Beyond The Horizon

$ sudo -s
# tar xzvf go1.19.5.linux-amd64.tar.gz -C /usr/local/
# export PATH="/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/root/go/bin:$PATH"
# export GO111MODULE=on
# git clone -b naive https://github.com/klzgrad/forwardproxy
# go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
# ~/go/bin/xcaddy build --with github.com/caddyserver/forwardproxy=$PWD/forwardproxy --with github.com/caddy-dns/cloudflare
# mv ./caddy /usr/local/bin/caddy

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/caddy.json
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/caddy.json
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

# cp caddy.service /lib/systemd/system/

# adduser --system --no-create-home --group caddy

# systemctl daemon-reload
# systemctl enable caddy.service

$ xz -dc naiveproxy-v109.0.5414.74-1-mac-x64.tar.xz | tar xvf -

{
  "listen": "socks://127.0.0.1:1080",
  "proxy": "https://user:pass@xxxxxxxx.example.com",
  "log": ""
}

stream {

      map $ssl_preread_server_name $name {
        xxxxxxxx.example.com    caddy;
      }

upstream caddy {
        server unix:/dev/shm/caddy-https.socket;
      }

      server {
        listen 443;
        proxy_connect_timeout 1s;
        proxy_timeout 4s;

        proxy_pass $name;
        ssl_preread on;
#        proxy_protocol on;
      }

      log_format basic '$ssl_preread_server_name $remote_addr [$time_local] '
         '$protocol $status $bytes_sent $bytes_received '
         '$session_time "$upstream_addr" '
         '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

      access_log /var/log/nginx/stream.access.log basic;
      error_log /var/log/nginx/stream.error.log;
}

server {
    listen        80;
    server_name   xxxxxxxx.example.com;

    proxy_set_header    X-Real-IP          $remote_addr;
    proxy_set_header    Host               $host;
    proxy_set_header    X-Forwarded-Proto  $scheme;
    proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;

    location / {
        proxy_pass              http://127.0.0.1:88;
        proxy_read_timeout      240;
        proxy_buffering         off;
        proxy_redirect          off;
    }
}

{
    "admin": {
        "listen": ":3019",
        "disabled": true
    },
    "logging": {
        "logs": {
            "": {
                "writer": {
                    "output": "file",
                    "filename": "/var/log/caddy/caddy.log",
                    "roll": true,
                    "roll_size_mb": 50,
                    "roll_gzip": true,
                    "roll_local_time": false,
                    "roll_keep": 10,
                    "roll_keep_days": 90
                },
                "encoder": {"format": "json"},
                "level": "INFO"
            },
            "default": {
                "level": "INFO"
            }
        }
    },
    "apps": {
        "http": {
            "servers": {
                "httpserver": {
                    "listen": [":88"],
                    "routes": [{
                        "handle": [{
                            "handler": "static_response",
                            "headers": {"Location": ["https://xxxxxxxx.example.com/"]},
                            "status_code": 301
                        }]
                    }]
                },
                "fwdproxy": {
                    "listen": ["unix//dev/shm/caddy-https.socket"],
                    "logs": {},
                    "routes": [{
                        "handle": [{
                            "handler": "subroute",
                            "routes": [{
                                "handle": [
                                    {
                                        "allowed_ports": [
                                            443, 8004
                                        ],
                                        "auth_pass_deprecated": "xxxxxxxxxxxxxxxx",
                                        "auth_user_deprecated": "xxxxxxxx",
                                        "handler": "forward_proxy",
                                        "hide_ip":true,
                                        "hide_via":true,
                                        "probe_resistance":{
                                        }
                                    }
                                ]
                            }, {
                                "match": [{"host": ["xxxxxxxx.example.com"]}],
                                "handle": [{
                                    "handler": "file_server",
                                    "root": "/var/www/caddy"
                                }]
                            }]
                        }],
                        "terminal": true
                    }],
                    "tls_connection_policies": [{
                        "match": {"sni": ["xxxxxxxx.example.com"]},
                        "cipher_suites": ["TLS_AES_128_GCM_SHA256"],
                        "curves": ["x25519"]
                    }]
                }
            }
        },
        "tls": {
            "certificates": {
                "automate":[
                    "xxxxxxxx.example.com"
                ]
            }
        }
    }
}

stream {

    map $ssl_preread_server_name $name {
        xxxxxxxx.example.com    caddy;
    }

    upstream caddy {
        server [2001:xxx:xxx:xx::xxxx:xx]:443;
    }

    server {
        listen      443;
        #listen      443 udp;
        #resolver 1.1.1.1;
        proxy_connect_timeout 1s;
        proxy_timeout 4s;

        proxy_pass $name;
        #proxy_protocol on;
        ssl_preread on;
    }

    log_format basic '$ssl_preread_server_name $remote_addr [$time_local] '
       '$protocol $status $bytes_sent $bytes_received '
       '$session_time "$upstream_addr" '
       '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

    access_log /var/log/nginx/stream.access.log basic;
    error_log /var/log/nginx/stream.error.log;

}

server {
    listen          80;
    server_name xxxxxxxx.example.com;
    location / {
        proxy_pass		http://[2001:xxx:xxx:xx::xxxx:xx]:80;
        proxy_read_timeout	240;
        proxy_buffering		off;
        proxy_redirect		off;
        proxy_set_header	X-Forwarded-Host	$host;
        proxy_set_header	X-Forwarded-Port	$server_port;
        proxy_set_header	X-Real-IP	$remote_addr;
        proxy_set_header	Host               $host;
        proxy_set_header	X-Forwarded-Proto  $scheme;
        proxy_set_header	X-Forwarded-For    $proxy_add_x_forwarded_for;
    }
}

{
    "admin": {
        "listen": ":3019",
        "disabled": true
    },
    "logging": {
        "logs": {
            "": {
                "writer": {
                    "output": "file",
                    "filename": "/var/log/caddy/caddy.log",
                    "roll": true,
                    "roll_size_mb": 50,
                    "roll_gzip": true,
                    "roll_local_time": false,
                    "roll_keep": 10,
                    "roll_keep_days": 90
                },
                "encoder": {"format": "json"},
                "level": "INFO"
            },
            "default": {
                "level": "INFO"
            }
        }
    },
    "apps": {
        "http": {
            "servers": {
                "httpserver": {
                    "listen": ["[::]:80"],
                    "routes": [{
                        "handle": [{
                            "handler": "static_response",
                            "headers": {"Location": ["https://xxxxxxxx.example.com/"]},
                            "status_code": 301
                        }]
                    }]
                },
                "fwdproxy": {
                    "listen": ["[::]:443"],
                    "listener_wrappers": [
                    ],
                    "logs": {},
                    "routes": [{
                        "handle": [{
                            "handler": "subroute",
                            "routes": [{
                                "handle": [
                                    {
                                        "allowed_ports": [
                                            443
                                        ],
                                        "auth_pass_deprecated": "xxxxxxxxxxxxxxxx",
                                        "auth_user_deprecated": "xxxxxxxx",
                                        "handler": "forward_proxy",
                                        "hide_ip":true,
                                        "hide_via":true,
                                        "probe_resistance":{
                                        }
                                    }
                                ]
                            }, {
                                "match": [{"host": ["xxxxxxxx.example.com"]}],
                                "handle": [{
                                    "handler": "file_server",
                                    "root": "/var/www/caddy"
                                }]
                            }]
                        }],
                        "terminal": true
                    }],
                    "tls_connection_policies": [{
                        "match": {"sni": ["xxxxxxxx.example.com"]},
                        "cipher_suites": ["TLS_CHACHA20_POLY1305_SHA256"],
                        "curves": ["x25519"]
                    }]
                }
            }
        },
        "tls": {
            "certificates": {
                "automate":[
                    "xxxxxxxx.example.com"
                ]
            }
        }
    }
}

# ./config
Operating system: armv7l-whatever-linux2
Configuring OpenSSL version 1.1.1m (0x101010dfL) for linux-armv4
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile

**********************************************************************
***                                                                ***
***   OpenSSL has been successfully configured                     ***
***                                                                ***
***   If you encounter a problem while building, please open an    ***
***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***                                                                ***
***       perl configdata.pm --dump                                ***
***                                                                ***
***   (If you are new to OpenSSL, you might want to consult the    ***
***   'Troubleshooting' section in the INSTALL file first)         ***
***                                                                ***
**********************************************************************

# ./configure --sysconfdir=/etc --localstatedir=/var --runstatedir=/run \
  --with-openssl=/usr/local/usr/local/ssl \
  --with-openssl-include=/usr/local/include \
  --with-openssl-lib=/usr/local/lib