The proxy server software mita needs to run on Linux. We provide both debian and RPM installers for installing mita on Debian / Ubuntu and Fedora / CentOS / Red Hat Enterprise Linux series distributions.
Before installation and configuration, connect to the server via SSH and then execute the following commands.
# Debian / Ubuntu - X86_64
curl -LSO https://github.com/enfein/mieru/releases/download/v3.11.1/mita_3.11.1_amd64.deb
# Debian / Ubuntu - ARM 64
curl -LSO https://github.com/enfein/mieru/releases/download/v3.11.1/mita_3.11.1_arm64.deb
# RedHat / CentOS / Rocky Linux - X86_64
curl -LSO https://github.com/enfein/mieru/releases/download/v3.11.1/mita-3.11.1-1.x86_64.rpm
# RedHat / CentOS / Rocky Linux - ARM 64
curl -LSO https://github.com/enfein/mieru/releases/download/v3.11.1/mita-3.11.1-1.aarch64.rpm
# Debian / Ubuntu - X86_64
sudo dpkg -i mita_3.11.1_amd64.deb
# Debian / Ubuntu - ARM 64
sudo dpkg -i mita_3.11.1_arm64.deb
# RedHat / CentOS / Rocky Linux - X86_64
sudo rpm -Uvh --force mita-3.11.1-1.x86_64.rpm
# RedHat / CentOS / Rocky Linux - ARM 64
sudo rpm -Uvh --force mita-3.11.1-1.aarch64.rpm
Those instructions can also be used to upgrade the version of mita software package.
sudo usermod -a -G mita $USER
# logout
exit
systemctl status mita
If the output contains active (running)
, it means that the mita daemon is already running. Normally, mita will start automatically after the server is booted.
mita status
If the installation is just completed, the output will be mita server status is "IDLE"
, indicating that mita has not yet listening to requests from the mieru client.
The mieru proxy supports two different transport protocols, TCP and UDP. To understand the differences between the protocols, please read mieru proxy protocols.
Users should call
mita apply config <FILE>
to modify the proxy server settings. <FILE>
is a JSON formatted configuration file. This configuration file does not need to specify the full proxy server settings. When you run command mita apply config <FILE>
, the contents of the file will be merged into any existing proxy server settings.
Below is an example of the server configuration file.
{
"portBindings": [
{
"portRange": "2012-2022",
"protocol": "TCP"
},
{
"port": 2027,
"protocol": "TCP"
}
],
"users": [
{
"name": "ducaiguozei",
"password": "xijinping"
},
{
"name": "meiyougongchandang",
"password": "caiyouxinzhongguo"
}
],
"loggingLevel": "INFO",
"mtu": 1400
}
- The
portBindings
->port
property is the TCP or UDP port number that mita listens on, specify a value from 1025 to 65535. If you want to listen to a range of consecutive port numbers, you can also use theportRange
property instead. Please make sure that the firewall allows communication using these ports. - The
portBindings
->protocol
property can be set toTCP
orUDP
. - Fill in the
users
->name
property with the user name. - Fill in the
users
->password
property with the user's password. - [Optional] The
mtu
property is the maximum transport layer payload size when using the UDP proxy protocol. The default value is 1400. The minimum value is 1280.
In addition to this, mita can listen to several different ports. We recommend using multiple ports in both server and client configurations.
You can also create multiple users if you want to share the proxy for others to use.
Assuming that on the server, the configuration file name is server_config.json
, call the command mita apply config server_config.json
to write the configuration after the file is modified.
If there is an error in the configuration, mita will print the problem that occurred. Follow the prompts to modify the configuration file and re-run the mita apply config <FILE>
command to write the configuration.
After that, invoke command
mita describe config
to check the current proxy settings.
Use command
mita start
to start proxy service. At this point, mita will start listening to the port number specified in the settings.
Then, use command
mita status
to check working status. If mita server status is "RUNNING"
is returned here, it means that the proxy service is running and can process client requests.
If you want to stop the proxy service, use command
mita stop
Note that each time you change the settings with mita apply config <FILE>
, you need to restart the service with mita stop
and mita start
for the new settings to take effect. An exception is, if you only change users
or loggingLevel
settings, you may run mita reload
to load the new settings, which will not disturb active connections between server and client.
After starting the proxy service, proceed to Client Installation & Configuration.
BBR is a congestion control algorithm that does not rely on packet loss. Under poor network conditions, network transmission using BBR is faster than traditional algorithms.
mieru's UDP transmission protocol already uses the BBR algorithm.
Under the project root directory, we provide a script tools/enable_tcp_bbr.py
, which allows users to enable BBR algorithm on TCP transmission protocol on Linux.
sudo ./tools/enable_tcp_bbr.py
That script can be used on both server side and client side.
The outbound proxy feature allows mieru to work with other proxy tools to form a proxy chain. An example of the network topology of a proxy chain is shown in the diagram below:
mieru client -> GFW -> mita server -> cloudflare proxy client -> cloudflare CDN -> target website
Through proxy chain, the target website sees the IP address of the cloudflare CDN, not the address of the mita server.
Below is an example to configure a proxy chain.
{
"egress": {
"proxies": [
{
"name": "cloudflare",
"protocol": "SOCKS5_PROXY_PROTOCOL",
"host": "127.0.0.1",
"port": 4000,
"socks5Authentication": {
"user": "shilishanlu",
"password": "buhuanjian"
}
}
],
"rules": [
{
"ipRanges": ["*"],
"domainNames": ["*"],
"action": "PROXY",
"proxyName": "cloudflare"
}
]
}
}
- In the
egress
->proxies
property, list the information of outbound proxy servers. The current version only supports socks5 outbound, so the value ofprotocol
must be set toSOCKS5_PROXY_PROTOCOL
. If the outbound proxy server requires socks5 username and password authentication, please fill in thesocks5Authentication
property. Otherwise, please remove thesocks5Authentication
property. - In the
egress
->rules
property, list outbound rules. The current version allows users to add up to one rule, and the values ofipRanges
,domainNames
, andaction
must be the same as the example above.proxyName
needs to point to a proxy that exists inegress
->proxies
property.
If you want to turn off the outbound proxy feature, simply set the egress
property to an empty value {}
.
Note that proxy chain is different from nested proxy. An example of the network topology of a nested proxy is shown in the diagram below:
Tor browser -> mieru client -> GFW -> mita server -> Tor network -> target website
For information on how to configure nested proxy on a Tor browser, please refer to the Security Guide.
When a proxy client requests a target website using a domain name instead of an IP address, the proxy server needs to initiate a DNS request. If the proxy server is in an IPv4 / IPv6 dual-stack network, you can adjust the DNS policy using the following configuration:
{
"dns": {
"dualStack": "USE_FIRST_IP"
}
}
The dns
-> dualStack
attribute supports the following values:
USE_FIRST_IP
: Always use the first IP address returned by the DNS server. This is the default policy.PREFER_IPv4
: Prefer to use the first IPv4 address returned by the DNS server. If there is no IPv4 address, use the first IPv6 address.PREFER_IPv6
: Prefer to use the first IPv6 address returned by the DNS server. If there is no IPv6 address, use the first IPv4 address.ONLY_IPv4
: Force to use the first IPv4 address returned by the DNS server. If there is no IPv4 address, the connection fails.ONLY_IPv6
: Force to use the first IPv6 address returned by the DNS server. If there is no IPv6 address, the connection fails.
We can use the users
-> quotas
property to limit the amount of traffic a user is allowed to use. For example, if you want user "ducaiguozei" to use no more than 1 GB of traffic within 1 day, and no more than 10 GB within 30 days, you can apply the following settings.
{
"portBindings": [
{
"portRange": "2012-2022",
"protocol": "TCP"
},
{
"port": 2027,
"protocol": "TCP"
}
],
"users": [
{
"name": "ducaiguozei",
"password": "xijinping",
"quotas": [
{
"days": 1,
"megabytes": 1024
},
{
"days": 30,
"megabytes": 10240
}
]
},
{
"name": "meiyougongchandang",
"password": "caiyouxinzhongguo"
}
],
"loggingLevel": "INFO",
"mtu": 1400
}
The client and proxy server software calculate the key based on the user name, password and system time. The server can decrypt and respond to the client's request only if the client and server have the same key. This requires that the system time of the client and the server must be in sync.
To ensure that the server system time is accurate, we recommend that users install the NTP network time service. In many Linux distributions, installing NTP is only one command.
# Debian / Ubuntu
sudo apt-get install ntp
# RedHat / CentOS / Rocky Linux
sudo dnf install ntp