sniproxy

Proxies incoming HTTP and TLS connections based on the hostname that is parsed from either HTTP Host header (for plain HTTP connections) or TLS ClientHello.

This allows transparent proxying of the network traffic by simply rerouting connections to the sniproxy. There are many ways to re-route traffic, but most often it is done either on the DNS level or by using iptables.

Features

Embedded DNS server that can be used to redirect traffic to the proxy.
Supports both TLS and plain HTTP.
Supports forwarding connections to an upstream SOCKS proxy.
Flexible rules for redirecting, forwarding, blocking or throttling connections.
Cross-platform and simple.

How to install

Using homebrew:
```
brew install ameshkov/tap/sniproxy
```

From source:

go install github.com/ameshkov/sniproxy

You can get a binary for your platform from the releases page.

Using `sniproxy`

Redirect all traffic to a SNI proxy

Run sniproxy and rewrite DNS responses to point to 1.2.3.4:
```
sudo sniproxy --dns-redirect-ipv4-to=1.2.3.4
```

You can test locally it with the following commands:

curl "https://example.org/" --dns-servers 127.0.0.1
curl "http://example.org/" --dns-servers 127.0.0.1

Not every curl version supports --dns-servers. Alternatively, use these commands:

curl "https://example.org/" --connect-to example.org:443:127.0.0.1:443
curl "http://example.org/" --connect-to example.org:80:127.0.0.1:80

Now you should just point your device to the DNS server that is running on your computer.

Forward all traffic to a proxy

Run sniproxy, rewrite DNS responses to point to 1.2.3.4, :

sudo sniproxy \
    --dns-redirect-ipv4-to=1.2.3.4 \
    --forward-proxy="socks5://127.0.0.1:1080"

Now every connection will be re-routed to the SOCKS5 proxy on 127.0.0.1:1080.

You can choose which domains are re-routed. For instance, here only example. org and example.com will be re-routed through the SOCKS5 proxy:

sudo sniproxy \
    --dns-redirect-ipv4-to=1.2.3.4 \
    --forward-proxy="socks5://127.0.0.1:1080" \
    --forward-rule=example.org \
    --forward-rule=example.com

It also supports HTTP and HTTPS proxies. Here's an example:

sudo sniproxy \
    --dns-redirect-ipv4-to=1.2.3.4 \
    --forward-proxy="http://127.0.0.1:8080" \
    --forward-rule=example.org \
    --forward-rule=example.com

Block domains

You may want to block access to some domains. There are two options of how it can be done: --block-rule or --drop-rule. If the connection matches a --block-rule, the connection will be closed immediately. If the connection matches a --drop-rule, the connection will "hang" for a hard-coded limit of 3 minutes before it will be closed.

Here's how block or drop connections to domains:

sudo sniproxy \
    --dns-redirect-ipv4-to=1.2.3.4 \
    --block-rule=example.org \
    --block-rule=example.com \
    --drop-rule=example.net

Throttle connections

If you need to emulate slow network, use bandwidth-rate to set the desired bytes-per-sec rate.

sudo sniproxy \
    --dns-redirect-ipv4-to=1.2.3.4 \
    --bandwidth-rate=1000

You can also throttle connections to individual domains using bandwidth-rule.

sudo sniproxy \
    --dns-redirect-ipv4-to=1.2.3.4 \
    --bandwidth-rule="example.*:5000"

Command-line arguments

Usage:
  sniproxy [OPTIONS]

Application Options:
      --dns-address=          IP address that the DNS proxy server will be
                              listening to. (default: 0.0.0.0)
      --dns-port=             Port the DNS proxy server will be listening to.
                              (default: 53)
      --dns-upstream=         The address of the DNS server the proxy will
                              forward queries that are not rewritten by
                              sniproxy. (default: 8.8.8.8)
      --dns-redirect-ipv4-to= IPv4 address that will be used for redirecting
                              type A DNS queries.
      --dns-redirect-ipv6-to= IPv6 address that will be used for redirecting
                              type AAAA DNS queries.
      --dns-redirect-rule=    Wildcard that defines which domains should be
                              redirected to the SNI proxy. Can be specified
                              multiple times. (default: *)
      --http-address=         IP address the SNI proxy server will be listening
                              for plain HTTP connections. (default: 0.0.0.0)
      --http-port=            Port the SNI proxy server will be listening for
                              plain HTTP connections. (default: 80)
      --tls-address=          IP address the SNI proxy server will be listening
                              for TLS connections. (default: 0.0.0.0)
      --tls-port=             Port the SNI proxy server will be listening for
                              TLS connections. (default: 443)
      --bandwidth-rate=       Bytes per second the connections speed will be
                              limited to. If not set, there is no limit.
                              (default: 0)
      --bandwidth-rule=       Allows to define connection speed in bytes/sec
                              for domains that match the wildcard. Example:
                              example.*:1024. Can be specified multiple times.
      --forward-proxy=        Address of a SOCKS/HTTP/HTTPS proxy that the
                              connections will be forwarded to according to
                              forward-rule.
      --forward-rule=         Wildcard that defines what connections will be
                              forwarded to forward-proxy. Can be specified
                              multiple times. If no rules are specified, all
                              connections will be forwarded to the proxy.
      --block-rule=           Wildcard that defines connections to which
                              domains should be blocked. Can be specified
                              multiple times.
      --drop-rule=            Wildcard that defines connections to which
                              domains should be dropped (i.e. delayed for a
                              hard-coded period of 3 minutes. Can be specified
                              multiple times.
      --verbose               Verbose output (optional)
      --output=               Path to the log file. If not set, write to stdout.

Help Options:
  -h, --help                  Show this help message

Debugging locally

If you want to contribute to sniproxy, here are some tips on how to debug it locally.

First, you rarely want to run with sudo and instead you'd prefer to use high ports. sniproxy provides command-line arguments for that.

./sniproxy \
    --dns-address=127.0.0.1 \
    --dns-port=5354 \
    --dns-upstream=8.8.8.8 \
    --dns-redirect-ipv4-to=127.0.0.1 \
    --dns-redirect-rule=example.org \
    --dns-redirect-rule=example.com \
    --tls-address=127.0.0.1 \
    --tls-port=8443 \
    --http-address=127.0.0.1 \
    --http-port=8080 \
    --forward-proxy="socks5://127.0.0.1:1080" \
    --verbose

It is easy to use curl to debug sniproxy:

# HTTPS request
curl "https://example.org/" --connect-to example.org:443:127.0.0.1:8443

# Plain HTTP request
curl "http://example.org/" --connect-to example.org:80:127.0.0.1:8080

Use mitmproxy to debug sniproxy with forwarding rules:

# Run mitmproxy in SOCKS mode
mitmweb --mode=socks5

# Forward connections to mitmproxy
./sniproxy \
    --dns-address=127.0.0.1 \
    --dns-port=5354 \
    --dns-upstream=8.8.8.8 \
    --dns-redirect-ipv4-to=127.0.0.1 \
    --dns-redirect-rule=example.org \
    --dns-redirect-rule=example.com \
    --tls-address=127.0.0.1 \
    --tls-port=8443 \
    --http-address=127.0.0.1 \
    --http-port=8080 \
    --forward-proxy="socks5://127.0.0.1:1080" \
    --verbose

# Check that the connections were properly forwarded
curl "https://example.org/" --connect-to example.org:443:127.0.0.1:8443 --insecure
curl "http://example.org/" --connect-to example.org:80:127.0.0.1:8080

Download

sniproxy.zip

Comments(2)

1

Add support for HTTP(S) proxy w/ CONNECT method
This set of changes introduces support for HTTP(S) proxies supporting CONNECT method. Also optional basic authentication is supported. Example:
```
sniproxy --dns-redirect-ipv4-to=1.1.1.1 --forward-proxy='https://admin:[email protected]'
```
2

dnsproxy in sniproxy doesn't handle non-address requests

https://github.com/ameshkov/sniproxy/blob/master/internal/dnsproxy/dnsproxy.go#L85

apparently, resolve is not happening for non-A and -AAAA requests. Please fix ASAP!!!

SNI proxy with embedded DNS server that supports blocking and forwarding rules.

sniproxy

Features

How to install

Using `sniproxy`

Redirect all traffic to a SNI proxy

Forward all traffic to a proxy

Block domains

Throttle connections

Command-line arguments

Debugging locally

Download

Comments(2)

Add support for HTTP(S) proxy w/ CONNECT method

dnsproxy in sniproxy doesn't handle non-address requests

Popular Tag

Related

⏰ Easily schedule non-blocking tasks in Go. Supports durations, specific times and intervals.

A tool for checking the Repository Rules, Branch Protection Rules and Team Permissions.

This is a simple tool to help you build AWS Fraud Detector rules. It is not a replacement for the AWS Fraud Detector console, but it can help you build rules faster.

A demo server that acts as a DNS proxy and HTTP server (including WebSocket server).

A DNS server that offers useful utilities and services over the DNS protocol.

I made this proxy library because i could not find any library that supports all proxy types that are common. (http/s, socks4, socks5, socks4a)

🚀 fast 🚀 robust 🚀 asynchronous🚀 lightweight🚀 production-ready🚀 cloud-native🚀 non-blocking🚀 hello world web server.

Gorox is an HTTP server, application server, microservice server, and proxy server.

A cascading stream forwarding unit for scalable, distributed voice and video conferencing over Matrix

This is an application which is using gosoline and TLS-Client to run a simple request forwarding service with the option to use specific tls fingerprints which are implemented in TLS-client

Thread safe, blocking, generic, and infinite dequeue data structure for Go

Grpc proxy/http proxy/tcp proxy

Simple DNS bench util that supports encrypted protocols.

Ratus is a RESTful asynchronous task queue server. It translated concepts of distributed task queues into a set of resources that conform to REST principles and provides a consistent HTTP API for various backends based on embedded or external storage engines.

A reverse proxy of ChatGPT-API that supports token load-rebalance and avoids token leakage

Simple reverse proxy that forwards and receives request to and from target server. Hides end server IP address.

CLI tool for generating random messages with rules & publishing to the cloud services (SQS,SNS,PUB/SUB and etc.)

StateTrooper is a Go package that provides a finite state machine (FSM) for managing states. It allows you to define and enforce state transitions based on predefined rules.

Steve's Virtual Machine (SVM) is a simplistic virtual machine built to be easily parsed, extended and embedded into other software.

A single binary containing `kubectl`, `helm`, and `flux` embedded as subcommands.

SNI proxy with embedded DNS server that supports blocking and forwarding rules.

sniproxy

Features

How to install

Using sniproxy

Redirect all traffic to a SNI proxy

Forward all traffic to a proxy

Block domains

Throttle connections

Command-line arguments

Debugging locally

Download

Comments(2)

Add support for HTTP(S) proxy w/ CONNECT method

dnsproxy in sniproxy doesn't handle non-address requests

Popular Tag

Related

Using `sniproxy`