/cert.pem
+/certgen.cmd
/certs
/prv.pem
-/tofuproxy
+/tofuproxy.cmd
-redo-ifchange cert.pem tofuproxy fifos/ensure
+redo-ifchange cert.pem tofuproxy.cmd fifos/ensure
mkdir -p certs
-redo-ifchange prv.pem cert.tmpl
-certtool --generate-self-signed --load-privkey prv.pem --template cert.tmpl
+[ -e certgen.cmd ] || redo certgen.cmd
+./certgen.cmd -cert $3
+++ /dev/null
-dn = "cn=tofu.localhost"
-expiration_days = 365
-ca
-cert_signing_key
--- /dev/null
+/*
+tofuproxy -- HTTP proxy with TLS certificates management
+Copyright (C) 2021 Sergey Matveev <stargrave@stargrave.org>
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, version 3 of the License.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package main
+
+import (
+ "crypto/ecdsa"
+ "crypto/elliptic"
+ "crypto/rand"
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "encoding/pem"
+ "flag"
+ "io"
+ "log"
+ "math/big"
+ "os"
+ "time"
+)
+
+func main() {
+ cn := flag.String("cn", "tofuproxy.localhost", "CommonName")
+ crtPath := flag.String("cert", "cert.pem", "Path to server X.509 certificate")
+ prvPath := flag.String("key", "prv.pem", "Path to server PKCS#8 private key")
+ flag.Parse()
+ log.SetFlags(log.Lshortfile)
+
+ prv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+ if err != nil {
+ log.Fatalln(err)
+ }
+ pub := prv.Public()
+ notBefore := time.Now()
+ notAfter := notBefore.Add(365 * 24 * time.Hour)
+
+ serialRaw := make([]byte, 16)
+ if _, err = io.ReadFull(rand.Reader, serialRaw); err != nil {
+ log.Fatalln(err)
+ }
+ serial := big.NewInt(0)
+ serial = serial.SetBytes(serialRaw)
+
+ template := x509.Certificate{
+ SerialNumber: serial,
+ Subject: pkix.Name{CommonName: *cn},
+ DNSNames: []string{*cn},
+ NotBefore: notBefore,
+ NotAfter: notAfter,
+ BasicConstraintsValid: true,
+ IsCA: true,
+ }
+ certRaw, err := x509.CreateCertificate(
+ rand.Reader, &template, &template, pub, prv,
+ )
+ if err != nil {
+ log.Fatalln(err)
+ }
+ if _, err = x509.ParseCertificate(certRaw); err != nil {
+ log.Fatalln(err)
+ }
+ pkcs8, err := x509.MarshalPKCS8PrivateKey(prv)
+ if err != nil {
+ log.Fatalln(err)
+ }
+
+ fd, err := os.OpenFile(*prvPath, os.O_WRONLY|os.O_CREATE, 0600)
+ if err != nil {
+ log.Fatalln(err)
+ }
+ err = pem.Encode(fd, &pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8})
+ if err != nil {
+ log.Fatalln(err)
+ }
+ fd.Close()
+
+ fd, err = os.OpenFile(*crtPath, os.O_WRONLY|os.O_CREATE, 0600)
+ err = pem.Encode(fd, &pem.Block{Type: "CERTIFICATE", Bytes: certRaw})
+ if err != nil {
+ log.Fatalln(err)
+ }
+}
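Review bot: The error from the second os.OpenFile, on the certificate path, is never checked: `err` is overwritten by the pem.Encode call on the next line, so an unwritable cert path surfaces only as a confusing write error on a nil file, and that file is never closed either. Both OpenFile calls also omit os.O_TRUNC, so regenerating over an existing, longer prv.pem or cert.pem leaves the old file's trailing bytes after the new PEM block; if silently replacing an existing CA key is not intended, os.O_EXCL on the key file would be the safer choice. Separately, the removed cert.tmpl set `cert_signing_key`, while the new template sets IsCA without any KeyUsage; as far as I can tell Go's own verifier accepts a CA with no KeyUsage extension, but confirm the browsers this CA gets imported into do as well.
```go
	// … unchanged: key generation, template, PKCS#8 key write …
	fd, err = os.OpenFile(*crtPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
	if err != nil {
		log.Fatalln(err)
	}
	if err = pem.Encode(fd, &pem.Block{Type: "CERTIFICATE", Bytes: certRaw}); err != nil {
		log.Fatalln(err)
	}
	if err = fd.Close(); err != nil {
		log.Fatalln(err)
	}
```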
crtPath := flag.String("cert", "cert.pem", "Path to server X.509 certificate")
prvPath := flag.String("key", "prv.pem", "Path to server PKCS#8 private key")
bind := flag.String("bind", "[::1]:8080", "Bind address")
- certs := flag.String("certs", "certs", "Directory with pinned certificates")
+ certs := flag.String("certs", "./certs", "Directory with pinned certificates")
dnsSrv := flag.String("dns", "[::1]:53", "DNS server")
fifosDir := flag.String("fifos", "fifos", "Directory with FIFOs")
notai := flag.Bool("notai", false, "Do not prepend TAI64N to logs")
--- /dev/null
+redo-ifchange *.go cmd/*/*.go fifos/*.go rounds/*.go
+GO_LDFLAGS="${GO_LDFLAGS:--ldflags=-s}"
+${GO:-go} build -o $3 $GO_LDFLAGS ./cmd/${1%.cmd}
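Review bot: `$3` is unquoted on the build line; redo passes the temporary output path as an argument that the shell will word-split, so `-o "$3"` is the safer form. `$GO_LDFLAGS` is presumably left unquoted on purpose so that several flags split into separate words, and the same may be intended for `${GO:-go}`, so only the output path needs the quotes.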
(set to an empty string to disable DANE lookups):
@example
-$ ./tofuproxy
-main.go:316: listening: [::1]:8080
+$ ./tofuproxy.cmd
+main.go:316: listening: [::1]:8080 certs: ./certs
@end example
@item Trust your newly generated CA:
-for f in cert err ok other redir req tls ; do
+for f in cert dane err ok other redir req tls ; do
[ -p $f ] || mkfifo $f
done
NoTAI bool
FIFOs string
SinkCert = make(chan string)
+ SinkDANE = make(chan string)
SinkErr = make(chan string)
SinkOK = make(chan string)
SinkOther = make(chan string)
func Init() {
go sinker(SinkCert, filepath.Join(FIFOs, "cert"))
+ go sinker(SinkDANE, filepath.Join(FIFOs, "dane"))
go sinker(SinkErr, filepath.Join(FIFOs, "err"))
go sinker(SinkOK, filepath.Join(FIFOs, "ok"))
go sinker(SinkOther, filepath.Join(FIFOs, "other"))
multitail \
-wh 10 \
-t "Certificates" -ci magenta -l "while :; do tai64nlocal < cert ; done" \
+ -t "DANE" --label "DANE " -L "while :; do tai64nlocal < dane ; done" \
-t "Errors" -ci red -L "while :; do tai64nlocal < err ; done" \
-t "Responses" -ci green --label "< " -l "while :; do tai64nlocal < ok ; done" \
-t "Others" -ci white -L "while :; do tai64nlocal < other ; done" \
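Review bot: The new `-t "DANE"` window is the only one without a `-ci` colour; every sibling line sets one, so this reads like an omission rather than a choice, e.g. `-t "DANE" -ci yellow --label "DANE " -L "while :; do tai64nlocal < dane ; done" \`. If multitail's default colour is what you want here, ignore this.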
+++ /dev/null
-umask 077
-certtool --generate-privkey --bits 256 --ecc > $3
+++ /dev/null
-/*
-tofuproxy -- HTTP proxy with TLS certificates management
-Copyright (C) 2021 Sergey Matveev <stargrave@stargrave.org>
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, version 3 of the License.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License
-along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-package rounds
-
-import (
- "fmt"
- "net/http"
-
- "go.stargrave.org/tofuproxy/fifos"
-)
-
-func RoundLog(
- host string,
- resp *http.Response,
- w http.ResponseWriter,
- req *http.Request,
-) (bool, error) {
- fifos.SinkReq <- fmt.Sprintf("%s %s", req.Method, req.URL.String())
- return true, nil
-}
"google-analytics.com",
"goo.gl",
"ads.google.com",
+ "googletagmanager.com",
"facebook.com",
"facebook.net",
"fbcdn.com",
"tns-counter.ru",
}
+func IsSpy(host string) bool {
+ for _, spy := range spyDomains {
+ if strings.HasSuffix(host, spy) {
+ return true
+ }
+ }
+ return false
+}
+
func RoundDenySpy(
host string,
resp *http.Response,
w http.ResponseWriter,
req *http.Request,
) (bool, error) {
- for _, spy := range spyDomains {
- if strings.HasSuffix(host, spy) {
- http.NotFound(w, req)
- fifos.SinkOther <- fmt.Sprintf(
- "%s %s\t%d\tdeny spy",
- req.Method,
- req.URL.String(),
- http.StatusNotFound,
- )
- return false, nil
- }
+ if IsSpy(host) {
+ http.NotFound(w, req)
+ fifos.SinkOther <- fmt.Sprintf(
+ "%s %s\t%d\tdeny spy",
+ req.Method,
+ req.URL.String(),
+ http.StatusNotFound,
+ )
+ return false, nil
}
return true, nil
}
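Review bot: IsSpy matches on a bare suffix, so `strings.HasSuffix(host, spy)` also denies unrelated hosts whose name merely ends in a listed domain (with `goo.gl` in the list, something like `dogoo.gl` is blocked too); that behaviour predates this refactor, but now that the test lives in one exported helper it is the natural place to anchor it on a label boundary, `if host == spy || strings.HasSuffix(host, "."+spy) {`. IsSpy is exported and has no doc comment; `// IsSpy reports whether host is, or is a subdomain of, one of spyDomains.` would do.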
) (bool, error)
func roundTrip(w http.ResponseWriter, req *http.Request) {
+ fifos.SinkReq <- fmt.Sprintf("%s %s", req.Method, req.URL.String())
host := strings.TrimSuffix(req.URL.Host, ":443")
for _, round := range []Round{
rounds.RoundNoHead,
- rounds.RoundLog,
rounds.RoundDenySpy,
rounds.RoundRedditOld,
rounds.RoundHabrImage,
daneExists, daneMatched := dane(host, certTheir)
if daneExists {
if daneMatched {
- fifos.SinkCert <- fmt.Sprintf("DANE\t%s\tmatched", host)
+ fifos.SinkDANE <- fmt.Sprintf("%s\tmatched", host)
} else {
- fifos.SinkErr <- fmt.Sprintf("DANE\t%s\tnot matched", host)
+ fifos.SinkDANE <- fmt.Sprintf("%s\tNOT matched", host)
}
}
fn := filepath.Join(Certs, host)
if daneMatched {
b.WriteString("label .lDANE -bg green -text \"DANE matched\"\n")
} else {
- b.WriteString("label .lDANE -bg red -text \"DANE not matched!\"\n")
+ b.WriteString("label .lDANE -bg red -text \"DANE NOT matched\"\n")
}
b.WriteString("grid .lDANE\n")
}