bughz/3proxy
1
0
Fork 0
mirror of https://github.com/3proxy/3proxy.git synced 2026-04-29 07:30:11 +08:00
Code Issues Actions 8 Packages Projects Releases Wiki Activity

Compare commits

base: bughz:0.9.6
Branches Tags
bughz:master
bughz:test-ci
bughz:devel
bughz:0.8
bughz:0.7
bughz:0.9.6
bughz:0.9.5
bughz:0.9.4
bughz:0.9.3
bughz:0.9.2
bughz:0.9.1
bughz:0.9.0
bughz:0.9.0-rc
bughz:0.8.13
bughz:0.8.12
bughz:0.8.11
bughz:0.8.10
bughz:0.8.9
bughz:3proxy-0.8.8
bughz:0.8.8
bughz:3proxy-0.8.7
bughz:3proxy-0.8.6
bughz:3proxy-0.8.5
bughz:3proxy-0.8.4
bughz:3proxy-0.8.3
bughz:3proxy-0.8.2
bughz:3proxy-0.7.1.4
bughz:3proxy-0.8.1
bughz:3proxy-0.8.0
bughz:3proxy-0.8-pre
bughz:3proxy-0.7.1.3
bughz:3proxy-0.7.1.2
bughz:v0.7.1.2
bughz:v0.7.1.1
bughz:v0.7.1
bughz:v0.7
..
compare: bughz:master
Branches Tags
bughz:master
bughz:test-ci
bughz:devel
bughz:0.8
bughz:0.7
bughz:0.9.6
bughz:0.9.5
bughz:0.9.4
bughz:0.9.3
bughz:0.9.2
bughz:0.9.1
bughz:0.9.0
bughz:0.9.0-rc
bughz:0.8.13
bughz:0.8.12
bughz:0.8.11
bughz:0.8.10
bughz:0.8.9
bughz:3proxy-0.8.8
bughz:0.8.8
bughz:3proxy-0.8.7
bughz:3proxy-0.8.6
bughz:3proxy-0.8.5
bughz:3proxy-0.8.4
bughz:3proxy-0.8.3
bughz:3proxy-0.8.2
bughz:3proxy-0.7.1.4
bughz:3proxy-0.8.1
bughz:3proxy-0.8.0
bughz:3proxy-0.8-pre
bughz:3proxy-0.7.1.3
bughz:3proxy-0.7.1.2
bughz:v0.7.1.2
bughz:v0.7.1.1
bughz:v0.7.1
bughz:v0.7

54 Commits
0.9.6 ... master

Author SHA1 Message Date
Vladimir Dubrovin
b1ac46da79 Remove linux futext implementation
Some checks are pending
Build Win32 3proxy-lite with Watcom / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
Build Win32 3proxy with MSVC / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
Build Win64 3proxy with MSVC / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
Build Win-arm64 3proxy with MSVC / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Waiting to run
Details
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-latest) (push) Waiting to run
Details
C/C++ CI MacOS / ${{ matrix.target }} (macos-15) (push) Waiting to run
Details
C/C++ CI Windows / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (macos-15) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-latest) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
2026-04-28 18:06:54 +03:00
Vladimir Dubrovin
d125261e8c fix: hashtables on recsize < 4 2026-04-28 16:32:30 +03:00
Vladimir Dubrovin
a4527783d6 Correctly process half-closed connections; add grace sleep before closing sockets 2026-04-28 16:15:18 +03:00
Vladimir Dubrovin
fb70d06d3e Add linger sleep on connection close 2026-04-28 14:55:37 +03:00
Vladimir Dubrovin
57d687fcb8 add 3proxy_crypt man 2026-04-28 14:41:14 +03:00
Vladimir Dubrovin
ada24a98ec Use semaphore/mutex insted of pipe for threads sync 2026-04-28 14:00:15 +03:00
Vladimir Dubrovin
ba2584cebf change 3proxy.cfg.3 to 3proxy.cfg.5 2026-04-28 12:34:53 +03:00
Vladimir Dubrovin
05096c222a Return standalone udppm; do not build standalone modules by default in cmake 
Allow to set prefix in cmake, 3proxy_ by default
 2026-04-28 12:21:11 +03:00
Vladimir Dubrovin
6c3c5f31a2 Update mans
Some checks are pending
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Waiting to run
Details
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-latest) (push) Waiting to run
Details
C/C++ CI MacOS / ${{ matrix.target }} (macos-15) (push) Waiting to run
Details
C/C++ CI Windows / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (macos-15) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-latest) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
2026-04-27 21:11:25 +03:00
Vladimir Dubrovin
319a74de06 Update proxymain.c 2026-04-27 20:12:28 +03:00
Vladimir Dubrovin
e088a5d7f9 Remove udppm from build 2026-04-27 20:05:34 +03:00
Vladimir Dubrovin
f01c8bfee9 Code cleanup 2026-04-27 19:58:34 +03:00
Vladimir Dubrovin
a7cdfa578d split auth.c 2026-04-27 15:30:35 +03:00
Vladimir Dubrovin
d52701518d udppm switched to hashtable and supports multiple connections; no standalone udppm 2026-04-27 15:12:39 +03:00
Vladimir Dubrovin
7ddea44ffd Fix: blake crypt
Some checks are pending
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Waiting to run
Details
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-latest) (push) Waiting to run
Details
C/C++ CI MacOS / ${{ matrix.target }} (macos-15) (push) Waiting to run
Details
C/C++ CI Windows / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (macos-15) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-latest) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
2026-04-27 13:23:32 +03:00
Vladimir Dubrovin
760a521df8 remove pwl_mutex
Some checks are pending
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Waiting to run
Details
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-latest) (push) Waiting to run
Details
C/C++ CI MacOS / ${{ matrix.target }} (macos-15) (push) Waiting to run
Details
C/C++ CI Windows / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (macos-15) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-latest) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
2026-04-26 20:43:13 +03:00
Vladimir Dubrovin
62ceb36157 Use hashtables for password lists 2026-04-26 20:38:58 +03:00
Vladimir Dubrovin
62be3c7b5b cash the hash for auth cache 2026-04-26 19:56:38 +03:00
Vladimir Dubrovin
85c431b96e Merge branch 'master' of https://github.com/3proxy/3proxy 2026-04-25 11:52:57 +03:00
Vladimir Dubrovin
90c312f4cd Changelog added 2026-04-25 11:52:54 +03:00
Vladimir Dubrovin
451b3d180c Allow hashtables to grow index
Some checks failed
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Has been cancelled
Details
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-latest) (push) Has been cancelled
Details
C/C++ CI MacOS / ${{ matrix.target }} (macos-15) (push) Has been cancelled
Details
C/C++ CI Windows / ${{ matrix.target }} (windows-2022) (push) Has been cancelled
Details
C/C++ CI cmake / ${{ matrix.target }} (macos-15) (push) Has been cancelled
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Has been cancelled
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-latest) (push) Has been cancelled
Details
C/C++ CI cmake / ${{ matrix.target }} (windows-2022) (push) Has been cancelled
Details
2026-04-24 21:08:57 +03:00
Vladimir Dubrovin
f63a83f554 Fix blake2 for watcom 2026-04-24 18:13:30 +03:00
Vladimir Dubrovin
6b61cfde4c Fix for older Windows (7 and below) / VC 2026-04-24 17:04:03 +03:00
Vladimir Dubrovin
e6c3427cab fix hashtable init
Some checks failed
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Has been cancelled
Details
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-latest) (push) Has been cancelled
Details
C/C++ CI MacOS / ${{ matrix.target }} (macos-15) (push) Has been cancelled
Details
C/C++ CI Windows / ${{ matrix.target }} (windows-2022) (push) Has been cancelled
Details
C/C++ CI cmake / ${{ matrix.target }} (macos-15) (push) Has been cancelled
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Has been cancelled
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-latest) (push) Has been cancelled
Details
C/C++ CI cmake / ${{ matrix.target }} (windows-2022) (push) Has been cancelled
Details
2026-04-22 12:02:20 +03:00
Vladimir Dubrovin
4f0f3c81e1 add 'cacheacl' auth type, dstaddr, dstport, dsthost, dstoper, srvaddr and srvport authcache types; allow to configure authcache by service 
'auth cacheacl ...' is identical to 'auth cache ...' except ACL is not checked for cached authentication. dstaddr, dstport, dsthost and dstoper (operation) are intended to be used with cacheacl. For example

authcache user,ip,password,dstaddr 600
auth cacheacl iponly strong

allows user to access destination ip without ACL/password revalidation if he has cached attempt to the same ip from the same ip with the same username and password.

srvaddr, srvport are useful to only match with cached attempts to the same `internal` address / service port.
 2026-04-21 21:49:52 +03:00
Vladimir Dubrovin
bfbbf1f446 Fix FilePlugin warnings
Some checks failed
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Has been cancelled
Details
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-latest) (push) Has been cancelled
Details
C/C++ CI MacOS / ${{ matrix.target }} (macos-15) (push) Has been cancelled
Details
C/C++ CI Windows / ${{ matrix.target }} (windows-2022) (push) Has been cancelled
Details
C/C++ CI cmake / ${{ matrix.target }} (macos-15) (push) Has been cancelled
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Has been cancelled
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-latest) (push) Has been cancelled
Details
C/C++ CI cmake / ${{ matrix.target }} (windows-2022) (push) Has been cancelled
Details
2026-04-21 16:28:28 +03:00
Vladimir Dubrovin
b79906da02 Add FilePlugin to builds 2026-04-21 16:23:23 +03:00
Vladimir Dubrovin
68ef9dcc59 Fix Windows compilation 2026-04-21 16:10:17 +03:00
Vladimir Dubrovin
3957210609 Allow different hash lengths; fix bug on hashtable grow 2026-04-20 18:49:53 +03:00
Vladimir Dubrovin
ee00956b74 hash username/password with terminators 2026-04-20 11:59:58 +03:00
Vladimir Dubrovin
083a70393f Minor hashtable refactor 2026-04-20 10:40:38 +03:00
Vladimir Dubrovin
d9b1493260 Fix hashadd
Some checks are pending
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Waiting to run
Details
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-latest) (push) Waiting to run
Details
C/C++ CI MacOS / ${{ matrix.target }} (macos-15) (push) Waiting to run
Details
C/C++ CI Windows / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (macos-15) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-latest) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
2026-04-19 19:22:22 +03:00
Vladimir Dubrovin
7102afe856 authcache switched to hashtables, overflow fixed 
- authcache switched to use hashtables, size parameter added
- overflow fixed on hashinit
- hashtable prefers new values on insert if table is full
- hashtable is able to compact/grow
 2026-04-19 19:16:33 +03:00
Vladimir Dubrovin
a3729354b8 Allow hashtable to grow
Some checks are pending
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Waiting to run
Details
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-latest) (push) Waiting to run
Details
C/C++ CI MacOS / ${{ matrix.target }} (macos-15) (push) Waiting to run
Details
C/C++ CI Windows / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (macos-15) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-latest) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
2026-04-18 17:24:01 +03:00
Vladimir Dubrovin
45796f66c7 Cleanup 3proxy_crypt 2026-04-18 15:47:07 +03:00
Vladimir Dubrovin
260cbf7a3d Use uint32_t for hashtable indicies 2026-04-18 15:36:14 +03:00
Vladimir Dubrovin
bba9871ed8 Use 3proxy_crypt instead of mycrypt 2026-04-18 15:19:06 +03:00
Vladimir Dubrovin
f1af44f3a9 Refactor hashtables to use indices instead of pointers, use blake2 as a hash, mycrypt renamed to 3proxy_crypt 2026-04-18 15:12:43 +03:00
Vladimir Dubrovin
4ee7f71fb9 Использовать tablesize в хештаблице 2026-04-17 21:15:21 +03:00
Vladimir Dubrovin
98604b5421 Add hashcompact 2026-04-17 20:40:27 +03:00
Vladimir Dubrovin
a0d580b36d move hashtable/resolve/sql functions to separate files 2026-04-17 19:29:50 +03:00
Vladimir Dubrovin
4c0e3a1bac Check OpenSSL version for SNI/TLS 1.3/alpn
Some checks failed
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Has been cancelled
Details
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-latest) (push) Has been cancelled
Details
C/C++ CI MacOS / ${{ matrix.target }} (macos-15) (push) Has been cancelled
Details
C/C++ CI Windows / ${{ matrix.target }} (windows-2022) (push) Has been cancelled
Details
C/C++ CI cmake / ${{ matrix.target }} (macos-15) (push) Has been cancelled
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Has been cancelled
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-latest) (push) Has been cancelled
Details
C/C++ CI cmake / ${{ matrix.target }} (windows-2022) (push) Has been cancelled
Details
2026-04-14 17:36:35 +03:00
Vladimir Dubrovin
454f5e1d54 -Ne / -Ni description added to man
Some checks are pending
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Waiting to run
Details
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-latest) (push) Waiting to run
Details
C/C++ CI MacOS / ${{ matrix.target }} (macos-15) (push) Waiting to run
Details
C/C++ CI Windows / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (macos-15) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-latest) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
2026-04-13 21:37:46 +03:00
Vladimir Dubrovin
c4ac696919 Update documentation for parent tcps/https/etc 2026-04-13 21:32:04 +03:00
Vladimir Dubrovin
afbdad0ac7 Fix for first in chain https/tcps parent 2026-04-13 21:09:46 +03:00
Vladimir Dubrovin
a1a65c3fd5 ssl_client_mode = 3 added, allow 'secure' parent types ending with 's': https, tcps, socks5s, connect+s, etc. 
example:

plugin SSLPlugin.ld.so ssl_plugin

allow user1
parent 1000 http 1.1.1.1 1111
allow user2
parent 1000 https 2.2.2.2 2222
ssl_client_mode 3
ssl_client
proxy

With ssl_client_mode 3 TLS is only handshaked for https parent type and is not handshaked for http parent.
 2026-04-13 20:53:38 +03:00
Vladimir Dubrovin
2fd536781f Add unix sockets to man 2026-04-13 11:54:24 +03:00
Vladimir Dubrovin
878a432481 Support unix socket for parent and tcppm; abstract (fileless) unix sockets for linux support
Some checks are pending
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Waiting to run
Details
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-latest) (push) Waiting to run
Details
C/C++ CI MacOS / ${{ matrix.target }} (macos-15) (push) Waiting to run
Details
C/C++ CI Windows / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (macos-15) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-latest) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details 
Use unix:/path/to/socket, e.g.

tcppm 1234 unix:/path/to/socket 1234

Under linux abstract sockets are supported with '@' prefix, e.g.

parent 1000 http unix:@virtual.3proxy.socket 1111

Destination port numbers are not used in tcppm/parent, but you must specify any positive value to match the syntaxis.
 2026-04-12 19:18:15 +03:00
Vladimir Dubrovin
3f92dc7355 Fix dockerfiles
Some checks are pending
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Waiting to run
Details
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-latest) (push) Waiting to run
Details
C/C++ CI MacOS / ${{ matrix.target }} (macos-15) (push) Waiting to run
Details
C/C++ CI Windows / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (macos-15) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-latest) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
2026-04-12 15:18:20 +03:00
Vladimir Dubrovin
bae96b0823 Support plugins in chroot in Dockerfile.busybox 2026-04-12 14:55:54 +03:00
Vladimir Dubrovin
f77f65ac4e Fix: SOCKSv5 parent reply parsing for domain name address 2026-04-12 14:16:48 +03:00
Vladimir Dubrovin
2d6eeff5f3 FIx typos, update documentation 2026-04-12 13:58:42 +03:00
Vladimir Dubrovin
c206349ee2 Support unix sockets for internal and -i 
Example configuration:

log
auto -iunix:/path/to/3proxy.sock

test with

curl --unix-socket /path/to/3proxy.sock https://3proxy.ru
 2026-04-12 00:30:35 +03:00
Vladimir Dubrovin
77b0dc3397 Documentation update
Some checks failed
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Waiting to run
Details
C/C++ CI Linux / ${{ matrix.target }} (ubuntu-latest) (push) Waiting to run
Details
C/C++ CI MacOS / ${{ matrix.target }} (macos-15) (push) Waiting to run
Details
C/C++ CI Windows / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (macos-15) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (ubuntu-latest) (push) Waiting to run
Details
C/C++ CI cmake / ${{ matrix.target }} (windows-2022) (push) Waiting to run
Details
RPM/DEB build aarch64 / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Has been cancelled
Details
RPM/DEB build armhf / ${{ matrix.target }} (ubuntu-latest) (push) Has been cancelled
Details
RPM/DEB build x86-64 / ${{ matrix.target }} (ubuntu-latest) (push) Has been cancelled
Details
Build Win32 3proxy-lite with Watcom / ${{ matrix.target }} (windows-2022) (push) Has been cancelled
Details
Build Win32 3proxy with MSVC / ${{ matrix.target }} (windows-2022) (push) Has been cancelled
Details
Build Win64 3proxy with MSVC / ${{ matrix.target }} (windows-2022) (push) Has been cancelled
Details
Build Win-arm64 3proxy with MSVC / ${{ matrix.target }} (windows-2022) (push) Has been cancelled
Details
2026-04-11 14:47:09 +03:00
117 changed files with 5231 additions and 3212 deletions
Show Stats Expand all files Collapse all files

4
.github/workflows/build-watcom.yml vendored
View File

@ -45,7 +45,7 @@ jobs:
mkdir dist\3proxy\doc\ru
mkdir dist\3proxy\doc\html
mkdir dist\3proxy\doc\html\plugins
mkdir dist\3proxy\doc\html\man3
mkdir dist\3proxy\doc\html\man5
mkdir dist\3proxy\doc\html\man8
mkdir dist\3proxy\doc\devel
copy bin\3proxy.exe dist\3proxy\bin\
@ -57,7 +57,7 @@ jobs:
copy doc\html\*.* dist\3proxy\doc\html\
copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\
copy doc\html\man8\*.* dist\3proxy\doc\html\man8\
copy doc\html\man3\*.* dist\3proxy\doc\html\man3\
copy doc\html\man5\*.* dist\3proxy\doc\html\man5\
copy doc\devel\*.rtf dist\3proxy\doc\devel\
copy copying dist\3proxy\
copy authors dist\3proxy\

4
.github/workflows/build-win32.yml vendored
View File

@ -51,7 +51,7 @@ jobs:
mkdir dist\3proxy\doc\ru
mkdir dist\3proxy\doc\html
mkdir dist\3proxy\doc\html\plugins
mkdir dist\3proxy\doc\html\man3
mkdir dist\3proxy\doc\html\man5
mkdir dist\3proxy\doc\html\man8
mkdir dist\3proxy\doc\devel
copy bin\3proxy.exe dist\3proxy\bin\
@ -63,7 +63,7 @@ jobs:
copy doc\html\*.* dist\3proxy\doc\html\
copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\
copy doc\html\man8\*.* dist\3proxy\doc\html\man8\
copy doc\html\man3\*.* dist\3proxy\doc\html\man3\
copy doc\html\man5\*.* dist\3proxy\doc\html\man5\
copy doc\devel\*.rtf dist\3proxy\doc\devel\
copy copying dist\3proxy\
copy authors dist\3proxy\

4
.github/workflows/build-win64.yml vendored
View File

@ -53,7 +53,7 @@ jobs:
mkdir dist\3proxy\doc\ru
mkdir dist\3proxy\doc\html
mkdir dist\3proxy\doc\html\plugins
mkdir dist\3proxy\doc\html\man3
mkdir dist\3proxy\doc\html\man5
mkdir dist\3proxy\doc\html\man8
mkdir dist\3proxy\doc\devel
copy bin\3proxy.exe dist\3proxy\bin64\
@ -65,7 +65,7 @@ jobs:
copy doc\html\*.* dist\3proxy\doc\html\
copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\
copy doc\html\man8\*.* dist\3proxy\doc\html\man8\
copy doc\html\man3\*.* dist\3proxy\doc\html\man3\
copy doc\html\man5\*.* dist\3proxy\doc\html\man5\
copy doc\devel\*.rtf dist\3proxy\doc\devel\
copy copying dist\3proxy\
copy authors dist\3proxy\

4
.github/workflows/build-winarm64.yml vendored
View File

@ -51,7 +51,7 @@ jobs:
mkdir dist\3proxy\doc\ru
mkdir dist\3proxy\doc\html
mkdir dist\3proxy\doc\html\plugins
mkdir dist\3proxy\doc\html\man3
mkdir dist\3proxy\doc\html\man5
mkdir dist\3proxy\doc\html\man8
mkdir dist\3proxy\doc\devel
copy bin\3proxy.exe dist\3proxy\bin64\
@ -63,7 +63,7 @@ jobs:
copy doc\html\*.* dist\3proxy\doc\html\
copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\
copy doc\html\man8\*.* dist\3proxy\doc\html\man8\
copy doc\html\man3\*.* dist\3proxy\doc\html\man3\
copy doc\html\man5\*.* dist\3proxy\doc\html\man5\
copy doc\devel\*.rtf dist\3proxy\doc\devel\
copy copying dist\3proxy\
copy authors dist\3proxy\

2
.github/workflows/c-cpp-cmake.yml vendored
View File

@ -2,7 +2,7 @@ name: C/C++ CI cmake
on:
push:
branches: [ "master" ]
branches: [ "master", "unix_socket" ]
paths: [ '**.c', '**.h', '**.cmake', 'CMakeLists.txt', '.github/configs', '.github/workflows/c-cpp-cmake.yml' ]
pull_request:
branches: [ "master" ]

9
.gitignore vendored
View File

@ -258,3 +258,12 @@ pip-log.txt
#Mr Developer
.mr.developer.cfg
CLAUDE.md
bin/3proxy_crypt
bin/3proxy_ftppr
bin/3proxy_pop3p
bin/3proxy_proxy
bin/3proxy_smtpp
bin/3proxy_socks
bin/3proxy_tcppm
bin/3proxy_tlspr
bin/3proxy_udppm

11
CHANGELOG Normal file
View File

@ -0,0 +1,11 @@
3proxy-0.9.6 Released April, 11 2026
+ ssl_client and multiple configuration options added to SSLPlugin, SSLPlugin code significantly improved and bugfixed. See https://github.com/3proxy/3proxy/wiki/SSLPlugin. 3proxy can now be used as stunnel replacement for many scenarios.
+ HAProxy proxy protocol v1 support as client and server, add -H option for service to expect HA proxy v1 protocol header, use ha parent type: parent 1000 ha 0.0.0.0 0 to send v1 header.
+ tlspr is supported in auto
+ tlspr supports -s option, it breaks HELLO packet to prevent some DPIs from detecting SNI
+ maxseg configuration option and TCP_MAXSEG socket flag support added. It sets maximum size of TCP segment to fix PathMTU discovery problems
+ -Ne / -Ni options added to specify external / internal NAT address for SOCKSv5
+ cmake environment added
! External pcre2 (pcre2-8) library is used for PCRE, pcre code is removed from 3proxy
! Multiple minor bugfixes

11
CHANGELOG.rus Normal file
View File

@ -0,0 +1,11 @@
3proxy-0.9.6 Вышел 11 Апреля 2026
+ В SSLPlugin добавлены ssl_client и множество опций конфигурации, код SSLPlugin значительно улучшен и исправлен. См. https://github.com/3proxy/3proxy/wiki/SSLPlugin. 3proxy теперь может использоваться как замена stunnel во многих сценариях.
+ Поддержка прокси-протокола HAProxy v1 на стороне клиента и сервера. Добавлена опция -H для сервиса, чтобы ожидать заголовок прокси-протокола HA v1. Используйте тип родителя ha: parent 1000 ha 0.0.0.0 0 для отправки заголовка v1.
+ tlspr поддерживается в режиме auto
+ tlspr поддерживает опцию -s, которая разбивает HELLO-пакет для предотвращения обнаружения SNI некоторыми DPI
+ Добавлена опция конфигурации maxseg и поддержка флага сокета TCP_MAXSEG. Устанавливает максимальный размер TCP-сегмента для решения проблем с обнаружением PathMTU
+ Добавлены опции -Ne / -Ni для указания внешнего/внутреннего NAT-адреса для SOCKSv5
+ Добавлено окружение cmake
! Внешняя библиотека pcre2 (pcre2-8) используется для PCRE, код pcre удалён из 3proxy
! Множество мелких исправлений ошибок

146
CMakeLists.txt
View File

@ -54,6 +54,28 @@ option(3PROXY_USE_SPLICE "Use Linux splice() for zero-copy (Linux only)" ON)
option(3PROXY_USE_POLL "Use poll() instead of select() (Unix only)" ON)
option(3PROXY_USE_WSAPOLL "Use WSAPoll instead of select() (Windows only)" ON)
option(3PROXY_USE_NETFILTER "Enable Linux netfilter support (Linux only)" ON)
option(3PROXY_USE_UNIX_SOCKETS "Enable Unix domain socket support (Unix only)" ON)
# Binary name prefix for standalone modules and crypt (default: 3proxy_)
# For crypt: if prefix is empty, "my" is used instead ( mycrypt)
set(3PROXY_BINARY_PREFIX "3proxy_" CACHE STRING "Prefix for standalone module and crypt binary names")
# Standalone module build options (OFF by default)
option(3PROXY_BUILD_ALL "Build all standalone binaries" OFF)
option(3PROXY_BUILD_PROXY "Build standalone proxy binary" OFF)
option(3PROXY_BUILD_SOCKS "Build standalone socks binary" OFF)
option(3PROXY_BUILD_POP3P "Build standalone pop3p binary" OFF)
option(3PROXY_BUILD_SMTPP "Build standalone smtpp binary" OFF)
option(3PROXY_BUILD_FTPPR "Build standalone ftppr binary" OFF)
option(3PROXY_BUILD_TCPPM "Build standalone tcppm binary" OFF)
option(3PROXY_BUILD_UDPPM "Build standalone udppm binary" OFF)
option(3PROXY_BUILD_TLSPR "Build standalone tlspr binary" OFF)
if(3PROXY_BUILD_ALL)
foreach(_M PROXY SOCKS POP3P SMTPP FTPPR TCPPM UDPPM TLSPR)
set(3PROXY_BUILD_${_M} ON)
endforeach()
endif()
# Output directory
set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/bin)
@ -159,10 +181,15 @@ elseif(CMAKE_SYSTEM_NAME STREQUAL "Linux")
add_compile_definitions(WITH_NETFILTER)
endif()
if(3PROXY_USE_UNIX_SOCKETS)
add_compile_definitions(WITH_UN)
endif()
set(DEFAULT_PLUGINS
StringsPlugin
TrafficPlugin
TransparentPlugin
FilePlugin
)
elseif(CMAKE_SYSTEM_NAME MATCHES "FreeBSD|Darwin|OpenBSD|NetBSD")
@ -176,10 +203,15 @@ elseif(CMAKE_SYSTEM_NAME MATCHES "FreeBSD|Darwin|OpenBSD|NetBSD")
add_compile_options(-fno-strict-aliasing)
endif()
if(3PROXY_USE_UNIX_SOCKETS)
add_compile_definitions(WITH_UN)
endif()
set(DEFAULT_PLUGINS
StringsPlugin
TrafficPlugin
TransparentPlugin
FilePlugin
)
else()
@ -188,10 +220,15 @@ else()
add_compile_options(-fno-strict-aliasing)
endif()
if(3PROXY_USE_UNIX_SOCKETS)
add_compile_definitions(WITH_UN)
endif()
set(DEFAULT_PLUGINS
StringsPlugin
TrafficPlugin
TransparentPlugin
FilePlugin
)
endif()
@ -269,17 +306,25 @@ endif()
set(3PROXY_CORE_SOURCES
src/3proxy.c
src/auth.c
src/acl.c
src/limiter.c
src/redirect.c
src/authradius.c
src/hash.c
src/hashtables.c
src/resolve.c
src/sql.c
src/conf.c
src/datatypes.c
src/plugins.c
src/stringtable.c
)
# MD4/MD5 sources for mycrypt
# MD4/MD5/BLAKE2 sources for 3proxy_crypt
set(MD_SOURCES
src/libs/md4.c
src/libs/md5.c
src/libs/blake2b-ref.c
)
# ============================================================================
@ -304,7 +349,7 @@ target_include_directories(base64_obj PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src)
# These are used by the main 3proxy executable
# ============================================================================
# Server modules object library (without WITHMAIN)
# Server modules object library (without WITHMAIN, without UDP)
add_library(srv_modules OBJECT
src/proxy.c
src/pop3p.c
@ -315,13 +360,17 @@ add_library(srv_modules OBJECT
src/auto.c
src/socks.c
src/webadmin.c
src/udppm.c
src/dnspr.c
)
target_include_directories(srv_modules PRIVATE
${CMAKE_CURRENT_SOURCE_DIR}/src
)
# UDP port mapper server module (without WITHMAIN)
add_library(srvudppm_obj OBJECT src/udppm.c)
target_include_directories(srvudppm_obj PRIVATE
${CMAKE_CURRENT_SOURCE_DIR}/src
)
# mainfunc object (proxymain.c compiled with MODULEMAINFUNC=mainfunc for 3proxy)
add_library(mainfunc OBJECT src/proxymain.c)
@ -332,9 +381,9 @@ target_compile_definitions(mainfunc PRIVATE MODULEMAINFUNC=mainfunc)
add_library(ftp_obj OBJECT src/ftp.c)
target_include_directories(ftp_obj PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src)
# mycrypt object for 3proxy (without WITHMAIN)
add_library(mycrypt_obj OBJECT src/mycrypt.c)
target_include_directories(mycrypt_obj PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src)
# 3proxy_crypt object for 3proxy (without WITHMAIN)
add_library(3proxy_crypt_obj OBJECT src/3proxy_crypt.c)
target_include_directories(3proxy_crypt_obj PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src)
# ============================================================================
# Main 3proxy executable
@ -345,11 +394,12 @@ add_executable(3proxy
${3PROXY_CORE_SOURCES}
${MD_SOURCES}
$<TARGET_OBJECTS:srv_modules>
$<TARGET_OBJECTS:srvudppm_obj>
$<TARGET_OBJECTS:mainfunc>
$<TARGET_OBJECTS:common_obj>
$<TARGET_OBJECTS:base64_obj>
$<TARGET_OBJECTS:ftp_obj>
$<TARGET_OBJECTS:mycrypt_obj>
$<TARGET_OBJECTS:3proxy_crypt_obj>
)
target_include_directories(3proxy PRIVATE
@ -382,21 +432,31 @@ elseif(CMAKE_SYSTEM_NAME STREQUAL "Linux")
endif()
endif()
# Build mycrypt utility
add_executable(mycrypt
src/mycrypt.c
# Build 3proxy_crypt utility
add_executable(3proxy_crypt
src/3proxy_crypt.c
${MD_SOURCES}
$<TARGET_OBJECTS:base64_obj>
)
target_compile_definitions(mycrypt PRIVATE WITHMAIN)
target_include_directories(mycrypt PRIVATE
target_compile_definitions(3proxy_crypt PRIVATE WITHMAIN)
target_include_directories(3proxy_crypt PRIVATE
${CMAKE_CURRENT_SOURCE_DIR}/src
${CMAKE_CURRENT_SOURCE_DIR}/src/libs
)
target_link_libraries(mycrypt PRIVATE Threads::Threads)
target_link_libraries(3proxy_crypt PRIVATE Threads::Threads)
if("${3PROXY_BINARY_PREFIX}" STREQUAL "")
set_target_properties(3proxy_crypt PROPERTIES OUTPUT_NAME "mycrypt")
else()
set_target_properties(3proxy_crypt PROPERTIES OUTPUT_NAME "${3PROXY_BINARY_PREFIX}crypt")
endif()
# Build standalone proxy executables
foreach(PROXY_NAME proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
string(TOUPPER "${PROXY_NAME}" _MODULE_OPT)
if(NOT 3PROXY_BUILD_${_MODULE_OPT})
continue()
endif()
if(PROXY_NAME STREQUAL "ftppr" OR PROXY_NAME STREQUAL "proxy")
# ftppr and proxy use ftp_obj
add_executable(${PROXY_NAME}
@ -411,6 +471,10 @@ foreach(PROXY_NAME proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
)
endif()
set_target_properties(${PROXY_NAME} PROPERTIES
OUTPUT_NAME "${3PROXY_BINARY_PREFIX}${PROXY_NAME}"
)
target_include_directories(${PROXY_NAME} PRIVATE
${CMAKE_CURRENT_SOURCE_DIR}/src
)
@ -420,6 +484,10 @@ foreach(PROXY_NAME proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
NOPORTMAP
)
if(NOT PROXY_NAME STREQUAL "udppm")
target_compile_definitions(${PROXY_NAME} PRIVATE NOUDPMAIN)
endif()
target_link_libraries(${PROXY_NAME} PRIVATE Threads::Threads)
if(PROXY_NAME STREQUAL "proxy")
@ -437,6 +505,10 @@ foreach(PROXY_NAME proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
if(PROXY_NAME STREQUAL "proxy" OR PROXY_NAME STREQUAL "smtpp")
target_sources(${PROXY_NAME} PRIVATE $<TARGET_OBJECTS:base64_obj>)
endif()
if(PROXY_NAME STREQUAL "udppm")
target_sources(${PROXY_NAME} PRIVATE src/hash.c)
endif()
endforeach()
# Plugin output directory
@ -480,10 +552,19 @@ if(PAM_FOUND)
endif()
# Installation rules
install(TARGETS 3proxy mycrypt proxy socks pop3p smtpp ftppr tcppm udppm tlspr
install(TARGETS 3proxy 3proxy_crypt
RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}
)
foreach(PROXY_NAME proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
string(TOUPPER "${PROXY_NAME}" _MODULE_OPT)
if(3PROXY_BUILD_${_MODULE_OPT})
install(TARGETS ${PROXY_NAME}
RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}
)
endif()
endforeach()
# Install plugins
file(GLOB PLUGINFILES "${PLUGIN_OUTPUT_DIR}/*${PLUGIN_SUFFIX}")
if(WIN32)
@ -617,10 +698,32 @@ endif()
# Install man pages
if(NOT WIN32)
file(GLOB MAN3_FILES "${CMAKE_CURRENT_SOURCE_DIR}/man/*.3")
file(GLOB MAN8_FILES "${CMAKE_CURRENT_SOURCE_DIR}/man/*.8")
install(FILES ${MAN3_FILES} DESTINATION ${CMAKE_INSTALL_MANDIR}/man3)
install(FILES ${MAN8_FILES} DESTINATION ${CMAKE_INSTALL_MANDIR}/man8)
# Config man page (section 5) no prefix
file(GLOB MAN5_FILES "${CMAKE_CURRENT_SOURCE_DIR}/man/*.5")
install(FILES ${MAN5_FILES} DESTINATION ${CMAKE_INSTALL_MANDIR}/man5)
# Main 3proxy man page no prefix
install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/man/3proxy.8"
DESTINATION ${CMAKE_INSTALL_MANDIR}/man8
)
# 3proxy_crypt man page no prefix (already has 3proxy_)
if(EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/man/3proxy_crypt.8")
install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/man/3proxy_crypt.8"
DESTINATION ${CMAKE_INSTALL_MANDIR}/man8
)
endif()
# Module man pages installed with binary prefix only if module is built
foreach(_MAN proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
string(TOUPPER "${_MAN}" _MODULE_OPT)
if(3PROXY_BUILD_${_MODULE_OPT})
set(_MAN_SRC "${CMAKE_CURRENT_SOURCE_DIR}/man/${_MAN}.8")
if(EXISTS "${_MAN_SRC}")
install(FILES "${_MAN_SRC}"
DESTINATION ${CMAKE_INSTALL_MANDIR}/man8
RENAME "${3PROXY_BINARY_PREFIX}${_MAN}.8"
)
endif()
endif()
endforeach()
endif()
# Summary
@ -654,3 +757,10 @@ message(STATUS " ODBC: ${ODBC_FOUND}")
message(STATUS "")
message(STATUS " Plugins to build: ${ALL_PLUGINS}")
message(STATUS "")
message(STATUS " Standalone modules:")
message(STATUS " Binary prefix: \"${3PROXY_BINARY_PREFIX}\"")
foreach(_M proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
string(TOUPPER "${_M}" _MO)
message(STATUS " BUILD_${_MO}: ${3PROXY_BUILD_${_MO}}")
endforeach()
message(STATUS "")

57
Dockerfile.busybox Normal file
View File

@ -0,0 +1,57 @@
# 3proxy.full is fully functional 3proxy build based on busybox:glibc
#
# Examples are for podman, for docker change 'podman' to 'docker'
#
#to build:
# podman build -f Dockerfile.busybox -t 3proxy.busybox .
#to run:
#
# echo nserver 8.8.8.8 >/path/to/local/config/directory/3proxy.cfg
# echo proxy -p3129 >>/path/to/local/config/directory/3proxy.cfg
# podman run --read-only -p 3129:3129 -v /path/to/local/config/directory:/etc/3proxy --name 3proxy.busybox 3proxy.busybox
#
# use "log" without pathname in config to log to stdout.
# plugins are located in /usr/local/3proxy/libexec (/libexec for chroot config)
# symlinked as /lib and /lib64 in both root and chroot configurations, so no need
# to specify full path to plugin. SSLPlugin is supported.
#
# Since 0.9.6 image is distroless, no reason to use chroot, chroot
# configuration is supported for compatibility only.
FROM docker.io/gcc AS buildenv
COPY . 3proxy
RUN cd 3proxy &&\
apt --assume-yes update && apt --assume-yes install libssl-dev libpcre2-dev &&\
make -f Makefile.Linux &&\
strip bin/3proxy &&\
strip bin/*so &&\
mkdir /dist &&\
mkdir /dist/etc &&\
mkdir /dist/etc/3proxy &&\
mkdir /dist/bin &&\
mkdir /dist/usr &&\
mkdir /dist/usr/local &&\
mkdir /dist/usr/local/3proxy &&\
mkdir /dist/usr/local/3proxy/conf &&\
mkdir /dist/usr/local/3proxy/libexec &&\
cp bin/3proxy /dist/bin &&\
cp bin/*.so /dist/usr/local/3proxy/libexec &&\
cp scripts/3proxy.cfg.inchroot /dist/etc/3proxy/3proxy.cfg
RUN cd /dist &&\
ln -s /lib lib64 &&\
ln -s /lib usr/lib &&\
ln -s /lib usr/lib64 &&\
cp /lib64/ld-*.so.* /dist/usr/local/3proxy/libexec &&\
cp "/lib/`gcc -dumpmachine`"/libdl.so.* /dist/usr/local/3proxy/libexec &&\
cp "/lib/`gcc -dumpmachine`"/libcrypto.so.* /dist/usr/local/3proxy/libexec &&\
cp "/lib/`gcc -dumpmachine`"/libssl.so.* /dist/usr/local/3proxy/libexec &&\
cp "/lib/`gcc -dumpmachine`"/libpcre2-8.so.* /dist/usr/local/3proxy/libexec &&\
cp "/lib/`gcc -dumpmachine`"/libz.so.* /dist/usr/local/3proxy/libexec &&\
cp "/lib/`gcc -dumpmachine`"/libzstd.so.* /dist/usr/local/3proxy/libexec &&\
ls -lR /dist
FROM docker.io/busybox:glibc
COPY --from=buildenv /dist /
RUN ln -sf /usr/local/3proxy/libexec/* /lib/ && cd /usr/local/3proxy/ && ln -s libexec lib && ln -s libexec lib64 && mkdir usr && ln -s libexec usr/lib && ln -s libexec usr//lib64
CMD ["/bin/3proxy", "/etc/3proxy/3proxy.cfg"]

8
Dockerfile.full
View File

@ -1,6 +1,6 @@
# 3proxy.full is fully functional 3proxy build based on busybox:glibc
# 3proxy.full is fully functional distroless 3proxy build
#
# Example are for podman, for docker change 'podman' to 'docker'
# Examples are for podman, for docker change 'podman' to 'docker'
#
#to build:
# podman build -f Dockerfile.full -t 3proxy.full .
@ -8,7 +8,7 @@
#
# echo nserver 8.8.8.8 >/path/to/local/config/directory/3proxy.cfg
# echo proxy -p3129 >>/path/to/local/config/directory/3proxy.cfg
# podman run --read-only -p 3129:3129 -v /path/to/local/config/directory:/etc/3proxy -name 3proxy.full 3proxy.full
# podman run --read-only -p 3129:3129 -v /path/to/local/config/directory:/etc/3proxy --name 3proxy.full 3proxy.full
#
# use "log" without pathname in config to log to stdout.
# plugins are located in /usr/local/3proxy/libexec (/libexec for chroot config)
@ -16,7 +16,7 @@
# to specify full path to plugin. SSLPlugin is supported.
#
# Since 0.9.6 image is distroless, no reason to use chroot, chroot
# configuration is supported for compatility only.
# configuration is supported for compatibility only.
FROM docker.io/gcc AS buildenv

22
Makefile.FreeBSD
View File

@ -5,9 +5,12 @@
# library support. Add -DSAFESQL for poorely written ODBC library / drivers.
BUILDDIR = ../bin/
PREFIX ?= 3proxy_
CRYPT_PREFIX ?= $(PREFIX)
MANDIR ?= /usr/share/man
CC ?= cc
CFLAGS := -c -fno-strict-aliasing -DNOODBC -DFD_SETSIZE=4096 -DWITH_POLL $(CFLAGS)
CFLAGS := -c -fno-strict-aliasing -DNOODBC -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_UN $(CFLAGS)
COUT = -o
LN ?= ${CC}
LDFLAGS += -pthread -fno-strict-aliasing
@ -29,7 +32,7 @@ AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Mak
TYPECOMMAND = cat
COMPATLIBS =
MAKEFILE = Makefile.FreeBSD
PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin
PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin FilePlugin
OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -otestssl testssl.o -lcrypto -lssl 2>/dev/null && rm testssl testssl.o && echo true||echo false)
ifeq ($(OPENSSL_CHECK), true)
LIBS += -l crypto -l ssl
@ -49,14 +52,25 @@ include Makefile.inc
install: all
if [ ! -d "/usr/local/3proxy/bin" ]; then mkdir -p /usr/local/3proxy/bin/; fi
install bin/3proxy /usr/local/3proxy/bin/3proxy
install bin/mycrypt /usr/local/3proxy/bin/mycrypt
install bin/$(CRYPT_PREFIX)crypt /usr/local/3proxy/bin/$(CRYPT_PREFIX)crypt
for f in proxy socks pop3p smtpp ftppr tcppm udppm tlspr; do \
if [ -f bin/$(PREFIX)$$f ]; then install bin/$(PREFIX)$$f /usr/local/3proxy/bin/$(PREFIX)$$f; fi; \
done
install scripts/rc.d/3proxy /usr/local/etc/rc.d/3proxy
install scripts/add3proxyuser.sh /usr/local/3proxy/bin/
if [ -s /usr/local/etc/3proxy/3proxy.cfg ]; then /usr/local/3proxy/3proxy.cfg already exists ; else install scripts/3proxy.cfg /usr/local/etc/3proxy/; fi
if [ -s /usr/local/etc/3proxy/3proxy.cfg ]; then echo /usr/local/3proxy/3proxy.cfg already exists; else install scripts/3proxy.cfg /usr/local/etc/3proxy/; fi
if [ ! -d /var/log/3proxy/ ]; then mkdir /var/log/3proxy/; fi
touch /usr/local/3proxy/passwd
touch /usr/local/3proxy/counters
touch /usr/local/3proxy/bandlimiters
install -d $(MANDIR)/man8
install -m 644 man/3proxy.8 $(MANDIR)/man8/3proxy.8
for f in proxy socks pop3p smtpp ftppr tcppm udppm tlspr; do \
if [ -f man/$$f.8 ]; then install -m 644 man/$$f.8 $(MANDIR)/man8/$(PREFIX)$$f.8; fi; \
done
install -m 644 man/3proxy_crypt.8 $(MANDIR)/man8
install -d $(MANDIR)/man5
install -m 644 man/3proxy.cfg.5 $(MANDIR)/man5/3proxy.cfg.5
echo Run /usr/local/3proxy/bin/add3proxyuser.sh to add \'admin\' user
allplugins:

