MCPcopy Index your code
hub / github.com/SenseUnit/dumbproxy

github.com/SenseUnit/dumbproxy @v1.51.1

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.51.1 ↗ · + Follow
726 symbols 2,108 edges 82 files 59 documented · 8%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

dumbproxy

dumbproxy

Simple, scriptable, secure HTTP/SOCKS5 forward proxy.

Features

  • Multiple protocol support: both HTTP and SOCKS5 are supported
  • TrustTunnel extensions for UDP and healthchecks are supported as well, which means dumbproxy server running with HTTPS enabled is compatible with TrustTunnel client.
  • Cross-platform (Windows/Mac OS/Linux/Android (via shell)/*BSD)
  • Deployment with a single self-contained binary
  • Zero-configuration
  • Seamless forwarding of all kinds of TCP connections in addition to regular web-traffic forwarding
  • Supports Basic proxy authentication
  • Via auto-reloaded NCSA httpd-style passwords file
  • Via static login and password
  • Via HMAC signatures provisioned by central authority (e.g. some webservice)
  • Via Redis or Redis Cluster database
  • Chaining of all above in order to lookup multiple sources or provide custom rejection response.
  • Supports TLS operation mode (HTTP(S) proxy over TLS)
  • Supports client authentication with client TLS certificates
  • Native ACME support (can issue TLS certificates automatically using Let's Encrypt or BuyPass)
    • Certificate cache in local directory
    • Certificate cache in Redis/Redis Cluster
    • Optional local in-memory inner cache
    • Optional AEAD encryption layer for cache
  • Per-user bandwidth limits
  • HTTP/2 support, both server and client, including h2c support
  • Advanced DNS support
  • Plain DNS
  • DNS-over-HTTPS
  • DNS-over-TLS
  • System-provided DNS
  • Competitive parallel resolving using any of above
  • Optional DNS cache
  • Resilient to DPI (including active probing, see hidden_domain option for authentication providers)
  • Connecting via upstream HTTP(S)/SOCKS5 proxies (proxy chaining)
  • Optional parroting of TLS fingerprints of popular software such as web browsers.
  • Optional countermeasures against TLS-in-TLS detection (available when both client and server are dumbproxy).
  • systemd socket activation
  • Proxy protocol support for instances working behind a reverse proxy (HAProxy, Nginx)
  • Scripting with JavaScript:
  • Access filter by JS function
  • Upstream proxy selection by JS function
    • Native PAC file support is also available for compatibility with existing solutions
  • Bandwidth limits by JS function
  • GeoIP integration
  • Seamless proxy client integration with OpenSSH: ssh -o ProxyCommand="dumbproxy -config proxy.cfg -mode stdio %h %p" root@server1
  • Port-forwarding mode

Installation

Binary download

Pre-built binaries available on releases page.

From source

Alternatively, you may install dumbproxy from source. Run within source directory

go install .

Docker

Docker image is available as well. Here is an example for running proxy as a background service:

docker run -d \
    --security-opt no-new-privileges \
    -p 8080:8080 \
    --restart unless-stopped \
    --name dumbproxy \
    ghcr.io/senseunit/dumbproxy -auth 'static://?username=admin&password=123456'

Snap Store

Get it from the Snap Store

sudo snap install dumbproxy

easy-dp

There is a simple shell script available for complete installation of dumbproxy on a fresh Linux server: https://github.com/Snawoot/easy-dp

Usage

Just run program and it'll start accepting connections on port 8080 (default).

Example: plain proxy

Run proxy on port 1234 with Basic authentication with username admin and password 123456:

dumbproxy -bind-address :1234 -auth 'static://?username=admin&password=123456'

Example: HTTP proxy over TLS (LetsEncrypt automatic certs)

Run HTTPS proxy (HTTP proxy over TLS) with automatic certs from LetsEncrypt on port 443 with Basic authentication with username admin and password 123456:

dumbproxy -bind-address :443 -auth 'static://?username=admin&password=123456' -autocert

Example: HTTP proxy over TLS (pre-issued cert) behind Nginx reverse proxy performing SNI routing

Run HTTPS proxy (HTTP proxy over TLS) with pre-issued cert listening proxy protocol on localhost's 10443 with Basic authentication (users and passwords in /etc/dumbproxy.htpasswd)):

dumbproxy \
    -bind-address 127.0.0.1:10443 \
    -proxyproto \
    -auth basicfile://?path=/etc/dumbproxy.htpasswd \
    -cert=/etc/letsencrypt/live/proxy.example.com/fullchain.pem \
    -key=/etc/letsencrypt/live/proxy.example.com/privkey.pem

Nginx config snippet:

stream
{
    ssl_preread on;

    map $ssl_preread_server_name $backend
    {
        proxy.example.com dumbproxy;
        ...
    }

    upstream dumbproxy
    {
        server 127.0.0.1:10443;
    }

    server
    {
        listen 443;
        listen [::]:443;
        proxy_protocol on;
        proxy_pass $backend;
    }

}

Example: HTTP proxy over TLS (ACME-issued cert) behind Traefik reverse proxy running in Docker Compose and performing SNI routing

Have following labels attached to dumbproxy service in compose file:

        traefik.enable: "true"
        traefik.tcp.routers.dumbproxy.service: dumbproxy
        traefik.tcp.routers.dumbproxy.rule: HostSNI(`<your-domain>`)
        traefik.tcp.routers.dumbproxy.tls: "true"
        traefik.tcp.routers.dumbproxy.tls.passthrough: "false"
        traefik.tcp.routers.dumbproxy.tls.certResolver: letsencrypt
        traefik.tcp.services.dumbproxy.loadBalancer.server.port: 8080
        traefik.tcp.services.dumbproxy.loadbalancer.proxyProtocol.version: 2

dumbproxy service should be run in plaintext mode as TLS is handled on Traefik side. So options would be just -bind-address=:8080 -proxyproto and probably something for authorization. This recipe is explained in Wiki with more details and configuration files provided for context.

Example: HTTP proxy over TLS (BuyPass automatic certs)

Run HTTPS proxy (HTTP proxy over TLS) with automatic certs from BuyPass on port 443 with Basic authentication with username admin and password 123456:

dumbproxy \
    -bind-address :443 \
    -auth 'static://?username=admin&password=123456' \
    -autocert \
    -autocert-acme 'https://api.buypass.com/acme/directory' \
    -autocert-email YOUR-EMAIL@EXAMPLE.ORG \
    -autocert-http :80

See Wiki for more examples, recipes and notes.

Using HTTP-over-TLS proxy

It's quite trivial to set up program which supports proxies to use dumbproxy in plain HTTP mode. However, using HTTP proxy over TLS connection with browsers is little bit tricky. Note that TLS must be enabled (-cert and -key options or -autocert option) for this to work.

Routing all browsers on Windows via HTTPS proxy

Open proxy settings in system's network settings:

win10-proxy-settings

Turn on setup script option and set script address:

data:,function FindProxyForURL(u, h){return "HTTPS example.com:8080";}

where instead of example.com:8080 you should use actual address of your HTTPS proxy.

Note: this method will not work with MS Edge Legacy.

Using with Firefox

Option 1. Inline PAC file in settings.

Open Firefox proxy settings, switch proxy mode to "Automatic proxy configuration URL". Specify URL:

data:,function FindProxyForURL(u, h){return "HTTPS example.com:8080";}

ff_https_proxy

Option 2. Browser extension.

Use any proxy switching browser extension which supports HTTPS proxies like this one.

Using with Chrome

Option 1. CLI option.

Specify proxy via command line:

chromium-browser --proxy-server='https://example.com:8080'

Option 2. Browser extension.

Use any proxy switching browser extension which supports HTTPS proxies like this one.

Using with other applications

It is possible to expose remote HTTPS proxy as a local plaintext HTTP proxy with the help of some application which performs remote communication via TLS and exposes local plaintext socket. dumbproxy itself can play this role and use upstream proxy to provide local proxy service. For example, command

dumbproxy -bind-address 127.0.0.1:8080 -proxy 'https://login:password@example.org'

would expose remote HTTPS proxy at example.org:443 with login and password on local port 8080 as a regular HTTP proxy without authentication. Or, if you prefer mTLS authentication, it would be

dumbproxy -bind-address 127.0.0.1:8080 -proxy 'https://example.org?cert=cert.pem&key=key.pem&cafile=ca.pem'

Using with Android

  1. Run proxy as in examples above.
  2. Install DumDum on your Android device from F-Droid or GitHub.
  3. Open DumDum, tap ➕ (in the upper right corner) and choose "HTTP(S)".
  4. Configure a connection:

dumdum

[!IMPORTANT] For HTTPS, make sure the "Encryption" parameter is set to "tls". 5. Save settings by tapping ✔️. 6. If a self-signed certificate is used, go to "Settings > Advanced > Connection" and enable "Ignore Proxy SSL Certificate." 7. Enjoy!

Authentication

Authentication parameters are passed as URI via -auth parameter. Scheme of URI defines authentication metnod and query parameters define parameter values for authentication provider.

  • none - no authentication. Example: none://. This is default.
  • static - basic authentication for single login and password pair. Example: static://?username=admin&password=123456. Parameters:
  • username - login.
  • password - password.
  • hidden_domain - if specified and is not an empty string, proxy will respond with "407 Proxy Authentication Required" only on specified domain. All unauthenticated clients will receive "400 Bad Request" status. This option is useful to prevent DPI active probing from discovering that service is a proxy, hiding proxy authentication prompt when no valid auth header was provided. Hidden domain is used for generating 407 response code to trigger browser authorization request in cases when browser has no prior knowledge proxy authentication is required. In such cases user has to navigate to any hidden domain page via plaintext HTTP, authenticate themselves and then browser will remember authentication.
  • else - optional URL specifying the next auth provider to chain to, if authentication failed. Example: -auth 'static://?username=root&password=mycoolpass&else=static%3A%2F%2F%3Fusername%3Dadmin%26password%3D123456'.
  • basicfile - use htpasswd-like file with login and password pairs for authentication. Such file can be created/updated with command like this: dumbproxy -passwd /etc/dumbproxy.htpasswd username password or with htpasswd utility from Apache HTTPD utils. path parameter in URL for this provider must point to a local file with login and bcrypt-hashed password lines. Example: basicfile://?path=/etc/dumbproxy.htpasswd. Parameters:
  • path - location of file with login and password pairs. File format is similar to htpasswd files. Each line must be in form <username>:<bcrypt hash of password>. Empty lines and lines starting with # are ignored.
  • hidden_domain - same as in static provider.
  • reload - interval for conditional password file reload, if it was modified since last load. Use negative duration to disable autoreload. Default: 15s.
  • else - optional URL specifying the next auth provider to chain to, if authentication failed. Example: -auth 'basicfile://?path=/etc/dumbproxy.htpasswd&else=static%3A%2F%2F%3Fusername%3Dadmin%26password%3D123456'.
  • hmac - authentication with HMAC-signatures passed as username and password via basic authentication scheme. In that scheme username represents user login as usual and password should be constructed as follows: password := urlsafe_base64_without_padding(expire_timestamp || hmac_sha256(secret, "dumbproxy grant token v1" || username || expire_timestamp)), where expire_timestamp is 64-bit big-endian UNIX timestamp and || is a concatenation operator. This Python script can be used as a reference implementation of signing. Dumbproxy itself also provides built-in signer: dumbproxy -hmac-sign <HMAC key> <username> <validity duration>. Parameters of this auth scheme are:
  • secret - hex-encoded HMAC secret key. Alternatively it can be specified by DUMBPROXY_HMAC_SECRET environment variable. Secret key can be generated with command like this: openssl rand -hex 32 or dumbproxy -hmac-genkey.
  • hidden_domain - same as in static provider.
  • else - optional URL specifying the next auth provider to chain to, if authentication failed.
  • cert - use mutual TLS authentication with client certificates. In order to use this auth provider server must listen sockert in TLS mode (-cert and -key options) and client CA file must be specified (-cacert). Example: cert://. Parameters of this scheme are:
  • blacklist - location of file with list of serial numbers of blocked certificates, one per each line in form of hex-encoded colon-separated bytes. Example: ab:01:02:03. Empty lines and

Extension points exported contracts — how you extend this code

Auth (Interface)
(no doc) [9 implementers]
auth/auth.go
LegacyDialer (Interface)
(no doc) [15 implementers]
dialer/dialer.go
HostnameWanter (Interface)
(no doc) [9 implementers]
dialer/protect.go
HandlerDialer (Interface)
(no doc) [16 implementers]
handler/handler.go
Resolver (Interface)
(no doc) [4 implementers]
dialer/resolve.go
Resolver (Interface)
(no doc) [4 implementers]
jsext/addrutil.go
LookupNetIPer (Interface)
(no doc) [4 implementers]
resolver/fast.go
Filter (Interface)
(no doc) [3 implementers]
access/access.go

Core symbols most depended-on inside this repo

Errorf
called by 177
tlsutil/ccache.go
Close
called by 69
auth/tlscookie.go
String
called by 55
main.go
Get
called by 50
certcache/redis.go
Critical
called by 31
log/condlog.go
NewLimiter
called by 31
rate/rate.go
Set
called by 26
jsext/env.go
Fatalf
called by 24
tlsutil/ccache.go

Shape

Method 319
Function 263
Struct 116
Interface 18
TypeAlias 10

Languages

Go100%

Modules by API surface

rate/rate_test.go51 symbols
dialer/tt.go41 symbols
main.go38 symbols
rate/rate.go29 symbols
handler/adapter.go28 symbols
tlsutil/ccache.go26 symbols
dialer/h2.go26 symbols
dialer/pipewrap.go23 symbols
jsext/addrutil.go19 symbols
dialer/h2_client_conn_pool.go19 symbols
forward/bwlimit.go18 symbols
tlsutil/util.go17 symbols

For agents

$ claude mcp add dumbproxy \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact