\input texinfo
@documentencoding UTF-8
@settitle tofuproxy

@copying
Copyright @copyright{} 2021 @email{stargrave@@stargrave.org, Sergey Matveev}
@end copying

@node Top
@top tofuproxy

@itemize

@item
I am tired that various HTTPS clients (like browsers and feed aggregators)
use various TLS libraries with different features. NSS, GnuTLS, OpenSSL...
All of them suck compared to Go's @code{crypto/tls}.

@item
I am tired that everyone provides very limited certificate trust management
capabilities: at best, either whole-certificate or SPKI
@url{https://en.wikipedia.org/wiki/Certificate_pinning, pinning} with
@url{https://en.wikipedia.org/wiki/Trust_on_first_use, TOFU}.
Even my beloved @url{https://en.wikipedia.org/wiki/Xombrero, Xombrero}
browser still pins only the whole certificate, although its public key
would be both sufficient and much more convenient to work with: a pin on
the key survives a certificate renewal that keeps the key.

@item
I am tired that many clients provide very little information about
certificates and connections at all.

@item
I hate that hardly any client lets you control HTTP redirections instead
of following them automatically, silently and transparently. Firefox,
though, did have proper extensions for that.

@item
I am sick of having so little control over URLs. The best you can do is
something like @url{https://en.wikipedia.org/wiki/Privoxy, Privoxy},
which obviously does not play well with TLS connections.

@item
Xombrero sometimes has problems with HTTP-based authorization.

@item
Hardly anyone does
@url{https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities, DANE}
checks.

@item
And there is the insanity of downloading fonts. Why the hell do people not
just send PostScript documents instead!?

@item
And the wonderful @url{http://jpegxl.info/, JPEG XL} image format is not
supported by most browsers. Even the pretty old
@url{https://developers.google.com/speed/webp, WebP} is not supported
everywhere. @url{https://aomediacodec.github.io/av1-avif/, AVIF} would be
useful too.
@end itemize

That is why I wrote @command{tofuproxy}: a pure Go HTTP proxy that MitMs
all HTTPS connections on the fly. It is written exclusively for my personal
needs, so many features are simply hard-coded instead of being exposed
through some kind of complex configuration framework.

@itemize

@item
@strong{Efficient} response proxying: bodies are streamed through without
being stored in memory first.

@item
The TLS connection between the client and @command{tofuproxy} uses an
ephemeral, on-the-fly generated certificate carrying the @strong{proper
hostname}.

@item
The @code{HEAD} method is forbidden.

@item
@code{www.reddit.com} is redirected to @code{old.reddit.com}.

@item
@url{https://habr.com/ru/all/, Хабр}'s downscaled images are redirected to
their full-size variants.

@item
Various @strong{spying} domains (advertisement, tracking counters) are
denied.

@item
Web @strong{font} downloads are forbidden.

@item
@strong{Permanent} HTTP @strong{redirects} are replaced with an HTML page
containing the link.

@item
@strong{Temporary} HTTP @strong{redirects} are replaced with HTML too,
unless the client is @url{https://newsboat.org/, Newsboat} or the path
points to an image.

@item
@strong{WebP} images are transcoded to PNG, unless the client is Xombrero.

@item
@strong{JPEG XL} and @strong{AVIF} images are transparently transcoded to
PNG too.

@item
Go's default checks are applied to every certificate chain. If they pass,
the chain is saved on disk (@strong{TOFU}). Later connections are compared
against it: a change of the SPKI is reported (@strong{SPKI pinning}) and
the proxy waits for your decision to either accept the new chain (possibly
just for the current session) or reject it.

@item
Even when Go's native checks fail, you can still decide to forcibly trust
the domain.

@item
@strong{HTTP-based authorization} requests are intercepted and a
user/password input dialogue is shown. Its @strong{initial form} values
are loaded automatically from @strong{@file{.netrc}}.
@item
TLS @strong{client certificates} are supported, with a separate dialogue
window for choosing the certificate.

@item
An optional @strong{DANE-EE} check is also made for each domain you visit.

@item
TLS @strong{session resumption} and @strong{keep-alives} are also
supported.

@item
And Go itself also tries to act as an @url{https://http2.github.io/, HTTP/2}
client.

@end itemize

@include usage.texi
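The TOFU and SPKI-pinning behaviour described in the feature list above, as an added Go example. This is not @command{tofuproxy}'s own code: the in-memory map standing in for its on-disk chain store, the verdict strings and the host name @code{example.com} are assumptions of the example (the real store layout is not described here). It issues self-signed throwaway certificates in place of an upstream server, pins base64(SHA-256(SubjectPublicKeyInfo)) and shows why that beats pinning the whole certificate: a renewal that keeps the key passes silently, while a key rotation is reported and the stored pin is left untouched until the user accepts it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// check panics on error: every key and certificate below is throwaway test fixture
// standing in for an upstream HTTPS server, so there is no caller to hand an error to.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// selfSigned issues a fresh self-signed server certificate for host with the given key.
// Calling it twice with the same key models a renewal: new serial and validity, same SPKI.
func selfSigned(host string, key *ecdsa.PrivateKey) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c
}

// spkiPin is base64(SHA-256(SubjectPublicKeyInfo)), the pin form HPKP used. It survives a
// renewal that keeps the key, which is why pinning the SPKI beats pinning the whole certificate.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

const firstUse, pinMatch, pinChanged = "first use: pin recorded", "match", "SPKI changed: ask the user"

// tofuStore is an in-memory stand-in for tofuproxy's per-host on-disk store (assumption: the real
// layout is not described on this page). decide records the pin on first contact, accepts
// silently while the key is unchanged and otherwise reports a change without touching the stored
// pin; only accept overwrites it, which is where the user's dialogue answer would land.
type tofuStore map[string]string

func (s tofuStore) decide(host string, leaf *x509.Certificate) string {
	pin := spkiPin(leaf)
	old, seen := s[host]
	switch {
	case !seen:
		s[host] = pin
		return firstUse
	case old == pin:
		return pinMatch
	}
	return pinChanged
}

func (s tofuStore) accept(host string, leaf *x509.Certificate) { s[host] = spkiPin(leaf) }

// scenario returns the verdicts for four connections to host: first contact, a renewed
// certificate with the same key, a certificate with a rotated key, and that rotated key again
// after the user accepted it.
func scenario(host string) []string {
	serverKey := genKey()
	first := selfSigned(host, serverKey)
	renewed := selfSigned(host, serverKey) // same key: new serial and validity, same pin
	rotated := selfSigned(host, genKey())  // new key: the pin changes
	store := tofuStore{}
	out := []string{store.decide(host, first), store.decide(host, renewed), store.decide(host, rotated)}
	store.accept(host, rotated)
	return append(out, store.decide(host, rotated))
}

func main() { fmt.Println(scenario("example.com")) }
```

Run it with @command{go run}; it prints the four verdicts in order. In a proxy the @code{pinChanged} verdict is where the accept/reject dialogue belongs, and Go's default checks (@code{x509.Certificate.Verify}) would run before @code{decide}; for these self-signed fixtures they would fail, which is exactly the case the list above covers with the option of forcibly trusting the domain.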