Update year

change config example
howto update
2026-04-13 00:10:11 +08:00 · 2026-04-05 13:29:33 +03:00 · 2026-04-05 13:12:26 +03:00 · 2026-04-05 13:05:34 +03:00 · 2026-04-05 12:49:03 +03:00 · 2026-04-05 12:46:57 +03:00
13 changed files with 773 additions and 29 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -509,10 +509,22 @@ if(NOT WIN32)
    install(FILES scripts/add3proxyuser.sh DESTINATION ${CMAKE_INSTALL_BINDIR})
 endif()
-# Install service files (systemd, init.d, or rc.d)
+# Install service files (systemd, launchd, init.d, or rc.d)
 if(NOT WIN32)
-    if(CMAKE_SYSTEM_NAME MATCHES "FreeBSD|Darwin|OpenBSD|NetBSD")
+    if(CMAKE_SYSTEM_NAME STREQUAL "Darwin")
-        # BSD/macOS - install rc.d script
+        # macOS - install launchd plist
        configure_file(
            ${CMAKE_CURRENT_SOURCE_DIR}/scripts/org.3proxy.3proxy.plist.in
            ${CMAKE_CURRENT_BINARY_DIR}/org.3proxy.3proxy.plist
            @ONLY
        )
        install(FILES ${CMAKE_CURRENT_BINARY_DIR}/org.3proxy.3proxy.plist
            DESTINATION /Library/LaunchDaemons
        )
        message(STATUS "  launchd: YES (/Library/LaunchDaemons)")
    elseif(CMAKE_SYSTEM_NAME MATCHES "FreeBSD|OpenBSD|NetBSD")
        # BSD - install rc.d script
        set(RCD_DIR "/usr/local/etc/rc.d")
        configure_file(
@ -566,7 +578,12 @@ if(NOT WIN32)
            message(STATUS "  systemd: YES (${SYSTEMD_UNIT_DIR})")
        else()
            # No systemd - install init.d script
-            install(FILES scripts/init.d/3proxy.sh
+            configure_file(
                ${CMAKE_CURRENT_SOURCE_DIR}/scripts/init.d/3proxy.in
                ${CMAKE_CURRENT_BINARY_DIR}/3proxy.init
                @ONLY
            )
            install(FILES ${CMAKE_CURRENT_BINARY_DIR}/3proxy.init
                DESTINATION /etc/init.d
                RENAME 3proxy
                PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
@ -576,7 +593,12 @@ if(NOT WIN32)
        endif()
    else()
        # Other Unix - install init.d script
-        install(FILES scripts/init.d/3proxy.sh
+        configure_file(
            ${CMAKE_CURRENT_SOURCE_DIR}/scripts/init.d/3proxy.in
            ${CMAKE_CURRENT_BINARY_DIR}/3proxy.init
            @ONLY
        )
        install(FILES ${CMAKE_CURRENT_BINARY_DIR}/3proxy.init
            DESTINATION /etc/init.d
            RENAME 3proxy
            PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
@ -584,6 +606,18 @@ if(NOT WIN32)
        message(STATUS "  init.d: YES (/etc/init.d)")
    endif()
    # Create proxy user and group during installation
    install(FILES scripts/postinstall.sh
        DESTINATION ${CMAKE_INSTALL_BINDIR}
        PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE
    )
    install(CODE "
        execute_process(
            COMMAND ${CMAKE_INSTALL_FULL_BINDIR}/postinstall.sh
            RESULT_VARIABLE POSTINSTALL_RESULT
        )
    ")
 endif()
 # Install man pages
--- a/51
+++ b/51
@ -21,10 +21,10 @@ Devel branch - 3proxy 10 (don't use it)
 * Windows installation
-3proxy --install 
+3proxy [path_to_config_file] --install 
 	installs and starts proxy as Windows service
-	(config file should be located in the same directory)
+	(config file should be located in the same directory or may be optionally specified)
 3proxy --remove 
@ -33,7 +33,7 @@ Devel branch - 3proxy 10 (don't use it)
 * To build in Linux
-install git and build-essential packages, use
+With Makefile:
 git clone https://github.com/z3apa3a/3proxy
 cd 3proxy
@ -41,6 +41,7 @@ ln -s Makefile.Linux Makefile
 make
 sudo make install
 Default configuration (for Linux/Unix):
 3proxy uses 2 configuration files:
 /etc/3proxy/3proxy.cfg (before-chroot). This configuration file is executed before chroot and should not be modified.
@ -58,15 +59,59 @@ usage: /etc/3proxy/conf/add3proxyuser.sh username password [day_limit] [bandwidt
 or modify /etc/3proxy/conf/ files directly.
 With CMake:
 git clone https://github.com/z3apa3a/3proxy
 cd 3proxy
 mkdir build && cd build
 cmake ..
 cmake --build .
 sudo cmake --install .
