AnyProxy is a modern secure tunneling solution that enables you to safely expose local services to the internet through multiple transport protocols. Built with integrated web management interfaces and intelligent monitoring systems.
Want to quickly experience AnyProxy? Try our demo client:
# 1. Enter demo directory
cd demo
# 2. Start demo client (connects to our demo gateway)
# Demo includes pre-generated certificate files
docker run -d \
--name anyproxy-demo-client \
--network host \
-v $(pwd)/configs:/app/configs:ro \
-v $(pwd)/certs:/app/certs:ro \
buhuipao/anyproxy:latest \
./anyproxy-client --config configs/client.yaml
# 3. Check running status
docker logs anyproxy-demo-client
# 4. Access Web Interface
# http://localhost:8091 (see config file for username/password)
Test proxy connection:
# Test with demo proxy (replace group_id with value from config)
curl -x http://your_group_id:your_password@47.107.181.88:8080 http://httpbin.org/ip
📖 Complete Demo Guide: See demo/README.md for detailed instructions
group_idgroup_id and group_passwordprod-env:password)Internet Users Public Gateway Server Private Networks
│ │ │
│ ◄─── HTTP/SOCKS5/TUIC Proxy ──► ┌─────────────┐ ◄─── TLS Tunnels ───► ┌──────────────┐
│ │ Gateway │ │ Clients │
│ │ │ │ │
│ │ • HTTP:8080 │ │ • SSH Server │
│ │ • SOCKS:1080│ │ • Web Apps │
│ │ • TUIC:9443 │ │ • Databases │
│ │ • Web:8090 │ │ • AI Models │
│ │ │ │ • Web:8091 │
│ │ │ │ │
│ │ Transports: │ │ │
│ │ • WS:8443 │ │ │
│ │ • gRPC:9090 │ │ │
│ │ • QUIC:9091 │ │ │
│ └─────────────┘ └──────────────┘
│ │ │
SSH, Web, AI ←────────────────── Secure Proxy Connection ──────────────→ Local Services
Gateway Server
┌─────────────────────┐
Proxy Auth Requests │ Route by Group │ Client Groups
│ │ │ │
├─ prod:pass ────► │ ┌─────────────┐ │ ────► ┌─────────────────┐
│ │ │ Prod Group │ │ │ Production Env │
│ │ │ Router │ │ │ • prod-api.com │
│ │ └─────────────┘ │ │ • prod-db:5432 │
│ │ │ └─────────────────┘
├─ staging:pass ──►│ ┌─────────────┐ │ ────► ┌─────────────────┐
│ │ │ Staging │ │ │ Staging Env │
│ │ │ Router │ │ │ • staging-api │
│ │ └─────────────┘ │ │ • staging-db │
│ │ │ └─────────────────┘
└─ dev:pass ──────►│ ┌─────────────┐ │ ────► ┌─────────────────┐
│ │ Dev │ │ │ Development │
│ │ Router │ │ │ • localhost:* │
│ └─────────────┘ │ │ • dev-services │
└─────────────────────┘ └─────────────────┘
⚠️ **Critical Authentication Rules**:
• **Proxy Authentication**: Use `group_id` as username, `group_password` as password
• **Routing Mechanism**: Gateway routes traffic to corresponding client group based on authenticated `group_id`
• **Each Client**: Registers with unique `group_id` and `group_password`
• **Password Consistency**: All clients with the same `group_id` must use identical `group_password`, or authentication will fail
| Protocol | Type | Best For | Port | Authentication |
|---|---|---|---|---|
| HTTP | TCP | Web browsing, API calls | 8080 | group_id/group_password |
| SOCKS5 | TCP | General purpose | 1080 | group_id/group_password |
| TUIC | UDP | Gaming, real-time apps | 9443 | Dynamic Group Auth |
Important Notes:
- Each Gateway/Client instance uses only ONE transport protocol
- TUIC protocol simplified: uses group_id as UUID, group_password as Token
- All proxy protocols authenticate directly using group_id for routing
AnyProxy operates on a group authentication model:
- Gateway: Provides proxy services, accepts client connections
- Client: Connects to gateway, provides access to internal services
- Group Authentication: Each client belongs to a group (group_id) and authenticates using group password (group_password)
⚠️ Important Notes:
- Certificates Required: All Gateway and Client instances need TLS certificates for secure communication
- Password Consistency: All clients with the same group_id must use identical group_password
- UDP Ports: When using QUIC transport or TUIC proxy, Docker ports must be set as UDP type
1. Start Gateway (Public Server):
# Create directories and configuration
mkdir anyproxy-gateway && cd anyproxy-gateway
mkdir -p configs certs logs
# Generate TLS certificates (required step)
# Use your public IP or domain name
./scripts/generate_certs.sh YOUR_GATEWAY_IP
# or for domain: ./scripts/generate_certs.sh gateway.yourdomain.com
# Create gateway configuration
cat > configs/gateway.yaml << 'EOF'
gateway:
listen_addr: ":8443"
transport_type: "websocket"
tls_cert: "certs/server.crt"
tls_key: "certs/server.key"
auth_username: "admin"
auth_password: "secure_password"
proxy:
http:
listen_addr: ":8080"
socks5:
listen_addr: ":1080"
tuic:
listen_addr: ":9443"
web:
enabled: true
listen_addr: ":8090"
static_dir: "web/gateway/static"
auth_enabled: true
auth_username: "web_admin"
auth_password: "web_password"
session_key: "change-this-secret-key"
EOF
# Start gateway (WebSocket transport)
docker run -d --name anyproxy-gateway \
-p 8080:8080 -p 1080:1080 -p 9443:9443/udp -p 8443:8443 -p 8090:8090 \
-v $(pwd)/configs:/app/configs:ro \
-v $(pwd)/certs:/app/certs:ro \
-v $(pwd)/logs:/app/logs \
buhuipao/anyproxy:latest ./anyproxy-gateway --config configs/gateway.yaml
# If using QUIC transport, ports need to be set as UDP:
# docker run -d --name anyproxy-gateway \
# -p 8080:8080 -p 1080:1080 -p 9443:9443/udp -p 9091:9091/udp -p 8090:8090 \
# ...
2. Start Client (Private Network):
# Create directories and configuration
mkdir anyproxy-client && cd anyproxy-client
mkdir -p configs certs logs
# Copy certificate files from gateway server (required)
scp user@YOUR_GATEWAY_IP:/path/to/anyproxy-gateway/certs/server.crt ./certs/
# Create client configuration
cat > configs/client.yaml << 'EOF'
client:
id: "home-client-001"
group_id: "homelab"
group_password: "my_secure_password" # Ensure all clients in same group use identical password
replicas: 1
gateway:
addr: "YOUR_GATEWAY_IP:8443" # Replace with your gateway IP
transport_type: "websocket"
tls_cert: "certs/server.crt"
auth_username: "admin"
auth_password: "secure_password"
# Allow only specific services
allowed_hosts:
- "localhost:22" # SSH
- "localhost:80" # Web server
- "localhost:3000" # Dev server
# Block dangerous hosts
forbidden_hosts:
- "169.254.0.0/16" # Cloud metadata
web:
enabled: true
listen_addr: ":8091"
static_dir: "web/client/static"
auth_enabled: true
auth_username: "client_admin"
auth_password: "client_password"
session_key: "change-this-secret-key"
EOF
# Start client (must mount certificate directory)
docker run -d --name anyproxy-client \
--network host \
-v $(pwd)/configs:/app/configs:ro \
-v $(pwd)/certs:/app/certs:ro \
-v $(pwd)/logs:/app/logs \
buhuipao/anyproxy:latest ./anyproxy-client --config configs/client.yaml
3. Test Connection:
# HTTP proxy example (using group_id authentication)
curl -x http://homelab:my_secure_password@YOUR_GATEWAY_IP:8080 http://localhost:80
# SOCKS5 proxy example
curl --socks5 homelab:my_secure_password@YOUR_GATEWAY_IP:1080 http://localhost:22
# SSH access
ssh -o "ProxyCommand=nc -X 5 -x homelab:my_secure_password@YOUR_GATEWAY_IP:1080 %h %p" user@localhost
Browser Setup:
Proxy Server: YOUR_GATEWAY_IP
HTTP Port: 8080
Username: group_id # e.g., homelab
Password: group_password # Group password
SOCKS5 Configuration:
Proxy Type: SOCKS5
Server: YOUR_GATEWAY_IP
Port: 1080
Username: group_id # e.g., homelab
Password: group_password # Group password
# Connect via SOCKS5 proxy
ssh -o "ProxyCommand=nc -X 5 -x group_id:group_password@YOUR_GATEWAY_IP:1080 %h %p" user@localhost
# Or configure SSH client
cat >> ~/.ssh/config << 'EOF'
Host tunnel-ssh
HostName localhost
User your_username
Port 22
ProxyCommand nc -X 5 -x group_id:group_password@YOUR_GATEWAY_IP:1080 %h %p
EOF
ssh tunnel-ssh
Configure Port Forwarding:
client:
open_ports:
- remote_port: 2222 # Gateway port
local_port: 22 # Local SSH port
local_host: "localhost"
protocol: "tcp"
- remote_port: 8000 # Gateway port
local_port: 80 # Local web port
local_host: "localhost"
protocol: "tcp"
Use Port Forwarding:
# Direct SSH connection
ssh -p 2222 user@YOUR_GATEWAY_IP
# Direct web access
curl http://YOUR_GATEWAY_IP:8000
# WebSocket (Recommended, firewall-friendly)
gateway:
listen_addr: ":8443"
transport_type: "websocket"
# Docker ports: -p 8443:8443
# gRPC (High performance)
gateway:
listen_addr: ":9090"
transport_type: "grpc"
# Docker ports: -p 9090:9090
# QUIC (Mobile-optimized) ⚠️ Note: Requires UDP ports
gateway:
listen_addr: ":9091"
transport_type: "quic"
# Docker ports: -p 9091:9091/udp (note the /udp suffix)
client:
# Allowed hosts (whitelist)
allowed_hosts:
- "localhost:22"
- "localhost:80"
- "192.168.1.0/24:*"
# Forbidden hosts (blacklist)
forbidden_hosts:
- "169.254.0.0/16" # Cloud metadata
- "127.0.0.1" # Localhost
- "10.0.0.0/8" # Private networks
To enable HTTPS proxy (where clients connect to the proxy using HTTPS), configure TLS certificates for the HTTP proxy:
```yaml gateway: proxy: http: listen_addr: ":8080
$ claude mcp add anyproxy \
-- python -m otcore.mcp_server <graph>