0x7a657573 / zroxy

Transparent TLS sni proxy ( sniproxy ) written with pure C.
GNU General Public License v3.0
20 stars 3 forks

is your app like this app? https://github.com/Intika-Linux-Proxy/SNI-SSL-Proxy #1

Closed rezad1393 closed 1 year ago

rezad1393 commented 1 year ago

Is your app like this app, https://github.com/Intika-Linux-Proxy/SNI-SSL-Proxy, in its application? I mean, does it do what that application does?

I am looking for something like it, but whenever I search for sniproxy I get reverse proxies that are for multi-domain hosting, and if I am not wrong I can't use those the way that Intika-Linux-Proxy/SNI-SSL-Proxy does its stuff.

Basically I live in Iran and a lot of websites are blocked here. I am trying to point my LAN clients to an internal IP assigned for those blocked websites, and then on that IP on port 80/443 a program runs that accepts connections but understands that it needs to proxy them to the actual servers via another proxy (say Tor).

0x7a657573 commented 1 year ago

Hi reza :) Yes, zroxy is a simple SNI SSL proxy and it's not a transparent proxy. Actually zroxy proxies incoming connections based on the host name contained in the initial request of the TCP session. And I have good news for you: I know that unfortunately DNS requests in the Iran network are manipulated, so you can use zroxy to forward local DNS requests (UDP) to a socks5 proxy. You can use this software to bypass the Iran GFW.
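
The mechanism 0x7a657573 describes above, routing on the host name found in the first bytes of the TCP session, is the server_name (SNI) extension of the TLS ClientHello. The following is an added example, not code from the zroxy project or from anyone in this thread: a bounds-checked C parser for that extension, plus a builder that produces a constructed ClientHello as sample input. The function names tls_extract_sni and build_client_hello are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Big-endian 16-bit read. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Pull the server_name (SNI) host_name out of a TLS ClientHello record.
 * Copies the first host_name into out (NUL-terminated) and returns its length.
 * Returns 0 when the record is incomplete, malformed, not a ClientHello, or
 * carries no SNI (clients connecting to a bare IP send none); a proxy must
 * treat 0 as "cannot route by name" rather than guess a destination. */
size_t tls_extract_sni(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    if (len < 5 || buf[0] != 0x16) return 0;          /* 0x16 = handshake record */
    size_t rec_len = be16(buf + 3);
    if (5 + rec_len > len) return 0;                  /* record not fully received yet */
    len = 5 + rec_len;                                /* ignore anything after it */
    size_t pos = 5;
    if (pos + 4 > len || buf[pos] != 0x01) return 0;  /* 0x01 = ClientHello */
    pos += 4;                                         /* msg_type(1) + length(3) */
    if (pos + 34 > len) return 0;
    pos += 34;                                        /* client_version(2) + random(32) */
    if (pos + 1 > len) return 0;
    pos += 1 + buf[pos];                              /* session_id */
    if (pos + 2 > len) return 0;
    pos += 2 + be16(buf + pos);                       /* cipher_suites */
    if (pos + 1 > len) return 0;
    pos += 1 + buf[pos];                              /* compression_methods */
    if (pos + 2 > len) return 0;                      /* no extensions block at all */
    size_t ext_end = pos + 2 + be16(buf + pos);
    pos += 2;
    if (ext_end > len) return 0;
    while (pos + 4 <= ext_end) {
        uint16_t ext_type = be16(buf + pos);
        size_t ext_len = be16(buf + pos + 2);
        pos += 4;
        if (pos + ext_len > ext_end) return 0;
        if (ext_type == 0x0000) {                     /* server_name extension */
            if (ext_len < 2) return 0;
            size_t p = pos, list_end = p + 2 + be16(buf + p);
            if (list_end > pos + ext_len) return 0;
            p += 2;
            while (p + 3 <= list_end) {               /* name_type(1) + name_len(2) */
                uint8_t name_type = buf[p];
                size_t name_len = be16(buf + p + 1);
                p += 3;
                if (p + name_len > list_end) return 0;
                if (name_type == 0x00) {              /* host_name */
                    if (name_len == 0 || name_len + 1 > outlen) return 0;
                    memcpy(out, buf + p, name_len);
                    out[name_len] = '\0';
                    return name_len;
                }
                p += name_len;
            }
            return 0;
        }
        pos += ext_len;
    }
    return 0;
}

/* Constructed sample input (not a real capture): a minimal ClientHello with
 * fixed random bytes, one cipher suite and a single server_name extension. */
size_t build_client_hello(const char *host, uint8_t *buf, size_t buflen)
{
    size_t hlen = strlen(host);
    size_t sni_len = 2 + 1 + 2 + hlen;                /* list_len + name_type + name_len + name */
    size_t ext_total = 4 + sni_len;                   /* ext_type + ext_len + body */
    size_t body_len = 43 + ext_total;                 /* fixed ClientHello fields + extensions */
    if (hlen == 0 || hlen > 0xffff || 9 + body_len > buflen) return 0;
    uint8_t *p = buf;
    *p++ = 0x16; *p++ = 0x03; *p++ = 0x01;            /* record: handshake, legacy version */
    *p++ = (uint8_t)((4 + body_len) >> 8); *p++ = (uint8_t)(4 + body_len);
    *p++ = 0x01;                                      /* handshake: ClientHello */
    *p++ = (uint8_t)(body_len >> 16); *p++ = (uint8_t)(body_len >> 8); *p++ = (uint8_t)body_len;
    *p++ = 0x03; *p++ = 0x03;                         /* client_version TLS 1.2 */
    memset(p, 0xAB, 32); p += 32;                     /* "random" */
    *p++ = 0x00;                                      /* empty session_id */
    *p++ = 0x00; *p++ = 0x02; *p++ = 0x13; *p++ = 0x01;  /* one suite: TLS_AES_128_GCM_SHA256 */
    *p++ = 0x01; *p++ = 0x00;                         /* compression: null only */
    *p++ = (uint8_t)(ext_total >> 8); *p++ = (uint8_t)ext_total;
    *p++ = 0x00; *p++ = 0x00;                         /* extension type 0 = server_name */
    *p++ = (uint8_t)(sni_len >> 8); *p++ = (uint8_t)sni_len;
    *p++ = (uint8_t)((sni_len - 2) >> 8); *p++ = (uint8_t)(sni_len - 2);  /* list_len */
    *p++ = 0x00;                                      /* name_type host_name */
    *p++ = (uint8_t)(hlen >> 8); *p++ = (uint8_t)hlen;
    memcpy(p, host, hlen); p += hlen;
    return (size_t)(p - buf);
}

int main(void)
{
    uint8_t buf[512]; char host[256];
    size_t n = build_client_hello("example.com", buf, sizeof buf);
    size_t got = tls_extract_sni(buf, n, host, sizeof host);
    printf("sni=%s len=%zu\n", got ? host : "(none)", got);
    printf("truncated record -> %zu\n", tls_extract_sni(buf, n - 1, host, sizeof host));
    return 0;
}
```

The parser returns 0 on a truncated record instead of working from a partial buffer; a proxy normally receives the hello in pieces and has to keep reading until the whole record is there. One caveat that follows from the zroxy + dnsmasq layout discussed in this thread: once dnsmasq answers 192.168.1.10 for a blocked name, the proxy must not resolve the SNI it extracted through that same dnsmasq, or it will connect back to itself; the name has to be resolved on the upstream side (a socks5 upstream that accepts host names) or through a different resolver.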

rezad1393 commented 1 year ago

Our national network does more than just DNS messing. If it was only DNS I would just use dnscrypt. It also blocks IP ranges and HTTP/HTTPS based on keywords and domains.

And is what I asked for a transparent proxy based on SNI? Because when I ask for a transparent proxy I get whole-port-443 proxies or iptables-based ones that are IP based, and that would mess with CDNs.

btw thanks for the prompt response.

0x7a657573 commented 1 year ago

Oops, I thought the Iran network was like China or Russia! Anyway, zroxy is an SNI proxy. You can use it like a transparent proxy if all your traffic is web (http/https); for this you only need to forward all traffic on 443 to zroxy. However, I think redsocks is better for you.

rezad1393 commented 1 year ago

It is not as strict as China. I am not against the national internet, but the issue is that its censorship is messy and messes with other protocols like emule.

btw the issue with most proxies I found (yours too I think) is that I have to send all traffic (on port 443) to them, and if they crash my whole system would be stopped, even websites that don't need the proxy.

But that other proxy I linked behaves differently. I just run it and use the device IP (the IP of the device on my LAN that the proxy is running on), so the blocked domains would get a LAN IP, but the proxy would understand that I am actually trying to talk to the blocked site via another upstream proxy (like Tor) and would do its magic. Like this: Domain1 -> 192.168.1.10 -> Sniproxy-instance-1 (running at 192.168.1.10) -> Socks5-A (Tor)

Other proxies don't work this way. If I set the DNS for those proxies to the device running the proxy, then I would get an error because the proxy would not do SNI and redirect the traffic. At least this happened last time I tried with that famous SNI proxy that is used for split loading HTTPS traffic.

0x7a657573 commented 1 year ago

Hmm, I thought you wanted to proxy all traffic on port 443. If you want to proxy a special site or sites you can use zroxy + DNS: add the special sites to a custom zone of the DNS so they resolve to the zroxy server IP, run zroxy on port 443, and use socks for the zroxy upstream.

graph TD;
    filterd.com-->zroxy-->Tor-->Internet;
    example.com-->Internet;

enjoy that :)

rezad1393 commented 1 year ago

So if zroxy is running on my LAN device at 192.168.1.10, I would put this in dnsmasq?

address=/example.com/192.168.1.10

Are other sniproxies like that, and I actually didn't find a unicorn, and other sniproxies work like yours?

Because I remember that other sniproxies would not work this way. As in, I couldn't assign a LAN IP to the remote server and the proxy would give an error. For example this: https://github.com/dlundquist/sniproxy

The one I use is abandoned and old; I wanted to see a new one. Maybe I would use yours if it works, but I need to cross-compile it for OpenWrt on ARM.

0x7a657573 commented 1 year ago

Yes, zroxy does exactly that! Like other SNI proxies :)

The difference between zroxy and other SNI proxies is its support for socks upstream.

zroxy doesn't depend on other libraries, so you can easily cross-compile it to any architecture. Keep in mind zroxy is simple software and maybe not optimized for performance ;) Now I use zroxy to watch Netflix films that are limited in my country, and that works fine.

rezad1393 commented 1 year ago

How do I cross-compile it? I mean the exact commands? I am not a pro at this.

0x7a657573 commented 1 year ago

For this issue please open a new topic.

rezad1393 commented 1 year ago

I don't think other sniproxies do that at all, so the difference is not just upstream proxy support. I have tried them. They would receive a connection and, based on SNI, they would redirect the connection to an IP like this, from https://github.com/dlundquist/sniproxy

table TableName {
    # Match exact request hostnames
    example.com 192.0.2.10:4343
    # If port is not specified the listener port will be used
    example.net [2001:DB8::1:10]
    # Or use regular expression to match
    .*\\.com    [2001:DB8::1:11]:443
    # Combining regular expression and wildcard will resolve the hostname
    # client requested and proxy to it
    .*\\.edu    *:443
}

Unless this part:

    # Combining regular expression and wildcard will resolve the hostname
    # client requested and proxy to it
    .*\\.edu    *:443

does something like that, with no proxy.