Questions, comments, bugreports and feature requests #3 #560

Open
z3APA3A opened this issue Nov 26, 2020 · 52 comments

@z3APA3A
Collaborator

z3APA3A commented Nov 26, 2020

For feature requests and bugreports please create an issue.
If you have any questions or comments you can create an issue or write to 3proxy@3proxy.ru.
Please read at least FAQ and How To before asking:
https://3proxy.org/doc/
https://3proxy.org/documents/

begins in #395 #11

@APX403

APX403 commented Nov 27, 2020

- Question about roundrobin -

Hello !

I would like to know if it's possible to randomly assign an output proxy ?

For example I have two working proxies in this configuration (a different port for each proxy: 7185 & 7186, each proxy on a different network interface: ups185 & ups186)

log /var/log/3proxy.log

logformat "L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"

auth iponly strong

authcache user 3600

nscache 65536

flush
users "user:CL:password"
allow user

proxy -a -i192.168.0.73 -p7185 -Deups185
proxy -a -i192.168.0.73 -p7186 -Deups186

Is it possible to assign these two proxies to the same port and randomly select one or the other as the output ?

                           ----- proxy with interface ups185 ----- 
User ----- 3proxy server --|                                      |------ output connexion (IP randomly selected between ups185 and ups186)
                           ----- proxy with interface ups186 ----- 

I hope you will understand my question, thanks a lot for this great proxy server 👍

@z3APA3A
Collaborator Author

z3APA3A commented Nov 27, 2020

Use
parent WEIGHT extip IP 0 ...
this parent type sets external address of outgoing request to IP with probability of WEIGHT/1000. Some examples may be found in https://3proxy.ru/highload.asp

@z3APA3A z3APA3A closed this as completed Nov 27, 2020
@APX403

APX403 commented Nov 27, 2020

But is it possible using interface names ? Because all my interfaces have the same IPs and I cannot change it (it's 4G dongles)

@z3APA3A
Collaborator Author

z3APA3A commented Nov 27, 2020

In this case, start a few 'proxy' instances bound to different interfaces
proxy -i127.0.0.1 -pport1 -DeINTERFACE1
proxy -i127.0.0.1 -pport2 -DeINTERFACE2
and use
parent WEIGHT1 http 127.0.0.1 port1
parent WEIGHT2 http 127.0.0.1 port2
proxy must be running as root. But I strongly advise to use IP binding + source routing

@APX403

APX403 commented Nov 27, 2020

Thanks so much for your help !!

@APX403

APX403 commented Apr 7, 2021

Hello !

I would like to deny an IP to connect to the proxy, how can I achieve that ?

I already tried :

deny * THE_IP_ADDRESS *

But it didn't work, I still see connections from that IP in my logs.

Thanks a lot

@z3APA3A z3APA3A reopened this Apr 7, 2021
@z3APA3A
Collaborator Author

z3APA3A commented Apr 7, 2021

It probably means either the sequence of commands is wrong (e.g. you have a matching allow rule prior to deny), or you have auth none, or you did not apply the configuration after changes.

@APX403

APX403 commented Apr 17, 2021

Hello !

Is it possible to show a custom HTML page instead of HTTP error code ? (403, 502, 500...)

If not, do you think it is hard to implement by editing the source code ?

Thanks a lot :)

@z3APA3A
Collaborator Author

z3APA3A commented Apr 19, 2021

@APX403
See https://3proxy.ru/plugins/StringsPlugin/
There is an example for .3ps file in 3proxy distribution.

@fluxxset

fluxxset commented Mar 16, 2022

how can i redirect http traffic of domain list to another proxy ?

@ezbik

ezbik commented Mar 16, 2022

@fluxx03

allow ....
parent ....

@z3APA3A
Collaborator Author

z3APA3A commented Mar 17, 2022

parent is applied to the preceding allow command, that is, in this configuration

allow * * list1
parent 1000 parent1 ...
allow * * list2
parent 1000 parent2 ...
allow *

list1 is redirected via parent1, list2 via parent2 and the rest of the traffic is not redirected.

@mrgharabaghi

mrgharabaghi commented Apr 13, 2022

Hello

I'm using ProxyCap and PuTTY in order to send UDP connections from Windows apps to my 3proxy SOCKS server.

  1. ProxyCap sends UDP connections to PuTTY.
  2. PuTTY is used for SSH connection to my VPS (CentOS 8).
  3. UDP connections are tunneled from PuTTY to the VPS on port 1080.

TCP connections work perfectly, but UDP connections are not established.
Is there a problem with my config?

https://www.proxycap.com/faq.html

Does ProxyCap support UDP?
ProxyCap can redirect UDP through a SOCKS5 or a Shadowsocks proxy or a chain of UDP capable proxies. The required condition is that UDP relay must be enabled on the proxy server. Also, if you want to run streaming software or online games from behind a proxy you need to ensure that the connection to the proxy is fast enough.

Config:

pidfile /usr/local/etc/3proxy/3proxy.pid
nserver 1.1.1.1
nserver 8.8.8.8
nscache 65536

# timeouts 1 5 30 60 180 1800 15 60
log
logformat "G%d-%m-%Y %H:%M:%S | %U | %C:%c | %R:%r | %Q:%q | %O | %I | %n | %T | %E"
rotate 30
auth none
maxconn 100
allow *
socks -p1080
flush

UDP Logs:

13-04-2022 18:40:57 | - | 127.0.0.1:45008 | 0.0.0.0:0 | 0.0.0.0:0 | 0 | 0 | 0.0.0.0 | UDPMAP 0.0.0.0:0 | 00000
13-04-2022 18:40:58 | - | 127.0.0.1:45010 | 0.0.0.0:0 | 0.0.0.0:0 | 0 | 0 | 0.0.0.0 | UDPMAP 0.0.0.0:0 | 00000

TCP Logs:

13-04-2022 18:47:43 | - | 127.0.0.1:44994 | 162.159.136.232:443 | 162.159.136.232:443 | 19107 | 383673 | 162.159.136.232 | CONNECT 162.159.136.232:443 | 00000
13-04-2022 18:47:51 | - | 127.0.0.1:45014 | 162.159.129.235:443 | 162.159.129.235:443 | 1041 | 4083 | 162.159.129.235 | CONNECT 162.159.129.235:443 | 00000

Rules Config: [image]

Proxy Config: [image]

PuTTY Config: [image]

@mrgharabaghi

Testing with SocksCap v4.7:

UDP proxy test log:

[09:32:24]  Testing started...
[09:32:24]  Address: 127.0.0.1:3333
[09:32:24]  Proxy type: SOCKS 5
[09:32:24]  Username: [empty]
[09:32:24]  Password: [empty]
[09:32:24]  Testing UDP Associate of proxy server...
[09:32:24]  Connecting to proxy server...
[09:32:24]  Connection established.
[09:32:24]  Testing UDP Associate...
[09:32:24]  Proxy server bound on 127.0.0.1:46320 for udp relay.
[09:32:24]  Testing data transmission...
[09:32:24]  The UDP transmission testing was failed. <===============================
[09:32:24]  Testing proxy server latency...
[09:32:24]  The network latency of 127.0.0.1 was 2ms.
[09:32:24]  Testing Finished.

TCP proxy test log:

[09:33:56]  Testing started...
[09:33:56]  Address: 127.0.0.1:3333
[09:33:56]  Proxy type: SOCKS 5
[09:33:56]  Username: [empty]
[09:33:56]  Password: [empty]
[09:33:56]  Connecting to proxy server...
[09:33:56]  Connection established.
[09:33:56]  Testing Connection through the proxy server...
[09:33:56]  Connection to http://global.bing.com/ established through the proxy server.
[09:33:56]  Testing data transmission...
[09:33:56]  Sent: 305 bytes
[09:33:56]  Got correct response (length: 50 bytes).
[09:33:56]  Testing proxy server latency...
[09:33:56]  The network latency of 127.0.0.1 was 2ms.
[09:33:56]  Testing Finished.

@z3APA3A
Collaborator Author

z3APA3A commented Apr 14, 2022

According to this log, 3proxy received control (TCP) connection and accepted UDPASSOC command, but no UDP traffic reached 3proxy. You can add
logdump 1
to see every UDP packet you are receiving. Also, it may be required to set internal and external for proxy to be able to report external IP to client.

@mrgharabaghi

How to set internal and external?

socks -i0.0.0.0 -e0.0.0.0 -p1080

Like this?

@z3APA3A
Collaborator Author

z3APA3A commented Apr 14, 2022

real IP address is expected instead of 0.0.0.0 here, because proxy reports this IP to client, so it can use it to accept incoming traffic.

@mrgharabaghi

mrgharabaghi commented Apr 14, 2022

Real public IP (v4) of my VPS?
Which one of them do I have to use for internal and external?

[root@centos-m bin]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 49.49.11.25  netmask 255.255.255.255  broadcast 0.0.0.0
        inet6 8d21::8400:ff:fea8:37ee  prefixlen 64  scopeid 0x20<link>
        inet6 5q84:4f8:c17:2ee1::1  prefixlen 64  scopeid 0x0<global>
        ether 84:22:01:b5:24:ee  txqueuelen 1000  (Ethernet)
        RX packets 219762  bytes 178787521 (170.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 197160  bytes 153595981 (146.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 114266  bytes 139918426 (133.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 114266  bytes 139918426 (133.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 34:45:11:e1:a8:26  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

@z3APA3A
Collaborator Author

z3APA3A commented Apr 14, 2022

Internal is the address you expect client connections to come to (the address you specify as the proxy address), external is the address you expect outgoing connections to go from, probably it's the real IP.
https://3proxy.ru/howtoe.asp#INTEXT

@mrgharabaghi

mrgharabaghi commented Apr 14, 2022

# LOCAL_HOST = 127.0.0.1
# MY_VPS_IP = 1.2.3.4
socks -iLOCAL_HOST -eMY_VPS_IP -p1080

Does not work with the above config.
I guess this problem is related to 3proxy, because I tested with 2 different software (ProxyCap and SocksCap) and 3proxy can't receive UDP traffic.
Do you have any VPS that I can test UDP traffic with ProxyCap?

[image]

@z3APA3A
Collaborator Author

z3APA3A commented Apr 14, 2022

UDPASSOC works in latest versions. Check firewall issues. UDPASSOC requires access to ephemeral UDP ports.

@mrgharabaghi

mrgharabaghi commented Apr 14, 2022

  1. I checked the ports in the file below and their value is 32768 60999
    CentOS 8: vi /proc/sys/net/ipv4/ip_local_port_range

  2. firewall-cmd --permanent --zone=public --add-port=32768-60999/udp

  3. My VPS is in the Hetzner data center and I removed all the firewalls.
    Is there any relation between the GRE and ESP protocols and 3proxy?
    Should I open these two protocols on the VPS?

  4. The last thing I did was disable my Windows 10 antivirus (ESET Nod32).
    But still, I got nothing from UDP.

14-04-2022 14:57:03 | - | 127.0.0.1:41638 | 0.0.0.0:0 | 0.0.0.0:0 | 0 | 0 | 0.0.0.0 | UDPMAP 0.0.0.0:0 | 00000

@z3APA3A
Collaborator Author

z3APA3A commented Apr 14, 2022

Try to eliminate putty and use sockscap directly with 3proxy (internal interface in this case must be set to real IP address)

@z3APA3A
Collaborator Author

z3APA3A commented Apr 14, 2022

You can also check the traffic with tcpdump on the internal interface to see if any UDP packets are received by the proxy.

@mrgharabaghi

Thank you so much.

> Try to eliminate putty and use sockscap directly with 3proxy (internal interface in this case must be set to real IP address)

Works well on port 1080 with eliminating PuTTY.

14-04-2022 16:40:24 | sss | 173.285.56.354:57087 | 185.179.203.231:50003 | 0.0.0.0:0 | 74 | 0 | 0.0.0.0 | UDPMAP 0.0.0.0:0 | 00000
  1. I checked the ports in the file below and their value is 32768 60999
    CentOS 8: vi /proc/sys/net/ipv4/ip_local_port_range

  2. firewall-cmd --permanent --zone=public --add-port=32768-60999/udp

As I said, the UDP ports on the server side should be open otherwise, no communication will be received.

And now I have to find a way to make that connection through PuTTY.

@mrgharabaghi

Do you have any suggestions for sending UDP and TCP traffic using PuTTY?
For example:
Sending TCP using PuTTY and sending UDP the other way.

@mrgharabaghi

In SocksCap I create a proxy (IP: 127.0.0.1:1080) which sends the requests to PuTTY.
After UDPASSOC process, the client sends the UDP requests to 127.0.0.1.
This is exactly my problem.
Is there a way to tell the client: For UDP requests instead of 127.0.0.1, you have to request from 44.32.255.80.
Actually the 44.32.255.80 is my VPS IP which I open 32768-60999/udp ports.

@z3APA3A
Collaborator Author

z3APA3A commented Apr 15, 2022

Probably sshd does not support UDP or does not support parent SOCKSv5 for UDP
https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-January/035662.html
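The UDP failure in this exchange comes down to the address carried in the UDP ASSOCIATE reply. As an added example (not part of the thread and not 3proxy code), this Python sketch parses a SOCKS5 reply as laid out in RFC 1928 and classifies the relay address; `diagnose_udp_associate`, `control_via_tunnel` and the address 203.0.113.10 are constructed for illustration.

```python
import ipaddress
import struct


def build_reply(rep: int, ip: str, port: int) -> bytes:
    """Build a SOCKS5 reply: VER=5, REP, RSV=0, ATYP, BND.ADDR, BND.PORT."""
    addr = ipaddress.ip_address(ip)
    atyp = 1 if addr.version == 4 else 4
    return bytes([5, rep, 0, atyp]) + addr.packed + struct.pack("!H", port)


def parse_reply(data: bytes):
    """Return (REP, BND.ADDR, BND.PORT) from a SOCKS5 reply with an IP address."""
    if len(data) < 4 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    alen = {1: 4, 4: 16}.get(data[3])      # ATYP 1 = IPv4, 4 = IPv6
    if alen is None:
        raise ValueError("unsupported ATYP in reply")
    if len(data) < 4 + alen + 2:
        raise ValueError("truncated reply")
    addr = ipaddress.ip_address(data[4:4 + alen])
    (port,) = struct.unpack("!H", data[4 + alen:6 + alen])
    return data[1], addr, port


def diagnose_udp_associate(reply: bytes, control_via_tunnel: bool) -> str:
    """Classify the relay address the proxy told the client to send UDP to.

    control_via_tunnel: True when the TCP control connection reached the
    proxy through a local forwarder (PuTTY on 127.0.0.1 in the thread).
    """
    rep, addr, port = parse_reply(reply)
    if rep != 0:
        return f"rejected (REP={rep})"
    if addr.is_unspecified:
        # The proxy reports this address to the client, so 0.0.0.0 is not usable.
        return "unusable: relay address is unspecified, set a real internal IP"
    if addr.is_loopback and control_via_tunnel:
        # Only the TCP control channel crosses the tunnel; UDP sent to the
        # client's own loopback never reaches the remote proxy.
        return f"unreachable: datagrams to {addr}:{port} stay on the client host"
    return f"ok: send UDP to {addr}:{port}"


# Relay address taken from the SocksCap log in the thread.
TUNNELLED = build_reply(0, "127.0.0.1", 46320)
# Constructed reply for a proxy with a real internal address (documentation range).
DIRECT = build_reply(0, "203.0.113.10", 40000)

if __name__ == "__main__":
    print(diagnose_udp_associate(TUNNELLED, control_via_tunnel=True))
    print(diagnose_udp_associate(DIRECT, control_via_tunnel=False))
```

In the "ok" case the reported UDP port still has to be reachable through the server firewall, which is why the ephemeral port range was opened in the thread.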

@mrgharabaghi

mrgharabaghi commented Apr 17, 2022

Except %I and %O, is there a way to measure all bandwidth in one proxy or socks session?
The values of %I and %O are not the same as a file that the client downloaded.

@z3APA3A
Collaborator Author

z3APA3A commented Apr 18, 2022

in the case of https, proxy does not see specific file, it only can see connection between client and server. Single connection may be used for many requests.

@bagusnl

bagusnl commented May 26, 2022

Hi, I'm curious on how to do external failover with 3proxy
My current usecase for 3proxy is just a simple redirect proxy to make use of different internet connection with certain apps (using proxifier) and websites (using SmartProxy extensions).

nscache 65536
service
log C:\Users\bagusnl_reg\AppData\Roaming\3proxy\3proxy.log D
rotate 7
auth none
allow 127.0.0.1
internal 127.0.0.1
external 192.168.100.10
proxy -p6520
socks -p6530

It works great, just a simple problem is when the interface 3proxy uses goes down (not fully interface down, just the internet fails), it will still force that external IP to do the requests. Is there a way to failover that external from currently 192.168.100.10 to default interface (using 0.0.0.0) or even another interface IP?

Thanks

@ezbik

ezbik commented May 26, 2022

@bagusnl I would've defined 2 ports in 3proxy (e.g. 10000 for access via custom interface and 10001 via default gateway) and then would've installed glider https://github.com/nadoo/glider and ran it with this recipe

glider -verbose -listen :16000 \
  -forward http://localhost:10000 \
  -forward http://localhost:10001 \
  -strategy ha -checkinterval=5 \
  -check='http://www.msftconnecttest.com/connecttest.txt#expect=200'

so it listens on 16000 , checks 2 endpoints, and when 1st is down, uses 2nd for outgoing routing.

@koshev-msk

Hi! How do I build 3proxy with the mbedtls library? Is it possible? Thanks.

@z3APA3A
Collaborator Author

z3APA3A commented Jun 30, 2022

3proxy itself does not require and does not depend on TLS library, only SSLPlugin requires TLS and it uses OpenSSL. Generally, in order to use mbedtls you need to rewrite SSLPlugin to use mbedtls.

@APX403

APX403 commented Nov 6, 2022

Hello @z3APA3A, I hope you are doing good !

I have a quick question regarding the logs for the SOCKS protocol :

When using HTTPS we are able to see the domains in the logs, but sadly with the SOCKS protocol we only see a list of IP addresses, and our ACL to block specific domains does not seem to work

Logs example :

1667713296.979 PROXY.5005 00000 user 193.38.250.94:52006 209.197.3.8:80 246 191 0 CONNECT_209.197.3.8:80_HTTP/1.1
1667713305.598 PROXY.5005 00000 user 193.38.250.94:52009 143.204.231.66:443 749 3388 0 CONNECT_143.204.231.66:443_HTTP/1.1
1667713371.548 PROXY.5005 00000 user 193.38.250.94:51994 143.204.231.40:443 932 16488 0 CONNECT_143.204.231.40:443_HTTP/1.1
1667713425.608 PROXY.5005 00000 user 193.38.250.94:52015 143.204.231.17:443 749 3388 0 CONNECT_143.204.231.17:443_HTTP/1.1
1667713545.651 PROXY.5005 00000 user 193.38.250.94:52021 143.204.231.66:443 749 3388 0 CONNECT_143.204.231.66:443_HTTP/1.1
1667713664.735 PROXY.5005 00000 user 193.38.250.94:52012 143.204.231.127:443 933 1973 0 CONNECT_143.204.231.127:443_HTTP/1.1
1667713665.626 PROXY.5005 00000 user 193.38.250.94:52026 143.204.231.17:443 749 3388 0 CONNECT_143.204.231.17:443_HTTP/1.1
1667713672.513 PROXY.5005 00000 user 193.38.250.94:52018 143.204.231.93:443 932 16438 0 CONNECT_143.204.231.93:443_HTTP/1.1
1667713785.783 PROXY.5005 00000 user 193.38.250.94:52032 143.204.231.12:443 749 3388 0 CONNECT_143.204.231.12:443_HTTP/1.1

Is there any way to force DNS resolution on proxy server side ?

Thanks a lot for your help 👍

@ezbik

ezbik commented Nov 6, 2022

> Is there any way to force DNS resolution on proxy server side ?

yes, indeed, socks5 allows a client to resolve DNS on its side, and initiate connection to an IP.

I personally solved your issue by transparently redirecting HTTP\HTTPS traffic after 3proxy to Sniproxy, which accepts web traffic and analyzes it (HTTP by Host header, HTTPS by TLS SNI name) and makes a decision, bypass or block.

@z3APA3A
Collaborator Author

z3APA3A commented Nov 7, 2022

Use --socks5-hostname or socks5h:// proxy URI for curl.

@Niek

Niek commented Jan 19, 2023

Is it possible to use a https parent? I have a proxy provider that allows only HTTPS connect. Equivalent curl command:

curl -x https://user:pass@proxy:port

@z3APA3A
Collaborator Author

z3APA3A commented Jan 20, 2023

If you mean additional TLS for client to proxy connection, there is no way to do it in 3proxy currently, you can install stunnel with parent proxy as remote end and set local end of stunnel as parent proxy

@psadev

psadev commented Mar 6, 2023

Hello @z3APA3A

I tried to use the new feature auto for SOCKS+HTTP protocol on one port but there's a bug.
When a user makes a request using an unsupported protocol, like SOCKS4, 3proxy crashes and the whole service autorestarts.

We have a simple setup with custom auth and SOCKS4 request is sent with curl:
curl -x socks4://<PROXY_URI> RESOURCE_URI

@APX403

APX403 commented Apr 2, 2023

Hello @z3APA3A I hope you are doing good !

There is one thing that I am not able to understand properly: when we are using our 3proxy proxies with curl, we see in the logs that it uses HTTP/1.1 with CONNECT

Is it a normal thing or a configuration problem ? Why does it not use HTTP/2.0 by default ?

Thanks a lot for your help

@z3APA3A
Collaborator Author

z3APA3A commented Apr 2, 2023

CONNECT is a command which instructs proxy to establish connection, HTTP version is not important here, so there is no reason to upgrade connection to HTTP/2. Client handshakes another HTTP session inside established connection, so it can use HTTP/2 with destination server.

@avirex123

Hi

is it possible to ban several websites that contain the word "bank"? Any URL containing the word bank and how to insert it in deny?

deny *

Thanks a lot for your support!

@z3APA3A
Collaborator Author

z3APA3A commented Jul 13, 2023

@avirex123

deny * * *bank*

to reject bank in hostname. If you need to filter URIs, you need PCREPlugin + SSLPlugin + install custom root certificate for every client, because most sites are currently https and request is sent inside TLS.

@sudo-sandwich

Is it possible to manually rotate the logs using logrotate or something similar?

@z3APA3A
Collaborator Author

z3APA3A commented Aug 14, 2023

mv log file, in config add

log /some/tmp/file
log /real/log/location

to force 3proxy to close and open log file and re-read configuration, or just change the name of log file.

P.S.
For any systems except Windows I recommend to use syslog logging, e.g.
log @proxy

@barraponto

What is the default log format? It emits logs like this:

230906143447.409 8080 00000 - 127.0.0.1:45324 34.223.124.45:80 156 4305 0 GET http://neverssl.com/ HTTP/1.1

@z3APA3A
Collaborator Author

z3APA3A commented Sep 6, 2023

#define DEFLOGFORMAT "G%y%m%d%H%M%S.%. %p %E %U %C:%c %R:%r %O %I %h %T"
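A parser for lines in that default format, as an added example (not part of the thread and not 3proxy code). The first sample line is the one quoted in the question; the other two are constructed, and treating any non-zero `%E` value as a failed request is an assumption of this sketch.

```python
import re
from datetime import datetime, timezone

# G%y%m%d%H%M%S.%. %p %E %U %C:%c %R:%r %O %I %h %T
# The leading G selects GMT timestamps; %T is free text and may contain spaces.
LINE = re.compile(
    r"^(?P<ts>\d{12})\.(?P<ms>\d{3}) (?P<port>\d+) (?P<err>\d+) (?P<user>\S+) "
    r"(?P<cip>\S+):(?P<cport>\d+) (?P<rip>\S+):(?P<rport>\d+) "
    r"(?P<out>\d+) (?P<inn>\d+) (?P<hops>\d+) (?P<text>.*)$"
)


def parse_line(line: str):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    when = datetime.strptime(d["ts"], "%y%m%d%H%M%S").replace(
        microsecond=int(d["ms"]) * 1000, tzinfo=timezone.utc)
    return {
        "time": when,
        "service_port": int(d["port"]),          # %p
        "error": int(d["err"]),                  # %E
        "user": d["user"],                       # %U ("-" when unauthenticated)
        "client_ip": d["cip"], "client_port": int(d["cport"]),   # %C:%c
        "remote_ip": d["rip"], "remote_port": int(d["rport"]),   # %R:%r
        "bytes_out": int(d["out"]),              # %O
        "bytes_in": int(d["inn"]),               # %I
        "hops": int(d["hops"]),                  # %h
        "text": d["text"],                       # %T
    }


def failures_by_client(lines):
    """Count requests with a non-zero error code per client IP."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["error"] != 0:
            counts[rec["client_ip"]] = counts.get(rec["client_ip"], 0) + 1
    return counts


SAMPLE = [
    # Line quoted in the thread.
    "230906143447.409 8080 00000 - 127.0.0.1:45324 34.223.124.45:80 156 4305 0 GET http://neverssl.com/ HTTP/1.1",
    # Constructed lines with a non-zero error code.
    "230906143501.120 8080 00012 - 198.51.100.7:51000 0.0.0.0:0 0 0 0 CONNECT example.org:443 HTTP/1.1",
    "230906143502.004 8080 00012 - 198.51.100.7:51002 0.0.0.0:0 0 0 0 CONNECT example.org:443 HTTP/1.1",
]

if __name__ == "__main__":
    print(parse_line(SAMPLE[0]))
    print(failures_by_client(SAMPLE))
```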

@bottookku

How can I make two internet interfaces work simultaneously, with source routing?

@botzill

botzill commented Mar 14, 2024

Hi.

How can only allow request from specific IPs, I have:

auth none


allow * * 1.1.1.1
allow * * 1.1.1.2
allow * * 1.1.1.3

deny *

proxy -p4444 -i1.1.1.1 -e1.1.1.1 -osTCP_NODELAY -ocTCP_NODELAY
proxy -p4444 -i1.1.1.2 -e1.1.1.2 -osTCP_NODELAY -ocTCP_NODELAY

is this correct? as I still can get traffic from other IPs.

thanks

@z3APA3A
Collaborator Author

z3APA3A commented Mar 18, 2024

@botzill In your example you limit destination IP (3rd parameter) rather than source IP (2nd parameter), see description of allow / deny
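The ACL answers in this thread (a matching allow placed before a deny, auth none, and source versus destination position) can be checked with a small model. This is an added example, not part of the thread and not 3proxy code: `decide` is a simplified first-match evaluator covering only the user, source and target fields, it skips authentication itself, and the client address 198.51.100.7 is constructed.

```python
import fnmatch
import ipaddress


def _matches(pattern, value):
    """'*' matches anything; else a comma list of IPs, CIDRs, names or globs."""
    if pattern == "*":
        return True
    for item in pattern.split(","):
        try:
            if ipaddress.ip_address(value) in ipaddress.ip_network(item, strict=False):
                return True
        except ValueError:  # item or value is a name, not an address
            if fnmatch.fnmatch(value.lower(), item.lower()):
                return True
    return False


def decide(config, user, src, dst):
    """Return (decision, reason) for one request under a simplified ACL model."""
    auth, rules = None, []
    for line in config.splitlines():
        parts = line.split()
        if parts[:1] == ["auth"]:
            auth = parts[1:]
        elif parts[:1] in (["allow"], ["deny"]):
            # Positions: userlist, sourcelist, targetlist; omitted ones mean '*'.
            fields = (parts[1:4] + ["*", "*", "*"])[:3]
            rules.append((parts[0], *fields))
    if auth is None:
        raise ValueError("this model needs an explicit auth line")
    if auth == ["none"]:
        return "allow", "auth none"        # the ACL is never consulted
    for n, (action, users, sources, targets) in enumerate(rules, 1):
        if _matches(users, user) and _matches(sources, src) and _matches(targets, dst):
            return action, f"rule {n}"     # first matching rule wins
    # A non-empty ACL with no matching rule denies; an empty ACL allows.
    return ("deny", "no rule matched") if rules else ("allow", "empty ACL")


# ACL as posted in the question: addresses sit in the target (3rd) position.
POSTED = """auth none
allow * * 1.1.1.1
allow * * 1.1.1.2
allow * * 1.1.1.3
deny *
"""
# Same rules with ACL checking enabled (auth iponly is an assumption here).
POSTED_IPONLY = POSTED.replace("auth none", "auth iponly")
# Addresses moved to the source (2nd) position.
FIXED = "auth iponly\nallow * 1.1.1.1,1.1.1.2,1.1.1.3\ndeny *\n"
# Ordering case from earlier in the thread: an earlier allow shadows a later deny.
SHADOWED = "auth strong\nallow user\ndeny * 198.51.100.7\n"
REORDERED = "auth strong\ndeny * 198.51.100.7\nallow user\n"

OUTSIDER = "198.51.100.7"  # constructed client address

if __name__ == "__main__":
    for name, cfg in [("posted", POSTED), ("iponly", POSTED_IPONLY), ("fixed", FIXED)]:
        print(name, decide(cfg, "-", OUTSIDER, "93.184.216.34"))
```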

@z3APA3A
Collaborator Author

z3APA3A commented Mar 18, 2024

@bottookku You can select the interface with -De, but source routing is better.
