Some minor improvements:

* Single endpoint that supports http/socks proxy (using gost library). This also supports many other types of tunnels/proxies.
* Breakup setup and run logic and make subcommands (using viper/cobra libraries)
* Add optional minimal IAM roles for setup and run commands
* Update dependencies

README.md

@@ -1,10 +1,10 @@
-<b>awslambdaproxy</b> is an [AWS Lambda](https://aws.amazon.com/lambda/) powered SOCKS web proxy. It provides a constantly rotating IP address for your web traffic from all regions where AWS Lambda is available. The goal is to obfuscate your web traffic and make it harder to track you as a user.
+<b>awslambdaproxy</b> is an [AWS Lambda](https://aws.amazon.com/lambda/) powered HTTP/SOCKS web proxy. It provides a constantly rotating IP address for your network traffic from all regions where AWS Lambda is available. The goal is to obfuscate your traffic and make it harder to track you as a user.
 
 ![](/images/overview.gif?raw=true)
 
 ## Features
-* SOCKS5 proxy support with username/password authentication.
-* No special software required. Just configure your system to use a SOCKS proxy.
+* HTTP/HTTPS/SOCKS5 proxy protocols support (including authentication).
+* No special software required. Just configure your system to use a proxy.
 * Each AWS Lambda region provides 1 outgoing IP address that gets rotated roughly every 4 hours. That means if you use 10 AWS regions, you'll get 60 unique IPs per day.
 * Configurable IP rotation frequency between multiple regions.
 * Personal proxy server not shared with anyone else.
@@ -14,7 +14,7 @@
 Current code status: <b>proof of concept</b>. This is the first Go application that I've ever written. It has no tests. It may not work. It may blow up. Use at your own risk.
 
 ## How it works
-At a high level, awslambdaproxy proxies TCP traffic through AWS Lambda regional endpoints. To do this, awslambdaproxy is setup on a publicly accessible host (e.g. EC2 instance) and it handles creating Lambda resources that run a simple SOCKS ([armon/go-socks5](https://github.com/armon/go-socks5)) proxy server. Since Lambda does not allow you to bind ports in your executing functions, the proxy server is bound to a unix socket and a reverse SSH tunnel is established from the Lambda function to the host running awslambdaproxy. Once a tunnel connection is established, all user web traffic is forwarded from port 8080 through this reverse tunnel to the proxy server. Lambda functions have a max execution time of 5 minutes, so there is a goroutine that continuously executes Lambda functions to ensure there is always a live tunnel in place. If multiple regions are specified, user traffic will be routed in a round robin fashion across these regions.
+At a high level, awslambdaproxy proxies TCP/UDP traffic through AWS Lambda regional endpoints. To do this, awslambdaproxy is setup on a publicly accessible host (e.g. EC2 instance) and it handles creating Lambda resources that run a proxy server ([ginuerzh/gost](https://github.com/ginuerzh/gost)). Since Lambda does not allow you to connect to bound ports in executing functions, a reverse SSH tunnel is established from the Lambda function to the host running awslambdaproxy. Once a tunnel connection is established, all user traffic is forwarded through this reverse tunnel to the proxy server. Lambda functions have a max execution time of 5 minutes, so there is a goroutine that continuously executes Lambda functions to ensure there is always a live tunnel in place. If multiple regions are specified, user traffic will be routed in a round robin fashion across these regions.
 
 ![](/images/how-it-works.png?raw=true)
 
@@ -45,36 +45,73 @@ The easiest way is to download a pre-built binary from the [GitHub Releases](htt
 
 ## Usage
 
-1. Copy `awslambdaproxy` binary to a publicly accessible linux host (e.g. EC2 instance). You will need to open the following ports on this host:
+1. Copy `awslambdaproxy` binary to a publicly accessible linux host (e.g. EC2 instance, VPS instance, etc). You will need to open the following ports on this host:
 
-    * Port 8080 - this port listens for user proxy connections and needs to only be opened to whatever your external IP address is where you plan to browse the web.
-    * Alternatively, a more secure option would be to not open any ports and setup a VPN connection to this host. A quick VPN solution for a setup like this may be [algo](https://github.com/trailofbits/algo).
+    * Port 8080 - the default configuration will start a HTTP/SOCKS proxy listener on this port with default user/password authentication. If you don't want to publicly expose the proxy server, one option is to setup your own VPN server (e.g. [dosxvpn](https://github.com/dan-v/dosxvpn) or [algo](https://github.com/trailofbits/algo)), connect to it, and just run awslambdaproxy with the proxy listener only on localhost (-l localhost:8080).
 
