An AWS Lambda powered HTTP/SOCKS web proxy
awslambdaproxy is an AWS Lambda powered HTTP/SOCKS web proxy. It provides a constantly rotating IP address for your network traffic from all regions where AWS Lambda is available. The goal is to obfuscate your traffic and make it harder to track you as a user.
Current code status: proof of concept. This is the first Go application that I've ever written. It has no tests. It may not work. It may blow up. Use at your own risk.
At a high level, awslambdaproxy proxies TCP/UDP traffic through AWS Lambda regional endpoints. To do this, awslambdaproxy is setup on a publicly accessible host (e.g. EC2 instance) and it handles creating Lambda resources that run a proxy server (gost). Since Lambda does not allow you to connect to bound ports in executing functions, a reverse SSH tunnel is established from the Lambda function to the host running awslambdaproxy. Once a tunnel connection is established, all user traffic is forwarded through this reverse tunnel to the proxy server. Lambda functions have a max execution time of 15 minutes, so there is a goroutine that continuously executes Lambda functions to ensure there is always a live tunnel in place. If multiple regions are specified, user traffic will be routed in a round robin fashion across these regions.
deployment/terraform
directory:git clone [email protected]:dan-v/awslambdaproxy.git && cd awslambdaproxy/deployment/terraform
Install Terraform and configure your Terraform backend. Read more about Terraform backends here.
Create and fill in a variable definitions file (read more here) if you don't want to use default variables values defined in variables.tf
.
Run these commands to init and apply configuration:
terraform init && terraform apply -auto-approve
It will create all dependent resources and run awslambdaproxy inside a Docker container. EC2 instance SSH key can be found in AWS Secret Manager in your AWS Management Console.
NOTE: Some AWS regions have a big list of IP CIDR blocks and they can exceed the default limits of security groups (read more). In that case, you'll need to make a limit increase request through the AWS Support Center
by choosing Create Case
and then choosing Service Limit Increase
to prevent deployment issues.
Download a pre-built binary from the GitHub Releases page.
Copy awslambdaproxy
binary to a publicly accessible linux host (e.g. EC2 instance, VPS instance, etc). You will need to open the following ports on this host:
awslambdaproxy
, so this port needs to be open to the world. The SSH key used here is dynamically generated at startup and added to the running users authorized_keys file.Optional, but I'd highly recommend taking a look at the Minimal IAM Policies section below. This will allow you to setup minimal permissions required to setup and run the project. Otherwise, if you don't care about security you can always use an access key with full administrator privileges.
awslambdaproxy
will need access to credentials for AWS in some form. This can be either through exporting environment variables (as shown below), shared credential file, or an IAM role if assigned to the instance you are running it on. See this for more details.
export AWS_ACCESS_KEY_ID=XXXXXXXXXX
export AWS_SECRET_ACCESS_KEY=YYYYYYYYYYYYYYYYYYYYYY
Run awslambdaproxy setup
.
./awslambdaproxy setup
Run awslambdaproxy run
.
./awslambdaproxy run -r us-west-2,us-west-1,us-east-1,us-east-2
Configure your web browser (or OS) to use the HTTP/SOCKS5 proxy on the publicly accessible host running awslambdaproxy
on port 8080.
aws iam create-user --user-name awslambdaproxy-setup
aws iam put-user-policy --user-name awslambdaproxy-setup --policy-name awslambdaproxy-setup --policy-document file://deployment/iam/setup.json
aws iam create-access-key --user-name awslambdaproxy-setup
{
"AccessKey": {
"UserName": "awslambdaproxy-setup",
"Status": "Active",
"CreateDate": "2017-04-17T06:15:18.858Z",
"SecretAccessKey": "xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"AccessKeyId": "xxxxxxxxxxxxxx"
}
}
aws iam create-user --user-name awslambdaproxy-run
aws iam put-user-policy --user-name awslambdaproxy-run --policy-name awslambdaproxy-run --policy-document file://deployment/iam/run.json
aws iam create-access-key --user-name awslambdaproxy-run
{
"AccessKey": {
"UserName": "awslambdaproxy-run",
"Status": "Active",
"CreateDate": "2017-04-17T06:18:27.531Z",
"SecretAccessKey": "xxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"AccessKeyId": "xxxxxxxxxxxxxx"
}
}
# execute proxy in four different regions with rotation happening every 60 seconds
./awslambdaproxy run -r us-west-2,us-west-1,us-east-1,us-east-2 -f 60s
# choose a different port and username/password for proxy and add another listener on localhost with no auth
./awslambdaproxy run -l "admin:admin@:8888,localhost:9090"
# bypass certain domains from using lambda proxy
./awslambdaproxy run -b "*.websocket.org,*.youtube.com"
# specify a dns server for the proxy server to use for dns lookups
./awslambdaproxy run -l "admin:awslambdaproxy@:8080?dns=1.1.1.1"
# increase function memory size for better network performance
./awslambdaproxy run -m 512
--bypass
flag to specify known domains that you know use persistent connections to avoid having your connection constantly dropping for these.Install Go and go-bindata
Fetch the project with git clone
:
git clone [email protected]:dan-v/awslambdaproxy.git && cd awslambdaproxy
awslambdaproxy
binary in the artifacts
folder.make