Failed to start service no error 3proxy

Failed to create service no error 3proxy Extract source code files from 3proxy.tgz (with WinZip or another utility). Use nmake /f Makefile.msvc command See How to compile 3proxy with Visual C++ Use Makefile.intl instead of Makefile.msvc Extract source files from 3proxy.tgz (for example with tar -xzf 3proxy.tgz command if you have tar installed) Use […]

Failed to create service no error 3proxy

Extract source code files from 3proxy.tgz (with WinZip or another utility). Use nmake /f Makefile.msvc command

See How to compile 3proxy with Visual C++ Use Makefile.intl instead of Makefile.msvc

Extract source files from 3proxy.tgz (for example with tar -xzf 3proxy.tgz command if you have tar installed) Use make -f Makefile.win command. If you want to use POSIX emulation Cygwin library (normally you shouldn’t) — use make -f Makefile.unix instead. Windows specific things (like installing as service) will not be available if compiled with Cygwin emulation.

Use for Linux or Cygwin, Makefile.Solaris* (depending on compiler version) for Solaris and Makefile.unix for different Unix-like OS. On BSD derivered systems make sure to use GNU make, sometimes it’s called gmake instead of make.
Compilation is tested under FreeBSD/i386, NetBSD/i386, OpenBSD/i386, RH Linux/Alpha, Debian/i386, Gentoo/i386, Gentoo/PPC, Solaris/x86 but you shouldn’t have problems under different Solaris, BSD or linux compatible systems. For different systems you may be required to patch Makefile or even source codes. If you want to use ODBC support, make sure to install ODBC for unix, remove -DNOODBC option from makefile compiler options and add ODBC library to linker variable.

Unpack 3proxy.zip to any directory, for example c:Program Files3proxy. If needed, create directory for storing log files, ODBC sources, etc. Create 3proxy.cfg in the 3proxy installation directory (See Server configuration). If you use 3proxy before 0.6 Add string into 3proxy.cfg. Now, start command prompt (cmd.exe). Change directory to 3proxy installation and run 3proxy.exe —install: Now, you should have 3proxy service installed and running. If service is not started, remove «service» string from 3proxy.cfg, run 3proxy.exe manually and correct all errors.

To remove 3proxy run 3proxy —remove: Now you can simply remove 3proxy installation directory.

Unpack 3proxy.zip to any directory, for example c:Program Files3proxy. If needed, create directory for storing log files, ODBC sources, etc. Create 3proxy.cfg in the 3proxy installation directory (See Server configuration). Remove string from 3proxy.cfg and add if you want 3proxy to run in background. Create shortcut for 3proxy.exe and place it in autostart or add to registry with regedit.exe:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun Type: String
3proxy = «c:Program Files3proxy.exe» «C:Program Files3proxy.cfg»
You must use quotes if path contains space. If neccessary, restart Windows. If service is not started, check log. Remove «daemon» command from 3proxy.cfg, start 3proxy.exe manually and correct all errors.

Complie 3proxy (see Compilation). Copy executables to any appropriate location (for example /usr/local/3proxy/sbin for servers and /usr/local/3proxy/bin for utilities). Create /usr/local/etc/3proxy.cfg. (see Server configuration). You can change default configuration file location by specifing configuration file in 3proxy command line. Add 3proxy to system startup scripts.

Most probable reasons for non-working limitations: ‘auth none’ or no auth is used. For any ACL based feature one of ‘iponly’, ‘nbname’ or ‘strong’ auths required. Sequence of commands may be invalid. Commands are executed one-by-one and ‘proxy’, ‘tcppm’, ‘socks’ or another service commands must follow valid configuration. Invalid sequence of ACLs. First matching ACL is used (except of internal redirections, see below). If ACL contains at least one records last record is assumed to be ‘deny *’.
How to make 3proxy to run as a service

Possible reasons for 3proxy starts manually but fails to start as a service:

  • there are relative paths in configuration file for included files, log files, etc. Always use absolute paths. For example $»c:3proxynetworks.local» instead of $networks.local. For debugging remove ‘service’ and ‘daemon’, log to stdout an try to execute 3proxy from command line from some different directory (for example from disk root).
  • SYSTEM account doesn’t have access to executable file, configuration files, log files, etc.
  • configuration files is not located in default path (3proxy.cfg in same location with 3proxy.exe). For alternative configuration file location use
  • user has no rights to install or start service
  • service is already installed and/or started

Both internal and external IPs are IPs of the host running 3proxy itself. This configuration option is usefull in situation 3proxy is running on the border host with 2 (or more) connections: e.g. LAN and WAN with different IPs If 3proxy is used on the host with single connection, both internal and external are usually same IP.
Internal should exist and be UP on the moment 3proxy is started and should never be disconnected/DOWN. If this interface is periodically disconnected (e.g. direct link between 2 hosts), do not specify internal address or use 0.0.0.0 instead. In this case, if you have 2 or more interfaces you must use firewall (preferably) or 3proxy ACLs to avoid open proxy situation.
External IP (if specified) must exist in the momet 3proxy serves client request. If external interface is no specified (or 0.0.0.0), system select external IP. It may be possible to access resources of internal network, to prevent this use ACLs. In addition, SOCKSv5 will not support BIND operation, required for incoming connections (this operation is quite rarely implemented in SOCKSv5 clients and usually is not required). In case of dynamic address, do not specify external or use external 0.0.0.0 or, if external address is required, create a script to determine current external IP and save it to file, and use external «$path_to_file» with «monitor» command to automatically reload configuration on address change.
How to make ODBC logging work?

Check you use system DSN. Check SQL request is valid. The best way to check is to make file or stdout logging, get SQL request from log file or console and execute this request manually. Under Unix, you may also want to adjust ‘stacksize’ parameter.
How to make IPv6 work

Proxy can not access destination directly over IPv6 if client requests IPv4 address. To access IPv6 destination, either IPv6 address or hostname must be used in request. Best solution is to enable option to resolve hostnames via proxy on client side.
How to fix 3proxy crashes

default stacksize may be insufficient, if some non-default plugins are used (e.g. PAM and ODBC on Linux) or if compiled on some platforms with invalid system defined values (few versionds of FreeBSD on amd64). Problem can be resolved with ‘stacksize’ command or ‘-S’ option starting 3proxy 0.8.4.
Where to find configuration example

Server configuration example 3proxy.cfg.sample is in any 3proxy distribution.

3proxy can log to stdout, file, ODBC datasource and syslog (Unix/Linux/Cygwin only). For using ODBC under Unix/Linux you must compile 3proxy with Unix ODBC libraries, see Compilation. You can control logging from 3proxy.cfg for all services or you can control logging of individual service, for example /usr/local/sbin/socks -l/var/log/socks.log starts SOCKS proxy with logging to file. For universal proxy (3proxy) log file rotation and archiving is supported. Log type is defined with «log» configuration file command or with -l switch on individual service invokation. log or -l is stdout logging. and specify filename for logging and specify ident for syslog logging. If filename within «log» command contains ‘%’ characters, it’s processes as format specificator (see «logformat»). E.g. log c:3proxylogs%y%m%d.log D creates file like c:3proxylogs60729.log, date is generated based on local time. specifies ODBC connection string, connstring is in format datasource,username,password (2 last are optional of datasource does not require or already has authentication information). Also, you must specify logformat to build SQL query, to insert recod into log, see How to setup logging format

Rotation and archiving may be set up with log, rotate � archiver commands sets rotation type. LOGTYPE may be:

  • M, monthely
  • W, weekly
  • D, daily
  • H, hourly
  • C, minutely

specifies number of files in rotation (that is how many files to keep). Sets external archiver. EXT is extention of archived files (for example zip, gz, Z, rar etc) COMMAND and PARAMETERS are command to execute and command line PARAMETERS. Originale file is not deleted by 3proxy, this work is left for archiver. You can pass original filename to archiver with %F macro and archive filename with %A. Examples are located in 3proxy.cfg.sample

Since 0.3 version log format may be set with «logformat» command. First symbol of log format specifies format of date and time and should be L (LOCAL) or G (GMT — Grinwitch Meridian Time). Format string may contains some macro substitutions:

  • %y — Year (2 digits)
  • %Y — Year (4 digits)
  • %m — Month (2 digits)
  • %o — mOnth (3 letter abbriviation)
  • %d — Day (2 digits)
  • %H — Hour (2 digits)
  • %M — Minute (2 digits)
  • %S — Second (2 digits)
  • %t — Timestamp (seconds since January, 1 1970 00:00:00 GMT)
  • %. — Milliseconds
  • %z — Timezone in mail format (from GMT, ‘+’ east, ‘-‘ west HHMM), For example Moscow winter time is +0300.
  • %U — Username (‘-‘ if unknown).
  • %N — Service name (PROXY, SOCKS, POP3P, etc)
  • %p — Service port
  • %E — Error code (see. Log error codes reference)
  • %C — client IP
  • %c — client port
  • %R — target IP
  • %r — target port
  • %e — external IP address used to establish connection
  • %Q — requested IP
  • %q — requested port
  • %I — bytes received from target
  • %O — bytes sent to target
  • %n — host name from request
  • %h — hops before target (if redirection or chaning is used). see How to use chains and parent proxies)
  • %T — service specific text (for example URL requested). %X-YT where X and Y are positive numbers, only displays fields (space delimited) X to Y of the text. An example is %1-2T.

