version for Windows 95/98/NT/2000/XP/2003
+- 32 bit and 64 bit versions for Windows Vista and above, Windows 2008 server and above
+
+## Executables
+
+### 3proxy
+Combined proxy server may be used as executable or service (supports installation and removal). It uses config file to read its configuration (see `3proxy.cfg.sample` for details). `3proxy.exe` is all-in-one, it doesn't require all others .exe to work. See `3proxy.cfg.sample` for examples, see `man 3proxy.cfg`
+
+### proxy
+HTTP proxy server, binds to port 3128
+
+### ftppr
+FTP proxy server, binds to port 21. Please do not mess it with FTP over HTTP proxy used in browsers
+
+### socks
+SOCKS 4/5 proxy server, binds to port 1080
+
+### pop3p
+POP3 proxy server, binds to port 110. You must specify POP3 username as `username@popserver[:port]` (port is 110 by default).
+
+Example: in Username configuration for your e-mail reader set `someuser@pop.somehost.ru`, to obtain mail for someuser from pop.somehost.ru via proxy.
+
+### smtpp
+SMTP proxy server, binds to port 25. You must specify SMTP username as `username@smtpserver[:port]` (port is 25 by default).
+
+Example: in Username configuration for your e-mail reader set `someuser@mail.somehost.ru`, to send mail as someuser via mail.somehost.ru via proxy.
+
+### tcppm
+TCP port mapping. Maps some TCP port on local machine to TCP port on remote host.
+
+### tlspr
+TLS proxy (SNI proxy) - sniffs hostname from TLS handshake
+
+### udppm
+UDP port mapping. Maps some UDP port on local machine to UDP port on remote machine. Only one user simultaneously can use UDP mapping, so it can't be used for public service in large networks. It's OK to use it to map to DNS server in small network or to map Counter-Strike server for single client (you can use few mappings on different ports for different clients in last case).
+
+### 3proxy_crypt
+Program to obtain crypted password for cleartext. Supports both salted and NT password.
+
+```bash
+3proxy_crypt password          # produces NT password
+3proxy_crypt salt password     # produces password hash with salt "salt"
+```
+
+---
+
+Run utility with `--help` option for command line reference.
+
+Latest version is available from https://3proxy.org/
+
+Want to donate the project? https://3proxy.org/donations/

cfg/3proxy.cfg.sample

@@ -2,7 +2,7 @@
 # Yes, 3proxy.cfg can be executable, in this case you should place
 # something like
 #config /usr/local/3proxy/3proxy.cfg
-# to show which configuration 3proxy should re-read on realod.
+# to show which configuration 3proxy should re-read on reload.
 
 #system "echo Hello world!"
 # you may use system to execute some external command if proxy starts
@@ -24,7 +24,7 @@ timeouts 1 5 30 60 180 1800 15 60
 # Here we can change timeout values
 
 users 3APA3A:CL:3apa3a "test:CR:$1$qwer$CHFTUFGqkjue9HyhcMHEe1"
-# note that "" required, overvise $... is treated as include file name.
+# note that "" required, otherwise $... is treated as include file name.
 # $1$qwer$CHFTUFGqkjue9HyhcMHEe1 is 'test' in MD5 crypt format.
 #users $/usr/local/etc/3proxy/passwd
 # this example shows you how to include passwd file. For included files
@@ -39,7 +39,7 @@ service
 
 #log /var/log/3proxy/log D
 log c:\3proxy\logs\3proxy.log D
-# log allows to specify log file location and rotation, D means logfile
+# log allows you to specify log file location and rotation, D means logfile
 # is created daily
 
 #logformat "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
@@ -60,7 +60,7 @@ log c:\3proxy\logs\3proxy.log D
 #
 #Compatible with ISA 2000/2004 firewall FWSEXTD.log (fields are TAB-delimited):
 #
-#"-	+ L%C	%U	unnknown:0:0.0	N	%Y-%m-%d	%H:%M:%S	fwsrv	3PROXY	-	%n	%R	%r	%D	%O	%I	%r	TCP	Connect	-	-	-	%E	-	-	-	-	-"
+#"-	+ L%C	%U	unknown:0:0.0	N	%Y-%m-%d	%H:%M:%S	fwsrv	3PROXY	-	%n	%R	%r	%D	%O	%I	%r	TCP	Connect	-	-	-	%E	-	-	-	-	-"
 #
 #Compatible with HTTPD standard log (Apache and others)
 #
@@ -90,7 +90,7 @@ auth iponly
 # auth specifies type of user authentication. If you specify none proxy
 # will not do anything to check name of the user. If you specify
 # nbname proxy will send NetBIOS name request packet to UDP/137 of
-# client and parse request for NetBIOS name of messanger service.
+# client and parse request for NetBIOS name of messenger service.
 # Strong means that proxy will check password. For strong authentication
 # unknown user will not be allowed to use proxy regardless of ACL.
 # If you do not want username to be checked but wanna ACL to work you should
@@ -102,7 +102,7 @@ auth iponly
 #parent 1000 http 192.168.1.2 80 * * * 80
 #allow * 192.168.1.0/24 * 25,53,110,20-21,1024-65535
 # we will allow everything if username matches ADMINISTRATOR or root or
-# client ip is 127.0.0.1 or 192.168.1.1. Overwise we will redirect any request
+# client ip is 127.0.0.1 or 192.168.1.1. Otherwise we will redirect any request
 # to port 80 to our Web-server 192.168.0.2.
 # We will allow any outgoing connections from network 192.168.1.0/24 to
 # SMTP, POP3, FTP, DNS and unprivileged ports.
@@ -124,7 +124,7 @@ internal 192.168.1.1
 # have open proxy in your network in this case.
 
 auth none
-# no authentication is requires
+# no authentication is required
 
 dnspr
 
@@ -134,7 +134,7 @@ dnspr
 
 #external $./external.ip
 #internal $./internal.ip
-# this is just an alternative form fo giving external and internal address
+# this is just an alternative form for giving external and internal address
 # allows you to read this addresses from files
 
 auth none
@@ -149,7 +149,7 @@ tcppm 25 mail.my.provider 25
 # Now we can use our proxy as SMTP and DNS server.
 # -s switch for UDP means "single packet" service - instead of setting
 # association for period of time association will only be set for 1 packet.
-# It's very userfull for services like DNS but not for some massive services
+# It's very useful for services like DNS but not for some massive services
 # like multimedia streams or online games.
 
 auth strong
@@ -158,7 +158,7 @@ internal 127.0.0.1
 allow 3APA3A 127.0.0.1
 maxconn 3
 admin
-#only allow acces to admin interface for user 3APA3A from 127.0.0.1 address
+#only allow access to admin interface for user 3APA3A from 127.0.0.1 address
 #via 127.0.0.1 address.
 
 # map external 80 and 443 ports to internal Web server
@@ -178,14 +178,14 @@ admin
 #chroot /usr/local/jail
 #setgid 65535
 #setuid 65535
-# now we needn't any root rights. We can chroot and setgid/setuid.
+# now we no longer need root rights. We can chroot and setgid/setuid.
 
 
 auth strong
 flush
 # We want to protect internal interface
 deny * * 127.0.0.1,192.168.1.1
-# and llow HTTP and HTTPS traffic.
+# and allow HTTP and HTTPS traffic.
 allow * * * 80-88,8080-8088 HTTP
 allow * * * 443,8443 HTTPS
 proxy -n

debian/3proxy.manpages

@@ -1,10 +1,11 @@
 man/3proxy.8
-man/3proxy.cfg.3
+man/3proxy.cfg.5
-man/ftppr.8
+man/3proxy_ftppr.8
-man/pop3p.8
+man/3proxy_pop3p.8
-man/tlspr.8
+man/3proxy_tlspr.8
-man/proxy.8
+man/3proxy_proxy.8
-man/smtpp.8
+man/3proxy_smtpp.8
-man/socks.8
+man/3proxy_socks.8
-man/tcppm.8
+man/3proxy_tcppm.8
-man/udppm.8
+man/3proxy_udppm.8
+man/3proxy_crypt.8

doc/changelog/0/7/0

@@ -0,0 +1,26 @@
+
+3proxy 0.7
+
+This release is partially forced: while no new significant functions are
+added, 0.7 is code is much more stable and less buggy than 0.6. Since
+there is no new development for a long time, except few minor bugfixes,
+I decided to finally release 0.7. You may want it if you:
+
+    Use HTTP proxy
+    Use 3proxy under *BSD/Mac OS X/iPhone OS
+    Use plugins, specially traffic related ones, like PCRE.
+
+I have no time for active developement. There are interesting features
+in nearly ready state, e.g. SSL support / SSL decryption via
+certificates spoofing, NAT support and SSL auto-detection. You can step
+into development, if you are interested.
+
+There are some configuration changes:
+
+    auth iponly is now default (because most misconfigurations were
+    because of default auth none)
+    maxconn is now 500 by default (because WebKit browsers ignore
+    standards and create a lot of connections even if proxy is configured)
+    NTLM is disabled by default (-n options, -n1 to enable) because
+    NTLMv1 is disabled by default in Windows since Vista and there is no
+    NTLMv2 library with compatible license. Report me, if any.

doc/changelog/0/7/1

@@ -0,0 +1,35 @@
+3proxy-0.7.1.4
+
+!! Fix transparent flag not reset after keep-alive connection, can lead to
+
+
+3proxy-0.7.1.3
+
+! traffic displayed incorrectly
+! archiver doesn't add suffix if logname contains macro
+! fix potential race condition on configuration reload
+! fix FTP over HTTP authentication
+
+
+3proxy-0.7.1.2
+
+! Request / header size limitation relaxed for HTTP proxy
+
+
+3proxy 0.7.1.1
+
+! Linux compilation issues resolved
+
+
+3proxy 0.7.1
+
+Minor improvements and bugfixes:
+
++ Windows icons added
++ Warnings added for most common misconfigurations
++ ftppr NLSD command supported
+! Ignore NTLM handshake if NTLM is not enabled
+!! memcpy replaced with memmove for overlapped region
+! better EINTR handling on *nix
+! FTP proxy debugging output removed (introduced in 0.7), binding for data connection corrected
+! memory leak fixed in ldapauth plugin

doc/changelog/0/8/0

@@ -0,0 +1,9 @@
++ IPv6 support
++ back connect support
++ name resolution over TCP, parent proxy support for dnspr
++ SSLPlugin for TLS/SSL traffic decryption
+! multiple race conditions fixed
+! reduced memory usage
+! Generate Forwarded: header instead of X-Forwarded-For:
+! Default name resolution is non-blocking in *nix
+! multiple race conditions fixed on configuration reload

doc/changelog/0/8/1

@@ -0,0 +1 @@
+!!Fix: destination IP may be not checked against ACL

doc/changelog/0/8/10

@@ -0,0 +1,2 @@
+! Fix: parent proxy can be used in some cases where it shouldn't
+! Fix: bandlimiters may not work for older connections on configuration reload

doc/changelog/0/8/11

@@ -0,0 +1,9 @@
+Minor bugfixes / improvements:
+! Fixed: deadlock on insufficient resources
+! Fixed: race condition in ssl_plugin
+! Fixed: minor memory leak on configuration reload
+! Fixed: recursion detection was not working
+! Fixed: %n for IPv6 in logging terminates log record
+! Fixed: reverse PTR validation (required for dnsauth)
+! Fixed: error on external 0.0.0.0 for NOIPV6 (light version)
++ Better support for IPv6 in ftppr

doc/changelog/0/8/12

@@ -0,0 +1,5 @@
+Bugfixes:
+! Fixed hostname support in SOCKSv5 UDP portmapping
+! -fno-strict-aliasing added to gcc options (compiling without this option can lead to unpredictable issues under Debian with gcc 6 and potentially others)
+! Fixed LDAP plugin compilation issues (LDAP plugin is still listed as unsupported though)
+and some minor fixes and improvements.

doc/changelog/0/8/13

@@ -0,0 +1,3 @@
+Bugfixes:
+!! Fixed out-of-bound write and few minor bugs on configuration saving in admin
+! fixed: $ is not correctly handled in the beginning of quoted line on configuration parsing

doc/changelog/0/8/2

@@ -0,0 +1,3 @@
+!! Fix transparent flag not reset after keep-alive connection, can lead to DoS by authenticated user.
+! Do not use SO_REUSEADDR by default (leads to random 00013 errors under some glibc versions)
+! Use SASIZE() instead of sizeof() in bind() for FreeBSD compatibility

doc/changelog/0/8/3

@@ -0,0 +1 @@
+! fixed: use SASIZE() instead of sizeof() in connect() for FreeBSD compatibility

doc/changelog/0/8/4

@@ -0,0 +1,5 @@
++ Build PamPlugin on *nix
++ stacksize and -S options, stacksize defaults changed for FreeBSD
++ extip redirection type added
+! SSL plugin fix to correct handling of certificates path
+! fixed random errors on IPv6 connect

doc/changelog/0/8/5

@@ -0,0 +1 @@
+!Fix: mutex was used prior to initialization on 'log' command processing

doc/changelog/0/8/6

@@ -0,0 +1 @@
+! Fix: random 00012 errors in some configurations

doc/changelog/0/8/7

@@ -0,0 +1,15 @@
+! Fix 'daemon' command for Linux
+! Fix 'extip' redirections 00009 errors
+! Fix counters for older Win platforms
+! Resolve logging race conditions
+! attempt to fix pam_auth race conditions
+! FTP proxy workaround for broken gethostname() on some libc limplementations
+! authcache IP matching corrected
+! fix SOCKSv5 BIND/UDP ASSOC
+! use setreuid/setregid instead of setuid / setgid
+
++ OpenWatcom makefiles for Windows
++ -u2 support for proxy
++ support %i in logformat
++ force/noforce configuration commands to disconnect / do not disconnect clients if nolonger match ACL after configuration change
++ support longer external passwords

doc/changelog/0/8/8

@@ -0,0 +1,3 @@
+!! Fix resolver for non-compressed reply parsing (on mixed-case sensitive resolvers)
+! Fix plugins export on OpenWatcom compiler (light version)
+! Fix SOCKSv5

doc/changelog/0/8/9

@@ -0,0 +1 @@
+! Fix: tcppm may fail if used with parent proxy

doc/changelog/0/9/0

@@ -0,0 +1,6 @@
++ Socket options, interface binding
++ Connection limiting / connection rate limiting
++ RADIUS support (beta)
++ Zero copy (splice) support for Linux
++ Possibility to limit user to single IP (via authentication cache)
+! bugfixes, improvements

doc/changelog/0/9/1

@@ -0,0 +1,8 @@
+Bugfixes:
+! Fixed: socket may be closed before all data received/sent
+! Fixed: bandlimin non-working
+! Fixed: countall/nocountall
+! Fixed: few race conditions
+
+Improvements:
++ deb/rpm build, systemd support (experimental)

doc/changelog/0/9/2

@@ -0,0 +1,9 @@
+Bugfixes:
+! Fixed: bandwidth limiters (once again)
+! Fixed: data filtering plugins (PCREPlugin, SSLPlugin). SSLPlugin use on Linux requires to disable splice (-s0)
+! FIxed: standalone proxies do not react on HUP (Ctrl+C) in Linux/Unix
+! Fixed: few minor bugs
+
+Improvements:
++ deb for arm platforms (experimental)
++ Openssl 1.1 support for SSLPlugin

doc/changelog/0/9/3

@@ -0,0 +1,11 @@
+Bugfixes:
+! Fixed: systemd description file (proxy may fail to start after reboot or via systemctl)
+! Fixed: group/account creation in installation scripts
+! Fixed: countall/nocounall do not work in some configurations
+! Fixed: counters do not work if counter file is not specified
+! Fixed: counters without rotation (type N) are incorrectly shown in web admin interface
+! Fixed: %n may be incomplete or missed in long log records
+! Fixed: connect back functionality does not work
+
+Improvements:
++ Docker builds

doc/changelog/0/9/4

@@ -0,0 +1,4 @@
+! Fix: invalid handling of '-' character in ACL hostname
+! Fix: minor bugfixes and improvements
++ parentretry command added (defaults to 2) to retry connections to parent proxies
+- icqpr related code (OSCAR proxy) removed, due to drop of OSCAR support by messengers

doc/changelog/0/9/5

@@ -0,0 +1,7 @@
+!! Security fix: proxy can potentially crash on on some platforms due to overlapping regions in strcpy() (thanks to @lenix123 for reporting)
++ new proxy service type: `tlspr` - SNI proxy, may also be used as parent `tls` type, sniffs hostname from TLS handhake, read more in https://github.com/3proxy/3proxy/wiki/tlspr https://github.com/3proxy/3proxy/wiki/How-To-(incomplete)#TLSPR
++ new proxy service type: `auto` - autodetect proxy type between `proxy` and `socks`
++ SSLPlugin is rewritten, production-ready, supports TLS (SSL) server (may be used to create https:// type proxy), certificates checks and cypher options, see https://github.com/3proxy/3proxy/wiki/SSLPlugin
++ -g option is added for grace delay to reduce CPU load, see https://github.com/3proxy/3proxy/wiki/High-Load
+! Multiple minor bugfixes
+! More supported sockets options

doc/changelog/0/9/6

@@ -0,0 +1,9 @@
++ ssl_client and multiple configuration options added to SSLPlugin, SSLPlugin code significantly improved and bugfixed. See https://github.com/3proxy/3proxy/wiki/SSLPlugin. 3proxy can now be used as stunnel replacement for many scenarios.
++ HAProxy proxy protocol v1 support as client and server, add -H option for service to expect HA proxy v1 protocol header, use ha parent type: parent 1000 ha 0.0.0.0 0 to send v1 header.
++ tlspr is supported in auto
++ tlspr supports -s option, it breaks HELLO packet to prevent some DPIs from detecting SNI
++ maxseg configuration option and TCP_MAXSEG socket flag support added. It sets maximum size of TCP segment to fix PathMTU discovery problems
++ -Ne / -Ni options added to specify external / internal NAT address for SOCKSv5
++ cmake environment added
+! External pcre2 (pcre2-8) library is used for PCRE, pcre code is removed from 3proxy
+! Multiple minor bugfixes

doc/html/howtoe.html

@@ -49,6 +49,8 @@
 		<li><a href="#NSCACHING">How to configure name resolution and DNS caching</a>
 		<li><a href="#IPV6">How to use IPv6</a>
 		<li><a href="#CONNBACK">How to use connect back</a>
+		<li><a href="#HAPROXY">How to use HAProxy PROXY protocol</a>
+		<li><a href="#MAXSEG">How to set TCP maximum segment size (MSS)</a>
 	</ul>
 	<li><A HREF="#CLIENT">Client configuration</A>
 	<li><A HREF="#ADMIN">Administering and information analysis</A>
@@ -498,7 +500,7 @@ ISA 2004 proxy WEB.w3c (fields are TAB-delimited):
 </pre>
 ISA 2000/2004 firewall FWSEXTD.log (fields are TAB-delimited):
 <pre>
-&quot;-	+ L%C	%U	unnknown:0:0.0	N	%Y-%m-%d
+&quot;-	+ L%C	%U	unknown:0:0.0	N	%Y-%m-%d
 	%H:%M:%S	fwsrv	3PROXY	-	%n	%R	%r
 	%D	%O	%I	%r	TCP	Connect	-	-
 	-	%E	-	-	-	-	-&quot;
@@ -709,6 +711,29 @@ ssl_client_ca_file /etc/ssl/certs/ca-certificates.crt
 ssl_cli
 proxy -p3128
 </pre>
+<p>
+<b>Conditional TLS for parent proxy (ssl_client_mode 3):</b>
+<br>With ssl_client_mode 3, TLS handshake to parent proxy is performed only if the parent type ends with 's' (secure types). This allows mixing secure and non-secure parent proxies in the same configuration:
+</p><pre>
+plugin /path/to/SSLPlugin.ld.so ssl_plugin
+ssl_server_cert /etc/3proxy/certs/server.crt
+ssl_server_key /etc/3proxy/certs/server.key
+ssl_client_mode 3
+
+auth strong
+allow user1
+parent 1000 https parent1.example.com 443
+allow user2
+parent 1000 socks5 parent2.example.com 1080
+ssl_serv
+ssl_cli
+proxy -p3128
+ssl_noserv
+ssl_nocli
+</pre>
+<p>
+This creates an HTTPS proxy (ssl_serv) that accepts TLS connections from clients. For parent proxy connections, user1's traffic goes through an https parent with TLS encryption (secure type), while user2's traffic goes through a regular socks5 parent without TLS. Secure parent types include: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps.
+</p>
 		<li><a name="CERTIFICATES"><i>How to create CA and certificates for SSLPlugin</i></a>
 <p>
 <b>Creating a Certificate Authority (CA):</b>
@@ -944,7 +969,7 @@ or
 <pre>
 users $"c:\Program Files\3proxy\passwords"
 </pre>
-It's possible to create NT and crypt passwords with the mycrypt utility included
+It's possible to create NT and crypt passwords with the 3proxy_crypt utility included
 in the distribution.
 <br>The user list is system-wide. To manage user access to a specific service, use ACLs.
 </p>
@@ -1278,6 +1303,53 @@ allowed traffic in megabytes (MB). nocountin allows you to set exclusions.
   allow * * 1.1.1.1
   tcppm -R0.0.0.0:1234 3128 1.1.1.1 3128</pre>
   For browser settings, the proxy is host.dyndns.example.org:3128.
+  </p>
+  <li><a name="HAPROXY"><i>How to use HAProxy PROXY protocol</i></a>
+  <p>
+  3proxy supports HAProxy PROXY protocol v1 for both receiving and sending client
+  IP information. This is useful when 3proxy is behind a load balancer or when
+  passing client information to a parent proxy.
+  </p>
+  <p>
+  <b>Receiving PROXY protocol header:</b>
+  <br>Use the <code>-H</code> option to make 3proxy expect a PROXY protocol v1 header
+  on incoming connections. This allows 3proxy to receive the real client IP address
+  from HAProxy or another load balancer:
+  </p><pre>
+proxy -H -p3128
+socks -H -p1080
+</pre>
+  <p>
+  The PROXY protocol header must be sent before any protocol-specific data.
+  </p>
+  <p>
+  <b>Sending PROXY protocol header to parent proxy:</b>
+  <br>Use the <code>ha</code> parent type to send a PROXY protocol v1 header to
+  the parent proxy. This must be the last parent in the chain:
+  </p><pre>
+allow *
+parent 1000 ha
+parent 1000 socks5 parent.example.com 1080
+socks
+</pre>
+  <p>
+  This configuration sends the client IP information to the SOCKS5 parent proxy
+  via the PROXY protocol.
+  </p>
+  <li><a name="MAXSEG"><i>How to set TCP maximum segment size (MSS)</i></a>
+  <p>
+  Use the <code>maxseg</code> command to set the TCP maximum segment size (MSS)
+  for outgoing connections. This can be useful to work around path MTU discovery
+  issues or to optimize traffic for specific network conditions:
+  </p><pre>
+maxseg 1400
+proxy -p3128 -OcTCP_NODELAY,TCP_MAXSEG -OsTCP_NODELAY,TCP_MAXSEG
+</pre>
+  <p>
+  The value is specified in bytes. This setting uses the TCP_MAXSEG socket option
+  and may not be supported on all platforms. A typical use case is to reduce MSS
+  to avoid fragmentation in VPN tunnels or to work around MTU issues with certain
+  network paths.
   </p>
 	</ul>
 

doc/html/howtor.html

@@ -48,6 +48,8 @@
     <li><a href="#NSCACHING">Как управлять разрешением имен и кэшированием DNS</a>
     <li><a href="#IPV6">Как использовать IPv6</a>
     <li><a href="#CONNBACK">Как использовать connect back</a>
+    <li><a href="#HAPROXY">Как использовать протокол HAProxy PROXY</a>
+    <li><a href="#MAXSEG">Как установить максимальный размер сегмента TCP (MSS)</a>
   </ul>
   <li><a href="#CLIENT">Конфигурация и настройка клиентов</a>
   <ul>
@@ -511,7 +513,7 @@
   -	Internal	External	0x0	Allowed&quot;</pre>
   Формат ISA 2000/2004 firewall FWSEXTD.log (поля разделены табуляцией):
   <pre>
-  &quot;-	+ L%C	%U	unnknown:0:0.0	N	%Y-%m-%d
+  &quot;-	+ L%C	%U	unknown:0:0.0	N	%Y-%m-%d
   %H:%M:%S	fwsrv	3PROXY	-	%n	%R	%r
   %D	%O	%I	%r	TCP	Connect	-	-
   -	%E	-	-	-	-	-&quot;</pre>
@@ -718,6 +720,29 @@ ssl_client_ca_file /etc/ssl/certs/ca-certificates.crt
 ssl_cli
 proxy -p3128
 </pre>
+<p>
+<b>Условное TLS для parent прокси (ssl_client_mode 3):</b>
+<br>При ssl_client_mode 3 TLS-рукопожатие с родительским прокси выполняется только если тип parent прокси заканчивается на 's' (защищённые типы). Это позволяет смешивать защищённые и незащищённые родительские прокси в одной конфигурации:
+</p><pre>
+plugin /path/to/SSLPlugin.ld.so ssl_plugin
+ssl_server_cert /etc/3proxy/certs/server.crt
+ssl_server_key /etc/3proxy/certs/server.key
+ssl_client_mode 3
+
+auth strong
+allow user1
+parent 1000 https parent1.example.com 443
+allow user2
+parent 1000 socks5 parent2.example.com 1080
+ssl_serv
+ssl_cli
+proxy -p3128
+ssl_noserv
+ssl_nocli
+</pre>
+<p>
+Создаётся HTTPS-прокси (ssl_serv), принимающий TLS-соединения от клиентов. Для соединений с родительским прокси трафик user1 идёт через https родитель с TLS-шифрованием (защищённый тип), а трафик user2 — через обычный socks5 родитель без TLS. Защищённые типы parent прокси: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps.
+</p>
   <li><a name="CERTIFICATES"><i>Как создать CA и сертификаты для SSLPlugin</i></a>
 <p>
 <b>Создание удостоверяющего центра (CA):</b>
@@ -958,7 +983,7 @@ openssl pkcs12 -export -out client.p12 -passout pass: \
   или
   <pre>
   users $"c:\Program Files\3proxy\passwords"</pre>
-  Шифрованные NT и crypt пароли можно создавать с помощью утилиты mycrypt.
+  Шифрованные NT и crypt пароли можно создавать с помощью утилиты 3proxy_crypt.
   <br>Список пользователей един для всех служб. Разграничение доступа по службам
   необходимо производить с помощью списков доступа.
   </p>
@@ -1336,6 +1361,54 @@ openssl pkcs12 -export -out client.p12 -passout pass: \
   tcppm -R0.0.0.0:1234 3128 1.1.1.1 3128</pre>
   В настройках браузера указывается host.dyndns.example.org:3128.
   </p>
+  <li><a name="HAPROXY"><i>Как использовать протокол HAProxy PROXY</i></a>
+  <p>
+  3proxy поддерживает протокол HAProxy PROXY v1 как для приёма, так и для
+  отправки информации об IP-адресе клиента. Это полезно, когда 3proxy находится
+  за балансировщиком нагрузки или при передаче информации о клиенте родительскому прокси.
+  </p>
+  <p>
+  <b>Приём заголовка PROXY протокола:</b>
+  <br>Используйте опцию <code>-H</code>, чтобы 3proxy ожидал заголовок PROXY протокола v1
+  на входящих соединениях. Это позволяет 3proxy получать реальный IP-адрес клиента
+  от HAProxy или другого балансировщика нагрузки:
+  </p><pre>
+proxy -H -p3128
+socks -H -p1080
+</pre>
+  <p>
+  Заголовок PROXY протокола должен быть отправлен до любых протокольных данных.
+  </p>
+  <p>
+  <b>Отправка заголовка PROXY протокола родительскому прокси:</b>
+  <br>Используйте тип родительского прокси <code>ha</code> для отправки заголовка
+  PROXY протокола v1 родительскому прокси. Это должен быть последний родитель в цепочке:
+  </p><pre>
+allow *
+parent 1000 ha
+parent 1000 socks5 parent.example.com 1080
+socks
+</pre>
+  <p>
+  Эта конфигурация отправляет информацию об IP-адресе клиента SOCKS5 родительскому
+  прокси через PROXY протокол.
+  </p>
+  <li><a name="MAXSEG"><i>Как установить максимальный размер сегмента TCP (MSS)</i></a>
+  <p>
+  Используйте команду <code>maxseg</code> для установки максимального размера
+  сегмента TCP (MSS) для исходящих соединений. Это может быть полезно для обхода
+  проблем с Path MTU Discovery или для оптимизации трафика в специфических
+  сетевых условиях:
+  </p><pre>
+maxseg 1400
+proxy -p3128 -OcTCP_NODELAY,TCP_MAXSEG -OsTCP_NODELAY,TCP_MAXSEG
+</pre>
+  <p>
+  Значение указывается в байтах. Эта настройка использует опцию сокета TCP_MAXSEG
+  и может не поддерживаться на всех платформах. Типичный случай использования -
+  уменьшение MSS для избежания фрагментации в VPN туннелях или для обхода проблем
+  с MTU на определённых сетевых путях.
+  </p>
 </ul>
 <hr>
 <li><a name="CLIENT"><b>Конфигурация клиентов</b></a>

doc/html/index.html

@@ -4,6 +4,7 @@
 <a href="howtoe.html">How To (English, very incomplete)</a><br>
 <a href="howtor.html">How To (Russian)</a><br>
 <h3>Man pages:</h3>
+<br><A HREF="man8/3proxy_crypt.8.html">3proxy_crypt.8</A>
 <br><A HREF="man8/3proxy.8.html">3proxy.8</A>
 <br><A HREF="man8/ftppr.8.html">ftppr.8</A>
 <br><A HREF="man8/pop3p.8.html">pop3p.8</A>
@@ -13,5 +14,5 @@
 <br><A HREF="man8/tcppm.8.html">tcppm.8</A>
 <br><A HREF="man8/tlspr.8.html">tlspr.8</A>
 <br><A HREF="man8/udppm.8.html">udppm.8</A>
-<br><A HREF="man3/3proxy.cfg.3.html">3proxy.cfg.3</A>
+<br><A HREF="man5/3proxy.cfg.5.html">3proxy.cfg.5</A>
 </body></html>

doc/html/man5/3proxy.cfg.5.html

@@ -84,10 +84,10 @@ smtpp</b> [options] <b><br>
 ftppr</b> [options] <b><br>
 admin</b> [options] <b><br>
 dnspr</b> [options] <b><br>
-tcppm</b> [options] &lt;SRCPORT&gt; &lt;DSTADDR&gt;
+tcppm</b> [options] <i>&lt;SRCPORT&gt; &lt;DSTADDR&gt;
-&lt;DSTPORT&gt; <b><br>
+&lt;DSTPORT&gt;</i> <b><br>
-udppm</b> [options] &lt;SRCPORT&gt; &lt;DSTADDR&gt;
+udppm</b> [options] <i>&lt;SRCPORT&gt; &lt;DSTADDR&gt;
-&lt;DSTPORT&gt; <br>
+&lt;DSTPORT&gt;</i> <br>
 Descriptions: <b><br>
 proxy</b> HTTP/HTTPS proxy (default port 3128) <b><br>
 socks</b> SOCKS 4/4.5/5 proxy (default port 1080) <b><br>
@@ -101,19 +101,24 @@ smtpp</b> SMTP proxy (default port 25) <b><br>
 ftppr</b> FTP proxy (default port 21) <b><br>
 admin</b> Web interface (default port 80) <b><br>
 dnspr</b> caching DNS proxy (default port 53) <b><br>
-tcppm</b> TCP portmapper <b><br>
+tcppm</b> TCP portmapper. Destination address (DSTADDR) can
+be a Unix domain socket using the syntax
+<i>unix:/path/to/socket</i> (e.g., tcppm 8080
+unix:/var/run/app.sock 0). On Linux, abstract sockets use
+<i>unix:@socketname</i> syntax. When using Unix socket
+destination, the port number is ignored but must be
+specified for syntax compatibility. <b><br>
 udppm</b> UDP portmapper</p>
 
 <p style="margin-left:6%; margin-top: 1em">Options: <b><br>
--pNUMBER</b> change default server port to NUMBER <b><br>
+-p</b><i>NUMBER</i> change default server port to NUMBER
--n</b> disable NTLM authentication (required if passwords
+<b><br>
-are stored in Unix crypt format). <b><br>
+
--n1</b> enable NTLMv1 authentication. <b><br>
+-g(</b><i>GRACE_TRAFF</i><b>,</b><i>GRACE_NUM</i><b>,</b><i>GRACE_DELAY</i>)
--g(GRACE_TRAFF,GRACE_NUM,GRACE_DELAY)</b> delay GRACE_DELAY
+delay GRACE_DELAY milliseconds before polling if average
-milliseconds before polling if average polling size is below
+polling size is below GRACE_TRAFF bytes and GRACE_NUM read
-GRACE_TRAFF bytes and GRACE_NUM read operations in a single
+operations in a single direction are detected within 1
-direction are detected within 1 second. Useful to minimize
+second. Useful to minimize polling <b>-s</b> <br>
-polling <b>-s</b> <br>
 (for admin) secure, allow only secure operations, currently
 only traffic counters view without ability to reset. <br>
 (for dnspr) simple, do not use resolver and 3proxy cache,
@@ -136,35 +141,37 @@ packed in IPv6 in IPV6_V6ONLY compatible way. <b><br>
 resolvable <b><br>
 -64</b> Resolve IPv4 addresses if IPv6 address is not
 resolvable <b><br>
--RHOST:port</b> listen on given local HOST:port for incoming
+-R</b><i>HOST</i><b>:</b><i>port</i> listen on given local
-connections instead of making remote outgoing connection.
+HOST:port for incoming connections instead of making remote
-Can be used with another 3proxy service running -r option
+outgoing connection. Can be used with another 3proxy service
-for connect back functionality. Most commonly used with
+running -r option for connect back functionality. Most
-tcppm. HOST can be given as IP or hostname, useful in case
+commonly used with tcppm. HOST can be given as IP or
-of dynamic DNS. <b><br>
+hostname, useful in case of dynamic DNS. <b><br>
--rHOST:port</b> connect to given remote HOST:port instead of
+-r</b><i>HOST</i><b>:</b><i>port</i> connect to given remote
-listening local connection on -p or default port. Can be
+HOST:port instead of listening local connection on -p or
-used with another 3proxy service running -R option for
+default port. Can be used with another 3proxy service
-connect back functionality. Most commonly used with proxy or
+running -R option for connect back functionality. Most
-socks. HOST can be given as IP or hostname, useful in case
+commonly used with proxy or socks. HOST can be given as IP
-of dynamic DNS. <b><br>
+or hostname, useful in case of dynamic DNS. <b><br>
--ocOPTIONS, -osOPTIONS, -olOPTIONS, -orOPTIONS,
+-oc</b><i>OPTIONS</i><b>, -os</b><i>OPTIONS</i><b>,
--oROPTIONS</b> options for proxy-to-client (oc),
+-ol</b><i>OPTIONS</i><b>, -or</b><i>OPTIONS</i><b>,
-proxy-to-server (os), proxy listening (ol), connect back
+-oR</b><i>OPTIONS</i> options for proxy-to-client
-client (or), connect back listening (oR) sockets. Options
+(<b>-oc</b>), proxy-to-server (<b>-os</b>), proxy listening
-like TCP_CORK, TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK,
+(<b>-ol</b>), connect back client (<b>-or</b>), connect back
-TCP_TIMESTAMPS, USE_TCP_FASTOPEN, SO_REUSEADDR,
+listening (<b>-oR</b>) sockets. Options like TCP_CORK,
-SO_REUSEPORT, SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT,
+TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK, TCP_TIMESTAMPS,
-SO_KEEPALIVE, SO_DONTROUTE may be supported depending on OS.
+USE_TCP_FASTOPEN, SO_REUSEADDR, SO_REUSEPORT,
-<b><br>
+SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT, SO_KEEPALIVE,
--DiINTERFACE, -DeINTERFACE</b> bind internal interface /
+SO_DONTROUTE may be supported depending on OS. <b><br>
-external interface to given INTERFACE (e.g. eth0) if
+-Di</b><i>INTERFACE</i><b>, -De</b><i>INTERFACE</i> bind
-SO_BINDTODEVICE is supported by the system. You may need to
+internal (<b>-Di</b>) / external (<b>-De</b>) interface to
-run as root or have CAP_NET_RAW capability in order to bind
+given INTERFACE (e.g. eth0) if <b>SO_BINDTODEVICE</b> is
-to an interface, depending on the system, so this option may
+supported by the system. You may need to run as root or have
+<b>CAP_NET_RAW</b> capability in order to bind to an
+interface, depending on the system, so this option may
 require root privileges and can be incompatible with some
-configuration commands like chroot and setuid (and daemon if
+configuration commands like <b>chroot</b> and <b>setuid</b>
-setcap is used). <b><br>
+(and <b>daemon</b> if setcap is used). <b><br>
 -e</b> External address. IP address of the interface the
 proxy should initiate connections from. External IP must be
 specified if you need incoming connections. By default the
@@ -172,11 +179,23 @@ system will decide which address to use in accordance with
 the routing table. <b><br>
 -i</b> Internal address. IP address the proxy accepts
 connections to. By default, connections to any interface are
-accepted. <b><br>
+accepted. Unix domain sockets can be specified with
--N</b> (for socks) External NAT address 3proxy reports to
+<i>-iunix:/path/to/socket</i> syntax. On Linux, abstract
-client for BIND and UDPASSOC By default external address is
+sockets use <i>-iunix:@socketname</i> syntax. <b><br>
-reported. It&rsquo;s only useful in the case of IP-IP NAT
+-Ne</b> (for socks) External NAT address (between 3proxy and
-(will not work for PAT) <br>
+destination server) to report to client for CONNECT and
+BIND. By default external address is reported. It&rsquo;s
+only useful in the case of IP-IP NAT (will not work for
+PAT). <b><br>
+-Ni</b> (for socks) Internal NAT address (between client and
+3proxy) to report to client for UDPASSOC. By default
+internal address is reported. It&rsquo;s only useful in the
+case of IP-IP NAT (will not work for PAT). <b><br>
+-H</b> (for all services) Expect HAProxy PROXY protocol v1
+header on incoming connection. This allows the proxy to
+receive real client IP address from HAProxy or other load
+balancer that supports the PROXY protocol. The header must
+be sent before any protocol-specific data. <br>
 Also, all options mentioned for <b>proxy</b>(8)
 <b>socks</b>(8) <b>pop3p</b>(8) <b>tcppm</b>(8)
 <b>udppm</b>(8) <b>ftppr</b>(8) <br>
@@ -189,10 +208,10 @@ proxy access must be authenticated, you can specify username
 as proxy_username:proxy_password:POP3_username@pop3server
 <br>
 DNS proxy resolves any types of records but only hostnames
-are cached. It requires nserver/nscache to be configured. If
+are cached. It requires <b>nserver</b>/<b>nscache</b> to be
-nserver is configured as TCP, redirections are applied on
+configured. If <b>nserver</b> is configured as TCP,
-connection, so parent proxy may be used to resolve names to
+redirections are applied on connection, so parent proxy may
-IP. <br>
+be used to resolve names to IP. <br>
 FTP proxy can be used as FTP server in any FTP client or
 configured as FTP proxy on a client with FTP proxy support.
 Username format is one of <br>
@@ -206,11 +225,11 @@ authentication use proxyuser:proxypassword:FTPuser as FTP
 username, otherwise do not change original FTP user name</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>include</b>
-&lt;path&gt; <br>
+<i>&lt;path&gt;</i> <br>
 Include config file</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>config</b>
-&lt;path&gt; <br>
+<i>&lt;path&gt;</i> <br>
 Path to configuration file to use on 3proxy restart or to
 save configuration.</p>
 
