Public | Automated Build

Last pushed: 2 years ago
Short Description
Short description is empty for this repo.
Full Description


Lightweight host-spoofing web proxy written in go.

flashlight runs in one of two modes:

client - meant to run locally to wherever the browser is running, forwards
requests to the server

server - handles requests from a flashlight client proxy and actually proxies
them to the final destination

Using CloudFlare (and other CDNS), flashlight has the ability to masquerade as
running on a different domain than it is. The client simply specifies the
"masquerade" flag with a value like "". flashlight will then
use that masquerade host for the DNS lookup and will also specify it as the
ServerName for SNI (though this is not actually necessary on CloudFlare). The
Host header of the HTTP request will actually contain the correct host
(e.g., which causes CloudFlare to route the request to the
correct host.

Flashlight uses enproxy to encapsulate
data from/to the client as http request/response pairs. This allows it to
tunnel regular HTTP as well as HTTPS traffic over CloudFlare. In fact, it can
tunnel any TCP traffic.


Usage of flashlight:
  -addr (required): ip:port on which to listen for requests.  When running as a client proxy, we'll listen with http, when running as a server proxy we'll listen with https
  -configdir="": directory in which to store configuration (defaults to current directory)
  -cpuprofile="": write cpu profile to given file
  -dumpheaders=false: dump the headers of outgoing requests and responses to stdout
  -help=false: Get usage help
  -instanceid="": instanceId under which to report stats to statshub.  If not specified, no stats are reported.
  -masquerade="": masquerade host: if specified, flashlight will actually make a request to this host's IP but with a host header corresponding to the 'server' parameter
  -role (required): either 'client' or 'server'
  -rootca="": pin to this CA cert if specified (PEM format)
  -server (required): FQDN of flashlight server
  -serverport=443: the port on which to connect to the server

-rootca needs to be the complete PEM data, with header and trailer and all
newlines, for example:

flashlight -addr localhost:10080 -server localhost -serverport 10081 -rootca "-----BEGIN CERTIFICATE-----

IMPORTANT - when running a test locally, run the server first, then pass the
contents of servercert.pem to the client flashlight with the -rootca flag. This
way the client will trust the local server, which is using a self-signed cert.

Example Client:

./flashlight -addr localhost:10080 -server -masquerade

Example Server:

./flashlight -addr :443

Example Curl Test:

curl -x localhost:10080
Google is built by a large team of engineers, designers, researchers, robots, and others in many different sites across the globe. It is updated continuously, and built with more tools and technologies than we can shake a stick at. If you'd like to help us out, see

On the client, you should see something like this for every request:

Handling request for:


Flashlight requires Go 1.3.

It is convenient to build flashlight for multiple platforms using something like

With goxc, the binaries used for Lantern can be built like this:

goxc -build-ldflags="-w" -bc="linux,386 linux,amd64 windows,386 darwin" validate compile

-build-ldflags="-w" causes the linker to omit debug symbols, which makes the
resulting binaries considerably smaller.

The binaries end up at

Note that these binaries should also be signed for use in production, at least on OSX and Windows. On OSX the command to do this should resemble the following (assuming you have an associated code signing certificate):

codesign -s "Developer ID Application: Brave New Software Project, Inc" -f install/osx/pt/flashlight/flashlight

Adding new masquerade hosts

The script in the certs directory will take all the certificate files in that directory and will format them according to supplied Jinja templates. The usage is as follows:

Usage: ./ -t <templatefile> -o <outputfile>

This is handy for converting those certificates to go code, for example. See certs/gostruct.tmpl as an example. certs/cloud.yaml.tmpl is an example yaml template.

Docker Pull Command
Source Repository

Comments (0)