tlspr - Man Page

SNI proxy gateway service

Synopsis

tlspr [-d][-a] [-l[[@]logfile]] [-plistening_port] [-Pdestination_port] [-ctls_check_level] [-iinternal_ip] [-eexternal_ip]

Description

tlspr is an SNI gateway service (destination host is taken from TLS handshake). The destination port must be specified via the -P option (or it may be detected with the Transparent plugin).

Options

-I: Inetd mode. Standalone service only.
-d: Daemonize. Detach service from console and run in the background.
-t: Be silenT. Do not log start/stop/accept error records.
-u: Never ask for username authentication
-e: External address. IP address of the interface the proxy should initiate connections from. By default, the system will decide which address to use in accordance with the routing table.
-i: Internal address. IP address the proxy accepts connections to. By default, connections to any interface are accepted. It´s usually unsafe.
-a: Anonymous. Hide information about client.
-a1: Anonymous. Show fake information about client.
-p: listening_port. Port proxy listens for incoming connections. Default is 1443.
-P: destination_port. Port to establish outgoing connections. Required unless the Transparent plugin is used, because the TLS handshake does not contain port information. Default is 443.
-c: TLS_CHECK_LEVEL. 0 (default) - allow non-TLS traffic to pass, 1 - require TLS, only check client HELLO packet, 2 - require TLS, check both client and server HELLO, 3 - require TLS, check that the server sends a certificate (not compatible with TLS 1.3), 4 - require mutual TLS, check that the server sends a certificate request and the client sends a certificate (not compatible with TLS 1.3)
-l: Log. By default logging is to stdout. If logfile is specified logging is to file. Under Unix, if ´@´ precedes logfile, syslog is used for logging.
-S: Increase or decrease stack size. You may want to try something like -S8192 if you experience 3proxy crashes.

You should use a client with TLS support or configure a router to redirect TLS traffic to the proxy (transparent proxy). Configure the client to connect to internal_ip and port. If you need to limit clients, use 3proxy(8) instead.