feat: SOCKS5 + HTTP CONNECT proxy integration#4
Open
gfhfyjbr wants to merge 30 commits into
Open
Conversation
gfhfyjbr
commented
Apr 28, 2026
- SOCKS5 TCP CONNECT for HTTP/1.1 and HTTP/2 (RFC 1928)
- SOCKS5 UDP ASSOCIATE for HTTP/3 / QUIC tunneling (RFC 1928 §6)
- HTTP CONNECT proxy tunnel for HTTP/1.1 and HTTP/2
- Username/password authentication for both proxy types (RFC 1929)
- Remote DNS resolution (no DNS leaks — SOCKS5 atyp=0x03)
- QuicUdpTransport trait abstraction for proxied QUIC sockets
- Proxy-aware connection pooling (different proxies = separate pools)
- TLS fingerprints fully preserved through proxy tunnels
- Zero external proxy dependencies — implemented from scratch
…ton#2) * Initial plan * fix(ci): simplify Windows Node build to avoid cargo path mismatch Co-authored-by: jaredboynton <133988121+jaredboynton@users.noreply.github.com> * fix(ci): add Python setup with correct architecture for Windows builds Co-authored-by: jaredboynton <133988121+jaredboynton@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: jaredboynton <133988121+jaredboynton@users.noreply.github.com>
Avoids cmake-rs path canonicalization bug that causes 'detected home dir change' and deletes build artifacts mid-compilation. - New job builds BoringSSL once, caches result - Main build downloads prebuilt binaries - Sets BORING_BSSL_PATH, BORING_BSSL_INCLUDE_PATH, QUICHE_BSSL_PATH - Removes NASM/Perl install (not needed) - Expected speedup: ~2 minutes per build
Visual Studio generator cannot assemble BoringSSL's NASM files per official docs. Ninja is required for Windows builds. - Switch from Visual Studio 17 2022 to Ninja generator - Add ilammy/msvc-dev-cmd to setup MSVC environment - Install ninja via chocolatey - Update lib paths: build/crypto/crypto.lib (no Release/ subdir) - Remove QUICHE_BSSL_PATH (unused with boringssl-boring-crate feature) - Remove Strawberry Perl (only needed for regenerating files)
…g in CI Downloaded prebuilt binaries (built locally on Windows VM): - crypto.lib (7.9 MB) - ssl.lib (4.1 MB) - Built with Ninja + MSVC 19.44 + NASM Replaces build-boringssl-windows job with simple curl download from release boringssl-prebuilt-v1. Saves ~3-4 min per build.
- Prebuilt BoringSSL static libraries for all targets (macOS, Linux, Windows) - justfile with zigbuild recipe for Linux cross-compilation - zig wrapper scripts for cmake/boring-sys target translation - Updated CI to test cross-compilation for all platforms - BORING_BSSL_PATH skips 2min cmake build
- Add prebuilt .a and .lib files for all 7 targets - Fix Node Release workflow to use scripts/ instead of .github/scripts/ - Fix Python Release workflow to use docker-options for env vars in maturin containers
…rofile::None - Set BORING_BSSL_PATH env var for cargo-xwin Windows builds - Rename Python FingerprintProfile.None to NoFingerprint (None is reserved in Python) - Update tests and type stubs
- Windows builds now run on windows-latest instead of cross-compiling from macOS - Remove musl target from CI (release workflows use dedicated musl containers) - Simplify CI to focus on native builds
- Cross-compile Windows from macOS using cargo-xwin (more reliable than native Windows CI) - Install LLVM for llvm-lib tool needed by zstd-sys
- Pin all CI jobs to macos-14 for consistency - Install just and cargo-zigbuild via taiki-e/install-action - Fix LLVM PATH using $GITHUB_PATH instead of broken env: PATH - Add aarch64-unknown-linux-musl target support - Add prebuilt BoringSSL for aarch64-unknown-linux-musl - Add zig wrapper scripts for aarch64-linux-musl
fix: update tests for reqwest-like API
* chore: ignore worktrees * ci: fix python readme path and npm publish auth * ci: fix python sdist readme path and node prepublish idempotency - Add local README_PYPI.md for Python bindings (avoids .. in archive paths) - Update pyproject.toml to use local readme file - Add --no-gh-release to napi prepublish (prevents duplicate release errors) * ci: run python publish job on ubuntu (pypi action requires linux) * ci: add PYPI_API_TOKEN fallback for python publish * ci: rename python package to specters (avoid pypi name conflict) * ci: clean up node workflow env vars * ci: rename npm package to specters (match pypi, avoid name conflict)
…ility - Remove [workspace] and build profiles from Cargo.toml (conflicts with parent) - Add allow(dead_code) to mock_h3_server test helper
- Remove 5 pointless/legacy test files (integration.rs, rfc3986_uri.rs, concurrency.rs, benchmarks.rs, rfc9114_http3.rs) - Relocate cookie domain normalization test to rfc6265_cookies.rs - Add error handling tests (connection refused, DNS, timeout, TLS, reset) - Add HTTP/2 multiplexing validation tests (stream IDs, parallel requests) - Add compression tests (gzip, deflate, brotli, zstd, identity) - Fix CI nextest retries (0 -> 1) for transient flake handling
The crate name 'specter' is taken on crates.io. Publish as 'specters' with [lib] name = 'specter' to preserve all import paths.
