dan-v/awslambdaproxy dan-v/awslambdaproxy

  • This repository has been archived on 06/Mar/2022
  • Stars
    star
    763
  • Rank 59,147 (Top 2 %)
  • Language
    Go
  • License
    MIT License
  • Created almost 8 years ago
  • Updated over 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
dan-v/awslambdaproxy
github

dan-v

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

An AWS Lambda powered HTTP/SOCKS web proxy

NOTICE: This project is no longer being maintained

Overview

awslambdaproxy is an AWS Lambda powered HTTP/SOCKS web proxy. It provides a constantly rotating IP address for your network traffic from all regions where AWS Lambda is available. The goal is to obfuscate your traffic and make it harder to track you as a user.

Features

  • HTTP/HTTPS/SOCKS5 proxy protocols support (including authentication).
  • No special client side software required. Just configure your system to use a proxy.
  • Each configured AWS Lambda region provides a large pool of constantly rotating IP address.
  • Configurable IP rotation frequency between multiple regions.
  • Mostly AWS free tier compatible (see FAQ below).

Project status

Current code status: proof of concept. This is the first Go application that I've ever written. It has no tests. It may not work. It may blow up. Use at your own risk.

How it works

At a high level, awslambdaproxy proxies TCP/UDP traffic through AWS Lambda regional endpoints. To do this, awslambdaproxy is setup on a publicly accessible host (e.g. EC2 instance) and it handles creating Lambda resources that run a proxy server (gost). Since Lambda does not allow you to connect to bound ports in executing functions, a reverse SSH tunnel is established from the Lambda function to the host running awslambdaproxy. Once a tunnel connection is established, all user traffic is forwarded through this reverse tunnel to the proxy server. Lambda functions have a max execution time of 15 minutes, so there is a goroutine that continuously executes Lambda functions to ensure there is always a live tunnel in place. If multiple regions are specified, user traffic will be routed in a round robin fashion across these regions.

Installation

Terraform

  1. Clone repository and go to the deployment/terraform directory:
git clone [email protected]:dan-v/awslambdaproxy.git && cd awslambdaproxy/deployment/terraform

  1. Install Terraform and configure your Terraform backend. Read more about Terraform backends here.

  2. Create and fill in a variable definitions file (read more here) if you don't want to use default variables values defined in variables.tf.

  3. Run these commands to init and apply configuration:

terraform init && terraform apply -auto-approve

It will create all dependent resources and run awslambdaproxy inside a Docker container. EC2 instance SSH key can be found in AWS Secret Manager in your AWS Management Console.

NOTE: Some AWS regions have a big list of IP CIDR blocks and they can exceed the default limits of security groups (read more). In that case, you'll need to make a limit increase request through the AWS Support Center by choosing Create Case and then choosing Service Limit Increase to prevent deployment issues.

Manual

  1. Download a pre-built binary from the GitHub Releases page.

  2. Copy awslambdaproxy binary to a publicly accessible linux host (e.g. EC2 instance, VPS instance, etc). You will need to open the following ports on this host:

    • Port 22 - functions executing in AWS Lambda will open SSH connections back to the host running awslambdaproxy, so this port needs to be open to the world. The SSH key used here is dynamically generated at startup and added to the running users authorized_keys file.
    • Port 8080 - the default configuration will start a HTTP/SOCKS proxy listener on this port with default user/password authentication. If you don't want to publicly expose the proxy server, one option is to setup your own VPN server (e.g. dosxvpn or algo), connect to it, and just run awslambdaproxy with the proxy listener only on localhost (-l localhost:8080).

  3. Optional, but I'd highly recommend taking a look at the Minimal IAM Policies section below. This will allow you to setup minimal permissions required to setup and run the project. Otherwise, if you don't care about security you can always use an access key with full administrator privileges.

  4. awslambdaproxy will need access to credentials for AWS in some form. This can be either through exporting environment variables (as shown below), shared credential file, or an IAM role if assigned to the instance you are running it on. See this for more details.

    export AWS_ACCESS_KEY_ID=XXXXXXXXXX
export AWS_SECRET_ACCESS_KEY=YYYYYYYYYYYYYYYYYYYYYY

  5. Run awslambdaproxy setup.

    ./awslambdaproxy setup

  6. Run awslambdaproxy run.

    ./awslambdaproxy run -r us-west-2,us-west-1,us-east-1,us-east-2

  7. Configure your web browser (or OS) to use the HTTP/SOCKS5 proxy on the publicly accessible host running awslambdaproxy on port 8080.

