反向问题：如何让用户在不翻墙的情况下访问网站？/ Reverse question: How can users access a website without needing to circumvent?

[zhanarkis]

动机：

由于我们网站的性质，我们日常遇到中国政府的”近实时封锁“（想象一下刚换域名不到三天，喜提全国DNS污染的可笑画面）。

此外，我们的网站用于传播社会思想，而我们的受众并不一定知道如何翻墙。我们也不认为让所有用户都必须学会如何翻墙是非常合理的事情。

我们创建了多个镜像服务（部署在Cloudflare Pages、Github存储库），但我们依旧担忧未来封锁升级的情况。

因此，我们将这个问题发布到这里，希望能得到更多的想法来应对未来的封锁。

多说一句：我们希望成本尽可能的低（且所需的技术水平也尽可能的低） ;)

目前的对策：

1. 我们创建了Cloudflare Pages镜像页面，此服务使用泛域名TLS证书而非”具有独特域名特征“的TLS证书，并且创建和删除Pages实例非常简单。
2. 我们创建了Github存储库，用于存放所有的文章的”离线版本“。
3. 我们的网站有着简单的”一键全站备份“机制，可以非常快速地完全镜像整个网站上所有的文章。

---

Motivation:

Due to the nature of our website, we encounter the Chinese government's “near real-time blocking” on a daily basis (imagine the ridiculous scene of just changing the domain name less than three days ago, and being happy to mention the national DNS pollution).

In addition, our website is used to disseminate social ideas, and our audience does not necessarily know how to circumvent the Great Firewall. We also do not think it is reasonable to require all users to learn how to circumvent the Great Firewall.

We have created multiple mirror services (deployed on Cloudflare Pages and Github repositories), but we are still concerned about future upgrades to the Great Firewall.

Therefore, we have posted this issue here in the hope of getting more ideas to deal with future blockades.

One more thing: We want to keep the costs as low as possible (and the required technical level as low as possible) ;)

Current countermeasures:

1. We have created a Cloudflare Pages mirror page, which uses a wildcard TLS certificate instead of a TLS certificate “with unique domain name characteristics” and makes it very easy to create and delete Pages instances.
2. We created a Github repository to store all the articles in an “offline version”.
3. Our website has a simple one-click full site backup mechanism that can quickly and completely mirror all the articles on the entire website.

[KZF-33]

我并非专业人士，讲一个浅陋的观点：“网站本身没问题，受限制的是他里面的内容。”总之可以试试“视觉加密”网站内容来避免封禁。比如开启手机颜色反转才能查阅，或者配置专门“滤镜”。

I am not a professional, but I can offer a humble opinion: “The website itself is fine, it is the content that is restricted.” In short, you can try to “visually encrypt” the content of the website to avoid being blocked. For example, you can turn the colors of the mobile phone upside down to view it, or configure a special “filter”.

[showgood163]

如果使用cloudflare cdn，强制开启ech是有效的，当然这也需要客户端支持ech

If you use the cloudflare cdn, forcing the use of ech is effective, but of course the client needs to support ech

[wkrp]

This research paper discusses anti-censorship defenses that can be deployed at the server, without client modifications. The defenses are Geneva-style defenses, so they won't work if the server's IP address is blocked, and successful circumvention may require defenses for multiple protocols (DNS, TCP, TLS).

"Come as You Are: Helping Unmodified Clients Bypass Censorship with Server-side Evasion"
https://censorbib.nymity.ch/#Bock2020b

Decades of work on censorship evasion have resulted in myriad ways to empower clients with the ability to access censored content, but to our knowledge all of them have required some degree of client-side participation. Having to download and run anti-censorship software can put users at risk, and does not help the many users who do not even realize they are being censored in the first place.

In this paper, we present the first purely server-side censorship evasion strategies—11 in total. We extend a recent tool, Geneva, to automate the discovery and implementation of server-side strategies, and we apply it to four countries (China, India, Iran, and Kazakhstan) and five protocols (DNS-over-TCP, FTP, HTTP, HTTPS, and SMTP). We also perform follow-on experiments to understand why the strategies Geneva finds work, and to glean new insights into how censors operate. Among these, we find that China runs a completely separate network stack (each with its own unique bugs) for each application-layer protocol that it censors. The server-side techniques we find are easier and safer to deploy than client-side strategies. Our code and data are publicly available.

