A sniproxy supporting incoming HTTP/HTTPS/IMAPs/POP3s/SMTPs traffic and upstream SOCKS5 proxy
SniProxy: proxify incoming connections based on the hostname contained in the initial request of the TCP session. This can be used to proxify connections based on domain names with a custom DNS server
When connecting to a domain through TLS/HTTPS the initial TCP session contain the domain name un-encrypted and thus sniproxy can redirect a TLS connection based on that initial negotiation without decrypting the traffic nor needing a private key. this technique require a custom DNS Server that redirect the targeted domains to our sniproxy server (dns server like Unbound, Bind or PowerDNS)
Example: Domain > DNS > SniProxy > Socks5 > Real-Domain
Detailed example:
- Requesting https://www.example.com
- Our custom DNS Server resolve example.com to our Sniproxy-Server IP
- SniProxy intercept incoming connection requesting example.com
- SniProxy resolve example.com to get the real IP
- SniProxy tunnel the connection to upstream
- Supporting incoming HTTP/HTTPS/IMAPs/POP3s/SMTPs
- Support upstream SOCKS5 proxy
- Name-based proxying of HTTPS without decrypting traffic.
- Supports both TLS and HTTP protocols.
- Multi-thread
- Etc.
SniProxy can not work as a classic proxy and require a custom DNS-Server/Host-File
Is an extension to the TLS computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. The desired hostname is not encrypted in original SNI extension, so an eavesdropper can see which site is being requested.
sniproxy -a 127.0.0.1 -w 8 --socks5 192.168.0.5:1080
Can be done with Firejail, setting the upstream DNS server can be necessary if the custom DNS-Server and SniProxy are on the same machine (to avoid a DNS loop)
firejail --dns=8.8.8.8 --noprofile sniproxy -a 127.0.0.1 -w 8 --socks5 192.168.0.5:1080
$ sniproxy -h
usage: socks5 [options]
-h, --help show this help
-a <addr> listen address, default: 0.0.0.0
-w <num> number of workers
--socks5 HOST[:PORT] SOCKS5 proxy to use
HTTP: 80
HTTPS: 443
IMAPs: 993
POP3s: 995
SMTPs: 465, 587
Domain names filter (each domain go through different Socks) can by achieved by running multiple instances of sniproxy under different local IPs to handle different domains routing to different location
Example :
Domain1 -> 10.0.0.1 -> Sniproxy-instance-1 -> Socks5-A
Domain2 -> 10.0.0.2 -> Sniproxy-instance-2 -> Socks5-B
Install GNU Autotools, then:
# clone the project
git clone https://github.com/Intika-Linux-Proxy/SNI-SSL-Proxy.git
cd SNI-SSL-Proxy
# build libmill
curl -s -L https://github.com/sustrik/libmill/archive/master.tar.gz | tar -zxf -
mv libmill-master libmill
cd libmill
./autogen.sh
./configure --enable-shared=false
make libmill.la
cd ../
# build sniproxy
autoreconf -if
# export CFLAGS=-march=native
export CPPFLAGS=-I$(pwd)/libmill
export LDFLAGS=-L$(pwd)/libmill/.libs
./configure --prefix=/usr --sysconfdir=/etc
make
make check
sudo make install
# clone the project
git clone https://github.com/Intika-Linux-Proxy/SNI-SSL-Proxy.git
cd SNI-SSL-Proxy
# setup cross compile tool chain:
export PATH="$PATH:/pato/to/cross/compile/toolchain/bin/"
# build libmill
curl -s -L https://github.com/sustrik/libmill/archive/master.tar.gz | tar -zxf -
mv libmill-master libmill
cd libmill
./autogen.sh
./configure --enable-shared=false --host=arm-unknown-linux-gnueabihf
make libmill.la
cd ../
# build sniproxy
autoreconf -if
# export CFLAGS=-march=native
export CPPFLAGS=-I$(pwd)/libmill
export LDFLAGS=-L$(pwd)/libmill/.libs
./configure --host=arm-unknown-linux-gnueabihf \
--prefix=/usr --sysconfdir=/etc
make
append --enable-static
while running ./configure
.
Copyright (C) 2019, Intika [email protected]
Copyright (C) 2016, Xiaoxiao [email protected]
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.