A simple HTTP/SNI proxy that supports SOCKS5 as an upstream proxy.
Build
1. Linux/OS X/FreeBSD
Install GNU Autotools, then:
# build libmill
curl -s -L https://github.com/sustrik/libmill/archive/master.tar.gz | tar -zxf -
mv libmill-master libmill
cd libmill
./autogen.sh
./configure --enable-shared=false
make libmill.la
cd ../
# build sniproxy
autoreconf -if
# export CFLAGS=-march=native
export CPPFLAGS=-I$(pwd)/libmill
export LDFLAGS=-L$(pwd)/libmill/.libs
./configure --prefix=/usr --sysconfdir=/etc
make
make check
sudo make install
2. Cross compile
# setup cross compile tool chain:
export PATH="$PATH:/path/to/cross/compile/toolchain/bin/"
# build libmill
curl -s -L https://github.com/sustrik/libmill/archive/master.tar.gz | tar -zxf -
mv libmill-master libmill
cd libmill
./autogen.sh
./configure --enable-shared=false --host=arm-unknown-linux-gnueabihf
make libmill.la
cd ../
# build sniproxy
autoreconf -if
# export CFLAGS=-march=native
export CPPFLAGS=-I$(pwd)/libmill
export LDFLAGS=-L$(pwd)/libmill/.libs
./configure --host=arm-unknown-linux-gnueabihf \
--prefix=/usr --sysconfdir=/etc
make
3. Build with static linking
Append --enable-static when running ./configure
from https://github.com/puxxustc/sniproxy
--------------------------------------------
A simple SNI proxy written in Go.
SNIProxyGo
A simple implementation of an SNI proxy.
README in English: Here.
Build
- go get gopkg.in/yaml.v2
- go build
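Usage:
- Open access to port 443
- Edit the rules in config.yaml
- Run
Additional command-line arguments
- -D enable debug output
- -F log.txt write output to a file
- -c config.yaml use a specific config file
Thanks
Some of the code comes from: https://github.com/fangdingjun/sniproxy
The I/O reflection code comes from: https://github.com/ziozzang/SimpleSNIProxy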
from https://github.com/TachibanaSuzume/SNIProxyGo
-----
SNI-Proxy-Server HTTP/HTTPs/IMAPs/POP3s/SMTPs Supporting Upstream Socks (based on puxxustc/sniproxy)
SNI-SSL-Proxy
A sniproxy supporting incoming HTTP/HTTPS/IMAPs/POP3s/SMTPs traffic and upstream SOCKS5 proxy
SniProxy proxies incoming connections based on the hostname contained in the initial request of the TCP session. Together with a custom DNS server, this can be used to proxy connections by domain name.
When a client connects to a domain over TLS/HTTPS, the initial request of the TCP session contains the domain name unencrypted, so sniproxy can redirect a TLS connection based on that initial negotiation without decrypting the traffic or needing a private key. This technique requires a custom DNS server (such as Unbound, Bind or PowerDNS) that redirects the targeted domains to the sniproxy server.
Example
Example: Domain > DNS > SniProxy > Socks5 > Real-Domain
Detailed example:
- The client requests https://www.example.com
- Our custom DNS server resolves example.com to the IP of our SniProxy server
- SniProxy intercepts the incoming connection requesting example.com
- SniProxy resolves example.com to get the real IP
- SniProxy tunnels the connection to the upstream
Features
- Supporting incoming HTTP/HTTPS/IMAPs/POP3s/SMTPs
- Support upstream SOCKS5 proxy
- Name-based proxying of HTTPS without decrypting traffic.
- Supports both TLS and HTTP protocols.
- Multi-threaded
- Etc.
Notes
SniProxy cannot work as a classic proxy; it requires a custom DNS server or hosts file.
Server Name Indication (SNI)
SNI is an extension to the TLS computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent of HTTP/1.1 name-based virtual hosting, but for HTTPS. The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested.
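Added example, not code from any of the projects quoted on this page: a bounds-checked C parser that reads the cleartext server_name extension described above out of a ClientHello, which is the same data both a name-based proxy and an eavesdropper see. The function name and the sample bytes are constructed for illustration, and the parser assumes the whole ClientHello arrives in a single TLS record.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Returns the SNI name length, 0 if no SNI is present, -1 if malformed. */
int sni_from_client_hello(const uint8_t *b, size_t n, char *out, size_t outsz)
{
    size_t p = 43, end, len;  /* 43 = record hdr + handshake hdr + version + random */
    if (n < 5 || b[0] != 0x16) return -1;          /* not a handshake record */
    end = 5 + be16(b + 3);                         /* end of the TLS record */
    if (end > n || end < 44 || b[5] != 0x01) return -1;   /* not a ClientHello */
    p += 1 + b[p];                                 /* session id */
    if (p + 2 > end) return -1;
    p += 2 + be16(b + p);                          /* cipher suites */
    if (p + 1 > end) return -1;
    p += 1 + b[p];                                 /* compression methods */
    if (p + 2 > end) return p == end ? 0 : -1;     /* no extensions block */
    len = be16(b + p); p += 2;
    if (p + len > end) return -1;
    end = p + len;                                 /* end of extensions */
    while (p + 4 <= end) {
        size_t type = be16(b + p), elen = be16(b + p + 2);
        p += 4;
        if (p + elen > end) return -1;
        if (type == 0x0000) {                      /* server_name extension */
            if (elen < 5 || b[p + 2] != 0x00) return -1;  /* host_name only */
            len = be16(b + p + 3);
            if (len == 0 || 5 + len > elen || len >= outsz) return -1;
            if (memchr(b + p + 5, 0, len)) return -1;     /* embedded NUL */
            memcpy(out, b + p + 5, len); out[len] = '\0';
            return (int)len;
        }
        p += elen;
    }
    return 0;
}

/* Constructed sample: minimal ClientHello record with SNI www.example.com. */
static const uint8_t SAMPLE[] =
    "\x16\x03\x01\x00\x47" "\x01\x00\x00\x43" "\x03\x03"  /* headers, version */
    "\0\0\0\0\0\0\0\0" "\0\0\0\0\0\0\0\0" "\0\0\0\0\0\0\0\0" "\0\0\0\0\0\0\0\0"
    "\x00" "\x00\x02\xc0\x2f" "\x01\x00"    /* session id, suites, compression */
    "\x00\x18" "\x00\x00\x00\x14" "\x00\x12\x00\x00\x0f" "www.example.com";
int main(void) {
    char host[256];
    int r = sni_from_client_hello(SAMPLE, sizeof SAMPLE - 1, host, sizeof host);
    return r > 0 && puts(host) >= 0 ? 0 : 1;
}
```

Every length field is checked against the enclosing record before it is used, so a truncated or inconsistent ClientHello is rejected rather than read past.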
Usage
sniproxy -a 127.0.0.1 -w 8 --socks5 192.168.0.5:1080
Custom DNS
Setting the upstream DNS server can be necessary if the custom DNS server and SniProxy are on the same machine (to avoid a DNS loop). This can be done with Firejail:
firejail --dns=8.8.8.8 --noprofile sniproxy -a 127.0.0.1 -w 8 --socks5 192.168.0.5:1080
Command Details
$ sniproxy -h
usage: socks5 [options]
-h, --help show this help
-a <addr> listen address, default: 0.0.0.0
-w <num> number of workers
--socks5 HOST[:PORT] SOCKS5 proxy to use
Listening Ports
HTTP: 80
HTTPS: 443
IMAPs: 993
POP3s: 995
SMTPs: 465, 587
Multiple Filter
Domain name filtering (each domain going through a different SOCKS proxy) can be achieved by running multiple instances of sniproxy on different local IPs, so that different domains are routed to different locations.
Example:
Domain1 -> 10.0.0.1 -> Sniproxy-instance-1 -> Socks5-A
Domain2 -> 10.0.0.2 -> Sniproxy-instance-2 -> Socks5-B
Build
Linux/OS X/FreeBSD
Install GNU Autotools, then:
# clone the project
git clone https://github.com/Intika-Linux-Proxy/SNI-SSL-Proxy.git
cd SNI-SSL-Proxy
# build libmill
curl -s -L https://github.com/sustrik/libmill/archive/master.tar.gz | tar -zxf -
mv libmill-master libmill
cd libmill
./autogen.sh
./configure --enable-shared=false
make libmill.la
cd ../
# build sniproxy
autoreconf -if
# export CFLAGS=-march=native
export CPPFLAGS=-I$(pwd)/libmill
export LDFLAGS=-L$(pwd)/libmill/.libs
./configure --prefix=/usr --sysconfdir=/etc
make
make check
sudo make install
Cross compile
# clone the project
git clone https://github.com/Intika-Linux-Proxy/SNI-SSL-Proxy.git
cd SNI-SSL-Proxy
# setup cross compile tool chain:
export PATH="$PATH:/path/to/cross/compile/toolchain/bin/"
# build libmill
curl -s -L https://github.com/sustrik/libmill/archive/master.tar.gz | tar -zxf -
mv libmill-master libmill
cd libmill
./autogen.sh
./configure --enable-shared=false --host=arm-unknown-linux-gnueabihf
make libmill.la
cd ../
# build sniproxy
autoreconf -if
# export CFLAGS=-march=native
export CPPFLAGS=-I$(pwd)/libmill
export LDFLAGS=-L$(pwd)/libmill/.libs
./configure --host=arm-unknown-linux-gnueabihf \
--prefix=/usr --sysconfdir=/etc
make
Build with static linking
Append --enable-static when running ./configure
from https://github.com/Intika-Linux-Proxy/SNI-SSL-Proxy
-----
https://github.com/liulilittle/sniproxy
-----
Related posts:
https://briteming.blogspot.com/2016/03/bindstunnelsni-proxy.html
https://briteming.blogspot.com/2017/09/openrestysni-proxy.html