Extract source code files from 3proxy.tgz (with WinZip or another utility). Use nmake /f Makefile.msvc command
See How to compile 3proxy with Visual C++ Use Makefile.intl instead of Makefile.msvc
Extract source files from 3proxy.tgz (for example with tar -xzf 3proxy.tgz command if you have tar installed) Use make -f Makefile.win command. If you want to use POSIX emulation Cygwin library (normally you shouldn't) - use make -f Makefile.unix instead. Windows specific things (like installing as service) will not be available if compiled with Cygwin emulation.
make -f Makefile.Linuxfor Linux or Cygwin, Makefile.Solaris* (depending on compiler version) for Solaris and Makefile.unix for different Unix-like OS. On BSD derivered systems make sure to use GNU make, sometimes it's called gmake instead of make.
Unpack 3proxy.zip to any directory, for example c:\Program Files\3proxy. If needed, create directory for storing log files, ODBC sources, etc. Create 3proxy.cfg in the 3proxy installation directory (See Server configuration). If you use 3proxy before 0.6 Add
servicestring into 3proxy.cfg. Now, start command prompt (cmd.exe). Change directory to 3proxy installation and run 3proxy.exe --install:
D:\>C: C:\>cd C:\Program Files\3proxy C:\Program Files\3proxy>3proxy.exe --installNow, you should have 3proxy service installed and running. If service is not started, remove "service" string from 3proxy.cfg, run 3proxy.exe manually and correct all errors.
To remove 3proxy run 3proxy --remove:
D:\>C: C:\>cd C:\Program Files\3proxy C:\Program Files\3proxy>net stop 3proxy C:\Program Files\3proxy>3proxy.exe --removeNow you can simply remove 3proxy installation directory.
Unpack 3proxy.zip to any directory, for example c:\Program Files\3proxy. If needed, create directory for storing log files, ODBC sources, etc. Create 3proxy.cfg in the 3proxy installation directory (See Server configuration). Remove string
servicefrom 3proxy.cfg and add
daemonif you want 3proxy to run in background. Create shortcut for 3proxy.exe and place it in autostart or add to registry with regedit.exe:
Complie 3proxy (see Compilation). Copy executables to any appropriate location (for example /usr/local/3proxy/sbin for servers and /usr/local/3proxy/bin for utilities). Create /usr/local/etc/3proxy.cfg. (see Server configuration). You can change default configuration file location by specifing configuration file in 3proxy command line. Add 3proxy to system startup scripts.
Valid configuration file is required.
Most probable reasons for non-working limitations: 'auth none' or no auth is used. For any ACL based feature one of 'iponly', 'nbname' or 'strong' auths required. Sequence of commands may be invalid. Commands are executed one-by-one and 'proxy', 'tcppm', 'socks' or another service commands must follow valid configuration. Invalid sequence of ACLs. First matching ACL is used (except of internal redirections, see below). If ACL contains at least one records last record is assumed to be 'deny *'.
Possible reasons for 3proxy starts manually but fails to start as a service:
3proxy --install full_path_to_configuration_file
Both internal and external IPs are IPs of the host running 3proxy itself. This configuration option is usefull in situation 3proxy is running on the border host with 2 (or more) connections: e.g. LAN and WAN with different IPs
LAN connection +-------------+ Internet connection LAN <-------------->| 3proxy host |<-------------------> INTERNET ^+-------------+^ | | Internal IP External IPIf 3proxy is used on the host with single connection, both internal and external are usually same IP.
Check you use system DSN. Check SQL request is valid. The best way to check is to make file or stdout logging, get SQL request from log file or console and execute this request manually. Under Unix, you may also want to adjust 'stacksize' parameter.
