initial commit

g3proxy/doc/configuration/escapers/direct_fixed.rst

@@ -0,0 +1,97 @@
+.. _configuration_escaper_direct_fixed:
+
+direct_fixed
+============
+
+This escaper will access the target upstream from local machine directly.
+
+The following interfaces are supported:
+
+* tcp connect
+* udp relay
+* udp connect
+* http(s) forward
+* ftp over http
+
+The following common keys are supported:
+
+* :ref:`shared_logger <conf_escaper_common_shared_logger>`
+* :ref:`resolver <conf_escaper_common_resolver>`, **required**
+* :ref:`resolve_strategy <conf_escaper_common_resolve_strategy>`
+
+  The user custom resolve strategy will be taken into account.
+
+* :ref:`tcp_sock_speed_limit <conf_escaper_common_tcp_sock_speed_limit>`
+* :ref:`udp_sock_speed_limit <conf_escaper_common_udp_sock_speed_limit>`
+* :ref:`no_ipv4 <conf_escaper_common_no_ipv4>`
+* :ref:`no_ipv6 <conf_escaper_common_no_ipv6>`
+* :ref:`tcp_connect <conf_escaper_common_tcp_connect>`
+
+  The user tcp connect params will be taken into account.
+
+* :ref:`tcp_misc_opts <conf_escaper_common_tcp_misc_opts>`
+* :ref:`udp_misc_opts <conf_escaper_common_udp_misc_opts>`
+* :ref:`extra_metrics_tags <conf_escaper_common_extra_metrics_tags>`
+
+bind_ip
+-------
+
+**optional**, **type**: :ref:`ip addr str <conf_value_ip_addr_str>` | seq
+
+Set the bind ip address(es) for sockets.
+
+For *seq* value, each of its element must be :ref:`ip addr str <conf_value_ip_addr_str>`.
+Only random select is supported. Use *route* type escapers if is doesn't meet your needs.
+
+**default**: not set
+
+egress_network_filter
+---------------------
+
+**optional**, **type**: :ref:`egress network acl rule <conf_value_egress_network_acl_rule>`
+
+Set the network filter for the (resolved) remote ip address.
+
+**default**: all permitted except for loop-back and link-local addresses
+
+happy_eyeballs
+--------------
+
+**optional**, **type**: :ref:`happy eyeballs <conf_value_happy_eyeballs>`
+
+Set the HappyEyeballs config.
+
+**default**: default HappyEyeballs config
+
+.. versionadded:: 1.5.3
+
+tcp_keepalive
+-------------
+
+**optional**, **type**: :ref:`tcp keepalive <conf_value_tcp_keepalive>`
+
+Set tcp keepalive.
+
+The tcp keepalive set in user config will be taken into account.
+
+**default**: no keepalive set
+
+resolve_redirection
+-------------------
+
+**optional**, **type**: :ref:`resolve redirection <conf_value_resolve_redirection>`
+
+Set the dns redirection rules at escaper level.
+
+**default**: not set
+
+enable_path_selection
+---------------------
+
+**optional**, **type**: bool
+
+Weather we should enable path selection.
+
+.. note:: Path selection on server side should be open, or this option will have no effects.
+
+**default**: false

