Last updated: 2024-02-11, edited by 888u
This article introduces two ways to forward Cloudflare CDN traffic; both can also be used for other reverse proxying.
Before the tutorial: why reverse proxy Cloudflare? Answer: to shorten the route and speed up access to Cloudflare nodes for mainland users. Anyone who has used Cloudflare knows that this CDN is very fast everywhere except mainland China. This article is therefore the second method for solving slow access to Cloudflare.
Introduction
There was a problem with the previous SNIproxy method. The Cloudflare node behind the SNI proxy supports TLS 1.3, but with SNIproxy, even if the browser itself does not support TLS 1.3 (domestic browsers), the 1.3 protocol is still passed through to the user's browser, so the browser sometimes reports that the protocol is not supported and cannot access the site.
Why not use Nginx or Apache as the reverse proxy? There are many reasons. Try it for yourself and you will understand within two days. You don't want to recall such painful things.
During this period, I learned that GOST, a program developed in the Go language, can proxy websites by forwarding traffic, so I tried it to replace Cloudflare and succeeded.
This setup applies to the following situations:
① You don't want to expose the origin site (if search engines resolve the origin site directly, anyone can look up DNS to obtain the origin IP), but search engines in mainland China are slow to crawl cf nodes, so a server is needed as a reverse proxy for spiders to crawl. To keep real visits consistent with what spiders crawl, that server needs to proxy the Cloudflare node.
② You use a self-built reverse proxy to speed up access while the site is not under attack. Failover is set up at the DNS resolution provider: when the reverse proxy fails, resolution quickly switches to the official cf node, so speed and defense coexist at the lowest cost (mainland China providers DNSPod and XNSdns).
③ You access Cloudflare through CNAME rather than NS. CNAME access requires a platform with Cloudflare partner permissions, such as "Benniu.com", which can be found on Baidu.
④ You have a server with fast access to both mainland China and Cloudflare. Please do not use mainland China servers or Alibaba Hong Kong Light servers. Others, such as CN2 lines, are very good.
1. Gost forwarding
Start installing the Gost program:
CentOS installation: use the precompiled binary directly
Binary file download address: https://github.com/ginuerzh/gost/releases
wget https://github.com/ginuerzh/gost/releases/download/v2.7.2/gost_2.7.2_linux_amd64.tar.gz
tar -zxvf gost_2*.tar.gz
cd gost_2*/ #The trailing slash matches only the extracted directory, not the archive
Then you can use ./gost directly. The specific commands are given below. Just replace the snap run gost below with ./gost. The commands are otherwise the same.
Ubuntu is very comfortable: gost can be installed directly with snap
sudo snap install gost
A program installed by snap needs to be started with snap, and gost needs to be kept running in the background through screen
screen -S 80 #Create a screen window called 80
snap run gost -L=tcp://:80/1.0.0.5:80 #Forward local port 80 requests to port 80 of 1.0.0.5
Then press Ctrl+A+D in the shell to leave the screen window. It keeps running in the background by itself. To return to the window called "80", enter screen -r 80 and press Enter
screen -S 443 #Create a screen window called 443
snap run gost -L=tcp://:443/1.0.0.5:443 #Forward local port 443 requests to port 443 of 1.0.0.5
Then press Ctrl+A+D in the shell to leave the screen window. It keeps running in the background by itself. To return to the window called "443", enter screen -r 443 and press Enter
1.0.0.5 is an official Cloudflare node. You can choose other ones, but they are all the same
Then don't forget to use iptables to open ports 80 and 443
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
2. Iptables forwarding
Iptables forwarding method:
Step one: enable the system's forwarding function. First, confirm whether forwarding is already turned on by entering:
sysctl net.ipv4.ip_forward
If forwarding is already enabled, it displays:
net.ipv4.ip_forward = 1
If it is not enabled, it displays the following (follow the steps below to turn it on):
net.ipv4.ip_forward = 0
CentOS 6/Debian/Ubuntu method:
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
CentOS 7 method:
echo "net.ipv4.ip_forward = 1" >> /usr/lib/sysctl.d/default.conf
sysctl --system #A bare sysctl -p only reads /etc/sysctl.conf; --system also loads /usr/lib/sysctl.d/*.conf
Set forwarding rules:
#Replace YOUR_SERVER_IP with your own server's IP
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 1.0.0.2
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 1.0.0.2
iptables -t nat -A POSTROUTING -p tcp -d 1.0.0.2 --dport 80 -j SNAT --to-source YOUR_SERVER_IP
iptables -t nat -A POSTROUTING -p tcp -d 1.0.0.2 --dport 443 -j SNAT --to-source YOUR_SERVER_IP
Note that some VPS providers, such as AWS, give the machine a public IP but cannot forward with it directly; forwarding with the public IP has no effect. You need to enter ifconfig -a and use the local intranet IP of the eth0 network card instead. The same is true for other cheap NAT machines without a public IP (I believe you will not use a junk NAT VPS)
Ubuntu: save and reload iptables:
iptables-save > /etc/iptables.up.rules
iptables-restore < /etc/iptables.up.rules
CentOS: save and restart iptables:
service iptables save
service iptables restart
View the NAT rules currently in use:
iptables -t nat -nL
If you no longer want to use it, you can clear the forwarding rules (this is not part of the deployment process; -F flushes every rule in these two NAT chains, not only the ones added above):
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
3. Check the effect and test
At this point, if you visit IP:80 or IP:443 of your reverse proxy server, you should see the page shown below, which means it is working
Port 80 result:
Port 443 result:
How to test the actual working effect? Modify the hosts file locally: on Windows, open the C:\Windows\System32\drivers\etc\hosts file and add a line
containing your reverse proxy server IP and your domain name, such as:
6.6.6.6 cangshui.net
The result of a successful reverse proxy:
Using Gost/iptables to reverse proxy a Cloudflare node works 100% perfectly. It behaves exactly the same as the real official Cloudflare node. The disadvantage is that if others find your IP, they can also use your reverse proxy node. If there is a solution, I will update later.
Original text: https://cangshui.net/?p=4030