How to contribute to the code (Pull Request)?
Pull Request is welcomed.
First, you need to clone the project to your account, and then modify the code on the dev branch.
Finally, Pull Request to dev branch of goproxy project, and contribute code for efficiency.
PR needs to explain what changes have been made and why you change them.
Features
- chain-style proxy: the program itself can be a primary proxy, and if a parent proxy is set, it can be used as a second level proxy or even a N level proxy.
- Encrypted communication: if the program is not a primary proxy, and the parent proxy is also the program, then it can communicate with the parent proxy by encryption. The TLS encryption is high-intensity encryption, and it is safe and featureless.
- Intelligent HTTP, SOCKS5 proxy: the program will automatically determine whether the site which it access is blocked, if the site is blocked, the program will use parent proxy (the premise is you set up a parent proxy) to access the site. If the site isn't blocked, in order to speed up the access, the program will directly access the site and don't use parent proxy.
- The black-and-white list of domain: It is very flexible to control the way which you visite site.
- Cross platform: no mater what the os (such as Linux, windows, and even Raspberry Pi) you use, you always can use proxy well.
- Multi protocol support: the program support HTTP (S), TCP, UDP, Websocket, SOCKS5 proxy.
- The TCP/UDP port forwarding is supported.
- Nat forwarding in different network is supported: the program support TCP protocol and UDP protocol.
- SSH forwarding: HTTP (S), SOCKS5 proxy support SSH transfer, parent Linux server does not need any server, a local proxy can be happy to access the Internet.
- KCP protocol is supported: HTTP (S), SOCKS5 proxy supports the KCP protocol which can transmit data, reduce latency, and improve the browsing experience.
- The integrated external API, HTTP (S): SOCKS5 proxy authentication can be integrated with the external HTTP API, which can easily control the user's access through the external system.
- Reverse proxy: goproxy supports directly parsing the domain to proxy monitor IP, and then proxy will help you to access the HTTP (S) site that you need to access.
- Transparent proxy: with the iptables, goproxy can directly forward the 80 and 443 port's traffic to proxy in the gateway, and can realize the unaware intelligent router proxy.
- Protocol conversion: The existing HTTP (S) or SOCKS5 or ss proxy can be converted to a proxy which support HTTP (S), SOCKS5 and ss by one port, if the converted SOCKS5 and ss proxy's parent proxy is SOCKS5, which can support the UDP function.Also support powerful cascading authentication.
- Custom underlying encrypted transmission, HTTP(s)\sps\socks proxy can encrypt TCP data through TLS standard encryption and KCP protocol encryption. In addition, it also supports custom encryption after TLS and KCP. That is to say, custom encryption and tls|kcp can be used together. The internal uses AES256 encryption, and it only needs to define one password by yourself when is used.
- Low level compression and efficient transmission,The HTTP(s)\sps\socks proxy can encrypt TCP data through a custom encryption and TLS standard encryption and KCP protocol encryption, and can also compress the data after encryption. That is to say, the compression and custom encryption and tls|kcp can be used together.
- The secure DNS proxy, Through the DNS proxy provided by the local proxy, you can encrypted communicate with the father proxy to realize the DNS query of security and pollution prevention.
- Load balance,High availability,HTTP(S)\SOCKS5\SPS proxy support Superior load balance and high availability. Multiple superiors repeat -P parameters.
- Designated exporting IP,HTTP(S)\SOCKS5\SPS proxy supports the client to connect with the entry IP,Using the entry IP as the exporting IP to visit the target website。If the entry IP is the intranet IP,Exporting IP will not use entry IP
- Support speed limit. HTTP (S) \SOCKS5\SPS proxy supports speed limit.
- SOCKS5 proxy supports cascade authentication.
- Certificate parameters use base64 data. By default, the - C, - K parameters are the path of the CRT certificate and key file. If “base64://” begins, the subsequent data is thought to be Base64 encoded which will be decoded and used.
Why need these?
- Because for some reason, we cannot access our services elsewhere. We can build a secure tunnel to access our services through multiple connected proxy nodes.
- WeChat interface is developed locally, which is convenient to debug.
- Remote access to intranet machines.
- Play with partners in a LAN game.
- something used to be played only in the LAN, now it can be played anywhere.
- Instead of 剑内网通,显IP内网通,花生壳,frp and so on.
- ...
This page is the v6.0 manual, and the other version of the manual can be checked by the following link.
How to find the organization?
Click to join the proxy group of gitter Click to join the proxy group of telegram
Installation
First use must read
Manual catalogues
Fast Start
tips:all operations require root permissions.