g3proxy/doc/configuration/escapers/direct_float.rst

@@ -0,0 +1,156 @@
+.. _configuration_escaper_direct_float:
+
+************
+direct_float
+************
+
+This escaper will access the target upstream from local machine directly. The local bind ip, which is required,
+can be set via the `publish` rpc method.
+
+The following interfaces are supported:
+
+* tcp connect
+* http(s) forward
+
+The Cap'n Proto RPC publish command is supported on this escaper, the published data should be a map, with the keys:
+
+* ipv4
+
+  Set the IPv4 bind ip address(es).
+  The value could be an array of or just one :ref:`bind ip <config_escaper_dynamic_bind_ip>`.
+
+* ipv6
+
+  Set the IPv6 bind ip address(es).
+  The value could be an array of or just one :ref:`bind ip <config_escaper_dynamic_bind_ip>`.
+
+There is no path selection support for this escaper.
+
+Config Keys
+===========
+
+The following common keys are supported:
+
+* :ref:`shared_logger <conf_escaper_common_shared_logger>`
+* :ref:`resolver <conf_escaper_common_resolver>`, **required**
+* :ref:`resolve_strategy <conf_escaper_common_resolve_strategy>`
+
+  The user custom resolve strategy will be taken into account.
+
+* :ref:`tcp_sock_speed_limit <conf_escaper_common_tcp_sock_speed_limit>`
+* :ref:`udp_sock_speed_limit <conf_escaper_common_udp_sock_speed_limit>`
+* :ref:`no_ipv4 <conf_escaper_common_no_ipv4>`
+* :ref:`no_ipv6 <conf_escaper_common_no_ipv6>`
+* :ref:`tcp_connect <conf_escaper_common_tcp_connect>`
+
+  The user tcp connect params will be taken into account.
+
+* :ref:`tcp_misc_opts <conf_escaper_common_tcp_misc_opts>`
+* :ref:`extra_metrics_tags <conf_escaper_common_extra_metrics_tags>`
+
+cache_ipv4
+----------
+
+**recommend**, **type**: :ref:`file path <conf_value_file_path>`
+
+Set the cache file for published IPv4 IP Address(es).
+
+It is recommended to set this as the fetch of peers at startup may be finished after the first batch of requests.
+
+The file will be created if not existed.
+
+**default**: not set
+
+cache_ipv6
+----------
+
+**recommend**, **type**: :ref:`file path <conf_value_file_path>`
+
+Set the cache file for published IPv6 IP Address(es).
+
+It is recommended to set this as the fetch of peers at startup may be finished after the first batch of requests.
+
+The file will be created if not existed.
+
+**default**: not set
+
+egress_network_filter
+---------------------
+
+**optional**, **type**: :ref:`egress network acl rule <conf_value_egress_network_acl_rule>`
+
+Set the network filter for the (resolved) remote ip address.
+
+**default**: all permitted except for loopback and link-local addresses
+
+happy_eyeballs
+--------------
+
+**optional**, **type**: :ref:`happy eyeballs <conf_value_happy_eyeballs>`
+
+Set the HappyEyeballs config.
+
+**default**: default HappyEyeballs config
+
+.. versionadded:: 1.5.3
+
+tcp_keepalive
+-------------
+
+**optional**, **type**: :ref:`tcp keepalive <conf_value_tcp_keepalive>`
+
+Set tcp keepalive.
+
+The tcp keepalive set in user config will be taken into account.
+
+**default**: 60s
+
+resolve_redirection
+-------------------
+
+**optional**, **type**: :ref:`resolve redirection <conf_value_resolve_redirection>`
+
+Set the dns redirection rules at escaper level.
+
+**default**: not set
+
+.. _config_escaper_dynamic_bind_ip:
+
+Bind IP
+=======
+
+We use json string to represent a dynamic bind ip, with a map type as root element.
+
+* ip
+
+  **required**, **type**: :ref:`ip addr str <conf_value_ip_addr_str>`
+
+  Set the IP address. The address family should match the type of the publish key described above.
+
+* isp
+
+  **optional**, **type**: str
+
+  ISP for the egress ip address.
+
+* eip
+
+  **optional**, **type**: :ref:`ip addr str <conf_value_ip_addr_str>`
+
+  The egress ip address from external view.
+
+* area
+
+  **optional**, **type**: :ref:`egress area <conf_value_egress_area>`
+
+  Area of the egress ip address.
+
+* expire
+
+  **optional**, **type**: :ref:`rfc3339 datetime str <conf_value_rfc3339_datetime_str>`
+
+  Set the expire time of this dynamic ip.
+
+  **default**: not set
+
+If all optional fields can be set with the default value, the root element can be just a *ip*.

g3proxy/doc/configuration/escapers/dummy_deny.rst

@@ -0,0 +1,16 @@
+.. _configuration_escaper_dummy_deny:
+
+**********
+dummy_deny
+**********
+
+This is the dummy escaper designed to deny all requests.
+
+There is no path selection support for this escaper.
+
+Config Keys
+===========
+
+The following common keys are supported:
+
+* :ref:`extra_metrics_tags <conf_escaper_common_extra_metrics_tags>`

g3proxy/doc/configuration/escapers/index.rst

@@ -0,0 +1,208 @@
+.. _configuration_escaper:
+
+*******
+Escaper
+*******
