SNI Proxy: quickly deploy a certificate-free reverse proxy for website access

We all know that nginx's reverse-proxy capability can be used to reach sites across the border, but that approach has many constraints: login authentication is hard to get right, a separate substitution module has to be compiled in, a validly signed SSL certificate is required, and so on.

This time we introduce another useful tool, SNI Proxy. Combined with dnsmasq, sniproxy can reverse-proxy a site without any certificate. It uses the SNI field of the TLS handshake to forward the connection to the destination site as a plain TCP proxy, so the proxy server needs no certificate of its own, and the certificate the visitor sees is exactly the site's own certificate.

Of course, since it is based on SNI, it cannot proxy plain HTTP pages; if the target site does not support HTTPS, it will not work.

Compiling SNI Proxy (can be skipped)

The example environment is Ubuntu 14.04.

Clone the sniproxy source from git:

Preparing the environment

Installing and configuring SNI Proxy


Edit /etc/sniproxy.conf to enable the reverse proxy:

The configuration above opens the reverse proxy for one domain at a time, but that is too much trouble: every time a new site is added, this list has to grow. So we trade a little security for convenience. I also have no need to reverse-proxy mail (it is easy to abuse, and spam servers abroad are hated), so I can simply write:

Note: for IPv4, you must explicitly write the external address to listen on (replace it in the configuration); otherwise sniproxy will listen only on IPv6.

This opens the reverse proxy for HTTPS only, and any domain name that resolves to this server will be reverse-proxied. Which domains get proxied is therefore controlled solely by dnsmasq resolution. (There is a small security risk here: once someone discovers the server, your traffic may quietly disappear. Remember to monitor your server's bandwidth.)
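The configuration text itself did not survive on this page, so the following is an added example of my own, not the post's original file: a small sh script that writes an /etc/sniproxy.conf of the kind described above, with an explicit IPv4 listen address and a wildcard table that forwards every TLS connection to the host named in its SNI. The address 203.0.113.10 is a placeholder (TEST-NET-3) and the install function refuses to write the file while it is still in use.

```shell
#!/bin/sh
# Added example, not from the original post. SNIPROXY_IP is a placeholder;
# replace it with your server's real public IPv4 address.
SNIPROXY_IP="${SNIPROXY_IP:-203.0.113.10}"

# Print the sniproxy configuration for the given listen address.
# "proto tls" makes sniproxy read the server_name (SNI) from the ClientHello
# without terminating TLS; the table target "*" tells it to connect to that
# name itself, so no per-site list is needed.
sniproxy_conf() {
    ip="$1"
    cat <<EOF
user daemon
pidfile /var/run/sniproxy.pid

error_log {
    syslog daemon
    priority notice
}

# Listen on the IPv4 address explicitly: a bare "listen 443" binds only the
# IPv6 wildcard on this host (see the note above).
listen ${ip}:443 {
    proto tls
    table https_hosts
}

table https_hosts {
    # explicit form, one line per site (destination port defaults to the
    # listener port, 443):
    # example.com example.com
    # wildcard form: forward any SNI name to the host it names
    .* *
}
EOF
}

# Write the file, but refuse while the placeholder address is still set,
# since sniproxy would then bind an address this host does not own.
install_conf() {
    ip="$1"
    path="$2"
    case "$ip" in
        203.0.113.10|"")
            echo "set SNIPROXY_IP to your server's IPv4 address first" >&2
            return 1 ;;
    esac
    sniproxy_conf "$ip" > "$path"
}

# Usage: SNIPROXY_IP=198.51.100.7 sh this_script.sh  (as root)
# install_conf "$SNIPROXY_IP" /etc/sniproxy.conf
```

Running it as root with SNIPROXY_IP exported writes the file; the commented `example.com` line shows the explicit per-site form the post mentions first, and the `.* *` line is the wildcard form it settles on.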

Running sniproxy

Run it directly with the command "sniproxy". The default configuration file "/etc/sniproxy.conf" is loaded automatically; if you use a different file name or path, specify it with the "-c" option:

Port redirection

Next: we generally do not like typing a port number or protocol name when visiting a site, so what about the default port 80? As a helper, we install a lightweight nginx and send all traffic arriving on port 80 to port 443 above with a 301 redirect.

Note: for Google and other special domains, even a port redirect cannot fix the jump, because the GFW can unpack HTTP traffic, so you know.

We edit the nginx configuration file "/etc/nginx/sites-available/default" to the following:



sniproxy is now set up, but it cannot be reached directly: your DNS has to point at it so that it can proxy the SSL connection based on the domain name, so you may need to modify resolution in your own hosts file. An easier way, though, is to use dnsmasq. I wrote an article describing how to set up your own private DNS server at home to avoid DNS pollution; with that in place you only need to add resolution entries to dnsmasq on that server.

For example, create a new file /etc/dnsmasq.d/sni.conf and write into it the domain names that should resolve to your sniproxy server. To that end I built a project on GitHub that collects common sites to resolve; you only need to download it and replace the IP inside with your sniproxy server's IP!

Remember to change the IP address inside!
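As an added example (my own, not the post's nginx file or the author's GitHub project), here is a sh script that generates the two companion files from the last two sections: the nginx server block that answers port 80 with a 301 to HTTPS, and a dnsmasq drop-in that points a chosen list of names at the SNI proxy. The address 203.0.113.10 and the domain names passed on the command line are placeholders; the script refuses to write anything until the placeholder IP has been replaced, which is the mistake the note above warns about.

```shell
#!/bin/sh
# Added example, not from the original post. SNIPROXY_IP is a placeholder.
SNIPROXY_IP="${SNIPROXY_IP:-203.0.113.10}"

# nginx: answer every plain-HTTP request with a 301 to the same host and path
# over HTTPS, so the browser lands on port 443 where sniproxy listens.
# $host keeps the name the client asked for, which is what the SNI must carry.
nginx_redirect_conf() {
    cat <<'EOF'
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
EOF
}

# dnsmasq: one "address=/name/IP" line per domain. dnsmasq applies such a
# line to the name and all of its subdomains, so "example.com" also covers
# "www.example.com"; only names listed here ever reach the proxy.
dnsmasq_sni_conf() {
    ip="$1"
    shift
    for name in "$@"; do
        printf 'address=/%s/%s\n' "$name" "$ip"
    done
}

# Accept only a dotted-quad IPv4 address that is not the placeholder.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    [ "$1" != "203.0.113.10" ]
}

# write_configs IP OUTDIR DOMAIN... writes OUTDIR/nginx-default and
# OUTDIR/sni.conf; copy them to /etc/nginx/sites-available/default and
# /etc/dnsmasq.d/sni.conf respectively.
write_configs() {
    ip="$1"
    out="$2"
    shift 2
    if ! valid_ipv4 "$ip"; then
        echo "replace SNIPROXY_IP with your sniproxy server's IPv4 address" >&2
        return 1
    fi
    nginx_redirect_conf > "$out/nginx-default"
    dnsmasq_sni_conf "$ip" "$@" > "$out/sni.conf"
}

# Usage: SNIPROXY_IP=198.51.100.7 sh this_script.sh
# write_configs "$SNIPROXY_IP" /tmp/sni-out example.com example.org
```

After copying the two files into place, reload nginx and restart dnsmasq; any name not listed in sni.conf keeps resolving normally and never touches the proxy.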


With that, your DNS has gained automatic reverse proxying for the common HTTPS sites! ☺️

Original article by Gerber drop-off: R0uter's Blog » SNI Proxy: quickly deploy a certificate-free reverse proxy for website access

When reproducing, please keep the source and the link to this article:

About the author


Unless otherwise declared, the articles I write are original; when reproducing, please indicate the link to this page and my name.


    1. Yes. When HTTP transmits data it is split into TCP packets, and when reading, the TCP data is depacketized and merged back into plaintext. I deliberately used the term "unpack" here rather than "decryption", so I think the description is reasonable.

    1. FML!!!! The WordPress backend is down and I can't reply, damn it, ah ah ah!!!
      I wrote it three whole times, three times, ah!!!!!

      =。= Forget it, I don't want to write it again, I'm furious. This works, I use this; we need two VPSes, one of them abroad, and then it is absolutely powerful.