Quick installation
0. If your VPS is linux64, you can complete the automatic installation and configuration by the following sentence.
The installation is completed, the configuration directory is /etc/proxy, For more detailed usage, please refer to the manual above to further understand the functions you want to use.
If the installation fails or your VPS is not a linux64 system, please follow the semi-automatic step below:
Manual installation
1.Download proxy
2.Download the automatic installation script
Docker installation
Dockerfile root of project uses multistage build and alpine project to comply with best practices. Uses golang 1.10.3 for building as noted in the project README.md and will be pretty small image. total extracted size will be 17.3MB for goproxy latest version.
The default build process builds the master branch (latest commits/ cutting edge), and it can be configured to build specific version, just edit Dockerfile before build, following builds release version 6.0:
ARG GOPROXY_VERSION=v6.0
To Run:
- Clone the repository and cd into it.
sudo docker build .
- Tag the image:
sudo docker tag <id from previous step> snail007/goproxy:latest
- Run! Just put your arguments to proxy binary in the OPTS environmental variable (this is just a sample http proxy):
sudo docker run -d --restart=always --name goproxy -e OPTS="http -p :33080" -p 33080:33080 snail007/goproxy:latest
- View logs:
sudo docker logs -f goproxy
First use must be read
Environmental Science
The following tutorial defaults system is Linux, the program is proxy and all operations require root permissions.
If the system are windows, please use proxy.exe.
Use configuration file
The following tutorial is to introduce the useage by the command line parameters, or by reading the configuration file to get the parameters.
The specific format is to specify a configuration file by the @ symbol, for example, ./proxy @configfile.txt.
configfile.txt's format: The first line is the subcommand name, and the second line begins a new line: the long format of the parameter = the parameter value, there is no space and double quotes before and after.
The long format of the parameter's beginning is --, the short format of the parameter's beginning is -. If you don't know which short form corresponds to the long format, please look at the help command.
For example, the contents of configfile.txt are as follows:
Debug output
By default, the log output information does not contain the number of file lines. In some cases, in order to eliminate and positione the program problem, You can use the --debug parameter to output the number of lines of code and the wrong time.
Using log files
By default, the log is displayed directly on the console, and if you want to save it to the file, you can use the --log parameter.
for example, --log proxy.log, The log will be exported to proxy.log file which is easy to troubleshoot.
Generating a communication certificate file
HTTP, TCP, UDP proxy process will communicate with parent proxy. In order to secure, we use encrypted communication. Of course, we can choose not to encrypted communication. All communication with parent proxy in this tutorial is encrypted, requiring certificate files.
./proxy keygen -C proxy
./proxy keygen -s -C proxy -c goproxy
-n test.com
proxy keygen --help
Daemon mode
./proxy http -t tcp -p "0.0.0.0:38080" --daemon
Monitor mode
proxy http --foreverproxy http -p ":9090" --forever --log proxy.log --daemon
Safety advice
./proxy http -g "23.23.23.23"
Load balance and high available
--lb-method--lb-retrytime--lb-timeout
1.HTTP proxy
1.1.common HTTP proxy
./proxy http -t tcp -p "0.0.0.0:38080"
1.2.Common HTTP second level proxy
22.22.22.22:8080./proxy http -t tcp -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080"./proxy http -t tcp -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" -L 10./proxy http -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" -b blocked.txt -d direct.txt
1.3.HTTP second level encrypted proxy
./proxy http -t tls -p ":38080" -C proxy.crt -K proxy.key
./proxy http -t tcp -p ":8080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key
./proxy.exe http -t tcp -p ":8080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key
1.4.HTTP third level encrypted proxy
./proxy http -t tls -p ":38080" -C proxy.crt -K proxy.key./proxy http -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key./proxy http -t tcp -p ":8080" -T tls -P "33.33.33.33:28080" -C proxy.crt -K proxy.key
1.5.Basic Authentication
./proxy http -t tcp -p ":33080" -a "user1:pass1" -a "user2:pass2"./proxy http -t tcp -p ":33080" -F auth-file.txt
./proxy http -t tcp -p ":33080" --auth-url "http://test.com/auth.php"
If there is no -a or -F or --auth-url parameters, Basic authentication is closed.
1.6.HTTP proxy traffic force to go to parent http proxy
./proxy http --always -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key
1.7.Transfer through SSH
Explanation: the principle of SSH transfer is to take advantage of SSH's forwarding function, which is, after you connect to SSH, you can access to the target address through the SSH proxy.
Suppose there is a vps
- IP is 2.2.2.2, ssh port is 22, ssh username is user, ssh password is demo
- The SSH private key of the user is user.key
1.7.1.The way of username and password
./proxy http -T ssh -P "2.2.2.2:22" -u user -A demo -t tcp -p ":28080"
1.7.2.The way of username and key
./proxy http -T ssh -P "2.2.2.2:22" -u user -S user.key -t tcp -p ":28080"
1.8.KCP protocol transmission
The KCP protocol requires a --kcp-key parameter to set a password which can encrypt and decrypt data.
./proxy http -t kcp -p ":38080" --kcp-key mypassword
./proxy http -t tcp -p ":8080" -T kcp -P "22.22.22.22:38080" --kcp-key mypassword
1.9.HTTP reverse proxy
Proxy supports not only set up a proxy through in other software, to provide services for other software, but support the request directly to the website domain to proxy monitor IP when proxy monitors 80 and 443 ports, then proxy will automatically access to the HTTP proxy access website for you.
./proxy http -t tcp -p :80,:443
This command starts a proxy on the computer, and listens to 80 and 443 ports. It can be used as a common proxy and it can directly resolve the domain that needs proxy to the IP of the computer.
./proxy http -t tcp -p :80,:443 -T tls -P "2.2.2.2:33080" -C proxy.crt -K proxy.key
Notice:
The result of the DNS parsing of the server in which proxy is located can not affected by a custom parsing, if not, it is dead cycle.
1.10.HTTP transparent proxy
./proxy http -t tcp -p :33080 -T tls -P "2.2.2.2:33090" -C proxy.crt -K proxy.key
Then the iptables rule is added, and the following rule is a reference rule:
- Clearing the whole chain command is iptables -F chain name, such as iptables -t NAT -F PROXY
- Deleting the specified chain that user defined command is iptables -X chain name, such as iptables -t NAT -X PROXY
- Deleting the rules of the chain command is iptables -D chain name from the selected chain, such as iptables -t nat -D PROXY -d 223.223.192.0/255.255.240.0 -j RETURN
1.11.Custom DNS
./proxy http -p ":33080" --dns-address "8.8.8.8:53" --dns-ttl 300
1.12 Custom encryption
HTTP(s) proxy can encrypt TCP data by TLS standard encryption and KCP protocol encryption, in addition to supporting custom encryption after TLS and KCP, That is to say, custom encryption and tls|kcp can be combined to use. The internal AES256 encryption is used, and it only needs to define one password by yourself. Encryption is divided into two parts, the one is whether the local (-z) is encrypted and decrypted, the other is whether the parents (-Z) is encrypted and decrypted.
Custom encryption requires both ends are proxy. Next, we use two level example and three level example as examples:
proxy http -t tcp -z demo_password -p :7777proxy http -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080
proxy http -t tcp -z demo_password -p :7777proxy http -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888proxy http -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080
1.13 Compressed transmission
HTTP(s) proxy can encrypt TCP data through TCP standard encryption and KCP protocol encryption, and can also compress data before custom encryption.
That is to say, compression and custom encryption and tls|kcp can be used together, compression is divided into two parts, the one is whether the local (-z) is compressed transmission, the other is whether the parents (-Z) is compressed transmission.
The compression requires both ends are proxy. Compression also protects the (encryption) data in certain extent. we use two level example and three level example as examples:
proxy http -t tcp -m -p :7777proxy http -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080
proxy http -t tcp -m -p :7777proxy http -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888proxy http -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080
1.14 Load balance
proxy http --lb-method=hash -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080
1.14.1 Set retry interval and timeout time
proxy http --lb-method=leastconn --lb-retrytime 300 --lb-timeout 300 -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080 -t tcp -p :33080
1.14.2 Set weight
proxy http --lb-method=weight -T tcp -P 1.1.1.1:33080@1 -P 2.1.1.1:33080@2 -P 3.1.1.1:33080@1 -t tcp -p :33080
1.14.3 Use target address to select superior
proxy http --lb-hashtarget --lb-method=leasttime -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080 -t tcp -p :33080
1.15 Speed limit
-lproxy http -t tcp -p 2.2.2.2:33080 -l 100K
1.16 Designated exporting IP
- bind-listenproxy http -t tcp -p 2.2.2.2:33080 --bind-listen
1.17 Certificate parameters using Base64 data
By default, the -C and -K parameters are the paths of CRT certificates and key files, If it is the beginning of base64://, then it is considered that the data behind is Base64 encoded and will be used after decoding.
