
ooninoob 508c4293d5 Add -tls-proxy-outbound-port flag to jafar (useful for non-HTTPS protocols)
Edit README to make it explicit that tlsproxy has nothing to do with HTTP and can be
used with any TCP protocol that does TLS handshakes.
2022-11-23 10:56:06 +01:00
4 changed files with 26 additions and 13 deletions
+5 -3
@@ -156,14 +156,16 @@ response for every request whose `Host` contains the specified string.
### tls-proxy ### tls-proxy
TLS proxy is a proxy that routes traffic to specific servers depending TLS proxy is a TCP proxy that routes traffic to specific servers depending
on their SNI value. It is controlled by the following flags: on their SNI value. It is controlled by the following flags:
```bash ```bash
-tls-proxy-address string -tls-proxy-address string
Address where the HTTP proxy should listen (default "127.0.0.1:443") Address where the TCP+TLS proxy should listen (default "127.0.0.1:443")
-tls-proxy-block value -tls-proxy-block value
Register keyword triggering TLS censorship Register SNI header keyword triggering TLS censorship
-tls-proxy-outbound-port
Define the outbound port requests are proxied to (default "443 for HTTPS)
``` ```
The `-tls-proxy-address` flags has the same semantics it has for the DNS The `-tls-proxy-address` flags has the same semantics it has for the DNS
+9 -4
@@ -58,8 +58,9 @@ var (
tag *string tag *string
tlsProxyAddress *string tlsProxyAddress *string
tlsProxyBlock flagx.StringArray tlsProxyBlock flagx.StringArray
tlsProxyOutboundPort *string
uncensoredResolverDoH *string uncensoredResolverDoH *string
) )
@@ -159,12 +160,16 @@ func init() {
// tlsProxy // tlsProxy
tlsProxyAddress = flag.String( tlsProxyAddress = flag.String(
"tls-proxy-address", "127.0.0.1:443", "tls-proxy-address", "127.0.0.1:443",
"Address where the HTTP proxy should listen", "Address where the TCP+TLS proxy should listen",
) )
flag.Var( flag.Var(
&tlsProxyBlock, "tls-proxy-block", &tlsProxyBlock, "tls-proxy-block",
"Register keyword triggering TLS censorship", "Register keyword triggering TLS censorship",
) )
tlsProxyOutboundPort = flag.String(
"tls-proxy-outbound-port", "443",
"The outbound port where requests should be proxied",
)
// uncensored // uncensored
uncensoredResolverDoH = flag.String( uncensoredResolverDoH = flag.String(
@@ -227,7 +232,7 @@ func iptablesStart() *iptables.CensoringPolicy {
} }
func tlsProxyStart(uncensored *uncensored.Client) net.Listener { func tlsProxyStart(uncensored *uncensored.Client) net.Listener {
proxy := tlsproxy.NewCensoringProxy(tlsProxyBlock, uncensored) proxy := tlsproxy.NewCensoringProxy(tlsProxyBlock, uncensored, tlsProxyOutboundPort)
listener, err := proxy.Start(*tlsProxyAddress) listener, err := proxy.Start(*tlsProxyAddress)
runtimex.PanicOnError(err, "proxy.Start failed") runtimex.PanicOnError(err, "proxy.Start failed")
return listener return listener
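Review bot: tlsProxyStart hands the raw `*tlsProxyOutboundPort` string to NewCensoringProxy without validating it, so a mistyped port is only discovered when the first proxied connection fails inside p.dial, whereas this file already fails fast at startup via runtimex.PanicOnError for the listen address. Checking the value once before building the proxy keeps that behaviour: `_, err := net.LookupPort("tcp", *tlsProxyOutboundPort)` followed by `runtimex.PanicOnError(err, "invalid -tls-proxy-outbound-port")`, with the existing `listener, err := proxy.Start(*tlsProxyAddress)` changed to use `=`. The same call passes the flag as a `*string` while `*tlsProxyAddress` is dereferenced on the next line; flag.String never returns nil, so passing `*tlsProxyOutboundPort` would be more consistent, though that would touch the constructor signature this commit introduces in tlsproxy. The help text of the new flag in the init hunk could also say which proxy it belongs to, e.g. `"Port the TCP+TLS proxy dials on the upstream server"`.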
+10 -4
@@ -21,8 +21,9 @@ type Dialer interface {
// CensoringProxy is a censoring TLS proxy // CensoringProxy is a censoring TLS proxy
type CensoringProxy struct { type CensoringProxy struct {
keywords []string keywords []string
dial func(network, address string) (net.Conn, error) dial func(network, address string) (net.Conn, error)
outboundPort string
} }
// NewCensoringProxy creates a new CensoringProxy instance using // NewCensoringProxy creates a new CensoringProxy instance using
@@ -31,13 +32,18 @@ type CensoringProxy struct {
// the SNII record of a ClientHello. dnsNetwork and dnsAddress are // the SNII record of a ClientHello. dnsNetwork and dnsAddress are
// settings to configure the upstream, non censored DNS. // settings to configure the upstream, non censored DNS.
func NewCensoringProxy( func NewCensoringProxy(
keywords []string, uncensored Dialer, keywords []string, uncensored Dialer, outboundPort *string,
) *CensoringProxy { ) *CensoringProxy {
defaultPort := "443"
if outboundPort == nil {
outboundPort = &defaultPort
}
return &CensoringProxy{ return &CensoringProxy{
keywords: keywords, keywords: keywords,
dial: func(network, address string) (net.Conn, error) { dial: func(network, address string) (net.Conn, error) {
return uncensored.DialContext(context.Background(), network, address) return uncensored.DialContext(context.Background(), network, address)
}, },
outboundPort: *outboundPort,
} }
} }
@@ -146,7 +152,7 @@ func (p *CensoringProxy) handle(clientconn net.Conn) {
return return
} }
} }
serverconn, err := p.dial("tcp", net.JoinHostPort(sni, "443")) serverconn, err := p.dial("tcp", net.JoinHostPort(sni, p.outboundPort))
if err != nil { if err != nil {
log.WithError(err).Warn("tlsproxy: p.dial failed") log.WithError(err).Warn("tlsproxy: p.dial failed")
alertclose(clientconn) alertclose(clientconn)
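Review bot: The nil guard in NewCensoringProxy only covers an absent pointer, so an empty string passed through the pointer is stored unchanged and the later `net.JoinHostPort(sni, p.outboundPort)` in handle yields `host:`, making every upstream dial fail; widening the guard to `if outboundPort == nil || *outboundPort == "" { outboundPort = &defaultPort }` keeps the documented default for both cases. The doc comment above the constructor still describes dnsNetwork and dnsAddress parameters that are not in the signature and says nothing about the new one; a line such as `// outboundPort is the upstream port dialed for the SNI host; nil selects "443".` would bring it up to date. The port is operator-supplied configuration rather than data from the client connection, so no further sanitisation is needed here, but a non-numeric value is likewise only rejected at dial time, which callers may prefer to catch at construction.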
+2 -2
@@ -94,7 +94,7 @@ func TestFailWriteAfterConnect(t *testing.T) {
func TestListenError(t *testing.T) { func TestListenError(t *testing.T) {
proxy := NewCensoringProxy( proxy := NewCensoringProxy(
[]string{""}, uncensored.NewClient("https://1.1.1.1/dns-query"), []string{""}, uncensored.NewClient("https://1.1.1.1/dns-query"), nil,
) )
listener, err := proxy.Start("8.8.8.8:80") listener, err := proxy.Start("8.8.8.8:80")
if err == nil { if err == nil {
@@ -107,7 +107,7 @@ func TestListenError(t *testing.T) {
func newproxy(t *testing.T, blocked string) net.Listener { func newproxy(t *testing.T, blocked string) net.Listener {
proxy := NewCensoringProxy( proxy := NewCensoringProxy(
[]string{blocked}, uncensored.NewClient("https://1.1.1.1/dns-query"), []string{blocked}, uncensored.NewClient("https://1.1.1.1/dns-query"), nil,
) )
listener, err := proxy.Start("127.0.0.1:0") listener, err := proxy.Start("127.0.0.1:0")
if err != nil { if err != nil {
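Review bot: Both updated call sites pass nil, so the new outboundPort parameter is only exercised through its default and nothing in this file checks that a supplied port is stored and used. A minimal check is `p := "8443"` followed by `if got := NewCensoringProxy(nil, nil, &p).outboundPort; got != p { t.Fatal(got) }` (constructed port value; the dial closure is not invoked at construction, so a nil Dialer is acceptable there). Letting newproxy accept the port as a parameter would additionally let the existing handshake tests run against a non-default port; newproxy's body continues past the end of this hunk.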