+
+The type for each escaper config is *map*, with two always required keys:
+
+* *name*, which specify the name of the escaper.
+* *type*, which specify the real type of the escaper, decides how to parse other keys.
+
+There are many types of escaper, each with a section below.
+
+Escapers
+========
+
+.. toctree::
+   :maxdepth: 2
+
+   dummy_deny
+   direct_fixed
+   direct_float
+   proxy_float
+   proxy_http
+   proxy_https
+   proxy_socks5
+   route_mapping
+   route_query
+   route_resolved
+   route_select
+   route_upstream
+   route_client
+   trick_float
+
+Common Keys
+===========
+
+This section describes the common keys, they may be used by many escapers.
+
+.. _conf_escaper_common_shared_logger:
+
+shared_logger
+-------------
+
+**optional**, **type**: ascii
+
+Set the escaper to use a logger running on a shared thread.
+
+**default**: not set
+
+.. _conf_escaper_common_resolver:
+
+resolver
+--------
+
+**type**: str
+
+Set the resolver to use for this escaper.
+
+If the specified resolver doesn't exist in configure, a default DenyAll resolver will be used.
+
+.. _conf_escaper_common_resolve_strategy:
+
+resolve_strategy
+-----------------
+
+**optional**, **type**: :ref:`resolve strategy <conf_value_resolve_strategy>`
+
+Set the resolve strategy.
+
+.. _conf_escaper_common_tcp_sock_speed_limit:
+
+tcp_sock_speed_limit
+--------------------
+
+**optional**, **type**: :ref:`tcp socket speed limit <conf_value_tcp_sock_speed_limit>`
+
+Set speed limit for each tcp socket.
+
+**default**: no limit, **alias**: tcp_conn_speed_limit | tcp_conn_limit
+
+.. versionchanged:: 1.4.0 changed name to tcp_sock_speed_limit
+
+.. _conf_escaper_common_udp_sock_speed_limit:
+
+udp_sock_speed_limit
+--------------------
+
+**optional**, **type**: :ref:`udp socket speed limit <conf_value_udp_sock_speed_limit>`
+
+Set speed limit for each udp socket.
+
+**default**: no limit, **alias**: udp_relay_speed_limit | udp_relay_limit
+
+.. versionchanged:: 1.4.0 changed name to udp_sock_speed_limit
+
+.. _conf_escaper_common_no_ipv4:
+
+no_ipv4
+-------
+
+**optional**, **type**: bool
+
+Disable IPv4. This setting should be compatible with :ref:`resolve_strategy <conf_escaper_common_resolve_strategy>`.
+
+**default**: false
+
+.. _conf_escaper_common_no_ipv6:
+
+no_ipv6
+-------
+
+**optional**, **type**: bool
+
+Disable IPv6. This setting should be compatible with :ref:`resolve_strategy <conf_escaper_common_resolve_strategy>`.
+
+**default**: false
+
+.. _conf_escaper_common_tcp_connect:
+
+tcp_connect
+-----------
+
+**optional**, **type**: :ref:`tcp connect <conf_value_tcp_connect>`
+
+Set tcp connect params.
+
+.. note:: For *direct* type escapers, the user level tcp connect params will be taken to limit the final value.
+
+.. _conf_escaper_common_tcp_misc_opts:
+
+tcp_misc_opts
+-------------
+
+**optional**, **type**: :ref:`tcp misc sock opts <conf_value_tcp_misc_sock_opts>`
+
+Set misc tcp socket options.
+
+**default**: not set, nodelay is default enabled
+
+.. _conf_escaper_common_udp_misc_opts:
+
+udp_misc_opts
+-------------
+
+**optional**, **type**: :ref:`udp misc sock opts <conf_value_udp_misc_sock_opts>`
+
+Set misc udp socket options.
+
+**default**: not set
+
+.. _conf_escaper_common_default_next:
+
+default_next
+------------
+
+**required**, **type**: str
+
+Set the default next escaper for *route* type escapers.
+
+.. _conf_escaper_common_pass_proxy_userid:
+
+pass_proxy_userid
+-----------------
+
+**optional**, **type**: bool
+
+Set if we should pass userid (username) to next proxy.
+
+If set, the native basic auth method will be used when negotiation with next proxy, and the username field will be set
+to the real username, the password field set to our package name (g3proxy if not forked).
+
+**default**: false
+
+.. note:: This will conflict with the real auth of next proxy.
+
+.. _conf_escaper_common_use_proxy_protocol:
+
+use_proxy_protocol
+------------------
+
+**optional**, **type**: :ref:`proxy protocol version <conf_value_proxy_protocol_version>`
+
+Set the version of PROXY protocol we use for outgoing tcp connections.
+
+**default**: not set, which means PROXY protocol won't be used
+
+.. _conf_escaper_common_peer_negotiation_timeout:
+
+peer_negotiation_timeout
+------------------------
+
+**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+Set the negotiation timeout for next proxy peers.
+
+**default**: 10s
+
+.. _conf_escaper_common_extra_metrics_tags:
+
+extra_metrics_tags
+------------------
+
+**optional**, **type**: :ref:`static metrics tags <conf_value_static_metrics_tags>`
+
+Set extra metrics tags that should be added to escaper stats and user stats already with escaper tags added.
+
+**default**: not set

