Fast • 🪶 Lightweight • 0️⃣ Dependency • 🔌 Pluggable • 😈 TLS interception • 🔒 DNS-over-HTTPS • 🔥 Poor Man's VPN • Reverse & Forward • 👮🏿 "Proxy Server" framework • 🌐 "Web Server" framework • ➵ ➶ ➷ ➠ "PubSub" framework • 👷 "Work" acceptor & executor f
Go to file
pyup.io bot 57315289ae Update pytest from 5.2.1 to 5.2.2 (#142) 2019-10-26 20:38:22 -07:00
.github Threadless execution using coroutines (#134) 2019-10-15 23:56:39 -07:00
public/devtools Chrome Devtool Integration first steps (#109) 2019-10-09 22:36:47 -07:00
.dockerignore Ensure explicit flush before upgrade while TLS intercepting (#121) 2019-10-10 15:15:27 -07:00
.gitignore Threadless execution using coroutines (#134) 2019-10-15 23:56:39 -07:00
.travis.yml Remove pip upgrade for windows which seems to be failing on travis (#136) 2019-10-16 01:13:27 -07:00
Dockerfile Reduce docker image size 2019-10-11 11:03:51 -07:00
LICENSE Update LICENSE 2019-09-03 09:53:14 -07:00
MANIFEST.in Make pypi release 1.0.0 2019-09-27 13:42:53 -07:00
Makefile Threadless execution using coroutines (#134) 2019-10-15 23:56:39 -07:00
Procfile Add Procfile. 2019-09-03 08:57:20 -07:00
ProxyPy.png Add proxy.py banner image 2019-08-11 10:43:59 -07:00
README.md Threadless execution using coroutines (#134) 2019-10-15 23:56:39 -07:00
benchmark.py Add pipeline response parsing tests (#137) 2019-10-16 03:22:08 -07:00
chrome_with_proxy.sh Threadless execution using coroutines (#134) 2019-10-15 23:56:39 -07:00
fluentd.conf Use selectors.DefaultSelector instead of select.select (#106) 2019-10-02 00:09:35 -07:00
monitor_open_files.sh Threadless execution using coroutines (#134) 2019-10-15 23:56:39 -07:00
package-lock.json Chrome Devtool Integration first steps (#109) 2019-10-09 22:36:47 -07:00
package.json Chrome Devtool Integration first steps (#109) 2019-10-09 22:36:47 -07:00
plugin_examples.py Threadless execution using coroutines (#134) 2019-10-15 23:56:39 -07:00
proxy.js v1.1.0 release 2019-10-10 00:29:41 -07:00
proxy.pac Enable WebServer plugin when --pac_file serving is requested. 2019-08-24 10:11:57 -07:00
proxy.py os.close only for threadless (#138) 2019-10-16 13:09:38 -07:00
requirements-release.txt Update setuptools from 41.2.0 to 41.4.0 (#112) 2019-10-07 03:57:05 -07:00
requirements-testing.txt Update pytest from 5.2.1 to 5.2.2 (#142) 2019-10-26 20:38:22 -07:00
requirements.txt Ensure explicit flush before upgrade while TLS intercepting (#121) 2019-10-10 15:15:27 -07:00
setup.py Ensure explicit flush before upgrade while TLS intercepting (#121) 2019-10-10 15:15:27 -07:00
tests.py os.close only for threadless (#138) 2019-10-16 13:09:38 -07:00

README.md

Proxy.Py

License PyPi Downloads Docker Pulls Build Status No Dependencies Coverage

Tested With MacOS Tested With Ubuntu Tested With Windows Tested With Android Tested With Android Emulator Tested With iOS Tested With iOS Simulator

Maintenance Ask Me Anything Contributions Welcome Gitter

Python 3.6 Python 3.7 Checked with mypy

Become a Backer

Table of Contents

Features

  • Fast & Scalable
    • Scales by using all available cores on the system
    • Threadless executions using coroutine
    • Made to handle tens-of-thousands connections / sec
      # On Macbook Pro 2015 / 2.8 GHz Intel Core i7
      $ hey -n 10000 -c 100 http://localhost:8899/
      
