Merge pull request #151 from Snawoot/resolver_fix

Resolver fix

.github/stale.yml

@@ -0,0 +1,17 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 60
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 7
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - pinned
+  - security
+# Label to use when marking an issue as stale
+staleLabel: wontfix
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: false

.github/workflows/build.yml

@@ -0,0 +1,42 @@
+name: build
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      -
+        name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 'stable'
+      -
+        name: Read tag
+        id: tag
+        run: echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+      -
+        name: Build
+        run: >-
+          make -j $(nproc) allplus
+          NDK_CC_ARM64="$ANDROID_NDK/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android21-clang"
+          NDK_CC_ARM="$ANDROID_NDK/toolchains/llvm/prebuilt/linux-x86_64/bin/armv7a-linux-androideabi21-clang"
+          VERSION=${{steps.tag.outputs.tag}}
+      -
+        name: Release
+        uses: softprops/action-gh-release@v1
+        with:
+          files: bin/*
+          fail_on_unmatched_files: true
+          generate_release_notes: true

.github/workflows/docker-ci.yml

@@ -2,10 +2,8 @@ name: docker-ci
 
 on:
   push:
-    branches:
-      - 'master'
-  release:
-    types: [published]
+    tags:
+      - 'v*.*.*'
 
 jobs:
   docker:
@@ -13,7 +11,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
       -
@@ -26,33 +24,39 @@ jobs:
           commit-ish: 'HEAD'
           skip-unshallow: 'true'
           abbrev: 7
-      -
-        name: Determine image tag type
-        uses: haya14busa/action-cond@v1
-        id: imgtag
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
         with:
-          cond: ${{ github.event_name == 'release' }}
-          if_true: ${{ secrets.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}:${{ github.event.release.tag_name }},${{ secrets.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}:latest
-          if_false: ${{ secrets.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}:latest
+          # list of Docker images to use as base name for tags
+          images: |
+            ${{ secrets.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}
+          # generate Docker tags based on the following events/attributes
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v3
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v3
       -
         name: Login to DockerHub
-        uses: docker/login-action@v1 
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       -
         name: Build and push
         id: docker_build
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v5
         with:
           context: .
           platforms: linux/amd64,linux/arm64,linux/386,linux/arm/v7
           push: true
-          tags: ${{ steps.imgtag.outputs.value }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
           build-args: 'GIT_DESC=${{steps.tagger.outputs.tag}}'

Dockerfile

@@ -1,10 +1,11 @@
-FROM golang AS build
+FROM --platform=$BUILDPLATFORM golang:1 AS build
 
 ARG GIT_DESC=undefined
 
 WORKDIR /go/src/github.com/Snawoot/hola-proxy
 COPY . .
-RUN CGO_ENABLED=0 go build -a -tags netgo -ldflags '-s -w -extldflags "-static" -X main.version='"$GIT_DESC"
+ARG TARGETOS TARGETARCH
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 go build -a -tags netgo -ldflags '-s -w -extldflags "-static" -X main.version='"$GIT_DESC"
 ADD https://curl.haxx.se/ca/cacert.pem /certs.crt
 RUN chmod 0644 /certs.crt
 

Makefile

@@ -1,7 +1,7 @@
 PROGNAME = hola-proxy
 OUTSUFFIX = bin/$(PROGNAME)
 VERSION := $(shell git describe)
-BUILDOPTS = -a -tags netgo
+BUILDOPTS = -a -tags netgo -trimpath -asmflags -trimpath
 LDFLAGS = -ldflags '-s -w -extldflags "-static" -X main.version=$(VERSION)'
 LDFLAGS_NATIVE = -ldflags '-s -w -X main.version=$(VERSION)'
 
@@ -10,10 +10,11 @@ NDK_CC_ARM64 = $(abspath ../../ndk-toolchain-arm64/bin/aarch64-linux-android21-c
 
 GO := go
 
-src = $(wildcard *.go)
+src = $(wildcard *.go */*.go */*/*.go) go.mod go.sum
 
 native: bin-native
-all: bin-linux-amd64 bin-linux-386 bin-linux-arm \
+all: bin-linux-amd64 bin-linux-386 bin-linux-arm bin-linux-arm64 \
+	bin-linux-mips bin-linux-mipsle bin-linux-mips64 bin-linux-mips64le \
 	bin-freebsd-amd64 bin-freebsd-386 bin-freebsd-arm \
 	bin-netbsd-amd64 bin-netbsd-386 \
 	bin-openbsd-amd64 bin-openbsd-386 \
@@ -27,6 +28,11 @@ bin-native: $(OUTSUFFIX)
 bin-linux-amd64: $(OUTSUFFIX).linux-amd64
 bin-linux-386: $(OUTSUFFIX).linux-386
 bin-linux-arm: $(OUTSUFFIX).linux-arm
+bin-linux-arm64: $(OUTSUFFIX).linux-arm64
+bin-linux-mips: $(OUTSUFFIX).linux-mips
+bin-linux-mipsle: $(OUTSUFFIX).linux-mipsle
+bin-linux-mips64: $(OUTSUFFIX).linux-mips64
+bin-linux-mips64le: $(OUTSUFFIX).linux-mips64le
 bin-freebsd-amd64: $(OUTSUFFIX).freebsd-amd64
 bin-freebsd-386: $(OUTSUFFIX).freebsd-386
 bin-freebsd-arm: $(OUTSUFFIX).freebsd-arm
@@ -54,6 +60,21 @@ $(OUTSUFFIX).linux-386: $(src)
 $(OUTSUFFIX).linux-arm: $(src)
 	CGO_ENABLED=0 GOOS=linux GOARCH=arm $(GO) build $(BUILDOPTS) $(LDFLAGS) -o $@
 
+$(OUTSUFFIX).linux-arm64: $(src)
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 $(GO) build $(BUILDOPTS) $(LDFLAGS) -o $@
+
+$(OUTSUFFIX).linux-mips: $(src)
+	CGO_ENABLED=0 GOOS=linux GOARCH=mips GOMIPS=softfloat $(GO) build $(BUILDOPTS) $(LDFLAGS) -o $@
+
+$(OUTSUFFIX).linux-mips64: $(src)
+	CGO_ENABLED=0 GOOS=linux GOARCH=mips64 GOMIPS=softfloat $(GO) build $(BUILDOPTS) $(LDFLAGS) -o $@
+
+$(OUTSUFFIX).linux-mipsle: $(src)
+	CGO_ENABLED=0 GOOS=linux GOARCH=mipsle GOMIPS=softfloat $(GO) build $(BUILDOPTS) $(LDFLAGS) -o $@
+
+$(OUTSUFFIX).linux-mips64le: $(src)
+	CGO_ENABLED=0 GOOS=linux GOARCH=mips64le GOMIPS=softfloat $(GO) build $(BUILDOPTS) $(LDFLAGS) -o $@
+
 $(OUTSUFFIX).freebsd-amd64: $(src)
 	CGO_ENABLED=0 GOOS=freebsd GOARCH=amd64 $(GO) build $(BUILDOPTS) $(LDFLAGS) -o $@
 
@@ -113,6 +134,11 @@ install:
 	bin-linux-amd64 \
 	bin-linux-386 \
 	bin-linux-arm \
+	bin-linux-arm64 \
+	bin-linux-mips \
+	bin-linux-mipsle \
+	bin-linux-mips64 \
+	bin-linux-mips64le \
 	bin-freebsd-amd64 \
 	bin-freebsd-386 \
 	bin-freebsd-arm \

README.md

@@ -7,6 +7,8 @@ By default the application listens on 127.0.0.1:8080.
 
 Application is capable to forward traffic via proxies in datacenters (flag `-proxy-type direct`, default) or via peer proxies on residental IPs (consumer ISP) in that country (flag `-proxy-type lum`).
 
