2026-04-12 16:00:11 +08:00
6 changed files with 72 additions and 85 deletions
--- a/Dockerfile.full
+++ b/Dockerfile.full
@ -1,66 +1,56 @@
 # 3proxy.full is fully functional 3proxy build based on busybox:glibc
 #
-# Example are for podman, for docker change 'podman' to 'docker'
-#
 #to  build:
-# podman build -f Dockerfile.full -t 3proxy.full .
+# docker build -f Dockerfile.full -t 3proxy.full .
 #to run:
+# by default 3proxy uses safe chroot environment with chroot to /usr/local/3proxy with uid/gid 65535/65535 and expects
+# configuration file to be placed in /usr/local/etc/3proxy.
+# Paths in configuration file must be relative to /usr/local/3proxy, that is use /logs instead of 
+# /usr/local/3proxy/logs. nserver in chroot is required for DNS resolution. An example:
 #
 # echo nserver 8.8.8.8 >/path/to/local/config/directory/3proxy.cfg
 # echo proxy -p3129 >>/path/to/local/config/directory/3proxy.cfg
-# podman run --read-only -p 3129:3129 -v /path/to/local/config/directory:/etc/3proxy -name 3proxy.full 3proxy.full
+# docker run -p 3129:3129 -v /path/to/local/config/directory:/usr/local/3proxy/conf -name 3proxy.full 3proxy.full
+#
+# /path/to/local/config/directory in this example must conrain 3proxy.cfg
+# if you need 3proxy to be executed without chroot with root permissions
+# replace /etc/3proxy/3proxy.cfg by e.g. mounting config
+# dir to /etc/3proxy ot by providing config file /etc/3proxy/3proxy.cfg
+# some plugins like SSLPLugin / pamauth also conflict with chroot and must
+# be started prior to chroot.
+# docker run -p 3129:3129 -v /path/to/local/config/directory:/etc/3proxy -name 3proxy.full 3proxy.full
 #
 # use "log" without pathname in config to log to stdout.
-# plugins are located in /usr/local/3proxy/libexec (/libexec for chroot config)
-# symlinked as /lib and /lib64 in both root and chroot configurations, so no need
-# to specify full path to plugin. SSLPlugin is supported.
-#
-# Since 0.9.6 image is distroless, no reason to use chroot, chroot
-# configuration is supported for compatility only.
+# plugins are located in /usr/local/3proxy/libexec (/libexec for chroot config).


-FROM docker.io/gcc AS buildenv
+FROM gcc AS buildenv
 COPY . 3proxy
 RUN cd 3proxy &&\
- apt --assume-yes update && apt --assume-yes install libssl-dev libpcre2-dev &&\
+ apt update && apt install libssl-dev libpam-dev libpcre2-dev &&\
 make -f Makefile.Linux &&\
 strip bin/3proxy &&\
- mkdir /dist &&\
- mkdir /dist/etc &&\
- mkdir /dist/etc/3proxy &&\
- mkdir /dist/bin &&\
- mkdir /dist/usr &&\
- mkdir /dist/usr/local &&\
- mkdir /dist/usr/local/3proxy &&\
- mkdir /dist/usr/local/3proxy/libexec &&\
- mkdir /dist/usr/local/3proxy/conf &&\
- cp bin/3proxy /dist/bin &&\
- cp bin/*.so /dist/usr/local/3proxy/libexec &&\
- cp scripts/3proxy.cfg.inchroot /dist/etc/3proxy/3proxy.cfg
-RUN cd /dist &&\
- ln -s /usr/local/3proxy/libexec lib64 &&\
- ln -s /usr/local/3proxy/libexec lib &&\
- ln -s /usr/local/3proxy/libexec usr/lib &&\
- ln -s /usr/local/3proxy/libexec usr/lib64 &&\
- ln -s /usr/local/3proxy/libexec /dist/usr/local/3proxy/libexec/`gcc -dumpmachine` &&\
- cp /lib64/ld-*.so.* /dist/usr/local/3proxy/libexec &&\
- cp "/lib/`gcc -dumpmachine`"/libc.so.* /dist/usr/local/3proxy/libexec &&\
- cp "/lib/`gcc -dumpmachine`"/libdl.so.* /dist/usr/local/3proxy/libexec &&\
- cp "/lib/`gcc -dumpmachine`"/libcrypto.so.* /dist/usr/local/3proxy/libexec &&\
- cp "/lib/`gcc -dumpmachine`"/libssl.so.* /dist/usr/local/3proxy/libexec &&\
- cp "/lib/`gcc -dumpmachine`"/libpcre2-8.so.* /dist/usr/local/3proxy/libexec &&\
- cp "/lib/`gcc -dumpmachine`"/libz.so.* /dist/usr/local/3proxy/libexec &&\
- cp "/lib/`gcc -dumpmachine`"/libzstd.so.* /dist/usr/local/3proxy/libexec
-RUN cd /dist/usr/local/3proxy/ &&\
- ln -s libexec lib &&\
- ln -s libexec lib64 &&\
- mkdir usr
-RUN cd /dist/usr/local/3proxy/usr &&\
- ln -s ../libexec lib &&\
- ln -s ../libexec lib64 &&\
- strip /dist/usr/local/3proxy/libexec/*.so &&\
- ls -lR /dist
+ strip bin/StringsPlugin.ld.so &&\
+ strip bin/TrafficPlugin.ld.so &&\
+ strip bin/PCREPlugin.ld.so &&\
+ strip bin/TransparentPlugin.ld.so &&\
+ strip bin/SSLPlugin.ld.so &&\
+ mkdir /usr/local/lib/3proxy &&\
+ cp "/lib/`gcc -dumpmachine`"/libdl.so.* /usr/local/lib/3proxy/

