No description
Find a file
Stefan Tanta ceeefaa782 Fix certbot-dns-cloudflare install failing on PEP 668 systems
Try apt package first, then pip, then pip --break-system-packages
to handle modern Debian/Ubuntu which blocks bare pip3 installs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 17:07:11 +01:00
lib Fix internet connectivity check for IPv6-enabled systems 2025-08-09 17:55:15 +02:00
.gitignore Complete HTTPS proxy automated setup package 2025-08-09 16:37:16 +02:00
complete-installation.sh Fix proxy test failures due to SSL certificate mismatch on localhost 2025-08-09 18:39:01 +02:00
https-proxy-setup.md Update dates and copyright to 2025 2025-08-09 17:17:10 +02:00
install-interactive.sh Update repository URLs to new Gitea instance and username 2026-03-20 00:51:12 +01:00
LICENSE Update dates and copyright to 2025 2025-08-09 17:17:10 +02:00
README-setup.md Fix interactive input issue when script is piped 2025-08-09 17:21:03 +02:00
README.md Update README for v3.0.0 2026-03-20 01:37:01 +01:00
SCRIPTS_ANALYSIS.md Clean up redundant scripts and improve documentation 2025-08-09 18:13:30 +02:00
setup-https-proxy.sh Fix certbot-dns-cloudflare install failing on PEP 668 systems 2026-03-20 17:07:11 +01:00
test-proxy-client.sh Fix proxy test failures due to SSL certificate mismatch on localhost 2025-08-09 18:39:01 +02:00
verify-installation.sh Fix proxy test failures due to SSL certificate mismatch on localhost 2025-08-09 18:39:01 +02:00

HTTPS Proxy Server - Automated Setup

License: MIT Ubuntu Debian

A professional, production-ready HTTPS proxy server setup script that automates the entire installation and configuration process on port 443 with SSL/TLS encryption. Designed for VPS provisioning — run it once on a fresh machine and everything is configured.

🚀 Quick Start

curl -fsSL https://git.step1.ro/stanta/https-proxy-server/raw/branch/main/install-interactive.sh | bash

Method 2: Manual Download and Run

curl -O https://git.step1.ro/stanta/https-proxy-server/raw/branch/main/setup-https-proxy.sh
chmod +x setup-https-proxy.sh
./setup-https-proxy.sh

Method 3: Non-Interactive (cloud-init / Terraform / automation)

Pass all inputs as environment variables — no prompts at all:

PROXY_DOMAIN=proxy.example.com \
PROXY_EMAIL=you@example.com \
CF_API_TOKEN=your_cloudflare_token \
PROXY_USER=myuser \
PROXY_PASS=mysecurepassword \
./setup-https-proxy.sh

Optional env vars:

Variable Default Description
PROXY_IP auto-detected VPS IPv4 address
PROXY_TIMEZONE UTC Timezone for logs
PROXY_ALLOWLIST_IPS (none) Comma-separated IPs/CIDRs to restrict access

Method 4: Recovery for Interrupted Installations

curl -fsSL https://git.step1.ro/stanta/https-proxy-server/raw/branch/main/complete-installation.sh | bash

Features

  • 🔒 Full SSL/TLS Encryption — Let's Encrypt certificates with automatic renewal
  • 🌐 Port 443 — Appears as regular HTTPS traffic, bypasses most firewalls
  • 🔐 Authentication — Username/password protection with secure storage
  • 👥 Multi-User Management — Add, remove, and change passwords with proxy-user
  • 🌍 IP Allowlist — Optionally restrict access to specific source IPs/CIDRs
  • 📊 Monitoring Tools — Built-in monitoring and management commands
  • 🛡️ Security Hardening — Fail2ban, UFW firewall, privacy headers, auto security updates
  • Performance Optimized — BBR congestion control and network tuning
  • 🔄 Auto-Restart — Systemd watchdogs restart services automatically on crash
  • 📋 Log Rotation — 14-day daily rotation for all proxy logs
  • 💾 Swap Management — Automatically creates swap if none exists
  • 🔁 Idempotent — Safe to re-run; detects existing installs and offers reconfigure/exit
  • 🤖 Non-Interactive Mode — Fully automated via environment variables

📋 Prerequisites

Before running the installation script, ensure you have:

  1. A fresh VPS running Ubuntu 20.04/22.04 LTS or Debian 11/12
  2. Root access to the VPS
  3. A domain name managed by Cloudflare (e.g., proxy.yourdomain.com)
  4. Minimum: 512MB RAM, 2GB free disk space, internet connectivity

