You could straight up connect to the destination (over TCP) from Cloudflare without needing relays; a project I wrote demonstrates TCP over HTTP (for Deno Deploy) and TCP over WebSockets (for Workers): https://github.com/serverless-proxy/serverless-proxy
Proxying projects utilising HTTP/TLS are popular in the anti-censorship community (discussion board: https://github.com/net4people/bbs) and there are many variants of it; ex:
Yeah, but websockets are limited. I wrote this to tunnel VPNs over this and have full IP connectivity... which does work. A lot of users of the application I have talked with are from China and Iran. Seems to work well.
> Services like Cloudflare, Akamai Technologies, Fastly, and Amazon CloudFront ... support millions of websites across critical sectors, including government and healthcare, making them indispensable
The author is pretty naive. There is a reason why Google was left out of the list, in the 2010s people argue "Google is too important and China never dare to block it" then google's whole IP range is blocked.
Amazon Cloudfront, Akmai, Fastly are also (partially) blocked and barely working.
IMHO cleve tricks like "domain fronting" is just freebooting
doxx9999 208 days ago [-]
This works on ANY CDN... I focused on Cloudflare because they provide free accounts and it's pretty robust.
dlenski 222 days ago [-]
> IMHO cleve tricks like "domain fronting" is just freebooting
Private attempts to meddle in the security and interests of states.
221 days ago [-]
est 222 days ago [-]
> because it is still working
That's a big "still" and you don't loose anything in case the real owner of the "fronted" domain suffers loss.
notpushkin 222 days ago [-]
I don't think it's right to assign blame here to any party other than the authoritarian regime that decides to block the whole CDN.
novakwok 222 days ago [-]
There seems another way to achieve this, using Cloudflare's own cloudflared tunnel.
Install a cloudflared tunnel on your remote server, configure it to forward traffic to that server's hosts proxy server(maybe Shadowsocks) using Zero Trust dashboard, and run the following command on your local computer:
I don’t get why headers and requests need to be spoofed if all traffic is over https?
mhio 222 days ago [-]
The headers are seen by the monster-in-the-middle CDN.
It's obfuscation at best. I'm not sure the encrypted traffic will look particularly php-ish for example. Compressed formats might look vaguely passable.
I can't see any stenography code or libraries in the repo.
tomsonj 221 days ago [-]
yeah if the CDN is not trusted this tool won’t help but then little would
duskwuff 222 days ago [-]
> I don’t get why headers and requests need to be spoofed if all traffic is over https?
Because the traffic is to a CDN endpoint (like Cloudflare) which expects it to be a HTTP message.
tomsonj 221 days ago [-]
it can still be an https message, who cares what the path, query string, or headers look like? that is all encrypted
Titan2189 222 days ago [-]
> I don’t get why headers and requests need to be spoofed if all traffic is over https?
how are they looking inside the packet if it's encrypted?
sodality2 222 days ago [-]
DPI doesn't have to decrypt it to make certain guesses about its content. For example, timing information, packet sizes, routing info, etc could lead you to believe it's certain kinds of things (SSH, VPN, etc).
This certainly was an issue but it's solved by ECH/DoH. As long as they aren't blocked on your network anyway.
> Also, State (sponsored) Actors are certificate authorities.
To generate a fake certificate as a CA you have to either put it in the Certificate Transparency log, in which case everyone will notice, or don't, in which case browsers will notice (they know what top sites' certificates are supposed to look like) and your CA will get shut down.
hamilyon2 221 days ago [-]
Someone should really test it, real red team black hat style and then fully publish the results. Try to mitm https with real unlogged certs and see what happens. Preregister the whole fully detailed procedure on blockchain. And report to public results fully, with proofs of being caught.
account42 221 days ago [-]
SNI doesn't expose headers and request paths.
peter_d_sherman 221 days ago [-]
>"Why CDNs?
Services like Cloudflare, Akamai Technologies, Fastly, and Amazon CloudFront are not only widely accessible but also integral to the global internet infrastructure. In regions with restrictive networks, alternatives such as CDNetworks in Russia, ArvanCloud in Iran, or ChinaCache in China may serve as viable proxies. These CDNs support millions of websites across critical sectors, including government and healthcare, making them indispensable.
Blocking them risks significant collateral [commercial, commerce] damage, which inadvertently makes them reliable pathways for bypassing restrictions."
(There's also TCP/IP (Internet) via HAM radio (packet radio) and/or StarLink (or more broadly, satellite Internet)...)
Observation: If a large enough commercial corporation has an interest relating to commerce (in whatever area), then if that commerce conflicts with a government block (foreign or domestic) of whatever sort, then the large commercial interest, given enought time, will usually (*) win (they can usually hire better Lawyers, foreign or domestic...)
(*) But not always...
mschuster91 221 days ago [-]
> There's also TCP/IP (Internet) via HAM radio (packet radio)
I get the idea and the spirit behind using ham radio to evade censorship, but...
- you're not allowed to run encrypted content over ham packet radio, at least by regulations, plain HTTP is fine but anything SSL is not... don't be a dick and ruin the fun for everyone else.
- ham radio comms is, outside of emergencies such as widespread blackouts or natural disasters, supposed to only be between ham radio operators themselves - no message-passing for others.
- at least in the long-range bands that you'd actually use for cross-country communications, bandwidth is scarce - and you may disturb a lot of people by doing that, or by just blasting around with huge transmitters... Monday late evening in Germany, try to listen in on 80m, there's so damn many Russians on there with extremely powerful transmitters.
