0.2.3

Update 'README.md'
npm
2022-12-26 23:41:02 -06:00 · 2022-12-26 23:40:48 -06:00 · 2022-12-26 23:23:19 -06:00 · 2022-12-26 21:57:23 -06:00 · 2022-12-26 20:26:45 -06:00 · 2022-12-24 16:40:45 -06:00
6 changed files with 3503 additions and 3244 deletions
@@ -1,2 +1,3 @@
 node_modules
-keys.sqlite
+keys.sqlite
 .env
@@ -0,0 +1,2 @@
 keys.sqlite
 .env
@@ -0,0 +1,41 @@
 # ActivityPub Proxy
 A brutally-simple proxy for ActivityPub that lets you circumvent instance blocks by masquerading as another domain name. All it does is replace all hostnames in the text proxied through, and for signed POST requests, it swaps the public keys and re-signs the requests.
 Suppose you have a server at *.proxy.example, your handle is @bob@mastodon.one and you want to follow a friend at @alice@mastodon.two, but mastodon.two blocks mastodon.one for irrelevant reasons. You can change the handle to @alice@mastodon-two.proxy.example and theoretically will be able to fully interact with the other user (and vice-versa) by being masqueraded as @bob@mastodon-one.proxy.example. (If the domain has hyphens, replace with double hyphens.)
 The intended usage of this is as an alternative to using alt accounts or moving your account to circumvent whole-server blocks that have nothing to do with you and are unfairly cutting you off from mutuals, despite your particular account being compliant with their rules. Of course, you are entirely responsible for your behavior and compliance whether it's an alt account or a mirror, as there is no practical difference to the other end. ActivityPub Proxy is not intended for nefarious usage.
 The major caveat with this particular implementation is that if you boost or reply to proxied posts, your followers will see and interact with those authors via masquerade as well, causing a bit of a mess. This is unless you limit the usage to whitelisted domains/users, which you will almost definitely have to do or someone will abuse it and get it blocked. In that case, anyone who isn't whitelisted just won't see the boosts.
 ## Installation
 You will need a host with Node.js 15 or newer, and a wildcard domain with HTTPS pointed to your server. Cloudflare may be easiest, as you can bind the app to an extra IP address and connect Cloudflare directly to it.
 Download the repository and `npm i`. Then you can run it with the following environment variables (you can create a .env file).
 - `PORT`: The port to listen for HTTP, default: 80.
 - `BIND_IP`: The IP address to bind to. Default: all.
 - `DOMAIN_WHITELIST`: Comma-separated list of domains that can be proxied. Recommended to use this to prevent abuse as otherwise anyone can proxy anything. Remember to include the domains you want to follow from as well as the domains you want to follow, as it needs to work both ways. Default: any
 - `USER_WHITELIST`: Comma-separated list of usernames that can be proxied (case-sensitive, name only without `@`). Default: any
 - `NODE_ENV`: Set to `development` to see debug logs.
 Install by copying and pasting this example systemd file to `/etc/systemd/system/ap-proxy.service` (or similar), and editing as needed:
 ```systemd
 [Unit]
 Description=Simple ActivityPub Proxy
 Documentation=https://gitea.moe/lamp/activitypub-proxy
 After=network.target
 [Service]
 Environment= PORT=80 BIND_IP=0.0.0.0 DOMAIN_WHITELIST=mastodon.social,mstdn.social
 WorkingDirectory=/path/to/activitypub-proxy/
 ExecStart=/usr/bin/node .
 [Install]
 WantedBy=multi-user.target
 ```
 `systemctl enable --now ap-proxy` and Bob's your uncle.
