Fixes in 0.5.3j
! Fixed: double free() if OPEN is issued twice in ftppr, reported by xiaojunli.air. 0.6 branch is not affected. Impact is believed to be DoS.

Fixes in 0.5.3i
! Fixed: traffic counting and bandwidth limitation

Fixes in 0.5.3h
!! Serious buffer overflow fixed on transparent requests handling
! Fixed traffic limiting for limits >4GB

Fixes in 0.5.3g
! Previous fixes were not backported completely from 0.6
! Fixed: ident string should not be freed for openlog() to prevent garbage in syslog().

Fixes in 0.5.3f
! Fixed SOCKSv4 for parent proxy

Fixes in 0.5.3e
! Fixed POST request problem with NTLM authentication

Fixes in 0.5.3d
! Fixed endless loop on 'udppm -s'

Fixes in 0.5.3c
! Fixed aborted download on some requests

Fixes in 0.5.3b
! Fixed double 3xx reply on USER command in ftppr.

Fixes in 0.5.3a
! 64-bit pointer arithmetic problem fix applied to ntlm.c (requested by Mike Frysinger)

14.10.2006
Fixes backported from 0.6 as 0.5.3:
!! Fixed: NTLM authentication doesn't work for NT-encoded passwords and may cause account blocking (reported by boris16 at tut.by)
! Fixed: offer NTLM authentication before basic
! Fixed: buffered input may double some data on empty reads
+ FTP diagnostics improved for FTP login problems
! SOCKS BIND/UDPASSOC problems fixed (based on Artem Rebrov's patch)
! Fixed: endless loop on configuration parsing if ACL weekdays are given as a comma delimited list (reported by Andrey S. Alexeenko).

10.03.2006
Changes backported to 0.5.2

10.03.2006
! Fixed: CONNECT with http parent
+ bandlimout / nobandlimout implemented
! Copyrights and banners fixed

08.03.2006
! Minor poll() code cleanup

06.03.2006
! Socks 4a name resolution fixed
! Name resolution function was not cleared after configuration reload

03.03.06
! Print comments in traffic report

26.02.06
! Check POLLERR / POLLHUP for revents

21.02.06
+ "monitor" command added to reload 3proxy if monitored file changes

13.02.06
! Some files are renamed for autotools compatibility

07.02.06
! Fixed: insufficient timeout on buffers flushing, leads to loss of data if connection to client is worse than connection to server.

06.02.06
+ -b (bufsize) parameter added to every service
! flushing improved to prevent data loss at the end of output

03.02.06
! Documentation corrected

10.01.06
+ Documentation updated
! Buffered UDP data loss on exit is fixed for sockmap

30.12.05
! Minor interface fixes

27.12.05
+ English FAQ added

20.12.05
! Fixed: crash on counters in webadmin if "NONE" counter rotation type is used.

09.12.05
! Use bind port from BIND request for SOCKSv5 server

30.11.05
! Do not buffer UDP packets

30.11.05
! Do not drop connection on unknown command

29.11.05
! Do not drop connection on POP3 CAPA.

28.11.05
! Fixed: recv() may be called with small buffer on UDPPM

23.11.05
! Fixed: programming bug in $ file inclusion
! Fixed: webadmin counter type uses stack for return value

17.11.05
+ Makefile.Solaris added, thanks to 'pqr'.
! Cleaned pointer conversion warnings

15.11.05
! define PTHREAD_STACK_MIN if not defined to compile under Solaris
! S_NONE renamed to S_NOSERVICE to compile under Solaris

14.11.05
! Linger period is set to STRING_L (60 sec default)

10.10.05
! Add some grace period to shutdown services before exit

03.10.05
! Linger added to FTP socket to avoid data loss on socket close

29.09.05
+ Added H (hour) and C (minute) rotation support to countin

22.08.05
! Fixed: UDP resolver (nserver) fails to resolve name if reply contains no additional records (for example dnscache from djbdns).

06.08.05
!! Workaround added for Windows XP SP2 / Windows 2003 SP1 problem with 2 selects on single datagram socket. udppm -s and dnspr hang on random time while sending packets to client, sometimes causing client timeouts.

05.08.05
! Fixed problem with UDP mappings
! Workaround for strange Windows XP bug with sendto() delay for 2 secs if no select() was performed on socket

30.07.05
! Error handling on SOCKSv5 parent improved

28.07.05
+ Support for parent SOCKS4b/SOCKS5b (broken implementation with shortened server reply) added. I never saw such server but they say there are. socks4b, socks5b options for parent proxy.

22.07.05
+ Name resolution for parent CONNECT, SOCKSv5 and SOCKSv4a proxy server added, should work with "fakeresolve" option (connect+, socks4+ socks5+ options for parent proxy).

13.07.05
! Fixed: reading behind allocated memory in myrand() entropy gathering function (leads to occasional crashes) introduced on June, 20.

12.07.05
! Use client port only for portmappers
! Code reviewed for possible double close()

10.07.05
! Improved quote handling in config files. Now any string can be quoted (for example Thi"s is a test" is same as "This is a test"), fixed a problem with using quotes with $ macro.

01.07.05
+ Added RSA copyright text to 'mycrypt' to allow binary redistribution for this tool only.

