2 @documentencoding UTF-8
6 Copyright @copyright{} 2021 @email{stargrave@@stargrave.org, Sergey Matveev}
12 @image{logs,,,Example logs,.webp}
16 @item I am tired that various HTTPS clients (like browsers and feed
17 aggregators) use various TLS libraries with different features. NSS,
18 GnuTLS, OpenSSL... All of them sucks, comparing to Go's @code{crypto/tls}.
20 @item I am tired that everyone provides very limited certificates trust
21 management capabilities, like either certificate or SPKI
22 @url{https://en.wikipedia.org/wiki/Certificate_pinning, pinning} with
23 @url{https://en.wikipedia.org/wiki/Trust_on_first_use, TOFU}. Even my
24 beloved @url{https://en.wikipedia.org/wiki/Xombrero, Xombrero} browser
25 still pins only the whole certificate, but its public key would be much
26 more sufficient and convenient to work with.
28 @item I am tired that many clients provides very few information about
29 certificates and connections at all.
31 @item I am tired that hardly anyone can control (no automatic silent
32 transparent following) HTTP redirections. Although Firefox had proper
35 @item I am tired that you have got small control on URLs. The best you
36 can is to use some kind of @url{https://en.wikipedia.org/wiki/Privoxy,
37 Privoxy}, but it is not friendly with TLS connections, obviously.
39 @item Hardly anyone does
40 @url{https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities, DANE}
43 @item And there is insanity of downloading fonts.
44 Why the hell people just do not send PostScript documents instead!?
48 That is why I wrote @command{tofuproxy} -- pure Go HTTP proxy, MitMing
49 all HTTPS connections on the fly. It is written for my personal needs
50 exclusively, so many features are just directly hard-coded, instead of
51 creating some kind of complex configuration framework.
55 @item Effective responses proxying, without storing them in the memory first.
57 @item TLS connection between client and @command{tofuproxy} has the
58 proper hostname set in ephemeral on-the-fly generated certificate.
60 @item @code{HEAD} method is forbidden, because of damned Xombrero loving
61 making it so much. Can live without it.
63 @item @code{www.reddit.com} is redirected to @code{old.reddit.com}.
65 @item Various spying domains (advertisement, tracking counters) are
66 responded with 404 error.
68 @item All HTTP redirects are replaced with HTML page with the link.
69 However temporary redirects are passed as is for @code{newsboat}
72 @item Default Go's checks are applied to all certificates. If they pass,
73 then certificate chain is saved on the disk. Future connections are
74 compared against it, warning you about SPKI change and waiting for
75 your decision either to accept new chain (possibly once per
76 session), or reject it.
78 @item Even when native Go's checks are failed, you can still make a
79 decision to forcefully trust the domain.
81 @item Optionally DANE-EE check is also made for each domain you visit.
85 @image{dialog,,,Example dialog,.webp}
92 @item Build @command{tofuproxy}:
95 $ git clone git://git.stargrave.org/tofuproxy.git
101 Generate CA-capable certificate for the proxy, that will issue ephemeral
102 certificate to proxied domains:
109 Create directory with output FIFOs and directory for stored certificate chains:
117 Run @command{tofuproxy} itself. By default it will bind to
118 @code{[::1]:8080}, use @code{[::1]:53} DNS server for DANE requests
119 (set to an empty string to disable DANE lookups):
123 main.go:316: listening: [::1]:8080
126 @item Trust your newly generated CA:
129 # cat /path/to/tofuproxy/cert.pem >> /etc/ssl/cert.pem
132 @item Point you HTTP/HTTPS clients to @code{http://localhost:8080}.
134 @item Watch logs with @url{https://github.com/halturin/multitail, multitail}:
142 When you encounter something requiring your attention and decision, you
143 will be shown Tk-dialog through the @command{wish} invocation. GnuTLS'es
144 @command{certtool} is used for certificate information printing.
149 What I am planning possibly to do? Just brainstorming:
153 @item JPEG-XL/WebP transparent converter to JPEG/PNG.
155 @item HTTP authorization dialog.
157 @item TLS client certificates usage capability.