feat: SOCKS5 + HTTP CONNECT proxy integration #4

Open
gfhfyjbr wants to merge 30 commits into
jaredboynton:main from
gfhfyjbr:feat/socks5-proxy

@gfhfyjbr

  • SOCKS5 TCP CONNECT for HTTP/1.1 and HTTP/2 (RFC 1928)
  • SOCKS5 UDP ASSOCIATE for HTTP/3 / QUIC tunneling (RFC 1928 §6)
  • HTTP CONNECT proxy tunnel for HTTP/1.1 and HTTP/2
  • Username/password authentication for both proxy types (RFC 1929)
  • Remote DNS resolution (no DNS leaks — SOCKS5 atyp=0x03)
  • QuicUdpTransport trait abstraction for proxied QUIC sockets
  • Proxy-aware connection pooling (different proxies = separate pools)
  • TLS fingerprints fully preserved through proxy tunnels
  • Zero external proxy dependencies — implemented from scratch

Copilot AI and others added 30 commits January 31, 2026 13:50
…ton#2)

* Initial plan

* fix(ci): simplify Windows Node build to avoid cargo path mismatch

Co-authored-by: jaredboynton <133988121+jaredboynton@users.noreply.github.com>

* fix(ci): add Python setup with correct architecture for Windows builds

Co-authored-by: jaredboynton <133988121+jaredboynton@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: jaredboynton <133988121+jaredboynton@users.noreply.github.com>
Avoids cmake-rs path canonicalization bug that causes 'detected home dir
change' and deletes build artifacts mid-compilation.

- New job builds BoringSSL once, caches result
- Main build downloads prebuilt binaries
- Sets BORING_BSSL_PATH, BORING_BSSL_INCLUDE_PATH, QUICHE_BSSL_PATH
- Removes NASM/Perl install (not needed)
- Expected speedup: ~2 minutes per build
Visual Studio generator cannot assemble BoringSSL's NASM files per
official docs. Ninja is required for Windows builds.

- Switch from Visual Studio 17 2022 to Ninja generator
- Add ilammy/msvc-dev-cmd to setup MSVC environment
- Install ninja via chocolatey
- Update lib paths: build/crypto/crypto.lib (no Release/ subdir)
- Remove QUICHE_BSSL_PATH (unused with boringssl-boring-crate feature)
- Remove Strawberry Perl (only needed for regenerating files)
…g in CI

Downloaded prebuilt binaries (built locally on Windows VM):
- crypto.lib (7.9 MB)
- ssl.lib (4.1 MB)
- Built with Ninja + MSVC 19.44 + NASM

Replaces build-boringssl-windows job with simple curl download from
release boringssl-prebuilt-v1. Saves ~3-4 min per build.
- Prebuilt BoringSSL static libraries for all targets (macOS, Linux, Windows)
- justfile with zigbuild recipe for Linux cross-compilation
- zig wrapper scripts for cmake/boring-sys target translation
- Updated CI to test cross-compilation for all platforms
- BORING_BSSL_PATH skips 2min cmake build
- Add prebuilt .a and .lib files for all 7 targets
- Fix Node Release workflow to use scripts/ instead of .github/scripts/
- Fix Python Release workflow to use docker-options for env vars in maturin containers
…rofile::None

- Set BORING_BSSL_PATH env var for cargo-xwin Windows builds
- Rename Python FingerprintProfile.None to NoFingerprint (None is reserved in Python)
- Update tests and type stubs
- Windows builds now run on windows-latest instead of cross-compiling from macOS
- Remove musl target from CI (release workflows use dedicated musl containers)
- Simplify CI to focus on native builds
- Cross-compile Windows from macOS using cargo-xwin (more reliable than native Windows CI)
- Install LLVM for llvm-lib tool needed by zstd-sys
- Pin all CI jobs to macos-14 for consistency
- Install just and cargo-zigbuild via taiki-e/install-action
- Fix LLVM PATH using $GITHUB_PATH instead of broken env: PATH
- Add aarch64-unknown-linux-musl target support
- Add prebuilt BoringSSL for aarch64-unknown-linux-musl
- Add zig wrapper scripts for aarch64-linux-musl
fix: update tests for reqwest-like API
* chore: ignore worktrees

* ci: fix python readme path and npm publish auth

* ci: fix python sdist readme path and node prepublish idempotency

- Add local README_PYPI.md for Python bindings (avoids .. in archive paths)
- Update pyproject.toml to use local readme file
- Add --no-gh-release to napi prepublish (prevents duplicate release errors)

* ci: run python publish job on ubuntu (pypi action requires linux)

* ci: add PYPI_API_TOKEN fallback for python publish

* ci: rename python package to specters (avoid pypi name conflict)

* ci: clean up node workflow env vars

* ci: rename npm package to specters (match pypi, avoid name conflict)
…ility

- Remove [workspace] and build profiles from Cargo.toml (conflicts with parent)
- Add allow(dead_code) to mock_h3_server test helper
- Remove 5 pointless/legacy test files (integration.rs, rfc3986_uri.rs,
  concurrency.rs, benchmarks.rs, rfc9114_http3.rs)
- Relocate cookie domain normalization test to rfc6265_cookies.rs
- Add error handling tests (connection refused, DNS, timeout, TLS, reset)
- Add HTTP/2 multiplexing validation tests (stream IDs, parallel requests)
- Add compression tests (gzip, deflate, brotli, zstd, identity)
- Fix CI nextest retries (0 -> 1) for transient flake handling
The crate name 'specter' is taken on crates.io. Publish as 'specters'
with [lib] name = 'specter' to preserve all import paths.
BoringSSL prebuilt libs (83MB) exceed crates.io 10MB limit.
The boring crate builds BoringSSL from source for consumers.
Add browser fingerprint support for Chrome versions 143 through 146
(current stable). Each version has correct Sec-Ch-Ua brand strings
derived from the Chromium GREASE algorithm, version-specific User-Agent
strings, and full header presets (navigation, AJAX, form).

TLS and HTTP/2 fingerprints are unchanged across Chrome 142-146, so
the implementation shares cipher suites, signature algorithms, curves,
and extension ordering via a unified chrome() constructor with
per-version aliases for backwards compatibility.

Default FingerprintProfile changed from Chrome142 to Chrome146.
Chrome142 remains available and fully functional.

Constraint: Brand strings computed from Chromium source algorithm in
components/embedder_support/user_agent_utils.cc
Constraint: TLS config verified identical across 142-146 via
tls.peet.ws and Chrome release notes
Rejected: Single parameterized function for all versions | static
dispatch with version-specific functions matches existing Firefox pattern
Confidence: high
Scope-risk: moderate
Revert FingerprintProfile default from Chrome146 back to Chrome142
to avoid a silent behavioral change for existing consumers who rely
on deterministic fingerprints without explicitly selecting a profile.

Add comprehensive test suite for Chrome 142-146 profiles validating
Sec-Ch-Ua brand strings, User-Agent version strings, TLS/HTTP2
identity across versions, and header preset completeness.

Constraint: Fingerprinting library default must not change in minor version
Rejected: Keep Chrome146 as default | silent behavioral break violates SemVer
Confidence: high
Scope-risk: narrow
…43-146

Update all documentation touchpoints to reflect multi-version support:
- Node.js README: show Chrome146 as primary example, list all versions
- Python README: same treatment
- PyPI README: update features list and usage example
- CHANGELOG: add unreleased entry for Chrome 143-146 profiles

Constraint: README examples show explicit version selection, not default
Confidence: high
Scope-risk: narrow
The Node package was publishing whichever native addon happened to be present in the root tarball. Move it to a platform-aware root package plus optional native packages, restore release workflows, and align BoringSSL path handling with boring-sys 4.21.

Constraint: UMP installs this package through an npm alias as @specter/client, so native resolution cannot depend on absolute local paths.
Rejected: Publish another root tarball with a bundled Darwin binary | repeats the 2.0.1 portability failure.
Rejected: Publish linux-x64-musl in 2.1.3 | current prebuilt musl BoringSSL archive is not PIC and fails Node addon linking.
Rejected: Use zig as the target archiver in CI | clean macOS runners failed zstd-sys archive creation with zig ar.
Confidence: medium
Scope-risk: moderate
Directive: Keep BORING_BSSL_PATH pointed at the directory containing libcrypto.a for boring-sys 4.21 and newer.
Tested: npm test for Node bindings; root cargo check --all-features; cargo fmt --check; npm audit --omit=optional; workflow YAML parse; just zigbuild x86_64-unknown-linux-gnu; Node cross-build for x86_64-unknown-linux-gnu and aarch64-unknown-linux-gnu; tarball install of root package plus darwin-arm64 optional package.
Not-tested: Full cargo nextest completion locally because tls.peet.ws DNS resolution failed for external fingerprint tests.
- SOCKS5 TCP CONNECT for HTTP/1.1 and HTTP/2 (RFC 1928)
- SOCKS5 UDP ASSOCIATE for HTTP/3 / QUIC tunneling (RFC 1928 §6)
- HTTP CONNECT proxy tunnel for HTTP/1.1 and HTTP/2
- Username/password authentication for both proxy types (RFC 1929)
- Remote DNS resolution (no DNS leaks — SOCKS5 atyp=0x03)
- QuicUdpTransport trait abstraction for proxied QUIC sockets
- Proxy-aware connection pooling (different proxies = separate pools)
- TLS fingerprints fully preserved through proxy tunnels
- Zero external proxy dependencies — implemented from scratch

New files:
  src/proxy/mod.rs          — ProxyConfig, ProxyAuth types
  src/proxy/socks5.rs       — SOCKS5 protocol (CONNECT + UDP ASSOCIATE)
  src/proxy/http_connect.rs — HTTP CONNECT tunnel
  src/proxy/udp_transport.rs — QuicUdpTransport trait + impls
  examples/proxy_test.rs    — IP detection API test
  examples/proxy_browserleaks.rs — TLS fingerprint check via proxy
  examples/proxy_h3_test.rs — HTTP/3 via SOCKS5 UDP ASSOCIATE test
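
The remote DNS item in the feature list above (SOCKS5 atyp=0x03, RFC 1928) as an added example; this is not code from the pull request, and `encode_connect` is a hypothetical helper name. It shows the CONNECT request bytes for a host name versus an IP literal: the name is sent to the proxy unresolved, so the client's own resolver is never queried.

```rust
use std::net::IpAddr;

// SOCKS5 constants from RFC 1928.
const VER: u8 = 0x05;
const CMD_CONNECT: u8 = 0x01;
const ATYP_IPV4: u8 = 0x01;
const ATYP_DOMAIN: u8 = 0x03;
const ATYP_IPV6: u8 = 0x04;

/// Encode a SOCKS5 CONNECT request (hypothetical helper, not from the PR).
/// Host names go out as ATYP=0x03 so the proxy resolves them; nothing here
/// calls a local resolver, which is what keeps the lookup off the local network.
fn encode_connect(host: &str, port: u16) -> Result<Vec<u8>, String> {
    let mut req = vec![VER, CMD_CONNECT, 0x00]; // VER, CMD, RSV
    match host.parse::<IpAddr>() {
        Ok(IpAddr::V4(ip)) => {
            req.push(ATYP_IPV4);
            req.extend_from_slice(&ip.octets());
        }
        Ok(IpAddr::V6(ip)) => {
            req.push(ATYP_IPV6);
            req.extend_from_slice(&ip.octets());
        }
        Err(_) => {
            // The length prefix is one octet, so names over 255 bytes cannot be sent.
            if host.is_empty() || host.len() > 255 {
                return Err(format!("invalid host name length: {}", host.len()));
            }
            req.push(ATYP_DOMAIN);
            req.push(host.len() as u8);
            req.extend_from_slice(host.as_bytes());
        }
    }
    req.extend_from_slice(&port.to_be_bytes()); // DST.PORT in network byte order
    Ok(req)
}

fn main() {
    // Constructed sample targets.
    println!("{:02x?}", encode_connect("example.com", 443).unwrap());
    println!("{:02x?}", encode_connect("192.0.2.1", 80).unwrap());
}
```

When reviewing a capture of the client-to-proxy stream, the fourth byte of the request tells you which side did the resolution: 0x03 means the proxy did.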