Open sergiustheblack opened 4 years ago
With the nginx option
ssl_prefer_server_ciphers on;
the mtproxy log says
Failed to parse upstream TLS response: TLS <= 1.2: expected x25519 as a chosen cipher
So I experimented with different well-known websites:
Google.com - everything is OK.
yandex.ru - "expected x25519 as a chosen cipher"
github.com - "Multiple encrypted client data packets are unsupported"
blog.cloudflare.com - OK.
the same
I was able to set up my own backend website and an MTProto proxy in front of it. It is working in general: I am able to connect to the MTProto proxy using Telegram, and I receive the web content of my website in the browser, but the following warning occurred:
Successfully checked domain www.my.amazing.domain in 0.031 seconds: is_reversed_extension_order = 1, server_hello_encrypted_size = 42, use_random_encrypted_size = 0 [30017][2019-09-18 08:08:00.325423 local] Multiple encrypted client data packets are unsupported, so handshake with www.my.amazing.domain will not be fully emulated
The configuration. mtproxy:
mtproto-proxy -u nobody -p 8888 -H 443 -S <secret> --aes-pwd proxy-secret proxy-multi.conf -M 1 -6 --domain www.my.amazing.domain
nginx (I used Let's Encrypt, currently without ECC):

server {
    listen 8443 ssl;
    server_name my.amazing.domain www.my.amazing.domain;
    ssl_certificate /<path>/fullchain.cer;
    ssl_certificate_key /<path>/my.amazing.domain.key;
    ssl_protocols TLSv1.3;
    ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-ARIA128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ARIA256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ARIA128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-ARIA256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-ARIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384;
    ssl_dhparam /etc/pki/nginx/dhparams.pem;
    location / {
        root /opt/tempsite;
        allow all;
        index index.html;
    }
}
The tricky part is iptables. Outgoing connections from the external IP to the same external IP are forwarded to another port:
iptables -t nat -A OUTPUT -s <my-white-ip>/32 --dst <my-white-ip>/32 -p tcp --dport 443 -j REDIRECT --to-ports 8443
So, please advise.
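The two upstream checks that the log lines in this thread report (the x25519 requirement from the first post and the "Multiple encrypted client data packets are unsupported" warning above), as an added example that is not MTProxy's code: it assumes, from the wording of those messages, that the proxy inspects the TLS 1.3 key_share group chosen in the upstream ServerHello and the number of encrypted records that follow it. The sample server flight is constructed inline, not captured from a real host.

```python
import struct
X25519, EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE = 0x001D, 0x002B, 0x0033
CCS, HANDSHAKE, APP_DATA, TLS13 = 20, 22, 23, 0x0304

def split_records(data):
    """Split raw bytes into (content_type, body) TLS records, rejecting truncation."""
    out, off = [], 0
    while off < len(data):
        ctype, _ver, length = struct.unpack('!BHH', data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError('truncated TLS record')
        out.append((ctype, body))
        off += 5 + length
    return out

def parse_server_hello(hs):
    """Return {ext_type: ext_body} from a ServerHello handshake message (type 2)."""
    if hs[0] != 2:
        raise ValueError('not a ServerHello')
    off = 4 + 2 + 32                  # handshake header, legacy_version, random
    off += 1 + hs[off] + 2 + 1        # session_id_echo, cipher_suite, compression
    end = off + 2 + struct.unpack('!H', hs[off:off + 2])[0]
    off, exts = off + 2, {}
    while off < end:
        etype, elen = struct.unpack('!HH', hs[off:off + 4])
        exts[etype] = hs[off + 4:off + 4 + elen]
        off += 4 + elen
    return exts

def check_upstream(flight):
    """Apply the two checks the issue's log lines describe to a server's first flight."""
    records = split_records(flight)
    exts = parse_server_hello(records[0][1])
    if struct.unpack('!H', exts.get(EXT_SUPPORTED_VERSIONS, b'\x03\x03'))[0] != TLS13:
        return {'ok': False, 'error': 'TLS <= 1.2 negotiated: no TLS 1.3 x25519 key share to mirror'}
    if struct.unpack('!H', exts[EXT_KEY_SHARE][:2])[0] != X25519:
        return {'ok': False, 'error': 'expected x25519 as the chosen key_share group'}
    enc = [b for ctype, b in records[1:] if ctype == APP_DATA]
    return {'ok': True, 'server_hello_encrypted_size': len(enc[0]) if enc else 0, 'fully_emulated': len(enc) == 1}

def build_server_flight(group=X25519, tls13=True, encrypted_sizes=(42,)):
    """Constructed sample (not a real capture): ServerHello + CCS + encrypted record(s)."""
    rec = lambda ctype, b: struct.pack('!BHH', ctype, 0x0303, len(b)) + b
    share = struct.pack('!HH', group, 32) + bytes(32)            # zeroed placeholder key
    exts = struct.pack('!HHH', EXT_SUPPORTED_VERSIONS, 2, TLS13) if tls13 else b''
    exts += struct.pack('!HH', EXT_KEY_SHARE, len(share)) + share
    body = b'\x03\x03' + bytes(32) + b'\x00\x13\x03\x00' + struct.pack('!H', len(exts)) + exts
    flight = rec(HANDSHAKE, b'\x02' + len(body).to_bytes(3, 'big') + body) + rec(CCS, b'\x01')
    return flight + b''.join(rec(APP_DATA, bytes(n)) for n in encrypted_sizes)
```

A server that answers with secp256r1 or TLS 1.2 fails the first two checks, while one that splits its encrypted handshake across several records passes but is reported as not fully emulated, matching the warning quoted above.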
How is it possible to create a certificate for blog.cloudflare.com? Does this solution still work as anti-DPI?
How can I create a certificate for blog.cloudflare.com, which is not pointed to my server?