
Are there any plans to support Cloudflare in CDN mode? #155

Closed
taylorwin opened this issue Feb 20, 2021 · 14 comments

Comments

@taylorwin commented Feb 20, 2021

I'm using Cloak very well, but the server has a large latency for some areas or networks, and I want to speed it up through Cloudflare. I know these can be achieved with v2ray, but I am used to Cloak, so I expect Cloak to support Cloudflare.

@notsure2 (Contributor) commented Mar 21, 2021

It should work: have Cloak on your origin server listening on port 80 with RedirectAddr pointing to a web server on another port. Set Cloudflare SSL/TLS to "Flexible". Set Cloak to CDN mode with server name = your Cloudflare-proxied domain.

@notsure2 (Contributor) commented Mar 21, 2021

OK, I tested it; actually it doesn't work, because Cloak only understands WebSocket CDN mode over HTTP and Cloudflare still prefers to use SSL when connecting to the origin. You have to force it to use HTTP.

Yeah... I can't make it work. Cloak spams `tls unexpected message`.

@taylorwin (Author)

Thank you for your test, I think I can only wait for the author to update it.

@notsure2 (Contributor) commented Jun 25, 2021

I made some progress on this, but there's some bad news...

First of all, Cloudflare uses a TLS certificate compression extension that the utls used by Cloak doesn't understand. This can be fixed by changing to a fork of it: https://gitlab.com/yawning/utls

Second, the Google Chrome TLS signature contains HTTP/2 support, but the Go websocket module doesn't understand HTTP/2. Since you told Cloudflare in the TLS handshake that you understand HTTP/2, it responds with HTTP/2 to the WebSocket request, which the websocket module cannot understand (gives a malformed HTTP response error). And it ignores the fact that the WebSocket request was using HTTP/1.1, because it assumed you would use HTTP/2 since you advertised it in the TLS handshake.

gorilla/websocket#417

Also, the Go http2 module is not yet ready and still a work in progress: https://pkg.go.dev/golang.org/x/net/http2
It may be possible to use that in-progress module directly and remove the use of websocket, but it complicates things. You will need to always try HTTP/2 first and, if the server doesn't understand it, use HTTP/1.1 (maybe the Go http2 module handles this automatically).

There's an example of plaintext HTTP/2 here: https://www.mailgun.com/blog/http-2-cleartext-h2c-client-example-go/ but it will need a fork of websocket and a retrying mechanism, or choosing based on the server-sent ALPN.

@cbeuw

@notsure2 (Contributor)

Implementation hint: nodejs/node#31759 (comment)

> Plaintext HTTP/2 to HTTP/1 Fallback:
>
> You can choose to optimistically initiate an HTTP/2 request with the server. The initial HTTP/2 handshake is an intentionally malformed HTTP/1 method. If the server supports HTTP/2, then it will understand that you want to use HTTP/2 and will just continue working. If the server only supports HTTP/1, then it will respond with an HTTP/1 Unsupported Method error; if you get that, you need to fall back to using HTTP/1.

@notsure2 (Contributor)

OK, I have been digging more and the solution is actually very, very simple.

WebSocket isn't compatible with HTTP/2 in the first place, and even Google Chrome, when connecting to a WebSocket, removes the ALPN extension from the Client Hello... otherwise the handshake is identical. I will make a PR shortly with this change.
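
The ALPN point above, as an added example that is not Cloak's code and not from this thread: a Go program that models the CDN edge as an in-memory TLS server offering both `h2` and `http/1.1`, then runs one handshake per client variant and reports which protocol the edge selected. A ClientHello advertising `h2` gets `h2` back (the WebSocket upgrade would then be answered in HTTP/2 framing), while a ClientHello with no ALPN extension, which is what a browser sends on a WebSocket connection, leaves the edge with no negotiated protocol and therefore on HTTP/1.1. The self-signed certificate, the host name `edge.example`, the `net.Pipe` transport and the `NegotiatedALPN` function are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway certificate for the in-memory edge server
// (constructed for this example only).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "edge.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     []string{"edge.example"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// NegotiatedALPN models the CDN edge as a TLS server that offers h2 and
// http/1.1, performs one handshake with a client advertising clientProtos,
// and returns the protocol the server selected. A nil clientProtos sends no
// ALPN extension at all, which is what a browser does for a WebSocket.
func NegotiatedALPN(clientProtos []string) (string, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return "", err
	}
	// net.Pipe keeps the example offline; both raw ends are closed on return.
	srvRaw, cliRaw := net.Pipe()
	defer srvRaw.Close()
	defer cliRaw.Close()

	server := tls.Server(srvRaw, &tls.Config{
		Certificates:           []tls.Certificate{cert},
		NextProtos:             []string{"h2", "http/1.1"},
		SessionTicketsDisabled: true, // no post-handshake writes on the synchronous pipe
	})
	client := tls.Client(cliRaw, &tls.Config{
		ServerName:         "edge.example",
		InsecureSkipVerify: true, // self-signed test certificate; never do this against a real edge
		NextProtos:         clientProtos,
	})

	// Both sides must drive the handshake concurrently over an unbuffered pipe.
	srvErr := make(chan error, 1)
	go func() { srvErr <- server.Handshake() }()
	if err := client.Handshake(); err != nil {
		return "", err
	}
	if err := <-srvErr; err != nil {
		return "", err
	}
	return client.ConnectionState().NegotiatedProtocol, nil
}

func main() {
	cases := map[string][]string{
		"browser page load (h2 advertised)": {"h2", "http/1.1"},
		"HTTP/1.1 only":                     {"http/1.1"},
		"browser WebSocket (no ALPN)":       nil,
	}
	for name, protos := range cases {
		got, err := NegotiatedALPN(protos)
		fmt.Printf("%-35s -> edge chose %q (err=%v)\n", name, got, err)
	}
}
```

The practical takeaway matches the comment: a client that leaves `NextProtos` empty on its WebSocket dial never gives the edge a reason to pick `h2`, so the HTTP/1.1 upgrade request is answered in HTTP/1.1.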

@malikshi

> It should work: have Cloak on your origin server listening on port 80 with RedirectAddr pointing to a web server on another port. Set Cloudflare SSL/TLS to "Flexible". Set Cloak to CDN mode with server name = your Cloudflare-proxied domain.

Can we run it on ports 443 and 80?

@notsure2 (Contributor)

@malikshi yes you can, but Cloudflare always tries to use HTTPS to reach your server; you can run 2 Cloaks, one on port 80 and the other on 443 on your origin server.

@malikshi

> @malikshi yes you can, but Cloudflare always tries to use HTTPS to reach your server; you can run 2 Cloaks, one on port 80 and the other on 443 on your origin server.

So don't bind ports 443 and 80 in the same ckserver.json? Run 2 Cloak servers with different configs, is that what you mean?!

@notsure2 (Contributor)

Same config, no problem, but different ports, different instances.

@cbeuw cbeuw closed this as completed in 387b76d Jul 24, 2021
cbeuw added a commit that referenced this issue Jul 24, 2021
@HirbodBehnam (Contributor)

I've been trying to set up Cloak with Cloudflare but I couldn't do it. I thought maybe I'd come here and ask for help!
So here is my client config:

```json
{
	"Transport": "CDN",
	"ProxyMethod": "shadowsocks",
	"EncryptionMethod": "plain",
	"UID": "---",
	"PublicKey": "---",
	"ServerName": "my domain",
	"NumConn": 4,
	"BrowserSig": "firefox",
	"StreamTimeout": 300,
	"CDNOriginHost": "my domain (same as ServerName)"
}
```

And I run it using `.\ck-client.exe -c .\shadowsocks.json -s 'my domain' -p 2053`. 2053 is an HTTPS-routed port for Cloudflare. I also tried ports 2052 and 80, but that also didn't work.
For port 2053 I get `Failed to prepare connection to remote: failed to handshake: websocket: bad handshake` on the client side and `decryption/authentication faliure: cipher: message authentication failed` on the server side.
For ports 2052 and 80 I get `Failed to prepare connection to remote: tls: first record does not look like a TLS handshake` on the client side. I investigated this with Wireshark and it seems that Cloudflare is simply sending a bad request to me.
Can anyone tell me where my problem is? Also I'd like to note that SSL in Cloudflare is set to Flexible.
Thanks

@HaskellZhangSong

I used Cloudflare to proxy my server and tried to set the following in client.json:

```json
"Transport": "CDN",
"CDNOriginHost": "<My_domain>",
```

I followed the Readme, no magic. I just bind port 443 in the server config JSON file.
No magic.

@Saya47 commented Mar 16, 2023

Hello @cbeuw, can you tell us how to use Cloudflare Workers or a proxy with Cloak? Thanks a lot.

@abn0mad commented May 26, 2023

Hi all,

While I realise this isn't a particularly popular topic, it seems I've hit a wall on this one as well...

I have a custom domain registered with Cloudflare. I turned off all forms of security, turned off HTTP/3, TLS 1.3, etc. I created configuration rules and page rules to make sure every possible security, SSL/TLS, performance and other setting is turned off.

I have tried both Cloak with ports 80 and 443 enabled in a single instance, as well as separating them into individual instances.

Redirect and server names are all set to testing.myexampledomain.com

With the client at port 80, I get: `Failed to prepare connection to remote: tls: first record does not look like a TLS handshake`

With the client at port 443, I get either:

1. `Failed to prepare connection to remote: remote error: tls: handshake failure`
2. `Failed to prepare connection to remote: failed to handshake: websocket: bad handshake`

Having followed the readme, it seems I have followed through on all of the required settings save "HTTP Port 80" at Cloudflare's end, as I couldn't find such a setting.

The errors do imply that Cloudflare is forcing TLS regardless of the settings that have been applied on the Cloudflare Dashboard.

I did consider starting a Zero Trust Tunnel instead and having Cloak run on an internal IP address, but I haven't tried that yet. Surely a direct way must be possible somehow...?