🔧 Pre-Installation Setup

Step 1: Configure DNS in Cloudflare

  1. Log into Cloudflare Dashboard
  2. Select your domain → DNSRecords
  3. Add a new record:
    • Type: A
    • Name: proxy (or your chosen subdomain)
    • IPv4 address: YOUR_VPS_IP
    • Proxy status: DNS only (grey cloud) ⚠️ IMPORTANT — do NOT enable the orange proxy
    • TTL: Auto

Step 2: Get Cloudflare API Token

  1. Go to Cloudflare API Tokens
  2. Click Create TokenCreate Custom Token
  3. Set permissions:
    • Zone → DNS → Edit
    • Zone → Zone → Read
  4. Set zone resources: Include → Specific zone → yourdomain.com
  5. Create Token and copy it (shown only once)

📦 Installation

What the Script Will Ask For

During interactive installation, you'll be prompted for:

  1. VPS IP Address — auto-detected, confirm or override
  2. Domain Name — your full domain (e.g., proxy.yourdomain.com)
  3. Email Address — for Let's Encrypt certificates
  4. Cloudflare API Token — for DNS validation
  5. Proxy Username — alphanumeric, hyphens, underscores
  6. Proxy Password — enter custom or generate a random one
  7. IP Allowlist — optional, comma-separated IPs/CIDRs (leave blank to allow any)
  8. Timezone — for logs and scheduling (default: UTC)

What Gets Installed Automatically

Component Purpose
Squid HTTP/HTTPS proxy engine
Stunnel Wraps Squid in TLS on port 443
Certbot + Cloudflare plugin Obtains and renews Let's Encrypt certs
Fail2ban Blocks brute-force attempts
UFW Firewall — only ports 22 and 443 open
unattended-upgrades Automatic security patches
Swap file (1GB) Created if no swap exists

🎯 Post-Installation

Connection Details

After installation, your credentials are saved to:

  • /root/proxy-connection-info.txt — all connection strings
  • /root/proxy-config.json — machine-readable config

Management Commands

Command Description
proxy-monitor Live connection monitoring dashboard
proxy-status Quick status check of all services
proxy-logs [N] Pretty-print last N access log entries (default: 50)
proxy-test Test proxy connectivity interactively
proxy-user Manage proxy users (see below)
proxy-update Update system packages and renew certificates
proxy-renew-cert Force immediate SSL certificate renewal
proxy-backup Backup all configurations
proxy-uninstall Completely remove proxy setup

Managing Proxy Users

proxy-user list                  # list all users
proxy-user add alice             # add a new user
proxy-user passwd alice          # change alice's password
proxy-user remove alice          # remove alice

Testing Your Proxy

Quick test from the VPS:

proxy-test

Test from any machine:

curl -x https://username:password@proxy.yourdomain.com:443 https://ipinfo.io

View recent access logs (pretty-printed):

proxy-logs 100

📱 Client Configuration

Browser (Chrome/Firefox)

  1. Go to proxy settings
  2. Configure:
    • HTTPS Proxy: proxy.yourdomain.com
    • Port: 443
    • Enter username/password when prompted

Command Line

# Environment variables
export https_proxy=https://username:password@proxy.yourdomain.com:443
export http_proxy=https://username:password@proxy.yourdomain.com:443

# Single curl request
curl -x https://username:password@proxy.yourdomain.com:443 https://example.com

# wget
https_proxy=https://username:password@proxy.yourdomain.com:443 wget https://example.com

Any HTTPS Proxy Client

  • Proxy Type: HTTPS
  • Host: proxy.yourdomain.com
  • Port: 443
  • Authentication: Username and Password

🔒 Security

Built-In Security Features

  • SSL/TLS encryption on port 443
  • Username/password authentication
  • Fail2ban brute-force protection (5 failed attempts → 1h ban)
  • UFW firewall (ports 22 and 443 only)
  • Privacy headers — no client IP leaking (via off, forwarded_for delete)
  • Automatic security-only package updates
  • Optional IP allowlist on top of credentials

The script does not automate SSH hardening to avoid lockouts, but it prints a step-by-step guide at the end. The short version:

  1. Copy your SSH public key to the server from your local machine:
    ssh-copy-id root@YOUR_VPS_IP
    
  2. Verify key login works in a new terminal before proceeding.
  3. Then on the VPS:
    sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
    sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
    systemctl reload sshd
    

⚠️ Only run step 3 after confirming step 2 works — otherwise you will lock yourself out.

🛠️ Maintenance

# Update system and renew certificates
proxy-update

# Force immediate cert renewal (e.g. cert approaching expiry)
proxy-renew-cert

# Backup before making changes
proxy-backup

# Live connection dashboard
proxy-monitor

# View access logs
proxy-logs 50
tail -f /var/log/squid/access.log

Certificates auto-renew via cron at 02:00 and 14:00 daily.

