Cloudflare on Ricky

Convert Cloudflare WARP to an HTTP Proxy

Wed, 06 Nov 2024 17:47:06 +0800

Convert Cloudflare WARP to an HTTP Proxy

warp-cli proxy port 60606
warp-cli mode proxy

However, Go programs do not support SOCKS proxies, and I don’t want to manually add a transport.

The good news is that Go respects the http_proxy environment variable by default. So we need to convert the SOCKS proxy to an HTTP proxy.

pproxy -v -l http://127.0.0.1:8118 -r socks5://127.0.0.1:60606

https_proxy=http://127.0.0.1:8118 http_proxy=http://127.0.0.1:8118 curl ipv4.win
curl: (52) Empty reply from server

# pproxy logs
Serving on ipv? 127.0.0.1:8118 by http
http 127.0.0.1:45012 -> socks5 127.0.0.1:60606 -> ipv4.win:80
Unknown remote protocol from 127.0.0.1

Maybe it’s a pproxy issue, so try gost.

Hide Within Cloudflare's Global Network

Thu, 01 Aug 2024 14:35:24 +0800

Hide Within Cloudflare’s Global Network

One approach is to use Cloudflare WARP, running WARP in proxy mode instead of taking over global traffic.

warp-cli register
# WARP listens on local port 11111
warp-cli set-proxy-port 11111

# WARP proxy mode
warp-cli set-mode proxy

# Always on
warp-cli enable-always-on

https_proxy=socks5://127.0.0.1:11111 http_proxy=socks5://127.0.0.1:11111 go run main.go

Another approach is to use Cloudflare Workers, with requests forwarded by Workers.

export default {
 async fetch(request: Request): Promise {
 /**
 * Replace `remote` with the host you wish to send requests to
 */
 const remote = "https://example.com";

 return await fetch(remote, request);
 },
};

WebP Cloud uses Cloudflare Workers to fetch content from the origin server in order to protect the origin server and start providing origin fetch time information.

Sun, 09 Jun 2024 10:49:45 +0800

WebP Cloud uses Cloudflare Workers to fetch content from the origin server in order to protect the origin server and start providing origin fetch time information.

Cloudflare Zero Trust

Tue, 26 Sep 2023 09:01:00 +0800

1. Set up the client

Create device enrollment rules

Create device enrollment rules to determine which devices can enroll to Zero Trust organization.

Set device enrollment permissions

In Zero Trust, go to Settings > WARP Client > Device enrollment > Device enrollment permissions > Manage.
Rules > Policies > Add a rule > Include > Selector > Emails ending in > Value > @ruru910.com.

2. Route private network IPs through WARP

In Zero Trust, go to Settings > WARP Client > Device settings > Profile settings > Profile name > Default > Configure.
Configure settings:
1. Enabled: Captive portal detection, Mode switch, Allow device to leave organization, Allow updates.
2. Service mode: Gateway with WARP.
3. Local Domain Fallback > Manage > Domain > nas.ruru910.com.
4. Split Tunnels: Exclude IPs and domains > Manage.
  - Delete the IP range of nas.ruru910.com.

3. Filter network traffic with Gateway

1. Enable the Gateway proxy

In Zero Trust, go to Settings > Network.
1. Gateway Logging: Capture all.
2. Firewall: Proxy(TCP, UDP, ICMP), WARP to WARP, AV inspection.

2. Create Zero Trust policies

Go to Access > Applications > Add an application > Private Network > Application Type > Destination IP.
For Value, enter the IP address for your application (for example, 10.128.0.7).
Modify policy > identify > Selector > User Email > in > @ruru910.com.

Cloudflare Tunnel on Synology

Mon, 25 Sep 2023 22:01:00 +0800

CLOUDFLARE tunnel on SYNOLOGY. (the raw way)

Setup Synology

Create a directory in docker directory, such as cloudflare-tunnel.
Download cloudflared/cloudflared image to registry.
ssh to admin@synology
Change cloudflare-tunnel owner, sudo chown -R 65532:65532 /volume1/docker/cloudflare-tunnel.

Run containers

- `cloudflared tunnel login`

Run container and mount volume docker/cloudflare-tunnel:/home/nonroot/.cloudflared.
Select Use the same network as Docker Host in network tab.
Add command tunnel login in envorinment tab.
Go to container log, and copy login url.
Paste url to browser and authorize the zone.
Export the container setting json to the directory cloudflare-tunnel.

- `cloudflared tunnel create synology-tunnel`

Edit the container setting json in the the directory cloudflare-tunnel, modify cmd. tunnel create synology-tunnel.
Import the container setting json and run a new container.
The container will stop and create tunnel config json in cloudflare-tunnel.
Create config.yml and write ingress rules.
In config.yml, tunnel value is the same as the tunnel config json name, and credentials-file is /home/nonroot/.cloudflared/tunnel config json
Export the second container setting json to the directory cloudflare-tunnel.

- `cloudflared tunnel route dns synology-tunnel synology.ruru910.com`

Edit the second container setting json in the the directory cloudflare-tunnel, modify cmd. tunnel route dns synology-tunnel synology.ruru910.com.
Import the second container setting json and run a new container.
The container will stop and create a dns record mapping domain to the tunnel.

- `cloudflared tunnel run synology-tunnel`

Edit the second container setting json in the the directory cloudflare-tunnel, modify cmd. tunnel run synology-tunnel.
Import the second container setting json and run a new container.
The tunnel now is connectable.

Cloudflare Traffic sequence

Wed, 03 Nov 2021 13:11:29 +0800

Traffic sequence

Traffic to your application runs through the following sequence on Cloudflare’s edge:

DDoS
URL Rewrites
Page Rules
IP Access Rules
Bots
Firewall Rules
Rate Limiting
Managed Rules
Header Modification
Access
Workers