+This alternative implementation ensures your internet connection is not shared with anyone else and everything is clean and safe.
+
 ---
 
 :heart: :heart: :heart:
@@ -156,20 +158,29 @@ zagent248.hola.org,165.22.65.3,22222,22223,22224,22225,22226,digitalocean
 
 | Argument | Type | Description |
 | -------- | ---- | ----------- |
+| backoff-deadline | Duration | total duration of zgettunnels method attempts (default 5m0s) |
+| backoff-initial | Duration | initial average backoff delay for zgettunnels (randomized by +/-50%) (default 3s) |
 | bind-address | String | HTTP proxy address to listen to (default "127.0.0.1:8080") |
+| cafile | String | use custom CA certificate bundle file |
 | country | String | desired proxy location (default "us") |
 | dont-use-trial | - | use regular ports instead of trial ports |
+| ext-ver | String | extension version to mimic in requests. Can be obtained from https://chrome.google.com/webstore/detail/hola-vpn-the-website-unbl/gkojfkhlekighikafcpjkiklfbnlmeio (default "999.999.999") |
 | force-port-field | Number | force specific port field/num (example 24232 or lum) |
+| hide-SNI | Boolean | hide SNI in TLS sessions with proxy server (default true) |
+| init-retries | Number | number of attempts for initialization steps, zero for unlimited retry |
+| init-retry-interval | Duration | delay between initialization retries (default 5s) |
 | limit | Unsigned Integer (Number) | amount of proxies in retrieved list (default 3) |
 | list-countries | String | list available countries and exit |
 | list-proxies | - | output proxy list and exit |
 | proxy | String | sets base proxy to use for all dial-outs. Format: `<http\|https\|socks5\|socks5h>://[login:password@]host[:port]` Examples: `http://user:password@192.168.1.1:3128`, `socks5://10.0.0.1:1080` |
 | proxy-type | String | proxy type (Datacenter: direct) (Residential: lum) (default "direct") |
-| resolver | String | DNS/DoH/DoT resolver to workaround Hola blocked hosts. See https://github.com/ameshkov/dnslookup/ for upstream DNS URL format. (default "https://cloudflare-dns.com/dns-query") |
-| rotate | Duration | rotate user ID once per given period (default 1h0m0s) |
-| timeout | Duration | timeout for network operations (default 10s) |
+| resolver | String | comma-separated list of DNS/DoH/DoT resolvers used to lookup domain names blocked by Hola. Supported schemes are: `dns://`, `https://`, `tls://`, `tcp://`. (default `https://1.1.1.3/dns-query,https://8.8.8.8/dns-query,https://dns.google/dns-query,https://security.cloudflare-dns.com/dns-query,https://fidelity.vm-0.com/q,https://wikimedia-dns.org/dns-query,https://dns.adguard-dns.com/dns-query,https://dns.quad9.net/dns-query,https://doh.cleanbrowsing.org/doh/adult-filter/`) |
+| rotate | Duration | rotate user ID once per given period (default 48h0m0s) |
+| timeout | Duration | timeout for network operations (default 35s) |
+| user-agent | String | value of User-Agent header in requests. Default: User-Agent of latest stable Chrome for Windows |
 | verbosity | Number | logging verbosity (10 - debug, 20 - info, 30 - warning, 40 - error, 50 - critical) (default 20) |
 
 ## See also
 
 * [Project wiki](https://github.com/Snawoot/hola-proxy/wiki)
+* [Community in Telegram](https://t.me/alternative_proxy)

chromever.go

@@ -0,0 +1,63 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/http"
+	"time"
+)
+
+type chromeVerResponse struct {
+	Versions [1]struct {
+		Version string `json:"version"`
+	} `json:"versions"`
+}
+
+const chromeVerURL = "https://versionhistory.googleapis.com/v1/chrome/platforms/win/channels/stable/versions?alt=json&orderBy=version+desc&pageSize=1&prettyPrint=false"
+
+func GetChromeVer(ctx context.Context, dialer ContextDialer) (string, error) {
+	if dialer == nil {
+		dialer = &net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+		}
+	}
+
+	transport := &http.Transport{
+		DialContext:           dialer.DialContext,
+		ForceAttemptHTTP2:     true,
+		MaxIdleConns:          100,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+	}
+	defer transport.CloseIdleConnections()
+	httpClient := &http.Client{
+		Transport: transport,
+	}
+
+	req, err := http.NewRequestWithContext(ctx, "GET", chromeVerURL, nil)
+	if err != nil {
+		return "", fmt.Errorf("chrome browser version request construction failed: %w", err)
+	}
+
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("chrome browser version request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		return "", fmt.Errorf("chrome browser version request failed: bad status code: %d", resp.StatusCode)
+	}
+
+	dec := json.NewDecoder(resp.Body)
+	var chromeVerResp chromeVerResponse
+	if err := dec.Decode(&chromeVerResp); err != nil {
+		return "", fmt.Errorf("unable to decode chrome browser version response: %w", err)
+	}
+
+	return chromeVerResp.Versions[0].Version, nil
+}

credservice.go

@@ -10,22 +10,24 @@ import (
 const DEFAULT_LIST_LIMIT = 3
 
 func CredService(interval, timeout time.Duration,
+	extVer string,
 	country string,
 	proxytype string,
-	logger *CondLogger) (auth AuthProvider,
-	tunnels *ZGetTunnelsResponse,
-	err error) {
+	logger *CondLogger,
+	backoffInitial time.Duration,
+	backoffDeadline time.Duration,
+) (auth AuthProvider, tunnels *ZGetTunnelsResponse, err error) {
 	var mux sync.Mutex
 	var auth_header, user_uuid string
 	auth = func() (res string) {
-		(&mux).Lock()
-		res = auth_header
-		(&mux).Unlock()
-		return
+		mux.Lock()
+		defer mux.Unlock()
+		return auth_header
 	}
 
 	tx_res, tx_err := EnsureTransaction(context.Background(), timeout, func(ctx context.Context, client *http.Client) bool {
-		tunnels, user_uuid, err = Tunnels(ctx, client, country, proxytype, DEFAULT_LIST_LIMIT)
+		tunnels, user_uuid, err = Tunnels(ctx, logger, client, extVer, country, proxytype,
+			DEFAULT_LIST_LIMIT, timeout, backoffInitial, backoffDeadline)
 		if err != nil {
 			logger.Error("Configuration bootstrap error: %v. Retrying with the fallback mechanism...", err)
 			return false
@@ -41,8 +43,10 @@ func CredService(interval, timeout time.Duration,
 		logger.Critical("All attempts failed.")
 		return
 	}
-	auth_header = basic_auth_header(LOGIN_PREFIX+user_uuid,
-		tunnels.AgentKey)
+	auth_header = basic_auth_header(TemplateLogin(user_uuid), tunnels.AgentKey)
+	if interval <= 0 {
+		return
+	}
 	go func() {
 		var (
 			err       error
@@ -55,7 +59,8 @@ func CredService(interval, timeout time.Duration,
 			<-ticker.C
 			logger.Info("Rotating credentials...")
 			tx_res, tx_err := EnsureTransaction(context.Background(), timeout, func(ctx context.Context, client *http.Client) bool {
-				tuns, user_uuid, err = Tunnels(ctx, client, country, proxytype, DEFAULT_LIST_LIMIT)
+				tuns, user_uuid, err = Tunnels(ctx, logger, client, extVer, country, proxytype,
+					DEFAULT_LIST_LIMIT, timeout, backoffInitial, backoffDeadline)
 				if err != nil {
 					logger.Error("Credential rotation error: %v. Retrying with the fallback mechanism...", err)
 					return false
@@ -71,10 +76,9 @@ func CredService(interval, timeout time.Duration,
 				logger.Critical("All rotation attempts failed.")
 				continue
 			}
-			(&mux).Lock()
-			auth_header = basic_auth_header(LOGIN_PREFIX+user_uuid,
-				tuns.AgentKey)
-			(&mux).Unlock()
+			mux.Lock()
+			auth_header = basic_auth_header(TemplateLogin(user_uuid), tuns.AgentKey)
+			mux.Unlock()
 			logger.Info("Credentials rotated successfully.")
 		}
 	}()

csrand.go

@@ -10,6 +10,7 @@ type secureRandomSource struct{}
 var RandomSource secureRandomSource
 
 var int63Limit = big.NewInt(0).Lsh(big.NewInt(1), 63)
+var int64Limit = big.NewInt(0).Lsh(big.NewInt(1), 64)
 
 func (_ secureRandomSource) Seed(_ int64) {
 }
@@ -21,3 +22,11 @@ func (_ secureRandomSource) Int63() int64 {
 	}
 	return randNum.Int64()
 }
+
+func (_ secureRandomSource) Uint64() uint64 {
+	randNum, err := crand.Int(crand.Reader, int64Limit)
+	if err != nil {
+		panic(err)
+	}
+	return randNum.Uint64()
+}

