NaiveProxy installation tutorial NaiveProxy high-speed hidden proxy tool

NaiveProxy, a new generation of high-speed proxy tools, NaiveProxy tutorial

During installation Before, we first need to understand what NaiveProxy is. With the update of network technology, some traditionalTools are gradually being eliminated, and the reasons for their elimination are self-evident. At the same time, a number of new technologies have emerged. Let’s learn more about what NaiveProxy is. A powerful and magical proxy tool..

What is NaiveProxy

NaiveProxy, called NaïveProxy in Norwegian, translated into Chinese: "Naive Proxy", was founded by klzgrad A new type of network proxy technology developed by the master, which usesThe network stack is used to disguise traffic, with strong privacy protection capabilities and low detectability. Reusing the Chrome network stack is the best practice to ensure performance and security.

NaiveProxy 安装教程 NaiveProxy 高速隐匿的代理工具-1NaiveProxy is Caddy Web The forward proxy plug-in is so powerful. So what is Caddy?

What is Caddy

Caddy is an open source web server written in Golang that supports HTTP/2. It uses the Golang standard library to provide HTTP functionality. A notable feature of Caddy is that HTTPS is enabled by default. It is the first web server to provide HTTPS features without additional configuration.

Author Matt Holt started developing Caddy in December 2014 and released the first version in April 2015. In the year since its release, it has been downloaded more than 20,000 times and received 4,500 stars on GitHub.

Caddy supports various Web technologies, provides statically compiled binaries, and supports i386, amd64 and ARM architectures. ,,, and BSD operating systems.

Caddy Fast and scalable multi-platform HTTP/3 web server with automatic HTTPS

Caddy official website:https://caddyserver.com/

GitHub project address:https://github.com/caddyserver/caddy

NaiveProxy 安装教程 NaiveProxy高速隐匿的代理工具

I won’t introduce much about Caddy. Netizens who want to know more about Caddy can visit the Caddy official website and project page to check it out. Let’s continue talking about NaiveProxy

What is the difference between NaiveProxy and other tools?

NaïveProxy uses Chromium's network stack to disguise traffic with strong censorship resistance and low detectability. Reusing Chrome's stack also ensures best practices in performance and security.

Cronet is a library similarly derived from Chromium's networking stack, but its official version is limited to Android and iOS. The Cronet fork of NaïveProxy provides binary versions of its native API, supports multiple platforms, and supports the creation of Go applications using cgo and cronet-go bindings.

Using Chromium's network stack can mitigate the following traffic attacks:

  • Site fingerprinting/traffic classification: Mitigated by traffic re-multiplexing in HTTP/2.
  • TLS parameter fingerprinting: Failure by reusing Chrome's network stack.
  • Active probing: Defeated by application frontends, i.e. hiding the proxy server behind a common frontend server with application layer routing.
  • Length-based traffic analysis: Mitigated by length padding.

 

NaiveProxy uses Chrome's network stack, and regular HTTP/2 traffic between Chrome and standard frontends (such as Caddy, HAProxy) is exactly the same. The frontend also reroutes unauthenticated user and activity probes to the backend HTTP server, making it impossible to detect the presence of the proxy.

The front-end server can be any well-known reverse proxy capable of routing HTTP/2 traffic based on the HTTP Authorization header, thereby preventing active detection of the presence of the proxy. Known ones include Caddy with the forwardproxy plugin and HAProxy.

Nowadays, mainstream proxy tools use http/1.1 for TLS, and the transmission protocols used by NaiveProxy are http2 and http3.

The difference between http2 and http1

HTTP/1.1 uses a text-based format, with various text expressions and scenarios, and insufficient robustness. HTTP/2 uses binary format, with only combinations of 0 and 1. Binary transmission is selected, and the protocol parsing implementation is convenient and robust.
HTTP connections adjust themselves over time, initially limiting the maximum speed of the connection and increasing the transfer speed over time if data is transferred successfully. This adjustment is called TCP slow start. This adjustment makes bursty and short-lived HTTP connections very inefficient. HTTP/2 allows all data streams to use the same connection through multiplexing, effectively using TCP connections, so that high bandwidth can truly serve the performance improvement of HTTP.
HTTP/2 adds binary framing between the application layer and the transport layer, breaking through the performance limitations of HTTP/1.1, improving transmission performance, and achieving low latency and high throughput.
HTTP/2 uses the HPACK algorithm to compress the header field of each request connection, reducing network overhead. The HPACK algorithm can reduce the size of the header fields that need to be transmitted. Both communicating parties establish and maintain a header field table. In the field table, smaller index numbers are used to represent repeated strings. Huffman coding is used to compress the data, which avoids repeated header fields. The transmission also reduces the size that needs to be transmitted.