 CMake does not use chroot configuration, config file is /etc/3proxy/3proxy.cfg
 * For MacOS X / FreeBSD / *BSD
 With Makefile:
 git clone https://github.com/z3apa3a/3proxy
 cd 3proxy
 ln -s Makefile.FreeBSD Makefile
 make
 (binaries are in bin/ directory)
 With CMake (recommended):
 git clone https://github.com/z3apa3a/3proxy
 cd 3proxy
 mkdir build && cd build
 cmake ..
 cmake --build .
 sudo cmake --install .
 This installs binaries to /usr/local/bin/, configuration to /etc/3proxy/,
 plugins to /usr/local/lib/3proxy/, rc scripts to rc.d for BSD and launchd plist to /Library/LaunchDaemons/ for MacOS.
 Service management on macOS:
 # Load and start service
 sudo launchctl load /Library/LaunchDaemons/org.3proxy.3proxy.plist
 # Stop service
 sudo launchctl stop org.3proxy.3proxy
 # Start service
 sudo launchctl start org.3proxy.3proxy
 # Unload and disable service
 sudo launchctl unload /Library/LaunchDaemons/org.3proxy.3proxy.plist
 Features:
  1. General
 	+ IPv6 support for incoming and outgoing connection,
--- a/cfg/3proxy.cfg.sample
+++ b/cfg/3proxy.cfg.sample
@ -137,14 +137,6 @@ dnspr
 # this is just an alternative form fo giving external and internal address
 # allows you to read this addresses from files
 auth strong
 # We want to protect internal interface
 deny * * 127.0.0.1,192.168.1.1
 # and llow HTTP and HTTPS traffic.
 allow * * * 80-88,8080-8088 HTTP
 allow * * * 443,8443 HTTPS
 proxy -n
 auth none
 # pop3p will be used without any authentication. It's bad choice
 # because it's possible to use pop3p to access any port
@ -160,16 +152,6 @@ tcppm 25 mail.my.provider 25
 # It's very userfull for services like DNS but not for some massive services
 # like multimedia streams or online games.
 auth strong
 flush
 allow 3APA3A,test
 maxconn 20
 socks
 # for socks we will use password authentication and different access control -
 # we flush previously configured ACL list and create new one to allow users
 # test and 3APA3A to connect from any location
 auth strong
 flush
 internal 127.0.0.1
@ -199,3 +181,21 @@ admin
 # now we needn't any root rights. We can chroot and setgid/setuid.
 auth strong
 flush
 # We want to protect internal interface
 deny * * 127.0.0.1,192.168.1.1
 # and llow HTTP and HTTPS traffic.
 allow * * * 80-88,8080-8088 HTTP
 allow * * * 443,8443 HTTPS
 proxy -n
 flush
 allow 3APA3A,test
 maxconn 20
 socks
 # for socks we will use password authentication and different access control -
 # we flush previously configured ACL list and create new one to allow users
 # test and 3APA3A to connect from any location
--- a/doc/html/howtoe.html
+++ b/doc/html/howtoe.html
@ -12,6 +12,7 @@
 	<ul>
 		<li><A HREF="#INSTNT">How to install/remove 3proxy under Windows NT/2000/XP</A>
 		<li><A HREF="#INSTUNIX">How to install/remove 3proxy under Unix/Linux</A>
 		<li><A HREF="#INSTMACOS">How to install/remove 3proxy under macOS</A>
 		<li><A HREF="#INSTDOCKER">How to use 3proxy with Docker</A>
 	</ul>
 	<li><A HREF="#SERVER">Server configuration</A>
@ -32,6 +33,8 @@
 		<li><a href="#NAMES">How to resolve names through a parent proxy</a></li>
 		<li><a href="#ISFTP">How to set up an FTP proxy</a></li>
 		<li><a href="#TLSPR">How to set up an SNI proxy (tlspr)</a></li>
 		<li><a href="#SSLPLUGIN">How to set up TLS/SSL with SSLPlugin (https proxy, mTLS)</a></li>
 		<li><a href="#CERTIFICATES">How to create CA and certificates for SSLPlugin</a></li>
 		<li><A HREF="#AUTH">How to limit service access</A>
 		<li><A HREF="#USERS">How to create a user list</A>
 		<li><A HREF="#ACL">How to limit user access to resources</A>
@ -182,6 +185,51 @@ Add 3proxy to the system startup scripts or use systemd:
 sudo systemctl enable 3proxy
 sudo systemctl start 3proxy
 </pre>
 </p>
 		<li><A NAME="INSTMACOS">How to install/remove 3proxy under macOS</A>
 <p>
 <b>Using CMake (recommended):</b>
 <pre>
 mkdir build && cd build
 cmake ..
 cmake --build .
 sudo cmake --install .