-2. On publicly accessible host, run `awslambdaproxy`. You'll need to ensure AWS access key and secret key environment variables are defined. For now, this access key should have AdministratorAccess.
+2. Optional, but I'd highly recommend taking a look at the Minimal IAM Policies section below. This will get you scoped access keys for running setup and run commands. Otherwise, if you don't care about security you can always use an access key with full administrator privileges.
+
+2. Run `awslambdaproxy setup`. 
 
     ```sh
     export AWS_ACCESS_KEY_ID=XXXXXXXXXX
     export AWS_SECRET_ACCESS_KEY=YYYYYYYYYYYYYYYYYYYYYY
-    ./awslambdaproxy -lambda-regions us-west-2,us-west-1,us-east-1,us-east-2
+    ./awslambdaproxy setup
+    ```
+
+3. Run `awslambdaproxy run`. 
+
+    ```sh
+    export AWS_ACCESS_KEY_ID=XXXXXXXXXX
+    export AWS_SECRET_ACCESS_KEY=YYYYYYYYYYYYYYYYYYYYYY
+    ./awslambdaproxy run -r us-west-2,us-west-1,us-east-1,us-east-2
     ```
 
 3. Configure your web browser (or OS) to use the SOCKS5 proxy on the publicly accessible host running `awslambdaproxy` on port 8080.
 
+## Minimal IAM Policies
+* This assumes you have the AWS CLI setup with an admin user
+* Create a user with proper permissions needed to run the setup command. This user can be removed after running the setup command.
+```
+aws iam create-user --user-name awslambdaproxy-setup
+aws iam put-user-policy --user-name awslambdaproxy-setup --policy-name awslambdaproxy-setup --policy-document file://iam/setup.json
+aws iam create-access-key --user-name awslambdaproxy-setup
+{
+    "AccessKey": {
+        "UserName": "awslambdaproxy-setup",
+        "Status": "Active",
+        "CreateDate": "2017-04-17T06:15:18.858Z",
+        "SecretAccessKey": "xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+        "AccessKeyId": "xxxxxxxxxxxxxx"
+    }
+}
+```
+* Create a user with proper permission needed to run the proxy.
+```
+aws iam create-user --user-name awslambdaproxy-run
+aws iam put-user-policy --user-name awslambdaproxy-run --policy-name awslambdaproxy-run --policy-document file://iam/run.json
+aws iam create-access-key --user-name awslambdaproxy-run
+{
+    "AccessKey": {
+        "UserName": "awslambdaproxy-run",
+        "Status": "Active",
+        "CreateDate": "2017-04-17T06:18:27.531Z",
+        "SecretAccessKey": "xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
+        "AccessKeyId": "xxxxxxxxxxxxxx"
+    }
+}
+```
+
 ## FAQ
 1. <b>Should I use awslambdaproxy?</b> That's up to you. Use at your own risk.
 2. <b>Why did you use AWS Lambda for this?</b> The primary reason for using AWS Lambda in this project is the vast pool of IP addresses available that automatically rotate.
 3. <b>How big is the pool of available IP addresses?</b> This I don't know, but I do know I did not have a duplicate IP while running the proxy for a week.
 4. <b>Will this make me completely anonymous?</b> No, absolutely not. The goal of this project is just to obfuscate your web traffic by rotating your IP address. All of your traffic is going through AWS which could be traced back to your account. You can also be tracked still with [browser fingerprinting](https://panopticlick.eff.org/), etc. Your [IP address may still leak](https://ipleak.net/) due to WebRTC, Flash, etc.
 5. <b>How often will my external IP address change?</b> For each region specified, the IP address will change roughly every 4 hours. This of course is subject to change at any moment as this is not something that is documented by AWS Lambda.
 6. <b>How much does this cost?</b> awslambdaproxy should be able to run mostly on the [AWS free tier](https://aws.amazon.com/free/) minus bandwidth costs. It can run on a t2.micro instance and the default 128MB Lambda function that is constantly running should also fall in the free tier usage. The bandwidth is what will cost you money; you will pay for bandwidth usage for both EC2 and Lambda.
-7. <b>Why does my connection drop periodically?</b> AWS Lambda functions can currently only execute for a maximum of 5 minutes. In order to maintain an ongoing HTTP proxy a new function is executed and all new traffic is cut over to it. Any ongoing connections to the previous Lambda function will hard stop after a timeout period. You generally won't see any issues for normal web browsing as connections are very short lived, but for any long lived connections you may see issues.
+7. <b>Why does my connection drop periodically?</b> AWS Lambda functions can currently only execute for a maximum of 5 minutes. In order to maintain an ongoing proxy a new function is executed and all new traffic is cut over to it. Any ongoing connections to the previous Lambda function will hard stop after a timeout period. You generally won't see any issues for normal web browsing as connections are very short lived, but for any long lived connections you may see issues.
 
 # Powered by
-* [go-socks5](https://github.com/armon/go-socks5) - A SOCKS5 proxy written in Go.
+* [gost](https://github.com/ginuerzh/gost) - A simple security tunnel written in Golang.
 * [yamux](https://github.com/hashicorp/yamux) - Golang connection multiplexing library.
-* [goad](https://github.com/goadapp/goad) - Code was borrowed from this project to handle AWS Lambda zip creation and function upload.
-
-# Future work
-* Fix connections dropping each time a new tunnel is established
-* Create minimal IAM policy
-* Refactor code and write tests
+* [goad](https://github.com/goadapp/goad) - Code was borrowed from this project to handle AWS Lambda zip creation and function upload.

cmd/awslambdaproxy/awslambdaproxy.go

@@ -1,106 +1,14 @@
 package main
 
 import (
-	"github.com/dan-v/awslambdaproxy"
-	"flag"
+	"fmt"
 	"os"
-	"strings"
-	"time"
-	"os/user"
-	"log"
-	"strconv"
-)
-
-const (
-	// Max execution time on lambda is 300 seconds currently
-	lambdaMaxFrequencySeconds = 290
-	lambdaMinMemorySize       = 128
-	lambdaMaxMemorySize       = 1536
-	lambdaDefaultMemorySize   = lambdaMinMemorySize
+	"github.com/dan-v/awslambdaproxy/cmd/awslambdaproxy/cmd"
 )
 
 func main() {
-	user, err := user.Current()
-	if err != nil {
-		log.Println("Failed to get current username")
-		os.Exit(1)
-	}
-
-	lambdaRegionsPtr := flag.String("lambda-regions", "us-west-2", "Regions to run proxy " +
-		"(e.g. us-west-2) (can be comma separated list)")
-	lambdaFrequencyPtr := flag.Int("lambda-frequency", lambdaMaxFrequencySeconds, "Frequency in " +
-		"seconds to execute Lambda function.  Max=" + strconv.Itoa(lambdaMaxFrequencySeconds) + ". If multiple " +
-		"lambda-regions are specified, this will cause traffic to rotate round robin at the interval " +
-		"specified here")
-	lambdaMemorySizePtr := flag.Int("lambda-memory", lambdaDefaultMemorySize, "Memory size in MB "+
-		"for Lambda function. Higher memory may allow for faster network throughput.")
-	sshUserPtr := flag.String("ssh-user", user.Username, "SSH user for tunnel connections from Lambda")
-	sshPortPtr := flag.String("ssh-port", "22", "SSH port for tunnel connections from Lambda")
-	proxyPortPtr := flag.String("proxy-port", "8080", "Port to listen for client socks proxy "+
-		"connections")
-	proxyUsernamePtr := flag.String("proxy-username", "admin", "Username for proxy authentication")
-	proxyPasswordPtr := flag.String("proxy-password", "admin", "Password for proxy authentication")
-	flag.Parse()
-
-	if *proxyPortPtr == "" {
-		flag.PrintDefaults()
-		os.Exit(1)
-	}
-	if *lambdaRegionsPtr == "" {
-		flag.PrintDefaults()
-		os.Exit(1)
-	}
-	if *sshUserPtr == "" {
-		flag.PrintDefaults()
-		os.Exit(1)
-	}
-	if *sshPortPtr == "" {
-		flag.PrintDefaults()
-		os.Exit(1)
-	}
-	if *proxyUsernamePtr == "" {
-		flag.PrintDefaults()
-		os.Exit(1)
-	}
-	if *proxyPasswordPtr == "" {
-		flag.PrintDefaults()
-		os.Exit(1)
+	if err := cmd.RootCmd.Execute(); err != nil {
+		fmt.Println(err)
+		os.Exit(-1)
 	}
-
-	// check memory
-	if *lambdaMemorySizePtr > lambdaMaxMemorySize {
-		log.Println("Maximum lambda memory size is " + strconv.Itoa(lambdaMaxMemorySize) + " MB")
-		os.Exit(1)
-	}
-	if *lambdaMemorySizePtr < lambdaMinMemorySize {
-		log.Println("Minimum lambda memory size is " + strconv.Itoa(lambdaMinMemorySize) + " MB")
-		os.Exit(1)
-	}
-	lambdaMemorySize := int64(*lambdaMemorySizePtr)
-
-	// check frequency
-	if *lambdaFrequencyPtr > lambdaMaxFrequencySeconds {
-		log.Println("Maximum lambda frequency is " + strconv.Itoa(lambdaMaxFrequencySeconds) + " seconds")
-		os.Exit(1)
-	}
-	lambdaFrequencySeconds := time.Second * time.Duration(*lambdaFrequencyPtr)
-	lambdaExecutionTimeout := int64(lambdaFrequencySeconds.Seconds()) + int64(10)
-
-	// check for required aws keys
-	access := os.Getenv("AWS_ACCESS_KEY_ID")
-	if access == "" {
-		log.Println("Must specify environment variable AWS_ACCESS_KEY_ID")
-		os.Exit(1)
-	}
-	secret := os.Getenv("AWS_SECRET_ACCESS_KEY")
-	if secret == "" {
-		log.Println("Must specify environment variable AWS_SECRET_ACCESS_KEY")
-		os.Exit(1)
-	}
-
-	// handle regions
-	lambdaRegions := strings.Split(*lambdaRegionsPtr, ",")
-
-	awslambdaproxy.ServerInit(*proxyPortPtr, *sshUserPtr, *sshPortPtr, *proxyUsernamePtr, *proxyPasswordPtr,
-		lambdaRegions, lambdaMemorySize, lambdaFrequencySeconds, lambdaExecutionTimeout)
-}
+}

cmd/awslambdaproxy/cmd/root.go

@@ -0,0 +1,52 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+var cfgFile string
+
+// RootCmd represents the base command when called without any subcommands
+var RootCmd = &cobra.Command{
+	Use:   "awslambdaproxy",
+	Short: "An AWS Lambda powered HTTP/SOCKS web proxy",
+	Long: `awslambdaproxy is an AWS Lambda powered HTTP/SOCKS web proxy.
+It provides a constantly rotating IP address for your network traffic
+from all regions where AWS Lambda is available. The goal is to obfuscate
+your connections and make it harder to track you as a user.`,
+}
+
+// Execute adds all child commands to the root command sets flags appropriately.
+// This is called by main.main(). It only needs to happen once to the rootCmd.
+func Execute() {
+	if err := RootCmd.Execute(); err != nil {
+		fmt.Println(err)
+		os.Exit(-1)
+	}
+}
+
+func init() {
+	cobra.OnInitialize(initConfig)
+}
+
+// initConfig reads in config file and ENV variables if set.
+func initConfig() {
+	if cfgFile != "" { // enable ability to specify config file via flag
+		viper.SetConfigFile(cfgFile)
+	}
+
+	viper.SetConfigName(".awslambdaproxy") // name of config file (without extension)
+	viper.AddConfigPath("$HOME")  // adding home directory as first search path
+	viper.AutomaticEnv()          // read in environment variables that match
+
+	// If a config file is found, read it in.
+	if err := viper.ReadInConfig(); err == nil {
+		fmt.Println("Using config file:", viper.ConfigFileUsed())
+	} else {
+		fmt.Println("Invalid config file", err)
+	}
+}

cmd/awslambdaproxy/cmd/run.go

@@ -0,0 +1,117 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+	"os/user"
+	"github.com/dan-v/awslambdaproxy"
+	"time"
+	"github.com/spf13/viper"
+	"strings"
+	"os"
+	"fmt"
+	"strconv"
+)
+
+var (
+	frequency time.Duration
+	memory int64
+	sshUser, sshPort, regions, listeners string
+	// Max execution time on lambda is 300 seconds currently
+	lambdaMaxFrequency 	  = time.Duration(290 * time.Second) // leave 10 seconds of leeway
+	lambdaMinMemorySize       = 128
+	lambdaMaxMemorySize       = 1536
+)
+
+// runCmd represents the run command
+var runCmd = &cobra.Command{
+	Use:   "run",
+	Short: "Run awslambdaproxy",
+	Long: `This will execute awslambdaproxy in regions specified. Examples:
+
+# Make sure credentials are exported
+export AWS_ACCESS_KEY_ID=XXXXXXXXXX
+export AWS_SECRET_ACCESS_KEY=YYYYYYYYYYYYYYYYYYYYYY
+
+# Example 1 - Execute proxy in four different regions with rotation happening every 60 seconds
+./awslambdaproxy run -r us-west-2,us-west-1,us-east-1,us-east-2 -f 60s
+
+# Example 2 - Choose a different port and username/password for proxy and add another listener on localhost with no auth
+./awslambdaproxy run -r us-west-2 -l "admin:admin@:8888,localhost:9090"
+
+# Example 3 - Increase function memory size for better network performance
+./awslambdaproxy run -r us-west-2 -m 512
+`,
+	Run: func(cmd *cobra.Command, args []string) {
+		aSshUser := viper.GetString("ssh-user")
+		aSshPort := viper.GetString("ssh-port")
+		aRegions := strings.Split(viper.GetString("regions"), ",")
+		aMemory := viper.GetInt64("memory")
+		aFrequency := viper.GetDuration("frequency")
+		aListeners := strings.Split(viper.GetString("listeners"), ",")
+		aTimeout := int64(viper.GetDuration("frequency").Seconds()) + int64(30)
+
+		// check memory
+		if aMemory > int64(lambdaMaxMemorySize) {
+			fmt.Println("Maximum lambda memory size is " + strconv.Itoa(lambdaMaxMemorySize) + " MB")
+			os.Exit(1)
+		}
+		if aMemory < int64(lambdaMinMemorySize) {
+			fmt.Println("Minimum lambda memory size is " + strconv.Itoa(lambdaMinMemorySize) + " MB")
+			os.Exit(1)
+		}
+
+		// check frequency
+		if aFrequency > lambdaMaxFrequency {
+			fmt.Println("Maximum lambda frequency is " + lambdaMaxFrequency.String() + " seconds")
+			os.Exit(1)
+		}
+
+		// check for required aws keys
+		access := os.Getenv("AWS_ACCESS_KEY_ID")
+		if access == "" {
+			fmt.Println("Must specify environment variable AWS_ACCESS_KEY_ID")
+			os.Exit(1)
+		}
+		secret := os.Getenv("AWS_SECRET_ACCESS_KEY")
+		if secret == "" {
+			fmt.Println("Must specify environment variable AWS_SECRET_ACCESS_KEY")
+			os.Exit(1)
+		}
+
+		awslambdaproxy.ServerInit(aSshUser, aSshPort, aRegions, aMemory, aFrequency, aListeners, aTimeout)
+	},
+}
+
+func getCurrentUserName() string {
+	user, _ := user.Current()
+	if user != nil {
+		return user.Username
+	}
+	return ""
+}
+
+func init() {
+	RootCmd.AddCommand(runCmd)
+
+	runCmd.Flags().StringVarP(&regions, "regions", "r",  "us-west-2","Regions to " +
+		"run proxy.")
+	runCmd.Flags().DurationVarP(&frequency, "frequency", "f", time.Duration(time.Second * 260), "Frequency " +
+		"to execute Lambda function.  Maximum is " + lambdaMaxFrequency.String() + ". If multiple " +
+		"lambda-regions are specified, this will cause traffic to rotate round robin at the interval " +
+		"specified here.")
+	runCmd.Flags().Int64VarP(&memory, "memory", "m", 128, "Memory size in MB for Lambda function. " +
+		"Higher memory may allow for faster network throughput.")
+	runCmd.Flags().StringVarP(&listeners, "listeners", "l",  "admin:awslambdaproxy@:8080","Add as many listeners" +
+		"as you'd like.")
+	runCmd.Flags().StringVarP(&sshUser, "ssh-user", "",  getCurrentUserName(),"SSH user for tunnel " +
+		"connections from Lambda.")
+	runCmd.Flags().StringVarP(&sshPort, "ssh-port", "",  "22","SSH port for tunnel " +
+		"connections from Lambda.")
+
+	viper.BindPFlag("regions", runCmd.Flags().Lookup("regions"))
+	viper.BindPFlag("frequency", runCmd.Flags().Lookup("frequency"))
+	viper.BindPFlag("memory", runCmd.Flags().Lookup("memory"))
+	viper.BindPFlag("ssh-user", runCmd.Flags().Lookup("ssh-user"))
+	viper.BindPFlag("ssh-port", runCmd.Flags().Lookup("ssh-port"))
+	viper.BindPFlag("listeners", runCmd.Flags().Lookup("listeners"))
+}