\input texinfo
@documentencoding UTF-8
@settitle tofuproxy

@copying
Copyright @copyright{} 2021 @email{stargrave@@stargrave.org, Sergey Matveev}
@end copying

@node Top
@top tofuproxy

@image{logs,,,Example logs,.webp}

@itemize

@item
I am tired that various HTTPS clients (like browsers and feed aggregators)
use various TLS libraries with different features. NSS, GnuTLS, OpenSSL...
All of them suck compared to Go's @code{crypto/tls}.

@item
I am tired that everyone provides very limited certificate trust management
capabilities, like either certificate or SPKI
@url{https://en.wikipedia.org/wiki/Certificate_pinning, pinning} with
@url{https://en.wikipedia.org/wiki/Trust_on_first_use, TOFU}. Even my beloved
@url{https://en.wikipedia.org/wiki/Xombrero, Xombrero} browser still pins only
the whole certificate, but pinning its public key would be sufficient and
much more convenient to work with.

@item
I am tired that many clients provide very little information about
certificates and connections at all.

@item
I hate that hardly anyone lets you control HTTP redirections (no automatic,
silent, transparent following). Firefox, though, had proper extensions for
that.

@item
I am sick of how little control over URLs there is. The best you can do is
to use some kind of @url{https://en.wikipedia.org/wiki/Privoxy, Privoxy},
but it is obviously not friendly with TLS connections.

@item
Hardly anyone does
@url{https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities, DANE}
checks.

@item
And there is the insanity of downloading fonts. Why the hell do people not
just send PostScript documents instead!?

@item
And the wonderful @url{http://jpegxl.info/, JPEG XL} image format is not
supported by most browsers. Even the pretty old WebP is not supported
everywhere.

@end itemize

That is why I wrote @command{tofuproxy}: a pure Go HTTP proxy that MitMs
all HTTPS connections on the fly.
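What "MitMing all HTTPS connections on the fly" involves on the client-facing side, as an added illustration and not tofuproxy's own code: the proxy holds a CA-capable certificate that its clients trust, and for every connection it mints an ephemeral leaf certificate carrying the hostname the client asked for, signed by that CA, so the client's own verifier is satisfied. Everything below is the example's own: @code{ProxyCA}, @code{NewProxyCA}, @code{IssueLeaf} and @code{VerifyAs} are assumed names, the CA is generated in memory instead of being read from @file{cert.pem}, and the validity periods are arbitrary.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ProxyCA stands in for cert.pem: a CA whose key signs one ephemeral leaf per host.
type ProxyCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewProxyCA creates a self-signed, CA-capable certificate valid for one day.
func NewProxyCA() (*ProxyCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "tofuproxy example CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ProxyCA{Cert: cert, Key: key}, nil
}

// IssueLeaf mints an ephemeral certificate for host, signed by the CA. The
// name goes into the Subject Alternative Name: Go's verifier and modern
// browsers check SAN, not CommonName (an IP literal would need IPAddresses).
// The serial is random so two leaves for the same host never share one.
func (ca *ProxyCA) IssueLeaf(host string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	if host == "" {
		return nil, nil, fmt.Errorf("client sent no SNI: no hostname to put in the leaf")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return leaf, key, nil
}

// VerifyAs does what a client trusting the proxy CA does: chain to it and check the name.
func VerifyAs(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, err := NewProxyCA()
	if err != nil {
		panic(err)
	}
	leaf, _, err := ca.IssueLeaf("www.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println(VerifyAs(leaf, ca.Cert, "www.example.com"), VerifyAs(leaf, ca.Cert, "evil.example.com"))
}
```

In a real proxy @code{IssueLeaf} would sit behind @code{tls.Config.GetCertificate}, taking the SNI from @code{ClientHelloInfo.ServerName} as the host and caching leaves per hostname rather than generating a key pair per connection. The first verification returns @code{nil}; the second fails with Go's hostname mismatch error, which is the same check a browser applies to the proxy's ephemeral certificate, and is why the proxy must put the proper hostname into it.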
It is written for my personal needs exclusively, so many features are just
directly hard-coded, instead of creating some kind of complex configuration
framework.

@itemize

@item
Efficient response proxying, without storing responses in memory first.

@item
The TLS connection between the client and @command{tofuproxy} uses an
ephemeral, on-the-fly generated certificate with the proper hostname set.

@item
The @code{HEAD} method is forbidden, because damned Xombrero loves making
it so much. I can live without it.

@item
@code{www.reddit.com} is redirected to @code{old.reddit.com}.

@item
Various spying domains (advertisement, tracking counters) are answered with
a 404 error.

@item
Web font downloads are replaced with 404 errors.

@item
All HTTP redirects are replaced with an HTML page containing the link.
However, temporary redirects are passed as is for the @code{newsboat}
User-Agent.

@item
WebP (except when the User-Agent is the Xombrero browser) and JPEG XL images
are transparently transcoded to PNG.

@item
Go's default checks are applied to all certificates. If they pass, the
certificate chain is saved on disk. Future connections are compared against
it, warning you about an SPKI change and waiting for your decision either to
accept the new chain (possibly once per session) or to reject it.

@item
Even when Go's native checks fail, you can still decide to forcefully trust
the domain.

@item
Optionally a DANE-EE check is also made for each domain you visit.

@end itemize

@image{dialog,,,Example dialog,.webp}

@node Usage
@unnumbered Usage

@itemize

@item
Build @command{tofuproxy}:

@example
$ git clone git://git.stargrave.org/tofuproxy.git
$ cd tofuproxy
$ go build
@end example

@item
Generate a CA-capable certificate for the proxy, which will issue ephemeral
certificates for proxied domains:

@example
$ redo cert.pem
@end example

@item
Create the directory with output FIFOs and the directory for stored
certificate chains:

@example
$ ./mkfifos.sh
$ mkdir certs
@end example

@item
Run @command{tofuproxy} itself.
By default it will bind to @code{[::1]:8080} and use the @code{[::1]:53} DNS
server for DANE requests (set it to an empty string to disable DANE lookups):

@example
$ ./tofuproxy
main.go:316: listening: [::1]:8080
@end example

@item
Trust your newly generated CA. Anyone holding the private key of this
certificate can impersonate any HTTPS site to every client that trusts it,
so keep the key readable by your own user only:

@example
# cat /path/to/tofuproxy/cert.pem >> /etc/ssl/cert.pem
@end example

@item
Point your HTTP/HTTPS clients to @code{http://localhost:8080}.

@item
Watch logs with @url{https://github.com/halturin/multitail, multitail}:

@example
$ ./multitail.sh
@end example

@end itemize

When you encounter something requiring your attention and decision, you will
be shown a Tk dialog through a @command{wish} invocation. GnuTLS's
@command{certtool} is used for printing certificate information.

@node TODO
@unnumbered TODO

What am I possibly planning to do? Just brainstorming:

@itemize
@item HTTP authorization dialog.
@item TLS client certificates usage capability.
@end itemize
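The certificate handling from the feature list, as an added example that is not tofuproxy's code: what the @file{certs} directory is compared on is the SPKI (the SubjectPublicKeyInfo), and the SHA-256 of that same DER is exactly what a DANE-EE record (TLSA usage 3, selector 1, matching type 1) carries, so one digest serves both the TOFU comparison and the DANE-EE check. Simplifications and assumptions: the store keeps only a hex SPKI hash per host instead of the whole chain tofuproxy saves, the server keys are generated in place, the TLSA record is constructed inline instead of being fetched from DNS, and @code{PinStore}, @code{Decision} and @code{MatchTLSA} are the example's own names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// SPKIHash is the hex SHA-256 of a DER SubjectPublicKeyInfo (for a parsed
// certificate that is cert.RawSubjectPublicKeyInfo). It survives renewals that keep the key.
func SPKIHash(spkiDER []byte) string {
	sum := sha256.Sum256(spkiDER)
	return hex.EncodeToString(sum[:])
}

type Decision int // what the caller (the Tk dialog in tofuproxy) acts on
const (
	FirstUse Decision = iota // nothing pinned yet: pin silently (the TOFU step)
	Match                    // presented key equals the pinned one
	Changed                  // key differs: warn and ask; the pin is not overwritten
)

type PinStore struct{ Dir string } // one file per host under Dir (the "certs" directory)

// path refuses hostnames that could escape Dir: SNI is attacker-controlled input.
func (s PinStore) path(host string) (string, error) {
	if host == "" || host == "." || host == ".." || strings.ContainsAny(host, "/\\") {
		return "", fmt.Errorf("refusing to use %q as a pin file name", host)
	}
	return filepath.Join(s.Dir, host), nil
}

// Check compares the presented SPKI hash with the one pinned for host.
func (s PinStore) Check(host, spki string) (Decision, error) {
	p, err := s.path(host)
	if err != nil {
		return Changed, err
	}
	old, err := os.ReadFile(p)
	switch {
	case os.IsNotExist(err):
		return FirstUse, s.Accept(host, spki)
	case err != nil:
		return Changed, err
	case strings.TrimSpace(string(old)) == spki:
		return Match, nil
	}
	return Changed, nil
}

// Accept records the user's decision to trust a (new) key for host.
func (s PinStore) Accept(host, spki string) error {
	p, err := s.path(host)
	if err != nil {
		return err
	}
	return os.WriteFile(p, []byte(spki+"\n"), 0o600)
}

// MatchTLSA checks DANE-EE rdata against the presented key. Only "3 1 1" (end-entity,
// SPKI, SHA-256) is handled; anything else is an error, never a silent pass.
func MatchTLSA(rdata, spki string) (bool, error) {
	f := strings.Fields(rdata)
	if len(f) < 4 {
		return false, fmt.Errorf("malformed TLSA rdata %q", rdata)
	}
	if f[0] != "3" || f[1] != "1" || f[2] != "1" {
		return false, fmt.Errorf("unsupported TLSA parameters %s %s %s", f[0], f[1], f[2])
	}
	// Presentation format may split the hex with spaces; case is irrelevant.
	return strings.EqualFold(strings.Join(f[3:], ""), spki), nil
}

func main() {
	if err := os.MkdirAll("certs", 0o700); err != nil { // the "mkdir certs" step
		panic(err)
	}
	store := PinStore{Dir: "certs"}
	var spki [2]string // hashes of two fresh keys: the pinned one and a rotated one
	for i := range spki {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		der, _ := x509.MarshalPKIXPublicKey(&k.PublicKey) // cannot fail for an ECDSA key
		spki[i] = SPKIHash(der)
	}
	d1, _ := store.Check("www.example.com", spki[0]) // FirstUse: pinned now
	d2, _ := store.Check("www.example.com", spki[0]) // Match: a renewal that kept the key
	d3, _ := store.Check("www.example.com", spki[1]) // Changed: the dialog would ask here
	ok, _ := MatchTLSA("3 1 1 "+spki[0], spki[0])    // constructed DANE-EE record
	fmt.Println(d1 == FirstUse, d2 == Match, d3 == Changed, ok)
}
```

Two points worth keeping from this: pinning the SPKI rather than the certificate means an ordinary renewal with the same key passes without a dialog, while a key rotation (or an interception with a different key) is what produces the @code{Changed} decision, and only an explicit @code{Accept} changes the pin. For DANE, a TLSA record is only as trustworthy as the DNSSEC validation behind it, so the resolver at @code{[::1]:53} should be a validating one; a non-validating forwarder turns the DANE-EE check into a check against whatever the network returns.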