g3proxy is an enterprise-level forward proxy that also has basic support for TCP streaming, TLS streaming, transparent proxying and reverse proxying.
Servers handle connections from clients. Many types of servers are available for different purposes.
The common features are:
- Ingress network filter | Target Host filter | Target Port filter
- Socket Speed Limit
- Request Rate Limit | IDLE Check
- Protocol Inspection | TLS/TLCP Interception | ICAP Adaptation
- Various TCP & UDP socket config options
- Rustls TLS Server
- Openssl/BoringSSL/AWS-LC/Tongsuo TLS Server & Client
- Tongsuo TLCP Server & Client (Chinese national cryptography standard GB/T 38636-2020)
- Http(s) Proxy
  - TLS / mTLS
  - Http Forward | Https Forward | Http CONNECT | Ftp over HTTP
  - Basic User Authentication
  - Port Hiding
- Socks Proxy
  - Socks4 Tcp Connect | Socks5 Tcp Connect | Socks5 UDP Associate
  - User Authentication
  - Client side UDP IP Binding / IP Map / Ranged Port
- SNI Proxy
  - Multiple Protocol: TLS SNI extension | HTTP Host Header
  - Host Redirection / Host ACL
- TCP TPROXY
  - Linux Netfilter TPROXY
  - FreeBSD ipfw forward
  - OpenBSD pf divert-to
- Http(s) Reverse Proxy
  - TLS / mTLS
  - Basic User Authentication
  - Port Hiding
  - Host based Routing
- TCP Stream
  - Upstream TLS / mTLS
  - Load Balance: RR / Random / Rendezvous / Jump Hash
- TLS Stream
  - mTLS
  - Upstream TLS / mTLS
  - Load Balance: RR / Random / Rendezvous / Jump Hash
Alias port servers can be used to add extra ports to other servers.
- Plain TCP Port
  - PROXY Protocol
- Plain TLS Port
  - PROXY Protocol
  - mTLS
  - based on Rustls
- Native TLS Port
  - PROXY Protocol
  - mTLS
  - based on OpenSSL/BoringSSL/AWS-LC/Tongsuo
- Intelli Proxy Proxy
  - Multiple protocol: Http Proxy | Socks Proxy
  - PROXY Protocol
Escapers are used to define the way to connect to upstream. There are many types of escapers.
The common features are:
- Happy Eyeballs
- Socket Speed Limit
- Various TCP & UDP socket config options
- IP Bind
- DirectFixed
  - TCP Connect | TLS Connect | HTTP(s) Forward | UDP Associate
  - Egress network filter
  - Resolve redirection
  - Index based Egress Path Selection
- DirectFloat
  - TCP Connect | TLS Connect | HTTP(s) Forward | UDP Associate
  - Egress network filter
  - Resolve redirection
  - Dynamic IP Bind
  - Json based Egress Path Selection
- Http Proxy
  - TCP Connect | TLS Connect | HTTP(s) Forward
  - PROXY Protocol
  - Load Balance: RR / Random / Rendezvous / Jump Hash
  - Basic User Authentication
- Https Proxy
  - TCP Connect | TLS Connect | HTTP(s) Forward
  - PROXY Protocol
  - Load Balance: RR / Random / Rendezvous / Jump Hash
  - Basic User Authentication
  - mTLS
- Socks5(s) Proxy
  - TCP Connect | TLS Connect | HTTP(s) Forward | UDP Associate
  - Load Balance: RR / Random / Rendezvous / Jump Hash
  - Basic User Authentication
- ProxyFloat
  - Dynamic Proxy: Http Proxy | Https Proxy | Socks5(s) Proxy
  - Json based Egress Path Selection
Router escapers can be used to select the real escaper, based on different route rules.
- route-client - based on client addresses
  - exact ip match
  - subnet match
- route-mapping - based on user supplied rules in requests
  - Index based Egress Path Selection
- route-query - based on queries to external agent
- route-resolved - based on resolved IP of target host
- route-geoip - based on GeoIP rules of the resolved IP
- route-select - simple load balancer
  - RR / Random / Rendezvous / Jump Hash
  - Json based Egress Path Selection
- route-upstream - based on original target host
  - exact ip match
  - exact domain match
  - wildcard domain match
  - subnet match
  - regex domain match
- route-failover - failover between primary and standby escaper
- comply-audit - overwrite server side auditor settings
- c-ares
  - UDP
  - TCP
- hickory
  - UDP / TCP
  - DNS over TLS
  - DNS over HTTPS
  - DNS over HTTP/3
  - DNS over QUIC
- fail-over
- HTTP Basic Auth
- Socks5 User Auth
- Anonymous user
- ACL: Proxy Request | Target Host | Target Port | User Agent
- Socket Speed Limit | Process Level Global Speed Limit
- Request Rate Limit | Request Alive Limit | IDLE Check
- Auto Expire | Block
- Json based Egress Path Selection
It's also possible to set different site config for each user:
- Match by Exact IP | Exact Domain | Wildcard Domain | Subnet
- Request | Client Traffic | Remote Traffic Metrics
- Task Duration Histogram Metrics
- Custom TLS Client Config
- TCP Protocol Inspection
- Task Level Sampling
- TLS/TLCP Interception
- External Certificate Generator
- TLS/TLCP Decrypted Stream Dump
- Stream Detour for connection based protocols
- Http1 & Http2 Interception
- IMAP & SMTP Interception
- ICAP Adaptation, support HTTP1/HTTP2/IMAP/SMTP
- Log Types
  - Server: task log
  - Escaper: escape error log
  - Resolver: resolve error log
  - Audit: inspect & intercept log
- Backend Protocol
  - journald
  - syslog
  - fluentd
- Metrics Types
  - Server level metrics
  - Escaper level metrics
  - User level metrics
  - User-Site level metrics
  - Resolver metrics
  - Runtime metrics
  - Log metrics
- Backend Protocol
  - StatsD, so it's possible to use StatsD implementations to redistribute metrics to many other TSDBs
The detailed docs reside in the doc directory.
You can find example configs in the examples directory.