@ -269,18 +269,19 @@ By default, the log is displayed directly in the console. If you want to save to
For example: --log proxy.log, the log will be output to the proxy.log to facilitate troubleshooting.
Logging INFO and WARN by default, you can set `--warn` to output warn logging only.
### 5. Generate the certificate file required for encrypted communication
The http, tcp, udp proxy process communicates with the upstream. For security, we use encrypted communication. Of course, we can choose not to encrypt the communication. All the communication and the upstream communication in this tutorial are encrypted, and the certificate file is required.
1. Generate a self-signed certificate and key file with the following command.
`proxy keygen -C proxy`
The certificate file proxy.crt and the key file proxy.key will be generated under the current program directory.
`proxy keygen -C proxy`
The certificate file proxy.crt and the key file proxy.key will be generated under the current program directory.
2. Use the following command to generate a new certificate using the self-signed certificate proxy.crt and the key file proxy.key: goproxy.crt and goproxy.key.
`proxy keygen -s -C proxy -c goproxy`
The certificate file goproxy.crt and the key file goproxy.key will be generated under the current program directory.
`proxy keygen -s -C proxy -c goproxy`
The certificate file goproxy.crt and the key file goproxy.key will be generated under the current program directory.
3. By default, the domain name inside the certificate is random and can be specified using the `-n test.com` parameter.
@ -624,6 +625,8 @@ And the analysis result cache time (--dns-ttl) seconds, to avoid system dns inte
`--dns-address` supports multiple dns addresses, load balancing, separated by comma. For example: `--dns-address "1.1.1.1:53,8.8.8.8:53"`
### 1.12 Custom encryption
The proxy's http(s) proxy can encrypt tcp data via tls standard encryption and kcp protocol on top of tcp, in addition to support customization after tls and kcp.
Encryption, that is to say, custom encryption and tls|kcp can be used in combination. The internal use of AES256 encryption, you only need to define a password when you use it.
@ -857,12 +860,25 @@ In addition, the `IP` part of the `--bind-ip` parameter supports specifying the
### 2.8 Speed limit, connections limit
The parameter `--max-conns` can limit the maximum number of connections per port.
For example, limit the maximum number of connections per port:
2. If the domain name to be resolved is not found in 1, it is parsed using the parameter --forward rule.
3. The domain name to be resolved is not found in 1 and 2, and the default --default parsing is used. The default default behavior parameter values are three: proxy, direct, and system.
The three parameter values are explained as follows:
Proxy: The domain name is resolved by the dns server specified by the -q parameter.
Direct: Connect to the dns server specified by the -q parameter to resolve the domain name through the local network.
System: resolves the domain name through the system dns.
The three parameter values are explained as follows:
Proxy: The domain name is resolved by the dns server specified by the -q parameter.
Direct: Connect to the dns server specified by the -q parameter to resolve the domain name through the local network.
System: resolves the domain name through the system dns.
Tip:
The host file format specified by the --hosts parameter is the same as the system hosts file, and the domain name supports wildcards. You can refer to the hosts file.
The parsing forwarding rule file specified by the --forward parameter can be referenced to the resolve.rules file. The domain name supports wildcards. It supports multiple dns servers for each domain name to be parsed concurrently. Whoever resolves the fastest resolution will use the resolution result.
The -q parameter can specify multiple remote dns servers to perform concurrent parsing. Whoever resolves the fastest parsing success, the default is: 1.1.1.1, 8.8.8.8, 9.9.9.9, multiple comma-separated,
For example, you can also bring ports: 1.1.1.1, 8.8.8.8#53, 9.9.9.9
For example, you can also bring ports: 1.1.1.1, 8.8.8.8#53, 9.9.9.9
If you are a standalone service, you don't need a upstream:
Can perform:
@ -1887,6 +1903,7 @@ The proxy's http(s)/socks5/sps proxy function supports user-to-agent access via
- Dynamic upstream, can dynamically obtain its upstream from the API according to the user or client IP, and support http(s)/socks5/ss upstream.
- Authenticate every connection, regardless of whether client authentication is required.
- Cache authentication results, time can be set to reduce API pressure.
