Idea: implement an obfs plugin for Apache and/or nginx

[Mygod]

I have a server running an Apache front-end. It would be great if this cam be integrated into Apache and/or nginx.

[madeye]

Yes, it's possible. Actually we can reuse any of the following tunnels, fork them as a SIP003 plugin:

• https://github.com/erebe/wstunnel
• https://github.com/ginuerzh/gost

[madeye]

BTW, simple-obfs is unable to work with apache/nginx, which is just a header obfuscation tool.

[Mygod]

What I meant is something like this but as a plug in: https://github.com/shadowsocks/shadowsocks-dotcloud

So that the server looks like a normal website and can tunnel shadowsocks traffic at the same time.

[Mygod]

Hmm actually we can add a configuration to server options:

failover=(IP or hostname)[:(port)]

Default port is 80 or 443 correspondingly. If an invalid request is received, obfs-server just simply forward raw request to failover server. Now if I want to make my website work, I can make it listen on (for example) 8080 and let obfs-server listen on 80 and set failover=localhost:8080.

Maybe we can also add an "obfs-path" option to both local and server?

[madeye]

OK, so it works like HAProxy. I think it's doable and we can implement in obfs-server easily. It will forward any request not to obfs-host or invalid request to Apache/Nginx.

obfs-path may not work as SNI doesn't have information about the URL path.

[Mygod]

@madeye Then only for HTTP?

[madeye]

In addition, if we implement a websocket SIP003 plugin, we can run shadowsocks behind Apache/Nginx, even a CDN. Both of these two approaches would work.

[madeye]

@Mygod Not elegant, but acceptable. What about a pull request? 😄

[Mygod]

Let's take the forwarding approach since the web server can be written in a wide variety of languages...

[Mygod]

Actually that's just to prevent conflict (what if there's also a web socket server running at /)... I'm okay without it. 🙃

[madeye]

Please try ec9b0c1.

[Mygod]

Tested with HTTP. Works perfectly. Thanks!

[Mygod]

Wait. What about the obfs-host checking at server side?

[Mygod]

Hmm on second thought it's not really important... (but nice to have)

[Mygod]

Wait. I just realized I accidentally configured obfs-server use tls while it should use http for 80. I did another test, it seems: (port 80)

Server mode	Failover (via browser)	Tunnel working
HTTP	ERR_EMPTY_RESPONSE	No
TLS	Works	No
TLS with failover disabled	obfs-server: Segmentation fault	No

HTTP with failover disabled: Instant Segmentation fault.

[madeye]

Please try d3c9b8c.

[Mygod]

Failover is working now but the connection is only working when failover is disabled.

[Mygod]

Fully working now! Thanks.

[Mygod]

Just tried connecting behind CloudFlare. Doesn't work. (woulda been amazing if it had worked)

I connected to a wrong domain name, I get log output like:

remote_recv_cb_recv: Bad address
remote recv: Bad address

Then I realized that I need to use correct domain name, then there was no traffic.

[Mygod]

Also according to CloudFlare, WebSockets should work: https://support.cloudflare.com/hc/en-us/articles/200169466-Can-I-use-CloudFlare-with-WebSockets-

[madeye]

Unfortunately, it's expected. And that's why I suggest to implement other plugins in the first comment.

[Mygod]

Hmmm okay... I will try them some day when I feel like it.

[ghost]

@Mygod nginx在8443端口配置好ssl 并且obfs的failover=127.0.0.1:8443 结果https://ip:8443 能正常访问 https://ip不能正常访问。请问这正常吗？

[Mygod]

@madeye I haven't tested TLS mode thoroughly so this may be a bug.

[madeye]

@Mygod Yes, it's fixed via https://github.com/shadowsocks/simple-obfs/issues/47

[Mygod]

Okay! 😅

[zeptoTantalum]

I tried shadowsocks over WebSocket tunnel with CloudFlare Free CDN, using nginx as reverse proxy on a web server. It works, and largely improves download speed.

[aanwark]

@zeptoTantalum I am trying to run obs-server with failover to my nginx web server running on port 443. I am using the json config to configure my ss-libev-server (running on port 8530) with simple-obfs. My config looks like this:

{ "server":"xxx", "server_port":xxx, "local_port":1080, "password":"xxx", "timeout":600, "method":"chacha20-ietf-poly1305", "fast_open":true, "plugin":"obfs-server", "plugin_opts":"obfs=tls", "failover":"127.0.0.1:443" }

I would like to confirm if I am doing it right? Thanks