bump snap version

Bump golang.org/x/net from 0.5.0 to 0.7.0

.github/stale.yml

@@ -0,0 +1,17 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 60
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 7
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - pinned
+  - security
+# Label to use when marking an issue as stale
+staleLabel: wontfix
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: false

.github/workflows/docker-ci.yml

@@ -0,0 +1,58 @@
+name: docker-ci
+
+on:
+  push:
+    branches:
+      - 'master'
+  release:
+    types: [published]
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      -
+        name: Find Git Tag
+        id: tagger
+        uses: jimschubert/query-tag-action@v2
+        with:
+          include: 'v*'
+          exclude: '*-rc*'
+          commit-ish: 'HEAD'
+          skip-unshallow: 'true'
+          abbrev: 7
+      -
+        name: Determine image tag type
+        uses: haya14busa/action-cond@v1
+        id: imgtag
+        with:
+          cond: ${{ github.event_name == 'release' }}
+          if_true: ${{ secrets.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}:${{ github.event.release.tag_name }},${{ secrets.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}:latest
+          if_false: ${{ secrets.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}:latest
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      -
+        name: Login to DockerHub
+        uses: docker/login-action@v1 
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      -
+        name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64,linux/386,linux/arm/v7
+          push: true
+          tags: ${{ steps.imgtag.outputs.value }}
+          build-args: 'GIT_DESC=${{steps.tagger.outputs.tag}}'

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang AS build
+FROM golang:1.19 AS build
 
 ARG GIT_DESC=undefined
 

Makefile

@@ -5,22 +5,34 @@ BUILDOPTS = -a -tags netgo
 LDFLAGS = -ldflags '-s -w -extldflags "-static" -X main.version=$(VERSION)'
 LDFLAGS_NATIVE = -ldflags '-s -w -X main.version=$(VERSION)'
 
+NDK_CC_ARM = $(abspath ../../ndk-toolchain-arm/bin/arm-linux-androideabi-gcc)
+NDK_CC_ARM64 = $(abspath ../../ndk-toolchain-arm64/bin/aarch64-linux-android21-clang)
+
 GO := go
 
-src = $(wildcard *.go)
+src = $(wildcard *.go */*.go */*/*.go) go.mod go.sum
 
 native: bin-native
-all: bin-linux-amd64 bin-linux-386 bin-linux-arm \
+all: bin-linux-amd64 bin-linux-386 bin-linux-arm bin-linux-arm64 \
+	bin-linux-mips bin-linux-mipsle bin-linux-mips64 bin-linux-mips64le \
 	bin-freebsd-amd64 bin-freebsd-386 bin-freebsd-arm \
 	bin-netbsd-amd64 bin-netbsd-386 \
 	bin-openbsd-amd64 bin-openbsd-386 \
 	bin-darwin-amd64 bin-darwin-arm64 \
 	bin-windows-amd64 bin-windows-386 bin-windows-arm
 
+allplus: all \
+	bin-android-arm bin-android-arm64
+
 bin-native: $(OUTSUFFIX)
 bin-linux-amd64: $(OUTSUFFIX).linux-amd64
 bin-linux-386: $(OUTSUFFIX).linux-386
 bin-linux-arm: $(OUTSUFFIX).linux-arm
+bin-linux-arm64: $(OUTSUFFIX).linux-arm64
+bin-linux-mips: $(OUTSUFFIX).linux-mips
+bin-linux-mipsle: $(OUTSUFFIX).linux-mipsle
+bin-linux-mips64: $(OUTSUFFIX).linux-mips64
+bin-linux-mips64le: $(OUTSUFFIX).linux-mips64le
 bin-freebsd-amd64: $(OUTSUFFIX).freebsd-amd64
 bin-freebsd-386: $(OUTSUFFIX).freebsd-386
 bin-freebsd-arm: $(OUTSUFFIX).freebsd-arm
@@ -33,6 +45,8 @@ bin-darwin-arm64: $(OUTSUFFIX).darwin-arm64
 bin-windows-amd64: $(OUTSUFFIX).windows-amd64.exe
 bin-windows-386: $(OUTSUFFIX).windows-386.exe
 bin-windows-arm: $(OUTSUFFIX).windows-arm.exe
+bin-android-arm: $(OUTSUFFIX).android-arm
+bin-android-arm64: $(OUTSUFFIX).android-arm64
 
 $(OUTSUFFIX): $(src)
 	$(GO) build $(LDFLAGS_NATIVE) -o $@
@@ -46,6 +60,21 @@ $(OUTSUFFIX).linux-386: $(src)
 $(OUTSUFFIX).linux-arm: $(src)
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm $(GO) build $(BUILDOPTS) $(LDFLAGS) -o $@
 
+$(OUTSUFFIX).linux-arm64: $(src)
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 $(GO) build $(BUILDOPTS) $(LDFLAGS) -o $@
+
+$(OUTSUFFIX).linux-mips: $(src)
+	CGO_ENABLED=0 GOOS=linux GOARCH=mips GOMIPS=softfloat $(GO) build $(BUILDOPTS) $(LDFLAGS) -o $@
+
+$(OUTSUFFIX).linux-mips64: $(src)
+	CGO_ENABLED=0 GOOS=linux GOARCH=mips64 GOMIPS=softfloat $(GO) build $(BUILDOPTS) $(LDFLAGS) -o $@
+
+$(OUTSUFFIX).linux-mipsle: $(src)
+	CGO_ENABLED=0 GOOS=linux GOARCH=mipsle GOMIPS=softfloat $(GO) build $(BUILDOPTS) $(LDFLAGS) -o $@
+
+$(OUTSUFFIX).linux-mips64le: $(src)
+	CGO_ENABLED=0 GOOS=linux GOARCH=mips64le GOMIPS=softfloat $(GO) build $(BUILDOPTS) $(LDFLAGS) -o $@
+
 $(OUTSUFFIX).freebsd-amd64: $(src)
 	CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 $(GO) build $(BUILDOPTS) $(LDFLAGS) -o $@
 
