choury / sproxy

http proxy over ssl

Sproxy help to bypass firewall on port 53 #14

Closed ingnelson closed 4 years ago

ingnelson commented 4 years ago

Hello my friend.

I am behind an ISP firewall. I use sproxy on port 53 because it is the only port on which my ISP allows the CONNECT method. I used this command:

docker run -itd --name sproxy --ip 0.0.0.0 -p 53:80 choury/sproxy

The sproxy server (VPS) receives only the first line of the HTTP request. Here is the log:

root@TameValid-VM:~# docker logs sproxy
void reloadstrategy()[262]: read policy file sites.list failed!
Accepting connections ...
[DNS] set dns server: 208.67.222.222
[DNS] set dns server: 208.67.220.220
[::ffff:186.77.138.44]:23068 [10000] CONNECT youtubei.googleapis.com:443 [direct] 200 [Sproxy/0.202 (Android 9; Redmi Note 7 Build/1571686662)]
[::ffff:186.77.138.44]:1285 [10001] CONNECT youtubei.googleapis.com:443 [direct] 200 [Sproxy/0.202 (Android 9; Redmi Note 7 Build/1571686662)]
Checksocket[22]: virtual void RWer::defaultHE(RW_EVENT):sock error: Broken pipe
virtual void Host::Error(int, int)[220]: Host error <youtubei.googleapis.com:443> 10001 80/32
Checksocket[22]: virtual void RWer::defaultHE(RW_EVENT):sock error: Broken pipe
virtual void Host::Error(int, int)[220]: Host error <youtubei.googleapis.com:443> 10000 80/32
[::ffff:186.77.138.44]:54125 [10002] CONNECT youtubei.googleapis.com:443 [direct] 200 [Sproxy/0.202 (Android 9; Redmi Note 7 Build/1571686662)]
[::ffff:186.77.138.44]:16053 [10003] CONNECT redirector.googlevideo.com:443 [direct] 200 [Sproxy/0.202 (Android 9; Redmi Note 7 Build/1571686662)]
Checksocket[22]: virtual void RWer::defaultHE(RW_EVENT):sock error: Broken pipe
virtual void Host::Error(int, int)[220]: Host error <youtubei.googleapis.com:443> 10002 80/32
Checksocket[22]: virtual void RWer::defaultHE(RW_EVENT):sock error: Broken pipe
virtual void Host::Error(int, int)[220]: Host error <redirector.googlevideo.com:443> 10003 80/32
[::ffff:186.77.138.44]:63101 [10004] CONNECT data.mistat.intl.xiaomi.com:443 [direct] 200 [Sproxy/0.202 (Android 9; Redmi Note 7 Build/1571686662)]
[::ffff:186.77.138.44]:17235 [10005] CONNECT youtubei.googleapis.com:443 [direct] 200 [Sproxy/0.202 (Android 9; Redmi Note 7 Build/1571686662)]
Connect[205]: connecting [2607:f8b0:4007:80f::200a]:443 error: Cannot assign requested address
Connect[205]: connecting [2607:f8b0:4007:80f::200a]:443 error: Cannot assign requested address
void NetRWer::con_failed()[178]: connect to youtubei.googleapis.com error
[DNS] down for youtubei.googleapis.com: [2607:f8b0:4007:80f::200a]
void NetRWer::con_failed()[178]: connect to youtubei.googleapis.com error
[DNS] down for youtubei.googleapis.com: [2607:f8b0:4007:80f::200a]
[::ffff:186.77.138.44]:48313 [10006] CONNECT youtubei.googleapis.com:443 [direct] 200 [Sproxy/0.202 (Android 9; Redmi Note 7 Build/1571686662)]
[::ffff:186.77.138.44]:13053 [10007] CONNECT youtubei.googleapis.com:443 [direct] 200 [Sproxy/0.202 (Android 9; Redmi Note 7 Build/1571686662)]
Checksocket[22]: virtual void RWer::defaultHE(RW_EVENT):sock error: Connection timed out
virtual void Host::Error(int, int)[220]: Host error <data.mistat.intl.xiaomi.com:443> 10004 80/110
Checksocket[22]: virtual void RWer::defaultHE(RW_EVENT):sock error: Broken pipe
virtual void Host::Error(int, int)[220]: Host error <youtubei.googleapis.com:443> 10005 80/32
Checksocket[22]: virtual void RWer::defaultHE(RW_EVENT):sock error: Broken pipe
virtual void Host::Error(int, int)[220]: Host error <youtubei.googleapis.com:443> 10006 80/32
Checksocket[22]: virtual void RWer::defaultHE(RW_EVENT):sock error: Broken pipe
virtual void Host::Error(int, int)[220]: Host error <youtubei.googleapis.com:443> 10007 80/32

Android log:

[Screenshot of the sproxy Android app]

But on my Android, no websites open when I use my mobile network; if I use my WiFi, it works fine.

Do you have an idea how to bypass this restriction? Maybe using an SSH server on my VPS (CONNECT 172.245.22.211:443 HTTP/1.1) or something else instead of CONNECT youtubei.googleapis.com:443 HTTP/1.1, to create a better tunnel?

Or modifying something in the app? You are the master. Please help me with this, because it is the first time in a long while that I have seen a request reach the server using a proxy on my mobile network.

I will wait for your answer.

choury commented 4 years ago

Why not use an https proxy? The plain http proxy is designed for use on an intranet, not the Internet. Read the usage of sproxy, then set --cafile, --cert, --key, and finally change the port to 443.

ingnelson commented 4 years ago

@choury I am a newbie.

Should the command be like this?

docker run -itd --name sproxy --cafile --cert --key --ip 0.0.0.0 -p 443:80 choury/sproxy

or like this:

docker run -itd --name sproxy --cafile --cert --key --ip 0.0.0.0 -p 443:443 choury/sproxy

Does that command automatically create the cafile, cert and key? Or do I have to create those files before running the command and add their paths to it?

choury commented 4 years ago

  1. You should create a certificate for your server; openssl will help you if you want a self-signed cert.
  2. Put the cert and key file in a directory, like /root/certs.
  3. Run sproxy like this:

    docker run -itd -v /root/certs:/some/path -p 443:443 choury/sproxy sproxy --cafile /some/path/cert.pem --cert /some/path/cert.pem --key /some/path/key.pem

ingnelson commented 4 years ago

@choury I tried HTTPS with port 443 but it doesn't work, because the HTTP request that Sproxy sends begins with the CONNECT method.

Sproxy with HTTPS on port 443 only works when I am using WiFi, but if I use my mobile network sproxy cannot pass the firewall.

Could you create an HTTP or HTTPS tunnel using the GET method?

choury commented 4 years ago

Please provide the connection config of the Android app, and logs of both the app and the server.

ingnelson commented 4 years ago

@choury with my mobile network the connection is blocked by the ISP provider, because as I told you my ISP provider blocks all HTTP requests that use the CONNECT method. As you know, the sproxy app sends the CONNECT method.

[Two images: a photo and a screenshot of the sproxy Android app]

But if I use WiFi, sproxy works well.

[Two images: a screenshot of the sproxy Android app and a photo]

Can you create an HTTP tunnel that works only with the GET method?

choury commented 4 years ago

> @choury with my mobile network the connection is blocked by the ISP provider, because as I told you my ISP provider blocks all HTTP requests that use the CONNECT method. As you know, the sproxy app sends the CONNECT method.

The data sent over https is encrypted by ssl; your ISP provider CANNOT even know which method is used, so how does it block it?

> But if I use WiFi, sproxy works well.

If it works only with WiFi, there may be two reasons:

  1. Your ISP provider blocks all https traffic, which I think is rarely possible.
  2. Your ISP provider blocks the IP address of your server; you can check it with telnet or nc or something.

> Can you create an HTTP tunnel that works only with the GET method?

I will not create a non-standard protocol for this case. If you do want it, please PAY ME to implement this feature.
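The check suggested in the comment above (is the server's address unreachable, or does only the TLS layer fail?) can be made stage by stage. This is an added example, not code from the thread or from sproxy; the function name `probe` and its result strings are assumptions.

```python
import socket
import ssl

def probe(host, port=443, cafile=None, timeout=5.0):
    """Report how far a connection to an HTTPS proxy gets: TCP first, then TLS."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # No TCP session at all: address or port filtered, or server down.
        return f"tcp-failed: {exc.__class__.__name__}"
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        # Self-signed server and no CA file given: this only tests whether a
        # handshake completes. It makes no trust decision; never reuse this
        # context to carry real traffic.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            # TCP and TLS both pass: the network path is fine, so look at
            # the client and server configuration instead.
            return f"tls-ok: {tls.version()}"
    except OSError as exc:
        # TCP connects but the handshake is reset, cut off or times out:
        # something on the path (or the server) interferes with TLS itself.
        return f"tls-failed: {exc.__class__.__name__}"
    finally:
        sock.close()

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it once from each network being compared; a result that differs only on one network shows at which layer that network interferes.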

ingnelson commented 4 years ago

@choury I would like to pay you if you implement a feature that can bypass my ISP provider.

I will explain to you how I know my ISP blocks the sproxy connection:

First, the sproxy app always sends http or https requests using the CONNECT method, like this:

HTTP request using SPROXY:

CONNECT sdkconfig.ad.intl.xiaomi.com:443 HTTP/1.1\r\n
Host: sdkconfig.ad.intl.xiaomi.com:443\r\n
Sproxy-Vpn: 48089\r\n
Strategy: proxy\r\n
User-Agent: Sproxy/0.202 (Android 9; Redmi Note 7 Build/1571686662)\r\n\r\n

HTTPS or TLS v1.3 using the SPROXY app: my provider blocks it.

To answer your question of how I know my provider blocks these connection types: it is because I have spent months testing with the netcat command or curl and more options, also using other apps or programs like Trojan (TLS tunnel).

I used these commands to test the connections or restrictions:

(echo -en 'GET #abc# HTTP/1.1\r\n ٌُُُُُُّّّّْْْْْْْْْْْْْْْْْْ\r\n\r\n' ; cat ) | nc 172.245.22.211 80

echo -n $'GET #123# HTTP/1.1\r\n\x20\xd9\x8c\xd9\x8f\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x91\xd9\x91\xd9\x91\xd9\x91\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x8f\xd9\x8f\xd9\x8f\xd9\x92\xd9\x8f\xd9\x8f\r\n\r\n' | nc --no-shutdown 172.245.22.211 80 > rndtest

So I know for sure my ISP provider blocks the CONNECT method and TLS tunnels too.

My ISP provider only allows GET, HEAD, DELETE, POST.

Some guy created a tunnel using only GET for downstream and GET for upstream + shadowsocks to obfuscate the data or create the tunnel. He only let me test it one time, but I captured the packets using TCPDUMP.

My ISP provider restrictions are:

  1. My ISP provider only lets pass or allows GET method requests without HTTP headers (example: Host, Connect etc.), so only the first line.
  2. My ISP provider blocks the connection if the server sends more than 10,000 bytes on one request, so the connection should be multiple connections and multiple requests. Maybe configure the server so that if it sends more than 9000 bytes it closes the connection and the client sends another HTTP request to create a new connection? Or will it require a tricky job of polling those 10K segments and reassembling them?

The first line should end with \r\n ٌُُُُُُّّّّْْْْْْْْْْْْْْْْْْ\r\n\r\n

As you can see, this HTTP request does not finish with \r\n\r\n; it finishes with \r\n ٌُُُُُُّّّّْْْْْْْْْْْْْْْْْْ\r\n\r\n. This has NON-ASCII characters after the first \r\n + space; these NON-ASCII characters are the trick to bypass the firewall.

The HTTP request should be like this:

GET #0=fown&method=1&down=15000# HTTP/1.1\r\n ٌُُُُُُّّّّْْْْْْْْْْْْْْْْْْ\r\n\r\n

or

GET #123# HTTP/1.1\r\n\x20\xd9\x8c\xd9\x8f\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x91\xd9\x91\xd9\x91\xd9\x91\xd9\x92\xd9\x92\xd9\x92\xd9\x92\xd9\x8f\xd9\x8f\xd9\x8f\xd9\x92\xd9\x8f\xd9\x8f\r\n\r\n

The connection is like this:

HTTP request on port 80 using the NON-ASCII characters > Shadowsocks on port 443 > internet > HTTP server listening on port 80 > shadowsocks server listening on port 443

In Wireshark the connection looks like this:

[Screenshots: 1 HTTP request; 2 non-ASCII characters; 3 HTTP response; 4 full request and response]

You can see the packet via WIRESHARK: quantumnica1.zip

Those screenshots are from an Android app that creates the tunnel like I told you; I just figured out how it works and I want to create the same connection.

Can you create a connection like that using the GET method? Or can you modify this HTTPIERCE shadowsocks plugin to use only the GET method for downstream and the GET method for upstream? https://github.com/Snawoot/httpierce/

As I told you, I would like to pay you for the project. Do you have Telegram to chat faster? My Telegram: https://t.me/Trader_Nelson
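The request shape described in the comment above relies on a filter reading the head loosely: it carries a '#' in the request-target and a whitespace-led line of non-ASCII bytes before the blank line. RFC 7230 section 3 tells a recipient to reject a message with whitespace between the start-line and the first header field, or to ignore that line; the strict check below flags it. This is an added example, not code from the thread or from sproxy; `check_request_head`, the simplified target pattern and the shortened sample are assumptions.

```python
import re

# RFC 7230 "token": allowed bytes for the method and for header field names.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Simplified request-target: visible ASCII without '#' (fragments are never sent).
TARGET = re.compile(rb"[\x21\x22\x24-\x7e]+")
VERSION = re.compile(rb"HTTP/1\.[01]")

def check_request_head(raw: bytes) -> list:
    """Return strict-parsing violations found in one HTTP/1.x request head."""
    findings = []
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        findings.append("head is not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        findings.append("request line is not 'method SP target SP version'")
    else:
        method, target, version = parts
        if not TOKEN.fullmatch(method):
            findings.append("method is not a token")
        if not TARGET.fullmatch(target):
            findings.append("request-target has '#', control or non-ASCII bytes")
        if not VERSION.fullmatch(version):
            findings.append("unsupported HTTP version")
    for number, line in enumerate(lines[1:], start=2):
        if line[:1] in (b" ", b"\t"):
            # Whitespace-led line: a fold with no header field to continue.
            findings.append(f"line {number}: starts with whitespace")
        elif b":" not in line or not TOKEN.fullmatch(line.partition(b":")[0]):
            findings.append(f"line {number}: not a 'name: value' field")
        if any(b > 0x7E or (b < 0x20 and b != 0x09) for b in line):
            findings.append(f"line {number}: non-ASCII or control bytes")
    return findings

# The sproxy CONNECT request quoted in the comment above.
SPROXY_CONNECT = (
    b"CONNECT sdkconfig.ad.intl.xiaomi.com:443 HTTP/1.1\r\n"
    b"Host: sdkconfig.ad.intl.xiaomi.com:443\r\n"
    b"Sproxy-Vpn: 48089\r\n"
    b"Strategy: proxy\r\n"
    b"User-Agent: Sproxy/0.202 (Android 9; Redmi Note 7 Build/1571686662)\r\n\r\n"
)
# Constructed sample: same shape as the GET request above, byte run shortened.
FOLDED_GET = b"GET #123# HTTP/1.1\r\n \xd9\x8c\xd9\x8f\xd9\x92\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("CONNECT", SPROXY_CONNECT), ("GET", FOLDED_GET)):
        print(name, check_request_head(raw) or "ok")
```

The well-formed CONNECT head yields no findings, while the folded GET yields three; a filter or server that applies the same rules before acting on the request line treats both consistently.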

choury commented 4 years ago

Use telegram to contact you.