mirror of
https://github.com/klzgrad/naiveproxy.git
synced 2024-11-28 08:16:09 +03:00
Update README.md
This commit is contained in:
parent
c199dfa762
commit
d00b248e8d
40
README.md
40
README.md
@ -6,18 +6,18 @@ The following traffic attacks are mitigated in NaïveProxy:
|
|||||||
|
|
||||||
* Website fingerprinting / traffic classification: [mitigated](https://arxiv.org/abs/1707.00641) by traffic multiplexing in HTTP/2.
|
* Website fingerprinting / traffic classification: [mitigated](https://arxiv.org/abs/1707.00641) by traffic multiplexing in HTTP/2.
|
||||||
* [TLS parameter fingerprinting](https://arxiv.org/abs/1607.01639): defeated by reusing [Chrome's network stack](https://www.chromium.org/developers/design-documents/network-stack).
|
* [TLS parameter fingerprinting](https://arxiv.org/abs/1607.01639): defeated by reusing [Chrome's network stack](https://www.chromium.org/developers/design-documents/network-stack).
|
||||||
* [Active probing](https://ensa.fi/active-probing/): defeated by *application fronting*, i.e. hiding proxy servers behind a commonly used frontend with application-layer routing.
|
* [Active probing](https://ensa.fi/active-probing/): defeated by *application fronting*, i.e. hiding proxy servers behind a commonly used frontend server with application-layer routing.
|
||||||
* Length-based traffic analysis: mitigated by length padding.
|
* Length-based traffic analysis: mitigated by length padding.
|
||||||
|
|
||||||
## Architecture
|
## Architecture
|
||||||
|
|
||||||
[Browser → Naïve (client)] ⟶ Censor ⟶ [Frontend → Naïve (server)] ⟶ Internet
|
[Browser → Naïve client] ⟶ Censor ⟶ [Frontend → Naïve server] ⟶ Internet
|
||||||
|
|
||||||
NaïveProxy uses Chrome's network stack. Its visible traffic behavior is identical to regular HTTP/2 traffic between Chrome and standard Frontend (e.g. Caddy, HAProxy).
|
NaïveProxy uses Chrome's network stack to ensure its observable behavior is identical to regular HTTP/2 traffic between Chrome and standard frontend servers.
|
||||||
|
|
||||||
Frontend also reroutes unauthenticated users and active probes to a backend HTTP server, making it impossible to detect the existence of a proxy, like this: Probe ⟶ Frontend ⟶ index.html
|
The frontend server can be any reverse proxy that is able to route HTTP/2 traffic based on HTTP authorization headers, preventing active probing of proxy existence. Known ones include Caddy with its forwardproxy plugin and HAProxy.
|
||||||
|
|
||||||
Starting from v84, users can run a naïve fork of Caddy forwardproxy without the Naïve server.
|
The Naïve server here works as a forwarding proxy and a packet length padding layer. Caddy forwardproxy is also a forwarding proxy but it lacks a padding layer. A [fork](https://github.com/klzgrad/forwardproxy) adds the NaïveProxy padding layer to Caddy forwardproxy, combining both in one.
|
||||||
|
|
||||||
## Download binaries
|
## Download binaries
|
||||||
|
|
||||||
@ -25,15 +25,17 @@ Starting from v84, users can run a naïve fork of Caddy forwardproxy without the
|
|||||||
|
|
||||||
Users should always use the latest version to keep signatures identical to Chrome.
|
Users should always use the latest version to keep signatures identical to Chrome.
|
||||||
|
|
||||||
## Setup
|
## Server setup
|
||||||
|
|
||||||
On the server, build and run Caddy v2 with naïve fork of forwardproxy:
|
The following describes the [naïve fork of Caddy](https://github.com/klzgrad/forwardproxy) setup.
|
||||||
|
|
||||||
|
Build:
|
||||||
```sh
|
```sh
|
||||||
go get -u github.com/caddyserver/xcaddy/cmd/xcaddy
|
go get -u github.com/caddyserver/xcaddy/cmd/xcaddy
|
||||||
~/go/bin/xcaddy build --with github.com/caddyserver/forwardproxy@caddy2=github.com/klzgrad/forwardproxy@naive
|
~/go/bin/xcaddy build --with github.com/caddyserver/forwardproxy@caddy2=github.com/klzgrad/forwardproxy@naive
|
||||||
sudo setcap cap_net_bind_service=+ep ./caddy
|
|
||||||
```
|
```
|
||||||
Then `./caddy start` with the following Caddyfile (replace `user` and `pass` accordingly):
|
|
||||||
|
Example Caddyfile (replace `user` and `pass` accordingly):
|
||||||
```
|
```
|
||||||
:443, example.com
|
:443, example.com
|
||||||
tls me@example.com
|
tls me@example.com
|
||||||
@ -47,9 +49,19 @@ route {
|
|||||||
file_server { root /var/www/html }
|
file_server { root /var/www/html }
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
`:443` must appear first for this Caddyfile to work. For more advanced usage consider using [JSON for Caddy 2's config](https://caddyserver.com/docs/json/)..
|
`:443` must appear first for this Caddyfile to work. For more advanced usage consider using [JSON for Caddy 2's config](https://caddyserver.com/docs/json/).
|
||||||
|
|
||||||
Locally run `./naive` with the following `config.json` to get a SOCKS5 proxy at local port 1080.
|
Run with the Caddyfile:
|
||||||
|
```
|
||||||
|
sudo setcap cap_net_bind_service=+ep ./caddy
|
||||||
|
./caddy start
|
||||||
|
```
|
||||||
|
|
||||||
|
See also [Systemd unit example](https://github.com/klzgrad/naiveproxy/wiki/Run-Caddy-as-a-daemon) and [HAProxy setup](https://github.com/klzgrad/naiveproxy/wiki/HAProxy-Setup).
|
||||||
|
|
||||||
|
## Client setup
|
||||||
|
|
||||||
|
Run `./naive` with the following `config.json` to get a SOCKS5 proxy at local port 1080.
|
||||||
```json
|
```json
|
||||||
{
|
{
|
||||||
"listen": "socks://127.0.0.1:1080",
|
"listen": "socks://127.0.0.1:1080",
|
||||||
@ -57,16 +69,16 @@ Locally run `./naive` with the following `config.json` to get a SOCKS5 proxy at
|
|||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
See [USAGE.txt](https://github.com/klzgrad/naiveproxy/blob/master/USAGE.txt) for more parameters in `config.json`. See also [Performance Tuning](https://github.com/klzgrad/naiveproxy/wiki/Performance-Tuning).
|
See also [parameter usage](https://github.com/klzgrad/naiveproxy/blob/master/USAGE.txt) and [performance tuning](https://github.com/klzgrad/naiveproxy/wiki/Performance-Tuning).
|
||||||
|
|
||||||
## Build from source
|
## Build from source
|
||||||
|
|
||||||
If you don't like to download binaries, you can build NaïveProxy.
|
If you don't like to download binaries, you can build NaïveProxy.
|
||||||
|
|
||||||
Prerequisites:
|
Prerequisites:
|
||||||
* Ubuntu (apt-get install): git, python, ninja-build (>= 1.7), pkg-config, curl, unzip, ccache (optional)
|
* Ubuntu (apt install): git, python, ninja-build (>= 1.7), pkg-config, curl, unzip, ccache (optional)
|
||||||
* MacOS (brew install): git, ninja, ccache (optional)
|
* MacOS (brew install): git, ninja, ccache (optional)
|
||||||
* Windows ([choco install](https://chocolatey.org/)): git, python, ninja, visualstudio2017community. See [Chromium's page](https://chromium.googlesource.com/chromium/src/+/master/docs/windows_build_instructions.md#Visual-Studio) for detail on Visual Studio setup requirements.
|
* Windows ([choco install](https://chocolatey.org/)): git, python, ninja, visualstudio2019community. See [Chromium's page](https://chromium.googlesource.com/chromium/src/+/master/docs/windows_build_instructions.md#Visual-Studio) for detail on Visual Studio requirements.
|
||||||
|
|
||||||
Build (output to `./out/Release/naive`):
|
Build (output to `./out/Release/naive`):
|
||||||
```
|
```
|
||||||
|
Loading…
Reference in New Issue
Block a user