<!DOCTYPE html>
<html lang="en-us">
<head>
	<meta charset="utf-8">
	<meta name="generator" content="Hugo 0.18.1" />
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<link rel="stylesheet" href="/assets/css/theme.css">
	<link rel="alternate" href="/rss.xml" type="application/rss+xml" title="Pleasant Programmer">
	<script type="text/javascript" src="//use.typekit.net/iwm5axp.js"></script>
	<script type="text/javascript">try{Typekit.load();}catch(e){}</script>
	<title>Cloudflare Shenanigans - Pleasant Programmer</title>
</head>
<body>
	<header id="header" role="banner">
		<div id="thomas">
			<img src="/assets/img/thomas.gif" alt="DJ THOMAS IN DA HAUS">
			<img src="/assets/img/thomas.png" alt="Pleasant Programmer">
		</div>
		<h1 class="site-title"><a href="/">Pleasant Programmer</a></h1>
		<nav id="menu" role="navigation">
			<ul>
				<li class="twitter">
					<a href="http://twitter.com/pleasantprog">@pleasantprog</a>
				</li>
				<li><a href="/posts.html">archives</a></li>
				<li><a href="/tags.html">tags</a></li>
				<li><a href="/rss.xml">rss</a></li>
			</ul>
		</nav>
	</header>
	<div id="container">
<main id="content" role="main">
<article itemscope itemtype="http://schema.org/BlogPosting">
	<h1 class="p-name entry-title" itemprop="headline name">
		<a href="/posts/cloudflare-shenanigans.html">Cloudflare Shenanigans</a>
	</h1>
	<small>
		<span class="dateline">Posted: <time itemprop="datePublished" datetime="2015-12-25">2015-12-25</time></span>
		| More posts about
		<a class="tag p-category" href="/tags/sysadmin.html" rel="tag">
			sysadmin
		</a>
		<a class="tag p-category" 
href="/tags/cloudflare.html" rel="tag">
			cloudflare
		</a>
	</small>
	<div class="e-content entry-content" itemprop="entry-text">
		<p>An old client of ours managed to convince a telco to zero-rate the data for their app. To whitelist it, though, the telco could only match on the domain name if we used plain HTTP; for HTTPS, they could only whitelist by IP address. Like any good developer, we were using HTTPS. Also like any good developer, we had put our server behind Cloudflare.</p>
<p>Now the problem is that Cloudflare can put you behind <a href="https://www.cloudflare.com/ips/">any IP address in their published ranges</a>, which is a huge range, and there’s no guarantee that the IP we have now will be the same later on. So we did the reasonable thing and asked the telco to whitelist all of the Cloudflare IPs. And they agreed! We were in total disbelief when that happened. But hey, if life gives you free internet, you take it.</p>
<p>We never empirically tested whether other sites hosted on Cloudflare were zero-rated too, but I like to think that we saved a lot of people data costs browsing Reddit and 4chan. Alas, good things must come to an end.</p>
<p>A few months after we started beta testing the app, Cloudflare added more IPs to their ranges and, unfortunately, our server got moved to those new IPs, which the telco had not whitelisted yet. Apparently the telco’s whitelisting process was incredibly convoluted and time consuming, so our client didn’t want to bother asking them to whitelist more IPs. We also tried asking Cloudflare to move us back to the original IP range, but they could only do that for customers on their enterprise tier. We couldn’t really afford that, so we looked for other options.</p>
<p>Since Cloudflare is essentially just a giant reverse proxy, there should theoretically be no distinction between one of its IP addresses and another. The specific IP we get is probably just for load balancing.
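</p>
<p>To make the reverse-proxy point concrete, here is an added example; it is not code from the post or from the client’s app, and every hostname, response body and port in it is constructed. A toy edge listens on one loopback address, serves several customers, and picks the origin purely from the Host header, which is the behaviour the post relies on. <code>fetch_via_edge</code> is the plain-HTTP form of the trick: connect to any edge address and name the real site in the Host header. <code>https_get_via_ip</code> is the HTTPS form done without borrowing another customer’s domain: the TCP connection goes to a chosen edge IP, but SNI and certificate hostname verification still use the real hostname, which is what <code>curl --resolve</code> does. It assumes, as is the case with Cloudflare, that the edge selects the certificate by SNI, and it needs network access, so the offline demo does not call it.</p>

```python
import http.client
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a shared edge such as Cloudflare: one listening
# address serves many customers and picks the origin purely from the Host
# header.  Hostnames and bodies are made up for this example.
ORIGINS = {
    "backend.client.com": b"hello from the real backend",
    "4chan.org": b"some other customer's site",
}


class EdgeHandler(BaseHTTPRequestHandler):
    """Routes a request by Host header alone; the address it arrived on is
    irrelevant, which is why any edge IP (or any edge hostname) works."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = ORIGINS.get(host)
        status = 200 if body is not None else 404
        if body is None:
            body = b"no customer for this Host"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_edge():
    """Start the toy edge on a random loopback port; returns the server."""
    srv = HTTPServer(("127.0.0.1", 0), EdgeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_via_edge(edge_ip, edge_port, host_header, path="/"):
    """Plain-HTTP version of the post's trick: connect to whichever edge
    address you like and name the real site in the Host header."""
    conn = http.client.HTTPConnection(edge_ip, edge_port, timeout=5)
    conn.putrequest("GET", path, skip_host=True)
    conn.putheader("Host", host_header)
    conn.endheaders()
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


def demo_routing():
    """Three requests to the same edge address, differing only in Host."""
    srv = start_edge()
    ip, port = srv.server_address
    try:
        return {
            host: fetch_via_edge(ip, port, host)
            for host in ("backend.client.com", "4chan.org", "nobody.example")
        }
    finally:
        srv.shutdown()
        srv.server_close()


def https_get_via_ip(hostname, edge_ip, path="/", port=443):
    """The HTTPS case done right: the TCP connection goes to a chosen edge
    IP, but SNI and certificate hostname verification use `hostname`, so
    the edge presents the certificate for that name and a forged or
    mismatched one is rejected.  Equivalent to
    `curl --resolve hostname:443:edge_ip https://hostname/`.  Needs network
    access; not exercised by the offline demo above."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    raw = socket.create_connection((edge_ip, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=hostname)
    conn = http.client.HTTPSConnection(hostname, port, timeout=10)
    conn.sock = tls  # reuse the already-verified socket
    try:
        conn.request("GET", path)  # Host: hostname is added automatically
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    for host, (status, body) in demo_routing().items():
        print(f"Host: {host:20} -> {status} {body!r}")
```

<p>Run it directly and the three requests to the same address come back as the backend, the other customer and a 404, differing only in their Host header. The contrast worth noting is the trust boundary: the Host-header trick over HTTPS to another customer’s domain validates that customer’s certificate, while <code>https_get_via_ip</code> validates the name you actually want to talk to.</p>
<p>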
So we tried accessing the IPs in the range directly while setting the Host header, and it worked! But we got SSL errors, because the IP itself has no certificate: the client checks the certificate against the address it was given, and Cloudflare’s certificate is issued for hostnames, not for a bare edge IP.</p>
<p>After more testing, we figured out that you could actually use any Cloudflare-backed domain, so long as we properly set the Host header. We just needed to find one still in the old range. Coincidentally, 4chan.org was, which led to this wonderful commit:</p>
<div class="highlight" style="background: #f8f8f8"><pre style="line-height: 125%"><span></span>commit 123456789abcdef
Author: ~~~~~~
Date:   ~~~~~~

    4chan hack

<span style="color: #000080; font-weight: bold">diff --git a/src/com/client/common/Util.java b/src/com/client/common/Util.java</span>
<span style="color: #A00000">--- a/src/com/client/common/Util.java</span>
<span style="color: #00A000">+++ b/src/com/client/common/Util.java</span>
<span style="color: #800080; font-weight: bold">@@ -210,7 +210,8 @@ public class Util {</span>
        }
        public static String getServerAddress(Context context) {
<span style="color: #A00000">-               String address = "https://backend.client.com";</span>
<span style="color: #00A000">+               // String address = "https://backend.client.com";</span>
<span style="color: #00A000">+               String address = "https://4chan.org";</span>
                if(!isDebug(context)) return address;
                try {
<span style="color: #000080; font-weight: bold">diff --git a/src/com/client/common/logging/APIClient.java b/src/com/client/common/logging/APIClient.java</span>
<span style="color: #A00000">--- a/src/com/client/common/logging/APIClient.java</span>
<span style="color: #00A000">+++ b/src/com/client/common/logging/APIClient.java</span>
<span style="color: #800080; font-weight: bold">@@ -101,6 +101,7 @@ public class APIClient {</span>
        private HttpResponse postInternal(String url, List&lt;NameValuePair&gt; data, boolean forRegistration) throws ClientProtocolException, IOException {
                HttpPost request = new HttpPost(Util.getServerAddress(mContext)+"/api/"+url);
                request.setHeader("X-API-VERSION", apiVersion);
<span style="color: #00A000">+               request.setHeader("Host", "backend.client.com");</span>
                if(data == null) {
                        data = new ArrayList&lt;NameValuePair&gt;();
</pre></div>
<p>Review bot: in the Util.java hunk, the new <code>String address = "https://4chan.org";</code> sits above <code>if(!isDebug(context)) return address;</code>, so release builds hard-code a third party’s hostname as the production endpoint, and the TLS certificate the app verifies is now the one for 4chan.org rather than backend.client.com: anyone who can obtain a certificate for 4chan.org, or redirect its DNS, can intercept this backend’s traffic, and the workaround stops working the moment 4chan.org leaves the whitelisted range. Keep the real URL as the default, put the override behind one named, commented constant that states why it exists, and drop the commented-out line instead of leaving both.</p>
<p>Review bot: in the APIClient.java hunk, the <code>request.setHeader("Host", "backend.client.com");</code> override lives only in <code>postInternal</code>, so any request this client builds from <code>Util.getServerAddress()</code> without going through this method is sent to 4chan.org’s own site with Host: 4chan.org. Setting the header where every request is constructed, or in a request interceptor, keeps the two edits from drifting apart, and a test asserting the Host header on each outgoing request would catch a missed path.</p>
<p>Eventually, we decided to just abandon Cloudflare for the server. We probably weren’t going to be the target of a DDoS or anything. This also allowed us to do more secure things, like pinning the server certificate in the application itself, which isn’t practical behind Cloudflare, since the certificate the app sees there is Cloudflare’s edge certificate rather than one we control. Clearly, this is what we should have done in the first place, but at the time we just wanted a stopgap solution.</p>
<p>I still find it funny that we were making people’s phones go to 4chan.org every day for more than a year.</p>
	</div>
	<aside class="postpromonav">
		<nav>
			<ul class="pager clearfix">
				<li class="previous">
					<a href="/posts/tiddlywiki-in-the-sky-or-tiddlyweb-for-tw5.html" rel="prev" title="TiddlyWiki in the Sky (or TiddlyWeb for TW5)">← Previous post</a>
				</li>
				<li class="next">
					<a href="/posts/haproxy-charset.html" rel="next" title="Haproxy Charset">Next post →</a>
				</li>
			</ul>
		</nav>
	</aside>
	<section class="comments">
		<div id="disqus_thread"></div>
<script type="text/javascript">
var disqus_shortname = 'pleasantprog';
var disqus_url = 'http:\/\/pleasantprogrammer.com\/posts\/cloudflare-shenanigans.html';
var disqus_title = 'Cloudflare Shenanigans';
var disqus_identifier = 'cache/posts/cloudflare-shenanigans.html';
(function() {
    var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
    dsq.src = '//' + disqus_shortname + '.disqus.com/embed.js';
    (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
})();
</script>
<noscript>Please enable JavaScript to view the <a href="http://disqus.com/?ref_noscript">comments powered by 
Disqus.</a></noscript>
<a href="http://disqus.com" class="dsq-brlink">comments powered by <span class="logo-disqus">Disqus</span></a>
	</section>
</article>
</main>
	<footer id="footer" role="contentinfo">
		<p>
		<a rel="license" href="http://creativecommons.org/licenses/by-sa/3.0/deed.en_US">
			<img alt="CC-BY-SA" style="border-width:0" src="https://licensebuttons.net/l/by-sa/3.0/80x15.png">
		</a> © 2017 Thomas Dy - Powered by <a href="http://gohugo.io">Hugo</a></p>
	</footer>
</div>
<script src="/assets/js/konami.js"></script>
<script>
var easter_egg = new Konami();
easter_egg.code = function() {
	var el = document.getElementById('thomas');
	if(el.className == "whoa") {
		el.className = "";
	}
	else {
		el.className = "whoa";
	}
	document.body.scrollTop = document.documentElement.scrollTop = 0;
}
easter_egg.load();
</script>
</body>
</html>