@@ -1,16 +1,29 @@
-if (process.env.NODE_ENV == "production") console.debug = () => {};
+import * as dotenv from "dotenv";
-var express = require("express");
+dotenv.config();
-require("express-async-errors");
+
-var fetch = require("node-fetch");
+if (process.env.NODE_ENV != "development") {
-var Keyv = require("keyv");
+	process.env.NODE_ENV = "production";
-var crypto = require("crypto");
+	console.debug = () => {};
-var generateKeyPair = require("util").promisify(crypto.generateKeyPair);
+}
 if (process.env.DOMAIN_WHITELIST) var DOMAIN_WHITELIST = process.env.DOMAIN_WHITELIST.split(',').map(x=>x.trim().toLowerCase()).filter(x=>x);
 if (process.env.USER_WHITELIST) var USER_WHITELIST = process.env.USER_WHITELIST.split(',').map(x=>x.trim()).filter(x=>x);
 import express from "express";
 import "express-async-errors";
 import fetch from "node-fetch";
 import Keyv from "keyv";
 import {Sha256Signer, Parser} from "activitypub-http-signatures";
 import * as crypto from "crypto";
 import * as util from "util";
 var generateKeyPair = util.promisify(crypto.generateKeyPair);
 var parser = new Parser();
 var keystore = new Keyv("sqlite://keys.sqlite");
 var app = express();
 app.set("trust proxy", true);
-app.listen(80, "2605:a140:2045:1635:99bc:ddc5:1227:c27c");
+app.listen(process.env.PORT || 80, process.env.BIND_IP);
 app.use(express.text({
 	type: [
@@ -34,102 +47,103 @@ app.use(async (req, res, next) => {
 	if (!req.subdomains[0]) return next();
 	var TARGET_NODE = req.subdomains[0].replaceAll(/(?<!-)-(?!-)/g, '.').replaceAll('--','-');
 	var TARGET_MASQUERADE = req.hostname;
 	var TARGET_REGEXP = new RegExp(`(?<!\\.)${TARGET_NODE.replaceAll('.','\\.')}`, 'gi');
 	var TARGET_MASQUERADE = req.hostname;
 	var TARGET_URL = `https://${TARGET_NODE}${req.url.replaceAll(TARGET_MASQUERADE, TARGET_NODE)}`;
 	if (DOMAIN_WHITELIST && !DOMAIN_WHITELIST.includes(TARGET_NODE)) {
 		console.debug(`target ${TARGET_NODE} blocked by whitelist`);
 		//res.status(403).send(`target ${TARGET_NODE} is not whitelisted`);
 		res.redirect(308, TARGET_URL);
 		return;
 	}
 	var CLIENT_NODE = req.get("User-Agent").match(/(?<=https:\/\/)[a-z0-9-\.]+/i)?.[0];
 	if (CLIENT_NODE) {
 		if (DOMAIN_WHITELIST && !DOMAIN_WHITELIST.includes(CLIENT_NODE)) {
 			console.debug(`client ${CLIENT_NODE} blocked by whitelist`);
 			//res.status(403).send(`client ${CLIENT_NODE} is not whitelisted`);
 			res.redirect(308, TARGET_URL);
 			return;
 		}
 		var CLIENT_REGEXP = new RegExp(`(?<!\\.)${CLIENT_NODE.replaceAll('.','\\.')}`, 'gi');
 		var CLIENT_MASQUERADE = [CLIENT_NODE.replaceAll('-','--').replaceAll('.','-'), ...req.hostname.split('.').slice(-2)].join('.');
 	}
 	var url = `https://${TARGET_NODE}${req.url.replaceAll(TARGET_MASQUERADE, TARGET_NODE)}`;
 	var opts = {method: req.method, headers: {
-		host: TARGET_NODE,
+		"host": TARGET_NODE,
-		date: new Date().toUTCString()
+		"date": new Date().toUTCString(),
 	}};
 	if (req.method == "POST") {
 		var {Sha256Signer, Parser} = await import("activitypub-http-signatures");
 		var parser = new Parser();
 		var signature = parser.parse({url: req.url, method: req.method, headers: req.headers});
 		console.debug({signature});
-		var publicKeyPem = (await keystore.get(signature.keyId))?.publicKey;
+
-		if (!publicKeyPem) {
+		var publicKeyPem = await getRemotePubkey(signature.keyId);
-			console.debug("fetching public key", signature.keyId);
+		if (!publicKeyPem) return res.status(400).send("could not get pubkey");
-			let user_res = await fetch(signature.keyId, {headers:{Accept:"application/json"}});
+
 			if (!user_res.ok) return res.status(400).send("cannot verify");
 			let user_json = await user_res.json();
 			console.debug({user_json});
 			publicKeyPem = user_json.publicKey.publicKeyPem;
 			keystore.set(signature.keyId, {publicKey: publicKeyPem});
 		}
 		if (!signature.verify(publicKeyPem)) {
 			res.status(400).send("bad signature");
 			console.debug("bad signature");
 			return;
 		}
-		var CLIENT_NODE = req.get("User-Agent").match(/(?<=https:\/\/)[a-z0-9-\.]+/i)[0];
