{ "id": "b8a78822-abdd-446c-926f-ac9edd25bd33", "created_at": "2026-04-06T00:21:12.625464Z", "updated_at": "2026-04-10T13:11:47.555247Z", "deleted_at": null, "sha1_hash": "0232de184c6177c2b0960a07ebd538e9b4d669de", "title": "GitHub - snail007/goproxy: ?????? Proxy is a high performance HTTP(S) proxies, SOCKS5 proxies,WEBSOCKET, TCP, UDP proxy server implemented by golang. Now, it supports chain-style proxies,nat forwarding in different lan,TCP/UDP port forwarding, SSH forwarding.Proxy是golang实现的高性能http,https,websocket,tcp,socks5代理服务器,支持内网穿透,链式代理,通讯加密,智能HTTP,SOCKS5代理,黑白名单,限速,限流量,限连接数,跨平台,KCP支持,认证API。", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1379041, "plain_text": "GitHub - snail007/goproxy: 🔥 Proxy is a high performance HTTP(S)\r\nproxies, SOCKS5 proxies,WEBSOCKET, TCP, UDP proxy server\r\nimplemented by golang. Now, it supports chain-style proxies,nat\r\nforwarding in different lan,TCP/UDP port forwarding, SSH\r\nforwarding.Proxy是golang实现的高性能http,https,websocket,tcp,socks5\r\n代理服务器,支持内网穿透,链式代理,通讯加密,智能HTTP,SOCKS5代理,\r\n黑白名单,限速,限流量,限连接数,跨平台,KCP支持,认证API。\r\nBy snail007\r\nArchived: 2026-04-05 19:22:35 UTC\r\nGOPROXY Introduction\r\nssttaabbllee ssttaabbllee\r\n lliicceennssee GGPPLL--33..00 ddoowwnnllooaaddss 4 6 k rreelleeaassee v15.2\r\nThe GoProxy is a high-performance http proxy, https proxy, socks5 proxy, ss proxy, websocket proxies, tcp proxies, udp\r\nproxies, game shield, game proxies. Support forward proxies, reverse proxy, transparent proxy, internet nat proxies, https\r\nproxy load balancing, http proxy load balancing , socks5 proxies load balancing, socket proxy load balancing, ss proxy load\r\nbalancing, TCP / UDP port mapping, SSH transit, TLS encrypted transmission, protocol conversion, anti-pollution DNS\r\nproxy, API authentication, speed limit, limit connection. Reverse proxies to help you expose a local server behind a NAT or\r\nfirewall to the internet so that you or your visitors can access it directly and easily.\r\n中文用户请看 中文说明,中文与英文内容的安装等资源链接是不一样的,谢谢合作!\r\nOfficial Website\r\n官方网站\r\n点击我观看视频教程\r\n中文 README\r\n使用手册\r\n下载地址\r\nDownload\r\nDesktop Edition\r\nhttps://github.com/snail007/goproxy\r\nPage 1 of 60\n\nAndroid Global Edition\r\nAndroid Server Edition\r\nSDK\r\nGORPOXY Manual\r\nGORPOXY Tutorial\r\nFree version VS commercial version\r\nProxyAdmin Demo\r\nAnd ProxyAdmin is a powerful web console of snail007/goproxy .\r\nWhat can it do?\r\nChained proxies, the program itself can be used as an proxies, and if it is set up, it can be used as a secondary proxies\r\nor even an N-level proxies.\r\nCommunication encryption, if the program is not a level one proxies, and the upper level proxies is also the program,\r\nthen the communication between the upper level proxies and the upper level proxies can be encrypted, and the\r\nunderlying tls high-intensity encryption is used, and the security is featureless.\r\nSmart HTTP, SOCKS5 proxy, will automatically determine whether the visited website is blocked. If it is blocked, it\r\nwill use the upstream proxies (provided that the upstream proxies is configured) to access the website; if the visited\r\nwebsite is not blocked, in order to speed up the access, the proxies will Direct access to the website without using a\r\nupstream proxies.\r\nDomain name black and white list, more free to control the way the website is accessed.\r\nCross-platform, whether you are windows, linux, mac, or even raspberry pie, you can run the proxy very well.\r\nMulti-protocol support, support for HTTP(S), TCP, UDP, Websocket, SOCKS5 proxy.\r\nTCP/UDP port forwarding.\r\nSupport intranet penetration, protocol supports TCP and UDP.\r\nSSH relay, HTTP (S), SOCKS5 proxy supports SSH relay, the upper Linux server does not need any server, a local\r\nproxy can be happy online.\r\nhttps://github.com/snail007/goproxy\r\nPage 2 of 60\n\nKCP protocol support, HTTP(S), SOCKS5, SPS proxy supports KCP protocol to transmit data, reduce latency and\r\nimprove browsing experience.\r\nDynamic selection of upstream proxies, through the external API, HTTP (S), SOCKS5, SPS proxies can achieve\r\nuser-based or IP-based speed limit, connection limit, dynamic access to upstream.\r\nFlexible upstream allocation, HTTP(S), SOCKS5 proxy can implement user- or IP-based speed limit, connection\r\nlimit, and upper-level through configuration files.\r\nTransparent HTTP (S) proxy, in conjunction with iptables, forwards the outgoing 80, 443 traffic directly to the proxy\r\nat the gateway, enabling non-aware intelligent router proxy.\r\nProtocol conversion, which can convert existing HTTP(S) or SOCKS5 or SS proxy into one port and support\r\nHTTP(S) and SOCKS5 and SS proxy at the same time. Converted SOCKS5 and SS proxy. If the upstream is\r\nSOCKS5 proxy, then UDP is supported. Features while supporting powerful cascading authentication.\r\nCustom underlying encrypted transmission, http(s)\\sps\\socks proxy can encrypt tcp data via tls standard encryption\r\nand kcp protocol on top of tcp, in addition to support custom encryption after tls and kcp, that is Said custom\r\nencryption and tls|kcp can be used in combination, the internal AES256 encryption, you only need to define a\r\npassword when you use it.\r\nUnderlying compression efficient transmission, http(s)\\sps\\socks proxy can encrypt tcp data through custom\r\nencryption and tls standard encryption and kcp protocol on tcp, and can also compress data after encryption, that is,\r\ncompression function And custom encryption and tls|kcp can be used in combination.\r\nSecure DNS proxy, which can secure and prevent pollution DNS queries through encrypted proxy communication\r\nbetween the DNS proxy server provided by the local proxy and the upstream proxy.\r\nLoad balancing, high availability, HTTP(S)\\SOCKS5\\SPS proxies supports upstream load balancing and high\r\navailability, and multiple upstream repeat-P parameters can be used.\r\nSpecify the egress IP. The HTTP(S)\\SOCKS5\\SPS\\TCP proxy supports the client to connect with the ingress IP, and\r\nuses the ingress IP as the egress IP to access the target website. If the ingress IP is an intranet IP, the egress IP does\r\nnot use the ingress IP.\r\nSupport speed limit, HTTP(S)\\SOCKS5\\SPS\\TCP proxy supports speed limit.\r\nSOCKS5 proxies supports cascading certification.\r\nThe certificate parameter uses base64 data. By default, the -C, -K parameter is the path of the crt certificate and the\r\nkey file. If it is the beginning of base64://, then the latter data is considered to be base64 encoded and will be used\r\nafter decoding.\r\nSupport client IP black and white list, more secure control of client access to proxy service, if black and white list is\r\nset at the same time, then only whitelist is effective. Socks / HTTP(S) / SPS / TCP / UDP / DNS / intranet NAT The\r\nbridge/intranet NAT the tbridge and supports the client IP black and white list.\r\nRange ports listen on, HTTP(S)\\SOCKS5\\SPS\\TCP proxy supports port range listening, avoiding starting too many\r\nprocesses and improving performance.\r\nWhy do you need it?\r\nWhen for some reason we are unable to access our services elsewhere, we can establish a secure tunnel to access our\r\nservices through multiple connected proxy nodes.\r\nWeChat interface is developed locally for easy debugging.\r\nRemote access to intranet machines.\r\nPlay LAN games with your friends.\r\nI used to play only on the LAN, and now I can play anywhere.\r\nReplace the sword inside Netnet, show IP internal Netcom, peanut shell and other tools.\r\n..\r\nThe manual on this page applies to the latest version of goproxy. Other versions may not be applicable. Please use the\r\ncommand according to your own instructions.\r\nhttps://github.com/snail007/goproxy\r\nPage 3 of 60\n\nJoining the organization\r\nClick to join the Telegram\r\nDownload and install\r\nQuick installation\r\n0. If your VPS is a Linux 64-bit system, you only need to execute the following sentence to complete the automatic\r\ninstallation and configuration.\r\nTip: All operations require root privileges.\r\nThe free version performs this:\r\nbash -c \"$(curl -s -L https://raw.githubusercontent.com/snail007/goproxy/master/install_auto.sh)\"\r\nThe commercial version performs this:\r\nbash -c \"$(curl -s -L https://raw.githubusercontent.com/snail007/goproxy/master/install_auto_commercial.sh)\"\r\nThe installation is complete, the configuration directory is /etc/proxy. For more detailed usage, please refer to the manual\r\ndirectory above to learn more about the features you want to use. If the installation fails or your vps is not a linux64-bit\r\nsystem, follow the semi-automatic steps below to install:\r\nManual installation\r\n1. Download the proxy\r\nDownload address: https://github.com/snail007/goproxy/releases/latest\r\nLet's take v7.9 as an example. If you have the latest version, please use the latest version of the link. Note that the version\r\nnumber in the download link below is the latest version number.\r\nThe free version performs this:\r\ncd /root/proxy/\r\nwget https://github.com/snail007/goproxy/releases/download/v7.9/proxy-linux-amd64.tar.gz\r\nThe commercial version performs this:\r\ncd /root/proxy/\r\nwget https://github.com/snail007/goproxy/releases/download/v7.9/proxy-linux-amd64_commercial.tar.gz\r\n2. Download the automatic installation script\r\nThe free version performs this:\r\ncd /root/proxy/\r\nwget https://raw.githubusercontent.com/snail007/goproxy/master/install.sh\r\nhttps://github.com/snail007/goproxy\r\nPage 4 of 60\n\nchmod +x install.sh\r\n./install.sh\r\nThe commercial version performs this:\r\ncd /root/proxy/\r\nwget https://raw.githubusercontent.com/snail007/goproxy/master/install_commercial.sh\r\nchmod +x install_commercial.sh\r\n./install_commercial.sh\r\nUPDATE\r\nproxy update use mirror to download, if your update has error with mirror, you can set an environment variable\r\nUPDATE_MIRROR=false\r\nWindows: set UPDATE_MIRROR=false then proxy update\r\nLinux: export UPDATE_MIRROR=false then proxy update\r\nLinux\r\nForce update.\r\nWindows\r\nFor example proxy placed in c:\\gp\\proxy .\r\nForce update.\r\nc:\\\r\ncd gp\r\nproxy update -f\r\nLicense\r\nProxy is licensed under GPLv3 license.\r\nContact\r\nOfficial Telegram Group: goproxy\r\nSource code declaration\r\nThe author of this project found that a large number of developers based on the project for secondary development or using a\r\nlarge number of core code of the project without complying with the GPLv3 agreement, which seriously violates the original\r\nintention of using the GPLv3 open source agreement in this project. In view of this situation, the project adopts the source.\r\nThe code delays the release strategy, to a certain extent, to curb these behaviors that do not respect open source and do not\r\nrespect the labor results of others. This project will continue to update the iterations and continue to release the full platform\r\nbinary program, providing you with powerful and convenient proxies tools. If you have customized, business needs, please\r\nsend an email to arraykeys@gmail.com\r\nGoproxy Manual\r\nhttps://github.com/snail007/goproxy\r\nPage 5 of 60\n\nHow to Install\r\n1. Linux Install\r\nclick me get Linux installation\r\n2. MacOS Install\r\nclick me get MacOS installation\r\n3. Windows Install\r\nclick me get Windows installation\r\n4. Others Install\r\nclick me get Windows installation\r\nPurchase Commercial Edition\r\nThis manual describes the functions, all of which are included in the commercial version; the free version of advanced\r\nfunctional parameters such as authentication is not included;\r\nIf you encounter some commands when you use the free version to execute some commands, a prompt similar to the\r\nfollowing xxx parameter does not exist, indicating that this parameter is a function of the commercial version.\r\nerr: unknown long flag '-a'\r\nComparison between the features of the free version and the commercial version, detailed operations on how to purchase\r\nand use the commercial version please click here to view\r\nFirst Start\r\n1. Environment\r\nThe manual tutorial, the default system is linux, the program is proxy; all operations require root privileges;\r\nIf you are windows, please use the windows version of proxy.exe.\r\n2. Using configuration files\r\nThe next tutorial will introduce the usage method through the command line parameters, or you can get the parameters by\r\nreading the configuration file.\r\nThe specific format is to specify the configuration file by the @ symbol, for example: proxy @configfile.txt\r\nThe format in configfile.txt is that the first line is the name of the subcommand, and the second line starts with one\r\nparameter per line.\r\nFormat: parameter Parameter value , direct write parameter without parameter value, for example: --nolog\r\nFor example, the contents of configfile.txt are as follows:\r\nHttp\r\n-t tcp\r\nhttps://github.com/snail007/goproxy\r\nPage 6 of 60\n\n-p :33080\r\n--forever\r\n3. Debug output\r\nBy default, the information output by the log does not include the number of file lines. In some cases, in order to\r\ntroubleshoot the program, the problem is quickly located.\r\nYou can use the --debug parameter to output the number of lines of code and milliseconds.\r\n4. Using log files\r\nBy default, the log is displayed directly in the console. If you want to save to a file, you can use the --log parameter.\r\nFor example: --log proxy.log, the log will be output to the proxy.log to facilitate troubleshooting.\r\nLogging INFO and WARN by default, you can set --warn to output warn logging only.\r\n5. Generate the certificate file required for encrypted communication\r\nThe http, tcp, udp proxy process communicates with the upstream. For security, we use encrypted communication. Of\r\ncourse, we can choose not to encrypt the communication. All the communication and the upstream communication in this\r\ntutorial are encrypted, and the certificate file is required.\r\n1. Generate a self-signed certificate and key file with the following command.\r\nproxy keygen -C proxy\r\nThe certificate file proxy.crt and the key file proxy.key will be generated under the current program directory.\r\n2. Use the following command to generate a new certificate using the self-signed certificate proxy.crt and the key file\r\nproxy.key: goproxy.crt and goproxy.key.\r\nproxy keygen -s -C proxy -c goproxy\r\nThe certificate file goproxy.crt and the key file goproxy.key will be generated under the current program directory.\r\n3. By default, the domain name inside the certificate is random and can be specified using the -n test.com parameter.\r\n4. More usage: proxy keygen --help .\r\n6. Running in the background\r\nAfter the proxy is executed by default, you cannot close the command line if you want to keep the proxy running.\r\nIf you want to run the proxy in the background, the command line can be closed, just add the --daemon parameter at the end\r\nof the command.\r\nFor example:\r\nproxy http -t tcp -p \"0.0.0.0:38080\" --daemon\r\n7. Guardian running\r\nThe daemon runs the parameter --forever, for example: proxy http --forever ,\r\nThe proxy will fork the child process, and then monitor the child process. If the child process exits abnormally, restart the\r\nchild process after 5 seconds.\r\nhttps://github.com/snail007/goproxy\r\nPage 7 of 60\n\nThis parameter is matched with the background running parameter --daemon and log parameter --log, which can guarantee\r\nthat the proxy will always execute in the background without accidentally exiting.\r\nAnd you can see the output log content of the proxy through the log file.\r\nFor example: proxy http -p \":9090\" --forever --log proxy.log --daemon\r\n8. Security advice\r\nWhen the VPS is behind the nat device, the vps network interface IP is the intranet IP. At this time, you can use the -g\r\nparameter to add the vps external network ip to prevent the infinite loop.\r\nSuppose your vps external network ip is 23.23.23.23. The following command sets 23.23.23.23 with the -g parameter.\r\nproxy http -g \"23.23.23.23\"\r\n9. Load balancing and high availability\r\nThe HTTP(S)\\SOCKS5\\SPS proxy supports upper-level load balancing and high availability, and multiple upstream repeat-P\r\nparameters can be used.\r\nThe load balancing policy supports five types, which can be specified by the --lb-method parameter:\r\nRoundrobin used in turn\r\nLeastconn uses the minimum number of connections\r\nLeasttime uses the least connection time\r\nHash uses a fixed upstream based on the client address\r\nWeight Select a upstream according to the weight and number of connections of each upstream\r\nprompt:\r\n1. The load balancing check interval can be set by --lb-retrytime in milliseconds.