I Hate This Country
- Go 84.2%
- Nix 15.8%
| cmd/ihtc | ||
| docs/superpowers | ||
| internal | ||
| .gitignore | ||
| flake.lock | ||
| flake.nix | ||
| go.mod | ||
| LICENSE | ||
| README.md | ||
ihtc
Local HTTP forward proxy for bypassing SNI-based DPI censorship. Splits the TLS ClientHello across multiple TCP packets to evade deep packet inspection.
Quick Start
go build -o ihtc ./cmd/ihtc/
./ihtc --auto-proxy
This binds 127.0.0.1:8080, serves a PAC file, and configures macOS auto proxy for all network services. Browsers route traffic through ihtc automatically.
On Ctrl+C, the proxy is disabled and browsers fall back to direct connections.
Usage
ihtc [flags]
--listen string Address to bind (default "127.0.0.1:8080")
--min-chunk int Minimum bytes per fragment (default 3)
--max-chunk int Maximum bytes per fragment (default 8)
--delay-us int Max microsecond delay between fragments (default 500)
--verbose Enable debug logging
--auto-proxy Set macOS auto proxy configuration
Without --auto-proxy, point your browser/app at 127.0.0.1:8080 as an HTTP proxy manually.
How It Works
When a browser opens an HTTPS connection through the proxy:
- The browser sends a TLS ClientHello containing the target hostname (SNI)
- ihtc reads the complete ClientHello, then writes it in small random chunks (2-8 bytes by default) with microsecond delays between each
- TCP sends each chunk as its own segment — simple DPIs see only fragments, not the hostname
- After the handshake, ihtc relays data transparently in both directions
Limitations
- TCP only (no QUIC/HTTP3)
- Not effective against DPIs that perform TCP stream reassembly
- No authentication (local-only, trusted environment)
License
MIT — see LICENSE.