36
Makefile.Linux
View File

@ -5,9 +5,11 @@
# library support. Add -DSAFESQL for poorely written ODBC library / drivers.
BUILDDIR = ../bin/
PREFIX ?= 3proxy_
CRYPT_PREFIX ?= $(PREFIX)
CC ?= gcc
CFLAGS := -g -fPIC -O2 -fno-strict-aliasing -c -pthread -DWITHSPLICE -D_GNU_SOURCE -DGETHOSTBYNAME_R -D_THREAD_SAFE -D_REENTRANT -DNOODBC -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_NETFILTER $(CFLAGS)
CFLAGS := -g -fPIC -O2 -fno-strict-aliasing -c -pthread -DWITHSPLICE -D_GNU_SOURCE -DGETHOSTBYNAME_R -D_THREAD_SAFE -D_REENTRANT -DNOODBC -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_NETFILTER -D WITH_UN $(CFLAGS)
COUT = -o
LN ?= ${CC}
DCFLAGS ?=
@ -32,7 +34,7 @@ MAKEFILE = Makefile.Linux
#LIBS = -lcrypto -lssl -ldl
LIBS ?= -ldl
#PLUGINS = SSLPlugin StringsPlugin TrafficPlugin PCREPlugin TransparentPlugin PamAuth
PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin
PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin FilePlugin
OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -otestssl testssl.o -lcrypto -lssl 2>/dev/null && rm testssl testssl.o && echo true||echo false)
ifeq ($(OPENSSL_CHECK), true)
LIBS += -l crypto -l ssl
@ -61,14 +63,15 @@ INSTALL = /usr/bin/install
INSTALL_BIN = $(INSTALL) -m 755
INSTALL_DATA = $(INSTALL) -m 644
INSTALL_OBJS = bin/3proxy \
bin/ftppr \
bin/mycrypt \
bin/pop3p \
bin/proxy \
bin/socks \
bin/tcppm \
bin/udppm \
bin/tlspr
bin/$(CRYPT_PREFIX)crypt \
bin/$(PREFIX)ftppr \
bin/$(PREFIX)pop3p \
bin/$(PREFIX)proxy \
bin/$(PREFIX)smtpp \
bin/$(PREFIX)socks \
bin/$(PREFIX)tcppm \
bin/$(PREFIX)tlspr \
bin/$(PREFIX)udppm
INSTALL_CFG = scripts/3proxy.cfg.chroot
@ -82,8 +85,7 @@ INSTALL_SYSTEMD_SCRIPT = scripts/3proxy.service
CHROOTDIR = $(DESTDIR)$(chroot_prefix)/3proxy
CHROOTREL = ../..$(chroot_prefix)/3proxy
MANDIR1 = $(DESTDIR)$(man_prefix)/man/man1
MANDIR3 = $(DESTDIR)$(man_prefix)/man/man3
MANDIR5 = $(DESTDIR)$(man_prefix)/man/man5
MANDIR8 = $(DESTDIR)$(man_prefix)/man/man8
BINDIR = $(DESTDIR)$(exec_prefix)/bin
ETCDIR = $(DESTDIR)/etc/3proxy
@ -126,10 +128,14 @@ install-etc: install-etc-dir install-etc-default-config
done;
install-man:
$(INSTALL_BIN) -d $(MANDIR3)
$(INSTALL_BIN) -d $(MANDIR5)
$(INSTALL_BIN) -d $(MANDIR8)
$(INSTALL_DATA) man/*.3 $(MANDIR3)
$(INSTALL_DATA) man/*.8 $(MANDIR8)
$(INSTALL_DATA) man/3proxy.cfg.5 $(MANDIR5)
$(INSTALL_DATA) man/3proxy.8 $(MANDIR8)
for f in proxy socks pop3p smtpp ftppr tcppm udppm tlspr; do \
if [ -f man/$$f.8 ]; then $(INSTALL_DATA) man/$$f.8 $(MANDIR8)/$(PREFIX)$$f.8; fi; \
done
$(INSTALL_DATA) man/3proxy_crypt.8 $(MANDIR8)
install-init:
$(INSTALL_BIN) -d $(INITDDIR)

2
Makefile.Solaris
View File

@ -6,7 +6,7 @@
# library support. Add -DSAFESQL for poorely written ODBC library / drivers.
BUILDDIR = ../bin/
CC = cc
CC ?= cc
CFLAGS = -xO3 -c -D_SOLARIS -D_THREAD_SAFE -DGETHOSTBYNAME_R -D_REENTRANT -DNOODBC -DFD_SETSIZE=4096 -DWITH_POLL
COUT = -o ./
LN = $(CC)

36
Makefile.Solaris-gcc
View File

@ -1,36 +0,0 @@
#
# 3 proxy Makefile for Solaris/gcc
#
#
# remove -DNOODBC from CFLAGS and add -lodbc to LDFLAGS to compile with ODBC
# library support. Add -DSAFESQL for poorely written ODBC library / drivers.
BUILDDIR = ../bin/
CC = gcc
CFLAGS = -O2 -fno-strict-aliasing -c -D_SOLARIS -D_THREAD_SAFE -DGETHOSTBYNAME_R -D_REENTRANT -DNOODBC -DFD_SETSIZE=4096 -DWITH_POLL
COUT = -o ./
LN = $(CC)
LDFLAGS = -O3
DCFLAGS = -fPIC
DLFLAGS = -shared
DLSUFFICS = .ld.so
LIBS = -lpthread -lsocket -lnsl -lresolv -ldl
LIBSPREFIX = -l
LIBSSUFFIX =
LNOUT = -o ./
EXESUFFICS =
OBJSUFFICS = .o
DEFINEOPTION = -D
COMPFILES = *~
REMOVECOMMAND = rm -f
AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -executable -delete) || true
TYPECOMMAND = cat
COMPATLIBS =
MAKEFILE = Makefile.Solaris-gcc
PLUGINS = StringsPlugin TrafficPlugin
include Makefile.inc
allplugins:
@list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ; cd ../.. ; done

2
Makefile.am
View File

@ -1,2 +0,0 @@
SUBDIRS = src man
EXTRA_DIST = doc cfg

24
Makefile.debug
View File

@ -1,24 +0,0 @@
#
# 3 proxy Makefile for Microsoft Visual C compiler (for both make and nmake)
#
BUILDDIR = ../bin/
CC = cl
CFLAGS = /FD /MDd /nologo /W3 /ZI /Wp64 /GS /Gs /RTCsu /EHs- /GA /GF /DEBUG /D "_DEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "_WIN32" /c
COUT = /Fo
LN = link
LDFLAGS = /nologo /subsystem:console /machine:I386 /DEBUG
LIBS = ws2_32.lib advapi32.lib odbc32.lib user32.lib
LNOUT = /out:
EXESUFFICS = .exe
OBJSUFFICS = .obj
DEFINEOPTION = /D
COMPFILES = *.pch *.idb
REMOVECOMMAND = del 2>NUL >NUL
TYPECOMMAND = type
COMPATLIBS =
MAKEFILE = Makefile.debug
include Makefile.inc
allplugins:

113
Makefile.openwrt-mips
View File

@ -1,113 +0,0 @@
#
# 3 proxy Makefile for GCC/Linux/Cygwin
#
#
# remove -DNOODBC from CFLAGS and add -lodbc to LIBS to compile with ODBC
# library support. Add -DSAFESQL for poorely written ODBC library / drivers.
BUILDDIR = ../bin/
CC = mips-openwrt-linux-gcc
CFLAGS ?= -g -O2 -fno-strict-aliasing -c -pthread -DGETHOSTBYNAME_R -D_THREAD_SAFE -D_REENTRANT -DNOODBC -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_NETFILTER
COUT = -o
LN = $(CC)
DCFLAGS = -fPIC
LDFLAGS ?= -O2 -fno-strict-aliasing -pthread -s
DLFLAGS = -shared
DLSUFFICS = .ld.so
# -lpthreads may be reuqired on some platforms instead of -pthreads
LIBSPREFIX = -l
LIBSSUFFIX =
LNOUT = -o
EXESUFFICS =
OBJSUFFICS = .o
DEFINEOPTION = -D
COMPFILES = *~
REMOVECOMMAND = rm -f
AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -executable -delete) || true
TYPECOMMAND = cat
COMPATLIBS =
MAKEFILE = Makefile.openwrt-mips
# PamAuth requires libpam, you may require pam-devel package to be installed
# SSLPlugin requires -lcrypto -lssl
#LIBS = -lcrypto -lssl -ldl
LIBS ?= -ldl
#PLUGINS = SSLPlugin StringsPlugin TrafficPlugin PCREPlugin TransparentPlugin PamAuth
PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin
OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l crypto -l ssl -o testssl - 2>/dev/null && rm testssl && echo true||echo false)
ifeq ($(OPENSSL_CHECK), true)
LIBS += -l crypto -l ssl
PLUGINS += SSLPlugin
endif
PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include <pcre2.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l pcre2-8 -o testpcre - 2>/dev/null && rm testpcre && echo true||echo false)
ifeq ($(PCRE_CHECK), true)
PLUGINS += PCREPlugin
endif
PAM_CHECK = $(shell echo "\#include <security/pam_appl.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l pam -o testpam - 2>/dev/null && rm testpam && echo true||echo false)
ifeq ($(PAM_CHECK), true)
PLUGINS += PamAuth
endif
include Makefile.inc
allplugins:
@list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ; cd ../.. ; done
DESTDIR =
prefix = /usr/local
exec_prefix = $(prefix)
man_prefix = $(prefix)/share
INSTALL = /usr/bin/install
INSTALL_BIN = $(INSTALL) -m 755
INSTALL_DATA = $(INSTALL) -m 644
INSTALL_OBJS = src/3proxy \
src/ftppr \
src/mycrypt \
src/pop3p \
src/proxy \
src/socks \
src/tcppm \
src/udppm
INSTALL_CFG_OBJS = scripts/3proxy.cfg \
scripts/add3proxyuser.sh
INSTALL_CFG_DEST = config
INSTALL_CFG_OBJS2 = passwd counters bandlimiters
MANDIR1 = $(DESTDIR)$(man_prefix)/man/man1
MANDIR3 = $(DESTDIR)$(man_prefix)/man/man3
MANDIR8 = $(DESTDIR)$(man_prefix)/man/man8
BINDIR = $(DESTDIR)$(exec_prefix)/bin
ETCDIR = $(DESTDIR)$(prefix)/etc/3proxy
install-bin:
$(INSTALL_BIN) -d $(BINDIR)
$(INSTALL_BIN) -s $(INSTALL_OBJS) $(BINDIR)
install-etc-dir:
$(INSTALL_BIN) -d $(ETCDIR)
install-etc-default-config:
if [ -f $(ETCDIR)/$(INSTALL_CFG_DEST) ]; then \
: ; \
else \
$(INSTALL_DATA) $(INSTALL_CFG_OBJS) $(ETCDIR)/$(INSTALL_CFG_DEST) \
fi
install-etc: install-etc-dir
for file in $(INSTALL_CFG_OBJS2); \
do \
touch $(ETCDIR)/$$file; chmod 0600 $(ETCDIR)/$$file; \
done;
install-man:
$(INSTALL_BIN) -d $(MANDIR3)
$(INSTALL_BIN) -d $(MANDIR8)
$(INSTALL_DATA) man/*.3 $(MANDIR3)
$(INSTALL_DATA) man/*.8 $(MANDIR8)
install: install-bin install-etc install-man

22
Makefile.unix
View File

@ -6,10 +6,13 @@
# library support. Add -DSAFESQL for poorely written ODBC library / drivers.
BUILDDIR = ../bin/
PREFIX ?= 3proxy_
CRYPT_PREFIX ?= $(PREFIX)
MANDIR ?= /usr/share/man
CC ?= gcc
# you may need -L/usr/pkg/lib for older NetBSD versions
CFLAGS := -g -O2 -fno-strict-aliasing -c -pthread -D_THREAD_SAFE -D_REENTRANT -DNOODBC -DFD_SETSIZE=4096 -DWITH_POLL $(CFLAGS)
CFLAGS := -g -O2 -fno-strict-aliasing -c -pthread -D_THREAD_SAFE -D_REENTRANT -DNOODBC -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_UN $(CFLAGS)
COUT = -o
LN ?= $(CC)
LDFLAGS ?= -O2 -fno-strict-aliasing -pthread
@ -31,7 +34,7 @@ AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Mak
TYPECOMMAND = cat
COMPATLIBS =
MAKEFILE = Makefile.unix
PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin
PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin FilePlugin
OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -otestssl testssl.o -lcrypto -lssl 2>/dev/null && rm testssl testssl.o && echo true||echo false)
ifeq ($(OPENSSL_CHECK), true)
LIBS += -l crypto -l ssl
@ -51,14 +54,25 @@ include Makefile.inc
install: all
if [ ! -d "/usr/local/3proxy/bin" ]; then mkdir -p /usr/local/3proxy/bin/; fi
install bin/3proxy /usr/local/3proxy/bin/3proxy
install bin/mycrypt /usr/local/3proxy/bin/mycrypt
install bin/$(CRYPT_PREFIX)crypt /usr/local/3proxy/bin/$(CRYPT_PREFIX)crypt
for f in proxy socks pop3p smtpp ftppr tcppm udppm tlspr; do \
if [ -f bin/$(PREFIX)$$f ]; then install bin/$(PREFIX)$$f /usr/local/3proxy/bin/$(PREFIX)$$f; fi; \
done
install scripts/rc.d/3proxy /usr/local/etc/rc.d/3proxy
install scripts/add3proxyuser.sh /usr/local/3proxy/bin/
if [ -s /usr/local/etc/3proxy/3proxy.cfg ]; then /usr/local/3proxy/3proxy.cfg already exists ; else install scripts/3proxy.cfg /usr/local/etc/3proxy/; fi
if [ -s /usr/local/etc/3proxy/3proxy.cfg ]; then echo /usr/local/3proxy/3proxy.cfg already exists; else install scripts/3proxy.cfg /usr/local/etc/3proxy/; fi
if [ ! -d /var/log/3proxy/ ]; then mkdir /var/log/3proxy/; fi
touch /usr/local/3proxy/passwd
touch /usr/local/3proxy/counters
touch /usr/local/3proxy/bandlimiters
install -d $(MANDIR)/man8
install -m 644 man/3proxy.8 $(MANDIR)/man8/3proxy.8
for f in proxy socks pop3p smtpp ftppr tcppm udppm tlspr; do \
if [ -f man/$$f.8 ]; then install -m 644 man/$$f.8 $(MANDIR)/man8/$(PREFIX)$$f.8; fi; \
done
install -m 644 man/3proxy_crypt.8 $(MANDIR)/man8
install -d $(MANDIR)/man5
install -m 644 man/3proxy.cfg.5 $(MANDIR)/man5/3proxy.cfg.5
echo Run /usr/local/3proxy/bin/add3proxyuser.sh to add \'admin\' user
allplugins:

2
Makefile.win
View File

@ -26,7 +26,7 @@ REMOVECOMMAND = rm -f
TYPECOMMAND = cat
COMPATLIBS =
MAKEFILE = Makefile.win
PLUGINS := utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin
PLUGINS := utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin FilePlugin
VERFILE := 3proxyres.o $(VERFILE)
VERSION := $(VERSION)
VERSIONDEP := 3proxyres.o $(VERSIONDEP)

276
README
View File

@ -1,276 +0,0 @@
# 3APA3A 3proxy tiny proxy server
(c) 2002-2025 by Vladimir '3APA3A' Dubrovin <3proxy@3proxy.org>
Branches:
Master (stable) branch - 3proxy 0.9
Devel branch - 3proxy 10 (don't use it)
* Download
Binaries and sources for released (master) versions (Windows, Linux):
https://github.com/z3APA3A/3proxy/releases
Docker images:
https://hub.docker.com/r/3proxy/3proxy
Archive of old versions: https://github.com/z3APA3A/3proxy-archive
* Documentation
Documentation (man pages and HTML) available with download, on https://3proxy.org/
and in github wiki https://github.com/3proxy/3proxy/wiki
* Windows installation
3proxy [path_to_config_file] --install
installs and starts proxy as Windows service
(config file should be located in the same directory or may be optionally specified)
3proxy --remove
removes the service (should be stopped before via
'net stop 3proxy').
* To build in Linux
With Makefile:
git clone https://github.com/z3apa3a/3proxy
cd 3proxy
ln -s Makefile.Linux Makefile
make
sudo make install
Default configuration (for Linux/Unix):
3proxy uses 2 configuration files:
/etc/3proxy/3proxy.cfg (before-chroot). This configuration file is executed before chroot and should not be modified.
/usr/local/3proxy/conf/3proxy.cfg symlinked from /etc/3proxy/conf/3proxy.cfg (after-chroot) is a main configuration file. Modify this file, if required.
All paths in /usr/local/3proxy/conf/3proxy.cfg are relative to chroot directory (/usr/local/3proxy). For future versions it's planned to move
3proxy chroot direcory to /var.
Log files are created in /usr/local/3proxy/logs symlinked from /var/log/3proxy.
By default, socks is started on 0.0.0.0:1080 and proxy on 0.0.0.0:3128 with basic auth, no users are added by default.
use /etc/3proxy/conf/add3proxyuser.sh script to add users.
usage: /etc/3proxy/conf/add3proxyuser.sh username password [day_limit] [bandwidth]
day_limit - traffic limit in MB per day
bandwidth - bandwith in bits per second 1048576 = 1Mbps
or modify /etc/3proxy/conf/ files directly.
With CMake:
git clone https://github.com/z3apa3a/3proxy
cd 3proxy
mkdir build && cd build
cmake ..
cmake --build .
sudo cmake --install .
CMake does not use chroot configuration, config file is /etc/3proxy/3proxy.cfg
* For MacOS X / FreeBSD / *BSD
With Makefile:
git clone https://github.com/z3apa3a/3proxy
cd 3proxy
ln -s Makefile.FreeBSD Makefile
make
(binaries are in bin/ directory)
With CMake (recommended):
git clone https://github.com/z3apa3a/3proxy
cd 3proxy
mkdir build && cd build
cmake ..
cmake --build .
sudo cmake --install .
This installs binaries to /usr/local/bin/, configuration to /etc/3proxy/,
plugins to /usr/local/lib/3proxy/, rc scripts to rc.d for BSD and launchd plist to /Library/LaunchDaemons/ for MacOS.
Service management on macOS:
# Load and start service
sudo launchctl load /Library/LaunchDaemons/org.3proxy.3proxy.plist
# Stop service
sudo launchctl stop org.3proxy.3proxy
# Start service
sudo launchctl start org.3proxy.3proxy
# Unload and disable service
sudo launchctl unload /Library/LaunchDaemons/org.3proxy.3proxy.plist
Features:
1. General
+ IPv6 support for incoming and outgoing connection,
can be used as a proxy between IPv4 and IPv6 networks
in either direction.
+ HTTP/1.1 Proxy with keep-alive client and server support,
transparent proxy support.
+ HTTPS (CONNECT) proxy (compatible with HTTP/2 / SPDY)
+ Anonymous and random client IP emulation for HTTP proxy mode
+ FTP over HTTP support.
+ DNS caching with built-in resolver
+ DNS proxy
+ DNS over TCP support, redirecting DNS traffic via parent
proxy
+ SOCKSv4/4.5 Proxy
+ SOCKSv5 Proxy
+ SOCKSv5 UDP and BIND support (fully compatible with
SocksCAP/FreeCAP for UDP)
+ Transparent SOCKS redirection for HTTP, POP3, FTP, SMTP
+ SNI proxy (based on TLS hostname)
+ TLS (SSL) server - may be used as https:// type proxy
+ POP3 Proxy
+ FTP proxy
+ TCP port mapper (port forwarding)
+ UDP port mapper (port forwarding)
+ SMTP proxy
+ Threaded application (no child process).
+ Web administration and statistics
+ Plugins for functionality extension
+ Native 32/64 bit application
2. Proxy chaining and network connections
+ Can be used as a bridge between client and different proxy type
(e.g. convert incoming HTTP proxy request from client to SOCKSv5
request to parent server).
+ Connect back proxy support to bypass firewalls
+ Parent proxy support for any type of incoming connection
+ Username/password authentication for parent proxy(s).
+ HTTPS/SOCKS4/SOCKS5 and ip/port redirection parent support
+ Random parent selection
+ Chain building (multihop proxing)
+ Load balancing between few network connections by choosing network
interface
3. Logging
+ tuneable log format compatible with any log parser
+ stdout logging
+ file logging
+ syslog logging (Unix)
+ ODBC logging
+ RADIUS accounting
+ log file rotation
+ automatic log file processing with external archiver (for files)
+ Character filtering for log files
+ different log files for different servces are supported
4. Access control
+ ACL-driven Access control by username, source IP,
destination IP/hostname, destination port and destination action
(POST, PUT, GET, etc), weekday and daytime.
+ ACL-driven (user/source/destination/protocol/weekday/daytime or
combined) bandwith limitation for incoming and (!)outgoing trafic.
+ ACL-driven traffic limitation per day, week or month for incoming and
outgoing traffic
+ Connection limitation and ratelimting
+ User authentication by username / password
+ RADIUS Authentication and Authorization
+ User authentication by DNS hostname
+ Authentication cache with possibility to limit user to single IP address
+ Access control by username/password for SOCKSv5 and HTTP/HTTPS/FTP
+ Cleartext or encrypted (crypt/MD5 or NT) passwords.
+ Connection redirection
+ Access control by requested action (CONNECT/BIND,
HTTP GET/POST/PUT/HEAD/OTHER).
+ All access control entries now support weekday and time limitations
+ Hostnames and * templates are supported instead of IP address
5. Extensions
+ Regular expression filtering (with PCRE2) via PCREPlugin
+ Authentication with Windows username/password (cleartext only)
+ SSL/TLS decryptions with certificate spoofing
+ Transparent redirection support for Linux and *BSD
6. Configuration
+ support for configuration files
+ support for includes in configuration files
+ interface binding
+ socket options
+ running as daemon process
+ utility for automated networks list building
+ configuration reload on any file change
Unix
+ support for chroot
+ support for setgid
+ support for setuid
+ support for signals (SIGUSR1 to reload configuration)
Windows
+ support --install as service
+ support --remove as service
+ support for service START, STOP, PAUSE and CONTINUE commands (on
PAUSE no new connection accepted, but active connections still in
progress, on CONTINUE configuration is reloaded)
Windows 95/98/ME
+ support --install as service
+ support --remove as service
6. Compilation
+ MSVC (static)
+ OpenWatcom (static)
+ Intel Windows Compiler (msvcrt.dll)
+ Windows/gcc (msvcrt.dll)
+ Cygwin/gcc (cygwin.dll)
+ Unix/gcc
+ Unix/ccc
+ Solaris
+ Mac OS X, iPhone OS
+ Linux and derivered systems
+ Lite version for Windows 95/98/NT/2000/XP/2003
+ 32 bit and 64 bit versions for Windows Vista and above, Windows 2008 server and above
3proxy Combined proxy server may be used as
executable or service (supports installation and removal).
It uses config file to read it's configuration (see
3proxy.cfg.sample for details).
3proxy.exe is all-in-one, it doesn't require all others .exe
to work.
See 3proxy.cfg.sample for examples, see man 3proxy.cfg
proxy HTTP proxy server, binds to port 3128
ftppr FTP proxy server, binds to port 21
socks SOCKS 4/5 proxy server, binds to port 1080
ftppr FTP proxy server, please do not mess it with FTP over HTTP
proxy used in browsers
pop3p POP3 proxy server, binds to port 110. You must specify
POP3 username as username@target.host.ip[:port]
port is 110 by default.
Exmple: in Username configuration for you e-mail reader
set someuser@pop.example.org, to obtains mail for someuser
from pop.somehost.ru via proxy.
smtpp SMTP proxy server, binds to port 25. You must specify
SMTP username as username@target.host.ip[:port]
port is 25 by default.
Exmple: in Username configuration for you e-mail reader
set someuser@mail.example.org, to send mail as someuser
via mail.somehost.ru via proxy.
tcppm TCP port mapping. Maps some TCP port on local machine to
TCP port on remote host.
tlspr TLS proxy (SNI proxy) - sniffs hostname from TLS handshake
udppm UDP port mapping. Maps some UDP port on local machine to
UDP port on remote machine. Only one user simulationeously
can use UDP mapping, so it cann't be used for public service
in large networks. It's OK to use it to map to DNS server
in small network or to map Counter-Strike server for single
client (you can use few mappings on different ports for
different clients in last case).
mycrypt Program to obtain crypted password fro cleartext. Supports
both MD5/crypt and NT password.
mycrypt password
produces NT password
mycrypt salt password
produces MD5/crypt password with salt "salt".
Run utility with --help option for command line reference.
Latest version is available from https://3proxy.org/
Want to donate the project? https://3proxy.org/donations/

303
README.md Normal file
View File

@ -0,0 +1,303 @@
# 3APA3A 3proxy tiny proxy server
(c) 2002-2025 by Vladimir '3APA3A' Dubrovin <3APA3A@security.nnov.ru>
## Branches
- **Master** (stable) branch - 3proxy 0.9
- **Devel** branch - 3proxy 10 (don't use it)
## Download
Binaries and sources for released (master) versions (Windows, Linux):
https://github.com/z3APA3A/3proxy/releases
Docker images:
https://hub.docker.com/r/3proxy/3proxy
Archive of old versions:
https://github.com/z3APA3A/3proxy-archive
## Documentation
Documentation (man pages and HTML) available with download, on https://3proxy.org/ and in github wiki https://github.com/3proxy/3proxy/wiki
## Windows Installation
Install and start proxy as Windows service:
```bash
3proxy [path_to_config_file] --install
```
Config file should be located in the same directory or may be optionally specified.
Remove the service (should be stopped before via `net stop 3proxy`):
```bash
3proxy --remove
```
## Building on Linux
### With Makefile
```bash
git clone https://github.com/z3apa3a/3proxy
cd 3proxy
ln -s Makefile.Linux Makefile
make
sudo make install
```
### Default Configuration (Linux/Unix)
3proxy uses 2 configuration files:
- `/etc/3proxy/3proxy.cfg` (before-chroot) - This configuration file is executed before chroot and should not be modified.
- `/usr/local/3proxy/conf/3proxy.cfg` symlinked from `/etc/3proxy/conf/3proxy.cfg` (after-chroot) - Main configuration file. Modify this file if required.
All paths in `/usr/local/3proxy/conf/3proxy.cfg` are relative to chroot directory (`/usr/local/3proxy`). For future versions it's planned to move 3proxy chroot directory to `/var`.
Log files are created in `/usr/local/3proxy/logs` symlinked from `/var/log/3proxy`.
By default, socks is started on 0.0.0.0:1080 and proxy on 0.0.0.0:3128 with basic auth, no users are added by default.
### Adding Users
Use `/etc/3proxy/conf/add3proxyuser.sh` script to add users:
```bash
/etc/3proxy/conf/add3proxyuser.sh username password [day_limit] [bandwidth]
```
Parameters:
- `day_limit` - traffic limit in MB per day
- `bandwidth` - bandwidth in bits per second (1048576 = 1Mbps)
Or modify `/etc/3proxy/conf/` files directly.
### With CMake
```bash
git clone https://github.com/z3apa3a/3proxy
cd 3proxy
mkdir build && cd build
cmake ..
cmake --build .
sudo cmake --install .
```
CMake does not use chroot configuration, config file is `/etc/3proxy/3proxy.cfg`
## MacOS X / FreeBSD / *BSD
### With Makefile
```bash
git clone https://github.com/z3apa3a/3proxy
cd 3proxy
ln -s Makefile.FreeBSD Makefile
make
```
Binaries are in `bin/` directory.
### With CMake (recommended)
```bash
git clone https://github.com/z3apa3a/3proxy
cd 3proxy
mkdir build && cd build
cmake ..
cmake --build .
sudo cmake --install .
```
This installs:
- Binaries to `/usr/local/bin/`
- Configuration to `/etc/3proxy/`
- Plugins to `/usr/local/lib/3proxy/`
- rc scripts to `rc.d` for BSD
- launchd plist to `/Library/LaunchDaemons/` for MacOS
### Service Management on macOS
```bash
# Load and start service
sudo launchctl load /Library/LaunchDaemons/org.3proxy.3proxy.plist
# Stop service
sudo launchctl stop org.3proxy.3proxy
# Start service
sudo launchctl start org.3proxy.3proxy
# Unload and disable service
sudo launchctl unload /Library/LaunchDaemons/org.3proxy.3proxy.plist
```
## Features
### 1. General
- IPv4 / IPv6 support for incoming and outgoing connection, can be used as a proxy between IPv4 and IPv6 networks in either direction
- Unix domain sockets support
- HTTP/1.1 Proxy with keep-alive client and server support, transparent proxy support
- HTTPS (CONNECT) proxy (compatible with HTTP/2 / SPDY)
- Anonymous and random client IP emulation for HTTP proxy mode
- FTP over HTTP support
- DNS caching with built-in resolver
- DNS proxy
- DNS over TCP support, redirecting DNS traffic via parent proxy
- SOCKSv4/4.5 Proxy
- SOCKSv5 Proxy
- SOCKSv5 UDP and BIND support (fully compatible with SocksCAP/FreeCAP for UDP)
- Transparent SOCKS redirection for HTTP, POP3, FTP, SMTP
- SNI proxy (based on TLS hostname)
- TLS (SSL) server and client, 3proxy may be used as https:// type proxy or stunnel replacement
- POP3 Proxy
- FTP proxy
- TCP port mapper (port forwarding)
- UDP port mapper (port forwarding)
- SMTP proxy
- Threaded application (no child process)
- Web administration and statistics
- Plugins for functionality extension
- Native 32/64 bit application
### 2. Proxy Chaining and Network Connections
- Can be used as a bridge between client and different proxy type (e.g. convert incoming HTTP proxy request from client to SOCKSv5 request to parent server)
- Connect back proxy support to bypass firewalls
- Parent proxy support for any type of incoming connection
- Username/password authentication for parent proxy(s)
- HTTPS/SOCKS4/SOCKS5 and ip/port redirection parent support
- Random parent selection
- Chain building (multihop proxing)
- Load balancing between few network connections by choosing network interface
### 3. Logging
- Tuneable log format compatible with any log parser
- stdout logging
- File logging
- Syslog logging (Unix)
- ODBC logging
- RADIUS accounting
- Log file rotation
- Automatic log file processing with external archiver (for files)
- Character filtering for log files
- Different log files for different services are supported
### 4. Access Control
- ACL-driven Access control by username, source IP, destination IP/hostname, destination port and destination action (POST, PUT, GET, etc), weekday and daytime
- ACL-driven (user/source/destination/protocol/weekday/daytime or combined) bandwidth limitation for incoming and (!)outgoing traffic
- ACL-driven traffic limitation per day, week or month for incoming and outgoing traffic
- Connection limitation and ratelimiting
- User authentication by username / password
- RADIUS Authentication and Authorization
- User authentication by DNS hostname
- Authentication cache with possibility to limit user to single IP address
- Access control by username/password for SOCKSv5 and HTTP/HTTPS/FTP
- Cleartext or encrypted passwords
- Connection redirection
- Access control by requested action (CONNECT/BIND, HTTP GET/POST/PUT/HEAD/OTHER)
- All access control entries now support weekday and time limitations
- Hostnames and * templates are supported instead of IP address
### 5. Extensions
- Regular expression filtering (with PCRE2) via PCREPlugin
- Authentication with Windows username/password (cleartext only)
- SSL/TLS decryptions with certificate spoofing
- Transparent redirection support for Linux and *BSD
### 6. Configuration
- Support for configuration files
- Support for includes in configuration files
- Interface binding
- Socket options
- Running as daemon process
- Utility for automated networks list building
- Configuration reload on any file change
**Unix:**
- Support for chroot
- Support for setgid
- Support for setuid
- Support for signals (SIGUSR1 to reload configuration)
**Windows:**
- Support `--install` as service
- Support `--remove` as service
- Support for service START, STOP, PAUSE and CONTINUE commands (on PAUSE no new connection accepted, but active connections still in progress, on CONTINUE configuration is reloaded)
**Windows 95/98/ME:**
- Support `--install` as service
- Support `--remove` as service
### 7. Compilation
- MSVC (static)
- OpenWatcom (static)
- Intel Windows Compiler (msvcrt.dll)
- Windows/gcc (msvcrt.dll)
- Cygwin/gcc (cygwin.dll)
- Unix/gcc
- Unix/ccc
- Solaris
- Mac OS X, iPhone OS
- Linux and derived systems
- Lite version for Windows 95/98/NT/2000/XP/2003
- 32 bit and 64 bit versions for Windows Vista and above, Windows 2008 server and above
## Executables
### 3proxy
Combined proxy server may be used as executable or service (supports installation and removal). It uses config file to read its configuration (see `3proxy.cfg.sample` for details). `3proxy.exe` is all-in-one, it doesn't require all others .exe to work. See `3proxy.cfg.sample` for examples, see `man 3proxy.cfg`
### proxy
HTTP proxy server, binds to port 3128
### ftppr
FTP proxy server, binds to port 21. Please do not mess it with FTP over HTTP proxy used in browsers
### socks
SOCKS 4/5 proxy server, binds to port 1080
### pop3p
POP3 proxy server, binds to port 110. You must specify POP3 username as `username@popserver[:port]` (port is 110 by default).
Example: in Username configuration for your e-mail reader set `someuser@pop.somehost.ru`, to obtain mail for someuser from pop.somehost.ru via proxy.
### smtpp
SMTP proxy server, binds to port 25. You must specify SMTP username as `username@smtpserver[:port]` (port is 25 by default).
Example: in Username configuration for your e-mail reader set `someuser@mail.somehost.ru`, to send mail as someuser via mail.somehost.ru via proxy.
### tcppm
TCP port mapping. Maps some TCP port on local machine to TCP port on remote host.
### tlspr
TLS proxy (SNI proxy) - sniffs hostname from TLS handshake
### udppm
UDP port mapping. Maps some UDP port on local machine to UDP port on remote machine. Only one user simultaneously can use UDP mapping, so it can't be used for public service in large networks. It's OK to use it to map to DNS server in small network or to map Counter-Strike server for single client (you can use few mappings on different ports for different clients in last case).
### 3proxy_crypt
Program to obtain crypted password for cleartext. Supports both salted and NT password.
```bash
3proxy_crypt password # produces NT password
3proxy_crypt salt password # produces password hash with salt "salt"
```
---
Run utility with `--help` option for command line reference.
Latest version is available from https://3proxy.org/
Want to donate the project? https://3proxy.org/donations/

24
cfg/3proxy.cfg.sample
View File

@ -2,7 +2,7 @@
# Yes, 3proxy.cfg can be executable, in this case you should place
# something like
#config /usr/local/3proxy/3proxy.cfg
# to show which configuration 3proxy should re-read on realod.
# to show which configuration 3proxy should re-read on reload.
#system "echo Hello world!"
# you may use system to execute some external command if proxy starts
@ -24,7 +24,7 @@ timeouts 1 5 30 60 180 1800 15 60
# Here we can change timeout values
users 3APA3A:CL:3apa3a "test:CR:$1$qwer$CHFTUFGqkjue9HyhcMHEe1"
# note that "" required, overvise $... is treated as include file name.
# note that "" required, otherwise $... is treated as include file name.
# $1$qwer$CHFTUFGqkjue9HyhcMHEe1 is 'test' in MD5 crypt format.
#users $/usr/local/etc/3proxy/passwd
# this example shows you how to include passwd file. For included files
@ -39,7 +39,7 @@ service
#log /var/log/3proxy/log D
log c:\3proxy\logs\3proxy.log D
# log allows to specify log file location and rotation, D means logfile
# log allows you to specify log file location and rotation, D means logfile
# is created daily
#logformat "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
@ -60,7 +60,7 @@ log c:\3proxy\logs\3proxy.log D
#
#Compatible with ISA 2000/2004 firewall FWSEXTD.log (fields are TAB-delimited):
#
#"- + L%C %U unnknown:0:0.0 N %Y-%m-%d %H:%M:%S fwsrv 3PROXY - %n %R %r %D %O %I %r TCP Connect - - - %E - - - - -"
#"- + L%C %U unknown:0:0.0 N %Y-%m-%d %H:%M:%S fwsrv 3PROXY - %n %R %r %D %O %I %r TCP Connect - - - %E - - - - -"
#
#Compatible with HTTPD standard log (Apache and others)
#
@ -90,7 +90,7 @@ auth iponly
# auth specifies type of user authentication. If you specify none proxy
# will not do anything to check name of the user. If you specify
# nbname proxy will send NetBIOS name request packet to UDP/137 of
# client and parse request for NetBIOS name of messanger service.
# client and parse request for NetBIOS name of messenger service.
# Strong means that proxy will check password. For strong authentication
# unknown user will not be allowed to use proxy regardless of ACL.
# If you do not want username to be checked but wanna ACL to work you should
@ -102,7 +102,7 @@ auth iponly
#parent 1000 http 192.168.1.2 80 * * * 80
#allow * 192.168.1.0/24 * 25,53,110,20-21,1024-65535
# we will allow everything if username matches ADMINISTRATOR or root or
# client ip is 127.0.0.1 or 192.168.1.1. Overwise we will redirect any request
# client ip is 127.0.0.1 or 192.168.1.1. Otherwise we will redirect any request
# to port 80 to our Web-server 192.168.0.2.
# We will allow any outgoing connections from network 192.168.1.0/24 to
# SMTP, POP3, FTP, DNS and unprivileged ports.
@ -124,7 +124,7 @@ internal 192.168.1.1
# have open proxy in your network in this case.
auth none
# no authentication is requires
# no authentication is required
dnspr
@ -134,7 +134,7 @@ dnspr
#external $./external.ip
#internal $./internal.ip
# this is just an alternative form fo giving external and internal address
# this is just an alternative form for giving external and internal address
# allows you to read this addresses from files
auth none
@ -149,7 +149,7 @@ tcppm 25 mail.my.provider 25
# Now we can use our proxy as SMTP and DNS server.
# -s switch for UDP means "single packet" service - instead of setting
# association for period of time association will only be set for 1 packet.
# It's very userfull for services like DNS but not for some massive services
# It's very useful for services like DNS but not for some massive services
# like multimedia streams or online games.
auth strong
@ -158,7 +158,7 @@ internal 127.0.0.1
allow 3APA3A 127.0.0.1
maxconn 3
admin
#only allow acces to admin interface for user 3APA3A from 127.0.0.1 address
#only allow access to admin interface for user 3APA3A from 127.0.0.1 address
#via 127.0.0.1 address.
# map external 80 and 443 ports to internal Web server
@ -178,14 +178,14 @@ admin
#chroot /usr/local/jail
#setgid 65535
#setuid 65535
# now we needn't any root rights. We can chroot and setgid/setuid.
# now we no longer need root rights. We can chroot and setgid/setuid.
auth strong
flush
# We want to protect internal interface
deny * * 127.0.0.1,192.168.1.1
# and llow HTTP and HTTPS traffic.
# and allow HTTP and HTTPS traffic.
allow * * * 80-88,8080-8088 HTTP
allow * * * 443,8443 HTTPS
proxy -n

19
debian/3proxy.manpages vendored
View File

@ -1,10 +1,11 @@
man/3proxy.8
man/3proxy.cfg.3
man/ftppr.8
man/pop3p.8
man/tlspr.8
man/proxy.8
man/smtpp.8
man/socks.8
man/tcppm.8
man/udppm.8
man/3proxy.cfg.5
man/3proxy_ftppr.8
man/3proxy_pop3p.8
man/3proxy_tlspr.8
man/3proxy_proxy.8
man/3proxy_smtpp.8
man/3proxy_socks.8
man/3proxy_tcppm.8
man/3proxy_udppm.8
man/3proxy_crypt.8

26
doc/changelog/0/7/0 Normal file
View File

@ -0,0 +1,26 @@
3proxy 0.7
This release is partially forced: while no new significant functions are
added, 0.7 is code is much more stable and less buggy than 0.6. Since
there is no new development for a long time, except few minor bugfixes,
I decided to finally release 0.7. You may want it if you:
Use HTTP proxy
Use 3proxy under *BSD/Mac OS X/iPhone OS
Use plugins, specially traffic related ones, like PCRE.
I have no time for active developement. There are interesting features
in nearly ready state, e.g. SSL support / SSL decryption via
certificates spoofing, NAT support and SSL auto-detection. You can step
into development, if you are interested.
There are some configuration changes:
auth iponly is now default (because most misconfigurations were
because of default auth none)
maxconn is now 500 by default (because WebKit browsers ignore
standards and create a lot of connections even if proxy is configured)
NTLM is disabled by default (-n options, -n1 to enable) because
NTLMv1 is disabled by default in Windows since Vista and there is no
NTLMv2 library with compatible license. Report me, if any.

35
doc/changelog/0/7/1 Normal file
View File

@ -0,0 +1,35 @@
3proxy-0.7.1.4
!! Fix transparent flag not reset after keep-alive connection, can lead to
3proxy-0.7.1.3
! traffic displayed incorrectly
! archiver doesn't add suffix if logname contains macro
! fix potential race condition on configuration reload
! fix FTP over HTTP authentication
3proxy-0.7.1.2
! Request / header size limitation relaxed for HTTP proxy
3proxy 0.7.1.1
! Linux compilation issues resolved
3proxy 0.7.1
Minor improvements and bugfixes:
+ Windows icons added
+ Warnings added for most common misconfigurations
+ ftppr NLSD command supported
! Ignore NTLM handshake if NTLM is not enabled
!! memcpy replaced with memmove for overlapped region
! better EINTR handling on *nix
! FTP proxy debugging output removed (introduced in 0.7), binding for data connection corrected
! memory leak fixed in ldapauth plugin

9
doc/changelog/0/8/0 Normal file
View File

@ -0,0 +1,9 @@
+ IPv6 support
+ back connect support
+ name resolution over TCP, parent proxy support for dnspr
+ SSLPlugin for TLS/SSL traffic decryption
! multiple race conditions fixed
! reduced memory usage
! Generate Forwarded: header instead of X-Forwarded-For:
! Default name resolution is non-blocking in *nix
! multiple race conditions fixed on configuration reload

1
doc/changelog/0/8/1 Normal file
View File

@ -0,0 +1 @@
!!Fix: destination IP may be not checked against ACL

2
doc/changelog/0/8/10 Normal file
View File

@ -0,0 +1,2 @@
! Fix: parent proxy can be used in some cases where it shouldn't
! Fix: bandlimiters may not work for older connections on configuration reload

9
doc/changelog/0/8/11 Normal file
View File

@ -0,0 +1,9 @@
Minor bugfixes / improvements:
! Fixed: deadlock on insufficient resources
! Fixed: race condition in ssl_plugin
! Fixed: minor memory leak on configuration reload
! Fixed: recursion detection was not working
! Fixed: %n for IPv6 in logging terminates log record
! Fixed: reverse PTR validation (required for dnsauth)
! Fixed: error on external 0.0.0.0 for NOIPV6 (light version)
+ Better support for IPv6 in ftppr

5
doc/changelog/0/8/12 Normal file
View File

@ -0,0 +1,5 @@
Bugfixes:
! Fixed hostname support in SOCKSv5 UDP portmapping
! -fno-strict-aliasing added to gcc options (compiling without this option can lead to unpredictable issues under Debian with gcc 6 and potentially others)
! Fixed LDAP plugin compilation issues (LDAP plugin is still listed as unsupported though)
and some minor fixes and improvements.

3
doc/changelog/0/8/13 Normal file
View File

@ -0,0 +1,3 @@
Bugfixes:
!! Fixed out-of-bound write and few minor bugs on configuration saving in admin
! fixed: $ is not correctly handled in the beginning of quoted line on configuration parsing

3
doc/changelog/0/8/2 Normal file
View File

@ -0,0 +1,3 @@
!! Fix transparent flag not reset after keep-alive connection, can lead to DoS by authenticated user.
! Do not use SO_REUSEADDR by default (leads to random 00013 errors under some glibc versions)
! Use SASIZE() instead of sizeof() in bind() for FreeBSD compatibility

1
doc/changelog/0/8/3 Normal file
View File

@ -0,0 +1 @@
! fixed: use SASIZE() instead of sizeof() in connect() for FreeBSD compatibility

5
doc/changelog/0/8/4 Normal file
View File

@ -0,0 +1,5 @@
+ Build PamPlugin on *nix
+ stacksize and -S options, stacksize defaults changed for FreeBSD
+ extip redirection type added
! SSL plugin fix to correct handling of certificates path
! fixed random errors on IPv6 connect

1
doc/changelog/0/8/5 Normal file
View File

@ -0,0 +1 @@
!Fix: mutex was used prior to initialization on 'log' command processing

1
doc/changelog/0/8/6 Normal file
View File

@ -0,0 +1 @@
! Fix: random 00012 errors in some configurations

15
doc/changelog/0/8/7 Normal file
View File

@ -0,0 +1,15 @@
! Fix 'daemon' command for Linux
! Fix 'extip' redirections 00009 errors
! Fix counters for older Win platforms
! Resolve logging race conditions
! attempt to fix pam_auth race conditions
! FTP proxy workaround for broken gethostname() on some libc limplementations
! authcache IP matching corrected
! fix SOCKSv5 BIND/UDP ASSOC
! use setreuid/setregid instead of setuid / setgid
+ OpenWatcom makefiles for Windows
+ -u2 support for proxy
+ support %i in logformat
+ force/noforce configuration commands to disconnect / do not disconnect clients if nolonger match ACL after configuration change
+ support longer external passwords

3
doc/changelog/0/8/8 Normal file
View File

@ -0,0 +1,3 @@
!! Fix resolver for non-compressed reply parsing (on mixed-case sensitive resolvers)
! Fix plugins export on OpenWatcom compiler (light version)
! Fix SOCKSv5

1
doc/changelog/0/8/9 Normal file
View File

@ -0,0 +1 @@
! Fix: tcppm may fail if used with parent proxy

6
doc/changelog/0/9/0 Normal file
View File

@ -0,0 +1,6 @@
+ Socket options, interface binding
+ Connection limiting / connection rate limiting
+ RADIUS support (beta)
+ Zero copy (splice) support for Linux
+ Possibility to limit user to single IP (via authentication cache)
! bugfixes, improvements

8
doc/changelog/0/9/1 Normal file
View File

@ -0,0 +1,8 @@
Bugfixes:
! Fixed: socket may be closed before all data received/sent
! Fixed: bandlimin non-working
! Fixed: countall/nocountall
! Fixed: few race conditions
Improvements:
+ deb/rpm build, systemd support (experimental)

9
doc/changelog/0/9/2 Normal file
View File

@ -0,0 +1,9 @@
Bugfixes:
! Fixed: bandwidth limiters (once again)
! Fixed: data filtering plugins (PCREPlugin, SSLPlugin). SSLPlugin use on Linux requires to disable splice (-s0)
! FIxed: standalone proxies do not react on HUP (Ctrl+C) in Linux/Unix
! Fixed: few minor bugs
Improvements:
+ deb for arm platforms (experimental)
+ Openssl 1.1 support for SSLPlugin

11
doc/changelog/0/9/3 Normal file
View File

@ -0,0 +1,11 @@
Bugfixes:
! Fixed: systemd description file (proxy may fail to start after reboot or via systemctl)
! Fixed: group/account creation in installation scripts
! Fixed: countall/nocounall do not work in some configurations
! Fixed: counters do not work if counter file is not specified
! Fixed: counters without rotation (type N) are incorrectly shown in web admin interface
! Fixed: %n may be incomplete or missed in long log records
! Fixed: connect back functionality does not work
Improvements:
+ Docker builds

4
doc/changelog/0/9/4 Normal file
View File

@ -0,0 +1,4 @@
! Fix: invalid handling of '-' character in ACL hostname
! Fix: minor bugfixes and improvements
+ parentretry command added (defaults to 2) to retry connections to parent proxies
- icqpr related code (OSCAR proxy) removed, due to drop of OSCAR support by messengers

7
doc/changelog/0/9/5 Normal file
View File

@ -0,0 +1,7 @@
!! Security fix: proxy can potentially crash on on some platforms due to overlapping regions in strcpy() (thanks to @lenix123 for reporting)
+ new proxy service type: `tlspr` - SNI proxy, may also be used as parent `tls` type, sniffs hostname from TLS handhake, read more in https://github.com/3proxy/3proxy/wiki/tlspr https://github.com/3proxy/3proxy/wiki/How-To-(incomplete)#TLSPR
+ new proxy service type: `auto` - autodetect proxy type between `proxy` and `socks`
+ SSLPlugin is rewritten, production-ready, supports TLS (SSL) server (may be used to create https:// type proxy), certificates checks and cypher options, see https://github.com/3proxy/3proxy/wiki/SSLPlugin
+ -g option is added for grace delay to reduce CPU load, see https://github.com/3proxy/3proxy/wiki/High-Load
! Multiple minor bugfixes
! More supported sockets options

9
doc/changelog/0/9/6 Normal file
View File

@ -0,0 +1,9 @@
+ ssl_client and multiple configuration options added to SSLPlugin, SSLPlugin code significantly improved and bugfixed. See https://github.com/3proxy/3proxy/wiki/SSLPlugin. 3proxy can now be used as stunnel replacement for many scenarios.
+ HAProxy proxy protocol v1 support as client and server, add -H option for service to expect HA proxy v1 protocol header, use ha parent type: parent 1000 ha 0.0.0.0 0 to send v1 header.
+ tlspr is supported in auto
+ tlspr supports -s option, it breaks HELLO packet to prevent some DPIs from detecting SNI
+ maxseg configuration option and TCP_MAXSEG socket flag support added. It sets maximum size of TCP segment to fix PathMTU discovery problems
+ -Ne / -Ni options added to specify external / internal NAT address for SOCKSv5
+ cmake environment added
! External pcre2 (pcre2-8) library is used for PCRE, pcre code is removed from 3proxy
! Multiple minor bugfixes

76
doc/html/howtoe.html
View File

@ -49,6 +49,8 @@
<li><a href="#NSCACHING">How to configure name resolution and DNS caching</a>
<li><a href="#IPV6">How to use IPv6</a>
<li><a href="#CONNBACK">How to use connect back</a>
<li><a href="#HAPROXY">How to use HAProxy PROXY protocol</a>
<li><a href="#MAXSEG">How to set TCP maximum segment size (MSS)</a>
</ul>
<li><A HREF="#CLIENT">Client configuration</A>
<li><A HREF="#ADMIN">Administering and information analysis</A>
@ -498,7 +500,7 @@ ISA 2004 proxy WEB.w3c (fields are TAB-delimited):
</pre>
ISA 2000/2004 firewall FWSEXTD.log (fields are TAB-delimited):
<pre>
&quot;- + L%C %U unnknown:0:0.0 N %Y-%m-%d
&quot;- + L%C %U unknown:0:0.0 N %Y-%m-%d
%H:%M:%S fwsrv 3PROXY - %n %R %r
%D %O %I %r TCP Connect - -
- %E - - - - -&quot;
@ -709,6 +711,29 @@ ssl_client_ca_file /etc/ssl/certs/ca-certificates.crt
ssl_cli
proxy -p3128
</pre>
<p>
<b>Conditional TLS for parent proxy (ssl_client_mode 3):</b>
<br>With ssl_client_mode 3, TLS handshake to parent proxy is performed only if the parent type ends with 's' (secure types). This allows mixing secure and non-secure parent proxies in the same configuration:
</p><pre>
plugin /path/to/SSLPlugin.ld.so ssl_plugin
ssl_server_cert /etc/3proxy/certs/server.crt
ssl_server_key /etc/3proxy/certs/server.key
ssl_client_mode 3
auth strong
allow user1
parent 1000 https parent1.example.com 443
allow user2
parent 1000 socks5 parent2.example.com 1080
ssl_serv
ssl_cli
proxy -p3128
ssl_noserv
ssl_nocli
</pre>
<p>
This creates an HTTPS proxy (ssl_serv) that accepts TLS connections from clients. For parent proxy connections, user1's traffic goes through an https parent with TLS encryption (secure type), while user2's traffic goes through a regular socks5 parent without TLS. Secure parent types include: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps.
</p>
<li><a name="CERTIFICATES"><i>How to create CA and certificates for SSLPlugin</i></a>
<p>
<b>Creating a Certificate Authority (CA):</b>
@ -944,7 +969,7 @@ or
<pre>
users $"c:\Program Files\3proxy\passwords"
</pre>
It's possible to create NT and crypt passwords with the mycrypt utility included
It's possible to create NT and crypt passwords with the 3proxy_crypt utility included
in the distribution.
<br>The user list is system-wide. To manage user access to a specific service, use ACLs.
</p>
@ -1278,6 +1303,53 @@ allowed traffic in megabytes (MB). nocountin allows you to set exclusions.
allow * * 1.1.1.1
tcppm -R0.0.0.0:1234 3128 1.1.1.1 3128</pre>
For browser settings, the proxy is host.dyndns.example.org:3128.
</p>
<li><a name="HAPROXY"><i>How to use HAProxy PROXY protocol</i></a>
<p>
3proxy supports HAProxy PROXY protocol v1 for both receiving and sending client
IP information. This is useful when 3proxy is behind a load balancer or when
passing client information to a parent proxy.
</p>
<p>
<b>Receiving PROXY protocol header:</b>
<br>Use the <code>-H</code> option to make 3proxy expect a PROXY protocol v1 header
on incoming connections. This allows 3proxy to receive the real client IP address
from HAProxy or another load balancer:
</p><pre>
proxy -H -p3128
socks -H -p1080
</pre>
<p>
The PROXY protocol header must be sent before any protocol-specific data.
</p>
<p>
<b>Sending PROXY protocol header to parent proxy:</b>
<br>Use the <code>ha</code> parent type to send a PROXY protocol v1 header to
the parent proxy. This must be the last parent in the chain:
</p><pre>
allow *
parent 1000 ha
parent 1000 socks5 parent.example.com 1080
socks
</pre>
<p>
This configuration sends the client IP information to the SOCKS5 parent proxy
via the PROXY protocol.
</p>
<li><a name="MAXSEG"><i>How to set TCP maximum segment size (MSS)</i></a>
<p>
Use the <code>maxseg</code> command to set the TCP maximum segment size (MSS)
for outgoing connections. This can be useful to work around path MTU discovery
issues or to optimize traffic for specific network conditions:
</p><pre>
maxseg 1400
proxy -p3128 -OcTCP_NODELAY,TCP_MAXSEG -OsTCP_NODELAY,TCP_MAXSEG
</pre>
<p>
The value is specified in bytes. This setting uses the TCP_MAXSEG socket option
and may not be supported on all platforms. A typical use case is to reduce MSS
to avoid fragmentation in VPN tunnels or to work around MTU issues with certain
network paths.
</p>
</ul>

77
doc/html/howtor.html
View File

@ -48,6 +48,8 @@
<li><a href="#NSCACHING">Как управлять разрешением имен и кэшированием DNS</a>
<li><a href="#IPV6">Как использовать IPv6</a>
<li><a href="#CONNBACK">Как использовать connect back</a>
<li><a href="#HAPROXY">Как использовать протокол HAProxy PROXY</a>
<li><a href="#MAXSEG">Как установить максимальный размер сегмента TCP (MSS)</a>
</ul>
<li><a href="#CLIENT">Конфигурация и настройка клиентов</a>
<ul>
@ -511,7 +513,7 @@
- Internal External 0x0 Allowed&quot;</pre>
Формат ISA 2000/2004 firewall FWSEXTD.log (поля разделены табуляцией):
<pre>
&quot;- + L%C %U unnknown:0:0.0 N %Y-%m-%d
&quot;- + L%C %U unknown:0:0.0 N %Y-%m-%d
%H:%M:%S fwsrv 3PROXY - %n %R %r
%D %O %I %r TCP Connect - -
- %E - - - - -&quot;</pre>
@ -718,6 +720,29 @@ ssl_client_ca_file /etc/ssl/certs/ca-certificates.crt
ssl_cli
proxy -p3128
</pre>
<p>
<b>Условное TLS для parent прокси (ssl_client_mode 3):</b>
<br>При ssl_client_mode 3 TLS-рукопожатие с родительским прокси выполняется только если тип parent прокси заканчивается на 's' (защищённые типы). Это позволяет смешивать защищённые и незащищённые родительские прокси в одной конфигурации:
</p><pre>
plugin /path/to/SSLPlugin.ld.so ssl_plugin
ssl_server_cert /etc/3proxy/certs/server.crt
ssl_server_key /etc/3proxy/certs/server.key
ssl_client_mode 3
auth strong
allow user1
parent 1000 https parent1.example.com 443
allow user2
parent 1000 socks5 parent2.example.com 1080
ssl_serv
ssl_cli
proxy -p3128
ssl_noserv
ssl_nocli
</pre>
<p>
Создаётся HTTPS-прокси (ssl_serv), принимающий TLS-соединения от клиентов. Для соединений с родительским прокси трафик user1 идёт через https родитель с TLS-шифрованием (защищённый тип), а трафик user2 — через обычный socks5 родитель без TLS. Защищённые типы parent прокси: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps.
</p>
<li><a name="CERTIFICATES"><i>Как создать CA и сертификаты для SSLPlugin</i></a>
<p>
<b>Создание удостоверяющего центра (CA):</b>
@ -958,7 +983,7 @@ openssl pkcs12 -export -out client.p12 -passout pass: \
или
<pre>
users $"c:\Program Files\3proxy\passwords"</pre>
Шифрованные NT и crypt пароли можно создавать с помощью утилиты mycrypt.
Шифрованные NT и crypt пароли можно создавать с помощью утилиты 3proxy_crypt.
<br>Список пользователей един для всех служб. Разграничение доступа по службам
необходимо производить с помощью списков доступа.
</p>
@ -1336,6 +1361,54 @@ openssl pkcs12 -export -out client.p12 -passout pass: \
tcppm -R0.0.0.0:1234 3128 1.1.1.1 3128</pre>
В настройках браузера указывается host.dyndns.example.org:3128.
</p>
<li><a name="HAPROXY"><i>Как использовать протокол HAProxy PROXY</i></a>
<p>
3proxy поддерживает протокол HAProxy PROXY v1 как для приёма, так и для
отправки информации об IP-адресе клиента. Это полезно, когда 3proxy находится
за балансировщиком нагрузки или при передаче информации о клиенте родительскому прокси.
</p>
<p>
<b>Приём заголовка PROXY протокола:</b>
<br>Используйте опцию <code>-H</code>, чтобы 3proxy ожидал заголовок PROXY протокола v1
на входящих соединениях. Это позволяет 3proxy получать реальный IP-адрес клиента
от HAProxy или другого балансировщика нагрузки:
</p><pre>
proxy -H -p3128
socks -H -p1080
</pre>
<p>
Заголовок PROXY протокола должен быть отправлен до любых протокольных данных.
</p>
<p>
<b>Отправка заголовка PROXY протокола родительскому прокси:</b>
<br>Используйте тип родительского прокси <code>ha</code> для отправки заголовка
PROXY протокола v1 родительскому прокси. Это должен быть последний родитель в цепочке:
</p><pre>
allow *
parent 1000 ha
parent 1000 socks5 parent.example.com 1080
socks
</pre>
<p>
Эта конфигурация отправляет информацию об IP-адресе клиента SOCKS5 родительскому
прокси через PROXY протокол.
</p>
<li><a name="MAXSEG"><i>Как установить максимальный размер сегмента TCP (MSS)</i></a>
<p>
Используйте команду <code>maxseg</code> для установки максимального размера
сегмента TCP (MSS) для исходящих соединений. Это может быть полезно для обхода
проблем с Path MTU Discovery или для оптимизации трафика в специфических
сетевых условиях:
</p><pre>
maxseg 1400
proxy -p3128 -OcTCP_NODELAY,TCP_MAXSEG -OsTCP_NODELAY,TCP_MAXSEG
</pre>
<p>
Значение указывается в байтах. Эта настройка использует опцию сокета TCP_MAXSEG
и может не поддерживаться на всех платформах. Типичный случай использования -
уменьшение MSS для избежания фрагментации в VPN туннелях или для обхода проблем
с MTU на определённых сетевых путях.
</p>
</ul>
<hr>
<li><a name="CLIENT"><b>Конфигурация клиентов</b></a>

3
doc/html/index.html
View File

@ -4,6 +4,7 @@
<a href="howtoe.html">How To (English, very incomplete)</a><br>
<a href="howtor.html">How To (Russian)</a><br>
<h3>Man pages:</h3>
<br><A HREF="man8/3proxy_crypt.8.html">3proxy_crypt.8</A>
<br><A HREF="man8/3proxy.8.html">3proxy.8</A>
<br><A HREF="man8/ftppr.8.html">ftppr.8</A>
<br><A HREF="man8/pop3p.8.html">pop3p.8</A>
@ -13,5 +14,5 @@
<br><A HREF="man8/tcppm.8.html">tcppm.8</A>
<br><A HREF="man8/tlspr.8.html">tlspr.8</A>
<br><A HREF="man8/udppm.8.html">udppm.8</A>
<br><A HREF="man3/3proxy.cfg.3.html">3proxy.cfg.3</A>
<br><A HREF="man5/3proxy.cfg.5.html">3proxy.cfg.5</A>
</body></html>

633
doc/html/man3/3proxy.cfg.3.html → doc/html/man5/3proxy.cfg.5.html
View File

@ -84,10 +84,10 @@ smtpp</b> [options] <b><br>
ftppr</b> [options] <b><br>
admin</b> [options] <b><br>
dnspr</b> [options] <b><br>
tcppm</b> [options] &lt;SRCPORT&gt; &lt;DSTADDR&gt;
&lt;DSTPORT&gt; <b><br>
udppm</b> [options] &lt;SRCPORT&gt; &lt;DSTADDR&gt;
&lt;DSTPORT&gt; <br>
tcppm</b> [options] <i>&lt;SRCPORT&gt; &lt;DSTADDR&gt;
&lt;DSTPORT&gt;</i> <b><br>
udppm</b> [options] <i>&lt;SRCPORT&gt; &lt;DSTADDR&gt;
&lt;DSTPORT&gt;</i> <br>
Descriptions: <b><br>
proxy</b> HTTP/HTTPS proxy (default port 3128) <b><br>
socks</b> SOCKS 4/4.5/5 proxy (default port 1080) <b><br>
@ -101,19 +101,24 @@ smtpp</b> SMTP proxy (default port 25) <b><br>
ftppr</b> FTP proxy (default port 21) <b><br>
admin</b> Web interface (default port 80) <b><br>
dnspr</b> caching DNS proxy (default port 53) <b><br>
tcppm</b> TCP portmapper <b><br>
tcppm</b> TCP portmapper. Destination address (DSTADDR) can
be a Unix domain socket using the syntax
<i>unix:/path/to/socket</i> (e.g., tcppm 8080
unix:/var/run/app.sock 0). On Linux, abstract sockets use
<i>unix:@socketname</i> syntax. When using Unix socket
destination, the port number is ignored but must be
specified for syntax compatibility. <b><br>
udppm</b> UDP portmapper</p>
<p style="margin-left:6%; margin-top: 1em">Options: <b><br>
-pNUMBER</b> change default server port to NUMBER <b><br>
-n</b> disable NTLM authentication (required if passwords
are stored in Unix crypt format). <b><br>
-n1</b> enable NTLMv1 authentication. <b><br>
-g(GRACE_TRAFF,GRACE_NUM,GRACE_DELAY)</b> delay GRACE_DELAY
milliseconds before polling if average polling size is below
GRACE_TRAFF bytes and GRACE_NUM read operations in a single
direction are detected within 1 second. Useful to minimize
polling <b>-s</b> <br>
-p</b><i>NUMBER</i> change default server port to NUMBER
<b><br>
-g(</b><i>GRACE_TRAFF</i><b>,</b><i>GRACE_NUM</i><b>,</b><i>GRACE_DELAY</i>)
delay GRACE_DELAY milliseconds before polling if average
polling size is below GRACE_TRAFF bytes and GRACE_NUM read
operations in a single direction are detected within 1
second. Useful to minimize polling <b>-s</b> <br>
(for admin) secure, allow only secure operations, currently
only traffic counters view without ability to reset. <br>
(for dnspr) simple, do not use resolver and 3proxy cache,
@ -136,35 +141,37 @@ packed in IPv6 in IPV6_V6ONLY compatible way. <b><br>
resolvable <b><br>
-64</b> Resolve IPv4 addresses if IPv6 address is not
resolvable <b><br>
-RHOST:port</b> listen on given local HOST:port for incoming
connections instead of making remote outgoing connection.
Can be used with another 3proxy service running -r option
for connect back functionality. Most commonly used with
tcppm. HOST can be given as IP or hostname, useful in case
of dynamic DNS. <b><br>
-rHOST:port</b> connect to given remote HOST:port instead of
listening local connection on -p or default port. Can be
used with another 3proxy service running -R option for
connect back functionality. Most commonly used with proxy or
socks. HOST can be given as IP or hostname, useful in case
of dynamic DNS. <b><br>
-ocOPTIONS, -osOPTIONS, -olOPTIONS, -orOPTIONS,
-oROPTIONS</b> options for proxy-to-client (oc),
proxy-to-server (os), proxy listening (ol), connect back
client (or), connect back listening (oR) sockets. Options
like TCP_CORK, TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK,
TCP_TIMESTAMPS, USE_TCP_FASTOPEN, SO_REUSEADDR,
SO_REUSEPORT, SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT,
SO_KEEPALIVE, SO_DONTROUTE may be supported depending on OS.
<b><br>
-DiINTERFACE, -DeINTERFACE</b> bind internal interface /
external interface to given INTERFACE (e.g. eth0) if
SO_BINDTODEVICE is supported by the system. You may need to
run as root or have CAP_NET_RAW capability in order to bind
to an interface, depending on the system, so this option may
-R</b><i>HOST</i><b>:</b><i>port</i> listen on given local
HOST:port for incoming connections instead of making remote
outgoing connection. Can be used with another 3proxy service
running -r option for connect back functionality. Most
commonly used with tcppm. HOST can be given as IP or
hostname, useful in case of dynamic DNS. <b><br>
-r</b><i>HOST</i><b>:</b><i>port</i> connect to given remote
HOST:port instead of listening local connection on -p or
default port. Can be used with another 3proxy service
running -R option for connect back functionality. Most
commonly used with proxy or socks. HOST can be given as IP
or hostname, useful in case of dynamic DNS. <b><br>
-oc</b><i>OPTIONS</i><b>, -os</b><i>OPTIONS</i><b>,
-ol</b><i>OPTIONS</i><b>, -or</b><i>OPTIONS</i><b>,
-oR</b><i>OPTIONS</i> options for proxy-to-client
(<b>-oc</b>), proxy-to-server (<b>-os</b>), proxy listening
(<b>-ol</b>), connect back client (<b>-or</b>), connect back
listening (<b>-oR</b>) sockets. Options like TCP_CORK,
TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK, TCP_TIMESTAMPS,
USE_TCP_FASTOPEN, SO_REUSEADDR, SO_REUSEPORT,
SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT, SO_KEEPALIVE,
SO_DONTROUTE may be supported depending on OS. <b><br>
-Di</b><i>INTERFACE</i><b>, -De</b><i>INTERFACE</i> bind
internal (<b>-Di</b>) / external (<b>-De</b>) interface to
given INTERFACE (e.g. eth0) if <b>SO_BINDTODEVICE</b> is
supported by the system. You may need to run as root or have
<b>CAP_NET_RAW</b> capability in order to bind to an
interface, depending on the system, so this option may
require root privileges and can be incompatible with some
configuration commands like chroot and setuid (and daemon if
setcap is used). <b><br>
configuration commands like <b>chroot</b> and <b>setuid</b>
(and <b>daemon</b> if setcap is used). <b><br>
-e</b> External address. IP address of the interface the
proxy should initiate connections from. External IP must be
specified if you need incoming connections. By default the
@ -172,11 +179,23 @@ system will decide which address to use in accordance with
the routing table. <b><br>
-i</b> Internal address. IP address the proxy accepts
connections to. By default, connections to any interface are
accepted. <b><br>
-N</b> (for socks) External NAT address 3proxy reports to
client for BIND and UDPASSOC By default external address is
reported. It&rsquo;s only useful in the case of IP-IP NAT
(will not work for PAT) <br>
accepted. Unix domain sockets can be specified with
<i>-iunix:/path/to/socket</i> syntax. On Linux, abstract
sockets use <i>-iunix:@socketname</i> syntax. <b><br>
-Ne</b> (for socks) External NAT address (between 3proxy and
destination server) to report to client for CONNECT and
BIND. By default external address is reported. It&rsquo;s
only useful in the case of IP-IP NAT (will not work for
PAT). <b><br>
-Ni</b> (for socks) Internal NAT address (between client and
3proxy) to report to client for UDPASSOC. By default
internal address is reported. It&rsquo;s only useful in the
case of IP-IP NAT (will not work for PAT). <b><br>
-H</b> (for all services) Expect HAProxy PROXY protocol v1
header on incoming connection. This allows the proxy to
receive real client IP address from HAProxy or other load
balancer that supports the PROXY protocol. The header must
be sent before any protocol-specific data. <br>
Also, all options mentioned for <b>proxy</b>(8)
<b>socks</b>(8) <b>pop3p</b>(8) <b>tcppm</b>(8)
<b>udppm</b>(8) <b>ftppr</b>(8) <br>
@ -189,10 +208,10 @@ proxy access must be authenticated, you can specify username
as proxy_username:proxy_password:POP3_username@pop3server
<br>
DNS proxy resolves any types of records but only hostnames
are cached. It requires nserver/nscache to be configured. If
nserver is configured as TCP, redirections are applied on
connection, so parent proxy may be used to resolve names to
IP. <br>
are cached. It requires <b>nserver</b>/<b>nscache</b> to be
configured. If <b>nserver</b> is configured as TCP,
redirections are applied on connection, so parent proxy may
be used to resolve names to IP. <br>
FTP proxy can be used as FTP server in any FTP client or
configured as FTP proxy on a client with FTP proxy support.
Username format is one of <br>
@ -206,11 +225,11 @@ authentication use proxyuser:proxypassword:FTPuser as FTP
username, otherwise do not change original FTP user name</p>
<p style="margin-left:6%; margin-top: 1em"><b>include</b>
&lt;path&gt; <br>
<i>&lt;path&gt;</i> <br>
Include config file</p>
<p style="margin-left:6%; margin-top: 1em"><b>config</b>
&lt;path&gt; <br>
<i>&lt;path&gt;</i> <br>
Path to configuration file to use on 3proxy restart or to
save configuration.</p>
@ -226,20 +245,20 @@ using it.</p>
End of configuration</p>
<p style="margin-left:6%; margin-top: 1em"><b>log</b>
[[@|&amp;]logfile] [&lt;LOGTYPE&gt;] <br>
[[@|&amp;]<i>logfile</i>] [<i>&lt;LOGTYPE&gt;</i>] <br>
sets logfile for all gateways <br>
@ (for Unix) use syslog, filename is used as ident name <br>
&amp; use ODBC, filename consists of comma-delimited
datasource,username,password (username and password are
optional) <br>
radius - use RADIUS for logging <br>
LOGTYPE is one of: <br>
c Minutely <br>
H Hourly <br>
D Daily <br>
W Weekly (starting from Sunday) <br>
M Monthly <br>
Y Annually <br>
LOGTYPE is one of: <b><br>
c</b> Minutely <b><br>
H</b> Hourly <b><br>
D</b> Daily <b><br>
W</b> Weekly (starting from Sunday) <b><br>
M</b> Monthly <b><br>
Y</b> Annually <br>
if logfile is not specified logging goes to stdout. You can
specify individual logging options for gateway by using -l
option in gateway configuration. <br>
@ -252,12 +271,12 @@ Grinwitch time zone for all time-based format
specificators.</p>
<p style="margin-left:6%; margin-top: 1em"><b>rotate</b>
&lt;n&gt; <br>
<i>&lt;n&gt;</i> <br>
how many archived log files to keep</p>
<p style="margin-left:6%; margin-top: 1em"><b>logformat</b>
&lt;format&gt; <br>
<i>&lt;format&gt;</i> <br>
Format for log record. First symbol in format must be L
(local time) or G (absolute Grinwitch time). It can be
preceeded with -XXX+Y where XXX is list of characters to be
@ -314,7 +333,8 @@ l_service, l_in, l_out, l_descr) values (&acute;%d-%m-%Y
&acute;%T&acute;)&quot;</p>
<p style="margin-left:6%; margin-top: 1em"><b>logdump</b>
&lt;in_traffic_limit&gt; &lt;out_traffic_limit&gt; <br>
<i>&lt;in_traffic_limit&gt; &lt;out_traffic_limit&gt;</i>
<br>
Immediately creates additional log records if given amount
of incoming/outgoing traffic is achieved for connection,
without waiting for connection to finish. It may be useful
@ -323,7 +343,7 @@ server shutdown.</p>
<p style="margin-left:6%; margin-top: 1em"><b>delimchar</b>
&lt;char&gt; <br>
<i>&lt;char&gt;</i> <br>
Sets the delimiter character used to separate username from
hostname in proxy authentication strings (e.g. for FTP, POP3
proxies). Default is &acute;@&acute;. For example, to use
@ -331,48 +351,50 @@ proxies). Default is &acute;@&acute;. For example, to use
to contain the &acute;@&acute; character.</p>
<p style="margin-left:6%; margin-top: 1em"><b>archiver</b>
&lt;ext&gt; &lt;commandline&gt; <br>
<i>&lt;ext&gt; &lt;commandline&gt;</i> <br>
Archiver to use for log files. &lt;ext&gt; is file extension
produced by archiver. Filename will be last argument to
archiver, optionally you can use %A as produced archive name
and %F as filename.</p>
<p style="margin-left:6%; margin-top: 1em"><b>timeouts</b>
&lt;BYTE_SHORT&gt; &lt;BYTE_LONG&gt; &lt;STRING_SHORT&gt;
<i>&lt;BYTE_SHORT&gt; &lt;BYTE_LONG&gt; &lt;STRING_SHORT&gt;
&lt;STRING_LONG&gt; &lt;CONNECTION_SHORT&gt;
&lt;CONNECTION_LONG&gt; &lt;DNS&gt; &lt;CHAIN&gt;
&lt;CONNECT&gt; &lt;CONNECTBACK&gt; <br>
&lt;CONNECT&gt; &lt;CONNECTBACK&gt;</i> <br>
Sets timeout values, defaults 1, 5, 30, 60, 180, 1800, 15,
60, 15, 5. <br>
BYTE_SHORT short timeout for single byte, is usually used
for receiving single byte from stream. <br>
BYTE_LONG long timeout for single byte, is usually used for
receiving first byte in frame (for example first byte in
socks request). <br>
STRING_SHORT short timeout, for character string within
stream (for example to wait between 2 HTTP headers) <br>
STRING_LONG long timeout, for first string in stream (for
example to wait for HTTP request). <br>
CONNECTION_SHORT inactivity timeout for short connections
(HTTP, POP3, etc). <br>
CONNECTION_LONG inactivity timeout for long connection
(SOCKS, portmappers, etc). <br>
DNS timeout for DNS request before requesting next server
60, 15, 5. <b><br>
BYTE_SHORT</b> short timeout for single byte, is usually
used for receiving single byte from stream. <b><br>
BYTE_LONG</b> long timeout for single byte, is usually used
for receiving first byte in frame (for example first byte in
socks request). <b><br>
STRING_SHORT</b> short timeout, for character string within
stream (for example to wait between 2 HTTP headers) <b><br>
STRING_LONG</b> long timeout, for first string in stream
(for example to wait for HTTP request). <b><br>
CONNECTION_SHORT</b> inactivity timeout for short
connections (HTTP, POP3, etc). <b><br>
CONNECTION_LONG</b> inactivity timeout for long connection
(SOCKS, portmappers, etc). <b><br>
DNS</b> timeout for DNS request before requesting next
server <b><br>
CHAIN</b> timeout for reading data from chained connection
<br>
CHAIN timeout for reading data from chained connection <br>
default timeouts 1 5 30 60 180 1800 15 60 15 5</p>
<p style="margin-left:6%; margin-top: 1em"><b>maxseg</b>
&lt;value&gt; <br>
<i>&lt;value&gt;</i> <br>
Sets TCP maximum segment size (MSS) for outgoing
connections. This can be used to work around path MTU
discovery issues or to optimize traffic for specific network
conditions.</p>
<p style="margin-left:6%; margin-top: 1em"><b>radius</b>
&lt;NAS_SECRET&gt;
&lt;radius_server_1[:port][/local_address_1]&gt;
&lt;radius_server_2[:port][/local_address_2]&gt; <br>
<i>&lt;NAS_SECRET&gt;
&lt;radius_server_1</i>[:<i>port</i>][/<i>local_address_1</i>]
<i>&lt;radius_server_2</i>[:<i>port</i>][/<i>local_address_2</i>]
<br>
Configures RADIUS servers to be used for logging and
authentication (log and auth types must be set to radius).
port and local address to use with given server may be
@ -391,12 +413,12 @@ CONNECT), Login-TCP-Port: (requested port), Login-IPv6-Host
/ Login-IP-Host: (requested IP). <br>
Supported reply attributes for authentication:
Framed-IP-Address / Framed-IPv6-Address (IP to assign to
user), Reply-Message. Use authcache to speedup
user), Reply-Message. Use <b>authcache</b> to speedup
authentication. RADIUS feature is currently
experimental.</p>
<p style="margin-left:6%; margin-top: 1em"><b>nserver</b>
&lt;ipaddr&gt;[:port][/tcp] <br>
<i>&lt;ipaddr&gt;</i>[:<i>port</i>][/<i>tcp</i>] <br>
Nameserver to use for name resolutions. If none specified
system routines for name resolution is used. Optional port
number may be specified. If optional /tcp is added to IP
@ -404,33 +426,36 @@ address, name resolution is performed over TCP.</p>
<p style="margin-left:6%; margin-top: 1em"><b>authnserver</b>
&lt;ipaddr&gt;[:port][/tcp] <br>
<i>&lt;ipaddr&gt;</i>[:<i>port</i>][/<i>tcp</i>] <br>
Nameserver to use for DNS-based authentication (e.g. dnsname
auth type). If not specified, nserver is used. The syntax is
the same as for nserver.</p>
<p style="margin-left:6%; margin-top: 1em"><b>nscache</b>
&lt;cachesize&gt; <b>nscache6</b> &lt;cachesize&gt; <br>
Cache &lt;cachesize&gt; records for name resolution (nscache
for IPv4, nscache6 for IPv6). The cache size should usually
be large enough (for example, 65536).</p>
<i>&lt;cachesize&gt;</i> <b>nscache6</b>
<i>&lt;cachesize&gt;</i> <br>
Cache <i>&lt;cachesize&gt;</i> records for name resolution
(<b>nscache</b> for IPv4, <b>nscache6</b> for IPv6). The
cache size should usually be large enough (for example,
65536).</p>
<p style="margin-left:6%; margin-top: 1em"><b>nsrecord</b>
&lt;hostname&gt; &lt;hostaddr&gt; <br>
Adds static record to nscache. nscache must be enabled. If
0.0.0.0 is used as a hostaddr host will never resolve, it
can be used to blacklist something or together with
<b>dialer</b> command to set up UDL for dialing.</p>
<i>&lt;hostname&gt; &lt;hostaddr&gt;</i> <br>
Adds static record to nscache. <b>nscache</b> must be
enabled. If 0.0.0.0 is used as a hostaddr host will never
resolve, it can be used to blacklist something or together
with <b>dialer</b> command to set up UDL for dialing.</p>
<p style="margin-left:6%; margin-top: 1em"><b>fakeresolve</b>
<br>
All names are resolved to the 127.0.0.2 address. Useful if
all requests are redirected to a parent proxy with http,
socks4+, connect+ or socks5+.</p>
all requests are redirected to a parent proxy with
<b>http</b>, <b>socks4+</b>, <b>connect+</b> or
<b>socks5+</b>.</p>
<p style="margin-left:6%; margin-top: 1em"><b>dialer</b>
&lt;progname&gt; <br>
<i>&lt;progname&gt;</i> <br>
Execute progname if external name can&acute;t be resolved.
Hint: if you use nscache, dialer may not work, because names
will be resolved through cache. In this case you can use
@ -438,34 +463,43 @@ something like http://dial.right.now/ from browser to set up
connection.</p>
<p style="margin-left:6%; margin-top: 1em"><b>internal</b>
&lt;ipaddr&gt; <br>
<i>&lt;ipaddr&gt;</i> <br>
sets ip address of internal interface. This IP address will
be used to bind gateways. Alternatively you can use -i
option for individual gateways. Since 0.8 version, IPv6
address may be used.</p>
address may be used. <br>
Unix domain sockets are supported with the syntax
<i>unix:/path/to/socket</i> (e.g., internal
unix:/var/run/3proxy.sock). On Linux, abstract (fileless)
Unix sockets are supported with the syntax
<i>unix:@socketname</i> (e.g., internal unix:@3proxy). When
using Unix sockets, the socket file is automatically created
and removed on service start/stop.</p>
<p style="margin-left:6%; margin-top: 1em"><b>external</b>
&lt;ipaddr&gt; <br>
<i>&lt;ipaddr&gt;</i> <br>
sets ip address of external interface. This IP address will
be source address for all connections made by proxy.
Alternatively you can use -e option to specify individual
address for gateway. Since 0.8 version External or -e can be
given twice: once with IPv4 and once with IPv6 address.</p>
address for gateway. Since 0.8 version External or <b>-e</b>
can be given twice: once with IPv4 and once with IPv6
address.</p>
<p style="margin-left:6%; margin-top: 1em"><b>maxconn</b>
&lt;number&gt; <br>
<i>&lt;number&gt;</i> <br>
sets the maximum number of simultaneous connections to each
service started after this command at the network level.
Default is 100. <br>
To limit clients, use connlim instead. maxconn will silently
ignore new connections, while connlim will report back to
the client that the connection limit has been reached.</p>
To limit clients, use <b>connlim</b> instead. <b>maxconn</b>
will silently ignore new connections, while <b>connlim</b>
will report back to the client that the connection limit has
been reached.</p>
<p style="margin-left:6%; margin-top: 1em"><b>backlog</b>
<br>
sets the listening socket backlog of new connections.
Default is 1 + maxconn/8. Maximum value is capped by kernel
tunable somaxconn.</p>
Default is 1 + <b>maxconn</b>/8. Maximum value is capped by
kernel tunable somaxconn.</p>
<p style="margin-left:6%; margin-top: 1em"><b>service</b>
<br>
@ -479,35 +513,35 @@ reinstall the service.</p>
<br>
Should be specified to close the console. Do not use
&acute;daemon&acute; with &acute;service&acute;. At least
under FreeBSD, &acute;daemon&acute; should precede any proxy
under FreeBSD, <b>daemon</b> should precede any proxy
service and log commands to avoid socket problems. Always
place it in the beginning of the configuration file.</p>
<p style="margin-left:6%; margin-top: 1em"><b>auth</b>
&lt;authtype&gt; [...] <br>
Type of user authorization. Currently supported: <br>
none - no authentication or authorization required. <br>
<i>&lt;authtype&gt;</i> [...] <br>
Type of user authorization. Currently supported: <b><br>
none</b> - no authentication or authorization required. <br>
Note: if auth is none, any IP-based limitation, redirection,
etc. will not work. This is the default authentication type
<br>
iponly - authentication by access control list with username
ignored. <br>
Appropriate for most cases <br>
useronly - authentication by username without checking for
any password with authorization by ACLs. Useful for e.g.
<b><br>
iponly</b> - authentication by access control list with
username ignored. <br>
Appropriate for most cases <b><br>
useronly</b> - authentication by username without checking
for any password with authorization by ACLs. Useful for e.g.
SOCKSv4 proxy and icqpr (icqpr set UIN / AOL screen name as
a username) <br>
dnsname - authentication by DNS hostname with authorization
by ACLs. The DNS hostname is resolved via a PTR (reverse)
record and validated (the resolved name must resolve to the
same IP address). It&acute;s recommended to use authcache by
IP for this authentication. NB: there is no password check;
the name may be spoofed. <br>
strong - username/password authentication required. It will
work with SOCKSv5, FTP, POP3 and HTTP proxy. <br>
cache - cached authentication, may be used with
&acute;authcache&acute;. <br>
radius - authentication with RADIUS. <br>
a username) <b><br>
dnsname</b> - authentication by DNS hostname with
authorization by ACLs. The DNS hostname is resolved via a
PTR (reverse) record and validated (the resolved name must
resolve to the same IP address). It&acute;s recommended to
use authcache by IP for this authentication. NB: there is no
password check; the name may be spoofed. <b><br>
strong</b> - username/password authentication required. It
will work with SOCKSv5, FTP, POP3 and HTTP proxy. <b><br>
cache</b> - cached authentication, may be used with
&acute;authcache&acute;. <b><br>
radius</b> - authentication with RADIUS. <br>
Plugins may add additional authentication types.</p>
<p style="margin-left:6%; margin-top: 1em">It&acute;s
@ -525,38 +559,39 @@ shared ones.</p>
<p style="margin-left:6%; margin-top: 1em"><b>authcache</b>
&lt;cachtype&gt; &lt;cachtime&gt; <br>
<i>&lt;cachtype&gt; &lt;cachtime&gt; &lt;cachesize&gt;</i>
<br>
Cache authentication information for a given amount of time
(cachetime) in seconds. Cachetype is one of: <br>
ip - after successful authentication all connections during
caching time from same IP are assigned to the same user,
username is not requested. <br>
ip,user username is requested and all connections from the
same IP are assigned to the same user without actual
authentication. <br>
user - same as above, but IP is not checked. <br>
user,password - both username and password are checked
against cached ones. <br>
limit - limit user to use only one ip, &acute;ip&acute; and
&acute;user&acute; are required <br>
acl - only use cached auth if user access service with same
ACL <br>
ext - cache external IP <br>
Use auth type &acute;cache&acute; for cached
authentication</p>
(cachetime) in seconds. cachesize limits number of cache
entries. Cachetype is one of: <b><br>
ip</b> - after successful authentication all connections
during caching time from same IP are assigned to the same
user, username is not requested. <b><br>
ip,user</b> username is requested and all connections from
the same IP are assigned to the same user without actual
authentication. <b><br>
user</b> - same as above, but IP is not checked. <b><br>
user,password</b> - both username and password are checked
against cached ones. <b><br>
limit</b> - limit user to use only one ip, &acute;ip&acute;
and &acute;user&acute; are required <b><br>
ack</b> - only use cached auth if user access service with
same ACL <b><br>
ext</b> - cache external IP <br>
Use auth type <b>cache</b> for cached authentication</p>
<p style="margin-left:6%; margin-top: 1em"><b>allow</b>
&lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt;
<i>&lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt;
&lt;targetportlist&gt; &lt;operationlist&gt;
&lt;weekdayslist&gt; &lt;timeperiodslist&gt; <b><br>
deny</b> &lt;userlist&gt; &lt;sourcelist&gt;
&lt;weekdayslist&gt; &lt;timeperiodslist&gt;</i> <b><br>
deny</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
&lt;targetlist&gt; &lt;targetportlist&gt;
&lt;operationlist&gt; &lt;weekdayslist&gt;
&lt;timeperiodslist&gt; <b><br>
redirect</b> &lt;ip&gt; &lt;port&gt; &lt;userlist&gt;
&lt;timeperiodslist&gt;</i> <b><br>
redirect</b> <i>&lt;ip&gt; &lt;port&gt; &lt;userlist&gt;
&lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt;
&lt;operationlist&gt; &lt;weekdayslist&gt;
&lt;timeperiodslist&gt; <br>
&lt;timeperiodslist&gt;</i> <br>
Access control entries. All lists are comma-separated, no
spaces are allowed. Usernames are case sensitive (if used
with authtype nbname username must be in uppercase). Source
@ -582,27 +617,28 @@ should either bind proxy to appropriate interface only or to
use ip filters.</p>
<p style="margin-left:6%; margin-top: 1em">Operation is one
of: <br>
CONNECT establish outgoing TCP connection <br>
BIND bind TCP port for listening <br>
UDPASSOC make UDP association <br>
ICMPASSOC make ICMP association (for future use) <br>
HTTP_GET HTTP GET request <br>
HTTP_PUT HTTP PUT request <br>
HTTP_POST HTTP POST request <br>
HTTP_HEAD HTTP HEAD request <br>
HTTP_CONNECT HTTP CONNECT request <br>
HTTP_OTHER over HTTP request <br>
HTTP matches any HTTP request except HTTP_CONNECT <br>
HTTPS same as HTTP_CONNECT <br>
FTP_GET FTP get request <br>
FTP_PUT FTP put request <br>
FTP_LIST FTP list request <br>
FTP_DATA FTP data connection. Note: FTP_DATA requires access
to dynamic non-privileged (1024-65535) ports on the remote
side. <br>
FTP matches any FTP/FTP Data request <br>
ADMIN access to administration interface</p>
of: <b><br>
CONNECT</b> establish outgoing TCP connection <b><br>
BIND</b> bind TCP port for listening <b><br>
UDPASSOC</b> make UDP association <b><br>
ICMPASSOC</b> make ICMP association (for future use) <b><br>
HTTP_GET</b> HTTP GET request <b><br>
HTTP_PUT</b> HTTP PUT request <b><br>
HTTP_POST</b> HTTP POST request <b><br>
HTTP_HEAD</b> HTTP HEAD request <b><br>
HTTP_CONNECT</b> HTTP CONNECT request <b><br>
HTTP_OTHER</b> over HTTP request <b><br>
HTTP</b> matches any HTTP request except HTTP_CONNECT
<b><br>
HTTPS</b> same as HTTP_CONNECT <b><br>
FTP_GET</b> FTP get request <b><br>
FTP_PUT</b> FTP put request <b><br>
FTP_LIST</b> FTP list request <b><br>
FTP_DATA</b> FTP data connection. Note: FTP_DATA requires
access to dynamic non-privileged (1024-65535) ports on the
remote side. <b><br>
FTP</b> matches any FTP/FTP Data request <b><br>
ADMIN</b> access to administration interface</p>
<p style="margin-left:6%; margin-top: 1em">Weekdays are
week day numbers or periods, 0 or 7 means Sunday, 1 is
@ -613,8 +649,8 @@ HH:MM:SS-HH:MM:SS format. For example,
hours.</p>
<p style="margin-left:6%; margin-top: 1em"><b>parent</b>
&lt;weight&gt; &lt;type&gt; &lt;ip&gt; &lt;port&gt;
&lt;username&gt; &lt;password&gt; <br>
<i>&lt;weight&gt; &lt;type&gt; &lt;ip&gt; &lt;port&gt;
&lt;username&gt; &lt;password&gt;</i> <br>
this command must follow &quot;allow&quot; rule. It extends
last allow rule to build proxy chain. Proxies may be
grouped. Proxy inside the group is selected randomly. If few
@ -643,41 +679,51 @@ pipelined (keep-alive) requests in the same connection use
the same chain.</p>
<p style="margin-left:6%; margin-top: 1em">type is one of:
<br>
extip does not actually redirect the request; it sets the
external address for this request to &lt;ip&gt;. It can be
chained with another parent type. It&rsquo;s useful to set
the external IP based on ACL or make it random. <br>
tcp simply redirect connection. TCP is always last in chain.
This type of proxy is a simple TCP redirection, it does not
support parent authentication. <br>
http redirect to HTTP proxy. HTTP is always the last chain.
It should only be used with http (proxy) service, if used
with different service, it works as tcp redirection. <br>
pop3 redirect to POP3 proxy (only local redirection is
supported, can only be used as a first hop in chaining) <br>
ftp redirect to FTP proxy (only local redirection is
supported, can only be used as a first hop in chaining) <br>
connect parent is HTTP CONNECT method proxy <br>
connect+ parent is HTTP CONNECT proxy with name resolution
(hostname is used instead of IP if available) <br>
socks4 parent is SOCKSv4 proxy <br>
socks4+ parent is SOCKSv4 proxy with name resolution
(SOCKSv4a) <br>
socks5 parent is SOCKSv5 proxy <br>
socks5+ parent is SOCKSv5 proxy with name resolution <br>
socks4b parent is SOCKS4b (broken SOCKSv4 implementation
<b><br>
extip</b> does not actually redirect the request; it sets
the external address for this request to <i>&lt;ip&gt;</i>.
It can be chained with another parent type. It&rsquo;s
useful to set the external IP based on ACL or make it
random. <b><br>
tcp</b> simply redirect connection. TCP is always last in
chain. This type of proxy is a simple TCP redirection, it
does not support parent authentication. <b><br>
http</b> redirect to HTTP proxy. HTTP is always the last
chain. It should only be used with http (proxy) service, if
used with different service, it works as tcp redirection.
<b><br>
pop3</b> redirect to POP3 proxy (only local redirection is
supported, can only be used as a first hop in chaining)
<b><br>
ftp</b> redirect to FTP proxy (only local redirection is
supported, can only be used as a first hop in chaining)
<b><br>
connect</b> parent is HTTP CONNECT method proxy <b><br>
connect+</b> parent is HTTP CONNECT proxy with name
resolution (hostname is used instead of IP if available)
<b><br>
socks4</b> parent is SOCKSv4 proxy <b><br>
socks4+</b> parent is SOCKSv4 proxy with name resolution
(SOCKSv4a) <b><br>
socks5</b> parent is SOCKSv5 proxy <b><br>
socks5+</b> parent is SOCKSv5 proxy with name resolution
<b><br>
socks4b</b> parent is SOCKS4b (broken SOCKSv4 implementation
with shortened server reply; I never saw this kind of
server, but they say there are some). Normally you should
not use this option. Do not confuse this option with
SOCKSv4a (socks4+). <br>
socks5b parent is SOCKS5b (broken SOCKSv5 implementation
SOCKSv4a (<b>socks4+</b>). <b><br>
socks5b</b> parent is SOCKS5b (broken SOCKSv5 implementation
with shortened server reply. I think you will never find it
useful). Never use this option unless you know exactly you
need it. <br>
admin redirect request to local &acute;admin&acute; service
(with -s parameter). <br>
Use &quot;+&quot; proxy only with &quot;fakeresolve&quot;
need it. <b><br>
admin</b> redirect request to local &acute;admin&acute;
service (with -s parameter). <b><br>
ha</b> send HAProxy PROXY protocol v1 header to parent
proxy. Must be the last in the proxy chain. Useful for
passing client IP information to the parent proxy. Example:
parent 1000 ha <br>
Use &quot;+&quot; proxy only with <b>fakeresolve</b>
option</p>
<p style="margin-left:6%; margin-top: 1em">IP and port are
@ -690,7 +736,15 @@ special case of local redirection, it works only with
redirected to different service, <b>ftp</b> locally
redirects to <b>ftppr pop3</b> locally redirects to <b>pop3p
http</b> locally redirects to <b>proxy admin</b> locally
redirects to the admin -s service.</p>
redirects to the admin -s service. <br>
Unix domain sockets can be used instead of IP address with
the syntax <i>unix:/path/to/socket</i> (e.g., parent 1000
socks5 unix:/var/run/parent.sock 1080). On Linux, abstract
(fileless) Unix sockets are supported with
<i>unix:@socketname</i> syntax (e.g., parent 1000 http
unix:@parent.proxy 3128). When using Unix sockets, the port
number is ignored but must be specified for syntax
compatibility.</p>
<p style="margin-left:6%; margin-top: 1em">Main purpose of
local redirections is to have the requested resource (URL or
@ -711,26 +765,26 @@ HTTP proxy, local HTTP proxy parses requests and allows only
GET and POST requests. <br>
parent 1000 http 1.2.3.4 0 <br>
Changes the external address for a given connection to
1.2.3.4 (equivalent to -e1.2.3.4) <br>
1.2.3.4 (equivalent to <b>-e1.2.3.4</b>) <br>
Optional username and password are used to authenticate on
parent proxy. Username of &acute;*&acute; means username
must be supplied by user.</p>
<p style="margin-left:6%; margin-top: 1em"><b>parentretries</b>
&lt;number&gt; <br>
<i>&lt;number&gt;</i> <br>
Number of retries to connect to parent proxy. Default is
1.</p>
<p style="margin-left:6%; margin-top: 1em"><b>nolog</b>
&lt;n&gt; <br>
<i>&lt;n&gt;</i> <br>
extends last allow or deny command to prevent logging, e.g.
<br>
allow * * 192.168.1.1 <br>
nolog</p>
<p style="margin-left:6%; margin-top: 1em"><b>weight</b>
&lt;n&gt; <br>
<i>&lt;n&gt;</i> <br>
extends last allow or deny command to set weight for this
request <br>
allow * * 192.168.1.1 <br>
@ -748,30 +802,31 @@ connections.</p>
<p style="margin-left:6%; margin-top: 1em"><b>bandlimin</b>
&lt;rate&gt; &lt;userlist&gt; &lt;sourcelist&gt;
<i>&lt;rate&gt; &lt;userlist&gt; &lt;sourcelist&gt;
&lt;targetlist&gt; &lt;targetportlist&gt;
&lt;operationlist&gt; &lt;weekdayslist&gt;
&lt;timeperiodslist&gt; <b><br>
nobandlimin</b> &lt;userlist&gt; &lt;sourcelist&gt;
&lt;timeperiodslist&gt;</i> <b><br>
nobandlimin</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
&lt;targetlist&gt; &lt;targetportlist&gt;
&lt;operationlist&gt; &lt;weekdayslist&gt;
&lt;timeperiodslist&gt; <b><br>
bandlimout</b> &lt;rate&gt; &lt;userlist&gt;
&lt;timeperiodslist&gt;</i> <b><br>
bandlimout</b> <i>&lt;rate&gt; &lt;userlist&gt;
&lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt;
&lt;operationlist&gt; &lt;weekdayslist&gt;
&lt;timeperiodslist&gt; <b><br>
nobandlimout</b> &lt;userlist&gt; &lt;sourcelist&gt;
&lt;timeperiodslist&gt;</i> <b><br>
nobandlimout</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
&lt;targetlist&gt; &lt;targetportlist&gt;
&lt;operationlist&gt; &lt;weekdayslist&gt;
&lt;timeperiodslist&gt; <br>
bandlim sets a bandwidth limitation filter to &lt;rate&gt;
bps (bits per second). If you want to specify bytes per
second, multiply your value by 8. bandlim rules act in the
same manner as allow/deny rules, except for one thing:
bandwidth limiting is applied to all services, not to some
specific service. bandlimin and nobandlimin apply to
incoming traffic <br>
bandlimout and nobandlimout apply to outgoing traffic <br>
&lt;timeperiodslist&gt;</i> <br>
bandlim sets a bandwidth limitation filter to
<i>&lt;rate&gt;</i> bps (bits per second). If you want to
specify bytes per second, multiply your value by 8. bandlim
rules act in the same manner as allow/deny rules, except for
one thing: bandwidth limiting is applied to all services,
not to some specific service. <b>bandlimin</b> and
<b>nobandlimin</b> apply to incoming traffic <b><br>
bandlimout</b> and <b>nobandlimout</b> apply to outgoing
traffic <br>
If you want to ratelimit your clients with IPs
192.168.10.16/30 (4 addresses) to 57600 bps, you have to
specify 4 rules like <br>
@ -789,53 +844,54 @@ nobandlimin * * * 110 <br>
before the rest of bandlim rules.</p>
<p style="margin-left:6%; margin-top: 1em"><b>connlim</b>
&lt;rate&gt; &lt;period&gt; &lt;userlist&gt;
<i>&lt;rate&gt; &lt;period&gt; &lt;userlist&gt;
&lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt;
&lt;operationlist&gt; &lt;weekdayslist&gt;
&lt;timeperiodslist&gt; <b><br>
noconnlim</b> &lt;userlist&gt; &lt;sourcelist&gt;
&lt;timeperiodslist&gt;</i> <b><br>
noconnlim</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
&lt;targetlist&gt; &lt;targetportlist&gt;
&lt;operationlist&gt; &lt;weekdayslist&gt;
&lt;timeperiodslist&gt; <br>
&lt;timeperiodslist&gt;</i> <br>
connlim sets connections rate limit per time period for
traffic pattern controlled by ACL. Period is in seconds. If
period is 0, connlim limits a number of parallel
period is 0, <b>connlim</b> limits a number of parallel
connections. <br>
connlim 100 60 * 127.0.0.1 <br>
allows 100 connections per minute for 127.0.0.1. <br>
connlim 20 0 * 127.0.0.1 <br>
allows 20 simultaneous connections for 127.0.0.1. <br>
Like with bandlimin, if an individual limit is required per
client, a separate rule must be added for every client. Like
with nobandlimin, noconnlim adds an exception.</p>
Like with <b>bandlimin</b>, if an individual limit is
required per client, a separate rule must be added for every
client. Like with nobandlimin, noconnlim adds an
exception.</p>
<p style="margin-left:6%; margin-top: 1em"><b>counter</b>
&lt;filename&gt; &lt;reporttype&gt; &lt;reportname&gt;
<b><br>
countin</b> &lt;number&gt; &lt;type&gt; &lt;limit&gt;
<i>&lt;filename&gt; &lt;reporttype&gt;
&lt;reportname&gt;</i> <b><br>
countin</b> <i>&lt;number&gt; &lt;type&gt; &lt;limit&gt;
&lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt;
&lt;targetportlist&gt; &lt;operationlist&gt;
&lt;weekdayslist&gt; &lt;timeperiodslist&gt; <b><br>
nocountin</b> &lt;userlist&gt; &lt;sourcelist&gt;
&lt;weekdayslist&gt; &lt;timeperiodslist&gt;</i> <b><br>
nocountin</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
&lt;targetlist&gt; &lt;targetportlist&gt;
&lt;operationlist&gt; &lt;weekdayslist&gt;
&lt;timeperiodslist&gt; <b><br>
countout</b> &lt;number&gt; &lt;type&gt; &lt;limit&gt;
&lt;timeperiodslist&gt;</i> <b><br>
countout</b> <i>&lt;number&gt; &lt;type&gt; &lt;limit&gt;
&lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt;
&lt;targetportlist&gt; &lt;operationlist&gt;
&lt;weekdayslist&gt; &lt;timeperiodslist&gt; <b><br>
nocountout</b> &lt;userlist&gt; &lt;sourcelist&gt;
&lt;weekdayslist&gt; &lt;timeperiodslist&gt;</i> <b><br>
nocountout</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
&lt;targetlist&gt; &lt;targetportlist&gt;
&lt;operationlist&gt; &lt;weekdayslist&gt;
&lt;timeperiodslist&gt; <b><br>
countall</b> &lt;number&gt; &lt;type&gt; &lt;limit&gt;
&lt;timeperiodslist&gt;</i> <b><br>
countall</b> <i>&lt;number&gt; &lt;type&gt; &lt;limit&gt;
&lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt;
&lt;targetportlist&gt; &lt;operationlist&gt;
&lt;weekdayslist&gt; &lt;timeperiodslist&gt; <b><br>
nocountall</b> &lt;userlist&gt; &lt;sourcelist&gt;
&lt;weekdayslist&gt; &lt;timeperiodslist&gt;</i> <b><br>
nocountall</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
&lt;targetlist&gt; &lt;targetportlist&gt;
&lt;operationlist&gt; &lt;weekdayslist&gt;
&lt;timeperiodslist&gt;</p>
&lt;timeperiodslist&gt;</i></p>
<p style="margin-left:6%; margin-top: 1em">counter,
countin, nocountin, countout, nocountout, countall,
@ -848,45 +904,33 @@ not preserved in the counter file (that is, if the proxy is
restarted, all counters with 0 are flushed); otherwise, it
should be a unique sequential number which points to the
position of the counter within the file. Type specifies a
type of counter. Type is one of: <br>
H - counter is reset hourly <br>
D - counter is reset daily <br>
W - counter is reset weekly <br>
M - counter is reset monthly <br>
type of counter. Type is one of: <b><br>
H</b> - counter is reset hourly <b><br>
D</b> - counter is reset daily <b><br>
W</b> - counter is reset weekly <b><br>
M</b> - counter is reset monthly <br>
reporttype/reportname may be used to generate traffic
reports. Reporttype is one of D, W, M, H (hourly) and
reportname specifies the filename template for reports. The
report is a text file with counter values in the format:
<br>
&lt;COUNTERNUMBER&gt; &lt;TRAF&gt; <br>
<i><br>
&lt;COUNTERNUMBER&gt; &lt;TRAF&gt;</i> <br>
The rest of parameters is identical to
bandlim/nobandlim.</p>
<b>bandlim</b>/<b>nobandlim</b>.</p>
<p style="margin-left:6%; margin-top: 1em"><b>users</b>
username[:pwtype:password] ... <br>
<i>username</i>[:<i>pwtype</i>:<i>password</i>] ... <br>
pwtype is one of: <br>
none (empty) - use system authentication <br>
CL - password is cleartext <br>
CR - password is crypt-style password <br>
NT - password is NT password (in hex) <br>
LM - password is LM password (in hex) <br>
none (empty) - use system authentication <b><br>
CL</b> - password is cleartext <b><br>
CR</b> - password is crypt-style password <b><br>
NT</b> - password is NT password (in hex) <br>
example: <br>
users test1:CL:password1
&quot;test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49.&quot; <br>
users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63</p>
<table width="100%" border="0" rules="none" frame="void"
cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="6%"></td>
<p>Note: double quotes are required because the password
contains a $ sign.</p></td>
<td width="88%"></td>
<td width="6%">
</td></tr>
</table>
users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63 <br>
Note: double quotes are required because the password
contains a $ sign.</p>
<p style="margin-left:6%; margin-top: 1em"><b>flush</b>
<br>
@ -901,42 +945,43 @@ socks <br>
sets different ACLs for <b>pop3p</b> and <b>socks</b></p>
<p style="margin-left:6%; margin-top: 1em"><b>system</b>
&lt;command&gt; <br>
<i>&lt;command&gt;</i> <br>
execute system command</p>
<p style="margin-left:6%; margin-top: 1em"><b>pidfile</b>
&lt;filename&gt; <br>
<i>&lt;filename&gt;</i> <br>
write pid of current process to file. It can be used to
manipulate 3proxy with signals under Unix. Currently next
signals are available:</p>
<p style="margin-left:6%; margin-top: 1em"><b>monitor</b>
&lt;filename&gt; <br>
<i>&lt;filename&gt;</i> <br>
If file monitored changes in modification time or size,
3proxy reloads configuration within one minute. Any number
of files may be monitored.</p>
<p style="margin-left:6%; margin-top: 1em"><b>setuid</b>
&lt;uid&gt; <br>
<i>&lt;uid&gt;</i> <br>
calls setuid(uid), uid can be numeric or since 0.9 username.
Unix only. Warning: under some Linux kernels setuid() works
for current thread only. It makes it impossible to suid for
all threads.</p>
<p style="margin-left:6%; margin-top: 1em"><b>setgid</b>
&lt;gid&gt; <br>
<i>&lt;gid&gt;</i> <br>
calls setgid(gid), gid can be numeric or since 0.9
groupname. Unix only.</p>
<p style="margin-left:6%; margin-top: 1em"><b>chroot</b>
&lt;path&gt; [&lt;uid&gt;] [&lt;gid&gt;] <br>
<i>&lt;path&gt;</i> [<i>&lt;uid&gt;</i>]
[<i>&lt;gid&gt;</i>] <br>
calls chroot(path) and sets gid/uid. Unix only. uid/gid
supported since 0.9, can be numeric or
username/groupname</p>
<p style="margin-left:6%; margin-top: 1em"><b>stacksize</b>
&lt;value_to_add_to_default_stack_size&gt; <br>
<i>&lt;value_to_add_to_default_stack_size&gt;</i> <br>
Change the default size for thread stacks. May be required
in some situations, e.g. with non-default plugins, or on
some platforms (some FreeBSD versions may require adjusting
@ -955,8 +1000,8 @@ negative values.</p>
<p style="margin-left:6%; margin-top: 1em"><b>plugin</b>
&lt;path_to_shared_library&gt; &lt;function_to_call&gt;
[&lt;arg1&gt; ...] <br>
<i>&lt;path_to_shared_library&gt;
&lt;function_to_call&gt;</i> [<i>&lt;arg1&gt;</i> ...] <br>
Loads specified library and calls given export function with
given arguments, as <br>
int functions_to_call(struct pluginlink * pl, int argc, char
@ -966,7 +1011,7 @@ function_to_call must return 0 in case of success, value
<p style="margin-left:6%; margin-top: 1em"><b>filtermaxsize</b>
&lt;max_size_of_data_to_filter&gt; <br>
<i>&lt;max_size_of_data_to_filter&gt;</i> <br>
If Content-length (or another data length) is greater than
the given value, no data filtering will be performed through
filtering plugins to avoid data corruption and/or