BoringSSL prebuilt libs (83MB) exceed crates.io 10MB limit. The boring crate builds BoringSSL from source for consumers.
Add browser fingerprint support for Chrome versions 143 through 146 (current stable). Each version has correct Sec-Ch-Ua brand strings derived from the Chromium GREASE algorithm, version-specific User-Agent strings, and full header presets (navigation, AJAX, form). TLS and HTTP/2 fingerprints are unchanged across Chrome 142-146, so the implementation shares cipher suites, signature algorithms, curves, and extension ordering via a unified chrome() constructor with per-version aliases for backwards compatibility. Default FingerprintProfile changed from Chrome142 to Chrome146. Chrome142 remains available and fully functional. Constraint: Brand strings computed from Chromium source algorithm in components/embedder_support/user_agent_utils.cc Constraint: TLS config verified identical across 142-146 via tls.peet.ws and Chrome release notes Rejected: Single parameterized function for all versions | static dispatch with version-specific functions matches existing Firefox pattern Confidence: high Scope-risk: moderate
Revert FingerprintProfile default from Chrome146 back to Chrome142 to avoid a silent behavioral change for existing consumers who rely on deterministic fingerprints without explicitly selecting a profile. Add comprehensive test suite for Chrome 142-146 profiles validating Sec-Ch-Ua brand strings, User-Agent version strings, TLS/HTTP2 identity across versions, and header preset completeness. Constraint: Fingerprinting library default must not change in minor version Rejected: Keep Chrome146 as default | silent behavioral break violates SemVer Confidence: high Scope-risk: narrow
…43-146 Update all documentation touchpoints to reflect multi-version support: - Node.js README: show Chrome146 as primary example, list all versions - Python README: same treatment - PyPI README: update features list and usage example - CHANGELOG: add unreleased entry for Chrome 143-146 profiles Constraint: README examples show explicit version selection, not default Confidence: high Scope-risk: narrow
The Node package was publishing whichever native addon happened to be present in the root tarball. Move it to a platform-aware root package plus optional native packages, restore release workflows, and align BoringSSL path handling with boring-sys 4.21. Constraint: UMP installs this package through an npm alias as @specter/client, so native resolution cannot depend on absolute local paths. Rejected: Publish another root tarball with a bundled Darwin binary | repeats the 2.0.1 portability failure. Rejected: Publish linux-x64-musl in 2.1.3 | current prebuilt musl BoringSSL archive is not PIC and fails Node addon linking. Rejected: Use zig as the target archiver in CI | clean macOS runners failed zstd-sys archive creation with zig ar. Confidence: medium Scope-risk: moderate Directive: Keep BORING_BSSL_PATH pointed at the directory containing libcrypto.a for boring-sys 4.21 and newer. Tested: npm test for Node bindings; root cargo check --all-features; cargo fmt --check; npm audit --omit=optional; workflow YAML parse; just zigbuild x86_64-unknown-linux-gnu; Node cross-build for x86_64-unknown-linux-gnu and aarch64-unknown-linux-gnu; tarball install of root package plus darwin-arm64 optional package. Not-tested: Full cargo nextest completion locally because tls.peet.ws DNS resolution failed for external fingerprint tests.
- SOCKS5 TCP CONNECT for HTTP/1.1 and HTTP/2 (RFC 1928) - SOCKS5 UDP ASSOCIATE for HTTP/3 / QUIC tunneling (RFC 1928 §6) - HTTP CONNECT proxy tunnel for HTTP/1.1 and HTTP/2 - Username/password authentication for both proxy types (RFC 1929) - Remote DNS resolution (no DNS leaks — SOCKS5 atyp=0x03) - QuicUdpTransport trait abstraction for proxied QUIC sockets - Proxy-aware connection pooling (different proxies = separate pools) - TLS fingerprints fully preserved through proxy tunnels - Zero external proxy dependencies — implemented from scratch New files: src/proxy/mod.rs — ProxyConfig, ProxyAuth types src/proxy/socks5.rs — SOCKS5 protocol (CONNECT + UDP ASSOCIATE) src/proxy/http_connect.rs — HTTP CONNECT tunnel src/proxy/udp_transport.rs — QuicUdpTransport trait + impls examples/proxy_test.rs — IP detection API test examples/proxy_browserleaks.rs — TLS fingerprint check via proxy examples/proxy_h3_test.rs — HTTP/3 via SOCKS5 UDP ASSOCIATE test
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.