HttpRelayVPN/main.py at main · T2HASH/HttpRelayVPN · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
#!/usr/bin/env python3
"""
DomainFront Tunnel — Bypass DPI censorship via Domain Fronting.

Run a local HTTP proxy that tunnels all traffic through a CDN using
domain fronting: the TLS SNI shows an allowed domain while the encrypted
HTTP Host header routes to your Cloudflare Worker relay.
"""

import argparse
import asyncio
import json
import logging
import os
import sys

from cert_installer import install_ca, is_ca_trusted
from mitm import CA_CERT_FILE
from proxy_server import ProxyServer

__version__ = "1.0.0"


def setup_logging(level_name: str):
    level = getattr(logging, level_name.upper(), logging.INFO)
    logging.basicConfig(
        level=level,
        format="%(asctime)s [%(name)-12s] %(levelname)-7s %(message)s",
        datefmt="%H:%M:%S",
    )


def parse_args():
    parser = argparse.ArgumentParser(
        prog="domainfront-tunnel",
        description="Local HTTP proxy that tunnels traffic through domain fronting.",
    )
    parser.add_argument(
        "-c", "--config",
        default=os.environ.get("DFT_CONFIG", "config.json"),
        help="Path to config file (default: config.json, env: DFT_CONFIG)",
    )
    parser.add_argument(
        "-p", "--port",
        type=int,
        default=None,
        help="Override listen port (env: DFT_PORT)",
    )
    parser.add_argument(
        "--host",
        default=None,
        help="Override listen host (env: DFT_HOST)",
    )
    parser.add_argument(
        "--log-level",
        choices=["DEBUG", "INFO", "WARNING", "ERROR"],
        default=None,
        help="Override log level (env: DFT_LOG_LEVEL)",
    )
    parser.add_argument(
        "-v", "--version",
        action="version",
        version=f"%(prog)s {__version__}",
    )
    parser.add_argument(
        "--install-cert",
        action="store_true",
        help="Install the MITM CA certificate as a trusted root and exit.",
    )
    parser.add_argument(
        "--no-cert-check",
        action="store_true",
        help="Skip the certificate installation check on startup.",
    )
    return parser.parse_args()


def main():
    args = parse_args()
    config_path = args.config

    try:
        with open(config_path) as f:
            config = json.load(f)
    except FileNotFoundError:
        print(f"Config not found: {config_path}")
        print("Copy config.example.json to config.json and fill in your values.")
        sys.exit(1)
    except json.JSONDecodeError as e:
        print(f"Invalid JSON in config: {e}")
        sys.exit(1)

    # Environment variable overrides
    if os.environ.get("DFT_AUTH_KEY"):
        config["auth_key"] = os.environ["DFT_AUTH_KEY"]
    if os.environ.get("DFT_SCRIPT_ID"):
        config["script_id"] = os.environ["DFT_SCRIPT_ID"]

    # CLI argument overrides
    if args.port is not None:
        config["listen_port"] = args.port
    elif os.environ.get("DFT_PORT"):
        config["listen_port"] = int(os.environ["DFT_PORT"])

    if args.host is not None:
        config["listen_host"] = args.host
    elif os.environ.get("DFT_HOST"):
        config["listen_host"] = os.environ["DFT_HOST"]

    if args.log_level is not None:
        config["log_level"] = args.log_level
    elif os.environ.get("DFT_LOG_LEVEL"):
        config["log_level"] = os.environ["DFT_LOG_LEVEL"]

    for key in ("auth_key",):
        if key not in config:
            print(f"Missing required config key: {key}")
            sys.exit(1)

    mode = config.get("mode", "domain_fronting")
    if mode == "custom_domain" and "custom_domain" not in config:
        print("Mode 'custom_domain' requires 'custom_domain' in config")
        sys.exit(1)
    if mode == "domain_fronting":
        for key in ("front_domain", "worker_host"):
            if key not in config:
                print(f"Mode 'domain_fronting' requires '{key}' in config")
                sys.exit(1)
    if mode == "google_fronting":
        if "worker_host" not in config:
            print("Mode 'google_fronting' requires 'worker_host' in config (your Cloud Run URL)")
            sys.exit(1)
    if mode == "apps_script":
        sid = config.get("script_ids") or config.get("script_id")
        if not sid or (isinstance(sid, str) and sid == "YOUR_APPS_SCRIPT_DEPLOYMENT_ID"):
            print("Mode 'apps_script' requires 'script_id' in config.")
            print("Deploy the Apps Script from appsscript/Code.gs and paste the Deployment ID.")
            sys.exit(1)

    # ── Certificate installation ──────────────────────────────────────────
    if args.install_cert:
        setup_logging("INFO")
        _log = logging.getLogger("Main")
        _log.info("Installing CA certificate…")
        ok = install_ca(CA_CERT_FILE)
        sys.exit(0 if ok else 1)

    setup_logging(config.get("log_level", "INFO"))
    log = logging.getLogger("Main")

    mode = config.get("mode", "domain_fronting")
    log.info("DomainFront Tunnel starting (mode: %s)", mode)

    if mode == "custom_domain":
        log.info("Custom domain    : %s", config["custom_domain"])
    elif mode == "google_fronting":
        log.info("Google fronting   : SNI=%s → Host=%s",
                 config.get("front_domain", "www.google.com"), config["worker_host"])
        log.info("Google IP         : %s", config.get("google_ip", "216.239.38.120"))
    elif mode == "apps_script":
        log.info("Apps Script relay : SNI=%s → script.google.com",
                 config.get("front_domain", "www.google.com"))
        script_ids = config.get("script_ids") or config.get("script_id")
        if isinstance(script_ids, list):
            log.info("Script IDs        : %d scripts (round-robin)", len(script_ids))
            for i, sid in enumerate(script_ids):
                log.info("  [%d] %s", i + 1, sid)
        else:
            log.info("Script ID         : %s", script_ids)

        # Ensure CA file exists before checking / installing it.
        # MITMCertManager generates ca/ca.crt on first instantiation.
        if not os.path.exists(CA_CERT_FILE):
            from mitm import MITMCertManager
            MITMCertManager()  # side-effect: creates ca/ca.crt + ca/ca.key

        # Auto-install MITM CA if not already trusted
        if not args.no_cert_check:
            if not is_ca_trusted(CA_CERT_FILE):
                log.warning("MITM CA is not trusted — attempting automatic installation…")
                ok = install_ca(CA_CERT_FILE)
                if ok:
                    log.info("CA certificate installed. You may need to restart your browser.")
                else:
                    log.error(
                        "Auto-install failed. Run with --install-cert (may need admin/sudo) "
                        "or manually install ca/ca.crt as a trusted root CA."
                    )
            else:
                log.info("MITM CA is already trusted.")
    else:
        log.info("Front domain (SNI) : %s", config.get("front_domain", "?"))
        log.info("Worker host (Host) : %s", config.get("worker_host", "?"))

    log.info("Proxy address      : %s:%d", config.get("listen_host", "127.0.0.1"), config.get("listen_port", 8080))

    try:
        asyncio.run(ProxyServer(config).start())
    except KeyboardInterrupt:
        log.info("Stopped")


if __name__ == "__main__":
    main()