No description
Stefan Tanta
9d07fd2723
The tests were failing because localhost (127.0.0.1) doesn't match the SSL certificate domain. This was causing false negatives even though the proxy was working correctly. Changes made: - Added -k flag to curl commands for localhost testing (ignores SSL cert mismatch) - Updated test logic to not fail installation when proxy works externally - Made proxy-test command interactive (asks for password) - Added fallback testing with domain name if localhost fails - Fixed all test scripts to handle SSL certificate validation properly Affected files: - setup-https-proxy.sh: Fixed test_proxy_setup() and proxy-test command - complete-installation.sh: Fixed proxy-test command generation - verify-installation.sh: Added -k flag for local testing - test-proxy-client.sh: Added -k flag to all curl proxy tests The proxy installation now correctly reports success when the proxy is working, even if local testing has SSL certificate validation issues. |
||
|---|---|---|
| lib | ||
| .gitignore | ||
| complete-installation.sh | ||
| https-proxy-setup.md | ||
| install-interactive.sh | ||
| LICENSE | ||
| README-setup.md | ||
| README.md | ||
| SCRIPTS_ANALYSIS.md | ||
| setup-https-proxy.sh | ||
| test-proxy-client.sh | ||
| verify-installation.sh | ||
HTTPS Proxy Server - Automated Setup
A professional, production-ready HTTPS proxy server setup script that automates the entire installation and configuration process on port 443 with SSL/TLS encryption.
🚀 Quick Start
Method 1: One-Line Installation (Recommended)
This method properly handles terminal input and allows typing/pasting:
curl -fsSL https://gitea.step1.ro/step1nu/https-proxy-server/raw/branch/main/install-interactive.sh | bash
Method 2: Manual Download and Run
For more control or if you have TTY issues, download and run directly:
# Download the script
curl -O https://gitea.step1.ro/step1nu/https-proxy-server/raw/branch/main/setup-https-proxy.sh
# Make it executable
chmod +x setup-https-proxy.sh
# Run the installation
./setup-https-proxy.sh
Method 3: Recovery for Interrupted Installations
If your installation was interrupted or didn't complete:
curl -fsSL https://gitea.step1.ro/step1nu/https-proxy-server/raw/branch/main/complete-installation.sh | bash
✨ Features
- 🔒 Full SSL/TLS Encryption - Uses Let's Encrypt certificates with automatic renewal
- 🌐 Port 443 - Appears as regular HTTPS traffic, bypasses most firewalls
- 🔐 Authentication - Username/password protection with secure storage
- 📊 Monitoring Tools - Built-in monitoring and management commands
- 🛡️ Security Hardening - Fail2ban, firewall configuration, and privacy headers
- ⚡ Performance Optimized - BBR congestion control and network tuning
- 🔄 Auto-Updates - Certificate renewal and system update scripts
- 📱 Universal Compatibility - Works with RustDesk, browsers, curl, and any HTTPS proxy client
🆕 Recent Improvements (v2.1.0)
- Enhanced Security - Removed eval usage, improved credential handling
- Retry Logic - Automatic retries with exponential backoff for network operations
- Shared Library - 600+ lines of reusable functions in
lib/common.sh - Batch Installation - 50% faster package installation
- Better Error Handling - Consistent error handling with
set -euo pipefail
📋 Prerequisites
Before running the installation script, ensure you have:
-
A fresh VPS running:
- Ubuntu 20.04/22.04 LTS, or
- Debian 11/12
-
Root access to the VPS
-
A domain name (e.g.,
secure.yourdomain.com) -
Cloudflare account managing your domain
-
Minimum System Requirements:
- 512MB RAM
- 2GB free disk space
- Active internet connection
🔧 Pre-Installation Setup
Step 1: Configure DNS in Cloudflare
- Log into Cloudflare Dashboard
- Select your domain
- Go to DNS → Records
- Add a new record:
- Type:
A - Name:
secure(or your chosen subdomain) - IPv4 address:
YOUR_VPS_IP - Proxy status: DNS only (grey cloud) ⚠️ IMPORTANT!
