Small documentation
authorSergey Matveev <stargrave@stargrave.org>
Sun, 5 Sep 2021 14:03:46 +0000 (17:03 +0300)
committerSergey Matveev <stargrave@stargrave.org>
Sun, 5 Sep 2021 14:52:50 +0000 (17:52 +0300)
README [new file with mode: 0644]
doc/dialog.webp [new file with mode: 0644]
doc/index.texi [new file with mode: 0644]
doc/logs.webp [new file with mode: 0644]
doc/style.css [new file with mode: 0644]
doc/www.do [new file with mode: 0644]
mkfifos.sh [new file with mode: 0755]
verify.go

diff --git a/README b/README
new file mode 100644 (file)
index 0000000..c62d94d
--- /dev/null
+++ b/README
@@ -0,0 +1,2 @@
+tofuproxy -- HTTP proxy, MitMing all HTTPS connections, taking all
+TLS-related certificates trust management.
diff --git a/doc/dialog.webp b/doc/dialog.webp
new file mode 100644 (file)
index 0000000..bff3268
Binary files /dev/null and b/doc/dialog.webp differ
diff --git a/doc/index.texi b/doc/index.texi
new file mode 100644 (file)
index 0000000..1989a45
--- /dev/null
@@ -0,0 +1,158 @@
+\input texinfo
+@documentencoding UTF-8
+@settitle tofuproxy
+
+@copying
+Copyright @copyright{} 2021 @email{stargrave@@stargrave.org, Sergey Matveev}
+@end copying
+
+@node Top
+@top tofuproxy
+
+@image{logs,,,Example logs,.webp}
+
+@itemize
+
+@item I am tired that various HTTPS clients (like browsers and feed
+aggregators) use various TLS libraries with different features. NSS,
+GnuTLS, OpenSSL... All of them sucks, comparing to Go's @code{crypto/tls}.
+
+@item I am tired that everyone provides very limited certificates trust
+management capabilities, like either certificate or SPKI
+@url{https://en.wikipedia.org/wiki/Certificate_pinning, pinning} with
+@url{https://en.wikipedia.org/wiki/Trust_on_first_use, TOFU}. Even my
+beloved @url{https://en.wikipedia.org/wiki/Xombrero, Xombrero} browser
+still pins only the whole certificate, but its public key would be much
+more sufficient and convenient to work with.
+
+@item I am tired that many clients provides very few information about
+certificates and connections at all.
+
+@item I am tired that hardly anyone can control (no automatic silent
+transparent following) HTTP redirections. Although Firefox had proper
+extensions for that.
+
+@item I am tired that you have got small control on URLs. The best you
+can is to use some kind of @url{https://en.wikipedia.org/wiki/Privoxy,
+Privoxy}, but it is not friendly with TLS connections, obviously.
+
+@item Hardly anyone does
+@url{https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities, DANE}
+checks.
+
+@end itemize
+
+That is why I wrote @command{tofuproxy} -- pure Go HTTP proxy, MitMing
+all HTTPS connections on the fly. It is written for my personal needs
+exclusively, so many features are just directly hard-coded, instead of
+creating some kind of complex configuration framework.
+
+@itemize
+
+@item Effective responses proxying, without storing them in the memory first.
+
+@item TLS connection between client and @command{tofuproxy} has the
+    proper hostname set in ephemeral on-the-fly generated certificate.
+
+@item @code{HEAD} method is forbidden, because of damned Xombrero loving
+    making it so much. Can live without it.
+
+@item @code{www.reddit.com} is redirected to @code{old.reddit.com}.
+
+@item Various spying domains (advertisement, tracking counters) are
+    responded with 404 error.
+
+@item All HTTP redirects are replaced with HTML page with the link.
+    However temporary redirects are passed as is for @code{newsboat}
+    User-Agent.
+
+@item Default Go's checks are applied to all certificates. If they pass,
+    then certificate chain is saved on the disk. Future connections are
+    compared against it, warning you about SPKI change and waiting for
+    your decision either to accept new chain (possibly once per
+    session), or reject it.
+
+@item Even when native Go's checks are failed, you can still make a
+    decision to forcefully trust the domain.
+
+@item Optionally DANE-EE check is also made for each domain you visit.
+
+@end itemize
+
+@image{dialog,,,Example dialog,.webp}
+
+@node Usage
+@unnumbered Usage
+
+@itemize
+
+@item Build @command{tofuproxy}:
+
+@example
+$ git clone git://git.stargrave.org/tofuproxy.git
+$ cd tofuproxy
+$ go build
+@end example
+
+@item
+Generate CA-capable certificate for the proxy, that will issue ephemeral
+certificate to proxied domains:
+
+@example
+$ redo cert.pem
+@end example
+
+@item
+Create directory with output FIFOs and directory for stored certificate chains:
+
+@example
+$ ./mkfifos.sh
+$ mkdir certs
+@end example
+
+@item
+Run @command{tofuproxy} itself. By default it will bind to
+@code{[::1]:8080}, use @code{[::1]:53} DNS server for DANE requests
+(set to an empty string to disable DANE lookups):
+
+@example
+$ ./tofuproxy
+main.go:316: listening: [::1]:8080
+@end example
+
+@item Trust your newly generated CA:
+
+@example
+# cat /path/to/tofuproxy/cert.pem >> /etc/ssl/cert.pem
+@end example
+
+@item Point you HTTP/HTTPS clients to @code{http://localhost:8080}.
+
+@item Watch logs with @url{https://github.com/halturin/multitail, multitail}:
+
+@example
+$ ./multitail.sh
+@end example
+
+@end itemize
+
+When you encounter something requiring your attention and decision, you
+will be shown Tk-dialog through the @command{wish} invocation. GnuTLS'es
+@command{certtool} is used for certificate information printing.
+
+@node TODO
+@unnumbered TODO
+
+What I am planning possibly to do? Just brainstorming:
+
+@itemize
+
+@item JPEG-XL/WebP transparent converter to JPEG/PNG.
+
+@item HTTP authorization dialog.
+
+@item TLS client certificates usage capability.
+
+@item Web fonts download restriction.
+
+@end itemize
diff --git a/doc/logs.webp b/doc/logs.webp
new file mode 100644 (file)
index 0000000..0d3bba6
Binary files /dev/null and b/doc/logs.webp differ
diff --git a/doc/style.css b/doc/style.css
new file mode 100644 (file)
index 0000000..0d2e65b
--- /dev/null
@@ -0,0 +1,9 @@
+body {
+    margin: auto;
+    width: 80em;
+    background-color: #AEBECE;
+}
+h1, h2, h3, h4 { text-align: center }
+h1, h2, h3, h4, strong { color: #900090 }
+pre { background-color: #CCCCCC }
+table, th, td { border: 1px solid black ; border-collapse: collapse }
diff --git a/doc/www.do b/doc/www.do
new file mode 100644 (file)
index 0000000..0f70f33
--- /dev/null
@@ -0,0 +1,16 @@
+redo-ifchange *.texi
+html=tofuproxy.html
+rm -f $html/*.html
+${MAKEINFO:=makeinfo} --html \
+    --css-include style.css \
+    --set-customization-variable SECTION_NAME_IN_TITLE=1 \
+    --set-customization-variable TREE_TRANSFORMATIONS=complete_tree_nodes_menus \
+    --set-customization-variable FORMAT_MENU=menu \
+    --set-customization-variable SHOW_TITLE=0 \
+    --set-customization-variable DATE_IN_HEADER=1 \
+    --set-customization-variable CLOSE_QUOTE_SYMBOL=\" \
+    --set-customization-variable OPEN_QUOTE_SYMBOL=\" \
+    -o $html index.texi
+cp -a *.webp $html/
+find $html -type d -exec chmod 755 {} +
+find $html -type f -exec chmod 644 {} +
diff --git a/mkfifos.sh b/mkfifos.sh
new file mode 100755 (executable)
index 0000000..c822253
--- /dev/null
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+mkdir fifos
+for f in cert err ok other redir req tls ; do
+    mkfifo fifos/$f
+done
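Review bot: The FIFOs created in the loop inherit the caller's umask, so with the usual 022 umask every other local user can open `fifos/cert`, `fifos/req`, `fifos/tls` and the rest and read the proxy's output streams (certificate and request information, going by the FIFO names); pass an explicit mode instead, `mkdir -m 700 fifos` and `mkfifo -m 600 fifos/$f`. The script also keeps running when `mkdir fifos` fails (a second invocation, for instance), after which each `mkfifo` fails in turn; a `set -e` line after the shebang makes the first failure abort the script.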
index 05fa9e992d775dc8cdaa42f07cbd43bb7234f8db..6c1ed9e2f1e89118838b991dab597dea6d3ae4c2 100644 (file)
--- a/verify.go
+++ b/verify.go
@@ -21,7 +21,6 @@ import (
        "crypto/x509"
        "encoding/pem"
        "fmt"
-       "io/ioutil"
        "log"
        "os"
        "os/exec"
@@ -31,8 +30,13 @@ import (
        "go.cypherpunks.ru/ucspi"
 )
 
+var (
+       CmdCerttool = "certtool"
+       CmdWish     = "wish8.7"
+)
+
 func certInfo(certRaw []byte) string {
-       cmd := exec.Command("certtool", "--certificate-info", "--inder")
+       cmd := exec.Command(CmdCerttool, "--certificate-info", "--inder")
        cmd.Stdin = bytes.NewReader(certRaw)
        out, err := cmd.Output()
        if err != nil {
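Review bot: `CmdCerttool` and `CmdWish` are exported package-level variables without a doc comment, so a reader cannot tell they are meant to be overridden (presumably at build time, e.g. via `-ldflags -X`), and the usual "comment starts with the name" convention is not met. Add `// CmdCerttool is the certtool binary used to print certificate information.` and `// CmdWish is the Tk wish interpreter used to show the decision dialog.` above the declarations. Both are bare names that `exec.Command` resolves through PATH, which is worth stating in the comment so an operator wanting a pinned binary knows to set an absolute path. certInfo's body continues past the end of the hunk.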
@@ -156,8 +160,8 @@ grid rowconfigure . 0 -weight 1
 grid columnconfigure . 0 -weight 1
 `)
 
-               cmd := exec.Command("wish8.7")
-               ioutil.WriteFile("/tmp/w.tcl", b.Bytes(), 0666)
+               cmd := exec.Command(CmdWish)
+               // ioutil.WriteFile("/tmp/w.tcl", b.Bytes(), 0666)
                cmd.Stdin = &b
                err = cmd.Run()
                exitError, ok := err.(*exec.ExitError)
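Review bot: The commented-out `// ioutil.WriteFile("/tmp/w.tcl", b.Bytes(), 0666)` under `cmd := exec.Command(CmdWish)` is leftover debugging code and should be deleted rather than disabled: a fixed path in the shared /tmp directory written with mode 0666 is exactly the kind of line that gets re-enabled later, and git history keeps it if it is ever needed again. If a dump of the generated Tcl is still wanted for debugging, writing it through `os.CreateTemp` behind an explicit opt-in would avoid the predictable filename. The enclosing function starts and ends outside this hunk.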