extver.go

@@ -0,0 +1,107 @@
+package main
+
+import (
+	"context"
+	"encoding/xml"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"time"
+)
+
+var (
+	defaultProdVersion = "113.0"
+)
+
+var (
+	ErrNoVerData = errors.New("no version data returned")
+)
+
+type StoreExtUpdateResponse struct {
+	XMLName xml.Name `xml:"gupdate"`
+	App     *struct {
+		AppID       string `xml:"appid,attr"`
+		Status      string `xml:"status,attr"`
+		UpdateCheck *struct {
+			Version string `xml:"version,attr"`
+			Status  string `xml:"status,attr"`
+		} `xml:"updatecheck"`
+	} `xml:"app"`
+}
+
+func GetExtVer(ctx context.Context,
+	prodVersion *string,
+	id string,
+	dialer ContextDialer,
+) (string, error) {
+	if prodVersion == nil {
+		prodVersion = &defaultProdVersion
+	}
+	if dialer == nil {
+		dialer = &net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+		}
+	}
+
+	transport := &http.Transport{
+		DialContext:           dialer.DialContext,
+		ForceAttemptHTTP2:     true,
+		MaxIdleConns:          100,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+	}
+	defer transport.CloseIdleConnections()
+	httpClient := &http.Client{
+		Transport: transport,
+	}
+
+	reqURL := (&url.URL{
+		Scheme: "https",
+		Host:   "clients2.google.com",
+		Path:   "/service/update2/crx",
+		RawQuery: url.Values{
+			"prodversion":  {*prodVersion},
+			"acceptformat": {"crx2,crx3"},
+			"x": {url.Values{
+				"id": {id},
+				"uc": {""},
+			}.Encode()},
+		}.Encode(),
+	}).String()
+
+	req, err := http.NewRequestWithContext(ctx, "GET", reqURL, nil)
+	if err != nil {
+		return "", fmt.Errorf("chrome web store request construction failed: %w", err)
+	}
+
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("chrome web store request failed: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		return "", fmt.Errorf("chrome web store: bad status code: %d", resp.StatusCode)
+	}
+
+	reader := io.LimitReader(resp.Body, 64*1024)
+	var respData *StoreExtUpdateResponse
+
+	dec := xml.NewDecoder(reader)
+	err = dec.Decode(&respData)
+	if err != nil {
+		return "", fmt.Errorf("unmarshaling of chrome web store response failed: %w", err)
+	}
+
+	if respData != nil && respData.App != nil &&
+		respData.App.UpdateCheck != nil && respData.App.UpdateCheck.Version != "" {
+		return respData.App.UpdateCheck.Version, nil
+	}
+
+	return "", ErrNoVerData
+}

go.mod

@@ -1,11 +1,21 @@
 module github.com/Snawoot/hola-proxy
 
-go 1.13
+go 1.24.4
 
 require (
-	github.com/AdguardTeam/dnsproxy v0.25.0
 	github.com/campoy/unique v0.0.0-20180121183637-88950e537e7e
-	github.com/google/uuid v1.1.1
-	github.com/miekg/dns v1.1.29
-	golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e
+	github.com/cenkalti/backoff/v4 v4.3.0
+	github.com/google/uuid v1.6.0
+	github.com/hashicorp/go-multierror v1.1.1
+	github.com/ncruces/go-dns v1.2.7
+	github.com/refraction-networking/utls v1.8.0
+	golang.org/x/net v0.43.0
+)
+
+require (
+	github.com/andybalholm/brotli v1.2.0 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
+	golang.org/x/crypto v0.41.0 // indirect
+	golang.org/x/sys v0.35.0 // indirect
 )

go.sum

@@ -1,72 +1,27 @@
-github.com/AdguardTeam/dnsproxy v0.25.0 h1:BTUPrrwB01GeQW5d2Xx4pH5HOFXcZxN1MTeNXXuy6vQ=
-github.com/AdguardTeam/dnsproxy v0.25.0/go.mod h1:z2EljVLJQXFGZcP9pWABftXm9UxpLNqls7H6bMcIvEY=
-github.com/AdguardTeam/golibs v0.4.0 h1:4VX6LoOqFe9p9Gf55BeD8BvJD6M6RDYmgEiHrENE9KU=
-github.com/AdguardTeam/golibs v0.4.0/go.mod h1:skKsDKIBB7kkFflLJBpfGX+G8QFTx0WKUzB6TIgtUj4=
-github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da h1:KjTM2ks9d14ZYCvmHS9iAKVt9AyzRSqNU1qabPih5BY=
-github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da/go.mod h1:eHEWzANqSiWQsof+nXEI9bUVUyV6F53Fp89EuCh2EAA=
-github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635 h1:52m0LGchQBBVqJRyYYufQuIbVqRawmubW3OFGqK1ekw=
-github.com/aead/poly1305 v0.0.0-20180717145839-3fee0db0b635/go.mod h1:lmLxL+FV291OopO93Bwf9fQLQeLyt33VJRUg5VJ30us=
-github.com/ameshkov/dnscrypt v1.1.0 h1:2vAt5dD6ZmqlAxEAfzRcLBnkvdf8NI46Kn9InSwQbSI=
-github.com/ameshkov/dnscrypt v1.1.0/go.mod h1:ikduAxNLCTEfd1AaCgpIA5TgroIVQ8JY3Vb095fiFJg=
-github.com/ameshkov/dnsstamps v1.0.1 h1:LhGvgWDzhNJh+kBQd/AfUlq1vfVe109huiXw4JhnPug=
-github.com/ameshkov/dnsstamps v1.0.1/go.mod h1:Ii3eUu73dx4Vw5O4wjzmT5+lkCwovjzaEZZ4gKyIH5A=
-github.com/beefsack/go-rate v0.0.0-20180408011153-efa7637bb9b6/go.mod h1:6YNgTHLutezwnBvyneBbwvB8C82y3dcoOj5EQJIdGXA=
+github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ=
+github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
 github.com/campoy/unique v0.0.0-20180121183637-88950e537e7e h1:V9a67dfYqPLAvzk5hMQOXYJlZ4SLIXgyKIE+ZiHzgGQ=
 github.com/campoy/unique v0.0.0-20180121183637-88950e537e7e/go.mod h1:9IOqJGCPMSc6E5ydlp5NIonxObaeu/Iub/X03EKPVYo=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/go-test/deep v1.0.5/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8=
-github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
-github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
-github.com/joomcode/errorx v1.0.1 h1:CalpDWz14ZHd68fIqluJasJosAewpz2TFaJALrUxjrk=
-github.com/joomcode/errorx v1.0.1/go.mod h1:kgco15ekB6cs+4Xjzo7SPeXzx38PbJzBwbnu9qfVNHQ=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/miekg/dns v1.1.29 h1:xHBEhR+t5RzcFJjBLJlax2daXOrTYtr9z4WdKEfWFzg=
-github.com/miekg/dns v1.1.29/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
-github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/sparrc/go-ping v0.0.0-20190613174326-4e5b6552494c/go.mod h1:eMyUVp6f/5jnzM+3zahzl7q6UXLbgSc3MKg/+ow9QW0=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200403201458-baeed622b8d8 h1:fpnn/HnJONpIu6hkXi1u/7rR0NzilgWr4T0JmWkEitk=
-golang.org/x/crypto v0.0.0-20200403201458-baeed622b8d8/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e h1:3G+cUijn7XD+S4eJFddp53Pv7+slrESplyjG25HgL+k=
-golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a h1:WXEvlFVvvGxCJLG6REjsT03iWnKLEWinaScsxF2Vm2o=
-golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200331124033-c3d80250170d h1:nc5K6ox/4lTFbMVSL9WRR81ixkcwXThoiF6yf+R9scA=
-golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
+github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
+github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/ncruces/go-dns v1.2.7 h1:NMA7vFqXUl+nBhGFlleLyo2ni3Lqv3v+qFWZidzRemI=
+github.com/ncruces/go-dns v1.2.7/go.mod h1:SqmhVMBd8Wr7hsu3q6yTt6/Jno/xLMrbse/JLOMBo1Y=
+github.com/refraction-networking/utls v1.8.0 h1:L38krhiTAyj9EeiQQa2sg+hYb4qwLCqdMcpZrRfbONE=
+github.com/refraction-networking/utls v1.8.0/go.mod h1:jkSOEkLqn+S/jtpEHPOsVv/4V4EVnelwbMQl4vCWXAM=
+github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
+github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
+golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
+golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
+golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
+golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=

handler.go

@@ -19,7 +19,7 @@ type ProxyHandler struct {
 	auth          AuthProvider
 }
 
-func NewProxyHandler(dialer, requestDialer ContextDialer, auth AuthProvider, resolver *Resolver, logger *CondLogger) *ProxyHandler {
+func NewProxyHandler(dialer, requestDialer ContextDialer, auth AuthProvider, resolver LookupNetIPer, logger *CondLogger) *ProxyHandler {
 	dialer = NewRetryDialer(dialer, resolver, logger)
 	httptransport := &http.Transport{
 		Proxy: func(_ *http.Request) (*url.URL, error) {

holaapi.go

@@ -3,6 +3,7 @@ package main
 import (
 	"bytes"
 	"context"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
@@ -14,27 +15,44 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
+	"strings"
 	"sync"
+	"text/template"
 	"time"
 
