X-Git-Url: http://www.git.stargrave.org/?a=blobdiff_plain;f=doc%2Findex.texi;h=7d552be9cd4dfc5995ac70f995266dd411bf72b9;hb=6eee3c6c83cc535855e254426a90f7a2abba04ce;hp=a860f633086eb1f7e23096661b8ccd6f10564312;hpb=4877ccb6fc682f9f56b4a40532e62eda2625b3f8;p=tofuproxy.git diff --git a/doc/index.texi b/doc/index.texi index a860f63..7d552be 100644 --- a/doc/index.texi +++ b/doc/index.texi @@ -9,8 +9,6 @@ Copyright @copyright{} 2021 @email{stargrave@@stargrave.org, Sergey Matveev} @node Top @top tofuproxy -@image{logs,,,Example logs,.webp} - @itemize @item I am tired that various HTTPS clients (like browsers and feed @@ -36,6 +34,8 @@ extensions for that. kind of @url{https://en.wikipedia.org/wiki/Privoxy, Privoxy}, but it is not friendly with TLS connections, obviously. +@item Xombrero sometimes has problems with HTTP-based authorization. + @item Hardly anyone does @url{https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities, DANE} checks. @@ -44,8 +44,19 @@ checks. Why the hell people just do not send PostScript documents instead!? @item And wonderful @url{http://jpegxl.info/, JPEG XL} image format is -not supported by most browsers. Even pretty old WebP is not supported -everywhere. +not supported by most browsers. Even pretty old +@url{https://developers.google.com/speed/webp, WebP}, that has highest +compression ratio for lossless screenshots, is not supported everywhere. +@url{https://aomediacodec.github.io/av1-avif/, AVIF} could be useful too. + +@item None of web browsers support ability to view web archives +(@url{https://en.wikipedia.org/wiki/Web_ARChive, WARC}s). And most of +WARC-related software is written on Python, that nowadays is close to be +impossible to install and use with all its broken dependencies system. + +@item And yet another piece of software is needed for browsing the +@url{https://en.wikipedia.org/wiki/Gemini_(protocol), geminispace}? +Too many bicycles already! @end itemize 
@@ -56,116 +67,79 @@ creating some kind of complex configuration framework. @itemize -@item Effective responses proxying, without storing them in the memory first. - -@item TLS connection between client and @command{tofuproxy} has the - proper hostname set in ephemeral on-the-fly generated certificate. - -@item @code{HEAD} method is forbidden, because of damned Xombrero loving - making it so much. Can live without it. - -@item @code{www.reddit.com} is redirected to @code{old.reddit.com}. - -@item Various spying domains (advertisement, tracking counters) are - responded with 404 error. - -@item Web fonts downloads are replaced with 404 errors. - -@item All HTTP redirects are replaced with HTML page with the link. - However temporary redirects are passed as is for @code{newsboat} - User-Agent. - -@item WebP (except if User-Agent is Xombrero browser) and JPEG XL images - are transparently transcoded to PNG. - -@item Default Go's checks are applied to all certificates. If they pass, - then certificate chain is saved on the disk. Future connections are - compared against it, warning you about SPKI change and waiting for - your decision either to accept new chain (possibly once per - session), or reject it. - -@item Even when native Go's checks are failed, you can still make a - decision to forcefully trust the domain. - -@item Optionally DANE-EE check is also made for each domain you visit. - -@item TLS session resumption is also supported. +@item +@strong{Effective} responses proxying, without storing them in the memory first. -@item And Go itself tries also to act as a -@url{https://http2.github.io/, HTTP/2} client too. +@item +TLS connection between client and @command{tofuproxy} has the +@strong{proper hostname} set in ephemeral on-the-fly generated +certificate. -@end itemize +@item +@code{HEAD} method is forbidden. -@image{dialog,,,Example dialog,.webp} +@item +@code{www.reddit.com} is redirected to @code{old.reddit.com}. 
-@node Usage -@unnumbered Usage +@item +@url{https://habr.com/ru/all/, Хабр}'s resolution reduced images are +redirected to their full size variants. -@itemize +@item +Various @strong{spying} domains (advertisement, tracking counters) are denied. -@item Build @command{tofuproxy}: +@item +Web @strong{fonts} downloads are forbidden. -@example -$ git clone git://git.stargrave.org/tofuproxy.git -$ cd tofuproxy -$ go build -@end example +@item +@strong{Permanent} HTTP redirects are replaced with HTML page with the link. @item -Generate CA-capable certificate for the proxy, that will issue ephemeral -certificate to proxied domains: +@strong{Temporary} HTTP redirects are replaced with HTML too, if it is +neither @url{https://newsboat.org/, Newsboat} nor image paths. -@example -$ redo cert.pem -@end example +@item +@strong{WebP} images (if it is not Xombrero), @strong{JPEG XL} and +@strong{AVIF} are transcoded to PNG. @item -Create directory with output FIFOs and directory for stored certificate chains: +Default Go's checks are applied to all certificates. If they pass, then +certificate chain is saved on the disk (@strong{TOFU}). Future +connections are compared against it, warning you about SPKI change +(@strong{SPKI pinning}) and waiting for your decision either to accept +new chain (possibly once per session), or reject it. -@example -$ ./mkfifos.sh -$ mkdir certs -@end example +@item +Even when native Go's checks are failed, you can still make a decision +to forcefully trust the domain. @item -Run @command{tofuproxy} itself. By default it will bind to -@code{[::1]:8080}, use @code{[::1]:53} DNS server for DANE requests -(set to an empty string to disable DANE lookups): +@strong{HTTP-based authorization} requests are intercepted and +user/password input dialogue is shown. It automatically loads +@strong{initial form} values from @strong{@file{.netrc}}. 
-@example -$ ./tofuproxy -main.go:316: listening: [::1]:8080 -@end example +@item +TLS @strong{client certificates} supported: separate dialogue window for +certificate choice. -@item Trust your newly generated CA: +@item +Optional @strong{DANE-EE} check is also made for each domain you visit. -@example -# cat /path/to/tofuproxy/cert.pem >> /etc/ssl/cert.pem -@end example +@item +TLS @strong{session resumption} and @strong{keep-alives} are also supported. -@item Point you HTTP/HTTPS clients to @code{http://localhost:8080}. +@item +And Go itself tries also to act as a @url{https://http2.github.io/, HTTP/2} +client too. -@item Watch logs with @url{https://github.com/halturin/multitail, multitail}: +@item +Ability to load and browse @url{https://en.wikipedia.org/wiki/Web_ARChive, +WARC} archives, possibly @command{gzip}/@command{zstd} compressed. -@example -$ ./multitail.sh -@end example +@item +Ability to browse geminispace, by transparent conversion to HTMLs with +URL rewriting. @end itemize -When you encounter something requiring your attention and decision, you -will be shown Tk-dialog through the @command{wish} invocation. GnuTLS'es -@command{certtool} is used for certificate information printing. - -@node TODO -@unnumbered TODO - -What I am planning possibly to do? Just brainstorming: - -@itemize - -@item HTTP authorization dialog. - -@item TLS client certificates usage capability. - -@end itemize +@include usage.texi
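Review bot: in the first hunk (@@ -9,8 +9,6 @@), removing `@image{logs,,,Example logs,.webp}` without touching the asset leaves logs.webp unreferenced if it still sits in doc/; delete the image file in the same commit or say in the commit message why the screenshot goes, since the `@image{dialog,,,Example dialog,.webp}` reference is also dropped further down and the manual ends up with no visuals at all.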
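Review bot: the new motivation bullet in the second hunk (@@ -36,6 +34,8 @@), "Xombrero sometimes has problems with HTTP-based authorization", names a problem without saying what the proxy does about it, while the feature list later in this same patch adds interception of such requests; a trailing clause like "so @command{tofuproxy} intercepts them and shows its own dialogue" would connect the two. Also, what is meant here is HTTP authentication (Basic/Digest challenges), so "HTTP authentication" is the more precise term in both places.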
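Review bot: the WebP sentence in the third hunk (@@ -44,8 +44,19 @@), "that has highest compression ratio for lossless screenshots", is an unsupported superlative in a motivation list; soften it to "which compresses lossless screenshots well" or back it with a measurement. Grammar in the same hunk: "written on Python" should be "written in Python", "None of web browsers support ability to view web archives" should be "No web browser can view web archives", and "Too many bicycles already!" is a calque of the Russian idiom; "Too many reinvented wheels already!" is the English equivalent.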
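Review bot: in the fourth hunk (@@ -56,116 +67,79 @@) the rewritten bullets for spying domains ("are denied") and web fonts ("are forbidden") lose the detail the old text carried, namely that the proxy answers with a 404; keep the response code in the documentation so a user can tell a proxy block from a genuine upstream 404. The new @file{.netrc} bullet should also state how an entry is matched to the requesting origin (the `machine` name against the request host) and whether values are only pre-filled in the dialogue or submitted automatically, because a wrong match would hand credentials to the wrong site. Wording: "if it is neither Newsboat nor image paths" reads better as "unless the User-Agent is Newsboat or the path looks like an image", and "WebP images (if it is not Xombrero)" as "(unless the client is Xombrero)". Finally, `@include usage.texi` replaces the inlined Usage section, but no usage.texi appears in this diff; confirm it is added in the same commit, otherwise the manual no longer builds.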