Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cloudflare security error #61

Open
WRFan opened this issue Apr 29, 2019 · 2 comments
Open

Cloudflare security error #61

WRFan opened this issue Apr 29, 2019 · 2 comments

Comments

@WRFan
Copy link

WRFan commented Apr 29, 2019
edited
Loading

Seems Proxydomo has some probs with pages protected by Cloudflare. When such a page is loaded, Cloudflare redirects to a security page, which then sets a security cookie, afterwards pages on that host can be accessed directly for a limited time. If I bypass Proxydomo it's working fine, but with Proxydomo the cookie gets never set, so I'm caught in an eternal loop, any request gets redirected to the security page. Here's an example:

https://authorzilla.com/assets/js/main.js

If Proxydomo is bypassed, the request looks like this (FF 67.0a1, but problem occurs in IE 11 too):

Request by browser:

Host: authorzilla.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6,de-DE;q=0.4,ru;q=0.2
Accept-Encoding: gzip, deflate, br
Referer: https://authorzilla.com/assets/js/main.js
DNT: 1
Connection: keep-alive
Cookie: __cfduid=d82473a0b1dbbc4a0541ed36a4e62307f1556511089
Upgrade-Insecure-Requests: 1
TE: Trailers

Reply by server:

HTTP/2.0 302 Found
date: Mon, 29 Apr 2019 04:11:39 GMT
content-type: text/html
content-length: 159
set-cookie: cf_clearance=3a73ca5060b15fad09d5cc8d7049838745a23166-1556511099-1800-150; path=/; expires=Mon, 29-Apr-19 05:41:39 GMT; domain=.authorzilla.com; HttpOnly
location: /assets/js/main.js
server: cloudflare
cf-ray: 4cee6ee34ef0235a-FRA
x-frame-options: SAMEORIGIN
X-Firefox-Spdy: h2

But if I use Proxydomo, it sends the following message to the browser (notice that the set-cookie header is missing) :

HTTP/1.0 200 Connection established
date: Mon, 29 Apr 2019 04:11:35 GMT
content-type: text/html
content-length: 159
location: /assets/js/main.js
server: cloudflare
cf-ray: 4cee6ec97c53235a-FRA
x-frame-options: SAMEORIGIN
X-Firefox-Spdy: h2

Maybe WolfSSL is outdated? I'm using Proxydomo 1.107 (WolfSSL 3.15.3)

Also, my FF list the following junk message for every page I access thru Proxydomo, it's annoying:

server does not support RFC 5746, see CVE-2009-3555

I checked WolfSSL website, they fixed this problem, it seems. Guess recompiling Proxydomo with the newest WolfSSL would fix this problem.
@amate
Copy link
Owner

amate commented May 3, 2019

The problem was not reproduced in my environment.
Proxydomo doesn't support HTTP/2, so there shouldn't be any HTTP/2 related messages coming from the server.

>>> ポート 62842 #359 : ブラウザ → Proxy(this)
GET /assets/js/main.js HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: ja-JP
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: authorzilla.com
Connection: Keep-Alive

>>> ポート 62842 #359 : Proxy(this) → サイト
GET /assets/js/main.js HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: ja-JP
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: authorzilla.com
Connection: Keep-Alive

>>> ポート 62842 #359 : Proxy(this) ← サイト
HTTP/1.1 503 Service Temporarily Unavailable
Date: Fri, 03 May 2019 21:41:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: __cfduid=d3e718ba7a21047b4dc118cf325aa54601556919700; expires=Sat, 02-May-20 21:41:40 GMT; path=/; domain=.authorzilla.com; HttpOnly; Secure
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 4d15667fd87eaf21-KIX

>>> ポート 62842 #359 : ブラウザ ← Proxy(this)
HTTP/1.1 503 Service Temporarily Unavailable
Date: Fri, 03 May 2019 21:41:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: __cfduid=d3e718ba7a21047b4dc118cf325aa54601556919700; expires=Sat, 02-May-20 21:41:40 GMT; path=/; domain=.authorzilla.com; HttpOnly; Secure
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Vary: Accept-Encoding
Server: cloudflare
CF-RAY: 4d15667fd87eaf21-KIX

I will raise the version of wolfssl in the next version.

@amate
Copy link
Owner

amate commented May 3, 2019

v1.108 wolfssl updated

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@amate @WRFan