# TCProxy

**TCProxy** is a lightweight and efficient TCP proxy that forwards HTTPS and HTTP traffic transparently based on SNI and host headers. Originally developed to bypass internet censorship, it enables seamless access to blocked websites when combined with a custom DNS resolver.

### Features:
- **Transparent HTTPS/HTTP Forwarding**: Routes traffic based on SNI (for HTTPS) and Host headers (for HTTP) without requiring client-side configuration.
- **Censorship Bypass**: Designed to work with a DNS server that redirects blocked domains to a proxy server.
- **IP Whitelisting**: Restricts access to authorized users, with dynamic whitelist updates.
- **Minimal Overhead**: Lightweight Go implementation with efficient concurrency handling.
- **Customizable Binding**: Allows specifying the listening address and port.

### How It Works:
1. A **custom DNS resolver** is deployed inside a censored region to redirect domains to an external VPS.
2. The **VPS runs TCProxy**, which inspects and forwards traffic to the requested destination.
3. **iptables** is used to transparently redirect all traffic on ports `80` and `443` to `tcproxy`.

### Usage:
```sh
tcproxy -b "0.0.0.0:8443"
```
This starts TCProxy, listening on all interfaces at port 8443.

### Command-line Options:
- `-b, --bind`: Set the address to bind (default: `localhost:8443`).
- `-v, --version`: Display the version.
- `-h, --help`: Show usage instructions.

### Requirements:
- Go 1.16+
- A `whitelist.txt` file for IP-based filtering.

### Installation:
Build from source:
```sh
git clone https://git.behzadan.com/reza/tcproxy.git
cd tcproxy
make
sudo make install
```

### Acknowledgements

- [https://www.agwa.name/blog/post/writing_an_sni_proxy_in_go](https://www.agwa.name/blog/post/writing_an_sni_proxy_in_go)
- [https://www.agwa.name/blog/post/writing_an_sni_proxy_in_go/media/sniproxy.go](https://www.agwa.name/blog/post/writing_an_sni_proxy_in_go/media/sniproxy.go)