X-Git-Url: http://www.git.stargrave.org/?a=blobdiff_plain;f=doc%2Findex.texi;h=5839a6b3f11e99759e98a25cab17d32b198f97e5;hb=4473383b88399bbc5433a9292847d954087c8d61;hp=1989a452a62de028f532d52490e70bcee8706bef;hpb=f62068a89b1c2bc079491913dfb44689e9a018a0;p=tofuproxy.git diff --git a/doc/index.texi b/doc/index.texi index 1989a45..5839a6b 100644 --- a/doc/index.texi +++ b/doc/index.texi @@ -9,15 +9,13 @@ Copyright @copyright{} 2021 @email{stargrave@@stargrave.org, Sergey Matveev} @node Top @top tofuproxy -@image{logs,,,Example logs,.webp} - @itemize @item I am tired that various HTTPS clients (like browsers and feed aggregators) use various TLS libraries with different features. NSS, GnuTLS, OpenSSL... All of them sucks, comparing to Go's @code{crypto/tls}. -@item I am tired that everyone provides very limited certificates trust +@item I tired that everyone provides very limited certificates trust management capabilities, like either certificate or SPKI @url{https://en.wikipedia.org/wiki/Certificate_pinning, pinning} with @url{https://en.wikipedia.org/wiki/Trust_on_first_use, TOFU}. Even my 
@@ -28,18 +26,26 @@ more sufficient and convenient to work with. @item I am tired that many clients provides very few information about certificates and connections at all. -@item I am tired that hardly anyone can control (no automatic silent +@item I hate that hardly anyone can control (no automatic silent transparent following) HTTP redirections. Although Firefox had proper extensions for that. -@item I am tired that you have got small control on URLs. The best you -can is to use some kind of @url{https://en.wikipedia.org/wiki/Privoxy, -Privoxy}, but it is not friendly with TLS connections, obviously. +@item I am sick of tiny control on URLs. The best you can is to use some +kind of @url{https://en.wikipedia.org/wiki/Privoxy, Privoxy}, but it is +not friendly with TLS connections, obviously. @item Hardly anyone does @url{https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities, DANE} checks. +@item And there is insanity of downloading fonts. +Why the hell people just do not send PostScript documents instead!? + +@item And wonderful @url{http://jpegxl.info/, JPEG XL} image format is +not supported by most browsers. Even pretty old +@url{https://developers.google.com/speed/webp, WebP} is not supported +everywhere. + @end itemize That is why I wrote @command{tofuproxy} -- pure Go HTTP proxy, MitMing 
@@ -54,17 +60,25 @@ creating some kind of complex configuration framework. @item TLS connection between client and @command{tofuproxy} has the proper hostname set in ephemeral on-the-fly generated certificate. -@item @code{HEAD} method is forbidden, because of damned Xombrero loving - making it so much. Can live without it. +@item @code{HEAD} method for Xombrero is forbidden, as it loves it too much. @item @code{www.reddit.com} is redirected to @code{old.reddit.com}. -@item Various spying domains (advertisement, tracking counters) are - responded with 404 error. +@item @url{https://habr.com/ru/all/, Хабр}'s resolution reduced images + are redirected to their full size variants. + +@item Various spying domains (advertisement, tracking counters) are denied. + +@item Web fonts downloads are forbidden. + +@item Permanent HTTP redirects are replaced with HTML page with the link. + +@item Temporary HTTP redirects are replaced with HTML too, if it is + neither @url{https://newsboat.org/, Newsboat} nor image paths. -@item All HTTP redirects are replaced with HTML page with the link. - However temporary redirects are passed as is for @code{newsboat} - User-Agent. +@item WebP images, if it is not Xombrero, is transcoded to PNG. + +@item JPEG XL images are transparently transcoded to PNG too. @item Default Go's checks are applied to all certificates. If they pass, then certificate chain is saved on the disk. Future connections are 
@@ -77,68 +91,14 @@ creating some kind of complex configuration framework. @item Optionally DANE-EE check is also made for each domain you visit. -@end itemize - -@image{dialog,,,Example dialog,.webp} - -@node Usage -@unnumbered Usage - -@itemize - -@item Build @command{tofuproxy}: +@item TLS session resumption and keep-alives are also supported. -@example -$ git clone git://git.stargrave.org/tofuproxy.git -$ cd tofuproxy -$ go build -@end example - -@item -Generate CA-capable certificate for the proxy, that will issue ephemeral -certificate to proxied domains: - -@example -$ redo cert.pem -@end example - -@item -Create directory with output FIFOs and directory for stored certificate chains: - -@example -$ ./mkfifos.sh -$ mkdir certs -@end example - -@item -Run @command{tofuproxy} itself. By default it will bind to -@code{[::1]:8080}, use @code{[::1]:53} DNS server for DANE requests -(set to an empty string to disable DANE lookups): - -@example -$ ./tofuproxy -main.go:316: listening: [::1]:8080 -@end example - -@item Trust your newly generated CA: - -@example -# cat /path/to/tofuproxy/cert.pem >> /etc/ssl/cert.pem -@end example - -@item Point you HTTP/HTTPS clients to @code{http://localhost:8080}. - -@item Watch logs with @url{https://github.com/halturin/multitail, multitail}: - -@example -$ ./multitail.sh -@end example +@item And Go itself tries also to act as a +@url{https://http2.github.io/, HTTP/2} client too. @end itemize -When you encounter something requiring your attention and decision, you -will be shown Tk-dialog through the @command{wish} invocation. GnuTLS'es -@command{certtool} is used for certificate information printing. +@include usage.texi @node TODO @unnumbered TODO @@ -147,12 +107,8 @@ What I am planning possibly to do? Just brainstorming: @itemize -@item JPEG-XL/WebP transparent converter to JPEG/PNG. - @item HTTP authorization dialog. @item TLS client certificates usage capability. -@item Web fonts download restriction. - @end itemize
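Review bot: in the first hunk (@@ -9,15 +9,13 @@), the rewritten bullet `+@item I tired that everyone provides very limited certificates trust` drops the verb and should read `@item I am tired that everyone provides very limited certificates trust`, which is exactly the wording the hunk removes. Since the hunk also removes `@image{logs,,,Example logs,.webp}`, make sure the now-unreferenced logs.webp asset is dropped from doc/ in the same commit, or kept deliberately if another page still references it.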
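Review bot: in the second hunk (@@ -28,18 +26,26 @@), the new link `+@item And wonderful @url{http://jpegxl.info/, JPEG XL} image format is` is a plain-http URL in a document whose whole point is careful TLS handling; prefer `https://jpegxl.info/` if the site serves it. Two wording fixes while these lines are being touched: `The best you can is to use some` needs `can do`, and `there is insanity of downloading fonts` reads better as `there is the insanity of`.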
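Review bot: in the third hunk (@@ -54,17 +60,25 @@), the rewritten redirect bullet loses the detail of what is matched: the removed text said temporary redirects are passed as-is `for @code{newsboat} User-Agent`, but `+@item Temporary HTTP redirects are replaced with HTML too, if it is` / `+  neither @url{https://newsboat.org/, Newsboat} nor image paths.` no longer says that Newsboat is recognised by User-Agent and images by request path; spell that out. The same applies to the HEAD and WebP bullets, which now say `for Xombrero` / `if it is not Xombrero` without saying how Xombrero is detected, and the HEAD bullet narrows the documented behaviour from "forbidden" to "forbidden for Xombrero", which should match what the proxy actually does. `Various spying domains (advertisement, tracking counters) are denied.` replaces the concrete `responded with 404 error`; keep the status code so users know what a blocked request looks like. Grammar: `WebP images, if it is not Xombrero, is transcoded to PNG.` should be `are transcoded`.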
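Review bot: in the fourth hunk (@@ -77,68 +91,14 @@), the Usage section is replaced by `+@include usage.texi`, but this diff only touches doc/index.texi, so verify that doc/usage.texi is part of the same commit and that it carries over the `@node Usage` / `@unnumbered Usage` declarations, the `@image{dialog,,,Example dialog,.webp}` reference and the Tk dialog / certtool note removed here; otherwise the Usage node disappears and makeinfo fails on the unresolved include. Minor: `+@item And Go itself tries also to act as a` / `+@url{https://http2.github.io/, HTTP/2} client too.` doubles up "also" and "too"; drop one.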