Cloak
Shadowsocks-Rust and Cloak
Hello.
I wanted to go for a rather simple setup with docker.
I have installed Shadowsocks-rust on docker with a docker-compose file.
On the ShadowSocks-Rust Server container, I have installed cloak by having the executable file on the host system and mapped it into the container.
In the SS config I have configured it to use the plugin using the path.
This seemed to work, but cloak complained about the config file.
I then also mapped a config file into the docker container (I can also access it from inside the docker container) but it still complains.
My config for the plugin in ssserver.json is:
```json
"plugin": "/usr/bin/ck-server-linux-amd64", // or the correct path to the plugin
"plugin_opts": "-c /etc/cloak/ckserver.json",
```
And I get this error:
```
docker-compose up
✔ Network container_default Created 0.1s
✔ Container sslocal-rust Created 0.1s
✔ Container ssserver-rust Created 0.1s
Attaching to sslocal-rust, ssserver-rust
ssserver-rust | /usr/bin/docker-entrypoint.sh: Configuration complete; ready for start up
sslocal-rust | /usr/bin/docker-entrypoint.sh: Configuration complete; ready for start up
ssserver-rust | INFO shadowsocks server 1.17.0 build 2023-10-15T02:34:53.113976544+00:00
ssserver-rust | INFO shadowsocks tcp server listening on 127.0.0.1:37955, inbound address 0.0.0.0:8388
ssserver-rust | INFO shadowsocks udp server listening on 0.0.0.0:8388, inbound address 0.0.0.0:8388
sslocal-rust | INFO shadowsocks local 1.17.0 build 2023-10-15T02:36:35.925045219+00:00
sslocal-rust | INFO shadowsocks socks TCP listening on 127.0.0.1:1199
ssserver-rust | time="2023-11-18T13:39:19Z" level=fatal msg="Configuration file error: failed to read/unmarshal configuration, path is invalid or unexpected end of JSON input"
ssserver-rust | ERROR plugin exited with status: exit status: 1
ssserver-rust | server aborted with server exited unexpectedly
ssserver-rust exited with code 0
ssserver-rust exited with code 70
```
This is my config file for cloak:
```json
{
  "ProxyBook": {
    "shadowsocks": [
      "tcp",
      "127.0.0.1:8388"
    ]
  },
  "BindAddr": [
    ":443",
    ":80"
  ],
  "RedirAddr": "google.com"
}
```
I wanted the TLS encryption to be done by my nginx server on the host, which is why I didn't include any SSL keys.
If that was the issue, I'd at least expect a different error message.
Why is cloak not finding the config file?
I mapped it like this: .../container-data/ckserver.json:/etc/cloak/ckserver.json
And I can read it from within the docker container:
```
user@server: docker exec -it ssserver-rust cat /etc/cloak/ckserver.json
{
  "ProxyBook": {
    "shadowsocks": [
      "tcp",
      "127.0.0.1:8388"
    ]
  },
  "BindAddr": [
    ":443",
    ":80"
  ],
  "RedirAddr": "google.com"
}
```
Ahaaa. So by running the ck-server directly from within the docker container, it says that it requires a private key.
But since my TLS encryption should happen from the reverse proxy and not from cloak (since I don't want to map my certificate into a docker container and have redirect loop issues etc.), how can I configure cloak to only serve HTTP traffic?
Ahaaa I get it now.
It's used as some sort of password rather than encryption?
Anyway I got it working now.
The only help that I need now is how do I configure the path correctly?
What is the default path for the config?
Because when I start the cloak server using shadowsocks plugin settings, it does not find the file.
But the config is functional now.
This is how the plugin is currently configured.
```json
"plugin": "/usr/bin/ck-server-linux-amd64",
"plugin_opts": "-c /etc/cloak/ckserver.json",
```
I also tried:
```json
"plugin": "/usr/bin/ck-server-linux-amd64 -c /etc/cloak/ckserver.json",
```
But then the ssserver does not find it:
```
ssserver-rust | ERROR failed to start plugin "/usr/bin/ck-server-linux-amd64 -c /etc/cloak/ckserver.json" for server 0.0.0.0:8388, err: No such file or directory (os error 2)
```
Cdn mode
I don't clearly get this.
Well, I managed to get cloak server running now but
I have read about cdn in the docs and put the cloak server to listen on 0.0.0.0:80, with the docker config I changed the port from :80 to 127.0.0.1:8389 and on my nginx reverse proxy I set it to point to http://127.0.0.1:8389.
But the shadowrocket vpn client does not seem to establish a functioning connection.
I don't clearly understand what options I need to set.
On the client I configured:
My domain as address (my webserver enforces TLS SSL and port 443, HTTP 80 traffic gets redirected)
Port: 443
Encryption Method: plain
Browser: chrome
Transport: cdn
Allow Insecure: No
SNI:
Proxy Method: /
Server Name:
UID:
Public Key: myKex14dg515ads
Stream Timeout: 300
Alternative Names:
I am not sure what I need to set in order to make it work.
The ShadowSocks server is not accessible from outside, only from the cloak server.
At Proxy Method in particular it had "/" just there, does that have something to do with the book thingy from cloak?
https://github.com/cbeuw/Cloak/blob/master/example_config/ckserver.json
https://github.com/shadowsocks/shadowsocks-rust/tree/master#configuration
Hello, I have the same problem. I set up a reverse proxy with Nginx, and the connection works on Windows and Android, but when I try to connect with Shadowrocket, I can't. There isn't even anything in the server log showing that I'm trying to connect. I think this is a problem with the Shadowrocket client because no logs appear on the server at all. I can also say that when I just enter the URL in a browser and make any connection to the Cloak server, something appears in the logs, but not with the Shadowrocket connection. I think we need to report this to the Shadowrocket developer.
Yeah at this point I have already dropped the project and removed the server. But if shadowrocket actually does this, it might be considerable for me and many others to launch a server.
Okay, but I am trying for myself. I already wrote to the developer via email; if he answers, I will write here so that all other people know. But I'm sure that the problem is in Shadowrocket, because all other clients are working.
Hello. I found a way to make nginx and Cloak, xtls-reality or anything else work on port 443. To do this, you need to make sure that nginx understands where to redirect requests via SNI. For this you need to add the configurations written below.
/etc/nginx/nginx.conf:
```nginx
stream {
    include /etc/nginx/stream-enabled/proxy.conf;
}
```
/etc/nginx/stream-enabled/proxy.conf:
```nginx
map $ssl_preread_server_name $sni_name {
    hostnames;
    aleko.sytes.net www;
    *.example.com   www;
    test.az         www;
    default         cloak;
    www.google.com  cloak;
}

upstream cloak {
    server 127.0.0.1:8443;
}

upstream www {
    server 127.0.0.1:7443;
}

server {
    listen 443;
    proxy_pass $sni_name;
    ssl_preread on;
}
```
After that you need to change all your websites' ports from 443 to 7443.
/etc/nginx/sites-enabled/aleko.sytes.net:
```nginx
listen 7443 ssl;
```
And last, change the cloak config BindAddr to only one port, 8443:
```json
{
  "ProxyBook": {
    "shadowsocks": [
      "tcp",
      "127.0.0.1:1080"
    ],
    "shadowsocks": [
      "udp",
      "127.0.0.1:1080"
    ]
  },
  "BindAddr": [
    ":8443"
  ],
  "RedirAddr": "www.google.com",
  "PrivateKey": "<Key>",
  "AdminUID": "<UID>"
}
```
After all of this you can use the direct Transport in Cloak with port 443, and all your sites will also work on port 443. In the proxy.conf file, change the sites to yours.
And about CDN mode using a reverse proxy through nginx: I wrote to the developer and he fixed the bug in Shadowrocket. Now it connects, but for now only in the beta version. I think in a month he will release version 2.2.55, an update in which the reverse proxy through Cloak CDN transport will work, but you don't have to wait for the update and can do everything by the method described above.
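A check for the ckserver.json posted in the comment above, as an added Python example that is not part of the original post or of Cloak: the ProxyBook object repeats the key "shadowsocks", and Python's json module keeps only the last value for a repeated key, so a parser that behaves the same way loads the udp entry and drops the tcp one. The function names are illustrative, and the entry shape it checks (["tcp" or "udp", "host:port"]) is assumed from the configs shown on this page.

```python
import json

# Same content as the ckserver.json posted above; placeholder values left as posted.
POSTED_CONFIG = """
{
  "ProxyBook": {
    "shadowsocks": ["tcp", "127.0.0.1:1080"],
    "shadowsocks": ["udp", "127.0.0.1:1080"]
  },
  "BindAddr": [":8443"],
  "RedirAddr": "www.google.com",
  "PrivateKey": "<Key>",
  "AdminUID": "<UID>"
}
"""

def load_with_duplicates(text):
    """Parse JSON; return (config, list of keys that occur more than once in an object)."""
    duplicates = []

    def hook(pairs):
        seen = {}
        for key, value in pairs:
            if key in seen:
                duplicates.append(key)
            seen[key] = value          # same last-wins result as plain json.loads
        return seen

    return json.loads(text, object_pairs_hook=hook), duplicates

def lint_proxy_book(text):
    """Return (config, findings) covering repeated keys and malformed ProxyBook entries."""
    config, duplicates = load_with_duplicates(text)
    findings = [f"repeated key {k!r}: only the last value is kept" for k in duplicates]
    for name, entry in config.get("ProxyBook", {}).items():
        ok = (isinstance(entry, list) and len(entry) == 2
              and entry[0] in ("tcp", "udp") and ":" in str(entry[1]))
        if not ok:
            findings.append(f'ProxyBook[{name!r}] must be ["tcp"|"udp", "host:port"]')
    return config, findings
```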
This is awesome!
I will give it a shot! :)
-- keeping thread open if questions follow