feature request: fake SNI for iranian users about xray-core HOT 7 CLOSED

thats not a ws host, i check that by wire shark, its send host 3 times to server, 2 times fake host and one time in middle the true host

from xray-core.

Multiple host headers?
If it could pass through, it might be a bug.
I need to talk this with cloudflare engineer

from xray-core.

The host in WS request can already be set (see doc)
By the way, I didn't understand what you were saying. It's known that IFW will block HTTP connections to cloudflare, so what's the use of setting up a host

from xray-core.

  "headers": {
    "Host": "",
    "Host": "",
    "Host": "",
    "Host": ""
  }

from xray-core.

There are many bugs like this in iranian DPI, across ISPs. Some of them do not require any specific behavior from cloudflare and are compatible with more CDNs. They are all trivial to patch by the censor, and so it should not be widely promoted.

I know this was an argument against fragment as well, but this new method used in Mahsa is much easier to patch, it does not require additional resources such as a TCP reassembly buffer.

If somebody opens a PR for this anyway (despite the issue being closed), I would urge you to implement a more generic feature, like injecting arbitrary bytes between GET / .. and the first HTTP header, instead of implementing a specific feature that documents the exact bypass really well and helps censors.

PS: Also, general support for "multiple host headers" isn't sufficient to implement this particular bypass.

from xray-core.

There are many bugs like this in iranian DPI, across ISPs. Some of them do not require any specific behavior from cloudflare and are compatible with more CDNs. They are all trivial to patch by the censor, and so it should not be widely promoted.

I know this was an argument against fragment as well, but this new method used in Mahsa is much easier to patch, it does not require additional resources such as a TCP reassembly buffer.

If somebody opens a PR for this anyway (despite the issue being closed), I would urge you to implement a more generic feature, like injecting arbitrary bytes between GET / .. and the first HTTP header, instead of implementing a specific feature that documents the exact bypass really well and helps censors.

PS: Also, general support for "multiple host headers" isn't sufficient to implement this particular bypass.

i'm not an expert, i'm an end user and as you say multiple host didnt solve my problem by the way thank you for your answer.

from xray-core.

thats not a ws host, i check that by wire shark, its send host 3 times to server, 2 times fake host and one time in middle the true host

damn, this is cool

from xray-core.