@@ -82,6 +111,12 @@ $(OUTSUFFIX).windows-386.exe: $(src)
 $(OUTSUFFIX).windows-arm.exe: $(src)
 	CGO_ENABLED=0 GOOS=windows GOARCH=arm GOARM=7 $(GO) build $(BUILDOPTS) $(LDFLAGS) -o $@
 
+$(OUTSUFFIX).android-arm: $(src)
+	CC=$(NDK_CC_ARM) CGO_ENABLED=1 GOOS=android GOARCH=arm GOARM=7 $(GO) build $(LDFLAGS_NATIVE) -o $@
+
+$(OUTSUFFIX).android-arm64: $(src)
+	CC=$(NDK_CC_ARM64) CGO_ENABLED=1 GOOS=android GOARCH=arm64 $(GO) build $(LDFLAGS_NATIVE) -o $@
+
 clean:
 	rm -f bin/*
 
@@ -99,9 +134,21 @@ install:
 	bin-linux-amd64 \
 	bin-linux-386 \
 	bin-linux-arm \
+	bin-linux-arm64 \
+	bin-linux-mips \
+	bin-linux-mipsle \
+	bin-linux-mips64 \
+	bin-linux-mips64le \
 	bin-freebsd-amd64 \
 	bin-freebsd-386 \
 	bin-freebsd-arm \
+	bin-netbsd-amd64 \
+	bin-netbsd-386 \
+	bin-openbsd-amd64 \
+	bin-openbsd-386 \
 	bin-darwin-amd64 \
 	bin-windows-amd64 \
-	bin-windows-386
+	bin-windows-386 \
+	bin-windows-arm \
+	bin-android-arm \
+	bin-android-arm64

README.md

@@ -5,7 +5,7 @@
 Standalone Hola proxy client. Just run it and it'll start a plain HTTP proxy server forwarding traffic through Hola proxies of your choice.
 By default the application listens on 127.0.0.1:8080.
 
-Application is capable to forward traffic via proxies in datacenters (flag `-proxy-type direct`, default) or via peer proxies on residental IPs (consumer ISP) in that country (flag `-proxy-type pool` or `-proxy-type lum`).
+Application is capable to forward traffic via proxies in datacenters (flag `-proxy-type direct`, default) or via peer proxies on residental IPs (consumer ISP) in that country (flag `-proxy-type lum`).
 
 ---
 
@@ -41,6 +41,12 @@ git clone https://ipfs.io/ipns/k51qzi5uqu5dkrgx0hozpy1tlggw5o0whtquyrjlc6pprhvbm
 
 Pre-built binaries are available [here](https://github.com/Snawoot/hola-proxy/releases/latest).
 
+Don't forget to make file executable on Unix-like systems (Linux, MacOS, \*BSD, Android). For your convenience rename downloaded file to `hola-proxy` and run within directory where you placed it:
+
+```sh
+chmod +x hola-proxy
+```
+
 #### Build from source
 
 Alternatively, you may install hola-proxy from source. Run the following within the source directory:
@@ -150,7 +156,10 @@ zagent248.hola.org,165.22.65.3,22222,22223,22224,22225,22226,digitalocean
 
 | Argument | Type | Description |
 | -------- | ---- | ----------- |
+| backoff-deadline | Duration | total duration of zgettunnels method attempts (default 5m0s) |
+| backoff-initial | Duration | initial average backoff delay for zgettunnels (randomized by +/-50%) (default 3s) |
 | bind-address | String | HTTP proxy address to listen to (default "127.0.0.1:8080") |
+| cafile | String | use custom CA certificate bundle file |
 | country | String | desired proxy location (default "us") |
 | dont-use-trial | - | use regular ports instead of trial ports |
 | force-port-field | Number | force specific port field/num (example 24232 or lum) |
@@ -158,8 +167,12 @@ zagent248.hola.org,165.22.65.3,22222,22223,22224,22225,22226,digitalocean
 | list-countries | String | list available countries and exit |
 | list-proxies | - | output proxy list and exit |
 | proxy | String | sets base proxy to use for all dial-outs. Format: `<http\|https\|socks5\|socks5h>://[login:password@]host[:port]` Examples: `http://user:password@192.168.1.1:3128`, `socks5://10.0.0.1:1080` |
-| proxy-type | String | proxy type (Datacenter: direct, virt) (Residential: peer, lum, pool) (default "direct") |
+| proxy-type | String | proxy type (Datacenter: direct) (Residential: lum) (default "direct") |
 | resolver | String | DNS/DoH/DoT resolver to workaround Hola blocked hosts. See https://github.com/ameshkov/dnslookup/ for upstream DNS URL format. (default "https://cloudflare-dns.com/dns-query") |
 | rotate | Duration | rotate user ID once per given period (default 1h0m0s) |
-| timeout | Duration | timeout for network operations (default 10s) |
+| timeout | Duration | timeout for network operations (default 35s) |
 | verbosity | Number | logging verbosity (10 - debug, 20 - info, 30 - warning, 40 - error, 50 - critical) (default 20) |
+
+## See also
+
+* [Project wiki](https://github.com/Snawoot/hola-proxy/wiki)

