Showing preview only (4,550K chars total). Download the full file or copy to clipboard to get everything.
Repository: snail007/goproxy
Branch: master
Commit: e6d6a821db80
Files: 119
Total size: 4.3 MB
Directory structure:
gitextract_ojsql542/
├── .gitignore
├── CHANGELOG
├── ISSUE_TEMPLATE.md
├── LICENSE
├── README.md
├── README_ZH.md
├── VERSION
├── ad.txt
├── blocked
├── config.go
├── direct
├── docker/
│ ├── Dockerfile
│ ├── Shanghai
│ ├── build.sh
│ └── ca-certificates.crt
├── docs/
│ ├── 404.html
│ ├── categories/
│ │ ├── goproxy手册/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ ├── index.html
│ │ ├── index.xml
│ │ ├── 架构解说/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ ├── 细说层级/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ └── 默认分类/
│ │ ├── index.html
│ │ ├── index.xml
│ │ └── page/
│ │ └── 1/
│ │ └── index.html
│ ├── css/
│ │ └── styles.css
│ ├── index.html
│ ├── index.xml
│ ├── manual/
│ │ ├── index.html
│ │ ├── manual.md
│ │ └── zh/
│ │ ├── index.html
│ │ └── manual.md
│ ├── page/
│ │ ├── 1/
│ │ │ └── index.html
│ │ ├── 2/
│ │ │ └── index.html
│ │ ├── about/
│ │ │ └── index.html
│ │ ├── categories/
│ │ │ └── index.html
│ │ ├── faq/
│ │ │ └── goproxy常见问题解答/
│ │ │ └── index.html
│ │ ├── free_vs_commercial/
│ │ │ └── index.html
│ │ ├── free_vs_commercial_en/
│ │ │ └── index.html
│ │ ├── index.html
│ │ ├── index.xml
│ │ └── page/
│ │ └── 1/
│ │ └── index.html
│ ├── posts/
│ │ ├── cloudflare/
│ │ │ └── index.html
│ │ ├── domain-cf/
│ │ │ └── index.html
│ │ ├── http-nat-cdn/
│ │ │ └── index.html
│ │ ├── http_cdn_ws/
│ │ │ └── index.html
│ │ ├── index.html
│ │ ├── index.xml
│ │ ├── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ └── windows-global-proxy-using-dns/
│ │ └── index.html
│ ├── robots.txt
│ ├── sitemap.xml
│ ├── tags/
│ │ ├── cdn/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ ├── cloudflare/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ ├── commercial/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ ├── domain/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ ├── index.html
│ │ ├── index.xml
│ │ ├── tcp/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ ├── ws/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ ├── 全局代理/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ ├── 内网穿透/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ └── 商业版/
│ │ ├── index.html
│ │ ├── index.xml
│ │ └── page/
│ │ └── 1/
│ │ └── index.html
│ └── usage/
│ ├── first/
│ │ └── index.html
│ ├── index.html
│ ├── index.xml
│ ├── page/
│ │ └── 1/
│ │ └── index.html
│ └── tcp/
│ └── index.html
├── dr.txt
├── go.mod
├── gui/
│ ├── README.md
│ └── README_ZH.md
├── hosts
├── install.sh
├── install_auto.sh
├── install_auto_commercial.sh
├── install_commercial.sh
├── main.go
├── resolve.rules
├── rewriter.rules
├── rhttp.toml
├── services/
│ ├── args.go
│ ├── http.go
│ ├── service.go
│ ├── tcp.go
│ ├── tunnel_bridge.go
│ ├── tunnel_client.go
│ ├── tunnel_server.go
│ └── udp.go
├── uninstall.sh
└── utils/
├── functions.go
├── io-limiter.go
├── map.go
├── pool.go
├── serve-channel.go
└── structs.go
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitignore
================================================
/.idea
/goproxy
/go.sum
================================================
FILE: CHANGELOG
================================================
proxy更新日志
v7.5
1.http(s)\socks\sps 增加了本地监听单向tls支持.
2.socks5协议兼容了更多不标准的客户端.
3.可以使用第三方安卓客户端对接proxy的socks5服务了,支持认证.
4.修复了多处不能正常使用ipv6的bug.
v7.4
1.优化了命令行kcp参数的设置,help命令不再强制显示,只有拥有kcp功能的模块才会显示.
2.内部增加了插件机制,拓展功能十分方便.
3.重构了对配置文件的解析,不再限制参数格式,书写更简单.
4.内网穿透增加了http协议的增强支持,增加了--http-host参数,可以强制设置http头部的HOST字段值.
HTTP请求客户端会使用server的ip和端口去设置HOST字段,但是与期望的后端实际HOST不一样,这样就造成了tcp是通的,
但后端依赖HOST字段定位虚拟主机就不能工作.现在用--http-host参数强制设置http头部的HOST字段值为后端实际的
域名和端口即可轻松解决.
v7.3
1.重构了SPS的SS功能,go版本ss,全网唯一一家支持最全加密方式,支持如下:
aes-128-cfb , aes-128-ctr , aes-128-gcm , aes-192-cfb , aes-192-ctr , aes-192-gcm , aes-256-cfb ,
aes-256-ctr , aes-256-gcm , bf-cfb , cast5-cfb , chacha20 , chacha20-ietf , chacha20-ietf-poly1305 ,
des-cfb , rc4-md5 , rc4-md5-6 , salsa20 , xchacha20
2.修复某些情况下,--forever可能不能预期工作的问题.
3.修复在某些特殊Linux系统下启动失败的问题.
4.重构了核心服务管理代码,提升了效率.
5.优化了dns功能,支持多个上级负载均衡和高可用,上级写法和SPS的-P参数一致.
6.修复了--forever和--deamon存在的资源清理隐患问题.
7.优化了更新,提升了稳定性.
8.http认证某些特殊情况下不能正常工作的问题.
9.优化了所有服务的资源释放,避免某些情况下导致异常的问题.
10.SDK得到大量优化,不再会出现并发启动和停止在某些情况下导致异常的问题.
v7.2
1.sps功能增加了不再强制指定一个上级,当上级为空,sps本身即可完成完整的代理功能.
如果指定了上级那么就和之前一样使用上级连接目标,
2.修复了dns,加密传输-z和-Z参数不能正常工作的问题.
3.优化了启动速度,提升了稳定性.
4.取消发布几乎没人使用的平台上的二进制.
v7.1
1.socks/http(s)/sps代理,负载均衡里面的权重标志符号由`@`变更为`#`.
2.sps支持同时使用不同类型的上级,比如你可以用sps同时使用socks,http,ss三种类型的上级,
详细情况请看手册`设置单独认证信息`和`设置单独认证信息的协议类型`
3.sps代理,上级设置单独认证信息里面的用户名和密码不再使用base64编码,变更为标准的URLEncode编码.
4.修复了所有服务在某些情况下不能正常停止服务释放资源的问题.
5.重构了部分代码,运行更加高效.
6.socks/http(s)/sps代理增加了域名黑名单支持,用--stop参数指定一个域名列表文件,
那么当用户连接文件里面这些域名的时候连接就会被断开.域名文件内容格式参见手册:"域名黑名单".
7.针对windows增加了隐藏界面的启动脚本,bootstrap.bat里面可以设置参数,start.vbs是启动脚本.
8.增加了一个广告域名列表文件40000+个域名,已经打包在发布的版本压缩包内.
v7.0
1.修复了socks代理,上级为ssh的时候,不能正常工作的问题.
v6.9
1.修复了sps的start潜在的crash问题.
2.sps代理增加了--parent-tls-single参数用来支持单向tls上级。
3.sps代理增加了对单个上级认证信息的支持,如果没有单独设置,就使用全局-A设置.
现在上级格式: -P YTpi#2.2.2.2:33080@1
说明:
YTpi 是经过base64编码的认证信息,比如是http(s)/socks原始认证信息a:b,用户是a密码是b,base64编码之后是:YTpi
如果是ss,那么a就是加密方法,b是密码,比如:aes-192-cfb:your_pass,base64编码之后是:YWVzLTE5Mi1jZmI6eW91cl9wYXNz
# 是间隔符号,如果有认证信息,必须有#,没有认证信息可以省略#.
2.2.2.2:33080 是上级地址
@1 是设置权重,可以参考手册权重部分.
4.修复了socks5代理错误处理超时的问题.
5.修复了http(s)代理错误处理-Z的问题.
v6.8
1.HTTP(S)\SOCKS5代理,API认证功能,发送给认证接口的参数增加了本地IP,local_ip字段,
代表用户访问的是本地服务器的哪个IP.
2.fix #194 , fix #134 , 代理更稳定.
3.增加了一波英文文档.
v6.6
1.优化了limitconn的关闭逻辑,释放更多资源.
2.http(s)\socks代理增加了--intelligent,智能模式设置,可以是intelligent|direct|parent三者之一,
默认是:intelligent.每个值的含义如下.
--intelligent=direct,不在blocked里面的目标都直连.
--intelligent=parent,不在direct里面的目标都走上级.
--intelligent=intelligent,blocked和direct里面都没有的目标,智能判断是否使用上级访问目标.
v6.5
1.修复了合并企业版遗留的一些bug.
v6.4
1.http(s)代理增加了--jumper参数,可以穿透外部代理连接上级.
2.优化了socks5代理UDP功能可能存在的内存占用过多问题.
3.优化了jumper,避免某些情况下不能正确返回错误的问题.
4.sps代理增加了--jumper参数,可以穿透外部代理连接上级.
5.修复了--debug不能正常工作的问题.
v6.3
1.fixed #156
2.修复DNS代理,没有定时保存缓存结果到文件.重启会降低查询速度.
v6.2
1.修复encrypt.Conn释放内存,导致的潜在panic问题.
2.修复了basic认证,处理认证文件没有正确处理注释的bug.
3.修正了ssh中转手册参数-A调整为-D.
v6.1
1.黑白名单支持设置顶级域了,比如:com,匹配所有的.com域名
2.优化TCPS内存释放.
3.优化了域名检查.
4.内网穿透增加了TCPS和TOU协议,
TCPS提供了多种自定义加密TCP方式传输.
TOU提供了TCP over UDP,多种自定义加密UDP方式传输TCP数据.
5.优化了DST,防止意外crash.
6.修复了mapx的Keys()方法的bug导致内网穿透bridge不稳定的问题.
7.修复了部分服务不能绑定IPv6地址的bug.
v6.0 企业版开源啦
本次更新主要是把企业版开源,把企业版代码合并到现在的开源goproxy当中,继续遵循GPLv3,免费开源,
之所以直接跳过5.x,用6.0版本号是为了与现有开源版本做一个明显的区分,下面功能主要来自企业版.
企业版代码结构更合理,核心与开源版本有很大区别,与此同时企业版有一个core开发库,基于此库可以
几行代码实现自己高度定制化的各种网络安全传输服务器和客户端和代理服务器与客户端.与此同时企
业版独创了TCPS协议,处于应用层和TCP层之间,可以为应用提供透明化的安全传输功能,另外还对dst协
议进行了一些改造,集成到goproxy中,实现了tcp over udp功能,那么除了kcp之外现在还可以选择dst
作为底层的tcp over udp的传输.下一步加入插件机制,定制功能可以使用插件方式开发了,热插拔,
不需要修改goproxy二进制,可以插件so或者dylib注入.
1.预编译的二进制增加了armv8支持.
2.预编译的mipsle和mips二进制增加了softfloat支持.
3.优化连接HTTP(s)上级代理的CONNECT指令,附带更多的信息.
4.重构了内网穿透的UDP功能,性能大幅度提升,可以愉快的与异地基友玩依赖UDP的局域网游戏了.
5.重构了UDP端口映射,性能大幅度提升.
6.HTTP(S)\SOCKS5\SPS代理支持上级负载均衡,可以同时指定多个上级.
7.SPS支持HTTP(S)\SOCKS5\SS协议相互转换.
8.HTTP(S)\SOCKS5\SPS代理支持限速.
9.HTTP(S)\SOCKS5代理支持指定出口IP.
10.SOCKS5代理支持级联认证.
11.修复了tclient可能意外退出的bug.
12.优化了错误捕获,防止意外crash.
13.优化了停止服务,释放内存.
v5.4
1.优化了获取本地IP信息导致CPU过高的问题.
2.所有服务都增加了--nolog参数,可以关闭日志输出,节省CPU.
3.优化sdk,支持并发启动/关闭操作.
4.修复了多连接版本的内网穿透,tserver连接不能正确释放的bug.
5.内网穿透增加了client/tclient和server/tserver使用代理连接bridge/tbridge的功能,详细内容参考手册.
6.TCP端口映射(TCP代理)增加了使用代理连接上级的功能,详细内容参考手册.
v5.3
1.优化了socks_client握手端口判断,避免了sstap测试UDP失败的问题.
v5.2
1.修复了HTTP(S)\SPS反向代理无法正常工作的问题.
2.优化了智能判断,减少不必要的DNS解析.
3.重构了SOCKS和SPS的UDP功能,基于UDP的游戏加速嗖嗖的.
v5.1
1.优化了kcp默认mtu配置,调整为450.
2.优化了HTTP(S)\SOCKS5代理智能判断,更加精确。
3.fix #97 , 修复了RemoveProxyHeaders方法忽略了第一行的bug。
4.修复了-g参数长格式没有连接符号的bug.
5.重构了证书生成功能,不再有任何外部依赖,任何平台都可以独立生成证书.
v5.0
1.修复了SPS多端口无效的bug.
2.增加了DNS代理功能,提供安全无污染的DNS解析.
v4.9
1.修复了HTTP Basic代理返回不合适的头部,导致浏览器不会弹框,个别代理插件无法认证的问题.
2.内网穿透切换smux到yamux.
3.优化了HTTP(S)\SOCKS5代理--always的处理逻辑.
v4.8
1.优化了SPS连接HTTP上级的指令,避免了某些代理不响应的问题.
2.SPS功能增加了参数:
--disable-http:禁用http(s)代理
--disable-socks:禁用socks代理
默认都是false(开启).
3.重构了部分代码的日志部分,保证了日志按着预期输出.
4.修复了sps\http代理初始化服务的时机不正确,导致nil异常的bug.
5.优化了sps日志输出.
6.--debug参数增加了Profiling功能,可以保存cpu,内存等多种调试数据到文件.
7.优化了服务注册,避免了不必要的内存开销.
8.增加了Dockerfile和docker安装手册.
9.优化了ioCopy避免了内存泄漏,大大提升了内存占用的稳定性.
v4.7
1.增加了基于gomobile的sdk,对android/ios/windows/linux/mac提供SDK支持.
2.优化了bridge的日志,增加了client和server的掉线日志.
3.优化了sps读取http(s)代理响应的缓冲大小,同时优化了CONNECT请求,
避免了某些代理服务器返回过多数据导致不能正常通讯的问题.
4.去除了鸡肋连接池功能.
5.优化了所有服务代码,方便对sdk提供支持.
6.增加了SDK手册.
7.增加了GUI客户端(windows/web/android/ios)介绍主页.
8.SPS\HTTP(s)\Socks代理增加了自定义加密传输,只需要通过参数-z和-Z设置一个密码即可.
9.SPS\HTTP(s)\Socks代理增加了压缩传输,只需要通过参数-m和-M设置即可.
10.手册增加了SPS\HTTP(s)\Socks自定义加密的使用示例.
11.手册增加了SPS\HTTP(s)\Socks压缩传输的使用示例.
12.优化了多链接版本的内网穿透,融合了多链接和smux的优点,即能够拥有大的吞吐量,
同时又具备mux的心跳机制保证了链接的稳定性.
13.手册增加了大量配图.
14.优化了socks代理udp上级的设置逻辑,智能判断parent上级填充udp parent.
15.优化了项目文件夹结构,使用源码可以直接go get.
v4.6
1.sps,http(s),socks5,内网穿透都做了大量的超时优化处理,更加稳定.
2.sps增加了强大的树形级联认证支持,可以轻松构建你的认证代理网络.
3.手册增加了6.6对sps认证功能的介绍.
v4.5
1.优化了mux内网穿透连接管理逻辑,增强了稳定性.
2.mux内网穿透增加了tcp和kcp协议支持,之前是tls,现在支持三种协议tcp,tls,kcp.
3.keygen参数增加了用法: proxy keygen usage.
4.http(s)/socks5代理,tls增加了自签名证书支持.
5.建议升级.
v4.4
1.增加了协议转换sps功能,代理协议转换使用的是sps子命令(socks+https的缩写),
sps本身不提供代理功能,只是接受代理请求"转换并转发"给已经存在的http(s)代理
或者socks5代理;sps可以把已经存在的http(s)代理或者socks5代理转换为一个端口
同时支持http(s)和socks5代理,而且http(s)代理支持正向代理和反向代理(SNI),转
换后的SOCKS5代理不支持UDP功能;另外对于已经存在的http(s)代理或者socks5代理,
支持tls、tcp、kcp三种模式,支持链式连接,也就是可以多个sps结点层级连接构建
加密通道。
2.增加了对KCP传输参数的配置,多达17个参数可以自由的配置对kcp传输效率调优。
3.内网穿透功能,server和client增加了--session-count参数,可以设置server每个
监听端口到bridge打开的session数量,可以设置client到bridge打开的session数量,
之前都是1个,现在性能提升N倍,N就是你自己设置的--session-count,这个参数很大
程度上解决了多路复用的拥塞问题,v4.4开始默认10个。
v4.3
1.优化了参数keygen生成证书逻辑,避免证书出现特征。
2.http(s)和socks代理增加了--dns-address和--dns-ttl参数。
用于自己指定proxy访问域名的时候使用的dns(--dns-address)以及解析结果缓存时间(--dns-ttl)秒数,
避免系统dns对proxy的干扰,另外缓存功能还能减少dns解析时间提高访问速度。
3.优化了http代理的basic认证逻辑。
提示:
v4.3生成的证书不适用于v4.2及以下版本。
v4.2
1.优化了内网穿透,避免了client意外下线,导致链接信息残留的问题.
2.http代理增加了SNI支持,现在http(s)代理模式支持反向代理,支持http(s)透明代理.
3.增加了英文手册.
v4.1
1.优化了http(s),socks5代理中的域名智能判断,如果是内网IP,直接走本地网络,提升浏览体验,
同时优化了检查机制,判断更快.
2.http代理basic认证增加了对https协议的支持,现在basic认证可以控制所有http(s)流量了.
3.项目代码增加了依赖类库vendor目录,clone下来就能go build,再也不用担心go get依赖类库
失败导致不能编译了.
v4.0
1.内网穿透三端重构了一个multiplexing版本,使用github.com/xtaci/smux实现了tcp链接的多路复用,
鼎鼎大名的kcp-go底层就是使用的这个库,基于kcp-go的双边加速工具kcptun的广泛使用已经很好
的验证来该库的强大与稳定。multiplexing版的内网穿透对应的子命令分别是server,client,bridge
使用方式和参数与之前的子命令tserver,tclient,tserver完全一样,另外server,client增加了
压缩传输参数--c,使用压缩传输速度更快。
v3.9
1.增加了守护运行参数--forever,比如: proxy http --forever ,
proxy会fork子进程,然后监控子进程,如果子进程异常退出,5秒后重启子进程.
该参数配合后台运行参数--daemon和日志参数--log,可以保障proxy一直在后台执行不会因为意外退出,
而且可以通过日志文件看到proxy的输出日志内容.
比如: proxy http -p ":9090" --forever --log proxy.log --daemon
v3.8
1.增加了日志输出到文件--log参数,比如: --log proxy.log,日志就会输出到proxy.log方便排除问题.
v3.7
1.修复了socks代理不能正常和上级代理通讯的问题.
v3.6
1.http(s),socks代理,集成了外部HTTP API认证,可以通过外部API对用户名和密码进行认证.
2.手册http(s),socks代理认证部分增加了集成外部HTTP API认证的使用说明.
v3.5
1.优化了kcp参数,速度有所提升.
2.修复了socks无法正常工作的问题.
3.修正了文档中的一些描述.
4.tcp代理增加了kcp协议传输数据.
5.优化了死循环检查,增加了添加本地IP参数,当VPS在nat设备后面,
vps上网卡IP都是内网IP,这个时候可以通过-g参数添加vps的外网ip防止死循环.
6.增加了--daemon参数,可以后台运行程序哟.
v3.4
1.socks5代理新增了用户名密码验证支持.
2.socks5,http(s)代理增加了kcp传输协议支持.
3.优化了内网穿透的心跳机制.
v3.3
1.修复了socks代理模式对证书文件的判断逻辑.
2.增强了http代理,socks代理的ssh中转模式的稳定性.
3.socks代理tls,tcp模式新增了CMD_ASSOCIATE(udp)支持.socks代理ssh模式不支持udp.
4.修复了http代理某些情况下会崩溃的bug.
v3.2
1.内网穿透功能server端-r参数增加了协议和key设置.
2.手册增加了对-r参数的详细说明.
3.修复了普通模式也检查证书文件的bug.
4.增加了Socks5支持,目前只支持TCP协议,不支持UDP协议.
5.Socks5上级代理支持ssh中转,linux服务器不需要任何服务端,本地一个proxy即可开心上网.
6.http(s)代理增加了ssh中转支持,linux服务器不需要任何服务端,本地一个proxy即可开心上网.
v3.1
1.优化了内网穿透功能,bridge,client和server只需要启动一个即可。
server端启动的时候可以指定client端要暴露的一个或者多个端口。
2.修复了重复解析命令行参数的问题。
3.手册增加了微信接口本地开发的示例。
4.增加了配置文件使用说明.
v3.0
1.此次更新不兼容2.x版本,重构了全部代码,架构更合理,利于功能模块的增加与维护。
2.增加了代理死循环检查,增强了安全性。
3.增加了反向代理模式(即:内网穿透),支持TCP和UDP两种协议,可以把任何局域网的机器A所在网络的任何端。
暴露到任何局域网的机器B的本地端口或暴露到任何公网VPS上。
4.正向代理增加了UDP模式支持。
v2.2
1.增加了强制使用上级代理参数always.可以使所有流量都走上级代理。
2.增加了定时检查网络是否正常,可以在本地网络不稳定的时候修复连接池状态,提升代理访问体验。
3.http代理增加了对ipv6地址的支持。
v2.1
1.增加了http basic验证功能,可以对http代理协议设置basic验证,用户名和密码支持来自文件或者命令行。
2.优化了域名检查方法,避免空连接的出现。
3.修复了连接上级代理超时参数传递错误导致超时过大的问题。
4.增加了连接池状态监测,如果上级代理或者网络出现问题,会及时重新初始化连接池,防止大量无效连接,降低浏览体验。
5.增加了对系统kill信号的捕获,可以在收到系统kill信号之后执行清理释放连接的操作.避免出现大量CLOSE_WAIT。
v2.0
1.增加了连接池功能,大幅提高了通过上级代理访问的速度。
2.HTTP代理模式,优化了请求URL的获取逻辑,可以支持:http,https,websocke。
3.增加了TCP代理模式,支持是否加密通讯。
4.优化了链接关闭逻辑,避免出现大量CLOSE_WAIT。
5.增加了黑白名单机制,更自由快速的访问。
6.优化了网站Block机制检测,判断更准确。
v1.0
1.始发版本,可以代理http,https。
================================================
FILE: ISSUE_TEMPLATE.md
================================================
# 为避免浪费时间,一切不按着issue模版填写的问题,一律默认忽略处理,谢谢合作!
# Avoid waste time, any report not match the issue template will be ignored.
## Expected Behavior
<!--- Tell us what should happen -->
## Current Behavior
<!--- Tell us what happens instead of the expected behavior -->
## Possible Solution
<!--- Not obligatory, but suggest a fix/reason for the bug, -->
## Steps to Reproduce
<!--- Provide a link to a live example, or an unambiguous set of steps to -->
<!--- reproduce this bug. Include code to reproduce, if relevant -->
1.
1.
1.
1.
## Context (Environment)
<!--- How has this issue affected you? What are you trying to accomplish? -->
<!--- Providing context helps us come up with a solution that is most useful in the real world -->
1. proxy version is : v?
1. full command is :?
1. system is :
1. full log is: ?
<!--- Provide a general summary of the issue in the Title above -->
## Detailed Description
<!--- Provide a detailed description of the change or addition you are proposing -->
## Possible Implementation
<!--- Not obligatory, but suggest an idea for implementing addition or change -->
================================================
FILE: LICENSE
================================================
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU General Public License is a free, copyleft license for
software and other kinds of works.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users. We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors. You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too, receive
or can get the source code. And you must show them these terms so they
know their rights.
Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.
For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.
Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so. This is fundamentally incompatible with the aim of
protecting users' freedom to change the software. The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable. Therefore, we
have designed this version of the GPL to prohibit the practice for those
products. If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.
Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary. To prevent this, the GPL assures that
patents cannot be used to render the program non-free.
The precise terms and conditions for copying, distribution and
modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Use with the GNU Affero General Public License.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU Affero General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the special requirements of the GNU Affero General Public License,
section 13, concerning interaction through a network will apply to the
combination as such.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
{one line to give the program's name and a brief idea of what it does.}
Copyright (C) {year} {name of author}
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If the program does terminal interaction, make it output a short
notice like this when it starts in an interactive mode:
{project} Copyright (C) {year} {fullname}
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, your program's commands
might be different; for a GUI interface, you would use an "about box".
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU GPL, see
<http://www.gnu.org/licenses/>.
The GNU General Public License does not permit incorporating your program
into proprietary programs. If your program is a subroutine library, you
may consider it more useful to permit linking proprietary applications with
the library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License. But first, please read
<http://www.gnu.org/philosophy/why-not-lgpl.html>.
================================================
FILE: README.md
================================================
## GOPROXY Introduction
<div align="center">
<img src="https://mirrors.goproxyauth.com/https://raw.githubusercontent.com/snail007/goproxy/master/doc/images/logo.jpg" width="500" height="auto"/>
[](https://github.com/snail007/goproxy/) []() [](https://github.com/snail007/goproxy/releases) [](https://github.com/snail007/goproxy/releases)
---
The GoProxy is a high-performance http proxy, https proxy, socks5 proxy, ss proxy, websocket proxies, tcp proxies, udp proxies, game shield, game proxies. Support forward proxies, reverse proxy, transparent proxy, internet nat proxies, https proxy load balancing, http proxy load balancing , socks5 proxies load balancing, socket proxy load balancing, ss proxy load balancing, TCP / UDP port mapping, SSH transit, TLS encrypted transmission, protocol conversion, anti-pollution DNS proxy, API authentication, speed limit, limit connection. Reverse proxies to help you expose a local server behind a NAT or firewall to the internet so that you or your visitors can access it directly and easily.
</div>
---
## 中文用户请看 *中文说明*,中文与英文内容的安装等资源链接是不一样的,谢谢合作!
### [Official Website](https://www.goproxy.win/)
### [官方网站](https://www.goproxy.win/)
### [点击我观看视频教程](https://space.bilibili.com/472844633)
- [中文 README ](https://github.com/snail007/goproxy/blob/master/README_ZH.md)
- [使用手册](https://snail007.goproxyauth.com/goproxy/manual/zh/)
- [下载地址](https://github.com/snail007/goproxy/releases)
- [Download](https://github.com/snail007/goproxy/releases)
- [Desktop Edition](https://github.com/snail007/proxy_admin_free)
- [Android Global Edition](https://github.com/snail007/goproxy-ss-plugin-android)
- [Android Server Edition](https://github.com/snail007/goproxy-android)
- [SDK](https://github.com/snail007/goproxy-sdk)
- [GORPOXY Manual](https://snail007.github.io/goproxy/manual/)
- [GORPOXY Tutorial](https://snail007.github.io/goproxy)
- [Free version VS commercial version](https://snail007.github.io/goproxy/page/free_vs_commercial/)
### ProxyAdmin Demo
And ProxyAdmin is a powerful web console of snail007/goproxy .