2
doc/html/man8/3proxy.8.html
View File

@ -195,7 +195,7 @@ to <b>3proxy@3proxy.org</b></p>
</h2>
<p style="margin-left:6%; margin-top: 1em">3proxy.cfg(3),
<p style="margin-left:6%; margin-top: 1em">3proxy.cfg(5),
proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8),
kill(1), syslogd(8), <br>
https://3proxy.org/</p>

168
doc/html/man8/3proxy_crypt.8.html Normal file
View File

@ -0,0 +1,168 @@
<!-- Creator : groff version 1.24.1 -->
<html>
<head>
</head>
<body>
<h1 align="center">3proxy_crypt</h1>
<a href="#NAME">NAME</a><br>
<a href="#SYNOPSIS">SYNOPSIS</a><br>
<a href="#DESCRIPTION">DESCRIPTION</a><br>
<a href="#OPTIONS">OPTIONS</a><br>
<a href="#EXAMPLE">EXAMPLE</a><br>
<a href="#NOTES">NOTES</a><br>
<a href="#BUGS">BUGS</a><br>
<a href="#SEE ALSO">SEE ALSO</a><br>
<a href="#AUTHORS">AUTHORS</a><br>
<hr>
<h2>NAME
<a name="NAME"></a>
</h2>
<p style="margin-left:6%; margin-top: 1em"><b>3proxy_crypt</b>
- utility to generate encrypted passwords for 3proxy</p>
<h2>SYNOPSIS
<a name="SYNOPSIS"></a>
</h2>
<p style="margin-left:6%; margin-top: 1em"><b>3proxy_crypt</b>
<i>password</i> <b><br>
3proxy_crypt</b> <i>salt password</i></p>
<h2>DESCRIPTION
<a name="DESCRIPTION"></a>
</h2>
<p style="margin-left:6%; margin-top: 1em"><i><b>3proxy_crypt</b></i>
is a utility to generate encrypted password hashes for use
with 3proxy configuration. Encrypted passwords allow the
system to avoid storing passwords in cleartext in
configuration files.</p>
<p style="margin-left:6%; margin-top: 1em">When invoked
with a single argument, it produces an NT password hash
(MD4-based, suitable for NTLM authentication). The output is
prefixed with <b>NT:</b>.</p>
<p style="margin-left:6%; margin-top: 1em">When invoked
with two arguments (salt and password), it produces a
BLAKE2b password hash. The salt length is limited to 64
characters. The output is prefixed with <b>CR:</b>.</p>
<p style="margin-left:6%; margin-top: 1em">The resulting
hash can be used in the 3proxy configuration file with the
<b>users</b> directive instead of a cleartext password.</p>
<h2>OPTIONS
<a name="OPTIONS"></a>
</h2>
<p style="margin-left:6%; margin-top: 1em"><i>password</i></p>
<p style="margin-left:15%;">Cleartext password to
encrypt.</p>
<table width="100%" border="0" rules="none" frame="void"
cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="6%"></td>
<td width="5%">
<p><i>salt</i></p></td>
<td width="4%"></td>
<td width="65%">
<p>Salt string for BLAKE2b hashing (max 64 characters).</p></td>
<td width="20%">
</td></tr>
</table>
<h2>EXAMPLE
<a name="EXAMPLE"></a>
</h2>
<p style="margin-left:6%; margin-top: 1em">Generate NT
password hash:</p>
<p style="margin-left:15%;">3proxy_crypt
MySecretPassword</p>
<p style="margin-left:6%;">Result:</p>
<p style="margin-left:15%;">NT:3F7E6D8D96E8E7A9B0C1D2E3F4A5B6C7</p>
<p style="margin-left:6%;">Generate BLAKE2b password hash
with salt:</p>
<p style="margin-left:15%;">3proxy_crypt MySalt
MySecretPassword</p>
<p style="margin-left:6%;">Result:</p>
<p style="margin-left:15%;">CR:$3$MySalt$...</p>
<p style="margin-left:6%;">Using in 3proxy.cfg:</p>
<p style="margin-left:15%;">users
user1:CR:$3$MySalt$...</p>
<h2>NOTES
<a name="NOTES"></a>
</h2>
<p style="margin-left:6%; margin-top: 1em">The NT hash uses
the RSA MD4 Message-Digest Algorithm. The BLAKE2b hash uses
the BLAKE2 cryptographic hash function.</p>
<p style="margin-left:6%; margin-top: 1em">When a password
hash is prefixed with <b>NT:</b> or <b>CR:</b>, 3proxy uses
the corresponding algorithm to verify passwords instead of
comparing cleartext strings.</p>
<h2>BUGS
<a name="BUGS"></a>
</h2>
<p style="margin-left:6%; margin-top: 1em">Report all bugs
to <b>3proxy@3proxy.org</b></p>
<h2>SEE ALSO
<a name="SEE ALSO"></a>
</h2>
<p style="margin-left:6%; margin-top: 1em">3proxy(8),
3proxy.cfg(5), <br>
https://3proxy.org/</p>
<h2>AUTHORS
<a name="AUTHORS"></a>
</h2>
<p style="margin-left:6%; margin-top: 1em">3proxy is
designed by Vladimir 3APA3A Dubrovin
(<i>3proxy@3proxy.org</i>)</p>
<hr>
</body>
</html>

8
doc/html/man8/ftppr.8.html
View File

@ -128,7 +128,11 @@ accordance with the routing table.</p></td></tr>
<p style="margin-top: 1em">Internal address. IP address the
proxy accepts connections to. By default, connections to any
interface are accepted. It&acute;s usually unsafe.</p></td></tr>
interface are accepted. It&acute;s usually unsafe. Unix
domain sockets can be specified with
<i>-iunix:/path/to/socket</i> syntax (e.g.,
-iunix:/var/run/ftppr.sock). On Linux, abstract sockets use
<i>-iunix:@socketname</i> syntax.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="3%">
@ -194,7 +198,7 @@ with FTP proxy support, configure <i>internal_ip</i> and
FTP proxy support, use <i>internal_ip</i> and <i>port</i> as
the FTP server. The address of the real FTP server must be
configured as a part of the FTP username. The format for the
username is <i>username</i><b>@</b><i>server</i>, where
username is <i>username</i>@<i>server</i>, where
<i>server</i> is the address of the FTP server and
<i>username</i> is the user&acute;s login on this FTP
server. The login itself may contain an &acute;@&acute;

10
doc/html/man8/pop3p.8.html
View File

@ -128,7 +128,11 @@ accordance with the routing table.</p></td></tr>
<p style="margin-top: 1em">Internal address. IP address the
proxy accepts connections to. By default, connections to any
interface are accepted. It&acute;s usually unsafe.</p></td></tr>
interface are accepted. It&acute;s usually unsafe. Unix
domain sockets can be specified with
<i>-iunix:/path/to/socket</i> syntax (e.g.,
-iunix:/var/run/pop3p.sock). On Linux, abstract sockets use
<i>-iunix:@socketname</i> syntax.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="3%">
@ -192,8 +196,8 @@ MUA (Mail User Agent) with POP3 support. Set the client to
use <i>internal_ip</i> and <i>port</i> as a POP3 server. The
address of the real POP3 server must be configured as a part
of the POP3 username. The format for the username is
<i>username</i><b>@</b><i>server</i>, where <i>server</i> is
the address of the POP3 server and <i>username</i> is the
<i>username</i>@<i>server</i>, where <i>server</i> is the
address of the POP3 server and <i>username</i> is the
user&acute;s login on this POP3 server. The login itself may
contain an &acute;@&acute; sign. Only cleartext
authentication is supported, because challenge-response

6
doc/html/man8/proxy.8.html
View File

@ -127,7 +127,11 @@ accordance with the routing table.</p></td></tr>
<p style="margin-top: 1em">Internal address. IP address the
proxy accepts connections to. By default, connections to any
interface are accepted. It&acute;s usually unsafe.</p></td></tr>
interface are accepted. It&acute;s usually unsafe. Unix
domain sockets can be specified with
<i>-iunix:/path/to/socket</i> syntax (e.g.,
-iunix:/var/run/proxy.sock). On Linux, abstract sockets use
<i>-iunix:@socketname</i> syntax.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">

8
doc/html/man8/smtpp.8.html
View File

@ -128,7 +128,11 @@ accordance with the routing table.</p></td></tr>
<p style="margin-top: 1em">Internal address. IP address the
proxy accepts connections to. By default, connections to any
interface are accepted. It&acute;s usually unsafe.</p></td></tr>
interface are accepted. It&acute;s usually unsafe. Unix
domain sockets can be specified with
<i>-iunix:/path/to/socket</i> syntax (e.g.,
-iunix:/var/run/smtpp.sock). On Linux, abstract sockets use
<i>-iunix:@socketname</i> syntax.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="3%">
@ -192,7 +196,7 @@ MUA (Mail User Agent) with SMTP authentication support. Set
the client to use <i>internal_ip</i> and <i>port</i> as an
SMTP server. The address of the real SMTP server must be
configured as a part of the SMTP username. The format for
the username is <i>username</i><b>@</b><i>server</i>, where
the username is <i>username</i>@<i>server</i>, where
<i>server</i> is the address of the SMTP server and
<i>username</i> is the user&acute;s login on this SMTP
server. The login itself may contain an &acute;@&acute;

6
doc/html/man8/socks.8.html
View File

@ -162,7 +162,11 @@ and does not work with port translation.</p></td></tr>
<p style="margin-top: 1em">Internal address. IP address the
proxy accepts connections to. By default, connections to any
interface are accepted. It&acute;s usually unsafe.</p></td></tr>
interface are accepted. It&acute;s usually unsafe. Unix
domain sockets can be specified with
<i>-iunix:/path/to/socket</i> syntax (e.g.,
-iunix:/var/run/socks.sock). On Linux, abstract sockets use
<i>-iunix:@socketname</i> syntax.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">

16
doc/html/man8/tcppm.8.html
View File

@ -116,7 +116,11 @@ accordance with the routing table.</p></td></tr>
<p style="margin-top: 1em">Internal address. IP address the
proxy accepts connections to. By default, connections to any
interface are accepted. It&acute;s usually unsafe.</p></td></tr>
interface are accepted. It&acute;s usually unsafe. Unix
domain sockets can be specified with
<i>-iunix:/path/to/socket</i> syntax (e.g.,
-iunix:/var/run/tcppm.sock). On Linux, abstract sockets use
<i>-iunix:@socketname</i> syntax.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="3%">
@ -160,12 +164,18 @@ connections on</p>
<p style="margin-left:6%;"><i>remote_host</i></p>
<p style="margin-left:15%;">- IP address of the host the
connection is forwarded to</p>
connection is forwarded to. Unix domain sockets can be
specified with the syntax <i>unix:/path/to/socket</i> (e.g.,
unix:/var/run/app.sock). On Linux, abstract (fileless) Unix
sockets use the syntax <i>unix:@socketname</i> (e.g.,
unix:@app.socket).</p>
<p style="margin-left:6%;"><i>remote_port</i></p>
<p style="margin-left:15%;">- remote port the connection is
forwarded to</p>
forwarded to. Ignored when using Unix socket destination,
but must be specified (use any positive value) for syntax
compatibility.</p>
<h2>CLIENTS
<a name="CLIENTS"></a>

6
doc/html/man8/tlspr.8.html
View File

@ -132,7 +132,11 @@ accordance with the routing table.</p></td></tr>
<p style="margin-top: 1em">Internal address. IP address the
proxy accepts connections to. By default, connections to any
interface are accepted. It&acute;s usually unsafe.</p></td></tr>
interface are accepted. It&acute;s usually unsafe. Unix
domain sockets can be specified with
<i>-iunix:/path/to/socket</i> syntax (e.g.,
-iunix:/var/run/tlspr.sock). On Linux, abstract sockets use
<i>-iunix:@socketname</i> syntax.</p></td></tr>
<tr valign="top" align="left">
<td width="6%"></td>
<td width="4%">

22
doc/html/plugins/SSLPlugin.html
View File

@ -44,7 +44,7 @@ ssl_cli (or ssl_client) - establish TLS connection to upstream server for servic
<br><b>ssl_client_ca_store</b> /path/to/castore - CA store for ssl_client_verify (OpenSSL 3.0+)
<br><b>ssl_client_sni</b> hostname - SNI hostname to send to upstream server (overrides the requested hostname)
<br><b>ssl_client_alpn</b> protocol1 protocol2 ... - ALPN protocols to negotiate with upstream server (e.g., ssl_client_alpn h2 http/1.1)
<br><b>ssl_client_mode</b> mode - when to establish TLS connection: 0 - on connect (default), 1 - after authentication, 2 - before data
<br><b>ssl_client_mode</b> mode - when to establish TLS connection: 0 - on connect (default), 1 - after authentication, 2 - before data, 3 - only for secure parent types (ending with 's')
<br><b>ssl_certcache</b> /path/to/cache/ - location for the generated MITM certificates cache, optional if ssl_server_ca_file / ssl_server_ca_key are configured.
The cache may contain 3 files: 3proxy.pem - public
self-signed certificates (used if ssl_server_ca_file is not configured),
@ -89,6 +89,26 @@ proxy -p3128
</pre>
Creates an HTTP proxy that connects to upstream servers via TLS with client certificate authentication.
<h4>Conditional TLS for parent proxy (ssl_client_mode 3):</h4>
<pre>
plugin /path/to/SSLPlugin.so ssl_plugin
ssl_server_cert /path/to/server.crt
ssl_server_key /path/to/key
ssl_client_mode 3
auth strong
allow user1
parent 1000 https parent1.example.com 443
allow user2
parent 1000 socks5 parent2.example.com 1080
ssl_serv
ssl_cli
proxy -p3128
ssl_noserv
ssl_nocli
</pre>
Creates an HTTP proxy on port 3128 that uses TLS for client connections (ssl_serv). With ssl_client_mode 3, TLS handshake to parent proxy is performed only if the parent type ends with 's' (secure types). In this example, user1's traffic goes through an https parent proxy with TLS encryption, while user2's traffic goes through a regular socks5 parent without TLS. Secure parent types include: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps.
<h4>mTLS example (require client certificate):</h4>
<pre>
plugin /path/to/SSLPlugin.so ssl_plugin

22
doc/html/plugins/SSLPlugin.ru.html
View File

@ -44,7 +44,7 @@ ssl_cli (или ssl_client) - устанавливать TLS-соединени
<br><b>ssl_client_ca_store</b> /path/to/castore - хранилище CA-сертификатов для ssl_client_verify (OpenSSL 3.0+)
<br><b>ssl_client_sni</b> hostname - SNI-имя хоста для отправки вышестоящему серверу (переопределяет запрошенное имя хоста)
<br><b>ssl_client_alpn</b> протокол1 протокол2 ... - ALPN-протоколы для согласования с вышестоящим сервером (например, ssl_client_alpn h2 http/1.1)
<br><b>ssl_client_mode</b> режим - когда устанавливать TLS-соединение: 0 - при подключении (по умолчанию), 1 - после аутентификации, 2 - перед передачей данных
<br><b>ssl_client_mode</b> режим - когда устанавливать TLS-соединение: 0 - при подключении (по умолчанию), 1 - после аутентификации, 2 - перед передачей данных, 3 - только для защищённых типов parent прокси (заканчивающихся на 's')
<br><b>ssl_certcache</b> /path/to/cache/ - расположение кеша сгенерированных MITM-сертификатов. Кеш может содержать
файлы 3proxy.pem, 3proxy.key, server.key, которые используются как ssl_server_ca_file,
ssl_server_ca_key и ssl_server_key соответственно, если они не заданы. Если server.key не задан,
@ -86,6 +86,26 @@ proxy -p3128
</pre>
Создается HTTP-прокси, который соединяется с вышестоящими серверами через TLS с аутентификацией по клиентскому сертификату.
<h4>Условное TLS для parent прокси (ssl_client_mode 3):</h4>
<pre>
plugin /path/to/SSLPlugin.so ssl_plugin
ssl_server_cert /path/to/server.crt
ssl_server_key /path/to/key
ssl_client_mode 3
auth strong
allow user1
parent 1000 https parent1.example.com 443
allow user2
parent 1000 socks5 parent2.example.com 1080
ssl_serv
ssl_cli
proxy -p3128
ssl_noserv
ssl_nocli
</pre>
Создается HTTP-прокси на порту 3128, использующий TLS для клиентских соединений (ssl_serv). При ssl_client_mode 3 TLS-рукопожатие с родительским прокси выполняется только если тип parent прокси заканчивается на 's' (защищённые типы). В данном примере трафик user1 идёт через https родительский прокси с TLS-шифрованием, а трафик user2 — через обычный socks5 родитель без TLS. Защищённые типы parent прокси: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps.
<h4>Пример mTLS (требование клиентского сертификата):</h4>
<pre>
plugin /path/to/SSLPlugin.so ssl_plugin

2
man/3proxy.8
View File

@ -140,7 +140,7 @@ configuration file
Report all bugs to
.BR 3proxy@3proxy.org
.SH SEE ALSO
3proxy.cfg(3), proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8),
3proxy.cfg(5), proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8),
kill(1), syslogd(8),
.br
https://3proxy.org/