Example: generates something like

1042454727.0296 SOCK4.1080 000 3APA3A 127.0.0.1:4739 195.122.226.28:4739 505 18735 1 GET http://3proxy.org/ HTTP/1.1
(no line breaks)

If ODBC used, logformat should specify SQL command, to insert record into log, for example

(no line breaks)
-’+_ instructs to replace characters and ‘ with _

Just make format of 3proxy logs compatible with format supported by your favourite log analizer. Examples of compatible logformats are:
For Squid access.log:

«- +_G%t.%. %D %C TCP_MISS/200 %I %1-1T %2-2T %U DIRECT/%R application/unknown»

or, more compatible format without %D ISA 2000 proxy WEBEXTD.LOG (fields are TAB-delimited): ISA 2004 proxy WEB.w3c (fields are TAB-delimited): ISA 2000/2004 firewall FWSEXTD.log (fields are TAB-delimited): HTTPD standard log (Apache and others):

or more compatible without error code

3proxy is distributed in 2 variants: as a set of standalone modules (proxy, socks, pop3p, tcppm, udppm) and as universal proxy server. These services are absolutely independant, and if you use 3proxy you needn’t any of standalone modules.
Standalone modules are only configurable via command line interface while 3proxy uses configuration file. Many functions, such as ODBC logging, log rotation, access control, etc are only available in 3proxy, not in standalone proxies. Standalone module may be started from command line, for example: Starts SOCKS server binded to localhost ip, port 1080 with logging to /var/log/socks.log. You can get help for any standalone service with -? command line option.

If 3proxy is used you should start all services in 3proxy.cfg file. 3proxy.cfg is executed by 3proxy as a batch file. Example of 3proxy.cfg and command syntaxys can be found in 3proxy.cfg.sample. Starts 3 services: HTTP PROXY, SOCKS and POP3 PROXY. Each listens localhost interface with default port (3128 for HTTP, 1080 for SOCKS and 110 for POP3P) except socks started with port 3129. All logs are in file /var/log/3proxy.log (with daily date modification and rotation). 30 last files are stored.

-i options specifies internal interface, -p — listening port. No space are allowed. To bind ‘proxy’ service to port 8080 on interfaces 192.168.1.1 and 192.168.2.1 use

A: Use one of http, connect+, socks4+ or socks5+ as a parent type. 3proxy itself still performs a name resolution, it’s required e.g. to ACLs matching. So, if no name resolution must be performed by 3proxy itself add a command this command resolves any name to 127.0.0.2 address.

There is FTP over HTTP (what is called FTP proxy in browsers) and FTP over FTP �ப� (what is called FTP proxy in file managers and FTP clients). For browsers, there is no need to start additional proxy service, ‘proxy’ supports FTP over HTTP, configure ‘proxy’ port as an FTP proxy. For ftp clients and file managers use ftppr. FTP proxy supports both active and passive mode with client, but always use passive mode with FTP servers.

First, always specify internal interface to accept incoming connection with ‘internal’ configuration command or ‘-i’ service command. (See How to start any of proxy services (HTTP, SOCKS etc)). If no internal interface is specified your proxy will act as open one.

It’s also important to specify external interface to prevent access to internal network with ‘external’ or -e.

3proxy with configuration files allows to use authentication and authorization for user’s access. Authentication is possible by username/password or user’s NetBIOS name. Authentication type is specified by ‘auth’ command. Disables both authentication and authorization. You can not use ACLs. Specifies no authentication, ACLs authorization is used. Authentication by NetBIOS name + ACLs. NetBIOS name of ‘messenger’ service is obrained before ACL validation. If no name is obtained it’s assumed to be empty. Messenger is started by default in Windows NT/2000/XP. For Win9x WinPopUP need to be launched. This type of authentication may be spoofed by privileged local user. Authentication by username/password. If user is not registered his access is denied regardless of ACLs.

Different services can have different authentication levels. It’s possible to authorize access by client IP address, IP address or requested resource, target port, time, etc after authentication. (See How to limit resource access).

Since 0.6 version double authentication is possible, e.g. strong authentication will only be used if ACL requires username to deside if access must be granted. That is, in example, strong username authentication is not required to access 192.168.0.0/16

0.6 version introduces authentication (username) caching to increase productivity. It’s recommended to use authentication caching with resource or time consuming authentication types, such as nbname or external plugins (WindowsAuthentication). Caching can be set with ‘authcache’ command with 2 parameters: caching type and caching time (in seconds). Caching type defines the type of cached access: ‘ip’ — after successful authentication all connections during caching time from same IP are assigned to the same user, username is not requested. «ip,user» — username is requested and all connections from the same IP are assigned to the same user without actual authentication. «user» — same as above, but IP is not checked. «user,password» — username and password are checked against cached ones. For authentication special authentication type ‘cache’ must be used. Example:

Please note, that caching affects security. Never use caching for access to critical resources, such as web administration.

authcache can be used to bind user’s sessions to ip with ‘limit’ option, with user will not be able to use more than a single IP during cache time (120 sec).

Userslist is created with ‘users’ command. With a single command it’s possible to define few users, or you can use few ‘users’ commands. USERDESC is user description. Description consists of three semicolon delimited parts — login, password type and Please note the usage of quotation sign: it’s required to comment out $ sign overwise used as a file inclusion macro. Next password types are available:

  • No password type: use system authentication.
  • CL — cleartext password
  • CR — crypt password, only MD5 crypt passwords are supported
  • NT — NT-hashed (MD4) passwords in hex, as used in pwdump or SAMBA

NT and crypt passwords can be used to import accounts from Windows/SAMBA or Unix. For Windows you can use pwdump family of utilities. It’s convenient to store accounts apart and include account file with $ macro. Because for included files newlines are treated as a space, it’s possible to use atandard passwd file format: or It’s possible to create NT and crypt passwords with mycrypt utility included in distribution.
Userlist is system-wide. To manage user access to specific service use ACLs.

Commands allow, deny and flush are used to manage ACLs:

allow
deny
flush

‘flush’ command is used to finish with existing ACL and to start new one. It’s required to have different ACLs for different services. ‘allow’ is used to allow connection and ‘deny’ to deny connection. ‘allow’ command can be extended by ‘parent’ command to manage redirections (see How to manage redirections)). If ACL is empty it allow everything. If ACL is not empty, first matching ACL entry is searched for user request and ACL action (allow or deny) performed. If no matching record found, connection is denied and user will be asked to re-authenticate (requested for username/password). To prevent this request add ‘deny *’ to the end of list.

