initial commit

Author: Xetera

.gitignore

@@ -0,0 +1,2 @@
+__pycache__
+.vscode

README.md

@@ -0,0 +1,63 @@
+# sni-proxy
+
+Bypass SNI-based censorship for sites that don't look at the Server Name Indication field in the TLS handshake. (Example list in [domains.yaml](./domains.yaml))
+
+# Usage
+
+As always, start with cloning the repo locally and make sure you're in the root folder.
+
+0. Make sure you're using a [DoH/DoT enabled DNS server](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/encrypted-dns-browsers/) for website lookups and not your ISP's DNS otherwise this entire thing won't even work. Cloudflare's 1.1.1.1 is pretty good.
+
+1. Install [mitmproxy](https://mitmproxy.org/).
+
+2. Install [python 3](https://www.python.org/downloads/)
+
+3. Install the dependencies with pip `pip3 install -r requirements.txt`
+
+To simply start the proxy: `mitmproxy --ssl-insecure -s addon.py -p 8080`
+
+## Certificate
+
+For testing, I recommend using a separate browser like Firefox which keeps its own proxy/certificate settings separate from the system unlike chrome. Trying to proxy everything that's going on in your computer can be a bit of a hassle for when the proxy goes down.
+
+Add the mitmproxy root CA to Firefox by visiting http://mitm.it and downloading the cert `.pem` file.
+
+> If the site tells you that your traffic isn't being routed through the proxy, make sure you're on the `http` version of the site and not `https`. And also that you have mitmproxy running lol.
+
+![](./assets/cert_settings.png)
+
+![](./assets/cert_authority_import.png)
+
+Just select the downloaded file at this point.
+
+## Proxy
+
+Firefox needs to be configured to use mitmproxy.
+
+![](./assets/proxy_search.png)
+
+![](./assets/proxy_config.png)
+
+Make sure to also enable DNS over HTTPS in the settings below. You should basically always be using this as long as you don't live in China or Russia where it's blocked.
+
+By itself it's not great for privacy, but with SNI tampering it's quite useful.
+
+---
+
+Congrats, you should be able to access some blocked websites now. If you run into another site you need unblocked, just add it into [domains.yaml](./domains.yaml) and pray the server doesn't look at SNI values.
+
+## Debugging issues
+
+### My pages are loading but they look like they're from 1998 with no CSS.
+
+Chances are the site you're on is loading assets from other domains that the browser doesn't trust. The easiest way to get around this is to open devtools on the network tab and double click on the failing request to trust the certificate it presents temporarily.
+
+![](./assets/cdn_trust.png)
+
+![](./assets/security_risk.png)
+
+### I'm getting `sslv3 alert handshake failure`
+
+The site you're visiting terminated the TLS handshake because it cares about the SNI field. This is usually caused by the site being behind cloudflare or a similar multi-tenant reverse proxy. This can _sometimes_ be fixed by moving the domain you want to block into the `delicate_domains` field so that the proxy sends a substring of the correct SNI and adds some garbage at the end to fool the censor, but it will often not work.
+
+This method unfortunately can't unblock every website.

addon.py

@@ -0,0 +1,55 @@
+from typing import Iterable
+from mitmproxy import tls, http, connection, addonmanager
+from mitmproxy.addons.tlsconfig import TlsConfig
+from mitmproxy.http import HTTPFlow
+import yaml
+
+
+def matches_any(domains: Iterable[str], domain: str) -> bool:
+    return any(to_unblock in domain for to_unblock in domains)
+
+
+class SNIProxy:
+    config = TlsConfig()
+    sni: str
+    domains: Iterable[str]
+    delicate_domains: Iterable[str]
+
+    def load(self, _loader: addonmanager.Loader):
+        with open("./domains.yaml") as f:
+            out = yaml.safe_load(f)
+            self.domains = out.get("domains", [])
+            self.delicate_domains = out.get("delicate_domains", [])
+            self.sni = out.get("default_sni", "google.com")
+
+    def request(self, flow: HTTPFlow):
+        if flow.request.scheme == "http":
+            # Firefox displays an annoying message if it thinks its
+            # captive portal check is being intercepted by a mitm redirect
+
+            # we also need mitm.it to be accessible in http so mitmproxy can
+            # change the response to be a cert download page
+            if flow.request.host in ("detectportal.firefox.com", "mitm.it"):
+                # TBH I don't think this is working for firefox at all lol
+                return
+
+            # Always redirect other non-https requests to https
+            # since they will be blocked without TLS
+            flow.response = http.Response.make(
+                307,
+                b"",
+                {"Location": flow.request.url.replace("http://", "https://")},
+            )
+
+    def tls_start_server(self, data: tls.TlsData):
+        if isinstance(data.conn, connection.Server):
+            (domain, _) = data.conn.address
+            if matches_any(self.domains, domain):
+                data.context.client.sni = self.sni
+            elif matches_any(self.delicate_domains, domain):
+                data.context.client.sni = rf"{domain}."
+
+        self.config.tls_start_server(data)
+
+
+addons = [SNIProxy()]

assets/cdn_trust.png

@@ -0,0 +1,23 @@
+from typing import Optional
+import requests
+import re
+import datetime
+
+
+def check_turkish_ban_date(site: str) -> Optional[datetime.date]:
+    """
+    Looks up when a site (domain + tld) was banned in turkey.
+    Returns None if the site isn't banned.
+    Works regardless of caller IP.
+    Usage: `check_turkish_ban_date('wikileaks.org')`
+    """
+    reg = re.compile(f"{site}, (?P<day>.*?)/(?P<month>.*?)/(?P<year>.*?) tarihli")
+
+    response = requests.get("http://195.175.254.2", headers={"Host": site})
+    result = reg.search(response.text)
+
+    if not result:
+        return None
+
+    (day, month, year) = result.groups()
+    return datetime.date(int(year), int(month), int(day))