 </pre>
 This installs:
 <ul>
 <li>Binaries to <code>/usr/local/bin/</code></li>
 <li>Configuration to <code>/etc/3proxy/</code></li>
 <li>Plugins to <code>/usr/local/lib/3proxy/</code></li>
 <li>Launchd plist to <code>/Library/LaunchDaemons/org.3proxy.3proxy.plist</code></li>
 </ul>
 </p>
 <p>
 <b>Using Makefile:</b>
 <pre>
 ln -sf Makefile.FreeBSD Makefile
 make
 sudo make install
 </pre>
 This installs binaries to <code>/usr/local/3proxy/bin/</code> and configuration to <code>/usr/local/etc/3proxy/</code>.
 </p>
 <p>
 <b>Service management with launchd:</b>
 <br>After installation via cmake, the service can be managed with launchctl:
 <pre>
 # Load and start the service
 sudo launchctl load /Library/LaunchDaemons/org.3proxy.3proxy.plist
 # Stop the service
 sudo launchctl stop org.3proxy.3proxy
 # Start the service
 sudo launchctl start org.3proxy.3proxy
 # Unload and disable the service
 sudo launchctl unload /Library/LaunchDaemons/org.3proxy.3proxy.plist
 </pre>
 The service runs as user <code>proxy</code> (created during installation).
 Configuration file: <code>/etc/3proxy/3proxy.cfg</code>
 </p>
 		<li><A NAME="INSTDOCKER">How to use 3proxy with Docker</A>
 <p>
@ -593,6 +641,193 @@ allow *
 proxy
 </pre>
  </p>
 		<li><a name="SSLPLUGIN"><i>How to set up TLS/SSL with SSLPlugin (https proxy, mTLS)</i></a>
 <p>
 SSLPlugin provides TLS/SSL support for 3proxy. It can be used to:
 <ul>
 <li>Create an https:// proxy (TLS-encrypted connection between client and proxy)</li>
 <li>Implement MITM for TLS traffic inspection</li>
 <li>Connect to upstream servers via TLS with client certificate authentication</li>
 <li>Require client certificate authentication (mTLS)</li>
 </ul>
 </p>
 <p>
 <b>Creating an https:// proxy:</b>
 <br>To create an https:// proxy, you need a server certificate and key. The certificate must not be self-signed
 and should contain Subject Alternative Names (SAN) for the proxy hostname/IP.
 </p><pre>
 plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_cert /etc/3proxy/certs/server.crt
 ssl_server_key /etc/3proxy/certs/server.key
 ssl_serv
 proxy -p3129
 ssl_noserv
 proxy -p3128
 </pre>
 <p>
 This creates an https:// proxy on port 3129 and an http:// proxy on port 3128.
 Configure clients to use https://proxy-host:3129/ as the proxy URL.
 </p>
 <p>
 <b>Client certificate authentication (mTLS):</b>
 <br>To require clients to authenticate with a certificate, use ssl_server_verify and provide the CA certificate:
 </p><pre>
 plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_cert /etc/3proxy/certs/server.crt
 ssl_server_key /etc/3proxy/certs/server.key
 ssl_server_ca_file /etc/3proxy/certs/ca.crt
 ssl_server_verify
 ssl_serv
 proxy -p3129
 </pre>
 <p>
 Only clients with a valid certificate signed by the CA can connect.
 </p>
 <p>
 <b>MITM for TLS traffic inspection:</b>
 <br>To intercept and decrypt TLS traffic, you need a CA certificate to generate spoofed server certificates:
 </p><pre>
 plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_ca_file /etc/3proxy/certs/ca.crt
 ssl_server_ca_key /etc/3proxy/certs/ca.key
 ssl_client_verify
 ssl_client_ca_file /etc/ssl/certs/ca-certificates.crt
 ssl_mitm
 proxy -p3128
 ssl_nomitm
 proxy -p3129
 </pre>
 <p>
 The CA certificate must be trusted by clients. ssl_client_verify ensures the real server certificates are validated.
 Without ssl_client_verify, the proxy is vulnerable to MITM attacks.
 </p>
 <p>
 <b>TLS client (connect to upstream via TLS):</b>
 <br>To connect to upstream servers via TLS with client certificate authentication:
 </p><pre>
 plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_client_cert /etc/3proxy/certs/client.crt
 ssl_client_key /etc/3proxy/certs/client.key
 ssl_client_verify
 ssl_client_ca_file /etc/ssl/certs/ca-certificates.crt
 ssl_cli
 proxy -p3128
 </pre>
 		<li><a name="CERTIFICATES"><i>How to create CA and certificates for SSLPlugin</i></a>
 <p>
 <b>Creating a Certificate Authority (CA):</b>
 <br>For MITM or mTLS, you need a CA. Generate a CA private key and certificate:
 </p><pre>
 # Generate CA private key
 openssl genrsa -out ca.key 4096
 # Generate CA certificate (valid for 10 years)
 openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
    -subj "/C=US/ST=State/L=City/O=MyOrg/CN=My CA" \
    -out ca.crt
 </pre>
 <p>
 For MITM, import ca.crt into client browsers/OS as a trusted root CA.
