python-proxy
============
|made-with-python| |PyPI-version| |Hit-Count| |Downloads| |Downloads-month| |Downloads-week|
.. |made-with-python| image:: https://img.shields.io/badge/Made%20with-Python-1f425f.svg
:target: https://www.python.org/
.. |PyPI-version| image:: https://badge.fury.io/py/pproxy.svg
:target: https://pypi.python.org/pypi/pproxy/
.. |Hit-Count| image:: http://hits.dwyl.io/qwj/python-proxy.svg
:target: https://pypi.python.org/pypi/pproxy/
.. |Downloads| image:: https://pepy.tech/badge/pproxy
:target: https://pepy.tech/project/pproxy
.. |Downloads-month| image:: https://pepy.tech/badge/pproxy/month
:target: https://pepy.tech/project/pproxy
.. |Downloads-week| image:: https://pepy.tech/badge/pproxy/week
:target: https://pepy.tech/project/pproxy
HTTP/HTTP2/HTTP3/Socks4/Socks5/Shadowsocks/SSH/Redirect/Pf/QUIC TCP/UDP asynchronous tunnel proxy implemented in Python3 asyncio.
QuickStart
----------
.. code:: rst
$ pip3 install pproxy
Successfully installed pproxy-1.9.5
$ pproxy
Serving on :8080 by http,socks4,socks5
^C
$ pproxy -l ss://chacha20:abc@:8080
Serving on :8080 by ss (chacha20-py)
Optional: (better performance with C ciphers)
.. code:: rst
$ pip3 install pproxy[accelerated]
Successfully installed pycryptodome-3.6.4
Apply OS system-wide proxy: (MacOS, Windows)
.. code:: rst
$ pproxy -r ss://chacha20:abc@server_ip:8080 --sys -vv
Serving on :8080 by http,socks4,socks5
System proxy setting -> socks5 localhost:8080
socks5 ::1:57345 -> ss server_ip:8080 -> slack.com:443
socks5 ::1:57345 -> ss server_ip:8080 -> www.google.com:443
..... (all local traffic log) ......
Apply CLI proxy: (MacOS, Linux)
.. code:: rst
$ export http_proxy=http://localhost:8080
$ export https_proxy=http://localhost:8080
Run With Docker
---------------
`pproxy` Docker container has both python3 (with Cryptodome for performance optimizations) and `pypy` versions available.
Python3:
``docker run -it -p 8080:8080 mosajjal/pproxy:latest -l http://:8080 -vv``
Pypy3:
``docker run -it -p 8080:8080 mosajjal/pproxy:latest-pypy -l http://:8080 -vv``
Features
--------
- Lightweight single-thread asynchronous IO.
- Pure python, no additional library required.
- Proxy client/server for TCP/UDP.
- Schedule (load balance) among remote servers.
- Incoming traffic auto-detect.
- Tunnel/jump/backward-jump support.
- Unix domain socket support.
- HTTP v2, HTTP v3 (QUIC)
- User/password authentication support.
- Filter/block hostname by regex patterns.
- SSL/TLS client/server support.
- Shadowsocks OTA (One-Time-Auth_), SSR plugins.
- Statistics by bandwidth and traffic.
- PAC support for javascript configuration.
- Iptables/Pf NAT redirect packet tunnel.
- System proxy auto-setting support.
- Client/Server API provided.
.. _One-Time-Auth: https://shadowsocks.org/en/spec/one-time-auth.html
Protocols
---------
+-------------------+------------+------------+------------+------------+--------------+
| Name | TCP server | TCP client | UDP server | UDP client | scheme |
+===================+============+============+============+============+==============+
| http (connect) | ✔ | ✔ | | | http:// |
+-------------------+ +------------+------------+------------+--------------+
| http | | ✔ | | | httponly:// |
| (get,post,etc) | | | | | (as client) |
+-------------------+------------+------------+------------+------------+--------------+
| http v2 (connect) | ✔ | ✔ | | | h2:// |
+-------------------+------------+------------+------------+------------+--------------+
| http v3 (connect) | ✔ by UDP | ✔ by UDP | | | h3:// |
+-------------------+------------+------------+------------+------------+--------------+
| https | ✔ | ✔ | | | http+ssl:// |
+-------------------+------------+------------+------------+------------+--------------+
| socks4 | ✔ | ✔ | | | socks4:// |
+-------------------+------------+------------+------------+------------+--------------+
| socks5 | ✔ | ✔ | ✔ udp-only | ✔ udp-only | socks5:// |
+-------------------+------------+------------+------------+------------+--------------+
| socks5 over TLS | ✔ | ✔ | | | socks5+ssl://|
+-------------------+------------+------------+------------+------------+--------------+
| shadowsocks | ✔ | ✔ | ✔ | ✔ | ss:// |
+-------------------+------------+------------+------------+------------+--------------+
| shadowsocks aead | ✔ | ✔ | | | ss:// |
+-------------------+------------+------------+------------+------------+--------------+
| shadowsocksR | ✔ | ✔ | | | ssr:// |
+-------------------+------------+------------+------------+------------+--------------+
| trojan | ✔ | ✔ | | | trojan:// |
+-------------------+------------+------------+------------+------------+--------------+
| ssh tunnel | | ✔ | | | ssh:// |
+-------------------+------------+------------+------------+------------+--------------+
| quic | ✔ by UDP | ✔ by UDP | ✔ | ✔ | http+quic:// |
+-------------------+------------+------------+------------+------------+--------------+
| iptables nat | ✔ | | | | redir:// |
+-------------------+------------+------------+------------+------------+--------------+
| pfctl nat (macos) | ✔ | | | | pf:// |
+-------------------+------------+------------+------------+------------+--------------+
| echo | ✔ | | ✔ | | echo:// |
+-------------------+------------+------------+------------+------------+--------------+
| tunnel | ✔ | ✔ | ✔ | ✔ | tunnel:// |
| (raw socket) | | | | | tunnel{ip}://|
+-------------------+------------+------------+------------+------------+--------------+
| websocket | ✔ | ✔ | | | ws:// |
| (simple tunnel) | | | | | ws{dst_ip}://|
+-------------------+------------+------------+------------+------------+--------------+
| xxx over TLS | ✔ | ✔ | | | xxx+ssl:// |
+-------------------+------------+------------+------------+------------+--------------+
| AUTO DETECT | ✔ | | ✔ | | a+b+c+d:// |
+-------------------+------------+------------+------------+------------+--------------+
Scheduling Algorithms
---------------------
+-------------------+------------+------------+------------+------------+
| Name | TCP | UDP | Parameter | Default |
+===================+============+============+============+============+
| first_available | ✔ | ✔ | -s fa | ✔ |
+-------------------+------------+------------+------------+------------+
| round_robin | ✔ | ✔ | -s rr | |
+-------------------+------------+------------+------------+------------+
| random_choice | ✔ | ✔ | -s rc | |
+-------------------+------------+------------+------------+------------+
| least_connection | ✔ | | -s lc | |
+-------------------+------------+------------+------------+------------+
Requirement
-----------
pycryptodome_ is an optional library to enable faster (C version) cipher. **pproxy** has many built-in pure python ciphers. They are lightweight and stable, but slower than C ciphers. After speedup with PyPy_, pure python ciphers can get similar performance as C version. If the performance is important and don't have PyPy_, install pycryptodome_ instead.
asyncssh_ is an optional library to enable ssh tunnel client support.
