MCPcopy Index your code
hub / github.com/buhuipao/anyproxy

github.com/buhuipao/anyproxy @v1.0.16

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.0.16 ↗ · + Follow
1,083 symbols 3,742 edges 84 files 631 documented · 58% updated 11mo agov1.0.16 · 2025-07-20★ 1053 open issues
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

AnyProxy

License: MIT Go Version Ask DeepWiki Build Status Release

AnyProxy is a modern secure tunneling solution that enables you to safely expose local services to the internet through multiple transport protocols. Built with integrated web management interfaces and intelligent monitoring systems.

🚀 30-Second Demo Experience

Want to quickly experience AnyProxy? Try our demo client:

# 1. Enter demo directory
cd demo

# 2. Start demo client (connects to our demo gateway)
# Demo includes pre-generated certificate files
docker run -d \
  --name anyproxy-demo-client \
  --network host \
  -v $(pwd)/configs:/app/configs:ro \
  -v $(pwd)/certs:/app/certs:ro \
  buhuipao/anyproxy:latest \
  ./anyproxy-client --config configs/client.yaml

# 3. Check running status
docker logs anyproxy-demo-client

# 4. Access Web Interface
# http://localhost:8091 (see config file for username/password)

Test proxy connection:

# Test with demo proxy (replace group_id with value from config)
curl -x http://your_group_id:your_password@47.107.181.88:8080 http://httpbin.org/ip

📖 Complete Demo Guide: See demo/README.md for detailed instructions

✨ Key Features

🔄 Multiple Transport Protocols

  • WebSocket: Firewall-friendly, HTTP/HTTPS compatible
  • gRPC: HTTP/2 multiplexing, efficient binary protocol
  • QUIC: Ultra-low latency, 0-RTT handshake, connection migration

🚀 Triple Proxy Support

  • HTTP Proxy: Standard HTTP CONNECT, full browser compatibility
  • Optional HTTPS proxy mode for encrypted client connections
  • SOCKS5 Proxy: Universal protocol support, low overhead
  • TUIC Proxy: UDP-based ultra-low latency proxy, 0-RTT connection

🎯 Intelligent Routing & Security

  • Group Routing System: Multi-environment routing based on group_id
  • Dynamic Authentication: Clients authenticate using group_id and group_password
  • Host Access Control: Precise allow/deny lists
  • End-to-End TLS: Mandatory encryption for all transport protocols

🖥️ Web Management Interface

  • Gateway Dashboard: Real-time monitoring, client management
  • Client Monitoring: Local connection tracking, performance analytics
  • Multi-Language Support: Complete English/Chinese bilingual interface

🔐 Group-Based Authentication & Load Balancing

  • Single Group ID: Use group_id directly as proxy username (e.g., prod-env:password)
  • Round-Robin: Automatic load distribution across clients in the same group
  • Zero-Config: No complex username formats, just group_id and password
  • High Availability: Seamless failover when clients disconnect
  • Persistent Credentials: Optional file or database-based credential storage for production use

🏗️ System Architecture

Internet Users                       Public Gateway Server                   Private Networks
     │                                       │                                     │
     │ ◄─── HTTP/SOCKS5/TUIC Proxy ──► ┌─────────────┐ ◄─── TLS Tunnels ───► ┌──────────────┐
     │                                 │   Gateway   │                       │   Clients    │
     │                                 │             │                       │              │
     │                                 │ • HTTP:8080 │                       │ • SSH Server │
     │                                 │ • SOCKS:1080│                       │ • Web Apps   │
     │                                 │ • TUIC:9443 │                       │ • Databases  │
     │                                 │ • Web:8090  │                       │ • AI Models  │
     │                                 │             │                       │ • Web:8091   │
     │                                 │             │                       │              │
     │                                 │ Transports: │                       │              │
     │                                 │ • WS:8443   │                       │              │
     │                                 │ • gRPC:9090 │                       │              │
     │                                 │ • QUIC:9091 │                       │              │
     │                                 └─────────────┘                       └──────────────┘
     │                                        │                                     │
SSH, Web, AI ←────────────────── Secure Proxy Connection ──────────────→ Local Services

Group-Based Routing Principle

                              Gateway Server
                          ┌─────────────────────┐
  Proxy Auth Requests     │   Route by Group    │           Client Groups
       │                  │                     │                │
       ├─ prod:pass ────► │  ┌─────────────┐    │ ────► ┌─────────────────┐
       │                  │  │  Prod Group │    │       │  Production Env │
       │                  │  │   Router    │    │       │ • prod-api.com  │
       │                  │  └─────────────┘    │       │ • prod-db:5432  │
       │                  │                     │       └─────────────────┘
       ├─ staging:pass ──►│  ┌─────────────┐    │ ────► ┌─────────────────┐
       │                  │  │ Staging     │    │       │  Staging Env    │
       │                  │  │  Router     │    │       │ • staging-api   │
       │                  │  └─────────────┘    │       │ • staging-db    │
       │                  │                     │       └─────────────────┘
       └─ dev:pass ──────►│  ┌─────────────┐    │ ────► ┌─────────────────┐
                          │  │   Dev       │    │       │  Development    │
                          │  │  Router     │    │       │ • localhost:*   │
                          │  └─────────────┘    │       │ • dev-services  │
                          └─────────────────────┘       └─────────────────┘

