
Thursday 31 October 2019

Using beame-insta-ssl to access machines on your internal network

HTTP is over. Don’t get left behind. Get free, secure HTTPS tunneling to your local machine!     


What is beame-insta-ssl?

This is a free, open-source tool that allows you to securely expose a machine running an HTTP or HTTPS server via a random hostname, without needing a public IP address.
When using Beame.io, the private key never leaves your computer/server. Beame cannot look into your traffic. While, theoretically, Beame.io could issue a wildcard *.beameio.net certificate and terminate your traffic (which we don't do), this is preventable by checking certificate fingerprints.
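The fingerprint check mentioned above, as an added Python example that is not part of beame-insta-ssl: it hashes your local credential's certificate (assumed here to be available as a PEM file whose path you supply) and compares it with the certificate your Beame hostname presents over TLS. The sample PEM embedded in the block is constructed for offline use and is not a real certificate.

```python
"""Pin the certificate that a Beame tunnel hostname serves (added example).

The private key never leaves the machine running beame-insta-ssl, so the leaf
certificate seen at https://<your-hostname>.beameio.net must be byte-for-byte
the certificate of your local credential. Comparing SHA-256 fingerprints detects
any other party terminating TLS in the path, e.g. with a wildcard certificate.

Assumptions (not from the page): the local certificate is readable as a PEM
file; pass its path and the tunnel hostname on the command line.
"""
import base64
import hashlib
import hmac
import ssl
import sys


def format_fingerprint(digest: bytes) -> str:
    """Render a raw digest the way browsers and openssl print it: AA:BB:CC..."""
    return ":".join(f"{b:02X}" for b in digest)


def fingerprint_from_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return format_fingerprint(hashlib.sha256(der).digest())


def fingerprint_from_pem(pem_text: str) -> str:
    """SHA-256 fingerprint of a PEM-encoded certificate (first block only)."""
    return fingerprint_from_der(ssl.PEM_cert_to_DER_cert(pem_text))


def fingerprint_from_server(host: str, port: int = 443) -> str:
    """Fingerprint of the leaf certificate the remote endpoint presents.

    ssl.get_server_certificate performs a handshake without CA validation; that
    is fine here because we compare the exact certificate, which is stronger
    than trusting whatever chain a public CA would accept.
    """
    return fingerprint_from_pem(ssl.get_server_certificate((host, port)))


def normalize(fingerprint: str) -> str:
    """Strip colons/spaces and upper-case so differently printed forms compare."""
    return fingerprint.replace(":", "").replace(" ", "").upper()


def fingerprints_match(expected: str, observed: str) -> bool:
    """True if both strings denote the same fingerprint, whatever the formatting."""
    a, b = normalize(expected), normalize(observed)
    return len(a) == len(b) and hmac.compare_digest(a, b)


def check_tunnel(local_pem_path: str, hostname: str, port: int = 443) -> bool:
    """Compare the local credential's certificate with the one served remotely."""
    with open(local_pem_path, encoding="ascii") as fh:
        expected = fingerprint_from_pem(fh.read())
    observed = fingerprint_from_server(hostname, port)
    print(f"local : {expected}")
    print(f"remote: {observed}")
    return fingerprints_match(expected, observed)


# Constructed sample, NOT a real certificate: PEM framing around arbitrary bytes,
# enough to exercise the parsing and comparison logic offline.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <local-cert.pem> <tunnel-hostname>")
    ok = check_tunnel(sys.argv[1], sys.argv[2])
    print("OK: remote certificate is your own" if ok else "MISMATCH: TLS terminated elsewhere")
    sys.exit(0 if ok else 1)
```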

Who is beame-insta-ssl for?

Any users of remote access (RDP, VNC, SSH etc), web developers, web designers, anyone whose work product is displayed in a browser.

What is the most common and valuable use case?

  • I have to access my Linux machine, but company policy restricts exposing port 22 to the global network
  • I am developing for iOS and want to test my web application against my backend code, but it is much more convenient to test locally. Beame allows me to expose my local development server to the mobile device with TLS terminated at my local workstation.
  • I want to be able to access my home PC from my laptop; I run RDP on it, but I don't have a public IP and I don't want to rely on username/password either

Get started in three quick steps!

Step 1: Sign up super-fast here!
(if you use Windows, see Windows System Requirements below before Step 2)
Step 2 for Mac/Linux: Run sudo npm install -g beame-insta-ssl (please make sure you are using NodeJS version 6.9.X or newer). Depending on your configuration you might want to run npm install -g beame-insta-ssl instead (if you are using n or other methods for creating per-user NodeJS installations).
Step 2 for Windows: Run npm install -g beame-insta-ssl (please make sure you are using NodeJS version 6.9.X or newer).
Step 3: Run the command in the sign up confirmation email you just got from us. beame-insta-ssl will obtain your very own beame hostname, and issue a valid public certificate for it.
The certificate will be ready in moments and you can start using your tunnel right away. Truly a one-stop-shop!

Windows System Requirements

Before running npm install -g beame-insta-ssl please make sure you have OpenSSL installed in C:\OpenSSL-Win64. If you already have OpenSSL installed at that location, skip the instructions below and just issue npm install -g beame-insta-ssl. If you don't have OpenSSL in C:\OpenSSL-Win64, one of the possible ways of installing OpenSSL is described below (Install Visual C++ Build Tools and Python 2.7, Upgrade NPM, Install Perl, Install OpenSSL). The procedure was tested on Microsoft Windows Server 2012 R2 Standard and Windows 10. We recommend using "Windows PowerShell", run with administrator rights, for the following commands:

Install Visual C++ Build Tools and Python 2.7

npm install --global --production windows-build-tools. This typically takes 5 to 10 minutes, depending on the internet connection.

Upgrade NPM

npm -g install npm@latest

Install Perl

Perl is needed for building OpenSSL. If you already have Perl installed, please skip the Install Perl section.
Get Perl from https://downloads.activestate.com/ActivePerl/releases/5.24.0.2400/ActivePerl-5.24.0.2400-MSWin32-x64-300558.exe (SHA256 is 9e6ab2bb1335372cab06ef311cbaa18fe97c96f9dd3d5c8413bc864446489b92) or another source. This version of Perl might be flagged for a security issue, but our estimate is that it is a false positive. Consider installing other versions, or Perl builds from other companies.

Install OpenSSL

Download and extract https://www.openssl.org/source/openssl-1.0.1t.tar.gz (other versions might work but were not tested)
Using "Visual C++ 2015 x64 Native Build Tools Command Prompt" under C:\Program Files (x86)\Microsoft Visual C++ Build Tools\ in the OpenSSL directory issue the following commands:
perl Configure VC-WIN64A no-asm --prefix=C:\OpenSSL-Win64
.\ms\do_win64a.bat
# If the following "clean" fails it's OK, just continue with following commands
nmake -f ms\ntdll.mak clean
nmake -f ms\ntdll.mak
nmake -f ms\ntdll.mak install

npm install -g beame-insta-ssl

Check out our Wiki with how to guides:
  1. Beginner's Guide to beame-insta-ssl with Screenshots
  2. Installing a Non-Terminating Tunnel to IIS on Windows

What is the difference between terminating and non-terminating?

A terminating tunnel makes insta-ssl terminate TLS for you (on the machine that runs it); the output towards your server is plain HTTP (unencrypted). Non-terminating is better if your application runs on a different computer, but in that case it is your task to install the certificate into your server.

How much data can I transfer?

Right now we are not limiting it, but might if we get unreasonable usage.

Can I lose my beame domain?

Yes. If you use it for phishing we will blacklist it and revoke the corresponding certificate (see the license for details). The other way: if you lose your private key, your domain is gone for sure.

Commands for using beame-insta-ssl:

Step 1: Sign up here, humans only, and receive your personal token by email (make sure you use an email you can access).
Step 2: Install beame-insta-ssl by running npm install -g beame-insta-ssl
Step 3: Run the command in your registration confirmation email. beame-insta-ssl will obtain your very own beame hostname, and issue a valid public certificate for it.
The certificate will be ready in moments and you can start using your tunnel right away.
Sample command for bringing up a tunnel:
beame-insta-ssl tunnel make --dst 8008 --proto http
Use the command above if you want a secure connection but don't want to install certificates into your own server. "Proto" means the protocol insta-ssl will output towards your application. You will receive the following output:
Starting tunnel https://qwertyuio.asdfghjkl.v1.d.beameio.net -> http://localhost:8008
Just run your server on the desired port (8008 in the above example) and point any web browser to your random Beame hostname (https://qwertyuio.asdfghjkl.v1.d.beameio.net in the sample output above).
You can also specify a particular Beame hostname to run a tunnel on, for example when you have more than one set of Beame credentials:
beame-insta-ssl tunnel make --dst 8008 --proto http --fqdn qwertyuio.asdfghjkl.v1.d.beameio.net

Insta-ssl for remote access with client-certificate authentication


In order to use beame-insta-ssl as a tunnel for remote access (e.g. SSH, VNC, RDP), define "proto" to "tcp" as in the example below:
beame-insta-ssl tunnel make --dst 3389 --proto tcp --fqdn rdpBeameHostname.v1.p.beameio.net --highestFqdn myhighest.trust.beameio.net --trustDepth 3
In the RDP example above, an access criterion is defined with highestFqdn and trustDepth: if the client certificate has any signing certificate below highestFqdn, and is itself signed above the required trustDepth, it is allowed to access. You may omit highestFqdn and trustDepth; in that case access is granted to any credential signed under your own certificate (think of it as your children, their children and so on, with your credential at the top of the trust tree). If no authentication is required, pass --noAuth true to tunnel make; in that case --fqdn on the client side can be skipped as well. Now run a client to connect to the tunnel from the example above:
beame-insta-ssl tunnelClient make --dst 3389 --fqdn myClientCert.v1.p.beameio.net --src rdpBeameHostname.v1.p.beameio.net
To define the tunnel client, provide a valid certificate (satisfying the condition set by the host) and point it to the right hostname (--src parameter). Ensure that RDP server is running on target, run the RDP client (pre-configured with username and password) on the machine with client and you are done.
SSH? Can't be easier, consider example below:
server (sshd)
beame-insta-ssl tunnel make --dst 22 --proto tcp --fqdn sshBeameHostname.v1.p.beameio.net --highestFqdn myhighest.trust.beameio.net --trustDepth 3
client
beame-insta-ssl tunnelClient make --dst 12345 --fqdn myClientCert.v1.p.beameio.net --src sshBeameHostname.v1.p.beameio.net
run in client terminal
$ ssh 127.0.0.1 -p 12345
The schematic high level of such network will look like:
ssh client ---> raw tcp --> websocket/TLS(x.509') --> Beame.io public routers --> (x.509')TLS/websocket --> raw tcp ---> ssh server
The discriminating reader has already spotted that, for such a tunnel to trust the client, the latter needs a certificate signed by some credential found in the "tunnel" host's own certificate tree. The easiest way to create such a credential is to issue a regToken on the host, use it to create a new credential on the client device, and use that credential for authentication:
Host machine:
beame-insta-ssl creds getRegToken --fqdn sshBeameHostname.v1.p.beameio.net
This will output a long base64 string.
Target device:
beame-insta-ssl creds getCreds --regToken 
This will print a log that ends with: Certificate created! Certificate FQDN is, followed by your new credential's FQDN.
Now just copy/paste that FQDN into the --fqdn parameter of the tunnelClient command.
To complete the picture, here is an ssh example similar to the previous one but without client auth:
server (sshd)
beame-insta-ssl tunnel make --dst 22 --proto tcp --fqdn sshBeameHostname.v1.p.beameio.net --noAuth true
client
beame-insta-ssl tunnelClient make --dst 12345 --src sshBeameHostname.v1.p.beameio.net

Where is my Beame data stored?

Credentials created by you are stored on your machine in the $HOME/.beame folder. You can easily export them to a location of your choice with the export command, which looks like this:
beame-insta-ssl creds exportCred --fqdn qwertyuio.asdfghjkl.v1.d.beameio.net ./destination_folder_path

Advanced: TCP over TLS tunnel, with 3rd party tools, using beame-insta-ssl

Here are the commands you can run to make a generic TCP tunnel over the TLS tunnel provided by Beame.io. This example shows the specific case of exposing an SSH port. Tested on Linux with socat version 1.7.3.1; make sure your socat version is recent enough to support TLS 1.2.

How it works

Establish tunnel using beame-insta-ssl "tunnel" command:
Beame.io infrastructure <--- ssh server
Connect using tunnel, traffic between Beame.io infrastructure and ssh server flows inside the established tunnel, incoming firewall rules near SSH server do not apply.
client ---> Beame.io infrastructure ---> ssh server

Client side

FQDN=something.beameio.net
while true;do date;socat tcp-listen:50001,reuseaddr exec:"openssl s_client -host $FQDN -port 443 -servername $FQDN -quiet";done &
ssh -p 50001 127.0.0.1

Server side (where beame-insta-ssl is installed)

FQDN=something.beameio.net
./main.js tunnel make --dst 50000 --proto https --fqdn $FQDN &
while true;do date;socat openssl-listen:50000,reuseaddr,cert=$HOME/.beame/v2/$FQDN/p7b.cer,key=$HOME/.beame/v2/$FQDN/private_key.pem,method=TLS1.2,verify=0 TCP4:127.0.0.1:22;done

How much does it cost?

Your first beame credential is and will remain free.

How do you guys make money?


Visit our web-site to know better what we are doing.

from https://github.com/beameio/beame-insta-ssl
Official website: https://www.beame.io/

Shapeshifter Dispatcher

Shapeshifter Dispatcher converts Pluggable Transports that implement the Go API from the Pluggable Transports 2.0 specification into proxies usable by applications. Several proxy modes are provided, including proxying of both TCP and UDP traffic.

Operator makes usable tools to help people around the world with censorship, security, and privacy.

The Shapeshifter project provides network protocol shapeshifting technology (also sometimes referred to as obfuscation). The purpose of this technology is to change the characteristics of network traffic so that it is not identified and subsequently blocked by network filtering devices.
There are two components to Shapeshifter: transports and the dispatcher. Each transport provides a different approach to shapeshifting. These transports are provided as a Go library which can be integrated directly into applications. The dispatcher is a command line tool which provides a proxy that wraps the transport library. It has several different proxy modes and can proxy both TCP and UDP traffic.
If you are a tool developer working in the Go programming language, then you probably want to use the transports library directly in your application. https://github.com/OperatorFoundation/shapeshifter-transports
If you are an end user who is trying to circumvent filtering on your network, or you are a developer who wants to add pluggable transports to an existing tool that is not written in the Go programming language, then you probably want the dispatcher. Please note that familiarity with executing programs on the command line is necessary to use this tool. https://github.com/OperatorFoundation/shapeshifter-dispatcher
If you are looking for a complete, easy-to-use VPN that incorporates shapeshifting technology and has a graphical user interface, consider Moonbounce, an application for macOS which incorporates shapeshifting without the need to write code or use the command line.

Shapeshifter Dispatcher

This is the repository for the shapeshifter-dispatcher command line proxy tool. If you are looking for the transports it provides, they are here: https://github.com/OperatorFoundation/shapeshifter-transports
The dispatcher implements the Pluggable Transports 2.1 draft 1 specification available here: https://github.com/Pluggable-Transports/Pluggable-Transports-spec/tree/master/releases/PTSpecV2.1Draft1
The purpose of the dispatcher is to provide different proxy interfaces to using transports. Through the use of these proxies, application traffic can be sent over the network in a shapeshifted form that bypasses network filtering, allowing the application to work on networks where it would otherwise be blocked or heavily throttled.
The dispatcher currently supports the following proxy modes:
  • SOCKS5 (with optional PT 2.0 authentication protocol)
  • Transparent TCP
  • Transparent UDP
  • STUN UDP
The dispatcher currently supports the following transports:
  • obfs4
  • optimizer
  • shadow (Shadowsocks)

Installation

The dispatcher is written in the Go programming language. To compile it you need to install Go 1.10.2 or higher:
https://golang.org/doc/install
If you just installed Go for the first time, you will need to create a directory to keep all of your Go source code:
mkdir ~/go
If you already have Go installed, make sure it is a compatible version:
go version
The version should be 1.10.2 or higher.
If you get the error "go: command not found", then try exiting your terminal and starting a new one.
If you have a compatible Go installed, you should go to the directory where you keep all of your Go source code and set your GOPATH:
cd ~/go
export GOPATH=~/go
Software written in Go is installed using the go get command:
go get -u github.com/OperatorFoundation/shapeshifter-dispatcher/shapeshifter-dispatcher
This will fetch the source code for shapeshifter-dispatcher, and all the dependencies, compile everything, and put the result in bin/shapeshifter-dispatcher.

Running

Run without argument to get usage information:
bin/shapeshifter-dispatcher
A minimal configuration requires at least --client, --state, and --transports. Example:
bin/shapeshifter-dispatcher --client --state state --transports obfs2
Use either --client or --server to place the proxy into client or server mode, respectively. Use --state to specify a directory to put transports state information. Use --transports to specify which transports to launch.
The default proxy mode is SOCKS5 (with optional PT 2.0 authentication protocol), which can only proxy SOCKS5-aware TCP connections. For some transports, the proxied connection will also need to know how to speak the PT 1.0 authentication protocol. This requirement varies by the transport used.
Another TCP proxy mode is available, Transparent TCP, by using the --transparent flag. In this mode, the proxy listens on a socket and any data from incoming connections is forwarded over the transport.
UDP proxying can be enabled with the --udp flag. The default UDP mode is STUN packet proxying. This requires that the application only send STUN packets, so works for protocols such as WebRTC, which are based on top of STUN.
Another UDP proxy mode is available, Transparent UDP, by using the --transparent flag with the --udp flag. In this mode, the proxy listens on a UDP socket and any incoming packets are forwarded over the transport.
Only one proxy mode can be used at a time.
The full set of command line flags is specified in the Pluggable Transport 2.1 draft 1 specification. https://github.com/Pluggable-Transports/Pluggable-Transports-spec/tree/master/releases/PTSpecV2.1Draft1

Running with obfs4

Here are example command lines to run the dispatcher with the obfs4 transport:
Server
bin/shapeshifter-dispatcher -transparent -server -state state -orport 127.0.0.1:3333 -transports obfs4 -bindaddr obfs4-127.0.0.1:2222 -logLevel DEBUG -enableLogging -extorport 127.0.0.1:3334
This runs the server in transparent TCP proxy mode. The directory "state" is used to hold transport state. The destination that the server will proxy to is 127.0.0.1, port 3333. For this demo to work, something needs to be running on this host and port. You can use netcat to run a simple server with "nc -l 3333". The obfs4 transport is enabled and bound to the address 127.0.0.1 and the port 2222. Logging is enabled and set to DEBUG level. The statistics reporting server address is also required on the server and is set to 127.0.0.1, port 3334. However, this service does not actually need to be running for the demo to work. To access this Log for debugging purposes, go to user/go/state/dispatcher.log
When the server is run for the first time, it will generate a new public key and it will write it to a file in the state directory called obfs4_bridgeline.txt. This information is needed by the dispatcher client. Look in the file and retrieve the public key from the bridge line. It will look similar to this:
Bridge obfs4 :  cert=OfQAPDamjsRO90fDGlnZR5RNG659FZqUKUwxUHcaK7jIbERvNU8+EVF6rmdlvS69jVYrKw iat-mode=0
The cert parameter is what is needed for the dispatcher client.
Client
bin/shapeshifter-dispatcher -transparent -client -state state -target 127.0.0.1:2222  -transports obfs4 -proxylistenaddr 127.0.0.1:1443 -optionsFile obfs4.json -logLevel DEBUG -enableLogging 
This runs the client in transparent TCP proxy mode. The directory "state" is used to hold transport state. The address of the server is specified as 127.0.0.1, port 2222. This is the same address as was specified on the server command line above. For this demo to work, the dispatcher server needs to be running on this host and port. The obfs4 transport is enabled and bound to the address 127.0.0.1 and the port 1443. The -optionsFile parameter is different for every transport. For obfs4, the "cert" and "iat-mode" parameters are required. These can be found in the obfs4_bridgeline.txt in the server state directory, which is generated by the server the first time that it is run. It is important for the cert parameter to be correct, otherwise obfs4 will silently fail. You can input your parameters in the Obfs4.json file in the shapeshifter-dispatcher folder or you can put the parameters in directly in this format:
bin/shapeshifter-dispatcher -transparent -client -state state -target 127.0.0.1:2222 -transports obfs4 -proxylistenaddr 127.0.0.1:1443 -options '{"cert": "OfQAPDamjsRO90fDGlnZR5RNG659FZqUKUwxUHcaK7jIbERvNU8+EVF6rmdlvS69jVYrKw", "iat-mode": "0"}' -logLevel DEBUG -enableLogging
Logging is enabled and set to DEBUG level.
Once the client is running, you can connect to the client address, which in this case is 127.0.0.1, port 1443. For instance, you can telnet to this address:
telnet 127.0.0.1 1443
Any bytes sent over this connection will be forwarded through the transport server to the application server, which in the case of this demo is a netcat server. You can also type bytes into the netcat server and they will appear on the telnet client, once again being routed over the transport.

Environment Variables

Using command line flags is convenient for testing. However, when launching the dispatcher automatically from inside of an application, another option is to use environment variables. Most of the functionality specified by command line flags can also be set using environment variables instead.
The full set of environment variables is specified in the Pluggable Transport 2.1 draft 1 specification. https://github.com/Pluggable-Transports/Pluggable-Transports-spec/tree/master/releases/PTSpecV2.1Draft1

Credits

shapeshifter-dispatcher is based on the Tor project's "obfs4proxy" tool.
  • Yawning Angel for obfs4proxy
  • David Fifield for goptlib
  • Adam Langley for the Go Elligator implementation.
  • Philipp Winter for the ScrambleSuit protocol.
from https://github.com/OperatorFoundation/shapeshifter-dispatcher


Pluggable Transports

https://www.pluggabletransports.info/
https://www.pluggabletransports.info/about/
https://www.pluggabletransports.info/how/
https://www.pluggabletransports.info/build/
-------------------------------------------------

Pluggable Transport Specification Documents



The current version of the PT specification is 2.1. It is available, along with requests for modifications, at this page on Github.
Pluggable Transports are a concept developed by The Tor Project that provide ways to protect your data from aggressive censorship techniques, and can be included in a variety of tools. The Tor Project authored the original Pluggable Transports specification for use in the tor network environment.

from https://www.pluggabletransports.info/spec/#build

ptadapter

Pluggable Transports Python interface & standalone tunnels.
ptadapter is a Python 3 package that interfaces with Pluggable Transports.
Pluggable Transports (PT) are originally created for Tor as a modular, interchangeable (pluggable) method of tunneling and obfuscating network traffic (transport). This design makes PTs useful not only for Tor, but many other use cases where traffic obfuscation is desired. Learn more about Pluggable Transports at the dedicated website, https://www.pluggabletransports.info/
This package implements Version 1 of the Pluggable Transport specifications (relevant specs can be found in the specifications directory). Version 2 of the specs is in development: refer to the website linked above for progress.
(This package also implements Tor's Extended ORPort protocol, which can be optionally used to receive server connections from PTs.)
This package REQUIRES Python 3.7 or higher. It has no 3rd-party dependencies.

What's Included

This package implements several Python classes that execute and communicate with a PT subprocess, allowing connections to be made through the PT as a client, or received as a server. The code is built on top of asyncio, and uses the familiar StreamReader and StreamWriter for connections.
Also included is a ready-made tool that can run PTs as a standalone tunnel. No coding is necessary to use this.

What's Required

  • Python 3.7 or above.
  • The Pluggable Transport to be used, as an executable program. This may be installed from the repository, built from source, extracted from the Tor Browser Bundle, etc.

How to get this package

This package is now uploaded to PyPI, so install it the usual way:
pip install ptadapter
If you don't want to install, you could also clone this repository or download a source package, and put the ptadapter directory in the working directory or somewhere in your PYTHONPATH.

How to use PTs in your own Python program

Start with the Documentation. Currently the docs are hosted on Github Pages and updated manually. When Read The Docs supports building docs with Python 3.7, the docs will be moved there.

How to create a standalone PT tunnel

If the package is installed via pip, an entry script called ptadapter is created, so run the command below to see usage:
ptadapter --help
Otherwise, run:
python -m ptadapter --help
A configuration file should be provided to the script. The Documentation contains a detailed guide page, which includes an example config file with detailed comments; the example config file can also be found in this repository.

from https://github.com/twisteroidambassador/ptadapter
https://github.com/twisteroidambassador/ptadapter/raw/master/example_config.ini
----

Pluggable transports like meek and obfs4 can be difficult to use outside of Tor. That’s because they communicate with a parent process using a specification that is not widely implemented. ptadapter wraps pluggable transports to provide a simple local TCP interface so that pluggable transports can easily be used by other programs.

Here is a tutorial on using ptadapter and obfs4 to obfuscate a simple HTTP proxy.

Server

Install the dependencies.
$ sudo apt install python3-pip obfs4proxy ncat
$ sudo pip3 install ptadapter
Run your HTTP proxy, listening on a localhost port. (You can replace this step with any kind of server you want.)
$ ncat -l -k --proxy-type http 127.0.0.1 3128
Create a file called ptadapter.ini. The format is documented here
[server]
exec = /usr/bin/obfs4proxy
state = pt_state
forward = 127.0.0.1:3128
tunnels = server_obfs4
[server_obfs4]
transport = obfs4
listen = 0.0.0.0:9999 # replace this with a port of your choice
Run ptadapter on the configuration file. Now you have an external obfs4 listener on 0.0.0.0:9999 that will deobfuscate traffic and forward it to 127.0.0.1:3128.
$ ptadapter -S ptadapter.ini
Get the bridge’s certificate from pt_state/obfs4_bridgeline.txt. The important part is cert=..., the obfs4 server’s public key information. You will need it when setting up the client.
$ cat pt_state/obfs4_bridgeline.txt
Bridge obfs4 :  cert=1/x+AlgQH0T9ZD23FUzs7SeYzDFhxIXjlbTwU7ExkAXVAmi601C4S4Auk+oRqniAIbqmXg iat-mode=0

Client

Install the dependencies.
$ sudo apt install python3-pip obfs4proxy
$ sudo pip3 install ptadapter
Create a file called ptadapter.ini. Copy the values for options-cert and options-iat-mode from pt_state/obfs4_bridgeline.txt on the server.
[client]
exec = /usr/bin/obfs4proxy
state = pt_state
tunnels = client_obfs4
[client_obfs4]
transport = obfs4
listen = 127.0.0.1:3128
upstream = :9999
options-cert = 1/x+AlgQH0T9ZD23FUzs7SeYzDFhxIXjlbTwU7ExkAXVAmi601C4S4Auk+oRqniAIbqmXg
options-iat-mode = 0
Run ptadapter on the configuration file. Now you have a local listener at 127.0.0.1:3128 that will obfuscate and forward to server:9999, which will then deobfuscate and forward to its own 127.0.0.1:3128. Basically, the client’s port 3128 is connected to the server’s port 3128 through a magic obfuscated tunnel.
$ ptadapter -C ptadapter.ini
Now you can test the tunnel, treating the client’s local 127.0.0.1:3128 as if it were an HTTP proxy.
$ curl -x http://127.0.0.1:3128/ https://wtfismyip.com/text

You can also configure 127.0.0.1:3128 in your web browser, etc.

Troubleshooting

Use the -v option to make ptadapter more verbose.
$ ptadapter -vv -S ptadapter.ini
$ ptadapter -vv -C ptadapter.ini
Enable obfs4proxy logging in ptadapter.ini. The logs will appear in pt_state/obfs4proxy.log.
[server]
exec = /usr/bin/obfs4proxy --enableLogging --unsafeLogging --logLevel=DEBUG

from https://ntc.party/t/ptadapter/275
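A check for the hand-copied obfs4 parameters that both the shapeshifter-dispatcher walkthrough and the ptadapter tutorial above rely on, added here as a Python example that is not part of either project: it parses a bridge line, validates the shape of the cert, and compares a ptadapter client ini or a dispatcher -options JSON value against it. The sample bridge line and ini are the ones quoted in the tutorial; treating "tunnels =" as a space- or comma-separated list of section names is an assumption.

```python
"""Cross-check an obfs4 client configuration against the server's bridge line.

Added example, not code from shapeshifter-dispatcher or ptadapter. Both
walkthroughs above have the operator copy cert= and iat-mode= out of
obfs4_bridgeline.txt by hand, and a wrong cert makes obfs4 fail silently.
"""
import base64
import binascii
import configparser
import json

OBFS4_CERT_LEN = 52  # node ID (20 bytes) + Curve25519 public key (32 bytes)

# Sample input: the bridge line and client ini shown in the ptadapter tutorial above.
SAMPLE_BRIDGE_LINE = "Bridge obfs4 :  cert=1/x+AlgQH0T9ZD23FUzs7SeYzDFhxIXjlbTwU7ExkAXVAmi601C4S4Auk+oRqniAIbqmXg iat-mode=0"
SAMPLE_CLIENT_INI = """\
[client]
exec = /usr/bin/obfs4proxy
state = pt_state
tunnels = client_obfs4
[client_obfs4]
transport = obfs4
listen = 127.0.0.1:3128
upstream = :9999
options-cert = 1/x+AlgQH0T9ZD23FUzs7SeYzDFhxIXjlbTwU7ExkAXVAmi601C4S4Auk+oRqniAIbqmXg
options-iat-mode = 0
"""


def parse_bridge_line(line: str) -> dict:
    """Return the key=value fields of a bridge line plus its transport name."""
    # Tokens without "=" (the ":" placeholder here, or IP:PORT and the relay
    # fingerprint in a Tor bridge line) carry no obfs4 parameters and are skipped.
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "Bridge":
        raise ValueError("not a bridge line")
    params = {"transport": tokens[1]}
    for tok in tokens[2:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            params[key] = value
    return params


def decode_obfs4_cert(cert: str) -> bytes:
    """Decode the unpadded base64 cert; raise ValueError if it is malformed."""
    padded = cert + "=" * (-len(cert) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"cert is not valid base64: {exc}") from None
    if len(raw) != OBFS4_CERT_LEN:
        raise ValueError(f"cert decodes to {len(raw)} bytes, expected {OBFS4_CERT_LEN}")
    return raw


def validate_params(params: dict) -> list:
    """Sanity-check parsed bridge-line parameters; return a list of problems."""
    problems = []
    if params.get("transport") != "obfs4":
        problems.append(f"transport is {params.get('transport')!r}, expected 'obfs4'")
    try:
        decode_obfs4_cert(params.get("cert", ""))
    except ValueError as exc:
        problems.append(str(exc))
    if params.get("iat-mode") not in {"0", "1", "2"}:
        problems.append(f"iat-mode is {params.get('iat-mode')!r}, expected 0, 1 or 2")
    return problems


def check_ptadapter_client(ini_text: str, params: dict) -> list:
    """Compare every [client] tunnel of a ptadapter ini with the bridge line."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    if "client" not in cfg:
        return ["no [client] section"]
    problems = []
    # Assumption: "tunnels" lists section names separated by spaces or commas.
    for name in cfg["client"].get("tunnels", "").replace(",", " ").split():
        if name not in cfg:
            problems.append(f"tunnel section [{name}] missing")
            continue
        for key, expected in (("transport", params.get("transport")),
                              ("options-cert", params.get("cert")),
                              ("options-iat-mode", params.get("iat-mode"))):
            if cfg[name].get(key) != expected:
                problems.append(f"[{name}] {key} does not match the bridge line")
    return problems


def check_dispatcher_options(options_json: str, params: dict) -> list:
    """Compare a shapeshifter-dispatcher -options JSON value with the bridge line."""
    opts = json.loads(options_json)
    problems = []
    for key, expected in (("cert", params.get("cert")), ("iat-mode", params.get("iat-mode"))):
        if str(opts.get(key)) != expected:
            problems.append(f"-options {key} does not match the bridge line")
    return problems
```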

Related posts:
https://briteming.blogspot.com/2019/10/pluggable-transports.html
https://briteming.blogspot.com/2019/10/shapeshifter-dispatcher.html

年代向錢看 (Era News talk show): Trump and Xi Jinping's interim trade-war agreement hits a snag!


On the Fourth Plenum's ambition to govern the world


At the Fourth Plenum now under way, the inside picture leaked by the media is one of dodging substance for emptiness: avoiding an awkward reality and holding forth on hollow terms and theories. Stranger still, having governed their own country into economic decline and a flight of foreign capital and foreign firms, they talk grandly of strengthening a "modernized system and capacity" to govern the world. It is odd, devious and rather comical. A meeting convened only after a gap of 20 months has turned out this bizarre, deceiving the world with grand words and ruling by lies; one can see that the fortunes of the CCP elite have truly run out, and that they have neither a way forward nor a trick left.
Overseas observers say the CCP has shifted from its earlier expansion and offense to retreat and parrying. Whether the US-China trade war, the street battles in Hong Kong, the election battle in Taiwan, or a domestic economy sliding toward negative growth, these are pressing matters that cannot be avoided, yet they are propped up and covered over with empty, grand words. This abnormal behaviour shows that the world is hard to deceive and the people hard to fool!
They once hoped to stall until Trump was dragged out of office, but the stalling instead produced a Democratic and Republican consensus against the communists; so they have switched from waiting Trump out to propping up his re-election. As for the stalemate in Hong Kong, was it not their insistence on strengthening "Party people ruling Hong Kong" and weakening "Hong Kong people ruling Hong Kong" that produced five months of street protest? Hong Kong, the Pearl of the Orient, perfectly sound, has been governed into chaos, and still they boast that China has a prescription to cure the world. As the folk saying goes: your own backside is bleeding and you claim you can cure other people's haemorrhoids; even a ghost would not buy it.
With external worries pressing in and internal troubles closing around, the economic slide and soaring prices are sharpening and worsening; even the price of pork is rising at a pace chasing the inflation of the CCP's good old friends Venezuela and Zimbabwe. Yet what leaks out of the Fourth Plenum is that it does not face these troubles, nor resolve the troubles stirred up by the offense and expansion of recent years, but borrows pretty terms and slogans: "promoting a modernized system and capacity", going beyond the Four Modernizations to some "Five Modernizations". As if they were experts at modernization, when they are nothing but the black hand of dyed-in-the-wool autocracy.
The Five Modernizations were proposed by Wei Jingsheng on the Xidan Democracy Wall in 1978, pointing out that Deng's Four Modernizations, lacking the reform of political modernization, were bound to run into trouble. It struck Deng's fatal weak point; in his anger Deng not only shut down the Xidan Wall but handed the originator of the Five Modernizations, Wei Jingsheng, a heavy sentence. In the end Wei was traded to Clinton for most-favoured-nation status before being released to the United States. Today the CCP, out of tricks and out of words, steals his concept of the Five Modernizations, of democratic politics, and uses it to modernize its autocracy: modernizing the market to breed a privileged class, and re-modernizing autocratic politics with technology. Everything they do with "modernity" revolves around autocracy, only more barbaric, more of the jungle, ever further from modern civilization. The 39 Chinese and Vietnamese who recently died being smuggled into Britain were voting with their feet, living proof of people risking death to reach civilized society.
The CCP has said every fine word and done every bad deed for 70, 80, 90 years; are the people still willing to be fooled?
This old man, an awakened one, having gained from 70 years of the CCP's blood and fire an awareness carved into the bone, therefore disregards the risk and uses truth and the true picture to awaken those still lost. Just open up the theories and slogans with which they govern, review the old and you understand the new; it becomes clear at heart.
Today's patriotism, was it not once blackened and then made red again?
In the early 1930s the Japanese set up Manchukuo in the northeast, and the Soviets incited Chinese to set up the Chinese Soviet Republic in Jiangxi; the name "Soviet Republic" plainly marks a branch of the Soviet Union. Mao Zedong, chairman of the Jiangxi soviet, and Puyi, who served as Japan's puppet: Mao served as the Soviets' claw, were they not the same sort? At that time they preached the internationalism of "the workers have no fatherland" (Lenin's words) and denounced nationalistic patriotism as chauvinism. Today, with no Comintern to lean on, only nationalism dressed as patriotism is left to play, and what was once condemned is now declared a core value to be cherished; is that not another swindle? Those who have swallowed the CCP's patriotic knockout drug should look: the June Fourth Tiananmen students, patriotic to the core in the spirit of "I offer my blood to Xuanyuan", were killed for their real patriotism, while the fake-patriot CCP elite shout "love the country" and secretly sell it, quietly signing away and legalizing the sale to Russia of over a million square kilometres of land beyond the Heilongjiang and Ussuri rivers, still treating as the ancestral state a country that has long since changed its dynasty and regime; and they turn the squeezed wealth of the people into dollars stashed abroad, villas, and a paradise for their wives and children. They shout patriotic slogans while doing nothing but sell out the country, and organize overseas Boxer bands to wave a new flag of patriotic royalism. One might borrow the words of their own founding father against patriotism to expose their present face; Lenin said: "Whenever a country's politics and economy face a grave crisis, the tattered flag of patriotism gives off its stench again." Now the CCP has turned that stench into a potion that smells sweet to the brainwashed who have lost their sense of self, who are bewildered and fooled; is this old trick new? The Qing's Empress Dowager Cixi played it too, failed, and paid hundreds of millions of taels of silver in indemnities.
The concept of democracy, like modernization, has been toyed with for generations
Our generation, in its youth, was deceived by the CCP's so-called New Democracy, which also fooled John Service of the American Dixie Mission in Yan'an, and Roosevelt, Truman and others. Mao said that Sun Yat-sen's Three Principles of the People, inheriting government of, by and for the people, were "old democracy", and draped his autocratic dictatorship, which wanted no democracy, freedom or equality, in a cloak of "New Democracy", adding the illusion of a coalition government that did not look like one-party rule. Within two or three years he tore off the cloak of democratic coalition and imposed one-party dictatorship. Seventy years of dictatorship have reduced the few "flower-vase" parties that help him stand on stage to less than concubines, while a democratic signboard still hangs over them as rouge for the dictatorship. And the social structure has been turned from self-government to Party government, with branches built into villages and communities, extended into temples and religion, and further into overseas Chinese associations; still not content, they shout every moment: strengthen the Party's leadership!
Call him out for hanging the sheep's head of New Democracy while selling the dog meat of old autocracy, and Mao would quibble that his was "people's democracy"; yet under his autocratic bungling 40 million people starved to death, and died in silence, no one daring to make a sound. The Party secretaries who did speak up at the 7,000-cadre conference of 1962 were all branded capitalist-roaders in the Cultural Revolution and locked in "cowsheds". However he quibbled and played with words, "people's democracy", "democratic centralism democracy", "democracy with Chinese characteristics" and so on, the generations who boarded the pirate ship in pursuit of democracy from the 1940s on, from the generation of Li Rui, Li Pu and Li Shenzhi to the generation that followed New Democracy, deceived by the CCP's democratic pretence, and the generation that supported reform and opening, were all defrauded into despair, and only awakened to the autocracy through the blood of the Cultural Revolution and the blood of June Fourth. Do these seven years of Maoization and leftward turn not spur people to awaken even more?
Today they shuffle their word games, pick up the Five Modernizations they once condemned, repackage them, and swagger out to swindle again, using every means of modernization to fortify their autocracy, even claiming that the capitalism played by this Communist Party is more efficient than the capital and markets run by democratic parties. A pity that the game has brought a great flight of capital and talent; now that a crisis has arrived they still slap their faces swollen to look fat. They think it still dazzles backward Africa, without seeing that they have already earned the mocking label of neo-colonialists.
Marxism-Leninism is in tatters; can Confucianism be a plaster to patch it?
At the Fourth Plenum they play with theory and terminology, still preaching "never forget the original aspiration, keep the mission in mind". The so-called original aspiration is nothing but their Marxist-Leninist fundamentalism. Marx said the labouring working class that emerged in the 18th century was most advanced; the year Deng Xiaoping toured Japanese factories, he found the advanced class had become intelligent robots. Old Marx's theoretical foundation went bankrupt there. And Lenin's October Revolution has been corrected in Russia's eleventh-grade textbooks to the October coup. Lenin was no teacher but a traitor to Russia who took 50 million gold marks from the German Kaiser back to Russia to overthrow the democratic coalition government; not only has Moscow built a memorial to the victims of Soviet political repression, but reportedly, for this year's CCP National Day, the Russian foreign ministry sent a note to the CCP asking it not to keep honouring a Russian traitor they have condemned as the CCP's teacher and displaying him at the National Day ceremony.
Precisely because their Marxism-Leninism has become political garbage, and this "original aspiration", the fundamentalist creed, cannot even be explained, they have to go digging in the Confucianism they once criticized, burned and wiped out, scraping a few dregs from the cultural ruins to make a plaster to patch the holes in Marxism-Leninism. Is this modern consciousness, or stale old goods?
This Confucian school was already attacked in the May Fourth era, when Wu Yu led the charge to "smash the Confucian shop"; Mao's "riffraff" peasant movement of 1926 and the later land reform smashed it too, along with the bodhisattvas in the temples and the sages enshrined in Confucian temples. Seizing on a line of Confucius, "restrain oneself and restore the rites", quoted by Lin Biao, they launched the late Cultural Revolution campaign to criticize Lin Biao, Confucius and the Duke of Zhou, and attacked it again. Now their ideological storehouse cannot scrape together a weapon even from its scraps, so they have to invite Confucius back out, taken with his feudal ethics of "ruler be ruler, minister be minister, father be father, son be son". These red princelings have put it to lively use: the Zhongnanhai elite revere Confucius and read the classics, yet where Confucius preached benevolent government they cling unwaveringly to unbenevolent tyranny; what the Politburo has borrowed is "ruler be ruler, minister be minister", turning the comradely relations among Standing Committee members into relations of sovereign and subject, have they not? This fervour for the sovereign-subject politics of two thousand years ago, on which they claim they will govern the world, is nothing but:
the donkey of Guizhou at the end of its tricks: facing political and economic crisis, dodging reality with grand, empty words, the helplessness of King Hui of Liang, who "looked left and right and spoke of other things".
Those advisers who can only play with false, grand, empty terms and concepts, pandering to their master's temperament, merely help him muddle through the hard questions of this Central Committee with its auditing role, and then utter some somnambulist talk of "theoretical confidence": the gun is in my hand, who dares say no.
In sum, once the Fourth Plenum communiqué is published it will expose their crisis more fully, and the contradictions smothered behind the iron curtain will show more. There will be more to comment on then.

Wednesday 30 October 2019

A node-based tunnel program: node-ssltunnel

What is ssltunnel?

This is a lightweight TCP over SSL / TLS tunnel running over node. If you need to add confidentiality (privacy), integrity, and authenticity to your TCP stream this is the tool for you.

Installation

Please follow the following steps to get it up and running:
  1. Download and install latest node (don't worry, it is small)
  2. Enter CMD and run: npm install ssltunnel
  3. The ssltunnel package now resides under ./node_modules/ssltunnel

Creating certificates

ssltunnel uses client and server certificates to create a proper TLS connection. While a server certificate is enough to ensure confidentiality and integrity, a client certificate is required to ensure authenticity.
Test certificates are provided in the testcerts folder. You can start playing with ssltunnel using them.
Please do not use test certificates for production.
You can easily create your certificates using openssl. Each certificate is represented by a key pair. The steps are the same for both client and server certificates. See some example of certificate generation below.
  $ openssl genrsa -out private.pem 2048
  $ openssl req -new -x509 -key private.pem -out public.pem -days 3650
PLEASE KEEP YOUR PRIVATE KEYS SECURE

Running the ssltunnel

Imagine you have a client-server application. The server is running on my_host:8080. You can route the traffic via the SSL tunnel by creating both ssltunnel's server and client roles:
d:\src\ssltunnel\bin>ssltunnel.cmd -r server \
--proxy_port 54443 \
--server_port 8080 \
--server_host my_host \
--srv_pub_cert ..\testcerts\sc_public.pem \
--clt_pub_cert ..\testcerts\cc_public.pem \
--srv_prv_cert ..\testcerts\sc_private.pem

Running 'server' role. Listening on 54443, decrypting and forwarding to real server machine on my_host:8080
d:\src\ssltunnel\bin>ssltunnel.cmd -r client \
--proxy_port 54080 \
--server_port 54443 \
--server_host my_ssltunnel_server_host \
--srv_pub_cert ..\testcerts\sc_public.pem \
--clt_pub_cert ..\testcerts\cc_public.pem \
--clt_prv_cert ..\testcerts\cc_private.pem


Running 'client' role. Listening on 54080, encrypting and forwarding to ssltunnel's server on my_ssltunnel_server_host:54443
Now, just point your client to the machine where ssltunnel's client is running (localhost?) on port 54080, and ssltunnel will take care of forwarding the data to the server securely.
This is the list of all arguments ssltunnel supports:
d:\src\ssltunnel\bin>ssltunnel
Usage node d:\src\ssltunnel\bin\run_ssltunnel.js

Options:
  -r, --role      The role of the tunnel component, either 'client' or 'server'              [required]
  --proxy_port    The proxy listener's port                                                  [required]
  --server_host   The server's hostname. Either ssltunnel's server role or back-end server   [default: "localhost"]
  --server_port   The server's port. Either ssltunnel's server role or back-end server       [required]
  --log_level     SSLTunnel logging level. One of: 'error', 'warn', 'info', or 'log'         [default: "log"]
  --keep_alive    Use TCP keep-alive when connecting to an sslserver. 
                  Provide keep-alive delay in ms. Use negative value for
                  turning keep-alive off. Relevant for client role only.                     [default: "30000"]
  --srv_pub_cert  Public certificate file for ssltunnel's server                             [required]
  --srv_prv_cert  Private certificate file for ssltunnel's server
  --clt_pub_cert  Public certificate for ssltunnel's client                                  [required]
  --clt_prv_cert  Private certificate for ssltunnel's client


Missing required arguments: r, proxy_port, server_port, srv_pub_cert, clt_pub_cert
 
from https://github.com/anodejs/node-ssltunnel 
-----

My additional notes:

On the local machine (a Mac), first install the Node.js environment. Then:
npm install ssltunnel 
(A node_modules directory is created in the current directory.)
cd node_modules/ssltunnel/  
ls
Output:
LICENSE  bin  docs  package.json
README.md certs  lib  testcerts

cd bin
node run_ssltunnel.js -h
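Worked example, added here and not part of node-ssltunnel or its README: the same two-role TCP-over-TLS arrangement written in Go, chosen because Go's standard library can mint the throwaway certificates in-process, so the example runs offline without openssl. The server role listens with TLS, insists on the client certificate it already knows (the README's --clt_pub_cert) and forwards plaintext to the backend; the client role accepts plaintext and dials the server role with its own certificate, trusting exactly the server's certificate (--srv_pub_cert). Loopback ephemeral ports, an echo service standing in for my_host:8080, and the function names (selfSigned, roleConfigs, relay, startTunnel, probe) are all assumptions of this example. The anon config demonstrates the README's authenticity point: knowing the server's public certificate is enough to start TLS with the server role, but without a client key nothing gets through.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"time"
)

// must panics on loopback setup errors: a broken environment, not a tunnel condition to handle.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned mints a throwaway self-signed cert and key, standing in for the README's openssl-made sc_*/cc_* pairs.
func selfSigned() tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, // the example only ever dials loopback
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// roleConfigs mirrors the README's flags: the server role presents sc_* and accepts only clt_pub_cert;
// the client role presents cc_* and trusts exactly srv_pub_cert; anon has srv_pub_cert but no client key.
func roleConfigs(srv, clt tls.Certificate) (server, client, anon *tls.Config) {
	cltPool, srvPool := x509.NewCertPool(), x509.NewCertPool()
	cltPool.AddCert(clt.Leaf)
	srvPool.AddCert(srv.Leaf)
	server = &tls.Config{Certificates: []tls.Certificate{srv}, ClientCAs: cltPool, ClientAuth: tls.RequireAndVerifyClientCert}
	client = &tls.Config{Certificates: []tls.Certificate{clt}, RootCAs: srvPool}
	return server, client, &tls.Config{RootCAs: srvPool}
}

// relay accepts on ln and splices each connection onto a fresh upstream from dial; both roles are this loop.
func relay(ln net.Listener, dial func() (net.Conn, error)) {
	for {
		down, err := ln.Accept()
		if err != nil {
			return
		}
		go func() {
			if up, err := dial(); err == nil {
				go func() { io.Copy(up, down); up.Close() }() // either direction ending tears down both
				io.Copy(down, up)
			}
			down.Close()
		}()
	}
}

// startTunnel wires app -> client role -(TLS)-> server role -> backend on loopback ephemeral ports;
// the backend is a plain TCP echo service standing in for the README's my_host:8080.
func startTunnel() (clientAddr, serverAddr string, client, anon *tls.Config) {
	serverCfg, clientCfg, anonCfg := roleConfigs(selfSigned(), selfSigned())
	echo := must(net.Listen("tcp", "127.0.0.1:0"))
	serverLn := tls.NewListener(must(net.Listen("tcp", "127.0.0.1:0")), serverCfg) // server role's --proxy_port
	clientLn := must(net.Listen("tcp", "127.0.0.1:0"))                             // client role's --proxy_port
	go relay(echo, func() (net.Conn, error) { // echo: a pipe whose far end writes back what it reads
		a, b := net.Pipe()
		go func() { io.Copy(a, a) }()
		return b, nil
	})
	go relay(serverLn, func() (net.Conn, error) { return net.Dial("tcp", echo.Addr().String()) })
	go relay(clientLn, func() (net.Conn, error) { return tls.Dial("tcp", serverLn.Addr().String(), clientCfg) })
	return clientLn.Addr().String(), serverLn.Addr().String(), clientCfg, anonCfg
}

// probe sends msg to addr (over TLS with cfg when non-nil) and returns the reply; an error means none
// came back, for example because the server role refused the handshake.
func probe(addr string, cfg *tls.Config, msg string) (string, error) {
	c := must(net.DialTimeout("tcp", addr, 5*time.Second))
	defer c.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second)) // never hang on a dead tunnel
	if cfg != nil {
		tc := cfg.Clone()
		tc.ServerName, _, _ = net.SplitHostPort(addr) // checked against the certificate's IP SAN
		c = tls.Client(c, tc)
	}
	buf := make([]byte, len(msg))
	_, err := c.Write([]byte(msg))
	if err == nil {
		_, err = io.ReadFull(c, buf)
	}
	return string(buf), err
}
```

In the README's terms, relay(serverLn, ...) is the server role (its --proxy_port, forwarding to --server_host/--server_port) and relay(clientLn, ...) is the client role; keep_alive and log_level are not modelled. Note that the "private certificate" files in the usage output are private keys: only the role that holds the key can present the matching certificate, which is why the README's warning to keep them secure is the whole basis of the authenticity guarantee.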

 

Hongfu: the "most evil in history" is dead, but the soil that breeds devils remains


Baghdadi is dead; good riddance, well done, splendidly done. Thank God, and thank the Americans: the world has one devil fewer and hell has one more dead soul. All the people who trembled at the mere sound of his name can finally breathe a long sigh of relief, and the countless souls wronged by ISIS atrocities can finally let their grievances rest a little.
But to say he "died like a dog, like a coward" is an exaggeration that misses the truth. Anyone who thinks about it for a second knows that a specimen who blows up his wife and children along with himself to avoid capture cannot be a coward. He was plainly a fool, a fool dumber than a pig, dumb enough to sincerely believe that the blast would carry him and his wife and children to paradise, where he could marry 72 more virgins and father another brood.
So I reject from the bottom of my heart some foreign media's verdict of "the most evil in history". What "most evil in history"? Clearly the stupidest in history, so stupid that he became one of the most evil.
Was this creature evil? Evil, unquestionably evil. ISIS's crimes are too many to record and known to everyone; to mention nothing else, forcing young girls into sexual slavery and turning children into killing tools is already an evil that outrages gods and men and cannot be forgiven. So my verdict on this creature Baghdadi's death is just two words: too late.
But "most evil in history"? There are two kinds of evil in this world. One is stupid evil: more than half of its evil deeds are performed for the world to see, with the aim of terrifying the world. Unfortunately this world has too much crime in it; in thousands of years humanity has seen everything, and this brazen intimidation not only fails to frighten people, it hands over evidence of one's own crimes. Stupid or not?
The other kind is cunning evil. They too bully men and women, they too harm children, they too treat life as nothing and treat millions of people as pawns, but they only do their evil behind closed doors; in front of the world they always look like saints reborn. They only bully other people's wives and harm other people's children, while sending their own wives and children off to civilised places abroad. So people who have been bullied at home get so worked up that they burst into tears the moment they see them, and people outside who have been fooled are naive enough to want to do deals with them.
The former becomes a Baghdadi whom everyone wants to beat; the latter becomes the various "great leaders". So if you ask what the difference is between an ISIS chief and a "great leader", the answer is: one wants the whole world to know how black he is, the other wants the whole world not to know how black he is; one sincerely believes he is selling tickets to heaven, the other sincerely believes he can sell fake tickets to heaven without going to hell. So which is more evil, stupid evil or cunning evil? You're smart, you tell me.
Baghdadi is dead; good riddance, well done, splendidly done, but in my humble opinion the world should not rejoice too early. He was without doubt one of the most evil devils in history, but the devil is dead and the soil that breeds devils remains. Baghdadi died with his faith in paradise, and behind him he leaves tens of thousands of fools who share the same belief. Every one of them believes that killing and arson are tickets to paradise, that slaughtering dissenters is building paradise on earth.
Take, for example, a fool named Omar Hussain, who used to be a security guard at a supermarket in Britain, with a steady income and a decent life. But he decided that, for the sake of the "great" faith, he would give up that life and go and join ISIS. Having joined the ranks of fools, he became a recruiter, specialising in recruiting child soldiers for the army of fools, not even sparing kindergarten children. He put a gun into the little ones' hands and forced them to kill prisoners, saying it was for their own good, because cowards who dare not kill infidels cannot enter paradise.


A reporter asked him whether, if they were his own children, he would still teach them to kill, burn and be ready to die at any moment. He said that of course when he had children he would teach them to do the same; if you don't, how can you enter paradise? Teaching children to do this is all for their own good.



You see, one Baghdadi is dead, but there are still many, many Hussains, and they will raise many, many little Hussains. The Hussains do evil wholeheartedly, sincerely believing that doing evil gets you into paradise. According to a Sky News report, Baghdadi is dead but his terrorist organisation is expanding; roughly ten thousand Hussains are still where they were, carrying on with killing, burning and expanding their territory. Martin Luther King said: "Nothing in all the world is more dangerous than sincere ignorance and conscientious stupidity." How true.
Do you think Hitler fell from the sky? No: behind him were countless sincere fools, and it was the fanaticism of countless fools that created him. Those who drove the trains, guarded the camps and stoked the furnaces were, much of the time, not merely following orders; they sincerely took evil for good.
Do you think Pol Pot's crimes were accomplished by one man alone? No: the millions of fanatical believers behind him built that hell together with him. Hence Hayek's words: "What has always made a country a hell on earth has been precisely that man has tried to make it his heaven."
Those specimens who would rather see not a blade of grass grow than fail to take back the island of Taiwan: do you think theirs is plain evil? No. In their hearts there is a paradise, a fanatical faith. Fanaticism makes them stupid, stupidity makes them more fanatical, and so they become fanatical fools, stupid fanatics; when such specimens meet a "great leader", it is thunder meeting fire, one spark and it all goes up.
So I have always held that the first duty of the living is to guard one's mind; only with one's mind intact can one be called human. And the first duty in guarding one's mind is to learn to doubt: is a faith or belief that instils hatred really credible? What god would create life in order to destroy it? Is a country that asks people to die for it really worth loving? Is a god who teaches people to hate really a god, and not a demon? Does the meaning of coming into this world not lie in cherishing every day of every life, in loving oneself, one's family, one's neighbours? Blowing up your own children with your own hands to get into paradise, wanting land rather than your compatriots: hasn't your brain turned to shit?
Russell said: "The trouble with the world is that the stupid are cocksure and the intelligent are full of doubt." The trouble with the world is that there are always too many cocksure idiots. From a small group up to a whole country, the degree of civilisation is always inversely proportional to the number of idiots. The soil that breeds devils is always teeming with fools.

The United States now regards China as a strategic and economic rival, but ultimately China is a rival to American values

American values are vital to America and vital to US-China relations, and US-China relations can only be guided by American values. So what are American values? According to Pence's speech, American values are respect for human rights, respect for private property, respect for the rule of law, respect for the rules of international trade, and the championing of freedom, democracy and openness. Pence's "fundamentally restructuring our relationship with China" takes American values as the basis of that restructuring. On that basis, Pence criticised many American multinationals for yielding to the lure of Chinese money and markets, not only suppressing criticism of the CCP but even suppressing affirmative expressions of American values. Pence said: "No one, and especially no nation, can defend its interests by giving up its values."

Pence of course understands that American values are meeting ever stiffer resistance in China. America no longer expects that China will eventually embrace American values; he said: "America and its leaders no longer hope that economic engagement alone will turn Communist China's authoritarian state into a free and open society that respects private property, the rule of law and international rules of commerce." The United States now regards China as a strategic and economic rival, but ultimately China is a rival to American values.

The CCP still has the chance to change course, but so far we see no sign whatsoever of it following the tide. Hence the contest between the US and China in the 21st century is a protracted war over values.
-----------

Trump eliminated the ISIS chief, yet he is attacked by the American left. British media figure: Trump's critics are humiliating their own country


Last weekend, with President Trump's personal approval and direction, US special forces raided the leader of the Islamic State (ISIS) terrorists, Abu Bakr al-Baghdadi, who blew himself up while fleeing. To this major victory for America the US mainstream media reacted tepidly, and leftists even criticised President Trump. In response, the well-known British media figure Piers Morgan said that President Trump's critics, by doing so, are utterly humiliating their country and themselves.

Morgan gave an exclusive interview to Fox News's "Tucker Carlson Tonight" on the evening of Monday 28 October. Morgan said that after the death of ISIS leader Baghdadi, President Trump's critics refused to acknowledge the White House's major victory, which is a disgrace to themselves and to America.

Morgan noted that in 2011, after the Obama administration succeeded in killing al-Qaeda leader Osama bin Laden, the whole of America celebrated. Yet last weekend the news that the ISIS chief had been driven to kill himself under the Trump administration did not seem to get the same reaction.

Morgan said: "My mind went back to the time when bin Laden was killed. I was staying in New York City that night. All of New York, all of Washington, all of America was celebrating the victory far and wide. The reaction inside America then was so unanimous, everyone immersed in a jubilant atmosphere. Compare that with yesterday, when Baghdadi was killed and people's reactions were so different."

Morgan also particularly attacked some of the spectators at the baseball game at Nationals Park in Washington, saying they showed insufficient respect for the president and the administration. He said: "I think the president deserves more respect. Those who behaved disrespectfully towards the president should be ashamed of themselves, because that behaviour also humiliates this country." He also mentioned that some people's language about the president on Twitter lacked respect.

Before the interview with Morgan, Fox host Tucker Carlson also played several clips showing some mainstream media refusing to acknowledge the huge victory President Trump's raid on the terrorists achieved. Former CIA analyst Philip Mudd even said on CNN, with no sense of right and wrong: "The president celebrating a man's death, that's not right, no matter who the man is." Mudd held that regardless of whether the person was a terrorist or someone people despise, as long as it is a person who has died, it should not be celebrated. (Truly unbelievable; has this Mudd's brain gone soft? He is a former CIA analyst, a professional; does he not know how evil Baghdadi was??)
This remark stood in particularly sharp contrast with the nationwide celebration when bin Laden died.

In the interview Morgan also said he greatly appreciated President Trump telling the public in detail how Baghdadi died. He said: "I was happy to learn the details the president described, especially the final moments of that coward, crying and screaming as he killed himself." He added: "For America, yesterday was a great day; for the world, yesterday was a great day too."

Morgan expressed great displeasure with those who attack President Trump by ignoring the event itself and focusing instead on what President Trump said wrong. He believes some people get angry when they see President Trump do something right, so all they can do to vent is "scream at anyone who does not fit their narrow world view".

Morgan is a well-known British journalist, author, and radio and television presenter. In August this year, on the programme he hosts, "Good Morning Britain", he said that liberals lack "tolerance" and have become more and more "illiberal". He said: "These so-called liberals only want what they want; they cannot tolerate anything contrary to their own opinions, and nobody is allowed to do anything or make a joke about anything." He also put a good question to them: "If you don't allow others to hold different views, what is the point of calling yourself a liberal?"