      Summary:
        Total:	0.6157 secs
        Slowest:	0.1049 secs
        Fastest:	0.0007 secs
        Average:	0.0055 secs
        Requests/sec:	16240.5444
      
        Total data:	800000 bytes
        Size/request:	80 bytes
      
      Response time histogram:
        0.001 [1]     |
        0.011 [9565]	|■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■
        0.022 [332]	|■
      
  • Lightweight
    • Distributed as a single file module ~100KB
    • Uses only ~5-20MB RAM
    • No external dependency other than standard Python library
  • Programmable
    • Optionally enable builtin Web Server
    • Customize proxy and http routing via plugins
    • Enable plugin using command line option e.g. --plugins plugin_examples.CacheResponsesPlugin
    • Plugin API is currently in development state, expect breaking changes.
  • Secure
  • Man-In-The-Middle
    • Can decrypt TLS traffic between clients and upstream servers
    • See TLS Encryption
  • Supported proxy protocols
    • http
    • https
    • http2
    • websockets
  • Optimized for large file uploads and downloads
  • IPv4 and IPv6 support
  • Basic authentication support
  • Can serve a PAC (Proxy Auto-configuration) file
    • See --pac-file and --pac-file-url-path flags

Install

Stable version

Install from PyPi

$ pip install --upgrade proxy.py

or from GitHub master branch

$ pip install git+https://github.com/abhinavsingh/proxy.py.git@master

or simply wget it:

$ wget -q https://raw.githubusercontent.com/abhinavsingh/proxy.py/master/proxy.py

or download from here proxy.py

Development version

$ pip install git+https://github.com/abhinavsingh/proxy.py.git@develop

For Docker usage see Docker Image.

Start proxy.py

Command line

Simply type proxy.py on command line to start it with default configuration.

$ proxy.py
...[redacted]... - Loaded plugin <class 'proxy.HttpProxyPlugin'>
...[redacted]... - Starting 8 workers
...[redacted]... - Started server on ::1:8899

Things to notice from above logs:

  • Loaded plugin - proxy.py will load HttpProxyPlugin by default. It adds http(s) proxy server capabilities to proxy.py

  • Started N workers - Use --num-workers flag to customize number of Worker processes. By default, proxy.py will start as many workers as there are CPU cores on the machine.

  • Started server on ::1:8899 - By default, proxy.py listens on IPv6 ::1, which is equivalent of IPv4 127.0.0.1. If you want to access proxy.py externally, use --hostname :: or --hostname 0.0.0.0 or bind to any other interface available on your machine.

  • Port 8899 - Use --port flag to customize default TCP port.

All the logs above are INFO level logs, default --log-level for proxy.py.

Lets start proxy.py with DEBUG level logging:

$ proxy.py --log-level d
...[redacted]... - Open file descriptor soft limit set to 1024
...[redacted]... - Loaded plugin <class 'proxy.HttpProxyPlugin'>
...[redacted]... - Started 8 workers
...[redacted]... - Started server on ::1:8899

As we can see, before starting up:

  • proxy.py also tried to set open file limit ulimit on the system.
  • Default value for --open-file-limit used is 1024.
  • --open-file-limit flag is a no-op on Windows operating systems.

See flags for full list of available configuration options.

Docker image

Stable Version from Docker Hub

$ docker run -it -p 8899:8899 --rm abhinavsingh/proxy.py:latest

Build Development Version Locally

$ git clone https://github.com/abhinavsingh/proxy.py.git
$ cd proxy.py
$ make container
$ docker run -it -p 8899:8899 --rm abhinavsingh/proxy.py:v$(./proxy.py -v)

By default docker binary is started with IPv4 networking flags:

--hostname 0.0.0.0 --port 8899

To override input flags, start docker image as follows. For example, to check proxy.py version within Docker image:

$ docker run -it \
    -p 8899:8899 \
    --rm abhinavsingh/proxy.py:latest \
    -v

WARNING docker image is currently broken on macOS due to incompatibility with vpnkit.