1.18.view help
./proxy help http
2.TCP proxy
2.1.Common TCP first level proxy
./proxy tcp -p ":33080" -T tcp -P "192.168.22.33:22" -L 0
2.2.Common TCP second level proxy
./proxy tcp -p ":33080" -T tcp -P "127.0.0.1:8080" -L 0./proxy tcp -p ":23080" -T tcp -P "22.22.22.33:33080"
2.3.Common TCP third level proxy
./proxy tcp -p ":38080" -T tcp -P "66.66.66.66:8080" -L 0./proxy tcp -p ":28080" -T tcp -P "22.22.22.22:38080"./proxy tcp -p ":8080" -T tcp -P "33.33.33.33:28080"
2.4.TCP second level encrypted proxy
./proxy tcp --tls -p ":33080" -T tcp -P "127.0.0.1:8080" -L 0 -C proxy.crt -K proxy.key./proxy tcp -p ":23080" -T tls -P "22.22.22.33:33080" -C proxy.crt -K proxy.key
2.5.TCP third level encrypted proxy
./proxy tcp --tls -p ":38080" -T tcp -P "66.66.66.66:8080" -C proxy.crt -K proxy.key./proxy tcp --tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key./proxy tcp -p ":8080" -T tls -P "33.33.33.33:28080" -C proxy.crt -K proxy.key
2.6.Connect parents proxy through other proxy
Sometimes the proxy network can not directly access the external network,which need to use a HTTPS or Socks5 proxy to access the Internet. then The -J parameter can help you connect to the parent proxy through the HTTPS or Socks5 proxy when proxy's TCP port is mapped, which can map external port to local.
-J param format:
https proxy:
proxy need authentication,username: username password:password
https://username:password@host:port
proxy don't need authentication
https://host:port
socks5 proxy: proxy need authentication,username: username password:password
socks5://username:password@host:port proxy don't need authentication
socks5://host:port
host:proxy's domain or ip port:proxy's port
2.7.view help
./proxy help tcp
3.UDP proxy
3.1.Common UDP first level proxy
./proxy udp -p ":5353" -T udp -P "8.8.8.8:53"
3.2.Common UDP second level proxy
./proxy tcp -p ":33080" -T udp -P "8.8.8.8:53"./proxy udp -p ":5353" -T tcp -P "22.22.22.33:33080"
3.3.Common UDP third level proxy
./proxy tcp -p ":38080" -T udp -P "8.8.8.8:53"./proxy tcp -p ":28080" -T tcp -P "22.22.22.22:38080"./proxy udp -p ":5353" -T tcp -P "33.33.33.33:28080"
3.4.UDP second level encrypted proxy
./proxy tcp --tls -p ":33080" -T udp -P "8.8.8.8:53" -C proxy.crt -K proxy.key./proxy udp -p ":5353" -T tls -P "22.22.22.33:33080" -C proxy.crt -K proxy.key
3.5.UDP third level encrypted proxy
./proxy tcp --tls -p ":38080" -T udp -P "8.8.8.8:53" -C proxy.crt -K proxy.key./proxy tcp --tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key./proxy udp -p ":5353" -T tls -P "33.33.33.33:28080" -C proxy.crt -K proxy.key
3.6.view help
./proxy help udp
4.Nat forward
4.1、Principle explanation
Nat forward, is divided into two versions, "multi-link version" and "multiplexed version", generally like web services Which is not a long time to connect the service recommende "multi-link version", if you want to keep long Time connection, "multiplexed version" is recommended.
- Multilink version, the corresponding subcommand is tserver,tclient,tbridge。
- Multiplexed version, the corresponding subcommand is server,client,bridge。
- the parameters and use of Multilink version and multiplexed is exactly the same.
- Multiplexed version of the server, client can open the compressed transmission, the parameter is --c.
- Server, client or both are open compression, either do not open, can not only open one.
The following tutorial uses "Multiplexing Versions" as an example to illustrate how to use it.
Nat forward consists of three parts: client-side, server-side, bridge-side; client and server take the initiative to connect the bridge to bridge.
When the user access the server side, the process is:
- Server and bridge initiative to establish a link;
- Then the bridge notifies the client to connect the bridge, and connects the intranet target port;
- Then bind the client to the bridge and client to the internal network port connection;
- Then the bridge of the client over the connection and server-side connection binding;
- The entire channel is completed;
4.2.TCP common usage
Background:
- The company computer A provides the 80 port of the web service
- There is one VPS, which public IP is 22.22.22.22
Demand:
You can access the 80 port of the company's computer by access to VPS's 28080 port when you are at home.