These are some performance benchmarks between Python and C ciphers (dataset: 8M):
+---------------------+----------------+
| chacha20-c | 0.64 secs |
+---------------------+----------------+
| chacha20-py (pypy3) | 1.32 secs |
+---------------------+----------------+
| chacha20-py | 48.86 secs |
+---------------------+----------------+
PyPy3 Quickstart:
.. code:: rst
$ pypy3 -m ensurepip
$ pypy3 -m pip install asyncio pproxy
.. _pycryptodome: https://pycryptodome.readthedocs.io/en/latest/src/introduction.html
.. _asyncssh: https://asyncssh.readthedocs.io/en/latest/
.. _PyPy: http://pypy.org
Usage
-----
.. code:: rst
$ pproxy -h
usage: pproxy [-h] [-l LISTEN] [-r RSERVER] [-ul ULISTEN] [-ur URSERVER]
[-b BLOCK] [-a ALIVED] [-v] [--ssl SSLFILE] [--pac PAC]
[--get GETS] [--sys] [--test TESTURL] [--version]
Proxy server that can tunnel among remote servers by regex rules. Supported
protocols: http,socks4,socks5,shadowsocks,shadowsocksr,redirect,pf,tunnel
optional arguments:
-h, --help show this help message and exit
-l LISTEN tcp server uri (default: http+socks4+socks5://:8080/)
-r RSERVER tcp remote server uri (default: direct)
-ul ULISTEN udp server setting uri (default: none)
-ur URSERVER udp remote server uri (default: direct)
-b BLOCK block regex rules
-a ALIVED interval to check remote alive (default: no check)
-s {fa,rr,rc,lc} scheduling algorithm (default: first_available)
-v print verbose output
--ssl SSLFILE certfile[,keyfile] if server listen in ssl mode
--pac PAC http PAC path
--get GETS http custom {path,file}
--sys change system proxy setting (mac, windows)
--test TEST test this url for all remote proxies and exit
--version show program's version number and exit
Online help: <https://github.com/qwj/python-proxy>
URI Syntax
----------
.. code:: rst
{scheme}://[{cipher}@]{netloc}/[@{localbind}][,{plugins}][?{rules}][#{auth}]
- scheme
- Currently supported scheme: http, socks, ss, ssl, secure. You can use + to link multiple protocols together.
+----------+-----------------------------+
| http | http protocol (CONNECT) |
+----------+-----------------------------+
| httponly | http protocol (GET/POST) |
+----------+-----------------------------+
| socks4 | socks4 protocol |
+----------+-----------------------------+
| socks5 | socks5 protocol |
+----------+-----------------------------+
| ss | shadowsocks protocol |
+----------+-----------------------------+
| ssr | shadowsocksr (SSR) protocol |
+----------+-----------------------------+
| trojan | trojan_ protocol |
+----------+-----------------------------+
| ssh | ssh client tunnel |
+----------+-----------------------------+
| redir | redirect (iptables nat) |
+----------+-----------------------------+
| pf | pfctl (macos pf nat) |
+----------+-----------------------------+
| ssl | unsecured ssl/tls (no cert) |
+----------+-----------------------------+
| secure | secured ssl/tls (cert) |
+----------+-----------------------------+
| tunnel | raw connection |
+----------+-----------------------------+
| ws | websocket connection |
+----------+-----------------------------+
| echo | echo-back service |
+----------+-----------------------------+
| direct | direct connection |
+----------+-----------------------------+
.. _trojan: https://trojan-gfw.github.io/trojan/protocol
- "http://" accepts GET/POST/CONNECT as server, sends CONNECT as client. "httponly://" sends "GET/POST" as client, works only on http traffic.
- Valid schemes: http://, http+socks4+socks5://, http+ssl://, ss+secure://, http+socks5+ss://
- Invalid schemes: ssl://, secure://
- cipher
- Cipher's format: "cipher_name:cipher_key". Cipher can be base64-encoded. So cipher string with "YWVzLTEyOC1nY206dGVzdA==" is equal to "aes-128-gcm:test".
- Full cipher support list:
+-----------------+------------+-----------+-------------+
| Cipher | Key Length | IV Length | Score (0-5) |
+=================+============+===========+=============+
| table-py | any | 0 | 0 (lowest) |
+-----------------+------------+-----------+-------------+
| rc4 | 16 | 0 | 0 (lowest) |
+-----------------+------------+-----------+-------------+
| rc4-md5 | 16 | 16 | 0.5 |
+-----------------+------------+-----------+-------------+
| chacha20 | 32 | 8 | 5 (highest) |
+-----------------+------------+-----------+-------------+
| chacha20-ietf | 32 | 12 | 5 |
+-----------------+------------+-----------+-------------+
| chacha20-ietf- | | | |
| poly1305-py | 32 | 32 | AEAD |
+-----------------+------------+-----------+-------------+
| salsa20 | 32 | 8 | 4.5 |
+-----------------+------------+-----------+-------------+
| aes-128-cfb | 16 | 16 | 3 |
| | | | |
| aes-128-cfb8 | | | |
| | | | |
| aes-128-cfb1-py | | | slow |
+-----------------+------------+-----------+-------------+
| aes-192-cfb | 24 | 16 | 3.5 |
| | | | |
| aes-192-cfb8 | | | |
| | | | |
| aes-192-cfb1-py | | | slow |
+-----------------+------------+-----------+-------------+
| aes-256-cfb | 32 | 16 | 4.5 |
| | | | |
| aes-256-ctr | | | |
| | | | |
| aes-256-ofb | | | |
| | | | |
| aes-256-cfb8 | | | |
| | | | |
| aes-256-cfb1-py | | | slow |
+-----------------+------------+-----------+-------------+
| aes-256-gcm | 32 | 32 | AEAD |
| | | | |
| aes-192-gcm | 24 | 24 | AEAD |
| | | | |
| aes-128-gcm | 16 | 16 | AEAD |
+-----------------+------------+-----------+-------------+
| camellia-256-cfb| 32 | 16 | 4 |
| | | | |
| camellia-192-cfb| 24 | 16 | 4 |
| | | | |
| camellia-128-cfb| 16 | 16 | 4 |
+-----------------+------------+-----------+-------------+
| bf-cfb | 16 | 8 | 1 |
+-----------------+------------+-----------+-------------+
| cast5-cfb | 16 | 8 | 2.5 |
+-----------------+------------+-----------+-------------+
| des-cfb | 8 | 8 | 1.5 |
+-----------------+------------+-----------+-------------+
| rc2-cfb-py | 16 | 8 | 2 |
+-----------------+------------+-----------+-------------+
| idea-cfb-py | 16 | 8 | 2.5 |
+-----------------+------------+-----------+-------------+
| seed-cfb-py | 16 | 16 | 2 |
+-----------------+------------+-----------+-------------+
- *pproxy* ciphers have pure python implementations. Program will switch to C cipher if there is C implementation available within pycryptodome_. Otherwise, use pure python cipher.
- AEAD ciphers use additional payload after each packet. The underlying protocol is different. Specifications: AEAD_.
- Some pure python ciphers (aes-256-cfb1-py) is quite slow, and is not recommended to use without PyPy speedup. Try install pycryptodome_ and use C version cipher instead.
- To enable OTA encryption with shadowsocks, add '!' immediately after cipher name.
- netloc
- It can be "hostname:port" or "/unix_domain_socket". If the hostname is empty, server will listen on all interfaces.
- Valid netloc: localhost:8080, 0.0.0.0:8123, /tmp/domain_socket, :8123
- localbind
- It can be "@in" or @ipv4_address or @ipv6_address
- Valid localbind: @in, @192.168.1.15, @::1
- plugins
- It can be multiple plugins joined by ",". Supported plugins: plain, origin, http_simple, tls1.2_ticket_auth, verify_simple, verify_deflate
- Valid plugins: /,tls1.2_ticket_auth,verify_simple
- rules
- The filename that contains regex rules
- auth
- The username, colon ':', and the password
URIs can be joined by "__" to indicate tunneling by jump. For example, ss://1.2.3.4:1324__http://4.5.6.7:4321 make remote connection to the first shadowsocks proxy server, and then jump to the second http proxy server.
.. _AEAD: http://shadowsocks.org/en/spec/AEAD-Ciphers.html
Client API
----------
- TCP Client API
.. code:: rst
import asyncio, pproxy
async def test_tcp(proxy_uri):
conn = pproxy.Connection(proxy_uri)
reader, writer = await conn.tcp_connect('google.com', 80)
writer.write(b'GET / HTTP/1.1\r\n\r\n')
data = await reader.read(1024*16)
print(data.decode())
asyncio.run(test_tcp('ss://aes-256-cfb:password@remote_host:remote_port'))
- UDP Client API
.. code:: rst
import asyncio, pproxy
async def test_udp(proxy_uri):
conn = pproxy.Connection(proxy_uri)
answer = asyncio.Future()
await conn.udp_sendto('8.8.8.8', 53, b'hello the world', answer.set_result)
await answer
print(answer.result())
asyncio.run(test_udp('ss://chacha20:password@remote_host:remote_port'))
Server API
----------
- Server API example:
.. code:: rst
import asyncio
import pproxy
server = pproxy.Server('ss://0.0.0.0:1234')
remote = pproxy.Connection('ss://1.2.3.4:5678')
args = dict( rserver = [remote],
verbose = print )
loop = asyncio.get_event_loop()
handler = loop.run_until_complete(server.start_server(args))
try:
loop.run_forever()
except KeyboardInterrupt:
print('exit!')
handler.close()
loop.run_until_complete(handler.wait_closed())
loop.run_until_complete(loop.shutdown_asyncgens())
loop.close()
Examples
--------
- Regex rule
Define regex file "rules" as follow:
.. code:: rst
#google domains
(?:.+\.)?google.*\.com
(?:.+\.)?gstatic\.com
(?:.+\.)?gmail\.com
(?:.+\.)?ntp\.org
(?:.+\.)?glpals\.com
(?:.+\.)?akamai.*\.net
(?:.+\.)?ggpht\.com
(?:.+\.)?android\.com
(?:.+\.)?gvt1\.com
(?:.+\.)?youtube.*\.com
(?:.+\.)?ytimg\.com
(?:.+\.)?goo\.gl
(?:.+\.)?youtu\.be
(?:.+\.)?google\..+
Then start *pproxy*
.. code:: rst
$ pproxy -r http://aa.bb.cc.dd:8080?rules -vv
Serving on :8080 by http,socks4,socks5
http ::1:57768 -> http aa.bb.cc.dd:8080 -> www.googleapis.com:443
http ::1:57772 -> www.yahoo.com:80
socks4 ::1:57770 -> http aa.bb.cc.dd:8080 -> www.youtube.com:443
*pproxy* will serve incoming traffic by http/socks4/socks5 auto-detect protocol, redirect all google traffic to http proxy aa.bb.cc.dd:8080, and visit all other traffic directly from local.
- Use cipher
Add cipher encryption to make sure data can't be intercepted. Run *pproxy* locally as:
.. code:: rst
$ pproxy -l ss://:8888 -r ss://chacha20:cipher_key@aa.bb.cc.dd:12345 -vv
Next, run pproxy.py remotely on server "aa.bb.cc.dd". The base64 encoded string of "chacha20:cipher_key" is also supported:
.. code:: rst
$ pproxy -l ss://chacha20:cipher_key@:12345
The same as:
.. code:: rst
$ pproxy -l ss://Y2hhY2hhMjA6Y2lwaGVyX2tleQ==@:12345
The traffic between local and aa.bb.cc.dd is encrypted by stream cipher Chacha20 with secret key "cipher_key".
- Unix domain socket
A more complex example:
.. code:: rst
$ pproxy -l ss://salsa20!:complex_cipher_key@/tmp/pproxy_socket -r http+ssl://domain1.com:443#username:password
*pproxy* listen on the unix domain socket "/tmp/pproxy_socket" with cipher "salsa20" and key "complex_cipher_key". OTA packet protocol is enabled by adding ! after cipher name. The traffic is tunneled to remote https proxy with simple http authentication.
- SSL/TLS server
If you want to listen in SSL/TLS, you must specify ssl certificate and private key files by parameter "--ssl":
.. code:: rst
$ pproxy -l http+ssl://0.0.0.0:443 -l http://0.0.0.0:80 --ssl server.crt,server.key --pac /autopac
*pproxy* listen on both 80 HTTP and 443 HTTPS ports, use the specified SSL/TLS certificate and private key files. The "--pac" enable PAC feature, so you can put "https://yourdomain.com/autopac" path in your device's auto-configure url.
Simple guide for generating self-signed ssl certificates:
.. code:: rst
$ openssl genrsa -des3 -out server.key 1024
$ openssl req -new -key server.key -out server.csr
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
- SSR plugins
ShadowsocksR example with plugin "tls1.2_ticket_auth" to emulate common tls traffic:
.. code:: rst
$ pproxy -l ssr://chacha20:mypass@0.0.0.0:443/,tls1.2_ticket_auth,verify_simple
- Local bind ip
If you want to route the traffic by different local bind, use the @localbind URI syntax. For example, server has three ip interfaces: 192.168.1.15, 111.0.0.1, 112.0.0.1. You want to route traffic matched by "rule1" to 111.0.0.2 and traffic matched by "rule2" to 222.0.0.2, and the remaining traffic directly:
.. code:: rst
$ pproxy -l ss://:8000/@in -r ss://111.0.0.2:8000/@111.0.0.1?rule1 -r ss://222.0.0.2:8000/@222.0.0.1?rule2
- Redirect/Pf protocol
IPTable NAT redirect example (Ubuntu):
.. code:: rst
$ sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 5555
$ pproxy -l redir://:5555 -r http://remote_http_server:3128 -vv
The above example illustrates how to redirect all local output tcp traffic with destination port 80 to localhost port 5555 listened by **pproxy**, and then tunnel the traffic to remote http proxy.
PF redirect example (MacOS):
.. code:: rst
$ sudo pfctl -ef /dev/stdin
rdr pass on lo0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080
pass out on en0 route-to lo0 inet proto tcp from any to any port 80 keep state
^D
$ sudo pproxy -l pf://:8080 -r socks5://remote_socks5_server:1324 -vv
Make sure **pproxy** runs in root mode (sudo), otherwise it cannot redirect pf packet.
- Multiple jumps example
.. code:: rst
$ pproxy -r http://server1__ss://server2__socks://server3
*pproxy* will connect to server1 first, tell server1 connect to server2, and tell server2 connect to server3, and make real traffic by server3.
- Raw connection tunnel
TCP raw connection tunnel example:
.. code:: rst
$ pproxy -l tunnel{google.com}://:80
$ curl -H "Host: google.com" http://localhost
UDP dns tunnel example:
.. code:: rst
$ pproxy -ul tunnel{8.8.8.8}://:53
$ nslookup google.com localhost
- UDP more complicated example
Run the shadowsocks udp proxy on remote machine:
.. code:: rst
$ pproxy -ul ss://remote_server:13245
Run the commands on local machine:
.. code:: rst
$ pproxy -ul tunnel{8.8.8.8}://:53 -ur ss://remote_server:13245 -vv
UDP tunnel 127.0.0.1:60573 -> ss remote_server:13245 -> 8.8.8.8:53
UDP tunnel 127.0.0.1:60574 -> ss remote_server:13245 -> 8.8.8.8:53
...
$ nslookup google.com localhost
- Load balance example
Specify multiple -r server, and a scheduling algorithm (rr = round_robin, rc = random_choice, lc = least_connection):
.. code:: rst
$ pproxy -r http://server1 -r ss://server2 -r socks5://server3 -s rr -vv
http ::1:42356 -> http server1 -> google.com:443
http ::1:42357 -> ss server2 -> google.com:443
http ::1:42358 -> socks5 server3 -> google.com:443
http ::1:42359 -> http server1 -> google.com:443
...
$ pproxy -ul tunnel://:53 -ur tunnel://8.8.8.8:53 -ur tunnel://8.8.4.4:53 -s rc -vv
UDP tunnel ::1:35378 -> tunnel 8.8.8.8:53
UDP tunnel ::1:35378 -> tunnel 8.8.4.4:53
...
- WebSocket example
WebSocket protocol is similar to Tunnel protocol. It is raw and doesn't support any proxy function. It can connect to other proxy like Tunnel protocol.
First run pproxy on remote machine:
.. code:: rst
$ pproxy -l ws://:80 -r tunnel:///tmp/myproxy -v
$ pproxy -l ss://chacha20:abc@/tmp/myproxy -v
Run pproxy on local machine:
.. code:: rst
$ pproxy -l tunnel://:1234 -r ws://remote_ip:80 -vv
Then port :1234 on local machine is connected to the /tmp/myproxy on remote machine by WebSocket tunnel. You can specify any proxy protocol details on /tmp/myproxy.