⚠️ **Critical Authentication Rules**:
• **Proxy Authentication**: Use `group_id` as username, `group_password` as password
• **Routing Mechanism**: Gateway routes traffic to corresponding client group based on authenticated `group_id`
• **Each Client**: Registers with unique `group_id` and `group_password`
• **Password Consistency**: All clients with the same `group_id` must use identical `group_password`, or authentication will fail

📊 Protocol Comparison

Protocol Type Best For Port Authentication
HTTP TCP Web browsing, API calls 8080 group_id/group_password
SOCKS5 TCP General purpose 1080 group_id/group_password
TUIC UDP Gaming, real-time apps 9443 Dynamic Group Auth

Important Notes: - Each Gateway/Client instance uses only ONE transport protocol - TUIC protocol simplified: uses group_id as UUID, group_password as Token - All proxy protocols authenticate directly using group_id for routing

🚀 Quick Start

Core Concepts

AnyProxy operates on a group authentication model: - Gateway: Provides proxy services, accepts client connections - Client: Connects to gateway, provides access to internal services - Group Authentication: Each client belongs to a group (group_id) and authenticates using group password (group_password)

Requirements

  • Docker (recommended) or Go 1.23+
  • Public Server for Gateway deployment
  • TLS Certificates (required for transport layer security)

Quick Deployment

⚠️ Important Notes: - Certificates Required: All Gateway and Client instances need TLS certificates for secure communication - Password Consistency: All clients with the same group_id must use identical group_password - UDP Ports: When using QUIC transport or TUIC proxy, Docker ports must be set as UDP type

1. Start Gateway (Public Server):

# Create directories and configuration
mkdir anyproxy-gateway && cd anyproxy-gateway
mkdir -p configs certs logs

# Generate TLS certificates (required step)
# Use your public IP or domain name
./scripts/generate_certs.sh YOUR_GATEWAY_IP
# or for domain: ./scripts/generate_certs.sh gateway.yourdomain.com

# Create gateway configuration
cat > configs/gateway.yaml << 'EOF'
gateway:
  listen_addr: ":8443"
  transport_type: "websocket"
  tls_cert: "certs/server.crt"
  tls_key: "certs/server.key"
  auth_username: "admin"
  auth_password: "secure_password"
  proxy:
    http:
      listen_addr: ":8080"
    socks5:
      listen_addr: ":1080"
    tuic:
      listen_addr: ":9443"
  web:
    enabled: true
    listen_addr: ":8090"
    static_dir: "web/gateway/static"
    auth_enabled: true
    auth_username: "web_admin"
    auth_password: "web_password"
    session_key: "change-this-secret-key"
EOF

# Start gateway (WebSocket transport)
docker run -d --name anyproxy-gateway \
  -p 8080:8080 -p 1080:1080 -p 9443:9443/udp -p 8443:8443 -p 8090:8090 \
  -v $(pwd)/configs:/app/configs:ro \
  -v $(pwd)/certs:/app/certs:ro \
  -v $(pwd)/logs:/app/logs \
  buhuipao/anyproxy:latest ./anyproxy-gateway --config configs/gateway.yaml

# If using QUIC transport, ports need to be set as UDP:
# docker run -d --name anyproxy-gateway \
#   -p 8080:8080 -p 1080:1080 -p 9443:9443/udp -p 9091:9091/udp -p 8090:8090 \
#   ...

2. Start Client (Private Network):

# Create directories and configuration
mkdir anyproxy-client && cd anyproxy-client
mkdir -p configs certs logs

# Copy certificate files from gateway server (required)
scp user@YOUR_GATEWAY_IP:/path/to/anyproxy-gateway/certs/server.crt ./certs/

# Create client configuration
cat > configs/client.yaml << 'EOF'
client:
  id: "home-client-001"
  group_id: "homelab"
  group_password: "my_secure_password"  # Ensure all clients in same group use identical password
  replicas: 1
  gateway:
    addr: "YOUR_GATEWAY_IP:8443"  # Replace with your gateway IP
    transport_type: "websocket"
    tls_cert: "certs/server.crt"
    auth_username: "admin"
    auth_password: "secure_password"

  # Allow only specific services
  allowed_hosts:
    - "localhost:22"        # SSH
    - "localhost:80"        # Web server
    - "localhost:3000"      # Dev server

