Simple, scriptable, secure HTTP/SOCKS5 forward proxy.
Basic proxy authenticationhidden_domain option for authentication providers)ssh -o ProxyCommand="dumbproxy -config proxy.cfg -mode stdio %h %p" root@server1Pre-built binaries available on releases page.
Alternatively, you may install dumbproxy from source. Run within source directory
go install .
Docker image is available as well. Here is an example for running proxy as a background service:
docker run -d \
--security-opt no-new-privileges \
-p 8080:8080 \
--restart unless-stopped \
--name dumbproxy \
ghcr.io/senseunit/dumbproxy -auth 'static://?username=admin&password=123456'
sudo snap install dumbproxy
There is a simple shell script available for complete installation of dumbproxy on a fresh Linux server: https://github.com/Snawoot/easy-dp
Just run program and it'll start accepting connections on port 8080 (default).
Run proxy on port 1234 with Basic authentication with username admin and password 123456:
dumbproxy -bind-address :1234 -auth 'static://?username=admin&password=123456'
Run HTTPS proxy (HTTP proxy over TLS) with automatic certs from LetsEncrypt on port 443 with Basic authentication with username admin and password 123456:
dumbproxy -bind-address :443 -auth 'static://?username=admin&password=123456' -autocert
Run HTTPS proxy (HTTP proxy over TLS) with pre-issued cert listening proxy protocol on localhost's 10443 with Basic authentication (users and passwords in /etc/dumbproxy.htpasswd)):
dumbproxy \
-bind-address 127.0.0.1:10443 \
-proxyproto \
-auth basicfile://?path=/etc/dumbproxy.htpasswd \
-cert=/etc/letsencrypt/live/proxy.example.com/fullchain.pem \
-key=/etc/letsencrypt/live/proxy.example.com/privkey.pem
Nginx config snippet:
stream
{
ssl_preread on;
map $ssl_preread_server_name $backend
{
proxy.example.com dumbproxy;
...
}
upstream dumbproxy
{
server 127.0.0.1:10443;
}
server
{
listen 443;
listen [::]:443;
proxy_protocol on;
proxy_pass $backend;
}
}
Have following labels attached to dumbproxy service in compose file:
traefik.enable: "true"
traefik.tcp.routers.dumbproxy.service: dumbproxy
traefik.tcp.routers.dumbproxy.rule: HostSNI(`<your-domain>`)
traefik.tcp.routers.dumbproxy.tls: "true"
traefik.tcp.routers.dumbproxy.tls.passthrough: "false"
traefik.tcp.routers.dumbproxy.tls.certResolver: letsencrypt
traefik.tcp.services.dumbproxy.loadBalancer.server.port: 8080
traefik.tcp.services.dumbproxy.loadbalancer.proxyProtocol.version: 2
dumbproxy service should be run in plaintext mode as TLS is handled on Traefik side. So options would be just -bind-address=:8080 -proxyproto and probably something for authorization. This recipe is explained in Wiki with more details and configuration files provided for context.
Run HTTPS proxy (HTTP proxy over TLS) with automatic certs from BuyPass on port 443 with Basic authentication with username admin and password 123456:
dumbproxy \
-bind-address :443 \
-auth 'static://?username=admin&password=123456' \
-autocert \
-autocert-acme 'https://api.buypass.com/acme/directory' \
-autocert-email YOUR-EMAIL@EXAMPLE.ORG \
-autocert-http :80
See Wiki for more examples, recipes and notes.
It's quite trivial to set up program which supports proxies to use dumbproxy in plain HTTP mode. However, using HTTP proxy over TLS connection with browsers is little bit tricky. Note that TLS must be enabled (-cert and -key options or -autocert option) for this to work.
Open proxy settings in system's network settings:

Turn on setup script option and set script address:
data:,function FindProxyForURL(u, h){return "HTTPS example.com:8080";}
where instead of example.com:8080 you should use actual address of your HTTPS proxy.
Note: this method will not work with MS Edge Legacy.
Open Firefox proxy settings, switch proxy mode to "Automatic proxy configuration URL". Specify URL:
data:,function FindProxyForURL(u, h){return "HTTPS example.com:8080";}

Use any proxy switching browser extension which supports HTTPS proxies like this one.
Specify proxy via command line:
chromium-browser --proxy-server='https://example.com:8080'
Use any proxy switching browser extension which supports HTTPS proxies like this one.
It is possible to expose remote HTTPS proxy as a local plaintext HTTP proxy with the help of some application which performs remote communication via TLS and exposes local plaintext socket. dumbproxy itself can play this role and use upstream proxy to provide local proxy service. For example, command
dumbproxy -bind-address 127.0.0.1:8080 -proxy 'https://login:password@example.org'
would expose remote HTTPS proxy at example.org:443 with login and password on local port 8080 as a regular HTTP proxy without authentication. Or, if you prefer mTLS authentication, it would be
dumbproxy -bind-address 127.0.0.1:8080 -proxy 'https://example.org?cert=cert.pem&key=key.pem&cafile=ca.pem'
[!IMPORTANT] For HTTPS, make sure the "Encryption" parameter is set to "tls". 5. Save settings by tapping ✔️. 6. If a self-signed certificate is used, go to "Settings > Advanced > Connection" and enable "Ignore Proxy SSL Certificate." 7. Enjoy!
Authentication parameters are passed as URI via -auth parameter. Scheme of URI defines authentication metnod and query parameters define parameter values for authentication provider.
none - no authentication. Example: none://. This is default.static - basic authentication for single login and password pair. Example: static://?username=admin&password=123456. Parameters:username - login.password - password.hidden_domain - if specified and is not an empty string, proxy will respond with "407 Proxy Authentication Required" only on specified domain. All unauthenticated clients will receive "400 Bad Request" status. This option is useful to prevent DPI active probing from discovering that service is a proxy, hiding proxy authentication prompt when no valid auth header was provided. Hidden domain is used for generating 407 response code to trigger browser authorization request in cases when browser has no prior knowledge proxy authentication is required. In such cases user has to navigate to any hidden domain page via plaintext HTTP, authenticate themselves and then browser will remember authentication.else - optional URL specifying the next auth provider to chain to, if authentication failed. Example: -auth 'static://?username=root&password=mycoolpass&else=static%3A%2F%2F%3Fusername%3Dadmin%26password%3D123456'.basicfile - use htpasswd-like file with login and password pairs for authentication. Such file can be created/updated with command like this: dumbproxy -passwd /etc/dumbproxy.htpasswd username password or with htpasswd utility from Apache HTTPD utils. path parameter in URL for this provider must point to a local file with login and bcrypt-hashed password lines. Example: basicfile://?path=/etc/dumbproxy.htpasswd. Parameters:path - location of file with login and password pairs. File format is similar to htpasswd files. Each line must be in form <username>:<bcrypt hash of password>. Empty lines and lines starting with # are ignored.hidden_domain - same as in static provider.reload - interval for conditional password file reload, if it was modified since last load. Use negative duration to disable autoreload. Default: 15s.else - optional URL specifying the next auth provider to chain to, if authentication failed. Example: -auth 'basicfile://?path=/etc/dumbproxy.htpasswd&else=static%3A%2F%2F%3Fusername%3Dadmin%26password%3D123456'.hmac - authentication with HMAC-signatures passed as username and password via basic authentication scheme. In that scheme username represents user login as usual and password should be constructed as follows: password := urlsafe_base64_without_padding(expire_timestamp || hmac_sha256(secret, "dumbproxy grant token v1" || username || expire_timestamp)), where expire_timestamp is 64-bit big-endian UNIX timestamp and || is a concatenation operator. This Python script can be used as a reference implementation of signing. Dumbproxy itself also provides built-in signer: dumbproxy -hmac-sign <HMAC key> <username> <validity duration>. Parameters of this auth scheme are:secret - hex-encoded HMAC secret key. Alternatively it can be specified by DUMBPROXY_HMAC_SECRET environment variable. Secret key can be generated with command like this: openssl rand -hex 32 or dumbproxy -hmac-genkey.hidden_domain - same as in static provider.else - optional URL specifying the next auth provider to chain to, if authentication failed.cert - use mutual TLS authentication with client certificates. In order to use this auth provider server must listen sockert in TLS mode (-cert and -key options) and client CA file must be specified (-cacert). Example: cert://. Parameters of this scheme are:blacklist - location of file with list of serial numbers of blocked certificates, one per each line in form of hex-encoded colon-separated bytes. Example: ab:01:02:03. Empty lines and $ claude mcp add dumbproxy \
-- python -m otcore.mcp_server <graph>