  • — comma delimited list of users
  • — comma delimited list of source (client) networks. Networks can be defined as single IP address or in CIDR form xxx.yyy.zzz.mmm/l, where l — is the length of network mask (a number of non-zero bits). 192.168.1.0/24 means network with 255.255.255.0 mask.
  • — comma delimited list of target (server) networks. In 3proxy 0.6 and above it’s allowed to use hostnames with wildmasks in targetlist. Wildmask may only present in the begginning or at the end of the hostname, e.g. 192.168.0.0/16,www.example.com,*wrongsite.com,*wrongcontent*.
  • — comma delimited list of ports. I It’s possible to define port ranges with -, e.g. 80,1024-65535 means port 80 and all unprivileged ports.
  • — the list of allowed actions
    CONNECT — establish outgoing TCP connection. e.g. POP3 or SOCKSv5
    BIND — allow incoming TCP connection (SOCKSv5)
    UDPASSOC — create UDP association (SOCKSv5)
    ICMPASSOC — create ICMP association (not implemented)
    HTTP_GET — HTTP GET request (HTTP proxy)
    HTTP_PUT — HTTP PUT request (HTTP proxy)
    HTTP_POST — HTTP POST request (HTTP proxy)
    HTTP_HEAD — HTTP HEAD request (HTTP proxy)
    HTTP_CONNECT — HTTP CONNECT, aka HTTPS request (HTTP proxy)
    HTTP_OTHER — another HTTP request (HTTP proxy)
    HTTP — any HTTP request except HTTP_CONNECT (HTTP proxy)
    HTTPS — alias to HTTP_CONNECT (HTTP proxy)
    FTP_GET — FTP get request (http, ftp proxy)
    FTP_PUT — FTP put request (ftp proxy)
    FTP_LIST — FTP list request (http, ftp proxy)
    FTP — any FTP request
    ADMIN — administration interface access
  • — week days numbers or periods (0 or 7 means Sunday, 1 is Monday, 1-5 means Monday through Friday).
  • — a list of time periods in HH:MM:SS-HH:MM:SS format. For example, 00:00:00-08:00:00,17:00:00-24:00:00 lists non-working hours.
  • * in ACL means «any». Usage examples could be found in 3proxy.cfg.sample.

    Redirections are usefull to e.g. forward requests from specific clients to different servers or proxy server. Additionally, redirections are usefull to convert proxy interface from ont format to another, e.g. requests from SOCKS proxy can be redirected to parent HTTP proxy, or SOCKSv5 client can be redirected to SOCKSv4 proxy.
    Because 3proxy understand «transparent» web request, it can be used as an intermediate software between HTTP proxy and NAT server for transparent HTTP forwarding, because it can convert «Web server» request issued by client to «proxy request» required by proxy server. A simplest redirection is: All trafiic of HTTP proxy is redirected to parent proxy 192.168.1.1 port 3128.
    If port number is ‘0’, IP address from ‘parent’ is used as external address for this connection (that is like -eIP, but only for connections matching ‘allow’).
    Special case of redirection are local redirections. In this case both IP is 0.0.0.0 and port is 0. It’s only usseful with SOCKS service. In this case no new connection is established, but request is parsed by corresponding local service. E.g.: In this case all SOCKS traffic with destination port 80 is forwarded to local ‘proxy’ service, destination port 21 to ‘ftppr’ and 110 to ‘pop3pr’. There is no need to run these services expicitly. Local redirections are usefull if you want to see and control via ACLs protocol specific parameters, e.g. filenames requests thorugh FTP while clients are using SOCKS.

    Q: What is it for?

    A: To have control based on request and to have URLs and another protocol specific parameters to be logged.

    Q: What are restrictions?

    A: It’s hard to redirect services for non-default ports; Internet Explorer supports only SOCKSv4 with no password authentication (Internet Explorer sends username, but not password), for SOCKSv5 only cleartext password authentication is supported.

    Q: What are advantages?

    A: You need only to setup SOCKS proxy in browser settings. You can use socksifier, i.e. FreeCAP or SocksCAP with application which is not proxy aware.

    A: You should specify parent proxy with IP of 0.0.0.0 and port 0. Examples:

    Q: How it affects different ACL rules

    A: After local redirections rules are applied again to protocol-level request. Redirection rule itself is skipped. It makes it possible to redirect request again on the external proxy depending on request itself.
    How to balance traffic between few external channgels?

    Proxy itself doesn’t manage network level routing. The only way to control outgoing channel is to select external interface. It’s possible to make external interface (what is usually selected with ‘external’ command or ‘-e’ option) random by using local redirection with external port 0. Now external interface is randomly selected with 0.5 probability between 10.1.1.101 and 10.2.1.102. To work as expected, different default routes must between 2 interfaces. used

    If both interface addresses are in same network, e.g. 10.1.1.101 and 10.1.1.102 and you want to select random gateway between 10.1.1.1 and 10.1.1.2, you must control it by using routing table, in case there is no default gateway route for Windows: If you have no second address yet, just add it. Under Linux/Unix it’s better to use source routing.

    parent command may also be used to build a proxy chains. In this case few ‘parent’ commands are used for single ‘allow’ rule with different weights (first argument of parent command). Chain may contain any number of proxy servers, but it should be noted that every hope significantly reduces productivity. It’s possible to mix different types of proxy within single chain: HTTPS (HTTP connect), SOCKS4, SOCKS5. Weight different from 1000 is used to build random chains. if weight W is below 1000, this proxy will be used as a next chain hop with probability of W/1000. That is, if the weight is 250 probability this proxy will be used for the next hope is 25%. ‘parent’ records with common weight of 1000 establish a group, one of these record will be used for the hop with probability according to weight. Warning: each group must have a weight even of 1000. As follows, common weight of all ‘parent’ records must also be even of 1000. If common weight of ‘parent’ records in te chain is 3000, chain has 3 hops and must be formed of 3 groups. Example: In this case we have 1 parent proxy (1 hop) which is randomely choosen between 2 hosts: 192.168.1.1 and 192.168.10.1. 2 records form a single group. In this case we have 3 groups (3 hops in the chain). First hop is 192.168.10.1, second hop is 192.168.20.1 and 3rd one is either 192.168.30.1 with probability of 30% or 192.168.40.1 with probability of 70%.

    3proxy supports bandwidth filters. To manage filters bandlimin/bandlimout and nobandlimin/nobandlimout. ‘in’ means incoming and ‘out’ — outgoing traffic.

    Commands are applied to all services. Imagine bandwidth filters as a series of pipes. Bitrate is a pipe’s width and ACLs controls the flow thorugh this pipe. Create 4 separete pipes for 4 client with emulation of modem connection. Create single pipe for all 4 clients. That is 4 clients share modem connection. In this example: mail traffic from POP3 servers bypasses the pipe and has no bandwidth limitation.

    You can set traffic limit per day (D), week (W), month (M), year (Y) or absolute (‘N’), as specified by ‘type’ argument of counterin command. Traffic information is stored in binary file specified by ‘filename’ argument. countersutil utility can be used to manage this file. reportpath specifies location of text reports, type parameter of ‘counter’ command controls how often text reports are created. amount is amount of allowed traffic in Megabytes (MB). nocountin allows you to set exclusions.

    3proxy accounts protocol level traffic. Provider counts channel or IP-level traffic with network and transport headers. In additions, 3proxy doesn’t counts DNS resolutions, pings, floods, scans, etc. It makes approx. 10% of difference. That’s why you should have 15% reserve if you use 3proxy to limit your traffic. If difference with your provider is significantly above 10% you should look for traffic avoiding proxy server, for example connections through NAT, traffic originated from the host with proxy installed, traffic from server applications, etc.
    How to configure name resolution and DNS caching

    For name resolution and caching use commands nserver, nscache / nscache6 and nsrecord. sets DNS resolvers. 192.168.1.3 will be used via TCP/5353 (instead of default UDP/53) only if 192.168.1.2 fails. Up to 5 nservers may be specified. If no nserver is configured, default system name resolution functions are used. sets name cache size for IPv4 and IPv6. Name cache must be large enouth, if presents. name cache is only used if nserver is configured. adds static nsrecords. Also, static nsrecords are used for dnspr, unless -s option is specified. Since 0.8 version, parent proxy may be configured for dnspr.

    IPv6 is supported since 0.8. Please note, some proxy protolos, e.g. SOCKSv4, do not support IPv6. SOCKSv5 supports IPv6 with special request type (must be implemented by client).
    3proxy supports proxying from IPv4 and IPv6 networks to IPv4, IPv6 and mixed networks. IPv6 address may be used in internal, external, parent commands, ACLs, -i and -e options,etc. external command and -e options may be given twice for each service — once with IPv4 and once with IPv6 address. internal can be given only once, to bind to all IPv4 and IPv6 addresses use [0:0:0:0:0:0:0:0] or [::].
    Any service may be configured with -4, -46, -64, -6 options to specify decied priority for name to IPv4/IPv6 address resolution (IPv4 only, IPv4 priority, IPv6 priority, IPv6 only).

