Total Pageviews

Tuesday, 25 June 2019

sniproxy


A simple HTTP/SNI proxy, support SOCKS5 as upstream proxy.

Build

1. Linux/OS X/FreeBSD

install GNU Autotools, then:
# build libmill
curl -s -L https://github.com/sustrik/libmill/archive/master.tar.gz | tar -zxf -
mv libmill-master libmill
cd libmill
./autogen.sh
./configure --enable-shared=false
make libmill.la
cd ../
# build sniproxy
autoreconf -if
# export CFLAGS=-march=native
export CPPFLAGS=-I$(pwd)/libmill
export LDFLAGS=-L$(pwd)/libmill/.libs
./configure --prefix=/usr --sysconfdir=/etc
make
make check
sudo make install

2. Cross compile

# setup cross compile tool chain:
export PATH="$PATH:/pato/to/cross/compile/toolchain/bin/"
# build libmill
curl -s -L https://github.com/sustrik/libmill/archive/master.tar.gz | tar -zxf -
mv libmill-master libmill
cd libmill
./autogen.sh
./configure --enable-shared=false --host=arm-unknown-linux-gnueabihf
make libmill.la
cd ../
# build sniproxy
autoreconf -if
# export CFLAGS=-march=native
export CPPFLAGS=-I$(pwd)/libmill
export LDFLAGS=-L$(pwd)/libmill/.libs
./configure --host=arm-unknown-linux-gnueabihf \
    --prefix=/usr --sysconfdir=/etc
make

3. Build with static linking

append --enable-static while running ./configure

from https://github.com/puxxustc/sniproxy
--------------------------------------------

A simple SNI proxy written in go.

SNIProxyGo

一个简单的SNI代理的实现.

README in English: Here.

编译

  • go get gopkg.in/yaml.v2
  • go build

使用方式:

  • 打开443端口的访问权限
  • 修改config.yaml中的规则
  • 运行

命令行附加参数

  • -D 允许调试输出
  • -F log.txt 记录输出到文件
  • -c config.yaml 使用特定的config文件

感谢

部分代码来自: https://github.com/fangdingjun/sniproxy
io反射代码来自: https://github.com/ziozzang/SimpleSNIProxy

from https://github.com/TachibanaSuzume/SNIProxyGo

-----

SNI-Proxy-Server HTTP/HTTPs/IMAPs/POP3s/SMTPs Supporting Upstream Socks (based on puxxustc/sniproxy)  

SNI-SSL-Proxy

A sniproxy supporting incoming HTTP/HTTPS/IMAPs/POP3s/SMTPs traffic and upstream SOCKS5 proxy

SniProxy: proxify incoming connections based on the hostname contained in the initial request of the TCP session. This can be used to proxify connections based on domain names with a custom DNS server

When connecting to a domain through TLS/HTTPS the initial TCP session contain the domain name un-encrypted and thus sniproxy can redirect a TLS connection based on that initial negotiation without decrypting the traffic nor needing a private key. this technique require a custom DNS Server that redirect the targeted domains to our sniproxy server (dns server like Unbound, Bind or PowerDNS)

Example

Example: Domain > DNS > SniProxy > Socks5 > Real-Domain

Detailed example:

  1. Requesting https://www.example.com
  2. Our custom DNS Server resolve example.com to our Sniproxy-Server IP
  3. SniProxy intercept incoming connection requesting example.com
  4. SniProxy resolve example.com to get the real IP
  5. SniProxy tunnel the connection to upstream

Features

  • Supporting incoming HTTP/HTTPS/IMAPs/POP3s/SMTPs
  • Support upstream SOCKS5 proxy
  • Name-based proxying of HTTPS without decrypting traffic.
  • Supports both TLS and HTTP protocols.
  • Multi-thread
  • Etc.

Notes

SniProxy can not work as a classic proxy and require a custom DNS-Server/Host-File

Server Name Indication (SNI)

Is an extension to the TLS computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. The desired hostname is not encrypted in original SNI extension, so an eavesdropper can see which site is being requested.

Usage

sniproxy -a 127.0.0.1 -w 8 --socks5 192.168.0.5:1080

Custom DNS

Can be done with Firejail, setting the upstream DNS server can be necessary if the custom DNS-Server and SniProxy are on the same machine (to avoid a DNS loop) firejail --dns=8.8.8.8 --noprofile sniproxy -a 127.0.0.1 -w 8 --socks5 192.168.0.5:1080

Command Details

$ sniproxy -h
usage: socks5 [options]
  -h, --help            show this help
  -a <addr>             listen address, default: 0.0.0.0
  -w <num>              number of workers
  --socks5 HOST[:PORT]  SOCKS5 proxy to use

Listening Ports

HTTP: 80 
HTTPS: 443 
IMAPs: 993 
POP3s: 995 
SMTPs: 465, 587

Multiple Filter

Domain names filter (each domain go through different Socks) can by achieved by running multiple instances of sniproxy under different local IPs to handle different domains routing to different location

Example :

Domain1 -> 10.0.0.1 -> Sniproxy-instance-1 -> Socks5-A
Domain2 -> 10.0.0.2 -> Sniproxy-instance-2 -> Socks5-B

Build

Linux/OS X/FreeBSD

Install GNU Autotools, then:

# clone the project 
git clone https://github.com/Intika-Linux-Proxy/SNI-SSL-Proxy.git
cd SNI-SSL-Proxy
# build libmill
curl -s -L https://github.com/sustrik/libmill/archive/master.tar.gz | tar -zxf -
mv libmill-master libmill
cd libmill
./autogen.sh
./configure --enable-shared=false
make libmill.la
cd ../
# build sniproxy
autoreconf -if
# export CFLAGS=-march=native
export CPPFLAGS=-I$(pwd)/libmill
export LDFLAGS=-L$(pwd)/libmill/.libs
./configure --prefix=/usr --sysconfdir=/etc
make
make check
sudo make install

Cross compile

# clone the project 
git clone https://github.com/Intika-Linux-Proxy/SNI-SSL-Proxy.git
cd SNI-SSL-Proxy
# setup cross compile tool chain:
export PATH="$PATH:/pato/to/cross/compile/toolchain/bin/"
# build libmill
curl -s -L https://github.com/sustrik/libmill/archive/master.tar.gz | tar -zxf -
mv libmill-master libmill
cd libmill
./autogen.sh
./configure --enable-shared=false --host=arm-unknown-linux-gnueabihf
make libmill.la
cd ../
# build sniproxy
autoreconf -if
# export CFLAGS=-march=native
export CPPFLAGS=-I$(pwd)/libmill
export LDFLAGS=-L$(pwd)/libmill/.libs
./configure --host=arm-unknown-linux-gnueabihf \
    --prefix=/usr --sysconfdir=/etc
make

Build with static linking

append --enable-static while running ./configure

from https://github.com/Intika-Linux-Proxy/SNI-SSL-Proxy 

-----

https://github.com/liulilittle/sniproxy

-----


相关帖子:
https://briteming.blogspot.com/2016/03/bindstunnelsni-proxy.html
https://briteming.blogspot.com/2017/09/openrestysni-proxy.html
https://briteming.blogspot.com/2019/06/gfw-sni-socks5.html

No comments:

Post a Comment