 </p>
 <p>
 <b>Creating a server certificate for https:// proxy:</b>
 <br>The server certificate must have proper Subject Alternative Names (SAN):
 </p><pre>
 # Generate server private key
 openssl genrsa -out server.key 2048
 # Create a certificate signing request (CSR)
 openssl req -new -key server.key \
    -subj "/C=US/ST=State/L=City/O=MyOrg/CN=proxy.example.com" \
    -out server.csr
 # Create extensions file for SAN
 cat > server.ext << 'EOF'
 authorityKeyIdentifier=keyid,issuer
 basicConstraints=CA:FALSE
 keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
 extendedKeyUsage = serverAuth
 subjectAltName = @alt_names
 [alt_names]
 DNS.1 = proxy.example.com
 DNS.2 = proxy
 IP.1 = 192.168.1.100
 EOF
 # Sign the certificate with CA
 openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out server.crt -days 365 -sha256 \
    -extfile server.ext
 </pre>
 <p>
 For a public https:// proxy, use a CA like Let's Encrypt instead of self-signed.
 </p>
 <p>
 <b>Creating a client certificate for mTLS:</b>
 </p><pre>
 # Generate client private key
 openssl genrsa -out client1.key 2048
 # Create CSR
 openssl req -new -key client1.key \
    -subj "/C=US/ST=State/L=City/O=MyOrg/CN=client1" \
    -out client1.csr
 # Create extensions file
 cat > client.ext << 'EOF'
 basicConstraints=CA:FALSE
 keyUsage = digitalSignature, nonRepudiation, keyEncipherment
 extendedKeyUsage = clientAuth
 EOF
 # Sign with CA
 openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out client1.crt -days 365 -sha256 \
    -extfile client.ext
 # Create PKCS#12 bundle for browser import
 openssl pkcs12 -export -out client1.p12 \
    -inkey client1.key -in client1.crt -certfile ca.crt
 </pre>
 <p>
 Import client1.p12 into the client browser or OS certificate store.
 </p>
 <p>
 <b>Quick setup script for development/testing:</b>
 </p><pre>
 #!/bin/sh
 # Creates CA, server, and client certificates for SSLPlugin testing
 # CA
 openssl genrsa -out ca.key 4096
 openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
    -subj "/CN=3proxy CA" -out ca.crt
 # Server
 openssl genrsa -out server.key 2048
 openssl req -new -key server.key -subj "/CN=localhost" -out server.csr
 cat > server.ext << 'EOF'
 basicConstraints=CA:FALSE
 keyUsage = keyEncipherment
 extendedKeyUsage = serverAuth
 subjectAltName = DNS:localhost,DNS:proxy,IP:127.0.0.1
 EOF
 openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out server.crt -days 365 -sha256 -extfile server.ext
 # Client
 openssl genrsa -out client.key 2048
 openssl req -new -key client.key -subj "/CN=client" -out client.csr
 cat > client.ext << 'EOF'
 basicConstraints=CA:FALSE
 extendedKeyUsage = clientAuth
 EOF
 openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out client.crt -days 365 -sha256 -extfile client.ext
 openssl pkcs12 -export -out client.p12 -passout pass: \
    -inkey client.key -in client.crt -certfile ca.crt
 </pre>
 		<li><A NAME="AUTH">How to limit service access</A>
 <p>
 First, always specify the internal interface to accept incoming connections with the
--- a/doc/html/howtor.html
+++ b/doc/html/howtor.html
@ -12,6 +12,7 @@
  <ul>
    <li><a href="#INSTNT">Как установить/удалить 3proxy под Windows NT/2000/XP/2003 как службу</a>
    <li><a href="#INSTUNIX">Как установить/удалить 3proxy под Unix/Linux</a>
    <li><a href="#INSTMACOS">Как установить/удалить 3proxy под macOS</a>
    <li><a href="#INSTDOCKER">Как использовать 3proxy с Docker</a>
  </ul>
  <li><a href="#SERVER">Конфигурация сервера</a>
@ -32,6 +33,8 @@
    <li><a href="#NAMES">Как разрешать имена на родительском прокси?</a></li>
    <li><a href="#ISFTP">Как настроить FTP прокси?</a></li>
    <li><a href="#TLSPR">Как настроить SNI proxy (tlspr)</a></li>
    <li><a href="#SSLPLUGIN">Как настроить TLS/SSL с помощью SSLPlugin (https прокси, mTLS)</a></li>
    <li><a href="#CERTIFICATES">Как создать CA и сертификаты для SSLPlugin</a></li>
    <li><a href="#AUTH">Как ограничить доступ к службе</a>
    <li><a href="#USERS">Как создать список пользователей</a>
    <li><a href="#ACL">Как ограничить доступ пользователей к ресурсам</a>
@ -178,6 +181,48 @@
  sudo systemctl enable 3proxy
  sudo systemctl start 3proxy</pre>
  </p>
  <li><a name="INSTMACOS"><i>Как установить/удалить 3proxy под macOS</i></a>
  <p>
  <b>С помощью CMake (рекомендуется):</b>
  <pre>
  mkdir build && cd build
  cmake ..
  cmake --build .
  sudo cmake --install .</pre>
  Это установит:
  <ul>
  <li>Исполняемые файлы в <code>/usr/local/bin/</code></li>
  <li>Конфигурацию в <code>/etc/3proxy/</code></li>
  <li>Плагины в <code>/usr/local/lib/3proxy/</code></li>
  <li>Launchd plist в <code>/Library/LaunchDaemons/org.3proxy.3proxy.plist</code></li>
  </ul>
  </p>
  <p>
  <b>С помощью Makefile:</b>
  <pre>
  ln -sf Makefile.FreeBSD Makefile
  make
  sudo make install</pre>
  Это установит исполняемые файлы в <code>/usr/local/3proxy/bin/</code> и конфигурацию в <code>/usr/local/etc/3proxy/</code>.
  </p>
  <p>
  <b>Управление службой через launchd:</b>
  <br>После установки через cmake службой можно управлять с помощью launchctl:
  <pre>
  # Загрузить и запустить службу
  sudo launchctl load /Library/LaunchDaemons/org.3proxy.3proxy.plist
  # Остановить службу
  sudo launchctl stop org.3proxy.3proxy
  # Запустить службу
  sudo launchctl start org.3proxy.3proxy
  # Выгрузить и отключить службу
  sudo launchctl unload /Library/LaunchDaemons/org.3proxy.3proxy.plist</pre>
  Служба запускается от имени пользователя <code>proxy</code> (создаётся при установке).
  Файл конфигурации: <code>/etc/3proxy/3proxy.cfg</code>
  </p>
  <li><a name="INSTDOCKER"><i>Как использовать 3proxy с Docker</i></a>
  <p>
  <b>Использование готовых образов из GitHub Container Registry:</b>
@ -604,6 +649,194 @@ proxy
 </pre>
  </p>
  <li><a name="SSLPLUGIN"><i>Как настроить TLS/SSL с помощью SSLPlugin (https прокси, mTLS)</i></a>
 <p>
 SSLPlugin обеспечивает поддержку TLS/SSL для 3proxy. Он может использоваться для:
 <ul>
 <li>Создания https:// прокси (TLS-шифрованное соединение между клиентом и прокси)</li>
 <li>Реализации MITM для инспекции TLS-трафика</li>
 <li>Соединения с вышестоящими серверами через TLS с аутентификацией по клиентскому сертификату</li>
 <li>Требования аутентификации по клиентскому сертификату (mTLS)</li>
 </ul>
 </p>
 <p>
 <b>Создание https:// прокси:</b>
 <br>Для создания https:// прокси требуется сертификат и ключ сервера. Сертификат не должен быть самоподписанным
 и должен содержать альтернативные имена (SAN) для имени хоста/IP прокси.
 </p><pre>
 plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_cert /etc/3proxy/certs/server.crt
 ssl_server_key /etc/3proxy/certs/server.key
 ssl_serv
 proxy -p3129
 ssl_noserv
 proxy -p3128
 </pre>
 <p>
 Создаётся https:// прокси на порту 3129 и http:// прокси на порту 3128.
 Настройте клиенты на использование https://proxy-host:3129/ в качестве URL прокси.
 </p>
 <p>
 <b>Аутентификация по клиентскому сертификату (mTLS):</b>
 <br>Чтобы требовать от клиентов аутентификацию по сертификату, используйте ssl_server_verify и укажите CA-сертификат:
 </p><pre>
 plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_cert /etc/3proxy/certs/server.crt
 ssl_server_key /etc/3proxy/certs/server.key
 ssl_server_ca_file /etc/3proxy/certs/ca.crt
 ssl_server_verify
 ssl_serv
 proxy -p3129
 </pre>
 <p>
 Только клиенты с действительным сертификатом, подписанным CA, смогут подключиться.
 </p>
 <p>
 <b>MITM для инспекции TLS-трафика:</b>
 <br>Для перехвата и расшифровки TLS-трафика требуется CA-сертификат для генерации подделанных серверных сертификатов:
 </p><pre>
 plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_ca_file /etc/3proxy/certs/ca.crt
 ssl_server_ca_key /etc/3proxy/certs/ca.key
 ssl_client_verify
 ssl_client_ca_file /etc/ssl/certs/ca-certificates.crt
 ssl_mitm
 proxy -p3128
 ssl_nomitm
 proxy -p3129
 </pre>
 <p>
 CA-сертификат должен быть доверенным для клиентов. ssl_client_verify обеспечивает проверку реальных серверных сертификатов.
 Без ssl_client_verify прокси уязвим для MITM-атак.
