Home
krrr edited this page Oct 16, 2020
location: /etc/systemd/system/wstan.service

```ini
[Unit]
Description=wstan server
After=network.target

[Service]
# Allow binding a privileged port without running as root; the ambient
# capability only takes effect when a non-root User= is set for the service.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
# HOST and KEY are placeholders for the listen address and the key
ExecStart=/usr/local/bin/wstan -s ws://HOST:4000/ab KEY --x-forward

[Install]
WantedBy=multi-user.target
```
match wstan traffic by URL path (Caddyfile): requests under `/path/*` are proxied to the local wstan server, everything else is redirected to HTTPS

```caddyfile
http://example.com {
    # everything that is not wstan traffic
    @ws {
        not path /path/*
    }
    reverse_proxy /path/* localhost:4000
    redir @ws https://example.com{uri} 301
}
```
- TCP half-close is not supported
- an attacker can't be prevented from modifying the ciphertext (only the request frame has an HMAC; data frames have no sequence number)
- the client can't tell a fake server apart from the real one (won't fix?)
- the server may fail to tell a fake client apart (remembering reused nonces and timestamps is not enough)
- fails if the system clocks of client and server are out of sync (the worst situation: your OpenVZ VPS has the wrong time and you can't even change it)
- the exchange of the encryption nonce is complicated and badly designed
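Why the missing per-frame MAC and sequence number matter, as an added illustration that is not wstan's code (the stream cipher and frame layout below are a constructed model, not wstan's real protocol): an unauthenticated data frame can be altered in transit without the receiver noticing, while a frame that carries a sequence number and an HMAC over it rejects both edits and replays.

```python
import hmac, hashlib, struct

# Constructed toy model of the limitation above: a stream cipher with no
# per-frame MAC or sequence number. The HMAC-SHA256 keystream is stdlib-only
# filler and is NOT wstan's real cipher.
def keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal_unauthenticated(key, nonce, plaintext):   # model of a wstan data frame
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

def open_unauthenticated(key, nonce, frame):       # receiver cannot detect edits
    return xor(frame, keystream(key, nonce, len(frame)))

# Hardened variant: frame = seq(8) || ct || HMAC(seq || ct); the receiver
# checks the tag and requires strictly increasing sequence numbers.
def seal_authenticated(key, nonce, seq, plaintext):
    ct = xor(plaintext, keystream(key, nonce + struct.pack(">Q", seq), len(plaintext)))
    tag = hmac.new(key, struct.pack(">Q", seq) + ct, hashlib.sha256).digest()
    return struct.pack(">Q", seq) + ct + tag

class Receiver:
    def __init__(self, key, nonce):
        self.key, self.nonce, self.expected = key, nonce, 0
    def open(self, frame):
        seq, ct, tag = struct.unpack(">Q", frame[:8])[0], frame[8:-32], frame[-32:]
        want = hmac.new(self.key, frame[:-32], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want) or seq != self.expected:
            return None   # tampered, replayed or reordered: drop the frame
        self.expected += 1
        return xor(ct, keystream(self.key, self.nonce + struct.pack(">Q", seq), len(ct)))

def demo():
    key, nonce, msg = b"k" * 32, b"n" * 8, b"hello over wstan"   # constructed values
    frame = seal_unauthenticated(key, nonce, msg)
    tampered = bytes([frame[0] ^ 1]) + frame[1:]     # one flipped ciphertext bit
    silently_accepted = open_unauthenticated(key, nonce, tampered) == bytes([msg[0] ^ 1]) + msg[1:]
    rx = Receiver(key, nonce)
    f0, f1 = seal_authenticated(key, nonce, 0, msg), seal_authenticated(key, nonce, 1, msg)
    accepted = rx.open(f0) == msg
    replay_rejected = rx.open(f0) is None              # same frame again: seq 0 != 1
    tamper_rejected = rx.open(bytes([f1[8] ^ 1]) + f1[9:]) is None   # tag mismatch
    return silently_accepted, accepted, replay_rejected, tamper_rejected
```

`demo()` returns four booleans: the unauthenticated receiver silently yields the altered plaintext, and the hardened receiver accepts the genuine frame but drops the replay and the edited frame.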
On TCP Fast Open: it just doesn't work, see https://squeeze.isobar.com/2019/04/11/the-sad-story-of-tcp-fast-open