 	"github.com/campoy/unique"
+	"github.com/cenkalti/backoff/v4"
 	"github.com/google/uuid"
+	tls "github.com/refraction-networking/utls"
 )
 
-const USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36"
-const EXT_VER = "1.186.562"
 const EXT_BROWSER = "chrome"
 const PRODUCT = "cws"
 const CCGI_URL = "https://client.hola.org/client_cgi/"
 const VPN_COUNTRIES_URL = CCGI_URL + "vpn_countries.json"
 const BG_INIT_URL = CCGI_URL + "background_init"
 const ZGETTUNNELS_URL = CCGI_URL + "zgettunnels"
-const LOGIN_PREFIX = "user-uuid-"
-const FALLBACK_CONF_URL = "https://www.dropbox.com/s/jemizcvpmf2qb9v/cloud_failover.conf?dl=1"
 const AGENT_SUFFIX = ".hola.org"
 
+var FALLBACK_CONF_URLS = []string{
+	"https://www.dropbox.com/s/jemizcvpmf2qb9v/cloud_failover.conf?dl=1",
+	"https://vdkd6nz8qr.s3.amazonaws.com/cloud_failover.conf",
+}
+
+var LOGIN_TEMPLATE = template.Must(template.New("LOGIN_TEMPLATE").Parse("user-uuid-{{.uuid}}-is_prem-{{.prem}}"))
 var TemporaryBanError = errors.New("temporary ban detected")
 var PermanentBanError = errors.New("permanent ban detected")
+var EmptyResponseError = errors.New("empty response")
+
+var userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36"
+
+func SetUserAgent(ua string) {
+	userAgent = ua
+}
+
+func GetUserAgent() string {
+	return userAgent
+}
 
 type CountryList []string
 
@@ -153,7 +171,7 @@ func do_req(ctx context.Context, client *http.Client, method, url string, query,
 	if query != nil {
 		req.URL.RawQuery = query.Encode()
 	}
-	req.Header.Set("User-Agent", USER_AGENT)
+	req.Header.Set("User-Agent", userAgent)
 	resp, err := client.Do(req)
 	if err != nil {
 		return nil, err
@@ -189,10 +207,10 @@ func VPNCountries(ctx context.Context, client *http.Client) (res CountryList, er
 	return
 }
 
-func background_init(ctx context.Context, client *http.Client, user_uuid string) (res BgInitResponse, reterr error) {
+func background_init(ctx context.Context, client *http.Client, extVer, user_uuid string) (res BgInitResponse, reterr error) {
 	post_data := make(url.Values)
 	post_data.Add("login", "1")
-	post_data.Add("ver", EXT_VER)
+	post_data.Add("ver", extVer)
 	qs := make(url.Values)
 	qs.Add("uuid", user_uuid)
 	resp, err := do_req(ctx, client, "POST", BG_INIT_URL, qs, post_data)
@@ -216,6 +234,7 @@ func zgettunnels(ctx context.Context,
 	client *http.Client,
 	user_uuid string,
 	session_key int64,
+	extVer string,
 	country string,
 	proxy_type string,
 	limit uint) (res *ZGetTunnelsResponse, reterr error) {
@@ -235,25 +254,32 @@ func zgettunnels(ctx context.Context,
 	}
 	params.Add("limit", strconv.FormatInt(int64(limit), 10))
 	params.Add("ping_id", strconv.FormatFloat(rand.New(RandomSource).Float64(), 'f', -1, 64))
-	params.Add("ext_ver", EXT_VER)
+	params.Add("ext_ver", extVer)
 	params.Add("browser", EXT_BROWSER)
 	params.Add("product", PRODUCT)
 	params.Add("uuid", user_uuid)
 	params.Add("session_key", strconv.FormatInt(session_key, 10))
 	params.Add("is_premium", "0")
-	data, err := do_req(ctx, client, "", ZGETTUNNELS_URL, params, nil)
+	data, err := do_req(ctx, client, "POST", ZGETTUNNELS_URL, params, nil)
 	if err != nil {
 		reterr = err
 		return
 	}
-	reterr = json.Unmarshal(data, &tunnels)
+	err = json.Unmarshal(data, &tunnels)
+	if err != nil {
+		return nil, fmt.Errorf("unable to unmashal zgettunnels response: %w", err)
+	}
+	if len(tunnels.IPList) == 0 {
+		return nil, EmptyResponseError
+	}
 	res = &tunnels
 	return
 }
 
 func fetchFallbackConfig(ctx context.Context) (*FallbackConfig, error) {
 	client := httpClientWithProxy(nil)
-	confRaw, err := do_req(ctx, client, "", FALLBACK_CONF_URL, nil, nil)
+	fallbackConfURL := FALLBACK_CONF_URLS[rand.New(RandomSource).Intn(len(FALLBACK_CONF_URLS))]
+	confRaw, err := do_req(ctx, client, "", fallbackConfURL, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -313,18 +339,47 @@ func GetFallbackProxies(ctx context.Context) (*FallbackConfig, error) {
 }
 
 func Tunnels(ctx context.Context,
+	logger *CondLogger,
 	client *http.Client,
+	extVer string,
 	country string,
 	proxy_type string,
-	limit uint) (res *ZGetTunnelsResponse, user_uuid string, reterr error) {
+	limit uint,
+	timeout time.Duration,
+	backoffInitial time.Duration,
+	backoffDeadline time.Duration,
+) (res *ZGetTunnelsResponse, user_uuid string, reterr error) {
 	u := uuid.New()
 	user_uuid = hex.EncodeToString(u[:])
-	initres, err := background_init(ctx, client, user_uuid)
+	ctx1, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+	initres, err := background_init(ctx1, client, extVer, user_uuid)
 	if err != nil {
 		reterr = err
 		return
 	}
-	res, reterr = zgettunnels(ctx, client, user_uuid, initres.Key, country, proxy_type, limit)
+	var bo backoff.BackOff = &backoff.ExponentialBackOff{
+		InitialInterval:     backoffInitial,
+		RandomizationFactor: 0.5,
+		Multiplier:          1.5,
+		MaxInterval:         10 * time.Minute,
+		MaxElapsedTime:      backoffDeadline,
+		Stop:                backoff.Stop,
+		Clock:               backoff.SystemClock,
+	}
+	bo = backoff.WithContext(bo, ctx)
+	err = backoff.RetryNotify(func() error {
+		ctx1, cancel := context.WithTimeout(ctx, timeout)
+		defer cancel()
+		res, reterr = zgettunnels(ctx1, client, user_uuid, initres.Key, extVer, country, proxy_type, limit)
+		return reterr
+	}, bo, func(err error, dur time.Duration) {
+		logger.Info("zgettunnels error: %v; will retry after %v", err, dur.Truncate(time.Millisecond))
+	})
+	if err != nil {
+		logger.Error("All attempts failed: %v", err)
+		return nil, "", err
+	}
 	return
 }
 
@@ -333,42 +388,71 @@ var baseDialer ContextDialer = &net.Dialer{
 	KeepAlive: 30 * time.Second,
 }
 
+var tlsConfig *tls.Config
+
 func UpdateHolaDialer(dialer ContextDialer) {
 	baseDialer = dialer
 }
 
+func UpdateHolaTLSConfig(config *tls.Config) {
+	tlsConfig = config
+}
+
 // Returns default http client with a proxy override
 func httpClientWithProxy(agent *FallbackAgent) *http.Client {
 	t := &http.Transport{
 		ForceAttemptHTTP2:     true,
 		MaxIdleConns:          100,
 		IdleConnTimeout:       90 * time.Second,
-		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
 	}
 	var dialer ContextDialer = baseDialer
+	var rootCAs *x509.CertPool
+	if tlsConfig != nil {
+		rootCAs = tlsConfig.RootCAs
+	}
 	if agent != nil {
-		dialer = NewProxyDialer(agent.NetAddr(), agent.Hostname(), nil, dialer)
+		dialer = NewProxyDialer(agent.NetAddr(), agent.Hostname(), rootCAs, nil, true, dialer)
 	}
 	t.DialContext = dialer.DialContext
+	t.DialTLSContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
+		host, _, err := net.SplitHostPort(addr)
+		if err != nil {
+			return nil, fmt.Errorf("hostname extraction error: %w", err)
+		}
+		conn, err := dialer.DialContext(ctx, network, addr)
+		if err != nil {
+			return nil, fmt.Errorf("can't prepare underlying connection for TLS session: %w", err)
+		}
+		var cfg tls.Config
+		if tlsConfig != nil {
+			cfg = *tlsConfig
+		}
+		cfg.ServerName = host
+		tlsConn := tls.UClient(conn, &cfg, tls.HelloAndroid_11_OkHttp)
+		if err := tlsConn.HandshakeContext(ctx); err != nil {
+			conn.Close()
+			return nil, fmt.Errorf("UClient handshake failed: %w", err)
+		}
+		return tlsConn, nil
+	}
 	return &http.Client{
 		Transport: t,
 	}
 }
 