 </p>
 <p>
 <b>TLS-клиент (соединение с вышестоящим сервером через TLS):</b>
 <br>Для соединения с вышестоящими серверами через TLS с аутентификацией по клиентскому сертификату:
 </p><pre>
 plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_client_cert /etc/3proxy/certs/client.crt
 ssl_client_key /etc/3proxy/certs/client.key
 ssl_client_verify
 ssl_client_ca_file /etc/ssl/certs/ca-certificates.crt
 ssl_cli
 proxy -p3128
 </pre>
  <li><a name="CERTIFICATES"><i>Как создать CA и сертификаты для SSLPlugin</i></a>
 <p>
 <b>Создание удостоверяющего центра (CA):</b>
 <br>Для MITM или mTLS требуется CA. Сгенерируйте закрытый ключ CA и сертификат:
 </p><pre>
 # Генерация закрытого ключа CA
 openssl genrsa -out ca.key 4096
 # Генерация сертификата CA (действителен 10 лет)
 openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
    -subj "/C=RU/ST=Region/L=City/O=MyOrg/CN=My CA" \
    -out ca.crt
 </pre>
 <p>
 Для MITM импортируйте ca.crt в браузеры/ОС клиентов как доверенный корневой CA.
 </p>
 <p>
 <b>Создание серверного сертификата для https:// прокси:</b>
 <br>Серверный сертификат должен иметь правильные альтернативные имена (SAN):
 </p><pre>
 # Генерация закрытого ключа сервера
 openssl genrsa -out server.key 2048
 # Создание запроса на подпись сертификата (CSR)
 openssl req -new -key server.key \
    -subj "/C=RU/ST=Region/L=City/O=MyOrg/CN=proxy.example.com" \
    -out server.csr
 # Создание файла расширений для SAN
 cat > server.ext << 'EOF'
 authorityKeyIdentifier=keyid,issuer
 basicConstraints=CA:FALSE
 keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
 extendedKeyUsage = serverAuth
 subjectAltName = @alt_names
 [alt_names]
 DNS.1 = proxy.example.com
 DNS.2 = proxy
 IP.1 = 192.168.1.100
 EOF
 # Подписание сертификата CA
 openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out server.crt -days 365 -sha256 \
    -extfile server.ext
 </pre>
 <p>
 Для публичного https:// прокси используйте CA вроде Let's Encrypt вместо самоподписанного.
 </p>
 <p>
 <b>Создание клиентского сертификата для mTLS:</b>
 </p><pre>
 # Генерация закрытого ключа клиента
 openssl genrsa -out client1.key 2048
 # Создание CSR
 openssl req -new -key client1.key \
    -subj "/C=RU/ST=Region/L=City/O=MyOrg/CN=client1" \
    -out client1.csr
 # Создание файла расширений
 cat > client.ext << 'EOF'
 basicConstraints=CA:FALSE
 keyUsage = digitalSignature, nonRepudiation, keyEncipherment
 extendedKeyUsage = clientAuth
 EOF
 # Подписание CA
 openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out client1.crt -days 365 -sha256 \
    -extfile client.ext
 # Создание PKCS#12 для импорта в браузер
 openssl pkcs12 -export -out client1.p12 \
    -inkey client1.key -in client1.crt -certfile ca.crt
 </pre>
 <p>
 Импортируйте client1.p12 в хранилище сертификатов браузера или ОС клиента.
 </p>
 <p>
 <b>Скрипт быстрой настройки для разработки/тестирования:</b>
 </p><pre>
 #!/bin/sh
 # Создаёт CA, серверный и клиентский сертификаты для тестирования SSLPlugin
 # CA
 openssl genrsa -out ca.key 4096
 openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
    -subj "/CN=3proxy CA" -out ca.crt
 # Сервер
 openssl genrsa -out server.key 2048
 openssl req -new -key server.key -subj "/CN=localhost" -out server.csr
 cat > server.ext << 'EOF'
 basicConstraints=CA:FALSE
 keyUsage = keyEncipherment
 extendedKeyUsage = serverAuth
 subjectAltName = DNS:localhost,DNS:proxy,IP:127.0.0.1
 EOF
 openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out server.crt -days 365 -sha256 -extfile server.ext
 # Клиент
 openssl genrsa -out client.key 2048
 openssl req -new -key client.key -subj "/CN=client" -out client.csr
