Feature Request: Decoy (Fallback) Website

[khantzawhein]

The Outline Server, when connected by a Shadowsocks Client with correct credentials, behaves normally as it would.

However, when directly opened on a browser using the IP, the Outline Server forwards the client to the server-owner configured website, especially on ports 443 and 80.

As a result, the Outline server cannot be probed and detected using a normal HTTP request since it will just behave as a normal HTTP server.

Similar Feature from XRay Core: https://xtls.github.io/en/config/features/fallback.html

[daniellacosse]

I'm unclear, here. This is not behavior I was aware of (I just tested on my own server and it simply timed out) and I think.. if the server owner can configure a site, wouldn't this already be supported? Please clarify.

[khantzawhein]

@daniellacosse, you are correct. When Outline is listening on other ports except 80 and 443, the server owner could configure their own website that listens on ports 443 and 80.

However, when the Outline Server itself is listening on both 443 and 80, which means users are using the Outline Server with port 443 and 80 keys, the owner cannot configure their own web server that listens on 443 or 80 anymore.

The main point of this feature is to pretend that an Outline Server is a functioning website. Users can use their VPN connection on 443, while adversaries connect to the server on port 443 with invalid probes, like HTTP / HTTPS requests, the server forwards the request to an internal web server that is listening on another port inside that server.

The current behavior of the Outline server is to just not respond to invalid probes/requests. That behavior can flag ISPs because ISPs can obviously see that a lot of users are connecting to port 443 with a lot of traffic, but they cannot access it by themselves.

[daniellacosse]

@daniellacosse, you are correct. When Outline is listening on other ports except 80 and 443, the server owner could configure their own website that listens on ports 443 and 80.

However, when the Outline Server itself is listening on both 443 and 80, which means users are using the Outline Server with port 443 and 80 keys, the owner cannot configure their own web server that listens on 443 or 80 anymore.

The main point of this feature is to pretend that an Outline Server is a functioning website. Users can use their VPN connection on 443, while adversaries connect to the server on port 443 with invalid probes, like HTTP / HTTPS requests, the server forwards the request to an internal web server that is listening on another port inside that server.

The current behavior of the Outline server is to just not respond to invalid probes/requests. That behavior can flag ISPs because ISPs can obviously see that a lot of users are connecting to port 443 with a lot of traffic, but they cannot access it by themselves.

Aaaahhh I get it now. Yes, server managers can additionally host a website on their box but can't do so when Outline Server is using those ports.

How do we determine whether an incoming request to 443 is an adversary or not?

[khantzawhein]

In X-Ray (V2Ray)’s implementation, any requests without valid credentials are considered invalid and forwarded to the configured fallback destination.

It’s usually the internal web server running listening only on localhost with different port.

For example:

Outline Server listens to 443 and 80.

When invalid requests are received, forward the request to 127.0.0.1:4567 (assuming a Caddy server is listening on port 4567).

The Caddy server serves the request with appropriate response configured by the server admin. Then return the response to the Outline Server.

Outline server forwards the response from Caddy to the requester.

[daniellacosse]

I think the main concern would be some kind of fingerprinting: I'll have to run this by the team.

I'm also not sure if this would break the client.

[hamidmayeli]

Any update on this, @daniellacosse ?

@khantzawhein have you managed to achieve this in anyway?