Ham radio frequencies are scarce enough as it is and politicians, particularly in authoritarian countries, already aren't happy about it (in North Korea, for example, it's banned and it's one of the rarest countries to DX with). Please don't make life for hams more complex than it already is by abusing what it stands for.
Melatonic 221 days ago [-]
Packet radio is also extremely slow - this seems like a terrible option.
a-ve 222 days ago [-]
Is this something like WebTunnel from the Tor Project?
Is there any tool that does the other way around? I simply need an alternative to cloudflared tunnel (https://blog.cloudflare.com/tunnel-for-everyone/) for exposing localhost port to a public domain that lets me supports anonymous clients. All cloud solutions charge based on users so they unfortunately doesn’t work
freeone3000 221 days ago [-]
Have you considered upnp+dyndns?
theblazehen 222 days ago [-]
How does this differ from tunneling a VPN over something like wstunnel?
We've been running that in prod for several years without any issues, also going through cloudflare
doxx9999 208 days ago [-]
Websocket is a protocol that when used it's rather obvious what you're doing. This is designed to look like actual web traffic.
tripplyons 221 days ago [-]
Reminds me of how people forward requests through CloudFlare workers as a cheap way to get around IP-based rate limits.
Rendered at 22:06:16 GMT+0000 (Coordinated Universal Time) with Vercel.
Proxying projects utilising HTTP/TLS are popular in the anti-censorship community (discussion board: https://github.com/net4people/bbs) and there are many variants of it; ex:
- KCP (over UDP): https://github.com/xtaci/kcp-go
- Bepass: https://github.com/bepass-org/bepass-worker
Apparently Cloudflare, since a few weeks ago, has started flagging traffic bound to/from proxies as DDoS vectors: https://github.com/net4people/bbs/issues/429
The author is pretty naive. There is a reason why Google was left out of the list, in the 2010s people argue "Google is too important and China never dare to block it" then google's whole IP range is blocked.
Amazon Cloudfront, Akmai, Fastly are also (partially) blocked and barely working.
IMHO cleve tricks like "domain fronting" is just freebooting
What do you mean by "freebooting"?
We added domain fronting support to the OpenConnect TLS-VPN client _in 2022_ because it is still working and useful for many people working in censored countries and environments. https://gitlab.com/openconnect/openconnect/-/merge_requests/...
https://en.m.wikipedia.org/wiki/Filibuster_(military)
Private attempts to meddle in the security and interests of states.
That's a big "still" and you don't loose anything in case the real owner of the "fronted" domain suffers loss.
Install a cloudflared tunnel on your remote server, configure it to forward traffic to that server's hosts proxy server(maybe Shadowsocks) using Zero Trust dashboard, and run the following command on your local computer:
cloudflared access tcp --hostname some.your-domain.tld --url localhost:8080
Then localhost:8080's traffic will be forwarded to cloudflareds' host, the whole traffic is using HTTP2 so might look legitimate to Firewall.
For example if using Shadowsocks on server, your Shadowsocks's local client can connect to localhost:8080 as server to forward traffic.
The use case is to relay WireGuard over TCP/CF in a restrictive network, confirmed to work in China, obviously not too fast.
I don’t get why headers and requests need to be spoofed if all traffic is over https?
It's obfuscation at best. I'm not sure the encrypted traffic will look particularly php-ish for example. Compressed formats might look vaguely passable.
I can't see any stenography code or libraries in the repo.
Because the traffic is to a CDN endpoint (like Cloudflare) which expects it to be a HTTP message.
https://en.wikipedia.org/wiki/Deep_packet_inspection
> Also, State (sponsored) Actors are certificate authorities.
To generate a fake certificate as a CA you have to either put it in the Certificate Transparency log, in which case everyone will notice, or don't, in which case browsers will notice (they know what top sites' certificates are supposed to look like) and your CA will get shut down.
Services like Cloudflare, Akamai Technologies, Fastly, and Amazon CloudFront are not only widely accessible but also integral to the global internet infrastructure. In regions with restrictive networks, alternatives such as CDNetworks in Russia, ArvanCloud in Iran, or ChinaCache in China may serve as viable proxies. These CDNs support millions of websites across critical sectors, including government and healthcare, making them indispensable.
Blocking them risks significant collateral [commercial, commerce] damage, which inadvertently makes them reliable pathways for bypassing restrictions."
(There's also TCP/IP (Internet) via HAM radio (packet radio) and/or StarLink (or more broadly, satellite Internet)...)
Observation: If a large enough commercial corporation has an interest relating to commerce (in whatever area), then if that commerce conflicts with a government block (foreign or domestic) of whatever sort, then the large commercial interest, given enought time, will usually (*) win (they can usually hire better Lawyers, foreign or domestic...)
(*) But not always...
I get the idea and the spirit behind using ham radio to evade censorship, but...
- you're not allowed to run encrypted content over ham packet radio, at least by regulations, plain HTTP is fine but anything SSL is not... don't be a dick and ruin the fun for everyone else.
- ham radio comms is, outside of emergencies such as widespread blackouts or natural disasters, supposed to only be between ham radio operators themselves - no message-passing for others.
- at least in the long-range bands that you'd actually use for cross-country communications, bandwidth is scarce - and you may disturb a lot of people by doing that, or by just blasting around with huge transmitters... Monday late evening in Germany, try to listen in on 80m, there's so damn many Russians on there with extremely powerful transmitters.
Ham radio frequencies are scarce enough as it is and politicians, particularly in authoritarian countries, already aren't happy about it (in North Korea, for example, it's banned and it's one of the rarest countries to DX with). Please don't make life for hams more complex than it already is by abusing what it stands for.
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-...
We've been running that in prod for several years without any issues, also going through cloudflare