uklans / cache-domains

Domain Names required for LAN Content Cache DNS spoofing
MIT License
566 stars 526 forks source link

[Tracking] Caching Origin not possible due to SSL #98

Open mintopia opened 5 years ago

mintopia commented 5 years ago

As of 2019-07-01, Origin has switched to HTTPS for downloads.

They have been approached by Twitter and EA Support Forum.

unspec commented 5 years ago

What fix have you seen? We are still seeing origin downloads going over https (and thus uncacheable).

Lepidopterist commented 5 years ago

You're running Origin Version 10.5.40.26928, which predates the switch to SSL

I'm currently running Origin version 10.5.41.27263, which is definitely only downloading via SSL

Mojo-LB commented 5 years ago

You're running Origin Version 10.5.40.26928, which predates the switch to SSL

I'm currently running Origin version 10.5.41.27263, which is definitely only downloading via SSL

Same here, also sticking to old version will not work as it will require update before login, and will fail if SSL is blocked, already tried that by stopping SNI and pointing ssl-lvlt.cd.ea.com to 127.0.0.1

Edit: Older versions will only work directly after client is installed, will force an update after being stopped and reopened

manafoo commented 5 years ago

any updates on this guys ? i hope they go back to http , i've also contacted EA help on twitter https://imge.to/i/TtjSH < photo

Neomancer86 commented 5 years ago

we are still trying to get some sort of communication with EA to see how this can be progressed...

anadius commented 5 years ago

I've tried messing with R&D mode. Tried changing CdnOverride to lvlt.cdn.ea.com, lvlt, http and it fails every time with this in log file:

OriginServiceResponse QNetworkReply error code [206] error string : [Error transferring XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX?productId=<snip>&userId=<snip>&cdnOverride=lvlt.cdn.ea.com&https=true - server replied: Conflict] HTTP status code [409] X-Origin-Ops [] XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Failed with REST error code 15006 error string: Cause: NO_DOWNLOAD_CDN_VENDER

So I tried adding https=false to the config file but it didn't help either. Maybe someone else can figure it out.

manafoo commented 5 years ago

I've tried messing with R&D mode. Tried changing CdnOverride to lvlt.cdn.ea.com, lvlt, http and it fails every time with this in log file:

OriginServiceResponse QNetworkReply error code [206] error string : [Error transferring XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX?productId=<snip>&userId=<snip>&cdnOverride=lvlt.cdn.ea.com&https=true - server replied: Conflict] HTTP status code [409] X-Origin-Ops [] XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Failed with REST error code 15006 error string: Cause: NO_DOWNLOAD_CDN_VENDER

So I tried adding https=false to the config file but it didn't help either. Maybe someone else can figure it out.

they have removed origin from the DNS service "in uklans domains" so make sure to add it yourself if you can do that , or request them to readd it

unspec commented 5 years ago

You are obviously free to fork this repo and add origin back in for testing. I don't think we would re-add it to the main repo whilst it remains totally uncacheable - as that is just confusing for most users.

It depends how you are using this repo, but if its in conjunction with lancache then they do have a feature to point to a different domain repo for testing: https://github.com/lancachenet/lancache-dns#custom-forksbranches

manafoo commented 5 years ago

i was just contacted by EA HELP on twitter and he asked me for additional info that he can provide to his manager , so can any one of knowledge give me a technical paragraph of what should be said ?

VibroAxe commented 5 years ago

@manafoo we've been trying to reach out to eahelp. if you could reference https://twitter.com/MintopiaUK/status/1145709393205506049 and https://uklans.net/openletter/ and get them to reach out to team@lancache.net

manafoo commented 5 years ago

@manafoo we've been trying to reach out to eahelp. if you could reference https://twitter.com/MintopiaUK/status/1145709393205506049 and https://uklans.net/openletter/ and get them to reach out to team@lancache.net

Done. https://imge.to/i/F8L3O << image

VibroAxe commented 5 years ago

@manafoo if you could also reply to the original twerk explaining this is affecting your event as well that would be great

manafoo commented 5 years ago

i'd like to say in regard to contacting ea help , please explain to them what caching does , tell them it allows faster downloads to clients because the update would be stored locally instead getting it from the servers every time , " just remember the twitter handler is probably clueless to those technical terms and they will be just a messenger to their colleagues and IT department so it's crucial to make them understand that there is an issue also maybe adding whats in it for them is nice too and that is , lower load on their download servers!

manafoo commented 5 years ago

@manafoo if you could also reply to the original twerk explaining this is affecting your event as well that would be great

Done :)

Neomancer86 commented 5 years ago

FYI @manafoo there is an official case open at EA, -zac is very helpful and understands about the problem!

