I am trying to set up a Shadow Socks connection from China. To do that, I
downloaded and installed a ShadowCocks client (ShadowsocksX-NG.app) on my local, and configure
create a ShadowCocks service at a server aboard
For 2), I have created one instance on AWS of east US zone, and the service is already started with the following configuration. The server instance is SECURED with key pair for connection.
{
"server":"0.0.0.0",
"local_address":"127.0.0.1",
"local_port":1080,
"port_password":{
"7777":"password1",
"8888":"password2"
},
"timeout":300,
"method":"aes-256-cfb",
"fast_open":false
}
For 1), I connect with the address of the server instance's address, port number 7777 and password = password1.
I use global mode (to ensure Shadowcocks kick in) for ShadowCocks client and start it, no website gets loaded (both blocked sites and unblocked sites by the GFW). I assert there is problem with the connection between the Shadowcocks client side and server sides). I also tried different encyption algorithm but still doesn't load.
I need some hint on where the problems might be!
I suspect something wrong with the crytographics? I think the concept of Shadowcocks is that
the client side encrypts the URL and sends it to the server side
then the server side receives the encrypted text and decrypt it, and then fetch the result with the decrypted URL.
I am guessing the problem might occur at this part. I don't see how my client side encrypts or how my server side can decrypt since I didn't share the keys between the 2 sides.
Set the inbound rules to allow traffics to port 7777 and 8888.
type = TCP
port = 7777 or 8888
source = 0.0.0.0/0
So Shadowsocks will be able to connect.
Related
Is there a way to configure the gRPC Java client and/or server in order to support a zero downtime rollout of mTLS from plaintext?
Use case: Say you have a cluster of gRPC java server running with plaintext with active gRPC java client connected to them. Service discovery is via DNS, so if you upgraded the server to support mTLS the new instances would come up and be published via DNS to the clients.
Option 1: Configure the clients to support both, so when the the client gets a new IP from the DNS lookup, it would work with either plaintext or mTLS, perhaps by trying mTLS first and falling back to plaintext. Can this be configured?
Option 2: Configure the server (on a single port) to do both. Then you'd rollout upgrades to the clients with mTLS enabled to replace the existing plaintext ones. Then when done, disable the server fallback to plaintext. Can this be configured?
Interesting use-case!
Option 1: Configure the clients to support both, so when the the client gets a new IP from the DNS lookup, it would work with either plaintext or mTLS, perhaps by trying mTLS first and falling back to plaintext. Can this be configured?
This would just be the client code (in the application) trying with mTLS first and on failure try plaintext for the channel. How do you expect this to be configured? Do you think the client would decide to use (or not) mTLS based on the IP address?
Option 2: Configure the server (on a single port) to do both. Then you'd rollout upgrades to the clients with mTLS enabled to replace the existing plaintext ones. Then when done, disable the server fallback to plaintext. Can this be configured?
The server needs to use a TLS handler or plaintext for all incoming connections. Do you want the server also to do some kind of fallback or examine the initial packets to see if there is a ClientHello or such and based on that decide to use the TLS handler or not?
For xDS configured gRPC servers one can configure it to do mTLS (or TLS) based on the client IP addresses as configured in the FilterChainMatch configuration for the server. See https://github.com/grpc/proposal/blob/master/A36-xds-for-servers.md#filterchainmatch
When I create the Hello World example in C++ from The Guide on ZeroMQ found here:
http://zguide.zeromq.org/page:all#Ask-and-Ye-Shall-Receive
and run the application, I get a Windows Security Alert that asks if I would like to allow the application to communicate on public or private networks.
It looks like this:
Here is where things get interesting.
I only need my program to listen on port 5555 for connections from localhost and I do NOT need to allow incoming connections on port 5555. This is because I only want to communicate between applications on the localhost.
Client and server are both running on the same machine.
Here is my current process. I start the server, the Windows Security Alert comes up, since I am running the application as a non-administrator account, I only have standard permissions. Then I click Cancel on the Alert.
Clicking cancel on the alert puts an explicit deny inbound rule on all ports for HelloWorldServer.exe. This is totally fine.
Then I start the client. Since the client is connecting to the localhost. I actually does not need to send messages outside of the local machine, and all of its messages arrive at the server just fine.
Given an explicit deny rule on incoming connections to HelloWorldServer.exe, the messages can still arrive from the client on the local host. This is a desirable result.
Now the question becomes is there anyway to automatically respond to the Windows Security Alert to click cancel? Is there any way to suppress it from popping up since the allow is not needed?
The prompt is undesirable because it implies that the application needs to create a vulnerability when it does not.
Please assume that Named Pipes are not a valid alternative to tcp as a means of inter-process communication.
When binding the socket the caller may specify the IP address the socket is bound to. The coding samples provided by ZeroMQ specify
socket.bind ("tcp://*:5555");
where * appears to be specify all possible addresses (INADDR_ANY in BSD socket-derived parlance) which will trigger the Windows firewall as it allows remote and local addresses.
Calling socket.bind with the localhost address 127.0.0.1
socket.bind ("tcp://127.0.0.1:5555");
limits the sockets allowed to connect to the local machine and should silence the firewall warning for most Windows firewall configurations.
I have sTunnel running on my client and server and can't seem to get my head round how I can have it running in a sort of "silent mode" whereby if I were abroad I could fire up the sTunnel connection on my client, connect to my server and then my browsing traffic connection would behave as if I were in the UK (an encrypted proxy).
On the client conf I have:
accept = localhost:xxx (I understand this means the local sTunnel installation listens on xxx port and grabs any traffic sent on that port).
connect = serverip:xxx (This is the instruction of where it needs to be forwarded, i.e the server).
On my server:
accept: clientIP:xxx (the source IP address of my client)
connect: localhost:xxx (the loopback address of the server)
What am I failing to see here? As I see it I can only use this tunnel if I explicitly target a port with my browser and even then wouldn't it only make it as far as the sTunnel server and not onward to the website intended? Do I need to setup proxy settings in the browser?
thanks a lot
I'm not sure stunnel is what you're looking for here.
What you describe would be best accomplished with OpenSSH, and its dynamic SOCKS5 proxy functionality, e.g. ssh -D1080 from the client.
This generally doesn't require any extra settings on the server-side (unless it was specifically disabled by your system administrator), and then on your roaming client-side, you simply establish an SSH connection to your server as per usual, but add an extra -D1080 parameter to your ssh invocation.
Or, if using PuTTY, set up dynamic port forwarding within Connection, SSH, Tunnels, Source port of 1080 and Destination of Dynamic, click Add.
Subsequently, change the settings of your browser to use SOCKS proxy at localhost, port 1080, and also make sure to specify SOCKS v5 and ensure that the checkbox for resolving hostnames remotely is set, too.
I would like a bidirectional protocol working between two computer to send data between each other that will continuous to work when i change network (in java).
I tried to use websocket to send data between the two computer (not that the two computer are client and server the server is in amazon with a static ip address,while the client is in my local network) i this is the behaviour observed.
When i try to connect the client to the server the communication works and data are sent very well between each other.
But when i switch the client from one network to another network.
but when i switch my client from one network to another network (because the network lost internet connection),obviously the client has changed ip address, the communication between the computers (client are server) doesn't work any more. How can i do such that this communication still available?
If it isn't possible, is there any bidirectionnal protocol that still working when i switch the client from one network to another one?
I cannot think to another bidirectional protocol that automatically handles ip switch. I just can guarantee there is no "standard" protocol that does it.
It is something that you can handle at application level on top on WebSocket.
For example:
server side: you assign an univocal id to every client. You keep track of connected clients and stop tracking them when they are disconnected for too long time. If a client with a known id asks to start a websocket connection you can continue from where you left off, else you assign a new id;
client side: when the connection goes down (I suppose onerror event) you periodically try to start a new websocket handshake sending your id;
of course using a simple id is not so secure and it does not take into account if you reload the page or open it from another tab. Anyway those problem can be easily solved in lot of different ways (for example if the user are authenticated).
Connecting to a named Active Directory server in the DMZ (i.e. not in the domain), over port 636 using DirectoryEntry then pulling attributes using DirectorySearcher.
String
string serverPath = "LDAP://some.domain.com:636/OU=XXXX,DC=xxxx,DC=xxxxxxxxx";
var searchRoot = new DirectoryEntry(
serverPath,
User,
Pass,
AuthenticationTypes.Secure);
The first query is very slow, around 22-25 seconds. It was explained to me that this may because IIS 7.5 may be doing a look up of the certificate on the AD server against a CRL, but not getting a response. Then, subsequent queries accept that answer until the process times out, so that the next query will again take 22-25 seconds.
Is the type of connection that I've described in my code example actually pull the certificate, or is the traffic simply sent over the port in an encrypted state, without a handshake between servers relative to the cert?
Is it mandatory that I IIS have a certificate as well for this to work? I should say that I am using this pattern: http://forums.asp.net/p/907421/1007517.aspx.
SSL isn't involved here.
What's serverPath look like? You probably are timing out on something - DNS perhaps. I'd start with a network trace.
When you use port 636, LDAP over SSL is used,
http://en.wikipedia.org/wiki/Ldap
If you use Microsoft Network Monitor or Wireshark to capture the packets, you may gain more insights on packet level.
In this case, CRL is necessary as it is enabled by default. But you can turn it off on machine or application level,
http://www.page-house.com/blog/2009/04/how-to-disable-crl-checking.html