g3proxy/doc/configuration/escapers/proxy_float.rst

@@ -0,0 +1,391 @@
+.. _configuration_escaper_proxy_float:
+
+***********
+proxy_float
+***********
+
+This escaper provide the capability to access the target upstream through dynamic remote proxies.
+
+The following interfaces are supported:
+
+* tcp connect
+* http(s) forward
+
+The following remote proxy protocols are supported:
+
+* Http Proxy
+* Socks5 Proxy
+
+The Cap'n Proto RPC publish command is supported on this escaper, the published data should be an array of
+or just one :ref:`peer <config_escaper_dynamic_peer>`.
+
+There is no path selection support for this escaper.
+
+Config Keys
+===========
+
+The following common keys are supported:
+
+* :ref:`shared_logger <conf_escaper_common_shared_logger>`
+* :ref:`tcp_sock_speed_limit <conf_escaper_common_tcp_sock_speed_limit>`
+* :ref:`tcp_misc_opts <conf_escaper_common_tcp_misc_opts>`
+* :ref:`peer negotiation timeout <conf_escaper_common_peer_negotiation_timeout>`
+* :ref:`extra_metrics_tags <conf_escaper_common_extra_metrics_tags>`
+
+source
+------
+
+**required**, **type**: :ref:`url str <conf_value_url_str>` | map | null
+
+Set the fetch source for peers.
+
+We support many type of sources. The type is detected by reading the *scheme* field of url,
+or the *type* key of the map. See :ref:`sources <config_escaper_dynamic_source>` for all supported type of sources.
+
+cache
+-----
+
+**recommend**, **type**: :ref:`file path <conf_value_file_path>`
+
+Set the cache file.
+
+It is recommended to set this as the fetch of peers at startup may be finished after the first batch of requests.
+
+The file will be created if not existed.
+
+**default**: not set
+
+refresh_interval
+----------------
+
+**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+Set the refresh interval to update peers from the configured source.
+
+**default**: 1s
+
+bind_ipv4
+---------
+
+**optional**, **type**: :ref:`ipv4 addr str <conf_value_ipv4_addr_str>`
+
+Set the bind ip address for inet sockets.
+
+**default**: not set
+
+bind_ipv6
+---------
+
+**optional**, **type**: :ref:`ipv6 addr str <conf_value_ipv6_addr_str>`
+
+Set the bind ip address for inet6 sockets.
+
+**default**: not set
+
+tls_client
+----------
+
+**optional**, **type**: bool | :ref:`openssl tls client config <conf_value_openssl_tls_client_config>`
+
+Enable https peer, and set TLS parameters for this local TLS client.
+If set to true or empty map, a default config is used.
+
+**default**: not set
+
+tcp_connect_timeout
+-------------------
+
+**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+Set the tcp connect application level timeout value.
+
+**default**: 30s
+
+tcp_keepalive
+-------------
+
+**optional**, **type**: :ref:`tcp keepalive <conf_value_tcp_keepalive>`
+
+Set tcp keepalive.
+
+The tcp keepalive set in user config won't be taken into account.
+
+**default**: 60s
+
+expire_guard_duration
+---------------------
+
+**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+If the peer has an expire value, we won't connect to it if we can reach the expire time after adding this value.
+
+**default**: 5s
+
+.. _config_escaper_dynamic_source:
+
+Sources
+=======
+
+For *map* format, the **type** key should always be set.
+
+passive
+-------
+
+Do not fetch peers. Only publish is needed.
+
+The root value of source may be set to *null* to use passive source.
+
+redis
+-----
+
+Fetch peers from a redis db.
+
+The keys used in the *map* format are:
+
+* addr
+
+  **required**, **type**: :ref:`upstream str <conf_value_upstream_str>`
+
+  Set the address of the redis instance. The default port is 6379 which can be omitted.
+
+* db
+
+  **optional**, **type**: int
+
+  Set the database.
+
+  **default**: 0
+
+* username
+
+  **optional**, **type**: str
+
+  Set the username for redis 6 database if needed. It is required if connect to an ACL enabled redis 6 database.
+
+  **default**: not set
+
+* password
+
+  **optional**, **type**: str
+
+  Set the password.
+
+  **default**: not set
+
+* connect_timeout
+
+  **optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+  Set the connect timeout.
+
+  **default**: 5s
+
+* read_timeout
+
+  **optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+  Set the timeout for redis read operation.
+
+  **default**: 2s
+
+* sets_key
+
+  **required**, **type**: str
+
+  Set the key for the sets that store the peers. Each string record in the set is a single peer.
+  See :ref:`peers <config_escaper_dynamic_peer>` for its formats.
+
+For *url* str values, the format is:
+
+    redis://[username][:<password>@]<addr>/<db>?sets_key=<sets_key>
+
+redis_cluster
+-------------
+
+Fetch peers from a redis cluster.
+
+The value should be a *map*, with these keys:
+
+* initial_nodes
+
+  **required**, **type**: :ref:`upstream str <conf_value_upstream_str>`
+
+  Set the address of the startup nodes.
+
+* username
+
+  **optional**, **type**: str
+
+  Set the username.
+
+  .. versionadded:: 1.7.0
+
+* password
+
+  **optional**, **type**: str
+
+  Set the password.
+
+  **default**: not set
+
+* read_timeout
+
+  **optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+  Set the timeout for redis read operation.
+
+  **default**: 2s
+
+* sets_key
+
+  **required**, **type**: str
+
+  Set the key for the sets that store the peers. Each string record in the set is a single peer.
+  See :ref:`peers <config_escaper_dynamic_peer>` for its formats.
+
+.. _config_escaper_dynamic_peer:
+
+Peers
+=====
+
+We use json string to represent a peer, with a map type as root element.
+
+Common keys
+-----------
+
+* type
+
+  **required**, **type**: str
+
+  It tells us the peer type.
+
+* addr
+
+  **required**, **type**: :ref:`sockaddr str <conf_value_sockaddr_str>`
+
+  Set the socket address we can connect to the peer.
+  No domain name is allowed here.
+
+* isp
+
+  **optional**, **type**: str
+
+  ISP for the egress ip address.
+
+* eip
+
+  **optional**, **type**: :ref:`ip addr str <conf_value_ip_addr_str>`
+
+  The egress ip address from external view.
+
+* area
+
+  **optional**, **type**: :ref:`egress area <conf_value_egress_area>`
+
+  Area of the egress ip address.
+
+* expire
+
+  **optional**, **type**: :ref:`rfc3339 datetime str <conf_value_rfc3339_datetime_str>`
+
+  Set the expire time for this peer.
+
+* tcp_sock_speed_limit
+
+  **optional**, **type**: :ref:`tcp socket speed limit <conf_value_tcp_sock_speed_limit>`
+
+  Set the speed limit for each tcp connections to this peer.
+
+  .. versionchanged:: 1.4.0 changed name to tcp_sock_speed_limit
+
+The following types are supported:
+
+http
+----
+
+* username
+
+  **optional**, **type**: :ref:`username <conf_value_username>`
+
+  Set the username for HTTP basic auth.
+
+* password
+
+  **optional**, **type**: :ref:`password <conf_value_password>`
+
+  Set the password for HTTP basic auth.
+
+* http_connect_rsp_header_max_size
+
+  **optional**, **type**: :ref:`humanize usize <conf_value_humanize_usize>`
+
+  Set the max header size for received CONNECT response.
+
+  **default**: 4KiB
+
+* extra_append_headers
+
+  **optional**, **type**: map
+
+  Set extra headers append to the requests sent to upstream.
+  The key should be the header name, both the key and the value should be in ascii string type.
+
+  .. note:: No duplication check is done here, use it with caution.
+
+
+https
+-----
+
+* username
+
+  **optional**, **type**: :ref:`username <conf_value_username>`
+
+  Set the username for HTTP basic auth.
+
+* password
+
+  **optional**, **type**: :ref:`password <conf_value_password>`
+
+  Set the password for HTTP basic auth.
+
+* tls_name
+
+  **optional**, **type**: :ref:`tls name <conf_value_tls_name>`
+
+  Set the tls server name for server certificate verification.
+
+  .. note:: IP address is not supported by now. So if not set, the connection will fail.
+
+  **default**: not set
+
+* http_connect_rsp_header_max_size
+
+  **optional**, **type**: :ref:`humanize usize <conf_value_humanize_usize>`
+
+  Set the max header size for received CONNECT response.
+
+  **default**: 4KiB
+
+* extra_append_headers
+
+  **optional**, **type**: map
+
+  Set extra headers append to the requests sent to upstream.
+  The key should be the header name, both the key and the value should be in ascii string type.
+
+  .. note:: No duplication check is done here, use it with caution.
+
+socks5
+------
+
+* username
+
+  **optional**, **type**: :ref:`username <conf_value_username>`
+
+  Set the username for Socks5 User auth.
+
+* password
+
+  **optional**, **type**: :ref:`password <conf_value_password>`
+
+  Set the password for Socks5 User auth.