Plugin Examples

See plugin_examples.py for full code.

All the examples below also works with https traffic but require additional flags and certificate generation. See TLS Interception.

ShortLinkPlugin

Add support for short links in your favorite browsers / applications.

Start proxy.py as:

$ proxy.py \
    --plugins plugin_examples.ShortLinkPlugin

Now you can speed up your daily browsing experience by visiting your favorite website using single character domain names :). This works across all browsers.

Following short links are enabled by default:

Short Link Destination URL
a/ amazon.com
i/ instagram.com
l/ linkedin.com
f/ facebook.com
g/ google.com
t/ twitter.com
w/ web.whatsapp.com
y/ youtube.com
proxy/ localhost:8899

ModifyPostDataPlugin

Modifies POST request body before sending request to upstream server.

Start proxy.py as:

$ proxy.py \
    --plugins plugin_examples.ModifyPostDataPlugin

By default plugin replaces POST body content with hardcoded b'{"key": "modified"}' and enforced Content-Type: application/json.

Verify the same using curl -x localhost:8899 -d '{"key": "value"}' http://httpbin.org/post

{
  "args": {},
  "data": "{\"key\": \"modified\"}",
  "files": {},
  "form": {},
  "headers": {
    "Accept": "*/*",
    "Content-Length": "19",
    "Content-Type": "application/json",
    "Host": "httpbin.org",
    "User-Agent": "curl/7.54.0"
  },
  "json": {
    "key": "modified"
  },
  "origin": "1.2.3.4, 5.6.7.8",
  "url": "https://httpbin.org/post"
}

Note following from the response above:

  1. POST data was modified "data": "{\"key\": \"modified\"}". Original curl command data was {"key": "value"}.
  2. Our curl command didn't add any Content-Type header, but our plugin did add one "Content-Type": "application/json". Same can also be verified by looking at json field in the output above:
    "json": {
     "key": "modified"
    },
    
  3. Our plugin also added a Content-Length header to match length of modified body.

ProposedRestApiPlugin

Mock responses for your server REST API. Use to test and develop client side applications without need of an actual upstream REST API server.

Start proxy.py as:

$ proxy.py \
    --plugins plugin_examples.ProposedRestApiPlugin

Verify mock API response using curl -x localhost:8899 http://api.example.com/v1/users/

{"count": 2, "next": null, "previous": null, "results": [{"email": "you@example.com", "groups": [], "url": "api.example.com/v1/users/1/", "username": "admin"}, {"email": "someone@example.com", "groups": [], "url": "api.example.com/v1/users/2/", "username": "admin"}]}

Verify the same by inspecting proxy.py logs:

2019-09-27 12:44:02,212 - INFO - pid:7077 - access_log:1210 - ::1:64792 - GET None:None/v1/users/ - None None - 0 byte

Access log shows None:None as server ip:port. None simply means that the server connection was never made, since response was returned by our plugin.

Now modify ProposedRestApiPlugin to returns REST API mock responses as expected by your clients.

RedirectToCustomServerPlugin

Redirects all incoming http requests to custom web server. By default, it redirects client requests to inbuilt web server, also running on 8899 port.

Start proxy.py and enable inbuilt web server:

$ proxy.py \
    --enable-web-server \
    --plugins plugin_examples.RedirectToCustomServerPlugin

Verify using curl -v -x localhost:8899 http://google.com

... [redacted] ...
< HTTP/1.1 404 NOT FOUND
< Server: proxy.py v1.0.0
< Connection: Close
< 
* Closing connection 0

Above 404 response was returned from proxy.py web server.

Verify the same by inspecting the logs for proxy.py. Along with the proxy request log, you must also see a http web server request log.

2019-09-24 19:09:33,602 - INFO - pid:49996 - access_log:1241 - ::1:49525 - GET /
2019-09-24 19:09:33,603 - INFO - pid:49995 - access_log:1157 - ::1:49524 - GET localhost:8899/ - 404 NOT FOUND - 70 bytes

FilterByUpstreamHostPlugin

Drops traffic by inspecting upstream host. By default, plugin drops traffic for google.com and www.google.com.