Procedure:
./proxy bridge -p ":33080" -C proxy.crt -K proxy.key./proxy server -r ":28080@:80" -P "127.0.0.1:33080" -C proxy.crt -K proxy.key./proxy client -P "22.22.22.22:33080" -C proxy.crt -K proxy.key
4.3.Local development of WeChat interface
Background:
- My own computer provides the 80 port of nginx service
- There is one VPS, which public IP is 22.22.22.22
Demand:
Fill out the Web callback interface configuration address of WeChat Development Account: http://22.22.22.22/calback.php Then you can access the calback.php under the 80 port of the computer, and if you need to bind the domain name, you can use your own domain name. for example: Wx-dev.xxx.com is resolved to 22.22.22.22, and then configure the domain name wx-dev.xxx.com into a specific directory in the nginx of your own computer.
Procedure:
./proxy bridge -p ":33080" -C proxy.crt -K proxy.key./proxy server -r ":80@:80" -P "22.22.22.22:33080" -C proxy.crt -K proxy.key./proxy client -P "22.22.22.22:33080" -C proxy.crt -K proxy.key
4.4.UDP common usage
Background:
- The company computer A provides the DNS resolution, the UDP:53 port.
- There is one VPS, which public IP is 22.22.22.22.
Demand:
You can use the company computer A for domain name resolution services by setting up local DNS as 22.22.22.22 at home.
Procedure:
./proxy bridge -p ":33080" -C proxy.crt -K proxy.key./proxy server --udp -r ":53@:53" -P "127.0.0.1:33080" -C proxy.crt -K proxy.key./proxy client -P "22.22.22.22:33080" -C proxy.crt -K proxy.key
4.5.Advanced usage 1
Background:
- The company computer A provides the 80 port of the web service
- There is one VPS, which public IP is 22.22.22.22
Demand:
For security, it doesn't want to be able to access the company's computer A on VPS. At home, it can access the 80 port of the company's computer A through the encrypted tunnel by accessing the 28080 port of you own computer.
Procedure:
./proxy bridge -p ":33080" -C proxy.crt -K proxy.key./proxy client -P "22.22.22.22:33080" -C proxy.crt -K proxy.key./proxy server -r ":28080@:80" -P "22.22.22.22:33080" -C proxy.crt -K proxy.key
4.6.Advanced usage 2
Tips:
If there are multiple client connected to the same bridge at the same time, you need to specify different key, which can be set by --k parameter. --k must be a unique string on the same bridge.
When server is connected to bridge, if multiple client is connected to the same bridge at the same time, you need to use the --k parameter to select client.
Repeating -r parameters can expose multiple ports: -r format is "local IP: local port @clientHOST:client port".
Background:
- The company computer A provides the web service 80 port and the FTP service 21 port
- There is one VPS, which public IP is 22.22.22.22
Demand:
You can access the 80 port of the company's computer by access to VPS's 28080 port at home.
You can access the 21 port of the company's computer by access to VPS's 29090 port at home.
Procedure:
./proxy bridge -p ":33080" -C proxy.crt -K proxy.key./proxy server -r ":28080@:80" -r ":29090@:21" --k test -P "127.0.0.1:33080" -C proxy.crt -K proxy.key./proxy client --k test -P "22.22.22.22:33080" -C proxy.crt -K proxy.key
4.7.-r parameters of server
PROTOCOL://LOCAL_IP:LOCAL_PORT@[CLIENT_KEY]CLIENT_LOCAL_HOST:CLIENT_LOCAL_PORT
-r "udp://:10053@:53" -r "tcp://:10800@:1080" -r ":8080@:80"-r ":8080@:80"-r ":8080@:80"
-r ":8080@:80"-r ":8080@:80"
0.0.0.0127.0.0.1
4.8.server and client connect bridge through proxy
Sometimes the server or client can not directly access the external network,which need to use a HTTPS or Socks5 proxy to access the Internet. then The -J parameter can help server and client connect to the bridge through the HTTPS or Socks5 proxy.
-J param format:
https proxy:
proxy need authentication,username: username password:password
https://username:password@host:port
proxy don't need authentication
https://host:port
socks5 proxy: proxy need authentication,username: username password:password
socks5://username:password@host:port proxy don't need authentication
socks5://host:port
host:proxy's domain or ip port:proxy's port
4.9.view help
./proxy help bridge./proxy help server./proxy help client
5.SOCKS5 proxy
Tips: SOCKS5 proxy, support CONNECT, UDP protocol and don't support BIND and support username password authentication.
5.1.Common SOCKS5 proxy
./proxy socks -t tcp -p "0.0.0.0:38080"
5.2.Common SOCKS5 second level proxy
22.22.22.22:8080./proxy socks -t tcp -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080"./proxy socks -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" -b blocked.txt -d direct.txt
5.3.SOCKS second level encrypted proxy
./proxy socks -t tls -p ":38080" -C proxy.crt -K proxy.key
./proxy socks -t tcp -p ":8080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key
./proxy.exe socks -t tcp -p ":8080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key
5.4.SOCKS third level encrypted proxy
./proxy socks -t tls -p ":38080" -C proxy.crt -K proxy.key./proxy socks -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key./proxy socks -t tcp -p ":8080" -T tls -P "33.33.33.33:28080" -C proxy.crt -K proxy.key
5.5.SOCKS proxy traffic force to go to parent socks proxy
./proxy socks --always -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key
5.6.Transfer through SSH
Explanation: the principle of SSH transfer is to take advantage of SSH's forwarding function, which is, after you connect to SSH, you can access the target address by the SSH. Suppose there is a vps
- IP is 2.2.2.2, SSH port is 22, SSH username is user, SSH password is Demo
- The SSH private key name of the user is user.key
5.6.1.The way of username and password
./proxy socks -T ssh -P "2.2.2.2:22" -u user -A demo -t tcp -p ":28080"
5.6.2.The way of username and key
./proxy socks -T ssh -P "2.2.2.2:22" -u user -S user.key -t tcp -p ":28080"
Then access to the local 28080 port is to access the target address through VPS.
5.7.Authentication
./proxy socks -t tcp -p ":33080" -a "user1:pass1" -a "user2:pass2"./proxy socks -t tcp -p ":33080" -F auth-file.txt
./proxy socks -t tcp -p ":33080" --auth-url "http://test.com/auth.php"
If there is no -a or -F or --auth-url parameters, it means to turn off the authentication.
5.8.KCP protocol transmission
The KCP protocol requires a --kcp-key parameter which can set a password to encrypt and decrypt data.
./proxy socks -t kcp -p ":38080" --kcp-key mypassword
./proxy socks -t tcp -p ":8080" -T kcp -P "22.22.22.22:38080" --kcp-key mypassword
5.9.Custom DNS
./proxy socks -p ":33080" --dns-address "8.8.8.8:53" --dns-ttl 300
5.10.Custom encryption
HTTP(s) proxy can encrypt TCP data by TLS standard encryption and KCP protocol encryption, in addition to supporting custom encryption after TLS and KCP, That is to say, custom encryption and tls|kcp can be combined to use. The internal AES256 encryption is used, and it only needs to define one password by yourself. Encryption is divided into two parts, the one is whether the local (-z) is encrypted and decrypted, the other is whether the parents (-Z) is encrypted and decrypted. Custom encryption requires both ends are proxy. Next, we use two level example and three level example as examples:
proxy socks -t tcp -z demo_password -p :7777proxy socks -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080
proxy socks -t tcp -z demo_password -p :7777proxy socks -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888proxy socks -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080
5.11.Compressed transmission
HTTP(s) proxy can encrypt TCP data through TCP standard encryption and KCP protocol encryption, and can also compress data before custom encryption. That is to say, compression and custom encryption and tls|kcp can be used together, compression is divided into two parts, the one is whether the local (-z) is compressed transmission, the other is whether the parents (-Z) is compressed transmission. The compression requires both ends are proxy. Compression also protects the (encryption) data in certain extent. we use two level example and three level example as examples:
proxy socks -t tcp -m -p :7777proxy socks -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080
proxy socks -t tcp -m -p :7777proxy socks -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888proxy socks -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080
5.12 Load balance
proxy socks --lb-method=hash -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080 -p :33080 -t tcp
5.12.1 Set retry interval and timeout time
proxy socks --lb-method=leastconn --lb-retrytime 300 --lb-timeout 300 -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080 -p :33080 -t tcp
5.12.2 Set weight
proxy socks --lb-method=weight -T tcp -P 1.1.1.1:33080@1 -P 2.1.1.1:33080@2 -P 3.1.1.1:33080@1 -p :33080 -t tcp
5.12.3 Use target address to select parent proxy
proxy socks --lb-hashtarget --lb-method=leasttime -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080 -p :33080 -t tcp
5.13 Speed limit
proxy socks -t tcp -p 2.2.2.2:33080 -l 100K
5.14 Designated exporting IP
- bind-listenproxy socks -t tcp -p 2.2.2.2:33080 --bind-listen
5.15 Cascade authentication
proxy socks -t tcp -p 2.2.2.2:33080 -a user:passproxy socks -T tcp -P 2.2.2.2:33080 -A user:pass -t tcp -p :33080
5.16 Certificate parameters using Base64 data
By default, the -C and -K parameters are the paths of CRT certificates and key files,
If it is the beginning of base64://, then it is considered that the data behind is Base64 encoded and will be used after decoding..