credservice.go

@@ -12,9 +12,10 @@ const DEFAULT_LIST_LIMIT = 3
 func CredService(interval, timeout time.Duration,
 	country string,
 	proxytype string,
-	logger *CondLogger) (auth AuthProvider,
-	tunnels *ZGetTunnelsResponse,
-	err error) {
+	logger *CondLogger,
+	backoffInitial time.Duration,
+	backoffDeadline time.Duration,
+) (auth AuthProvider, tunnels *ZGetTunnelsResponse, err error) {
 	var mux sync.Mutex
 	var auth_header, user_uuid string
 	auth = func() (res string) {
@@ -25,7 +26,8 @@ func CredService(interval, timeout time.Duration,
 	}
 
 	tx_res, tx_err := EnsureTransaction(context.Background(), timeout, func(ctx context.Context, client *http.Client) bool {
-		tunnels, user_uuid, err = Tunnels(ctx, client, country, proxytype, DEFAULT_LIST_LIMIT)
+		tunnels, user_uuid, err = Tunnels(ctx, logger, client, country, proxytype,
+			DEFAULT_LIST_LIMIT, timeout, backoffInitial, backoffDeadline)
 		if err != nil {
 			logger.Error("Configuration bootstrap error: %v. Retrying with the fallback mechanism...", err)
 			return false
@@ -55,7 +57,8 @@ func CredService(interval, timeout time.Duration,
 			<-ticker.C
 			logger.Info("Rotating credentials...")
 			tx_res, tx_err := EnsureTransaction(context.Background(), timeout, func(ctx context.Context, client *http.Client) bool {
-				tuns, user_uuid, err = Tunnels(ctx, client, country, proxytype, DEFAULT_LIST_LIMIT)
+				tuns, user_uuid, err = Tunnels(ctx, logger, client, country, proxytype,
+					DEFAULT_LIST_LIMIT, timeout, backoffInitial, backoffDeadline)
 				if err != nil {
 					logger.Error("Credential rotation error: %v. Retrying with the fallback mechanism...", err)
 					return false

csrand.go

@@ -10,6 +10,7 @@ type secureRandomSource struct{}
 var RandomSource secureRandomSource
 
 var int63Limit = big.NewInt(0).Lsh(big.NewInt(1), 63)
+var int64Limit = big.NewInt(0).Lsh(big.NewInt(1), 64)
 
 func (_ secureRandomSource) Seed(_ int64) {
 }
@@ -21,3 +22,11 @@ func (_ secureRandomSource) Int63() int64 {
 	}
 	return randNum.Int64()
 }
+
+func (_ secureRandomSource) Uint64() uint64 {
+	randNum, err := crand.Int(crand.Reader, int64Limit)
+	if err != nil {
+		panic(err)
+	}
+	return randNum.Uint64()
+}

go.mod

@@ -1,11 +1,34 @@
 module github.com/Snawoot/hola-proxy
 
-go 1.13
+go 1.19
 
 require (
-	github.com/AdguardTeam/dnsproxy v0.25.0
+	github.com/AdguardTeam/dnsproxy v0.48.2
 	github.com/campoy/unique v0.0.0-20180121183637-88950e537e7e
-	github.com/google/uuid v1.1.1
-	github.com/miekg/dns v1.1.29
-	golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e
+	github.com/cenkalti/backoff/v4 v4.2.0
+	github.com/google/uuid v1.3.0
+	github.com/miekg/dns v1.1.52
+	golang.org/x/net v0.8.0
+)
+
+require (
+	github.com/AdguardTeam/golibs v0.13.0 // indirect
+	github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da // indirect
+	github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635 // indirect
+	github.com/ameshkov/dnscrypt/v2 v2.2.6 // indirect
+	github.com/ameshkov/dnsstamps v1.0.3 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/golang/mock v1.6.0 // indirect
+	github.com/google/pprof v0.0.0-20230323073829-e72429f035bd // indirect
+	github.com/onsi/ginkgo/v2 v2.9.2 // indirect
+	github.com/quic-go/qpack v0.4.0 // indirect
+	github.com/quic-go/qtls-go1-19 v0.3.0 // indirect
+	github.com/quic-go/qtls-go1-20 v0.2.0 // indirect
+	github.com/quic-go/quic-go v0.33.0 // indirect
+	golang.org/x/crypto v0.7.0 // indirect
+	golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
+	golang.org/x/mod v0.9.0 // indirect
+	golang.org/x/sys v0.6.0 // indirect
+	golang.org/x/text v0.8.0 // indirect
+	golang.org/x/tools v0.7.0 // indirect
 )

go.sum

@@ -1,72 +1,90 @@
-github.com/AdguardTeam/dnsproxy v0.25.0 h1:BTUPrrwB01GeQW5d2Xx4pH5HOFXcZxN1MTeNXXuy6vQ=
-github.com/AdguardTeam/dnsproxy v0.25.0/go.mod h1:z2EljVLJQXFGZcP9pWABftXm9UxpLNqls7H6bMcIvEY=
-github.com/AdguardTeam/golibs v0.4.0 h1:4VX6LoOqFe9p9Gf55BeD8BvJD6M6RDYmgEiHrENE9KU=
-github.com/AdguardTeam/golibs v0.4.0/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
+github.com/AdguardTeam/dnsproxy v0.48.2 h1:zEWeImyJGPeQAZ7+F/sgOJ2WbCRN1zbINLsDAEnFWjI=
+github.com/AdguardTeam/dnsproxy v0.48.2/go.mod h1:Y7g7jRTd/u7+KJ/QvnGI2PCE8vnisp6EsW47/Sz0DZw=
+github.com/AdguardTeam/golibs v0.13.0 h1:hVBeNQXT/BgcjKz/4FMpFGvEYqXiXDJG+b5XpGCUOLk=
+github.com/AdguardTeam/golibs v0.13.0/go.mod h1:rIglKDHdLvFT1UbhumBLHO9S4cvWS9MEyT1njommI/Y=
 github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da h1:KjTM2ks9d14ZYCvmHS9iAKVt9AyzRSqNU1qabPih5BY=
 github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da/go.mod h1:eHEWzANqSiWQsof+nXEI9bUVUyV6F53Fp89EuCh2EAA=
 github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635 h1:52m0LGchQBBVqJRyYYufQuIbVqRawmubW3OFGqK1ekw=
 github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635/go.mod h1:lmLxL+FV291OopO93Bwf9fQLQeLyt33VJRUg5VJ30us=
-github.com/ameshkov/dnscrypt v1.1.0 h1:2vAt5dD6ZmqlAxEAfzRcLBnkvdf8NI46Kn9InSwQbSI=
-github.com/ameshkov/dnscrypt v1.1.0/go.mod h1:ikduAxNLCTEfd1AaCgpIA5TgroIVQ8JY3Vb095fiFJg=
-github.com/ameshkov/dnsstamps v1.0.1 h1:LhGvgWDzhNJh+kBQd/AfUlq1vfVe109huiXw4JhnPug=
-github.com/ameshkov/dnsstamps v1.0.1/go.mod h1:Ii3eUu73dx4Vw5O4wjzmT5+lkCwovjzaEZZ4gKyIH5A=
-github.com/beefsack/go-rate v0.0.0-20180408011153-efa7637bb9b6/go.mod h1:6YNgTHLutezwnBvyneBbwvB8C82y3dcoOj5EQJIdGXA=
+github.com/ameshkov/dnscrypt/v2 v2.2.6 h1:rE7AFbPWebq7me7RVS66Cipd1m7ef1yf2+C8QzjQXXE=
+github.com/ameshkov/dnscrypt/v2 v2.2.6/go.mod h1:qPWhwz6FdSmuK7W4sMyvogrez4MWdtzosdqlr0Rg3ow=
+github.com/ameshkov/dnsstamps v1.0.3 h1:Srzik+J9mivH1alRACTbys2xOxs0lRH9qnTA7Y1OYVo=
+github.com/ameshkov/dnsstamps v1.0.3/go.mod h1:Ii3eUu73dx4Vw5O4wjzmT5+lkCwovjzaEZZ4gKyIH5A=
 github.com/campoy/unique v0.0.0-20180121183637-88950e537e7e h1:V9a67dfYqPLAvzk5hMQOXYJlZ4SLIXgyKIE+ZiHzgGQ=
 github.com/campoy/unique v0.0.0-20180121183637-88950e537e7e/go.mod h1:9IOqJGCPMSc6E5ydlp5NIonxObaeu/Iub/X03EKPVYo=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/cenkalti/backoff/v4 v4.2.0 h1:HN5dHm3WBOgndBH6E8V0q2jIYIR3s9yglV8k/+MN3u4=
+github.com/cenkalti/backoff/v4 v4.2.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/go-test/deep v1.0.5/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8=
-github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
-github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
-github.com/joomcode/errorx v1.0.1 h1:CalpDWz14ZHd68fIqluJasJosAewpz2TFaJALrUxjrk=
-github.com/joomcode/errorx v1.0.1/go.mod h1:kgco15ekB6cs+4Xjzo7SPeXzx38PbJzBwbnu9qfVNHQ=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/miekg/dns v1.1.29 h1:xHBEhR+t5RzcFJjBLJlax2daXOrTYtr9z4WdKEfWFzg=
-github.com/miekg/dns v1.1.29/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
+github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
+github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
+github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/pprof v0.0.0-20230323073829-e72429f035bd h1:r8yyd+DJDmsUhGrRBxH5Pj7KeFK5l+Y3FsgT8keqKtk=
+github.com/google/pprof v0.0.0-20230323073829-e72429f035bd/go.mod h1:79YE0hCXdHag9sBkw2o+N/YnZtTkXi0UT9Nnixa5eYk=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/miekg/dns v1.1.52 h1:Bmlc/qsNNULOe6bpXcUTsuOajd0DzRHwup6D9k1An0c=
+github.com/miekg/dns v1.1.52/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
+github.com/onsi/ginkgo/v2 v2.9.2 h1:BA2GMJOtfGAfagzYtrAlufIP0lq6QERkFmHLMLPwFSU=
+github.com/onsi/ginkgo/v2 v2.9.2/go.mod h1:WHcJJG2dIlcCqVfBAwUCrJxSPFb6v4azBwgxeMeDuts=
+github.com/onsi/gomega v1.27.4 h1:Z2AnStgsdSayCMDiCU42qIz+HLqEPcgiOCXjAU/w+8E=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/sparrc/go-ping v0.0.0-20190613174326-4e5b6552494c/go.mod h1:eMyUVp6f/5jnzM+3zahzl7q6UXLbgSc3MKg/+ow9QW0=
+github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
+github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
+github.com/quic-go/qtls-go1-19 v0.3.0 h1:aUBoQdpHzUWtPw5tQZbsD2GnrWCNu7/RIX1PtqGeLYY=
+github.com/quic-go/qtls-go1-19 v0.3.0/go.mod h1:ySOI96ew8lnoKPtSqx2BlI5wCpUVPT05RMAlajtnyOI=
+github.com/quic-go/qtls-go1-20 v0.2.0 h1:jUHn+obJ6WI5JudqBO0Iy1ra5Vh5vsitQ1gXQvkmN+E=
+github.com/quic-go/qtls-go1-20 v0.2.0/go.mod h1:JKtK6mjbAVcUTN/9jZpvLbGxvdWIKS8uT7EiStoU1SM=
+github.com/quic-go/quic-go v0.33.0 h1:ItNoTDN/Fm/zBlq769lLJc8ECe9gYaW40veHCCco7y0=
+github.com/quic-go/quic-go v0.33.0/go.mod h1:YMuhaAV9/jIu0XclDXwZPAsP/2Kgr5yMYhe9oxhhOFA=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
+github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200403201458-baeed622b8d8 h1:fpnn/HnJONpIu6hkXi1u/7rR0NzilgWr4T0JmWkEitk=
-golang.org/x/crypto v0.0.0-20200403201458-baeed622b8d8/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/exp v0.0.0-20230321023759-10a507213a29 h1:ooxPy7fPvB4kwsA2h+iBNHkAbp/4JxTSwCmvdjEYmug=
+golang.org/x/exp v0.0.0-20230321023759-10a507213a29/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
+golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.9.0 h1:KENHtAZL2y3NLMYZeHY9DW8HW8V+kQyJsY/V9JlKvCs=
+golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e h1:3G+cUijn7XD+S4eJFddp53Pv7+slrESplyjG25HgL+k=
-golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a h1:WXEvlFVvvGxCJLG6REjsT03iWnKLEWinaScsxF2Vm2o=
-golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200331124033-c3d80250170d h1:nc5K6ox/4lTFbMVSL9WRR81ixkcwXThoiF6yf+R9scA=
-golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.7.0 h1:W4OVu8VVOaIO0yzWMNdepAulS7YfoS3Zabrm8DOXXU4=
+golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

