
Can't get CDN mode working

Open aboka2k opened this issue 5 years ago • 26 comments

Hi, I'm using SS with the Cloak plugin on an Ubuntu 20.04 LTS VPS. I installed them using HirbodBehnam's v2 script and it's working great in Direct mode. But I just can't make it work with CDN/CloudFront.

I followed the guide on your wiki on creating the CloudFront distribution, and on the Windows client (SS 4.1.1 and Cloak 2.2.2 plugin) changed 'Server IP' to point to the CDN's domain name (xxxxxx.cloudfront.net) and did the same for the Cloak plugin's ServerName. And lastly added 'Transport=CDN;' to the 'Plugin Options'.

Did I miss or do something wrong, or are there more settings on the server side? There is no internet and many 'errors' (on the client side) are logged:

```
Truncate....
2020-08-26 18:42:26.1823|DEBUG|Shadowsocks.Controller.TCPHandler|Socket connected to ss server: xxxxxxxxxx.cloudfront.net:443
2020-08-26 18:42:26.1823|DEBUG|Shadowsocks.Controller.TCPHandler|Socket connected to ss server: xxxxxxxxxx.cloudfront.net:443
2020-08-26 18:42:26.4343|DEBUG|Shadowsocks.Controller.TCPHandler|connect to www.google.com:443
2020-08-26 18:42:26.4723|INFO|Shadowsocks.Controller.ShadowsocksController|Started SIP003 plugin for xxxxxxxxxx.cloudfront.net:443 on 127.0.0.1:64663 - PID: 2104
2020-08-26 18:42:26.5173|DEBUG|Shadowsocks.Controller.TCPHandler|connect to s2.googleusercontent.com:443
2020-08-26 18:42:26.7253|DEBUG|Shadowsocks.Controller.TCPHandler|connect to www.gstatic.com:443
2020-08-26 18:42:26.7253|DEBUG|Shadowsocks.Controller.TCPHandler|connect to s2.googleusercontent.com:443
2020-08-26 18:42:26.7553|DEBUG|Shadowsocks.Controller.TCPHandler|connect to www.google.com:443
2020-08-26 18:42:26.7703|DEBUG|Shadowsocks.Controller.TCPHandler|connect to www.google.com:443
2020-08-26 18:42:26.7753|DEBUG|Shadowsocks.Controller.TCPHandler|connect to www.google.com:443
2020-08-26 18:42:26.8793|DEBUG|Shadowsocks.Controller.TCPHandler|connect to fonts.gstatic.com:443
2020-08-26 18:42:26.8793|DEBUG|Shadowsocks.Controller.TCPHandler|Socket connected to ss server: xxxxxxxxxx.cloudfront.net:443
2020-08-26 18:42:26.9743|DEBUG|Shadowsocks.Controller.TCPHandler|Socket connected to ss server: xxxxxxxxxx.cloudfront.net:443
2020-08-26 18:42:27.3044|DEBUG|Shadowsocks.Controller.TCPHandler|connect to www.google.com:443
2020-08-26 18:42:27.3164|DEBUG|Shadowsocks.Controller.TCPHandler|connect to fonts.gstatic.com:443
2020-08-26 18:42:27.3274|INFO|Shadowsocks.Controller.ShadowsocksController|Started SIP003 plugin for xxxxxxxxxx.cloudfront.net:443 on 127.0.0.1:64704 - PID: 1936
2020-08-26 18:42:27.6584|WARN|Shadowsocks.Controller.TCPHandler|System.Net.Sockets.SocketException (0x80004005): No connection could be made because the target machine actively refused it
   at Shadowsocks.Util.Sockets.WrappedSocket.EndConnect(IAsyncResult asyncResult)
   at Shadowsocks.Proxy.DirectConnect.EndConnectDest(IAsyncResult asyncResult)
   at Shadowsocks.Controller.TCPHandler.ConnectCallback(IAsyncResult ar)
2020-08-26 18:42:27.7184|WARN|Shadowsocks.Controller.TCPHandler|System.Net.Sockets.SocketException (0x80004005): No connection could be made because the target machine actively refused it
   at Shadowsocks.Util.Sockets.WrappedSocket.EndConnect(IAsyncResult asyncResult)
   at Shadowsocks.Proxy.DirectConnect.EndConnectDest(IAsyncResult asyncResult)
   at Shadowsocks.Controller.TCPHandler.ConnectCallback(IAsyncResult ar)
2020-08-26 18:42:27.7284|WARN|Shadowsocks.Controller.TCPHandler|System.Net.Sockets.SocketException (0x80004005): No connection could be made because the target machine actively refused it
   at Shadowsocks.Util.Sockets.WrappedSocket.EndConnect(IAsyncResult asyncResult)
Truncate....
```

Thank you,

aboka2k avatar Aug 26 '20 10:08 aboka2k

Have you tried putting "Transport": "cdn" in the Cloak client's configuration JSON file? Cloak currently only reads the path to the Cloak config JSON file from the Plugin Options field set in Shadowsocks; it doesn't accept other arguments.

cbeuw avatar Sep 01 '20 12:09 cbeuw

> Have you tried putting "Transport": "cdn" in the Cloak client's configuration JSON file? Cloak currently only reads the path to the Cloak config JSON file from the Plugin Options field set in Shadowsocks; it doesn't accept other arguments.

Hi, do you mean we create a JSON file and put the file path in SS's 'Plugin Options' field? If yes, could you give the command to point to the file and also the JSON file? But if that's not the case, what would you suggest? Use another client for Windows/Android?

Thank you,

aboka2k avatar Sep 01 '20 12:09 aboka2k

Hi,

There should be a config JSON file already, and you can edit/append the Transport option in the file. Was the Plugin Options field empty when you were running it in direct mode? The Plugin Options field should have been the path to the config JSON file whenever you run Cloak in plugin mode. Or did you start Cloak separately in standalone mode?

An example ckclient.json can be found here: https://github.com/cbeuw/Cloak/blob/master/example_config/ckclient.json. This can be put anywhere. But you need to edit UID and PublicKey, which should have been filled in by the JSON config created by the script.

cbeuw avatar Sep 01 '20 13:09 cbeuw

Hi, I downloaded the Cloak exe and put it inside the SS folder, then added the value below to SS Plugin Options: `UID=xxxxxxxxxxxxxxxxxxxxxxx\=\=;PublicKey=xxxxxxxxxxxxxxxxxx\=;ServerName=bing.com;BrowserSig=chrome;NumConn=4;ProxyMethod=shadowsocks;EncryptionMethod=plain;StreamTimeout=300`

I notice there are 2 JSON files inside the folder, but both seem to belong to SS: gui-config.json and statistics-config.json.

Should I add ckclient.json to the folder, delete all the values in Plugin Options now, and change it to 'Path=%foldername%'? Please advise. Thank you.

aboka2k avatar Sep 01 '20 14:09 aboka2k

Sorry, I forgot that the Plugin Options can be config arguments in semicolon-separated form. What you did in the beginning should be correct. Are there any logs on the Cloak server side?

cbeuw avatar Sep 01 '20 14:09 cbeuw

Hi, it is OK. Can you tell me how to check the logs on the server side? I have no idea where to look for them. Thanks.

aboka2k avatar Sep 01 '20 14:09 aboka2k

Because you have installed it with my script, it is `systemctl status cloak-server`.

HirbodBehnam avatar Sep 01 '20 14:09 HirbodBehnam

> Because you have installed it with my script, it is `systemctl status cloak-server`.

Hi, running that will show its status, but we do need its log, right? Thanks.

```
root@v2ray:~# systemctl status cloak-server
● cloak-server.service - Cloak Server Service
     Loaded: loaded (/etc/systemd/system/cloak-server.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2020-09-01 23:00:42 +08; 24min ago
   Main PID: 722 (ck-server)
      Tasks: 3 (limit: 1062)
     Memory: 7.9M
     CGroup: /system.slice/cloak-server.service
             └─722 /usr/bin/ck-server -c ckserver.json

Sep 01 23:00:42 v2ray systemd[1]: Started Cloak Server Service.
Sep 01 23:00:42 v2ray ck-server[722]: time="2020-09-01T23:00:42+08:00" level=info msg="Starting standalone mode"
Sep 01 23:00:42 v2ray ck-server[722]: time="2020-09-01T23:00:42+08:00" level=info msg="Listening on :443"
```

aboka2k avatar Sep 01 '20 15:09 aboka2k

You may need to add ":80" to BindAddr in the config JSON file for the Cloak server (so it's something like `"BindAddr": [":443", ":80"]`). I'm not sure where the script puts that file, but I think it's under /etc/cloak.

cbeuw avatar Sep 01 '20 15:09 cbeuw

Yes, the config file is at /etc/cloak/ckserver.json

HirbodBehnam avatar Sep 01 '20 15:09 HirbodBehnam

Hi, I have added port 80 to it and rebooted, but still no internet. It's best if we could find its log so we could see if it's connected, and if yes, where it's stuck or something like that. Anyway, here is my setup again just in case I missed something:

  1. Set up SS+Cloak with HirbodBehnam's script.
  2. Create the CloudFront distribution following the wiki.
  3. Use the SS client on Windows, set its 'Server IP' to the CloudFront domain name xxxxxxxxxx.cloudfront.net, and 'Plugin Options' to `Transport=CDN;UID=xxxxxxxxxxxxxxx==;PublicKey=xxxxxxxxxxxxx=;ServerName=xxxxxxxxx.cloudfront.net;BrowserSig=chrome;NumConn=4;ProxyMethod=shadowsocks;EncryptionMethod=plain;StreamTimeout=300`

Here is the ckserver.json on the server side:

```json
{
  "ProxyBook": {
    "shadowsocks": ["tcp", "127.0.0.1:58555"],
    "panel": ["tcp", "127.0.0.1:0"]
  },
  "BypassUID": ["2oaZopNtoCrRPtFIn/XXyw=="],
  "BindAddr": [":443", ":80"],
  "RedirAddr": "204.79.197.200",
  "PrivateKey": "xxxxxxxxxxxxxx=",
  "AdminUID": "xxxxxxxxxxxxxxx==",
  "DatabasePath": "userinfo.db",
  "StreamTimeout": 300
}
```

I have tried changing 'RedirAddr' to the CloudFront domain, but it's still not working. Please advise, thanks.

aboka2k avatar Sep 01 '20 15:09 aboka2k
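The two server-side fixes suggested in this thread (a ":80" listener in BindAddr so a CloudFront origin set to "HTTP Only" can reach Cloak, and an explicit port on RedirAddr) are easy to get wrong by hand. The following is an added example, not code from Cloak or from HirbodBehnam's script: a small Go linter that reads a ckserver.json and reports the problems the thread discusses. It only knows the keys visible above (ProxyBook, BindAddr, RedirAddr); the two embedded configs are constructed from the one posted, with placeholder key material, and the check rules are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// ckServerConfig holds only the ckserver.json keys that matter for CDN mode.
// JSON key names follow the file posted in the thread; other keys are ignored.
type ckServerConfig struct {
	ProxyBook map[string][]string `json:"ProxyBook"`
	BindAddr  []string            `json:"BindAddr"`
	RedirAddr string              `json:"RedirAddr"`
}

// lintCDNConfig returns one message per problem found; an empty slice means
// the config passes the three checks discussed in the thread:
//   - BindAddr must include a listener on :80, because the CloudFront origin
//     is configured with "Origin Protocol Policy: HTTP Only" on HTTP Port 80;
//   - RedirAddr must carry an explicit port (host:port);
//   - ProxyBook must have a "shadowsocks" entry pointing at host:port.
func lintCDNConfig(raw []byte) ([]string, error) {
	var cfg ckServerConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("ckserver.json is not valid JSON: %w", err)
	}
	var problems []string

	listensOn80 := false
	for _, addr := range cfg.BindAddr {
		_, port, err := net.SplitHostPort(addr) // ":443" parses as host "" and port "443"
		if err != nil {
			problems = append(problems, fmt.Sprintf("BindAddr %q is not host:port", addr))
			continue
		}
		if port == "80" {
			listensOn80 = true
		}
	}
	if !listensOn80 {
		problems = append(problems, `BindAddr has no ":80" entry; an HTTP-only CDN origin on port 80 cannot reach Cloak`)
	}

	if _, _, err := net.SplitHostPort(cfg.RedirAddr); err != nil {
		problems = append(problems, fmt.Sprintf("RedirAddr %q has no explicit port; use e.g. %q", cfg.RedirAddr, cfg.RedirAddr+":443"))
	}

	if entry, ok := cfg.ProxyBook["shadowsocks"]; !ok || len(entry) != 2 {
		problems = append(problems, `ProxyBook has no "shadowsocks": ["tcp", "host:port"] entry`)
	} else if _, _, err := net.SplitHostPort(entry[1]); err != nil {
		problems = append(problems, fmt.Sprintf("ProxyBook shadowsocks target %q is not host:port", entry[1]))
	}
	return problems, nil
}

// sampleBefore is a constructed config in the shape posted in the thread,
// before either fix was applied; key material is placeholder text.
const sampleBefore = `{
  "ProxyBook": {"shadowsocks": ["tcp", "127.0.0.1:58555"], "panel": ["tcp", "127.0.0.1:0"]},
  "BypassUID": ["placeholder=="],
  "BindAddr": [":443"],
  "RedirAddr": "204.79.197.200",
  "PrivateKey": "placeholder=",
  "AdminUID": "placeholder==",
  "DatabasePath": "userinfo.db",
  "StreamTimeout": 300
}`

// sampleAfter is the same constructed config with both fixes applied.
const sampleAfter = `{
  "ProxyBook": {"shadowsocks": ["tcp", "127.0.0.1:58555"], "panel": ["tcp", "127.0.0.1:0"]},
  "BypassUID": ["placeholder=="],
  "BindAddr": [":443", ":80"],
  "RedirAddr": "204.79.197.200:443",
  "PrivateKey": "placeholder=",
  "AdminUID": "placeholder==",
  "DatabasePath": "userinfo.db",
  "StreamTimeout": 300
}`

func main() {
	for _, sample := range []struct{ name, raw string }{{"before", sampleBefore}, {"after", sampleAfter}} {
		problems, err := lintCDNConfig([]byte(sample.raw))
		if err != nil {
			fmt.Printf("%s: %v\n", sample.name, err)
			continue
		}
		if len(problems) == 0 {
			fmt.Printf("%s: OK\n", sample.name)
			continue
		}
		fmt.Printf("%s:\n  %s\n", sample.name, strings.Join(problems, "\n  "))
	}
}
```

Running it prints two findings for the "before" config (no ":80" listener, RedirAddr without a port) and "OK" for the "after" config; point it at /etc/cloak/ckserver.json by replacing the embedded samples with the file's contents.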

Shadowsocks config.json:

```json
{
  "server": "127.0.0.1",
  "server_port": 58555,
  "password": "xxxxxxxxxxxxx",
  "timeout": 60,
  "method": "chacha20-ietf-poly1305",
  "nameserver": "8.8.8.8"
}
```

aboka2k avatar Sep 01 '20 15:09 aboka2k

What happens when you visit your xxxx.cloudfront.net address in a browser? Does it show the same thing as when you visit 204.79.197.200, the RedirAddr? If yes, then your server should be set up correctly and the issue is with the client.

cbeuw avatar Sep 01 '20 15:09 cbeuw

@aboka2k Before you do so, please add :443 to the end of RedirAddr on your server and restart the service (use `systemctl restart cloak-server`).

HirbodBehnam avatar Sep 01 '20 16:09 HirbodBehnam

Hi, I have added 443 (`"RedirAddr": "204.79.197.200:443"`) and rebooted the server. Below are the results:

When not connected via SS and browsing to 204.79.197.200:

Our services aren't available right now

We're working to restore all services as soon as possible. Please check back soon.

0onROXwAAAACbJxpyWuZSRqVpLVyni7fJS1VMMzBFREdFMDIxOQBFZGdl

When not connected via SS and browsing to xxxxx.cloudfront.net:

400 ERROR

The request could not be satisfied . .

When connected via SS and browsing to 204.79.197.200 and xxxxx.cloudfront.net:

500 Internal Privoxy Error

Privoxy encountered an error while processing your request:

Could not load template file no-server-data or one of its included components. Please contact your proxy administrator. If you are the proxy administrator, please put the required file(s) in the (confdir)/templates directory. The location of the (confdir) directory is specified in the main Privoxy config file. (It's typically the Privoxy install directory).

When connected via SS and browsing to Google:

This site can’t be reached . .

aboka2k avatar Sep 01 '20 16:09 aboka2k

The RedirAddr works if I use my server IP with https (https://xx.xx.xx.xx): it is forwarded to 204.79.197.200 and shows this:

Our services aren't available right now

We're working to restore all services as soon as possible. Please check back soon.

0BXlOXwAAAADVvd6rlhxxSJa+Wl9xUSqwTEFYRURHRTE0MTEARWRnZQ==

It seems like CloudFront is not pointing to the server? Because xxxxx.cloudfront.net by rights should show the same 'error'. I followed everything in the wiki (anything not mentioned is at its default):

- Origin Domain Name: mydomain.com, pointing to the VPS
- Origin SSL Protocols: TLSv1.2 only
- Origin Protocol Policy: HTTP Only
- HTTP Port: 443
- Viewer Protocol Policy: HTTP and HTTPS
- SSL Certificate: Default
- Supported HTTP Versions: HTTP/2, HTTP/1.1, HTTP/1.0

Thank you,

aboka2k avatar Sep 01 '20 16:09 aboka2k

OK, I think I know why: CloudFront doesn't like sending HTTP requests over 443 anymore, so you need to change the HTTP Port in the Origin settings to 80.

I'll update the wiki to reflect this

cbeuw avatar Sep 01 '20 16:09 cbeuw

> OK, I think I know why: CloudFront doesn't like sending HTTP requests over 443 anymore, so you need to change the HTTP Port in the Origin settings to 80.
>
> I'll update the wiki to reflect this

I have changed the HTTP port to 80 in CloudFront and tried to access the VPS using the domain name in Chrome, but it gets:

504 ERROR The request could not be satisfied T5yZfU9UG5

aboka2k avatar Sep 01 '20 17:09 aboka2k

My domain: orca.gq; CloudFront domain: d35q91vx742fcp.cloudfront.net

aboka2k avatar Sep 01 '20 17:09 aboka2k

- Delivery Method: Web
- Cookie Logging: Off
- Distribution Status: Deployed
- Comment: -
- Price Class: Use Only U.S., Canada and Europe
- AWS WAF Web ACL: -
- State: Enabled
- Alternate Domain Names (CNAMEs): -
- SSL Certificate: Default CloudFront Certificate (*.cloudfront.net)
- Domain Name: d35q91vx742fcp.cloudfront.net
- Custom SSL Client Support: -
- Security Policy: TLSv1
- Supported HTTP Versions: HTTP/2, HTTP/1.1, HTTP/1.0
- IPv6: Enabled

aboka2k avatar Sep 01 '20 17:09 aboka2k

It's very late now and I have to work tomorrow. I will try to think of some solutions, and if there is still no other clue, I will try to contact AWS tomorrow evening, as it seems that CF can't connect to the VPS now. I will post here if I get any updates. Thank you.

aboka2k avatar Sep 01 '20 17:09 aboka2k

Hi, I have posted to the AWS community forum and am waiting for a reply.

This is what Chrome shows when browsing to https://orca.gq. Any chance this is why CF won't show this page, because of the cert issue? [screenshot: chrome_fN7LZcAGcF]

Thanks,

aboka2k avatar Sep 02 '20 12:09 aboka2k

It's already been 2 days but still no one has replied on their forum. I tried to contact support, but we need to pay them monthly fees?? Bummer. Having to pay for support when we are buying their service.....

aboka2k avatar Sep 03 '20 09:09 aboka2k

There is a bug/oversight in Cloak. In case your shadowsocks client is passing Cloak the remote address as an IP instead of the original domain, Cloak sets the wrong HTTP Host header, causing CDN mode to fail. (This issue happens on shadowsocks-android.) A new config key is required to explicitly control the HTTP Host field regardless of what is set as the remote address. This also allows domain fronting to work. I will make a pull request.

notsure2 avatar Dec 11 '20 01:12 notsure2
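To make the failure mode notsure2 describes concrete: a CDN routes an incoming request on its Host header, so if the plugin derives that header from a remote address the proxy client has already resolved to an IP, the edge sees an IP literal that matches no distribution and the origin is never reached. The following is an added example, not Cloak's code and not PR #143: a Go function that picks the Host header from the remote address, flags the IP case, and honours a hypothetical explicit-host override standing in for the config key notsure2 proposes (its real name is not on this page). The sample inputs are constructed; 198.51.100.7 is a documentation-range address, and the request head it renders is illustrative rather than the exact bytes Cloak sends.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// hostChoice records which Host header a CDN-mode client would send and why.
type hostChoice struct {
	Host       string // value placed in the HTTP Host header
	FromIP     bool   // true when the host was derived from an IP literal
	Overridden bool   // true when the explicit override was used
}

// chooseHost picks the Host header for the first HTTP request to the CDN edge.
// remoteAddr is what the proxy client hands the plugin as the server address,
// which some clients pass as an already-resolved IP; override is the hypothetical
// explicit-host setting that wins regardless of remoteAddr.
func chooseHost(remoteAddr, override string) hostChoice {
	if override != "" {
		return hostChoice{Host: override, Overridden: true}
	}
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port present; treat the whole string as the host
	}
	host = strings.Trim(host, "[]") // bare bracketed IPv6 literal without a port
	return hostChoice{Host: host, FromIP: net.ParseIP(host) != nil}
}

// requestHead renders the start of an HTTP/1.1 upgrade request so the effect
// of the chosen Host header is visible on the wire.
func requestHead(c hostChoice, path string) string {
	return fmt.Sprintf("GET %s HTTP/1.1\r\nHost: %s\r\nConnection: Upgrade\r\nUpgrade: websocket\r\n\r\n",
		path, c.Host)
}

func main() {
	// Constructed cases: the distribution name posted in the thread, the same
	// name after a client resolved it to an IP, and the IP case with the override.
	cases := []struct{ remote, override string }{
		{"d35q91vx742fcp.cloudfront.net:443", ""},
		{"198.51.100.7:443", ""},
		{"198.51.100.7:443", "d35q91vx742fcp.cloudfront.net"},
	}
	for _, c := range cases {
		ch := chooseHost(c.remote, c.override)
		verdict := "routable by the CDN"
		if ch.FromIP {
			verdict = "BROKEN: Host is an IP literal, matches no distribution"
		}
		fmt.Printf("remote=%s override=%q -> Host=%s (%s)\n", c.remote, c.override, ch.Host, verdict)
		fmt.Print(requestHead(ch, "/"))
	}
}
```

The second case is the shadowsocks-android situation: the plugin is handed an IP, so without an override the Host header cannot name the distribution. The third case shows why an explicit host key also enables domain fronting: the TLS SNI can stay whatever ServerName is set to while the Host header names the distribution behind the edge.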

> There is a bug/oversight in Cloak. In case your shadowsocks client is passing Cloak the remote address as an IP instead of the original domain, Cloak sets the wrong HTTP Host header, causing CDN mode to fail. (This issue happens on shadowsocks-android.) A new config key is required to explicitly control the HTTP Host field regardless of what is set as the remote address. This also allows domain fronting to work. I will make a pull request.

@notsure2 this is great news! Though it just will not work for me, thank you very much. Although I'm not using it now, other members will surely gain a lot from this.

P.S. I read your message again: you mention this happens on Android, but I think it happens on my Windows 7 machine too, besides Android. But if it could make Android work, then it's a big success already.

aboka2k avatar Dec 11 '20 03:12 aboka2k

https://github.com/cbeuw/Cloak/pull/143

notsure2 avatar Dec 11 '20 03:12 notsure2