3proxy free proxy server


[EN] 3proxy
no-pyccku

  • 3APA3A 3proxy tiny proxy server HowTo
    Under construction, very incomplete

  • Proxy server installation and removal

    • How to install/remove 3proxy under Windows NT/2000/XP

      Unpack 3proxy.zip to any directory, for example c:\Program Files\3proxy. If needed, create directory for storing log files, ODBC sources, etc. Create 3proxy.cfg in the 3proxy installation directory (See Server configuration). If you use 3proxy before 0.6 Add

      service
      
      string into 3proxy.cfg. Now, start command prompt (cmd.exe). Change directory to 3proxy installation and run 3proxy.exe --install:
      D:\>C:
      C:\>cd C:\Program Files\3proxy
      C:\Program Files\3proxy>3proxy.exe --install
      
      Now, you should have 3proxy service installed and running. If service is not started, remove "service" string from 3proxy.cfg, run 3proxy.exe manually and correct all errors.

      To remove 3proxy run 3proxy --remove:

      D:\>C:
      C:\>cd C:\Program Files\3proxy
      C:\Program Files\3proxy>net stop 3proxy
      C:\Program Files\3proxy>3proxy.exe --remove
      
      Now you can simply remove 3proxy installation directory.

    • How to install/remove 3proxy under Windows 95/98/ME

      Unpack 3proxy.zip to any directory, for example c:\Program Files\3proxy. If needed, create directory for storing log files, ODBC sources, etc. Create 3proxy.cfg in the 3proxy installation directory (See Server configuration). Remove string

      service
      
      from 3proxy.cfg and add
      daemon
      
      if you want 3proxy to run in background. Create shortcut for 3proxy.exe and place it in autostart or add to registry with regedit.exe:
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      Type: String
      3proxy = "c:\Program Files\3proxy.exe" "C:\Program Files\3proxy.cfg"
      You must use quotes if path contains space. If neccessary, restart Windows. If service is not started, check log. Remove "daemon" command from 3proxy.cfg, start 3proxy.exe manually and correct all errors.

    • How to install/remove 3proxy under Unix/Linux

      Complie 3proxy (see Compilation). Copy executables to any appropriate location (for example /usr/local/3proxy/sbin for servers and /usr/local/3proxy/bin for utilities). Create /usr/local/etc/3proxy.cfg. (see Server configuration). You can change default configuration file location by specifing configuration file in 3proxy command line. Add 3proxy to system startup scripts.


  • Server configuration

    • Where to find configuration example

      Server configuration example 3proxy.cfg.sample is in any 3proxy distribution.

    • How to set up logging

      3proxy can log to stdout, file, ODBC datasource and syslog (Unix/Linux/Cygwin only). For using ODBC under Unix/Linux you must compile 3proxy with Unix ODBC libraries, see Compilation. You can control logging from 3proxy.cfg for all services or you can control logging of individual service, for example /usr/local/sbin/socks -l/var/log/socks.log starts SOCKS proxy with logging to file. For universal proxy (3proxy) log file rotation and archiving is supported. Log type is defined with "log" configuration file command or with -l switch on individual service invokation. log or -l is stdout logging.

      	log filename
      
      and
      	-lfilename
      
      specify filename for logging
      	log @ident
      
      and
      	[email protected]
      
      specify ident for syslog logging. If filename within "log" command contains '%' characters, it's processes as format specificator (see "logformat"). E.g. log c:\3proxy\logs\%y%m%d.log D creates file like c:\3proxy\logs\060729.log, date is generated based on local time.
      	log &connstring
      
      specifies ODBC connection string, connstring is in format datasource,username,password (2 last are optional of datasource does not require or already has authentication information). Also, you must specify logformat to build SQL query, to insert recod into log, see How to setup logging format

      Rotation and archiving may be set up with log, rotate archiver commands

      	log filename LOGTYPE
      
      sets rotation type. LOGTYPE may be:
      • M, monthely
      • W, weekly
      • D, daily
      • H, hourly
      • , minutely
      	rotate NUMBER
      
      specifies number of files in rotation (that is how many files to keep).
      	archiver EXT COMMAND PARAMETERS
      