+		var modifiedPayload = req.body.replaceAll(TARGET_MASQUERADE, TARGET_NODE).replaceAll(CLIENT_REGEXP, CLIENT_MASQUERADE);
-		var CLIENT_MASQUERADE = [CLIENT_NODE.replaceAll('-','--').replaceAll('.','-'), ...req.hostname.split('.').slice(-2)].join('.');
+		console.debug({CLIENT_NODE, CLIENT_REGEXP, CLIENT_MASQUERADE, original:req.body, modified:modifiedPayload});
 		var modifiedPayload = req.body
 			.replaceAll(TARGET_MASQUERADE, TARGET_NODE)
 			.replaceAll(CLIENT_NODE, CLIENT_MASQUERADE);
 		console.debug({CLIENT_NODE,CLIENT_MASQUERADE,original:req.body,modified:modifiedPayload});
 		var digest = crypto.createHash("sha256").update(modifiedPayload, "utf-8").digest("base64");
-		opts.headers.digest = `sha-256=${digest}`;
+		opts.headers["digest"] = `sha-256=${digest}`;
 		var clientMasqueradeKeyId = signature.keyId.replaceAll(CLIENT_NODE, CLIENT_MASQUERADE);
-		var clientMasqueradePrivateKeyPem = (await keystore.get(clientMasqueradeKeyId))?.privateKey;
+		var clientMasqueradePrivateKeyPem = (await getLocalKeypair(clientMasqueradeKeyId))?.privateKey;
 		if (!clientMasqueradePrivateKeyPem) {
 			console.debug("making new masquerade key (client)");
 			var {publicKey, privateKey} = await generateKeyPair('rsa', {
 				publicKeyEncoding: {type:'pkcs1', format: 'pem'},
 				privateKeyEncoding: {type:'pkcs1', format: 'pem'},
 				modulusLength: 2048
 			});
 			clientMasqueradePrivateKeyPem = privateKey;
 			await keystore.set(clientMasqueradeKeyId, {publicKey, privateKey});
 		}
 		var signer = new Sha256Signer({
 			publicKeyId: clientMasqueradeKeyId,
 			privateKey: clientMasqueradePrivateKeyPem,
 			headerNames: ['(request-target)', 'host', 'date', 'digest']
 		});
-		opts.headers.signature = signer.sign({url, method: opts.method, headers: opts.headers});
+
 		opts.headers["signature"] = signer.sign({url: TARGET_URL, method: opts.method, headers: opts.headers});
 		opts.headers["content-tength"] = modifiedPayload.length;
 		if (req.get("Content-Type")) opts.headers["content-type"] = req.get("Content-Type");
 		opts.body = modifiedPayload;
 	}
-	if (req.get("Accept")) opts.headers.Accept = req.get("Accept");
+	if (req.get("User-Agent")) opts.headers["user-agent"] = req.get("User-Agent").replaceAll(CLIENT_NODE, CLIENT_MASQUERADE);
-	var target_res = await fetch(url, opts);
+	if (req.get("Accept")) opts.headers["accept"] = req.get("Accept");
-	console.debug(target_res.status, target_res.statusText, target_res.headers.get("content-type"));
+
-	
+	var target_res = await fetch(TARGET_URL, opts);
 	var contentType = target_res.headers.get("content-type");
 	console.debug(target_res.status, target_res.statusText, contentType);
 	//note this affects html attachments from pleroma
 	if (contentType.startsWith("text/html")) {
 		//res.status(403).send("html is not allowed");
 		res.redirect(308, TARGET_URL);
 		return;
 	}
 	if ([
 		"application/jrd+json",
 		"application/activity+json",
 		"application/json",
 		"application/xrd+xml",
-		"application/xml",
+		"application/xml"
-		"text/",
+	].some(t => contentType?.toLowerCase().startsWith(t))) {
 		"charset=utf-8"
 	].some(t => target_res.headers.get("content-type").toLowerCase().includes(t))) {
 		var originalText = await target_res.text(), modifiedText = originalText;
 		console.debug({originalText})
-		if (target_res.headers.get("content-type").includes("json")) {
+		if (contentType.includes("json")) {
 			var json = JSON.parse(originalText);
 			if (json.preferredUsername && USER_WHITELIST && !USER_WHITELIST.includes(json.preferredUsername)) {
 				console.debug(`user ${json.preferredUsername} blocked by whitelist`);
 				//res.status(403).send(`${json.preferredUsername} is not whitelisted`);
 				res.redirect(308, TARGET_URL);
 				return;
 			}
 			if (json.publicKey) {
 				console.debug("has key");
 				await keystore.set(json.publicKey.id, {publicKey: json.publicKey.publicKeyPem});
 				var masqueradeKeyId = json.publicKey.id.replaceAll(TARGET_REGEXP, TARGET_MASQUERADE);
-				var masqueradeKeyPem = (await keystore.get(masqueradeKeyId))?.publicKey;