\r\n2. The load balancing connection timeout can be set by --lb-timeout in milliseconds.\r\n3. If the load balancing policy is weight, the -P format is: 2.2.2.2: 3880?w=1, where 1 is the weight and an integer\r\ngreater than 0.\r\n4. If the load balancing policy is hash, the default is to select the upstream based on the client address. You can select\r\nthe upstream by using the destination address of the access --lb-hashtarget .\r\n5. The TCP proxies has no parameter --lb-hashtarget .\r\n6. Default is load balancing + high availability mode. If the parameter --lb-onlyha is used, only the high availability\r\nmode is used, then a node is selected according to the load balancing strategy, and this node will be used until it is not\r\nalive, then another node will be selected for using, thus cycling.\r\n7. If the all nodes are not alive, a random node will be selected for using.\r\n10. Agent springboard jump\r\nHttp (s) agent, SPS agent, intranet penetration, tcp agent support the connection of upstreams through intermediate third-party agents,\r\nhttps://github.com/snail007/goproxy\r\nPage 8 of 60\n\nThe parameters are: --jumper, all the formats are as follows:\r\nhttp://username:password@host:port\r\nhttp://host:port\r\nhttps://username:password@host:port\r\nhttps://host:port\r\nsocks5://username:password@host:port\r\nsocks5://host:port\r\nsocks5s://username:password@host:port\r\nsocks5s://host:port\r\nss://method:password@host:port\r\nHttp,socks5 represents the normal http and socks5 proxy.\r\nHttps,socks5s represents the http and socks5 agents protected by tls.\r\nThat is http proxy over TLS, socks over TLS.\r\n11. Domain Name Black and White List\r\nThe socks/http(s)/sps proxy supports domain name black and white lists.\r\nUse the --stop parameter to specify a domain name blacklist file, then the connection will be disconnected when the user\r\nconnects these domains in the file.\r\nSpecify a domain name whitelist file with the --only parameter, then the connection will be disconnected when the user\r\nconnects to a domain other than those domains in the file.\r\nIf both --stop and --only are set, then only --only will work.\r\nThe format of the black and white domain name list file is as follows:\r\n**.baidu.com\r\n*.taobao.com\r\nA.com\r\n192.168.1.1\r\n192.168.*.*\r\n?.qq.com\r\nDescription:\r\n1. One domain name per line, domain name writing supports wildcards * and ? , * represents any number of\r\ncharacters, ? represents an arbitrary character,\r\n2. **.baidu.com Matches no matter how many levels all suffixes are ..baidu.com`.\r\n3. *.taobao.com The matching suffix is the third-level domain name of .taobao.com .\r\n4. It can also be an IP address directly.\r\n5. # at the beginning of the comment.\r\n12. Port Black List\r\nhttps://github.com/snail007/goproxy\r\nPage 9 of 60\n\nsocks/http(s)/sps proxy all support port blacklist.\r\nUse the --stop-port parameter to specify a port blacklist file, then when the user connects to the ports in the file, the\r\nconnection can be made.\r\nThe port blacklist file content format is as follows:\r\nNote:\r\n1. One port per line.\r\n2. The ones starting with # are comments.\r\n13. Client IP Blacklist and Whitelist\r\nsocks/http(s)/sps/tcp/udp/dns/ intranet penetration bridge/intranet penetration tbridge, support client IP black and white list.\r\nUse the --ip-deny parameter to specify a client IP blacklist list file, then the connection will be disconnected when the user's\r\nIP is in this file.\r\nUse the --ip-allow parameter to specify a client IP whitelist file, then the connection will be disconnected when the user's IP\r\nis not in the file.\r\nIf both --ip-deny and --ip-allow are set, then only --ip-allow will work.\r\nThe format of the client IP blacklist and whitelist file is as follows:\r\n192.168.1.1\r\n192.168.*.*\r\n192.168.1?.*\r\nDescription:\r\n1. One domain name per domain, domain name writing supports wildcards * and ? , * represents any number of\r\ncharacters, ? represents an arbitrary character.\r\n2. # at the beginning of the comment.\r\n14. Protocol loading file\r\nThere are many places in the proxy's various proxy functions to set a file. For example: --blocked Specifies a domain name\r\nlist file that goes directly to the upper level. The parameter value is the path of the file.\r\nIf the parameter supports the protocol loading file, the file path can be not only the file path, but also:\r\na. The base64 encoding at the beginning of \"base64://\" indicates the contents of the above file, for example:\r\nbase64://ajfpoajsdfa=\r\nb. \"str://\" at the beginning of the English comma separated multiple, such as: str://xxx, yyy\r\nThe proxy's blocked, direct, stop, only, hosts, resolve.rules, rewriter.rules, ip.allow, ip.deny files support protocol loading.\r\n15. Concurrent client connections\r\nsocks5\\sps\\http proxies, the parameter that controls the number of concurrent client connections is: --max-conns-rate ,\r\nwhich controls the maximum number of client connections per second, default: 20, 0 is unlimited\r\nhttps://github.com/snail007/goproxy\r\nPage 10 of 60\n\n16. Listen on multiple ports\r\n\"tcp / http / socks / sps\" supports listen on multiple ports and range ports. Under normal circumstances, it is sufficient to\r\nlisten on one port, but if you need to listen on multiple ports, the -p parameter is supported. The format is: -p\r\n0.0.0.0:80,0.0.0.0:443,.0.0.0.0:8000-9000,:5000-6000 , more The bindings can be separated by commas.\r\n1.1. Ordinary level HTTP proxy\r\nproxy http -t tcp -p \"0.0.0.0:38080\"\r\nListen port argument -p can be:\r\n -p \":8081\" listen on 8081\r\n -p \":8081,:8082\" listen on 8081 and 8082\r\n -p \":8081,:8082,:9000-9999\" listen on 8081 and 8082 and 9000 and 9001 to 9999, 1002 total ports\r\n1.2. Ordinary secondary HTTP proxy\r\nUse local port 8090, assuming the upstream HTTP proxy is 22.22.22.22:8080\r\nhttps://github.com/snail007/goproxy\r\nPage 11 of 60\n\nproxy http -t tcp -p \"0.0.0.0:8090\" -T tcp -P \"22.22.22.22:8080\"\r\nWe can also specify the black and white list file of the website domain name, one domain name per line, the matching rule is\r\nthe rightmost match, for example: baidu.com, the match is ..baidu.com, the blacklist domain name goes directly to the\r\nupstream agent, whitelist The domain name does not go to the upstream agent.\r\nproxy http -p \"0.0.0.0:8090\" -T tcp -P \"22.22.22.22:8080\" -b blocked.txt -d direct.txt\r\n1.3.HTTP secondary agent (encryption)\r\nNote: The proxy.crt and proxy.key used by the secondary proxy should be consistent with the primary proxy.\r\nLevel 1 HTTP proxy (VPS, IP: 22.22.22.22)\r\nproxy http -t tls -p \":38080\" -C proxy.crt -K proxy.key\r\nSecondary HTTP proxy (local Linux)\r\nproxy http -t tcp -p \":8080\" -T tls -P \"22.22.22.22:38080\" -C proxy.crt -K proxy.key\r\nThen access the local port 8080 is to access the proxy port 38080 on the VPS.\r\nSecondary HTTP proxy (local windows)\r\nproxy.exe http -t tcp -p \":8080\" -T tls -P \"22.22.22.22:38080\" -C proxy.crt -K proxy.key\r\nThen set your windos system, the proxy that needs to go through the proxy Internet program is http mode, the address is:\r\n127.0.0.1, the port is: 8080, the program can access the Internet through vps through the encrypted channel.\r\n1.4.HTTP Level 3 Agent (Encryption)\r\nhttps://github.com/snail007/goproxy\r\nPage 12 of 60\n\nLevel 1 HTTP proxy VPS_01, IP: 22.22.22.22\r\nproxy http -t tls -p \":38080\" -C proxy.crt -K proxy.key\r\nSecondary HTTP proxy VPS_02, IP: 33.33.33.33\r\nproxy http -t tls -p \":28080\" -T tls -P \"22.22.22.22:38080\" -C proxy.crt -K proxy.key\r\nLevel 3 HTTP proxy (local)\r\nproxy http -t tcp -p \":8080\" -T tls -P \"33.33.33.33:28080\" -C proxy.crt -K proxy.key\r\nThen accessing the local port 8080 is to access the proxy port 38080 on the primary HTTP proxy.\r\n1.5.Basic certification\r\nFor the proxy HTTP protocol, we can perform Basic authentication. The authenticated username and password can be\r\nspecified on the command line.\r\nproxy http -t tcp -p \":33080\" -a \"user1:pass1\" -a \"user2:pass2\"\r\nFor multiple users, repeat the -a parameter.\r\nIt can also be placed in a file in the format of a \"username:password\" and then specified with -F.\r\nproxy http -t tcp -p \":33080\" -F auth-file.txt\r\nIn addition, the http(s) proxy also integrates external HTTP API authentication. We can specify an http url interface address\r\nwith the --auth-url parameter.\r\nThen when there is a user connection, the proxy will request the url in GET mode, and bring the following four parameters.\r\nIf the HTTP status code 204 is returned, the authentication is successful.\r\nIn other cases, the authentication failed.\r\nFor example:\r\nproxy http -t tcp -p \":33080\" --auth-url \"http://test.com/auth.php\"\r\nWhen the user connects, the proxy will request the url (\"http://test.com/auth.php\") in GET mode.\r\nTake five parameters: user, pass, ip, local_ip, target:\r\nHttp://test.com/auth.php?user={USER}\u0026pass={PASS}\u0026ip={IP}\u0026local_ip={LOCAL_IP}\u0026target={TARGET}\r\nUser: username\r\nPass: password\r\nIp: User's IP, for example: 192.168.1.200\r\nLocal_ip: IP of the server accessed by the user, for example: 3.3.3.3\r\nTarget: URL accessed by the user, for example: http://demo.com:80/1.html or https://www.baidu.com:80\r\nIf there is no -a or -F or --auth-url parameter, the Basic authentication is turned off.\r\n1.6. HTTP proxy traffic is forced to go to the upper HTTP proxy\r\nhttps://github.com/snail007/goproxy\r\nPage 13 of 60\n\nBy default, the proxy will intelligently determine whether a website domain name is inaccessible. If it is not accessible, it\r\nwill go to the upper level HTTP proxy. With --always, all HTTP proxy traffic can be forced to go to the upper HTTP proxy.\r\nproxy http --always -t tls -p \":28080\" -T tls -P \"22.22.22.22:38080\" -C proxy.crt -K proxy.key\r\n1.7.HTTP(S) via SSH relay\r\nDescription: The principle of ssh transfer is to use the forwarding function of ssh, that is, after you connect to ssh, you can\r\naccess the target address through ssh proxy.\r\nSuppose there is: vps\r\nIP is 2.2.2.2, ssh port is 22, ssh username is: user, ssh user password is: demo\r\nThe user's ssh private key name is user.key\r\n1.7.1 How to ssh username and password\r\nLocal HTTP(S) proxy port 28080, executing:\r\nproxy http -T ssh -P \"2.2.2.2:22\" -u user -D demo -t tcp -p \":28080\"\r\n1.7.2 How to ssh username and key\r\nLocal HTTP(S) proxy port 28080, executing:\r\nproxy http -T ssh -P \"2.2.2.2:22\" -u user -S user.key -t tcp -p \":28080\"\r\n1.8.KCP protocol transmission\r\nhttps://github.com/snail007/goproxy\r\nPage 14 of 60\n\nThe KCP protocol requires the --kcp-key parameter to set a password for encrypting and decrypting data.\r\nLevel 1 HTTP proxy (VPS, IP: 22.22.22.22)\r\nproxy http -t kcp -p \":38080\" --kcp-key mypassword\r\nSecondary HTTP proxy (local Linux)\r\nproxy http -t tcp -p \":8080\" -T kcp -P \"22.22.22.22:38080\" --kcp-key mypassword\r\nThen access the local port 8080 is to access the proxy port 38080 on the VPS, the data is transmitted through the kcp\r\nprotocol, note that the kcp is the udp protocol, so the firewall needs to release the 380p udp protocol.\r\n1.9 HTTP(S) Reverse Proxy\r\nThe proxy not only supports the proxy setting in other software, but also provides proxy services for other software. It also\r\nsupports directly parsing the requested website domain name to the proxy listening ip, and then the proxy listens to the 80\r\nand 443 ports, then the proxy will automatically You proxy access to the HTTP(S) website you need to access.\r\nhttps://github.com/snail007/goproxy\r\nPage 15 of 60\n\nHow to use:\r\nOn the \"last level proxy proxy\" machine, because the proxy is to be disguised as all websites, the default HTTP port of the\r\nwebsite is 80, HTTPS is 443, and the proxy can listen to ports 80 and 443. Parameters -p multiple addresses with commas\r\nsegmentation.\r\nproxy http -t tcp -p :80,:443\r\nThis command starts a proxy agent on the machine, and listens to ports 80 and 443 at the same time. It can be used as a\r\nnormal proxy, or directly resolve the domain name that needs to be proxyed to the IP of this machine.\r\nIf there is a upstream agent, then refer to the above tutorial to set the upstream, the use is exactly the same.\r\nproxy http -t tcp -p :80,:443 -T tls -P \"2.2.2.2:33080\" -C proxy.crt -K proxy.key\r\nNote:\r\nThe DNS resolution result of the server where the proxy is located cannot be affected by the custom resolution, otherwise it\r\nwill be infinite loop. The proxy proxy should specify the --dns-address 8.8.8.8 parameter.\r\n1.10 HTTP(S) Transparent Proxy\r\nThis mode needs to have a certain network foundation. If the related concepts are not understood, please search for it\r\nyourself.\r\nAssuming the proxy is now running on the router, the startup command is as follows:\r\nproxy http -t tcp -p :33080 -T tls -P \"2.2.2.2:33090\" -C proxy.crt -K proxy.key\r\nThen add the iptables rule, here are the reference rules:\r\n#Upper proxy server IP address:\r\nProxy_server_ip=2.2.2.2\r\n#路由器Running port for proxy listening:\r\nProxy_local_port=33080\r\n#The following does not need to be modified\r\n#create a new chain named PROXY\r\nIptables -t nat -N PROXY\r\n# Ignore your PROXY server's addresses\r\n# It's very IMPORTANT, just be careful.\r\nIptables -t nat -A PROXY -d $proxy_server_ip -j RETURN\r\n# Ignore LANs IP address\r\nIptables -t nat -A PROXY -d 0.0.0.0/8 -j RETURN\r\nIptables -t nat -A PROXY -d 10.0.0.0/8 -j RETURN\r\nIptables -t nat -A PROXY -d 127.0.0.0/8 -j RETURN\r\nIptables -t nat -A PROXY -d 169.254.0.0/16 -j RETURN\r\nIptables -t nat -A PROXY -d 172.16.0.0/12 -j RETURN\r\nIptables -t nat -A PROXY -d 192.168.0.0/16 -j RETURN\r\nIptables -t nat -A PROXY -d 224.0.0.0/4 -j RETURN\r\nIptables -t nat -A PROXY -d 240.0.0.0/4 -j RETURN\r\n# Anything to port 80 443 should be redirected to PROXY's local port\r\nIptables -t nat -A PROXY -p tcp --dport 80 -j REDIRECT --to-ports $proxy_local_port\r\nIptables -t nat -A PROXY -p tcp --dport 443 -j REDIRECT --to-ports $proxy_local_port\r\nhttps://github.com/snail007/goproxy\r\nPage 16 of 60\n\n# Apply the rules to nat client\r\nIptables -t nat -A PREROUTING -p tcp -j PROXY\r\n# Apply the rules to localhost\r\nIptables -t nat -A OUTPUT -p tcp -j PROXY\r\nClear the entire chain iptables -F Chain names such as iptables -t nat -F PROXY\r\nDelete the specified user-defined chain iptables -X chain name such as iptables -t nat -X PROXY\r\nRemove rules from the selected chain iptables -D chain name Rule details such as iptables -t nat -D PROXY -d\r\n223.223.192.0/255.255.240.0 -j RETURN\r\n1.11 Custom DNS\r\n--dns-address and --dns-ttl parameters, used to specify the dns (--dns-address) used by the proxy to access the domain name.\r\nAnd the analysis result cache time (--dns-ttl) seconds, to avoid system dns interference to the proxy, in addition to the cache\r\nfunction can also reduce the dns resolution time to improve access speed.\r\nFor example:\r\nproxy http -p \":33080\" --dns-address \"8.8.8.8:53\" --dns-ttl 300\r\n--dns-address supports multiple dns addresses, load balancing, separated by comma. For example: --dns-address\r\n\"1.1.1.1:53,8.8.8.8:53\"\r\nYou can also use the parameter --dns-interface to specify the bandwidth used for dns resolution, for example: --dns-interface eth0 , dns resolution will use the eth0 bandwidth, this parameter must be set to --dns-address to be effective.\r\n1.12 Custom encryption\r\nThe proxy's http(s) proxy can encrypt tcp data via tls standard encryption and kcp protocol on top of tcp, in addition to\r\nsupport customization after tls and kcp.\r\nEncryption, that is to say, custom encryption and tls|kcp can be used in combination. The internal use of AES256 encryption,\r\nyou only need to define a password when you use it.\r\nEncryption is divided into two parts, one is whether the local (-z) encryption and decryption, and the other is whether the\r\ntransmission with the upstream (-Z) is encrypted or decrypted.\r\nCustom encryption requires both ends to be proxy. The following two levels and three levels are used as examples:\r\nSecondary instance\r\nExecute on level 1 vps (ip: 2.2.2.2):\r\nproxy http -t tcp -z demo_password -p :7777\r\nLocal secondary execution:\r\nproxy http -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080\r\nIn this way, when the website is accessed through the local agent 8080, the target website is accessed through encrypted\r\ntransmission with the upstream.\r\nThree-level instance\r\nExecute on level 1 vps (ip: 2.2.2.2):\r\nproxy http -t tcp -z demo_password -p :7777\r\nExecute on the secondary vps (ip: 3.3.3.3):\r\nproxy http -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888\r\nLocal three-level execution:\r\nproxy http -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080\r\nhttps://github.com/snail007/goproxy\r\nPage 17 of 60\n\nIn this way, when the website is accessed through the local agent 8080, the target website is accessed through encrypted\r\ntransmission with the upstream.\r\n1.13 Compressed transmission\r\nThe proxy http(s) proxy can encrypt tcp data through tls standard encryption and kcp protocol on top of tcp, and can also\r\ncompress data before custom encryption.\r\nThat is to say, compression and custom encryption and tls|kcp can be used in combination. Compression is divided into two\r\nparts, one part is local (-m) compression transmission.\r\nPart of it is compressed with the upstream (-M) transmission.\r\nCompression requires both sides to be proxy. Compression also protects (encrypted) data to a certain extent. The following\r\nuses Level 2 and Level 3 as examples:\r\nSecondary instance\r\nExecute on level 1 vps (ip: 2.2.2.2):\r\nproxy http -t tcp -m -p :7777\r\nLocal secondary execution:\r\nproxy http -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080\r\nIn this way, when the website is accessed through the local agent 8080, the target website is accessed through compression\r\nwith the upstream.\r\nThree-level instance\r\nExecute on level 1 vps (ip: 2.2.2.2):\r\nproxy http -t tcp -m -p :7777\r\nExecute on the secondary vps (ip: 3.3.3.3):\r\nproxy http -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888\r\nLocal three-level execution:\r\nproxy http -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080\r\nIn this way, when the website is accessed through the local agent 8080, the target website is accessed through compression\r\nwith the upstream.\r\n1.14 Load Balancing\r\nThe HTTP(S) proxy supports upper-level load balancing, and multiple upstream repeat-P parameters can be used.\r\nproxy http --lb-method=hash -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080\r\n1.14.1 Setting the retry interval and timeout time\r\nproxy http --lb-method=leastconn --lb-retrytime 300 --lb-timeout 300 -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080\r\n-P 3.1.1.1:33080 -t tcp - p :33080\r\n1.14.2 Setting weights\r\nproxy http --lb-method=weight -T tcp -P 1.1.1.1:33080?w=1 -P 2.1.1.1:33080?w=2 -P 3.1.1.1:33080?w=1 -t tcp - p\r\n:33080\r\n1.14.3 Use the target address to select the upstream\r\nproxy http --lb-hashtarget --lb-method=hash -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080 -t tcp -\r\np :33080\r\nhttps://github.com/snail007/goproxy\r\nPage 18 of 60\n\n1.15 Speed limit\r\nThe speed limit is 100K, which can be specified by the -l parameter, for example: 100K 2000K 1M . 0 means no limit.\r\nproxy http -t tcp -p 2.2.2.2:33080 -l 100K\r\n1.16 Specifying Outgoing IP\r\nThe --bind-listen parameter can be used to open the client connection with the portal IP, and use the portal IP as the\r\noutgoing IP to access the target website. If the incorrect IP is bound, the proxy will not work. At this point, the proxy will try\r\nto bind the target without binding the IP, and the log will prompt.\r\nproxy http -t tcp -p 2.2.2.2:33080 --bind-listen\r\nFlexible Outgoing IP\r\nAlthough the above --bind-listen parameter can specify the outgoing IP, the entry IP and the outgoing IP cannot be\r\nreferenced artificially. If you want the ingress IP and the egress IP to be different, you can use the --bind-ip parameter,\r\nformat: IP:port , for example: 1.1.1.1:8080 , [2000:0:0:0:0 :0:0:1]:8080 . For multiple binding requirements, the --\r\nbind-ip parameter can be repeated.\r\nFor example, this machine has IP 5.5.5.5 , 6.6.6.6 , and monitors two ports 8888 and 7777 , the command is as\r\nfollows:\r\nProxy tcp -t tcp -p :8888,:7777 --bind-ip 5.5.5.5:7777 --bind-ip 6.6.6.6:8888 -T tcp -P 2.2.2.2:3322\r\nThen the client access port 7777 , the outgoing IP is 5.5.5.5 , access port 8888 , the outgoing IP is 6.6.6.6 , if both --\r\nbind-ip and --bind- are set at the same time listen , --bind-ip has higher priority. s In addition, the IP part of\r\nthe --bind-ip parameter supports specifying the network interface name , wildcards , and more than one can be\r\nspecified. The detailed description is as follows:\r\nSpecify the network interface name, such as: --bind-ip eth0:7777 , and then the client accesses the 7777 port,\r\nand the egress IP is the IP of the eth0 network interface.\r\nThe network interface name supports wildcards, such as: --bind-ip eth0.*:7777 , then the client accesses the port\r\n7777 , and the egress IP is randomly selected from the IP of the network interface starting with eth0. .\r\nIP supports wildcards, such as: --bind-ip 192.168.?.*:777 , then the client accesses the 7777 port, the outgoing\r\nIP is all the IPs of the machine, and matches the IP of 192.168.?.* A randomly selected one.\r\nIt can also be several combinations of network interface name and IP, and several selective divisions using half-width, such as: -bind-ip pppoe??,192.168.?.*:7777 , and then the client accesses the 7777 port , The outgoing IP\r\nis the machine's network interface name matching pppoe?? It is randomly selected from the IP matching\r\n192.168.?.* in the machine IP.\r\nThe wildcard character * represents 0 to any character, ? Represents 1 character.\r\nIf the IP of the network interface changes, it will take effect in real time.\r\nYou can use the --bind-refresh parameter to specify the interval to refresh the local network interface information,\r\nthe default is 5 , the unit is second.\r\n1.17 Certificate parameters use base64 data\r\nBy default, the -C, -K parameter is the path to the crt certificate and the key file.\r\nIf it is the beginning of base64://, then the latter data is considered to be base64 encoded and will be used after decoding.\r\n1.18 Intelligent mode\r\nhttps://github.com/snail007/goproxy\r\nPage 19 of 60\n\nIntelligent mode setting, can be one of intelligent|direct|parent.\r\nThe default is: parent.\r\nThe meaning of each value is as follows:\r\n--intelligent=direct , the targets in the blocked are not directly connected.\r\n--intelligent=parent , the target that is not in the direct is going to the higher level.\r\n--intelligent=intelligent , blocked and direct have no targets, intelligently determine whether to use the upstream\r\naccess target.\r\n1.19 Help\r\nproxy help http\r\n2.TCP Proxies\r\n2.1. Ordinary level TCP proxy\r\nLocal execution:\r\nproxy tcp -p \":33080\" -T tcp -P \"192.168.22.33:22\"\r\nThen access the local port 33080 is to access port 22 of 192.168.22.33.\r\nThe -p parameter supports :\r\n-p \":8081\" listen on 8081\r\n-p \":8081,:8082\" listen on 8081 and 8082\r\n-p \":8081,:8082,:9000-9999\" listen on 8081 and 8082 and 9000, 9001 to 9999 for a total of 1002 ports\r\nIf the number of local listening ports is greater than 1, the corresponding upper port corresponding to the local port will be\r\nconnected, and the port in -P will be ignored.\r\nIf you need a connection from all ports, connect to the upper specified port, you can add the parameter --lock-port .\r\nsuch as:\r\nproxy tcp -p \":33080-33085\" -T tcp -P \"192.168.22.33:0\"\r\nhttps://github.com/snail007/goproxy\r\nPage 20 of 60\n\nThen the connection of the 33080 port will connect to the 33080 port of 192.168.22.33, and the other ports are similar.\r\nThe local and upper ports are the same. At this time, the port in the parameter -P uses 0 .\r\nIf you want to connect the ports of 33080 , 33081 , etc. to the 22 port of 192.168.22.33, you can add the parameter --\r\nlock-port .\r\nproxy tcp -p \":33080-33085\" -T tcp -P \"192.168.22.33:22\" --lock-port\r\n2.2. Ordinary secondary TCP proxy\r\nVPS (IP: 22.22.2.33) is executed:\r\nproxy tcp -p \":33080\" -T tcp -P \"127.0.0.1:8080\"\r\nLocal execution:\r\nproxy tcp -p \":23080\" -T tcp -P \"22.22.22.33:33080\"\r\nThen access the local port 23080 is to access port 8020 of 22.22.22.33.\r\n2.3. Ordinary three-level TCP proxy\r\nPrimary TCP proxy VPS_01, IP: 22.22.22.22\r\nproxy tcp -p \":38080\" -T tcp -P \"66.66.66.66:8080\"\r\nSecondary TCP proxy VPS_02, IP: 33.33.33.33\r\nproxy tcp -p \":28080\" -T tcp -P \"22.22.22.22:38080\"\r\nhttps://github.com/snail007/goproxy\r\nPage 21 of 60\n\nLevel 3 TCP proxy (local)\r\nproxy tcp -p \":8080\" -T tcp -P \"33.33.33.33:28080\"\r\nThen access the local port 8080 is to access the port 8080 of 66.66.66.66 through the encrypted TCP tunnel.\r\n2.4. Encrypting secondary TCP proxy\r\nVPS (IP: 22.22.2.33) is executed:\r\nproxy tcp -t tls -p \":33080\" -T tcp -P \"127.0.0.1:8080\" -C proxy.crt -K proxy.key\r\nLocal execution:\r\nproxy tcp -p \":23080\" -T tls -P \"22.22.22.33:33080\" -C proxy.crt -K proxy.key\r\nThen access the local port 23080 is to access the port 8080 of 22.22.22.33 through the encrypted TCP tunnel.\r\n2.5.Encrypting Level 3 TCP Agent\r\nPrimary TCP proxy VPS_01, IP: 22.22.22.22\r\nproxy tcp -t tls -p \":38080\" -T tcp -P \"66.66.66.66:8080\" -C proxy.crt -K proxy.key\r\nSecondary TCP proxy VPS_02, IP: 33.33.33.33\r\nproxy tcp -t tls -p \":28080\" -T tls -P \"22.22.22.22:38080\" -C proxy.crt -K proxy.key\r\nLevel 3 TCP proxy (local)\r\nproxy tcp -p \":8080\" -T tls -P \"33.33.33.33:28080\" -C proxy.crt -K proxy.key\r\nThen access the local port 8080 is to access the port 8080 of 66.66.66.66 through the encrypted TCP tunnel.\r\nhttps://github.com/snail007/goproxy\r\nPage 22 of 60\n\n2.6 Connecting to a upstream through a proxy\r\nSometimes the network where the proxy is located cannot directly access the external network. You need to use an https or\r\nsocks5 proxy to access the Internet. Then this time\r\nThe -J parameter can help you to connect the proxy to the peer-P through the https or socks5 proxy when mapping the proxy\r\ntcp port, mapping the external port to the local.\r\nThe -J parameter format is as follows:\r\nHttps proxy writing:\r\nThe proxy needs authentication, username: username password: password\r\nHttps://username:password@host:port\r\nAgent does not require authentication\r\nHttps://host:port\r\nSocks5 proxy writing:\r\nThe proxy needs authentication, username: username password: password\r\nSocks5://username:password@host:port\r\nAgent does not require authentication\r\nSocks5://host:port\r\nHost: the IP or domain name of the proxy\r\nPort: the port of the proxy\r\n2.7 Specify Outgoing IP\r\nWhen the TCP proxy is a superior type (parameter: -T) is tcp, it supports the specified outgoing IP. Using the --bind-listen parameter, you can open the client to connect with the portal IP, and use the portal IP as the outgoing IP to access\r\nthe target website. If an incorrect IP is bound, the proxy will not work, the proxy will try to bind the target without binding\r\nthe IP, and the log will prompt.\r\nproxy tcp -p \":33080\" -T tcp -P\" 192.168.22.33:22\" -B\r\nFlexible Outgoing IP\r\nAlthough the above --bind-listen parameter can specify the outgoing IP, the entry IP and the outgoing IP cannot be\r\nreferenced artificially. If you want the ingress IP to be different from the egress IP, you can use the --bind-ip parameter,\r\nformat: IP:port , for example: 1.1.1.1:8080 , [2000:0:0:0:0:0:0:1]:8080 . For multiple binding requirements, you\r\ncan repeat the --bind-ip parameter identification.\r\nFor example, this machine has IP 5.5.5.5 , 6.6.6.6 , and monitors two ports 8888 and 7777 , the command is as\r\nfollows:\r\nProxy tcp -t tcp -p :8888,:7777 --bind-ip 5.5.5.5:7777 --bind-ip 6.6.6.6:8888 -T tcp -P 2.2.2.2:3322\r\nThen the client access port 7777 , the outgoing IP is 5.5.5.5 , access port 8888 , the outgoing IP is 6.6.6.6 , if both --\r\nbind-ip and --bind- are set at the same time listen , --bind-ip has higher priority.\r\nIn addition, the IP part of the --bind-ip parameter supports specifying the network interface name , wildcards , and\r\nmore than one can be specified. The detailed description is as follows:\r\nSpecify the network interface name, such as: --bind-ip eth0:7777 , then the client accesses the 7777 port, and the\r\negress IP is the IP of the eth0 network interface.\r\nhttps://github.com/snail007/goproxy\r\nPage 23 of 60\n\nThe network interface name supports wildcards, for example: --bind-ip eth0.*:7777 , then the client accesses the\r\n7777 port, and the egress IP is a randomly selected one of the network interface IPs starting with eth0. .\r\nIP supports wildcards, such as: --bind-ip 192.168.?.*:7777 , then the client accesses the 7777 port, and the\r\noutgoing IP is all the IPs of the machine, matching the IP of 192.168.?.* A randomly selected one.\r\nIt can also be multiple combinations of network interface name and IP, separated by half-width commas, such as: --\r\nbind-ip pppoe??,192.168.?.*:7777 , then the client accesses the port 7777 , The outgoing IP is the machine's\r\nnetwork interface name matching pppoe?? It is a randomly selected one among all IPs of the machine that matches\r\n192.168.?.* .\r\nThe wildcard character * represents 0 to any number of characters, and ? represents 1 character.\r\nIf the IP of the network interface changes, it will take effect in real time.\r\nYou can use the --bind-refresh parameter to specify the interval to refresh the local network interface information,\r\nthe default is 5 , the unit is second.\r\n2.8 Speed limit, connections limit\r\nLimit count of connections The parameter --max-conns can limit the maximum number of connections per port.\r\nFor example, limit the maximum number of connections per port to 1000: proxy tcp -p \":33080\" -T tcp -P\r\n\"192.168.22.33:22\" --max-conns 1000\r\nLimit tcp connection rate The parameter --rate-limit can limit the rate of each tcp connection. For example,\r\nlimit the rate of each tcp connection to 100k/s: proxy tcp -p \":33080\" -T tcp -P \"192.168.22.33:22\" --rate-limit 100k\r\nLimit client IP total rate The parameter --ip-rate limit the total rate of each client IP. For example, limit the total\r\nIP rate of each client to 1M/s: proxy tcp -p \":33080\" -T tcp -P \"192.168.22.33:22\" --ip-rate 1M\r\nLimit port total rate The parameter --port-rate limit the total rate of each service port. For example, limit the\r\ntotal rate of each port to 10M/s: proxy tcp -p \":33080\" -T tcp -P \"192.168.22.33:22\" --port-rate 10M\r\nJoint Speed Limit --rate-limit and ( --ip-rate or --port-rate ) can be used together. Both limit the total rate\r\nand limit the rate of a single tcp.\r\n2.9 Compressed transmission\r\n--c controls whether to compress transmission between local and client, default false; --C controls whether to compress\r\ntransmission between local and upstream, default false.\r\nExamples:\r\nVPS (IP: 22.22.22.33) implementation: proxy tcp -t tcp --c -p \":33080\" -T tcp -P \"127.0.0.1:8080\" Local\r\nexecution: proxy tcp -t tcp -p \":23080\" -T tcp -P \"22.22.22.33:33080\" --C\r\n2.10 View Help\r\nproxy help tcp\r\n3.UDP Proxies\r\n3.1. Ordinary UDP proxy\r\nhttps://github.com/snail007/goproxy\r\nPage 24 of 60\n\nLocal execution:\r\nproxy udp -p \":5353\" -T udp -P \"8.8.8.8:53\"\r\nThen access the local UDP: 5353 port is to access 8.8.8.8 UDP: 53 port.\r\nThe -p parameter supports :\r\n-p \":8081\" listen on 8081\r\n-p \":8081,:8082\" listen on 8081 and 8082\r\n-p \":8081,:8082,:9000-9999\" listen on 8081 and 8082 and 9000, 9001 to 9999 for a total of 1002 ports\r\nIf the number of local listening ports is greater than 1, the corresponding upper port corresponding to the local port will be\r\nconnected, and the port in -P will be ignored.\r\nIf you need a connection from all ports, connect to the upper specified port, you can add the parameter --lock-port .\r\nsuch as:\r\nproxy udp -p \":33080-33085\" -T udp -P \"192.168.22.33:0\"\r\nThen the connection of the 33080 port will connect to the 33080 port of 192.168.22.33, and the other ports are similar.\r\nThe local and upper ports are the same. At this time, the port in the parameter -P uses 0 .\r\nIf you want to connect the ports of 33080 , 33081 , etc. to the 2222 port of 192.168.22.33, you can add the parameter --\r\nlock-port .\r\nproxy udp -p \":33080-33085\" -T udp -P \"192.168.22.33:2222\" --lock-port\r\n3.2. Ordinary secondary UDP proxy\r\nhttps://github.com/snail007/goproxy\r\nPage 25 of 60\n\nVPS (IP: 22.22.2.33) is executed:\r\nproxy tcp -p \":33080\" -T udp -P \"8.8.8.8:53\"\r\nLocal execution:\r\nproxy udp -p \":5353\" -T tcp -P \"22.22.22.33:33080\"\r\nThen access the local UDP: 5353 port is through the TCP tunnel, through the VPS access 8.8.8.8 UDP: 53 port.