@@ -226,20 +245,20 @@ using it.</p>
 End of configuration</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>log</b>
-[[@|&amp;]logfile] [&lt;LOGTYPE&gt;] <br>
+[[@|&amp;]<i>logfile</i>] [<i>&lt;LOGTYPE&gt;</i>] <br>
 sets logfile for all gateways <br>
 @ (for Unix) use syslog, filename is used as ident name <br>
 &amp; use ODBC, filename consists of comma-delimited
 datasource,username,password (username and password are
 optional) <br>
 radius - use RADIUS for logging <br>
-LOGTYPE is one of: <br>
+LOGTYPE is one of: <b><br>
-c Minutely <br>
+c</b> Minutely <b><br>
-H Hourly <br>
+H</b> Hourly <b><br>
-D Daily <br>
+D</b> Daily <b><br>
-W Weekly (starting from Sunday) <br>
+W</b> Weekly (starting from Sunday) <b><br>
-M Monthly <br>
+M</b> Monthly <b><br>
-Y Annually <br>
+Y</b> Annually <br>
 if logfile is not specified logging goes to stdout. You can
 specify individual logging options for gateway by using -l
 option in gateway configuration. <br>
@@ -252,12 +271,12 @@ Grinwitch time zone for all time-based format
 specificators.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>rotate</b>
-&lt;n&gt; <br>
+<i>&lt;n&gt;</i> <br>
 how many archived log files to keep</p>
 
 
 <p style="margin-left:6%; margin-top: 1em"><b>logformat</b>
-&lt;format&gt; <br>
+<i>&lt;format&gt;</i> <br>
 Format for log record. First symbol in format must be L
 (local time) or G (absolute Grinwitch time). It can be
 preceeded with -XXX+Y where XXX is list of characters to be
@@ -314,7 +333,8 @@ l_service, l_in, l_out, l_descr) values (&acute;%d-%m-%Y
 &acute;%T&acute;)&quot;</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>logdump</b>
-&lt;in_traffic_limit&gt; &lt;out_traffic_limit&gt; <br>
+<i>&lt;in_traffic_limit&gt; &lt;out_traffic_limit&gt;</i>
+<br>
 Immediately creates additional log records if given amount
 of incoming/outgoing traffic is achieved for connection,
 without waiting for connection to finish. It may be useful
@@ -323,7 +343,7 @@ server shutdown.</p>
 
 
 <p style="margin-left:6%; margin-top: 1em"><b>delimchar</b>
-&lt;char&gt; <br>
+<i>&lt;char&gt;</i> <br>
 Sets the delimiter character used to separate username from
 hostname in proxy authentication strings (e.g. for FTP, POP3
 proxies). Default is &acute;@&acute;. For example, to use
@@ -331,48 +351,50 @@ proxies). Default is &acute;@&acute;. For example, to use
 to contain the &acute;@&acute; character.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>archiver</b>
-&lt;ext&gt; &lt;commandline&gt; <br>
+<i>&lt;ext&gt; &lt;commandline&gt;</i> <br>
 Archiver to use for log files. &lt;ext&gt; is file extension
 produced by archiver. Filename will be last argument to
 archiver, optionally you can use %A as produced archive name
 and %F as filename.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>timeouts</b>
-&lt;BYTE_SHORT&gt; &lt;BYTE_LONG&gt; &lt;STRING_SHORT&gt;
+<i>&lt;BYTE_SHORT&gt; &lt;BYTE_LONG&gt; &lt;STRING_SHORT&gt;
 &lt;STRING_LONG&gt; &lt;CONNECTION_SHORT&gt;
 &lt;CONNECTION_LONG&gt; &lt;DNS&gt; &lt;CHAIN&gt;
-&lt;CONNECT&gt; &lt;CONNECTBACK&gt; <br>
+&lt;CONNECT&gt; &lt;CONNECTBACK&gt;</i> <br>
 Sets timeout values, defaults 1, 5, 30, 60, 180, 1800, 15,
-60, 15, 5. <br>
+60, 15, 5. <b><br>
-BYTE_SHORT short timeout for single byte, is usually used
+BYTE_SHORT</b> short timeout for single byte, is usually
-for receiving single byte from stream. <br>
+used for receiving single byte from stream. <b><br>
-BYTE_LONG long timeout for single byte, is usually used for
+BYTE_LONG</b> long timeout for single byte, is usually used
-receiving first byte in frame (for example first byte in
+for receiving first byte in frame (for example first byte in
-socks request). <br>
+socks request). <b><br>
-STRING_SHORT short timeout, for character string within
+STRING_SHORT</b> short timeout, for character string within
-stream (for example to wait between 2 HTTP headers) <br>
+stream (for example to wait between 2 HTTP headers) <b><br>
-STRING_LONG long timeout, for first string in stream (for
+STRING_LONG</b> long timeout, for first string in stream
-example to wait for HTTP request). <br>
+(for example to wait for HTTP request). <b><br>
-CONNECTION_SHORT inactivity timeout for short connections
+CONNECTION_SHORT</b> inactivity timeout for short
-(HTTP, POP3, etc). <br>
+connections (HTTP, POP3, etc). <b><br>
-CONNECTION_LONG inactivity timeout for long connection
+CONNECTION_LONG</b> inactivity timeout for long connection
-(SOCKS, portmappers, etc). <br>
+(SOCKS, portmappers, etc). <b><br>
-DNS timeout for DNS request before requesting next server
+DNS</b> timeout for DNS request before requesting next
+server <b><br>
+CHAIN</b> timeout for reading data from chained connection
 <br>
-CHAIN timeout for reading data from chained connection <br>
 default timeouts 1 5 30 60 180 1800 15 60 15 5</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>maxseg</b>
-&lt;value&gt; <br>
+<i>&lt;value&gt;</i> <br>
 Sets TCP maximum segment size (MSS) for outgoing
 connections. This can be used to work around path MTU
 discovery issues or to optimize traffic for specific network
 conditions.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>radius</b>
-&lt;NAS_SECRET&gt;
+<i>&lt;NAS_SECRET&gt;
-&lt;radius_server_1[:port][/local_address_1]&gt;
+&lt;radius_server_1</i>[:<i>port</i>][/<i>local_address_1</i>]
-&lt;radius_server_2[:port][/local_address_2]&gt; <br>
+<i>&lt;radius_server_2</i>[:<i>port</i>][/<i>local_address_2</i>]
+<br>
 Configures RADIUS servers to be used for logging and
 authentication (log and auth types must be set to radius).
 port and local address to use with given server may be
@@ -391,12 +413,12 @@ CONNECT), Login-TCP-Port: (requested port), Login-IPv6-Host
 / Login-IP-Host: (requested IP). <br>
 Supported reply attributes for authentication:
 Framed-IP-Address / Framed-IPv6-Address (IP to assign to
-user), Reply-Message. Use authcache to speedup
+user), Reply-Message. Use <b>authcache</b> to speedup
 authentication. RADIUS feature is currently
 experimental.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>nserver</b>
-&lt;ipaddr&gt;[:port][/tcp] <br>
+<i>&lt;ipaddr&gt;</i>[:<i>port</i>][/<i>tcp</i>] <br>
 Nameserver to use for name resolutions. If none specified
 system routines for name resolution is used. Optional port
 number may be specified. If optional /tcp is added to IP
@@ -404,33 +426,36 @@ address, name resolution is performed over TCP.</p>
 
 
 <p style="margin-left:6%; margin-top: 1em"><b>authnserver</b>
-&lt;ipaddr&gt;[:port][/tcp] <br>
+<i>&lt;ipaddr&gt;</i>[:<i>port</i>][/<i>tcp</i>] <br>
 Nameserver to use for DNS-based authentication (e.g. dnsname
 auth type). If not specified, nserver is used. The syntax is
 the same as for nserver.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>nscache</b>
-&lt;cachesize&gt; <b>nscache6</b> &lt;cachesize&gt; <br>
+<i>&lt;cachesize&gt;</i> <b>nscache6</b>
-Cache &lt;cachesize&gt; records for name resolution (nscache
+<i>&lt;cachesize&gt;</i> <br>
-for IPv4, nscache6 for IPv6). The cache size should usually
+Cache <i>&lt;cachesize&gt;</i> records for name resolution
-be large enough (for example, 65536).</p>
+(<b>nscache</b> for IPv4, <b>nscache6</b> for IPv6). The
+cache size should usually be large enough (for example,
+65536).</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>nsrecord</b>
-&lt;hostname&gt; &lt;hostaddr&gt; <br>
+<i>&lt;hostname&gt; &lt;hostaddr&gt;</i> <br>
-Adds static record to nscache. nscache must be enabled. If
+Adds static record to nscache. <b>nscache</b> must be
-0.0.0.0 is used as a hostaddr host will never resolve, it
+enabled. If 0.0.0.0 is used as a hostaddr host will never
-can be used to blacklist something or together with
+resolve, it can be used to blacklist something or together
-<b>dialer</b> command to set up UDL for dialing.</p>
+with <b>dialer</b> command to set up UDL for dialing.</p>
 
 
 <p style="margin-left:6%; margin-top: 1em"><b>fakeresolve</b>
 <br>
 All names are resolved to the 127.0.0.2 address. Useful if
-all requests are redirected to a parent proxy with http,
+all requests are redirected to a parent proxy with
-socks4+, connect+ or socks5+.</p>
+<b>http</b>, <b>socks4+</b>, <b>connect+</b> or
+<b>socks5+</b>.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>dialer</b>
-&lt;progname&gt; <br>
+<i>&lt;progname&gt;</i> <br>
 Execute progname if external name can&acute;t be resolved.
 Hint: if you use nscache, dialer may not work, because names
 will be resolved through cache. In this case you can use
@@ -438,34 +463,43 @@ something like http://dial.right.now/ from browser to set up
 connection.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>internal</b>
-&lt;ipaddr&gt; <br>
+<i>&lt;ipaddr&gt;</i> <br>
 sets ip address of internal interface. This IP address will
 be used to bind gateways. Alternatively you can use -i
 option for individual gateways. Since 0.8 version, IPv6
-address may be used.</p>
+address may be used. <br>
+Unix domain sockets are supported with the syntax
+<i>unix:/path/to/socket</i> (e.g., internal
+unix:/var/run/3proxy.sock). On Linux, abstract (fileless)
+Unix sockets are supported with the syntax
+<i>unix:@socketname</i> (e.g., internal unix:@3proxy). When
+using Unix sockets, the socket file is automatically created
+and removed on service start/stop.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>external</b>
-&lt;ipaddr&gt; <br>
+<i>&lt;ipaddr&gt;</i> <br>
 sets ip address of external interface. This IP address will
 be source address for all connections made by proxy.
 Alternatively you can use -e option to specify individual
-address for gateway. Since 0.8 version External or -e can be
+address for gateway. Since 0.8 version External or <b>-e</b>
-given twice: once with IPv4 and once with IPv6 address.</p>
+can be given twice: once with IPv4 and once with IPv6
+address.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>maxconn</b>
-&lt;number&gt; <br>
+<i>&lt;number&gt;</i> <br>
 sets the maximum number of simultaneous connections to each
 service started after this command at the network level.
 Default is 100. <br>
-To limit clients, use connlim instead. maxconn will silently
+To limit clients, use <b>connlim</b> instead. <b>maxconn</b>
-ignore new connections, while connlim will report back to
+will silently ignore new connections, while <b>connlim</b>
-the client that the connection limit has been reached.</p>
+will report back to the client that the connection limit has
+been reached.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>backlog</b>
 <br>
 sets the listening socket backlog of new connections.
-Default is 1 + maxconn/8. Maximum value is capped by kernel
+Default is 1 + <b>maxconn</b>/8. Maximum value is capped by
-tunable somaxconn.</p>
+kernel tunable somaxconn.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>service</b>
 <br>
@@ -479,35 +513,35 @@ reinstall the service.</p>
 <br>
 Should be specified to close the console. Do not use
 &acute;daemon&acute; with &acute;service&acute;. At least
-under FreeBSD, &acute;daemon&acute; should precede any proxy
+under FreeBSD, <b>daemon</b> should precede any proxy
 service and log commands to avoid socket problems. Always
 place it in the beginning of the configuration file.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>auth</b>
-&lt;authtype&gt; [...] <br>
+<i>&lt;authtype&gt;</i> [...] <br>
-Type of user authorization. Currently supported: <br>
+Type of user authorization. Currently supported: <b><br>
-none - no authentication or authorization required. <br>
+none</b> - no authentication or authorization required. <br>
 Note: if auth is none, any IP-based limitation, redirection,
 etc. will not work. This is the default authentication type
-<br>
+<b><br>
-iponly - authentication by access control list with username
+iponly</b> - authentication by access control list with
-ignored. <br>
+username ignored. <br>
-Appropriate for most cases <br>
+Appropriate for most cases <b><br>
-useronly - authentication by username without checking for
+useronly</b> - authentication by username without checking
-any password with authorization by ACLs. Useful for e.g.
+for any password with authorization by ACLs. Useful for e.g.
 SOCKSv4 proxy and icqpr (icqpr set UIN / AOL screen name as
-a username) <br>
+a username) <b><br>
-dnsname - authentication by DNS hostname with authorization
+dnsname</b> - authentication by DNS hostname with
-by ACLs. The DNS hostname is resolved via a PTR (reverse)
+authorization by ACLs. The DNS hostname is resolved via a
-record and validated (the resolved name must resolve to the
+PTR (reverse) record and validated (the resolved name must
-same IP address). It&acute;s recommended to use authcache by
+resolve to the same IP address). It&acute;s recommended to
-IP for this authentication. NB: there is no password check;
+use authcache by IP for this authentication. NB: there is no
-the name may be spoofed. <br>
+password check; the name may be spoofed. <b><br>
-strong - username/password authentication required. It will
+strong</b> - username/password authentication required. It
-work with SOCKSv5, FTP, POP3 and HTTP proxy. <br>
+will work with SOCKSv5, FTP, POP3 and HTTP proxy. <b><br>
-cache - cached authentication, may be used with
+cache</b> - cached authentication, may be used with
-&acute;authcache&acute;. <br>
+&acute;authcache&acute;. <b><br>
-radius - authentication with RADIUS. <br>
+radius</b> - authentication with RADIUS. <br>
 Plugins may add additional authentication types.</p>
 
 <p style="margin-left:6%; margin-top: 1em">It&acute;s
@@ -525,38 +559,39 @@ shared ones.</p>
 
 
 <p style="margin-left:6%; margin-top: 1em"><b>authcache</b>
-&lt;cachtype&gt; &lt;cachtime&gt; <br>
+<i>&lt;cachtype&gt; &lt;cachtime&gt; &lt;cachesize&gt;</i>
+<br>
 Cache authentication information for a given amount of time
-(cachetime) in seconds. Cachetype is one of: <br>
+(cachetime) in seconds. cachesize limits number of cache
-ip - after successful authentication all connections during
+entries. Cachetype is one of: <b><br>
-caching time from same IP are assigned to the same user,
+ip</b> - after successful authentication all connections
-username is not requested. <br>
+during caching time from same IP are assigned to the same
-ip,user username is requested and all connections from the
+user, username is not requested. <b><br>
-same IP are assigned to the same user without actual
+ip,user</b> username is requested and all connections from
-authentication. <br>
+the same IP are assigned to the same user without actual
-user - same as above, but IP is not checked. <br>
+authentication. <b><br>
-user,password - both username and password are checked
+user</b> - same as above, but IP is not checked. <b><br>
-against cached ones. <br>
+user,password</b> - both username and password are checked
-limit - limit user to use only one ip, &acute;ip&acute; and
+against cached ones. <b><br>
-&acute;user&acute; are required <br>
+limit</b> - limit user to use only one ip, &acute;ip&acute;
-acl - only use cached auth if user access service with same
+and &acute;user&acute; are required <b><br>
-ACL <br>
+ack</b> - only use cached auth if user access service with
-ext - cache external IP <br>
+same ACL <b><br>
-Use auth type &acute;cache&acute; for cached
+ext</b> - cache external IP <br>
-authentication</p>
+Use auth type <b>cache</b> for cached authentication</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>allow</b>
-&lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt;
+<i>&lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt;
 &lt;targetportlist&gt; &lt;operationlist&gt;
-&lt;weekdayslist&gt; &lt;timeperiodslist&gt; <b><br>
+&lt;weekdayslist&gt; &lt;timeperiodslist&gt;</i> <b><br>
-deny</b> &lt;userlist&gt; &lt;sourcelist&gt;
+deny</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt; <b><br>
+&lt;timeperiodslist&gt;</i> <b><br>
-redirect</b> &lt;ip&gt; &lt;port&gt; &lt;userlist&gt;
+redirect</b> <i>&lt;ip&gt; &lt;port&gt; &lt;userlist&gt;
 &lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt; <br>
+&lt;timeperiodslist&gt;</i> <br>
 Access control entries. All lists are comma-separated, no
 spaces are allowed. Usernames are case sensitive (if used
 with authtype nbname username must be in uppercase). Source
@@ -582,27 +617,28 @@ should either bind proxy to appropriate interface only or to
 use ip filters.</p>
 
 <p style="margin-left:6%; margin-top: 1em">Operation is one
-of: <br>
+of: <b><br>
-CONNECT establish outgoing TCP connection <br>
+CONNECT</b> establish outgoing TCP connection <b><br>
-BIND bind TCP port for listening <br>
+BIND</b> bind TCP port for listening <b><br>
-UDPASSOC make UDP association <br>
+UDPASSOC</b> make UDP association <b><br>
-ICMPASSOC make ICMP association (for future use) <br>
+ICMPASSOC</b> make ICMP association (for future use) <b><br>
-HTTP_GET HTTP GET request <br>
+HTTP_GET</b> HTTP GET request <b><br>
-HTTP_PUT HTTP PUT request <br>
+HTTP_PUT</b> HTTP PUT request <b><br>
-HTTP_POST HTTP POST request <br>
+HTTP_POST</b> HTTP POST request <b><br>
-HTTP_HEAD HTTP HEAD request <br>
+HTTP_HEAD</b> HTTP HEAD request <b><br>
-HTTP_CONNECT HTTP CONNECT request <br>
+HTTP_CONNECT</b> HTTP CONNECT request <b><br>
-HTTP_OTHER over HTTP request <br>
+HTTP_OTHER</b> over HTTP request <b><br>
-HTTP matches any HTTP request except HTTP_CONNECT <br>
+HTTP</b> matches any HTTP request except HTTP_CONNECT
-HTTPS same as HTTP_CONNECT <br>
+<b><br>
-FTP_GET FTP get request <br>
+HTTPS</b> same as HTTP_CONNECT <b><br>
-FTP_PUT FTP put request <br>
+FTP_GET</b> FTP get request <b><br>
-FTP_LIST FTP list request <br>
+FTP_PUT</b> FTP put request <b><br>
-FTP_DATA FTP data connection. Note: FTP_DATA requires access
+FTP_LIST</b> FTP list request <b><br>
-to dynamic non-privileged (1024-65535) ports on the remote
+FTP_DATA</b> FTP data connection. Note: FTP_DATA requires
-side. <br>
+access to dynamic non-privileged (1024-65535) ports on the
-FTP matches any FTP/FTP Data request <br>
+remote side. <b><br>
-ADMIN access to administration interface</p>
+FTP</b> matches any FTP/FTP Data request <b><br>
+ADMIN</b> access to administration interface</p>
 
 <p style="margin-left:6%; margin-top: 1em">Weekdays are
 week day numbers or periods, 0 or 7 means Sunday, 1 is
@@ -613,8 +649,8 @@ HH:MM:SS-HH:MM:SS format. For example,
 hours.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>parent</b>
-&lt;weight&gt; &lt;type&gt; &lt;ip&gt; &lt;port&gt;
+<i>&lt;weight&gt; &lt;type&gt; &lt;ip&gt; &lt;port&gt;
-&lt;username&gt; &lt;password&gt; <br>
+&lt;username&gt; &lt;password&gt;</i> <br>
 this command must follow &quot;allow&quot; rule. It extends
 last allow rule to build proxy chain. Proxies may be
 grouped. Proxy inside the group is selected randomly. If few
@@ -643,41 +679,51 @@ pipelined (keep-alive) requests in the same connection use
 the same chain.</p>
 
 <p style="margin-left:6%; margin-top: 1em">type is one of:
-<br>
+<b><br>
-extip does not actually redirect the request; it sets the
+extip</b> does not actually redirect the request; it sets
-external address for this request to &lt;ip&gt;. It can be
+the external address for this request to <i>&lt;ip&gt;</i>.
-chained with another parent type. It&rsquo;s useful to set
+It can be chained with another parent type. It&rsquo;s
-the external IP based on ACL or make it random. <br>
+useful to set the external IP based on ACL or make it
-tcp simply redirect connection. TCP is always last in chain.
+random. <b><br>
-This type of proxy is a simple TCP redirection, it does not
+tcp</b> simply redirect connection. TCP is always last in
-support parent authentication. <br>
+chain. This type of proxy is a simple TCP redirection, it
-http redirect to HTTP proxy. HTTP is always the last chain.
+does not support parent authentication. <b><br>
-It should only be used with http (proxy) service, if used
+http</b> redirect to HTTP proxy. HTTP is always the last
-with different service, it works as tcp redirection. <br>
+chain. It should only be used with http (proxy) service, if
-pop3 redirect to POP3 proxy (only local redirection is
+used with different service, it works as tcp redirection.
-supported, can only be used as a first hop in chaining) <br>
+<b><br>
-ftp redirect to FTP proxy (only local redirection is
+pop3</b> redirect to POP3 proxy (only local redirection is
-supported, can only be used as a first hop in chaining) <br>
+supported, can only be used as a first hop in chaining)
-connect parent is HTTP CONNECT method proxy <br>
+<b><br>
-connect+ parent is HTTP CONNECT proxy with name resolution
+ftp</b> redirect to FTP proxy (only local redirection is
-(hostname is used instead of IP if available) <br>
+supported, can only be used as a first hop in chaining)
-socks4 parent is SOCKSv4 proxy <br>
+<b><br>
-socks4+ parent is SOCKSv4 proxy with name resolution
+connect</b> parent is HTTP CONNECT method proxy <b><br>
-(SOCKSv4a) <br>
+connect+</b> parent is HTTP CONNECT proxy with name
-socks5 parent is SOCKSv5 proxy <br>
+resolution (hostname is used instead of IP if available)
-socks5+ parent is SOCKSv5 proxy with name resolution <br>
+<b><br>
-socks4b parent is SOCKS4b (broken SOCKSv4 implementation
+socks4</b> parent is SOCKSv4 proxy <b><br>
+socks4+</b> parent is SOCKSv4 proxy with name resolution
+(SOCKSv4a) <b><br>
+socks5</b> parent is SOCKSv5 proxy <b><br>
+socks5+</b> parent is SOCKSv5 proxy with name resolution
+<b><br>
+socks4b</b> parent is SOCKS4b (broken SOCKSv4 implementation
 with shortened server reply; I never saw this kind of
 server, but they say there are some). Normally you should
 not use this option. Do not confuse this option with
-SOCKSv4a (socks4+). <br>
+SOCKSv4a (<b>socks4+</b>). <b><br>
-socks5b parent is SOCKS5b (broken SOCKSv5 implementation
+socks5b</b> parent is SOCKS5b (broken SOCKSv5 implementation
 with shortened server reply. I think you will never find it
 useful). Never use this option unless you know exactly you
-need it. <br>
+need it. <b><br>
-admin redirect request to local &acute;admin&acute; service
+admin</b> redirect request to local &acute;admin&acute;
-(with -s parameter). <br>
+service (with -s parameter). <b><br>
-Use &quot;+&quot; proxy only with &quot;fakeresolve&quot;
+ha</b> send HAProxy PROXY protocol v1 header to parent
+proxy. Must be the last in the proxy chain. Useful for
+passing client IP information to the parent proxy. Example:
+parent 1000 ha <br>
+Use &quot;+&quot; proxy only with <b>fakeresolve</b>
 option</p>
 
 <p style="margin-left:6%; margin-top: 1em">IP and port are
@@ -690,7 +736,15 @@ special case of local redirection, it works only with
 redirected to different service, <b>ftp</b> locally
 redirects to <b>ftppr pop3</b> locally redirects to <b>pop3p
 http</b> locally redirects to <b>proxy admin</b> locally
-redirects to the admin -s service.</p>
+redirects to the admin -s service. <br>
+Unix domain sockets can be used instead of IP address with
+the syntax <i>unix:/path/to/socket</i> (e.g., parent 1000
+socks5 unix:/var/run/parent.sock 1080). On Linux, abstract
+(fileless) Unix sockets are supported with
+<i>unix:@socketname</i> syntax (e.g., parent 1000 http
+unix:@parent.proxy 3128). When using Unix sockets, the port
+number is ignored but must be specified for syntax
+compatibility.</p>
 
 <p style="margin-left:6%; margin-top: 1em">Main purpose of
 local redirections is to have the requested resource (URL or
@@ -711,26 +765,26 @@ HTTP proxy, local HTTP proxy parses requests and allows only
 GET and POST requests. <br>
 parent 1000 http 1.2.3.4 0 <br>
 Changes the external address for a given connection to
-1.2.3.4 (equivalent to -e1.2.3.4) <br>
+1.2.3.4 (equivalent to <b>-e1.2.3.4</b>) <br>
 Optional username and password are used to authenticate on
 parent proxy. Username of &acute;*&acute; means username
 must be supplied by user.</p>
 
 
 <p style="margin-left:6%; margin-top: 1em"><b>parentretries</b>
-&lt;number&gt; <br>
+<i>&lt;number&gt;</i> <br>
 Number of retries to connect to parent proxy. Default is
 1.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>nolog</b>
-&lt;n&gt; <br>
+<i>&lt;n&gt;</i> <br>
 extends last allow or deny command to prevent logging, e.g.
 <br>
 allow * * 192.168.1.1 <br>
 nolog</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>weight</b>
-&lt;n&gt; <br>
+<i>&lt;n&gt;</i> <br>
 extends last allow or deny command to set weight for this
 request <br>
 allow * * 192.168.1.1 <br>
@@ -748,30 +802,31 @@ connections.</p>
 
 
 <p style="margin-left:6%; margin-top: 1em"><b>bandlimin</b>
-&lt;rate&gt; &lt;userlist&gt; &lt;sourcelist&gt;
+<i>&lt;rate&gt; &lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt; <b><br>
+&lt;timeperiodslist&gt;</i> <b><br>
-nobandlimin</b> &lt;userlist&gt; &lt;sourcelist&gt;
+nobandlimin</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt; <b><br>
+&lt;timeperiodslist&gt;</i> <b><br>
-bandlimout</b> &lt;rate&gt; &lt;userlist&gt;
+bandlimout</b> <i>&lt;rate&gt; &lt;userlist&gt;
 &lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt; <b><br>
+&lt;timeperiodslist&gt;</i> <b><br>
-nobandlimout</b> &lt;userlist&gt; &lt;sourcelist&gt;
+nobandlimout</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt; <br>
+&lt;timeperiodslist&gt;</i> <br>
-bandlim sets a bandwidth limitation filter to &lt;rate&gt;
+bandlim sets a bandwidth limitation filter to
-bps (bits per second). If you want to specify bytes per
+<i>&lt;rate&gt;</i> bps (bits per second). If you want to
-second, multiply your value by 8. bandlim rules act in the
+specify bytes per second, multiply your value by 8. bandlim
-same manner as allow/deny rules, except for one thing:
+rules act in the same manner as allow/deny rules, except for
-bandwidth limiting is applied to all services, not to some
+one thing: bandwidth limiting is applied to all services,
-specific service. bandlimin and nobandlimin apply to
+not to some specific service. <b>bandlimin</b> and
-incoming traffic <br>
+<b>nobandlimin</b> apply to incoming traffic <b><br>
-bandlimout and nobandlimout apply to outgoing traffic <br>
+bandlimout</b> and <b>nobandlimout</b> apply to outgoing
+traffic <br>
 If you want to ratelimit your clients with IPs
 192.168.10.16/30 (4 addresses) to 57600 bps, you have to
 specify 4 rules like <br>
@@ -789,53 +844,54 @@ nobandlimin * * * 110 <br>
 before the rest of bandlim rules.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>connlim</b>
-&lt;rate&gt; &lt;period&gt; &lt;userlist&gt;
+<i>&lt;rate&gt; &lt;period&gt; &lt;userlist&gt;
 &lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt; <b><br>
+&lt;timeperiodslist&gt;</i> <b><br>
-noconnlim</b> &lt;userlist&gt; &lt;sourcelist&gt;
+noconnlim</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt; <br>
+&lt;timeperiodslist&gt;</i> <br>
 connlim sets connections rate limit per time period for
 traffic pattern controlled by ACL. Period is in seconds. If
-period is 0, connlim limits a number of parallel
+period is 0, <b>connlim</b> limits a number of parallel
 connections. <br>
 connlim 100 60 * 127.0.0.1 <br>
 allows 100 connections per minute for 127.0.0.1. <br>
 connlim 20 0 * 127.0.0.1 <br>
 allows 20 simultaneous connections for 127.0.0.1. <br>
-Like with bandlimin, if an individual limit is required per
+Like with <b>bandlimin</b>, if an individual limit is
-client, a separate rule must be added for every client. Like
+required per client, a separate rule must be added for every
-with nobandlimin, noconnlim adds an exception.</p>
+client. Like with nobandlimin, noconnlim adds an
+exception.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>counter</b>
-&lt;filename&gt; &lt;reporttype&gt; &lt;reportname&gt;
+<i>&lt;filename&gt; &lt;reporttype&gt;
-<b><br>
+&lt;reportname&gt;</i> <b><br>
-countin</b> &lt;number&gt; &lt;type&gt; &lt;limit&gt;
+countin</b> <i>&lt;number&gt; &lt;type&gt; &lt;limit&gt;
 &lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt;
 &lt;targetportlist&gt; &lt;operationlist&gt;
-&lt;weekdayslist&gt; &lt;timeperiodslist&gt; <b><br>
+&lt;weekdayslist&gt; &lt;timeperiodslist&gt;</i> <b><br>
-nocountin</b> &lt;userlist&gt; &lt;sourcelist&gt;
+nocountin</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt; <b><br>
+&lt;timeperiodslist&gt;</i> <b><br>
-countout</b> &lt;number&gt; &lt;type&gt; &lt;limit&gt;
+countout</b> <i>&lt;number&gt; &lt;type&gt; &lt;limit&gt;
 &lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt;
 &lt;targetportlist&gt; &lt;operationlist&gt;
-&lt;weekdayslist&gt; &lt;timeperiodslist&gt; <b><br>
+&lt;weekdayslist&gt; &lt;timeperiodslist&gt;</i> <b><br>
-nocountout</b> &lt;userlist&gt; &lt;sourcelist&gt;
+nocountout</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt; <b><br>
+&lt;timeperiodslist&gt;</i> <b><br>
-countall</b> &lt;number&gt; &lt;type&gt; &lt;limit&gt;
+countall</b> <i>&lt;number&gt; &lt;type&gt; &lt;limit&gt;
 &lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt;
 &lt;targetportlist&gt; &lt;operationlist&gt;
-&lt;weekdayslist&gt; &lt;timeperiodslist&gt; <b><br>
+&lt;weekdayslist&gt; &lt;timeperiodslist&gt;</i> <b><br>
-nocountall</b> &lt;userlist&gt; &lt;sourcelist&gt;
+nocountall</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt;</p>
+&lt;timeperiodslist&gt;</i></p>
 
 <p style="margin-left:6%; margin-top: 1em">counter,
 countin, nocountin, countout, nocountout, countall,
@@ -848,45 +904,33 @@ not preserved in the counter file (that is, if the proxy is
 restarted, all counters with 0 are flushed); otherwise, it
 should be a unique sequential number which points to the
 position of the counter within the file. Type specifies a
-type of counter. Type is one of: <br>
+type of counter. Type is one of: <b><br>
-H - counter is reset hourly <br>
+H</b> - counter is reset hourly <b><br>
-D - counter is reset daily <br>
+D</b> - counter is reset daily <b><br>
-W - counter is reset weekly <br>
+W</b> - counter is reset weekly <b><br>
-M - counter is reset monthly <br>
+M</b> - counter is reset monthly <br>
 reporttype/reportname may be used to generate traffic
 reports. Reporttype is one of D, W, M, H (hourly) and
 reportname specifies the filename template for reports. The
 report is a text file with counter values in the format:
-<br>
+<i><br>
-&lt;COUNTERNUMBER&gt; &lt;TRAF&gt; <br>
+&lt;COUNTERNUMBER&gt; &lt;TRAF&gt;</i> <br>
 The rest of parameters is identical to
-bandlim/nobandlim.</p>
+<b>bandlim</b>/<b>nobandlim</b>.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>users</b>
-username[:pwtype:password] ... <br>
+<i>username</i>[:<i>pwtype</i>:<i>password</i>] ... <br>
 pwtype is one of: <br>
-none (empty) - use system authentication <br>
+none (empty) - use system authentication <b><br>
-CL - password is cleartext <br>
+CL</b> - password is cleartext <b><br>
-CR - password is crypt-style password <br>
+CR</b> - password is crypt-style password <b><br>
-NT - password is NT password (in hex) <br>
+NT</b> - password is NT password (in hex) <br>
-LM - password is LM password (in hex) <br>
 example: <br>
 users test1:CL:password1
 &quot;test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49.&quot; <br>
-users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63</p>
+users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63 <br>
-
+Note: double quotes are required because the password
-<table width="100%" border="0" rules="none" frame="void"
+contains a $ sign.</p>
-       cellspacing="0" cellpadding="0">
-<tr valign="top" align="left">
-<td width="6%"></td>
-
-
-<p>Note: double quotes are required because the password
-contains a $ sign.</p></td>
-<td width="88%"></td>
-<td width="6%">
-</td></tr>
-</table>
 
 <p style="margin-left:6%; margin-top: 1em"><b>flush</b>
 <br>
@@ -901,42 +945,43 @@ socks <br>
 sets different ACLs for <b>pop3p</b> and <b>socks</b></p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>system</b>
-&lt;command&gt; <br>
+<i>&lt;command&gt;</i> <br>
 execute system command</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>pidfile</b>
-&lt;filename&gt; <br>
+<i>&lt;filename&gt;</i> <br>
 write pid of current process to file. It can be used to
 manipulate 3proxy with signals under Unix. Currently next
 signals are available:</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>monitor</b>
-&lt;filename&gt; <br>
+<i>&lt;filename&gt;</i> <br>
 If file monitored changes in modification time or size,
 3proxy reloads configuration within one minute. Any number
 of files may be monitored.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>setuid</b>
-&lt;uid&gt; <br>
+<i>&lt;uid&gt;</i> <br>
 calls setuid(uid), uid can be numeric or since 0.9 username.
 Unix only. Warning: under some Linux kernels setuid() works
 for current thread only. It makes it impossible to suid for
 all threads.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>setgid</b>
-&lt;gid&gt; <br>
+<i>&lt;gid&gt;</i> <br>
 calls setgid(gid), gid can be numeric or since 0.9
 groupname. Unix only.</p>
 
 <p style="margin-left:6%; margin-top: 1em"><b>chroot</b>
-&lt;path&gt; [&lt;uid&gt;] [&lt;gid&gt;] <br>
+<i>&lt;path&gt;</i> [<i>&lt;uid&gt;</i>]
+[<i>&lt;gid&gt;</i>] <br>
 calls chroot(path) and sets gid/uid. Unix only. uid/gid
 supported since 0.9, can be numeric or
 username/groupname</p>
 
 
 <p style="margin-left:6%; margin-top: 1em"><b>stacksize</b>
-&lt;value_to_add_to_default_stack_size&gt; <br>
+<i>&lt;value_to_add_to_default_stack_size&gt;</i> <br>
 Change the default size for thread stacks. May be required
 in some situations, e.g. with non-default plugins, or on
 some platforms (some FreeBSD versions may require adjusting
@@ -955,8 +1000,8 @@ negative values.</p>
 
 
 <p style="margin-left:6%; margin-top: 1em"><b>plugin</b>
-&lt;path_to_shared_library&gt; &lt;function_to_call&gt;
+<i>&lt;path_to_shared_library&gt;
-[&lt;arg1&gt; ...] <br>
+&lt;function_to_call&gt;</i> [<i>&lt;arg1&gt;</i> ...] <br>
 Loads specified library and calls given export function with
 given arguments, as <br>
 int functions_to_call(struct pluginlink * pl, int argc, char
@@ -966,7 +1011,7 @@ function_to_call must return 0 in case of success, value
 
 
 <p style="margin-left:6%; margin-top: 1em"><b>filtermaxsize</b>
-&lt;max_size_of_data_to_filter&gt; <br>
+<i>&lt;max_size_of_data_to_filter&gt;</i> <br>
 If Content-length (or another data length) is greater than
 the given value, no data filtering will be performed through
 filtering plugins to avoid data corruption and/or

doc/html/man8/3proxy.8.html

@@ -195,7 +195,7 @@ to <b>3proxy@3proxy.org</b></p>
 </h2>
 
 
-<p style="margin-left:6%; margin-top: 1em">3proxy.cfg(3),
+<p style="margin-left:6%; margin-top: 1em">3proxy.cfg(5),
 proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8),
 kill(1), syslogd(8), <br>
 https://3proxy.org/</p>

doc/html/man8/3proxy_crypt.8.html

@@ -0,0 +1,168 @@
+<!-- Creator     : groff version 1.24.1 -->
+<html>
+<head>
+
+</head>
+<body>
+
+<h1 align="center">3proxy_crypt</h1>
+
+<a href="#NAME">NAME</a><br>
+<a href="#SYNOPSIS">SYNOPSIS</a><br>
+<a href="#DESCRIPTION">DESCRIPTION</a><br>
+<a href="#OPTIONS">OPTIONS</a><br>
+<a href="#EXAMPLE">EXAMPLE</a><br>
+<a href="#NOTES">NOTES</a><br>
+<a href="#BUGS">BUGS</a><br>
+<a href="#SEE ALSO">SEE ALSO</a><br>
+<a href="#AUTHORS">AUTHORS</a><br>
+
+<hr>
+
+
+<h2>NAME
+<a name="NAME"></a>
+</h2>
+
+
+
+<p style="margin-left:6%; margin-top: 1em"><b>3proxy_crypt</b>
+- utility to generate encrypted passwords for 3proxy</p>
+
+<h2>SYNOPSIS
+<a name="SYNOPSIS"></a>
+</h2>
+
+
+
+<p style="margin-left:6%; margin-top: 1em"><b>3proxy_crypt</b>
+<i>password</i> <b><br>
+3proxy_crypt</b> <i>salt password</i></p>
+
+<h2>DESCRIPTION
+<a name="DESCRIPTION"></a>
+</h2>
+
+
+
+<p style="margin-left:6%; margin-top: 1em"><i><b>3proxy_crypt</b></i>
+is a utility to generate encrypted password hashes for use
+with 3proxy configuration. Encrypted passwords allow the
+system to avoid storing passwords in cleartext in
+configuration files.</p>
+
+<p style="margin-left:6%; margin-top: 1em">When invoked
+with a single argument, it produces an NT password hash
+(MD4-based, suitable for NTLM authentication). The output is
+prefixed with <b>NT:</b>.</p>
+
+<p style="margin-left:6%; margin-top: 1em">When invoked
+with two arguments (salt and password), it produces a
+BLAKE2b password hash. The salt length is limited to 64
+characters. The output is prefixed with <b>CR:</b>.</p>
+
+<p style="margin-left:6%; margin-top: 1em">The resulting
+hash can be used in the 3proxy configuration file with the
+<b>users</b> directive instead of a cleartext password.</p>
+
+<h2>OPTIONS
+<a name="OPTIONS"></a>
+</h2>
+
+
+
+<p style="margin-left:6%; margin-top: 1em"><i>password</i></p>
+
+<p style="margin-left:15%;">Cleartext password to
+encrypt.</p>
+
+<table width="100%" border="0" rules="none" frame="void"
+       cellspacing="0" cellpadding="0">
+<tr valign="top" align="left">
+<td width="6%"></td>
+<td width="5%">
+
+
+<p><i>salt</i></p></td>
+<td width="4%"></td>
+<td width="65%">
+
+
+<p>Salt string for BLAKE2b hashing (max 64 characters).</p></td>
+<td width="20%">
+</td></tr>
+</table>
+
+<h2>EXAMPLE
+<a name="EXAMPLE"></a>
+</h2>
+
+
+<p style="margin-left:6%; margin-top: 1em">Generate NT
+password hash:</p>
+
+<p style="margin-left:15%;">3proxy_crypt
+MySecretPassword</p>
+
+<p style="margin-left:6%;">Result:</p>
+
+
+<p style="margin-left:15%;">NT:3F7E6D8D96E8E7A9B0C1D2E3F4A5B6C7</p>
+
+<p style="margin-left:6%;">Generate BLAKE2b password hash
+with salt:</p>
+
+<p style="margin-left:15%;">3proxy_crypt MySalt
+MySecretPassword</p>
+
+<p style="margin-left:6%;">Result:</p>
+
+<p style="margin-left:15%;">CR:$3$MySalt$...</p>
+
+<p style="margin-left:6%;">Using in 3proxy.cfg:</p>
+
+<p style="margin-left:15%;">users
+user1:CR:$3$MySalt$...</p>
+
+<h2>NOTES
+<a name="NOTES"></a>
+</h2>
+
+
+<p style="margin-left:6%; margin-top: 1em">The NT hash uses
+the RSA MD4 Message-Digest Algorithm. The BLAKE2b hash uses
+the BLAKE2 cryptographic hash function.</p>
+
+<p style="margin-left:6%; margin-top: 1em">When a password
+hash is prefixed with <b>NT:</b> or <b>CR:</b>, 3proxy uses
+the corresponding algorithm to verify passwords instead of
+comparing cleartext strings.</p>
+
+<h2>BUGS
+<a name="BUGS"></a>
+</h2>
+
+
+<p style="margin-left:6%; margin-top: 1em">Report all bugs
+to <b>3proxy@3proxy.org</b></p>
+
+<h2>SEE ALSO
+<a name="SEE ALSO"></a>
+</h2>
+
+
+<p style="margin-left:6%; margin-top: 1em">3proxy(8),
+3proxy.cfg(5), <br>
+https://3proxy.org/</p>
+
+<h2>AUTHORS
+<a name="AUTHORS"></a>
+</h2>
+
+
+<p style="margin-left:6%; margin-top: 1em">3proxy is
+designed by Vladimir 3APA3A Dubrovin
+(<i>3proxy@3proxy.org</i>)</p>
+<hr>
+</body>
+</html>

doc/html/man8/ftppr.8.html

@@ -128,7 +128,11 @@ accordance with the routing table.</p></td></tr>
 
 <p style="margin-top: 1em">Internal address. IP address the
 proxy accepts connections to. By default, connections to any
-interface are accepted. It&acute;s usually unsafe.</p></td></tr>
+interface are accepted. It&acute;s usually unsafe. Unix
+domain sockets can be specified with
+<i>-iunix:/path/to/socket</i> syntax (e.g.,
+-iunix:/var/run/ftppr.sock). On Linux, abstract sockets use
+<i>-iunix:@socketname</i> syntax.</p></td></tr>
 <tr valign="top" align="left">
 <td width="6%"></td>
 <td width="3%">
@@ -194,7 +198,7 @@ with FTP proxy support, configure <i>internal_ip</i> and
 FTP proxy support, use <i>internal_ip</i> and <i>port</i> as
 the FTP server. The address of the real FTP server must be
 configured as a part of the FTP username. The format for the
-username is <i>username</i><b>@</b><i>server</i>, where
+username is <i>username</i>@<i>server</i>, where
 <i>server</i> is the address of the FTP server and
 <i>username</i> is the user&acute;s login on this FTP
 server. The login itself may contain an &acute;@&acute;

doc/html/man8/pop3p.8.html

@@ -128,7 +128,11 @@ accordance with the routing table.</p></td></tr>
 
 <p style="margin-top: 1em">Internal address. IP address the
 proxy accepts connections to. By default, connections to any
-interface are accepted. It&acute;s usually unsafe.</p></td></tr>
+interface are accepted. It&acute;s usually unsafe. Unix
+domain sockets can be specified with
+<i>-iunix:/path/to/socket</i> syntax (e.g.,
+-iunix:/var/run/pop3p.sock). On Linux, abstract sockets use
+<i>-iunix:@socketname</i> syntax.</p></td></tr>
 <tr valign="top" align="left">
 <td width="6%"></td>
 <td width="3%">
@@ -192,8 +196,8 @@ MUA (Mail User Agent) with POP3 support. Set the client to
 use <i>internal_ip</i> and <i>port</i> as a POP3 server. The
 address of the real POP3 server must be configured as a part
 of the POP3 username. The format for the username is
-<i>username</i><b>@</b><i>server</i>, where <i>server</i> is
+<i>username</i>@<i>server</i>, where <i>server</i> is the
-the address of the POP3 server and <i>username</i> is the
+address of the POP3 server and <i>username</i> is the
 user&acute;s login on this POP3 server. The login itself may
 contain an &acute;@&acute; sign. Only cleartext
 authentication is supported, because challenge-response

doc/html/man8/proxy.8.html

@@ -127,7 +127,11 @@ accordance with the routing table.</p></td></tr>
 
 <p style="margin-top: 1em">Internal address. IP address the
 proxy accepts connections to. By default, connections to any
-interface are accepted. It&acute;s usually unsafe.</p></td></tr>
+interface are accepted. It&acute;s usually unsafe. Unix
+domain sockets can be specified with
+<i>-iunix:/path/to/socket</i> syntax (e.g.,
+-iunix:/var/run/proxy.sock). On Linux, abstract sockets use
+<i>-iunix:@socketname</i> syntax.</p></td></tr>
 <tr valign="top" align="left">
 <td width="6%"></td>
 <td width="4%">

doc/html/man8/smtpp.8.html

@@ -128,7 +128,11 @@ accordance with the routing table.</p></td></tr>
 
 <p style="margin-top: 1em">Internal address. IP address the
 proxy accepts connections to. By default, connections to any
-interface are accepted. It&acute;s usually unsafe.</p></td></tr>
+interface are accepted. It&acute;s usually unsafe. Unix
+domain sockets can be specified with
+<i>-iunix:/path/to/socket</i> syntax (e.g.,
+-iunix:/var/run/smtpp.sock). On Linux, abstract sockets use
+<i>-iunix:@socketname</i> syntax.</p></td></tr>
 <tr valign="top" align="left">
 <td width="6%"></td>
 <td width="3%">
@@ -192,7 +196,7 @@ MUA (Mail User Agent) with SMTP authentication support. Set
 the client to use <i>internal_ip</i> and <i>port</i> as an
 SMTP server. The address of the real SMTP server must be
 configured as a part of the SMTP username. The format for
-the username is <i>username</i><b>@</b><i>server</i>, where
+the username is <i>username</i>@<i>server</i>, where
 <i>server</i> is the address of the SMTP server and
 <i>username</i> is the user&acute;s login on this SMTP
 server. The login itself may contain an &acute;@&acute;

doc/html/man8/socks.8.html

@@ -162,7 +162,11 @@ and does not work with port translation.</p></td></tr>
 
 <p style="margin-top: 1em">Internal address. IP address the
 proxy accepts connections to. By default, connections to any
-interface are accepted. It&acute;s usually unsafe.</p></td></tr>
+interface are accepted. It&acute;s usually unsafe. Unix
+domain sockets can be specified with
+<i>-iunix:/path/to/socket</i> syntax (e.g.,
+-iunix:/var/run/socks.sock). On Linux, abstract sockets use
+<i>-iunix:@socketname</i> syntax.</p></td></tr>
 <tr valign="top" align="left">
 <td width="6%"></td>
 <td width="4%">

doc/html/man8/tcppm.8.html

@@ -116,7 +116,11 @@ accordance with the routing table.</p></td></tr>
 
 <p style="margin-top: 1em">Internal address. IP address the
 proxy accepts connections to. By default, connections to any
-interface are accepted. It&acute;s usually unsafe.</p></td></tr>
+interface are accepted. It&acute;s usually unsafe. Unix
+domain sockets can be specified with
+<i>-iunix:/path/to/socket</i> syntax (e.g.,
+-iunix:/var/run/tcppm.sock). On Linux, abstract sockets use
+<i>-iunix:@socketname</i> syntax.</p></td></tr>
 <tr valign="top" align="left">
 <td width="6%"></td>
 <td width="3%">
@@ -160,12 +164,18 @@ connections on</p>
 <p style="margin-left:6%;"><i>remote_host</i></p>
 
 <p style="margin-left:15%;">- IP address of the host the
-connection is forwarded to</p>
+connection is forwarded to. Unix domain sockets can be
+specified with the syntax <i>unix:/path/to/socket</i> (e.g.,
+unix:/var/run/app.sock). On Linux, abstract (fileless) Unix
+sockets use the syntax <i>unix:@socketname</i> (e.g.,
+unix:@app.socket).</p>
 
 <p style="margin-left:6%;"><i>remote_port</i></p>
 
 <p style="margin-left:15%;">- remote port the connection is
-forwarded to</p>
+forwarded to. Ignored when using Unix socket destination,
+but must be specified (use any positive value) for syntax
+compatibility.</p>
 
 <h2>CLIENTS
 <a name="CLIENTS"></a>

doc/html/man8/tlspr.8.html

@@ -132,7 +132,11 @@ accordance with the routing table.</p></td></tr>
 
 <p style="margin-top: 1em">Internal address. IP address the
 proxy accepts connections to. By default, connections to any
-interface are accepted. It&acute;s usually unsafe.</p></td></tr>
+interface are accepted. It&acute;s usually unsafe. Unix
+domain sockets can be specified with
+<i>-iunix:/path/to/socket</i> syntax (e.g.,
+-iunix:/var/run/tlspr.sock). On Linux, abstract sockets use
+<i>-iunix:@socketname</i> syntax.</p></td></tr>
 <tr valign="top" align="left">
 <td width="6%"></td>
 <td width="4%">

doc/html/plugins/SSLPlugin.html

@@ -44,7 +44,7 @@ ssl_cli (or ssl_client) - establish TLS connection to upstream server for servic
 <br><b>ssl_client_ca_store</b> /path/to/castore - CA store for ssl_client_verify (OpenSSL 3.0+)
 <br><b>ssl_client_sni</b> hostname - SNI hostname to send to upstream server (overrides the requested hostname)
 <br><b>ssl_client_alpn</b> protocol1 protocol2 ... - ALPN protocols to negotiate with upstream server (e.g., ssl_client_alpn h2 http/1.1)
-<br><b>ssl_client_mode</b> mode - when to establish TLS connection: 0 - on connect (default), 1 - after authentication, 2 - before data
+<br><b>ssl_client_mode</b> mode - when to establish TLS connection: 0 - on connect (default), 1 - after authentication, 2 - before data, 3 - only for secure parent types (ending with 's')
 <br><b>ssl_certcache</b> /path/to/cache/ - location for the generated MITM certificates cache, optional if ssl_server_ca_file / ssl_server_ca_key are configured.
 The cache may contain 3 files: 3proxy.pem - public
 self-signed certificates (used if ssl_server_ca_file is not configured),
@@ -89,6 +89,26 @@ proxy -p3128
 </pre>
 Creates an HTTP proxy that connects to upstream servers via TLS with client certificate authentication.
 
+<h4>Conditional TLS for parent proxy (ssl_client_mode 3):</h4>
+<pre>
+plugin /path/to/SSLPlugin.so ssl_plugin
+ssl_server_cert /path/to/server.crt
+ssl_server_key /path/to/key
+ssl_client_mode 3
+
+auth strong
+allow user1
+parent 1000 https parent1.example.com 443
+allow user2
+parent 1000 socks5 parent2.example.com 1080
+ssl_serv
+ssl_cli
+proxy -p3128
+ssl_noserv
+ssl_nocli
+</pre>
+Creates an HTTP proxy on port 3128 that uses TLS for client connections (ssl_serv). With ssl_client_mode 3, TLS handshake to parent proxy is performed only if the parent type ends with 's' (secure types). In this example, user1's traffic goes through an https parent proxy with TLS encryption, while user2's traffic goes through a regular socks5 parent without TLS. Secure parent types include: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps.
+
 <h4>mTLS example (require client certificate):</h4>
 <pre>
 plugin /path/to/SSLPlugin.so ssl_plugin

doc/html/plugins/SSLPlugin.ru.html

@@ -44,7 +44,7 @@ ssl_cli (или ssl_client) - устанавливать TLS-соединени
 <br><b>ssl_client_ca_store</b> /path/to/castore - хранилище CA-сертификатов для ssl_client_verify (OpenSSL 3.0+)
 <br><b>ssl_client_sni</b> hostname - SNI-имя хоста для отправки вышестоящему серверу (переопределяет запрошенное имя хоста)
 <br><b>ssl_client_alpn</b> протокол1 протокол2 ... - ALPN-протоколы для согласования с вышестоящим сервером (например, ssl_client_alpn h2 http/1.1)
-<br><b>ssl_client_mode</b> режим - когда устанавливать TLS-соединение: 0 - при подключении (по умолчанию), 1 - после аутентификации, 2 - перед передачей данных
+<br><b>ssl_client_mode</b> режим - когда устанавливать TLS-соединение: 0 - при подключении (по умолчанию), 1 - после аутентификации, 2 - перед передачей данных, 3 - только для защищённых типов parent прокси (заканчивающихся на 's')
 <br><b>ssl_certcache</b> /path/to/cache/ - расположение кеша сгенерированных MITM-сертификатов. Кеш может содержать
 файлы 3proxy.pem, 3proxy.key, server.key, которые используются как ssl_server_ca_file,
 ssl_server_ca_key и ssl_server_key соответственно, если они не заданы. Если server.key не задан,
@@ -86,6 +86,26 @@ proxy -p3128
 </pre>
 Создается HTTP-прокси, который соединяется с вышестоящими серверами через TLS с аутентификацией по клиентскому сертификату.
 
+<h4>Условное TLS для parent прокси (ssl_client_mode 3):</h4>
+<pre>
+plugin /path/to/SSLPlugin.so ssl_plugin
+ssl_server_cert /path/to/server.crt
+ssl_server_key /path/to/key
+ssl_client_mode 3
+
+auth strong
+allow user1
+parent 1000 https parent1.example.com 443
+allow user2
+parent 1000 socks5 parent2.example.com 1080
+ssl_serv
+ssl_cli
+proxy -p3128
+ssl_noserv
+ssl_nocli
+</pre>
+Создается HTTP-прокси на порту 3128, использующий TLS для клиентских соединений (ssl_serv). При ssl_client_mode 3 TLS-рукопожатие с родительским прокси выполняется только если тип parent прокси заканчивается на 's' (защищённые типы). В данном примере трафик user1 идёт через https родительский прокси с TLS-шифрованием, а трафик user2 — через обычный socks5 родитель без TLS. Защищённые типы parent прокси: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps.
+
 <h4>Пример mTLS (требование клиентского сертификата):</h4>
 <pre>
 plugin /path/to/SSLPlugin.so ssl_plugin

man/3proxy.8

@@ -140,7 +140,7 @@ configuration file
 Report all bugs to
 .BR 3proxy@3proxy.org
 .SH SEE ALSO
-3proxy.cfg(3), proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8),
+3proxy.cfg(5), proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8),
 kill(1), syslogd(8),
 .br
 https://3proxy.org/

man/3proxy.cfg.5

@@ -1,4 +1,4 @@
-.TH 3proxy.cfg "8" "January 2019" "3proxy 0.9" "Universal proxy server"
+.TH 3proxy.cfg "5" "January 2019" "3proxy 0.9" "Universal proxy server"
 .SH NAME
 .B 3proxy.cfg
 3proxy configuration file
@@ -69,11 +69,11 @@ Recursion is not allowed.
 .br
 .B tcppm
 [options]
-<SRCPORT> <DSTADDR> <DSTPORT>
+\fI<SRCPORT>\fR \fI<DSTADDR>\fR \fI<DSTPORT>\fR
 .br
 .B udppm
 [options]
-<SRCPORT> <DSTADDR> <DSTPORT>
+\fI<SRCPORT>\fR \fI<DSTADDR>\fR \fI<DSTPORT>\fR
 .br
  Descriptions:
 .br
@@ -105,7 +105,13 @@ Web interface (default port 80)
 caching DNS proxy (default port 53)
 .br
 .B tcppm
-TCP portmapper
+TCP portmapper. Destination address (DSTADDR) can be a Unix domain socket
+using the syntax
+.I unix:/path/to/socket
+(e.g., tcppm 8080 unix:/var/run/app.sock 0). On Linux, abstract sockets use
+.I unix:@socketname
+syntax. When using Unix socket destination, the port number is ignored
+but must be specified for syntax compatibility.
 .br
 .B udppm
 UDP portmapper
@@ -113,16 +119,10 @@ UDP portmapper
 .br
  Options:
 .br
-.B -pNUMBER
+.B -p\fINUMBER\fR
 change default server port to NUMBER
 .br
-.B -n
+.B -g(\fIGRACE_TRAFF\fB,\fIGRACE_NUM\fB,\fIGRACE_DELAY\fR)
-disable NTLM authentication (required if passwords are stored in Unix crypt format).
-.br
-.B -n1
-enable NTLMv1 authentication.
-.br
-.B -g(GRACE_TRAFF,GRACE_NUM,GRACE_DELAY)
 delay GRACE_DELAY milliseconds before polling if average polling size is below GRACE_TRAFF bytes and GRACE_NUM read operations in a single direction are detected within 1 second. Useful to minimize polling
 .B -s
  (for admin) secure, allow only secure operations, currently only traffic counters
@@ -159,18 +159,18 @@ Resolve IPv6 addresses if IPv4 address is not resolvable
 .B -64
 Resolve IPv4 addresses if IPv6 address is not resolvable
 .br
-.B -RHOST:port
+.B -R\fIHOST\fB:\fIport\fR
 listen on given local HOST:port for incoming connections instead of making remote outgoing connection. Can be used with another 3proxy service running -r option for connect back functionality. Most commonly used with tcppm. HOST can be given as IP or hostname, useful in case of dynamic DNS.
 .br
-.B -rHOST:port
+.B -r\fIHOST\fB:\fIport\fR
 connect to given remote HOST:port instead of listening local connection on -p or default port. Can be used with another 3proxy service running -R option for connect back functionality. Most commonly used with proxy or socks. HOST can be given as IP or hostname, useful in case of dynamic DNS.
 .br
-.B -ocOPTIONS, -osOPTIONS, -olOPTIONS, -orOPTIONS, -oROPTIONS
+.B -oc\fIOPTIONS\fB, -os\fIOPTIONS\fB, -ol\fIOPTIONS\fB, -or\fIOPTIONS\fB, -oR\fIOPTIONS\fR
-options for proxy-to-client (oc), proxy-to-server (os), proxy listening (ol), connect back client (or), connect back listening (oR) sockets.
+options for proxy-to-client (\fB-oc\fR), proxy-to-server (\fB-os\fR), proxy listening (\fB-ol\fR), connect back client (\fB-or\fR), connect back listening (\fB-oR\fR) sockets.
 Options like TCP_CORK, TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK, TCP_TIMESTAMPS, USE_TCP_FASTOPEN, SO_REUSEADDR, SO_REUSEPORT, SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT, SO_KEEPALIVE, SO_DONTROUTE may be supported depending on OS.
 .br
-.B -DiINTERFACE, -DeINTERFACE
+.B -Di\fIINTERFACE\fB, -De\fIINTERFACE\fR
-bind internal interface / external interface to given INTERFACE (e.g. eth0) if SO_BINDTODEVICE is supported by the system. You may need to run as root or have CAP_NET_RAW capability in order to bind to an interface, depending on the system, so this option may require root privileges and can be incompatible with some configuration commands like chroot and setuid (and daemon if setcap is used).
+bind internal (\fB-Di\fR) / external (\fB-De\fR) interface to given INTERFACE (e.g. eth0) if \fBSO_BINDTODEVICE\fR is supported by the system. You may need to run as root or have \fBCAP_NET_RAW\fR capability in order to bind to an interface, depending on the system, so this option may require root privileges and can be incompatible with some configuration commands like \fBchroot\fR and \fBsetuid\fR (and \fBdaemon\fR if setcap is used).
 .br
 .B -e
 External address. IP address of the interface the proxy should initiate connections
@@ -181,11 +181,23 @@ with the routing table.
 .B -i
 Internal address. IP address the proxy accepts connections to.
 By default, connections to any interface are accepted.
+Unix domain sockets can be specified with
+.I -iunix:/path/to/socket
+syntax. On Linux, abstract sockets use
+.I -iunix:@socketname
+syntax. 
 .br
-.B -N
+.B -Ne
-(for socks) External NAT address 3proxy reports to client for BIND and UDPASSOC
+(for socks) External NAT address (between 3proxy and destination server) to report to client for CONNECT and BIND. By default external address is reported. It's only useful in the case of IP-IP NAT (will not work for PAT).
-By default external address is reported. It's only useful in the case
+.br
-of IP-IP NAT (will not work for PAT)
+.B -Ni
+(for socks) Internal NAT address (between client and 3proxy) to report to client for UDPASSOC. By default internal address is reported. It's only useful in the case of IP-IP NAT (will not work for PAT).
+.br
+.B -H
+(for all services) Expect HAProxy PROXY protocol v1 header on incoming connection.
+This allows the proxy to receive real client IP address from HAProxy or other
+load balancer that supports the PROXY protocol. The header must be sent before
+any protocol-specific data.
 .br
  Also, all options mentioned for 
 .BR proxy (8)
@@ -204,7 +216,7 @@ pop3username@pop3server. If POP3 proxy access must be authenticated, you can
 specify username as proxy_username:proxy_password:POP3_username@pop3server
 .br
  DNS proxy resolves any types of records but only hostnames are cached. It
-requires nserver/nscache to be configured. If nserver is configured as TCP,
+requires \fBnserver\fR/\fBnscache\fR to be configured. If \fBnserver\fR is configured as TCP,
 redirections are applied on connection, so parent proxy may be used to resolve
 names to IP.
 .br
@@ -220,14 +232,14 @@ proxy on a client with FTP proxy support. Username format is one of
  Please note, if you use FTP client interface for FTP proxy do not add FTPpassword and FTPServer to username, because FTP client does it for you. That is, if you use 3proxy with authentication use proxyuser:proxypassword:FTPuser as FTP username, otherwise do not change original FTP user name
 
 .br
-.B include
+.BR include
-<path>
+\fI<path>\fR
 .br
  Include config file
 
 .br
-.B config
+.BR config
-<path>
+\fI<path>\fR
 .br
  Path to configuration file to use on 3proxy restart or to save configuration.
 
@@ -246,8 +258,8 @@ alternate config file. Think twice before using it.
  End of configuration
 
 .br
-.B log
+.BR log
-[[@|&]logfile] [<LOGTYPE>]
+[[@|&]\fIlogfile\fR] [\fI<LOGTYPE>\fR]
 .br
  sets logfile for all gateways
 .br
@@ -259,17 +271,17 @@ alternate config file. Think twice before using it.
 .br
  LOGTYPE is one of:
 .br
-  c Minutely
+  \fBc\fR Minutely
 .br
-  H Hourly
+  \fBH\fR Hourly
 .br
-  D Daily
+  \fBD\fR Daily
 .br
-  W Weekly (starting from Sunday)
+  \fBW\fR Weekly (starting from Sunday)
 .br
-  M Monthly
+  \fBM\fR Monthly
 .br
-  Y Annually
+  \fBY\fR Annually
 .br
  if logfile is not specified logging goes to stdout. You can specify individual logging options for gateway by using -l
 option in gateway configuration.
@@ -280,13 +292,13 @@ As with "logformat" filename must begin with \'L\' or \'G\' to specify Local or
 Grinwitch time zone for all time-based format specificators.
 
 .br
-.B rotate
+.BR rotate
-<n>
+\fI<n>\fR
  how many archived log files to keep
 
 .br
-.B logformat
+.BR logformat
-<format>
+\fI<format>\fR
 .br
  Format for log record. First symbol in format must be L (local time)
 or G (absolute Grinwitch time). 
@@ -368,8 +380,8 @@ with space and all time based elemnts are in local time zone.
  logformat "-\'+_Linsert into log (l_date, l_user, l_service, l_in, l_out, l_descr) values (\'%d-%m-%Y %H:%M:%S\', \'%U\', \'%N\', %I, %O, \'%T\')"
 
 .br
-.B logdump
+.BR logdump
-<in_traffic_limit> <out_traffic_limit>
+\fI<in_traffic_limit>\fR \fI<out_traffic_limit>\fR
 .br
  Immediately creates additional log records if given amount of incoming/outgoing
 traffic is achieved for connection, without waiting for connection to finish.
@@ -377,56 +389,56 @@ It may be useful to prevent information about long-lasting downloads on server
 shutdown.
 
 .br
-.B delimchar
+.BR delimchar
-<char>
+\fI<char>\fR
 .br
  Sets the delimiter character used to separate username from hostname in proxy
 authentication strings (e.g. for FTP, POP3 proxies). Default is \'@\'. For example,
 to use \'#\' instead: delimchar #. This allows usernames to contain the \'@\' character.
 
 .br
-.B archiver
+.BR archiver
-<ext> <commandline>
+\fI<ext>\fR \fI<commandline>\fR
 .br
  Archiver to use for log files. <ext> is file extension produced by
 archiver. Filename will be last argument to archiver, optionally you
 can use %A as produced archive name and %F as filename.
 
 .br
-.B timeouts
+.BR timeouts
-<BYTE_SHORT> <BYTE_LONG> <STRING_SHORT> <STRING_LONG> <CONNECTION_SHORT> <CONNECTION_LONG> <DNS> <CHAIN> <CONNECT> <CONNECTBACK>
+\fI<BYTE_SHORT>\fR \fI<BYTE_LONG>\fR \fI<STRING_SHORT>\fR \fI<STRING_LONG>\fR \fI<CONNECTION_SHORT>\fR \fI<CONNECTION_LONG>\fR \fI<DNS>\fR \fI<CHAIN>\fR \fI<CONNECT>\fR \fI<CONNECTBACK>\fR
 .br
  Sets timeout values, defaults 1, 5, 30, 60, 180, 1800, 15, 60, 15, 5.
 .br
- BYTE_SHORT short timeout for single byte, is usually used for receiving single byte from stream.
+ \fBBYTE_SHORT\fR short timeout for single byte, is usually used for receiving single byte from stream.
 .br
- BYTE_LONG long timeout for single byte, is usually used for receiving first byte in frame (for example first byte in socks request).
+ \fBBYTE_LONG\fR long timeout for single byte, is usually used for receiving first byte in frame (for example first byte in socks request).
 .br
- STRING_SHORT short timeout, for character string within stream (for example to wait between 2 HTTP headers)
+ \fBSTRING_SHORT\fR short timeout, for character string within stream (for example to wait between 2 HTTP headers)
 .br
- STRING_LONG long timeout, for first string in stream (for example to wait for HTTP request).
+ \fBSTRING_LONG\fR long timeout, for first string in stream (for example to wait for HTTP request).
 .br
- CONNECTION_SHORT inactivity timeout for short connections (HTTP, POP3, etc).
+ \fBCONNECTION_SHORT\fR inactivity timeout for short connections (HTTP, POP3, etc).
 .br
- CONNECTION_LONG inactivity timeout for long connection (SOCKS, portmappers, etc).
+ \fBCONNECTION_LONG\fR inactivity timeout for long connection (SOCKS, portmappers, etc).
 .br
- DNS timeout for DNS request before requesting next server
+ \fBDNS\fR timeout for DNS request before requesting next server
 .br
- CHAIN timeout for reading data from chained connection
+ \fBCHAIN\fR timeout for reading data from chained connection
 .br
  default timeouts 1 5 30 60 180 1800 15 60 15 5
 
 .br
-.B maxseg
+.BR maxseg
-<value>
+\fI<value>\fR
 .br
  Sets TCP maximum segment size (MSS) for outgoing connections. This can be used
 to work around path MTU discovery issues or to optimize traffic for specific
 network conditions.
 
 .br
-.B radius 
+.BR radius
-<NAS_SECRET> <radius_server_1[:port][/local_address_1]> <radius_server_2[:port][/local_address_2]>
+\fI<NAS_SECRET>\fR \fI<radius_server_1\fR[:\fIport\fR][/\fIlocal_address_1\fR]\fR \fI<radius_server_2\fR[:\fIport\fR][/\fIlocal_address_2\fR]\fR
 .br
  Configures RADIUS servers to be used for logging and authentication (log and auth types
 must be set to radius). port and local address to use with given server may be specified.
@@ -445,11 +457,11 @@ Login-IPv6-Host / Login-IP-Host: (requested IP).
 .br
  Supported reply attributes for authentication:
 Framed-IP-Address / Framed-IPv6-Address (IP to assign to user), Reply-Message.
-Use authcache to speedup authentication. RADIUS feature is currently experimental.
+Use \fBauthcache\fR to speedup authentication. RADIUS feature is currently experimental.
 
 .br
-.B nserver
+.BR nserver
-<ipaddr>[:port][/tcp]
+\fI<ipaddr>\fR[:\fIport\fR][/\fItcp\fR]
 .br
  Nameserver to use for name resolutions. If none specified
 system routines for name resolution is
@@ -458,27 +470,27 @@ If optional /tcp is added to IP address, name resolution is
 performed over TCP.
 