Start proxy.py as:

$ proxy.py \
    --plugins plugin_examples.FilterByUpstreamHostPlugin

Verify using curl -v -x localhost:8899 http://google.com:

... [redacted] ...
< HTTP/1.1 418 I'm a tea pot
< Proxy-agent: proxy.py v1.0.0
* no chunk, no close, no size. Assume close to signal end
< 
* Closing connection 0

Above 418 I'm a tea pot is sent by our plugin.

Verify the same by inspecting logs for proxy.py:

2019-09-24 19:21:37,893 - ERROR - pid:50074 - handle_readables:1347 - ProtocolException type raised
Traceback (most recent call last):
... [redacted] ...
2019-09-24 19:21:37,897 - INFO - pid:50074 - access_log:1157 - ::1:49911 - GET None:None/ - None None - 0 bytes

CacheResponsesPlugin

Caches Upstream Server Responses.

Start proxy.py as:

$ proxy.py \
    --plugins plugin_examples.CacheResponsesPlugin

Verify using curl -v -x localhost:8899 http://httpbin.org/get:

... [redacted] ...
< HTTP/1.1 200 OK
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Origin: *
< Content-Type: application/json
< Date: Wed, 25 Sep 2019 02:24:25 GMT
< Referrer-Policy: no-referrer-when-downgrade
< Server: nginx
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
< Content-Length: 202
< Connection: keep-alive
< 
{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Host": "httpbin.org",
    "User-Agent": "curl/7.54.0"
  },
  "origin": "1.2.3.4, 5.6.7.8",
  "url": "https://httpbin.org/get"
}
* Connection #0 to host localhost left intact

Get path to the cache file from proxy.py logs:

... [redacted] ... - GET httpbin.org:80/get - 200 OK - 556 bytes
... [redacted] ... - Cached response at /var/folders/k9/x93q0_xn1ls9zy76m2mf2k_00000gn/T/httpbin.org-1569378301.407512.txt

Verify contents of the cache file cat /path/to/your/cache/httpbin.org.txt

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Content-Type: application/json
Date: Wed, 25 Sep 2019 02:24:25 GMT
Referrer-Policy: no-referrer-when-downgrade
Server: nginx
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Length: 202
Connection: keep-alive

{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Host": "httpbin.org",
    "User-Agent": "curl/7.54.0"
  },
  "origin": "1.2.3.4, 5.6.7.8",
  "url": "https://httpbin.org/get"
}

ManInTheMiddlePlugin

Modifies upstream server responses.

Start proxy.py as:

$ proxy.py \
    --plugins plugin_examples.ManInTheMiddlePlugin

Verify using curl -v -x localhost:8899 http://google.com:

... [redacted] ...
< HTTP/1.1 200 OK
< Content-Length: 28
< 
* Connection #0 to host localhost left intact
Hello from man in the middle

Response body Hello from man in the middle is sent by our plugin.

Plugin Ordering

When using multiple plugins, depending upon plugin functionality, it might be worth considering the order in which plugins are passed on the command line.

Plugins are called in the same order as they are passed. Example, say we are using both FilterByUpstreamHostPlugin and RedirectToCustomServerPlugin. Idea is to drop all incoming http requests for google.com and www.google.com and redirect other http requests to our inbuilt web server.

Hence, in this scenario it is important to use FilterByUpstreamHostPlugin before RedirectToCustomServerPlugin. If we enable RedirectToCustomServerPlugin before FilterByUpstreamHostPlugin, google requests will also get redirected to inbuilt web server, instead of being dropped.

