Update year

CMakeLists.txt

@@ -509,10 +509,22 @@ if(NOT WIN32)
     install(FILES scripts/add3proxyuser.sh DESTINATION ${CMAKE_INSTALL_BINDIR})
 endif()
 
-# Install service files (systemd, init.d, or rc.d)
+# Install service files (systemd, launchd, init.d, or rc.d)
 if(NOT WIN32)
-    if(CMAKE_SYSTEM_NAME MATCHES "FreeBSD|Darwin|OpenBSD|NetBSD")
-        # BSD/macOS - install rc.d script
+    if(CMAKE_SYSTEM_NAME STREQUAL "Darwin")
+        # macOS - install launchd plist
+        configure_file(
+            ${CMAKE_CURRENT_SOURCE_DIR}/scripts/org.3proxy.3proxy.plist.in
+            ${CMAKE_CURRENT_BINARY_DIR}/org.3proxy.3proxy.plist
+            @ONLY
+        )
+        install(FILES ${CMAKE_CURRENT_BINARY_DIR}/org.3proxy.3proxy.plist
+            DESTINATION /Library/LaunchDaemons
+        )
+
+        message(STATUS "  launchd: YES (/Library/LaunchDaemons)")
+    elseif(CMAKE_SYSTEM_NAME MATCHES "FreeBSD|OpenBSD|NetBSD")
+        # BSD - install rc.d script
         set(RCD_DIR "/usr/local/etc/rc.d")
 
         configure_file(
@@ -566,7 +578,12 @@ if(NOT WIN32)
             message(STATUS "  systemd: YES (${SYSTEMD_UNIT_DIR})")
         else()
             # No systemd - install init.d script
-            install(FILES scripts/init.d/3proxy.sh
+            configure_file(
+                ${CMAKE_CURRENT_SOURCE_DIR}/scripts/init.d/3proxy.in
+                ${CMAKE_CURRENT_BINARY_DIR}/3proxy.init
+                @ONLY
+            )
+            install(FILES ${CMAKE_CURRENT_BINARY_DIR}/3proxy.init
                 DESTINATION /etc/init.d
                 RENAME 3proxy
                 PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
@@ -576,7 +593,12 @@ if(NOT WIN32)
         endif()
     else()
         # Other Unix - install init.d script
-        install(FILES scripts/init.d/3proxy.sh
+        configure_file(
+            ${CMAKE_CURRENT_SOURCE_DIR}/scripts/init.d/3proxy.in
+            ${CMAKE_CURRENT_BINARY_DIR}/3proxy.init
+            @ONLY
+        )
+        install(FILES ${CMAKE_CURRENT_BINARY_DIR}/3proxy.init
             DESTINATION /etc/init.d
             RENAME 3proxy
             PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
@@ -584,6 +606,18 @@ if(NOT WIN32)
 
         message(STATUS "  init.d: YES (/etc/init.d)")
     endif()
+
+    # Create proxy user and group during installation
+    install(FILES scripts/postinstall.sh
+        DESTINATION ${CMAKE_INSTALL_BINDIR}
+        PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
+    )
+    install(CODE "
+        execute_process(
+            COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/postinstall.sh
+            RESULT_VARIABLE POSTINSTALL_RESULT
+        )
+    ")
 endif()
 
 # Install man pages

README

@@ -21,10 +21,10 @@ Devel branch - 3proxy 10 (don't use it)
 
 * Windows installation
 
-3proxy --install 
+3proxy [path_to_config_file] --install 
 	
 	installs and starts proxy as Windows service
-	(config file should be located in the same directory)
+	(config file should be located in the same directory or may be optionally specified)
 
 3proxy --remove 
 
@@ -33,7 +33,7 @@ Devel branch - 3proxy 10 (don't use it)
 
 * To build in Linux
 
-install git and build-essential packages, use
+With Makefile:
 
 git clone https://github.com/z3apa3a/3proxy
 cd 3proxy
@@ -41,6 +41,7 @@ ln -s Makefile.Linux Makefile
 make
 sudo make install
 
+
 Default configuration (for Linux/Unix):
 3proxy uses 2 configuration files:
 /etc/3proxy/3proxy.cfg (before-chroot). This configuration file is executed before chroot and should not be modified.
@@ -58,15 +59,59 @@ usage: /etc/3proxy/conf/add3proxyuser.sh username password [day_limit] [bandwidt
 
 or modify /etc/3proxy/conf/ files directly.
 
