2026-04-29 07:30:11 +08:00
117 changed files with 3210 additions and 5229 deletions
--- a/.github/workflows/build-watcom.yml
+++ b/.github/workflows/build-watcom.yml
@ -45,7 +45,7 @@ jobs:
       mkdir dist\3proxy\doc\ru
       mkdir dist\3proxy\doc\html
       mkdir dist\3proxy\doc\html\plugins
-       mkdir dist\3proxy\doc\html\man5
+       mkdir dist\3proxy\doc\html\man3
       mkdir dist\3proxy\doc\html\man8
       mkdir dist\3proxy\doc\devel
       copy bin\3proxy.exe dist\3proxy\bin\
@ -57,7 +57,7 @@ jobs:
       copy doc\html\*.* dist\3proxy\doc\html\
       copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\
       copy doc\html\man8\*.* dist\3proxy\doc\html\man8\
-       copy doc\html\man5\*.* dist\3proxy\doc\html\man5\
+       copy doc\html\man3\*.* dist\3proxy\doc\html\man3\
       copy doc\devel\*.rtf dist\3proxy\doc\devel\
       copy copying dist\3proxy\
       copy authors dist\3proxy\
--- a/.github/workflows/build-win32.yml
+++ b/.github/workflows/build-win32.yml
@ -51,7 +51,7 @@ jobs:
       mkdir dist\3proxy\doc\ru
       mkdir dist\3proxy\doc\html
       mkdir dist\3proxy\doc\html\plugins
-       mkdir dist\3proxy\doc\html\man5
+       mkdir dist\3proxy\doc\html\man3
       mkdir dist\3proxy\doc\html\man8
       mkdir dist\3proxy\doc\devel
       copy bin\3proxy.exe dist\3proxy\bin\
@ -63,7 +63,7 @@ jobs:
       copy doc\html\*.* dist\3proxy\doc\html\
       copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\
       copy doc\html\man8\*.* dist\3proxy\doc\html\man8\
-       copy doc\html\man5\*.* dist\3proxy\doc\html\man5\
+       copy doc\html\man3\*.* dist\3proxy\doc\html\man3\
       copy doc\devel\*.rtf dist\3proxy\doc\devel\
       copy copying dist\3proxy\
       copy authors dist\3proxy\
--- a/.github/workflows/build-win64.yml
+++ b/.github/workflows/build-win64.yml
@ -53,7 +53,7 @@ jobs:
       mkdir dist\3proxy\doc\ru
       mkdir dist\3proxy\doc\html
       mkdir dist\3proxy\doc\html\plugins
-       mkdir dist\3proxy\doc\html\man5
+       mkdir dist\3proxy\doc\html\man3
       mkdir dist\3proxy\doc\html\man8
       mkdir dist\3proxy\doc\devel
       copy bin\3proxy.exe dist\3proxy\bin64\
@ -65,7 +65,7 @@ jobs:
       copy doc\html\*.* dist\3proxy\doc\html\
       copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\
       copy doc\html\man8\*.* dist\3proxy\doc\html\man8\
-       copy doc\html\man5\*.* dist\3proxy\doc\html\man5\
+       copy doc\html\man3\*.* dist\3proxy\doc\html\man3\
       copy doc\devel\*.rtf dist\3proxy\doc\devel\
       copy copying dist\3proxy\
       copy authors dist\3proxy\
--- a/.github/workflows/build-winarm64.yml
+++ b/.github/workflows/build-winarm64.yml
@ -51,7 +51,7 @@ jobs:
       mkdir dist\3proxy\doc\ru
       mkdir dist\3proxy\doc\html
       mkdir dist\3proxy\doc\html\plugins
-       mkdir dist\3proxy\doc\html\man5
+       mkdir dist\3proxy\doc\html\man3
       mkdir dist\3proxy\doc\html\man8
       mkdir dist\3proxy\doc\devel
       copy bin\3proxy.exe dist\3proxy\bin64\
@ -63,7 +63,7 @@ jobs:
       copy doc\html\*.* dist\3proxy\doc\html\
       copy doc\html\plugins\*.* dist\3proxy\doc\html\plugins\
       copy doc\html\man8\*.* dist\3proxy\doc\html\man8\
-       copy doc\html\man5\*.* dist\3proxy\doc\html\man5\
+       copy doc\html\man3\*.* dist\3proxy\doc\html\man3\
       copy doc\devel\*.rtf dist\3proxy\doc\devel\
       copy copying dist\3proxy\
       copy authors dist\3proxy\
--- a/.github/workflows/c-cpp-cmake.yml
+++ b/.github/workflows/c-cpp-cmake.yml
@ -2,7 +2,7 @@ name: C/C++ CI cmake
 on:
  push:
-    branches: [ "master", "unix_socket" ]
+    branches: [ "master" ]
    paths: [ '**.c', '**.h', '**.cmake', 'CMakeLists.txt', '.github/configs', '.github/workflows/c-cpp-cmake.yml' ]
  pull_request:
    branches: [ "master" ]
--- a/.gitignore
+++ b/.gitignore
@ -258,12 +258,3 @@ pip-log.txt
 #Mr Developer
 .mr.developer.cfg
 CLAUDE.md
 bin/3proxy_crypt
 bin/3proxy_ftppr
 bin/3proxy_pop3p
 bin/3proxy_proxy
 bin/3proxy_smtpp
 bin/3proxy_socks
 bin/3proxy_tcppm
 bin/3proxy_tlspr
 bin/3proxy_udppm
--- a/11
+++ b/11
@ -1,11 +0,0 @@
 3proxy-0.9.6 Released April, 11 2026
 + ssl_client and multiple configuration options added to SSLPlugin, SSLPlugin code significantly improved and bugfixed. See https://github.com/3proxy/3proxy/wiki/SSLPlugin. 3proxy can now be used as stunnel replacement for many scenarios.
 + HAProxy proxy protocol v1 support as client and server, add -H option for service to expect HA proxy v1 protocol header, use ha parent type: parent 1000 ha 0.0.0.0 0 to send v1 header.
 + tlspr is supported in auto
 + tlspr supports -s option, it breaks HELLO packet to prevent some DPIs from detecting SNI
 + maxseg configuration option and TCP_MAXSEG socket flag support added. It sets maximum size of TCP segment to fix PathMTU discovery problems
 + -Ne / -Ni options added to specify external / internal NAT address for SOCKSv5
 + cmake environment added
 ! External pcre2 (pcre2-8) library is used for PCRE, pcre code is removed from 3proxy
 ! Multiple minor bugfixes
--- a/CHANGELOG.rus
+++ b/CHANGELOG.rus
@ -1,11 +0,0 @@
 3proxy-0.9.6 Вышел 11 Апреля 2026
 + В SSLPlugin добавлены ssl_client и множество опций конфигурации, код SSLPlugin значительно улучшен и исправлен. См. https://github.com/3proxy/3proxy/wiki/SSLPlugin. 3proxy теперь может использоваться как замена stunnel во многих сценариях.
 + Поддержка прокси-протокола HAProxy v1 на стороне клиента и сервера. Добавлена опция -H для сервиса, чтобы ожидать заголовок прокси-протокола HA v1. Используйте тип родителя ha: parent 1000 ha 0.0.0.0 0 для отправки заголовка v1.
 + tlspr поддерживается в режиме auto
 + tlspr поддерживает опцию -s, которая разбивает HELLO-пакет для предотвращения обнаружения SNI некоторыми DPI
 + Добавлена опция конфигурации maxseg и поддержка флага сокета TCP_MAXSEG. Устанавливает максимальный размер TCP-сегмента для решения проблем с обнаружением PathMTU
 + Добавлены опции -Ne / -Ni для указания внешнего/внутреннего NAT-адреса для SOCKSv5
 + Добавлено окружение cmake
 ! Внешняя библиотека pcre2 (pcre2-8) используется для PCRE, код pcre удалён из 3proxy
 ! Множество мелких исправлений ошибок
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -54,28 +54,6 @@ option(3PROXY_USE_SPLICE "Use Linux splice() for zero-copy (Linux only)" ON)
 option(3PROXY_USE_POLL "Use poll() instead of select() (Unix only)" ON)
 option(3PROXY_USE_WSAPOLL "Use WSAPoll instead of select() (Windows only)" ON)
 option(3PROXY_USE_NETFILTER "Enable Linux netfilter support (Linux only)" ON)
 option(3PROXY_USE_UNIX_SOCKETS "Enable Unix domain socket support (Unix only)" ON)
 # Binary name prefix for standalone modules and crypt (default: 3proxy_)
 # For crypt: if prefix is empty, "my" is used instead (→ mycrypt)
 set(3PROXY_BINARY_PREFIX "3proxy_" CACHE STRING "Prefix for standalone module and crypt binary names")
 # Standalone module build options (OFF by default)
 option(3PROXY_BUILD_ALL   "Build all standalone binaries"   OFF)
 option(3PROXY_BUILD_PROXY  "Build standalone proxy binary"  OFF)
 option(3PROXY_BUILD_SOCKS  "Build standalone socks binary"  OFF)
 option(3PROXY_BUILD_POP3P  "Build standalone pop3p binary"  OFF)
 option(3PROXY_BUILD_SMTPP  "Build standalone smtpp binary"  OFF)
 option(3PROXY_BUILD_FTPPR  "Build standalone ftppr binary"  OFF)
 option(3PROXY_BUILD_TCPPM  "Build standalone tcppm binary"  OFF)
 option(3PROXY_BUILD_UDPPM  "Build standalone udppm binary"  OFF)
 option(3PROXY_BUILD_TLSPR  "Build standalone tlspr binary"  OFF)
 if(3PROXY_BUILD_ALL)
    foreach(_M PROXY SOCKS POP3P SMTPP FTPPR TCPPM UDPPM TLSPR)
        set(3PROXY_BUILD_${_M} ON)
    endforeach()
 endif()
 # Output directory
 set(CMAKE_RUNTIME_OUTPUT_DIRECTORY ${CMAKE_BINARY_DIR}/bin)
@ -181,15 +159,10 @@ elseif(CMAKE_SYSTEM_NAME STREQUAL "Linux")
        add_compile_definitions(WITH_NETFILTER)
    endif()
    if(3PROXY_USE_UNIX_SOCKETS)
        add_compile_definitions(WITH_UN)
    endif()
    set(DEFAULT_PLUGINS
        StringsPlugin
        TrafficPlugin
        TransparentPlugin
        FilePlugin
    )
 elseif(CMAKE_SYSTEM_NAME MATCHES "FreeBSD|Darwin|OpenBSD|NetBSD")
@ -203,15 +176,10 @@ elseif(CMAKE_SYSTEM_NAME MATCHES "FreeBSD|Darwin|OpenBSD|NetBSD")
        add_compile_options(-fno-strict-aliasing)
    endif()
    if(3PROXY_USE_UNIX_SOCKETS)
        add_compile_definitions(WITH_UN)
    endif()
    set(DEFAULT_PLUGINS
        StringsPlugin
        TrafficPlugin
        TransparentPlugin
        FilePlugin
    )
 else()
@ -220,15 +188,10 @@ else()
        add_compile_options(-fno-strict-aliasing)
    endif()
    if(3PROXY_USE_UNIX_SOCKETS)
        add_compile_definitions(WITH_UN)
    endif()
    set(DEFAULT_PLUGINS
        StringsPlugin
        TrafficPlugin
        TransparentPlugin
        FilePlugin
    )
 endif()
@ -306,25 +269,17 @@ endif()
 set(3PROXY_CORE_SOURCES
    src/3proxy.c
    src/auth.c
    src/acl.c
    src/limiter.c
    src/redirect.c
    src/authradius.c
    src/hash.c
    src/hashtables.c
    src/resolve.c
    src/sql.c
    src/conf.c
    src/datatypes.c
    src/plugins.c
    src/stringtable.c
 )
-# MD4/MD5/BLAKE2 sources for 3proxy_crypt
+# MD4/MD5 sources for mycrypt
 set(MD_SOURCES
    src/libs/md4.c
    src/libs/md5.c
    src/libs/blake2b-ref.c
 )
 # ============================================================================
@ -349,7 +304,7 @@ target_include_directories(base64_obj PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src)
 # These are used by the main 3proxy executable
 # ============================================================================
-# Server modules object library (without WITHMAIN, without UDP)
+# Server modules object library (without WITHMAIN)
 add_library(srv_modules OBJECT
    src/proxy.c
    src/pop3p.c
@ -360,17 +315,13 @@ add_library(srv_modules OBJECT
    src/auto.c
    src/socks.c
    src/webadmin.c
    src/udppm.c
    src/dnspr.c
 )
 target_include_directories(srv_modules PRIVATE
    ${CMAKE_CURRENT_SOURCE_DIR}/src
 )
 # UDP port mapper server module (without WITHMAIN)
 add_library(srvudppm_obj OBJECT src/udppm.c)
 target_include_directories(srvudppm_obj PRIVATE
    ${CMAKE_CURRENT_SOURCE_DIR}/src
 )
 # mainfunc object (proxymain.c compiled with MODULEMAINFUNC=mainfunc for 3proxy)
 add_library(mainfunc OBJECT src/proxymain.c)
@ -381,9 +332,9 @@ target_compile_definitions(mainfunc PRIVATE MODULEMAINFUNC=mainfunc)
 add_library(ftp_obj OBJECT src/ftp.c)
 target_include_directories(ftp_obj PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src)
-# 3proxy_crypt object for 3proxy (without WITHMAIN)
+# mycrypt object for 3proxy (without WITHMAIN)
-add_library(3proxy_crypt_obj OBJECT src/3proxy_crypt.c)
+add_library(mycrypt_obj OBJECT src/mycrypt.c)
-target_include_directories(3proxy_crypt_obj PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src)
+target_include_directories(mycrypt_obj PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src)
 # ============================================================================
 # Main 3proxy executable
@ -394,12 +345,11 @@ add_executable(3proxy
    ${3PROXY_CORE_SOURCES}
    ${MD_SOURCES}
    $<TARGET_OBJECTS:srv_modules>
    $<TARGET_OBJECTS:srvudppm_obj>
    $<TARGET_OBJECTS:mainfunc>
    $<TARGET_OBJECTS:common_obj>
    $<TARGET_OBJECTS:base64_obj>
    $<TARGET_OBJECTS:ftp_obj>
-    $<TARGET_OBJECTS:3proxy_crypt_obj>
+    $<TARGET_OBJECTS:mycrypt_obj>
 )
 target_include_directories(3proxy PRIVATE
@ -432,31 +382,21 @@ elseif(CMAKE_SYSTEM_NAME STREQUAL "Linux")
    endif()
 endif()
-# Build 3proxy_crypt utility
+# Build mycrypt utility
-add_executable(3proxy_crypt
+add_executable(mycrypt
-    src/3proxy_crypt.c
+    src/mycrypt.c
    ${MD_SOURCES}
    $<TARGET_OBJECTS:base64_obj>
 )
-target_compile_definitions(3proxy_crypt PRIVATE WITHMAIN)
+target_compile_definitions(mycrypt PRIVATE WITHMAIN)
-target_include_directories(3proxy_crypt PRIVATE
+target_include_directories(mycrypt PRIVATE
    ${CMAKE_CURRENT_SOURCE_DIR}/src
    ${CMAKE_CURRENT_SOURCE_DIR}/src/libs
 )
-target_link_libraries(3proxy_crypt PRIVATE Threads::Threads)
+target_link_libraries(mycrypt PRIVATE Threads::Threads)
 if("${3PROXY_BINARY_PREFIX}" STREQUAL "")
    set_target_properties(3proxy_crypt PROPERTIES OUTPUT_NAME "mycrypt")
 else()
    set_target_properties(3proxy_crypt PROPERTIES OUTPUT_NAME "${3PROXY_BINARY_PREFIX}crypt")
 endif()
 # Build standalone proxy executables
 foreach(PROXY_NAME proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
    string(TOUPPER "${PROXY_NAME}" _MODULE_OPT)
    if(NOT 3PROXY_BUILD_${_MODULE_OPT})
        continue()
    endif()
    if(PROXY_NAME STREQUAL "ftppr" OR PROXY_NAME STREQUAL "proxy")
        # ftppr and proxy use ftp_obj
        add_executable(${PROXY_NAME}
@ -471,10 +411,6 @@ foreach(PROXY_NAME proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
        )
    endif()
    set_target_properties(${PROXY_NAME} PROPERTIES
        OUTPUT_NAME "${3PROXY_BINARY_PREFIX}${PROXY_NAME}"
    )
    target_include_directories(${PROXY_NAME} PRIVATE
        ${CMAKE_CURRENT_SOURCE_DIR}/src
    )
@ -484,10 +420,6 @@ foreach(PROXY_NAME proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
        NOPORTMAP
    )
    if(NOT PROXY_NAME STREQUAL "udppm")
        target_compile_definitions(${PROXY_NAME} PRIVATE NOUDPMAIN)
    endif()
    target_link_libraries(${PROXY_NAME} PRIVATE Threads::Threads)
    if(PROXY_NAME STREQUAL "proxy")
@ -505,10 +437,6 @@ foreach(PROXY_NAME proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
    if(PROXY_NAME STREQUAL "proxy" OR PROXY_NAME STREQUAL "smtpp")
        target_sources(${PROXY_NAME} PRIVATE $<TARGET_OBJECTS:base64_obj>)
    endif()
    if(PROXY_NAME STREQUAL "udppm")
        target_sources(${PROXY_NAME} PRIVATE src/hash.c)
    endif()
 endforeach()
 # Plugin output directory
@ -552,19 +480,10 @@ if(PAM_FOUND)
 endif()
 # Installation rules
-install(TARGETS 3proxy 3proxy_crypt
+install(TARGETS 3proxy mycrypt proxy socks pop3p smtpp ftppr tcppm udppm tlspr
    RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}
 )
 foreach(PROXY_NAME proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
    string(TOUPPER "${PROXY_NAME}" _MODULE_OPT)
    if(3PROXY_BUILD_${_MODULE_OPT})
        install(TARGETS ${PROXY_NAME}
            RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}
        )
    endif()
 endforeach()
 # Install plugins
 file(GLOB PLUGINFILES "${PLUGIN_OUTPUT_DIR}/*${PLUGIN_SUFFIX}")
 if(WIN32)
@ -698,32 +617,10 @@ endif()
 # Install man pages
 if(NOT WIN32)
-    # Config man page (section 5) — no prefix
+    file(GLOB MAN3_FILES "${CMAKE_CURRENT_SOURCE_DIR}/man/*.3")
-    file(GLOB MAN5_FILES "${CMAKE_CURRENT_SOURCE_DIR}/man/*.5")
+    file(GLOB MAN8_FILES "${CMAKE_CURRENT_SOURCE_DIR}/man/*.8")
-    install(FILES ${MAN5_FILES} DESTINATION ${CMAKE_INSTALL_MANDIR}/man5)
+    install(FILES ${MAN3_FILES} DESTINATION ${CMAKE_INSTALL_MANDIR}/man3)
-    # Main 3proxy man page — no prefix
+    install(FILES ${MAN8_FILES} DESTINATION ${CMAKE_INSTALL_MANDIR}/man8)
    install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/man/3proxy.8"
        DESTINATION ${CMAKE_INSTALL_MANDIR}/man8
    )
    # 3proxy_crypt man page — no prefix (already has 3proxy_)
    if(EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/man/3proxy_crypt.8")
        install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/man/3proxy_crypt.8"
            DESTINATION ${CMAKE_INSTALL_MANDIR}/man8
        )
    endif()
    # Module man pages — installed with binary prefix only if module is built
    foreach(_MAN proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
        string(TOUPPER "${_MAN}" _MODULE_OPT)
        if(3PROXY_BUILD_${_MODULE_OPT})
            set(_MAN_SRC "${CMAKE_CURRENT_SOURCE_DIR}/man/${_MAN}.8")
            if(EXISTS "${_MAN_SRC}")
                install(FILES "${_MAN_SRC}"
                    DESTINATION ${CMAKE_INSTALL_MANDIR}/man8
                    RENAME "${3PROXY_BINARY_PREFIX}${_MAN}.8"
                )
            endif()
        endif()
    endforeach()
 endif()
 # Summary
@ -757,10 +654,3 @@ message(STATUS "    ODBC:    ${ODBC_FOUND}")
 message(STATUS "")
 message(STATUS "  Plugins to build: ${ALL_PLUGINS}")
 message(STATUS "")
 message(STATUS "  Standalone modules:")
 message(STATUS "    Binary prefix:   \"${3PROXY_BINARY_PREFIX}\"")
 foreach(_M proxy socks pop3p smtpp ftppr tcppm udppm tlspr)
    string(TOUPPER "${_M}" _MO)
    message(STATUS "    BUILD_${_MO}: ${3PROXY_BUILD_${_MO}}")
 endforeach()
 message(STATUS "")
--- a/Dockerfile.busybox
+++ b/Dockerfile.busybox
@ -1,57 +0,0 @@
 # 3proxy.full is fully functional 3proxy build based on busybox:glibc
 #
 # Examples are for podman, for docker change 'podman' to 'docker'
 #
 #to build:
 # podman build -f Dockerfile.busybox -t 3proxy.busybox .
 #to run:
 #
 # echo nserver 8.8.8.8 >/path/to/local/config/directory/3proxy.cfg
 # echo proxy -p3129 >>/path/to/local/config/directory/3proxy.cfg
 # podman run --read-only -p 3129:3129 -v /path/to/local/config/directory:/etc/3proxy --name 3proxy.busybox 3proxy.busybox
 #
 # use "log" without pathname in config to log to stdout.
 # plugins are located in /usr/local/3proxy/libexec (/libexec for chroot config)
 # symlinked as /lib and /lib64 in both root and chroot configurations, so no need
 # to specify full path to plugin. SSLPlugin is supported.
 #
 # Since 0.9.6 image is distroless, no reason to use chroot, chroot
 # configuration is supported for compatibility only.
 FROM docker.io/gcc AS buildenv
 COPY . 3proxy
 RUN cd 3proxy &&\
 apt --assume-yes update && apt --assume-yes install libssl-dev libpcre2-dev &&\
 make -f Makefile.Linux &&\
 strip bin/3proxy &&\
 strip bin/*so &&\
 mkdir /dist &&\
 mkdir /dist/etc &&\
 mkdir /dist/etc/3proxy &&\
 mkdir /dist/bin &&\
 mkdir /dist/usr &&\
 mkdir /dist/usr/local &&\
 mkdir /dist/usr/local/3proxy &&\
 mkdir /dist/usr/local/3proxy/conf &&\
 mkdir /dist/usr/local/3proxy/libexec &&\
 cp bin/3proxy /dist/bin &&\
 cp bin/*.so /dist/usr/local/3proxy/libexec &&\
 cp scripts/3proxy.cfg.inchroot /dist/etc/3proxy/3proxy.cfg
 RUN cd /dist &&\
 ln -s /lib lib64 &&\
 ln -s /lib usr/lib &&\
 ln -s /lib usr/lib64 &&\
 cp /lib64/ld-*.so.* /dist/usr/local/3proxy/libexec &&\
 cp "/lib/`gcc -dumpmachine`"/libdl.so.* /dist/usr/local/3proxy/libexec &&\
 cp "/lib/`gcc -dumpmachine`"/libcrypto.so.* /dist/usr/local/3proxy/libexec &&\
 cp "/lib/`gcc -dumpmachine`"/libssl.so.* /dist/usr/local/3proxy/libexec &&\
 cp "/lib/`gcc -dumpmachine`"/libpcre2-8.so.* /dist/usr/local/3proxy/libexec &&\
 cp "/lib/`gcc -dumpmachine`"/libz.so.* /dist/usr/local/3proxy/libexec &&\
 cp "/lib/`gcc -dumpmachine`"/libzstd.so.* /dist/usr/local/3proxy/libexec &&\
 ls -lR /dist
 FROM docker.io/busybox:glibc
 COPY --from=buildenv /dist /
 RUN ln -sf /usr/local/3proxy/libexec/* /lib/ && cd /usr/local/3proxy/ && ln -s libexec lib && ln -s libexec lib64 && mkdir usr && ln -s libexec usr/lib && ln -s libexec usr//lib64
 CMD ["/bin/3proxy", "/etc/3proxy/3proxy.cfg"]
--- a/Dockerfile.full
+++ b/Dockerfile.full
@ -1,6 +1,6 @@
-# 3proxy.full is fully functional distroless 3proxy build
+# 3proxy.full is fully functional 3proxy build based on busybox:glibc
 #
-# Examples are for podman, for docker change 'podman' to 'docker'
+# Example are for podman, for docker change 'podman' to 'docker'
 #
 #to  build:
 # podman build -f Dockerfile.full -t 3proxy.full .
@ -8,7 +8,7 @@
 #
 # echo nserver 8.8.8.8 >/path/to/local/config/directory/3proxy.cfg
 # echo proxy -p3129 >>/path/to/local/config/directory/3proxy.cfg
-# podman run --read-only -p 3129:3129 -v /path/to/local/config/directory:/etc/3proxy --name 3proxy.full 3proxy.full
+# podman run --read-only -p 3129:3129 -v /path/to/local/config/directory:/etc/3proxy -name 3proxy.full 3proxy.full
 #
 # use "log" without pathname in config to log to stdout.
 # plugins are located in /usr/local/3proxy/libexec (/libexec for chroot config)
@ -16,7 +16,7 @@
 # to specify full path to plugin. SSLPlugin is supported.
 #
 # Since 0.9.6 image is distroless, no reason to use chroot, chroot
-# configuration is supported for compatibility only.
+# configuration is supported for compatility only.
 FROM docker.io/gcc AS buildenv
--- a/Makefile.FreeBSD
+++ b/Makefile.FreeBSD
@ -5,12 +5,9 @@
 # library support. Add -DSAFESQL for poorely written ODBC library / drivers.
 BUILDDIR = ../bin/
 PREFIX ?= 3proxy_
 CRYPT_PREFIX ?= $(PREFIX)
 MANDIR ?= /usr/share/man
 CC ?= cc
-CFLAGS := -c -fno-strict-aliasing -DNOODBC  -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_UN  $(CFLAGS)
+CFLAGS := -c -fno-strict-aliasing -DNOODBC  -DFD_SETSIZE=4096 -DWITH_POLL $(CFLAGS)
 COUT = -o 
 LN ?= ${CC}
 LDFLAGS += -pthread -fno-strict-aliasing 
@ -32,7 +29,7 @@ AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Mak
 TYPECOMMAND = cat
 COMPATLIBS =
 MAKEFILE = Makefile.FreeBSD
-PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin FilePlugin
+PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin
 OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -otestssl testssl.o -lcrypto -lssl 2>/dev/null && rm testssl testssl.o && echo true||echo false)
 ifeq ($(OPENSSL_CHECK), true)
    LIBS += -l crypto -l ssl
@ -52,25 +49,14 @@ include Makefile.inc
 install: all
 	if [ ! -d "/usr/local/3proxy/bin" ]; then mkdir -p /usr/local/3proxy/bin/; fi
 	install bin/3proxy /usr/local/3proxy/bin/3proxy
-	install bin/$(CRYPT_PREFIX)crypt /usr/local/3proxy/bin/$(CRYPT_PREFIX)crypt
+	install bin/mycrypt /usr/local/3proxy/bin/mycrypt
 	for f in proxy socks pop3p smtpp ftppr tcppm udppm tlspr; do \
 	  if [ -f bin/$(PREFIX)$$f ]; then install bin/$(PREFIX)$$f /usr/local/3proxy/bin/$(PREFIX)$$f; fi; \
 	done
 	install scripts/rc.d/3proxy /usr/local/etc/rc.d/3proxy
 	install scripts/add3proxyuser.sh /usr/local/3proxy/bin/
-	if [ -s /usr/local/etc/3proxy/3proxy.cfg ]; then echo /usr/local/3proxy/3proxy.cfg already exists; else install scripts/3proxy.cfg /usr/local/etc/3proxy/; fi
+	if [ -s /usr/local/etc/3proxy/3proxy.cfg ]; then /usr/local/3proxy/3proxy.cfg already exists ; else install scripts/3proxy.cfg /usr/local/etc/3proxy/; fi
 	if [ ! -d /var/log/3proxy/ ]; then mkdir /var/log/3proxy/; fi
 	touch /usr/local/3proxy/passwd
 	touch /usr/local/3proxy/counters
 	touch /usr/local/3proxy/bandlimiters
 	install -d $(MANDIR)/man8
 	install -m 644 man/3proxy.8 $(MANDIR)/man8/3proxy.8
 	for f in proxy socks pop3p smtpp ftppr tcppm udppm tlspr; do \
 	  if [ -f man/$$f.8 ]; then install -m 644 man/$$f.8 $(MANDIR)/man8/$(PREFIX)$$f.8; fi; \
 	done
 	install -m 644 man/3proxy_crypt.8 $(MANDIR)/man8
 	install -d $(MANDIR)/man5
 	install -m 644 man/3proxy.cfg.5 $(MANDIR)/man5/3proxy.cfg.5
 	echo Run /usr/local/3proxy/bin/add3proxyuser.sh to add \'admin\' user
 allplugins:
--- a/Makefile.Linux
+++ b/Makefile.Linux
@ -5,11 +5,9 @@
 # library support. Add -DSAFESQL for poorely written ODBC library / drivers.
 BUILDDIR = ../bin/
 PREFIX ?= 3proxy_
 CRYPT_PREFIX ?= $(PREFIX)
 CC ?= gcc
-CFLAGS := -g  -fPIC -O2 -fno-strict-aliasing -c -pthread -DWITHSPLICE -D_GNU_SOURCE -DGETHOSTBYNAME_R -D_THREAD_SAFE -D_REENTRANT -DNOODBC  -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_NETFILTER -D WITH_UN $(CFLAGS)
+CFLAGS := -g  -fPIC -O2 -fno-strict-aliasing -c -pthread -DWITHSPLICE -D_GNU_SOURCE -DGETHOSTBYNAME_R -D_THREAD_SAFE -D_REENTRANT -DNOODBC  -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_NETFILTER $(CFLAGS)
 COUT = -o 
 LN ?= ${CC}
 DCFLAGS ?= 
@ -34,7 +32,7 @@ MAKEFILE = Makefile.Linux
 #LIBS = -lcrypto -lssl -ldl 
 LIBS ?= -ldl 
 #PLUGINS = SSLPlugin StringsPlugin TrafficPlugin PCREPlugin TransparentPlugin PamAuth
-PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin FilePlugin
+PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin
 OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -otestssl testssl.o -lcrypto -lssl 2>/dev/null && rm testssl testssl.o && echo true||echo false)
 ifeq ($(OPENSSL_CHECK), true)
    LIBS += -l crypto -l ssl
@ -63,15 +61,14 @@ INSTALL		= /usr/bin/install
 INSTALL_BIN	= $(INSTALL) -m 755
 INSTALL_DATA	= $(INSTALL) -m 644
 INSTALL_OBJS	= bin/3proxy \
-		  bin/$(CRYPT_PREFIX)crypt \
+		  bin/ftppr \
-		  bin/$(PREFIX)ftppr \
+		  bin/mycrypt \
-		  bin/$(PREFIX)pop3p \
+		  bin/pop3p \
-		  bin/$(PREFIX)proxy \
+		  bin/proxy \
-		  bin/$(PREFIX)smtpp \
+		  bin/socks \
-		  bin/$(PREFIX)socks \
+		  bin/tcppm \
-		  bin/$(PREFIX)tcppm \
+		  bin/udppm \
-		  bin/$(PREFIX)tlspr \
+		  bin/tlspr
 		  bin/$(PREFIX)udppm
 INSTALL_CFG	 = scripts/3proxy.cfg.chroot
@ -85,7 +82,8 @@ INSTALL_SYSTEMD_SCRIPT = scripts/3proxy.service
 CHROOTDIR	= $(DESTDIR)$(chroot_prefix)/3proxy
 CHROOTREL	= ../..$(chroot_prefix)/3proxy
-MANDIR5		= $(DESTDIR)$(man_prefix)/man/man5
+MANDIR1		= $(DESTDIR)$(man_prefix)/man/man1
 MANDIR3		= $(DESTDIR)$(man_prefix)/man/man3
 MANDIR8		= $(DESTDIR)$(man_prefix)/man/man8
 BINDIR		= $(DESTDIR)$(exec_prefix)/bin
 ETCDIR		= $(DESTDIR)/etc/3proxy
@ -128,14 +126,10 @@ install-etc: install-etc-dir install-etc-default-config
 	done;
 install-man:
-	$(INSTALL_BIN) -d $(MANDIR5)
+	$(INSTALL_BIN) -d $(MANDIR3)
 	$(INSTALL_BIN) -d $(MANDIR8)
-	$(INSTALL_DATA) man/3proxy.cfg.5 $(MANDIR5)
+	$(INSTALL_DATA) man/*.3 $(MANDIR3)
-	$(INSTALL_DATA) man/3proxy.8 $(MANDIR8)
+	$(INSTALL_DATA) man/*.8 $(MANDIR8)
 	for f in proxy socks pop3p smtpp ftppr tcppm udppm tlspr; do \
 	  if [ -f man/$$f.8 ]; then $(INSTALL_DATA) man/$$f.8 $(MANDIR8)/$(PREFIX)$$f.8; fi; \
 	done
 	$(INSTALL_DATA) man/3proxy_crypt.8 $(MANDIR8)
 install-init:
 	$(INSTALL_BIN) -d $(INITDDIR)
--- a/Makefile.Solaris
+++ b/Makefile.Solaris
@ -6,7 +6,7 @@
 # library support. Add -DSAFESQL for poorely written ODBC library / drivers.
 BUILDDIR = ../bin/
-CC ?= cc
+CC = cc
 CFLAGS = -xO3 -c -D_SOLARIS -D_THREAD_SAFE -DGETHOSTBYNAME_R -D_REENTRANT -DNOODBC  -DFD_SETSIZE=4096 -DWITH_POLL
 COUT = -o ./
 LN = $(CC)
--- a/Makefile.Solaris-gcc
+++ b/Makefile.Solaris-gcc
@ -0,0 +1,36 @@
 #
 # 3 proxy Makefile for Solaris/gcc
 #
 #
 # remove -DNOODBC from CFLAGS and add -lodbc to LDFLAGS to compile with ODBC
 # library support. Add -DSAFESQL for poorely written ODBC library / drivers.
 BUILDDIR = ../bin/
 CC = gcc
 CFLAGS = -O2 -fno-strict-aliasing -c -D_SOLARIS -D_THREAD_SAFE -DGETHOSTBYNAME_R -D_REENTRANT -DNOODBC  -DFD_SETSIZE=4096 -DWITH_POLL
 COUT = -o ./
 LN = $(CC)
 LDFLAGS = -O3
 DCFLAGS = -fPIC
 DLFLAGS = -shared
 DLSUFFICS = .ld.so
 LIBS = -lpthread -lsocket -lnsl -lresolv -ldl
 LIBSPREFIX = -l
 LIBSSUFFIX = 
 LNOUT = -o ./
 EXESUFFICS =
 OBJSUFFICS = .o
 DEFINEOPTION = -D
 COMPFILES = *~
 REMOVECOMMAND = rm -f
 AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -executable -delete) || true
 TYPECOMMAND = cat
 COMPATLIBS =
 MAKEFILE = Makefile.Solaris-gcc
 PLUGINS = StringsPlugin TrafficPlugin
 include Makefile.inc
 allplugins:
 	@list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ;	cd ../.. ; done
--- a/Makefile.am
+++ b/Makefile.am
@ -0,0 +1,2 @@
 SUBDIRS = src man
 EXTRA_DIST = doc cfg
--- a/Makefile.debug
+++ b/Makefile.debug
@ -0,0 +1,24 @@
 #
 # 3 proxy Makefile for Microsoft Visual C compiler (for both make and nmake)
 #
 BUILDDIR = ../bin/
 CC = cl
 CFLAGS = /FD /MDd /nologo /W3 /ZI /Wp64 /GS /Gs /RTCsu /EHs- /GA /GF /DEBUG  /D "_DEBUG" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "_WIN32"  /c
 COUT = /Fo
 LN = link
 LDFLAGS = /nologo /subsystem:console /machine:I386 /DEBUG
 LIBS = ws2_32.lib advapi32.lib odbc32.lib user32.lib
 LNOUT = /out:
 EXESUFFICS = .exe
 OBJSUFFICS = .obj
 DEFINEOPTION = /D 
 COMPFILES = *.pch *.idb
 REMOVECOMMAND = del 2>NUL >NUL
 TYPECOMMAND = type
 COMPATLIBS =
 MAKEFILE = Makefile.debug
 include Makefile.inc
 allplugins:
--- a/Makefile.openwrt-mips
+++ b/Makefile.openwrt-mips
@ -0,0 +1,113 @@
 #
 # 3 proxy Makefile for GCC/Linux/Cygwin
 #
 #
 # remove -DNOODBC from CFLAGS and add -lodbc to LIBS to compile with ODBC
 # library support. Add -DSAFESQL for poorely written ODBC library / drivers.
 BUILDDIR = ../bin/
 CC = mips-openwrt-linux-gcc
 CFLAGS ?= -g -O2 -fno-strict-aliasing -c -pthread -DGETHOSTBYNAME_R -D_THREAD_SAFE -D_REENTRANT -DNOODBC  -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_NETFILTER
 COUT = -o 
 LN = $(CC)
 DCFLAGS = -fPIC
 LDFLAGS ?= -O2 -fno-strict-aliasing -pthread -s
 DLFLAGS = -shared
 DLSUFFICS = .ld.so
 # -lpthreads may be reuqired on some platforms instead of -pthreads
 LIBSPREFIX = -l
 LIBSSUFFIX = 
 LNOUT = -o 
 EXESUFFICS =
 OBJSUFFICS = .o
 DEFINEOPTION = -D
 COMPFILES = *~
 REMOVECOMMAND = rm -f
 AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Makefile.var" -delete && find bin/ -type f -executable -delete) || true
 TYPECOMMAND = cat
 COMPATLIBS =
 MAKEFILE = Makefile.openwrt-mips
 # PamAuth requires libpam, you may require pam-devel package to be installed
 # SSLPlugin requires  -lcrypto -lssl
 #LIBS = -lcrypto -lssl -ldl 
 LIBS ?= -ldl 
 #PLUGINS = SSLPlugin StringsPlugin TrafficPlugin PCREPlugin TransparentPlugin PamAuth
 PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin
 OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l crypto -l ssl -o testssl - 2>/dev/null && rm testssl && echo true||echo false)
 ifeq ($(OPENSSL_CHECK), true)
    LIBS += -l crypto -l ssl
    PLUGINS += SSLPlugin
 endif
 PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include <pcre2.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l pcre2-8 -o testpcre - 2>/dev/null && rm testpcre && echo true||echo false)
 ifeq ($(PCRE_CHECK), true)
    PLUGINS += PCREPlugin
 endif
 PAM_CHECK = $(shell echo "\#include <security/pam_appl.h>\\n int main(){return 0;}" | tr -d \\\\ | cc -x c $(CFLAGS) $(LDFLAGS) -l pam -o testpam - 2>/dev/null && rm testpam && echo true||echo false)
 ifeq ($(PAM_CHECK), true)
    PLUGINS += PamAuth
 endif
 include Makefile.inc
 allplugins:
 	@list='$(PLUGINS)'; for p in $$list; do cp Makefile Makefile.var plugins/$$p; cd plugins/$$p ; make ;	cd ../.. ; done
 DESTDIR		=
 prefix		= /usr/local
 exec_prefix	= $(prefix)
 man_prefix	= $(prefix)/share
 INSTALL		= /usr/bin/install
 INSTALL_BIN	= $(INSTALL) -m 755
 INSTALL_DATA	= $(INSTALL) -m 644
 INSTALL_OBJS	= src/3proxy \
 		  src/ftppr \
 		  src/mycrypt \
 		  src/pop3p \
 		  src/proxy \
 		  src/socks \
 		  src/tcppm \
 		  src/udppm
 INSTALL_CFG_OBJS = scripts/3proxy.cfg \
 		   scripts/add3proxyuser.sh
 INSTALL_CFG_DEST = config
 INSTALL_CFG_OBJS2 = passwd counters bandlimiters
 MANDIR1		= $(DESTDIR)$(man_prefix)/man/man1
 MANDIR3		= $(DESTDIR)$(man_prefix)/man/man3
 MANDIR8		= $(DESTDIR)$(man_prefix)/man/man8
 BINDIR		= $(DESTDIR)$(exec_prefix)/bin
 ETCDIR		= $(DESTDIR)$(prefix)/etc/3proxy
 install-bin:
 	$(INSTALL_BIN) -d $(BINDIR)
 	$(INSTALL_BIN) -s $(INSTALL_OBJS) $(BINDIR)
 install-etc-dir:
 	$(INSTALL_BIN) -d $(ETCDIR)
 install-etc-default-config:
 	if [ -f $(ETCDIR)/$(INSTALL_CFG_DEST) ]; then \
 	   : ; \
 	else \
 	   $(INSTALL_DATA) $(INSTALL_CFG_OBJS) $(ETCDIR)/$(INSTALL_CFG_DEST) \
 	fi
 install-etc: install-etc-dir
 	for file in $(INSTALL_CFG_OBJS2); \
 	do \
 	  touch $(ETCDIR)/$$file; chmod 0600 $(ETCDIR)/$$file; \
 	done;
 install-man:
 	$(INSTALL_BIN) -d $(MANDIR3)
 	$(INSTALL_BIN) -d $(MANDIR8)
 	$(INSTALL_DATA) man/*.3 $(MANDIR3)
 	$(INSTALL_DATA) man/*.8 $(MANDIR8)
 install: install-bin install-etc install-man
--- a/Makefile.unix
+++ b/Makefile.unix
@ -6,13 +6,10 @@
 # library support. Add -DSAFESQL for poorely written ODBC library / drivers.
 BUILDDIR = ../bin/
 PREFIX ?= 3proxy_
 CRYPT_PREFIX ?= $(PREFIX)
 MANDIR ?= /usr/share/man
 CC ?= gcc
 # you may need -L/usr/pkg/lib for older NetBSD versions
-CFLAGS := -g -O2 -fno-strict-aliasing -c -pthread -D_THREAD_SAFE -D_REENTRANT -DNOODBC  -DFD_SETSIZE=4096 -DWITH_POLL -DWITH_UN $(CFLAGS)
+CFLAGS := -g -O2 -fno-strict-aliasing -c -pthread -D_THREAD_SAFE -D_REENTRANT -DNOODBC  -DFD_SETSIZE=4096 -DWITH_POLL $(CFLAGS)
 COUT = -o 
 LN ?= $(CC)
 LDFLAGS ?= -O2 -fno-strict-aliasing -pthread
@ -34,7 +31,7 @@ AFTERCLEAN = (find . -type f -name "*.o" -delete && find src/ -type f -name "Mak
 TYPECOMMAND = cat
 COMPATLIBS =
 MAKEFILE = Makefile.unix
-PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin FilePlugin
+PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin
 OPENSSL_CHECK = $(shell echo "\#include <openssl/ssl.h>\\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -otestssl testssl.o -lcrypto -lssl 2>/dev/null && rm testssl testssl.o && echo true||echo false)
 ifeq ($(OPENSSL_CHECK), true)
    LIBS += -l crypto -l ssl
@ -54,25 +51,14 @@ include Makefile.inc
 install: all
    if [ ! -d "/usr/local/3proxy/bin" ]; then mkdir -p /usr/local/3proxy/bin/; fi
    install bin/3proxy /usr/local/3proxy/bin/3proxy
-	install bin/$(CRYPT_PREFIX)crypt /usr/local/3proxy/bin/$(CRYPT_PREFIX)crypt
+    install bin/mycrypt /usr/local/3proxy/bin/mycrypt
 	for f in proxy socks pop3p smtpp ftppr tcppm udppm tlspr; do \
 	  if [ -f bin/$(PREFIX)$$f ]; then install bin/$(PREFIX)$$f /usr/local/3proxy/bin/$(PREFIX)$$f; fi; \
 	done
    install scripts/rc.d/3proxy /usr/local/etc/rc.d/3proxy
    install scripts/add3proxyuser.sh /usr/local/3proxy/bin/
-	if [ -s /usr/local/etc/3proxy/3proxy.cfg ]; then echo /usr/local/3proxy/3proxy.cfg already exists; else install scripts/3proxy.cfg /usr/local/etc/3proxy/; fi
+    if [ -s /usr/local/etc/3proxy/3proxy.cfg ]; then /usr/local/3proxy/3proxy.cfg already exists ; else install scripts/3proxy.cfg /usr/local/etc/3proxy/; fi
    if [ ! -d /var/log/3proxy/ ]; then mkdir /var/log/3proxy/; fi
    touch /usr/local/3proxy/passwd
    touch /usr/local/3proxy/counters
    touch /usr/local/3proxy/bandlimiters
 	install -d $(MANDIR)/man8
 	install -m 644 man/3proxy.8 $(MANDIR)/man8/3proxy.8
 	for f in proxy socks pop3p smtpp ftppr tcppm udppm tlspr; do \
 	  if [ -f man/$$f.8 ]; then install -m 644 man/$$f.8 $(MANDIR)/man8/$(PREFIX)$$f.8; fi; \
 	done
 	install -m 644 man/3proxy_crypt.8 $(MANDIR)/man8
 	install -d $(MANDIR)/man5
 	install -m 644 man/3proxy.cfg.5 $(MANDIR)/man5/3proxy.cfg.5
    echo Run /usr/local/3proxy/bin/add3proxyuser.sh to add \'admin\' user
 allplugins:
--- a/Makefile.win
+++ b/Makefile.win
@ -26,7 +26,7 @@ REMOVECOMMAND = rm -f
 TYPECOMMAND = cat
 COMPATLIBS =
 MAKEFILE = Makefile.win
-PLUGINS := utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin FilePlugin
+PLUGINS := utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin
 VERFILE := 3proxyres.o $(VERFILE)
 VERSION := $(VERSION)
 VERSIONDEP := 3proxyres.o $(VERSIONDEP)
--- a/276
+++ b/276
@ -0,0 +1,276 @@
 # 3APA3A 3proxy tiny proxy server
 (c) 2002-2025 by Vladimir '3APA3A' Dubrovin <3proxy@3proxy.org>
 Branches:
 Master (stable) branch - 3proxy 0.9 
 Devel branch - 3proxy 10 (don't use it)
 * Download
 	Binaries and sources for released (master) versions (Windows, Linux):
 	https://github.com/z3APA3A/3proxy/releases
 	Docker images:
 	https://hub.docker.com/r/3proxy/3proxy
 	Archive of old versions: https://github.com/z3APA3A/3proxy-archive
 * Documentation
 	Documentation (man pages and HTML) available with download, on https://3proxy.org/
 	and in github wiki https://github.com/3proxy/3proxy/wiki
 * Windows installation
 3proxy [path_to_config_file] --install 
 	installs and starts proxy as Windows service
 	(config file should be located in the same directory or may be optionally specified)
 3proxy --remove 
 	removes the service (should be stopped before via
 	'net stop 3proxy').
 * To build in Linux
 With Makefile:
 git clone https://github.com/z3apa3a/3proxy
 cd 3proxy
 ln -s Makefile.Linux Makefile
 make
 sudo make install
 Default configuration (for Linux/Unix):
 3proxy uses 2 configuration files:
 /etc/3proxy/3proxy.cfg (before-chroot). This configuration file is executed before chroot and should not be modified.
 /usr/local/3proxy/conf/3proxy.cfg symlinked from /etc/3proxy/conf/3proxy.cfg (after-chroot) is a main configuration file. Modify this file, if required.
 All paths in /usr/local/3proxy/conf/3proxy.cfg are relative to chroot directory (/usr/local/3proxy). For future versions it's planned to move
 3proxy chroot direcory to /var.
 Log files are created in /usr/local/3proxy/logs symlinked from /var/log/3proxy.
 By default, socks is started on 0.0.0.0:1080 and proxy on 0.0.0.0:3128 with basic auth, no users are added by default.
 use /etc/3proxy/conf/add3proxyuser.sh script to add users.
 usage: /etc/3proxy/conf/add3proxyuser.sh username password [day_limit] [bandwidth]
        day_limit - traffic limit in MB per day
        bandwidth - bandwith in bits per second 1048576 = 1Mbps
 or modify /etc/3proxy/conf/ files directly.
 With CMake:
 git clone https://github.com/z3apa3a/3proxy
 cd 3proxy
 mkdir build && cd build
 cmake ..
 cmake --build .
 sudo cmake --install .
 CMake does not use chroot configuration, config file is /etc/3proxy/3proxy.cfg
 * For MacOS X / FreeBSD / *BSD
 With Makefile:
 git clone https://github.com/z3apa3a/3proxy
 cd 3proxy
 ln -s Makefile.FreeBSD Makefile
 make
 (binaries are in bin/ directory)
 With CMake (recommended):
 git clone https://github.com/z3apa3a/3proxy
 cd 3proxy
 mkdir build && cd build
 cmake ..
 cmake --build .
 sudo cmake --install .
 This installs binaries to /usr/local/bin/, configuration to /etc/3proxy/,
 plugins to /usr/local/lib/3proxy/, rc scripts to rc.d for BSD and launchd plist to /Library/LaunchDaemons/ for MacOS.
 Service management on macOS:
 # Load and start service
 sudo launchctl load /Library/LaunchDaemons/org.3proxy.3proxy.plist
 # Stop service
 sudo launchctl stop org.3proxy.3proxy
 # Start service
 sudo launchctl start org.3proxy.3proxy
 # Unload and disable service
 sudo launchctl unload /Library/LaunchDaemons/org.3proxy.3proxy.plist
 Features:
  1. General
 	+ IPv6 support for incoming and outgoing connection,
 	  can be used as a proxy between IPv4 and IPv6 networks
 	  in either direction.
 	+ HTTP/1.1 Proxy with keep-alive client and server support,
          transparent proxy support.
 	+ HTTPS (CONNECT) proxy (compatible with HTTP/2 / SPDY)
 	+ Anonymous and random client IP emulation for HTTP proxy mode
 	+ FTP over HTTP support.
 	+ DNS caching with built-in resolver
 	+ DNS proxy
 	+ DNS over TCP support, redirecting DNS traffic via parent
 	  proxy
 	+ SOCKSv4/4.5 Proxy
 	+ SOCKSv5 Proxy
 	+ SOCKSv5 UDP and BIND support (fully compatible with
 	  SocksCAP/FreeCAP for UDP)
 	+ Transparent SOCKS redirection for HTTP, POP3, FTP, SMTP
 	+ SNI proxy (based on TLS hostname)
 	+ TLS (SSL) server - may be used as https:// type proxy
 	+ POP3 Proxy
 	+ FTP proxy
 	+ TCP port mapper (port forwarding)
 	+ UDP port mapper (port forwarding)
 	+ SMTP proxy
 	+ Threaded application (no child process).
 	+ Web administration and statistics
 	+ Plugins for functionality extension
 	+ Native 32/64 bit application
  2. Proxy chaining and network connections
 	+ Can be used as a bridge between client and different proxy type
 	  (e.g. convert incoming HTTP proxy request from client to SOCKSv5
 	  request to parent server).
 	+ Connect back proxy support to bypass firewalls
 	+ Parent proxy support for any type of incoming connection
 	+ Username/password authentication for parent proxy(s).
 	+ HTTPS/SOCKS4/SOCKS5 and ip/port redirection parent support
 	+ Random parent selection
 	+ Chain building (multihop proxing)
 	+ Load balancing between few network connections by choosing network
 	  interface
  3. Logging
 	+ tuneable log format compatible with any log parser
 	+ stdout logging
 	+ file logging
 	+ syslog logging (Unix)
 	+ ODBC logging
 	+ RADIUS accounting
 	+ log file rotation
 	+ automatic log file processing with external archiver (for files)
 	+ Character filtering for log files
 	+ different log files for different servces are supported
  4. Access control
 	+ ACL-driven Access control by username, source IP,
 	destination IP/hostname, destination port and destination action
 	(POST, PUT, GET, etc), weekday and daytime.
 	+ ACL-driven (user/source/destination/protocol/weekday/daytime or
 	combined) bandwith limitation for incoming and (!)outgoing trafic.
 	+ ACL-driven traffic limitation per day, week or month for incoming and
 	outgoing traffic
 	+ Connection limitation and ratelimting
 	+ User authentication by username / password
 	+ RADIUS Authentication and Authorization
 	+ User authentication by DNS hostname
 	+ Authentication cache with possibility to limit user to single IP address
 	+ Access control by username/password for SOCKSv5 and HTTP/HTTPS/FTP
 	+ Cleartext or encrypted (crypt/MD5 or NT) passwords.
 	+ Connection redirection
 	+ Access control by requested action (CONNECT/BIND, 
 	  HTTP GET/POST/PUT/HEAD/OTHER).
 	+ All access control entries now support weekday and time limitations
 	+ Hostnames and * templates are supported instead of IP address
  5. Extensions
 	+ Regular expression filtering (with PCRE2) via PCREPlugin
 	+ Authentication with Windows username/password (cleartext only)
 	+ SSL/TLS decryptions with certificate spoofing
 	+ Transparent redirection support for Linux and *BSD
  6. Configuration
 	+ support for configuration files
 	+ support for includes in configuration files
 	+ interface binding
 	+ socket options
 	+ running as daemon process
 	+ utility for automated networks list building
 	+ configuration reload on any file change
     Unix
 	+ support for chroot
 	+ support for setgid
 	+ support for setuid
 	+ support for signals (SIGUSR1 to reload configuration)
     Windows
 	+ support --install as service
 	+ support --remove as service
 	+ support for service START, STOP, PAUSE and CONTINUE commands (on
 	PAUSE no new connection accepted, but active connections still in
 	progress, on CONTINUE configuration is reloaded)
     Windows 95/98/ME
 	+ support --install as service
 	+ support --remove as service
  6. Compilation
 	+ MSVC (static)
 	+ OpenWatcom (static)
 	+ Intel Windows Compiler (msvcrt.dll)
 	+ Windows/gcc (msvcrt.dll)
 	+ Cygwin/gcc (cygwin.dll)
 	+ Unix/gcc
 	+ Unix/ccc
 	+ Solaris
 	+ Mac OS X, iPhone OS
 	+ Linux and derivered systems
 	+ Lite version for Windows 95/98/NT/2000/XP/2003
 	+ 32 bit and 64 bit versions for Windows Vista and above, Windows 2008 server and above 
 3proxy    	Combined proxy server may be used as
 		executable or service (supports installation and removal).
 		It uses config file to read it's configuration (see
 		3proxy.cfg.sample for details).
 		3proxy.exe is all-in-one, it doesn't require all others .exe
 		to work.
 		See 3proxy.cfg.sample for examples, see man 3proxy.cfg
 proxy    	HTTP proxy server, binds to port 3128
 ftppr    	FTP proxy server, binds to port 21
 socks    	SOCKS 4/5 proxy server, binds to port 1080
 ftppr		FTP proxy server, please do not mess it with FTP over HTTP
 		proxy used in browsers
 pop3p    	POP3 proxy server, binds to port 110. You must specify
 		POP3 username as username@target.host.ip[:port]
 		port is 110 by default.
 		Exmple: in Username configuration for you e-mail reader
 		set someuser@pop.example.org, to obtains mail for someuser
 		from pop.somehost.ru via proxy.
 smtpp    	SMTP proxy server, binds to port 25. You must specify
 		SMTP username as username@target.host.ip[:port]
 		port is 25 by default.
 		Exmple: in Username configuration for you e-mail reader
 		set someuser@mail.example.org, to send mail as someuser
 		via mail.somehost.ru via proxy.
 tcppm    	TCP port mapping. Maps some TCP port on local machine to
 		TCP port on remote host.
 tlspr    	TLS proxy (SNI proxy) - sniffs hostname from TLS handshake
 udppm    	UDP port mapping. Maps some UDP port on local machine to
 		UDP port on remote machine. Only one user simulationeously
 		can use UDP mapping, so it cann't be used for public service
 		in large networks. It's OK to use it to map to DNS server
 		in small network or to map Counter-Strike server for single
 		client (you can use few mappings on different ports for
 		different clients in last case).
 mycrypt    	Program to obtain crypted password fro cleartext. Supports
 		both MD5/crypt and NT password.
 			mycrypt password
 		produces NT password
 			mycrypt salt password
 		produces MD5/crypt password with salt "salt".
 Run utility with --help option for command line reference.
 Latest version is available from https://3proxy.org/
 Want to donate the project? https://3proxy.org/donations/
--- a/README.md
+++ b/README.md
@ -1,303 +0,0 @@
 # 3APA3A 3proxy tiny proxy server
 (c) 2002-2025 by Vladimir '3APA3A' Dubrovin <3APA3A@security.nnov.ru>
 ## Branches
 - **Master** (stable) branch - 3proxy 0.9
 - **Devel** branch - 3proxy 10 (don't use it)
 ## Download
 Binaries and sources for released (master) versions (Windows, Linux):
 https://github.com/z3APA3A/3proxy/releases
 Docker images:
 https://hub.docker.com/r/3proxy/3proxy
 Archive of old versions:
 https://github.com/z3APA3A/3proxy-archive
 ## Documentation
 Documentation (man pages and HTML) available with download, on https://3proxy.org/ and in github wiki https://github.com/3proxy/3proxy/wiki
 ## Windows Installation
 Install and start proxy as Windows service:
 ```bash
 3proxy [path_to_config_file] --install
 ```
 Config file should be located in the same directory or may be optionally specified.
 Remove the service (should be stopped before via `net stop 3proxy`):
 ```bash
 3proxy --remove
 ```
 ## Building on Linux
 ### With Makefile
 ```bash
 git clone https://github.com/z3apa3a/3proxy
 cd 3proxy
 ln -s Makefile.Linux Makefile
 make
 sudo make install
 ```
 ### Default Configuration (Linux/Unix)
 3proxy uses 2 configuration files:
 - `/etc/3proxy/3proxy.cfg` (before-chroot) - This configuration file is executed before chroot and should not be modified.
 - `/usr/local/3proxy/conf/3proxy.cfg` symlinked from `/etc/3proxy/conf/3proxy.cfg` (after-chroot) - Main configuration file. Modify this file if required.
 All paths in `/usr/local/3proxy/conf/3proxy.cfg` are relative to chroot directory (`/usr/local/3proxy`). For future versions it's planned to move 3proxy chroot directory to `/var`.
 Log files are created in `/usr/local/3proxy/logs` symlinked from `/var/log/3proxy`.
 By default, socks is started on 0.0.0.0:1080 and proxy on 0.0.0.0:3128 with basic auth, no users are added by default.
 ### Adding Users
 Use `/etc/3proxy/conf/add3proxyuser.sh` script to add users:
 ```bash
 /etc/3proxy/conf/add3proxyuser.sh username password [day_limit] [bandwidth]
 ```
 Parameters:
 - `day_limit` - traffic limit in MB per day
 - `bandwidth` - bandwidth in bits per second (1048576 = 1Mbps)
 Or modify `/etc/3proxy/conf/` files directly.
 ### With CMake
 ```bash
 git clone https://github.com/z3apa3a/3proxy
 cd 3proxy
 mkdir build && cd build
 cmake ..
 cmake --build .
 sudo cmake --install .
 ```
 CMake does not use chroot configuration, config file is `/etc/3proxy/3proxy.cfg`
 ## MacOS X / FreeBSD / *BSD
 ### With Makefile
 ```bash
 git clone https://github.com/z3apa3a/3proxy
 cd 3proxy
 ln -s Makefile.FreeBSD Makefile
 make
 ```
 Binaries are in `bin/` directory.
 ### With CMake (recommended)
 ```bash
 git clone https://github.com/z3apa3a/3proxy
 cd 3proxy
 mkdir build && cd build
 cmake ..
 cmake --build .
 sudo cmake --install .
 ```
 This installs:
 - Binaries to `/usr/local/bin/`
 - Configuration to `/etc/3proxy/`
 - Plugins to `/usr/local/lib/3proxy/`
 - rc scripts to `rc.d` for BSD
 - launchd plist to `/Library/LaunchDaemons/` for MacOS
 ### Service Management on macOS
 ```bash
 # Load and start service
 sudo launchctl load /Library/LaunchDaemons/org.3proxy.3proxy.plist
 # Stop service
 sudo launchctl stop org.3proxy.3proxy
 # Start service
 sudo launchctl start org.3proxy.3proxy
 # Unload and disable service
 sudo launchctl unload /Library/LaunchDaemons/org.3proxy.3proxy.plist
 ```
 ## Features
 ### 1. General
 - IPv4 / IPv6 support for incoming and outgoing connection, can be used as a proxy between IPv4 and IPv6 networks in either direction
 - Unix domain sockets support
 - HTTP/1.1 Proxy with keep-alive client and server support, transparent proxy support
 - HTTPS (CONNECT) proxy (compatible with HTTP/2 / SPDY)
 - Anonymous and random client IP emulation for HTTP proxy mode
 - FTP over HTTP support
 - DNS caching with built-in resolver
 - DNS proxy
 - DNS over TCP support, redirecting DNS traffic via parent proxy
 - SOCKSv4/4.5 Proxy
 - SOCKSv5 Proxy
 - SOCKSv5 UDP and BIND support (fully compatible with SocksCAP/FreeCAP for UDP)
 - Transparent SOCKS redirection for HTTP, POP3, FTP, SMTP
 - SNI proxy (based on TLS hostname)
 - TLS (SSL) server and client, 3proxy may be used as https:// type proxy or stunnel replacement
 - POP3 Proxy
 - FTP proxy
 - TCP port mapper (port forwarding)
 - UDP port mapper (port forwarding)
 - SMTP proxy
 - Threaded application (no child process)
 - Web administration and statistics
 - Plugins for functionality extension
 - Native 32/64 bit application
 ### 2. Proxy Chaining and Network Connections
 - Can be used as a bridge between client and different proxy type (e.g. convert incoming HTTP proxy request from client to SOCKSv5 request to parent server)
 - Connect back proxy support to bypass firewalls
 - Parent proxy support for any type of incoming connection
 - Username/password authentication for parent proxy(s)
 - HTTPS/SOCKS4/SOCKS5 and ip/port redirection parent support
 - Random parent selection
 - Chain building (multihop proxing)
 - Load balancing between few network connections by choosing network interface
 ### 3. Logging
 - Tuneable log format compatible with any log parser
 - stdout logging
 - File logging
 - Syslog logging (Unix)
 - ODBC logging
 - RADIUS accounting
 - Log file rotation
 - Automatic log file processing with external archiver (for files)
 - Character filtering for log files
 - Different log files for different services are supported
 ### 4. Access Control
 - ACL-driven Access control by username, source IP, destination IP/hostname, destination port and destination action (POST, PUT, GET, etc), weekday and daytime
 - ACL-driven (user/source/destination/protocol/weekday/daytime or combined) bandwidth limitation for incoming and (!)outgoing traffic
 - ACL-driven traffic limitation per day, week or month for incoming and outgoing traffic
 - Connection limitation and ratelimiting
 - User authentication by username / password
 - RADIUS Authentication and Authorization
 - User authentication by DNS hostname
 - Authentication cache with possibility to limit user to single IP address
 - Access control by username/password for SOCKSv5 and HTTP/HTTPS/FTP
 - Cleartext or encrypted passwords
 - Connection redirection
 - Access control by requested action (CONNECT/BIND, HTTP GET/POST/PUT/HEAD/OTHER)
 - All access control entries now support weekday and time limitations
 - Hostnames and * templates are supported instead of IP address
 ### 5. Extensions
 - Regular expression filtering (with PCRE2) via PCREPlugin
 - Authentication with Windows username/password (cleartext only)
 - SSL/TLS decryptions with certificate spoofing
 - Transparent redirection support for Linux and *BSD
 ### 6. Configuration
 - Support for configuration files
 - Support for includes in configuration files
 - Interface binding
 - Socket options
 - Running as daemon process
 - Utility for automated networks list building
 - Configuration reload on any file change
 **Unix:**
 - Support for chroot
 - Support for setgid
 - Support for setuid
 - Support for signals (SIGUSR1 to reload configuration)
 **Windows:**
 - Support `--install` as service
 - Support `--remove` as service
 - Support for service START, STOP, PAUSE and CONTINUE commands (on PAUSE no new connection accepted, but active connections still in progress, on CONTINUE configuration is reloaded)
 **Windows 95/98/ME:**
 - Support `--install` as service
 - Support `--remove` as service
 ### 7. Compilation
 - MSVC (static)
 - OpenWatcom (static)
 - Intel Windows Compiler (msvcrt.dll)
 - Windows/gcc (msvcrt.dll)
 - Cygwin/gcc (cygwin.dll)
 - Unix/gcc
 - Unix/ccc
 - Solaris
 - Mac OS X, iPhone OS
 - Linux and derived systems
 - Lite version for Windows 95/98/NT/2000/XP/2003
 - 32 bit and 64 bit versions for Windows Vista and above, Windows 2008 server and above
 ## Executables
 ### 3proxy
 Combined proxy server may be used as executable or service (supports installation and removal). It uses config file to read its configuration (see `3proxy.cfg.sample` for details). `3proxy.exe` is all-in-one, it doesn't require all others .exe to work. See `3proxy.cfg.sample` for examples, see `man 3proxy.cfg`
 ### proxy
 HTTP proxy server, binds to port 3128
 ### ftppr
 FTP proxy server, binds to port 21. Please do not mess it with FTP over HTTP proxy used in browsers
 ### socks
 SOCKS 4/5 proxy server, binds to port 1080
 ### pop3p
 POP3 proxy server, binds to port 110. You must specify POP3 username as `username@popserver[:port]` (port is 110 by default).
 Example: in Username configuration for your e-mail reader set `someuser@pop.somehost.ru`, to obtain mail for someuser from pop.somehost.ru via proxy.
 ### smtpp
 SMTP proxy server, binds to port 25. You must specify SMTP username as `username@smtpserver[:port]` (port is 25 by default).
 Example: in Username configuration for your e-mail reader set `someuser@mail.somehost.ru`, to send mail as someuser via mail.somehost.ru via proxy.
 ### tcppm
 TCP port mapping. Maps some TCP port on local machine to TCP port on remote host.
 ### tlspr
 TLS proxy (SNI proxy) - sniffs hostname from TLS handshake
 ### udppm
 UDP port mapping. Maps some UDP port on local machine to UDP port on remote machine. Only one user simultaneously can use UDP mapping, so it can't be used for public service in large networks. It's OK to use it to map to DNS server in small network or to map Counter-Strike server for single client (you can use few mappings on different ports for different clients in last case).
 ### 3proxy_crypt
 Program to obtain crypted password for cleartext. Supports both salted and NT password.
 ```bash
 3proxy_crypt password          # produces NT password
 3proxy_crypt salt password     # produces password hash with salt "salt"
 ```
 ---
 Run utility with `--help` option for command line reference.
 Latest version is available from https://3proxy.org/
 Want to donate the project? https://3proxy.org/donations/
--- a/cfg/3proxy.cfg.sample
+++ b/cfg/3proxy.cfg.sample
@ -2,7 +2,7 @@
 # Yes, 3proxy.cfg can be executable, in this case you should place
 # something like
 #config /usr/local/3proxy/3proxy.cfg
-# to show which configuration 3proxy should re-read on reload.
+# to show which configuration 3proxy should re-read on realod.
 #system "echo Hello world!"
 # you may use system to execute some external command if proxy starts
@ -24,7 +24,7 @@ timeouts 1 5 30 60 180 1800 15 60
 # Here we can change timeout values
 users 3APA3A:CL:3apa3a "test:CR:$1$qwer$CHFTUFGqkjue9HyhcMHEe1"
-# note that "" required, otherwise $... is treated as include file name.
+# note that "" required, overvise $... is treated as include file name.
 # $1$qwer$CHFTUFGqkjue9HyhcMHEe1 is 'test' in MD5 crypt format.
 #users $/usr/local/etc/3proxy/passwd
 # this example shows you how to include passwd file. For included files
@ -39,7 +39,7 @@ service
 #log /var/log/3proxy/log D
 log c:\3proxy\logs\3proxy.log D
-# log allows you to specify log file location and rotation, D means logfile
+# log allows to specify log file location and rotation, D means logfile
 # is created daily
 #logformat "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
@ -60,7 +60,7 @@ log c:\3proxy\logs\3proxy.log D
 #
 #Compatible with ISA 2000/2004 firewall FWSEXTD.log (fields are TAB-delimited):
 #
-#"-	+ L%C	%U	unknown:0:0.0	N	%Y-%m-%d	%H:%M:%S	fwsrv	3PROXY	-	%n	%R	%r	%D	%O	%I	%r	TCP	Connect	-	-	-	%E	-	-	-	-	-"
+#"-	+ L%C	%U	unnknown:0:0.0	N	%Y-%m-%d	%H:%M:%S	fwsrv	3PROXY	-	%n	%R	%r	%D	%O	%I	%r	TCP	Connect	-	-	-	%E	-	-	-	-	-"
 #
 #Compatible with HTTPD standard log (Apache and others)
 #
@ -90,7 +90,7 @@ auth iponly
 # auth specifies type of user authentication. If you specify none proxy
 # will not do anything to check name of the user. If you specify
 # nbname proxy will send NetBIOS name request packet to UDP/137 of
-# client and parse request for NetBIOS name of messenger service.
+# client and parse request for NetBIOS name of messanger service.
 # Strong means that proxy will check password. For strong authentication
 # unknown user will not be allowed to use proxy regardless of ACL.
 # If you do not want username to be checked but wanna ACL to work you should
@ -102,7 +102,7 @@ auth iponly
 #parent 1000 http 192.168.1.2 80 * * * 80
 #allow * 192.168.1.0/24 * 25,53,110,20-21,1024-65535
 # we will allow everything if username matches ADMINISTRATOR or root or
-# client ip is 127.0.0.1 or 192.168.1.1. Otherwise we will redirect any request
+# client ip is 127.0.0.1 or 192.168.1.1. Overwise we will redirect any request
 # to port 80 to our Web-server 192.168.0.2.
 # We will allow any outgoing connections from network 192.168.1.0/24 to
 # SMTP, POP3, FTP, DNS and unprivileged ports.
@ -124,7 +124,7 @@ internal 192.168.1.1
 # have open proxy in your network in this case.
 auth none
-# no authentication is required
+# no authentication is requires
 dnspr
@ -134,7 +134,7 @@ dnspr
 #external $./external.ip
 #internal $./internal.ip
-# this is just an alternative form for giving external and internal address
+# this is just an alternative form fo giving external and internal address
 # allows you to read this addresses from files
 auth none
@ -149,7 +149,7 @@ tcppm 25 mail.my.provider 25
 # Now we can use our proxy as SMTP and DNS server.
 # -s switch for UDP means "single packet" service - instead of setting
 # association for period of time association will only be set for 1 packet.
-# It's very useful for services like DNS but not for some massive services
+# It's very userfull for services like DNS but not for some massive services
 # like multimedia streams or online games.
 auth strong
@ -158,7 +158,7 @@ internal 127.0.0.1
 allow 3APA3A 127.0.0.1
 maxconn 3
 admin
-#only allow access to admin interface for user 3APA3A from 127.0.0.1 address
+#only allow acces to admin interface for user 3APA3A from 127.0.0.1 address
 #via 127.0.0.1 address.
 # map external 80 and 443 ports to internal Web server
@ -178,14 +178,14 @@ admin
 #chroot /usr/local/jail
 #setgid 65535
 #setuid 65535
-# now we no longer need root rights. We can chroot and setgid/setuid.
+# now we needn't any root rights. We can chroot and setgid/setuid.
 auth strong
 flush
 # We want to protect internal interface
 deny * * 127.0.0.1,192.168.1.1
-# and allow HTTP and HTTPS traffic.
+# and llow HTTP and HTTPS traffic.
 allow * * * 80-88,8080-8088 HTTP
 allow * * * 443,8443 HTTPS
 proxy -n
--- a/debian/3proxy.manpages
+++ b/debian/3proxy.manpages
@ -1,11 +1,10 @@
 man/3proxy.8
-man/3proxy.cfg.5
+man/3proxy.cfg.3
-man/3proxy_ftppr.8
+man/ftppr.8
-man/3proxy_pop3p.8
+man/pop3p.8
-man/3proxy_tlspr.8
+man/tlspr.8
-man/3proxy_proxy.8
+man/proxy.8
-man/3proxy_smtpp.8
+man/smtpp.8
-man/3proxy_socks.8
+man/socks.8
-man/3proxy_tcppm.8
+man/tcppm.8
-man/3proxy_udppm.8
+man/udppm.8
 man/3proxy_crypt.8
--- a/doc/changelog/0/7/0
+++ b/doc/changelog/0/7/0
@ -1,26 +0,0 @@
 3proxy 0.7
 This release is partially forced: while no new significant functions are
 added, 0.7 is code is much more stable and less buggy than 0.6. Since
 there is no new development for a long time, except few minor bugfixes,
 I decided to finally release 0.7. You may want it if you:
    Use HTTP proxy
    Use 3proxy under *BSD/Mac OS X/iPhone OS
    Use plugins, specially traffic related ones, like PCRE.
 I have no time for active developement. There are interesting features
 in nearly ready state, e.g. SSL support / SSL decryption via
 certificates spoofing, NAT support and SSL auto-detection. You can step
 into development, if you are interested.
 There are some configuration changes:
    auth iponly is now default (because most misconfigurations were
    because of default auth none)
    maxconn is now 500 by default (because WebKit browsers ignore
    standards and create a lot of connections even if proxy is configured)
    NTLM is disabled by default (-n options, -n1 to enable) because
    NTLMv1 is disabled by default in Windows since Vista and there is no
    NTLMv2 library with compatible license. Report me, if any.
--- a/doc/changelog/0/7/1
+++ b/doc/changelog/0/7/1
@ -1,35 +0,0 @@
 3proxy-0.7.1.4
 !! Fix transparent flag not reset after keep-alive connection, can lead to
 3proxy-0.7.1.3
 ! traffic displayed incorrectly
 ! archiver doesn't add suffix if logname contains macro
 ! fix potential race condition on configuration reload
 ! fix FTP over HTTP authentication
 3proxy-0.7.1.2
 ! Request / header size limitation relaxed for HTTP proxy
 3proxy 0.7.1.1
 ! Linux compilation issues resolved
 3proxy 0.7.1
 Minor improvements and bugfixes:
 + Windows icons added
 + Warnings added for most common misconfigurations
 + ftppr NLSD command supported
 ! Ignore NTLM handshake if NTLM is not enabled
 !! memcpy replaced with memmove for overlapped region
 ! better EINTR handling on *nix
 ! FTP proxy debugging output removed (introduced in 0.7), binding for data connection corrected
 ! memory leak fixed in ldapauth plugin
--- a/doc/changelog/0/8/0
+++ b/doc/changelog/0/8/0
@ -1,9 +0,0 @@
 + IPv6 support
 + back connect support
 + name resolution over TCP, parent proxy support for dnspr
 + SSLPlugin for TLS/SSL traffic decryption
 ! multiple race conditions fixed
 ! reduced memory usage
 ! Generate Forwarded: header instead of X-Forwarded-For:
 ! Default name resolution is non-blocking in *nix
 ! multiple race conditions fixed on configuration reload
--- a/doc/changelog/0/8/1
+++ b/doc/changelog/0/8/1
@ -1 +0,0 @@
 !!Fix: destination IP may be not checked against ACL
--- a/doc/changelog/0/8/10
+++ b/doc/changelog/0/8/10
@ -1,2 +0,0 @@
 ! Fix: parent proxy can be used in some cases where it shouldn't
 ! Fix: bandlimiters may not work for older connections on configuration reload
--- a/doc/changelog/0/8/11
+++ b/doc/changelog/0/8/11
@ -1,9 +0,0 @@
 Minor bugfixes / improvements:
 ! Fixed: deadlock on insufficient resources
 ! Fixed: race condition in ssl_plugin
 ! Fixed: minor memory leak on configuration reload
 ! Fixed: recursion detection was not working
 ! Fixed: %n for IPv6 in logging terminates log record
 ! Fixed: reverse PTR validation (required for dnsauth)
 ! Fixed: error on external 0.0.0.0 for NOIPV6 (light version)
 + Better support for IPv6 in ftppr
--- a/doc/changelog/0/8/12
+++ b/doc/changelog/0/8/12
@ -1,5 +0,0 @@
 Bugfixes:
 ! Fixed hostname support in SOCKSv5 UDP portmapping
 ! -fno-strict-aliasing added to gcc options (compiling without this option can lead to unpredictable issues under Debian with gcc 6 and potentially others)
 ! Fixed LDAP plugin compilation issues (LDAP plugin is still listed as unsupported though)
 and some minor fixes and improvements.
--- a/doc/changelog/0/8/13
+++ b/doc/changelog/0/8/13
@ -1,3 +0,0 @@
 Bugfixes:
 !! Fixed out-of-bound write and few minor bugs on configuration saving in admin
 ! fixed: $ is not correctly handled in the beginning of quoted line on configuration parsing
--- a/doc/changelog/0/8/2
+++ b/doc/changelog/0/8/2
@ -1,3 +0,0 @@
 !! Fix transparent flag not reset after keep-alive connection, can lead to DoS by authenticated user.
 ! Do not use SO_REUSEADDR by default (leads to random 00013 errors under some glibc versions)
 ! Use SASIZE() instead of sizeof() in bind() for FreeBSD compatibility
--- a/doc/changelog/0/8/3
+++ b/doc/changelog/0/8/3
@ -1 +0,0 @@
 ! fixed: use SASIZE() instead of sizeof() in connect() for FreeBSD compatibility
--- a/doc/changelog/0/8/4
+++ b/doc/changelog/0/8/4
@ -1,5 +0,0 @@
 + Build PamPlugin on *nix
 + stacksize and -S options, stacksize defaults changed for FreeBSD
 + extip redirection type added
 ! SSL plugin fix to correct handling of certificates path
 ! fixed random errors on IPv6 connect
--- a/doc/changelog/0/8/5
+++ b/doc/changelog/0/8/5
@ -1 +0,0 @@
 !Fix: mutex was used prior to initialization on 'log' command processing
--- a/doc/changelog/0/8/6
+++ b/doc/changelog/0/8/6
@ -1 +0,0 @@
 ! Fix: random 00012 errors in some configurations
--- a/doc/changelog/0/8/7
+++ b/doc/changelog/0/8/7
@ -1,15 +0,0 @@
 ! Fix 'daemon' command for Linux
 ! Fix 'extip' redirections 00009 errors
 ! Fix counters for older Win platforms
 ! Resolve logging race conditions
 ! attempt to fix pam_auth race conditions
 ! FTP proxy workaround for broken gethostname() on some libc limplementations
 ! authcache IP matching corrected
 ! fix SOCKSv5 BIND/UDP ASSOC
 ! use setreuid/setregid instead of setuid / setgid
 + OpenWatcom makefiles for Windows
 + -u2 support for proxy
 + support %i in logformat
 + force/noforce configuration commands to disconnect / do not disconnect clients if nolonger match ACL after configuration change
 + support longer external passwords
--- a/doc/changelog/0/8/8
+++ b/doc/changelog/0/8/8
@ -1,3 +0,0 @@
 !! Fix resolver for non-compressed reply parsing (on mixed-case sensitive resolvers)
 ! Fix plugins export on OpenWatcom compiler (light version)
 ! Fix SOCKSv5
--- a/doc/changelog/0/8/9
+++ b/doc/changelog/0/8/9
@ -1 +0,0 @@
 ! Fix: tcppm may fail if used with parent proxy
--- a/doc/changelog/0/9/0
+++ b/doc/changelog/0/9/0
@ -1,6 +0,0 @@
 + Socket options, interface binding
 + Connection limiting / connection rate limiting
 + RADIUS support (beta)
 + Zero copy (splice) support for Linux
 + Possibility to limit user to single IP (via authentication cache)
 ! bugfixes, improvements
--- a/doc/changelog/0/9/1
+++ b/doc/changelog/0/9/1
@ -1,8 +0,0 @@
 Bugfixes:
 ! Fixed: socket may be closed before all data received/sent
 ! Fixed: bandlimin non-working
 ! Fixed: countall/nocountall
 ! Fixed: few race conditions
 Improvements:
 + deb/rpm build, systemd support (experimental)
--- a/doc/changelog/0/9/2
+++ b/doc/changelog/0/9/2
@ -1,9 +0,0 @@
 Bugfixes:
 ! Fixed: bandwidth limiters (once again)
 ! Fixed: data filtering plugins (PCREPlugin, SSLPlugin). SSLPlugin use on Linux requires to disable splice (-s0)
 ! FIxed: standalone proxies do not react on HUP (Ctrl+C) in Linux/Unix
 ! Fixed: few minor bugs
 Improvements:
 + deb for arm platforms (experimental)
 + Openssl 1.1 support for SSLPlugin
--- a/doc/changelog/0/9/3
+++ b/doc/changelog/0/9/3
@ -1,11 +0,0 @@
 Bugfixes:
 ! Fixed: systemd description file (proxy may fail to start after reboot or via systemctl)
 ! Fixed: group/account creation in installation scripts
 ! Fixed: countall/nocounall do not work in some configurations
 ! Fixed: counters do not work if counter file is not specified
 ! Fixed: counters without rotation (type N) are incorrectly shown in web admin interface
 ! Fixed: %n may be incomplete or missed in long log records
 ! Fixed: connect back functionality does not work
 Improvements:
 + Docker builds
--- a/doc/changelog/0/9/4
+++ b/doc/changelog/0/9/4
@ -1,4 +0,0 @@
 ! Fix: invalid handling of '-' character in ACL hostname
 ! Fix: minor bugfixes and improvements
 + parentretry command added (defaults to 2) to retry connections to parent proxies
 - icqpr related code (OSCAR proxy) removed, due to drop of OSCAR support by messengers
--- a/doc/changelog/0/9/5
+++ b/doc/changelog/0/9/5
@ -1,7 +0,0 @@
 !! Security fix: proxy can potentially crash on on some platforms due to overlapping regions in strcpy() (thanks to @lenix123 for reporting)
 + new proxy service type: `tlspr` - SNI proxy, may also be used as parent `tls` type, sniffs hostname from TLS handhake, read more in https://github.com/3proxy/3proxy/wiki/tlspr https://github.com/3proxy/3proxy/wiki/How-To-(incomplete)#TLSPR
 + new proxy service type: `auto` - autodetect proxy type between `proxy` and `socks`
 + SSLPlugin is rewritten, production-ready, supports TLS (SSL) server (may be used to create https:// type proxy), certificates checks and cypher options, see https://github.com/3proxy/3proxy/wiki/SSLPlugin
 + -g option is added for grace delay to reduce CPU load, see https://github.com/3proxy/3proxy/wiki/High-Load
 ! Multiple minor bugfixes
 ! More supported sockets options
--- a/doc/changelog/0/9/6
+++ b/doc/changelog/0/9/6
@ -1,9 +0,0 @@
 + ssl_client and multiple configuration options added to SSLPlugin, SSLPlugin code significantly improved and bugfixed. See https://github.com/3proxy/3proxy/wiki/SSLPlugin. 3proxy can now be used as stunnel replacement for many scenarios.
 + HAProxy proxy protocol v1 support as client and server, add -H option for service to expect HA proxy v1 protocol header, use ha parent type: parent 1000 ha 0.0.0.0 0 to send v1 header.
 + tlspr is supported in auto
 + tlspr supports -s option, it breaks HELLO packet to prevent some DPIs from detecting SNI
 + maxseg configuration option and TCP_MAXSEG socket flag support added. It sets maximum size of TCP segment to fix PathMTU discovery problems
 + -Ne / -Ni options added to specify external / internal NAT address for SOCKSv5
 + cmake environment added
 ! External pcre2 (pcre2-8) library is used for PCRE, pcre code is removed from 3proxy
 ! Multiple minor bugfixes
--- a/doc/html/howtoe.html
+++ b/doc/html/howtoe.html
@ -49,8 +49,6 @@
 		<li><a href="#NSCACHING">How to configure name resolution and DNS caching</a>
 		<li><a href="#IPV6">How to use IPv6</a>
 		<li><a href="#CONNBACK">How to use connect back</a>
 		<li><a href="#HAPROXY">How to use HAProxy PROXY protocol</a>
 		<li><a href="#MAXSEG">How to set TCP maximum segment size (MSS)</a>
 	</ul>
 	<li><A HREF="#CLIENT">Client configuration</A>
 	<li><A HREF="#ADMIN">Administering and information analysis</A>
@ -500,7 +498,7 @@ ISA 2004 proxy WEB.w3c (fields are TAB-delimited):
 </pre>
 ISA 2000/2004 firewall FWSEXTD.log (fields are TAB-delimited):
 <pre>
-&quot;-	+ L%C	%U	unknown:0:0.0	N	%Y-%m-%d
+&quot;-	+ L%C	%U	unnknown:0:0.0	N	%Y-%m-%d
 	%H:%M:%S	fwsrv	3PROXY	-	%n	%R	%r
 	%D	%O	%I	%r	TCP	Connect	-	-
 	-	%E	-	-	-	-	-&quot;
@ -711,29 +709,6 @@ ssl_client_ca_file /etc/ssl/certs/ca-certificates.crt
 ssl_cli
 proxy -p3128
 </pre>
 <p>
 <b>Conditional TLS for parent proxy (ssl_client_mode 3):</b>
 <br>With ssl_client_mode 3, TLS handshake to parent proxy is performed only if the parent type ends with 's' (secure types). This allows mixing secure and non-secure parent proxies in the same configuration:
 </p><pre>
 plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_cert /etc/3proxy/certs/server.crt
 ssl_server_key /etc/3proxy/certs/server.key
 ssl_client_mode 3
 auth strong
 allow user1
 parent 1000 https parent1.example.com 443
 allow user2
 parent 1000 socks5 parent2.example.com 1080
 ssl_serv
 ssl_cli
 proxy -p3128
 ssl_noserv
 ssl_nocli
 </pre>
 <p>
 This creates an HTTPS proxy (ssl_serv) that accepts TLS connections from clients. For parent proxy connections, user1's traffic goes through an https parent with TLS encryption (secure type), while user2's traffic goes through a regular socks5 parent without TLS. Secure parent types include: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps.
 </p>
 		<li><a name="CERTIFICATES"><i>How to create CA and certificates for SSLPlugin</i></a>
 <p>
 <b>Creating a Certificate Authority (CA):</b>
@ -969,7 +944,7 @@ or
 <pre>
 users $"c:\Program Files\3proxy\passwords"
 </pre>
-It's possible to create NT and crypt passwords with the 3proxy_crypt utility included
+It's possible to create NT and crypt passwords with the mycrypt utility included
 in the distribution.
 <br>The user list is system-wide. To manage user access to a specific service, use ACLs.
 </p>
@ -1303,53 +1278,6 @@ allowed traffic in megabytes (MB). nocountin allows you to set exclusions.
  allow * * 1.1.1.1
  tcppm -R0.0.0.0:1234 3128 1.1.1.1 3128</pre>
  For browser settings, the proxy is host.dyndns.example.org:3128.
  </p>
  <li><a name="HAPROXY"><i>How to use HAProxy PROXY protocol</i></a>
  <p>
  3proxy supports HAProxy PROXY protocol v1 for both receiving and sending client
  IP information. This is useful when 3proxy is behind a load balancer or when
  passing client information to a parent proxy.
  </p>
  <p>
  <b>Receiving PROXY protocol header:</b>
  <br>Use the <code>-H</code> option to make 3proxy expect a PROXY protocol v1 header
  on incoming connections. This allows 3proxy to receive the real client IP address
  from HAProxy or another load balancer:
  </p><pre>
 proxy -H -p3128
 socks -H -p1080
 </pre>
  <p>
  The PROXY protocol header must be sent before any protocol-specific data.
  </p>
  <p>
  <b>Sending PROXY protocol header to parent proxy:</b>
  <br>Use the <code>ha</code> parent type to send a PROXY protocol v1 header to
  the parent proxy. This must be the last parent in the chain:
  </p><pre>
 allow *
 parent 1000 ha
 parent 1000 socks5 parent.example.com 1080
 socks
 </pre>
  <p>
  This configuration sends the client IP information to the SOCKS5 parent proxy
  via the PROXY protocol.
  </p>
  <li><a name="MAXSEG"><i>How to set TCP maximum segment size (MSS)</i></a>
  <p>
  Use the <code>maxseg</code> command to set the TCP maximum segment size (MSS)
  for outgoing connections. This can be useful to work around path MTU discovery
  issues or to optimize traffic for specific network conditions:
  </p><pre>
 maxseg 1400
 proxy -p3128 -OcTCP_NODELAY,TCP_MAXSEG -OsTCP_NODELAY,TCP_MAXSEG
 </pre>
  <p>
  The value is specified in bytes. This setting uses the TCP_MAXSEG socket option
  and may not be supported on all platforms. A typical use case is to reduce MSS
  to avoid fragmentation in VPN tunnels or to work around MTU issues with certain
  network paths.
  </p>	
 	</ul>
--- a/doc/html/howtor.html
+++ b/doc/html/howtor.html
@ -48,8 +48,6 @@
    <li><a href="#NSCACHING">Как управлять разрешением имен и кэшированием DNS</a>
    <li><a href="#IPV6">Как использовать IPv6</a>
    <li><a href="#CONNBACK">Как использовать connect back</a>
    <li><a href="#HAPROXY">Как использовать протокол HAProxy PROXY</a>
    <li><a href="#MAXSEG">Как установить максимальный размер сегмента TCP (MSS)</a>
  </ul>
  <li><a href="#CLIENT">Конфигурация и настройка клиентов</a>
  <ul>
@ -513,7 +511,7 @@
  -	Internal	External	0x0	Allowed&quot;</pre>
  Формат ISA 2000/2004 firewall FWSEXTD.log (поля разделены табуляцией):
  <pre>
-  &quot;-	+ L%C	%U	unknown:0:0.0	N	%Y-%m-%d
+  &quot;-	+ L%C	%U	unnknown:0:0.0	N	%Y-%m-%d
  %H:%M:%S	fwsrv	3PROXY	-	%n	%R	%r
  %D	%O	%I	%r	TCP	Connect	-	-
  -	%E	-	-	-	-	-&quot;</pre>
@ -720,29 +718,6 @@ ssl_client_ca_file /etc/ssl/certs/ca-certificates.crt
 ssl_cli
 proxy -p3128
 </pre>
 <p>
 <b>Условное TLS для parent прокси (ssl_client_mode 3):</b>
 <br>При ssl_client_mode 3 TLS-рукопожатие с родительским прокси выполняется только если тип parent прокси заканчивается на 's' (защищённые типы). Это позволяет смешивать защищённые и незащищённые родительские прокси в одной конфигурации:
 </p><pre>
 plugin /path/to/SSLPlugin.ld.so ssl_plugin
 ssl_server_cert /etc/3proxy/certs/server.crt
 ssl_server_key /etc/3proxy/certs/server.key
 ssl_client_mode 3
 auth strong
 allow user1
 parent 1000 https parent1.example.com 443
 allow user2
 parent 1000 socks5 parent2.example.com 1080
 ssl_serv
 ssl_cli
 proxy -p3128
 ssl_noserv
 ssl_nocli
 </pre>
 <p>
 Создаётся HTTPS-прокси (ssl_serv), принимающий TLS-соединения от клиентов. Для соединений с родительским прокси трафик user1 идёт через https родитель с TLS-шифрованием (защищённый тип), а трафик user2 — через обычный socks5 родитель без TLS. Защищённые типы parent прокси: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps.
 </p>
  <li><a name="CERTIFICATES"><i>Как создать CA и сертификаты для SSLPlugin</i></a>
 <p>
 <b>Создание удостоверяющего центра (CA):</b>
@ -983,7 +958,7 @@ openssl pkcs12 -export -out client.p12 -passout pass: \
  или
  <pre>
  users $"c:\Program Files\3proxy\passwords"</pre>
-  Шифрованные NT и crypt пароли можно создавать с помощью утилиты 3proxy_crypt.
+  Шифрованные NT и crypt пароли можно создавать с помощью утилиты mycrypt.
  <br>Список пользователей един для всех служб. Разграничение доступа по службам
  необходимо производить с помощью списков доступа.
  </p>
@ -1361,54 +1336,6 @@ openssl pkcs12 -export -out client.p12 -passout pass: \
  tcppm -R0.0.0.0:1234 3128 1.1.1.1 3128</pre>
  В настройках браузера указывается host.dyndns.example.org:3128.
  </p>	
  <li><a name="HAPROXY"><i>Как использовать протокол HAProxy PROXY</i></a>
  <p>
  3proxy поддерживает протокол HAProxy PROXY v1 как для приёма, так и для
  отправки информации об IP-адресе клиента. Это полезно, когда 3proxy находится
  за балансировщиком нагрузки или при передаче информации о клиенте родительскому прокси.
  </p>
  <p>
  <b>Приём заголовка PROXY протокола:</b>
  <br>Используйте опцию <code>-H</code>, чтобы 3proxy ожидал заголовок PROXY протокола v1
  на входящих соединениях. Это позволяет 3proxy получать реальный IP-адрес клиента
  от HAProxy или другого балансировщика нагрузки:
  </p><pre>
 proxy -H -p3128
 socks -H -p1080
 </pre>
  <p>
  Заголовок PROXY протокола должен быть отправлен до любых протокольных данных.
  </p>
  <p>
  <b>Отправка заголовка PROXY протокола родительскому прокси:</b>
  <br>Используйте тип родительского прокси <code>ha</code> для отправки заголовка
  PROXY протокола v1 родительскому прокси. Это должен быть последний родитель в цепочке:
  </p><pre>
 allow *
 parent 1000 ha
 parent 1000 socks5 parent.example.com 1080
 socks
 </pre>
  <p>
  Эта конфигурация отправляет информацию об IP-адресе клиента SOCKS5 родительскому
  прокси через PROXY протокол.
  </p>
  <li><a name="MAXSEG"><i>Как установить максимальный размер сегмента TCP (MSS)</i></a>
  <p>
  Используйте команду <code>maxseg</code> для установки максимального размера
  сегмента TCP (MSS) для исходящих соединений. Это может быть полезно для обхода
  проблем с Path MTU Discovery или для оптимизации трафика в специфических
  сетевых условиях:
  </p><pre>
 maxseg 1400
 proxy -p3128 -OcTCP_NODELAY,TCP_MAXSEG -OsTCP_NODELAY,TCP_MAXSEG
 </pre>
  <p>
  Значение указывается в байтах. Эта настройка использует опцию сокета TCP_MAXSEG
  и может не поддерживаться на всех платформах. Типичный случай использования -
  уменьшение MSS для избежания фрагментации в VPN туннелях или для обхода проблем
  с MTU на определённых сетевых путях.
  </p>
 </ul>
 <hr>
 <li><a name="CLIENT"><b>Конфигурация клиентов</b></a>
--- a/doc/html/index.html
+++ b/doc/html/index.html
@ -4,7 +4,6 @@
 <a href="howtoe.html">How To (English, very incomplete)</a><br>
 <a href="howtor.html">How To (Russian)</a><br>
 <h3>Man pages:</h3>
 <br><A HREF="man8/3proxy_crypt.8.html">3proxy_crypt.8</A>
 <br><A HREF="man8/3proxy.8.html">3proxy.8</A>
 <br><A HREF="man8/ftppr.8.html">ftppr.8</A>
 <br><A HREF="man8/pop3p.8.html">pop3p.8</A>
@ -14,5 +13,5 @@
 <br><A HREF="man8/tcppm.8.html">tcppm.8</A>
 <br><A HREF="man8/tlspr.8.html">tlspr.8</A>
 <br><A HREF="man8/udppm.8.html">udppm.8</A>
-<br><A HREF="man5/3proxy.cfg.5.html">3proxy.cfg.5</A>
+<br><A HREF="man3/3proxy.cfg.3.html">3proxy.cfg.3</A>
 </body></html>
--- a/doc/html/man3/3proxy.cfg.3.html
+++ b/doc/html/man3/3proxy.cfg.3.html
@ -84,10 +84,10 @@ smtpp</b> [options] <b><br>
 ftppr</b> [options] <b><br>
 admin</b> [options] <b><br>
 dnspr</b> [options] <b><br>
-tcppm</b> [options] <i>&lt;SRCPORT&gt; &lt;DSTADDR&gt;
+tcppm</b> [options] &lt;SRCPORT&gt; &lt;DSTADDR&gt;
-&lt;DSTPORT&gt;</i> <b><br>
+&lt;DSTPORT&gt; <b><br>
-udppm</b> [options] <i>&lt;SRCPORT&gt; &lt;DSTADDR&gt;
+udppm</b> [options] &lt;SRCPORT&gt; &lt;DSTADDR&gt;
-&lt;DSTPORT&gt;</i> <br>
+&lt;DSTPORT&gt; <br>
 Descriptions: <b><br>
 proxy</b> HTTP/HTTPS proxy (default port 3128) <b><br>
 socks</b> SOCKS 4/4.5/5 proxy (default port 1080) <b><br>
@ -101,24 +101,19 @@ smtpp</b> SMTP proxy (default port 25) <b><br>
 ftppr</b> FTP proxy (default port 21) <b><br>
 admin</b> Web interface (default port 80) <b><br>
 dnspr</b> caching DNS proxy (default port 53) <b><br>
-tcppm</b> TCP portmapper. Destination address (DSTADDR) can
+tcppm</b> TCP portmapper <b><br>
 be a Unix domain socket using the syntax
 <i>unix:/path/to/socket</i> (e.g., tcppm 8080
 unix:/var/run/app.sock 0). On Linux, abstract sockets use
 <i>unix:@socketname</i> syntax. When using Unix socket
 destination, the port number is ignored but must be
 specified for syntax compatibility. <b><br>
 udppm</b> UDP portmapper</p>
 <p style="margin-left:6%; margin-top: 1em">Options: <b><br>
-p</b><i>NUMBER</i> change default server port to NUMBER
+-pNUMBER</b> change default server port to NUMBER <b><br>
-<b><br>
+-n</b> disable NTLM authentication (required if passwords
-
+are stored in Unix crypt format). <b><br>
-g(</b><i>GRACE_TRAFF</i><b>,</b><i>GRACE_NUM</i><b>,</b><i>GRACE_DELAY</i>)
+-n1</b> enable NTLMv1 authentication. <b><br>
-delay GRACE_DELAY milliseconds before polling if average
+-g(GRACE_TRAFF,GRACE_NUM,GRACE_DELAY)</b> delay GRACE_DELAY
-polling size is below GRACE_TRAFF bytes and GRACE_NUM read
+milliseconds before polling if average polling size is below
-operations in a single direction are detected within 1
+GRACE_TRAFF bytes and GRACE_NUM read operations in a single
-second. Useful to minimize polling <b>-s</b> <br>
+direction are detected within 1 second. Useful to minimize
 polling <b>-s</b> <br>
 (for admin) secure, allow only secure operations, currently
 only traffic counters view without ability to reset. <br>
 (for dnspr) simple, do not use resolver and 3proxy cache,
@ -141,37 +136,35 @@ packed in IPv6 in IPV6_V6ONLY compatible way. <b><br>
 resolvable <b><br>
 -64</b> Resolve IPv4 addresses if IPv6 address is not
 resolvable <b><br>
-R</b><i>HOST</i><b>:</b><i>port</i> listen on given local
+-RHOST:port</b> listen on given local HOST:port for incoming
-HOST:port for incoming connections instead of making remote
+connections instead of making remote outgoing connection.
-outgoing connection. Can be used with another 3proxy service
+Can be used with another 3proxy service running -r option
-running -r option for connect back functionality. Most
+for connect back functionality. Most commonly used with
-commonly used with tcppm. HOST can be given as IP or
+tcppm. HOST can be given as IP or hostname, useful in case
-hostname, useful in case of dynamic DNS. <b><br>
+of dynamic DNS. <b><br>
-r</b><i>HOST</i><b>:</b><i>port</i> connect to given remote
+-rHOST:port</b> connect to given remote HOST:port instead of
-HOST:port instead of listening local connection on -p or
+listening local connection on -p or default port. Can be
-default port. Can be used with another 3proxy service
+used with another 3proxy service running -R option for
-running -R option for connect back functionality. Most
+connect back functionality. Most commonly used with proxy or
-commonly used with proxy or socks. HOST can be given as IP
+socks. HOST can be given as IP or hostname, useful in case
-or hostname, useful in case of dynamic DNS. <b><br>
+of dynamic DNS. <b><br>
-oc</b><i>OPTIONS</i><b>, -os</b><i>OPTIONS</i><b>,
+-ocOPTIONS, -osOPTIONS, -olOPTIONS, -orOPTIONS,
-ol</b><i>OPTIONS</i><b>, -or</b><i>OPTIONS</i><b>,
+-oROPTIONS</b> options for proxy-to-client (oc),
-oR</b><i>OPTIONS</i> options for proxy-to-client
+proxy-to-server (os), proxy listening (ol), connect back
-(<b>-oc</b>), proxy-to-server (<b>-os</b>), proxy listening
+client (or), connect back listening (oR) sockets. Options
-(<b>-ol</b>), connect back client (<b>-or</b>), connect back
+like TCP_CORK, TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK,
-listening (<b>-oR</b>) sockets. Options like TCP_CORK,
+TCP_TIMESTAMPS, USE_TCP_FASTOPEN, SO_REUSEADDR,
-TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK, TCP_TIMESTAMPS,
+SO_REUSEPORT, SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT,
-USE_TCP_FASTOPEN, SO_REUSEADDR, SO_REUSEPORT,
+SO_KEEPALIVE, SO_DONTROUTE may be supported depending on OS.
-SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT, SO_KEEPALIVE,
+<b><br>
-SO_DONTROUTE may be supported depending on OS. <b><br>
+-DiINTERFACE, -DeINTERFACE</b> bind internal interface /
-Di</b><i>INTERFACE</i><b>, -De</b><i>INTERFACE</i> bind
+external interface to given INTERFACE (e.g. eth0) if
-internal (<b>-Di</b>) / external (<b>-De</b>) interface to
+SO_BINDTODEVICE is supported by the system. You may need to
-given INTERFACE (e.g. eth0) if <b>SO_BINDTODEVICE</b> is
+run as root or have CAP_NET_RAW capability in order to bind
-supported by the system. You may need to run as root or have
+to an interface, depending on the system, so this option may
 <b>CAP_NET_RAW</b> capability in order to bind to an
 interface, depending on the system, so this option may
 require root privileges and can be incompatible with some
-configuration commands like <b>chroot</b> and <b>setuid</b>
+configuration commands like chroot and setuid (and daemon if
-(and <b>daemon</b> if setcap is used). <b><br>
+setcap is used). <b><br>
 -e</b> External address. IP address of the interface the
 proxy should initiate connections from. External IP must be
 specified if you need incoming connections. By default the
@ -179,23 +172,11 @@ system will decide which address to use in accordance with
 the routing table. <b><br>
 -i</b> Internal address. IP address the proxy accepts
 connections to. By default, connections to any interface are
-accepted. Unix domain sockets can be specified with
+accepted. <b><br>
-<i>-iunix:/path/to/socket</i> syntax. On Linux, abstract
+-N</b> (for socks) External NAT address 3proxy reports to
-sockets use <i>-iunix:@socketname</i> syntax. <b><br>
+client for BIND and UDPASSOC By default external address is
-Ne</b> (for socks) External NAT address (between 3proxy and
+reported. It&rsquo;s only useful in the case of IP-IP NAT
-destination server) to report to client for CONNECT and
+(will not work for PAT) <br>
 BIND. By default external address is reported. It&rsquo;s
 only useful in the case of IP-IP NAT (will not work for
 PAT). <b><br>
 -Ni</b> (for socks) Internal NAT address (between client and
 3proxy) to report to client for UDPASSOC. By default
 internal address is reported. It&rsquo;s only useful in the
 case of IP-IP NAT (will not work for PAT). <b><br>
 -H</b> (for all services) Expect HAProxy PROXY protocol v1
 header on incoming connection. This allows the proxy to
 receive real client IP address from HAProxy or other load
 balancer that supports the PROXY protocol. The header must
 be sent before any protocol-specific data. <br>
 Also, all options mentioned for <b>proxy</b>(8)
 <b>socks</b>(8) <b>pop3p</b>(8) <b>tcppm</b>(8)
 <b>udppm</b>(8) <b>ftppr</b>(8) <br>
@ -208,10 +189,10 @@ proxy access must be authenticated, you can specify username
 as proxy_username:proxy_password:POP3_username@pop3server
 <br>
 DNS proxy resolves any types of records but only hostnames
-are cached. It requires <b>nserver</b>/<b>nscache</b> to be
+are cached. It requires nserver/nscache to be configured. If
-configured. If <b>nserver</b> is configured as TCP,
+nserver is configured as TCP, redirections are applied on
-redirections are applied on connection, so parent proxy may
+connection, so parent proxy may be used to resolve names to
-be used to resolve names to IP. <br>
+IP. <br>
 FTP proxy can be used as FTP server in any FTP client or
 configured as FTP proxy on a client with FTP proxy support.
 Username format is one of <br>
@ -225,11 +206,11 @@ authentication use proxyuser:proxypassword:FTPuser as FTP
 username, otherwise do not change original FTP user name</p>
 <p style="margin-left:6%; margin-top: 1em"><b>include</b>
-<i>&lt;path&gt;</i> <br>
+&lt;path&gt; <br>
 Include config file</p>
 <p style="margin-left:6%; margin-top: 1em"><b>config</b>
-<i>&lt;path&gt;</i> <br>
+&lt;path&gt; <br>
 Path to configuration file to use on 3proxy restart or to
 save configuration.</p>
@ -245,20 +226,20 @@ using it.</p>
 End of configuration</p>
 <p style="margin-left:6%; margin-top: 1em"><b>log</b>
-[[@|&amp;]<i>logfile</i>] [<i>&lt;LOGTYPE&gt;</i>] <br>
+[[@|&amp;]logfile] [&lt;LOGTYPE&gt;] <br>
 sets logfile for all gateways <br>
@ (for Unix) use syslog, filename is used as ident name <br>
 &amp; use ODBC, filename consists of comma-delimited
 datasource,username,password (username and password are
 optional) <br>
 radius - use RADIUS for logging <br>
-LOGTYPE is one of: <b><br>
+LOGTYPE is one of: <br>
-c</b> Minutely <b><br>
+c Minutely <br>
-H</b> Hourly <b><br>
+H Hourly <br>
-D</b> Daily <b><br>
+D Daily <br>
-W</b> Weekly (starting from Sunday) <b><br>
+W Weekly (starting from Sunday) <br>
-M</b> Monthly <b><br>
+M Monthly <br>
-Y</b> Annually <br>
+Y Annually <br>
 if logfile is not specified logging goes to stdout. You can
 specify individual logging options for gateway by using -l
 option in gateway configuration. <br>
@ -271,12 +252,12 @@ Grinwitch time zone for all time-based format
 specificators.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>rotate</b>
-<i>&lt;n&gt;</i> <br>
+&lt;n&gt; <br>
 how many archived log files to keep</p>
 <p style="margin-left:6%; margin-top: 1em"><b>logformat</b>
-<i>&lt;format&gt;</i> <br>
+&lt;format&gt; <br>
 Format for log record. First symbol in format must be L
 (local time) or G (absolute Grinwitch time). It can be
 preceeded with -XXX+Y where XXX is list of characters to be
@ -333,8 +314,7 @@ l_service, l_in, l_out, l_descr) values (&acute;%d-%m-%Y
 &acute;%T&acute;)&quot;</p>
 <p style="margin-left:6%; margin-top: 1em"><b>logdump</b>
-<i>&lt;in_traffic_limit&gt; &lt;out_traffic_limit&gt;</i>
+&lt;in_traffic_limit&gt; &lt;out_traffic_limit&gt; <br>
 <br>
 Immediately creates additional log records if given amount
 of incoming/outgoing traffic is achieved for connection,
 without waiting for connection to finish. It may be useful
@ -343,7 +323,7 @@ server shutdown.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>delimchar</b>
-<i>&lt;char&gt;</i> <br>
+&lt;char&gt; <br>
 Sets the delimiter character used to separate username from
 hostname in proxy authentication strings (e.g. for FTP, POP3
 proxies). Default is &acute;@&acute;. For example, to use
@ -351,50 +331,48 @@ proxies). Default is &acute;@&acute;. For example, to use
 to contain the &acute;@&acute; character.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>archiver</b>
-<i>&lt;ext&gt; &lt;commandline&gt;</i> <br>
+&lt;ext&gt; &lt;commandline&gt; <br>
 Archiver to use for log files. &lt;ext&gt; is file extension
 produced by archiver. Filename will be last argument to
 archiver, optionally you can use %A as produced archive name
 and %F as filename.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>timeouts</b>
-<i>&lt;BYTE_SHORT&gt; &lt;BYTE_LONG&gt; &lt;STRING_SHORT&gt;
+&lt;BYTE_SHORT&gt; &lt;BYTE_LONG&gt; &lt;STRING_SHORT&gt;
 &lt;STRING_LONG&gt; &lt;CONNECTION_SHORT&gt;
 &lt;CONNECTION_LONG&gt; &lt;DNS&gt; &lt;CHAIN&gt;
-&lt;CONNECT&gt; &lt;CONNECTBACK&gt;</i> <br>
+&lt;CONNECT&gt; &lt;CONNECTBACK&gt; <br>
 Sets timeout values, defaults 1, 5, 30, 60, 180, 1800, 15,
-60, 15, 5. <b><br>
+60, 15, 5. <br>
-BYTE_SHORT</b> short timeout for single byte, is usually
+BYTE_SHORT short timeout for single byte, is usually used
-used for receiving single byte from stream. <b><br>
+for receiving single byte from stream. <br>
-BYTE_LONG</b> long timeout for single byte, is usually used
+BYTE_LONG long timeout for single byte, is usually used for
-for receiving first byte in frame (for example first byte in
+receiving first byte in frame (for example first byte in
-socks request). <b><br>
+socks request). <br>
-STRING_SHORT</b> short timeout, for character string within
+STRING_SHORT short timeout, for character string within
-stream (for example to wait between 2 HTTP headers) <b><br>
+stream (for example to wait between 2 HTTP headers) <br>
-STRING_LONG</b> long timeout, for first string in stream
+STRING_LONG long timeout, for first string in stream (for
-(for example to wait for HTTP request). <b><br>
+example to wait for HTTP request). <br>
-CONNECTION_SHORT</b> inactivity timeout for short
+CONNECTION_SHORT inactivity timeout for short connections
-connections (HTTP, POP3, etc). <b><br>
+(HTTP, POP3, etc). <br>
-CONNECTION_LONG</b> inactivity timeout for long connection
+CONNECTION_LONG inactivity timeout for long connection
-(SOCKS, portmappers, etc). <b><br>
+(SOCKS, portmappers, etc). <br>
-DNS</b> timeout for DNS request before requesting next
+DNS timeout for DNS request before requesting next server
 server <b><br>
 CHAIN</b> timeout for reading data from chained connection
 <br>
 CHAIN timeout for reading data from chained connection <br>
 default timeouts 1 5 30 60 180 1800 15 60 15 5</p>
 <p style="margin-left:6%; margin-top: 1em"><b>maxseg</b>
-<i>&lt;value&gt;</i> <br>
+&lt;value&gt; <br>
 Sets TCP maximum segment size (MSS) for outgoing
 connections. This can be used to work around path MTU
 discovery issues or to optimize traffic for specific network
 conditions.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>radius</b>
-<i>&lt;NAS_SECRET&gt;
+&lt;NAS_SECRET&gt;
-&lt;radius_server_1</i>[:<i>port</i>][/<i>local_address_1</i>]
+&lt;radius_server_1[:port][/local_address_1]&gt;
-<i>&lt;radius_server_2</i>[:<i>port</i>][/<i>local_address_2</i>]
+&lt;radius_server_2[:port][/local_address_2]&gt; <br>
 <br>
 Configures RADIUS servers to be used for logging and
 authentication (log and auth types must be set to radius).
 port and local address to use with given server may be
@ -413,12 +391,12 @@ CONNECT), Login-TCP-Port: (requested port), Login-IPv6-Host
 / Login-IP-Host: (requested IP). <br>
 Supported reply attributes for authentication:
 Framed-IP-Address / Framed-IPv6-Address (IP to assign to
-user), Reply-Message. Use <b>authcache</b> to speedup
+user), Reply-Message. Use authcache to speedup
 authentication. RADIUS feature is currently
 experimental.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>nserver</b>
-<i>&lt;ipaddr&gt;</i>[:<i>port</i>][/<i>tcp</i>] <br>
+&lt;ipaddr&gt;[:port][/tcp] <br>
 Nameserver to use for name resolutions. If none specified
 system routines for name resolution is used. Optional port
 number may be specified. If optional /tcp is added to IP
@ -426,36 +404,33 @@ address, name resolution is performed over TCP.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>authnserver</b>
-<i>&lt;ipaddr&gt;</i>[:<i>port</i>][/<i>tcp</i>] <br>
+&lt;ipaddr&gt;[:port][/tcp] <br>
 Nameserver to use for DNS-based authentication (e.g. dnsname
 auth type). If not specified, nserver is used. The syntax is
 the same as for nserver.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>nscache</b>
-<i>&lt;cachesize&gt;</i> <b>nscache6</b>
+&lt;cachesize&gt; <b>nscache6</b> &lt;cachesize&gt; <br>
-<i>&lt;cachesize&gt;</i> <br>
+Cache &lt;cachesize&gt; records for name resolution (nscache
-Cache <i>&lt;cachesize&gt;</i> records for name resolution
+for IPv4, nscache6 for IPv6). The cache size should usually
-(<b>nscache</b> for IPv4, <b>nscache6</b> for IPv6). The
+be large enough (for example, 65536).</p>
 cache size should usually be large enough (for example,
 65536).</p>
 <p style="margin-left:6%; margin-top: 1em"><b>nsrecord</b>
-<i>&lt;hostname&gt; &lt;hostaddr&gt;</i> <br>
+&lt;hostname&gt; &lt;hostaddr&gt; <br>
-Adds static record to nscache. <b>nscache</b> must be
+Adds static record to nscache. nscache must be enabled. If
-enabled. If 0.0.0.0 is used as a hostaddr host will never
+0.0.0.0 is used as a hostaddr host will never resolve, it
-resolve, it can be used to blacklist something or together
+can be used to blacklist something or together with
-with <b>dialer</b> command to set up UDL for dialing.</p>
+<b>dialer</b> command to set up UDL for dialing.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>fakeresolve</b>
 <br>
 All names are resolved to the 127.0.0.2 address. Useful if
-all requests are redirected to a parent proxy with
+all requests are redirected to a parent proxy with http,
-<b>http</b>, <b>socks4+</b>, <b>connect+</b> or
+socks4+, connect+ or socks5+.</p>
 <b>socks5+</b>.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>dialer</b>
-<i>&lt;progname&gt;</i> <br>
+&lt;progname&gt; <br>
 Execute progname if external name can&acute;t be resolved.
 Hint: if you use nscache, dialer may not work, because names
 will be resolved through cache. In this case you can use
@ -463,43 +438,34 @@ something like http://dial.right.now/ from browser to set up
 connection.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>internal</b>
-<i>&lt;ipaddr&gt;</i> <br>
+&lt;ipaddr&gt; <br>
 sets ip address of internal interface. This IP address will
 be used to bind gateways. Alternatively you can use -i
 option for individual gateways. Since 0.8 version, IPv6
-address may be used. <br>
+address may be used.</p>
 Unix domain sockets are supported with the syntax
 <i>unix:/path/to/socket</i> (e.g., internal
 unix:/var/run/3proxy.sock). On Linux, abstract (fileless)
 Unix sockets are supported with the syntax
 <i>unix:@socketname</i> (e.g., internal unix:@3proxy). When
 using Unix sockets, the socket file is automatically created
 and removed on service start/stop.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>external</b>
-<i>&lt;ipaddr&gt;</i> <br>
+&lt;ipaddr&gt; <br>
 sets ip address of external interface. This IP address will
 be source address for all connections made by proxy.
 Alternatively you can use -e option to specify individual
-address for gateway. Since 0.8 version External or <b>-e</b>
+address for gateway. Since 0.8 version External or -e can be
-can be given twice: once with IPv4 and once with IPv6
+given twice: once with IPv4 and once with IPv6 address.</p>
 address.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>maxconn</b>
-<i>&lt;number&gt;</i> <br>
+&lt;number&gt; <br>
 sets the maximum number of simultaneous connections to each
 service started after this command at the network level.
 Default is 100. <br>
-To limit clients, use <b>connlim</b> instead. <b>maxconn</b>
+To limit clients, use connlim instead. maxconn will silently
-will silently ignore new connections, while <b>connlim</b>
+ignore new connections, while connlim will report back to
-will report back to the client that the connection limit has
+the client that the connection limit has been reached.</p>
 been reached.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>backlog</b>
 <br>
 sets the listening socket backlog of new connections.
-Default is 1 + <b>maxconn</b>/8. Maximum value is capped by
+Default is 1 + maxconn/8. Maximum value is capped by kernel
-kernel tunable somaxconn.</p>
+tunable somaxconn.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>service</b>
 <br>
@ -513,35 +479,35 @@ reinstall the service.</p>
 <br>
 Should be specified to close the console. Do not use
 &acute;daemon&acute; with &acute;service&acute;. At least
-under FreeBSD, <b>daemon</b> should precede any proxy
+under FreeBSD, &acute;daemon&acute; should precede any proxy
 service and log commands to avoid socket problems. Always
 place it in the beginning of the configuration file.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>auth</b>
-<i>&lt;authtype&gt;</i> [...] <br>
+&lt;authtype&gt; [...] <br>
-Type of user authorization. Currently supported: <b><br>
+Type of user authorization. Currently supported: <br>
-none</b> - no authentication or authorization required. <br>
+none - no authentication or authorization required. <br>
 Note: if auth is none, any IP-based limitation, redirection,
 etc. will not work. This is the default authentication type
-<b><br>
+<br>
-iponly</b> - authentication by access control list with
+iponly - authentication by access control list with username
-username ignored. <br>
+ignored. <br>
-Appropriate for most cases <b><br>
+Appropriate for most cases <br>
-useronly</b> - authentication by username without checking
+useronly - authentication by username without checking for
-for any password with authorization by ACLs. Useful for e.g.
+any password with authorization by ACLs. Useful for e.g.
 SOCKSv4 proxy and icqpr (icqpr set UIN / AOL screen name as
-a username) <b><br>
+a username) <br>
-dnsname</b> - authentication by DNS hostname with
+dnsname - authentication by DNS hostname with authorization
-authorization by ACLs. The DNS hostname is resolved via a
+by ACLs. The DNS hostname is resolved via a PTR (reverse)
-PTR (reverse) record and validated (the resolved name must
+record and validated (the resolved name must resolve to the
-resolve to the same IP address). It&acute;s recommended to
+same IP address). It&acute;s recommended to use authcache by
-use authcache by IP for this authentication. NB: there is no
+IP for this authentication. NB: there is no password check;
-password check; the name may be spoofed. <b><br>
+the name may be spoofed. <br>
-strong</b> - username/password authentication required. It
+strong - username/password authentication required. It will
-will work with SOCKSv5, FTP, POP3 and HTTP proxy. <b><br>
+work with SOCKSv5, FTP, POP3 and HTTP proxy. <br>
-cache</b> - cached authentication, may be used with
+cache - cached authentication, may be used with
-&acute;authcache&acute;. <b><br>
+&acute;authcache&acute;. <br>
-radius</b> - authentication with RADIUS. <br>
+radius - authentication with RADIUS. <br>
 Plugins may add additional authentication types.</p>
 <p style="margin-left:6%; margin-top: 1em">It&acute;s
@ -559,39 +525,38 @@ shared ones.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>authcache</b>
-<i>&lt;cachtype&gt; &lt;cachtime&gt; &lt;cachesize&gt;</i>
+&lt;cachtype&gt; &lt;cachtime&gt; <br>
 <br>
 Cache authentication information for a given amount of time
-(cachetime) in seconds. cachesize limits number of cache
+(cachetime) in seconds. Cachetype is one of: <br>
-entries. Cachetype is one of: <b><br>
+ip - after successful authentication all connections during
-ip</b> - after successful authentication all connections
+caching time from same IP are assigned to the same user,
-during caching time from same IP are assigned to the same
+username is not requested. <br>
-user, username is not requested. <b><br>
+ip,user username is requested and all connections from the
-ip,user</b> username is requested and all connections from
+same IP are assigned to the same user without actual
-the same IP are assigned to the same user without actual
+authentication. <br>
-authentication. <b><br>
+user - same as above, but IP is not checked. <br>
-user</b> - same as above, but IP is not checked. <b><br>
+user,password - both username and password are checked
-user,password</b> - both username and password are checked
+against cached ones. <br>
-against cached ones. <b><br>
+limit - limit user to use only one ip, &acute;ip&acute; and
-limit</b> - limit user to use only one ip, &acute;ip&acute;
+&acute;user&acute; are required <br>
-and &acute;user&acute; are required <b><br>
+acl - only use cached auth if user access service with same
-ack</b> - only use cached auth if user access service with
+ACL <br>
-same ACL <b><br>
+ext - cache external IP <br>
-ext</b> - cache external IP <br>
+Use auth type &acute;cache&acute; for cached
-Use auth type <b>cache</b> for cached authentication</p>
+authentication</p>
 <p style="margin-left:6%; margin-top: 1em"><b>allow</b>
-<i>&lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt;
+&lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt;
 &lt;targetportlist&gt; &lt;operationlist&gt;
-&lt;weekdayslist&gt; &lt;timeperiodslist&gt;</i> <b><br>
+&lt;weekdayslist&gt; &lt;timeperiodslist&gt; <b><br>
-deny</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
+deny</b> &lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt;</i> <b><br>
+&lt;timeperiodslist&gt; <b><br>
-redirect</b> <i>&lt;ip&gt; &lt;port&gt; &lt;userlist&gt;
+redirect</b> &lt;ip&gt; &lt;port&gt; &lt;userlist&gt;
 &lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt;</i> <br>
+&lt;timeperiodslist&gt; <br>
 Access control entries. All lists are comma-separated, no
 spaces are allowed. Usernames are case sensitive (if used
 with authtype nbname username must be in uppercase). Source
@ -617,28 +582,27 @@ should either bind proxy to appropriate interface only or to
 use ip filters.</p>
 <p style="margin-left:6%; margin-top: 1em">Operation is one
-of: <b><br>
+of: <br>
-CONNECT</b> establish outgoing TCP connection <b><br>
+CONNECT establish outgoing TCP connection <br>
-BIND</b> bind TCP port for listening <b><br>
+BIND bind TCP port for listening <br>
-UDPASSOC</b> make UDP association <b><br>
+UDPASSOC make UDP association <br>
-ICMPASSOC</b> make ICMP association (for future use) <b><br>
+ICMPASSOC make ICMP association (for future use) <br>
-HTTP_GET</b> HTTP GET request <b><br>
+HTTP_GET HTTP GET request <br>
-HTTP_PUT</b> HTTP PUT request <b><br>
+HTTP_PUT HTTP PUT request <br>
-HTTP_POST</b> HTTP POST request <b><br>
+HTTP_POST HTTP POST request <br>
-HTTP_HEAD</b> HTTP HEAD request <b><br>
+HTTP_HEAD HTTP HEAD request <br>
-HTTP_CONNECT</b> HTTP CONNECT request <b><br>
+HTTP_CONNECT HTTP CONNECT request <br>
-HTTP_OTHER</b> over HTTP request <b><br>
+HTTP_OTHER over HTTP request <br>
-HTTP</b> matches any HTTP request except HTTP_CONNECT
+HTTP matches any HTTP request except HTTP_CONNECT <br>
-<b><br>
+HTTPS same as HTTP_CONNECT <br>
-HTTPS</b> same as HTTP_CONNECT <b><br>
+FTP_GET FTP get request <br>
-FTP_GET</b> FTP get request <b><br>
+FTP_PUT FTP put request <br>
-FTP_PUT</b> FTP put request <b><br>
+FTP_LIST FTP list request <br>
-FTP_LIST</b> FTP list request <b><br>
+FTP_DATA FTP data connection. Note: FTP_DATA requires access
-FTP_DATA</b> FTP data connection. Note: FTP_DATA requires
+to dynamic non-privileged (1024-65535) ports on the remote
-access to dynamic non-privileged (1024-65535) ports on the
+side. <br>
-remote side. <b><br>
+FTP matches any FTP/FTP Data request <br>
-FTP</b> matches any FTP/FTP Data request <b><br>
+ADMIN access to administration interface</p>
 ADMIN</b> access to administration interface</p>
 <p style="margin-left:6%; margin-top: 1em">Weekdays are
 week day numbers or periods, 0 or 7 means Sunday, 1 is
@ -649,8 +613,8 @@ HH:MM:SS-HH:MM:SS format. For example,
 hours.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>parent</b>
-<i>&lt;weight&gt; &lt;type&gt; &lt;ip&gt; &lt;port&gt;
+&lt;weight&gt; &lt;type&gt; &lt;ip&gt; &lt;port&gt;
-&lt;username&gt; &lt;password&gt;</i> <br>
+&lt;username&gt; &lt;password&gt; <br>
 this command must follow &quot;allow&quot; rule. It extends
 last allow rule to build proxy chain. Proxies may be
 grouped. Proxy inside the group is selected randomly. If few
@ -679,51 +643,41 @@ pipelined (keep-alive) requests in the same connection use
 the same chain.</p>
 <p style="margin-left:6%; margin-top: 1em">type is one of:
-<b><br>
+<br>
-extip</b> does not actually redirect the request; it sets
+extip does not actually redirect the request; it sets the
-the external address for this request to <i>&lt;ip&gt;</i>.
+external address for this request to &lt;ip&gt;. It can be
-It can be chained with another parent type. It&rsquo;s
+chained with another parent type. It&rsquo;s useful to set
-useful to set the external IP based on ACL or make it
+the external IP based on ACL or make it random. <br>
-random. <b><br>
+tcp simply redirect connection. TCP is always last in chain.
-tcp</b> simply redirect connection. TCP is always last in
+This type of proxy is a simple TCP redirection, it does not
-chain. This type of proxy is a simple TCP redirection, it
+support parent authentication. <br>
-does not support parent authentication. <b><br>
+http redirect to HTTP proxy. HTTP is always the last chain.
-http</b> redirect to HTTP proxy. HTTP is always the last
+It should only be used with http (proxy) service, if used
-chain. It should only be used with http (proxy) service, if
+with different service, it works as tcp redirection. <br>
-used with different service, it works as tcp redirection.
+pop3 redirect to POP3 proxy (only local redirection is
-<b><br>
+supported, can only be used as a first hop in chaining) <br>
-pop3</b> redirect to POP3 proxy (only local redirection is
+ftp redirect to FTP proxy (only local redirection is
-supported, can only be used as a first hop in chaining)
+supported, can only be used as a first hop in chaining) <br>
-<b><br>
+connect parent is HTTP CONNECT method proxy <br>
-ftp</b> redirect to FTP proxy (only local redirection is
+connect+ parent is HTTP CONNECT proxy with name resolution
-supported, can only be used as a first hop in chaining)
+(hostname is used instead of IP if available) <br>
-<b><br>
+socks4 parent is SOCKSv4 proxy <br>
-connect</b> parent is HTTP CONNECT method proxy <b><br>
+socks4+ parent is SOCKSv4 proxy with name resolution
-connect+</b> parent is HTTP CONNECT proxy with name
+(SOCKSv4a) <br>
-resolution (hostname is used instead of IP if available)
+socks5 parent is SOCKSv5 proxy <br>
-<b><br>
+socks5+ parent is SOCKSv5 proxy with name resolution <br>
-socks4</b> parent is SOCKSv4 proxy <b><br>
+socks4b parent is SOCKS4b (broken SOCKSv4 implementation
 socks4+</b> parent is SOCKSv4 proxy with name resolution
 (SOCKSv4a) <b><br>
 socks5</b> parent is SOCKSv5 proxy <b><br>
 socks5+</b> parent is SOCKSv5 proxy with name resolution
 <b><br>
 socks4b</b> parent is SOCKS4b (broken SOCKSv4 implementation
 with shortened server reply; I never saw this kind of
 server, but they say there are some). Normally you should
 not use this option. Do not confuse this option with
-SOCKSv4a (<b>socks4+</b>). <b><br>
+SOCKSv4a (socks4+). <br>
-socks5b</b> parent is SOCKS5b (broken SOCKSv5 implementation
+socks5b parent is SOCKS5b (broken SOCKSv5 implementation
 with shortened server reply. I think you will never find it
 useful). Never use this option unless you know exactly you
-need it. <b><br>
+need it. <br>
-admin</b> redirect request to local &acute;admin&acute;
+admin redirect request to local &acute;admin&acute; service
-service (with -s parameter). <b><br>
+(with -s parameter). <br>
-ha</b> send HAProxy PROXY protocol v1 header to parent
+Use &quot;+&quot; proxy only with &quot;fakeresolve&quot;
 proxy. Must be the last in the proxy chain. Useful for
 passing client IP information to the parent proxy. Example:
 parent 1000 ha <br>
 Use &quot;+&quot; proxy only with <b>fakeresolve</b>
 option</p>
 <p style="margin-left:6%; margin-top: 1em">IP and port are
@ -736,15 +690,7 @@ special case of local redirection, it works only with
 redirected to different service, <b>ftp</b> locally
 redirects to <b>ftppr pop3</b> locally redirects to <b>pop3p
 http</b> locally redirects to <b>proxy admin</b> locally
-redirects to the admin -s service. <br>
+redirects to the admin -s service.</p>
 Unix domain sockets can be used instead of IP address with
 the syntax <i>unix:/path/to/socket</i> (e.g., parent 1000
 socks5 unix:/var/run/parent.sock 1080). On Linux, abstract
 (fileless) Unix sockets are supported with
 <i>unix:@socketname</i> syntax (e.g., parent 1000 http
 unix:@parent.proxy 3128). When using Unix sockets, the port
 number is ignored but must be specified for syntax
 compatibility.</p>
 <p style="margin-left:6%; margin-top: 1em">Main purpose of
 local redirections is to have the requested resource (URL or
@ -765,26 +711,26 @@ HTTP proxy, local HTTP proxy parses requests and allows only
 GET and POST requests. <br>
 parent 1000 http 1.2.3.4 0 <br>
 Changes the external address for a given connection to
-1.2.3.4 (equivalent to <b>-e1.2.3.4</b>) <br>
+1.2.3.4 (equivalent to -e1.2.3.4) <br>
 Optional username and password are used to authenticate on
 parent proxy. Username of &acute;*&acute; means username
 must be supplied by user.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>parentretries</b>
-<i>&lt;number&gt;</i> <br>
+&lt;number&gt; <br>
 Number of retries to connect to parent proxy. Default is
 1.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>nolog</b>
-<i>&lt;n&gt;</i> <br>
+&lt;n&gt; <br>
 extends last allow or deny command to prevent logging, e.g.
 <br>
 allow * * 192.168.1.1 <br>
 nolog</p>
 <p style="margin-left:6%; margin-top: 1em"><b>weight</b>
-<i>&lt;n&gt;</i> <br>
+&lt;n&gt; <br>
 extends last allow or deny command to set weight for this
 request <br>
 allow * * 192.168.1.1 <br>
@ -802,31 +748,30 @@ connections.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>bandlimin</b>
-<i>&lt;rate&gt; &lt;userlist&gt; &lt;sourcelist&gt;
+&lt;rate&gt; &lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt;</i> <b><br>
+&lt;timeperiodslist&gt; <b><br>
-nobandlimin</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
+nobandlimin</b> &lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt;</i> <b><br>
+&lt;timeperiodslist&gt; <b><br>
-bandlimout</b> <i>&lt;rate&gt; &lt;userlist&gt;
+bandlimout</b> &lt;rate&gt; &lt;userlist&gt;
 &lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt;</i> <b><br>
+&lt;timeperiodslist&gt; <b><br>
-nobandlimout</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
+nobandlimout</b> &lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt;</i> <br>
+&lt;timeperiodslist&gt; <br>
-bandlim sets a bandwidth limitation filter to
+bandlim sets a bandwidth limitation filter to &lt;rate&gt;
-<i>&lt;rate&gt;</i> bps (bits per second). If you want to
+bps (bits per second). If you want to specify bytes per
-specify bytes per second, multiply your value by 8. bandlim
+second, multiply your value by 8. bandlim rules act in the
-rules act in the same manner as allow/deny rules, except for
+same manner as allow/deny rules, except for one thing:
-one thing: bandwidth limiting is applied to all services,
+bandwidth limiting is applied to all services, not to some
-not to some specific service. <b>bandlimin</b> and
+specific service. bandlimin and nobandlimin apply to
-<b>nobandlimin</b> apply to incoming traffic <b><br>
+incoming traffic <br>
-bandlimout</b> and <b>nobandlimout</b> apply to outgoing
+bandlimout and nobandlimout apply to outgoing traffic <br>
 traffic <br>
 If you want to ratelimit your clients with IPs
 192.168.10.16/30 (4 addresses) to 57600 bps, you have to
 specify 4 rules like <br>
@ -844,54 +789,53 @@ nobandlimin * * * 110 <br>
 before the rest of bandlim rules.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>connlim</b>
-<i>&lt;rate&gt; &lt;period&gt; &lt;userlist&gt;
+&lt;rate&gt; &lt;period&gt; &lt;userlist&gt;
 &lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt;</i> <b><br>
+&lt;timeperiodslist&gt; <b><br>
-noconnlim</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
+noconnlim</b> &lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt;</i> <br>
+&lt;timeperiodslist&gt; <br>
 connlim sets connections rate limit per time period for
 traffic pattern controlled by ACL. Period is in seconds. If
-period is 0, <b>connlim</b> limits a number of parallel
+period is 0, connlim limits a number of parallel
 connections. <br>
 connlim 100 60 * 127.0.0.1 <br>
 allows 100 connections per minute for 127.0.0.1. <br>
 connlim 20 0 * 127.0.0.1 <br>
 allows 20 simultaneous connections for 127.0.0.1. <br>
-Like with <b>bandlimin</b>, if an individual limit is
+Like with bandlimin, if an individual limit is required per
-required per client, a separate rule must be added for every
+client, a separate rule must be added for every client. Like
-client. Like with nobandlimin, noconnlim adds an
+with nobandlimin, noconnlim adds an exception.</p>
 exception.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>counter</b>
-<i>&lt;filename&gt; &lt;reporttype&gt;
+&lt;filename&gt; &lt;reporttype&gt; &lt;reportname&gt;
-&lt;reportname&gt;</i> <b><br>
+<b><br>
-countin</b> <i>&lt;number&gt; &lt;type&gt; &lt;limit&gt;
+countin</b> &lt;number&gt; &lt;type&gt; &lt;limit&gt;
 &lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt;
 &lt;targetportlist&gt; &lt;operationlist&gt;
-&lt;weekdayslist&gt; &lt;timeperiodslist&gt;</i> <b><br>
+&lt;weekdayslist&gt; &lt;timeperiodslist&gt; <b><br>
-nocountin</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
+nocountin</b> &lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt;</i> <b><br>
+&lt;timeperiodslist&gt; <b><br>
-countout</b> <i>&lt;number&gt; &lt;type&gt; &lt;limit&gt;
+countout</b> &lt;number&gt; &lt;type&gt; &lt;limit&gt;
 &lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt;
 &lt;targetportlist&gt; &lt;operationlist&gt;
-&lt;weekdayslist&gt; &lt;timeperiodslist&gt;</i> <b><br>
+&lt;weekdayslist&gt; &lt;timeperiodslist&gt; <b><br>
-nocountout</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
+nocountout</b> &lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt;</i> <b><br>
+&lt;timeperiodslist&gt; <b><br>
-countall</b> <i>&lt;number&gt; &lt;type&gt; &lt;limit&gt;
+countall</b> &lt;number&gt; &lt;type&gt; &lt;limit&gt;
 &lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt;
 &lt;targetportlist&gt; &lt;operationlist&gt;
-&lt;weekdayslist&gt; &lt;timeperiodslist&gt;</i> <b><br>
+&lt;weekdayslist&gt; &lt;timeperiodslist&gt; <b><br>
-nocountall</b> <i>&lt;userlist&gt; &lt;sourcelist&gt;
+nocountall</b> &lt;userlist&gt; &lt;sourcelist&gt;
 &lt;targetlist&gt; &lt;targetportlist&gt;
 &lt;operationlist&gt; &lt;weekdayslist&gt;
-&lt;timeperiodslist&gt;</i></p>
+&lt;timeperiodslist&gt;</p>
 <p style="margin-left:6%; margin-top: 1em">counter,
 countin, nocountin, countout, nocountout, countall,
@ -904,33 +848,45 @@ not preserved in the counter file (that is, if the proxy is
 restarted, all counters with 0 are flushed); otherwise, it
 should be a unique sequential number which points to the
 position of the counter within the file. Type specifies a
-type of counter. Type is one of: <b><br>
+type of counter. Type is one of: <br>
-H</b> - counter is reset hourly <b><br>
+H - counter is reset hourly <br>
-D</b> - counter is reset daily <b><br>
+D - counter is reset daily <br>
-W</b> - counter is reset weekly <b><br>
+W - counter is reset weekly <br>
-M</b> - counter is reset monthly <br>
+M - counter is reset monthly <br>
 reporttype/reportname may be used to generate traffic
 reports. Reporttype is one of D, W, M, H (hourly) and
 reportname specifies the filename template for reports. The
 report is a text file with counter values in the format:
-<i><br>
+<br>
-&lt;COUNTERNUMBER&gt; &lt;TRAF&gt;</i> <br>
+&lt;COUNTERNUMBER&gt; &lt;TRAF&gt; <br>
 The rest of parameters is identical to
-<b>bandlim</b>/<b>nobandlim</b>.</p>
+bandlim/nobandlim.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>users</b>
-<i>username</i>[:<i>pwtype</i>:<i>password</i>] ... <br>
+username[:pwtype:password] ... <br>
 pwtype is one of: <br>
-none (empty) - use system authentication <b><br>
+none (empty) - use system authentication <br>
-CL</b> - password is cleartext <b><br>
+CL - password is cleartext <br>
-CR</b> - password is crypt-style password <b><br>
+CR - password is crypt-style password <br>
-NT</b> - password is NT password (in hex) <br>
+NT - password is NT password (in hex) <br>
 LM - password is LM password (in hex) <br>
 example: <br>
 users test1:CL:password1
 &quot;test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49.&quot; <br>
-users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63 <br>
+users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63</p>
-Note: double quotes are required because the password
+
-contains a $ sign.</p>
+<table width="100%" border="0" rules="none" frame="void"
       cellspacing="0" cellpadding="0">
 <tr valign="top" align="left">
 <td width="6%"></td>
 <p>Note: double quotes are required because the password
 contains a $ sign.</p></td>
 <td width="88%"></td>
 <td width="6%">
 </td></tr>
 </table>
 <p style="margin-left:6%; margin-top: 1em"><b>flush</b>
 <br>
@ -945,43 +901,42 @@ socks <br>
 sets different ACLs for <b>pop3p</b> and <b>socks</b></p>
 <p style="margin-left:6%; margin-top: 1em"><b>system</b>
-<i>&lt;command&gt;</i> <br>
+&lt;command&gt; <br>
 execute system command</p>
 <p style="margin-left:6%; margin-top: 1em"><b>pidfile</b>
-<i>&lt;filename&gt;</i> <br>
+&lt;filename&gt; <br>
 write pid of current process to file. It can be used to
 manipulate 3proxy with signals under Unix. Currently next
 signals are available:</p>
 <p style="margin-left:6%; margin-top: 1em"><b>monitor</b>
-<i>&lt;filename&gt;</i> <br>
+&lt;filename&gt; <br>
 If file monitored changes in modification time or size,
 3proxy reloads configuration within one minute. Any number
 of files may be monitored.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>setuid</b>
-<i>&lt;uid&gt;</i> <br>
+&lt;uid&gt; <br>
 calls setuid(uid), uid can be numeric or since 0.9 username.
 Unix only. Warning: under some Linux kernels setuid() works
 for current thread only. It makes it impossible to suid for
 all threads.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>setgid</b>
-<i>&lt;gid&gt;</i> <br>
+&lt;gid&gt; <br>
 calls setgid(gid), gid can be numeric or since 0.9
 groupname. Unix only.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>chroot</b>
-<i>&lt;path&gt;</i> [<i>&lt;uid&gt;</i>]
+&lt;path&gt; [&lt;uid&gt;] [&lt;gid&gt;] <br>
 [<i>&lt;gid&gt;</i>] <br>
 calls chroot(path) and sets gid/uid. Unix only. uid/gid
 supported since 0.9, can be numeric or
 username/groupname</p>
 <p style="margin-left:6%; margin-top: 1em"><b>stacksize</b>
-<i>&lt;value_to_add_to_default_stack_size&gt;</i> <br>
+&lt;value_to_add_to_default_stack_size&gt; <br>
 Change the default size for thread stacks. May be required
 in some situations, e.g. with non-default plugins, or on
 some platforms (some FreeBSD versions may require adjusting
@ -1000,8 +955,8 @@ negative values.</p>
 <p style="margin-left:6%; margin-top: 1em"><b>plugin</b>
-<i>&lt;path_to_shared_library&gt;
+&lt;path_to_shared_library&gt; &lt;function_to_call&gt;
-&lt;function_to_call&gt;</i> [<i>&lt;arg1&gt;</i> ...] <br>
+[&lt;arg1&gt; ...] <br>
 Loads specified library and calls given export function with
 given arguments, as <br>
 int functions_to_call(struct pluginlink * pl, int argc, char
@ -1011,7 +966,7 @@ function_to_call must return 0 in case of success, value
 <p style="margin-left:6%; margin-top: 1em"><b>filtermaxsize</b>
-<i>&lt;max_size_of_data_to_filter&gt;</i> <br>
+&lt;max_size_of_data_to_filter&gt; <br>
 If Content-length (or another data length) is greater than
 the given value, no data filtering will be performed through
 filtering plugins to avoid data corruption and/or
--- a/doc/html/man8/3proxy.8.html
+++ b/doc/html/man8/3proxy.8.html
@ -195,7 +195,7 @@ to <b>3proxy@3proxy.org</b></p>
 </h2>
-<p style="margin-left:6%; margin-top: 1em">3proxy.cfg(5),
+<p style="margin-left:6%; margin-top: 1em">3proxy.cfg(3),
 proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8),
 kill(1), syslogd(8), <br>
 https://3proxy.org/</p>
--- a/doc/html/man8/3proxy_crypt.8.html
+++ b/doc/html/man8/3proxy_crypt.8.html
@ -1,168 +0,0 @@
 <!-- Creator     : groff version 1.24.1 -->
 <html>
 <head>
 </head>
 <body>
 <h1 align="center">3proxy_crypt</h1>
 <a href="#NAME">NAME</a><br>
 <a href="#SYNOPSIS">SYNOPSIS</a><br>
 <a href="#DESCRIPTION">DESCRIPTION</a><br>
 <a href="#OPTIONS">OPTIONS</a><br>
 <a href="#EXAMPLE">EXAMPLE</a><br>
 <a href="#NOTES">NOTES</a><br>
 <a href="#BUGS">BUGS</a><br>
 <a href="#SEE ALSO">SEE ALSO</a><br>
 <a href="#AUTHORS">AUTHORS</a><br>
 <hr>
 <h2>NAME
 <a name="NAME"></a>
 </h2>
 <p style="margin-left:6%; margin-top: 1em"><b>3proxy_crypt</b>
 - utility to generate encrypted passwords for 3proxy</p>
 <h2>SYNOPSIS
 <a name="SYNOPSIS"></a>
 </h2>
 <p style="margin-left:6%; margin-top: 1em"><b>3proxy_crypt</b>
 <i>password</i> <b><br>
 3proxy_crypt</b> <i>salt password</i></p>
 <h2>DESCRIPTION
 <a name="DESCRIPTION"></a>
 </h2>
 <p style="margin-left:6%; margin-top: 1em"><i><b>3proxy_crypt</b></i>
 is a utility to generate encrypted password hashes for use
 with 3proxy configuration. Encrypted passwords allow the
 system to avoid storing passwords in cleartext in
 configuration files.</p>
 <p style="margin-left:6%; margin-top: 1em">When invoked
 with a single argument, it produces an NT password hash
 (MD4-based, suitable for NTLM authentication). The output is
 prefixed with <b>NT:</b>.</p>
 <p style="margin-left:6%; margin-top: 1em">When invoked
 with two arguments (salt and password), it produces a
 BLAKE2b password hash. The salt length is limited to 64
 characters. The output is prefixed with <b>CR:</b>.</p>
 <p style="margin-left:6%; margin-top: 1em">The resulting
 hash can be used in the 3proxy configuration file with the
 <b>users</b> directive instead of a cleartext password.</p>
 <h2>OPTIONS
 <a name="OPTIONS"></a>
 </h2>
 <p style="margin-left:6%; margin-top: 1em"><i>password</i></p>
 <p style="margin-left:15%;">Cleartext password to
 encrypt.</p>
 <table width="100%" border="0" rules="none" frame="void"
       cellspacing="0" cellpadding="0">
 <tr valign="top" align="left">
 <td width="6%"></td>
 <td width="5%">
 <p><i>salt</i></p></td>
 <td width="4%"></td>
 <td width="65%">
 <p>Salt string for BLAKE2b hashing (max 64 characters).</p></td>
 <td width="20%">
 </td></tr>
 </table>
 <h2>EXAMPLE
 <a name="EXAMPLE"></a>
 </h2>
 <p style="margin-left:6%; margin-top: 1em">Generate NT
 password hash:</p>
 <p style="margin-left:15%;">3proxy_crypt
 MySecretPassword</p>
 <p style="margin-left:6%;">Result:</p>
 <p style="margin-left:15%;">NT:3F7E6D8D96E8E7A9B0C1D2E3F4A5B6C7</p>
 <p style="margin-left:6%;">Generate BLAKE2b password hash
 with salt:</p>
 <p style="margin-left:15%;">3proxy_crypt MySalt
 MySecretPassword</p>
 <p style="margin-left:6%;">Result:</p>
 <p style="margin-left:15%;">CR:$3$MySalt$...</p>
 <p style="margin-left:6%;">Using in 3proxy.cfg:</p>
 <p style="margin-left:15%;">users
 user1:CR:$3$MySalt$...</p>
 <h2>NOTES
 <a name="NOTES"></a>
 </h2>
 <p style="margin-left:6%; margin-top: 1em">The NT hash uses
 the RSA MD4 Message-Digest Algorithm. The BLAKE2b hash uses
 the BLAKE2 cryptographic hash function.</p>
 <p style="margin-left:6%; margin-top: 1em">When a password
 hash is prefixed with <b>NT:</b> or <b>CR:</b>, 3proxy uses
 the corresponding algorithm to verify passwords instead of
 comparing cleartext strings.</p>
 <h2>BUGS
 <a name="BUGS"></a>
 </h2>
 <p style="margin-left:6%; margin-top: 1em">Report all bugs
 to <b>3proxy@3proxy.org</b></p>
 <h2>SEE ALSO
 <a name="SEE ALSO"></a>
 </h2>
 <p style="margin-left:6%; margin-top: 1em">3proxy(8),
 3proxy.cfg(5), <br>
 https://3proxy.org/</p>
 <h2>AUTHORS
 <a name="AUTHORS"></a>
 </h2>
 <p style="margin-left:6%; margin-top: 1em">3proxy is
 designed by Vladimir 3APA3A Dubrovin
 (<i>3proxy@3proxy.org</i>)</p>
 <hr>
 </body>
 </html>
--- a/doc/html/man8/ftppr.8.html
+++ b/doc/html/man8/ftppr.8.html
@ -128,11 +128,7 @@ accordance with the routing table.</p></td></tr>
 <p style="margin-top: 1em">Internal address. IP address the
 proxy accepts connections to. By default, connections to any
-interface are accepted. It&acute;s usually unsafe. Unix
+interface are accepted. It&acute;s usually unsafe.</p></td></tr>
 domain sockets can be specified with
 <i>-iunix:/path/to/socket</i> syntax (e.g.,
 -iunix:/var/run/ftppr.sock). On Linux, abstract sockets use
 <i>-iunix:@socketname</i> syntax.</p></td></tr>
 <tr valign="top" align="left">
 <td width="6%"></td>
 <td width="3%">
@ -198,7 +194,7 @@ with FTP proxy support, configure <i>internal_ip</i> and
 FTP proxy support, use <i>internal_ip</i> and <i>port</i> as
 the FTP server. The address of the real FTP server must be
 configured as a part of the FTP username. The format for the
-username is <i>username</i>@<i>server</i>, where
+username is <i>username</i><b>@</b><i>server</i>, where
 <i>server</i> is the address of the FTP server and
 <i>username</i> is the user&acute;s login on this FTP
 server. The login itself may contain an &acute;@&acute;
--- a/doc/html/man8/pop3p.8.html
+++ b/doc/html/man8/pop3p.8.html
@ -128,11 +128,7 @@ accordance with the routing table.</p></td></tr>
 <p style="margin-top: 1em">Internal address. IP address the
 proxy accepts connections to. By default, connections to any
-interface are accepted. It&acute;s usually unsafe. Unix
+interface are accepted. It&acute;s usually unsafe.</p></td></tr>
 domain sockets can be specified with
 <i>-iunix:/path/to/socket</i> syntax (e.g.,
 -iunix:/var/run/pop3p.sock). On Linux, abstract sockets use
 <i>-iunix:@socketname</i> syntax.</p></td></tr>
 <tr valign="top" align="left">
 <td width="6%"></td>
 <td width="3%">
@ -196,8 +192,8 @@ MUA (Mail User Agent) with POP3 support. Set the client to
 use <i>internal_ip</i> and <i>port</i> as a POP3 server. The
 address of the real POP3 server must be configured as a part
 of the POP3 username. The format for the username is
-<i>username</i>@<i>server</i>, where <i>server</i> is the
+<i>username</i><b>@</b><i>server</i>, where <i>server</i> is
-address of the POP3 server and <i>username</i> is the
+the address of the POP3 server and <i>username</i> is the
 user&acute;s login on this POP3 server. The login itself may
 contain an &acute;@&acute; sign. Only cleartext
 authentication is supported, because challenge-response
--- a/doc/html/man8/proxy.8.html
+++ b/doc/html/man8/proxy.8.html
@ -127,11 +127,7 @@ accordance with the routing table.</p></td></tr>
 <p style="margin-top: 1em">Internal address. IP address the
 proxy accepts connections to. By default, connections to any
-interface are accepted. It&acute;s usually unsafe. Unix
+interface are accepted. It&acute;s usually unsafe.</p></td></tr>
 domain sockets can be specified with
 <i>-iunix:/path/to/socket</i> syntax (e.g.,
 -iunix:/var/run/proxy.sock). On Linux, abstract sockets use
 <i>-iunix:@socketname</i> syntax.</p></td></tr>
 <tr valign="top" align="left">
 <td width="6%"></td>
 <td width="4%">
--- a/doc/html/man8/smtpp.8.html
+++ b/doc/html/man8/smtpp.8.html
@ -128,11 +128,7 @@ accordance with the routing table.</p></td></tr>
 <p style="margin-top: 1em">Internal address. IP address the
 proxy accepts connections to. By default, connections to any
-interface are accepted. It&acute;s usually unsafe. Unix
+interface are accepted. It&acute;s usually unsafe.</p></td></tr>
 domain sockets can be specified with
 <i>-iunix:/path/to/socket</i> syntax (e.g.,
 -iunix:/var/run/smtpp.sock). On Linux, abstract sockets use
 <i>-iunix:@socketname</i> syntax.</p></td></tr>
 <tr valign="top" align="left">
 <td width="6%"></td>
 <td width="3%">
@ -196,7 +192,7 @@ MUA (Mail User Agent) with SMTP authentication support. Set
 the client to use <i>internal_ip</i> and <i>port</i> as an
 SMTP server. The address of the real SMTP server must be
 configured as a part of the SMTP username. The format for
-the username is <i>username</i>@<i>server</i>, where
+the username is <i>username</i><b>@</b><i>server</i>, where
 <i>server</i> is the address of the SMTP server and
 <i>username</i> is the user&acute;s login on this SMTP
 server. The login itself may contain an &acute;@&acute;
--- a/doc/html/man8/socks.8.html
+++ b/doc/html/man8/socks.8.html
@ -162,11 +162,7 @@ and does not work with port translation.</p></td></tr>
 <p style="margin-top: 1em">Internal address. IP address the
 proxy accepts connections to. By default, connections to any
-interface are accepted. It&acute;s usually unsafe. Unix
+interface are accepted. It&acute;s usually unsafe.</p></td></tr>
 domain sockets can be specified with
 <i>-iunix:/path/to/socket</i> syntax (e.g.,
 -iunix:/var/run/socks.sock). On Linux, abstract sockets use
 <i>-iunix:@socketname</i> syntax.</p></td></tr>
 <tr valign="top" align="left">
 <td width="6%"></td>
 <td width="4%">
--- a/doc/html/man8/tcppm.8.html
+++ b/doc/html/man8/tcppm.8.html
@ -116,11 +116,7 @@ accordance with the routing table.</p></td></tr>
 <p style="margin-top: 1em">Internal address. IP address the
 proxy accepts connections to. By default, connections to any
-interface are accepted. It&acute;s usually unsafe. Unix
+interface are accepted. It&acute;s usually unsafe.</p></td></tr>
 domain sockets can be specified with
 <i>-iunix:/path/to/socket</i> syntax (e.g.,
 -iunix:/var/run/tcppm.sock). On Linux, abstract sockets use
 <i>-iunix:@socketname</i> syntax.</p></td></tr>
 <tr valign="top" align="left">
 <td width="6%"></td>
 <td width="3%">
@ -164,18 +160,12 @@ connections on</p>
 <p style="margin-left:6%;"><i>remote_host</i></p>
 <p style="margin-left:15%;">- IP address of the host the
-connection is forwarded to. Unix domain sockets can be
+connection is forwarded to</p>
 specified with the syntax <i>unix:/path/to/socket</i> (e.g.,
 unix:/var/run/app.sock). On Linux, abstract (fileless) Unix
 sockets use the syntax <i>unix:@socketname</i> (e.g.,
 unix:@app.socket).</p>
 <p style="margin-left:6%;"><i>remote_port</i></p>
 <p style="margin-left:15%;">- remote port the connection is
-forwarded to. Ignored when using Unix socket destination,
+forwarded to</p>
 but must be specified (use any positive value) for syntax
 compatibility.</p>
 <h2>CLIENTS
 <a name="CLIENTS"></a>
--- a/doc/html/man8/tlspr.8.html
+++ b/doc/html/man8/tlspr.8.html
@ -132,11 +132,7 @@ accordance with the routing table.</p></td></tr>
 <p style="margin-top: 1em">Internal address. IP address the
 proxy accepts connections to. By default, connections to any
-interface are accepted. It&acute;s usually unsafe. Unix
+interface are accepted. It&acute;s usually unsafe.</p></td></tr>
 domain sockets can be specified with
 <i>-iunix:/path/to/socket</i> syntax (e.g.,
 -iunix:/var/run/tlspr.sock). On Linux, abstract sockets use
 <i>-iunix:@socketname</i> syntax.</p></td></tr>
 <tr valign="top" align="left">
 <td width="6%"></td>
 <td width="4%">
--- a/doc/html/plugins/SSLPlugin.html
+++ b/doc/html/plugins/SSLPlugin.html
@ -44,7 +44,7 @@ ssl_cli (or ssl_client) - establish TLS connection to upstream server for servic
 <br><b>ssl_client_ca_store</b> /path/to/castore - CA store for ssl_client_verify (OpenSSL 3.0+)
 <br><b>ssl_client_sni</b> hostname - SNI hostname to send to upstream server (overrides the requested hostname)
 <br><b>ssl_client_alpn</b> protocol1 protocol2 ... - ALPN protocols to negotiate with upstream server (e.g., ssl_client_alpn h2 http/1.1)
-<br><b>ssl_client_mode</b> mode - when to establish TLS connection: 0 - on connect (default), 1 - after authentication, 2 - before data, 3 - only for secure parent types (ending with 's')
+<br><b>ssl_client_mode</b> mode - when to establish TLS connection: 0 - on connect (default), 1 - after authentication, 2 - before data
 <br><b>ssl_certcache</b> /path/to/cache/ - location for the generated MITM certificates cache, optional if ssl_server_ca_file / ssl_server_ca_key are configured.
 The cache may contain 3 files: 3proxy.pem - public
 self-signed certificates (used if ssl_server_ca_file is not configured),
@ -89,26 +89,6 @@ proxy -p3128
 </pre>
 Creates an HTTP proxy that connects to upstream servers via TLS with client certificate authentication.
 <h4>Conditional TLS for parent proxy (ssl_client_mode 3):</h4>
 <pre>
 plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_server_cert /path/to/server.crt
 ssl_server_key /path/to/key
 ssl_client_mode 3
 auth strong
 allow user1
 parent 1000 https parent1.example.com 443
 allow user2
 parent 1000 socks5 parent2.example.com 1080
 ssl_serv
 ssl_cli
 proxy -p3128
 ssl_noserv
 ssl_nocli
 </pre>
 Creates an HTTP proxy on port 3128 that uses TLS for client connections (ssl_serv). With ssl_client_mode 3, TLS handshake to parent proxy is performed only if the parent type ends with 's' (secure types). In this example, user1's traffic goes through an https parent proxy with TLS encryption, while user2's traffic goes through a regular socks5 parent without TLS. Secure parent types include: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps.
 <h4>mTLS example (require client certificate):</h4>
 <pre>
 plugin /path/to/SSLPlugin.so ssl_plugin
--- a/doc/html/plugins/SSLPlugin.ru.html
+++ b/doc/html/plugins/SSLPlugin.ru.html
@ -44,7 +44,7 @@ ssl_cli (или ssl_client) - устанавливать TLS-соединени
 <br><b>ssl_client_ca_store</b> /path/to/castore - хранилище CA-сертификатов для ssl_client_verify (OpenSSL 3.0+)
 <br><b>ssl_client_sni</b> hostname - SNI-имя хоста для отправки вышестоящему серверу (переопределяет запрошенное имя хоста)
 <br><b>ssl_client_alpn</b> протокол1 протокол2 ... - ALPN-протоколы для согласования с вышестоящим сервером (например, ssl_client_alpn h2 http/1.1)
-<br><b>ssl_client_mode</b> режим - когда устанавливать TLS-соединение: 0 - при подключении (по умолчанию), 1 - после аутентификации, 2 - перед передачей данных, 3 - только для защищённых типов parent прокси (заканчивающихся на 's')
+<br><b>ssl_client_mode</b> режим - когда устанавливать TLS-соединение: 0 - при подключении (по умолчанию), 1 - после аутентификации, 2 - перед передачей данных
 <br><b>ssl_certcache</b> /path/to/cache/ - расположение кеша сгенерированных MITM-сертификатов. Кеш может содержать
 файлы 3proxy.pem, 3proxy.key, server.key, которые используются как ssl_server_ca_file,
 ssl_server_ca_key и ssl_server_key соответственно, если они не заданы. Если server.key не задан,
@ -86,26 +86,6 @@ proxy -p3128
 </pre>
 Создается HTTP-прокси, который соединяется с вышестоящими серверами через TLS с аутентификацией по клиентскому сертификату.
 <h4>Условное TLS для parent прокси (ssl_client_mode 3):</h4>
 <pre>
 plugin /path/to/SSLPlugin.so ssl_plugin
 ssl_server_cert /path/to/server.crt
 ssl_server_key /path/to/key
 ssl_client_mode 3
 auth strong
 allow user1
 parent 1000 https parent1.example.com 443
 allow user2
 parent 1000 socks5 parent2.example.com 1080
 ssl_serv
 ssl_cli
 proxy -p3128
 ssl_noserv
 ssl_nocli
 </pre>
 Создается HTTP-прокси на порту 3128, использующий TLS для клиентских соединений (ssl_serv). При ssl_client_mode 3 TLS-рукопожатие с родительским прокси выполняется только если тип parent прокси заканчивается на 's' (защищённые типы). В данном примере трафик user1 идёт через https родительский прокси с TLS-шифрованием, а трафик user2 — через обычный socks5 родитель без TLS. Защищённые типы parent прокси: tcps, https, connects, connect+s, socks4s, socks5s, socks4+s, socks5+s, pop3s, smtps, ftps.
 <h4>Пример mTLS (требование клиентского сертификата):</h4>
 <pre>
 plugin /path/to/SSLPlugin.so ssl_plugin
--- a/man/3proxy.8
+++ b/man/3proxy.8
@ -140,7 +140,7 @@ configuration file
 Report all bugs to
 .BR 3proxy@3proxy.org
 .SH SEE ALSO
-3proxy.cfg(5), proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8),
+3proxy.cfg(3), proxy(8), ftppr(8), socks(8), pop3p(8), tcppm(8), udppm(8),
 kill(1), syslogd(8),
 .br
 https://3proxy.org/
--- a/man/3proxy.cfg.3
+++ b/man/3proxy.cfg.3
@ -1,4 +1,4 @@
-.TH 3proxy.cfg "5" "January 2019" "3proxy 0.9" "Universal proxy server"
+.TH 3proxy.cfg "8" "January 2019" "3proxy 0.9" "Universal proxy server"
 .SH NAME
 .B 3proxy.cfg
 3proxy configuration file
@ -69,11 +69,11 @@ Recursion is not allowed.
 .br
 .B tcppm
 [options]
-\fI<SRCPORT>\fR \fI<DSTADDR>\fR \fI<DSTPORT>\fR
+<SRCPORT> <DSTADDR> <DSTPORT>
 .br
 .B udppm
 [options]
-\fI<SRCPORT>\fR \fI<DSTADDR>\fR \fI<DSTPORT>\fR
+<SRCPORT> <DSTADDR> <DSTPORT>
 .br
 Descriptions:
 .br
@ -105,13 +105,7 @@ Web interface (default port 80)
 caching DNS proxy (default port 53)
 .br
 .B tcppm
-TCP portmapper. Destination address (DSTADDR) can be a Unix domain socket
+TCP portmapper
 using the syntax
 .I unix:/path/to/socket
 (e.g., tcppm 8080 unix:/var/run/app.sock 0). On Linux, abstract sockets use
 .I unix:@socketname
 syntax. When using Unix socket destination, the port number is ignored
 but must be specified for syntax compatibility.
 .br
 .B udppm
 UDP portmapper
@ -119,10 +113,16 @@ UDP portmapper
 .br
 Options:
 .br
-.B -p\fINUMBER\fR
+.B -pNUMBER
 change default server port to NUMBER
 .br
-.B -g(\fIGRACE_TRAFF\fB,\fIGRACE_NUM\fB,\fIGRACE_DELAY\fR)
+.B -n
 disable NTLM authentication (required if passwords are stored in Unix crypt format).
 .br
 .B -n1
 enable NTLMv1 authentication.
 .br
 .B -g(GRACE_TRAFF,GRACE_NUM,GRACE_DELAY)
 delay GRACE_DELAY milliseconds before polling if average polling size is below GRACE_TRAFF bytes and GRACE_NUM read operations in a single direction are detected within 1 second. Useful to minimize polling
 .B -s
 (for admin) secure, allow only secure operations, currently only traffic counters
@ -159,18 +159,18 @@ Resolve IPv6 addresses if IPv4 address is not resolvable
 .B -64
 Resolve IPv4 addresses if IPv6 address is not resolvable
 .br
-.B -R\fIHOST\fB:\fIport\fR
+.B -RHOST:port
 listen on given local HOST:port for incoming connections instead of making remote outgoing connection. Can be used with another 3proxy service running -r option for connect back functionality. Most commonly used with tcppm. HOST can be given as IP or hostname, useful in case of dynamic DNS.
 .br
-.B -r\fIHOST\fB:\fIport\fR
+.B -rHOST:port
 connect to given remote HOST:port instead of listening local connection on -p or default port. Can be used with another 3proxy service running -R option for connect back functionality. Most commonly used with proxy or socks. HOST can be given as IP or hostname, useful in case of dynamic DNS.
 .br
-.B -oc\fIOPTIONS\fB, -os\fIOPTIONS\fB, -ol\fIOPTIONS\fB, -or\fIOPTIONS\fB, -oR\fIOPTIONS\fR
+.B -ocOPTIONS, -osOPTIONS, -olOPTIONS, -orOPTIONS, -oROPTIONS
-options for proxy-to-client (\fB-oc\fR), proxy-to-server (\fB-os\fR), proxy listening (\fB-ol\fR), connect back client (\fB-or\fR), connect back listening (\fB-oR\fR) sockets.
+options for proxy-to-client (oc), proxy-to-server (os), proxy listening (ol), connect back client (or), connect back listening (oR) sockets.
 Options like TCP_CORK, TCP_NODELAY, TCP_DEFER_ACCEPT, TCP_QUICKACK, TCP_TIMESTAMPS, USE_TCP_FASTOPEN, SO_REUSEADDR, SO_REUSEPORT, SO_PORT_SCALABILITY, SO_REUSE_UNICASTPORT, SO_KEEPALIVE, SO_DONTROUTE may be supported depending on OS.
 .br
-.B -Di\fIINTERFACE\fB, -De\fIINTERFACE\fR
+.B -DiINTERFACE, -DeINTERFACE
-bind internal (\fB-Di\fR) / external (\fB-De\fR) interface to given INTERFACE (e.g. eth0) if \fBSO_BINDTODEVICE\fR is supported by the system. You may need to run as root or have \fBCAP_NET_RAW\fR capability in order to bind to an interface, depending on the system, so this option may require root privileges and can be incompatible with some configuration commands like \fBchroot\fR and \fBsetuid\fR (and \fBdaemon\fR if setcap is used).
+bind internal interface / external interface to given INTERFACE (e.g. eth0) if SO_BINDTODEVICE is supported by the system. You may need to run as root or have CAP_NET_RAW capability in order to bind to an interface, depending on the system, so this option may require root privileges and can be incompatible with some configuration commands like chroot and setuid (and daemon if setcap is used).
 .br
 .B -e
 External address. IP address of the interface the proxy should initiate connections
@ -181,23 +181,11 @@ with the routing table.
 .B -i
 Internal address. IP address the proxy accepts connections to.
 By default, connections to any interface are accepted. 
 Unix domain sockets can be specified with
 .I -iunix:/path/to/socket
 syntax. On Linux, abstract sockets use
 .I -iunix:@socketname
 syntax. 
 .br
-.B -Ne
+.B -N
-(for socks) External NAT address (between 3proxy and destination server) to report to client for CONNECT and BIND. By default external address is reported. It's only useful in the case of IP-IP NAT (will not work for PAT).
+(for socks) External NAT address 3proxy reports to client for BIND and UDPASSOC
-.br
+By default external address is reported. It's only useful in the case
-.B -Ni
+of IP-IP NAT (will not work for PAT)
 (for socks) Internal NAT address (between client and 3proxy) to report to client for UDPASSOC. By default internal address is reported. It's only useful in the case of IP-IP NAT (will not work for PAT).
 .br
 .B -H
 (for all services) Expect HAProxy PROXY protocol v1 header on incoming connection.
 This allows the proxy to receive real client IP address from HAProxy or other
 load balancer that supports the PROXY protocol. The header must be sent before
 any protocol-specific data.
 .br
 Also, all options mentioned for 
 .BR proxy (8)
@ -216,7 +204,7 @@ pop3username@pop3server. If POP3 proxy access must be authenticated, you can
 specify username as proxy_username:proxy_password:POP3_username@pop3server
 .br
 DNS proxy resolves any types of records but only hostnames are cached. It
-requires \fBnserver\fR/\fBnscache\fR to be configured. If \fBnserver\fR is configured as TCP,
+requires nserver/nscache to be configured. If nserver is configured as TCP,
 redirections are applied on connection, so parent proxy may be used to resolve
 names to IP.
 .br
@ -232,14 +220,14 @@ proxy on a client with FTP proxy support. Username format is one of
 Please note, if you use FTP client interface for FTP proxy do not add FTPpassword and FTPServer to username, because FTP client does it for you. That is, if you use 3proxy with authentication use proxyuser:proxypassword:FTPuser as FTP username, otherwise do not change original FTP user name
 .br
-.BR include
+.B include
-\fI<path>\fR
+<path>
 .br
 Include config file
 .br
-.BR config
+.B config
-\fI<path>\fR
+<path>
 .br
 Path to configuration file to use on 3proxy restart or to save configuration.
@ -258,8 +246,8 @@ alternate config file. Think twice before using it.
 End of configuration
 .br
-.BR log
+.B log
-[[@|&]\fIlogfile\fR] [\fI<LOGTYPE>\fR]
+[[@|&]logfile] [<LOGTYPE>]
 .br
 sets logfile for all gateways
 .br
@ -271,17 +259,17 @@ alternate config file. Think twice before using it.
 .br
 LOGTYPE is one of:
 .br
-  \fBc\fR Minutely
+  c Minutely
 .br
-  \fBH\fR Hourly
+  H Hourly
 .br
-  \fBD\fR Daily
+  D Daily
 .br
-  \fBW\fR Weekly (starting from Sunday)
+  W Weekly (starting from Sunday)
 .br
-  \fBM\fR Monthly
+  M Monthly
 .br
-  \fBY\fR Annually
+  Y Annually
 .br
 if logfile is not specified logging goes to stdout. You can specify individual logging options for gateway by using -l
 option in gateway configuration.
@ -292,13 +280,13 @@ As with "logformat" filename must begin with \'L\' or \'G\' to specify Local or
 Grinwitch time zone for all time-based format specificators.
 .br
-.BR rotate
+.B rotate
-\fI<n>\fR
+<n>
 how many archived log files to keep
 .br
-.BR logformat
+.B logformat
-\fI<format>\fR
+<format>
 .br
 Format for log record. First symbol in format must be L (local time)
 or G (absolute Grinwitch time). 
@ -380,8 +368,8 @@ with space and all time based elemnts are in local time zone.
 logformat "-\'+_Linsert into log (l_date, l_user, l_service, l_in, l_out, l_descr) values (\'%d-%m-%Y %H:%M:%S\', \'%U\', \'%N\', %I, %O, \'%T\')"
 .br
-.BR logdump
+.B logdump
-\fI<in_traffic_limit>\fR \fI<out_traffic_limit>\fR
+<in_traffic_limit> <out_traffic_limit>
 .br
 Immediately creates additional log records if given amount of incoming/outgoing
 traffic is achieved for connection, without waiting for connection to finish.
@ -389,56 +377,56 @@ It may be useful to prevent information about long-lasting downloads on server
 shutdown.
 .br
-.BR delimchar
+.B delimchar
-\fI<char>\fR
+<char>
 .br
 Sets the delimiter character used to separate username from hostname in proxy
 authentication strings (e.g. for FTP, POP3 proxies). Default is \'@\'. For example,
 to use \'#\' instead: delimchar #. This allows usernames to contain the \'@\' character.
 .br
-.BR archiver
+.B archiver
-\fI<ext>\fR \fI<commandline>\fR
+<ext> <commandline>
 .br
 Archiver to use for log files. <ext> is file extension produced by
 archiver. Filename will be last argument to archiver, optionally you
 can use %A as produced archive name and %F as filename.
 .br
-.BR timeouts
+.B timeouts
-\fI<BYTE_SHORT>\fR \fI<BYTE_LONG>\fR \fI<STRING_SHORT>\fR \fI<STRING_LONG>\fR \fI<CONNECTION_SHORT>\fR \fI<CONNECTION_LONG>\fR \fI<DNS>\fR \fI<CHAIN>\fR \fI<CONNECT>\fR \fI<CONNECTBACK>\fR
+<BYTE_SHORT> <BYTE_LONG> <STRING_SHORT> <STRING_LONG> <CONNECTION_SHORT> <CONNECTION_LONG> <DNS> <CHAIN> <CONNECT> <CONNECTBACK>
 .br
 Sets timeout values, defaults 1, 5, 30, 60, 180, 1800, 15, 60, 15, 5.
 .br
- \fBBYTE_SHORT\fR short timeout for single byte, is usually used for receiving single byte from stream.
+ BYTE_SHORT short timeout for single byte, is usually used for receiving single byte from stream.
 .br
- \fBBYTE_LONG\fR long timeout for single byte, is usually used for receiving first byte in frame (for example first byte in socks request).
+ BYTE_LONG long timeout for single byte, is usually used for receiving first byte in frame (for example first byte in socks request).
 .br
- \fBSTRING_SHORT\fR short timeout, for character string within stream (for example to wait between 2 HTTP headers)
+ STRING_SHORT short timeout, for character string within stream (for example to wait between 2 HTTP headers)
 .br
- \fBSTRING_LONG\fR long timeout, for first string in stream (for example to wait for HTTP request).
+ STRING_LONG long timeout, for first string in stream (for example to wait for HTTP request).
 .br
- \fBCONNECTION_SHORT\fR inactivity timeout for short connections (HTTP, POP3, etc).
+ CONNECTION_SHORT inactivity timeout for short connections (HTTP, POP3, etc).
 .br
- \fBCONNECTION_LONG\fR inactivity timeout for long connection (SOCKS, portmappers, etc).
+ CONNECTION_LONG inactivity timeout for long connection (SOCKS, portmappers, etc).
 .br
- \fBDNS\fR timeout for DNS request before requesting next server
+ DNS timeout for DNS request before requesting next server
 .br
- \fBCHAIN\fR timeout for reading data from chained connection
+ CHAIN timeout for reading data from chained connection
 .br
 default timeouts 1 5 30 60 180 1800 15 60 15 5
 .br
-.BR maxseg
+.B maxseg
-\fI<value>\fR
+<value>
 .br
 Sets TCP maximum segment size (MSS) for outgoing connections. This can be used
 to work around path MTU discovery issues or to optimize traffic for specific
 network conditions.
 .br
-.BR radius
+.B radius 
-\fI<NAS_SECRET>\fR \fI<radius_server_1\fR[:\fIport\fR][/\fIlocal_address_1\fR]\fR \fI<radius_server_2\fR[:\fIport\fR][/\fIlocal_address_2\fR]\fR
+<NAS_SECRET> <radius_server_1[:port][/local_address_1]> <radius_server_2[:port][/local_address_2]>
 .br
 Configures RADIUS servers to be used for logging and authentication (log and auth types
 must be set to radius). port and local address to use with given server may be specified.
@ -457,11 +445,11 @@ Login-IPv6-Host / Login-IP-Host: (requested IP).
 .br
 Supported reply attributes for authentication:
 Framed-IP-Address / Framed-IPv6-Address (IP to assign to user), Reply-Message.
-Use \fBauthcache\fR to speedup authentication. RADIUS feature is currently experimental.
+Use authcache to speedup authentication. RADIUS feature is currently experimental.
 .br
-.BR nserver
+.B nserver
-\fI<ipaddr>\fR[:\fIport\fR][/\fItcp\fR]
+<ipaddr>[:port][/tcp]
 .br
 Nameserver to use for name resolutions. If none specified
 system routines for name resolution is
@ -470,27 +458,27 @@ If optional /tcp is added to IP address, name resolution is
 performed over TCP.
 .br
-.BR authnserver
+.B authnserver
-\fI<ipaddr>\fR[:\fIport\fR][/\fItcp\fR]
+<ipaddr>[:port][/tcp]
 .br
 Nameserver to use for DNS-based authentication (e.g. dnsname auth type).
 If not specified, nserver is used. The syntax is the same as for nserver.
 .br
-.BR nscache
+.B nscache
-\fI<cachesize>\fR
+<cachesize>
-.BR nscache6
+.B nscache6
-\fI<cachesize>\fR
+<cachesize>
 .br
- Cache \fI<cachesize>\fR records for name resolution (\fBnscache\fR for IPv4,
+ Cache <cachesize> records for name resolution (nscache for IPv4,
-\fBnscache6\fR for IPv6). The cache size should usually be large enough
+nscache6 for IPv6). The cache size should usually be large enough
 (for example, 65536).
 .br
-.BR nsrecord
+.B nsrecord
-\fI<hostname>\fR \fI<hostaddr>\fR
+<hostname> <hostaddr>
 .br
- Adds static record to nscache. \fBnscache\fR must be enabled. If 0.0.0.0
+ Adds static record to nscache. nscache must be enabled. If 0.0.0.0
 is used as a hostaddr host will never resolve, it can be used to
 blacklist something or together with 
 .B dialer
@ -500,11 +488,11 @@ command to set up UDL for dialing.
 .B fakeresolve
 .br
 All names are resolved to the 127.0.0.2 address. Useful if all requests are
-redirected to a parent proxy with \fBhttp\fR, \fBsocks4+\fR, \fBconnect+\fR or \fBsocks5+\fR.
+redirected to a parent proxy with http, socks4+, connect+ or socks5+.
 .br
-.BR dialer
+.B dialer
-\fI<progname>\fR
+<progname>
 .br
 Execute progname if external name can\'t be resolved.
 Hint: if you use nscache, dialer may not work, because names will
@ -513,46 +501,38 @@ http://dial.right.now/ from browser to set up connection.
 .br
-.BR internal
+.B internal
-\fI<ipaddr>\fR
+<ipaddr>
 .br
 sets ip address of internal interface. This IP address will be used
 to bind gateways. Alternatively you can use -i option for individual
 gateways. Since 0.8 version, IPv6 address may be used.
 .br
 Unix domain sockets are supported with the syntax
 .I unix:/path/to/socket
 (e.g., internal unix:/var/run/3proxy.sock). On Linux, abstract (fileless)
 Unix sockets are supported with the syntax
 .I unix:@socketname
 (e.g., internal unix:@3proxy). When using Unix sockets, the socket file
 is automatically created and removed on service start/stop.
 .br
-.BR external
+.B external
-\fI<ipaddr>\fR
+<ipaddr>
 .br
 sets ip address of external interface. This IP address will be source
 address for all connections made by proxy. Alternatively you can use -e
 option to specify individual address for gateway. Since 0.8 version
-External or \fB-e\fR can be given twice: once with IPv4 and once with IPv6 address.
