Website blocked in India ; https://docs.pixelfed.org/ #80

Open
abhi4578 opened this issue Jan 8, 2022 · 3 comments

Comments

abhi4578 commented Jan 8, 2022

CloudFlare servers in India get MITMd by the network provider (Airtel ISP) if the upstream is GitHub Pages and configured without end-to-end TLS.

So I get the following with a padlock:
[screenshot: browser shows the padlock icon while the page content is the ISP block page]

Here's a detailed curl log:

```
curl -vvv https://docs.pixelfed.org
*   Trying 104.21.76.155:443...
* TCP_NODELAY set
* Connected to docs.pixelfed.org (104.21.76.155) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=pixelfed.org
*  start date: Jun  5 00:00:00 2021 GMT
*  expire date: Jun  4 23:59:59 2022 GMT
*  subjectAltName: host "docs.pixelfed.org" matched cert's "*.pixelfed.org"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x555c62223e30)
> GET / HTTP/2
> Host: docs.pixelfed.org
> user-agent: curl/7.68.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200 
< date: Sat, 08 Jan 2022 05:21:21 GMT
< content-type: text/html
< pragma: no-cache
< cache-control: no-cache
< cf-cache-status: DYNAMIC
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=JbNyelZ52h4ZSKnfhX0ZMHWv855HoqufbLcTonzlQ4%2BWIqYMoyvBwxt%2FoVX5v7xkDPkEjWWuiYbsYr%2FcSYyBFELYYBczPagh3Ln2QpwDgitpaX3ZRrDMy5%2B6VtDglxzL%2F70qpQ%3D%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 6ca2fb602a311dad-BLR
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
< 
* Connection #0 to host docs.pixelfed.org left intact
<meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0" /><style>body{margin:0px;padding:0px;}iframe{width:100%;height:100%}</style><iframe src="https://www.airtel.in/dot/" width="100%" height="100%" frameborder=0></iframe>
```

CloudFlare has known about this issue for years (actively hostile ISPs) and they don't seem to be doing anything about it. The two fixes here are:

  1. Switch from CloudFlare to direct GitHub Pages, which supports TLS now.
  2. Enable HTTPS on GitHub pages, and switch the upstream on CloudFlare to get strict SSL instead of flexible.

Reference for the fixes: https://github.com/captn3m0/hello-cloudflare/blob/main/README.md#help-my-website-is-blocked
Courtesy: @captn3m0
Similar issue: RockstarLang/codewithrockstar.com#11
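The transcript above is instructive because curl reports "SSL certificate verify ok." against a Cloudflare-issued certificate and still receives the ISP's block page: the client-to-Cloudflare leg is fine, the Cloudflare-to-origin leg is plain HTTP under Flexible SSL and that is where the Airtel page gets swapped in. The script below is an added example, not code from this issue, from Pixelfed or from captn3m0's write-up. It splits a `curl -v` transcript into the edge TLS evidence, the response headers and the body, then flags a body that is nothing but a full-page iframe to a third-party host. `ISSUE_LOG` is a trimmed copy of the transcript posted above; `CLEAN_LOG`, the `BLOCK_PAGE_HOSTS` list and the hostnames passed to `origin_tls_ok` are assumptions made for the demo.

```python
"""Separate 'the padlock is green' from 'the content came from the origin'.

Added example, not code from the pixelfed/docs issue or project.
"""
import socket
import ssl
import sys
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for the demo: hosts known to serve ISP (DoT) block pages.
BLOCK_PAGE_HOSTS = {"www.airtel.in"}

# Trimmed copy of the transcript posted in the issue.
ISSUE_LOG = """\
* Connected to docs.pixelfed.org (104.21.76.155) port 443 (#0)
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=pixelfed.org
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
> GET / HTTP/2
> Host: docs.pixelfed.org
>
< HTTP/2 200
< content-type: text/html
< cf-cache-status: DYNAMIC
< server: cloudflare
< cf-ray: 6ca2fb602a311dad-BLR
<
* Connection #0 to host docs.pixelfed.org left intact
<meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0" /><style>body{margin:0px;padding:0px;}iframe{width:100%;height:100%}</style><iframe src="https://www.airtel.in/dot/" width="100%" height="100%" frameborder=0></iframe>
"""

# Constructed transcript of what a healthy response would look like.
CLEAN_LOG = """\
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
< HTTP/2 200
< content-type: text/html; charset=utf-8
< server: cloudflare
<
<!DOCTYPE html><html><head><title>Pixelfed Docs</title></head><body>docs</body></html>
"""


class _IframeSrcs(HTMLParser):
    """Collect the src attribute of every <iframe> in a body."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)


def _is_curl_marker(line):
    # curl -v prefixes its own chatter with "* ", request lines with "> "
    # and response lines with "< "; an empty header line is just "<" or ">".
    return line in ("<", ">") or line.startswith(("< ", "> ", "*"))


def parse_curl_log(log):
    """Return (tls_info, response_headers, body) from a curl -v transcript."""
    tls, headers, body = {}, {}, []
    for line in log.splitlines():
        if not _is_curl_marker(line):
            body.append(line)  # anything curl did not prefix is payload
        elif line.startswith("*  subject:"):
            tls["subject"] = line.split(":", 1)[1].strip()
        elif line.startswith("*  issuer:"):
            tls["issuer"] = line.split(":", 1)[1].strip()
        elif line.startswith("*  SSL certificate verify"):
            tls["verify_ok"] = line.rstrip().endswith("verify ok.")
        elif line.startswith("< ") and ":" in line:
            name, value = line[2:].split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return tls, headers, "\n".join(body)


def classify(log, requested_host):
    """Verdict plus evidence: edge TLS verified? body framed from elsewhere?"""
    tls, headers, body = parse_curl_log(log)
    p = _IframeSrcs()
    p.feed(body)
    foreign = {urlsplit(s).hostname for s in p.srcs} - {requested_host, None}
    if foreign & BLOCK_PAGE_HOSTS:
        verdict = "isp-block-page"
    elif foreign:
        verdict = "framed-third-party"
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "edge_tls_verified": tls.get("verify_ok", False),
        "edge_cert_issuer": tls.get("issuer", ""),
        "server": headers.get("server", ""),
        "framed_hosts": sorted(foreign),
    }


def origin_tls_ok(connect_host, site_host, timeout=5):
    """Precondition for fix 2 (Full (strict)): the origin must present a valid
    certificate for the site's hostname. Performs a real handshake, so it is
    only run from main, never from the offline checks."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((connect_host, 443), timeout=timeout) as s:
            with ctx.wrap_socket(s, server_hostname=site_host):
                return True
    except (OSError, ssl.SSLError):
        return False


if __name__ == "__main__":
    for name, log in (("issue", ISSUE_LOG), ("clean", CLEAN_LOG)):
        print(name, classify(log, "docs.pixelfed.org"))
    if len(sys.argv) == 3:  # e.g. <origin IP or CNAME target> docs.pixelfed.org
        print("origin TLS ok:", origin_tls_ok(sys.argv[1], sys.argv[2]))
```

The verdict for the issue's transcript is `isp-block-page` with `edge_tls_verified` set to `True` and a Cloudflare issuer, which is exactly the combination that tells you the tampering sits behind the CDN rather than in front of it. Before flipping Cloudflare to Full (strict), run `origin_tls_ok` against the origin with the site hostname as SNI; if that fails, strict mode will turn the injected page into a 526 error rather than into the real docs.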

abhi4578 commented Jan 8, 2022

Also including the Pixelfed docs website in the public letter addressed to Cloudflare at https://github.com/captn3m0/hello-cloudflare through the PR captn3m0/hello-cloudflare#7.

abhi4578 commented Jan 8, 2022

> CloudFlare servers in India get MITMd by the network provider (Airtel ISP) if the upstream is GitHub Pages and configured without end-to-end TLS.

I have made an assumption that the docs are hosted using GitHub Pages, based on this line of code:

docs/deploy.sh, line 18 in 7fbf364:

```sh
git push -f https://github.com/pixelfed/docs.git main:gh-pages
```

Even if it's not, the problem still persists and is due to the above fact: most likely Flexible TLS is being used between Cloudflare and the docs.pixelfed.org site.

abhi4578 commented Jan 8, 2022

Also this from the repo front page, showing the environment: https://github.com/pixelfed/docs and https://github.com/pixelfed/docs/deployments

[screenshot: the repository's Environments panel showing a github-pages deployment]