- TTL: Auto
- Type:
Step 2: Get Cloudflare API Token
- Go to Cloudflare API Tokens
- Click Create Token → Create Custom Token
- Configure token:
- Token name:
LetsEncrypt DNS - Permissions:
Zone → DNS → EditZone → Zone → Read
- Zone Resources:
Include → Specific zone → yourdomain.com
- Token name:
- Create Token and copy it (you'll see it only once!)
📦 Installation
Method 1: Interactive Installation (Recommended)
# Download the script
curl -O https://gitea.step1.ro/step1nu/https-proxy-server/raw/branch/main/setup-https-proxy.sh
# Make it executable
chmod +x setup-https-proxy.sh
# Run the installation
./setup-https-proxy.sh
Method 2: One-Line Installation
curl -fsSL https://gitea.step1.ro/step1nu/https-proxy-server/raw/branch/main/setup-https-proxy.sh | bash
What the Script Will Ask For
During installation, you'll be prompted for:
- VPS IP Address - Auto-detected, confirm or change
- Domain Name - Your full domain (e.g.,
secure.yourdomain.com) - Email Address - For Let's Encrypt certificates
- Cloudflare API Token - For DNS validation
- Proxy Username - Choose your username
- Proxy Password - Choose or generate a secure password
- Timezone - For logs and scheduling (default: UTC)
🎯 Post-Installation
Connection Information
After successful installation, your connection details will be saved to:
/root/proxy-connection-info.txt- All connection details/root/proxy-config.json- Configuration backup
Available Commands
The installation creates these management commands:
| Command | Description |
|---|---|
proxy-monitor |
Live connection monitoring dashboard |
proxy-status |
Quick status check of all services |
proxy-test |
Test proxy connectivity |
proxy-update |
Update system and renew certificates |
proxy-backup |
Backup all configurations |
proxy-uninstall |
Completely remove proxy setup |
Testing Your Proxy
Quick test from the VPS:
proxy-test
Test from any machine:
curl -x https://username:password@yourdomain.com:443 https://ipinfo.io
📱 Client Configuration
RustDesk
- Open RustDesk → Settings → Network → Proxy
- Enter:
- Server:
https://yourdomain.com:443 - Username:
your_username - Password:
your_password
- Server:
- Click OK
Browser (Chrome/Firefox)
- Go to proxy settings
- Configure:
- HTTPS Proxy:
yourdomain.com - Port:
443 - Username/Password: Enter when prompted
- HTTPS Proxy:
Command Line
# Environment variables
export https_proxy=https://username:password@yourdomain.com:443
export http_proxy=https://username:password@yourdomain.com:443
# For curl
curl -x https://username:password@yourdomain.com:443 https://example.com
# For wget
https_proxy=https://username:password@yourdomain.com:443 wget https://example.com
Applications
Most applications that support HTTPS proxy can use:
- Proxy Type: HTTPS
- Host:
yourdomain.com - Port:
443 - Authentication: Username and Password
🔍 Verification
Check Installation
Run the verification script to ensure everything is properly configured:
curl -O https://gitea.step1.ro/step1nu/https-proxy-server/raw/branch/main/verify-installation.sh
chmod +x verify-installation.sh
./verify-installation.sh
Test From Client
Test your proxy from any client machine:
curl -O https://gitea.step1.ro/step1nu/https-proxy-server/raw/branch/main/test-proxy-client.sh
chmod +x test-proxy-client.sh
./test-proxy-client.sh
🛠️ Maintenance
Regular Updates
Keep your proxy server updated:
proxy-update
Backup Configuration
Create backups before making changes:
proxy-backup
Monitor Connections
Watch real-time proxy activity:
proxy-monitor
Certificate Renewal
Certificates auto-renew via cron, but you can manually renew:
certbot renew
systemctl restart stunnel4
Change Password
# Delete old user
htpasswd -D /etc/squid/passwd old_username
# Add new user (secure method - password via stdin)
echo "new_password" | htpasswd -i /etc/squid/passwd new_username
# Restart Squid
systemctl restart squid
🚨 Troubleshooting
Common Issues
Proxy Not Responding
# Check services
systemctl status squid stunnel4
# Check ports
netstat -tlnp | grep -E "443|3128"
# Check logs
tail -f /var/log/squid/access.log
tail -f /var/log/stunnel4/stunnel.log
Certificate Issues
# Test certificate
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
