HTTPS Proxy Server - Automated Setup
A professional, production-ready HTTPS proxy server setup script that automates the entire installation and configuration process on port 443 with SSL/TLS encryption. Designed for VPS provisioning — run it once on a fresh machine and everything is configured.
🚀 Quick Start
Method 1: One-Line Installation (Recommended)
curl -fsSL https://git.step1.ro/stanta/https-proxy-server/raw/branch/main/install-interactive.sh | bash
This executes a remote script as root without a chance to review it; if that is not acceptable in your environment, use Method 2 and read the script before running it.
Method 2: Manual Download and Run
curl -O https://git.step1.ro/stanta/https-proxy-server/raw/branch/main/setup-https-proxy.sh
chmod +x setup-https-proxy.sh
./setup-https-proxy.sh
Method 3: Non-Interactive (cloud-init / Terraform / automation)
Pass all inputs as environment variables — no prompts at all. Secrets supplied on the command line as below end up in the shell history; in automation, export them from a root-only (mode 0600) file instead:
PROXY_DOMAIN=proxy.example.com \
PROXY_EMAIL=you@example.com \
CF_API_TOKEN=your_cloudflare_token \
PROXY_USER=myuser \
PROXY_PASS=mysecurepassword \
./setup-https-proxy.sh
Optional env vars:
| Variable | Default | Description |
|---|---|---|
| PROXY_IP | auto-detected | VPS IPv4 address |
| PROXY_TIMEZONE | UTC | Timezone for logs |
| PROXY_ALLOWLIST_IPS | (none) | Comma-separated IPs/CIDRs to restrict access |
Method 4: Recovery for Interrupted Installations
curl -fsSL https://git.step1.ro/stanta/https-proxy-server/raw/branch/main/complete-installation.sh | bash
✨ Features
- 🔒 Full SSL/TLS Encryption — Let's Encrypt certificates with automatic renewal
- 🌐 Port 443 — On the wire it is an ordinary TLS session to port 443, so it passes egress filters that allow regular HTTPS
- 🔐 Authentication — Username/password protection with secure storage
- 👥 Multi-User Management — Add, remove, and change passwords with proxy-user
- 🌍 IP Allowlist — Optionally restrict access to specific source IPs/CIDRs
- 📊 Monitoring Tools — Built-in monitoring and management commands
- 🛡️ Security Hardening — Fail2ban, UFW firewall, privacy headers, auto security updates
- ⚡ Performance Optimized — BBR congestion control and network tuning
- 🔄 Auto-Restart — Systemd watchdogs restart services automatically on crash
- 📋 Log Rotation — 14-day daily rotation for all proxy logs
- 💾 Swap Management — Automatically creates swap if none exists
- 🔁 Idempotent — Safe to re-run; detects existing installs and offers reconfigure/exit
- 🤖 Non-Interactive Mode — Fully automated via environment variables
📋 Prerequisites
Before running the installation script, ensure you have:
- A fresh VPS running Ubuntu 20.04/22.04 LTS or Debian 11/12
- Root access to the VPS
- A domain name managed by Cloudflare (e.g., proxy.yourdomain.com)
- Minimum: 512MB RAM, 2GB free disk space, internet connectivity
🔧 Pre-Installation Setup
Step 1: Configure DNS in Cloudflare
- Log into Cloudflare Dashboard
- Select your domain → DNS → Records
- Add a new record:
  - Type: A
  - Name: proxy (or your chosen subdomain)
  - IPv4 address: YOUR_VPS_IP
  - Proxy status: DNS only (grey cloud) ⚠️ IMPORTANT — do NOT enable the orange proxy. Cloudflare's reverse proxy terminates TLS itself and only forwards ordinary web requests, so proxy connections cannot pass through it; clients must reach the VPS directly.
  - TTL: Auto
Step 2: Get Cloudflare API Token
- Go to Cloudflare API Tokens
- Click Create Token → Create Custom Token
- Set permissions:
  - Zone → DNS → Edit
  - Zone → Zone → Read
- Set zone resources: Include → Specific zone → yourdomain.com
- Create Token and copy it (shown only once)
📦 Installation
What the Script Will Ask For
During interactive installation, you'll be prompted for:
- VPS IP Address — auto-detected, confirm or override
- Domain Name — your full domain (e.g., proxy.yourdomain.com)
- Email Address — for Let's Encrypt certificates
- Cloudflare API Token — for DNS validation
- Proxy Username — alphanumeric, hyphens, underscores
- Proxy Password — enter custom or generate a random one
- IP Allowlist — optional, comma-separated IPs/CIDRs (leave blank to allow any)
- Timezone — for logs and scheduling (default: UTC)
What Gets Installed Automatically
| Component | Purpose |
|---|---|
| Squid | HTTP/HTTPS proxy engine |
| Stunnel | Wraps Squid in TLS on port 443 |
| Certbot + Cloudflare plugin | Obtains and renews Let's Encrypt certs |
| Fail2ban | Blocks brute-force attempts |
| UFW | Firewall — only ports 22 and 443 open |
| unattended-upgrades | Automatic security patches |
| Swap file (1GB) | Created if no swap exists |
🎯 Post-Installation
Connection Details
After installation, your credentials are saved to:
- /root/proxy-connection-info.txt — all connection strings
- /root/proxy-config.json — machine-readable config
Both files contain the proxy password in plain text; keep them readable by root only.
Management Commands
| Command | Description |
|---|---|
| proxy-monitor | Live connection monitoring dashboard |
| proxy-status | Quick status check of all services |
| proxy-logs [N] | Pretty-print last N access log entries (default: 50) |
| proxy-test | Test proxy connectivity interactively |
| proxy-user | Manage proxy users (see below) |
| proxy-update | Update system packages and renew certificates |
| proxy-renew-cert | Force immediate SSL certificate renewal |
| proxy-backup | Backup all configurations |
| proxy-uninstall | Completely remove proxy setup |
Managing Proxy Users
proxy-user list # list all users
proxy-user add alice # add a new user
proxy-user passwd alice # change alice's password
proxy-user remove alice # remove alice
Testing Your Proxy
Quick test from the VPS:
proxy-test
Test from any machine (curl must be built with HTTPS-proxy support, shown as HTTPS-proxy in the Features line of curl --version; otherwise curl rejects the https:// proxy scheme):
curl -x https://username:password@proxy.yourdomain.com:443 https://ipinfo.io
View recent access logs (pretty-printed):
proxy-logs 100
📱 Client Configuration
Browser (Chrome/Firefox)
The "HTTPS Proxy" field in the Firefox and Chrome settings dialogs means "the proxy used for https:// URLs" and is spoken to in plain HTTP, so pointing it at port 443 does not work with this setup (stunnel expects a TLS handshake). To make the browser open a TLS connection to the proxy:
- Firefox: use a PAC file (Settings → Network Settings → Automatic proxy configuration URL) whose FindProxyForURL returns "HTTPS proxy.yourdomain.com:443"
- Chrome: start it with --proxy-server="https://proxy.yourdomain.com:443", or use the same PAC file
- Enter username/password when prompted
Command Line
# Environment variables
export https_proxy=https://username:password@proxy.yourdomain.com:443
export http_proxy=https://username:password@proxy.yourdomain.com:443
# Single curl request
curl -x https://username:password@proxy.yourdomain.com:443 https://example.com
# wget
https_proxy=https://username:password@proxy.yourdomain.com:443 wget https://example.com
Any HTTPS Proxy Client
- Proxy Type: HTTPS (TLS to the proxy itself, not "HTTP proxy for HTTPS sites")
- Host: proxy.yourdomain.com
- Port: 443
- Authentication: Username and Password
🔒 Security
Built-In Security Features
- ✅ SSL/TLS encryption on port 443
- ✅ Username/password authentication
- ✅ Fail2ban brute-force protection (5 failed attempts → 1h ban)
- ✅ UFW firewall (ports 22 and 443 only)
- ✅ Privacy headers — no client IP leaking (via off, forwarded_for delete)
- ✅ Automatic security-only package updates
- ✅ Optional IP allowlist on top of credentials
Recommended: SSH Hardening
The script does not automate SSH hardening to avoid lockouts, but it prints a step-by-step guide at the end. The short version:
- Copy your SSH public key to the server from your local machine:
ssh-copy-id root@YOUR_VPS_IP
- Verify key login works in a new terminal before proceeding.
- Then on the VPS (sshd -t validates the config before the reload):
sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
sshd -t && systemctl reload sshd
⚠️ Only run step 3 after confirming step 2 works — otherwise you will lock yourself out.
Also check /etc/ssh/sshd_config.d/ on Ubuntu cloud images: drop-ins there (for example 50-cloud-init.conf, which sets PasswordAuthentication yes) are included at the top of sshd_config, and sshd keeps the first value it reads for each keyword, so the sed above may not change the effective setting. Confirm with sshd -T | grep -iE 'passwordauthentication|permitrootlogin'.
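The following shell script is an added example, not one of the project's scripts, showing why that sed can silently fail and how to harden in a way that survives it. sshd expands an Include at the point where it appears and keeps the first value it sees for each keyword; Ubuntu's sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, and cloud-init drops 50-cloud-init.conf there with PasswordAuthentication yes, so editing the main file leaves password login enabled. The script builds a constructed copy of that layout in a temporary directory (no root needed), resolves the effective value with the same first-match rule, then writes a 00-hardening.conf drop-in that sorts before cloud-init's and therefore wins. The fixture contents and the function names are the example's own assumptions; on a real host the authoritative check remains sshd -T.

```shell
#!/bin/sh
# Added example, not part of the https-proxy-server project.
# Emulates sshd's "first occurrence wins" keyword resolution across Include
# files, then hardens via a drop-in that sorts before cloud-init's.
set -eu

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# sshd_effective <Keyword> <config-file>
# Walk the file in order, expanding Include globs in place (relative paths are
# resolved against the config file's directory here; real sshd uses /etc/ssh).
# Prints the first value found and returns 0, or returns 1 if the keyword is
# unset. Match blocks are not modelled: use `sshd -T` on a real host.
sshd_effective() {
  want=$(lower "$1"); cfg=$2; dir=$(dirname "$cfg")
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                  # drop comments
    set -f; set -- $line; set +f      # split on whitespace without globbing
    [ $# -ge 2 ] || continue
    key=$(lower "$1"); val=$2
    if [ "$key" = include ]; then
      case $val in /*) pat=$val ;; *) pat="$dir/$val" ;; esac
      for f in $pat; do               # glob expands in sorted order, like glob(3)
        [ -f "$f" ] || continue
        if r=$(sshd_effective "$want" "$f"); then printf '%s\n' "$r"; return 0; fi
      done
    elif [ "$key" = "$want" ]; then
      printf '%s\n' "$val"; return 0
    fi
  done < "$cfg"
  return 1
}

# make_fixture <dir>: constructed Ubuntu-22.04-style layout. The main file says
# PasswordAuthentication no (as after the README's sed), yet cloud-init's
# drop-in is included first, so the effective value is still "yes".
make_fixture() {
  mkdir -p "$1/sshd_config.d"
  printf '%s\n' 'Include sshd_config.d/*.conf' \
                'PasswordAuthentication no' \
                'PermitRootLogin yes' > "$1/sshd_config"
  printf '%s\n' 'PasswordAuthentication yes' > "$1/sshd_config.d/50-cloud-init.conf"
}

# harden_sshd <config-dir>: write a drop-in that sorts before 50-cloud-init.conf
# instead of editing sshd_config in place, then verify the effective values.
# KbdInteractiveAuthentication is set too, because PAM's keyboard-interactive
# method can still accept a password when only PasswordAuthentication is off.
harden_sshd() {
  d=$1
  mkdir -p "$d/sshd_config.d"
  printf '%s\n' 'PasswordAuthentication no' \
                'KbdInteractiveAuthentication no' \
                'PermitRootLogin prohibit-password' > "$d/sshd_config.d/00-hardening.conf"
  [ "$(sshd_effective PasswordAuthentication "$d/sshd_config")" = no ] &&
  [ "$(sshd_effective PermitRootLogin "$d/sshd_config")" = prohibit-password ]
}

# Demo against the constructed layout (safe to run as an unprivileged user).
tmp=$(mktemp -d)
make_fixture "$tmp"
printf 'before: PasswordAuthentication=%s\n' "$(sshd_effective PasswordAuthentication "$tmp/sshd_config")"
harden_sshd "$tmp"
printf 'after:  PasswordAuthentication=%s\n' "$(sshd_effective PasswordAuthentication "$tmp/sshd_config")"
rm -rf "$tmp"
```

To apply the same idea on the VPS, write the drop-in under /etc/ssh/sshd_config.d/ with a name that sorts first, run sshd -t, and only then reload; the pattern also survives cloud-init rewriting its own file on the next boot.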
🛠️ Maintenance
# Update system and renew certificates
proxy-update
# Force immediate cert renewal (e.g. cert approaching expiry)
proxy-renew-cert
# Backup before making changes
proxy-backup
# Live connection dashboard
proxy-monitor
# View access logs
proxy-logs 50
tail -f /var/log/squid/access.log
Certificates auto-renew via cron at 02:00 and 14:00 daily.
🚨 Troubleshooting
Proxy Not Responding
# Check services
systemctl status squid stunnel4
# Check ports (netstat comes from net-tools, which recent Debian/Ubuntu no longer install by default; ss is always present)
ss -tlnp | grep -E ':443|:3128'
# Check logs
tail -f /var/log/squid/access.log
tail -f /var/log/stunnel4/stunnel.log
Certificate Issues
# Check certificate status
certbot certificates
# Force renewal
proxy-renew-cert
# Manual test: confirm the handshake succeeds and check which certificate is actually served and when it expires
openssl s_client -connect proxy.yourdomain.com:443 -servername proxy.yourdomain.com </dev/null | openssl x509 -noout -subject -dates
Authentication Failures
# Check for 407 errors
grep "TCP_DENIED/407" /var/log/squid/access.log
# List current users
proxy-user list
# Reset a user's password
proxy-user passwd username
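As an added example (not from the project), the following shell snippet runs the 407 check above over a few constructed Squid native-format access.log lines and reports clients that crossed a failure threshold, which is the same signal a "5 failed attempts → ban" rule keys on; a second function tallies completed CONNECT tunnels per authenticated user, useful once several proxy-user accounts exist. Field positions follow Squid's default native log format (client address is field 3, result code field 4, user field 8); the log lines are constructed for the example. One check before trusting the per-IP count on this setup: because clients reach Squid through stunnel, look at what the client column actually contains on your host; if it is the loopback address, the source address has to be taken from stunnel's log instead.

```shell
#!/bin/sh
# Added example, not part of the https-proxy-server project.
# Summarise Squid native access.log lines: who is failing proxy auth, and
# which authenticated users are actually tunnelling.
set -eu

# Constructed sample lines (not from a real host). Native format:
# timestamp elapsed client code/status bytes method URL user hierarchy/from type
SAMPLE_LOG=$(cat <<'EOF'
1711000001.101    12 203.0.113.5 TCP_DENIED/407 3900 CONNECT ipinfo.io:443 - HIER_NONE/- text/html
1711000002.202    11 203.0.113.5 TCP_DENIED/407 3900 CONNECT ipinfo.io:443 - HIER_NONE/- text/html
1711000003.303    10 203.0.113.5 TCP_DENIED/407 3900 CONNECT ipinfo.io:443 - HIER_NONE/- text/html
1711000004.404    13 203.0.113.5 TCP_DENIED/407 3900 CONNECT ipinfo.io:443 - HIER_NONE/- text/html
1711000005.505    14 203.0.113.5 TCP_DENIED/407 3900 CONNECT ipinfo.io:443 - HIER_NONE/- text/html
1711000006.606   420 198.51.100.7 TCP_TUNNEL/200 51234 CONNECT example.com:443 alice HIER_DIRECT/93.184.216.34 -
1711000007.707    12 198.51.100.7 TCP_DENIED/407 3900 CONNECT example.com:443 - HIER_NONE/- text/html
EOF
)

# auth_failures_by_ip <threshold> [file]
# Prints "count ip" for every client with at least <threshold> 407 responses,
# worst offender first. Reads stdin when no file is given. A single 407 per
# connection is normal for clients that only send credentials after a
# challenge, which is why a threshold (not "any 407") is the right alarm.
auth_failures_by_ip() {
  awk -v thr="$1" '
    $4 == "TCP_DENIED/407" { n[$3]++ }
    END { for (ip in n) if (n[ip] >= thr) printf "%d %s\n", n[ip], ip }
  ' "${2:-/dev/stdin}" | sort -rn
}

# tunnels_by_user [file]
# Prints "count user" for completed CONNECT tunnels (TCP_TUNNEL/200), which is
# the per-account usage the htpasswd file alone cannot tell you.
tunnels_by_user() {
  awk '
    $4 == "TCP_TUNNEL/200" && $8 != "-" { n[$8]++ }
    END { for (u in n) printf "%d %s\n", n[u], u }
  ' "${1:-/dev/stdin}" | sort -rn
}

# Demo over the constructed sample; on a VPS point it at /var/log/squid/access.log.
echo "clients with >= 5 auth failures:"
printf '%s\n' "$SAMPLE_LOG" | auth_failures_by_ip 5
echo "tunnels per user:"
printf '%s\n' "$SAMPLE_LOG" | tunnels_by_user
```

On a live host run auth_failures_by_ip 5 /var/log/squid/access.log and compare the result with fail2ban-client status (the jail name the installer uses is recorded in the installation logs under /var/log/proxy-setup/); any address the script lists that fail2ban has not banned is worth a look.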
Reset Everything
proxy-uninstall
# Then re-run setup
./setup-https-proxy.sh
📊 Performance Tuning
The script automatically configures BBR congestion control and network buffers. To check or further tune:
sysctl net.ipv4.tcp_congestion_control # should show: bbr
sysctl net.core.rmem_max
# Monitor bandwidth (iftop is not installed by default; substitute your interface name for eth0)
iftop -i eth0
# Count established client connections on 443 (ss replaces netstat, which recent Debian/Ubuntu do not ship by default)
ss -Htn state established '( sport = :443 )' | wc -l
📁 File Structure
/root/
├── proxy-connection-info.txt # Connection details and credentials
├── proxy-config.json # Machine-readable config
├── proxy-backups/ # Backups created by proxy-backup
└── .secrets/
└── cloudflare.ini # Cloudflare API token
/etc/
├── squid/
│ ├── squid.conf # Squid configuration
│ └── passwd # htpasswd authentication file
├── stunnel/
│ ├── stunnel.conf # Stunnel configuration
│ └── certs/stunnel.pem # Combined SSL certificate
├── letsencrypt/live/<domain>/ # Let's Encrypt certificates
├── logrotate.d/proxy-server # Log rotation config
└── systemd/system/
├── squid.service.d/ # Watchdog drop-in (Restart=always)
├── stunnel4.service.d/ # Watchdog drop-in
└── fail2ban.service.d/ # Watchdog drop-in
/usr/local/bin/
├── proxy-monitor # Live monitoring dashboard
├── proxy-status # Status check
├── proxy-logs # Pretty-printed access log viewer
├── proxy-test # Connectivity test
├── proxy-user # User management
├── proxy-update # System + cert update
├── proxy-renew-cert # Force cert renewal
├── proxy-backup # Configuration backup
└── proxy-uninstall # Full removal
/var/log/
├── proxy-setup/ # Installation logs
├── squid/ # Access and cache logs (rotated 14d)
└── stunnel4/ # Stunnel logs (rotated 14d)
📄 Scripts Included
| Script | Description |
|---|---|
| setup-https-proxy.sh | Main installation script |
| install-interactive.sh | One-liner installer (handles TTY for curl|bash) |
| complete-installation.sh | Recovery for interrupted installations |
| verify-installation.sh | Post-installation diagnostics |
| test-proxy-client.sh | Client-side proxy testing suite |
| lib/common.sh | Shared utility functions |
| lib/input.sh | Secure password input with asterisk feedback |
🤝 Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
- Fork the repository
- Create your feature branch (git checkout -b feature/AmazingFeature)
- Commit your changes
- Push to the branch
- Open a Pull Request
📝 License
This project is licensed under the MIT License — see the LICENSE file for details.
🙏 Acknowledgments
- Squid — The proxy server
- Stunnel — SSL/TLS wrapper
- Let's Encrypt — Free SSL certificates
- Certbot — Certificate automation
- Cloudflare — DNS services
💬 Support
For issues, questions, or suggestions:
- Repository: https://git.step1.ro/stanta/https-proxy-server
- Installation logs:
/var/log/proxy-setup/
🔄 Changelog
v3.0.0 (March 2026)
- Non-interactive mode via environment variables (for automation/cloud-init)
- Idempotency: detects existing installs, offers reconfigure or exit
- Swap file auto-creation (1GB) if no swap present
- Automatic security updates via unattended-upgrades
- Systemd watchdog drop-ins for auto-restart on crash
- Log rotation: 14-day daily rotation for all proxy logs
- Multi-user management via proxy-user command
- IP allowlist: restrict proxy to specific source IPs/CIDRs
- DNS validation before calling certbot (fail fast with clear error)
- proxy-logs — pretty-printed access log viewer
- proxy-renew-cert — manual certificate renewal command
- SSH hardening shown as post-install recommendation with tutorial
- Fixed OS version display in installation summary
v2.1.0 (August 2025)
- Enhanced security (removed eval, improved credential handling)
- Added retry logic with exponential backoff
- Created shared library (lib/common.sh)
- Optimized batch package installation
- Improved error handling consistency
v2.0.0 (August 2025)
- Complete automated installation script
- Interactive setup with validation
- Monitoring and maintenance tools
- Comprehensive error handling and logging
v1.0.0 (August 2025)
- Initial release
⭐ If this project helped you, please consider giving it a star!
🔗 Quick Links: