github.com/AntonOrnatskyi/goproxy@v0.0.0-20190205095733-4526a9fa18b4/README.md

<img src="https://github.com/AntonOrnatskyi/goproxy/blob/master/docs/images/logo.jpg?raw=true" width="200"/>

Proxy is a high-performance HTTP, HTTPS, websocket, TCP, UDP, SOCKS5 and ss proxy server implemented in golang. It supports parent proxies, NAT forwarding, TCP/UDP port forwarding, SSH transfer, TLS-encrypted transmission and protocol conversion. You can expose a local server behind a NAT or firewall to the internet, and run a secure DNS proxy.

[Download](https://github.com/AntonOrnatskyi/goproxy/releases)

---

[![stable](https://img.shields.io/badge/stable-stable-green.svg)](https://github.com/AntonOrnatskyi/goproxy/) [![license](https://img.shields.io/github/license/AntonOrnatskyi/goproxy.svg?style=plastic)]() [![download_count](https://img.shields.io/github/downloads/AntonOrnatskyi/goproxy/total.svg?style=plastic)](https://github.com/AntonOrnatskyi/goproxy/releases) [![download](https://img.shields.io/github/release/AntonOrnatskyi/goproxy.svg?style=plastic)](https://github.com/AntonOrnatskyi/goproxy/releases)

**[Chinese manual (中文手册)](/README_ZH.md)**

**[Full-platform graphical interface version](/gui/README.md)**

**[Full-platform SDK](https://github.com/AntonOrnatskyi/goproxy-sdk/blob/master/README.md)**

**[GoProxy special authorization](/AUTHORIZATION.md)**

### How to contribute to the code (Pull Request)?

Pull Requests are welcome.
First, clone the project to your account, then modify the code on the dev branch.
Finally, open a Pull Request against the dev branch of the goproxy project and contribute code for efficiency.
The PR needs to explain what changes have been made and why you made them.

### Features
- Chain-style proxy: the program itself can be a first-level proxy, and if a parent proxy is set it can act as a second-level or even an N-level proxy.
- Encrypted communication: if the program is not a first-level proxy and the parent proxy is also this program, it can communicate with the parent proxy over encryption. TLS encryption is high-strength encryption; it is secure and featureless (it carries no distinguishing characteristics).
- Intelligent HTTP and SOCKS5 proxy: the program automatically determines whether the site it is accessing is blocked. If the site is blocked, the program uses the parent proxy (provided you have set one up) to access it; if the site is not blocked, the program accesses it directly without the parent proxy, to speed up access.
- Domain black and white lists: very flexible control over the way you visit a site.
- Cross-platform: whatever OS you use (Linux, Windows, even a Raspberry Pi), you can always use proxy well.
- Multi-protocol support: the program supports HTTP(S), TCP, UDP, websocket and SOCKS5 proxying.
- TCP/UDP port forwarding is supported.
- NAT forwarding between different networks is supported, for both TCP and UDP.
- SSH forwarding: HTTP(S) and SOCKS5 proxies support SSH transfer; the parent Linux server does not need any extra server software, and a local proxy can happily access the internet.
- [KCP](https://github.com/xtaci/kcp-go) protocol is supported: HTTP(S) and SOCKS5 proxies support transmitting data over the KCP protocol, which reduces latency and improves the browsing experience.
- Integrated external API: HTTP(S) and SOCKS5 proxy authentication can be integrated with an external HTTP API, so the user's access can easily be controlled by an external system.
- Reverse proxy: goproxy supports resolving a domain directly to the IP the proxy listens on; proxy then accesses the HTTP(S) site you need for you.
- Transparent proxy: with iptables, goproxy on the gateway can directly forward traffic for ports 80 and 443 to the proxy, realising a transparent intelligent router proxy that clients are unaware of.
- Protocol conversion: an existing HTTP(S), SOCKS5 or ss proxy can be converted into a proxy that supports HTTP(S), SOCKS5 and ss on one port; if the parent proxy of the converted SOCKS5 and ss proxy is SOCKS5, UDP is supported as well. Powerful cascading authentication is also supported.
- Custom underlying encrypted transmission: the HTTP(S)\sps\socks proxies can encrypt TCP data with TLS standard encryption and KCP protocol encryption, and additionally support custom encryption after TLS and KCP, that is, custom encryption and tls|kcp can be used together. Internally AES256 encryption is used, and you only need to define one password when using it.
- Low-level compression and efficient transmission: the HTTP(S)\sps\socks proxies can encrypt TCP data with custom encryption, TLS standard encryption and KCP protocol encryption, and can also compress the data after encryption, that is, compression, custom encryption and tls|kcp can be used together.
- Secure DNS proxy: through the DNS proxy provided by the local proxy, you can communicate with the parent proxy over encryption to realise secure, pollution-resistant DNS queries.
- Load balancing and high availability: HTTP(S)\SOCKS5\SPS proxies support upstream load balancing and high availability; specify multiple upstreams by repeating the -P parameter.
- Designated exporting IP: HTTP(S)\SOCKS5\SPS proxies support using the entry IP the client connected to as the exporting IP for visiting the target website. If the entry IP is an intranet IP, the exporting IP will not use the entry IP.
- Speed limit is supported: HTTP(S)\SOCKS5\SPS proxies support speed limits.
- SOCKS5 proxy supports cascade authentication.
- Certificate parameters accept Base64 data.
  By default, the -C and -K parameters are the paths of the CRT certificate and key file. If the value begins with `base64://`, the data after it is treated as Base64-encoded, decoded and used.

### Why are these needed?
- Because for some reason we cannot access our services from elsewhere, we can build a secure tunnel through multiple connected proxy nodes to reach them.
- The WeChat interface can be developed locally, which is convenient for debugging.
- Remote access to intranet machines.
- Play LAN games with partners.
- Something that used to be playable only on the LAN can now be played anywhere.
- A replacement for 剑内网通, 显IP内网通, 花生壳, frp and so on.
- ...


This page is the v6.0 manual; the manuals for other versions can be found via the following [link](docs/old-release.md).


### How to find the organization?
[Click to join the proxy group on gitter](https://gitter.im/go-proxy/Lobby?utm_source=share-link&utm_medium=link&utm_campaign=share-link)
[Click to join the proxy group on telegram](https://t.me/joinchat/GYHXghCDSBmkKZrvu4wIdQ)


### Installation
- [Quick installation](#quick-installation)
- [Manual installation](#manual-installation)
- [Docker installation](#docker-installation)

### First use must read
- [Environmental Science](#environmental-science)
- [Use configuration file](#use-configuration-file)
- [Debug output](#debug-output)
- [Using log files](#using-log-files)
- [Daemon mode](#daemon-mode)
- [Monitor mode](#monitor-mode)
- [Generating a communication certificate file](#generating-a-communication-certificate-file)
- [Safety advice](#safety-advice)

### Manual catalogues
- [Load balance and high available](#load-balance-and-high-available)
- [1.HTTP proxy](#1http-proxy)
  - [1.1 Common HTTP proxy](#11common-http-proxy)
  - [1.2 Common HTTP second level proxy](#12common-http-second-level-proxy)
  - [1.3 HTTP second level proxy(encrypted)](#13http-second-level-encrypted-proxy)
  - [1.4 HTTP third level proxy(encrypted)](#14http-third-level-encrypted-proxy)
  - [1.5 Basic Authentication](#15basic-authentication)
  - [1.6 HTTP proxy traffic force to go to parent http proxy](#16http-proxy-traffic-force-to-go-to-parent-http-proxy)
  - [1.7 Transfer through SSH](#17transfer-through-ssh)
    - [1.7.1 The way of username and password](#171the-way-of-username-and-password)
    - [1.7.2 The way of username and key](#172the-way-of-username-and-key)
  - [1.8 KCP protocol transmission](#18kcp-protocol-transmission)
  - [1.9 HTTP(S) reverse proxy](#19http-reverse-proxy)
  - [1.10 HTTP(S) transparent proxy](#110http-transparent-proxy)
  - [1.11 Custom DNS](#111custom-dns)
  - [1.12 Custom encryption](#112-custom-encryption)
  - [1.13 Compressed transmission](#113-compressed-transmission)
  - [1.14 Load balance](#114-load-balance)
  - [1.15 Speed limit](#115-speed-limit)
  - [1.16 Designated exporting IP](#116-designated-export-ip)
  - [1.17 Certificate parameters using Base64 data](#117-certificate-parameters-using-Base64-data)
  - [1.18 Intelligent mode](#118-intelligent-mode)
  - [1.19 View help](#119view-help)
- [2.TCP proxy](#2tcp-proxy)
  - [2.1 Common TCP first level proxy](#21common-tcp-first-level-proxy)
  - [2.2 Common TCP second level proxy](#22common-tcp-second-level-proxy)
  - [2.3 Common TCP third level proxy](#23common-tcp-third-level-proxy)
  - [2.4 TCP second level encrypted proxy](#24tcp-second-level-encrypted-proxy)
  - [2.5 TCP third level encrypted proxy](#25tcp-third-level-encrypted-proxy)
  - [2.6 Connect parent proxy through other proxy](#26connect-parents-proxy-through-other-proxy)
  - [2.7 View help](#27view-help)
- [3.UDP proxy](#3udp-proxy)
  - [3.1 Common UDP first level proxy](#31common-udp-first-level-proxy)
  - [3.2 Common UDP second level proxy](#32common-udp-second-level-proxy)
  - [3.3 Common UDP third level proxy](#33common-udp-third-level-proxy)
  - [3.4 UDP second level encrypted proxy](#34udp-second-level-encrypted-proxy)
  - [3.5 UDP third level encrypted proxy](#35udp-third-level-encrypted-proxy)
  - [3.6 View help](#36view-help)
- [4.Nat forward](#4nat-forward)
  - [4.1 Principle explanation](#41principle-explanation)
  - [4.2 TCP common usage](#42tcp-common-usage)
  - [4.3 Local development of WeChat interface](#43local-development-of-wechat-interface)
  - [4.4 UDP common usage](#44udp-common-usage)
  - [4.5 Advanced usage 1](#45advanced-usage-1)
  - [4.6 Advanced usage 2](#46advanced-usage-2)
  - [4.7 -r parameters of server](#47-r-parameters-of-server)
  - [4.8 Server and client connect bridge through proxy](#48server-and-client-connect-bridge-through-proxy)
  - [4.9 View help](#49view-help)
- [5.SOCKS5 proxy](#5socks5-proxy)
  - [5.1 Common SOCKS5 proxy](#51common-socks5-proxy)
  - [5.2 Common SOCKS5 second level proxy](#52common-socks5-second-level-proxy)
  - [5.3 SOCKS5 second level proxy(encrypted)](#53socks-second-level-encrypted-proxy)
  - [5.4 SOCKS third level proxy(encrypted)](#54socks-third-level-encrypted-proxy)
  - [5.5 SOCKS proxy traffic force to go to parent socks proxy](#55socks-proxy-traffic-force-to-go-to-parent-socks-proxy)
  - [5.6 Transfer through SSH](#56transfer-through-ssh)
    - [5.6.1 The way of username and password](#561the-way-of-username-and-password)
    - [5.6.2 The way of username and key](#562the-way-of-username-and-key)
  - [5.7 Authentication](#57authentication)
  - [5.8 KCP protocol transmission](#58kcp-protocol-transmission)
  - [5.9 Custom DNS](#59custom-dns)
  - [5.10 Custom encryption](#510custom-encryption)
  - [5.11 Compressed transmission](#511compressed-transmission)
  - [5.12 Load balance](#512-load-balance)
  - [5.13 Speed limit](#513-speed-limit)
  - [5.14 Designated exporting IP](#514-designated-exporting-ip)
  - [5.15 Cascade authentication](#515-cascade-authentication)
  - [5.16 Certificate parameters using Base64 data](#516-certificate-parameters-using-base64-data)
  - [5.17 Intelligent mode](#517-intelligent-mode)
  - [5.18 View help](#518view-help)
- [6.Proxy protocol conversion](#6proxy-protocol-conversion)
  - [6.1 Functional introduction](#61functional-introduction)
  - [6.2 HTTP(S) to HTTP(S) + SOCKS5](#62http-to-http-socks5)
  - [6.3 SOCKS5 to HTTP(S) + SOCKS5](#63socks5-to-http-socks5)
  - [6.4 SS to HTTP(S)+SOCKS5+SS](#64-ss-to-httpssocks5ss)
  - [6.5 Chain style connection](#65chain-style-connection)
  - [6.6 Listening on multiple ports](#66listening-on-multiple-ports)
  - [6.7 Authentication](#67authentication)
  - [6.8 Custom encryption](#68-custom-encryption)
  - [6.9 Compressed transmission](#69-compressed-transmission)
  - [6.10 Disable protocol](#610-disable-protocol)
  - [6.11 Speed limit](#611-speed-limit)
  - [6.12 Designated exporting IP](#612-designated-exporting-ip)
  - [6.13 Certificate parameters using Base64 data](#613-certificate-parameters-using-base64-data)
  - [6.14 View help](#614view-help)
- [7.KCP Configuration](#7kcp-configuration)
  - [7.1 Configuration introduction](#71configuration-introduction)
  - [7.2 Configuration details](#72configuration-details)
- [8.DNS anti pollution server](#8dns-anti-pollution-server)
  - [8.1 Introduction](#81introduction)
  - [8.2 Use examples](#82use-examples)



### Fast Start
Tips: all operations require root permissions.
#### Quick installation
#### **0. If your VPS is linux64, you can complete the automatic installation and configuration with the following command.**
```shell
curl -L https://raw.githubusercontent.com/AntonOrnatskyi/goproxy/master/install_auto.sh | bash
```
When the installation is complete, the configuration directory is /etc/proxy. For more detailed usage, refer to the manual above to learn about the functions you want to use.
If the installation fails or your VPS is not a linux64 system, follow the semi-automatic steps below:

#### Manual installation

#### **1.Download proxy**
Download address: https://github.com/AntonOrnatskyi/goproxy/releases
```shell
cd /root/proxy/
wget https://github.com/AntonOrnatskyi/goproxy/releases/download/v6.0/proxy-linux-amd64.tar.gz
```
#### **2.Download the automatic installation script**
```shell
cd /root/proxy/
wget https://raw.githubusercontent.com/AntonOrnatskyi/goproxy/master/install.sh
chmod +x install.sh
./install.sh
```

#### Docker installation

[docker](https://hub.docker.com/r/AntonOrnatskyi/goproxy)

The Dockerfile at the project root uses a multi-stage build and the alpine image to comply with best practices. It builds with golang 1.10.3, as noted in the project README.md, and produces a fairly small image: the total extracted size is 17.3MB for the latest goproxy version.

The default build process builds the master branch (latest commits, cutting edge). It can be configured to build a specific version; just edit the Dockerfile before building. The following builds release version 6.0:

```
ARG GOPROXY_VERSION=v6.0
```

To run:
1. Clone the repository and cd into it.
```
sudo docker build .
```
2. Tag the image:
```
sudo docker tag <id from previous step> snail007/goproxy:latest
```
3. Run!
Just put your arguments for the proxy binary in the OPTS environment variable (this is just a sample HTTP proxy):
```
sudo docker run -d --restart=always --name goproxy -e OPTS="http -p :33080" -p 33080:33080 snail007/goproxy:latest
```
4. View logs:
```
sudo docker logs -f goproxy
```


## **First use must be read**

### **Environmental Science**
The following tutorial assumes the system is Linux, the program is called proxy, and all operations require root permissions.
If the system is Windows, use proxy.exe instead.

### **Use configuration file**
The following tutorial introduces usage through command-line parameters; the parameters can also be read from a configuration file.
The specific format is to name the configuration file after the @ symbol, for example `./proxy @configfile.txt`.
Format of configfile.txt: the first line is the subcommand name; from the second line on, each line holds one parameter in the form `--long-parameter-name=value`, with no spaces and no double quotes before or after.
The long form of a parameter begins with --, the short form begins with -. If you don't know which short form corresponds to a long form, look at the help command.
For example, the contents of configfile.txt are as follows:
```shell
http
--local-type=tcp
--local=:33080
```
### **Debug output**
By default, the log output does not contain source line numbers. In some cases, to isolate and locate a problem in the program, you can use the --debug parameter to output the code line number and the time of the error.

### **Using log files**
By default, the log is displayed directly on the console; if you want to save it to a file, use the --log parameter.
For example, with `--log proxy.log` the log is written to the proxy.log file, which makes troubleshooting easy.
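The @configfile format described under "Use configuration file" above, turned into a small validating loader. This is an added example, not goproxy's own code: it converts the file into an argument vector and rejects lines that break the stated rules (a non-`--` parameter, or spaces and double quotes around the value) instead of silently passing them on.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"strings"
)

// ParseConfigFile converts the contents of a goproxy-style @configfile into
// an argument vector: the first non-empty line is the subcommand, and every
// following line is one "--long-name=value" (or bare "--flag") entry with no
// surrounding spaces or double quotes. Lines that violate the format are
// reported with their line number rather than passed on to the proxy.
func ParseConfigFile(content string) ([]string, error) {
	var args []string
	sc := bufio.NewScanner(strings.NewReader(content))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := sc.Text()
		if strings.TrimSpace(line) == "" {
			continue
		}
		if len(args) == 0 {
			// First line: the subcommand, e.g. http, socks, tcp, udp, sps.
			if strings.HasPrefix(line, "-") || strings.ContainsAny(line, " \t\"") {
				return nil, fmt.Errorf("line %d: expected a subcommand name, got %q", lineNo, line)
			}
			args = append(args, line)
			continue
		}
		// Remaining lines: long-form parameters only.
		if !strings.HasPrefix(line, "--") {
			return nil, fmt.Errorf("line %d: parameter must use the long form starting with --: %q", lineNo, line)
		}
		if strings.ContainsAny(line, " \t\"") {
			return nil, fmt.Errorf("line %d: no spaces or double quotes are allowed: %q", lineNo, line)
		}
		name, _, _ := strings.Cut(line[2:], "=")
		if name == "" {
			return nil, fmt.Errorf("line %d: empty parameter name: %q", lineNo, line)
		}
		args = append(args, line)
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	if len(args) == 0 {
		return nil, errors.New("config file is empty: the first line must be the subcommand")
	}
	return args, nil
}

func main() {
	// Usage: configcheck @configfile.txt  (mirrors proxy's @ syntax)
	if len(os.Args) < 2 || !strings.HasPrefix(os.Args[1], "@") {
		fmt.Fprintln(os.Stderr, "usage: configcheck @configfile.txt")
		os.Exit(2)
	}
	data, err := os.ReadFile(os.Args[1][1:])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	args, err := ParseConfigFile(string(data))
	if err != nil {
		fmt.Fprintln(os.Stderr, "invalid config file:", err)
		os.Exit(1)
	}
	// Print the equivalent command line so the file can be reviewed before use.
	fmt.Println("proxy", strings.Join(args, " "))
}
```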

### **Generating a communication certificate file**
The HTTP, TCP and UDP proxy processes communicate with the parent proxy. For security we use encrypted communication; of course, we can also choose not to encrypt. All communication with the parent proxy in this tutorial is encrypted and requires certificate files.

1. Generate signed certificate and key files with the following command.
`./proxy keygen -C proxy`
The certificate file proxy.crt and key file proxy.key will be generated in the current directory.

2. With the following command, use the signed certificate proxy.crt and key file proxy.key to issue new certificates goproxy.crt and goproxy.key.
`./proxy keygen -s -C proxy -c goproxy`
The certificate file goproxy.crt and key file goproxy.key will be generated in the current program directory.

3. By default, the domain name in the certificate is a random domain; it can be specified with the `-n test.com` parameter.

4. More usage: `proxy keygen --help`.

### **Daemon mode**
After proxy is started normally, you cannot close the command line if you want to keep it running.
If you want to run proxy in daemon mode, so that the command line can be closed, just add the --daemon parameter at the end of the command.
For example: `./proxy http -t tcp -p "0.0.0.0:38080" --daemon`

### **Monitor mode**
The monitor mode parameter is --forever, for example: `proxy http --forever`.
Proxy forks a subprocess and then monitors it; if the subprocess exits, proxy restarts it after 5 seconds.
Together with the --daemon parameter and the log parameter --log, this guarantees that proxy keeps running in the background and does not exit accidentally,
and you can see proxy's output log through the log file.
For example: `proxy http -p ":9090" --forever --log proxy.log --daemon`

### **Safety advice**
When the VPS is behind NAT, the network card IP on the VPS is an internal network IP; in that case add the VPS's external network IP with the -g parameter to prevent a loop.
Assuming that your VPS's external network IP is 23.23.23.23, the following command sets 23.23.23.23 through the -g parameter.
`./proxy http -g "23.23.23.23"`

### **Load balance and high available**
HTTP(S)\SOCKS5\SPS proxies support upstream load balancing and high availability. Specify multiple upstreams by repeating the -P parameter.
Load balancing has 5 kinds of policy, specified with the `--lb-method` parameter:
- `roundrobin`: take turns
- `leastconn`: use the upstream with the minimum number of connections
- `leasttime`: use the upstream with the minimum connection time
- `hash`: use the client address to compute a fixed upstream
- `weight`: choose an upstream according to the weight and connection number of each upstream

Tips:
The load balance check interval can be set with `--lb-retrytime`, in milliseconds.
The load balance connection timeout can be set with `--lb-timeout`, in milliseconds.
If the load balance policy is weighted (weight), the -P format is `2.2.2.2:3880@1`, where 1 is the weight and must be greater than 0.
If the load balance policy is hash, the parent is selected by the client address by default; with `--lb-hashtarget` the parent is selected by the access destination address instead.

### **1.HTTP proxy**
#### **1.1.Common HTTP proxy**
![1.1](/docs/images/http-1.png)
`./proxy http -t tcp -p "0.0.0.0:38080"`

#### **1.2.Common HTTP second level proxy**
![1.2](/docs/images/http-2.png)
Using local port 8090, assume the parent HTTP proxy is `22.22.22.22:8080`:
`./proxy http -t tcp -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080"`
The connection pool is closed by default.
If you want to speed up access, -L opens the connection pool: 10 is the size of the connection pool, and 0 means closed.
The connection pool is not stable when the network is poor.
`./proxy http -t tcp -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" -L 10`
We can also specify black and white list files of domain names, one domain per line. The matching rule is right-most matching; for example, baidu.com matches *.*.baidu.com. Domains on the blacklist go straight to the parent proxy, and domains on the whitelist do not go to the parent proxy.
`./proxy http -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" -b blocked.txt -d direct.txt`

#### **1.3.HTTP second level encrypted proxy**
![1.3](/docs/images/http-tls-2.png)
HTTP first level proxy (VPS, IP: 22.22.22.22)
`./proxy http -t tls -p ":38080" -C proxy.crt -K proxy.key`

HTTP second level proxy (local Linux)
`./proxy http -t tcp -p ":8080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
Accessing local port 8080 is accessing proxy port 38080 on the VPS above.

HTTP second level proxy (local Windows)
`./proxy.exe http -t tcp -p ":8080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
On your Windows system, set the proxy mode of the program that needs to go online through the proxy to HTTP, with address 127.0.0.1 and port 8080; the program can then reach the internet through the encrypted channel via the VPS.

#### **1.4.HTTP third level encrypted proxy**
![1.4](/docs/images/http-tls-3.png)
HTTP first level proxy VPS_01, IP: 22.22.22.22
`./proxy http -t tls -p ":38080" -C proxy.crt -K proxy.key`
HTTP second level proxy VPS_02, IP: 33.33.33.33
`./proxy http -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
HTTP third level proxy (local)
`./proxy http -t tcp -p ":8080" -T tls -P "33.33.33.33:28080" -C proxy.crt -K proxy.key`
Then accessing local port 8080 is accessing the HTTP first level proxy on port 38080.

#### **1.5.Basic Authentication**
We can do Basic authentication for the HTTP proxy; the authenticated username and password can be specified on the command line.
`./proxy http -t tcp -p ":33080" -a "user1:pass1" -a "user2:pass2"`
If you need multiple users, repeat the -a parameter.
They can also be placed in a file, one `username:password` per line, which is then specified with -F.
`./proxy http -t tcp -p ":33080" -F auth-file.txt`

In addition, the HTTP(S) proxy also integrates external HTTP API authentication: we can specify an HTTP URL interface address with the --auth-url parameter.
When somebody connects to the proxy, it requests this URL by GET with the following four parameters, and if HTTP status code 204 is returned, authentication succeeds.
In all other cases, authentication fails.
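What the service behind --auth-url has to implement, as an added example that is not part of goproxy: a GET handler that reads user, pass, ip and target, answers 204 only on success, and treats any other status as a rejection. The user table, the allowed target ports and the loopback listen address are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"log"
	"net"
	"net/http"
	"net/url"
)

// users is a constructed sample table (hypothetical values); a real
// deployment would check a hashed credential store instead.
var users = map[string]string{
	"user1": "pass1",
	"user2": "pass2",
}

// allowedPorts is an assumed policy: the proxy may only reach web ports.
var allowedPorts = map[string]bool{"80": true, "443": true}

// Decide implements the --auth-url contract: it receives the user, pass,
// ip and target query parameters and returns 204 for success; any other
// status code makes proxy reject the connection.
func Decide(user, pass, ip, target string) int {
	want, known := users[user]
	// Hash both sides and compare in constant time so that an unknown user
	// and a wrong password take the same time to reject.
	h1 := sha256.Sum256([]byte(want))
	h2 := sha256.Sum256([]byte(pass))
	if !known || subtle.ConstantTimeCompare(h1[:], h2[:]) != 1 {
		return http.StatusUnauthorized
	}
	if net.ParseIP(ip) == nil {
		return http.StatusBadRequest
	}
	// target looks like http://demo.com:80/1.html or https://www.baidu.com:80
	u, err := url.Parse(target)
	if err != nil || u.Hostname() == "" {
		return http.StatusForbidden
	}
	port := u.Port()
	if port == "" {
		port = "80"
		if u.Scheme == "https" {
			port = "443"
		}
	}
	if !allowedPorts[port] {
		return http.StatusForbidden
	}
	return http.StatusNoContent
}

// AuthHandler serves the GET request proxy makes. The password is read but
// never logged; user, ip and target are logged for audit.
func AuthHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		w.WriteHeader(http.StatusMethodNotAllowed)
		return
	}
	q := r.URL.Query()
	code := Decide(q.Get("user"), q.Get("pass"), q.Get("ip"), q.Get("target"))
	log.Printf("auth user=%q ip=%q target=%q status=%d", q.Get("user"), q.Get("ip"), q.Get("target"), code)
	w.WriteHeader(code)
}

func main() {
	// Loopback only: this example assumes proxy runs on the same host and is
	// started with --auth-url "http://127.0.0.1:8000/auth.php".
	http.HandleFunc("/auth.php", AuthHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8000", nil))
}
```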
For example:
`./proxy http -t tcp -p ":33080" --auth-url "http://test.com/auth.php"`
When a user connects to the proxy, it requests this URL ("http://test.com/auth.php") by GET
with four parameters, user, pass, ip and target:
http://test.com/auth.php?user={USER}&pass={PASS}&ip={IP}&target={TARGET}
- user: username
- pass: password
- ip: the user's IP, for example 192.168.1.200
- target: the URL the user connects to, for example http://demo.com:80/1.html or https://www.baidu.com:80

If there is no -a, -F or --auth-url parameter, Basic authentication is disabled.

#### **1.6.HTTP proxy traffic force to go to parent http proxy**
By default, proxy intelligently judges whether a domain name can be accessed; if it cannot, the request goes to the parent HTTP proxy.
With --always, all HTTP proxy traffic can be forced to the parent HTTP proxy.
`./proxy http --always -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`

#### **1.7.Transfer through SSH**
![1.7](/docs/images/http-ssh-1.png)
Explanation: SSH transfer takes advantage of SSH's forwarding function; after you connect to SSH, you can reach the target address through the SSH proxy.
Suppose there is a VPS:
- IP is 2.2.2.2, SSH port is 22, SSH username is user, SSH password is demo
- The SSH private key of the user is user.key

##### ***1.7.1.The way of username and password***
The local HTTP(S) proxy uses port 28080; execute:
`./proxy http -T ssh -P "2.2.2.2:22" -u user -A demo -t tcp -p ":28080"`
##### ***1.7.2.The way of username and key***
The local HTTP(S) proxy uses port 28080; execute:
`./proxy http -T ssh -P "2.2.2.2:22" -u user -S user.key -t tcp -p ":28080"`

#### **1.8.KCP protocol transmission**
![1.8](/docs/images/http-kcp.png)
The KCP protocol requires a --kcp-key parameter to set a password used to encrypt and decrypt data.

HTTP first level proxy (VPS, IP: 22.22.22.22)
`./proxy http -t kcp -p ":38080" --kcp-key mypassword`

HTTP second level proxy (OS is Linux)
`./proxy http -t tcp -p ":8080" -T kcp -P "22.22.22.22:38080" --kcp-key mypassword`
Then accessing local port 8080 is accessing the proxy's port 38080 on the VPS, and the data is transmitted through the KCP protocol.
#### **1.9.HTTP reverse proxy**
![1.9](/docs/images/fxdl.png)
Proxy not only supports being configured as a proxy in other software, to provide service to that software; it also supports resolving a website's domain directly to the IP proxy listens on. When proxy listens on ports 80 and 443, it then automatically accesses the HTTP website through the proxy for you.

How to use:
On the last-level proxy computer, because proxy is disguised as every website and the default port of HTTP is 80 and of HTTPS is 443, proxy listens on ports 80 and 443. Multiple addresses for the -p parameter are separated by commas.
`./proxy http -t tcp -p :80,:443`

This command starts a proxy on the computer that listens on ports 80 and 443. It can be used as a common proxy, and you can directly resolve the domains that need proxying to the IP of this computer.

If a parent proxy exists, refer to the tutorial above to set one up; the usage is exactly the same.
`./proxy http -t tcp -p :80,:443 -T tls -P "2.2.2.2:33080" -C proxy.crt -K proxy.key`

Notice:
The DNS resolution results on the server where proxy is located must not be affected by the custom resolution; otherwise there is a loop.

#### **1.10.HTTP transparent proxy**
This mode requires some network knowledge; if you don't understand the related concepts, please look them up yourself.
Assuming proxy is running on the router, the start command is as follows:
`./proxy http -t tcp -p :33080 -T tls -P "2.2.2.2:33090" -C proxy.crt -K proxy.key`

Then add the iptables rules; the following rules are a reference:
```shell
# IP of the parent proxy:
proxy_server_ip=2.2.2.2

# Port the proxy running on the router listens on:
proxy_local_port=33080

# The following does not need to be modified
# create a new chain named PROXY
iptables -t nat -N PROXY

# Ignore your PROXY server's addresses
# It's very IMPORTANT, just be careful.

iptables -t nat -A PROXY -d $proxy_server_ip -j RETURN

# Ignore LAN IP addresses
iptables -t nat -A PROXY -d 0.0.0.0/8 -j RETURN
iptables -t nat -A PROXY -d 10.0.0.0/8 -j RETURN
iptables -t nat -A PROXY -d 127.0.0.0/8 -j RETURN
iptables -t nat -A PROXY -d 169.254.0.0/16 -j RETURN
iptables -t nat -A PROXY -d 172.16.0.0/12 -j RETURN
iptables -t nat -A PROXY -d 192.168.0.0/16 -j RETURN
iptables -t nat -A PROXY -d 224.0.0.0/4 -j RETURN
iptables -t nat -A PROXY -d 240.0.0.0/4 -j RETURN

# Anything to port 80 or 443 should be redirected to PROXY's local port
iptables -t nat -A PROXY -p tcp --dport 80 -j REDIRECT --to-ports $proxy_local_port
iptables -t nat -A PROXY -p tcp --dport 443 -j REDIRECT --to-ports $proxy_local_port

# Apply the rules to NAT clients
iptables -t nat -A PREROUTING -p tcp -j PROXY
# Apply the rules to localhost
iptables -t nat -A OUTPUT -p tcp -j PROXY
```
- To clear a whole chain, the command is `iptables -F <chain name>`, for example `iptables -t nat -F PROXY`.
- To delete a user-defined chain, the command is `iptables -X <chain name>`, for example `iptables -t nat -X PROXY`.
- To delete a rule from a chain, the command is `iptables -D <chain name> <rule>`, for example `iptables -t nat -D PROXY -d 223.223.192.0/255.255.240.0 -j RETURN`.

#### **1.11.Custom DNS**
The --dns-address and --dns-ttl parameters can be used to specify the DNS server (--dns-address) used when proxy accesses a domain,
and the DNS result cache time (--dns-ttl) in seconds. They avoid interference from the system DNS with proxy, and the cache reduces DNS resolution time and increases access speed.
For example:
`./proxy http -p ":33080" --dns-address "8.8.8.8:53" --dns-ttl 300`

#### **1.12 Custom encryption**
The HTTP(S) proxy can encrypt TCP data with TLS standard encryption and KCP protocol encryption; in addition it supports custom encryption after TLS and KCP, that is, custom encryption and tls|kcp can be combined. Internally AES256 encryption is used, and you only need to define one password. Encryption is divided into two parts: whether the local side (-z) encrypts and decrypts, and whether the parent side (-Z) encrypts and decrypts.
Custom encryption requires both ends to be proxy. Next we use a two-level example and a three-level example:

**two level example**
First level VPS (ip: 2.2.2.2) execution:
`proxy http -t tcp -z demo_password -p :7777`
Local second level execution:
`proxy http -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -p :8080`
In this way, when you visit a website through the local proxy 8080, it visits the target website via encrypted transmission with the parent proxy.

**three level example**
First level VPS (ip: 2.2.2.2) execution:
`proxy http -t tcp -z demo_password -p :7777`
Second level VPS (ip: 3.3.3.3) execution:
`proxy http -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888`
Local third level execution:
`proxy http -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080`
In this way, when you visit a website through the local proxy 8080, it visits the target website via encrypted transmission with the parent proxy.

#### **1.13 Compressed transmission**
The HTTP(S) proxy can encrypt TCP data with TLS standard encryption and KCP protocol encryption, and can also compress the data before custom encryption.
That is, compression, custom encryption and tls|kcp can be used together. Compression is divided into two parts: whether the local side (-m) uses compressed transmission, and whether the parent side (-M) uses compressed transmission.
Compression requires both ends to be proxy. Compression also protects the (encrypted) data to a certain extent. We use a two-level example and a three-level example:

**two level example**
First level VPS (ip: 2.2.2.2) execution:
`proxy http -t tcp -m -p :7777`
Local second level execution:
`proxy http -T tcp -P 2.2.2.2:7777 -M -t tcp -p :8080`
In this way, when you visit a website through the local proxy 8080, it visits the target website via compressed transmission with the parent proxy.


**three level example**
First level VPS (ip: 2.2.2.2) execution:
`proxy http -t tcp -m -p :7777`
Second level VPS (ip: 3.3.3.3) execution:
`proxy http -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888`
Local third level execution:
`proxy http -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080`
In this way, when you visit a website through the local proxy 8080, it visits the target website via compressed transmission with the parent proxy.

#### **1.14 Load balance**
The HTTP(S) proxy supports upstream load balancing; multiple upstreams are given by repeating the -P parameter.
`proxy http --lb-method=hash -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080`

#### **1.14.1 Set retry interval and timeout time**
`proxy http --lb-method=leastconn --lb-retrytime 300 --lb-timeout 300 -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080 -t tcp -p :33080`

#### **1.14.2 Set weight**
`proxy http --lb-method=weight -T tcp -P 1.1.1.1:33080@1 -P 2.1.1.1:33080@2 -P 3.1.1.1:33080@1 -t tcp -p :33080`

#### **1.14.3 Use target address to select parent proxy**
`proxy http --lb-hashtarget --lb-method=leasttime -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080 -t tcp -p :33080`

#### **1.15 Speed limit**
The speed limit, here 100K, is specified through the `-l` parameter; values such as 100K or 1.5M are accepted, and 0 means unlimited.
`proxy http -t tcp -p 2.2.2.2:33080 -l 100K`

#### **1.16 Designated exporting IP**
The `--bind-listen` parameter makes proxy connect to the target site from the IP on which the client's connection arrived, that is, the entry IP is used as the exporting IP. If the entry IP is an intranet IP, the exporting IP will not use the entry IP.
`proxy http -t tcp -p 2.2.2.2:33080 --bind-listen`

#### **1.17 Certificate parameters using Base64 data**
By default, the -C and -K parameters are the paths of the CRT certificate and key files.
If a value begins with base64://, the data after it is treated as Base64 encoded and is used after decoding.

#### **1.18 Intelligent mode**
The intelligent mode setting can be one of intelligent|direct|parent.
Default: intelligent.
The meaning of each value is as follows:
`--intelligent=direct`: targets that are not in the blocked list are connected directly.
`--intelligent=parent`: targets that are not in the direct list are connected through the parent proxy.
`--intelligent=intelligent`: for targets that are in neither the direct list nor the blocked list, proxy judges intelligently whether to connect through the parent proxy.
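The following is an added example, not goproxy's own code: it models how the blocked and direct domain lists (the -b / -d files, one domain per line, matched from the right so that `baidu.com` covers every `*.baidu.com`) combine with the three `--intelligent` modes described above. The page does not say which list goproxy consults first when a host appears in both; this model checks the direct list first, which is an assumption, and the sample lists are constructed for the example.

```go
package main

// Added example (not goproxy's code): right-hand domain matching for the
// blocked/direct lists plus the three --intelligent modes from the README.
// Assumption: the direct list is consulted before the blocked list.

import (
	"fmt"
	"net"
	"strings"
)

// Route is the decision made for one target host.
type Route int

const (
	RouteDirect      Route = iota // connect to the target directly
	RouteParent                   // send through the parent proxy
	RouteIntelligent              // in neither list: left to the live reachability check
)

func (r Route) String() string {
	return [...]string{"direct", "parent", "intelligent"}[r]
}

// normalizeHost strips an optional :port and a trailing dot, and lower-cases.
func normalizeHost(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	return strings.ToLower(strings.TrimSuffix(host, "."))
}

// parseList reads blocked.txt / direct.txt style contents: one domain per line,
// blank lines and '#' comments ignored.
func parseList(contents string) map[string]bool {
	list := map[string]bool{}
	for _, line := range strings.Split(contents, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		list[normalizeHost(line)] = true
	}
	return list
}

// matchesRightHand implements the README's rule: "baidu.com" covers baidu.com
// and every subdomain (www.baidu.com, a.b.baidu.com) but not notbaidu.com.
func matchesRightHand(host, rule string) bool {
	host = normalizeHost(host)
	return host == rule || strings.HasSuffix(host, "."+rule)
}

func inList(host string, list map[string]bool) bool {
	for rule := range list {
		if matchesRightHand(host, rule) {
			return true
		}
	}
	return false
}

// Decide applies the --intelligent mode to host using the two lists.
func Decide(mode, host string, blocked, direct map[string]bool) (Route, error) {
	switch mode {
	case "direct": // everything not in the blocked list goes direct
		if inList(host, blocked) {
			return RouteParent, nil
		}
		return RouteDirect, nil
	case "parent": // everything not in the direct list goes to the parent
		if inList(host, direct) {
			return RouteDirect, nil
		}
		return RouteParent, nil
	case "intelligent": // the lists decide; unlisted hosts get the reachability check
		if inList(host, direct) {
			return RouteDirect, nil
		}
		if inList(host, blocked) {
			return RouteParent, nil
		}
		return RouteIntelligent, nil
	}
	return 0, fmt.Errorf("unknown --intelligent value %q", mode)
}

func main() {
	// Constructed sample lists standing in for blocked.txt and direct.txt.
	blocked := parseList("# constructed sample\nbaidu.com\nexample.net\n")
	direct := parseList("corp.internal\n")
	for _, h := range []string{"www.baidu.com", "notbaidu.com:443", "git.corp.internal"} {
		r, err := Decide("intelligent", h, blocked, direct)
		fmt.Println(h, "->", r, err)
	}
}
```

The point of the suffix check with a leading dot is the failure mode in the text's own example: a plain `HasSuffix(host, "baidu.com")` would also match `notbaidu.com` and quietly send unrelated traffic through the parent.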

#### **1.19.view help**
`./proxy help http`

### **2.TCP proxy**

#### **2.1.Common TCP first level proxy**
![2.1](/docs/images/tcp-1.png)
Local execution:
`./proxy tcp -p ":33080" -T tcp -P "192.168.22.33:22" -L 0`
Then accessing local port 33080 is accessing port 22 of 192.168.22.33.

#### **2.2.Common TCP second level proxy**
![2.2](/docs/images/tcp-2.png)
VPS (IP:22.22.22.33) execution:
`./proxy tcp -p ":33080" -T tcp -P "127.0.0.1:8080" -L 0`
Local execution:
`./proxy tcp -p ":23080" -T tcp -P "22.22.22.33:33080"`
Then accessing local port 23080 is accessing port 8080 of 22.22.22.33.

#### **2.3.Common TCP third level proxy**
![2.3](/docs/images/tcp-3.png)
TCP first level proxy VPS_01, IP: 22.22.22.22
`./proxy tcp -p ":38080" -T tcp -P "66.66.66.66:8080" -L 0`
TCP second level proxy VPS_02, IP: 33.33.33.33
`./proxy tcp -p ":28080" -T tcp -P "22.22.22.22:38080"`
TCP third level proxy (local)
`./proxy tcp -p ":8080" -T tcp -P "33.33.33.33:28080"`
Then accessing local port 8080 is accessing port 8080 of 66.66.66.66 through the encrypted TCP tunnel.

#### **2.4.TCP second level encrypted proxy**
![2.4](/docs/images/tcp-tls-2.png)
VPS (IP:22.22.22.33) execution:
`./proxy tcp --tls -p ":33080" -T tcp -P "127.0.0.1:8080" -L 0 -C proxy.crt -K proxy.key`
Local execution:
`./proxy tcp -p ":23080" -T tls -P "22.22.22.33:33080" -C proxy.crt -K proxy.key`
Then accessing local port 23080 is accessing port 8080 of 22.22.22.33 through the encrypted TCP tunnel.

#### **2.5.TCP third level encrypted proxy**
![2.5](/docs/images/tcp-tls-3.png)
TCP first level proxy VPS_01, IP: 22.22.22.22
`./proxy tcp --tls -p ":38080" -T tcp -P "66.66.66.66:8080" -C proxy.crt -K proxy.key`
TCP second level proxy VPS_02, IP: 33.33.33.33
`./proxy tcp --tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
TCP third level proxy (local)
`./proxy tcp -p ":8080" -T tls -P "33.33.33.33:28080" -C proxy.crt -K proxy.key`
Then accessing local port 8080 is accessing port 8080 of 66.66.66.66 through the encrypted TCP tunnel.

#### **2.6.Connect parents proxy through other proxy**
Sometimes the network where proxy runs cannot reach the external network directly and has to use an HTTPS or SOCKS5 proxy to access the Internet. The -J parameter lets proxy connect to the parent proxy through that HTTPS or SOCKS5 proxy when proxy's TCP port is mapped, so an external port can still be mapped to a local one.
-J param format:

https proxy:
proxy needs authentication, username: username, password: password
https://username:password@host:port
proxy does not need authentication
https://host:port

socks5 proxy:
proxy needs authentication, username: username, password: password
socks5://username:password@host:port
proxy does not need authentication
socks5://host:port

host: proxy's domain or IP
port: proxy's port

#### **2.7.view help**
`./proxy help tcp`

### **3.UDP proxy**

#### **3.1.Common UDP first level proxy**
![3.1](/docs/images/udp-1.png)
Local execution:
`./proxy udp -p ":5353" -T udp -P "8.8.8.8:53"`
Then accessing local port UDP:5353 is accessing port UDP:53 of 8.8.8.8.

#### **3.2.Common UDP second level proxy**
![3.2](/docs/images/udp-2.png)
VPS (IP:22.22.22.33) execution:
`./proxy tcp -p ":33080" -T udp -P "8.8.8.8:53"`
Local execution:
`./proxy udp -p ":5353" -T tcp -P "22.22.22.33:33080"`
Then accessing local port UDP:5353 is accessing port UDP:53 of 8.8.8.8 through the TCP tunnel.

#### **3.3.Common UDP third level proxy**
![3.3](/docs/images/udp-3.png)
TCP first level proxy VPS_01, IP: 22.22.22.22
`./proxy tcp -p ":38080" -T udp -P "8.8.8.8:53"`
TCP second level proxy VPS_02, IP: 33.33.33.33
`./proxy tcp -p ":28080" -T tcp -P "22.22.22.22:38080"`
TCP third level proxy (local)
`./proxy udp -p ":5353" -T tcp -P "33.33.33.33:28080"`
Then accessing local port 5353 is accessing port 53 of 8.8.8.8 through the TCP tunnel.

#### **3.4.UDP second level encrypted proxy**
![3.4](/docs/images/udp-tls-2.png)
VPS (IP:22.22.22.33) execution:
`./proxy tcp --tls -p ":33080" -T udp -P "8.8.8.8:53" -C proxy.crt -K proxy.key`
Local execution:
`./proxy udp -p ":5353" -T tls -P "22.22.22.33:33080" -C proxy.crt -K proxy.key`
Then accessing local port UDP:5353 is accessing port UDP:53 of 8.8.8.8 through the encrypted TCP tunnel.

#### **3.5.UDP third level encrypted proxy**
![3.5](/docs/images/udp-tls-3.png)
TCP first level proxy VPS_01, IP: 22.22.22.22
`./proxy tcp --tls -p ":38080" -T udp -P "8.8.8.8:53" -C proxy.crt -K proxy.key`
TCP second level proxy VPS_02, IP: 33.33.33.33
`./proxy tcp --tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
TCP third level proxy (local)
`./proxy udp -p ":5353" -T tls -P "33.33.33.33:28080" -C proxy.crt -K proxy.key`
Then accessing local port UDP:5353 is accessing port UDP:53 of 8.8.8.8 through the encrypted TCP tunnel.

#### **3.6.view help**
`./proxy help udp`

### **4.Nat forward**
#### **4.1、Principle explanation**
Nat forward comes in two versions, the "multi-link version" and the "multiplexed version". For services such as web services that do not keep connections open for long, the "multi-link version" is recommended; if you want to keep long-lived connections, the "multiplexed version" is recommended.
1. Multi-link version: the corresponding subcommands are tserver, tclient, tbridge.
1. Multiplexed version: the corresponding subcommands are server, client, bridge.
1. The parameters and usage of the multi-link version and the multiplexed version are exactly the same.
1. **In the multiplexed version, server and client can enable compressed transmission; the parameter is --c.**
1. **Compression must be enabled on both server and client or on neither; it cannot be enabled on only one side.**

The following tutorial uses the multiplexed version as an example.
Nat forward consists of three parts: the client side, the server side and the bridge side; the client and the server both actively connect to the bridge.
When a user accesses the server side, the process is:
1. The server and the bridge actively establish a link;
1. Then the bridge notifies the client to connect to the bridge and to connect to the intranet target port;
1. Then the client binds its connection to the bridge with its connection to the intranet port;
1. Then the bridge binds the connection from the client with the connection from the server;
1. The entire channel is complete.

#### **4.2.TCP common usage**
Background:
- Company computer A provides a web service on port 80
- There is one VPS whose public IP is 22.22.22.22

Demand:
At home, you can access port 80 of the company's computer by accessing port 28080 of the VPS.

Procedure:
1.
Execute on the VPS
`./proxy bridge -p ":33080" -C proxy.crt -K proxy.key`
`./proxy server -r ":28080@:80" -P "127.0.0.1:33080" -C proxy.crt -K proxy.key`

1. Execute on the company's computer A
`./proxy client -P "22.22.22.22:33080" -C proxy.crt -K proxy.key`

1. Complete

#### **4.3.Local development of WeChat interface**
Background:
- My own computer provides an nginx service on port 80
- There is one VPS whose public IP is 22.22.22.22

Demand:
Fill in the web callback address in the WeChat Development Account configuration as: http://22.22.22.22/calback.php
Then calback.php under port 80 of your computer can be reached. If you need to bind a domain name, you can use your own domain name.
For example: wx-dev.xxx.com resolves to 22.22.22.22, and then the domain name wx-dev.xxx.com is configured to a specific directory in the nginx of your own computer.

Procedure:
1. Execute on the VPS, making sure port 80 of the VPS is not occupied by another program.
`./proxy bridge -p ":33080" -C proxy.crt -K proxy.key`
`./proxy server -r ":80@:80" -P "22.22.22.22:33080" -C proxy.crt -K proxy.key`

1. Execute on your own computer
`./proxy client -P "22.22.22.22:33080" -C proxy.crt -K proxy.key`

1. Complete

#### **4.4.UDP common usage**
Background:
- Company computer A provides DNS resolution on port UDP:53.
- There is one VPS whose public IP is 22.22.22.22.

Demand:
At home, you can use company computer A for domain name resolution by setting your local DNS to 22.22.22.22.

Procedure:
1. Execute on the VPS
`./proxy bridge -p ":33080" -C proxy.crt -K proxy.key`
`./proxy server --udp -r ":53@:53" -P "127.0.0.1:33080" -C proxy.crt -K proxy.key`

1. Execute on the company's computer A
`./proxy client -P "22.22.22.22:33080" -C proxy.crt -K proxy.key`

1.
Complete

#### **4.5.Advanced usage 1**
Background:
- Company computer A provides a web service on port 80
- There is one VPS whose public IP is 22.22.22.22

Demand:
For security, the company's computer A should not be reachable from the VPS itself. At home, you access port 80 of company computer A through the encrypted tunnel by accessing port 28080 of your own computer.

Procedure:
1. Execute on the VPS
`./proxy bridge -p ":33080" -C proxy.crt -K proxy.key`

1. Execute on the company's computer A
`./proxy client -P "22.22.22.22:33080" -C proxy.crt -K proxy.key`

1. Execute on your own computer
`./proxy server -r ":28080@:80" -P "22.22.22.22:33080" -C proxy.crt -K proxy.key`

1. Complete

#### **4.6.Advanced usage 2**
Tips:
If multiple clients connect to the same bridge at the same time, each needs a different key, set with the --k parameter; --k must be a unique string on the same bridge.
When a server connects to the bridge and multiple clients are connected to that bridge at the same time, the server uses the --k parameter to select the client.
Repeating the -r parameter exposes multiple ports; the -r format is "local IP:local port@clientHOST:client port".

Background:
- Company computer A provides a web service on port 80 and an FTP service on port 21
- There is one VPS whose public IP is 22.22.22.22

Demand:
At home, you can access port 80 of the company's computer by accessing port 28080 of the VPS.
At home, you can access port 21 of the company's computer by accessing port 29090 of the VPS.

Procedure:
1. Execute on the VPS
`./proxy bridge -p ":33080" -C proxy.crt -K proxy.key`
`./proxy server -r ":28080@:80" -r ":29090@:21" --k test -P "127.0.0.1:33080" -C proxy.crt -K proxy.key`

1.
Execute on the company's computer A
`./proxy client --k test -P "22.22.22.22:33080" -C proxy.crt -K proxy.key`

1. Complete

#### **4.7.-r parameters of server**
The full format of -r is: `PROTOCOL://LOCAL_IP:LOCAL_PORT@[CLIENT_KEY]CLIENT_LOCAL_HOST:CLIENT_LOCAL_PORT`

4.7.1. PROTOCOL is tcp or udp.
For example: `-r "udp://:10053@:53" -r "tcp://:10800@:1080" -r ":8080@:80"`
If the --udp parameter is specified, PROTOCOL defaults to UDP, so `-r ":8080@:80"` is UDP.
If the --udp parameter is not specified, PROTOCOL defaults to TCP, so `-r ":8080@:80"` is TCP.

4.7.2. CLIENT_KEY defaults to 'default'.
For example: `-r "udp://:10053@[test1]:53" -r "tcp://:10800@[test2]:1080" -r ":8080@:80"`
If the --k parameter is specified, for example --k test, then the CLIENT_KEY of `-r ":8080@:80"` is 'test'.
If the --k parameter is not specified, then the CLIENT_KEY of `-r ":8080@:80"` is 'default'.

4.7.3. An empty LOCAL_IP means `0.0.0.0`; an empty CLIENT_LOCAL_HOST means `127.0.0.1`.

#### **4.8.server and client connect bridge through proxy**
Sometimes the server or the client cannot reach the external network directly and has to use an HTTPS or SOCKS5 proxy to access the Internet. The -J parameter lets the server and the client connect to the bridge through that HTTPS or SOCKS5 proxy.
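As an added example (not goproxy's own parser), the following Go code resolves the two value formats just described: the server's -r specification from 4.7, including the defaults taken from --udp and --k and the empty-host rules, and the -J proxy URL from 2.6 and 4.8, accepting only the https and socks5 schemes and insisting on a port. Error handling on malformed values is the part worth copying: a forward whose port or key is silently defaulted is how a service ends up exposed on the wrong address.

```go
package main

// Added example (not goproxy's code): parsers for the -r forwarding spec
// (PROTOCOL://LOCAL_IP:LOCAL_PORT@[CLIENT_KEY]CLIENT_LOCAL_HOST:CLIENT_LOCAL_PORT)
// and the -J proxy URL (https:// or socks5://, optional user:password@, host:port).

import (
	"fmt"
	"net"
	"net/url"
	"strconv"
	"strings"
)

// Forward is one resolved -r entry.
type Forward struct {
	Proto      string // "tcp" or "udp"
	LocalAddr  string // ip:port the server listens on
	ClientKey  string // which client (--k) serves it
	ClientAddr string // host:port the client connects to on its own side
}

func checkPort(p string) error {
	n, err := strconv.Atoi(p)
	if err != nil || n < 1 || n > 65535 {
		return fmt.Errorf("bad port %q", p)
	}
	return nil
}

// ParseForward applies the 4.7 rules: PROTOCOL defaults to udp when --udp was
// given (udpDefault) and to tcp otherwise; CLIENT_KEY defaults to the --k value
// (key) or "default"; empty LOCAL_IP is 0.0.0.0, empty CLIENT_LOCAL_HOST is 127.0.0.1.
func ParseForward(spec string, udpDefault bool, key string) (Forward, error) {
	proto, rest := "tcp", spec
	if udpDefault {
		proto = "udp"
	}
	if i := strings.Index(rest, "://"); i >= 0 {
		proto, rest = strings.ToLower(rest[:i]), rest[i+3:]
	}
	if proto != "tcp" && proto != "udp" {
		return Forward{}, fmt.Errorf("%q: PROTOCOL must be tcp or udp", spec)
	}
	parts := strings.SplitN(rest, "@", 2)
	if len(parts) != 2 {
		return Forward{}, fmt.Errorf("%q: expected LOCAL@CLIENT", spec)
	}
	local, remote := parts[0], parts[1]
	if key == "" {
		key = "default"
	}
	if strings.HasPrefix(remote, "[") { // [CLIENT_KEY] prefix overrides --k
		end := strings.Index(remote, "]")
		if end < 2 {
			return Forward{}, fmt.Errorf("%q: empty or unterminated [CLIENT_KEY]", spec)
		}
		key, remote = remote[1:end], remote[end+1:]
	}
	lh, lp, err := net.SplitHostPort(local)
	if err != nil {
		return Forward{}, fmt.Errorf("%q: %v", spec, err)
	}
	rh, rp, err := net.SplitHostPort(remote)
	if err != nil {
		return Forward{}, fmt.Errorf("%q: %v", spec, err)
	}
	if err := checkPort(lp); err != nil {
		return Forward{}, err
	}
	if err := checkPort(rp); err != nil {
		return Forward{}, err
	}
	if lh == "" {
		lh = "0.0.0.0"
	}
	if rh == "" {
		rh = "127.0.0.1"
	}
	return Forward{proto, net.JoinHostPort(lh, lp), key, net.JoinHostPort(rh, rp)}, nil
}

// JumpProxy is a validated -J value; Host keeps the host:port form.
type JumpProxy struct {
	Scheme, Host, User, Pass string
}

// ParseJumpProxy accepts only the two schemes the README lists and requires a port.
func ParseJumpProxy(raw string) (JumpProxy, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return JumpProxy{}, err
	}
	if u.Scheme != "https" && u.Scheme != "socks5" {
		return JumpProxy{}, fmt.Errorf("%q: scheme must be https or socks5", raw)
	}
	if u.Hostname() == "" || checkPort(u.Port()) != nil {
		return JumpProxy{}, fmt.Errorf("%q: host:port required", raw)
	}
	j := JumpProxy{Scheme: u.Scheme, Host: u.Host}
	if u.User != nil {
		j.User = u.User.Username()
		j.Pass, _ = u.User.Password()
	}
	return j, nil
}

func main() {
	f, err := ParseForward("udp://:10053@[test1]:53", false, "")
	fmt.Printf("%+v %v\n", f, err)
	j, err := ParseJumpProxy("socks5://username:password@host:1080")
	fmt.Printf("%+v %v\n", j, err)
}
```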
-J param format:

https proxy:
proxy needs authentication, username: username, password: password
https://username:password@host:port
proxy does not need authentication
https://host:port

socks5 proxy:
proxy needs authentication, username: username, password: password
socks5://username:password@host:port
proxy does not need authentication
socks5://host:port

host: proxy's domain or IP
port: proxy's port

#### **4.9.view help**
`./proxy help bridge`
`./proxy help server`
`./proxy help client`

### **5.SOCKS5 proxy**
Tips: the SOCKS5 proxy supports CONNECT and the UDP protocol, does not support BIND, and supports username/password authentication.
#### **5.1.Common SOCKS5 proxy**
`./proxy socks -t tcp -p "0.0.0.0:38080"`

#### **5.2.Common SOCKS5 second level proxy**
![5.2](/docs/images/socks-2.png)
![5.2](/docs/images/5.2.png)
Using local port 8090, and assuming the parent SOCKS5 proxy is `22.22.22.22:8080`:
`./proxy socks -t tcp -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" `
We can also specify blacklist and whitelist files of domain names, one domain name per line. The matching rule is right-hand matching: for example, baidu.com matches *.*.baidu.com. Domain names in the blacklist are accessed through the parent proxy, and domain names in the whitelist are not accessed through the parent proxy.
`./proxy socks -p "0.0.0.0:8090" -T tcp -P "22.22.22.22:8080" -b blocked.txt -d direct.txt`

#### **5.3.SOCKS second level encrypted proxy**
![5.3](/docs/images/socks-tls-2.png)
SOCKS5 first level proxy (VPS, IP: 22.22.22.22)
`./proxy socks -t tls -p ":38080" -C proxy.crt -K proxy.key`

SOCKS5 second level proxy (local Linux)
`./proxy socks -t tcp -p ":8080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
Then accessing local port 8080 is accessing proxy port 38080 on the VPS.

SOCKS5 second level proxy (local Windows)
`./proxy.exe socks -t tcp -p ":8080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
Then configure Windows so that the programs that should go through proxy use a SOCKS5 proxy at address 127.0.0.1, port 8080; those programs then reach the Internet through the encrypted channel to the VPS.

#### **5.4.SOCKS third level encrypted proxy**
![5.4](/docs/images/socks-tls-3.png)
SOCKS5 first level proxy VPS_01, IP: 22.22.22.22
`./proxy socks -t tls -p ":38080" -C proxy.crt -K proxy.key`
SOCKS5 second level proxy VPS_02, IP: 33.33.33.33
`./proxy socks -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`
SOCKS5 third level proxy (local)
`./proxy socks -t tcp -p ":8080" -T tls -P "33.33.33.33:28080" -C proxy.crt -K proxy.key`
Then accessing local port 8080 is accessing proxy port 38080 on the SOCKS5 first level proxy.

#### **5.5.SOCKS proxy traffic force to go to parent socks proxy**
By default, proxy judges intelligently whether a domain name can be accessed directly; if it cannot, the traffic goes to the parent SOCKS proxy. With the --always parameter, all SOCKS proxy traffic is forced to the parent SOCKS proxy.
`./proxy socks --always -t tls -p ":28080" -T tls -P "22.22.22.22:38080" -C proxy.crt -K proxy.key`

#### **5.6.Transfer through SSH**
![5.6](/docs/images/socks-ssh.png)
Explanation: SSH transfer uses SSH's port forwarding function; after connecting to the SSH server, the target address is accessed through it.
Suppose there is a VPS:
- IP is 2.2.2.2, SSH port is 22, SSH username is user, SSH password is Demo
- The SSH private key file of the user is user.key

##### ***5.6.1.The way of username and password***
Local SOCKS5 proxy on port 28080, execute:
`./proxy socks -T ssh -P "2.2.2.2:22" -u user -A demo -t tcp -p ":28080"`
##### ***5.6.2.The way of username and key***
Local SOCKS5 proxy on port 28080, execute:
`./proxy socks -T ssh -P "2.2.2.2:22" -u user -S user.key -t tcp -p ":28080"`

Then accessing local port 28080 is accessing the target address through the VPS.

#### **5.7.Authentication**
The SOCKS5 proxy protocol supports username and password authentication, and the username and password can be specified on the command line.
`./proxy socks -t tcp -p ":33080" -a "user1:pass1" -a "user2:pass2"`
If you need multiple users, repeat the -a parameter.
Users can also be placed in a file, one 'username:password' per line, which is then specified with -F.
`./proxy socks -t tcp -p ":33080" -F auth-file.txt`

In addition, the SOCKS5 proxy integrates external HTTP API authentication: an HTTP URL can be specified through the --auth-url parameter.
When a user connects, proxy requests this URL with GET and the following three parameters; if the response HTTP status code is 204, authentication succeeds.
In all other cases, authentication fails.
For example:
`./proxy socks -t tcp -p ":33080" --auth-url "http://test.com/auth.php"`
When a user connects, proxy requests this URL ("http://test.com/auth.php") with GET
and three parameters, user, pass and ip:
http://test.com/auth.php?user={USER}&pass={PASS}&ip={IP}
user: username
pass: password
ip: the user's IP, for example 192.168.1.200

If none of the -a, -F or --auth-url parameters is given, authentication is turned off.

#### **5.8.KCP protocol transmission**
The KCP protocol requires the --kcp-key parameter, which sets the password used to encrypt and decrypt data.

SOCKS5 first level proxy (VPS, IP: 22.22.22.22)
`./proxy socks -t kcp -p ":38080" --kcp-key mypassword`

SOCKS5 second level proxy (local OS is Linux)
`./proxy socks -t tcp -p ":8080" -T kcp -P "22.22.22.22:38080" --kcp-key mypassword`
Then accessing local port 8080 is accessing proxy port 38080 on the VPS, and the data is transmitted through the KCP protocol.

#### **5.9.Custom DNS**
The --dns-address and --dns-ttl parameters specify the DNS server (--dns-address) that proxy uses when it resolves a domain, and the cache time of DNS results (--dns-ttl) in seconds. This avoids interference from the system DNS, and the cache reduces resolution time and speeds up access.
For example:
`./proxy socks -p ":33080" --dns-address "8.8.8.8:53" --dns-ttl 300`

#### **5.10.Custom encryption**
The SOCKS5 proxy can encrypt TCP data with standard TLS encryption and with KCP protocol encryption; in addition it supports custom encryption on top of TLS and KCP, that is, custom encryption can be combined with tls|kcp. The built-in encryption is AES-256 and only needs a password that you define yourself. Encryption is divided into two parts: whether the local side (-z) encrypts and decrypts, and whether the parent side (-Z) encrypts and decrypts.
Custom encryption requires both ends to be proxy.
Below, a two-level example and a three-level example:

**two level example**
First level VPS (ip:2.2.2.2) execution:
`proxy socks -t tcp -z demo_password -p :7777`
Local second level execution:
`proxy socks -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -p :8080`
In this way, when you visit a website through the local proxy on port 8080, the target website is reached through encrypted transmission with the parent proxy.

**three level example**
First level VPS (ip:2.2.2.2) execution:
`proxy socks -t tcp -z demo_password -p :7777`
Second level VPS (ip:2.2.2.2) execution:
`proxy socks -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888`
Local third level execution:
`proxy socks -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080`
In this way, when you visit a website through the local proxy on port 8080, the target website is reached through encrypted transmission with the parent proxies.

#### **5.11.Compressed transmission**
The SOCKS5 proxy can encrypt TCP data with standard TLS encryption and with KCP protocol encryption, and it can also compress the data before custom encryption.
That is, compression, custom encryption and tls|kcp can be used together. Compression is divided into two parts: whether the local side (-m) uses compressed transmission, and whether the parent side (-M) uses compressed transmission.
Compression requires both ends to be proxy. Compression also protects the (encrypted) data to a certain extent. Below, a two-level example and a three-level example:

**two level example**
First level VPS (ip:2.2.2.2) execution:
`proxy socks -t tcp -m -p :7777`
Local second level execution:
`proxy socks -T tcp -P 2.2.2.2:7777 -M -t tcp -p :8080`
In this way, when you visit a website through the local proxy on port 8080, the target website is reached through compressed transmission with the parent proxy.

**three level example**
First level VPS (ip:2.2.2.2) execution:
`proxy socks -t tcp -m -p :7777`
Second level VPS (ip:3.3.3.3) execution:
`proxy socks -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888`
Local third level execution:
`proxy socks -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080`
In this way, when you visit a website through the local proxy on port 8080, the target website is reached through compressed transmission with the parent proxies.

#### **5.12 Load balance**
The SOCKS proxy supports load balancing across parent proxies; repeat the -P parameter once per parent.
`proxy socks --lb-method=hash -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080 -p :33080 -t tcp`

#### **5.12.1 Set retry interval and timeout time**
`proxy socks --lb-method=leastconn --lb-retrytime 300 --lb-timeout 300 -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080 -p :33080 -t tcp`

#### **5.12.2 Set weight**
`proxy socks --lb-method=weight -T tcp -P 1.1.1.1:33080@1 -P 2.1.1.1:33080@2 -P 3.1.1.1:33080@1 -p :33080 -t tcp`

#### **5.12.3 Use target address to select parent proxy**
`proxy socks --lb-hashtarget --lb-method=leasttime -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080 -p :33080 -t tcp`

#### **5.13 Speed limit**
The speed limit, here 100K, is specified through the `-l` parameter; values such as 100K or 1.5M are accepted, and 0 means unlimited.
`proxy socks -t tcp -p 2.2.2.2:33080 -l 100K`

#### **5.14 Designated exporting IP**
The `--bind-listen` parameter makes proxy connect to the target site from the IP on which the client's connection arrived, that is, the entry IP is used as the exporting IP. If the entry IP is an intranet IP, the exporting IP will not use the entry IP.
`proxy socks -t tcp -p 2.2.2.2:33080 --bind-listen`

#### **5.15 Cascade authentication**
SOCKS5 supports cascading authentication; -A sets the authentication information for the parent proxy.
Parent proxy:
`proxy socks -t tcp -p 2.2.2.2:33080 -a user:pass`
Localhost:
`proxy socks -T tcp -P 2.2.2.2:33080 -A user:pass -t tcp -p :33080`

#### **5.16 Certificate parameters using Base64 data**
By default, the -C and -K parameters are the paths of the CRT certificate and key files.
If a value begins with base64://, the data after it is treated as Base64 encoded and is used after decoding.

#### **5.17 Intelligent mode**
The intelligent mode setting can be one of intelligent|direct|parent.
Default: intelligent.
The meaning of each value is as follows:
`--intelligent=direct`: targets that are not in the blocked list are connected directly.
`--intelligent=parent`: targets that are not in the direct list are connected through the parent proxy.
`--intelligent=intelligent`: for targets that are in neither the direct list nor the blocked list, proxy judges intelligently whether to connect through the parent proxy.

#### **5.18.view help**
`./proxy help socks`

### **6.Proxy protocol conversion**

#### **6.1.Functional introduction**
Proxy protocol conversion uses the SPS subcommand. SPS itself does not provide a proxy function; it only accepts proxy requests, converts the protocol and forwards them to an existing HTTP(S) or SOCKS5 proxy. SPS can turn an existing HTTP(S) or SOCKS5 proxy into one port that serves HTTP(S) and SOCKS5 at the same time; the converted proxy supports forward and reverse proxy (SNI), and the converted SOCKS5 proxy also supports UDP when the parent is SOCKS5. In addition, the connection to the existing HTTP or SOCKS5 proxy supports three modes, TLS, TCP and KCP, and chain-style connection, that is, multiple SPS nodes can be connected to build an encrypted channel.

#### **6.2.HTTP(S) to HTTP(S) + SOCKS5**
Suppose there is a common HTTP(S) proxy: 127.0.0.1:8080. Now we turn it into a common proxy that supports HTTP(S), SOCKS5 and ss at the same time. The local port after conversion is 18080. The ss encryption method is aes-192-cfb and its password is pass.
Command:
`./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p :18080 -h aes-192-cfb -j pass`

Suppose there is a TLS HTTP(S) proxy: 127.0.0.1:8080. Now we turn it into a common proxy that supports HTTP(S), SOCKS5 and ss at the same time. The local port after conversion is 18080; TLS needs the certificate files. The ss encryption method is aes-192-cfb and its password is pass.
Command:
`./proxy sps -S http -T tls -P 127.0.0.1:8080 -t tcp -p :18080 -C proxy.crt -K proxy.key -h aes-192-cfb -j pass`

Suppose there is a KCP HTTP(S) proxy (password: demo123): 127.0.0.1:8080. Now we turn it into a common proxy that supports HTTP(S), SOCKS5 and ss at the same time. The local port after conversion is 18080. The ss encryption method is aes-192-cfb and its password is pass.
Command:
`./proxy sps -S http -T kcp -P 127.0.0.1:8080 -t tcp -p :18080 --kcp-key demo123 -h aes-192-cfb -j pass`

#### **6.3.SOCKS5 to HTTP(S) + SOCKS5**
Suppose there is a common SOCKS5 proxy: 127.0.0.1:8080. Now we turn it into a common proxy that supports HTTP(S), SOCKS5 and ss at the same time. The local port after conversion is 18080. The ss encryption method is aes-192-cfb and its password is pass.
Command:
`./proxy sps -S socks -T tcp -P 127.0.0.1:8080 -t tcp -p :18080 -h aes-192-cfb -j pass`

Suppose there is a TLS SOCKS5 proxy: 127.0.0.1:8080. Now we turn it into a common proxy that supports HTTP(S), SOCKS5 and ss at the same time. The local port after conversion is 18080; TLS needs the certificate files. The ss encryption method is aes-192-cfb and its password is pass.
Command:
`./proxy sps -S socks -T tls -P 127.0.0.1:8080 -t tcp -p :18080 -C proxy.crt -K proxy.key -h aes-192-cfb -j pass`

Suppose there is a KCP SOCKS5 proxy (password: demo123): 127.0.0.1:8080. Now we turn it into a common proxy that supports HTTP(S), SOCKS5 and ss at the same time. The local port after conversion is 18080. The ss encryption method is aes-192-cfb and its password is pass.
Command:
`./proxy sps -S socks -T kcp -P 127.0.0.1:8080 -t tcp -p :18080 --kcp-key demo123 -h aes-192-cfb -j pass`

#### **6.4 SS to HTTP(S)+SOCKS5+SS**
SPS supports the SS protocol on the local side, and the parent proxy can be SPS or a standard SS service.
By default, SPS provides three proxies, HTTP(S), SOCKS5 and SS; the converted SOCKS5 and SS support UDP when the parent proxy is SOCKS5.
Suppose there is an ordinary SS or SPS proxy (with SS enabled, encryption: aes-256-cfb, password: Demo): 127.0.0.1:8080. Now we turn it into a common proxy that supports HTTP(S), SOCKS5 and ss at the same time. The local port after conversion is 18080, the converted ss encryption method is aes-192-cfb and the ss password is pass.
Command:
`./proxy sps -S ss -H aes-256-cfb -J pass -T tcp -P 127.0.0.1:8080 -t tcp -p :18080 -h aes-192-cfb -j pass`

#### **6.5.Chain style connection**
![6.4](/docs/images/sps-tls.png)
It was mentioned above that multiple SPS nodes can be connected to build an encrypted channel. Assume you have the following VPSs and a PC:
vps01: 2.2.2.2
vps02: 3.3.3.3
Now we want to use the PC, vps01 and vps02 to build an encrypted channel. In this example TLS is used; KCP also supports encryption in addition to TLS. Accessing local port 18080 on the PC will then be accessing local port 8080 on vps01.
First, on vps01 (2.2.2.2), run an HTTP(S) proxy that can only be accessed locally; execute:
`./proxy http -t tcp -p 127.0.0.1:8080`

Then run an SPS node on vps01 (2.2.2.2); execute:
`./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tls -p :8081 -C proxy.crt -K proxy.key`

Then run an SPS node on vps02 (3.3.3.3); execute:
`./proxy sps -S http -T tls -P 2.2.2.2:8081 -t tls -p :8082 -C proxy.crt -K proxy.key`

Then run an SPS node on the PC; execute:
`./proxy sps -S http -T tls -P 3.3.3.3:8082 -t tcp -p :18080 -C proxy.crt -K proxy.key`

Finished.

#### **6.6.Listening on multiple ports**
In general, listening on one port is enough, but if you need to listen on ports 80 and 443 at the same time as a reverse proxy, the -p parameter supports it.
The format is: `-p 0.0.0.0:80,0.0.0.0:443`; multiple bindings are separated by commas.

#### **6.7.Authentication**
SPS supports HTTP(S)/SOCKS5 proxy authentication, and authentication can be cascaded. There are four important pieces of information:
1: The authentication information the user sends: `user-auth`.
2: The local authentication information that is configured: `local-auth`.
3: The configured authentication information for accessing the parent proxy: `parent-auth`.
4: The authentication information finally sent to the parent proxy: `auth-info-to-parent`.
The relationship between them is as follows:

| user-auth | local-auth | parent-auth | auth-info-to-parent |
| ------ | ------ | ------ | ------ |
| yes/no | yes | yes | comes from parent-auth |
| yes/no | no | yes | comes from parent-auth |
| yes/no | yes | no | no |
| no | no | no | no |
| yes | no | no | comes from user-auth |

For the SPS proxy we can use username and password authentication, and the username and password can be specified on the command line:
`./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p ":33080" -a "user1:pass1" -a "user2:pass2"`
If there are multiple
users, repeat the -a parameters. 1069 It can also be placed in a file, which is a line to a username: password, and then specified in -F parameter. 1070 `./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p ":33080" -F auth-file.txt` 1071 1072 If the father proxy is authenticated, the lower level can set the authentication information through the -A parameters, such as: 1073 father proxy:`./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p ":33080" -a "user1:pass1" -a "user2:pass2"` 1074 local proxy:`./proxy sps -S http -T tcp -P 127.0.0.1:8080 -A "user1:pass1" -t tcp -p ":33080" ` 1075 1076 In addition, SPS proxy, local authentication is integrated with external HTTP API authentication, and we can specify a HTTP URL interface address through the --auth-url parameter, 1077 Then, when there is a user connection, proxy will request this URL by GET way, with the following four parameters, and if the HTTP state code 204 is returned, the authentication is successful. 1078 Other cases consider authentication failure. 1079 for example: 1080 `./proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p ":33080" --auth-url "http://test.com/auth.php"` 1081 When the user is connected, proxy will request this URL by GET way("http://test.com/auth.php"), 1082 Four parameters with user, pass, IP, and target: 1083 http://test.com/auth.php?user={USER}&pass={PASS}&ip={IP}&target={TARGET} 1084 user:username 1085 pass:password 1086 ip:user's ip,for example:192.168.1.200 1087 target: if the client is the HTTP (s) proxy request, this represents the complete URL of the request, and the other cases are empty. 1088 1089 If there is no -a or -F or --auth-url parameters, local authentication is closed. 1090 If there is no -A parameter, the connection to the father proxy does not use authentication. 
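The two configurable parts of SPS authentication, the `--auth-url` decision endpoint described above and the per-parent credential spec `YTpi#2.2.2.2:33080@1` explained under "Setting up separate authentication information" below, as one added Go example written for this page (not code from the goproxy project). The endpoint answers 204 only when the password matches in constant time and the requested target is not on a blocked list, so the `target` parameter actually buys something; the `Parent` type encodes and parses the `[base64(auth)#]host:port[@weight]` form, including the cases where `#` or `@weight` is omitted. The credentials, the blocked host `internal.example`, the listen address `127.0.0.1:8000` and the rule that weights are positive integers are assumptions of the example; pointing the proxy at it would be `--auth-url "http://127.0.0.1:8000/auth.php"`.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/url"
	"strconv"
	"strings"
)

// Constructed data for this example; a real deployment would load both from a store.
var (
	users        = map[string]string{"user1": "pass1", "user2": "pass2"}
	blockedHosts = []string{"internal.example"}
)

// targetHost extracts the host from the target parameter: a full URL for plain
// HTTP requests, host:port for CONNECT, empty for SOCKS5.
func targetHost(target string) string {
	if u, err := url.Parse(target); err == nil && u.Host != "" {
		return u.Hostname()
	}
	if h, _, err := net.SplitHostPort(target); err == nil {
		return h
	}
	return target
}

// authorize returns the status goproxy expects from --auth-url: 204 allows the
// connection, anything else denies it.
func authorize(user, pass, ip, target string) int {
	want, known := users[user]
	// Compare digests: constant time for any length, same path for unknown users.
	hw, hp := sha256.Sum256([]byte(want)), sha256.Sum256([]byte(pass))
	if !known || subtle.ConstantTimeCompare(hw[:], hp[:]) != 1 {
		return http.StatusUnauthorized
	}
	h := targetHost(target)
	for _, b := range blockedHosts {
		if h == b || strings.HasSuffix(h, "."+b) {
			return http.StatusForbidden
		}
	}
	return http.StatusNoContent
}

// authHandler serves GET /auth.php?user=&pass=&ip=&target=; the password is kept out of the log.
func authHandler(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	code := authorize(q.Get("user"), q.Get("pass"), q.Get("ip"), q.Get("target"))
	log.Printf("auth user=%q ip=%q target=%q -> %d", q.Get("user"), q.Get("ip"), q.Get("target"), code)
	w.WriteHeader(code)
}

// Parent is one upstream in the -P form [base64(auth)#]host:port[@weight].
type Parent struct {
	Auth   string // "user:pass" (http/socks) or "method:password" (ss); "" if none
	Addr   string // host:port
	Weight int    // 0 when omitted
}

// Encode renders the spec. Base64 hides nothing; the command line still carries the secret.
func (p Parent) Encode() string {
	s := p.Addr
	if p.Auth != "" {
		s = base64.StdEncoding.EncodeToString([]byte(p.Auth)) + "#" + s
	}
	if p.Weight > 0 {
		s += "@" + strconv.Itoa(p.Weight)
	}
	return s
}

// ParseParent is the inverse of Encode and rejects malformed specs.
func ParseParent(spec string) (p Parent, err error) {
	if i := strings.IndexByte(spec, '#'); i >= 0 {
		raw, e := base64.StdEncoding.DecodeString(spec[:i])
		if e != nil {
			return p, fmt.Errorf("bad auth base64: %w", e)
		}
		p.Auth, spec = string(raw), spec[i+1:]
	}
	if i := strings.LastIndexByte(spec, '@'); i >= 0 {
		w, e := strconv.Atoi(spec[i+1:])
		if e != nil || w < 1 { // weights are assumed to be positive integers
			return p, fmt.Errorf("bad weight %q", spec[i+1:])
		}
		p.Weight, spec = w, spec[:i]
	}
	if _, _, err = net.SplitHostPort(spec); err != nil {
		return p, fmt.Errorf("bad parent address: %w", err)
	}
	p.Addr = spec
	return p, nil
}

func main() {
	http.HandleFunc("/auth.php", authHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8000", nil)) // assumed listen address
}
```

The digest comparison deliberately hashes both sides before `subtle.ConstantTimeCompare`, because that function returns early on a length mismatch; hashing removes the length difference and keeps the unknown-user path the same as the wrong-password path.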
**Setting up separate authentication information**

If there are several different parent proxies, whether their passwords are the same or not, authentication information can be set for each parent proxy individually.
At the same time, global authentication information can be set with the `-A` parameter; a parent proxy that has no authentication information of its own uses the global one.
The authentication information is written together with the parent proxy address.

Format: `YTpi#2.2.2.2:33080@1`

Explanation:

- `YTpi` is the authentication information encoded in Base64. For HTTP(S)/SOCKS the original authentication information is `a:b` (user `a`, password `b`), which is `YTpi` after Base64 encoding. For ss, the part before the colon is the encryption method and the part after it is the password, for example `aes-192-cfb:your_pass`, which is `YWVzLTE5Mi1jZmI6eW91cl9wYXNz` after Base64 encoding.
- `#` is the separator. If there is authentication information the `#` is required; if there is none, the `#` can be omitted.
- `2.2.2.2:33080` is the parent proxy's address.
- `@1` is the weight; it can be omitted if not needed. Detailed instructions can be found in the manual under ***weights***.

Base64 is an encoding, not encryption: anyone who can read the command line (for example from the process list) can recover the credentials from the spec.

#### **6.8 Custom encryption**

An HTTP(S) proxy can encrypt TCP data with standard TLS encryption and with KCP protocol encryption, and in addition it supports custom encryption on top of TLS and KCP; that is, custom encryption and tls|kcp can be combined. Internally AES256 is used, and you only need to define a password yourself. Encryption is divided into two parts: whether the local side (`-z`) encrypts and decrypts, and whether the parent side (`-Z`) encrypts and decrypts.
Custom encryption requires that both ends run proxy. The password is a shared secret: choose a long random value and distribute it out of band, because anyone who knows it can decrypt that hop.
Below we use a two-level and a three-level example.
Suppose there is already an HTTP(S) proxy: `6.6.6.6:6666`

**two level example**

First level VPS (ip: 2.2.2.2) executes:
`proxy sps -S http -T tcp -P 6.6.6.6:6666 -t tcp -z demo_password -p :7777`
Local second level executes:
`proxy sps -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -p :8080`
In this way, when you visit a website through the local proxy on 8080, the traffic to the parent proxy is encrypted.

**three level example**

First level VPS (ip: 2.2.2.2) executes:
`proxy sps -S http -T tcp -P 6.6.6.6:6666 -t tcp -z demo_password -p :7777`
Second level VPS (ip: 3.3.3.3) executes:
`proxy sps -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888`
Local third level executes:
`proxy sps -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080`
In this way, when you visit a website through the local proxy on 8080, each hop to a parent proxy is encrypted.

#### **6.9 Compressed transmission**

An HTTP(S) proxy can encrypt TCP data with standard TLS encryption and KCP protocol encryption, and can also compress the data before custom encryption.
That is, compression, custom encryption and tls|kcp can be used together. Compression is divided into two parts: whether the local side (`-m`) compresses the transmission, and whether the parent side (`-M`) compresses the transmission.
Compression requires that both ends run proxy. Compression makes the stream unreadable to a casual observer, but it is not encryption: use `-z`/`-Z`, TLS or KCP if confidentiality is needed.
Below we use a two-level and a three-level example.

**two level example**

First level VPS (ip: 2.2.2.2) executes:
`proxy sps -t tcp -m -p :7777`
Local second level executes:
`proxy sps -T tcp -P 2.2.2.2:7777 -M -t tcp -p :8080`
In this way, when you visit a website through the local proxy on 8080, the traffic to the parent proxy is compressed.

**three level example**

First level VPS (ip: 2.2.2.2) executes:
`proxy sps -t tcp -m -p :7777`
Second level VPS (ip: 3.3.3.3) executes:
`proxy sps -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888`
Local third level executes:
`proxy sps -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080`
In this way, when you visit a website through the local proxy on 8080, each hop to a parent proxy is compressed.

#### **6.10 Disable protocol**

By default, an SPS port supports two proxy protocols, HTTP(S) and SOCKS5, and either can be disabled with a parameter.
For example:

1. Disable the HTTP(S) proxy, keeping only the SOCKS5 proxy, with the parameter `--disable-http`:
`proxy sps -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080 --disable-http`
2. Disable the SOCKS5 proxy, keeping only the HTTP(S) proxy, with the parameter `--disable-socks`:
`proxy sps -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080 --disable-socks`

#### **6.11 Speed limit**

Suppose there is a SOCKS5 parent proxy:
`proxy socks -p 2.2.2.2:33080 -z password -t tcp`
An SPS lower level with a speed limit of 100K:
`proxy sps -S socks -P 2.2.2.2:33080 -T tcp -Z password -l 100K -t tcp -p :33080`
The limit is specified with the `-l` parameter, for example 100K or 1.5M; 0 means unlimited.

#### **6.12 Designated exporting IP**

The `--bind-listen` parameter makes proxy connect to the target site from the IP the client connected to, so the entry IP is used as the exporting IP.
If the entry IP is an intranet IP, it will not be used as the exporting IP.
`proxy sps -S socks -P 2.2.2.2:33080 -T tcp -Z password -l 100K -t tcp --bind-listen -p :33080`

#### **6.13 Certificate parameters using Base64 data**

By default, the `-C` and `-K` parameters are the paths of the certificate (CRT) and key files.
If the value starts with `base64://`, the data after the prefix is treated as Base64-encoded certificate or key data and is used after decoding.
Passing the private key this way puts it on the command line, where it is visible in the process list and shell history; on shared hosts prefer a key file with restrictive permissions.

#### **6.14.view help**

`./proxy help sps`

### **7.KCP Configuration**

#### **7.1.Configuration introduction**

Many functions of proxy support the KCP protocol, and every function that can use KCP accepts the configuration parameters introduced here,
so the KCP configuration parameters are described in one place.

#### **7.2.Configuration details**

There are 17 KCP configuration parameters. You do not have to set them; they all have default values. For the best results,
you need to tune the parameters to your own network conditions. Because KCP configuration is complex, some basic networking knowledge is required;
if you want a more detailed explanation of the KCP parameters, search for it yourself.
The command line name, default value and a short description of each parameter are as follows:

```
--kcp-key="secrect"        pre-shared secret between client and server
--kcp-method="aes"         encrypt/decrypt method, can be: aes, aes-128, aes-192, salsa20, blowfish,
                           twofish, cast5, 3des, tea, xtea, xor, sm4, none
--kcp-mode="fast"          profiles: fast3, fast2, fast, normal, manual
--kcp-mtu=1350             set maximum transmission unit for UDP packets
--kcp-sndwnd=1024          set send window size (number of packets)
--kcp-rcvwnd=1024          set receive window size (number of packets)
--kcp-ds=10                set reed-solomon erasure coding - datashard
--kcp-ps=3                 set reed-solomon erasure coding - parityshard
--kcp-dscp=0               set DSCP (6 bit)
--kcp-nocomp               disable compression
--kcp-acknodelay           be careful! flush ack immediately when a packet is received
--kcp-nodelay=0            be careful!
--kcp-interval=50          be careful!
--kcp-resend=0             be careful!
--kcp-nc=0                 be careful! no congestion
--kcp-sockbuf=4194304      be careful!
--kcp-keepalive=10         be careful!
```

The default `--kcp-key` is the same for every installation and is printed above, so KCP encryption with the default key protects nothing: always set your own long random `--kcp-key` on both ends, and avoid `--kcp-method=none`, which turns encryption off.

### **8.DNS anti pollution server**

#### **8.1.Introduction**

DNS is well known as a service that uses UDP port 53, but as networks have developed, some well-known DNS servers, such as Google's 8.8.8.8, also answer DNS queries over TCP. Proxy's DNS anti-pollution server works by starting a local DNS proxy server that sends its DNS queries over TCP through the parent proxy. If the communication with the parent proxy is encrypted, the queries and answers cannot be tampered with on the path between you and the parent, so you get secure, pollution-free DNS resolution. The answers are still only as trustworthy as the parent proxy and the upstream resolver it reaches.

#### **8.2.Use examples**

***8.2.1 common HTTP(S) parent proxy***

Suppose there is a parent proxy: 2.2.2.2:33080
Local execution:
`proxy dns -S http -T tcp -P 2.2.2.2:33080 -p :53`
Then the local UDP port 53 provides DNS resolution.
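Section 8.1 rests on one detail: a DNS message over TCP is the same message as over UDP, prefixed with a two-byte big-endian length (RFC 1035 section 4.2.2), which is why a TCP-capable resolver can be reached through any TCP parent proxy. The Go program below is an added example written for this page, not code from the goproxy project. It builds a framed A query and parses a framed reply while checking what a resolver client must check before trusting an answer: the length prefix against the bytes actually received, the transaction id, the response flag and the rcode. `sampleResponse` is a constructed reply (name example.com, address 192.0.2.1 from the documentation range) so that the program runs offline; on a live connection you would write the query bytes to the TCP stream and read two length bytes followed by that many bytes before handing them to `parseTCPResponse`.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

// frame prepends the two-byte big-endian length that DNS over TCP requires.
func frame(msg []byte) []byte {
	out := make([]byte, 2+len(msg))
	binary.BigEndian.PutUint16(out, uint16(len(msg)))
	copy(out[2:], msg)
	return out
}

// buildTCPQuery returns a framed A/IN query for name with transaction id id.
func buildTCPQuery(id uint16, name string) []byte {
	msg := make([]byte, 12) // header: ID, flags, QD/AN/NS/AR counts
	binary.BigEndian.PutUint16(msg[0:], id)
	binary.BigEndian.PutUint16(msg[2:], 0x0100) // flags: RD=1
	binary.BigEndian.PutUint16(msg[4:], 1)      // QDCOUNT=1
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0)          // root label terminates the name
	msg = append(msg, 0, 1, 0, 1) // QTYPE=A, QCLASS=IN
	return frame(msg)
}

// skipName advances past a possibly compressed name starting at off.
func skipName(msg []byte, off int) (int, error) {
	for off < len(msg) {
		switch l := int(msg[off]); {
		case l == 0:
			return off + 1, nil
		case l&0xC0 == 0xC0: // compression pointer, always two bytes
			return off + 2, nil
		default:
			off += 1 + l
		}
	}
	return 0, errors.New("truncated name")
}

// parseTCPResponse strips the length prefix, verifies that reply answers the
// query with the given id, and returns the IPv4 addresses from its A records.
func parseTCPResponse(id uint16, reply []byte) (ips []net.IP, err error) {
	if len(reply) < 14 || len(reply) < 2+int(binary.BigEndian.Uint16(reply)) {
		return nil, errors.New("short or truncated frame")
	}
	msg := reply[2 : 2+int(binary.BigEndian.Uint16(reply))]
	switch {
	case binary.BigEndian.Uint16(msg) != id:
		return nil, errors.New("transaction id mismatch")
	case msg[2]&0x80 == 0:
		return nil, errors.New("not a response")
	case msg[3]&0x0F != 0:
		return nil, fmt.Errorf("server returned rcode %d", msg[3]&0x0F)
	}
	qd, an := int(binary.BigEndian.Uint16(msg[4:])), int(binary.BigEndian.Uint16(msg[6:]))
	off := 12
	for i := 0; i < qd; i++ { // skip the echoed question section
		if off, err = skipName(msg, off); err != nil {
			return nil, err
		}
		off += 4 // QTYPE + QCLASS
	}
	for i := 0; i < an; i++ {
		if off, err = skipName(msg, off); err != nil {
			return nil, err
		}
		if off+10 > len(msg) {
			return nil, errors.New("truncated resource record")
		}
		typ, rdlen := binary.BigEndian.Uint16(msg[off:]), int(binary.BigEndian.Uint16(msg[off+8:]))
		if off += 10; off+rdlen > len(msg) {
			return nil, errors.New("truncated rdata")
		}
		if typ == 1 && rdlen == 4 {
			ips = append(ips, net.IPv4(msg[off], msg[off+1], msg[off+2], msg[off+3]))
		}
		off += rdlen
	}
	return ips, nil
}

// sampleResponse is a constructed reply to the example.com query: one A record
// for 192.0.2.1 whose owner name is a compression pointer to the question.
func sampleResponse(id uint16) []byte {
	msg := buildTCPQuery(id, "example.com")[2:]
	msg[2], msg[3] = 0x81, 0x80 // QR=1, RD=1, RA=1, RCODE=0
	msg[7] = 1                  // ANCOUNT=1
	rr := []byte{0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0x0E, 0x10, 0, 4, 192, 0, 2, 1}
	return frame(append(msg, rr...))
}

func main() {
	ips, err := parseTCPResponse(0x1234, sampleResponse(0x1234))
	fmt.Println(ips, err)
}
```

The transaction id check is the one that matters most here: a resolver client that accepts any reply on the stream can be fed an answer for a query it never sent, which is exactly the class of pollution the section is about.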
***8.2.2 common SOCKS5 parent proxy***

Suppose there is a parent proxy: 2.2.2.2:33080
Local execution:
`proxy dns -S socks -T tcp -P 2.2.2.2:33080 -p :53`
Then the local UDP port 53 provides DNS resolution.

***8.2.3 TLS encrypted HTTP(S) parent proxy***

Suppose there is a parent proxy: 2.2.2.2:33080
Command executed on the parent proxy:
`proxy http -t tls -C proxy.crt -K proxy.key -p :33080`
Local execution:
`proxy dns -S http -T tls -P 2.2.2.2:33080 -C proxy.crt -K proxy.key -p :53`
Then the local UDP port 53 provides secure, pollution-free DNS resolution.

***8.2.4 TLS encrypted SOCKS5 parent proxy***

Suppose there is a parent proxy: 2.2.2.2:33080
Command executed on the parent proxy:
`proxy socks -t tls -C proxy.crt -K proxy.key -p :33080`
Local execution:
`proxy dns -S socks -T tls -P 2.2.2.2:33080 -C proxy.crt -K proxy.key -p :53`
Then the local UDP port 53 provides secure, pollution-free DNS resolution.

***8.2.5 KCP encrypted HTTP(S) parent proxy***

Suppose there is a parent proxy: 2.2.2.2:33080
Command executed on the parent proxy:
`proxy http -t kcp -p :33080`
Local execution:
`proxy dns -S http -T kcp -P 2.2.2.2:33080 -p :53`
Then the local UDP port 53 provides secure, pollution-free DNS resolution.

***8.2.6 KCP encrypted SOCKS5 parent proxy***

Suppose there is a parent proxy: 2.2.2.2:33080
Command executed on the parent proxy:
`proxy socks -t kcp -p :33080`
Local execution:
`proxy dns -S socks -T kcp -P 2.2.2.2:33080 -p :53`
Then the local UDP port 53 provides secure, pollution-free DNS resolution.

For the KCP examples, pass the same non-default `--kcp-key` on both ends (see section 7.2); with the default key the KCP transport is not confidential.
***8.2.7 Custom encrypted HTTP(S) parent proxy***

Suppose there is a parent proxy: 2.2.2.2:33080
Command executed on the parent proxy:
`proxy http -t tcp -p :33080 -z password`
Local execution:
`proxy dns -S http -T tcp -Z password -P 2.2.2.2:33080 -p :53`
Then the local UDP port 53 provides secure, pollution-free DNS resolution.

***8.2.8 Custom encrypted SOCKS5 parent proxy***

Suppose there is a parent proxy: 2.2.2.2:33080
Command executed on the parent proxy:
`proxy socks -t tcp -p :33080 -z password`
Local execution:
`proxy dns -S socks -T tcp -Z password -P 2.2.2.2:33080 -p :53`
Then the local UDP port 53 provides secure, pollution-free DNS resolution.

### TODO

- HTTP and SOCKS proxies with load balancing over multiple parent proxies?
- PAC support for the HTTP(S) proxy?
- Welcome to join the group and give feedback...

### How to use the source code?

go1.10.1 is recommended.

`go get github.com/AntonOrnatskyi/goproxy`

Use `cd` to enter your Go `src` directory, then `cd` into `github.com/AntonOrnatskyi/goproxy`.

Direct compilation: `go build -o proxy`

Execution: `go run *.go`

`utils` is a toolkit, and `service` contains the concrete service classes.

### License

Proxy is licensed under the GPLv3 license.

### Contact

proxy QQ groups: 793015219, 189618940 (full)

### Donation

If proxy helps you a lot, you can support us by:

### AliPay

<img src="https://github.com/AntonOrnatskyi/goproxy/blob/master/docs/images/alipay.jpg?raw=true" width="200"/>

### Wechat Pay

<img src="https://github.com/AntonOrnatskyi/goproxy/blob/master/docs/images/wxpay.jpg?raw=true" width="200"/>