HttpProxy proposal

[dimzon]

I propose deploy and run HttpProxy (for example privoxy) at server side (at same host ss-server is running). This allows centralized ad-blocking and routing rules (for example redirect .i2p to i2p-router and .onion to tor). In this deployment scenario shadowsocks can be used as socks4/5 server itself and as encrypted tunnel to http-proxy.

Every time shadowsocks-client (ss-local) accept connection from proxy-client (browser) it can distinguish protocol based on first byte. If byte==5 serve as socks5. if byte==4 serve as socks4, otherwise tunnel data (just using it's own socks capabilities) to server-side 127.0.0.1:8118 (can be taken from configuration)

This proposal require such CLIENT software changes: to add additional logic when handling BROWSER-to-SHADOWSOCKSCLIENT iteraction:

• add optional client configuration parameter: remoteHttpProxyPort
• analyze first bytes from browser-to-ssclient handshake
• if first byte==5 proceed as Socks5 server (as is) (SS-CLIENT acts as Socks5 server for browser) [browser]<--socks5-protocol-->[ss-local]<--ss-protocol-->[ss-server]<--tcp-->[remote-host]
• (optional for old browsers) if first byte==4 proceed as Socks4a server (SS-CLIENT acts as Socks4a server for browser) [browser]<--socks4a-protocol-->[ss-local]<--ss-protocol-->[ss-server]<--tcp-->[remote-host]
• otherwise establish tunnel [browser]<-->[ssclient]<-->[ssserver]<-->[127.0.0.1:remoteHttpProxyPort] (SS-CLIENT acts as ssh -L so browser interacts with HTTP proxy via encrypted SS tunnel) so full chain is [browser]<--http-proxy-protocol-->[ss-local]<--ss-protocol-->[ss-server]<--http-proxy-protocol-tunneled-from-browser-->[127.0.0.1:remoteHttpProxyPort]<--http-protocol-->[remote-host]

Yet again - those 3 modes can be autoselected by SS-CLIENT based onto first n bytes from browser. This (automatic protocol negotiation) require changes in SS-CLIENT

This proposal doesn't require SERVER software changes, just install any preferred HTTP proxy onto same host and make it listen onto 127.0.0.1:remoteHttpProxyPort address

[madeye]

Why not setup a local DNS server and sni-proxy on the server to do the "ad-blocking and routing rules"?

Actually, privoxy based ad-blocking have issues with HTTPS, since more and more Ad providers switch to HTTPS recently.

[dimzon]

How do you add transparent access to darknet (onion/i2p TLD)? Regardless HTTPS privoxy still able to perform blocking based on domain names with wildcards support. Privoxy has web-ui so you doesn't need to use SSH every time you want to blacklist some domain/url

Anyway Privoxy was just example - you can use any HttpProxy you like.

[madeye]

The "transparent HTTP proxy" is done by sni-proxy. You can find more details here: https://github.com/dlundquist/sniproxy

[dimzon]

how did you allow access to https://facebookcorewwwi.onion/ ? or proxify http-access to non-default port (ie http://foo.bar:12345/) also (as I understand) you needs iptables nat feature. unfortunally this not working for very cheap VPS

anyway proposed privoxy is just yet another deployment option

[falseen]

Isn't this ss - tunnel?