\r\n3.3. Ordinary three-level UDP proxy\r\nPrimary TCP proxy VPS_01, IP: 22.22.22.22\r\nproxy tcp -p \":38080\" -T udp -P \"8.8.8.8:53\"\r\nSecondary TCP proxy VPS_02, IP: 33.33.33.33\r\nproxy tcp -p \":28080\" -T tcp -P \"22.22.22.22:38080\"\r\nLevel 3 TCP proxy (local)\r\nproxy udp -p \":5353\" -T tcp -P \"33.33.33.33:28080\"\r\nThen access to the local 5353 port is through the TCP tunnel, through the VPS to access port 8.8.8.8.\r\n3.4. Encrypting secondary UDP proxy\r\nhttps://github.com/snail007/goproxy\r\nPage 26 of 60\n\nVPS (IP: 22.22.2.33) is executed:\r\nproxy tcp -t tls -p \":33080\" -T udp -P \"8.8.8.8:53\" -C proxy.crt -K proxy.key\r\nLocal execution:\r\nproxy udp -p \":5353\" -T tls -P \"22.22.22.33:33080\" -C proxy.crt -K proxy.key\r\nThen access the local UDP: 5353 port is through the encrypted TCP tunnel, through the VPS access 8.8.8.8 UDP: 53 port.\r\n3.5. Encryption Level 3 UDP Agent\r\nPrimary TCP proxy VPS_01, IP: 22.22.22.22\r\nproxy tcp -t tls -p \":38080\" -T udp -P \"8.8.8.8:53\" -C proxy.crt -K proxy.key\r\nSecondary TCP proxy VPS_02, IP: 33.33.33.33\r\nproxy tcp -t tls -p \":28080\" -T tls -P \"22.22.22.22:38080\" -C proxy.crt -K proxy.key\r\nLevel 3 TCP proxy (local)\r\nproxy udp -p \":5353\" -T tls -P \"33.33.33.33:28080\" -C proxy.crt -K proxy.key\r\nThen access the local 5353 port is to access the 8.8.8.8 port 53 through VPS_01 through the encrypted TCP tunnel.\r\n3.6 Specify Outgoing IP\r\nWhen the UDP upstream proxies (parameter: -T) is udp, it supports the specified outgoing IP. Using the --bind-listen\r\nparameter, you can open the client to connect with the server IP, and use the server IP as the outgoing IP to access the target.\r\nIf an incorrect IP is bound, the proxy will not work.\r\nhttps://github.com/snail007/goproxy\r\nPage 27 of 60\n\nproxy udp -p \":33080\" -T udp -P \"192.168.22.33:2222\" -B\r\n3.7 Help\r\nproxy help udp\r\n4. Expose Intranet\r\n4.1 principle description\r\nIntranet penetration, divided into two versions, \"multi-link version\" and \"multiplexed version\", generally like a web service,\r\nthis service is not a long-term connection, it is recommended to use \"multi-link version\", if it is to keep long The time\r\nconnection suggests using a \"multiplexed version.\"\r\n1. Multi-link version, the corresponding sub-command is tserver, tclient, tbridge.\r\n2. Multiplexed version, the corresponding subcommand is server, client, bridge.\r\n3. The parameters of the multi-link version and the multiplex version are exactly the same.\r\n4. The multiplexed version of the server, client can open the compressed transmission, the parameter is --c.\r\n5. server, client either open compression, or not open, can not open only one.\r\nThe following tutorial uses the \"multiplexed version\" as an example to illustrate how to use it.\r\nThe intranet penetration consists of three parts: client, server, and bridge; client and server actively connect to the bridge for\r\nbridging.\r\n4.2 TCP common usage\r\nBackground:\r\nCompany Machine A provides web service port 80\r\nThere is a VPS, public network IP: 22.22.22.22\r\nDemand:\r\nAt home, you can access the port 80 of company machine A by accessing port 28080 of the VPS.\r\nSteps:\r\nExecute on vps\r\nproxy bridge -p \":33080\" -C proxy.crt -K proxy.key\r\nproxy server -r \":28080@:80\" -P \"127.0.0.1:33080\" -C proxy.crt -K proxy.key\r\n1. Execute on company machine A\r\nproxy client -P \"22.22.22.22:33080\" -C proxy.crt -K proxy.key\r\nComplete\r\n4.3 WeChat interface local development\r\nBackground:\r\nYour own notebook provides nginx service port 80\r\nThere is a VPS, public network IP: 22.22.22.22\r\nDemand:\r\nFill in the address in the webpage callback interface configuration of WeChat's development account:\r\nhttp://22.22.22.22/calback.php\r\nhttps://github.com/snail007/goproxy\r\nPage 28 of 60\n\nThen you can access the calback.php under the 80 port of the notebook. If you need to bind the domain name, you can use\r\nyour own domain name.\r\nFor example: wx-dev.xxx.com resolves to 22.22.22.22, and then in your own notebook nginx\r\nConfigure the domain name wx-dev.xxx.com to the specific directory.\r\nSteps:\r\n1. Execute on vps to ensure that port 80 of vps is not occupied by other programs.\r\nproxy bridge -p \":33080\" -C proxy.crt -K proxy.key\r\nproxy server -r \":80@:80\" -P \"22.22.22.22:33080\" -C proxy.crt -K proxy.key\r\n2. Execute on your laptop\r\nproxy client -P \"22.22.22.22:33080\" -C proxy.crt -K proxy.key\r\nComplete\r\n4.4 UDP common usage\r\nBackground:\r\nCompany Machine A provides DNS resolution service, UDP: port 53\r\nThere is a VPS, public network IP: 22.22.22.22\r\nDemand:\r\nAt home, you can use the company machine A to perform domain name resolution services by setting the local dns to\r\n22.22.22.22.\r\nSteps:\r\nExecute on vps\r\nproxy bridge -p \":33080\" -C proxy.crt -K proxy.key\r\nproxy server --udp -r \":53@:53\" -P \"127.0.0.1:33080\" -C proxy.crt -K proxy.key\r\n1. Execute on company machine A\r\nproxy client -P \"22.22.22.22:33080\" -C proxy.crt -K proxy.key\r\nComplete\r\n4.5 advanced usage one\r\nBackground:\r\nCompany Machine A provides web service port 80\r\nThere is a VPS, public network IP: 22.22.22.22\r\nDemand:\r\nIn order to be safe, I don't want to have access to the company machine A on the VPS, and I can access the port 28080 of the\r\nmachine at home.\r\nAccess to port 80 of company machine A via an encrypted tunnel.\r\nSteps:\r\nExecute on vps\r\nproxy bridge -p \":33080\" -C proxy.crt -K proxy.key\r\nhttps://github.com/snail007/goproxy\r\nPage 29 of 60\n\n1. Execute on company machine A\r\nproxy client -P \"22.22.22.22:33080\" -C proxy.crt -K proxy.key\r\n2. Execute on your home computer\r\nproxy server -r \":28080@:80\" -P \"22.22.22.22:33080\" -C proxy.crt -K proxy.key\r\nComplete\r\n4.6 Advanced Usage II\r\nTip:\r\nIf multiple clients are connected to the same bridge at the same time, you need to specify a different key, which can be set by\r\nthe --k parameter, and --k can be any unique string.\r\nJust be the only one on the same bridge.\r\nWhen the server is connected to the bridge, if there are multiple clients connecting to the same bridge at the same time, you\r\nneed to use the --k parameter to select the client.\r\nExpose multiple ports by repeating the -r parameter. The format of -r is: \"local IP: local port @clientHOST:client port\".\r\nBackground:\r\nCompany Machine A provides web service port 80, ftp service port 21\r\nThere is a VPS, public network IP: 22.22.22.22\r\nDemand:\r\nAt home, you can access the port 80 of company machine A by accessing port 28080 of the VPS.\r\nAt home, I can access the 21 port of company machine A by accessing port 29090 of the VPS.\r\nSteps:\r\nExecute on vps\r\nproxy bridge -p \":33080\" -C proxy.crt -K proxy.key\r\nproxy server -r \":28080@:80\" -r \":29090@:21\" --k test -P \"127.0.0.1:33080\" -C proxy.crt -K proxy.key\r\n1. Execute on company machine A\r\nproxy client --k test -P \"22.22.22.22:33080\" -C proxy.crt -K proxy.key\r\nComplete\r\n4.7.server -r parameter\r\nThe full format of -r is: PROTOCOL://LOCAL_IP:LOCAL_PORT@[CLIENT_KEY]CLIENT_LOCAL_HOST:CLIENT_LOCAL_PORT\r\n4.7.1. Protocol PROTOCOL: tcp or udp.\r\nFor example: -r \"udp://:10053@:53\" -r \"tcp://:10800@:1080\" -r \":8080@:80\"\r\nIf the --udp parameter is specified, PROTOCOL defaults to udp, then: -r \":8080@:80\" defaults to udp;\r\nIf the --udp parameter is not specified, PROTOCOL defaults to tcp, then: -r \":8080@:80\" defaults to tcp;\r\n4.7.2. CLIENT_KEY: The default is default.\r\nFor example: -r \"udp://:10053@[test1]:53\" -r \"tcp://:10800@[test2]:1080\" -r \":8080@:80\"\r\nIf the --k parameter is specified, such as --k test, then: -r \":8080@:80\" CLIENT_KEY defaults to test;\r\nIf the --k parameter is not specified, then: -r \":8080@:80\" CLIENT_KEY defaults to default;\r\n4.7.3. LOCAL_IP is empty. The default is: 0.0.0.0 , CLIENT_LOCAL_HOST is empty. The default is: 127.0.0.1 ;\r\n4.8.server and client connect bridge through proxy\r\nhttps://github.com/snail007/goproxy\r\nPage 30 of 60\n\nSometimes the network where the server or client is located cannot directly access the external network. You need to use an\r\nhttps or socks5 proxy to access the Internet. Then this time\r\nThe -J parameter can help you to connect the server or client to the bridge via https or socks5.\r\nThe -J parameter format is as follows:\r\nHttps proxy writing:\r\nThe proxy needs authentication, username: username password: password\r\nHttps://username:password@host:port\r\nAgent does not require authentication\r\nHttps://host:port\r\nSocks5 proxy writing:\r\nThe proxy needs authentication, username: username password: password\r\nSocks5://username:password@host:port\r\nAgent does not require authentication\r\nSocks5://host:port\r\nHost: the IP or domain name of the proxy\r\nPort: the port of the proxy\r\n4.9. Expose HTTP service\r\nUsually the HTTP request client will use the server's ip and port to set the HOST field, but it is not the same as the expected\r\nbackend actual HOST, which causes tcp to be passed.However, the backend relies on the HOST field to locate the virtual\r\nhost and it will not work. Now use the --http-host parameter to force the HOST field value of the http header to be the\r\nactual value of the backend.Domain names and ports can be easily solved. After using the --http-host parameter, two\r\nheaders will be added to the header of each HTTP request. The X-Forwarded-For and X-Real-IP values are the client IP,\r\nso the backend http service can easily obtain the real IP address of the client.\r\nThe format of the server -http-host parameter is as follows:\r\n--http-host www.test.com:80@2200 , if the server listens to multiple ports, just repeat the --http-host parameter to set\r\nthe HOST for each port.\r\nExample:\r\nFor example, the client local nginx, 127.0.0.1:80 provides a web service, which is bound to a domain name local.com .\r\nThen the server startup parameters can be as follows:\r\nproxy server -P :30000 -r :2500@127.0.0.1:80 --http-host local.com@2500\r\nExplanation:\r\n-r :2500@127.0.0.1:80 and --http-host local.com:80@2500 The 2500 port is the port that the server listens locally.\r\nWhen the http protocol is used to request the ip:2500 port of the server, the header HOST field of http will be set to\r\nlocal.com .\r\n4.10 About traffic statistics\r\nIf you start a server docking peer separately, it is the proxy-admin control panel. You need to create a new mapping in the\r\nupper-level control panel to obtain the ID of the mapping rule.\r\nhttps://github.com/snail007/goproxy\r\nPage 31 of 60\n\nThen start the server and add the parameter --server-id=the ID of the mapping rule to count the traffic.\r\n4.11 About p2p\r\nIntranet penetration support When the server and client network conditions are met, the server and client are directly\r\nconnected through p2p. The opening method is:\r\nWhen starting the bridge, server, client, add the --p2p parameter. The server's -r parameter can be used to enable p2p (ptcp\r\nand pudp) for the port.\r\nIf the p2p hole fails between the server and the client, the bridge transfer data is automatically switched.\r\n4.12 Client key whitelist\r\nThe intranet penetrating bridge can set the client key whitelist. The parameter is --client-keys. The format can be:\r\na. File name, file content One client key can only contain the alphanumeric underscore, which is the value of the client\r\nstartup parameter --k. Only the client key can connect to the whitelist client. The line starting with # is a comment.\r\nb. The base64 encoding at the beginning of \"base64://\" is the content of the file described in a above, for example:\r\nbase64://ajfpoajsdfa=\r\nc. \"str://\" multiple keywords separated by a comma at the beginning, such as: str://default,company,school\r\nThe default is empty, allowing all keys.\r\n4.13 Network NAT Type Judgment\r\nSenat type judgment, easy to check whether the network supports p2p, you can execute: proxy tools -a nattype\r\n4.14 Help\r\nproxy help bridge\r\nproxy help server\r\nproxy help client\r\n5.SOCKS5 Proxies\r\nprompt:\r\nSOCKS5 proxy, support CONNECT, UDP protocol, does not support BIND, supports username and password\r\nauthentication.\r\n***The udp function of socks5 is turned off by default, and can be turned on by --udp . The default is a random port for\r\nhandshake, and performance can be improved by fixing a port. Set by parameter --udp-port 0 , 0 represents a free port is\r\nrandomly selected, or you can manually specify a specific port. ***\r\n5.1. Ordinary SOCKS5 Agent\r\nproxy socks -t tcp -p \"0.0.0.0:38080\"\r\nListen port argument -p can be:\r\n -p \":8081\" listen on 8081\r\n -p \":8081,:8082\" listen on 8081 and 8082\r\nhttps://github.com/snail007/goproxy\r\nPage 32 of 60\n\n-p \":8081,:8082,:9000-9999\" listen on 8081 and 8082 and 9000 and 9001 to 9999, 1002 total ports\r\n5.2. Ordinary secondary SOCKS5 agent\r\nUse local port 8090, assuming the upstream SOCKS5 proxy is 22.22.22.22:8080\r\nproxy socks -t tcp -p \"0.0.0.0:8090\" -T tcp -P \"22.22.22.22:8080\"\r\nWe can also specify the black and white list file of the website domain name, one domain name and one domain name, the\r\nmatching rule is the rightmost match, for example: baidu.com, the match is ..baidu.com, the blacklist domain name domain\r\nname goes directly to the upstream agent, white The domain name of the list does not go to the upstream agent; if the\r\ndomain name is in the blacklist and in the whitelist, the blacklist works.\r\nproxy socks -p \"0.0.0.0:8090\" -T tcp -P \"22.22.22.22:8080\" -b blocked.txt -d direct.txt\r\n5.3. SOCKS Level 2 Agent (Encryption)\r\nLevel 1 SOCKS proxy (VPS, IP: 22.22.22.22)\r\nproxy socks -t tls -p \":38080\" -C proxy.crt -K proxy.key\r\nSecondary SOCKS proxy (local Linux)\r\nproxy socks -t tcp -p \":8080\" -T tls -P \"22.22.22.22:38080\" -C proxy.crt -K proxy.key\r\nThen access the local port 8080 is to access the proxy port 38080 on the VPS.\r\nhttps://github.com/snail007/goproxy\r\nPage 33 of 60\n\nSecondary SOCKS proxy (local windows)\r\nproxy.exe socks -t tcp -p \":8080\" -T tls -P \"22.22.22.22:38080\" -C proxy.crt -K proxy.key\r\nThen set your windos system, the proxy that needs to go through the proxy Internet program is the socks5 mode, the address\r\nis: 127.0.0.1, the port is: 8080, the program can access the Internet through vps through the encrypted channel.\r\n5.4. SOCKS Level 3 Agent (Encryption)\r\nLevel 1 SOCKS proxy VPS_01, IP: 22.22.22.22\r\nproxy socks -t tls -p \":38080\" -C proxy.crt -K proxy.key\r\nSecondary SOCKS proxy VPS_02, IP: 33.33.33.33\r\nproxy socks -t tls -p \":28080\" -T tls -P \"22.22.22.22:38080\" -C proxy.crt -K proxy.key\r\nLevel 3 SOCKS proxy (local)\r\nproxy socks -t tcp -p \":8080\" -T tls -P \"33.33.33.33:28080\" -C proxy.crt -K proxy.key\r\nThen accessing the local port 8080 is to access the proxy port 38080 on the first-level SOCKS proxy.\r\n5.5. SOCKS proxy traffic is forced to go to the upper level SOCKS proxy\r\nBy default, the proxy will intelligently determine whether a website domain name is inaccessible. If it is not accessible, it\r\nwill go to the upstream SOCKS proxy. With --always, all SOCKS proxy traffic can be forced to go to the upper SOCKS\r\nproxy.\r\nproxy socks --always -t tls -p \":28080\" -T tls -P \"22.22.22.22:38080\" -C proxy.crt -K proxy.key\r\n5.6. SOCKS via SSH relay\r\nhttps://github.com/snail007/goproxy\r\nPage 34 of 60\n\nDescription: The principle of ssh transfer is to use the forwarding function of ssh, that is, after you connect to ssh, you can\r\naccess the target address through ssh proxy.\r\nSuppose there is: vps\r\nIP is 2.2.2.2, ssh port is 22, ssh username is: user, ssh user password is: demo\r\nThe user's ssh private key name is user.key\r\n5.6.1 How to ssh username and password\r\nLocal SOCKS5 proxy port 28080, execute:\r\nproxy socks -T ssh -P \"2.2.2.2:22\" -u user -D demo -t tcp -p \":28080\"\r\n5.6.2 How to ssh username and key\r\nLocal SOCKS5 proxy port 28080, execute:\r\nproxy socks -T ssh -P \"2.2.2.2:22\" -u user -S user.key -t tcp -p \":28080\"\r\nThen access the local port 28080 is to access the target address through the VPS.\r\n5.7. Certification\r\nFor the socks5 proxy protocol, we can perform username and password authentication. The authenticated username and\r\npassword can be specified on the command line.\r\nproxy socks -t tcp -p \":33080\" -a \"user1:pass1\" -a \"user2:pass2\"\r\nFor multiple users, repeat the -a parameter.\r\nIt can also be placed in a file in the format of a \"username:password\" and then specified with -F.\r\nproxy socks -t tcp -p \":33080\" -F auth-file.txt\r\nIn addition, the socks5 agent also integrates external HTTP API authentication. We can specify an http url interface address\r\nwith the --auth-url parameter.\r\nThen when there is a user connection, the proxy will request the url in GET mode, with the following three parameters. If\r\nthe HTTP status code 204 is returned, the authentication is successful.\r\nIn other cases, the authentication failed.\r\nFor example:\r\nproxy socks -t tcp -p \":33080\" --auth-url \"http://test.com/auth.php\"\r\nWhen the user connects, the proxy will request the url (\"http://test.com/auth.php\") in GET mode.\r\nBring four parameters: user, pass, ip, local_ip:\r\nhttps://github.com/snail007/goproxy\r\nPage 35 of 60\n\nHttp://test.com/auth.php?user={USER}\u0026pass={PASS}\u0026ip={IP}\u0026local_ip={LOCAL_IP}\r\nUser: username\r\nPass: password\r\nIp: User's IP, for example: 192.168.1.200\r\nLocal_ip: IP of the server accessed by the user, for example: 3.3.3.3\r\nIf there is no -a or -F or --auth-url parameter, the authentication is turned off.\r\n5.8.KCP protocol transmission\r\nThe KCP protocol requires the --kcp-key parameter to set a password for encrypting and decrypting data.\r\nLevel 1 HTTP proxy (VPS, IP: 22.22.22.22)\r\nproxy socks -t kcp -p \":38080\" --kcp-key mypassword\r\nSecondary HTTP proxy (local Linux)\r\nproxy socks -t tcp -p \":8080\" -T kcp -P \"22.22.22.22:38080\" --kcp-key mypassword\r\nThen access the local port 8080 is to access the proxy port 38080 on the VPS, the data is transmitted through the kcp\r\nprotocol.\r\n5.9. Custom DNS\r\n--dns-address and --dns-ttl parameters, used to specify the dns (--dns-address) used by the proxy to access the domain name.\r\nAnd the analysis result cache time (--dns-ttl) seconds, to avoid system dns interference to the proxy, in addition to the cache\r\nfunction can also reduce the dns resolution time to improve access speed.\r\nFor example:\r\nproxy socks -p \":33080\" --dns-address \"8.8.8.8:53\" --dns-ttl 300\r\nYou can also use the parameter --dns-interface to specify the bandwidth used for dns resolution, for example: --dns-interface eth0 , dns resolution will use the eth0 bandwidth, this parameter must be set to --dns-address to be effective.\r\n5.10 Custom Encryption\r\nThe proxy's socks proxy can encrypt tcp data through tls standard encryption and kcp protocol on top of tcp. In addition, it\r\nsupports custom encryption after tls and kcp, which means that custom encryption and tls|kcp can be used together. The\r\ninternal use of AES256 encryption, you only need to define a password when you use it.\r\nEncryption is divided into two parts, one is whether the local (-z) encryption and decryption, and the other is whether the\r\ntransmission with the upstream (-Z) is encrypted or decrypted.\r\nCustom encryption requires both sides to be proxy.\r\nThe following two levels, three levels for example:\r\nSecondary instance\r\nExecute on level 1 vps (ip: 2.2.2.2):\r\nproxy socks -t tcp -z demo_password -p :7777\r\nLocal secondary execution:\r\nproxy socks -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080\r\nIn this way, when the website is accessed through the local agent 8080, the target website is accessed through encrypted\r\ntransmission with the upstream.\r\nThree-level instance\r\nExecute on level 1 vps (ip: 2.2.2.2):\r\nhttps://github.com/snail007/goproxy\r\nPage 36 of 60\n\nproxy socks -t tcp -z demo_password -p :7777\r\nExecute on the secondary vps (ip: 3.3.3.3):\r\nproxy socks -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888\r\nLocal three-level execution:\r\nproxy socks -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080\r\nIn this way, when the website is accessed through the local agent 8080, the target website is accessed through encrypted\r\ntransmission with the upstream.\r\n5.11 Compressed transmission\r\nThe proxy's socks proxy can encrypt tcp data through custom encryption and tls standard encryption and kcp protocol on top\r\nof tcp. It can also be used before custom encryption.\r\nCompress the data, that is, the compression function and the custom encryption and tls|kcp can be used in combination, and\r\nthe compression is divided into two parts.\r\nPart of it is local (-m) compression transmission, and part is whether the transmission with the upstream (-M) is compressed.\r\nCompression requires both sides to be proxy, and compression also protects (encrypts) data to some extent.\r\nThe following two levels, three levels for example:\r\nSecondary instance\r\nExecute on level 1 vps (ip: 2.2.2.2):\r\nproxy socks -t tcp -m -p :7777\r\nLocal secondary execution:\r\nproxy socks -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080\r\nIn this way, when the website is accessed through the local agent 8080, the target website is accessed through compression\r\nwith the upstream.\r\nThree-level instance\r\nExecute on level 1 vps (ip: 2.2.2.2):\r\nproxy socks -t tcp -m -p :7777\r\nExecute on the secondary vps (ip: 3.3.3.3):\r\nproxy socks -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888\r\nLocal three-level execution:\r\nproxy socks -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080\r\nIn this way, when the website is accessed through the local agent 8080, the target website is accessed through compression\r\nwith the upstream.\r\n5.12 Load Balancing\r\nThe SOCKS proxy supports the upper-level load balancing, and multiple upstream repeat-P parameters can be used.\r\nproxy socks --lb-method=hash -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080 -p :33080 -t tcp\r\n5.12.1 Setting the retry interval and timeout time\r\nproxy socks --lb-method=leastconn --lb-retrytime 300 --lb-timeout 300 -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080\r\n-P 3.1.1.1:33080 -p :33080 -t tcp\r\n5.12.2 Setting weights\r\nhttps://github.com/snail007/goproxy\r\nPage 37 of 60\n\nproxy socks --lb-method=weight -T tcp -P 1.1.1.1:33080?w=1 -P 2.1.1.1:33080?w=2 -P 3.1.1.1:33080?w=1 -p :33080\r\n-t tcp\r\n5.12.3 Use the target address to select the upstream\r\nproxy socks --lb-hashtarget --lb-method=hash -T tcp -P 1.1.1.1:33080 -P 2.1.1.1:33080 -P 3.1.1.1:33080 -p\r\n:33080 -t tcp\r\n5.13 Speed limit\r\nThe speed limit is 100K, which can be specified by the -l parameter, for example: 100K 2000K 1M . 0 means no limit.\r\nproxy socks -t tcp -p 2.2.2.2:33080 -l 100K\r\n5.14 Specifying Outgoing IP\r\nThe --bind-listen parameter can be used to open the client connection with the portal IP, and use the portal IP as the\r\noutgoing IP to access the target website. If the ingress IP is an intranet IP, the egress IP does not use the ingress IP.\r\nproxy socks -t tcp -p 2.2.2.2:33080 --bind-listen\r\nFlexible Outgoing IP\r\nAlthough the above --bind-listen parameter can specify the outgoing IP, the entry IP and outgoing IP cannot be\r\ninterfered by humans. If you want the ingress IP to be different from the egress IP, you can use the --bind-ip parameter,\r\nformat: IP:port , for example: 1.1.1.1:8080 , [2000:0:0:0:0:0:0:1]:8080 . For multiple binding requirements, you\r\ncan repeat the --bind-ip parameter.\r\nFor example, the machine has IP 5.5.5.5 , 6.6.6.6 , and monitors two ports 8888 and 7777 , the command is as\r\nfollows:\r\nproxy socks -t tcp -p :8888,:7777 --bind-ip 5.5.5.5:7777 --bind-ip 6.6.6.6:8888\r\nThen the client access port 7777 , the outgoing IP is 5.5.5.5 , access port 8888 , the outgoing IP is 6.6.6.6 , if both --\r\nbind-ip and --bind- are set at the same time listen , --bind-ip has higher priority.\r\nIn addition, the IP part of the --bind-ip parameter supports specifying the network interface name , wildcards , and\r\nmore than one. The details are as follows:\r\nSpecify the network interface name, such as: --bind-ip eth0:7777 , then the client accesses the 7777 port, and the\r\negress IP is the IP of the eth0 network interface.\r\nThe network interface name supports wildcards, for example: --bind-ip eth0.*:7777 , then the client accesses the\r\n7777 port, and the egress IP is a randomly selected one of the network interface IPs starting with eth0. .\r\nIP supports wildcards, such as: --bind-ip 192.168.?.*:7777 , then the client accesses the 7777 port, and the\r\noutgoing IP is all the IPs of the machine, matching the IP of 192.168.?.* A randomly selected one.\r\nIt can also be multiple combinations of network interface name and IP, separated by half-width commas, such as: --\r\nbind-ip pppoe??,192.168.?.*:7777 , then the client accesses the port 7777 , The outgoing IP is the machine's\r\nnetwork interface name matching pppoe?? It is a randomly selected one among all IPs of the machine that matches\r\n192.168.?.* .\r\nThe wildcard character * represents 0 to any number of characters, and ? represents 1 character.\r\nIf the IP of the network interface changes, it will take effect in real time.\r\nYou can use the --bind-refresh parameter to specify the interval to refresh the local network interface information,\r\nthe default is 5 , the unit is second.\r\nhttps://github.com/snail007/goproxy\r\nPage 38 of 60\n\n5.15 Cascade Certification\r\nSOCKS5 supports cascading authentication, and -A can set upstream authentication information.\r\nupstream:\r\nproxy socks -t tcp -p 2.2.2.2:33080 -a user:pass\r\nlocal:\r\nproxy socks -T tcp -P 2.2.2.2:33080 -A user:pass -t tcp -p :33080\r\n5.16 Certificate parameters use base64 data\r\nBy default, the -C, -K parameter is the path to the crt certificate and the key file.\r\nIf it is the beginning of base64://, then the latter data is considered to be base64 encoded and will be used after decoding.\r\n5.17 Intelligent mode\r\nIntelligent mode setting, can be one of intelligent|direct|parent.\r\nThe default is: parent.\r\nThe meaning of each value is as follows:\r\n--intelligent=direct , the targets in the blocked are not directly connected.\r\n--intelligent=parent , the target that is not in the direct is going to the higher level.\r\n--intelligent=intelligent , blocked and direct have no targets, intelligently determine whether to use the upstream\r\naccess target.\r\n5.18 Fixed UDP PORT\r\nBy default, the port number of the UDP function of socks5, the proxy is installed in the rfc1982 draft request, which is\r\nrandomly specified during the protocol handshake process and does not need to be specified in advance.\r\nHowever, in some cases, you need to fix the UDP function port. You can use the parameter --udp-port port number to fix\r\nthe port number of the UDP function. For example:\r\nproxy socks -t tcp -p \"0.0.0.0:38080\" --udp-port 38080\r\n5.19 UDP Compatibility Mode\r\nBy default, the UDP functionality of the SOCKS5 proxy in the proxy operates in accordance with the SOCKS5 RFC 1928\r\nspecification. However, there are certain SOCKS5 clients that do not adhere to the specified rules. To ensure compatibility\r\nwith such clients, the --udp-compat parameter can be added to activate the compatibility mode for SOCKS5 UDP\r\nfunctionality.\r\nAdditionally, the -udp-gc parameter can be utilized to set the maximum idle time for UDP. When this time threshold is\r\nexceeded, UDP connections will be released.\r\n5.20 Help\r\nproxy help socks\r\n6.SPS Protocol Convert\r\nhttps://github.com/snail007/goproxy\r\nPage 39 of 60\n\n6.1 Function introduction\r\nThe proxy protocol conversion uses the sps subcommand. The sps itself does not provide the proxy function. It only accepts\r\nthe proxy request to \"convert and forward\" to the existing http(s) proxy or the socks5 proxy or ss proxy; the sps can put the\r\nexisting http(s) proxy or socks5 proxy or ss proxy is converted to a port that supports both http(s) and socks5 and ss proxies,\r\nand the http(s) proxy supports forward proxy and reverse proxy (SNI), converted SOCKS5 proxy, UDP function is still\r\nsupported when the upper level is SOCKS5 or SS; in addition, for the existing http(s) proxy or socks5 proxy, three modes of\r\ntls, tcp, and kcp are supported, and chain connection is supported, that is, multiple sps node levels can be supported. The\r\nconnection builds an encrypted channel.\r\nThe encryption methods supported by the ss function are: aes-128-cfb, aes-128-ctr, aes-128-gcm, aes-192-cfb, aes-192-ctr,\r\naes-192-gcm, aes-256- Cfb , aes-256-ctr , aes-256-gcm , bf-cfb , cast5-cfb , chacha20 , chacha20-ietf , chacha20-ietf-poly1305 , des-cfb , rc4-md5 , rc4-md5-6 , salsa20 , Xchacha20\r\nListen port argument -p can be:\r\n -p \":8081\" listen on 8081\r\n -p \":8081,:8082\" listen on 8081 and 8082\r\n -p \":8081,:8082,:9000-9999\" listen on 8081 and 8082 and 9000 and 9001 to 9999, 1002 total ports\r\nThe udp function of ss is turned off by default and can be turned on by --ssudp . The udp function of socks5 is turned off\r\nby default and can be turned on by --udp , The default is a random port for handshake, and performance can be improved\r\nby fixing a port. Set by parameter --udp-port 0 , 0 represents a free port is randomly selected, or you can manually\r\nspecify a specific port.\r\n6.2 HTTP(S) to HTTP(S)+SOCKS5+SS\r\nSuppose there is already a normal http(s) proxy: 127.0.0.1:8080. Now we turn it into a common proxy that supports both\r\nhttp(s) and socks5 and ss. The converted local port is 18080, ss encryption: Aes-192-cfb, ss password: pass.\r\nThe command is as follows:\r\nproxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p :18080 -h aes-192-cfb -j pass\r\nSuppose there is already a tls http(s) proxy: 127.0.0.1:8080. Now we turn it into a normal proxy that supports both http(s)\r\nand socks5 and ss. The converted local port is 18080, and tls requires a certificate file. , ss encryption: aes-192-cfb, ss\r\npassword: pass.\r\nThe command is as follows:\r\nproxy sps -S http -T tls -P 127.0.0.1:8080 -t tcp -p :18080 -C proxy.crt -K proxy.key -h aes-192-cfb -j pass\r\nSuppose there is already a kcp http(s) proxy (password is: demo123): 127.0.0.1:8080, now we turn it into a normal proxy\r\nthat supports both http(s) and socks5 and ss. The converted local port is 18080, ss encryption: aes-192-cfb, ss password:\r\npass.\r\nThe command is as follows:\r\nproxy sps -S http -T kcp -P 127.0.0.1:8080 -t tcp -p :18080 --kcp-key demo123 -h aes-192-cfb -j pass\r\n6.3 SOCKS5 to HTTP(S)+SOCKS5+SS\r\nSuppose there is already a normal socks5 proxy: 127.0.0.1:8080, now we turn it into a common proxy that supports both\r\nhttp(s) and socks5 and ss. The converted local port is 18080, ss encryption: aes-192 -cfb, ss password: pass.\r\nThe command is as follows:\r\nproxy sps -S socks -T tcp -P 127.0.0.1:8080 -t tcp -p :18080 -h aes-192-cfb -j pass\r\nhttps://github.com/snail007/goproxy\r\nPage 40 of 60\n\nSuppose there is already a tls socks5 proxy: 127.0.0.1:8080, now we turn it into a common proxy that supports both http(s)\r\nand socks5 and ss. The converted local port is 18080, tls requires certificate file, ss encryption Mode: aes-192-cfb, ss\r\npassword: pass.\r\nThe command is as follows:\r\nproxy sps -S socks -T tls -P 127.0.0.1:8080 -t tcp -p :18080 -C proxy.crt -K proxy.key -h aes-192-cfb -j pass\r\nSuppose there is already a kcp socks5 proxy (password: demo123): 127.0.0.1:8080, now we turn it into a common proxy\r\nthat supports both http(s) and socks5 and ss. The converted local port is 18080, ss Encryption method: aes-192-cfb, ss\r\npassword: pass.\r\nThe command is as follows:\r\nproxy sps -S socks -T kcp -P 127.0.0.1:8080 -t tcp -p :18080 --kcp-key demo123 -h aes-192-cfb -j pass\r\n6.4 SS to HTTP(S)+SOCKS5+SS\r\nSPS upstream and local support ss protocol, the upstream can be SPS or standard ss service.\r\nSPS locally provides HTTP(S)\\SOCKS5\\SPS three defaults. When the upstream is SOCKS5, the converted SOCKS5 and\r\nSS support UDP.\r\nSuppose there is already a normal SS or SPS proxy (ss is enabled, encryption: aes-256-cfb, password: demo):\r\n127.0.0.1:8080, now we turn it to support both http(s) and socks5 and The ordinary proxy of ss, the converted local port is\r\n18080, the converted ss encryption mode: aes-192-cfb, ss password: pass.\r\nThe command is as follows:\r\nproxy sps -S ss -H aes-256-cfb -J pass -T tcp -P 127.0.0.1:8080 -t tcp -p :18080 -h aes-192-cfb -j pass .\r\n6.5 Chained connection\r\nThe above mentioned multiple sps nodes can be connected to build encrypted channels in a hierarchical connection,\r\nassuming the following vps and the home PC.\r\nVps01:2.2.2.2\r\nVps02:3.3.3.3\r\nNow we want to use pc and vps01 and vps02 to build an encrypted channel. This example uses tls encryption or kcp.\r\nAccessing local 18080 port on the PC is to access the local 8080 port of vps01.\r\nFirst on vps01 (2.2.2.2) we run a locally accessible http(s) proxy and execute:\r\nproxy http -t tcp -p 127.0.0.1:8080\r\nThen run a sps node on vps01 (2.2.2.2) and execute:\r\nproxy sps -S http -T tcp -P 127.0.0.1:8080 -t tls -p :8081 -C proxy.crt -K proxy.key\r\nhttps://github.com/snail007/goproxy\r\nPage 41 of 60\n\nThen run a sps node on vps02 (3.3.3.3) and execute:\r\nproxy sps -S http -T tls -P 2.2.2.2:8081 -t tls -p :8082 -C proxy.crt -K proxy.key\r\nThen run a sps node on the pc and execute:\r\nproxy sps -S http -T tls -P 3.3.3.3:8082 -t tcp -p :18080 -C proxy.crt -K proxy.key\r\ncarry out.