+External or -e can be given twice: once with IPv4 and once with IPv6 address.
 .br
-.BR maxconn
+.B maxconn
-\fI<number>\fR
+<number>
 .br
 sets the maximum number of simultaneous connections to each service
 started after this command at the network level. Default is 100.
 .br
- To limit clients, use \fBconnlim\fR instead. \fBmaxconn\fR will silently ignore
+ To limit clients, use connlim instead. maxconn will silently ignore
-new connections, while \fBconnlim\fR will report back to the client that
+new connections, while connlim will report back to the client that
 the connection limit has been reached.
 .br
 .B backlog
 .br
 sets the listening socket backlog of new connections. Default is
-1 + \fBmaxconn\fR/8. Maximum value is capped by kernel tunable somaxconn.
+1 + maxconn/8. Maximum value is capped by kernel tunable somaxconn.
 .br
 .B service
@ -566,40 +546,40 @@ to reinstall the service.
 .B daemon
 .br
 Should be specified to close the console. Do not use \'daemon\' with \'service\'.
-At least under FreeBSD, \fBdaemon\fR should precede any proxy service
+At least under FreeBSD, \'daemon\' should precede any proxy service
 and log commands to avoid socket problems. Always place it in the beginning
 of the configuration file.
 .br
-.BR auth
+.B auth
-\fI<authtype>\fR [...]
+<authtype> [...]
 .br
 Type of user authorization. Currently supported:
 .br
- \fBnone\fR - no authentication or authorization required.
+ none - no authentication or authorization required.
 .br
 Note: if auth is none, any IP-based limitation, redirection, etc. will not work.
 This is the default authentication type
 .br
- \fBiponly\fR - authentication by access control list with username ignored.
+ iponly - authentication by access control list with username ignored.
 Appropriate for most cases
 .br
- \fBuseronly\fR - authentication by username without checking for any password with
+ useronly - authentication by username without checking for any password with
 authorization by ACLs. Useful for e.g. SOCKSv4 proxy and icqpr (icqpr set UIN /
 AOL screen name as a username)
 .br
- \fBdnsname\fR - authentication by DNS hostname with authorization by ACLs.
+ dnsname - authentication by DNS hostname with authorization by ACLs.
 The DNS hostname is resolved via a PTR (reverse) record and validated (the resolved
 name must resolve to the same IP address). It\'s recommended to use authcache by
 IP for this authentication.
 NB: there is no password check; the name may be spoofed.
 .br
- \fBstrong\fR - username/password authentication required. It will work with
+ strong - username/password authentication required. It will work with
 SOCKSv5, FTP, POP3 and HTTP proxy. 
 .br
- \fBcache\fR - cached authentication, may be used with \'authcache\'.
+ cache - cached authentication, may be used with \'authcache\'.
 .br
- \fBradius\fR - authentication with RADIUS.
+ radius - authentication with RADIUS.
 .br
 Plugins may add additional authentication types.
@ -616,43 +596,42 @@ IP-based authentication for dedicated laptops and request a username/password fo
 shared ones.
 .br
-.BR authcache
+.B authcache
-\fI<cachtype>\fR \fI<cachtime>\fR \fI<cachesize>\fR
+<cachtype> <cachtime>
 .br
 Cache authentication information for a given amount of time (cachetime) in seconds.
 cachesize limits number of cache entries.
 Cachetype is one of:
 .br
- \fBip\fR - after successful authentication all connections during caching time
+ ip - after successful authentication all connections during caching time
 from same IP are assigned to the same user, username is not requested.
 .br
- \fBip,user\fR username is requested and all connections from the same IP are
+ ip,user username is requested and all connections from the same IP are
 assigned to the same user without actual authentication.
 .br
- \fBuser\fR - same as above, but IP is not checked.
+ user - same as above, but IP is not checked. 
 .br
- \fBuser,password\fR - both username and password are checked against cached ones.
+ user,password - both username and password are checked against cached ones.
 .br
- \fBlimit\fR - limit user to use only one ip, \'ip\' and \'user\' are required
+ limit - limit user to use only one ip, \'ip\' and \'user\' are required
 .br
- \fBack\fR - only use cached auth if user access service with same ACL
+ acl - only use cached auth if user access service with same ACL 
 .br
- \fBext\fR - cache external IP
+ ext - cache external IP
 .br
-Use auth type \fBcache\fR for cached authentication
+Use auth type \'cache\' for cached authentication
 .br
-.BR allow
+.B allow
-\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
+<weekdayslist> <timeperiodslist>
 .br
-.BR deny
+.B deny
-\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
+<weekdayslist> <timeperiodslist>
 .br
-.BR redirect
+.B redirect
-\fI<ip>\fR \fI<port>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+<ip> <port> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
+<weekdayslist> <timeperiodslist>
 .br
 Access control entries. All lists are comma-separated, no spaces are
 allowed. Usernames are case sensitive (if used with authtype nbname
@ -681,42 +660,42 @@ to appropriate interface only or to use ip filters.
 .br
 Operation is one of:
 .br
- \fBCONNECT\fR establish outgoing TCP connection
+ CONNECT establish outgoing TCP connection
 .br
- \fBBIND\fR bind TCP port for listening
+ BIND bind TCP port for listening
 .br
- \fBUDPASSOC\fR make UDP association
+ UDPASSOC make UDP association
 .br
- \fBICMPASSOC\fR make ICMP association (for future use)
+ ICMPASSOC make ICMP association (for future use)
 .br
- \fBHTTP_GET\fR HTTP GET request
+ HTTP_GET HTTP GET request
 .br
- \fBHTTP_PUT\fR HTTP PUT request
+ HTTP_PUT HTTP PUT request
 .br
- \fBHTTP_POST\fR HTTP POST request
+ HTTP_POST HTTP POST request
 .br
- \fBHTTP_HEAD\fR HTTP HEAD request
+ HTTP_HEAD HTTP HEAD request
 .br
- \fBHTTP_CONNECT\fR HTTP CONNECT request
+ HTTP_CONNECT HTTP CONNECT request
 .br
- \fBHTTP_OTHER\fR over HTTP request
+ HTTP_OTHER over HTTP request
 .br
- \fBHTTP\fR matches any HTTP request except HTTP_CONNECT
+ HTTP matches any HTTP request except HTTP_CONNECT
 .br
- \fBHTTPS\fR same as HTTP_CONNECT
+ HTTPS same as HTTP_CONNECT
 .br
- \fBFTP_GET\fR FTP get request
+ FTP_GET FTP get request
 .br
- \fBFTP_PUT\fR FTP put request
+ FTP_PUT FTP put request
 .br
- \fBFTP_LIST\fR FTP list request
+ FTP_LIST FTP list request
 .br
- \fBFTP_DATA\fR FTP data connection. Note: FTP_DATA requires access to dynamic
+ FTP_DATA FTP data connection. Note: FTP_DATA requires access to dynamic
 non-privileged (1024-65535) ports on the remote side.
 .br
- \fBFTP\fR matches any FTP/FTP Data request
+ FTP matches any FTP/FTP Data request
 .br
- \fBADMIN\fR access to administration interface
+ ADMIN access to administration interface
 .br
 Weekdays are week day numbers or periods, 0 or 7 means Sunday, 1 is Monday, 1-5 means Monday through Friday.
@ -725,8 +704,8 @@ non-privileged (1024-65535) ports on the remote side.
 periods in HH:MM:SS-HH:MM:SS format. For example, 00:00:00-08:00:00,17:00:00-24:00:00 lists non-working hours.
 .br
-.BR parent
+.B parent
-\fI<weight>\fR \fI<type>\fR \fI<ip>\fR \fI<port>\fR \fI<username>\fR \fI<password>\fR
+<weight> <type> <ip> <port> <username> <password>
 .br
 this command must follow "allow" rule. It extends last allow rule to
 build proxy chain. Proxies may be grouped. Proxy inside the
@ -763,45 +742,41 @@ with probability of 0.7) for outgoing web connections. Chains are only applied t
 .br
 type is one of:
 .br
- \fBextip\fR does not actually redirect the request; it sets the external address for this request to \fI<ip>\fR. It can be chained with another parent type. It's useful to set the external IP based on ACL or make it random.
+ extip does not actually redirect the request; it sets the external address for this request to <ip>. It can be chained with another parent type. It's useful to set the external IP based on ACL or make it random.
 .br
- \fBtcp\fR simply redirect connection. TCP is always last in chain. This type of proxy is a simple TCP redirection, it does not support parent authentication.
+ tcp simply redirect connection. TCP is always last in chain. This type of proxy is a simple TCP redirection, it does not support parent authentication.
 .br
- \fBhttp\fR redirect to HTTP proxy. HTTP is always the last chain. It should only be used with http (proxy) service,
+ http redirect to HTTP proxy. HTTP is always the last chain. It should only be used with http (proxy) service,
 if used with different service, it works as tcp redirection.
 .br
- \fBpop3\fR redirect to POP3 proxy (only local redirection is supported, can only be used as a first hop in chaining)
+ pop3 redirect to POP3 proxy (only local redirection is supported, can only be used as a first hop in chaining)
 .br
- \fBftp\fR redirect to FTP proxy (only local redirection is supported, can only be used as a first hop in chaining)
+ ftp redirect to FTP proxy (only local redirection is supported, can only be used as a first hop in chaining)
 .br
- \fBconnect\fR parent is HTTP CONNECT method proxy
+ connect parent is HTTP CONNECT method proxy
 .br
- \fBconnect+\fR parent is HTTP CONNECT proxy with name resolution (hostname is used instead of IP if available)
+ connect+ parent is HTTP CONNECT proxy with name resolution (hostname is used instead of IP if available)
 .br
- \fBsocks4\fR parent is SOCKSv4 proxy
+ socks4 parent is SOCKSv4 proxy
 .br
- \fBsocks4+\fR parent is SOCKSv4 proxy with name resolution (SOCKSv4a)
+ socks4+ parent is SOCKSv4 proxy with name resolution (SOCKSv4a)
 .br
- \fBsocks5\fR parent is SOCKSv5 proxy
+ socks5 parent is SOCKSv5 proxy
 .br
- \fBsocks5+\fR parent is SOCKSv5 proxy with name resolution
+ socks5+ parent is SOCKSv5 proxy with name resolution
 .br
- \fBsocks4b\fR parent is SOCKS4b (broken SOCKSv4 implementation with shortened
+ socks4b parent is SOCKS4b (broken SOCKSv4 implementation with shortened
 server reply; I never saw this kind of server, but they say there are some).
 Normally you should not use this option. Do not confuse this option with
-SOCKSv4a (\fBsocks4+\fR).
+SOCKSv4a (socks4+).
 .br
- \fBsocks5b\fR parent is SOCKS5b (broken SOCKSv5 implementation with shortened
+ socks5b parent is SOCKS5b (broken SOCKSv5 implementation with shortened
 server reply. I think you will never find it useful). Never use this option
 unless you know exactly you need it.
 .br
- \fBadmin\fR redirect request to local \'admin\' service (with -s parameter).
+ admin redirect request to local \'admin\' service (with -s parameter).
 .br
-\fBha\fR send HAProxy PROXY protocol v1 header to parent proxy. Must be the last
+ Use "+" proxy only with "fakeresolve" option
 in the proxy chain. Useful for passing client IP information to the parent proxy.
 Example: parent 1000 ha
 .br
 Use "+" proxy only with \fBfakeresolve\fR option
 .br
 IP and port are ip addres and port of parent proxy server.
@ -822,14 +797,6 @@ locally redirects to
 .B proxy
 .B admin
 locally redirects to the admin -s service.
 .br
 Unix domain sockets can be used instead of IP address with the syntax
 .I unix:/path/to/socket
 (e.g., parent 1000 socks5 unix:/var/run/parent.sock 1080). On Linux,
 abstract (fileless) Unix sockets are supported with
 .I unix:@socketname
 syntax (e.g., parent 1000 http unix:@parent.proxy 3128). When using Unix
 sockets, the port number is ignored but must be specified for syntax compatibility.
 .br
 Main purpose of local redirections is to have the requested resource
@ -853,21 +820,21 @@ local HTTP proxy parses requests and allows only GET and POST requests.
 .br
 parent 1000 http 1.2.3.4 0
 .br
- Changes the external address for a given connection to 1.2.3.4 (equivalent to \fB-e1.2.3.4\fR)
+ Changes the external address for a given connection to 1.2.3.4 (equivalent to -e1.2.3.4)
 .br
 Optional username and password are used to authenticate on parent
 proxy. Username of \'*\' means username must be supplied by user.
 .br
-.BR parentretries
+.B parentretries
-\fI<number>\fR
+<number>
 .br
 Number of retries to connect to parent proxy. Default is 1.
 .br
-.BR nolog
+.B nolog
-\fI<n>\fR
+<n>
 .br
 extends last allow or deny command to prevent logging, e.g.
 .br
@ -877,8 +844,8 @@ nolog
 .br
-.BR weight
+.B weight
-\fI<n>\fR
+<n>
 .br
 extends last allow or deny command to set weight for this request
 .br
@ -900,30 +867,30 @@ is removed, old connections which do not match current are closed.
 noforce allows to keep previously authenticated connections.
 .br
-.BR bandlimin
+.B bandlimin
-\fI<rate>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+<rate> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
+<weekdayslist> <timeperiodslist>
 .br
-.BR nobandlimin
+.B nobandlimin
-\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
+<weekdayslist> <timeperiodslist>
 .br
-.BR bandlimout
+.B bandlimout
-\fI<rate>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+<rate> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
+<weekdayslist> <timeperiodslist>
 .br
-.BR nobandlimout
+.B nobandlimout
-\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
+<weekdayslist> <timeperiodslist>
 .br
- bandlim sets a bandwidth limitation filter to \fI<rate>\fR bps (bits per second).
+ bandlim sets a bandwidth limitation filter to <rate> bps (bits per second).
 If you want to specify bytes per second, multiply your value by 8.
 bandlim rules act in the same manner as allow/deny rules, except for
 one thing: bandwidth limiting is applied to all services, not to some
 specific service. 
-\fBbandlimin\fR and \fBnobandlimin\fR apply to incoming traffic
+bandlimin and nobandlimin apply to incoming traffic
 .br
-\fBbandlimout\fR and \fBnobandlimout\fR apply to outgoing traffic
+bandlimout and nobandlimout apply to outgoing traffic
 .br
 If you want to ratelimit your clients with IPs 192.168.10.16/30 (4
 addresses) to 57600 bps, you have to specify 4 rules like
@ -948,17 +915,17 @@ If you want, for example, to limit all speed except access to POP3, you can use
 before the rest of bandlim rules.
 .br
-.BR connlim
+.B connlim
-\fI<rate>\fR \fI<period>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+<rate> <period> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
+<weekdayslist> <timeperiodslist>
 .br
-.BR noconnlim
+.B noconnlim
-\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
+<weekdayslist> <timeperiodslist>
 .br
 connlim sets connections rate limit per time period for traffic
 pattern controlled by ACL. Period is in seconds. If period is 0,
-\fBconnlim\fR limits a number of parallel connections.
+connlim limits a number of parallel connections.
 .br
 connlim 100 60 * 127.0.0.1
 .br
@ -968,39 +935,39 @@ pattern controlled by ACL. Period is in seconds. If period is 0,
 .br
 allows 20 simultaneous connections for 127.0.0.1.
 .br
- Like with \fBbandlimin\fR, if an individual limit is required per client, a separate
+ Like with bandlimin, if an individual limit is required per client, a separate
 rule must be added for every client. Like with nobandlimin, noconnlim adds an
 exception.
 .br
-.BR counter
+.B counter
-\fI<filename>\fR \fI<reporttype>\fR \fI<reportname>\fR
+<filename> <reporttype> <reportname>
 .br
-.BR countin
+.B countin
-\fI<number>\fR \fI<type>\fR \fI<limit>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+<number> <type> <limit> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
+<weekdayslist> <timeperiodslist>
 .br
-.BR nocountin
+.B nocountin
-\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
+<weekdayslist> <timeperiodslist>
 .br
-.BR countout
+.B countout
-\fI<number>\fR \fI<type>\fR \fI<limit>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+<number> <type> <limit> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
+<weekdayslist> <timeperiodslist>
 .br
-.BR nocountout
+.B nocountout
-\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
+<weekdayslist> <timeperiodslist>
 .br
-.BR countall
+.B countall
-\fI<number>\fR \fI<type>\fR \fI<limit>\fR \fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+<number> <type> <limit> <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
+<weekdayslist> <timeperiodslist>
 .br
-.BR nocountall
+.B nocountall
-\fI<userlist>\fR \fI<sourcelist>\fR \fI<targetlist>\fR \fI<targetportlist>\fR \fI<operationlist>\fR
+<userlist> <sourcelist> <targetlist> <targetportlist> <operationlist>
-\fI<weekdayslist>\fR \fI<timeperiodslist>\fR
+<weekdayslist> <timeperiodslist>
 .br
 counter, countin, nocountin, countout, nocountout, countall,
@ -1014,36 +981,38 @@ should be a unique sequential number which points to the position of
 the counter within the file.
 Type specifies a type of counter. Type is one of:
 .br
- \fBH\fR - counter is reset hourly
+ H - counter is reset hourly
 .br
- \fBD\fR - counter is reset daily
+ D - counter is reset daily
 .br
- \fBW\fR - counter is reset weekly
+ W - counter is reset weekly
 .br
- \fBM\fR - counter is reset monthly
+ M - counter is reset monthly
 .br
 reporttype/reportname may be used to generate traffic reports.
 Reporttype is one of D, W, M, H (hourly) and reportname specifies the filename
 template for reports. The report is a text file with counter values in
 the format:
 .br
- \fI<COUNTERNUMBER>\fR \fI<TRAF>\fR
+ <COUNTERNUMBER> <TRAF>
 .br
- The rest of parameters is identical to \fBbandlim\fR/\fBnobandlim\fR.
+ The rest of parameters is identical to bandlim/nobandlim.
 .br
-.BR users
+.B users
-\fIusername\fR[:\fIpwtype\fR:\fIpassword\fR] ...
+username[:pwtype:password] ...
 .br
 pwtype is one of:
 .br
 none (empty) - use system authentication
 .br
- \fBCL\fR - password is cleartext
+ CL - password is cleartext
 .br
- \fBCR\fR - password is crypt-style password
+ CR - password is crypt-style password
 .br
- \fBNT\fR - password is NT password (in hex)
+ NT - password is NT password (in hex)
 .br
 LM - password is LM password (in hex)
 .br
 example:
 .br
@ -1075,48 +1044,48 @@ and
 .B socks
 .br
-.BR system
+.B system
-\fI<command>\fR
+<command>
 .br
 execute system command
 .br
-.BR pidfile
+.B pidfile
-\fI<filename>\fR
+<filename>
 .br
 write pid of current process to file. It can be used to manipulate
 3proxy with signals under Unix. Currently next signals are available:
 .br
-.BR monitor
+.B monitor
-\fI<filename>\fR
+<filename>
 .br
 If file monitored changes in modification time or size, 3proxy reloads
 configuration within one minute. Any number of files may be monitored.
 .br
-.BR setuid
+.B setuid
-\fI<uid>\fR
+<uid>
 .br
 calls setuid(uid), uid can be numeric or since 0.9 username. Unix only. Warning: under some Linux
 kernels setuid() works for current thread only. It makes it impossible to suid
 for all threads.
 .br
-.BR setgid
+.B setgid
-\fI<gid>\fR
+<gid>
 .br
 calls setgid(gid), gid can be numeric or since 0.9 groupname. Unix only.
 .br
-.BR chroot
+.B chroot
-\fI<path>\fR [\fI<uid>\fR] [\fI<gid>\fR]
+<path> [<uid>] [<gid>]
 .br
 calls chroot(path) and sets gid/uid. Unix only. uid/gid supported since 0.9, can be numeric or username/groupname
 .br
-.BR stacksize
+.B stacksize
-\fI<value_to_add_to_default_stack_size>\fR
+<value_to_add_to_default_stack_size>
 .br
 Change the default size for thread stacks. May be required in some situations,
 e.g. with non-default plugins, or on some platforms (some FreeBSD versions
@ -1131,8 +1100,8 @@ memory shortage, you can try to experiment with negative values.
 .SH PLUGINS
 .br
-.BR plugin
+.B plugin
-\fI<path_to_shared_library>\fR \fI<function_to_call>\fR [\fI<arg1>\fR ...]
+<path_to_shared_library> <function_to_call> [<arg1> ...]
 .br
 Loads specified library and calls given export function with given arguments,
 as 
@ -1142,8 +1111,8 @@ as
 function_to_call must return 0 in case of success, value > 0 to indicate error.
 .br
-.BR filtermaxsize
+.B filtermaxsize
-\fI<max_size_of_data_to_filter>\fR
+<max_size_of_data_to_filter>
 .br
 If Content-length (or another data length) is greater than the given value, no
 data filtering will be performed through filtering plugins to avoid data
--- a/man/3proxy_crypt.8
+++ b/man/3proxy_crypt.8
@ -1,81 +0,0 @@
 .TH 3proxy_crypt "8" "April 2026" "3proxy 0.9" "Universal proxy server"
 .SH NAME
 .B 3proxy_crypt
 \- utility to generate encrypted passwords for 3proxy
 .SH SYNOPSIS
 .B 3proxy_crypt
 .I password
 .br
 .B 3proxy_crypt
 .I salt password
 .SH DESCRIPTION
 .B 3proxy_crypt
 is a utility to generate encrypted password hashes for use with 3proxy
 configuration. Encrypted passwords allow the system to avoid storing
 passwords in cleartext in configuration files.
 .PP
 When invoked with a single argument, it produces an NT password hash
 (MD4-based, suitable for NTLM authentication). The output is prefixed with
 .BR NT: .
 .PP
 When invoked with two arguments (salt and password), it produces a BLAKE2b
 password hash. The salt length is limited to 64 characters. The output is
 prefixed with
 .BR CR: .
 .PP
 The resulting hash can be used in the 3proxy configuration file with the
 .B users
 directive instead of a cleartext password.
 .SH OPTIONS
 .TP
 .I password
 Cleartext password to encrypt.
 .TP
 .I salt
 Salt string for BLAKE2b hashing (max 64 characters).
 .SH EXAMPLE
 .TP
 Generate NT password hash:
 .RS
 3proxy_crypt MySecretPassword
 .RE
 .TP
 Result:
 .RS
 NT:3F7E6D8D96E8E7A9B0C1D2E3F4A5B6C7
 .RE
 .TP
 Generate BLAKE2b password hash with salt:
 .RS
 3proxy_crypt MySalt MySecretPassword
 .RE
 .TP
 Result:
 .RS
 CR:$3$MySalt$...
 .RE
 .TP
 Using in 3proxy.cfg:
 .RS
 users user1:CR:$3$MySalt$...
 .RE
 .SH NOTES
 The NT hash uses the RSA MD4 Message-Digest Algorithm. The BLAKE2b hash
 uses the BLAKE2 cryptographic hash function.
 .PP
 When a password hash is prefixed with
 .B NT:
 or
 .BR CR: ,
 3proxy uses the corresponding algorithm to verify passwords instead of
 comparing cleartext strings.
 .SH BUGS
 Report all bugs to
 .BR 3proxy@3proxy.org
 .SH SEE ALSO
 3proxy(8), 3proxy.cfg(5),
 .br
 https://3proxy.org/
 .SH AUTHORS
 3proxy is designed by Vladimir 3APA3A Dubrovin
 .RI ( 3proxy@3proxy.org )
--- a/man/ftppr.8
+++ b/man/ftppr.8
@ -36,11 +36,6 @@ with the routing table.
 .B -i
 Internal address. IP address the proxy accepts connections to.
 By default, connections to any interface are accepted. It\'s usually unsafe.
 Unix domain sockets can be specified with
 .I -iunix:/path/to/socket
 syntax (e.g., -iunix:/var/run/ftppr.sock). On Linux, abstract sockets use
 .I -iunix:@socketname
 syntax.
 .TP
 .B -h
 Default destination. It's used if the target address is not specified by the user.
@ -73,7 +68,7 @@ and
 .IR port
 as the FTP server. The address of the real FTP server must be configured as a part of
 the FTP username. The format for the username is
-.IR username @ server ,
+.IR username \fB@ server ,
 where
 .I server
 is the address of the FTP server and
--- a/man/pop3p.8
+++ b/man/pop3p.8
@ -36,11 +36,6 @@ with the routing table.
 .B -i
 Internal address. IP address the proxy accepts connections to.
 By default, connections to any interface are accepted. It\'s usually unsafe.
 Unix domain sockets can be specified with
 .I -iunix:/path/to/socket
 syntax (e.g., -iunix:/var/run/pop3p.sock). On Linux, abstract sockets use
 .I -iunix:@socketname
 syntax.
 .TP
 .B -p
 Port. Port proxy listens for incoming connections. Default is 110.
@ -67,7 +62,7 @@ and
 .IR port
 as a POP3 server. The address of the real POP3 server must be configured as a part of
 the POP3 username. The format for the username is
-.IR username @ server ,
+.IR username \fB@ server ,
 where
 .I server
 is the address of the POP3 server and
--- a/man/proxy.8
+++ b/man/proxy.8
@ -34,11 +34,6 @@ with the routing table.
 .B -i
 Internal address. IP address the proxy accepts connections to.
 By default, connections to any interface are accepted. It\'s usually unsafe.
 Unix domain sockets can be specified with
 .I -iunix:/path/to/socket
 syntax (e.g., -iunix:/var/run/proxy.sock). On Linux, abstract sockets use
 .I -iunix:@socketname
 syntax.
 .TP
 .B -a
 Anonymous. Hide information about client.
--- a/man/smtpp.8
+++ b/man/smtpp.8
@ -36,11 +36,6 @@ with the routing table.
 .B -i
 Internal address. IP address the proxy accepts connections to.
 By default, connections to any interface are accepted. It\'s usually unsafe.
 Unix domain sockets can be specified with
 .I -iunix:/path/to/socket
 syntax (e.g., -iunix:/var/run/smtpp.sock). On Linux, abstract sockets use
 .I -iunix:@socketname
 syntax.
 .TP
 .B -p
 Port. Port proxy listens for incoming connections. Default is 25.
@ -68,7 +63,7 @@ and
 .IR port
 as an SMTP server. The address of the real SMTP server must be configured as a part of
 the SMTP username. The format for the username is
-.IR username @ server ,
+.IR username \fB@ server ,
 where
 .I server
 is the address of the SMTP server and
--- a/man/socks.8
+++ b/man/socks.8
@ -49,11 +49,6 @@ of IP-IP NAT and does not work with port translation.
 .B -i
 Internal address. IP address the proxy accepts connections to.
 By default, connections to any interface are accepted. It\'s usually unsafe.
 Unix domain sockets can be specified with
 .I -iunix:/path/to/socket
 syntax (e.g., -iunix:/var/run/socks.sock). On Linux, abstract sockets use
 .I -iunix:@socketname
 syntax.
 .TP
 .B -p
 Port. Port proxy listens for incoming connections. Default is 1080.
--- a/man/tcppm.8
+++ b/man/tcppm.8
@ -31,11 +31,6 @@ with the routing table.
 .B -i
 Internal address. IP address the proxy accepts connections to.
 By default, connections to any interface are accepted. It\'s usually unsafe.
 Unix domain sockets can be specified with
 .I -iunix:/path/to/socket
 syntax (e.g., -iunix:/var/run/tcppm.sock). On Linux, abstract sockets use
 .I -iunix:@socketname
 syntax.
 .TP
 .B -l
 Log. By default logging is to stdout. If
@ -55,18 +50,10 @@ crashes.
 - port tcppm accepts connections on
 .TP
 .I remote_host
- IP address of the host the connection is forwarded to. Unix domain sockets
+- IP address of the host the connection is forwarded to
 can be specified with the syntax
 .I unix:/path/to/socket
 (e.g., unix:/var/run/app.sock). On Linux, abstract (fileless) Unix sockets
 use the syntax
 .I unix:@socketname
 (e.g., unix:@app.socket).
 .TP
 .I remote_port
- remote port the connection is forwarded to. Ignored when using Unix socket
+- remote port the connection is forwarded to
 destination, but must be specified (use any positive value) for syntax
 compatibility.
 .SH CLIENTS
 Any TCP-based application can be used as a client. Use
 .I internal_ip
--- a/man/tlspr.8
+++ b/man/tlspr.8
@ -36,11 +36,6 @@ with the routing table.
 .B -i
 Internal address. IP address the proxy accepts connections to.
 By default, connections to any interface are accepted. It\'s usually unsafe.
 Unix domain sockets can be specified with
 .I -iunix:/path/to/socket
 syntax (e.g., -iunix:/var/run/tlspr.sock). On Linux, abstract sockets use
 .I -iunix:@socketname
 syntax.
 .TP
 .B -a
 Anonymous. Hide information about client.
--- a/scripts/add3proxyuser.sh
+++ b/scripts/add3proxyuser.sh
@ -6,10 +6,10 @@ if [ $3 ]; then
 	echo countin \"`wc -l /etc/3proxy/conf/counters|awk '{print $1}'`/$1\" D $3 $1 >> /etc/3proxy/conf/counters
 fi
 if [ $2 ]; then  
-	echo $1:`/bin/3proxy_crypt $$ $2` >> /etc/3proxy/conf/passwd
+	echo $1:`/bin/mycrypt $$ $2` >> /etc/3proxy/conf/passwd
 else
 	echo usage: $0 username password [day_limit] [bandwidth]
 	echo "	"day_limit - traffic limit in MB per day
-	echo "	"bandwidth - bandwidth in bits per second 1048576 = 1Mbps
+	echo "	"bandwidth - bandwith in bits per second 1048576 = 1Mbps
 fi
--- a/scripts/rh/3proxy.spec
+++ b/scripts/rh/3proxy.spec
@ -32,15 +32,14 @@ make clean
 %files
 /bin/3proxy
-/bin/3proxy_crypt
+/bin/ftppr
-/bin/3proxy_ftppr
+/bin/mycrypt
-/bin/3proxy_pop3p
+/bin/pop3p
-/bin/3proxy_proxy
+/bin/proxy
-/bin/3proxy_smtpp
+/bin/socks
-/bin/3proxy_socks
+/bin/tcppm
-/bin/3proxy_tcppm
+/bin/udppm
-/bin/3proxy_tlspr
+/bin/tlspr
 /bin/3proxy_udppm
 %config(noreplace) /etc/3proxy/3proxy.cfg
 /etc/3proxy/conf
 /etc/init.d/3proxy
@ -50,7 +49,7 @@ make clean
 %config(noreplace) /usr/local/3proxy/conf/bandlimiters
 %config(noreplace) /usr/local/3proxy/conf/counters
 /usr/local/3proxy/libexec/*.ld.so
-/usr/share/man/man5/3proxy.cfg.5
+/usr/share/man/man3/*
 /usr/share/man/man8/*
 /var/log/3proxy
--- a/src/3proxy.c
+++ b/src/3proxy.c
@ -1,5 +1,5 @@
 /*
-   3APA3A simplest proxy server
+   3APA3A simpliest proxy server
   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
   please read License Agreement
@ -66,9 +66,9 @@ void __stdcall CommandHandler( DWORD dwCommand )
 	Sleep(2000);
        SetStatus( SERVICE_STOPPED, 0, 0 );
 #ifndef NOODBC
-	_3proxy_mutex_lock(&log_mutex);
+	pthread_mutex_lock(&log_mutex);
 	close_sql();
-	_3proxy_mutex_unlock(&log_mutex);
+	pthread_mutex_unlock(&log_mutex);
 #endif
        break;
    case SERVICE_CONTROL_PAUSE:
@ -118,6 +118,13 @@ void mysigpause (int sig){
 void mysigterm (int sig){
 	conf.paused++;
 	usleep(999*SLEEPTIME);
 	usleep(999*SLEEPTIME);
 #ifndef NOODBC
 	pthread_mutex_lock(&log_mutex);
 	close_sql();
 	pthread_mutex_unlock(&log_mutex);
 #endif
 	conf.timetoexit = 1;
 }
@ -134,10 +141,8 @@ int timechanged (time_t oldtime, time_t newtime, ROTATION lt){
 	struct tm tmold;
 	struct tm *tm;
 	tm = localtime(&oldtime);
 	if(!tm) return 0;
 	tmold = *tm;
 	tm = localtime(&newtime);
 	if(!tm) return 0;
 	switch(lt){
 		case MINUTELY:
 			if(tm->tm_min != tmold.tm_min)return 1;
@ -209,18 +214,18 @@ void dumpcounters(struct trafcount *tlin, int counterd){
 	cheader.updated = conf.time;
-	if(lseek(counterd, 0, SEEK_SET) >= 0 && write(counterd, &cheader, sizeof(struct counter_header))){}
+	lseek(counterd, 0, SEEK_SET);
 	if(write(counterd, &cheader, sizeof(struct counter_header))){}
 	for(tl=tlin; tl; tl = tl->next){
 		if(tl->number){
-			if(lseek(counterd, 
+			lseek(counterd, 
 				sizeof(struct counter_header) + (tl->number - 1) * sizeof(struct counter_record),
-				SEEK_SET) >= 0){
+				SEEK_SET);
 			crecord.traf64 = tl->traf64;
 			crecord.cleared = tl->cleared;
 			crecord.updated = tl->updated;
 			if(write(counterd, &crecord, sizeof(struct counter_record))){}
 		}
 		}
 		if(tl->type!=NEVER && timechanged(tl->cleared, conf.time, tl->type)){
 			tl->cleared = conf.time;
 			tl->traf64 = 0;
@ -262,12 +267,10 @@ void cyclestep(void){
 	}
 	if(timechanged(basetime, conf.time, DAILY)) {
 		tm = localtime(&conf.time);
 		if(tm){
 		wday = (1 << tm->tm_wday);
 		tm->tm_hour = tm->tm_min = tm->tm_sec = 0;
 		basetime = mktime(tm);
 	}
 	}
 	if(conf.logname) {
 		if(timechanged(conf.logtime, conf.time, conf.logtype)) {
 			if(conf.stdlog) conf.stdlog = freopen((char *)dologname (tmpbuf, conf.logname, NULL, conf.logtype, conf.time), "a", conf.stdlog);
@ -505,30 +508,31 @@ int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int
 	return 1;
  }
-  _3proxy_mutex_init(&config_mutex);
+  pthread_mutex_init(&config_mutex, NULL);
-  _3proxy_mutex_init(&bandlim_mutex);
+  pthread_mutex_init(&bandlim_mutex, NULL);
-  _3proxy_mutex_init(&connlim_mutex);
+  pthread_mutex_init(&connlim_mutex, NULL);
-  _3proxy_mutex_init(&tc_mutex);
+  pthread_mutex_init(&hash_mutex, NULL);
-  _3proxy_mutex_init(&log_mutex);
+  pthread_mutex_init(&tc_mutex, NULL);
  pthread_mutex_init(&pwl_mutex, NULL);
  pthread_mutex_init(&log_mutex, NULL);
 #ifndef NORADIUS
-  _3proxy_mutex_init(&rad_mutex);
+  pthread_mutex_init(&rad_mutex, NULL);
 #endif
 #ifdef _WIN32
-  conf.threadinit = CreateSemaphore(NULL, 0, 1, NULL);
+  if(!CreatePipe(&conf.threadinit[0], &conf.threadinit[1], NULL, 1)){
  if(!conf.threadinit){
    fprintf(stderr, "semaphore init failed\n");
    return 1;
  }
 #else
-  _3proxy_mutex_init(&conf.threadinit);
+  if(pipe(conf.threadinit)) {
 #endif
    fprintf(stderr, "CreatePipe failed\n");
    return 1;
  };
  freeconf(&conf);
  res = readconfig(fp);
  conf.version++;
  if(res) RETURN(res);
-  if(!writable){fclose(fp); fp = NULL;}
+  if(!writable)fclose(fp);
 #ifdef _WIN32
@ -559,7 +563,6 @@ int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int
 CLEARRETURN:
 if(fp && fp != stdin) {fclose(fp); fp = NULL;}
 return 0;
 }
--- a/src/Makefile.inc
+++ b/src/Makefile.inc
@ -2,7 +2,8 @@
 # 3 proxy common Makefile
 #
-all:	$(BUILDDIR)3proxy$(EXESUFFICS) $(BUILDDIR)$(CRYPT_PREFIX)crypt$(EXESUFFICS) $(BUILDDIR)$(PREFIX)pop3p$(EXESUFFICS) $(BUILDDIR)$(PREFIX)smtpp$(EXESUFFICS) $(BUILDDIR)$(PREFIX)ftppr$(EXESUFFICS) $(BUILDDIR)$(PREFIX)tcppm$(EXESUFFICS) $(BUILDDIR)$(PREFIX)udppm$(EXESUFFICS) $(BUILDDIR)$(PREFIX)tlspr$(EXESUFFICS) $(BUILDDIR)$(PREFIX)socks$(EXESUFFICS) $(BUILDDIR)$(PREFIX)proxy$(EXESUFFICS) allplugins
+all:	$(BUILDDIR)3proxy$(EXESUFFICS) $(BUILDDIR)mycrypt$(EXESUFFICS) $(BUILDDIR)pop3p$(EXESUFFICS) $(BUILDDIR)smtpp$(EXESUFFICS) $(BUILDDIR)ftppr$(EXESUFFICS) $(BUILDDIR)tcppm$(EXESUFFICS) $(BUILDDIR)tlspr$(EXESUFFICS) $(BUILDDIR)udppm$(EXESUFFICS) $(BUILDDIR)socks$(EXESUFFICS) $(BUILDDIR)proxy$(EXESUFFICS) allplugins
 sockmap$(OBJSUFFICS): sockmap.c proxy.h structures.h
 	$(CC) $(CFLAGS) sockmap.c
@ -26,60 +27,62 @@ sockgetchar$(OBJSUFFICS): sockgetchar.c proxy.h structures.h
 	$(CC) $(CFLAGS) sockgetchar.c
 proxy$(OBJSUFFICS): proxy.c proxy.h structures.h proxymain.c
-	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)ANONYMOUS $(DEFINEOPTION)NOUDPMAIN proxy.c
+	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)ANONYMOUS proxy.c
 pop3p$(OBJSUFFICS): pop3p.c proxy.h structures.h proxymain.c
-	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)NOUDPMAIN pop3p.c
+	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP pop3p.c
 smtpp$(OBJSUFFICS): smtpp.c proxy.h structures.h proxymain.c
-	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)NOUDPMAIN smtpp.c
+	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP smtpp.c
 ftppr$(OBJSUFFICS): ftppr.c proxy.h structures.h proxymain.c
-	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)NOUDPMAIN ftppr.c
+	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP ftppr.c
 tcppm$(OBJSUFFICS): tcppm.c proxy.h structures.h proxymain.c
-	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP $(DEFINEOPTION)NOUDPMAIN tcppm.c
+	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP tcppm.c
 tlspr$(OBJSUFFICS): tlspr.c proxy.h structures.h proxymain.c
 	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP tlspr.c
 socks$(OBJSUFFICS): socks.c proxy.h structures.h proxymain.c
 	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP socks.c
 udppm$(OBJSUFFICS): udppm.c proxy.h structures.h proxymain.c
 	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP udppm.c
 tlspr$(OBJSUFFICS): tlspr.c proxy.h structures.h proxymain.c
 	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)PORTMAP $(DEFINEOPTION)NOUDPMAIN tlspr.c
 socks$(OBJSUFFICS): socks.c proxy.h structures.h proxymain.c
 	$(CC) $(CFLAGS) $(DEFINEOPTION)WITHMAIN $(DEFINEOPTION)NOPORTMAP $(DEFINEOPTION)NOUDPMAIN socks.c
 3proxy$(OBJSUFFICS): 3proxy.c proxy.h structures.h
 	$(CC) $(CFLAGS) 3proxy.c
-$(BUILDDIR)$(PREFIX)proxy$(EXESUFFICS): sockmap$(OBJSUFFICS) proxy$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS)
+$(BUILDDIR)proxy$(EXESUFFICS): sockmap$(OBJSUFFICS) proxy$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS)
-	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)proxy$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) proxy$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)proxy$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) proxy$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
-$(BUILDDIR)$(PREFIX)pop3p$(EXESUFFICS): sockmap$(OBJSUFFICS) pop3p$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) $(COMPATLIBS)
+$(BUILDDIR)pop3p$(EXESUFFICS): sockmap$(OBJSUFFICS) pop3p$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) $(COMPATLIBS)
-	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)pop3p$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) pop3p$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)pop3p$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) pop3p$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
-$(BUILDDIR)$(PREFIX)smtpp$(EXESUFFICS): sockmap$(OBJSUFFICS) smtpp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) base64$(OBJSUFFICS) $(COMPATLIBS)
+$(BUILDDIR)smtpp$(EXESUFFICS): sockmap$(OBJSUFFICS) smtpp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) base64$(OBJSUFFICS) $(COMPATLIBS)
-	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)smtpp$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) smtpp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) base64$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)smtpp$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) smtpp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) base64$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
-$(BUILDDIR)$(PREFIX)ftppr$(EXESUFFICS): sockmap$(OBJSUFFICS) ftppr$(OBJSUFFICS) ftp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) $(COMPATLIBS)
+$(BUILDDIR)ftppr$(EXESUFFICS): sockmap$(OBJSUFFICS) ftppr$(OBJSUFFICS) ftp$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) $(COMPATLIBS)
-	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)ftppr$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) ftppr$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)ftppr$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) ftppr$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) ftp$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
-$(BUILDDIR)$(PREFIX)socks$(EXESUFFICS): sockmap$(OBJSUFFICS) socks$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
+$(BUILDDIR)socks$(EXESUFFICS): sockmap$(OBJSUFFICS) socks$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
-	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)socks$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) socks$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)socks$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) socks$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
-$(BUILDDIR)$(PREFIX)tcppm$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tcppm$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
+$(BUILDDIR)tcppm$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tcppm$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
-	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)tcppm$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tcppm$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)tcppm$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tcppm$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
-$(BUILDDIR)$(PREFIX)udppm$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) hash$(OBJSUFFICS)
+$(BUILDDIR)tlspr$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tlspr$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
-	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)udppm$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) hash$(OBJSUFFICS) $(LIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)tlspr$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tlspr$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
-$(BUILDDIR)$(PREFIX)tlspr$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tlspr$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
+$(BUILDDIR)udppm$(EXESUFFICS): sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS)
-	$(LN) $(LNOUT)$(BUILDDIR)$(PREFIX)tlspr$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) tlspr$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)udppm$(EXESUFFICS) $(LDFLAGS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) udppm$(OBJSUFFICS) log$(OBJSUFFICS) common$(OBJSUFFICS) $(LIBS)
 mainfunc$(OBJSUFFICS): proxy.h structures.h proxymain.c
 	$(CC) $(COUT)mainfunc$(OBJSUFFICS) $(CFLAGS) $(DEFINEOPTION)MODULEMAINFUNC=mainfunc proxymain.c
 srvproxy$(OBJSUFFICS): proxy.c proxy.h structures.h
 	$(CC) $(COUT)srvproxy$(OBJSUFFICS) $(CFLAGS) proxy.c
@ -116,24 +119,6 @@ srvdnspr$(OBJSUFFICS): dnspr.c proxy.h structures.h
 auth$(OBJSUFFICS): auth.c proxy.h structures.h
 	$(CC) $(COUT)auth$(OBJSUFFICS) $(CFLAGS) auth.c
 acl$(OBJSUFFICS): acl.c proxy.h structures.h
 	$(CC) $(COUT)acl$(OBJSUFFICS) $(CFLAGS) acl.c
 limiter$(OBJSUFFICS): limiter.c proxy.h structures.h
 	$(CC) $(COUT)limiter$(OBJSUFFICS) $(CFLAGS) limiter.c
 redirect$(OBJSUFFICS): redirect.c proxy.h structures.h
 	$(CC) $(COUT)redirect$(OBJSUFFICS) $(CFLAGS) redirect.c
 hash$(OBJSUFFICS): hash.c proxy.h structures.h
 	$(CC) $(COUT)hash$(OBJSUFFICS) $(CFLAGS) hash.c
 hashtables$(OBJSUFFICS): hashtables.c proxy.h structures.h
 	$(CC) $(COUT)hashtables$(OBJSUFFICS) $(CFLAGS) hashtables.c
 resolve$(OBJSUFFICS): resolve.c proxy.h structures.h
 	$(CC) $(COUT)resolve$(OBJSUFFICS) $(CFLAGS) resolve.c
 authradius$(OBJSUFFICS): authradius.c proxy.h structures.h
 	$(CC) $(COUT)authradius$(OBJSUFFICS) $(CFLAGS) authradius.c
@ -146,11 +131,15 @@ log$(OBJSUFFICS): log.c proxy.h structures.h
 datatypes$(OBJSUFFICS): datatypes.c proxy.h structures.h
 	$(CC) $(COUT)datatypes$(OBJSUFFICS) $(CFLAGS) datatypes.c
-3proxy_crypt$(OBJSUFFICS): 3proxy_crypt.c
+mycrypt$(OBJSUFFICS): mycrypt.c
-	$(CC) $(COUT)3proxy_crypt$(OBJSUFFICS) $(CFLAGS) 3proxy_crypt.c
+	$(CC) $(COUT)mycrypt$(OBJSUFFICS) $(CFLAGS) mycrypt.c
 mycryptmain$(OBJSUFFICS): mycrypt.c
 	$(CC) $(COUT)mycryptmain$(OBJSUFFICS) $(CFLAGS) $(DEFINEOPTION)WITHMAIN mycrypt.c
 $(BUILDDIR)mycrypt$(EXESUFFICS): md4$(OBJSUFFICS) md5$(OBJSUFFICS) mycryptmain$(OBJSUFFICS) base64$(OBJSUFFICS)
 	$(LN) $(LNOUT)$(BUILDDIR)mycrypt$(EXESUFFICS) $(LDFLAGS) md4$(OBJSUFFICS) md5$(OBJSUFFICS) base64$(OBJSUFFICS) mycryptmain$(OBJSUFFICS)
 3proxy_cryptmain$(OBJSUFFICS): 3proxy_crypt.c
 	$(CC) $(COUT)3proxy_cryptmain$(OBJSUFFICS) $(CFLAGS) $(DEFINEOPTION)WITHMAIN 3proxy_crypt.c
 md4$(OBJSUFFICS):  libs/md4.h libs/md4.c
 	$(CC) $(COUT)md4$(OBJSUFFICS) $(CFLAGS) libs/md4.c
@ -158,15 +147,9 @@ md4$(OBJSUFFICS):  libs/md4.h libs/md4.c
 md5$(OBJSUFFICS):  libs/md5.h libs/md5.c
 	$(CC) $(COUT)md5$(OBJSUFFICS) $(CFLAGS) libs/md5.c
 blake2$(OBJSUFFICS):  libs/blake2.h libs/blake2-impl.h libs/blake2b-ref.c
 	$(CC) $(COUT)blake2$(OBJSUFFICS) $(CFLAGS) libs/blake2b-ref.c
 $(BUILDDIR)$(CRYPT_PREFIX)crypt$(EXESUFFICS): md4$(OBJSUFFICS) blake2$(OBJSUFFICS) 3proxy_cryptmain$(OBJSUFFICS) base64$(OBJSUFFICS)
 	$(LN) $(LNOUT)$(BUILDDIR)$(CRYPT_PREFIX)crypt$(EXESUFFICS) $(LDFLAGS) md4$(OBJSUFFICS) blake2$(OBJSUFFICS) base64$(OBJSUFFICS) 3proxy_cryptmain$(OBJSUFFICS)
 stringtable$(OBJSUFFICS):  stringtable.c
 	$(CC) $(COUT)stringtable$(OBJSUFFICS) $(CFLAGS) stringtable.c
-$(BUILDDIR)3proxy$(EXESUFFICS): 3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) auth$(OBJSUFFICS) acl$(OBJSUFFICS) limiter$(OBJSUFFICS) redirect$(OBJSUFFICS) authradius$(OBJSUFFICS) hash$(OBJSUFFICS) hashtables$(OBJSUFFICS) resolve$(OBJSUFFICS) sql$(OBJSUFFICS) conf$(OBJSUFFICS) log$(OBJSUFFICS) datatypes$(OBJSUFFICS) md4$(OBJSUFFICS) md5$(OBJSUFFICS) blake2$(OBJSUFFICS) 3proxy_crypt$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(VERSIONDEP)
+$(BUILDDIR)3proxy$(EXESUFFICS): 3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) auth$(OBJSUFFICS) authradius$(OBJSUFFICS) conf$(OBJSUFFICS) log$(OBJSUFFICS) datatypes$(OBJSUFFICS) md4$(OBJSUFFICS) md5$(OBJSUFFICS) mycrypt$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(VERSIONDEP)
-	$(LN) $(LNOUT)$(BUILDDIR)3proxy$(EXESUFFICS) $(LDFLAGS) $(VERFILE)  3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) auth$(OBJSUFFICS) acl$(OBJSUFFICS) limiter$(OBJSUFFICS) redirect$(OBJSUFFICS) authradius$(OBJSUFFICS) hash$(OBJSUFFICS) hashtables$(OBJSUFFICS) resolve$(OBJSUFFICS) sql$(OBJSUFFICS) conf$(OBJSUFFICS) datatypes$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) 3proxy_crypt$(OBJSUFFICS) md5$(OBJSUFFICS) blake2$(OBJSUFFICS) md4$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
+	$(LN) $(LNOUT)$(BUILDDIR)3proxy$(EXESUFFICS) $(LDFLAGS) $(VERFILE)  3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) auth$(OBJSUFFICS) authradius$(OBJSUFFICS) conf$(OBJSUFFICS) datatypes$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) mycrypt$(OBJSUFFICS) md5$(OBJSUFFICS) md4$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(LIBS)
--- a/src/acl.c
+++ b/src/acl.c
@ -1,168 +0,0 @@
 /*
   3APA3A simplest proxy server
   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
   please read License Agreement
 */
 #include "proxy.h"
 int IPInentry(struct sockaddr *sa, struct iplist *ipentry){
 	int addrlen;
 	unsigned char *ip, *ipf, *ipt;
 	if(!sa || ! ipentry || *SAFAMILY(sa) != ipentry->family) return 0;
 	ip = (unsigned char *)SAADDR(sa);
 	ipf = (unsigned char *)&ipentry->ip_from;
 	ipt = (unsigned char *)&ipentry->ip_to;
 	addrlen = SAADDRLEN(sa);
 	if(memcmp(ip,ipf,addrlen) < 0 || memcmp(ip,ipt,addrlen) > 0) return 0;
 	return 1;
 }
 int ACLmatches(struct ace* acentry, struct clientparam * param){
 	struct userlist * userentry;
 	struct iplist *ipentry;
 	struct portlist *portentry;
 	struct period *periodentry;
 	unsigned char * username;
 	struct hostname * hstentry=NULL;
 	int i;
 	int match = 0;
 	username = param->username?param->username:(unsigned char *)"-";
 	if(acentry->src) {
 	 for(ipentry = acentry->src; ipentry; ipentry = ipentry->next)
 		if(IPInentry((struct sockaddr *)&param->sincr, ipentry)) {
 			break;
 		}
 	 if(!ipentry) return 0;
 	}
 	if((acentry->dst && (!SAISNULL(&param->req) || param->operation == UDPASSOC || param->operation==BIND)) || (acentry->dstnames && param->hostname)) {
 	 for(ipentry = acentry->dst; ipentry; ipentry = ipentry->next)
 		if(IPInentry((struct sockaddr *)&param->req, ipentry)) {
 			break;
 		}
 	 if(!ipentry) {
 		 if(acentry->dstnames && param->hostname){
 			for(i=0; param->hostname[i]; i++){
 				param->hostname[i] = tolower(param->hostname[i]);
 			}
 			while(i > 5 && param->hostname[i-1] == '.') param->hostname[i-1] = 0;
 			for(hstentry = acentry->dstnames; hstentry; hstentry = hstentry->next){
 				int lname, lhost;
 				switch(hstentry->matchtype){
 					case 0:
 #ifndef _WIN32
 					if(strcasestr((char *)param->hostname, (char *)hstentry->name)) match = 1;
 #else
 					if(strstr((char *)param->hostname, (char *)hstentry->name)) match = 1;
 #endif
 					break;
 					case 1:
 					if(!strncasecmp((char *)param->hostname, (char *)hstentry->name, strlen((char *)hstentry->name)))
 						match = 1;
 					break;
 					case 2:
 					lname = strlen((char *)hstentry->name);
 					lhost = strlen((char *)param->hostname);
 					if(lhost > lname){
 						if(!strncasecmp((char *)param->hostname + (lhost - lname),
 							(char *)hstentry->name,
 							lname))
 								match = 1;
 					}
 					break;
 					default:
 					if(!strcasecmp((char *)param->hostname, (char *)hstentry->name)) match = 1;
 					break;
        			}
 				if(match) break;
 			}
 		 }
 	 }
 	 if(!ipentry && !hstentry) return 0;
 	}
 	if(acentry->ports && (*SAPORT(&param->req) || param->operation == UDPASSOC || param->operation == BIND)) {
 	 for (portentry = acentry->ports; portentry; portentry = portentry->next)
 		if(ntohs(*SAPORT(&param->req)) >= portentry->startport &&
 			   ntohs(*SAPORT(&param->req)) <= portentry->endport) {
 			break;
 		}
 		if(!portentry) return 0;
 	}
 	if(acentry->wdays){
 		if(!(acentry -> wdays & wday)) return 0;
 	}
 	if(acentry->periods){
 	 int start_time = (int)(param->time_start - basetime);
 	 for(periodentry = acentry->periods; periodentry; periodentry = periodentry -> next)
 		if(start_time >= periodentry->fromtime && start_time < periodentry->totime){
 			break;
 		}
 		if(!periodentry) return 0;
 	}
 	if(acentry->users){
 	 for(userentry = acentry->users; userentry; userentry = userentry->next)
 		if(!strcmp((char *)username, (char *)userentry->user)){
 			break;
 		}
 	 if(!userentry) return 0;
 	}
 	if(acentry->operation) {
 		if((acentry->operation & param->operation) != param->operation){
 				 return 0;
 		}
 	}
 	if(acentry->weight && (acentry->weight < param->weight)) return 0;
 	return 1;
 }
 int checkACL(struct clientparam * param){
 	struct ace* acentry;
 	if(!param->srv->acl) {
 		return 0;
 	}
 	for(acentry = param->srv->acl; acentry; acentry = acentry->next) {
 		if(ACLmatches(acentry, param)) {
 			param->nolog = acentry->nolog;
 			param->weight = acentry->weight;
 			if(acentry->action == 2) {
 				struct ace dup;
 				int res=60,i=0;
 				if(param->operation < 256 && !(param->operation & CONNECT)){
 					continue;
 				}
 				if(param->redirected && acentry->chains && SAISNULL(&acentry->chains->addr) && !*SAPORT(&acentry->chains->addr)) {
 					continue;
 				}
 				if(param->remsock != INVALID_SOCKET) {
 					return 0;
 				}
 				for(; i < conf.parentretries; i++){
 					dup = *acentry;
 					res = handleredirect(param, &dup);
 					if(!res) break;
 					if(param->remsock != INVALID_SOCKET) param->srv->so._closesocket(param->sostate, param->remsock);
 					param->remsock = INVALID_SOCKET;
 				}
 				return res;
 			}
 			return acentry->action;
 		}
 	}
 	return 3;
 }
--- a/src/auth.c
+++ b/src/auth.c
--- a/src/authradius.c
+++ b/src/authradius.c
@ -1,5 +1,5 @@
 /*
-   3APA3A simplest proxy server
+   3APA3A simpliest proxy server
   (c) 2000-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
   please read License Agreement
@ -166,7 +166,7 @@ static int ntry = 0;
 int nradservers = 0;
 char radiussecret[64]="";
-_3proxy_mutex_t rad_mutex;
+pthread_mutex_t rad_mutex;
 void md5_calc(unsigned char *output, unsigned char *input,
 		     unsigned int inputlen);
@ -306,7 +306,11 @@ int radsend(struct clientparam * param, int auth, int stop){
 	int total_length;
 	int len;
 	int op;
-	PROXYSOCKADDRTYPE     saremote;
+#ifdef NOIPV6
 	struct  sockaddr_in     saremote;
 #else
 	struct  sockaddr_in6     saremote;
 #endif
 	struct pollfd fds[1];
 	char vector[AUTH_VECTOR_LEN];
 	radius_packet_t packet, rpacket;
@ -327,11 +331,11 @@ int radsend(struct clientparam * param, int auth, int stop){
 	memset(&packet, 0, sizeof(packet));
-	_3proxy_mutex_lock(&rad_mutex);
+	pthread_mutex_lock(&rad_mutex);
 	if(auth)random_vector(packet.vector, param);
 	id = ((ntry++) & 0xff);
-	_3proxy_mutex_unlock(&rad_mutex);
+	pthread_mutex_unlock(&rad_mutex);
 	packet.code = auth?PW_AUTHENTICATION_REQUEST:PW_ACCOUNTING_REQUEST;
 	packet.id=id;
--- a/src/auto.c
+++ b/src/auto.c
@ -1,5 +1,5 @@
 /*
-   3APA3A simplest proxy server
+   3APA3A simpliest proxy server
   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
   please read License Agreement
--- a/src/common.c
+++ b/src/common.c
@ -1,5 +1,5 @@
 /*
-   3APA3A simplest proxy server
+   3APA3A simpliest proxy server
   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
   please read License Agreement
@ -22,15 +22,10 @@ int randomizer = 1;
 void daemonize(void){
-	pid_t pid = fork();
+	if(fork() > 0) {
 	if(pid > 0) {
 		usleep(SLEEPTIME);
 		_exit(0); 
 	}
 	if(pid < 0) {
 		perror("fork()");
 		return;
 	}
 	setsid();
 }
@ -38,38 +33,36 @@ int randomizer = 1;
 unsigned char **stringtable = NULL;
-#ifdef WITH_UN
+#ifdef WITH_LINUX_FUTEX
-void make_un(const unsigned char *path, struct sockaddr_un * sun){
+int sys_futex(void *addr1, int op, int val1, struct timespec *timeout, void *addr2, int val3)
-        memset(sun, 0, sizeof(*sun));
+{
-        sun->sun_family = AF_UNIX;
+	return syscall(SYS_futex, addr1, op, val1, timeout, addr2, val3);
-        strncpy(sun->sun_path, (char *)path, sizeof(sun->sun_path) - 1);
+}
-        if(*path == '@')*sun->sun_path = 0;
+int mutex_lock(int *val)
 {
 	int c;
 	if ((c = __sync_val_compare_and_swap(val, 0, 1)) != 0)
 		do {
 			if(c == 2 || __sync_val_compare_and_swap(val, 1, 2) != 0)
 				sys_futex(val, FUTEX_WAIT_PRIVATE, 2, NULL, NULL, 0);
 		} while ((c = __sync_val_compare_and_swap(val, 0, 2)) != 0);
 	return 0;
 }
 int mutex_unlock(int *val)
 {
 	if(__sync_fetch_and_sub (val, 1) != 1){
 		*val = 0;
 		sys_futex(val, FUTEX_WAKE_PRIVATE, 1, NULL, NULL, 0);
 	}
 	return 0;
 }
 #endif
 int myinet_ntop(int af, void *src, char *dst, socklen_t size){
 #ifdef WITH_UN
 if(af == AF_UNIX){
 	struct sockaddr_un *sun = (struct sockaddr_un *)src;
 	int ephemeral = 0;
 	char *path = sun->sun_path;
 	char *basename;
 	if(!path[0] && path[1]){
 	    ephemeral = 1;
 	    *dst++ = '@';
 	    path++;
 	}
 	basename  = strrchr(path, '/');
 	if(basename) basename++;
 	else basename = path;
 	if(size > 0){
 		strncpy(dst, basename, (size > 40) ? 40 : size - (ephemeral + 1));
 		dst[((size > 40) ? 40 : size - (ephemeral + 1))] = 0;
 	}
 	return (int)strlen(dst);
 }
 #endif
 #ifndef NOIPV6
 if(af != AF_INET6){
 #endif 
@ -115,11 +108,7 @@ int timeouts[12] = {
 };
 struct extparam conf = {
-#ifdef _WIN32
+	.threadinit = {0, 0},
 	.threadinit = NULL,
 #else
 	.threadinit = 0,
 #endif
 	.timeouts = timeouts,
 	.acl = NULL,
 	.conffile = NULL,
@ -224,7 +213,6 @@ int
 	FD_ZERO(&writefd);
 	FD_ZERO(&oobfd);
 	for(i=0; i<nfds; i++){
 		if(fds[i].fd >= FD_SETSIZE) continue;
 		if((fds[i].events&POLLIN))FD_SET(fds[i].fd, &readfd);
 		if((fds[i].events&POLLOUT))FD_SET(fds[i].fd, &writefd);
 		if((fds[i].events&POLLPRI))FD_SET(fds[i].fd, &oobfd);
@ -233,7 +221,6 @@ int
 	}
 	if((num = select(((int)(maxfd))+1, &readfd, &writefd, &oobfd, &tv)) < 1) return num;
 	for(i=0; i<nfds; i++){
 		if(fds[i].fd >= FD_SETSIZE) continue;
 		if(FD_ISSET(fds[i].fd, &readfd)) fds[i].revents |= POLLIN;
 		if(FD_ISSET(fds[i].fd, &writefd)) fds[i].revents |= POLLOUT;
 		if(FD_ISSET(fds[i].fd, &oobfd)) fds[i].revents |= POLLPRI;
@ -537,14 +524,14 @@ int connectwithpoll(struct clientparam *param, SOCKET sock, struct sockaddr *sa,
 		fcntl(sock,F_SETFL, O_NONBLOCK | fcntl(sock,F_GETFL));
 #endif
 		if(param?param->srv->so._connect(param->sostate, sock,sa,size) : so._connect(so.state, sock,sa,size)) {
-			if(errno != EAGAIN && errno != EINPROGRESS) return 13;
+			if(errno != EAGAIN && errno != EINPROGRESS) return (13);
 		}
 		if(!errno) return 0;
 	        memset(fds, 0, sizeof(fds));
 	        fds[0].fd = sock;
 	        fds[0].events = POLLOUT;
 		if((param?param->srv->so._poll(param->sostate, fds, 1, to*1000):so._poll(so.state, fds, 1, to*1000)) <= 0 || !(fds[0].revents & POLLOUT) || (fds[0].revents & (POLLERR|POLLHUP))) {
-			return 13;
+			return (13);
 		}
 		return 0;
 }
@ -574,17 +561,8 @@ int doconnect(struct clientparam * param){
 		memcpy(SAADDR(&param->sinsr), SAADDR(&param->req), SAADDRLEN(&param->req)); 
 	}
 	if(!*SAPORT(&param->sinsr))*SAPORT(&param->sinsr) = *SAPORT(&param->req);
-	if ((param->remsock=param->srv->so._socket(param->sostate, SASOCK(&param->sinsr), SOCK_STREAM, 
+	if ((param->remsock=param->srv->so._socket(param->sostate, SASOCK(&param->sinsr), SOCK_STREAM, IPPROTO_TCP)) == INVALID_SOCKET) {return (11);}
 #ifdef WITH_UN
 	    *SAFAMILY(&param->sinsr) == AF_UNIX? 0 :
 #endif
 	    IPPROTO_TCP
 	)) == INVALID_SOCKET) {return (11);}
 	if(SAISNULL(&param->sinsl)){
 #ifdef WITH_UN
 	    if(*SAFAMILY(&param->sinsr) == AF_UNIX) param->sinsl = param->sinsr;
 	    else 
 #endif
 #ifndef NOIPV6
 		if(*SAFAMILY(&param->sinsr) == AF_INET6) param->sinsl = param->srv->extsa6;
 		else
@ -624,9 +602,6 @@ int doconnect(struct clientparam * param){
 	    if(*SAFAMILY(&param->sinsl) == AF_INET6 && param->srv->so._setsockopt(param->sostate, param->remsock, IPPROTO_IPV6, IPV6_BOUND_IF, &idx, sizeof(idx))) return 12;
 #endif
 	}
 #endif
 #ifdef WITH_UN
 	if(*SAFAMILY(&param->sinsl) != AF_UNIX)
 #endif
 	if(param->srv->so._bind(param->sostate, param->remsock, (struct sockaddr*)&param->sinsl, SASIZE(&param->sinsl))==-1) {
 		return 12;
@ -662,7 +637,7 @@ int scanaddr(const unsigned char *s, uint32_t * ip, uint32_t * mask) {
 RESOLVFUNC resolvfunc = NULL;
 #ifndef _WIN32
-_3proxy_mutex_t gethostbyname_mutex;
+pthread_mutex_t gethostbyname_mutex;
 int ghbn_init = 0;
 #endif
@ -718,10 +693,10 @@ uint32_t getip(unsigned char *name){
 #ifndef NOSTDRESOLVE
 #if !defined(_WIN32) && !defined(GETHOSTBYNAME_R)
 	if(!ghbn_init){
-		_3proxy_mutex_init(&gethostbyname_mutex);
+		pthread_mutex_init(&gethostbyname_mutex, NULL);
 		ghbn_init++;
 	}
-	_3proxy_mutex_lock(&gethostbyname_mutex);
+	pthread_mutex_lock(&gethostbyname_mutex);
 #endif
 	hp=gethostbyname((char *)name);
 	if (!hp && conf.demanddialprog) {
@ -730,7 +705,7 @@ uint32_t getip(unsigned char *name){
 	}
 	retval = hp?*(uint32_t *)hp->h_addr:0;
 #if !defined(_WIN32) && !defined(GETHOSTBYNAME_R)
-	_3proxy_mutex_unlock(&gethostbyname_mutex);
+	pthread_mutex_unlock(&gethostbyname_mutex);
 #endif
 #ifdef GETHOSTBYNAME_R
 #undef gethostbyname
--- a/src/conf.c
+++ b/src/conf.c
@ -1,5 +1,5 @@
 /*
-   3APA3A simplest proxy server
+   3APA3A simpliest proxy server
   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
   please read License Agreement
@ -20,10 +20,12 @@
 #define DEFAULTCONFIG conf.stringtable[25]
 #endif
-_3proxy_mutex_t bandlim_mutex;
+pthread_mutex_t bandlim_mutex;
-_3proxy_mutex_t connlim_mutex;
+pthread_mutex_t connlim_mutex;
-_3proxy_mutex_t tc_mutex;
+pthread_mutex_t tc_mutex;
-_3proxy_mutex_t config_mutex;
+pthread_mutex_t pwl_mutex;
 pthread_mutex_t hash_mutex;
 pthread_mutex_t config_mutex;
 int haveerror = 0;
 int linenum = 0;
@ -152,6 +154,7 @@ int start_proxy_thread(struct child * chp){
 #ifdef _WIN32
  HANDLE h;
 #endif
  char r[1];
 #ifdef _WIN32
 #ifndef _WINCE
@ -164,15 +167,16 @@ int start_proxy_thread(struct child * chp){
 	pthread_attr_init(&pa);
 	pthread_attr_setstacksize(&pa,PTHREAD_STACK_MIN + (32768+conf.stacksize));
 	pthread_attr_setdetachstate(&pa,PTHREAD_CREATE_DETACHED);
 	_3proxy_mutex_lock(&conf.threadinit);
 	pthread_create(&thread, &pa, startsrv, (void *)chp);
 	pthread_attr_destroy(&pa);
 #endif
 #ifdef _WIN32
-	WaitForSingleObject(conf.threadinit, INFINITE);
+	ReadFile(conf.threadinit[0], r, 1, NULL, NULL);
 #else
-	_3proxy_mutex_lock(&conf.threadinit);
+	while(read(conf.threadinit[0], r, 1) !=1) if(errno != EINTR) {
-	_3proxy_mutex_unlock(&conf.threadinit);
+	    fprintf(stderr, "pipe failed\n");
 	    return 40;
 	}
 #endif
 	if(haveerror)  {
 		fprintf(stderr, "Service not started on line: %d%s\n", linenum, haveerror == 2? ": insufficient memory":"");
@ -193,7 +197,7 @@ static int h_proxy(int argc, unsigned char ** argv){
 		childdef.service = S_PROXY;
 		childdef.helpmessage = " -n - no NTLM support\n";
 #ifdef NOIPV6
-		if(!resolvfunc || (resolvfunc == myresolver && !dns_table.poolsize)){
+		if(!resolvfunc || (resolvfunc == myresolver && !dns_table.hashsize)){
 			fprintf(stderr, "[line %d] Warning: no nserver/nscache configured, proxy may run very slow\n", linenum);
 		}
 #endif
@ -226,7 +230,7 @@ static int h_proxy(int argc, unsigned char ** argv){
 		childdef.service = S_SOCKS;
 		childdef.helpmessage = " -n - no NTLM support\n";
 #ifdef NOIPV6
-		if(!resolvfunc || (resolvfunc == myresolver && !dns_table.poolsize)){
+		if(!resolvfunc || (resolvfunc == myresolver && !dns_table.hashsize)){
 			fprintf(stderr, "[line %d] Warning: no nserver/nscache configured, socks may run very slow\n", linenum);
 		}
 #endif
@ -272,7 +276,7 @@ static int h_proxy(int argc, unsigned char ** argv){
 		childdef.service = S_DNSPR;
 		childdef.helpmessage = " -s - simple DNS forwarding - do not use 3proxy resolver / name cache\n";
 #ifndef NOIPV6
-		if(!resolvfunc || (resolvfunc == myresolver && !dns_table.poolsize) || resolvfunc == fakeresolver){
+		if(!resolvfunc || (resolvfunc == myresolver && !dns_table.hashsize) || resolvfunc == fakeresolver){
 			fprintf(stderr, "[line %d] Warning: no nserver/nscache configured, dnspr will not work as expected\n", linenum);
 		}
 #endif
@ -281,12 +285,6 @@ static int h_proxy(int argc, unsigned char ** argv){
 }
 static int h_internal(int argc, unsigned char ** argv){
 #ifdef WITH_UN
 	if(!strncmp((char *)argv[1], "unix:", 5)){
 		make_un(argv[1] +5, (struct sockaddr_un *)&conf.intsa);
 	}
 	else
 #endif
 	getip46(46, argv[1], (struct sockaddr *)&conf.intsa);
 	return 0;
 }
@ -294,7 +292,7 @@ static int h_internal(int argc, unsigned char ** argv){
 static int h_external(int argc, unsigned char ** argv){
 	int res;
 #ifndef NOIPV6
-	PROXYSOCKADDRTYPE sa6;
+	struct sockaddr_in6 sa6;
 	memset(&sa6, 0, sizeof(sa6));
 	res = getip46(46, argv[1], (struct sockaddr *)&sa6);
 	if(!res) return 1; 
@ -337,10 +335,10 @@ static int h_log(int argc, unsigned char ** argv){
 		else if(*argv[1]=='&'){
 			conf.logfunc = logsql;
 			if(notchanged) return 0;
-			_3proxy_mutex_lock(&log_mutex);
+			pthread_mutex_lock(&log_mutex);
 			close_sql();
 			init_sql((char *)argv[1]+1);
-			_3proxy_mutex_unlock(&log_mutex);
+			pthread_mutex_unlock(&log_mutex);
 		}
 #endif
 #ifndef NORADIUS
@ -441,6 +439,18 @@ static int h_counter(int argc, unsigned char **argv){
 			fprintf(stderr, "Not a counter file %s, line %d\n", argv[1], linenum);
 			return 2;
 		}
 #ifdef _TIME64_T_DEFINED
 #ifdef _MAX__TIME64_T
 #define MAX_COUNTER_TIME (_MAX__TIME64_T)
 #elif defined (MAX__TIME64_T)
 #define MAX_COUNTER_TIME (MAX__TIME64_T)
 #else
 #define MAX_COUNTER_TIME (0x793406fff)
 #endif 
 #else
 #define MAX_COUNTER_TIME ((sizeof(time_t)>4)?(time_t)0x793406fff:(time_t)0x7fffffff)
 #endif
 		if(ch1.updated < 0 || ch1.updated >= MAX_COUNTER_TIME){
 			fprintf(stderr, "Invalid or corrupted counter file %s. Use countersutil utility to convert from older version\n", argv[1]);
 			return 3;
@ -516,43 +526,44 @@ static int h_auth(int argc, unsigned char **argv){
 }
 static int h_users(int argc, unsigned char **argv){
    static char dummy;
  int j;
  unsigned char *arg;
-    char *pw[2];
+  struct passwords *pwl = NULL;
 	for (j = 1; j<argc; j++) {
 		if(!(pwl = myalloc(sizeof(struct passwords)))) {
 			return(21);
 		}
 		memset(pwl, 0, sizeof(struct passwords));
 		arg = (unsigned char *)strchr((char *)argv[j], ':');
-        if (!arg) continue;
+		if(!arg||!arg[1]||!arg[2]||arg[3]!=':')	{
 			pwl->user = (unsigned char *)mystrdup((char *)argv[j]);
 			pwl->pwtype = SYS;
 		}
 		else {
 			*arg = 0;
-        pw[0] = (char *)argv[j];
+			pwl->user = (unsigned char *)mystrdup((char *)argv[j]);
-        if (arg[1] && arg[2] && arg[3] == ':') {
+			if((arg[1] == 'C' && arg[2] == 'L' && (pwl->pwtype = CL)) ||
-            pw[1] = (char *)(arg + 4);
+				(arg[1] == 'C' && arg[2] == 'R' && (pwl->pwtype = CR)) ||
-            if (arg[1] == 'N' && arg[2] == 'T') {
+				(arg[1] == 'N' && arg[2] == 'T' && (pwl->pwtype = NT)) ||
-                if (!pwnt_table.ihashtable && inithashtable(&pwnt_table, 16, 32, 1048576))
+				(arg[1] == 'L' && arg[2] == 'M' && (pwl->pwtype = LM))){
-                    return 3;
+				pwl->password = (unsigned char *)mystrdup((char *)arg+4);
                hashadd(&pwnt_table, pw, &dummy, MAX_COUNTER_TIME);
                continue;
 			}
-            if (arg[1] == 'C' && arg[2] == 'R') {
+			else {
-                if (!pwcr_table.ihashtable && inithashtable(&pwcr_table, 16, 32, 1048576))
+				pwl->password = (unsigned char *) mystrdup((char *)arg + 1);
-                    return 3;
+				pwl->pwtype = UN;
                hashadd(&pwcr_table, pw[0], pw[1], MAX_COUNTER_TIME);
                continue;
 			}
-            if (arg[1] == 'C' && arg[2] == 'L') {
+			if(!pwl->password) return 3;
                /* fall through to CL handling below */
            } else {
                continue;
            }
        } else {
            pw[1] = (char *)(arg + 1);
 		}
 		if(!pwl->user) return 21;
 		pthread_mutex_lock(&pwl_mutex);
 		pwl->next = conf.pwl;
 		conf.pwl = pwl;
 		pthread_mutex_unlock(&pwl_mutex);
        if (!pw_table.ihashtable && inithashtable(&pw_table, 16, 32, 1048576))
            return 3;
        hashadd(&pw_table, pw, &dummy, MAX_COUNTER_TIME);
 	}
 	return 0;
 }
@ -579,7 +590,7 @@ static int h_maxconn(int argc, unsigned char **argv){
 static int h_backlog(int argc, unsigned char **argv){
 	conf.backlog = atoi((char *)argv[1]);
-	if(conf.backlog < 0) {
+	if(conf.maxchild < 0) {
 		return(1);
 	}
 	return 0;
@ -638,14 +649,14 @@ static int h_fakeresolve(int argc, unsigned char **argv){
 }
 static int h_nscache(int argc, unsigned char **argv){
-  unsigned res;
+  int res;
-	res = (unsigned)atoi((char *)argv[1]);
+	res = atoi((char *)argv[1]);
 	if(res < 256) {
 		fprintf(stderr, "Invalid NS cache size: %d\n", res);
 		return 1;
 	}
-	if(dns_table.growlimit != res && inithashtable(&dns_table, (res >> 2), (res >> 2), res)){
+	if(inithashtable(&dns_table, (unsigned)res)){
 		fprintf(stderr, "Failed to initialize NS cache\n");
 		return 2;
 	}
@ -661,14 +672,14 @@ static int h_parentretries(int argc, unsigned char **argv){
 }
 static int h_nscache6(int argc, unsigned char **argv){
-  unsigned res;
+  int res;
-	res = (unsigned)atoi((char *)argv[1]);
+	res = atoi((char *)argv[1]);
 	if(res < 256) {
 		fprintf(stderr, "Invalid NS cache size: %d\n", res);
 		return 1;
 	}
-	if(dns6_table.growlimit != res &&inithashtable(&dns6_table, (res>>2), (res>>2), res)){
+	if(inithashtable(&dns6_table, (unsigned)res)){
 		fprintf(stderr, "Failed to initialize NS cache\n");
 		return 2;
 	}
@ -676,7 +687,11 @@ static int h_nscache6(int argc, unsigned char **argv){
 }
 static int h_nsrecord(int argc, unsigned char **argv){
-	PROXYSOCKADDRTYPE sa;
+#ifndef NOIPV6
 	struct sockaddr_in6 sa;
 #else
 	struct sockaddr_in sa;
 #endif
 	memset(&sa, 0, sizeof(sa));
 	if(!getip46(46, argv[2], (struct sockaddr *)&sa)) return 1;
@ -756,7 +771,7 @@ struct redirdesc redirs[] = {
 static int h_parent(int argc, unsigned char **argv){
  struct ace *acl = NULL;
  struct chain *chains;
-  char * cidr = NULL;
+  char * cidr;
  int i;
 	acl = conf.acl;
@ -775,45 +790,23 @@ static int h_parent(int argc, unsigned char **argv){
 	chains->weight = (unsigned)atoi((char *)argv[1]);
 	if(chains->weight == 0 || chains->weight >1000) {
 		fprintf(stderr, "Chaining error: bad chain weight %u line %d\n", chains->weight, linenum);
 		myfree(chains);
 		return(3);
 	}
 	for(i = 0; redirs[i].name ; i++){
-	    int len;
+	    if(!strcmp((char *)argv[2], redirs[i].name)) {
 	    len = strlen(redirs[i].name);
 	    if(!strncmp((char *)argv[2], redirs[i].name, len)
 		&& (argv[2][len] == 0 || (argv[2][len] == 's' && argv[2][len+1] == 0))
 	    ) {
 		chains->type = redirs[i].redir;
 		if(argv[2][len] == 's') chains->secure = 1;
 		break;
 	    }
 	}
 	if(!redirs[i].name) {
 		fprintf(stderr, "Chaining error: bad chain type (%s)\n", argv[2]);
 		myfree(chains);
 		return(4);
 	}
 #ifdef WITH_UN
 	if(!strncmp((char *)argv[3], "unix:", 5)){
 	    make_un(argv[3] + 5, (struct sockaddr_un*)&chains->addr);
 	}
 	else {
 #endif
 	cidr = strchr((char *)argv[3], '/');
 	if(cidr) *cidr = 0;
-	if(!getip46(46, argv[3], (struct sockaddr *)&chains->addr)) {
+	if(!getip46(46, argv[3], (struct sockaddr *)&chains->addr)) return (5);
 		myfree(chains);
 		return (5);
 	}
 #ifdef WITH_UN
 	}
 #endif
 	chains->exthost = (unsigned char *)mystrdup((char *)argv[3]);
-	if(!chains->exthost) {
+	if(!chains->exthost) return 21;
 		myfree(chains);
 		return 21;
 	}
 	if(cidr){
 		*cidr = '/';
 		chains->cidr = atoi(cidr + 1);
@ -849,7 +842,11 @@ static int h_nolog(int argc, unsigned char **argv){
 }
 int scanipl(unsigned char *arg, struct iplist *dst){
-	PROXYSOCKADDRTYPE sa;
+#ifndef NOIPV6
 	struct sockaddr_in6 sa;
 #else
 	struct sockaddr_in sa;
 #endif
        char * slash, *dash;
 	int masklen, addrlen;
 	int res;
@ -1226,10 +1223,7 @@ static int h_ace(int argc, unsigned char **argv){
 		}
 		memset(acl->chains, 0, sizeof(struct chain));
 		acl->chains->type = R_HTTP;
-		if(!getip46(46, argv[1], (struct sockaddr *)&acl->chains->addr)) {
+		if(!getip46(46, argv[1], (struct sockaddr *)&acl->chains->addr)) return 5;
 			freeacl(acl);
 			return 5;
 		}
 		*SAPORT(&acl->chains->addr) = htons((uint16_t)atoi((char *)argv[2]));
 		acl->chains->weight = 1000;
 	case ALLOW:
@ -1257,7 +1251,7 @@ static int h_ace(int argc, unsigned char **argv){
 			sscanf((char *)argv[1], "%u", &ncl->rate);
 			sscanf((char *)argv[2], "%u", &ncl->period);
 		}
-		_3proxy_mutex_lock(&connlim_mutex);
+		pthread_mutex_lock(&connlim_mutex);
 		if(!conf.connlimiter){
 			conf.connlimiter = ncl;
 		}
@ -1267,7 +1261,7 @@ static int h_ace(int argc, unsigned char **argv){
 			for(cli = conf.connlimiter; cli->next; cli = cli->next);
 			cli->next = ncl;
 		}
-		_3proxy_mutex_unlock(&connlim_mutex);			
+		pthread_mutex_unlock(&connlim_mutex);			
 		break;
 	case BANDLIM:
@ -1289,7 +1283,7 @@ static int h_ace(int argc, unsigned char **argv){
 				return(4);
 			}
 		}
-		_3proxy_mutex_lock(&bandlim_mutex);
+		pthread_mutex_lock(&bandlim_mutex);
 		if(!strcmp((char *)argv[0], "bandlimin") || !strcmp((char *)argv[0], "nobandlimin")){
 			if(!conf.bandlimiter){
 				conf.bandlimiter = nbl;
@ -1313,7 +1307,7 @@ static int h_ace(int argc, unsigned char **argv){
 			}
 		}
 		conf.bandlimver++;
-		_3proxy_mutex_unlock(&bandlim_mutex);			
+		pthread_mutex_unlock(&bandlim_mutex);			
 		break;
 	case COUNTIN:
@ -1365,7 +1359,7 @@ static int h_ace(int argc, unsigned char **argv){
 				}
 			}
 		}
-		_3proxy_mutex_lock(&tc_mutex);
+		pthread_mutex_lock(&tc_mutex);
 		if(!conf.trafcounter){
 			conf.trafcounter = tl;
 		}
@ -1375,7 +1369,7 @@ static int h_ace(int argc, unsigned char **argv){
 			for(ntl = conf.trafcounter; ntl->next; ntl = ntl->next);
 			ntl->next = tl;
 		}
-		_3proxy_mutex_unlock(&tc_mutex);
+		pthread_mutex_unlock(&tc_mutex);
 	}
 	return 0;
@ -1403,6 +1397,21 @@ static int h_delimchar(int argc, unsigned char **argv){
 static int h_radius(int argc, unsigned char **argv){
 	uint16_t port;
 /*
 	int oldrad;
 #ifdef NOIPV6
 	struct  sockaddr_in bindaddr;
 #else
 	struct  sockaddr_in6 bindaddr;
 #endif
 	oldrad = nradservers;
 	nradservers = 0;
 	for(; oldrad; oldrad--){
 		if(radiuslist[oldrad].logsock >= 0) so._closesocket(radiuslist[oldrad].logsock);
 		radiuslist[oldrad].logsock = -1;
 	}
 */
 	memset(radiuslist, 0, sizeof(radiuslist));
 	if(strlen((char *)argv[1]) > 63) argv[1][63] = 0;
 	strcpy(radiussecret, (char *)argv[1]);
@ -1413,18 +1422,21 @@ static int h_radius(int argc, unsigned char **argv){
 			s++;
 		}
 		if( !getip46(46, argv[nradservers + 2], (struct sockaddr *)&radiuslist[nradservers].authaddr)) return 1;
-		if( s && !getip46(46, (unsigned char *)s, (struct sockaddr *)&radiuslist[nradservers].localaddr)) return 2;
+		if( s && !getip46(46, (unsigned char *)s+1, (struct sockaddr *)&radiuslist[nradservers].localaddr)) return 2;
 		if(!*SAPORT(&radiuslist[nradservers].authaddr))*SAPORT(&radiuslist[nradservers].authaddr) = htons(1812);
 		port = ntohs(*SAPORT(&radiuslist[nradservers].authaddr));
 		radiuslist[nradservers].logaddr = radiuslist[nradservers].authaddr;
 	        *SAPORT(&radiuslist[nradservers].logaddr) = htons(port+1);
 /*
 		bindaddr = radiuslist[nradservers].localaddr;
 		if ((radiuslist[nradservers].logsock = so._socket(SASOCK(&radiuslist[nradservers].logaddr), SOCK_DGRAM, 0)) < 0) return 2;
 		if (so._bind(radiuslist[nradservers].logsock, (struct sockaddr *)&bindaddr, SASIZE(&bindaddr))) return 3;
 */
 	}
 	return 0;
 }
 #endif
 static int h_authcache(int argc, unsigned char **argv){
 	int authcachesize = 0;
 	conf.authcachetype = 0;
 	if(strstr((char *) *(argv + 1), "ip")) conf.authcachetype |= 1;
 	if(strstr((char *) *(argv + 1), "user")) conf.authcachetype |= 2;
@ -1432,21 +1444,9 @@ static int h_authcache(int argc, unsigned char **argv){
 	if(strstr((char *) *(argv + 1), "limit")) conf.authcachetype |= 8;
 	if(strstr((char *) *(argv + 1), "acl")) conf.authcachetype |= 16;
 	if(strstr((char *) *(argv + 1), "ext")) conf.authcachetype |= 32;
 	if(strstr((char *) *(argv + 1), "dstaddr")) conf.authcachetype |= 64;
 	if(strstr((char *) *(argv + 1), "dstport")) conf.authcachetype |= 128;
 	if(strstr((char *) *(argv + 1), "dsthost")) conf.authcachetype |= 256;
 	if(strstr((char *) *(argv + 1), "dstoper")) conf.authcachetype |= 512;
 	if(strstr((char *) *(argv + 1), "srvaddr")) conf.authcachetype |= 1024;
 	if(strstr((char *) *(argv + 1), "srvport")) conf.authcachetype |= 2048;
 	if(argc > 2) conf.authcachetime = (unsigned) atoi((char *) *(argv + 2));
 	if(argc > 3) authcachesize  = (unsigned) atoi((char *) *(argv + 3));
 	if(!conf.authcachetype) conf.authcachetype = 6;
 	if(!conf.authcachetime) conf.authcachetime = 600;
 	if(!authcachesize) authcachesize = 65536*4;
 	if(auth_table.growlimit != authcachesize && inithashtable(&auth_table, authcachesize < 1024? authcachesize:1024, authcachesize < 1024? authcachesize:1024, authcachesize)){
 		fprintf(stderr, "Failed to initialize auth cache\n");
 		return 2;
 	}
 	return 0;
 }
@ -1653,7 +1653,7 @@ struct commands commandhandlers[]={
 	{commandhandlers+53, "filtermaxsize", h_filtermaxsize, 2, 2},
 	{commandhandlers+54, "nolog", h_nolog, 1, 1},
 	{commandhandlers+55, "weight", h_nolog, 2, 2},
-	{commandhandlers+56, "authcache", h_authcache, 2, 4},
+	{commandhandlers+56, "authcache", h_authcache, 2, 3},
 	{commandhandlers+57, "smtpp", h_proxy, 1, 0},
 	{commandhandlers+58, "delimchar",h_delimchar, 2, 2},
 	{commandhandlers+59, "authnserver", h_authnserver, 2, 2},
@ -1717,8 +1717,8 @@ int parsestr (unsigned char *str, unsigned char **argm, int nitems, unsigned cha
 				*str = 0;
 				space = 1;
 				if(incbegin){
-					if(argc) argc--;
+					argc--;
-					if((fd = open((char *)incbegin+1, O_RDONLY)) < 0){
+					if((fd = open((char *)incbegin+1, O_RDONLY)) <= 0){
 						fprintf(stderr, "Failed to open %s\n", incbegin+1);
 						return -1;
 					}
@ -1731,7 +1731,7 @@ int parsestr (unsigned char *str, unsigned char **argm, int nitems, unsigned cha
 						}
 					}
 					len = 0;
-					if(argc > 0 && argm[argc]!=(incbegin+1)) {
+					if(argm[argc]!=(incbegin+1)) {
 						len = (int)strlen((char *)argm[argc]);
 						memmove(buf+*inbuf, argm[argc], len);
 					}
@ -1807,11 +1807,7 @@ int readconfig(FILE * fp){
 	res = 1;
 	for(cm = commandhandlers; cm; cm = cm->next){
-		if(!strcmp((char *)argv[0], (char *)cm->command)){
+		if(!strcmp((char *)argv[0], (char *)cm->command) && argc >= cm->minargs && (!cm->maxargs || argc <= cm->maxargs)){
 		    if(argc < cm->minargs || (cm->maxargs && argc > cm->maxargs)){
 			fprintf(stderr, "Command: '%s' wrong number of arguments , line %d\n", argv[0], linenum);
 			return(linenum);
 		    }
 			res = (*cm->handler)(argc, argv);
 			if(res > 0){
 				fprintf(stderr, "Command: '%s' failed with code %d, line %d\n", argv[0], res, linenum);
@ -1845,6 +1841,7 @@ void freeconf(struct extparam *confp){
 struct bandlim * blout;
 struct connlim * cl;
 struct trafcount * tc;
 struct passwords *pw;
 struct ace *acl;
 struct filemon *fm;
 int counterd, archiverc;
@ -1856,31 +1853,33 @@ void freeconf(struct extparam *confp){
- _3proxy_mutex_lock(&tc_mutex);
+ pthread_mutex_lock(&tc_mutex);
 confp->trafcountfunc = NULL;
 tc = confp->trafcounter;
 confp->trafcounter = NULL;
 counterd = confp->counterd;
 confp->counterd = -1;
 confp->countertype = NONE;
- _3proxy_mutex_unlock(&tc_mutex);
+ pthread_mutex_unlock(&tc_mutex);
- _3proxy_mutex_lock(&bandlim_mutex);
+ pthread_mutex_lock(&bandlim_mutex);
 bl = confp->bandlimiter;
 blout = confp->bandlimiterout;
 confp->bandlimiter = NULL;
 confp->bandlimiterout = NULL;
 confp->bandlimfunc = NULL;
 confp->bandlimver++;
- _3proxy_mutex_unlock(&bandlim_mutex);
+ pthread_mutex_unlock(&bandlim_mutex);
- _3proxy_mutex_lock(&connlim_mutex);
+ pthread_mutex_lock(&connlim_mutex);
 cl = confp->connlimiter;
 confp->connlimiter = NULL;
- _3proxy_mutex_unlock(&connlim_mutex);
+ pthread_mutex_unlock(&connlim_mutex);
 pthread_mutex_lock(&pwl_mutex);
 pw = confp->pwl;
 confp->pwl = NULL;
 pthread_mutex_unlock(&pwl_mutex);
 destroyhashtable(&pw_table);
 destroyhashtable(&pwnt_table);
 destroyhashtable(&pwcr_table);
 confp->logfunc = lognone;
 logformat = confp->logformat;
@ -1925,6 +1924,7 @@ void freeconf(struct extparam *confp){
 freeacl(acl);
 freepwl(pw);
 for(; bl; bl = (struct bandlim *) itfree(bl, bl->next)) freeacl(bl->ace);
 for(; blout; blout = (struct bandlim *) itfree(blout, blout->next))freeacl(blout->ace);
 for(; cl; cl = (struct connlim *) itfree(cl, cl->next)) freeacl(cl->ace);
@ -1949,7 +1949,7 @@ int reload (void){
 	FILE *fp;
 	int error = -2;
-	_3proxy_mutex_lock(&config_mutex);
+	pthread_mutex_lock(&config_mutex);
 	conf.paused++;
 	freeconf(&conf);
 	conf.paused++;
@ -1963,6 +1963,6 @@ int reload (void){
 		}
 		if(!writable)fclose(fp);
 	}
-	_3proxy_mutex_unlock(&config_mutex);
+	pthread_mutex_unlock(&config_mutex);
 	return error;
 }
--- a/src/dnspr.c
+++ b/src/dnspr.c
@ -1,5 +1,5 @@
 /*
-   3APA3A simplest proxy server
+   3APA3A simpliest proxy server
   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
   please read License Agreement
--- a/src/ftppr.c
+++ b/src/ftppr.c
@ -1,5 +1,5 @@
 /*
-   3APA3A simplest proxy server
+   3APA3A simpliest proxy server
   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
   please read License Agreement
--- a/src/hash.c
+++ b/src/hash.c
@ -1,316 +0,0 @@
 #include "proxy.h"
 struct hashentry {
        time_t expires;
        uint32_t inext;
        char value[4];
 };
 static uint32_t hashindex(unsigned tablesize, const uint8_t* hash){
    return (*(unsigned *)hash) % tablesize;
 }
 void destroyhashtable(struct hashtable *ht){
    _3proxy_mutex_lock(&ht->hash_mutex);
    if(ht->ihashtable){
 	myfree(ht->ihashtable);
 	ht->ihashtable = NULL;
    }
    if(ht->hashvalues){
 	myfree(ht->hashvalues);
 	ht->hashvalues = NULL;
    }
    if(ht->hashhashvalues){
 	myfree(ht->hashhashvalues);
 	ht->hashhashvalues = NULL;
    }
    ht->poolsize = 0;
    ht->tablesize = 0;
    ht->ihashempty = 0;
    _3proxy_mutex_unlock(&ht->hash_mutex);
    _3proxy_mutex_destroy(&ht->hash_mutex);
 }
 #define hvalue(ht,I) ((struct hashentry *)(ht->hashvalues + (I-1)*(sizeof(struct hashentry) + ht->recsize - 4)))
 #define hhash(ht,I) ((ht->hashhashvalues + (I-1)*(ht->hash_size)))
 int inithashtable(struct hashtable *ht, unsigned tablesize, unsigned poolsize, unsigned growlimit){
    unsigned i;
    clock_t c;
 #ifdef _WIN32
    struct timeb tb;
    ftime(&tb);
 #else
    struct timeval tb;
    struct timezone tz;
    gettimeofday(&tb, &tz);
 #endif
    c = clock();
    if(tablesize < 2 || poolsize < tablesize || growlimit < poolsize) return 1;
    if(ht->ihashtable){
        _3proxy_mutex_lock(&ht->hash_mutex);
 	if(ht->ihashtable){
 	    myfree(ht->ihashtable);
 	    ht->ihashtable = NULL;
 	}
 	if(ht->hashvalues){
 	    myfree(ht->hashvalues);
 	    ht->hashvalues = NULL;
 	}
 	if(ht->hashhashvalues){
 	    myfree(ht->hashhashvalues);
 	    ht->hashhashvalues = NULL;
 	}
 	ht->poolsize = 0;
 	ht->tablesize = 0;
    }
    else {
 	_3proxy_mutex_init(&ht->hash_mutex);
        _3proxy_mutex_lock(&ht->hash_mutex);
    }
    if(!(ht->ihashtable = myalloc(tablesize *  sizeof(uint32_t)))
    || !(ht->hashvalues = myalloc(poolsize * (sizeof(struct hashentry) + ht->recsize - 4)))
    || !(ht->hashhashvalues = myalloc(poolsize * ht->hash_size))
    ){
 	myfree(ht->ihashtable);
 	ht->ihashtable = NULL;
 	myfree(ht->hashvalues);
 	ht->hashvalues = NULL;
 	_3proxy_mutex_unlock(&ht->hash_mutex);
 	return 3;
    }
    ht->poolsize = poolsize;
    ht->tablesize = tablesize;
    ht->growlimit = growlimit;
    memset(ht->ihashtable, 0, ht->tablesize * sizeof(uint32_t));
    memset(ht->hashvalues, 0, ht->poolsize * (sizeof(struct hashentry) + ht->recsize - 4));
    for(i = 1; i < ht->poolsize; i++) {
 	hvalue(ht,i)->inext = i+1;
    }
    ht->ihashempty = 1;
    _3proxy_mutex_unlock(&ht->hash_mutex);
    return 0;
 }
 static void hashcompact(struct hashtable *ht){
    int i;
    uint32_t he, *hep;
    if((conf.time - ht->compacted) < 300 || !ht->tablesize || !ht->poolsize || ht->ihashempty) return;
    for(i = 0; i < ht->tablesize; i++){
 	for(hep = ht->ihashtable + i; (he = *hep) != 0; ){
 	    if(hvalue(ht,he)->expires < conf.time ) {
 		(*hep) = hvalue(ht,he)->inext;
 		hvalue(ht,he)->expires = 0;
 		hvalue(ht,he)->inext = ht->ihashempty;
 		ht->ihashempty = he;
 	    }
 	    else hep=&(hvalue(ht,he)->inext);
 	}
    }
    ht->compacted = conf.time;
    if(ht->ihashempty) return;
 }
 static void hashgrow(struct hashtable *ht){
    unsigned newsize = (ht->poolsize + (ht->poolsize >> 1));
    unsigned i;
    void * newvalues;
    if(!ht->tablesize || !ht->poolsize) return;
    if(ht->poolsize / ht->tablesize < 4) hashcompact(ht);
    if(ht->ihashempty) return;
    if(ht->poolsize >= ht->growlimit) return;
    if(newsize > ht->growlimit) newsize = ht->growlimit;
    newvalues = myrealloc(ht->hashvalues, newsize * (sizeof(struct hashentry) + ht->recsize - 4));
    if(!newvalues) return;
    ht->hashvalues = newvalues;
    newvalues = myrealloc(ht->hashhashvalues, newsize * ht->hash_size);
    if(!newvalues) return;
    ht->hashhashvalues = newvalues;
    memset(ht->hashvalues + (ht->poolsize * (sizeof(struct hashentry) + ht->recsize - 4)), 0, (newsize - ht->poolsize) * (sizeof(struct hashentry) + ht->recsize - 4));
    for(i = ht->poolsize + 1; i < newsize; i++) {
 	hvalue(ht,i)->inext = i+1;
    }
    hvalue(ht,newsize)->inext = ht->ihashempty;
    ht->ihashempty = ht->poolsize + 1;
    ht->poolsize = newsize;
    if (ht->poolsize / ht->tablesize > 10) {
        unsigned newtablesize = ht->poolsize / 3;
        uint32_t *newitable = myalloc(newtablesize * sizeof(uint32_t));
        if (newitable) {
            unsigned j;
            memset(newitable, 0, newtablesize * sizeof(uint32_t));
            for (j = 0; j < ht->tablesize; j++) {
                uint32_t he = ht->ihashtable[j];
                while (he) {
                    uint32_t next = hvalue(ht, he)->inext;
                    unsigned idx = hashindex(newtablesize, hhash(ht, he));
                    hvalue(ht, he)->inext = newitable[idx];
                    newitable[idx] = he;
                    he = next;
                }
            }
            myfree(ht->ihashtable);
            ht->ihashtable = newitable;
            ht->tablesize = newtablesize;
        }
    }
 }
 void hashadd(struct hashtable *ht, void* name, void* value, time_t expires){
    uint32_t hen, he;
    uint32_t *hep;
    int overwrite = 0;
    uint8_t hash[MAX_HASH_SIZE];
    uint32_t index;
    uint32_t last = 0;
    if(!ht||!value||!name||!ht->ihashtable) {
 	return;
    }
    ht->index2hash_add(ht, name, hash);
    _3proxy_mutex_lock(&ht->hash_mutex);
    index = hashindex(ht->tablesize, hash);
    for(hep = ht->ihashtable + index; (he = *hep)!=0; ){
 	if(hvalue(ht,he)->expires < conf.time || !memcmp(hash, hhash(ht,he), ht->hash_size)) {
 	    (*hep) = hvalue(ht,he)->inext;
 	    hvalue(ht,he)->expires = 0;
 	    hvalue(ht,he)->inext = ht->ihashempty;
 	    ht->ihashempty = he;
 	}
 	else {
 	    hep=&(hvalue(ht,he)->inext);
 	    last = he;
 	}
    }
    if(!ht->ihashempty){
 	hashgrow(ht);
    }
    if(ht->ihashempty){
 	hen = ht->ihashempty;
 	ht->ihashempty = hvalue(ht,ht->ihashempty)->inext;
 	hvalue(ht,hen)->inext = ht->ihashtable[index];
 	ht->ihashtable[index] = hen;
    }
    else {
 	hen = last;
    }
    if(hen){
 	memcpy(hhash(ht,hen), hash, ht->hash_size);
 	memcpy(hvalue(ht,hen)->value, value, ht->recsize);
 	hvalue(ht,hen)->expires = expires;
    }
    _3proxy_mutex_unlock(&ht->hash_mutex);
 }
 int hashresolv(struct hashtable *ht, void* name, void* value, uint32_t *ttl){
    uint8_t hash[MAX_HASH_SIZE];
    uint32_t *hep;
    uint32_t he;
    uint32_t index;
    if(!ht || !ht->ihashtable || !name) {
 	return 0;
    }
    ht->index2hash_search(ht,name, hash);
    _3proxy_mutex_lock(&ht->hash_mutex);
    index = hashindex(ht->tablesize, hash);
    for(hep = ht->ihashtable + index; (he = *hep)!=0; ){
 	if(hvalue(ht, he)->expires < conf.time) {
 	    (*hep) = hvalue(ht,he)->inext;
 	    hvalue(ht,he)->expires = 0;
 	    hvalue(ht,he)->inext = ht->ihashempty;
 	    ht->ihashempty = he;
 	}
 	else if(!memcmp(hash, hhash(ht,he), ht->hash_size)){
 	    if(ttl) *ttl = (uint32_t)(hvalue(ht,he)->expires - conf.time);
 	    memcpy(value, hvalue(ht,he)->value, ht->recsize);
 	    _3proxy_mutex_unlock(&ht->hash_mutex);
 	    return 1;
 	}
 	else hep=&(hvalue(ht,he)->inext);
    }
    _3proxy_mutex_unlock(&ht->hash_mutex);
    return 0;
 }
 void hashdelete(struct hashtable *ht, void *name){
    uint8_t hash[MAX_HASH_SIZE];
    uint32_t *hep;
    uint32_t he;
    uint32_t index;
    if(!ht || !ht->ihashtable || !name) {
 	return;
    }
    ht->index2hash_search(ht, name, hash);
    _3proxy_mutex_lock(&ht->hash_mutex);
    index = hashindex(ht->tablesize, hash);
    for(hep = ht->ihashtable + index; (he = *hep) != 0; ){
 	if((hvalue(ht, he)->expires && hvalue(ht, he)->expires < conf.time) || !memcmp(hash, hhash(ht, he), ht->hash_size)) {
 	    (*hep) = hvalue(ht, he)->inext;
 	    hvalue(ht, he)->expires = 0;
 	    hvalue(ht, he)->inext = ht->ihashempty;
 	    ht->ihashempty = he;
 	}
 	else hep = &(hvalue(ht, he)->inext);
    }
    _3proxy_mutex_unlock(&ht->hash_mutex);
 }
 #define MURMUR_C1 0xcc9e2d51u
 #define MURMUR_C2 0x1b873593u
 uint32_t murmurhash3(const void *key, int len, uint32_t seed) {
    const uint8_t *data = (const uint8_t *)key;
    const int nblocks = len / 4;
    uint32_t h = seed;
    int i;
    const uint32_t *blocks = (const uint32_t *)(data);
    const uint8_t *tail = data + nblocks * 4;
    uint32_t k;
    for (i = 0; i < nblocks; i++) {
        memcpy(&k, blocks + i, sizeof(k));
        k *= MURMUR_C1;
        k = (k << 15) | (k >> 17);
        k *= MURMUR_C2;
        h ^= k;
        h = (h << 13) | (h >> 19);
        h = h * 5 + 0xe6546b64u;
    }
    k = 0;
    switch (len & 3) {
        case 3: k ^= (uint32_t)tail[2] << 16; /* fall through */
        case 2: k ^= (uint32_t)tail[1] << 8;  /* fall through */
        case 1: k ^= (uint32_t)tail[0];
                k *= MURMUR_C1;
                k = (k << 15) | (k >> 17);
                k *= MURMUR_C2;
                h ^= k;
    }
    h ^= (uint32_t)len;
    h ^= h >> 16;
    h *= 0x85ebca6bu;
    h ^= h >> 13;
    h *= 0xc2b2ae35u;
    h ^= h >> 16;
    return h;
 }
--- a/src/hashtables.c
+++ b/src/hashtables.c
@ -1,99 +0,0 @@
 #include "proxy.h"
 #include "libs/blake2.h"
 static void char_index2hash(const struct hashtable *ht, void *index, uint8_t *hash){
    char* name = index;
    blake2b(hash, ht->hash_size, index, strlen((const char*)index), NULL, 0);
 }
 static void param2hash_add(const struct hashtable *ht, void *index, uint8_t *hash){
    blake2b_state S;
    struct clientparam *param = (struct clientparam *)index;
    unsigned type = param->srv->authcachetype;
    blake2b_init(&S, ht->hash_size);
    if((type & 2) && param->username)blake2b_update(&S, param->username, strlen((const char *)param->username) + 1);
    if((type & 4) && param->password)blake2b_update(&S, param->password, strlen((const char *)param->password) + 1);
    if((type & 1) && !(type & 8))blake2b_update(&S, SAADDR(&param->sincr), SAADDRLEN(&param->sincr));
    if((type & 16))blake2b_update(&S, &param->srv->acl, sizeof(param->srv->acl));
    if((type & 64))blake2b_update(&S, SAADDR(&param->req), SAADDRLEN(&param->req));
    if((type & 128))blake2b_update(&S, SAPORT(&param->req), 2);
    if((type & 256) && param->hostname)blake2b_update(&S, param->hostname, strlen((const char *)param->hostname) + 1);
    if((type & 512))blake2b_update(&S, &param->operation, sizeof(param->operation));
    if((type & 1024))blake2b_update(&S, SAADDR(&param->srv->intsa), SAADDRLEN(&param->srv->intsa));
    if((type & 2048))blake2b_update(&S, SAPORT(&param->srv->intsa), 2);
    blake2b_final(&S, hash, ht->hash_size);
    memcpy(param->hash, hash, ht->hash_size);
 }
 void param2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){
    struct clientparam *param = (struct clientparam *)index;
    memcpy(hash, param->hash, ht->hash_size);
 }
 static void user2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){
    struct clientparam *param = (struct clientparam *)index;
    blake2b(hash, ht->hash_size, param->username, strlen((const char *)param->username), NULL, 0);
 }
 static void udpparam2hash(const struct hashtable *ht, void *index, uint8_t *hash){
    struct clientparam *param = (struct clientparam *)index;
    blake2b_state S;
    blake2b_init(&S, ht->hash_size);
    blake2b_update(&S, SAADDR(&param->srv->intsa), SAADDRLEN(&param->srv->intsa));
    blake2b_update(&S, SAPORT(&param->srv->intsa), 2);
    blake2b_update(&S, SAADDR(&param->sincr), SAADDRLEN(&param->sincr));
    blake2b_update(&S, SAPORT(&param->sincr), 2);
    blake2b_final(&S, hash, ht->hash_size);
 }
 static void pw2hash_add(const struct hashtable *ht, void *index, uint8_t *hash){
    char ** pw = (char **)index;
    blake2b_state S;
    blake2b_init(&S, ht->hash_size);
    if(pw[0])blake2b_update(&S, pw[0], strlen(pw[0]) + 1);
    if(pw[1])blake2b_update(&S, pw[1], strlen(pw[1]) + 1);
    blake2b_final(&S, hash, ht->hash_size);
 }
 static void pw2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){
    struct clientparam *param  = (struct clientparam *)index;
    char *pw[2] = {(char *)param->username, (char *)param->password};
    pw2hash_add(ht, pw, hash);
 }
 static void pwnt2hash_add(const struct hashtable *ht, void *index, uint8_t *hash){
    char ** pw = (char **)index;
    blake2b_state S;
    blake2b_init(&S, ht->hash_size);
    if(pw[0])blake2b_update(&S, pw[0], strlen(pw[0]) + 1);
    if(pw[1])blake2b_update(&S, pw[1], strlen(pw[1]) + 1);
    blake2b_final(&S, hash, ht->hash_size);
 }
 static void pwnt2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){
    struct clientparam *param  = (struct clientparam *)index;
    unsigned char pass[40];    
    char *pw[2] = {(char *)param->username, (char *)pass};
    ntpwdhash(pass, param->password, 1);
    pwnt2hash_add(ht, pw, hash);
 }
 struct hashtable dns_table = {char_index2hash, char_index2hash, 4, 12};
 struct hashtable dns6_table = {char_index2hash, char_index2hash, 16, 12};
 struct hashtable auth_table = {param2hash_add, param2hash_search, sizeof(struct authcache), 12};
 struct hashtable pw_table = {pw2hash_add, pw2hash_search, 0, 12};
 struct hashtable pwnt_table = {pwnt2hash_add, pwnt2hash_search, 0, 12};
 struct hashtable pwcr_table = {char_index2hash, user2hash_search, 64, 12};
--- a/src/libs/blake2-impl.h
+++ b/src/libs/blake2-impl.h
@ -1,160 +0,0 @@
 /*
   BLAKE2 reference source code package - reference C implementations
   Copyright 2012, Samuel Neves <sneves@dei.uc.pt>.  You may use this under the
   terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at
   your option.  The terms of these licenses can be found at:
   - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
   - OpenSSL license   : https://www.openssl.org/source/license.html
   - Apache 2.0        : http://www.apache.org/licenses/LICENSE-2.0
   More information about the BLAKE2 hash function can be found at
   https://blake2.net.
 */
 #ifndef BLAKE2_IMPL_H
 #define BLAKE2_IMPL_H
 #include <stdint.h>
 #include <string.h>
 #if !defined(__cplusplus) && (!defined(__STDC_VERSION__) || __STDC_VERSION__ < 199901L)
  #if   defined(_MSC_VER)
    #define BLAKE2_INLINE __inline
  #elif defined(__GNUC__)
    #define BLAKE2_INLINE __inline__
  #else
    #define BLAKE2_INLINE
  #endif
 #else
  #define BLAKE2_INLINE inline
 #endif
 static BLAKE2_INLINE uint32_t load32( const void *src )
 {
 #if defined(NATIVE_LITTLE_ENDIAN)
  uint32_t w;
  memcpy(&w, src, sizeof w);
  return w;
 #else
  const uint8_t *p = ( const uint8_t * )src;
  return (( uint32_t )( p[0] ) <<  0) |
         (( uint32_t )( p[1] ) <<  8) |
         (( uint32_t )( p[2] ) << 16) |
         (( uint32_t )( p[3] ) << 24) ;
 #endif
 }
 static BLAKE2_INLINE uint64_t load64( const void *src )
 {
 #if defined(NATIVE_LITTLE_ENDIAN)
  uint64_t w;
  memcpy(&w, src, sizeof w);
  return w;
 #else
  const uint8_t *p = ( const uint8_t * )src;
  return (( uint64_t )( p[0] ) <<  0) |
         (( uint64_t )( p[1] ) <<  8) |
         (( uint64_t )( p[2] ) << 16) |
         (( uint64_t )( p[3] ) << 24) |
         (( uint64_t )( p[4] ) << 32) |
         (( uint64_t )( p[5] ) << 40) |
         (( uint64_t )( p[6] ) << 48) |
         (( uint64_t )( p[7] ) << 56) ;
 #endif
 }
 static BLAKE2_INLINE uint16_t load16( const void *src )
 {
 #if defined(NATIVE_LITTLE_ENDIAN)
  uint16_t w;
  memcpy(&w, src, sizeof w);
  return w;
 #else
  const uint8_t *p = ( const uint8_t * )src;
  return ( uint16_t )((( uint32_t )( p[0] ) <<  0) |
                      (( uint32_t )( p[1] ) <<  8));
 #endif
 }
 static BLAKE2_INLINE void store16( void *dst, uint16_t w )
 {
 #if defined(NATIVE_LITTLE_ENDIAN)
  memcpy(dst, &w, sizeof w);
 #else
  uint8_t *p = ( uint8_t * )dst;
  *p++ = ( uint8_t )w; w >>= 8;
  *p++ = ( uint8_t )w;
 #endif
 }
 static BLAKE2_INLINE void store32( void *dst, uint32_t w )
 {
 #if defined(NATIVE_LITTLE_ENDIAN)
  memcpy(dst, &w, sizeof w);
 #else
  uint8_t *p = ( uint8_t * )dst;
  p[0] = (uint8_t)(w >>  0);
  p[1] = (uint8_t)(w >>  8);
  p[2] = (uint8_t)(w >> 16);
  p[3] = (uint8_t)(w >> 24);
 #endif
 }
 static BLAKE2_INLINE void store64( void *dst, uint64_t w )
 {
 #if defined(NATIVE_LITTLE_ENDIAN)
  memcpy(dst, &w, sizeof w);
 #else
  uint8_t *p = ( uint8_t * )dst;
  p[0] = (uint8_t)(w >>  0);
  p[1] = (uint8_t)(w >>  8);
  p[2] = (uint8_t)(w >> 16);
  p[3] = (uint8_t)(w >> 24);
  p[4] = (uint8_t)(w >> 32);
  p[5] = (uint8_t)(w >> 40);
  p[6] = (uint8_t)(w >> 48);
  p[7] = (uint8_t)(w >> 56);
 #endif
 }
 static BLAKE2_INLINE uint64_t load48( const void *src )
 {
  const uint8_t *p = ( const uint8_t * )src;
  return (( uint64_t )( p[0] ) <<  0) |
         (( uint64_t )( p[1] ) <<  8) |
         (( uint64_t )( p[2] ) << 16) |
         (( uint64_t )( p[3] ) << 24) |
         (( uint64_t )( p[4] ) << 32) |
         (( uint64_t )( p[5] ) << 40) ;
 }
 static BLAKE2_INLINE void store48( void *dst, uint64_t w )
 {
  uint8_t *p = ( uint8_t * )dst;
  p[0] = (uint8_t)(w >>  0);
  p[1] = (uint8_t)(w >>  8);
  p[2] = (uint8_t)(w >> 16);
  p[3] = (uint8_t)(w >> 24);
  p[4] = (uint8_t)(w >> 32);
  p[5] = (uint8_t)(w >> 40);
 }
 static BLAKE2_INLINE uint32_t rotr32( const uint32_t w, const unsigned c )
 {
  return ( w >> c ) | ( w << ( 32 - c ) );
 }
 static BLAKE2_INLINE uint64_t rotr64( const uint64_t w, const unsigned c )
 {
  return ( w >> c ) | ( w << ( 64 - c ) );
 }
 /* prevents compiler optimizing out memset() */
 static BLAKE2_INLINE void secure_zero_memory(void *v, size_t n)
 {
  static void *(*const volatile memset_v)(void *, int, size_t) = &memset;
  memset_v(v, 0, n);
 }
 #endif
--- a/src/libs/blake2.h
+++ b/src/libs/blake2.h
@ -1,197 +0,0 @@
 /*
   BLAKE2 reference source code package - reference C implementations
   Copyright 2012, Samuel Neves <sneves@dei.uc.pt>.  You may use this under the
   terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at
   your option.  The terms of these licenses can be found at:
   - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
   - OpenSSL license   : https://www.openssl.org/source/license.html
   - Apache 2.0        : http://www.apache.org/licenses/LICENSE-2.0
   More information about the BLAKE2 hash function can be found at
   https://blake2.net.
 */
 #ifndef BLAKE2_H
 #define BLAKE2_H
 #include <stddef.h>
 #include <stdint.h>
 #if defined(WATCOM)
 #define BLAKE2_PACKED(x) _Packed x
 #elif defined(_MSC_VER)
 #define BLAKE2_PACKED(x) __pragma(pack(push, 1)) x __pragma(pack(pop))
 #else
 #define BLAKE2_PACKED(x) x __attribute__((packed))
 #endif
 #if defined(__cplusplus)
 extern "C" {
 #endif
  enum blake2s_constant
  {
    BLAKE2S_BLOCKBYTES = 64,
    BLAKE2S_OUTBYTES   = 32,
    BLAKE2S_KEYBYTES   = 32,
    BLAKE2S_SALTBYTES  = 8,
    BLAKE2S_PERSONALBYTES = 8
  };
  enum blake2b_constant
  {
    BLAKE2B_BLOCKBYTES = 128,
    BLAKE2B_OUTBYTES   = 64,
    BLAKE2B_KEYBYTES   = 64,
    BLAKE2B_SALTBYTES  = 16,
    BLAKE2B_PERSONALBYTES = 16
  };
  typedef struct blake2s_state__
  {
    uint32_t h[8];
    uint32_t t[2];
    uint32_t f[2];
    uint8_t  buf[BLAKE2S_BLOCKBYTES];
    size_t   buflen;
    size_t   outlen;
    uint8_t  last_node;
  } blake2s_state;
  typedef struct blake2b_state__
  {
    uint64_t h[8];
    uint64_t t[2];
    uint64_t f[2];
    uint8_t  buf[BLAKE2B_BLOCKBYTES];
    size_t   buflen;
    size_t   outlen;
    uint8_t  last_node;
  } blake2b_state;
  typedef struct blake2sp_state__
  {
    blake2s_state S[8][1];
    blake2s_state R[1];
    uint8_t       buf[8 * BLAKE2S_BLOCKBYTES];
    size_t        buflen;
    size_t        outlen;
  } blake2sp_state;
  typedef struct blake2bp_state__
  {
    blake2b_state S[4][1];
    blake2b_state R[1];
    uint8_t       buf[4 * BLAKE2B_BLOCKBYTES];
    size_t        buflen;
    size_t        outlen;
  } blake2bp_state;
  BLAKE2_PACKED(struct blake2s_param__
  {
    uint8_t  digest_length; /* 1 */
    uint8_t  key_length;    /* 2 */
    uint8_t  fanout;        /* 3 */
    uint8_t  depth;         /* 4 */
    uint32_t leaf_length;   /* 8 */
    uint32_t node_offset;  /* 12 */
    uint16_t xof_length;    /* 14 */
    uint8_t  node_depth;    /* 15 */
    uint8_t  inner_length;  /* 16 */
    /* uint8_t  reserved[0]; */
    uint8_t  salt[BLAKE2S_SALTBYTES]; /* 24 */
    uint8_t  personal[BLAKE2S_PERSONALBYTES];  /* 32 */
  });
  typedef struct blake2s_param__ blake2s_param;
  BLAKE2_PACKED(struct blake2b_param__
  {
    uint8_t  digest_length; /* 1 */
    uint8_t  key_length;    /* 2 */
    uint8_t  fanout;        /* 3 */
    uint8_t  depth;         /* 4 */
    uint32_t leaf_length;   /* 8 */
    uint32_t node_offset;   /* 12 */
    uint32_t xof_length;    /* 16 */
    uint8_t  node_depth;    /* 17 */
    uint8_t  inner_length;  /* 18 */
    uint8_t  reserved[14];  /* 32 */
    uint8_t  salt[BLAKE2B_SALTBYTES]; /* 48 */
    uint8_t  personal[BLAKE2B_PERSONALBYTES];  /* 64 */
  });
  typedef struct blake2b_param__ blake2b_param;
  typedef struct blake2xs_state__
  {
    blake2s_state S[1];
    blake2s_param P[1];
  } blake2xs_state;
  typedef struct blake2xb_state__
  {
    blake2b_state S[1];
    blake2b_param P[1];
  } blake2xb_state;
  /* Padded structs result in a compile-time error */
  enum {
    BLAKE2_DUMMY_1 = 1/(int)(sizeof(blake2s_param) == BLAKE2S_OUTBYTES),
    BLAKE2_DUMMY_2 = 1/(int)(sizeof(blake2b_param) == BLAKE2B_OUTBYTES)
  };
  /* Streaming API */
  int blake2s_init( blake2s_state *S, size_t outlen );
  int blake2s_init_key( blake2s_state *S, size_t outlen, const void *key, size_t keylen );
  int blake2s_init_param( blake2s_state *S, const blake2s_param *P );
  int blake2s_update( blake2s_state *S, const void *in, size_t inlen );
  int blake2s_final( blake2s_state *S, void *out, size_t outlen );
  int blake2b_init( blake2b_state *S, size_t outlen );
  int blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen );
  int blake2b_init_param( blake2b_state *S, const blake2b_param *P );
  int blake2b_update( blake2b_state *S, const void *in, size_t inlen );
  int blake2b_final( blake2b_state *S, void *out, size_t outlen );
  int blake2sp_init( blake2sp_state *S, size_t outlen );
  int blake2sp_init_key( blake2sp_state *S, size_t outlen, const void *key, size_t keylen );
  int blake2sp_update( blake2sp_state *S, const void *in, size_t inlen );
  int blake2sp_final( blake2sp_state *S, void *out, size_t outlen );
  int blake2bp_init( blake2bp_state *S, size_t outlen );
  int blake2bp_init_key( blake2bp_state *S, size_t outlen, const void *key, size_t keylen );
  int blake2bp_update( blake2bp_state *S, const void *in, size_t inlen );
  int blake2bp_final( blake2bp_state *S, void *out, size_t outlen );
  /* Variable output length API */
  int blake2xs_init( blake2xs_state *S, const size_t outlen );
  int blake2xs_init_key( blake2xs_state *S, const size_t outlen, const void *key, size_t keylen );
  int blake2xs_update( blake2xs_state *S, const void *in, size_t inlen );
  int blake2xs_final(blake2xs_state *S, void *out, size_t outlen);
  int blake2xb_init( blake2xb_state *S, const size_t outlen );
  int blake2xb_init_key( blake2xb_state *S, const size_t outlen, const void *key, size_t keylen );
  int blake2xb_update( blake2xb_state *S, const void *in, size_t inlen );
  int blake2xb_final(blake2xb_state *S, void *out, size_t outlen);
  /* Simple API */
  int blake2s( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
  int blake2b( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
  int blake2sp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
  int blake2bp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
  int blake2xs( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
  int blake2xb( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
  /* This is simply an alias for blake2b */
  int blake2( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen );
 #if defined(__cplusplus)
 }
 #endif
 #endif
--- a/src/libs/blake2b-ref.c
+++ b/src/libs/blake2b-ref.c
@ -1,379 +0,0 @@
 /*
   BLAKE2 reference source code package - reference C implementations
   Copyright 2012, Samuel Neves <sneves@dei.uc.pt>.  You may use this under the
   terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at
   your option.  The terms of these licenses can be found at:
   - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
   - OpenSSL license   : https://www.openssl.org/source/license.html
   - Apache 2.0        : http://www.apache.org/licenses/LICENSE-2.0
   More information about the BLAKE2 hash function can be found at
   https://blake2.net.
 */
 #include <stdint.h>
 #include <string.h>
 #include <stdio.h>
 #include "blake2.h"
 #include "blake2-impl.h"
 static const uint64_t blake2b_IV[8] =
 {
  0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL,
  0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL,
  0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL,
  0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL
 };
 static const uint8_t blake2b_sigma[12][16] =
 {
  {  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15 } ,
  { 14, 10,  4,  8,  9, 15, 13,  6,  1, 12,  0,  2, 11,  7,  5,  3 } ,
  { 11,  8, 12,  0,  5,  2, 15, 13, 10, 14,  3,  6,  7,  1,  9,  4 } ,
  {  7,  9,  3,  1, 13, 12, 11, 14,  2,  6,  5, 10,  4,  0, 15,  8 } ,
  {  9,  0,  5,  7,  2,  4, 10, 15, 14,  1, 11, 12,  6,  8,  3, 13 } ,
  {  2, 12,  6, 10,  0, 11,  8,  3,  4, 13,  7,  5, 15, 14,  1,  9 } ,
  { 12,  5,  1, 15, 14, 13,  4, 10,  0,  7,  6,  3,  9,  2,  8, 11 } ,
  { 13, 11,  7, 14, 12,  1,  3,  9,  5,  0, 15,  4,  8,  6,  2, 10 } ,
  {  6, 15, 14,  9, 11,  3,  0,  8, 12,  2, 13,  7,  1,  4, 10,  5 } ,
  { 10,  2,  8,  4,  7,  6,  1,  5, 15, 11,  9, 14,  3, 12, 13 , 0 } ,
  {  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15 } ,
  { 14, 10,  4,  8,  9, 15, 13,  6,  1, 12,  0,  2, 11,  7,  5,  3 }
 };
 static void blake2b_set_lastnode( blake2b_state *S )
 {
  S->f[1] = (uint64_t)-1;
 }
 /* Some helper functions, not necessarily useful */
 static int blake2b_is_lastblock( const blake2b_state *S )
 {
  return S->f[0] != 0;
 }
 static void blake2b_set_lastblock( blake2b_state *S )
 {
  if( S->last_node ) blake2b_set_lastnode( S );
  S->f[0] = (uint64_t)-1;
 }
 static void blake2b_increment_counter( blake2b_state *S, const uint64_t inc )
 {
  S->t[0] += inc;
  S->t[1] += ( S->t[0] < inc );
 }
 static void blake2b_init0( blake2b_state *S )
 {
  size_t i;
  memset( S, 0, sizeof( blake2b_state ) );
  for( i = 0; i < 8; ++i ) S->h[i] = blake2b_IV[i];
 }
 /* init xors IV with input parameter block */
 int blake2b_init_param( blake2b_state *S, const blake2b_param *P )
 {
  const uint8_t *p = ( const uint8_t * )( P );
  size_t i;
  blake2b_init0( S );
  /* IV XOR ParamBlock */
  for( i = 0; i < 8; ++i )
    S->h[i] ^= load64( p + sizeof( S->h[i] ) * i );
  S->outlen = P->digest_length;
  return 0;
 }
 int blake2b_init( blake2b_state *S, size_t outlen )
 {
  blake2b_param P[1];
  if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return -1;
  P->digest_length = (uint8_t)outlen;
  P->key_length    = 0;
  P->fanout        = 1;
  P->depth         = 1;
  store32( &P->leaf_length, 0 );
  store32( &P->node_offset, 0 );
  store32( &P->xof_length, 0 );
  P->node_depth    = 0;
  P->inner_length  = 0;
  memset( P->reserved, 0, sizeof( P->reserved ) );
  memset( P->salt,     0, sizeof( P->salt ) );
  memset( P->personal, 0, sizeof( P->personal ) );
  return blake2b_init_param( S, P );
 }
 int blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen )
 {
  blake2b_param P[1];
  if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return -1;
  if ( !key || !keylen || keylen > BLAKE2B_KEYBYTES ) return -1;
  P->digest_length = (uint8_t)outlen;
  P->key_length    = (uint8_t)keylen;
  P->fanout        = 1;
  P->depth         = 1;
  store32( &P->leaf_length, 0 );
  store32( &P->node_offset, 0 );
  store32( &P->xof_length, 0 );
  P->node_depth    = 0;
  P->inner_length  = 0;
  memset( P->reserved, 0, sizeof( P->reserved ) );
  memset( P->salt,     0, sizeof( P->salt ) );
  memset( P->personal, 0, sizeof( P->personal ) );
  if( blake2b_init_param( S, P ) < 0 ) return -1;
  {
    uint8_t block[BLAKE2B_BLOCKBYTES];
    memset( block, 0, BLAKE2B_BLOCKBYTES );
    memcpy( block, key, keylen );
    blake2b_update( S, block, BLAKE2B_BLOCKBYTES );
    secure_zero_memory( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */
  }
  return 0;
 }
 #define G(r,i,a,b,c,d)                      \
  do {                                      \
    a = a + b + m[blake2b_sigma[r][2*i+0]]; \
    d = rotr64(d ^ a, 32);                  \
    c = c + d;                              \
    b = rotr64(b ^ c, 24);                  \
    a = a + b + m[blake2b_sigma[r][2*i+1]]; \
    d = rotr64(d ^ a, 16);                  \
    c = c + d;                              \
    b = rotr64(b ^ c, 63);                  \
  } while(0)
 #define ROUND(r)                    \
  do {                              \
    G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
    G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
    G(r,2,v[ 2],v[ 6],v[10],v[14]); \
    G(r,3,v[ 3],v[ 7],v[11],v[15]); \
    G(r,4,v[ 0],v[ 5],v[10],v[15]); \
    G(r,5,v[ 1],v[ 6],v[11],v[12]); \
    G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
    G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
  } while(0)
 static void blake2b_compress( blake2b_state *S, const uint8_t block[BLAKE2B_BLOCKBYTES] )
 {
  uint64_t m[16];
  uint64_t v[16];
  size_t i;
  for( i = 0; i < 16; ++i ) {
    m[i] = load64( block + i * sizeof( m[i] ) );
  }
  for( i = 0; i < 8; ++i ) {
    v[i] = S->h[i];
  }
  v[ 8] = blake2b_IV[0];
  v[ 9] = blake2b_IV[1];
  v[10] = blake2b_IV[2];
  v[11] = blake2b_IV[3];
  v[12] = blake2b_IV[4] ^ S->t[0];
  v[13] = blake2b_IV[5] ^ S->t[1];
  v[14] = blake2b_IV[6] ^ S->f[0];
  v[15] = blake2b_IV[7] ^ S->f[1];
  ROUND( 0 );
  ROUND( 1 );
  ROUND( 2 );
  ROUND( 3 );
  ROUND( 4 );
  ROUND( 5 );
  ROUND( 6 );
  ROUND( 7 );
  ROUND( 8 );
  ROUND( 9 );
  ROUND( 10 );
  ROUND( 11 );
  for( i = 0; i < 8; ++i ) {
    S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];
  }
 }
 #undef G
 #undef ROUND
 int blake2b_update( blake2b_state *S, const void *pin, size_t inlen )
 {
  const unsigned char * in = (const unsigned char *)pin;
  if( inlen > 0 )
  {
    size_t left = S->buflen;
    size_t fill = BLAKE2B_BLOCKBYTES - left;
    if( inlen > fill )
    {
      S->buflen = 0;
      memcpy( S->buf + left, in, fill ); /* Fill buffer */
      blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES );
      blake2b_compress( S, S->buf ); /* Compress */
      in += fill; inlen -= fill;
      while(inlen > BLAKE2B_BLOCKBYTES) {
        blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES);
        blake2b_compress( S, in );
        in += BLAKE2B_BLOCKBYTES;
        inlen -= BLAKE2B_BLOCKBYTES;
      }
    }
    memcpy( S->buf + S->buflen, in, inlen );
    S->buflen += inlen;
  }
  return 0;
 }
 int blake2b_final( blake2b_state *S, void *out, size_t outlen )
 {
  uint8_t buffer[BLAKE2B_OUTBYTES] = {0};
  size_t i;
  if( out == NULL || outlen < S->outlen )
    return -1;
  if( blake2b_is_lastblock( S ) )
    return -1;
  blake2b_increment_counter( S, S->buflen );
  blake2b_set_lastblock( S );
  memset( S->buf + S->buflen, 0, BLAKE2B_BLOCKBYTES - S->buflen ); /* Padding */
  blake2b_compress( S, S->buf );
  for( i = 0; i < 8; ++i ) /* Output full hash to temp buffer */
    store64( buffer + sizeof( S->h[i] ) * i, S->h[i] );
  memcpy( out, buffer, S->outlen );
  secure_zero_memory(buffer, sizeof(buffer));
  return 0;
 }
 /* inlen, at least, should be uint64_t. Others can be size_t. */
 int blake2b( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen )
 {
  blake2b_state S[1];
  /* Verify parameters */
  if ( NULL == in && inlen > 0 ) return -1;
  if ( NULL == out ) return -1;
  if( NULL == key && keylen > 0 ) return -1;
  if( !outlen || outlen > BLAKE2B_OUTBYTES ) return -1;
  if( keylen > BLAKE2B_KEYBYTES ) return -1;
  if( keylen > 0 )
  {
    if( blake2b_init_key( S, outlen, key, keylen ) < 0 ) return -1;
  }
  else
  {
    if( blake2b_init( S, outlen ) < 0 ) return -1;
  }
  blake2b_update( S, ( const uint8_t * )in, inlen );
  blake2b_final( S, out, outlen );
  return 0;
 }
 int blake2( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ) {
  return blake2b(out, outlen, in, inlen, key, keylen);
 }
 #if defined(SUPERCOP)
 int crypto_hash( unsigned char *out, unsigned char *in, unsigned long long inlen )
 {
  return blake2b( out, BLAKE2B_OUTBYTES, in, inlen, NULL, 0 );
 }
 #endif
 #if defined(BLAKE2B_SELFTEST)
 #include <string.h>
 #include "blake2-kat.h"
 int main( void )
 {
  uint8_t key[BLAKE2B_KEYBYTES];
  uint8_t buf[BLAKE2_KAT_LENGTH];
  size_t i, step;
  for( i = 0; i < BLAKE2B_KEYBYTES; ++i )
    key[i] = ( uint8_t )i;
  for( i = 0; i < BLAKE2_KAT_LENGTH; ++i )
    buf[i] = ( uint8_t )i;
  /* Test simple API */
  for( i = 0; i < BLAKE2_KAT_LENGTH; ++i )
  {
    uint8_t hash[BLAKE2B_OUTBYTES];
    blake2b( hash, BLAKE2B_OUTBYTES, buf, i, key, BLAKE2B_KEYBYTES );
    if( 0 != memcmp( hash, blake2b_keyed_kat[i], BLAKE2B_OUTBYTES ) )
    {
      goto fail;
    }
  }
  /* Test streaming API */
  for(step = 1; step < BLAKE2B_BLOCKBYTES; ++step) {
    for (i = 0; i < BLAKE2_KAT_LENGTH; ++i) {
      uint8_t hash[BLAKE2B_OUTBYTES];
      blake2b_state S;
      uint8_t * p = buf;
      size_t mlen = i;
      int err = 0;
      if( (err = blake2b_init_key(&S, BLAKE2B_OUTBYTES, key, BLAKE2B_KEYBYTES)) < 0 ) {
        goto fail;
      }
      while (mlen >= step) {
        if ( (err = blake2b_update(&S, p, step)) < 0 ) {
          goto fail;
        }
        mlen -= step;
        p += step;
      }
      if ( (err = blake2b_update(&S, p, mlen)) < 0) {
        goto fail;
      }
      if ( (err = blake2b_final(&S, hash, BLAKE2B_OUTBYTES)) < 0) {
        goto fail;
      }
      if (0 != memcmp(hash, blake2b_keyed_kat[i], BLAKE2B_OUTBYTES)) {
        goto fail;
      }
    }
  }
  puts( "ok" );
  return 0;
 fail:
  puts("error");
  return -1;
 }
 #endif
--- a/src/limiter.c
+++ b/src/limiter.c
@ -1,204 +0,0 @@
 /*
   3APA3A simplest proxy server
   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
   please read License Agreement
 */
 #include "proxy.h"
 int startconnlims (struct clientparam *param){
 	struct connlim * ce;
 	time_t delta;
 	uint64_t rating;
 	int ret = 0;
 	param->connlim = 1;
 	_3proxy_mutex_lock(&connlim_mutex);
 	for(ce = conf.connlimiter; ce; ce = ce->next) {
 		if(ACLmatches(ce->ace, param)){
 			if(ce->ace->action == NOCONNLIM)break;
 			if(!ce->period){
 				if(ce->rate <= ce->rating) {
 					ret = 1;
 					break;
 				}
 				ce->rating++;
 				continue;
 			}
 			delta = conf.time - ce->basetime;
 			if(ce->period <= delta || ce->basetime > conf.time){
 				ce->basetime = conf.time;
 				ce->rating = 0x100000;
 				continue;
 			}
 			rating = delta? ((ce->rating * (ce->period - delta)) / ce->period) + 0x100000 : ce->rating + 0x100000;
 			if (rating > (ce->rate<<20)) {
 				ret = 2;
 				break;
 			}
 			ce->rating = rating;
 			ce->basetime = conf.time;
 		}
 	}
 	if(ret) {
 		struct connlim * cee;
 		for(cee = conf.connlimiter; cee != ce; cee = cee->next) {
 			if(ACLmatches(cee->ace, param) && !cee->period && cee->rating) {
 				cee->rating--;
 			}
 		}
 		param->connlim = 0;
 	}
 	_3proxy_mutex_unlock(&connlim_mutex);
 	return ret;
 }
 void stopconnlims (struct clientparam *param){
 	struct connlim * ce;
 	_3proxy_mutex_lock(&connlim_mutex);
 	for(ce = conf.connlimiter; ce; ce = ce->next) {
 		if(ACLmatches(ce->ace, param)){
 			if(ce->ace->action == NOCONNLIM)break;
 			if(!ce->period && ce->rating){
 				ce->rating--;
 				continue;
 			}
 		}
 	}
 	_3proxy_mutex_unlock(&connlim_mutex);
 }
 void initbandlims (struct clientparam *param){
 	struct bandlim * be;
 	int i;
 	param->bandlimfunc = NULL;
 	param->bandlims[0] = NULL;
 	param->bandlimsout[0] = NULL;
 	if(!conf.bandlimfunc || (!conf.bandlimiter && !conf.bandlimiterout)) return;
 	for(i=0, be = conf.bandlimiter; be && i<MAXBANDLIMS; be = be->next) {
 		if(ACLmatches(be->ace, param)){
 			if(be->ace->action == NOBANDLIM) {
 				break;
 			}
 			param->bandlims[i++] = be;
 			param->bandlimfunc = conf.bandlimfunc;
 		}
 	}
 	if(i<MAXBANDLIMS)param->bandlims[i] = NULL;
 	for(i=0, be = conf.bandlimiterout; be && i<MAXBANDLIMS; be = be->next) {
 		if(ACLmatches(be->ace, param)){
 			if(be->ace->action == NOBANDLIM) {
 				break;
 			}
 			param->bandlimsout[i++] = be;
 			param->bandlimfunc = conf.bandlimfunc;
 		}
 	}
 	if(i<MAXBANDLIMS)param->bandlimsout[i] = NULL;
 	param->bandlimver = conf.bandlimver;
 }
 unsigned bandlimitfunc(struct clientparam *param, unsigned nbytesin, unsigned nbytesout){
 	unsigned sleeptime = 0, nsleeptime;
 	time_t sec;
 	unsigned msec;
 	unsigned now;
 	int i;
 #ifdef _WIN32
 	struct timeb tb;
 	ftime(&tb);
 	sec = (unsigned)tb.time;
 	msec = (unsigned)tb.millitm*1000;
 #else
 	struct timeval tv;
 	gettimeofday(&tv, NULL);
 	sec = tv.tv_sec;
 	msec = tv.tv_usec;
 #endif
 	if(!nbytesin && !nbytesout) return 0;
 	_3proxy_mutex_lock(&bandlim_mutex);
 	if(param->bandlimver != conf.bandlimver){
 		initbandlims(param);
 		param->bandlimver = conf.bandlimver;
 	}
 	for(i=0; nbytesin&& i<MAXBANDLIMS && param->bandlims[i]; i++){
 		if( !param->bandlims[i]->basetime ||
 			param->bandlims[i]->basetime > sec ||
 			param->bandlims[i]->basetime < (sec - 120)
 		  )
 		{
 			param->bandlims[i]->basetime = sec;
 			param->bandlims[i]->nexttime = 0;
 			continue;
 		}
 		now = (unsigned)((sec - param->bandlims[i]->basetime) * 1000000) + msec;
 		nsleeptime = (param->bandlims[i]->nexttime > now)?