g3proxy/doc/configuration/escapers/proxy_http.rst

@@ -0,0 +1,113 @@
+.. _configuration_escaper_proxy_http:
+
+proxy_http
+==========
+
+This escaper will access the target upstream through another http proxy.
+
+The following interfaces are supported:
+
+* tcp connect
+* http(s) forward
+
+There is no path selection support for this escaper.
+
+The following common keys are supported:
+
+* :ref:`shared_logger <conf_escaper_common_shared_logger>`
+* :ref:`resolver <conf_escaper_common_resolver>`, **required** only if *proxy_addr* is domain
+* :ref:`resolve_strategy <conf_escaper_common_resolve_strategy>`
+* :ref:`tcp_sock_speed_limit <conf_escaper_common_tcp_sock_speed_limit>`
+* :ref:`no_ipv4 <conf_escaper_common_no_ipv4>`
+* :ref:`no_ipv6 <conf_escaper_common_no_ipv6>`
+* :ref:`tcp_connect <conf_escaper_common_tcp_connect>`
+* :ref:`tcp_misc_opts <conf_escaper_common_tcp_misc_opts>`
+* :ref:`pass_proxy_userid <conf_escaper_common_pass_proxy_userid>`
+* :ref:`use_proxy_protocol <conf_escaper_common_use_proxy_protocol>`
+* :ref:`peer negotiation timeout <conf_escaper_common_peer_negotiation_timeout>`
+* :ref:`extra_metrics_tags <conf_escaper_common_extra_metrics_tags>`
+
+proxy_addr
+----------
+
+**required**, **type**: :ref:`upstream str <conf_value_upstream_str>` | seq
+
+Set the target proxy address. The default port is 3128 which can be omitted.
+
+For *seq* value, each of its element must be :ref:`weighted upstream addr <conf_value_weighted_upstream_addr>`.
+
+proxy_addr_pick_policy
+----------------------
+
+**optional**, **type**: :ref:`selective pick policy <conf_value_selective_pick_policy>`
+
+Set the policy to select next proxy address.
+
+The key for rendezvous/jump hash is *<client-ip>[-<username>]-<upstream-host>*.
+
+**default**: random
+
+proxy_username
+--------------
+
+**optional**, **type**: :ref:`username <conf_value_username>`
+
+Set the proxy username. The Basic auth scheme is used by default.
+
+.. note::
+
+  Conflict with :ref:`pass_proxy_userid <conf_escaper_common_pass_proxy_userid>`
+
+proxy_password
+--------------
+
+**optional**, **type**: :ref:`password <conf_value_password>`
+
+Set the proxy password. Required if username is present.
+
+bind_ipv4
+---------
+
+**optional**, **type**: :ref:`ipv4 addr str <conf_value_ipv4_addr_str>`
+
+Set the bind ip address for inet sockets.
+
+**default**: not set
+
+bind_ipv6
+---------
+
+**optional**, **type**: :ref:`ipv6 addr str <conf_value_ipv6_addr_str>`
+
+Set the bind ip address for inet6 sockets.
+
+**default**: not set
+
+http_forward_capability
+-----------------------
+
+**optional**, **type**: :ref:`http forward capability <conf_value_http_forward_capability>`
+
+Set the http forward capability if the next proxy.
+
+**default**: all capability disabled
+
+http_connect_rsp_header_max_size
+--------------------------------
+
+**optional**, **type**: :ref:`humanize usize <conf_value_humanize_usize>`
+
+Set the max header size for received CONNECT response.
+
+**default**: 4KiB
+
+tcp_keepalive
+-------------
+
+**optional**, **type**: :ref:`tcp keepalive <conf_value_tcp_keepalive>`
+
+Set tcp keepalive.
+
+The tcp keepalive set in user config won't be taken into account.
+
+**default**: no keepalive set

