@node Top
@top tofuproxy
-@image{logs,,,Example logs,.webp}
-
@itemize
@item I am tired that various HTTPS clients (like browsers and feed
aggregators) use various TLS libraries with different features. NSS,
GnuTLS, OpenSSL... All of them sucks, comparing to Go's @code{crypto/tls}.
-@item I am tired that everyone provides very limited certificates trust
+@item I tired that everyone provides very limited certificates trust
management capabilities, like either certificate or SPKI
@url{https://en.wikipedia.org/wiki/Certificate_pinning, pinning} with
@url{https://en.wikipedia.org/wiki/Trust_on_first_use, TOFU}. Even my
@item I am tired that many clients provides very few information about
certificates and connections at all.
-@item I am tired that hardly anyone can control (no automatic silent
+@item I hate that hardly anyone can control (no automatic silent
transparent following) HTTP redirections. Although Firefox had proper
extensions for that.
-@item I am tired that you have got small control on URLs. The best you
-can is to use some kind of @url{https://en.wikipedia.org/wiki/Privoxy,
-Privoxy}, but it is not friendly with TLS connections, obviously.
+@item I am sick of tiny control on URLs. The best you can is to use some
+kind of @url{https://en.wikipedia.org/wiki/Privoxy, Privoxy}, but it is
+not friendly with TLS connections, obviously.
@item Hardly anyone does
@url{https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities, DANE}
checks.
+@item And there is insanity of downloading fonts.
+Why the hell people just do not send PostScript documents instead!?
+
+@item And wonderful @url{http://jpegxl.info/, JPEG XL} image format is
+not supported by most browsers. Even pretty old
+@url{https://developers.google.com/speed/webp, WebP} is not supported
+everywhere.
+
@end itemize
That is why I wrote @command{tofuproxy} -- pure Go HTTP proxy, MitMing
@item TLS connection between client and @command{tofuproxy} has the
proper hostname set in ephemeral on-the-fly generated certificate.
-@item @code{HEAD} method is forbidden, because of damned Xombrero loving
- making it so much. Can live without it.
+@item @code{HEAD} method for Xombrero is forbidden, as it loves it too much.
@item @code{www.reddit.com} is redirected to @code{old.reddit.com}.
-@item Various spying domains (advertisement, tracking counters) are
- responded with 404 error.
+@item @url{https://habr.com/ru/all/, Хабр}'s resolution reduced images
+ are redirected to their full size variants.
+
+@item Various spying domains (advertisement, tracking counters) are denied.
+
+@item Web fonts downloads are forbidden.
+
+@item Permanent HTTP redirects are replaced with HTML page with the link.
+
+@item Temporary HTTP redirects are replaced with HTML too, if it is
+ neither @url{https://newsboat.org/, Newsboat} nor image paths.
-@item All HTTP redirects are replaced with HTML page with the link.
- However temporary redirects are passed as is for @code{newsboat}
- User-Agent.
+@item WebP images, if it is not Xombrero, is transcoded to PNG.
+
+@item JPEG XL images are transparently transcoded to PNG too.
@item Default Go's checks are applied to all certificates. If they pass,
then certificate chain is saved on the disk. Future connections are
@item Optionally DANE-EE check is also made for each domain you visit.
-@end itemize
-
-@image{dialog,,,Example dialog,.webp}
-
-@node Usage
-@unnumbered Usage
-
-@itemize
-
-@item Build @command{tofuproxy}:
+@item TLS session resumption and keep-alives are also supported.
-@example
-$ git clone git://git.stargrave.org/tofuproxy.git
-$ cd tofuproxy
-$ go build
-@end example
-
-@item
-Generate CA-capable certificate for the proxy, that will issue ephemeral
-certificate to proxied domains:
-
-@example
-$ redo cert.pem
-@end example
-
-@item
-Create directory with output FIFOs and directory for stored certificate chains:
-
-@example
-$ ./mkfifos.sh
-$ mkdir certs
-@end example
-
-@item
-Run @command{tofuproxy} itself. By default it will bind to
-@code{[::1]:8080}, use @code{[::1]:53} DNS server for DANE requests
-(set to an empty string to disable DANE lookups):
-
-@example
-$ ./tofuproxy
-main.go:316: listening: [::1]:8080
-@end example
-
-@item Trust your newly generated CA:
-
-@example
-# cat /path/to/tofuproxy/cert.pem >> /etc/ssl/cert.pem
-@end example
-
-@item Point you HTTP/HTTPS clients to @code{http://localhost:8080}.
-
-@item Watch logs with @url{https://github.com/halturin/multitail, multitail}:
-
-@example
-$ ./multitail.sh
-@end example
+@item And Go itself tries also to act as a
+@url{https://http2.github.io/, HTTP/2} client too.
@end itemize
-When you encounter something requiring your attention and decision, you
-will be shown Tk-dialog through the @command{wish} invocation. GnuTLS'es
-@command{certtool} is used for certificate information printing.
+@include usage.texi
@node TODO
@unnumbered TODO
@itemize
-@item JPEG-XL/WebP transparent converter to JPEG/PNG.
-
@item HTTP authorization dialog.
@item TLS client certificates usage capability.
-@item Web fonts download restriction.
-
@end itemize