handler.go

@@ -3,6 +3,7 @@ package main
 import (
 	"fmt"
 	"net/http"
+	"net/url"
 	"strings"
 	"time"
 )
@@ -15,20 +16,28 @@ type ProxyHandler struct {
 	logger        *CondLogger
 	dialer        ContextDialer
 	httptransport http.RoundTripper
+	auth          AuthProvider
 }
 
-func NewProxyHandler(dialer ContextDialer, resolver *Resolver, logger *CondLogger) *ProxyHandler {
+func NewProxyHandler(dialer, requestDialer ContextDialer, auth AuthProvider, resolver *Resolver, logger *CondLogger) *ProxyHandler {
 	dialer = NewRetryDialer(dialer, resolver, logger)
 	httptransport := &http.Transport{
+		Proxy: func(_ *http.Request) (*url.URL, error) {
+			return &url.URL{
+				Scheme: "http",
+				Host:   "void",
+			}, nil
+		},
 		MaxIdleConns:          100,
 		IdleConnTimeout:       90 * time.Second,
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
-		DialContext:           dialer.DialContext,
+		DialContext:           requestDialer.DialContext,
 	}
 	return &ProxyHandler{
 		logger:        logger,
 		dialer:        dialer,
+		auth:          auth,
 		httptransport: httptransport,
 	}
 }
@@ -74,6 +83,8 @@ func (s *ProxyHandler) HandleRequest(wr http.ResponseWriter, req *http.Request)
 		req.URL.Scheme = "http" // We can't access :scheme pseudo-header, so assume http
 		req.URL.Host = req.Host
 	}
+	delHopHeaders(req.Header)
+	req.Header.Add("Proxy-Authorization", s.auth())
 	resp, err := s.httptransport.RoundTrip(req)
 	if err != nil {
 		s.logger.Error("HTTP fetch error: %v", err)

holaapi.go

@@ -3,6 +3,8 @@ package main
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
@@ -18,11 +20,12 @@ import (
 	"time"
 
 	"github.com/campoy/unique"
+	"github.com/cenkalti/backoff/v4"
 	"github.com/google/uuid"
 )
 
-const USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36"
-const EXT_VER = "1.181.350"
+const USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36"
+const EXT_VER = "1.186.562"
 const EXT_BROWSER = "chrome"
 const PRODUCT = "cws"
 const CCGI_URL = "https://client.hola.org/client_cgi/"
@@ -35,6 +38,7 @@ const AGENT_SUFFIX = ".hola.org"
 
 var TemporaryBanError = errors.New("temporary ban detected")
 var PermanentBanError = errors.New("permanent ban detected")
+var EmptyResponseError = errors.New("empty response")
 
 type CountryList []string
 
@@ -246,7 +250,13 @@ func zgettunnels(ctx context.Context,
 		reterr = err
 		return
 	}
-	reterr = json.Unmarshal(data, &tunnels)
+	err = json.Unmarshal(data, &tunnels)
+	if err != nil {
+		return nil, fmt.Errorf("unable to unmashal zgettunnels response: %w", err)
+	}
+	if len(tunnels.IPList) == 0 {
+		return nil, EmptyResponseError
+	}
 	res = &tunnels
 	return
 }
@@ -313,18 +323,46 @@ func GetFallbackProxies(ctx context.Context) (*FallbackConfig, error) {
 }
 
 func Tunnels(ctx context.Context,
+	logger *CondLogger,
 	client *http.Client,
 	country string,
 	proxy_type string,
-	limit uint) (res *ZGetTunnelsResponse, user_uuid string, reterr error) {
+	limit uint,
+	timeout time.Duration,
+	backoffInitial time.Duration,
+	backoffDeadline time.Duration,
+) (res *ZGetTunnelsResponse, user_uuid string, reterr error) {
 	u := uuid.New()
 	user_uuid = hex.EncodeToString(u[:])
-	initres, err := background_init(ctx, client, user_uuid)
+	ctx1, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+	initres, err := background_init(ctx1, client, user_uuid)
 	if err != nil {
 		reterr = err
 		return
 	}
-	res, reterr = zgettunnels(ctx, client, user_uuid, initres.Key, country, proxy_type, limit)
+	var bo backoff.BackOff = &backoff.ExponentialBackOff{
+		InitialInterval:     backoffInitial,
+		RandomizationFactor: 0.5,
+		Multiplier:          1.5,
+		MaxInterval:         10 * time.Minute,
+		MaxElapsedTime:      backoffDeadline,
+		Stop:                backoff.Stop,
+		Clock:               backoff.SystemClock,
+	}
+	bo = backoff.WithContext(bo, ctx)
+	err = backoff.RetryNotify(func() error {
+		ctx1, cancel := context.WithTimeout(ctx, timeout)
+		defer cancel()
+		res, reterr = zgettunnels(ctx1, client, user_uuid, initres.Key, country, proxy_type, limit)
+		return reterr
+	}, bo, func(err error, dur time.Duration) {
+		logger.Info("zgettunnels error: %v; will retry after %v", err, dur.Truncate(time.Millisecond))
+	})
+	if err != nil {
+		logger.Error("All attempts failed: %v", err)
+		return nil, "", err
+	}
 	return
 }
 
