
MitM then Domain Fronting

RPRX opened this issue 10 months ago • 7 comments

Recently, "mandatory domain fronting" has become a bit of a trend. It's quite interesting. I haven't seen much discussion about it here; after a cursory search, the most relevant thing I found is https://github.com/net4people/bbs/issues/373#issuecomment-2195853159

In Xray-core, the implementation is: a dokodemo-door inbound terminates the TLS (or the request itself is DoH h2c), then a freedom outbound adds a uTLS Chrome fingerprint, a custom SNI and a verifyPeerCertInNames list, both of which can be filled with "fromMitm" to use the original SNI; ALPN is also handled properly.

It is suitable for websites & services where only some SNIs are blocked, the IP is not blocked, and the server supports domain fronting.

Or you can send a whitelisted SNI that does not exist on the target server, as long as it returns its default TLS certificate and can handle the subsequent HTTP requests.

This feature was suggested by @patterniha, who also shared a complete serverless configuration suitable for Iran, including TCP/TLS fragment and UDP noises:

https://github.com/XTLS/Xray-examples/tree/main/Serverless-for-Iran

RPRX, Feb 23 '25 14:02
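A minimal Xray-core config sketch for the setup described in the post above, added here as an illustration rather than taken from the thread or from the Xray-examples repository. Only the names the post itself cites (dokodemo-door, freedom, "fromMitm", verifyPeerCertInNames, the uTLS chrome fingerprint, fragment) come from the page; the remaining key names and the loopback plumbing (a freedom "redirect" into the dokodemo-door inbound) are from my reading of Xray's config schema, and ports, file paths and domains are placeholders, so check it against the linked Serverless-for-Iran example. It assumes the client trusts the local issuing CA and that the front SNI is served from the same IP as the blocked domain.

```json
{
  "inbounds": [
    {
      "tag": "socks-in",
      "port": 10808,
      "protocol": "socks",
      "sniffing": { "enabled": true, "destOverride": ["tls"] }
    },
    {
      "tag": "mitm-in",
      "listen": "127.0.0.1",
      "port": 1443,
      "protocol": "dokodemo-door",
      "settings": { "network": "tcp", "followRedirect": true },
      "streamSettings": {
        "security": "tls",
        "tlsSettings": {
          "certificates": [
            { "usage": "issue", "certificateFile": "/path/to/local-ca.crt", "keyFile": "/path/to/local-ca.key" }
          ]
        }
      }
    }
  ],
  "outbounds": [
    { "tag": "to-mitm", "protocol": "freedom", "settings": { "redirect": "127.0.0.1:1443" } },
    {
      "tag": "fronting",
      "protocol": "freedom",
      "settings": { "fragment": { "packets": "tlshello", "length": "100-200", "interval": "10-20" } },
      "streamSettings": {
        "security": "tls",
        "tlsSettings": {
          "serverName": "front.example",
          "verifyPeerCertInNames": ["fromMitm"],
          "fingerprint": "chrome"
        }
      }
    },
    { "tag": "direct", "protocol": "freedom" }
  ],
  "routing": {
    "rules": [
      { "inboundTag": ["socks-in"], "domain": ["domain:blocked.example"], "outboundTag": "to-mitm" },
      { "inboundTag": ["mitm-in"], "outboundTag": "fronting" }
    ]
  }
}
```

The "issue" CA key signs a leaf certificate for every intercepted site, so it must stay on the client machine and never be shared. Keeping "fromMitm" in verifyPeerCertInNames ties upstream certificate verification to the domain the browser actually asked for, so the local TLS termination does not silently weaken authentication of the real server.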

This compatibility has been utilized for years. Below is an incomplete list of circumvention tools based on it.

Universal

  • Efficiently Bypassing SNI-based HTTPS Filtering, 2015 (Firefox extension 'Escape')
  • https://github.com/URenko/Accesser , 2018
  • https://github.com/bypass-GFW-SNI/main , 2019
  • https://github.com/SeaHOH/GotoX , 2019
  • https://github.com/JimmyJLNU/SuperHosts , 2020 (closed source)
  • https://github.com/SpaceTimee/Sheas-Cealer , 2022

Website specific

  • https://www.dogfight360.com/blog/686/ , 2017
  • https://github.com/mashirozx/Pixiv-Nginx , 2018
  • https://github.com/BeyondDimension/SteamTools , 2020
  • ~~https://github.com/dotnetcore/FastGithub , 2021~~
  • https://github.com/docmirror/dev-sidecar , 2021

Cuthead, Feb 25 '25 02:02

https://github.com/net4people/bbs/issues/412

this is also related

developer861, Feb 25 '25 21:02

> #412
>
> this is also related

This requires a proxy server, so it's more like XTLS's "running naked" plus REALITY's certificate stealing. I also have some recollection of the BlindTLS mentioned below; it seems to be something similar to XTLS running naked.

RPRX, Feb 26 '25 12:02

> In Xray-core, the implementation is to use TLS inbound by dokodemo-door (or the request itself is DoH h2c), then outbound by freedom with uTLS Chrome fingerprint, custom SNI and verifyPeerCertInNames list, which can be filled with "fromMitm" to use the original SNI, and ALPN is also properly handled

Hello, kinda off topic here, but is there a way I can do XHTTP h2 without TLS? I am writing a program with BoringSSL that will wrap the TCP stream with TLS (to achieve a Chrome fingerprint the best way). Basically what I need is: Xray sends plaintext h2 to a local port which my program will be listening on, then does a TLS handshake to the target server and io copy. Can this dokodemo-door decrypt h2 of XHTTP? Or is there a better way to have plaintext h2? Only locally, of course.

CyrusTheG, Mar 06 '25 21:03

@firewallPass Currently XHTTP without TLS/REALITY only uses http/1.1, not h2c, but you can indeed use dokodemo-door to strip the TLS.

RPRX, Mar 07 '25 12:03

@firewallPass If you need a real Chrome TLS Client Hello, another option is to use Browser Dialer. Although it currently only supports packet-up, after several rounds of optimization its upstream performance is basically no worse than stream-up. The disadvantage is that the number of requests is a bit high, and it lacks the address / SNI / host separation (in fact you can set host to an IP, but domain fronting really isn't possible); the advantage is that it eliminates the fingerprint of the Golang http2 library. Related discussion is at https://github.com/XTLS/Xray-core/discussions/4430#discussioncomment-12291925

RPRX, Mar 14 '25 11:03

> @firewallPass If you need a real Chrome TLS Client Hello, another way is to use Browser Dialer

I have used Browser Dialer before for both WebSocket and SplitHTTP a few months ago. I don't remember properly, but I think there was a bug in the SplitHTTP Browser Dialer: it did not care about the port in the config and always used 443. I remember I changed the code and added some prints in the openDownload function of Browser Dialer, and the URL that was passed to that function did not include the port, so it was always 443. WebSocket was fine; it was only with SplitHTTP. I will try again, maybe it is fixed now. Having a browser open just for a proxy is annoying on desktop and almost impossible on a mobile device (RIP battery life lol). Anyway, I saw Cloudflare has a BoringSSL wrapper for Rust and I wanted to use that; it has support for ECH, Kyber (I think) and basically everything we need. I will work on it when I have some time, should be pretty simple hopefully lol

CyrusTheG, Mar 14 '25 21:03