g3proxy/doc/configuration/escapers/proxy_https.rst

@@ -0,0 +1,134 @@
+.. _configuration_escaper_proxy_https:
+
+proxy_https
+===========
+
+This escaper will access the target upstream through another https proxy.
+
+The following interfaces are supported:
+
+* tcp connect
+* http(s) forward
+
+There is no path selection support for this escaper.
+
+The following common keys are supported:
+
+* :ref:`shared_logger <conf_escaper_common_shared_logger>`
+* :ref:`resolver <conf_escaper_common_resolver>`, **required** only if *proxy_addr* is domain
+* :ref:`resolve_strategy <conf_escaper_common_resolve_strategy>`
+* :ref:`tcp_sock_speed_limit <conf_escaper_common_tcp_sock_speed_limit>`
+* :ref:`no_ipv4 <conf_escaper_common_no_ipv4>`
+* :ref:`no_ipv6 <conf_escaper_common_no_ipv6>`
+* :ref:`tcp_connect <conf_escaper_common_tcp_connect>`
+* :ref:`tcp_misc_opts <conf_escaper_common_tcp_misc_opts>`
+* :ref:`pass_proxy_userid <conf_escaper_common_pass_proxy_userid>`
+* :ref:`use_proxy_protocol <conf_escaper_common_use_proxy_protocol>`
+* :ref:`peer negotiation timeout <conf_escaper_common_peer_negotiation_timeout>`
+* :ref:`extra_metrics_tags <conf_escaper_common_extra_metrics_tags>`
+
+proxy_addr
+----------
+
+**required**, **type**: :ref:`upstream str <conf_value_upstream_str>` | seq
+
+Set the target proxy address. The default port is 3128 which can be omitted.
+
+For *seq* value, each of its element must be :ref:`weighted upstream addr <conf_value_weighted_upstream_addr>`.
+
+proxy_addr_pick_policy
+----------------------
+
+**optional**, **type**: :ref:`selective pick policy <conf_value_selective_pick_policy>`
+
+Set the policy to select next proxy address.
+
+The key for rendezvous/jump hash is *<client-ip>[-<username>]-<upstream-host>*.
+
+**default**: random
+
+tls_client
+----------
+
+**required**, **type**: :ref:`openssl tls client config <conf_value_openssl_tls_client_config>`
+
+Set TLS parameters for this local TLS client.
+If set to empty map, a default config is used.
+
+tls_name
+--------
+
+**optional**, **type**: :ref:`tls name <conf_value_tls_name>`
+
+Set the tls server name to verify tls certificate for all peers.
+
+If not set, the host part of each peer will be used.
+
+.. note:: IP address is not supported by now
+
+**default**: not set
+
+proxy_username
+--------------
+
+**optional**, **type**: :ref:`username <conf_value_username>`
+
+Set the proxy username. The Basic auth scheme is used by default.
+
+.. note::
+
+  Conflict with :ref:`pass_proxy_userid <conf_escaper_common_pass_proxy_userid>`
+
+proxy_password
+--------------
+
+**optional**, **type**: :ref:`password <conf_value_password>`
+
+Set the proxy password. Required if username is present.
+
+bind_ipv4
+---------
+
+**optional**, **type**: :ref:`ipv4 addr str <conf_value_ipv4_addr_str>`
+
+Set the bind ip address for inet sockets.
+
+**default**: not set
+
+bind_ipv6
+---------
+
+**optional**, **type**: :ref:`ipv6 addr str <conf_value_ipv6_addr_str>`
+
+Set the bind ip address for inet6 sockets.
+
+**default**: not set
+
+http_forward_capability
+-----------------------
+
+**optional**, **type**: :ref:`http forward capability <conf_value_http_forward_capability>`
+
+Set the http forward capability if the next proxy.
+
+**default**: all capability disabled
+
+http_connect_rsp_header_max_size
+--------------------------------
+
+**optional**, **type**: :ref:`humanize usize <conf_value_humanize_usize>`
+
+Set the max header size for received CONNECT response.
+
+**default**: 4KiB
+
+tcp_keepalive
+-------------
+
+**optional**, **type**: :ref:`tcp keepalive <conf_value_tcp_keepalive>`
+
+Set tcp keepalive.
+
+The tcp keepalive set in user config won't be taken into account.
+
+**default**: no keepalive set

g3proxy/doc/configuration/escapers/proxy_socks5.rst

@@ -0,0 +1,93 @@
+.. _configuration_escaper_proxy_socks5:
+
+proxy_socks5
+============
+
+This escaper will access the target upstream through another http proxy.
+
+The following interfaces are supported:
+
+* tcp connect
+* udp_relay
+* udp_connect
+* http(s) forward
+
+There is no path selection support for this escaper.
+
+The following common keys are supported:
+
+* :ref:`shared_logger <conf_escaper_common_shared_logger>`
+* :ref:`resolver <conf_escaper_common_resolver>`, **required** only if *proxy_addr* is domain
+* :ref:`resolve_strategy <conf_escaper_common_resolve_strategy>`
+* :ref:`tcp_sock_speed_limit <conf_escaper_common_tcp_sock_speed_limit>`
+* :ref:`udp_sock_speed_limit <conf_escaper_common_udp_sock_speed_limit>`
+* :ref:`no_ipv4 <conf_escaper_common_no_ipv4>`
+* :ref:`no_ipv6 <conf_escaper_common_no_ipv6>`
+* :ref:`tcp_connect <conf_escaper_common_tcp_connect>`
+* :ref:`tcp_misc_opts <conf_escaper_common_tcp_misc_opts>`
+* :ref:`udp_misc_opts <conf_escaper_common_udp_misc_opts>`
+* :ref:`peer negotiation timeout <conf_escaper_common_peer_negotiation_timeout>`
+* :ref:`extra_metrics_tags <conf_escaper_common_extra_metrics_tags>`
+
+proxy_addr
+----------
+
+**required**, **type**: :ref:`upstream str <conf_value_upstream_str>` | seq
+
+Set the target proxy address. The default port is 1080 which can be omitted.
+
+For *seq* value, each of its element must be :ref:`weighted upstream addr <conf_value_weighted_upstream_addr>`.
+
+proxy_addr_pick_policy
+----------------------
+
+**optional**, **type**: :ref:`selective pick policy <conf_value_selective_pick_policy>`
+
+Set the policy to select next proxy address.
+
+The key for rendezvous/jump hash is *<client-ip>[-<username>]-<upstream-host>*.
+
+**default**: random
+
+proxy_username
+--------------
+
+**optional**, **type**: :ref:`username <conf_value_username>`
+
+Set the proxy username. The User auth scheme is used by default.
+
+proxy_password
+--------------
+
+**optional**, **type**: :ref:`password <conf_value_password>`
+
+Set the proxy password. Required if username is present.
+
+bind_ipv4
+---------
+
+**optional**, **type**: :ref:`ipv4 addr str <conf_value_ipv4_addr_str>`
+
+Set the bind ip address for inet sockets.
+
+**default**: not set
+
+bind_ipv6
+---------
+
+**optional**, **type**: :ref:`ipv6 addr str <conf_value_ipv6_addr_str>`
+
+Set the bind ip address for inet6 sockets.
+
+**default**: not set
+
+tcp_keepalive
+-------------
+
+**optional**, **type**: :ref:`tcp keepalive <conf_value_tcp_keepalive>`
+
+Set tcp keepalive.
+
+The tcp keepalive set in user config won't be taken into account.
+
+**default**: 60s