### What can it do?
- Chained proxies, the program itself can be used as an proxies, and if it is set up, it can be used as a secondary proxies or even an N-level proxies.
- Communication encryption, if the program is not a level one proxies, and the upper level proxies is also the program, then the communication between the upper level proxies and the upper level proxies can be encrypted, and the underlying tls high-intensity encryption is used, and the security is featureless.
- Smart HTTP, SOCKS5 proxy, will automatically determine whether the visited website is blocked. If it is blocked, it will use the upstream proxies (provided that the upstream proxies is configured) to access the website; if the visited website is not blocked, in order to speed up the access, the proxies will Direct access to the website without using a upstream proxies.
- Domain name black and white list, more free to control the way the website is accessed.
- Cross-platform, whether you are windows, linux, mac, or even raspberry pie, you can run the proxy very well.
- Multi-protocol support, support for HTTP(S), TCP, UDP, Websocket, SOCKS5 proxy.
- TCP/UDP port forwarding.
- Support intranet penetration, protocol supports TCP and UDP.
- SSH relay, HTTP (S), SOCKS5 proxy supports SSH relay, the upper Linux server does not need any server, a local proxy can be happy online.
- [KCP](https://github.com/xtaci/kcp-go) protocol support, HTTP(S), SOCKS5, SPS proxy supports KCP protocol to transmit data, reduce latency and improve browsing experience.
- Dynamic selection of upstream proxies, through the external API, HTTP (S), SOCKS5, SPS proxies can achieve user-based or IP-based speed limit, connection limit, dynamic access to upstream.
- Flexible upstream allocation, HTTP(S), SOCKS5 proxy can implement user- or IP-based speed limit, connection limit, and upper-level through configuration files.
- Transparent HTTP (S) proxy, in conjunction with iptables, forwards the outgoing 80, 443 traffic directly to the proxy at the gateway, enabling non-aware intelligent router proxy.
- Protocol conversion, which can convert existing HTTP(S) or SOCKS5 or SS proxy into one port and support HTTP(S) and SOCKS5 and SS proxy at the same time. Converted SOCKS5 and SS proxy. If the upstream is SOCKS5 proxy, then UDP is supported. Features while supporting powerful cascading authentication.
- Custom underlying encrypted transmission, http(s)\sps\socks proxy can encrypt tcp data via tls standard encryption and kcp protocol on top of tcp, in addition to support custom encryption after tls and kcp, that is Said custom encryption and tls|kcp can be used in combination, the internal AES256 encryption, you only need to define a password when you use it.
- Underlying compression efficient transmission, http(s)\sps\socks proxy can encrypt tcp data through custom encryption and tls standard encryption and kcp protocol on tcp, and can also compress data after encryption, that is, compression function And custom encryption and tls|kcp can be used in combination.
- Secure DNS proxy, which can secure and prevent pollution DNS queries through encrypted proxy communication between the DNS proxy server provided by the local proxy and the upstream proxy.
- Load balancing, high availability, HTTP(S)\SOCKS5\SPS proxies supports upstream load balancing and high availability, and multiple upstream repeat-P parameters can be used.
- Specify the egress IP. The HTTP(S)\SOCKS5\SPS\TCP proxy supports the client to connect with the ingress IP, and uses the ingress IP as the egress IP to access the target website. If the ingress IP is an intranet IP, the egress IP does not use the ingress IP.
- Support speed limit, HTTP(S)\SOCKS5\SPS\TCP proxy supports speed limit.
- SOCKS5 proxies supports cascading certification.
- The certificate parameter uses base64 data. By default, the -C, -K parameter is the path of the crt certificate and the key file. If it is the beginning of base64://, then the latter data is considered to be base64 encoded and will be used after decoding.
- Support client IP black and white list, more secure control of client access to proxy service, if black and white list is set at the same time, then only whitelist is effective. Socks / HTTP(S) / SPS / TCP / UDP / DNS / intranet NAT The bridge/intranet NAT the tbridge and supports the client IP black and white list.
- Range ports listen on, HTTP(S)\SOCKS5\SPS\TCP proxy supports port range listening, avoiding starting too many processes and improving performance.
### Why do you need it?
- When for some reason we are unable to access our services elsewhere, we can establish a secure tunnel to access our services through multiple connected proxy nodes.
- WeChat interface is developed locally for easy debugging.
- Remote access to intranet machines.
- Play LAN games with your friends.
- I used to play only on the LAN, and now I can play anywhere.
- Replace the sword inside Netnet, show IP internal Netcom, peanut shell and other tools.
- ..
The manual on this page applies to the latest version of goproxy. Other versions may not be applicable. Please use the command according to your own instructions.
### Joining the organization
[Click to join the Telegram](https://t.me/snail007_goproxy)
## Download and install
### Quick installation
0. If your VPS is a Linux 64-bit system, you only need to execute the following sentence to complete the automatic installation and configuration.
Tip: All operations require root privileges.
The free version performs this:
```shell
bash -c "$(curl -s -L https://raw.githubusercontent.com/snail007/goproxy/master/install_auto.sh)"
```
The commercial version performs this:
```shell
bash -c "$(curl -s -L https://raw.githubusercontent.com/snail007/goproxy/master/install_auto_commercial.sh)"
```
The installation is complete, the configuration directory is /etc/proxy. For more detailed usage, please refer to the manual directory above to learn more about the features you want to use.
If the installation fails or your vps is not a linux64-bit system, follow the semi-automatic steps below to install:
### Manual installation
1. Download the proxy
Download address: https://github.com/snail007/goproxy/releases/latest
Let's take v7.9 as an example. If you have the latest version, please use the latest version of the link. Note that the version number in the download link below is the latest version number.
The free version performs this:
```shell
cd /root/proxy/
wget https://github.com/snail007/goproxy/releases/download/v7.9/proxy-linux-amd64.tar.gz
```
The commercial version performs this:
```shell
cd /root/proxy/
wget https://github.com/snail007/goproxy/releases/download/v7.9/proxy-linux-amd64_commercial.tar.gz
```
2. Download the automatic installation script
The free version performs this:
```shell
cd /root/proxy/
wget https://raw.githubusercontent.com/snail007/goproxy/master/install.sh
chmod +x install.sh
./install.sh
```
The commercial version performs this:
```shell
cd /root/proxy/
wget https://raw.githubusercontent.com/snail007/goproxy/master/install_commercial.sh
chmod +x install_commercial.sh
./install_commercial.sh
```
## UPDATE
proxy update use mirror to download, if your update has error with mirror, you can set an environment variable `UPDATE_MIRROR=false`
Windows: `set UPDATE_MIRROR=false` then `proxy update`
Linux: `export UPDATE_MIRROR=false` then `proxy update`
### Linux
```shell
proxy update
```
Force update.
```shell
proxy update -f
```
### Windows
For example `proxy` placed in `c:\gp\proxy`.
```bat
c:\
cd gp
proxy update
```
Force update.
```shell
c:\
cd gp
proxy update -f
```
## License
Proxy is licensed under GPLv3 license.
## Contact
Official Telegram Group: [goproxy](https://t.me/snail007_goproxy)
### Source code declaration
The author of this project found that a large number of developers based on the project for secondary development or using a large number of core code of the project without complying with the GPLv3 agreement, which seriously violates the original intention of using the GPLv3 open source agreement in this project. In view of this situation, the project adopts the source. The code delays the release strategy, to a certain extent, to curb these behaviors that do not respect open source and do not respect the labor results of others.
This project will continue to update the iterations and continue to release the full platform binary program, providing you with powerful and convenient proxies tools.
If you have customized, business needs, please send an email to `arraykeys@gmail.com`
## Goproxy Manual
## How to Install
### 1. Linux Install
[click me get Linux installation](https://github.com/snail007/goproxy/blob/master/README_ZH.md#%E4%B8%8B%E8%BD%BD%E5%AE%89%E8%A3%85-goproxy)
### 2. MacOS Install
[click me get MacOS installation](https://github.com/snail007/proxy_admin_free/blob/master/README_ZH.md#%E8%A7%86%E9%A2%91%E5%AE%89%E8%A3%85%E6%95%99%E7%A8%8B)
### 3. Windows Install
[click me get Windows installation](https://github.com/snail007/proxy_admin_free/blob/master/README_ZH.md#%E8%A7%86%E9%A2%91%E5%AE%89%E8%A3%85%E6%95%99%E7%A8%8B)
### 4. Others Install
[click me get Windows installation](https://github.com/snail007/goproxy/blob/master/README_ZH.md#%E6%89%8B%E5%8A%A8%E5%AE%89%E8%A3%85-goproxy)
## Purchase Commercial Edition
This manual describes the functions, all of which are included in the commercial version; the free version of advanced
functional parameters such as authentication is not included;
If you encounter some commands when you use the free version to execute some commands, a prompt similar to the following
xxx parameter does not exist, indicating that this parameter is a function of the commercial version.
`err: unknown long flag '-a'`
Comparison between the features of the free version and the commercial version, detailed operations on how to purchase
and use the commercial
version [please click here to view](https://snail007.goproxyauth.com/goproxy/page/free_vs_commercial_en/)
## First Start
### 1. Environment
The manual tutorial, the default system is linux, the program is proxy; all operations require root privileges;
If you are windows, please use the windows version of proxy.exe.
### 2. Using configuration files
The next tutorial will introduce the usage method through the command line parameters, or you can get the parameters by reading the configuration file.
The specific format is to specify the configuration file by the @ symbol, for example: proxy @configfile.txt
The format in configfile.txt is that the first line is the name of the subcommand, and the second line starts with one parameter per line.
Format: `parameter Parameter value`, direct write parameter without parameter value, for example: --nolog
For example, the contents of configfile.txt are as follows:
```shell
Http
-t tcp
-p :33080
--forever
```
### 3. Debug output
By default, the information output by the log does not include the number of file lines. In some cases, in order to troubleshoot the program, the problem is quickly located.
You can use the --debug parameter to output the number of lines of code and milliseconds.
### 4. Using log files
By default, the log is displayed directly in the console. If you want to save to a file, you can use the --log parameter.
For example: --log proxy.log, the log will be output to the proxy.log to facilitate troubleshooting.
Logging INFO and WARN by default, you can set `--warn` to output warn logging only.
### 5. Generate the certificate file required for encrypted communication
The http, tcp, udp proxy process communicates with the upstream. For security, we use encrypted communication. Of course, we can choose not to encrypt the communication. All the communication and the upstream communication in this tutorial are encrypted, and the certificate file is required.
1. Generate a self-signed certificate and key file with the following command.
`proxy keygen -C proxy`
The certificate file proxy.crt and the key file proxy.key will be generated under the current program directory.
2. Use the following command to generate a new certificate using the self-signed certificate proxy.crt and the key file proxy.key: goproxy.crt and goproxy.key.
`proxy keygen -s -C proxy -c goproxy`
The certificate file goproxy.crt and the key file goproxy.key will be generated under the current program directory.
3. By default, the domain name inside the certificate is random and can be specified using the `-n test.com` parameter.
4. More usage: `proxy keygen --help`.
### 6. Running in the background
After the proxy is executed by default, you cannot close the command line if you want to keep the proxy running.
If you want to run the proxy in the background, the command line can be closed, just add the --daemon parameter at the end of the command.
For example:
`proxy http -t tcp -p "0.0.0.0:38080" --daemon`
### 7. Guardian running
The daemon runs the parameter --forever, for example: `proxy http --forever` ,
The proxy will fork the child process, and then monitor the child process. If the child process exits abnormally, restart the child process after 5 seconds.
This parameter is matched with the background running parameter --daemon and log parameter --log, which can guarantee that the proxy will always execute in the background without accidentally exiting.
And you can see the output log content of the proxy through the log file.
For example: `proxy http -p ":9090" --forever --log proxy.log --daemon`
### 8. Security advice
When the VPS is behind the nat device, the vps network interface IP is the intranet IP. At this time, you can use the -g parameter to add the vps external network ip to prevent the infinite loop.
Suppose your vps external network ip is 23.23.23.23. The following command sets 23.23.23.23 with the -g parameter.
`proxy http -g "23.23.23.23"`
### 9. Load balancing and high availability
The HTTP(S)\SOCKS5\SPS proxy supports upper-level load balancing and high availability, and multiple upstream repeat-P parameters can be used.
The load balancing policy supports five types, which can be specified by the `--lb-method` parameter:
Roundrobin used in turn
Leastconn uses the minimum number of connections
Leasttime uses the least connection time
Hash uses a fixed upstream based on the client address
Weight Select a upstream according to the weight and number of connections of each upstream
prompt:
1. The load balancing check interval can be set by `--lb-retrytime` in milliseconds.
2. The load balancing connection timeout can be set by `--lb-timeout` in milliseconds.
3. If the load balancing policy is weight, the -P format is: 2.2.2.2: 3880?w=1, where 1 is the weight and an integer greater than 0.
4. If the load balancing policy is hash, the default is to select the upstream based on the client address. You can select the upstream by using the destination address of the access `--lb-hashtarget`.
5. The TCP proxies has no parameter `--lb-hashtarget`.
6. Default is load balancing + high availability mode. If the parameter `--lb-onlyha` is used, only the high availability mode is used, then a node is selected according to the load balancing strategy, and this node will be used until it is not alive, then another node will be selected for using, thus cycling.
7. If the all nodes are not alive, a random node will be selected for using.
### 10. Agent springboard jump
Http (s) agent, SPS agent, intranet penetration, tcp agent support the connection of upstreams through intermediate third-party agents,
The parameters are: --jumper, all the formats are as follows:
```text
http://username:password@host:port
http://host:port
https://username:password@host:port
https://host:port
socks5://username:password@host:port
socks5://host:port
socks5s://username:password@host:port
socks5s://host:port
ss://method:password@host:port
```
Http,socks5 represents the normal http and socks5 proxy.
Https,socks5s represents the http and socks5 agents protected by tls.
That is http proxy over TLS, socks over TLS.
### 11. Domain Name Black and White List
The socks/http(s)/sps proxy supports domain name black and white lists.
Use the --stop parameter to specify a domain name blacklist file, then the connection will be disconnected when the user connects these domains in the file.
Specify a domain name whitelist file with the --only parameter, then the connection will be disconnected when the user connects to a domain other than those domains in the file.
If both --stop and --only are set, then only --only will work.
The format of the black and white domain name list file is as follows:
```text
**.baidu.com
*.taobao.com
A.com
192.168.1.1
192.168.*.*
?.qq.com
```
Description:
1. One domain name per line, domain name writing supports wildcards `*` and `?`, `*` represents any number of characters, `?` represents an arbitrary character,
2.`**.baidu.com` Matches no matter how many levels all suffixes are ..baidu.com`.
3.`*.taobao.com` The matching suffix is the third-level domain name of `.taobao.com`.
4. It can also be an IP address directly.
5.`#` at the beginning of the comment.
### 12. Port Black List
socks/http(s)/sps proxy all support port blacklist.
Use the `--stop-port` parameter to specify a port blacklist file, then when the user connects to the ports in the file, the connection can be made.
The port blacklist file content format is as follows:
```text
3306
22
```
Note:
1. One port per line.
2. The ones starting with `#` are comments.
### 13. Client IP Blacklist and Whitelist
socks/http(s)/sps/tcp/udp/dns/ intranet penetration bridge/intranet penetration tbridge, support client IP black and white list.
Use the --ip-deny parameter to specify a client IP blacklist list file, then the connection will be disconnected when the user's IP is in this file.
Use the --ip-allow parameter to specify a client IP whitelist file, then the connection will be disconnected when the user's IP is not in the file.
If both --ip-deny and --ip-allow are set, then only --ip-allow will work.
The format of the client IP blacklist and whitelist file is as follows:
```text
192.168.1.1
192.168.*.*
192.168.1?.*
```
Description:
1. One domain name per domain, domain name writing supports wildcards `*` and `?`, `*` represents any number of characters, `?` represents an arbitrary character.
2.`#` at the beginning of the comment.
### 14. Protocol loading file
There are many places in the proxy's various proxy functions to set a file. For example: --blocked Specifies a domain name list file that goes directly to the upper level. The parameter value is the path of the file.
If the parameter supports the protocol loading file, the file path can be not only the file path, but also:
a. The base64 encoding at the beginning of "base64://" indicates the contents of the above file, for example: base64://ajfpoajsdfa=
b. "str://" at the beginning of the English comma separated multiple, such as: str://xxx, yyy
The proxy's blocked, direct, stop, only, hosts, resolve.rules, rewriter.rules, ip.allow, ip.deny files support protocol loading.
### 15. Concurrent client connections
socks5\sps\http proxies, the parameter that controls the number of concurrent client connections is: `--max-conns-rate`, which controls the maximum number of client connections per second, default: 20, 0 is unlimited
### 16. Listen on multiple ports
"tcp / http / socks / sps" supports listen on multiple ports and range ports.
Under normal circumstances, it is sufficient to listen on one port, but if you need to listen on multiple ports, the -p parameter is supported.
The format is: `-p 0.0.0.0:80,0.0.0.0:443,.0.0.0.0:8000-9000,:5000-6000`, more The bindings can be separated by commas.
## 1.HTTP Proxies
### 1.1. Ordinary level HTTP proxy
`proxy http -t tcp -p "0.0.0.0:38080"`
Listen port argument `-p` can be:
```text
-p ":8081" listen on 8081
-p ":8081,:8082" listen on 8081 and 8082
-p ":8081,:8082,:9000-9999" listen on 8081 and 8082 and 9000 and 9001 to 9999, 1002 total ports
```
### 1.2. Ordinary secondary HTTP proxy
Use local port 8090, assuming the upstream HTTP proxy is `22.22.22.22:8080`
`proxy http -t tcp -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" `
We can also specify the black and white list file of the website domain name, one domain name per line, the matching rule is the rightmost match, for example: baidu.com, the match is *.*.baidu.com, the blacklist domain name goes directly to the upstream agent, whitelist The domain name does not go to the upstream agent.
`proxy http -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" -b blocked.txt -d direct.txt`
### 1.3.HTTP secondary agent (encryption)
> Note: The `proxy.crt` and `proxy.key` used by the secondary proxy should be consistent with the primary proxy.
Level 1 HTTP proxy (VPS, IP: 22.22.22.22)
`proxy http -t tls -p ":38080" -C proxy.crt -K proxy.key`
Secondary HTTP proxy (local Linux)
`proxy http -t tcp -p ":8080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
Then access the local port 8080 is to access the proxy port 38080 on the VPS.
Secondary HTTP proxy (local windows)
`proxy.exe http -t tcp -p ":8080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
Then set your windos system, the proxy that needs to go through the proxy Internet program is http mode, the address is: 127.0.0.1, the port is: 8080, the program can access the Internet through vps through the encrypted channel.
### 1.4.HTTP Level 3 Agent (Encryption)
Level 1 HTTP proxy VPS_01, IP: 22.22.22.22
`proxy http -t tls -p ":38080" -C proxy.crt -K proxy.key`
Secondary HTTP proxy VPS_02, IP: 33.33.33.33
`proxy http -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
Level 3 HTTP proxy (local)
`proxy http -t tcp -p ":8080" -T tls -P "33.33.33.33:28080" -C proxy.crt -K proxy.key`
Then accessing the local port 8080 is to access the proxy port 38080 on the primary HTTP proxy.
### 1.5.Basic certification
For the proxy HTTP protocol, we can perform Basic authentication. The authenticated username and password can be specified on the command line.
`proxy http -t tcp -p ":33080" -a "user1:pass1" -a "user2:pass2"`
For multiple users, repeat the -a parameter.
It can also be placed in a file in the format of a "username:password" and then specified with -F.
`proxy http -t tcp -p ":33080" -F auth-file.txt`
In addition, the http(s) proxy also integrates external HTTP API authentication. We can specify an http url interface address with the --auth-url parameter.
Then when there is a user connection, the proxy will request the url in GET mode, and bring the following four parameters. If the HTTP status code 204 is returned, the authentication is successful.
In other cases, the authentication failed.
For example:
`proxy http -t tcp -p ":33080" --auth-url "http://test.com/auth.php"`
When the user connects, the proxy will request the url ("http://test.com/auth.php") in GET mode.
Take five parameters: user, pass, ip, local_ip, target:
Http://test.com/auth.php?user={USER}&pass={PASS}&ip={IP}&local_ip={LOCAL_IP}&target={TARGET}
User: username
Pass: password
Ip: User's IP, for example: 192.168.1.200
Local_ip: IP of the server accessed by the user, for example: 3.3.3.3
Target: URL accessed by the user, for example: http://demo.com:80/1.html or https://www.baidu.com:80
If there is no -a or -F or --auth-url parameter, the Basic authentication is turned off.
### 1.6. HTTP proxy traffic is forced to go to the upper HTTP proxy
By default, the proxy will intelligently determine whether a website domain name is inaccessible. If it is not accessible, it will go to the upper level HTTP proxy. With --always, all HTTP proxy traffic can be forced to go to the upper HTTP proxy.
`proxy http --always -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
### 1.7.HTTP(S) via SSH relay
Description: The principle of ssh transfer is to use the forwarding function of ssh, that is, after you connect to ssh, you can access the target address through ssh proxy.
Suppose there is: vps
- IP is 2.2.2.2, ssh port is 22, ssh username is: user, ssh user password is: demo
- The user's ssh private key name is user.key
#### *1.7.1 How to ssh username and password*
Local HTTP(S) proxy port 28080, executing:
`proxy http -T ssh -P "2.2.2.2:22" -u user -D demo -t tcp -p ":28080"`
#### *1.7.2 How to ssh username and key*
Local HTTP(S) proxy port 28080, executing:
`proxy http -T ssh -P "2.2.2.2:22" -u user -S user.key -t tcp -p ":28080"`
### 1.8.KCP protocol transmission
The KCP protocol requires the --kcp-key parameter to set a password for encrypting and decrypting data.
Level 1 HTTP proxy (VPS, IP: 22.22.22.22)
`proxy http -t kcp -p ":38080" --kcp-key mypassword`
Secondary HTTP proxy (local Linux)
`proxy http -t tcp -p ":8080" -T kcp -P "22.22.22.22:38080" --kcp-key mypassword`
Then access the local port 8080 is to access the proxy port 38080 on the VPS, the data is transmitted through the kcp protocol, note that the kcp is the udp protocol, so the firewall needs to release the 380p udp protocol.
### 1.9 HTTP(S) Reverse Proxy
The proxy not only supports the proxy setting in other software, but also provides proxy services for other software. It also supports directly parsing the requested website domain name to the proxy listening ip, and then the proxy listens to the 80 and 443 ports, then the proxy will automatically You proxy access to the HTTP(S) website you need to access.
How to use:
On the "last level proxy proxy" machine, because the proxy is to be disguised as all websites, the default HTTP port of the website is 80, HTTPS is 443, and the proxy can listen to ports 80 and 443. Parameters -p multiple addresses with commas segmentation.
`proxy http -t tcp -p :80,:443`
This command starts a proxy agent on the machine, and listens to ports 80 and 443 at the same time. It can be used as a normal proxy, or directly resolve the domain name that needs to be proxyed to the IP of this machine.
If there is a upstream agent, then refer to the above tutorial to set the upstream, the use is exactly the same.
`proxy http -t tcp -p :80,:443 -T tls -P "2.2.2.2:33080" -C proxy.crt -K proxy.key`
Note:
The DNS resolution result of the server where the proxy is located cannot be affected by the custom resolution,
otherwise it will be infinite loop. The proxy proxy should specify the `--dns-address 8.8.8.8` parameter.
### 1.10 HTTP(S) Transparent Proxy
This mode needs to have a certain network foundation. If the related concepts are not understood, please search for it yourself.
Assuming the proxy is now running on the router, the startup command is as follows:
`proxy http -t tcp -p :33080 -T tls -P "2.2.2.2:33090" -C proxy.crt -K proxy.key`
Then add the iptables rule, here are the reference rules:
```shell
#Upper proxy server IP address:
Proxy_server_ip=2.2.2.2
#路由器Running port for proxy listening:
Proxy_local_port=33080
#The following does not need to be modified
#create a new chain named PROXY
Iptables -t nat -N PROXY
# Ignore your PROXY server's addresses
# It's very IMPORTANT, just be careful.
Iptables -t nat -A PROXY -d $proxy_server_ip -j RETURN
# Ignore LANs IP address
Iptables -t nat -A PROXY -d 0.0.0.0/8 -j RETURN
Iptables -t nat -A PROXY -d 10.0.0.0/8 -j RETURN
Iptables -t nat -A PROXY -d 127.0.0.0/8 -j RETURN
Iptables -t nat -A PROXY -d 169.254.0.0/16 -j RETURN
Iptables -t nat -A PROXY -d 172.16.0.0/12 -j RETURN
Iptables -t nat -A PROXY -d 192.168.0.0/16 -j RETURN
Iptables -t nat -A PROXY -d 224.0.0.0/4 -j RETURN
Iptables -t nat -A PROXY -d 240.0.0.0/4 -j RETURN
# Anything to port 80 443 should be redirected to PROXY's local port
Iptables -t nat -A PROXY -p tcp --dport 80 -j REDIRECT --to-ports $proxy_local_port
Iptables -t nat -A PROXY -p tcp --dport 443 -j REDIRECT --to-ports $proxy_local_port
# Apply the rules to nat client
Iptables -t nat -A PREROUTING -p tcp -j PROXY
# Apply the rules to localhost
Iptables -t nat -A OUTPUT -p tcp -j PROXY
```
- Clear the entire chain iptables -F Chain names such as iptables -t nat -F PROXY
- Delete the specified user-defined chain iptables -X chain name such as iptables -t nat -X PROXY
- Remove rules from the selected chain iptables -D chain name Rule details such as iptables -t nat -D PROXY -d 223.223.192.0/255.255.240.0 -j RETURN
### 1.11 Custom DNS
--dns-address and --dns-ttl parameters, used to specify the dns (--dns-address) used by the proxy to access the domain name.
And the analysis result cache time (--dns-ttl) seconds, to avoid system dns interference to the proxy, in addition to the cache function can also reduce the dns resolution time to improve access speed.
For example:
`proxy http -p ":33080" --dns-address "8.8.8.8:53" --dns-ttl 300`
`--dns-address` supports multiple dns addresses, load balancing, separated by comma. For example: `--dns-address "1.1.1.1:53,8.8.8.8:53"`
You can also use the parameter `--dns-interface` to specify the bandwidth used for dns resolution,
for example: `--dns-interface eth0`, dns resolution will use the eth0 bandwidth, this parameter must be set to `--dns-address` to be effective.
### 1.12 Custom encryption
The proxy's http(s) proxy can encrypt tcp data via tls standard encryption and kcp protocol on top of tcp, in addition to support customization after tls and kcp.
Encryption, that is to say, custom encryption and tls|kcp can be used in combination. The internal use of AES256 encryption, you only need to define a password when you use it.
Encryption is divided into two parts, one is whether the local (-z) encryption and decryption, and the other is whether the transmission with the upstream (-Z) is encrypted or decrypted.
Custom encryption requires both ends to be proxy. The following two levels and three levels are used as examples:
Secondary instance
Execute on level 1 vps (ip: 2.2.2.2):
`proxy http -t tcp -z demo_password -p :7777`
Local secondary execution:
`proxy http -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080`
In this way, when the website is accessed through the local agent 8080, the target website is accessed through encrypted transmission with the upstream.
Three-level instance
Execute on level 1 vps (ip: 2.2.2.2):
`proxy http -t tcp -z demo_password -p :7777`
Execute on the secondary vps (ip: 3.3.3.3):
`proxy http -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888`
Local three-level execution:
`proxy http -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080`
In this way, when the website is accessed through the local agent 8080, the target website is accessed through encrypted transmission with the upstream.
### 1.13 Compressed transmission
The proxy http(s) proxy can encrypt tcp data through tls standard encryption and kcp protocol on top of tcp, and can also compress data before custom encryption.
