[GH-ISSUE #63] CDN through Cloudflare #55

Open
opened 2026-02-26 12:33:50 +03:00 by kerem · 13 comments

Originally created by @qichaozhao on GitHub (Sep 22, 2019).
Original GitHub issue: https://github.com/cbeuw/Cloak/issues/63

Hey there,

I have set up cloak with shadowsocks and it works fine in the direct mode.

I also saw on the wiki the instructions to set up a cloudfront CDN and use cloak in CDN mode. I am not using Amazon but I do have a Cloudflare account which I tried.

I mirrored the settings as similarly as possible based on the guide you provided in the wiki.

However now when I try to run the ckclient process in my client I get the following error when the shadowsocks client tries to initiate a connection.

```
ERRO[0021] Failed to prepare connection to remote: local error: tls: unexpected message
```

my ckclient.json looks like this:

```
{
    "Transport": "CDN",
    "EncryptionMethod": "plain",
    "ProxyMethod": "shadowsocks",
    "UID": "blah",
    "PublicKey": "blahblah",
    "ServerName": "cloudflare.com",
    "NumConn": 4,
    "BrowserSig": "chrome",
    "streamTimeout": 300
}
```

I have also tried setting the ServerName to: mytld.com (and mytld.com) without any success.

In Cloudflare I have set up the SSL as "Flexible" meaning I believe viewer -> cloudflare is SSL but cloudflare -> myhost is not.

Is there anything missing here that could be causing this issue?


@qichaozhao commented on GitHub (Sep 22, 2019):

As a followup I set up an AWS account and tried to get this working using cloudfront but still no luck.

The ckclient.json in this case is:

```
{
    "Transport": "DNS",
    "EncryptionMethod": "plain",
    "ProxyMethod": "shadowsocks",
    "UID": "blah",
    "PublicKey": "blahblah",
    "ServerName": "cloudfront.net",
    "NumConn": 4,
    "BrowserSig": "chrome",
    "streamTimeout": 300
}
```

When I start the cloak proxy with:

`./ck-client -c ckclient.json -s mydomain.cloudfront.net`

I see lots of these errors:

```
ERRO[0000] Failed to prepare connection to remote: cipher: message authentication failed
ERRO[0000] Failed to prepare connection to remote: cipher: message authentication failed
ERRO[0000] Failed to prepare connection to remote: cipher: message authentication failed
ERRO[0000] Failed to prepare connection to remote: cipher: message authentication failed
```
Here are my origin settings on AWS:

![image](https://user-images.githubusercontent.com/9197175/65390525-7c301380-dd92-11e9-90e4-3c5cd49e6cbb.png)

Finally, I was also watching the logs on the server side and no connection attempts were made to the cloak server running there so something is clearly not configured correctly with the client and the cloudfront CDN.

Any thoughts here?


@cbeuw commented on GitHub (Sep 22, 2019):

> "ServerName": "cloudfront.net",

I was a bit ambiguous when I wrote the instructions in the wiki. By "the domain of the CDN server", it should be what you referred to as `mydomain.cloudfront.net` instead of just `cloudfront.net`. I have fixed that wording. Try if that works


@qichaozhao commented on GitHub (Sep 22, 2019):

@cbeuw thanks for the quick response. Unfortunately it seems still no joy.

Here is the updated json:

```
{
    "Transport": "DNS",
    "EncryptionMethod": "plain",
    "ProxyMethod": "shadowsocks",
    "UID": "blah",
    "PublicKey": "blah",
    "ServerName": "blah.cloudfront.net",
    "NumConn": 4,
    "BrowserSig": "chrome",
    "streamTimeout": 300
}
```

Here is the log from my terminal, same error unfortunately.

```
> ./ck-client -c ckclient.json -s blah.cloudfront.net

INFO[0000] Starting standalone mode
INFO[0000] Listening on TCP 127.0.0.1:1984 for shadowsocks client
INFO[0001] Attemtping to start a new session
ERRO[0001] Failed to prepare connection to remote: cipher: message authentication failed
ERRO[0001] Failed to prepare connection to remote: cipher: message authentication failed
ERRO[0001] Failed to prepare connection to remote: cipher: message authentication failed
ERRO[0001] Failed to prepare connection to remote: cipher: message authentication failed
```

@cbeuw commented on GitHub (Sep 22, 2019):

> "Transport": "DNS",

It could be due to this. Should've been `CDN` instead.


@qichaozhao commented on GitHub (Sep 22, 2019):

Sorry, that was idiotic of me.

Config is now corrected resulting in a new error!

```
{
    "Transport": "CDN",
    "EncryptionMethod": "plain",
    "ProxyMethod": "shadowsocks",
    "UID": "",
    "PublicKey": "",
    "ServerName": "xxx.cloudfront.net",
    "NumConn": 4,
    "BrowserSig": "chrome",
    "streamTimeout": 300
}
```

```
./ck-client -c ckclient.json -s xxx.cloudfront.net

INFO[0000] Starting standalone mode
INFO[0000] Listening on TCP 127.0.0.1:1984 for shadowsocks client
INFO[0074] Attemtping to start a new session
ERRO[0074] Failed to prepare connection to remote: failed to handshake: malformed HTTP response "\x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00\x04\x00\x01\x00\x00\x00\x05\x00\xff\xff\xff\x00\x00\x04\b\x00\x00\x00\x00\x00\u007f\xff\x00\x00\x00\x00\b\a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"
```

@cbeuw commented on GitHub (Sep 23, 2019):

If you visit `xxx.cloudfront.net` in your browser (try both HTTP and HTTPS), is there anything showing up in your ck-server log?


@qichaozhao commented on GitHub (Sep 23, 2019):

Initially no - but I realised some DNS A records were not configured properly. Having fixed now I can now `curl xxx.cloudfront.net`

If I curl using HTTP (`curl xxx.cloudfront.net`) or HTTPS (`curl https://xxx.cloudfront.net`) then I see on ck-server the expected log:

```
WARN[0191] failed to unmarshal hidden data from WS into authenticationInfo: non (or malformed) HTTP GET UID= encryptionMethod=0 proxyMethod= remoteAddr="remote_ip" sessionId=0
```

So then I tried again and now I see the connection in ck-server from a cloudfront proxy IP address (64.252.188.79), but the client errors remain the same.

Client Side:

```
./ck-client -c ckclient.json -s xxx.cloudfront.net
INFO[0000] Starting standalone mode
INFO[0000] Listening on TCP 127.0.0.1:1984 for shadowsocks client
INFO[0002] Attemtping to start a new session
ERRO[0003] Failed to prepare connection to remote: failed to handshake: malformed HTTP response "\x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00\x04\x00\x01\x00\x00\x00\x05\x00\xff\xff\xff\x00\x00\x04\b\x00\x00\x00\x00\x00\u007f\xff\x00\x00\x00\x00\b\a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"
```
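Added example, not part of the original thread and not Cloak's own code: the bytes quoted in the `malformed HTTP response` error above can be unquoted and walked as HTTP/2 frames (9-byte header, RFC 7540 section 4.1) to see what the CDN edge actually sent back. `Frame`, `ParseFrames` and `names` are names chosen for this sketch.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strconv"
)

// Body quoted in the ck-client "malformed HTTP response" error above (Go %q form).
const quoted = `"\x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x80\x00\x04\x00\x01\x00\x00\x00\x05\x00\xff\xff\xff\x00\x00\x04\b\x00\x00\x00\x00\x00\u007f\xff\x00\x00\x00\x00\b\a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"`

// Frame is one HTTP/2 frame: 9-byte header (RFC 7540 section 4.1) plus payload.
type Frame struct {
	Type     string
	StreamID uint32
	Payload  []byte
}

var names = map[byte]string{0: "DATA", 1: "HEADERS", 3: "RST_STREAM",
	4: "SETTINGS", 6: "PING", 7: "GOAWAY", 8: "WINDOW_UPDATE"}

// ParseFrames unquotes the logged string and splits it into HTTP/2 frames.
func ParseFrames(q string) ([]Frame, error) {
	s, err := strconv.Unquote(q)
	if err != nil {
		return nil, fmt.Errorf("not a Go-quoted string: %w", err)
	}
	var out []Frame
	for b := []byte(s); len(b) > 0; {
		if len(b) < 9 {
			return out, fmt.Errorf("truncated header: %d bytes left", len(b))
		}
		n := int(b[0])<<16 | int(b[1])<<8 | int(b[2]) // 24-bit payload length
		if len(b) < 9+n {
			return out, fmt.Errorf("truncated payload: need %d bytes", n)
		}
		name, ok := names[b[3]]
		if !ok {
			name = fmt.Sprintf("UNKNOWN(0x%02x)", b[3])
		}
		id := binary.BigEndian.Uint32(b[5:9]) & 0x7fffffff // drop reserved bit
		out = append(out, Frame{Type: name, StreamID: id, Payload: b[9 : 9+n]})
		b = b[9+n:]
	}
	return out, nil
}

func main() {
	frames, err := ParseFrames(quoted)
	fmt.Println("parse error:", err)
	for _, f := range frames {
		fmt.Printf("%-13s stream=%d payload=% x\n", f.Type, f.StreamID, f.Payload)
	}
}
```

On the string from this thread the result is SETTINGS, WINDOW_UPDATE and a GOAWAY whose last four payload bytes are error code 1 (PROTOCOL_ERROR): the peer answered in HTTP/2 framing where the client was reading for an HTTP/1.1 response.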

@malikshi commented on GitHub (Sep 30, 2019):

could be work on cloudflare cdn?


@itshaadi commented on GitHub (Oct 12, 2019):

the conversation shifted towards cloudfront, what about cloudflare? it would be really helpful if you could support cloudflare. because people from Cuba, Iran, Syria ... can't buy anything from a US based company.


@malikshi commented on GitHub (Oct 12, 2019):

@itshaadi yeah maybe you could use v2ray, but i hope cloak support cloudflare


@piloer commented on GitHub (Oct 23, 2019):

It would be great if cloak could support cloudflare


@vanyaindigo commented on GitHub (Nov 1, 2019):

Yes and here is example https://github.com/russian-meshnet/shadowsocks-v2ray-cdn/blob/master/install-server-on-Arch.sh-example


@dimqua commented on GitHub (Nov 1, 2019):

@vanyaindigo it uses v2ray-plugin, not Cloak.