It is a good practice to use some CDN in the middle of local/remote machines. CDN with WebSocket support can hide remote machine's real IP from public.
- Backward proxy
Sometimes, the proxy server hides behind an NAT router and doesn't have a public ip. The client side has a public ip "client_ip". Backward proxy feature enables the server to connect backward to client and wait for proxy requests.
Run **pproxy** client as follows:
.. code:: rst
$ pproxy -l http://:8080 -r http+in://:8081 -v
Run **pproxy** server as follows:
.. code:: rst
$ pproxy -l http+in://client_ip:8081
Server connects to client_ip:8081 and waits for client proxy requests. The protocol http specified is just an example. It can be any protocol and cipher **pproxy** supports. The scheme "**in**" should exist in URI to inform **pproxy** that it is a backward proxy.
.. code:: rst
$ pproxy -l http+in://jumpserver__http://client_ip:8081
It is a complicated example. Server connects to client_ip:8081 by jump http://jumpserver. The backward proxy works through jumps.
- SSH client tunnel
SSH client tunnel support is enabled by installing additional library asyncssh_. After "pip3 install asyncssh", you can specify "**ssh**" as scheme to proxy via ssh client tunnel.
.. code:: rst
$ pproxy -l http://:8080 -r ssh://remote_server.com/#login:password
If a client private key is used to authenticate, put double colon "::" between login and private key path.
.. code:: rst
$ pproxy -l http://:8080 -r ssh://remote_server.com/#login::private_key_path
SSH connection known_hosts feature is disabled by default.
- SSH jump
SSH jump is supported by using "__" concatenation
.. code:: rst
$ pproxy -r ssh://server1__ssh://server2__ssh://server3
First connection to server1 is made. Second, ssh connection to server2 is made from server1. Finally, connect to server3, and use server3 for proxying traffic.
- SSH remote forward
.. code:: rst
$ pproxy -l ssh://server__tunnel://0.0.0.0:1234 -r tunnel://127.0.0.1:1234
TCP :1234 on remote server is forwarded to 127.0.0.1:1234 on local server
.. code:: rst
$ pproxy -l ssh://server1__ssh://server2__ss://0.0.0.0:1234 -r ss://server3:1234
It is a complicated example. SSH server2 is jumped from SSH server1, and ss://0.0.0.0:1234 on server2 is listened. Traffic is forwarded to ss://server3:1234.
- Trojan protocol example
Normally trojan:// should be used together with ssl://. You should specify the SSL crt/key file for ssl usage. A typical trojan server would be:
.. code:: rst
$ pproxy --ssl ssl.crt,ssl.key -l trojan+tunnel{localhost:80}+ssl://:443#yourpassword -vv
If trojan password doesn't match, the tunnal{localhost:80} will be switched to. It looks exactly the same as a common HTTPS website.
- QUIC protocol example
QUIC is a UDP stream protocol used in HTTP/3. Library **aioquic** is required if you want to proxy via QUIC.
QUIC is listened on UDP port, but can handle TCP or UDP traffic. If you want to handle TCP traffic, you should use "-l quic+http" instead of "-ul quic+http".
.. code:: rst
$ pip3 install aioquic
$ pproxy --ssl ssl.crt,ssl.key -l quic+http://:1234
On the client:
$ pproxy -r quic+http://server:1234
QUIC protocol can transfer a lot of TCP streams on one single UDP stream. If the connection number is hugh, QUIC can benefit by reducing TCP handshake time.
- VPN Server Example
You can run VPN server simply by installing pvpn (python vpn), a lightweight VPN server with pproxy tunnel feature.
.. code:: rst
$ pip3 install pvpn
Successfully installed pvpn-0.2.1
$ pvpn -wg 9999 -r http://remote_server:remote_port
Serving on UDP :500 :4500...
Serving on UDP :9000 (WIREGUARD)...
TCP xx.xx.xx.xx:xx -> HTTP xx.xx.xx.xx:xx -> xx.xx.xx.xx:xx
Projects
--------
+ `python-vpn <https://github.com/qwj/python-vpn>`_ - VPN Server (IPSec,IKE,IKEv2,L2TP,WireGuard) in pure python
+ `shadowproxy <https://github.com/guyingbo/shadowproxy>`_ - Awesome python proxy implementation by guyingbo
Raw data
{
"_id": null,
"home_page": "https://github.com/lyhaithanh/thanhaaa",
"name": "thanhaaa",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.6",
"maintainer_email": "",
"keywords": "proxy socks http shadowsocks shadowsocksr ssr redirect pf tunnel cipher ssl udp",
"author": "lyhaithanh",
"author_email": "lyhaithanh@gmail.com",
"download_url": "https://files.pythonhosted.org/packages/42/33/0c761beb11cf4d087d4e2aede7f0bf8873cf176d23838e32708477dcb089/thanhaaa-1.1.tar.gz",
"platform": null,
"description": "python-proxy\r\n============\r\n\r\n|made-with-python| |PyPI-version| |Hit-Count| |Downloads| |Downloads-month| |Downloads-week|\r\n\r\n.. |made-with-python| image:: https://img.shields.io/badge/Made%20with-Python-1f425f.svg\r\n :target: https://www.python.org/\r\n.. |PyPI-version| image:: https://badge.fury.io/py/pproxy.svg\r\n :target: https://pypi.python.org/pypi/pproxy/\r\n.. |Hit-Count| image:: http://hits.dwyl.io/qwj/python-proxy.svg\r\n :target: https://pypi.python.org/pypi/pproxy/\r\n.. |Downloads| image:: https://pepy.tech/badge/pproxy\r\n :target: https://pepy.tech/project/pproxy\r\n.. |Downloads-month| image:: https://pepy.tech/badge/pproxy/month\r\n :target: https://pepy.tech/project/pproxy\r\n.. |Downloads-week| image:: https://pepy.tech/badge/pproxy/week\r\n :target: https://pepy.tech/project/pproxy\r\n\r\nHTTP/HTTP2/HTTP3/Socks4/Socks5/Shadowsocks/SSH/Redirect/Pf/QUIC TCP/UDP asynchronous tunnel proxy implemented in Python3 asyncio.\r\n\r\nQuickStart\r\n----------\r\n\r\n.. code:: rst\r\n\r\n $ pip3 install pproxy\r\n Successfully installed pproxy-1.9.5\r\n $ pproxy\r\n Serving on :8080 by http,socks4,socks5\r\n ^C\r\n $ pproxy -l ss://chacha20:abc@:8080\r\n Serving on :8080 by ss (chacha20-py)\r\n\r\nOptional: (better performance with C ciphers)\r\n\r\n.. code:: rst\r\n\r\n $ pip3 install pproxy[accelerated]\r\n Successfully installed pycryptodome-3.6.4\r\n\r\nApply OS system-wide proxy: (MacOS, Windows)\r\n\r\n.. code:: rst\r\n\r\n $ pproxy -r ss://chacha20:abc@server_ip:8080 --sys -vv\r\n Serving on :8080 by http,socks4,socks5\r\n System proxy setting -> socks5 localhost:8080\r\n socks5 ::1:57345 -> ss server_ip:8080 -> slack.com:443\r\n socks5 ::1:57345 -> ss server_ip:8080 -> www.google.com:443\r\n ..... (all local traffic log) ......\r\n\r\nApply CLI proxy: (MacOS, Linux)\r\n\r\n.. code:: rst\r\n\r\n $ export http_proxy=http://localhost:8080\r\n $ export https_proxy=http://localhost:8080\r\n\r\nRun With Docker\r\n---------------\r\n\r\n`pproxy` Docker container has both python3 (with Cryptodome for performance optimizations) and `pypy` versions available.\r\n\r\nPython3:\r\n\r\n``docker run -it -p 8080:8080 mosajjal/pproxy:latest -l http://:8080 -vv``\r\n\r\nPypy3:\r\n\r\n``docker run -it -p 8080:8080 mosajjal/pproxy:latest-pypy -l http://:8080 -vv``\r\n\r\nFeatures\r\n--------\r\n\r\n- Lightweight single-thread asynchronous IO.\r\n- Pure python, no additional library required.\r\n- Proxy client/server for TCP/UDP.\r\n- Schedule (load balance) among remote servers.\r\n- Incoming traffic auto-detect.\r\n- Tunnel/jump/backward-jump support.\r\n- Unix domain socket support.\r\n- HTTP v2, HTTP v3 (QUIC)\r\n- User/password authentication support.\r\n- Filter/block hostname by regex patterns.\r\n- SSL/TLS client/server support.\r\n- Shadowsocks OTA (One-Time-Auth_), SSR plugins.\r\n- Statistics by bandwidth and traffic.\r\n- PAC support for javascript configuration.\r\n- Iptables/Pf NAT redirect packet tunnel.\r\n- System proxy auto-setting support.\r\n- Client/Server API provided.\r\n\r\n.. _One-Time-Auth: https://shadowsocks.org/en/spec/one-time-auth.html\r\n\r\nProtocols\r\n---------\r\n\r\n+-------------------+------------+------------+------------+------------+--------------+\r\n| Name | TCP server | TCP client | UDP server | UDP client | scheme |\r\n+===================+============+============+============+============+==============+\r\n| http (connect) | \u2714 | \u2714 | | | http:// |\r\n+-------------------+ +------------+------------+------------+--------------+\r\n| http | | \u2714 | | | httponly:// |\r\n| (get,post,etc) | | | | | (as client) |\r\n+-------------------+------------+------------+------------+------------+--------------+\r\n| http v2 (connect) | \u2714 | \u2714 | | | h2:// |\r\n+-------------------+------------+------------+------------+------------+--------------+\r\n| http v3 (connect) | \u2714 by UDP | \u2714 by UDP | | | h3:// |\r\n+-------------------+------------+------------+------------+------------+--------------+\r\n| https | \u2714 | \u2714 | | | http+ssl:// |\r\n+-------------------+------------+------------+------------+------------+--------------+\r\n| socks4 | \u2714 | \u2714 | | | socks4:// |\r\n+-------------------+------------+------------+------------+------------+--------------+\r\n| socks5 | \u2714 | \u2714 | \u2714 udp-only | \u2714 udp-only | socks5:// |\r\n+-------------------+------------+------------+------------+------------+--------------+\r\n| socks5 over TLS | \u2714 | \u2714 | | | socks5+ssl://|\r\n+-------------------+------------+------------+------------+------------+--------------+\r\n| shadowsocks | \u2714 | \u2714 | \u2714 | \u2714 | ss:// |\r\n+-------------------+------------+------------+------------+------------+--------------+\r\n| shadowsocks aead | \u2714 | \u2714 | | | ss:// |\r\n+-------------------+------------+------------+------------+------------+--------------+\r\n| shadowsocksR | \u2714 | \u2714 | | | ssr:// |\r\n+-------------------+------------+------------+------------+------------+--------------+\r\n| trojan | \u2714 | \u2714 | | | trojan:// |\r\n+-------------------+------------+------------+------------+------------+--------------+\r\n| ssh tunnel | | \u2714 | | | ssh:// |\r\n+-------------------+------------+------------+------------+------------+--------------+\r\n| quic | \u2714 by UDP | \u2714 by UDP | \u2714 | \u2714 | http+quic:// |\r\n+-------------------+------------+------------+------------+------------+--------------+\r\n| iptables nat | \u2714 | | | | redir:// |\r\n+-------------------+------------+------------+------------+------------+--------------+\r\n| pfctl nat (macos) | \u2714 | | | | pf:// |\r\n+-------------------+------------+------------+------------+------------+--------------+\r\n| echo | \u2714 | | \u2714 | | echo:// |\r\n+-------------------+------------+------------+------------+------------+--------------+\r\n| tunnel | \u2714 | \u2714 | \u2714 | \u2714 | tunnel:// |\r\n| (raw socket) | | | | | tunnel{ip}://|\r\n+-------------------+------------+------------+------------+------------+--------------+\r\n| websocket | \u2714 | \u2714 | | | ws:// |\r\n| (simple tunnel) | | | | | ws{dst_ip}://|\r\n+-------------------+------------+------------+------------+------------+--------------+\r\n| xxx over TLS | \u2714 | \u2714 | | | xxx+ssl:// |\r\n+-------------------+------------+------------+------------+------------+--------------+\r\n| AUTO DETECT | \u2714 | | \u2714 | | a+b+c+d:// |\r\n+-------------------+------------+------------+------------+------------+--------------+\r\n\r\nScheduling Algorithms\r\n---------------------\r\n\r\n+-------------------+------------+------------+------------+------------+\r\n| Name | TCP | UDP | Parameter | Default |\r\n+===================+============+============+============+============+\r\n| first_available | \u2714 | \u2714 | -s fa | \u2714 |\r\n+-------------------+------------+------------+------------+------------+\r\n| round_robin | \u2714 | \u2714 | -s rr | |\r\n+-------------------+------------+------------+------------+------------+\r\n| random_choice | \u2714 | \u2714 | -s rc | |\r\n+-------------------+------------+------------+------------+------------+\r\n| least_connection | \u2714 | | -s lc | |\r\n+-------------------+------------+------------+------------+------------+\r\n\r\nRequirement\r\n-----------\r\n\r\npycryptodome_ is an optional library to enable faster (C version) cipher. **pproxy** has many built-in pure python ciphers. They are lightweight and stable, but slower than C ciphers. After speedup with PyPy_, pure python ciphers can get similar performance as C version. If the performance is important and don't have PyPy_, install pycryptodome_ instead.\r\n\r\nasyncssh_ is an optional library to enable ssh tunnel client support.\r\n\r\nThese are some performance benchmarks between Python and C ciphers (dataset: 8M):\r\n\r\n+---------------------+----------------+\r\n| chacha20-c | 0.64 secs |\r\n+---------------------+----------------+\r\n| chacha20-py (pypy3) | 1.32 secs |\r\n+---------------------+----------------+\r\n| chacha20-py | 48.86 secs |\r\n+---------------------+----------------+\r\n\r\nPyPy3 Quickstart:\r\n\r\n.. code:: rst\r\n\r\n $ pypy3 -m ensurepip\r\n $ pypy3 -m pip install asyncio pproxy\r\n\r\n.. _pycryptodome: https://pycryptodome.readthedocs.io/en/latest/src/introduction.html\r\n.. _asyncssh: https://asyncssh.readthedocs.io/en/latest/\r\n.. _PyPy: http://pypy.org\r\n\r\nUsage\r\n-----\r\n\r\n.. code:: rst\r\n\r\n $ pproxy -h\r\n usage: pproxy [-h] [-l LISTEN] [-r RSERVER] [-ul ULISTEN] [-ur URSERVER]\r\n [-b BLOCK] [-a ALIVED] [-v] [--ssl SSLFILE] [--pac PAC]\r\n [--get GETS] [--sys] [--test TESTURL] [--version]\r\n\r\n Proxy server that can tunnel among remote servers by regex rules. Supported\r\n protocols: http,socks4,socks5,shadowsocks,shadowsocksr,redirect,pf,tunnel\r\n\r\n optional arguments:\r\n -h, --help show this help message and exit\r\n -l LISTEN tcp server uri (default: http+socks4+socks5://:8080/)\r\n -r RSERVER tcp remote server uri (default: direct)\r\n -ul ULISTEN udp server setting uri (default: none)\r\n -ur URSERVER udp remote server uri (default: direct)\r\n -b BLOCK block regex rules\r\n -a ALIVED interval to check remote alive (default: no check)\r\n -s {fa,rr,rc,lc} scheduling algorithm (default: first_available)\r\n -v print verbose output\r\n --ssl SSLFILE certfile[,keyfile] if server listen in ssl mode\r\n --pac PAC http PAC path\r\n --get GETS http custom {path,file}\r\n --sys change system proxy setting (mac, windows)\r\n --test TEST test this url for all remote proxies and exit\r\n --version show program's version number and exit\r\n\r\n Online help: <https://github.com/qwj/python-proxy>\r\n\r\nURI Syntax\r\n----------\r\n\r\n.. code:: rst\r\n\r\n {scheme}://[{cipher}@]{netloc}/[@{localbind}][,{plugins}][?{rules}][#{auth}]\r\n\r\n- scheme\r\n\r\n - Currently supported scheme: http, socks, ss, ssl, secure. You can use + to link multiple protocols together.\r\n\r\n +----------+-----------------------------+\r\n | http | http protocol (CONNECT) |\r\n +----------+-----------------------------+\r\n | httponly | http protocol (GET/POST) |\r\n +----------+-----------------------------+\r\n | socks4 | socks4 protocol |\r\n +----------+-----------------------------+\r\n | socks5 | socks5 protocol |\r\n +----------+-----------------------------+\r\n | ss | shadowsocks protocol |\r\n +----------+-----------------------------+\r\n | ssr | shadowsocksr (SSR) protocol |\r\n +----------+-----------------------------+\r\n | trojan | trojan_ protocol |\r\n +----------+-----------------------------+\r\n | ssh | ssh client tunnel |\r\n +----------+-----------------------------+\r\n | redir | redirect (iptables nat) |\r\n +----------+-----------------------------+\r\n | pf | pfctl (macos pf nat) |\r\n +----------+-----------------------------+\r\n | ssl | unsecured ssl/tls (no cert) |\r\n +----------+-----------------------------+\r\n | secure | secured ssl/tls (cert) |\r\n +----------+-----------------------------+\r\n | tunnel | raw connection |\r\n +----------+-----------------------------+\r\n | ws | websocket connection |\r\n +----------+-----------------------------+\r\n | echo | echo-back service |\r\n +----------+-----------------------------+\r\n | direct | direct connection |\r\n +----------+-----------------------------+\r\n\r\n.. _trojan: https://trojan-gfw.github.io/trojan/protocol\r\n\r\n - \"http://\" accepts GET/POST/CONNECT as server, sends CONNECT as client. \"httponly://\" sends \"GET/POST\" as client, works only on http traffic.\r\n\r\n - Valid schemes: http://, http+socks4+socks5://, http+ssl://, ss+secure://, http+socks5+ss://\r\n\r\n - Invalid schemes: ssl://, secure://\r\n\r\n- cipher\r\n\r\n - Cipher's format: \"cipher_name:cipher_key\". Cipher can be base64-encoded. So cipher string with \"YWVzLTEyOC1nY206dGVzdA==\" is equal to \"aes-128-gcm:test\".\r\n\r\n - Full cipher support list:\r\n\r\n +-----------------+------------+-----------+-------------+\r\n | Cipher | Key Length | IV Length | Score (0-5) |\r\n +=================+============+===========+=============+\r\n | table-py | any | 0 | 0 (lowest) |\r\n +-----------------+------------+-----------+-------------+\r\n | rc4 | 16 | 0 | 0 (lowest) |\r\n +-----------------+------------+-----------+-------------+\r\n | rc4-md5 | 16 | 16 | 0.5 |\r\n +-----------------+------------+-----------+-------------+\r\n | chacha20 | 32 | 8 | 5 (highest) |\r\n +-----------------+------------+-----------+-------------+\r\n | chacha20-ietf | 32 | 12 | 5 |\r\n +-----------------+------------+-----------+-------------+\r\n | chacha20-ietf- | | | |\r\n | poly1305-py | 32 | 32 | AEAD |\r\n +-----------------+------------+-----------+-------------+\r\n | salsa20 | 32 | 8 | 4.5 |\r\n +-----------------+------------+-----------+-------------+\r\n | aes-128-cfb | 16 | 16 | 3 |\r\n | | | | |\r\n | aes-128-cfb8 | | | |\r\n | | | | |\r\n | aes-128-cfb1-py | | | slow |\r\n +-----------------+------------+-----------+-------------+\r\n | aes-192-cfb | 24 | 16 | 3.5 |\r\n | | | | |\r\n | aes-192-cfb8 | | | |\r\n | | | | |\r\n | aes-192-cfb1-py | | | slow |\r\n +-----------------+------------+-----------+-------------+\r\n | aes-256-cfb | 32 | 16 | 4.5 |\r\n | | | | |\r\n | aes-256-ctr | | | |\r\n | | | | |\r\n | aes-256-ofb | | | |\r\n | | | | |\r\n | aes-256-cfb8 | | | |\r\n | | | | |\r\n | aes-256-cfb1-py | | | slow |\r\n +-----------------+------------+-----------+-------------+\r\n | aes-256-gcm | 32 | 32 | AEAD |\r\n | | | | |\r\n | aes-192-gcm | 24 | 24 | AEAD |\r\n | | | | |\r\n | aes-128-gcm | 16 | 16 | AEAD |\r\n +-----------------+------------+-----------+-------------+\r\n | camellia-256-cfb| 32 | 16 | 4 |\r\n | | | | |\r\n | camellia-192-cfb| 24 | 16 | 4 |\r\n | | | | |\r\n | camellia-128-cfb| 16 | 16 | 4 |\r\n +-----------------+------------+-----------+-------------+\r\n | bf-cfb | 16 | 8 | 1 |\r\n +-----------------+------------+-----------+-------------+\r\n | cast5-cfb | 16 | 8 | 2.5 |\r\n +-----------------+------------+-----------+-------------+\r\n | des-cfb | 8 | 8 | 1.5 |\r\n +-----------------+------------+-----------+-------------+\r\n | rc2-cfb-py | 16 | 8 | 2 |\r\n +-----------------+------------+-----------+-------------+\r\n | idea-cfb-py | 16 | 8 | 2.5 |\r\n +-----------------+------------+-----------+-------------+\r\n | seed-cfb-py | 16 | 16 | 2 |\r\n +-----------------+------------+-----------+-------------+\r\n\r\n - *pproxy* ciphers have pure python implementations. Program will switch to C cipher if there is C implementation available within pycryptodome_. Otherwise, use pure python cipher.\r\n\r\n - AEAD ciphers use additional payload after each packet. The underlying protocol is different. Specifications: AEAD_.\r\n\r\n - Some pure python ciphers (aes-256-cfb1-py) is quite slow, and is not recommended to use without PyPy speedup. Try install pycryptodome_ and use C version cipher instead.\r\n\r\n - To enable OTA encryption with shadowsocks, add '!' immediately after cipher name.\r\n\r\n- netloc\r\n\r\n - It can be \"hostname:port\" or \"/unix_domain_socket\". If the hostname is empty, server will listen on all interfaces.\r\n\r\n - Valid netloc: localhost:8080, 0.0.0.0:8123, /tmp/domain_socket, :8123\r\n\r\n- localbind\r\n\r\n - It can be \"@in\" or @ipv4_address or @ipv6_address\r\n\r\n - Valid localbind: @in, @192.168.1.15, @::1\r\n\r\n- plugins\r\n\r\n - It can be multiple plugins joined by \",\". Supported plugins: plain, origin, http_simple, tls1.2_ticket_auth, verify_simple, verify_deflate\r\n\r\n - Valid plugins: /,tls1.2_ticket_auth,verify_simple\r\n\r\n- rules\r\n\r\n - The filename that contains regex rules\r\n\r\n- auth\r\n\r\n - The username, colon ':', and the password\r\n\r\nURIs can be joined by \"__\" to indicate tunneling by jump. For example, ss://1.2.3.4:1324__http://4.5.6.7:4321 make remote connection to the first shadowsocks proxy server, and then jump to the second http proxy server.\r\n\r\n.. _AEAD: http://shadowsocks.org/en/spec/AEAD-Ciphers.html\r\n\r\nClient API\r\n----------\r\n\r\n- TCP Client API\r\n\r\n .. code:: rst\r\n\r\n import asyncio, pproxy\r\n\r\n async def test_tcp(proxy_uri):\r\n conn = pproxy.Connection(proxy_uri)\r\n reader, writer = await conn.tcp_connect('google.com', 80)\r\n writer.write(b'GET / HTTP/1.1\\r\\n\\r\\n')\r\n data = await reader.read(1024*16)\r\n print(data.decode())\r\n\r\n asyncio.run(test_tcp('ss://aes-256-cfb:password@remote_host:remote_port'))\r\n\r\n- UDP Client API\r\n\r\n .. code:: rst\r\n\r\n import asyncio, pproxy\r\n\r\n async def test_udp(proxy_uri):\r\n conn = pproxy.Connection(proxy_uri)\r\n answer = asyncio.Future()\r\n await conn.udp_sendto('8.8.8.8', 53, b'hello the world', answer.set_result)\r\n await answer\r\n print(answer.result())\r\n\r\n asyncio.run(test_udp('ss://chacha20:password@remote_host:remote_port'))\r\n\r\nServer API\r\n----------\r\n\r\n- Server API example:\r\n\r\n .. code:: rst\r\n\r\n import asyncio\r\n import pproxy\r\n\r\n server = pproxy.Server('ss://0.0.0.0:1234')\r\n remote = pproxy.Connection('ss://1.2.3.4:5678')\r\n args = dict( rserver = [remote],\r\n verbose = print )\r\n\r\n loop = asyncio.get_event_loop()\r\n handler = loop.run_until_complete(server.start_server(args))\r\n try:\r\n loop.run_forever()\r\n except KeyboardInterrupt:\r\n print('exit!')