+
+With CMake:
+
+git clone https://github.com/z3apa3a/3proxy
+cd 3proxy
+mkdir build && cd build
+cmake ..
+cmake --build .
+sudo cmake --install .
+
+
+CMake does not use chroot configuration, config file is /etc/3proxy/3proxy.cfg
+
 * For MacOS X / FreeBSD / *BSD
 
+With Makefile:
+
 git clone https://github.com/z3apa3a/3proxy
 cd 3proxy
 ln -s Makefile.FreeBSD Makefile
 make
 
+
 (binaries are in bin/ directory)
 
+With CMake (recommended):
+
+git clone https://github.com/z3apa3a/3proxy
+cd 3proxy
+mkdir build && cd build
+cmake ..
+cmake --build .
+sudo cmake --install .
+
+
+This installs binaries to /usr/local/bin/, configuration to /etc/3proxy/,
+plugins to /usr/local/lib/3proxy/, rc scripts to rc.d for BSD and launchd plist to /Library/LaunchDaemons/ for MacOS.
+
+Service management on macOS:
+
+# Load and start service
+sudo launchctl load /Library/LaunchDaemons/org.3proxy.3proxy.plist
+
+# Stop service
+sudo launchctl stop org.3proxy.3proxy
+
+# Start service
+sudo launchctl start org.3proxy.3proxy
+
+# Unload and disable service
+sudo launchctl unload /Library/LaunchDaemons/org.3proxy.3proxy.plist
+
+
  Features:
   1. General
 	+ IPv6 support for incoming and outgoing connection,

cfg/3proxy.cfg.sample

@@ -137,14 +137,6 @@ dnspr
 # this is just an alternative form fo giving external and internal address
 # allows you to read this addresses from files
 
-auth strong
-# We want to protect internal interface
-deny * * 127.0.0.1,192.168.1.1
-# and llow HTTP and HTTPS traffic.
-allow * * * 80-88,8080-8088 HTTP
-allow * * * 443,8443 HTTPS
-proxy -n
-
 auth none
 # pop3p will be used without any authentication. It's bad choice
 # because it's possible to use pop3p to access any port
@@ -160,16 +152,6 @@ tcppm 25 mail.my.provider 25
 # It's very userfull for services like DNS but not for some massive services
 # like multimedia streams or online games.
 
-auth strong
-flush
-allow 3APA3A,test
-maxconn 20
-socks
-# for socks we will use password authentication and different access control -
-# we flush previously configured ACL list and create new one to allow users
-# test and 3APA3A to connect from any location
-
-
 auth strong
 flush
 internal 127.0.0.1
@@ -199,3 +181,21 @@ admin
 # now we needn't any root rights. We can chroot and setgid/setuid.
 
 
+auth strong
+flush
+# We want to protect internal interface
+deny * * 127.0.0.1,192.168.1.1
+# and llow HTTP and HTTPS traffic.
+allow * * * 80-88,8080-8088 HTTP
+allow * * * 443,8443 HTTPS
+proxy -n
+
+flush
+allow 3APA3A,test
+maxconn 20
+socks
+# for socks we will use password authentication and different access control -
+# we flush previously configured ACL list and create new one to allow users
+# test and 3APA3A to connect from any location
+
+

doc/html/howtoe.html

@@ -12,6 +12,7 @@
 	<ul>
 		<li><A HREF="#INSTNT">How to install/remove 3proxy under Windows NT/2000/XP</A>
 		<li><A HREF="#INSTUNIX">How to install/remove 3proxy under Unix/Linux</A>
+		<li><A HREF="#INSTMACOS">How to install/remove 3proxy under macOS</A>
 		<li><A HREF="#INSTDOCKER">How to use 3proxy with Docker</A>
 	</ul>
 	<li><A HREF="#SERVER">Server configuration</A>
@@ -32,6 +33,8 @@
 		<li><a href="#NAMES">How to resolve names through a parent proxy</a></li>
 		<li><a href="#ISFTP">How to set up an FTP proxy</a></li>
 		<li><a href="#TLSPR">How to set up an SNI proxy (tlspr)</a></li>
+		<li><a href="#SSLPLUGIN">How to set up TLS/SSL with SSLPlugin (https proxy, mTLS)</a></li>
+		<li><a href="#CERTIFICATES">How to create CA and certificates for SSLPlugin</a></li>
 		<li><A HREF="#AUTH">How to limit service access</A>
 		<li><A HREF="#USERS">How to create a user list</A>
 		<li><A HREF="#ACL">How to limit user access to resources</A>
@@ -182,6 +185,51 @@ Add 3proxy to the system startup scripts or use systemd:
 sudo systemctl enable 3proxy
 sudo systemctl start 3proxy
 </pre>
+</p>
+		<li><A NAME="INSTMACOS">How to install/remove 3proxy under macOS</A>
+<p>
+<b>Using CMake (recommended):</b>
+<pre>
+mkdir build && cd build
+cmake ..
+cmake --build .
+sudo cmake --install .
+</pre>
+This installs:
+<ul>
+<li>Binaries to <code>/usr/local/bin/</code></li>
+<li>Configuration to <code>/etc/3proxy/</code></li>
+<li>Plugins to <code>/usr/local/lib/3proxy/</code></li>
+<li>Launchd plist to <code>/Library/LaunchDaemons/org.3proxy.3proxy.plist</code></li>
+</ul>
+</p>
+<p>
+<b>Using Makefile:</b>
+<pre>
+ln -sf Makefile.FreeBSD Makefile
+make
+sudo make install
+</pre>
+This installs binaries to <code>/usr/local/3proxy/bin/</code> and configuration to <code>/usr/local/etc/3proxy/</code>.
+</p>
+<p>
+<b>Service management with launchd:</b>
+<br>After installation via cmake, the service can be managed with launchctl:
+<pre>
+# Load and start the service
+sudo launchctl load /Library/LaunchDaemons/org.3proxy.3proxy.plist
+
+# Stop the service
+sudo launchctl stop org.3proxy.3proxy
+
+# Start the service
+sudo launchctl start org.3proxy.3proxy
+
+# Unload and disable the service
+sudo launchctl unload /Library/LaunchDaemons/org.3proxy.3proxy.plist
+</pre>
+The service runs as user <code>proxy</code> (created during installation).
+Configuration file: <code>/etc/3proxy/3proxy.cfg</code>
 </p>
 		<li><A NAME="INSTDOCKER">How to use 3proxy with Docker</A>
 <p>
@@ -593,6 +641,193 @@ allow *
 proxy
 </pre>
   </p>
+		<li><a name="SSLPLUGIN"><i>How to set up TLS/SSL with SSLPlugin (https proxy, mTLS)</i></a>
+<p>
+SSLPlugin provides TLS/SSL support for 3proxy. It can be used to:
+<ul>
+<li>Create an https:// proxy (TLS-encrypted connection between client and proxy)</li>
+<li>Implement MITM for TLS traffic inspection</li>
+<li>Connect to upstream servers via TLS with client certificate authentication</li>
+<li>Require client certificate authentication (mTLS)</li>
+</ul>
+</p>
+<p>
+<b>Creating an https:// proxy:</b>
+<br>To create an https:// proxy, you need a server certificate and key. The certificate must not be self-signed
+and should contain Subject Alternative Names (SAN) for the proxy hostname/IP.
+</p><pre>
+plugin /path/to/SSLPlugin.ld.so ssl_plugin
+ssl_server_cert /etc/3proxy/certs/server.crt
+ssl_server_key /etc/3proxy/certs/server.key
+ssl_serv
+proxy -p3129
+ssl_noserv
+proxy -p3128
+</pre>
+<p>
+This creates an https:// proxy on port 3129 and an http:// proxy on port 3128.
+Configure clients to use https://proxy-host:3129/ as the proxy URL.
+</p>
+<p>
+<b>Client certificate authentication (mTLS):</b>
+<br>To require clients to authenticate with a certificate, use ssl_server_verify and provide the CA certificate:
+</p><pre>
+plugin /path/to/SSLPlugin.ld.so ssl_plugin
+ssl_server_cert /etc/3proxy/certs/server.crt
+ssl_server_key /etc/3proxy/certs/server.key
+ssl_server_ca_file /etc/3proxy/certs/ca.crt
+ssl_server_verify
+ssl_serv
+proxy -p3129
+</pre>
+<p>
+Only clients with a valid certificate signed by the CA can connect.
+</p>
+<p>
+<b>MITM for TLS traffic inspection:</b>
+<br>To intercept and decrypt TLS traffic, you need a CA certificate to generate spoofed server certificates:
+</p><pre>
+plugin /path/to/SSLPlugin.ld.so ssl_plugin