I haven't tried them myself, but there are some services that are supposed to offer blocking-resistant hosting. One that comes to mind is Qurium Bifrost:

Bifrost is a circumvention solution for Internet blocked WordPress based websites. The tool automates the process of creating live mirrors of dynamic websites. The mirrors created by Bifrost are hosted in large cloud storage solution, such as Google Cloud or Amazon, which are too costly for Internet repressive regimes to block. In that way, readers from countries where blocking is taking place, can access the blocked sites without the need of any third party tool or App.

[tyxlb]

可以用 ipfs.tech 搭建静态网站，得到的url大致为 网关/cid (hash)。用户通过分散的公共网关访问同一内容，有条件的用户还能在本地网关访问，帮助托管内容。
潜在问题是用户初次接触ipfs，一个网关挂了后知道cid但不懂得切换网关。

要固定域名/网站可变内容采用 ipns 或 ens

---

It is possible to build a static website with ipfs.tech and get a url roughly gateway/cid (hash). Users access the same content through decentralized public gateways, and for those who can, local gateways to help host the content.
Potential problem is that users are new to ipfs and know the cid but don't know how to switch gateways when one gateway is down.

To fix the domain/site variable content use ipns or ens

[immartian]

Good to see the experiments.

Historically, however, almost all adhoc circumvention solutions for a single web site seems no economical, sustainable, nor copy-able.

[manafluxxx]

可以使用单独的地址发布页来引向主站点，或是提供一个用于获取地址的邮箱来自动回复最新的站点链接(但是，大多数中国人不了解如何正确地使用邮箱)，并提供方便的离线访问方案

我建议在站点上科普一下翻墙的方法，毕竟网站的性质可能导致时刻有人盯着封杀，且可能会让用户因访问站点被请去喝茶

有人提议提供IPFS等访问方式，但是显然让用户学会使用这些比教他们用翻墙工具难得多

A separate address publishing page can be used to redirect to the main site, or an email address can be provided to automatically reply with the latest site link (however, most Chinese people do not know how to use email properly), and a convenient offline access solution can be provided

I suggest popularizing the methods of circumventing the wall on the site. After all, the nature of the site may lead to it being blocked at any time, and users may be invited for tea for accessing the site

Some people have proposed providing access methods such as IPFS, but it is obviously much more difficult to teach users to use these than to teach them to use circumvention tools

[tahph4ta]

Since you have created multiple mirrors and your website is static, you can setup LibResilient. It will help users who already have visited your website before to automatically use a mirror when the original website is not accessible.

[zhanarkis]

Since you have created multiple mirrors and your website is static, you can setup LibResilient. It will help users who already have visited your website before to automatically use a mirror when the original website is not accessible.由于您已经创建了多个镜像并且您的网站是静态的，因此您可以设置 LibResilient。它将帮助之前已经访问过您网站的用户在无法访问原始网站时自动使用镜像。

谢谢，我们稍后就去尝试（最近我们很忙）

Thanks, we'll try it later (we've been busy lately).

[zhanarkis]

可以使用单独的地址发布页来引向主站点，或是提供一个用于获取地址的邮箱来自动回复最新的站点链接(但是，大多数中国人不了解如何正确地使用邮箱)，并提供方便的离线访问方案

我建议在站点上科普一下翻墙的方法，毕竟网站的性质可能导致时刻有人盯着封杀，且可能会让用户因访问站点被请去喝茶

有人提议提供IPFS等访问方式，但是显然让用户学会使用这些比教他们用翻墙工具难得多

A separate address publishing page can be used to redirect to the main site, or an email address can be provided to automatically reply with the latest site link (however, most Chinese people do not know how to use email properly), and a convenient offline access solution can be provided可以使用单独的地址发布页面重定向到主站点，也可以提供电子邮件地址自动回复最新的站点链接（但是，大多数中国人不知道如何正确使用电子邮件），以及方便的离线可提供接入解决方案

I suggest popularizing the methods of circumventing the wall on the site. After all, the nature of the site may lead to it being blocked at any time, and users may be invited for tea for accessing the site我建议在现场普及一下翻墙的方法。毕竟，该网站的性质可能导致其随时被屏蔽，并且用户可能会因访问该网站而被邀请喝茶

Some people have proposed providing access methods such as IPFS, but it is obviously much more difficult to teach users to use these than to teach them to use circumvention tools有人提出提供IPFS等访问方式，但教用户使用这些显然比教他们使用翻墙工具要困难得多

我们在这周想到了一个比较奇怪的解决方案：

我们设置一个HTML文件（包含一个JS文件），此代理会将网络请求透明的发送到真正的后端。

这是从那些赌博网站和色情网站那里学到的技巧。

也由于这个文件可以随意放置，因此可以放在一些已有的网站上。如果被询问我们可以很简单的回答“服务器遭到入侵”。

We came up with a rather strange solution this week:

We set up an HTML file (containing a JS file) that transparently sends network requests to the real backend.

