@sskaje

Error 1000 by Cloudflare?

By @sskaje
Link: https://sskaje.me/2016/08/error-1000-cloudflare/

My static file proxy p.rst.im got an error sometime, saying:

Error 1000
DNS points to prohibited IP

I tried to tcpdump on port 80

tcpdump -i eth0 -s 0 -A port 80

1	tcpdump -i eth0 -s 0 -A port 80

And I found some header added by cloudflare:

GET /ajax/libs/bootstrap-fileinput/4.3.4/js/fileinput.min.js HTTP/1.0
Host: cdnjs.cloudflare.com
Connection: close
Accept-Encoding: gzip
CF-IPCountry: ..
X-Forwarded-For: ........
CF-RAY: 2d4f47e8f7562e27-NRT
X-Forwarded-Proto: https
CF-Visitor: {"scheme":"https"}
cache-control: max-age=0
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
accept-language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4,zh-TW;q=0.2
CF-Connecting-IP: ........

...
...

HTTP/1.1 403 Forbidden
Date: Fri, 19 Aug 2016 17:21:15 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Cache-Control: max-age=8
Expires: Fri, 19 Aug 2016 17:21:23 GMT
X-Frame-Options: SAMEORIGIN
Server: cloudflare-nginx
CF-RAY: 2d4f47ea74b70b50-NRT
Content-Encoding: gzip

GET /ajax/libs/bootstrap-fileinput/4.3.4/js/fileinput.min.js HTTP/1.0

Host: cdnjs.cloudflare.com

Connection: close

Accept-Encoding: gzip

CF-IPCountry: ..

X-Forwarded-For: ........

CF-RAY: 2d4f47e8f7562e27-NRT

X-Forwarded-Proto: https

CF-Visitor: {"scheme":"https"}

cache-control: max-age=0

upgrade-insecure-requests: 1

user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7

accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

accept-language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4,zh-TW;q=0.2

CF-Connecting-IP: ........

...

HTTP/1.1 403 Forbidden

Date: Fri, 19 Aug 2016 17:21:15 GMT

Content-Type: text/html; charset=UTF-8

Connection: close

Cache-Control: max-age=8

Expires: Fri, 19 Aug 2016 17:21:23 GMT

X-Frame-Options: SAMEORIGIN

Server: cloudflare-nginx

CF-RAY: 2d4f47ea74b70b50-NRT

Content-Encoding: gzip

Cloudflare might treat it infinitely loop, so I remove these headers on nginx:

            proxy_set_header CF-Connecting-IP "";
            proxy_set_header CF-IPCountry "";
            proxy_set_header CF-Visitor "";
            proxy_set_header CF-RAY "";
            proxy_set_header X-Forwarded-For "";
            proxy_set_header X-Forwarded-Proto "";

proxy_set_header CF-Connecting-IP "";

proxy_set_header CF-IPCountry "";

proxy_set_header CF-Visitor "";

proxy_set_header CF-RAY "";

proxy_set_header X-Forwarded-For "";

proxy_set_header X-Forwarded-Proto "";

Now, what caused it:

Here is how I get to these files:

My Laptop --> Home Router <--tunnel--> My VPS --> Cloudflare

1	My Laptop --> Home Router <--tunnel--> My VPS --> Cloudflare

Since I have that proxy on my VPS, it works like:

               ----------------SAME-VPS----------------
               |                                      |
               |                                      |
Request via My VPS --> Cloudflare --reverse-proxy--> My VPS 
                           ^                          |
                           |                          |
                           ------static-file-proxy-----

----------------SAME-VPS----------------

| |

Request via My VPS --> Cloudflare --reverse-proxy--> My VPS

^ |

| |

------static-file-proxy-----

It IS a loop.

Error 1000 by Cloudflare? by @sskaje: https://sskaje.me/2016/08/error-1000-cloudflare/

iptables disallow nat by source

By @sskaje
Link: https://sskaje.me/2016/08/iptables-disallow-nat-source/

drop/reject are not allowed in nat, so, forward to other port if source matches.

iptables -t nat -I PREROUTING -i {SOME_INTERFACE} -p tcp --destination-port {INPUT_PORT} -j REDIRECT --to-ports {NEW_PORT}

1	iptables -t nat -I PREROUTING -i {SOME_INTERFACE} -p tcp --destination-port {INPUT_PORT} -j REDIRECT --to-ports {NEW_PORT}

iptables disallow nat by source by @sskaje: https://sskaje.me/2016/08/iptables-disallow-nat-source/

VMware Windows 10 Guest Shared Folder Fixer

By @sskaje
Link: https://sskaje.me/2016/08/vmware-windows-10-guest-shared-folder-fixer/

Windows 10 Shared folder hang in VMware Fusion.
According to @steve goddard, this is caused by Microsoft upgrades destroying registry settings.

I wrote a VBScript check and fix the registry.

github project: https://github.com/sskaje/vmware_windows_10_shared_folder_fixer

'
' VMware Fusion/Workstation Shared Folder Fixer
' 
' Author: sskaje
'
'

' Ask for Administrator Access
If Not WScript.Arguments.Named.Exists("elevate") Then
  CreateObject("Shell.Application").ShellExecute WScript.FullName _
    , WScript.ScriptFullName & " /elevate", "", "runas", 1
  WScript.Quit
End If

' Registry related variables
Dim objShell, regNetworkProviderOrder, regValueType, currentValue, vmhgfs, comma
regNetworkProviderOrder = "HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder"
regValueType = "REG_SZ"
vmhgfs = "vmhgfs"
comma = ","

Set objShell = WScript.CreateObject("WScript.Shell")
currentValue = objShell.RegRead(regNetworkProviderOrder)

Dim searchPos, needWriteBack
searchPos = InStr(currentValue, vmhgfs)
needWriteBack = False

If searchPos = 0 Then 
	' If vmhgfs is not found in registry value, prepend 
	currentValue = vmhgfs + comma + currentValue
	needWriteBack = True
ElseIf searchPos <> 1 Then 
	' If vmhgfs is not at the beginning, move it there
	needWriteBack = True
	
	Dim providerSets, x
	providerSets = Split(currentValue, comma)
	currentValue = vmhgfs
	For Each x in providerSets
		Do
			If x = vmhgfs Then Exit Do					' Skip if current is vmhgfs
			If x = "" Then Exit Do						' Skip if current is empty string
			currentValue = currentValue + comma + x		' Append to new value
		Loop While False
	Next
' Else ' If vmhgfs is at the beginning, skip 
End If


If needWriteBack = True Then
	' Write Registry
	objShell.RegWrite regNetworkProviderOrder, currentValue, regValueType
End If

WScript.Echo "Registry has been fixed. Please try Shared Folder."

' VMware Fusion/Workstation Shared Folder Fixer

' Author: sskaje

' Ask for Administrator Access

If Not WScript.Arguments.Named.Exists("elevate") Then

CreateObject("Shell.Application").ShellExecute WScript.FullName _

, WScript.ScriptFullName & " /elevate", "", "runas", 1

WScript.Quit

End If

' Registry related variables

Dim objShell, regNetworkProviderOrder, regValueType, currentValue, vmhgfs, comma

regNetworkProviderOrder = "HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder"

regValueType = "REG_SZ"

vmhgfs = "vmhgfs"

comma = ","

Set objShell = WScript.CreateObject("WScript.Shell")

currentValue = objShell.RegRead(regNetworkProviderOrder)

Dim searchPos, needWriteBack

searchPos = InStr(currentValue, vmhgfs)

needWriteBack = False

If searchPos = 0 Then

' If vmhgfs is not found in registry value, prepend

currentValue = vmhgfs + comma + currentValue

needWriteBack = True

ElseIf searchPos <> 1 Then

' If vmhgfs is not at the beginning, move it there

needWriteBack = True

Dim providerSets, x

providerSets = Split(currentValue, comma)

currentValue = vmhgfs

For Each x in providerSets

If x = vmhgfs Then Exit Do ' Skip if current is vmhgfs

If x = "" Then Exit Do ' Skip if current is empty string

currentValue = currentValue + comma + x ' Append to new value

Loop While False

' Else ' If vmhgfs is at the beginning, skip

End If

If needWriteBack = True Then

' Write Registry

objShell.RegWrite regNetworkProviderOrder, currentValue, regValueType

End If

WScript.Echo "Registry has been fixed. Please try Shared Folder."

VMware Windows 10 Guest Shared Folder Fixer by @sskaje: https://sskaje.me/2016/08/vmware-windows-10-guest-shared-folder-fixer/

静态资源代理服务

By @sskaje
Link: https://sskaje.me/2016/08/web-static-resource-proxy/

之前为了让blog能被大陆地区正常访问（主要是G家css和字体），在ngnix上配了一些替换规则。

之前blog强制走https，也加了一些乱七八糟的nginx规则。
现在单独拿出一个域名干这事情，p.rst.im，这样一来，可能有些资源可以被直接被第三方引用：

例如 jquery 的google cdn：https://ajax.googleapis.com/ajax/libs/jquery/3.1.0/jquery.min.js
可以使用 https://p.rst.im/p/ajax.googleapis.com/ajax/libs/jquery/3.1.0/jquery.min.js

也可以用 //p.rst.im

目前启用的规则包括下列域名及子域名：

google.com
googleapis.com
googleusercontent.com
gstatic.com
jquery.com
bootstrapcdn.com

替换做得比较简单粗暴，所以可能有部分js无法正常访问。
有问题欢迎反馈，有需要添加域名的也请提出来。

这里只尽量保证静态资源能正常被使用，想拿这个当web proxy的还是歇了吧。

如果你的blog使用nginx/tengine并且启用了 ngx_http_substitutions_filter_module，可以参考如下配置：

subs_filter_types text/html* text/css application/javascript application/x-javascript;
subs_filter (\'|\"|url\()(https:|http:|)//(fonts.googleapis.com|themes.googleusercontent.com|apis.google.com|fonts.gstatic.com) $1//p.rst.im/p/$3 gr;

1 2	subs_filter_types text/html* text/css application/javascript application/x-javascript; subs_filter (\'\|\"\|url\()(https:\|http:\|)//(fonts.googleapis.com\|themes.googleusercontent.com\|apis.google.com\|fonts.gstatic.com) $1//p.rst.im/p/$3 gr;

静态资源代理服务 by @sskaje: https://sskaje.me/2016/08/web-static-resource-proxy/

EdgeRouter OpenVPN Connectivity Monitor

By @sskaje
Link: https://sskaje.me/2016/08/edgerouter-openvpn-connectivity-monitor/

VPN protocols are censored and blocked in China.

I’ve set up an PPTP client and a Site-to-site OpenVPN connection on my EdgeRouter Lite.

PPTP is insecure and is easier to censor, so I’ve removed PPTP client from my router.

OpenVPN is better than PPTP, not only secured, but also much more stable. But traffics are occasionally lost, reset works at most cases.

reset openvpn interface vtun0

1	reset openvpn interface vtun0

But I cannot get ssh access anywhere anytime, so I have to write an script monitor and run ‘reset’ if necessary.

You are not authorised to read all content in this post.

Please login…

EdgeRouter OpenVPN Connectivity Monitor by @sskaje: https://sskaje.me/2016/08/edgerouter-openvpn-connectivity-monitor/