That is to say, compression and custom encryption and tls|kcp can be used in combination. Compression is divided into two parts, one part is local (-m) compression transmission.
Part of it is compressed with the upstream (-M) transmission.
Compression requires both sides to be proxy. Compression also protects (encrypted) data to a certain extent. The following uses Level 2 and Level 3 as examples:
Secondary instance
Execute on level 1 vps (ip: 2.2.2.2):
`proxy http -t tcp -m -p :7777`
Local secondary execution:
`proxy http -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080`
In this way, when the website is accessed through the local agent 8080, the target website is accessed through compression with the upstream.
Three-level instance
Execute on level 1 vps (ip: 2.2.2.2):
`proxy http -t tcp -m -p :7777`
Execute on the secondary vps (ip: 3.3.3.3):
`proxy http -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888`
Local three-level execution:
`proxy http -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080`
In this way, when the website is accessed through the local agent 8080, the target website is accessed through compression with the upstream.
### 1.14 Load Balancing
The HTTP(S) proxy supports upper-level load balancing, and multiple upstream repeat-P parameters can be used.
`proxy http --lb-method=hash -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080`
### 1.14.1 Setting the retry interval and timeout time
`proxy http --lb-method=leastconn --lb-retrytime 300 --lb-timeout 300 -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080 -t tcp - p :33080`
### 1.14.2 Setting weights
`proxy http --lb-method=weight -T tcp -P 1.1.1.1:33080?w=1 -P 2.1.1.1:33080?w=2 -P 3.1.1.1:33080?w=1 -t tcp - p :33080`
### 1.14.3 Use the target address to select the upstream
`proxy http --lb-hashtarget --lb-method=hash -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080 -t tcp -p :33080`
### 1.15 Speed limit
The speed limit is 100K, which can be specified by the `-l` parameter, for example: 100K 2000K 1M . 0 means no limit.
`proxy http -t tcp -p 2.2.2.2:33080 -l 100K`
### 1.16 Specifying Outgoing IP
The `--bind-listen` parameter can be used to open the client connection with the portal IP, and use the portal IP as the outgoing IP to access the target website. If the incorrect IP is bound, the proxy will not work. At this point, the proxy will try to bind the target without binding the IP, and the log will prompt.
`proxy http -t tcp -p 2.2.2.2:33080 --bind-listen`
#### Flexible Outgoing IP
Although the above `--bind-listen` parameter can specify the outgoing IP, the `entry IP` and the `outgoing IP` cannot be referenced artificially. If you want the ingress IP and the egress IP to be different, you can use the `--bind-ip` parameter, format: `IP:port`, for example: `1.1.1.1:8080`, `[2000:0:0:0:0 :0:0:1]:8080`. For multiple binding requirements, the `--bind-ip` parameter can be repeated.
For example, this machine has IP `5.5.5.5`, `6.6.6.6`, and monitors two ports `8888` and `7777`, the command is as follows:
`Proxy tcp -t tcp -p :8888,:7777 --bind-ip 5.5.5.5:7777 --bind-ip 6.6.6.6:8888 -T tcp -P 2.2.2.2:3322`
Then the client access port `7777`, the outgoing IP is `5.5.5.5`, access port `8888`, the outgoing IP is `6.6.6.6`, if both `--bind-ip` and `--bind- are set at the same time listen`,`--bind-ip` has higher priority.
s
In addition, the `IP` part of the `--bind-ip` parameter supports specifying the `network interface name`, `wildcards`, and more than one can be specified. The detailed description is as follows:
- Specify the network interface name, such as: `--bind-ip eth0:7777`, and then the client accesses the `7777` port, and the egress IP is the IP of the eth0 network interface.
- The network interface name supports wildcards, such as: `--bind-ip eth0.*:7777`, then the client accesses the port `7777`, and the egress IP is randomly selected from the IP of the network interface starting with `eth0.`.
- IP supports wildcards, such as: `--bind-ip 192.168.?.*:777`, then the client accesses the `7777` port, the outgoing IP is all the IPs of the machine, and matches the IP of `192.168.?.*` A randomly selected one.
- It can also be several combinations of network interface name and IP, and several selective divisions using half-width, such as: `-bind-ip pppoe??,192.168.?.*:7777`, and then the client accesses the `7777` port , The outgoing IP is the machine's network interface name matching `pppoe??`
It is randomly selected from the IP matching `192.168.?.*` in the machine IP.
- The wildcard character `*` represents 0 to any character, `? `Represents 1 character.
- If the IP of the network interface changes, it will take effect in real time.
- You can use the `--bind-refresh` parameter to specify the interval to refresh the local network interface information, the default is `5`, the unit is second.
### 1.17 Certificate parameters use base64 data
By default, the -C, -K parameter is the path to the crt certificate and the key file.
If it is the beginning of base64://, then the latter data is considered to be base64 encoded and will be used after decoding.
### 1.18 Intelligent mode
Intelligent mode setting, can be one of intelligent|direct|parent.
The default is: parent.
The meaning of each value is as follows:
`--intelligent=direct`, the targets in the blocked are not directly connected.
`--intelligent=parent`, the target that is not in the direct is going to the higher level.
`--intelligent=intelligent`, blocked and direct have no targets, intelligently determine whether to use the upstream access target.
### 1.19 Help
`proxy help http`
## 2.TCP Proxies
### 2.1. Ordinary level TCP proxy
Local execution:
`proxy tcp -p ":33080" -T tcp -P "192.168.22.33:22"`
Then access the local port 33080 is to access port 22 of 192.168.22.33.
The `-p` parameter supports :
```text
-p ":8081" listen on 8081
-p ":8081,:8082" listen on 8081 and 8082
-p ":8081,:8082,:9000-9999" listen on 8081 and 8082 and 9000, 9001 to 9999 for a total of 1002 ports
```
If the number of local listening ports is greater than 1, the corresponding upper port corresponding to the local port will be connected, and the port in `-P` will be ignored.
If you need a connection from all ports, connect to the upper specified port, you can add the parameter `--lock-port`.
such as:
`proxy tcp -p ":33080-33085" -T tcp -P "192.168.22.33:0"`
Then the connection of the `33080` port will connect to the `33080` port of 192.168.22.33, and the other ports are similar. The local and upper ports are the same. At this time, the port in the parameter `-P` uses `0`.
If you want to connect the ports of `33080`, `33081`, etc. to the `22` port of 192.168.22.33, you can add the parameter `--lock-port`.
`proxy tcp -p ":33080-33085" -T tcp -P "192.168.22.33:22" --lock-port`
### 2.2. Ordinary secondary TCP proxy
VPS (IP: 22.22.2.33) is executed:
`proxy tcp -p ":33080" -T tcp -P "127.0.0.1:8080"`
Local execution:
`proxy tcp -p ":23080" -T tcp -P "22.22.22.33:33080"`
Then access the local port 23080 is to access port 8020 of 22.22.22.33.
### 2.3. Ordinary three-level TCP proxy
Primary TCP proxy VPS_01, IP: 22.22.22.22
`proxy tcp -p ":38080" -T tcp -P "66.66.66.66:8080"`
Secondary TCP proxy VPS_02, IP: 33.33.33.33
`proxy tcp -p ":28080" -T tcp -P "22.22.22.22:38080"`
Level 3 TCP proxy (local)
`proxy tcp -p ":8080" -T tcp -P "33.33.33.33:28080"`
Then access the local port 8080 is to access the port 8080 of 66.66.66.66 through the encrypted TCP tunnel.
### 2.4. Encrypting secondary TCP proxy
VPS (IP: 22.22.2.33) is executed:
`proxy tcp -t tls -p ":33080" -T tcp -P "127.0.0.1:8080" -C proxy.crt -K proxy.key`
Local execution:
`proxy tcp -p ":23080" -T tls -P "22.22.22.33:33080" -C proxy.crt -K proxy.key`
Then access the local port 23080 is to access the port 8080 of 22.22.22.33 through the encrypted TCP tunnel.
### 2.5.Encrypting Level 3 TCP Agent
Primary TCP proxy VPS_01, IP: 22.22.22.22
`proxy tcp -t tls -p ":38080" -T tcp -P "66.66.66.66:8080" -C proxy.crt -K proxy.key`
Secondary TCP proxy VPS_02, IP: 33.33.33.33
`proxy tcp -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
Level 3 TCP proxy (local)
`proxy tcp -p ":8080" -T tls -P "33.33.33.33:28080" -C proxy.crt -K proxy.key`
Then access the local port 8080 is to access the port 8080 of 66.66.66.66 through the encrypted TCP tunnel.
### 2.6 Connecting to a upstream through a proxy
Sometimes the network where the proxy is located cannot directly access the external network. You need to use an https or socks5 proxy to access the Internet. Then this time
The -J parameter can help you to connect the proxy to the peer-P through the https or socks5 proxy when mapping the proxy tcp port, mapping the external port to the local.
The -J parameter format is as follows:
Https proxy writing:
The proxy needs authentication, username: username password: password
Https://username:password@host:port
Agent does not require authentication
Https://host:port
Socks5 proxy writing:
The proxy needs authentication, username: username password: password
Socks5://username:password@host:port
Agent does not require authentication
Socks5://host:port
Host: the IP or domain name of the proxy
Port: the port of the proxy
### 2.7 Specify Outgoing IP
When the TCP proxy is a superior type (parameter: -T) is tcp, it supports the specified outgoing IP. Using
the `--bind-listen` parameter, you can open the client to connect with the portal IP, and use the portal IP as the
outgoing IP to access the target website. If an incorrect IP is bound, the proxy will not work, the proxy will try to
bind the target without binding the IP, and the log will prompt.
`proxy tcp -p ":33080" -T tcp -P" 192.168.22.33:22" -B`
#### Flexible Outgoing IP
Although the above `--bind-listen` parameter can specify the outgoing IP, the `entry IP` and the ` outgoing IP` cannot be referenced artificially. If you want the ingress IP to be different from the egress IP, you can use the `--bind-ip` parameter, format: `IP:port`, for example: `1.1.1.1:8080`
, `[2000:0:0:0:0:0:0:1]:8080`. For multiple binding requirements, you can repeat the `--bind-ip` parameter identification.
For example, this machine has IP `5.5.5.5`, `6.6.6.6`, and monitors two ports `8888` and `7777`, the command is as follows:
`Proxy tcp -t tcp -p :8888,:7777 --bind-ip 5.5.5.5:7777 --bind-ip 6.6.6.6:8888 -T tcp -P 2.2.2.2:3322`
Then the client access port `7777`, the outgoing IP is `5.5.5.5`, access port `8888`, the outgoing IP is `6.6.6.6`, if both `--bind-ip` and `--bind- are set at the same time listen`,`--bind-ip` has higher priority.
In addition, the `IP` part of the `--bind-ip` parameter supports specifying the `network interface name`, `wildcards`, and more than one can be specified. The detailed description is as follows:
- Specify the network interface name, such as: `--bind-ip eth0:7777`, then the client accesses the `7777` port, and the egress IP is the IP of the eth0 network interface.
- The network interface name supports wildcards, for example: `--bind-ip eth0.*:7777`, then the client accesses
the `7777` port, and the egress IP is a randomly selected one of the network interface IPs starting with `eth0.`.
- IP supports wildcards, such as: `--bind-ip 192.168.?.*:7777`, then the client accesses the `7777` port, and the
outgoing IP is all the IPs of the machine, matching the IP of `192.168.?.*` A randomly selected one.
- It can also be multiple combinations of network interface name and IP, separated by half-width commas, such
as: `--bind-ip pppoe??,192.168.?.*:7777`, then the client accesses the port `7777`, The outgoing IP is the machine's
network interface name matching `pppoe??`
It is a randomly selected one among all IPs of the machine that matches `192.168.?.*`.
- The wildcard character `*` represents 0 to any number of characters, and `?` represents 1 character.
- If the IP of the network interface changes, it will take effect in real time.
- You can use the `--bind-refresh` parameter to specify the interval to refresh the local network interface information, the default is `5`, the unit is second.
### 2.8 Speed limit, connections limit
- **Limit count of connections**
The parameter `--max-conns` can limit the maximum number of connections per port.
For example, limit the maximum number of connections per port to 1000:
`proxy tcp -p ":33080" -T tcp -P "192.168.22.33:22" --max-conns 1000`
- **Limit tcp connection rate**
The parameter `--rate-limit` can limit the rate of each tcp connection.
For example, limit the rate of each tcp connection to 100k/s:
`proxy tcp -p ":33080" -T tcp -P "192.168.22.33:22" --rate-limit 100k`
- **Limit client IP total rate**
The parameter `--ip-rate` limit the total rate of each client IP.
For example, limit the total IP rate of each client to 1M/s:
`proxy tcp -p ":33080" -T tcp -P "192.168.22.33:22" --ip-rate 1M`
- **Limit port total rate**
The parameter `--port-rate` limit the total rate of each service port.
For example, limit the total rate of each port to 10M/s:
`proxy tcp -p ":33080" -T tcp -P "192.168.22.33:22" --port-rate 10M`
- **Joint Speed Limit**
`--rate-limit` and (`--ip-rate` or `--port-rate`) can be used together.
Both limit the total rate and limit the rate of a single tcp.
### 2.9 Compressed transmission
`--c` controls whether to compress transmission between local and client, default false;` --C` controls whether to compress transmission between local and upstream, default false.
Examples:
VPS (IP: 22.22.22.33) implementation:
`proxy tcp -t tcp --c -p ":33080" -T tcp -P "127.0.0.1:8080"`
Local execution:
`proxy tcp -t tcp -p ":23080" -T tcp -P "22.22.22.33:33080" --C`
### 2.10 View Help
`proxy help tcp`
## 3.UDP Proxies
### 3.1. Ordinary UDP proxy
Local execution:
`proxy udp -p ":5353" -T udp -P "8.8.8.8:53"`
Then access the local UDP: 5353 port is to access 8.8.8.8 UDP: 53 port.
The `-p` parameter supports :
```text
-p ":8081" listen on 8081
-p ":8081,:8082" listen on 8081 and 8082
-p ":8081,:8082,:9000-9999" listen on 8081 and 8082 and 9000, 9001 to 9999 for a total of 1002 ports
```
If the number of local listening ports is greater than 1, the corresponding upper port corresponding to the local port will be connected, and the port in `-P` will be ignored.
If you need a connection from all ports, connect to the upper specified port, you can add the parameter `--lock-port`.
such as:
`proxy udp -p ":33080-33085" -T udp -P "192.168.22.33:0"`
Then the connection of the `33080` port will connect to the `33080` port of 192.168.22.33, and the other ports are similar. The local and upper ports are the same. At this time, the port in the parameter `-P` uses `0`.
If you want to connect the ports of `33080`, `33081`, etc. to the `2222` port of 192.168.22.33, you can add the parameter `--lock-port`.
`proxy udp -p ":33080-33085" -T udp -P "192.168.22.33:2222" --lock-port`
### 3.2. Ordinary secondary UDP proxy
VPS (IP: 22.22.2.33) is executed:
`proxy tcp -p ":33080" -T udp -P "8.8.8.8:53"`
Local execution:
`proxy udp -p ":5353" -T tcp -P "22.22.22.33:33080"`
Then access the local UDP: 5353 port is through the TCP tunnel, through the VPS access 8.8.8.8 UDP: 53 port.
### 3.3. Ordinary three-level UDP proxy
Primary TCP proxy VPS_01, IP: 22.22.22.22
`proxy tcp -p ":38080" -T udp -P "8.8.8.8:53"`
Secondary TCP proxy VPS_02, IP: 33.33.33.33
`proxy tcp -p ":28080" -T tcp -P "22.22.22.22:38080"`
Level 3 TCP proxy (local)
`proxy udp -p ":5353" -T tcp -P "33.33.33.33:28080"`
Then access to the local 5353 port is through the TCP tunnel, through the VPS to access port 8.8.8.8.
### 3.4. Encrypting secondary UDP proxy
VPS (IP: 22.22.2.33) is executed:
`proxy tcp -t tls -p ":33080" -T udp -P "8.8.8.8:53" -C proxy.crt -K proxy.key`
Local execution:
`proxy udp -p ":5353" -T tls -P "22.22.22.33:33080" -C proxy.crt -K proxy.key`
Then access the local UDP: 5353 port is through the encrypted TCP tunnel, through the VPS access 8.8.8.8 UDP: 53 port.
### 3.5. Encryption Level 3 UDP Agent
Primary TCP proxy VPS_01, IP: 22.22.22.22
`proxy tcp -t tls -p ":38080" -T udp -P "8.8.8.8:53" -C proxy.crt -K proxy.key`
Secondary TCP proxy VPS_02, IP: 33.33.33.33
`proxy tcp -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
Level 3 TCP proxy (local)
`proxy udp -p ":5353" -T tls -P "33.33.33.33:28080" -C proxy.crt -K proxy.key`
Then access the local 5353 port is to access the 8.8.8.8 port 53 through VPS_01 through the encrypted TCP tunnel.
### 3.6 Specify Outgoing IP
When the UDP upstream proxies (parameter: -T) is udp, it supports the specified outgoing IP. Using the `--bind-listen` parameter, you can open the client to connect with the server IP, and use the server IP as the outgoing IP to access the target. If an incorrect IP is bound, the proxy will not work.
`proxy udp -p ":33080" -T udp -P "192.168.22.33:2222" -B`
### 3.7 Help
`proxy help udp`
## 4. Expose Intranet
### 4.1 principle description
Intranet penetration, divided into two versions, "multi-link version" and "multiplexed version", generally like a web service, this service is not a long-term connection, it is recommended to use "multi-link version", if it is to keep long The time connection suggests using a "multiplexed version."
1. Multi-link version, the corresponding sub-command is tserver, tclient, tbridge.
1. Multiplexed version, the corresponding subcommand is server, client, bridge.
1. The parameters of the multi-link version and the multiplex version are exactly the same.
1. The multiplexed version of the server, client can open the compressed transmission, the parameter is --c.
1. server, client either open compression, or not open, can not open only one.
The following tutorial uses the "multiplexed version" as an example to illustrate how to use it.
The intranet penetration consists of three parts: client, server, and bridge; client and server actively connect to the bridge for bridging.
### 4.2 TCP common usage
Background:
- Company Machine A provides web service port 80
- There is a VPS, public network IP: 22.22.22.22
Demand:
At home, you can access the port 80 of company machine A by accessing port 28080 of the VPS.
Steps:
Execute on vps
`proxy bridge -p ":33080" -C proxy.crt -K proxy.key`
`proxy server -r ":28080@:80" -P "127.0.0.1:33080" -C proxy.crt -K proxy.key`
1. Execute on company machine A
`proxy client -P "22.22.22.22:33080" -C proxy.crt -K proxy.key`
Complete
### 4.3 WeChat interface local development
Background:
- Your own notebook provides nginx service port 80
- There is a VPS, public network IP: 22.22.22.22
Demand:
Fill in the address in the webpage callback interface configuration of WeChat's development account: http://22.22.22.22/calback.php
Then you can access the calback.php under the 80 port of the notebook. If you need to bind the domain name, you can use your own domain name.
For example: wx-dev.xxx.com resolves to 22.22.22.22, and then in your own notebook nginx
Configure the domain name wx-dev.xxx.com to the specific directory.
Steps:
1. Execute on vps to ensure that port 80 of vps is not occupied by other programs.
`proxy bridge -p ":33080" -C proxy.crt -K proxy.key`
`proxy server -r ":80@:80" -P "22.22.22.22:33080" -C proxy.crt -K proxy.key`
1. Execute on your laptop
`proxy client -P "22.22.22.22:33080" -C proxy.crt -K proxy.key`
Complete
### 4.4 UDP common usage
Background:
- Company Machine A provides DNS resolution service, UDP: port 53
- There is a VPS, public network IP: 22.22.22.22
Demand:
At home, you can use the company machine A to perform domain name resolution services by setting the local dns to 22.22.22.22.
Steps:
Execute on vps
`proxy bridge -p ":33080" -C proxy.crt -K proxy.key`
`proxy server --udp -r ":53@:53" -P "127.0.0.1:33080" -C proxy.crt -K proxy.key`
1. Execute on company machine A
`proxy client -P "22.22.22.22:33080" -C proxy.crt -K proxy.key`
Complete
### 4.5 advanced usage one
Background:
- Company Machine A provides web service port 80
- There is a VPS, public network IP: 22.22.22.22
Demand:
In order to be safe, I don't want to have access to the company machine A on the VPS, and I can access the port 28080 of the machine at home.
Access to port 80 of company machine A via an encrypted tunnel.
Steps:
Execute on vps
`proxy bridge -p ":33080" -C proxy.crt -K proxy.key`
1. Execute on company machine A
`proxy client -P "22.22.22.22:33080" -C proxy.crt -K proxy.key`
1. Execute on your home computer
`proxy server -r ":28080@:80" -P "22.22.22.22:33080" -C proxy.crt -K proxy.key`
Complete
### 4.6 Advanced Usage II
Tip:
If multiple clients are connected to the same bridge at the same time, you need to specify a different key, which can be set by the --k parameter, and --k can be any unique string.
Just be the only one on the same bridge.
When the server is connected to the bridge, if there are multiple clients connecting to the same bridge at the same time, you need to use the --k parameter to select the client.
Expose multiple ports by repeating the -r parameter. The format of -r is: "local IP: local port @clientHOST:client port".
Background:
- Company Machine A provides web service port 80, ftp service port 21
- There is a VPS, public network IP: 22.22.22.22
Demand:
At home, you can access the port 80 of company machine A by accessing port 28080 of the VPS.
At home, I can access the 21 port of company machine A by accessing port 29090 of the VPS.
Steps:
Execute on vps
`proxy bridge -p ":33080" -C proxy.crt -K proxy.key`
`proxy server -r ":28080@:80" -r ":29090@:21" --k test -P "127.0.0.1:33080" -C proxy.crt -K proxy.key`
1. Execute on company machine A
`proxy client --k test -P "22.22.22.22:33080" -C proxy.crt -K proxy.key`
Complete
### 4.7.server -r parameter
The full format of -r is: `PROTOCOL://LOCAL_IP:LOCAL_PORT@[CLIENT_KEY]CLIENT_LOCAL_HOST:CLIENT_LOCAL_PORT`
4.7.1. Protocol PROTOCOL: tcp or udp.
For example: `-r "udp://:10053@:53" -r "tcp://:10800@:1080" -r ":8080@:80"`
If the --udp parameter is specified, PROTOCOL defaults to udp, then:`-r ":8080@:80"` defaults to udp;
If the --udp parameter is not specified, PROTOCOL defaults to tcp, then: `-r ":8080@:80"` defaults to tcp;
4.7.2. CLIENT_KEY: The default is default.
For example: -r "udp://:10053@[test1]:53" -r "tcp://:10800@[test2]:1080" -r ":8080@:80"
If the --k parameter is specified, such as --k test, then: `-r ":8080@:80"`CLIENT_KEY defaults to test;
If the --k parameter is not specified, then: `-r ":8080@:80"`CLIENT_KEY defaults to default;
4.7.3. LOCAL_IP is empty. The default is: `0.0.0.0`, CLIENT_LOCAL_HOST is empty. The default is: `127.0.0.1`;
### 4.8.server and client connect bridge through proxy
Sometimes the network where the server or client is located cannot directly access the external network. You need to use an https or socks5 proxy to access the Internet. Then this time
The -J parameter can help you to connect the server or client to the bridge via https or socks5.
The -J parameter format is as follows:
Https proxy writing:
The proxy needs authentication, username: username password: password
Https://username:password@host:port
Agent does not require authentication
Https://host:port
Socks5 proxy writing:
The proxy needs authentication, username: username password: password
Socks5://username:password@host:port
Agent does not require authentication
Socks5://host:port
Host: the IP or domain name of the proxy
Port: the port of the proxy
### 4.9. Expose HTTP service
Usually the HTTP request client will use the server's ip and port to set the HOST field, but it is not the same as the expected backend actual HOST, which causes tcp to be passed.However, the backend relies on the HOST field to locate the virtual host and it will not work. Now use the `--http-host` parameter to force the HOST field value of the http header to be the actual value of the backend.Domain names and ports can be easily solved. After using the `--http-host` parameter, two headers will be added to the header of each HTTP request. The `X-Forwarded-For` and `X-Real-IP` values are the client IP, so the backend http service can easily obtain the real IP address of the client.
The format of the `server`-http-host parameter is as follows:
`--http-host www.test.com:80@2200`, if the server listens to multiple ports, just repeat the `--http-host` parameter to set the HOST for each port.
Example:
For example, the client local nginx, 127.0.0.1:80 provides a web service, which is bound to a domain name `local.com`.
Then the server startup parameters can be as follows:
`proxy server -P :30000 -r :2500@127.0.0.1:80 --http-host local.com@2500`
Explanation:
`-r :2500@127.0.0.1:80` and `--http-host local.com:80@2500` The 2500 port is the port that the server listens locally.
When the http protocol is used to request the ip:2500 port of the server, the header HOST field of http will be set to `local.com`.
### 4.10 About traffic statistics
If you start a server docking peer separately, it is the proxy-admin control panel. You need to create a new mapping in the upper-level control panel to obtain the ID of the mapping rule.
Then start the server and add the parameter --server-id=the ID of the mapping rule to count the traffic.
### 4.11 About p2p
Intranet penetration support When the server and client network conditions are met, the server and client are directly connected through p2p. The opening method is:
When starting the bridge, server, client, add the `--p2p` parameter. The server's -r parameter can be used to enable p2p (ptcp and pudp) for the port.
If the p2p hole fails between the server and the client, the bridge transfer data is automatically switched.
### 4.12 Client key whitelist
The intranet penetrating bridge can set the client key whitelist. The parameter is --client-keys. The format can be:
a. File name, file content One client key can only contain the alphanumeric underscore, which is the value of the client startup parameter --k. Only the client key can connect to the whitelist client. The line starting with # is a comment.
b. The base64 encoding at the beginning of "base64://" is the content of the file described in a above, for example: base64://ajfpoajsdfa=
c. "str://" multiple keywords separated by a comma at the beginning, such as: str://default,company,school
The default is empty, allowing all keys.
### 4.13 Network NAT Type Judgment
Senat type judgment, easy to check whether the network supports p2p, you can execute: `proxy tools -a nattype`
### 4.14 Help
`proxy help bridge`
`proxy help server`
`proxy help client`
## 5.SOCKS5 Proxies
prompt:
SOCKS5 proxy, support CONNECT, UDP protocol, does not support BIND, supports username and password authentication.
***The udp function of socks5 is turned off by default, and can be turned on by `--udp`. The default is a random port for handshake, and performance can be improved by fixing a port.
Set by parameter `--udp-port 0`, `0` represents a free port is randomly selected, or you can manually specify a specific port. ***
### 5.1. Ordinary SOCKS5 Agent
`proxy socks -t tcp -p "0.0.0.0:38080"`
Listen port argument `-p` can be:
```text
-p ":8081" listen on 8081
-p ":8081,:8082" listen on 8081 and 8082
-p ":8081,:8082,:9000-9999" listen on 8081 and 8082 and 9000 and 9001 to 9999, 1002 total ports
```
### 5.2. Ordinary secondary SOCKS5 agent
Use local port 8090, assuming the upstream SOCKS5 proxy is `22.22.22.22:8080`
`proxy socks -t tcp -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" `
We can also specify the black and white list file of the website domain name, one domain name and one domain name, the matching rule is the rightmost match, for example: baidu.com, the match is *.*.baidu.com, the blacklist domain name domain name goes directly to the upstream agent, white The domain name of the list does not go to the upstream agent; if the domain name is in the blacklist and in the whitelist, the blacklist works.
