diff --git a/.appveyor.yml b/.appveyor.yml index 6737217647..015f4dd200 100644 --- a/.appveyor.yml +++ b/.appveyor.yml @@ -2,19 +2,21 @@ branches: except: - dev version: '{build}' +platform: + - x64 + - x86 image: Visual Studio 2017 install: - cinst ninja cache: - - '%USERPROFILE%\.cargo\bin' - '%LOCALAPPDATA%\Mozilla\sccache' build_script: - bash ./tools/import-upstream.sh - bash -c 'cd src; ./get-clang.sh' - bash -c '~/.cargo/bin/sccache -s' - - bash -c 'cd src; ./build.sh' + - bash -c 'cd src; EXTRA_FLAGS=target_cpu=\"$Platform\" ./build.sh' - bash -c '~/.cargo/bin/sccache -s' - - ps: $env:BUILD_NAME="naiveproxy-$env:APPVEYOR_REPO_TAG_NAME-win64" + - ps: $env:BUILD_NAME="naiveproxy-$env:APPVEYOR_REPO_TAG_NAME-win-$env:PLATFORM" - bash -c 'mkdir $BUILD_NAME' - bash -c 'cp src/out/Release/naive.exe src/config.json LICENSE USAGE.txt $BUILD_NAME' - bash -c '7z a $BUILD_NAME.zip $BUILD_NAME' diff --git a/README.md b/README.md index a7332e84c8..075fccda30 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ A secure, censorship-resistent proxy. -NaïveProxy is naive as it reuses standard protocols (HTTP/2, HTTP/3) and common network stacks (Chrome, Caddy) with little variation. By being as common and boring as possible NaïveProxy is practically indistinguishable from mainstream traffic. Reusing common software stacks also ensures best practices in performance and security. +NaïveProxy is naïve as it reuses standard protocols (HTTP/2, HTTP/3) and common network stacks (Chrome, Caddy) with little variation. By being as common and boring as possible NaïveProxy is practically indistinguishable from mainstream traffic. Reusing common software stacks also ensures best practices in performance and security. The following attacks are mitigated: 
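Review bot: The two added steps read the platform under different spellings: the bash build step expands `$Platform`, while the PowerShell step that names the artifact uses `$env:PLATFORM`. PowerShell ignores case in environment variable names but bash does not, so if the CI exports the variable only as `PLATFORM`, the build step would receive an empty `target_cpu` even though the zip is still labelled per platform. I would use one spelling in both places, matching the name the CI actually exports. A short comment above `platform:` such as `# values are passed to gn as target_cpu via EXTRA_FLAGS` would also help.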
@@ -13,7 +13,7 @@ The following attacks are mitigated: ## Architecture -[Browser → Naive (client)] ⟶ Censor ⟶ [Frontend → Naive (server)] ⟶ Internet +[Browser → Naïve (client)] ⟶ Censor ⟶ [Frontend → Naïve (server)] ⟶ Internet NaïveProxy uses Chrome's network stack. What the censor can see is exactly regular HTTP/2 traffic between Chrome and standard Frontend (e.g. Caddy, HAProxy). @@ -29,12 +29,18 @@ Note: On Linux libnss3 must be installed before using the prebuilt binary. ## Setup -Locally run `./naive --proxy=https://user:pass@domain.example` and point the browser to a SOCKS5 proxy at port 1080. +On the server, download Caddy (from https://caddyserver.com/download with plugin: http.forwardproxy): +``` +curl -OJ 'https://caddyserver.com/download/linux/amd64?plugins=http.forwardproxy&license=personal' +tar xf ./caddy_*.tar.gz +sudo setcap cap_net_bind_service=+ep caddy +``` -On the server run `./caddy` as the frontend with the following Caddyfile +Run `./caddy` with the following Caddyfile (replace the example values accordingly): ``` domain.example root /var/www/html +tls myemail@example.com forwardproxy { basicauth user pass hide_ip 
@@ -43,9 +49,28 @@ forwardproxy { upstream http://127.0.0.1:8080 } ``` -and `./naive --listen=http://127.0.0.1:8080` behind it. See [Server Setup](https://github.com/klzgrad/naiveproxy/wiki/Server-Setup) for more details on building Caddy and enabling QUIC. -For more information on parameter usage and format of `config.json`, see [USAGE.txt](https://github.com/klzgrad/naiveproxy/blob/master/USAGE.txt). See also [Parameter Tuning](https://github.com/klzgrad/naiveproxy/wiki/Parameter-Tuning) to improve client-side performance. +and `./naive` with the following `config.json`: +```json +{ + "listen": "http:/127.0.0.1:8080", + "padding": true +} +``` + +Locally run `./naive` with `config.json`: +```json +{ + "listen": "socks://127.0.0.1:1080", + "proxy": "https://user:pass@domain.example", + "padding": true +} +``` +to get a SOCKS5 proxy at local port 1080. + +See [USAGE.txt](https://github.com/klzgrad/naiveproxy/blob/master/USAGE.txt) on how to configure `config.json`. See also [Parameter Tuning](https://github.com/klzgrad/naiveproxy/wiki/Parameter-Tuning) to improve client-side performance. + +It's possible to run Caddy without Naive server, but you need to remove `padding` from `config.json` and `upstream` from Caddyfile. ## Build @@ -56,7 +81,6 @@ Prerequisites: * MacOS (brew install): git, ninja, ccache (optional) * Windows ([choco install](https://chocolatey.org/)): git, python2, ninja, visualstudio2017community. See [Chromium's page](https://chromium.googlesource.com/chromium/src/+/master/docs/windows_build_instructions.md#Visual-Studio) for detail on Visual Studio setup requirements. - Build (output to `./out/Release/naive`): ``` git clone https://github.com/klzgrad/naiveproxy.git 
@@ -64,7 +88,7 @@ cd naiveproxy/src ./get-clang.sh ./build.sh ``` -The scripts download tools from Google servers with curl. If there is trouble try to set a proxy environment variable for curl, e.g. `export ALL_PROXY=socks5h://127.0.0.1:1080`. +The scripts download tools from Google servers with curl. You may need to set a proxy environment variable for curl, e.g. `export ALL_PROXY=socks5h://127.0.0.1:1080`. ## FAQ diff --git a/src/build.sh b/src/build.sh index 6d26318199..bd2f5394df 100755 --- a/src/build.sh +++ b/src/build.sh @@ -6,16 +6,16 @@ mkdir -p "$TMPDIR" if [ "$1" = debug ]; then out=out/Debug - flags=' + flags="$EXTRA_FLAGS is_debug=true - is_component_build=true' + is_component_build=true" else out=out/Release - flags=' + flags="$EXTRA_FLAGS is_official_build=true use_jumbo_build=true exclude_unwind_tables=true - symbol_level=0' + symbol_level=0" fi if which ccache >/dev/null 2>&1; then diff --git a/src/config.json b/src/config.json index 5a99f11c98..40fe351e6f 100644 --- a/src/config.json +++ b/src/config.json @@ -1,6 +1,5 @@ { "listen": "socks://127.0.0.1:1080", "proxy": "https://user:pass@domain.example", - "padding": false, "log": "" } diff --git a/src/get-clang.sh b/src/get-clang.sh index 1d3396f743..d5ba13b9ca 100755 --- a/src/get-clang.sh +++ b/src/get-clang.sh @@ -31,14 +31,9 @@ fi # sccache (Windows) if [ "$ARCH" = Windows ]; then - export PATH="$PATH:$HOME/.cargo/bin" - if ! which cargo >/dev/null 2>&1; then - curl -OJ https://win.rustup.rs/ - ./rustup-init.exe -y -v --no-modify-path - fi - if ! which sccache >/dev/null 2>&1; then - cargo install --git https://github.com/mozilla/sccache.git - fi + sccache_url="https://github.com/mozilla/sccache/releases/download/0.2.8/sccache-0.2.8-x86_64-pc-windows-msvc.tar.gz" + mkdir -p ~/.cargo/bin + curl -L "$sccache_url" | tar xzf - --strip=1 -C ~/.cargo/bin fi # gn diff --git a/tests/basic.sh b/tests/basic.sh index a6c22516a8..69de22b615 100755 --- a/tests/basic.sh +++ b/tests/basic.sh 
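Review bot: `$EXTRA_FLAGS` is now spliced into the head of `flags` in both the debug and release branches, but nothing in the hunk documents it or gives it a default. Because the name is generic and read from the ambient environment, a value left over in a developer's shell would silently change a release build. I would write it as `flags="${EXTRA_FLAGS:-}` so the script also works under `set -u`, and add a comment above the `if` such as `# EXTRA_FLAGS: optional extra gn args from the environment, e.g. target_cpu="x86"`. How `flags` is consumed lies outside the hunk, so whether the value needs further quoting for gn cannot be judged from here.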
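Review bot: The new sccache step pipes `curl -L "$sccache_url"` straight into `tar` and unpacks into `~/.cargo/bin` without checking the archive against a known digest, yet the CI build then runs that binary. Pinning the 0.2.8 release URL fixes the version but not the content, so I would download to a temporary file, compare its SHA-256 with a value committed next to the URL, and extract only on a match. Without `-f` on curl, and with no `pipefail` visible in this hunk, an HTTP error body is handed to tar and the step's exit status is tar's alone. The digest in the sketch below is a placeholder to be replaced with the value computed from the release asset. The rest of the script lies outside the hunk.

```shell
  sccache_url="https://github.com/mozilla/sccache/releases/download/0.2.8/sccache-0.2.8-x86_64-pc-windows-msvc.tar.gz"
  # Placeholder: replace with the SHA-256 of the 0.2.8 release tarball.
  sccache_sha256='<SHA256_OF_SCCACHE_0_2_8_TARBALL>'
  sccache_tgz=$(mktemp) || exit 1
  # -f makes curl fail on HTTP errors instead of saving the error page.
  curl -fL -o "$sccache_tgz" "$sccache_url" || exit 1
  # Refuse to unpack anything whose digest does not match the pinned value.
  echo "$sccache_sha256  $sccache_tgz" | sha256sum -c - || exit 1
  # … unchanged: mkdir -p ~/.cargo/bin …
  tar xzf "$sccache_tgz" --strip=1 -C ~/.cargo/bin
  rm -f "$sccache_tgz"
```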
@@ -32,63 +32,63 @@ test_naive() { test_naive 'Default config' socks5h://127.0.0.1:1080 '--log' -echo '{"listen":"socks://127.0.0.1:61080","log":""}' >config.json -test_naive 'Default config file' socks5h://127.0.0.1:61080 '' +echo '{"listen":"socks://127.0.0.1:60101","log":""}' >config.json +test_naive 'Default config file' socks5h://127.0.0.1:60101 '' rm -f config.json -echo '{"listen":"socks://127.0.0.1:61080","log":""}' >/tmp/config.json -test_naive 'Config file' socks5h://127.0.0.1:61080 '/tmp/config.json' +echo '{"listen":"socks://127.0.0.1:60201","log":""}' >/tmp/config.json +test_naive 'Config file' socks5h://127.0.0.1:60201 '/tmp/config.json' rm -f /tmp/config.json test_naive 'Trivial - listen scheme only' socks5h://127.0.0.1:1080 \ '--log --listen=socks://' -test_naive 'Trivial - listen no host' socks5h://127.0.0.1:61080 \ - '--log --listen=socks://:61080' +test_naive 'Trivial - listen no host' socks5h://127.0.0.1:60301 \ + '--log --listen=socks://:60301' test_naive 'Trivial - listen no port' socks5h://127.0.0.1:1080 \ '--log --listen=socks://127.0.0.1' -test_naive 'SOCKS-SOCKS' socks5h://127.0.0.1:11080 \ - '--log --listen=socks://:11080 --proxy=socks://127.0.0.1:21080' \ - '--log --listen=socks://:21080' +test_naive 'SOCKS-SOCKS' socks5h://127.0.0.1:60401 \ + '--log --listen=socks://:60401 --proxy=socks://127.0.0.1:60402' \ + '--log --listen=socks://:60402' -test_naive 'SOCKS-SOCKS - proxy no port' socks5h://127.0.0.1:11080 \ - '--log --listen=socks://:11080 --proxy=socks://127.0.0.1' \ +test_naive 'SOCKS-SOCKS - proxy no port' socks5h://127.0.0.1:60501 \ + '--log --listen=socks://:60501 --proxy=socks://127.0.0.1' \ '--log --listen=socks://:1080' -test_naive 'SOCKS-HTTP' socks5h://127.0.0.1:11080 \ - '--log --listen=socks://:11080 --proxy=http://127.0.0.1:28080' \ - '--log --listen=http://:28080' - -test_naive 'HTTP-HTTP' http://127.0.0.1:18080 \ - '--log --listen=http://:18080 --proxy=http://127.0.0.1:28080' \ - '--log --listen=http://:28080' - 
-test_naive 'HTTP-SOCKS' http://127.0.0.1:18080 \ - '--log --listen=http://:18080 --proxy=http://127.0.0.1:21080' \ - '--log --listen=http://:21080' - -test_naive 'SOCKS-HTTP padded' socks5h://127.0.0.1:11080 \ - '--log --listen=socks://:11080 --proxy=http://127.0.01:28080 --padding' \ - '--log --listen=http://:28080 --padding' - -test_naive 'SOCKS-SOCKS-SOCKS' socks5h://127.0.0.1:11080 \ - '--log --listen=socks://:11080 --proxy=socks://127.0.0.1:21080' \ - '--log --listen=socks://:21080 --proxy=socks://127.0.0.1:31080' \ - '--log --listen=socks://:31080' - -test_naive 'SOCKS-HTTP-SOCKS' socks5h://127.0.0.1:11080 \ - '--log --listen=socks://:11080 --proxy=socks://127.0.0.1:28080' \ - '--log --listen=socks://:28080 --proxy=socks://127.0.0.1:31080' \ - '--log --listen=socks://:31080' - -test_naive 'HTTP-SOCKS-HTTP' socks5h://127.0.0.1:18080 \ - '--log --listen=socks://:18080 --proxy=socks://127.0.0.1:21080' \ - '--log --listen=socks://:21080 --proxy=socks://127.0.0.1:38080' \ - '--log --listen=socks://:38080' - -test_naive 'HTTP-HTTP-HTTP' socks5h://127.0.0.1:18080 \ - '--log --listen=socks://:18080 --proxy=socks://127.0.0.1:28080' \ - '--log --listen=socks://:28080 --proxy=socks://127.0.0.1:38080' \ - '--log --listen=socks://:38080' +test_naive 'SOCKS-HTTP' socks5h://127.0.0.1:60601 \ + '--log --listen=socks://:60601 --proxy=http://127.0.0.1:60602' \ + '--log --listen=http://:60602' + +test_naive 'HTTP-HTTP' http://127.0.0.1:60701 \ + '--log --listen=http://:60701 --proxy=http://127.0.0.1:60702' \ + '--log --listen=http://:60702' + +test_naive 'HTTP-SOCKS' http://127.0.0.1:60801 \ + '--log --listen=http://:60801 --proxy=http://127.0.0.1:60802' \ + '--log --listen=http://:60802' + +test_naive 'SOCKS-HTTP padded' socks5h://127.0.0.1:60901 \ + '--log --listen=socks://:60901 --proxy=http://127.0.01:60902 --padding' \ + '--log --listen=http://:60902 --padding' + +test_naive 'SOCKS-SOCKS-SOCKS' socks5h://127.0.0.1:61001 \ + '--log --listen=socks://:61001 
--proxy=socks://127.0.0.1:61002' \ + '--log --listen=socks://:61002 --proxy=socks://127.0.0.1:61003' \ + '--log --listen=socks://:61003' + +test_naive 'SOCKS-HTTP-SOCKS' socks5h://127.0.0.1:61101 \ + '--log --listen=socks://:61101 --proxy=socks://127.0.0.1:61102' \ + '--log --listen=socks://:61102 --proxy=socks://127.0.0.1:61103' \ + '--log --listen=socks://:61103' + +test_naive 'HTTP-SOCKS-HTTP' socks5h://127.0.0.1:61201 \ + '--log --listen=socks://:61201 --proxy=socks://127.0.0.1:61202' \ + '--log --listen=socks://:61202 --proxy=socks://127.0.0.1:61203' \ + '--log --listen=socks://:61203' + +test_naive 'HTTP-HTTP-HTTP' socks5h://127.0.0.1:61301 \ + '--log --listen=socks://:61301 --proxy=socks://127.0.0.1:61302' \ + '--log --listen=socks://:61302 --proxy=socks://127.0.0.1:61303' \ + '--log --listen=socks://:61303'
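Review bot: Several cases do not exercise the chain their label names, and the port renumbering carries that over unchanged. 'HTTP-SOCKS' listens on `http://:60801` and forwards with `--proxy=http://127.0.0.1:60802` to an `http://` second hop, while 'SOCKS-HTTP-SOCKS', 'HTTP-SOCKS-HTTP' and 'HTTP-HTTP-HTTP' use `socks://` for every hop and a `socks5h://` client URL. As written, the mixed-scheme paths are never tested, so a regression in scheme handling between hops would still pass. For 'HTTP-SOCKS' I would expect `--listen=http://:60801 --proxy=socks://127.0.0.1:60802` with `--listen=socks://:60802` behind it, and the three-hop cases adjusted the same way. The padded case also still has `--proxy=http://127.0.01:60902`, which appears to rely on legacy short-form IPv4 parsing and should read `127.0.0.1`; test_naive itself is defined outside this hunk.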