\r\n\r\n handler.close()\r\n loop.run_until_complete(handler.wait_closed())\r\n loop.run_until_complete(loop.shutdown_asyncgens())\r\n loop.close()\r\n\r\n\r\nExamples\r\n--------\r\n\r\n- Regex rule\r\n\r\n Define regex file \"rules\" as follow:\r\n\r\n .. code:: rst\r\n\r\n #google domains\r\n (?:.+\\.)?google.*\\.com\r\n (?:.+\\.)?gstatic\\.com\r\n (?:.+\\.)?gmail\\.com\r\n (?:.+\\.)?ntp\\.org\r\n (?:.+\\.)?glpals\\.com\r\n (?:.+\\.)?akamai.*\\.net\r\n (?:.+\\.)?ggpht\\.com\r\n (?:.+\\.)?android\\.com\r\n (?:.+\\.)?gvt1\\.com\r\n (?:.+\\.)?youtube.*\\.com\r\n (?:.+\\.)?ytimg\\.com\r\n (?:.+\\.)?goo\\.gl\r\n (?:.+\\.)?youtu\\.be\r\n (?:.+\\.)?google\\..+\r\n\r\n Then start *pproxy*\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -r http://aa.bb.cc.dd:8080?rules -vv\r\n Serving on :8080 by http,socks4,socks5\r\n http ::1:57768 -> http aa.bb.cc.dd:8080 -> www.googleapis.com:443\r\n http ::1:57772 -> www.yahoo.com:80\r\n socks4 ::1:57770 -> http aa.bb.cc.dd:8080 -> www.youtube.com:443\r\n\r\n *pproxy* will serve incoming traffic by http/socks4/socks5 auto-detect protocol, redirect all google traffic to http proxy aa.bb.cc.dd:8080, and visit all other traffic directly from local.\r\n\r\n- Use cipher\r\n\r\n Add cipher encryption to make sure data can't be intercepted. Run *pproxy* locally as:\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -l ss://:8888 -r ss://chacha20:cipher_key@aa.bb.cc.dd:12345 -vv\r\n\r\n Next, run pproxy.py remotely on server \"aa.bb.cc.dd\". The base64 encoded string of \"chacha20:cipher_key\" is also supported:\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -l ss://chacha20:cipher_key@:12345\r\n\r\n The same as:\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -l ss://Y2hhY2hhMjA6Y2lwaGVyX2tleQ==@:12345\r\n\r\n The traffic between local and aa.bb.cc.dd is encrypted by stream cipher Chacha20 with secret key \"cipher_key\".\r\n\r\n- Unix domain socket\r\n\r\n A more complex example:\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -l ss://salsa20!:complex_cipher_key@/tmp/pproxy_socket -r http+ssl://domain1.com:443#username:password\r\n\r\n *pproxy* listen on the unix domain socket \"/tmp/pproxy_socket\" with cipher \"salsa20\" and key \"complex_cipher_key\". OTA packet protocol is enabled by adding ! after cipher name. The traffic is tunneled to remote https proxy with simple http authentication.\r\n\r\n- SSL/TLS server\r\n\r\n If you want to listen in SSL/TLS, you must specify ssl certificate and private key files by parameter \"--ssl\":\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -l http+ssl://0.0.0.0:443 -l http://0.0.0.0:80 --ssl server.crt,server.key --pac /autopac\r\n\r\n *pproxy* listen on both 80 HTTP and 443 HTTPS ports, use the specified SSL/TLS certificate and private key files. The \"--pac\" enable PAC feature, so you can put \"https://yourdomain.com/autopac\" path in your device's auto-configure url.\r\n\r\n Simple guide for generating self-signed ssl certificates:\r\n\r\n .. code:: rst\r\n\r\n $ openssl genrsa -des3 -out server.key 1024\r\n $ openssl req -new -key server.key -out server.csr\r\n $ cp server.key server.key.org\r\n $ openssl rsa -in server.key.org -out server.key\r\n $ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt\r\n\r\n- SSR plugins\r\n\r\n ShadowsocksR example with plugin \"tls1.2_ticket_auth\" to emulate common tls traffic:\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -l ssr://chacha20:mypass@0.0.0.0:443/,tls1.2_ticket_auth,verify_simple\r\n\r\n- Local bind ip\r\n\r\n If you want to route the traffic by different local bind, use the @localbind URI syntax. For example, server has three ip interfaces: 192.168.1.15, 111.0.0.1, 112.0.0.1. You want to route traffic matched by \"rule1\" to 111.0.0.2 and traffic matched by \"rule2\" to 222.0.0.2, and the remaining traffic directly:\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -l ss://:8000/@in -r ss://111.0.0.2:8000/@111.0.0.1?rule1 -r ss://222.0.0.2:8000/@222.0.0.1?rule2\r\n\r\n- Redirect/Pf protocol\r\n\r\n IPTable NAT redirect example (Ubuntu):\r\n\r\n .. code:: rst\r\n\r\n $ sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 5555\r\n $ pproxy -l redir://:5555 -r http://remote_http_server:3128 -vv\r\n\r\n The above example illustrates how to redirect all local output tcp traffic with destination port 80 to localhost port 5555 listened by **pproxy**, and then tunnel the traffic to remote http proxy.\r\n\r\n PF redirect example (MacOS):\r\n\r\n .. code:: rst\r\n\r\n $ sudo pfctl -ef /dev/stdin\r\n rdr pass on lo0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 8080\r\n pass out on en0 route-to lo0 inet proto tcp from any to any port 80 keep state\r\n ^D\r\n $ sudo pproxy -l pf://:8080 -r socks5://remote_socks5_server:1324 -vv\r\n\r\n Make sure **pproxy** runs in root mode (sudo), otherwise it cannot redirect pf packet.\r\n\r\n- Multiple jumps example\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -r http://server1__ss://server2__socks://server3\r\n\r\n *pproxy* will connect to server1 first, tell server1 connect to server2, and tell server2 connect to server3, and make real traffic by server3.\r\n\r\n- Raw connection tunnel\r\n\r\n TCP raw connection tunnel example:\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -l tunnel{google.com}://:80\r\n $ curl -H \"Host: google.com\" http://localhost\r\n\r\n UDP dns tunnel example:\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -ul tunnel{8.8.8.8}://:53\r\n $ nslookup google.com localhost\r\n\r\n- UDP more complicated example\r\n\r\n Run the shadowsocks udp proxy on remote machine:\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -ul ss://remote_server:13245\r\n\r\n Run the commands on local machine:\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -ul tunnel{8.8.8.8}://:53 -ur ss://remote_server:13245 -vv\r\n UDP tunnel 127.0.0.1:60573 -> ss remote_server:13245 -> 8.8.8.8:53\r\n UDP tunnel 127.0.0.1:60574 -> ss remote_server:13245 -> 8.8.8.8:53\r\n ...\r\n $ nslookup google.com localhost\r\n\r\n- Load balance example\r\n\r\n Specify multiple -r server, and a scheduling algorithm (rr = round_robin, rc = random_choice, lc = least_connection):\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -r http://server1 -r ss://server2 -r socks5://server3 -s rr -vv\r\n http ::1:42356 -> http server1 -> google.com:443\r\n http ::1:42357 -> ss server2 -> google.com:443\r\n http ::1:42358 -> socks5 server3 -> google.com:443\r\n http ::1:42359 -> http server1 -> google.com:443\r\n ...\r\n $ pproxy -ul tunnel://:53 -ur tunnel://8.8.8.8:53 -ur tunnel://8.8.4.4:53 -s rc -vv\r\n UDP tunnel ::1:35378 -> tunnel 8.8.8.8:53\r\n UDP tunnel ::1:35378 -> tunnel 8.8.4.4:53\r\n ...\r\n\r\n- WebSocket example\r\n\r\n WebSocket protocol is similar to Tunnel protocol. It is raw and doesn't support any proxy function. It can connect to other proxy like Tunnel protocol.\r\n\r\n First run pproxy on remote machine:\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -l ws://:80 -r tunnel:///tmp/myproxy -v\r\n $ pproxy -l ss://chacha20:abc@/tmp/myproxy -v\r\n\r\n Run pproxy on local machine:\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -l tunnel://:1234 -r ws://remote_ip:80 -vv\r\n\r\n Then port :1234 on local machine is connected to the /tmp/myproxy on remote machine by WebSocket tunnel. You can specify any proxy protocol details on /tmp/myproxy.\r\n\r\n It is a good practice to use some CDN in the middle of local/remote machines. CDN with WebSocket support can hide remote machine's real IP from public.\r\n\r\n- Backward proxy\r\n\r\n Sometimes, the proxy server hides behind an NAT router and doesn't have a public ip. The client side has a public ip \"client_ip\". Backward proxy feature enables the server to connect backward to client and wait for proxy requests.\r\n\r\n Run **pproxy** client as follows:\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -l http://:8080 -r http+in://:8081 -v\r\n\r\n Run **pproxy** server as follows:\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -l http+in://client_ip:8081\r\n\r\n Server connects to client_ip:8081 and waits for client proxy requests. The protocol http specified is just an example. It can be any protocol and cipher **pproxy** supports. The scheme \"**in**\" should exist in URI to inform **pproxy** that it is a backward proxy.\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -l http+in://jumpserver__http://client_ip:8081\r\n\r\n It is a complicated example. Server connects to client_ip:8081 by jump http://jumpserver. The backward proxy works through jumps.\r\n\r\n- SSH client tunnel\r\n\r\n SSH client tunnel support is enabled by installing additional library asyncssh_. After \"pip3 install asyncssh\", you can specify \"**ssh**\" as scheme to proxy via ssh client tunnel.\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -l http://:8080 -r ssh://remote_server.com/#login:password\r\n\r\n If a client private key is used to authenticate, put double colon \"::\" between login and private key path.\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -l http://:8080 -r ssh://remote_server.com/#login::private_key_path\r\n\r\n SSH connection known_hosts feature is disabled by default.\r\n\r\n- SSH jump\r\n\r\n SSH jump is supported by using \"__\" concatenation\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -r ssh://server1__ssh://server2__ssh://server3\r\n\r\n First connection to server1 is made. Second, ssh connection to server2 is made from server1. Finally, connect to server3, and use server3 for proxying traffic.\r\n\r\n- SSH remote forward\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -l ssh://server__tunnel://0.0.0.0:1234 -r tunnel://127.0.0.1:1234\r\n\r\n TCP :1234 on remote server is forwarded to 127.0.0.1:1234 on local server\r\n\r\n .. code:: rst\r\n\r\n $ pproxy -l ssh://server1__ssh://server2__ss://0.0.0.0:1234 -r ss://server3:1234\r\n\r\n It is a complicated example. SSH server2 is jumped from SSH server1, and ss://0.0.0.0:1234 on server2 is listened. Traffic is forwarded to ss://server3:1234.\r\n\r\n- Trojan protocol example\r\n\r\n Normally trojan:// should be used together with ssl://. You should specify the SSL crt/key file for ssl usage. A typical trojan server would be:\r\n\r\n .. code:: rst\r\n\r\n $ pproxy --ssl ssl.crt,ssl.key -l trojan+tunnel{localhost:80}+ssl://:443#yourpassword -vv\r\n\r\n If trojan password doesn't match, the tunnal{localhost:80} will be switched to. It looks exactly the same as a common HTTPS website.\r\n\r\n- QUIC protocol example\r\n\r\n QUIC is a UDP stream protocol used in HTTP/3. Library **aioquic** is required if you want to proxy via QUIC.\r\n QUIC is listened on UDP port, but can handle TCP or UDP traffic. If you want to handle TCP traffic, you should use \"-l quic+http\" instead of \"-ul quic+http\".\r\n\r\n .. code:: rst\r\n\r\n $ pip3 install aioquic\r\n $ pproxy --ssl ssl.crt,ssl.key -l quic+http://:1234\r\n\r\n On the client:\r\n\r\n $ pproxy -r quic+http://server:1234\r\n\r\n QUIC protocol can transfer a lot of TCP streams on one single UDP stream. If the connection number is hugh, QUIC can benefit by reducing TCP handshake time.\r\n\r\n- VPN Server Example\r\n\r\n You can run VPN server simply by installing pvpn (python vpn), a lightweight VPN server with pproxy tunnel feature.\r\n\r\n .. code:: rst\r\n\r\n $ pip3 install pvpn\r\n Successfully installed pvpn-0.2.1\r\n $ pvpn -wg 9999 -r http://remote_server:remote_port\r\n Serving on UDP :500 :4500...\r\n Serving on UDP :9000 (WIREGUARD)...\r\n TCP xx.xx.xx.xx:xx -> HTTP xx.xx.xx.xx:xx -> xx.xx.xx.xx:xx\r\n\r\n\r\nProjects\r\n--------\r\n\r\n+ `python-vpn <https://github.com/qwj/python-vpn>`_ - VPN Server (IPSec,IKE,IKEv2,L2TP,WireGuard) in pure python\r\n+ `shadowproxy <https://github.com/guyingbo/shadowproxy>`_ - Awesome python proxy implementation by guyingbo\r\n\r\n",
"bugtrack_url": null,
"license": "MIT",
"summary": "Proxy server that can tunnel among remote servers by regex rules.",
"version": "1.1",
"project_urls": {
"Homepage": "https://github.com/lyhaithanh/thanhaaa"
},
"split_keywords": [
"proxy",
"socks",
"http",
"shadowsocks",
"shadowsocksr",
"ssr",
"redirect",
"pf",
"tunnel",
"cipher",
"ssl",
"udp"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "085af0be89b8d35f1d92a8003b2334a38dc6dd01f8b0ab34a3187be57a7d3ded",
"md5": "5c451a9c0c034d09279e4982c7487868",
"sha256": "2220f919ba09eaaf70234e6be797a1593021a7f63222ec5fcf352900bbd7b4e7"
},
"downloads": -1,
"filename": "thanhaaa-1.1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "5c451a9c0c034d09279e4982c7487868",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.6",
"size": 43138,
"upload_time": "2024-03-10T09:56:30",
"upload_time_iso_8601": "2024-03-10T09:56:30.349561Z",
"url": "https://files.pythonhosted.org/packages/08/5a/f0be89b8d35f1d92a8003b2334a38dc6dd01f8b0ab34a3187be57a7d3ded/thanhaaa-1.1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "42330c761beb11cf4d087d4e2aede7f0bf8873cf176d23838e32708477dcb089",
"md5": "13655a2b82593bb5c3becac83a31b9a1",
"sha256": "47f4059d9ebf93951a6871a94ff17ad683b6b714534be3df7c35a3b2bc85caca"
},
"downloads": -1,
"filename": "thanhaaa-1.1.tar.gz",
"has_sig": false,
"md5_digest": "13655a2b82593bb5c3becac83a31b9a1",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.6",
"size": 55580,
"upload_time": "2024-03-10T09:56:32",
"upload_time_iso_8601": "2024-03-10T09:56:32.768841Z",
"url": "https://files.pythonhosted.org/packages/42/33/0c761beb11cf4d087d4e2aede7f0bf8873cf176d23838e32708477dcb089/thanhaaa-1.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-03-10 09:56:32",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "lyhaithanh",
"github_project": "thanhaaa",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "thanhaaa"
}