End-to-End Encryption

By default, proxy.py uses http protocol for communication with clients e.g. curl, browser. For enabling end-to-end encrypting using tls / https first generate certificates:

make https-certificates

Start proxy.py as:

$ proxy.py \
    --cert-file https-cert.pem \
    --key-file https-key.pem

Verify using curl -x https://localhost:8899 --proxy-cacert https-cert.pem https://httpbin.org/get:

{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Host": "httpbin.org",
    "User-Agent": "curl/7.54.0"
  },
  "origin": "1.2.3.4, 5.6.7.8",
  "url": "https://httpbin.org/get"
}

TLS Interception

By default, proxy.py doesn't decrypt https traffic between client and server. To enable TLS interception first generate CA certificates:

make ca-certificates

Lets also enable CacheResponsePlugin so that we can verify decrypted response from the server. Start proxy.py as:

$ proxy.py \
    --plugins plugin_examples.CacheResponsesPlugin \
    --ca-key-file ca-key.pem \
    --ca-cert-file ca-cert.pem \
    --ca-signing-key-file ca-signing-key.pem

Verify using curl -v -x localhost:8899 --cacert ca-cert.pem https://httpbin.org/get

*  issuer: C=US; ST=CA; L=SanFrancisco; O=proxy.py; OU=CA; CN=Proxy PY CA; emailAddress=proxyca@mailserver.com
*  SSL certificate verify ok.
> GET /get HTTP/1.1
... [redacted] ...
< Connection: keep-alive
< 
{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Host": "httpbin.org",
    "User-Agent": "curl/7.54.0"
  },
  "origin": "1.2.3.4, 5.6.7.8",
  "url": "https://httpbin.org/get"
}

The issuer line confirms that response was intercepted.

Also verify the contents of cached response file. Get path to the cache file from proxy.py logs.

$ cat /path/to/your/tmp/directory/httpbin.org-1569452863.924174.txt

HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Content-Type: application/json
Date: Wed, 25 Sep 2019 23:07:05 GMT
Referrer-Policy: no-referrer-when-downgrade
Server: nginx
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Length: 202
Connection: keep-alive

{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Host": "httpbin.org",
    "User-Agent": "curl/7.54.0"
  },
  "origin": "1.2.3.4, 5.6.7.8",
  "url": "https://httpbin.org/get"
}

Viola!!! If you remove CA flags, encrypted data will be found in the cached file instead of plain text.

Now use CA flags with other plugin examples to see them work with https traffic.

import proxy.py

You can directly import proxy.py into your Python code. Example:

$ python
>>> import proxy
>>>

TCP Sockets

proxy.new_socket_connection

Attempts to create an IPv4 connection, then IPv6 and finally a dual stack connection to provided address.

>>> conn = proxy.new_socket_connection(('httpbin.org', 80))
>>> ...[ use connection ]...
>>> conn.close()

proxy.socket_connection

socket_connection is a convenient decorator + context manager around new_socket_connection which ensures conn.close is implicit.

As a context manager:

>>> with proxy.new_socket_connection(('httpbin.org', 80)) as conn:
>>>   ... [ use connection ] ...

As a decorator:

>>> @proxy.new_socket_connection(('httpbin.org', 80))
>>> def my_api_call(conn, *args, **kwargs):
>>>   ... [ use connection ] ...

Http Client

proxy.build_http_request

Generate HTTP GET request
>>> proxy.build_http_request(b'GET', b'/')
b'GET / HTTP/1.1\r\n\r\n'
>>>
Generate HTTP GET request with headers
>>> proxy.build_http_request(b'GET', b'/', 
        headers={b'Connection': b'close'})
b'GET / HTTP/1.1\r\nConnection: close\r\n\r\n'
>>>
Generate HTTP POST request with headers and body
>>> import json
>>> proxy.build_http_request(b'POST', b'/form', 
        headers={b'Content-type': b'application/json'}, 
        body=proxy.bytes_(json.dumps({'email': 'hello@world.com'})))
    b'POST /form HTTP/1.1\r\nContent-type: application/json\r\n\r\n{"email": "hello@world.com"}'

proxy.build_http_response

TODO

Websocket Client

proxy.WebsocketFrame

TODO

proxy.WebsocketClient

TODO

Embed proxy.py

To start proxy.py server from imported proxy.py module, simply do:

import proxy

if __name__ == '__main__':
  proxy.main(['--hostname', '::1', '--port', 8899])

See Internal Documentation for all available classes and utility methods.