@@ -333,10 +371,16 @@ var baseDialer ContextDialer = &net.Dialer{
 	KeepAlive: 30 * time.Second,
 }
 
+var tlsConfig *tls.Config
+
 func UpdateHolaDialer(dialer ContextDialer) {
 	baseDialer = dialer
 }
 
+func UpdateHolaTLSConfig(config *tls.Config) {
+	tlsConfig = config
+}
+
 // Returns default http client with a proxy override
 func httpClientWithProxy(agent *FallbackAgent) *http.Client {
 	t := &http.Transport{
@@ -345,10 +389,15 @@ func httpClientWithProxy(agent *FallbackAgent) *http.Client {
 		IdleConnTimeout:       90 * time.Second,
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
+		TLSClientConfig:       tlsConfig,
 	}
 	var dialer ContextDialer = baseDialer
+	var rootCAs *x509.CertPool
+	if tlsConfig != nil {
+		rootCAs = tlsConfig.RootCAs
+	}
 	if agent != nil {
-		dialer = NewProxyDialer(agent.NetAddr(), agent.Hostname(), nil, dialer)
+		dialer = NewProxyDialer(agent.NetAddr(), agent.Hostname(), rootCAs, nil, dialer)
 	}
 	t.DialContext = dialer.DialContext
 	return &http.Client{
@@ -356,19 +405,18 @@ func httpClientWithProxy(agent *FallbackAgent) *http.Client {
 	}
 }
 
-func EnsureTransaction(baseCtx context.Context, txnTimeout time.Duration, txn func(context.Context, *http.Client) bool) (bool, error) {
+func EnsureTransaction(ctx context.Context, getFBTimeout time.Duration, txn func(context.Context, *http.Client) bool) (bool, error) {
 	client := httpClientWithProxy(nil)
 	defer client.CloseIdleConnections()
 
-	ctx, cancel := context.WithTimeout(baseCtx, txnTimeout)
-	defer cancel()
-
 	if txn(ctx, client) {
 		return true, nil
 	}
 
 	// Fallback needed
-	fbc, err := GetFallbackProxies(baseCtx)
+	getFBCtx, cancel := context.WithTimeout(ctx, getFBTimeout)
+	defer cancel()
+	fbc, err := GetFallbackProxies(getFBCtx)
 	if err != nil {
 		return false, err
 	}
@@ -376,10 +424,6 @@ func EnsureTransaction(baseCtx context.Context, txnTimeout time.Duration, txn fu
 	for _, agent := range fbc.Agents {
 		client = httpClientWithProxy(&agent)
 		defer client.CloseIdleConnections()
-
-		ctx, cancel = context.WithTimeout(baseCtx, txnTimeout)
-		defer cancel()
-
 		if txn(ctx, client) {
 			return true, nil
 		}

hooks/build

@@ -1,2 +0,0 @@
-#!/bin/bash
-docker build --build-arg GIT_DESC="$(git describe)" -f "$DOCKERFILE_PATH" -t "$IMAGE_NAME" .

main.go

@@ -1,9 +1,12 @@
 package main
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"flag"
 	"fmt"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
@@ -50,6 +53,11 @@ type CLIArgs struct {
 	force_port_field                        string
 	showVersion                             bool
 	proxy                                   string
+	caFile                                  string
+	minPause                                time.Duration
+	maxPause                                time.Duration
+	backoffInitial                          time.Duration
+	backoffDeadline                         time.Duration
 }
 
 func parse_args() CLIArgs {
@@ -64,16 +72,19 @@ func parse_args() CLIArgs {
 		"(10 - debug, 20 - info, 30 - warning, 40 - error, 50 - critical)")
 	flag.DurationVar(&args.timeout, "timeout", 10*time.Second, "timeout for network operations")
 	flag.DurationVar(&args.rotate, "rotate", 1*time.Hour, "rotate user ID once per given period")
-	flag.StringVar(&args.proxy_type, "proxy-type", "direct", "proxy type: direct or peer or lum or virt or pool") // or skip but not mentioned
+	flag.DurationVar(&args.backoffInitial, "backoff-initial", 3*time.Second, "initial average backoff delay for zgettunnels (randomized by +/-50%)")
+	flag.DurationVar(&args.backoffDeadline, "backoff-deadline", 5*time.Minute, "total duration of zgettunnels method attempts")
+	flag.StringVar(&args.proxy_type, "proxy-type", "direct", "proxy type: direct or lum") // or skip but not mentioned
 	// skip would be used something like this: `./bin/hola-proxy -proxy-type skip -force-port-field 24232 -country ua.peer` for debugging
 	flag.StringVar(&args.resolver, "resolver", "https://cloudflare-dns.com/dns-query",
 		"DNS/DoH/DoT resolver to workaround Hola blocked hosts. "+
 			"See https://github.com/ameshkov/dnslookup/ for upstream DNS URL format.")
 	flag.BoolVar(&args.use_trial, "dont-use-trial", false, "use regular ports instead of trial ports") // would be nice to not show in help page
 	flag.BoolVar(&args.showVersion, "version", false, "show program version and exit")
-	flag.StringVar(&args.proxy, "proxy", "", "sets base proxy to use for all dial-outs. " +
-		"Format: <http|https|socks5|socks5h>://[login:password@]host[:port] " +
+	flag.StringVar(&args.proxy, "proxy", "", "sets base proxy to use for all dial-outs. "+
+		"Format: <http|https|socks5|socks5h>://[login:password@]host[:port] "+
 		"Examples: http://user:password@192.168.1.1:3128, socks5://10.0.0.1:1080")
+	flag.StringVar(&args.caFile, "cafile", "", "use custom CA certificate bundle file")
 	flag.Parse()
 	if args.country == "" {
 		arg_fail("Country can't be empty string.")
@@ -87,15 +98,6 @@ func parse_args() CLIArgs {
 	return args
 }
 
-func proxyFromURLWrapper(u *url.URL, next xproxy.Dialer) (xproxy.Dialer, error) {
-	cdialer, ok := next.(ContextDialer)
-	if !ok {
-		return nil, errors.New("only context dialers are accepted")
-	}
-
-	return ProxyDialerFromURL(u, cdialer)
-}
-
 func run() int {
 	args := parse_args()
 	if args.showVersion {
@@ -120,6 +122,33 @@ func run() int {
 		Timeout:   30 * time.Second,
 		KeepAlive: 30 * time.Second,
 	}
+
+	var caPool *x509.CertPool
+	if args.caFile != "" {
+		caPool = x509.NewCertPool()
+		certs, err := ioutil.ReadFile(args.caFile)
+		if err != nil {
+			mainLogger.Error("Can't load CA file: %v", err)
+			return 15
+		}
+		if ok := caPool.AppendCertsFromPEM(certs); !ok {
+			mainLogger.Error("Can't load certificates from CA file")
+			return 15
+		}
+		UpdateHolaTLSConfig(&tls.Config{
+			RootCAs: caPool,
+		})
+	}
+
+	proxyFromURLWrapper := func(u *url.URL, next xproxy.Dialer) (xproxy.Dialer, error) {
+		cdialer, ok := next.(ContextDialer)
+		if !ok {
+			return nil, errors.New("only context dialers are accepted")
+		}
+
+		return ProxyDialerFromURL(u, caPool, cdialer)
+	}
+
 	if args.proxy != "" {
 		xproxy.RegisterDialerType("http", proxyFromURLWrapper)
 		xproxy.RegisterDialerType("https", proxyFromURLWrapper)
@@ -140,8 +169,10 @@ func run() int {
 	if args.list_countries {
 		return print_countries(args.timeout)
 	}
+
 	if args.list_proxies {
-		return print_proxies(args.country, args.proxy_type, args.limit, args.timeout)
+		return print_proxies(mainLogger, args.country, args.proxy_type, args.limit, args.timeout,
+			args.backoffInitial, args.backoffDeadline)
 	}
 
 	mainLogger.Info("hola-proxy client version %s is starting...", version)
@@ -153,7 +184,8 @@ func run() int {
 	}
 
 	mainLogger.Info("Initializing configuration provider...")
-	auth, tunnels, err := CredService(args.rotate, args.timeout, args.country, args.proxy_type, credLogger)
+	auth, tunnels, err := CredService(args.rotate, args.timeout, args.country, args.proxy_type, credLogger,
+		args.backoffInitial, args.backoffDeadline)
 	if err != nil {
 		mainLogger.Critical("Unable to instantiate credential service: %v", err)
 		return 4
@@ -163,10 +195,11 @@ func run() int {
 		mainLogger.Critical("Unable to determine proxy endpoint: %v", err)
 		return 5
 	}
-	handlerDialer := NewProxyDialer(endpoint.NetAddr(), endpoint.TLSName, auth, dialer)
+	handlerDialer := NewProxyDialer(endpoint.NetAddr(), endpoint.TLSName, caPool, auth, dialer)
+	requestDialer := NewPlaintextDialer(endpoint.NetAddr(), endpoint.TLSName, caPool, dialer)
 	mainLogger.Info("Endpoint: %s", endpoint.URL().String())
 	mainLogger.Info("Starting proxy server...")
-	handler := NewProxyHandler(handlerDialer, resolver, proxyLogger)
+	handler := NewProxyHandler(handlerDialer, requestDialer, auth, resolver, proxyLogger)
 	mainLogger.Info("Init complete.")
 	err = http.ListenAndServe(args.bind_address, handler)
 	mainLogger.Critical("Server terminated with a reason: %v", err)

plaintext.go

@@ -0,0 +1,65 @@
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"net"
+)
+
+type PlaintextDialer struct {
+	fixedAddress  string
+	tlsServerName string
+	next          ContextDialer
+	caPool        *x509.CertPool
+}
+
+func NewPlaintextDialer(address, tlsServerName string, caPool *x509.CertPool, next ContextDialer) *PlaintextDialer {
+	return &PlaintextDialer{
+		fixedAddress:  address,
+		tlsServerName: tlsServerName,
+		next:          next,
+		caPool:        caPool,
+	}
+}
+
+func (d *PlaintextDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
+	switch network {
+	case "tcp", "tcp4", "tcp6":
+	default:
+		return nil, errors.New("bad network specified for DialContext: only tcp is supported")
+	}
+
+	conn, err := d.next.DialContext(ctx, "tcp", d.fixedAddress)
+	if err != nil {
+		return nil, err
+	}
+
+	if d.tlsServerName != "" {
+		// Custom cert verification logic:
+		// DO NOT send SNI extension of TLS ClientHello
+		// DO peer certificate verification against specified servername
+		conn = tls.Client(conn, &tls.Config{
+			ServerName:         "",
+			InsecureSkipVerify: true,
+			VerifyConnection: func(cs tls.ConnectionState) error {
+				opts := x509.VerifyOptions{
+					DNSName:       d.tlsServerName,
+					Intermediates: x509.NewCertPool(),
+					Roots:         d.caPool,
+				}
+				for _, cert := range cs.PeerCertificates[1:] {
+					opts.Intermediates.AddCert(cert)
+				}
+				_, err := cs.PeerCertificates[0].Verify(opts)
+				return err
+			},
+		})
+	}
+	return conn, nil
+}
+
+func (d *PlaintextDialer) Dial(network, address string) (net.Conn, error) {
+	return d.DialContext(context.Background(), network, address)
+}