-FROM scratch
-COPY --from=buildenv /dist /
+FROM busybox:glibc
+COPY --from=buildenv /usr/local/lib/3proxy/libdl.so.* /lib/
+COPY --from=buildenv 3proxy/bin/3proxy /bin/
+COPY --from=buildenv 3proxy/bin/*.ld.so /usr/local/3proxy/libexec/
+RUN mkdir /usr/local/3proxy/logs &&\
+ mkdir /usr/local/3proxy/conf &&\
+ chown -R 65535:65535 /usr/local/3proxy &&\
+ chmod -R 550  /usr/local/3proxy &&\
+ chmod 750  /usr/local/3proxy/logs &&\
+ chmod -R 555 /usr/local/3proxy/libexec &&\
+ chown -R root /usr/local/3proxy/libexec &&\
+ mkdir /etc/3proxy/ &&\
+ echo chroot /usr/local/3proxy 65535 65535 >/etc/3proxy/3proxy.cfg &&\
+ echo include /conf/3proxy.cfg >>/etc/3proxy/3proxy.cfg &&\
+ chmod 440  /etc/3proxy/3proxy.cfg
 CMD ["/bin/3proxy", "/etc/3proxy/3proxy.cfg"]
--- a/Dockerfile.minimal
+++ b/Dockerfile.minimal
@ -1,38 +1,41 @@
 # dockerfile for "interactive" minimal 3proxy execution, no configuration mounting is required, configuration
 # is accepted from stdin. Use "end" command to indicate the end of configuration. Use "log" for stdout logging.
 #
-# Examples are for podman. For docker change 'podman' to 'docker'.
+# This is busybox based docker with only 3proxy static executable and empty non-writable "run" directory.
 #
-# This is busybox based docker with only 3proxy static executable.
-#
-# Limitations for minimal version:
-# no support for plugins, IPv6, RADIUS, system resolver.
-# 'nserver' or 'fakeresolve' are mandatory in configuration.
+# "plugin" is not supported
 #
 # Build:
 #
-# podman build -f Dockerfile.minimal -t 3proxy.minimal .
+# docker build -f Dockerfile.minimal -t 3proxy.minimal .
 #
 # Run example:
 #
-# podman run --read-only -i -p 3129:3129 --name 3proxy 3proxy.minimal  
+# docker run -i -p 3129:3129 --name 3proxy 3proxy.minimal  
 #or
-# podman start -ai 3proxy
+# docker start -i 3proxy
+#<chroot run 65535 65535
 #<nserver 8.8.8.8
 #<nscache 65535
 #<log
 #<proxy -p3129
 #<end
 #
+# use "chroot run 65536 65536" in config for safe chroot environment. nserver is required for DNS resolutions in chroot.

-FROM docker.io/gcc AS buildenv
+
+FROM gcc AS buildenv
 COPY . 3proxy
 RUN cd 3proxy &&\
- export "LDFLAGS=-static" &&\
- export "CFLAGS=-DNOPLUGINS -DNORADIUS -DNOIPV6 -DNOODBC -DNOCRYPT -DNOSTDRESOLVE" &&\
- make -f Makefile.Linux PLUGINS= LIBS= &&\
+ echo "">>Makefile.Linux &&\
+ echo LDFLAGS = -fPIC -O2 -fno-strict-aliasing -pthread >>Makefile.Linux &&\
+ echo PLUGINS = >>Makefile.Linux &&\
+ echo LIBS = >>Makefile.Linux &&\
+ echo CFLAGS = -g  -fPIC -O2 -fno-strict-aliasing -c -pthread -DWITHSPLICE -D_GNU_SOURCE -DGETHOSTBYNAME_R -D_THREAD_SAFE -D_REENTRANT -DNOODBC -DWITH_STD_MALLOC -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_NETFILTER -DNOPLUGINS >>Makefile.Linux &&\
+ make -f Makefile.Linux &&\
 strip bin/3proxy
 
-FROM scratch
+FROM busybox:glibc
 COPY --from=buildenv 3proxy/bin/3proxy /bin/3proxy
+RUN mkdir /run && chmod 555 /run
 CMD ["/bin/3proxy"]
--- a/Makefile.FreeBSD
+++ b/Makefile.FreeBSD
@ -30,19 +30,19 @@ TYPECOMMAND = cat
 COMPATLIBS =
 MAKEFILE = Makefile.FreeBSD
 PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin
-OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -otestssl testssl.o -lcrypto -lssl 2>/dev/null && rm testssl testssl.o && echo true||echo false)
+OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l crypto -l ssl -o testssl - 2>/dev/null && rm testssl && echo true||echo false)
 ifeq ($(OPENSSL_CHECK), true)
    LIBS += -l crypto -l ssl
    PLUGINS += SSLPlugin
 endif
-PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include <pcre2.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpcre.o - 2>/dev/null && $(CC) -o testpcre testpcre.o $(LDFLAGS) -lpcre2-8 2>/dev/null && rm testpcre testpcre.o && echo true||echo false)
-ifeq ($(PCRE_CHECK), true)
-    PLUGINS += PCREPlugin
-endif
-PAM_CHECK = $(shell echo "\#include <security/pam_appl.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpam.o - 2>/dev/null && $(CC) $(LDFLAGS) -o testpam testpam.o -lpam 2>/dev/null && rm testpam testpam.o && echo true||echo false)
+PAM_CHECK = $(shell echo "\#include <security/pam_appl.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l pam -o testpam - 2>/dev/null && rm testpam && echo true||echo false)
 ifeq ($(PAM_CHECK), true)
    PLUGINS += PamAuth
 endif
+PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include <pcre2.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l pcre2-8 -o testpcre - 2>/dev/null && rm testpcre && echo true||echo false)
+ifeq ($(PCRE_CHECK), true)
+    PLUGINS += PCREPlugin
+endif

 include Makefile.inc

--- a/Makefile.Linux
+++ b/Makefile.Linux
@ -33,16 +33,16 @@ MAKEFILE = Makefile.Linux
 LIBS ?= -ldl 
 #PLUGINS = SSLPlugin StringsPlugin TrafficPlugin PCREPlugin TransparentPlugin PamAuth
 PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin
-OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -otestssl testssl.o -lcrypto -lssl 2>/dev/null && rm testssl testssl.o && echo true||echo false)
+OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l crypto -l ssl -o testssl - 2>/dev/null && rm testssl && echo true||echo false)
 ifeq ($(OPENSSL_CHECK), true)
    LIBS += -l crypto -l ssl
    PLUGINS += SSLPlugin
 endif
-PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include <pcre2.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpcre.o - 2>/dev/null && $(CC) -o testpcre testpcre.o $(LDFLAGS) -lpcre2-8 2>/dev/null && rm testpcre testpcre.o && echo true||echo false)
+PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include <pcre2.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l pcre2-8 -o testpcre - 2>/dev/null && rm testpcre && echo true||echo false)
 ifeq ($(PCRE_CHECK), true)
    PLUGINS += PCREPlugin
 endif
-PAM_CHECK = $(shell echo "\#include <security/pam_appl.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpam.o - 2>/dev/null && $(CC) $(LDFLAGS) -o testpam testpam.o -lpam 2>/dev/null && rm testpam testpam.o && echo true||echo false)
+PAM_CHECK = $(shell echo "\#include <security/pam_appl.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l pam -o testpam - 2>/dev/null && rm testpam && echo true||echo false)
 ifeq ($(PAM_CHECK), true)
    PLUGINS += PamAuth
 endif
--- a/Makefile.unix
+++ b/Makefile.unix
@ -32,20 +32,19 @@ TYPECOMMAND = cat
 COMPATLIBS =
 MAKEFILE = Makefile.unix
 PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin
-OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -otestssl testssl.o -lcrypto -lssl 2>/dev/null && rm testssl testssl.o && echo true||echo false)
+OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l crypto -l ssl -o testssl - 2>/dev/null && rm testssl && echo true||echo false)
 ifeq ($(OPENSSL_CHECK), true)
    LIBS += -l crypto -l ssl
    PLUGINS += SSLPlugin
 endif
-PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include <pcre2.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpcre.o - 2>/dev/null && $(CC) -o testpcre testpcre.o $(LDFLAGS) -lpcre2-8 2>/dev/null && rm testpcre testpcre.o && echo true||echo false)
-ifeq ($(PCRE_CHECK), true)
-    PLUGINS += PCREPlugin
-endif
-PAM_CHECK = $(shell echo "\#include <security/pam_appl.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpam.o - 2>/dev/null && $(CC) $(LDFLAGS) -o testpam testpam.o -lpam 2>/dev/null && rm testpam testpam.o && echo true||echo false)
+PAM_CHECK = $(shell echo "\#include <security/pam_appl.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l pam -o testpam - 2>/dev/null && rm testpam && echo true||echo false)
 ifeq ($(PAM_CHECK), true)
    PLUGINS += PamAuth
 endif
-
+PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include <pcre2.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l pcre2-8 -o testpcre - 2>/dev/null && rm testpcre && echo true||echo false)
+ifeq ($(PCRE_CHECK), true)
+    PLUGINS += PCREPlugin
+endif
 include Makefile.inc

 install: all
--- a/src/common.c
+++ b/src/common.c
@ -641,7 +641,7 @@ pthread_mutex_t gethostbyname_mutex;
 int ghbn_init = 0;
 #endif

-#ifndef NOSTDRESOLVE
+
 #ifdef GETHOSTBYNAME_R
 struct hostent * my_gethostbyname(char *name, char *buf, struct hostent *hp){
 	struct hostent *result;
@ -656,7 +656,6 @@ struct hostent * my_gethostbyname(char *name, char *buf, struct hostent *hp){
 #endif
 }
 #endif
-#endif

 #ifdef NOIPV6
 uint32_t getip(unsigned char *name){
@ -690,7 +689,6 @@ uint32_t getip(unsigned char *name){
 		if(conf.demanddialprog) system(conf.demanddialprog);
 		return (*tmpresolv)(AF_INET, name, (unsigned char *)&retval)?retval:0;
 	}
-#ifndef NOSTDRESOLVE
 #if !defined(_WIN32) && !defined(GETHOSTBYNAME_R)
 	if(!ghbn_init){
 		pthread_mutex_init(&gethostbyname_mutex, NULL);
@ -709,9 +707,6 @@ uint32_t getip(unsigned char *name){
 #endif
 #ifdef GETHOSTBYNAME_R
 #undef gethostbyname
-#endif
-#else
-	retval=0;
 #endif
 	return retval;
 }