Add -tls-proxy-outbound-port flag to jafar (useful for non-HTTPS protocols)

Edit README to make it explicit that tlsproxy has nothing to do with HTTP and can be
used with any TCP protocol that does TLS handshakes.
ooni noob 2022-11-23 10:56:06 +01:00
parent a0dc65641d
commit 508c4293d5
4 changed files with 26 additions and 13 deletions


@ -156,14 +156,16 @@ response for every request whose `Host` contains the specified string.
### tls-proxy ### tls-proxy
TLS proxy is a proxy that routes traffic to specific servers depending TLS proxy is a TCP proxy that routes traffic to specific servers depending
on their SNI value. It is controlled by the following flags: on their SNI value. It is controlled by the following flags:
```bash ```bash
-tls-proxy-address string -tls-proxy-address string
Address where the HTTP proxy should listen (default "127.0.0.1:443") Address where the TCP+TLS proxy should listen (default "127.0.0.1:443")
-tls-proxy-block value -tls-proxy-block value
Register keyword triggering TLS censorship Register SNI header keyword triggering TLS censorship
-tls-proxy-outbound-port
Define the outbound port requests are proxied to (default "443 for HTTPS)
``` ```
The `-tls-proxy-address` flags has the same semantics it has for the DNS The `-tls-proxy-address` flags has the same semantics it has for the DNS


@ -60,6 +60,7 @@ var (
tlsProxyAddress *string tlsProxyAddress *string
tlsProxyBlock flagx.StringArray tlsProxyBlock flagx.StringArray
tlsProxyOutboundPort *string
uncensoredResolverDoH *string uncensoredResolverDoH *string
) )
@ -159,12 +160,16 @@ func init() {
// tlsProxy // tlsProxy
tlsProxyAddress = flag.String( tlsProxyAddress = flag.String(
"tls-proxy-address", "127.0.0.1:443", "tls-proxy-address", "127.0.0.1:443",
"Address where the HTTP proxy should listen", "Address where the TCP+TLS proxy should listen",
) )
flag.Var( flag.Var(
&tlsProxyBlock, "tls-proxy-block", &tlsProxyBlock, "tls-proxy-block",
"Register keyword triggering TLS censorship", "Register keyword triggering TLS censorship",
) )
tlsProxyOutboundPort = flag.String(
"tls-proxy-outbound-port", "443",
"The outbound port where requests should be proxied",
)
// uncensored // uncensored
uncensoredResolverDoH = flag.String( uncensoredResolverDoH = flag.String(
@ -227,7 +232,7 @@ func iptablesStart() *iptables.CensoringPolicy {
} }
func tlsProxyStart(uncensored *uncensored.Client) net.Listener { func tlsProxyStart(uncensored *uncensored.Client) net.Listener {
proxy := tlsproxy.NewCensoringProxy(tlsProxyBlock, uncensored) proxy := tlsproxy.NewCensoringProxy(tlsProxyBlock, uncensored, tlsProxyOutboundPort)
listener, err := proxy.Start(*tlsProxyAddress) listener, err := proxy.Start(*tlsProxyAddress)
runtimex.PanicOnError(err, "proxy.Start failed") runtimex.PanicOnError(err, "proxy.Start failed")
return listener return listener
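Review bot: The value of `-tls-proxy-outbound-port` travels unchecked from `flag.String` into `net.JoinHostPort` inside the proxy, so a mistyped value (say `-tls-proxy-outbound-port 44a3`, a constructed example) is only noticed as a per-connection `p.dial failed` warning instead of at startup. Since `tlsProxyStart` already panics on a bad listen address, validate the port there before building the proxy: `_, err := strconv.ParseUint(*tlsProxyOutboundPort, 10, 16)` followed by `runtimex.PanicOnError(err, "invalid -tls-proxy-outbound-port")` (this needs `strconv` imported, if main.go does not import it already). The default "443" is now declared twice, once here in `flag.String` and again as the nil fallback inside `NewCensoringProxy`; a comment on the flag such as `// "443" must match the fallback in tlsproxy.NewCensoringProxy` would help keep them aligned. The `-tls-proxy-block` help text still says "keyword" while the README in this commit now says "SNI header keyword"; the two could use the same wording.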


@ -23,6 +23,7 @@ type Dialer interface {
type CensoringProxy struct { type CensoringProxy struct {
keywords []string keywords []string
dial func(network, address string) (net.Conn, error) dial func(network, address string) (net.Conn, error)
outboundPort string
} }
// NewCensoringProxy creates a new CensoringProxy instance using // NewCensoringProxy creates a new CensoringProxy instance using
@ -31,13 +32,18 @@ type CensoringProxy struct {
// the SNII record of a ClientHello. dnsNetwork and dnsAddress are // the SNII record of a ClientHello. dnsNetwork and dnsAddress are
// settings to configure the upstream, non censored DNS. // settings to configure the upstream, non censored DNS.
func NewCensoringProxy( func NewCensoringProxy(
keywords []string, uncensored Dialer, keywords []string, uncensored Dialer, outboundPort *string,
) *CensoringProxy { ) *CensoringProxy {
defaultPort := "443"
if outboundPort == nil {
outboundPort = &defaultPort
}
return &CensoringProxy{ return &CensoringProxy{
keywords: keywords, keywords: keywords,
dial: func(network, address string) (net.Conn, error) { dial: func(network, address string) (net.Conn, error) {
return uncensored.DialContext(context.Background(), network, address) return uncensored.DialContext(context.Background(), network, address)
}, },
outboundPort: *outboundPort,
} }
} }
@ -146,7 +152,7 @@ func (p *CensoringProxy) handle(clientconn net.Conn) {
return return
} }
} }
serverconn, err := p.dial("tcp", net.JoinHostPort(sni, "443")) serverconn, err := p.dial("tcp", net.JoinHostPort(sni, p.outboundPort))
if err != nil { if err != nil {
log.WithError(err).Warn("tlsproxy: p.dial failed") log.WithError(err).Warn("tlsproxy: p.dial failed")
alertclose(clientconn) alertclose(clientconn)
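Review bot: The nil fallback in `NewCensoringProxy` does not cover an empty string, so `-tls-proxy-outbound-port ""` yields `net.JoinHostPort(sni, "")` in `handle` and every upstream dial then fails; widening the guard to `if outboundPort == nil || *outboundPort == "" {` keeps the 443 default for both cases. The doc comment above the constructor was not updated for the new parameter and still describes `dnsNetwork` and `dnsAddress`, which the signature does not have; a sentence such as `// outboundPort is the TCP port appended to the SNI when dialing upstream; nil selects 443.` should be added and the stale sentence dropped. Taking `*string` only to dereference it once at construction is more indirection than the API needs — a plain `string` with `""` meaning the default would remove the nil check entirely, though that is a style choice. The `handle` function in the last hunk starts and ends outside the hunk.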


@ -94,7 +94,7 @@ func TestFailWriteAfterConnect(t *testing.T) {
func TestListenError(t *testing.T) { func TestListenError(t *testing.T) {
proxy := NewCensoringProxy( proxy := NewCensoringProxy(
[]string{""}, uncensored.NewClient("https://1.1.1.1/dns-query"), []string{""}, uncensored.NewClient("https://1.1.1.1/dns-query"), nil,
) )
listener, err := proxy.Start("8.8.8.8:80") listener, err := proxy.Start("8.8.8.8:80")
if err == nil { if err == nil {
@ -107,7 +107,7 @@ func TestListenError(t *testing.T) {
func newproxy(t *testing.T, blocked string) net.Listener { func newproxy(t *testing.T, blocked string) net.Listener {
proxy := NewCensoringProxy( proxy := NewCensoringProxy(
[]string{blocked}, uncensored.NewClient("https://1.1.1.1/dns-query"), []string{blocked}, uncensored.NewClient("https://1.1.1.1/dns-query"), nil,
) )
listener, err := proxy.Start("127.0.0.1:0") listener, err := proxy.Start("127.0.0.1:0")
if err != nil { if err != nil {
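Review bot: Both call sites only pass `nil` for the new parameter, so neither the nil-to-443 fallback nor an explicitly supplied port is covered by any test; `newproxy` can stay as it is, but a small constructor test would pin the behaviour this commit adds. The test below reads the unexported `outboundPort` field, which should be fine since this file presumably is an in-package test (it calls `NewCensoringProxy` unqualified). `TestListenError` and `newproxy` both continue past the hunk.
```go
func TestNewCensoringProxyOutboundPort(t *testing.T) {
	client := uncensored.NewClient("https://1.1.1.1/dns-query")
	if p := NewCensoringProxy([]string{""}, client, nil); p.outboundPort != "443" {
		t.Fatalf("nil outboundPort: got %q, want 443", p.outboundPort)
	}
	port := "8443"
	if p := NewCensoringProxy([]string{""}, client, &port); p.outboundPort != "8443" {
		t.Fatalf("explicit outboundPort: got %q, want 8443", p.outboundPort)
	}
}
```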