    In example, users needs access from external network to proxy server located on the host 192.168.1.2. This host can not be accessed from external network, but it has access to external network with with external address 1.1.1.1. Also, user has access to the host 2.2.2.2 (IP address may be dynamic) with hostname host.dyndns.example.org via external network. User needs 2 instances of 3proxy, first one on the host 192.168.1.2 with config second one on the host.dyndns.example.org (2.2.2.2) with config For browser settings proxy is host.dyndns.example.org:3128.

    Latest version of 3proxy may be obtained here. New version may have changes and incompatibilities with previous one in files format or commands. Please, read CHANGELOG file and another documentation before installing new version.

    If installed as system service, 3proxy understands Windows service commands for START, STOP, PAUSE and RESUME. If service is PAUSEd, no new connections are accepted while older connections are processed. Currently there is no support for dynamic configuration change, so, you have to restart service completely if you have changed any configuration. You can control 3proxy service via «Services» administration ot via «net» command:

    • 0 — Operation successfully complited (connection was closed by one of peers)
    • 1-9 — AUTHENTICATION ERRORS
    • 1 — Access denied by ACL (deny)
    • 2 — Redirection (should not appear)
    • 3 — No ACL found, denied by default
    • 4 — auth=strong and no username in request
    • 5 — auth=strong and no matching username in configuration
    • 6 — User found, wrong password (cleartext)
    • 7 — User found, wrong password (crypt)
    • 8 — User found, wrong password (NT)
    • 9 — Redirection data not found (should not appear)
    • 10 — Traffic limit exceeded
    • 11-19 — CONNECTION ERRORS
    • 11 — failed to create socket()
    • 12 — failed to bind()
    • 13 — failed to connect()
    • 14 — failed to getpeername()
    • 20-29 — COMMON ERRORS
    • 21 — memory allocation failed
    • 30-39 — CONNECT PROXY REDIRECTION ERRORS
    • 31 — failed to request HTTP CONNECT proxy
    • 32 — CONNECT proxy connection timed out or wrong reply
    • 33 — CONNECT proxy fails to establish connection
    • 34 — CONNECT proxy timed out or closed connection
    • 40-49 — SOCKS4 PROXY REDIRECTION ERRORS
    • 50-69 — SOCKS5 PROXY REDIRECTION ERRORS
    • 70-79 PARENT PROXY CONNECTION ERRORS (identical to 1x)
    • 90-99 — established connection errors
    • since 0.9
    • 90 — unexpected system error (should not happen)
    • 91 — unexpected poll error (should not happen)
    • 92 — connection terminated by timeout (see timeouts)
    • 93 — connection terminated by ratelimit-related timeout or due to errors limit
    • 94 — connection termination by server or client with unsent data
    • 95 — dirty connection termination by client (or networking issue)
    • 96 — dirty connection termination by server (or networking issue)
    • 97 — dirty connection termination by both client and server (probably networking issue)
    • prior to 0.9:
    • 90 — socket error or connection broken
    • 91 — TCP/IP common failure
    • 92 — connection timed out
    • 93 — error on reading data from server
    • 94 — error on reading data from client
    • 95 — timeout from bandlimin/bandlimout limitations
    • 96 — error on sending data to client
    • 97 — error on sending data to server
    • 98 — server data limit (should not appear)
    • 99 — client data limit (should not appear)
    • 100 — HOST NOT FOUND
    • 200-299 — UDP portmapper specific bugs
    • 300-399 — TCP portmapper specific bugs
    • 400-499 — SOCKS proxy specific bugs
    • 500-599 — HTTP proxy specific bugs
    • 600-699 — POP3 proxy specific bugs
    • 999 — NOT IMPLEMENTED

    Ask it in Github. Don’t try to ask something before reading this document.

    Источник

    How to set up logging

    3proxy can log to stdout, file, ODBC datasource and
    syslog (Unix/Linux/Cygwin only). For using ODBC under Unix/Linux you must
    compile 3proxy with Unix ODBC libraries, see Compilation.
    You can control logging from 3proxy.cfg for all services or you can control
    logging of individual service, for example
    /usr/local/sbin/socks -l/var/log/socks.log starts SOCKS proxy with logging to file.
    For universal proxy (3proxy) log file rotation and archiving is supported.
    Log type is defined with «log» configuration file command or with
    -l switch on individual service invokation. log or -l is stdout logging.

    	log filename
    

    and

    	-lfilename
    

    specify filename for logging

    	log @ident
    

    and

    	[email protected]
    

    specify ident for syslog logging. If filename within «log» command contains
    ‘%’ characters, it’s processes as format specificator (see «logformat»). E.g.
    log c:3proxylogs%y%m%d.log D creates file like c:3proxylogs60729.log,
    date is generated based on local time.

    	log &connstring
    

    specifies ODBC connection string, connstring is in format
    datasource,username,password (2 last are optional of
    datasource does not require or already has authentication information).
    Also, you must specify logformat to build SQL query, to insert recod into
    log, see How to setup logging format

    Rotation and archiving may be set up with log, rotate � archiver commands

    	log filename LOGTYPE
    

    sets rotation type. LOGTYPE may be:

    • M, monthely
    • W, weekly
    • D, daily
    • H, hourly
    • C, minutely
    	rotate NUMBER
    

    specifies number of files in rotation (that is how many files to keep).

    	archiver EXT COMMAND PARAMETERS
    

    Sets external archiver. EXT is extention of archived files
    (for example zip, gz, Z, rar etc) COMMAND and PARAMETERS are command
    to execute and command line PARAMETERS. Originale file is not deleted by
    3proxy, this work is left for archiver.
    You can pass original filename to archiver with %F macro and archive filename with %A.
    Examples are located in
    3proxy.cfg.sample

    How to setup logging format

    Since 0.3 version log format may be set with «logformat» command.
    First symbol of log format specifies format of date and time and
    should be L (LOCAL) or G (GMT — Grinwitch Meridian Time). Format
    string may contains some macro substitutions:

    • %y — Year (2 digits)
    • %Y — Year (4 digits)
    • %m — Month (2 digits)
    • %o — mOnth (3 letter abbriviation)
    • %d — Day (2 digits)
    • %H — Hour (2 digits)
    • %M — Minute (2 digits)
    • %S — Second (2 digits)
    • %t — Timestamp (seconds since January, 1 1970 00:00:00 GMT)
    • %. — Milliseconds
    • %z — Timezone in mail format (from GMT, ‘+’ east, ‘-‘ west HHMM), For example Moscow winter time is +0300.
    • %U — Username (‘-‘ if unknown).
    • %N — Service name (PROXY, SOCKS, POP3P, etc)
    • %p — Service port
    • %E — Error code (see. Log error codes reference)
    • %C — client IP
    • %c — client port
    • %R — target IP
    • %r — target port
    • %e — external IP address used to establish connection
    • %Q — requested IP
    • %q — requested port
    • %I — bytes received from target
    • %O — bytes sent to target
    • %n — host name from request
    • %h — hops before target (if redirection or chaning is used).
      see How to use chains and parent proxies)
    • %T — service specific text (for example URL requested). %X-YT
      where X and Y are positive numbers, only displays fields
      (space delimited) X to Y of the text. An example is %1-2T.

    Example:

    logformat "L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"
    

    generates something like


    1042454727.0296 SOCK4.1080 000 3APA3A 127.0.0.1:4739 195.122.226.28:4739 505 18735 1 GET http://3proxy.org/ HTTP/1.1


    (no line breaks)

    If ODBC used, logformat should specify SQL command,
    to insert record into log, for example

    logformat "-'+_GINSERT INTO proxystat  VALUES (%t, '%c', '%U', %I)"

    (no line breaks)

    -‘+_ instructs to replace characters and ‘ with _

    A: Use one of http, connect+, socks4+ or socks5+ as a parent type. 3proxy
    itself still performs a name resolution, it’s required e.g. to ACLs matching.
    So, if no name resolution must be performed by 3proxy itself add a command

      fakeresolve

    this command resolves any name to 127.0.0.2 address.

  • How to setup FTP proxy
  • There is FTP over HTTP (what is called FTP proxy in browsers) and FTP over FTP �ப�
    (what is called FTP proxy in file managers and FTP clients). For browsers, there is no need to start additional
    proxy service, ‘proxy’ supports FTP over HTTP, configure ‘proxy’ port as an FTP proxy. For ftp clients and file
    managers use ftppr. FTP proxy supports both active and passive mode with client, but always use passive mode with FTP servers.

  • How to limit service access

    First, always specify internal interface to accept incoming connection with
    ‘internal’ configuration command or ‘-i’ service command. (See
    How to start any of proxy services (HTTP, SOCKS etc)). If
    no internal interface is specified your proxy will act as open one.

    It’s also important to specify external interface to prevent access to
    internal network with ‘external’ or -e.

    3proxy with configuration files allows to use authentication and
    authorization for user’s access. Authentication is possible by
    username/password or user’s NetBIOS name. Authentication type is specified by
    ‘auth’ command.

    auth none
    

    Disables both authentication and authorization. You can not use ACLs.

    auth iponly
    

    Specifies no authentication, ACLs authorization is used.

    auth nbname
    

    Authentication by NetBIOS name + ACLs. NetBIOS name of ‘messenger’ service
    is obrained before ACL validation. If no name is obtained it’s assumed to be
    empty. Messenger is started by default in Windows NT/2000/XP. For Win9x
    WinPopUP need to be launched. This type of authentication may be spoofed
    by privileged local user.

    auth strong
    

    Authentication by username/password. If user is not registered his
    access is denied regardless of ACLs.

    Different services can have different authentication levels.

    auth none
    pop3p
    auth iponly
    proxy
    auth strong
    socks
    

    It’s possible to authorize access by client IP address, IP address or requested resource,
    target port, time, etc after authentication.
    (See How to limit resource access).

    Since 0.6 version double authentication is possible, e.g.

    auth iponly strong
    allow * * 192.168.0.0/16
    allow user1,user2
    proxy
    

    strong authentication will only be used if ACL requires username to deside if
    access must be granted. That is, in example, strong username authentication
    is not required to access 192.168.0.0/16

    0.6 version introduces authentication (username) caching to increase
    productivity. It’s recommended to use authentication caching with resource
    or time consuming authentication types, such as nbname or external plugins
    (WindowsAuthentication).
    Caching can be set with ‘authcache’ command with 2 parameters: caching type
    and caching time (in seconds). Caching type defines the type of cached access:
    ‘ip’ — after successful authentication all connections during caching time
    from same IP are assigned to the same user, username is not requested.
    «ip,user» — username is requested and all connections from the same IP are
    assigned to the same user without actual authentication. «user» — same as above,
    but IP is not checked. «user,password» — username and password are checked
    against cached ones. For authentication special authentication type ‘cache’
    must be used.
    Example:

    authcache ip 60
    auth cache strong windows
    proxy -n
    

    Please note, that caching affects security. Never use caching for access to
    critical resources, such as web administration.

    authcache can be used to bind user’s sessions to ip with ‘limit’ option, with

      autchcache ip,user,pass,limit 120
      auth cache strong

    user will not be able to use more than a single IP during cache time (120 sec).

  • How to create user list

    Userslist is created with ‘users’ command.

    users USERDESC ...
    

    With a single command it’s possible to define few users, or you
    can use few ‘users’ commands. USERDESC is user description. Description
    consists of three semicolon delimited parts — login, password type and

    users admin:CL:bigsecret test:CL:password test1:CL:password1
    users "test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49."
    users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63
    

    Please note the usage of quotation sign: it’s required to comment out $ sign
    overwise used as a file inclusion macro.
    Next password types are available:

    • No password type: use system authentication.
    • CL — cleartext password
    • CR — crypt password, only MD5 crypt passwords are supported
    • NT — NT-hashed (MD4) passwords in hex, as used in pwdump or SAMBA

    NT and crypt passwords can be used to import accounts from Windows/SAMBA or
    Unix. For Windows you can use pwdump family of utilities.
    It’s convenient to store accounts apart and include account file with $ macro.
    Because for included files newlines are treated as a space, it’s possible to
    use atandard passwd file format:

    users $/etc/.3proxypasswd
    

    or

    users $"c:Program Files3proxypasswords"
    

    It’s possible to create NT and crypt passwords with mycrypt utility included
    in distribution.

    Userlist is system-wide. To manage user access to specific service use ACLs.

  • How to limit user access to resources

    Commands allow, deny and flush are used to manage ACLs:


    allow <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist> <weekdaylist> <timeperiodlist>

    deny <userlist> <sourcelist> <targetlist> <weekdaylist> <timeperiodlist>

    flush

    ‘flush’ command is used to finish with existing ACL and to start new one.
    It’s required to have different ACLs for different services.
    ‘allow’ is used to allow connection and ‘deny’ to deny connection. ‘allow’
    command can be extended by ‘parent’ command to manage redirections (see How to manage redirections)). If ACL
    is empty it allow everything. If ACL is not empty, first matching ACL entry
    is searched for user request and ACL action (allow or deny) performed. If
    no matching record found, connection is denied and user will be asked to
    re-authenticate (requested for username/password). To prevent this request
    add ‘deny *’ to the end of list.

    • <userlist> — comma delimited list of users
    • <sourcelist> — comma delimited list of source (client) networks.
      Networks can be defined as single IP address or in CIDR form
      xxx.yyy.zzz.mmm/l, where l — is the length of network mask
      (a number of non-zero bits). 192.168.1.0/24
      means network with 255.255.255.0 mask.
    • <targetlist> — comma delimited list of target (server) networks.
      In 3proxy 0.6 and above it’s allowed to use hostnames with wildmasks
      in targetlist. Wildmask may only present in the begginning or at the
      end of the hostname, e.g.
      192.168.0.0/16,www.example.com,*wrongsite.com,*wrongcontent*.
    • <targetportlist> — comma delimited list of ports. I
      It’s possible to define port ranges with -, e.g. 80,1024-65535
      means port 80 and all unprivileged ports.
    • <commandlist> — the list of allowed actions

      CONNECT — establish outgoing TCP connection. e.g. POP3 or SOCKSv5

      BIND — allow incoming TCP connection (SOCKSv5)

      UDPASSOC — create UDP association (SOCKSv5)

      ICMPASSOC — create ICMP association (not implemented)

      HTTP_GET — HTTP GET request (HTTP proxy)

      HTTP_PUT — HTTP PUT request (HTTP proxy)

      HTTP_POST — HTTP POST request (HTTP proxy)

      HTTP_HEAD — HTTP HEAD request (HTTP proxy)

      HTTP_CONNECT — HTTP CONNECT, aka HTTPS request (HTTP proxy)

      HTTP_OTHER — another HTTP request (HTTP proxy)

      HTTP — any HTTP request except HTTP_CONNECT (HTTP proxy)

      HTTPS — alias to HTTP_CONNECT (HTTP proxy)

      FTP_GET — FTP get request (http, ftp proxy)

      FTP_PUT — FTP put request (ftp proxy)

      FTP_LIST — FTP list request (http, ftp proxy)

      FTP — any FTP request

      ADMIN — administration interface access
    • <weeksdays> — week days numbers or periods (0 or 7 means Sunday, 1 is Monday, 1-5 means Monday through Friday).
    • <timeperiodlists> — a list of time periods in HH:MM:SS-HH:MM:SS format. For example,
      00:00:00-08:00:00,17:00:00-24:00:00 lists non-working hours.

    * in ACL means «any».
    Usage examples could be found in 3proxy.cfg.sample.

  • How to manage redirections

    Redirections are usefull to e.g. forward requests from specific clients
    to different servers or proxy server. Additionally, redirections are usefull
    to convert proxy interface from ont format to another, e.g. requests from
    SOCKS proxy can be redirected to parent HTTP proxy, or SOCKSv5 client can be
    redirected to SOCKSv4 proxy.

    Because 3proxy understand «transparent» web request, it can be used as an
    intermediate software between HTTP proxy and NAT server for transparent HTTP
    forwarding, because it can convert «Web server» request issued by client to
    «proxy request» required by proxy server. A simplest redirection is:

    auth iponly
    allow *
    parent 1000 http 192.168.1.1 3128
    proxy
    

    All trafiic of HTTP proxy is redirected to parent proxy 192.168.1.1 port 3128.