      Sets external archiver. EXT is extention of archived files (for example zip, gz, Z, rar etc) COMMAND and PARAMETERS are command to execute and command line PARAMETERS. Originale file is not deleted by 3proxy, this work is left for archiver. You can pass original filename to archiver with %F macro and archive filename with %A. Examples are located in 3proxy.cfg.sample

    • How to setup logging format

      Since 0.3 version log format may be set with "logformat" command. First symbol of log format specifies format of date and time and should be L (LOCAL) or G (GMT - Grinwitch Meridian Time). Format string may contains some macro substitutions:

      • %y - Year (2 digits)
      • %Y - Year (4 digits)
      • %m - Month (2 digits)
      • %o - mOnth (3 letter abbriviation)
      • %d - Day (2 digits)
      • %H - Hour (2 digits)
      • %M - Minute (2 digits)
      • %S - Second (2 digits)
      • %t - Timestamp (seconds since January, 1 1970 00:00:00 GMT)
      • %. - Milliseconds
      • %z - Timezone in mail format (from GMT, '+' east, '-' west HHMM), For example Moscow winter time is +0300.
      • %U - Username ('-' if unknown).
      • %N - Service name (PROXY, SOCKS, POP3P, etc)
      • %p - Service port
      • %E - Error code (see. Log error codes reference)
      • %C - client IP
      • %c - client port
      • %R - target IP
      • %r - target port
      • %e - external IP address used to establish connection
      • %Q - requested IP
      • %q - requested port
      • %I - bytes received from target
      • %O - bytes sent to target
      • %n - host name from request
      • %h - hops before target (if redirection or chaning is used). see How to use chains and parent proxies)
      • %T - service specific text (for example URL requested). %X-YT where X and Y are positive numbers, only displays fields (space delimited) X to Y of the text. An example is %1-2T.
      Example:
      logformat "L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"
      
      generates something like

      1042454727.0296 SOCK4.1080 000 3APA3A 127.0.0.1:4739 195.122.226.28:4739 505 18735 1 GET http://3proxy.ru/ HTTP/1.1
      (no line breaks)

      If ODBC used, logformat should specify SQL command, to insert record into log, for example

      logformat "-\'+_GINSERT INTO proxystat  VALUES (%t, '%c', '%U', %I)"

      (no line breaks)
      -\'+_ instructs to replace characters \ and ' with _

    • How to use log analizers with 3proxy

      Just make format of 3proxy logs compatible with format supported by your favourite log analizer. Examples of compatible logformats are:
      For Squid access.log:

      "- +_G%t.%. %D %C TCP_MISS/200 %I %1-1T %2-2T %U DIRECT/%R application/unknown"

      or, more compatible format without %D
      "- +_G%t.%.      1 %C TCP_MISS/200 %I %1-1T %2-2T %U
       DIRECT/%R application/unknown"
      
      ISA 2000 proxy WEBEXTD.LOG (fields are TAB-delimited):
      "-	+ L%C	%U	Unknown	Y	%Y-%m-%d	%H:%M:%S
      	w3proxy	3PROXY	-	%n	%R	%r	%D
      	%O	%I	http	TCP	%1-1T	%2-2T	-	-
      	%E	-	-	-"
      
      ISA 2004 proxy WEB.w3c (fields are TAB-delimited):
      "-	+ L%C	%U	Unknown	%Y-%m-%d	%H:%M:%S
      	3PROXY	-	%n	%R	%r	%D	%O
      	%I	http	%1-1T	%2-2T	-	%E	-
      	-	Internal	External	0x0	Allowed"
      
      ISA 2000/2004 firewall FWSEXTD.log (fields are TAB-delimited):
      "-	+ L%C	%U	unnknown:0:0.0	N	%Y-%m-%d
      	%H:%M:%S	fwsrv	3PROXY	-	%n	%R	%r
      	%D	%O	%I	%r	TCP	Connect	-	-
      	-	%E	-	-	-	-	-"
      
      HTTPD standard log (Apache and others):

      "-""+_L%C - %U [%d/%o/%Y:%H:%M:%S %z] ""%T"" %E %I"

      or more compatible without error code

      "-""+_L%C - %U [%d/%o/%Y:%H:%M:%S %z] ""%T"" 200 %I"

    • How to start any of proxy services (HTTP, SOCKS etc)

