3proxy - Small Proxy That's Been Around Forever

I started using 3proxy in 2019 when I needed a proxy for development testing and Squid was being a pain in the ass. Turns out 3proxy has been around since 2002 and is BSD licensed, so you can use it commercially without worrying about licensing bullshit.

The main reason I keep using it: it handles HTTP, SOCKS4/5, DNS proxying, and port forwarding in one binary. Most proxy tools either do HTTP well or SOCKS well, but not both. Squid is great for HTTP caching but SOCKS support is nonexistent. HAProxy is amazing for load balancing but it's complex as hell to configure for basic proxy needs.

3proxy just works. Install it, write a basic config, done. No enterprise bloat, no GUI nonsense, just a small C binary that does what you expect.

How It's Actually Built

You get separate binaries (socks, proxy, tcppm, udppm) if you want to run just one service, but honestly the main 3proxy daemon is easier to manage. I tried the separate binaries once to save memory but the difference was like 500KB - not worth the hassle of managing multiple processes.

What Protocols It Doesn't Suck At

Most proxy tools focus on one protocol and half-ass the others. 3proxy actually does them all properly:

• HTTP/1.1 and HTTPS - Works with browsers, curl, whatever. Handles CONNECT method properly for HTTPS tunneling
• SOCKS4/4a/5 - Actually supports UDP with SOCKS5, which a lot of implementations just ignore
• DNS Proxy - Caches DNS responses so you're not hitting 8.8.8.8 for every request like an idiot
• Port forwarding - TCP and UDP forwarding that doesn't randomly die like netcat tends to do
• Legacy protocols - POP3, SMTP, FTP proxying if you're stuck supporting ancient shit

Cross-Platform Bullshit You'll Encounter

3proxy runs on basically everything from Windows 98 to current stuff, which is impressive for a C program. Same config file works on Windows and Linux, unlike nginx where you need different setups for different platforms.

Gotchas I've learned the hard way:

• Windows service install fails silently if you don't run as admin - took me 20 minutes to figure that out
• Ubuntu puts binaries in /usr/local/bin/3proxy but CentOS puts them in /usr/sbin/ because why not
• File paths use forward slashes everywhere, even on Windows. I spent an hour debugging why my log file wasn't working because I used backslashes
• Compilation from source is straightforward on Linux but you need the right Makefile for your distro

Memory Usage That Doesn't Suck

On my VPS, 3proxy uses about 3MB RAM when idle and maybe 12MB handling 200-300 concurrent connections. Total disk footprint is under 5MB including configs and logs.

Compare that to Squid, which happily ate 150MB on the same server just sitting there doing nothing. 3proxy uses threads instead of forking new processes for each connection, so you don't get that memory explosion problem where each connection costs you 2MB of RAM.

Features That Actually Work

3proxy comes with features that would cost you serious money from commercial vendors:

• Access control - Block by user, IP, domain, time of day. ACL syntax is weird but once you get it, you can do complex rules
• Authentication - Plain text passwords, hashed passwords, RADIUS if your company is into that masochism
• Bandwidth limits - Per-user quotas that actually work. Tried this with Squid once and it was a nightmare
• Proxy chaining - Route through multiple proxy hops. Useful for privacy setups or when your network is a mess
• Logging that doesn't suck - Custom formats, syslog integration, even ODBC database logging if you want to make yourself miserable

Config reloads with kill -USR1 work without killing connections, which is great. But if you have syntax errors, the reload fails and you're stuck with the old config. Always test with 3proxy -t first - learned that after accidentally breaking production.

Linux Install - Easier Than Expected

Linux install is actually pretty painless once you know which Makefile to use. The GitHub repo has the source, but there are like 8 different Makefiles and picking the wrong one gives you useless error messages.

Unlike modern projects that need CMake and 47 dependencies, 3proxy just needs basic C libraries and maybe OpenSSL if you want SSL proxy support (which you probably do). Check out the build requirements and installation guide before you start.

git clone https://github.com/3proxy/3proxy
cd 3proxy
ln -s Makefile.Linux Makefile  # or Makefile.Linux-gcc if you get weird errors
make
sudo make install

This dumps binaries in /usr/local/bin/ and configs in /etc/3proxy/. On Ubuntu/Debian, you need build-essential first or it'll fail with "gcc: command not found". The systemd service usually works but different distros put the service file in different places - /lib/systemd/system/ vs /etc/systemd/system/ - because why make things consistent.