What are the key features of HTTP/2?

binary framing
At the heart of all performance enhancements in HTTP/2 lies the new binary framing layer, shown in the figure below. It is the foundation for all other features and performance optimizations and defines how HTTP messages are encapsulated and transmitted between the client and server.
NaiveProxy 安装 高速隐匿的代理工具-1
HTTP/2 does not change the application semantics of HTTP. It still uses HTTP request methods, status codes, header fields and other rules. It mainly modifies the message transmission format of HTTP. The HTTP/1.1 protocol uses newlines as delimiters for plain text, while HTTP/2 divides all transmitted information into smaller messages and frames and encodes them in a binary format. These frames correspond to messages in a specific data stream. , they are all multiplexed within a TCP connection.

Prioritization
By decomposing an HTTP message into many independent frames, it is possible to reuse frames in multiple data streams, and the order in which the client and server interleave the sending and transmission of these frames becomes a key performance determinant. HTTP/2 allows each data flow to have an associated weight and dependency. The combination of data flow dependencies and weights clearly expresses resource priority, a key feature for improving browsing performance. The HTTP/2 protocol also allows clients to update these priorities at any time, and we can change dependencies and redistribute weights based on user interaction and other signals, which further optimizes browser performance.

header compression
Each HTTP request or response carries header information to describe resource attributes. HTTP/1.1 uses the form of text to transmit message headers. Each time a cookie is carried in the message header, hundreds to thousands of bytes need to be repeatedly transmitted, which takes up a lot of resources.

HTTP/2 uses the HPACK algorithm to compress header fields. This compression format encodes the transmitted header fields and reduces the size of the header fields. At the same time, index tables are maintained at both ends to record the header fields that have appeared. Later, during the transmission process, the index numbers of the recorded header fields can be transmitted. After the opposite end receives the data, it can find the corresponding one through the index number. value.

Multiplexing
Multiplexing allows multiple request-response messages to be initiated simultaneously through a single HTTP/2 connection, achieving multi-stream parallelism without relying on multiple TCP connections. HTTP/2 reduces the basic unit of HTTP protocol communication into frames one by one. , these frames correspond to messages in the logical stream, and messages are exchanged bidirectionally on the same TCP connection in parallel.

HTTP/2 is based on the binary framing layer. HTTP/2 can send requests and responses simultaneously on the basis of a shared TCP connection. HTTP messages are decomposed into independent frames, sent out interleaved without destroying the semantics of the message itself, and reassembled at the other end based on the stream identifier and headers. Through multiplexing technology, the message header blocking problem of the old version of HTTP can be avoided and the transmission performance can be greatly improved.

HTTP/2 server push
A powerful new feature of HTTP 2.0 is that the server can send multiple responses to a client request. The server pushes resources to the client without explicit request from the client. The server returns multiple responses in advance and pushes additional resources to the client based on the client's request. As shown in the figure below, the client requests stream 1, and the server pushes stream 2 and stream 4 while returning the message of stream 1.
NaiveProxy 安装 高速隐匿的代理工具-2
Server push is a mechanism for sending data before the client requests it. In HTTP/2, the server can send multiple responses to a client's request. If a request is sent from your homepage, the server may respond with the homepage content, logo, and style sheets because the server knows that the client will use these things. This not only reduces redundant data transmission steps, but also speeds up page response and improves user experience.

What is HTTP3

HTTP/3 is the third major version of the HTTP protocol. Unlike its predecessors HTTP/1.1 and HTTP/2, in HTTP/3, the TCP protocol will be abandoned and instead implemented using the QUIC protocol based on the UDP protocol.

This change is mainly to solve the head-of-line blocking problem that exists in HTTP/2. Since HTTP/2 uses multiplexing on a single TCP connection, affected by TCP congestion control, a small amount of packet loss may cause all flows on the entire TCP connection to be blocked.

QUIC (Quick UDP Network Connection) is an experimental network transport protocol developed byDeveloped, this protocol is designed to make web page transfers faster. In a mailing list discussion on October 28, 2018, Mark Nottingham, chairman of the Internet Engineering Task Force (IETF) HTTP and QUIC working group, made a formal request to rename HTTP-over-QUIC to HTTP/3 , to "clearly identify it as another binding for HTTP semantics...so that people understand how it differs from QUIC" and, once the draft is finalized and published, the QUIC working group will be inherited from the HTTP working group. [In the following days of discussion, Mark Nottingham's proposal was accepted by IETF members, who gave official approval in November 2018, recognizing HTTP-over-QUIC as HTTP/3.

In September 2019, HTTP/3 support was added to Cloudflare and Google Chrome (Canary build). Nightly support will be added after fall 2019.

On June 6, 2022, IETF officially standardized HTTP/3 as RFC9114.

NaiveProxy 安装 高速隐匿的代理工具-1

http3, based on udp's quic protocol, UDP is "connectionless" and does not require "handshakes" and "waves" at all, so it is faster than TCP. At the same time, because naiveproxy reuses Chrome's network stack, it achieves complete hiding of traffic and at the same time obtains the high-speed transmission of http3.

NaiveProxy setup

Closer to home, let’s build a naiveproxy service. The naiveproxy will directly enable the quic protocol of http3. Don’t worry about the 443 port being occupied. The UDP and TCP ports do not conflict.

NaiveProxy project address:https://github.com/klzgrad/naiveproxy

NaiveProxy building steps

  • Build NaiveProxy server (Caddy) on the server side
  • Build a NaiveProxy client locally

Preparations before setting up NaiveProxy

NaiveProxy uses TLS traffic, so you need to apply for a domain name and register the domain name first.

Free registration of foreign domain names: .tk .ml .ga .cf .gq

then apply let's encrypt Free TLS certificate.

Free application for SSL certificate robot: Certbot quickly applies for automatic renewal of https domain name certificate

Secondly, you need an independent cloud host. If you don’t have a free cloud host yet, you can go,cloud,Cloud.

Recommended Use, 100G traffic per month, free for one year.Apply for AWS EC2 Amazon cloud server for free

Install Go language

Go official website download address:https://go.dev/dl/

Go language installation tutorial:Install Go language and build Go language development environment

Before installing, first use lscpu Check out the server's CPU architecture.

intel and The manufacturer uses a CPU based on the X86 architecture, the X86 architecture uses a complex instruction set, that is, the instruction is completed in one step, while the arm uses a simplified instruction set, that is, the instruction is completed by several instructions.
The X86 architecture has good performance, but consumes a lot of power and has high voltage. It is mainly used for desktops and servers.
However, the ARM architecture consumes less power and has a lower voltage, but its single-core performance is not as good as that of X86. It is mainly used in mobile devices.
In recent years, the X86 architecture has developed slowly, while the ARM architecture has made significant progress, and has moved from mobile devices to desktop computers and servers, such as m1 chips.

Arm architecture CPU: https://go.dev/dl/go1.19.2.linux-arm64.tar.gz

x86 architecture CPU: https://go.dev/dl/go1.19.2.linux-amd64.tar.gz

Download the go language installation package on the server, and then extract it to /usr/local/ in the directory.

wget https://go.dev/dl/go1.19.linux-amd64.tar.gz tar -zxvf go1.19.linux-amd64.tar.gz -C /usr/local/

Go language can be decompressed without installation. After decompression, /etc/profile Add variables to the file.

echo export PATH=$PATH:/usr/local/go/bin >> /etc/profile source /etc/profile go version

Use after installation go version Command to check whether the installation is successful

If the GO language version can be displayed normally, it means the installation has been successful.

Install NaïveProxy and Caddy

Naiveproxy is a web service proxy tool, which is essentially different from VPN. Naiveproxy needs to be used with a forward proxy server, while caddy is an HTTPS server with automatic TLS function.

Execute the following installation command. Before installation, you need to ensure that the network from the server to github is smooth. Compilation takes a certain amount of time, and server CPU performance is critical, so please be patient.

Note: forwardproxy is a third-party plug-in, which is not included in caddy itself. The following is caddy that integrates forwardproxy and naive.

Be sure to install caddy with forwardproxy and naive plug-ins, otherwise you need to install these two caddy plug-ins separately.

Can be used after installationcaddy list-modules | grep forward_proxycommand to view.

xcaddy project address:https://github.com/caddyserver/xcaddy

go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest ~/go/bin/xcaddy build --with github.com/caddyserver/forwardproxy@caddy2=github.com/klzgrad/forwardproxy@naive cp caddy /usr/ bin/ /usr/bin/caddy version setcap cap_net_bind_service=+ep /usr/bin/caddy # uses the setcap command to set /usr/bin/caddy. Non-ROOT users can start ports below 1024.

Note: You can use this command setcap -r /usr/bin/caddy Clear additional permissions.

After the compilation is completed, copy the caddy folder to the /usr/bin directory, and then check whether the compilation is successful. If the version number is displayed, the compilation has been successful.

Optimize BBR acceleration module

The new version of Linux system comes with the BBR acceleration module, so you can directly execute the following command to enable the original BBR acceleration. The command is as follows:

bash -c 'echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf' bash -c 'echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf' sysctl -p

Configure caddy

After the above is installed, next configure caddy

First, resolve the domain name A record to the IP address of the server where it is located. Then apply for an SSL domain name certificate.

# Create a new directory to store Caddyfile mkdir /etc/caddy/ # Use the VI command to create a new Caddyfile configuration file vi /etc/caddy/Caddyfile in the /etc/caddy/ directory

To generate a strong password, enter the following command on the serverA strong password.

cat /dev/urandom | tr -dc a-zA-Z0-9 | head -c32; echo;

Using the template below, make the following changes:

  • Replace yourname with the username of your choice for NaiveProxy authentication.
  • Replace pass with a strong password generated for you, or create a custom password.
  • Replace example.com with your domain name and hostname
  • Replace youremail@example.com with your actual email address to receive Let's Encrypt notifications

Caddy has two ways to establish a proxy website on the server. One is to save the web website files on the server, and the other is to reverse proxy to other websites.

If you want to create a multi-user version of Naive, you can copy the forward_proxy module. Just change the user password in basic_auth to another one.

Create a new web site on the server:

:443, example.com tls youremail@example.com route { forward_proxy { basic_auth yourname pass hide_ip hide_via probe_resistance } file_server { root /var/www/html } }

Reverse proxy domain name to other website addresses:

:443, example.com tls youremail@example.com route { forward_proxy { basic_auth yourname pass hide_ip hide_via probe_resistance } reverse_proxy https://example2.com { header_up Host {upstream_hostport} } }

caddy official reverse proxy documentation:https://caddyserver.com/docs/caddyfile/directives/reverse_proxy

Several ways to configure a domain name SSL certificate:

  1. Manual application to the certificate issuer
    Manually apply for a certificate from the certificate issuer, and then specify the certificate and key file paths in the Caddy configuration:
    tls /path/example.com.crt /path/example.com.key
  2. Host automatic application method
    If the target domain name (for example: example.com) has been resolved to the local machine, Caddy2 will try to automatically apply for a certificate through ACME HTTP after startup (the default certificate issuer is let's encrypt).
    Advantages: simple configuration,
    The syntax is as follows. The following email parameter is to inform the CA of the applicant's email address.
    tls email
  3. dns automatic application method
    Let's encrypt is provided through domain name service providersRecord the API to verify our ownership of the domain name.
    Advantages: No public IP address is required, verification can be completed through DNS resolution records; In addition, if the website has CDN enabled, this method must be used.
    Disadvantages: Configuration is cumbersome, you need to set some environment variables, and you also need to download the plug-in corresponding to the DNS service provider (the plug-in simplifies the process of caddy calling the DNS service provider API). Syntax in caddyfile:
    tls {

    }

After modifying the configuration file, start caddy. Before starting caddy, you need to format the configuration file first, otherwise an error will be reported. Use caddy fmt –overwrite “/etc/caddy/Caddyfile” Order

# format configuration file caddy fmt --overwrite /etc/caddy/Caddyfile # start configuration file caddy run --config /etc/caddy/Caddyfile

After entering the domain name in the browser, the website can be opened normally. After caddy is successfully started, next configure the self-startup file and reboot to restart the server.

caddy configuration daemon (starts automatically at boot):https://github.com/klzgrad/naiveproxy/wiki/Run-Caddy-as-a-daemon

Common commands

# Start caddy in the background caddy start --config /etc/caddy/Caddyfile # Start caddy in the frontend caddy run --config /etc/caddy/Caddyfile # Stop caddy stop # reload configuration file caddy reload --config / etc/caddy/Caddyfile # Install the CA certificate to the local directory caddy trust # Format the Caddyfile caddy fmt --overwrite /etc/caddy/Caddyfile # Convert the standard Caddyfile into an equivalent configuration file in json format. This configuration file is generally not used caddy adapt --config /etc/caddy/Caddyfile --pretty

After the server connection is successful, manually create a self-starting configuration file. Be careful not to use the command to start caddy

vi /etc/systemd/system/naive.service

Paste the following into naive.service After file :wq Save and exit vi editing mode.

[Unit] Description=Caddy Documentation=https://caddyserver.com/docs/ After=network.target network-online.target Requires=network-online.target [Service] Type=notify User=root Group=root ExecStart=/ usr/bin/caddy run --environ --config /etc/caddy/Caddyfile ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile TimeoutStopSec=5s LimitNOFILE=1048576 LimitNPROC=512 PrivateTmp=true ProtectSystem= full AmbientCapabilities=CAP_NET_BIND_SERVICE [Install] WantedBy=multi-user.target

After the startup file is created, start caddy:

#daemon-reload loads a new unit configuration file systemctl daemon-reload #enable creates a soft link of the unit configuration file systemctl enable naive #start starts the configuration file systemctl start naive #status checks the current status of the configuration file systemctl status naive

Check the current status of the favorite configuration file. The green light indicates that caddy has been started successfully.

Check if Caddy is listening on ports 80 and 443:

ss -tulpn | grep caddy

You can do this by opening Google Chrome on your PC and accessing your console. For example: https://www.example.com

At this point Naive has been configured. If you like to try different naive configuration files, you can also use the following JSON method to customize the naive configuration file.

Json custom configuration file

View officialJSON configuration structure

In addition to creating a Caddyfile configuration file, you can also convert the Caddyfile configuration file into a json file. The converted json file can be used for temporary testing or as a permanent configuration file by modifying the path in the naive.service file. A custom json configuration file is posted below. Those who like to test can use it for testing.

# /etc/caddy/caddy_server.json { "admin": { "disabled": true }, "apps": { "http": { "servers": { "srv0": { "listen": [ ":443 " ], "routes": [ { "handle": [ { "handler": "subroute", "routes": [ { "handle": [ { "auth_user_deprecated": "username", "auth_pass_deprecated": "password ", "handler": "forward_proxy", "hide_ip": true, "hide_via": true, "probe_resistance": {} } ] }, { "match": [ { "host": [ "Domain name" ] } ] , "handle": [ { "handler": "file_server", "root": "/var/www", "index_names": [ "index.html" ] } ], "terminal": true } ] } ] } ], "tls_connection_policies": [ { "match": { "sni": [ "domain name" ] } } ], "automatic_https": { "disable": true } } } }, "tls": { "certificates": { "load_files": [ { "certificate": "/etc/letsencrypt/live/domain name/fullchain.pem", "key": "/etc/letsencrypt/live/domain name/privkey.pem" } ] } } } }

You also need to pre-format the configuration file before running it, otherwise an error will be reported!

# format configuration file caddy fmt --overwrite "/etc/caddy/caddy_server.json" caddy run --config "/etc/caddy/caddy_server.json"

Configure NaiveProxy client

In addition to the official client provided by NaiveProxy, there are many third-party clients that support NaiveProxy on the Internet, such as Q2ray.

NaiveProxy official client

Naive client supports a wide range of Windows, Linux, Mac, Android, etc. The most important thing is that it supports Openwrt, and the client can be built into the router.

Naive client download address:https://github.com/klzgrad/naiveproxy/releases

Let’s take a look at the client configuration and connection speed of the Windows platform.

Download the Windows version of the client, unzip it, and open it config.json document.

config.json The file is very simple, just five lines of code and two lines of brackets.

  • Listen does not need to be changed. The proxy port of this machine is 1080 by default. You can also change 127.0.0.1 to 0.0.0.0
  • proxy is the user password and domain name of the server set above. If using HTTP3, change https:// to quic://
  • log log file, no need to fill in. If you delete the changed line, the client's DOS window will not display the log.

After the NaiveProxy client is started, a socks5 network proxy needs to be configured before it can be accessed normally using the Google Chrome browser.

Here is a Google Chrome plug-in SwitchyOmega!

Proxy SwitchyOmega

What is SwitchyOmega

Proxy SwitchyOmega makes it easy and fast to manage and switch multiple proxy settings. Search for SwitchyOmega in the Google Chrome App Store and install it directly online. You can also download the installation package and install the Chrome extension application offline from the alternate download address.
Proxy SwitchyOmega alternative download address: https://github.com/FelisCatus/SwitchyOmega/releases

  • Chromium or Chromium-based browser users: Please install from the Chrome App Store.
  • Or users of other Mozilla-based browsers: Please install from Mozilla Add-Ons.

This extension is an upgraded version of SwitchySharp and can replace SwitchyPlus or Proxy Switchy. When SwitchyOmega is first installed, it will check whether SwitchySharp exists, and if so, it will automatically upgrade the settings without manual configuration. If you are using a non-Google Play Store version or cannot upgrade automatically, you can manually export the settings file in SwitchySharp and import it in SwitchyOmega for compatible configuration. Please disable SwitchySharp after upgrading to SwitchyOmega.

If you have any questions, please [right-click] the icon and select "Feedback Issues" in the menu so that the developers can solve it in time.

New features in version 2.x:
* Automatically detect unloaded elements and enable proxy settings with one click through the pop-up menu.
* Support proxy servers that require username and password verification.
* More flexible agent configuration: agent scenario mode, multiple automatic switching modes and multiple rule lists.
* Added a variety of switching condition types and improved the original switching conditions.
* Performance optimization of PAC script generation and switching.
* Brand new options page and drop-down menu for better user experience.
* Many bug fixes and improvements. Test more fully.

Special reminder: Due to Chrome limitations, only one extension can control proxy settings at the same time. Generally speaking, Chrome will give priority to the extension installed later. If SwitchyOmega gains priority during a conflict, it can switch to "system proxy" mode to return priority to other extensions and solve the problem. If the configuration of this extension is overwritten by other proxy-related or advertising-related extensions, the problem cannot be solved and the only way to increase the priority is to reinstall SwitchyOmega.

Accessing through the Google Chrome browser SOCKS5 proxy is very fast. Below we use the Naive service built by Google Cloud Test. On the speed test website, the download and upload speeds are ideal. As for the protection of personal privacy, it is recommended to use the official client, which is simple to configure. If other third-party clients are not configured properly, they may trigger the local operator's network throttling mechanism.

Naive client + Google Chrome + SwitchyOmega browser plug-in finally realizes proxy access to the Internet. I feel that client configuration is a bit cumbersome. As for how concealable it is and whether it can protect personal privacy, this varies from person to person.

Statement: This article is only used for the exchange of Internet technology experience. All content in the article comes from the Internet. This site only collects and organizes technical articles. Protect personal privacy as much as possible without breaking any laws. Don't take chances and use network proxy technology to conduct illegal activities. Almost all your activities on the Internet are transparent.

score

4 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Thank you for your nice informations.

    the forward proxy for caddy seems not support multi users.

    ref:
    https://github.com/caddyserver/forwardproxy/issues/81

    And you say “If you want to build a multi-user version of Naive, you can copy the forward_proxy module. ”

    How do we can it?

    To where can I copy the forward_proxy module?

    I want information to use Naive Proxy for multi users.

    Thank you before.

  2. After following the tutorial, the original wordpress of my vps cannot be accessed. Is there any way to make it compatible? Can you teach me how to adjust the configuration file?