{"id":15639937,"url":"https://github.com/hectorm/demergi","last_synced_at":"2025-04-04T20:07:29.895Z","repository":{"id":37955764,"uuid":"435005518","full_name":"hectorm/demergi","owner":"hectorm","description":"A proxy server that helps to bypass the DPI systems implemented by various ISPs.","archived":false,"fork":false,"pushed_at":"2025-03-24T18:32:02.000Z","size":3300,"stargazers_count":116,"open_issues_count":4,"forks_count":9,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-28T19:08:14.299Z","etag":null,"topics":["bypass","deep-packet-inspection","dpi","proxy"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/demergi","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hectorm.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"hectorm","custom":"https://hector.molinero.dev/donate"}},"created_at":"2021-12-04T20:46:40.000Z","updated_at":"2025-03-18T23:56:49.000Z","dependencies_parsed_at":"2024-05-18T14:30:22.960Z","dependency_job_id":"88fd0ca1-63a8-4082-a034-d49e1f541026","html_url":"https://github.com/hectorm/demergi","commit_stats":{"total_commits":740,"total_committers":3,"mean_commits":"246.66666666666666","dds":0.3851351351351351,"last_synced_commit":"591201a7f7b5365e4ae3f4edb711102cf2ba209f"},"previous_names":[],"tags_count":59,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hectorm%2Fdemergi","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hectorm%2Fdemergi/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hectorm%2Fdemergi/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hectorm%2Fdemergi/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hectorm","download_url":"https://codeload.github.com/hectorm/demergi/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247242671,"owners_count":20907133,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bypass","deep-packet-inspection","dpi","proxy"],"created_at":"2024-10-03T11:28:36.823Z","updated_at":"2025-04-04T20:07:29.873Z","avatar_url":"https://github.com/hectorm.png","language":"JavaScript","funding_links":["https://github.com/sponsors/hectorm","https://hector.molinero.dev/donate"],"categories":[],"sub_categories":[],"readme":"[![Last version](https://img.shields.io/github/v/release/hectorm/demergi?label=version)](https://github.com/hectorm/demergi/releases)\n[![Docker image size](https://img.shields.io/docker/image-size/hectorm/demergi/latest?label=docker%20image%20size)](https://hub.docker.com/r/hectorm/demergi/tags)\n[![License](https://img.shields.io/github/license/hectorm/demergi?label=license)](./LICENSE.md)\n\n---\n\n# Demergi\n\nA zero dependency proxy server that helps to bypass the Deep Packet Inspection (DPI) systems implemented by [various ISPs](./ISP.md).\n\n## How does it work?\n\nAlthough traffic over an HTTPS connection is encrypted, the client and server exchange some information during the initial TLS handshake to negotiate the encryption. In this initial handshake, the client sends the name of the server it is contacting in clear text (ClientHello packet) so that the server knows which certificate to provide. Deep Packet Inspection (DPI) systems can intercept this communication and block the connection. To avoid detection, Demergi fragments and modifies this initial packet.\n\nThere are promising solutions to the problem of hiding as much information as possible in the initial handshake of a TLS connection, one being [Encrypted Client Hello (ECH)](https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni). However, until these solutions are fully deployed, tools such as Demergi can be useful as evasion mechanisms.\n\nTo learn more about how a TLS connection works, I recommend these excellent resources:\n\n- [The Illustrated TLS 1.2 Connection](https://tls12.xargs.org).\n- [The Illustrated TLS 1.3 Connection](https://tls13.xargs.org).\n\nFor HTTP traffic, Demergi also modifies the packet header to make interception more difficult, but as the traffic is not encrypted, this should be avoided where possible.\n\n\u003e [!WARNING]\n\u003e Demergi **should not be used as a replacement for a VPN** if you are concerned about the consequences of your traffic being detected, as the techniques used are not infallible, but are good enough to access blocked content from your own network without the need for a VPN.\n\n## How do I use it?\n\nDemergi is an HTTP/HTTPS proxy server designed to be deployed within the network where traffic is being blocked. Either on the device you wish to access the content from or on a network appliance.\n\nSimply deploy it and adjust the proxy settings of your browser or other software to connect through Demergi.\n\n### Command line\n\nYou can install Demergi with npm:\n\n```sh\nnpm install -g demergi\n```\n\nOr directly download the latest version from the releases section.