- Limit the total bandwidth speed by `user` or `client ip` or `server port`.
#### Specific use
The proxy's http(s)/socks5/sps proxy API function is controlled by three parameters: `--auth-url` and `--auth-nouser` and `--auth-cache`.
`ipqps`: The maximum number of connections per second (QPS) for the client IP, not limited to 0 or not set this header.
`upstream`: The upstream used, not empty, or not set this header.
`outgoing`: The outgoing ip,this option only working which upstream is empty. And the IP must belong to the machine running proxy。
`userTotalRate`: Limit the `user` total bandwidth speed (bytes per second), unit is byte, not limited to 0 or not set this header.
`ipTotalRate`:Limit the `client ip` total bandwidth speed (bytes per second), unit is byte, not limited to 0 or not set this header.
`portTotalRate`:Limit the `server port` total bandwidth speed (bytes per second), unit is byte, not limited to 0 or not set this header.
#### Details of total bandwidth speed limitation
1. `userrate`、`iprate` and `userTotalRate`、`ipTotalRate`、`portTotalRate` can be set at same time,
for example: set `userrate` with 1024000 to limit the user's total bandwidth speed to 1M/s of user's all tcp connections. And set `userrate` with 102400 to limit the user one tcp connection speed to 100K/s.
2. if `userTotalRate`、`ipTotalRate` 、`portTotalRate` set at same time, the valid order is : `userTotalRate` -> `ipTotalRate` -> `portTotalRate`
3. if `userTotalRate`、`portTotalRate` set at same time, and set `--auth-nouser`,all clients that not send username will be as an "empty username" user,they are using a same limiter.
#### Tips
1. By default, `--auth-url` is required to provide the user name and password. If you do not need the client to provide the username and password, and authenticate, you can add `--auth-nouser`. The visit will still access the authentication address `--auth-url` for authentication. Only the $user authentication username and the $pass authentication password received in the php interface are empty when client didn't send username and password.
2. Connection limit priority: User authentication file limit - "File ip.limit limit -" API user limit - "API IP limit -" command line global connection limit.
3. Rate Limit Priority: User Authentication File Rate Limit - "File ip.limit Rate Limit -" API User Rate Limit - "API IP Rate Limit - "Command Line Global Rate Limit.
3. The upstream obtains the priority: the upstream of the user authentication file - the file ip.limit upstream-"API upstream-" command line specifies the upstream.
4.`--auth-cache` authentication cache, cache the authentication result for a certain period of time, improve performance, reduce the pressure on the authentication interface, --auth-cache unit seconds, default 0, set 0 to close the cache.
4.`--auth-cache` authentication cache, cache the authentication result for a certain period of time, improve performance, reduce the pressure on the authentication interface, --auth-cache unit seconds, default 0, set 0 to close the cache.
#### upstream detailed description
1. When the parameter `sps` is 0.
When the service is http, upstream only supports http(s) proxy, and does not support authentication. If authentication is required, it can be replaced by sps. Format:
`http://127.0.0.1:3100?argk=argv`
When the service is a socks, the upstream only supports the socks5 proxy. The format is:
`socks5://127.0.0.1:3100?argk=argv`
When the service is http, upstream only supports http(s) proxy, and does not support authentication. If authentication is required, it can be replaced by sps. Format:
`http://127.0.0.1:3100?argk=argv`
When the service is a socks, the upstream only supports the socks5 proxy. The format is:
`socks5://127.0.0.1:3100?argk=argv`
Explanation: `http://`,`socks5://` is fixed, `127.0.0.1:3100` is the address of the upstream
2. When `sps` is 1.
Upstream supports socks5, http(s) proxy, support authentication, format: `protocol://a:b@2.2.2.2:33080?argk=argv`, please refer to SPS chapter for details, **multiple upstreams** , the description of the `-P` parameter.
Upstream supports socks5, http(s) proxy, support authentication, format: `protocol://a:b@2.2.2.2:33080?argk=argv`, please refer to SPS chapter for details, **multiple upstreams** , the description of the `-P` parameter.
3. Parameters, `?` followed by `argk=argv` are parameters: parameter name = parameter value, multiple parameters are connected with `&`.