Real problems I've hit:

• CentOS 7 needed the older Makefile.Linux-gcc or it wouldn't compile
• Alpine Linux puts everything in weird locations and the Makefile assumes glibc
• Arch users can find packages in AUR but they're usually 6 months behind current release
• SELinux will block the binary from running as a service until you set the right context

Windows - Where Things Get Stupid

Download the pre-built binaries from GitHub releases and extract to C:\3proxy\ or wherever. But first, whitelist that folder in your antivirus or it'll delete the binary 30 seconds after you download it. Windows Defender especially hates proxy software.

3proxy --install

The service install works better than most open source Windows ports, but you MUST run as administrator or it fails silently. Took me an hour to figure that out because there's no error message.

Windows-specific bullshit I've dealt with:

• Antivirus quarantines the binary even after whitelisting sometimes
• Windows firewall blocks it by default - you need to allow the service manually
• sc continue 3proxy reloads config instead of resuming service (wtf Microsoft)
• Windows PATH limit will bite you if you put it in a deeply nested folder
• Some corporate Windows builds have DLL restrictions that break the binary

Config Files That Confuse Everyone

3proxy uses two config files which pissed me off initially but makes sense for security:

• Pre-chroot config (/etc/3proxy/3proxy.cfg) - System settings, user dropping, chroot setup
• Main config (/usr/local/3proxy/conf/3proxy.cfg) - Your actual proxy definitions and rules

The pre-chroot runs before 3proxy locks itself in a chroot jail, so that's where system-level stuff goes. Your actual proxy configs go in the main file. The config docs are scattered across 3 different sites which is annoying as hell.

Config That Won't Make You Cry

Here's what actually works for HTTP and SOCKS with basic auth:

## User with cleartext password - use mycrypt for production
users testuser:CL:testpass
## HTTP proxy on port 3128
proxy -p3128
## SOCKS proxy on port 1080
socks -p1080
## This line is REQUIRED or nobody can connect
allow testuser

Put this in the main config file. The CL means cleartext password - use mycrypt to hash passwords for production. I forgot the allow line on my first setup and spent 30 minutes wondering why connections were getting rejected. Error message was just "access denied" with no explanation.

What I Actually Use It For (And What Others Do)

Corporate Firewall Stuff

My previous company used 3proxy to block employees from wasting time instead of buying some expensive enterprise solution. You can block Facebook during work hours, throttle YouTube bandwidth, and log everything for HR to analyze. The ACL syntax is confusing as fuck though - I spent 2 hours figuring out how to block domains by time of day.

Dev Testing Environment

I run 3proxy locally for testing apps that need different proxy configurations. It's small enough to spin up multiple instances on different ports to test edge cases. Way easier than trying to configure Squid just to test HTTP proxy support in your app.

Privacy Chain Setup

Some people chain 3proxy with other proxies for privacy, though honestly the performance hit makes it barely usable. Each extra hop adds latency and breaks more shit. The IP rotation features help with basic tracking evasion but it's not magic.

Residential Proxy Business

People run 3proxy on Raspberry Pis for residential proxy services because it's light enough to not piss off customers with slow internet. The 4MB binary doesn't eat bandwidth like heavier proxy software would.

Legacy System Hell

If you're stuck with ancient systems that only do SOCKSv4 and need to talk to modern HTTPS services, 3proxy can bridge that gap. Saved my ass when dealing with a 15-year-old industrial control system that couldn't be updated.

Performance Numbers That Matter

On my VPS (2 CPU cores, 4GB RAM), 3proxy handles about 800-1000 concurrent connections before hitting file descriptor limits. Default settings cap out around 1024 connections and then just start refusing new ones. The performance tuning docs have the actual parameters but expect to spend a few hours getting it right.

Linux splice mode reduces CPU usage for high-bandwidth transfers, but I've had it randomly drop connections when using content filtering. If you get weird connection drops, disable splice with -s0 - performance drops about 10% but it's more reliable.