+ssl_server_ca_file /etc/3proxy/certs/ca.crt
+ssl_server_ca_key /etc/3proxy/certs/ca.key
+ssl_client_verify
+ssl_client_ca_file /etc/ssl/certs/ca-certificates.crt
+ssl_mitm
+proxy -p3128
+ssl_nomitm
+proxy -p3129
+</pre>
+<p>
+The CA certificate must be trusted by clients. ssl_client_verify ensures the real server certificates are validated.
+Without ssl_client_verify, the proxy is vulnerable to MITM attacks.
+</p>
+<p>
+<b>TLS client (connect to upstream via TLS):</b>
+<br>To connect to upstream servers via TLS with client certificate authentication:
+</p><pre>
+plugin /path/to/SSLPlugin.ld.so ssl_plugin
+ssl_client_cert /etc/3proxy/certs/client.crt
+ssl_client_key /etc/3proxy/certs/client.key
+ssl_client_verify
+ssl_client_ca_file /etc/ssl/certs/ca-certificates.crt
+ssl_cli
+proxy -p3128
+</pre>
+		<li><a name="CERTIFICATES"><i>How to create CA and certificates for SSLPlugin</i></a>
+<p>
+<b>Creating a Certificate Authority (CA):</b>
+<br>For MITM or mTLS, you need a CA. Generate a CA private key and certificate:
+</p><pre>
+# Generate CA private key
+openssl genrsa -out ca.key 4096
+
+# Generate CA certificate (valid for 10 years)
+openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
+    -subj "/C=US/ST=State/L=City/O=MyOrg/CN=My CA" \
+    -out ca.crt
+</pre>
+<p>
+For MITM, import ca.crt into client browsers/OS as a trusted root CA.
+</p>
+<p>
+<b>Creating a server certificate for https:// proxy:</b>
+<br>The server certificate must have proper Subject Alternative Names (SAN):
+</p><pre>
+# Generate server private key
+openssl genrsa -out server.key 2048
+
+# Create a certificate signing request (CSR)
+openssl req -new -key server.key \
+    -subj "/C=US/ST=State/L=City/O=MyOrg/CN=proxy.example.com" \
+    -out server.csr
+
+# Create extensions file for SAN
+cat > server.ext << 'EOF'
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = proxy.example.com
+DNS.2 = proxy
+IP.1 = 192.168.1.100
+EOF
+
+# Sign the certificate with CA
+openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
+    -CAcreateserial -out server.crt -days 365 -sha256 \
+    -extfile server.ext
+</pre>
+<p>
+For a public https:// proxy, use a CA like Let's Encrypt instead of self-signed.
+</p>
+<p>
+<b>Creating a client certificate for mTLS:</b>
+</p><pre>
+# Generate client private key
+openssl genrsa -out client1.key 2048
+
+# Create CSR
+openssl req -new -key client1.key \
+    -subj "/C=US/ST=State/L=City/O=MyOrg/CN=client1" \
+    -out client1.csr
+
+# Create extensions file
+cat > client.ext << 'EOF'
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment
+extendedKeyUsage = clientAuth
+EOF
+
+# Sign with CA
+openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key \
+    -CAcreateserial -out client1.crt -days 365 -sha256 \
+    -extfile client.ext
+
+# Create PKCS#12 bundle for browser import
+openssl pkcs12 -export -out client1.p12 \
+    -inkey client1.key -in client1.crt -certfile ca.crt
+</pre>
+<p>
+Import client1.p12 into the client browser or OS certificate store.
+</p>
+<p>
+<b>Quick setup script for development/testing:</b>
+</p><pre>
+#!/bin/sh
+# Creates CA, server, and client certificates for SSLPlugin testing
+
+# CA
+openssl genrsa -out ca.key 4096
+openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
+    -subj "/CN=3proxy CA" -out ca.crt
+
+# Server
+openssl genrsa -out server.key 2048
+openssl req -new -key server.key -subj "/CN=localhost" -out server.csr
+cat > server.ext << 'EOF'
+basicConstraints=CA:FALSE
+keyUsage = keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = DNS:localhost,DNS:proxy,IP:127.0.0.1
+EOF
+openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
+    -CAcreateserial -out server.crt -days 365 -sha256 -extfile server.ext
+
+# Client
+openssl genrsa -out client.key 2048
+openssl req -new -key client.key -subj "/CN=client" -out client.csr
+cat > client.ext << 'EOF'
+basicConstraints=CA:FALSE
+extendedKeyUsage = clientAuth
+EOF
+openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
+    -CAcreateserial -out client.crt -days 365 -sha256 -extfile client.ext
+openssl pkcs12 -export -out client.p12 -passout pass: \
+    -inkey client.key -in client.crt -certfile ca.crt
+</pre>
 		<li><A NAME="AUTH">How to limit service access</A>
 <p>
 First, always specify the internal interface to accept incoming connections with the

