gemini:// support

[tofuproxy.git] / doc / index.texi

diff --git a/doc/index.texi b/doc/index.texi
index 1989a452a62de028f532d52490e70bcee8706bef..7d552be9cd4dfc5995ac70f995266dd411bf72b9 100644 (file)
--- a/doc/index.texi
+++ b/doc/index.texi
@@ -9,15 +9,13 @@ Copyright @copyright{} 2021 @email{stargrave@@stargrave.org, Sergey Matveev}
 @node Top
 @top tofuproxy
 
 @node Top
 @top tofuproxy
 

-@image{logs,,,Example logs,.webp}
-

 @itemize
 
 @item I am tired that various HTTPS clients (like browsers and feed
 aggregators) use various TLS libraries with different features. NSS,
 GnuTLS, OpenSSL... All of them sucks, comparing to Go's @code{crypto/tls}.
 
 @itemize
 
 @item I am tired that various HTTPS clients (like browsers and feed
 aggregators) use various TLS libraries with different features. NSS,
 GnuTLS, OpenSSL... All of them sucks, comparing to Go's @code{crypto/tls}.
 

-@item I am tired that everyone provides very limited certificates trust
+@item I tired that everyone provides very limited certificates trust

 management capabilities, like either certificate or SPKI
 @url{https://en.wikipedia.org/wiki/Certificate_pinning, pinning} with
 @url{https://en.wikipedia.org/wiki/Trust_on_first_use, TOFU}. Even my
 management capabilities, like either certificate or SPKI
 @url{https://en.wikipedia.org/wiki/Certificate_pinning, pinning} with
 @url{https://en.wikipedia.org/wiki/Trust_on_first_use, TOFU}. Even my


@@ -28,18 +26,38 @@ more sufficient and convenient to work with.
 @item I am tired that many clients provides very few information about
 certificates and connections at all.
 
 @item I am tired that many clients provides very few information about
 certificates and connections at all.
 

-@item I am tired that hardly anyone can control (no automatic silent
+@item I hate that hardly anyone can control (no automatic silent

 transparent following) HTTP redirections. Although Firefox had proper
 extensions for that.
 
 transparent following) HTTP redirections. Although Firefox had proper
 extensions for that.
 

-@item I am tired that you have got small control on URLs. The best you
-can is to use some kind of @url{https://en.wikipedia.org/wiki/Privoxy,
-Privoxy}, but it is not friendly with TLS connections, obviously.
+@item I am sick of tiny control on URLs. The best you can is to use some
+kind of @url{https://en.wikipedia.org/wiki/Privoxy, Privoxy}, but it is
+not friendly with TLS connections, obviously.
+
+@item Xombrero sometimes has problems with HTTP-based authorization.

 
 @item Hardly anyone does
 @url{https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities, DANE}
 checks.
 
 
 @item Hardly anyone does
 @url{https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities, DANE}
 checks.
 

+@item And there is insanity of downloading fonts.
+Why the hell people just do not send PostScript documents instead!?
+
+@item And wonderful @url{http://jpegxl.info/, JPEG XL} image format is
+not supported by most browsers. Even pretty old
+@url{https://developers.google.com/speed/webp, WebP}, that has highest
+compression ratio for lossless screenshots, is not supported everywhere.
+@url{https://aomediacodec.github.io/av1-avif/, AVIF} could be useful too.
+
+@item None of web browsers support ability to view web archives
+(@url{https://en.wikipedia.org/wiki/Web_ARChive, WARC}s). And most of
+WARC-related software is written on Python, that nowadays is close to be
+impossible to install and use with all its broken dependencies system.
+
+@item And yet another piece of software is needed for browsing the
+@url{https://en.wikipedia.org/wiki/Gemini_(protocol), geminispace}?
+Too many bicycles already!
+

 @end itemize
 
 That is why I wrote @command{tofuproxy} -- pure Go HTTP proxy, MitMing
 @end itemize
 
 That is why I wrote @command{tofuproxy} -- pure Go HTTP proxy, MitMing


@@ -49,110 +67,79 @@ creating some kind of complex configuration framework.
 
 @itemize
 
 
 @itemize
 

-@item Effective responses proxying, without storing them in the memory first.
-
-@item TLS connection between client and @command{tofuproxy} has the
-    proper hostname set in ephemeral on-the-fly generated certificate.
-
-@item @code{HEAD} method is forbidden, because of damned Xombrero loving
-    making it so much. Can live without it.
-
-@item @code{www.reddit.com} is redirected to @code{old.reddit.com}.
-
-@item Various spying domains (advertisement, tracking counters) are
-    responded with 404 error.
-
-@item All HTTP redirects are replaced with HTML page with the link.
-    However temporary redirects are passed as is for @code{newsboat}
-    User-Agent.
-
-@item Default Go's checks are applied to all certificates. If they pass,
-    then certificate chain is saved on the disk. Future connections are
-    compared against it, warning you about SPKI change and waiting for
-    your decision either to accept new chain (possibly once per
-    session), or reject it.
-
-@item Even when native Go's checks are failed, you can still make a
-    decision to forcefully trust the domain.
+@item
+@strong{Effective} responses proxying, without storing them in the memory first.