resolver.go

@@ -1,9 +1,10 @@
 package main
 
 import (
+	"time"
+
 	"github.com/AdguardTeam/dnsproxy/upstream"
 	"github.com/miekg/dns"
-	"time"
 )
 
 type Resolver struct {
@@ -13,7 +14,7 @@ type Resolver struct {
 const DOT = 0x2e
 
 func NewResolver(address string, timeout time.Duration) (*Resolver, error) {
-	opts := upstream.Options{Timeout: timeout}
+	opts := &upstream.Options{Timeout: timeout}
 	u, err := upstream.AddressToUpstream(address, opts)
 	if err != nil {
 		return nil, err

snapcraft.yaml

@@ -1,5 +1,5 @@
 name: hola-proxy
-version: '1.5.0'
+version: '1.7.1'
 summary: Standalone Hola proxy client.
 description: |
   Standalone Hola proxy client. Just run it and it'll start plain HTTP proxy server forwarding traffic via Hola proxies of your choice.

upstream.go

@@ -38,18 +38,20 @@ type ProxyDialer struct {
 	tlsServerName string
 	auth          AuthProvider
 	next          ContextDialer
+	caPool        *x509.CertPool
 }
 
-func NewProxyDialer(address, tlsServerName string, auth AuthProvider, nextDialer ContextDialer) *ProxyDialer {
+func NewProxyDialer(address, tlsServerName string, caPool *x509.CertPool, auth AuthProvider, nextDialer ContextDialer) *ProxyDialer {
 	return &ProxyDialer{
 		address:       address,
 		tlsServerName: tlsServerName,
 		auth:          auth,
 		next:          nextDialer,
+		caPool:        caPool,
 	}
 }
 
-func ProxyDialerFromURL(u *url.URL, next ContextDialer) (*ProxyDialer, error) {
+func ProxyDialerFromURL(u *url.URL, caPool *x509.CertPool, next ContextDialer) (*ProxyDialer, error) {
 	host := u.Hostname()
 	port := u.Port()
 	tlsServerName := ""
@@ -79,7 +81,7 @@ func ProxyDialerFromURL(u *url.URL, next ContextDialer) (*ProxyDialer, error) {
 			return authHeader
 		}
 	}
-	return NewProxyDialer(address, tlsServerName, auth, next), nil
+	return NewProxyDialer(address, tlsServerName, caPool, auth, next), nil
 }
 
 func (d *ProxyDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
@@ -105,6 +107,7 @@ func (d *ProxyDialer) DialContext(ctx context.Context, network, address string)
 				opts := x509.VerifyOptions{
 					DNSName:       d.tlsServerName,
 					Intermediates: x509.NewCertPool(),
+					Roots:         d.caPool,
 				}
 				for _, cert := range cs.PeerCertificates[1:] {
 					opts.Intermediates.AddCert(cert)

utils.go

@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"math/rand"
 	"net"
 	"net/http"
 	"net/url"
@@ -111,7 +112,9 @@ func print_countries(timeout time.Duration) int {
 		err       error
 	)
 	tx_res, tx_err := EnsureTransaction(context.Background(), timeout, func(ctx context.Context, client *http.Client) bool {
-		countries, err = VPNCountries(ctx, client)
+		ctx1, cancel := context.WithTimeout(ctx, timeout)
+		defer cancel()
+		countries, err = VPNCountries(ctx1, client)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "Transaction error: %v. Retrying with the fallback mechanism...\n", err)
 			return false
@@ -132,14 +135,16 @@ func print_countries(timeout time.Duration) int {
 	return 0
 }
 
-func print_proxies(country string, proxy_type string, limit uint, timeout time.Duration) int {
+func print_proxies(logger *CondLogger, country string, proxy_type string,
+	limit uint, timeout time.Duration, backoffInitial time.Duration, backoffDeadline time.Duration,
+) int {
 	var (
 		tunnels   *ZGetTunnelsResponse
 		user_uuid string
 		err       error
 	)
 	tx_res, tx_err := EnsureTransaction(context.Background(), timeout, func(ctx context.Context, client *http.Client) bool {
-		tunnels, user_uuid, err = Tunnels(ctx, client, country, proxy_type, limit)
+		tunnels, user_uuid, err = Tunnels(ctx, logger, client, country, proxy_type, limit, timeout, backoffInitial, backoffDeadline)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "Transaction error: %v. Retrying with the fallback mechanism...\n", err)
 			return false
@@ -292,3 +297,11 @@ func copyBody(wr io.Writer, body io.Reader) {
 		}
 	}
 }
+
+func RandRange(low, hi int64) int64 {
+	if low >= hi {
+		panic("RandRange: low boundary is greater or equal to high boundary")
+	}
+	delta := hi - low
+	return low + rand.New(RandomSource).Int63n(delta+1)
+}