All the supported parameters are as follows, and the meaning of the command line with the same name is the same.
All the supported parameters are as follows, and the meaning of the command line with the same name is the same.
1. parent-type : upper-level transport type, support tcp, tls, ws, wss
2. parent-ws-method: The encryption method of the upper-level ws transmission type, the supported value is the same as the value range supported by the command line.
@ -1997,11 +2026,11 @@ The proxy will report the traffic used for this connection to this address.Speci
There are two reporting modes, which can be specified by the `--traffic-mode` parameter. It can be reported in the normal mode or in the fast mode.
1. Report in `normal` normal mode
When the connection is released, the proxy will report the traffic used for this connection to this `--traffic-url` address.
When the connection is released, the proxy will report the traffic used for this connection to this `--traffic-url` address.
2. Report in `fast` mode
For each connection that has been established, the proxy will `timely` report the traffic generated by this connection to this` --traffic-url` address.
`Timing` defaults to 5 seconds, and you can modify` Timing` to the appropriate number of seconds via the parameter `--traffic-interval`.
For each connection that has been established, the proxy will `timely` report the traffic generated by this connection to this` --traffic-url` address.
`Timing` defaults to 5 seconds, and you can modify` Timing` to the appropriate number of seconds via the parameter `--traffic-interval`.
The traffic reporting function combined with the above API authentication function can control the user's traffic usage in real time. The traffic is reported to the interface. The interface writes the traffic data to the database, and then the authentication API queries the database to determine the traffic usage and determine whether the user can be successfully authenticated.
@ -2153,7 +2182,7 @@ agent: is a function parameter, which means running agent mode.
If -i is not specified, the default is empty, and the control panel adds the IP field to fill in: the agent's internet IP.
-u: proxy parameter, empty by default. You can specify an agent, and the agent will communicate with the cluster through this agent.
The format is the same as that of `--jumper`. For details, please refer to the `--jumper` part of the manual.
The format is the same as that of `--jumper`. For details, please refer to the `--jumper` part of the manual.
@ -62,18 +62,19 @@ By default, the log is displayed directly in the console. If you want to save to
For example: --log proxy.log, the log will be output to the proxy.log to facilitate troubleshooting.
Logging INFO and WARN by default, you can set `--warn` to output warn logging only.
### 5. Generate the certificate file required for encrypted communication
The http, tcp, udp proxy process communicates with the upstream. For security, we use encrypted communication. Of course, we can choose not to encrypt the communication. All the communication and the upstream communication in this tutorial are encrypted, and the certificate file is required.
1. Generate a self-signed certificate and key file with the following command.
`proxy keygen -C proxy`
The certificate file proxy.crt and the key file proxy.key will be generated under the current program directory.
`proxy keygen -C proxy`
The certificate file proxy.crt and the key file proxy.key will be generated under the current program directory.
2. Use the following command to generate a new certificate using the self-signed certificate proxy.crt and the key file proxy.key: goproxy.crt and goproxy.key.
`proxy keygen -s -C proxy -c goproxy`
The certificate file goproxy.crt and the key file goproxy.key will be generated under the current program directory.
`proxy keygen -s -C proxy -c goproxy`
The certificate file goproxy.crt and the key file goproxy.key will be generated under the current program directory.
3. By default, the domain name inside the certificate is random and can be specified using the `-n test.com` parameter.
@ -417,6 +418,8 @@ And the analysis result cache time (--dns-ttl) seconds, to avoid system dns inte
`--dns-address` supports multiple dns addresses, load balancing, separated by comma. For example: `--dns-address "1.1.1.1:53,8.8.8.8:53"`
### 1.12 Custom encryption
The proxy's http(s) proxy can encrypt tcp data via tls standard encryption and kcp protocol on top of tcp, in addition to support customization after tls and kcp.
Encryption, that is to say, custom encryption and tls|kcp can be used in combination. The internal use of AES256 encryption, you only need to define a password when you use it.
@ -650,12 +653,25 @@ In addition, the `IP` part of the `--bind-ip` parameter supports specifying the
### 2.8 Speed limit, connections limit
The parameter `--max-conns` can limit the maximum number of connections per port.
