Next: Why I created it?

tofuproxy ¶

tofuproxy is free software flexible HTTP/HTTPS proxy server, TLS terminator, X.509 TOFU manager, WARC and geminispace browser, written on Go with following capabilities:

Full TLS connection termination between Web-servers and tofuproxy itself. TLS 1.3, session resumption, GOST cryptography (if built with gostls13) support. Connection between tofuproxy and browser itself uses ephemeral on-the-fly generated certificates with proper domain name.
HTTP/2 (if negotiated with ALPN) and HTTP keep-alives are supported.
Default Go’s crypto/x509 checks are applied to all certificates. If they pass, then certificate chain is saved on the disk (TOFU, trust-on-first-use). Future connections are compared against it, warning you about SPKI change (SPKI pinning) and waiting for your decision either to accept new chain (possibly once per session), or reject it. Even if native Go’s checks are failed (for example domain still does not use SubjectAltName extension), you can still make a decision to forcefully trust the domain.
CAs can have restrictions on what domains they are allowed to be served.
Optional DANE-EE check.
TLS client certificates are supported too.
HTTP-based authorization requests are intercepted and user/password input dialogue is shown. It automatically loads initial form values from .netrc.
Permanent HTTP redirects are replaces with non-refreshing HTML page with the link, to make you explicitly allow that step. Temporary redirects are followed if it is neither Newsboat nor go.stargrave.org/feeder user-agent, not image paths.
JPEG XL, AVIF and WebP images are transparently transcoded to PNG, giving it back to the browser, not requiring it to support modern effective image formats.
Ability to load, index and browse WARC web archives, that are possibly multi-segment/frame compressed with gzip/zstd.
Ability to browse geminispace, transparently converting gemfiles to HTMLs with URL rewriting.

And additional personal preferences:

Various spying domains (advertisement, tracking counters) are denied.
www.reddit.com is redirected to old.reddit.com (because it works without JavaScript and looks nicer).
Хабр’s resolution reduced images are redirected to their full size variants.
Web fonts downloads are forbidden.

• Why:
• Install:
• Usage:
• Spies:
• CertTrust:
• TLSAuth:
• Restricted:
• HTTPAuth:
• WARCs:
• Gemini: