Comments (7)
One thing worth mentioning: almost the same goal has been implemented in some proxy software in China. V2Ray has a WebSocket transport layer and TLS support, and VMess over WSS is one of the most popular proxy protocols in China. Trojan-Go also has a WebSocket transport, and because of its low overhead it became popular. In a typical deployment, they're hidden behind a web server (Nginx or Caddy); if you are interested in it, here's some example config: https://github.com/v2fly/v2ray-examples About WebSocket, one good thing is that they can be proxied by a CDN (in most situations Cloudflare).
In a typical deployment, they're hidden behind a web server (Nginx or Caddy); if you are interested in it, here's some example config: https://github.com/v2fly/v2ray-examples
Thank you for these links. Let me see if I understand. I am looking at https://github.com/v2fly/v2ray-examples/tree/23ff897072fb51ee23f5c4391a2118a2c328d934/VMess-Websocket-TLS/Nginx. In nginx_Domain.Name.conf there is a section that forwards requests for a secret path /GLMzpX/ to 127.0.0.1:10086 using proxy_pass:

    upstream v2ray {
        server 127.0.0.1:10086; # Note: the address and port the v2ray backend listens on
        keepalive 2176;         # number of idle connections kept in the connection pool
    }
    ...
    location /GLMzpX/ { # Note: change this path
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade; # corresponds to the <map> block
        proxy_set_header Host $http_host;
        # pass the visitor's IP to the backend
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # redirect backend errors
        proxy_intercept_errors on;
        error_page 400 = URL; # URL is a website address, e.g. https://www.xxxx.com/
        if ($http_host = "domain.Name" ) { # Note: change domain.Name to your own domain
            # v2ray backend; see the "upstream" block above
            proxy_pass http://v2ray;
        }
    }
In config_client.json, there is a stanza configuring WebSocket-in-TLS. I suppose that the /PATH/ would have to be changed to match the secret path above.

    "streamSettings": {
        "tlsSettings": {
            "allowInsecure": false
        },
        "wsSettings": {
            "headers": {
                "Host": "domain.Name"
            },
            "path": "/PATH/"
        },
        "network": "ws",
        "security": "tls"
    },
I agree, this is quite similar. It gives proper probing resistance while hiding the proxy behind a secret path. In HTTPT, they found that it is not even necessary to use WebSocket framing when using such a setup, though it may be required when forwarding through Cloudflare, I am not sure.
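The property being discussed above, that a prober who does not hold the secret path (or does not complete a proper WebSocket upgrade) gets the same answer from the web server as any stray request, can be checked against one's own deployment. The following script is an added example written for this thread, not code from the discussion or from the V2Ray project: it models a small set of probes, compares the replies after discarding headers that legitimately vary (Date, Set-Cookie and so on), and lists the probes whose reply differs from a random-path baseline. The `Reply` type, `probe_plan`, `fetch`, `sample_replies` and `leaking_probes` are this example's own names, and the replies in `sample_replies` are constructed stand-ins, not captures from a real server.

```python
"""Probe-uniformity check for a hidden-WebSocket-proxy deployment
(added example; helper names and sample replies are assumptions)."""
from dataclasses import dataclass
import http.client
import secrets
import ssl

# Header values that legitimately differ between otherwise identical
# responses; they are ignored when comparing replies.
VOLATILE_HEADERS = {"date", "set-cookie", "etag", "last-modified", "expires"}


@dataclass(frozen=True)
class Reply:
    status: int
    headers: tuple  # ((name, value), ...) as sent by the server
    body: bytes


def fingerprint(reply: Reply) -> tuple:
    """Reduce a reply to the parts a prober could actually distinguish."""
    stable = sorted(
        (k.lower(), v) for k, v in reply.headers if k.lower() not in VOLATILE_HEADERS
    )
    return (reply.status, tuple(stable), reply.body)


def probe_plan(secret_path: str, host: str) -> dict:
    """Requests a prober could send; the baseline is a random path nobody serves."""
    random_path = "/" + secrets.token_urlsafe(8) + "/"
    ws = {"Upgrade": "websocket", "Connection": "Upgrade"}
    return {
        "baseline_random_path": (random_path, {"Host": host}),
        "secret_path_no_upgrade": (secret_path, {"Host": host}),
        "secret_path_wrong_host": (secret_path, {"Host": "example.invalid", **ws}),
        # Upgrade headers but no Sec-WebSocket-Key: an incomplete handshake
        "secret_path_incomplete_upgrade": (secret_path, {"Host": host, **ws}),
    }


def leaking_probes(replies: dict) -> list:
    """Names of probes whose reply is distinguishable from the baseline."""
    base = fingerprint(replies["baseline_random_path"])
    return sorted(name for name, r in replies.items() if fingerprint(r) != base)


def fetch(server: str, path: str, headers: dict, port: int = 443) -> Reply:
    """Send one HTTPS request to a server you operate (live mode only)."""
    conn = http.client.HTTPSConnection(
        server, port, context=ssl.create_default_context(), timeout=10
    )
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    reply = Reply(resp.status, tuple(resp.getheaders()), resp.read())
    conn.close()
    return reply


def sample_replies(leaky: bool) -> dict:
    """Constructed replies (not captured) for running the check offline."""
    not_found = Reply(
        404,
        (("Server", "nginx"), ("Content-Type", "text/html"), ("Date", "Mon, 01 Jan 2024 00:00:00 GMT")),
        b"<h1>404 Not Found</h1>",
    )
    replies = {name: not_found for name in probe_plan("/GLMzpX/", "domain.Name")}
    if leaky:
        # A deployment that answers the secret path with a redirect instead of
        # the ordinary 404 would be distinguishable; Date differs on purpose.
        replies["secret_path_no_upgrade"] = Reply(
            302,
            (("Server", "nginx"), ("Location", "https://www.xxxx.com/"), ("Date", "Mon, 01 Jan 2024 00:00:01 GMT")),
            b"",
        )
    return replies


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3:  # usage: check.py <your-domain> <secret-path>
        host, secret = sys.argv[1], sys.argv[2]
        got = {n: fetch(host, p, h) for n, (p, h) in probe_plan(secret, host).items()}
    else:
        got = sample_replies(leaky=True)
    print("probes answered differently from baseline:", leaking_probes(got) or "none")
```

Run without arguments the script uses the constructed replies; with a domain and secret path it sends the probe set to that server. A legitimate WebSocket client is deliberately not in the plan: the point of the check is that every request lacking the full secret handshake, including the wrong-Host and incomplete-upgrade variants, collapses onto the same reply as an arbitrary unknown path.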
It is true that we probably are not the first to think of hiding the proxies behind popular applications. Out of those popular applications, the web servers seem to be the best choice, but I encourage the use of other applications, too, as well as highly encourage other HTTPS proxying implementations. This paper's primary purpose is to convince the censorship circumvention tool developers to redirect their efforts into this approach.
Deployment of HTTPS proxies is considerably more complicated than shadowsocks or obfs4, so anti-censorship developers need to know the benefits before spending the effort, and we documented those benefits. As David summed up, we argue that our HTTPS proxying approach is practical, performant, resistant to the current state-of-the-art probing attacks, and more resistant to fingerprinting than other protocols, including randomized ones. We've also shown that you don't need original website content, which was a potential pain point for censorship circumvention developers, although, as David pointed out, that "requires some thought towards what to return on an authentication failure"; perhaps we can eventually automate the random selection of one of the options and its deployment.
And VLESS Protocol: v2ray/v2ray-core#2636
https://www.v2fly.org/config/protocols/vless.html#fallbackobject
https://github.com/v2fly/v2ray-examples/tree/master/VLESS-TCP-TLS-WS%20(recommended)
When working over TLS, the VLESS protocol supports pure TLS, WebSocket, and even a fake HTTP header at the same time.
Also, when using WebSocket or a fake HTTP header, users are able to replace VLESS with VMess or any other protocol.
VLESS will simply recognize the HTTP PATH, then transfer data to another VLESS or maybe another protocol.
(Plus, CDN like CloudFlare supports WebSocket.)
Another lightweight way is the fake HTTP header; its HTTP PATH can be recognized by VLESS when VLESS is handling TLS on the server side.
https://www.v2fly.org/config/transport/tcp.html#httpheaderobject