 .br
-.B authnserver
+.BR authnserver
-<ipaddr>[:port][/tcp]
+\fI<ipaddr>\fR[:\fIport\fR][/\fItcp\fR]
 .br
  Nameserver to use for DNS-based authentication (e.g. dnsname auth type).
 If not specified, nserver is used. The syntax is the same as for nserver.
 
 .br
-.B nscache
+.BR nscache
-<cachesize>
+\fI<cachesize>\fR
-.B nscache6
+.BR nscache6
-<cachesize>
+\fI<cachesize>\fR
 .br
- Cache <cachesize> records for name resolution (nscache for IPv4,
+ Cache \fI<cachesize>\fR records for name resolution (\fBnscache\fR for IPv4,
-nscache6 for IPv6). The cache size should usually be large enough
+\fBnscache6\fR for IPv6). The cache size should usually be large enough
 (for example, 65536).
 
 .br
-.B nsrecord
+.BR nsrecord
-<hostname> <hostaddr>
+\fI<hostname>\fR \fI<hostaddr>\fR
 .br
- Adds static record to nscache. nscache must be enabled. If 0.0.0.0
+ Adds static record to nscache. \fBnscache\fR must be enabled. If 0.0.0.0
 is used as a hostaddr host will never resolve, it can be used to
 blacklist something or together with 
 .B dialer
@@ -488,11 +500,11 @@ command to set up UDL for dialing.
 .B fakeresolve
 .br
  All names are resolved to the 127.0.0.2 address. Useful if all requests are
-redirected to a parent proxy with http, socks4+, connect+ or socks5+.
+redirected to a parent proxy with \fBhttp\fR, \fBsocks4+\fR, \fBconnect+\fR or \fBsocks5+\fR.
 
 .br
-.B dialer
+.BR dialer
-<progname>
+\fI<progname>\fR
 .br
  Execute progname if external name can\'t be resolved.
 Hint: if you use nscache, dialer may not work, because names will
@@ -501,38 +513,46 @@ http://dial.right.now/ from browser to set up connection.
 
 
 .br
-.B internal
+.BR internal
-<ipaddr>
+\fI<ipaddr>\fR
 .br
  sets ip address of internal interface. This IP address will be used
 to bind gateways. Alternatively you can use -i option for individual
 gateways. Since 0.8 version, IPv6 address may be used.
+.br
+Unix domain sockets are supported with the syntax
+.I unix:/path/to/socket
+(e.g., internal unix:/var/run/3proxy.sock). On Linux, abstract (fileless)
+Unix sockets are supported with the syntax
+.I unix:@socketname
+(e.g., internal unix:@3proxy). When using Unix sockets, the socket file
+is automatically created and removed on service start/stop.
 
 .br
-.B external
+.BR external
-<ipaddr>
+\fI<ipaddr>\fR
 .br
  sets ip address of external interface. This IP address will be source
 address for all connections made by proxy. Alternatively you can use -e
 option to specify individual address for gateway. Since 0.8 version
-External or -e can be given twice: once with IPv4 and once with IPv6 address.
+External or \fB-e\fR can be given twice: once with IPv4 and once with IPv6 address.
    
 .br
-.B maxconn
+.BR maxconn
-<number>
+\fI<number>\fR
 .br
  sets the maximum number of simultaneous connections to each service
 started after this command at the network level. Default is 100.
 .br
- To limit clients, use connlim instead. maxconn will silently ignore
+ To limit clients, use \fBconnlim\fR instead. \fBmaxconn\fR will silently ignore
-new connections, while connlim will report back to the client that
+new connections, while \fBconnlim\fR will report back to the client that
 the connection limit has been reached.
 
 .br
 .B backlog
 .br
  sets the listening socket backlog of new connections. Default is
-1 + maxconn/8. Maximum value is capped by kernel tunable somaxconn.
+1 + \fBmaxconn\fR/8. Maximum value is capped by kernel tunable somaxconn.
 
 .br
 .B service
@@ -546,40 +566,40 @@ to reinstall the service.
 .B daemon
 .br
  Should be specified to close the console. Do not use \'daemon\' with \'service\'.
-At least under FreeBSD, \'daemon\' should precede any proxy service
+At least under FreeBSD, \fBdaemon\fR should precede any proxy service
 and log commands to avoid socket problems. Always place it in the beginning
 of the configuration file.
 
 .br
-.B auth
+.BR auth
-<authtype> [...]
+\fI<authtype>\fR [...]
 .br
  Type of user authorization. Currently supported:
 .br
- none - no authentication or authorization required.
+ \fBnone\fR - no authentication or authorization required.
 .br
  Note: if auth is none, any IP-based limitation, redirection, etc. will not work.
 This is the default authentication type
 .br
- iponly - authentication by access control list with username ignored.
+ \fBiponly\fR - authentication by access control list with username ignored.
  Appropriate for most cases
 .br
- useronly - authentication by username without checking for any password with
+ \fBuseronly\fR - authentication by username without checking for any password with
 authorization by ACLs. Useful for e.g. SOCKSv4 proxy and icqpr (icqpr set UIN /
 AOL screen name as a username)
 .br
- dnsname - authentication by DNS hostname with authorization by ACLs.
+ \fBdnsname\fR - authentication by DNS hostname with authorization by ACLs.
 The DNS hostname is resolved via a PTR (reverse) record and validated (the resolved
 name must resolve to the same IP address). It\'s recommended to use authcache by
 IP for this authentication.
 NB: there is no password check; the name may be spoofed.
 .br
- strong - username/password authentication required. It will work with
+ \fBstrong\fR - username/password authentication required. It will work with
 SOCKSv5, FTP, POP3 and HTTP proxy. 
 .br
- cache - cached authentication, may be used with \'authcache\'.
+ \fBcache\fR - cached authentication, may be used with \'authcache\'.
 .br
- radius - authentication with RADIUS.
+ \fBradius\fR - authentication with RADIUS.
 .br
  Plugins may add additional authentication types.
 
@@ -596,42 +616,43 @@ IP-based authentication for dedicated laptops and request a username/password fo
 shared ones.
 
 .br
-.B authcache
+.BR authcache
-<cachtype> <cachtime>
+\fI<cachtype>\fR \fI<cachtime>\fR \fI<cachesize>\fR
 .br
  Cache authentication information for a given amount of time (cachetime) in seconds.
+cachesize limits number of cache entries.
 Cachetype is one of:
 .br
- ip - after successful authentication all connections during caching time
+ \fBip\fR - after successful authentication all connections during caching time
 from same IP are assigned to the same user, username is not requested.
 .br
- ip,user username is requested and all connections from the same IP are
+ \fBip,user\fR username is requested and all connections from the same IP are
 assigned to the same user without actual authentication.
 .br
- user - same as above, but IP is not checked. 
+ \fBuser\fR - same as above, but IP is not checked.
 .br
- user,password - both username and password are checked against cached ones.
+ \fBuser,password\fR - both username and password are checked against cached ones.
 .br
- limit - limit user to use only one ip, \'ip\' and \'user\' are required
+ \fBlimit\fR - limit user to use only one ip, \'ip\' and \'user\' are required
 .br
- acl - only use cached auth if user access service with same ACL 
+ \fBack\fR - only use cached auth if user access service with same ACL
 .br
- ext - cache external IP
+ \fBext\fR - cache external IP
 .br
-Use auth type \'cache\' for cached authentication
+Use auth type \fBcache\fR for cached authentication
 
 .br
-.B allow
+.BR allow
-<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
-<weekdayslist> <timeperiodslist>
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B deny
+.BR deny
-<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
-<weekdayslist> <timeperiodslist>
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B redirect
+.BR redirect
-<ip> <port> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+\fI<ip>\fR \fI<port>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
-<weekdayslist> <timeperiodslist>
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
  Access control entries. All lists are comma-separated, no spaces are
 allowed. Usernames are case sensitive (if used with authtype nbname
@@ -660,42 +681,42 @@ to appropriate interface only or to use ip filters.
 .br
  Operation is one of:
 .br
- CONNECT establish outgoing TCP connection
+ \fBCONNECT\fR establish outgoing TCP connection
 .br
- BIND bind TCP port for listening
+ \fBBIND\fR bind TCP port for listening
 .br
- UDPASSOC make UDP association
+ \fBUDPASSOC\fR make UDP association
 .br
- ICMPASSOC make ICMP association (for future use)
+ \fBICMPASSOC\fR make ICMP association (for future use)
 .br
- HTTP_GET HTTP GET request
+ \fBHTTP_GET\fR HTTP GET request
 .br
- HTTP_PUT HTTP PUT request
+ \fBHTTP_PUT\fR HTTP PUT request
 .br
- HTTP_POST HTTP POST request
+ \fBHTTP_POST\fR HTTP POST request
 .br
- HTTP_HEAD HTTP HEAD request
+ \fBHTTP_HEAD\fR HTTP HEAD request
 .br
- HTTP_CONNECT HTTP CONNECT request
+ \fBHTTP_CONNECT\fR HTTP CONNECT request
 .br
- HTTP_OTHER over HTTP request
+ \fBHTTP_OTHER\fR over HTTP request
 .br
- HTTP matches any HTTP request except HTTP_CONNECT
+ \fBHTTP\fR matches any HTTP request except HTTP_CONNECT
 .br
- HTTPS same as HTTP_CONNECT
+ \fBHTTPS\fR same as HTTP_CONNECT
 .br
- FTP_GET FTP get request
+ \fBFTP_GET\fR FTP get request
 .br
- FTP_PUT FTP put request
+ \fBFTP_PUT\fR FTP put request
 .br
- FTP_LIST FTP list request
+ \fBFTP_LIST\fR FTP list request
 .br
- FTP_DATA FTP data connection. Note: FTP_DATA requires access to dynamic
+ \fBFTP_DATA\fR FTP data connection. Note: FTP_DATA requires access to dynamic
 non-privileged (1024-65535) ports on the remote side.
 .br
- FTP matches any FTP/FTP Data request
+ \fBFTP\fR matches any FTP/FTP Data request
 .br
- ADMIN access to administration interface
+ \fBADMIN\fR access to administration interface
 
 .br
  Weekdays are week day numbers or periods, 0 or 7 means Sunday, 1 is Monday, 1-5 means Monday through Friday.
@@ -704,8 +725,8 @@ non-privileged (1024-65535) ports on the remote side.
 periods in HH:MM:SS-HH:MM:SS format. For example, 00:00:00-08:00:00,17:00:00-24:00:00 lists non-working hours.
 
 .br
-.B parent
+.BR parent
-<weight> <type> <ip> <port> <username> <password>
+\fI<weight>\fR \fI<type>\fR \fI<ip>\fR \fI<port>\fR \fI<username>\fR \fI<password>\fR
 .br
  this command must follow "allow" rule. It extends last allow rule to
 build proxy chain. Proxies may be grouped. Proxy inside the
@@ -742,41 +763,45 @@ with probability of 0.7) for outgoing web connections. Chains are only applied t
 .br
  type is one of:
 .br
- extip does not actually redirect the request; it sets the external address for this request to <ip>. It can be chained with another parent type. It's useful to set the external IP based on ACL or make it random.
+ \fBextip\fR does not actually redirect the request; it sets the external address for this request to \fI<ip>\fR. It can be chained with another parent type. It's useful to set the external IP based on ACL or make it random.
 .br
- tcp simply redirect connection. TCP is always last in chain. This type of proxy is a simple TCP redirection, it does not support parent authentication.
+ \fBtcp\fR simply redirect connection. TCP is always last in chain. This type of proxy is a simple TCP redirection, it does not support parent authentication.
 .br
- http redirect to HTTP proxy. HTTP is always the last chain. It should only be used with http (proxy) service,
+ \fBhttp\fR redirect to HTTP proxy. HTTP is always the last chain. It should only be used with http (proxy) service,
 if used with different service, it works as tcp redirection.
 .br
- pop3 redirect to POP3 proxy (only local redirection is supported, can only be used as a first hop in chaining)
+ \fBpop3\fR redirect to POP3 proxy (only local redirection is supported, can only be used as a first hop in chaining)
 .br
- ftp redirect to FTP proxy (only local redirection is supported, can only be used as a first hop in chaining)
+ \fBftp\fR redirect to FTP proxy (only local redirection is supported, can only be used as a first hop in chaining)
 .br
- connect parent is HTTP CONNECT method proxy
+ \fBconnect\fR parent is HTTP CONNECT method proxy
 .br
- connect+ parent is HTTP CONNECT proxy with name resolution (hostname is used instead of IP if available)
+ \fBconnect+\fR parent is HTTP CONNECT proxy with name resolution (hostname is used instead of IP if available)
 .br
- socks4 parent is SOCKSv4 proxy
+ \fBsocks4\fR parent is SOCKSv4 proxy
 .br
- socks4+ parent is SOCKSv4 proxy with name resolution (SOCKSv4a)
+ \fBsocks4+\fR parent is SOCKSv4 proxy with name resolution (SOCKSv4a)
 .br
- socks5 parent is SOCKSv5 proxy
+ \fBsocks5\fR parent is SOCKSv5 proxy
 .br
- socks5+ parent is SOCKSv5 proxy with name resolution
+ \fBsocks5+\fR parent is SOCKSv5 proxy with name resolution
 .br
- socks4b parent is SOCKS4b (broken SOCKSv4 implementation with shortened
+ \fBsocks4b\fR parent is SOCKS4b (broken SOCKSv4 implementation with shortened
 server reply; I never saw this kind of server, but they say there are some).
 Normally you should not use this option. Do not confuse this option with
-SOCKSv4a (socks4+).
+SOCKSv4a (\fBsocks4+\fR).
 .br
- socks5b parent is SOCKS5b (broken SOCKSv5 implementation with shortened
+ \fBsocks5b\fR parent is SOCKS5b (broken SOCKSv5 implementation with shortened
 server reply. I think you will never find it useful). Never use this option
 unless you know exactly you need it.
 .br
- admin redirect request to local \'admin\' service (with -s parameter).
+ \fBadmin\fR redirect request to local \'admin\' service (with -s parameter).
 .br
- Use "+" proxy only with "fakeresolve" option
+\fBha\fR send HAProxy PROXY protocol v1 header to parent proxy. Must be the last
+in the proxy chain. Useful for passing client IP information to the parent proxy.
+Example: parent 1000 ha
+.br
+Use "+" proxy only with \fBfakeresolve\fR option
 .br
 
  IP and port are ip addres and port of parent proxy server.
@@ -797,6 +822,14 @@ locally redirects to
 .B proxy
 .B admin
 locally redirects to the admin -s service.
+.br
+Unix domain sockets can be used instead of IP address with the syntax
+.I unix:/path/to/socket
+(e.g., parent 1000 socks5 unix:/var/run/parent.sock 1080). On Linux,
+abstract (fileless) Unix sockets are supported with
+.I unix:@socketname
+syntax (e.g., parent 1000 http unix:@parent.proxy 3128). When using Unix
+sockets, the port number is ignored but must be specified for syntax compatibility.
 
 .br
  Main purpose of local redirections is to have the requested resource
@@ -820,21 +853,21 @@ local HTTP proxy parses requests and allows only GET and POST requests.
 .br
  parent 1000 http 1.2.3.4 0
 .br
- Changes the external address for a given connection to 1.2.3.4 (equivalent to -e1.2.3.4)
+ Changes the external address for a given connection to 1.2.3.4 (equivalent to \fB-e1.2.3.4\fR)
 .br
  Optional username and password are used to authenticate on parent
 proxy. Username of \'*\' means username must be supplied by user.
 
 .br
-.B parentretries
+.BR parentretries
-<number>
+\fI<number>\fR
 .br
  Number of retries to connect to parent proxy. Default is 1.
 
 
 .br
-.B nolog
+.BR nolog
-<n>
+\fI<n>\fR
 .br
  extends last allow or deny command to prevent logging, e.g.
 .br
@@ -844,8 +877,8 @@ nolog
 
 
 .br
-.B weight
+.BR weight
-<n>
+\fI<n>\fR
 .br
  extends last allow or deny command to set weight for this request
 .br
@@ -867,30 +900,30 @@ is removed, old connections which do not match current are closed.
 noforce allows to keep previously authenticated connections.
 
 .br
-.B bandlimin
+.BR bandlimin
-<rate> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+\fI<rate>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
-<weekdayslist> <timeperiodslist>
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B nobandlimin
+.BR nobandlimin
-<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
-<weekdayslist> <timeperiodslist>
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B bandlimout
+.BR bandlimout
-<rate> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+\fI<rate>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
-<weekdayslist> <timeperiodslist>
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B nobandlimout
+.BR nobandlimout
-<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
-<weekdayslist> <timeperiodslist>
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
- bandlim sets a bandwidth limitation filter to <rate> bps (bits per second).
+ bandlim sets a bandwidth limitation filter to \fI<rate>\fR bps (bits per second).
 If you want to specify bytes per second, multiply your value by 8.
 bandlim rules act in the same manner as allow/deny rules, except for
 one thing: bandwidth limiting is applied to all services, not to some
 specific service. 
-bandlimin and nobandlimin apply to incoming traffic
+\fBbandlimin\fR and \fBnobandlimin\fR apply to incoming traffic
 .br
-bandlimout and nobandlimout apply to outgoing traffic
+\fBbandlimout\fR and \fBnobandlimout\fR apply to outgoing traffic
 .br
 If you want to ratelimit your clients with IPs 192.168.10.16/30 (4
 addresses) to 57600 bps, you have to specify 4 rules like
@@ -915,17 +948,17 @@ If you want, for example, to limit all speed except access to POP3, you can use
  before the rest of bandlim rules.
 
 .br
-.B connlim
+.BR connlim
-<rate> <period> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+\fI<rate>\fR \fI<period>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
-<weekdayslist> <timeperiodslist>
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B noconnlim
+.BR noconnlim
-<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
-<weekdayslist> <timeperiodslist>
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
  connlim sets connections rate limit per time period for traffic
 pattern controlled by ACL. Period is in seconds. If period is 0,
-connlim limits a number of parallel connections.
+\fBconnlim\fR limits a number of parallel connections.
 .br
  connlim 100 60 * 127.0.0.1
 .br
@@ -935,39 +968,39 @@ connlim limits a number of parallel connections.
 .br
  allows 20 simultaneous connections for 127.0.0.1.
 .br
- Like with bandlimin, if an individual limit is required per client, a separate
+ Like with \fBbandlimin\fR, if an individual limit is required per client, a separate
 rule must be added for every client. Like with nobandlimin, noconnlim adds an
 exception.
 
 
 
 .br
-.B counter
+.BR counter
-<filename> <reporttype> <reportname>
+\fI<filename>\fR \fI<reporttype>\fR \fI<reportname>\fR
 .br
-.B countin
+.BR countin
-<number> <type> <limit> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+\fI<number>\fR \fI<type>\fR \fI<limit>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
-<weekdayslist> <timeperiodslist>
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B nocountin
+.BR nocountin
-<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
-<weekdayslist> <timeperiodslist>
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B countout
+.BR countout
-<number> <type> <limit> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+\fI<number>\fR \fI<type>\fR \fI<limit>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
-<weekdayslist> <timeperiodslist>
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B nocountout
+.BR nocountout
-<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
-<weekdayslist> <timeperiodslist>
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B countall
+.BR countall
-<number> <type> <limit> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+\fI<number>\fR \fI<type>\fR \fI<limit>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
-<weekdayslist> <timeperiodslist>
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
-.B nocountall
+.BR nocountall
-<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
+\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
-<weekdayslist> <timeperiodslist>
+\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
 .br
 
  counter, countin, nocountin, countout, nocountout, countall,
@@ -981,38 +1014,36 @@ should be a unique sequential number which points to the position of
 the counter within the file.
 Type specifies a type of counter. Type is one of:
 .br
- H - counter is reset hourly
+ \fBH\fR - counter is reset hourly
 .br
- D - counter is reset daily
+ \fBD\fR - counter is reset daily
 .br
- W - counter is reset weekly
+ \fBW\fR - counter is reset weekly
 .br
- M - counter is reset monthly
+ \fBM\fR - counter is reset monthly
 .br
  reporttype/reportname may be used to generate traffic reports.
 Reporttype is one of D, W, M, H (hourly) and reportname specifies the filename
 template for reports. The report is a text file with counter values in
 the format:
 .br
- <COUNTERNUMBER> <TRAF>
+ \fI<COUNTERNUMBER>\fR \fI<TRAF>\fR
 .br
- The rest of parameters is identical to bandlim/nobandlim.
+ The rest of parameters is identical to \fBbandlim\fR/\fBnobandlim\fR.
 
 .br
-.B users
+.BR users
-username[:pwtype:password] ...
+\fIusername\fR[:\fIpwtype\fR:\fIpassword\fR] ...
 .br
  pwtype is one of:
 .br
  none (empty) - use system authentication
 .br
- CL - password is cleartext
+ \fBCL\fR - password is cleartext
 .br
- CR - password is crypt-style password
+ \fBCR\fR - password is crypt-style password
 .br
- NT - password is NT password (in hex)
+ \fBNT\fR - password is NT password (in hex)
-.br
- LM - password is LM password (in hex)
 .br
  example:
 .br
@@ -1044,48 +1075,48 @@ and
 .B socks
 
 .br
-.B system
+.BR system
-<command>
+\fI<command>\fR
 .br
  execute system command
 
 .br
-.B pidfile
+.BR pidfile
-<filename>
+\fI<filename>\fR
 .br
  write pid of current process to file. It can be used to manipulate
 3proxy with signals under Unix. Currently next signals are available:
 
 .br
-.B monitor
+.BR monitor
-<filename>
+\fI<filename>\fR
 .br
  If file monitored changes in modification time or size, 3proxy reloads
 configuration within one minute. Any number of files may be monitored.
 
 .br
-.B setuid
+.BR setuid
-<uid>
+\fI<uid>\fR
 .br
  calls setuid(uid), uid can be numeric or since 0.9 username. Unix only. Warning: under some Linux
 kernels setuid() works for current thread only. It makes it impossible to suid
 for all threads.
 
 .br
-.B setgid
+.BR setgid
-<gid>
+\fI<gid>\fR
 .br
  calls setgid(gid), gid can be numeric or since 0.9 groupname. Unix only.
 
 .br
-.B chroot
+.BR chroot
-<path> [<uid>] [<gid>]
+\fI<path>\fR [\fI<uid>\fR] [\fI<gid>\fR]
 .br
  calls chroot(path) and sets gid/uid. Unix only. uid/gid supported since 0.9, can be numeric or username/groupname
 
 .br
-.B stacksize
+.BR stacksize
-<value_to_add_to_default_stack_size>
+\fI<value_to_add_to_default_stack_size>\fR
 .br
  Change the default size for thread stacks. May be required in some situations,
 e.g. with non-default plugins, or on some platforms (some FreeBSD versions
@@ -1100,8 +1131,8 @@ memory shortage, you can try to experiment with negative values.
 .SH PLUGINS
 
 .br
-.B plugin
+.BR plugin
-<path_to_shared_library> <function_to_call> [<arg1> ...]
+\fI<path_to_shared_library>\fR \fI<function_to_call>\fR [\fI<arg1>\fR ...]
 .br
  Loads specified library and calls given export function with given arguments,
 as 
@@ -1111,8 +1142,8 @@ as
  function_to_call must return 0 in case of success, value > 0 to indicate error.
 
 .br
-.B filtermaxsize
+.BR filtermaxsize
-<max_size_of_data_to_filter>
+\fI<max_size_of_data_to_filter>\fR
 .br
  If Content-length (or another data length) is greater than the given value, no
 data filtering will be performed through filtering plugins to avoid data

man/3proxy_crypt.8

@@ -0,0 +1,81 @@
+.TH 3proxy_crypt "8" "April 2026" "3proxy 0.9" "Universal proxy server"
+.SH NAME
+.B 3proxy_crypt
+\- utility to generate encrypted passwords for 3proxy
+.SH SYNOPSIS
+.B 3proxy_crypt
+.I password
+.br
+.B 3proxy_crypt
+.I salt password
+.SH DESCRIPTION
+.B 3proxy_crypt
+is a utility to generate encrypted password hashes for use with 3proxy
+configuration. Encrypted passwords allow the system to avoid storing
+passwords in cleartext in configuration files.
+.PP
+When invoked with a single argument, it produces an NT password hash
+(MD4-based, suitable for NTLM authentication). The output is prefixed with
+.BR NT: .
+.PP
+When invoked with two arguments (salt and password), it produces a BLAKE2b
+password hash. The salt length is limited to 64 characters. The output is
+prefixed with
+.BR CR: .
+.PP
+The resulting hash can be used in the 3proxy configuration file with the
+.B users
+directive instead of a cleartext password.
+.SH OPTIONS
+.TP
+.I password
+Cleartext password to encrypt.
+.TP
+.I salt
+Salt string for BLAKE2b hashing (max 64 characters).
+.SH EXAMPLE
+.TP
+Generate NT password hash:
+.RS
+3proxy_crypt MySecretPassword
+.RE
+.TP
+Result:
+.RS
+NT:3F7E6D8D96E8E7A9B0C1D2E3F4A5B6C7
+.RE
+.TP
+Generate BLAKE2b password hash with salt:
+.RS
+3proxy_crypt MySalt MySecretPassword
+.RE
+.TP
+Result:
+.RS
+CR:$3$MySalt$...
+.RE
+.TP
+Using in 3proxy.cfg:
+.RS
+users user1:CR:$3$MySalt$...
+.RE
+.SH NOTES
+The NT hash uses the RSA MD4 Message-Digest Algorithm. The BLAKE2b hash
+uses the BLAKE2 cryptographic hash function.
+.PP
+When a password hash is prefixed with
+.B NT:
+or
+.BR CR: ,
+3proxy uses the corresponding algorithm to verify passwords instead of
+comparing cleartext strings.
+.SH BUGS
+Report all bugs to
+.BR 3proxy@3proxy.org
+.SH SEE ALSO
+3proxy(8), 3proxy.cfg(5),
+.br
+https://3proxy.org/
+.SH AUTHORS
+3proxy is designed by Vladimir 3APA3A Dubrovin
+.RI ( 3proxy@3proxy.org )

man/ftppr.8

@@ -36,6 +36,11 @@ with the routing table.
 .B -i
 Internal address. IP address the proxy accepts connections to.
 By default, connections to any interface are accepted. It\'s usually unsafe.
+Unix domain sockets can be specified with
+.I -iunix:/path/to/socket
+syntax (e.g., -iunix:/var/run/ftppr.sock). On Linux, abstract sockets use
+.I -iunix:@socketname
+syntax.
 .TP
 .B -h
 Default destination. It's used if the target address is not specified by the user.
@@ -68,7 +73,7 @@ and
 .IR port
 as the FTP server. The address of the real FTP server must be configured as a part of
 the FTP username. The format for the username is
-.IR username \fB@ server ,
+.IR username @ server ,
 where
 .I server
 is the address of the FTP server and

man/pop3p.8

@@ -36,6 +36,11 @@ with the routing table.
 .B -i
 Internal address. IP address the proxy accepts connections to.
 By default, connections to any interface are accepted. It\'s usually unsafe.
+Unix domain sockets can be specified with
+.I -iunix:/path/to/socket
+syntax (e.g., -iunix:/var/run/pop3p.sock). On Linux, abstract sockets use
+.I -iunix:@socketname
+syntax.
 .TP
 .B -p
 Port. Port proxy listens for incoming connections. Default is 110.
@@ -62,7 +67,7 @@ and
 .IR port
 as a POP3 server. The address of the real POP3 server must be configured as a part of
 the POP3 username. The format for the username is
-.IR username \fB@ server ,
+.IR username @ server ,
 where
 .I server
 is the address of the POP3 server and

man/proxy.8

@@ -34,6 +34,11 @@ with the routing table.
 .B -i
 Internal address. IP address the proxy accepts connections to.
 By default, connections to any interface are accepted. It\'s usually unsafe.
+Unix domain sockets can be specified with
+.I -iunix:/path/to/socket
+syntax (e.g., -iunix:/var/run/proxy.sock). On Linux, abstract sockets use
+.I -iunix:@socketname
+syntax.
 .TP
 .B -a
 Anonymous. Hide information about client.

man/smtpp.8

@@ -36,6 +36,11 @@ with the routing table.
 .B -i
 Internal address. IP address the proxy accepts connections to.
 By default, connections to any interface are accepted. It\'s usually unsafe.
+Unix domain sockets can be specified with
+.I -iunix:/path/to/socket
+syntax (e.g., -iunix:/var/run/smtpp.sock). On Linux, abstract sockets use
+.I -iunix:@socketname
+syntax.
 .TP
 .B -p
 Port. Port proxy listens for incoming connections. Default is 25.
@@ -63,7 +68,7 @@ and
 .IR port
 as an SMTP server. The address of the real SMTP server must be configured as a part of
 the SMTP username. The format for the username is
-.IR username \fB@ server ,
+.IR username @ server ,
 where
 .I server
 is the address of the SMTP server and

man/socks.8

@@ -49,6 +49,11 @@ of IP-IP NAT and does not work with port translation.
 .B -i
 Internal address. IP address the proxy accepts connections to.
 By default, connections to any interface are accepted. It\'s usually unsafe.
+Unix domain sockets can be specified with
+.I -iunix:/path/to/socket
+syntax (e.g., -iunix:/var/run/socks.sock). On Linux, abstract sockets use
+.I -iunix:@socketname
+syntax.
 .TP
 .B -p
 Port. Port proxy listens for incoming connections. Default is 1080.

man/tcppm.8

@@ -31,6 +31,11 @@ with the routing table.
 .B -i
 Internal address. IP address the proxy accepts connections to.
 By default, connections to any interface are accepted. It\'s usually unsafe.
+Unix domain sockets can be specified with
+.I -iunix:/path/to/socket
+syntax (e.g., -iunix:/var/run/tcppm.sock). On Linux, abstract sockets use
+.I -iunix:@socketname
+syntax.
 .TP
 .B -l
 Log. By default logging is to stdout. If
@@ -50,10 +55,18 @@ crashes.
 - port tcppm accepts connections on
 .TP
 .I remote_host
-- IP address of the host the connection is forwarded to
+- IP address of the host the connection is forwarded to. Unix domain sockets
+can be specified with the syntax
+.I unix:/path/to/socket
+(e.g., unix:/var/run/app.sock). On Linux, abstract (fileless) Unix sockets
+use the syntax
+.I unix:@socketname
+(e.g., unix:@app.socket).
 .TP
 .I remote_port
-- remote port the connection is forwarded to
+- remote port the connection is forwarded to. Ignored when using Unix socket
+destination, but must be specified (use any positive value) for syntax
+compatibility.
 .SH CLIENTS
 Any TCP-based application can be used as a client. Use
 .I internal_ip

man/tlspr.8

@@ -36,6 +36,11 @@ with the routing table.
 .B -i
 Internal address. IP address the proxy accepts connections to.
 By default, connections to any interface are accepted. It\'s usually unsafe.
+Unix domain sockets can be specified with
+.I -iunix:/path/to/socket
+syntax (e.g., -iunix:/var/run/tlspr.sock). On Linux, abstract sockets use
+.I -iunix:@socketname
+syntax.
 .TP
 .B -a
 Anonymous. Hide information about client.

scripts/add3proxyuser.sh

@@ -6,10 +6,10 @@ if [ $3 ]; then
 	echo countin \"`wc -l /etc/3proxy/conf/counters|awk '{print $1}'`/$1\" D $3 $1 >> /etc/3proxy/conf/counters
 fi
 if [ $2 ]; then  
-	echo $1:`/bin/mycrypt $$ $2` >> /etc/3proxy/conf/passwd
+	echo $1:`/bin/3proxy_crypt $$ $2` >> /etc/3proxy/conf/passwd
 else
 	echo usage: $0 username password [day_limit] [bandwidth]
 	echo "	"day_limit - traffic limit in MB per day
-	echo "	"bandwidth - bandwith in bits per second 1048576 = 1Mbps
+	echo "	"bandwidth - bandwidth in bits per second 1048576 = 1Mbps
 fi
 

scripts/rh/3proxy.spec

@@ -32,14 +32,15 @@ make clean
 
 %files
 /bin/3proxy
-/bin/ftppr
+/bin/3proxy_crypt
-/bin/mycrypt
+/bin/3proxy_ftppr
-/bin/pop3p
+/bin/3proxy_pop3p
-/bin/proxy
+/bin/3proxy_proxy
-/bin/socks
+/bin/3proxy_smtpp
-/bin/tcppm
+/bin/3proxy_socks
-/bin/udppm
+/bin/3proxy_tcppm
-/bin/tlspr
+/bin/3proxy_tlspr
+/bin/3proxy_udppm
 %config(noreplace) /etc/3proxy/3proxy.cfg
 /etc/3proxy/conf
 /etc/init.d/3proxy
@@ -49,7 +50,7 @@ make clean
 %config(noreplace) /usr/local/3proxy/conf/bandlimiters
 %config(noreplace) /usr/local/3proxy/conf/counters
 /usr/local/3proxy/libexec/*.ld.so
-/usr/share/man/man3/*
+/usr/share/man/man5/3proxy.cfg.5
 /usr/share/man/man8/*
 /var/log/3proxy
 

src/3proxy.c

@@ -1,5 +1,5 @@
 /*
-   3APA3A simpliest proxy server
+   3APA3A simplest proxy server
    (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
 
    please read License Agreement
@@ -66,9 +66,9 @@ void __stdcall CommandHandler( DWORD dwCommand )
 	Sleep(2000);
         SetStatus( SERVICE_STOPPED, 0, 0 );
 #ifndef NOODBC
-	pthread_mutex_lock(&log_mutex);
+	_3proxy_mutex_lock(&log_mutex);
 	close_sql();
-	pthread_mutex_unlock(&log_mutex);
+	_3proxy_mutex_unlock(&log_mutex);
 #endif
         break;
     case SERVICE_CONTROL_PAUSE:
@@ -118,13 +118,6 @@ void mysigpause (int sig){
 
 void mysigterm (int sig){
 	conf.paused++;
-	usleep(999*SLEEPTIME);
-	usleep(999*SLEEPTIME);
-#ifndef NOODBC
-	pthread_mutex_lock(&log_mutex);
-	close_sql();
-	pthread_mutex_unlock(&log_mutex);
-#endif
 	conf.timetoexit = 1;
 }
 
@@ -141,8 +134,10 @@ int timechanged (time_t oldtime, time_t newtime, ROTATION lt){
 	struct tm tmold;
 	struct tm *tm;
 	tm = localtime(&oldtime);
+	if(!tm) return 0;
 	tmold = *tm;
 	tm = localtime(&newtime);
+	if(!tm) return 0;
 	switch(lt){
 		case MINUTELY:
 			if(tm->tm_min != tmold.tm_min)return 1;
@@ -214,18 +209,18 @@ void dumpcounters(struct trafcount *tlin, int counterd){
 
 
 	cheader.updated = conf.time;
-	lseek(counterd, 0, SEEK_SET);
+	if(lseek(counterd, 0, SEEK_SET) >= 0 && write(counterd, &cheader, sizeof(struct counter_header))){}
-	if(write(counterd, &cheader, sizeof(struct counter_header))){}
 	for(tl=tlin; tl; tl = tl->next){
 		if(tl->number){
-			lseek(counterd, 
+			if(lseek(counterd, 
 				sizeof(struct counter_header) + (tl->number - 1) * sizeof(struct counter_record),
-				SEEK_SET);
+				SEEK_SET) >= 0){
 			    crecord.traf64 = tl->traf64;
 			    crecord.cleared = tl->cleared;
 			    crecord.updated = tl->updated;
 			    if(write(counterd, &crecord, sizeof(struct counter_record))){}
 			}
+		}
 		if(tl->type!=NEVER && timechanged(tl->cleared, conf.time, tl->type)){
 			tl->cleared = conf.time;
 			tl->traf64 = 0;
@@ -267,10 +262,12 @@ void cyclestep(void){
 	}
 	if(timechanged(basetime, conf.time, DAILY)) {
 		tm = localtime(&conf.time);
+		if(tm){
 			wday = (1 << tm->tm_wday);
 			tm->tm_hour = tm->tm_min = tm->tm_sec = 0;
 			basetime = mktime(tm);
 		}
+	}
 	if(conf.logname) {
 		if(timechanged(conf.logtime, conf.time, conf.logtype)) {
 			if(conf.stdlog) conf.stdlog = freopen((char *)dologname (tmpbuf, conf.logname, NULL, conf.logtype, conf.time), "a", conf.stdlog);
@@ -508,31 +505,30 @@ int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int
 	return 1;
   }
 
-  pthread_mutex_init(&config_mutex, NULL);
+  _3proxy_mutex_init(&config_mutex);
-  pthread_mutex_init(&bandlim_mutex, NULL);
+  _3proxy_mutex_init(&bandlim_mutex);
-  pthread_mutex_init(&connlim_mutex, NULL);
+  _3proxy_mutex_init(&connlim_mutex);
-  pthread_mutex_init(&hash_mutex, NULL);
+  _3proxy_mutex_init(&tc_mutex);
-  pthread_mutex_init(&tc_mutex, NULL);
+  _3proxy_mutex_init(&log_mutex);
-  pthread_mutex_init(&pwl_mutex, NULL);
-  pthread_mutex_init(&log_mutex, NULL);
 #ifndef NORADIUS
-  pthread_mutex_init(&rad_mutex, NULL);
+  _3proxy_mutex_init(&rad_mutex);
 #endif
 #ifdef _WIN32
-  if(!CreatePipe(&conf.threadinit[0], &conf.threadinit[1], NULL, 1)){
+  conf.threadinit = CreateSemaphore(NULL, 0, 1, NULL);
-#else
+  if(!conf.threadinit){
-  if(pipe(conf.threadinit)) {
+    fprintf(stderr, "semaphore init failed\n");
-#endif
-    fprintf(stderr, "CreatePipe failed\n");
     return 1;
-  };
+  }
+#else
+  _3proxy_mutex_init(&conf.threadinit);
+#endif
 
   freeconf(&conf);
   res = readconfig(fp);
   conf.version++;
 
   if(res) RETURN(res);
-  if(!writable)fclose(fp);
+  if(!writable){fclose(fp); fp = NULL;}
 
 #ifdef _WIN32
   
@@ -563,6 +559,7 @@ int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int
 
 CLEARRETURN:
 
+ if(fp && fp != stdin) {fclose(fp); fp = NULL;}
  return 0;
 
 }

src/3proxy_crypt.c

@@ -1,12 +1,15 @@
 /*
-   3APA3A simpliest proxy server
+   3APA3A simplest proxy server
    (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
 
    please read License Agreement
 
 */
+#ifndef WITHMAIN
 #include "libs/md5.h"
+#endif
 #include "libs/md4.h"
+#include "libs/blake2.h"
 #include <string.h>
 
 #define MD5_SIZE 16
@@ -64,20 +67,21 @@ unsigned char * ntpwdhash (unsigned char *szHash, const unsigned char *szPasswor
 unsigned char * mycrypt(const unsigned char *pw, const unsigned char *salt, unsigned char *passwd){
 
  const unsigned char *ep;
- if(salt[0] == '$' && salt[1] == '1' && salt[2] == '$' && (ep = (unsigned char *)strchr((char *)salt+3, '$'))) {
+ unsigned char	*magic;
-	static unsigned char	*magic = (unsigned char *)"$1$";	
  unsigned char  *p;
  const unsigned char *sp;
  unsigned char	final[MD5_SIZE];
-	int sl,pl,i;
+ int sl;
-	MD5_CTX	ctx,ctx1;
  unsigned long l;
 
-	/* Refine the Salt first */
+#ifndef WITHMAIN
-	sp = salt +3;
+ if(salt[0] == '$' && salt[1] == '1' && salt[2] == '$' && (ep = (unsigned char *)strchr((char *)salt+3, '$'))) {
+	MD5_CTX	ctx,ctx1;
+	int pl, i;
 
-	/* get the length of the true salt */
+	sp = salt +3;
 	sl = (int)(ep - sp);
+	magic = (unsigned char *)"$1$";
 
 	MD5Init(&ctx);
 
@@ -109,10 +113,6 @@ unsigned char * mycrypt(const unsigned char *pw, const unsigned char *salt, unsi
 		else
 		    MD5Update(&ctx, pw, 1);
 
-	/* Now make the output string */
-	strcpy((char *)passwd,(char *)magic);
-	strncat((char *)passwd,(char *)sp,sl);
-	strcat((char *)passwd,"$");
 
 	MD5Final(final,&ctx);
 
@@ -141,6 +141,26 @@ unsigned char * mycrypt(const unsigned char *pw, const unsigned char *salt, unsi
 		MD5Final(final,&ctx1);
 	}
 
+
+	/* Don't leave anything around in vm they could use. */
+	memset(final,0,sizeof final);
+ }
+ else
+#endif
+  if(salt[0] == '$' && salt[1] == '3' && salt[2] == '$' && (ep = (unsigned char *)strchr((char *)salt+3, '$'))) {
+    sp = salt +3;
+    sl = (int)(ep - sp);
+    magic = (unsigned char *)"$3$";
+    blake2b(final, MD5_SIZE, pw, strlen((char *)pw), sp, sl);
+ }
+ else {
+	*passwd = 0;
+	return passwd;
+ }
+
+ strcpy((char *)passwd,(char *)magic);
+ strncat((char *)passwd,(char *)sp,sl);
+ strcat((char *)passwd,"$");
  p = passwd + strlen((char *)passwd);
 
  l = (final[ 0]<<16) | (final[ 6]<<8) | final[12];
@@ -156,13 +176,6 @@ unsigned char * mycrypt(const unsigned char *pw, const unsigned char *salt, unsi
  l =                    final[11]                ;
  _crypt_to64(p,l,2); p += 2;
  *p = '\0';
-
-	/* Don't leave anything around in vm they could use. */
-	memset(final,0,sizeof final);
- }
- else {
-	*passwd = 0;
- }
  return passwd;
 }
 
@@ -176,7 +189,7 @@ int main(int argc, char* argv[]){
 		fprintf(stderr, "usage: \n"
 			"\t%s <password>\n"
 			"\t%s <salt> <password>\n"
-			"Performs NT crypt if no salt specified, MD5 crypt with salt\n"
+			"Performs NT crypt if no salt specified, BLAKE2 crypt with salt\n"
 			"This software uses:\n"
 			"  RSA Data Security, Inc. MD4 Message-Digest Algorithm\n"
 			"  RSA Data Security, Inc. MD5 Message-Digest Algorithm\n",
@@ -190,7 +203,7 @@ int main(int argc, char* argv[]){
 	else {
 		i = (int)strlen((char *)argv[1]);
 		if (i > 64) argv[1][64] = 0;
-		sprintf((char *)buf, "$1$%s$", argv[1]);
+		sprintf((char *)buf, "$3$%s$", argv[1]);
 		printf("CR:%s\n", mycrypt((unsigned char *)argv[2], buf, buf+256));
 	}
 	return 0;

src/Makefile.inc

@@ -2,8 +2,7 @@
 # 3 proxy common Makefile
 #
 
-all:	$(BUILDDIR)3proxy$(EXESUFFICS) $(BUILDDIR)mycrypt$(EXESUFFICS) $(BUILDDIR)pop3p$(EXESUFFICS) $(BUILDDIR)smtpp$(EXESUFFICS) $(BUILDDIR)ftppr$(EXESUFFICS) $(BUILDDIR)tcppm$(EXESUFFICS) $(BUILDDIR)tlspr$(EXESUFFICS) $(BUILDDIR)udppm$(EXESUFFICS) $(BUILDDIR)socks$(EXESUFFICS) $(BUILDDIR)proxy$(EXESUFFICS) allplugins
+all:	$(BUILDDIR)3proxy$(EXESUFFICS) $(BUILDDIR)$(CRYPT_PREFIX)crypt$(EXESUFFICS) $(BUILDDIR)$(PREFIX)pop3p$(EXESUFFICS) $(BUILDDIR)$(PREFIX)smtpp$(EXESUFFICS) $(BUILDDIR)$(PREFIX)ftppr$(EXESUFFICS) $(BUILDDIR)$(PREFIX)tcppm$(EXESUFFICS) $(BUILDDIR)$(PREFIX)udppm$(EXESUFFICS) $(BUILDDIR)$(PREFIX)tlspr$(EXESUFFICS) $(BUILDDIR)$(PREFIX)socks$(EXESUFFICS) $(BUILDDIR)$(PREFIX)proxy$(EXESUFFICS) allplugins
-
 
 sockmap$(OBJSUFFICS): sockmap.c proxy.h structures.h
 	$(CC) $(CFLAGS) sockmap.c
@@ -27,62 +26,60 @@ sockgetchar$(OBJSUFFICS): sockgetchar.c proxy.h structures.h
 	$(CC) $(CFLAGS) sockgetchar.c
 
 proxy$(OBJSUFFICS): proxy.c proxy.h structures.h proxymain.c
-	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)ANONYMOUS proxy.c
+	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)ANONYMOUS $(DEFINEOPTION)NOUDPMAIN proxy.c
 
 pop3p$(OBJSUFFICS): pop3p.c proxy.h structures.h proxymain.c
-	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP pop3p.c
+	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)NOUDPMAIN pop3p.c
 
 smtpp$(OBJSUFFICS): smtpp.c proxy.h structures.h proxymain.c
-	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP smtpp.c
+	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)NOUDPMAIN smtpp.c
 
 ftppr$(OBJSUFFICS): ftppr.c proxy.h structures.h proxymain.c
-	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP ftppr.c
+	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)NOUDPMAIN ftppr.c
 
 tcppm$(OBJSUFFICS): tcppm.c proxy.h structures.h proxymain.c
-	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP tcppm.c
+	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP $(DEFINEOPTION)NOUDPMAIN tcppm.c
-
-tlspr$(OBJSUFFICS): tlspr.c proxy.h structures.h proxymain.c
-	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP tlspr.c
-
-
-socks$(OBJSUFFICS): socks.c proxy.h structures.h proxymain.c
-	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP socks.c
 
 udppm$(OBJSUFFICS): udppm.c proxy.h structures.h proxymain.c
 	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP udppm.c
 
+tlspr$(OBJSUFFICS): tlspr.c proxy.h structures.h proxymain.c
+	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP $(DEFINEOPTION)NOUDPMAIN tlspr.c
+
+
+socks$(OBJSUFFICS): socks.c proxy.h structures.h proxymain.c
+	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)NOUDPMAIN socks.c
+
 3proxy$(OBJSUFFICS): 3proxy.c proxy.h structures.h
 	$(CC) $(CFLAGS) 3proxy.c
 
-$(BUILDDIR)proxy$(EXESUFFICS): sockmap$(OBJSUFFICS) proxy$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS)
+$(BUILDDIR)$(PREFIX)proxy$(EXESUFFICS): sockmap$(OBJSUFFICS) proxy$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS)
-	$(LN) $(LNOUT)$(BUILDDIR)proxy$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) proxy$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)proxy$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) proxy$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
 
-$(BUILDDIR)pop3p$(EXESUFFICS): sockmap$(OBJSUFFICS) pop3p$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) $(COMPATLIBS)
+$(BUILDDIR)$(PREFIX)pop3p$(EXESUFFICS): sockmap$(OBJSUFFICS) pop3p$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) $(COMPATLIBS)
-	$(LN) $(LNOUT)$(BUILDDIR)pop3p$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) pop3p$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)pop3p$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) pop3p$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
 
-$(BUILDDIR)smtpp$(EXESUFFICS): sockmap$(OBJSUFFICS) smtpp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) base64$(OBJSUFFICS) $(COMPATLIBS)
+$(BUILDDIR)$(PREFIX)smtpp$(EXESUFFICS): sockmap$(OBJSUFFICS) smtpp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) base64$(OBJSUFFICS) $(COMPATLIBS)
-	$(LN) $(LNOUT)$(BUILDDIR)smtpp$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) smtpp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) base64$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)smtpp$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) smtpp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) base64$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
 
-$(BUILDDIR)ftppr$(EXESUFFICS): sockmap$(OBJSUFFICS) ftppr$(OBJSUFFICS) ftp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) $(COMPATLIBS)
+$(BUILDDIR)$(PREFIX)ftppr$(EXESUFFICS): sockmap$(OBJSUFFICS) ftppr$(OBJSUFFICS) ftp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) $(COMPATLIBS)
-	$(LN) $(LNOUT)$(BUILDDIR)ftppr$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) ftppr$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)ftppr$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) ftppr$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
 
-$(BUILDDIR)socks$(EXESUFFICS): sockmap$(OBJSUFFICS) socks$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
+$(BUILDDIR)$(PREFIX)socks$(EXESUFFICS): sockmap$(OBJSUFFICS) socks$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
-	$(LN) $(LNOUT)$(BUILDDIR)socks$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) socks$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)socks$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) socks$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
 
-$(BUILDDIR)tcppm$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tcppm$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
+$(BUILDDIR)$(PREFIX)tcppm$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tcppm$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
-	$(LN) $(LNOUT)$(BUILDDIR)tcppm$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tcppm$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)tcppm$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tcppm$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
 
-$(BUILDDIR)tlspr$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tlspr$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
+$(BUILDDIR)$(PREFIX)udppm$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) hash$(OBJSUFFICS)
-	$(LN) $(LNOUT)$(BUILDDIR)tlspr$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tlspr$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)udppm$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) hash$(OBJSUFFICS) $(LIBS)
 
-$(BUILDDIR)udppm$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
+$(BUILDDIR)$(PREFIX)tlspr$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tlspr$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
-	$(LN) $(LNOUT)$(BUILDDIR)udppm$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)tlspr$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tlspr$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
 
 mainfunc$(OBJSUFFICS): proxy.h structures.h proxymain.c
 	$(CC) $(COUT)mainfunc$(OBJSUFFICS) $(CFLAGS) $(DEFINEOPTION)MODULEMAINFUNC=mainfunc proxymain.c
 
-
-
 srvproxy$(OBJSUFFICS): proxy.c proxy.h structures.h
 	$(CC) $(COUT)srvproxy$(OBJSUFFICS) $(CFLAGS) proxy.c
 
@@ -119,6 +116,24 @@ srvdnspr$(OBJSUFFICS): dnspr.c proxy.h structures.h
 auth$(OBJSUFFICS): auth.c proxy.h structures.h
 	$(CC) $(COUT)auth$(OBJSUFFICS) $(CFLAGS) auth.c
 
+acl$(OBJSUFFICS): acl.c proxy.h structures.h
+	$(CC) $(COUT)acl$(OBJSUFFICS) $(CFLAGS) acl.c
+
+limiter$(OBJSUFFICS): limiter.c proxy.h structures.h
+	$(CC) $(COUT)limiter$(OBJSUFFICS) $(CFLAGS) limiter.c
+
+redirect$(OBJSUFFICS): redirect.c proxy.h structures.h
+	$(CC) $(COUT)redirect$(OBJSUFFICS) $(CFLAGS) redirect.c
+
+hash$(OBJSUFFICS): hash.c proxy.h structures.h
+	$(CC) $(COUT)hash$(OBJSUFFICS) $(CFLAGS) hash.c
+
+hashtables$(OBJSUFFICS): hashtables.c proxy.h structures.h
+	$(CC) $(COUT)hashtables$(OBJSUFFICS) $(CFLAGS) hashtables.c
+
+resolve$(OBJSUFFICS): resolve.c proxy.h structures.h
+	$(CC) $(COUT)resolve$(OBJSUFFICS) $(CFLAGS) resolve.c
+
 authradius$(OBJSUFFICS): authradius.c proxy.h structures.h
 	$(CC) $(COUT)authradius$(OBJSUFFICS) $(CFLAGS) authradius.c
 
@@ -131,15 +146,11 @@ log$(OBJSUFFICS): log.c proxy.h structures.h
 datatypes$(OBJSUFFICS): datatypes.c proxy.h structures.h
 	$(CC) $(COUT)datatypes$(OBJSUFFICS) $(CFLAGS) datatypes.c
 
-mycrypt$(OBJSUFFICS): mycrypt.c
+3proxy_crypt$(OBJSUFFICS): 3proxy_crypt.c
-	$(CC) $(COUT)mycrypt$(OBJSUFFICS) $(CFLAGS) mycrypt.c
+	$(CC) $(COUT)3proxy_crypt$(OBJSUFFICS) $(CFLAGS) 3proxy_crypt.c
-
-mycryptmain$(OBJSUFFICS): mycrypt.c
-	$(CC) $(COUT)mycryptmain$(OBJSUFFICS) $(CFLAGS) $(DEFINEOPTION)WITHMAIN mycrypt.c
-
-$(BUILDDIR)mycrypt$(EXESUFFICS): md4$(OBJSUFFICS) md5$(OBJSUFFICS) mycryptmain$(OBJSUFFICS) base64$(OBJSUFFICS)
-	$(LN) $(LNOUT)$(BUILDDIR)mycrypt$(EXESUFFICS) $(LDFLAGS) md4$(OBJSUFFICS) md5$(OBJSUFFICS) base64$(OBJSUFFICS) mycryptmain$(OBJSUFFICS)
 
+3proxy_cryptmain$(OBJSUFFICS): 3proxy_crypt.c
+	$(CC) $(COUT)3proxy_cryptmain$(OBJSUFFICS) $(CFLAGS) $(DEFINEOPTION)WITHMAIN 3proxy_crypt.c
 
 md4$(OBJSUFFICS):  libs/md4.h libs/md4.c
 	$(CC) $(COUT)md4$(OBJSUFFICS) $(CFLAGS) libs/md4.c
@@ -147,9 +158,15 @@ md4$(OBJSUFFICS):  libs/md4.h libs/md4.c
 md5$(OBJSUFFICS):  libs/md5.h libs/md5.c
 	$(CC) $(COUT)md5$(OBJSUFFICS) $(CFLAGS) libs/md5.c
 
+blake2$(OBJSUFFICS):  libs/blake2.h libs/blake2-impl.h libs/blake2b-ref.c
+	$(CC) $(COUT)blake2$(OBJSUFFICS) $(CFLAGS) libs/blake2b-ref.c
+
+$(BUILDDIR)$(CRYPT_PREFIX)crypt$(EXESUFFICS): md4$(OBJSUFFICS) blake2$(OBJSUFFICS) 3proxy_cryptmain$(OBJSUFFICS) base64$(OBJSUFFICS)
+	$(LN) $(LNOUT)$(BUILDDIR)$(CRYPT_PREFIX)crypt$(EXESUFFICS) $(LDFLAGS) md4$(OBJSUFFICS) blake2$(OBJSUFFICS) base64$(OBJSUFFICS) 3proxy_cryptmain$(OBJSUFFICS)
+
 stringtable$(OBJSUFFICS):  stringtable.c
 	$(CC) $(COUT)stringtable$(OBJSUFFICS) $(CFLAGS) stringtable.c
 
-$(BUILDDIR)3proxy$(EXESUFFICS): 3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) auth$(OBJSUFFICS) authradius$(OBJSUFFICS) conf$(OBJSUFFICS) log$(OBJSUFFICS) datatypes$(OBJSUFFICS) md4$(OBJSUFFICS) md5$(OBJSUFFICS) mycrypt$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(VERSIONDEP)
+$(BUILDDIR)3proxy$(EXESUFFICS): 3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) auth$(OBJSUFFICS) acl$(OBJSUFFICS) limiter$(OBJSUFFICS) redirect$(OBJSUFFICS) authradius$(OBJSUFFICS) hash$(OBJSUFFICS) hashtables$(OBJSUFFICS) resolve$(OBJSUFFICS) sql$(OBJSUFFICS) conf$(OBJSUFFICS) log$(OBJSUFFICS) datatypes$(OBJSUFFICS) md4$(OBJSUFFICS) md5$(OBJSUFFICS) blake2$(OBJSUFFICS) 3proxy_crypt$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(VERSIONDEP)
-	$(LN) $(LNOUT)$(BUILDDIR)3proxy$(EXESUFFICS) $(LDFLAGS) $(VERFILE)  3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) auth$(OBJSUFFICS) authradius$(OBJSUFFICS) conf$(OBJSUFFICS) datatypes$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) mycrypt$(OBJSUFFICS) md5$(OBJSUFFICS) md4$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)3proxy$(EXESUFFICS) $(LDFLAGS) $(VERFILE)  3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) auth$(OBJSUFFICS) acl$(OBJSUFFICS) limiter$(OBJSUFFICS) redirect$(OBJSUFFICS) authradius$(OBJSUFFICS) hash$(OBJSUFFICS) hashtables$(OBJSUFFICS) resolve$(OBJSUFFICS) sql$(OBJSUFFICS) conf$(OBJSUFFICS) datatypes$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) 3proxy_crypt$(OBJSUFFICS) md5$(OBJSUFFICS) blake2$(OBJSUFFICS) md4$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
 

src/acl.c

@@ -0,0 +1,168 @@
+/*
+   3APA3A simplest proxy server
+   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
+
+   please read License Agreement
+
+*/
+
+#include "proxy.h"
+
+int IPInentry(struct sockaddr *sa, struct iplist *ipentry){
+	int addrlen;
+	unsigned char *ip, *ipf, *ipt;
+
+
+	if(!sa || ! ipentry || *SAFAMILY(sa) != ipentry->family) return 0;
+
+	ip = (unsigned char *)SAADDR(sa);
+	ipf = (unsigned char *)&ipentry->ip_from;
+	ipt = (unsigned char *)&ipentry->ip_to;
+
+
+	addrlen = SAADDRLEN(sa);
+
+	if(memcmp(ip,ipf,addrlen) < 0 || memcmp(ip,ipt,addrlen) > 0) return 0;
+	return 1;
+
+}
+
+int ACLmatches(struct ace* acentry, struct clientparam * param){
+	struct userlist * userentry;
+	struct iplist *ipentry;
+	struct portlist *portentry;
+	struct period *periodentry;
+	unsigned char * username;
+	struct hostname * hstentry=NULL;
+	int i;
+	int match = 0;
+
+	username = param->username?param->username:(unsigned char *)"-";
+	if(acentry->src) {
+	 for(ipentry = acentry->src; ipentry; ipentry = ipentry->next)
+		if(IPInentry((struct sockaddr *)&param->sincr, ipentry)) {
+			break;
+		}
+	 if(!ipentry) return 0;
+	}
+	if((acentry->dst && (!SAISNULL(&param->req) || param->operation == UDPASSOC || param->operation==BIND)) || (acentry->dstnames && param->hostname)) {
+	 for(ipentry = acentry->dst; ipentry; ipentry = ipentry->next)
+		if(IPInentry((struct sockaddr *)&param->req, ipentry)) {
+			break;
+		}
+	 if(!ipentry) {
+		 if(acentry->dstnames && param->hostname){
+			for(i=0; param->hostname[i]; i++){
+				param->hostname[i] = tolower(param->hostname[i]);
+			}
+			while(i > 5 && param->hostname[i-1] == '.') param->hostname[i-1] = 0;
+			for(hstentry = acentry->dstnames; hstentry; hstentry = hstentry->next){
+				int lname, lhost;
+				switch(hstentry->matchtype){
+					case 0:
+#ifndef _WIN32
+					if(strcasestr((char *)param->hostname, (char *)hstentry->name)) match = 1;
+#else
+					if(strstr((char *)param->hostname, (char *)hstentry->name)) match = 1;
+#endif
+					break;
+
+					case 1:
+					if(!strncasecmp((char *)param->hostname, (char *)hstentry->name, strlen((char *)hstentry->name)))
+						match = 1;
+					break;
+
+					case 2:
+					lname = strlen((char *)hstentry->name);
+					lhost = strlen((char *)param->hostname);
+					if(lhost > lname){
+						if(!strncasecmp((char *)param->hostname + (lhost - lname),
+							(char *)hstentry->name,
+							lname))
+								match = 1;
+					}
+					break;
+
+					default:
+					if(!strcasecmp((char *)param->hostname, (char *)hstentry->name)) match = 1;
+					break;
+        			}
+				if(match) break;
+			}
+		 }
+	 }
+	 if(!ipentry && !hstentry) return 0;
+	}
+	if(acentry->ports && (*SAPORT(&param->req) || param->operation == UDPASSOC || param->operation == BIND)) {
+	 for (portentry = acentry->ports; portentry; portentry = portentry->next)
+		if(ntohs(*SAPORT(&param->req)) >= portentry->startport &&
+			   ntohs(*SAPORT(&param->req)) <= portentry->endport) {
+			break;
+		}
+		if(!portentry) return 0;
+	}
+	if(acentry->wdays){
+		if(!(acentry -> wdays & wday)) return 0;
+	}
+	if(acentry->periods){
+	 int start_time = (int)(param->time_start - basetime);
+	 for(periodentry = acentry->periods; periodentry; periodentry = periodentry -> next)
+		if(start_time >= periodentry->fromtime && start_time < periodentry->totime){
+			break;
+		}
+		if(!periodentry) return 0;
+	}
+	if(acentry->users){
+	 for(userentry = acentry->users; userentry; userentry = userentry->next)
+		if(!strcmp((char *)username, (char *)userentry->user)){
+			break;
+		}
+	 if(!userentry) return 0;
+	}
+	if(acentry->operation) {
+		if((acentry->operation & param->operation) != param->operation){
+				 return 0;
+		}
+	}
+	if(acentry->weight && (acentry->weight < param->weight)) return 0;
+	return 1;
+}
+
+
+int checkACL(struct clientparam * param){
+	struct ace* acentry;
+
+	if(!param->srv->acl) {
+		return 0;
+	}
+	for(acentry = param->srv->acl; acentry; acentry = acentry->next) {
+		if(ACLmatches(acentry, param)) {
+			param->nolog = acentry->nolog;
+			param->weight = acentry->weight;
+			if(acentry->action == 2) {
+				struct ace dup;
+				int res=60,i=0;
+
+				if(param->operation < 256 && !(param->operation & CONNECT)){
+					continue;
+				}
+				if(param->redirected && acentry->chains && SAISNULL(&acentry->chains->addr) && !*SAPORT(&acentry->chains->addr)) {
+					continue;
+				}
+				if(param->remsock != INVALID_SOCKET) {
+					return 0;
+				}
+				for(; i < conf.parentretries; i++){
+					dup = *acentry;
+					res = handleredirect(param, &dup);
+					if(!res) break;
+					if(param->remsock != INVALID_SOCKET) param->srv->so._closesocket(param->sostate, param->remsock);
+					param->remsock = INVALID_SOCKET;
+				}
+				return res;
+			}
+			return acentry->action;
+		}
+	}
+	return 3;
+}

src/authradius.c

@@ -1,5 +1,5 @@
 /*
-   3APA3A simpliest proxy server
+   3APA3A simplest proxy server
    (c) 2000-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
 
    please read License Agreement
@@ -166,7 +166,7 @@ static int ntry = 0;
 int nradservers = 0;
 char radiussecret[64]="";
 
-pthread_mutex_t rad_mutex;
+_3proxy_mutex_t rad_mutex;
 
 void md5_calc(unsigned char *output, unsigned char *input,
 		     unsigned int inputlen);
@@ -306,11 +306,7 @@ int radsend(struct clientparam * param, int auth, int stop){
 	int total_length;
 	int len;
 	int op;
-#ifdef NOIPV6
+	PROXYSOCKADDRTYPE     saremote;
-	struct  sockaddr_in     saremote;
-#else
-	struct  sockaddr_in6     saremote;
-#endif
 	struct pollfd fds[1];
 	char vector[AUTH_VECTOR_LEN];
 	radius_packet_t packet, rpacket;
@@ -331,11 +327,11 @@ int radsend(struct clientparam * param, int auth, int stop){
 	memset(&packet, 0, sizeof(packet));
 
 
-	pthread_mutex_lock(&rad_mutex);
+	_3proxy_mutex_lock(&rad_mutex);
 	if(auth)random_vector(packet.vector, param);
 
 	id = ((ntry++) & 0xff);
-	pthread_mutex_unlock(&rad_mutex);
+	_3proxy_mutex_unlock(&rad_mutex);
 
 	packet.code = auth?PW_AUTHENTICATION_REQUEST:PW_ACCOUNTING_REQUEST;
 	packet.id=id;

src/auto.c

@@ -1,5 +1,5 @@
 /*
-   3APA3A simpliest proxy server
+   3APA3A simplest proxy server
    (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
 
    please read License Agreement

src/common.c

@@ -1,5 +1,5 @@
 /*
-   3APA3A simpliest proxy server
+   3APA3A simplest proxy server
    (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
 
    please read License Agreement
@@ -22,10 +22,15 @@ int randomizer = 1;
 
 
  void daemonize(void){
-	if(fork() > 0) {
+	pid_t pid = fork();
+	if(pid > 0) {
 		usleep(SLEEPTIME);
 		_exit(0); 
 	}
+	if(pid < 0) {
+		perror("fork()");
+		return;
+	}
 	setsid();
  }
 
@@ -33,36 +38,38 @@ int randomizer = 1;
 
 unsigned char **stringtable = NULL;
 
-#ifdef WITH_LINUX_FUTEX
+#ifdef WITH_UN
-int sys_futex(void *addr1, int op, int val1, struct timespec *timeout, void *addr2, int val3)
+void make_un(const unsigned char *path, struct sockaddr_un * sun){
-{
+        memset(sun, 0, sizeof(*sun));
-	return syscall(SYS_futex, addr1, op, val1, timeout, addr2, val3);
+        sun->sun_family = AF_UNIX;
-}
+        strncpy(sun->sun_path, (char *)path, sizeof(sun->sun_path) - 1);
-int mutex_lock(int *val)
+        if(*path == '@')*sun->sun_path = 0;
-{
-	int c;
-	if ((c = __sync_val_compare_and_swap(val, 0, 1)) != 0)
-		do {
-			if(c == 2 || __sync_val_compare_and_swap(val, 1, 2) != 0)
-				sys_futex(val, FUTEX_WAIT_PRIVATE, 2, NULL, NULL, 0);
-		} while ((c = __sync_val_compare_and_swap(val, 0, 2)) != 0);
-	
-	return 0;
-}
-
-int mutex_unlock(int *val)
-{
-	if(__sync_fetch_and_sub (val, 1) != 1){
-		*val = 0;
-		sys_futex(val, FUTEX_WAKE_PRIVATE, 1, NULL, NULL, 0);
-	}
-	
-	
-	return 0;
 }
 #endif
 
+
 int myinet_ntop(int af, void *src, char *dst, socklen_t size){
+#ifdef WITH_UN
+ if(af == AF_UNIX){
+	struct sockaddr_un *sun = (struct sockaddr_un *)src;
+	int ephemeral = 0;
+	char *path = sun->sun_path;
+	char *basename;
+	if(!path[0] && path[1]){
+	    ephemeral = 1;
+	    *dst++ = '@';
+	    path++;
+	}
+	basename  = strrchr(path, '/');
+	if(basename) basename++;
+	else basename = path;
+	if(size > 0){
+		strncpy(dst, basename, (size > 40) ? 40 : size - (ephemeral + 1));
+		dst[((size > 40) ? 40 : size - (ephemeral + 1))] = 0;
+	}
+	return (int)strlen(dst);
+ }
+#endif
 #ifndef NOIPV6
  if(af != AF_INET6){
 #endif
@@ -108,7 +115,11 @@ int timeouts[12] = {
 };
 
 struct extparam conf = {
-	.threadinit = {0, 0},
+#ifdef _WIN32
+	.threadinit = NULL,
+#else
+	.threadinit = 0,
+#endif
 	.timeouts = timeouts,
 	.acl = NULL,
 	.conffile = NULL,
@@ -213,6 +224,7 @@ int
 	FD_ZERO(&writefd);
 	FD_ZERO(&oobfd);
 	for(i=0; i<nfds; i++){
+		if(fds[i].fd >= FD_SETSIZE) continue;
 		if((fds[i].events&POLLIN))FD_SET(fds[i].fd, &readfd);
 		if((fds[i].events&POLLOUT))FD_SET(fds[i].fd, &writefd);
 		if((fds[i].events&POLLPRI))FD_SET(fds[i].fd, &oobfd);
@@ -221,6 +233,7 @@ int
 	}
 	if((num = select(((int)(maxfd))+1, &readfd, &writefd, &oobfd, &tv)) < 1) return num;
 	for(i=0; i<nfds; i++){
+		if(fds[i].fd >= FD_SETSIZE) continue;
 		if(FD_ISSET(fds[i].fd, &readfd)) fds[i].revents |= POLLIN;
 		if(FD_ISSET(fds[i].fd, &writefd)) fds[i].revents |= POLLOUT;
 		if(FD_ISSET(fds[i].fd, &oobfd)) fds[i].revents |= POLLPRI;
@@ -524,14 +537,14 @@ int connectwithpoll(struct clientparam *param, SOCKET sock, struct sockaddr *sa,
 		fcntl(sock,F_SETFL, O_NONBLOCK | fcntl(sock,F_GETFL));
 #endif
 		if(param?param->srv->so._connect(param->sostate, sock,sa,size) : so._connect(so.state, sock,sa,size)) {
-			if(errno != EAGAIN && errno != EINPROGRESS) return (13);
+			if(errno != EAGAIN && errno != EINPROGRESS) return 13;
 		}
 		if(!errno) return 0;
 	        memset(fds, 0, sizeof(fds));
 	        fds[0].fd = sock;
 	        fds[0].events = POLLOUT;
 		if((param?param->srv->so._poll(param->sostate, fds, 1, to*1000):so._poll(so.state, fds, 1, to*1000)) <= 0 || !(fds[0].revents & POLLOUT) || (fds[0].revents & (POLLERR|POLLHUP))) {
-			return (13);
+			return 13;
 		}
 		return 0;
 }
@@ -561,8 +574,17 @@ int doconnect(struct clientparam * param){
 		memcpy(SAADDR(&param->sinsr), SAADDR(&param->req), SAADDRLEN(&param->req)); 
 	}
 	if(!*SAPORT(&param->sinsr))*SAPORT(&param->sinsr) = *SAPORT(&param->req);
-	if ((param->remsock=param->srv->so._socket(param->sostate, SASOCK(&param->sinsr), SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {return (11);}
+	if ((param->remsock=param->srv->so._socket(param->sostate, SASOCK(&param->sinsr), SOCK_STREAM, 
+#ifdef WITH_UN
+	    *SAFAMILY(&param->sinsr) == AF_UNIX? 0 :
+#endif
+	    IPPROTO_TCP
+	)) == INVALID_SOCKET) {return (11);}
 	if(SAISNULL(&param->sinsl)){
+#ifdef WITH_UN
+	    if(*SAFAMILY(&param->sinsr) == AF_UNIX) param->sinsl = param->sinsr;
+	    else 
+#endif
 #ifndef NOIPV6
 		if(*SAFAMILY(&param->sinsr) == AF_INET6) param->sinsl = param->srv->extsa6;
 		else
@@ -602,6 +624,9 @@ int doconnect(struct clientparam * param){
 	    if(*SAFAMILY(&param->sinsl) == AF_INET6 && param->srv->so._setsockopt(param->sostate, param->remsock, IPPROTO_IPV6, IPV6_BOUND_IF, &idx, sizeof(idx))) return 12;
 #endif
 	}
+#endif
+#ifdef WITH_UN
+	if(*SAFAMILY(&param->sinsl) != AF_UNIX)
 #endif
 	if(param->srv->so._bind(param->sostate, param->remsock, (struct sockaddr*)&param->sinsl, SASIZE(&param->sinsl))==-1) {
 		return 12;
@@ -637,7 +662,7 @@ int scanaddr(const unsigned char *s, uint32_t * ip, uint32_t * mask) {
 
 RESOLVFUNC resolvfunc = NULL;
 #ifndef _WIN32
-pthread_mutex_t gethostbyname_mutex;
+_3proxy_mutex_t gethostbyname_mutex;
 int ghbn_init = 0;
 #endif
 
@@ -693,10 +718,10 @@ uint32_t getip(unsigned char *name){
 #ifndef NOSTDRESOLVE
 #if !defined(_WIN32) && !defined(GETHOSTBYNAME_R)
 	if(!ghbn_init){
-		pthread_mutex_init(&gethostbyname_mutex, NULL);
+		_3proxy_mutex_init(&gethostbyname_mutex);
 		ghbn_init++;
 	}
-	pthread_mutex_lock(&gethostbyname_mutex);
+	_3proxy_mutex_lock(&gethostbyname_mutex);
 #endif
 	hp=gethostbyname((char *)name);
 	if (!hp && conf.demanddialprog) {
@@ -705,7 +730,7 @@ uint32_t getip(unsigned char *name){
 	}
 	retval = hp?*(uint32_t *)hp->h_addr:0;
 #if !defined(_WIN32) && !defined(GETHOSTBYNAME_R)
-	pthread_mutex_unlock(&gethostbyname_mutex);
+	_3proxy_mutex_unlock(&gethostbyname_mutex);
 #endif
 #ifdef GETHOSTBYNAME_R
 #undef gethostbyname

src/conf.c

@@ -1,5 +1,5 @@
 /*
-   3APA3A simpliest proxy server
+   3APA3A simplest proxy server
    (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
 
    please read License Agreement
@@ -20,12 +20,10 @@
 #define DEFAULTCONFIG conf.stringtable[25]
 #endif
 
-pthread_mutex_t bandlim_mutex;
+_3proxy_mutex_t bandlim_mutex;
-pthread_mutex_t connlim_mutex;
+_3proxy_mutex_t connlim_mutex;
-pthread_mutex_t tc_mutex;
+_3proxy_mutex_t tc_mutex;
-pthread_mutex_t pwl_mutex;
+_3proxy_mutex_t config_mutex;
-pthread_mutex_t hash_mutex;
-pthread_mutex_t config_mutex;
 
 int haveerror = 0;
 int linenum = 0;
@@ -154,7 +152,6 @@ int start_proxy_thread(struct child * chp){
 #ifdef _WIN32
   HANDLE h;
 #endif
-  char r[1];
 
 #ifdef _WIN32
 #ifndef _WINCE
@@ -167,16 +164,15 @@ int start_proxy_thread(struct child * chp){
 	pthread_attr_init(&pa);
 	pthread_attr_setstacksize(&pa,PTHREAD_STACK_MIN + (32768+conf.stacksize));
 	pthread_attr_setdetachstate(&pa,PTHREAD_CREATE_DETACHED);
+	_3proxy_mutex_lock(&conf.threadinit);
 	pthread_create(&thread, &pa, startsrv, (void *)chp);
 	pthread_attr_destroy(&pa);
 #endif
 #ifdef _WIN32
-	ReadFile(conf.threadinit[0], r, 1, NULL, NULL);
+	WaitForSingleObject(conf.threadinit, INFINITE);
 #else
-	while(read(conf.threadinit[0], r, 1) !=1) if(errno != EINTR) {
+	_3proxy_mutex_lock(&conf.threadinit);
-	    fprintf(stderr, "pipe failed\n");
+	_3proxy_mutex_unlock(&conf.threadinit);
-	    return 40;
-	}
 #endif
 	if(haveerror)  {
 		fprintf(stderr, "Service not started on line: %d%s\n", linenum, haveerror == 2? ": insufficient memory":"");
@@ -197,7 +193,7 @@ static int h_proxy(int argc, unsigned char ** argv){
 		childdef.service = S_PROXY;
 		childdef.helpmessage = " -n - no NTLM support\n";
 #ifdef NOIPV6
-		if(!resolvfunc || (resolvfunc == myresolver && !dns_table.hashsize)){
+		if(!resolvfunc || (resolvfunc == myresolver && !dns_table.poolsize)){
 			fprintf(stderr, "[line %d] Warning: no nserver/nscache configured, proxy may run very slow\n", linenum);
 		}
 #endif
@@ -230,7 +226,7 @@ static int h_proxy(int argc, unsigned char ** argv){
 		childdef.service = S_SOCKS;
 		childdef.helpmessage = " -n - no NTLM support\n";
 #ifdef NOIPV6
-		if(!resolvfunc || (resolvfunc == myresolver && !dns_table.hashsize)){
+		if(!resolvfunc || (resolvfunc == myresolver && !dns_table.poolsize)){
 			fprintf(stderr, "[line %d] Warning: no nserver/nscache configured, socks may run very slow\n", linenum);
 		}
 #endif
@@ -276,7 +272,7 @@ static int h_proxy(int argc, unsigned char ** argv){
 		childdef.service = S_DNSPR;
 		childdef.helpmessage = " -s - simple DNS forwarding - do not use 3proxy resolver / name cache\n";
 #ifndef NOIPV6
-		if(!resolvfunc || (resolvfunc == myresolver && !dns_table.hashsize) || resolvfunc == fakeresolver){
+		if(!resolvfunc || (resolvfunc == myresolver && !dns_table.poolsize) || resolvfunc == fakeresolver){
 			fprintf(stderr, "[line %d] Warning: no nserver/nscache configured, dnspr will not work as expected\n", linenum);
 		}
 #endif
@@ -285,6 +281,12 @@ static int h_proxy(int argc, unsigned char ** argv){
 }
 
 static int h_internal(int argc, unsigned char ** argv){
+#ifdef WITH_UN
+	if(!strncmp((char *)argv[1], "unix:", 5)){
+		make_un(argv[1] +5, (struct sockaddr_un *)&conf.intsa);
+	}
+	else
+#endif
 		getip46(46, argv[1], (struct sockaddr *)&conf.intsa);
 	return 0;
 }
@@ -292,7 +294,7 @@ static int h_internal(int argc, unsigned char ** argv){
 static int h_external(int argc, unsigned char ** argv){
 	int res;
 #ifndef NOIPV6
-	struct sockaddr_in6 sa6;
+	PROXYSOCKADDRTYPE sa6;
 	memset(&sa6, 0, sizeof(sa6));
 	res = getip46(46, argv[1], (struct sockaddr *)&sa6);
 	if(!res) return 1;
@@ -335,10 +337,10 @@ static int h_log(int argc, unsigned char ** argv){
 		else if(*argv[1]=='&'){
 			conf.logfunc = logsql;
 			if(notchanged) return 0;
-			pthread_mutex_lock(&log_mutex);
+			_3proxy_mutex_lock(&log_mutex);
 			close_sql();
 			init_sql((char *)argv[1]+1);
-			pthread_mutex_unlock(&log_mutex);
+			_3proxy_mutex_unlock(&log_mutex);
 		}
 #endif
 #ifndef NORADIUS
@@ -439,18 +441,6 @@ static int h_counter(int argc, unsigned char **argv){
 			fprintf(stderr, "Not a counter file %s, line %d\n", argv[1], linenum);
 			return 2;
 		}
-#ifdef _TIME64_T_DEFINED
-#ifdef _MAX__TIME64_T
-#define MAX_COUNTER_TIME (_MAX__TIME64_T)
-#elif defined (MAX__TIME64_T)
-#define MAX_COUNTER_TIME (MAX__TIME64_T)
-#else
-#define MAX_COUNTER_TIME (0x793406fff)
-#endif 
-#else
-#define MAX_COUNTER_TIME ((sizeof(time_t)>4)?(time_t)0x793406fff:(time_t)0x7fffffff)
-#endif
-
 		if(ch1.updated < 0 || ch1.updated >= MAX_COUNTER_TIME){
 			fprintf(stderr, "Invalid or corrupted counter file %s. Use countersutil utility to convert from older version\n", argv[1]);
 			return 3;
@@ -526,44 +516,43 @@ static int h_auth(int argc, unsigned char **argv){
 }
 
 static int h_users(int argc, unsigned char **argv){
+    static char dummy;
     int j;
     unsigned char *arg;
-  struct passwords *pwl = NULL;
+    char *pw[2];
 
     for (j = 1; j < argc; j++) {
-		if(!(pwl = myalloc(sizeof(struct passwords)))) {
-			return(21);
-		}
-		memset(pwl, 0, sizeof(struct passwords));
-
         arg = (unsigned char *)strchr((char *)argv[j], ':');
-		if(!arg||!arg[1]||!arg[2]||arg[3]!=':')	{
+        if (!arg) continue;
-			pwl->user = (unsigned char *)mystrdup((char *)argv[j]);
-			pwl->pwtype = SYS;
-		}
-		else {
         *arg = 0;
-			pwl->user = (unsigned char *)mystrdup((char *)argv[j]);
+        pw[0] = (char *)argv[j];
 
-			if((arg[1] == 'C' && arg[2] == 'L' && (pwl->pwtype = CL)) ||
+        if (arg[1] && arg[2] && arg[3] == ':') {
-				(arg[1] == 'C' && arg[2] == 'R' && (pwl->pwtype = CR)) ||
+            pw[1] = (char *)(arg + 4);
-				(arg[1] == 'N' && arg[2] == 'T' && (pwl->pwtype = NT)) ||
+            if (arg[1] == 'N' && arg[2] == 'T') {
-				(arg[1] == 'L' && arg[2] == 'M' && (pwl->pwtype = LM))){
+                if (!pwnt_table.ihashtable && inithashtable(&pwnt_table, 16, 32, 1048576))
-				pwl->password = (unsigned char *)mystrdup((char *)arg+4);
+                    return 3;
+                hashadd(&pwnt_table, pw, &dummy, MAX_COUNTER_TIME);
+                continue;
             }
-			else {
+            if (arg[1] == 'C' && arg[2] == 'R') {
-				pwl->password = (unsigned char *) mystrdup((char *)arg + 1);
+                if (!pwcr_table.ihashtable && inithashtable(&pwcr_table, 16, 32, 1048576))
-				pwl->pwtype = UN;
+                    return 3;
+                hashadd(&pwcr_table, pw[0], pw[1], MAX_COUNTER_TIME);
+                continue;
             }
-			if(!pwl->password) return 3;
+            if (arg[1] == 'C' && arg[2] == 'L') {
+                /* fall through to CL handling below */
+            } else {
+                continue;
+            }
+        } else {
+            pw[1] = (char *)(arg + 1);
         }
-		if(!pwl->user) return 21;
-		pthread_mutex_lock(&pwl_mutex);
-		pwl->next = conf.pwl;
-		conf.pwl = pwl;
-		pthread_mutex_unlock(&pwl_mutex);
-
 
+        if (!pw_table.ihashtable && inithashtable(&pw_table, 16, 32, 1048576))
+            return 3;
+        hashadd(&pw_table, pw, &dummy, MAX_COUNTER_TIME);
     }
     return 0;
 }
@@ -590,7 +579,7 @@ static int h_maxconn(int argc, unsigned char **argv){
 
 static int h_backlog(int argc, unsigned char **argv){
 	conf.backlog = atoi((char *)argv[1]);
-	if(conf.maxchild < 0) {
+	if(conf.backlog < 0) {
 		return(1);
 	}
 	return 0;
@@ -649,14 +638,14 @@ static int h_fakeresolve(int argc, unsigned char **argv){
 }
 
 static int h_nscache(int argc, unsigned char **argv){
-  int res;
+  unsigned res;
 
-	res = atoi((char *)argv[1]);
+	res = (unsigned)atoi((char *)argv[1]);
 	if(res < 256) {
 		fprintf(stderr, "Invalid NS cache size: %d\n", res);
 		return 1;
 	}
-	if(inithashtable(&dns_table, (unsigned)res)){
+	if(dns_table.growlimit != res && inithashtable(&dns_table, (res >> 2), (res >> 2), res)){
 		fprintf(stderr, "Failed to initialize NS cache\n");
 		return 2;
 	}
@@ -672,14 +661,14 @@ static int h_parentretries(int argc, unsigned char **argv){
 }
 
 static int h_nscache6(int argc, unsigned char **argv){
-  int res;
+  unsigned res;
 
-	res = atoi((char *)argv[1]);
+	res = (unsigned)atoi((char *)argv[1]);
 	if(res < 256) {
 		fprintf(stderr, "Invalid NS cache size: %d\n", res);
 		return 1;
 	}
-	if(inithashtable(&dns6_table, (unsigned)res)){
+	if(dns6_table.growlimit != res &&inithashtable(&dns6_table, (res>>2), (res>>2), res)){
 		fprintf(stderr, "Failed to initialize NS cache\n");
 		return 2;
 	}
@@ -687,11 +676,7 @@ static int h_nscache6(int argc, unsigned char **argv){
 }
 
 static int h_nsrecord(int argc, unsigned char **argv){
-#ifndef NOIPV6
+	PROXYSOCKADDRTYPE sa;
-	struct sockaddr_in6 sa;
-#else
-	struct sockaddr_in sa;
-#endif
 	memset(&sa, 0, sizeof(sa));
 	if(!getip46(46, argv[2], (struct sockaddr *)&sa)) return 1;
 
@@ -771,7 +756,7 @@ struct redirdesc redirs[] = {
 static int h_parent(int argc, unsigned char **argv){
   struct ace *acl = NULL;
   struct chain *chains;
-  char * cidr;
+  char * cidr = NULL;
   int i;
 
 	acl = conf.acl;
@@ -790,23 +775,45 @@ static int h_parent(int argc, unsigned char **argv){
 	chains->weight = (unsigned)atoi((char *)argv[1]);
 	if(chains->weight == 0 || chains->weight >1000) {
 		fprintf(stderr, "Chaining error: bad chain weight %u line %d\n", chains->weight, linenum);
+		myfree(chains);
 		return(3);
 	}
 	for(i = 0; redirs[i].name ; i++){
-	    if(!strcmp((char *)argv[2], redirs[i].name)) {
+	    int len;
+	    len = strlen(redirs[i].name);
+	    if(!strncmp((char *)argv[2], redirs[i].name, len)
+		&& (argv[2][len] == 0 || (argv[2][len] == 's' && argv[2][len+1] == 0))
+	    ) {
 		chains->type = redirs[i].redir;
+		if(argv[2][len] == 's') chains->secure = 1;
 		break;
 	    }
 	}
 	if(!redirs[i].name) {
 		fprintf(stderr, "Chaining error: bad chain type (%s)\n", argv[2]);
+		myfree(chains);
 		return(4);
 	}
+#ifdef WITH_UN
+	if(!strncmp((char *)argv[3], "unix:", 5)){
+	    make_un(argv[3] + 5, (struct sockaddr_un*)&chains->addr);
+	}
+	else {
+#endif
 	cidr = strchr((char *)argv[3], '/');
 	if(cidr) *cidr = 0;
-	if(!getip46(46, argv[3], (struct sockaddr *)&chains->addr)) return (5);
+	if(!getip46(46, argv[3], (struct sockaddr *)&chains->addr)) {
+		myfree(chains);
+		return (5);
+	}
+#ifdef WITH_UN
+	}
+#endif
 	chains->exthost = (unsigned char *)mystrdup((char *)argv[3]);
-	if(!chains->exthost) return 21;
+	if(!chains->exthost) {
+		myfree(chains);
+		return 21;
+	}
 	if(cidr){
 		*cidr = '/';
 		chains->cidr = atoi(cidr + 1);
@@ -842,11 +849,7 @@ static int h_nolog(int argc, unsigned char **argv){
 }
 
 int scanipl(unsigned char *arg, struct iplist *dst){
-#ifndef NOIPV6
+	PROXYSOCKADDRTYPE sa;
-	struct sockaddr_in6 sa;
-#else
-	struct sockaddr_in sa;
-#endif
         char * slash, *dash;
 	int masklen, addrlen;
 	int res;
@@ -1223,7 +1226,10 @@ static int h_ace(int argc, unsigned char **argv){
 		}
 		memset(acl->chains, 0, sizeof(struct chain));
 		acl->chains->type = R_HTTP;
-		if(!getip46(46, argv[1], (struct sockaddr *)&acl->chains->addr)) return 5;
+		if(!getip46(46, argv[1], (struct sockaddr *)&acl->chains->addr)) {
+			freeacl(acl);
+			return 5;
+		}
 		*SAPORT(&acl->chains->addr) = htons((uint16_t)atoi((char *)argv[2]));
 		acl->chains->weight = 1000;
 	case ALLOW:
@@ -1251,7 +1257,7 @@ static int h_ace(int argc, unsigned char **argv){
 			sscanf((char *)argv[1], "%u", &ncl->rate);
 			sscanf((char *)argv[2], "%u", &ncl->period);
 		}
-		pthread_mutex_lock(&connlim_mutex);
+		_3proxy_mutex_lock(&connlim_mutex);
 		if(!conf.connlimiter){
 			conf.connlimiter = ncl;
 		}
@@ -1261,7 +1267,7 @@ static int h_ace(int argc, unsigned char **argv){
 			for(cli = conf.connlimiter; cli->next; cli = cli->next);
 			cli->next = ncl;
 		}
-		pthread_mutex_unlock(&connlim_mutex);			
+		_3proxy_mutex_unlock(&connlim_mutex);			
 		break;
 
 	case BANDLIM:
@@ -1283,7 +1289,7 @@ static int h_ace(int argc, unsigned char **argv){
 				return(4);
 			}
 		}
-		pthread_mutex_lock(&bandlim_mutex);
+		_3proxy_mutex_lock(&bandlim_mutex);
 		if(!strcmp((char *)argv[0], "bandlimin") || !strcmp((char *)argv[0], "nobandlimin")){
 			if(!conf.bandlimiter){
 				conf.bandlimiter = nbl;
@@ -1307,7 +1313,7 @@ static int h_ace(int argc, unsigned char **argv){
 			}
 		}
 		conf.bandlimver++;
-		pthread_mutex_unlock(&bandlim_mutex);			
+		_3proxy_mutex_unlock(&bandlim_mutex);			
 		break;
 
 	case COUNTIN:
@@ -1359,7 +1365,7 @@ static int h_ace(int argc, unsigned char **argv){
 				}
 			}
 		}
-		pthread_mutex_lock(&tc_mutex);
+		_3proxy_mutex_lock(&tc_mutex);
 		if(!conf.trafcounter){
 			conf.trafcounter = tl;
 		}
@@ -1369,7 +1375,7 @@ static int h_ace(int argc, unsigned char **argv){
 			for(ntl = conf.trafcounter; ntl->next; ntl = ntl->next);
 			ntl->next = tl;
 		}
-		pthread_mutex_unlock(&tc_mutex);
+		_3proxy_mutex_unlock(&tc_mutex);
 			
 	}
 	return 0;
@@ -1397,21 +1403,6 @@ static int h_delimchar(int argc, unsigned char **argv){
 static int h_radius(int argc, unsigned char **argv){
 	uint16_t port;
 
-/*
-	int oldrad;
-#ifdef NOIPV6
-	struct  sockaddr_in bindaddr;
-#else
-	struct  sockaddr_in6 bindaddr;
-#endif
-
-	oldrad = nradservers;
-	nradservers = 0;
-	for(; oldrad; oldrad--){
-		if(radiuslist[oldrad].logsock >= 0) so._closesocket(radiuslist[oldrad].logsock);
-		radiuslist[oldrad].logsock = -1;
-	}
-*/
 	memset(radiuslist, 0, sizeof(radiuslist));
 	if(strlen((char *)argv[1]) > 63) argv[1][63] = 0;
 	strcpy(radiussecret, (char *)argv[1]);
@@ -1422,21 +1413,18 @@ static int h_radius(int argc, unsigned char **argv){
 			s++;
 		}
 		if( !getip46(46, argv[nradservers + 2], (struct sockaddr *)&radiuslist[nradservers].authaddr)) return 1;
-		if( s && !getip46(46, (unsigned char *)s+1, (struct sockaddr *)&radiuslist[nradservers].localaddr)) return 2;
+		if( s && !getip46(46, (unsigned char *)s, (struct sockaddr *)&radiuslist[nradservers].localaddr)) return 2;
 		if(!*SAPORT(&radiuslist[nradservers].authaddr))*SAPORT(&radiuslist[nradservers].authaddr) = htons(1812);
 		port = ntohs(*SAPORT(&radiuslist[nradservers].authaddr));
 		radiuslist[nradservers].logaddr = radiuslist[nradservers].authaddr;
  	        *SAPORT(&radiuslist[nradservers].logaddr) = htons(port+1);
-/*
-		bindaddr = radiuslist[nradservers].localaddr;
-		if ((radiuslist[nradservers].logsock = so._socket(SASOCK(&radiuslist[nradservers].logaddr), SOCK_DGRAM, 0)) < 0) return 2;
-		if (so._bind(radiuslist[nradservers].logsock, (struct sockaddr *)&bindaddr, SASIZE(&bindaddr))) return 3;
-*/
 	}
 	return 0;
 }
 #endif
 static int h_authcache(int argc, unsigned char **argv){
+	int authcachesize = 0;
+
 	conf.authcachetype = 0;
 	if(strstr((char *) *(argv + 1), "ip")) conf.authcachetype |= 1;
 	if(strstr((char *) *(argv + 1), "user")) conf.authcachetype |= 2;
@@ -1444,9 +1432,21 @@ static int h_authcache(int argc, unsigned char **argv){
 	if(strstr((char *) *(argv + 1), "limit")) conf.authcachetype |= 8;
 	if(strstr((char *) *(argv + 1), "acl")) conf.authcachetype |= 16;
 	if(strstr((char *) *(argv + 1), "ext")) conf.authcachetype |= 32;
+	if(strstr((char *) *(argv + 1), "dstaddr")) conf.authcachetype |= 64;
+	if(strstr((char *) *(argv + 1), "dstport")) conf.authcachetype |= 128;
+	if(strstr((char *) *(argv + 1), "dsthost")) conf.authcachetype |= 256;
+	if(strstr((char *) *(argv + 1), "dstoper")) conf.authcachetype |= 512;
+	if(strstr((char *) *(argv + 1), "srvaddr")) conf.authcachetype |= 1024;
+	if(strstr((char *) *(argv + 1), "srvport")) conf.authcachetype |= 2048;
 	if(argc > 2) conf.authcachetime = (unsigned) atoi((char *) *(argv + 2));
+	if(argc > 3) authcachesize  = (unsigned) atoi((char *) *(argv + 3));
 	if(!conf.authcachetype) conf.authcachetype = 6;
 	if(!conf.authcachetime) conf.authcachetime = 600;
+	if(!authcachesize) authcachesize = 65536*4;
+	if(auth_table.growlimit != authcachesize && inithashtable(&auth_table, authcachesize < 1024? authcachesize:1024, authcachesize < 1024? authcachesize:1024, authcachesize)){
+		fprintf(stderr, "Failed to initialize auth cache\n");
+		return 2;
+	}
 	return 0;
 }
 
@@ -1653,7 +1653,7 @@ struct commands commandhandlers[]={
 	{commandhandlers+53, "filtermaxsize", h_filtermaxsize, 2, 2},
 	{commandhandlers+54, "nolog", h_nolog, 1, 1},
 	{commandhandlers+55, "weight", h_nolog, 2, 2},
-	{commandhandlers+56, "authcache", h_authcache, 2, 3},
+	{commandhandlers+56, "authcache", h_authcache, 2, 4},
 	{commandhandlers+57, "smtpp", h_proxy, 1, 0},
 	{commandhandlers+58, "delimchar",h_delimchar, 2, 2},
 	{commandhandlers+59, "authnserver", h_authnserver, 2, 2},
@@ -1717,8 +1717,8 @@ int parsestr (unsigned char *str, unsigned char **argm, int nitems, unsigned cha
 				*str = 0;
 				space = 1;
 				if(incbegin){
-					argc--;
+					if(argc) argc--;
-					if((fd = open((char *)incbegin+1, O_RDONLY)) <= 0){
+					if((fd = open((char *)incbegin+1, O_RDONLY)) < 0){
 						fprintf(stderr, "Failed to open %s\n", incbegin+1);
 						return -1;
 					}
@@ -1731,7 +1731,7 @@ int parsestr (unsigned char *str, unsigned char **argm, int nitems, unsigned cha
 						}
 					}
 					len = 0;
-					if(argm[argc]!=(incbegin+1)) {
+					if(argc > 0 && argm[argc]!=(incbegin+1)) {
 						len = (int)strlen((char *)argm[argc]);
 						memmove(buf+*inbuf, argm[argc], len);
 					}
@@ -1807,7 +1807,11 @@ int readconfig(FILE * fp){
 
 	res = 1;
 	for(cm = commandhandlers; cm; cm = cm->next){
-		if(!strcmp((char *)argv[0], (char *)cm->command) && argc >= cm->minargs && (!cm->maxargs || argc <= cm->maxargs)){
+		if(!strcmp((char *)argv[0], (char *)cm->command)){
+		    if(argc < cm->minargs || (cm->maxargs && argc > cm->maxargs)){
+			fprintf(stderr, "Command: '%s' wrong number of arguments , line %d\n", argv[0], linenum);
+			return(linenum);
+		    }
 		    res = (*cm->handler)(argc, argv);
 		    if(res > 0){
 			fprintf(stderr, "Command: '%s' failed with code %d, line %d\n", argv[0], res, linenum);
@@ -1841,7 +1845,6 @@ void freeconf(struct extparam *confp){
  struct bandlim * blout;
  struct connlim * cl;
  struct trafcount * tc;
- struct passwords *pw;
  struct ace *acl;
  struct filemon *fm;
  int counterd, archiverc;
@@ -1853,33 +1856,31 @@ void freeconf(struct extparam *confp){
 
 
 
- pthread_mutex_lock(&tc_mutex);
+ _3proxy_mutex_lock(&tc_mutex);
  confp->trafcountfunc = NULL;
  tc = confp->trafcounter;
  confp->trafcounter = NULL;
  counterd = confp->counterd;
  confp->counterd = -1;
  confp->countertype = NONE;
- pthread_mutex_unlock(&tc_mutex);
+ _3proxy_mutex_unlock(&tc_mutex);
 
- pthread_mutex_lock(&bandlim_mutex);
+ _3proxy_mutex_lock(&bandlim_mutex);
  bl = confp->bandlimiter;
  blout = confp->bandlimiterout;
  confp->bandlimiter = NULL;
  confp->bandlimiterout = NULL;
  confp->bandlimfunc = NULL;
  confp->bandlimver++;
- pthread_mutex_unlock(&bandlim_mutex);
+ _3proxy_mutex_unlock(&bandlim_mutex);
- pthread_mutex_lock(&connlim_mutex);
+ _3proxy_mutex_lock(&connlim_mutex);
  cl = confp->connlimiter;
  confp->connlimiter = NULL;
- pthread_mutex_unlock(&connlim_mutex);
+ _3proxy_mutex_unlock(&connlim_mutex);
-
- pthread_mutex_lock(&pwl_mutex);
- pw = confp->pwl;
- confp->pwl = NULL;
- pthread_mutex_unlock(&pwl_mutex);
 
+ destroyhashtable(&pw_table);
+ destroyhashtable(&pwnt_table);
+ destroyhashtable(&pwcr_table);
 
  confp->logfunc = lognone;
  logformat = confp->logformat;
@@ -1924,7 +1925,6 @@ void freeconf(struct extparam *confp){
 
  
  freeacl(acl);
- freepwl(pw);
  for(; bl; bl = (struct bandlim *) itfree(bl, bl->next)) freeacl(bl->ace);
  for(; blout; blout = (struct bandlim *) itfree(blout, blout->next))freeacl(blout->ace);
  for(; cl; cl = (struct connlim *) itfree(cl, cl->next)) freeacl(cl->ace);
@@ -1949,7 +1949,7 @@ int reload (void){
 	FILE *fp;
 	int error = -2;
 
-	pthread_mutex_lock(&config_mutex);
+	_3proxy_mutex_lock(&config_mutex);
 	conf.paused++;
 	freeconf(&conf);
 	conf.paused++;
@@ -1963,6 +1963,6 @@ int reload (void){
 		}
 		if(!writable)fclose(fp);
 	}
-	pthread_mutex_unlock(&config_mutex);
+	_3proxy_mutex_unlock(&config_mutex);
 	return error;
 }

src/dnspr.c

@@ -1,5 +1,5 @@
 /*
-   3APA3A simpliest proxy server
+   3APA3A simplest proxy server
    (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
 
    please read License Agreement

src/ftppr.c

@@ -1,5 +1,5 @@
 /*
-   3APA3A simpliest proxy server
+   3APA3A simplest proxy server
    (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
 
    please read License Agreement

src/hash.c

@@ -0,0 +1,316 @@
+#include "proxy.h"
+
+struct hashentry {
+        time_t expires;
+        uint32_t inext;
+        char value[4];
+};
+
+static uint32_t hashindex(unsigned tablesize, const uint8_t* hash){
+    return (*(unsigned *)hash) % tablesize;
+}
+
+
+void destroyhashtable(struct hashtable *ht){
+    _3proxy_mutex_lock(&ht->hash_mutex);
+    if(ht->ihashtable){
+	myfree(ht->ihashtable);
+	ht->ihashtable = NULL;
+    }
+    if(ht->hashvalues){
+	myfree(ht->hashvalues);
+	ht->hashvalues = NULL;
+    }
+    if(ht->hashhashvalues){
+	myfree(ht->hashhashvalues);
+	ht->hashhashvalues = NULL;
+    }
+    ht->poolsize = 0;
+    ht->tablesize = 0;
+    ht->ihashempty = 0;
+    _3proxy_mutex_unlock(&ht->hash_mutex);
+    _3proxy_mutex_destroy(&ht->hash_mutex);
+}
+
+#define hvalue(ht,I) ((struct hashentry *)(ht->hashvalues + (I-1)*(sizeof(struct hashentry) + ht->recsize - 4)))
+#define hhash(ht,I) ((ht->hashhashvalues + (I-1)*(ht->hash_size)))
+
+int inithashtable(struct hashtable *ht, unsigned tablesize, unsigned poolsize, unsigned growlimit){
+    unsigned i;
+    clock_t c;
+
+#ifdef _WIN32
+    struct timeb tb;
+
+    ftime(&tb);
+
+#else
+    struct timeval tb;
+    struct timezone tz;
+    gettimeofday(&tb, &tz);
+#endif
+    c = clock();
+
+    if(tablesize < 2 || poolsize < tablesize || growlimit < poolsize) return 1;
+    if(ht->ihashtable){
+        _3proxy_mutex_lock(&ht->hash_mutex);
+	if(ht->ihashtable){
+	    myfree(ht->ihashtable);
+	    ht->ihashtable = NULL;
+	}
+	if(ht->hashvalues){
+	    myfree(ht->hashvalues);
+	    ht->hashvalues = NULL;
+	}
+	if(ht->hashhashvalues){
+	    myfree(ht->hashhashvalues);
+	    ht->hashhashvalues = NULL;
+	}
+	ht->poolsize = 0;
+	ht->tablesize = 0;
+    }
+    else {
+	_3proxy_mutex_init(&ht->hash_mutex);
+        _3proxy_mutex_lock(&ht->hash_mutex);
+    }
+    if(!(ht->ihashtable = myalloc(tablesize *  sizeof(uint32_t)))
+    || !(ht->hashvalues = myalloc(poolsize * (sizeof(struct hashentry) + ht->recsize - 4)))
+    || !(ht->hashhashvalues = myalloc(poolsize * ht->hash_size))
+    ){
+	myfree(ht->ihashtable);
+	ht->ihashtable = NULL;
+	myfree(ht->hashvalues);
+	ht->hashvalues = NULL;
+	_3proxy_mutex_unlock(&ht->hash_mutex);
+	return 3;
+    }
+    ht->poolsize = poolsize;
+    ht->tablesize = tablesize;
+    ht->growlimit = growlimit;
+    memset(ht->ihashtable, 0, ht->tablesize * sizeof(uint32_t));
+    memset(ht->hashvalues, 0, ht->poolsize * (sizeof(struct hashentry) + ht->recsize - 4));
+
+    for(i = 1; i < ht->poolsize; i++) {
+	hvalue(ht,i)->inext = i+1;
+    }
+    ht->ihashempty = 1;
+    _3proxy_mutex_unlock(&ht->hash_mutex);
+    return 0;
+}
+
+static void hashcompact(struct hashtable *ht){
+    int i;
+    uint32_t he, *hep;
+    
+    if((conf.time - ht->compacted) < 300 || !ht->tablesize || !ht->poolsize || ht->ihashempty) return;
+    for(i = 0; i < ht->tablesize; i++){
+	for(hep = ht->ihashtable + i; (he = *hep) != 0; ){
+	    if(hvalue(ht,he)->expires < conf.time ) {
+		(*hep) = hvalue(ht,he)->inext;
+		hvalue(ht,he)->expires = 0;
+		hvalue(ht,he)->inext = ht->ihashempty;
+		ht->ihashempty = he;
+	    }
+	    else hep=&(hvalue(ht,he)->inext);
+	}
+    }
+    ht->compacted = conf.time;
+    if(ht->ihashempty) return;
+}
+
+static void hashgrow(struct hashtable *ht){
+    unsigned newsize = (ht->poolsize + (ht->poolsize >> 1));
+    unsigned i;
+    void * newvalues;
+    
+    if(!ht->tablesize || !ht->poolsize) return;
+    if(ht->poolsize / ht->tablesize < 4) hashcompact(ht);
+    if(ht->ihashempty) return;
+    if(ht->poolsize >= ht->growlimit) return;
+    if(newsize > ht->growlimit) newsize = ht->growlimit;
+    newvalues = myrealloc(ht->hashvalues, newsize * (sizeof(struct hashentry) + ht->recsize - 4));
+    if(!newvalues) return;
+    ht->hashvalues = newvalues;
+    newvalues = myrealloc(ht->hashhashvalues, newsize * ht->hash_size);
+    if(!newvalues) return;
+    ht->hashhashvalues = newvalues;
+    memset(ht->hashvalues + (ht->poolsize * (sizeof(struct hashentry) + ht->recsize - 4)), 0, (newsize - ht->poolsize) * (sizeof(struct hashentry) + ht->recsize - 4));
+    for(i = ht->poolsize + 1; i < newsize; i++) {
+	hvalue(ht,i)->inext = i+1;
+    }
+    hvalue(ht,newsize)->inext = ht->ihashempty;
+    ht->ihashempty = ht->poolsize + 1;
+    ht->poolsize = newsize;
+    if (ht->poolsize / ht->tablesize > 10) {
+        unsigned newtablesize = ht->poolsize / 3;
+        uint32_t *newitable = myalloc(newtablesize * sizeof(uint32_t));
+        if (newitable) {
+            unsigned j;
+            memset(newitable, 0, newtablesize * sizeof(uint32_t));
+            for (j = 0; j < ht->tablesize; j++) {
+                uint32_t he = ht->ihashtable[j];
+                while (he) {
+                    uint32_t next = hvalue(ht, he)->inext;
+                    unsigned idx = hashindex(newtablesize, hhash(ht, he));
+                    hvalue(ht, he)->inext = newitable[idx];
+                    newitable[idx] = he;
+                    he = next;
+                }
+            }
+            myfree(ht->ihashtable);
+            ht->ihashtable = newitable;
+            ht->tablesize = newtablesize;
+        }
+    }
+}
+
+
+
+void hashadd(struct hashtable *ht, void* name, void* value, time_t expires){
+    uint32_t hen, he;
+    uint32_t *hep;
+    int overwrite = 0;
+    uint8_t hash[MAX_HASH_SIZE];
+    uint32_t index;
+    uint32_t last = 0;
+    
+    if(!ht||!value||!name||!ht->ihashtable) {
+	return;
+    }
+
+    ht->index2hash_add(ht, name, hash);
+    _3proxy_mutex_lock(&ht->hash_mutex);
+    index = hashindex(ht->tablesize, hash);
+
+    for(hep = ht->ihashtable + index; (he = *hep)!=0; ){
+	if(hvalue(ht,he)->expires < conf.time || !memcmp(hash, hhash(ht,he), ht->hash_size)) {
+	    (*hep) = hvalue(ht,he)->inext;
+	    hvalue(ht,he)->expires = 0;
+	    hvalue(ht,he)->inext = ht->ihashempty;
+	    ht->ihashempty = he;
+	}
+	else {
+	    hep=&(hvalue(ht,he)->inext);
+	    last = he;
+	}
+    }
+
+    if(!ht->ihashempty){
+	hashgrow(ht);
+    }
+
+    if(ht->ihashempty){
+	hen = ht->ihashempty;
+	ht->ihashempty = hvalue(ht,ht->ihashempty)->inext;
+	hvalue(ht,hen)->inext = ht->ihashtable[index];
+	ht->ihashtable[index] = hen;
+    }
+    else {
+	hen = last;
+    }
+    if(hen){
+	memcpy(hhash(ht,hen), hash, ht->hash_size);
+	memcpy(hvalue(ht,hen)->value, value, ht->recsize);
+	hvalue(ht,hen)->expires = expires;
+    }
+
+    _3proxy_mutex_unlock(&ht->hash_mutex);
+}
+
+int hashresolv(struct hashtable *ht, void* name, void* value, uint32_t *ttl){
+    uint8_t hash[MAX_HASH_SIZE];
+    uint32_t *hep;
+    uint32_t he;
+    uint32_t index;
+
+    if(!ht || !ht->ihashtable || !name) {
+	return 0;
+    }
+    ht->index2hash_search(ht,name, hash);
+    _3proxy_mutex_lock(&ht->hash_mutex);
+    index = hashindex(ht->tablesize, hash);
+    for(hep = ht->ihashtable + index; (he = *hep)!=0; ){
+	if(hvalue(ht, he)->expires < conf.time) {
+	    (*hep) = hvalue(ht,he)->inext;
+	    hvalue(ht,he)->expires = 0;
+	    hvalue(ht,he)->inext = ht->ihashempty;
+	    ht->ihashempty = he;
+	}
+	else if(!memcmp(hash, hhash(ht,he), ht->hash_size)){
+	    if(ttl) *ttl = (uint32_t)(hvalue(ht,he)->expires - conf.time);
+	    memcpy(value, hvalue(ht,he)->value, ht->recsize);
+	    _3proxy_mutex_unlock(&ht->hash_mutex);
+	    return 1;
+	}
+	else hep=&(hvalue(ht,he)->inext);
+    }
+    _3proxy_mutex_unlock(&ht->hash_mutex);
+    return 0;
+}
+
+void hashdelete(struct hashtable *ht, void *name){
+    uint8_t hash[MAX_HASH_SIZE];
+    uint32_t *hep;
+    uint32_t he;
+    uint32_t index;
+
+    if(!ht || !ht->ihashtable || !name) {
+	return;
+    }
+    ht->index2hash_search(ht, name, hash);
+    _3proxy_mutex_lock(&ht->hash_mutex);
+    index = hashindex(ht->tablesize, hash);
+    for(hep = ht->ihashtable + index; (he = *hep) != 0; ){
+	if((hvalue(ht, he)->expires && hvalue(ht, he)->expires < conf.time) || !memcmp(hash, hhash(ht, he), ht->hash_size)) {
+	    (*hep) = hvalue(ht, he)->inext;
+	    hvalue(ht, he)->expires = 0;
+	    hvalue(ht, he)->inext = ht->ihashempty;
+	    ht->ihashempty = he;
+	}
+	else hep = &(hvalue(ht, he)->inext);
+    }
+    _3proxy_mutex_unlock(&ht->hash_mutex);
+}
+
+#define MURMUR_C1 0xcc9e2d51u
+#define MURMUR_C2 0x1b873593u
+
+uint32_t murmurhash3(const void *key, int len, uint32_t seed) {
+    const uint8_t *data = (const uint8_t *)key;
+    const int nblocks = len / 4;
+    uint32_t h = seed;
+    int i;
+    const uint32_t *blocks = (const uint32_t *)(data);
+    const uint8_t *tail = data + nblocks * 4;
+    uint32_t k;
+
+    for (i = 0; i < nblocks; i++) {
+        memcpy(&k, blocks + i, sizeof(k));
+        k *= MURMUR_C1;
+        k = (k << 15) | (k >> 17);
+        k *= MURMUR_C2;
+        h ^= k;
+        h = (h << 13) | (h >> 19);
+        h = h * 5 + 0xe6546b64u;
+    }
+
+    k = 0;
+    switch (len & 3) {
+        case 3: k ^= (uint32_t)tail[2] << 16; /* fall through */
+        case 2: k ^= (uint32_t)tail[1] << 8;  /* fall through */
+        case 1: k ^= (uint32_t)tail[0];
+                k *= MURMUR_C1;
+                k = (k << 15) | (k >> 17);
+                k *= MURMUR_C2;
+                h ^= k;
+    }
+
+    h ^= (uint32_t)len;
+    h ^= h >> 16;
+    h *= 0x85ebca6bu;
+    h ^= h >> 13;
+    h *= 0xc2b2ae35u;
+    h ^= h >> 16;
+
+    return h;
+}

src/hashtables.c

@@ -0,0 +1,99 @@
+#include "proxy.h"
+#include "libs/blake2.h"
+
+
+static void char_index2hash(const struct hashtable *ht, void *index, uint8_t *hash){
+    char* name = index;
+
+    blake2b(hash, ht->hash_size, index, strlen((const char*)index), NULL, 0);
+}
+
+static void param2hash_add(const struct hashtable *ht, void *index, uint8_t *hash){
+    blake2b_state S;
+    struct clientparam *param = (struct clientparam *)index;
+    unsigned type = param->srv->authcachetype;
+
+    blake2b_init(&S, ht->hash_size);
+    if((type & 2) && param->username)blake2b_update(&S, param->username, strlen((const char *)param->username) + 1);
+    if((type & 4) && param->password)blake2b_update(&S, param->password, strlen((const char *)param->password) + 1);
+    if((type & 1) && !(type & 8))blake2b_update(&S, SAADDR(&param->sincr), SAADDRLEN(&param->sincr));
+    if((type & 16))blake2b_update(&S, &param->srv->acl, sizeof(param->srv->acl));
+    if((type & 64))blake2b_update(&S, SAADDR(&param->req), SAADDRLEN(&param->req));
+    if((type & 128))blake2b_update(&S, SAPORT(&param->req), 2);
+    if((type & 256) && param->hostname)blake2b_update(&S, param->hostname, strlen((const char *)param->hostname) + 1);
+    if((type & 512))blake2b_update(&S, &param->operation, sizeof(param->operation));
+    if((type & 1024))blake2b_update(&S, SAADDR(&param->srv->intsa), SAADDRLEN(&param->srv->intsa));
+    if((type & 2048))blake2b_update(&S, SAPORT(&param->srv->intsa), 2);
+    blake2b_final(&S, hash, ht->hash_size);
+    memcpy(param->hash, hash, ht->hash_size);
+}
+
+void param2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){
+    struct clientparam *param = (struct clientparam *)index;
+
+    memcpy(hash, param->hash, ht->hash_size);
+}
+
+static void user2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){
+    struct clientparam *param = (struct clientparam *)index;
+    blake2b(hash, ht->hash_size, param->username, strlen((const char *)param->username), NULL, 0);
+}
+
+static void udpparam2hash(const struct hashtable *ht, void *index, uint8_t *hash){
+    struct clientparam *param = (struct clientparam *)index;
+    blake2b_state S;
+    blake2b_init(&S, ht->hash_size);
+    blake2b_update(&S, SAADDR(&param->srv->intsa), SAADDRLEN(&param->srv->intsa));
+    blake2b_update(&S, SAPORT(&param->srv->intsa), 2);
+    blake2b_update(&S, SAADDR(&param->sincr), SAADDRLEN(&param->sincr));
+    blake2b_update(&S, SAPORT(&param->sincr), 2);
+    blake2b_final(&S, hash, ht->hash_size);
+}
+
+static void pw2hash_add(const struct hashtable *ht, void *index, uint8_t *hash){
+    char ** pw = (char **)index;
+    blake2b_state S;
+    
+    blake2b_init(&S, ht->hash_size);
+    if(pw[0])blake2b_update(&S, pw[0], strlen(pw[0]) + 1);
+    if(pw[1])blake2b_update(&S, pw[1], strlen(pw[1]) + 1);
+    blake2b_final(&S, hash, ht->hash_size);
+}
+
+
+static void pw2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){
+    struct clientparam *param  = (struct clientparam *)index;
+
+    char *pw[2] = {(char *)param->username, (char *)param->password};
+    
+    pw2hash_add(ht, pw, hash);
+}
+
+static void pwnt2hash_add(const struct hashtable *ht, void *index, uint8_t *hash){
+    char ** pw = (char **)index;
+    blake2b_state S;
+    
+    blake2b_init(&S, ht->hash_size);
+    if(pw[0])blake2b_update(&S, pw[0], strlen(pw[0]) + 1);
+    if(pw[1])blake2b_update(&S, pw[1], strlen(pw[1]) + 1);
+    blake2b_final(&S, hash, ht->hash_size);
+}
+
+
+static void pwnt2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){
+    struct clientparam *param  = (struct clientparam *)index;
+    unsigned char pass[40];    
+    char *pw[2] = {(char *)param->username, (char *)pass};
+
+    ntpwdhash(pass, param->password, 1);
+    pwnt2hash_add(ht, pw, hash);
+}
+
+
+
+struct hashtable dns_table = {char_index2hash, char_index2hash, 4, 12};
+struct hashtable dns6_table = {char_index2hash, char_index2hash, 16, 12};
+struct hashtable auth_table = {param2hash_add, param2hash_search, sizeof(struct authcache), 12};
+struct hashtable pw_table = {pw2hash_add, pw2hash_search, 0, 12};
+struct hashtable pwnt_table = {pwnt2hash_add, pwnt2hash_search, 0, 12};
+struct hashtable pwcr_table = {char_index2hash, user2hash_search, 64, 12};

src/libs/blake2-impl.h

@@ -0,0 +1,160 @@
+/*
+   BLAKE2 reference source code package - reference C implementations
+
+   Copyright 2012, Samuel Neves <sneves@dei.uc.pt>.  You may use this under the
+   terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at
+   your option.  The terms of these licenses can be found at:
+
+   - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
+   - OpenSSL license   : https://www.openssl.org/source/license.html
+   - Apache 2.0        : http://www.apache.org/licenses/LICENSE-2.0
+
+   More information about the BLAKE2 hash function can be found at
+   https://blake2.net.
+*/
+#ifndef BLAKE2_IMPL_H
+#define BLAKE2_IMPL_H
+
+#include <stdint.h>
+#include <string.h>
+
+#if !defined(__cplusplus) && (!defined(__STDC_VERSION__) || __STDC_VERSION__ < 199901L)
+  #if   defined(_MSC_VER)
+    #define BLAKE2_INLINE __inline
+  #elif defined(__GNUC__)
+    #define BLAKE2_INLINE __inline__
+  #else
+    #define BLAKE2_INLINE
+  #endif
+#else
+  #define BLAKE2_INLINE inline
+#endif
+
+static BLAKE2_INLINE uint32_t load32( const void *src )
+{
+#if defined(NATIVE_LITTLE_ENDIAN)
+  uint32_t w;
+  memcpy(&w, src, sizeof w);
+  return w;
+#else
+  const uint8_t *p = ( const uint8_t * )src;
+  return (( uint32_t )( p[0] ) <<  0) |
+         (( uint32_t )( p[1] ) <<  8) |
+         (( uint32_t )( p[2] ) << 16) |
+         (( uint32_t )( p[3] ) << 24) ;
+#endif
+}
+
+static BLAKE2_INLINE uint64_t load64( const void *src )
+{
+#if defined(NATIVE_LITTLE_ENDIAN)
+  uint64_t w;
+  memcpy(&w, src, sizeof w);
+  return w;
+#else
+  const uint8_t *p = ( const uint8_t * )src;
+  return (( uint64_t )( p[0] ) <<  0) |
+         (( uint64_t )( p[1] ) <<  8) |
+         (( uint64_t )( p[2] ) << 16) |
+         (( uint64_t )( p[3] ) << 24) |
+         (( uint64_t )( p[4] ) << 32) |
+         (( uint64_t )( p[5] ) << 40) |
+         (( uint64_t )( p[6] ) << 48) |
+         (( uint64_t )( p[7] ) << 56) ;
+#endif
+}
+
+static BLAKE2_INLINE uint16_t load16( const void *src )
+{
+#if defined(NATIVE_LITTLE_ENDIAN)
+  uint16_t w;
+  memcpy(&w, src, sizeof w);
+  return w;
+#else
+  const uint8_t *p = ( const uint8_t * )src;
+  return ( uint16_t )((( uint32_t )( p[0] ) <<  0) |
+                      (( uint32_t )( p[1] ) <<  8));
+#endif
+}
+
+static BLAKE2_INLINE void store16( void *dst, uint16_t w )
+{
+#if defined(NATIVE_LITTLE_ENDIAN)
+  memcpy(dst, &w, sizeof w);
+#else
+  uint8_t *p = ( uint8_t * )dst;
+  *p++ = ( uint8_t )w; w >>= 8;
+  *p++ = ( uint8_t )w;
+#endif
+}
+
+static BLAKE2_INLINE void store32( void *dst, uint32_t w )
+{
+#if defined(NATIVE_LITTLE_ENDIAN)
+  memcpy(dst, &w, sizeof w);
+#else
+  uint8_t *p = ( uint8_t * )dst;
+  p[0] = (uint8_t)(w >>  0);
+  p[1] = (uint8_t)(w >>  8);
+  p[2] = (uint8_t)(w >> 16);
+  p[3] = (uint8_t)(w >> 24);
+#endif
+}
+
+static BLAKE2_INLINE void store64( void *dst, uint64_t w )
+{
+#if defined(NATIVE_LITTLE_ENDIAN)
+  memcpy(dst, &w, sizeof w);
+#else
+  uint8_t *p = ( uint8_t * )dst;
+  p[0] = (uint8_t)(w >>  0);
+  p[1] = (uint8_t)(w >>  8);
+  p[2] = (uint8_t)(w >> 16);
+  p[3] = (uint8_t)(w >> 24);
+  p[4] = (uint8_t)(w >> 32);
+  p[5] = (uint8_t)(w >> 40);
+  p[6] = (uint8_t)(w >> 48);
+  p[7] = (uint8_t)(w >> 56);
+#endif
+}
+
+static BLAKE2_INLINE uint64_t load48( const void *src )
+{
+  const uint8_t *p = ( const uint8_t * )src;
+  return (( uint64_t )( p[0] ) <<  0) |
+         (( uint64_t )( p[1] ) <<  8) |
+         (( uint64_t )( p[2] ) << 16) |
+         (( uint64_t )( p[3] ) << 24) |
+         (( uint64_t )( p[4] ) << 32) |
+         (( uint64_t )( p[5] ) << 40) ;
+}
+
+static BLAKE2_INLINE void store48( void *dst, uint64_t w )
+{
+  uint8_t *p = ( uint8_t * )dst;
+  p[0] = (uint8_t)(w >>  0);
+  p[1] = (uint8_t)(w >>  8);
+  p[2] = (uint8_t)(w >> 16);
+  p[3] = (uint8_t)(w >> 24);
+  p[4] = (uint8_t)(w >> 32);
+  p[5] = (uint8_t)(w >> 40);
+}
+
+static BLAKE2_INLINE uint32_t rotr32( const uint32_t w, const unsigned c )
+{
+  return ( w >> c ) | ( w << ( 32 - c ) );
+}
+
+static BLAKE2_INLINE uint64_t rotr64( const uint64_t w, const unsigned c )
+{
+  return ( w >> c ) | ( w << ( 64 - c ) );
+}
+
+/* prevents compiler optimizing out memset() */
+static BLAKE2_INLINE void secure_zero_memory(void *v, size_t n)
+{
+  static void *(*const volatile memset_v)(void *, int, size_t) = &memset;
+  memset_v(v, 0, n);
+}
+
+#endif

src/libs/blake2.h

@@ -0,0 +1,197 @@
+/*
+   BLAKE2 reference source code package - reference C implementations
+
+   Copyright 2012, Samuel Neves <sneves@dei.uc.pt>.  You may use this under the
+   terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at
+   your option.  The terms of these licenses can be found at:
+
+   - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
+   - OpenSSL license   : https://www.openssl.org/source/license.html
+   - Apache 2.0        : http://www.apache.org/licenses/LICENSE-2.0
+
+   More information about the BLAKE2 hash function can be found at
+   https://blake2.net.
+*/
+#ifndef BLAKE2_H
+#define BLAKE2_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+#if defined(WATCOM)
+#define BLAKE2_PACKED(x) _Packed x
+#elif defined(_MSC_VER)
+#define BLAKE2_PACKED(x) __pragma(pack(push, 1)) x __pragma(pack(pop))
+#else
+#define BLAKE2_PACKED(x) x __attribute__((packed))
+#endif
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+  enum blake2s_constant
+  {
+    BLAKE2S_BLOCKBYTES = 64,
+    BLAKE2S_OUTBYTES   = 32,
+    BLAKE2S_KEYBYTES   = 32,
+    BLAKE2S_SALTBYTES  = 8,
+    BLAKE2S_PERSONALBYTES = 8
+  };
+
+  enum blake2b_constant
+  {
+    BLAKE2B_BLOCKBYTES = 128,
+    BLAKE2B_OUTBYTES   = 64,
+    BLAKE2B_KEYBYTES   = 64,
+    BLAKE2B_SALTBYTES  = 16,
+    BLAKE2B_PERSONALBYTES = 16
+  };
+
+  typedef struct blake2s_state__
+  {
+    uint32_t h[8];
+    uint32_t t[2];
+    uint32_t f[2];
+    uint8_t  buf[BLAKE2S_BLOCKBYTES];
+    size_t   buflen;
+    size_t   outlen;
+    uint8_t  last_node;
+  } blake2s_state;
+
+  typedef struct blake2b_state__
+  {
+    uint64_t h[8];
+    uint64_t t[2];
+    uint64_t f[2];
+    uint8_t  buf[BLAKE2B_BLOCKBYTES];
+    size_t   buflen;
+    size_t   outlen;
+    uint8_t  last_node;
+  } blake2b_state;
+
+  typedef struct blake2sp_state__
+  {
+    blake2s_state S[8][1];
+    blake2s_state R[1];
+    uint8_t       buf[8 * BLAKE2S_BLOCKBYTES];
+    size_t        buflen;
+    size_t        outlen;
+  } blake2sp_state;
+
+  typedef struct blake2bp_state__
+  {
+    blake2b_state S[4][1];
+    blake2b_state R[1];
+    uint8_t       buf[4 * BLAKE2B_BLOCKBYTES];
+    size_t        buflen;
+    size_t        outlen;
+  } blake2bp_state;
+
+
+  BLAKE2_PACKED(struct blake2s_param__
+  {
+    uint8_t  digest_length; /* 1 */
+    uint8_t  key_length;    /* 2 */
+    uint8_t  fanout;        /* 3 */
+    uint8_t  depth;         /* 4 */
+    uint32_t leaf_length;   /* 8 */
+    uint32_t node_offset;  /* 12 */
+    uint16_t xof_length;    /* 14 */
+    uint8_t  node_depth;    /* 15 */
+    uint8_t  inner_length;  /* 16 */
+    /* uint8_t  reserved[0]; */
+    uint8_t  salt[BLAKE2S_SALTBYTES]; /* 24 */
+    uint8_t  personal[BLAKE2S_PERSONALBYTES];  /* 32 */
+  });
+
+  typedef struct blake2s_param__ blake2s_param;
+
+  BLAKE2_PACKED(struct blake2b_param__
+  {
+    uint8_t  digest_length; /* 1 */
+    uint8_t  key_length;    /* 2 */
+    uint8_t  fanout;        /* 3 */
+    uint8_t  depth;         /* 4 */
+    uint32_t leaf_length;   /* 8 */
+    uint32_t node_offset;   /* 12 */
+    uint32_t xof_length;    /* 16 */
+    uint8_t  node_depth;    /* 17 */
+    uint8_t  inner_length;  /* 18 */
+    uint8_t  reserved[14];  /* 32 */
+    uint8_t  salt[BLAKE2B_SALTBYTES]; /* 48 */
+    uint8_t  personal[BLAKE2B_PERSONALBYTES];  /* 64 */
+  });
+
+  typedef struct blake2b_param__ blake2b_param;
+
+  typedef struct blake2xs_state__
+  {
+    blake2s_state S[1];
+    blake2s_param P[1];
+  } blake2xs_state;
+
+  typedef struct blake2xb_state__
+  {
+    blake2b_state S[1];
+    blake2b_param P[1];
+  } blake2xb_state;
+
+  /* Padded structs result in a compile-time error */
+  enum {
+    BLAKE2_DUMMY_1 = 1/(int)(sizeof(blake2s_param) == BLAKE2S_OUTBYTES),
+    BLAKE2_DUMMY_2 = 1/(int)(sizeof(blake2b_param) == BLAKE2B_OUTBYTES)
+  };
+
+  /* Streaming API */
+  int blake2s_init( blake2s_state *S, size_t outlen );
+  int blake2s_init_key( blake2s_state *S, size_t outlen, const void *key, size_t keylen );
+  int blake2s_init_param( blake2s_state *S, const blake2s_param *P );
+  int blake2s_update( blake2s_state *S, const void *in, size_t inlen );
+  int blake2s_final( blake2s_state *S, void *out, size_t outlen );
+
+  int blake2b_init( blake2b_state *S, size_t outlen );
+  int blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen );
+  int blake2b_init_param( blake2b_state *S, const blake2b_param *P );
+  int blake2b_update( blake2b_state *S, const void *in, size_t inlen );
+  int blake2b_final( blake2b_state *S, void *out, size_t outlen );
+
+  int blake2sp_init( blake2sp_state *S, size_t outlen );
+  int blake2sp_init_key( blake2sp_state *S, size_t outlen, const void *key, size_t keylen );
+  int blake2sp_update( blake2sp_state *S, const void *in, size_t inlen );
+  int blake2sp_final( blake2sp_state *S, void *out, size_t outlen );
+
+  int blake2bp_init( blake2bp_state *S, size_t outlen );
+  int blake2bp_init_key( blake2bp_state *S, size_t outlen, const void *key, size_t keylen );
+  int blake2bp_update( blake2bp_state *S, const void *in, size_t inlen );
+  int blake2bp_final( blake2bp_state *S, void *out, size_t outlen );
+
+  /* Variable output length API */
+  int blake2xs_init( blake2xs_state *S, const size_t outlen );
+  int blake2xs_init_key( blake2xs_state *S, const size_t outlen, const void *key, size_t keylen );
+  int blake2xs_update( blake2xs_state *S, const void *in, size_t inlen );
+  int blake2xs_final(blake2xs_state *S, void *out, size_t outlen);
+
+  int blake2xb_init( blake2xb_state *S, const size_t outlen );
+  int blake2xb_init_key( blake2xb_state *S, const size_t outlen, const void *key, size_t keylen );
+  int blake2xb_update( blake2xb_state *S, const void *in, size_t inlen );
+  int blake2xb_final(blake2xb_state *S, void *out, size_t outlen);
+
+  /* Simple API */
+  int blake2s( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
+  int blake2b( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
+
+  int blake2sp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
+  int blake2bp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
+
+  int blake2xs( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
+  int blake2xb( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
+
+  /* This is simply an alias for blake2b */
+  int blake2( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif

src/libs/blake2b-ref.c

@@ -0,0 +1,379 @@
+/*
+   BLAKE2 reference source code package - reference C implementations
+
+   Copyright 2012, Samuel Neves <sneves@dei.uc.pt>.  You may use this under the
+   terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at
+   your option.  The terms of these licenses can be found at:
+
+   - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
+   - OpenSSL license   : https://www.openssl.org/source/license.html
+   - Apache 2.0        : http://www.apache.org/licenses/LICENSE-2.0
+
+   More information about the BLAKE2 hash function can be found at
+   https://blake2.net.
+*/
+
+#include <stdint.h>
+#include <string.h>
+#include <stdio.h>
+
+#include "blake2.h"
+#include "blake2-impl.h"
+
+static const uint64_t blake2b_IV[8] =
+{
+  0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL,
+  0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL,
+  0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
+  0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL
+};
+
+static const uint8_t blake2b_sigma[12][16] =
+{
+  {  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15 } ,
+  { 14, 10,  4,  8,  9, 15, 13,  6,  1, 12,  0,  2, 11,  7,  5,  3 } ,
+  { 11,  8, 12,  0,  5,  2, 15, 13, 10, 14,  3,  6,  7,  1,  9,  4 } ,
+  {  7,  9,  3,  1, 13, 12, 11, 14,  2,  6,  5, 10,  4,  0, 15,  8 } ,
+  {  9,  0,  5,  7,  2,  4, 10, 15, 14,  1, 11, 12,  6,  8,  3, 13 } ,
+  {  2, 12,  6, 10,  0, 11,  8,  3,  4, 13,  7,  5, 15, 14,  1,  9 } ,
+  { 12,  5,  1, 15, 14, 13,  4, 10,  0,  7,  6,  3,  9,  2,  8, 11 } ,
+  { 13, 11,  7, 14, 12,  1,  3,  9,  5,  0, 15,  4,  8,  6,  2, 10 } ,
+  {  6, 15, 14,  9, 11,  3,  0,  8, 12,  2, 13,  7,  1,  4, 10,  5 } ,
+  { 10,  2,  8,  4,  7,  6,  1,  5, 15, 11,  9, 14,  3, 12, 13 , 0 } ,
+  {  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15 } ,
+  { 14, 10,  4,  8,  9, 15, 13,  6,  1, 12,  0,  2, 11,  7,  5,  3 }
+};
+
+
+static void blake2b_set_lastnode( blake2b_state *S )
+{
+  S->f[1] = (uint64_t)-1;
+}
+
+/* Some helper functions, not necessarily useful */
+static int blake2b_is_lastblock( const blake2b_state *S )
+{
+  return S->f[0] != 0;
+}
+
+static void blake2b_set_lastblock( blake2b_state *S )
+{
+  if( S->last_node ) blake2b_set_lastnode( S );
+
+  S->f[0] = (uint64_t)-1;
+}
+
+static void blake2b_increment_counter( blake2b_state *S, const uint64_t inc )
+{
+  S->t[0] += inc;
+  S->t[1] += ( S->t[0] < inc );
+}
+
+static void blake2b_init0( blake2b_state *S )
+{
+  size_t i;
+  memset( S, 0, sizeof( blake2b_state ) );
+
+  for( i = 0; i < 8; ++i ) S->h[i] = blake2b_IV[i];
+}
+
+/* init xors IV with input parameter block */
+int blake2b_init_param( blake2b_state *S, const blake2b_param *P )
+{
+  const uint8_t *p = ( const uint8_t * )( P );
+  size_t i;
+
+  blake2b_init0( S );
+
+  /* IV XOR ParamBlock */
+  for( i = 0; i < 8; ++i )
+    S->h[i] ^= load64( p + sizeof( S->h[i] ) * i );
+
+  S->outlen = P->digest_length;
+  return 0;
+}
+
+
+
+int blake2b_init( blake2b_state *S, size_t outlen )
+{
+  blake2b_param P[1];
+
+  if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return -1;
+
+  P->digest_length = (uint8_t)outlen;
+  P->key_length    = 0;
+  P->fanout        = 1;
+  P->depth         = 1;
+  store32( &P->leaf_length, 0 );
+  store32( &P->node_offset, 0 );
+  store32( &P->xof_length, 0 );
+  P->node_depth    = 0;
+  P->inner_length  = 0;
+  memset( P->reserved, 0, sizeof( P->reserved ) );
+  memset( P->salt,     0, sizeof( P->salt ) );
+  memset( P->personal, 0, sizeof( P->personal ) );
+  return blake2b_init_param( S, P );
+}
+
+
+int blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen )
+{
+  blake2b_param P[1];
+
+  if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return -1;
+
+  if ( !key || !keylen || keylen > BLAKE2B_KEYBYTES ) return -1;
+
+  P->digest_length = (uint8_t)outlen;
+  P->key_length    = (uint8_t)keylen;
+  P->fanout        = 1;
+  P->depth         = 1;
+  store32( &P->leaf_length, 0 );
+  store32( &P->node_offset, 0 );
+  store32( &P->xof_length, 0 );
+  P->node_depth    = 0;
+  P->inner_length  = 0;
+  memset( P->reserved, 0, sizeof( P->reserved ) );
+  memset( P->salt,     0, sizeof( P->salt ) );
+  memset( P->personal, 0, sizeof( P->personal ) );
+
+  if( blake2b_init_param( S, P ) < 0 ) return -1;
+
+  {
+    uint8_t block[BLAKE2B_BLOCKBYTES];
+    memset( block, 0, BLAKE2B_BLOCKBYTES );
+    memcpy( block, key, keylen );
+    blake2b_update( S, block, BLAKE2B_BLOCKBYTES );
+    secure_zero_memory( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */
+  }
+  return 0;
+}
+
+#define G(r,i,a,b,c,d)                      \
+  do {                                      \
+    a = a + b + m[blake2b_sigma[r][2*i+0]]; \
+    d = rotr64(d ^ a, 32);                  \
+    c = c + d;                              \
+    b = rotr64(b ^ c, 24);                  \
+    a = a + b + m[blake2b_sigma[r][2*i+1]]; \
+    d = rotr64(d ^ a, 16);                  \
+    c = c + d;                              \
+    b = rotr64(b ^ c, 63);                  \
+  } while(0)
+
+#define ROUND(r)                    \
+  do {                              \
+    G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
+    G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
+    G(r,2,v[ 2],v[ 6],v[10],v[14]); \
+    G(r,3,v[ 3],v[ 7],v[11],v[15]); \
+    G(r,4,v[ 0],v[ 5],v[10],v[15]); \
+    G(r,5,v[ 1],v[ 6],v[11],v[12]); \
+    G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
+    G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
+  } while(0)
+
+static void blake2b_compress( blake2b_state *S, const uint8_t block[BLAKE2B_BLOCKBYTES] )
+{
+  uint64_t m[16];
+  uint64_t v[16];
+  size_t i;
+
+  for( i = 0; i < 16; ++i ) {
+    m[i] = load64( block + i * sizeof( m[i] ) );
+  }
+
+  for( i = 0; i < 8; ++i ) {
+    v[i] = S->h[i];
+  }
+
+  v[ 8] = blake2b_IV[0];
+  v[ 9] = blake2b_IV[1];
+  v[10] = blake2b_IV[2];
+  v[11] = blake2b_IV[3];
+  v[12] = blake2b_IV[4] ^ S->t[0];
+  v[13] = blake2b_IV[5] ^ S->t[1];
+  v[14] = blake2b_IV[6] ^ S->f[0];
+  v[15] = blake2b_IV[7] ^ S->f[1];
+
+  ROUND( 0 );
+  ROUND( 1 );
+  ROUND( 2 );
+  ROUND( 3 );
+  ROUND( 4 );
+  ROUND( 5 );
+  ROUND( 6 );
+  ROUND( 7 );
+  ROUND( 8 );
+  ROUND( 9 );
+  ROUND( 10 );
+  ROUND( 11 );
+
+  for( i = 0; i < 8; ++i ) {
+    S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];
+  }
+}
+
+#undef G
+#undef ROUND
+
+int blake2b_update( blake2b_state *S, const void *pin, size_t inlen )
+{
+  const unsigned char * in = (const unsigned char *)pin;
+  if( inlen > 0 )
+  {
+    size_t left = S->buflen;
+    size_t fill = BLAKE2B_BLOCKBYTES - left;
+    if( inlen > fill )
+    {
+      S->buflen = 0;
+      memcpy( S->buf + left, in, fill ); /* Fill buffer */
+      blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES );
+      blake2b_compress( S, S->buf ); /* Compress */
+      in += fill; inlen -= fill;
+      while(inlen > BLAKE2B_BLOCKBYTES) {
+        blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES);
+        blake2b_compress( S, in );
+        in += BLAKE2B_BLOCKBYTES;
+        inlen -= BLAKE2B_BLOCKBYTES;
+      }
+    }
+    memcpy( S->buf + S->buflen, in, inlen );
+    S->buflen += inlen;
+  }
+  return 0;
+}
+
+int blake2b_final( blake2b_state *S, void *out, size_t outlen )
+{
+  uint8_t buffer[BLAKE2B_OUTBYTES] = {0};
+  size_t i;
+
+  if( out == NULL || outlen < S->outlen )
+    return -1;
+
+  if( blake2b_is_lastblock( S ) )
+    return -1;
+
+  blake2b_increment_counter( S, S->buflen );
+  blake2b_set_lastblock( S );
+  memset( S->buf + S->buflen, 0, BLAKE2B_BLOCKBYTES - S->buflen ); /* Padding */
+  blake2b_compress( S, S->buf );
+
+  for( i = 0; i < 8; ++i ) /* Output full hash to temp buffer */
+    store64( buffer + sizeof( S->h[i] ) * i, S->h[i] );
+
+  memcpy( out, buffer, S->outlen );
+  secure_zero_memory(buffer, sizeof(buffer));
+  return 0;
+}
+
+/* inlen, at least, should be uint64_t. Others can be size_t. */
+int blake2b( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen )
+{
+  blake2b_state S[1];
+
+  /* Verify parameters */
+  if ( NULL == in && inlen > 0 ) return -1;
+
+  if ( NULL == out ) return -1;
+
+  if( NULL == key && keylen > 0 ) return -1;
+
+  if( !outlen || outlen > BLAKE2B_OUTBYTES ) return -1;
+
+  if( keylen > BLAKE2B_KEYBYTES ) return -1;
+
+  if( keylen > 0 )
+  {
+    if( blake2b_init_key( S, outlen, key, keylen ) < 0 ) return -1;
+  }
+  else
+  {
+    if( blake2b_init( S, outlen ) < 0 ) return -1;
+  }
+
+  blake2b_update( S, ( const uint8_t * )in, inlen );
+  blake2b_final( S, out, outlen );
+  return 0;
+}
+
+int blake2( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ) {
+  return blake2b(out, outlen, in, inlen, key, keylen);
+}
+
+#if defined(SUPERCOP)
+int crypto_hash( unsigned char *out, unsigned char *in, unsigned long long inlen )
+{
+  return blake2b( out, BLAKE2B_OUTBYTES, in, inlen, NULL, 0 );
+}
+#endif
+
+#if defined(BLAKE2B_SELFTEST)
+#include <string.h>
+#include "blake2-kat.h"
+int main( void )
+{
+  uint8_t key[BLAKE2B_KEYBYTES];
+  uint8_t buf[BLAKE2_KAT_LENGTH];
+  size_t i, step;
+
+  for( i = 0; i < BLAKE2B_KEYBYTES; ++i )
+    key[i] = ( uint8_t )i;
+
+  for( i = 0; i < BLAKE2_KAT_LENGTH; ++i )
+    buf[i] = ( uint8_t )i;
+
+  /* Test simple API */
+  for( i = 0; i < BLAKE2_KAT_LENGTH; ++i )
+  {
+    uint8_t hash[BLAKE2B_OUTBYTES];
+    blake2b( hash, BLAKE2B_OUTBYTES, buf, i, key, BLAKE2B_KEYBYTES );
+
+    if( 0 != memcmp( hash, blake2b_keyed_kat[i], BLAKE2B_OUTBYTES ) )
+    {
+      goto fail;
+    }
+  }
+
+  /* Test streaming API */
+  for(step = 1; step < BLAKE2B_BLOCKBYTES; ++step) {
+    for (i = 0; i < BLAKE2_KAT_LENGTH; ++i) {
+      uint8_t hash[BLAKE2B_OUTBYTES];
+      blake2b_state S;
+      uint8_t * p = buf;
+      size_t mlen = i;
+      int err = 0;
+
+      if( (err = blake2b_init_key(&S, BLAKE2B_OUTBYTES, key, BLAKE2B_KEYBYTES)) < 0 ) {
+        goto fail;
+      }
+
+      while (mlen >= step) {
+        if ( (err = blake2b_update(&S, p, step)) < 0 ) {
+          goto fail;
+        }
+        mlen -= step;
+        p += step;
+      }
+      if ( (err = blake2b_update(&S, p, mlen)) < 0) {
+        goto fail;
+      }
+      if ( (err = blake2b_final(&S, hash, BLAKE2B_OUTBYTES)) < 0) {
+        goto fail;
+      }
+
+      if (0 != memcmp(hash, blake2b_keyed_kat[i], BLAKE2B_OUTBYTES)) {
+        goto fail;
+      }
+    }
+  }
+
+  puts( "ok" );
+  return 0;
+fail:
+  puts("error");
+  return -1;
+}
+#endif

src/limiter.c

@@ -0,0 +1,204 @@
+/*
+   3APA3A simplest proxy server
+   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
+
+   please read License Agreement
+
+*/
+
+#include "proxy.h"
+
+int startconnlims (struct clientparam *param){
+	struct connlim * ce;
+	time_t delta;
+	uint64_t rating;
+	int ret = 0;
+
+	param->connlim = 1;
+	_3proxy_mutex_lock(&connlim_mutex);
+	for(ce = conf.connlimiter; ce; ce = ce->next) {
+		if(ACLmatches(ce->ace, param)){
+			if(ce->ace->action == NOCONNLIM)break;
+			if(!ce->period){
+				if(ce->rate <= ce->rating) {
+					ret = 1;
+					break;
+				}
+				ce->rating++;
+				continue;
+			}
+			delta = conf.time - ce->basetime;
+			if(ce->period <= delta || ce->basetime > conf.time){
+				ce->basetime = conf.time;
+				ce->rating = 0x100000;
+				continue;
+			}
+			rating = delta? ((ce->rating * (ce->period - delta)) / ce->period) + 0x100000 : ce->rating + 0x100000;
+			if (rating > (ce->rate<<20)) {
+				ret = 2;
+				break;
+			}
+			ce->rating = rating;
+			ce->basetime = conf.time;
+		}
+	}
+	if(ret) {
+		struct connlim * cee;
+		for(cee = conf.connlimiter; cee != ce; cee = cee->next) {
+			if(ACLmatches(cee->ace, param) && !cee->period && cee->rating) {
+				cee->rating--;
+			}
+		}
+		param->connlim = 0;
+	}
+	_3proxy_mutex_unlock(&connlim_mutex);
+	return ret;
+}
+
+void stopconnlims (struct clientparam *param){
+	struct connlim * ce;
+
+	_3proxy_mutex_lock(&connlim_mutex);
+	for(ce = conf.connlimiter; ce; ce = ce->next) {
+		if(ACLmatches(ce->ace, param)){
+			if(ce->ace->action == NOCONNLIM)break;
+			if(!ce->period && ce->rating){
+				ce->rating--;
+				continue;
+			}
+		}
+	}
+	_3proxy_mutex_unlock(&connlim_mutex);
+}
+
+void initbandlims (struct clientparam *param){
+	struct bandlim * be;
+	int i;
+
+	param->bandlimfunc = NULL;
+	param->bandlims[0] = NULL;
+	param->bandlimsout[0] = NULL;
+	if(!conf.bandlimfunc || (!conf.bandlimiter && !conf.bandlimiterout)) return;
+	for(i=0, be = conf.bandlimiter; be && i<MAXBANDLIMS; be = be->next) {
+		if(ACLmatches(be->ace, param)){
+			if(be->ace->action == NOBANDLIM) {
+				break;
+			}
+			param->bandlims[i++] = be;
+			param->bandlimfunc = conf.bandlimfunc;
+		}
+	}
+	if(i<MAXBANDLIMS)param->bandlims[i] = NULL;
+	for(i=0, be = conf.bandlimiterout; be && i<MAXBANDLIMS; be = be->next) {
+		if(ACLmatches(be->ace, param)){
+			if(be->ace->action == NOBANDLIM) {
+				break;
+			}
+			param->bandlimsout[i++] = be;
+			param->bandlimfunc = conf.bandlimfunc;
+		}
+	}
+	if(i<MAXBANDLIMS)param->bandlimsout[i] = NULL;
+	param->bandlimver = conf.bandlimver;
+}
+
+unsigned bandlimitfunc(struct clientparam *param, unsigned nbytesin, unsigned nbytesout){
+	unsigned sleeptime = 0, nsleeptime;
+	time_t sec;
+	unsigned msec;
+	unsigned now;
+	int i;
+
+#ifdef _WIN32
+	struct timeb tb;
+
+	ftime(&tb);
+	sec = (unsigned)tb.time;
+	msec = (unsigned)tb.millitm*1000;
+#else
+	struct timeval tv;
+	gettimeofday(&tv, NULL);
+
+	sec = tv.tv_sec;
+	msec = tv.tv_usec;
+#endif
+
+	if(!nbytesin && !nbytesout) return 0;
+	_3proxy_mutex_lock(&bandlim_mutex);
+	if(param->bandlimver != conf.bandlimver){
+		initbandlims(param);
+		param->bandlimver = conf.bandlimver;
+	}
+	for(i=0; nbytesin&& i<MAXBANDLIMS && param->bandlims[i]; i++){
+		if( !param->bandlims[i]->basetime ||
+			param->bandlims[i]->basetime > sec ||
+			param->bandlims[i]->basetime < (sec - 120)
+		  )
+		{
+			param->bandlims[i]->basetime = sec;
+			param->bandlims[i]->nexttime = 0;
+			continue;
+		}
+		now = (unsigned)((sec - param->bandlims[i]->basetime) * 1000000) + msec;
+		nsleeptime = (param->bandlims[i]->nexttime > now)?
+			param->bandlims[i]->nexttime - now : 0;
+		sleeptime = (nsleeptime > sleeptime)? nsleeptime : sleeptime;
+		param->bandlims[i]->basetime = sec;
+		param->bandlims[i]->nexttime = msec + nsleeptime + (((uint64_t)nbytesin * 8 * 1000000) / param->bandlims[i]->rate);
+	}
+	for(i=0; nbytesout && i<MAXBANDLIMS && param->bandlimsout[i]; i++){
+		if( !param->bandlimsout[i]->basetime ||
+			param->bandlimsout[i]->basetime > sec ||
+			param->bandlimsout[i]->basetime < (sec - 120)
+		  )
+		{
+			param->bandlimsout[i]->basetime = sec;
+			param->bandlimsout[i]->nexttime = 0;
+			continue;
+		}
+		now = (unsigned)((sec - param->bandlimsout[i]->basetime) * 1000000) + msec;
+		nsleeptime = (param->bandlimsout[i]->nexttime > now)?
+			param->bandlimsout[i]->nexttime - now : 0;
+		sleeptime = (nsleeptime > sleeptime)? nsleeptime : sleeptime;
+		param->bandlimsout[i]->basetime = sec;
+		param->bandlimsout[i]->nexttime = msec + nsleeptime + ((nbytesout > 512)? ((nbytesout+32)/64)*((64*8*1000000)/param->bandlimsout[i]->rate) : ((nbytesout+1)* (8*1000000))/param->bandlimsout[i]->rate);
+	}
+	_3proxy_mutex_unlock(&bandlim_mutex);
+	return sleeptime/1000;
+}
+
+void trafcountfunc(struct clientparam *param){
+	struct trafcount * tc;
+	int countout = 0;
+
+	_3proxy_mutex_lock(&tc_mutex);
+	for(tc = conf.trafcounter; tc; tc = tc->next) {
+		if(ACLmatches(tc->ace, param)){
+
+			if(tc->ace->action == NOCOUNTIN) {
+				countout = 1;
+				break;
+			}
+			if(tc->ace->action == NOCOUNTALL) break;
+			if(tc->ace->action != COUNTIN && tc->ace->action != COUNTALL) {
+				countout = 1;
+				continue;
+			}
+			tc->traf64 += param->statssrv64;
+			tc->updated = conf.time;
+		}
+	}
+	if(countout) for(tc = conf.trafcounter; tc; tc = tc->next) {
+		if(ACLmatches(tc->ace, param)){
+			if(tc->ace->action == NOCOUNTOUT || tc->ace->action == NOCOUNTALL) break;
+			if(tc->ace->action != COUNTOUT && tc->ace->action != COUNTALL ) {
+				continue;
+			}
+			tc->traf64 += param->statscli64;
+			tc->updated = conf.time;
+		}
+	}
+
+	_3proxy_mutex_unlock(&tc_mutex);
+}
+

src/log.c

@@ -1,5 +1,5 @@
 /*
-   3APA3A simpliest proxy server
+   3APA3A simplest proxy server
    (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
 
    please read License Agreement
@@ -10,7 +10,7 @@
 
 
 #include "proxy.h"
-pthread_mutex_t log_mutex;
+_3proxy_mutex_t log_mutex;
 int havelog = 0;
 
 

src/plugins.c

@@ -1,5 +1,5 @@
 /*
-   3APA3A simpliest proxy server
+   3APA3A simplest proxy server
    (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
 
    please read License Agreement
@@ -11,8 +11,6 @@
 unsigned bandlimitfunc(struct clientparam *param, unsigned nbytesin, unsigned nbytesout);
 void trafcountfunc(struct clientparam *param);
 int checkACL(struct clientparam * param);
-void nametohash(const unsigned char * name, unsigned char *hash, unsigned char *rnd);
-unsigned hashindex(struct hashtable *ht, const unsigned char* hash);
 void decodeurl(unsigned char *s, int allowcr);
 int parsestr (unsigned char *str, unsigned char **argm, int nitems, unsigned char ** buff, int *inbuf, int *bufsize);
 struct ace * make_ace (int argc, unsigned char ** argv);
@@ -45,38 +43,34 @@ struct symbol symbols[] = {
 	{symbols+18, "ipauth", (void *) ipauth},
 	{symbols+19, "strongauth", (void *) strongauth},
 	{symbols+20, "checkACL", (void *) checkACL},
-	{symbols+21, "nametohash", (void *) nametohash},
+	{symbols+21, "nservers", (void *) nservers},
-	{symbols+22, "hashindex", (void *) hashindex},
+	{symbols+22, "udpresolve", (void *) udpresolve},
-	{symbols+23, "nservers", (void *) nservers},
+	{symbols+23, "bandlim_mutex", (void *) &bandlim_mutex},
-	{symbols+24, "udpresolve", (void *) udpresolve},
+	{symbols+24, "tc_mutex", (void *) &tc_mutex},
-	{symbols+25, "bandlim_mutex", (void *) &bandlim_mutex},
+	{symbols+25, "linenum", (void *) &linenum},
-	{symbols+26, "tc_mutex", (void *) &tc_mutex},
+	{symbols+26, "proxy_stringtable", (void *) proxy_stringtable},
-	{symbols+27, "hash_mutex", (void *) &hash_mutex},
+	{symbols+27, "en64", (void *) en64},
-	{symbols+28, "pwl_mutex", (void *) &pwl_mutex},
+	{symbols+28, "de64", (void *) de64},
-	{symbols+29, "linenum", (void *) &linenum},
+	{symbols+29, "tohex", (void *) tohex},
-	{symbols+30, "proxy_stringtable", (void *) proxy_stringtable},
+	{symbols+30, "fromhex", (void *) fromhex},
-	{symbols+31, "en64", (void *) en64},
+	{symbols+31, "dnspr", (void *) dnsprchild},
-	{symbols+32, "de64", (void *) de64},
+	{symbols+32, "pop3p", (void *) pop3pchild},
-	{symbols+33, "tohex", (void *) tohex},
+	{symbols+33, "proxy", (void *) proxychild},
-	{symbols+34, "fromhex", (void *) fromhex},
+	{symbols+34, "socks", (void *) sockschild},
-	{symbols+35, "dnspr", (void *) dnsprchild},
+	{symbols+35, "tcppm", (void *) tcppmchild},
-	{symbols+36, "pop3p", (void *) pop3pchild},
+	{symbols+36, "udppm", (void *) udppmchild},
-	{symbols+37, "proxy", (void *) proxychild},
+	{symbols+37, "admin", (void *) adminchild},
-	{symbols+38, "socks", (void *) sockschild},
+	{symbols+38, "ftppr", (void *) ftpprchild},
-	{symbols+39, "tcppm", (void *) tcppmchild},
+	{symbols+39, "smtpp", (void *) smtppchild},
-	{symbols+40, "udppm", (void *) udppmchild},
+	{symbols+40, "auto", (void *) smtppchild},
-	{symbols+41, "admin", (void *) adminchild},
+	{symbols+41, "tlspr", (void *) smtppchild},
-	{symbols+42, "ftppr", (void *) ftpprchild},
+	{symbols+42, "authfuncs", (void *) &authfuncs},
-	{symbols+43, "smtpp", (void *) smtppchild},
+	{symbols+43, "commandhandlers", (void *) &commandhandlers},
-	{symbols+44, "auto", (void *) smtppchild},
+	{symbols+44, "decodeurl", (void *) decodeurl},
-	{symbols+45, "tlspr", (void *) smtppchild},
+	{symbols+45, "parsestr", (void *) parsestr},
-	{symbols+46, "authfuncs", (void *) &authfuncs},
+	{symbols+46, "make_ace", (void *) make_ace},
-	{symbols+47, "commandhandlers", (void *) &commandhandlers},
+	{symbols+47, "freeacl", (void *) freeacl},
-	{symbols+48, "decodeurl", (void *) decodeurl},
+	{symbols+48, "handleredirect", (void *) handleredirect},
-	{symbols+49, "parsestr", (void *) parsestr},
-	{symbols+50, "make_ace", (void *) make_ace},
-	{symbols+51, "freeacl", (void *) freeacl},
-	{symbols+52, "handleredirect", (void *) handleredirect},
 	{NULL, "", NULL}
 };
 
@@ -111,8 +105,6 @@ struct pluginlink pluginlink = {
 	ACLmatches,		
 	alwaysauth,
 	checkACL,
-	nametohash,
-	hashindex,
 	en64,
 	de64,
 	tohex,

src/plugins/FilePlugin/FilePlugin.c

@@ -45,7 +45,7 @@ extern "C" {
 
 static struct pluginlink * pl;
 
-static pthread_mutex_t file_mutex;
+static _3proxy_mutex_t file_mutex;
 
 unsigned long preview = 0;
 
@@ -207,7 +207,7 @@ static void closefiles(struct fp_stream *fps){
 static int searchsocket(SOCKET s, struct fp_stream **pfps){
 	struct fp_stream *fps = NULL;
 	int ret = 0;
-	pthread_mutex_lock(&file_mutex);
+	_3proxy_mutex_lock(&file_mutex);
 	for(fps = fp_streams; fps; fps = fps->next){
 		if(fps->fpd.cp->clisock == s) {
 			ret = 1;
@@ -222,7 +222,7 @@ static int searchsocket(SOCKET s, struct fp_stream **pfps){
 			break;
 		}
 	}
-	pthread_mutex_unlock(&file_mutex);
+	_3proxy_mutex_unlock(&file_mutex);
 	*pfps = fps;
 	return ret;
 }
@@ -235,7 +235,7 @@ static void freecallback(struct fp_stream * fps, struct fp_callback * fpc){
 
 static void removefps(struct fp_stream * fps){
 	if(!fp_streams) return;
-	pthread_mutex_lock(&file_mutex);
+	_3proxy_mutex_lock(&file_mutex);
 	if(fp_streams == fps)fp_streams = fps->next;
 	else {
 		struct fp_stream *fps2;
@@ -248,7 +248,7 @@ static void removefps(struct fp_stream * fps){
 		}
 		
 	}
-	pthread_mutex_unlock(&file_mutex);
+	_3proxy_mutex_unlock(&file_mutex);
 	if(fps->callbacks){
 		freecallback(fps, fps->callbacks);
 		fps->callbacks = 0;
@@ -287,7 +287,7 @@ void processcallbacks(struct fp_stream *fps, int what, char *msg, int size){
 			case  GOT_SMTP_REQ:
 			case  GOT_SMTP_DATA:
 				fps->state = FLUSH_DATA;
-				pl->socksend(fps->fpd.cp->sostate,fps->fpd.cp->clisock, fp_stringtable[1], (int)strlen(fp_stringtable[1]), pl->conf->timeouts[STRING_S]);
+				pl->socksend(fps->fpd.cp->sostate,fps->fpd.cp->clisock, (unsigned char *)fp_stringtable[1], (int)strlen((char *)fp_stringtable[1]), pl->conf->timeouts[STRING_S]);
 				fps->state = state;
 				break;
 			case GOT_HTTP_REQUEST:
@@ -299,7 +299,7 @@ void processcallbacks(struct fp_stream *fps, int what, char *msg, int size){
 			case GOT_HTTP_SRVDATA:
 				if(!fps->serversent){
 					fps->state = FLUSH_DATA;
-					pl->socksend(fps->fpd.cp->sostate, fps->fpd.cp->clisock, fp_stringtable[0], (int)strlen(fp_stringtable[0]), pl->conf->timeouts[STRING_S]);
+					pl->socksend(fps->fpd.cp->sostate, fps->fpd.cp->clisock, (unsigned char *)fp_stringtable[0], (int)strlen((char *)fp_stringtable[0]), pl->conf->timeouts[STRING_S]);
 					fps->state = state;
 				}
 				break;
@@ -307,7 +307,7 @@ void processcallbacks(struct fp_stream *fps, int what, char *msg, int size){
 			case GOT_FTP_REQ:
 			case GOT_FTP_SRVDATA:
 				fps->state = FLUSH_DATA;
-				pl->socksend(fps->fpd.cp->sostate, fps->fpd.cp->ctrlsock, fp_stringtable[1], (int)strlen(fp_stringtable[1]), pl->conf->timeouts[STRING_S]);
+				pl->socksend(fps->fpd.cp->sostate, fps->fpd.cp->ctrlsock, (unsigned char *)fp_stringtable[1], (int)strlen((char *)fp_stringtable[1]), pl->conf->timeouts[STRING_S]);
 				fps->state = state;
 				break;
 			default:
@@ -359,7 +359,7 @@ static int copyfdtosock(struct fp_stream * fps, DIRECTION which, long len){
 			if(fps->serversent >= fps->srvhdrwritten){
 				sprintf(fps->buf, "%lx\r\n", len);
 				sendchunk = (int)strlen(fps->buf);
-				if(pl->socksend(fps->fpd.cp->sostate, fps->fpd.cp->clisock, fps->buf, sendchunk, pl->conf->timeouts[STRING_S]) != sendchunk){
+				if(pl->socksend(fps->fpd.cp->sostate, fps->fpd.cp->clisock, (unsigned char *)fps->buf, sendchunk, pl->conf->timeouts[STRING_S]) != sendchunk){
 					return -4;
 				}
 			} 
@@ -398,20 +398,24 @@ static int copyfdtosock(struct fp_stream * fps, DIRECTION which, long len){
 #endif
 			return -3;
 		}
-		if(pl->socksend(fps->fpd.cp->sostate, sock, fps->buf, res, pl->conf->timeouts[STRING_S]) != res) {
+		if(pl->socksend(fps->fpd.cp->sostate, sock, (unsigned char *)fps->buf, res, pl->conf->timeouts[STRING_S]) != res) {
 			return -4;
 		}
 		len -= res;
 	}
 	if(sendchunk){
-		if(pl->socksend(fps->fpd.cp->sostate, sock, "\r\n", 2, pl->conf->timeouts[STRING_S]) != 2)
+		if(pl->socksend(fps->fpd.cp->sostate, sock, (unsigned char *)"\r\n", 2, pl->conf->timeouts[STRING_S]) != 2)
 			return -4;
 	}
 	fps->state = state;
 	return 0;
 }
 
+#ifdef _WIN32
 static int WINAPI fp_poll(void *state, struct pollfd *fds, unsigned int nfds, int timeout){
+#else
+static int fp_poll(void *state, struct pollfd *fds, nfds_t nfds, int timeout){
+#endif
  struct fp_stream *fps = NULL;
  int res;
  unsigned i;
@@ -458,7 +462,11 @@ static int WINAPI fp_poll(void *state, struct pollfd *fds, unsigned int nfds, in
  return sso._poll(sso.state, fds, nfds, timeout);
 }
 
-static fp_ssize_t WINAPI fp_send(void *state, SOCKET s, const char *msg, fp_size_t len, int flags){
+#ifdef _WIN32
+static int WINAPI fp_send(void *state, SOCKET s, const char *msg, int len, int flags){
+#else
+static fp_ssize_t fp_send(void *state, SOCKET s, const void *msg, size_t len, int flags){
+#endif
  struct fp_stream *fps = NULL;
  int res;
  res = searchsocket(s, &fps);
@@ -499,7 +507,7 @@ static fp_ssize_t WINAPI fp_send(void *state, SOCKET s, const char *msg, fp_size
 		int hasnonzero = 0, i;
 		
 		for(i=0; i < len; i++){
-			char c = msg[i];
+			char c = ((char *)msg)[i];
 
 			if(c == '\r' || c == '\n') continue;
 			if((c<'0'|| c>'9') && (c<'A' || c>'F') && (c<'a' || c>'f')) {
@@ -542,7 +550,12 @@ static fp_ssize_t WINAPI fp_send(void *state, SOCKET s, const char *msg, fp_size
  }
  return sso._send(sso.state, s, msg, len, flags);
 }
-static fp_ssize_t WINAPI fp_sendto(void *state, SOCKET s, const void *msg, int len, int flags, const struct sockaddr *to, fp_size_t tolen){
+#ifdef _WIN32
+static int WINAPI fp_sendto(void *state, SOCKET s, const char *msg, int len, int flags, const struct sockaddr *to, int tolen
+#else
+static fp_ssize_t fp_sendto(void *state, SOCKET s, const void *msg, fp_size_t len, int flags, const struct sockaddr *to, SASIZETYPE tolen
+#endif
+){
  struct fp_stream *fps = NULL;
  int res;
  res = searchsocket(s, &fps);
@@ -660,10 +673,20 @@ static fp_ssize_t WINAPI fp_sendto(void *state, SOCKET s, const void *msg, int l
  }
  return sso._sendto(sso.state, s, msg, len, flags, to, tolen);
 }
-static fp_ssize_t WINAPI fp_recv(void *state, SOCKET s, void *buf, fp_size_t len, int flags){
+#ifdef _WIN32
+static int WINAPI fp_recv(void *state, SOCKET s, char *buf, int len, int flags
+#else
+static fp_ssize_t fp_recv(void *state, SOCKET s, void *buf, fp_size_t len, int flags
+#endif
+){
  return sso._recv(sso.state, s, buf, len, flags);
 }
-static fp_ssize_t WINAPI fp_recvfrom(void *state, SOCKET s, void * buf, fp_size_t len, int flags, struct sockaddr * from, fp_size_t * fromlen){
+#ifdef _WIN32
+static int WINAPI fp_recvfrom(void *state, SOCKET s, char *buf, int len, int flags, struct sockaddr * from, int * fromlen
+#else
+static fp_ssize_t fp_recvfrom(void *state, SOCKET s, void *buf, fp_size_t len, int flags, struct sockaddr * from, SASIZETYPE * fromlen
+#endif
+){
  return sso._recvfrom(sso.state, s, buf, len, flags, from, fromlen);
 }
 static int WINAPI fp_shutdown(void *state, SOCKET s, int how){
@@ -731,7 +754,7 @@ static int fp_registercallback (int what, int max_size, int preview_size, struct
  fpc->max_size = max_size;
  fpc->data = data;
  fpc->callback = cb;
- pthread_mutex_lock(&file_mutex);
+ _3proxy_mutex_lock(&file_mutex);
  fps = addfps(cp);
  if(fps){
 	 fpc->next = fps->callbacks;
@@ -740,7 +763,7 @@ static int fp_registercallback (int what, int max_size, int preview_size, struct
 	 if(preview_size > fps->preview_size) fps->preview_size = preview_size;
  }
  else free(fpc);
- pthread_mutex_unlock(&file_mutex);
+ _3proxy_mutex_unlock(&file_mutex);
  return fps?1:0;
 }
 
@@ -754,9 +777,9 @@ static void * fp_open(void * idata, struct srvparam * param){
 
 static FILTER_ACTION fp_client(void *fo, struct clientparam * param, void** fc){
 
-	pthread_mutex_lock(&file_mutex);
+	_3proxy_mutex_lock(&file_mutex);
 	(*fc) = (void *)addfps(param);
-	pthread_mutex_unlock(&file_mutex);
+	_3proxy_mutex_unlock(&file_mutex);
 	return CONTINUE;
 }
 
@@ -766,7 +789,7 @@ static FILTER_ACTION fp_request(void *fc, struct clientparam * param, unsigned c
 			closefiles(FC);
 			FC->state = 0;
 		}
-		processcallbacks(FC, FP_CALLONREQUEST, *buf_p + offset, *length_p - offset);
+		processcallbacks(FC, FP_CALLONREQUEST, (char *)*buf_p + offset, *length_p - offset);
 		if(FC->what &FP_REJECT) return REJECT;
 		FC->state = GOT_HTTP_REQUEST;
 		genpaths(FC);
@@ -778,13 +801,13 @@ static FILTER_ACTION fp_request(void *fc, struct clientparam * param, unsigned c
 
 static FILTER_ACTION fp_hcli(void *fc, struct clientparam * param, unsigned char ** buf_p, int * bufsize_p, int offset, int * length_p){
 	if(fc && param->service == S_SMTPP) {
-		processcallbacks(FC, FP_CALLONREQUEST, *buf_p + offset, *length_p - offset);
+		processcallbacks(FC, FP_CALLONREQUEST, (char *)*buf_p + offset, *length_p - offset);
 		if(FC->what & FP_REJECT) return REJECT;
 		if(!FC->state)genpaths(FC);
 		FC->state = GOT_SMTP_REQ;
 	}
 	if(fc && param->service == S_FTPPR) {
-		processcallbacks(FC, FP_CALLONREQUEST, *buf_p + offset, *length_p - offset);
+		processcallbacks(FC, FP_CALLONREQUEST, (char *)*buf_p + offset, *length_p - offset);
 		if(FC->what & FP_REJECT) return REJECT;
 		genpaths(FC);
 		FC->state = GOT_FTP_REQ;
@@ -852,7 +875,7 @@ static int h_cachedir(int argc, unsigned char **argv){
 	char * dirp;
 	size_t len;
 
-	dirp = (argc > 1)? argv[1] : getenv("TEMP");
+	dirp = (argc > 1)? (char *)argv[1] : getenv("TEMP");
 	len = strlen(dirp);
 	if(!dirp || !len || len > 200 || strchr(dirp, '%')) {
 		fprintf(stderr, "FilePlugin: invalid directory path: %s\n", dirp);
@@ -869,7 +892,7 @@ static int h_cachedir(int argc, unsigned char **argv){
 }
 
 static int h_preview(int argc, unsigned char **argv){
-	preview = atoi(argv[1]);
+	preview = atoi((char *)argv[1]);
 	return 0;
 }
 
@@ -890,7 +913,7 @@ static int file_loaded=0;
 					 int argc, char** argv){
 
 	if(!file_loaded){
-		pthread_mutex_init(&file_mutex, NULL);
+		_3proxy_mutex_init(&file_mutex);
 		file_loaded = 1;
 		pl = pluginlink;
 		memcpy(&sso, pl->so, sizeof(struct sockfuncs));

src/plugins/PCREPlugin/pcre_plugin.c

@@ -21,7 +21,7 @@ extern "C" {
 
 static struct pluginlink * pl;
 
-static pthread_mutex_t pcre_mutex;
+static _3proxy_mutex_t pcre_mutex;
 
 
 static struct filter pcre_first_filter = {
@@ -112,7 +112,7 @@ struct pcre_filter_data {
 };
 
 static void pcre_data_free(struct pcre_filter_data *pcrefd){
-	pthread_mutex_lock(&pcre_mutex);
+	_3proxy_mutex_lock(&pcre_mutex);
 	pcrefd->users--;
 	if(!pcrefd->users){
 		if(pcrefd->match_data) pcre2_match_data_free(pcrefd->match_data);
@@ -121,7 +121,7 @@ static void pcre_data_free(struct pcre_filter_data *pcrefd){
 		if(pcrefd->replace) pl->freefunc(pcrefd->replace);
 		pl->freefunc(pcrefd);
 	}
-	pthread_mutex_unlock(&pcre_mutex);
+	_3proxy_mutex_unlock(&pcre_mutex);
 }
 
 
@@ -130,9 +130,9 @@ static void pcre_data_free(struct pcre_filter_data *pcrefd){
 static void* pcre_filter_open(void * idata, struct srvparam * param){
 #define pcrefd ((struct pcre_filter_data *)idata)
 	if(idata){
-		pthread_mutex_lock(&pcre_mutex);
+		_3proxy_mutex_lock(&pcre_mutex);
 		pcrefd->users++;
-		pthread_mutex_unlock(&pcre_mutex);
+		_3proxy_mutex_unlock(&pcre_mutex);
 	}
 #undef pcrefd
 	return idata;
@@ -517,7 +517,7 @@ PLUGINAPI int PLUGINCALL pcre_plugin (struct pluginlink * pluginlink,
 	pcre_options = 0;
 	if(!pcre_loaded){
 		pcre_loaded = 1;
-		pthread_mutex_init(&pcre_mutex, NULL);
+		_3proxy_mutex_init(&pcre_mutex);
 		regexp_symbols[2].next = pl->symbols.next;
 		pl->symbols.next = regexp_symbols;
 		pcre_commandhandlers[3].next = pl->commandhandlers->next;

src/plugins/PamAuth/pamauth.c

@@ -12,7 +12,7 @@ Kirill Lopuchov <lopuchov@mail.ru>
 #include <security/pam_appl.h>
 
 
-pthread_mutex_t pam_mutex;
+_3proxy_mutex_t pam_mutex;
 
 static int         already_loaded = 0;
 
@@ -89,7 +89,7 @@ static int pamfunc(struct clientparam *param)
   /*start process auth */  
   conv.appdata_ptr = (char *) param->password;
 
-  pthread_mutex_lock(&pam_mutex);
+  _3proxy_mutex_lock(&pam_mutex);
   if (!pamh)
     {
 	retval = pam_start ((char *)service, (char *)param->username, &conv, &pamh);
@@ -113,7 +113,7 @@ static int pamfunc(struct clientparam *param)
       retval = pam_end (pamh, retval);
    if (retval != PAM_SUCCESS)
       {  pamh = NULL;   }
-  pthread_mutex_unlock(&pam_mutex);
+  _3proxy_mutex_unlock(&pam_mutex);
 
   return rc;
 
@@ -140,7 +140,7 @@ PLUGINAPI int PLUGINCALL start(struct pluginlink * pluginlink, int argc, unsigne
 
  already_loaded = 1;
     
- pthread_mutex_init(&pam_mutex, NULL);
+ _3proxy_mutex_init(&pam_mutex);
  pamauth.authenticate = pamfunc;
  pamauth.authorize = pluginlink->checkACL;
  pamauth.desc = "pam";

src/plugins/SSLPlugin/my_ssl.c

@@ -32,7 +32,7 @@ typedef struct _ssl_conn {
 	SSL *ssl;
 } ssl_conn;
 
-pthread_mutex_t ssl_file_mutex;
+_3proxy_mutex_t ssl_file_mutex;
 
 
 static char errbuf[256];
@@ -229,15 +229,15 @@ void _ssl_cert_free(SSL_CERT cert)
 
  
 /* This array will store all of the mutexes available to OpenSSL. */ 
-static pthread_mutex_t *mutex_buf= NULL;
+static _3proxy_mutex_t *mutex_buf= NULL;
  
  
 static void locking_function(int mode, int n, const char * file, int line)
 {
   if (mode & CRYPTO_LOCK)
-    pthread_mutex_lock(mutex_buf + n);
+    _3proxy_mutex_lock(mutex_buf + n);
   else
-    pthread_mutex_unlock(mutex_buf + n);
+    _3proxy_mutex_unlock(mutex_buf + n);
 }
  
 static unsigned long id_function(void)
@@ -253,11 +253,11 @@ int thread_setup(void)
 {
   int i;
  
-  mutex_buf = malloc(CRYPTO_num_locks(  ) * sizeof(pthread_mutex_t));
+  mutex_buf = malloc(CRYPTO_num_locks(  ) * sizeof(_3proxy_mutex_t));
   if (!mutex_buf)
     return 0;
   for (i = 0;  i < CRYPTO_num_locks(  );  i++)
-    pthread_mutex_init(mutex_buf +i, NULL);
+    _3proxy_mutex_init(mutex_buf +i);
   CRYPTO_set_id_callback(id_function);
   CRYPTO_set_locking_callback(locking_function);
   return 1;
@@ -272,7 +272,7 @@ int thread_cleanup(void)
   CRYPTO_set_id_callback(NULL);
   CRYPTO_set_locking_callback(NULL);
   for (i = 0;  i < CRYPTO_num_locks(  );  i++)
-    pthread_mutex_destroy(mutex_buf +i);
+    _3proxy_mutex_destroy(mutex_buf +i);
   free(mutex_buf);
   mutex_buf = NULL;
   return 1;
@@ -291,7 +291,7 @@ void ssl_init()
 	    thread_setup();
 	    SSLeay_add_ssl_algorithms();
 	    SSL_load_error_strings();
-	    pthread_mutex_init(&ssl_file_mutex, NULL);
+	    _3proxy_mutex_init(&ssl_file_mutex);
 	    bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 	}
 }

src/plugins/SSLPlugin/ssl_plugin.c

@@ -274,11 +274,12 @@ SSL_CONN ssl_handshake_to_server(SOCKET s, char * hostname, SSL_CONFIG *config,
 	*errSSL = getSSLErr();
 	return NULL;
     }
+#if OPENSSL_VERSION_NUMBER >= 0x0090806fL
     if(hostname && *hostname)SSL_set_tlsext_host_name(conn->ssl, hostname);
-
+#endif
 
     do {
-	struct pollfd fds[1] = {{}};
+	struct pollfd fds[1] = {{INVALID_SOCKET}};
 	int sslerr;
 
 	err = SSL_connect(conn->ssl);
@@ -349,7 +350,7 @@ SSL_CONN ssl_handshake_to_client(SOCKET s, SSL_CONFIG *config, X509 *server_cert
     SSL_set_fd(conn->ssl, s);
 
     do {
-	struct pollfd fds[1] = {{}};
+	struct pollfd fds[1] = {{INVALID_SOCKET}};
 	int sslerr;
 
 	err = SSL_accept(conn->ssl);
@@ -520,7 +521,9 @@ SSL_CTX * ssl_cli_ctx(SSL_CONFIG *config, X509 *server_cert, EVP_PKEY *server_ke
     if(config->server_min_proto_version)SSL_CTX_set_min_proto_version(ctx, config->server_min_proto_version);
     if(config->server_max_proto_version)SSL_CTX_set_max_proto_version(ctx, config->server_max_proto_version);
     if(config->server_cipher_list)SSL_CTX_set_cipher_list(ctx, config->server_cipher_list);
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
     if(config->server_ciphersuites)SSL_CTX_set_ciphersuites(ctx, config->server_ciphersuites);
+#endif
     if(config->server_verify){
                 if(config->server_ca_file || config->server_ca_dir){
                     SSL_CTX_load_verify_locations(ctx, config->server_ca_file, config->server_ca_dir);
@@ -672,8 +675,12 @@ static void* ssl_filter_open(void * idata, struct srvparam * srv){
 	    if(sc->client_min_proto_version)SSL_CTX_set_min_proto_version(sc->srv_ctx, sc->client_min_proto_version);
 	    if(sc->client_max_proto_version)SSL_CTX_set_max_proto_version(sc->srv_ctx, sc->client_max_proto_version);
 	    if(sc->client_cipher_list)SSL_CTX_set_cipher_list(sc->srv_ctx, sc->client_cipher_list);
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
 	    if(sc->client_ciphersuites)SSL_CTX_set_ciphersuites(sc->srv_ctx, sc->client_ciphersuites);
+#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10200000L
 	    if(sc->client_alpn_protos.protos_len)SSL_CTX_set_alpn_protos(sc->srv_ctx, sc->client_alpn_protos.protos, sc->client_alpn_protos.protos_len);
+#endif
 	    if(sc->client_verify){
 		if(sc->client_ca_file || sc->client_ca_dir){
 		    SSL_CTX_load_verify_locations(sc->srv_ctx, sc->client_ca_file, sc->client_ca_dir);
@@ -759,6 +766,14 @@ static FILTER_ACTION ssl_filter_predata(void *fc, struct clientparam * param){
 	return PASS;
 }
 
+static FILTER_ACTION ssl_parent(struct clientparam * param){
+	if(PCONF->cli && client_mode == 3) {
+	    if(docli(param)) {
+		return REJECT;
+	    }
+	}
+	return PASS;
+}
 
 static void ssl_filter_clear(void *state){
     struct clientparam *param;
@@ -1158,6 +1173,10 @@ static struct commands ssl_commandhandlers[] = {
 	{NULL, "ssl_certcache", h_certcache, 2, 2},
 };
 
+static struct symbol ssl_symbols[] = {
+        {NULL, "ssl_parent", (void *)&ssl_parent},
+};
+
 
 #ifdef WATCOM
 #pragma aux ssl_plugin "*" parm caller [ ] value struct float struct routine [eax] modify [eax ecx edx]
@@ -1221,6 +1240,8 @@ PLUGINAPI int PLUGINCALL ssl_plugin (struct pluginlink * pluginlink,
 		ssl_init();
 		ssl_commandhandlers[(sizeof(ssl_commandhandlers)/sizeof(struct commands))-1].next = pl->commandhandlers->next;
 		pl->commandhandlers->next = ssl_commandhandlers;
+		ssl_symbols[0].next = pl->symbols.next;
+		pl->symbols.next = ssl_symbols;
 	}
 
 	tcppmfunc = (PROXYFUNC)pl->findbyname("tcppm");	

src/plugins/TrafficPlugin/ReadMe.txt

@@ -63,5 +63,5 @@ plugin "TrafficPlugin.dll" start debug
 /////////////////////////////////////////////////////////////////////////////
 Copyright:
  (c) Maslov Michael aka Flexx(rus) All rights reserved.
- Plugin was writen on Visual C++ 6.0 SP5
+ Plugin was written on Visual C++ 6.0 SP5
  Using structures.h from 3proxy distr.

src/plugins/TransparentPlugin/transparent_plugin.c

@@ -1,5 +1,5 @@
 /*
-   3APA3A simpliest proxy server
+   3APA3A simplest proxy server
    (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
 
    please read License Agreement
@@ -58,8 +58,10 @@ static FILTER_ACTION transparent_filter_client(void *fo, struct clientparam * pa
 	return REJECT;
 #endif
 #else
+	if(*SAFAMILY(&param->sincl) == AF_INET || *SAFAMILY(&param->sincl) == AF_INET6){
 	    param->req = param->sincl;
 	    param->sincl = param->srv->intsa;
+	}
 #endif
 	pl->myinet_ntop(*SAFAMILY(&param->req), SAADDR(&param->req), (char *)addrbuf, sizeof(addrbuf));
 	if(param->hostname) pl->freefunc(param->hostname);