Skip to content
/ shrimp Public

shrimp is a simple forward proxy written in GoLang, that does not decrypt traffic, making it secure and easy to configure. It features a locked-down mode which limits it to a single network interface and IPv6 stack.

License

View license
8 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ipv6rslimited/shrimp

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
util
util
 
 
LICENSE.md
LICENSE.md
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
shrimp.conf
shrimp.conf
 
 
shrimp.go
shrimp.go
 
 
shrimp.png
shrimp.png
 
 
shrimp_test.go
shrimp_test.go
 
 

Repository files navigation

shrimp logo

shrimp

shrimp is a simple forward proxy written in GoLang, that does not decrypt traffic, making it secure and easy to configure. It features a locked-down mode which limits it to a single network interface and IPv6 stack.

See Video

Watch a video.

Backstory

We were packaging an appliance with one of the most popular forward proxy solutions out there, Squid, and things were going smoothly. However, we ran into an obstacle that could not be resolved so easily - disabling dns resolution. We found the answer - that disabling the internal dns is a pre-compile time configuration option. We quickly downloaded the libraries required and built the daemon. This build took quite a long time, and it made us curious.

That's when we began looking deeper - and we realized that for our use case, Squid and it's > 100,000 lines of code was too much to audit. We didn't need inspection, decryption, and all the other wide varieties of use cases Squid incorporates. We thought since we already built delorean which already powers the IPv6rs network, why not just build our own using code from there.

Shrimp only covers 1 of the 100s of brilliant use cases of Squid, but it does it pretty well - it's fast, it's lightweight and staright forward, which makes it easily auditable, just like a shrimp.

Shrimp Features

Don't let shrimp's size fool you. In Brazilian Jiu Jitsu, when you're on your back, the shrimp is the movement to get out from under your opponent, just like shrimp.

  • Forward Proxy for HTTP and HTTPS (yes, websockets works flawlessly too)
  • No decryption/SSL Bumping/etc.
  • Can be locked down to a single interface and IPv6
  • Supports BASIC authentication, bcrypt hashed
  • Utilizes an LRU cache for DNS lookups to improve performance.
  • Highly scalable using goroutines.
  • Super simple configuration
  • IPv4 to ipv6 translation for http://2.2.2.2 type URLs
  • < 700 lines of code so you can read it and see what's going on

Use Case

  • If you're a VPN provider and need a lightweight forward proxy with bcrypt hashed passwords
  • If you're an IPv6rs client and want to make a shared proxy because sharing is caring or plausible deniability
  • If you need a lightweight, super fast forward web proxy

Requirements

  • This runs on linux. It may run on mac, but you can just run it with Cloud Seeder on Windows, Mac and Linux.

Configuration

{
  "listenAddrs": ["[::]:443"],
  "plaintextAddr": "0.0.0.0:3128",
  "lockdownMode": true,
  "ipv6Interface": "wg0",
  "dns64Server": "2606:4700:4700::64",
  "credentialsFile": "/etc/shrimp/passwd",
  "debugMode": false,
  "certFile": "cert.pem",
  "keyFile": "key.pem",
  "dnsCacheCapacity": 100,
  "dnsTTL": 300,
  "ipv4Translator": "visibleip.com",
  "allowedHosts": [".*"],
  "disallowedHosts": [
    "^localhost$",
    "^127\\.0\\.0\\.1$",
    "^10\\.",
    "^172\\.(1[6-9]|2[0-9]|3[0-1])\\.",
    "^192\\.168\\."
  ]
}

You can use visibleip.com as your ipv4Translator as it is run by IPv6rs and is anycasted across 16 different locations. It's nothing special - just running legacydns which helps to create domain names for IP addresses when using IPv6 + NAT64 + dns64.

Lockdown Mode

Most use cases will have lockdown mode off. This makes it run like a standard, but fast, forward web proxy.

However, if you're an IPv6rs user, running this in lockdown mode creates intentional benefits:

  • If connecting via IPv4, you will hop thru a logless reverse proxy called delorean running on an IPv6rs router, then to shrimp and then to the internet.
  • Your connection will be fully contained to the wg0 interface without any potential leakage. Say goodbye to DNS leaks, IP leaks, etc.
  • Some IPv6rs clients may travel and want access to their home IP when browsing, if this is the case just turn lockdown mode off.

Using this

  • FireFox has the FoxyProxy extension which is the easiest way to use shrimp in Firefox since it supports SSL forward web proxies. You don't have to signup for their service to use their extension.
  • Curl has a -x command line option.
  • Chrome doesn't seem to support SSL forward web proxies. Only use in localhost mode.

Tests

$ go test -v shrimp.go shrimp_test.go
=== RUN   TestStripPort
--- PASS: TestStripPort (0.00s)
=== RUN   TestGetHostPort
--- PASS: TestGetHostPort (0.00s)
=== RUN   TestIsIPv4Address
--- PASS: TestIsIPv4Address (0.00s)
=== RUN   TestRemoveAuthHeader
--- PASS: TestRemoveAuthHeader (0.00s)
=== RUN   TestCheckAuth
--- PASS: TestCheckAuth (0.20s)
=== RUN   TestConnectTo
--- PASS: TestConnectTo (0.10s)
=== RUN   TestLookupWithCache
--- PASS: TestLookupWithCache (0.00s)
PASS
ok  	command-line-arguments	0.303s

License

Distributed under the COOL License.

Copyright (c) 2024 IPv6.rs https://ipv6.rs All Rights Reserved

About

shrimp is a simple forward proxy written in GoLang, that does not decrypt traffic, making it secure and easy to configure. It features a locked-down mode which limits it to a single network interface and IPv6 stack.

Resources

Readme

License

View license
Activity
Custom properties

Stars

8 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases

1 tags

Packages

No packages published

Languages