bottlesdevs/website

Blocked in India

captn3m0 opened this issue · 9 comments

Since the website uses CloudFlare and is hosted by GitHub Pages, it is blocked in India, because CloudFlare uses Airtel as a snoopy upstream.

Reported first on HN: https://news.ycombinator.com/item?id=29613739

Please enable TLS on GitHub Pages, and enable Strict SSL on CloudFlare to resolve this issue. You can also switch away from CloudFlare as an alternative, and directly host on GitHub Pages, now that it supports SSL.

Here is a curl log for verification (run on Digital Ocean BLR1 region):

curl https://usebottles.com/
<meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0"/><style>body{margin:0px;padding:0px;}iframe{width:100%;height:100%}</style><iframe src="https://www.airtel.in/dot/" width="100%" height="100%" frameborder=0></iframe>nemo@sydney:~$
nemo@sydney:~$ curl https://usebottles.com/ -vvv
*   Trying 104.21.92.184...
* TCP_NODELAY set
* Connected to usebottles.com (104.21.92.184) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Nov  5 00:00:00 2021 GMT
*  expire date: Nov  4 23:59:59 2022 GMT
*  subjectAltName: host "usebottles.com" matched cert's "usebottles.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* Using Stream ID: 1 (easy handle 0x55fd9e857600)
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> GET / HTTP/2
> Host: usebottles.com
> User-Agent: curl/7.58.0
> Accept: */*
>
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< HTTP/2 200
< date: Fri, 07 Jan 2022 13:44:09 GMT
< content-type: text/html
< pragma: no-cache
< cache-control: no-cache
< cf-cache-status: DYNAMIC
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=epsoeo8Zhn6roYsWQrDPiF57v%2B3K4qYTIKsGkbeZOkNP%2BFml0gPYVUMBvvYInNYYhTyB18MjT1A%2FSTGfMt2wj%2B3GVh%2FqLgNt33H1mYPbxNdwj9PP8xXxVLm0eycQ8jpGrg%3D%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 6c9d9e848c2826b9-BLR
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
<
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection #0 to host usebottles.com left intact
<meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0"/><style>body{margin:0px;padding:0px;}iframe{width:100%;height:100%}</style><iframe src="https://www.airtel.in/dot/" width="100%" height="100%" frameborder=0></iframe>
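The body returned in the curl log above is not the Bottles site at all: it is a near-empty HTML shell whose only content is a full-size iframe pointing at `https://www.airtel.in/dot/`. A site operator who wants to notice this kind of in-path substitution from a monitoring vantage point can classify a fetched body on exactly that shape. The script below is an added example written for this page, not code from the issue thread or the Bottles project. The sample bodies are constructed from the log, and `analyze_response`, its threshold argument and the "blocked" criteria are this example's own assumptions.

```python
"""Classify an HTTP response body as a probable ISP-injected block page.

Added example, not part of the bottlesdevs/website issue. Criteria (assumed,
derived from the curl log in the issue):
  * the document carries no visible text of its own (style/script bodies
    are ignored), and
  * it embeds exactly one iframe whose host differs from the requested host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect iframe src attributes and count visible (non-style, non-script) text."""

    def __init__(self):
        super().__init__()
        self.iframe_srcs = []
        self.text_chars = 0
        self._in_raw = False  # inside <style> or <script>

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._in_raw = True
        elif tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.iframe_srcs.append(src)

    def handle_endtag(self, tag):
        if tag in ("style", "script"):
            self._in_raw = False

    def handle_data(self, data):
        if not self._in_raw:
            self.text_chars += len(data.strip())


def analyze_response(requested_url, body, max_visible_chars=0):
    """Return {'blocked': bool, 'iframe_hosts': [...], 'visible_chars': int}.

    `requested_url` is the URL the monitor asked for; `body` is the HTML it got.
    """
    requested_host = urlparse(requested_url).hostname or ""
    parser = _IframeCollector()
    parser.feed(body)
    parser.close()
    foreign_hosts = [
        urlparse(src).hostname
        for src in parser.iframe_srcs
        if (urlparse(src).hostname or "") not in ("", requested_host)
    ]
    blocked = (
        parser.text_chars <= max_visible_chars
        and len(parser.iframe_srcs) == 1
        and len(foreign_hosts) == 1
    )
    return {
        "blocked": blocked,
        "iframe_hosts": foreign_hosts,
        "visible_chars": parser.text_chars,
    }


# Constructed sample bodies: the first is the block page from the curl log,
# the second is a stand-in for an ordinary static site response.
BLOCK_PAGE = (
    '<meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0"/>'
    "<style>body{margin:0px;padding:0px;}iframe{width:100%;height:100%}</style>"
    '<iframe src="https://www.airtel.in/dot/" width="100%" height="100%" frameborder=0></iframe>'
)
NORMAL_PAGE = (
    "<html><head><title>Bottles</title></head>"
    "<body><h1>Bottles</h1><p>Run Windows software on Linux.</p></body></html>"
)


if __name__ == "__main__":
    for label, body in (("block page", BLOCK_PAGE), ("normal page", NORMAL_PAGE)):
        print(label, analyze_response("https://usebottles.com/", body))
```

Because the substitution happens between the TLS-terminating edge and the origin, the client-side certificate check in the log still passes; that is why a body-level check like this one, run from affected regions, is what surfaces the problem, and why the thread's fix is to make the edge-to-origin hop use validated TLS (Cloudflare "Full (strict)") or to serve directly from an origin the operator controls.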

Wrote a letter to CloudFlare detailing the issue: https://github.com/captn3m0/hello-cloudflare

Hi!
At the moment we can't directly put GitHub Pages as the domain root site because, being a CNAME record, it can't be set that way (see RFC 2181).

Despite this I will set cloudflare with strict ssl

By the way, we are migrating everything to DNS and web servers in Germany and Canada (we will use Cogent, Telia and HE as peers).

Getting a Linode instance, and no longer blocked 🎉

Woo! Nice, I will post updates for the DNS and the main website. By the way, thanks for the rapid feedback.

I have updates, here you can find a small recap:

  • Moved from Cloudflare to our own nameservers (Frankfurt and Canada)
  • Moved the main website from GitHub and Cloudflare to Linode with the Caddy web server (you can find a git version of the site here)