doc/html/howtor.html

@@ -12,6 +12,7 @@
   <ul>
     <li><a href="#INSTNT">Как установить/удалить 3proxy под Windows NT/2000/XP/2003 как службу</a>
     <li><a href="#INSTUNIX">Как установить/удалить 3proxy под Unix/Linux</a>
+    <li><a href="#INSTMACOS">Как установить/удалить 3proxy под macOS</a>
     <li><a href="#INSTDOCKER">Как использовать 3proxy с Docker</a>
   </ul>
   <li><a href="#SERVER">Конфигурация сервера</a>
@@ -32,6 +33,8 @@
     <li><a href="#NAMES">Как разрешать имена на родительском прокси?</a></li>
     <li><a href="#ISFTP">Как настроить FTP прокси?</a></li>
     <li><a href="#TLSPR">Как настроить SNI proxy (tlspr)</a></li>
+    <li><a href="#SSLPLUGIN">Как настроить TLS/SSL с помощью SSLPlugin (https прокси, mTLS)</a></li>
+    <li><a href="#CERTIFICATES">Как создать CA и сертификаты для SSLPlugin</a></li>
     <li><a href="#AUTH">Как ограничить доступ к службе</a>
     <li><a href="#USERS">Как создать список пользователей</a>
     <li><a href="#ACL">Как ограничить доступ пользователей к ресурсам</a>
@@ -178,6 +181,48 @@
   sudo systemctl enable 3proxy
   sudo systemctl start 3proxy</pre>
   </p>
+  <li><a name="INSTMACOS"><i>Как установить/удалить 3proxy под macOS</i></a>
+  <p>
+  <b>С помощью CMake (рекомендуется):</b>
+  <pre>
+  mkdir build && cd build
+  cmake ..
+  cmake --build .
+  sudo cmake --install .</pre>
+  Это установит:
+  <ul>
+  <li>Исполняемые файлы в <code>/usr/local/bin/</code></li>
+  <li>Конфигурацию в <code>/etc/3proxy/</code></li>
+  <li>Плагины в <code>/usr/local/lib/3proxy/</code></li>
+  <li>Launchd plist в <code>/Library/LaunchDaemons/org.3proxy.3proxy.plist</code></li>
+  </ul>
+  </p>
+  <p>
+  <b>С помощью Makefile:</b>
+  <pre>
+  ln -sf Makefile.FreeBSD Makefile
+  make
+  sudo make install</pre>
+  Это установит исполняемые файлы в <code>/usr/local/3proxy/bin/</code> и конфигурацию в <code>/usr/local/etc/3proxy/</code>.
+  </p>
+  <p>
+  <b>Управление службой через launchd:</b>
+  <br>После установки через cmake службой можно управлять с помощью launchctl:
+  <pre>
+  # Загрузить и запустить службу
+  sudo launchctl load /Library/LaunchDaemons/org.3proxy.3proxy.plist
+
+  # Остановить службу
+  sudo launchctl stop org.3proxy.3proxy
+
+  # Запустить службу
+  sudo launchctl start org.3proxy.3proxy
+
+  # Выгрузить и отключить службу
+  sudo launchctl unload /Library/LaunchDaemons/org.3proxy.3proxy.plist</pre>
+  Служба запускается от имени пользователя <code>proxy</code> (создаётся при установке).
+  Файл конфигурации: <code>/etc/3proxy/3proxy.cfg</code>
+  </p>
   <li><a name="INSTDOCKER"><i>Как использовать 3proxy с Docker</i></a>
   <p>
   <b>Использование готовых образов из GitHub Container Registry:</b>
@@ -604,6 +649,194 @@ proxy
 </pre>
   </p>
 
