Add -tls-proxy-outbound-port flag to jafar (useful for non-HTTPS protocols)

Edit README to make it explicit that tlsproxy has nothing to do with HTTP and can be
used with any TCP protocol that does TLS handshakes.
ooni noob 2022-11-23 10:56:06 +01:00
parent a0dc65641d
commit 508c4293d5
4 changed files with 26 additions and 13 deletions


@ -156,14 +156,16 @@ response for every request whose `Host` contains the specified string.
### tls-proxy
TLS proxy is a proxy that routes traffic to specific servers depending
TLS proxy is a TCP proxy that routes traffic to specific servers depending
on their SNI value. It is controlled by the following flags:
```bash
-tls-proxy-address string
Address where the HTTP proxy should listen (default "127.0.0.1:443")
Address where the TCP+TLS proxy should listen (default "127.0.0.1:443")
-tls-proxy-block value
Register keyword triggering TLS censorship
Register SNI header keyword triggering TLS censorship
-tls-proxy-outbound-port
Define the outbound port requests are proxied to (default "443 for HTTPS)
```
The `-tls-proxy-address` flags has the same semantics it has for the DNS


@ -60,6 +60,7 @@ var (
tlsProxyAddress *string
tlsProxyBlock flagx.StringArray
tlsProxyOutboundPort *string
uncensoredResolverDoH *string
)
@ -159,12 +160,16 @@ func init() {
// tlsProxy
tlsProxyAddress = flag.String(
"tls-proxy-address", "127.0.0.1:443",
"Address where the HTTP proxy should listen",
"Address where the TCP+TLS proxy should listen",
)
flag.Var(
&tlsProxyBlock, "tls-proxy-block",
"Register keyword triggering TLS censorship",
)
tlsProxyOutboundPort = flag.String(
"tls-proxy-outbound-port", "443",
"The outbound port where requests should be proxied",
)
// uncensored
uncensoredResolverDoH = flag.String(
@ -227,7 +232,7 @@ func iptablesStart() *iptables.CensoringPolicy {
}
func tlsProxyStart(uncensored *uncensored.Client) net.Listener {
proxy := tlsproxy.NewCensoringProxy(tlsProxyBlock, uncensored)
proxy := tlsproxy.NewCensoringProxy(tlsProxyBlock, uncensored, tlsProxyOutboundPort)
listener, err := proxy.Start(*tlsProxyAddress)
runtimex.PanicOnError(err, "proxy.Start failed")
return listener
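Review bot: The value of `-tls-proxy-outbound-port` reaches the dialer unchecked: a typo such as `-tls-proxy-outbound-port=44a3` is only discovered when the first ClientHello arrives and `p.dial` fails inside the proxy, while jafar itself starts up as if it were configured correctly. Since the flag is deliberately a string (so service names like `https` keep working), I would validate it once in tlsProxyStart before building the proxy, e.g. `_, err := net.LookupPort("tcp", *tlsProxyOutboundPort)` followed by `runtimex.PanicOnError(err, "invalid -tls-proxy-outbound-port")` (importing `net` if main.go does not already). The closing brace of tlsProxyStart lies outside the hunk. Separately, the help text registered for `-tls-proxy-block` still reads "Register keyword triggering TLS censorship" while the README in this same commit now says "Register SNI header keyword triggering TLS censorship"; aligning the flag text keeps `-help` and the README consistent.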


@ -23,6 +23,7 @@ type Dialer interface {
type CensoringProxy struct {
keywords []string
dial func(network, address string) (net.Conn, error)
outboundPort string
}
// NewCensoringProxy creates a new CensoringProxy instance using
@ -31,13 +32,18 @@ type CensoringProxy struct {
// the SNII record of a ClientHello. dnsNetwork and dnsAddress are
// settings to configure the upstream, non censored DNS.
func NewCensoringProxy(
keywords []string, uncensored Dialer,
keywords []string, uncensored Dialer, outboundPort *string,
) *CensoringProxy {
defaultPort := "443"
if outboundPort == nil {
outboundPort = &defaultPort
}
return &CensoringProxy{
keywords: keywords,
dial: func(network, address string) (net.Conn, error) {
return uncensored.DialContext(context.Background(), network, address)
},
outboundPort: *outboundPort,
}
}
@ -146,7 +152,7 @@ func (p *CensoringProxy) handle(clientconn net.Conn) {
return
}
}
serverconn, err := p.dial("tcp", net.JoinHostPort(sni, "443"))
serverconn, err := p.dial("tcp", net.JoinHostPort(sni, p.outboundPort))
if err != nil {
log.WithError(err).Warn("tlsproxy: p.dial failed")
alertclose(clientconn)
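Review bot: Only a nil `outboundPort` falls back to "443" in NewCensoringProxy; an empty string is stored as-is and later reaches `net.JoinHostPort(sni, "")` in handle, yielding an address of the form `host:` that the dialer rejects on every proxied connection instead of failing once at construction. Treating empty like unset is a one-line change: `if outboundPort == nil || *outboundPort == "" {`. The constructor's doc comment still refers to `dnsNetwork` and `dnsAddress`, which are not parameters, and says nothing about the new one; I would add `// outboundPort is the TCP port dialed on the host named by the SNI; nil (or empty) selects 443.` Taking a plain `string` instead of a `*string` would also remove the nil check, since the caller already dereferences flag pointers elsewhere and tests could pass `""`, but that is a wider API change than this commit.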


@ -94,7 +94,7 @@ func TestFailWriteAfterConnect(t *testing.T) {
func TestListenError(t *testing.T) {
proxy := NewCensoringProxy(
[]string{""}, uncensored.NewClient("https://1.1.1.1/dns-query"),
[]string{""}, uncensored.NewClient("https://1.1.1.1/dns-query"), nil,
)
listener, err := proxy.Start("8.8.8.8:80")
if err == nil {
@ -107,7 +107,7 @@ func TestListenError(t *testing.T) {
func newproxy(t *testing.T, blocked string) net.Listener {
proxy := NewCensoringProxy(
[]string{blocked}, uncensored.NewClient("https://1.1.1.1/dns-query"),
[]string{blocked}, uncensored.NewClient("https://1.1.1.1/dns-query"), nil,
)
listener, err := proxy.Start("127.0.0.1:0")
if err != nil {