      3proxy is distributed in 2 variants: as a set of standalone modules (proxy, socks, pop3p, tcppm, udppm) and as universal proxy server. These services are absolutely independant, and if you use 3proxy you needn't any of standalone modules.
      Standalone modules are only configurable via command line interface while 3proxy uses configuration file. Many functions, such as ODBC logging, log rotation, access control, etc are only available in 3proxy, not in standalone proxies. Standalone module may be started from command line, for example:

      $/sbin/socks -l/var/log/socks.log -i127.0.0.1
      
      Starts SOCKS server binded to localhost ip, port 1080 with logging to /var/log/socks.log. You can get help for any standalone service with -? command line option.

      If 3proxy is used you should start all services in 3proxy.cfg file. 3proxy.cfg is executed by 3proxy as a batch file. Example of 3proxy.cfg and command syntaxys can be found in 3proxy.cfg.sample.

      log /var/log/3proxy.log D
      rotate 30
      internal 127.0.0.1
      external 192.168.1.1
      proxy
      socks -p3129
      pop3p 
      
      Starts 3 services: HTTP PROXY, SOCKS and POP3 PROXY. Each listens localhost interface with default port (3128 for HTTP, 1080 for SOCKS and 110 for POP3P) except socks started with port 3129. All logs are in file /var/log/3proxy.log (with daily date modification and rotation). 30 last files are stored.

    • How to bind service to specific interface and port?

      -i options specifies internal interface, -p - listening port. No space are allowed. To bind 'proxy' service to port 8080 on interfaces 192.168.1.1 and 192.168.2.1 use

      proxy -p8080 -i192.168.1.1
      proxy -p8080 -i192.168.2.1
      

    • How to limit service access

      First, always specify internal interface to accept incoming connection with 'internal' configuration command or '-i' service command. (See How to start any of proxy services (HTTP, SOCKS etc)). If no internal interface is specified your proxy will act as open one.

      It's also important to specify external interface to prevent access to internal network with 'external' or -e.

      3proxy with configuration files allows to use authentication and authorization for user's access. Authentication is possible by username/password or user's NetBIOS name. Authentication type is specified by 'auth' command.

      auth none
      
      Disables both authentication and authorization. You can not use ACLs.
      auth iponly
      
      Specifies no authentication, ACLs authorization is used.
      auth nbname
      
      Authentication by NetBIOS name + ACLs. NetBIOS name of 'messenger' service is obrained before ACL validation. If no name is obtained it's assumed to be empty. Messenger is started by default in Windows NT/2000/XP. For Win9x WinPopUP need to be launched. This type of authentication may be spoofed by privileged local user.
      auth strong
      
      Authentication by username/password. If user is not registered his access is denied regardless of ACLs.

      Different services can have different authentication levels.

      auth none
      pop3p
      auth iponly
      proxy
      auth strong
      socks
      
      It's possible to authorize access by client IP address, IP address or requested resource, target port, time, etc after authentication. (See How to limit resource access).

      Since 0.6 version double authentication is possible, e.g.

      auth iponly strong
      allow * * 192.168.0.0/16
      allow user1,user2
      proxy
      
      strong authentication will only be used if ACL requires username to deside if access must be granted. That is, in example, strong username authentication is not required to access 192.168.0.0/16

      0.6 version introduces authentication (username) caching to increase productivity. It's recommended to use authentication caching with resource or time consuming authentication types, such as nbname or external plugins (WindowsAuthentication). Caching can be set with 'authcache' command with 2 parameters: caching type and caching time (in seconds). Caching type defines the type of cached access: 'ip' - after successful authentication all connections during caching time from same IP are assigned to the same user, username is not requested. "ip,user" - username is requested and all connections from the same IP are assigned to the same user without actual authentication. "user" - same as above, but IP is not checked. "user,password" - username and password are checked against cached ones. For authentication special authentication type 'cache' must be used. Example:

      authcache ip 60
      auth cache strong windows
      proxy -n
      

      Please note, that caching affects security. Never use caching for access to critical resources, such as web administration.
    • How to create user list

      Userslist is created with 'users' command.

      users USERDESC ...
      
      With a single command it's possible to define few users, or you can use few 'users' commands. USERDESC is user description. Description consists of three semicolon delimited parts - login, password type and
      users admin:CL:bigsecret test:CL:password test1:CL:password1
      users "test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49."
      users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63
      
      Please note the usage of quotation sign: it's required to comment out $ sign overwise used as a file inclusion macro. Next password types are available:
      • No password type: use system authentication.
      • CL - cleartext password
      • CR - crypt password, only MD5 crypt passwords are supported
      • NT - NT-hashed (MD4) passwords in hex, as used in pwdump or SAMBA
      NT and crypt passwords can be used to import accounts from Windows/SAMBA or Unix. For Windows you can use pwdump family of utilities. It's convenient to store accounts apart and include account file with $ macro. Because for included files newlines are treated as a space, it's possible to use atandard passwd file format:
      users $/etc/.3proxypasswd
      
      or
      users $"c:\Program Files\3proxy\passwords"
      
      It's possible to create NT and crypt passwords with mycrypt utility included in distribution.
      Userlist is system-wide. To manage user access to specific service use ACLs.

    • How to limit user access to resources

      Commands allow, deny and flush are used to manage ACLs:

      allow <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist> <weekdaylist> <timeperiodlist>
      deny <userlist> <sourcelist> <targetlist> <weekdaylist> <timeperiodlist>
      flush

      'flush' command is used to finish with existing ACL and to start new one. It's required to have different ACLs for different services. 'allow' is used to allow connection and 'deny' to deny connection. 'allow' command can be extended by 'parent' command to manage redirections (see How to manage redirections)). If ACL is empty it allow everything. If ACL is not empty, first matching ACL entry is searched for user request and ACL action (allow or deny) performed. If no matching record found, connection is denied and user will be asked to re-authenticate (requested for username/password). To prevent this request add 'deny *' to the end of list.
      • <userlist> - comma delimited list of users
      • <sourcelist> - comma delimited list of source (client) networks. Networks can be defined as single IP address or in CIDR form xxx.yyy.zzz.mmm/l, where l - is the length of network mask (a number of non-zero bits). 192.168.1.0/24 means network with 255.255.255.0 mask.
      • <targetlist> - comma delimited list of target (server) networks. In 3proxy 0.6 and above it's allowed to use hostnames with wildmasks in targetlist. Wildmask may only present in the begginning or at the end of the hostname, e.g. 192.168.0.0/16,www.example.com,*wrongsite.com,*wrongcontent*.
      • <targetportlist> - comma delimited list of ports. I It's possible to define port ranges with -, e.g. 80,1024-65535 means port 80 and all unprivileged ports.
      • <commandlist> - the list of allowed actions
        CONNECT - establish outgoing TCP connection. e.g. POP3 or SOCKSv5
        BIND - allow incoming TCP connection (SOCKSv5)
        UDPASSOC - create UDP association (SOCKSv5)
        ICMPASSOC - create ICMP association (not implemented)
        HTTP_GET - HTTP GET request (HTTP proxy)
        HTTP_PUT - HTTP PUT request (HTTP proxy)
        HTTP_POST - HTTP POST request (HTTP proxy)
        HTTP_HEAD - HTTP HEAD request (HTTP proxy)
        HTTP_CONNECT - HTTP CONNECT, aka HTTPS request (HTTP proxy)
        HTTP_OTHER - another HTTP request (HTTP proxy)
        HTTP - any HTTP request except HTTP_CONNECT (HTTP proxy)
        HTTPS - alias to HTTP_CONNECT (HTTP proxy)
        FTP_GET - FTP get request (http, ftp proxy)
        FTP_PUT - FTP put request (ftp proxy)
        FTP_LIST - FTP list request (http, ftp proxy)
        FTP - any FTP request
        ADMIN - administration interface access

      • <weeksdays> - week days numbers or periods (0 or 7 means Sunday, 1 is Monday, 1-5 means Monday through Friday).
      • <timeperiodlists> - a list of time periods in HH:MM:SS-HH:MM:SS format. For example, 00:00:00-08:00:00,17:00:00-24:00:00 lists non-working hours.
      * in ACL means "any". Usage examples could be found in 3proxy.cfg.sample.

    • How to manage redirections

      Redirections are usefull to e.g. forward requests from specific clients to different servers or proxy server. Additionally, redirections are usefull to convert proxy interface from ont format to another, e.g. requests from SOCKS proxy can be redirected to parent HTTP proxy, or SOCKSv5 client can be redirected to SOCKSv4 proxy.
      Because 3proxy understand "transparent" web request, it can be used as an intermediate software between HTTP proxy and NAT server for transparent HTTP forwarding, because it can convert "Web server" request issued by client to "proxy request" required by proxy server. A simplest redirection is:

      auth iponly
      allow *
      parent 1000 http 192.168.1.1 3128
      proxy
      
      All trafiic of HTTP proxy is redirected to parent proxy 192.168.1.1 port 3128.
      If port number is '0', IP address from 'parent' is used as external address for this connection (that is like -eIP, but only for connections matching 'allow').
      Special case of redirection are local redirections. In this case both IP is 0.0.0.0 and port is 0. It's only usseful with SOCKS service. In this case no new connection is established, but request is parsed by corresponding local service. E.g.:
      auth iponly
      allow * * * 80
      parent 1000 http 0.0.0.0 0
      allow * * * 21
      parent 1000 ftp 0.0.0.0 0
      allow * * * 110
      parent 1000 pop3 0.0.0.0 0
      socks
      
      In this case all SOCKS traffic with destination port 80 is forwarded to local 'proxy' service, destination port 21 to 'ftppr' and 110 to 'pop3pr'. There is no need to run these services expicitly. Local redirections are usefull if you want to see and control via ACLs protocol specific parameters, e.g. filenames requests thorugh FTP while clients are using SOCKS.

    • How to balance traffic between few external channgels?

      Proxy itself doesn't manage network level routing. The only way to control outgoing channel is to select external interface. It's possible to make external interface (what is usually selected with 'external' command or '-e' option) random by using local redirection with external port 0.

      auth iponly
      allow *
      parent 500 http 10.1.1.101 0
      parent 500 http 10.2.1.102 0
      
      Now external interface is randomly selected with 0.5 probability between 10.1.1.101 and 10.2.1.102. To work as expected, different default routes must between 2 interfaces. used

      If both interface addresses are in same network, e.g. 10.1.1.101 and 10.1.1.102 and you want to select random gateway between 10.1.1.1 and 10.1.1.2, you must control it by using routing table, in case there is no default gateway route for Windows:

       route add -p 10.1.1.1 10.1.1.101
       route add -p 10.1.1.2 10.1.1.102
       route add -p 0.0.0.0 mask 0.0.0.0 192.168.1.1
       route add -p 0.0.0.0 mask 0.0.0.0 192.168.1.2
      
      If you have no second address yet, just add it. Under Linux/Unix it's better to use source routing.

    • How to manage proxy chains

      parent command may also be used to build a proxy chains. In this case few 'parent' commands are used for single 'allow' rule with different weights (first argument of parent command). Chain may contain any number of proxy servers, but it should be noted that every hope significantly reduces productivity. It's possible to mix different types of proxy within single chain: HTTPS (HTTP connect), SOCKS4, SOCKS5. Weight different from 1000 is used to build random chains. if weight W is below 1000, this proxy will be used as a next chain hop with probability of W/1000. That is, if the weight is 250 probability this proxy will be used for the next hope is 25%. 'parent' records with common weight of 1000 establish a group, one of these record will be used for the hop with probability according to weight. Warning: each group must have a weight even of 1000. As follows, common weight of all 'parent' records must also be even of 1000. If common weight of 'parent' records in te chain is 3000, chain has 3 hops and must be formed of 3 groups. Example:

      allow *
      parent 500 socks5 192.168.1.1 1080
      parent 500 connect 192.168.10.1 3128
      
      In this case we have 1 parent proxy (1 hop) which is randomely choosen between 2 hosts: 192.168.1.1 and 192.168.10.1. 2 records form a single group.
      allow * * * 80
      parent 1000 socks5 192.168.10.1 1080
      parent 1000 connect 192.168.20.1 3128
      parent 300 socks4 192.168.30.1 1080
      parent 700 socks5 192.168.40.1 1080
      
      In this case we have 3 groups (3 hops in the chain). First hop is 192.168.10.1, second hop is 192.168.20.1 and 3rd one is either 192.168.30.1 with probability of 30% or 192.168.40.1 with probability of 70%.

