Convert Figma logo to code with AI

klzgrad logonaiveproxy

Make a fortune quietly

6,632
882
6,632
5

Top Related Projects

18,907

An unidentifiable mechanism that helps you bypass GFW.

A platform for building proxies to bypass network restrictions.

A Rust port of shadowsocks

24,907

Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.

Go实现的Trojan代理,支持多路复用/路由功能/CDN中转/Shadowsocks混淆插件,多平台,无依赖。A Trojan proxy written in Go. An unidentifiable mechanism that helps you bypass GFW. https://p4gefau1t.github.io/trojan-go/

Geph (迷霧通) is a modular Internet censorship circumvention system designed specifically to deal with national filtering.

Quick Overview

NaiveProxy is a proxy tool that uses Chromium's network stack to camouflage traffic as normal HTTPS traffic. It aims to circumvent network restrictions and censorship by making the proxy traffic indistinguishable from regular web browsing. NaiveProxy is designed to be secure, efficient, and difficult to detect or block.

Pros

  • High level of camouflage, making it difficult to detect and block
  • Utilizes Chromium's robust and well-maintained network stack
  • Supports multiple platforms including Windows, macOS, and Linux
  • Offers good performance and stability

Cons

  • Requires more setup and configuration compared to simpler proxy solutions
  • May have a steeper learning curve for users unfamiliar with proxy tools
  • Limited documentation and community support compared to more popular proxy solutions
  • Potential for increased resource usage due to the Chromium network stack

Getting Started

To get started with NaiveProxy:

  1. Download the latest release from the GitHub repository.
  2. Extract the files to a directory of your choice.
  3. Create a configuration file named config.json with the following content:
{
  "listen": "socks://127.0.0.1:1080",
  "proxy": "https://user:pass@example.com"
}
  1. Replace user:pass@example.com with your actual proxy server details.
  2. Run the NaiveProxy executable:
./naive config.json
  1. Configure your applications to use the SOCKS5 proxy at 127.0.0.1:1080.

For more detailed instructions and advanced configuration options, refer to the project's documentation on GitHub.

Competitor Comparisons

18,907

An unidentifiable mechanism that helps you bypass GFW.

Pros of Trojan

  • Simpler implementation, easier to set up and configure
  • Lighter weight with lower resource usage
  • Better compatibility with existing web server configurations

Cons of Trojan

  • Less robust against active probing and deep packet inspection
  • Fewer built-in features for traffic obfuscation
  • More limited protocol support compared to NaiveProxy

Code Comparison

Trojan (server configuration):

{
    "run_type": "server",
    "local_addr": "0.0.0.0",
    "local_port": 443,
    "remote_addr": "127.0.0.1",
    "remote_port": 80,
    "password": ["password1"],
    "ssl": {
        "cert": "/path/to/certificate.crt",
        "key": "/path/to/private.key"
    }
}

NaiveProxy (server configuration):

{
  "listen": "http://0.0.0.0:80",
  "proxy": "https://example.com",
  "users": [
    { "user": "user1", "pass": "pass1" }
  ],
  "cert": "/path/to/cert.pem",
  "key": "/path/to/key.pem"
}

Both projects aim to provide secure and undetectable proxy solutions, but NaiveProxy offers more advanced features and stronger resistance to detection at the cost of increased complexity. Trojan, on the other hand, provides a simpler and more lightweight option that may be sufficient for many use cases.

A platform for building proxies to bypass network restrictions.

Pros of v2ray-core

  • More comprehensive protocol support, including VMess, VLESS, Trojan, and others
  • Highly customizable with a modular design and extensive configuration options
  • Active development with frequent updates and a large community

Cons of v2ray-core

  • More complex setup and configuration process
  • Higher resource usage due to its comprehensive feature set
  • Steeper learning curve for new users

Code Comparison

v2ray-core (Go):

type User struct {
    Level uint32
    Email string
}

type Account struct {
    Id      string
    AlterId uint32
}

naiveproxy (C++):

struct ProxyServer {
  std::string host;
  int port;
  std::string username;
  std::string password;
};

The code snippets show different approaches to user and server configuration. v2ray-core uses separate structs for User and Account information, while naiveproxy combines server and authentication details in a single struct. This reflects v2ray-core's more modular and flexible design, compared to naiveproxy's simpler approach.

v2ray-core offers more extensive protocol support and customization options, making it suitable for advanced users with complex requirements. However, this comes at the cost of increased complexity and resource usage. naiveproxy, while more limited in features, provides a simpler setup and potentially lower resource footprint, making it a good choice for users with straightforward needs or limited system resources.

