CDN (or similar) that allows retrieving client connection information?
Bit of a weird request, but I intend to run a networking experiment where I need to collect information about a client's connection to the server, such as the HTTP version, supported TLS ciphers, and TCP rtt/cwnd sizes.
I can easily spin up nginx instances and have them forward $tcpinfo_rtt, $ssl_ciphers and the like, but having to manage updates in this setup is a pain. You'd have to switch DNS records, drain connections on the old server, and finally shut it down.
Is there a global managed HTTP service, such as a CDN, which would allow me to receive this information at the origin? Even though it's a personal project, pricing is of no concern (unless it's Akamai or somesuch asking for three/four figure sums upfront.)


Comments
I think Cloudflare has APIs to read that
They don't forward this information to the origin by default, how do you actually retrieve this information? From within workers?
x-forwarded
x-forwarded-for is for the client's IP, which I already know
I'm referring to the client's connection properties, such as the HTTP version and TLS ciphers.
y-forwarded
The Cloudflare Enterprise plan allows you to use Logpush to save all logged requests. Zone-scoped log datasets are available to you: https://developers.cloudflare.com/logs/reference/log-fields/zone/. You'd be interested in the HTTP requests dataset's log fields: https://developers.cloudflare.com/logs/reference/log-fields/zone/http_requests/. I usually send my Cloudflare Logpush logs to S3 storage for analysis and processing on my own servers.
With the Cloudflare Enterprise plan, if you're fine with GUI-only access for a moment in time, like a display/streamed display, Cloudflare paid plans have Instant Logs too, accessed via the Cloudflare Logs section https://developers.cloudflare.com/logs/instant-logs/
You can also do this with Cloudflare Workers; the fields available are listed at https://developers.cloudflare.com/workers/runtime-apis/request/#incomingrequestcfproperties and include TLS ciphers and other connection properties etc. So you don't need an Enterprise plan for that.
Or some of it can be done via Cloudflare Transform Rule request header modifications https://developers.cloudflare.com/rules/transform/ where you can set up rules to add custom request headers with the info derived at the CF edge server and have them passed on to your origin for logging and analysis. Some of the fields available to be passed on are at https://developers.cloudflare.com/rules/transform/request-header-modification/reference/fields-functions/. I use Cloudflare Transform request header modifications to pass on Cloudflare Enterprise Firewall's JA3 fingerprints https://developers.cloudflare.com/bots/concepts/ja3-fingerprint/ for each request to my origin servers.
Hope that helps
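The Workers approach described in the comment above, as an added example that is not part of the original post: a Worker copies the negotiated connection properties from `request.cf` into request headers for the origin, first removing any same-named headers the client sent so the values cannot be spoofed. The `x-conn-*` header names and the `withConnectionHeaders` helper are hypothetical; the `request.cf` field names are those documented under IncomingRequestCfProperties.

```javascript
// Added example, not code from the thread. Header names (x-conn-*) are hypothetical.
const PREFIX = "x-conn-";

// request.cf field -> header suffix. Only negotiated values are exposed here,
// not the client's full list of offered ciphers.
const FIELDS = {
  httpProtocol: "http-protocol", // e.g. "HTTP/2"
  tlsVersion: "tls-version",     // e.g. "TLSv1.3"
  tlsCipher: "tls-cipher",       // negotiated cipher
  clientTcpRtt: "tcp-rtt",       // round-trip time between client and edge
  colo: "edge-colo",             // edge location that terminated the connection
};

function withConnectionHeaders(incoming, cf) {
  const out = new Headers(incoming); // copy; the original headers stay untouched
  // Drop anything the client sent under our prefix so it cannot inject values.
  for (const name of [...out.keys()]) {
    if (name.toLowerCase().startsWith(PREFIX)) out.delete(name);
  }
  // cf can be missing (for example in local testing), so every field is optional.
  for (const [field, suffix] of Object.entries(FIELDS)) {
    const value = cf ? cf[field] : undefined;
    if (value !== undefined && value !== null && value !== "") {
      out.set(PREFIX + suffix, String(value));
    }
  }
  return out;
}

// Worker entry point; in a Workers module this object is the default export.
const worker = {
  async fetch(request) {
    const headers = withConnectionHeaders(request.headers, request.cf);
    return fetch(new Request(request, { headers }));
  },
};
```

The origin should accept these headers only on connections that arrive from the edge, since a client reaching the origin directly could set them itself.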
For those specifically, probably best to just log them from Nginx server - only place I've been able to log those which aren't available on Cloudflare at least.
For Cloudflare, use Fetch API to receive /cdn-cgi/trace, and then post the response to your beacon server. Example: https://www.cloudflare.com/cdn-cgi/trace
Thanks for introducing me to TCPINFO, I didn't know about that metric before. Seems like it can be used to detect VPNs and other discrepancies.
BTW. Regarding your other project that sends a massive number of DNS queries, I could not replicate your results. I've written a Python script that sends several thousand DNS queries per second and left it overnight with no error responses whatsoever - all I got was rate limiting, from ~50 rps on Google Public DNS to above 1000 rps on Cloudflare (which seemed more like a bottleneck in my program rather than Cloudflare). Perhaps I need to go even faster in order to get these SERVFAILs?
Not sure why you're trying to get this thread derailed, but the ratelimiting that I observed was in the form of servfail responses. (I'd generally have asked you to PM, but knowing that you're tinyweasel and generally up to no good, I can't assist you further.)
Seems like the best option, apart from the fact that Cloudflare really likes to block users at the drop of a hat, as I’ve experienced many times without paying up for enterprise.
Do you happen to know if they allow getting the entire ClientHello or only the finally negotiated cipher and curve?
Also, is this information also available to functions that are classified as “workers unbound”?
Assist? I'm not the one who's trying to do something weird. I'm just not able to replicate problems you've run into.
Since:
I decided to scrutinize some of your claims, the same way you try to scrutinize me.
deleted
Don't think you can get the entire ClientHello. You can ask on the CF Workers forum https://community.cloudflare.com/c/developers/workers/40 or their CF Discord channel, which is where all the CF Worker staff and users hang out more. They may have more ideas, or someone has probably already done something similar.