Easy per application transparent proxy built on cgroup.
AGPL-3.0 License
Ever wished you could make your stubborn programs use a proxy without them even knowing? Well, say hello to cproxy
.
proxychains
REDIRECT
and TPROXY
modesTPROXY
modeLOG
target[!TIP] Your proxy should be a transparent proxy port (like V2Ray's
dokodemo-door
inbound or shadowsocksss-redir
). But don't panic if you only have a SOCKS5 or HTTP proxy! There are tools that can transform it faster than Bill Clinton (check out transocks, ipt2socks and ip2socks-go).
You can install by downloading the binary from the release page or install with: cargo install cproxy
.
Alternatively, here's a oneliner that downloads the latest release and put it in your /usr/local/bin/
(for the lazy... I mean, efficient folks):
curl -s https://api.github.com/repos/NOBLES5E/cproxy/releases/latest | grep "browser_download_url.*x86_64-unknown-linux-musl.zip" | cut -d : -f 2,3 | tr -d \" | wget -qi - -O /tmp/cproxy.zip && unzip -j /tmp/cproxy.zip cproxy -d /tmp && sudo mv /tmp/cproxy /usr/local/bin/ && sudo chmod +x /usr/local/bin/cproxy && rm /tmp/cproxy.zip
proxychains
You can launch a new program with cproxy
with:
sudo cproxy --port <destination-local-port> -- <your-program> --arg1 --arg2 ...
All TCP connections requests will be proxied. If your local transparent proxy support DNS address overriding, you can
also redirect DNS traffic with --redirect-dns
:
sudo cproxy --port <destination-local-port> --redirect-dns -- <your-program> --arg1 --arg2 ...
For an example setup, see wiki.
[!NOTE] Scared of
sudo
in the command? Well, that's what we need to have the permission to modify cgroup. But don't worry too much, the program you run will still be run under your original user, not as root.cproxy
automatically drops privileges after setting up the necessary cgroup configurations, ensuring that your program runs with the same permissions as if you had launched it directly.
If your system support tproxy
, you can use tproxy
with --mode tproxy
:
sudo cproxy --port <destination-local-port> --mode tproxy -- <your-program> --arg1 --arg2 ...
# or for existing process
sudo cproxy --port <destination-local-port> --mode tproxy --pid <existing-process-pid>
With --mode tproxy
, there are several differences:
tproxy
enabled on the inbound port. For V2Ray, you"tproxy": "tproxy"
as-u
as shown in shadowsocks manpage.An example setup can be found here.
Note that when you are using the tproxy
mode, you can override the DNS server address
with cproxy --mode tproxy --override-dns <your-dns-server-addr> ...
. This is useful when you want to use a different
DNS server for a specific application.
With cproxy
, you can even proxy an existing process. This is very handy when you want to proxy existing system
services such as docker
. To do this, just run
sudo cproxy --port <destination-local-port> --pid <existing-process-pid>
The target process will be proxied as long as this cproxy
command is running. You can press Ctrl-C to stop proxying.
With cproxy
, you can easily debug a program's traffic in netfilter. Just run the program with
sudo cproxy --mode trace <your-program>
You will be able to see log in dmesg
. Note that this requires a recent enough kernel and iptables.
cproxy
simply creates a unique cgroup
for the proxied program, and redirect its traffic with packet rules.
cproxy
requires root access to modify cgroup
.There are some awesome existing work:
graftcp
also has performance hit on the underlying program, since it uses ptrace
.cgproxy
also uses cgroup to do transparent proxy, and the idea iscproxy
's. There are some differences in UX and system requirements:
cgproxy
requires system cgroup
v2 support, while cproxy
works with both v1 and v2.cgproxy
requires a background daemon process cgproxyd
running, while cproxy
does not.cgproxy
requires tproxy
, which is optional in cproxy
.cgproxy
can be used to do global proxy, while cproxy
does not intended to support global proxy.