 cat > client.ext << 'EOF'
 basicConstraints=CA:FALSE
 extendedKeyUsage = clientAuth
 EOF
 openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out client.crt -days 365 -sha256 -extfile client.ext
 openssl pkcs12 -export -out client.p12 -passout pass: \
    -inkey client.key -in client.crt -certfile ca.crt
 </pre>
  <li><a name="AUTH"><i>Как ограничить доступ к службе</i></a>
  <p>
  Во-первых, для ограничения доступа необходимо указать внутренний интерфейс,
--- a/scripts/3proxy.cfg
+++ b/scripts/3proxy.cfg
@ -1,2 +1,4 @@
 #!/usr/local/bin/3proxy
-#path to plugins:
+
 #use standard syslog logging
 log @3proxy
--- a/scripts/3proxy.service.in
+++ b/scripts/3proxy.service.in
@ -4,6 +4,9 @@ Documentation=man:3proxy(1)
 After=network.target
 [Service]
 Type=simple
 User=proxy
 Group=proxy
 Environment=CONFIGFILE=/etc/3proxy/3proxy.cfg
 ExecStart=@CMAKE_INSTALL_FULL_BINDIR@/3proxy ${CONFIGFILE}
 ExecReload=/bin/kill -SIGUSR1 $MAINPID
@ -13,6 +16,7 @@ RestartSec=60s
 LimitNOFILE=65536
 LimitNPROC=32768
 RuntimeDirectory=3proxy
 RuntimeDirectoryMode=0755
 [Install]
 WantedBy=multi-user.target
--- a/scripts/3proxy.tmpfiles.in
+++ b/scripts/3proxy.tmpfiles.in
@ -1,3 +1,3 @@
 # tmpfiles.d configuration for 3proxy
 # This creates the runtime directory for 3proxy
-d /run/3proxy 0755 root root -
+d /run/3proxy 0755 proxy proxy -
--- a/scripts/init.d/3proxy.in
+++ b/scripts/init.d/3proxy.in
@ -0,0 +1,109 @@
 #!/bin/sh
 ### BEGIN INIT INFO
 # Provides:          3proxy
 # Required-Start:    $network $local_fs
 # Required-Stop:     $network $local_fs
 # Should-Start:
 # Should-Stop:
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: Start/stop 3proxy
 # Description:       Start/stop 3proxy, tiny proxy server
 ### END INIT INFO
 # chkconfig: 2345 20 80
 # description: 3proxy tiny proxy server
 DAEMON=@CMAKE_INSTALL_FULL_BINDIR@/3proxy
 CONFIGFILE=/etc/3proxy/3proxy.cfg
 PIDFILE=/var/run/3proxy/3proxy.pid
 USER=proxy
 GROUP=proxy
 # Source function library if available
 if [ -f /etc/init.d/functions ]; then
    . /etc/init.d/functions
 fi
 case "$1" in
   start)
       echo -n "Starting 3Proxy: "
       if [ ! -d /var/run/3proxy ]; then
           mkdir -p /var/run/3proxy
           chown $USER:$GROUP /var/run/3proxy 2>/dev/null || true
       fi
       if command -v start-stop-daemon >/dev/null 2>&1; then
           # Debian/Ubuntu style
           start-stop-daemon --start --quiet --pidfile $PIDFILE \
               --chuid $USER:$GROUP --exec $DAEMON -- $CONFIGFILE
       elif [ -f /etc/init.d/functions ]; then
           # RedHat/CentOS style
           daemon --user=$USER $DAEMON $CONFIGFILE
       else
           # Fallback
           su -s /bin/sh $USER -c "$DAEMON $CONFIGFILE"
       fi
       RETVAL=$?
       echo
       [ $RETVAL = 0 ] && touch /var/lock/subsys/3proxy
       ;;
   stop)
       echo -n "Stopping 3Proxy: "
       if command -v start-stop-daemon >/dev/null 2>&1; then
           # Debian/Ubuntu style
           start-stop-daemon --stop --quiet --pidfile $PIDFILE
       elif [ -f /etc/init.d/functions ]; then
           # RedHat/CentOS style
           killproc -p $PIDFILE $DAEMON
       else
           # Fallback
           if [ -f $PIDFILE ]; then
               kill `cat $PIDFILE` 2>/dev/null
           else
               killall 3proxy 2>/dev/null
           fi
       fi
       RETVAL=$?
       echo
       [ $RETVAL = 0 ] && rm -f /var/lock/subsys/3proxy
       ;;
   restart|reload)
       echo -n "Reloading 3Proxy: "
       if [ -f $PIDFILE ]; then
           kill -s USR1 `cat $PIDFILE` 2>/dev/null
           RETVAL=$?
