電訊茶室's Archiver

tomleehk posted on 2019-9-28 14:11

Openwrt v2ray server + tls1.3 + websocket + webserver + cert + cdn 保護篇

[i=s] This post was last edited by tomleehk on 2020-4-6 13:33 [/i]

[b][color=Blue]Preparation[/color][/b]
1. A router running openwrt v2ray server + tls + websocket + webserver + cert
ref. [url]http://www.telecom-cafe.com/forum/viewthread.php?tid=7749&extra=page%3D1[/url]
2. A paid or free domain registration, e.g. [url]www.freenom.com[/url]
3. A registered CDN service subscription, e.g. [url]www.cloudflare.com[/url]
4. V2ray client ( e.g. Kitsunebi )
5. Knowledge of UNIX/openwrt
6. Concept of domain
7. Concept of CDN

[color=Blue][b]Background and Target[/b][/color]
The GFW can identify whether an IP is residential or not.
Keeping a residential IP in use increases the risk of being blocked by the GFW.
Use a CDN IP to hide the residential IP of your router. Only the CDN IP will be exposed to the GFW, and CDN IPs are commonly and widely used by commercial websites all around the world.
Therefore the GFW normally will not block a CDN IP.

tomleehk posted on 2019-9-28 14:12

[i=s] This post was last edited by tomleehk on 2019-9-28 23:05 [/i]

[b][color=Blue]Domain Registration[/color][/b]

Using [url]www.freenom.com[/url] as an example,

1. At [url]http://www.freenom.com/en/index.html[/url],
   verify the availability of your preferred domain, e.g. [color=Magenta][b]nogfw[/b][/color]
   and click the <<Check Availability>> button
  
    It will then show the availability of nogfw.tk, nogfw.cf, etc.
    Select your preference by clicking the button <<Get it Now!>>
    Then click the button <<checkout>>

2. Then follow the subsequent steps, which are rather straightforward.
    At the screen where you see the button <<Verify My Email Address>>,
    input your email address accordingly and
    click the button <<Verify My Email Address>>.
    Then follow the instructions, such as creating a password,
    until you see that your selected domain,
    e.g. [color=Magenta][b]nogfw.cf[/b][/color], is registered successfully under your account.

3. Your email address will be your account id.

tomleehk posted on 2019-9-28 14:12

[i=s] This post was last edited by tomleehk on 2020-4-6 13:34 [/i]

[b][color=Blue]CDN registration[/color][/b]

Using [url]www.cloudflare.com[/url] as an example

1. Create an account at [url]https://dash.cloudflare.com/sign-up[/url]
2. Log in to Cloudflare at [url]https://dash.cloudflare.com/login[/url]
3. At [url]https://dash.cloudflare.com/[/url], in the upper right-hand corner,
    click the button <<+ Add site>>
4. Add your domain, e.g. [color=Magenta][b]nogfw.cf[/b][/color],
    then click the button <<Add site>>,
    then follow the steps accordingly to select the plan,
    e.g. "free plan" then click <<confirm plan>> button.
5. At the screen to add a DNS record for your domain, add
   CNAME, [color=Magenta]nogfw.cf[/color], [color=Red]testhost.ddnsfree.com[/color], proxied
   where [color=Red]testhost.ddnsfree.com[/color] is the domain of your openwrt v2ray router.
   [attach]4455[/attach]
   see [url]http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&ptid=7749&pid=47343[/url]
6. Then click the button <<Add Record>>, <<Continue>>,
    it will show a screen to change the nameservers.
7. At your browser, open a new tab and access your domain registration website.
    e.g. [url]https://my.freenom.com/clientarea.php?action=domains[/url]
    At your domain, e.g. nogfw.cf, click the button <<Manage Domain>>
    Then click the button <<Manage Freenom DNS>> and
    Select the option <<Use custom nameservers (enter below)>>
    Then enter the nameservers of step 6 and
    then click the button <<Change Nameservers>>
8. At your browser, go back to the tab of step 6; at the bottom,
    Click the button <<Done, check nameServers>>
9. Then at the support portal for your domain, e.g. nogfw.cf
    Click the button SSL/TLS, select the option "[color=SeaGreen][b]Full[/b][/color]"
[attach]4454[/attach]
10. Then select the tab <<Edge Certificates>>
      TLS 1.3 - On
      Minimum TLS Version - TLS 1.3
[attach]4519[/attach]


If everything is fine, [color=Magenta]nogfw.cf[/color] will be proxied to [color=Red]testhost.ddnsfree.com[/color] after a few minutes.

At the browser, if you access [color=Magenta]nogfw.cf[/color], you will see the login sample webpage of
[url]http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&ptid=7749&pid=47345[/url]

Verification
1. Use browser to access [color=Magenta]nogfw.cf[/color], verify the valid certificate issued by cloudflare for [color=Magenta]nogfw.cf[/color]
2. Use browser to access [color=Red]testhost.ddnsfree.com[/color], verify the valid certificate issued by Let's encrypt for [color=Red]testhost.ddnsfree.com[/color]

Therefore, you should be able to access the webpage on the openwrt v2ray router [color=Magenta]via cloudflare[/color] and [color=Magenta]via the original domain[/color] in parallel before you move on.

tomleehk posted on 2019-9-28 14:12

[i=s] This post was last edited by tomleehk on 2020-4-6 14:22 [/i]

[b][color=Blue]Modification to lighttpd configuration[/color][/b]

Using lighttpd as an illustration, the sample configuration file should have
[code]server.modules = ("mod_openssl","mod_proxy")

server.document-root        = "/www/webproj/"
server.upload-dirs          = ( "/tmp" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/var/run/lighttpd.pid"
server.username             = "http"
server.groupname            = "www-data"

index-file.names            = ( "index.php", "index.html",
                                "index.htm", "default.htm",
                                "index.lighttpd.html" )

static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

### Options that are useful but not always necessary:
#server.chroot               = "/"
server.port                 = 8080
#server.bind                 = "localhost"
#server.tag                  = "lighttpd"
#server.errorlog-use-syslog  = "enable"
#server.network-backend      = "write"

### Use IPv6 if available
#include_shell "/usr/share/lighttpd/use-ipv6.pl"

#dir-listing.encoding        = "utf-8"
#server.dir-listing          = "enable"

include       "/etc/lighttpd/mime.conf"
include_shell "cat /etc/lighttpd/conf.d/*.conf"

$SERVER["socket"] == ":443" {
  ssl.engine = "enable"
  ssl.pemfile = "/www/ssl/lighttpd.pem"
  ssl.ca-file = "/www/ssl/ca_bundle.crt"
  ssl.openssl.ssl-conf-cmd = ("Ciphersuites" => "TLS_AES_128_GCM_SHA256")+("Protocol" => "-ALL, TLSv1.3")
  ssl.use-sslv2 = "disable"
  ssl.use-sslv3 = "disable"
}

$HTTP["url"] =~ "^/vpath" {
  $HTTP["host"] == "nogfw.cf" {
     proxy.header = ( "upgrade" => "enable")
     proxy.server = ( "" => (("host" => "127.0.0.1","port" => 8443)))
  }
  else {
     $HTTP["host"] == "testhost.ddnsfree.com" {
         proxy.header = ( "upgrade" => "enable")
         proxy.server = ( "" => (("host" => "127.0.0.1","port" => 8443)))
     }
     else {
          url.redirect = ( "" => "/" )
      }
  }
}

[/code]
This is [color=DarkOrchid][b]the only change needed[/b][/color] on the v2ray router.
[code]
  $HTTP["host"] == "nogfw.cf" {
  ....
  }
  else {
     $HTTP["host"] == "testhost.ddnsfree.com" {
   ...
     }
[/code]
Reboot the router and then
1. Use browser to access [color=Magenta][b]nogfw.cf[/b][/color], verify the valid certificate issued by cloudflare for [color=Magenta][b]nogfw.cf[/b][/color]
2. Use browser to access [color=Red][b]testhost.ddnsfree.com[/b][/color], verify the valid certificate issued by Let's encrypt for [color=Red][b]testhost.ddnsfree.com[/b][/color]
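The two browser checks above (here and at the end of the CDN registration post) can also be scripted. The following is an added example, not code from the original thread: a POSIX shell script that uses `openssl s_client` to confirm the certificate issuer, the negotiated TLS 1.3 and a clean chain for each name, and that a TLS 1.2-only client is refused as the "Minimum TLS Version - TLS 1.3" setting intends. It assumes the thread's sample names nogfw.cf (CDN) and testhost.ddnsfree.com (origin); the embedded s_client output is constructed.

```shell
#!/bin/sh
# Added example, not from the original thread. nogfw.cf and testhost.ddnsfree.com
# are the thread's sample hostnames (assumed: your CDN name and your origin name).

# tls_report TEXT WANT_ISSUER
#   TEXT is the output of `openssl s_client`; WANT_ISSUER is a substring expected
#   on the leaf certificate's issuer line (e.g. "Cloudflare" or "Let's Encrypt").
#   Prints "ok", or the names of the failed checks (proto issuer verify),
#   and returns non-zero when any check fails.
tls_report() {
    out=$1; want=$2; fail=""
    # the SSL-Session block reports the negotiated protocol version
    printf '%s\n' "$out" | grep -q '^Protocol *: TLSv1\.3' || fail="${fail:+$fail }proto"
    # the issuer line is printed for the leaf certificate (old and new OpenSSL styles)
    printf '%s\n' "$out" | grep -q "^issuer=.*$want" || fail="${fail:+$fail }issuer"
    # the chain must validate against the local trust store
    printf '%s\n' "$out" | grep -q '^ *Verify return code: 0 (ok)' || fail="${fail:+$fail }verify"
    if [ -z "$fail" ]; then echo ok; return 0; fi
    echo "$fail"; return 1
}

# probe HOST WANT_ISSUER: live check of HOST:443 with SNI set to HOST.
probe() {
    out=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null)
    printf '%s: ' "$1"; tls_report "$out" "$2"
}

# downgrade_rejected HOST: returns 0 if the server refuses a TLS 1.2-only client,
# which is what the "Minimum TLS Version - TLS 1.3" edge setting should produce.
downgrade_rejected() {
    ! openssl s_client -connect "$1:443" -servername "$1" -tls1_2 </dev/null >/dev/null 2>&1
}

# Constructed sample of s_client output, trimmed to the lines tls_report reads.
SAMPLE_CDN='issuer=C = US, O = Cloudflare, Inc., CN = Cloudflare Inc ECC CA-3
Protocol  : TLSv1.3
    Verify return code: 0 (ok)'

tls_report "$SAMPLE_CDN" "Cloudflare"          # prints: ok
tls_report "$SAMPLE_CDN" "Let's Encrypt" || :  # prints: issuer

# Live run against your own two names:
#   probe nogfw.cf Cloudflare; probe testhost.ddnsfree.com "Let's Encrypt"
#   downgrade_rejected nogfw.cf && echo "TLS 1.2 rejected by the CDN edge"
```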

tomleehk posted on 2019-9-28 14:12

[i=s] This post was last edited by tomleehk on 2019-10-5 18:37 [/i]

[b][color=Blue]Create a new endpoint option at your v2ray client[/color][/b]

Using Kitsunebi as an illustration,
the client configuration for the new endpoint option should have

Address - [color=Magenta]nogfw.cf[/color]
Port - 443
UUID - [color=Green]c50bf28e-98cd-a351-b8d5-d60d56c376c7[/color]
Alterid - 64
Security - auto
Network - [color=Green]ws[/color]
Path - [color=Magenta]/vpath[/color]
Host - [color=Magenta]nogfw.cf[/color]
TLS - check

Test and verify that both the new endpoint option (using [color=Magenta][b]nogfw.cf[/b][/color]) and
the original endpoint option (using [color=Red][b]testhost.ddnsfree.com[/b][/color], see
[url]http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&ptid=7749&pid=47346[/url])
can access the v2ray server properly in parallel.

tomleehk posted on 2019-9-28 22:34

[i=s] This post was last edited by tomleehk on 2019-9-28 22:51 [/i]

[b][color=Blue]Modification to v2ray configuration and certificate on the webserver[/color][/b]

There is
1) [color=Magenta][b]NO NEED [/b][/color]to change the original v2ray configuration, and
2) [color=Magenta][b]NO NEED [/b][/color]to change the original certificate on the webserver

tomleehk posted on 2019-9-28 22:43

[i=s] This post was last edited by tomleehk on 2019-9-29 20:03 [/i]

[b][color=Blue]Comment[/color][/b]

This CDN approach has a disadvantage: it unavoidably slows down the v2ray throughput, since normally your v2ray router and the CDN are located in different geographical zones. Therefore, at your client, it is better to keep endpoint options for accessing your v2ray router [color=Magenta]via cloudflare[/color] and [color=Magenta]via the original domain[/color] in parallel.

If the original domain option can be used, keep using it.
If the original domain IP is blocked, switch to the CDN endpoint option.

[color=SeaGreen][b]Rescuing a blocked IP: CDN + v2ray, a safe way to bypass the firewall[/b][/color]
[url]https://blog.sprov.xyz/2019/03/11/cdn-v2ray-safe-proxy/[/url]

tomleehk posted on 2019-9-28 22:46

[b][color=Blue][Reserved][/color][/b]