    If port number is ‘0’, IP address from ‘parent’ is used as external address
    for this connection (that is like -eIP, but only for connections matching
    ‘allow’).

    Special case of redirection are local redirections. In this case both IP is
    0.0.0.0 and port is 0. It’s only usseful with SOCKS service. In this case no
    new connection is established, but request is parsed by corresponding local
    service. E.g.:

    auth iponly
    allow * * * 80
    parent 1000 http 0.0.0.0 0
    allow * * * 21
    parent 1000 ftp 0.0.0.0 0
    allow * * * 110
    parent 1000 pop3 0.0.0.0 0
    socks
    

    In this case all SOCKS traffic with destination port 80 is forwarded to local
    ‘proxy’ service, destination port 21 to ‘ftppr’ and 110 to ‘pop3pr’. There is
    no need to run these services expicitly. Local redirections are usefull if
    you want to see and control via ACLs protocol specific parameters, e.g.
    filenames requests thorugh FTP while clients are using SOCKS.

  • ��� �ࠢ���� ������묨 ��७��ࠢ����ﬨ

    Q: What is it for?

    A: To have control based on request and to have URLs and another protocol specific parameters to be logged.

    Q: What are restrictions?

    A: It’s hard to redirect services for non-default ports; Internet Explorer supports only SOCKSv4 with no password authentication (Internet Explorer sends username, but not password), for SOCKSv5 only cleartext password authentication is supported.

    Q: What are advantages?

    A: You need only to setup SOCKS proxy in browser settings. You can use socksifier, i.e. FreeCAP or SocksCAP with application which is not proxy aware.

    Q: How to setup?

    A: You should specify parent proxy with IP of 0.0.0.0 and port 0. Examples:

    auth iponly
    allow * * * 80,8080-8088
    parent 1000 http 0.0.0.0 0
    allow * * * 80,8080-8088
    #redirect ports 80 and 8080-8088 to local HTTP proxy
    #Second allow is required, because ACLs are checked
    #twice: first time by socks and second by http proxy.
    
    allow * * * 21,2121
    parent 1000 ftp 0.0.0.0 0
    allow * * * 21,2121
    #redirect ports 21 and 2121 to local 
    #ftp proxy
    
    
    allow *
    #allow rest of connections directly
    
    socks
    #now let socks server to start
    

    Q: How it affects different ACL rules

    A: After local redirections rules are applied again to protocol-level request. Redirection rule itself is skipped. It makes it possible to redirect request again on the external proxy depending on request itself.

    allow * * * 80,8080-8088
    parent 1000 http 0.0.0.0 0
    #redirect http traffic to internal proxy
    
    allow * * $c:3proxylocal.nets 80,8080-8088
    #allow direct access to local.nets networks
    allow * * * 80,8080-8088
    parent 1000 http proxy.3proxy.org 3128
    #use parent caching proxy for rest of the networks
    
    allow *
    #allow direct connections for rest of socks
    #requests
    
  • How to balance traffic between few external channgels?

    Proxy itself doesn’t manage network level routing. The only way to control
    outgoing channel is to select external interface. It’s possible to make
    external interface (what is usually selected with ‘external’ command or
    ‘-e’ option) random by using local redirection with external port 0.

    auth iponly
    allow *
    parent 500 http 10.1.1.101 0
    parent 500 http 10.2.1.102 0
    

    Now external interface is randomly selected with 0.5 probability between
    10.1.1.101 and 10.2.1.102. To work as expected, different default routes
    must between 2 interfaces.
    used

    If both interface addresses are in same network, e.g. 10.1.1.101 and 10.1.1.102
    and you want to select random gateway between 10.1.1.1 and 10.1.1.2, you must
    control it by using routing table, in case there is no default gateway route
    for Windows:

     route add -p 10.1.1.1 10.1.1.101
     route add -p 10.1.1.2 10.1.1.102
     route add -p 0.0.0.0 mask 0.0.0.0 192.168.1.1
     route add -p 0.0.0.0 mask 0.0.0.0 192.168.1.2
    

    If you have no second address yet, just add it. Under Linux/Unix it’s better
    to use source routing.

  • How to manage proxy chains

    parent command may also be used to build a proxy chains. In this case
    few ‘parent’ commands are used for single ‘allow’ rule with different
    weights (first argument of parent command). Chain may contain any number
    of proxy servers, but it should be noted that every hope significantly
    reduces productivity. It’s possible to mix different types of proxy within
    single chain: HTTPS (HTTP connect), SOCKS4, SOCKS5. Weight different from
    1000 is used to build random chains. if weight W is below 1000, this proxy
    will be used as a next chain hop with probability of W/1000. That is, if
    the weight is 250 probability this proxy will be used for the next hope is
    25%. ‘parent’ records with common weight of 1000 establish a group, one of
    these record will be used for the hop with probability according to weight.
    Warning: each group must have a weight even of 1000. As follows, common
    weight of all ‘parent’ records must also be even of 1000. If common weight
    of ‘parent’ records in te chain is 3000, chain has 3 hops and must be formed
    of 3 groups. Example:

    allow *
    parent 500 socks5 192.168.1.1 1080
    parent 500 connect 192.168.10.1 3128
    

    In this case we have 1 parent proxy (1 hop) which is randomely choosen between
    2 hosts: 192.168.1.1 and 192.168.10.1. 2 records form a single group.

    allow * * * 80
    parent 1000 socks5 192.168.10.1 1080
    parent 1000 connect 192.168.20.1 3128
    parent 300 socks4 192.168.30.1 1080
    parent 700 socks5 192.168.40.1 1080
    

    In this case we have 3 groups (3 hops in the chain). First hop is 192.168.10.1,
    second hop is 192.168.20.1 and 3rd one is either 192.168.30.1 with probability
    of 30% or 192.168.40.1 with probability of 70%.

  • How to limit bandwidth

    3proxy supports bandwidth filters. To manage filters bandlimin/bandlimout and
    nobandlimin/nobandlimout. ‘in’ means incoming and ‘out’ — outgoing traffic.


    bandlimin <bitrate> <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>

    nobandlimin <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>

    Commands are applied to all services. Imagine bandwidth filters as a series of
    pipes. Bitrate is a pipe’s width and ACLs controls the flow thorugh this pipe.

      bandlimin 57600 * 192.168.10.16
      bandlimin 57600 * 192.168.10.17
      bandlimin 57600 * 192.168.10.18
      bandlimin 57600 * 192.168.10.19
    

    Create 4 separete pipes for 4 client with emulation of modem connection.

      bandlimin 57600 * 192.168.10.16/30
    

    Create single pipe for all 4 clients. That is 4 clients share modem connection.
    In this example:

      nobandlimin * * * 110
      bandlimin 57600 * 192.168.10.16/32
    

    mail traffic from POP3 servers bypasses the pipe and has no bandwidth
    limitation.

  • How to limit traffic amount


    counter <filename> <type> <reportpath>

    countin <number> <type> <amount> <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>

    nocountin <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>

    countout <number> <type> <amount> <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>

    nocountout <userlist> <sourcelist> <targetlist> <targetportlist> <commandlist>

    You can set traffic limit per day (D), week (W), month (M), year (Y) or
    absolute (‘N’), as specified by ‘type’ argument of counterin command.
    Traffic information is stored in binary file specified by ‘filename’ argument.
    countersutil utility can be used to manage this file.
    reportpath specifies location of text reports, type parameter of ‘counter’
    command controls how often text reports are created. amount is amount of
    allowed traffic in Megabytes (MB). nocountin allows you to set exclusions.

  • How to fix incorrect traffic accounting

    3proxy accounts protocol level traffic. Provider counts channel or IP-level traffic with network and transport headers. In additions, 3proxy doesn’t counts DNS resolutions, pings, floods, scans, etc. It makes approx. 10% of difference. That’s why you should have 15% reserve if you use 3proxy to limit your traffic. If difference with your provider is significantly above 10% you should look for traffic avoiding proxy server, for example connections through NAT, traffic originated from the host with proxy installed, traffic from server applications, etc.

