Merge pull request #136 from SenseUnit/utls

uTLS

Author: Snawoot

README.md

@@ -368,6 +368,7 @@ Supported proxy schemes are:
   * `curves` - colon-separated list of enabled TLS key exchange curves.
   * `min-tls-version` - minimum TLS version.
   * `max-tls-version` - maximum TLS version.
+  * `utls-fp` - TLS fingerprint parroting with uTLS library. See the [list](https://pkg.go.dev/github.com/refraction-networking/utls#pkg-variables) of allowed client IDs. Example: `utls-fp=HelloChrome_Auto`.
 * `http+optimistic` - (EXPERIMENTAL) HTTP proxy dialer which reads the connection success response asynchronously.
 * `https+optimistic` - (EXPERIMENTAL) HTTP proxy over TLS dialer which reads the connection success response asynchronously. Options are same as for `https` dialer.
 * `h2` - HTTP/2 proxy over TLS connection. Examples: `h2://user:[email protected]`, `h2://example.org?cert=cert.pem&key=key.pem`. This method also supports additional parameters passed in query string:
@@ -381,6 +382,7 @@ Supported proxy schemes are:
   * `min-tls-version` - minimum TLS version.
   * `max-tls-version` - maximum TLS version.
   * `fetchrandom` - request server to send random data in the first request via every new HTTP/2 connection. Useful to trick TLS-in-TLS detection. Value format: length as a number or range `x-y`. Example: `fetchrandom=100000-500000`.
+  * `utls-fp` - TLS fingerprint parroting with uTLS library. See the [list](https://pkg.go.dev/github.com/refraction-networking/utls#pkg-variables) of allowed client IDs. Example: `utls-fp=HelloChrome_Auto`.
 * `h2c` - HTTP/2 proxy over plaintext connection with the CONNECT method support. Examples: `h2c://example.org:8080`.
   * `fetchrandom` - request server to send random data in the first request via every new HTTP/2 connection. Useful to trick TLS-in-TLS detection. Value format: length as a number or range `x-y`. Example: `fetchrandom=100000-500000`.
 * `socks5`, `socks5h` - SOCKS5 proxy with hostname resolving via remote proxy. Example: `socks5://127.0.0.1:9050`.

dialer/h2.go

@@ -32,10 +32,11 @@ func H2ProxyDialerFromURL(u *url.URL, next xproxy.Dialer) (xproxy.Dialer, error)
 	port := u.Port()
 
 	var (
-		tlsConfig *tls.Config
-		err       error
-		h2c       bool
-		scheme    string
+		tlsConfig  *tls.Config
+		tlsFactory func(net.Conn, *tls.Config) net.Conn
+		err        error
+		h2c        bool
+		scheme     string
 	)
 	switch strings.ToLower(u.Scheme) {
 	case "h2c":
@@ -55,6 +56,10 @@ func H2ProxyDialerFromURL(u *url.URL, next xproxy.Dialer) (xproxy.Dialer, error)
 		if err != nil {
 			return nil, fmt.Errorf("TLS configuration failed: %w", err)
 		}
+		tlsFactory, err = tlsutil.TLSFactoryFromURL(u)
+		if err != nil {
+			return nil, fmt.Errorf("TLS configuration failed: %w", err)
+		}
 		scheme = "https"
 	default:
 		return nil, errors.New("unsupported proxy type")
@@ -120,7 +125,7 @@ func H2ProxyDialerFromURL(u *url.URL, next xproxy.Dialer) (xproxy.Dialer, error)
 			if err != nil {
 				return nil, err
 			}
-			conn = tls.Client(conn, tlsConfig)
+			conn = tlsFactory(conn, tlsConfig)
 			return conn, nil
 		}
 	}

dialer/optimistic.go

@@ -17,10 +17,11 @@ import (
 )
 
 type OptimisticHTTPProxyDialer struct {
-	address   string
-	tlsConfig *tls.Config
-	userinfo  *url.Userinfo
-	next      Dialer
+	address    string
+	tlsConfig  *tls.Config
+	tlsFactory func(net.Conn, *tls.Config) net.Conn
+	userinfo   *url.Userinfo
+	next       Dialer
 }
 
 func NewOptimisticHTTPProxyDialer(address string, tlsConfig *tls.Config, userinfo *url.Userinfo, next LegacyDialer) *OptimisticHTTPProxyDialer {
@@ -36,8 +37,11 @@ func OptimisticHTTPProxyDialerFromURL(u *url.URL, next xproxy.Dialer) (xproxy.Di
 	host := u.Hostname()
 	port := u.Port()
 
-	var tlsConfig *tls.Config
-	var err error
+	var (
+		tlsConfig  *tls.Config
+		tlsFactory func(net.Conn, *tls.Config) net.Conn
+		err        error
+	)
 	switch strings.ToLower(u.Scheme) {
 	case "http+optimistic":
 		if port == "" {
@@ -51,13 +55,23 @@ func OptimisticHTTPProxyDialerFromURL(u *url.URL, next xproxy.Dialer) (xproxy.Di
 		if err != nil {
 			return nil, fmt.Errorf("TLS configuration failed: %w", err)
 		}
+		tlsFactory, err = tlsutil.TLSFactoryFromURL(u)
+		if err != nil {
+			return nil, fmt.Errorf("TLS configuration failed: %w", err)
+		}
 	default:
 		return nil, errors.New("unsupported proxy type")
 	}
 
 	address := net.JoinHostPort(host, port)
 
-	return NewOptimisticHTTPProxyDialer(address, tlsConfig, u.User, next), nil
+	return &OptimisticHTTPProxyDialer{
+		address:    address,
+		tlsConfig:  tlsConfig,
+		tlsFactory: tlsFactory,
+		userinfo:   u.User,
+		next:       MaybeWrapWithContextDialer(next),
+	}, nil
 }
 
 func (d *OptimisticHTTPProxyDialer) Dial(network, address string) (net.Conn, error) {
@@ -75,7 +89,7 @@ func (d *OptimisticHTTPProxyDialer) DialContext(ctx context.Context, network, ad
 		return nil, fmt.Errorf("proxy dialer is unable to make connection: %w", err)
 	}
 	if d.tlsConfig != nil {
-		conn = tls.Client(conn, d.tlsConfig)
+		conn = d.tlsFactory(conn, d.tlsConfig)
 	}
 
 	return &futureH1ProxiedConn{

dialer/upstream.go

@@ -21,10 +21,11 @@ import (
 )
 
 type HTTPProxyDialer struct {
-	address   string
-	tlsConfig *tls.Config
-	userinfo  *url.Userinfo
-	next      Dialer
+	address    string
+	tlsConfig  *tls.Config
+	tlsFactory func(net.Conn, *tls.Config) net.Conn
+	userinfo   *url.Userinfo
+	next       Dialer
 }
 
 func NewHTTPProxyDialer(address string, tlsConfig *tls.Config, userinfo *url.Userinfo, next LegacyDialer) *HTTPProxyDialer {
@@ -40,8 +41,11 @@ func HTTPProxyDialerFromURL(u *url.URL, next xproxy.Dialer) (xproxy.Dialer, erro
 	host := u.Hostname()
 	port := u.Port()
 
-	var tlsConfig *tls.Config
-	var err error
+	var (
+		tlsConfig  *tls.Config
+		tlsFactory func(net.Conn, *tls.Config) net.Conn
+		err        error
+	)
 	switch strings.ToLower(u.Scheme) {
 	case "http":
 		if port == "" {
@@ -55,13 +59,23 @@ func HTTPProxyDialerFromURL(u *url.URL, next xproxy.Dialer) (xproxy.Dialer, erro
 		if err != nil {
 			return nil, fmt.Errorf("TLS configuration failed: %w", err)
 		}
+		tlsFactory, err = tlsutil.TLSFactoryFromURL(u)
+		if err != nil {
+			return nil, fmt.Errorf("TLS configuration failed: %w", err)
+		}
 	default:
 		return nil, errors.New("unsupported proxy type")
 	}
 
 	address := net.JoinHostPort(host, port)
 
-	return NewHTTPProxyDialer(address, tlsConfig, u.User, next), nil
+	return &HTTPProxyDialer{
+		address:    address,
+		tlsConfig:  tlsConfig,
+		tlsFactory: tlsFactory,
+		next:       MaybeWrapWithContextDialer(next),
+		userinfo:   u.User,
+	}, nil
 }
 
 func (d *HTTPProxyDialer) Dial(network, address string) (net.Conn, error) {
@@ -79,7 +93,7 @@ func (d *HTTPProxyDialer) DialContext(ctx context.Context, network, address stri
 		return nil, fmt.Errorf("proxy dialer is unable to make connection: %w", err)
 	}
 	if d.tlsConfig != nil {
-		conn = tls.Client(conn, d.tlsConfig)
+		conn = d.tlsFactory(conn, d.tlsConfig)
 	}
 
 	stopGuardEvent := make(chan struct{})

go.mod

@@ -12,6 +12,7 @@ require (
 	github.com/jellydator/ttlcache/v3 v3.3.0
 	github.com/libp2p/go-reuseport v0.4.0
 	github.com/redis/go-redis/v9 v9.8.0
+	github.com/refraction-networking/utls v1.8.0
 	github.com/tg123/go-htpasswd v1.2.4
 	github.com/zeebo/xxh3 v1.0.2
 	golang.org/x/crypto v0.38.0
@@ -23,12 +24,14 @@ require (
 
 require (
 	github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 // indirect
+	github.com/andybalholm/brotli v1.0.6 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dlclark/regexp2 v1.11.5 // indirect
 	github.com/go-sourcemap/sourcemap v2.1.4+incompatible // indirect
 	github.com/google/pprof v0.0.0-20250501235452-c0086092b71a // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/klauspost/compress v1.17.4 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
 	github.com/pires/go-proxyproto v0.8.1
 	golang.org/x/sys v0.33.0 // indirect

go.sum

@@ -6,6 +6,8 @@ github.com/Snawoot/uniqueslice v0.1.1 h1:KEfv3FtAXiNEoxvcc79pFQDhnqwYXQyZIkxOM4e
 github.com/Snawoot/uniqueslice v0.1.1/go.mod h1:K9zIaHO43FGLHbqm6WCDFeY6+CN/du5eiio/vxvDVC8=
 github.com/Snawoot/xtime v0.0.0-20250501122004-d1ce456948bb h1:PleTDwc/EQenzLsvIal2BgvIXr2D214M88RFac3WkeI=
 github.com/Snawoot/xtime v0.0.0-20250501122004-d1ce456948bb/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+github.com/andybalholm/brotli v1.0.6 h1:Yf9fFpf49Zrxb9NlQaluyE92/+X7UVHlhMNJN2sxfOI=
+github.com/andybalholm/brotli v1.0.6/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
 github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdbAV9g4c=
 github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
@@ -34,6 +36,8 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/jellydator/ttlcache/v3 v3.3.0 h1:BdoC9cE81qXfrxeb9eoJi9dWrdhSuwXMAnHTbnBm4Wc=
 github.com/jellydator/ttlcache/v3 v3.3.0/go.mod h1:bj2/e0l4jRnQdrnSTaGTsh4GSXvMjQcy41i7th0GVGw=
+github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
+github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
 github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
 github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/libp2p/go-reuseport v0.4.0 h1:nR5KU7hD0WxXCJbmw7r2rhRYruNRl2koHw8fQscQm2s=
@@ -44,6 +48,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/redis/go-redis/v9 v9.8.0 h1:q3nRvjrlge/6UD7eTu/DSg2uYiU2mCL0G/uzBWqhicI=
 github.com/redis/go-redis/v9 v9.8.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
+github.com/refraction-networking/utls v1.8.0 h1:L38krhiTAyj9EeiQQa2sg+hYb4qwLCqdMcpZrRfbONE=
+github.com/refraction-networking/utls v1.8.0/go.mod h1:jkSOEkLqn+S/jtpEHPOsVv/4V4EVnelwbMQl4vCWXAM=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tg123/go-htpasswd v1.2.4 h1:HgH8KKCjdmo7jjXWN9k1nefPBd7Be3tFCTjc2jPraPU=