mirror of
https://github.com/cbeuw/Cloak.git
synced 2026-04-26 04:55:58 +03:00
[GH-ISSUE #155] Are there any plans to support Cloudflare in CDN mode? #125
Originally created by @taylorwin on GitHub (Feb 20, 2021).
Original GitHub issue: https://github.com/cbeuw/Cloak/issues/155
I'm using Cloak very well, but the server has a large latency for some areas or networks, and I want to speed it up through Cloudflare. I know these can be achieved with v2ray, but I am used to Cloak, so I expect Cloak to support Cloudflare.
@notsure2 commented on GitHub (Mar 21, 2021):
It should work: have Cloak on your origin server listening on port 80 with redirectaddr to a webserver on another port. Set Cloudflare SSL/TLS to "Flexible". Set Cloak to CDN mode with server name = your Cloudflare proxied domain.
@notsure2 commented on GitHub (Mar 21, 2021):
OK, I tested it; actually it doesn't work, because Cloak only understands websocket CDN mode in HTTP and Cloudflare still prefers to use SSL when connecting to the origin. You have to force it to use HTTP.
Yeah... I can't make it work. Cloak spams tls unexpected message.
@taylorwin commented on GitHub (Mar 24, 2021):
Thank you for your test, I think I can only wait for the author to update it.
@notsure2 commented on GitHub (Jun 25, 2021):
I made some progress on this, there's bad news...
First of all, CloudFlare uses a TLS compression extension that the utls used by Cloak doesn't understand. This can be fixed by changing to a fork of it: https://gitlab.com/yawning/utls
Second, the Google Chrome TLS signature contains HTTP/2 support, but the Go websocket module doesn't understand HTTP/2. Since you told CloudFlare in the TLS handshake that you understand HTTP/2, it responds with HTTP/2 to the websocket request, which the websocket module cannot understand (gives malformed HTTP response error). And it ignores the fact that the websocket request was using HTTP/1.1 because it assumed you will use HTTP/2 because you advertised it in the TLS handshake.
https://github.com/gorilla/websocket/issues/417
Also, the Go http2 module is not yet ready and is still a work in progress: https://pkg.go.dev/golang.org/x/net/http2
It may be possible to use that in-progress module directly and remove the use of websocket, but it complicates things. You will need to always try with HTTP/2 first and, if the server doesn't understand it, use HTTP/1.1 (maybe the Go http2 module handles this automatically).
There's an example of plaintext HTTP/2 here: https://www.mailgun.com/blog/http-2-cleartext-h2c-client-example-go/ but will need to fork websocket and add a retrying mechanism or choose based on server-sent ALPN.
@cbeuw
@notsure2 commented on GitHub (Jul 20, 2021):
Implementation hint: https://github.com/nodejs/node/issues/31759#issuecomment-585488680
@notsure2 commented on GitHub (Jul 22, 2021):
OK, I have been digging more and the solution is actually very, very, very simple.
Websocket isn't compatible with HTTP/2 in the first place, and even Google Chrome, when connecting to a websocket, removes the ALPN extension from the Client Hello... otherwise the handshake is identical. I will make a PR shortly with this change.
@malikshi commented on GitHub (Jul 22, 2021):
Can we run it on ports 443 and 80?
@notsure2 commented on GitHub (Jul 22, 2021):
@malikshi Yes, you can, but Cloudflare always tries to use HTTPS to reach your server. You can run 2 Cloaks, one on port 80 and the other on 443, on your origin server.
@malikshi commented on GitHub (Jul 22, 2021):
So don't bind ports 443 and 80 in the same ckserver.json? Run 2 Cloak servers with different configs, that's what you mean?!
@notsure2 commented on GitHub (Jul 22, 2021):
Same config no problem but different port, different instances.
@HirbodBehnam commented on GitHub (Dec 30, 2021):
I've been trying to set up Cloak with Cloudflare but I couldn't do it. I thought maybe I'd come here and ask for help!
So here is my client config:
And I run it using
.\ck-client.exe -c .\shadowsocks.json -s 'my domain' -p 2053
2053 is an HTTPS routed port for cloudflare. I also tried with port 2052 and 80 but that also didn't work.
For port 2053 I get "Failed to prepare connection to remote: failed to handshake: websocket: bad handshake" from client side and "decryption/authentication faliure: cipher: message authentication failed" from server side.
For port 2052 and 80 I get "Failed to prepare connection to remote: tls: first record does not look like a TLS handshake" from client side. I investigated this with wireshark and it seems that cloudflare is simply sending "bad request" to me.
Can anyone tell me where is my problem? Also I'd like to note that SSL in cloudflare is set to flexible.
Thanks
@HaskellZhangSong commented on GitHub (Nov 12, 2022):
I used cloudflare to proxy my server and tried to set the following to client.json
I follow the Readme, no magic. I just bind 443 port in server config json file.
No magic.
@Saya47 commented on GitHub (Mar 16, 2023):
Hello @cbeuw can you tell us how to use Cloudflare workers or proxy with Cloak? Thanks a lot.
@abn0mad commented on GitHub (May 26, 2023):
Hi all,
While I realise this isn't a particularly popular topic, it seems I've hit a wall on this one as well...
I have a custom domain registered with Cloudflare. Turned off all forms of security, turned off HTTP/3, TLS1.3, etc. Created configuration rules and page rules to make sure every possible security, SSL/TLS, performance and other settings are turned off.
I have tried both cloak with ports 80 and 443 enabled in a single instance, as well as separating them into individual instances.
Redirect and server names all set to testing.myexampledomain.com
With client at port 80, I get: [Failed to prepare connection to remote: tls: first record does not look like a TLS handshake.]
With client at port 443, I get either:
1: [Failed to prepare connection to remote: remote error: tls: handshake failure]
2: [Failed to prepare connection to remote: failed to handshake: websocket: bad handshake]
Having followed the readme it seems I have followed through on all of the required settings save "HTTP Port 80" at Cloudflare's end as I couldn't find such a setting..
The errors do imply that Cloudflare is forcing TLS regardless of the settings that have been applied on the Cloudflare Dashboard.
I did consider starting a Zero-Trust Tunnel instead and have cloak run on an internal IP address, but I haven't tried that yet. Surely a direct way must be possible somehow...?