@node Usage
@unnumbered Usage

@itemize

@item Currently @command{tofuproxy} uses:
GnuTLS's
@url{https://www.gnutls.org/manual/html_node/certtool-Invocation.html, certtool},
@url{http://cr.yp.to/redo.html, redo} build system,
@url{https://www.tcl.tk/, Tcl/Tk}'s @command{wish} shell for GUI dialogues,
@command{dwebp}, @command{djxl} for image transcoding,
@url{https://github.com/halturin/multitail, multitail} for log viewing.

@item Download and build @command{tofuproxy}:

@example
$ git clone git://git.stargrave.org/tofuproxy.git
$ cd tofuproxy
$ redo all
@end example

@item If the build fails because of an untrusted @code{ca.cypherpunks.ru}
certificate, then:

@example
$ [fetch|wget] http://www.ca.cypherpunks.ru/cert.pem
$ [fetch|wget] http://www.ca.cypherpunks.ru/cert.pem.asc
$ gpg --auto-key-locate dane --locate-keys stargrave at stargrave dot org
$ gpg --auto-key-locate wkd --locate-keys stargrave at gnupg dot net
$ gpg --verify cert.pem.asc
$ SSL_CERT_FILE=`pwd`/cert.pem GIT_SSL_CAINFO=`pwd`/cert.pem redo all
@end example

@item Run @command{tofuproxy} itself. By default it will bind to
@code{[::1]:8080} and use the @code{[::1]:53} DNS server for DANE requests
(set to an empty string to disable DANE lookups):

@example
$ ./tofuproxy.cmd
main.go:70: listening: [::1]:8080 dns: [::1]:53 certs: ./certs ccerts: ./ccerts
@end example

@item Trust your newly generated CA:

@example
# cat cert.pem >> /etc/ssl/cert.pem
@end example

@item Point your HTTP/HTTPS clients to @code{http://localhost:8080}.

@item If you want to use TLS client certificates, then place them in the
@file{-ccerts} directory.

@item Load the list of spying domains to reject with:

@example
$ cat spies.txt > fifos/add-spies
@end example

@item Watch logs:

@example
$ ( cd fifos ; ./multitail.sh )
@end example

@image{logs,,,Example logs,.webp}

@item When you encounter something requiring your attention and
decision, you will be shown a Tk dialog through a @command{wish}
invocation. GnuTLS's @command{certtool} is used for printing certificate
information.

@image{dialog,,,Example dialog,.webp}

@item The certificate trust decision dialog (like the one above) has
multiple hotkeys:

@itemize
@item @code{a} -- accept and save certificate chain to disk
@item @code{o} -- accept once per session (@command{tofuproxy} running)
@item @code{r} -- reject certificate
@item @code{q} -- reject certificate just this once, same as closing the window
@item @code{n} -- next page of "their" certificate chain
@item @code{p} -- previous page of "their" certificate chain
@item @code{N} -- next page of "our" certificate chain
@item @code{P} -- previous page of "our" certificate chain
@end itemize

@item To list currently accepted, rejected, HTTP authorized, TLS client
authenticated hosts:

@example
$ cat fifos/list-@{accepted,rejected,http-auth,tls-auth@}
@end example

@item To remove knowledge of the host from any of the states mentioned
above:

@example
$ echo www.example.com > fifos/del-tls-auth
@end example

@end itemize
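
The "Trust your newly generated CA" step appends with `cat ... >>`, so running it twice leaves duplicate entries and no record of which CA was added. The following is an added example, not part of tofuproxy: the function names `pem_fingerprints`, `trust_ca` and `sample_pem` are hypothetical, and it assumes `base64 -d` and `sha256sum` from GNU coreutils are available.

```shell
#!/bin/sh
# Added example, not tofuproxy code. Assumes base64 -d and sha256sum (GNU coreutils).

# pem_fingerprints FILE: print the SHA-256 of every certificate's DER body,
# one hex digest per line, in file order.
pem_fingerprints() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside                        { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1" | while IFS= read -r b64; do
        printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
    done
}

# trust_ca CERT BUNDLE: append CERT to BUNDLE only if it is not there yet.
# Returns 0 = appended, 1 = already trusted, 2 = CERT is not exactly one certificate.
trust_ca() {
    cert=$1
    bundle=$2
    fp=$(pem_fingerprints "$cert")
    [ "$(printf '%s\n' "$fp" | grep -c .)" -eq 1 ] || return 2
    if [ -f "$bundle" ] && pem_fingerprints "$bundle" | grep -qx "$fp"; then
        return 1
    fi
    cat "$cert" >> "$bundle"
    # Log the fingerprint so the entry can be audited or removed later.
    echo "added CA sha256:$fp to $bundle" >&2
}

# Constructed stand-ins: base64 of a label, not real X.509 certificates.
sample_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        "$(printf '%s' "$1" | base64)" '-----END CERTIFICATE-----'
}

demo_dir=$(mktemp -d)
sample_pem 'constructed system CA' > "$demo_dir/bundle.pem"
sample_pem 'constructed tofuproxy CA' > "$demo_dir/cert.pem"
trust_ca "$demo_dir/cert.pem" "$demo_dir/bundle.pem"          # first run appends
trust_ca "$demo_dir/cert.pem" "$demo_dir/bundle.pem" || true  # second run is a no-op
```

For the step on this page the call would be `trust_ca cert.pem /etc/ssl/cert.pem`, run as root.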