       else
           echo "PID file not found, cannot reload"
           RETVAL=1
       fi
       echo
       ;;
   status)
       if command -v status >/dev/null 2>&1; then
           status -p $PIDFILE $DAEMON
       elif [ -f $PIDFILE ]; then
           if kill -0 `cat $PIDFILE` 2>/dev/null; then
               echo "3proxy is running (pid `cat $PIDFILE`)"
               RETVAL=0
           else
               echo "3proxy is dead but pid file exists"
               RETVAL=1
           fi
       else
           echo "3proxy is not running"
           RETVAL=3
       fi
       ;;
   *)
       echo "Usage: $0 {start|stop|restart|reload|status}"
       exit 1
 esac
 exit ${RETVAL:-0}
--- a/scripts/org.3proxy.3proxy.plist.in
+++ b/scripts/org.3proxy.3proxy.plist.in
@ -0,0 +1,35 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
    <key>Label</key>
    <string>org.3proxy.3proxy</string>
    <key>ProgramArguments</key>
    <array>
        <string>@CMAKE_INSTALL_FULL_BINDIR@/3proxy</string>
        <string>/etc/3proxy/3proxy.cfg</string>
    </array>
    <key>UserName</key>
    <string>proxy</string>
    <key>GroupName</key>
    <string>proxy</string>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
    <key>StandardOutPath</key>
    <string>/var/log/3proxy.log</string>
    <key>StandardErrorPath</key>
    <string>/var/log/3proxy.log</string>
    <key>SoftResourceLimits</key>
    <dict>
        <key>NumberOfFiles</key>
        <integer>65536</integer>
    </dict>
    <key>HardResourceLimits</key>
    <dict>
        <key>NumberOfFiles</key>
        <integer>65536</integer>
    </dict>
 </dict>
 </plist>
--- a/scripts/postinstall.sh
+++ b/scripts/postinstall.sh
@ -0,0 +1,45 @@
 #!/bin/sh
 # Post-install script for 3proxy
 # Creates proxy user and group if they don't exist
 set -e
 # Check if user already exists
 if id proxy >/dev/null 2>&1; then
    echo "User 'proxy' already exists"
    exit 0
 fi
 echo "Creating proxy user and group..."
 # Determine which commands are available
 if command -v groupadd >/dev/null 2>&1; then
    # Linux (shadow-utils)
    groupadd -r proxy 2>/dev/null || true
    useradd -r -g proxy -d /var/run/3proxy -s /usr/sbin/nologin proxy 2>/dev/null || true
 elif command -v addgroup >/dev/null 2>&1; then
    # Alpine Linux / BusyBox
    addgroup -S proxy 2>/dev/null || true
    adduser -S -D -H -G proxy -s /sbin/nologin proxy 2>/dev/null || true
 elif command -v pw >/dev/null 2>&1; then
    # FreeBSD
    pw groupadd proxy 2>/dev/null || true
    pw useradd proxy -g proxy -d /var/run/3proxy -s /usr/sbin/nologin 2>/dev/null || true
 elif command -v dscl >/dev/null 2>&1; then
    # macOS
    dscl . create /Groups/proxy 2>/dev/null || true
    dscl . create /Users/proxy 2>/dev/null || true
    dscl . create /Users/proxy UserShell /usr/bin/false 2>/dev/null || true
    dscl . create /Users/proxy NFSHomeDirectory /var/run/3proxy 2>/dev/null || true
 else
    echo "Warning: Could not create proxy user - no suitable user management tool found"
    exit 0
 fi
 if id proxy >/dev/null 2>&1; then
    echo "User 'proxy' created successfully"
 else
    echo "Warning: Failed to create user 'proxy'"
 fi
 exit 0
--- a/scripts/rc.d/3proxy.in
+++ b/scripts/rc.d/3proxy.in
@ -13,6 +13,7 @@ command="@CMAKE_INSTALL_FULL_BINDIR@/3proxy"
 pidfile="/var/run/3proxy/${name}.pid"
 command_args="${3proxy_config:-/etc/3proxy/3proxy.cfg}"
 required_files="${3proxy_config:-/etc/3proxy/3proxy.cfg}"
 command_user="proxy:proxy"
 start_precmd="3proxy_precmd"
@ -20,6 +21,7 @@ start_precmd="3proxy_precmd"
 {
    if [ ! -d /var/run/3proxy ]; then
        mkdir -p /var/run/3proxy
        chown proxy:proxy /var/run/3proxy
    fi
 }
--- a/src/version.h
+++ b/src/version.h
@ -9,4 +9,4 @@
 #define MINOR3PROXY 5
 #define SUBMINOR3PROXY 0
 #define RELEASE3PROXY "3proxy-0.9.5(" BUILDDATE ")\0"
-#define YEAR3PROXY "2025"
+#define YEAR3PROXY "2026"
Author	SHA1	Message	Date
Vladimir Dubrovin	7092ecae71	Update year Some checks failed C/C++ CI / ${{ matrix.target }} (macos-15) (push) Has been cancelled Details C/C++ CI / ${{ matrix.target }} (ubuntu-24.04-arm) (push) Has been cancelled Details C/C++ CI / ${{ matrix.target }} (ubuntu-latest) (push) Has been cancelled Details C/C++ CI / ${{ matrix.target }} (windows-2022) (push) Has been cancelled Details	2026-04-05 13:29:33 +03:00
Vladimir Dubrovin	97ecabc80c	change config example	2026-04-05 13:12:26 +03:00
Vladimir Dubrovin	4777ce51ae	howto update	2026-04-05 13:05:34 +03:00
Vladimir Dubrovin	f72c6f5baa	Update README	2026-04-05 12:49:03 +03:00
Vladimir Dubrovin	dc83562700	Use syslog for non-chroot configuration, support MacOS launchd	2026-04-05 12:46:57 +03:00