\r\n6.6 Authentication\r\nSps supports http(s)\\socks5 proxy authentication, which can be cascaded and has four important pieces of information:\r\n1: The user sends the authentication information user-auth .\r\n2: Set the local authentication information local-auth .\r\n3: Set the connection authentication information 'parent-auth used by the upstream. 4: The authentication\r\ninformation auth-info-to-parent` that is finally sent to the upstream.\r\nTheir situation is as follows:\r\nUser-auth local-auth parent-auth auth-info-to-paren\r\nYes / No Yes Yes From parent-auth\r\nYes / No No Yes From parent-auth\r\nYes / No Yes No No\r\nNo No No No\r\nYes No No From user-auth\r\nFor the sps proxy we can perform username and password authentication. The authenticated username and password can be\r\nspecified on the command line.\r\nproxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p \":33080\" -a \"user1:pass1:0:0:\" -a \"user2:pass2:0:0: \"\r\nFor multiple users, repeat the -a parameter.\r\nCan also be placed in a file, the format is one line a username: password: number of connections: rate: upstream , and\r\nthen specified with -F.\r\nproxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p \":33080\" -F auth-file.txt\r\nIf the upstream has authentication, the lower level can set the authentication information with the -A parameter, for example:\r\nupstream: proxy sps -S http -T tcp -P 127.0.0.1:8080 -t tcp -p \":33080\" -a \"user1:pass1:0:0:\" -a\r\n\"user2:pass2:0: 0:\"\r\nSubordinate: proxy sps -S http -T tcp -P 127.0.0.1:8080 -A \"user1:pass1\" -t tcp -p \":33080\"\r\nFor more details on certification, please refer to 9.API Certification and 10.Local Certification\r\n6.7 Multiple Upstream\r\nIf there are multiple upstreams, they can be specified by multiple -Ps.\r\nsuch as:\r\nproxy sps -P http://127.0.0.1:3100 -P socks5://127.0.0.1:3200\r\nThe complete format of -P is as follows:\r\nprotocol://a:b@2.2.2.2:33080#1\r\nhttps://github.com/snail007/goproxy\r\nPage 42 of 60\n\nEach section is explained below:\r\nprotocol:// is the protocol type, possible types and contains the following:\r\nHttp is equivalent to -S http -T tcp\r\nHttps is equivalent to -S http -T tls --parent-tls-single , which is http(s) proxy over TLS\r\nHttps2 is equivalent to -S http -T tls\r\nSocks5 is equivalent to -S socks -T tcp\r\nSocks5s is equivalent to -S socks -T tls --parent-tls-single , which is socks over TLS\r\nSocks5s2 is equivalent to -S socks -T tls\r\nSs is equivalent to -S ss -T tcp\r\nHttpws is equivalent to -S http -T ws\r\nHttpwss is equivalent to -S http -T wss\r\nSocks5ws is equivalent to -S socks -T ws\r\nSocks5wss is equivalent to -S socks -T wss\r\na:b is the username and password of the proxy authentication. If it is ss, a is the encryption method, b is the password,\r\nand no username password can be left blank, for example: http://2.2.2.2:33080 If the username and password are\r\nprotected, special symbols can be encoded using urlencode.\r\n2.2.2.2:33080 is the upstream address, the format is: IP (or domain name): port , if the underlying is ws/wss protocol\r\ncan also bring the path, such as: 2.2.2.2: 33080/ws ;\r\nYou can also set the encryption method and password of ws\\wss by appending the query parameters m and k , for\r\nexample: 2.2.2.2:33080/ws?m=aes-192-cfb\u0026k=password\r\n#1 When multiple upper-level load balancing is a weighting strategy, the weights are rarely used.\r\n6.8 Custom Encryption\r\nThe proxy sps proxy can encrypt tcp data through tls standard encryption and kcp protocol on top of tcp, in addition to\r\nsupport after tls and kcp\r\nCustom encryption, that is, custom encryption and tls|kcp can be used in combination, internally using AES256 encryption,\r\nonly need to define it when using\r\nA password can be used, the encryption is divided into two parts, one part is whether the local (-z) encryption and\r\ndecryption, and the part is the encryption and decryption with the upstream (-Z) transmission.\r\nCustom encryption requires both sides to be proxy.\r\nThe following two levels, three levels for example:\r\nSuppose there is already an http(s) proxy: 6.6.6.6:6666\r\nSecondary instance\r\nExecute on level 1 vps (ip: 2.2.2.2):\r\nproxy sps -S http -T tcp -P 6.6.6.6:6666 -t tcp -z demo_password -p :7777\r\nLocal secondary execution:\r\nproxy sps -T tcp -P 2.2.2.2:777 -Z demo_password -t tcp -p :8080\r\nIn this way, when the website is accessed through the local agent 8080, the target website is accessed through encrypted\r\ntransmission with the upstream.\r\nThree-level instance\r\nhttps://github.com/snail007/goproxy\r\nPage 43 of 60\n\nExecute on level 1 vps (ip: 2.2.2.2):\r\nproxy sps -S http -T tcp -P 6.6.6.6:6666 -t tcp -z demo_password -p :7777\r\nExecute on the secondary vps (ip: 3.3.3.3):\r\nproxy sps -T tcp -P 2.2.2.2:7777 -Z demo_password -t tcp -z other_password -p :8888\r\nLocal three-level execution:\r\nproxy sps -T tcp -P 3.3.3.3:8888 -Z other_password -t tcp -p :8080\r\nIn this way, when the website is accessed through the local agent 8080, the target website is accessed through encrypted\r\ntransmission with the upstream.\r\n6.9 Compressed transmission\r\nThe proxy sps proxy can encrypt tcp data through custom encryption and tls standard encryption and kcp protocol on top of\r\ntcp. It can also be used before custom encryption.\r\nCompress the data, that is, the compression function and the custom encryption and tls|kcp can be used in combination, and\r\nthe compression is divided into two parts.\r\nPart of it is local (-m) compression transmission, and part is whether the transmission with the upstream (-M) is compressed.\r\nCompression requires both sides to be proxy, and compression also protects (encrypts) data to some extent.\r\nThe following two levels, three levels for example:\r\nSecondary instance\r\nExecute on level 1 vps (ip: 2.2.2.2):\r\nproxy sps -t tcp -m -p :7777\r\nLocal secondary execution:\r\nproxy sps -T tcp -P 2.2.2.2:777 -M -t tcp -p :8080\r\nIn this way, when the website is accessed through the local agent 8080, the target website is accessed through compression\r\nwith the upstream.\r\nThree-level instance\r\nExecute on level 1 vps (ip: 2.2.2.2):\r\nproxy sps -t tcp -m -p :7777\r\nExecute on the secondary vps (ip: 3.3.3.3):\r\nproxy sps -T tcp -P 2.2.2.2:7777 -M -t tcp -m -p :8888\r\nLocal three-level execution:\r\nproxy sps -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080\r\nIn this way, when the website is accessed through the local agent 8080, the target website is accessed through compression\r\nwith the upstream.\r\n6.10 Disabling the protocol\r\nBy default, SPS supports http(s) and socks5 two proxy protocols. We can disable a protocol by parameter.\r\nFor example:\r\n1. Disable the HTTP(S) proxy function to retain only the SOCKS5 proxy function, parameter: --disable-http .\r\nproxy sps -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080 --disable-http\r\n2. Disable the SOCKS5 proxy function to retain only the HTTP(S) proxy function, parameter: --disable-socks .\r\nproxy sps -T tcp -P 3.3.3.3:8888 -M -t tcp -p :8080 --disable-socks\r\n6.11 Speed limit\r\nhttps://github.com/snail007/goproxy\r\nPage 44 of 60\n\nSuppose there is a SOCKS5 upstream:\r\nproxy socks -p 2.2.2.2:33080 -z password -t tcp\r\nSPS lower level, speed limit 100K\r\nproxy sps -S socks -P 2.2.2.2:33080 -T tcp -Z password -l 100K -t tcp -p :33080\r\nIt can be specified by the -l parameter, for example: 100K 2000K 1M . 0 means no limit.\r\n6.12 Specifying Outgoing IP\r\nThe --bind-listen parameter can be used to open the client connection with the portal IP, and use the portal IP as the\r\noutgoing IP to access the target website. If the ingress IP is an intranet IP, the egress IP does not use the ingress IP.\r\nproxy sps -S socks -P 2.2.2.2:33080 -T tcp -Z password -l 100K -t tcp --bind-listen -p :33080\r\nFlexible Outgoing IP\r\nAlthough the above --bind-listen parameter can specify the outgoing IP, the entry IP and outgoing IP cannot be\r\ninterfered by humans. If you want the ingress IP to be different from the egress IP, you can use the --bind-ip parameter,\r\nformat: IP:port , for example: 1.1.1.1:8080 , [2000:0:0:0:0:0:0:1]:8080 . For multiple binding requirements, you\r\ncan repeat the --bind-ip parameter.\r\nFor example, the machine has IP 5.5.5.5 , 6.6.6.6 , and monitors two ports 8888 and 7777 , the command is as\r\nfollows:\r\nproxy sps -t tcp -p :8888,:7777 --bind-ip 5.5.5.5:7777 --bind-ip 6.6.6.6:8888\r\nThen the client access port 7777 , the outgoing IP is 5.5.5.5 , access port 8888 , the outgoing IP is 6.6.6.6 , if both --\r\nbind-ip and --bind- are set at the same time listen , --bind-ip has higher priority.\r\nIn addition, the IP part of the --bind-ip parameter supports specifying the network interface name , wildcards , and\r\nmore than one. The details are as follows:\r\nSpecify the network interface name, such as: --bind-ip eth0:7777 , then the client accesses the 7777 port, and the\r\negress IP is the IP of the eth0 network interface.\r\nThe network interface name supports wildcards, for example: --bind-ip eth0.*:7777 , then the client accesses the\r\n7777 port, and the egress IP is a randomly selected one of the network interface IPs starting with eth0. .\r\nIP supports wildcards, such as: --bind-ip 192.168.?.*:7777 , then the client accesses the 7777 port, and the\r\noutgoing IP is all the IPs of the machine, matching the IP of 192.168.?.* A randomly selected one.\r\nIt can also be multiple combinations of network interface name and IP, separated by half-width commas, such as: --\r\nbind-ip pppoe??,192.168.?.*:7777 , then the client accesses the port 7777 , The outgoing IP is the machine's\r\nnetwork interface name matching pppoe?? It is a randomly selected one among all IPs of the machine that matches\r\n192.168.?.* .\r\nThe wildcard character * represents 0 to any number of characters, and ? represents 1 character.\r\nIf the IP of the network interface changes, it will take effect in real time.\r\nYou can use the --bind-refresh parameter to specify the interval to refresh the local network interface information,\r\nthe default is 5 , the unit is second.\r\n6.13 Certificate parameters use base64 data\r\nBy default, the -C, -K parameter is the path to the crt certificate and the key file.\r\nhttps://github.com/snail007/goproxy\r\nPage 45 of 60\n\nIf it is the beginning of base64://, then the latter data is considered to be base64 encoded and will be used after decoding.\r\n6.14 Independent Service\r\nA sps port can complete the full-featured proxy http\\socks\\ss function.\r\nThe following command is to open the http(s)\\ss\\socks service with one click, and enable the udp of socks5 and the udp of\r\nss at the same time.\r\nproxy sps -p: 33080 --ssudp --udp --udp-port 0\r\n6.15 Target Redirection\r\nThe https(s)\\socks5\\ss proxy function provided by the sps function, the client connects to the specified \"target\" through the\r\nsps proxy. This \"target\" is generally a website or an arbitrary tcp address.\r\nThe website \"target\" is generally foo.com: 80, foo.com: 443, sps supports the use of the --rewrite parameter to specify a\r\n\"target\" redirection rule file, redirect the target, the client is non-perceived,\r\nFor example, if you redirect to \"target\": demo.com:80 to 192.168.0.12:80, then the client visits the website demo.com, in\r\nfact, the website service provided by 192.168.0.12.\r\nExample of a \"target\" redirection rule file:\r\n# example\r\nWww.a.com:80 10.0.0.2:8080\r\n**.b.com:80 10.0.0.2:80\r\n192.168.0.11:80 10.0.0.2:8080\r\nWhen sps is an independent service, an additional local socks5 service will be opened to occupy a random port. Now the\r\nparameter --self-port can be manually specified when needed. The default is 0 to use random.\r\n6.16 Fixed UDP PORT\r\nBy default, the port number of the UDP function of ss's socks5 is specified by the rfc1982 draft . It is randomly specified\r\nduring the protocol handshake process and does not need to be specified in advance.\r\nHowever, in some cases, you need to fix the UDP function port. You can fix the port number of the UDP function by the\r\nparameter --udp-port port_number , for example:\r\nproxy sps -t tcp -p \"0.0.0.0:38080\" --udp-port 38081\r\nIt should be noted that the ss function of sps also has UDP function, and the UDP port of ss is the same as the tcp port, so\r\navoid the conflict between the UDP port of socks5 and the UDP port of ss.\r\nTo specify a port that is different from the tcp port.\r\n6.17 Iptables Transparent Proxy\r\nThe sps mode supports the iptables transparent forwarding support of the Linux system, which is commonly referred to as\r\nthe iptables transparent proxy. If a iptables transparent proxy is performed on the gateway device, the device that is\r\nconnected through the gateway can realize a non-aware proxy.\r\nExample start command:\r\nproxy sps --redir -p :8888 -P httpws: //1.1.1.1:33080\r\nHere it is assumed that there is an http superior proxy 1.1.1.1:33080, which uses ws to transmit data.\r\nhttps://github.com/snail007/goproxy\r\nPage 46 of 60\n\nThen add iptables rules, here are the reference rules:\r\n#upstream proxy server IP address:\r\nproxy_server_ip = 1.1.1.1\r\n#Router running proxy listening port:\r\nproxy_local_port = 33080\r\n#There is no need to modify the following\r\n#create a new chain named PROXY\r\niptables -t nat -N PROXY\r\n#Ignore your PROXY server's addresses\r\n#It's very IMPORTANT, just be careful。\r\niptables -t nat -A PROXY -d $proxy_server_ip -j RETURN\r\n#Ignore LANs IP address\r\niptables -t nat -A PROXY -d 0.0.0.0/8 -j RETURN\r\niptables -t nat -A PROXY -d 10.0.0.0/8 -j RETURN\r\niptables -t nat -A PROXY -d 127.0.0.0/8 -j RETURN\r\niptables -t nat -A PROXY -d 169.254.0.0/16 -j RETURN\r\niptables -t nat -A PROXY -d 172.16.0.0/12 -j RETURN\r\niptables -t nat -A PROXY -d 192.168.0.0/16 -j RETURN\r\niptables -t nat -A PROXY -d 224.0.0.0/4 -j RETURN\r\niptables -t nat -A PROXY -d 240.0.0.0/4 -j RETURN\r\n#Anything to port 80 443 should be redirected to PROXY's local port\r\niptables -t nat -A PROXY -p tcp -j REDIRECT --to-ports $proxy_local_port\r\n#Apply the rules to nat client\r\niptables -t nat -A PREROUTING -p tcp -j PROXY\r\n#Apply the rules to localhost\r\niptables -t nat -A OUTPUT -p tcp -j PROXY\r\nClear the entire chain iptables -F chain name such as iptables -t nat -F PROXY\r\nDelete the specified user-defined chain iptables -X chain name e.g. iptables -t nat -X PROXY\r\nDelete rule from selected chain iptables -D chain name rule details e.g. iptables -t nat -D PROXY -d\r\n223.223.192.0/255.255.240.0 -j RETURN\r\n6.19 UDP Compatibility Mode\r\nBy default, the UDP functionality of the SOCKS5 proxy in the proxy operates in accordance with the SOCKS5 RFC 1928\r\nspecification. However, there are certain SOCKS5 clients that do not adhere to the specified rules. To ensure compatibility\r\nwith such clients, the --udp-compat parameter can be added to activate the compatibility mode for SOCKS5 UDP\r\nfunctionality.\r\nAdditionally, the -udp-gc parameter can be utilized to set the maximum idle time for UDP. When this time threshold is\r\nexceeded, UDP connections will be released.\r\n6.20 Custom DNS\r\nThe --dns-address and --dns-ttl parameters are used to specify the dns used by the proxy to access the domain name\r\n( --dns-address ) As well as the number of seconds for caching the parsing results (--dns-ttl) to avoid the interference of the\r\nhttps://github.com/snail007/goproxy\r\nPage 47 of 60\n\nsystem dns on the proxy. The additional caching function can also reduce the dns parsing time and improve the access speed.\r\nTranslation: Agent sps -p \":33080\" --dns-address \"8.8.8.8:53\" --dns-ttl 300\r\nYou can also use the parameter --dns-interface to specify the bandwidth used for dns resolution, for example: --dns-interface eth0 , dns resolution will use the eth0 bandwidth, this parameter must be set to --dns-address to be effective.\r\n6.21 Domain Name Sniffing\r\nWhen a user client connects to the proxy using the SOCKS5 or HTTP proxy protocol, if the client connects with a domain\r\nname, the client can choose to resolve the domain name locally or through the proxy. If the client resolves the domain name\r\nlocally and lets the proxy connect to the resolved IP, then the connection target obtained in the \"API authentication\"\r\nparameters will be the IP or empty.