Q: Why does nothing work?A: Valid configuration file is required.
Q: Why restrictions (redirections, limits, etc) do not work?A: Most probable reasons: 'auth none' or no auth is used. For any ACL based feature one of 'iponly', 'nbname' or 'strong' auths required. Sequence of commands may be invalid. Commands are executed one-by-one and 'proxy', 'tcppm', 'socks' or another service commands must follow valid configuration. Invalid sequence of ACLs. First matching ACL is used (except of internal redirections, see below). If ACL contains at least one records last record is assumed to be 'deny *'.
Q: Why doesn't 3proxy work as service under Windows?Possible reasons:
3proxy --install full_path_to_configuration_file
LAN connection +-------------+ Internet connection LAN <-------------->| 3proxy host |<-------------------> INTERNET ^+-------------+^ | | Internal IP External IPIf 3proxy is used on the host with single connection, both internal and external are usually same IP.
Q: Why doesn't ODBC loggind work?A: Check you use system DSN. Check SQL request is valid. The best way to check is to make file or stdout logging, get SQL request from log file or console and execute this request manually. Under Unix, you may also want to adjust 'stacksize' parameter.
Q: Why doesn't IPv6 work?A: Proxy can not access destination directly over IPv6 if client requests IPv4 address. To access IPv6 destination, either IPv6 address or hostname must be used in request. Best solution is to enable option to resolve hostnames via proxy on client side.
Q: Why proxy crash on request processing?A: default stacksize may be insufficient, if some non-default plugins are used (e.g. PAM and ODBC on Linux) or if compiled on some platforms with invalid system defined values (few versionds of FreeBSD on amd64). Problem can be resolved with 'stacksize' command or '-S' option starting 3proxy 0.8.4.
Q: Why doesn't APOP/CRAM-MD5 authentication work with POP3 proxy?A: Any Challenge-response authentication require challenge to be transmitted from server. Pop3p doesn't know which server to use before authentication, it makes it impossible to obtain challenge. You can encrypt your POP3 communications with TLS (i.e. stunnel) or IPSec.
Q: What is it for?A: To have control based on request and to have URLs and another protocol specific parameters to be logged.
Q: What are restrictions?A: It's hard to redirect services for non-default ports; Internet Explorer supports only SOCKSv4 with no password authentication (Internet Explorer sends username, but not password), for SOCKSv5 only cleartext password authentication is supported.
Q: What are advantages?A: You need only to setup SOCKS proxy in browser settings. You can use socksifier, i.e. FreeCAP or SocksCAP with application which is not proxy aware.
Q: How to setup?A: You should specify parent proxy with IP of 0.0.0.0 and port 0. Examples:
auth iponly allow * * * 80,8080-8088 parent 1000 http 0.0.0.0 0 allow * * * 80,8080-8088 #redirect ports 80 and 8080-8088 to local HTTP proxy #Second allow is required, because ACLs are checked #twice: first time by socks and second by http proxy. allow * * * 21,2121 parent 1000 ftp 0.0.0.0 0 allow * * * 21,2121 #redirect ports 21 and 2121 to local #ftp proxy allow * #allow rest of connections directly socks #now let socks server to start
Q: How it affects different ACL rules?A: After local redirections rules are applied again to protocol-level request. Redirection rule itself is skipped. It makes it possible to redirect request again on the external proxy depending on request itself.
allow * * * 80,8080-8088 parent 1000 http 0.0.0.0 0 #redirect http traffic to internal proxy allow * * $c:\3proxy\local.nets 80,8080-8088 #allow direct access to local.nets networks allow * * * 80,8080-8088 parent 1000 http proxy.3proxy.ru 3128 #use parent caching proxy for rest of the networks allow * #allow direct connections for rest of socks #requests
Q: Is it possible to resolve names through parent proxy?A: Yes, use 'proxy', 'connect+', 'socks4+' or 'socks5+' as parent proxy type. 3proxy itself requires name resolutions for ACL checks, so, if it's impossible to resolve names from 3proxy host, use
fakeresolvecommand. Fakeresolve resolves any name to 127.0.0.2.
Q: Can I use 3proxy as FTP proxy?A: There are two kinds of FTP proxy supported: FTP over HTTP support (known as FTP proxy inside Internet Explorer, Mozilla and another browsers) and real FTP proxy (usable in Far and different FTP clients). Both are supported in 3proxy: first one as a part of HTTP 'proxy' and second one as 'ftppr'.
Q: Can I bind any 3proxy service to non-default port?A: proxy -p8080
Q: Why traffic accounting is incomplete? It differs for what my provider (or another accounting application) shows to me?A: 3proxy accounts protocol level traffic. Provider counts channel or IP-level traffic with network and transport headers. In additions, 3proxy doesn't counts DNS resolutions, pings, floods, scans, etc. It makes approx. 10% of difference. That's why you should have 15% reserve if you use 3proxy to limit your traffic. If difference with your provider is significantly above 10% you should look for traffic avoiding proxy server, for example connections through NAT, traffic originated from the host with proxy installed, traffic from server applications, etc.
Q: Why configuration is so difficult and non-intuitive?A: Configuration format is created in a way it's easy to parse and matches to internal 3proxy structures. In addition, there are some older things left for compatibility to be cleaned in 3proxy release. And last, I think it's easy and intuitive.
Q: Why the code is so difficult and non-intuitive?A: First, I'm not programmer. Second, 3proxy was 'proof of concept' in reply for some conference post. Request was to write proxy server in 100 lines of code. First version of 3proxy had less, with HTTP and SOCKS support and portmappers. Third, there are peoples who want to use 3proxy code in trojans. I don't want to help them. Fourth, the aim is to support different platforms. It's well known - the worse code is, the better it compiles.
Q: Why do you use insecure strcpy, sprintf, etc?A: Why not? I try to use insecure function in secure manner. You're welcome to look for vulnerabilities.