From aradotso-trending-skills-37
Sets up local MITM proxy using Xray-core and self-signed certificates for domain fronting to bypass censorship and access Google services like Meet and Drive without a remote proxy.
npx claudepluginhub joshuarweaver/cascade-ai-ml-agents-misc-1 --plugin aradotso-trending-skills-37
This skill uses the workspace's default tool permissions.
---
name: mitm-domainfronting
description: MITM proxy that receives unencrypted traffic locally then forwards it via Domain Fronting using Xray-core, enabling access to restricted services without a traditional proxy server.
triggers:
- set up MITM domain fronting
- configure xray domain fronting
- bypass censorship with domain fronting
- MITM proxy with self-signed certificate
- xray MITM configuration
- domain fronting without server
- access google services with domain fronting
- set up v2rayN domain fronting
---
# MITM-DomainFronting
> Skill by [ara.so](https://ara.so) — Daily 2026 Skills collection.
## What This Project Does
MITM-DomainFronting is a technique (not a traditional proxy server) that:
1. **Intercepts** HTTPS traffic locally and decrypts it, using a Man-in-the-Middle (MITM) setup with a self-signed certificate
2. **Re-sends** that traffic to the real destination using a fake/fronted SNI (Server Name Indication), bypassing censorship/firewalls
This works **without a remote proxy server** — it uses Xray-core's built-in MITM and Domain Fronting features. Currently enables access to Google services (Meet, Drive, etc.) from restricted regions.
**What it cannot do:**
- Fully replace a VPN or proxy for general internet access
- Access YouTube videos (separate service infrastructure)
- Access Gemini (Iran IPs are sanctioned)
---
## Architecture Overview
Browser (HTTPS) → [MITM: fake cert intercepts, decrypts] → [Domain Fronting: re-encrypts with fronted SNI] → Google Servers
- **MITM layer**: Xray acts as a TLS terminator using your self-signed certificate
- **Domain Fronting layer**: Xray re-establishes TLS to the real server using a CDN-friendly SNI
---
## Prerequisites
- **Windows**: v2rayN + Xray-core
- **Android**: v2rayNG with HEV TUN enabled
- **Linux/macOS**: Xray-core directly
- A self-signed certificate (`.crt` + `.key`)
---
## Step 1: Generate a Self-Signed Certificate (Windows)
Use the provided `certificate-generator.bat` in the `v2rayN-windows-64\bin` folder:
```bat
@echo off
REM certificate-generator.bat
REM Place this in v2rayN-windows-64\bin and run it there
openssl req -x509 -newkey rsa:4096 -keyout mycert.key -out mycert.crt -sha256 -days 3650 -nodes -subj "/C=US/ST=State/L=City/O=Org/CN=localhost"
echo Done! mycert.crt and mycert.key created.
pause
```
> ⚠️ **Security Warning:** Never share your `mycert.key` (private key) with anyone. Never use someone else's `mycert.crt`. Always generate your own.

**Alternative (online generator for Android):**
Use https://regery.com/en/security/ssl-tools/self-signed-certificate-generator — download both files and rename them to `mycert.crt` and `mycert.key`.
## Step 2: Install the Certificate
**Windows:**
```
mycert.crt → Install Certificate
```
```
Settings → Privacy and security → Security → Manage certificates →
Manage imported certificates from Windows → Trusted Root Certification Authorities →
Import → Select mycert.crt → Place all certificates in the following store →
Select "Trusted Root Certification Authorities"
```
**Android:**
```
Settings → Security and privacy → More security settings →
Install from device storage → CA Certificate → Install anyway →
Select mycert.crt
```
Verify installation:
```
Settings → Security and privacy → More security settings →
View security certificates → User
```
**Firefox (Android):**
```
Firefox → Settings → About Firefox → Tap logo 5 times →
Settings → Secret Settings → Toggle "Use third party CA certificates"
```
The main config file `MITM-DomainFronting.json` for Xray-core:
```json
{
  "log": {
    "loglevel": "warning"
  },
  "inbounds": [
    {
      "tag": "http-in",
      "port": 10809,
      "protocol": "http",
      "settings": {
        "allowTransparent": true
      },
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      }
    }
  ],
  "outbounds": [
    {
      "tag": "mitm-out",
      "protocol": "freedom",
      "settings": {}
    }
  ],
  "policy": {
    "levels": {
      "0": {
        "handshakeMitm": true
      }
    }
  },
  "mitm": {
    "enabled": true,
    "listenPort": 10810,
    "certFile": "mycert.crt",
    "keyFile": "mycert.key",
    "domainFronting": {
      "enabled": true,
      "frontDomain": "www.googleapis.com",
      "targetDomain": "www.google.com"
    }
  }
}
```
> **Note:** File paths for `certFile` and `keyFile` are relative to the Xray binary location (i.e., `v2rayN-windows-64\bin\`).
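
A pre-flight check for the config above, as an added example that is not part of the project: the `http-in` inbound sets no `listen` address, and Xray binds an inbound to `0.0.0.0` when `listen` is omitted, so the proxy is reachable from other hosts on the network. The function names and the sample dict are constructed for this example, and the `mitm.keyFile` lookup assumes the config layout shown on this page.

```python
import ipaddress
import os
import stat

# Constructed sample: only the parts of the page's config that the checks read.
SAMPLE_CONFIG = {
    "inbounds": [{"tag": "http-in", "port": 10809, "protocol": "http"}],
    "mitm": {"certFile": "mycert.crt", "keyFile": "mycert.key"},
}


def is_loopback(addr):
    """True for loopback IPs, 'localhost', or a Unix socket path ('/...' or '@...')."""
    if addr == "localhost" or addr.startswith(("/", "@")):
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # any other hostname is not proven to be local


def audit_inbounds(config):
    """Return one finding per inbound that other hosts can connect to."""
    findings = []
    for inbound in config.get("inbounds", []):
        # Xray listens on 0.0.0.0 when "listen" is omitted.
        addr = inbound.get("listen", "0.0.0.0")
        if not is_loopback(addr):
            tag, port = inbound.get("tag", "?"), inbound.get("port")
            findings.append(
                f'{tag}: port {port} listens on {addr}; set "listen": "127.0.0.1"'
            )
    return findings


def audit_key_file(config, base_dir="."):
    """Flag a MITM private key that is missing or accessible to other users."""
    key_path = os.path.join(base_dir, config.get("mitm", {}).get("keyFile", ""))
    if not os.path.isfile(key_path):
        return [f"{key_path}: key file not found"]
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if os.name == "posix" and mode & 0o077:
        return [f"{key_path}: mode {mode:o} is open to other users; chmod 600"]
    return []


if __name__ == "__main__":
    for finding in audit_inbounds(SAMPLE_CONFIG) + audit_key_file(SAMPLE_CONFIG):
        print("WARN", finding)
```

Adding `"listen": "127.0.0.1"` to the inbound clears the first finding; the key-permission check only applies on POSIX systems.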
v2rayN-windows-64.zip)certificate-generator.bat, mycert.crt, mycert.key, and MITM-DomainFronting.json into v2rayN-windows-64\bin\MITM-DomainFronting.jsonxraymycert.crt and mycert.keyMITM-DomainFronting.json via Import from locally

> ⚠️ On non-rooted Android, only browser-based access works. Standalone apps (Google Meet app, Drive app) won't use this tunnel; use the browser versions instead.
```bash
# Place mycert.crt, mycert.key, and MITM-DomainFronting.json in the same directory as xray binary
# Download xray
wget https://github.com/XTLS/Xray-core/releases/latest/download/Xray-linux-64.zip
unzip Xray-linux-64.zip -d xray-bin
cd xray-bin
# Copy your cert files here
cp /path/to/mycert.crt .
cp /path/to/mycert.key .
cp /path/to/MITM-DomainFronting.json .
# Run
./xray run -config MITM-DomainFronting.json
```
Set system proxy to http://127.0.0.1:10809 in your OS network settings.
```bash
# Linux/macOS
openssl verify -CAfile mycert.crt mycert.crt
# Should output: mycert.crt: OK
# Check port is open
netstat -an | grep 10809
# or
ss -tlnp | grep 10809
# Set proxy and test Google
curl -x http://127.0.0.1:10809 https://www.google.com -v
```
```bat
REM certificate-generator-advanced.bat
openssl req -x509 -newkey rsa:4096 ^
  -keyout mycert.key ^
  -out mycert.crt ^
  -sha256 -days 3650 -nodes ^
  -subj "/CN=*.google.com" ^
  -addext "subjectAltName=DNS:*.google.com,DNS:*.googleapis.com,DNS:*.gstatic.com"
```
| Problem | Cause | Fix |
|---|---|---|
| Browser shows certificate error | Certificate not installed as trusted root | Re-do Step 2; verify in cert manager |
| Google Meet/Drive won't load | Wrong fronting domain | Check frontDomain in config matches a CDN endpoint |
| Android apps don't work | Non-root limitation | Use browser instead of native apps |
| `mycert.crt` not found error | Wrong working directory | Ensure cert files are in same folder as xray binary |
| Connection refused on port 10809 | Xray not running | Check xray process; check for port conflicts |
| YouTube videos don't work | Separate CDN infrastructure | Not supported by this method |
| Gemini doesn't work | IP sanctions | Not supported from Iran IPs |
```json
{
  "log": {
    "loglevel": "debug",
    "access": "access.log",
    "error": "error.log"
  }
}
```
```
1. Browser sends:    TLS ClientHello → SNI: "www.google.com"
                     HTTP Host: "www.google.com"
2. MITM intercepts:  Xray presents mycert.crt, terminates TLS
                     Reads plaintext HTTP request
3. Domain Fronting:  Xray opens new TLS to CDN
                     SNI in TLS:  "www.googleapis.com"  ← firewall sees this (allowed)
                     Host header: "www.google.com"      ← CDN routes to this (real target)
```
The firewall/DPI only sees the outer SNI (googleapis.com), which is typically not blocked. The CDN then routes based on the HTTP Host header to the real destination.