Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Iran firewall blocks my subdomain, in vless/trojan CDN configuration. #218

Open
Hadi-1624 opened this issue Feb 28, 2023 · 13 comments
Open

Iran firewall blocks my subdomain, in vless/trojan CDN configuration. #218

Hadi-1624 opened this issue Feb 28, 2023 · 13 comments
Labels
Iran

Comments

@Hadi-1624
Copy link

Hi there
I've been frustrated and i don't know how to resolve this problem.
I use xray to create a vless or trojan WS configuration.
Then, I use cloudflare to connect to port 443 or 2083 to my xray server. in the SNI section, i have to use my subdomain so that cloudflare can connect to my server.
After a day or one week, my subdomain is blocked by the iranian firewall and i need to add another subdomain, issue a certificate and reconfigure my nginx server again.

-I use nginx so that when my subdomain is visited, a page from wikipedia is shown
-I've tried vmess, vless and trojan
Could you please help me to find a way to avoid getting my domains blocked?
@wkrp wkrp added the Iran label Feb 28, 2023
@computerscot
Copy link

There are some suggestions for Iran in the thread #217

@SasukeFreestyle
Copy link

SasukeFreestyle commented Feb 28, 2023
edited
Loading

Hi! @Hadi-1624
I've some tips you can try. But you should also know that Iranian DPI firewall has blocked some Cloudflare services/IP's and this is maybe one of your Issues.

You should add a outbound CIDR-IP block so your server that looks like a website does not initiate the connection back to Iran, as "web servers" normally does not do this. Check my json config in my repository.

Also use xtls-rprx-vision as flow (without ,none). Unfortunately vision does not support websockets as a direct connection.

Configure your clients to use a uTLS fingerprint, like Chrome.

You should NOT point your homepage on your server to Wikipedia. You need to create a fake website preferably in Persian with Persian text. The Iranian firewall probably has banned some keywords when they active-probe your website.

If you don't want to create a fake website then point your nginx to load a page from inside Iran, an Iranian website that has Iranian an IP.

I'm currently running my xray server without a CDN. But If you want to use a CDN, follow these steps here.

https://www.digitalocean.com/community/tutorials/how-to-host-a-website-using-cloudflare-and-nginx-on-ubuntu-22-04

https://github.com/XTLS/Xray-examples/blob/main/All-in-One-fallbacks-Nginx/nginx.conf

@Hadi-1624
Copy link
Author

@computerscot I believe that guide won't support websocket, which i use.
I'd like to use cloudflare to protect my server's IP.

@Hadi-1624
Copy link
Author

@SasukeFreestyle
Thanks for your comment
I've payed in advance for my server, and its IP is blocked now by the iranian firewall, so my only option is cloudflare now, I'd like to avoid paying for another server if i can.
I didn't know about outbound CIDR-IP block, i will check your manual for it.
Which method do you recommend for redirecting to an iranian page?
I've used redirect 302, and my subdomain got blocked still
thanks

@SasukeFreestyle
Copy link

You could use this in your nginx serverblock configuration. But I highly recommend you create a fake website.
replace https://Iranianwebsite.ir with an Iranian website that has an Iranian IP.

location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        proxy_ssl_server_name on;
        proxy_pass https://Iranianwebsite.ir;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

Check configurations on https://github.com/XTLS/Xray-examples/blob/main/All-in-One-fallbacks-Nginx/server.json that uses Vision as its entry point to websockets using fallbacks, I have not tried this but it might work for you.

@ValdikSS
Copy link

ValdikSS commented Mar 3, 2023

As far as I remember, Websocket connection over Cloudflare uses HTTP/1.1 instead of HTTP/2 (h2 TLS ALPN), and thus is distinguishable from the regular web traffic. Maybe this is the mark which is later used for manual validation and block.

@computerscot
Copy link

Xray supports HTTP/2 as "network": "h2" and I believe HTTP/2 is also proxied by Cloudflare.

https://github.com/XTLS/Xray-examples/blob/main/VLESS-H2C-Caddy2/server.json

@ValdikSS
Copy link

ValdikSS commented Mar 5, 2023

v2fly/v2ray-core#557 (comment)

@Evolve6996
Copy link

Evolve6996 commented Mar 6, 2023
edited
Loading

As far as I remember, Websocket connection over Cloudflare uses HTTP/1.1 instead of HTTP/2 (h2 TLS ALPN), and thus is distinguishable from the regular web traffic. Maybe this is the mark which is later used for manual validation and block.
hello
you mean vless+ws+cdn over h1 us safe ? thanks

@ValdikSS
Copy link

ValdikSS commented Mar 7, 2023

you mean vless+ws+cdn over h1 us safe ? thanks

However, Golang programs are known to have h2,http/1.1 alpns. If we don't change this default value, when we handshake with CDN edge nodes, we will likely to get an HTTP/2 connection instead of HTTP/1 connection. It's known that WebSocket can only be upgraded from HTTP/1, so getting an HTTP/2 connection means no WebSocket available. That's why we need to hardcode http/1.1 into alpn when we are using WebSocket as transport. And when you hardcode http/1.1, this becomes distinguishable from normal Golang network traffic.

@Evolve6996
Copy link

you mean vless+ws+cdn over h1 us safe ? thanks

However, Golang programs are known to have h2,http/1.1 alpns. If we don't change this default value, when we handshake with CDN edge nodes, we will likely to get an HTTP/2 connection instead of HTTP/1 connection. It's known that WebSocket can only be upgraded from HTTP/1, so getting an HTTP/2 connection means no WebSocket available. That's why we need to hardcode http/1.1 into alpn when we are using WebSocket as transport. And when you hardcode http/1.1, this becomes distinguishable from normal Golang network traffic.

yes i readed that before but couldnt understand meaning of it 😕

However, Golang programs are known to have h2,http/1.1 alpns. If we don't change this default value, when we handshake with CDN edge nodes, we will likely to get an HTTP/2 connection instead of HTTP/1 connection.

what i get from this is for example if i dont put anything in alpn of v2rayn vless its gonna be h2 when it handsahke with cdn ?

It's known that WebSocket can only be upgraded from HTTP/1

is that means if i force H2 in v2rayn vless not connect ?

thanks ❤️

@ValdikSS
Copy link

ValdikSS commented Mar 9, 2023

is that means if i force H2 in v2rayn vless not connect ?

Yes. Cloudflare does not support websocket over h2.
https://community.cloudflare.com/t/websocket-over-http-2/436690

@Evolve6996
Copy link

Evolve6996 commented Mar 9, 2023
edited
Loading

is that means if i force H2 in v2rayn vless not connect ?

Yes. Cloudflare does not support websocket over h2. https://community.cloudflare.com/t/websocket-over-http-2/436690

just puted checkmark of alpn to h2 in vless and it connected ? 😕

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Iran
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@SasukeFreestyle @ValdikSS @Hadi-1624 @wkrp @Evolve6996 @computerscot