For example, limit the maximum number of connections per port:
2. If the domain name to be resolved is not found in 1, it is parsed using the parameter --forward rule.
3. The domain name to be resolved is not found in 1 and 2, and the default --default parsing is used. The default default behavior parameter values are three: proxy, direct, and system.
The three parameter values are explained as follows:
Proxy: The domain name is resolved by the dns server specified by the -q parameter.
Direct: Connect to the dns server specified by the -q parameter to resolve the domain name through the local network.
System: resolves the domain name through the system dns.
The three parameter values are explained as follows:
Proxy: The domain name is resolved by the dns server specified by the -q parameter.
Direct: Connect to the dns server specified by the -q parameter to resolve the domain name through the local network.
System: resolves the domain name through the system dns.
Tip:
The host file format specified by the --hosts parameter is the same as the system hosts file, and the domain name supports wildcards. You can refer to the hosts file.
The parsing forwarding rule file specified by the --forward parameter can be referenced to the resolve.rules file. The domain name supports wildcards. It supports multiple dns servers for each domain name to be parsed concurrently. Whoever resolves the fastest resolution will use the resolution result.
The -q parameter can specify multiple remote dns servers to perform concurrent parsing. Whoever resolves the fastest parsing success, the default is: 1.1.1.1, 8.8.8.8, 9.9.9.9, multiple comma-separated,
For example, you can also bring ports: 1.1.1.1, 8.8.8.8#53, 9.9.9.9
For example, you can also bring ports: 1.1.1.1, 8.8.8.8#53, 9.9.9.9
If you are a standalone service, you don't need a upstream:
Can perform:
@ -1680,6 +1696,7 @@ The proxy's http(s)/socks5/sps proxy function supports user-to-agent access via
- Dynamic upstream, can dynamically obtain its upstream from the API according to the user or client IP, and support http(s)/socks5/ss upstream.
- Authenticate every connection, regardless of whether client authentication is required.
- Cache authentication results, time can be set to reduce API pressure.
- Limit the total bandwidth speed by `user` or `client ip` or `server port`.
#### Specific use
The proxy's http(s)/socks5/sps proxy API function is controlled by three parameters: `--auth-url` and `--auth-nouser` and `--auth-cache`.
`ipqps`: The maximum number of connections per second (QPS) for the client IP, not limited to 0 or not set this header.
`upstream`: The upstream used, not empty, or not set this header.
`outgoing`: The outgoing ip,this option only working which upstream is empty. And the IP must belong to the machine running proxy。
`userTotalRate`: Limit the `user` total bandwidth speed (bytes per second), unit is byte, not limited to 0 or not set this header.
`ipTotalRate`:Limit the `client ip` total bandwidth speed (bytes per second), unit is byte, not limited to 0 or not set this header.
`portTotalRate`:Limit the `server port` total bandwidth speed (bytes per second), unit is byte, not limited to 0 or not set this header.
#### Details of total bandwidth speed limitation
1. `userrate`、`iprate` and `userTotalRate`、`ipTotalRate`、`portTotalRate` can be set at same time,
for example: set `userrate` with 1024000 to limit the user's total bandwidth speed to 1M/s of user's all tcp connections. And set `userrate` with 102400 to limit the user one tcp connection speed to 100K/s.
2. if `userTotalRate`、`ipTotalRate` 、`portTotalRate` set at same time, the valid order is : `userTotalRate` -> `ipTotalRate` -> `portTotalRate`
3. if `userTotalRate`、`portTotalRate` set at same time, and set `--auth-nouser`,all clients that not send username will be as an "empty username" user,they are using a same limiter.
#### Tips
1. By default, `--auth-url` is required to provide the user name and password. If you do not need the client to provide the username and password, and authenticate, you can add `--auth-nouser`. The visit will still access the authentication address `--auth-url` for authentication. Only the $user authentication username and the $pass authentication password received in the php interface are empty when client didn't send username and password.
2. Connection limit priority: User authentication file limit - "File ip.limit limit -" API user limit - "API IP limit -" command line global connection limit.
3. Rate Limit Priority: User Authentication File Rate Limit - "File ip.limit Rate Limit -" API User Rate Limit - "API IP Rate Limit - "Command Line Global Rate Limit.
3. The upstream obtains the priority: the upstream of the user authentication file - the file ip.limit upstream-"API upstream-" command line specifies the upstream.
4.`--auth-cache` authentication cache, cache the authentication result for a certain period of time, improve performance, reduce the pressure on the authentication interface, --auth-cache unit seconds, default 0, set 0 to close the cache.
4.`--auth-cache` authentication cache, cache the authentication result for a certain period of time, improve performance, reduce the pressure on the authentication interface, --auth-cache unit seconds, default 0, set 0 to close the cache.
#### upstream detailed description
1. When the parameter `sps` is 0.
When the service is http, upstream only supports http(s) proxy, and does not support authentication. If authentication is required, it can be replaced by sps. Format:
`http://127.0.0.1:3100?argk=argv`
When the service is a socks, the upstream only supports the socks5 proxy. The format is:
`socks5://127.0.0.1:3100?argk=argv`
When the service is http, upstream only supports http(s) proxy, and does not support authentication. If authentication is required, it can be replaced by sps. Format:
`http://127.0.0.1:3100?argk=argv`
When the service is a socks, the upstream only supports the socks5 proxy. The format is:
`socks5://127.0.0.1:3100?argk=argv`
Explanation: `http://`,`socks5://` is fixed, `127.0.0.1:3100` is the address of the upstream
2. When `sps` is 1.
Upstream supports socks5, http(s) proxy, support authentication, format: `protocol://a:b@2.2.2.2:33080?argk=argv`, please refer to SPS chapter for details, **multiple upstreams** , the description of the `-P` parameter.
Upstream supports socks5, http(s) proxy, support authentication, format: `protocol://a:b@2.2.2.2:33080?argk=argv`, please refer to SPS chapter for details, **multiple upstreams** , the description of the `-P` parameter.
3. Parameters, `?` followed by `argk=argv` are parameters: parameter name = parameter value, multiple parameters are connected with `&`.
All the supported parameters are as follows, and the meaning of the command line with the same name is the same.
All the supported parameters are as follows, and the meaning of the command line with the same name is the same.
1. parent-type : upper-level transport type, support tcp, tls, ws, wss
2. parent-ws-method: The encryption method of the upper-level ws transmission type, the supported value is the same as the value range supported by the command line.
@ -1790,11 +1819,11 @@ The proxy will report the traffic used for this connection to this address.Speci
There are two reporting modes, which can be specified by the `--traffic-mode` parameter. It can be reported in the normal mode or in the fast mode.
1. Report in `normal` normal mode
When the connection is released, the proxy will report the traffic used for this connection to this `--traffic-url` address.
When the connection is released, the proxy will report the traffic used for this connection to this `--traffic-url` address.
2. Report in `fast` mode
For each connection that has been established, the proxy will `timely` report the traffic generated by this connection to this` --traffic-url` address.
`Timing` defaults to 5 seconds, and you can modify` Timing` to the appropriate number of seconds via the parameter `--traffic-interval`.
For each connection that has been established, the proxy will `timely` report the traffic generated by this connection to this` --traffic-url` address.
`Timing` defaults to 5 seconds, and you can modify` Timing` to the appropriate number of seconds via the parameter `--traffic-interval`.
The traffic reporting function combined with the above API authentication function can control the user's traffic usage in real time. The traffic is reported to the interface. The interface writes the traffic data to the database, and then the authentication API queries the database to determine the traffic usage and determine whether the user can be successfully authenticated.
@ -1946,7 +1975,7 @@ agent: is a function parameter, which means running agent mode.
If -i is not specified, the default is empty, and the control panel adds the IP field to fill in: the agent's internet IP.
-u: proxy parameter, empty by default. You can specify an agent, and the agent will communicate with the cluster through this agent.
The format is the same as that of `--jumper`. For details, please refer to the `--jumper` part of the manual.
The format is the same as that of `--jumper`. For details, please refer to the `--jumper` part of the manual.