Sometimes you need a proxy fast:
for testing, CI/CD, connecting services or temporary infrastructure.
Docker Compose is the simplest and cleanest way to do it in a couple of minutes.
Below are 3 options: SOCKS5, HTTP proxy, HAProxy. You can spin them up individually or together.
Option 1: SOCKS5 proxy in 1 minute
SOCKS5 is the most universal type of proxy. It works with virtually any traffic.
docker-compose.yml
services:
  socks5-proxy:
    image: serjs/go-socks5-proxy:latest
    container_name: socks5-proxy
    restart: unless-stopped
    ports:
      - "1080:1080"
    environment:
      # REQUIRE_AUTH=false — if you need a proxy without authentication
      - REQUIRE_AUTH=true
      # sample credentials, replace with your own
      - PROXY_USER=user
      - PROXY_PASSWORD=asdasd!
    networks:
      - proxy-network
    healthcheck:
      test: ["CMD", "nc", "-z", "localhost", "1080"]
      interval: 30s
      timeout: 10s
      retries: 3
networks:
  proxy-network:
    driver: bridge
Option 2: HTTP proxy (Tinyproxy)
An HTTP proxy is suitable for browsers and simple scenarios (curl, apt, services that can’t do SOCKS).
docker-compose.yml
services:
  http-proxy:
    image: vimagick/tinyproxy:latest
    container_name: http-proxy
    restart: unless-stopped
    ports:
      - "3128:3128"
    environment:
      - PORT=3128
      # login:password for basic auth (sample value, replace with your own)
      - AUTH=myuser:mypassword123
    networks:
      - proxy-network
    healthcheck:
      test: ["CMD", "nc", "-z", "localhost", "3128"]
      interval: 30s
      timeout: 10s
      retries: 3
networks:
  proxy-network:
    driver: bridge
Option 3: HAProxy Transparent
A transparent 443 proxy via HAProxy (TCP passthrough)
0) Terms
- edge — the protective server with a public IP; all :443 traffic arrives here
- origin — the real server with the site/service on :443
- passthrough — HAProxy doesn’t decrypt TLS, it just proxies TCP
1) Requirements
- On edge, port 443/tcp is open to the outside
- On origin, port 443/tcp is accessible only from the edge IP (recommended)
- HAProxy will run in mode tcp
2) Installing HAProxy on edge (Ubuntu/Debian)
sudo apt update
sudo apt install -y haproxy
haproxy -v
sudo nano /etc/haproxy/haproxy.cfg
global
    log /dev/log local0
    log /dev/log local1 notice
    maxconn 20000
    daemon
defaults
    log global
    mode tcp
    option tcplog
    timeout connect 5s
    timeout client 1m
    timeout server 1m
frontend ft_443
    bind *:443
    mode tcp
    default_backend bk_origin_443
backend bk_origin_443
    mode tcp
    # Basic TCP availability check
    server origin ORIGIN_IP:443 check
sudo haproxy -c -f /etc/haproxy/haproxy.cfg
sudo systemctl restart haproxy
sudo systemctl enable haproxy
3) Verifying That Passthrough Works
curl -vk https://<EDGE_DOMAIN_OR_IP>/
4) Important: origin will see HAProxy’s IP (how to fix it)
In TCP passthrough mode, origin doesn’t know the client’s real IP.
Solution: enable the PROXY protocol from HAProxy to origin.
4.1) Enable the PROXY protocol in HAProxy
In the backend, add send-proxy-v2:
backend bk_origin_443
    mode tcp
    server origin ORIGIN_IP:443 send-proxy-v2 check
sudo haproxy -c -f /etc/haproxy/haproxy.cfg && sudo systemctl restart haproxy
4.2) Configure origin (example for Nginx)
On origin, nginx needs to listen on 443 with proxy_protocol.
Example (if nginx terminates TLS on origin):
server {
    listen 443 ssl proxy_protocol;
    server_name example.com;
    # trust only edge
    set_real_ip_from <EDGE_IP>;
    real_ip_header proxy_protocol;
    ssl_certificate /etc/ssl/fullchain.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
Important: set_real_ip_from must be exactly the edge IP, otherwise the IP can be spoofed.
Reloading nginx:
sudo nginx -t && sudo systemctl reload nginx
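To see why step 4 insists on trusting only the edge IP, here is an added example (not code from this guide, HAProxy, or nginx) that parses the PROXY protocol v2 header send-proxy-v2 puts in front of the TLS stream and honours it only from a trusted peer. The function names, the documentation-range addresses and the sample bytes are constructed for illustration.

```python
import ipaddress
import struct

SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # fixed 12-byte PROXY v2 signature
ADDR_LEN = {0x11: 4, 0x21: 16}           # TCP/IPv4 and TCP/IPv6 address sizes


def parse_proxy_v2(data, peer_ip, trusted_edges):
    """Return (client_ip, client_port, payload_offset) for a new connection.

    The header is unauthenticated bytes, so it is honoured only when the TCP
    peer is a trusted edge (what set_real_ip_from expresses in nginx).
    """
    if peer_ip not in trusted_edges:
        raise PermissionError(f"PROXY header from untrusted peer {peer_ip}")
    if len(data) < 16 or data[:12] != SIGNATURE:
        raise ValueError("missing PROXY v2 signature")
    ver_cmd, family, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("not PROXY protocol version 2")
    end = 16 + length                    # TLS bytes start here
    if len(data) < end:
        raise ValueError("truncated PROXY v2 header")
    command = ver_cmd & 0x0F
    if command == 0:                     # LOCAL: opened by the proxy itself
        return peer_ip, None, end
    if command != 1 or family not in ADDR_LEN:
        raise ValueError("unsupported command or address family")
    n = ADDR_LEN[family]
    if length < 2 * n + 4:
        raise ValueError("address block too short")
    src = ipaddress.ip_address(data[16:16 + n])
    src_port = struct.unpack("!H", data[16 + 2 * n:18 + 2 * n])[0]
    return str(src), src_port, end


def build_v2_ipv4(src, sport, dst, dport):
    """Build a constructed sample header, as an edge would prepend it."""
    body = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    body += struct.pack("!HH", sport, dport)
    return SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body


if __name__ == "__main__":
    # Constructed sample: documentation-range addresses, fake TLS record bytes.
    stream = build_v2_ipv4("203.0.113.7", 51234, "198.51.100.10", 443) + b"\x16\x03\x01"
    print(parse_proxy_v2(stream, "192.0.2.1", {"192.0.2.1"}))
```

The header carries no signature or secret, so the only thing separating a real client address from a forged one is which peers origin accepts it from.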
5) Locking origin Off From the Whole World (recommended)
On origin, allow inbound connections on 443 only from edge:
UFW (example)
sudo ufw allow from <EDGE_IP> to any port 443 proto tcp
sudo ufw deny 443/tcp
sudo ufw status verbose
6) (Optional) SNI routing: different origins on the same 443
If you need to route by domain (SNI) on edge, add TLS ClientHello inspection:
frontend ft_443
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend bk_site1 if { req.ssl_sni -i site1.example.com }
    use_backend bk_site2 if { req.ssl_sni -i site2.example.com }
    default_backend bk_origin_443
backend bk_site1
    mode tcp
    server s1 10.0.0.10:443 send-proxy-v2 check
backend bk_site2
    mode tcp
    server s2 10.0.0.11:443 send-proxy-v2 check
7) Logs and Debugging on edge
sudo journalctl -u haproxy -f
sudo tail -f /var/log/haproxy.log
8) Final Checklist
- HAProxy listens on *:443 on edge
- the backend points to ORIGIN_IP:443
- (optional) send-proxy-v2 is enabled
- origin understands proxy_protocol and trusts only the edge IP
- origin is firewalled off from the whole world, open only to edge
- the curl -vk https://EDGE/ check passes