naiveproxy/README.md
2019-02-05 16:28:05 +08:00

NaiveProxy

A secure, analysis-resistant proxy framework.

The main goal is to improve censorship resistance by reducing distinguishable traffic features. Privacy and integrity are simultaneously achieved through implementations of TLS best practices.

The following attacks are mitigated:

  • Website fingerprinting / traffic classification: mitigated by traffic multiplexing in HTTP/2.
  • TLS parameter fingerprinting: defeated by using identical behaviors from Chromium's network stack.
  • Active probing: defeated by application fronting, using a common frontend with application-layer routing capability, e.g. HAProxy.
  • Length-based traffic analysis: mitigated by length padding.

Download

See latest release.

Note: On Linux libnss3 must be installed before using the prebuilt binary.

Build

If you prefer not to use the downloaded binaries, you can build it from source.

  • Prerequisites:
    • Ubuntu (apt-get install): git, python2, ninja-build (>= 1.7), pkg-config, libnss3-dev, ccache (optional)
    • macOS (brew install): git, ninja, ccache (optional)
    • Windows (choco install): git, python2, ninja, visualstudio2017community. See Chromium's page for details on Visual Studio setup requirements.

Build it:

git clone https://github.com/klzgrad/naiveproxy.git
cd naiveproxy/src
./get-clang.sh
./build.sh

The build scripts download tools from Google servers with curl. If the downloads fail, try setting a proxy environment variable for curl, e.g.: export ALL_PROXY=socks5h://127.0.0.1:1080.

Verify:

./out/Release/naive --log &
curl -v --proxy socks5h://127.0.0.1:1080 google.com

Setup

Server setup is required first; see Server Setup.

There are three tiers of client setup:

  • The portable setup is clientless: point your browser directly to the server as an HTTPS proxy. You don't need to download, build, or run anything client-side, but this setup is prone to traffic analysis due to lack of obfuscation.
  • The fast setup improves performance by running Naive client locally as a SOCKS5 proxy. Point your browser to the address of Naive client. You don't need to run Naive server in this setup.
  • The full setup obfuscates traffic by running both Naive client and server. Point your browser to the local SOCKS5 proxy provided by Naive client.

To run Naive client:

./naive --proxy=https://user:pass@domainname.example

You can also store the config in config.json, example:

{
  "proxy": "https://user:pass@domainname.example"
}

Naive client will detect and read from config.json by default. The default listening port is 1080 as SOCKS5.
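
Because config.json holds the proxy credentials in plain text, it is worth auditing the file before starting the client. The following is an added example, not part of the NaiveProxy project: `audit_config` and `write_sample` are hypothetical names, the sample files are constructed, and the checks assume the https://user:pass@host form shown above and POSIX file permissions.

```python
import json
import os
import stat
import tempfile
from urllib.parse import urlsplit


def audit_config(path):
    """Return a list of findings for a Naive client config.json."""
    findings = []
    # The file embeds user:pass, so it should be readable by its owner only.
    # (POSIX permission bits; on Windows this check is not meaningful.)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"permissions {mode:04o} expose credentials; use 0600")
    with open(path, encoding="utf-8") as fh:
        try:
            config = json.load(fh)
        except json.JSONDecodeError as exc:
            return findings + [f"invalid JSON: {exc.msg}"]
    proxy = config.get("proxy") if isinstance(config, dict) else None
    if not isinstance(proxy, str):
        return findings + ['missing "proxy" string']
    url = urlsplit(proxy)
    # Assumption: only the https:// form shown on this page is expected.
    if url.scheme != "https":
        findings.append(f"scheme {url.scheme!r} is not the https:// form shown above")
    if not url.hostname:
        findings.append("proxy URL has no host name")
    if not (url.username and url.password):
        findings.append("proxy URL carries no user:pass credentials")
    return findings


def write_sample(text, mode):
    """Create a constructed sample config with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Constructed samples: the page's example config, stored two ways.
    good = write_sample('{"proxy": "https://user:pass@domainname.example"}', 0o600)
    weak = write_sample('{"proxy": "http://domainname.example"}', 0o644)
    for sample in (good, weak):
        print(sample, audit_config(sample) or "ok")
        os.remove(sample)
```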

For more information on parameter usage and Naive server, see USAGE.txt.

See also Parameter Tuning to improve client-side performance.