    • How to limit bandwidth

      3proxy supports bandwidth filters. To manage filters bandlimin/bandlimout and nobandlimin/nobandlimout. 'in' means incoming and 'out' - outgoing traffic.

      bandlimin <bitrate> <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>
      nobandlimin <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>

      Commands are applied to all services. Imagine bandwidth filters as a series of pipes. Bitrate is a pipe's width and ACLs controls the flow thorugh this pipe.
        bandlimin 57600 * 192.168.10.16
        bandlimin 57600 * 192.168.10.17
        bandlimin 57600 * 192.168.10.18
        bandlimin 57600 * 192.168.10.19
      
      Create 4 separete pipes for 4 client with emulation of modem connection.
        bandlimin 57600 * 192.168.10.16/30
      
      Create single pipe for all 4 clients. That is 4 clients share modem connection. In this example:
        nobandlimin * * * 110
        bandlimin 57600 * 192.168.10.16/32
      
      mail traffic from POP3 servers bypasses the pipe and has no bandwidth limitation.

    • How to limit traffic amount

      counter <filename> <type> <reportpath>
      countin <number> <type> <amount> <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>
      nocountin <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>
      countout <number> <type> <amount> <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>
      nocountout <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>

      You can set traffic limit per day (D), week (W), month (M), year (Y) or absolute ('N'), as specified by 'type' argument of counterin command. Traffic information is stored in binary file specified by 'filename' argument. countersutil utility can be used to manage this file. reportpath specifies location of text reports, type parameter of 'counter' command controls how often text reports are created. amount is amount of allowed traffic in Megabytes (MB). nocountin allows you to set exclusions.

    • How to build network lists

      Networks or users lists are often very huge. 3proxy doesn't currently supports user groups, but ones can be created by the means of include files. You can store comma-delimited lists of networks or users in the separate file and use $ macro to insert this list into 3proxy.cfg. 3proxy comes with 'dighosts' utility. This utility helps to grab the list of the network from HTTP page. It may be usefull to e.g. obtain a regullary updated list of local networks from ISP's server. A network list can be either in form of NETWORK MASK, e.g. 192.168.1.0 255.255.255.0 or NETWORK/LENGTH, e.g. 192.168.1.0/24. You can launch dighosts from 3proxy.cfg to be executed on every 3proxy startup or configuration reload:

      system "dighosts http://provider/network.html local.networks"
      allow * * $local.networks
      allow *
      parent 1000 proxy.provider 3128 *
      proxy
      flush
      
      In this example we obtain list of local networks from provider's page to local.networks file, allow direct access to these networks and redirect all connection to external networks to provider's proxy.

    • How to configure name resolution and DNS caching

      For name resolution and caching use commands nserver, nscache / nscache6 and nsrecord.

        nserver 192.168.1.2
        nserver 192.168.1.3:5353/tcp
      sets DNS resolvers. 192.168.1.3 will be used via TCP/5353 (instead of default UDP/53) only if 192.168.1.2 fails. Up to 5 nservers may be specified. If no nserver is configured, default system name resolution functions are used.
        nscache 65535
        nscache6 65535
      sets name cache size for IPv4 and IPv6. Name cache must be large enouth, if presents. name cache is only used if nserver is configured.
        nsrecord server.mycompany.example.com 192.168.1.1
        nsrecord www.porno.com 127.0.0.2
        ...
        deny * * 127.0.0.2
      adds static nsrecords. Also, static nsrecords are used for dnspr, unless -s option is specified. Since 0.8 version, parent proxy may be configured for dnspr.

    • How to use IPv6

      IPv6 is supported since 0.8. Please note, some proxy protolos, e.g. SOCKSv4, do not support IPv6. SOCKSv5 supports IPv6 with special request type (must be implemented by client).
      3proxy supports proxying from IPv4 and IPv6 networks to IPv4, IPv6 and mixed networks. IPv6 address may be used in internal, external, parent commands, ACLs, -i and -e options,etc. external command and -e options may be given twice for each service - once with IPv4 and once with IPv6 address. internal can be given only once, to bind to all IPv4 and IPv6 addresses use [0:0:0:0:0:0:0:0] or [::].
      Any service may be configured with -4, -46, -64, -6 options to specify decied priority for name to IPv4/IPv6 address resolution (IPv4 only, IPv4 priority, IPv6 priority, IPv6 only).

