@node Top
@top tofuproxy
-@image{logs,,,Example logs,.webp}
-
@itemize
@item I am tired that various HTTPS clients (like browsers and feed
kind of @url{https://en.wikipedia.org/wiki/Privoxy, Privoxy}, but it is
not friendly with TLS connections, obviously.
+@item Xombrero sometimes has problems with HTTP-based authorization.
+
@item Hardly anyone does
@url{https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities, DANE}
checks.
Why the hell people just do not send PostScript documents instead!?
@item And wonderful @url{http://jpegxl.info/, JPEG XL} image format is
-not supported by most browsers. Even pretty old WebP is not supported
-everywhere.
+not supported by most browsers. Even pretty old
+@url{https://developers.google.com/speed/webp, WebP}, that has highest
+compression ratio for lossless screenshots, is not supported everywhere.
+@url{https://aomediacodec.github.io/av1-avif/, AVIF} could be useful too.
+
+@item None of web browsers support ability to view web archives
+(@url{https://en.wikipedia.org/wiki/Web_ARChive, WARC}s). And most of
+WARC-related software is written on Python, that nowadays is close to be
+impossible to install and use with all its broken dependencies system.
+
+@item And yet another piece of software is needed for browsing the
+@url{https://en.wikipedia.org/wiki/Gemini_(protocol), geminispace}?
+Too many bicycles already!
@end itemize
@itemize
-@item Effective responses proxying, without storing them in the memory first.
-
-@item TLS connection between client and @command{tofuproxy} has the
- proper hostname set in ephemeral on-the-fly generated certificate.
-
-@item @code{HEAD} method is forbidden, because of damned Xombrero loving
- making it so much. Can live without it.
-
-@item @code{www.reddit.com} is redirected to @code{old.reddit.com}.
-
-@item Various spying domains (advertisement, tracking counters) are
- responded with 404 error.
-
-@item Web fonts downloads are replaced with 404 errors.
-
-@item All HTTP redirects are replaced with HTML page with the link.
- However temporary redirects are passed as is for @code{newsboat}
- User-Agent.
-
-@item WebP (except if User-Agent is Xombrero browser) and JPEG XL images
- are transparently transcoded to PNG.
-
-@item Default Go's checks are applied to all certificates. If they pass,
- then certificate chain is saved on the disk. Future connections are
- compared against it, warning you about SPKI change and waiting for
- your decision either to accept new chain (possibly once per
- session), or reject it.
-
-@item Even when native Go's checks are failed, you can still make a
- decision to forcefully trust the domain.
+@item
+@strong{Effective} responses proxying, without storing them in the memory first.
-@item Optionally DANE-EE check is also made for each domain you visit.
+@item
+TLS connection between client and @command{tofuproxy} has the
+@strong{proper hostname} set in ephemeral on-the-fly generated
+certificate.
-@end itemize
+@item
+@code{HEAD} method is forbidden.
-@image{dialog,,,Example dialog,.webp}
+@item
+@code{www.reddit.com} is redirected to @code{old.reddit.com}.
-@node Usage
-@unnumbered Usage
+@item
+@url{https://habr.com/ru/all/, Хабр}'s resolution reduced images are
+redirected to their full size variants.
-@itemize
+@item
+Various @strong{spying} domains (advertisement, tracking counters) are denied.
-@item Build @command{tofuproxy}:
+@item
+Web @strong{fonts} downloads are forbidden.
-@example
-$ git clone git://git.stargrave.org/tofuproxy.git
-$ cd tofuproxy
-$ go build
-@end example
+@item
+@strong{Permanent} HTTP redirects are replaced with HTML page with the link.
@item
-Generate CA-capable certificate for the proxy, that will issue ephemeral
-certificate to proxied domains:
+@strong{Temporary} HTTP redirects are replaced with HTML too, if it is
+neither @url{https://newsboat.org/, Newsboat} nor image paths.
-@example
-$ redo cert.pem
-@end example
+@item
+@strong{WebP} images (if it is not Xombrero), @strong{JPEG XL} and
+@strong{AVIF} are transcoded to PNG.
@item
-Create directory with output FIFOs and directory for stored certificate chains:
+Default Go's checks are applied to all certificates. If they pass, then
+certificate chain is saved on the disk (@strong{TOFU}). Future
+connections are compared against it, warning you about SPKI change
+(@strong{SPKI pinning}) and waiting for your decision either to accept
+new chain (possibly once per session), or reject it.
-@example
-$ ./mkfifos.sh
-$ mkdir certs
-@end example
+@item
+Even when native Go's checks are failed, you can still make a decision
+to forcefully trust the domain.
@item
-Run @command{tofuproxy} itself. By default it will bind to
-@code{[::1]:8080}, use @code{[::1]:53} DNS server for DANE requests
-(set to an empty string to disable DANE lookups):
+@strong{HTTP-based authorization} requests are intercepted and
+user/password input dialogue is shown. It automatically loads
+@strong{initial form} values from @strong{@file{.netrc}}.
-@example
-$ ./tofuproxy
-main.go:316: listening: [::1]:8080
-@end example
+@item
+TLS @strong{client certificates} supported: separate dialogue window for
+certificate choice.
-@item Trust your newly generated CA:
+@item
+Optional @strong{DANE-EE} check is also made for each domain you visit.
-@example
-# cat /path/to/tofuproxy/cert.pem >> /etc/ssl/cert.pem
-@end example
+@item
+TLS @strong{session resumption} and @strong{keep-alives} are also supported.
-@item Point you HTTP/HTTPS clients to @code{http://localhost:8080}.
+@item
+And Go itself tries also to act as a @url{https://http2.github.io/, HTTP/2}
+client too.
-@item Watch logs with @url{https://github.com/halturin/multitail, multitail}:
+@item
+Ability to load and browse @url{https://en.wikipedia.org/wiki/Web_ARChive,
+WARC} archives, possibly @command{gzip}/@command{zstd} compressed.
-@example
-$ ./multitail.sh
-@end example
+@item
+Ability to browse geminispace, by transparent conversion to HTMLs with
+URL rewriting.
@end itemize
-When you encounter something requiring your attention and decision, you
-will be shown Tk-dialog through the @command{wish} invocation. GnuTLS'es
-@command{certtool} is used for certificate information printing.
-
-@node TODO
-@unnumbered TODO
-
-What I am planning possibly to do? Just brainstorming:
-
-@itemize
-
-@item HTTP authorization dialog.
-
-@item TLS client certificates usage capability.
-
-@end itemize
+@include usage.texi