Website blocked in India ; https://docs.pixelfed.org/
abhi4578 opened this issue · 3 comments
CloudFlare servers in India get MITMd by the network provider (Airtel ISP) if the upstream is GitHub Pages and configured without end-to-end TLS.
So I get the following with a padlock:
Here's a detailed curl log:
```
curl -vvv https://docs.pixelfed.org
* Trying 104.21.76.155:443...
* TCP_NODELAY set
* Connected to docs.pixelfed.org (104.21.76.155) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=pixelfed.org
* start date: Jun 5 00:00:00 2021 GMT
* expire date: Jun 4 23:59:59 2022 GMT
* subjectAltName: host "docs.pixelfed.org" matched cert's "*.pixelfed.org"
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x555c62223e30)
> GET / HTTP/2
> Host: docs.pixelfed.org
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Sat, 08 Jan 2022 05:21:21 GMT
< content-type: text/html
< pragma: no-cache
< cache-control: no-cache
< cf-cache-status: DYNAMIC
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=JbNyelZ52h4ZSKnfhX0ZMHWv855HoqufbLcTonzlQ4%2BWIqYMoyvBwxt%2FoVX5v7xkDPkEjWWuiYbsYr%2FcSYyBFELYYBczPagh3Ln2QpwDgitpaX3ZRrDMy5%2B6VtDglxzL%2F70qpQ%3D%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 6ca2fb602a311dad-BLR
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
<
* Connection #0 to host docs.pixelfed.org left intact
<meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0" /><style>body{margin:0px;padding:0px;}iframe{width:100%;height:100%}</style><iframe src="https://www.airtel.in/dot/" width="100%" height="100%" frameborder=0></iframe>
```
CloudFlare has known about this issue for years (actively hostile ISPs) and they don't seem to be doing anything about it. The two fixes here are:
- Switch from CloudFlare to direct GitHub Pages, which supports TLS now.
- Enable HTTPS on GitHub pages, and switch the upstream on CloudFlare to get strict SSL instead of flexible.
Reference for the fixes: https://github.com/captn3m0/hello-cloudflare/blob/main/README.md#help-my-website-is-blocked
Courtesy: @captn3m0
Similar issue: RockstarLang/codewithrockstar.com#11
Also including the Pixelfed docs website in the public letter addressed to Cloudflare at https://github.com/captn3m0/hello-cloudflare, through PR captn3m0/hello-cloudflare#7.
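A detection check for the symptom described in this issue, added here as an example (not code from the issue or from the Pixelfed project): it takes the response body and selected headers exactly as captured in the curl log above and flags a response that consists of nothing but a full-page iframe to a foreign origin, which a valid padlock cannot rule out. The two-label domain comparison in `_site` is a simplification assumed for the example.

```python
"""Flag an ISP block page injected behind a CDN (added example, not from the issue).
With Cloudflare "flexible" SSL the Cloudflare->origin hop is plaintext, so an ISP can
replace the body with a full-page <iframe> of its block page while the browser still
shows a valid padlock. The certificate proves nothing; the body must be inspected."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Body and selected headers exactly as captured in the curl log in this issue.
INJECTED_BODY = (
    '<meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0" />'
    '<style>body{margin:0px;padding:0px;}iframe{width:100%;height:100%}</style>'
    '<iframe src="https://www.airtel.in/dot/" width="100%" height="100%" frameborder=0></iframe>'
)
INJECTED_HEADERS = {"content-type": "text/html", "cache-control": "no-cache",
                    "cf-cache-status": "DYNAMIC", "server": "cloudflare"}

class _BodyScan(HTMLParser):
    """Collect iframe src values and note whether any visible text exists."""
    def __init__(self):
        super().__init__()
        self.iframes, self.has_text, self._skip = [], False, False
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs).get("src") or "")
        elif tag in ("style", "script"):
            self._skip = True  # CSS/JS text is not visible page content
    def handle_endtag(self, tag):
        if tag in ("style", "script"):
            self._skip = False
    def handle_data(self, data):
        if not self._skip and data.strip():
            self.has_text = True

def _site(host):
    # Assumed simplification: registrable domain ~ last two labels, no PSL lookup.
    return ".".join(host.lower().split(".")[-2:])

def detect_injected_block_page(requested_host, headers, body):
    """Return indicator strings; an empty list means the body looks like real content."""
    scan = _BodyScan()
    scan.feed(body)
    scan.close()
    foreign = [src for src in scan.iframes
               if _site(urlsplit(src).hostname or "") != _site(requested_host)]
    indicators = []
    if foreign and not scan.has_text:
        indicators.append("body is only a full-page iframe to a foreign origin: " + foreign[0])
        if headers.get("cf-cache-status", "").upper() == "DYNAMIC":
            indicators.append("cf-cache-status DYNAMIC: body came via the origin hop, not CDN cache")
    return indicators
```

Running the check periodically from inside the affected network and alerting on a non-empty result catches the substitution even though every TLS check in the curl log passes.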
Have made an assumption that the docs are hosted using GitHub Pages, based on this line of code:
Line 18 in 7fbf364
Even if it's not, the problem still persists and is due to the above fact: most likely flexible TLS is in use between Cloudflare and the docs.pixelfed.org site.
Also this from the repo front page, showing the environment: https://github.com/pixelfed/docs and https://github.com/pixelfed/docs/deployments