Minimal IAM Policies

  • This assumes you have the AWS CLI setup with an admin user
  • Create a user with proper permissions needed to run the setup command. This user can be removed after running the setup command.
aws iam create-user --user-name awslambdaproxy-setup
aws iam put-user-policy --user-name awslambdaproxy-setup --policy-name awslambdaproxy-setup --policy-document file://deployment/iam/setup.json
aws iam create-access-key --user-name awslambdaproxy-setup
{
    "AccessKey": {
        "UserName": "awslambdaproxy-setup",
        "Status": "Active",
        "CreateDate": "2017-04-17T06:15:18.858Z",
        "SecretAccessKey": "xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "AccessKeyId": "xxxxxxxxxxxxxx"
    }
}
  • Create a user with proper permission needed to run the proxy.
aws iam create-user --user-name awslambdaproxy-run
aws iam put-user-policy --user-name awslambdaproxy-run --policy-name awslambdaproxy-run --policy-document file://deployment/iam/run.json
aws iam create-access-key --user-name awslambdaproxy-run
{
    "AccessKey": {
        "UserName": "awslambdaproxy-run",
        "Status": "Active",
        "CreateDate": "2017-04-17T06:18:27.531Z",
        "SecretAccessKey": "xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "AccessKeyId": "xxxxxxxxxxxxxx"
    }
}

Examples

# execute proxy in four different regions with rotation happening every 60 seconds
./awslambdaproxy run -r us-west-2,us-west-1,us-east-1,us-east-2 -f 60s

# choose a different port and username/password for proxy and add another listener on localhost with no auth
./awslambdaproxy run -l "admin:admin@:8888,localhost:9090"

# bypass certain domains from using lambda proxy
./awslambdaproxy run -b "*.websocket.org,*.youtube.com"

# specify a dns server for the proxy server to use for dns lookups
./awslambdaproxy run -l "admin:awslambdaproxy@:8080?dns=1.1.1.1"

# increase function memory size for better network performance
./awslambdaproxy run -m 512

FAQ

  1. Should I use awslambdaproxy? That's up to you. Use at your own risk.
  2. Why did you use AWS Lambda for this? The primary reason for using AWS Lambda in this project is the vast pool of IP addresses available that automatically rotate.
  3. How big is the pool of available IP addresses? This I don't know, but I do know I did not have a duplicate IP while running the proxy for a week.
  4. Will this make me completely anonymous? No, absolutely not. The goal of this project is just to obfuscate your web traffic by rotating your IP address. All of your traffic is going through AWS which could be traced back to your account. You can also be tracked still with browser fingerprinting, etc. Your IP address may still leak due to WebRTC, Flash, etc.
  5. How often will my external IP address change? I'm not positive as that's specific to the internals of AWS Lambda, and that can change at any time. However, I'll give an example, with 4 regions specified rotating every 5 minutes it resulted in around 15 unique IPs per hour.
  6. How much does this cost? awslambdaproxy should be able to run mostly on the AWS free tier minus bandwidth costs. It can run on a t2.micro instance and the default 128MB Lambda function that is constantly running should also fall in the free tier usage. The bandwidth is what will cost you money; you will pay for bandwidth usage for both EC2 and Lambda.
  7. Why does my connection drop periodically? AWS Lambda functions can currently only execute for a maximum of 15 minutes. In order to maintain an ongoing proxy a new function is executed and all new traffic is cut over to it. Any ongoing connections to the previous Lambda function will hard stop after a timeout period. You generally won't see any issues for normal web browsing as connections are very short lived, but for any long lived connections you will see issues. Consider using the --bypass flag to specify known domains that you know use persistent connections to avoid having your connection constantly dropping for these.

Contributors

  • yurymkomarov - streamlined the entire deployment process with Terraform.
  • unixfox - contributed the Docker image for awslambdaproxy.

Powered by

  • gost - A simple security tunnel written in Golang.
  • yamux - Golang connection multiplexing library.
  • goad - Code was borrowed from this project to handle AWS Lambda zip creation and function upload.

Build From Source

  1. Install Go and go-bindata

  2. Fetch the project with git clone:

git clone [email protected]:dan-v/awslambdaproxy.git && cd awslambdaproxy
  1. Run make to build awslambdaproxy. You'll find your awslambdaproxy binary in the artifacts folder.
make

More Repositories

1

rattlesnakeos-stack

Build your own privacy and security focused Android OS in the cloud.
Go
568
star
2

dosxvpn

Easily deploy your own personal VPN server with DNS adblocking running on DigitalOcean
Go
307
star
3

bruteforce-bitcoin-brainwallet

Bruteforce dictionary attack on bitcoin brain wallets
Python
183
star
4

ghost-backup

Simple Ghost backup script
Shell
33
star
5

mint-bitcoin-sync

Update mint.com with the current value of Bitcoin holdings
Python
22
star
6

slack-to-telegram

Forward all Slack direct messages to Telegram when you are not logged into Slack
Go
17
star
7

foscam-customweb

Customized default website for Foscam network cameras.
Shell
13
star
8

golang-ubereats

An unofficial Golang client for Uber Eats API
Go
9
star
9

copperheados-stack

Easily provision all the AWS infrastructure required to run your own personal CopperheadOS build and update environment.
Go
8
star
10

ansible-ghost

Playbook to deploy Ghost blog.
Shell
6
star
11

docker-ghost-ssl

Ghost blog running in a docker container with nginx and SSL.
Shell
4
star
12

automated-facebook-voting

A script to automate voting for woobox.com contests.
Shell
4
star
13

pelican-blog

My old blog using Pelican static site generator.
HTML
2
star
14

vpn-sentry-server

A prototype of a personal VPN/Sentry server
Go
2
star
15

mqtt-matrix-bridge-testing

Shell
1
star
16

pelican-blog-ansible

Deploy my blog with ansible
1
star
17

crossfitboxreview

Google maps application for finding and reviewing crossfit gyms. Uses Flask framework.
Python
1
star
18

signal-messenger-osx

Signal Messenger as a native OSX app
Shell
1
star