@documentencoding UTF-8
Copyright @copyright{} 2021-2023 @email{stargrave@@stargrave.org, Sergey Matveev}
@command{tofuproxy} is a
@url{https://www.gnu.org/philosophy/free-sw.html, free software}
flexible HTTP/HTTPS proxy server, TLS terminator, X.509 TOFU manager,
@url{https://en.wikipedia.org/wiki/Web_ARChive, WARC} and
@url{https://en.wikipedia.org/wiki/Gemini_(protocol), geminispace}
browser, written in @url{https://go.dev/, Go} with the following
Full TLS connection termination between Web servers and
@command{tofuproxy} itself. TLS 1.3, session resumption and GOST
cryptography (if built with @url{http://www.gostls13.cypherpunks.ru/,
gostls13}) are supported. The connection between @command{tofuproxy} and
the browser uses ephemeral, on-the-fly generated certificates with proper
@url{https://http2.github.io/, HTTP/2} (if negotiated with ALPN) and
HTTP keep-alives are supported.
Go's default @code{crypto/x509} checks are applied to all certificates.
If they pass, the certificate chain is saved on disk (TOFU,
trust-on-first-use). Future connections are compared against it, warning
you about an SPKI change (SPKI pinning) and waiting for your decision
either to accept the new chain (possibly once per session) or to reject it.
Even if Go's native checks fail (for example, the domain still does not
use the @code{SubjectAltName} extension), you can still decide to
forcefully trust the domain.
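To make the TOFU and SPKI-pinning decision above concrete, here is an added Go example (not @command{tofuproxy}'s own code): it hashes the leaf certificate's SubjectPublicKeyInfo and compares it against a per-host pin store. The @code{PinStore} and @code{Verdict} names, the in-memory store standing in for the on-disk chain store, and the self-signed @code{example.test} certificates are assumptions constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// Verdict is the outcome of comparing a presented chain with the stored pin.
type Verdict int
const (
	FirstUse Verdict = iota // nothing stored yet: remember this SPKI (trust on first use)
	Match                   // stored SPKI matches: proceed silently
	Mismatch                // SPKI changed: warn and wait for the user's decision
)
// PinStore is an in-memory stand-in (assumption) for the on-disk per-host pin store.
type PinStore map[string]string
// spkiPin is the hex SHA-256 of the leaf's SubjectPublicKeyInfo, the value being pinned.
func spkiPin(leaf *x509.Certificate) string {
	sum := sha256.Sum256(leaf.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}
// Check makes the TOFU decision for host from the leaf certificate it presented.
func (s PinStore) Check(host string, leaf *x509.Certificate) Verdict {
	pin := spkiPin(leaf)
	if stored, ok := s[host]; !ok {
		s[host] = pin // first use: trust and remember
		return FirstUse
	} else if stored == pin {
		return Match
	}
	return Mismatch // caller asks the user; Accept records the new key if they agree
}
// Accept replaces the pin after the user explicitly trusted the changed chain.
func (s PinStore) Accept(host string, leaf *x509.Certificate) { s[host] = spkiPin(leaf) }
// selfSigned builds a constructed self-signed certificate for host (test data only).
func selfSigned(host string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

Two certificates for the same host with different keys give a @code{Mismatch} even when both pass the standard chain checks, which is exactly the key-change event the proxy warns about.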
CAs can be restricted in which domains they are allowed to serve.
Optional @url{https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities, DANE-EE} check.
TLS client certificates are supported too.
HTTP-based authorization requests are intercepted and a user/password
input dialogue is shown. It automatically loads initial form values from
Permanent HTTP redirects are replaced with a non-refreshing HTML page
containing the link, to make you explicitly allow that step. Temporary
redirects are followed unless the user agent is @url{https://newsboat.org/, Newsboat}
or @url{https://www.feeder.stargrave.org/, go.stargrave.org/feeder},
or the request is for an image path.
JPEG XL, AVIF and WebP images are transparently transcoded to PNG
before being given back to the browser, so it does not need to support
modern efficient image formats.
Ability to load, index and browse WARC web archives, possibly
multi-segment/multi-frame compressed with @command{gzip}/@command{zstd}.
Ability to browse geminispace, transparently converting gemfiles to
HTML with URL rewriting.
And additional personal preferences:
Various spying domains (advertisement, tracking counters) are denied.
The @code{HEAD} method is forbidden. Xombrero likes it too much.
@code{www.reddit.com} is redirected to @code{old.reddit.com} (because it
works without JavaScript and looks nicer).
@url{https://habr.com/ru/all/, Хабр}'s reduced-resolution images are
redirected to their full-size variants.
Web font downloads are forbidden.
@include tlsauth.texi
@include restricted.texi
@include httpauth.texi