`proxy socks -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" -b blocked.txt -d direct.txt`
### 5.3. SOCKS Level 2 Agent (Encryption)
Level 1 SOCKS proxy (VPS, IP: 22.22.22.22)
`proxy socks -t tls -p ":38080" -C proxy.crt -K proxy.key`
Secondary SOCKS proxy (local Linux)
`proxy socks -t tcp -p ":8080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
Then access the local port 8080 is to access the proxy port 38080 on the VPS.
Secondary SOCKS proxy (local windows)
`proxy.exe socks -t tcp -p ":8080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
Then set your windos system, the proxy that needs to go through the proxy Internet program is the socks5 mode, the address is: 127.0.0.1, the port is: 8080, the program can access the Internet through vps through the encrypted channel.
### 5.4. SOCKS Level 3 Agent (Encryption)
Level 1 SOCKS proxy VPS_01, IP: 22.22.22.22
`proxy socks -t tls -p ":38080" -C proxy.crt -K proxy.key`
Secondary SOCKS proxy VPS_02, IP: 33.33.33.33
`proxy socks -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
Level 3 SOCKS proxy (local)
`proxy socks -t tcp -p ":8080" -T tls -P "33.33.33.33:28080" -C proxy.crt -K proxy.key`
Then accessing the local port 8080 is to access the proxy port 38080 on the first-level SOCKS proxy.
### 5.5. SOCKS proxy traffic is forced to go to the upper level SOCKS proxy
By default, the proxy will intelligently determine whether a website domain name is inaccessible. If it is not accessible, it will go to the upstream SOCKS proxy. With --always, all SOCKS proxy traffic can be forced to go to the upper SOCKS proxy.
`proxy socks --always -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
### 5.6. SOCKS via SSH relay
Description: The principle of ssh transfer is to use the forwarding function of ssh, that is, after you connect to ssh, you can access the target address through ssh proxy.
Suppose there is: vps
- IP is 2.2.2.2, ssh port is 22, ssh username is: user, ssh user password is: demo
- The user's ssh private key name is user.key
#### *5.6.1 How to ssh username and password*
Local SOCKS5 proxy port 28080, execute:
`proxy socks -T ssh -P "2.2.2.2:22" -u user -D demo -t tcp -p ":28080"`
#### *5.6.2 How to ssh username and key*
Local SOCKS5 proxy port 28080, execute:
`proxy socks -T ssh -P "2.2.2.2:22" -u user -S user.key -t tcp -p ":28080"`
Then access the local port 28080 is to access the target address through the VPS.
### 5.7. Certification
For the socks5 proxy protocol, we can perform username and password authentication. The authenticated username and password can be specified on the command line.
`proxy socks -t tcp -p ":33080" -a "user1:pass1" -a "user2:pass2"`
For multiple users, repeat the -a parameter.
It can also be placed in a file in the format of a "username:password" and then specified with -F.
`proxy socks -t tcp -p ":33080" -F auth-file.txt`
In addition, the socks5 agent also integrates external HTTP API authentication. We can specify an http url interface address with the --auth-url parameter.
Then when there is a user connection, the proxy will request the url in GET mode, with the following three parameters. If the HTTP status code 204 is returned, the authentication is successful.
In other cases, the authentication failed.
For example:
`proxy socks -t tcp -p ":33080" --auth-url "http://test.com/auth.php"`
When the user connects, the proxy will request the url ("http://test.com/auth.php") in GET mode.
Bring four parameters: user, pass, ip, local_ip:
Http://test.com/auth.php?user={USER}&pass={PASS}&ip={IP}&local_ip={LOCAL_IP}
User: username
Pass: password
Ip: User's IP, for example: 192.168.1.200
Local_ip: IP of the server accessed by the user, for example: 3.3.3.3
If there is no -a or -F or --auth-url parameter, the authentication is turned off.
### 5.8.KCP protocol transmission
The KCP protocol requires the --kcp-key parameter to set a password for encrypting and decrypting data.
Level 1 HTTP proxy (VPS, IP: 22.22.22.22)
`proxy socks -t kcp -p ":38080" --kcp-key mypassword`
Secondary HTTP proxy (local Linux)
`proxy socks -t tcp -p ":8080" -T kcp -P "22.22.22.22:38080" --kcp-key mypassword`
Then access the local port 8080 is to access the proxy port 38080 on the VPS, the data is transmitted through the kcp protocol.
### 5.9. Custom DNS
--dns-address and --dns-ttl parameters, used to specify the dns (--dns-address) used by the proxy to access the domain name.
And the analysis result cache time (--dns-ttl) seconds, to avoid system dns interference to the proxy, in addition to the cache function can also reduce the dns resolution time to improve access speed.
For example:
`proxy socks -p ":33080" --dns-address "8.8.8.8:53" --dns-ttl 300`
You can also use the parameter `--dns-interface` to specify the bandwidth used for dns resolution,
for example: `--dns-interface eth0`, dns resolution will use the eth0 bandwidth, this parameter must be set to `--dns-address` to be effective.
### 5.10 Custom Encryption
The proxy's socks proxy can encrypt tcp data through tls standard encryption and kcp protocol on top of tcp. In addition, it supports custom encryption after tls and kcp, which means that custom encryption and tls|kcp can be used together. The internal use of AES256 encryption, you only need to define a password when you use it.
Encryption is divided into two parts, one is whether the local (-z) encryption and decryption, and the other is whether the transmission with the upstream (-Z) is encrypted or decrypted.
Custom encryption requires both sides to be proxy.
The following two levels, three levels for example:
Secondary instance
Execute on level 1 vps (ip: 2.2.2.2):
`proxy socks -t tcp -z demo_password -p :7777`
Local secondary execution:
`proxy socks -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080`
In this way, when the website is accessed through the local agent 8080, the target website is accessed through encrypted transmission with the upstream.
Three-level instance
Execute on level 1 vps (ip: 2.2.2.2):
`proxy socks -t tcp -z demo_password -p :7777`
Execute on the secondary vps (ip: 3.3.3.3):
`proxy socks -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888`
Local three-level execution:
`proxy socks -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080`
In this way, when the website is accessed through the local agent 8080, the target website is accessed through encrypted transmission with the upstream.
### 5.11 Compressed transmission
The proxy's socks proxy can encrypt tcp data through custom encryption and tls standard encryption and kcp protocol on top of tcp. It can also be used before custom encryption.
Compress the data, that is, the compression function and the custom encryption and tls|kcp can be used in combination, and the compression is divided into two parts.
Part of it is local (-m) compression transmission, and part is whether the transmission with the upstream (-M) is compressed.
Compression requires both sides to be proxy, and compression also protects (encrypts) data to some extent.
The following two levels, three levels for example:
Secondary instance
Execute on level 1 vps (ip: 2.2.2.2):
`proxy socks -t tcp -m -p :7777`
Local secondary execution:
`proxy socks -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080`
In this way, when the website is accessed through the local agent 8080, the target website is accessed through compression with the upstream.
Three-level instance
Execute on level 1 vps (ip: 2.2.2.2):
`proxy socks -t tcp -m -p :7777`
Execute on the secondary vps (ip: 3.3.3.3):
`proxy socks -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888`
Local three-level execution:
`proxy socks -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080`
In this way, when the website is accessed through the local agent 8080, the target website is accessed through compression with the upstream.
### 5.12 Load Balancing
The SOCKS proxy supports the upper-level load balancing, and multiple upstream repeat-P parameters can be used.
`proxy socks --lb-method=hash -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080 -p :33080 -t tcp`
### 5.12.1 Setting the retry interval and timeout time
`proxy socks --lb-method=leastconn --lb-retrytime 300 --lb-timeout 300 -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080 -p :33080 -t tcp`
### 5.12.2 Setting weights
`proxy socks --lb-method=weight -T tcp -P 1.1.1.1:33080?w=1 -P 2.1.1.1:33080?w=2 -P 3.1.1.1:33080?w=1 -p :33080 -t tcp`
### 5.12.3 Use the target address to select the upstream
`proxy socks --lb-hashtarget --lb-method=hash -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080 -p :33080 -t tcp`
### 5.13 Speed limit
The speed limit is 100K, which can be specified by the `-l` parameter, for example: 100K 2000K 1M . 0 means no limit.
`proxy socks -t tcp -p 2.2.2.2:33080 -l 100K`
### 5.14 Specifying Outgoing IP
The `--bind-listen` parameter can be used to open the client connection with the portal IP, and use the portal IP as the outgoing IP to access the target website. If the ingress IP is an intranet IP, the egress IP does not use the ingress IP.
`proxy socks -t tcp -p 2.2.2.2:33080 --bind-listen`
#### Flexible Outgoing IP
Although the above `--bind-listen` parameter can specify the outgoing IP, the `entry IP` and ` outgoing IP` cannot be interfered by humans. If you want the ingress IP to be different from the egress IP, you can use the `--bind-ip` parameter, format: `IP:port`, for example: `1.1.1.1:8080`
, `[2000:0:0:0:0:0:0:1]:8080`. For multiple binding requirements, you can repeat the `--bind-ip` parameter.
For example, the machine has IP `5.5.5.5`, `6.6.6.6`, and monitors two ports `8888` and `7777`, the command is as follows:
`proxy socks -t tcp -p :8888,:7777 --bind-ip 5.5.5.5:7777 --bind-ip 6.6.6.6:8888`
Then the client access port `7777`, the outgoing IP is `5.5.5.5`, access port `8888`, the outgoing IP is `6.6.6.6`, if both `--bind-ip` and `--bind- are set at the same time listen`,`--bind-ip` has higher priority.
In addition, the `IP` part of the `--bind-ip` parameter supports specifying the `network interface name`, `wildcards`, and more than one. The details are as follows:
- Specify the network interface name, such as: `--bind-ip eth0:7777`, then the client accesses the `7777` port, and the egress IP is the IP of the eth0 network interface.
- The network interface name supports wildcards, for example: `--bind-ip eth0.*:7777`, then the client accesses
the `7777` port, and the egress IP is a randomly selected one of the network interface IPs starting with `eth0.`.
- IP supports wildcards, such as: `--bind-ip 192.168.?.*:7777`, then the client accesses the `7777` port, and the
outgoing IP is all the IPs of the machine, matching the IP of `192.168.?.*` A randomly selected one.
- It can also be multiple combinations of network interface name and IP, separated by half-width commas, such
as: `--bind-ip pppoe??,192.168.?.*:7777`, then the client accesses the port `7777`, The outgoing IP is the machine's
network interface name matching `pppoe??`
It is a randomly selected one among all IPs of the machine that matches `192.168.?.*`.
- The wildcard character `*` represents 0 to any number of characters, and `?` represents 1 character.
- If the IP of the network interface changes, it will take effect in real time.
- You can use the `--bind-refresh` parameter to specify the interval to refresh the local network interface information, the default is `5`, the unit is second.
### 5.15 Cascade Certification
SOCKS5 supports cascading authentication, and -A can set upstream authentication information.
upstream:
`proxy socks -t tcp -p 2.2.2.2:33080 -a user:pass`
local:
`proxy socks -T tcp -P 2.2.2.2:33080 -A user:pass -t tcp -p :33080`
### 5.16 Certificate parameters use base64 data
By default, the -C, -K parameter is the path to the crt certificate and the key file.
If it is the beginning of base64://, then the latter data is considered to be base64 encoded and will be used after decoding.
### 5.17 Intelligent mode
Intelligent mode setting, can be one of intelligent|direct|parent.
The default is: parent.
The meaning of each value is as follows:
`--intelligent=direct`, the targets in the blocked are not directly connected.
`--intelligent=parent`, the target that is not in the direct is going to the higher level.
`--intelligent=intelligent`, blocked and direct have no targets, intelligently determine whether to use the upstream
access target.
### 5.18 Fixed UDP PORT
By default, the port number of the UDP function of socks5, the proxy is installed in the `rfc1982 draft` request, which
is randomly specified during the protocol handshake process and does not need to be specified in advance.
However, in some cases, you need to fix the UDP function port. You can use the parameter `--udp-port port number` to fix
the port number of the UDP function. For example:
`proxy socks -t tcp -p "0.0.0.0:38080" --udp-port 38080`
### 5.19 UDP Compatibility Mode
By default, the UDP functionality of the SOCKS5 proxy in the proxy operates in accordance with the SOCKS5 RFC 1928
specification. However, there are certain SOCKS5 clients that do not adhere to the specified rules. To ensure
compatibility with such clients, the `--udp-compat` parameter can be added to activate the compatibility mode for SOCKS5
UDP functionality.
Additionally, the `-udp-gc` parameter can be utilized to set the maximum idle time for UDP. When this time threshold is
exceeded, UDP connections will be released.
### 5.20 Help
`proxy help socks`
## 6.SPS Protocol Convert
### 6.1 Function introduction
The proxy protocol conversion uses the sps subcommand. The sps itself does not provide the proxy function. It only
accepts the proxy request to "convert and forward" to the existing http(s) proxy or the socks5 proxy or ss proxy; the
sps can put the existing http(s) proxy or socks5 proxy or ss proxy is converted to a port that supports both http(s) and
socks5 and ss proxies, and the http(s) proxy supports forward proxy and reverse proxy (SNI), converted SOCKS5 proxy, UDP
function is still supported when the upper level is SOCKS5 or SS; in addition, for the existing http(s) proxy or socks5
proxy, three modes of tls, tcp, and kcp are supported, and chain connection is supported, that is, multiple sps node
levels can be supported. The connection builds an encrypted channel.
The encryption methods supported by the `ss` function are: aes-128-cfb, aes-128-ctr, aes-128-gcm, aes-192-cfb,
aes-192-ctr, aes-192-gcm, aes-256- Cfb , aes-256-ctr , aes-256-gcm , bf-cfb , cast5-cfb , chacha20 , chacha20-ietf ,
chacha20-ietf-poly1305 , des-cfb , rc4-md5 , rc4-md5-6 , salsa20 , Xchacha20
Listen port argument `-p` can be:
```text
-p ":8081" listen on 8081
-p ":8081,:8082" listen on 8081 and 8082
-p ":8081,:8082,:9000-9999" listen on 8081 and 8082 and 9000 and 9001 to 9999, 1002 total ports
```
The udp function of ss is turned off by default and can be turned on by `--ssudp`. The udp function of socks5 is turned off by default and can be turned on by `--udp`, The default is a random port for handshake, and performance can be improved by fixing a port.
Set by parameter `--udp-port 0`, `0` represents a free port is randomly selected, or you can manually specify a specific port.
### 6.2 HTTP(S) to HTTP(S)+SOCKS5+SS
Suppose there is already a normal http(s) proxy: 127.0.0.1:8080. Now we turn it into a common proxy that supports both http(s) and socks5 and ss. The converted local port is 18080, ss encryption: Aes-192-cfb, ss password: pass.
The command is as follows:
`proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p :18080 -h aes-192-cfb -j pass`
Suppose there is already a tls http(s) proxy: 127.0.0.1:8080. Now we turn it into a normal proxy that supports both http(s) and socks5 and ss. The converted local port is 18080, and tls requires a certificate file. , ss encryption: aes-192-cfb, ss password: pass.
The command is as follows:
`proxy sps -S http -T tls -P 127.0.0.1:8080 -t tcp -p :18080 -C proxy.crt -K proxy.key -h aes-192-cfb -j pass`
Suppose there is already a kcp http(s) proxy (password is: demo123): 127.0.0.1:8080, now we turn it into a normal proxy that supports both http(s) and socks5 and ss. The converted local port is 18080, ss encryption: aes-192-cfb, ss password: pass.
The command is as follows:
`proxy sps -S http -T kcp -P 127.0.0.1:8080 -t tcp -p :18080 --kcp-key demo123 -h aes-192-cfb -j pass`
### 6.3 SOCKS5 to HTTP(S)+SOCKS5+SS
Suppose there is already a normal socks5 proxy: 127.0.0.1:8080, now we turn it into a common proxy that supports both http(s) and socks5 and ss. The converted local port is 18080, ss encryption: aes-192 -cfb, ss password: pass.
The command is as follows:
`proxy sps -S socks -T tcp -P 127.0.0.1:8080 -t tcp -p :18080 -h aes-192-cfb -j pass`
Suppose there is already a tls socks5 proxy: 127.0.0.1:8080, now we turn it into a common proxy that supports both http(s) and socks5 and ss. The converted local port is 18080, tls requires certificate file, ss encryption Mode: aes-192-cfb, ss password: pass.
The command is as follows:
`proxy sps -S socks -T tls -P 127.0.0.1:8080 -t tcp -p :18080 -C proxy.crt -K proxy.key -h aes-192-cfb -j pass`
Suppose there is already a kcp socks5 proxy (password: demo123): 127.0.0.1:8080, now we turn it into a common proxy that supports both http(s) and socks5 and ss. The converted local port is 18080, ss Encryption method: aes-192-cfb, ss password: pass.
The command is as follows:
`proxy sps -S socks -T kcp -P 127.0.0.1:8080 -t tcp -p :18080 --kcp-key demo123 -h aes-192-cfb -j pass`
### 6.4 SS to HTTP(S)+SOCKS5+SS
SPS upstream and local support ss protocol, the upstream can be SPS or standard ss service.
SPS locally provides HTTP(S)\SOCKS5\SPS three defaults. When the upstream is SOCKS5, the converted SOCKS5 and SS support UDP.
Suppose there is already a normal SS or SPS proxy (ss is enabled, encryption: aes-256-cfb, password: demo): 127.0.0.1:8080, now we turn it to support both http(s) and socks5 and The ordinary proxy of ss, the converted local port is 18080, the converted ss encryption mode: aes-192-cfb, ss password: pass.
The command is as follows:
`proxy sps -S ss -H aes-256-cfb -J pass -T tcp -P 127.0.0.1:8080 -t tcp -p :18080 -h aes-192-cfb -j pass`.
### 6.5 Chained connection
The above mentioned multiple sps nodes can be connected to build encrypted channels in a hierarchical connection, assuming the following vps and the home PC.
Vps01:2.2.2.2
Vps02:3.3.3.3
Now we want to use pc and vps01 and vps02 to build an encrypted channel. This example uses tls encryption or kcp. Accessing local 18080 port on the PC is to access the local 8080 port of vps01.
First on vps01 (2.2.2.2) we run a locally accessible http(s) proxy and execute:
`proxy http -t tcp -p 127.0.0.1:8080`
Then run a sps node on vps01 (2.2.2.2) and execute:
`proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tls -p :8081 -C proxy.crt -K proxy.key`
Then run a sps node on vps02 (3.3.3.3) and execute:
`proxy sps -S http -T tls -P 2.2.2.2:8081 -t tls -p :8082 -C proxy.crt -K proxy.key`
Then run a sps node on the pc and execute:
`proxy sps -S http -T tls -P 3.3.3.3:8082 -t tcp -p :18080 -C proxy.crt -K proxy.key`
carry out.
### 6.6 Authentication
Sps supports http(s)\socks5 proxy authentication, which can be cascaded and has four important pieces of information:
1: The user sends the authentication information `user-auth`.
2: Set the local authentication information `local-auth`.
3: Set the connection authentication information 'parent-auth` used by the upstream.
4: The authentication information `auth-info-to-parent` that is finally sent to the upstream.
Their situation is as follows:
| User-auth | local-auth | parent-auth | auth-info-to-paren |
|-----------|------------|-------------|--------------------|
| Yes / No | Yes | Yes | From parent-auth |
| Yes / No | No | Yes | From parent-auth |
| Yes / No | Yes | No | No |
| No | No | No | No |
| Yes | No | No | From user-auth |
For the sps proxy we can perform username and password authentication. The authenticated username and password can be specified on the command line.
`proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p ":33080" -a "user1:pass1:0:0:" -a "user2:pass2:0:0: "`
For multiple users, repeat the -a parameter.
Can also be placed in a file, the format is one line a `username: password: number of connections: rate: upstream`, and then specified with -F.
`proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p ":33080" -F auth-file.txt`
If the upstream has authentication, the lower level can set the authentication information with the -A parameter, for example:
upstream: `proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p ":33080" -a "user1:pass1:0:0:" -a "user2:pass2:0: 0:"`
Subordinate: `proxy sps -S http -T tcp -P 127.0.0.1:8080 -A "user1:pass1" -t tcp -p ":33080" `
For more details on certification, please refer to `9.API Certification` and `10.Local Certification`
### 6.7 Multiple Upstream
If there are multiple upstreams, they can be specified by multiple -Ps.
such as:
`proxy sps -P http://127.0.0.1:3100 -P socks5://127.0.0.1:3200`
The complete format of `-P` is as follows:
`protocol://a:b@2.2.2.2:33080#1`
Each section is explained below:
`protocol://` is the protocol type, possible types and contains the following:
```text
Http is equivalent to -S http -T tcp
Https is equivalent to -S http -T tls --parent-tls-single , which is http(s) proxy over TLS
Https2 is equivalent to -S http -T tls
Socks5 is equivalent to -S socks -T tcp
Socks5s is equivalent to -S socks -T tls --parent-tls-single , which is socks over TLS
Socks5s2 is equivalent to -S socks -T tls
Ss is equivalent to -S ss -T tcp
Httpws is equivalent to -S http -T ws
Httpwss is equivalent to -S http -T wss
Socks5ws is equivalent to -S socks -T ws
Socks5wss is equivalent to -S socks -T wss
```
`a:b` is the username and password of the proxy authentication. If it is ss, `a` is the encryption method, `b` is the password, and no username password can be left blank, for example: `http://2.2.2.2:33080` If the username and password are protected, special symbols can be encoded using urlencode.
`2.2.2.2:33080` is the upstream address, the format is: `IP (or domain name): port `, if the underlying is ws/wss protocol can also bring the path, such as: `2.2.2.2: 33080/ws`;
You can also set the `encryption method` and `password` of `ws\wss` by appending the query parameters `m` and `k`, for example: `2.2.2.2:33080/ws?m=aes-192-cfb&k=password`
`#1` When multiple upper-level load balancing is a weighting strategy, the weights are rarely used.
### 6.8 Custom Encryption
The proxy sps proxy can encrypt tcp data through tls standard encryption and kcp protocol on top of tcp, in addition to support after tls and kcp
Custom encryption, that is, custom encryption and tls|kcp can be used in combination, internally using AES256 encryption, only need to define it when using
A password can be used, the encryption is divided into two parts, one part is whether the local (-z) encryption and decryption, and the part is the encryption and decryption with the upstream (-Z) transmission.
Custom encryption requires both sides to be proxy.
The following two levels, three levels for example:
Suppose there is already an http(s) proxy: `6.6.6.6:6666`
Secondary instance
Execute on level 1 vps (ip: 2.2.2.2):
`proxy sps -S http -T tcp -P 6.6.6.6:6666 -t tcp -z demo_password -p :7777`
Local secondary execution:
`proxy sps -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080`
In this way, when the website is accessed through the local agent 8080, the target website is accessed through encrypted transmission with the upstream.
Three-level instance
Execute on level 1 vps (ip: 2.2.2.2):
`proxy sps -S http -T tcp -P 6.6.6.6:6666 -t tcp -z demo_password -p :7777`
Execute on the secondary vps (ip: 3.3.3.3):
`proxy sps -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888`
Local three-level execution:
`proxy sps -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080`
In this way, when the website is accessed through the local agent 8080, the target website is accessed through encrypted transmission with the upstream.
### 6.9 Compressed transmission
The proxy sps proxy can encrypt tcp data through custom encryption and tls standard encryption and kcp protocol on top of tcp. It can also be used before custom encryption.
Compress the data, that is, the compression function and the custom encryption and tls|kcp can be used in combination, and the compression is divided into two parts.
Part of it is local (-m) compression transmission, and part is whether the transmission with the upstream (-M) is compressed.
Compression requires both sides to be proxy, and compression also protects (encrypts) data to some extent.
The following two levels, three levels for example:
Secondary instance
Execute on level 1 vps (ip: 2.2.2.2):
`proxy sps -t tcp -m -p :7777`
Local secondary execution:
`proxy sps -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080`
In this way, when the website is accessed through the local agent 8080, the target website is accessed through compression with the upstream.
Three-level instance
Execute on level 1 vps (ip: 2.2.2.2):
`proxy sps -t tcp -m -p :7777`
Execute on the secondary vps (ip: 3.3.3.3):
`proxy sps -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888`
Local three-level execution:
`proxy sps -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080`
In this way, when the website is accessed through the local agent 8080, the target website is accessed through compression with the upstream.
### 6.10 Disabling the protocol
By default, SPS supports http(s) and socks5 two proxy protocols. We can disable a protocol by parameter.
For example:
1. Disable the HTTP(S) proxy function to retain only the SOCKS5 proxy function, parameter: `--disable-http`.
`proxy sps -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080 --disable-http`
1. Disable the SOCKS5 proxy function to retain only the HTTP(S) proxy function, parameter: `--disable-socks`.
`proxy sps -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080 --disable-socks`
### 6.11 Speed limit
Suppose there is a SOCKS5 upstream:
`proxy socks -p 2.2.2.2:33080 -z password -t tcp`
SPS lower level, speed limit 100K
`proxy sps -S socks -P 2.2.2.2:33080 -T tcp -Z password -l 100K -t tcp -p :33080`
It can be specified by the `-l` parameter, for example: 100K 2000K 1M . 0 means no limit.
### 6.12 Specifying Outgoing IP
The `--bind-listen` parameter can be used to open the client connection with the portal IP, and use the portal IP as the outgoing IP to access the target website. If the ingress IP is an intranet IP, the egress IP does not use the ingress IP.
`proxy sps -S socks -P 2.2.2.2:33080 -T tcp -Z password -l 100K -t tcp --bind-listen -p :33080`
#### Flexible Outgoing IP
Although the above `--bind-listen` parameter can specify the outgoing IP, the `entry IP` and ` outgoing IP` cannot be interfered by humans. If you want the ingress IP to be different from the egress IP, you can use the `--bind-ip` parameter, format: `IP:port`, for example: `1.1.1.1:8080`
, `[2000:0:0:0:0:0:0:1]:8080`. For multiple binding requirements, you can repeat the `--bind-ip` parameter.
For example, the machine has IP `5.5.5.5`, `6.6.6.6`, and monitors two ports `8888` and `7777`, the command is as follows:
`proxy sps -t tcp -p :8888,:7777 --bind-ip 5.5.5.5:7777 --bind-ip 6.6.6.6:8888`
Then the client access port `7777`, the outgoing IP is `5.5.5.5`, access port `8888`, the outgoing IP is `6.6.6.6`, if both `--bind-ip` and `--bind- are set at the same time listen`,`--bind-ip` has higher priority.
In addition, the `IP` part of the `--bind-ip` parameter supports specifying the `network interface name`, `wildcards`, and more than one. The details are as follows:
- Specify the network interface name, such as: `--bind-ip eth0:7777`, then the client accesses the `7777` port, and the egress IP is the IP of the eth0 network interface.
- The network interface name supports wildcards, for example: `--bind-ip eth0.*:7777`, then the client accesses
the `7777` port, and the egress IP is a randomly selected one of the network interface IPs starting with `eth0.`.
- IP supports wildcards, such as: `--bind-ip 192.168.?.*:7777`, then the client accesses the `7777` port, and the
outgoing IP is all the IPs of the machine, matching the IP of `192.168.?.*` A randomly selected one.
- It can also be multiple combinations of network interface name and IP, separated by half-width commas, such
as: `--bind-ip pppoe??,192.168.?.*:7777`, then the client accesses the port `7777`, The outgoing IP is the machine's
network interface name matching `pppoe??`
It is a randomly selected one among all IPs of the machine that matches `192.168.?.*`.
- The wildcard character `*` represents 0 to any number of characters, and `?` represents 1 character.
- If the IP of the network interface changes, it will take effect in real time.
- You can use the `--bind-refresh` parameter to specify the interval to refresh the local network interface information, the default is `5`, the unit is second.
### 6.13 Certificate parameters use base64 data
By default, the -C, -K parameter is the path to the crt certificate and the key file.
If it is the beginning of base64://, then the latter data is considered to be base64 encoded and will be used after decoding.
