We all know that nginx's reverse-proxy capability can be used to reach sites blocked across the border, but that approach has many constraints: login authentication is hard to get working, a separate forwarding module has to be compiled in, you need a validly signed SSL certificate, and so on.
This time we introduce another tool, SNI Proxy. With dnsmasq plus sniproxy you can reverse-proxy any site without a certificate at all. It uses the SNI of the TLS connection to proxy the TCP stream to the destination site, so the proxy server needs no certificate of its own, and the certificate the visitor sees is exactly the target site's own certificate.
Of course, since it is based on SNI, it certainly cannot proxy plain HTTP pages; if the target site does not support HTTPS, it will not work.
Compile SNI Proxy (can be skipped)
The example environment is Ubuntu 14.04.
Clone the sniproxy source from git: https://github.com/dlundquist/sniproxy.git
Prepare the environment
```shell
# Install the required development environment
sudo apt-get install autotools-dev cdbs debhelper dh-autoreconf dpkg-dev gettext libev-dev libpcre3-dev libudns-dev pkg-config fakeroot devscripts
# Build the package
./autogen.sh && dpkg-buildpackage
# Install the freshly built package
sudo dpkg -i ../sniproxy_<version>_<arch>.deb
```
Install and configure SNI Proxy
```shell
apt-get install python-software-properties
add-apt-repository ppa:dlundquist/sniproxy
apt-get update && apt-get install sniproxy
```
Edit /etc/sniproxy.conf to enable the reverse proxy:
```
table https_hosts {
    # Google
    (.*.|)233.wiki$ *
    (.*.|)google.com$ *
    (.*.|)google.com.hk$ *
    (.*.|)google.co.jp$ *
    (.*.|)googlehosted.com$ *
    (.*.|)googleusercontent.com$ *
    (.*.|)ggpht.com$ *
    (.*.|)gstatic.com$ *
    (.*.|)googlemail.com$ *
    (.*.|)googlecode.com$ *
    (.*.|)blogspot.com$ *
    (.*.|)gmail.com$ *
    (.*.|)appspot.com$ *
}

table xmpp_imap_smtp {
    (.*.|)google.com$ *
    (.*.|)googlemail.com$ *
    (.*.|)gmail.com$ *
}
```
The table above whitelists the domains to reverse-proxy, but it is a nuisance: every time you add a new site you have to extend this list. So we trade a little security for a little convenience. I also have no need to reverse-proxy mail (it is prone to abuse, and foreign spam servers are loathed), so I can simply write:
```
user nobody

listen 127.0.0.1:443 {
    proto tls
    table https_hosts
}

table https_hosts {
    .* *:443
}
```
Note: for IPv4 you need to explicitly write the external address to listen on (replace the 127.0.0.1 above); otherwise it will only listen on IPv6.
This opens an HTTPS-only reverse proxy, and any domain name that resolves to this server will be proxied. So we control which domains get proxied purely through dnsmasq resolution. (There is a small security risk here: once someone discovers it, your server's traffic may vanish unexpectedly, so remember to monitor your server's bandwidth.)
Run sniproxy
Run it directly with the sniproxy command. The default configuration file /etc/sniproxy.conf is loaded automatically; if you use a different file name or path, specify it with the "-c" option:
```shell
sniproxy -c /etc/sniproxy.conf
```
Port redirection
Next: generally we do not like typing a port number or protocol name when visiting a site, so what about access on the default port 80? As a helper we install a lightweight nginx and send all port-80 traffic to the port 443 above with a 301 redirect.
Note that for Google and other special domains, even a port redirect cannot fix the jump, because the GFW can unpack HTTP traffic, so you know the rest.
Edit the nginx configuration file "/etc/nginx/sites-available/default" to the following:
```nginx
server {
    listen 80; ## listen for ipv4; this line is default and implied
    #listen [::]:80 default ipv6only=on; ## listen for ipv6

    # Make site accessible from http://localhost/
    server_name _;

    location / {
        rewrite ^ https://$host$request_uri permanent;
    }
}
```
DNS
sniproxy is built and running, but it still cannot be reached directly: your DNS has to point at it, so that it can proxy the SSL connection based on the domain name. You could modify your own hosts file to handle that resolution. But an easier way is to use dnsmasq. I wrote an article describing how to set up your own private DNS server at home to avoid DNS pollution; you only need to add the resolution entries to that server's dnsmasq configuration.
For example, create a new /etc/dnsmasq.d/sni.conf and write in it the domain names that must resolve to your sniproxy server. To this end I built a project on GitHub that collects the common sites to resolve; you only need to download it and replace the IP inside with your sniproxy server's IP!
```shell
apt-get install git
git clone https://github.com/R0uter/Dnsmasq-sniproxy-conf.git
cd Dnsmasq-sniproxy-conf
ln -s /root/Dnsmasq-sniproxy-conf/sni.conf /etc/dnsmasq.d/
```
Remember to modify the IP address inside!
——————
With this, your DNS gains automatic reverse proxying for the common sites! ☺️
Original article by LogStudio: R0uter's Blog » SNI Proxy: deploy a reverse proxy for faster web access without a certificate
If reproducing, please keep the source and this link: https://www.logcg.com/archives/984.html
"GFW can unpack HTTP traffic"? It cannot unpack; HTTP data is transmitted in the clear, so there is no security.
Yes. When HTTP transmits data, TCP splits it into packets; when reading, the TCP data is depacketized and merged back into plaintext. I deliberately used the term "unpack" here instead of "decryption", so I think the description is reasonable.
Seemingly useless; nowadays dnsmasq, pdnsd and the like cannot solve the DNS pollution problem.
FML!!!! The WordPress backend is paralysed and I can't reply at all, argh!!!
I wrote it three whole times, three times!!!!!
=。= Forget it, I don't want to write it again, I'm furious. This works, I use it; you need two VPSes, one abroad and one domestic, and then it is absolutely powerful.
Use typecho
Ah, after so many years, if I change the blog system... the migration workload is too large. Just deal with it, hahahaha.