Additional Setting: CDN
You can skip this section if you don't want to buy a domain name, or you can contact me to add your server under my domain name.
The price for a domain name is about HKD$40 a year (for a .co domain at namecheap). If you don't care whether it is .xyz, .club or similar, the price can be about HKD$8 a year. It is advised to get a one-year plan only and disable auto-renew, as the renewal price is quite expensive ($6X to renew for 1 year). When the old domain name expires, register another domain name for $40; you will need to do this once a year. If you really want to keep the same domain for several years, it is recommended to register it with Cloudflare, as their price is static: about HKD$66 per year for a .com, HKD$40 per year for a .uk.
A CDN is usually used if your server IP has been blocked by a firewall. For example, my company blocked all free DDNS names. If I want to access the server, I can set up a DNS record to redirect the path. What if my company further blocks my server IP (just like what GFW did)? Then we need to use a CDN service (example: Cloudflare).
All connections are encrypted and point to Cloudflare, so the firewall never knows what is behind Cloudflare, as everything is encrypted inside their proxy. It is also hard for a company to ban all the Cloudflare IPs, as there are tons of them. Many services depend on Cloudflare, so it is impossible to ban the whole of Cloudflare (although a country did try to attack its service).
The following example refers to setting up a domain name with Cloudflare CDN (the CDN service is free, but the domain name is not).
I already own a domain name (as you can see, you are visiting this GitBook under my domain). I need to let Cloudflare handle all the DNS management.
After registering a free account in Cloudflare, add the domain name to Cloudflare; they will tell you to change the nameservers to Cloudflare's.

Go to the site of your domain name registrar, manage DNS, and change the nameservers to the ones given by Cloudflare.


This process takes at least one hour to take effect; Cloudflare will notify you by email once it is complete.
Since our guide will help you get a full SSL certificate issued by Let's Encrypt, we can use the Full (strict) SSL setting in Cloudflare.

There are several types of DNS records that can be used in Cloudflare, but we usually use A and CNAME. The following example refers to 3 records pointing to the same server.

A record (DNS only): a subdomain points directly to an IP; this is what a DDNS usually does.
CNAME (DNS only): a subdomain is an alias of another subdomain. It will redirect am.bunchtam1.co to b.freemyip.com; the firewall may still recognise that you are accessing b.freemyip.com, but might not block it.
CNAME (Proxied): a subdomain is an alias of another subdomain, encrypted by the Cloudflare proxy. That means all traffic is hidden behind Cloudflare, and the firewall only knows that you are accessing a Cloudflare-protected website.
Firewall Rule
It is also advised to add firewall rules (Firewall -> Firewall rules) as follows:


GFW will always want to probe the target domain, so our rule to allow connections should be a strict rule that matches Xray clients only. All others should be blocked by the 2nd rule (I will use challenge mode, as I want to fool them; you can simply block them).
*Firewall rules only apply to Proxied DNS records; direct connections (non-proxied DNS) will not be blocked by these 2 rules.
Page Rule
The first rule allows anything under "/fallws" to work (i.e. the xray proxy). The second rule redirects all unmatched connections to Alibaba.

Explanation
Page rules always run before Firewall rules.
Whenever a higher rule matches, the other rules of the same type are not processed.
For example, GFW is testing our proxy. They make a guess with http://a.b.co/xyz, which redirects them to Alibaba. Then they make a good guess with https://a.b.co/fallws. However, if their bot does not fully match firewall rule 1, they have to deal with the Cloudflare challenge, and after they pass the challenge they get a bad access from the ws server of xray.
Cloudflare API
You need to record some API tokens and IDs in Cloudflare; these keys will be used for DDNS and for the SSL certificate application.

Zone ID: when you apply for an SSL certificate, you need to apply for an API token. If you restrict the token to a specific Zone, this Zone ID points to your domain name.
Account ID: when you apply for an SSL certificate, the Account ID specifies which account to read.
Then we click on Get your API token.

Global API: when you use DDNS, we need the DDNS bot to update the DNS record for you. Currently, ddclient can only use the Global API Key.


Another API token is for the acme cert bot to use. After clicking on create token, the token key will only appear once; you will never be able to see this key again later. Please store the key in a safe place.
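The Zone ID, record ID and token described above are all the Cloudflare v4 API needs to update one DNS record. This is an added example, not code from the guide or from ddclient: it uses a token scoped to Zone:DNS:Edit on a single zone rather than the Global API Key, and assumes the Zone ID and DNS record ID are copied from the dashboard and the token is supplied in the CF_API_TOKEN environment variable (both names are this example's choice).

```python
# Added example (not from the guide): update one Cloudflare A record through the
# v4 API with a zone-scoped token (Zone:DNS:Edit on this zone only) rather than
# the Global API Key. Assumes Zone ID, record ID, and token in CF_API_TOKEN.
import ipaddress
import json
import os
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"


def build_dns_update(zone_id, record_id, name, ip, token, proxied=False):
    """Return (url, headers, body) for a PUT that rewrites one A record."""
    addr = ipaddress.ip_address(ip)
    # A DDNS client that read the wrong interface must not publish junk.
    if addr.version != 4 or addr.is_loopback or addr.is_link_local \
            or addr.is_multicast or addr.is_unspecified or addr.is_reserved:
        raise ValueError(f"refusing to publish {ip} as a public A record")
    url = f"{API_BASE}/zones/{zone_id}/dns_records/{record_id}"
    headers = {
        "Authorization": f"Bearer {token}",  # scoped token, not the Global API Key
        "Content-Type": "application/json",
    }
    # ttl=1 is "automatic" in Cloudflare; proxied=False is the "DNS only" cloud.
    body = {"type": "A", "name": name, "content": str(addr), "ttl": 1, "proxied": proxied}
    return url, headers, body


def parse_dns_response(raw):
    """Check Cloudflare's JSON envelope and return the record's new content."""
    reply = json.loads(raw)
    if not reply.get("success"):
        errs = "; ".join(f"{e.get('code')}: {e.get('message')}" for e in reply.get("errors", []))
        raise RuntimeError(f"Cloudflare rejected the update: {errs}")
    return reply["result"]["content"]


def _https_put(url, headers, body):
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="PUT")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def update_a_record(zone_id, record_id, name, ip, proxied=False, token=None, transport=_https_put):
    """Publish a new IP; 'transport' lets tests replace the live HTTPS call."""
    token = token or os.environ.get("CF_API_TOKEN", "")
    if not token:
        raise RuntimeError("no API token: pass token= or set CF_API_TOKEN")
    url, headers, body = build_dns_update(zone_id, record_id, name, ip, token, proxied)
    return parse_dns_response(transport(url, headers, body))
```

If the token is later leaked, revoking it only affects DNS on that one zone, which is the point of preferring it over the Global API Key wherever the client supports it.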