5.17.view help
./proxy help socks
6.Proxy protocol conversion
6.1.Functional introduction
The proxy protocol conversion use the SPS subcommand, SPS itself does not provide the proxy function, just accept the proxy request and then converse protocol and forwarded to the existing HTTP (s) or Socks5 proxy. SPS can use existing HTTP (s) or Socks5 proxy converse to support HTTP (s) and Socks5 HTTP (s) proxy at the same time by one port, and proxy supports forward and reverse proxy (SNI), SOCKS5 proxy which is also does support UDP when parent is Socks5. in addition to the existing HTTP or Socks5 proxy, which supports TLS, TCP, KCP three modes and chain-style connection. That is more than one SPS node connection can build encryption channel.
6.2.HTTP(S) to HTTP(S) + SOCKS5
./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p :18080 -h aes-192-cfb -j pass
./proxy sps -S http -T tls -P 127.0.0.1:8080 -t tcp -p :18080 -C proxy.crt -K proxy.key -h aes-192-cfb -j pass
./proxy sps -S http -T kcp -P 127.0.0.1:8080 -t tcp -p :18080 --kcp-key demo123 -h aes-192-cfb -j pass
6.3.SOCKS5 to HTTP(S) + SOCKS5
./proxy sps -S socks -T tcp -P 127.0.0.1:8080 -t tcp -p :18080 -h aes-192-cfb -j pass
./proxy sps -S socks -T tls -P 127.0.0.1:8080 -t tcp -p :18080 -C proxy.crt -K proxy.key -h aes-192-cfb -j pass
./proxy sps -S socks -T kcp -P 127.0.0.1:8080 -t tcp -p :18080 --kcp-key demo123 -h aes-192-cfb -j pass
6.4 SS to HTTP(S)+SOCKS5+SS
./proxy sps -S socks -T kcp -P 127.0.0.1:8080 -t tcp -p :18080 --kcp-key demo123./proxy sps -S ss -H aes-256-cfb -J pass -T tcp -P 127.0.0.1:8080 -t tcp -p :18080 -h aes-192-cfb -j pass
6.5.Chain style connection
./proxy -t tcp -p 127.0.0.1:8080
./proxy -S http -T tcp -P 127.0.0.1:8080 -t tls -p :8081 -C proxy.crt -K proxy.key
./proxy -S http -T tls -P 2.2.2.2:8081 -t tls -p :8082 -C proxy.crt -K proxy.key
./proxy -S http -T tls -P 3.3.3.3:8082 -t tcp -p :18080 -C proxy.crt -K proxy.key
finish。
6.6.Listening on multiple ports
-p 0.0.0.0:80,0.0.0.0:443
6.7.Authentication
user-authlocal-authparent-authauth-info-to-parent
user-auth | local-auth | parent-auth | auth-info-to-paren |
---|---|---|---|
yes/no | yes | yes | come from parent-auth |
yes/no | no | yes | come from parent-auth |
yes/no | yes | no | no |
no | no | no | no |
yes | no | no | come from user-auth |
./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p ":33080" -a "user1:pass1" -a "user2:pass2"./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p ":33080" -F auth-file.txt
./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p ":33080" -a "user1:pass1" -a "user2:pass2"./proxy sps -S http -T tcp -P 127.0.0.1:8080 -A "user1:pass1" -t tcp -p ":33080"
./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p ":33080" --auth-url "http://test.com/auth.php"
If there is no -a or -F or --auth-url parameters, local authentication is closed.
If there is no -A parameter, the connection to the father proxy does not use authentication.