 			param->bandlims[i]->nexttime - now : 0;
 		sleeptime = (nsleeptime > sleeptime)? nsleeptime : sleeptime;
 		param->bandlims[i]->basetime = sec;
 		param->bandlims[i]->nexttime = msec + nsleeptime + (((uint64_t)nbytesin * 8 * 1000000) / param->bandlims[i]->rate);
 	}
 	for(i=0; nbytesout && i<MAXBANDLIMS && param->bandlimsout[i]; i++){
 		if( !param->bandlimsout[i]->basetime ||
 			param->bandlimsout[i]->basetime > sec ||
 			param->bandlimsout[i]->basetime < (sec - 120)
 		  )
 		{
 			param->bandlimsout[i]->basetime = sec;
 			param->bandlimsout[i]->nexttime = 0;
 			continue;
 		}
 		now = (unsigned)((sec - param->bandlimsout[i]->basetime) * 1000000) + msec;
 		nsleeptime = (param->bandlimsout[i]->nexttime > now)?
 			param->bandlimsout[i]->nexttime - now : 0;
 		sleeptime = (nsleeptime > sleeptime)? nsleeptime : sleeptime;
 		param->bandlimsout[i]->basetime = sec;
 		param->bandlimsout[i]->nexttime = msec + nsleeptime + ((nbytesout > 512)? ((nbytesout+32)/64)*((64*8*1000000)/param->bandlimsout[i]->rate) : ((nbytesout+1)* (8*1000000))/param->bandlimsout[i]->rate);
 	}
 	_3proxy_mutex_unlock(&bandlim_mutex);
 	return sleeptime/1000;
 }
 void trafcountfunc(struct clientparam *param){
 	struct trafcount * tc;
 	int countout = 0;
 	_3proxy_mutex_lock(&tc_mutex);
 	for(tc = conf.trafcounter; tc; tc = tc->next) {
 		if(ACLmatches(tc->ace, param)){
 			if(tc->ace->action == NOCOUNTIN) {
 				countout = 1;
 				break;
 			}
 			if(tc->ace->action == NOCOUNTALL) break;
 			if(tc->ace->action != COUNTIN && tc->ace->action != COUNTALL) {
 				countout = 1;
 				continue;
 			}
 			tc->traf64 += param->statssrv64;
 			tc->updated = conf.time;
 		}
 	}
 	if(countout) for(tc = conf.trafcounter; tc; tc = tc->next) {
 		if(ACLmatches(tc->ace, param)){
 			if(tc->ace->action == NOCOUNTOUT || tc->ace->action == NOCOUNTALL) break;
 			if(tc->ace->action != COUNTOUT && tc->ace->action != COUNTALL ) {
 				continue;
 			}
 			tc->traf64 += param->statscli64;
 			tc->updated = conf.time;
 		}
 	}
 	_3proxy_mutex_unlock(&tc_mutex);
 }
--- a/src/log.c
+++ b/src/log.c
@ -1,5 +1,5 @@
 /*
-   3APA3A simplest proxy server
+   3APA3A simpliest proxy server
   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
   please read License Agreement
@ -10,7 +10,7 @@
 #include "proxy.h"
-_3proxy_mutex_t log_mutex;
+pthread_mutex_t log_mutex;
 int havelog = 0;
--- a/src/3proxy_crypt.c
+++ b/src/3proxy_crypt.c
@ -1,15 +1,12 @@
 /*
-   3APA3A simplest proxy server
+   3APA3A simpliest proxy server
   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
   please read License Agreement
 */
 #ifndef WITHMAIN
 #include "libs/md5.h"
 #endif
 #include "libs/md4.h"
 #include "libs/blake2.h"
 #include <string.h>
 #define MD5_SIZE 16
@ -67,21 +64,20 @@ unsigned char * ntpwdhash (unsigned char *szHash, const unsigned char *szPasswor
 unsigned char * mycrypt(const unsigned char *pw, const unsigned char *salt, unsigned char *passwd){
 const unsigned char *ep;
- unsigned char	*magic;
+ if(salt[0] == '$' && salt[1] == '1' && salt[2] == '$' && (ep = (unsigned char *)strchr((char *)salt+3, '$'))) {
 	static unsigned char	*magic = (unsigned char *)"$1$";	
 	unsigned char  *p;
 	const unsigned char *sp;
 	unsigned char	final[MD5_SIZE];
- int sl;
+	int sl,pl,i;
 	MD5_CTX	ctx,ctx1;
 	unsigned long l;
-#ifndef WITHMAIN
+	/* Refine the Salt first */
 if(salt[0] == '$' && salt[1] == '1' && salt[2] == '$' && (ep = (unsigned char *)strchr((char *)salt+3, '$'))) {
 	MD5_CTX	ctx,ctx1;
 	int pl, i;
 	sp = salt +3;
 	/* get the length of the true salt */
 	sl = (int)(ep - sp);
 	magic = (unsigned char *)"$1$";
 	MD5Init(&ctx);
@ -113,6 +109,10 @@ unsigned char * mycrypt(const unsigned char *pw, const unsigned char *salt, unsi
 		else
 		    MD5Update(&ctx, pw, 1);
 	/* Now make the output string */
 	strcpy((char *)passwd,(char *)magic);
 	strncat((char *)passwd,(char *)sp,sl);
 	strcat((char *)passwd,"$");
 	MD5Final(final,&ctx);
@ -141,26 +141,6 @@ unsigned char * mycrypt(const unsigned char *pw, const unsigned char *salt, unsi
 		MD5Final(final,&ctx1);
 	}
 	/* Don't leave anything around in vm they could use. */
 	memset(final,0,sizeof final);
 }
 else
 #endif
  if(salt[0] == '$' && salt[1] == '3' && salt[2] == '$' && (ep = (unsigned char *)strchr((char *)salt+3, '$'))) {
    sp = salt +3;
    sl = (int)(ep - sp);
    magic = (unsigned char *)"$3$";
    blake2b(final, MD5_SIZE, pw, strlen((char *)pw), sp, sl);
 }
 else {
 	*passwd = 0;
 	return passwd;
 }
 strcpy((char *)passwd,(char *)magic);
 strncat((char *)passwd,(char *)sp,sl);
 strcat((char *)passwd,"$");
 	p = passwd + strlen((char *)passwd);
 	l = (final[ 0]<<16) | (final[ 6]<<8) | final[12];
@ -176,6 +156,13 @@ unsigned char * mycrypt(const unsigned char *pw, const unsigned char *salt, unsi
 	l =                    final[11]                ;
 	_crypt_to64(p,l,2); p += 2;
 	*p = '\0';
 	/* Don't leave anything around in vm they could use. */
 	memset(final,0,sizeof final);
 }
 else {
 	*passwd = 0;
 }
 return passwd;
 }
@ -189,7 +176,7 @@ int main(int argc, char* argv[]){
 		fprintf(stderr, "usage: \n"
 			"\t%s <password>\n"
 			"\t%s <salt> <password>\n"
-			"Performs NT crypt if no salt specified, BLAKE2 crypt with salt\n"
+			"Performs NT crypt if no salt specified, MD5 crypt with salt\n"
 			"This software uses:\n"
 			"  RSA Data Security, Inc. MD4 Message-Digest Algorithm\n"
 			"  RSA Data Security, Inc. MD5 Message-Digest Algorithm\n",
@ -203,7 +190,7 @@ int main(int argc, char* argv[]){
 	else {
 		i = (int)strlen((char *)argv[1]);
 		if (i > 64) argv[1][64] = 0;
-		sprintf((char *)buf, "$3$%s$", argv[1]);
+		sprintf((char *)buf, "$1$%s$", argv[1]);
 		printf("CR:%s\n", mycrypt((unsigned char *)argv[2], buf, buf+256));
 	}
 	return 0;
--- a/src/plugins.c
+++ b/src/plugins.c
@ -1,5 +1,5 @@
 /*
-   3APA3A simplest proxy server
+   3APA3A simpliest proxy server
   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
   please read License Agreement
@ -11,6 +11,8 @@
 unsigned bandlimitfunc(struct clientparam *param, unsigned nbytesin, unsigned nbytesout);
 void trafcountfunc(struct clientparam *param);
 int checkACL(struct clientparam * param);
 void nametohash(const unsigned char * name, unsigned char *hash, unsigned char *rnd);
 unsigned hashindex(struct hashtable *ht, const unsigned char* hash);
 void decodeurl(unsigned char *s, int allowcr);
 int parsestr (unsigned char *str, unsigned char **argm, int nitems, unsigned char ** buff, int *inbuf, int *bufsize);
 struct ace * make_ace (int argc, unsigned char ** argv);
@ -43,34 +45,38 @@ struct symbol symbols[] = {
 	{symbols+18, "ipauth", (void *) ipauth},
 	{symbols+19, "strongauth", (void *) strongauth},
 	{symbols+20, "checkACL", (void *) checkACL},
-	{symbols+21, "nservers", (void *) nservers},
+	{symbols+21, "nametohash", (void *) nametohash},
-	{symbols+22, "udpresolve", (void *) udpresolve},
+	{symbols+22, "hashindex", (void *) hashindex},
-	{symbols+23, "bandlim_mutex", (void *) &bandlim_mutex},
+	{symbols+23, "nservers", (void *) nservers},
-	{symbols+24, "tc_mutex", (void *) &tc_mutex},
+	{symbols+24, "udpresolve", (void *) udpresolve},
-	{symbols+25, "linenum", (void *) &linenum},
+	{symbols+25, "bandlim_mutex", (void *) &bandlim_mutex},
-	{symbols+26, "proxy_stringtable", (void *) proxy_stringtable},
+	{symbols+26, "tc_mutex", (void *) &tc_mutex},
-	{symbols+27, "en64", (void *) en64},
+	{symbols+27, "hash_mutex", (void *) &hash_mutex},
-	{symbols+28, "de64", (void *) de64},
+	{symbols+28, "pwl_mutex", (void *) &pwl_mutex},
-	{symbols+29, "tohex", (void *) tohex},
+	{symbols+29, "linenum", (void *) &linenum},
-	{symbols+30, "fromhex", (void *) fromhex},
+	{symbols+30, "proxy_stringtable", (void *) proxy_stringtable},
-	{symbols+31, "dnspr", (void *) dnsprchild},
+	{symbols+31, "en64", (void *) en64},
-	{symbols+32, "pop3p", (void *) pop3pchild},
+	{symbols+32, "de64", (void *) de64},
-	{symbols+33, "proxy", (void *) proxychild},
+	{symbols+33, "tohex", (void *) tohex},
-	{symbols+34, "socks", (void *) sockschild},
+	{symbols+34, "fromhex", (void *) fromhex},
-	{symbols+35, "tcppm", (void *) tcppmchild},
+	{symbols+35, "dnspr", (void *) dnsprchild},
-	{symbols+36, "udppm", (void *) udppmchild},
+	{symbols+36, "pop3p", (void *) pop3pchild},
-	{symbols+37, "admin", (void *) adminchild},
+	{symbols+37, "proxy", (void *) proxychild},
-	{symbols+38, "ftppr", (void *) ftpprchild},
+	{symbols+38, "socks", (void *) sockschild},
-	{symbols+39, "smtpp", (void *) smtppchild},
+	{symbols+39, "tcppm", (void *) tcppmchild},
-	{symbols+40, "auto", (void *) smtppchild},
+	{symbols+40, "udppm", (void *) udppmchild},
-	{symbols+41, "tlspr", (void *) smtppchild},
+	{symbols+41, "admin", (void *) adminchild},
-	{symbols+42, "authfuncs", (void *) &authfuncs},
+	{symbols+42, "ftppr", (void *) ftpprchild},
-	{symbols+43, "commandhandlers", (void *) &commandhandlers},
+	{symbols+43, "smtpp", (void *) smtppchild},
-	{symbols+44, "decodeurl", (void *) decodeurl},
+	{symbols+44, "auto", (void *) smtppchild},
-	{symbols+45, "parsestr", (void *) parsestr},
+	{symbols+45, "tlspr", (void *) smtppchild},
-	{symbols+46, "make_ace", (void *) make_ace},
+	{symbols+46, "authfuncs", (void *) &authfuncs},
-	{symbols+47, "freeacl", (void *) freeacl},
+	{symbols+47, "commandhandlers", (void *) &commandhandlers},
-	{symbols+48, "handleredirect", (void *) handleredirect},
+	{symbols+48, "decodeurl", (void *) decodeurl},
 	{symbols+49, "parsestr", (void *) parsestr},
 	{symbols+50, "make_ace", (void *) make_ace},
 	{symbols+51, "freeacl", (void *) freeacl},
 	{symbols+52, "handleredirect", (void *) handleredirect},
 	{NULL, "", NULL}
 };
@ -105,6 +111,8 @@ struct pluginlink pluginlink = {
 	ACLmatches,		
 	alwaysauth,
 	checkACL,
 	nametohash,
 	hashindex,
 	en64,
 	de64,
 	tohex,
--- a/src/plugins/FilePlugin/FilePlugin.c
+++ b/src/plugins/FilePlugin/FilePlugin.c
@ -45,7 +45,7 @@ extern "C" {
 static struct pluginlink * pl;
-static _3proxy_mutex_t file_mutex;
+static pthread_mutex_t file_mutex;
 unsigned long preview = 0;
@ -207,7 +207,7 @@ static void closefiles(struct fp_stream *fps){
 static int searchsocket(SOCKET s, struct fp_stream **pfps){
 	struct fp_stream *fps = NULL;
 	int ret = 0;
-	_3proxy_mutex_lock(&file_mutex);
+	pthread_mutex_lock(&file_mutex);
 	for(fps = fp_streams; fps; fps = fps->next){
 		if(fps->fpd.cp->clisock == s) {
 			ret = 1;
@ -222,7 +222,7 @@ static int searchsocket(SOCKET s, struct fp_stream **pfps){
 			break;
 		}
 	}
-	_3proxy_mutex_unlock(&file_mutex);
+	pthread_mutex_unlock(&file_mutex);
 	*pfps = fps;
 	return ret;
 }
@ -235,7 +235,7 @@ static void freecallback(struct fp_stream * fps, struct fp_callback * fpc){
 static void removefps(struct fp_stream * fps){
 	if(!fp_streams) return;
-	_3proxy_mutex_lock(&file_mutex);
+	pthread_mutex_lock(&file_mutex);
 	if(fp_streams == fps)fp_streams = fps->next;
 	else {
 		struct fp_stream *fps2;
@ -248,7 +248,7 @@ static void removefps(struct fp_stream * fps){
 		}
 	}
-	_3proxy_mutex_unlock(&file_mutex);
+	pthread_mutex_unlock(&file_mutex);
 	if(fps->callbacks){
 		freecallback(fps, fps->callbacks);
 		fps->callbacks = 0;
@ -287,7 +287,7 @@ void processcallbacks(struct fp_stream *fps, int what, char *msg, int size){
 			case  GOT_SMTP_REQ:
 			case  GOT_SMTP_DATA:
 				fps->state = FLUSH_DATA;
-				pl->socksend(fps->fpd.cp->sostate,fps->fpd.cp->clisock, (unsigned char *)fp_stringtable[1], (int)strlen((char *)fp_stringtable[1]), pl->conf->timeouts[STRING_S]);
+				pl->socksend(fps->fpd.cp->sostate,fps->fpd.cp->clisock, fp_stringtable[1], (int)strlen(fp_stringtable[1]), pl->conf->timeouts[STRING_S]);
 				fps->state = state;
 				break;
 			case GOT_HTTP_REQUEST:
@ -299,7 +299,7 @@ void processcallbacks(struct fp_stream *fps, int what, char *msg, int size){
 			case GOT_HTTP_SRVDATA:
 				if(!fps->serversent){
 					fps->state = FLUSH_DATA;
-					pl->socksend(fps->fpd.cp->sostate, fps->fpd.cp->clisock, (unsigned char *)fp_stringtable[0], (int)strlen((char *)fp_stringtable[0]), pl->conf->timeouts[STRING_S]);
+					pl->socksend(fps->fpd.cp->sostate, fps->fpd.cp->clisock, fp_stringtable[0], (int)strlen(fp_stringtable[0]), pl->conf->timeouts[STRING_S]);
 					fps->state = state;
 				}
 				break;
@ -307,7 +307,7 @@ void processcallbacks(struct fp_stream *fps, int what, char *msg, int size){
 			case GOT_FTP_REQ:
 			case GOT_FTP_SRVDATA:
 				fps->state = FLUSH_DATA;
-				pl->socksend(fps->fpd.cp->sostate, fps->fpd.cp->ctrlsock, (unsigned char *)fp_stringtable[1], (int)strlen((char *)fp_stringtable[1]), pl->conf->timeouts[STRING_S]);
+				pl->socksend(fps->fpd.cp->sostate, fps->fpd.cp->ctrlsock, fp_stringtable[1], (int)strlen(fp_stringtable[1]), pl->conf->timeouts[STRING_S]);
 				fps->state = state;
 				break;
 			default:
@ -359,7 +359,7 @@ static int copyfdtosock(struct fp_stream * fps, DIRECTION which, long len){
 			if(fps->serversent >= fps->srvhdrwritten){
 				sprintf(fps->buf, "%lx\r\n", len);
 				sendchunk = (int)strlen(fps->buf);
-				if(pl->socksend(fps->fpd.cp->sostate, fps->fpd.cp->clisock, (unsigned char *)fps->buf, sendchunk, pl->conf->timeouts[STRING_S]) != sendchunk){
+				if(pl->socksend(fps->fpd.cp->sostate, fps->fpd.cp->clisock, fps->buf, sendchunk, pl->conf->timeouts[STRING_S]) != sendchunk){
 					return -4;
 				}
 			} 
@ -398,24 +398,20 @@ static int copyfdtosock(struct fp_stream * fps, DIRECTION which, long len){
 #endif
 			return -3;
 		}
-		if(pl->socksend(fps->fpd.cp->sostate, sock, (unsigned char *)fps->buf, res, pl->conf->timeouts[STRING_S]) != res) {
+		if(pl->socksend(fps->fpd.cp->sostate, sock, fps->buf, res, pl->conf->timeouts[STRING_S]) != res) {
 			return -4;
 		}
 		len -= res;
 	}
 	if(sendchunk){
-		if(pl->socksend(fps->fpd.cp->sostate, sock, (unsigned char *)"\r\n", 2, pl->conf->timeouts[STRING_S]) != 2)
+		if(pl->socksend(fps->fpd.cp->sostate, sock, "\r\n", 2, pl->conf->timeouts[STRING_S]) != 2)
 			return -4;
 	}
 	fps->state = state;
 	return 0;
 }
 #ifdef _WIN32
 static int WINAPI fp_poll(void *state, struct pollfd *fds, unsigned int nfds, int timeout){
 #else
 static int fp_poll(void *state, struct pollfd *fds, nfds_t nfds, int timeout){
 #endif
 struct fp_stream *fps = NULL;
 int res;
 unsigned i;
@ -462,11 +458,7 @@ static int fp_poll(void *state, struct pollfd *fds, nfds_t nfds, int timeout){
 return sso._poll(sso.state, fds, nfds, timeout);
 }
-#ifdef _WIN32
+static fp_ssize_t WINAPI fp_send(void *state, SOCKET s, const char *msg, fp_size_t len, int flags){
 static int WINAPI fp_send(void *state, SOCKET s, const char *msg, int len, int flags){
 #else
 static fp_ssize_t fp_send(void *state, SOCKET s, const void *msg, size_t len, int flags){
 #endif
 struct fp_stream *fps = NULL;
 int res;
 res = searchsocket(s, &fps);
@ -507,7 +499,7 @@ static fp_ssize_t fp_send(void *state, SOCKET s, const void *msg, size_t len, in
 		int hasnonzero = 0, i;
 		for(i=0; i < len; i++){
-			char c = ((char *)msg)[i];
+			char c = msg[i];
 			if(c == '\r' || c == '\n') continue;
 			if((c<'0'|| c>'9') && (c<'A' || c>'F') && (c<'a' || c>'f')) {
@ -550,12 +542,7 @@ static fp_ssize_t fp_send(void *state, SOCKET s, const void *msg, size_t len, in
 }
 return sso._send(sso.state, s, msg, len, flags);
 }
-#ifdef _WIN32
+static fp_ssize_t WINAPI fp_sendto(void *state, SOCKET s, const void *msg, int len, int flags, const struct sockaddr *to, fp_size_t tolen){
 static int WINAPI fp_sendto(void *state, SOCKET s, const char *msg, int len, int flags, const struct sockaddr *to, int tolen
 #else
 static fp_ssize_t fp_sendto(void *state, SOCKET s, const void *msg, fp_size_t len, int flags, const struct sockaddr *to, SASIZETYPE tolen
 #endif
 ){
 struct fp_stream *fps = NULL;
 int res;
 res = searchsocket(s, &fps);
@ -673,20 +660,10 @@ static fp_ssize_t fp_sendto(void *state, SOCKET s, const void *msg, fp_size_t le
 }
 return sso._sendto(sso.state, s, msg, len, flags, to, tolen);
 }
-#ifdef _WIN32
+static fp_ssize_t WINAPI fp_recv(void *state, SOCKET s, void *buf, fp_size_t len, int flags){
 static int WINAPI fp_recv(void *state, SOCKET s, char *buf, int len, int flags
 #else
 static fp_ssize_t fp_recv(void *state, SOCKET s, void *buf, fp_size_t len, int flags
 #endif
 ){
 return sso._recv(sso.state, s, buf, len, flags);
 }
-#ifdef _WIN32
+static fp_ssize_t WINAPI fp_recvfrom(void *state, SOCKET s, void * buf, fp_size_t len, int flags, struct sockaddr * from, fp_size_t * fromlen){
 static int WINAPI fp_recvfrom(void *state, SOCKET s, char *buf, int len, int flags, struct sockaddr * from, int * fromlen
 #else
 static fp_ssize_t fp_recvfrom(void *state, SOCKET s, void *buf, fp_size_t len, int flags, struct sockaddr * from, SASIZETYPE * fromlen
 #endif
 ){
 return sso._recvfrom(sso.state, s, buf, len, flags, from, fromlen);
 }
 static int WINAPI fp_shutdown(void *state, SOCKET s, int how){
@ -754,7 +731,7 @@ static int fp_registercallback (int what, int max_size, int preview_size, struct
 fpc->max_size = max_size;
 fpc->data = data;
 fpc->callback = cb;
- _3proxy_mutex_lock(&file_mutex);
+ pthread_mutex_lock(&file_mutex);
 fps = addfps(cp);
 if(fps){
 	 fpc->next = fps->callbacks;
@ -763,7 +740,7 @@ static int fp_registercallback (int what, int max_size, int preview_size, struct
 	 if(preview_size > fps->preview_size) fps->preview_size = preview_size;
 }
 else free(fpc);
- _3proxy_mutex_unlock(&file_mutex);
+ pthread_mutex_unlock(&file_mutex);
 return fps?1:0;
 }
@ -777,9 +754,9 @@ static void * fp_open(void * idata, struct srvparam * param){
 static FILTER_ACTION fp_client(void *fo, struct clientparam * param, void** fc){
-	_3proxy_mutex_lock(&file_mutex);
+	pthread_mutex_lock(&file_mutex);
 	(*fc) = (void *)addfps(param);
-	_3proxy_mutex_unlock(&file_mutex);
+	pthread_mutex_unlock(&file_mutex);
 	return CONTINUE;
 }
@ -789,7 +766,7 @@ static FILTER_ACTION fp_request(void *fc, struct clientparam * param, unsigned c
 			closefiles(FC);
 			FC->state = 0;
 		}
-		processcallbacks(FC, FP_CALLONREQUEST, (char *)*buf_p + offset, *length_p - offset);
+		processcallbacks(FC, FP_CALLONREQUEST, *buf_p + offset, *length_p - offset);
 		if(FC->what &FP_REJECT) return REJECT;
 		FC->state = GOT_HTTP_REQUEST;
 		genpaths(FC);
@ -801,13 +778,13 @@ static FILTER_ACTION fp_request(void *fc, struct clientparam * param, unsigned c
 static FILTER_ACTION fp_hcli(void *fc, struct clientparam * param, unsigned char ** buf_p, int * bufsize_p, int offset, int * length_p){
 	if(fc && param->service == S_SMTPP) {
-		processcallbacks(FC, FP_CALLONREQUEST, (char *)*buf_p + offset, *length_p - offset);
+		processcallbacks(FC, FP_CALLONREQUEST, *buf_p + offset, *length_p - offset);
 		if(FC->what & FP_REJECT) return REJECT;
 		if(!FC->state)genpaths(FC);
 		FC->state = GOT_SMTP_REQ;
 	}
 	if(fc && param->service == S_FTPPR) {
-		processcallbacks(FC, FP_CALLONREQUEST, (char *)*buf_p + offset, *length_p - offset);
+		processcallbacks(FC, FP_CALLONREQUEST, *buf_p + offset, *length_p - offset);
 		if(FC->what & FP_REJECT) return REJECT;
 		genpaths(FC);
 		FC->state = GOT_FTP_REQ;
@ -875,7 +852,7 @@ static int h_cachedir(int argc, unsigned char **argv){
 	char * dirp;
 	size_t len;
-	dirp = (argc > 1)? (char *)argv[1] : getenv("TEMP");
+	dirp = (argc > 1)? argv[1] : getenv("TEMP");
 	len = strlen(dirp);
 	if(!dirp || !len || len > 200 || strchr(dirp, '%')) {
 		fprintf(stderr, "FilePlugin: invalid directory path: %s\n", dirp);
@ -892,7 +869,7 @@ static int h_cachedir(int argc, unsigned char **argv){
 }
 static int h_preview(int argc, unsigned char **argv){
-	preview = atoi((char *)argv[1]);
+	preview = atoi(argv[1]);
 	return 0;
 }
@ -913,7 +890,7 @@ static int file_loaded=0;
 					 int argc, char** argv){
 	if(!file_loaded){
-		_3proxy_mutex_init(&file_mutex);
+		pthread_mutex_init(&file_mutex, NULL);
 		file_loaded = 1;
 		pl = pluginlink;
 		memcpy(&sso, pl->so, sizeof(struct sockfuncs));
--- a/src/plugins/PCREPlugin/pcre_plugin.c
+++ b/src/plugins/PCREPlugin/pcre_plugin.c
@ -21,7 +21,7 @@ extern "C" {
 static struct pluginlink * pl;
-static _3proxy_mutex_t pcre_mutex;
+static pthread_mutex_t pcre_mutex;
 static struct filter pcre_first_filter = {
@ -112,7 +112,7 @@ struct pcre_filter_data {
 };
 static void pcre_data_free(struct pcre_filter_data *pcrefd){
-	_3proxy_mutex_lock(&pcre_mutex);
+	pthread_mutex_lock(&pcre_mutex);
 	pcrefd->users--;
 	if(!pcrefd->users){
 		if(pcrefd->match_data) pcre2_match_data_free(pcrefd->match_data);
@ -121,7 +121,7 @@ static void pcre_data_free(struct pcre_filter_data *pcrefd){
 		if(pcrefd->replace) pl->freefunc(pcrefd->replace);
 		pl->freefunc(pcrefd);
 	}
-	_3proxy_mutex_unlock(&pcre_mutex);
+	pthread_mutex_unlock(&pcre_mutex);
 }
@ -130,9 +130,9 @@ static void pcre_data_free(struct pcre_filter_data *pcrefd){
 static void* pcre_filter_open(void * idata, struct srvparam * param){
 #define pcrefd ((struct pcre_filter_data *)idata)
 	if(idata){
-		_3proxy_mutex_lock(&pcre_mutex);
+		pthread_mutex_lock(&pcre_mutex);
 		pcrefd->users++;
-		_3proxy_mutex_unlock(&pcre_mutex);
+		pthread_mutex_unlock(&pcre_mutex);
 	}
 #undef pcrefd
 	return idata;
@ -517,7 +517,7 @@ PLUGINAPI int PLUGINCALL pcre_plugin (struct pluginlink * pluginlink,
 	pcre_options = 0;
 	if(!pcre_loaded){
 		pcre_loaded = 1;
-		_3proxy_mutex_init(&pcre_mutex);
+		pthread_mutex_init(&pcre_mutex, NULL);
 		regexp_symbols[2].next = pl->symbols.next;
 		pl->symbols.next = regexp_symbols;
 		pcre_commandhandlers[3].next = pl->commandhandlers->next;
--- a/src/plugins/PamAuth/pamauth.c
+++ b/src/plugins/PamAuth/pamauth.c
@ -12,7 +12,7 @@ Kirill Lopuchov <lopuchov@mail.ru>
 #include <security/pam_appl.h>
-_3proxy_mutex_t pam_mutex;
+pthread_mutex_t pam_mutex;
 static int         already_loaded = 0;
@ -89,7 +89,7 @@ static int pamfunc(struct clientparam *param)
  /*start process auth */  
  conv.appdata_ptr = (char *) param->password;
-  _3proxy_mutex_lock(&pam_mutex);
+  pthread_mutex_lock(&pam_mutex);
  if (!pamh)
    {
 	retval = pam_start ((char *)service, (char *)param->username, &conv, &pamh);
@ -113,7 +113,7 @@ static int pamfunc(struct clientparam *param)
      retval = pam_end (pamh, retval);
   if (retval != PAM_SUCCESS)
      {  pamh = NULL;   }
-  _3proxy_mutex_unlock(&pam_mutex);
+  pthread_mutex_unlock(&pam_mutex);
  return rc;
@ -140,7 +140,7 @@ PLUGINAPI int PLUGINCALL start(struct pluginlink * pluginlink, int argc, unsigne
 already_loaded = 1;
- _3proxy_mutex_init(&pam_mutex);
+ pthread_mutex_init(&pam_mutex, NULL);
 pamauth.authenticate = pamfunc;
 pamauth.authorize = pluginlink->checkACL;
 pamauth.desc = "pam";
--- a/src/plugins/SSLPlugin/my_ssl.c
+++ b/src/plugins/SSLPlugin/my_ssl.c
@ -32,7 +32,7 @@ typedef struct _ssl_conn {
 	SSL *ssl;
 } ssl_conn;
-_3proxy_mutex_t ssl_file_mutex;
+pthread_mutex_t ssl_file_mutex;
 static char errbuf[256];
@ -229,15 +229,15 @@ void _ssl_cert_free(SSL_CERT cert)
 /* This array will store all of the mutexes available to OpenSSL. */ 
-static _3proxy_mutex_t *mutex_buf= NULL;
+static pthread_mutex_t *mutex_buf= NULL;
 static void locking_function(int mode, int n, const char * file, int line)
 {
  if (mode & CRYPTO_LOCK)
-    _3proxy_mutex_lock(mutex_buf + n);
+    pthread_mutex_lock(mutex_buf + n);
  else
-    _3proxy_mutex_unlock(mutex_buf + n);
+    pthread_mutex_unlock(mutex_buf + n);
 }
 static unsigned long id_function(void)
@ -253,11 +253,11 @@ int thread_setup(void)
 {
  int i;
-  mutex_buf = malloc(CRYPTO_num_locks(  ) * sizeof(_3proxy_mutex_t));
+  mutex_buf = malloc(CRYPTO_num_locks(  ) * sizeof(pthread_mutex_t));
  if (!mutex_buf)
    return 0;
  for (i = 0;  i < CRYPTO_num_locks(  );  i++)
-    _3proxy_mutex_init(mutex_buf +i);
+    pthread_mutex_init(mutex_buf +i, NULL);
  CRYPTO_set_id_callback(id_function);
  CRYPTO_set_locking_callback(locking_function);
  return 1;
@ -272,7 +272,7 @@ int thread_cleanup(void)
  CRYPTO_set_id_callback(NULL);
  CRYPTO_set_locking_callback(NULL);
  for (i = 0;  i < CRYPTO_num_locks(  );  i++)
-    _3proxy_mutex_destroy(mutex_buf +i);
+    pthread_mutex_destroy(mutex_buf +i);
  free(mutex_buf);
  mutex_buf = NULL;
  return 1;
@ -291,7 +291,7 @@ void ssl_init()
 	    thread_setup();
 	    SSLeay_add_ssl_algorithms();
 	    SSL_load_error_strings();
-	    _3proxy_mutex_init(&ssl_file_mutex);
+	    pthread_mutex_init(&ssl_file_mutex, NULL);
 	    bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 	}
 }
--- a/src/plugins/SSLPlugin/ssl_plugin.c
+++ b/src/plugins/SSLPlugin/ssl_plugin.c
@ -274,12 +274,11 @@ SSL_CONN ssl_handshake_to_server(SOCKET s, char * hostname, SSL_CONFIG *config,
 	*errSSL = getSSLErr();
 	return NULL;
    }
 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL
    if(hostname && *hostname)SSL_set_tlsext_host_name(conn->ssl, hostname);
-#endif
+
    do {
-	struct pollfd fds[1] = {{INVALID_SOCKET}};
+	struct pollfd fds[1] = {{}};
 	int sslerr;
 	err = SSL_connect(conn->ssl);
@ -350,7 +349,7 @@ SSL_CONN ssl_handshake_to_client(SOCKET s, SSL_CONFIG *config, X509 *server_cert
    SSL_set_fd(conn->ssl, s);
    do {
-	struct pollfd fds[1] = {{INVALID_SOCKET}};
+	struct pollfd fds[1] = {{}};
 	int sslerr;
 	err = SSL_accept(conn->ssl);
@ -521,9 +520,7 @@ SSL_CTX * ssl_cli_ctx(SSL_CONFIG *config, X509 *server_cert, EVP_PKEY *server_ke
    if(config->server_min_proto_version)SSL_CTX_set_min_proto_version(ctx, config->server_min_proto_version);
    if(config->server_max_proto_version)SSL_CTX_set_max_proto_version(ctx, config->server_max_proto_version);
    if(config->server_cipher_list)SSL_CTX_set_cipher_list(ctx, config->server_cipher_list);
 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
    if(config->server_ciphersuites)SSL_CTX_set_ciphersuites(ctx, config->server_ciphersuites);
 #endif
    if(config->server_verify){
                if(config->server_ca_file || config->server_ca_dir){
                    SSL_CTX_load_verify_locations(ctx, config->server_ca_file, config->server_ca_dir);
@ -675,12 +672,8 @@ static void* ssl_filter_open(void * idata, struct srvparam * srv){
 	    if(sc->client_min_proto_version)SSL_CTX_set_min_proto_version(sc->srv_ctx, sc->client_min_proto_version);
 	    if(sc->client_max_proto_version)SSL_CTX_set_max_proto_version(sc->srv_ctx, sc->client_max_proto_version);
 	    if(sc->client_cipher_list)SSL_CTX_set_cipher_list(sc->srv_ctx, sc->client_cipher_list);
 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
 	    if(sc->client_ciphersuites)SSL_CTX_set_ciphersuites(sc->srv_ctx, sc->client_ciphersuites);
 #endif
 #if OPENSSL_VERSION_NUMBER >= 0x10200000L
 	    if(sc->client_alpn_protos.protos_len)SSL_CTX_set_alpn_protos(sc->srv_ctx, sc->client_alpn_protos.protos, sc->client_alpn_protos.protos_len);
 #endif
 	    if(sc->client_verify){
 		if(sc->client_ca_file || sc->client_ca_dir){
 		    SSL_CTX_load_verify_locations(sc->srv_ctx, sc->client_ca_file, sc->client_ca_dir);
@ -766,14 +759,6 @@ static FILTER_ACTION ssl_filter_predata(void *fc, struct clientparam * param){
 	return PASS;
 }
 static FILTER_ACTION ssl_parent(struct clientparam * param){
 	if(PCONF->cli && client_mode == 3) {
 	    if(docli(param)) {
 		return REJECT;
 	    }
 	}
 	return PASS;
 }
 static void ssl_filter_clear(void *state){
    struct clientparam *param;
@ -1173,10 +1158,6 @@ static struct commands ssl_commandhandlers[] = {
 	{NULL, "ssl_certcache", h_certcache, 2, 2},
 };
 static struct symbol ssl_symbols[] = {
        {NULL, "ssl_parent", (void *)&ssl_parent},
 };
 #ifdef WATCOM
 #pragma aux ssl_plugin "*" parm caller [ ] value struct float struct routine [eax] modify [eax ecx edx]
@ -1240,8 +1221,6 @@ PLUGINAPI int PLUGINCALL ssl_plugin (struct pluginlink * pluginlink,
 		ssl_init();
 		ssl_commandhandlers[(sizeof(ssl_commandhandlers)/sizeof(struct commands))-1].next = pl->commandhandlers->next;
 		pl->commandhandlers->next = ssl_commandhandlers;
 		ssl_symbols[0].next = pl->symbols.next;
 		pl->symbols.next = ssl_symbols;
 	}
 	tcppmfunc = (PROXYFUNC)pl->findbyname("tcppm");	
--- a/src/plugins/TrafficPlugin/ReadMe.txt
+++ b/src/plugins/TrafficPlugin/ReadMe.txt
@ -63,5 +63,5 @@ plugin "TrafficPlugin.dll" start debug
 /////////////////////////////////////////////////////////////////////////////
 Copyright:
 (c) Maslov Michael aka Flexx(rus) All rights reserved.
- Plugin was written on Visual C++ 6.0 SP5
+ Plugin was writen on Visual C++ 6.0 SP5
 Using structures.h from 3proxy distr.
--- a/src/plugins/TransparentPlugin/transparent_plugin.c
+++ b/src/plugins/TransparentPlugin/transparent_plugin.c
@ -1,5 +1,5 @@
 /*
-   3APA3A simplest proxy server
+   3APA3A simpliest proxy server
   (c) 2002-2021 by Vladimir Dubrovin <3proxy@3proxy.org>
   please read License Agreement
@ -58,10 +58,8 @@ static FILTER_ACTION transparent_filter_client(void *fo, struct clientparam * pa
 	return REJECT;
 #endif
 #else
 	if(*SAFAMILY(&param->sincl) == AF_INET || *SAFAMILY(&param->sincl) == AF_INET6){
 	param->req = param->sincl;
 	param->sincl = param->srv->intsa;
 	}
 #endif
 	pl->myinet_ntop(*SAFAMILY(&param->req), SAADDR(&param->req), (char *)addrbuf, sizeof(addrbuf));
 	if(param->hostname) pl->freefunc(param->hostname);
--- a/Show More
+++ b/Show More
		`@ -1 +0,0 @@`
			`!!Fix: destination IP may be not checked against ACL`
		`@ -1,2 +0,0 @@`
			`! Fix: parent proxy can be used in some cases where it shouldn't`
			`! Fix: bandlimiters may not work for older connections on configuration reload`
		`@ -1 +0,0 @@`
			`! fixed: use SASIZE() instead of sizeof() in connect() for FreeBSD compatibility`
		`@ -1 +0,0 @@`
			`!Fix: mutex was used prior to initialization on 'log' command processing`
		`@ -1 +0,0 @@`
			`! Fix: random 00012 errors in some configurations`
		`@ -1 +0,0 @@`
			`! Fix: tcppm may fail if used with parent proxy`