serverless-proxy is a serverless WebSockets and HTTP2 to TCP proxy. Runs out-of-the-box on Cloudflare Workers and Deno Deploy.
h2.js pipes the incoming readable Request.body stream from the client to the outgoing writable stream of a TCP socket (created via cloudflare:socket or Deno.connect) to a client-specified destination. The readable stream of the destination socket is piped on via Response.body back to the client.
ws.js transforms WebSockets events into readable (via WebSocket.onmessage) and writable (WebSocket.send) streams. The readable side of the WebSocket is piped into the outgoing writable stream of the TCP socket to a client-specified destination (as above), whilst the writable side of the WebSocket is piped into the readable stream of the TCP socket.
The transport and destination are conveyed by the client via the URL. This means no multiplexing, i.e. one destination per h2 / ws connection. Not multiplexing on top of doing TCP-in-TCP is really poor, but we'll endure until a better alternative presents itself (like QUIC, specifically MASQUE, for example).
The URL for h2 (HTTP2) and ws (WebSockets) full-duplex tunnels to connect to a hostname:port over TCP is of the form https://<sub.domain.workers.dev>/[h2|ws]/<sig>/<hostname>/<port>. An example client implementation is available in Deno for h2 and Go for ws.
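A strict server-side parse of the URL form above, as an added example (it is not the project's svc.js or auth.js code). The function name, the result shape and the rule that destinations are DNS names or IPv4 literals are assumptions; sig is passed through as an opaque value because this page does not describe how it is verified.

```javascript
// Added example: strict parser for /[h2|ws]/<sig>/<hostname>/<port>.
// parseTunnelUrl and its result shape are hypothetical, not project APIs.
const TRANSPORTS = new Set(["h2", "ws"]);
// Assumption: one DNS label (also matches each octet of an IPv4 literal).
const LABEL = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

function parseTunnelUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return { ok: false, reason: "not a URL" };
  }
  // The URL parser has already resolved "." and ".." segments, so the
  // segment count below is taken on the normalized path.
  const parts = u.pathname.split("/").slice(1);
  if (parts.length !== 4) return { ok: false, reason: "expected 4 path segments" };
  const [transport, sig, hostname, portStr] = parts;
  if (!TRANSPORTS.has(transport)) return { ok: false, reason: "unknown transport" };
  // sig is opaque here; checking it is the job of the auth step.
  if (sig.length === 0) return { ok: false, reason: "missing sig" };
  const labelsOk = hostname.split(".").every((l) => LABEL.test(l));
  if (hostname.length === 0 || hostname.length > 253 || !labelsOk) {
    return { ok: false, reason: "bad hostname" };
  }
  // Digits only, no leading zero, then range-check: 1..65535.
  if (!/^[1-9][0-9]{0,4}$/.test(portStr)) return { ok: false, reason: "bad port" };
  const port = Number(portStr);
  if (port > 65535) return { ok: false, reason: "bad port" };
  return { ok: true, transport, sig, hostname: hostname.toLowerCase(), port };
}

// Constructed sample URLs (placeholder host and sig, not real deployments).
const samples = [
  "https://proxy.example.workers.dev/h2/SIG-PLACEHOLDER/example.com/443",
  "https://proxy.example.workers.dev/ws/SIG-PLACEHOLDER/example.com/65536",
  "https://proxy.example.workers.dev/h2/SIG-PLACEHOLDER/example.com%2F../443",
];
for (const s of samples) console.log(s, JSON.stringify(parseTunnelUrl(s)));
```

Rejecting anything that is not exactly four well-formed segments keeps percent-encoded separators and out-of-range ports from ever reaching the socket connect call.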
In terms of server code, the flow is: source (h2 / ws) <-> src/server-[workers|deno].js <-> svc.js <-> auth.js <-> h2.js / ws.js <-> destination
The design of this proxy is similar to (but not compliant with) probe-resistant httpt.
# clone the repository
# install Wrangler CLI (globally)
npm i wrangler@3 -g
# wrangler auth, if necessary
# deploy the code
wrangler deploy
# tunnel with a WHATWG Stream compliant
# client (node, deno, etc), or with websockets
# test websocket proxy with go 1.19 or later
cd ./go
go run ./h1h2.go
# test h2 proxy with deno v1.29+ or node v19+
cd ./test
./test.js
This proxy is deployed to production at https://ken.rethinkdns.com/ for anti-censorship and anti-surveillance purposes by the Rethink Open Source Project. We are a team of 3 engineers working full-time on a suite of open source tools to help people reclaim their privacy and security on Android.
- The telegram community is super active and full of crypto-bros. Kidding. We are generally a welcoming bunch. Feel free to get in touch: t.me/rethinkdns.
- Or, if you prefer Matrix (which is bridged to Telegram).
- Or, email us: hello@celzero.com (we read all emails immediately and reply once we fix the issues being reported).
- We regularly hang out in our subreddit: r/rethinkdns.
- We're also kind of active on the bird app, mostly nerd-sniping other engs or shit-posting about our tech stack: twitter/rethinkdns.
This project's initial development was sponsored by FOSS United.