+  <li><a name="SSLPLUGIN"><i>Как настроить TLS/SSL с помощью SSLPlugin (https прокси, mTLS)</i></a>
+<p>
+SSLPlugin обеспечивает поддержку TLS/SSL для 3proxy. Он может использоваться для:
+<ul>
+<li>Создания https:// прокси (TLS-шифрованное соединение между клиентом и прокси)</li>
+<li>Реализации MITM для инспекции TLS-трафика</li>
+<li>Соединения с вышестоящими серверами через TLS с аутентификацией по клиентскому сертификату</li>
+<li>Требования аутентификации по клиентскому сертификату (mTLS)</li>
+</ul>
+</p>
+<p>
+<b>Создание https:// прокси:</b>
+<br>Для создания https:// прокси требуется сертификат и ключ сервера. Сертификат не должен быть самоподписанным
+и должен содержать альтернативные имена (SAN) для имени хоста/IP прокси.
+</p><pre>
+plugin /path/to/SSLPlugin.ld.so ssl_plugin
+ssl_server_cert /etc/3proxy/certs/server.crt
+ssl_server_key /etc/3proxy/certs/server.key
+ssl_serv
+proxy -p3129
+ssl_noserv
+proxy -p3128
+</pre>
+<p>
+Создаётся https:// прокси на порту 3129 и http:// прокси на порту 3128.
+Настройте клиенты на использование https://proxy-host:3129/ в качестве URL прокси.
+</p>
+<p>
+<b>Аутентификация по клиентскому сертификату (mTLS):</b>
+<br>Чтобы требовать от клиентов аутентификацию по сертификату, используйте ssl_server_verify и укажите CA-сертификат:
+</p><pre>
+plugin /path/to/SSLPlugin.ld.so ssl_plugin
+ssl_server_cert /etc/3proxy/certs/server.crt
+ssl_server_key /etc/3proxy/certs/server.key
+ssl_server_ca_file /etc/3proxy/certs/ca.crt
+ssl_server_verify
+ssl_serv
+proxy -p3129
+</pre>
+<p>
+Только клиенты с действительным сертификатом, подписанным CA, смогут подключиться.
+</p>
+<p>
+<b>MITM для инспекции TLS-трафика:</b>
+<br>Для перехвата и расшифровки TLS-трафика требуется CA-сертификат для генерации подделанных серверных сертификатов:
+</p><pre>
+plugin /path/to/SSLPlugin.ld.so ssl_plugin
+ssl_server_ca_file /etc/3proxy/certs/ca.crt
+ssl_server_ca_key /etc/3proxy/certs/ca.key
+ssl_client_verify
+ssl_client_ca_file /etc/ssl/certs/ca-certificates.crt
+ssl_mitm
+proxy -p3128
+ssl_nomitm
+proxy -p3129
+</pre>
+<p>
+CA-сертификат должен быть доверенным для клиентов. ssl_client_verify обеспечивает проверку реальных серверных сертификатов.
+Без ssl_client_verify прокси уязвим для MITM-атак.
+</p>
+<p>
+<b>TLS-клиент (соединение с вышестоящим сервером через TLS):</b>
+<br>Для соединения с вышестоящими серверами через TLS с аутентификацией по клиентскому сертификату:
+</p><pre>
+plugin /path/to/SSLPlugin.ld.so ssl_plugin
+ssl_client_cert /etc/3proxy/certs/client.crt
+ssl_client_key /etc/3proxy/certs/client.key
+ssl_client_verify
+ssl_client_ca_file /etc/ssl/certs/ca-certificates.crt
+ssl_cli
+proxy -p3128
+</pre>
+  <li><a name="CERTIFICATES"><i>Как создать CA и сертификаты для SSLPlugin</i></a>
+<p>
+<b>Создание удостоверяющего центра (CA):</b>
+<br>Для MITM или mTLS требуется CA. Сгенерируйте закрытый ключ CA и сертификат:
+</p><pre>
+# Генерация закрытого ключа CA
+openssl genrsa -out ca.key 4096
+
+# Генерация сертификата CA (действителен 10 лет)
+openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
+    -subj "/C=RU/ST=Region/L=City/O=MyOrg/CN=My CA" \
+    -out ca.crt
+</pre>
+<p>
+Для MITM импортируйте ca.crt в браузеры/ОС клиентов как доверенный корневой CA.
+</p>
+<p>
+<b>Создание серверного сертификата для https:// прокси:</b>
+<br>Серверный сертификат должен иметь правильные альтернативные имена (SAN):
+</p><pre>
+# Генерация закрытого ключа сервера
+openssl genrsa -out server.key 2048
+
+# Создание запроса на подпись сертификата (CSR)
+openssl req -new -key server.key \
+    -subj "/C=RU/ST=Region/L=City/O=MyOrg/CN=proxy.example.com" \
+    -out server.csr
+
+# Создание файла расширений для SAN
+cat > server.ext << 'EOF'
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = proxy.example.com
+DNS.2 = proxy
+IP.1 = 192.168.1.100
+EOF
+
+# Подписание сертификата CA
+openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
+    -CAcreateserial -out server.crt -days 365 -sha256 \
+    -extfile server.ext
+</pre>
+<p>
+Для публичного https:// прокси используйте CA вроде Let's Encrypt вместо самоподписанного.
+</p>
+<p>
+<b>Создание клиентского сертификата для mTLS:</b>
+</p><pre>
+# Генерация закрытого ключа клиента
+openssl genrsa -out client1.key 2048
+
+# Создание CSR
+openssl req -new -key client1.key \
+    -subj "/C=RU/ST=Region/L=City/O=MyOrg/CN=client1" \
+    -out client1.csr
+
+# Создание файла расширений
+cat > client.ext << 'EOF'
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment
+extendedKeyUsage = clientAuth
+EOF
+
+# Подписание CA
+openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key \
+    -CAcreateserial -out client1.crt -days 365 -sha256 \
+    -extfile client.ext
+
+# Создание PKCS#12 для импорта в браузер
+openssl pkcs12 -export -out client1.p12 \
+    -inkey client1.key -in client1.crt -certfile ca.crt
+</pre>
+<p>
+Импортируйте client1.p12 в хранилище сертификатов браузера или ОС клиента.
+</p>
+<p>
+<b>Скрипт быстрой настройки для разработки/тестирования:</b>
+</p><pre>
+#!/bin/sh
+# Создаёт CA, серверный и клиентский сертификаты для тестирования SSLPlugin
+
+# CA
+openssl genrsa -out ca.key 4096
+openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
+    -subj "/CN=3proxy CA" -out ca.crt
+
+# Сервер
+openssl genrsa -out server.key 2048
+openssl req -new -key server.key -subj "/CN=localhost" -out server.csr
+cat > server.ext << 'EOF'
+basicConstraints=CA:FALSE
+keyUsage = keyEncipherment
+extendedKeyUsage = serverAuth
+subjectAltName = DNS:localhost,DNS:proxy,IP:127.0.0.1
+EOF
+openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
+    -CAcreateserial -out server.crt -days 365 -sha256 -extfile server.ext
+
+# Клиент
+openssl genrsa -out client.key 2048
+openssl req -new -key client.key -subj "/CN=client" -out client.csr
+cat > client.ext << 'EOF'
+basicConstraints=CA:FALSE
+extendedKeyUsage = clientAuth
+EOF
+openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
+    -CAcreateserial -out client.crt -days 365 -sha256 -extfile client.ext
+openssl pkcs12 -export -out client.p12 -passout pass: \
+    -inkey client.key -in client.crt -certfile ca.crt
+</pre>
+
   <li><a name="AUTH"><i>Как ограничить доступ к службе</i></a>
   <p>
   Во-первых, для ограничения доступа необходимо указать внутренний интерфейс,

