Security Tips

ihc童鞋@提不起劲 edited this page Feb 19, 2023 · 1 revision

SNI Proxy Issue

The shadow-tls server supports dispatching by SNI, and it acts as an SNI proxy for clients that do not pass verification.

Users can configure it as a mapping, for example: cloudflare.com:1.1.1.1:443;captive.apple.com;cloud.tencent.com. The last entry is the fallback: if the SNI matches none of the preceding entries, the last one is selected as the handshake server. In the example above, cloud.tencent.com is the fallback address.

This feature can be used to:

  1. Support users who use multiple SNIs at the same time (for example, some SNIs to bypass a firewall and some to bypass a billing system).
  2. Forward all normal requests to nginx (so shadow-tls and personal sites can share the same port).

But this may also bring some security issues:

  1. It can be used by others as a forward proxy. For example, if you use 1.1.1.1 as the fallback address, Cloudflare users can resolve their domain to your IP, and you may end up paying for the traffic and computation.
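To make the dispatch and fallback behaviour concrete, here is an added example (not shadow-tls's own code) that parses a mapping in the format shown above and selects the handshake server for a given SNI. It assumes that an entry without an explicit host:port handshakes with the SNI name itself on port 443, and that SNI comparison is case-insensitive; the point it shows is that any SNI not in the table, including one nobody on your side chose, lands on the fallback, which is why a fallback you do not control (such as a public resolver) turns the server into a forward proxy for whoever points a name at it.

```rust
// Added example, not part of shadow-tls: models SNI dispatch with a fallback entry.
#[derive(Debug, Clone, PartialEq)]
pub struct Upstream {
    pub sni: String,
    pub addr: String, // "host:port" the server handshakes with
}

/// Parse "sni[:host:port];sni2;..." into an ordered table; the last entry is the fallback.
pub fn parse_tls_names(spec: &str) -> Vec<Upstream> {
    spec.split(';')
        .filter(|s| !s.trim().is_empty())
        .map(|entry| {
            // Split only on the first ':' so "1.1.1.1:443" stays intact as host:port.
            let mut parts = entry.trim().splitn(2, ':');
            let sni = parts.next().unwrap().to_string();
            let addr = match parts.next() {
                Some(hp) => hp.to_string(),      // explicit "host:port"
                None => format!("{}:443", sni),  // assumption: default to SNI name on 443
            };
            Upstream { sni, addr }
        })
        .collect()
}

/// Pick the handshake server for an SNI. An unknown or absent SNI goes to the
/// fallback, so the fallback should be a host you own rather than a third party.
pub fn select_upstream<'a>(table: &'a [Upstream], sni: Option<&str>) -> Option<&'a Upstream> {
    let fallback = table.last()?;
    let chosen = match sni {
        // assumption: hostnames compare case-insensitively, as DNS names do
        Some(name) => table
            .iter()
            .find(|u| u.sni.eq_ignore_ascii_case(name))
            .unwrap_or(fallback),
        None => fallback,
    };
    Some(chosen)
}

fn main() {
    let table = parse_tls_names("cloudflare.com:1.1.1.1:443;captive.apple.com;cloud.tencent.com");
    // "unknown.example" is a constructed SNI that no entry matches; it hits the fallback.
    for sni in [Some("cloudflare.com"), Some("captive.apple.com"), Some("unknown.example"), None] {
        let u = select_upstream(&table, sni).unwrap();
        println!("SNI {:?} -> handshake with {}", sni, u.addr);
    }
}
```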