Proxy can not access destination directly over IPv6 if client requests IPv4 address. To access IPv6 destination, either IPv6 address or hostname must be used in request. Best solution is to enable option to resolve hostnames via proxy on client side.
default stacksize may be insufficient, if some non-default plugins are used (e.g. PAM and ODBC on Linux) or if compiled on some platforms with invalid system defined values (few versionds of FreeBSD on amd64). Problem can be resolved with 'stacksize' command or '-S' option starting 3proxy 0.8.4.
Server configuration example 3proxy.cfg.sample is in any 3proxy distribution.
3proxy can log to stdout, file, ODBC datasource and syslog (Unix/Linux/Cygwin only). For using ODBC under Unix/Linux you must compile 3proxy with Unix ODBC libraries, see Compilation. You can control logging from 3proxy.cfg for all services or you can control logging of individual service, for example /usr/local/sbin/socks -l/var/log/socks.log starts SOCKS proxy with logging to file. For universal proxy (3proxy) log file rotation and archiving is supported. Log type is defined with "log" configuration file command or with -l switch on individual service invokation. log or -l is stdout logging.
-lfilenamespecify filename for logging
log &connstringspecifies ODBC connection string, connstring is in format datasource,username,password (2 last are optional of datasource does not require or already has authentication information). Also, you must specify logformat to build SQL query, to insert recod into log, see How to setup logging format
Rotation and archiving may be set up with log, rotate � archiver commands
log filename LOGTYPEsets rotation type. LOGTYPE may be:
rotate NUMBERspecifies number of files in rotation (that is how many files to keep).
archiver EXT COMMAND PARAMETERSSets external archiver. EXT is extention of archived files (for example zip, gz, Z, rar etc) COMMAND and PARAMETERS are command to execute and command line PARAMETERS. Originale file is not deleted by 3proxy, this work is left for archiver. You can pass original filename to archiver with %F macro and archive filename with %A. Examples are located in 3proxy.cfg.sample
Since 0.3 version log format may be set with "logformat" command. First symbol of log format specifies format of date and time and should be L (LOCAL) or G (GMT - Grinwitch Meridian Time). Format string may contains some macro substitutions:
logformat "L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"generates something like
1042454727.0296 SOCK4.1080 000 3APA3A 127.0.0.1:4739 220.127.116.11:4739 505 18735 1 GET http://3proxy.org/ HTTP/1.1
(no line breaks)
If ODBC used, logformat should specify SQL command, to insert record into log, for example
logformat "-\'+_GINSERT INTO proxystat VALUES (%t, '%c', '%U', %I)"
Just make format of 3proxy logs compatible with format supported by your
favourite log analizer. Examples of compatible logformats are:
For Squid access.log:
"- +_G%t.%. %D %C TCP_MISS/200 %I %1-1T %2-2T %U DIRECT/%R application/unknown"or, more compatible format without %D
"- +_G%t.%. 1 %C TCP_MISS/200 %I %1-1T %2-2T %U DIRECT/%R application/unknown"ISA 2000 proxy WEBEXTD.LOG (fields are TAB-delimited):
"- + L%C %U Unknown Y %Y-%m-%d %H:%M:%S w3proxy 3PROXY - %n %R %r %D %O %I http TCP %1-1T %2-2T - - %E - - -"ISA 2004 proxy WEB.w3c (fields are TAB-delimited):
"- + L%C %U Unknown %Y-%m-%d %H:%M:%S 3PROXY - %n %R %r %D %O %I http %1-1T %2-2T - %E - - Internal External 0x0 Allowed"ISA 2000/2004 firewall FWSEXTD.log (fields are TAB-delimited):
"- + L%C %U unnknown:0:0.0 N %Y-%m-%d %H:%M:%S fwsrv 3PROXY - %n %R %r %D %O %I %r TCP Connect - - - %E - - - - -"HTTPD standard log (Apache and others):
"-""+_L%C - %U [%d/%o/%Y:%H:%M:%S %z] ""%T"" %E %I"or more compatible without error code
"-""+_L%C - %U [%d/%o/%Y:%H:%M:%S %z] ""%T"" 200 %I"
3proxy is distributed in 2 variants: as a set of standalone modules (proxy,
socks, pop3p, tcppm, udppm) and as universal proxy server. These services are
absolutely independant, and if you use 3proxy you needn't any of standalone
Standalone modules are only configurable via command line interface while 3proxy uses configuration file. Many functions, such as ODBC logging, log rotation, access control, etc are only available in 3proxy, not in standalone proxies. Standalone module may be started from command line, for example:
$/sbin/socks -l/var/log/socks.log -i127.0.0.1Starts SOCKS server binded to localhost ip, port 1080 with logging to /var/log/socks.log. You can get help for any standalone service with -? command line option.