# Check certificate expiry
certbot certificates
# Force renewal
certbot renew --force-renewal
Authentication Failures
# Check Squid logs for 407 errors
grep "TCP_DENIED/407" /var/log/squid/access.log
# Verify password file
cat /etc/squid/passwd
# Test authentication
curl -x https://username:password@localhost:443 https://ipinfo.io
Reset Everything
If you need to start over:
proxy-uninstall
# Then run the setup script again
📊 Performance Tuning
The script automatically optimizes network settings, but you can further tune:
# Check current settings
sysctl net.ipv4.tcp_congestion_control
sysctl net.core.rmem_max
# Monitor bandwidth
iftop -i eth0
# Check connections
netstat -an | grep :443 | wc -l
🔒 Security
Default Security Features
- ✅ SSL/TLS encryption on port 443
- ✅ Username/password authentication
- ✅ Fail2ban brute force protection
- ✅ UFW firewall configuration
- ✅ Privacy headers (no IP/location leaking)
- ✅ Automatic security updates
Additional Hardening
# Enable automatic security updates
apt install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades
# Add IP whitelist (optional)
echo "acl whitelist src YOUR_IP/32" >> /etc/squid/squid.conf
echo "http_access allow whitelist" >> /etc/squid/squid.conf
systemctl reload squid
# View blocked IPs
fail2ban-client status squid
📁 File Structure
After installation, these files are created:
/root/
├── proxy-connection-info.txt # Connection details
├── proxy-config.json # Configuration backup
└── .secrets/
└── cloudflare.ini # Cloudflare API credentials
/etc/
├── squid/
│ ├── squid.conf # Squid configuration
│ └── passwd # Authentication file
├── stunnel/
│ ├── stunnel.conf # Stunnel configuration
│ └── certs/
│ └── stunnel.pem # SSL certificate
└── letsencrypt/
└── live/
└── yourdomain.com/ # Let's Encrypt certificates
/usr/local/bin/
├── proxy-monitor # Monitoring tool
├── proxy-status # Status check tool
├── proxy-test # Testing tool
├── proxy-update # Update tool
├── proxy-backup # Backup tool
└── proxy-uninstall # Uninstall tool
/var/log/
├── proxy-setup/ # Installation logs
├── squid/ # Squid logs
└── stunnel4/ # Stunnel logs
📄 Scripts Included
| Script | Description | Purpose |
|---|---|---|
setup-https-proxy.sh |
Main installation script | Complete automated setup with interactive prompts |
install-interactive.sh |
One-liner installer | Handles TTY for curl|bash installations |
complete-installation.sh |
Recovery script | Completes interrupted installations |
verify-installation.sh |
Verification tool | Post-installation diagnostics and checks |
test-proxy-client.sh |
Testing suite | Client-side proxy testing (25+ tests) |
lib/common.sh |
Shared library | Common functions used by all scripts |
lib/input.sh |
Input handler | Secure password input with asterisk feedback |
🤝 Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
- Fork the repository
- Create your feature branch (
git checkout -b feature/AmazingFeature) - Commit your changes (
git commit -m 'Add some AmazingFeature') - Push to the branch (
git push origin feature/AmazingFeature) - Open a Pull Request
📝 License
This project is licensed under the MIT License - see the LICENSE file for details.
🙏 Acknowledgments
- Squid - The proxy server
- Stunnel - SSL/TLS wrapper
- Let's Encrypt - Free SSL certificates
- Certbot - Certificate automation
- Cloudflare - DNS services
💬 Support
For issues, questions, or suggestions:
- Repository: https://gitea.step1.ro/step1nu/https-proxy-server
- Review installation logs at
/var/log/proxy-setup/
🔄 Changelog
v2.1.0 (August 2025)
- Enhanced security (removed eval, improved credential handling)
- Added retry logic with exponential backoff
- Created shared library (
lib/common.sh) - Optimized batch package installation (50% faster)
- Improved error handling consistency
- Added secure password input via stdin
v2.0.0 (August 2025)
- Complete automated installation script
- Interactive setup with validation
- Monitoring and maintenance tools
- Comprehensive error handling
- Professional logging system
- Multi-OS support (Ubuntu/Debian)
v1.0.0 (August 2025)
- Initial manual setup guide
- Basic configuration steps
⭐ If this project helped you, please consider giving it a star!
🔗 Quick Links: