Return of the King: Proxomitron Reborn

Beginners' guide and experience sharing

Moderator: cre

Forum rules
  • The software's built-in help is the best beginner's tutorial; please read it carefully. Until you have mastered the most basic knowledge, we cannot help you.
  • Before asking, please consult the software's help file and the related forum discussions.
  • Question threads that could be resolved by consulting the software help and related forum discussions will be deleted outright, so as not to waste other people's time.
  • Please learn how to ask questions and describe your problem as clearly as possible; unclear questions will be deleted outright.
phoenix
Site Admin
Posts: 526
Joined: Dec 29 2007, 16:27

Return of the King: Proxomitron Reborn

Post by phoenix

To this day I still consider Proxomitron the king of web page modification. It is just that, as https has become widespread, its shortcomings in handling https have gradually made it less handy. Although I wrote ProxHTTPSProxyMII to help solve this problem, the complexity of the configuration and the low efficiency of Python (compared with C) meant that solution was never very elegant.

The good news is that amy@prxbx has successfully decompiled Proxomitron, and the resulting source code can already be compiled into an executable. On top of that, amy@prxbx has, by adding new features, solved every aspect of https filtering. Like a phoenix reborn from the fire, the former king has returned! Given time, we can expect amy@prxbx to keep developing and add more convenient and interesting features to Proxomitron.


The information below is compiled from http://www.prxbx.com/forums/showthread.php?tid=2331 and lists only the parts that I personally consider meaningful to ordinary users (as opposed to developers).

Updated to 4605R

New features
  • OpenSSL support includes the latest version the patches, so you will need to use OpenSSL 1.0.1. These DLLs should work.
  • Certificates generated with correct names
    No longer deal with unfilterable HTTPS pages or "host name does not match" warnings/errors from browsers! The Proxomitron now generates certificates, signed by its own root, for each hostname to satisfy browser checks.
  • $REM() pseudocommand
    At the request of mizzmona, the $REM pseudocommand allows including commentary in filter expressions. Within the parentheses, write anything which will be ignored completely by the matching engine. Ensure to balance inner parentheses, or escape them and other special characters.
  • Add HTTPS to local.ptron

    Note: It seems from version 4.6.0.4 https://local.ptron:xxx/ works with any ports.
    Simply set the port in the new HTTPS settings tab to an unused one (e.g. 8443), restart Proxomitron, and visit e.g. https://local.ptron:your_port/.pinfo/ or any local path to see files served over HTTPS! https://localhost:your_port/ and https://127.0.0.1:your_port/ will work too, thanks to the Subject Alternative Names in the certificate that it generates. If you don't need this option, set the port to 0 and it will stop listening for HTTPS. The new configuration file keyword is SslPort in the Global section, and its default is 0.

    Also, HTTPS local sites look like they have no host, and start with '/', because the browser creates a loopback connection through Proxomitron itself and then asks for the path directly, treating it like a normal webserver. Thus, to bypass all local paths,

        /

    in your blockfile is enough!

    If you want to bypass a specific local path, then specify it as usual, but omit the host:

        /foo/bar/bypassed.html
  • HTTPS configuration options for cipher suite selection and certificate error bypass
    Also present in the new configuration dialog tab are two fields which correspond to two new keywords in the global configuration file section: SslCiphers and BypassCertErrs.

    The former allows controlling the cipher suites which Proxomitron's SSL client (as presented to external sites) advertises support for; its format is a string that is documented at https://www.openssl.org/docs/man1.0.2/apps/ciphers.html . Leave it blank to use the default, which is currently "ALL:!eNULL:!aNULL:!EXP:!DES:!RC2:!SSLv2:!PSK:!aECDH:!CAMELLIA:!SEED:@STRENGTH". This is useful for the advanced users to fine-tune their TLS/SSL configuration.

    The latter is a flexible way to specify sites which you do not want to be warned of certificate errors with; you can use any of Proxomitron's filtering language to construct an expression which will be matched against the hostname. This means you can use blockfiles too! Leaving this field blank (the default) means it will not match any hostname, and thus the behaviour will be unchanged from before.
  • Add details to certificate error dialog
    The certificate error dialog now shows the entire certificate details instead of only the name and its validity period dates. Useful for troubleshooting certificate errors.
  • Add root certificate generation
    This is the biggest new feature, and is accessible from the bottom button in the new HTTPS configuration tab. If you have an existing certificate in use, you can still click this button and look around; it will warn you that if you try to generate a certificate, it will replace your existing one. This new dialog allows you to specify some fields of the certificate to be generated, and if you have an existing certificate it conveniently duplicates the same information from it and lets you generate a new one with a validity period of another 5 years. You can choose the key size and algorithm, keeping in mind that not all browsers will support the more advanced ones, and that this certificate is only used to "fool" browsers into behaving since Proxomitron does most of the work of encryption and validation now. It makes sense to choose the most "insecure" that browsers will accept, because it improves performance. If you click Generate, it will create/overwrite the proxcert.pem and proxcert_certonly.pem files, and then after restarting Proxomitron and installing the certificate as a trusted root in the browser(s) you use, you can start experiencing real SSL filtering!
  • Make generated site certificates use the same signature algorithm as the root certificate
    Another suggestion is to remove MD5, SHA1 and SHA224 from the Signature Algorithm drop down menu. They are either not secure any more or not approved for use with publicly trusted certificates.
    I am leaving these in for backward compatibility. Incidentally, Proxomitron's SSL filtering now means you can use TLS 1.2 with browsers that don't even support TLS 1.0!
    Fortunately you can generate a certificate using RSA-SHA256 (or higher) (Note: modern browsers require this) --- simply select the desired Signature Algorithm in the Generate Certificate dialog.
  • Allow multiple instances when run from different directories
    Proxomitron will now reactivate and reload the configuration of an existing instance only if it has the same full path. Otherwise it will start a new instance. For example, C:\Proxy1\proxo.exe and C:\Proxy2\proxo.exe can both be run, and invoking them again will cause the corresponding one's configuration to be reloaded. If you then run a C:\Proxy3\proxo.exe, it will start a new instance. It remains your responsibility to ensure that the instances do not attempt to listen on the same port or otherwise conflict. This will not affect those running a single instance.
  • Allow more ciphers/protocols from SSL server side; helps improve compatibility with older browsers.
  • Name new blocklist as file name instead of NewItem
  • Add Ctrl+A to filter test dialog input/output edit boxes
  • Make filter testing request and URL configurable
    The existing Proxomitron always tested filters with a request of

        GET http://www.Shonen.Knife.com/Naoko/Michie/Atsuko/kappa.ex.cgi?jackalope HTTP/1.1

    which you can see if you use e.g. \u in the replace section. That is still the default but you can now change it to your needs when testing filters.
Fixes for problems in the original version
  • Fix use-after-free when click OK or Cancel button for remote proxy selector - the original code in 4.5J has this bug; it is only because of luck that it wasn't discovered all this time. link
  • Stabilise and refine header filter ordering - URL: filters are now applied first, and also show first in the list. They are sorted respectively alphabetically.
    • Having the header filter dialog order be the same order they're applied.
    • Having URL: filters always come first (sorted alphabetically as a group) in the internal list and also at the top of the config file order (i.e. saving a config file will always produce this order).
  • Clarify file URLs for opening blocklists: URL commands must be enabled to do so, and if not, a warning message is shown.
  • Fix date checking for If-Modified-Since in local file requests. Original code would always respond with "not modified", possibly causing caching problems with local file replacements.
  • Fix Show URL in browser for https and add option to include scheme. When adding a URL to a blocklist, the menu option to open in browser was broken for https URLs. Now that has been fixed, and a checkbox added to allow you to include the scheme (https:// or http://) when adding to the list.
  • Fix unintentional sign-extension in base-64 encoding. Non-ASCII passwords and such should now encode and decode correctly.
  • Fix tray icon tooltip (now it says Bypassed when... bypassed)
  • Fix handling of FEXTRA and FHCRC for gzip format
  • Fix header filter count decrement race condition. No more erroneous "Filters In Use" with 0 active connections
  • Fix saving and restoring window sizes (for multiple-monitor users)
  • Fix multithreaded OpenSSL initialisation race condition crash
  • Fix positioning of context menus for multiple-monitor systems
  • Make receive buffer size (RWIN) configurable (Reference: FAQ, Patch)
    I decided to make it configurable, currently via config-file-only option RcvBuf. This option behaves as follows:

    Section: Global
    Name: RcvBuf
    Type: integer
    Default: 32768
    Range: 0-(max)

    Description: sets the receive buffer for each connection (has an equivalence to the receive window, RWIN). A value of 0 causes Proxomitron to use the default of the OS.

    Thus, you can default to the OS, like RWIN patch does, by adding RcvBuf=0 to your config file. This option also helps you experiment with RWIN value without needing to reboot - simply edit config file and reload config.
  • Partially fix missing UI controls upon first press of Alt key
    I have fixed this partially for 4.6.0.3, and figured out at least part of what's happening --- when Alt is pressed, the dialog is repainted, but the two boxes (with title "Active Filters" and "Edit Filters") paint over the controls inside them. I partially fixed this by correcting the order, but the (not custom-drawn) checkboxes still refuse to redraw themselves for some as-yet-unknown reason. Hopefully this is at least a bit better than most of the buttons completely disappearing...
  • Use appropriate protocol (used to be always http, now http or https according to site protocol) for local.ptron resources
  • Fix log window pressing ctrl disables arrows and pgup/pgdn
  • Fix crash when copying long headers from log
  • Fix clearing of replacement stack, see https://www.prxbx.com/forums/showthread ... 4#pid19634
  • Remove 2/4GB size limits on upload/download
    Now you can download large files through The Proxomitron without problem. Thanks to use of 64-bit content length calculation, the limit is now 8 or 16EB, sadly I do not have the time nor space to test that!
The basics of how to visit site example.com under several circumstances, and how to set up the browser source
HTTP (no proxy):
- Browser connects to example.com port 80
- Browser sends GET / HTTP/1.1 request and headers
- Site server sends reply to browser

HTTP (with Proxomitron defaults):
- Browser connects to localhost port 8080
- Browser sends GET http://www.example.com/ HTTP/1.1 request and headers
- Proxomitron reads and filters request; assuming it is not killed/redirected,
- Proxomitron connects to example.com port 80
- Proxomitron sends filtered GET / HTTP/1.1 request
- Site server sends reply to Proxomitron
- Proxomitron filters reply and sends to browser

HTTPS (no proxy):
- Browser connects to example.com port 443
- Browser establishes encrypted tunnel with site
- Browser sends GET / HTTP/1.1 request and headers through encrypted tunnel
- Site server sends reply to browser through the tunnel

HTTPS (with Proxomitron and no SSL-filtering)
- Browser connects to localhost port 8080
- Browser sends CONNECT example.com:443 HTTP/1.1 request
- Proxomitron connects to example.com port 443 and relays traffic to browser
- Browser establishes encrypted tunnel with site, through Proxomitron (which just passes it through, it is encrypted so it can't do anything to the data)
- Browser sends GET / HTTP/1.1 request and headers through encrypted tunnel via Proxomitron to the site server
- Site server sends reply to browser through the encrypted tunnel and passing through Proxomitron

HTTPS (with Proxomitron and SSL-filtering)
- Browser connects to localhost port 8080
- Browser sends CONNECT example.com:443 HTTP/1.1 request
- Proxomitron establishes encrypted tunnel with browser
- Proxomitron connects to example.com port 443 and establishes encrypted tunnel with it
- Browser sends GET / HTTP/1.1 request and headers through encrypted tunnel to Proxomitron
- Proxomitron decrypts, processes/filters request, then re-encrypts and sends it to the site server
- Site server sends reply to Proxomitron, which decrypts, processes/filters the reply, and re-encrypts it to send to the browser

You will notice in all of the situations above, that the browser connects to Proxomitron using the same 8080 port as before. The only difference is in the data that flows through that port.

Then what is HTTPS port for? It is so Proxomitron itself can act as HTTPS web server. You do not need it for just filtering HTTPS sites, but it can be useful if you want to host local resources that you want to embed, to avoid mixed-content warnings/errors from browsers.

The summary is, set your ports in browser configuration to 8080 like before, restart Proxomitron, and make sure you are using 1.0.1 OpenSSL DLLs (the ones here should work --- they're what I'm currently using.)
Attachments
ProxomitronReborn_4605R.zip
(145.47 KiB) Downloaded 654 times
Proxomitron Reborn.png
Proxomitron Reborn.png (11.23 KiB) Viewed 7716 times
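As an added example (not code from the post or from Proxomitron itself), the following Python model walks through the flows listed above: it classifies the browser's first request line (absolute-form GET, CONNECT, or an origin-form GET that reaches the proxy's own HTTPS port), derives the request line the site server would receive, and applies the post's observation that local HTTPS paths start with "/", so a blockfile entry of "/" bypasses them all. The regexes, the Plan structure and the prefix-match bypass check are my simplifications, not Proxomitron's matching language.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Request-line shapes a proxy sees (constructed regexes, simplified).
ABSOLUTE = re.compile(r"^(GET|POST|HEAD) http://([^/:\s]+)(?::(\d+))?(/\S*) (HTTP/1\.[01])$")
CONNECT = re.compile(r"^CONNECT ([^:\s]+):(\d+) HTTP/1\.[01]$")
ORIGIN = re.compile(r"^(GET|POST|HEAD) (/\S*) (HTTP/1\.[01])$")

@dataclass
class Plan:
    action: str         # "forward", "tunnel", "mitm" or "local"
    host: str           # upstream host ("" when the proxy serves the request itself)
    port: int
    filter_url: str     # the URL as a URL match or blockfile entry would see it
    upstream_line: str  # request line the site server receives ("" if none yet)

def plan_request(line: str, ssl_filtering: bool) -> Plan:
    """Map the browser's request line to one of the flows listed in the post."""
    if m := ABSOLUTE.match(line):
        method, host, port, path, ver = m.groups()
        # Plain HTTP via proxy: browser sends an absolute URI; the proxy connects
        # to the site and sends the origin-form line, e.g. "GET / HTTP/1.1".
        return Plan("forward", host, int(port or 80), host + path, f"{method} {path} {ver}")
    if m := CONNECT.match(line):
        host, port = m.groups()
        # HTTPS: without SSL filtering the proxy only relays encrypted bytes;
        # with it, the proxy terminates TLS on both sides and filters in between.
        # Only the hostname is known now (what BypassCertErrs is matched against).
        return Plan("mitm" if ssl_filtering else "tunnel", host, int(port), host, "")
    if m := ORIGIN.match(line):
        method, path, ver = m.groups()
        # Origin-form line: the browser reached the proxy's own HTTPS server
        # (e.g. https://local.ptron:8443/.pinfo/) through a loopback CONNECT,
        # so the URL seen by filters has no host and starts with "/".
        return Plan("local", "", 0, path, f"{method} {path} {ver}")
    raise ValueError(f"unrecognised request line: {line!r}")

def bypassed(filter_url: str, blockfile: list[str]) -> bool:
    """Simplified bypass check (assumption: a prefix match stands in for
    Proxomitron's matching). An entry "/" therefore matches every local
    HTTPS path but never a normal "host/path" URL."""
    return any(filter_url.startswith(entry) for entry in blockfile)

if __name__ == "__main__":
    blockfile = ["/"]  # constructed: bypass all local paths, as in the post
    for line, filt in [("GET http://www.example.com/ HTTP/1.1", False),
                       ("CONNECT example.com:443 HTTP/1.1", False),
                       ("CONNECT example.com:443 HTTP/1.1", True),
                       ("GET /.pinfo/ HTTP/1.1", True)]:
        p = plan_request(line, filt)
        print(f"{line:45} -> {p.action:7} bypass={bypassed(p.filter_url, blockfile)}")
```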
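The SslCiphers field takes OpenSSL's cipher-list syntax, and the post quotes its default. As an added example (not from the post or Proxomitron's code), this Python script uses the local OpenSSL through the ssl module to expand such a string and to show which suites the default keeps that a stricter list would drop. Which suites appear depends on your OpenSSL build, and the stricter string is my assumption for comparison, not a Proxomitron setting.

```python
from __future__ import annotations
import ssl

# The SslCiphers default quoted in the post (OpenSSL cipher-list syntax).
PROXOMITRON_DEFAULT = ("ALL:!eNULL:!aNULL:!EXP:!DES:!RC2:!SSLv2:!PSK:"
                       "!aECDH:!CAMELLIA:!SEED:@STRENGTH")
# Assumed stricter list for comparison: forward secrecy only, no 3DES/RC4/MD5.
STRICTER = "HIGH:!aNULL:!eNULL:!kRSA:!3DES:!RC4:!MD5:!PSK:!CAMELLIA:!SEED:@STRENGTH"

def expand_cipher_string(spec: str) -> list[str]:
    """Names of the TLS <= 1.2 suites the local OpenSSL selects for `spec`, in
    the order it would offer them. TLS 1.3 suites are governed separately by
    OpenSSL and are left out so the result reflects only this string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if no suite matches
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]

def dropped_by(looser: str, stricter: str) -> list[str]:
    """Suites the looser string keeps that the stricter one removes."""
    keep = set(expand_cipher_string(stricter))
    return [n for n in expand_cipher_string(looser) if n not in keep]

def no_anonymous_or_null(names: list[str]) -> bool:
    """Check that the '!eNULL:!aNULL:!aECDH' terms of the default took effect."""
    return not any("NULL" in n or n.startswith(("ADH", "AECDH")) for n in names)

if __name__ == "__main__":
    default = expand_cipher_string(PROXOMITRON_DEFAULT)
    print(f"default keeps {len(default)} suites, first: {default[:3]}")
    print("anonymous/NULL excluded:", no_anonymous_or_null(default))
    for name in dropped_by(PROXOMITRON_DEFAULT, STRICTER):
        print("kept by default, dropped by stricter list:", name)
```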