Plugin Developer and Contributor Guide

Everything is a plugin

As you might have guessed by now, in proxy.py everything is a plugin.

  • We enabled proxy server plugins using --plugins flag. All the plugin examples were implementing HttpProxyBasePlugin. See documentation of HttpProxyBasePlugin for available lifecycle hooks. Use HttpProxyBasePlugin to modify behavior of http(s) proxy protocol between client and upstream server. Example, FilterByUpstreamHostPlugin.

  • We also enabled inbuilt web server using --enable-web-server. Inbuilt web server implements ProtocolHandlerPlugin plugin. See documentation of ProtocolHandlerPlugin for available lifecycle hooks. Use ProtocolHandlerPlugin to add new features for http(s) clients. Example, HttpWebServerPlugin.

  • There also is a --disable-http-proxy flag. It disables inbuilt proxy server. Use this flag with --enable-web-server flag to run proxy.py as a programmable http(s) server. HttpProxyPlugin also implements ProtocolHandlerPlugin.

Internal Architecture

  • ProtocolHandler thread is started with the accepted TcpClientConnection. ProtocolHandler is responsible for parsing incoming client request and invoking ProtocolHandlerPlugin lifecycle hooks.

  • HttpProxyPlugin which implements ProtocolHandlerPlugin also has its own plugin mechanism. Its responsibility is to establish connection between client and upstream TcpServerConnection and invoke HttpProxyBasePlugin lifecycle hooks.

  • ProtocolHandler threads are started by Acceptor processes.

  • --num-workers Acceptor processes are started by AcceptorPool on start-up.

  • AcceptorPool listens on server socket and pass the handler to Acceptor processes. Workers are responsible for accepting new client connections and starting ProtocolHandler thread.

Sending a Pull Request

Install dependencies for local development testing:

$ pip install -r requirements-testing.txt

Every pull request goes through set of tests which must pass:

  • mypy: Run make lint locally for compliance check. Fix all warnings and errors before sending out a PR.

  • coverage: Run make coverage locally for coverage report. Its ideal to add tests for any critical change. Depending upon the change, it's ok if test coverage falls by <0.5%.

  • formatting: Run make autopep8 locally to format the code in-place. autopep8 is run with --aggresive flag. Sometimes it may result in weird formatting. But let's stick to one consistent formatting tool. I am open to flag changes for autopep8.

Internal Documentation

Browse through internal class hierarchy and documentation using pydoc3. Example:

$ pydoc3 proxy

CLASSES
    abc.ABC(builtins.object)
        HttpProxyBasePlugin
        HttpWebServerBasePlugin
            DevtoolsWebsocketPlugin
            HttpWebServerPacFilePlugin
        ProtocolHandlerPlugin
            DevtoolsProtocolPlugin
            HttpProxyPlugin
            HttpWebServerPlugin
        TcpConnection
            TcpClientConnection
            TcpServerConnection
            WebsocketClient
        ThreadlessWork
            ProtocolHandler(threading.Thread, ThreadlessWork)
    builtins.Exception(builtins.BaseException)
        ProtocolException
            HttpRequestRejected
            ProxyAuthenticationFailed
            ProxyConnectionFailed
        TcpConnectionUninitializedException
    builtins.object
        AcceptorPool
        ChunkParser
        HttpParser
        ProtocolConfig
        WebsocketFrame
    builtins.tuple(builtins.object)
        ChunkParserStates
        HttpMethods
        HttpParserStates
        HttpParserTypes
        HttpProtocolTypes
        HttpStatusCodes
        TcpConnectionTypes
        WebsocketOpcodes
    contextlib.ContextDecorator(builtins.object)
        socket_connection
    multiprocessing.context.Process(multiprocessing.process.BaseProcess)
        Acceptor
        Threadless
    threading.Thread(builtins.object)
        ProtocolHandler(threading.Thread, ThreadlessWork)

Frequently Asked Questions

Unable to connect with proxy.py from remote host

Make sure proxy.py is listening on correct network interface. Try following flags:

  • For IPv6 --hostname ::
  • For IPv4 --hostname 0.0.0.0

Basic auth not working with a browser

Most likely it's a browser integration issue with system keychain.