6.8 Custom encryption
6.6.6.6:6666
proxy sps -S http -T tcp -P 6.6.6.6:6666 -t tcp -z demo_password -p :7777proxy sps -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080
proxy sps -S http -T tcp -P 6.6.6.6:6666 -t tcp -z demo_password -p :7777proxy sps -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888proxy sps -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080
6.9 Compressed transmission
HTTP(s) proxy can encrypt TCP data through TCP standard encryption and KCP protocol encryption, and can also compress data before custom encryption. That is to say, compression and custom encryption and tls|kcp can be used together, compression is divided into two parts, the one is whether the local (-z) is compressed transmission, the other is whether the parents (-Z) is compressed transmission. The compression requires both ends are proxy. Compression also protects the (encryption) data in certain extent. we use two level example and three level example as examples:
proxy sps -t tcp -m -p :7777proxy sps -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080
proxy sps -t tcp -m -p :7777proxy sps -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888proxy sps -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080
6.10 Disable protocol
--disable-httpproxy sps -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080 --disable-http--disable-socksproxy sps -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080 --disable-http
6.11 Speed limit
proxy socks -p 2.2.2.2:33080 -z password -t tcpproxy sps -S socks -P 2.2.2.2:33080 -T tcp -Z password -l 100K -t tcp -p :33080-l
6.12 Designated exporting IP
- bind-listenproxy sps -S socks -P 2.2.2.2:33080 -T tcp -Z password -l 100K -t tcp --bind-listen -p :33080
6.13 Certificate parameters using Base64 data
By default, the -C and -K parameters are the paths of CRT certificates and key files, If it is the beginning of base64://, then it is considered that the data behind is Base64 encoded and will be used after decoding.
6.14.view help
./proxy help sps
7.KCP Configuration
7.1.Configuration introduction
Many functions of the proxy support the KCP protocol, and all the functions that can use the KCP protocol support the configuration parameters introduced here.
So here is a unified introduction to the KCP configuration parameters.
7.2.Configuration details
The number of KCP configuration parameters is 17, you don't have to set up them. they all have the default value, if for the best effect, You need to configure the parameters according to your own network conditions. Due to the complexity of KCP configuration, a certain network basic knowledge is required,
If you want to get a more detailed configuration and explanation of the KCP parameters, search for yourself. The command line name for each parameter, as well as the default and simple functions, are described as follows:
--kcp-key="secrect" pre-shared secret between client and server
--kcp-method="aes" encrypt/decrypt method, can be: aes, aes-128, aes-192, salsa20, blowfish,
twofish, cast5, 3des, tea, xtea, xor, sm4, none
--kcp-mode="secrect" profiles: fast3, fast2, fast, normal, manual
--kcp-mtu=1350 set maximum transmission unit for UDP packets
--kcp-sndwnd=1024 set send window size(num of packets)
--kcp-rcvwnd=1024 set receive window size(num of packets)
--kcp-ds=10 set reed-solomon erasure coding - datashard
--kcp-ps=3 set reed-solomon erasure coding - parityshard
--kcp-dscp=0 set DSCP(6bit)
--kcp-nocomp disable compression
--kcp-acknodelay be carefull! flush ack immediately when a packet is received
--kcp-nodelay=0 be carefull!
--kcp-interval=50 be carefull!
--kcp-resend=0 be carefull!
--kcp-nc=0 be carefull! no congestion
--kcp-sockbuf=4194304 be carefull!
--kcp-keepalive=10 be carefull!
8.DNS anti pollution server
8.1.Introduction
It is well known that DNS is a service which use UDP protocol and 53 port,But with the development of network, some well-known DNS servers also support TCP protocol's DNS query,such as google's 8.8.8.8,Proxy's DNS anti pollution server theory is starting a local DNS proxy server,It uses TCP to conduct DNS queries through father proxy. If it encrypted communicate with father proxy,Then you can make a safe and pollution-free DNS analysis.
8.2.Use examples
proxy dns -S http -T tcp -P 2.2.2.2:33080 -p :53
proxy dns -S socks -T tcp -P 2.2.2.2:33080 -p :53
proxy http -t tls -C proxy.crt -K proxy.key -p :33080proxy dns -S http -T tls -P 2.2.2.2:33080 -C proxy.crt -K proxy.key -p :53
proxy socks -t tls -C proxy.crt -K proxy.key -p :33080proxy dns -S socks -T tls -P 2.2.2.2:33080 -C proxy.crt -K proxy.key -p :53
proxy http -t kcp -p :33080proxy dns -S http -T kcp -P 2.2.2.2:33080 -p :53
proxy socks -t kcp -p :33080proxy dns -S socks -T kcp -P 2.2.2.2:33080 -p :53
proxy http -t tcp -p :33080 -z passwordproxy dns -S http -T tcp -Z password -P 2.2.2.2:33080 -p :53
proxy socks -t kcp -p :33080 -z passwordproxy dns -S socks -T tcp -Z password -P 2.2.2.2:33080 -p :53
TODO
- HTTP, socks proxy which has multi parents proxy load balancing?
- HTTP (s) proxy support PAC?
- Welcome joining group feedback...
How to use the source code?
go get github.com/snail007/goproxygithub.com/snail007/goproxygo build -o proxygo run *.goutilsservice
License
Proxy is licensed under GPLv3 license.
Contact
proxy QQ group:189618940
Donation
if proxy help you a lot,you can support us by: