@node Top
@top tofuproxy
-@itemize
-
-@item I am tired that various HTTPS clients (like browsers and feed
-aggregators) use various TLS libraries with different features. NSS,
-GnuTLS, OpenSSL... All of them sucks, comparing to Go's @code{crypto/tls}.
-
-@item I tired that everyone provides very limited certificates trust
-management capabilities, like either certificate or SPKI
-@url{https://en.wikipedia.org/wiki/Certificate_pinning, pinning} with
-@url{https://en.wikipedia.org/wiki/Trust_on_first_use, TOFU}. Even my
-beloved @url{https://en.wikipedia.org/wiki/Xombrero, Xombrero} browser
-still pins only the whole certificate, but its public key would be much
-more sufficient and convenient to work with.
-
-@item I am tired that many clients provides very few information about
-certificates and connections at all.
-
-@item I hate that hardly anyone can control (no automatic silent
-transparent following) HTTP redirections. Although Firefox had proper
-extensions for that.
-
-@item I am sick of tiny control on URLs. The best you can is to use some
-kind of @url{https://en.wikipedia.org/wiki/Privoxy, Privoxy}, but it is
-not friendly with TLS connections, obviously.
-
-@item Xombrero sometimes has problems with HTTP-based authorization.
-
-@item Hardly anyone does
-@url{https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities, DANE}
-checks.
-
-@item And there is insanity of downloading fonts.
-Why the hell people just do not send PostScript documents instead!?
-
-@item And wonderful @url{http://jpegxl.info/, JPEG XL} image format is
-not supported by most browsers. Even pretty old
-@url{https://developers.google.com/speed/webp, WebP}, that has highest
-compression ratio for lossless screenshots, is not supported everywhere.
-@url{https://aomediacodec.github.io/av1-avif/, AVIF} could be useful too.
-
-@item None of web browsers support ability to view web archives
-(@url{https://en.wikipedia.org/wiki/Web_ARChive, WARC}s). And most of
-WARC-related software is written on Python, that nowadays is close to be
-impossible to install and use with all its broken dependencies system.
-
-@item And yet another piece of software is needed for browsing the
-@url{https://en.wikipedia.org/wiki/Gemini_(protocol), geminispace}?
-Too many bicycles already!
-
-@end itemize
-
-That is why I wrote @command{tofuproxy} -- pure Go HTTP proxy, MitMing
-all HTTPS connections on the fly. It is written for my personal needs
-exclusively, so many features are just directly hard-coded, instead of
-creating some kind of complex configuration framework.
+@command{tofuproxy} is
+@url{https://www.gnu.org/philosophy/free-sw.html, free software}
+flexible HTTP/HTTPS proxy server, TLS terminator, X.509 TOFU manager,
+@url{https://en.wikipedia.org/wiki/Web_ARChive, WARC} and
+@url{https://en.wikipedia.org/wiki/Gemini_(protocol), geminispace}
+browser, written on @url{https://golang.org/, Go} with following
+capabilities:
@itemize
@item
-@strong{Effective} responses proxying, without storing them in the memory first.
+Full TLS connection termination between Web-servers and
+@command{tofuproxy} itself. TLS 1.3, session resumption, GOST
+cryptography (if built with @url{http://www.gostls13.cypherpunks.ru/,
+gostls13}) support. Connection between @command{tofuproxy} and browser
+itself uses ephemeral on-the-fly generated certificates with proper
+domain name.
@item
-TLS connection between client and @command{tofuproxy} has the
-@strong{proper hostname} set in ephemeral on-the-fly generated
-certificate.
+@url{https://http2.github.io/, HTTP/2} (if negotiated with ALPN) and
+HTTP keep-alives are supported.
@item
-@code{HEAD} method is forbidden.
+Default Go's @code{crypto/x509} checks are applied to all certificates.
+If they pass, then certificate chain is saved on the disk (TOFU,
+trust-on-first-use). Future connections are compared against it, warning
+you about SPKI change (SPKI pinning) and waiting for your decision
+either to accept new chain (possibly once per session), or reject it.
+Even if native Go's checks are failed (for example domain still does not
+use @code{SubjectAltName} extension), you can still make a decision to
+forcefully trust the domain.
@item
-@code{www.reddit.com} is redirected to @code{old.reddit.com}.
+Optional @url{https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities, DANE-EE} check.
@item
-@url{https://habr.com/ru/all/, Хабр}'s resolution reduced images are
-redirected to their full size variants.
+TLS client certificates are supported too.
@item
-Various @strong{spying} domains (advertisement, tracking counters) are denied.
+HTTP-based authorization requests are intercepted and user/password
+input dialogue is shown. It automatically loads initial form values from
+@file{.netrc}.
@item
-Web @strong{fonts} downloads are forbidden.
+Permanent HTTP redirects are replaces with non-refreshing HTML page with
+the link, to make you explicitly allow that step. Temporary redirects
+are followed if it is neither @url{https://newsboat.org/, Newsboat}
+user-agent, not image paths.
@item
-@strong{Permanent} HTTP redirects are replaced with HTML page with the link.
+JPEG XL, AVIF and WebP images are transparently transcoded to PNG,
+giving it back to the browser, not requiring it to support modern
+effective image formats.
@item
-@strong{Temporary} HTTP redirects are replaced with HTML too, if it is
-neither @url{https://newsboat.org/, Newsboat} nor image paths.
+Ability to load, index and browse WARC web archives, that are possibly
+multi-segment/frame compressed with @command{gzip}/@command{zstd}.
@item
-@strong{WebP} images (if it is not Xombrero), @strong{JPEG XL} and
-@strong{AVIF} are transcoded to PNG.
+Ability to browse geminispace, transparently converting gemfiles to
+HTMLs with URL rewriting.
-@item
-Default Go's checks are applied to all certificates. If they pass, then
-certificate chain is saved on the disk (@strong{TOFU}). Future
-connections are compared against it, warning you about SPKI change
-(@strong{SPKI pinning}) and waiting for your decision either to accept
-new chain (possibly once per session), or reject it.
-
-@item
-Even when native Go's checks are failed, you can still make a decision
-to forcefully trust the domain.
+@end itemize
-@item
-@strong{HTTP-based authorization} requests are intercepted and
-user/password input dialogue is shown. It automatically loads
-@strong{initial form} values from @strong{@file{.netrc}}.
+And additional personal preferences:
-@item
-TLS @strong{client certificates} supported: separate dialogue window for
-certificate choice.
+@itemize
@item
-Optional @strong{DANE-EE} check is also made for each domain you visit.
+Various spying domains (advertisement, tracking counters) are denied.
@item
-TLS @strong{session resumption} and @strong{keep-alives} are also supported.
+@code{HEAD} method is forbidden. Xombrero likes it too much.
@item
-And Go itself tries also to act as a @url{https://http2.github.io/, HTTP/2}
-client too.
+@code{www.reddit.com} is redirected to @code{old.reddit.com} (because it
+works without JavaScript and looks nicer).
@item
-Ability to load and browse @url{https://en.wikipedia.org/wiki/Web_ARChive,
-WARC} archives, possibly @command{gzip}/@command{zstd} compressed.
+@url{https://habr.com/ru/all/, Хабр}'s resolution reduced images are
+redirected to their full size variants.
@item
-Ability to browse geminispace, by transparent conversion to HTMLs with
-URL rewriting.
+Web @strong{fonts} downloads are forbidden.
@end itemize
+@include why.texi
@include usage.texi
+@include spies.texi
+@include certs.texi
+@include tlsauth.texi
+@include httpauth.texi
+@include warcs.texi
+@include gemini.texi