+				var masqueradeKeyPem = (await getLocalKeypair(masqueradeKeyId)).publicKey;
 				if (!masqueradeKeyPem) {
 					console.debug("making new masquerade key (target)");
 					var {publicKey, privateKey} = await generateKeyPair('rsa', {
 						publicKeyEncoding: {type:'pkcs1', format: 'pem'},
 						privateKeyEncoding: {type:'pkcs1', format: 'pem'},
 						modulusLength: 2048
 					});
 					masqueradeKeyPem = publicKey;
 					await keystore.set(masqueradeKeyId, {publicKey, privateKey});
 				}
 				json.publicKey.id = masqueradeKeyId;
 				json.publicKey.publicKeyPem = masqueradeKeyPem;
 				modifiedText = JSON.stringify(json);
@@ -137,9 +151,42 @@ app.use(async (req, res, next) => {
 		}
 		modifiedText = modifiedText.replaceAll(TARGET_REGEXP, TARGET_MASQUERADE);
 		console.debug({modifiedText});
-	} else console.debug("binary");
+	} else console.debug("passthrough");
 	if (!target_res.ok && !modifiedText && contentType.startsWith("text/")) console.debug("response:", await target_res.text());
 	res.status(target_res.status);
-	res.header("Content-Type", target_res.headers.get("content-type"));
+	res.header("Content-Type", contentType);
 	if (modifiedText) res.send(modifiedText);
 	else target_res.body.pipe(res);
 });
 async function getLocalKeypair(id) {
 	var keys = await keystore.get(id);
 	if (keys) return keys;
 	console.debug("making new masquerade key");
 	keys = await generateKeyPair('rsa', {
 		publicKeyEncoding: {type:'pkcs1', format: 'pem'},
 		privateKeyEncoding: {type:'pkcs1', format: 'pem'},
 		modulusLength: 2048
 	});
 	await keystore.set(id, keys);
 	return keys;
 }
 async function getRemotePubkey(id) {
 	var publicKey = (await keystore.get(id))?.publicKey;
 	if (publicKey) return publicKey;
 	console.debug("fetching public key", id);
 	var res = await fetch(id, {headers: {Accept: "application/activity+json"}});
 	console.debug(res.status, res.statusText, res.headers.get("content-type"));
 	if (!res.ok || !res.headers.get("content-type").includes("json")) {
 		console.debug("could not get key");
 		return false;
 	};
 	var json = await res.json();
 	console.debug(json);
 	var publicKey = json?.publicKey?.publicKeyPem;
 	if (publicKey) keystore.set(id, {publicKey});
 	return publicKey;
 }
@@ -1,10 +1,30 @@
 {
-  "dependencies": {
+	"name": "activitypub-proxy",
-    "@keyv/sqlite": "^3.6.4",
+	"version": "0.2.3",
-    "activitypub-http-signatures": "^2.0.1",
+	"keywords": [
-    "express": "^4.18.2",
+		"activitypub",
-    "express-async-errors": "^3.1.1",
+		"mastodon",
-    "keyv": "^4.5.2",
+		"misskey",
-    "node-fetch": "^2.6.7"
+		"pleroma",
-  }
+		"fediblock"
 	],
 	"homepage": "https://activitypub-proxy.cf",
 	"bugs": "https://gitea.moe/lamp/activitypub-proxy/issues",
 	"repository": {
 		"type": "git",
 		"url": "https://gitea.moe/lamp/activitypub-proxy"
 	},
 	"dependencies": {
 		"@keyv/sqlite": "^3.6.4",
 		"activitypub-http-signatures": "^2.0.1",
 		"dotenv": "^16.0.3",
 		"express": "^4.18.2",
 		"express-async-errors": "^3.1.1",
 		"keyv": "^4.5.2",
 		"node-fetch": "^3.3.0"
 	},
 	"type": "module",
 	"engines": {
 		"node": ">=15.0.0"
 	}
 }
Author	SHA1	Message	Date
lamp	74b06c1441	0.2.3	2022-12-26 23:41:02 -06:00
lamp	25837658eb	Update 'README.md'	2022-12-26 23:40:48 -06:00
lamp	011ba4c248	npm	2022-12-26 23:23:19 -06:00
lamp	fbd6762aba	redirect instead of block?	2022-12-26 21:57:23 -06:00
lamp	1a1b5a5179	make it better fix pleroma 500 fix user block block html proxying	2022-12-26 20:26:45 -06:00
lamp	0a5ca65ade	Merge branch 'master' of gitea.moe:lamp/activitypub-proxy	2022-12-24 16:40:45 -06:00
lamp	4e577d3b7b	convert to mjs	2022-12-24 16:40:31 -06:00
lamp	5dd3541a01	remove bad vibes from readme	2022-12-24 14:50:24 -06:00
lamp	448540ea08	Update 'README.md'	2022-12-23 18:18:13 -06:00
lamp	6c943c49f4	fix POST not using regex	2022-12-23 13:52:10 -06:00
lamp	6f3dacb565	finish wip: whitelist & readme	2022-12-23 02:19:20 -06:00
lamp	caa44a4c19	commit dumb work-in-progress code before redoing	2022-12-23 01:06:52 -06:00