I'll update here if i hear anything.

manafoo commented 5 years ago

FYI @manafoo there is an official case open at EA, -zac is very helpful and understands about the problem!

I'll update here if i hear anything.

thats great!! i got a response from zac on twitter here ,link to check it out : https://imge.to/i/L71ej << photo

nexusofdoom commented 5 years ago

Please let EA know on this thread. https://answers.ea.com/t5/Origin-Client-Web-Technical/Origin-using-HTTPS-for-Downloads/m-p/8066099?fbclid=IwAR0dXtOULFGICuah5e1_0fRkt4vbod-FueLxXmOxSrXlkHqrTzLnF7yLj00

peerau commented 5 years ago

https://answers.ea.com/t5/Origin-Client-Web-Technical/Origin-using-HTTPS-for-Downloads/m-p/8325987/highlight/true#M52239

!!!!

VibroAxe commented 5 years ago

@peerau yeah, we're working closely with the guys at ea to get a poc going. So far they've actually been really helpful!

RobertJamesMichael commented 4 years ago

Hi everyone, any update on this?

unspec commented 4 years ago

Nothing specifc to confirm at this time, but we know that Origin are still working on something and hope to have an update fairly soon in the new year from them.

MathewBurnett commented 4 years ago

Beta Version 10.5.63.37653 - 758549 of the client now has a feature to fall back to HTTP if a cache is present. We will have a chat about when to update the main line.

see https://github.com/uklans/cache-domains/pull/126

therealseeku commented 4 years ago

I just installed a a fresh lancache and testing with Originin Client Version 10.5.63.37653 - 758549. When starting the Game Download the Client Displays a question: Would you like to disable Secure downloads. Yes, not Yet. When i choose yes, downloads are hitting the cache.

I am not sure, but i think at the moment the installed Origin Client realized the Hosts is redirected to a local IP it was asking me to Update the Client. after that i got the Question. I was using the Origin Client without a Cache before and got the Update Message at the time i activated the DNS redirect.

I have a custom DNS Setup (Note the Docker Image) witch redirects these Hosts to the Cache: origin-a.akamaihd.net akamai.cdn.ea.com lvlt.cdn.ea.com river.data.ea.com origin-a.akamaihd.net.edgesuite.net

I will do some more testing with different games and Client OS.

Thanks for your Work

VibroAxe commented 4 years ago

@therealseeku we're not going fully public this as apparently there are still a few issues with the beta implementation and wording (somewhat confusing). Hopefully EA will roll a new update soon and then we can share the love into mainline :D !

Good to know more of it is working, we're also trying to get an up to date cdn list from EA as well to confirm

Lepidopterist commented 4 years ago

Released to mainline Origin client. Domains have been reinstated into master.

I'll keep this open for tracking, as the Origin client does have some "behaviour" around how it works. Probably worth a support document to explain?

manafoo commented 4 years ago

NOT WORKING ,deleted old containers docker rm mono dns sni pulled the latest for all .created new containers. when origin clients are downloading, on the client side when i open resource monitor on windows , network activity shows that origin is receiving from the docker ips "dns" however it does not cache , nor does origin asks me to disable safe downloading , tried multiple times , multiple machines same results, it doesn't even show on the access.log neither error.log , also origin client is updated to the latest version , and tried the beta aswel to no avail

unspec commented 4 years ago

What do you get if you do nslookup origin-a.akamaihd.net on one of your client machines?

MathewBurnett commented 4 years ago

its also worth making sure your origin client is off, that you have your containers started and that you have flushed your dns locally ipconfig /flushdns. Then start origin and ask it to download a game. If the two trigger domains are correctly configured it "should" over you a popup disclaimer.

manafoo commented 4 years ago

What do you get if you do nslookup origin-a.akamaihd.net on one of your client machines?

I get the caching machine ips. All other caching platforms works. Steam blizzard epic. Etc

manafoo commented 4 years ago

its also worth making sure your origin client is off, that you have your containers started and that you have flushed your dns locally ipconfig /flushdns. Then start origin and ask it to download a game. If the two trigger domains are correctly configured it "should" over you a popup disclaimer.

Dns flushed origin off. Restarts. Does not prompt me to disable safe downloads

manafoo commented 4 years ago

Origin client 10.5.64.37936-758832

MathewBurnett commented 4 years ago

is your dns container upto date? what does docker logs <insert dns container id> show?

manafoo commented 4 years ago

is your dns container upto date? what does docker logs <insert dns container id> show?

I believe im updated and origin is service is enabled i see it in there. Dockdr log Dns

ewancolyer commented 4 years ago

What is the output when you actually run docker logs <insert dns container id>?

Lepidopterist commented 4 years ago

You need to assign RFC1918 addresses to your cache, and not public IP addresses.

Some CDN providers (Steam, Origin, Riot) require a "trigger domain" to be set that resolves to one of these addresses before they will consider using the cache, otherwise they will use https and you will not be able to cache the traffic.

rotanid commented 4 years ago

You need to assign RFC1918 addresses to your cache, and not public IP addresses.

why do they need to be RFC1918 ? we also don't use RFC1918 on our event to avoid NAT.

mintopia commented 4 years ago

It works that way because that's what the content providers have decided as an easy way to change the behaviour of their clients for most cases. Other events that operate on an entirely public IP range have their lancache on a RFC1918 range that is routable from within their event.

manafoo commented 4 years ago

You need to assign RFC1918 addresses to your cache, and not public IP addresses.

Some CDN providers (Steam, Origin, Riot) require a "trigger domain" to be set that resolves to one of these addresses before they will consider using the cache, otherwise they will use https and you will not be able to cache the traffic.

That's helpful but can't we workaround that? since the isp is lazy and doesn't program local ips in their cisco router which i cannot access. Any help would be appreciated. Thanks

MathewBurnett commented 4 years ago

The behavior is programmed into the game launchers. I'm afraid its outside of the scope we can control. Where we have used the lancache solution at the thousands of people end of the LAN we have used a locally routed RFC1918 subnet for the cache.

unspec commented 4 years ago

Many of the game launchers require the RFC1918 before they will enable their built in TLS downgrade / HTTP fallback modes, so its not something that can be worked around. If the hostnames resolve to anything else they will remain TLS/HTTPS and thus can't be cached as expected.

I'd expect its a failsafe measure to ensure that they are only downgrading when they are 100% sure they are talking to a local cache and not sending unencrypted traffic over the internet to a public ip that could be anywhere, but we don't really know.

The best approach to handle that depends heavily on your network setup.

We've had success with giving the cache two interfaces - one with a public IP on the WAN side for internet access / downloading games from the web and a second with an RFC1918 which is client facing on the LAN and the IP we override the hostnames in DNS to.

Alternatively you could look at using NAT and putting the cache on single interface with an RFC1918 that sits behind a firewall/router that holds the public IP.

manafoo commented 4 years ago

I can confirm switching to local ip solved the issue. I only added a virtual connection then added a - e origincacheip and pointed to the local one and whatever is ok with public ip takes the rest.

manafoo commented 4 years ago

virtual connection wasn't a good idea because it doesn't stay after a reboot ,simply adding the ips to the network interface was the right way to do it, ofcorse you will need a local ip pool available , thank goodness the isp cooperated and made one, even though it was lazy work they all routed to a single public ip but it did the job.

manafoo commented 4 years ago

You need to assign RFC1918 addresses to your cache, and not public IP addresses.

why do they need to be RFC1918 ? we also don't use RFC1918 on our event to avoid NAT.

i'd advice you to do it in local or mix the 2 , in both cases ,take care of the firewall rules , you will need to add some protection from external ips or else you might lose bandwidth,lags , bufferbloat, SEVERELY slow your caching machine to near non-operational state

Helios747 commented 4 years ago

I'm also having this issue.

on the client

nslookup origin-a.akamaihd.net
Server:  UnKnown
Address:  192.168.0.2

Non-authoritative answer:
Name:    origin.cache.lancache.net
Address:  192.168.0.2
Aliases:  origin-a.akamaihd.net

I go to download a game in Origin, never prompted to disable safe downloading, no disk write activity in the cache and sniproxy is very busy passing through everything without touching.

MathewBurnett commented 4 years ago

if your client isn't showing you the warning box you can try turning the client off and on again. If the application doesn't pick up the prompt it will continue to use https

nexusofdoom commented 4 years ago

In the Origin app settings you have this it's on by default if you turn it off it should use your cache for pulling updates. note if you close the client and open it back up it turn back https downloads. if you want to use http it looks like you have to go there each time.

[image: image.png]

On Mon, Aug 3, 2020 at 1:56 AM Proto notifications@github.com wrote:

if your client isn't showing you the warning box you can try turning the client off and on again. If the application doesn't pick up the prompt it will continue to use https

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/uklans/cache-domains/issues/98#issuecomment-667841204, or unsubscribe https://github.com/notifications/unsubscribe-auth/AD6BDALG6ZLVC4K7JREKMJDR6ZNR5ANCNFSM4H4UBBRQ .

Helios747 commented 4 years ago

Strange, I got it to work, but all of the following did NOT work. Rebooting the client, rebooting the server, tried opting into origin technical releases, tried opting out.

Reinstalling Origin worked though, I'm prompted on first game download.

Weird.