initial commit

Author: dumbasPL

.dockerignore

@@ -0,0 +1,5 @@
+.*
+node_modules/
+Dockerfile
+README.md
+docker-compose.yml

.github/workflows/build.yml

@@ -0,0 +1,61 @@
+name: Docker build
+
+on:
+  push:
+    branches:
+      - master
+    tags:
+      - 'v*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/setup-qemu-action@v3
+
+      - uses: docker/setup-buildx-action@v3
+      
+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      
+      - name: Log in to GitHub Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: docker/metadata-action@v5
+        id: meta
+        with:
+          images: |
+            ${{ vars.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}
+            ghcr.io/${{ github.repository }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+
+      - uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8
+
+      - name: Docker Hub Description
+        uses: peter-evans/dockerhub-description@v4
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          repository: ${{ vars.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}
+          short-description: ${{ github.event.repository.description }}
+          enable-url-completion: true

.gitignore

@@ -0,0 +1,2 @@
+.env
+node_modules/

Dockerfile

@@ -0,0 +1,11 @@
+FROM node:lts-alpine
+
+WORKDIR /app
+
+COPY ./ ./
+
+RUN npm ci 
+
+USER node
+
+CMD ["node", "index.js"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 nezu.cc
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,64 @@
+# niji-proxy
+
+Proxy splitter server. Save data by only proxying the the domains that matter.
+
+## Use case
+
+You have a high quality proxy with limited bandwidth.
+The program using the proxy will try to proxy everything through it 
+(images, scripts, cdn content, etc) but these requests don't actually 
+need to be proxied since almost no CDN is doing any ip filtering.
+By using this project you can save bandwidth by only proxying the domains that matter
+(APIs, auth, etc).
+
+## Limitations
+
+- Only supports HTTP/HTTPS proxies
+- Only filtering by domain (no path filtering, most trafic is encrypted anyway)
+
+## Usage
+
+### Configuration
+
+Configuration is done through environment variables. (.env file is supported)
+
+| Variable | Description | Default | Required |
+|----------|-------------|---------|----------|
+| LISTEN_HOST | Host to listen on | `0.0.0.0` | NO |
+| LISTEN_PORT | Port to listen on | `8080` | NO |
+| GOOD_HOST_REGEX | Regex to match good hosts | - | YES |
+| GOOD_PROXY | Proxy to use for good hosts (matched by regex) | - | YES |
+| BAD_PROXY | Proxy to use for bad hosts (not matched by regex) | - | NO |
+| DEBUG | Enable debug logging | `false` | NO |
+
+#### NOTES
+
+> [!CAUTION]
+> This proxy has not authentication of its own, 
+> do not expose it to the internet if you don't want to become an open proxy!
+> It's designed to be used locally (localhost, docker network, etc)
+
+- if `GOOD_PROXY` has credentials, it will always use them and ignore the credentials from the client
+- if `GOOD_PROXY` has no credentials, it will passthrough the credentials from the client
+- if `BAD_PROXY` has no credentials, no authentication will be used (passthrough not supported to avoid leaking credentials)
+- if `BAD_PROXY` is missing, "bad" connections will be made directly to the target host (no proxy)
+- `DEBUG` will expose credentials in the logs, use with caution
+
+#### Example
+
+```env
+LISTEN_HOST=127.0.0.1
+LISTEN_PORT=8080
+GOOD_HOST_REGEX=^api\.
+GOOD_PROXY=http://user:pass@good-proxy-server:8080
+BAD_PROXY=http://bad-proxy-server:8080
+```
+
+### Running
+
+```bash
+git clone https://github.com/dumbasPL/niji-proxy.git
+cd niji-proxy
+# Create .env file with the configuration
+
+# Using docker

docker-compose.yml

@@ -0,0 +1,17 @@
+services:
+  niji-proxy:
+    # image: dumbaspl/niji-proxy
+    build:
+      context: .
+      dockerfile: Dockerfile
+    ports:
+      - "127.0.0.1:8080:8080"
+    # use .env file
+    env_file:
+      - .env
+    # or use environment
+    # environment:
+    #   - GOOD_HOST_REGEX=
+    #   - GOOD_PROXY=
+    #   - BAD_PROXY=
+    #   # - DEBUG=1

index.js

@@ -0,0 +1,144 @@
+import 'dotenv/config';
+import { Server } from "proxy-chain";
+
+console.log("Starting... (hint: use DEBUG=1 to enable debug messages)");
+
+const {
+  LISTEN_HOST = "0.0.0.0",
+  LISTEN_PORT = "8080",
+  GOOD_HOST_REGEX,
+  GOOD_PROXY,
+  BAD_PROXY,
+  DEBUG: ENV_DEBUG,
+} = process.env;
+
+/** @type {<T>(fn: () => T, message: string) => T} */
+const TRY = (fn, message) => {
+  try {
+    return fn();
+  } catch (error) {
+    console.error(message);
+    process.exit(1);
+  }
+}
+
+/** @type {(condition: any, message: string, warn?: boolean) => void} */
+const CHECK = (condition, message, warn) => {
+  if (!condition) {
+    if (warn === true) {
+      console.warn(message);
+      return;
+    }
+    console.error(message);
+    process.exit(1);
+  }
+}
+
+CHECK(!!GOOD_HOST_REGEX, "GOOD_HOST_REGEX is required");
+
+const listenHost = LISTEN_HOST;
+const listenPort = parseInt(LISTEN_PORT);
+const goodHostRegex = TRY(() => new RegExp(GOOD_HOST_REGEX), "GOOD_HOST_REGEX must be a valid regular expression");
+const goodProxy = TRY(() => new URL(GOOD_PROXY), "GOOD_PROXY must be a valid URL");
+const badProxy = TRY(() => BAD_PROXY ? new URL(BAD_PROXY) : null, "BAD_PROXY must be a valid URL");
+
+CHECK(listenPort >= 0 && listenPort <= 65535, "LISTEN_PORT must be a valid port number");
+CHECK(!/(?<!\\)\./.test(goodHostRegex), "GOOD_HOST_REGEX contains unescaped dot (.) character(s) (aka. wildcards). Make sure this is intentional! If not, escape them with a backslash (\\)", true);
+CHECK(/https?/.test(goodProxy.protocol), "GOOD_PROXY must be an HTTP or HTTPS proxy URL");
+
+CHECK(badProxy != null, "BAD_PROXY is missing. Using direct connection instead", true);
+if (badProxy) {
+  CHECK(/https?/.test(badProxy.protocol), "BAD_PROXY must be an HTTP or HTTPS proxy URL");
+  CHECK(badProxy.username || badProxy.password, "no authentication provided for BAD_PROXY. BAD_PROXY will be used without authentication", true);
+}
+
+const goodProxyHasAuth = !!(goodProxy.username || goodProxy.password);
+if (goodProxyHasAuth) {
+  console.warn("GOOD_PROXY will use the provided authentication and ignore any authentication provided by the client");
+} else {
+  console.warn("no authentication provided for GOOD_PROXY. GOOD_PROXY will use authentication from provided by the client");
+}
+
+const DEBUG = (...message) => {
+  if (ENV_DEBUG && ENV_DEBUG !== "0" && ENV_DEBUG !== "false") {
+    console.debug(...message);
+  }
+}
+
+DEBUG('config', {
+  listenHost,
+  listenPort,
+  goodHostRegex,
+  goodProxy: goodProxy.href,
+  badProxy: badProxy?.href ?? null,
+  goodProxyHasAuth,
+})
+
+const server = new Server({
+  host: listenHost,
+  port: listenPort,
+  prepareRequestFunction: ({ hostname, username, password, connectionId }) => {
+    if (!goodHostRegex.test(hostname)) {
+      DEBUG(`${connectionId}: ${hostname} used ${badProxy ? "bad proxy" : "direct connection"}`);
+      return {
+        requestAuthentication: false,
+        upstreamProxyUrl: badProxy?.href ?? undefined,
+      };
+    }
+    if (goodProxyHasAuth) {
+      DEBUG(`${connectionId}: ${hostname} used good proxy with predefined authentication`);
+      return {
+        requestAuthentication: false,
+        upstreamProxyUrl: goodProxy.href,
+      };
+    }
+    if (!username && !password) {
+      DEBUG(`${connectionId}: ${hostname} missing authentication`);
+      return {
+        requestAuthentication: true,
+        failMsg: "No authentication provided",
+      };
+    }
+    const proxyUrl = new URL(goodProxy.href);
+    proxyUrl.username = username;
+    proxyUrl.password = password;
+    DEBUG(`${connectionId}: ${hostname} used good proxy with provided authentication ${username}:${password}`);
+    return {
+      requestAuthentication: false,
+      upstreamProxyUrl: proxyUrl.href,
+    };
+  },
+});
+
+server.listen().then(() => {
+  console.log(`Listening on ${server.host ?? '0.0.0.0'}:${server.port}`);
+});
+
+// ctrl+c handler
+let closing = false;
+async function close() {
+  if (closing) {
+    console.log('Forcing exit...');
+    await server.close(true);
+    process.exit(1);
+  }
+
+  console.log('Closing server...');
+  closing = true;
+  await server.close();
+  process.exit(0);
+}
+process.on('SIGINT', close);
+process.on('SIGTERM', close);
+
+// unhandled rejection handler
+process.on('unhandledRejection', (reason, promise) => {
+  console.error('Unhandled Rejection at:', promise, 'reason:', reason);
+  process.exit(1);
+});
+
+// uncaught exception handler
+process.on('uncaughtException', (error) => {
+  console.error('Uncaught Exception thrown', error);
+  process.exit(1);
+});