  # Block dangerous hosts
  forbidden_hosts:
    - "169.254.0.0/16"      # Cloud metadata

  web:
    enabled: true
    listen_addr: ":8091"
    static_dir: "web/client/static"
    auth_enabled: true
    auth_username: "client_admin"
    auth_password: "client_password"
    session_key: "change-this-secret-key"
EOF

# Start client (must mount certificate directory)
docker run -d --name anyproxy-client \
  --network host \
  -v $(pwd)/configs:/app/configs:ro \
  -v $(pwd)/certs:/app/certs:ro \
  -v $(pwd)/logs:/app/logs \
  buhuipao/anyproxy:latest ./anyproxy-client --config configs/client.yaml

3. Test Connection:

# HTTP proxy example (using group_id authentication)
curl -x http://homelab:my_secure_password@YOUR_GATEWAY_IP:8080 http://localhost:80

# SOCKS5 proxy example
curl --socks5 homelab:my_secure_password@YOUR_GATEWAY_IP:1080 http://localhost:22

# SSH access
ssh -o "ProxyCommand=nc -X 5 -x homelab:my_secure_password@YOUR_GATEWAY_IP:1080 %h %p" user@localhost

🎯 Common Use Cases

1. HTTP Proxy (Web Browsing)

Browser Setup:

Proxy Server: YOUR_GATEWAY_IP
HTTP Port: 8080
Username: group_id          # e.g., homelab
Password: group_password    # Group password

2. SOCKS5 Proxy (Universal Protocol)

SOCKS5 Configuration:

Proxy Type: SOCKS5
Server: YOUR_GATEWAY_IP
Port: 1080
Username: group_id          # e.g., homelab
Password: group_password    # Group password

3. SSH Server Access

# Connect via SOCKS5 proxy
ssh -o "ProxyCommand=nc -X 5 -x group_id:group_password@YOUR_GATEWAY_IP:1080 %h %p" user@localhost

# Or configure SSH client
cat >> ~/.ssh/config << 'EOF'
Host tunnel-ssh
  HostName localhost
  User your_username
  Port 22
  ProxyCommand nc -X 5 -x group_id:group_password@YOUR_GATEWAY_IP:1080 %h %p
EOF

ssh tunnel-ssh

4. Port Forwarding

Configure Port Forwarding:

client:
  open_ports:
    - remote_port: 2222     # Gateway port
      local_port: 22        # Local SSH port
      local_host: "localhost"
      protocol: "tcp"

    - remote_port: 8000     # Gateway port
      local_port: 80        # Local web port
      local_host: "localhost"
      protocol: "tcp"

Use Port Forwarding:

# Direct SSH connection
ssh -p 2222 user@YOUR_GATEWAY_IP

# Direct web access
curl http://YOUR_GATEWAY_IP:8000

⚙️ Configuration

Transport Selection

# WebSocket (Recommended, firewall-friendly)
gateway:
  listen_addr: ":8443"
  transport_type: "websocket"

# Docker ports: -p 8443:8443

# gRPC (High performance)
gateway:
  listen_addr: ":9090"
  transport_type: "grpc"

# Docker ports: -p 9090:9090

# QUIC (Mobile-optimized) ⚠️ Note: Requires UDP ports
gateway:
  listen_addr: ":9091"
  transport_type: "quic"

# Docker ports: -p 9091:9091/udp (note the /udp suffix)

Security Configuration

client:
  # Allowed hosts (whitelist)
  allowed_hosts:
    - "localhost:22"
    - "localhost:80"
    - "192.168.1.0/24:*"

  # Forbidden hosts (blacklist)
  forbidden_hosts:
    - "169.254.0.0/16"      # Cloud metadata
    - "127.0.0.1"           # Localhost
    - "10.0.0.0/8"          # Private networks

HTTPS Proxy Configuration

To enable HTTPS proxy (where clients connect to the proxy using HTTPS), configure TLS certificates for the HTTP proxy:

```yaml gateway: proxy: http: listen_addr: ":8080

Extension points exported contracts — how you extend this code

Core symbols most depended-on inside this repo

Shape

Method 543
Function 394
Struct 126
Interface 12
Class 4
FuncType 2
TypeAlias 2

Languages

Go98%
TypeScript2%

Modules by API surface

web/client/server.go42 symbols
pkg/common/monitoring/metrics.go41 symbols
pkg/gateway/gateway_test.go40 symbols
pkg/common/ratelimit/rate_limiter_test.go38 symbols
pkg/protocols/tuicproxy.go37 symbols
web/gateway/server.go33 symbols
pkg/transport/grpc/transport.pb.go32 symbols
pkg/gateway/client_conn_test.go31 symbols
pkg/client/connection_test.go30 symbols
pkg/common/message/message_handler.go28 symbols
pkg/protocols/httpproxy_test.go26 symbols
pkg/common/ratelimit/rate_limiter.go26 symbols

Datastores touched

testdbDatabase · 1 repos

For agents

$ claude mcp add anyproxy \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page