  • How to configure name resolution and DNS caching

    For name resolution and caching use commands nserver, nscache / nscache6 and nsrecord.

      nserver 192.168.1.2
      nserver 192.168.1.3:5353/tcp

    sets DNS resolvers. 192.168.1.3 will be used via TCP/5353 (instead of default UDP/53)
    only if 192.168.1.2 fails. Up to 5 nservers may be specified.
    If no nserver is configured, default system name resolution functions are used.

      nscache 65535
      nscache6 65535

    sets name cache size for IPv4 and IPv6. Name cache must be large enouth, if presents.
    name cache is only used if nserver is configured.

      nsrecord server.mycompany.example.com 192.168.1.1
      nsrecord www.porno.com 127.0.0.2
      ...
      deny * * 127.0.0.2

    adds static nsrecords. Also, static nsrecords are used for dnspr, unless -s option is specified.
    Since 0.8 version, parent proxy may be configured for dnspr.

  • How to use IPv6

    IPv6 is supported since 0.8. Please note, some proxy protolos, e.g. SOCKSv4,
    do not support IPv6. SOCKSv5 supports IPv6 with special request type (must be
    implemented by client).

    3proxy supports proxying from IPv4 and IPv6 networks to IPv4,
    IPv6 and mixed networks. IPv6 address may be used in
    internal, external, parent commands, ACLs, -i and -e options,etc.
    external command and -e options may be given twice for each service — once with IPv4
    and once with IPv6 address. internal can be given only once, to bind to all IPv4 and
    IPv6 addresses use [0:0:0:0:0:0:0:0] or [::].

    Any service may be configured with -4, -46, -64, -6 options to specify decied
    priority for name to IPv4/IPv6 address resolution (IPv4 only, IPv4 priority,
    IPv6 priority, IPv6 only).

  • How to use connect back

    In example, users needs access from external network to proxy server located
    on the host 192.168.1.2. This host can not be accessed from external network,
    but it has access to external network with with external address 1.1.1.1.
    Also, user has access to the host 2.2.2.2 (IP address may be dynamic) with
    hostname host.dyndns.example.org via external network. User needs 2 instances
    of 3proxy, first one on the host 192.168.1.2 with config

      users user:CL:password
      auth strong
      allow user
      proxy -rhost.dyndns.example.org:1234

    second one on the host.dyndns.example.org (2.2.2.2) with config

      auth iponly
      allow * * 1.1.1.1
      tcppm -R0.0.0.0:1234 3128 1.1.1.1 3128

    For browser settings proxy is host.dyndns.example.org:3128.

  • eoksum

    3Proxy on Windows Server 2012 R2 — Failed to create service: No error

    Hi there

    I tried installing 3Proxy as service and enabling it on Windows Server 2012 64 bit (Shell as PowerShell) but I keep getting this error below:

    PS C:UsersAdministratorDesktop3probin64> .3proxy.exe —install C:UsersAdministratorDesktop3pro3proxy.cfg
    Failed to create service: No error
    PS C:UsersAdministratorDesktop3probin64>

    I need to use this as IPv6 proxy for my /32 range please help

    Thank you

    z3APA3A

    https://3proxy.ru/faqe.asp

    Q: Why doesn’t 3proxy work as service under Windows?
    Possible reasons:

    there are relative paths in configuration file for included files, log files, etc. Always use absolute paths. For example $"c:3proxynetworks.local" instead of $networks.local. For debugging remove 'service' and 'daemon', log to stdout an try to execute 3proxy from command line from some different directory (for example from disk root).
    SYSTEM account doesn't have access to executable file, configuration files, log files, etc.
    configuration files is not located in default path (3proxy.cfg in same location with 3proxy.exe). For alternative configuration file location use
    
    3proxy --install full_path_to_configuration_file
    
    user has no rights to install or start service
    service is already installed and/or started 
    

    Service with SYSTEM account can not access C:UsersAdministrator

    unoexperto

    I have same problem folks. I tried it on Win 7 and Win 10. What am I missing ?

    C:Program Files (x86)3proxybin64>3proxy --install "C:Program Files (x86)3proxybin643proxy.cfg"
    Failed to create service: No error
    

    z3APA3A

    There are few possible reason:

    1. You are not using elevated privileges. Run 3proxy —install from command prompt with elevated privileges.
    2. 3proxy service is alreadt installed

    Установлен 3proxy-0.6

    [root@AltLinux ~]# chkconfig 3proxy --list
    3proxy          0:off   1:off   2:on    3:on    4:on    5:on    6:off
    Однако (при свежеперезагуженной системе):

    [root@AltLinux ~]# service 3proxy status
    3proxy is dead, but stale PID file exists
    Причём, если  при этом сделать:

    [root@AltLinux ~]# 3proxy & то пользователи в и-нет выходят, трафик считается — красота не земная.
    Подскажите пожалуйста, что изменить/поправить или что почитать на эту тему?

    2.6.30-std-def-alt15, 5.1/branch
    Был установлен и снесён alterator-squid с зависимостями. Может, от них какие-то «хвосты» мешают?


    Записан


    Вы читали README к пакету? Конфигурационный файл под себя корректировали?


    Записан


    Спасибо за оперативный ответ.

    Вы читали README к пакету?

    До этого — нет, не читал. (~ год назад ставил на 4.1 — заработало сразу)
    Прочитал. Ничего не понял. Буду разбираться.

    Конфигурационный файл под себя корректировали?

    3proxy.conf ? Да, конечно. Он ещё не окончательный, но вполне рабочий.
    1.5 месяца назад перешли с usergate на 3proxy под win с целью перевести шлюз на Alt c 3proxy максимально прозрачно для пользователей.


    Записан


    Установлен 3proxy-0.6
    [root@AltLinux ~]# chkconfig 3proxy --list
    3proxy          0:off   1:off   2:on    3:on    4:on    5:on    6:off
    Однако (при свежеперезагуженной системе):
    [root@AltLinux ~]# service 3proxy status
    3proxy is dead, but stale PID file exists
    Причём, если  при этом сделать:
    [root@AltLinux ~]# 3proxy & то пользователи в и-нет выходят, трафик считается — красота не земная.
    Подскажите пожалуйста, что изменить/поправить или что почитать на эту тему?

    2.6.30-std-def-alt15, 5.1/branch
    Был установлен и снесён alterator-squid с зависимостями. Может, от них какие-то «хвосты» мешают?

    Раз уж пошел разговор про этот прокси, хочу сразу спросить:

    1. Нужно ли удалять squid?
    2. Как установить 3proxy? Есть какие то инструкции? Мог бы установить его из репозитория, но там старая версия.


    Записан


    Раз уж пошел разговор про этот прокси, хочу сразу спросить:

    1. Нужно ли удалять squid?
    2. Как установить 3proxy? Есть какие то инструкции? Мог бы установить его из репозитория, но там старая версия.

    1 Уже уверен, что не обязательно, главное, что бы squid и 3proxy слушали разные порты. Но для «научиться» лучше ставить на чистой
    машине.
    2 Установка стандартная: apt-get install 3proxy  :D Толковая инструкция: http://bozza.ru/art-94.html Я понял.  :)
    Для «научиться» подойдёт версия из любого ALT-овского репозитория, для «работать» можно и на 5.1 перейти, ну или у автора с сайта взять, скомпилировать. ( я попробовал, просто для тренировки, получилось :)   )

    Всё вышеизложенное — ИМХО  ;)


    Записан


    …. скомпилировать. ( я попробовал, просто для тренировки, получилось :)   )

    Скомпилировать… это пока не для меня.

    А если просто выключить squid не удаляя его? Это же будет тоже самое.

    У меня как раз сервак для тестов. Чистый.


    Записан


    /etc/init.d/squid stop
    Остановит демон
    update-rc.d -f squid remove
    удалит автозагрузку демона.


    Записан


    /etc/init.d/squid stop
    Остановит демон
    update-rc.d -f squid remove
    удалит автозагрузку демона.

    Пожалуйста, не давайте советов, актуальных для Debian!

    [root@c249 sample]# update-rc.d
    -bash: update-rc.d: command not found
    Правильный способ выключения автозапуска службы Squid в ALT Linux:

    chkconfig squid off


    Записан

    Андрей Черепанов (cas@)


    Правильный способ выключения автозапуска службы Squid в ALT Linux:

    Ага. Спасибо. Поставил 3proxy. Попутно разобрался с тем, что такое уровни, как запускаютсяперезапускаются демоны, разобрался с командой netstat ))

    Прокси прослушивает внутренний интерфейс 192.168.0.100 и порт на нем 3128. Выставляю настройки прокси в браузере на клиенте, а запрос авторизации не появляется. Что не так?