22.06.05
+ try to use same (unprivileged) port as client for outgoing connections for portmappers
! admin -s now only shows counters related to user
! Fixed: impossible to set traffic limit to even number of GB

20.06.05
! -a option corrected again (had inverted action)
+ -a1 option added to report random information about client IP
+ -s option added to 'admin' to allow safe-only commands (user mode)

26.05.2005
! -a option corrected

25.05.2005
+ 'Y' (annually) option added to counters, logfile rotations, etc
+ -a (anonymous) option added to proxy server

21.05.2005
! socks: only allow UDP mapping from same IP with control connection
! socks: always log network parameters for control connection
! check timeout to be below 2000000

20.05.2005
! invalid sendto() argument fixed (may affect UDP mapping and sometimes TCP under very rare configurations)
! set sasize before sendto
! socks checks requested address to be non-zero
! socks checks requested port to be non-zero
! socks: do not change UDP client parameters before UDP packet received

19.05.2005
+ 'include' command added to 3proxy (include one config file from another config file)
! handle EAGAIN on send()/recv()

18.05.2005
! More detailed problem code in mapping code

17.05.2005
! Fixed typo with dnspr logging

16.05.2005
+ dnspr can now resolve records different from hostname (request is proxied to first DNS server in the list, reply is not cached).

14.05.2005
! Fixed: mishandled socket error in dnspr code

13.05.2005
! Few minor fixes in HTTP proxy code (timeout in initial handshake leaves some garbage in request buffer).
! Fixed short timeout in FTP proxy code
! Mapping code is changed to leave unsent data on buffer

06.05.2005
! Prevent race conditions with 100% CPU usage in socksmap (introduced 30.04)

03.05.2005
! Fixed: double free() in authentication (probably introduced on 04.04)
! Changed to POLLIN/POLLOUT/POLLPRI for more compatibility

30.04.2005
! Fixed: double free() in FTP over HTTP (probably introduced on 04.04)
! Fixed: in very rare situation may lose some data at the end of connection

27.04.2005
! stack size increased (reported problems under some OSs)
! Fixed: -l option for service executable leads to NULL-pointer reference
!!! Moved from select() to poll() on *nix. Please upgrade your Makefiles.

25.04.2005
! set thread stack size explicitly to prevent problems with some Linux 2.6 kernels.

22.04.2005
! Never fallback to gethostbyname() if nameservers are configured to prevent locking on *nix platforms
!! Fixed: name resolution is called while mutex is locked in HTTP proxy leading to long lasting blocking.

21.04.2005
! Fixed: dnspr returns A record of invalid class (fails with some resolvers)
!! Socket I/O is now non-blocking

19.04.2005
! bandlimits changed to avoid floating point operations

11.04.2005
+ Log if new connections delayed because of too many accepted connections

04.04.2005
! Fixed few minor rare memory leaks

03.04.2005
! Fixed: HTTP proxy should ignore Content-Length for 304 response

14.03.2005
! MD5 password hashing within mycrypt utility fixed
! dnspr logging now shows DNS server IP instead of resolved IP, resolver IP is shown in additional info

11.02.2005
! Configuration reload removed from signal handler

31.01.2005
! Limit for maximum log string size increased to ~4K
! large FD_SETSIZE and FD_SETSIZE check is not required under Windows

28.01.2005
! Fixed: -s options for udppm

17.01.2005
! Fixed: invalid IP may appear in logs and bandlimits on redirection

13.01.2005
+ fakeresolve option added

21.12.2004
! Fixed: traffic limits are set improperly for traffic over 1Gb

11.12.2004
! 0.6 development started

11.12.2004
Committed as 0.5b

11/12/2004 3[APA3A]tiny proxy 0.5b

New features marked with !.

Features:

1. General
+ HTTP/1.1 Proxy with keep-alive client and server support, transparent proxy support.
+ FTP over HTTP support.
+ DNS caching with built-in resolver
+ HTTPS (CONNECT) proxy
+ SOCKSv4/4.5 Proxy
+ SOCKSv5 Proxy
! UDP and bind support for SOCKSv5 (fully compatible with SocksCAP/FreeCAP for UDP)
+ Transparent SOCKS->HTTP redirection
! Transparent SOCKS->FTP redirection
! Transparent SOCKS->POP3 redirection
+ POP3 Proxy
! FTP proxy
! DNS proxy
+ TCP port mapper
+ UDP port mapper
+ Threaded application (no child process).
! Web administration and statistics

2. Proxy chaining
+ Parent proxy support for any type of incoming connection
+ Username/password authentication for parent proxy(s).
+ HTTPS/SOCKS4/SOCKS5 and redirection parent support
+ Random parent selection
+ Chain building (multihop proxying)

3. Logging
+ tunable log format compatible with any log parser
+ stdout logging
+ file logging
+ syslog logging (Unix)
+ ODBC logging (Windows and Unix)
+ log file rotation (hourly, daily, weekly, monthly)
+ automatic log file compression with external archiver (for files)
+ automatic removal of older log files
! Character filtering for log files
! different log files for different services are supported

4. Access control
+ ACL-driven (user/source/destination/protocol/weekday/daytime or combined) bandwidth limitation
+ ACL-driven (user/source/destination/protocol/weekday/daytime or combined) traffic limitation per day, week or month
+ User authorization by NetBIOS messenger name
+ Access control by username, source IP, destination IP, destination port and destination action (POST, PUT, GET, etc), weekday and daytime.
+ Access control by username/password for SOCKSv5 and HTTP/HTTPS/FTP
+ Cleartext or encrypted (crypt/MD5 or NT) passwords.
+ Connection redirection
+ Access control by requested action (CONNECT/BIND, HTTP GET/POST/PUT/HEAD/OTHER).
! NTLM authentication for HTTP proxy access
! All access control entries now support weekday and daytime limitations.

5. Configuration
+ support for configuration files
+ support for includes in configuration files
+ interface binding
+ running as daemon process
+ utility for automated networks list building
Unix
+ support for chroot
+ support for setgid
+ support for setuid
! support for signals
Windows NT/2K/XP/2K3
+ support --install as service
+ support --remove as service
+ support for service START, STOP, PAUSE and CONTINUE commands (on PAUSE no new connection accepted, but active connections still in progress, on CONTINUE configuration is reloaded)
Windows 95/98/ME
! support --install as service
! support --remove as service

6. Compilation
+ MSVC (msvcrt.dll)
+ Intel Windows Compiler (msvcrt.dll)
+ Windows/gcc (msvcrt.dll)
+ Cygwin/gcc (cygwin.dll)
+ Unix/gcc
+ Unix/ccc

Known bugs: report to 3proxy@security.nnov.ru

Planned for future (0.6) release:
- External modules API
- Addon URL, antiviral, HTTP cache filters modules, authentication modules for different protocols (RADIUS, PAM, integrated system, etc).

$Id: Changelog,v 1.154 2006/03/08 18:44:00 vlad Exp $

11.12.2004
+ man page for 3proxy.cfg added

09.12.2004
! restarting SQL on reloading configuration

08.12.2004
! Typo fixed in sockmap preventing portmappers from functioning

06.12.2004
+ Network input is now buffered, decreasing CPU usage
- Debugging printf() removed from ftppr

30.11.2004
!! Fixed: memory content may be leaked on FTP error in HTTP proxy
! Few race conditions with double socket closing fixed in FTP proxy
+ Content-Length is checked so as not to allow traffic overdraft via HTTP proxy
+ Connection now can be aborted due to traffic limit (code 90)

24.11.2004
! 333 error removed - no longer required

23.11.2004
! Deadlock in checkACL() (introduced 18.11) fixed

20.11.2004
! All mutex operations are now atomic to prevent deadlocks
! Race conditions with bandlimits on reload fixed

18.11.2004
! Mutex logic overwritten, should clear reload races completely
! Fixed socket leak on some failed FTP operations
! FD_SETSIZE increased, check for FD_SETSIZE added

04.11.2004
! Fixed: Maxconn limitation doesn't work, may lead to resource exhaustion attacks
! Fixed: reference to unallocated memory if fails to create new thread (may lead to crash together with previous bug).

03.11.2004
! Fixed: Wrong type for "ace.users" in datatypes.c
! Partially fixed: race conditions on reload in alwaysauth()

02.11.2004
! race condition in sql_init on reload fixed
! minor code cleanup
! typo with SQL deadlock introduced on last fix fixed
! checked few memory allocation calls missed with debug library (myalloc)

30.10.2004
! Fixed: minor memory leak on SQL error

28.10.2004
+ HTTP parent redirection for FTP requests

23.10.2004
! Fixed: access to free()'d memory in ODBC functions after few configuration reloads
! Configuration reload is more (but not yet completely) thread safe now.

17.10.2004
! Fixed: Content-Type: missed in web interface

16.10.2004
! Fixed: log may show invalid IP/port for parent proxy connection

12.10.2004
- Debug printing to stdout in webadmin removed

11.10.2004
! Race conditions fixed, could cause 3proxy to crash on configuration reload

28.09.2004
! Limitation for maximum string length in config file removed (for included files)

26.09.2004
! Typo corrected preventing compilation under *nix

18.09.2004
! URL decoding corrected (affect HTTP over FTP clients)
+ "writable" command added to allow config modification via Web interface
+ Config file can be edited via web interface

14.09.2004
! Crash on HTTP redirections introduced on 08.09 fixed.

11.09.2004
+ Weekday based access control is now possible
+ Time based access control added
! Speed improved in ACL checks

08.09.2004
+ * can be used as external username with a meaning of username should be requested from user.
+ %n1-n2T is now available in logformat to log only few fields of service specific text
+ -t (silent start) option added

20.08.2004
! Yesterday fix was broken, corrected.

19.08.2004
! Fixed: target address is logged instead of proxy address in a case of redirection

09.08.2004
! Fixed: under *nix if service fails to bind() port for few hours it falls into endless loop with logging and high CPU usage.

03.08.2004
! Fixed: select() changes tv value on some Linux kernels (100% CPU usage)

02.08.2004
! Fixed: wrong initialization for counter descriptor (causes some stdout noise).
! Fixed: no HTTP proxy diagnostic message if host name doesn't resolve
! Fixed: NULL pointer crash if no format specified

30.07.2004
! Few bugs with counters and bandlimits introduced yesterday fixed

29.07.2004
! Fixed few memory leaks on restart
! Some code cleanup for configuration information storing
+ Statistics extended
+ Added "Zombie" threads support (service thread waiting for child shutdown to exit).
+ Every service can now have different log format and character filtering
+ It's now possible to set logformat for service from command line

28.07.2004
! Fixed: ACLs are not cleared on reload
! Fixed: bind() warnings on reload under *nix
!! Fixed potential race conditions DoS on some Unix systems with thread exit on aborted connection (accept(): Software caused connection abort)

24.07.2004
+ Web interface shows information about all currently running services and clients (plain format just for debugging, will be rewritten later)

23.07.2004
! Fixed: wrong external ip/port in logs sometimes on internal redirection
+ HowTo and FAQ (Russian) added to documentation, documentation corrected

22.07.2004
+ Added logging options for request duration and average send/receive speed per request

20.07.2004
! Changed default password for anonymous FTP
! Improved diagnostic messages for FTP over HTTP errors

19.07.2004
! Changed FTP behaviour for some RFC ignorant sites

17.07.2004
+ services and clients are now registered for future extensions
! counters show wrong result problem introduced yesterday fixed
! fixed descriptor leak on configuration reload
! fixed theoretical problem with client number limitations
! few theoretical mutex leaks fixed

16.07.2004
+ 3proxy can now read configuration from stdin under *nix, 3proxy.cfg can be executable
+ 'config' command added to allow 3proxy reload configuration in chroot'ed environment or if configured from stdin.
+ 'end' command added
+ Man pages in HTML added

14.07.2004
! Minor casting issues, Unix compilation issues fixed
+ counters sample added

13.07.2004
+ Configuration improved and repacked

08.07.2004
! Problem introduced yesterday (after rotation logs do not print to logfile) fixed.

07.07.2004
! Fixed FTP behaviour on RFC ignoring FTP sites (ftp.drweb.ru).
! Config file example updated with FTP proxy service configuration
+ Logging changed to allow personal log files for every service (without rotation) and to work on older FreeBSD systems.

05.07.2004
! Fixed call to free'ed memory (could cause crash on reloading 3proxy configuration in 0.5b-devel after 28.06.2004)

30.06.2004
! Fixed redirection crash if parent username/password is not specified
! Fixed documentation bug (%h instead of %n for hostname in logformat)

28.06.2004
! Minor changes in error messages generation

25.06.2004
! distributive repacked, some Russian documentation by Kirill Lopuchov added

24.06.2004
! realm sometimes is not shown in proxy-authentication

23.06.2004
! fixed maxconn parameter was not set to default value on proxy reload.
! fixed typo in pop3p causing it to fail

22.06.2004
! ftppr.c typo corrected, preventing compilation under unix.

19.06.2004
+ FTP proxy (compatible with both USER and OPEN mode). Redirection to FTP proxy from SOCKS

18.06.2004
+ Local redirection to POP3 proxy is now available.
! Fixed race conditions with double socket closing in POP3 proxy

17.06.2004
!! Threading problem causing minor memory leak and preventing 3proxy from functioning under few OS versions (including Linux) after some number of requests fixed.

16.06.2004
! Authentication problem introduced on 05.06 fixed

15.06.2004
! FTP over HTTP proxy supports spaces, quotes and 0x255 in filenames.
!! Potential security risk fixed: FTP password may appear in log if URL ftp://user:password@server is used.

09.06.2004
! NTLM is enabled by default. Use proxy -n to disable NTLM for proxy service (for example, if crypt passwords are used).

05.06.2004
!! Potential security leak fixed: POP3 proxy password can appear in log if proxy username is configured as proxyuser:proxypassword:pop3user@pop3server in POP3 client program
! Child invocation code rewritten to avoid code duplication.

27.05.2004
! Reloading is now fast (new thread starts before old one dies)
! Milliseconds are printed as .3 (not .4) in logs

22.05.2004
+ Reload command added to Web interface and SIGUSR1 handling
! Problem fixed: no mode is given to open() with O_CREAT for counter files, counter file can be created as read only under Windows or with invalid mask under Unix.
! Do not fail if bind() fails
! Setsockopt for integer options corrected
! REUSEADDR added to avoid "Address already in use" problem if restarted under Unix

18.05.2004
+ Installation/removal as a service under Windows 95/98/ME now supported.

17.05.2004
! Fixed: 3proxy hangs on socket error during config reading

14.05.2004
! For HTTP proxy NTLM authentication both ntlm and basic are now advertized to client for compatibility
! Optimization parameters are changed and stack protection is turned on for MSVC (Windows default) compilation.
! Fixed: exiting thread shows last client IP in log

27.04.2004
! Fixed: Microsoft domain authentication to web server may fail via transparent HTTP proxy with some IE versions.
! HTTP HEAD now recognized

23.04.2004
! Fixed compilation issues under Unix

22.04.2004
+ Configuration now can be dynamically reloaded with net pause 3proxy / net continue 3proxy or by sending SIGPAUSE twice without breaking connections
! 3proxy is now distributed compiled with Microsoft Visual C++, thanks to MS for releasing "Microsoft Visual C++ Toolkit 2003" for free.
! Few bugs introduced in latest versions (username/password for parent proxy, dnspr and single packet UDP) are fixed

13.04.2004
+ NTLM authentication for proxy server (yes, it works under *nix). It will not work with crypt password, only CL or NT. Use proxy -n to allow NTLM.
! potential DoS (NULL pointer) condition fixed in configuration with crypted passwords

08.04.2004
+ %n (hostname) added to logformat

05.04.04
! compilation problem under Unix fixed

01.04.04
! problem with portmappers fixed (introduced on last modification)

20.03.04
+ FTP messages are shown now
! FTP problem with links with absolute paths fixed
! No more authentication requested for user if ACL denies access to resource in HTTP proxy.
! ACLs are now stored in predefined container. It's required for future improvement (Cisco-like ACL configuration and configuration reload without restarting proxy). As a downside, number of ACLs is now limited to 256.
! Function for configuration reading implemented for future improvements.

12.03.2004
! error text generation changed for pthread_create (use return code instead of errno). Memory leak on failed pthread_create fixed.

02.03.2004
! Transparent proxy fixed to work with ports different from 80.
! Workaround for Internet Explorer invalid Host: header bug

28.02.2004
+ -+ options added to logformat for character filtering
! ' character now filtered only if logged via ODBC
! few bugs fixed in ODBC logging reliability code. Now 3proxy should better handle broken database connections.

26.02.2004
! user32 added to library list for MSVC

24.02.2004
! Ask installation confirmation before installation

23.02.2004
! ttl now is real for DNS proxy reply

21.02.2004
+ dnspr - DNS caching proxy added to 3proxy module. Listens on UDP/53 and answers hostname requests. Requires nserver/nscache to be configured.
! 3proxy warns user if installed as Windows service
! 3proxy child threads are now started faster

22.01.2004
! mutex deadlock fixed if gethostbyname() is used under Unix

19.01.2004
! compilation issue fixed for MSVC (definition inside code)

15.01.2004
! bug fixed in configuration reading getip() called before WSAStartup (thanks to Kerd)
! bug fixed with parent CONNECT proxy (thanks to Kerd)

11.01.2003
+ Few man pages added

06.01.2003
+ now it's possible to use "" inside quotation for double quote sign (for example "say ""hello world""")

04.01.2004
+ maxconn configuration option added

19.12.2003
+ New "safe" memory allocation library implemented. It may slow down performance but is thread safe and never causes memory fragmentation.
! Memory leak in redirection SOCKS->HTTP fixed

11.12.2003
! Memory leak in UDPPM fixed

29.11.2003
+ Copyrights added to banners
!! Few signed/unsigned mismatches fixed (including potentially dangerous)

27.11.2003
! 'redirect' now can be used with hostname instead of ip address

21.11.2003
! POP3 proxy bug fixed

04.11.2003
! '@' situation in username for POP3 proxy corrected (pop3name@pop3realm@pop3server)

03.11.2003
! One more bug with 'archiver' causing 3proxy to crash on log archiving fixed

29.10.2003
! Some threading safety is added for logging (inet_ntoa and ODBC re-initialisation)

28.10.2003
! Bug causing daily log filename to work as weekly fixed
! 'daemon' example moved to beginning of configuration file

16.10.2003
+ pidfile configuration option added
+ processing for SIGCONT (pause/resume) and SIGTERM (termination) added under Unix

01.10.2003
! Weekly log filename now is generated by the date of last Sunday.
! Do not strip executable for Unix (must be stripped during installation).

21.09.2003
! Bug fixed in "log" command processing (wrong buffer was used for filename generation)

16.09.2003
! socksmapping algorithm changed to handle incomplete send() (for *BSD).

15.09.2003
! mutex added to gethostbyname() to avoid thread unsafety. It slows down proxy if no nserver configured (it MUST be for *nix!) but prevents crashing on active usage.
! signal() handling is added for SIGPIPE. It seems to be some race conditions on FreeBSD between send() and gethostbyname() somewhere causing SIGPIPE on gethostbyname().

13.09.2003
! NULL reference corrected if rotate is given without archiver

11.09.2003
! Few additional checks added for open()/fopen() so as not to crash on invalid files in config
! Buffer moved from stack to heap in socks.c to eliminate crash on FreeBSD

10.09.2003
! Bug in SOCKSv5 UDP mapping corrected. Now it works fine (checked with Unreal Tournament) with both SocksCAP and FreeCAP.

06.08.2003
! Algorithm for SOCKS5 bind/udp assoc port selection is now intelligent enough to allow server applications to use same port number on socks server if available and not denied by access list
! SOCKS5 bind/udp assoc now matches incoming connections/packet with IP address from request in accordance to RFC 1928 to improve security

04.08.2003
!!! Bug fixed sometimes causing 3proxy to crash if parent proxy is used
!!! UDP associate finally completed and is fully functional (tested with SocksCAP on Unreal Tournament).
!!! TCP bind code re-checked, and is probably working (doesn't work on SocksCAP because of SocksCAP bug)
!!! Socket leak on nbname auth fixed

21.07.03
+ Web administration module created
+ Dynamic enable/disable for counters now available via web interface

19/07/2003 3[APA3A]tiny proxy 0.4

New features marked with !.

Features:

1. General
+ HTTP/1.1 Proxy with keep-alive client and server support, transparent proxy support.
! FTP over HTTP support.
! DNS caching
+ HTTPS (CONNECT) proxy
+ SOCKSv4 Proxy
+ SOCKSv5 Proxy (TCP only)
+ Transparent SOCKS->HTTP redirection
+ POP3 Proxy
+ TCP port mapper
+ UDP port mapper
+ Threaded application (no child process).

2. Proxy chaining
+ Parent proxy support for any type of incoming connection
+ Username/password authentication for parent proxy(s).
+ HTTPS/SOCKS4/SOCKS5 and redirection parent support
+ Random parent selection
+ Chain building (multihop proxying)

3. Logging
+ tunable log format
+ stdout logging
+ file logging
+ syslog logging (Unix)
+ ODBC logging (Windows and Unix)
+ log file rotation (hourly, daily, weekly, monthly)
+ automatic log file compression with external archiver (for files)
+ automatic removal of older log files

4. Access control
! ACL-driven (user/source/destination/protocol or combined) bandwidth limitation
! ACL-driven (user/source/destination/protocol or combined) traffic limitation per day, week or month
+ User authorization by NetBIOS messenger name
+ Access control by username, source IP, destination IP, destination port and destination action (POST, PUT, GET, etc).
+ Access control by username/password for SOCKSv5 and HTTP/HTTPS/FTP
+ Cleartext or encrypted (crypt/MD5 or NT) passwords.
+ Connection redirection
+ Access control by requested action (CONNECT/BIND, HTTP GET/POST/PUT/HEAD/OTHER).