scripts/3proxy.cfg

@@ -1,2 +1,4 @@
 #!/usr/local/bin/3proxy
-#path to plugins:
+
+#use standard syslog logging
+log @3proxy

scripts/3proxy.service.in

@@ -4,6 +4,9 @@ Documentation=man:3proxy(1)
 After=network.target
 
 [Service]
+Type=simple
+User=proxy
+Group=proxy
 Environment=CONFIGFILE=/etc/3proxy/3proxy.cfg
 ExecStart=@CMAKE_INSTALL_FULL_BINDIR@/3proxy ${CONFIGFILE}
 ExecReload=/bin/kill -SIGUSR1 $MAINPID
@@ -13,6 +16,7 @@ RestartSec=60s
 LimitNOFILE=65536
 LimitNPROC=32768
 RuntimeDirectory=3proxy
+RuntimeDirectoryMode=0755
 
 [Install]
 WantedBy=multi-user.target

scripts/3proxy.tmpfiles.in

@@ -1,3 +1,3 @@
 # tmpfiles.d configuration for 3proxy
 # This creates the runtime directory for 3proxy
-d /run/3proxy 0755 root root -
+d /run/3proxy 0755 proxy proxy -

scripts/init.d/3proxy.in

@@ -0,0 +1,109 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          3proxy
+# Required-Start:    $network $local_fs
+# Required-Stop:     $network $local_fs
+# Should-Start:
+# Should-Stop:
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Start/stop 3proxy
+# Description:       Start/stop 3proxy, tiny proxy server
+### END INIT INFO
+# chkconfig: 2345 20 80
+# description: 3proxy tiny proxy server
+
+DAEMON=@CMAKE_INSTALL_FULL_BINDIR@/3proxy
+CONFIGFILE=/etc/3proxy/3proxy.cfg
+PIDFILE=/var/run/3proxy/3proxy.pid
+USER=proxy
+GROUP=proxy
+
+# Source function library if available
+if [ -f /etc/init.d/functions ]; then
+    . /etc/init.d/functions
+fi
+
+case "$1" in
+   start)
+       echo -n "Starting 3Proxy: "
+
+       if [ ! -d /var/run/3proxy ]; then
+           mkdir -p /var/run/3proxy
+           chown $USER:$GROUP /var/run/3proxy 2>/dev/null || true
+       fi
+
+       if command -v start-stop-daemon >/dev/null 2>&1; then
+           # Debian/Ubuntu style
+           start-stop-daemon --start --quiet --pidfile $PIDFILE \
+               --chuid $USER:$GROUP --exec $DAEMON -- $CONFIGFILE
+       elif [ -f /etc/init.d/functions ]; then
+           # RedHat/CentOS style
+           daemon --user=$USER $DAEMON $CONFIGFILE
+       else
+           # Fallback
+           su -s /bin/sh $USER -c "$DAEMON $CONFIGFILE"
+       fi
+
+       RETVAL=$?
+       echo
+       [ $RETVAL = 0 ] && touch /var/lock/subsys/3proxy
+       ;;
+
+   stop)
+       echo -n "Stopping 3Proxy: "
+
+       if command -v start-stop-daemon >/dev/null 2>&1; then
+           # Debian/Ubuntu style
+           start-stop-daemon --stop --quiet --pidfile $PIDFILE
+       elif [ -f /etc/init.d/functions ]; then
+           # RedHat/CentOS style
+           killproc -p $PIDFILE $DAEMON
+       else
+           # Fallback
+           if [ -f $PIDFILE ]; then
+               kill `cat $PIDFILE` 2>/dev/null
+           else
+               killall 3proxy 2>/dev/null
+           fi
+       fi
+
+       RETVAL=$?
+       echo
+       [ $RETVAL = 0 ] && rm -f /var/lock/subsys/3proxy
+       ;;
+
+   restart|reload)
+       echo -n "Reloading 3Proxy: "
+       if [ -f $PIDFILE ]; then
+           kill -s USR1 `cat $PIDFILE` 2>/dev/null
+           RETVAL=$?
+       else
+           echo "PID file not found, cannot reload"
+           RETVAL=1
+       fi
+       echo
+       ;;
+
+   status)
+       if command -v status >/dev/null 2>&1; then
+           status -p $PIDFILE $DAEMON
+       elif [ -f $PIDFILE ]; then
+           if kill -0 `cat $PIDFILE` 2>/dev/null; then
+               echo "3proxy is running (pid `cat $PIDFILE`)"
+               RETVAL=0
+           else
+               echo "3proxy is dead but pid file exists"
+               RETVAL=1
+           fi
+       else
+           echo "3proxy is not running"
+           RETVAL=3
+       fi
+       ;;
+
+   *)
+       echo "Usage: $0 {start|stop|restart|reload|status}"
+       exit 1
+esac
+exit ${RETVAL:-0}