This is a trick learned from those gambling and porn sites.

And since this file can be placed anywhere, it can be placed on some existing website. If asked, we can simply reply, “The server has been hacked.”

[wkrp]

我们设置一个HTML文件（包含一个JS文件），此代理会将网络请求透明的发送到真正的后端。

We set up an HTML file (containing a JS file) that transparently sends network requests to the real backend.

I don't quite understand this idea. If web browser clients are making requests to a backend, what happens if the backend server is blocked?

If I understand you correctly, the idea is not to install a reverse proxy on an existing website (forwarding client HTTP requests to a backend server), but to have web browser clients send requests to the backend server directly. But if the backend server itself is blocked, it does not help matter that the HTML/JS was served from the normal web server or not.

Is it because this frontend/backend division has the advantage of flexibility? When the backend gets blocked, you can push a new backend address to all the frontends, without also changing the frontends?

Do you have to rewrite links that are retrieved from the backend? (In the manner of a link-rewriting proxy like CGIProxy.) URLs retrieved from the backend might still point to the main web server, which is blocked.

[manafluxxx]

我们设置一个HTML文件（包含一个JS文件），此代理会将网络请求透明的发送到真正的后端。

We set up an HTML file (containing a JS file) that transparently sends network requests to the real backend.

I don't quite understand this idea. If web browser clients are making requests to a backend, what happens if the backend server is blocked?

相比服务端渲染好后把带有关键词的内容返回，这样就显得表面上无害了，我认为可以减少被block的概率，也能减少一些原本这套模板的特征，在中国有些不法产业的站点也是这么做的

Compared to the server rendering and returning content with keywords, this seems to be harmless on the surface. I think it can reduce the probability of being blocked and also reduce some of the characteristics of this template. Some sites of illicit industries in China do the same

[zhanarkis]

我们设置一个HTML文件（包含一个JS文件），此代理会将网络请求透明的发送到真正的后端。
We set up an HTML file (containing a JS file) that transparently sends network requests to the real backend.

I don't quite understand this idea. If web browser clients are making requests to a backend, what happens if the backend server is blocked?

If I understand you correctly, the idea is not to install a reverse proxy on an existing website (forwarding client HTTP requests to a backend server), but to have web browser clients send requests to the backend server directly. But if the backend server itself is blocked, it does not help matter that the HTML/JS was served from the normal web server or not.

Is it because this frontend/backend division has the advantage of flexibility? When the backend gets blocked, you can push a new backend address to all the frontends, without also changing the frontends?

Do you have to rewrite links that are retrieved from the backend? (In the manner of a link-rewriting proxy like CGIProxy.) URLs retrieved from the backend might still point to the main web server, which is blocked.

不，这个index.html是一个“引导文件”，其中包含最新的镜像链接位于何处。

我们将包含这个镜像链接的链接发送给其他人（以http://IP:PORT/XXX.html的形式），而镜像链接设置为无法被搜索引擎直接寻找到。

这将有效降低对手对我们的可见性

No, this index.html is a 'bootstrap file' that contains the location of the latest mirror link.

We'll send the link containing this mirror link to others (in the form of http://IP:PORT/XXX.html), while setting the mirror link to be inaccessible to search engines.

This will effectively reduce our visibility to opponents.

[louiesun]

实在不行自己写个傻瓜式翻墙工具，拿webview封装一下给用户。

一个支持tlsfrag, quic, 域前置的实例如下
github.com/monthlyliaoyuan/Unofficial_Z_Access

If that doesn't work, write your own silly tool to circumvent the wall, and wrap it in a WebView for the user.

An example that supports tlsfrag, quic, and domain fronting is as follows
github.com/monthlyliaoyuan/Unofficial_Z_Access