Domain fronting for SoftEther server
Posted: Thu Jan 05, 2023 11:28 pm
I would like to know what methods are available for domain fronting for/with SE server.
The methods below have been tested using SSTP and SE server 4.41.
From https://en.wikipedia.org/wiki/Domain_fronting:
"Domain fronting is a technique for Internet censorship circumvention that uses different domain names in different communication layers of an HTTPS connection to discreetly connect to a different target domain than is discernable to third parties monitoring the requests and connections."
disclaimer
It has been only a few days since I got to know about "domain fronting". So by the term "domain fronting" I mean keeping the SE server end-point IP from being exposed and accessing it via a helper domain (mainly using SSTP, since domain verification is needed).
Method 1 - double VPN
This one is simple to set up, but it may cause some issues.
pros
- hop-2 IP will be hidden
cons
- hop-1's own IP address is exposed
- throughput on hop-1 server with cascade connection
- if the hop-2 default page is disabled (by creating the directory hamcore/wwwroot/index.html), the hop-1 cascade connection fails
Method 2 - traffic redirection from hop-1 to hop-2
https://serverfault.com/questions/58648 ... me-network
We can forward hop-1 traffic to hop-2. The speed will decrease by around 10% to 30% or more.
pros
- hop-2 IP will be hidden
- hop-2 default page can be disabled
cons
- hop-1's own IP address is exposed
Method 3 - using a CDN (e.g. CloudFlare)
This method is not straightforward, and it seems that on free plans CF does not support non-HTTP traffic forwarding.
List of ports CF supports
https://developers.cloudflare.com/funda ... ork-ports/
and forwarding availability
https://developers.cloudflare.com/spectrum/
Also, I have tested this method (3) with a CF origin server certificate, but it did not work.
pros
- hide hop-X IP address
cons
- does not seem to work because of a lack of protocol support
So what other ways do you know or are possible?
Regards
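
Added example, not part of the original post and not the method from the linked answer: a user-space TCP relay in Python that illustrates the Method 2 trade-off on loopback. The names `start_relay`, `serve`, `pipe` and `demo`, and the stub that stands in for the SE server, are assumptions made for this illustration.

```python
import socket
import threading

def pipe(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def serve(listener, on_conn):
    """Accept forever in a daemon thread; one thread per connection."""
    def loop():
        while True:
            conn, peer = listener.accept()
            threading.Thread(target=on_conn, args=(conn, peer), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return listener.getsockname()

def start_relay(upstream, outbound):
    """hop-1: forward each inbound TCP connection to `upstream` (hop-2)."""
    def on_conn(client, _peer):
        with client, socket.create_connection(upstream) as up:
            outbound.append(up.getsockname())  # source address hop-2 will see
            t = threading.Thread(target=pipe, args=(client, up), daemon=True)
            t.start()
            pipe(up, client)   # hop-2 -> client in this thread
            t.join()           # wait for client -> hop-2 to finish
    return serve(socket.create_server(("127.0.0.1", 0)), on_conn)

def demo():
    """Constructed loopback test: stub hop-2, relay hop-1, one client."""
    seen, outbound = [], []
    def stub_hop2(conn, peer):  # constructed stand-in for the SE server
        seen.append(peer)
        with conn:
            conn.sendall(b"hop2:" + conn.recv(1024))
    hop2 = serve(socket.create_server(("127.0.0.1", 0)), stub_hop2)
    hop1 = start_relay(hop2, outbound)
    with socket.create_connection(hop1, timeout=5) as c:
        c.sendall(b"ping")
        reply = b"".join(iter(lambda: c.recv(1024), b""))
        peer = c.getpeername()
    return reply, peer == hop1, peer != hop2, seen == outbound
```

The client only ever holds hop-1's address, while hop-2 records the relay's outbound socket as the source of every session, so per-client source addresses are no longer available in hop-2's logs.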