### 6.14 Independent Service
A sps port can complete the full-featured proxy `http\socks\ss` function.
The following command is to open the http(s)\ss\socks service with one click, and enable the udp of socks5 and the udp of ss at the same time.
`proxy sps -p: 33080 --ssudp --udp --udp-port 0`
### 6.15 Target Redirection
The https(s)\socks5\ss proxy function provided by the sps function, the client connects to the specified "target" through the sps proxy. This "target" is generally a website or an arbitrary tcp address.
The website "target" is generally foo.com: 80, foo.com: 443, sps supports the use of the --rewrite parameter to specify a "target" redirection rule file, redirect the target, the client is non-perceived,
For example, if you redirect to "target": demo.com:80 to 192.168.0.12:80, then the client visits the website demo.com, in fact, the website service provided by 192.168.0.12.
Example of a "target" redirection rule file:
```text
# example
Www.a.com:80 10.0.0.2:8080
**.b.com:80 10.0.0.2:80
192.168.0.11:80 10.0.0.2:8080
```
When sps is an independent service, an additional local socks5 service will be opened to occupy a random port. Now the parameter `--self-port` can be manually specified when needed. The default is 0 to use random.
### 6.16 Fixed UDP PORT
By default, the port number of the UDP function of ss's socks5 is specified by the `rfc1982 draft`. It is randomly specified during the protocol handshake process and does not need to be specified in advance.
However, in some cases, you need to fix the UDP function port. You can fix the port number of the UDP function by the parameter `--udp-port port_number`, for example:
`proxy sps -t tcp -p "0.0.0.0:38080" --udp-port 38081`
It should be noted that the ss function of sps also has UDP function, and the UDP port of ss is the same as the tcp port, so avoid the conflict between the UDP port of socks5 and the UDP port of ss.
To specify a port that is different from the tcp port.
### 6.17 Iptables Transparent Proxy
The sps mode supports the iptables transparent forwarding support of the Linux system, which is commonly referred to as the iptables transparent proxy. If a iptables transparent proxy is performed on the gateway device, the device that is connected through the gateway can realize a non-aware proxy.
Example start command:
`proxy sps --redir -p :8888 -P httpws: //1.1.1.1:33080`
Here it is assumed that there is an http superior proxy 1.1.1.1:33080, which uses ws to transmit data.
Then add iptables rules, here are the reference rules:
```shell
#upstream proxy server IP address:
proxy_server_ip = 1.1.1.1
#Router running proxy listening port:
proxy_local_port = 33080
#There is no need to modify the following
#create a new chain named PROXY
iptables -t nat -N PROXY
#Ignore your PROXY server's addresses
#It's very IMPORTANT, just be careful。
iptables -t nat -A PROXY -d $proxy_server_ip -j RETURN
#Ignore LANs IP address
iptables -t nat -A PROXY -d 0.0.0.0/8 -j RETURN
iptables -t nat -A PROXY -d 10.0.0.0/8 -j RETURN
iptables -t nat -A PROXY -d 127.0.0.0/8 -j RETURN
iptables -t nat -A PROXY -d 169.254.0.0/16 -j RETURN
iptables -t nat -A PROXY -d 172.16.0.0/12 -j RETURN
iptables -t nat -A PROXY -d 192.168.0.0/16 -j RETURN
iptables -t nat -A PROXY -d 224.0.0.0/4 -j RETURN
iptables -t nat -A PROXY -d 240.0.0.0/4 -j RETURN
#Anything to port 80 443 should be redirected to PROXY's local port
iptables -t nat -A PROXY -p tcp -j REDIRECT --to-ports $proxy_local_port
#Apply the rules to nat client
iptables -t nat -A PREROUTING -p tcp -j PROXY
#Apply the rules to localhost
iptables -t nat -A OUTPUT -p tcp -j PROXY
```
- Clear the entire chain iptables -F chain name such as iptables -t nat -F PROXY
- Delete the specified user-defined chain iptables -X chain name e.g. iptables -t nat -X PROXY
- Delete rule from selected chain iptables -D chain name rule details e.g. iptables -t nat -D PROXY -d
223.223.192.0/255.255.240.0 -j RETURN
### 6.19 UDP Compatibility Mode
By default, the UDP functionality of the SOCKS5 proxy in the proxy operates in accordance with the SOCKS5 RFC 1928
specification. However, there are certain SOCKS5 clients that do not adhere to the specified rules. To ensure
compatibility with such clients, the `--udp-compat` parameter can be added to activate the compatibility mode for SOCKS5
UDP functionality.
Additionally, the `-udp-gc` parameter can be utilized to set the maximum idle time for UDP. When this time threshold is
exceeded, UDP connections will be released.
### 6.20 Custom DNS
The `--dns-address` and `--dns-ttl` parameters are used to specify the dns used by the proxy to access the domain name (`--dns-address`)
As well as the number of seconds for caching the parsing results (--dns-ttl) to avoid the interference of the system dns on the proxy.
The additional caching function can also reduce the dns parsing time and improve the access speed.
Translation:
`Agent sps -p ":33080" --dns-address "8.8.8.8:53" --dns-ttl 300`
You can also use the parameter `--dns-interface` to specify the bandwidth used for dns resolution,
for example: `--dns-interface eth0`, dns resolution will use the eth0 bandwidth, this parameter must be set to `--dns-address` to be effective.
### 6.21 Domain Name Sniffing
When a user client connects to the proxy using the SOCKS5 or HTTP proxy protocol, if the client connects with a domain name,
the client can choose to resolve the domain name locally or through the proxy. If the client resolves the domain name locally
and lets the proxy connect to the resolved IP, then the connection target obtained in the "API authentication" parameters will
be the IP or empty.
To avoid this situation, proxy provides a domain name sniffing feature. When the client connects to the SPS proxy, whether
through "HTTP proxy" or "SOCKS5 proxy", if the client accesses an http or https website, proxy will sniff the domain name
from the transmitted data. The sniffed domain name will be placed in the `sniff_domain` parameter of the "traffic reporting"
API, so the domain name can be obtained through the "traffic reporting" API.
To enable domain name sniffing, you can use the `--sniff-domain` parameter.
### 6.22 Help
`proxy help sps`
## 7.KCP Configuration
### 7.1 Configuration Introduction
Many functions of the proxy support the kcp protocol. Any function that uses the kcp protocol supports the configuration
parameters described here.
Therefore, the KCP configuration parameters are introduced here.
### 7.2 Detailed configuration
There are a total of 17 KCP configuration parameters, you can not set them, they have default values, if for the best effect,
You need to configure the parameters according to your own network conditions. Because the kcp configuration is complex, it requires a certain network basics.
If you want to get more detailed configuration and explanation of kcp parameters, please search for yourself. The command line name for each parameter, along with the default values and simple function descriptions are as follows:
```
--kcp-key="secrect" pre-shared secret between client and server
--kcp-method="aes" encrypt/decrypt method, can be: aes, aes-128, aes-192, salsa20, blowfish,
Twofish, cast5, 3des, tea, xtea, xor, sm4, none
--kcp-mode="fast" profiles: fast3, fast2, fast, normal, manual
--kcp-mtu=1350 set maximum transmission unit for UDP packets
--kcp-sndwnd=1024 set send window size(num of packets)
--kcp-rcvwnd=1024 set receive window size(num of packets)
--kcp-ds=10 set reed-solomon erasure coding - datashard
--kcp-ps=3 set reed-solomon erasure coding - parityshard
--kcp-dscp=0 set DSCP(6bit)
--kcp-nocomp disable compression
--kcp-acknodelay be carefull! flush ack immediately when a packet is received
--kcp-nodelay=0 be carefull!
--kcp-interval=50 be carefull!
--kcp-resend=0 be carefull!
--kcp-nc=0 be carefull! no congestion
--kcp-sockbuf=4194304 be carefull!
--kcp-keepalive=10 be carefull!
```
Tip:
Parameters: -- four fast3, fast2, fast, normal modes in kcp-mode,
Equivalent to setting the following four parameters:
Normal:`--nodelay=0 --interval=40 --resend=2 --nc=1`
Fast :`--nodelay=0 --interval=30 --resend=2 --nc=1`
Fast2:`--nodelay=1 --interval=20 --resend=2 --nc=1`
Fast3:`--nodelay=1 --interval=10 --resend=2 --nc=1`
## 8. Security DNS
### 8.1 Introduction
DNS is known as the service provided by UDP port 53, but with the development of the network, some well-known DNS servers also support TCP mode dns query, such as Google's 8.8.8.8, the DNS anti-pollution server principle of the proxy is to start a proxy DNS proxy locally. Server, which uses TCP to perform dns query through the upstream agent. If it communicates with the upstream agent, it can perform secure and pollution-free DNS resolution. It also supports independent services, concurrent parsing, and enhanced enhanced hosts file function to support flexible concurrent parsing and forwarding.
Dns resolution order:
1. Use the parameter --hosts to parse.
2. If the domain name to be resolved is not found in 1, it is parsed using the parameter --forward rule.
3. The domain name to be resolved is not found in 1 and 2, and the default --default parsing is used. The default default behavior parameter values are three: proxy, direct, and system.
The three parameter values are explained as follows:
Proxy: The domain name is resolved by the dns server specified by the -q parameter.
Direct: Connect to the dns server specified by the -q parameter to resolve the domain name through the local network.
System: resolves the domain name through the system dns.
Tip:
The host file format specified by the --hosts parameter is the same as the system hosts file, and the domain name supports wildcards. You can refer to the hosts file.
The parsing forwarding rule file specified by the --forward parameter can be referenced to the resolve.rules file. The domain name supports wildcards. It supports multiple dns servers for each domain name to be parsed concurrently. Whoever resolves the fastest resolution will use the resolution result.
The -q parameter can specify multiple remote dns servers to perform concurrent parsing. Whoever resolves the fastest parsing success, the default is: 1.1.1.1, 8.8.8.8, 9.9.9.9, multiple comma-separated,
For example, you can also bring ports: 1.1.1.1, 8.8.8.8#53, 9.9.9.9
If you are a standalone service, you don't need a upstream:
Can perform:
`proxy dns --default system -p :5353`
Or
`proxy dns --default direct -p :5353`
### 8.2 Example of use
#### 8.2.1 Normal HTTP(S) upstream agent
Suppose there is a upstream agent: 2.2.2.2:33080
Local execution:
`proxy dns -S http -T tcp -P 2.2.2.2:33080 -p :53`
Then the local UDP port 53 provides DNS resolution.
#### 8.2.2 Ordinary SOCKS5 upstream agent
Suppose there is a upstream agent: 2.2.2.2:33080
Local execution:
`proxy dns -S socks -T tcp -P 2.2.2.2:33080 -p :53`
Then the local UDP port 53 provides DNS resolution.
#### 8.2.3 TLS encrypted HTTP(S) upstream agent
Suppose there is a upstream agent: 2.2.2.2:33080
The commands executed by the upstream agent are:
`proxy http -t tls -C proxy.crt -K proxy.key -p :33080`
Local execution:
`proxy dns -S http -T tls -P 2.2.2.2:33080 -C proxy.crt -K proxy.key -p :53`
Then the local UDP port 53 provides a secure anti-pollution DNS resolution function.
#### 8.2.4 TLS-encrypted SOCKS5 upstream agent
Suppose there is a upstream agent: 2.2.2.2:33080
The commands executed by the upstream agent are:
`proxy socks -t tls -C proxy.crt -K proxy.key -p :33080`
Local execution:
`proxy dns -S socks -T tls -P 2.2.2.2:33080 -C proxy.crt -K proxy.key -p :53`
Then the local UDP port 53 provides a secure anti-pollution DNS resolution function.
#### 8.2.5 KCP encrypted HTTP(S) upstream agent
Suppose there is a upstream agent: 2.2.2.2:33080
The commands executed by the upstream agent are:
`proxy http -t kcp -p :33080`
Local execution:
`proxy dns -S http -T kcp -P 2.2.2.2:33080 -p :53`
Then the local UDP port 53 provides a secure anti-pollution DNS resolution function.
#### 8.2.6 KCP encrypted SOCKS5 upstream agent
Suppose there is a upstream agent: 2.2.2.2:33080
The commands executed by the upstream agent are:
`proxy socks -t kcp -p :33080`
Local execution:
`proxy dns -S socks -T kcp -P 2.2.2.2:33080 -p :53`
Then the local UDP port 53 provides a secure anti-pollution DNS resolution function.
#### 8.2.7 Custom encrypted HTTP(S) upstream agent
Suppose there is a upstream agent: 2.2.2.2:33080
The commands executed by the upstream agent are:
`proxy http -t tcp -p :33080 -z password`
Local execution:
`proxy dns -S http -T tcp -Z password -P 2.2.2.2:33080 -p :53`
Then the local UDP port 53 provides a secure anti-pollution DNS resolution function.
#### 8.2.8 Custom encrypted SOCKS5 upstream agent
Suppose there is a upstream agent: 2.2.2.2:33080
The commands executed by the upstream agent are:
`proxy socks -t kcp -p :33080 -z password`
Local execution:
`proxy dns -S socks -T tcp -Z password -P 2.2.2.2:33080 -p :53`
Then the local UDP port 53 provides a secure anti-pollution DNS resolution function.
## 9.API Authentication
The proxy's http(s)/socks5/sps proxy function supports user-to-agent access via the API.
### What can I do through the API?
- User dimension, which controls the single connection rate and controls the maximum number of connections, max connections count per seconds (QPS).
- IP dimension, which controls the single connection rate and controls the maximum number of connections, max connections count per seconds (QPS).
- Dynamic upstream, can dynamically obtain its upstream from the API according to the user or client IP, and support http(s)/socks5/ss upstream.
- Authenticate every connection, regardless of whether client authentication is required.
- Cache authentication results, time can be set to reduce API pressure.
- Limit the total bandwidth speed by `user` or `client ip` or `server port`.
#### Specific use
The proxy's http(s)/socks5/sps proxy API function is controlled by three parameters: `--auth-url` and `--auth-nouser` and `--auth-cache`.
The parameter `--auth-url` is the HTTP API interface address. When the client connects, the proxy will request the url in GET mode, with the following parameters. If the HTTP status code 204 is returned, the authentication is successful. In other cases, the authentication fails.
An example of a complete request API:
`http://test.com/auth.php?user=a&pass=b&client_addr=127.0.0.1:49892&local_addr=127.0.0.1:8100&target=http%3A%2F%2Fwww.baidu.com&service=http&sps=0`
#### Parameter Description
`user and pass` When the proxy turns on authentication, here is the username and password provided by the client.
`client_addr` The address used by the client to access the proxy, format IP: port.
`local_addr` The proxy address accessed by the client, format IP: port.
`service` Proxy type, divided into: http, socks.
Whether the `sps` proxy is provided by sps, 1: yes, 0: no.
`target` The target to be accessed by the client. If it is an http(s) proxy, the target is the specific url accessed; if it is a socks5 proxy, the target is empty.
#### Example
Suppose --auth-url http://127.0.0.1:333/auth.php points to a php interface address.
The contents of auth.php are as follows:
```php
<?php
#all users and password
$alluser=[
"user1"=>"pass1",
"user2"=>"pass2",
"user3"=>"pass3",
"user4"=>"pass4",
];
$proxy_ip=$_GET['local_addr'];
$user_ip=$_GET['client_addr'];
$service=$_GET['service'];
$is_sps=$_GET['sps']=='1';
$user=$_GET['user'];
$pass=$_GET['pass'];
$target=$_GET['target'];
//business checking
//....
$ok=false;
foreach ($alluser as $dbuser => $dbpass) {
if ($user==$dbuser&&$pass==$dbpass){
$ok=true;
break;
}
}
//set the authentication result
if($ok){
header("userconns:1000");
header("ipconns:2000");
header("userrate:3000");
header("iprate:8000");
header("userqps:5");
header("ipqps:2");
header("upstream:http://127.0.0.1:3500?parent-type=tcp");
header("outgoing:1.1.1.1");
header("userTotalRate:1024000");
//header("ipTotalRate:10240");
//header("portTotalRate:10240");
//header("RotationTime:60");
header("HTTP/1.1 204 No Content");
}
```
#### HTTP HEADER Explanation
`userconns`: The maximum number of connections for the user, not limited to 0 or not set this header.
`ipconns`: The maximum number of connections for the user IP, not limited to 0 or not set this header.
`userrate`: User's single TCP connection rate limit, in bytes/second, is not limited to 0 or does not set this header.
`iprate`: The single TCP connection rate limit of the client IP, in bytes/second, not limited to 0 or not set this
header.
`userqps`: The maximum number of connections per second (QPS) for the user, not limited to 0 or not set this header.
`ipqps`: The maximum number of connections per second (QPS) for the client IP, not limited to 0 or not set this
header.
`upstream`: The upstream used, not empty, or not set this header.
`outgoing`: The outgoing IP used. This setting is only effective when the upstream is empty.
The IP set here must be owned by the machine where the proxy is located, otherwise, the proxy will not function
properly.
Starting from version `v13.2`, `outgoing` supports multiple subnet formats separated by commas. The proxy will randomly
select an IP from the subnet as the outgoing IP. This randomness will also be keep when authentication cache is
enabled.
The following formats are supported for subnets:
1. Format: `192.168.1.1`, Description: Single IP, IPv4
1. Format: `3001:cb2::`, Description: Single IP, IPv6
1. Format: `192.168.1.1/24`, Description: CIDR format subnet, IPv4
1. Format: `3001:cb2::/126`, Description: CIDR format subnet, IPv6
1. Format: `192.168.1.1-192.168.1.200`, Description: IP range, IPv4
1. Format: `2311:ca2::-2311:ca2::10`, Description: IP range, IPv6
Example: `192.16.1.1,192.161.1.2,192.168.1.2-192.168.1.255`
`userTotalRate`: Limit the `user` total bandwidth speed (bytes per second), unit is byte, not limited to 0 or not set
this header.
`ipTotalRate`:Limit the `client ip` total bandwidth speed (bytes per second), unit is byte, not limited to 0 or not set
this header.
`portTotalRate`:Limit the `server port` total bandwidth speed (bytes per second), unit is byte, not limited to 0 or not
set this header.
`RotationTime`: `(requires version >= v13.2)` Controls the time interval, in seconds, for randomly selecting the
outgoing IP.
Leave it blank or unset this header if not needed.When the outgoing returned by the API is a subnet, and if you don't
want the proxy
to randomly select a new IP for each client connection, you can use this parameter to control the time interval for
random IP selection.
If within the interval period, the previously selected IP will be used. If the API does not return the `RotationTime`
header
or if `RotationTime` is set to 0, the proxy will randomly select an IP from the outgoing subnet as the outgoing IP for
each client connection.
#### Details of total bandwidth speed limitation
1. `userrate`、`iprate` and `userTotalRate`、`ipTotalRate`、`portTotalRate` can be set at same time,
for example: set `userrate` with 1024000 to limit the user's total bandwidth speed to 1M/s of user's all tcp connections. And set `userrate` with 102400 to limit the user one tcp connection speed to 100K/s.
2. if `userTotalRate`、`ipTotalRate` 、`portTotalRate` set at same time, the valid order is : `userTotalRate` -> `ipTotalRate` -> `portTotalRate`
3. if `userTotalRate`、`portTotalRate` set at same time, and set `--auth-nouser`,all clients that not send username will be as an "empty username" user,they are using a same limiter.
#### Tips
1. By default, `--auth-url` is required to provide the user name and password. If you do not need the client to provide the username and password, and authenticate, you can add `--auth-nouser`. The visit will still access the authentication address `--auth-url` for authentication. Only the $user authentication username and the $pass authentication password received in the php interface are empty when client didn't send username and password.
2. Connection limit priority: User authentication file limit - "File ip.limit limit -" API user limit - "API IP limit -" command line global connection limit.
3. Rate Limit Priority: User Authentication File Rate Limit - "File ip.limit Rate Limit -" API User Rate Limit - "API IP Rate Limit - "Command Line Global Rate Limit.
4. The upstream obtains the priority: the upstream of the user authentication file - the file ip.limit upstream-"API
upstream-" command line specifies the upstream.
5. `--auth-cache` authentication cache, cache the authentication result for a certain period of time, improve
performance, reduce the pressure on the authentication interface, --auth-cache unit seconds, default 0, set 0 to
close the cache.
6. By default, `--auth-cache` only caches the results of successful authentication and does not cache the results of
failed authentication. If you need to cache the failed authentication results for a certain period of time,
It can be set through the parameter `-auth-fail-cache` to improve performance and reduce the pressure on the
authentication interface. The unit of --auth-fail-cache is seconds. The default is 0. Setting 0 turns off the cache.
#### upstream detailed description
1. When the parameter `sps` is 0.
When the service is http, upstream only supports http(s) proxy, and does not support authentication.
If authentication is required, it can be replaced by sps. Format:
`http://127.0.0.1:3100?argk=argv`
When the service is a socks, the upstream only supports the socks5 proxy. The format is:
`socks5://127.0.0.1:3100?argk=argv`
Explanation: `http://`,`socks5://` is fixed, `127.0.0.1:3100` is the address of the upstream
2. When `sps` is 1.
Upstream supports socks5, http(s) proxy, support authentication, format: `protocol://a:b@2.2.2.2:33080?argk=argv`, please refer to SPS chapter for details, **multiple upstreams** , the description of the `-P` parameter.
3. Parameters, `?` followed by `argk=argv` are parameters: parameter name = parameter value, multiple parameters are connected with `&`.
All the supported parameters are as follows, and the meaning of the command line with the same name is the same.
1. parent-type : upper-level transport type, support tcp, tls, ws, wss
2. parent-ws-method: The encryption method of the upper-level ws transmission type, the supported value is the same as the value range supported by the command line.
3. parent-ws-password: The upper-level ws transmission type encryption password, the alphanumeric password
4. parent-tls-single : Whether the upper-level tls transport type is a one-way tls, which can be: true | false
5. timeout : timeout for establishing tcp connection, number, in milliseconds
6. ca : The base64-encoded string of the upper-level tls transport type ca certificate file.
7. cert : The base64 encoded string of the higher level tls transport type certificate file.
8. key : The base64 encoded string of the higher-level tls transport type certificate key file.
9. luminati:if upstram is luminati proxies,value can be: true or false。
4.Upstream supports multiple instances, regardless of whether SPS is 1 or 0, and they are separated by semicolons ;.
When connecting to an upstream, by default, one upstream is randomly chosen. However, it supports setting the weight
parameter for each upstream.
If the weight is set for any upstream, all upstreams must have the weight parameter set. The weight must be greater than
0;
otherwise, the weight is considered invalid, and random selection is applied.
This selection logic is also working after the authentication cache is enabled.
Examples of multiple upstreams:
1. Example without weight settings: `http://127.0.0.1:3100?argk=argv;http://127.0.0.2:3100?argk=argv`
2. Example with weight settings: `http://127.0.0.1:3100?argk=argv&weight=10;http://127.0.0.2:3100?argk=argv&weight=20`
Weight selection logic:
When a weight is set for an upstream, it divides the total weight among the upstreams based on their order.
For example, if there are two upstreams with weights 10 and 20 respectively, the total weight is 30.
The first upstream's weight range is 1-10, and the second upstream's weight range is 11-30.
This logic extends to more upstreams. Each time, a random number within the total weight range is chosen,
and the corresponding upstream is selected based on this number's range.
### Traffic report / Traffic limit / Traffic statistics
The proxy's http (s) / socks5 / sps / tcp / udp proxy function supports traffic reporting. You can set an http interface address through the parameter `--traffic-url`.
The proxy will report the traffic used for this connection to this address.Specifically, the proxy sends an HTTP to GET request to the HTTP URL address set by `--traffic-url`.
There are two reporting modes, which can be specified by the `--traffic-mode` parameter. It can be reported in the normal mode or in the fast mode.
1. Report in `normal` normal mode
When the connection is released, the proxy will report the traffic used for this connection to this `--traffic-url`
address.
2. Report in `fast` mode
For each connection that has been established, the proxy will `timely` report the traffic generated by this
connection to this` --traffic-url` address.
`Timing` defaults to 5 seconds, and you can modify` Timing` to the appropriate number of seconds via the
parameter `--traffic-interval`.
3. Report in `fast` global mode
By default, if the API can't handle high concurrency report access, you can use the fast global mode,
Use the parameter `--fast-global` to open, this parameter is only valid when `--traffic-mode=fast`. In fast global
mode, for a `--traffic-url`,
no matter how many concurrent connections there are, only have one reporter, and the reporting interval is 5 seconds.
In this mode, the reporting request method is `POST`, `Content-Type` is `application/json`, the post body data
is `JSON Array`, example: `[{},{}]`, the keys of object in the array are same with the
following `Reqeust parameter description`.
4. The traffic reporting function combined with the above API authentication function can control the user's traffic
usage in real time. The traffic is reported to the interface. The interface writes the traffic data to the database,
and then the authentication API queries the database to determine the traffic usage and determine whether the user
can be successfully authenticated.
The following is a complete URL request example:
`http://127.0.0.1:33088/user/traffic?bytes=337&client_addr=127.0.0.1%3A51035&id=http&server_addr =127.0.0.1%3A33088&target_addr=myip.ipip.net%3A80&username=a&sniff_domain=myip.ipip.net`
**Request parameter description:**
`id`: service id flag.
`server_addr`: proxies's address requested by the client, format: IP: port.
`client_addr`: client address, format: IP: port.
`target_addr`: target address, format: "IP: port", when tcp / udp proxy, this is empty.
`username`: proxy authentication user name, this is empty when tcp / udp proxy.
`bytes`: the number of traffic bytes used by the user.
`out_local_addr`: outgoing tcp connection's local address,format: IP: port.
`out_remote_addr`: outgoing tcp connection's remote address,format: IP: port.
`upstream`: upstream used by outgoing tcp connection, if none upstream be used, it's empty.
`sniff_domain`: This parameter is only available when the SPS function is enabled and the `--sniff-domain` option is used. The "sniff_domain" parameter is the sniffed domain name, in the format: domain or domain:port; this parameter only has a value when the client accesses an http/https URL, otherwise it is empty.
#### Tips
The `--traffic-url` URL must response the HTTP status code` 204`. Only when the traffic is reported will the report be considered successful, and if it response other status codes, it will be considered that the reported traffic failed, and the log will be output.
#### traffic flow
### Disconnect the user's connection
The proxy's http (s) / socks5 / sps proxy function supports a control interface, which can be specified by the parameter --control-url http interface address,
Then the proxy will interval send all the usernames or client IPs currently connected to the proxy to this URL. Specifically, the proxy sends an HTTP to POST request to the HTTP URL address set by --control-url.
`interval` defaults to 30 seconds, this value can be modified via the --control-sleep parameter.
When the user expires, or the user's traffic has been used up, the authentication API can only control the user cannot create a new connection, but the connection with the proxy has been established and the connection cannot be immediately disconnected.
Then this problem can be solved through the control interface. The control interface will return the content through the control interface in the slowest `interval` time, and the end is invalid when the user establishes the connection.
#### Request Description
An HTTP POST request will be sent to the control. The interface `form` has three fields: interface, ip, conns, and the `conns` field requires a user whose proxy version is greater than proxy `12.2`.
`user` The username currently connected to the agent, multiple separated by commas, for example: user1, user2
`ip` The client IP is connected to the proxy, and multiple clients using English are split addresses, for example: 1.1.1.1, 2.2.2.2
`conns` The tcp connection information currently connecting to the proxy port to transmit data. The conns value is a json string, the format is a sequence of connections, the element is an object, the object contains the details of the connection,
conns format: `[{"id":"ab7bf1f10501d6f7","client":"127.0.0.1:62112","server":"127.0.0.1:9092","user":""}]`
Object field description: id: connection id, client: client's unique IP address and port, server: client's IP and no port access, user's connection authentication (null if any)
#### Response Data Description
The data returned by the control interface is invalid user and IP or connection. The format is a json object data. There are three fields user, ip, and conns. The `conns` field requires the proxy version greater than or equal to `12.2`.