  • First verify that basic auth is working using curl

    curl -v -x username:password@localhost:8899 https://httpbin.org/get

  • See this thread for further details.

Docker image not working on macOS

It's a compatibility issue with vpnkit.

See moby/vpnkit exhausts docker resources and Connection refused: The proxy could not connect for some background.

Unable to load custom plugins

Make sure your plugin modules are discoverable by adding them to PYTHONPATH. Example:

PYTHONPATH=/path/to/my/app proxy.py --plugins my_app.proxyPlugin

...[redacted]... - Loaded plugin proxy.HttpProxyPlugin
...[redacted]... - Loaded plugin my_app.proxyPlugin

GCE log viewer integration for proxy.py

A starter fluentd.conf template is available.

  1. Copy this configuration file as proxy.py.conf under /etc/google-fluentd/config.d/

  2. Update path field to log file path as used with --log-file flag. By default /tmp/proxy.log path is tailed.

  3. Reload google-fluentd:

    sudo service google-fluentd restart

Now proxy.py logs can be browsed using GCE log viewer.

ValueError: filedescriptor out of range in select

proxy.py is made to handle thousands of connections per second.

  1. Make use of --open-file-limit flag to customize ulimit -n.
    • To set a value upper than the hard limit, run as root.
  2. Make sure to adjust --backlog flag for higher concurrency.

If nothing helps, open an issue with requests per second sent and output of following debug script:

# PID of proxy.py
PROXY_PY_PID=<... Put value here or use --pid-file option ...>;

# Prints number of open files by main process
lsof -p $PROXY_PY_PID | wc -l;

# Prints number of open files per worker process
pgrep -P $PROXY_PY_PID | while read pid; do lsof -p $pid | wc -l; done;

Flags

$ proxy.py -h
usage: proxy.py [-h] [--backlog BACKLOG] [--basic-auth BASIC_AUTH]
                [--ca-key-file CA_KEY_FILE] [--ca-cert-dir CA_CERT_DIR]
                [--ca-cert-file CA_CERT_FILE]
                [--ca-signing-key-file CA_SIGNING_KEY_FILE]
                [--cert-file CERT_FILE]
                [--client-recvbuf-size CLIENT_RECVBUF_SIZE]
                [--devtools-ws-path DEVTOOLS_WS_PATH]
                [--disable-headers DISABLE_HEADERS] [--disable-http-proxy]
                [--enable-devtools] [--enable-static-server]
                [--enable-web-server] [--hostname HOSTNAME]
                [--key-file KEY_FILE] [--log-level LOG_LEVEL]
                [--log-file LOG_FILE] [--log-format LOG_FORMAT]
                [--num-workers NUM_WORKERS]
                [--open-file-limit OPEN_FILE_LIMIT] [--pac-file PAC_FILE]
                [--pac-file-url-path PAC_FILE_URL_PATH] [--pid-file PID_FILE]
                [--plugins PLUGINS] [--port PORT]
                [--server-recvbuf-size SERVER_RECVBUF_SIZE]
                [--static-server-dir STATIC_SERVER_DIR] [--threadless]
                [--timeout TIMEOUT] [--version]