🚨 Troubleshooting

Proxy Not Responding

# Check services
systemctl status squid stunnel4

# Check ports
netstat -tlnp | grep -E "443|3128"

# Check logs
tail -f /var/log/squid/access.log
tail -f /var/log/stunnel4/stunnel.log

Certificate Issues

# Check certificate status
certbot certificates

# Force renewal
proxy-renew-cert

# Manual test
openssl s_client -connect proxy.yourdomain.com:443 -servername proxy.yourdomain.com

Authentication Failures

# Check for 407 errors
grep "TCP_DENIED/407" /var/log/squid/access.log

# List current users
proxy-user list

# Reset a user's password
proxy-user passwd username

Reset Everything

proxy-uninstall
# Then re-run setup
./setup-https-proxy.sh

📊 Performance Tuning

The script automatically configures BBR congestion control and network buffers. To check or further tune:

sysctl net.ipv4.tcp_congestion_control   # should show: bbr
sysctl net.core.rmem_max

# Monitor bandwidth
iftop -i eth0

# Count active connections
netstat -an | grep :443 | grep ESTABLISHED | wc -l

📁 File Structure

/root/
├── proxy-connection-info.txt    # Connection details and credentials
├── proxy-config.json            # Machine-readable config
├── proxy-backups/               # Backups created by proxy-backup
└── .secrets/
    └── cloudflare.ini           # Cloudflare API token

/etc/
├── squid/
│   ├── squid.conf               # Squid configuration
│   └── passwd                   # htpasswd authentication file
├── stunnel/
│   ├── stunnel.conf             # Stunnel configuration
│   └── certs/stunnel.pem        # Combined SSL certificate
├── letsencrypt/live/<domain>/   # Let's Encrypt certificates
├── logrotate.d/proxy-server     # Log rotation config
└── systemd/system/
    ├── squid.service.d/         # Watchdog drop-in (Restart=always)
    ├── stunnel4.service.d/      # Watchdog drop-in
    └── fail2ban.service.d/      # Watchdog drop-in

/usr/local/bin/
├── proxy-monitor                # Live monitoring dashboard
├── proxy-status                 # Status check
├── proxy-logs                   # Pretty-printed access log viewer
├── proxy-test                   # Connectivity test
├── proxy-user                   # User management
├── proxy-update                 # System + cert update
├── proxy-renew-cert             # Force cert renewal
├── proxy-backup                 # Configuration backup
└── proxy-uninstall              # Full removal

/var/log/
├── proxy-setup/                 # Installation logs
├── squid/                       # Access and cache logs (rotated 14d)
└── stunnel4/                    # Stunnel logs (rotated 14d)

📄 Scripts Included

Script Description
setup-https-proxy.sh Main installation script
install-interactive.sh One-liner installer (handles TTY for curl|bash)
complete-installation.sh Recovery for interrupted installations
verify-installation.sh Post-installation diagnostics
test-proxy-client.sh Client-side proxy testing suite
lib/common.sh Shared utility functions
lib/input.sh Secure password input with asterisk feedback

🤝 Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

  1. Fork the repository
  2. Create your feature branch (git checkout -b feature/AmazingFeature)
  3. Commit your changes
  4. Push to the branch
  5. Open a Pull Request

📝 License

This project is licensed under the MIT License — see the LICENSE file for details.

🙏 Acknowledgments

💬 Support

For issues, questions, or suggestions:

🔄 Changelog

v3.0.0 (March 2026)

  • Non-interactive mode via environment variables (for automation/cloud-init)
  • Idempotency: detects existing installs, offers reconfigure or exit
  • Swap file auto-creation (1GB) if no swap present
  • Automatic security updates via unattended-upgrades
  • Systemd watchdog drop-ins for auto-restart on crash
  • Log rotation: 14-day daily rotation for all proxy logs
  • Multi-user management via proxy-user command
  • IP allowlist: restrict proxy to specific source IPs/CIDRs
  • DNS validation before calling certbot (fail fast with clear error)
  • proxy-logs — pretty-printed access log viewer
  • proxy-renew-cert — manual certificate renewal command
  • SSH hardening shown as post-install recommendation with tutorial
  • Fixed OS version display in installation summary

v2.1.0 (August 2025)

  • Enhanced security (removed eval, improved credential handling)
  • Added retry logic with exponential backoff
  • Created shared library (lib/common.sh)
  • Optimized batch package installation
  • Improved error handling consistency

v2.0.0 (August 2025)

  • Complete automated installation script
  • Interactive setup with validation
  • Monitoring and maintenance tools
  • Comprehensive error handling and logging

v1.0.0 (August 2025)

  • Initial release

If this project helped you, please consider giving it a star!

🔗 Quick Links: