Cloak
CDN through Cloudflare
Hey there,
I have set up cloak with shadowsocks and it works fine in the direct mode.
I also saw on the wiki the instructions to set up a cloudfront CDN and use cloak in CDN mode. I am not using Amazon but I do have a Cloudflare account which I tried.
I mirrored the settings as similarly as possible based on the guide you provided in the wiki.
However, now when I try to run the ckclient process on my client I get the following error when the shadowsocks client tries to initiate a connection.
ERRO[0021] Failed to prepare connection to remote: local error: tls: unexpected message
my ckclient.json looks like this:
{
"Transport": "CDN",
"EncryptionMethod": "plain",
"ProxyMethod": "shadowsocks",
"UID": "blah",
"PublicKey": "blahblah",
"ServerName": "cloudflare.com",
"NumConn": 4,
"BrowserSig": "chrome",
"streamTimeout": 300
}
I have also tried setting the ServerName to: mytld.com (and mytld.com) without any success.
In Cloudflare I have set up the SSL as "Flexible" meaning I believe viewer -> cloudflare is SSL but cloudflare -> myhost is not.
Is there anything missing here that could be causing this issue?
As a followup I set up an AWS account and tried to get this working using cloudfront but still no luck.
The ckclient.json in this case is:
{
"Transport": "DNS",
"EncryptionMethod": "plain",
"ProxyMethod": "shadowsocks",
"UID": "blah",
"PublicKey": "blahblah",
"ServerName": "cloudfront.net",
"NumConn": 4,
"BrowserSig": "chrome",
"streamTimeout": 300
}
When I start the cloak proxy with:
./ck-client -c ckclient.json -s mydomain.cloudfront.net
I see lots of these errors:
ERRO[0000] Failed to prepare connection to remote: cipher: message authentication failed
ERRO[0000] Failed to prepare connection to remote: cipher: message authentication failed
ERRO[0000] Failed to prepare connection to remote: cipher: message authentication failed
ERRO[0000] Failed to prepare connection to remote: cipher: message authentication failed
Here are my origin settings on AWS:

Finally, I was also watching the logs on the server side and no connection attempts were made to the cloak server running there, so something is clearly not configured correctly with the client and the cloudfront CDN.
Any thoughts here?
"ServerName": "cloudfront.net",
I was a bit ambiguous when I wrote the instructions in the wiki. By "the domain of the CDN server", it should be what you referred to as mydomain.cloudfront.net instead of just cloudfront.net. I have fixed that wording. Try if that works.
@cbeuw thanks for the quick response. Unfortunately it seems still no joy.
Here is the updated json:
{
"Transport": "DNS",
"EncryptionMethod": "plain",
"ProxyMethod": "shadowsocks",
"UID": "blah",
"PublicKey": "blah",
"ServerName": "blah.cloudfront.net",
"NumConn": 4,
"BrowserSig": "chrome",
"streamTimeout": 300
}
Here is the log from my terminal, same error unfortunately.
> ./ck-client -c ckclient.json -s blah.cloudfront.net
INFO[0000] Starting standalone mode
INFO[0000] Listening on TCP 127.0.0.1:1984 for shadowsocks client
INFO[0001] Attemtping to start a new session
ERRO[0001] Failed to prepare connection to remote: cipher: message authentication failed
ERRO[0001] Failed to prepare connection to remote: cipher: message authentication failed
ERRO[0001] Failed to prepare connection to remote: cipher: message authentication failed
ERRO[0001] Failed to prepare connection to remote: cipher: message authentication failed
"Transport": "DNS",
It could be due to this. Should've been CDN instead.
Sorry, that was idiotic of me.
Config is now corrected resulting in a new error!
{
"Transport": "CDN",
"EncryptionMethod": "plain",
"ProxyMethod": "shadowsocks",
"UID": "",
"PublicKey": "",
"ServerName": "xxx.cloudfront.net",
"NumConn": 4,
"BrowserSig": "chrome",
"streamTimeout": 300
}
./ck-client -c ckclient.json -s xxx.cloudfront.net
INFO[0000] Starting standalone mode
INFO[0000] Listening on TCP 127.0.0.1:1984 for shadowsocks client
INFO[0074] Attemtping to start a new session
ERRO[0074] Failed to prepare connection to remote: failed to handshake: malformed HTTP response "\x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00\x04\x00\x01\x00\x00\x00\x05\x00\xff\xff\xff\x00\x00\x04\b\x00\x00\x00\x00\x00\u007f\xff\x00\x00\x00\x00\b\a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"
If you visit xxx.cloudfront.net in your browser (try both HTTP and HTTPS), is there anything showing up in your ck-server log?
Initially no - but I realised some DNS A records were not configured properly. Having fixed that, I can now curl xxx.cloudfront.net
If I curl using HTTP (curl xxx.cloudfront.net) or HTTPS (curl https://xxx.cloudfront.net) then I see on ck-server the expected log:
WARN[0191] failed to unmarshal hidden data from WS into authenticationInfo: non (or malformed) HTTP GET UID= encryptionMethod=0 proxyMethod= remoteAddr="remote_ip" sessionId=0
So then I tried again and now I see the connection in ck-server from a cloudfront proxy IP address (64.252.188.79), but the client errors remain the same.
Client Side:
./ck-client -c ckclient.json -s xxx.cloudfront.net
INFO[0000] Starting standalone mode
INFO[0000] Listening on TCP 127.0.0.1:1984 for shadowsocks client
INFO[0002] Attemtping to start a new session
ERRO[0003] Failed to prepare connection to remote: failed to handshake: malformed HTTP response "\x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00\x04\x00\x01\x00\x00\x00\x05\x00\xff\xff\xff\x00\x00\x04\b\x00\x00\x00\x00\x00\u007f\xff\x00\x00\x00\x00\b\a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"
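The payload quoted in the "malformed HTTP response" error is not HTTP/1.1 text: it parses cleanly as three HTTP/2 frames, so the CDN edge answered in HTTP/2 while ck-client was reading for an HTTP/1.1 reply. The Go program below is an added example, not part of the thread or of Cloak's code, that unquotes the logged string and decodes those frames; `DecodeFrames` and `describe` are hypothetical names.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strconv"
)

// Quoted payload copied verbatim from the ck-client error line in the thread.
const logged = `"\x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00\x04\x00\x01\x00\x00\x00\x05\x00\xff\xff\xff\x00\x00\x04\b\x00\x00\x00\x00\x00\u007f\xff\x00\x00\x00\x00\b\a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"`
var be = binary.BigEndian

// describe renders the payload of the three frame types seen in the log.
func describe(typ byte, p []byte) string {
	switch {
	case typ == 0x4: // SETTINGS: repeated (16-bit id, 32-bit value) pairs
		s := "SETTINGS"
		for ; len(p) >= 6; p = p[6:] {
			s += fmt.Sprintf(" %d=%d", be.Uint16(p), be.Uint32(p[2:]))
		}
		return s
	case typ == 0x8 && len(p) == 4: // WINDOW_UPDATE: 31-bit increment
		return fmt.Sprintf("WINDOW_UPDATE increment=%d", be.Uint32(p)&0x7fffffff)
	case typ == 0x7 && len(p) >= 8: // GOAWAY: last stream id, then error code
		return fmt.Sprintf("GOAWAY last_stream=%d error=%d", be.Uint32(p)&0x7fffffff, be.Uint32(p[4:]))
	}
	return fmt.Sprintf("type=0x%x len=%d", typ, len(p))
}

// DecodeFrames unquotes a Go %q-style string and walks it as HTTP/2 frames:
// 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id, then the payload.
func DecodeFrames(quoted string) ([]string, error) {
	s, err := strconv.Unquote(quoted)
	if err != nil {
		return nil, err
	}
	var out []string
	for b := []byte(s); len(b) > 0; {
		if len(b) < 9 || len(b) < 9+int(be.Uint32(b[:4])>>8) {
			return out, fmt.Errorf("truncated frame with %d bytes left", len(b))
		}
		n := int(be.Uint32(b[:4]) >> 8) // top three bytes are the payload length
		out = append(out, describe(b[3], b[9:9+n]))
		b = b[9+n:]
	}
	return out, nil
}

func main() { fmt.Println(DecodeFrames(logged)) }
```

In HTTP/2, settings 3, 4 and 5 are MAX_CONCURRENT_STREAMS, INITIAL_WINDOW_SIZE and MAX_FRAME_SIZE, and GOAWAY error code 1 is PROTOCOL_ERROR.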
Could it work on Cloudflare CDN?
The conversation shifted towards CloudFront; what about Cloudflare? It would be really helpful if you could support Cloudflare, because people from Cuba, Iran, Syria ... can't buy anything from a US-based company.
@itshaadi yeah, maybe you could use v2ray, but I hope Cloak supports Cloudflare.
It would be great if cloak could support cloudflare
Yes, and here is an example: https://github.com/russian-meshnet/shadowsocks-v2ray-cdn/blob/master/install-server-on-Arch.sh-example
@vanyaindigo it uses v2ray-plugin, not Cloak.