Format: `{"user":"a,b","ip":"",conns:["ab7bf1f10501d6f7","cb7bf1f10501d6f7"]}`
`user`: The username currently connected to the proxy, multiple separated by commas, not left blank, for example: user1, user2
`ip`: The ip address of the client currently connected to the proxy, multiple separated by commas, not left blank, for example: 1.1.1.1, 2.2.2.2
`conns`: is an array, the element is a connection id, this id is the id field of the connection object in conns in the above `Request Description`.
Introduce:
- The connection established by the returned user and ip will be disconnected by the proxy.
- Connections matching the returned conns will be disconnected by the proxy.
- If the returned data contains both: user or ip, and conns, then the user or ip will be ignored, and only the connection matching conns will be disconnected.
- When the connection is closed, if the authentication cache is enabled, the `user` or `IP` authentication cache will be cleared.
#### Example
Suppose --control-url `http://127.0.0.1:33088/user/control.php` points to a PHP interface address.
The content of control.php is as follows:
```php
<?php
#revcieve proxy post data
$userArr=explode(",",$_POST['user']);
$ipArr=$_GET['ip'];
//invalid users array
$badUsers=[];
foreach ($userArr as $user) {
//logic business, push invalid user into $badUsers
$badUsers[]=$user;
}
$data=["user"=>implode(","$badUsers),"ip"=>"","conns"=>[]];
echo json_encode($data);
```
## 10. Authentication
The proxy http(s)/socks5/sps proxy function supports the user to access the proxy pair through the configuration file, and supports the http(s) proxy ``Proxy Basic proxy authentication` and the socks5 proxy authentication.
### start using
The proxy's http(s)/socks5/sps proxy function can pass
`--auth-file`, `--max-conns`, `--ip-limit`, `--rate-limit`, `-a` These five parameters control.
#### Detailed explanation of parameters
##### `--auth-file`
The authenticated user name and password file. This parameter specifies a file, one line per rule, in the format: "username: password: number of connections: rate: upstream".
`Connection number` is the maximum number of connections for the user. The 'rate' is the maximum speed of each tcp connection of the user. The unit is: byte/second. The upper level is the upper level used by the user.
Not only can the authenticated user be set by `--auth-file`, but also the `-a` parameter can be set directly. Multiple users can repeat multiple `-a` parameters.
For example: `proxy http -a a:b:0:0: -a c:d:0:0:`
Example explanation:
For example: `user:pass:100:10240:http://192.168.1.1:3100`
`user` is the authentication username
`pass` is the authentication user password (cannot contain a colon:)
`100` is the maximum number of connections for this user, not limited to write 0
`10240` is the rate limit of this user's single tcp connection, the unit is: byte / sec, no limit write 0
`http://192.168.1.1:3100` is the upstream used by this user, no space is left blank
##### `--max-conns`
Limit the maximum number of global connections for the proxy service, a number, 0 is unrestricted, default is 0.
##### `--ip-limit`
Controls the number of connections and connection rate of the client IP. This parameter specifies a file, one rule per line, and the beginning of # is gaze.
The sample file ip.limit, the rule format is as follows:
`127.0.0.1:100:10240:http://192.168.1.1:3100`
Rule interpretation:
`127.0.0.1` is the IP to be restricted
`100` is the maximum number of connections for this IP, not limited to write 0
`10240` is the rate limit of IP single tcp connection, the unit is: byte / s, no limit write 0
`http://192.168.1.1:3100` is the upstream used by this IP, and it is not left blank.
##### `--rate-limit`
Limit the speed of each tcp connection of the service, for example: 100K 2000K 1M . 0 means unlimited, default 0.
## 11. Cluster
The proxy supports the cluster management. The proxy is installed on each machine node as an agent, with the control panel [`proxyadmin cluster edition`] (https://github.com/snail007/proxy-admin-cluster) Unified management of proxy services on massive machines.
If the proxy is to be run as an agent, assume that the cluster port address of the control panel is: `1.1.1.1: 55333`.
The command example is as follows:
`proxy agent -k xxx -c 1.1.1.1:55333 -i test`
Command explanation:
agent: is a function parameter, which means running agent mode.
-k : The encryption and decryption key for communication with `proxyadmin cluster edition`. This key is set in the configuration file of` proxyadmin cluster edition`.
-c : The cluster port address of `proxyadmin cluster edition`, format: IP:port.
-i : The unique identifier of the agent ensures that each agent is different. The "unique identifier" specified here is used when adding a node to the control panel. The IP is filled with this "unique identifier".
If -i is not specified, the default is empty, and the control panel adds the IP field to fill in: the agent's internet IP.
-u: proxy parameter, empty by default. You can specify an agent, and the agent will communicate with the cluster through this agent.
The format is the same as that of `--jumper`. For details, please refer to the `--jumper` part of the manual.
notice:
When the client service is configured in the control panel, all nodes use the same key, which leads to only one client working. To solve this problem,
Client service parameters can use placeholders: `{AGENT_ID}` to refer to the agent’s id as the client’s key, so as to ensure that each client has a unique key.
For example, client service parameters:
`client -T tcp -P 1.1.1.1:30000 --k {AGENT_ID}`
## 12. http, https website reverse proxy
The proxy can reverse proxy http and https websites.
The supported features are as follows:
- http and https are converted to each other.
- multiple upstream.
- upstream load balance.
- upstream high available.
- path mapping.
- path protection.
- alias names of bindings.
Example, configure file:`rhttp.toml`。
```shell
proxy rhttp -c rhttp.toml
```
For detail usage, please refer to the configuration file [rhttp.toml](https://github.com/snail007/goproxy/blob/master/rhttp.toml), which has a complete configuration description.
================================================
FILE: README_ZH.md
================================================
## GOPROXY简介
<div align="center">
<img src="https://mirrors.goproxyauth.com/https://raw.githubusercontent.com/snail007/goproxy/master/doc/images/logo.jpg" width="500" height="auto"/>
[](https://github.com/snail007/goproxy/) []() [](https://github.com/snail007/goproxy/releases) [](https://github.com/snail007/goproxy/releases)
---
GoProxy是一款轻量级、功能强大、高性能的http代理、https代理、socks5代理、内网穿透代理服务器、ss代理、游戏盾、游戏代理,支持API代理认证。websocket代理、tcp代理、udp代理、socket代理、高防服务器。支持正向代理、反向代理、透明代理、TCP内网穿透、UDP内网穿透、HTTP内网穿透、HTTPS内网穿透、https代理负载均衡、http代理负载均衡、socks5代理负载均衡、socket代理负载均衡、ss代理负载均衡、TCP/UDP端口映射、SSH中转、TLS加密传输、协议转换、防污染DNS代理,限速,限连接数。官方QQ交流群: 608062193。
</div>
---
### [官方网站](https://www.goproxy.win/)
### [点击我观看视频教程](https://space.bilibili.com/472844633)
- [下载地址](https://github.com/snail007/goproxy/releases)
- [参考手册](https://snail007.goproxyauth.com/goproxy/manual/zh/)
- [桌面版](https://github.com/snail007/proxy_admin_free/blob/master/README_ZH.md)
- [安卓全局代理版](https://github.com/snail007/goproxy-ss-plugin-android)
- [安卓全能代理版](https://github.com/snail007/goproxy-android)
- [安卓内网穿透客户端](https://github.com/snail007/lanass)
- [SDK](https://github.com/snail007/goproxy-sdk)
- [GORPOXY实战教程](https://snail007.goproxyauth.com/goproxy/)
- [免费版VS商业版(安装、激活)](https://snail007.goproxyauth.com/goproxy/page/free_vs_commercial/)
## 国内下载
请在github的下载链接前面加上: `https://mirrors.goproxyauth.com/` 。
比如`v10.4`的github下载链接是:
`https://github.com/snail007/goproxy/releases/download/v10.4/proxy-linux-amd64.tar.gz`
那么国内下载地址就是:
`https://mirrors.goproxyauth.com/https://github.com/snail007/goproxy/releases/download/v10.4/proxy-linux-amd64.tar.gz`
此地址也适用于wget,curl直接命令行下载。
## ProxyAdmin介绍预览(这不是goproxy,是控制面板友情链接;安装使用goproxy请往下看,谢谢!)
`ProxyAdmin` 是强大的代理服务工具 snail007/goproxy 的控制面板,运行了它,一秒让你的服务器变为强大的代理服务器,友好的交互界面,小白也能轻松上手,让你用起来得心应手,心情舒畅。
### goproxy能干什么?
- 链式代理,程序本身可以作为一级代理,如果设置了上级代理那么可以作为二级代理,乃至N级代理。
- 通讯加密,如果程序不是一级代理,而且上级代理也是本程序,那么可以加密和上级代理之间的通讯,采用底层tls高强度加密,安全无特征。
- 智能HTTP代理,HTTPS代理,SOCKS5代理,会自动判断访问的网站是否屏蔽,如果被屏蔽那么就会使用上级代理(前提是配置了上级代理)访问网站;如果访问的网站没有被屏蔽,为了加速访问,代理会直接访问网站,不使用上级代理。
- 域名黑白名单,更加自由的控制网站的访问方式。
- 跨平台性,无论你是windows,linux,还是mac,甚至是树莓派,都可以很好的运行proxy。
- 多协议支持,支持HTTP(S),TCP,UDP,Websocket,SOCKS5代理。
- TCP/UDP端口转发。
- 游戏盾,游戏代理,高防服务器。
- 内网穿透,P2P传输,协议支持TCP和UDP,针对HTTP的优化穿透。
- SSH中转,HTTP(S),SOCKS5代理支持SSH中转,上级Linux服务器不需要任何服务端,本地一个proxy即可开心上网。
- [KCP](https://github.com/xtaci/kcp-go)协议支持,HTTP(S),SOCKS5代理支持KCP协议传输数据,降低延迟,提升浏览体验。
- 动态选择上级代理,通过外部API,HTTP(S),SOCKS5,SPS代理可以实现基于用户或者IP的限速,连接数限制,动态获取上级。
- 灵活的上级分配,HTTP(S),SOCKS5,SPS代理可以通过配置文件实现基于用户或者IP的限速,连接数限制,指定上级。
- 反向代理,支持直接把域名解析到proxy监听的ip,然后proxy就会帮你代理访问需要访问的HTTP(S)网站。
- 透明HTTP(S)代理,配合iptables,在网关直接把出去的80,443方向的流量转发到proxy,就能实现无感知的智能路由器代理。
- 协议转换,可以把已经存在的HTTP(S)或SOCKS5或SS代理转换为一个端口同时支持HTTP(S)和SOCKS5和SS代理,转换后的SOCKS5和SS代理如果上级是SOCKS5代理,那么支持UDP功能,同时支持强大的级联认证功能。
- 自定义底层加密传输,http(s)\sps\socks代理在tcp之上可以通过tls标准加密以及kcp协议加密tcp数据,除此之外还支持在tls和kcp之后进行自定义加密,也就是说自定义加密和tls|kcp是可以联合使用的,内部采用AES256加密,使用的时候只需要自己定义一个密码即可。
- 底层压缩高效传输,http(s)\sps\socks代理在tcp之上可以通过自定义加密和tls标准加密以及kcp协议加密tcp数据,在加密之后还可以对数据进行压缩,也就是说压缩功能和自定义加密和tls|kcp是可以联合使用的。
- 安全的DNS代理,可以通过本地的proxy提供的DNS代理服务器与上级代理加密通讯实现安全防污染的DNS查询。
- 负载均衡,高可用,HTTP(S)\SOCKS5\SPS代理支持上级负载均衡和高可用,多个上级重复-P参数即可。
- 指定出口IP,HTTP(S)\SOCKS5\SPS代理支持客户端用入口IP连接过来的,就用入口IP作为出口IP访问目标网站的功能。如果入口IP是内网IP,出口IP不会使用入口IP
- 支持限速,HTTP(S)\SOCKS5\SPS\TCP代理支持限速。
- 支持限连接数,HTTP(S)\SOCKS5\SPS\TCP代理支持限连接数。
- SOCKS5代理支持级联认证。
- 证书参数使用base64数据,默认情况下-C,-K参数是crt证书和key文件的路径,如果是base64://开头,那么就认为后面的数据是base64编码的,会解码后使用。
- 支持客户端IP黑白名单,更加安全的控制客户端对代理服务的访问,如果黑白名单同时设置,那么只有白名单生效。socks/http(s)/sps/tcp/udp/dns/内网穿透bridge/内网穿透tbridge,都支持客户端IP黑白名单。
- 端口范围批量监听,HTTP(S)\SOCKS5\SPS\TCP代理支持指定端口范围监听,避免启动过多进程,提高性能。
### 为什么需要它?
- 当由于某某原因,我们不能访问我们在其它地方的服务,我们可以通过多个相连的proxy节点建立起一个安全的隧道访问我们的服务。
- 微信接口本地开发,方便调试。
- 远程访问内网机器。
- 和小伙伴一起玩局域网游戏。
- 以前只能在局域网玩的,现在可以在任何地方玩。
- 替代圣剑内网通,显IP内网通,花生壳之类的工具。
- 有大量IP资源,想变现,对外提供IP代理服务。
- 有大量拨号VPS,想对外提供IP代理服务。
- 公司安全要求,审计员工对互联网的访问。
- 想要一个高性能稳定的,认证功能齐全的代理服务。
- 想一个固定入口,实现动态IP出口。
- ..。
本页手册适用于最新版goproxy,其他版本可能有的地方不再适用,请自己根据命令帮助使用。
### 加入组织
[点击加入 Telegram 交流群](https://t.me/snail007_goproxy)
## 下载安装 goproxy
### 快速安装 goproxy
如果你的VPS是linux64位的系统,那么只需要执行下面一句,就可以完成自动安装和配置.
提示:所有操作需要root权限。
免费版执行这个:
```shell
bash -c "$(curl -s -L https://mirrors.goproxyauth.com/https://github.com/snail007/goproxy/blob/master/install_auto.sh)" @ cn
```
商业版执行这个:
```shell
bash -c "$(curl -s -L https://mirrors.goproxyauth.com/https://github.com/snail007/goproxy/blob/master/install_auto_commercial.sh)" @ cn
```
安装完成,配置目录是/etc/proxy,更详细的使用方法请参考上面的手册目录,进一步了解你想要使用的功能。
如果安装失败或者你的vps不是linux64位系统,请按照下面的半自动步骤安装:
### 手动安装 goproxy
1.下载goproxy
根据你的平台和CPU类型选择,下载地址: https://github.com/snail007/goproxy/releases ,
这里以 `proxy-linux-amd64.tar.gz` `v10.4` 为例,具体使用的时候,请根据你的平台和CPU类型选择具体文件名称.
免费版执行这个:
```shell
cd /root/proxy/
wget https://mirrors.goproxyauth.com/https://github.com/snail007/goproxy/releases/download/v10.4/proxy-linux-amd64.tar.gz
```
商业版执行这个:
```shell
cd /root/proxy/
wget https://mirrors.goproxyauth.com/https://github.com/snail007/goproxy/releases/download/v10.4/proxy-linux-amd64_commercial.tar.gz
```
2.下载自动安装脚本
免费版执行这个:
```shell
cd /root/proxy/
wget https://mirrors.goproxyauth.com/https://raw.githubusercontent.com/snail007/goproxy/master/install.sh
chmod +x install.sh
./install.sh
```
商业版执行这个:
```shell
cd /root/proxy/
wget https://mirrors.goproxyauth.com/https://raw.githubusercontent.com/snail007/goproxy/master/install_commercial.sh
chmod +x install_commercial.sh
./install_commercial.sh
```
## 升级更新
更新默认使用镜像地址下载,如果使用镜像无法更新,可以设置环境变量:`UPDATE_MIRROR=false`,禁用镜像下载。
Windows: 先执行 `set UPDATE_MIRROR=false` 然后执行 `proxy update`
Linux: 先执行 `export UPDATE_MIRROR=false` 然后执行 `proxy update`
### Linux
用`root`打开一个终端,如果proxy不再系统PATH里面,需要cd进入proxy目录执行`./proxy`。
下面假设proxy在/usr/bin/proxy,执行用的是`proxy`。
```shell
proxy update
```
已经安装了最新的版本,默认不会更新,如果想强制更新加上 -f 参数即可。
```shell
proxy update -f
```
### Windows
用`管理员`权限打开命令提示符窗口,如果proxy不再系统PATH里面,需要cd进入proxy目录执行。
这里假设proxy在c:\gp\proxy,根据你的情况调整命令。
```bat
c:\
cd gp
proxy update
```
已经安装了最新的版本,默认不会更新,如果想强制更新加上 -f 参数即可。
```shell
c:\
cd gp
proxy update -f
```
## TODO
- http,socks代理多个上级负载均衡?
- http(s)代理增加pac支持?
- 欢迎加群反馈..。
## License
Proxy is licensed under GPLv3 license。
## Contact
官方QQ交流群: 608062193
## Donation
如果proxy帮助你解决了很多问题,你可以通过下面的捐赠更好的支持proxy。
<img src="https://mirrors.goproxyauth.com/https://raw.githubusercontent.com/snail007/goproxy/master/doc/images/alipay.jpg" width="200" height="auto"/>
<img src="https://mirrors.goproxyauth.com/https://raw.githubusercontent.com/snail007/goproxy/master/doc/images/wxpay.jpg" width="200" height="auto"/>
### 源代码申明
本项目作者发现大量的开发者基于本项目进行二次开发或使用大量本项目核心代码而不遵循GPLv3协议,这严重违背了本项目使用GPLv3开源协议的初衷,鉴于这种情况,本项目采取源代码延迟发布策略,在一定程度上遏制这些不尊重开源,不尊重他人劳动成果的行为。
本项目会持续更新迭代,持续发布全平台的二进制程序,给大家提供强大便捷的代理工具。
如果你有定制,商业需求请发邮件至`arraykeys@gmail.com`
## goproxy使用手册
## 如何安装
### 1. Linux安装
[点击查看Linux安装教程](https://github.com/snail007/goproxy/blob/master/README_ZH.md#%E4%B8%8B%E8%BD%BD%E5%AE%89%E8%A3%85-goproxy)
### 2. 苹果Mac系统安装
[点击查看苹果Mac系统安装教程](https://github.com/snail007/proxy_admin_free/blob/master/README_ZH.md#%E8%A7%86%E9%A2%91%E5%AE%89%E8%A3%85%E6%95%99%E7%A8%8B)
### 3. Windows安装
为了方便操作,推荐Windows用户使用proxy-admin面板,[点击查看Windows安装教程](https://github.com/snail007/proxy_admin_free/blob/master/README_ZH.md#%E8%A7%86%E9%A2%91%E5%AE%89%E8%A3%85%E6%95%99%E7%A8%8B)
当然你也可以使用命令行goproxy[点击查看手动安装](https://github.com/snail007/goproxy/blob/master/README_ZH.md#%E6%89%8B%E5%8A%A8%E5%AE%89%E8%A3%85-goproxy)
### 4. 其它平台安装
[点击查看其它安装教程](https://github.com/snail007/goproxy/blob/master/README_ZH.md#%E6%89%8B%E5%8A%A8%E5%AE%89%E8%A3%85-goproxy)
## 免费版、商业版说明
本手册描述功能,`proxyadmin商业版`和`goproxy商业版`全部包含;认证等高级功能参数免费版和VIP控制面板不包含;
如果您用`goproxy免费版`执行某些命令或者`proxyadmin 免费版`、`proxyadmin VIP版`服务启动失败的时候遇到,类似如下xxx参数不存在的提示,说明这个参数是商业版的功能,您需要下载并购买商业版授权才能使用.
` err : unknown short flag '-a'`
以下软件都是相互独立使用,没有依赖关系,需要购买的也是分别单独购买使用。
| 软件名称 | 免费版功能 | 商业版功能 | 购买使用 | 特点 | 传送门 |
|:----------------|:-----:|:-----:|:----:|:-----------------------------------------------------------------------------------------------:|:----------------------------------------------------------:|
| proxyadmin 免费版 | √ | x | x | Web界面操作,支持Linux,Windows,macOS,免费使用,服务数量有限制,适合个人,小白和白嫖党 | [下载安装](https://github.com/snail007/proxy_admin_free) |
| proxyadmin VIP版 | √ | x | √ | Web界面操作,支持更多平台,功能和免费版一样,服务数量无限制,适合个体户或者小集体 | [下载安装](https://github.com/snail007/proxy-admin-vip) |
| proxyadmin 商业版 | √ | √ | √ | Web界面操作,支持更多平台,无限制,适合集体或公司对外提供服务 | [下载安装](https://github.com/snail007/proxy-admin-commercial) |
| proxyadmin 集群版 | √ | √ | √ | Web界面操作,支持Linux,Windows,macOS,无限制,配合`goproxy 商业版`,可以实现以组为单位,管理海量机器上的proxy服务,适合有大量机器的集体或公司对外提供服务 | [下载安装](https://github.com/snail007/proxy-admin-cluster) |
| goproxy 免费版 | √ | x | x | 命令行操作,全平台支持,免费使用,稳定且灵活,适合一切熟悉命令行的大佬或集体或公司白嫖,自用或者大规模部署对外服务 | [下载安装](https://github.com/snail007/goproxy) |
| goproxy 商业版 | √ | √ | √ | 命令行操作,全平台支持,稳定且灵活,适合集体或公司大规模部署对外提供服务 | [下载安装](https://github.com/snail007/goproxy) |
关于免费版功能和商业版功能对比请看这里,[`免费版`和`商业版`功能对比](https://snail007.goproxyauth.com/goproxy/page/free_vs_commercial/).
[商业版激活绑定教程](https://snail007.goproxyauth.com/goproxy/page/free_vs_commercial/)
提示:
**免费和付费软件均没有额外技术支持,不按着手册操作的一切问题请自行解决。付费软件免费享有`手册功能`使用指导和`首次安装配置`指导。**
## FAQ
[别点我](https://snail007.goproxyauth.com/goproxy/page/faq/goproxy%E5%B8%B8%E8%A7%81%E9%97%AE%E9%A2%98%E8%A7%A3%E7%AD%94/)
## 首次使用必看,谢谢!!!
### 1. 环境
该手册教程,默认系统是linux,程序是proxy;所有操作需要root权限;
如果你的是windows,请使用windows版本的proxy.exe即可。
### 2. 使用配置文件
接下来的教程都是通过命令行参数介绍使用方法,也可以通过读取配置文件获取参数。
具体格式是通过@符号指定配置文件,例如:proxy @configfile.txt
configfile.txt里面的格式是,第一行是子命令名称,第二行开始一行一个参数,
格式:`参数 参数值`,没有参数值的直接写参数,比如:--nolog
比如configfile.txt内容如下:
```shell
http
-t tcp
-p :33080
--forever
```
### 3. 调试输出
默认情况下,日志输出的信息不包含文件行数,某些情况下为了排除程序问题,快速定位问题,
可以使用--debug参数,输出代码行数和毫秒时间。
### 4. 使用日志文件
默认情况下,日志是直接在控制台显示出来的,如果要保存到文件,可以使用--log参数,
比如: --log proxy.log,日志就会输出到proxy.log方便排除问题。
默认会输出info和warn日志,如果只关注warn日志,可以使用`--warn`参数,只输出warn日志。
### 5. 生成加密通讯需要的证书文件
http(s)代理、tcp代理、udp代理、socks5代理、内网穿透等功能和上级通讯的时候,为了安全我们采用TLS加密通讯,当然可以选择不加密通信通讯,本教程所有和上级通讯都采用加密,需要证书文件。
***所有端必须使用相同的proxy.crt和proxy.key***
1.通过下面的命令生成自签名的证书和key文件。
`proxy keygen -C proxy`
会在当前程序目录下面生成证书文件proxy.crt和key文件proxy.key。
2.通过下面的命令生,使用自签名证书proxy.crt和key文件proxy.key签发新证书:goproxy.crt和goproxy.key。
`proxy keygen -s -C proxy -c goproxy`
会在当前程序目录下面生成证书文件goproxy.crt和key文件goproxy.key。
3.默认情况下证书的里面的域名是随机的,可以使用`-n test.com`参数指定。
4.更多用法:`proxy keygen --help`。
### 6. 后台运行
默认执行proxy之后,如果要保持proxy运行,不能关闭命令行。
如果想在后台运行proxy,命令行可以关闭,只需要在命令最后加上--daemon参数即可。
比如:
`proxy http -t tcp -p "0.0.0.0:38080" --daemon`
### 7. 守护运行
守护运行参数--forever,比如: `proxy http --forever` ,
proxy会fork子进程,然后监控子进程,如果子进程异常退出,5秒后重启子进程。
该参数配合后台运行参数--daemon和日志参数--log,可以保障proxy一直在后台执行不会因为意外退出,
而且可以通过日志文件看到proxy的输出日志内容。
比如: `proxy http -p ":9090" --forever --log proxy.log --daemon`
### 8. 安全建议
当VPS在nat设备后面,vps上网卡IP都是内网IP,这个时候可以通过-g参数添加vps的外网ip防止死循环。
假设你的vps外网ip是23.23.23.23,下面命令通过-g参数设置23.23.23.23
`proxy http -g "23.23.23.23"`
### 9. 负载均衡和高可用
HTTP(S)\SOCKS5\SPS\TCP代理支持上级负载均衡和高可用,多个上级重复-P参数即可。
负载均衡策略支持5种,可以通过`--lb-method`参数指定:
roundrobin 轮流使用
leastconn 使用最小连接数的
leasttime 使用连接时间最小的
hash 使用根据客户端地址计算出一个固定上级
weight 根据每个上级的权重和连接数情况,选择出一个上级
提示:
1.负载均衡检查时间间隔可以通过`--lb-retrytime`设置,单位毫秒
2.负载均衡连接超时时间可以通过`--lb-timeout`设置,单位毫秒
3.如果负载均衡策略是权重(weight),-P格式为:2.2.2.2:3880?w=1,1就是权重,大于0的整数。
4.如果负载均衡策略是hash,默认是根据客户端地址选择上级,可以通过开关`--lb-hashtarget`使用访问的目标地址选择上级。
5.TCP代理没有参数`--lb-hashtarget`.
6.默认是负载均衡+高可用模式,如果使用了参数`--lb-onlyha`就只使用高可用模式,依据负载均衡策略选择一个节点,之后就一直使用这个节点,直到这个节点不再存活,那么会依据负载均衡策略再选择一个节点使用,以此循环.
7.如果检查节点全部不再存活,那么每次连接都会随机选取一个节点使用.
### 10. 代理跳板跳转
http(s)代理,SPS代理,内网穿透,tcp代理都支持通过中间第三方代理连接上级,
参数是:--jumper,所有格式如下:
```text
http://username:password@host:port
http://host:port
https://username:password@host:port
https://host:port
socks5://username:password@host:port
socks5://host:port
socks5s://username:password@host:port
socks5s://host:port
ss://method:password@host:port
```
http,socks5代表的是普通的http和socks5代理。
https,socks5s代表的是通过tls保护的http和socks5代理,
也就是http代理 over TLS , socks over TLS。
### 11. 域名黑白名单
socks/http(s)/sps代理都支持域名黑白名单。
用--stop参数指定一个域名黑名单列表文件,那么当用户连接文件里面这些域名的时候连接就会被断开。
用--only参数指定一个域名白名单列表文件,那么当用户连接文件里面这些域名之外的域名的时候连接就会被断开。
如果同时设置了--stop和--only,那么只有--only会起作用。
黑白域名名单文件内容格式如下:
```text
**.baidu.com
*.taobao.com
a.com
192.168.1.1
192.168.*.*
?.qq.com
```
说明:
1.一行一个域名,域名写法支持通配符`*`和`?`,`*`代表任意个字符,`?`代表一个任意字符,
2.`**.baidu.com` 匹配无论是多少级所有后缀是`.baidu.com`的域名。
3.`*.taobao.com` 匹配后缀是`.taobao.com`的三级域名。
4.还可以直接是IP地址。
5.`#`开头的为注释。
### 12. 端口黑名单
socks/http(s)/sps代理都支持端口黑名单。
用--stop-port参数指定一个端口黑名单列表文件,那么当用户连接文件里面这些端口的时候连接就会被断开。
端口黑名单文件内容格式如下:
```text
3306
22
```
说明:
1.一行一个端口。
2.`#`开头的为注释。
### 13. 客户端IP黑白名单
socks/http(s)/sps/tcp/udp/dns/内网穿透bridge/内网穿透tbridge,都支持客户端IP黑白名单。
用--ip-deny参数指定一个客户端IP黑名单列表文件,那么当用户的IP在这个文件里面的时候连接就会被断开。
用--ip-allow参数指定一个客户端IP白名单列表文件,那么当用户的IP不在这个文件里面的时候连接就会被断开。
如果同时设置了--ip-deny和--ip-allow,那么只有--ip-allow会起作用。
客户端IP黑白名单文件内容格式如下:
```text
192.168.1.1
192.168.*.*
192.168.1?.*
```
说明:
1.一行一个域名,域名写法支持通配符`*`和`?`,`*`代表任意个字符,`?`代表一个任意字符。
2.`#`开头的为注释。
### 14. 协议加载文件
proxy的各种代理功能里面很多地方都有参数设置一个文件,比如:--blocked 指定一个直接走上级的域名列表文件,参数值是文件的路径,
如果参数支持协议加载文件,那么文件路径不仅可以是文件路径,还可以是:
a.“base64://”开头的base64编码的上面说明的文件内容,比如:base64://ajfpoajsdfa=
b.”str://“开头的英文逗号分割的多个,比如:str://xxx,yyy
proxy的blocked,direct,stop,only,hosts,resolve.rules,rewriter.rules,ip.allow,ip.deny 文件支持协议加载。
### 15. 客户端并发连接数
socks5\sps\http代理,控制客户端并发连接数参数是:`--max-conns-rate`,控制每秒客户端的最大连接数,默认20, 0为不限制.
### 16. 监听多个端口
`tcp/http/socks/sps`支持同时监听多个端口以及范围端口。 一般情况下监听一个端口就可以,不过如果需要同时监听多个两个端口,或者范围端口,那么-p参数是支持的,
格式是:`-p 0.0.0.0:80,0.0.0.0:443,0.0.0.0:8000-9000,:5000-6000`,多个绑定用逗号分隔即可。
## 1.HTTP代理
### 1.1.普通一级HTTP代理
`proxy http -t tcp -p "0.0.0.0:38080"`
-p参数支持的写法:
```text
-p ":8081" 监听8081
-p ":8081,:8082" 监听8081和8082
-p ":8081,:8082,:9000-9999" 监听8081和8082以及9000,9001至9999,共1002个端口
```
### 1.2.普通二级HTTP代理
使用本地端口8090,假设上级HTTP代理是`22.22.22.22:8080`
`proxy http -t tcp -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" `
我们还可以指定网站域名的黑白名单文件,一行一个域名,匹配规则是最右匹配,比如:baidu.com,匹配的是*.*.baidu.com,黑名单的域名直接走上级代理,白名单的域名不走上级代理。
`proxy http -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" -b blocked.txt -d direct.txt`
### 1.3.HTTP二级代理(加密)
> 注意: 后面二级代理使用的`proxy.crt`和`proxy.key`应与一级代理一致
一级HTTP代理(VPS,IP:22.22.22.22)
`proxy http -t tls -p ":38080" -C proxy.crt -K proxy.key`
二级HTTP代理(本地Linux)
`proxy http -t tcp -p ":8080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
那么访问本地的8080端口就是访问VPS上面的代理端口38080。
二级HTTP代理(本地windows)
`proxy.exe http -t tcp -p ":8080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
然后设置你的windos系统中,需要通过代理上网的程序的代理为http模式,地址为:127.0.0.1,端口为:8080,程序即可通过加密通道通过vps上网。
### 1.4.HTTP三级代理(加密)
一级HTTP代理VPS_01,IP:22.22.22.22
`proxy http -t tls -p ":38080" -C proxy.crt -K proxy.key`
二级HTTP代理VPS_02,IP:33.33.33.33
`proxy http -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
三级HTTP代理(本地)
`proxy http -t tcp -p ":8080" -T tls -P "33.33.33.33:28080" -C proxy.crt -K proxy.key`
那么访问本地的8080端口就是访问一级HTTP代理上面的代理端口38080。
### 1.5.Basic认证,API认证
请参考`9.API认证` 和 `10.本地认证`
### 1.6.HTTP代理流量强制走上级HTTP代理
默认情况下,proxy会智能判断一个网站域名是否无法访问,如果无法访问才走上级HTTP代理.通过--always可以使全部HTTP代理流量强制走上级HTTP代理。
`proxy http --always -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
### 1.7.HTTP(S)通过SSH中转
说明:ssh中转的原理是利用了ssh的转发功能,就是你连接上ssh之后,可以通过ssh代理访问目标地址。
假设有:vps
- IP是2.2.2.2, ssh端口是22, ssh用户名是:user, ssh用户密码是:demo
- 用户user的ssh私钥名称是user.key
#### *1.7.1 ssh用户名和密码的方式*
本地HTTP(S)代理28080端口,执行:
`proxy http -T ssh -P "2.2.2.2:22" -u user -A demo -t tcp -p ":28080"`
#### *1.7.2 ssh用户名和密钥的方式*
本地HTTP(S)代理28080端口,执行:
`proxy http -T ssh -P "2.2.2.2:22" -u user -S user.key -t tcp -p ":28080"`
### 1.8.KCP协议传输
KCP协议需要--kcp-key参数设置一个密码用于加密解密数据
一级HTTP代理(VPS,IP:22.22.22.22)
`proxy http -t kcp -p ":38080" --kcp-key mypassword`
二级HTTP代理(本地Linux)
`proxy http -t tcp -p ":8080" -T kcp -P "22.22.22.22:38080" --kcp-key mypassword`
那么访问本地的8080端口就是访问VPS上面的代理端口38080,数据通过kcp协议传输,注意kcp走的是udp协议协议,所以防火墙需放开38080的udp协议。
### 1.9 HTTP(S)反向代理
proxy不仅支持在其他软件里面通过设置代理的方式,为其他软件提供代理服务,而且支持直接把请求的网站域名解析到proxy监听的ip上,然后proxy监听80和443端口,那么proxy就会自动为你代理访问需要访问的HTTP(S)网站。
使用方式:
在"最后一级proxy代理"的机器上,因为proxy要伪装成所有网站,网站默认的端口HTTP是80,HTTPS是443,让proxy监听80和443端口即可.参数-p多个地址用逗号分割。
`proxy http -t tcp -p :80,:443`
这个命令就在机器上启动了一个proxy代理,同时监听80和443端口,既可以当作普通的代理使用,也可以直接把需要代理的域名解析到这个机器的IP上。
如果有上级代理那么参照上面教程设置上级即可,使用方式完全一样。
`proxy http -t tcp -p :80,:443 -T tls -P "2.2.2.2:33080" -C proxy.crt -K proxy.key`
注意:
proxy所在的服务器的DNS解析结果不能受到自定义的解析影响,不然就死循环了,proxy代理最好指定`--dns-address 8.8.8.8`参数。
### 1.10 HTTP(S)透明代理
该模式需要具有一定的网络基础,相关概念不懂的请自行搜索解决。
假设proxy现在在路由器上运行,启动命令如下:
`proxy http -t tcp -p :33080 -T tls -P "2.2.2.2:33090" -C proxy.crt -K proxy.key`
然后添加iptables规则,下面是参考规则:
```shell
#上级proxy服务端服务器IP地址:
proxy_server_ip=2.2.2.2
#路由器运行proxy监听的端口:
proxy_local_port=33080
#下面的就不用修改了
#create a new chain named PROXY
iptables -t nat -N PROXY
# Ignore your PROXY server's addresses
# It's very IMPORTANT, just be careful。
iptables -t nat -A PROXY -d $proxy_server_ip -j RETURN
# Ignore LANs IP address
iptables -t nat -A PROXY -d 0.0.0.0/8 -j RETURN
iptables -t nat -A PROXY -d 10.0.0.0/8 -j RETURN
iptables -t nat -A PROXY -d 127.0.0.0/8 -j RETURN
iptables -t nat -A PROXY -d 169.254.0.0/16 -j RETURN
iptables -t nat -A PROXY -d 172.16.0.0/12 -j RETURN
iptables -t nat -A PROXY -d 192.168.0.0/16 -j RETURN
iptables -t nat -A PROXY -d 224.0.0.0/4 -j RETURN
iptables -t nat -A PROXY -d 240.0.0.0/4 -j RETURN
# Anything to port 80 443 should be redirected to PROXY's local port
iptables -t nat -A PROXY -p tcp --dport 80 -j REDIRECT --to-ports $proxy_local_port
iptables -t nat -A PROXY -p tcp --dport 443 -j REDIRECT --to-ports $proxy_local_port
# Apply the rules to nat client
iptables -t nat -A PREROUTING -p tcp -j PROXY
# Apply the rules to localhost
iptables -t nat -A OUTPUT -p tcp -j PROXY
```
- 清空整个链 iptables -F 链名比如iptables -t nat -F PROXY
- 删除指定的用户自定义链 iptables -X 链名 比如 iptables -t nat -X PROXY
- 从所选链中删除规则 iptables -D 链名 规则详情 比如 iptables -t nat -D PROXY -d 223.223.192.0/255.255.240.0 -j RETURN
### 1.11 自定义DNS
--dns-address和--dns-ttl参数,用于自己指定proxy访问域名的时候使用的dns(--dns-address)
以及解析结果缓存时间(--dns-ttl)秒数,避免系统dns对proxy的干扰,另外缓存功能还能减少dns解析时间提高访问速度。
比如:
`proxy http -p ":33080" --dns-address "8.8.8.8:53" --dns-ttl 300`
`--dns-address` 支持设置多个dns地址,负载均衡,英文半角逗号分割。比如:--dns-address "1.1.1.1:53,8.8.8.8:53"
还可以用参数`--dns-interface`指定dns解析使用的网卡,比如:`--dns-interface eth0`,dns解析就会走eth0网卡,此参数必须设置`--dns-address`才有效。
### 1.12 自定义加密
proxy的http(s)代理在tcp之上可以通过tls标准加密以及kcp协议加密tcp数据,除此之外还支持在tls和kcp之后进行自定义
加密,也就是说自定义加密和tls|kcp是可以联合使用的,内部采用AES256加密,使用的时候只需要自己定义一个密码即可,
加密分为两个部分,一部分是本地(-z)是否加密解密,一部分是与上级(-Z)传输是否加密解密。
自定义加密要求两端都是proxy才可以,下面分别用二级,三级为例:
二级实例
一级vps(ip:2.2.2.2)上执行:
`proxy http -t tcp -z demo_password -p :7777`
本地二级执行:
`proxy http -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080`
这样通过本地代理8080访问网站的时候就是通过与上级加密传输访问目标网站。
三级实例
一级vps(ip:2.2.2.2)上执行:
`proxy http -t tcp -z demo_password -p :7777`
二级vps(ip:3.3.3.3)上执行:
`proxy http -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888`
本地三级执行:
`proxy http -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080`
这样通过本地代理8080访问网站的时候就是通过与上级加密传输访问目标网站。
### 1.13 压缩传输
proxy的http(s)代理在tcp之上可以通过tls标准加密以及kcp协议加密tcp数据,在自定义加密之前还可以对数据进行压缩,
也就是说压缩功能和自定义加密和tls|kcp是可以联合使用的,压缩分为两个部分,一部分是本地(-m)是否压缩传输,
一部分是与上级(-M)传输是否压缩。
压缩要求两端都是proxy才可以,压缩也在一定程度上保护了(加密)数据,下面分别用二级,三级为例:
二级实例
一级vps(ip:2.2.2.2)上执行:
`proxy http -t tcp -m -p :7777`
本地二级执行:
`proxy http -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080`
这样通过本地代理8080访问网站的时候就是通过与上级压缩传输访问目标网站。
三级实例
一级vps(ip:2.2.2.2)上执行:
`proxy http -t tcp -m -p :7777`
二级vps(ip:3.3.3.3)上执行:
`proxy http -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888`
本地三级执行:
`proxy http -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080`
这样通过本地代理8080访问网站的时候就是通过与上级压缩传输访问目标网站。
### 1.14 负载均衡
HTTP(S)代理支持上级负载均衡,多个上级重复-P参数即可。
`proxy http --lb-method=hash -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080`
### 1.14.1 设置重试间隔和超时时间
`proxy http --lb-method=leastconn --lb-retrytime 300 --lb-timeout 300 -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080 -t tcp -p :33080`
### 1.14.2 设置权重
`proxy http --lb-method=weight -T tcp -P 1.1.1.1:33080?w=1 -P 2.1.1.1:33080?w=2 -P 3.1.1.1:33080?w=1 -t tcp -p :33080`
### 1.14.3 使用目标地址选择上级
`proxy http --lb-hashtarget --lb-method=hash -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080 -t tcp -p :33080`
### 1.15 限速
限速100K,通过`-l`参数即可指定,比如:100K 2000K 1M . 0意味着无限制。
`proxy http -t tcp -p 2.2.2.2:33080 -l 100K`
### 1.16 指定出口IP
`--bind-liste
gitextract_ojsql542/
├── .gitignore
├── CHANGELOG
├── ISSUE_TEMPLATE.md
├── LICENSE
├── README.md
├── README_ZH.md
├── VERSION
├── ad.txt
├── blocked
├── config.go
├── direct
├── docker/
│ ├── Dockerfile
│ ├── Shanghai
│ ├── build.sh
│ └── ca-certificates.crt
├── docs/
│ ├── 404.html
│ ├── categories/
│ │ ├── goproxy手册/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ ├── index.html
│ │ ├── index.xml
│ │ ├── 架构解说/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ ├── 细说层级/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ └── 默认分类/
│ │ ├── index.html
│ │ ├── index.xml
│ │ └── page/
│ │ └── 1/
│ │ └── index.html
│ ├── css/
│ │ └── styles.css
│ ├── index.html
│ ├── index.xml
│ ├── manual/
│ │ ├── index.html
│ │ ├── manual.md
│ │ └── zh/
│ │ ├── index.html
│ │ └── manual.md
│ ├── page/
│ │ ├── 1/
│ │ │ └── index.html
│ │ ├── 2/
│ │ │ └── index.html
│ │ ├── about/
│ │ │ └── index.html
│ │ ├── categories/
│ │ │ └── index.html
│ │ ├── faq/
│ │ │ └── goproxy常见问题解答/
│ │ │ └── index.html
│ │ ├── free_vs_commercial/
│ │ │ └── index.html
│ │ ├── free_vs_commercial_en/
│ │ │ └── index.html
│ │ ├── index.html
│ │ ├── index.xml
│ │ └── page/
│ │ └── 1/
│ │ └── index.html
│ ├── posts/
│ │ ├── cloudflare/
│ │ │ └── index.html
│ │ ├── domain-cf/
│ │ │ └── index.html
│ │ ├── http-nat-cdn/
│ │ │ └── index.html
│ │ ├── http_cdn_ws/
│ │ │ └── index.html
│ │ ├── index.html
│ │ ├── index.xml
│ │ ├── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ └── windows-global-proxy-using-dns/
│ │ └── index.html
│ ├── robots.txt
│ ├── sitemap.xml
│ ├── tags/
│ │ ├── cdn/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ ├── cloudflare/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ ├── commercial/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ ├── domain/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ ├── index.html
│ │ ├── index.xml
│ │ ├── tcp/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ ├── ws/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ ├── 全局代理/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ ├── 内网穿透/
│ │ │ ├── index.html
│ │ │ ├── index.xml
│ │ │ └── page/
│ │ │ └── 1/
│ │ │ └── index.html
│ │ └── 商业版/
│ │ ├── index.html
│ │ ├── index.xml
│ │ └── page/
│ │ └── 1/
│ │ └── index.html
│ └── usage/
│ ├── first/
│ │ └── index.html
│ ├── index.html
│ ├── index.xml
│ ├── page/
│ │ └── 1/
│ │ └── index.html
│ └── tcp/
│ └── index.html
├── dr.txt
├── go.mod
├── gui/
│ ├── README.md
│ └── README_ZH.md
├── hosts
├── install.sh
├── install_auto.sh
├── install_auto_commercial.sh
├── install_commercial.sh
├── main.go
├── resolve.rules
├── rewriter.rules
├── rhttp.toml
├── services/
│ ├── args.go
│ ├── http.go
│ ├── service.go
│ ├── tcp.go
│ ├── tunnel_bridge.go
│ ├── tunnel_client.go
│ ├── tunnel_server.go
│ └── udp.go
├── uninstall.sh
└── utils/
├── functions.go
├── io-limiter.go
├── map.go
├── pool.go
├── serve-channel.go
└── structs.go
SYMBOL INDEX (190 symbols across 16 files)
FILE: config.go
function initConfig (line 19) | func initConfig() (err error) {
function poster (line 120) | func poster() {
function tlsBytes (line 132) | func tlsBytes(cert, key string) (certBytes, keyBytes []byte) {
FILE: main.go
constant APP_VERSION (line 12) | APP_VERSION = "3.0"
function main (line 14) | func main() {
function Clean (line 21) | func Clean(s *services.Service) {
FILE: services/args.go
constant TYPE_TCP (line 7) | TYPE_TCP = "tcp"
constant TYPE_UDP (line 8) | TYPE_UDP = "udp"
constant TYPE_HTTP (line 9) | TYPE_HTTP = "http"
constant TYPE_TLS (line 10) | TYPE_TLS = "tls"
constant CONN_CONTROL (line 11) | CONN_CONTROL = uint8(1)
constant CONN_SERVER (line 12) | CONN_SERVER = uint8(2)
constant CONN_CLIENT (line 13) | CONN_CLIENT = uint8(3)
type Args (line 16) | type Args struct
type TunnelServerArgs (line 22) | type TunnelServerArgs struct
type TunnelClientArgs (line 28) | type TunnelClientArgs struct
type TunnelBridgeArgs (line 34) | type TunnelBridgeArgs struct
type TCPArgs (line 38) | type TCPArgs struct
method Protocol (line 70) | func (a *TCPArgs) Protocol() string {
type HTTPArgs (line 47) | type HTTPArgs struct
type UDPArgs (line 62) | type UDPArgs struct
FILE: services/http.go
type HTTP (line 13) | type HTTP struct
method InitService (line 28) | func (s *HTTP) InitService() {
method StopService (line 34) | func (s *HTTP) StopService() {
method Start (line 39) | func (s *HTTP) Start(args interface{}) (err error) {
method Clean (line 63) | func (s *HTTP) Clean() {
method callback (line 66) | func (s *HTTP) callback(inConn net.Conn) {
method OutToTCP (line 109) | func (s *HTTP) OutToTCP(useProxy bool, address string, inConn *net.Con...
method OutToUDP (line 150) | func (s *HTTP) OutToUDP(inConn *net.Conn) (err error) {
method InitOutConnPool (line 153) | func (s *HTTP) InitOutConnPool() {
method InitBasicAuth (line 168) | func (s *HTTP) InitBasicAuth() (err error) {
method IsBasicAuth (line 185) | func (s *HTTP) IsBasicAuth() bool {
method IsDeadLoop (line 188) | func (s *HTTP) IsDeadLoop(inLocalAddr string, host string) bool {
function NewHTTP (line 20) | func NewHTTP() Service {
FILE: services/service.go
type Service (line 9) | type Service interface
type ServiceItem (line 13) | type ServiceItem struct
function Regist (line 21) | func Regist(name string, s Service, args interface{}) {
function Run (line 28) | func Run(name string) (service *ServiceItem, err error) {
FILE: services/tcp.go
type TCP (line 15) | type TCP struct
method InitService (line 26) | func (s *TCP) InitService() {
method StopService (line 29) | func (s *TCP) StopService() {
method Start (line 34) | func (s *TCP) Start(args interface{}) (err error) {
method Clean (line 59) | func (s *TCP) Clean() {
method callback (line 62) | func (s *TCP) callback(inConn net.Conn) {
method OutToTCP (line 84) | func (s *TCP) OutToTCP(inConn *net.Conn) (err error) {
method OutToUDP (line 108) | func (s *TCP) OutToUDP(inConn *net.Conn) (err error) {
method InitOutConnPool (line 156) | func (s *TCP) InitOutConnPool() {
function NewTCP (line 20) | func NewTCP() Service {
FILE: services/tunnel_bridge.go
type BridgeItem (line 15) | type BridgeItem struct
type TunnelBridge (line 22) | type TunnelBridge struct
method InitService (line 34) | func (s *TunnelBridge) InitService() {
method Check (line 37) | func (s *TunnelBridge) Check() {
method StopService (line 43) | func (s *TunnelBridge) StopService() {
method Start (line 46) | func (s *TunnelBridge) Start(args interface{}) (err error) {
method Clean (line 99) | func (s *TunnelBridge) Clean() {
method ClientConn (line 102) | func (s *TunnelBridge) ClientConn(inConn *net.Conn, key string) {
method ServerConn (line 106) | func (s *TunnelBridge) ServerConn(inConn *net.Conn, key string) {
method ClientControlConn (line 110) | func (s *TunnelBridge) ClientControlConn(inConn *net.Conn, key string) {
method ConnChn (line 120) | func (s *TunnelBridge) ConnChn(key string, typ uint8) (chn chan *net.C...
method ChnDeamon (line 139) | func (s *TunnelBridge) ChnDeamon(item *BridgeItem) {
function NewTunnelBridge (line 27) | func NewTunnelBridge() Service {
FILE: services/tunnel_client.go
type TunnelClient (line 15) | type TunnelClient struct
method InitService (line 25) | func (s *TunnelClient) InitService() {
method Check (line 27) | func (s *TunnelClient) Check() {
method StopService (line 37) | func (s *TunnelClient) StopService() {
method Start (line 39) | func (s *TunnelClient) Start(args interface{}) (err error) {
method Clean (line 77) | func (s *TunnelClient) Clean() {
method GetInConn (line 80) | func (s *TunnelClient) GetInConn(typ uint8) (outConn net.Conn, err err...
method GetConn (line 100) | func (s *TunnelClient) GetConn() (conn net.Conn, err error) {
method ServeUDP (line 108) | func (s *TunnelClient) ServeUDP() {
method processUDPPacket (line 136) | func (s *TunnelClient) processUDPPacket(inConn *net.Conn, srcAddr stri...
method ServeConn (line 172) | func (s *TunnelClient) ServeConn() {
function NewTunnelClient (line 19) | func NewTunnelClient() Service {
FILE: services/tunnel_server.go
type TunnelServer (line 18) | type TunnelServer struct
method InitService (line 37) | func (s *TunnelServer) InitService() {
method Check (line 40) | func (s *TunnelServer) Check() {
method StopService (line 50) | func (s *TunnelServer) StopService() {
method Start (line 52) | func (s *TunnelServer) Start(args interface{}) (err error) {
method Clean (line 107) | func (s *TunnelServer) Clean() {
method GetOutConn (line 110) | func (s *TunnelServer) GetOutConn() (outConn net.Conn, err error) {
method GetConn (line 130) | func (s *TunnelServer) GetConn() (conn net.Conn, err error) {
method UDPConnDeamon (line 138) | func (s *TunnelServer) UDPConnDeamon() {
function NewTunnelServer (line 24) | func NewTunnelServer() Service {
type UDPItem (line 31) | type UDPItem struct
FILE: services/udp.go
type UDP (line 17) | type UDP struct
method InitService (line 30) | func (s *UDP) InitService() {
method StopService (line 35) | func (s *UDP) StopService() {
method Start (line 40) | func (s *UDP) Start(args interface{}) (err error) {
method Clean (line 62) | func (s *UDP) Clean() {
method callback (line 65) | func (s *UDP) callback(packet []byte, localAddr, srcAddr *net.UDPAddr) {
method GetConn (line 86) | func (s *UDP) GetConn(connKey string) (conn net.Conn, isNew bool, err ...
method OutToTCP (line 101) | func (s *UDP) OutToTCP(packet []byte, localAddr, srcAddr *net.UDPAddr)...
method OutToUDP (line 162) | func (s *UDP) OutToUDP(packet []byte, localAddr, srcAddr *net.UDPAddr)...
method InitOutConnPool (line 197) | func (s *UDP) InitOutConnPool() {
function NewUDP (line 24) | func NewUDP() Service {
FILE: utils/functions.go
function IoBind (line 25) | func IoBind(dst io.ReadWriter, src io.ReadWriter, fn func(isSrcErr bool,...
function ioCopy (line 79) | func ioCopy(dst io.Writer, src io.Reader, fn ...func(count int)) (writte...
function TlsConnectHost (line 108) | func TlsConnectHost(host string, timeout int, certBytes, keyBytes []byte...
function TlsConnect (line 114) | func TlsConnect(host string, port, timeout int, certBytes, keyBytes []by...
function getRequestTlsConfig (line 125) | func getRequestTlsConfig(certBytes, keyBytes []byte) (conf *tls.Config, ...
function ConnectHost (line 145) | func ConnectHost(hostAndPort string, timeout int) (conn net.Conn, err er...
function ListenTls (line 149) | func ListenTls(ip string, port int, certBytes, keyBytes []byte) (ln *net...
function PathExists (line 172) | func PathExists(_path string) bool {
function HTTPGet (line 179) | func HTTPGet(URL string, timeout int) (err error) {
function CloseConn (line 197) | func CloseConn(conn *net.Conn) {
function Keygen (line 203) | func Keygen() (err error) {
function GetAllInterfaceAddr (line 220) | func GetAllInterfaceAddr() ([]net.IP, error) {
function UDPPacket (line 264) | func UDPPacket(srcAddr string, packet []byte) []byte {
function ReadUDPPacket (line 275) | func ReadUDPPacket(conn *net.Conn) (srcAddr string, packet []byte, err e...
FILE: utils/io-limiter.go
constant burstLimit (line 11) | burstLimit = 1000 * 1000 * 1000
type Reader (line 13) | type Reader struct
method SetRateLimit (line 58) | func (s *Reader) SetRateLimit(bytesPerSec float64) {
method Read (line 64) | func (s *Reader) Read(p []byte) (int, error) {
type Writer (line 19) | type Writer struct
method SetRateLimit (line 79) | func (s *Writer) SetRateLimit(bytesPerSec float64) {
method Write (line 85) | func (s *Writer) Write(p []byte) (int, error) {
function NewReader (line 26) | func NewReader(r io.Reader) *Reader {
function NewReaderWithContext (line 34) | func NewReaderWithContext(r io.Reader, ctx context.Context) *Reader {
function NewWriter (line 42) | func NewWriter(w io.Writer) *Writer {
function NewWriterWithContext (line 50) | func NewWriterWithContext(w io.Writer, ctx context.Context) *Writer {
FILE: utils/map.go
type ConcurrentMap (line 12) | type ConcurrentMap
method GetShard (line 30) | func (m ConcurrentMap) GetShard(key string) *ConcurrentMapShared {
method MSet (line 34) | func (m ConcurrentMap) MSet(data map[string]interface{}) {
method Set (line 44) | func (m ConcurrentMap) Set(key string, value interface{}) {
method Upsert (line 59) | func (m ConcurrentMap) Upsert(key string, value interface{}, cb Upsert...
method SetIfAbsent (line 70) | func (m ConcurrentMap) SetIfAbsent(key string, value interface{}) bool {
method Get (line 83) | func (m ConcurrentMap) Get(key string) (interface{}, bool) {
method Count (line 94) | func (m ConcurrentMap) Count() int {
method Has (line 106) | func (m ConcurrentMap) Has(key string) bool {
method Remove (line 117) | func (m ConcurrentMap) Remove(key string) {
method Pop (line 126) | func (m ConcurrentMap) Pop(key string) (v interface{}, exists bool) {
method IsEmpty (line 137) | func (m ConcurrentMap) IsEmpty() bool {
method Iter (line 150) | func (m ConcurrentMap) Iter() <-chan Tuple {
method IterBuffered (line 158) | func (m ConcurrentMap) IterBuffered() <-chan Tuple {
method Items (line 212) | func (m ConcurrentMap) Items() map[string]interface{} {
method IterCb (line 231) | func (m ConcurrentMap) IterCb(fn IterCb) {
method Keys (line 243) | func (m ConcurrentMap) Keys() []string {
method MarshalJSON (line 274) | func (m ConcurrentMap) MarshalJSON() ([]byte, error) {
type ConcurrentMapShared (line 15) | type ConcurrentMapShared struct
function NewConcurrentMap (line 21) | func NewConcurrentMap() ConcurrentMap {
type UpsertCb (line 56) | type UpsertCb
type Tuple (line 142) | type Tuple struct
function snapshot (line 173) | func snapshot(m ConcurrentMap) (chans []chan Tuple) {
function fanIn (line 196) | func fanIn(chans []chan Tuple, out chan Tuple) {
type IterCb (line 227) | type IterCb
function fnv32 (line 285) | func fnv32(key string) uint32 {
FILE: utils/pool.go
type ConnPool (line 10) | type ConnPool interface
type poolConfig (line 16) | type poolConfig struct
function NewConnPool (line 24) | func NewConnPool(poolConfig poolConfig) (pool ConnPool, err error) {
type netPool (line 40) | type netPool struct
method initAutoFill (line 46) | func (p *netPool) initAutoFill(async bool) (err error) {
method Get (line 94) | func (p *netPool) Get() (conn interface{}, err error) {
method Put (line 118) | func (p *netPool) Put(conn interface{}) {
method ReleaseAll (line 133) | func (p *netPool) ReleaseAll() {
method Len (line 143) | func (p *netPool) Len() (length int) {
FILE: utils/serve-channel.go
type ServerChannel (line 10) | type ServerChannel struct
method SetErrAcceptHandler (line 27) | func (sc *ServerChannel) SetErrAcceptHandler(fn func(err error)) {
method ListenTls (line 30) | func (sc *ServerChannel) ListenTls(certBytes, keyBytes []byte, fn func...
method ListenTCP (line 62) | func (sc *ServerChannel) ListenTCP(fn func(conn net.Conn)) (err error) {
method ListenUDP (line 94) | func (sc *ServerChannel) ListenUDP(fn func(packet []byte, localAddr, s...
function NewServerChannel (line 18) | func NewServerChannel(ip string, port int) ServerChannel {
FILE: utils/structs.go
type Checker (line 17) | type Checker struct
method loadMap (line 56) | func (c *Checker) loadMap(f string) (dataMap ConcurrentMap) {
method start (line 73) | func (c *Checker) start() {
method isNeedCheck (line 104) | func (c *Checker) isNeedCheck(item CheckerItem) bool {
method IsBlocked (line 114) | func (c *Checker) IsBlocked(address string) (blocked bool, failN, succ...
method domainIsInMap (line 133) | func (c *Checker) domainIsInMap(address string, blockedMap bool) bool {
method Add (line 156) | func (c *Checker) Add(address string, isHTTPS bool, method, URL string...
type CheckerItem (line 24) | type CheckerItem struct
function NewChecker (line 38) | func NewChecker(timeout int, interval int64, blockedFile, directFile str...
type BasicAuth (line 176) | type BasicAuth struct
method AddFromFile (line 185) | func (ba *BasicAuth) AddFromFile(file string) (n int, err error) {
method Add (line 204) | func (ba *BasicAuth) Add(userpassArr []string) (n int) {
method Check (line 215) | func (ba *BasicAuth) Check(userpass string) (ok bool) {
method Total (line 224) | func (ba *BasicAuth) Total() (n int) {
function NewBasicAuth (line 180) | func NewBasicAuth() BasicAuth {
type HTTPRequest (line 229) | type HTTPRequest struct
method HTTP (line 279) | func (req *HTTPRequest) HTTP() (err error) {
method HTTPS (line 294) | func (req *HTTPRequest) HTTPS() (err error) {
method HTTPSReply (line 300) | func (req *HTTPRequest) HTTPSReply() (err error) {
method IsHTTPS (line 304) | func (req *HTTPRequest) IsHTTPS() bool {
method BasicAuth (line 308) | func (req *HTTPRequest) BasicAuth() (err error) {
method getHTTPURL (line 340) | func (req *HTTPRequest) getHTTPURL() (URL string, err error) {
method getHeader (line 351) | func (req *HTTPRequest) getHeader(key string) (val string, err error) {
method addPortIfNot (line 369) | func (req *HTTPRequest) addPortIfNot() (newHost string) {
function NewHTTPRequest (line 240) | func NewHTTPRequest(inConn *net.Conn, bufSize int, isBasicAuth bool, bas...
type OutPool (line 383) | type OutPool struct
method getConn (line 431) | func (op *OutPool) getConn() (conn interface{}, err error) {
method initPoolDeamon (line 444) | func (op *OutPool) initPoolDeamon() {
function NewOutPool (line 393) | func NewOutPool(dur int, isTLS bool, certBytes, keyBytes []byte, address...
Condensed preview — 119 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (4,785K chars).
[
{
"path": ".gitignore",
"chars": 23,
"preview": "/.idea\n/goproxy\n/go.sum"
},
{
"path": "CHANGELOG",
"chars": 9231,
"preview": "proxy更新日志\n\nv7.5\n1.http(s)\\socks\\sps 增加了本地监听单向tls支持.\n2.socks5协议兼容了更多不标准的客户端.\n3.可以使用第三方安卓客户端对接proxy的socks5服务了,支持认证.\n4.修复了多"
},
{
"path": "ISSUE_TEMPLATE.md",
"chars": 1104,
"preview": "# 为避免浪费时间,一切不按着issue模版填写的问题,一律默认忽略处理,谢谢合作!\n# Avoid waste time, any report not match the issue template will be ignored.\n"
},
{
"path": "LICENSE",
"chars": 35141,
"preview": " GNU GENERAL PUBLIC LICENSE\n Version 3, 29 June 2007\n\n Copyright (C) 2007 Free "
},
{
"path": "README.md",
"chars": 131238,
"preview": "## GOPROXY Introduction\n\n<div align=\"center\">\n<img src=\"https://mirrors.goproxyauth.com/https://raw.githubusercontent.co"
},
{
"path": "README_ZH.md",
"chars": 78320,
"preview": "## GOPROXY简介\n\n<div align=\"center\">\n<img src=\"https://mirrors.goproxyauth.com/https://raw.githubusercontent.com/snail007/"
},
{
"path": "VERSION",
"chars": 3,
"preview": "7.6"
},
{
"path": "ad.txt",
"chars": 1264238,
"preview": "127.0.0.1 0.nextyourcontent.com\n127.0.0.1 00-gov.cn\n127.0.0.1 0024aaaa.com\n127.0.0.1 003store.com\n127.0.0.1 006.freecoun"
},
{
"path": "blocked",
"chars": 67179,
"preview": "0rz.tw\n0to255.com\n0zz0.com\n1-apple.com.tw\n1000dosok.ru\n1000giri.net\n1024.inc.gs\n10conditionsoflove.com\n10musume.com\n10yo"
},
{
"path": "config.go",
"chars": 6983,
"preview": "package main\n\nimport (\n\t\"fmt\"\n\t\"io/ioutil\"\n\t\"log\"\n\t\"os\"\n\t\"github.com/snail007/goproxy/services\"\n\t\"github.com/snail007/go"
},
{
"path": "direct",
"chars": 5050,
"preview": "07073.com\n10010.com\n100ye.com\n114la.com\n115.com\n120ask.com\n126.com\n126.net\n1616.net\n163.com\n17173.com\n1778.com\n178.com\n1"
},
{
"path": "docker/Dockerfile",
"chars": 163,
"preview": "# alpine, busybox, scratch\nFROM scratch\nCOPY proxy /\nCOPY Shanghai /etc/localtime/\nCOPY ca-certificates.crt /etc/ssl/cer"
},
{
"path": "docker/build.sh",
"chars": 422,
"preview": "#!/bin/bash\nset -e\nver=$1\nif [ -z \"$ver\" ]; then\n echo -e \"example:\\n./build.sh 10.0\"\nexit\nfi\nCLEAN=\"goproxy proxy\"\nrm "
},
{
"path": "docker/ca-certificates.crt",
"chars": 198540,
"preview": "-----BEGIN CERTIFICATE-----\nMIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcNAQEFBQAwQjESMBAGA1UE\nAwwJQUNDVlJBSVoxMRAwDgYDVQQ"
},
{
"path": "docs/404.html",
"chars": 3016,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/categories/goproxy手册/index.html",
"chars": 8403,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/categories/goproxy手册/index.xml",
"chars": 1424,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>\n<rss version=\"2.0\" xmlns:atom=\"http://www.w3.org/2005/Atom\">\n "
},
{
"path": "docs/categories/goproxy手册/page/1/index.html",
"chars": 430,
"preview": "<!DOCTYPE html><html><head><title>https://snail007.goproxyauth.com/goproxy/categories/goproxy%E6%89%8B%E5%86%8C/</title>"
},
{
"path": "docs/categories/index.html",
"chars": 7692,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/categories/index.xml",
"chars": 2094,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>\n<rss version=\"2.0\" xmlns:atom=\"http://www.w3.org/2005/Atom\">\n "
},
{
"path": "docs/categories/架构解说/index.html",
"chars": 7539,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/categories/架构解说/index.xml",
"chars": 1031,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>\n<rss version=\"2.0\" xmlns:atom=\"http://www.w3.org/2005/Atom\">\n "
},
{
"path": "docs/categories/架构解说/page/1/index.html",
"chars": 463,
"preview": "<!DOCTYPE html><html><head><title>https://snail007.goproxyauth.com/goproxy/categories/%E6%9E%B6%E6%9E%84%E8%A7%A3%E8%AF%"
},
{
"path": "docs/categories/细说层级/index.html",
"chars": 7539,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/categories/细说层级/index.xml",
"chars": 1031,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>\n<rss version=\"2.0\" xmlns:atom=\"http://www.w3.org/2005/Atom\">\n "
},
{
"path": "docs/categories/细说层级/page/1/index.html",
"chars": 463,
"preview": "<!DOCTYPE html><html><head><title>https://snail007.goproxyauth.com/goproxy/categories/%E7%BB%86%E8%AF%B4%E5%B1%82%E7%BA%"
},
{
"path": "docs/categories/默认分类/index.html",
"chars": 13595,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/categories/默认分类/index.xml",
"chars": 4471,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>\n<rss version=\"2.0\" xmlns:atom=\"http://www.w3.org/2005/Atom\">\n "
},
{
"path": "docs/categories/默认分类/page/1/index.html",
"chars": 463,
"preview": "<!DOCTYPE html><html><head><title>https://snail007.goproxyauth.com/goproxy/categories/%E9%BB%98%E8%AE%A4%E5%88%86%E7%B1%"
},
{
"path": "docs/css/styles.css",
"chars": 4145,
"preview": "html {\n font-size: 18px;\n}\n\n@media (max-width: 768px) {\n html {\n font-size: 15px;\n }\n}\n\nbody {\n font-size: inhe"
},
{
"path": "docs/index.html",
"chars": 15014,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/index.xml",
"chars": 5756,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>\n<rss version=\"2.0\" xmlns:atom=\"http://www.w3.org/2005/Atom\">\n "
},
{
"path": "docs/manual/index.html",
"chars": 14659,
"preview": "\n<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n <meta charset=\"UTF-8\">\n <title>GOPROXY Manual</title>\n <meta name=\"descript"
},
{
"path": "docs/manual/manual.md",
"chars": 120053,
"preview": "## How to Install\n\n### 1. Linux Install\n\n[click me get Linux installation](https://github.com/snail007/goproxy/blob/mast"
},
{
"path": "docs/manual/zh/index.html",
"chars": 79085,
"preview": "\n<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n <meta charset=\"UTF-8\">\n <title>GOPROXY 使用文档</title>\n <meta name=\"descriptio"
},
{
"path": "docs/manual/zh/manual.md",
"chars": 70913,
"preview": "## 如何安装\n\n### 1. Linux安装\n\n[点击查看Linux安装教程](https://github.com/snail007/goproxy/blob/master/README_ZH.md#%E4%B8%8B%E8%BD%BD"
},
{
"path": "docs/page/1/index.html",
"chars": 319,
"preview": "<!DOCTYPE html><html><head><title>https://snail007.goproxyauth.com/goproxy/</title><link rel=\"canonical\" href=\"https://s"
},
{
"path": "docs/page/2/index.html",
"chars": 8054,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/page/about/index.html",
"chars": 10551,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/page/categories/index.html",
"chars": 11310,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/page/faq/goproxy常见问题解答/index.html",
"chars": 11981,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/page/free_vs_commercial/index.html",
"chars": 19172,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/page/free_vs_commercial_en/index.html",
"chars": 22692,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/page/index.html",
"chars": 10759,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/page/index.xml",
"chars": 2981,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>\n<rss version=\"2.0\" xmlns:atom=\"http://www.w3.org/2005/Atom\">\n "
},
{
"path": "docs/page/page/1/index.html",
"chars": 334,
"preview": "<!DOCTYPE html><html><head><title>https://snail007.goproxyauth.com/goproxy/page/</title><link rel=\"canonical\" href=\"http"
},
{
"path": "docs/posts/cloudflare/index.html",
"chars": 11692,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/posts/domain-cf/index.html",
"chars": 14353,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/posts/http-nat-cdn/index.html",
"chars": 12143,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/posts/http_cdn_ws/index.html",
"chars": 14770,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/posts/index.html",
"chars": 10736,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/posts/index.xml",
"chars": 2671,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>\n<rss version=\"2.0\" xmlns:atom=\"http://www.w3.org/2005/Atom\">\n "
},
{
"path": "docs/posts/page/1/index.html",
"chars": 337,
"preview": "<!DOCTYPE html><html><head><title>https://snail007.goproxyauth.com/goproxy/posts/</title><link rel=\"canonical\" href=\"htt"
},
{
"path": "docs/posts/windows-global-proxy-using-dns/index.html",
"chars": 12686,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/robots.txt",
"chars": 13,
"preview": "User-agent: *"
},
{
"path": "docs/sitemap.xml",
"chars": 5273,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>\n<urlset xmlns=\"http://www.sitemaps.org/schemas/sitemap/0.9\"\n x"
},
{
"path": "docs/tags/cdn/index.html",
"chars": 9943,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/tags/cdn/index.xml",
"chars": 2234,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>\n<rss version=\"2.0\" xmlns:atom=\"http://www.w3.org/2005/Atom\">\n "
},
{
"path": "docs/tags/cdn/page/1/index.html",
"chars": 346,
"preview": "<!DOCTYPE html><html><head><title>https://snail007.goproxyauth.com/goproxy/tags/cdn/</title><link rel=\"canonical\" href=\""
},
{
"path": "docs/tags/cloudflare/index.html",
"chars": 8451,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/tags/cloudflare/index.xml",
"chars": 1440,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>\n<rss version=\"2.0\" xmlns:atom=\"http://www.w3.org/2005/Atom\">\n "
},
{
"path": "docs/tags/cloudflare/page/1/index.html",
"chars": 367,
"preview": "<!DOCTYPE html><html><head><title>https://snail007.goproxyauth.com/goproxy/tags/cloudflare/</title><link rel=\"canonical\""
},
{
"path": "docs/tags/commercial/index.html",
"chars": 8118,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/tags/commercial/index.xml",
"chars": 1446,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>\n<rss version=\"2.0\" xmlns:atom=\"http://www.w3.org/2005/Atom\">\n "
},
{
"path": "docs/tags/commercial/page/1/index.html",
"chars": 367,
"preview": "<!DOCTYPE html><html><head><title>https://snail007.goproxyauth.com/goproxy/tags/commercial/</title><link rel=\"canonical\""
},
{
"path": "docs/tags/domain/index.html",
"chars": 7706,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/tags/domain/index.xml",
"chars": 1037,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>\n<rss version=\"2.0\" xmlns:atom=\"http://www.w3.org/2005/Atom\">\n "
},
{
"path": "docs/tags/domain/page/1/index.html",
"chars": 355,
"preview": "<!DOCTYPE html><html><head><title>https://snail007.goproxyauth.com/goproxy/tags/domain/</title><link rel=\"canonical\" hre"
},
{
"path": "docs/tags/index.html",
"chars": 8328,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/tags/index.xml",
"chars": 3456,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>\n<rss version=\"2.0\" xmlns:atom=\"http://www.w3.org/2005/Atom\">\n "
},
{
"path": "docs/tags/tcp/index.html",
"chars": 7616,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/tags/tcp/index.xml",
"chars": 980,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>\n<rss version=\"2.0\" xmlns:atom=\"http://www.w3.org/2005/Atom\">\n "
},
{
"path": "docs/tags/tcp/page/1/index.html",
"chars": 346,
"preview": "<!DOCTYPE html><html><head><title>https://snail007.goproxyauth.com/goproxy/tags/tcp/</title><link rel=\"canonical\" href=\""
},
{
"path": "docs/tags/ws/index.html",
"chars": 8967,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/tags/ws/index.xml",
"chars": 1746,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>\n<rss version=\"2.0\" xmlns:atom=\"http://www.w3.org/2005/Atom\">\n "
},
{
"path": "docs/tags/ws/page/1/index.html",
"chars": 343,
"preview": "<!DOCTYPE html><html><head><title>https://snail007.goproxyauth.com/goproxy/tags/ws/</title><link rel=\"canonical\" href=\"h"
},
{
"path": "docs/tags/全局代理/index.html",
"chars": 7774,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/tags/全局代理/index.xml",
"chars": 1120,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>\n<rss version=\"2.0\" xmlns:atom=\"http://www.w3.org/2005/Atom\">\n "
},
{
"path": "docs/tags/全局代理/page/1/index.html",
"chars": 445,
"preview": "<!DOCTYPE html><html><head><title>https://snail007.goproxyauth.com/goproxy/tags/%E5%85%A8%E5%B1%80%E4%BB%A3%E7%90%86/</t"
},
{
"path": "docs/tags/内网穿透/index.html",
"chars": 7758,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/tags/内网穿透/index.xml",
"chars": 1112,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>\n<rss version=\"2.0\" xmlns:atom=\"http://www.w3.org/2005/Atom\">\n "
},
{
"path": "docs/tags/内网穿透/page/1/index.html",
"chars": 445,
"preview": "<!DOCTYPE html><html><head><title>https://snail007.goproxyauth.com/goproxy/tags/%E5%86%85%E7%BD%91%E7%A9%BF%E9%80%8F/</t"
},
{
"path": "docs/tags/商业版/index.html",
"chars": 8907,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/tags/商业版/index.xml",
"chars": 1888,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>\n<rss version=\"2.0\" xmlns:atom=\"http://www.w3.org/2005/Atom\">\n "
},
{
"path": "docs/tags/商业版/page/1/index.html",
"chars": 418,
"preview": "<!DOCTYPE html><html><head><title>https://snail007.goproxyauth.com/goproxy/tags/%E5%95%86%E4%B8%9A%E7%89%88/</title><lin"
},
{
"path": "docs/usage/first/index.html",
"chars": 14057,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/usage/index.html",
"chars": 8335,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "docs/usage/index.xml",
"chars": 1356,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"yes\" ?>\n<rss version=\"2.0\" xmlns:atom=\"http://www.w3.org/2005/Atom\">\n "
},
{
"path": "docs/usage/page/1/index.html",
"chars": 337,
"preview": "<!DOCTYPE html><html><head><title>https://snail007.goproxyauth.com/goproxy/usage/</title><link rel=\"canonical\" href=\"htt"
},
{
"path": "docs/usage/tcp/index.html",
"chars": 11991,
"preview": "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n<meta name=\"pinterest\" content=\"nopin\">\n<meta name=\"viewport\""
},
{
"path": "dr.txt",
"chars": 1960239,
"preview": "07073.com\n10010.com\n100ye.com\n114la.com\n115.com\n120ask.com\n126.com\n126.net\n1616.net\n163.com\n17173.com\n1778.com\n178.com\n1"
},
{
"path": "go.mod",
"chars": 353,
"preview": "module github.com/snail007/goproxy\n\ngo 1.16\n\nrequire (\n\tgithub.com/alecthomas/template v0.0.0-20190718012654-fb15b899a75"
},
{
"path": "gui/README.md",
"chars": 792,
"preview": "# Proxy-GUI\nBased on the proxy platform SDK, the author and many enthusiasts have developed the GUI version of the proxy"
},
{
"path": "gui/README_ZH.md",
"chars": 569,
"preview": "# Proxy-GUI\n基于proxy的各平台SDK,作者和众多热心人士开发了各平台的GUI版本的proxy,下面分平台介绍. \n\n## Windows\n\n- 官方java版本,项目主页:[goproxy-jui](https://git"
},
{
"path": "hosts",
"chars": 222,
"preview": "# domain support wildcard and comment line stared with #\n# **.google.com match all domain subfix with .google.com\n# *.yo"
},
{
"path": "install.sh",
"chars": 892,
"preview": "#!/bin/bash\nF=\"proxy-linux-amd64.tar.gz\"\nmanual=\"https://snail007.host900.com/goproxy/manual/\"\nset -e\nWORKDIR=\"/tmp/prox"
},
{
"path": "install_auto.sh",
"chars": 1266,
"preview": "#!/bin/bash\nif [ \"$1\" == \"cn\" ]; then\n MIRROR=\"https://mirrors.goproxyauth.com/\"\nfi\nF=\"proxy-linux-amd64.tar.gz\"\nset -e"
},
{
"path": "install_auto_commercial.sh",
"chars": 1286,
"preview": "#!/bin/bash\nMIRROR=\"\"\nif [ \"$1\" == \"cn\" ]; then\n MIRROR=\"https://mirrors.goproxyauth.com/\"\nfi\nF=\"proxy-linux-amd64_comm"
},
{
"path": "install_commercial.sh",
"chars": 903,
"preview": "#!/bin/bash\nF=\"proxy-linux-amd64_commercial.tar.gz\"\nmanual=\"https://snail007.host900.com/goproxy/manual/\"\nset -e\nWORKDIR"
},
{
"path": "main.go",
"chars": 636,
"preview": "package main\n\nimport (\n\t\"fmt\"\n\t\"github.com/snail007/goproxy/services\"\n\t\"log\"\n\t\"os\"\n\t\"os/signal\"\n\t\"syscall\"\n)\n\nconst APP_"
},
{
"path": "resolve.rules",
"chars": 533,
"preview": "# domain support wildcard and comment line stared with #\n# **.google.com match all domain subfix with .google.com\n# *.yo"
},
{
"path": "rewriter.rules",
"chars": 100,
"preview": "# example\nwww.a.com:80 10.0.0.2:8080\n**.b.com:80 10.0.0.2:80\n192.168.0.11:80 10.0.0.2:8080"
},
{
"path": "rhttp.toml",
"chars": 3646,
"preview": "# minimal example\n[[host]]\nbind=\"http://demo.com/\"\ntarget=\"https://127.0.0.1:9090/\"\nupstream=\"127.0.0.1:9090\"\n\n# example"
},
{
"path": "services/args.go",
"chars": 1442,
"preview": "package services\n\n// tcp := app.Command(\"tcp\", \"proxy on tcp mode\")\n// t := tcp.Flag(\"tcp-timeout\", \"tcp timeout millise"
},
{
"path": "services/http.go",
"chars": 5559,
"preview": "package services\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"log\"\n\t\"net\"\n\t\"github.com/snail007/goproxy/utils\"\n\t\"runtime/debug\"\n\t\"strconv\"\n)"
},
{
"path": "services/service.go",
"chars": 865,
"preview": "package services\n\nimport (\n\t\"fmt\"\n\t\"log\"\n\t\"runtime/debug\"\n)\n\ntype Service interface {\n\tStart(args interface{}) (err erro"
},
{
"path": "services/tcp.go",
"chars": 4567,
"preview": "package services\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"log\"\n\t\"net\"\n\t\"github.com/snail007/goproxy/utils\"\n\t\"runtime/debug\"\n\t\"time\"\n\n\t\"s"
},
{
"path": "services/tunnel_bridge.go",
"chars": 4927,
"preview": "package services\n\nimport (\n\t\"bufio\"\n\t\"encoding/binary\"\n\t\"fmt\"\n\t\"log\"\n\t\"net\"\n\t\"github.com/snail007/goproxy/utils\"\n\t\"strco"
},
{
"path": "services/tunnel_client.go",
"chars": 5436,
"preview": "package services\n\nimport (\n\t\"bytes\"\n\t\"crypto/tls\"\n\t\"encoding/binary\"\n\t\"fmt\"\n\t\"io\"\n\t\"log\"\n\t\"net\"\n\t\"github.com/snail007/go"
},
{
"path": "services/tunnel_server.go",
"chars": 5575,
"preview": "package services\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"crypto/tls\"\n\t\"encoding/binary\"\n\t\"io\"\n\t\"log\"\n\t\"net\"\n\t\"github.com/snail007/"
},
{
"path": "services/udp.go",
"chars": 5925,
"preview": "package services\n\nimport (\n\t\"bufio\"\n\t\"fmt\"\n\t\"hash/crc32\"\n\t\"io\"\n\t\"log\"\n\t\"net\"\n\t\"github.com/snail007/goproxy/utils\"\n\t\"runt"
},
{
"path": "uninstall.sh",
"chars": 56,
"preview": "#!/bin/bash\nrm -rf /usr/bin/proxy\necho \"uninstall done\"\n"
},
{
"path": "utils/functions.go",
"chars": 8482,
"preview": "package utils\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"crypto/tls\"\n\t\"crypto/x509\"\n\t\"encoding/binary\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"log\"\n"
},
{
"path": "utils/io-limiter.go",
"chars": 2090,
"preview": "package utils\n\nimport (\n\t\"context\"\n\t\"io\"\n\t\"time\"\n\n\t\"golang.org/x/time/rate\"\n)\n\nconst burstLimit = 1000 * 1000 * 1000\n\nty"
},
{
"path": "utils/map.go",
"chars": 7863,
"preview": "package utils\n\nimport (\n\t\"encoding/json\"\n\t\"sync\"\n)\n\nvar SHARD_COUNT = 32\n\n// A \"thread\" safe map of type string:Anything"
},
{
"path": "utils/pool.go",
"chars": 2590,
"preview": "package utils\n\nimport (\n\t\"log\"\n\t\"sync\"\n\t\"time\"\n)\n\n//ConnPool to use\ntype ConnPool interface {\n\tGet() (conn interface{}, "
},
{
"path": "utils/serve-channel.go",
"chars": 2929,
"preview": "package utils\n\nimport (\n\t\"fmt\"\n\t\"log\"\n\t\"net\"\n\t\"runtime/debug\"\n)\n\ntype ServerChannel struct {\n\tip string\n\tp"
},
{
"path": "utils/structs.go",
"chars": 11180,
"preview": "package utils\n\nimport (\n\t\"bytes\"\n\t\"crypto/tls\"\n\t\"encoding/base64\"\n\t\"fmt\"\n\t\"io\"\n\t\"io/ioutil\"\n\t\"log\"\n\t\"net\"\n\t\"net/url\"\n\t\"s"
}
]
// ... and 1 more files (download for full content)
About this extraction
This page contains the full source code of the snail007/goproxy GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 119 files (4.3 MB), approximately 1.1M tokens, and a symbol index with 190 extracted functions, classes, methods, constants, and types. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.