× Few antiviral products inadequately detect 3proxy as Trojan.Daemonize, Backdoor.Daemonize, etc and many detect 3proxy as a PUA (potentially unwanted program). It may cause browser warning on download page. 3proxy is not trojan or backdoor and contains no functionality except described in documentation. Clear explanation of this fact is given, for example, in Microsoft's article.

Why ... doesn't work?

Q: Why does nothing work?

A: Valid configuration file is required.

Q: Why restrictions (redirections, limits, etc) do not work?

A: Most probable reasons: 'auth none' or no auth is used. For any ACL based feature one of 'iponly', 'nbname' or 'strong' auths required. Sequence of commands may be invalid. Commands are executed one-by-one and 'proxy', 'tcppm', 'socks' or another service commands must follow valid configuration. Invalid sequence of ACLs. First matching ACL is used (except of internal redirections, see below). If ACL contains at least one records last record is assumed to be 'deny *'.

Q: Why doesn't 3proxy work as service under Windows?

Possible reasons:

Q: Why doesn't internal and external commands work as expected

A: Check your expectations first. Both internal and external IPs are IPs of the host running 3proxy itself. This configuration option is usefull in situation 3proxy is running on the border host with 2 (or more) connections: e.g. LAN and WAN with different IPs
     LAN connection +-------------+ Internet connection
LAN <-------------->| 3proxy host |<-------------------> INTERNET
	           |               |
              Internal IP       External IP
If 3proxy is used on the host with single connection, both internal and external are usually same IP.
Internal should exist and be UP on the moment 3proxy is started and should never be disconnected/DOWN. If this interface is periodically disconnected (e.g. direct link between 2 hosts), do not specify internal address or use instead. In this case, if you have 2 or more interfaces you must use firewall (preferably) or 3proxy ACLs to avoid open proxy situation.
External IP (if specified) must exist in the momet 3proxy serves client request. If external interface is no specified (or, system select external IP. It may be possible to access resources of internal network, to prevent this use ACLs. In addition, SOCKSv5 will not support BIND operation, required for incoming connections (this operation is quite rarely implemented in SOCKSv5 clients and usually is not required). In case of dynamic address, do not specify external or use external or, if external address is required, create a script to determine current external IP and save it to file, and use external "$path_to_file" with "monitor" command to automatically reload configuration on address change.

Q: Why doesn't ODBC loggind work?

A: Check you use system DSN. Check SQL request is valid. The best way to check is to make file or stdout logging, get SQL request from log file or console and execute this request manually. Under Unix, you may also want to adjust 'stacksize' parameter.

Q: Why doesn't IPv6 work?

A: Proxy can not access destination directly over IPv6 if client requests IPv4 address. To access IPv6 destination, either IPv6 address or hostname must be used in request. Best solution is to enable option to resolve hostnames via proxy on client side.

Q: Why proxy crash on request processing?

A: default stacksize may be insufficient, if some non-default plugins are used (e.g. PAM and ODBC on Linux) or if compiled on some platforms with invalid system defined values (few versionds of FreeBSD on amd64). Problem can be resolved with 'stacksize' command or '-S' option starting 3proxy 0.8.4.

Q: Why doesn't APOP/CRAM-MD5 authentication work with POP3 proxy?

A: Any Challenge-response authentication require challenge to be transmitted from server. Pop3p doesn't know which server to use before authentication, it makes it impossible to obtain challenge. You can encrypt your POP3 communications with TLS (i.e. stunnel) or IPSec.

Redirection to local proxy

Q: What is it for?

A: To have control based on request and to have URLs and another protocol specific parameters to be logged.

Q: What are restrictions?

A: It's hard to redirect services for non-default ports; Internet Explorer supports only SOCKSv4 with no password authentication (Internet Explorer sends username, but not password), for SOCKSv5 only cleartext password authentication is supported.

Q: What are advantages?

A: You need only to setup SOCKS proxy in browser settings. You can use socksifier, i.e. FreeCAP or SocksCAP with application which is not proxy aware.

Q: How to setup?

A: You should specify parent proxy with IP of and port 0. Examples:
auth iponly
allow * * * 80,8080-8088
parent 1000 http 0
allow * * * 80,8080-8088
#redirect ports 80 and 8080-8088 to local HTTP proxy
#Second allow is required, because ACLs are checked
#twice: first time by socks and second by http proxy.

allow * * * 21,2121
parent 1000 ftp 0
allow * * * 21,2121
#redirect ports 21 and 2121 to local 
#ftp proxy

allow *
#allow rest of connections directly

#now let socks server to start

Q: How it affects different ACL rules?

A: After local redirections rules are applied again to protocol-level request. Redirection rule itself is skipped. It makes it possible to redirect request again on the external proxy depending on request itself.
allow * * * 80,8080-8088
parent 1000 http 0
#redirect http traffic to internal proxy

allow * * $c:\3proxy\local.nets 80,8080-8088
#allow direct access to local.nets networks
allow * * * 80,8080-8088
parent 1000 http proxy.3proxy.org 3128
#use parent caching proxy for rest of the networks

allow *
#allow direct connections for rest of socks

Can I ...?

Q: Is it possible to resolve names through parent proxy?

A: Yes, use 'proxy', 'connect+', 'socks4+' or 'socks5+' as parent proxy type. 3proxy itself requires name resolutions for ACL checks, so, if it's impossible to resolve names from 3proxy host, use
command. Fakeresolve resolves any name to

Q: Can I use 3proxy as FTP proxy?

A: There are two kinds of FTP proxy supported: FTP over HTTP support (known as FTP proxy inside Internet Explorer, Mozilla and another browsers) and real FTP proxy (usable in Far and different FTP clients). Both are supported in 3proxy: first one as a part of HTTP 'proxy' and second one as 'ftppr'.

Q: Can I bind any 3proxy service to non-default port?

A: proxy -p8080

Why so ...?

Q: Why traffic accounting is incomplete? It differs for what my provider (or another accounting application) shows to me?

A: 3proxy accounts protocol level traffic. Provider counts channel or IP-level traffic with network and transport headers. In additions, 3proxy doesn't counts DNS resolutions, pings, floods, scans, etc. It makes approx. 10% of difference. That's why you should have 15% reserve if you use 3proxy to limit your traffic. If difference with your provider is significantly above 10% you should look for traffic avoiding proxy server, for example connections through NAT, traffic originated from the host with proxy installed, traffic from server applications, etc.

Q: Why configuration is so difficult and non-intuitive?

A: Configuration format is created in a way it's easy to parse and matches to internal 3proxy structures. In addition, there are some older things left for compatibility to be cleaned in 3proxy release. And last, I think it's easy and intuitive.

Q: Why the code is so difficult and non-intuitive?

A: First, I'm not programmer. Second, 3proxy was 'proof of concept' in reply for some conference post. Request was to write proxy server in 100 lines of code. First version of 3proxy had less, with HTTP and SOCKS support and portmappers. Third, there are peoples who want to use 3proxy code in trojans. I don't want to help them. Fourth, the aim is to support different platforms. It's well known - the worse code is, the better it compiles.

Q: Why do you use insecure strcpy, sprintf, etc?

A: Why not? I try to use insecure function in secure manner. You're welcome to look for vulnerabilities.