Simple CLI tool to transform SOCKS proxy into HTTP proxy with support for TCP/UDP Transparent Proxy (Redirect and TProxy), Proxychains, ARP spoofing and Traffic Sniffing
shadowy-pycoder/go-http-proxy-to-socks
GoHPTS CLI tool is a bridge between HTTP clients and a SOCKS5 proxy server or multiple servers (chain). It listens locally as an HTTP proxy, accepts standard HTTP or HTTPS (via CONNECT) requests and forwards the connection through a SOCKS5 proxy. Inspired by http-proxy-to-socks and Proxychains.
Possible use case: you need to connect to an external API via Postman, but this API is only available from some remote server. The following commands will help you perform such a task:
Create SOCKS5 proxy server via ssh:
ssh <remote server> -D 1080 -Nf
Create HTTP-to-SOCKS5 connection with gohpts:
gohpts -s :1080 -l :8080
Specify http server in proxy configuration of Postman
- Proxy Chain functionality: Supports strict, dynamic, random, round_robin chains of SOCKS5 proxy
- Transparent proxy: Supports redirect (SO_ORIGINAL_DST) and tproxy (IP_TRANSPARENT) modes
- TCP and UDP Transparent proxy: tproxy (IP_TRANSPARENT) handles TCP and UDP traffic
- Traffic sniffing: Proxy is able to parse HTTP headers, TLS handshake, DNS messages and more
- ARP spoofing: Proxy entire subnets with ARP spoofing approach
- DNS Leak Protection: DNS resolution occurs on SOCKS5 server side.
- CONNECT Method Support: Supports HTTP CONNECT tunneling, enabling HTTPS and other TCP-based protocols.
- Trailer Headers Support: Handles HTTP trailer headers
- Chunked Transfer Encoding: Handles chunked and streaming responses
- SOCKS5 Authentication Support: Supports username/password authentication for SOCKS5 proxies.
- HTTP Authentication Support: Supports username/password authentication for HTTP proxy server.
- Lightweight and Fast: Designed with minimal overhead and efficient request handling.
- Cross-Platform: Compatible with all major operating systems.
You can download the binary for your platform from Releases page.
Example:
GOHPTS_RELEASE=v1.10.5; wget -v https://github.com/shadowy-pycoder/go-http-proxy-to-socks/releases/download/$GOHPTS_RELEASE/gohpts-$GOHPTS_RELEASE-linux-amd64.tar.gz -O gohpts && tar xvzf gohpts && mv -f gohpts-$GOHPTS_RELEASE-linux-amd64 gohpts && ./gohpts -h
Alternatively, you can install it using go install command (requires Go 1.24 or later):
CGO_ENABLED=0 go install -ldflags "-s -w" -trimpath github.com/shadowy-pycoder/go-http-proxy-to-socks/cmd/gohpts@latest
This will install the gohpts binary to your $GOPATH/bin directory.
Another alternative is to build from source:
```
git clone https://github.com/shadowy-pycoder/go-http-proxy-to-socks.git
cd go-http-proxy-to-socks
make build
./bin/gohpts
```
```
gohpts -h

GoHPTS (HTTP(S) Proxy to SOCKS5 proxy) by shadowy-pycoder
GitHub: https://github.com/shadowy-pycoder/go-http-proxy-to-socks

Usage: gohpts [OPTIONS]
Options:
  -h    Show this help message and exit
  -v    Show version and build information
  -D    Run as a daemon (provide -logfile to see logs)
  -I    Display list of network interfaces and exit

  Proxy:
  -l    Address of HTTP proxy server (Default: "127.0.0.1:8080")
  -s    Address of SOCKS5 proxy server (Default: "127.0.0.1:1080")
  -c    Path to certificate PEM encoded file
  -k    Path to private key PEM encoded file
  -U    User for HTTP proxy (basic auth). This flag invokes prompt for password (not echoed to terminal)
  -u    User for SOCKS5 proxy authentication. This flag invokes prompt for password (not echoed to terminal)
  -i    Bind proxy to specific network interface (either by interface name or index)
  -f    Path to server configuration file in YAML format (overrides proxy flags above)

  Logs:
  -d          Show logs in DEBUG mode
  -j          Show logs in JSON format
  -logfile    Log file path (Default: stdout)
  -nocolor    Disable colored output for logs (no effect if -j flag specified)
  -pprof      Address of pprof server with profiling data

  Sniffing:
  -sniff       Enable traffic sniffing for HTTP and TLS
  -snifflog    Sniffed traffic log file path (Default: the same as -logfile)
  -body        Collect request and response body for HTTP traffic (credentials, tokens, etc)

  TProxy:
  -t           Address of transparent proxy server (it starts along with HTTP proxy server)
  -T           Address of transparent proxy server (no HTTP)
  -Tu          Address of transparent UDP proxy server
  -M           Transparent proxy mode: (redirect, tproxy)
  -auto        Automatically setup iptables for transparent proxy (requires elevated privileges)
  -arpspoof    Enable ARP spoof proxy for selected targets
               (Example: "targets 10.0.0.1,10.0.0.5-10,192.168.1.*,192.168.10.0/24;fullduplex false;debug true")
  -mark        Set mark for each packet sent through transparent proxy (Default: redirect 0, tproxy 100)
```
gohpts -s 1080 -l 8080 -d -j
Output:
```
{"level":"info","time":"2025-05-28T06:15:18+00:00","message":"SOCKS5 Proxy: :1080"}
{"level":"info","time":"2025-05-28T06:15:18+00:00","message":"HTTP Proxy: :8080"}
{"level":"debug","time":"2025-05-28T06:15:22+00:00","message":"HTTP/1.1 - CONNECT - www.google.com:443"}
```
Specify username and password for SOCKS5 proxy server:
```
gohpts -s 1080 -l 8080 -d -j -u user
SOCKS5 Password: #you will be prompted for password input here
```
Specify username and password for HTTP proxy server:
```
gohpts -s 1080 -l 8080 -d -j -U user
HTTP Password: #you will be prompted for password input here
```
When both -u and -U are present, you will be prompted twice
Run http proxy over TLS connection
gohpts -s 1080 -l 8080 -c "path/to/certificate" -k "path/to/private/key"
Run proxy as a daemon (logfile is needed for logging output, otherwise you will see nothing)
gohpts -D -logfile /tmp/gohpts.log
```
# output
gohpts pid: <pid>
# kill the process
kill <pid>
# or
kill $(pidof gohpts)
```
-u and -U flags do not work in a daemon mode (and therefore authentication), but you can provide a config file (see below)
Run http proxy in SOCKS5 proxy chain mode (specify server settings via YAML configuration file)
gohpts -f "path/to/proxychain/config" -d -j
Config example:
```
# Explanations for chains taken from /etc/proxychains4.conf

# strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain

# dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)

# random - Each connection will be done via random proxy
# (or proxy chain, see chain_len) from the list.
# this option is good to test your IDS :)

# round_robin - Each connection will be done via chained proxies
# of chain_len length
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped).
# the start of the current proxy chain is the proxy after the last
# proxy in the previously invoked proxy chain.
# if the end of the proxy chain is reached while looking for proxies
# start at the beginning again.
# These semantics are not guaranteed in a multithreaded environment.

chain:
  type: strict # dynamic, strict, random, round_robin
  length: 2 # maximum number of proxy in a chain (works only for random chain and round_robin chain)
proxy_list:
  - address: 127.0.0.1:1080
    username: username # username and password are optional
    password: password
  - address: 127.0.0.1:1081
  - address: :1082 # empty host means localhost
server:
  address: 127.0.0.1:8080 # the only required field in this section (ignored when -T flag specified)
  interface: "eth0" # if specified, overrides server address
  # these are for adding basic authentication
  username: username
  password: password
  # comment out these to use HTTP instead of HTTPS
  cert_file: ~/local.crt
  key_file: ~/local.key
```
To learn more about proxy chains visit Proxychains Github
Also known as an intercepting proxy, inline proxy, or forced proxy, a transparent proxy intercepts normal application layer communication without requiring any special client configuration. Clients need not be aware of the existence of the proxy. A transparent proxy is normally located between the client and the Internet, with the proxy performing some of the functions of a gateway or router -- From Wiki
This functionality is available only on Linux systems and Android (arm64) and requires additional setup (iptables, ip route, etc)
-T address flag specifies the address of transparent proxy server (GoHPTS will be running without HTTP server).
-t address flag specifies the address of transparent proxy server (HTTP proxy and other functionality stays the same).
In other words, -T spins up a single server, but -t two servers, http and tcp.
There are two modes, redirect and tproxy, that can be specified with -M flag
In redirect mode proxying happens with the iptables nat table and REDIRECT target. The destination of an incoming packet changes to the address of the running redirect transparent proxy, but the connection also carries the original destination, which can be retrieved with getsockopt(SO_ORIGINAL_DST)
To run GoHPTS in this mode you use -t or -T flags with -M redirect
```
# run the proxy
gohpts -s 1080 -t 1090 -M redirect -d
# run socks5 server on 127.0.0.1:1080
ssh remote -D 1080 -Nf
```
Setup your operating system:
```
# commands below require elevated privileges (you can run it with `sudo -i`)

# enable ip forwarding
sysctl -w net.ipv4.ip_forward=1
# create `GOHPTS` nat chain
iptables -t nat -N GOHPTS
# set no redirection rules for local, http proxy, ssh and redirect proxy itself
iptables -t nat -A GOHPTS -d 127.0.0.0/8 -j RETURN
iptables -t nat -A GOHPTS -p tcp --dport 8080 -j RETURN
iptables -t nat -A GOHPTS -p tcp --dport 1090 -j RETURN
iptables -t nat -A GOHPTS -p tcp --dport 22 -j RETURN
# redirect traffic to transparent proxy
iptables -t nat -A GOHPTS -p tcp -j REDIRECT --to-ports 1090
# setup prerouting by adding our proxy
iptables -t nat -A PREROUTING -p tcp -j GOHPTS
# intercept local traffic for testing
iptables -t nat -A OUTPUT -p tcp -j GOHPTS
```
Test connection:
```
# traffic should be redirected via 127.0.0.1:1090
curl http://example.com
# traffic should be redirected via 127.0.0.1:8080
curl --proxy http://127.0.0.1:8080 http://example.com
```
Undo everything:
```
sysctl -w net.ipv4.ip_forward=0
iptables -t nat -D PREROUTING -p tcp -j GOHPTS
iptables -t nat -D OUTPUT -p tcp -j GOHPTS
iptables -t nat -F GOHPTS
iptables -t nat -X GOHPTS
```
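The lookup that redirect mode relies on, written out in Go as an added example that is not taken from the GoHPTS source: `originalDst` issues getsockopt(SO_ORIGINAL_DST) on an accepted connection and `decodeSockaddrIn` parses the sockaddr_in the kernel returns. Both function names and the sample bytes are assumptions made for illustration; Linux only.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"net/netip"
	"syscall"
)

// soOriginalDst is SO_ORIGINAL_DST from <linux/netfilter_ipv4.h>.
const soOriginalDst = 80

// decodeSockaddrIn parses a struct sockaddr_in as the kernel returns it:
// 2 bytes family, 2 bytes port (network order), 4 bytes IPv4 address.
func decodeSockaddrIn(raw []byte) (netip.AddrPort, error) {
	if len(raw) < 8 {
		return netip.AddrPort{}, errors.New("short sockaddr_in")
	}
	var ip [4]byte
	copy(ip[:], raw[4:8])
	port := binary.BigEndian.Uint16(raw[2:4])
	return netip.AddrPortFrom(netip.AddrFrom4(ip), port), nil
}

// originalDst returns the address a client dialed before the nat REDIRECT
// rule rewrote it. Call it on connections accepted by the listener that the
// REDIRECT rule targets; it errors when conntrack has no entry for conn.
func originalDst(conn *net.TCPConn) (netip.AddrPort, error) {
	rc, err := conn.SyscallConn()
	if err != nil {
		return netip.AddrPort{}, err
	}
	var dst netip.AddrPort
	var optErr error
	ctlErr := rc.Control(func(fd uintptr) {
		// IPv6Mreq serves only as a buffer large enough for sockaddr_in.
		mreq, e := syscall.GetsockoptIPv6Mreq(int(fd), syscall.IPPROTO_IP, soOriginalDst)
		if e != nil {
			optErr = e
			return
		}
		dst, optErr = decodeSockaddrIn(mreq.Multiaddr[:])
	})
	if ctlErr != nil {
		return netip.AddrPort{}, ctlErr
	}
	return dst, optErr
}

func main() {
	// Constructed bytes: AF_INET, port 443, 216.58.209.206 (the original_dst
	// value from the sniff sample on this page).
	raw := []byte{2, 0, 0x01, 0xbb, 216, 58, 209, 206, 0, 0, 0, 0, 0, 0, 0, 0}
	fmt.Println(decodeSockaddrIn(raw))
}
```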
To configure your system automatically, run the following command:
sudo env PATH=$PATH gohpts -d -T 8888 -M redirect -auto
Please note, automatic configuration requires sudo and is very generic, which might not be suitable for your needs.
You can optionally specify -mark <value> to prevent possible proxy loops
sudo env PATH=$PATH gohpts -d -T 8888 -M redirect -auto -mark 100
In tproxy mode proxying happens with the iptables mangle table and TPROXY target. The transparent proxy sees the destination address as is; it is not rewritten by the kernel. For this to work the proxy binds with the socket option IP_TRANSPARENT, iptables intercepts traffic using the TPROXY target, and routing rules tell marked packets to go to the local proxy without changing their original destination.
This mode requires elevated privileges to run GoHPTS. You can do that by running the following command:
sudo setcap 'cap_net_admin+ep' ~/go/bin/gohpts
To run GoHPTS in this mode you use -t or -T flags with -M tproxy
```
# run the proxy
gohpts -s 1080 -T 0.0.0.0:1090 -M tproxy -d
# run socks5 server on 127.0.0.1:1080
ssh remote -D 1080 -Nf
```
Setup your operating system:
```
ip netns exec ns-client ip route add default via 10.0.0.1
sysctl -w net.ipv4.ip_forward=1
iptables -t mangle -A PREROUTING -i veth1 -p tcp -j TPROXY --on-port 1090 --tproxy-mark 0x1/0x1
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
```
Test connection:
ip netns exec ns-client curl http://1.1.1.1
Undo everything:
```
sysctl -w net.ipv4.ip_forward=0
iptables -t mangle -F
ip rule del fwmark 1 lookup 100
ip route flush table 100
ip netns del ns-client
ip link del veth1
```
To configure your system automatically, run the following command (for example, on a separate VM):
```
ssh remote -D 1080 -Nf
sudo env PATH=$PATH gohpts -d -T 8888 -M tproxy -auto -mark 100
```
Run the following on your host:
```
ip route show default > /tmp/default-route.txt
ip route add 0.0.0.0/1 via 192.168.0.1 # change with ip of your VM
ip route add 128.0.0.0/1 via 192.168.0.1
```
Test connection:
curl http://example.com # check logs on your VM
Undo everything:
```
ip route del 0.0.0.0/1 via 192.168.0.1 2>/dev/null || true
ip route del 128.0.0.0/1 via 192.168.0.1 2>/dev/null || true
if [[ -f /tmp/default-route.txt ]]; then
    eval $(awk '{print "ip route add "$0}' /tmp/default-route.txt)
    rm -f /tmp/default-route.txt
else
    echo "Something went wrong"
fi
```
GoHPTS has a built-in ARP spoofer that can make all TCP-talking devices on your LAN use the proxy server to connect to the Internet. This is achieved by adding the -arpspoof flag with a couple of parameters, separated by semicolons.
Example:
```
ssh remote -D 1080 -Nf
sudo env PATH=$PATH gohpts -d -T 8888 -M tproxy -sniff -body -auto -mark 100 -arpspoof "targets 192.168.10.0/24;fullduplex true;debug true"
```
Proxy will scan for devices in subnet 192.168.10.0/24 and send them ARP packets to pretend to be a gateway. If fullduplex is true, proxy will send ARP packets to gateway as well to make it believe our proxy has each IP on the subnet.
After proxy is stopped with Ctrl+C, it will automatically unspoof all targets.
GoHPTS can also be used with tools like Bettercap to proxy ARP spoofed traffic.
Run the proxy:
```
ssh remote -D 1080 -Nf
sudo env PATH=$PATH gohpts -d -T 8888 -M tproxy -sniff -body -auto -mark 100
```
Run bettercap with this command (see documentation):
sudo bettercap -eval "net.probe on;net.recon on;set arp.spoof.fullduplex true;arp.spoof on"
Check proxy logs for traffic from other devices from your LAN
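On a spoofed host, the behaviour described above shows up in the neighbor table as the gateway IP resolving to the same MAC as another LAN address. The following added example (not part of GoHPTS) checks `/proc/net/arp`-formatted text for that pattern; the table contents, MAC addresses and function names are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed /proc/net/arp content: the gateway 192.168.10.1 resolves to the
// same MAC as 192.168.10.23, and 192.168.10.77 is an incomplete entry.
const sampleARP = `IP address       HW type     Flags       HW address            Mask     Device
192.168.10.1     0x1         0x2         52:54:00:aa:bb:23     *        eth0
192.168.10.23    0x1         0x2         52:54:00:aa:bb:23     *        eth0
192.168.10.40    0x1         0x2         52:54:00:10:20:40     *        eth0
192.168.10.77    0x1         0x0         00:00:00:00:00:00     *        eth0
`

// sharedMACs returns every MAC that answers for more than one IP address.
func sharedMACs(table string) map[string][]string {
	byMAC := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(table))
	sc.Scan() // header line
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 6 || f[2] == "0x0" { // malformed or incomplete entry
			continue
		}
		mac := strings.ToLower(f[3])
		byMAC[mac] = append(byMAC[mac], f[0])
	}
	for mac, ips := range byMAC {
		if len(ips) < 2 {
			delete(byMAC, mac)
			continue
		}
		sort.Strings(ips)
	}
	return byMAC
}

// gatewayImpostors lists the other IPs that share the gateway's MAC. A
// non-empty result means traffic for the gateway may be going to one of them.
func gatewayImpostors(table, gateway string) []string {
	for _, ips := range sharedMACs(table) {
		var others []string
		for _, ip := range ips {
			if ip != gateway {
				others = append(others, ip)
			}
		}
		if len(others) < len(ips) { // the gateway is in this group
			return others
		}
	}
	return nil
}

func main() {
	fmt.Println(gatewayImpostors(sampleARP, "192.168.10.1"))
}
```

Routers doing proxy ARP, redundant gateway pairs and multi-homed hosts can share a MAC legitimately, so a hit is a lead to verify. Switch-level Dynamic ARP Inspection or a static gateway entry keeps the cache from being overwritten in the first place.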
GoHPTS has UDP support that can be enabled in tproxy mode. For this setup to work you need to connect to a socks5 server capable of serving UDP connections (UDP ASSOCIATE). For example, you can use https://github.com/wzshiming/socks5 to deploy UDP capable socks5 server on some remote or local machine. Once you have the server to connect to, run the following command:
sudo env PATH=$PATH gohpts -s remote -Tu :8989 -M tproxy -auto -mark 100 -d
This command will configure your operating system and set up a server on the 0.0.0.0:8989 address.
To test it locally, you can combine UDP transparent proxy with -arpspoof flag. For example:
- Set up a VM on your system with any Linux distribution that supports tproxy (Kali Linux, for instance).
- Enable bridged network so that the VM can access your host machine.
- Move gohpts binary to the VM (via ssh, for instance) or build it there in case of different OS/arch.
- On your VM run the following command:
```
# Do not forget to replace <socks5 server> and <your host> with actual addresses
sudo ./gohpts -s <socks5 server> -T 8888 -Tu :8989 -M tproxy -sniff -body -auto -mark 100 -d -arpspoof "targets <your host>;fullduplex true;debug false"
```
- Check connection on your host machine, the traffic should go through Kali machine.
Transparent proxy can be enabled on Android devices (arm64) with root access. You can install Termux and run GoHPTS as a CLI tool there:
```
# you need to root your device first
pkg install tsu iproute2
# Android support added in v1.10.2
GOHPTS_RELEASE=v1.10.2; wget -v https://github.com/shadowy-pycoder/go-http-proxy-to-socks/releases/download/$GOHPTS_RELEASE/gohpts-$GOHPTS_RELEASE-android-arm64.tar.gz -O gohpts && tar xvzf gohpts && mv -f gohpts-$GOHPTS_RELEASE-android-arm64 gohpts && ./gohpts -h
# use your phone as router for LAN devices redirecting their traffic to remote socks5 server
sudo ./gohpts -s remote -t 8888 -Tu :8989 -M tproxy -sniff -body -auto -mark 100 -d -arpspoof "fullduplex true;debug false"
```
GoHPTS proxy allows one to capture and monitor traffic that goes through the service. This process is known as traffic sniffing, packet sniffing or just sniffing. In particular, the proxy tries to identify whether it is plain text (HTTP) or TLS traffic, and after identification is done, it parses request/response metadata and writes it to the file or console. In the case of GoHPTS proxy, the parsed metadata looks like the following (TLS Handshake):
```
[
  {
    "connection": {
      "tproxy_mode": "redirect",
      "src_local": "127.0.0.1:8888",
      "src_remote": "192.168.0.107:51142",
      "dst_local": "127.0.0.1:56256",
      "dst_remote": "127.0.0.1:1080",
      "original_dst": "216.58.209.206:443"
    }
  },
  {
    "tls_request": {
      "sni": "www.youtube.com",
      "type": "Client hello (1)",
      "version": "TLS 1.2 (0x0303)",
      "session_id": "2670a6779b4346e5e84d46890ad2aaf7a53b08adcfe0c9f6868c2d9882242e39",
      "cipher_suites": [
        "TLS_AES_128_GCM_SHA256 (0x1301)",
        "TLS_CHACHA20_POLY1305_SHA256 (0x1303)",
        "TLS_AES_256_GCM_SHA384 (0x1302)",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)",
        "TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)",
        "TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)",
        "TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)",
        "TLS_RSA_WITH_AES_256_CBC_SHA (0x35)"
      ],
      "extensions": [
        "server_name (0)",
        "extended_master_secret (23)",
        "renegotiation_info (65281)",
        "supported_groups (10)",
        "ec_point_formats (11)",
        "session_ticket (35)",
        "application_layer_protocol_negotiation (16)",
        "status_request (5)",
        "delegated_credential (34)",
        "signed_certificate_timestamp (18)",
        "key_share (51)",
        "supported_versions (43)",
        "signature_algorithms (13)",
        "psk_key_exchange_modes (45)",
        "record_size_limit (28)",
        "compress_certificate (27)",
        "encrypted_client_hello (65037)"
      ],
      "alpn": ["h2", "http/1.1"]
    }
  },
  {
    "tls_response": {
      "type": "Server hello (2)",
      "version": "TLS 1.2 (0x0303)",
      "session_id": "2670a6779b4346e5e84d46890ad2aaf7a53b08adcfe0c9f6868c2d9882242e39",
      "cipher_suite": "TLS_AES_128_GCM_SHA256 (0x1301)",
      "extensions": ["key_share (51)", "supported_versions (43)"],
      "supported_version": "TLS 1.3 (0x0304)"
    }
  }
]
```
And HTTP request with curl:
```
[
  {
    "connection": {
      "tproxy_mode": "redirect",
      "src_local": "127.0.0.1:8888",
      "src_remote": "192.168.0.107:45736",
      "dst_local": "127.0.0.1:37640",
      "dst_remote": "127.0.0.1:1080",
      "original_dst": "96.7.128.198:80"
    }
  },
  {
    "http_request": {
      "host": "example.com",
      "uri": "/",
      "method": "GET",
      "proto": "HTTP/1.1",
      "header": {
        "Accept": ["*/*"],
        "My": ["Header"],
        "User-Agent": ["curl/7.81.0"]
      }
    }
  },
  {
    "http_response": {
      "proto": "HTTP/1.1",
      "status": "200 OK",
      "content-length": 1256,
      "header": {
        "Cache-Control": ["max-age=2880"],
        "Connection": ["keep-alive"],
        "Content-Length": ["1256"],
        "Content-Type": ["text/html"],
        "Date": ["Tue, 17 Jun 2025 14:43:24 GMT"],
        "Etag": ["\"84238dfc8092e5d9c0dac8ef93371a07:1736799080.121134\""],
        "Last-Modified": ["Mon, 13 Jan 2025 20:11:20 GMT"]
      }
    }
  }
]
```
Usage is as simple as specifying the -sniff flag along with regular flags:
gohpts -d -t 8888 -M redirect -sniff -j
You can also specify a file to write sniffed traffic to:
gohpts -sniff -snifflog ~/sniff.log -j
You can see the example of colored output in the picture above. In this mode, GoHPTS tries to highlight important information such as TLS Handshake, HTTP metadata, something that looks like login/passwords or different types of auth and secret tokens. The output is limited compared to JSON but way easier to read for humans.
To run GoHPTS in this mode you use the following flags:
gohpts -sniff -body
You can combine sniffing with transparent mode:
./gohpts -T 8888 -M redirect -sniff -body
To disable colors add -nocolor:
gohpts -sniff -body -nocolor
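To show what one JSON sniff record (-sniff -j) discloses about a connection, here is an added example, not code from GoHPTS, that reduces a record to source, original destination, server name and TLS version, and flags plaintext HTTP and legacy cipher suites offered by the client. The `Flow` type, `summarize` function and trimmed sample record are assumptions built from the record shape shown above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed record in the shape of the -sniff -j output above (trimmed).
const sampleRecord = `[
 {"connection":{"src_remote":"192.168.0.107:51142","original_dst":"216.58.209.206:443"}},
 {"tls_request":{"sni":"www.youtube.com","version":"TLS 1.2 (0x0303)","cipher_suites":[
   "TLS_AES_128_GCM_SHA256 (0x1301)","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)",
   "TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)"]}},
 {"tls_response":{"version":"TLS 1.2 (0x0303)","supported_version":"TLS 1.3 (0x0304)"}}]`

// Flow is what the proxy operator learns about one sniffed connection.
type Flow struct {
	Src       string   `json:"src_remote"`
	Dst       string   `json:"original_dst"`
	SNI       string   `json:"sni"`
	Host      string   `json:"host"`
	Version   string   `json:"version"`
	Supported string   `json:"supported_version"`
	Offered   []string `json:"cipher_suites"`
	Plaintext bool     `json:"-"` // set when an http_request section is present
	Legacy    []string `json:"-"` // static-RSA or CBC suites the client offered
}

// summarize folds the sections of one record into a single Flow.
func summarize(record []byte) (Flow, error) {
	var f Flow
	var sections []map[string]json.RawMessage
	if err := json.Unmarshal(record, &sections); err != nil {
		return f, err
	}
	for _, section := range sections {
		for kind, raw := range section {
			// Each section fills only the fields it carries.
			if err := json.Unmarshal(raw, &f); err != nil {
				return f, err
			}
			f.Plaintext = f.Plaintext || kind == "http_request"
		}
	}
	if f.Supported != "" {
		f.Version = f.Supported // TLS 1.3 keeps 0x0303 in the legacy version field
	}
	for _, s := range f.Offered {
		if strings.HasPrefix(s, "TLS_RSA_WITH_") || strings.Contains(s, "_CBC_") {
			f.Legacy = append(f.Legacy, s)
		}
	}
	return f, nil
}

func main() {
	fmt.Println(summarize([]byte(sampleRecord)))
}
```

Even for TLS traffic the record names the client, the destination and the requested host, which is the metadata to account for when deciding who may run or read such a log.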
Learn more about transparent proxies by visiting the following links:
https://github.com/heiher/hev-socks5-tproxy
socks5 proxy with UDP ASSOCIATE support:
Are you a developer?
- Fork the repository
- Create your feature branch: git switch -c my-new-feature
- Commit your changes: git commit -am 'Add some feature'
- Push to the branch: git push origin my-new-feature
- Submit a pull request
GPLv3

