\input texinfo
@settitle tofuproxy

@copying
Copyright @copyright{} 2021-2024 @email{stargrave@@stargrave.org, Sergey Matveev}
@end copying

@node Top
@top tofuproxy

@command{tofuproxy} is @url{https://www.gnu.org/philosophy/free-sw.html, free software}:
a flexible HTTP/HTTPS proxy server, TLS terminator, X.509 TOFU manager,
@url{https://en.wikipedia.org/wiki/Web_ARChive, WARC} and
@url{https://en.wikipedia.org/wiki/Gemini_(protocol), geminispace} browser,
written in @url{https://go.dev/, Go}, with the following capabilities:

@itemize

@item
Full TLS connection termination between Web-servers and @command{tofuproxy}
itself. TLS 1.3, session resumption and GOST cryptography (if built with
@url{http://www.gostls13.cypherpunks.ru/, gostls13}) are supported. The
connection between @command{tofuproxy} and the browser uses ephemeral,
on-the-fly generated certificates with the proper domain name.

@item
@url{https://http2.github.io/, HTTP/2} (if negotiated with ALPN) and HTTP
keep-alives are supported.

@item
Go's default @code{crypto/x509} checks are applied to all certificates. If
they pass, the certificate chain is saved on disk (TOFU, trust-on-first-use).
Future connections are compared against it, warning you about an SPKI change
(SPKI pinning) and waiting for your decision either to accept the new chain
(possibly once per session) or to reject it. Even if Go's native checks fail
(for example, the domain still does not use the @code{SubjectAltName}
extension), you can still decide to forcefully trust the domain.

@item
CAs can be restricted to the domains they are allowed to serve.

@item
Optional @url{https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities, DANE-EE} check.

@item
TLS client certificates are supported too.

@item
HTTP-based authorization requests are intercepted and a user/password input
dialogue is shown. It automatically loads initial form values from
@file{.netrc}.

@item
Permanent HTTP redirects are replaced with a non-refreshing HTML page
containing the link, so that you explicitly allow that step. Temporary
redirects are followed unless the user-agent is
@url{https://newsboat.org/, Newsboat} or
@url{https://www.feeder.stargrave.org/, go.stargrave.org/feeder}, and not
for image paths.

@item
JPEG XL, AVIF and WebP images are transparently transcoded to PNG and given
back to the browser, so it does not need to support modern efficient image
formats.

@item
Ability to load, index and browse WARC web archives, possibly multi-segment
or frame-compressed with @command{gzip}/@command{zstd}.

@item
Ability to browse geminispace, transparently converting gemfiles to HTML with
URL rewriting.

@end itemize

And additional personal preferences:

@itemize

@item
Various spying domains (advertisement, tracking counters) are denied.

@item
@code{www.reddit.com} is redirected to @code{old.reddit.com} (because it works
without JavaScript and looks nicer).

@item
@url{https://habr.com/ru/all/, Хабр}'s reduced-resolution images are
redirected to their full-size variants.

@item
Web font downloads are forbidden.

@end itemize

@insertcopying

@include why.texi
@include install.texi
@include usage.texi
@include spies.texi
@include certs.texi
@include tlsauth.texi
@include restricted.texi
@include httpauth.texi
@include warcs.texi
@include gemini.texi
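The TOFU and SPKI-pinning decision described in the capabilities list above, as an added Go example that is not @command{tofuproxy}'s own code: it pins the SHA-256 of the leaf's SubjectPublicKeyInfo per host, so a same-key certificate renewal still matches, while a key change is reported and never silently overwrites the stored pin until the user accepts it. The @code{TOFUStore}, @code{Check}, @code{Accept}, @code{NewKey} and @code{MakeCert} names, the in-memory store and the constructed self-signed certificates are assumptions for illustration; the on-disk chain storage and the preceding @code{crypto/x509} verification step are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"math/big"
	"time"
)
type Verdict int // outcome of comparing a presented leaf with the stored pin
const (
	FirstUse Verdict = iota // no pin yet: trust on first use and save it
	Match                   // same SubjectPublicKeyInfo as before (renewals pass)
	Mismatch                // key changed: stop and ask the user
)

// SPKIPin hashes the DER SubjectPublicKeyInfo, so same-key renewals keep matching.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// TOFUStore maps host -> pin (in-memory stand-in for the on-disk store).
type TOFUStore struct{ pins map[string]string }
func NewTOFUStore() *TOFUStore { return &TOFUStore{pins: map[string]string{}} }
// Check pins on first use and never overwrites on mismatch; Accept records a user-approved key.
func (s *TOFUStore) Check(host string, leaf *x509.Certificate) Verdict {
	pin := SPKIPin(leaf)
	if stored, ok := s.pins[host]; ok {
		if stored == pin {
			return Match
		}
		return Mismatch
	}
	s.pins[host] = pin
	return FirstUse
}
func (s *TOFUStore) Accept(host string, leaf *x509.Certificate) { s.pins[host] = SPKIPin(leaf) }
// NewKey/MakeCert build constructed self-signed test certs; one key yields one SPKI pin.
func NewKey() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }
func MakeCert(host string, key ed25519.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), DNSNames: []string{host},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```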