495
man/3proxy.cfg.3 → man/3proxy.cfg.5
View File

@ -1,4 +1,4 @@
.TH 3proxy.cfg "8" "January 2019" "3proxy 0.9" "Universal proxy server"
.TH 3proxy.cfg "5" "January 2019" "3proxy 0.9" "Universal proxy server"
.SH NAME
.B 3proxy.cfg
3proxy configuration file
@ -69,11 +69,11 @@ Recursion is not allowed.
.br
.B tcppm
[options]
<SRCPORT> <DSTADDR> <DSTPORT>
\fI<SRCPORT>\fR \fI<DSTADDR>\fR \fI<DSTPORT>\fR
.br
.B udppm
[options]
<SRCPORT> <DSTADDR> <DSTPORT>
\fI<SRCPORT>\fR \fI<DSTADDR>\fR \fI<DSTPORT>\fR
.br
Descriptions:
.br
@ -105,7 +105,13 @@ Web interface (default port 80)
caching DNS proxy (default port 53)
.br
.B tcppm
TCP portmapper
TCP portmapper. Destination address (DSTADDR) can be a Unix domain socket
using the syntax
.I unix:/path/to/socket
(e.g., tcppm 8080 unix:/var/run/app.sock 0). On Linux, abstract sockets use
.I unix:@socketname
syntax. When using Unix socket destination, the port number is ignored
but must be specified for syntax compatibility.
.br
.B udppm
UDP portmapper
@ -113,16 +119,10 @@ UDP portmapper
.br
Options:
.br
.B -pNUMBER
.B -p\fINUMBER\fR
change default server port to NUMBER
.br
.B -n
disable NTLM authentication (required if passwords are stored in Unix crypt format).
.br
.B -n1
enable NTLMv1 authentication.
.br
.B -g(GRACE_TRAFF,GRACE_NUM,GRACE_DELAY)
.B -g(\fIGRACE_TRAFF\fB,\fIGRACE_NUM\fB,\fIGRACE_DELAY\fR)
delay GRACE_DELAY milliseconds before polling if average polling size is below GRACE_TRAFF bytes and GRACE_NUM read operations in a single direction are detected within 1 second. Useful to minimize polling
.B -s
(for admin) secure, allow only secure operations, currently only traffic counters
@ -159,18 +159,18 @@ Resolve IPv6 addresses if IPv4 address is not resolvable
.B -64
Resolve IPv4 addresses if IPv6 address is not resolvable
.br
.B -RHOST:port
.B -R\fIHOST\fB:\fIport\fR
listen on given local HOST:port for incoming connections instead of making remote outgoing connection. Can be used with another 3proxy service running -r option for connect back functionality. Most commonly used with tcppm. HOST can be given as IP or hostname, useful in case of dynamic DNS.
.br
.B -rHOST:port
.B -r\fIHOST\fB:\fIport\fR
connect to given remote HOST:port instead of listening local connection on -p or default port. Can be used with another 3proxy service running -R option for connect back functionality. Most commonly used with proxy or socks. HOST can be given as IP or hostname, useful in case of dynamic DNS.
.br
.B -ocOPTIONS, -osOPTIONS, -olOPTIONS, -orOPTIONS, -oROPTIONS
options for proxy-to-client (oc), proxy-to-server (os), proxy listening (ol), connect back client (or), connect back listening (oR) sockets.
.B -oc\fIOPTIONS\fB, -os\fIOPTIONS\fB, -ol\fIOPTIONS\fB, -or\fIOPTIONS\fB, -oR\fIOPTIONS\fR
options for proxy-to-client (\fB-oc\fR), proxy-to-server (\fB-os\fR), proxy listening (\fB-ol\fR), connect back client (\fB-or\fR), connect back listening (\fB-oR\fR) sockets.
Options like TCP_CORK, TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK, TCP_TIMESTAMPS, USE_TCP_FASTOPEN, SO_REUSEADDR, SO_REUSEPORT, SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT, SO_KEEPALIVE, SO_DONTROUTE may be supported depending on OS.
.br
.B -DiINTERFACE, -DeINTERFACE
bind internal interface / external interface to given INTERFACE (e.g. eth0) if SO_BINDTODEVICE is supported by the system. You may need to run as root or have CAP_NET_RAW capability in order to bind to an interface, depending on the system, so this option may require root privileges and can be incompatible with some configuration commands like chroot and setuid (and daemon if setcap is used).
.B -Di\fIINTERFACE\fB, -De\fIINTERFACE\fR
bind internal (\fB-Di\fR) / external (\fB-De\fR) interface to given INTERFACE (e.g. eth0) if \fBSO_BINDTODEVICE\fR is supported by the system. You may need to run as root or have \fBCAP_NET_RAW\fR capability in order to bind to an interface, depending on the system, so this option may require root privileges and can be incompatible with some configuration commands like \fBchroot\fR and \fBsetuid\fR (and \fBdaemon\fR if setcap is used).
.br
.B -e
External address. IP address of the interface the proxy should initiate connections
@ -181,11 +181,23 @@ with the routing table.
.B -i
Internal address. IP address the proxy accepts connections to.
By default, connections to any interface are accepted.
Unix domain sockets can be specified with
.I -iunix:/path/to/socket
syntax. On Linux, abstract sockets use
.I -iunix:@socketname
syntax.
.br
.B -N
(for socks) External NAT address 3proxy reports to client for BIND and UDPASSOC
By default external address is reported. It's only useful in the case
of IP-IP NAT (will not work for PAT)
.B -Ne
(for socks) External NAT address (between 3proxy and destination server) to report to client for CONNECT and BIND. By default external address is reported. It's only useful in the case of IP-IP NAT (will not work for PAT).
.br
.B -Ni
(for socks) Internal NAT address (between client and 3proxy) to report to client for UDPASSOC. By default internal address is reported. It's only useful in the case of IP-IP NAT (will not work for PAT).
.br
.B -H
(for all services) Expect HAProxy PROXY protocol v1 header on incoming connection.
This allows the proxy to receive real client IP address from HAProxy or other
load balancer that supports the PROXY protocol. The header must be sent before
any protocol-specific data.
.br
Also, all options mentioned for
.BR proxy (8)
@ -204,7 +216,7 @@ pop3username@pop3server. If POP3 proxy access must be authenticated, you can
specify username as proxy_username:proxy_password:POP3_username@pop3server
.br
DNS proxy resolves any types of records but only hostnames are cached. It
requires nserver/nscache to be configured. If nserver is configured as TCP,
requires \fBnserver\fR/\fBnscache\fR to be configured. If \fBnserver\fR is configured as TCP,
redirections are applied on connection, so parent proxy may be used to resolve
names to IP.
.br
@ -220,14 +232,14 @@ proxy on a client with FTP proxy support. Username format is one of
Please note, if you use FTP client interface for FTP proxy do not add FTPpassword and FTPServer to username, because FTP client does it for you. That is, if you use 3proxy with authentication use proxyuser:proxypassword:FTPuser as FTP username, otherwise do not change original FTP user name
.br
.B include
<path>
.BR include
\fI<path>\fR
.br
Include config file
.br
.B config
<path>
.BR config
\fI<path>\fR
.br
Path to configuration file to use on 3proxy restart or to save configuration.
@ -246,8 +258,8 @@ alternate config file. Think twice before using it.
End of configuration
.br
.B log
[[@|&]logfile] [<LOGTYPE>]
.BR log
[[@|&]\fIlogfile\fR] [\fI<LOGTYPE>\fR]
.br
sets logfile for all gateways
.br
@ -259,17 +271,17 @@ alternate config file. Think twice before using it.
.br
LOGTYPE is one of:
.br
c Minutely
\fBc\fR Minutely
.br
H Hourly
\fBH\fR Hourly
.br
D Daily
\fBD\fR Daily
.br
W Weekly (starting from Sunday)
\fBW\fR Weekly (starting from Sunday)
.br
M Monthly
\fBM\fR Monthly
.br
Y Annually
\fBY\fR Annually
.br
if logfile is not specified logging goes to stdout. You can specify individual logging options for gateway by using -l
option in gateway configuration.
@ -280,13 +292,13 @@ As with "logformat" filename must begin with \'L\' or \'G\' to specify Local or
Grinwitch time zone for all time-based format specificators.
.br
.B rotate
<n>
.BR rotate
\fI<n>\fR
how many archived log files to keep
.br
.B logformat
<format>
.BR logformat
\fI<format>\fR
.br
Format for log record. First symbol in format must be L (local time)
or G (absolute Grinwitch time).
@ -368,8 +380,8 @@ with space and all time based elemnts are in local time zone.
logformat "-\'+_Linsert into log (l_date, l_user, l_service, l_in, l_out, l_descr) values (\'%d-%m-%Y %H:%M:%S\', \'%U\', \'%N\', %I, %O, \'%T\')"
.br
.B logdump
<in_traffic_limit> <out_traffic_limit>
.BR logdump
\fI<in_traffic_limit>\fR \fI<out_traffic_limit>\fR
.br
Immediately creates additional log records if given amount of incoming/outgoing
traffic is achieved for connection, without waiting for connection to finish.
@ -377,56 +389,56 @@ It may be useful to prevent information about long-lasting downloads on server
shutdown.
.br
.B delimchar
<char>
.BR delimchar
\fI<char>\fR
.br
Sets the delimiter character used to separate username from hostname in proxy
authentication strings (e.g. for FTP, POP3 proxies). Default is \'@\'. For example,
to use \'#\' instead: delimchar #. This allows usernames to contain the \'@\' character.
.br
.B archiver
<ext> <commandline>
.BR archiver
\fI<ext>\fR \fI<commandline>\fR
.br
Archiver to use for log files. <ext> is file extension produced by
archiver. Filename will be last argument to archiver, optionally you
can use %A as produced archive name and %F as filename.
.br
.B timeouts
<BYTE_SHORT> <BYTE_LONG> <STRING_SHORT> <STRING_LONG> <CONNECTION_SHORT> <CONNECTION_LONG> <DNS> <CHAIN> <CONNECT> <CONNECTBACK>
.BR timeouts
\fI<BYTE_SHORT>\fR \fI<BYTE_LONG>\fR \fI<STRING_SHORT>\fR \fI<STRING_LONG>\fR \fI<CONNECTION_SHORT>\fR \fI<CONNECTION_LONG>\fR \fI<DNS>\fR \fI<CHAIN>\fR \fI<CONNECT>\fR \fI<CONNECTBACK>\fR
.br
Sets timeout values, defaults 1, 5, 30, 60, 180, 1800, 15, 60, 15, 5.
.br
BYTE_SHORT short timeout for single byte, is usually used for receiving single byte from stream.
\fBBYTE_SHORT\fR short timeout for single byte, is usually used for receiving single byte from stream.
.br
BYTE_LONG long timeout for single byte, is usually used for receiving first byte in frame (for example first byte in socks request).
\fBBYTE_LONG\fR long timeout for single byte, is usually used for receiving first byte in frame (for example first byte in socks request).
.br
STRING_SHORT short timeout, for character string within stream (for example to wait between 2 HTTP headers)
\fBSTRING_SHORT\fR short timeout, for character string within stream (for example to wait between 2 HTTP headers)
.br
STRING_LONG long timeout, for first string in stream (for example to wait for HTTP request).
\fBSTRING_LONG\fR long timeout, for first string in stream (for example to wait for HTTP request).
.br
CONNECTION_SHORT inactivity timeout for short connections (HTTP, POP3, etc).
\fBCONNECTION_SHORT\fR inactivity timeout for short connections (HTTP, POP3, etc).
.br
CONNECTION_LONG inactivity timeout for long connection (SOCKS, portmappers, etc).
\fBCONNECTION_LONG\fR inactivity timeout for long connection (SOCKS, portmappers, etc).
.br
DNS timeout for DNS request before requesting next server
\fBDNS\fR timeout for DNS request before requesting next server
.br
CHAIN timeout for reading data from chained connection
\fBCHAIN\fR timeout for reading data from chained connection
.br
default timeouts 1 5 30 60 180 1800 15 60 15 5
.br
.B maxseg
<value>
.BR maxseg
\fI<value>\fR
.br
Sets TCP maximum segment size (MSS) for outgoing connections. This can be used
to work around path MTU discovery issues or to optimize traffic for specific
network conditions.
.br
.B radius
<NAS_SECRET> <radius_server_1[:port][/local_address_1]> <radius_server_2[:port][/local_address_2]>
.BR radius
\fI<NAS_SECRET>\fR \fI<radius_server_1\fR[:\fIport\fR][/\fIlocal_address_1\fR]\fR \fI<radius_server_2\fR[:\fIport\fR][/\fIlocal_address_2\fR]\fR
.br
Configures RADIUS servers to be used for logging and authentication (log and auth types
must be set to radius). port and local address to use with given server may be specified.
@ -445,11 +457,11 @@ Login-IPv6-Host / Login-IP-Host: (requested IP).
.br
Supported reply attributes for authentication:
Framed-IP-Address / Framed-IPv6-Address (IP to assign to user), Reply-Message.
Use authcache to speedup authentication. RADIUS feature is currently experimental.
Use \fBauthcache\fR to speedup authentication. RADIUS feature is currently experimental.
.br
.B nserver
<ipaddr>[:port][/tcp]
.BR nserver
\fI<ipaddr>\fR[:\fIport\fR][/\fItcp\fR]
.br
Nameserver to use for name resolutions. If none specified
system routines for name resolution is
@ -458,27 +470,27 @@ If optional /tcp is added to IP address, name resolution is
performed over TCP.
.br
.B authnserver
<ipaddr>[:port][/tcp]
.BR authnserver
\fI<ipaddr>\fR[:\fIport\fR][/\fItcp\fR]
.br
Nameserver to use for DNS-based authentication (e.g. dnsname auth type).
If not specified, nserver is used. The syntax is the same as for nserver.
.br
.B nscache
<cachesize>
.B nscache6
<cachesize>
.BR nscache
\fI<cachesize>\fR
.BR nscache6
\fI<cachesize>\fR
.br
Cache <cachesize> records for name resolution (nscache for IPv4,
nscache6 for IPv6). The cache size should usually be large enough
Cache \fI<cachesize>\fR records for name resolution (\fBnscache\fR for IPv4,
\fBnscache6\fR for IPv6). The cache size should usually be large enough
(for example, 65536).
.br
.B nsrecord
<hostname> <hostaddr>
.BR nsrecord
\fI<hostname>\fR \fI<hostaddr>\fR
.br
Adds static record to nscache. nscache must be enabled. If 0.0.0.0
Adds static record to nscache. \fBnscache\fR must be enabled. If 0.0.0.0
is used as a hostaddr host will never resolve, it can be used to
blacklist something or together with
.B dialer
@ -488,11 +500,11 @@ command to set up UDL for dialing.
.B fakeresolve
.br
All names are resolved to the 127.0.0.2 address. Useful if all requests are
redirected to a parent proxy with http, socks4+, connect+ or socks5+.
redirected to a parent proxy with \fBhttp\fR, \fBsocks4+\fR, \fBconnect+\fR or \fBsocks5+\fR.
.br
.B dialer
<progname>
.BR dialer
\fI<progname>\fR
.br
Execute progname if external name can\'t be resolved.
Hint: if you use nscache, dialer may not work, because names will
@ -501,38 +513,46 @@ http://dial.right.now/ from browser to set up connection.
.br
.B internal
<ipaddr>
.BR internal
\fI<ipaddr>\fR
.br
sets ip address of internal interface. This IP address will be used
to bind gateways. Alternatively you can use -i option for individual
gateways. Since 0.8 version, IPv6 address may be used.
.br
Unix domain sockets are supported with the syntax
.I unix:/path/to/socket
(e.g., internal unix:/var/run/3proxy.sock). On Linux, abstract (fileless)
Unix sockets are supported with the syntax
.I unix:@socketname
(e.g., internal unix:@3proxy). When using Unix sockets, the socket file
is automatically created and removed on service start/stop.
.br
.B external
<ipaddr>
.BR external
\fI<ipaddr>\fR
.br
sets ip address of external interface. This IP address will be source
address for all connections made by proxy. Alternatively you can use -e
option to specify individual address for gateway. Since 0.8 version
External or -e can be given twice: once with IPv4 and once with IPv6 address.
External or \fB-e\fR can be given twice: once with IPv4 and once with IPv6 address.
.br
.B maxconn
<number>
.BR maxconn
\fI<number>\fR
.br
sets the maximum number of simultaneous connections to each service
started after this command at the network level. Default is 100.
.br
To limit clients, use connlim instead. maxconn will silently ignore
new connections, while connlim will report back to the client that
To limit clients, use \fBconnlim\fR instead. \fBmaxconn\fR will silently ignore
new connections, while \fBconnlim\fR will report back to the client that
the connection limit has been reached.
.br
.B backlog
.br
sets the listening socket backlog of new connections. Default is
1 + maxconn/8. Maximum value is capped by kernel tunable somaxconn.
1 + \fBmaxconn\fR/8. Maximum value is capped by kernel tunable somaxconn.
.br
.B service
@ -546,40 +566,40 @@ to reinstall the service.
.B daemon
.br
Should be specified to close the console. Do not use \'daemon\' with \'service\'.
At least under FreeBSD, \'daemon\' should precede any proxy service
At least under FreeBSD, \fBdaemon\fR should precede any proxy service
and log commands to avoid socket problems. Always place it in the beginning
of the configuration file.
.br
.B auth
<authtype> [...]
.BR auth
\fI<authtype>\fR [...]
.br
Type of user authorization. Currently supported:
.br
none - no authentication or authorization required.
\fBnone\fR - no authentication or authorization required.
.br
Note: if auth is none, any IP-based limitation, redirection, etc. will not work.
This is the default authentication type
.br
iponly - authentication by access control list with username ignored.
\fBiponly\fR - authentication by access control list with username ignored.
Appropriate for most cases
.br
useronly - authentication by username without checking for any password with
\fBuseronly\fR - authentication by username without checking for any password with
authorization by ACLs. Useful for e.g. SOCKSv4 proxy and icqpr (icqpr set UIN /
AOL screen name as a username)
.br
dnsname - authentication by DNS hostname with authorization by ACLs.
\fBdnsname\fR - authentication by DNS hostname with authorization by ACLs.
The DNS hostname is resolved via a PTR (reverse) record and validated (the resolved
name must resolve to the same IP address). It\'s recommended to use authcache by
IP for this authentication.
NB: there is no password check; the name may be spoofed.
.br
strong - username/password authentication required. It will work with
\fBstrong\fR - username/password authentication required. It will work with
SOCKSv5, FTP, POP3 and HTTP proxy.
.br
cache - cached authentication, may be used with \'authcache\'.
\fBcache\fR - cached authentication, may be used with \'authcache\'.
.br
radius - authentication with RADIUS.
\fBradius\fR - authentication with RADIUS.
.br
Plugins may add additional authentication types.
@ -596,42 +616,43 @@ IP-based authentication for dedicated laptops and request a username/password fo
shared ones.
.br
.B authcache
<cachtype> <cachtime>
.BR authcache
\fI<cachtype>\fR \fI<cachtime>\fR \fI<cachesize>\fR
.br
Cache authentication information for a given amount of time (cachetime) in seconds.
cachesize limits number of cache entries.
Cachetype is one of:
.br
ip - after successful authentication all connections during caching time
\fBip\fR - after successful authentication all connections during caching time
from same IP are assigned to the same user, username is not requested.
.br
ip,user username is requested and all connections from the same IP are
\fBip,user\fR username is requested and all connections from the same IP are
assigned to the same user without actual authentication.
.br
user - same as above, but IP is not checked.
\fBuser\fR - same as above, but IP is not checked.
.br
user,password - both username and password are checked against cached ones.
\fBuser,password\fR - both username and password are checked against cached ones.
.br
limit - limit user to use only one ip, \'ip\' and \'user\' are required
\fBlimit\fR - limit user to use only one ip, \'ip\' and \'user\' are required
.br
acl - only use cached auth if user access service with same ACL
\fBack\fR - only use cached auth if user access service with same ACL
.br
ext - cache external IP
\fBext\fR - cache external IP
.br
Use auth type \'cache\' for cached authentication
Use auth type \fBcache\fR for cached authentication
.br
.B allow
<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
<weekdayslist> <timeperiodslist>
.BR allow
\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
.br
.B deny
<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
<weekdayslist> <timeperiodslist>
.BR deny
\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
.br
.B redirect
<ip> <port> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
<weekdayslist> <timeperiodslist>
.BR redirect
\fI<ip>\fR \fI<port>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
.br
Access control entries. All lists are comma-separated, no spaces are
allowed. Usernames are case sensitive (if used with authtype nbname
@ -660,42 +681,42 @@ to appropriate interface only or to use ip filters.
.br
Operation is one of:
.br
CONNECT establish outgoing TCP connection
\fBCONNECT\fR establish outgoing TCP connection
.br
BIND bind TCP port for listening
\fBBIND\fR bind TCP port for listening
.br
UDPASSOC make UDP association
\fBUDPASSOC\fR make UDP association
.br
ICMPASSOC make ICMP association (for future use)
\fBICMPASSOC\fR make ICMP association (for future use)
.br
HTTP_GET HTTP GET request
\fBHTTP_GET\fR HTTP GET request
.br
HTTP_PUT HTTP PUT request
\fBHTTP_PUT\fR HTTP PUT request
.br
HTTP_POST HTTP POST request
\fBHTTP_POST\fR HTTP POST request
.br
HTTP_HEAD HTTP HEAD request
\fBHTTP_HEAD\fR HTTP HEAD request
.br
HTTP_CONNECT HTTP CONNECT request
\fBHTTP_CONNECT\fR HTTP CONNECT request
.br
HTTP_OTHER over HTTP request
\fBHTTP_OTHER\fR over HTTP request
.br
HTTP matches any HTTP request except HTTP_CONNECT
\fBHTTP\fR matches any HTTP request except HTTP_CONNECT
.br
HTTPS same as HTTP_CONNECT
\fBHTTPS\fR same as HTTP_CONNECT
.br
FTP_GET FTP get request
\fBFTP_GET\fR FTP get request
.br
FTP_PUT FTP put request
\fBFTP_PUT\fR FTP put request
.br
FTP_LIST FTP list request
\fBFTP_LIST\fR FTP list request
.br
FTP_DATA FTP data connection. Note: FTP_DATA requires access to dynamic
\fBFTP_DATA\fR FTP data connection. Note: FTP_DATA requires access to dynamic
non-privileged (1024-65535) ports on the remote side.
.br
FTP matches any FTP/FTP Data request
\fBFTP\fR matches any FTP/FTP Data request
.br
ADMIN access to administration interface
\fBADMIN\fR access to administration interface
.br
Weekdays are week day numbers or periods, 0 or 7 means Sunday, 1 is Monday, 1-5 means Monday through Friday.
@ -704,8 +725,8 @@ non-privileged (1024-65535) ports on the remote side.
periods in HH:MM:SS-HH:MM:SS format. For example, 00:00:00-08:00:00,17:00:00-24:00:00 lists non-working hours.
.br
.B parent
<weight> <type> <ip> <port> <username> <password>
.BR parent
\fI<weight>\fR \fI<type>\fR \fI<ip>\fR \fI<port>\fR \fI<username>\fR \fI<password>\fR
.br
this command must follow "allow" rule. It extends last allow rule to
build proxy chain. Proxies may be grouped. Proxy inside the
@ -742,41 +763,45 @@ with probability of 0.7) for outgoing web connections. Chains are only applied t
.br
type is one of:
.br
extip does not actually redirect the request; it sets the external address for this request to <ip>. It can be chained with another parent type. It's useful to set the external IP based on ACL or make it random.
\fBextip\fR does not actually redirect the request; it sets the external address for this request to \fI<ip>\fR. It can be chained with another parent type. It's useful to set the external IP based on ACL or make it random.
.br
tcp simply redirect connection. TCP is always last in chain. This type of proxy is a simple TCP redirection, it does not support parent authentication.
\fBtcp\fR simply redirect connection. TCP is always last in chain. This type of proxy is a simple TCP redirection, it does not support parent authentication.
.br
http redirect to HTTP proxy. HTTP is always the last chain. It should only be used with http (proxy) service,
\fBhttp\fR redirect to HTTP proxy. HTTP is always the last chain. It should only be used with http (proxy) service,
if used with different service, it works as tcp redirection.
.br
pop3 redirect to POP3 proxy (only local redirection is supported, can only be used as a first hop in chaining)
\fBpop3\fR redirect to POP3 proxy (only local redirection is supported, can only be used as a first hop in chaining)
.br
ftp redirect to FTP proxy (only local redirection is supported, can only be used as a first hop in chaining)
\fBftp\fR redirect to FTP proxy (only local redirection is supported, can only be used as a first hop in chaining)
.br
connect parent is HTTP CONNECT method proxy
\fBconnect\fR parent is HTTP CONNECT method proxy
.br
connect+ parent is HTTP CONNECT proxy with name resolution (hostname is used instead of IP if available)
\fBconnect+\fR parent is HTTP CONNECT proxy with name resolution (hostname is used instead of IP if available)
.br
socks4 parent is SOCKSv4 proxy
\fBsocks4\fR parent is SOCKSv4 proxy
.br
socks4+ parent is SOCKSv4 proxy with name resolution (SOCKSv4a)
\fBsocks4+\fR parent is SOCKSv4 proxy with name resolution (SOCKSv4a)
.br
socks5 parent is SOCKSv5 proxy
\fBsocks5\fR parent is SOCKSv5 proxy
.br
socks5+ parent is SOCKSv5 proxy with name resolution
\fBsocks5+\fR parent is SOCKSv5 proxy with name resolution
.br
socks4b parent is SOCKS4b (broken SOCKSv4 implementation with shortened
\fBsocks4b\fR parent is SOCKS4b (broken SOCKSv4 implementation with shortened
server reply; I never saw this kind of server, but they say there are some).
Normally you should not use this option. Do not confuse this option with
SOCKSv4a (socks4+).
SOCKSv4a (\fBsocks4+\fR).
.br
socks5b parent is SOCKS5b (broken SOCKSv5 implementation with shortened
\fBsocks5b\fR parent is SOCKS5b (broken SOCKSv5 implementation with shortened
server reply. I think you will never find it useful). Never use this option
unless you know exactly you need it.
.br
admin redirect request to local \'admin\' service (with -s parameter).
\fBadmin\fR redirect request to local \'admin\' service (with -s parameter).
.br
Use "+" proxy only with "fakeresolve" option
\fBha\fR send HAProxy PROXY protocol v1 header to parent proxy. Must be the last
in the proxy chain. Useful for passing client IP information to the parent proxy.
Example: parent 1000 ha
.br
Use "+" proxy only with \fBfakeresolve\fR option
.br
IP and port are ip addres and port of parent proxy server.
@ -797,6 +822,14 @@ locally redirects to
.B proxy
.B admin
locally redirects to the admin -s service.
.br
Unix domain sockets can be used instead of IP address with the syntax
.I unix:/path/to/socket
(e.g., parent 1000 socks5 unix:/var/run/parent.sock 1080). On Linux,
abstract (fileless) Unix sockets are supported with
.I unix:@socketname
syntax (e.g., parent 1000 http unix:@parent.proxy 3128). When using Unix
sockets, the port number is ignored but must be specified for syntax compatibility.
.br
Main purpose of local redirections is to have the requested resource
@ -820,21 +853,21 @@ local HTTP proxy parses requests and allows only GET and POST requests.
.br
parent 1000 http 1.2.3.4 0
.br
Changes the external address for a given connection to 1.2.3.4 (equivalent to -e1.2.3.4)
Changes the external address for a given connection to 1.2.3.4 (equivalent to \fB-e1.2.3.4\fR)
.br
Optional username and password are used to authenticate on parent
proxy. Username of \'*\' means username must be supplied by user.
.br
.B parentretries
<number>
.BR parentretries
\fI<number>\fR
.br
Number of retries to connect to parent proxy. Default is 1.
.br
.B nolog
<n>
.BR nolog
\fI<n>\fR
.br
extends last allow or deny command to prevent logging, e.g.
.br
@ -844,8 +877,8 @@ nolog
.br
.B weight
<n>
.BR weight
\fI<n>\fR
.br
extends last allow or deny command to set weight for this request
.br
@ -867,30 +900,30 @@ is removed, old connections which do not match current are closed.
noforce allows to keep previously authenticated connections.
.br
.B bandlimin
<rate> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
<weekdayslist> <timeperiodslist>
.BR bandlimin
\fI<rate>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
.br
.B nobandlimin
<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
<weekdayslist> <timeperiodslist>
.BR nobandlimin
\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
.br
.B bandlimout
<rate> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
<weekdayslist> <timeperiodslist>
.BR bandlimout
\fI<rate>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
.br
.B nobandlimout
<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
<weekdayslist> <timeperiodslist>
.BR nobandlimout
\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
.br
bandlim sets a bandwidth limitation filter to <rate> bps (bits per second).
bandlim sets a bandwidth limitation filter to \fI<rate>\fR bps (bits per second).
If you want to specify bytes per second, multiply your value by 8.
bandlim rules act in the same manner as allow/deny rules, except for
one thing: bandwidth limiting is applied to all services, not to some
specific service.
bandlimin and nobandlimin apply to incoming traffic
\fBbandlimin\fR and \fBnobandlimin\fR apply to incoming traffic
.br
bandlimout and nobandlimout apply to outgoing traffic
\fBbandlimout\fR and \fBnobandlimout\fR apply to outgoing traffic
.br
If you want to ratelimit your clients with IPs 192.168.10.16/30 (4
addresses) to 57600 bps, you have to specify 4 rules like
@ -915,17 +948,17 @@ If you want, for example, to limit all speed except access to POP3, you can use
before the rest of bandlim rules.
.br
.B connlim
<rate> <period> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
<weekdayslist> <timeperiodslist>
.BR connlim
\fI<rate>\fR \fI<period>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
.br
.B noconnlim
<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
<weekdayslist> <timeperiodslist>
.BR noconnlim
\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
.br
connlim sets connections rate limit per time period for traffic
pattern controlled by ACL. Period is in seconds. If period is 0,
connlim limits a number of parallel connections.
\fBconnlim\fR limits a number of parallel connections.
.br
connlim 100 60 * 127.0.0.1
.br
@ -935,39 +968,39 @@ connlim limits a number of parallel connections.
.br
allows 20 simultaneous connections for 127.0.0.1.
.br
Like with bandlimin, if an individual limit is required per client, a separate
Like with \fBbandlimin\fR, if an individual limit is required per client, a separate
rule must be added for every client. Like with nobandlimin, noconnlim adds an
exception.
.br
.B counter
<filename> <reporttype> <reportname>
.BR counter
\fI<filename>\fR \fI<reporttype>\fR \fI<reportname>\fR
.br
.B countin
<number> <type> <limit> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
<weekdayslist> <timeperiodslist>
.BR countin
\fI<number>\fR \fI<type>\fR \fI<limit>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
.br
.B nocountin
<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
<weekdayslist> <timeperiodslist>
.BR nocountin
\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
.br
.B countout
<number> <type> <limit> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
<weekdayslist> <timeperiodslist>
.BR countout
\fI<number>\fR \fI<type>\fR \fI<limit>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
.br
.B nocountout
<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
<weekdayslist> <timeperiodslist>
.BR nocountout
\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
.br
.B countall
<number> <type> <limit> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
<weekdayslist> <timeperiodslist>
.BR countall
\fI<number>\fR \fI<type>\fR \fI<limit>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
.br
.B nocountall
<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
<weekdayslist> <timeperiodslist>
.BR nocountall
\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
.br
counter, countin, nocountin, countout, nocountout, countall,
@ -981,38 +1014,36 @@ should be a unique sequential number which points to the position of
the counter within the file.
Type specifies a type of counter. Type is one of:
.br
H - counter is reset hourly
\fBH\fR - counter is reset hourly
.br
D - counter is reset daily
\fBD\fR - counter is reset daily
.br
W - counter is reset weekly
\fBW\fR - counter is reset weekly
.br
M - counter is reset monthly
\fBM\fR - counter is reset monthly
.br
reporttype/reportname may be used to generate traffic reports.
Reporttype is one of D, W, M, H (hourly) and reportname specifies the filename
template for reports. The report is a text file with counter values in
the format:
.br
<COUNTERNUMBER> <TRAF>
\fI<COUNTERNUMBER>\fR \fI<TRAF>\fR
.br
The rest of parameters is identical to bandlim/nobandlim.
The rest of parameters is identical to \fBbandlim\fR/\fBnobandlim\fR.
.br
.B users
username[:pwtype:password] ...
.BR users
\fIusername\fR[:\fIpwtype\fR:\fIpassword\fR] ...
.br
pwtype is one of:
.br
none (empty) - use system authentication
.br
CL - password is cleartext
\fBCL\fR - password is cleartext
.br
CR - password is crypt-style password
\fBCR\fR - password is crypt-style password
.br
NT - password is NT password (in hex)
.br
LM - password is LM password (in hex)
\fBNT\fR - password is NT password (in hex)
.br
example:
.br
@ -1044,48 +1075,48 @@ and
.B socks
.br
.B system
<command>
.BR system
\fI<command>\fR
.br
execute system command
.br
.B pidfile
<filename>
.BR pidfile
\fI<filename>\fR
.br
write pid of current process to file. It can be used to manipulate
3proxy with signals under Unix. Currently next signals are available:
.br
.B monitor
<filename>
.BR monitor
\fI<filename>\fR
.br
If file monitored changes in modification time or size, 3proxy reloads
configuration within one minute. Any number of files may be monitored.
.br
.B setuid
<uid>
.BR setuid
\fI<uid>\fR
.br
calls setuid(uid), uid can be numeric or since 0.9 username. Unix only. Warning: under some Linux
kernels setuid() works for current thread only. It makes it impossible to suid
for all threads.
.br
.B setgid
<gid>
.BR setgid
\fI<gid>\fR
.br
calls setgid(gid), gid can be numeric or since 0.9 groupname. Unix only.
.br
.B chroot
<path> [<uid>] [<gid>]
.BR chroot
\fI<path>\fR [\fI<uid>\fR] [\fI<gid>\fR]
.br
calls chroot(path) and sets gid/uid. Unix only. uid/gid supported since 0.9, can be numeric or username/groupname
.br
.B stacksize
<value_to_add_to_default_stack_size>
.BR stacksize
\fI<value_to_add_to_default_stack_size>\fR
.br
Change the default size for thread stacks. May be required in some situations,
e.g. with non-default plugins, or on some platforms (some FreeBSD versions
@ -1100,8 +1131,8 @@ memory shortage, you can try to experiment with negative values.
.SH PLUGINS
.br
.B plugin
<path_to_shared_library> <function_to_call> [<arg1> ...]
.BR plugin
\fI<path_to_shared_library>\fR \fI<function_to_call>\fR [\fI<arg1>\fR ...]
.br
Loads specified library and calls given export function with given arguments,
as
@ -1111,8 +1142,8 @@ as
function_to_call must return 0 in case of success, value > 0 to indicate error.
.br
.B filtermaxsize
<max_size_of_data_to_filter>
.BR filtermaxsize
\fI<max_size_of_data_to_filter>\fR
.br
If Content-length (or another data length) is greater than the given value, no
data filtering will be performed through filtering plugins to avoid data

81
man/3proxy_crypt.8 Normal file
View File

@ -0,0 +1,81 @@
.TH 3proxy_crypt "8" "April 2026" "3proxy 0.9" "Universal proxy server"
.SH NAME
.B 3proxy_crypt
\- utility to generate encrypted passwords for 3proxy
.SH SYNOPSIS
.B 3proxy_crypt
.I password
.br
.B 3proxy_crypt
.I salt password
.SH DESCRIPTION
.B 3proxy_crypt
is a utility to generate encrypted password hashes for use with 3proxy
configuration. Encrypted passwords allow the system to avoid storing
passwords in cleartext in configuration files.
.PP
When invoked with a single argument, it produces an NT password hash
(MD4-based, suitable for NTLM authentication). The output is prefixed with
.BR NT: .
.PP
When invoked with two arguments (salt and password), it produces a BLAKE2b
password hash. The salt length is limited to 64 characters. The output is
prefixed with
.BR CR: .
.PP
The resulting hash can be used in the 3proxy configuration file with the
.B users
directive instead of a cleartext password.
.SH OPTIONS
.TP
.I password
Cleartext password to encrypt.
.TP
.I salt
Salt string for BLAKE2b hashing (max 64 characters).
.SH EXAMPLE
.TP
Generate NT password hash:
.RS
3proxy_crypt MySecretPassword
.RE
.TP
Result:
.RS
NT:3F7E6D8D96E8E7A9B0C1D2E3F4A5B6C7
.RE
.TP
Generate BLAKE2b password hash with salt:
.RS
3proxy_crypt MySalt MySecretPassword
.RE
.TP
Result:
.RS
CR:$3$MySalt$...
.RE
.TP
Using in 3proxy.cfg:
.RS
users user1:CR:$3$MySalt$...
.RE
.SH NOTES
The NT hash uses the RSA MD4 Message-Digest Algorithm. The BLAKE2b hash
uses the BLAKE2 cryptographic hash function.
.PP
When a password hash is prefixed with
.B NT:
or
.BR CR: ,
3proxy uses the corresponding algorithm to verify passwords instead of
comparing cleartext strings.
.SH BUGS
Report all bugs to
.BR 3proxy@3proxy.org
.SH SEE ALSO
3proxy(8), 3proxy.cfg(5),
.br
https://3proxy.org/
.SH AUTHORS
3proxy is designed by Vladimir 3APA3A Dubrovin
.RI ( 3proxy@3proxy.org )

7
man/ftppr.8
View File

@ -36,6 +36,11 @@ with the routing table.
.B -i
Internal address. IP address the proxy accepts connections to.
By default, connections to any interface are accepted. It\'s usually unsafe.
Unix domain sockets can be specified with
.I -iunix:/path/to/socket
syntax (e.g., -iunix:/var/run/ftppr.sock). On Linux, abstract sockets use
.I -iunix:@socketname
syntax.
.TP
.B -h
Default destination. It's used if the target address is not specified by the user.
@ -68,7 +73,7 @@ and
.IR port
as the FTP server. The address of the real FTP server must be configured as a part of
the FTP username. The format for the username is
.IR username \fB@ server ,
.IR username @ server ,
where
.I server
is the address of the FTP server and

7
man/pop3p.8
View File

@ -36,6 +36,11 @@ with the routing table.
.B -i
Internal address. IP address the proxy accepts connections to.
By default, connections to any interface are accepted. It\'s usually unsafe.
Unix domain sockets can be specified with
.I -iunix:/path/to/socket
syntax (e.g., -iunix:/var/run/pop3p.sock). On Linux, abstract sockets use
.I -iunix:@socketname
syntax.
.TP
.B -p
Port. Port proxy listens for incoming connections. Default is 110.
@ -62,7 +67,7 @@ and
.IR port
as a POP3 server. The address of the real POP3 server must be configured as a part of
the POP3 username. The format for the username is
.IR username \fB@ server ,
.IR username @ server ,
where
.I server
is the address of the POP3 server and

5
man/proxy.8
View File

@ -34,6 +34,11 @@ with the routing table.
.B -i
Internal address. IP address the proxy accepts connections to.
By default, connections to any interface are accepted. It\'s usually unsafe.
Unix domain sockets can be specified with
.I -iunix:/path/to/socket
syntax (e.g., -iunix:/var/run/proxy.sock). On Linux, abstract sockets use
.I -iunix:@socketname
syntax.
.TP
.B -a
Anonymous. Hide information about client.

7
man/smtpp.8
View File

@ -36,6 +36,11 @@ with the routing table.
.B -i
Internal address. IP address the proxy accepts connections to.
By default, connections to any interface are accepted. It\'s usually unsafe.
Unix domain sockets can be specified with
.I -iunix:/path/to/socket
syntax (e.g., -iunix:/var/run/smtpp.sock). On Linux, abstract sockets use
.I -iunix:@socketname
syntax.
.TP
.B -p
Port. Port proxy listens for incoming connections. Default is 25.
@ -63,7 +68,7 @@ and
.IR port
as an SMTP server. The address of the real SMTP server must be configured as a part of
the SMTP username. The format for the username is
.IR username \fB@ server ,
.IR username @ server ,
where
.I server
is the address of the SMTP server and

5
man/socks.8
View File

@ -49,6 +49,11 @@ of IP-IP NAT and does not work with port translation.
.B -i
Internal address. IP address the proxy accepts connections to.
By default, connections to any interface are accepted. It\'s usually unsafe.
Unix domain sockets can be specified with
.I -iunix:/path/to/socket
syntax (e.g., -iunix:/var/run/socks.sock). On Linux, abstract sockets use
.I -iunix:@socketname
syntax.
.TP
.B -p
Port. Port proxy listens for incoming connections. Default is 1080.

17
man/tcppm.8
View File

@ -31,6 +31,11 @@ with the routing table.
.B -i
Internal address. IP address the proxy accepts connections to.
By default, connections to any interface are accepted. It\'s usually unsafe.
Unix domain sockets can be specified with
.I -iunix:/path/to/socket
syntax (e.g., -iunix:/var/run/tcppm.sock). On Linux, abstract sockets use
.I -iunix:@socketname
syntax.
.TP
.B -l
Log. By default logging is to stdout. If
@ -50,10 +55,18 @@ crashes.
- port tcppm accepts connections on
.TP
.I remote_host
- IP address of the host the connection is forwarded to
- IP address of the host the connection is forwarded to. Unix domain sockets
can be specified with the syntax
.I unix:/path/to/socket
(e.g., unix:/var/run/app.sock). On Linux, abstract (fileless) Unix sockets
use the syntax
.I unix:@socketname
(e.g., unix:@app.socket).
.TP
.I remote_port
- remote port the connection is forwarded to
- remote port the connection is forwarded to. Ignored when using Unix socket
destination, but must be specified (use any positive value) for syntax
compatibility.
.SH CLIENTS
Any TCP-based application can be used as a client. Use
.I internal_ip

5
man/tlspr.8
View File

@ -36,6 +36,11 @@ with the routing table.
.B -i
Internal address. IP address the proxy accepts connections to.
By default, connections to any interface are accepted. It\'s usually unsafe.
Unix domain sockets can be specified with
.I -iunix:/path/to/socket
syntax (e.g., -iunix:/var/run/tlspr.sock). On Linux, abstract sockets use
.I -iunix:@socketname
syntax.
.TP
.B -a
Anonymous. Hide information about client.

