GFW can use content filtering and port scans to detect proxies, then block their IPs.
Solution
Encrypt connections to the proxy!
Problem
Even with encrypted connections, GFW still manages to find our proxies, port scan them and block them. At least part of the problem is how to distribute the IP addresses to legitimate users without also distributing them to GFW agents.
Solution
Make our traffic look like something that the GFW doesn't want to block for economic reasons. This is known as Collateral Freedom.
Domain Fronting
Pioneered by GoAgent and used amongst others by Tor's Meek transport, domain fronting hides traffic to the proxy inside connections to "legitimate" websites.
Exploits the fact that Content Delivery Networks (CDNs) are basically large, shared reverse proxies.
Requires a local proxy to be installed on the client's machine because browsers don't know how to domain-front.
Problem
That's cool, but real YouTube traffic is HTTPS, meaning it's carried over TLS. So, the Client Proxy can't see the browser's requests.
Solution
Instead of using straight HTTP, encapsulate HTTP/TLS inside HTTP.
Enhancement
Support full-duplex operation!
Great, but ...
You said something about using Go?
net + http + crypto = love
- Performant (non-blocking I/O)
- Easy (synchronous calling semantics)
- Highly composable (net.Conn and http.Handler)
- Excellent HTTP support (net/http)
- Great concurrency primitives
- Ethos of simplicity
idletiming
- idle timeouts for net.Conn and net.Listener
- proxies need idle timeouts for disappearing clients
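A sketch of the idle-timeout idea as a net.Conn wrapper. This is an added example, not code from the idletiming package or from the talk; the names idleConn, withIdleTimeout and drain are hypothetical, and the in-memory net.Pipe pair stands in for a client that goes silent without closing.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"time"
)

// idleConn (hypothetical name) pushes the deadline forward after every
// successful Read or Write, so it only fires once the peer has gone quiet.
type idleConn struct {
	net.Conn
	idle time.Duration
}

func withIdleTimeout(c net.Conn, idle time.Duration) net.Conn {
	c.SetDeadline(time.Now().Add(idle))
	return &idleConn{Conn: c, idle: idle}
}

func (c *idleConn) touch(n int, err error) (int, error) {
	if n > 0 {
		c.Conn.SetDeadline(time.Now().Add(c.idle))
	}
	return n, err
}
func (c *idleConn) Read(p []byte) (int, error)  { return c.touch(c.Conn.Read(p)) }
func (c *idleConn) Write(p []byte) (int, error) { return c.touch(c.Conn.Write(p)) }

// drain reads until the connection fails, closes it, and reports the bytes
// received and whether the failure was the idle deadline (not a peer close).
func drain(c net.Conn) (int, bool) {
	defer c.Close()
	buf, total := make([]byte, 512), 0
	for {
		n, err := c.Read(buf)
		total += n
		if err != nil {
			return total, errors.Is(err, os.ErrDeadlineExceeded)
		}
	}
}

func main() {
	client, server := net.Pipe() // constructed in-memory connection pair
	go client.Write([]byte("ping")) // then the client disappears, no Close
	fmt.Println(drain(withIdleTimeout(server, 100*time.Millisecond)))
}
```

Without the wrapper, the Read in drain would block forever on the vanished client and the proxy would leak one goroutine and one connection per disappearing client.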
tlsdialer
- disable SNI in handshake (reqd. for some CDNs)
- timings for network ops
fronted
- provides dialer for client-side use
- supplied to enproxy to dial to CDN
- provides server-side proxy based on enproxy.Proxy