GFW-knocker/gfw_resist_http_proxy

DON'T USE THIS

THIS METHOD HAS BEEN BLOCKED IN IRAN SINCE APRIL 2023

GFW HAS BLOCKED ALL HTTP REQUESTS TO OUTSIDE OF IRAN SINCE APRIL 2023

gfw_resist_http_proxy

knock up gfw active-probe by redirecting it to nginx

  • IDEA: hide xray behind nginx
  • we built a custom HTTP proxy to manually route traffic to the nginx or xray backend
  • we log IP + time + request header for every connection, so we can clearly observe active-probe IPs
  • it prolongs the time before the server is blocked, but more investigation is needed (we guess some blocking comes from purely passive traffic analysis)
  • we built our own proxy because the nginx reverse proxy is not compatible with xray packets: it drops the payload of the HTTP header (the xray HTTP header is not standard)

protect VPN server against GFW DDOS and port scanning:

how pyprox works:

  • every HTTP request is examined: if it is xray-valid it is redirected to xray (n3), otherwise it is redirected to nginx (n2)
  • so the GFW prober always sees nginx and cannot talk to xray directly
  • if everything else is OK (dynamic-page website, served on port 80, other ports closed, ...) the prober classifies you as a legitimate web server

Note:

  • you can use any port you want (in pyprox -> my_PORT = 1234, in terminal -> ufw allow 1234/tcp)
  • you can use any domain you want (Host : blablabla.ir)
  • you can use any path; just ensure that it starts and ends with a slash (set the path both in pyprox and in the xui-panel)

the system consists of these modules:

1- a custom HTTP proxy that identifies xray/v2ray requests (port n1=80)
2- nginx and a backend web server that mimic a real website (local port n2)
3- xray/v2ray serving the tcp+http protocol on a local port (local port n3)
4- ufw blocking all ports except port 80, which is open to everyone

Suggestion:

  • it is not guaranteed to prevent blocking, but it prolongs the time before it happens (we are still working on it!)
  • some blocking is done by passive analysis, so limit your traffic to below 10MB/s or even lower
  • pyprox is a platform to hide xray behind
  • it is customizable: you can use it for any path or for protocols other than HTTP
  • you just need to watch the network packets in Wireshark and design your own routing decision
  • you can analyse the IP log and block GFW prober IPs in the Linux firewall

help

typical config:

vmess://ew0KICAidiI6ICIyIiwNCiAgInBzIjogInB5cHJveCIsDQogICJhZGQiOiAiMjE2LjIzOS4zOC4xMjAiLA0KICAicG9ydCI6ICI4MCIsDQogICJpZCI6ICIzNDM4NTJjYy1hZDRjLTRiYzMtOTY3Zi1hNDY1YTc3NzYyMzUiLA0KICAiYWlkIjogIjAiLA0KICAic2N5IjogImF1dG8iLA0KICAibmV0IjogInRjcCIsDQogICJ0eXBlIjogImh0dHAiLA0KICAiaG9zdCI6ICJmdHAubW96aWxsYS5vcmciLA0KICAicGF0aCI6ICIvcHViL2ZpcmVmb3gvcmVsZWFzZXMvbGF0ZXN0L3dpbjY0L2VuLVVTL0ZpcmVmb3gtU2V0dXAuZXhlLyIsDQogICJ0bHMiOiAiIiwNCiAgInNuaSI6ICIiLA0KICAiYWxwbiI6ICJodHRwLzEuMSINCn0=

you can set any URL path you want, but don't forget to also set the path in pyprox and nginx

  • path :
    /pub/firefox/releases/latest/win64/en-US/Firefox-Setup.exe/

  • Request header :
    Host : ftp.mozilla.org
    Location : /pub/firefox/releases/latest/win64/en-US/Firefox-Setup.exe/
    Referer : http://ftp.mozilla.org/pub/firefox/releases/latest/win64/en-US/
    Accept-Language : en-US,en;q=0.9
    Content-Type : application/octet-stream

  • Response header :
    Content-Type : application/octet-stream
    Server : nginx
    Via : 1.1 google, 1.1 google
    Cache-Control : max-age=0

IP Log Analyzer:

  • just run the script to analyze all IP log files in the IP_Log folder and summarize them into a small Excel sheet
  • it lists all unique IPs connecting to your server, with the number of requests to xray/nginx, first-seen time, last-seen time, and percent of malicious probes
  • the output IP list is sorted by percent of malicious probes; we assume that the top entries are GFW probers
  • if some of us publish prober lists and aggregate the data with each other, we can identify prober IPs with 100% confidence
  • then we are able to block these IPs in the firewall (sudo ufw deny from $IP to any)
  • obtain IP info from https://www.showmyip.com/ip-whois-lookup/
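
The per-IP summary described above can be sketched as follows. This is an added example, not the repository's analyzer script: the log line format ("<ISO time> <ip> <backend>"), the function name summarize and the sample lines are assumptions made for illustration.

```python
# Added example (not the repository's analyzer). The log line format is an
# assumption: "<ISO time> <ip> <backend>", where backend is "xray" or "nginx".
from collections import defaultdict
from datetime import datetime

# Constructed sample lines using documentation-range addresses (RFC 5737).
SAMPLE_LOG = """\
2023-03-01T10:00:00 198.51.100.7 xray
2023-03-01T10:00:05 203.0.113.9 nginx
2023-03-01T10:02:11 203.0.113.9 nginx
2023-03-01T10:03:40 198.51.100.7 xray
2023-03-01T10:04:02 198.51.100.7 nginx
2023-03-01T11:15:30 203.0.113.9 nginx
this line is malformed and is skipped
2023-03-01T11:20:00 192.0.2.44 xray
"""

def summarize(log_text):
    """Return per-IP rows sorted by the share of requests that were routed to nginx."""
    stats = defaultdict(lambda: {"xray": 0, "nginx": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("xray", "nginx"):
            continue  # skip malformed lines
        try:
            seen = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        row = stats[parts[1]]
        row[parts[2]] += 1
        row["first"] = seen if row["first"] is None else min(row["first"], seen)
        row["last"] = seen if row["last"] is None else max(row["last"], seen)
    rows = []
    for ip, row in stats.items():
        total = row["xray"] + row["nginx"]
        rows.append({"ip": ip, "xray": row["xray"], "nginx": row["nginx"],
                     "first_seen": row["first"], "last_seen": row["last"],
                     "probe_pct": round(100.0 * row["nginx"] / total, 1)})
    # Highest nginx (non-xray) share first; ties broken by request volume.
    rows.sort(key=lambda r: (-r["probe_pct"], -(r["xray"] + r["nginx"])))
    return rows

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(f'{r["ip"]:15} xray={r["xray"]} nginx={r["nginx"]} '
              f'probe={r["probe_pct"]}% first={r["first_seen"]} last={r["last_seen"]}')
```

An ordinary visitor or an internet-wide scanner that only ever reaches the decoy site also scores 100%, so treat the ranking as a candidate list and check the whois data before adding firewall rules.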

run the python script:

  • set the permission
    add [#!/usr/bin/env python3] to the first line of pyprox.py
    chmod +x pyprox.py
  • to run in the foreground:
    python pyprox.py
  • to run in the background:
    nohup python pyprox.py &
  • to stop the script:
    pkill -f pyprox.py

useful paths

/etc/nginx/sites-available/
/var/www/html/
/var/log/nginx/access.log
/etc/x-ui/x-ui.db
/usr/local/x-ui/access.log
/etc/ufw/
/var/log/ufw.log
