Opened 4 years ago
Last modified 3 years ago
#14256 new enhancement
Clarify whether Cloudflare's Universal SSL thing works with meek
| Reported by: | cypherpunks | Owned by: | dcf |
|---|---|---|---|
| Priority: | Medium | Milestone: | |
| Component: | Obfuscation/meek | Version: | |
| Severity: | Normal | Keywords: | |
| Cc: | | Actual Points: | |
| Parent ID: | | Points: | |
| Reviewer: | | Sponsor: | |
Description
The Meek wiki page has a section on CloudFlare as a possible CDN to use, but seems to have been written before CloudFlare rolled out their Universal SSL free tier.
Would it be possible to have a meek-cloudflare using this Universal SSL thing?
Child Tickets
Change History (5)
comment:1 Changed 4 years ago by
comment:2 follow-up: 3 Changed 3 years ago by
Recent changes to how CloudFlare validates TLS connections means that this will no longer work.
Host header spoofing does not work for technical reasons on CloudFlare
[ Disclosure: I work for CloudFlare ]
comment:3 Changed 3 years ago by
Replying to benjojo:
> Recent changes to how CloudFlare validates TLS connections means that this will no longer work.
> Host header spoofing does not work for technical reasons on CloudFlare
> [ Disclosure: I work for CloudFlare ]
Thanks for the information. We hadn't yet tried to get CloudFlare working, and knowing this will save some frustration.
If there is a way to restore this characteristic of the infrastructure, consistent with CloudFlare's technical and business constraints, a lot of censored users will appreciate it.
comment:4 follow-up: 5 Changed 3 years ago by
| Severity: | → Normal |
|---|---|
I did some experiments with CloudFlare, and here are the results:
When using HTTP/1.1, CloudFlare requires the SNI hostname to match the value of the Host header. If this is violated, HTTP error 403 is returned.
However, when using HTTP/2, the check is less strict. HTTP/2 has a feature where a single connection can be used with multiple host names as long as the TLS certificate presented by the server is valid for all those host names. When using CloudFlare Free SSL, a single certificate is generated for multiple domains, and it is possible to utilize domain fronting as long as both the front and the back domain use the same certificate.
I don't know how they choose which domains share a certificate. Also, these certificates seem to be reissued much more frequently than their validity period might suggest. As a result, domain fronting with CloudFlare is possible, but not very convenient.
Anyway, I registered an address https://meek-reflect.cf/ which you can use for testing. Unfortunately, I don't know any command-line tools that can send HTTP/2 requests, and constructing HTTP/2 requests by hand is not trivial. Still, you can use this command to try the voodoo magic of domain fronting for yourself:
```sh
printf 'PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n\0\0\0\4\0\0\0\0\0\0\0\24\1\5\0\0\0\1\202\207\1\17meek-reflect.cf\204' | openssl s_client -quiet -connect spacebitco.in.net:443 -servername spacebitco.in.net -alpn h2
```
If you see the text `I’m just a happy little web server.` somewhere in the output, then it worked.
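To make the printf string above readable, here is an added example (not from the ticket or from meek) that builds the same bytes in Python: the HTTP/2 connection preface, an empty SETTINGS frame, and a HEADERS frame whose HPACK block uses static-table indices for `:method`, `:scheme` and `:path` and a literal `:authority`. The function names are my own; `parse_frames` decodes the 9-byte frame headers back so the layout can be checked.

```python
"""Reconstruct the raw HTTP/2 request sent by the printf command (added example)."""
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
SETTINGS, HEADERS = 0x4, 0x1            # frame types (RFC 7540)
END_STREAM, END_HEADERS = 0x1, 0x4      # HEADERS frame flags

# HPACK static-table indices (RFC 7541, Appendix A) used by the command.
IDX_AUTHORITY, IDX_METHOD_GET, IDX_PATH_ROOT, IDX_SCHEME_HTTPS = 1, 2, 4, 7


def frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """9-byte frame header: 24-bit length, type, flags, 31-bit stream id."""
    length = struct.pack(">I", len(payload))[1:]
    return length + bytes([ftype, flags]) + struct.pack(">I", stream_id) + payload


def hpack_request(authority: bytes) -> bytes:
    """Header block: indexed :method/:scheme, literal :authority, indexed :path."""
    if len(authority) > 126:            # single-byte 7-bit length, no Huffman
        raise ValueError("authority too long for this minimal encoder")
    return (bytes([0x80 | IDX_METHOD_GET, 0x80 | IDX_SCHEME_HTTPS])
            + bytes([IDX_AUTHORITY, len(authority)]) + authority   # literal, no indexing
            + bytes([0x80 | IDX_PATH_ROOT]))


def build_request(authority: str) -> bytes:
    """Preface, empty SETTINGS, then GET / for `authority` on stream 1."""
    return (PREFACE
            + frame(SETTINGS, 0, 0, b"")
            + frame(HEADERS, END_STREAM | END_HEADERS, 1,
                    hpack_request(authority.encode())))


def parse_frames(data: bytes):
    """Return (type, flags, stream_id, payload) for each frame after the preface."""
    if not data.startswith(PREFACE):
        raise ValueError("missing HTTP/2 connection preface")
    pos, frames = len(PREFACE), []
    while pos < len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        frames.append((ftype, flags, stream_id, data[pos + 9:pos + 9 + length]))
        pos += 9 + length
    return frames
```

The bytes `build_request("meek-reflect.cf")` returns are exactly what the octal escapes in the printf string expand to, so the SNI (set by `-servername`) and the `:authority` header can be seen to be two independent values.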
comment:5 Changed 3 years ago by
Replying to abacabadabacaba:
> I did some experiments with CloudFlare, and here are the results:
Thanks, good to know. That's a creative approach.
Please give it a try. I think it works. There are some sample Wget commands on the wiki page.
If you're a CloudFlare customer you can easily test it yourself. Set up a new domain with https://meek.bamsoftware.com/ as your origin server. Then try to Wget a different CloudFlare home page with your domain name in the Host header.
I think CloudFlare is a good deployment target. But first we need to find a way to pay for it. It's also a non-negligible amount of maintenance work, each additional backend we deploy. If CloudFlare offers a better value (cheaper or better performance than meek-amazon, for example) then it would make sense to switch to it.