 
 

-@item Optionally DANE-EE check is also made for each domain you visit.
+@item
+TLS connection between client and @command{tofuproxy} has the
+@strong{proper hostname} set in ephemeral on-the-fly generated
+certificate.

 
 

-@end itemize
+@item
+@code{HEAD} method is forbidden.

 
 

-@image{dialog,,,Example dialog,.webp}
+@item
+@code{www.reddit.com} is redirected to @code{old.reddit.com}.

 
 

-@node Usage
-@unnumbered Usage
+@item
+@url{https://habr.com/ru/all/, Хабр}'s resolution reduced images are
+redirected to their full size variants.

 
 

-@itemize
+@item
+Various @strong{spying} domains (advertisement, tracking counters) are denied.

 
 

-@item Build @command{tofuproxy}:
+@item
+Web @strong{fonts} downloads are forbidden.

 
 

-@example
-$ git clone git://git.stargrave.org/tofuproxy.git
-$ cd tofuproxy
-$ go build
-@end example
+@item
+@strong{Permanent} HTTP redirects are replaced with HTML page with the link.

 
 @item
 
 @item

-Generate CA-capable certificate for the proxy, that will issue ephemeral
-certificate to proxied domains:
+@strong{Temporary} HTTP redirects are replaced with HTML too, if it is
+neither @url{https://newsboat.org/, Newsboat} nor image paths.

 
 

-@example
-$ redo cert.pem
-@end example
+@item
+@strong{WebP} images (if it is not Xombrero), @strong{JPEG XL} and
+@strong{AVIF} are transcoded to PNG.

 
 @item
 
 @item

-Create directory with output FIFOs and directory for stored certificate chains:
+Default Go's checks are applied to all certificates. If they pass, then
+certificate chain is saved on the disk (@strong{TOFU}). Future
+connections are compared against it, warning you about SPKI change
+(@strong{SPKI pinning}) and waiting for your decision either to accept
+new chain (possibly once per session), or reject it.

 
 

-@example
-$ ./mkfifos.sh
-$ mkdir certs
-@end example
+@item
+Even when native Go's checks are failed, you can still make a decision
+to forcefully trust the domain.

 
 @item
 
 @item

-Run @command{tofuproxy} itself. By default it will bind to
-@code{[::1]:8080}, use @code{[::1]:53} DNS server for DANE requests
-(set to an empty string to disable DANE lookups):
+@strong{HTTP-based authorization} requests are intercepted and
+user/password input dialogue is shown. It automatically loads
+@strong{initial form} values from @strong{@file{.netrc}}.

 
 

-@example
-$ ./tofuproxy
-main.go:316: listening: [::1]:8080
-@end example
+@item
+TLS @strong{client certificates} supported: separate dialogue window for
+certificate choice.

 
 

-@item Trust your newly generated CA:
+@item
+Optional @strong{DANE-EE} check is also made for each domain you visit.

 
 

-@example
-# cat /path/to/tofuproxy/cert.pem >> /etc/ssl/cert.pem
-@end example
+@item
+TLS @strong{session resumption} and @strong{keep-alives} are also supported.

 
 

-@item Point you HTTP/HTTPS clients to @code{http://localhost:8080}.
+@item
+And Go itself tries also to act as a @url{https://http2.github.io/, HTTP/2}
+client too.

 
 

-@item Watch logs with @url{https://github.com/halturin/multitail, multitail}:
+@item
+Ability to load and browse @url{https://en.wikipedia.org/wiki/Web_ARChive,
+WARC} archives, possibly @command{gzip}/@command{zstd} compressed.

 
 

-@example
-$ ./multitail.sh
-@end example
+@item
+Ability to browse geminispace, by transparent conversion to HTMLs with
+URL rewriting.

 
 @end itemize
 
 
 @end itemize
 

-When you encounter something requiring your attention and decision, you
-will be shown Tk-dialog through the @command{wish} invocation. GnuTLS'es
-@command{certtool} is used for certificate information printing.
-
-@node TODO
-@unnumbered TODO
-
-What I am planning possibly to do? Just brainstorming:
-
-@itemize
-
-@item JPEG-XL/WebP transparent converter to JPEG/PNG.
-
-@item HTTP authorization dialog.
-
-@item TLS client certificates usage capability.
-
-@item Web fonts download restriction.
-
-@end itemize
+@include usage.texi