\n\n\u003e [!NOTE]\n\u003e If you want to install it as a service, you can use the following [systemd unit](./resources/systemd/) or [macOS launchd service](./resources/launchd/) as a reference.\n\nOnce installed, you can run it with the `demergi` command.\n\n```\n$ demergi --help\nUsage: demergi [OPTION]...\n\nA proxy server that helps to bypass the DPI systems implemented by various ISPs.\n\nProxy:\n  -A, --addrs STR, $DEMERGI_ADDRS\n  The address list separated by commas or spaces to bind the server to\n  (\"[::]:8080\" by default).\n\n  -H, --hosts STR, $DEMERGI_HOSTS\n  The host list separated by commas or spaces to apply the evasion techniques,\n  will be applied to all hosts if unspecified (unspecified by default).\n\n  -W, --workers NUM, $DEMERGI_WORKERS\n  The number of workers (0 by default).\n\n  --tls-ca STR, $DEMERGI_TLS_CA\n  Path to the TLS certificate bundle used to verify the client identity\n  (unspecified by default).\n\n  --tls-key STR, $DEMERGI_TLS_KEY\n  Path to the server TLS key (unspecified by default).\n\n  --tls-cert STR, $DEMERGI_TLS_CERT\n  Path to the server TLS certificate (unspecified by default).\n\n  --inactivity-timeout NUM, $DEMERGI_INACTIVITY_TIMEOUT\n  Maximum time in ms before the connection is closed due to inactivity\n  (60000 by default).\n\n  --happy-eyeballs BOOL, $DEMERGI_HAPPY_EYEBALLS\n  Enable Happy Eyeballs algorithm (RFC 8305) (EXPERIMENTAL) (false by default).\n\n  --happy-eyeballs-timeout NUM, $DEMERGI_HAPPY_EYEBALLS_TIMEOUT\n  Maximum time in ms for IPv6 before trying IPv4 (250 by default).\n\nResolver:\n  --dns-mode STR, $DEMERGI_DNS_MODE\n  The DNS resolver mode, valid values are \"plain\", \"doh\" and \"dot\" (\"doh\" by\n  default).\n\n  --dns-cache-size NUM, $DEMERGI_DNS_CACHE_SIZE\n  The maximum number of entries in the DNS cache (100000 by default).\n\n  --doh-url STR, $DEMERGI_DOH_URL\n  The DoH server URL (\"https://1.0.0.1/dns-query\" by default).\n\n  --doh-tls-servername STR, $DEMERGI_DOH_TLS_SERVERNAME\n  The server name to check in the DoH server certificate (unspecified by\n  default).\n\n  --doh-tls-pin STR, $DEMERGI_DOH_TLS_PIN\n  The pin to check in the DoH server certificate. The pin must be a base64\n  encoded SHA256 hash of the public key (unspecified by default).\n\n  --dot-server STR, $DEMERGI_DOT_SERVER\n  The DoT server host and optionally port (\"1.0.0.1\" by default).\n\n  --dot-tls-servername STR, $DEMERGI_DOT_TLS_SERVERNAME\n  The server name to check in the DoT server certificate (unspecified by\n  default).\n\n  --dot-tls-pin STR, $DEMERGI_DOT_TLS_PIN\n  The pin to check in the DoT server certificate. The pin must be a base64\n  encoded SHA256 hash of the public key (unspecified by default).\n\nHTTPS:\n  --https-clienthello-size NUM, $DEMERGI_HTTPS_CLIENTHELLO_SIZE\n  The maximum chunk size in bytes for the ClientHello packet. A less than 1\n  value disables fragmentation (40 by default).\n\n  --https-clienthello-tlsv STR, $DEMERGI_HTTPS_CLIENTHELLO_TLSV\n  The TLS protocol version to set in the ClientHello packet, valid values are\n  \"1.0\", \"1.1\", \"1.2\" and \"1.3\" (\"1.3\" by default).\n\nHTTP:\n  --http-newline-separator STR, $DEMERGI_HTTP_NEWLINE_SEPARATOR\n  The string to use to separate new lines (\"\\r\\n\" by default).\n\n  --http-method-separator STR, $DEMERGI_HTTP_METHOD_SEPARATOR\n  The string to use to separate the HTTP method from the target (\" \" by\n  default).\n\n  --http-target-separator STR, $DEMERGI_HTTP_TARGET_SEPARATOR\n  The string to use to separate the target from the HTTP version (\" \" by\n  default).\n\n  --http-host-header-separator STR, $DEMERGI_HTTP_HOST_HEADER_SEPARATOR\n  The string to use to separate the host header key from its value (\":\" by\n  default).\n\n  --http-mix-host-header-case BOOL, $DEMERGI_HTTP_MIX_HOST_HEADER_CASE\n  Alternate upper and lower case in the host header (true by default).\n\nInfo:\n  -l, --log-level STR, $DEMERGI_LOG_LEVEL\n  The log level, valid values are \"debug\", \"info\", \"warn\", \"error\" and \"none\"\n  (\"info\" by default).\n\n  -v, --version\n  Show version and quit.\n\n  -h, --help\n  Show this help and quit.\n```\n\n### Docker/Podman\n\nDemergi is also distributed in container images. The default behaviour can be changed using environment variables or container arguments.\n\n#### [Docker Hub](https://hub.docker.com/r/hectorm/demergi/tags):\n\n```sh\ndocker run -p 8080:8080 docker.io/hectorm/demergi:latest\n```\n\n#### [GitHub Container Registry](https://github.com/hectorm/demergi/pkgs/container/demergi):\n\n```sh\ndocker run -p 8080:8080 ghcr.io/hectorm/demergi:latest\n```\n\n## License\n\n[MIT License](./LICENSE.md) © [Héctor Molinero Fernández](https://hector.molinero.dev/).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhectorm%2Fdemergi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhectorm%2Fdemergi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhectorm%2Fdemergi/lists"}