    • How to use connect back

      In example, users needs access from external network to proxy server located on the host 192.168.1.2. This host can not be accessed from external network, but it has access to external network with with external address 1.1.1.1. Also, user has access to the host 2.2.2.2 (IP address may be dynamic) with hostname host.dyndns.example.org via external network. User needs 2 instances of 3proxy, first one on the host 192.168.1.2 with config

        users user:CL:password
        auth strong
        allow user
        proxy -rhost.dyndns.example.org:1234
      second one on the host.dyndns.example.org (2.2.2.2) with config
        auth iponly
        allow * * 1.1.1.1
        tcppm -R0.0.0.0:1234 3128 1.1.1.1 3128
      For browser settings proxy is host.dyndns.example.org:3128.


  • Client configuration


  • Administering and information analisys

    • How to obtain latest 3proxy version

      Latest version of 3proxy may be obtained here. New version may have changes and incompatibilities with previous one in files format or commands. Please, read CHANGELOG file and another documentation before installing new version.

    • How to control 3proxy service under Windows NT/2000/XP

      If installed as system service, 3proxy understands Windows service commands for START, STOP, PAUSE and RESUME. If service is PAUSEd, no new connections are accepted while older connections are processed. Currently there is no support for dynamic configuration change, so, you have to restart service completely if you have changed any configuration. You can control 3proxy service via "Services" administration ot via "net" command:

      	net start 3proxy
      	net stop 3proxy
      	net pause 3proxy
      	net continue 3proxy
      

    • Log error codes reference

      • 0 - Operation successfully complited (connection was closed by one of peers)
      • 1-9 - AUTHENTICATION ERRORS
      • 1 - Access denied by ACL (deny)
      • 2 - Redirection (should not appear)
      • 3 - No ACL found, denied by default
      • 4 - auth=strong and no username in request
      • 5 - auth=strong and no matching username in configuration
      • 6 - User found, wrong password (cleartext)
      • 7 - User found, wrong password (crypt)
      • 8 - User found, wrong password (NT)
      • 9 - Redirection data not found (should not appear)
      • 10 - Traffic limit exceeded
      • 11-19 - CONNECTION ERRORS
      • 11 - failed to create socket()
      • 12 - failed to bind()
      • 13 - failed to connect()
      • 14 - failed to getpeername()
      • 20-29 - COMMON ERRORS
      • 21 - memory allocation failed
      • 30-39 - CONNECT PROXY REDIRECTION ERRORS
      • 31 - failed to request HTTP CONNECT proxy
      • 32 - CONNECT proxy connection timed out or wrong reply
      • 33 - CONNECT proxy fails to establish connection
      • 34 - CONNECT proxy timed out or closed connection
      • 40-49 - SOCKS4 PROXY REDIRECTION ERRORS
      • 50-69 - SOCKS5 PROXY REDIRECTION ERRORS
      • 70-79 PARENT PROXY CONNECTION ERRORS (identical to 1x)
      • 90-99 - established connection errors
      • 90 - socket error or connection broken
      • 91 - TCP/IP common failure
      • 92 - connection timed out
      • 93 - error on reading data from server
      • 94 - error on reading data from client
      • 95 - timeout from bandlimin/bandlimout limitations
      • 96 - error on sending data to client
      • 97 - error on sending data to server
      • 98 - server data limit (should not appear)
      • 99 - client data limit (should not appear)
      • 100 - HOST NOT FOUND
      • 200-299 - UDP portmapper specific bugs
      • 300-399 - TCP portmapper specific bugs
      • 400-499 - SOCKS proxy specific bugs
      • 500-599 - HTTP proxy specific bugs
      • 600-699 - POP3 proxy specific bugs
      • 999 - NOT IMPLEMENTED


  • How To ask quiestion not in How To?

    Ask it in 3proxy forum. Don't try to ask something before reading this document.

 
About | Terms of use | Privacy Policy
© Securityvulns, 3APA3A, Vladimir Dubrovin