g3proxy/doc/configuration/escapers/route_client.rst

@@ -0,0 +1,60 @@
+.. _configuration_escaper_route_client:
+
+route_client
+============
+
+.. versionadded:: 1.1.3
+
+This escaper allows to select a next escaper based on rules on client address.
+
+There is no path selection support for this escaper.
+
+The following common keys are supported:
+
+* :ref:`default_next <conf_escaper_common_default_next>`
+
+exact_match
+-----------
+
+**optional**, **type**: seq
+
+If the client ip exactly match the one in the rules, that escaper will be selected.
+
+Each rule is in *map* format, with two keys:
+
+* next
+
+  **required**, **type**: str
+
+  Set the next escaper.
+
+* ips
+
+  **optional**, **type**: seq
+
+  Each element should be :ref:`ip addr str <conf_value_ip_addr_str>`.
+
+  An ip should not be set duplicated in rules for different next escapers.
+
+subnet_match
+------------
+
+**optional**, **type**: seq
+
+If the client ip match the longest subnet in the rule, that escaper will be selected.
+
+Each rule is in *map* format, with two keys:
+
+* next
+
+  **required**, **type**: str
+
+  Set the next escaper.
+
+* subnets
+
+  **optional**, **type**: seq
+
+  Each element should be :ref:`ip network str <conf_value_ip_network_str>`.
+
+  A subnet should not be set duplicated in rules for different next escapers.

g3proxy/doc/configuration/escapers/route_mapping.rst

@@ -0,0 +1,19 @@
+.. _configuration_escaper_route_mapping:
+
+route_mapping
+=============
+
+This escaper allows to select a next escaper based on the user specified path selection index.
+
+If no index can be get from the path selection method, the default random one will be used.
+
+No common keys are supported.
+
+next
+----
+
+**required**, **type**: seq
+
+This set all the next escapers. Each element should be the name of the target float escaper.
+
+.. note:: No duplication of next escapers is allowed.

g3proxy/doc/configuration/escapers/route_query.rst

@@ -0,0 +1,132 @@
+.. _configuration_escaper_route_query:
+
+route_query
+===========
+
+This escaper allows to select a next escaper based on query to another service through a UDP socket.
+
+There is no path selection support for this escaper.
+
+No common keys are supported.
+
+.. _configuration_escaper_route_query_fallback_node:
+
+fallback_node
+-------------
+
+**required**, **type**: string
+
+Set the fallback escaper name.
+
+query_allowed_next
+------------------
+
+**required**, **type**: seq
+
+Set all the next escapers those are allowed to use in the query result. Each element should be the next escaper name.
+If the selected escaper name is not found in this list, the fallback escaper will be used.
+
+.. _configuration_escaper_route_query_pass_client_ip:
+
+query_pass_client_ip
+--------------------
+
+**optional**, **type**: bool
+
+Set whether we should also send client_ip in the query message.
+
+**default**: false
+
+cache_request_batch_count
+-------------------------
+
+**optional**, **type**: usize
+
+Set how many consequent query requests we should handle in the cache runtime before yield out to the next loop.
+
+**default**: 10
+
+cache_request_timeout
+---------------------
+
+**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+Set how many time we should spend on waiting responses from cache runtime after sending query request.
+
+The fallback node will be used if timeout occur.
+
+**default**: 100ms
+
+cache_pick_policy
+-----------------
+
+**optional**, **type**: :ref:`selective pick policy <conf_value_selective_pick_policy>`
+
+Set the policy to select next proxy address from the query result.
+
+The key for rendezvous/jump hash is *<client-ip>*.
+
+**default**: rendezvous
+
+query_peer_addr
+---------------
+
+**optional**, **type**: :ref:`sockaddr str <conf_value_sockaddr_str>`
+
+Set the socket address of the service that we should send queries to.
+
+**default**: 127.0.0.1:1053
+
+query_socket_buffer
+-------------------
+
+**optional**, **type**: :ref:`socket buffer config <conf_value_socket_buffer_config>`
+
+Set the socket buffer config for the UDP socket we will use.
+
+**default**: not set
+
+query_wait_timeout
+------------------
+
+**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+Set how many time we should wait for response from the peer service.
+
+Empty reply will be send back to cache runtime if timeout occur.
+
+**default**: 10s
+
+.. _configuration_escaper_route_query_protective_cache_ttl:
+
+protective_cache_ttl
+--------------------
+
+**optional**, **type**: usize
+
+Set the cache ttl for failed or zero-ttl query results.
+
+**default**: 10
+
+maximum_cache_ttl
+-----------------
+
+**optional**, **type**: usize
+
+Set the maximum cache ttl for query results.
+
+**default**: 1800
+
+.. _configuration_escaper_route_query_vanish_after_expired:
+
+cache_vanish_wait
+-----------------
+
+**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+Clean the record from the cache if it has been expired such many time.
+
+We still cache expired records some time before clean them as a new query will spend more time and the new query result
+will have a big chance to be the same with the expired one.
+
+**default**: 30s, **alias**: vanish_after_expire

g3proxy/doc/configuration/escapers/route_resolved.rst

@@ -0,0 +1,52 @@
+.. _configuration_escaper_route_resolved:
+
+route_resolved
+==============
+
+This escaper allows to select a next escaper based on rules on the resolved upstream ip address.
+
+There is no path selection support for this escaper.
+
+The resolve method in Happy Eyeballs algorithm is used.
+
+The following common keys are supported:
+
+* :ref:`resolver <conf_escaper_common_resolver>`, **required**
+* :ref:`resolve_strategy <conf_escaper_common_resolve_strategy>`
+* :ref:`default_next <conf_escaper_common_default_next>`
+
+lpm_match
+---------
+
+**optional**, **type**: seq
+
+If the resolved upstream ip address lpm match the network in the rules, that escaper will be selected.
+
+Each rule is in *map* format, with two keys:
+
+* next
+
+  **required**, **type**: str
+
+  Set the next escaper.
+
+* networks
+
+  **optional**, **type**: seq
+
+  Each element should be valid network string. Both IPv4 and IPv6 are supported.
+
+  Each network should not be set for different next escapers.
+
+resolution_delay
+----------------
+
+**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+The resolution delay time for the wait of the preferred address family after another one is returned.
+
+The meaning is the same as *resolution_delay* field in :ref:`happy eyeballs <conf_value_happy_eyeballs>`.
+
+**default**: 50ms
+
+.. versionadded:: 1.5.5

g3proxy/doc/configuration/escapers/route_select.rst

@@ -0,0 +1,30 @@
+.. _configuration_escaper_route_select:
+
+route_select
+============
+
+This escaper allows to select a next escaper based on the specified pick policy.
+
+There is no path selection support for this escaper.
+
+No common keys are supported.
+
+next_nodes
+----------
+
+**required**, **type**: string | seq
+
+Set the next escaper(s) those can be selected.
+
+For *seq* value, each of its element must be :ref:`weighted name str <conf_value_weighted_name_str>`.
+
+next_pick_policy
+----------------
+
+**optional**, **type**: :ref:`selective pick policy <conf_value_selective_pick_policy>`
+
+Set the policy to select next proxy address.
+
+The key for rendezvous/jump hash is *<client-ip>[-<username>]-<upstream-host>*.
+
+**default**: rendezvous

g3proxy/doc/configuration/escapers/route_upstream.rst

@@ -0,0 +1,105 @@
+.. _configuration_escaper_route_upstream:
+
+route_upstream
+==============
+
+This escaper allows to select a next escaper based on rules on upstream address.
+
+There is no path selection support for this escaper.
+
+The following common keys are supported:
+
+* :ref:`default_next <conf_escaper_common_default_next>`
+
+exact_match
+-----------
+
+**optional**, **type**: seq
+
+If the host part of upstream address exactly match the one in the rules, that escaper will be selected.
+
+Each rule is in *map* format, with two keys:
+
+* next
+
+  **required**, **type**: str
+
+  Set the next escaper.
+
+* hosts
+
+  **optional**, **type**: seq
+
+  Each element should be :ref:`host <conf_value_host>`.
+
+  A host should not be set duplicated in rules for different next escapers.
+
+subnet_match
+------------
+
+**optional**, **type**: seq
+
+If the host is an IP address and match the longest subnet in the rule, that escaper will be selected.
+
+Each rule is in *map* format, with two keys:
+
+* next
+
+  **required**, **type**: str
+
+  Set the next escaper.
+
+* subnets
+
+  **optional**, **type**: seq
+
+  Each element should be :ref:`ip network str <conf_value_ip_network_str>`.
+
+  A subnet should not be set duplicated in rules for different next escapers.
+
+child_match
+-----------
+
+**optional**, **type**: seq
+
+If the domain of the upstream address is children of domains in the rules, that escaper will be selected.
+
+Each rule is in *map* format, with two keys:
+
+* next
+
+  **required**, **type**: str
+
+  Set the next escaper.
+
+* domains
+
+  **optional**, **type**: seq
+
+  Each element should be :ref:`domain <conf_value_domain>`.
+
+  Each domain should not be set for different next escapers.
+
+radix_match
+-----------
+
+**optional**, **type**: seq
+
+If the domain of the upstream address exactly match the one of the domain suffixes in the rules,
+that escaper will be selected.
+
+Each rule is in *map* format, with two keys:
+
+* next
+
+  **required**, **type**: str
+
+  Set the next escaper.
+
+* suffixes
+
+  **optional**, **type**: seq
+
+  Each element should be :ref:`domain <conf_value_domain>`.
+
+  Each domain suffix should not be set for different next escapers.

g3proxy/doc/configuration/escapers/trick_float.rst

@@ -0,0 +1,17 @@
+.. _configuration_escaper_trick_float:
+
+trick_float
+===========
+
+This escaper allows to select a next float escaper weighted randomly.
+
+No common keys are supported.
+
+next
+----
+
+**required**, **type**: seq
+
+This set all the next escapers. Each element should be the name of the target float escaper.
+
+.. note:: Duplication of next escapers will be ignored.