If 3proxy is used you should start all services in 3proxy.cfg file. 3proxy.cfg is executed by 3proxy as a batch file. Example of 3proxy.cfg and command syntaxys can be found in 3proxy.cfg.sample.
log /var/log/3proxy.log D rotate 30 internal 127.0.0.1 external 192.168.1.1 proxy socks -p3129 pop3pStarts 3 services: HTTP PROXY, SOCKS and POP3 PROXY. Each listens localhost interface with default port (3128 for HTTP, 1080 for SOCKS and 110 for POP3P) except socks started with port 3129. All logs are in file /var/log/3proxy.log (with daily date modification and rotation). 30 last files are stored.
-i options specifies internal interface, -p - listening port. No space are allowed. To bind 'proxy' service to port 8080 on interfaces 192.168.1.1 and 192.168.2.1 use
proxy -p8080 -i192.168.1.1 proxy -p8080 -i192.168.2.1
A: Use one of http, connect+, socks4+ or socks5+ as a parent type. 3proxy itself still performs a name resolution, it's required e.g. to ACLs matching. So, if no name resolution must be performed by 3proxy itself add a command
fakeresolvethis command resolves any name to 127.0.0.2 address.
There is FTP over HTTP (what is called FTP proxy in browsers) and FTP over FTP �ப� (what is called FTP proxy in file managers and FTP clients). For browsers, there is no need to start additional proxy service, 'proxy' supports FTP over HTTP, configure 'proxy' port as an FTP proxy. For ftp clients and file managers use ftppr. FTP proxy supports both active and passive mode with client, but always use passive mode with FTP servers.
First, always specify internal interface to accept incoming connection with 'internal' configuration command or '-i' service command. (See How to start any of proxy services (HTTP, SOCKS etc)). If no internal interface is specified your proxy will act as open one.
It's also important to specify external interface to prevent access to internal network with 'external' or -e.
3proxy with configuration files allows to use authentication and authorization for user's access. Authentication is possible by username/password or user's NetBIOS name. Authentication type is specified by 'auth' command.
auth noneDisables both authentication and authorization. You can not use ACLs.
auth iponlySpecifies no authentication, ACLs authorization is used.
auth nbnameAuthentication by NetBIOS name + ACLs. NetBIOS name of 'messenger' service is obrained before ACL validation. If no name is obtained it's assumed to be empty. Messenger is started by default in Windows NT/2000/XP. For Win9x WinPopUP need to be launched. This type of authentication may be spoofed by privileged local user.
auth strongAuthentication by username/password. If user is not registered his access is denied regardless of ACLs.
Different services can have different authentication levels.
auth none pop3p auth iponly proxy auth strong socksIt's possible to authorize access by client IP address, IP address or requested resource, target port, time, etc after authentication. (See How to limit resource access).
Since 0.6 version double authentication is possible, e.g.
auth iponly strong allow * * 192.168.0.0/16 allow user1,user2 proxystrong authentication will only be used if ACL requires username to deside if access must be granted. That is, in example, strong username authentication is not required to access 192.168.0.0/16
0.6 version introduces authentication (username) caching to increase productivity. It's recommended to use authentication caching with resource or time consuming authentication types, such as nbname or external plugins (WindowsAuthentication). Caching can be set with 'authcache' command with 2 parameters: caching type and caching time (in seconds). Caching type defines the type of cached access: 'ip' - after successful authentication all connections during caching time from same IP are assigned to the same user, username is not requested. "ip,user" - username is requested and all connections from the same IP are assigned to the same user without actual authentication. "user" - same as above, but IP is not checked. "user,password" - username and password are checked against cached ones. For authentication special authentication type 'cache' must be used. Example:
authcache ip 60 auth cache strong windows proxy -nPlease note, that caching affects security. Never use caching for access to critical resources, such as web administration.
authcache can be used to bind user's sessions to ip with 'limit' option, with
autchcache ip,user,pass,limit 120 auth cache stronguser will not be able to use more than a single IP during cache time (120 sec).
Userslist is created with 'users' command.
users USERDESC ...With a single command it's possible to define few users, or you can use few 'users' commands. USERDESC is user description. Description consists of three semicolon delimited parts - login, password type and
users admin:CL:bigsecret test:CL:password test1:CL:password1 users "test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49." users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63Please note the usage of quotation sign: it's required to comment out $ sign overwise used as a file inclusion macro. Next password types are available:
users $"c:\Program Files\3proxy\passwords"It's possible to create NT and crypt passwords with mycrypt utility included in distribution.
Commands allow, deny and flush are used to manage ACLs:
allow <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist> <weekdaylist> <timeperiodlist>
deny <userlist> <sourcelist> <targetlist> <weekdaylist> <timeperiodlist>
Redirections are usefull to e.g. forward requests from specific clients
to different servers or proxy server. Additionally, redirections are usefull
to convert proxy interface from ont format to another, e.g. requests from
SOCKS proxy can be redirected to parent HTTP proxy, or SOCKSv5 client can be
redirected to SOCKSv4 proxy.
Because 3proxy understand "transparent" web request, it can be used as an intermediate software between HTTP proxy and NAT server for transparent HTTP forwarding, because it can convert "Web server" request issued by client to "proxy request" required by proxy server. A simplest redirection is:
auth iponly allow * parent 1000 http 192.168.1.1 3128 proxyAll trafiic of HTTP proxy is redirected to parent proxy 192.168.1.1 port 3128.
auth iponly allow * * * 80 parent 1000 http 0.0.0.0 0 allow * * * 21 parent 1000 ftp 0.0.0.0 0 allow * * * 110 parent 1000 pop3 0.0.0.0 0 socksIn this case all SOCKS traffic with destination port 80 is forwarded to local 'proxy' service, destination port 21 to 'ftppr' and 110 to 'pop3pr'. There is no need to run these services expicitly. Local redirections are usefull if you want to see and control via ACLs protocol specific parameters, e.g. filenames requests thorugh FTP while clients are using SOCKS.
Q: What is it for?A: To have control based on request and to have URLs and another protocol specific parameters to be logged.
Q: What are restrictions?A: It's hard to redirect services for non-default ports; Internet Explorer supports only SOCKSv4 with no password authentication (Internet Explorer sends username, but not password), for SOCKSv5 only cleartext password authentication is supported.
Q: What are advantages?A: You need only to setup SOCKS proxy in browser settings. You can use socksifier, i.e. FreeCAP or SocksCAP with application which is not proxy aware.
Q: How to setup?A: You should specify parent proxy with IP of 0.0.0.0 and port 0. Examples:
auth iponly allow * * * 80,8080-8088 parent 1000 http 0.0.0.0 0 allow * * * 80,8080-8088 #redirect ports 80 and 8080-8088 to local HTTP proxy #Second allow is required, because ACLs are checked #twice: first time by socks and second by http proxy. allow * * * 21,2121 parent 1000 ftp 0.0.0.0 0 allow * * * 21,2121 #redirect ports 21 and 2121 to local #ftp proxy allow * #allow rest of connections directly socks #now let socks server to start
Q: How it affects different ACL rulesA: After local redirections rules are applied again to protocol-level request. Redirection rule itself is skipped. It makes it possible to redirect request again on the external proxy depending on request itself.
allow * * * 80,8080-8088 parent 1000 http 0.0.0.0 0 #redirect http traffic to internal proxy allow * * $c:\3proxy\local.nets 80,8080-8088 #allow direct access to local.nets networks allow * * * 80,8080-8088 parent 1000 http proxy.3proxy.org 3128 #use parent caching proxy for rest of the networks allow * #allow direct connections for rest of socks #requests
Proxy itself doesn't manage network level routing. The only way to control outgoing channel is to select external interface. It's possible to make external interface (what is usually selected with 'external' command or '-e' option) random by using local redirection with external port 0.
auth iponly allow * parent 500 http 10.1.1.101 0 parent 500 http 10.2.1.102 0Now external interface is randomly selected with 0.5 probability between 10.1.1.101 and 10.2.1.102. To work as expected, different default routes must between 2 interfaces. used
If both interface addresses are in same network, e.g. 10.1.1.101 and 10.1.1.102 and you want to select random gateway between 10.1.1.1 and 10.1.1.2, you must control it by using routing table, in case there is no default gateway route for Windows:
route add -p 10.1.1.1 10.1.1.101 route add -p 10.1.1.2 10.1.1.102 route add -p 0.0.0.0 mask 0.0.0.0 192.168.1.1 route add -p 0.0.0.0 mask 0.0.0.0 192.168.1.2If you have no second address yet, just add it. Under Linux/Unix it's better to use source routing.
parent command may also be used to build a proxy chains. In this case few 'parent' commands are used for single 'allow' rule with different weights (first argument of parent command). Chain may contain any number of proxy servers, but it should be noted that every hope significantly reduces productivity. It's possible to mix different types of proxy within single chain: HTTPS (HTTP connect), SOCKS4, SOCKS5. Weight different from 1000 is used to build random chains. if weight W is below 1000, this proxy will be used as a next chain hop with probability of W/1000. That is, if the weight is 250 probability this proxy will be used for the next hope is 25%. 'parent' records with common weight of 1000 establish a group, one of these record will be used for the hop with probability according to weight. Warning: each group must have a weight even of 1000. As follows, common weight of all 'parent' records must also be even of 1000. If common weight of 'parent' records in te chain is 3000, chain has 3 hops and must be formed of 3 groups. Example:
allow * parent 500 socks5 192.168.1.1 1080 parent 500 connect 192.168.10.1 3128In this case we have 1 parent proxy (1 hop) which is randomely choosen between 2 hosts: 192.168.1.1 and 192.168.10.1. 2 records form a single group.
allow * * * 80 parent 1000 socks5 192.168.10.1 1080 parent 1000 connect 192.168.20.1 3128 parent 300 socks4 192.168.30.1 1080 parent 700 socks5 192.168.40.1 1080In this case we have 3 groups (3 hops in the chain). First hop is 192.168.10.1, second hop is 192.168.20.1 and 3rd one is either 192.168.30.1 with probability of 30% or 192.168.40.1 with probability of 70%.
3proxy supports bandwidth filters. To manage filters bandlimin/bandlimout and nobandlimin/nobandlimout. 'in' means incoming and 'out' - outgoing traffic.
bandlimin <bitrate> <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>
nobandlimin <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>
bandlimin 57600 * 192.168.10.16 bandlimin 57600 * 192.168.10.17 bandlimin 57600 * 192.168.10.18 bandlimin 57600 * 192.168.10.19Create 4 separete pipes for 4 client with emulation of modem connection.
bandlimin 57600 * 192.168.10.16/30Create single pipe for all 4 clients. That is 4 clients share modem connection. In this example:
nobandlimin * * * 110 bandlimin 57600 * 192.168.10.16/32mail traffic from POP3 servers bypasses the pipe and has no bandwidth limitation.
counter <filename> <type> <reportpath>
countin <number> <type> <amount> <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>
nocountin <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>
countout <number> <type> <amount> <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>
nocountout <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>
You can set traffic limit per day (D), week (W), month (M), year (Y) or absolute ('N'), as specified by 'type' argument of counterin command. Traffic information is stored in binary file specified by 'filename' argument. countersutil utility can be used to manage this file. reportpath specifies location of text reports, type parameter of 'counter' command controls how often text reports are created. amount is amount of allowed traffic in Megabytes (MB). nocountin allows you to set exclusions.
3proxy accounts protocol level traffic. Provider counts channel or IP-level traffic with network and transport headers. In additions, 3proxy doesn't counts DNS resolutions, pings, floods, scans, etc. It makes approx. 10% of difference. That's why you should have 15% reserve if you use 3proxy to limit your traffic. If difference with your provider is significantly above 10% you should look for traffic avoiding proxy server, for example connections through NAT, traffic originated from the host with proxy installed, traffic from server applications, etc.
For name resolution and caching use commands nserver, nscache / nscache6 and nsrecord.
nserver 192.168.1.2 nserver 192.168.1.3:5353/tcpsets DNS resolvers. 192.168.1.3 will be used via TCP/5353 (instead of default UDP/53) only if 192.168.1.2 fails. Up to 5 nservers may be specified. If no nserver is configured, default system name resolution functions are used.
nscache 65535 nscache6 65535sets name cache size for IPv4 and IPv6. Name cache must be large enouth, if presents. name cache is only used if nserver is configured.
nsrecord server.mycompany.example.com 192.168.1.1 nsrecord www.porno.com 127.0.0.2 ... deny * * 127.0.0.2adds static nsrecords. Also, static nsrecords are used for dnspr, unless -s option is specified. Since 0.8 version, parent proxy may be configured for dnspr.
IPv6 is supported since 0.8. Please note, some proxy protolos, e.g. SOCKSv4,
do not support IPv6. SOCKSv5 supports IPv6 with special request type (must be
implemented by client).
3proxy supports proxying from IPv4 and IPv6 networks to IPv4, IPv6 and mixed networks. IPv6 address may be used in internal, external, parent commands, ACLs, -i and -e options,etc. external command and -e options may be given twice for each service - once with IPv4 and once with IPv6 address. internal can be given only once, to bind to all IPv4 and IPv6 addresses use [0:0:0:0:0:0:0:0] or [::].
Any service may be configured with -4, -46, -64, -6 options to specify decied priority for name to IPv4/IPv6 address resolution (IPv4 only, IPv4 priority, IPv6 priority, IPv6 only).
In example, users needs access from external network to proxy server located on the host 192.168.1.2. This host can not be accessed from external network, but it has access to external network with with external address 18.104.22.168. Also, user has access to the host 22.214.171.124 (IP address may be dynamic) with hostname host.dyndns.example.org via external network. User needs 2 instances of 3proxy, first one on the host 192.168.1.2 with config
users user:CL:password auth strong allow user proxy -rhost.dyndns.example.org:1234second one on the host.dyndns.example.org (126.96.36.199) with config
auth iponly allow * * 188.8.131.52 tcppm -R0.0.0.0:1234 3128 184.108.40.206 3128For browser settings proxy is host.dyndns.example.org:3128.
Latest version of 3proxy may be obtained here. New version may have changes and incompatibilities with previous one in files format or commands. Please, read CHANGELOG file and another documentation before installing new version.
If installed as system service, 3proxy understands Windows service commands for START, STOP, PAUSE and RESUME. If service is PAUSEd, no new connections are accepted while older connections are processed. Currently there is no support for dynamic configuration change, so, you have to restart service completely if you have changed any configuration. You can control 3proxy service via "Services" administration ot via "net" command:
net start 3proxy net stop 3proxy net pause 3proxy net continue 3proxy
Ask it in Github. Don't try to ask something before reading this document.