Erlang HTTPS CONNECT Proxy with Custom Encryption (C-S Architecture) – Designed for Restricted Networks

Hi everyone,

I’d like to share a project I’ve been working on – an HTTPS CONNECT proxy implemented in Erlang, specifically designed for environments where internet access is restricted by national firewalls.

GitHub: erlang-https-proxy

Who this is for

This project is aimed at users in regions where firewalls block access to certain websites and services. If you are behind a restrictive national firewall, this proxy can help you bypass those restrictions efficiently.

What it does

This is a client-server (C-S) architecture proxy with two components:

  • https_proxy_c – runs on your local machine (inside the restricted region)

  • https_proxy_s – runs on a VPS outside the restricted region

It handles HTTPS CONNECT requests from your browser, forwards them to your VPS through an encrypted tunnel that is designed to avoid firewall detection, and then connects to the target website.

Why traditional methods are slow

Traditional SSH tunneling applies double encryption (SSH + TLS), which adds significant overhead. This is especially problematic when you already have limited bandwidth. This proxy uses only a single, lightweight transformation on the CONNECT handshake, leaving the actual HTTPS data untouched. The result is near-direct connection speeds even when bypassing a national firewall.

Key features for firewall evasion

  • Password authentication between client and server

  • Custom encryption seeds – you define the obfuscation pattern

  • No protocol signature – unlike SSH’s “SSH-2.0” banner

  • Randomized byte distribution – bypasses entropy-based detection

  • No fixed timing patterns – traffic looks like random binary data or a custom game protocol

How it bypasses firewall detection

The client encrypts the initial CONNECT request using a user-defined seed list. To a deep packet inspection system, this traffic is indistinguishable from random binary data or a normal game protocol. Since the encryption seeds are only known to you, the firewall cannot build a signature to detect and block this proxy.

Performance in restricted environments

On modest hardware (2 vCPU, 4GB RAM), it can handle 10,000+ concurrent connections. Latency is around 1-5ms per connection, compared to 50-200ms for SSH tunneling. This makes it practical even on slower connections common in some restricted regions.

Quick start

# Compile
erlc https_proxy_c.erl
erlc https_proxy_s.erl

# Run server on VPS (outside restricted region)
erl -s https_proxy_s

# Run client locally (inside restricted region)
erl -s https_proxy_c

# Set browser proxy to 127.0.0.1:10088

Requirements

  • A VPS located outside your country’s firewall

  • Erlang/OTP 28 installed on both client and server

  • Basic understanding of proxy configuration

Disclaimer

This tool is intended for legitimate privacy protection and accessing information in regions with oppressive censorship. Please comply with your local laws.

Feedback, issues, and pull requests are welcome.

Thanks for reading – and stay safe online.

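The post says only the CONNECT handshake is transformed and the HTTPS data is left untouched. As an added example (not code from the project), this Python sketch shows what that means on the client-to-server leg: the browser's relayed TLS ClientHello still carries its record header and server name in cleartext. The segment layout, the `example.org` name and the placeholder handshake bytes are constructed assumptions; the project's actual transform is not shown on the page.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal ClientHello record with a single server_name extension."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", 0, len(sni)) + sni                 # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)        # legacy_version, random (zeros: constructed)
            + b"\x00"                      # empty session_id
            + b"\x00\x02\x13\x01"          # one cipher suite
            + b"\x01\x00"                  # null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(segment: bytes):
    """Return the host name from a ClientHello at the start of segment, else None."""
    if len(segment) < 5 or segment[0] != 0x16 or segment[1] != 0x03:
        return None                        # not a TLS handshake record
    hs = segment[5:5 + struct.unpack("!H", segment[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    try:
        p = 4 + 2 + 32                     # handshake header, version, random
        p += 1 + hs[p]                     # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
        p += 1 + hs[p]                     # compression_methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= min(end, len(hs)):
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            if etype == 0:                 # server_name: list_len, name_type, name_len, name
                nlen = struct.unpack("!H", hs[p + 7:p + 9])[0]
                return hs[p + 9:p + 9 + nlen].decode("ascii", "replace")
            p += 4 + elen
    except (IndexError, struct.error):
        pass                               # truncated or malformed hello
    return None

# Constructed client-to-server leg: an opaque first segment standing in for the
# transformed CONNECT (placeholder bytes, not the project's scheme), then the
# browser's ClientHello relayed as-is.
OPAQUE_HANDSHAKE = bytes((i * 37 + 11) % 256 for i in range(48))
SEGMENTS = [OPAQUE_HANDSHAKE, build_client_hello("example.org")]

def visible_names(segments):
    return [extract_sni(s) for s in segments]
```

Calling `visible_names(SEGMENTS)` returns `None` for the opaque handshake segment and the host name for the relayed ClientHello.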