
An idea to bypass serverless restrictions

Open vrnobody opened this issue 9 months ago • 3 comments

Currently, some serverless platforms do not support websocket inbound, or do not support streaming http requests. I have an idea, which is to use a GET request to send the URL to be accessed to the serverless server, and then initiate a websocket client from the serverless to connect back to the client, so that these restrictions can be bypassed.

Here is a Proof of Concept demo project https://github.com/vrnobody/satellite

vrnobody Mar 15 '25 13:03

Is inbound TCP (WebSocket) a problem when the client network has NAT?

Flash proxy used WebSocket, with the uncensored proxy making a WebSocket connection to the client. It proved to be difficult to use for clients, who often had to manually enable port forwarding in order to use it. This was the main motivation for Snowflake changing to use WebRTC instead of WebSocket, because WebRTC is UDP and has features for connecting through NAT.

Do serverless platforms offer WebRTC, or any other protocols that might be interesting?

https://www.bamsoftware.com/papers/thesis/#p266

Snowflake [98, 173] is the spiritual successor to flash proxy [84], a system that similarly used browser-based proxies, written in JavaScript. Flash proxy, with obfs2 and obfs3, was one of the first three pluggable transports for Tor [68], but since its introduction in 2013 it never had many users [179]. I believe that its lack of adoption was a result mainly of its incompatibility with NAT (network address translation): its use of the TCP-based WebSocket protocol [64] required clients to follow complicated port forwarding instructions [71]. For that reason, flash proxy was deprecated in 2016 [13].

https://www.bamsoftware.com/papers/snowflake/#p7

Snowflake originates in two earlier projects: flash proxy and uProxy. Flash proxy [10], like Snowflake, used untrusted temporary JavaScript proxies in web browsers forwarding to a central bridge, but the link between client and proxy was WebSocket rather than WebRTC, which was then an emerging technology. Flash proxy was deployed from 2013 to 2016, but never saw much use, probably because WebSocket, which lacks the built-in NAT traversal of WebRTC, required clients to do complicated port forwarding.

wkrp Mar 16 '25 22:03

Yes, the client needs to enable port forwarding to the public network by itself. This method cannot be used under NAT.

vrnobody Mar 17 '25 00:03

IPv6 only needs a forwarding accept rule in general in the router.

UjuiUjuMandan Mar 17 '25 01:03
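The NAT constraint discussed in this thread can be checked before relying on a dial-back. The following is an added example, not code from any participant or from the satellite project. It assumes the remote side can report the source address it observed on the GET request; the function names are hypothetical and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Ranges that cannot receive an inbound connection from the public internet
# without some form of translation or forwarding.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # RFC 6598 carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]


def is_non_routable(addr):
    """True if addr falls in a range that is not reachable from outside."""
    return any(addr.version == net.version and addr in net for net in NON_ROUTABLE)


def callback_verdict(listen_addr, observed_addr):
    """Classify whether a connection back to the client's listener can work.

    listen_addr   -- address the client's listener is bound to (assumption)
    observed_addr -- source address the remote side saw on the GET (assumption)
    """
    local = ipaddress.ip_address(listen_addr)
    seen = ipaddress.ip_address(observed_addr)
    if local.version != seen.version:
        # The request left over a different address family than the listener uses.
        return "family-mismatch"
    if is_non_routable(local) or local != seen:
        # Address was rewritten on the way out: port forwarding is required.
        return "nat"
    if local.version == 6:
        # No translation; the router still needs a forwarding accept rule.
        return "ipv6-direct"
    return "ipv4-direct"


if __name__ == "__main__":
    # Constructed sample pairs: (listener address, address seen by remote side)
    for pair in [("192.168.1.20", "203.0.113.7"),
                 ("100.64.3.9", "100.64.3.9"),
                 ("203.0.113.7", "203.0.113.7"),
                 ("2001:db8::10", "2001:db8::10")]:
        print(pair, "->", callback_verdict(*pair))
```

A "direct" verdict only rules out address translation; a host or router firewall can still drop the inbound connection.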