scripts/org.3proxy.3proxy.plist.in

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>Label</key>
+    <string>org.3proxy.3proxy</string>
+    <key>ProgramArguments</key>
+    <array>
+        <string>@CMAKE_INSTALL_FULL_BINDIR@/3proxy</string>
+        <string>/etc/3proxy/3proxy.cfg</string>
+    </array>
+    <key>UserName</key>
+    <string>proxy</string>
+    <key>GroupName</key>
+    <string>proxy</string>
+    <key>RunAtLoad</key>
+    <true/>
+    <key>KeepAlive</key>
+    <true/>
+    <key>StandardOutPath</key>
+    <string>/var/log/3proxy.log</string>
+    <key>StandardErrorPath</key>
+    <string>/var/log/3proxy.log</string>
+    <key>SoftResourceLimits</key>
+    <dict>
+        <key>NumberOfFiles</key>
+        <integer>65536</integer>
+    </dict>
+    <key>HardResourceLimits</key>
+    <dict>
+        <key>NumberOfFiles</key>
+        <integer>65536</integer>
+    </dict>
+</dict>
+</plist>

scripts/postinstall.sh

@@ -0,0 +1,45 @@
+#!/bin/sh
+# Post-install script for 3proxy
+# Creates proxy user and group if they don't exist
+
+set -e
+
+# Check if user already exists
+if id proxy >/dev/null 2>&1; then
+    echo "User 'proxy' already exists"
+    exit 0
+fi
+
+echo "Creating proxy user and group..."
+
+# Determine which commands are available
+if command -v groupadd >/dev/null 2>&1; then
+    # Linux (shadow-utils)
+    groupadd -r proxy 2>/dev/null || true
+    useradd -r -g proxy -d /var/run/3proxy -s /usr/sbin/nologin proxy 2>/dev/null || true
+elif command -v addgroup >/dev/null 2>&1; then
+    # Alpine Linux / BusyBox
+    addgroup -S proxy 2>/dev/null || true
+    adduser -S -D -H -G proxy -s /sbin/nologin proxy 2>/dev/null || true
+elif command -v pw >/dev/null 2>&1; then
+    # FreeBSD
+    pw groupadd proxy 2>/dev/null || true
+    pw useradd proxy -g proxy -d /var/run/3proxy -s /usr/sbin/nologin 2>/dev/null || true
+elif command -v dscl >/dev/null 2>&1; then
+    # macOS
+    dscl . create /Groups/proxy 2>/dev/null || true
+    dscl . create /Users/proxy 2>/dev/null || true
+    dscl . create /Users/proxy UserShell /usr/bin/false 2>/dev/null || true
+    dscl . create /Users/proxy NFSHomeDirectory /var/run/3proxy 2>/dev/null || true
+else
+    echo "Warning: Could not create proxy user - no suitable user management tool found"
+    exit 0
+fi
+
+if id proxy >/dev/null 2>&1; then
+    echo "User 'proxy' created successfully"
+else
+    echo "Warning: Failed to create user 'proxy'"
+fi
+
+exit 0

scripts/rc.d/3proxy.in

@@ -13,6 +13,7 @@ command="@CMAKE_INSTALL_FULL_BINDIR@/3proxy"
 pidfile="/var/run/3proxy/${name}.pid"
 command_args="${3proxy_config:-/etc/3proxy/3proxy.cfg}"
 required_files="${3proxy_config:-/etc/3proxy/3proxy.cfg}"
+command_user="proxy:proxy"
 
 start_precmd="3proxy_precmd"
 
@@ -20,6 +21,7 @@ start_precmd="3proxy_precmd"
 {
     if [ ! -d /var/run/3proxy ]; then
         mkdir -p /var/run/3proxy
+        chown proxy:proxy /var/run/3proxy
     fi
 }
 

src/version.h

@@ -9,4 +9,4 @@
 #define MINOR3PROXY 5
 #define SUBMINOR3PROXY 0
 #define RELEASE3PROXY "3proxy-0.9.5(" BUILDDATE ")\0"
-#define YEAR3PROXY "2025"
+#define YEAR3PROXY "2026"