-func EnsureTransaction(baseCtx context.Context, txnTimeout time.Duration, txn func(context.Context, *http.Client) bool) (bool, error) {
+func EnsureTransaction(ctx context.Context, getFBTimeout time.Duration, txn func(context.Context, *http.Client) bool) (bool, error) {
 	client := httpClientWithProxy(nil)
 	defer client.CloseIdleConnections()
 
-	ctx, cancel := context.WithTimeout(baseCtx, txnTimeout)
-	defer cancel()
-
 	if txn(ctx, client) {
 		return true, nil
 	}
 
 	// Fallback needed
-	fbc, err := GetFallbackProxies(baseCtx)
+	getFBCtx, cancel := context.WithTimeout(ctx, getFBTimeout)
+	defer cancel()
+	fbc, err := GetFallbackProxies(getFBCtx)
 	if err != nil {
 		return false, err
 	}
@@ -376,10 +460,6 @@ func EnsureTransaction(baseCtx context.Context, txnTimeout time.Duration, txn fu
 	for _, agent := range fbc.Agents {
 		client = httpClientWithProxy(&agent)
 		defer client.CloseIdleConnections()
-
-		ctx, cancel = context.WithTimeout(baseCtx, txnTimeout)
-		defer cancel()
-
 		if txn(ctx, client) {
 			return true, nil
 		}
@@ -387,3 +467,12 @@ func EnsureTransaction(baseCtx context.Context, txnTimeout time.Duration, txn fu
 
 	return false, nil
 }
+
+func TemplateLogin(user_uuid string) string {
+	var b strings.Builder
+	LOGIN_TEMPLATE.Execute(&b, map[string]string{
+		"uuid": user_uuid,
+		"prem": "0",
+	})
+	return b.String()
+}

main.go

@@ -1,19 +1,31 @@
 package main
 
 import (
+	"bytes"
+	"context"
+	"crypto/x509"
+	"encoding/csv"
 	"errors"
 	"flag"
 	"fmt"
+	"io"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
 	"net/url"
 	"os"
+	"strings"
 	"time"
 
+	tls "github.com/refraction-networking/utls"
 	xproxy "golang.org/x/net/proxy"
 )
 
+const (
+	HolaExtStoreID = "gkojfkhlekighikafcpjkiklfbnlmeio"
+)
+
 var (
 	PROTOCOL_WHITELIST map[string]bool
 	version            = "undefined"
@@ -38,7 +50,39 @@ func arg_fail(msg string) {
 	os.Exit(2)
 }
 
+type CSVArg struct {
+	values []string
+}
+
+func (a *CSVArg) String() string {
+	if len(a.values) == 0 {
+		return ""
+	}
+	buf := new(bytes.Buffer)
+	wr := csv.NewWriter(buf)
+	wr.Write(a.values)
+	wr.Flush()
+	return strings.TrimRight(buf.String(), "\n")
+}
+
+func (a *CSVArg) Set(line string) error {
+	rd := csv.NewReader(strings.NewReader(line))
+	rd.FieldsPerRecord = -1
+	rd.TrimLeadingSpace = true
+	values, err := rd.Read()
+	if err == io.EOF {
+		a.values = nil
+		return nil
+	}
+	if err != nil {
+		return fmt.Errorf("unable to parse comma-separated argument: %w", err)
+	}
+	a.values = values
+	return nil
+}
+
 type CLIArgs struct {
+	extVer                                  string
 	country                                 string
 	list_countries, list_proxies, use_trial bool
 	limit                                   uint
@@ -46,14 +90,39 @@ type CLIArgs struct {
 	verbosity                               int
 	timeout, rotate                         time.Duration
 	proxy_type                              string
-	resolver                                string
+	resolver                                *CSVArg
 	force_port_field                        string
 	showVersion                             bool
 	proxy                                   string
+	caFile                                  string
+	minPause                                time.Duration
+	maxPause                                time.Duration
+	backoffInitial                          time.Duration
+	backoffDeadline                         time.Duration
+	initRetries                             int
+	initRetryInterval                       time.Duration
+	hideSNI                                 bool
+	userAgent                               *string
 }
 
-func parse_args() CLIArgs {
-	var args CLIArgs
+func parse_args() *CLIArgs {
+	args := &CLIArgs{
+		resolver: &CSVArg{
+			values: []string{
+				"https://1.1.1.3/dns-query",
+				"https://8.8.8.8/dns-query",
+				"https://dns.google/dns-query",
+				"https://security.cloudflare-dns.com/dns-query",
+				"https://fidelity.vm-0.com/q",
+				"https://wikimedia-dns.org/dns-query",
+				"https://dns.adguard-dns.com/dns-query",
+				"https://dns.quad9.net/dns-query",
+				"https://doh.cleanbrowsing.org/doh/adult-filter/",
+			},
+		},
+	}
+	flag.StringVar(&args.extVer, "ext-ver", "", "extension version to mimic in requests. "+
+		"Can be obtained from https://chrome.google.com/webstore/detail/hola-vpn-the-website-unbl/gkojfkhlekighikafcpjkiklfbnlmeio")
 	flag.StringVar(&args.force_port_field, "force-port-field", "", "force specific port field/num (example 24232 or lum)") // would be nice to not show in help page
 	flag.StringVar(&args.country, "country", "us", "desired proxy location")
 	flag.BoolVar(&args.list_countries, "list-countries", false, "list available countries and exit")
@@ -62,18 +131,31 @@ func parse_args() CLIArgs {
 	flag.StringVar(&args.bind_address, "bind-address", "127.0.0.1:8080", "HTTP proxy listen address")
 	flag.IntVar(&args.verbosity, "verbosity", 20, "logging verbosity "+
 		"(10 - debug, 20 - info, 30 - warning, 40 - error, 50 - critical)")
-	flag.DurationVar(&args.timeout, "timeout", 10*time.Second, "timeout for network operations")
-	flag.DurationVar(&args.rotate, "rotate", 1*time.Hour, "rotate user ID once per given period")
+	flag.DurationVar(&args.timeout, "timeout", 35*time.Second, "timeout for network operations")
+	flag.DurationVar(&args.rotate, "rotate", 48*time.Hour, "rotate user ID once per given period")
+	flag.DurationVar(&args.backoffInitial, "backoff-initial", 3*time.Second, "initial average backoff delay for zgettunnels (randomized by +/-50%)")
+	flag.DurationVar(&args.backoffDeadline, "backoff-deadline", 5*time.Minute, "total duration of zgettunnels method attempts")
+	flag.IntVar(&args.initRetries, "init-retries", 0, "number of attempts for initialization steps, zero for unlimited retry")
+	flag.DurationVar(&args.initRetryInterval, "init-retry-interval", 5*time.Second, "delay between initialization retries")
 	flag.StringVar(&args.proxy_type, "proxy-type", "direct", "proxy type: direct or lum") // or skip but not mentioned
 	// skip would be used something like this: `./bin/hola-proxy -proxy-type skip -force-port-field 24232 -country ua.peer` for debugging
-	flag.StringVar(&args.resolver, "resolver", "https://cloudflare-dns.com/dns-query",
-		"DNS/DoH/DoT resolver to workaround Hola blocked hosts. "+
-			"See https://github.com/ameshkov/dnslookup/ for upstream DNS URL format.")
+	flag.Var(args.resolver, "resolver",
+		"comma-separated list of DNS/DoH/DoT resolvers used to lookup domain names blocked by Hola. "+
+			"Supported schemes are: dns://, https://, tls://, tcp://. "+
+			"Example: https://1.1.1.1/dns-query,tls://9.9.9.9:853")
 	flag.BoolVar(&args.use_trial, "dont-use-trial", false, "use regular ports instead of trial ports") // would be nice to not show in help page
 	flag.BoolVar(&args.showVersion, "version", false, "show program version and exit")
 	flag.StringVar(&args.proxy, "proxy", "", "sets base proxy to use for all dial-outs. "+
 		"Format: <http|https|socks5|socks5h>://[login:password@]host[:port] "+
 		"Examples: http://user:password@192.168.1.1:3128, socks5://10.0.0.1:1080")
+	flag.StringVar(&args.caFile, "cafile", "", "use custom CA certificate bundle file")
+	flag.Func("user-agent",
+		"value of User-Agent header in requests. Default: User-Agent of latest stable Chrome for Windows",
+		func(s string) error {
+			args.userAgent = &s
+			return nil
+		})
+	flag.BoolVar(&args.hideSNI, "hide-SNI", true, "hide SNI in TLS sessions with proxy server")
 	flag.Parse()
 	if args.country == "" {
 		arg_fail("Country can't be empty string.")
@@ -87,15 +169,6 @@ func parse_args() CLIArgs {
 	return args
 }
 
-func proxyFromURLWrapper(u *url.URL, next xproxy.Dialer) (xproxy.Dialer, error) {
-	cdialer, ok := next.(ContextDialer)
-	if !ok {
-		return nil, errors.New("only context dialers are accepted")
-	}
-
-	return ProxyDialerFromURL(u, cdialer)
-}
-
 func run() int {
 	args := parse_args()
 	if args.showVersion {
@@ -120,6 +193,33 @@ func run() int {
 		Timeout:   30 * time.Second,
 		KeepAlive: 30 * time.Second,
 	}
+
+	var caPool *x509.CertPool
+	if args.caFile != "" {
+		caPool = x509.NewCertPool()
+		certs, err := ioutil.ReadFile(args.caFile)
+		if err != nil {
+			mainLogger.Error("Can't load CA file: %v", err)
+			return 15
+		}
+		if ok := caPool.AppendCertsFromPEM(certs); !ok {
+			mainLogger.Error("Can't load certificates from CA file")
+			return 15
+		}
+		UpdateHolaTLSConfig(&tls.Config{
+			RootCAs: caPool,
+		})
+	}
+
+	proxyFromURLWrapper := func(u *url.URL, next xproxy.Dialer) (xproxy.Dialer, error) {
+		cdialer, ok := next.(ContextDialer)
+		if !ok {
+			return nil, errors.New("only context dialers are accepted")
+		}
+
+		return ProxyDialerFromURL(u, caPool, cdialer)
+	}
+
 	if args.proxy != "" {
 		xproxy.RegisterDialerType("http", proxyFromURLWrapper)
 		xproxy.RegisterDialerType("https", proxyFromURLWrapper)
@@ -137,25 +237,81 @@ func run() int {
 		UpdateHolaDialer(dialer)
 	}
 
+	try := retryPolicy(args.initRetries, args.initRetryInterval, mainLogger)
+
 	if args.list_countries {
-		return print_countries(args.timeout)
-	}
-	if args.list_proxies {
-		return print_proxies(args.country, args.proxy_type, args.limit, args.timeout)
+		return print_countries(try, args.timeout)
 	}
 
 	mainLogger.Info("hola-proxy client version %s is starting...", version)
+
+	var userAgent string
+	if args.userAgent == nil {
+		err := try("get latest version of Chrome browser", func() error {
+			ctx, cl := context.WithTimeout(context.Background(), args.timeout)
+			defer cl()
+			ver, err := GetChromeVer(ctx, dialer)
+			if err != nil {
+				return err
+			}
+			mainLogger.Info("latest Chrome version is %q", ver)
+			majorVer, _, _ := strings.Cut(ver, ".")
+			userAgent = fmt.Sprintf(
+				"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/%s.0.0.0 Safari/537.36",
+				majorVer)
+			mainLogger.Info("discovered latest Chrome User-Agent: %q", userAgent)
+			return err
+		})
+		if err != nil {
+			mainLogger.Critical("Can't detect latest Chrome version. "+
+				"Try to specify proper user agent with -user-agent parameter. Error: %v",
+				err)
+			return 8
+		}
+	} else {
+		userAgent = *args.userAgent
+	}
+	SetUserAgent(userAgent)
+
+	if args.extVer == "" {
+		err := try("get latest version of browser extension", func() error {
+			ctx, cl := context.WithTimeout(context.Background(), args.timeout)
+			defer cl()
+			extVer, err := GetExtVer(ctx, nil, HolaExtStoreID, dialer)
+			if err == nil {
+				mainLogger.Info("discovered latest browser extension version: %s", extVer)
+				args.extVer = extVer
+			}
+			return err
+		})
+		if err != nil {
+			mainLogger.Critical("Can't detect latest browser extension version. Try to specify -ext-ver parameter. Error: %v", err)
+			return 8
+		}
+		mainLogger.Warning("Detected latest extension version: %q. Pass -ext-ver parameter to skip resolve and speedup startup", args.extVer)
+	}
+	if args.list_proxies {
+		return print_proxies(try, mainLogger, args.extVer, args.country, args.proxy_type, args.limit, args.timeout,
+			args.backoffInitial, args.backoffDeadline)
+	}
+
 	mainLogger.Info("Constructing fallback DNS upstream...")
-	resolver, err := NewResolver(args.resolver, args.timeout)
+	resolver, err := FastResolverFromURLs(args.resolver.values...)
 	if err != nil {
 		mainLogger.Critical("Unable to instantiate DNS resolver: %v", err)
 		return 6
 	}
 
-	mainLogger.Info("Initializing configuration provider...")
-	auth, tunnels, err := CredService(args.rotate, args.timeout, args.country, args.proxy_type, credLogger)
+	var (
+		auth    AuthProvider
+		tunnels *ZGetTunnelsResponse
+	)
+	err = try("run credentials service", func() error {
+		auth, tunnels, err = CredService(args.rotate, args.timeout, args.extVer, args.country,
+			args.proxy_type, credLogger, args.backoffInitial, args.backoffDeadline)
+		return err
+	})
 	if err != nil {
-		mainLogger.Critical("Unable to instantiate credential service: %v", err)
 		return 4
 	}
 	endpoint, err := get_endpoint(tunnels, args.proxy_type, args.use_trial, args.force_port_field)
@@ -163,8 +319,8 @@ func run() int {
 		mainLogger.Critical("Unable to determine proxy endpoint: %v", err)
 		return 5
 	}
-	handlerDialer := NewProxyDialer(endpoint.NetAddr(), endpoint.TLSName, auth, dialer)
-	requestDialer := NewPlaintextDialer(endpoint.NetAddr(), endpoint.TLSName, dialer)
+	handlerDialer := NewProxyDialer(endpoint.NetAddr(), endpoint.TLSName, caPool, auth, args.hideSNI, dialer)
+	requestDialer := NewPlaintextDialer(endpoint.NetAddr(), endpoint.TLSName, caPool, args.hideSNI, dialer)
 	mainLogger.Info("Endpoint: %s", endpoint.URL().String())
 	mainLogger.Info("Starting proxy server...")
 	handler := NewProxyHandler(handlerDialer, requestDialer, auth, resolver, proxyLogger)
@@ -178,3 +334,24 @@ func run() int {
 func main() {
 	os.Exit(run())
 }
+
+func retryPolicy(retries int, retryInterval time.Duration, logger *CondLogger) func(string, func() error) error {
+	return func(name string, f func() error) error {
+		var err error
+		for i := 1; retries <= 0 || i <= retries; i++ {
+			if i > 1 {
+				logger.Warning("Retrying action %q in %v...", name, retryInterval)
+				time.Sleep(retryInterval)
+			}
+			logger.Info("Attempting action %q, attempt #%d...", name, i)
+			err = f()
+			if err == nil {
+				logger.Info("Action %q succeeded on attempt #%d", name, i)
+				return nil
+			}
+			logger.Warning("Action %q failed: %v", name, err)
+		}
+		logger.Critical("All attempts for action %q have failed. Last error: %v", name, err)
+		return err
+	}
+}

plaintext.go

@@ -2,23 +2,28 @@ package main
 
 import (
 	"context"
-	"crypto/tls"
 	"crypto/x509"
 	"errors"
 	"net"
+
+	tls "github.com/refraction-networking/utls"
 )
 
 type PlaintextDialer struct {
 	fixedAddress  string
 	tlsServerName string
 	next          ContextDialer
+	caPool        *x509.CertPool
+	hideSNI       bool
 }
 
-func NewPlaintextDialer(address, tlsServerName string, next ContextDialer) *PlaintextDialer {
+func NewPlaintextDialer(address, tlsServerName string, caPool *x509.CertPool, hideSNI bool, next ContextDialer) *PlaintextDialer {
 	return &PlaintextDialer{
 		fixedAddress:  address,
 		tlsServerName: tlsServerName,
 		next:          next,
+		caPool:        caPool,
+		hideSNI:       hideSNI,
 	}
 }
 
@@ -38,13 +43,18 @@ func (d *PlaintextDialer) DialContext(ctx context.Context, network, address stri
 		// Custom cert verification logic:
 		// DO NOT send SNI extension of TLS ClientHello
 		// DO peer certificate verification against specified servername
-		conn = tls.Client(conn, &tls.Config{
-			ServerName:         "",
+		sni := d.tlsServerName
+		if d.hideSNI {
+			sni = ""
+		}
+		tlsConn := tls.UClient(conn, &tls.Config{
+			ServerName:         sni,
 			InsecureSkipVerify: true,
 			VerifyConnection: func(cs tls.ConnectionState) error {
 				opts := x509.VerifyOptions{
 					DNSName:       d.tlsServerName,
 					Intermediates: x509.NewCertPool(),
+					Roots:         d.caPool,
 				}
 				for _, cert := range cs.PeerCertificates[1:] {
 					opts.Intermediates.AddCert(cert)
@@ -52,7 +62,12 @@ func (d *PlaintextDialer) DialContext(ctx context.Context, network, address stri
 				_, err := cs.PeerCertificates[0].Verify(opts)
 				return err
 			},
-		})
+		}, tls.HelloAndroid_11_OkHttp)
+		if err := tlsConn.HandshakeContext(ctx); err != nil {
+			conn.Close()
+			return nil, err
+		}
+		return tlsConn, nil
 	}
 	return conn, nil
 }

resolver.go

@@ -1,82 +1,140 @@
 package main
 
 import (
-	"github.com/AdguardTeam/dnsproxy/upstream"
-	"github.com/miekg/dns"
-	"time"
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"net/netip"
+	"net/url"
+	"strings"
+
+	"github.com/hashicorp/go-multierror"
+	"github.com/ncruces/go-dns"
 )
 
-type Resolver struct {
-	upstream upstream.Upstream
-}
-
-const DOT = 0x2e
-
-func NewResolver(address string, timeout time.Duration) (*Resolver, error) {
-	opts := upstream.Options{Timeout: timeout}
-	u, err := upstream.AddressToUpstream(address, opts)
+func FromURL(u string) (*net.Resolver, error) {
+	parsed, err := url.Parse(u)
 	if err != nil {
 		return nil, err
 	}
-	return &Resolver{upstream: u}, nil
+	host := parsed.Hostname()
+	port := parsed.Port()
+	switch strings.ToLower(parsed.Scheme) {
+	case "", "dns":
+		if port == "" {
+			port = "53"
+		}
+		return NewPlainResolver(net.JoinHostPort(host, port)), nil
+	case "tcp":
+		if port == "" {
+			port = "53"
+		}
+		return NewTCPResolver(net.JoinHostPort(host, port)), nil
+	case "http", "https":
+		if port == "" {
+			port = "443"
+		}
+		return dns.NewDoHResolver(u, dns.DoHAddresses(net.JoinHostPort(host, port)))
+	case "tls":
+		if port == "" {
+			port = "853"
+		}
+		hp := net.JoinHostPort(host, port)
+		return dns.NewDoTResolver(hp, dns.DoTAddresses(hp))
+	default:
+		return nil, errors.New("not implemented")
+	}
 }
 
-func (r *Resolver) ResolveA(domain string) []string {
-	res := make([]string, 0)
-	if len(domain) == 0 {
-		return res
+type LookupNetIPer interface {
+	LookupNetIP(context.Context, string, string) ([]netip.Addr, error)
+}
+
+type FastResolver struct {
+	upstreams []LookupNetIPer
+}
+
+type lookupReply struct {
+	addrs []netip.Addr
+	err   error
+}
+
+func FastResolverFromURLs(urls ...string) (*FastResolver, error) {
+	resolvers := make([]LookupNetIPer, 0, len(urls))
+	for i, u := range urls {
+		res, err := FromURL(u)
+		if err != nil {
+			return nil, fmt.Errorf("unable to construct resolver #%d (%q): %w", i, u, err)
+		}
+		resolvers = append(resolvers, res)
 	}
-	if domain[len(domain)-1] != DOT {
-		domain = domain + "."
+	return NewFastResolver(resolvers...), nil
+}
+
+func NewFastResolver(resolvers ...LookupNetIPer) *FastResolver {
+	return &FastResolver{
+		upstreams: resolvers,
 	}
-	req := dns.Msg{}
-	req.Id = dns.Id()
-	req.RecursionDesired = true
-	req.Question = []dns.Question{
-		{Name: domain, Qtype: dns.TypeA, Qclass: dns.ClassINET},
+}
+
+func (r FastResolver) LookupNetIP(ctx context.Context, network, host string) ([]netip.Addr, error) {
+	ctx, cl := context.WithCancel(ctx)
+	drain := make(chan lookupReply, len(r.upstreams))
+	for _, res := range r.upstreams {
+		go func(res LookupNetIPer) {
+			addrs, err := res.LookupNetIP(ctx, network, host)
+			drain <- lookupReply{addrs, err}
+		}(res)
 	}
-	reply, err := r.upstream.Exchange(&req)
-	if err != nil {
-		return res
-	}
-	for _, rr := range reply.Answer {
-		if a, ok := rr.(*dns.A); ok {
-			res = append(res, a.A.String())
+
+	i := 0
+	var resAddrs []netip.Addr
+	var resErr error
+	for ; i < len(r.upstreams); i++ {
+		pair := <-drain
+		if pair.err != nil {
+			resErr = multierror.Append(resErr, pair.err)
+		} else {
+			cl()
+			resAddrs = pair.addrs
+			resErr = nil
+			break
 		}
 	}
-	return res
-}
-
-func (r *Resolver) ResolveAAAA(domain string) []string {
-	res := make([]string, 0)
-	if len(domain) == 0 {
-		return res
-	}
-	if domain[len(domain)-1] != DOT {
-		domain = domain + "."
-	}
-	req := dns.Msg{}
-	req.Id = dns.Id()
-	req.RecursionDesired = true
-	req.Question = []dns.Question{
-		{Name: domain, Qtype: dns.TypeAAAA, Qclass: dns.ClassINET},
-	}
-	reply, err := r.upstream.Exchange(&req)
-	if err != nil {
-		return res
-	}
-	for _, rr := range reply.Answer {
-		if a, ok := rr.(*dns.AAAA); ok {
-			res = append(res, a.AAAA.String())
+	go func() {
+		for i = i + 1; i < len(r.upstreams); i++ {
+			<-drain
 		}
-	}
-	return res
+	}()
+	return resAddrs, resErr
 }
 
-func (r *Resolver) Resolve(domain string) []string {
-	res := r.ResolveA(domain)
-	if len(res) == 0 {
-		res = r.ResolveAAAA(domain)
+func NewPlainResolver(addr string) *net.Resolver {
+	return &net.Resolver{
+		PreferGo: true,
+		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
+			return (&net.Dialer{
+				Resolver: &net.Resolver{},
+			}).DialContext(ctx, network, addr)
+		},
+	}
+}
+
+func NewTCPResolver(addr string) *net.Resolver {
+	return &net.Resolver{
+		PreferGo: true,
+		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
+			dnet := "tcp"
+			switch network {
+			case "udp4":
+				dnet = "tcp4"
+			case "udp6":
+				dnet = "tcp6"
+			}
+			return (&net.Dialer{
+				Resolver: &net.Resolver{},
+			}).DialContext(ctx, dnet, addr)
+		},
 	}
-	return res
 }

retry.go

@@ -2,16 +2,17 @@ package main
 
 import (
 	"context"
+	"fmt"
 	"net"
 )
 
 type RetryDialer struct {
 	dialer   ContextDialer
-	resolver *Resolver
+	resolver LookupNetIPer
 	logger   *CondLogger
 }
 
-func NewRetryDialer(dialer ContextDialer, resolver *Resolver, logger *CondLogger) *RetryDialer {
+func NewRetryDialer(dialer ContextDialer, resolver LookupNetIPer, logger *CondLogger) *RetryDialer {
 	return &RetryDialer{
 		dialer:   dialer,
 		resolver: resolver,
@@ -28,12 +29,30 @@ func (d *RetryDialer) DialContext(ctx context.Context, network, address string)
 			return conn, err
 		}
 
-		ips := d.resolver.Resolve(host)
-		if len(ips) == 0 {
-			return conn, err
+		var resolveNetwork string
+		switch network {
+		case "udp4", "tcp4", "ip4":
+			resolveNetwork = "ip4"
+		case "udp6", "tcp6", "ip6":
+			resolveNetwork = "ip6"
+		case "udp", "tcp", "ip":
+			resolveNetwork = "ip"
+		default:
+			return nil, fmt.Errorf("resolving dial %q: unsupported network %q", address, network)
+		}
+		resolved, err := d.resolver.LookupNetIP(ctx, resolveNetwork, host)
+		if err != nil {
+			return nil, fmt.Errorf("dial failed on address lookup: %w", err)
 		}
 
