c/ooni-probe-cli
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: c/ooni-probe-cli:pr-smtpimap
Branches Tags
c/ooni-probe-cli:master c/ooni-probe-cli:pr-smtpimap c/ooni-probe-cli:pr-jafar c/ooni-probe-cli:jafar c/ooni-probe-cli:bittorrent c/ooni-probe-cli:failed-experiment
...
pull from: c/ooni-probe-cli:pr-jafar
Branches Tags
c/ooni-probe-cli:pr-smtpimap c/ooni-probe-cli:pr-jafar c/ooni-probe-cli:jafar c/ooni-probe-cli:bittorrent c/ooni-probe-cli:master c/ooni-probe-cli:failed-experiment

1 Commits
pr-smtpimap ... pr-jafar

Author SHA1 Message Date
ooninoob 508c4293d5 Add -tls-proxy-outbound-port flag to jafar (useful for non-HTTPS protocols) 
Edit README to make it explicit that tlsproxy has nothing to do with HTTP and can be
used with any TCP protocol that does TLS handshakes.
 2022-11-23 10:56:06 +01:00
4 changed files with 26 additions and 13 deletions
Expand all files Collapse all files
internal/cmd/jafar/README.md
+5 -3
View File
@@ -156,14 +156,16 @@ response for every request whose `Host` contains the specified string.
### tls-proxy
TLS proxy is a proxy that routes traffic to specific servers depending
TLS proxy is a TCP proxy that routes traffic to specific servers depending
on their SNI value. It is controlled by the following flags:
```bash
-tls-proxy-address string
Address where the HTTP proxy should listen (default "127.0.0.1:443")
Address where the TCP+TLS proxy should listen (default "127.0.0.1:443")
-tls-proxy-block value
Register keyword triggering TLS censorship
Register SNI header keyword triggering TLS censorship
-tls-proxy-outbound-port
Define the outbound port requests are proxied to (default "443 for HTTPS)
```
The `-tls-proxy-address` flags has the same semantics it has for the DNS
internal/cmd/jafar/main.go
+7 -2
View File
@@ -60,6 +60,7 @@ var (
tlsProxyAddress *string
tlsProxyBlock flagx.StringArray
tlsProxyOutboundPort *string
uncensoredResolverDoH *string
)
@@ -159,12 +160,16 @@ func init() {
// tlsProxy
tlsProxyAddress = flag.String(
"tls-proxy-address", "127.0.0.1:443",
"Address where the HTTP proxy should listen",
"Address where the TCP+TLS proxy should listen",
)
flag.Var(
&tlsProxyBlock, "tls-proxy-block",
"Register keyword triggering TLS censorship",
)
tlsProxyOutboundPort = flag.String(
"tls-proxy-outbound-port", "443",
"The outbound port where requests should be proxied",
)
// uncensored
uncensoredResolverDoH = flag.String(
@@ -227,7 +232,7 @@ func iptablesStart() *iptables.CensoringPolicy {
}
func tlsProxyStart(uncensored *uncensored.Client) net.Listener {
proxy := tlsproxy.NewCensoringProxy(tlsProxyBlock, uncensored)
proxy := tlsproxy.NewCensoringProxy(tlsProxyBlock, uncensored, tlsProxyOutboundPort)
listener, err := proxy.Start(*tlsProxyAddress)
runtimex.PanicOnError(err, "proxy.Start failed")
return listener
internal/cmd/jafar/tlsproxy/tlsproxy.go
+8 -2
View File
@@ -23,6 +23,7 @@ type Dialer interface {
type CensoringProxy struct {
keywords []string
dial func(network, address string) (net.Conn, error)
outboundPort string
}
// NewCensoringProxy creates a new CensoringProxy instance using
@@ -31,13 +32,18 @@ type CensoringProxy struct {
// the SNII record of a ClientHello. dnsNetwork and dnsAddress are
// settings to configure the upstream, non censored DNS.
func NewCensoringProxy(
keywords []string, uncensored Dialer,
keywords []string, uncensored Dialer, outboundPort *string,
) *CensoringProxy {
defaultPort := "443"
if outboundPort == nil {
outboundPort = &defaultPort
}
return &CensoringProxy{
keywords: keywords,
dial: func(network, address string) (net.Conn, error) {
return uncensored.DialContext(context.Background(), network, address)
},
outboundPort: *outboundPort,
}
}
@@ -146,7 +152,7 @@ func (p *CensoringProxy) handle(clientconn net.Conn) {
return
}
}
serverconn, err := p.dial("tcp", net.JoinHostPort(sni, "443"))
serverconn, err := p.dial("tcp", net.JoinHostPort(sni, p.outboundPort))
if err != nil {
log.WithError(err).Warn("tlsproxy: p.dial failed")
alertclose(clientconn)
internal/cmd/jafar/tlsproxy/tlsproxy_test.go
+2 -2
View File
@@ -94,7 +94,7 @@ func TestFailWriteAfterConnect(t *testing.T) {
func TestListenError(t *testing.T) {
proxy := NewCensoringProxy(
[]string{""}, uncensored.NewClient("https://1.1.1.1/dns-query"),
[]string{""}, uncensored.NewClient("https://1.1.1.1/dns-query"), nil,
)
listener, err := proxy.Start("8.8.8.8:80")
if err == nil {
@@ -107,7 +107,7 @@ func TestListenError(t *testing.T) {
func newproxy(t *testing.T, blocked string) net.Listener {
proxy := NewCensoringProxy(
[]string{blocked}, uncensored.NewClient("https://1.1.1.1/dns-query"),
[]string{blocked}, uncensored.NewClient("https://1.1.1.1/dns-query"), nil,
)
listener, err := proxy.Start("127.0.0.1:0")
if err != nil {