\r\nTo avoid this situation, proxy provides a domain name sniffing feature. When the client connects to the SPS proxy, whether\r\nthrough \"HTTP proxy\" or \"SOCKS5 proxy\", if the client accesses an http or https website, proxy will sniff the domain name\r\nfrom the transmitted data. The sniffed domain name will be placed in the sniff_domain parameter of the \"traffic reporting\"\r\nAPI, so the domain name can be obtained through the \"traffic reporting\" API.\r\nTo enable domain name sniffing, you can use the --sniff-domain parameter.\r\n6.22 Help\r\nproxy help sps\r\n7.KCP Configuration\r\n7.1 Configuration Introduction\r\nMany functions of the proxy support the kcp protocol. Any function that uses the kcp protocol supports the configuration\r\nparameters described here.\r\nTherefore, the KCP configuration parameters are introduced here.\r\n7.2 Detailed configuration\r\nThere are a total of 17 KCP configuration parameters, you can not set them, they have default values, if for the best effect,\r\nYou need to configure the parameters according to your own network conditions. Because the kcp configuration is complex,\r\nit requires a certain network basics.\r\nIf you want to get more detailed configuration and explanation of kcp parameters, please search for yourself. The command\r\nline name for each parameter, along with the default values and simple function descriptions are as follows:\r\n--kcp-key=\"secrect\" pre-shared secret between client and server\r\n--kcp-method=\"aes\" encrypt/decrypt method, can be: aes, aes-128, aes-192, salsa20, blowfish,\r\nTwofish, cast5, 3des, tea, xtea, xor, sm4, none\r\n--kcp-mode=\"fast\" profiles: fast3, fast2, fast, normal, manual\r\n--kcp-mtu=1350 set maximum transmission unit for UDP packets\r\n--kcp-sndwnd=1024 set send window size(num of packets)\r\n--kcp-rcvwnd=1024 set receive window size(num of packets)\r\n--kcp-ds=10 set reed-solomon erasure coding - datashard\r\n--kcp-ps=3 set reed-solomon erasure coding - parityshard\r\n--kcp-dscp=0 set DSCP(6bit)\r\n--kcp-nocomp disable compression\r\n--kcp-acknodelay be carefull! flush ack immediately when a packet is received\r\n--kcp-nodelay=0 be carefull!\r\nhttps://github.com/snail007/goproxy\r\nPage 48 of 60\n\n--kcp-interval=50 be carefull!\r\n--kcp-resend=0 be carefull!\r\n--kcp-nc=0 be carefull! no congestion\r\n--kcp-sockbuf=4194304 be carefull!\r\n--kcp-keepalive=10 be carefull!\r\nTip:\r\nParameters: -- four fast3, fast2, fast, normal modes in kcp-mode,\r\nEquivalent to setting the following four parameters:\r\nNormal: --nodelay=0 --interval=40 --resend=2 --nc=1\r\nFast : --nodelay=0 --interval=30 --resend=2 --nc=1\r\nFast2: --nodelay=1 --interval=20 --resend=2 --nc=1\r\nFast3: --nodelay=1 --interval=10 --resend=2 --nc=1\r\n8. Security DNS\r\n8.1 Introduction\r\nDNS is known as the service provided by UDP port 53, but with the development of the network, some well-known DNS\r\nservers also support TCP mode dns query, such as Google's 8.8.8.8, the DNS anti-pollution server principle of the proxy is to\r\nstart a proxy DNS proxy locally. Server, which uses TCP to perform dns query through the upstream agent. If it\r\ncommunicates with the upstream agent, it can perform secure and pollution-free DNS resolution. It also supports\r\nindependent services, concurrent parsing, and enhanced enhanced hosts file function to support flexible concurrent parsing\r\nand forwarding.\r\nDns resolution order:\r\n1. Use the parameter --hosts to parse.\r\n2. If the domain name to be resolved is not found in 1, it is parsed using the parameter --forward rule.\r\n3. The domain name to be resolved is not found in 1 and 2, and the default --default parsing is used. The default default\r\nbehavior parameter values are three: proxy, direct, and system.\r\nThe three parameter values are explained as follows:\r\nProxy: The domain name is resolved by the dns server specified by the -q parameter.\r\nDirect: Connect to the dns server specified by the -q parameter to resolve the domain name through the local\r\nnetwork.\r\nSystem: resolves the domain name through the system dns.\r\nTip:\r\nThe host file format specified by the --hosts parameter is the same as the system hosts file, and the domain name supports\r\nwildcards. You can refer to the hosts file.\r\nThe parsing forwarding rule file specified by the --forward parameter can be referenced to the resolve.rules file. The domain\r\nname supports wildcards. It supports multiple dns servers for each domain name to be parsed concurrently. Whoever\r\nresolves the fastest resolution will use the resolution result.\r\nThe -q parameter can specify multiple remote dns servers to perform concurrent parsing. Whoever resolves the fastest\r\nparsing success, the default is: 1.1.1.1, 8.8.8.8, 9.9.9.9, multiple comma-separated,\r\nFor example, you can also bring ports: 1.1.1.1, 8.8.8.8#53, 9.9.9.9\r\nIf you are a standalone service, you don't need a upstream:\r\nCan perform:\r\nproxy dns --default system -p :5353\r\nhttps://github.com/snail007/goproxy\r\nPage 49 of 60\n\nOr\r\nproxy dns --default direct -p :5353\r\n8.2 Example of use\r\n8.2.1 Normal HTTP(S) upstream agent\r\nSuppose there is a upstream agent: 2.2.2.2:33080\r\nLocal execution:\r\nproxy dns -S http -T tcp -P 2.2.2.2:33080 -p :53\r\nThen the local UDP port 53 provides DNS resolution.\r\n8.2.2 Ordinary SOCKS5 upstream agent\r\nSuppose there is a upstream agent: 2.2.2.2:33080\r\nLocal execution:\r\nproxy dns -S socks -T tcp -P 2.2.2.2:33080 -p :53\r\nThen the local UDP port 53 provides DNS resolution.\r\n8.2.3 TLS encrypted HTTP(S) upstream agent\r\nSuppose there is a upstream agent: 2.2.2.2:33080\r\nThe commands executed by the upstream agent are:\r\nproxy http -t tls -C proxy.crt -K proxy.key -p :33080\r\nLocal execution:\r\nproxy dns -S http -T tls -P 2.2.2.2:33080 -C proxy.crt -K proxy.key -p :53\r\nThen the local UDP port 53 provides a secure anti-pollution DNS resolution function.\r\n8.2.4 TLS-encrypted SOCKS5 upstream agent\r\nSuppose there is a upstream agent: 2.2.2.2:33080\r\nThe commands executed by the upstream agent are:\r\nproxy socks -t tls -C proxy.crt -K proxy.key -p :33080\r\nLocal execution:\r\nproxy dns -S socks -T tls -P 2.2.2.2:33080 -C proxy.crt -K proxy.key -p :53\r\nThen the local UDP port 53 provides a secure anti-pollution DNS resolution function.\r\n8.2.5 KCP encrypted HTTP(S) upstream agent\r\nSuppose there is a upstream agent: 2.2.2.2:33080\r\nThe commands executed by the upstream agent are:\r\nproxy http -t kcp -p :33080\r\nLocal execution:\r\nproxy dns -S http -T kcp -P 2.2.2.2:33080 -p :53\r\nThen the local UDP port 53 provides a secure anti-pollution DNS resolution function.\r\n8.2.6 KCP encrypted SOCKS5 upstream agent\r\nSuppose there is a upstream agent: 2.2.2.2:33080\r\nThe commands executed by the upstream agent are:\r\nproxy socks -t kcp -p :33080\r\nhttps://github.com/snail007/goproxy\r\nPage 50 of 60\n\nLocal execution:\r\nproxy dns -S socks -T kcp -P 2.2.2.2:33080 -p :53\r\nThen the local UDP port 53 provides a secure anti-pollution DNS resolution function.\r\n8.2.7 Custom encrypted HTTP(S) upstream agent\r\nSuppose there is a upstream agent: 2.2.2.2:33080\r\nThe commands executed by the upstream agent are:\r\nproxy http -t tcp -p :33080 -z password\r\nLocal execution:\r\nproxy dns -S http -T tcp -Z password -P 2.2.2.2:33080 -p :53\r\nThen the local UDP port 53 provides a secure anti-pollution DNS resolution function.\r\n8.2.8 Custom encrypted SOCKS5 upstream agent\r\nSuppose there is a upstream agent: 2.2.2.2:33080\r\nThe commands executed by the upstream agent are:\r\nproxy socks -t kcp -p :33080 -z password\r\nLocal execution:\r\nproxy dns -S socks -T tcp -Z password -P 2.2.2.2:33080 -p :53\r\nThen the local UDP port 53 provides a secure anti-pollution DNS resolution function.\r\n9.API Authentication\r\nThe proxy's http(s)/socks5/sps proxy function supports user-to-agent access via the API.\r\nWhat can I do through the API?\r\nUser dimension, which controls the single connection rate and controls the maximum number of connections, max\r\nconnections count per seconds (QPS).\r\nIP dimension, which controls the single connection rate and controls the maximum number of connections, max\r\nconnections count per seconds (QPS).\r\nDynamic upstream, can dynamically obtain its upstream from the API according to the user or client IP, and support\r\nhttp(s)/socks5/ss upstream.\r\nAuthenticate every connection, regardless of whether client authentication is required.\r\nCache authentication results, time can be set to reduce API pressure.\r\nLimit the total bandwidth speed by user or client ip or server port .\r\nSpecific use\r\nThe proxy's http(s)/socks5/sps proxy API function is controlled by three parameters: --auth-url and --auth-nouser and\r\n--auth-cache .\r\nThe parameter --auth-url is the HTTP API interface address. When the client connects, the proxy will request the url in\r\nGET mode, with the following parameters. If the HTTP status code 204 is returned, the authentication is successful. In other\r\ncases, the authentication fails.\r\nAn example of a complete request API:\r\nhttp://test.com/auth.php?\r\nuser=a\u0026pass=b\u0026client_addr=127.0.0.1:49892\u0026local_addr=127.0.0.1:8100\u0026target=http%3A%2F%2Fwww.baidu.com\u0026service=http\u0026sps\r\nParameter Description\r\nhttps://github.com/snail007/goproxy\r\nPage 51 of 60\n\nuser and pass When the proxy turns on authentication, here is the username and password provided by the client.\r\nclient_addr The address used by the client to access the proxy, format IP: port.\r\nlocal_addr The proxy address accessed by the client, format IP: port.\r\nservice Proxy type, divided into: http, socks.\r\nWhether the sps proxy is provided by sps, 1: yes, 0: no.\r\ntarget The target to be accessed by the client. If it is an http(s) proxy, the target is the specific url accessed; if it is a\r\nsocks5 proxy, the target is empty.\r\nExample\r\nSuppose --auth-url http://127.0.0.1:333/auth.php points to a php interface address.\r\nThe contents of auth.php are as follows:\r\n\u003c?php\r\n#all users and password\r\n$alluser=[\r\n \"user1\"=\u003e\"pass1\",\r\n \"user2\"=\u003e\"pass2\",\r\n \"user3\"=\u003e\"pass3\",\r\n \"user4\"=\u003e\"pass4\",\r\n];\r\n$proxy_ip=$_GET['local_addr'];\r\n$user_ip=$_GET['client_addr'];\r\n$service=$_GET['service'];\r\n$is_sps=$_GET['sps']=='1';\r\n$user=$_GET['user'];\r\n$pass=$_GET['pass'];\r\n$target=$_GET['target'];\r\n//business checking\r\n//....\r\n$ok=false;\r\nforeach ($alluser as $dbuser =\u003e $dbpass) {\r\n if ($user==$dbuser\u0026\u0026$pass==$dbpass){\r\n $ok=true;\r\n break;\r\n }\r\n}\r\n//set the authentication result\r\nif($ok){\r\n header(\"userconns:1000\");\r\n header(\"ipconns:2000\");\r\n header(\"userrate:3000\");\r\n header(\"iprate:8000\");\r\n header(\"userqps:5\");\r\n header(\"ipqps:2\");\r\n header(\"upstream:http://127.0.0.1:3500?parent-type=tcp\");\r\n header(\"outgoing:1.1.1.1\");\r\n header(\"userTotalRate:1024000\");\r\n //header(\"ipTotalRate:10240\");\r\n //header(\"portTotalRate:10240\");\r\n //header(\"RotationTime:60\");\r\nhttps://github.com/snail007/goproxy\r\nPage 52 of 60\n\nheader(\"HTTP/1.1 204 No Content\");\r\n}\r\nHTTP HEADER Explanation\r\nuserconns : The maximum number of connections for the user, not limited to 0 or not set this header.\r\nipconns : The maximum number of connections for the user IP, not limited to 0 or not set this header.\r\nuserrate : User's single TCP connection rate limit, in bytes/second, is not limited to 0 or does not set this header.\r\niprate : The single TCP connection rate limit of the client IP, in bytes/second, not limited to 0 or not set this header.\r\nuserqps : The maximum number of connections per second (QPS) for the user, not limited to 0 or not set this header.\r\nipqps : The maximum number of connections per second (QPS) for the client IP, not limited to 0 or not set this header.\r\nupstream : The upstream used, not empty, or not set this header.\r\noutgoing : The outgoing IP used. This setting is only effective when the upstream is empty. The IP set here must be owned\r\nby the machine where the proxy is located, otherwise, the proxy will not function properly. Starting from version v13.2 ,\r\noutgoing supports multiple subnet formats separated by commas. The proxy will randomly select an IP from the subnet as\r\nthe outgoing IP. This randomness will also be keep when authentication cache is enabled. The following formats are\r\nsupported for subnets:\r\n1. Format: 192.168.1.1 , Description: Single IP, IPv4\r\n2. Format: 3001:cb2:: , Description: Single IP, IPv6\r\n3. Format: 192.168.1.1/24 , Description: CIDR format subnet, IPv4\r\n4. Format: 3001:cb2::/126 , Description: CIDR format subnet, IPv6\r\n5. Format: 192.168.1.1-192.168.1.200 , Description: IP range, IPv4\r\n6. Format: 2311:ca2::-2311:ca2::10 , Description: IP range, IPv6\r\nExample: 192.16.1.1,192.161.1.2,192.168.1.2-192.168.1.255\r\nuserTotalRate : Limit the user total bandwidth speed (bytes per second), unit is byte, not limited to 0 or not set this\r\nheader.\r\nipTotalRate :Limit the client ip total bandwidth speed (bytes per second), unit is byte, not limited to 0 or not set this\r\nheader.\r\nportTotalRate :Limit the server port total bandwidth speed (bytes per second), unit is byte, not limited to 0 or not set\r\nthis header.\r\nRotationTime : (requires version \u003e= v13.2) Controls the time interval, in seconds, for randomly selecting the outgoing\r\nIP. Leave it blank or unset this header if not needed.When the outgoing returned by the API is a subnet, and if you don't want\r\nthe proxy to randomly select a new IP for each client connection, you can use this parameter to control the time interval for\r\nrandom IP selection. If within the interval period, the previously selected IP will be used. If the API does not return the\r\nRotationTime header or if RotationTime is set to 0, the proxy will randomly select an IP from the outgoing subnet as the\r\noutgoing IP for each client connection.\r\nDetails of total bandwidth speed limitation\r\n1. userrate 、 iprate and userTotalRate 、 ipTotalRate 、 portTotalRate can be set at same time, for\r\nexample: set userrate with 1024000 to limit the user's total bandwidth speed to 1M/s of user's all tcp connections.\r\nAnd set userrate with 102400 to limit the user one tcp connection speed to 100K/s.\r\n2. if userTotalRate 、 ipTotalRate 、 portTotalRate set at same time, the valid order is : userTotalRate -\u003e\r\nipTotalRate -\u003e portTotalRate\r\n3. if userTotalRate 、 portTotalRate set at same time, and set --auth-nouser ,all clients that not send username\r\nwill be as an \"empty username\" user,they are using a same limiter.\r\nhttps://github.com/snail007/goproxy\r\nPage 53 of 60\n\nTips\r\n1. By default, --auth-url is required to provide the user name and password. If you do not need the client to provide\r\nthe username and password, and authenticate, you can add --auth-nouser . The visit will still access the\r\nauthentication address --auth-url for authentication. Only the $user authentication username and the $pass\r\nauthentication password received in the php interface are empty when client didn't send username and password.\r\n2. Connection limit priority: User authentication file limit - \"File ip.limit limit -\" API user limit - \"API IP limit -\"\r\ncommand line global connection limit.\r\n3. Rate Limit Priority: User Authentication File Rate Limit - \"File ip.limit Rate Limit -\" API User Rate Limit - \"API IP\r\nRate Limit - \"Command Line Global Rate Limit.\r\n4. The upstream obtains the priority: the upstream of the user authentication file - the file ip.limit upstream-\"API\r\nupstream-\" command line specifies the upstream.\r\n5. --auth-cache authentication cache, cache the authentication result for a certain period of time, improve\r\nperformance, reduce the pressure on the authentication interface, --auth-cache unit seconds, default 0, set 0 to close\r\nthe cache.\r\n6. By default, --auth-cache only caches the results of successful authentication and does not cache the results of\r\nfailed authentication. If you need to cache the failed authentication results for a certain period of time, It can be set\r\nthrough the parameter -auth-fail-cache to improve performance and reduce the pressure on the authentication\r\ninterface. The unit of --auth-fail-cache is seconds. The default is 0. Setting 0 turns off the cache.\r\nupstream detailed description\r\n1. When the parameter sps is 0.\r\nWhen the service is http, upstream only supports http(s) proxy, and does not support authentication. If authentication\r\nis required, it can be replaced by sps. Format:\r\nhttp://127.0.0.1:3100?argk=argv\r\nWhen the service is a socks, the upstream only supports the socks5 proxy. The format is:\r\nsocks5://127.0.0.1:3100?argk=argv\r\nExplanation: http:// , socks5:// is fixed, 127.0.0.1:3100 is the address of the upstream\r\n2. When sps is 1.\r\nUpstream supports socks5, http(s) proxy, support authentication, format: protocol://a:b@2.2.2.2:33080?\r\nargk=argv , please refer to SPS chapter for details, multiple upstreams , the description of the -P parameter.\r\n3. Parameters, ? followed by argk=argv are parameters: parameter name = parameter value, multiple parameters are\r\nconnected with \u0026 .\r\nAll the supported parameters are as follows, and the meaning of the command line with the same name is the same.\r\n1. parent-type : upper-level transport type, support tcp, tls, ws, wss\r\n2. parent-ws-method: The encryption method of the upper-level ws transmission type, the supported value is the\r\nsame as the value range supported by the command line.\r\n3. parent-ws-password: The upper-level ws transmission type encryption password, the alphanumeric password\r\n4. parent-tls-single : Whether the upper-level tls transport type is a one-way tls, which can be: true | false\r\n5. timeout : timeout for establishing tcp connection, number, in milliseconds\r\n6. ca : The base64-encoded string of the upper-level tls transport type ca certificate file.\r\n7. cert : The base64 encoded string of the higher level tls transport type certificate file.\r\n8. key : The base64 encoded string of the higher-level tls transport type certificate key file.\r\n9. luminati:if upstram is luminati proxies,value can be: true or false。\r\nhttps://github.com/snail007/goproxy\r\nPage 54 of 60\n\n4.Upstream supports multiple instances, regardless of whether SPS is 1 or 0, and they are separated by semicolons ;. When\r\nconnecting to an upstream, by default, one upstream is randomly chosen. However, it supports setting the weight parameter\r\nfor each upstream. If the weight is set for any upstream, all upstreams must have the weight parameter set. The weight must\r\nbe greater than 0; otherwise, the weight is considered invalid, and random selection is applied. This selection logic is also\r\nworking after the authentication cache is enabled.\r\nExamples of multiple upstreams:\r\n1. Example without weight settings: http://127.0.0.1:3100?argk=argv;http://127.0.0.2:3100?argk=argv\r\n2. Example with weight settings: http://127.0.0.1:3100?argk=argv\u0026weight=10;http://127.0.0.2:3100?\r\nargk=argv\u0026weight=20\r\nWeight selection logic:\r\nWhen a weight is set for an upstream, it divides the total weight among the upstreams based on their order. For example, if\r\nthere are two upstreams with weights 10 and 20 respectively, the total weight is 30. The first upstream's weight range is 1-\r\n10, and the second upstream's weight range is 11-30. This logic extends to more upstreams. Each time, a random number\r\nwithin the total weight range is chosen, and the corresponding upstream is selected based on this number's range.\r\nTraffic report / Traffic limit / Traffic statistics\r\nThe proxy's http (s) / socks5 / sps / tcp / udp proxy function supports traffic reporting. You can set an http interface address\r\nthrough the parameter --traffic-url . The proxy will report the traffic used for this connection to this\r\naddress.Specifically, the proxy sends an HTTP to GET request to the HTTP URL address set by --traffic-url . There are\r\ntwo reporting modes, which can be specified by the --traffic-mode parameter. It can be reported in the normal mode or in\r\nthe fast mode.\r\n1. Report in normal normal mode\r\nWhen the connection is released, the proxy will report the traffic used for this connection to this --traffic-url\r\naddress.\r\n2. Report in fast mode\r\nFor each connection that has been established, the proxy will timely report the traffic generated by this connection\r\nto this --traffic-url address.\r\nTiming defaults to 5 seconds, and you can modify Timing to the appropriate number of seconds via the parameter\r\n--traffic-interval .\r\n3. Report in fast global mode\r\nBy default, if the API can't handle high concurrency report access, you can use the fast global mode, Use the\r\nparameter --fast-global to open, this parameter is only valid when --traffic-mode=fast . In fast global mode,\r\nfor a --traffic-url , no matter how many concurrent connections there are, only have one reporter, and the\r\nreporting interval is 5 seconds. In this mode, the reporting request method is POST , Content-Type is\r\napplication/json , the post body data is JSON Array , example: [{},{}] , the keys of object in the array are same\r\nwith the following Reqeust parameter description .\r\n4. The traffic reporting function combined with the above API authentication function can control the user's traffic\r\nusage in real time. The traffic is reported to the interface. The interface writes the traffic data to the database, and\r\nthen the authentication API queries the database to determine the traffic usage and determine whether the user can be\r\nsuccessfully authenticated.\r\nThe following is a complete URL request example:\r\nhttps://github.com/snail007/goproxy\r\nPage 55 of 60\n\nhttp://127.0.0.1:33088/user/traffic?bytes=337\u0026client_addr=127.0.0.1%3A51035\u0026id=http\u0026server_addr\r\n=127.0.0.1%3A33088\u0026target_addr=myip.ipip.net%3A80\u0026username=a\u0026sniff_domain=myip.ipip.net\r\nRequest parameter description:\r\nid : service id flag.\r\nserver_addr : proxies's address requested by the client, format: IP: port.\r\nclient_addr : client address, format: IP: port.\r\ntarget_addr : target address, format: \"IP: port\", when tcp / udp proxy, this is empty.\r\nusername : proxy authentication user name, this is empty when tcp / udp proxy.\r\nbytes : the number of traffic bytes used by the user.\r\nout_local_addr : outgoing tcp connection's local address,format: IP: port.\r\nout_remote_addr : outgoing tcp connection's remote address,format: IP: port.\r\nupstream : upstream used by outgoing tcp connection, if none upstream be used, it's empty.\r\nsniff_domain : This parameter is only available when the SPS function is enabled and the --sniff-domain option is used.\r\nThe \"sniff_domain\" parameter is the sniffed domain name, in the format: domain or domain:port; this parameter only has a\r\nvalue when the client accesses an http/https URL, otherwise it is empty.\r\nTips\r\nThe --traffic-url URL must response the HTTP status code 204 . Only when the traffic is reported will the report be\r\nconsidered successful, and if it response other status codes, it will be considered that the reported traffic failed, and the log\r\nwill be output.\r\ntraffic flow\r\nDisconnect the user's connection\r\nThe proxy's http (s) / socks5 / sps proxy function supports a control interface, which can be specified by the parameter --\r\ncontrol-url http interface address, Then the proxy will interval send all the usernames or client IPs currently connected to the\r\nproxy to this URL. Specifically, the proxy sends an HTTP to POST request to the HTTP URL address set by --control-url.\r\ninterval defaults to 30 seconds, this value can be modified via the --control-sleep parameter.\r\nWhen the user expires, or the user's traffic has been used up, the authentication API can only control the user cannot create a\r\nnew connection, but the connection with the proxy has been established and the connection cannot be immediately\r\nhttps://github.com/snail007/goproxy\r\nPage 56 of 60\n\ndisconnected. Then this problem can be solved through the control interface. The control interface will return the content\r\nthrough the control interface in the slowest interval time, and the end is invalid when the user establishes the connection.\r\nRequest Description\r\nAn HTTP POST request will be sent to the control. The interface form has three fields: interface, ip, conns, and the\r\nconns field requires a user whose proxy version is greater than proxy 12.2 .\r\nuser The username currently connected to the agent, multiple separated by commas, for example: user1, user2\r\nip The client IP is connected to the proxy, and multiple clients using English are split addresses, for example: 1.1.1.1,\r\n2.2.2.2\r\nconns The tcp connection information currently connecting to the proxy port to transmit data. The conns value is a json\r\nstring, the format is a sequence of connections, the element is an object, the object contains the details of the connection,\r\nconns format: [{\"id\":\"ab7bf1f10501d6f7\",\"client\":\"127.0.0.1:62112\",\"server\":\"127.0.0.1:9092\",\"user\":\"\"}]\r\nObject field description: id: connection id, client: client's unique IP address and port, server: client's IP and no port access,\r\nuser's connection authentication (null if any)\r\nResponse Data Description\r\nThe data returned by the control interface is invalid user and IP or connection. The format is a json object data. There are\r\nthree fields user, ip, and conns. The conns field requires the proxy version greater than or equal to 12.2 . Format:\r\n{\"user\":\"a,b\",\"ip\":\"\",conns:[\"ab7bf1f10501d6f7\",\"cb7bf1f10501d6f7\"]}\r\nuser : The username currently connected to the proxy, multiple separated by commas, not left blank, for example: user1,\r\nuser2\r\nip : The ip address of the client currently connected to the proxy, multiple separated by commas, not left blank, for\r\nexample: 1.1.1.1, 2.2.2.2\r\nconns : is an array, the element is a connection id, this id is the id field of the connection object in conns in the above\r\nRequest Description .\r\nIntroduce:\r\nThe connection established by the returned user and ip will be disconnected by the proxy.\r\nConnections matching the returned conns will be disconnected by the proxy.\r\nIf the returned data contains both: user or ip, and conns, then the user or ip will be ignored, and only the connection\r\nmatching conns will be disconnected.\r\nWhen the connection is closed, if the authentication cache is enabled, the user or IP authentication cache will be\r\ncleared.\r\nExample\r\nSuppose --control-url http://127.0.0.1:33088/user/control.php points to a PHP interface address. The content of\r\ncontrol.php is as follows:\r\n\u003c?php\r\n#revcieve proxy post data\r\n$userArr=explode(\",\",$_POST['user']);\r\n$ipArr=$_GET['ip'];\r\nhttps://github.com/snail007/goproxy\r\nPage 57 of 60\n\n//invalid users array\r\n$badUsers=[];\r\nforeach ($userArr as $user) {\r\n //logic business, push invalid user into $badUsers\r\n $badUsers[]=$user;\r\n}\r\n$data=[\"user\"=\u003eimplode(\",\"$badUsers),\"ip\"=\u003e\"\",\"conns\"=\u003e[]];\r\necho json_encode($data);\r\n10. Authentication\r\nThe proxy http(s)/socks5/sps proxy function supports the user to access the proxy pair through the configuration file, and\r\nsupports the http(s) proxy ``Proxy Basic proxy authentication` and the socks5 proxy authentication.\r\nstart using\r\nThe proxy's http(s)/socks5/sps proxy function can pass\r\n--auth-file , --max-conns , --ip-limit , --rate-limit , -a These five parameters control.\r\nDetailed explanation of parameters\r\n--auth-file\r\nThe authenticated user name and password file. This parameter specifies a file, one line per rule, in the format: \"username:\r\npassword: number of connections: rate: upstream\".\r\nConnection number is the maximum number of connections for the user. The 'rate' is the maximum speed of each tcp\r\nconnection of the user. The unit is: byte/second. The upper level is the upper level used by the user.\r\nNot only can the authenticated user be set by --auth-file , but also the -a parameter can be set directly. Multiple users\r\ncan repeat multiple -a parameters.\r\nFor example: proxy http -a a:b:0:0: -a c:d:0:0:\r\nExample explanation:\r\nFor example: user:pass:100:10240:http://192.168.1.1:3100\r\nuser is the authentication username\r\npass is the authentication user password (cannot contain a colon:)\r\n100 is the maximum number of connections for this user, not limited to write 0\r\n10240 is the rate limit of this user's single tcp connection, the unit is: byte / sec, no limit write 0\r\nhttp://192.168.1.1:3100 is the upstream used by this user, no space is left blank\r\n--max-conns\r\nLimit the maximum number of global connections for the proxy service, a number, 0 is unrestricted, default is 0.\r\n--ip-limit\r\nControls the number of connections and connection rate of the client IP. This parameter specifies a file, one rule per line, and\r\nthe beginning of # is gaze.\r\nThe sample file ip.limit, the rule format is as follows:\r\n127.0.0.1:100:10240:http://192.168.1.1:3100\r\nRule interpretation:\r\nhttps://github.com/snail007/goproxy\r\nPage 58 of 60\n\n127.0.0.1 is the IP to be restricted\r\n100 is the maximum number of connections for this IP, not limited to write 0\r\n10240 is the rate limit of IP single tcp connection, the unit is: byte / s, no limit write 0\r\nhttp://192.168.1.1:3100 is the upstream used by this IP, and it is not left blank.\r\n--rate-limit\r\nLimit the speed of each tcp connection of the service, for example: 100K 2000K 1M . 0 means unlimited, default 0.\r\n11. Cluster\r\nThe proxy supports the cluster management. The proxy is installed on each machine node as an agent, with the control panel\r\n[ proxyadmin cluster edition ] (https://github.com/snail007/proxy-admin-cluster) Unified management of proxy services\r\non massive machines.\r\nIf the proxy is to be run as an agent, assume that the cluster port address of the control panel is: 1.1.1.1: 55333 .\r\nThe command example is as follows:\r\nproxy agent -k xxx -c 1.1.1.1:55333 -i test\r\nCommand explanation:\r\nagent: is a function parameter, which means running agent mode.\r\n-k : The encryption and decryption key for communication with proxyadmin cluster edition . This key is set in the\r\nconfiguration file of proxyadmin cluster edition .\r\n-c : The cluster port address of proxyadmin cluster edition , format: IP:port.\r\n-i : The unique identifier of the agent ensures that each agent is different. The \"unique identifier\" specified here is used\r\nwhen adding a node to the control panel. The IP is filled with this \"unique identifier\". If -i is not specified, the default is\r\nempty, and the control panel adds the IP field to fill in: the agent's internet IP.\r\n-u: proxy parameter, empty by default. You can specify an agent, and the agent will communicate with the cluster through\r\nthis agent.\r\nThe format is the same as that of --jumper . For details, please refer to the --jumper part of the manual.\r\nnotice:\r\nWhen the client service is configured in the control panel, all nodes use the same key, which leads to only one client\r\nworking. To solve this problem, Client service parameters can use placeholders: {AGENT_ID} to refer to the agent’s id as the\r\nclient’s key, so as to ensure that each client has a unique key.\r\nFor example, client service parameters:\r\nclient -T tcp -P 1.1.1.1:30000 --k {AGENT_ID}\r\n12. http, https website reverse proxy\r\nThe proxy can reverse proxy http and https websites.\r\nThe supported features are as follows:\r\nhttp and https are converted to each other.\r\nhttps://github.com/snail007/goproxy\r\nPage 59 of 60\n\nmultiple upstream.\r\nupstream load balance.\r\nupstream high available.\r\npath mapping.\r\npath protection.\r\nalias names of bindings.\r\nExample, configure file: rhttp.toml 。\r\nproxy rhttp -c rhttp.toml\r\nFor detail usage, please refer to the configuration file rhttp.toml, which has a complete configuration description.\r\nSource: https://github.com/snail007/goproxy\r\nhttps://github.com/snail007/goproxy\r\nPage 60 of 60\n\nListen port argument -p \":8081\" -p can listen on 8081 be: \n-p \":8081,:8082\" listen on 8081 and 8082 \n Page 32 of 60", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://github.com/snail007/goproxy" ], "report_names": [ "goproxy" ], "threat_actors": [ { "id": "2864e40a-f233-4618-ac61-b03760a41cbb", "created_at": "2023-12-01T02:02:34.272108Z", "updated_at": "2026-04-10T02:00:04.97558Z", "deleted_at": null, "main_name": "WildCard", "aliases": [], "source_name": "ETDA:WildCard", "tools": [ "RustDown", "SysJoker" ], "source_id": "ETDA", "reports": null }, { "id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e", "created_at": "2023-11-30T02:00:07.299845Z", "updated_at": "2026-04-10T02:00:03.484788Z", "deleted_at": null, "main_name": "WildCard", "aliases": [], "source_name": "MISPGALAXY:WildCard", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434872, "ts_updated_at": 1775826707, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0232de184c6177c2b0960a07ebd538e9b4d669de.pdf", "text": "https://archive.orkl.eu/0232de184c6177c2b0960a07ebd538e9b4d669de.txt", "img": "https://archive.orkl.eu/0232de184c6177c2b0960a07ebd538e9b4d669de.jpg" } }