-		return d.dialer.DialContext(ctx, network, net.JoinHostPort(ips[0], port))
+		var conn net.Conn
+		for _, ip := range resolved {
+			conn, err = d.dialer.DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
+			if err == nil {
+				return conn, nil
+			}
+		}
+		return nil, fmt.Errorf("failed to dial %s: %w", address, err)
 	}
 	return conn, err
 }

snapcraft.yaml

@@ -1,18 +1,24 @@
 name: hola-proxy
-version: '1.5.3'
 summary: Standalone Hola proxy client.
 description: |
   Standalone Hola proxy client. Just run it and it'll start plain HTTP proxy server forwarding traffic via Hola proxies of your choice.
 
 confinement: strict
-base: core18
+base: core22
+adopt-info: hola-proxy
 
 parts:
   hola-proxy:
     plugin: go
-    source: .
+    build-snaps: [go/latest/stable]
     build-packages:
-      - gcc
+      - make
+      - git-core
+    source: https://github.com/Snawoot/hola-proxy
+    source-type: git
+    override-pull: |
+      craftctl default
+      craftctl set version="$(git describe --long --tags --always --match=v*.*.* | sed 's/v//')"
     override-build:
       make &&
       cp bin/hola-proxy "$SNAPCRAFT_PART_INSTALL"

upstream.go

@@ -4,7 +4,6 @@ import (
 	"bufio"
 	"bytes"
 	"context"
-	"crypto/tls"
 	"crypto/x509"
 	"errors"
 	"fmt"
@@ -14,6 +13,8 @@ import (
 	"net/http/httputil"
 	"net/url"
 	"strings"
+
+	tls "github.com/refraction-networking/utls"
 )
 
 const (
@@ -38,18 +39,22 @@ type ProxyDialer struct {
 	tlsServerName string
 	auth          AuthProvider
 	next          ContextDialer
+	caPool        *x509.CertPool
+	hideSNI       bool
 }
 
-func NewProxyDialer(address, tlsServerName string, auth AuthProvider, nextDialer ContextDialer) *ProxyDialer {
+func NewProxyDialer(address, tlsServerName string, caPool *x509.CertPool, auth AuthProvider, hideSNI bool, nextDialer ContextDialer) *ProxyDialer {
 	return &ProxyDialer{
 		address:       address,
 		tlsServerName: tlsServerName,
 		auth:          auth,
 		next:          nextDialer,
+		caPool:        caPool,
+		hideSNI:       hideSNI,
 	}
 }
 
-func ProxyDialerFromURL(u *url.URL, next ContextDialer) (*ProxyDialer, error) {
+func ProxyDialerFromURL(u *url.URL, caPool *x509.CertPool, next ContextDialer) (*ProxyDialer, error) {
 	host := u.Hostname()
 	port := u.Port()
 	tlsServerName := ""
@@ -79,7 +84,7 @@ func ProxyDialerFromURL(u *url.URL, next ContextDialer) (*ProxyDialer, error) {
 			return authHeader
 		}
 	}
-	return NewProxyDialer(address, tlsServerName, auth, next), nil
+	return NewProxyDialer(address, tlsServerName, caPool, auth, false, next), nil
 }
 
 func (d *ProxyDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
@@ -98,13 +103,18 @@ func (d *ProxyDialer) DialContext(ctx context.Context, network, address string)
 		// Custom cert verification logic:
 		// DO NOT send SNI extension of TLS ClientHello
 		// DO peer certificate verification against specified servername
-		conn = tls.Client(conn, &tls.Config{
-			ServerName:         "",
+		sni := d.tlsServerName
+		if d.hideSNI {
+			sni = ""
+		}
+		conn = tls.UClient(conn, &tls.Config{
+			ServerName:         sni,
 			InsecureSkipVerify: true,
 			VerifyConnection: func(cs tls.ConnectionState) error {
 				opts := x509.VerifyOptions{
 					DNSName:       d.tlsServerName,
 					Intermediates: x509.NewCertPool(),
+					Roots:         d.caPool,
 				}
 				for _, cert := range cs.PeerCertificates[1:] {
 					opts.Intermediates.AddCert(cert)
@@ -112,7 +122,7 @@ func (d *ProxyDialer) DialContext(ctx context.Context, network, address string)
 				_, err := cs.PeerCertificates[0].Verify(opts)
 				return err
 			},
-		})
+		}, tls.HelloAndroid_11_OkHttp)
 	}
 
 	req := &http.Request{

utils.go

@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"math/rand"
 	"net"
 	"net/http"
 	"net/url"
@@ -105,25 +106,33 @@ func proxyh2(ctx context.Context, leftreader io.ReadCloser, leftwriter io.Writer
 	return
 }
 
-func print_countries(timeout time.Duration) int {
+func print_countries(try func(string, func() error) error, timeout time.Duration) int {
 	var (
 		countries CountryList
 		err       error
+		tx_res    bool
+		tx_err    error
 	)
-	tx_res, tx_err := EnsureTransaction(context.Background(), timeout, func(ctx context.Context, client *http.Client) bool {
-		countries, err = VPNCountries(ctx, client)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "Transaction error: %v. Retrying with the fallback mechanism...\n", err)
-			return false
+	err = try("list VPN countries", func() error {
+		tx_res, tx_err = EnsureTransaction(context.Background(), timeout, func(ctx context.Context, client *http.Client) bool {
+			ctx1, cancel := context.WithTimeout(ctx, timeout)
+			defer cancel()
+			countries, err = VPNCountries(ctx1, client)
+			if err != nil {
+				fmt.Fprintf(os.Stderr, "Transaction error: %v. Retrying with the fallback mechanism...\n", err)
+				return false
+			}
+			return true
+		})
+		if tx_err != nil {
+			return fmt.Errorf("transaction recovery mechanism failure: %v", err)
 		}
-		return true
+		if !tx_res {
+			return errors.New("all fallback proxies failed.")
+		}
+		return nil
 	})
-	if tx_err != nil {
-		fmt.Fprintf(os.Stderr, "Transaction recovery mechanism failure: %v.\n", tx_err)
-		return 4
-	}
-	if !tx_res {
-		fmt.Fprintf(os.Stderr, "All attempts failed.")
+	if err != nil {
 		return 3
 	}
 	for _, code := range countries {
@@ -132,30 +141,38 @@ func print_countries(timeout time.Duration) int {
 	return 0
 }
 
-func print_proxies(country string, proxy_type string, limit uint, timeout time.Duration) int {
+func print_proxies(try func(string, func() error) error, logger *CondLogger, extVer, country string, proxy_type string,
+	limit uint, timeout time.Duration, backoffInitial time.Duration, backoffDeadline time.Duration,
+) int {
 	var (
 		tunnels   *ZGetTunnelsResponse
 		user_uuid string
 		err       error
+		tx_res    bool
+		tx_err    error
 	)
-	tx_res, tx_err := EnsureTransaction(context.Background(), timeout, func(ctx context.Context, client *http.Client) bool {
-		tunnels, user_uuid, err = Tunnels(ctx, client, country, proxy_type, limit)
-		if err != nil {
-			fmt.Fprintf(os.Stderr, "Transaction error: %v. Retrying with the fallback mechanism...\n", err)
-			return false
+	err = try("list proxies", func() error {
+		tx_res, tx_err = EnsureTransaction(context.Background(), timeout, func(ctx context.Context, client *http.Client) bool {
+			tunnels, user_uuid, err = Tunnels(ctx, logger, client, extVer, country, proxy_type, limit, timeout, backoffInitial, backoffDeadline)
+			if err != nil {
+				fmt.Fprintf(os.Stderr, "Transaction error: %v. Retrying with the fallback mechanism...\n", err)
+				return false
+			}
+			return true
+		})
+		if tx_err != nil {
+			return fmt.Errorf("transaction recovery mechanism failure: %v", err)
 		}
-		return true
+		if !tx_res {
+			return errors.New("all fallback proxies failed.")
+		}
+		return nil
 	})
-	if tx_err != nil {
-		fmt.Fprintf(os.Stderr, "Transaction recovery mechanism failure: %v.\n", tx_err)
-		return 4
-	}
-	if !tx_res {
-		fmt.Fprintf(os.Stderr, "All attempts failed.")
+	if err != nil {
 		return 3
 	}
 	wr := csv.NewWriter(os.Stdout)
-	login := LOGIN_PREFIX + user_uuid
+	login := TemplateLogin(user_uuid)
 	password := tunnels.AgentKey
 	fmt.Println("Login:", login)
 	fmt.Println("Password:", password)
@@ -292,3 +309,11 @@ func copyBody(wr io.Writer, body io.Reader) {
 		}
 	}
 }
+
+func RandRange(low, hi int64) int64 {
+	if low >= hi {
+		panic("RandRange: low boundary is greater or equal to high boundary")
+	}
+	delta := hi - low
+	return low + rand.New(RandomSource).Int63n(delta+1)
+}