proxy.py v1.2.0

optional arguments:
  -h, --help            show this help message and exit
  --backlog BACKLOG     Default: 100. Maximum number of pending connections to
                        proxy server
  --basic-auth BASIC_AUTH
                        Default: No authentication. Specify colon separated
                        user:password to enable basic authentication.
  --ca-key-file CA_KEY_FILE
                        Default: None. CA key to use for signing dynamically
                        generated HTTPS certificates. If used, must also pass
                        --ca-cert-file and --ca-signing-key-file
  --ca-cert-dir CA_CERT_DIR
                        Default: ~/.proxy.py. Directory to store dynamically
                        generated certificates. Also see --ca-key-file, --ca-
                        cert-file and --ca-signing-key-file
  --ca-cert-file CA_CERT_FILE
                        Default: None. Signing certificate to use for signing
                        dynamically generated HTTPS certificates. If used,
                        must also pass --ca-key-file and --ca-signing-key-file
  --ca-signing-key-file CA_SIGNING_KEY_FILE
                        Default: None. CA signing key to use for dynamic
                        generation of HTTPS certificates. If used, must also
                        pass --ca-key-file and --ca-cert-file
  --cert-file CERT_FILE
                        Default: None. Server certificate to enable end-to-end
                        TLS encryption with clients. If used, must also pass
                        --key-file.
  --client-recvbuf-size CLIENT_RECVBUF_SIZE
                        Default: 1 MB. Maximum amount of data received from
                        the client in a single recv() operation. Bump this
                        value for faster uploads at the expense of increased
                        RAM.
  --devtools-ws-path DEVTOOLS_WS_PATH
                        Default: /devtools. Only applicable if --enable-
                        devtools is used.
  --disable-headers DISABLE_HEADERS
                        Default: None. Comma separated list of headers to
                        remove before dispatching client request to upstream
                        server.
  --disable-http-proxy  Default: False. Whether to disable
                        proxy.HttpProxyPlugin.
  --enable-devtools     Default: False. Enables integration with Chrome
                        Devtool Frontend.
  --enable-static-server
                        Default: False. Enable inbuilt static file server.
                        Optionally, also use --static-server-dir to serve
                        static content from custom directory. By default,
                        static file server serves from public folder.
  --enable-web-server   Default: False. Whether to enable
                        proxy.HttpWebServerPlugin.
  --hostname HOSTNAME   Default: ::1. Server IP address.
  --key-file KEY_FILE   Default: None. Server key file to enable end-to-end
                        TLS encryption with clients. If used, must also pass
                        --cert-file.
  --log-level LOG_LEVEL
                        Valid options: DEBUG, INFO (default), WARNING, ERROR,
                        CRITICAL. Both upper and lowercase values are allowed.
                        You may also simply use the leading character e.g.
                        --log-level d
  --log-file LOG_FILE   Default: sys.stdout. Log file destination.
  --log-format LOG_FORMAT
                        Log format for Python logger.
  --num-workers NUM_WORKERS
                        Defaults to number of CPU cores.
  --open-file-limit OPEN_FILE_LIMIT
                        Default: 1024. Maximum number of files (TCP
                        connections) that proxy.py can open concurrently.
  --pac-file PAC_FILE   A file (Proxy Auto Configuration) or string to serve
                        when the server receives a direct file request. Using
                        this option enables proxy.HttpWebServerPlugin.
  --pac-file-url-path PAC_FILE_URL_PATH
                        Default: /. Web server path to serve the PAC file.
  --pid-file PID_FILE   Default: None. Save parent process ID to a file.
  --plugins PLUGINS     Comma separated plugins
  --port PORT           Default: 8899. Server port.
  --server-recvbuf-size SERVER_RECVBUF_SIZE
                        Default: 1 MB. Maximum amount of data received from
                        the server in a single recv() operation. Bump this
                        value for faster downloads at the expense of increased
                        RAM.
  --static-server-dir STATIC_SERVER_DIR
                        Default: "public" folder in directory where proxy.py
                        is placed. This option is only applicable when static
                        server is also enabled. See --enable-static-server.
  --threadless          Default: False. When disabled a new thread is spawned
                        to handle each client connection.
  --timeout TIMEOUT     Default: 10. Number of seconds after which an inactive
                        connection must be dropped. Inactivity is defined by
                        no data sent or received by the client.
  --version, -v         Prints proxy.py version.

Proxy.py not working? Report at:
https://github.com/abhinavsingh/proxy.py/issues/new