4
scripts/add3proxyuser.sh
View File

@ -6,10 +6,10 @@ if [ $3 ]; then
echo countin \"`wc -l /etc/3proxy/conf/counters|awk '{print $1}'`/$1\" D $3 $1 >> /etc/3proxy/conf/counters
fi
if [ $2 ]; then
echo $1:`/bin/mycrypt $$ $2` >> /etc/3proxy/conf/passwd
echo $1:`/bin/3proxy_crypt $$ $2` >> /etc/3proxy/conf/passwd
else
echo usage: $0 username password [day_limit] [bandwidth]
echo " "day_limit - traffic limit in MB per day
echo " "bandwidth - bandwith in bits per second 1048576 = 1Mbps
echo " "bandwidth - bandwidth in bits per second 1048576 = 1Mbps
fi

19
scripts/rh/3proxy.spec
View File

@ -32,14 +32,15 @@ make clean
%files
/bin/3proxy
/bin/ftppr
/bin/mycrypt
/bin/pop3p
/bin/proxy
/bin/socks
/bin/tcppm
/bin/udppm
/bin/tlspr
/bin/3proxy_crypt
/bin/3proxy_ftppr
/bin/3proxy_pop3p
/bin/3proxy_proxy
/bin/3proxy_smtpp
/bin/3proxy_socks
/bin/3proxy_tcppm
/bin/3proxy_tlspr
/bin/3proxy_udppm
%config(noreplace) /etc/3proxy/3proxy.cfg
/etc/3proxy/conf
/etc/init.d/3proxy
@ -49,7 +50,7 @@ make clean
%config(noreplace) /usr/local/3proxy/conf/bandlimiters
%config(noreplace) /usr/local/3proxy/conf/counters
/usr/local/3proxy/libexec/*.ld.so
/usr/share/man/man3/*
/usr/share/man/man5/3proxy.cfg.5
/usr/share/man/man8/*
/var/log/3proxy

55
src/3proxy.c
View File

@ -1,5 +1,5 @@
/*
3APA3A simpliest proxy server
3APA3A simplest proxy server
(c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
please read License Agreement
@ -66,9 +66,9 @@ void __stdcall CommandHandler( DWORD dwCommand )
Sleep(2000);
SetStatus( SERVICE_STOPPED, 0, 0 );
#ifndef NOODBC
pthread_mutex_lock(&log_mutex);
_3proxy_mutex_lock(&log_mutex);
close_sql();
pthread_mutex_unlock(&log_mutex);
_3proxy_mutex_unlock(&log_mutex);
#endif
break;
case SERVICE_CONTROL_PAUSE:
@ -118,13 +118,6 @@ void mysigpause (int sig){
void mysigterm (int sig){
conf.paused++;
usleep(999*SLEEPTIME);
usleep(999*SLEEPTIME);
#ifndef NOODBC
pthread_mutex_lock(&log_mutex);
close_sql();
pthread_mutex_unlock(&log_mutex);
#endif
conf.timetoexit = 1;
}
@ -141,8 +134,10 @@ int timechanged (time_t oldtime, time_t newtime, ROTATION lt){
struct tm tmold;
struct tm *tm;
tm = localtime(&oldtime);
if(!tm) return 0;
tmold = *tm;
tm = localtime(&newtime);
if(!tm) return 0;
switch(lt){
case MINUTELY:
if(tm->tm_min != tmold.tm_min)return 1;
@ -214,18 +209,18 @@ void dumpcounters(struct trafcount *tlin, int counterd){
cheader.updated = conf.time;
lseek(counterd, 0, SEEK_SET);
if(write(counterd, &cheader, sizeof(struct counter_header))){}
if(lseek(counterd, 0, SEEK_SET) >= 0 && write(counterd, &cheader, sizeof(struct counter_header))){}
for(tl=tlin; tl; tl = tl->next){
if(tl->number){
lseek(counterd,
if(lseek(counterd,
sizeof(struct counter_header) + (tl->number - 1) * sizeof(struct counter_record),
SEEK_SET);
SEEK_SET) >= 0){
crecord.traf64 = tl->traf64;
crecord.cleared = tl->cleared;
crecord.updated = tl->updated;
if(write(counterd, &crecord, sizeof(struct counter_record))){}
}
}
if(tl->type!=NEVER && timechanged(tl->cleared, conf.time, tl->type)){
tl->cleared = conf.time;
tl->traf64 = 0;
@ -267,10 +262,12 @@ void cyclestep(void){
}
if(timechanged(basetime, conf.time, DAILY)) {
tm = localtime(&conf.time);
if(tm){
wday = (1 << tm->tm_wday);
tm->tm_hour = tm->tm_min = tm->tm_sec = 0;
basetime = mktime(tm);
}
}
if(conf.logname) {
if(timechanged(conf.logtime, conf.time, conf.logtype)) {
if(conf.stdlog) conf.stdlog = freopen((char *)dologname (tmpbuf, conf.logname, NULL, conf.logtype, conf.time), "a", conf.stdlog);
@ -508,31 +505,30 @@ int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int
return 1;
}
pthread_mutex_init(&config_mutex, NULL);
pthread_mutex_init(&bandlim_mutex, NULL);
pthread_mutex_init(&connlim_mutex, NULL);
pthread_mutex_init(&hash_mutex, NULL);
pthread_mutex_init(&tc_mutex, NULL);
pthread_mutex_init(&pwl_mutex, NULL);
pthread_mutex_init(&log_mutex, NULL);
_3proxy_mutex_init(&config_mutex);
_3proxy_mutex_init(&bandlim_mutex);
_3proxy_mutex_init(&connlim_mutex);
_3proxy_mutex_init(&tc_mutex);
_3proxy_mutex_init(&log_mutex);
#ifndef NORADIUS
pthread_mutex_init(&rad_mutex, NULL);
_3proxy_mutex_init(&rad_mutex);
#endif
#ifdef _WIN32
if(!CreatePipe(&conf.threadinit[0], &conf.threadinit[1], NULL, 1)){
#else
if(pipe(conf.threadinit)) {
#endif
fprintf(stderr, "CreatePipe failed\n");
conf.threadinit = CreateSemaphore(NULL, 0, 1, NULL);
if(!conf.threadinit){
fprintf(stderr, "semaphore init failed\n");
return 1;
};
}
#else
_3proxy_mutex_init(&conf.threadinit);
#endif
freeconf(&conf);
res = readconfig(fp);
conf.version++;
if(res) RETURN(res);
if(!writable)fclose(fp);
if(!writable){fclose(fp); fp = NULL;}
#ifdef _WIN32
@ -563,6 +559,7 @@ int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int
CLEARRETURN:
if(fp && fp != stdin) {fclose(fp); fp = NULL;}
return 0;
}

55
src/mycrypt.c → src/3proxy_crypt.c
View File

@ -1,12 +1,15 @@
/*
3APA3A simpliest proxy server
3APA3A simplest proxy server
(c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
please read License Agreement
*/
#ifndef WITHMAIN
#include "libs/md5.h"
#endif
#include "libs/md4.h"
#include "libs/blake2.h"
#include <string.h>
#define MD5_SIZE 16
@ -64,20 +67,21 @@ unsigned char * ntpwdhash (unsigned char *szHash, const unsigned char *szPasswor
unsigned char * mycrypt(const unsigned char *pw, const unsigned char *salt, unsigned char *passwd){
const unsigned char *ep;
if(salt[0] == '$' && salt[1] == '1' && salt[2] == '$' && (ep = (unsigned char *)strchr((char *)salt+3, '$'))) {
static unsigned char *magic = (unsigned char *)"$1$";
unsigned char *magic;
unsigned char *p;
const unsigned char *sp;
unsigned char final[MD5_SIZE];
int sl,pl,i;
MD5_CTX ctx,ctx1;
int sl;
unsigned long l;
/* Refine the Salt first */
sp = salt +3;
#ifndef WITHMAIN
if(salt[0] == '$' && salt[1] == '1' && salt[2] == '$' && (ep = (unsigned char *)strchr((char *)salt+3, '$'))) {
MD5_CTX ctx,ctx1;
int pl, i;
/* get the length of the true salt */
sp = salt +3;
sl = (int)(ep - sp);
magic = (unsigned char *)"$1$";
MD5Init(&ctx);
@ -109,10 +113,6 @@ unsigned char * mycrypt(const unsigned char *pw, const unsigned char *salt, unsi
else
MD5Update(&ctx, pw, 1);
/* Now make the output string */
strcpy((char *)passwd,(char *)magic);
strncat((char *)passwd,(char *)sp,sl);
strcat((char *)passwd,"$");
MD5Final(final,&ctx);
@ -141,6 +141,26 @@ unsigned char * mycrypt(const unsigned char *pw, const unsigned char *salt, unsi
MD5Final(final,&ctx1);
}
/* Don't leave anything around in vm they could use. */
memset(final,0,sizeof final);
}
else
#endif
if(salt[0] == '$' && salt[1] == '3' && salt[2] == '$' && (ep = (unsigned char *)strchr((char *)salt+3, '$'))) {
sp = salt +3;
sl = (int)(ep - sp);
magic = (unsigned char *)"$3$";
blake2b(final, MD5_SIZE, pw, strlen((char *)pw), sp, sl);
}
else {
*passwd = 0;
return passwd;
}
strcpy((char *)passwd,(char *)magic);
strncat((char *)passwd,(char *)sp,sl);
strcat((char *)passwd,"$");
p = passwd + strlen((char *)passwd);
l = (final[ 0]<<16) | (final[ 6]<<8) | final[12];
@ -156,13 +176,6 @@ unsigned char * mycrypt(const unsigned char *pw, const unsigned char *salt, unsi
l = final[11] ;
_crypt_to64(p,l,2); p += 2;
*p = '\0';
/* Don't leave anything around in vm they could use. */
memset(final,0,sizeof final);
}
else {
*passwd = 0;
}
return passwd;
}
@ -176,7 +189,7 @@ int main(int argc, char* argv[]){
fprintf(stderr, "usage: \n"
"\t%s <password>\n"
"\t%s <salt> <password>\n"
"Performs NT crypt if no salt specified, MD5 crypt with salt\n"
"Performs NT crypt if no salt specified, BLAKE2 crypt with salt\n"
"This software uses:\n"
" RSA Data Security, Inc. MD4 Message-Digest Algorithm\n"
" RSA Data Security, Inc. MD5 Message-Digest Algorithm\n",
@ -190,7 +203,7 @@ int main(int argc, char* argv[]){
else {
i = (int)strlen((char *)argv[1]);
if (i > 64) argv[1][64] = 0;
sprintf((char *)buf, "$1$%s$", argv[1]);
sprintf((char *)buf, "$3$%s$", argv[1]);
printf("CR:%s\n", mycrypt((unsigned char *)argv[2], buf, buf+256));
}
return 0;

101
src/Makefile.inc
View File

@ -2,8 +2,7 @@
# 3 proxy common Makefile
#
all: $(BUILDDIR)3proxy$(EXESUFFICS) $(BUILDDIR)mycrypt$(EXESUFFICS) $(BUILDDIR)pop3p$(EXESUFFICS) $(BUILDDIR)smtpp$(EXESUFFICS) $(BUILDDIR)ftppr$(EXESUFFICS) $(BUILDDIR)tcppm$(EXESUFFICS) $(BUILDDIR)tlspr$(EXESUFFICS) $(BUILDDIR)udppm$(EXESUFFICS) $(BUILDDIR)socks$(EXESUFFICS) $(BUILDDIR)proxy$(EXESUFFICS) allplugins
all: $(BUILDDIR)3proxy$(EXESUFFICS) $(BUILDDIR)$(CRYPT_PREFIX)crypt$(EXESUFFICS) $(BUILDDIR)$(PREFIX)pop3p$(EXESUFFICS) $(BUILDDIR)$(PREFIX)smtpp$(EXESUFFICS) $(BUILDDIR)$(PREFIX)ftppr$(EXESUFFICS) $(BUILDDIR)$(PREFIX)tcppm$(EXESUFFICS) $(BUILDDIR)$(PREFIX)udppm$(EXESUFFICS) $(BUILDDIR)$(PREFIX)tlspr$(EXESUFFICS) $(BUILDDIR)$(PREFIX)socks$(EXESUFFICS) $(BUILDDIR)$(PREFIX)proxy$(EXESUFFICS) allplugins
sockmap$(OBJSUFFICS): sockmap.c proxy.h structures.h
$(CC) $(CFLAGS) sockmap.c
@ -27,62 +26,60 @@ sockgetchar$(OBJSUFFICS): sockgetchar.c proxy.h structures.h
$(CC) $(CFLAGS) sockgetchar.c
proxy$(OBJSUFFICS): proxy.c proxy.h structures.h proxymain.c
$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)ANONYMOUS proxy.c
$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)ANONYMOUS $(DEFINEOPTION)NOUDPMAIN proxy.c
pop3p$(OBJSUFFICS): pop3p.c proxy.h structures.h proxymain.c
$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP pop3p.c
$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)NOUDPMAIN pop3p.c
smtpp$(OBJSUFFICS): smtpp.c proxy.h structures.h proxymain.c
$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP smtpp.c
$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)NOUDPMAIN smtpp.c
ftppr$(OBJSUFFICS): ftppr.c proxy.h structures.h proxymain.c
$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP ftppr.c
$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)NOUDPMAIN ftppr.c
tcppm$(OBJSUFFICS): tcppm.c proxy.h structures.h proxymain.c
$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP tcppm.c
tlspr$(OBJSUFFICS): tlspr.c proxy.h structures.h proxymain.c
$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP tlspr.c
socks$(OBJSUFFICS): socks.c proxy.h structures.h proxymain.c
$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP socks.c
$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP $(DEFINEOPTION)NOUDPMAIN tcppm.c
udppm$(OBJSUFFICS): udppm.c proxy.h structures.h proxymain.c
$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP udppm.c
tlspr$(OBJSUFFICS): tlspr.c proxy.h structures.h proxymain.c
$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP $(DEFINEOPTION)NOUDPMAIN tlspr.c
socks$(OBJSUFFICS): socks.c proxy.h structures.h proxymain.c
$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)NOUDPMAIN socks.c
3proxy$(OBJSUFFICS): 3proxy.c proxy.h structures.h
$(CC) $(CFLAGS) 3proxy.c
$(BUILDDIR)proxy$(EXESUFFICS): sockmap$(OBJSUFFICS) proxy$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS)
$(LN) $(LNOUT)$(BUILDDIR)proxy$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) proxy$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
$(BUILDDIR)$(PREFIX)proxy$(EXESUFFICS): sockmap$(OBJSUFFICS) proxy$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS)
$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)proxy$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) proxy$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
$(BUILDDIR)pop3p$(EXESUFFICS): sockmap$(OBJSUFFICS) pop3p$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) $(COMPATLIBS)
$(LN) $(LNOUT)$(BUILDDIR)pop3p$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) pop3p$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
$(BUILDDIR)$(PREFIX)pop3p$(EXESUFFICS): sockmap$(OBJSUFFICS) pop3p$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) $(COMPATLIBS)
$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)pop3p$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) pop3p$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
$(BUILDDIR)smtpp$(EXESUFFICS): sockmap$(OBJSUFFICS) smtpp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) base64$(OBJSUFFICS) $(COMPATLIBS)
$(LN) $(LNOUT)$(BUILDDIR)smtpp$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) smtpp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) base64$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
$(BUILDDIR)$(PREFIX)smtpp$(EXESUFFICS): sockmap$(OBJSUFFICS) smtpp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) base64$(OBJSUFFICS) $(COMPATLIBS)
$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)smtpp$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) smtpp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) base64$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
$(BUILDDIR)ftppr$(EXESUFFICS): sockmap$(OBJSUFFICS) ftppr$(OBJSUFFICS) ftp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) $(COMPATLIBS)
$(LN) $(LNOUT)$(BUILDDIR)ftppr$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) ftppr$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
$(BUILDDIR)$(PREFIX)ftppr$(EXESUFFICS): sockmap$(OBJSUFFICS) ftppr$(OBJSUFFICS) ftp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) $(COMPATLIBS)
$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)ftppr$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) ftppr$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
$(BUILDDIR)socks$(EXESUFFICS): sockmap$(OBJSUFFICS) socks$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
$(LN) $(LNOUT)$(BUILDDIR)socks$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) socks$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
$(BUILDDIR)$(PREFIX)socks$(EXESUFFICS): sockmap$(OBJSUFFICS) socks$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)socks$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) socks$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
$(BUILDDIR)tcppm$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tcppm$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
$(LN) $(LNOUT)$(BUILDDIR)tcppm$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tcppm$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
$(BUILDDIR)$(PREFIX)tcppm$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tcppm$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)tcppm$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tcppm$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
$(BUILDDIR)tlspr$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tlspr$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
$(LN) $(LNOUT)$(BUILDDIR)tlspr$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tlspr$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
$(BUILDDIR)$(PREFIX)udppm$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) hash$(OBJSUFFICS)
$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)udppm$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) hash$(OBJSUFFICS) $(LIBS)
$(BUILDDIR)udppm$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
$(LN) $(LNOUT)$(BUILDDIR)udppm$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
$(BUILDDIR)$(PREFIX)tlspr$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tlspr$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)tlspr$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tlspr$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
mainfunc$(OBJSUFFICS): proxy.h structures.h proxymain.c
$(CC) $(COUT)mainfunc$(OBJSUFFICS) $(CFLAGS) $(DEFINEOPTION)MODULEMAINFUNC=mainfunc proxymain.c
srvproxy$(OBJSUFFICS): proxy.c proxy.h structures.h
$(CC) $(COUT)srvproxy$(OBJSUFFICS) $(CFLAGS) proxy.c
@ -119,6 +116,24 @@ srvdnspr$(OBJSUFFICS): dnspr.c proxy.h structures.h
auth$(OBJSUFFICS): auth.c proxy.h structures.h
$(CC) $(COUT)auth$(OBJSUFFICS) $(CFLAGS) auth.c
acl$(OBJSUFFICS): acl.c proxy.h structures.h
$(CC) $(COUT)acl$(OBJSUFFICS) $(CFLAGS) acl.c
limiter$(OBJSUFFICS): limiter.c proxy.h structures.h
$(CC) $(COUT)limiter$(OBJSUFFICS) $(CFLAGS) limiter.c
redirect$(OBJSUFFICS): redirect.c proxy.h structures.h
$(CC) $(COUT)redirect$(OBJSUFFICS) $(CFLAGS) redirect.c
hash$(OBJSUFFICS): hash.c proxy.h structures.h
$(CC) $(COUT)hash$(OBJSUFFICS) $(CFLAGS) hash.c
hashtables$(OBJSUFFICS): hashtables.c proxy.h structures.h
$(CC) $(COUT)hashtables$(OBJSUFFICS) $(CFLAGS) hashtables.c
resolve$(OBJSUFFICS): resolve.c proxy.h structures.h
$(CC) $(COUT)resolve$(OBJSUFFICS) $(CFLAGS) resolve.c
authradius$(OBJSUFFICS): authradius.c proxy.h structures.h
$(CC) $(COUT)authradius$(OBJSUFFICS) $(CFLAGS) authradius.c
@ -131,15 +146,11 @@ log$(OBJSUFFICS): log.c proxy.h structures.h
datatypes$(OBJSUFFICS): datatypes.c proxy.h structures.h
$(CC) $(COUT)datatypes$(OBJSUFFICS) $(CFLAGS) datatypes.c
mycrypt$(OBJSUFFICS): mycrypt.c
$(CC) $(COUT)mycrypt$(OBJSUFFICS) $(CFLAGS) mycrypt.c
mycryptmain$(OBJSUFFICS): mycrypt.c
$(CC) $(COUT)mycryptmain$(OBJSUFFICS) $(CFLAGS) $(DEFINEOPTION)WITHMAIN mycrypt.c
$(BUILDDIR)mycrypt$(EXESUFFICS): md4$(OBJSUFFICS) md5$(OBJSUFFICS) mycryptmain$(OBJSUFFICS) base64$(OBJSUFFICS)
$(LN) $(LNOUT)$(BUILDDIR)mycrypt$(EXESUFFICS) $(LDFLAGS) md4$(OBJSUFFICS) md5$(OBJSUFFICS) base64$(OBJSUFFICS) mycryptmain$(OBJSUFFICS)
3proxy_crypt$(OBJSUFFICS): 3proxy_crypt.c
$(CC) $(COUT)3proxy_crypt$(OBJSUFFICS) $(CFLAGS) 3proxy_crypt.c
3proxy_cryptmain$(OBJSUFFICS): 3proxy_crypt.c
$(CC) $(COUT)3proxy_cryptmain$(OBJSUFFICS) $(CFLAGS) $(DEFINEOPTION)WITHMAIN 3proxy_crypt.c
md4$(OBJSUFFICS): libs/md4.h libs/md4.c
$(CC) $(COUT)md4$(OBJSUFFICS) $(CFLAGS) libs/md4.c
@ -147,9 +158,15 @@ md4$(OBJSUFFICS): libs/md4.h libs/md4.c
md5$(OBJSUFFICS): libs/md5.h libs/md5.c
$(CC) $(COUT)md5$(OBJSUFFICS) $(CFLAGS) libs/md5.c
blake2$(OBJSUFFICS): libs/blake2.h libs/blake2-impl.h libs/blake2b-ref.c
$(CC) $(COUT)blake2$(OBJSUFFICS) $(CFLAGS) libs/blake2b-ref.c
$(BUILDDIR)$(CRYPT_PREFIX)crypt$(EXESUFFICS): md4$(OBJSUFFICS) blake2$(OBJSUFFICS) 3proxy_cryptmain$(OBJSUFFICS) base64$(OBJSUFFICS)
$(LN) $(LNOUT)$(BUILDDIR)$(CRYPT_PREFIX)crypt$(EXESUFFICS) $(LDFLAGS) md4$(OBJSUFFICS) blake2$(OBJSUFFICS) base64$(OBJSUFFICS) 3proxy_cryptmain$(OBJSUFFICS)
stringtable$(OBJSUFFICS): stringtable.c
$(CC) $(COUT)stringtable$(OBJSUFFICS) $(CFLAGS) stringtable.c
$(BUILDDIR)3proxy$(EXESUFFICS): 3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) auth$(OBJSUFFICS) authradius$(OBJSUFFICS) conf$(OBJSUFFICS) log$(OBJSUFFICS) datatypes$(OBJSUFFICS) md4$(OBJSUFFICS) md5$(OBJSUFFICS) mycrypt$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(VERSIONDEP)
$(LN) $(LNOUT)$(BUILDDIR)3proxy$(EXESUFFICS) $(LDFLAGS) $(VERFILE) 3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) auth$(OBJSUFFICS) authradius$(OBJSUFFICS) conf$(OBJSUFFICS) datatypes$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) mycrypt$(OBJSUFFICS) md5$(OBJSUFFICS) md4$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
$(BUILDDIR)3proxy$(EXESUFFICS): 3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) auth$(OBJSUFFICS) acl$(OBJSUFFICS) limiter$(OBJSUFFICS) redirect$(OBJSUFFICS) authradius$(OBJSUFFICS) hash$(OBJSUFFICS) hashtables$(OBJSUFFICS) resolve$(OBJSUFFICS) sql$(OBJSUFFICS) conf$(OBJSUFFICS) log$(OBJSUFFICS) datatypes$(OBJSUFFICS) md4$(OBJSUFFICS) md5$(OBJSUFFICS) blake2$(OBJSUFFICS) 3proxy_crypt$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(VERSIONDEP)
$(LN) $(LNOUT)$(BUILDDIR)3proxy$(EXESUFFICS) $(LDFLAGS) $(VERFILE) 3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) auth$(OBJSUFFICS) acl$(OBJSUFFICS) limiter$(OBJSUFFICS) redirect$(OBJSUFFICS) authradius$(OBJSUFFICS) hash$(OBJSUFFICS) hashtables$(OBJSUFFICS) resolve$(OBJSUFFICS) sql$(OBJSUFFICS) conf$(OBJSUFFICS) datatypes$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) 3proxy_crypt$(OBJSUFFICS) md5$(OBJSUFFICS) blake2$(OBJSUFFICS) md4$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)

168
src/acl.c Normal file
View File

@ -0,0 +1,168 @@
/*
3APA3A simplest proxy server
(c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
please read License Agreement
*/
#include "proxy.h"
int IPInentry(struct sockaddr *sa, struct iplist *ipentry){
int addrlen;
unsigned char *ip, *ipf, *ipt;
if(!sa || ! ipentry || *SAFAMILY(sa) != ipentry->family) return 0;
ip = (unsigned char *)SAADDR(sa);
ipf = (unsigned char *)&ipentry->ip_from;
ipt = (unsigned char *)&ipentry->ip_to;
addrlen = SAADDRLEN(sa);
if(memcmp(ip,ipf,addrlen) < 0 || memcmp(ip,ipt,addrlen) > 0) return 0;
return 1;
}
int ACLmatches(struct ace* acentry, struct clientparam * param){
struct userlist * userentry;
struct iplist *ipentry;
struct portlist *portentry;
struct period *periodentry;
unsigned char * username;
struct hostname * hstentry=NULL;
int i;
int match = 0;
username = param->username?param->username:(unsigned char *)"-";
if(acentry->src) {
for(ipentry = acentry->src; ipentry; ipentry = ipentry->next)
if(IPInentry((struct sockaddr *)&param->sincr, ipentry)) {
break;
}
if(!ipentry) return 0;
}
if((acentry->dst && (!SAISNULL(&param->req) || param->operation == UDPASSOC || param->operation==BIND)) || (acentry->dstnames && param->hostname)) {
for(ipentry = acentry->dst; ipentry; ipentry = ipentry->next)
if(IPInentry((struct sockaddr *)&param->req, ipentry)) {
break;
}
if(!ipentry) {
if(acentry->dstnames && param->hostname){
for(i=0; param->hostname[i]; i++){
param->hostname[i] = tolower(param->hostname[i]);
}
while(i > 5 && param->hostname[i-1] == '.') param->hostname[i-1] = 0;
for(hstentry = acentry->dstnames; hstentry; hstentry = hstentry->next){
int lname, lhost;
switch(hstentry->matchtype){
case 0:
#ifndef _WIN32
if(strcasestr((char *)param->hostname, (char *)hstentry->name)) match = 1;
#else
if(strstr((char *)param->hostname, (char *)hstentry->name)) match = 1;
#endif
break;
case 1:
if(!strncasecmp((char *)param->hostname, (char *)hstentry->name, strlen((char *)hstentry->name)))
match = 1;
break;
case 2:
lname = strlen((char *)hstentry->name);
lhost = strlen((char *)param->hostname);
if(lhost > lname){
if(!strncasecmp((char *)param->hostname + (lhost - lname),
(char *)hstentry->name,
lname))
match = 1;
}
break;
default:
if(!strcasecmp((char *)param->hostname, (char *)hstentry->name)) match = 1;
break;
}
if(match) break;
}
}
}
if(!ipentry && !hstentry) return 0;
}
if(acentry->ports && (*SAPORT(&param->req) || param->operation == UDPASSOC || param->operation == BIND)) {
for (portentry = acentry->ports; portentry; portentry = portentry->next)
if(ntohs(*SAPORT(&param->req)) >= portentry->startport &&
ntohs(*SAPORT(&param->req)) <= portentry->endport) {
break;
}
if(!portentry) return 0;
}
if(acentry->wdays){
if(!(acentry -> wdays & wday)) return 0;
}
if(acentry->periods){
int start_time = (int)(param->time_start - basetime);
for(periodentry = acentry->periods; periodentry; periodentry = periodentry -> next)
if(start_time >= periodentry->fromtime && start_time < periodentry->totime){
break;
}
if(!periodentry) return 0;
}
if(acentry->users){
for(userentry = acentry->users; userentry; userentry = userentry->next)
if(!strcmp((char *)username, (char *)userentry->user)){
break;
}
if(!userentry) return 0;
}
if(acentry->operation) {
if((acentry->operation & param->operation) != param->operation){
return 0;
}
}
if(acentry->weight && (acentry->weight < param->weight)) return 0;
return 1;
}
int checkACL(struct clientparam * param){
struct ace* acentry;
if(!param->srv->acl) {
return 0;
}
for(acentry = param->srv->acl; acentry; acentry = acentry->next) {
if(ACLmatches(acentry, param)) {
param->nolog = acentry->nolog;
param->weight = acentry->weight;
if(acentry->action == 2) {
struct ace dup;
int res=60,i=0;
if(param->operation < 256 && !(param->operation & CONNECT)){
continue;
}
if(param->redirected && acentry->chains && SAISNULL(&acentry->chains->addr) && !*SAPORT(&acentry->chains->addr)) {
continue;
}
if(param->remsock != INVALID_SOCKET) {
return 0;
}
for(; i < conf.parentretries; i++){
dup = *acentry;
res = handleredirect(param, &dup);
if(!res) break;
if(param->remsock != INVALID_SOCKET) param->srv->so._closesocket(param->sostate, param->remsock);
param->remsock = INVALID_SOCKET;
}
return res;
}
return acentry->action;
}
}
return 3;
}

1425
src/auth.c
View File

File diff suppressed because it is too large Load Diff

14
src/authradius.c
View File

@ -1,5 +1,5 @@
/*
3APA3A simpliest proxy server
3APA3A simplest proxy server
(c) 2000-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
please read License Agreement
@ -166,7 +166,7 @@ static int ntry = 0;
int nradservers = 0;
char radiussecret[64]="";
pthread_mutex_t rad_mutex;
_3proxy_mutex_t rad_mutex;
void md5_calc(unsigned char *output, unsigned char *input,
unsigned int inputlen);
@ -306,11 +306,7 @@ int radsend(struct clientparam * param, int auth, int stop){
int total_length;
int len;
int op;
#ifdef NOIPV6
struct sockaddr_in saremote;
#else
struct sockaddr_in6 saremote;
#endif
PROXYSOCKADDRTYPE saremote;
struct pollfd fds[1];
char vector[AUTH_VECTOR_LEN];
radius_packet_t packet, rpacket;
@ -331,11 +327,11 @@ int radsend(struct clientparam * param, int auth, int stop){
memset(&packet, 0, sizeof(packet));
pthread_mutex_lock(&rad_mutex);
_3proxy_mutex_lock(&rad_mutex);
if(auth)random_vector(packet.vector, param);
id = ((ntry++) & 0xff);
pthread_mutex_unlock(&rad_mutex);
_3proxy_mutex_unlock(&rad_mutex);
packet.code = auth?PW_AUTHENTICATION_REQUEST:PW_ACCOUNTING_REQUEST;
packet.id=id;

2
src/auto.c
View File

@ -1,5 +1,5 @@
/*
3APA3A simpliest proxy server
3APA3A simplest proxy server
(c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
please read License Agreement

97
src/common.c
View File

@ -1,5 +1,5 @@
/*
3APA3A simpliest proxy server
3APA3A simplest proxy server
(c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
please read License Agreement
@ -22,10 +22,15 @@ int randomizer = 1;
void daemonize(void){
if(fork() > 0) {
pid_t pid = fork();
if(pid > 0) {
usleep(SLEEPTIME);
_exit(0);
}
if(pid < 0) {
perror("fork()");
return;
}
setsid();
}
@ -33,36 +38,38 @@ int randomizer = 1;
unsigned char **stringtable = NULL;
#ifdef WITH_LINUX_FUTEX
int sys_futex(void *addr1, int op, int val1, struct timespec *timeout, void *addr2, int val3)
{
return syscall(SYS_futex, addr1, op, val1, timeout, addr2, val3);
}
int mutex_lock(int *val)
{
int c;
if ((c = __sync_val_compare_and_swap(val, 0, 1)) != 0)
do {
if(c == 2 || __sync_val_compare_and_swap(val, 1, 2) != 0)
sys_futex(val, FUTEX_WAIT_PRIVATE, 2, NULL, NULL, 0);
} while ((c = __sync_val_compare_and_swap(val, 0, 2)) != 0);
return 0;
}
int mutex_unlock(int *val)
{
if(__sync_fetch_and_sub (val, 1) != 1){
*val = 0;
sys_futex(val, FUTEX_WAKE_PRIVATE, 1, NULL, NULL, 0);
}
return 0;
#ifdef WITH_UN
void make_un(const unsigned char *path, struct sockaddr_un * sun){
memset(sun, 0, sizeof(*sun));
sun->sun_family = AF_UNIX;
strncpy(sun->sun_path, (char *)path, sizeof(sun->sun_path) - 1);
if(*path == '@')*sun->sun_path = 0;
}
#endif
int myinet_ntop(int af, void *src, char *dst, socklen_t size){
#ifdef WITH_UN
if(af == AF_UNIX){
struct sockaddr_un *sun = (struct sockaddr_un *)src;
int ephemeral = 0;
char *path = sun->sun_path;
char *basename;
if(!path[0] && path[1]){
ephemeral = 1;
*dst++ = '@';
path++;
}
basename = strrchr(path, '/');
if(basename) basename++;
else basename = path;
if(size > 0){
strncpy(dst, basename, (size > 40) ? 40 : size - (ephemeral + 1));
dst[((size > 40) ? 40 : size - (ephemeral + 1))] = 0;
}
return (int)strlen(dst);
}
#endif
#ifndef NOIPV6
if(af != AF_INET6){
#endif
@ -108,7 +115,11 @@ int timeouts[12] = {
};
struct extparam conf = {
.threadinit = {0, 0},
#ifdef _WIN32
.threadinit = NULL,
#else
.threadinit = 0,
#endif
.timeouts = timeouts,
.acl = NULL,
.conffile = NULL,
@ -213,6 +224,7 @@ int
FD_ZERO(&writefd);
FD_ZERO(&oobfd);
for(i=0; i<nfds; i++){
if(fds[i].fd >= FD_SETSIZE) continue;
if((fds[i].events&POLLIN))FD_SET(fds[i].fd, &readfd);
if((fds[i].events&POLLOUT))FD_SET(fds[i].fd, &writefd);
if((fds[i].events&POLLPRI))FD_SET(fds[i].fd, &oobfd);
@ -221,6 +233,7 @@ int
}
if((num = select(((int)(maxfd))+1, &readfd, &writefd, &oobfd, &tv)) < 1) return num;
for(i=0; i<nfds; i++){
if(fds[i].fd >= FD_SETSIZE) continue;
if(FD_ISSET(fds[i].fd, &readfd)) fds[i].revents |= POLLIN;
if(FD_ISSET(fds[i].fd, &writefd)) fds[i].revents |= POLLOUT;
if(FD_ISSET(fds[i].fd, &oobfd)) fds[i].revents |= POLLPRI;
@ -524,14 +537,14 @@ int connectwithpoll(struct clientparam *param, SOCKET sock, struct sockaddr *sa,
fcntl(sock,F_SETFL, O_NONBLOCK | fcntl(sock,F_GETFL));
#endif
if(param?param->srv->so._connect(param->sostate, sock,sa,size) : so._connect(so.state, sock,sa,size)) {
if(errno != EAGAIN && errno != EINPROGRESS) return (13);
if(errno != EAGAIN && errno != EINPROGRESS) return 13;
}
if(!errno) return 0;
memset(fds, 0, sizeof(fds));
fds[0].fd = sock;
fds[0].events = POLLOUT;
if((param?param->srv->so._poll(param->sostate, fds, 1, to*1000):so._poll(so.state, fds, 1, to*1000)) <= 0 || !(fds[0].revents & POLLOUT) || (fds[0].revents & (POLLERR|POLLHUP))) {
return (13);
return 13;
}
return 0;
}
@ -561,8 +574,17 @@ int doconnect(struct clientparam * param){
memcpy(SAADDR(&param->sinsr), SAADDR(&param->req), SAADDRLEN(&param->req));
}
if(!*SAPORT(&param->sinsr))*SAPORT(&param->sinsr) = *SAPORT(&param->req);
if ((param->remsock=param->srv->so._socket(param->sostate, SASOCK(&param->sinsr), SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {return (11);}
if ((param->remsock=param->srv->so._socket(param->sostate, SASOCK(&param->sinsr), SOCK_STREAM,
#ifdef WITH_UN
*SAFAMILY(&param->sinsr) == AF_UNIX? 0 :
#endif
IPPROTO_TCP
)) == INVALID_SOCKET) {return (11);}
if(SAISNULL(&param->sinsl)){
#ifdef WITH_UN
if(*SAFAMILY(&param->sinsr) == AF_UNIX) param->sinsl = param->sinsr;
else
#endif
#ifndef NOIPV6
if(*SAFAMILY(&param->sinsr) == AF_INET6) param->sinsl = param->srv->extsa6;
else
@ -602,6 +624,9 @@ int doconnect(struct clientparam * param){
if(*SAFAMILY(&param->sinsl) == AF_INET6 && param->srv->so._setsockopt(param->sostate, param->remsock, IPPROTO_IPV6, IPV6_BOUND_IF, &idx, sizeof(idx))) return 12;
#endif
}
#endif
#ifdef WITH_UN
if(*SAFAMILY(&param->sinsl) != AF_UNIX)
#endif
if(param->srv->so._bind(param->sostate, param->remsock, (struct sockaddr*)&param->sinsl, SASIZE(&param->sinsl))==-1) {
return 12;
@ -637,7 +662,7 @@ int scanaddr(const unsigned char *s, uint32_t * ip, uint32_t * mask) {
RESOLVFUNC resolvfunc = NULL;
#ifndef _WIN32
pthread_mutex_t gethostbyname_mutex;
_3proxy_mutex_t gethostbyname_mutex;
int ghbn_init = 0;
#endif
@ -693,10 +718,10 @@ uint32_t getip(unsigned char *name){
#ifndef NOSTDRESOLVE
#if !defined(_WIN32) && !defined(GETHOSTBYNAME_R)
if(!ghbn_init){
pthread_mutex_init(&gethostbyname_mutex, NULL);
_3proxy_mutex_init(&gethostbyname_mutex);
ghbn_init++;
}
pthread_mutex_lock(&gethostbyname_mutex);
_3proxy_mutex_lock(&gethostbyname_mutex);
#endif
hp=gethostbyname((char *)name);
if (!hp && conf.demanddialprog) {
@ -705,7 +730,7 @@ uint32_t getip(unsigned char *name){
}
retval = hp?*(uint32_t *)hp->h_addr:0;
#if !defined(_WIN32) && !defined(GETHOSTBYNAME_R)
pthread_mutex_unlock(&gethostbyname_mutex);
_3proxy_mutex_unlock(&gethostbyname_mutex);
#endif
#ifdef GETHOSTBYNAME_R
#undef gethostbyname

254
src/conf.c
View File

@ -1,5 +1,5 @@
/*
3APA3A simpliest proxy server
3APA3A simplest proxy server
(c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
please read License Agreement
@ -20,12 +20,10 @@
#define DEFAULTCONFIG conf.stringtable[25]
#endif
pthread_mutex_t bandlim_mutex;
pthread_mutex_t connlim_mutex;
pthread_mutex_t tc_mutex;
pthread_mutex_t pwl_mutex;
pthread_mutex_t hash_mutex;
pthread_mutex_t config_mutex;
_3proxy_mutex_t bandlim_mutex;
_3proxy_mutex_t connlim_mutex;
_3proxy_mutex_t tc_mutex;
_3proxy_mutex_t config_mutex;
int haveerror = 0;
int linenum = 0;
@ -154,7 +152,6 @@ int start_proxy_thread(struct child * chp){
#ifdef _WIN32
HANDLE h;
#endif
char r[1];
#ifdef _WIN32
#ifndef _WINCE
@ -167,16 +164,15 @@ int start_proxy_thread(struct child * chp){
pthread_attr_init(&pa);
pthread_attr_setstacksize(&pa,PTHREAD_STACK_MIN + (32768+conf.stacksize));
pthread_attr_setdetachstate(&pa,PTHREAD_CREATE_DETACHED);
_3proxy_mutex_lock(&conf.threadinit);
pthread_create(&thread, &pa, startsrv, (void *)chp);
pthread_attr_destroy(&pa);
#endif
#ifdef _WIN32
ReadFile(conf.threadinit[0], r, 1, NULL, NULL);
WaitForSingleObject(conf.threadinit, INFINITE);
#else
while(read(conf.threadinit[0], r, 1) !=1) if(errno != EINTR) {
fprintf(stderr, "pipe failed\n");
return 40;
}
_3proxy_mutex_lock(&conf.threadinit);
_3proxy_mutex_unlock(&conf.threadinit);
#endif
if(haveerror) {
fprintf(stderr, "Service not started on line: %d%s\n", linenum, haveerror == 2? ": insufficient memory":"");
@ -197,7 +193,7 @@ static int h_proxy(int argc, unsigned char ** argv){
childdef.service = S_PROXY;
childdef.helpmessage = " -n - no NTLM support\n";
#ifdef NOIPV6
if(!resolvfunc || (resolvfunc == myresolver && !dns_table.hashsize)){
if(!resolvfunc || (resolvfunc == myresolver && !dns_table.poolsize)){
fprintf(stderr, "[line %d] Warning: no nserver/nscache configured, proxy may run very slow\n", linenum);
}
#endif
@ -230,7 +226,7 @@ static int h_proxy(int argc, unsigned char ** argv){
childdef.service = S_SOCKS;
childdef.helpmessage = " -n - no NTLM support\n";
#ifdef NOIPV6
if(!resolvfunc || (resolvfunc == myresolver && !dns_table.hashsize)){
if(!resolvfunc || (resolvfunc == myresolver && !dns_table.poolsize)){
fprintf(stderr, "[line %d] Warning: no nserver/nscache configured, socks may run very slow\n", linenum);
}
#endif
@ -276,7 +272,7 @@ static int h_proxy(int argc, unsigned char ** argv){
childdef.service = S_DNSPR;
childdef.helpmessage = " -s - simple DNS forwarding - do not use 3proxy resolver / name cache\n";
#ifndef NOIPV6
if(!resolvfunc || (resolvfunc == myresolver && !dns_table.hashsize) || resolvfunc == fakeresolver){
if(!resolvfunc || (resolvfunc == myresolver && !dns_table.poolsize) || resolvfunc == fakeresolver){
fprintf(stderr, "[line %d] Warning: no nserver/nscache configured, dnspr will not work as expected\n", linenum);
}
#endif
@ -285,6 +281,12 @@ static int h_proxy(int argc, unsigned char ** argv){
}
static int h_internal(int argc, unsigned char ** argv){
#ifdef WITH_UN
if(!strncmp((char *)argv[1], "unix:", 5)){
make_un(argv[1] +5, (struct sockaddr_un *)&conf.intsa);
}
else
#endif
getip46(46, argv[1], (struct sockaddr *)&conf.intsa);
return 0;
}
@ -292,7 +294,7 @@ static int h_internal(int argc, unsigned char ** argv){
static int h_external(int argc, unsigned char ** argv){
int res;
#ifndef NOIPV6
struct sockaddr_in6 sa6;
PROXYSOCKADDRTYPE sa6;
memset(&sa6, 0, sizeof(sa6));
res = getip46(46, argv[1], (struct sockaddr *)&sa6);
if(!res) return 1;
@ -335,10 +337,10 @@ static int h_log(int argc, unsigned char ** argv){
else if(*argv[1]=='&'){
conf.logfunc = logsql;
if(notchanged) return 0;
pthread_mutex_lock(&log_mutex);
_3proxy_mutex_lock(&log_mutex);
close_sql();
init_sql((char *)argv[1]+1);
pthread_mutex_unlock(&log_mutex);
_3proxy_mutex_unlock(&log_mutex);
}
#endif
#ifndef NORADIUS
@ -439,18 +441,6 @@ static int h_counter(int argc, unsigned char **argv){
fprintf(stderr, "Not a counter file %s, line %d\n", argv[1], linenum);
return 2;
}
#ifdef _TIME64_T_DEFINED
#ifdef _MAX__TIME64_T
#define MAX_COUNTER_TIME (_MAX__TIME64_T)
#elif defined (MAX__TIME64_T)
#define MAX_COUNTER_TIME (MAX__TIME64_T)
#else
#define MAX_COUNTER_TIME (0x793406fff)
#endif
#else
#define MAX_COUNTER_TIME ((sizeof(time_t)>4)?(time_t)0x793406fff:(time_t)0x7fffffff)
#endif
if(ch1.updated < 0 || ch1.updated >= MAX_COUNTER_TIME){
fprintf(stderr, "Invalid or corrupted counter file %s. Use countersutil utility to convert from older version\n", argv[1]);
return 3;
@ -526,44 +516,43 @@ static int h_auth(int argc, unsigned char **argv){
}
static int h_users(int argc, unsigned char **argv){
static char dummy;
int j;
unsigned char *arg;
struct passwords *pwl = NULL;
char *pw[2];
for (j = 1; j < argc; j++) {
if(!(pwl = myalloc(sizeof(struct passwords)))) {
return(21);
}
memset(pwl, 0, sizeof(struct passwords));
arg = (unsigned char *)strchr((char *)argv[j], ':');
if(!arg||!arg[1]||!arg[2]||arg[3]!=':') {
pwl->user = (unsigned char *)mystrdup((char *)argv[j]);
pwl->pwtype = SYS;
}
else {
if (!arg) continue;
*arg = 0;
pwl->user = (unsigned char *)mystrdup((char *)argv[j]);
pw[0] = (char *)argv[j];
if((arg[1] == 'C' && arg[2] == 'L' && (pwl->pwtype = CL)) ||
(arg[1] == 'C' && arg[2] == 'R' && (pwl->pwtype = CR)) ||
(arg[1] == 'N' && arg[2] == 'T' && (pwl->pwtype = NT)) ||
(arg[1] == 'L' && arg[2] == 'M' && (pwl->pwtype = LM))){
pwl->password = (unsigned char *)mystrdup((char *)arg+4);
if (arg[1] && arg[2] && arg[3] == ':') {
pw[1] = (char *)(arg + 4);
if (arg[1] == 'N' && arg[2] == 'T') {
if (!pwnt_table.ihashtable && inithashtable(&pwnt_table, 16, 32, 1048576))
return 3;
hashadd(&pwnt_table, pw, &dummy, MAX_COUNTER_TIME);
continue;
}
else {
pwl->password = (unsigned char *) mystrdup((char *)arg + 1);
pwl->pwtype = UN;
if (arg[1] == 'C' && arg[2] == 'R') {
if (!pwcr_table.ihashtable && inithashtable(&pwcr_table, 16, 32, 1048576))
return 3;
hashadd(&pwcr_table, pw[0], pw[1], MAX_COUNTER_TIME);
continue;
}
if(!pwl->password) return 3;
if (arg[1] == 'C' && arg[2] == 'L') {
/* fall through to CL handling below */
} else {
continue;
}
} else {
pw[1] = (char *)(arg + 1);
}
if(!pwl->user) return 21;
pthread_mutex_lock(&pwl_mutex);
pwl->next = conf.pwl;
conf.pwl = pwl;
pthread_mutex_unlock(&pwl_mutex);
if (!pw_table.ihashtable && inithashtable(&pw_table, 16, 32, 1048576))
return 3;
hashadd(&pw_table, pw, &dummy, MAX_COUNTER_TIME);
}
return 0;
}
@ -590,7 +579,7 @@ static int h_maxconn(int argc, unsigned char **argv){
static int h_backlog(int argc, unsigned char **argv){
conf.backlog = atoi((char *)argv[1]);
if(conf.maxchild < 0) {
if(conf.backlog < 0) {
return(1);
}
return 0;
@ -649,14 +638,14 @@ static int h_fakeresolve(int argc, unsigned char **argv){
}
static int h_nscache(int argc, unsigned char **argv){
int res;
unsigned res;
res = atoi((char *)argv[1]);
res = (unsigned)atoi((char *)argv[1]);
if(res < 256) {
fprintf(stderr, "Invalid NS cache size: %d\n", res);
return 1;
}
if(inithashtable(&dns_table, (unsigned)res)){
if(dns_table.growlimit != res && inithashtable(&dns_table, (res >> 2), (res >> 2), res)){
fprintf(stderr, "Failed to initialize NS cache\n");
return 2;
}
@ -672,14 +661,14 @@ static int h_parentretries(int argc, unsigned char **argv){
}
static int h_nscache6(int argc, unsigned char **argv){
int res;
unsigned res;
res = atoi((char *)argv[1]);
res = (unsigned)atoi((char *)argv[1]);
if(res < 256) {
fprintf(stderr, "Invalid NS cache size: %d\n", res);
return 1;
}
if(inithashtable(&dns6_table, (unsigned)res)){
if(dns6_table.growlimit != res &&inithashtable(&dns6_table, (res>>2), (res>>2), res)){
fprintf(stderr, "Failed to initialize NS cache\n");
return 2;
}
@ -687,11 +676,7 @@ static int h_nscache6(int argc, unsigned char **argv){
}
static int h_nsrecord(int argc, unsigned char **argv){
#ifndef NOIPV6
struct sockaddr_in6 sa;
#else
struct sockaddr_in sa;
#endif
PROXYSOCKADDRTYPE sa;
memset(&sa, 0, sizeof(sa));
if(!getip46(46, argv[2], (struct sockaddr *)&sa)) return 1;
@ -771,7 +756,7 @@ struct redirdesc redirs[] = {
static int h_parent(int argc, unsigned char **argv){
struct ace *acl = NULL;
struct chain *chains;
char * cidr;
char * cidr = NULL;
int i;
acl = conf.acl;
@ -790,23 +775,45 @@ static int h_parent(int argc, unsigned char **argv){
chains->weight = (unsigned)atoi((char *)argv[1]);
if(chains->weight == 0 || chains->weight >1000) {
fprintf(stderr, "Chaining error: bad chain weight %u line %d\n", chains->weight, linenum);
myfree(chains);
return(3);
}
for(i = 0; redirs[i].name ; i++){
if(!strcmp((char *)argv[2], redirs[i].name)) {
int len;
len = strlen(redirs[i].name);
if(!strncmp((char *)argv[2], redirs[i].name, len)
&& (argv[2][len] == 0 || (argv[2][len] == 's' && argv[2][len+1] == 0))
) {
chains->type = redirs[i].redir;
if(argv[2][len] == 's') chains->secure = 1;
break;
}
}
if(!redirs[i].name) {
fprintf(stderr, "Chaining error: bad chain type (%s)\n", argv[2]);
myfree(chains);
return(4);
}
#ifdef WITH_UN
if(!strncmp((char *)argv[3], "unix:", 5)){
make_un(argv[3] + 5, (struct sockaddr_un*)&chains->addr);
}
else {
#endif
cidr = strchr((char *)argv[3], '/');
if(cidr) *cidr = 0;
if(!getip46(46, argv[3], (struct sockaddr *)&chains->addr)) return (5);
if(!getip46(46, argv[3], (struct sockaddr *)&chains->addr)) {
myfree(chains);
return (5);
}
#ifdef WITH_UN
}
#endif
chains->exthost = (unsigned char *)mystrdup((char *)argv[3]);
if(!chains->exthost) return 21;
if(!chains->exthost) {
myfree(chains);
return 21;
}
if(cidr){
*cidr = '/';
chains->cidr = atoi(cidr + 1);
@ -842,11 +849,7 @@ static int h_nolog(int argc, unsigned char **argv){
}
int scanipl(unsigned char *arg, struct iplist *dst){
#ifndef NOIPV6
struct sockaddr_in6 sa;
#else
struct sockaddr_in sa;
#endif
PROXYSOCKADDRTYPE sa;
char * slash, *dash;
int masklen, addrlen;
int res;
@ -1223,7 +1226,10 @@ static int h_ace(int argc, unsigned char **argv){
}
memset(acl->chains, 0, sizeof(struct chain));
acl->chains->type = R_HTTP;
if(!getip46(46, argv[1], (struct sockaddr *)&acl->chains->addr)) return 5;
if(!getip46(46, argv[1], (struct sockaddr *)&acl->chains->addr)) {
freeacl(acl);
return 5;
}
*SAPORT(&acl->chains->addr) = htons((uint16_t)atoi((char *)argv[2]));
acl->chains->weight = 1000;
case ALLOW:
@ -1251,7 +1257,7 @@ static int h_ace(int argc, unsigned char **argv){
sscanf((char *)argv[1], "%u", &ncl->rate);
sscanf((char *)argv[2], "%u", &ncl->period);
}
pthread_mutex_lock(&connlim_mutex);
_3proxy_mutex_lock(&connlim_mutex);
if(!conf.connlimiter){
conf.connlimiter = ncl;
}
@ -1261,7 +1267,7 @@ static int h_ace(int argc, unsigned char **argv){
for(cli = conf.connlimiter; cli->next; cli = cli->next);
cli->next = ncl;
}
pthread_mutex_unlock(&connlim_mutex);
_3proxy_mutex_unlock(&connlim_mutex);
break;
case BANDLIM:
@ -1283,7 +1289,7 @@ static int h_ace(int argc, unsigned char **argv){
return(4);
}
}
pthread_mutex_lock(&bandlim_mutex);
_3proxy_mutex_lock(&bandlim_mutex);
if(!strcmp((char *)argv[0], "bandlimin") || !strcmp((char *)argv[0], "nobandlimin")){
if(!conf.bandlimiter){
conf.bandlimiter = nbl;
@ -1307,7 +1313,7 @@ static int h_ace(int argc, unsigned char **argv){
}
}
conf.bandlimver++;
pthread_mutex_unlock(&bandlim_mutex);
_3proxy_mutex_unlock(&bandlim_mutex);
break;
case COUNTIN:
@ -1359,7 +1365,7 @@ static int h_ace(int argc, unsigned char **argv){
}
}
}
pthread_mutex_lock(&tc_mutex);
_3proxy_mutex_lock(&tc_mutex);
if(!conf.trafcounter){
conf.trafcounter = tl;
}
@ -1369,7 +1375,7 @@ static int h_ace(int argc, unsigned char **argv){
for(ntl = conf.trafcounter; ntl->next; ntl = ntl->next);
ntl->next = tl;
}
pthread_mutex_unlock(&tc_mutex);
_3proxy_mutex_unlock(&tc_mutex);
}
return 0;
@ -1397,21 +1403,6 @@ static int h_delimchar(int argc, unsigned char **argv){
static int h_radius(int argc, unsigned char **argv){
uint16_t port;
/*
int oldrad;
#ifdef NOIPV6
struct sockaddr_in bindaddr;
#else
struct sockaddr_in6 bindaddr;
#endif
oldrad = nradservers;
nradservers = 0;
for(; oldrad; oldrad--){
if(radiuslist[oldrad].logsock >= 0) so._closesocket(radiuslist[oldrad].logsock);
radiuslist[oldrad].logsock = -1;
}
*/
memset(radiuslist, 0, sizeof(radiuslist));
if(strlen((char *)argv[1]) > 63) argv[1][63] = 0;
strcpy(radiussecret, (char *)argv[1]);
@ -1422,21 +1413,18 @@ static int h_radius(int argc, unsigned char **argv){
s++;
}
if( !getip46(46, argv[nradservers + 2], (struct sockaddr *)&radiuslist[nradservers].authaddr)) return 1;
if( s && !getip46(46, (unsigned char *)s+1, (struct sockaddr *)&radiuslist[nradservers].localaddr)) return 2;
if( s && !getip46(46, (unsigned char *)s, (struct sockaddr *)&radiuslist[nradservers].localaddr)) return 2;
if(!*SAPORT(&radiuslist[nradservers].authaddr))*SAPORT(&radiuslist[nradservers].authaddr) = htons(1812);
port = ntohs(*SAPORT(&radiuslist[nradservers].authaddr));
radiuslist[nradservers].logaddr = radiuslist[nradservers].authaddr;
*SAPORT(&radiuslist[nradservers].logaddr) = htons(port+1);
/*
bindaddr = radiuslist[nradservers].localaddr;
if ((radiuslist[nradservers].logsock = so._socket(SASOCK(&radiuslist[nradservers].logaddr), SOCK_DGRAM, 0)) < 0) return 2;
if (so._bind(radiuslist[nradservers].logsock, (struct sockaddr *)&bindaddr, SASIZE(&bindaddr))) return 3;
*/
}
return 0;
}
#endif
static int h_authcache(int argc, unsigned char **argv){
int authcachesize = 0;
conf.authcachetype = 0;
if(strstr((char *) *(argv + 1), "ip")) conf.authcachetype |= 1;
if(strstr((char *) *(argv + 1), "user")) conf.authcachetype |= 2;
@ -1444,9 +1432,21 @@ static int h_authcache(int argc, unsigned char **argv){
if(strstr((char *) *(argv + 1), "limit")) conf.authcachetype |= 8;
if(strstr((char *) *(argv + 1), "acl")) conf.authcachetype |= 16;
if(strstr((char *) *(argv + 1), "ext")) conf.authcachetype |= 32;
if(strstr((char *) *(argv + 1), "dstaddr")) conf.authcachetype |= 64;
if(strstr((char *) *(argv + 1), "dstport")) conf.authcachetype |= 128;
if(strstr((char *) *(argv + 1), "dsthost")) conf.authcachetype |= 256;
if(strstr((char *) *(argv + 1), "dstoper")) conf.authcachetype |= 512;
if(strstr((char *) *(argv + 1), "srvaddr")) conf.authcachetype |= 1024;
if(strstr((char *) *(argv + 1), "srvport")) conf.authcachetype |= 2048;
if(argc > 2) conf.authcachetime = (unsigned) atoi((char *) *(argv + 2));
if(argc > 3) authcachesize = (unsigned) atoi((char *) *(argv + 3));
if(!conf.authcachetype) conf.authcachetype = 6;
if(!conf.authcachetime) conf.authcachetime = 600;
if(!authcachesize) authcachesize = 65536*4;
if(auth_table.growlimit != authcachesize && inithashtable(&auth_table, authcachesize < 1024? authcachesize:1024, authcachesize < 1024? authcachesize:1024, authcachesize)){
fprintf(stderr, "Failed to initialize auth cache\n");
return 2;
}
return 0;
}
@ -1653,7 +1653,7 @@ struct commands commandhandlers[]={
{commandhandlers+53, "filtermaxsize", h_filtermaxsize, 2, 2},
{commandhandlers+54, "nolog", h_nolog, 1, 1},
{commandhandlers+55, "weight", h_nolog, 2, 2},
{commandhandlers+56, "authcache", h_authcache, 2, 3},
{commandhandlers+56, "authcache", h_authcache, 2, 4},
{commandhandlers+57, "smtpp", h_proxy, 1, 0},
{commandhandlers+58, "delimchar",h_delimchar, 2, 2},
{commandhandlers+59, "authnserver", h_authnserver, 2, 2},
@ -1717,8 +1717,8 @@ int parsestr (unsigned char *str, unsigned char **argm, int nitems, unsigned cha
*str = 0;
space = 1;
if(incbegin){
argc--;
if((fd = open((char *)incbegin+1, O_RDONLY)) <= 0){
if(argc) argc--;
if((fd = open((char *)incbegin+1, O_RDONLY)) < 0){
fprintf(stderr, "Failed to open %s\n", incbegin+1);
return -1;
}
@ -1731,7 +1731,7 @@ int parsestr (unsigned char *str, unsigned char **argm, int nitems, unsigned cha
}
}
len = 0;
if(argm[argc]!=(incbegin+1)) {
if(argc > 0 && argm[argc]!=(incbegin+1)) {
len = (int)strlen((char *)argm[argc]);
memmove(buf+*inbuf, argm[argc], len);
}
@ -1807,7 +1807,11 @@ int readconfig(FILE * fp){
res = 1;
for(cm = commandhandlers; cm; cm = cm->next){
if(!strcmp((char *)argv[0], (char *)cm->command) && argc >= cm->minargs && (!cm->maxargs || argc <= cm->maxargs)){
if(!strcmp((char *)argv[0], (char *)cm->command)){
if(argc < cm->minargs || (cm->maxargs && argc > cm->maxargs)){
fprintf(stderr, "Command: '%s' wrong number of arguments , line %d\n", argv[0], linenum);
return(linenum);
}
res = (*cm->handler)(argc, argv);
if(res > 0){
fprintf(stderr, "Command: '%s' failed with code %d, line %d\n", argv[0], res, linenum);
@ -1841,7 +1845,6 @@ void freeconf(struct extparam *confp){
struct bandlim * blout;
struct connlim * cl;
struct trafcount * tc;
struct passwords *pw;
struct ace *acl;
struct filemon *fm;
int counterd, archiverc;
@ -1853,33 +1856,31 @@ void freeconf(struct extparam *confp){
pthread_mutex_lock(&tc_mutex);
_3proxy_mutex_lock(&tc_mutex);
confp->trafcountfunc = NULL;
tc = confp->trafcounter;
confp->trafcounter = NULL;
counterd = confp->counterd;
confp->counterd = -1;
confp->countertype = NONE;
pthread_mutex_unlock(&tc_mutex);
_3proxy_mutex_unlock(&tc_mutex);
pthread_mutex_lock(&bandlim_mutex);
_3proxy_mutex_lock(&bandlim_mutex);
bl = confp->bandlimiter;
blout = confp->bandlimiterout;
confp->bandlimiter = NULL;
confp->bandlimiterout = NULL;
confp->bandlimfunc = NULL;
confp->bandlimver++;
pthread_mutex_unlock(&bandlim_mutex);
pthread_mutex_lock(&connlim_mutex);
_3proxy_mutex_unlock(&bandlim_mutex);
_3proxy_mutex_lock(&connlim_mutex);
cl = confp->connlimiter;
confp->connlimiter = NULL;
pthread_mutex_unlock(&connlim_mutex);
pthread_mutex_lock(&pwl_mutex);
pw = confp->pwl;
confp->pwl = NULL;
pthread_mutex_unlock(&pwl_mutex);
_3proxy_mutex_unlock(&connlim_mutex);
destroyhashtable(&pw_table);
destroyhashtable(&pwnt_table);
destroyhashtable(&pwcr_table);
confp->logfunc = lognone;
logformat = confp->logformat;
@ -1924,7 +1925,6 @@ void freeconf(struct extparam *confp){
freeacl(acl);
freepwl(pw);
for(; bl; bl = (struct bandlim *) itfree(bl, bl->next)) freeacl(bl->ace);
for(; blout; blout = (struct bandlim *) itfree(blout, blout->next))freeacl(blout->ace);
for(; cl; cl = (struct connlim *) itfree(cl, cl->next)) freeacl(cl->ace);
@ -1949,7 +1949,7 @@ int reload (void){
FILE *fp;
int error = -2;
pthread_mutex_lock(&config_mutex);
_3proxy_mutex_lock(&config_mutex);
conf.paused++;
freeconf(&conf);
conf.paused++;
@ -1963,6 +1963,6 @@ int reload (void){
}
if(!writable)fclose(fp);
}
pthread_mutex_unlock(&config_mutex);
_3proxy_mutex_unlock(&config_mutex);
return error;
}

2
src/dnspr.c
View File

@ -1,5 +1,5 @@
/*
3APA3A simpliest proxy server
3APA3A simplest proxy server
(c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
please read License Agreement

2
src/ftppr.c
View File

@ -1,5 +1,5 @@
/*
3APA3A simpliest proxy server
3APA3A simplest proxy server
(c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
please read License Agreement

316
src/hash.c Normal file
View File

@ -0,0 +1,316 @@
#include "proxy.h"
struct hashentry {
time_t expires;
uint32_t inext;
char value[4];
};
static uint32_t hashindex(unsigned tablesize, const uint8_t* hash){
return (*(unsigned *)hash) % tablesize;
}
void destroyhashtable(struct hashtable *ht){
_3proxy_mutex_lock(&ht->hash_mutex);
if(ht->ihashtable){
myfree(ht->ihashtable);
ht->ihashtable = NULL;
}
if(ht->hashvalues){
myfree(ht->hashvalues);
ht->hashvalues = NULL;
}
if(ht->hashhashvalues){
myfree(ht->hashhashvalues);
ht->hashhashvalues = NULL;
}
ht->poolsize = 0;
ht->tablesize = 0;
ht->ihashempty = 0;
_3proxy_mutex_unlock(&ht->hash_mutex);
_3proxy_mutex_destroy(&ht->hash_mutex);
}
#define hvalue(ht,I) ((struct hashentry *)(ht->hashvalues + (I-1)*(sizeof(struct hashentry) + ht->recsize - 4)))
#define hhash(ht,I) ((ht->hashhashvalues + (I-1)*(ht->hash_size)))
int inithashtable(struct hashtable *ht, unsigned tablesize, unsigned poolsize, unsigned growlimit){
unsigned i;
clock_t c;
#ifdef _WIN32
struct timeb tb;
ftime(&tb);
#else
struct timeval tb;
struct timezone tz;
gettimeofday(&tb, &tz);
#endif
c = clock();
if(tablesize < 2 || poolsize < tablesize || growlimit < poolsize) return 1;
if(ht->ihashtable){
_3proxy_mutex_lock(&ht->hash_mutex);
if(ht->ihashtable){
myfree(ht->ihashtable);
ht->ihashtable = NULL;
}
if(ht->hashvalues){
myfree(ht->hashvalues);
ht->hashvalues = NULL;
}
if(ht->hashhashvalues){
myfree(ht->hashhashvalues);
ht->hashhashvalues = NULL;
}
ht->poolsize = 0;
ht->tablesize = 0;
}
else {
_3proxy_mutex_init(&ht->hash_mutex);
_3proxy_mutex_lock(&ht->hash_mutex);
}
if(!(ht->ihashtable = myalloc(tablesize * sizeof(uint32_t)))
|| !(ht->hashvalues = myalloc(poolsize * (sizeof(struct hashentry) + ht->recsize - 4)))
|| !(ht->hashhashvalues = myalloc(poolsize * ht->hash_size))
){
myfree(ht->ihashtable);
ht->ihashtable = NULL;
myfree(ht->hashvalues);
ht->hashvalues = NULL;
_3proxy_mutex_unlock(&ht->hash_mutex);
return 3;
}
ht->poolsize = poolsize;
ht->tablesize = tablesize;
ht->growlimit = growlimit;
memset(ht->ihashtable, 0, ht->tablesize * sizeof(uint32_t));
memset(ht->hashvalues, 0, ht->poolsize * (sizeof(struct hashentry) + ht->recsize - 4));
for(i = 1; i < ht->poolsize; i++) {
hvalue(ht,i)->inext = i+1;
}
ht->ihashempty = 1;
_3proxy_mutex_unlock(&ht->hash_mutex);
return 0;
}
static void hashcompact(struct hashtable *ht){
int i;
uint32_t he, *hep;
if((conf.time - ht->compacted) < 300 || !ht->tablesize || !ht->poolsize || ht->ihashempty) return;
for(i = 0; i < ht->tablesize; i++){
for(hep = ht->ihashtable + i; (he = *hep) != 0; ){
if(hvalue(ht,he)->expires < conf.time ) {
(*hep) = hvalue(ht,he)->inext;
hvalue(ht,he)->expires = 0;
hvalue(ht,he)->inext = ht->ihashempty;
ht->ihashempty = he;
}
else hep=&(hvalue(ht,he)->inext);
}
}
ht->compacted = conf.time;
if(ht->ihashempty) return;
}
static void hashgrow(struct hashtable *ht){
unsigned newsize = (ht->poolsize + (ht->poolsize >> 1));
unsigned i;
void * newvalues;
if(!ht->tablesize || !ht->poolsize) return;
if(ht->poolsize / ht->tablesize < 4) hashcompact(ht);
if(ht->ihashempty) return;
if(ht->poolsize >= ht->growlimit) return;
if(newsize > ht->growlimit) newsize = ht->growlimit;
newvalues = myrealloc(ht->hashvalues, newsize * (sizeof(struct hashentry) + ht->recsize - 4));
if(!newvalues) return;
ht->hashvalues = newvalues;
newvalues = myrealloc(ht->hashhashvalues, newsize * ht->hash_size);
if(!newvalues) return;
ht->hashhashvalues = newvalues;
memset(ht->hashvalues + (ht->poolsize * (sizeof(struct hashentry) + ht->recsize - 4)), 0, (newsize - ht->poolsize) * (sizeof(struct hashentry) + ht->recsize - 4));
for(i = ht->poolsize + 1; i < newsize; i++) {
hvalue(ht,i)->inext = i+1;
}
hvalue(ht,newsize)->inext = ht->ihashempty;
ht->ihashempty = ht->poolsize + 1;
ht->poolsize = newsize;
if (ht->poolsize / ht->tablesize > 10) {
unsigned newtablesize = ht->poolsize / 3;
uint32_t *newitable = myalloc(newtablesize * sizeof(uint32_t));
if (newitable) {
unsigned j;
memset(newitable, 0, newtablesize * sizeof(uint32_t));
for (j = 0; j < ht->tablesize; j++) {
uint32_t he = ht->ihashtable[j];
while (he) {
uint32_t next = hvalue(ht, he)->inext;
unsigned idx = hashindex(newtablesize, hhash(ht, he));
hvalue(ht, he)->inext = newitable[idx];
newitable[idx] = he;
he = next;
}
}
myfree(ht->ihashtable);
ht->ihashtable = newitable;
ht->tablesize = newtablesize;
}
}
}
void hashadd(struct hashtable *ht, void* name, void* value, time_t expires){
uint32_t hen, he;
uint32_t *hep;
int overwrite = 0;
uint8_t hash[MAX_HASH_SIZE];
uint32_t index;
uint32_t last = 0;
if(!ht||!value||!name||!ht->ihashtable) {
return;
}
ht->index2hash_add(ht, name, hash);
_3proxy_mutex_lock(&ht->hash_mutex);
index = hashindex(ht->tablesize, hash);
for(hep = ht->ihashtable + index; (he = *hep)!=0; ){
if(hvalue(ht,he)->expires < conf.time || !memcmp(hash, hhash(ht,he), ht->hash_size)) {
(*hep) = hvalue(ht,he)->inext;
hvalue(ht,he)->expires = 0;
hvalue(ht,he)->inext = ht->ihashempty;
ht->ihashempty = he;
}
else {
hep=&(hvalue(ht,he)->inext);
last = he;
}
}
if(!ht->ihashempty){
hashgrow(ht);
}
if(ht->ihashempty){
hen = ht->ihashempty;
ht->ihashempty = hvalue(ht,ht->ihashempty)->inext;
hvalue(ht,hen)->inext = ht->ihashtable[index];
ht->ihashtable[index] = hen;
}
else {
hen = last;
}
if(hen){
memcpy(hhash(ht,hen), hash, ht->hash_size);
memcpy(hvalue(ht,hen)->value, value, ht->recsize);
hvalue(ht,hen)->expires = expires;
}
_3proxy_mutex_unlock(&ht->hash_mutex);
}
int hashresolv(struct hashtable *ht, void* name, void* value, uint32_t *ttl){
uint8_t hash[MAX_HASH_SIZE];
uint32_t *hep;
uint32_t he;
uint32_t index;
if(!ht || !ht->ihashtable || !name) {
return 0;
}
ht->index2hash_search(ht,name, hash);
_3proxy_mutex_lock(&ht->hash_mutex);
index = hashindex(ht->tablesize, hash);
for(hep = ht->ihashtable + index; (he = *hep)!=0; ){
if(hvalue(ht, he)->expires < conf.time) {
(*hep) = hvalue(ht,he)->inext;
hvalue(ht,he)->expires = 0;
hvalue(ht,he)->inext = ht->ihashempty;
ht->ihashempty = he;
}
else if(!memcmp(hash, hhash(ht,he), ht->hash_size)){
if(ttl) *ttl = (uint32_t)(hvalue(ht,he)->expires - conf.time);
memcpy(value, hvalue(ht,he)->value, ht->recsize);
_3proxy_mutex_unlock(&ht->hash_mutex);
return 1;
}
else hep=&(hvalue(ht,he)->inext);
}
_3proxy_mutex_unlock(&ht->hash_mutex);
return 0;
}
void hashdelete(struct hashtable *ht, void *name){
uint8_t hash[MAX_HASH_SIZE];
uint32_t *hep;
uint32_t he;
uint32_t index;
if(!ht || !ht->ihashtable || !name) {
return;
}
ht->index2hash_search(ht, name, hash);
_3proxy_mutex_lock(&ht->hash_mutex);
index = hashindex(ht->tablesize, hash);
for(hep = ht->ihashtable + index; (he = *hep) != 0; ){
if((hvalue(ht, he)->expires && hvalue(ht, he)->expires < conf.time) || !memcmp(hash, hhash(ht, he), ht->hash_size)) {
(*hep) = hvalue(ht, he)->inext;
hvalue(ht, he)->expires = 0;
hvalue(ht, he)->inext = ht->ihashempty;
ht->ihashempty = he;
}
else hep = &(hvalue(ht, he)->inext);
}
_3proxy_mutex_unlock(&ht->hash_mutex);
}
#define MURMUR_C1 0xcc9e2d51u
#define MURMUR_C2 0x1b873593u
uint32_t murmurhash3(const void *key, int len, uint32_t seed) {
const uint8_t *data = (const uint8_t *)key;
const int nblocks = len / 4;
uint32_t h = seed;
int i;
const uint32_t *blocks = (const uint32_t *)(data);
const uint8_t *tail = data + nblocks * 4;
uint32_t k;
for (i = 0; i < nblocks; i++) {
memcpy(&k, blocks + i, sizeof(k));
k *= MURMUR_C1;
k = (k << 15) | (k >> 17);
k *= MURMUR_C2;
h ^= k;
h = (h << 13) | (h >> 19);
h = h * 5 + 0xe6546b64u;
}
k = 0;
switch (len & 3) {
case 3: k ^= (uint32_t)tail[2] << 16; /* fall through */
case 2: k ^= (uint32_t)tail[1] << 8; /* fall through */
case 1: k ^= (uint32_t)tail[0];
k *= MURMUR_C1;
k = (k << 15) | (k >> 17);
k *= MURMUR_C2;
h ^= k;
}
h ^= (uint32_t)len;
h ^= h >> 16;
h *= 0x85ebca6bu;
h ^= h >> 13;
h *= 0xc2b2ae35u;
h ^= h >> 16;
return h;
}

99
src/hashtables.c Normal file
View File

@ -0,0 +1,99 @@
#include "proxy.h"
#include "libs/blake2.h"
static void char_index2hash(const struct hashtable *ht, void *index, uint8_t *hash){
char* name = index;
blake2b(hash, ht->hash_size, index, strlen((const char*)index), NULL, 0);
}
static void param2hash_add(const struct hashtable *ht, void *index, uint8_t *hash){
blake2b_state S;
struct clientparam *param = (struct clientparam *)index;
unsigned type = param->srv->authcachetype;
blake2b_init(&S, ht->hash_size);
if((type & 2) && param->username)blake2b_update(&S, param->username, strlen((const char *)param->username) + 1);
if((type & 4) && param->password)blake2b_update(&S, param->password, strlen((const char *)param->password) + 1);
if((type & 1) && !(type & 8))blake2b_update(&S, SAADDR(&param->sincr), SAADDRLEN(&param->sincr));
if((type & 16))blake2b_update(&S, &param->srv->acl, sizeof(param->srv->acl));
if((type & 64))blake2b_update(&S, SAADDR(&param->req), SAADDRLEN(&param->req));
if((type & 128))blake2b_update(&S, SAPORT(&param->req), 2);
if((type & 256) && param->hostname)blake2b_update(&S, param->hostname, strlen((const char *)param->hostname) + 1);
if((type & 512))blake2b_update(&S, &param->operation, sizeof(param->operation));
if((type & 1024))blake2b_update(&S, SAADDR(&param->srv->intsa), SAADDRLEN(&param->srv->intsa));
if((type & 2048))blake2b_update(&S, SAPORT(&param->srv->intsa), 2);
blake2b_final(&S, hash, ht->hash_size);
memcpy(param->hash, hash, ht->hash_size);
}
void param2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){
struct clientparam *param = (struct clientparam *)index;
memcpy(hash, param->hash, ht->hash_size);
}
static void user2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){
struct clientparam *param = (struct clientparam *)index;
blake2b(hash, ht->hash_size, param->username, strlen((const char *)param->username), NULL, 0);
}
static void udpparam2hash(const struct hashtable *ht, void *index, uint8_t *hash){
struct clientparam *param = (struct clientparam *)index;
blake2b_state S;
blake2b_init(&S, ht->hash_size);
blake2b_update(&S, SAADDR(&param->srv->intsa), SAADDRLEN(&param->srv->intsa));
blake2b_update(&S, SAPORT(&param->srv->intsa), 2);
blake2b_update(&S, SAADDR(&param->sincr), SAADDRLEN(&param->sincr));
blake2b_update(&S, SAPORT(&param->sincr), 2);
blake2b_final(&S, hash, ht->hash_size);
}
static void pw2hash_add(const struct hashtable *ht, void *index, uint8_t *hash){
char ** pw = (char **)index;
blake2b_state S;
blake2b_init(&S, ht->hash_size);
if(pw[0])blake2b_update(&S, pw[0], strlen(pw[0]) + 1);
if(pw[1])blake2b_update(&S, pw[1], strlen(pw[1]) + 1);
blake2b_final(&S, hash, ht->hash_size);
}
static void pw2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){
struct clientparam *param = (struct clientparam *)index;
char *pw[2] = {(char *)param->username, (char *)param->password};
pw2hash_add(ht, pw, hash);
}
static void pwnt2hash_add(const struct hashtable *ht, void *index, uint8_t *hash){
char ** pw = (char **)index;
blake2b_state S;
blake2b_init(&S, ht->hash_size);
if(pw[0])blake2b_update(&S, pw[0], strlen(pw[0]) + 1);
if(pw[1])blake2b_update(&S, pw[1], strlen(pw[1]) + 1);
blake2b_final(&S, hash, ht->hash_size);
}
static void pwnt2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){
struct clientparam *param = (struct clientparam *)index;
unsigned char pass[40];
char *pw[2] = {(char *)param->username, (char *)pass};
ntpwdhash(pass, param->password, 1);
pwnt2hash_add(ht, pw, hash);
}
struct hashtable dns_table = {char_index2hash, char_index2hash, 4, 12};
struct hashtable dns6_table = {char_index2hash, char_index2hash, 16, 12};
struct hashtable auth_table = {param2hash_add, param2hash_search, sizeof(struct authcache), 12};
struct hashtable pw_table = {pw2hash_add, pw2hash_search, 0, 12};
struct hashtable pwnt_table = {pwnt2hash_add, pwnt2hash_search, 0, 12};
struct hashtable pwcr_table = {char_index2hash, user2hash_search, 64, 12};

160
src/libs/blake2-impl.h Normal file
View File

@ -0,0 +1,160 @@
/*
BLAKE2 reference source code package - reference C implementations
Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. You may use this under the
terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at
your option. The terms of these licenses can be found at:
- CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
- OpenSSL license : https://www.openssl.org/source/license.html
- Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0
More information about the BLAKE2 hash function can be found at
https://blake2.net.
*/
#ifndef BLAKE2_IMPL_H
#define BLAKE2_IMPL_H
#include <stdint.h>
#include <string.h>
#if !defined(__cplusplus) && (!defined(__STDC_VERSION__) || __STDC_VERSION__ < 199901L)
#if defined(_MSC_VER)
#define BLAKE2_INLINE __inline
#elif defined(__GNUC__)
#define BLAKE2_INLINE __inline__
#else
#define BLAKE2_INLINE
#endif
#else
#define BLAKE2_INLINE inline
#endif
static BLAKE2_INLINE uint32_t load32( const void *src )
{
#if defined(NATIVE_LITTLE_ENDIAN)
uint32_t w;
memcpy(&w, src, sizeof w);
return w;
#else
const uint8_t *p = ( const uint8_t * )src;
return (( uint32_t )( p[0] ) << 0) |
(( uint32_t )( p[1] ) << 8) |
(( uint32_t )( p[2] ) << 16) |
(( uint32_t )( p[3] ) << 24) ;
#endif
}
static BLAKE2_INLINE uint64_t load64( const void *src )
{
#if defined(NATIVE_LITTLE_ENDIAN)
uint64_t w;
memcpy(&w, src, sizeof w);
return w;
#else
const uint8_t *p = ( const uint8_t * )src;
return (( uint64_t )( p[0] ) << 0) |
(( uint64_t )( p[1] ) << 8) |
(( uint64_t )( p[2] ) << 16) |
(( uint64_t )( p[3] ) << 24) |
(( uint64_t )( p[4] ) << 32) |
(( uint64_t )( p[5] ) << 40) |
(( uint64_t )( p[6] ) << 48) |
(( uint64_t )( p[7] ) << 56) ;
#endif
}
static BLAKE2_INLINE uint16_t load16( const void *src )
{
#if defined(NATIVE_LITTLE_ENDIAN)
uint16_t w;
memcpy(&w, src, sizeof w);
return w;
#else
const uint8_t *p = ( const uint8_t * )src;
return ( uint16_t )((( uint32_t )( p[0] ) << 0) |
(( uint32_t )( p[1] ) << 8));
#endif
}
static BLAKE2_INLINE void store16( void *dst, uint16_t w )
{
#if defined(NATIVE_LITTLE_ENDIAN)
memcpy(dst, &w, sizeof w);
#else
uint8_t *p = ( uint8_t * )dst;
*p++ = ( uint8_t )w; w >>= 8;
*p++ = ( uint8_t )w;
#endif
}
static BLAKE2_INLINE void store32( void *dst, uint32_t w )
{
#if defined(NATIVE_LITTLE_ENDIAN)
memcpy(dst, &w, sizeof w);
#else
uint8_t *p = ( uint8_t * )dst;
p[0] = (uint8_t)(w >> 0);
p[1] = (uint8_t)(w >> 8);
p[2] = (uint8_t)(w >> 16);
p[3] = (uint8_t)(w >> 24);
#endif
}
static BLAKE2_INLINE void store64( void *dst, uint64_t w )
{
#if defined(NATIVE_LITTLE_ENDIAN)
memcpy(dst, &w, sizeof w);
#else
uint8_t *p = ( uint8_t * )dst;
p[0] = (uint8_t)(w >> 0);
p[1] = (uint8_t)(w >> 8);
p[2] = (uint8_t)(w >> 16);
p[3] = (uint8_t)(w >> 24);
p[4] = (uint8_t)(w >> 32);
p[5] = (uint8_t)(w >> 40);
p[6] = (uint8_t)(w >> 48);
p[7] = (uint8_t)(w >> 56);
#endif
}
static BLAKE2_INLINE uint64_t load48( const void *src )
{
const uint8_t *p = ( const uint8_t * )src;
return (( uint64_t )( p[0] ) << 0) |
(( uint64_t )( p[1] ) << 8) |
(( uint64_t )( p[2] ) << 16) |
(( uint64_t )( p[3] ) << 24) |
(( uint64_t )( p[4] ) << 32) |
(( uint64_t )( p[5] ) << 40) ;
}
static BLAKE2_INLINE void store48( void *dst, uint64_t w )
{
uint8_t *p = ( uint8_t * )dst;
p[0] = (uint8_t)(w >> 0);
p[1] = (uint8_t)(w >> 8);
p[2] = (uint8_t)(w >> 16);
p[3] = (uint8_t)(w >> 24);
p[4] = (uint8_t)(w >> 32);
p[5] = (uint8_t)(w >> 40);
}
static BLAKE2_INLINE uint32_t rotr32( const uint32_t w, const unsigned c )
{
return ( w >> c ) | ( w << ( 32 - c ) );
}
static BLAKE2_INLINE uint64_t rotr64( const uint64_t w, const unsigned c )
{
return ( w >> c ) | ( w << ( 64 - c ) );
}
/* prevents compiler optimizing out memset() */
static BLAKE2_INLINE void secure_zero_memory(void *v, size_t n)
{
static void *(*const volatile memset_v)(void *, int, size_t) = &memset;
memset_v(v, 0, n);
}
#endif

197
src/libs/blake2.h Normal file
View File

@ -0,0 +1,197 @@
/*
BLAKE2 reference source code package - reference C implementations
Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. You may use this under the
terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at
your option. The terms of these licenses can be found at:
- CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
- OpenSSL license : https://www.openssl.org/source/license.html
- Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0
More information about the BLAKE2 hash function can be found at
https://blake2.net.
*/
#ifndef BLAKE2_H
#define BLAKE2_H
#include <stddef.h>
#include <stdint.h>
#if defined(WATCOM)
#define BLAKE2_PACKED(x) _Packed x
#elif defined(_MSC_VER)
#define BLAKE2_PACKED(x) __pragma(pack(push, 1)) x __pragma(pack(pop))
#else
#define BLAKE2_PACKED(x) x __attribute__((packed))
#endif
#if defined(__cplusplus)
extern "C" {
#endif
enum blake2s_constant
{
BLAKE2S_BLOCKBYTES = 64,
BLAKE2S_OUTBYTES = 32,
BLAKE2S_KEYBYTES = 32,
BLAKE2S_SALTBYTES = 8,
BLAKE2S_PERSONALBYTES = 8
};
enum blake2b_constant
{
BLAKE2B_BLOCKBYTES = 128,
BLAKE2B_OUTBYTES = 64,
BLAKE2B_KEYBYTES = 64,
BLAKE2B_SALTBYTES = 16,
BLAKE2B_PERSONALBYTES = 16
};
typedef struct blake2s_state__
{
uint32_t h[8];
uint32_t t[2];
uint32_t f[2];
uint8_t buf[BLAKE2S_BLOCKBYTES];
size_t buflen;
size_t outlen;
uint8_t last_node;
} blake2s_state;
typedef struct blake2b_state__
{
uint64_t h[8];
uint64_t t[2];
uint64_t f[2];
uint8_t buf[BLAKE2B_BLOCKBYTES];
size_t buflen;
size_t outlen;
uint8_t last_node;
} blake2b_state;
typedef struct blake2sp_state__
{
blake2s_state S[8][1];
blake2s_state R[1];
uint8_t buf[8 * BLAKE2S_BLOCKBYTES];
size_t buflen;
size_t outlen;
} blake2sp_state;
typedef struct blake2bp_state__
{
blake2b_state S[4][1];
blake2b_state R[1];
uint8_t buf[4 * BLAKE2B_BLOCKBYTES];
size_t buflen;
size_t outlen;
} blake2bp_state;
BLAKE2_PACKED(struct blake2s_param__
{
uint8_t digest_length; /* 1 */
uint8_t key_length; /* 2 */
uint8_t fanout; /* 3 */
uint8_t depth; /* 4 */
uint32_t leaf_length; /* 8 */
uint32_t node_offset; /* 12 */
uint16_t xof_length; /* 14 */
uint8_t node_depth; /* 15 */
uint8_t inner_length; /* 16 */
/* uint8_t reserved[0]; */
uint8_t salt[BLAKE2S_SALTBYTES]; /* 24 */
uint8_t personal[BLAKE2S_PERSONALBYTES]; /* 32 */
});
typedef struct blake2s_param__ blake2s_param;
BLAKE2_PACKED(struct blake2b_param__
{
uint8_t digest_length; /* 1 */
uint8_t key_length; /* 2 */
uint8_t fanout; /* 3 */
uint8_t depth; /* 4 */
uint32_t leaf_length; /* 8 */
uint32_t node_offset; /* 12 */
uint32_t xof_length; /* 16 */
uint8_t node_depth; /* 17 */
uint8_t inner_length; /* 18 */
uint8_t reserved[14]; /* 32 */
uint8_t salt[BLAKE2B_SALTBYTES]; /* 48 */
uint8_t personal[BLAKE2B_PERSONALBYTES]; /* 64 */
});
typedef struct blake2b_param__ blake2b_param;
typedef struct blake2xs_state__
{
blake2s_state S[1];
blake2s_param P[1];
} blake2xs_state;
typedef struct blake2xb_state__
{
blake2b_state S[1];
blake2b_param P[1];
} blake2xb_state;
/* Padded structs result in a compile-time error */
enum {
BLAKE2_DUMMY_1 = 1/(int)(sizeof(blake2s_param) == BLAKE2S_OUTBYTES),
BLAKE2_DUMMY_2 = 1/(int)(sizeof(blake2b_param) == BLAKE2B_OUTBYTES)
};
/* Streaming API */
int blake2s_init( blake2s_state *S, size_t outlen );
int blake2s_init_key( blake2s_state *S, size_t outlen, const void *key, size_t keylen );
int blake2s_init_param( blake2s_state *S, const blake2s_param *P );
int blake2s_update( blake2s_state *S, const void *in, size_t inlen );
int blake2s_final( blake2s_state *S, void *out, size_t outlen );
int blake2b_init( blake2b_state *S, size_t outlen );
int blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen );
int blake2b_init_param( blake2b_state *S, const blake2b_param *P );
int blake2b_update( blake2b_state *S, const void *in, size_t inlen );
int blake2b_final( blake2b_state *S, void *out, size_t outlen );
int blake2sp_init( blake2sp_state *S, size_t outlen );
int blake2sp_init_key( blake2sp_state *S, size_t outlen, const void *key, size_t keylen );
int blake2sp_update( blake2sp_state *S, const void *in, size_t inlen );
int blake2sp_final( blake2sp_state *S, void *out, size_t outlen );
int blake2bp_init( blake2bp_state *S, size_t outlen );
int blake2bp_init_key( blake2bp_state *S, size_t outlen, const void *key, size_t keylen );
int blake2bp_update( blake2bp_state *S, const void *in, size_t inlen );
int blake2bp_final( blake2bp_state *S, void *out, size_t outlen );
/* Variable output length API */
int blake2xs_init( blake2xs_state *S, const size_t outlen );
int blake2xs_init_key( blake2xs_state *S, const size_t outlen, const void *key, size_t keylen );
int blake2xs_update( blake2xs_state *S, const void *in, size_t inlen );
int blake2xs_final(blake2xs_state *S, void *out, size_t outlen);
int blake2xb_init( blake2xb_state *S, const size_t outlen );
int blake2xb_init_key( blake2xb_state *S, const size_t outlen, const void *key, size_t keylen );
int blake2xb_update( blake2xb_state *S, const void *in, size_t inlen );
int blake2xb_final(blake2xb_state *S, void *out, size_t outlen);
/* Simple API */
int blake2s( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
int blake2b( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
int blake2sp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
int blake2bp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
int blake2xs( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
int blake2xb( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
/* This is simply an alias for blake2b */
int blake2( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
#if defined(__cplusplus)
}
#endif
#endif

379
src/libs/blake2b-ref.c Normal file
View File

@ -0,0 +1,379 @@
/*
BLAKE2 reference source code package - reference C implementations
Copyright 2012, Samuel Neves <sneves@dei.uc.pt>. You may use this under the
terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at
your option. The terms of these licenses can be found at:
- CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
- OpenSSL license : https://www.openssl.org/source/license.html
- Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0
More information about the BLAKE2 hash function can be found at
https://blake2.net.
*/
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include "blake2.h"
#include "blake2-impl.h"
static const uint64_t blake2b_IV[8] =
{
0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL,
0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL,
0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL
};
static const uint8_t blake2b_sigma[12][16] =
{
{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } ,
{ 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } ,
{ 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } ,
{ 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } ,
{ 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } ,
{ 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } ,
{ 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } ,
{ 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } ,
{ 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } ,
{ 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } ,
{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } ,
{ 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }
};
static void blake2b_set_lastnode( blake2b_state *S )
{
S->f[1] = (uint64_t)-1;
}
/* Some helper functions, not necessarily useful */
static int blake2b_is_lastblock( const blake2b_state *S )
{
return S->f[0] != 0;
}
static void blake2b_set_lastblock( blake2b_state *S )
{
if( S->last_node ) blake2b_set_lastnode( S );
S->f[0] = (uint64_t)-1;
}
static void blake2b_increment_counter( blake2b_state *S, const uint64_t inc )
{
S->t[0] += inc;
S->t[1] += ( S->t[0] < inc );
}
static void blake2b_init0( blake2b_state *S )
{
size_t i;
memset( S, 0, sizeof( blake2b_state ) );
for( i = 0; i < 8; ++i ) S->h[i] = blake2b_IV[i];
}
/* init xors IV with input parameter block */
int blake2b_init_param( blake2b_state *S, const blake2b_param *P )
{
const uint8_t *p = ( const uint8_t * )( P );
size_t i;
blake2b_init0( S );
/* IV XOR ParamBlock */
for( i = 0; i < 8; ++i )
S->h[i] ^= load64( p + sizeof( S->h[i] ) * i );
S->outlen = P->digest_length;
return 0;
}
int blake2b_init( blake2b_state *S, size_t outlen )
{
blake2b_param P[1];
if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return -1;
P->digest_length = (uint8_t)outlen;
P->key_length = 0;
P->fanout = 1;
P->depth = 1;
store32( &P->leaf_length, 0 );
store32( &P->node_offset, 0 );
store32( &P->xof_length, 0 );
P->node_depth = 0;
P->inner_length = 0;
memset( P->reserved, 0, sizeof( P->reserved ) );
memset( P->salt, 0, sizeof( P->salt ) );
memset( P->personal, 0, sizeof( P->personal ) );
return blake2b_init_param( S, P );
}
int blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen )
{
blake2b_param P[1];
if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return -1;
if ( !key || !keylen || keylen > BLAKE2B_KEYBYTES ) return -1;
P->digest_length = (uint8_t)outlen;
P->key_length = (uint8_t)keylen;
P->fanout = 1;
P->depth = 1;
store32( &P->leaf_length, 0 );
store32( &P->node_offset, 0 );
store32( &P->xof_length, 0 );
P->node_depth = 0;
P->inner_length = 0;
memset( P->reserved, 0, sizeof( P->reserved ) );
memset( P->salt, 0, sizeof( P->salt ) );
memset( P->personal, 0, sizeof( P->personal ) );
if( blake2b_init_param( S, P ) < 0 ) return -1;
{
uint8_t block[BLAKE2B_BLOCKBYTES];
memset( block, 0, BLAKE2B_BLOCKBYTES );
memcpy( block, key, keylen );
blake2b_update( S, block, BLAKE2B_BLOCKBYTES );
secure_zero_memory( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */
}
return 0;
}
#define G(r,i,a,b,c,d) \
do { \
a = a + b + m[blake2b_sigma[r][2*i+0]]; \
d = rotr64(d ^ a, 32); \
c = c + d; \
b = rotr64(b ^ c, 24); \
a = a + b + m[blake2b_sigma[r][2*i+1]]; \
d = rotr64(d ^ a, 16); \
c = c + d; \
b = rotr64(b ^ c, 63); \
} while(0)
#define ROUND(r) \
do { \
G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
G(r,2,v[ 2],v[ 6],v[10],v[14]); \
G(r,3,v[ 3],v[ 7],v[11],v[15]); \
G(r,4,v[ 0],v[ 5],v[10],v[15]); \
G(r,5,v[ 1],v[ 6],v[11],v[12]); \
G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
} while(0)
static void blake2b_compress( blake2b_state *S, const uint8_t block[BLAKE2B_BLOCKBYTES] )
{
uint64_t m[16];
uint64_t v[16];
size_t i;
for( i = 0; i < 16; ++i ) {
m[i] = load64( block + i * sizeof( m[i] ) );
}
for( i = 0; i < 8; ++i ) {
v[i] = S->h[i];
}
v[ 8] = blake2b_IV[0];
v[ 9] = blake2b_IV[1];
v[10] = blake2b_IV[2];
v[11] = blake2b_IV[3];
v[12] = blake2b_IV[4] ^ S->t[0];
v[13] = blake2b_IV[5] ^ S->t[1];
v[14] = blake2b_IV[6] ^ S->f[0];
v[15] = blake2b_IV[7] ^ S->f[1];
ROUND( 0 );
ROUND( 1 );
ROUND( 2 );
ROUND( 3 );
ROUND( 4 );
ROUND( 5 );
ROUND( 6 );
ROUND( 7 );
ROUND( 8 );
ROUND( 9 );
ROUND( 10 );
ROUND( 11 );
for( i = 0; i < 8; ++i ) {
S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];
}
}
#undef G
#undef ROUND
int blake2b_update( blake2b_state *S, const void *pin, size_t inlen )
{
const unsigned char * in = (const unsigned char *)pin;
if( inlen > 0 )
{
size_t left = S->buflen;
size_t fill = BLAKE2B_BLOCKBYTES - left;
if( inlen > fill )
{
S->buflen = 0;
memcpy( S->buf + left, in, fill ); /* Fill buffer */
blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES );
blake2b_compress( S, S->buf ); /* Compress */
in += fill; inlen -= fill;
while(inlen > BLAKE2B_BLOCKBYTES) {
blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES);
blake2b_compress( S, in );
in += BLAKE2B_BLOCKBYTES;
inlen -= BLAKE2B_BLOCKBYTES;
}
}
memcpy( S->buf + S->buflen, in, inlen );
S->buflen += inlen;
}
return 0;
}
int blake2b_final( blake2b_state *S, void *out, size_t outlen )
{
uint8_t buffer[BLAKE2B_OUTBYTES] = {0};
size_t i;
if( out == NULL || outlen < S->outlen )
return -1;
if( blake2b_is_lastblock( S ) )
return -1;
blake2b_increment_counter( S, S->buflen );
blake2b_set_lastblock( S );
memset( S->buf + S->buflen, 0, BLAKE2B_BLOCKBYTES - S->buflen ); /* Padding */
blake2b_compress( S, S->buf );
for( i = 0; i < 8; ++i ) /* Output full hash to temp buffer */
store64( buffer + sizeof( S->h[i] ) * i, S->h[i] );
memcpy( out, buffer, S->outlen );
secure_zero_memory(buffer, sizeof(buffer));
return 0;
}
/* inlen, at least, should be uint64_t. Others can be size_t. */
int blake2b( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen )
{
blake2b_state S[1];
/* Verify parameters */
if ( NULL == in && inlen > 0 ) return -1;
if ( NULL == out ) return -1;
if( NULL == key && keylen > 0 ) return -1;
if( !outlen || outlen > BLAKE2B_OUTBYTES ) return -1;
if( keylen > BLAKE2B_KEYBYTES ) return -1;
if( keylen > 0 )
{
if( blake2b_init_key( S, outlen, key, keylen ) < 0 ) return -1;
}
else
{
if( blake2b_init( S, outlen ) < 0 ) return -1;
}
blake2b_update( S, ( const uint8_t * )in, inlen );
blake2b_final( S, out, outlen );
return 0;
}
int blake2( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ) {
return blake2b(out, outlen, in, inlen, key, keylen);
}
#if defined(SUPERCOP)
int crypto_hash( unsigned char *out, unsigned char *in, unsigned long long inlen )
{
return blake2b( out, BLAKE2B_OUTBYTES, in, inlen, NULL, 0 );
}
#endif
#if defined(BLAKE2B_SELFTEST)
#include <string.h>
#include "blake2-kat.h"
int main( void )
{
uint8_t key[BLAKE2B_KEYBYTES];
uint8_t buf[BLAKE2_KAT_LENGTH];
size_t i, step;
for( i = 0; i < BLAKE2B_KEYBYTES; ++i )
key[i] = ( uint8_t )i;
for( i = 0; i < BLAKE2_KAT_LENGTH; ++i )
buf[i] = ( uint8_t )i;
/* Test simple API */
for( i = 0; i < BLAKE2_KAT_LENGTH; ++i )
{
uint8_t hash[BLAKE2B_OUTBYTES];
blake2b( hash, BLAKE2B_OUTBYTES, buf, i, key, BLAKE2B_KEYBYTES );
if( 0 != memcmp( hash, blake2b_keyed_kat[i], BLAKE2B_OUTBYTES ) )
{
goto fail;
}
}
/* Test streaming API */
for(step = 1; step < BLAKE2B_BLOCKBYTES; ++step) {
for (i = 0; i < BLAKE2_KAT_LENGTH; ++i) {
uint8_t hash[BLAKE2B_OUTBYTES];
blake2b_state S;
uint8_t * p = buf;
size_t mlen = i;
int err = 0;
if( (err = blake2b_init_key(&S, BLAKE2B_OUTBYTES, key, BLAKE2B_KEYBYTES)) < 0 ) {
goto fail;
}
while (mlen >= step) {
if ( (err = blake2b_update(&S, p, step)) < 0 ) {
goto fail;
}
mlen -= step;
p += step;
}
if ( (err = blake2b_update(&S, p, mlen)) < 0) {
goto fail;
}
if ( (err = blake2b_final(&S, hash, BLAKE2B_OUTBYTES)) < 0) {
goto fail;
}
if (0 != memcmp(hash, blake2b_keyed_kat[i], BLAKE2B_OUTBYTES)) {
goto fail;
}
}
}
puts( "ok" );
return 0;
fail:
puts("error");
return -1;
}
#endif

204
src/limiter.c Normal file
View File

@ -0,0 +1,204 @@
/*
3APA3A simplest proxy server
(c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
please read License Agreement
*/
#include "proxy.h"
int startconnlims (struct clientparam *param){
struct connlim * ce;
time_t delta;
uint64_t rating;
int ret = 0;
param->connlim = 1;
_3proxy_mutex_lock(&connlim_mutex);
for(ce = conf.connlimiter; ce; ce = ce->next) {
if(ACLmatches(ce->ace, param)){
if(ce->ace->action == NOCONNLIM)break;
if(!ce->period){
if(ce->rate <= ce->rating) {
ret = 1;
break;
}
ce->rating++;
continue;
}
delta = conf.time - ce->basetime;
if(ce->period <= delta || ce->basetime > conf.time){
ce->basetime = conf.time;
ce->rating = 0x100000;
continue;
}
rating = delta? ((ce->rating * (ce->period - delta)) / ce->period) + 0x100000 : ce->rating + 0x100000;
if (rating > (ce->rate<<20)) {
ret = 2;
break;
}
ce->rating = rating;
ce->basetime = conf.time;
}
}
if(ret) {
struct connlim * cee;
for(cee = conf.connlimiter; cee != ce; cee = cee->next) {
if(ACLmatches(cee->ace, param) && !cee->period && cee->rating) {
cee->rating--;
}
}
param->connlim = 0;
}
_3proxy_mutex_unlock(&connlim_mutex);
return ret;
}
void stopconnlims (struct clientparam *param){
struct connlim * ce;
_3proxy_mutex_lock(&connlim_mutex);
for(ce = conf.connlimiter; ce; ce = ce->next) {
if(ACLmatches(ce->ace, param)){
if(ce->ace->action == NOCONNLIM)break;
if(!ce->period && ce->rating){
ce->rating--;
continue;
}
}
}
_3proxy_mutex_unlock(&connlim_mutex);
}
void initbandlims (struct clientparam *param){
struct bandlim * be;
int i;
param->bandlimfunc = NULL;
param->bandlims[0] = NULL;
param->bandlimsout[0] = NULL;
if(!conf.bandlimfunc || (!conf.bandlimiter && !conf.bandlimiterout)) return;
for(i=0, be = conf.bandlimiter; be && i<MAXBANDLIMS; be = be->next) {
if(ACLmatches(be->ace, param)){
if(be->ace->action == NOBANDLIM) {
break;
}
param->bandlims[i++] = be;
param->bandlimfunc = conf.bandlimfunc;
}
}
if(i<MAXBANDLIMS)param->bandlims[i] = NULL;
for(i=0, be = conf.bandlimiterout; be && i<MAXBANDLIMS; be = be->next) {
if(ACLmatches(be->ace, param)){
if(be->ace->action == NOBANDLIM) {
break;
}
param->bandlimsout[i++] = be;
param->bandlimfunc = conf.bandlimfunc;
}
}
if(i<MAXBANDLIMS)param->bandlimsout[i] = NULL;
param->bandlimver = conf.bandlimver;
}
unsigned bandlimitfunc(struct clientparam *param, unsigned nbytesin, unsigned nbytesout){
unsigned sleeptime = 0, nsleeptime;
time_t sec;
unsigned msec;
unsigned now;
int i;
#ifdef _WIN32
struct timeb tb;
ftime(&tb);
sec = (unsigned)tb.time;
msec = (unsigned)tb.millitm*1000;
#else
struct timeval tv;
gettimeofday(&tv, NULL);
sec = tv.tv_sec;
msec = tv.tv_usec;
#endif
if(!nbytesin && !nbytesout) return 0;
_3proxy_mutex_lock(&bandlim_mutex);
if(param->bandlimver != conf.bandlimver){
initbandlims(param);
param->bandlimver = conf.bandlimver;
}
for(i=0; nbytesin&& i<MAXBANDLIMS && param->bandlims[i]; i++){
if( !param->bandlims[i]->basetime ||
param->bandlims[i]->basetime > sec ||
param->bandlims[i]->basetime < (sec - 120)
)
{
param->bandlims[i]->basetime = sec;
param->bandlims[i]->nexttime = 0;
continue;
}
now = (unsigned)((sec - param->bandlims[i]->basetime) * 1000000) + msec;
nsleeptime = (param->bandlims[i]->nexttime > now)?
param->bandlims[i]->nexttime - now : 0;
sleeptime = (nsleeptime > sleeptime)? nsleeptime : sleeptime;
param->bandlims[i]->basetime = sec;
param->bandlims[i]->nexttime = msec + nsleeptime + (((uint64_t)nbytesin * 8 * 1000000) / param->bandlims[i]->rate);
}
for(i=0; nbytesout && i<MAXBANDLIMS && param->bandlimsout[i]; i++){
if( !param->bandlimsout[i]->basetime ||
param->bandlimsout[i]->basetime > sec ||
param->bandlimsout[i]->basetime < (sec - 120)
)
{
param->bandlimsout[i]->basetime = sec;
param->bandlimsout[i]->nexttime = 0;
continue;
}
now = (unsigned)((sec - param->bandlimsout[i]->basetime) * 1000000) + msec;
nsleeptime = (param->bandlimsout[i]->nexttime > now)?
param->bandlimsout[i]->nexttime - now : 0;
sleeptime = (nsleeptime > sleeptime)? nsleeptime : sleeptime;
param->bandlimsout[i]->basetime = sec;
param->bandlimsout[i]->nexttime = msec + nsleeptime + ((nbytesout > 512)? ((nbytesout+32)/64)*((64*8*1000000)/param->bandlimsout[i]->rate) : ((nbytesout+1)* (8*1000000))/param->bandlimsout[i]->rate);
}
_3proxy_mutex_unlock(&bandlim_mutex);
return sleeptime/1000;
}
void trafcountfunc(struct clientparam *param){
struct trafcount * tc;
int countout = 0;
_3proxy_mutex_lock(&tc_mutex);
for(tc = conf.trafcounter; tc; tc = tc->next) {
if(ACLmatches(tc->ace, param)){
if(tc->ace->action == NOCOUNTIN) {
countout = 1;
break;
}
if(tc->ace->action == NOCOUNTALL) break;
if(tc->ace->action != COUNTIN && tc->ace->action != COUNTALL) {
countout = 1;
continue;
}
tc->traf64 += param->statssrv64;
tc->updated = conf.time;
}
}
if(countout) for(tc = conf.trafcounter; tc; tc = tc->next) {
if(ACLmatches(tc->ace, param)){
if(tc->ace->action == NOCOUNTOUT || tc->ace->action == NOCOUNTALL) break;
if(tc->ace->action != COUNTOUT && tc->ace->action != COUNTALL ) {
continue;
}
tc->traf64 += param->statscli64;
tc->updated = conf.time;
}
}
_3proxy_mutex_unlock(&tc_mutex);
}

4
src/log.c
View File

@ -1,5 +1,5 @@
/*
3APA3A simpliest proxy server
3APA3A simplest proxy server
(c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
please read License Agreement
@ -10,7 +10,7 @@
#include "proxy.h"
pthread_mutex_t log_mutex;
_3proxy_mutex_t log_mutex;
int havelog = 0;

66
src/plugins.c
View File

@ -1,5 +1,5 @@
/*
3APA3A simpliest proxy server
3APA3A simplest proxy server
(c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
please read License Agreement
@ -11,8 +11,6 @@
unsigned bandlimitfunc(struct clientparam *param, unsigned nbytesin, unsigned nbytesout);
void trafcountfunc(struct clientparam *param);
int checkACL(struct clientparam * param);
void nametohash(const unsigned char * name, unsigned char *hash, unsigned char *rnd);
unsigned hashindex(struct hashtable *ht, const unsigned char* hash);
void decodeurl(unsigned char *s, int allowcr);
int parsestr (unsigned char *str, unsigned char **argm, int nitems, unsigned char ** buff, int *inbuf, int *bufsize);
struct ace * make_ace (int argc, unsigned char ** argv);
@ -45,38 +43,34 @@ struct symbol symbols[] = {
{symbols+18, "ipauth", (void *) ipauth},
{symbols+19, "strongauth", (void *) strongauth},
{symbols+20, "checkACL", (void *) checkACL},
{symbols+21, "nametohash", (void *) nametohash},
{symbols+22, "hashindex", (void *) hashindex},
{symbols+23, "nservers", (void *) nservers},
{symbols+24, "udpresolve", (void *) udpresolve},
{symbols+25, "bandlim_mutex", (void *) &bandlim_mutex},
{symbols+26, "tc_mutex", (void *) &tc_mutex},
{symbols+27, "hash_mutex", (void *) &hash_mutex},
{symbols+28, "pwl_mutex", (void *) &pwl_mutex},
{symbols+29, "linenum", (void *) &linenum},
{symbols+30, "proxy_stringtable", (void *) proxy_stringtable},
{symbols+31, "en64", (void *) en64},
{symbols+32, "de64", (void *) de64},
{symbols+33, "tohex", (void *) tohex},
{symbols+34, "fromhex", (void *) fromhex},
{symbols+35, "dnspr", (void *) dnsprchild},
{symbols+36, "pop3p", (void *) pop3pchild},
{symbols+37, "proxy", (void *) proxychild},
{symbols+38, "socks", (void *) sockschild},
{symbols+39, "tcppm", (void *) tcppmchild},
{symbols+40, "udppm", (void *) udppmchild},
{symbols+41, "admin", (void *) adminchild},
{symbols+42, "ftppr", (void *) ftpprchild},
{symbols+43, "smtpp", (void *) smtppchild},
{symbols+44, "auto", (void *) smtppchild},
{symbols+45, "tlspr", (void *) smtppchild},
{symbols+46, "authfuncs", (void *) &authfuncs},
{symbols+47, "commandhandlers", (void *) &commandhandlers},
{symbols+48, "decodeurl", (void *) decodeurl},
{symbols+49, "parsestr", (void *) parsestr},
{symbols+50, "make_ace", (void *) make_ace},
{symbols+51, "freeacl", (void *) freeacl},
{symbols+52, "handleredirect", (void *) handleredirect},
{symbols+21, "nservers", (void *) nservers},
{symbols+22, "udpresolve", (void *) udpresolve},
{symbols+23, "bandlim_mutex", (void *) &bandlim_mutex},
{symbols+24, "tc_mutex", (void *) &tc_mutex},
{symbols+25, "linenum", (void *) &linenum},
{symbols+26, "proxy_stringtable", (void *) proxy_stringtable},
{symbols+27, "en64", (void *) en64},
{symbols+28, "de64", (void *) de64},
{symbols+29, "tohex", (void *) tohex},
{symbols+30, "fromhex", (void *) fromhex},
{symbols+31, "dnspr", (void *) dnsprchild},
{symbols+32, "pop3p", (void *) pop3pchild},
{symbols+33, "proxy", (void *) proxychild},
{symbols+34, "socks", (void *) sockschild},
{symbols+35, "tcppm", (void *) tcppmchild},
{symbols+36, "udppm", (void *) udppmchild},
{symbols+37, "admin", (void *) adminchild},
{symbols+38, "ftppr", (void *) ftpprchild},
{symbols+39, "smtpp", (void *) smtppchild},
{symbols+40, "auto", (void *) smtppchild},
{symbols+41, "tlspr", (void *) smtppchild},
{symbols+42, "authfuncs", (void *) &authfuncs},
{symbols+43, "commandhandlers", (void *) &commandhandlers},
{symbols+44, "decodeurl", (void *) decodeurl},
{symbols+45, "parsestr", (void *) parsestr},
{symbols+46, "make_ace", (void *) make_ace},
{symbols+47, "freeacl", (void *) freeacl},
{symbols+48, "handleredirect", (void *) handleredirect},
{NULL, "", NULL}
};
@ -111,8 +105,6 @@ struct pluginlink pluginlink = {
ACLmatches,
alwaysauth,
checkACL,
nametohash,
hashindex,
en64,
de64,
tohex,

75
src/plugins/FilePlugin/FilePlugin.c
View File

@ -45,7 +45,7 @@ extern "C" {
static struct pluginlink * pl;
static pthread_mutex_t file_mutex;
static _3proxy_mutex_t file_mutex;
unsigned long preview = 0;
@ -207,7 +207,7 @@ static void closefiles(struct fp_stream *fps){
static int searchsocket(SOCKET s, struct fp_stream **pfps){
struct fp_stream *fps = NULL;
int ret = 0;
pthread_mutex_lock(&file_mutex);
_3proxy_mutex_lock(&file_mutex);
for(fps = fp_streams; fps; fps = fps->next){
if(fps->fpd.cp->clisock == s) {
ret = 1;
@ -222,7 +222,7 @@ static int searchsocket(SOCKET s, struct fp_stream **pfps){
break;
}
}
pthread_mutex_unlock(&file_mutex);
_3proxy_mutex_unlock(&file_mutex);
*pfps = fps;
return ret;
}
@ -235,7 +235,7 @@ static void freecallback(struct fp_stream * fps, struct fp_callback * fpc){
static void removefps(struct fp_stream * fps){
if(!fp_streams) return;
pthread_mutex_lock(&file_mutex);
_3proxy_mutex_lock(&file_mutex);
if(fp_streams == fps)fp_streams = fps->next;
else {
struct fp_stream *fps2;
@ -248,7 +248,7 @@ static void removefps(struct fp_stream * fps){
}
}
pthread_mutex_unlock(&file_mutex);
_3proxy_mutex_unlock(&file_mutex);
if(fps->callbacks){
freecallback(fps, fps->callbacks);
fps->callbacks = 0;
@ -287,7 +287,7 @@ void processcallbacks(struct fp_stream *fps, int what, char *msg, int size){
case GOT_SMTP_REQ:
case GOT_SMTP_DATA:
fps->state = FLUSH_DATA;
pl->socksend(fps->fpd.cp->sostate,fps->fpd.cp->clisock, fp_stringtable[1], (int)strlen(fp_stringtable[1]), pl->conf->timeouts[STRING_S]);
pl->socksend(fps->fpd.cp->sostate,fps->fpd.cp->clisock, (unsigned char *)fp_stringtable[1], (int)strlen((char *)fp_stringtable[1]), pl->conf->timeouts[STRING_S]);
fps->state = state;
break;
case GOT_HTTP_REQUEST:
@ -299,7 +299,7 @@ void processcallbacks(struct fp_stream *fps, int what, char *msg, int size){
case GOT_HTTP_SRVDATA:
if(!fps->serversent){
fps->state = FLUSH_DATA;
pl->socksend(fps->fpd.cp->sostate, fps->fpd.cp->clisock, fp_stringtable[0], (int)strlen(fp_stringtable[0]), pl->conf->timeouts[STRING_S]);
pl->socksend(fps->fpd.cp->sostate, fps->fpd.cp->clisock, (unsigned char *)fp_stringtable[0], (int)strlen((char *)fp_stringtable[0]), pl->conf->timeouts[STRING_S]);
fps->state = state;
}
break;
@ -307,7 +307,7 @@ void processcallbacks(struct fp_stream *fps, int what, char *msg, int size){
case GOT_FTP_REQ:
case GOT_FTP_SRVDATA:
fps->state = FLUSH_DATA;
pl->socksend(fps->fpd.cp->sostate, fps->fpd.cp->ctrlsock, fp_stringtable[1], (int)strlen(fp_stringtable[1]), pl->conf->timeouts[STRING_S]);
pl->socksend(fps->fpd.cp->sostate, fps->fpd.cp->ctrlsock, (unsigned char *)fp_stringtable[1], (int)strlen((char *)fp_stringtable[1]), pl->conf->timeouts[STRING_S]);
fps->state = state;
break;
default:
@ -359,7 +359,7 @@ static int copyfdtosock(struct fp_stream * fps, DIRECTION which, long len){
if(fps->serversent >= fps->srvhdrwritten){
sprintf(fps->buf, "%lx\r\n", len);
sendchunk = (int)strlen(fps->buf);
if(pl->socksend(fps->fpd.cp->sostate, fps->fpd.cp->clisock, fps->buf, sendchunk, pl->conf->timeouts[STRING_S]) != sendchunk){
if(pl->socksend(fps->fpd.cp->sostate, fps->fpd.cp->clisock, (unsigned char *)fps->buf, sendchunk, pl->conf->timeouts[STRING_S]) != sendchunk){
return -4;
}
}
@ -398,20 +398,24 @@ static int copyfdtosock(struct fp_stream * fps, DIRECTION which, long len){
#endif
return -3;
}
if(pl->socksend(fps->fpd.cp->sostate, sock, fps->buf, res, pl->conf->timeouts[STRING_S]) != res) {
if(pl->socksend(fps->fpd.cp->sostate, sock, (unsigned char *)fps->buf, res, pl->conf->timeouts[STRING_S]) != res) {
return -4;
}
len -= res;
}
if(sendchunk){
if(pl->socksend(fps->fpd.cp->sostate, sock, "\r\n", 2, pl->conf->timeouts[STRING_S]) != 2)
if(pl->socksend(fps->fpd.cp->sostate, sock, (unsigned char *)"\r\n", 2, pl->conf->timeouts[STRING_S]) != 2)
return -4;
}
fps->state = state;
return 0;
}
#ifdef _WIN32
static int WINAPI fp_poll(void *state, struct pollfd *fds, unsigned int nfds, int timeout){
#else
static int fp_poll(void *state, struct pollfd *fds, nfds_t nfds, int timeout){
#endif
struct fp_stream *fps = NULL;
int res;
unsigned i;
@ -458,7 +462,11 @@ static int WINAPI fp_poll(void *state, struct pollfd *fds, unsigned int nfds, in
return sso._poll(sso.state, fds, nfds, timeout);
}
static fp_ssize_t WINAPI fp_send(void *state, SOCKET s, const char *msg, fp_size_t len, int flags){
#ifdef _WIN32
static int WINAPI fp_send(void *state, SOCKET s, const char *msg, int len, int flags){
#else
static fp_ssize_t fp_send(void *state, SOCKET s, const void *msg, size_t len, int flags){
#endif
struct fp_stream *fps = NULL;
int res;
res = searchsocket(s, &fps);
@ -499,7 +507,7 @@ static fp_ssize_t WINAPI fp_send(void *state, SOCKET s, const char *msg, fp_size
int hasnonzero = 0, i;
for(i=0; i < len; i++){
char c = msg[i];
char c = ((char *)msg)[i];
if(c == '\r' || c == '\n') continue;
if((c<'0'|| c>'9') && (c<'A' || c>'F') && (c<'a' || c>'f')) {
@ -542,7 +550,12 @@ static fp_ssize_t WINAPI fp_send(void *state, SOCKET s, const char *msg, fp_size
}
return sso._send(sso.state, s, msg, len, flags);
}
static fp_ssize_t WINAPI fp_sendto(void *state, SOCKET s, const void *msg, int len, int flags, const struct sockaddr *to, fp_size_t tolen){
#ifdef _WIN32
static int WINAPI fp_sendto(void *state, SOCKET s, const char *msg, int len, int flags, const struct sockaddr *to, int tolen
#else
static fp_ssize_t fp_sendto(void *state, SOCKET s, const void *msg, fp_size_t len, int flags, const struct sockaddr *to, SASIZETYPE tolen
#endif
){
struct fp_stream *fps = NULL;
int res;
res = searchsocket(s, &fps);
@ -660,10 +673,20 @@ static fp_ssize_t WINAPI fp_sendto(void *state, SOCKET s, const void *msg, int l
}
return sso._sendto(sso.state, s, msg, len, flags, to, tolen);
}
static fp_ssize_t WINAPI fp_recv(void *state, SOCKET s, void *buf, fp_size_t len, int flags){
#ifdef _WIN32
static int WINAPI fp_recv(void *state, SOCKET s, char *buf, int len, int flags
#else
static fp_ssize_t fp_recv(void *state, SOCKET s, void *buf, fp_size_t len, int flags
#endif
){
return sso._recv(sso.state, s, buf, len, flags);
}
static fp_ssize_t WINAPI fp_recvfrom(void *state, SOCKET s, void * buf, fp_size_t len, int flags, struct sockaddr * from, fp_size_t * fromlen){
#ifdef _WIN32
static int WINAPI fp_recvfrom(void *state, SOCKET s, char *buf, int len, int flags, struct sockaddr * from, int * fromlen
#else
static fp_ssize_t fp_recvfrom(void *state, SOCKET s, void *buf, fp_size_t len, int flags, struct sockaddr * from, SASIZETYPE * fromlen
#endif
){
return sso._recvfrom(sso.state, s, buf, len, flags, from, fromlen);
}
static int WINAPI fp_shutdown(void *state, SOCKET s, int how){
@ -731,7 +754,7 @@ static int fp_registercallback (int what, int max_size, int preview_size, struct
fpc->max_size = max_size;
fpc->data = data;
fpc->callback = cb;
pthread_mutex_lock(&file_mutex);
_3proxy_mutex_lock(&file_mutex);
fps = addfps(cp);
if(fps){
fpc->next = fps->callbacks;
@ -740,7 +763,7 @@ static int fp_registercallback (int what, int max_size, int preview_size, struct
if(preview_size > fps->preview_size) fps->preview_size = preview_size;
}
else free(fpc);
pthread_mutex_unlock(&file_mutex);
_3proxy_mutex_unlock(&file_mutex);
return fps?1:0;
}
@ -754,9 +777,9 @@ static void * fp_open(void * idata, struct srvparam * param){
static FILTER_ACTION fp_client(void *fo, struct clientparam * param, void** fc){
pthread_mutex_lock(&file_mutex);
_3proxy_mutex_lock(&file_mutex);
(*fc) = (void *)addfps(param);
pthread_mutex_unlock(&file_mutex);
_3proxy_mutex_unlock(&file_mutex);
return CONTINUE;
}
@ -766,7 +789,7 @@ static FILTER_ACTION fp_request(void *fc, struct clientparam * param, unsigned c
closefiles(FC);
FC->state = 0;
}
processcallbacks(FC, FP_CALLONREQUEST, *buf_p + offset, *length_p - offset);
processcallbacks(FC, FP_CALLONREQUEST, (char *)*buf_p + offset, *length_p - offset);
if(FC->what &FP_REJECT) return REJECT;
FC->state = GOT_HTTP_REQUEST;
genpaths(FC);
@ -778,13 +801,13 @@ static FILTER_ACTION fp_request(void *fc, struct clientparam * param, unsigned c
static FILTER_ACTION fp_hcli(void *fc, struct clientparam * param, unsigned char ** buf_p, int * bufsize_p, int offset, int * length_p){
if(fc && param->service == S_SMTPP) {
processcallbacks(FC, FP_CALLONREQUEST, *buf_p + offset, *length_p - offset);
processcallbacks(FC, FP_CALLONREQUEST, (char *)*buf_p + offset, *length_p - offset);
if(FC->what & FP_REJECT) return REJECT;
if(!FC->state)genpaths(FC);
FC->state = GOT_SMTP_REQ;
}
if(fc && param->service == S_FTPPR) {
processcallbacks(FC, FP_CALLONREQUEST, *buf_p + offset, *length_p - offset);
processcallbacks(FC, FP_CALLONREQUEST, (char *)*buf_p + offset, *length_p - offset);
if(FC->what & FP_REJECT) return REJECT;
genpaths(FC);
FC->state = GOT_FTP_REQ;
@ -852,7 +875,7 @@ static int h_cachedir(int argc, unsigned char **argv){
char * dirp;
size_t len;
dirp = (argc > 1)? argv[1] : getenv("TEMP");
dirp = (argc > 1)? (char *)argv[1] : getenv("TEMP");
len = strlen(dirp);
if(!dirp || !len || len > 200 || strchr(dirp, '%')) {
fprintf(stderr, "FilePlugin: invalid directory path: %s\n", dirp);
@ -869,7 +892,7 @@ static int h_cachedir(int argc, unsigned char **argv){
}
static int h_preview(int argc, unsigned char **argv){
preview = atoi(argv[1]);
preview = atoi((char *)argv[1]);
return 0;
}
@ -890,7 +913,7 @@ static int file_loaded=0;
int argc, char** argv){
if(!file_loaded){
pthread_mutex_init(&file_mutex, NULL);
_3proxy_mutex_init(&file_mutex);
file_loaded = 1;
pl = pluginlink;
memcpy(&sso, pl->so, sizeof(struct sockfuncs));

12
src/plugins/PCREPlugin/pcre_plugin.c
View File

@ -21,7 +21,7 @@ extern "C" {
static struct pluginlink * pl;
static pthread_mutex_t pcre_mutex;
static _3proxy_mutex_t pcre_mutex;
static struct filter pcre_first_filter = {
@ -112,7 +112,7 @@ struct pcre_filter_data {
};
static void pcre_data_free(struct pcre_filter_data *pcrefd){
pthread_mutex_lock(&pcre_mutex);
_3proxy_mutex_lock(&pcre_mutex);
pcrefd->users--;
if(!pcrefd->users){
if(pcrefd->match_data) pcre2_match_data_free(pcrefd->match_data);
@ -121,7 +121,7 @@ static void pcre_data_free(struct pcre_filter_data *pcrefd){
if(pcrefd->replace) pl->freefunc(pcrefd->replace);
pl->freefunc(pcrefd);
}
pthread_mutex_unlock(&pcre_mutex);
_3proxy_mutex_unlock(&pcre_mutex);
}
@ -130,9 +130,9 @@ static void pcre_data_free(struct pcre_filter_data *pcrefd){
static void* pcre_filter_open(void * idata, struct srvparam * param){
#define pcrefd ((struct pcre_filter_data *)idata)
if(idata){
pthread_mutex_lock(&pcre_mutex);
_3proxy_mutex_lock(&pcre_mutex);
pcrefd->users++;
pthread_mutex_unlock(&pcre_mutex);
_3proxy_mutex_unlock(&pcre_mutex);
}
#undef pcrefd
return idata;
@ -517,7 +517,7 @@ PLUGINAPI int PLUGINCALL pcre_plugin (struct pluginlink * pluginlink,
pcre_options = 0;
if(!pcre_loaded){
pcre_loaded = 1;
pthread_mutex_init(&pcre_mutex, NULL);
_3proxy_mutex_init(&pcre_mutex);
regexp_symbols[2].next = pl->symbols.next;
pl->symbols.next = regexp_symbols;
pcre_commandhandlers[3].next = pl->commandhandlers->next;

8
src/plugins/PamAuth/pamauth.c
View File

@ -12,7 +12,7 @@ Kirill Lopuchov <lopuchov@mail.ru>
#include <security/pam_appl.h>
pthread_mutex_t pam_mutex;
_3proxy_mutex_t pam_mutex;
static int already_loaded = 0;
@ -89,7 +89,7 @@ static int pamfunc(struct clientparam *param)
/*start process auth */
conv.appdata_ptr = (char *) param->password;
pthread_mutex_lock(&pam_mutex);
_3proxy_mutex_lock(&pam_mutex);
if (!pamh)
{
retval = pam_start ((char *)service, (char *)param->username, &conv, &pamh);
@ -113,7 +113,7 @@ static int pamfunc(struct clientparam *param)
retval = pam_end (pamh, retval);
if (retval != PAM_SUCCESS)
{ pamh = NULL; }
pthread_mutex_unlock(&pam_mutex);
_3proxy_mutex_unlock(&pam_mutex);
return rc;
@ -140,7 +140,7 @@ PLUGINAPI int PLUGINCALL start(struct pluginlink * pluginlink, int argc, unsigne
already_loaded = 1;
pthread_mutex_init(&pam_mutex, NULL);
_3proxy_mutex_init(&pam_mutex);
pamauth.authenticate = pamfunc;
pamauth.authorize = pluginlink->checkACL;
pamauth.desc = "pam";

16
src/plugins/SSLPlugin/my_ssl.c
View File

@ -32,7 +32,7 @@ typedef struct _ssl_conn {
SSL *ssl;
} ssl_conn;
pthread_mutex_t ssl_file_mutex;
_3proxy_mutex_t ssl_file_mutex;
static char errbuf[256];
@ -229,15 +229,15 @@ void _ssl_cert_free(SSL_CERT cert)
/* This array will store all of the mutexes available to OpenSSL. */
static pthread_mutex_t *mutex_buf= NULL;
static _3proxy_mutex_t *mutex_buf= NULL;
static void locking_function(int mode, int n, const char * file, int line)
{
if (mode & CRYPTO_LOCK)
pthread_mutex_lock(mutex_buf + n);
_3proxy_mutex_lock(mutex_buf + n);
else
pthread_mutex_unlock(mutex_buf + n);
_3proxy_mutex_unlock(mutex_buf + n);
}
static unsigned long id_function(void)
@ -253,11 +253,11 @@ int thread_setup(void)
{
int i;
mutex_buf = malloc(CRYPTO_num_locks( ) * sizeof(pthread_mutex_t));
mutex_buf = malloc(CRYPTO_num_locks( ) * sizeof(_3proxy_mutex_t));
if (!mutex_buf)
return 0;
for (i = 0; i < CRYPTO_num_locks( ); i++)
pthread_mutex_init(mutex_buf +i, NULL);
_3proxy_mutex_init(mutex_buf +i);
CRYPTO_set_id_callback(id_function);
CRYPTO_set_locking_callback(locking_function);
return 1;
@ -272,7 +272,7 @@ int thread_cleanup(void)
CRYPTO_set_id_callback(NULL);
CRYPTO_set_locking_callback(NULL);
for (i = 0; i < CRYPTO_num_locks( ); i++)
pthread_mutex_destroy(mutex_buf +i);
_3proxy_mutex_destroy(mutex_buf +i);
free(mutex_buf);
mutex_buf = NULL;
return 1;
@ -291,7 +291,7 @@ void ssl_init()
thread_setup();
SSLeay_add_ssl_algorithms();
SSL_load_error_strings();
pthread_mutex_init(&ssl_file_mutex, NULL);
_3proxy_mutex_init(&ssl_file_mutex);
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
}
}

27
src/plugins/SSLPlugin/ssl_plugin.c
View File

@ -274,11 +274,12 @@ SSL_CONN ssl_handshake_to_server(SOCKET s, char * hostname, SSL_CONFIG *config,
*errSSL = getSSLErr();
return NULL;
}
#if OPENSSL_VERSION_NUMBER >= 0x0090806fL
if(hostname && *hostname)SSL_set_tlsext_host_name(conn->ssl, hostname);
#endif
do {
struct pollfd fds[1] = {{}};
struct pollfd fds[1] = {{INVALID_SOCKET}};
int sslerr;
err = SSL_connect(conn->ssl);
@ -349,7 +350,7 @@ SSL_CONN ssl_handshake_to_client(SOCKET s, SSL_CONFIG *config, X509 *server_cert
SSL_set_fd(conn->ssl, s);
do {
struct pollfd fds[1] = {{}};
struct pollfd fds[1] = {{INVALID_SOCKET}};
int sslerr;
err = SSL_accept(conn->ssl);
@ -520,7 +521,9 @@ SSL_CTX * ssl_cli_ctx(SSL_CONFIG *config, X509 *server_cert, EVP_PKEY *server_ke
if(config->server_min_proto_version)SSL_CTX_set_min_proto_version(ctx, config->server_min_proto_version);
if(config->server_max_proto_version)SSL_CTX_set_max_proto_version(ctx, config->server_max_proto_version);
if(config->server_cipher_list)SSL_CTX_set_cipher_list(ctx, config->server_cipher_list);
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
if(config->server_ciphersuites)SSL_CTX_set_ciphersuites(ctx, config->server_ciphersuites);
#endif
if(config->server_verify){
if(config->server_ca_file || config->server_ca_dir){
SSL_CTX_load_verify_locations(ctx, config->server_ca_file, config->server_ca_dir);
@ -672,8 +675,12 @@ static void* ssl_filter_open(void * idata, struct srvparam * srv){
if(sc->client_min_proto_version)SSL_CTX_set_min_proto_version(sc->srv_ctx, sc->client_min_proto_version);
if(sc->client_max_proto_version)SSL_CTX_set_max_proto_version(sc->srv_ctx, sc->client_max_proto_version);
if(sc->client_cipher_list)SSL_CTX_set_cipher_list(sc->srv_ctx, sc->client_cipher_list);
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
if(sc->client_ciphersuites)SSL_CTX_set_ciphersuites(sc->srv_ctx, sc->client_ciphersuites);
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10200000L
if(sc->client_alpn_protos.protos_len)SSL_CTX_set_alpn_protos(sc->srv_ctx, sc->client_alpn_protos.protos, sc->client_alpn_protos.protos_len);
#endif
if(sc->client_verify){
if(sc->client_ca_file || sc->client_ca_dir){
SSL_CTX_load_verify_locations(sc->srv_ctx, sc->client_ca_file, sc->client_ca_dir);
@ -759,6 +766,14 @@ static FILTER_ACTION ssl_filter_predata(void *fc, struct clientparam * param){
return PASS;
}
static FILTER_ACTION ssl_parent(struct clientparam * param){
if(PCONF->cli && client_mode == 3) {
if(docli(param)) {
return REJECT;
}
}
return PASS;
}
static void ssl_filter_clear(void *state){
struct clientparam *param;
@ -1158,6 +1173,10 @@ static struct commands ssl_commandhandlers[] = {
{NULL, "ssl_certcache", h_certcache, 2, 2},
};
static struct symbol ssl_symbols[] = {
{NULL, "ssl_parent", (void *)&ssl_parent},
};
#ifdef WATCOM
#pragma aux ssl_plugin "*" parm caller [ ] value struct float struct routine [eax] modify [eax ecx edx]
@ -1221,6 +1240,8 @@ PLUGINAPI int PLUGINCALL ssl_plugin (struct pluginlink * pluginlink,
ssl_init();
ssl_commandhandlers[(sizeof(ssl_commandhandlers)/sizeof(struct commands))-1].next = pl->commandhandlers->next;
pl->commandhandlers->next = ssl_commandhandlers;
ssl_symbols[0].next = pl->symbols.next;
pl->symbols.next = ssl_symbols;
}
tcppmfunc = (PROXYFUNC)pl->findbyname("tcppm");

2
src/plugins/TrafficPlugin/ReadMe.txt
View File

@ -63,5 +63,5 @@ plugin "TrafficPlugin.dll" start debug
/////////////////////////////////////////////////////////////////////////////
Copyright:
(c) Maslov Michael aka Flexx(rus) All rights reserved.
Plugin was writen on Visual C++ 6.0 SP5
Plugin was written on Visual C++ 6.0 SP5
Using structures.h from 3proxy distr.

4
src/plugins/TransparentPlugin/transparent_plugin.c
View File

@ -1,5 +1,5 @@
/*
3APA3A simpliest proxy server
3APA3A simplest proxy server
(c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
please read License Agreement
@ -58,8 +58,10 @@ static FILTER_ACTION transparent_filter_client(void *fo, struct clientparam * pa
return REJECT;
#endif
#else
if(*SAFAMILY(&param->sincl) == AF_INET || *SAFAMILY(&param->sincl) == AF_INET6){
param->req = param->sincl;
param->sincl = param->srv->intsa;
}
#endif
pl->myinet_ntop(*SAFAMILY(&param->req), SAADDR(&param->req), (char *)addrbuf, sizeof(addrbuf));
if(param->hostname) pl->freefunc(param->hostname);

Some files were not shown because too many files have changed in this diff Show More