王者归来 Proxomitron Reborn


Moderator: cre

Forum rules
  • 软件自带帮助是最好的入门教程,请仔细阅读;在您掌握最基本知识前,我们没法帮助您
  • 提问前请先查阅软件帮助文件和论坛相关讨论
  • 查阅软件帮助和论坛相关讨论即可解决的问题帖将直接删除,以免浪费他人时间
  • 请学会如何提问,尽量将问题描述清楚,不明确的提问将被直接删除
User avatar
Site Admin
Posts: 525
Joined: Dec 29 2007, 16:27

王者归来 Proxomitron Reborn

Post by phoenix » Dec 15 2018, 14:48

时至今日,我仍然认为 Proxomitron 是网页修改的王者。只是随着 https 的流行,它在处理 https 上的不足让它逐渐变得不再那么得心应手了。尽管我写了 ProxHTTPSProxyMII 来辅助解决这个问题,但是配置的复杂以及 python 的效率低下(和 C 相比),这个方案总归不是那么优雅。

好消息是 amy@prxbx 对 Proxomitron 成功进行了反编译,得到的源代码已可以编译出可执行文件。在此之上,amy@prxbx 通过新增功能已成功解决了 https 过滤方方面面的问题。好像浴火重生的凤凰,曾经的王者又归来了!假以时日,我们可以期待 amy@prxbx 会持续开发,给 Proxomitron 增加更多方便有趣的功能。


以下信息是对 http://www.prxbx.com/forums/showthread.php?tid=2331 中内容的整理,只列出了我个人认为对普通用户(相对开发者而言)有意义的部分。

  • OpenSSL support includes the latest version the patches, so you will need to use OpenSSL 1.0.1. These DLLs should work.
  • Certificates generated with correct names
    No longer deal with unfilterable HTTPS pages or "host name does not match" warnings/errors from browsers! The Proxomitron now generates certificates, signed by its own root, for each hostname to satisfy browser checks.
  • $REM() pseudocommand
    At the request of mizzmona, the $REM pseudocommand allows including commentary in filter expressions. Within the parentheses, write anything which will be ignored completely by the matching engine. Ensure to balance inner parentheses, or escape them and other special characters.
  • Add HTTPS to local.ptron
    Simply set the port in the new HTTPS settings tab to an unused one (e.g. 8443), restart Proxomitron, and visit e.g. https://local.ptron:your_port/.pinfo/ or any local path to see files served over HTTPS! https://localhost:your_port/ and will work too, thanks to the Subject Alternative Names in the certificate that it generates. If you don't need this option, set the port to 0 and it will stop listening for HTTPS. The new configuration file keyword is SslPort in the Global section, and its default is 0.

    Also, HTTPS local sites look like they have no host, and start with '/', because the browser creates a loopback connection through Proxomitron itself and then asks for the path directly, treating it like a normal webserver. Thus, to bypass all local paths,

    Code: Select all

    in your blockfile is enough Smile!

    If you want to bypass a specific local path, then specify it as usual, but omit the host:

    Code: Select all

  • HTTPS configuration options for cipher suite selection and certificate error bypass
    Also present in the new configuration dialog tab are two fields which correspond to two new keywords in the global configuration file section: SslCiphers and BypassCertErrs.

    The former allows controlling the cipher suites which Proxomitron's SSL client (as presented to external sites) advertises support for; its format is a string that is documented at https://www.openssl.org/docs/man1.0.2/apps/ciphers.html . Leave it blank to use the default, which is currently "ALL:!eNULL:!aNULL:!EXP:!DES:!RC2:!SSLv2:!PSK:!aECDH:!CAMELLIA:!SEED:@STRENGTH". This is useful for the advanced users to fine-tune their TLS/SSL configuration.

    The latter is a flexible way to specify sites which you do not want to be warned of certificate errors with; you can use any of Proxomitron's filtering language to construct an expression which will be matched against the hostname. This means you can use blockfiles too! Leaving this field blank (the default) means it will not match any hostname, and thus the behavour will be unchanged from before.
  • Add details to certificate error dialog
    The certificate error dialog now shows the entire certificate details instead of only the name and its validity period dates. Useful for troubleshooting certificate errors.
  • Add root certificate generation
    This is the biggest new feature, and is accessible from the bottom button in the new HTTPS configuration tab. If you have an existing certificate in use, you can still click this button and look around; it will warn you that if you try to generate a certificate, it will replace your existing one. This new dialog allows you to specify some fields of the certificate to be generated, and if you have an existing certificate it conveniently duplicates the same information from it and lets you generate a new one with a validity period of another 5 years. You can choose the key size and algorithm, keeping in mind that not all browsers will support the more advanced ones, and that this certificate is only used to "fool" browsers into behaving since Proxomitron does most of the work of encryption and validation now. It makes sense to choose the most "insecure" that browsers will accept, because it improves performance. If you click Generate, it will create/overwrite the proxcert.pem and proxcert_certonly.pem files, and then after restarting Proxomitron and installing the certificate as a trusted root in the browser(s) you use, you can start experiencing real SSL filtering!
  • Make generated site certificates use the same signature algorithm as the root certificate
    Fortunately you can generate a certificate using RSA-SHA256 (or higher) --- simply select the desired Signature Algorithm in the Generate Certificate dialog.
  • Fix use-after-free when click OK or Cancel button for remote proxy selector - the original code in 4.5J has this bug; it is only because of luck that it wasn't discovered all this time. link
  • Stabilise and refine header filter ordering - URL: filters are now applied first, and also show first in the list. They are sorted respectively alphabetically.
    • Having the header filter dialog order be the same order they're applied.
    • Having URL: filters always come first (sorted alphabetically as a group) in the internal list and also at the top of the config file order (i.e. saving a config file will always produce this order).
  • Clarify file URLs for opening blocklists: URL commands must be enabled to do so, and if not, a warning message is shown.
  • Fix date checking for If-Modified-Since in local file requests. Original code would always respond with "not modified", possibly causing caching problems with local file replacements.
  • Fix Show URL in browser for https and add option to include scheme. When adding a URL to a blocklist, the menu option to open in browser was broken for https URLs. Now that has been fixed, and a checkbox added to allow you to include the scheme (https:// or http://) when adding to the list.
  • Fix unintentional sign-extension in base-64 encoding. Non-ASCII basswords and such should now encode and decode correctly.
  • Fix tray icon tooltip (now it says Bypassed when... bypassed)
  • Fix handling of FEXTRA and FHCRC for gzip format
  • Fix header filter count decrement race condition. No more erroneous "Filters In Use" with 0 active connections
  • Fix saving and restoring window sizes (for multiple-monitor users)
  • Fix multithreaded OpenSSL initialisation race condition crash
  • Fix positioning of context menus for multiple-monitor systems
  • Make receive buffer size (RWIN) configurable (Reference: FAQ, Patch)
    I decided to make it configurable, currently via config-file-only option RcvBuf. This option behaves as follows:

    Section: Global
    Name: RcvBuf
    Type: integer
    Default: 32768
    Range: 0-(max)

    Description: sets the receive buffer for each connection (has an equivalence to the receive window, RWIN). A value of 0 causes Proxomitron to use the default of the OS.

    Thus, you can default to the OS, like RWIN patch does, by adding RcvBuf=0 to your config file. This option also helps you experiment with RWIN value without needing to reboot - simply edit config file and reload config.
  • Partially fix missing UI controls upon first press of Alt key
    I have fixed this partially for, and figured out at least part of what's happening --- when Alt is pressed, the dialog is repainted, but the two boxes (with title "Active Filters" and "Edit Filters") paint over the controls inside them. I partially fixed this by correcting the order, but the (not custom-drawn) checkboxes still refuse to redraw themselves for some as-yet-unknown reason. Hopefully this is at least a bit better than most of the buttons completely disappearing...
The basics of how to visit site example.com under several circumstances, and how to set up the browser source
HTTP (no proxy):
- Browser connects to example.com port 80
- Browser sends GET / HTTP/1.1 request and headers
- Site server sends reply to browser

HTTP (with Proxomitron defaults):
- Browser connects to localhost port 8080
- Browser sends GET http://www.example.com/ HTTP/1.1 request and headers
- Proxomitron reads and filters request; assuming it is not killed/redirected,
- Proxomitron connects to example.com port 80
- Proxomitron sends filtered GET / HTTP/1.1 request
- Site server sends reply to Proxomitron
- Proxomitron filters reply and sends to browser

HTTPS (no proxy):
- Browser connects to example.com port 443
- Browser establishes encrypted tunnel with site
- Browser sends GET / HTTP/1.1 request and headers through encrypted tunnel
- Site server sends reply to browser through the tunnel

HTTPS (with Proxomitron and no SSL-filtering)
- Browser connects to localhost port 8080
- Browser sends CONNECT example.com:443 HTTP/1.1 request
- Proxomitron connects to example.com port 443 and relays traffic to browser
- Browser establishes encrypted tunnel with site, through Proxomitron (which just passes it through, it is encrypted so it can't do anything to the data)
- Browser sends GET / HTTP/1.1 request and headers through encrypted tunnel via Proxomitron to the site server
- Site server sends reply to browser through the encrypted tunnel and passing through Proxomitron

HTTPS (with Proxomitron and SSL-filtering)
- Browser connects to localhost port 8080
- Browser sends CONNECT example.com:443 HTTP/1.1 request
- Proxomitron establishes encrypted tunnel with browser
- Proxomitron connects to example.com port 443 and establishes encrypted tunnel with it
- Browser sends GET / HTTP/1.1 request and headers through encrypted tunnel to Proxomitron
- Proxomitron decrypts, processes/filters request, then re-encrypts and sends it to the site server
- Site server sends reply to Proxomitron, which decrypts, processes/filters the reply, and re-encrypts it to send to the browser

You will notice in all of the situations above, that the browser connects to Proxomitron using the same 8080 port as before. The only difference is in the data that flows through that port.

Then what is HTTPS port for? It is so Proxomitron itself can act as HTTPS web server. You do not need it for just filtering HTTPS sites, but it can be useful if you want to host local resources that you want to embed, to avoid mixed-content warnings/errors from browsers.

The summary is, set your ports in browser configuration to 8080 like before, restart Proxomitron, and make sure you are using 1.0.1 OpenSSL DLLs (the ones here should work --- they're what I'm currently using.)
Proxomitron Reborn.png
Proxomitron Reborn.png (11.23 KiB) Viewed 362 times