A Rust port of shadowsocks

Pros of shadowsocks-rust

  • Written in Rust, offering memory safety and performance benefits
  • Lightweight and efficient, suitable for resource-constrained environments
  • Supports multiple ciphers and plugins for flexibility

Cons of shadowsocks-rust

  • Less resistant to sophisticated traffic analysis techniques
  • Limited protocol obfuscation compared to more advanced proxies
  • May be easier to detect and block in some network environments

Code Comparison

shadowsocks-rust:

let server = ShadowsocksServer::new(config)?;
server.run().await?;

naiveproxy:

std::unique_ptr<net::ProxyResolver> proxy_resolver =
    net::ProxyResolver::CreateSystemProxyResolver(net_log.net_log(), nullptr);

Key Differences

  • naiveproxy uses the Chromium network stack, providing better resistance to traffic analysis
  • shadowsocks-rust focuses on simplicity and efficiency, while naiveproxy aims for stronger obfuscation
  • naiveproxy supports HTTP/3 and QUIC, offering potential performance advantages in certain scenarios

Use Cases

  • shadowsocks-rust: Ideal for basic circumvention needs and low-resource devices
  • naiveproxy: Better suited for users requiring stronger protection against sophisticated censorship systems
24,907

Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.

Pros of Xray-core

  • More comprehensive protocol support, including VLESS, Trojan, and Shadowsocks
  • Advanced traffic routing capabilities with flexible rule-based configurations
  • Built-in support for multiple inbound and outbound connections

Cons of Xray-core

  • More complex setup and configuration process
  • Potentially higher resource usage due to additional features
  • Less focus on browser integration compared to NaiveProxy

Code Comparison

Xray-core configuration example:

{
  "inbounds": [{"port": 1080, "protocol": "socks"}],
  "outbounds": [{"protocol": "freedom"}]
}

NaiveProxy configuration example:

{
  "listen": "socks://127.0.0.1:1080",
  "proxy": "https://example.com"
}

Xray-core offers more detailed configuration options, while NaiveProxy focuses on simplicity and ease of use. Xray-core provides greater flexibility in terms of protocol support and routing, making it suitable for more complex setups. NaiveProxy, on the other hand, is designed to be more straightforward and integrates well with web browsers, making it a good choice for users who prioritize simplicity and browser-based proxy usage.

Go实现的Trojan代理,支持多路复用/路由功能/CDN中转/Shadowsocks混淆插件,多平台,无依赖。A Trojan proxy written in Go. An unidentifiable mechanism that helps you bypass GFW. https://p4gefau1t.github.io/trojan-go/

Pros of trojan-go

  • Lightweight and efficient, with lower resource usage
  • Supports multiple protocols (WebSocket, gRPC, etc.) for better flexibility
  • Includes built-in traffic obfuscation techniques

Cons of trojan-go

  • Less comprehensive documentation compared to naiveproxy
  • Smaller community and fewer contributors
  • May have fewer advanced features for complex networking scenarios

Code Comparison

trojan-go:

type Config struct {
    RunType      string   `json:"run_type"`
    LocalAddr    string   `json:"local_addr"`
    LocalPort    int      `json:"local_port"`
    RemoteAddr   string   `json:"remote_addr"`
    RemotePort   int      `json:"remote_port"`
}

naiveproxy:

struct Config {
  std::string proxy;
  std::string listen;
  std::string host;
  std::string scheme;
  std::string concurrency;
};

Both projects use configuration structs, but trojan-go uses JSON tags for easier serialization, while naiveproxy opts for a simpler C++ struct without additional annotations.

trojan-go focuses on providing a lightweight, flexible proxy solution with built-in obfuscation, making it suitable for various scenarios. naiveproxy, on the other hand, offers a more comprehensive solution with potentially more advanced features and better documentation, but may have higher resource requirements.

Geph (迷霧通) is a modular Internet censorship circumvention system designed specifically to deal with national filtering.

Pros of geph4-client

  • Designed specifically for censorship circumvention with advanced obfuscation techniques
  • Offers a user-friendly GUI for easier setup and management
  • Includes built-in VPN functionality for enhanced privacy

Cons of geph4-client

  • Less actively maintained compared to naiveproxy
  • Smaller community and potentially fewer resources for support
  • May have higher resource usage due to additional features

Code Comparison

geph4-client (Rust):

pub async fn connect(
    exit_server: SocketAddr,
    auth_key: String,
    username: String,
    password: String,
) -> anyhow::Result<TcpStream> {
    // Connection logic
}

naiveproxy (C++):

int NaiveProxy::Connect(
    const std::string& target_host,
    uint16_t target_port,
    const std::string& proxy_url) {
  // Connection logic
}

Summary

geph4-client focuses on censorship circumvention with a user-friendly approach, while naiveproxy offers a more lightweight and flexible solution for proxying. geph4-client provides additional features like VPN functionality, but may have higher resource usage. naiveproxy has a more active development community and potentially better performance for general proxy use cases. The choice between the two depends on specific needs for censorship resistance, ease of use, and performance requirements.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

NaïveProxy build workflow

NaïveProxy uses Chromium's network stack to camouflage traffic with strong censorship resistence and low detectablility. Reusing Chrome's stack also ensures best practices in performance and security.

The following traffic attacks are mitigated by using Chromium's network stack:

  • Website fingerprinting / traffic classification: mitigated by traffic multiplexing in HTTP/2.
  • TLS parameter fingerprinting: defeated by reusing Chrome's network stack.
  • Active probing: defeated by application fronting, i.e. hiding proxy servers behind a commonly used frontend server with application-layer routing.
  • Length-based traffic analysis: mitigated by length padding.

Architecture

[Browser → Naïve client] ⟶ Censor ⟶ [Frontend → Naïve server] ⟶ Internet

NaïveProxy uses Chromium's network stack to parrot traffic between regular Chrome browsers and standard frontend servers.

The frontend server can be any well-known reverse proxy that is able to route HTTP/2 traffic based on HTTP authorization headers, preventing active probing of proxy existence. Known ones include Caddy with its forwardproxy plugin and HAProxy.

The Naïve server here works as a forward proxy and a packet length padding layer. Caddy forwardproxy is also a forward proxy but it lacks a padding layer. A fork adds the NaïveProxy padding layer to forwardproxy, combining both in one.

Download NaïveProxy

Download here. Supported platforms include: Windows, Android (with NekoBox), Linux, Mac OS, and OpenWrt (support status).

Users should always use the latest version to keep signatures identical to Chrome.

Build from source: Please see .github/workflows/build.yml.

Server setup

The following describes the naïve fork of Caddy forwardproxy setup.

Download here or build from source:

go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
~/go/bin/xcaddy build --with github.com/caddyserver/forwardproxy=github.com/klzgrad/forwardproxy@naive

Example Caddyfile (replace user and pass accordingly):

{
  order forward_proxy before file_server
}
:443, example.com {
  tls me@example.com
  forward_proxy {
    basic_auth user pass
    hide_ip
    hide_via
    probe_resistance
  }
  file_server {
    root /var/www/html
  }
}

:443 must appear first for this Caddyfile to work. See Caddyfile docs for customizing TLS certificates. For more advanced usage consider using JSON for Caddy 2's config.

Run with the Caddyfile:

sudo setcap cap_net_bind_service=+ep ./caddy
./caddy start

See also Systemd unit example and HAProxy setup.

Client setup

Run ./naive with the following config.json to get a SOCKS5 proxy at local port 1080.

{
  "listen": "socks://127.0.0.1:1080",
  "proxy": "https://user:pass@example.com"
}

Or quic://user:pass@example.com, if it works better. See also parameter usage and performance tuning.

Third-party integration

Notes for downstream

Do not use the master branch to track updates, as it rebases from a new root commit for every new Chrome release. Use stable releases and the associated tags to track new versions, where short release notes are also provided.

Padding protocol, an informal specification

The design of this padding protocol opts for low overhead and easier implementation, in the belief that proliferation of expendable, improvised circumvention protocol designs is a better logistical impediment to censorship research than sophisicated designs.

Proxy payload padding

NaïveProxy proxies bidirectional streams through HTTP/2 (or HTTP/3) CONNECT tunnels. The bidirectional streams operate in a sequence of reads and writes of data. The first kFirstPaddings (8) reads and writes in a bidirectional stream after the stream is established are padded in this format:

struct PaddedData {
  uint8_t original_data_size_high;  // original_data_size / 256
  uint8_t original_data_size_low;  // original_data_size % 256
  uint8_t padding_size;
  uint8_t original_data[original_data_size];
  uint8_t zeros[padding_size];
};

padding_size is a random integer uniformally distributed in [0, kMaxPaddingSize] (kMaxPaddingSize: 255). original_data_size cannot be greater than 65535, or it has to be split into several reads or writes.

kFirstPaddings is chosen to be 8 to flatten the packet length distribution spikes formed from common initial handshakes:

  • Common client initial sequence: 1. TLS ClientHello; 2. TLS ChangeCipherSpec, Finished; 3. H2 Magic, SETTINGS, WINDOW_UPDATE; 4. H2 HEADERS GET; 5. H2 SETTINGS ACK.
  • Common server initial sequence: 1. TLS ServerHello, ChangeCipherSpec, ...; 2. TLS Certificate, ...; 3. H2 SETTINGS; 4. H2 WINDOW_UPDATE; 5. H2 SETTINGS ACK; 6. H2 HEADERS 200 OK.

Further reads and writes after kFirstPaddings are unpadded to avoid performance overhead. Also later packet lengths are usually considered less informative.

H2 RST_STREAM frame padding

In experiments, NaïveProxy tends to send too many RST_STREAM frames per session, an uncommon behavior from regular browsers. To solve this, an END_STREAM DATA frame padded with total length distributed in [48, 72] is prepended to the RST_STREAM frame so it looks like a HEADERS frame. The server often replies to this with a WINDOW_UPDATE because padding is accounted in flow control. Whether this results in a new uncommon behavior is still unclear.

H2 HEADERS frame padding

The CONNECT request and response frames are too short and too uncommon. To make its length similar to realistic HEADERS frames, a padding header is filled with a sequence of symbols that are not Huffman coded and are pseudo-random enough to avoid being indexed. The length of the padding sequence is randomly distributed in [16, 32] (request) or [30, 62] (response).

Opt-in of padding protocol

NaïveProxy clients should interoperate with any regular HTTP/2 proxies unaware of this padding protocol. NaïveProxy servers (i.e. any proxy server capable of the this padding protocol) should interoperate with any regular HTTP/2 clients (e.g. regular browsers) unaware of this padding protocol.

NaïveProxy servers and clients determines whether the counterpart is capable of this padding protocol by the presence of the padding header in the CONNECT request and response respectively. The padding procotol is enabled only if the padding header exists.

The first CONNECT request to a server cannot use "Fast Open" to send payload before response, because the server's padding capability has not been determined from the first response and it's unknown whether to send padded or unpadded payload for Fast Open.

Changes from Chromium upstream

  • Minimize source code and build size (1% of the original)
  • Disable exceptions and RTTI, except on Mac and Android.
  • Support OpenWrt builds
  • (Android, Linux) Use the builtin verifier instead of the system verifier (drop dependency of NSS on Linux) and read the system trust store from (following Go's behavior in crypto/x509/root_unix.go and crypto/x509/root_linux.go):
    • The file in environment variable SSL_CERT_FILE
    • The first available file of
      • /etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu/Gentoo etc.)
      • /etc/pki/tls/certs/ca-bundle.crt (Fedora/RHEL 6)
      • /etc/ssl/ca-bundle.pem (OpenSUSE)
      • /etc/pki/tls/cacert.pem (OpenELEC)
      • /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (CentOS/RHEL 7)
      • /etc/ssl/cert.pem (Alpine Linux)
    • Files in the directory of environment variable SSL_CERT_DIR
    • Files in the first available directory of
  • Handle AIA response in PKCS#7 format
  • Allow higher socket limits for proxies
  • Force tunneling for all sockets
  • Support HTTP/2 and HTTP/3 CONNECT tunnel Fast Open using the fastopen header
  • Pad RST_STREAM frames

Known weaknesses

  • HTTP CONNECT Fast Open creates back to back h2 packets consistently, which should not appear so often. This could be fixed with a little bit of corking but it would require surgical change deep in Chromium h2 stack, not very easy to do.
  • TLS over TLS requires more handshake round trips than needed by common h2 requests, that is, no h2 requests need these many back and forth handshakes. There is no simple way to avoid this besides doing MITM proxying, breaking E2E encryption.
  • TLS over TLS overhead causes visible packet length enlargement and lack of small packets. Removing this overhead also requires MITM proxying.
  • TLS over TLS overhead also causes packets to consistently exceed MTU limits, which should not happen for an originating user agent. Fixing this requires re-segmentation and it is not easy to do.
  • Packet length obfuscation partly relies on h2 multiplexing, which does not work if there is only one connection, a scenario not uncommon. It is not clear how to create covering co-connections organically (i.e. not hard coded).
  • Multiplexing requires use of a few long-lived tunnel connections. It is not clearly how long is appropriate for parroting and how to convincingly rotate the connections if there is an age limit or how to detect and recover stuck tunnel connections convincingly.