Using Cloudflare Argo to Conceal VIPER Backend

What is a Cloudflare Argo Tunnel
An Argo Tunnel provides a simple way to expose a web server to the Internet securely, without opening firewall ports or configuring ACLs. It also guarantees that requests are routed through Cloudflare before they reach the web server, so attack traffic is stopped by Cloudflare's WAF and unmetered DDoS mitigation, and, if those features are enabled for the account, requests can be authenticated through Access.

Why Argo instead of a regular CDN?
Because going through a CDN means opening port 60000 in the security group, and it leaks the C&C server's IP address, which increases the risk of being traced. With an Argo Tunnel the backend port does not need to be opened, and you get an official Cloudflare certificate.

Also, Cloudflare currently routes through Hong Kong nodes by default, so access from mainland China is not slow either.

Why did I set this up? At first I only wanted to hide the backend, so I installed nginx on the host as a reverse proxy, but that was too fiddly. Then it occurred to me that Argo needs no open ports, binds a domain name and hides the address, so I switched to Argo right away.

Configuring VIPER

Because viper uses a self-signed certificate, forwarding directly to https://127.0.0.1:60000 does not work: it fails with a certificate error. So first enter the container and edit the nginx configuration to turn SSL off and serve plain HTTP.

docker ps # find the container name
docker exec -i -t viper-c /bin/bash
# the following commands run inside the container
cd /root/viper/Docker/
nano viper.conf

Press Ctrl+Shift+_ to jump to line 7.

.......
server {
include /root/viper/Docker/nginxconfig/viper.conf;
ssl off; # change this from on to off
ssl_certificate /root/viper/Docker/nginxconfig/server.crt;
.......

Finally, remember to reload the nginx configuration so the change takes effect.

nginx -s reload
exit # leave the container

Configuring Argo

Installation

Cloudflared is the connector software between the origin server and the Cloudflare Argo server.

You can refer to the documentation here.

Official documentation
Docs

GitHub Release
Downloads

Configuring the Tunnel

cloudflared tunnel login # log in first and pick the example.com domain
cloudflared tunnel create viper
cloudflared tunnel route dns viper vip # creates a CNAME record for vip.example.com in Cloudflare that points at the viper tunnel

Verifying the Tunnel configuration

Start the tunnel to try it; if there is no problem, continue.

cloudflared tunnel --name viper --url http://127.0.0.1:60000

Then visit vip.example.com to check the result; if everything works, continue.
Starting the tunnel this way is only temporary, so we need to make it persistent.

Persisting Argo

First run cloudflared tunnel list and note the tunnel's ID.

sudo cloudflared service install
nano /etc/cloudflared/config.yml

Write it as follows, changing what needs changing.

tunnel: <Tunnel-UUID>
credentials-file: /root/.cloudflared/<Tunnel-UUID>.json

ingress:
  - hostname: vip.example.com
    service: http://127.0.0.1:60000
  - service: http_status:404
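
To make the ingress semantics of this config concrete, here is an added Python example (not code from the original post or from cloudflared) that re-implements the documented rule evaluation: rules are tried in order, the first match wins, and the last rule must be a hostname-free catch-all. It assumes hostname matching is exact or a leading "*." wildcard (suffix match) and does not model path filters.

```python
# Added example (not code from the original post or from cloudflared): a
# minimal re-implementation of how the "ingress" list in config.yml is
# evaluated, so the rule ordering can be checked offline.
# Assumptions: a hostname matches exactly or via a leading "*." wildcard
# (suffix match); "path" filters are not modelled.

# Constructed sample mirroring the config.yml shown above.
INGRESS = [
    {"hostname": "vip.example.com", "service": "http://127.0.0.1:60000"},
    {"service": "http_status:404"},  # catch-all, must stay last
]


def validate(rules):
    """Mirror the key validation cloudflared applies at startup: every rule
    needs a service, and the last rule must match all requests (no hostname),
    so an unknown Host header can never fall through to the origin."""
    if not rules:
        raise ValueError("ingress list is empty")
    for rule in rules:
        if "service" not in rule:
            raise ValueError(f"rule without service: {rule}")
    if rules[-1].get("hostname"):
        raise ValueError("last ingress rule must be a catch-all (no hostname)")
    return True


def host_matches(rule_host, req_host):
    """No hostname matches everything; otherwise exact match, or a '*.'
    wildcard that matches any label(s) before the given suffix."""
    if not rule_host or rule_host == req_host:
        return True
    if rule_host.startswith("*."):
        return req_host.endswith(rule_host[1:])
    return False


def route(rules, req_host):
    """Return the origin service for a request Host header: first match wins."""
    validate(rules)
    for rule in rules:
        if host_matches(rule.get("hostname"), req_host):
            return rule["service"]
    raise RuntimeError("unreachable: the catch-all rule always matches")


if __name__ == "__main__":
    for host in ("vip.example.com", "other.example.com", "203.0.113.10"):
        print(f"{host:20} -> {route(INGRESS, host)}")
```

For the real file, cloudflared has its own checks: cloudflared tunnel ingress validate reads config.yml, and cloudflared tunnel ingress rule https://vip.example.com reports which rule a given URL would hit.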

Restart the cloudflared service.

sudo systemctl restart cloudflared && sudo systemctl enable cloudflared

https://tokisaki.top/blog/viper-via-cloudflare-argo/
Author: Tokisaki Galaxy
Published: November 14, 2021