5. Configuration
+ support for configuration files
+ support for includes in configuration files
+ interface binding
+ running as daemon process
+ utility for automated networks list building
Unix
+ support for chroot
+ support for setgid
+ support for setuid
NT
+ support --install as service
+ support --remove as service
+ support for service START, STOP, PAUSE and CONTINUE commands (on PAUSE no new connection accepted, but active connections still in progress)

6. Compilation
+ MSVC (msvcrt.dll)
+ Intel Windows Compiler (msvcrt.dll)
+ Windows/gcc (msvcrt.dll)
+ Cygwin/gcc (cygwin.dll)
+ Unix/gcc
+ Unix/ccc

Known bugs:
- udppm doesn't work if compiled with cygwin. Cygwin doesn't support recvfrom()/sendto() on connected socket, so recv/send is used instead... Not a big deal anyway.

Planned for future release:
- Web interface for configuration
- Signal handling on Unix (for stop/pause/resume/configuration change)
- External filter API
- Addon URL, antiviral, HTTP cache filters

17.07.03
+ ODBC changed to re-establish broken connection

11.06.03
! #ifndef NOSQL changed to NOODBC

22.05.03
+ strong auth now supported for POP3 proxy. Now, username can be in format proxy_username:proxy_password:POP3_username@pop3server

30.04.03
! redirect function now does not change code of traffic limit error

24.04.2003
! -M changed to -D for *nix makefiles

18.04.2003
! HTTPS behaviour broken by latest patches restored

15.04.2003
! fixed handling of special characters and non-existing files in FTP over HTTP proxy.

12.04.2003
! fixed behaviour of HTTP proxy on RFC-incompatible web servers (banners exchanges, price.ru, etc) - they terminate string with \n instead of \r\n.

10.04.2003
+ nsrecord and dialer commands added
! Name resolution now occurs right before authorization to prevent unauthenticated users from performing NS lookups and demand dial.

05.04.2003
+ N (Never) option value added for counters refreshing

29.03.2003
+ !!! FTP support for HTTP proxy added.

25.03.2003
! Socks 4 bug fixed (was visible in Netscape)
+ Socks 4.5 support added (not tested)
! !! UDP portmapper code fixed

24.03.2003
! Timeout, close on closed socket and FD bugs fixed in UDPPM

21.03.2003
+ Proxy-Authorization now works for CONNECT (HTTPS proxy).

07.03.2003
! counter command extended to allow traffic reports

02.03.2003
! Bandwidth/Traffic limiting problems fixed
! gethostbyname() argument limited to 256 characters. It may be significant for Windows

27.02.2003
+ !!! Traffic limiting feature added (counter/countin/nocountin)

26.02.2003
! nobandlim processing changed
! bandlim/nobandlim commands renamed to bandlimin/nobandlimin

22.02.2003
+ !!! Bandwidth limiting features added (bandlim and nobandlim commands)

18.02.2003
+ Mutex support added for inter-thread data access. Should improve stability.
- debugging printf() removed from proxy, typo fixed in auth.c

10.02.2003
! Changed to use WSASocket()/WSAAccept() instead of socket()/accept() under Windows

30.01.2003
! Version of gcc changed (3.2).
+ nscache option added to 3proxy configuration for DNS cache. For a while caching is primitive (with no expiration).

27.01.2003
- \n removed from perror() calls

27/01/2003 3[APA3A]tiny proxy 0.3b.

New features are marked with !.

Features:

1. General
+ HTTP/1.1 Proxy with keep-alive client and server support, transparent proxy support.
! HTTPS (CONNECT) proxy
+ SOCKSv4 Proxy
+ SOCKSv5 Proxy (TCP only)
! Transparent SOCKS->HTTP redirection
+ POP3 Proxy
+ TCP port mapper
+ UDP port mapper
+ Threaded application (no child process).

2. Proxy chaining
! Parent proxy support for any type of incoming connection
! Username/password authentication for parent proxy(s).
! HTTPS/SOCKS4/SOCKS5 and redirection parent support
! Random parent select
! Chain building (multihop proxying)

3. Logging
! tunable log format
+ stdout logging
+ file logging
+ syslog logging (Unix)
! ODBC logging (Windows)
+ log file rotation (hourly, daily, weekly, monthly)
+ automatic log file compression with external archiver (for files)
+ automatic removal of older log files

4. Access control
+ User authorization by NetBIOS messenger name
+ Access control by username, source IP, destination IP and destination port
+ Access control by username/password for SOCKSv5 and HTTP
+ Cleartext or encrypted (crypt/MD5 or NT) passwords.
+ Connection redirection
! Access control by requested action (CONNECT/BIND, HTTP GET/POST/PUT/HEAD/OTHER).

5. Configuration
+ support for configuration files
+ support for includes in configuration files
+ interface binding
+ running as daemon process
! utility for networks list building
Unix
+ support for chroot
+ support for setgid
+ support for setuid
NT
+ support --install as service
+ support --remove as service
+ support for service START, STOP, PAUSE and CONTINUE commands (on PAUSE no new connection accepted, but active connections still in progress)

6. Compilation
+ MSVC (msvcrt.dll)
! Intel Windows Compiler (msvcrt.dll)
+ Windows/gcc (msvcrt.dll)
+ Cygwin/gcc (cygwin.dll)
+ Unix/gcc
! Unix/ccc

Known bugs:
- udppm doesn't work if compiled with cygwin. Cygwin doesn't support recvfrom()/sendto() on connected socket, so recv/send is used instead... Not a big deal anyway.

Planned for future release:
- FTP proxy support
- Web interface for configuration
- Signal handling on Unix (for stop/pause/resume/configuration change)
- External filter API
- Addon trafficshape, URL, antiviral, HTTP cache filters

27.01.2003
!!!!!!!!!!!!!!!!!!!
! Tagging as 0.3b !
!!!!!!!!!!!!!!!!!!!

24.01.2003
- Fixed to use INVALID_SOCKET instead of -1 (for Windows compatibility)
- Fixed problem with threading support under gcc. Now ODBC logging seems to work always.
! strncasecmp removed. Changed to use strnicmp for Windows.

21.01.2003
! 0.3 development frozen to only bugfixes
- bug fixed causing 3proxy to crash with NULL pointer reference on transparent web redirection
- SQL support removed from default (gcc) compilation

20.01.2003
+ ODBC logging (yeah!). For a while it works stable only if compiled with MSVC or Intel compiler.

17.01.2003
- bug introduced yesterday into CONNECT code cleaned

16.01.2003
+ timeouts command added

13.01.2003
- daemonizing code changed to work correctly on buggy libc (FreeBSD) (pthread_* doesn't work after daemon())
- logging code changed to work correctly on buggy libc (FreeBSD 4.4) (freopen "a" mode doesn't work as expected on stdout)

12.01.2003
! License is changed to prohibit modification and commercial use

11.01.2003
! All makefiles are made uniform
+ Makefiles for Compaq C compiler (Makefile.ccc) and Intel C Compiler for Windows (Makefile.intl) added
+ Makefile.msvc added for Microsoft Visual C Compiler
! proxy.dsp removed

10.01.2003
+ Now checked to compile with Compaq C Compiler under linux on alpha platform
+ logformat configuration command added for custom log entry format
! Unix version changed to use gettimeofday instead of ftime to avoid -lcompat issue.

09.01.2003
! Randomizer changed for proxy chaining
! Code cleaned: Makefile, signed/unsigned conversions, etc.
! Typo fixed preventing compilation under *nix

08.01.2003
+ dateformat command added
! Log format changed!!!
+ Control for different operations (CONNECT,BIND,HTTP_*, etc) added to ACL, see 3proxy.cfg.sample

25.12.2002
+ Proxy chaining now is fully operational!!!!!
+ SOCKSv4 and SOCKSv5 client code added for chaining
+ HTTP connect authentication added for chaining
+ Parent authentication for HTTP proxy added
- Problem with "Connection: close" resolved (if HTTP server times out or closes connection).

24.12.2002
+ Proxy chaining works!!! (for a while only HTTP CONNECT proxies are supported and no parent authentication). Logging is updated to include number of redirections (parent proxies) in square brackets. See config.sample for example of "parent" command.

23.12.2002
! Transparent proxy operations improved, logging corrected
+ Added base code for proxy chaining
! Redirection code rewritten

23.12.2002
+ UDP ASSOCIATE added (but not tested) to SOCKS.
! Additional logging added to socks proxy
+ Local HTTP proxy redirection added (for SOCKS).

01.12.2002
! closesock() problem _finally_ patched...

30.11.2002
! Makefile.unix corrected
! Do not process $ in included files for 3proxy.cfg
! Common error codes are unified

29.11.2002
+ nserver example added to 3proxy.cfg.sample

28.11.2002
- fixed closesock() instead of close() call on 3proxy.cfg included files for native Windows.

27.11.2002
! Minor changes in documentation
+ dighosts utility added

22.11.2002
- Few problems corrected in logfiles rotation

20.11.2002
- SOCKSv5 bind() reply corrected.

19.11.2002
+ internal resolver added to avoid usage of thread unsafe gethostbyname(). nserver configuration option added to config file.
! HTTP proxy behaviour slightly changed to be more compatible.

06/11/2002 3[APA3A]tiny proxy 0.2b

Initial release.

Features:

1. General
+ HTTP/1.1 Proxy with keep-alive client and server support, transparent proxy support.
+ SOCKSv4 Proxy
+ SOCKSv5 Proxy (TCP only)
+ POP3 Proxy
+ TCP port mapper
+ UDP port mapper
+ Threaded application (no child process).

2. Logging
+ stdout logging
+ file logging
+ syslog logging (Unix)
+ log file rotation (hourly, daily, weekly, monthly)
+ automatic log file compression with external archiver (for files)
+ automatic removal of older log files

3. Access control
+ User authorization by NetBIOS messenger name
+ Access control by username, source IP, destination IP and destination port
+ Access control by username/password for SOCKSv5 and HTTP
+ Cleartext or encrypted (crypt/MD5 or NT) passwords.

4.
Configuration + support for configuration files + support for includes in configuration files + interface binding + running as daemon process Unix + support for chroot + support for setgid + support for setuid NT + support --install as service + support --remove as service + support for service START, STOP, PAUSE and CONTINUE commands (on PAUSE no new connection accepted, but active connections still in progress) 5. Compilation + Microsoft VC++ (msvcrt.dll) + Windows/gcc (msvcrt.dll) + Cygwin/gcc (cygwin.dll) + Unix/gcc Known bugs: - udppm doesn't work if compiled with cygwin. Cygwin doesn't support recvfrom()/sendto() on connected socket, so recv/send is used instead... Not a big deal anyway. - socks5 doesn't work with UDP Not implemented yet Planned for future release: - UDP implementation in SOCKSv5 - Signal handling on Unix (for pause/resume) - External filter API - Addon trafficshape, URL, antiviral, HTTP cache filters 06.11.2002 !!MARK IT 0.2beta ! Using UPX to compress 3proxy.exe 02.11.2002 + HTTP proxy now supports kepp-alive connections to HTTP server or proxy. It dramatically decreases number of outgoing connections and amount of DNS traffic. 01.11.2002 + Now proxy can catch Web server style requests. It means proxy may be used as a transparent proxy. Yes. It means you can redirect SOCKS requests with target 80 to HTTP proxy. ! Port check in ACL fixed ! Now proxy catches redirection by changed destination IP or port. If you redirect request to web server make sure it supports proxy style requests (IIS and Apache do). + HTTP proxy supports keep-alive. Now number of threads required significantly reduced. + HTTP CONNECT fully supported (both direct and redirected to another proxy). Now you can use our proxy for HTTPs. Or for spam :) Don't forget to set ACL for outgoing ports, cause now ports are not limited. 26.10.2002 + mycrypt utility added for making crypted passwords in NT and crypt/MD5 ! 
ACL check for strong auth corrected + HTTP proxy support for authentication (basic). Now you can use strong username/password authentication with proxy module. + Error messages added for HTTP proxy 25.10.2002 + NT passwords are now supported in 3proxy.cfg ! Public License Agreement changed to be more clear 24.10.2002 ! Fixed handle leak because of missed CloseHandle for threads in Windows 23.10.2002 ! Fixed POP3 proxy bug ! Strong auth changed to allow rules with * for username + MD5 crypt format passwords is now supported... Do we ever need DES? I will not implement blowfish - it's huge and rarely used. + More comments added to 3proxy.cfg.sample 21.10.2002 ! Fixed strongauth problem - ACL was not checked for authenticated SOCKSv5 users 16.10.2002 + Added support for SOCKSv5 cleartext password authentication + "strong" authentication is now OK (use it only for SOCKS) + added "users" config file command to specify username and password. Only cleartext for a while. 20.09.2002 ! Minor improvements in socket operations 17.09.2002 ! HTTP proxy changed to do not strip hostname from URI if target port is not 80. It allows to redirect requests to another proxy as well as redirect to different Web server via ACL. It will work for most servers (IIS, Apache) if target redirected to non-standard port of Web server, but may fail in some rare cases. Redirection to proxy should always work OK except if proxy is on TCP/80. + Added "redirect" ACL command. You can redirect request to another destination if ACL entry matches (that is by target or source IP, target port, username). ! Fixed documentation bug in 3proxy.cfg.sample ("authtype" instead of "auth") ! Fixed bug causing server to exit in native Win32 mode if "service" configuration option is not configured ! Outgoing SOCKS connections are handled in common way now. 07.09.2002 + added binding to external interface for outgoing connections ! 
Fixed bug causing username check in ACL always fail + Added ACL check for UDP map + Added "Single packet" services to UDP portmap (-s switch). Allows unlimited number of clients to be handled by portmapper for single-packet services (like DNS). 06.09.2002 3[APA3A]tiny proxy 0.1b initial release Features: 1. General + HTTP/1.0 Proxy + SOCKSv4 Proxy + SOCKSv5 Proxy (TCP only) + POP3 Proxy + TCP port mapper + UDP port mapper + Threaded application (no child process). 2. Logging + stdout logging + file logging + syslog logging (Unix) + log file rotation (hourly, daily, weekly, monthly) + automatic log file comperssion with external archiver (for files) + automatic removal of older log files 3. Access control + User authorization by NetBIOS messanger name + Access control by username, source IP, destination IP and destination port 4. Configuration + support for configuration files + support for includes in configuration files + interface binding + running as daemon process Unix + support for chroot + support for setgid + support for setuid NT + support --install as service + support --remove as service + support for service START, STOP, PAUSE and CONTINUE commands (on PAUSE no new connection accepted, but active connections still in progress) 5. Compilation + Microsoft VC++ (msvcrt.dll) + Windows/gcc (msvcrt.dll) + Cygwin/gcc (cygwin.dll) + Unix/gcc Known bugs: - udppm doesn't work if compiled with cygwin. Cygwin doesn't support recvfrom()/sendto() on connected socket, so recv/send is used instead... Not a big deal anyway. - udppm works without authentication Will be patched later. 
- socks5 doesn't work with UDP
  Not implemented yet

Planned for future release:
- Improvements to UDP portmapping
- UDP implementation in SOCKSv5
- Ident authorization
- SOCKSv5 password authentication
- Signal handling on Unix (for pause/resume)
- External filter API
- Addon trafficshape, URL, antiviral, HTTP cache filters
- HTTP/1.1 support

$Id: Changelog,v 1.154 2006/03/08 18:44:00 vlad Exp $