    Пингуется 192.168.0.1 нормально.
    Конфиг оставил по умолчанию, только поменял IP внутреннего интерфейса.


    Записан


    Прокси прослушивает внутренний интерфейс 192.168.0.100 и порт на нем 3128. Выставляю настройки прокси в браузере на клиенте, а запрос авторизации не появляется. Что не так?

    Читайте документацию по выставлению режима авторизации на прокси. Скорее всего, выставлено «без аутентификации».


    Записан

    Андрей Черепанов (cas@)


    Приверил весь конфиг. Действительно, не была включена авторизация. Поменял значение на strong, но это не особо помогло.


    Записан


    попробуй так (от рута):

    service 3proxy stop
    3proxy &
    Должно получиться. И придём к тому с чего начали: «3proxy не работает как сервис»  :(

    to ruslandh
    В README-ALT.UTF8 говорится о altbag #11942, но он на https://bugzilla.altlinux.org/ имеет статус CLOSED FIXED
    Тем не менее заменил в /etc/sysconfig/3proxy USER=_3proxy на USER=root
    Как и ожидалось, это не помогло.
    Как отсутствовал инет при «service 3proxy start» так и отсутствует.
    Как от появлялся при «service 3proxy stop | 3proxy &» так и появляется.
    Вешать баг?


    Записан


    Вешайте конечно. А в Сизифе не более новая версия? Может там уже нет этой баги (просто цейтнот самому взглянуть)?


    Записан


    А у меня, кстати, нормально встал 3proxy. В репозитории оказалась свежая версия. Установился, запустился он нормально.


    Записан



    Записан


    • Печать

    Страницы: [1] 2  Все   Вниз

    Тема: 3proxy проблема на старте  (Прочитано 3145 раз)

    0 Пользователей и 1 Гость просматривают эту тему.

    Оффлайн
    gajet

    Всем привет!

    Помогите разобраться вот в чём. При старте 3proxy на одном из серверов у меня возникает следующие:

    root@pr2:/usr/local/etc/3proxy/bin# /etc/init.d/proxy start
    Starting 3Proxy
    /etc/init.d/proxy: 14: /etc/init.d/@@#*!: /*sr/local/etc/3proxy/bin/3proxy: not found

    Так получилось, что у меня 3 сервера с проксёй под разные нужды, установка на всех трёх была идентична, но на последнем произошла ошибка.

    Подскажите в какую сторону начинать рыть. Спасибо.


    Оффлайн
    fisher74

    cat /etc/init.d/proxy Особое внимание на 14 строку


    Оффлайн
    gajet

    cat /etc/init.d/proxy Особое внимание на 14 строку

    в том то и дело что в 14:

    /usr/local/etc/3proxy/bin/3proxy /usr/local/etc/3proxy/3proxy.cfg
    Но все права и пути перепроверял много раз с учётом мониторинга в cfg других файлов, ошибки там никакой нет.


    Оффлайн
    Karl500

    Вы именно cat’ом получили эту 14-ю строку? Или посмотрели в редакторе, в котором и создавали файл?


    Оффлайн
    fisher74

    Ну и чтобы ускорить решение проблемы показывайте выхлоп
    ls -l /usr/local/etc/3proxy/bin/3proxy


    Оффлайн
    gajet

    Вы именно cat’ом получили эту 14-ю строку? Или посмотрели в редакторе, в котором и создавали файл?

    да «cat»ом

    Ну и чтобы ускорить решение проблемы показывайте выхлоп
    ls -l /usr/local/etc/3proxy/bin/3proxy

    root@pr2:/# ls -l /usr/local/etc/3proxy/bin/3proxy
    -rwxr-xr-x 1 root root 504816 Oct  3  2011 /usr/local/etc/3proxy/bin/3proxy
    готово.


    Оффлайн
    gajet

    Ни у кого нет идей?

    Может есть возможность списаться со мной в скайпе и помочь решить проблему, что называется в онлайне?
    skype: gajet_stream


    Оффлайн
    fisher74

    А какие могут быть идеи, гадая на кофейной гуще. Хотя бы покажите содержимое /etc/init.d/proxy

    cat /etc/init.d/proxy


    Оффлайн
    andwer07

    А может бинарник не той архитектуры? Исполняемый файл для i386 на x64 не запускается, тоже пишет file not found (притом, что файл существует и имеет соответствующие права).


    rapidsp


    Оффлайн
    AnrDaemon

    rapidsp, в сопливом детстве на такие заявления было принято говорить «а за базар ответишь?»
    Там же, кстати, есть и родной форум, на котором отвечают разработчики.

    Хотите получить помощь? Потрудитесь представить запрошенную информацию в полном объёме.

    Прежде чем [Отправить], нажми [Просмотр] и прочти собственное сообщение. Сам-то понял, что написал?…


    rapidsp

    « Последнее редактирование: 19 Ноября 2013, 00:38:51 от rapidsp »


    Оффлайн
    AnrDaemon

    А дата выхода procmail v3.22 2001/09/10. И?…

    Хотите получить помощь? Потрудитесь представить запрошенную информацию в полном объёме.

    Прежде чем [Отправить], нажми [Просмотр] и прочти собственное сообщение. Сам-то понял, что написал?…


    Оффлайн
    gajet

    Тек попробуем по порядку.

    1) В версии там разницы нет только для винды есть разница между x86 и x64. В первый момент я так и подумал, так как система х64, но после откинул сомнения.
    2) rapidsp — прошу прощения но не неси чепухи, проект жив. Моё мнение, что данный проксик даст прикурить многим.
    3) fisher74 Спасибо большое. Я крайне извеняюсь что не ответил раньше. Занимался решением вопроса.

    root@pr2:~# cat /etc/init.d/proxy
    #!/bin/sh
    #
    # chkconfig: 2345 20 80
    # description: 3proxy tiny proxy server
    #
    #
    #
    #

    case "$1" in
       start)
           echo Starting 3Proxy

           /usr/local/etc/3proxy/bin/3proxy /usr/local/etc/3proxy/3proxy.cfg

           RETVAL=$?
           echo
           [ $RETVAL ]
           ;;

       stop)
           echo Stopping 3Proxy
           if [ /usr/local/etc/3proxy/3proxy.pid ]; then
                   /bin/kill `cat /usr/local/etc/3proxy/3proxy.pid`
           else
                   /usr/bin/killall 3proxy
           fi

           RETVAL=$?
           echo
           [ $RETVAL ]
           ;;

       restart|reload)
           echo Reloading 3Proxy
           if [ /usr/local/etc/3proxy/3proxy.pid ]; then
                   /bin/kill -s USR1 `cat /usr/local/etc/3proxy/3proxy.pid`
           else
                   /usr/bin/killall -s USR1 3proxy
           fi
           ;;

       *)
           echo Usage: $0 "{start|stop|restart}"
           exit 1
    esac


    З.Ы. В целом я нашёл решение, но оно немного неказистое поэтому хотелось бы решить вопрос со стандартной установкой. Спасибо всем.


    Оффлайн
    AnrDaemon

    Если проблема в стартап скрипте — попробуй мой.
    Линк на демона должен быть в /usr/sbin/3proxy
    Конфиг — /etc/3proxy/3proxy.conf


    Пользователь решил продолжить мысль 21 Ноября 2013, 13:26:52:


    2) rapidsp — прошу прощения но не неси чепухи, проект жив. Моё мнение, что данный проксик даст прикурить многим.

    Как только научится не тормозить на открытии сокетов — так сразу даст.

    Хотите получить помощь? Потрудитесь представить запрошенную информацию в полном объёме.

    Прежде чем [Отправить], нажми [Просмотр] и прочти собственное сообщение. Сам-то понял, что написал?…


    • Печать

    Страницы: [1] 2  Все   Вверх

    Понравилась статья? Поделить с друзьями:
  • Failed to start playback netsdk returns error
  • Failed to start openbsd secure shell server как исправить
  • Failed to start nginx high performance web server как исправить
  • Failed to start lenovo driver error code 2148204812
  • Failed to start ista please make sure your ista configuration is valid как исправить