How to unblock websites in China for web owners
Good news, everybody. We've worked out a simpler solution to unblock websites in China. Visit unblock.cn.com for more detail
This is a step-by-step guide on how to unblock your website for visitors in China without them having to do anything. The Great Firewall of China (GFW) is a complicated filtering system capable of blocking websites by a variety of methods. The common methods are IP blocking, URL and packet filtering by connection reset, TLS (SSL) certificate filtering by connection reset, and DNS hijacking.
IP blocking
Use a CDN (Content Delivery Network) to hide the real IP of your site from the GFW. I did a simple test myself: I created a Google Site and pointed four subdomains at it as follows.
CNAME records (ghs.google.com is currently not blocked in China):
test1.example.com -> ghs.google.com   (CDN enabled)
test2.example.com -> ghs.google.com
A records (216.239.32.21 is subject to IP blocking in China):
test3.example.com -> 216.239.32.21   (CDN enabled)
test4.example.com -> 216.239.32.21
Tests 1 and 2 merely confirm that the website is up. Tests 3 and 4 simulate a website with a blocked IP. I enabled the CDN on test 1 and test 3. The CDN I chose is CloudFlare with a free account (you can pay to go pro or pick another CDN if you like; I prefer to stay free). Here are the test results: test 1 and test 2 are both accessible in China. Test 3 is accessible while test 4 is blocked. When the CDN is enabled it serves as a reverse proxy, so test 3 actually resolved to an IP address owned by the CDN (CloudFlare in my case) and thus bypassed IP blocking. Unless the GFW blocks the CDN's IP addresses, which would also block many unrelated websites [1], IP blocking is not an issue.
[1] Do note, however, that this has not stopped the government from doing exactly this before. The top-level domains co.cc and net.ru were both censored for very long periods of time.
URL/Packet filtering
If your domain is filtered as a restricted word, full-site encryption should be employed. Counter measure 1: get an SSL certificate and install it on your server or VPS. Some certificates are expensive while others are completely free for an unlimited time. StartSSL provides free certificates with a minimal requirement: a valid email address at your domain, which can itself be obtained free of charge from Google Apps. Counter measure 2: use Flexible SSL by CloudFlare, one of its SSL options.
Visitor <-- SSL --> CloudFlare <-- non-SSL --> Origin
That way you save the fuss of installing a certificate and can enable SSL with a click. However, this requires a pro account with CloudFlare and costs $20/month. Note that with Flexible SSL the hop from CloudFlare to your origin stays in plaintext (see the diagram above), so the URL is hidden only on the visitor-to-CloudFlare leg.
TLS (SSL) certificate filtering
This time the GFW knows you are using encryption to evade censorship and has decided to censor your certificate, which is sent in plain text before the encrypted tunnel is established. Two counter measures as before:
1. Because your certificate is completely free and issued automatically, there's nothing stopping you from changing it constantly, as the filtering list of TLS (SSL) certificates is rarely updated.
2. Use CloudFlare's SSL option. CloudFlare replied to me that multiple sites may use the same certificate. Each site needs to have its own subject alternative name (SAN) and the common name can be a variation of SSL#.cloudflare.com. So, as in the case of IP addresses, the GFW can't filter your certificate without blocking a bunch of innocent sites. (Again, that didn't stop them before. They could block SSL connections of a bunch of sites and then filter only your domain. With this method other sites could be reached via http only.)
DNS hijacking:
This is the toughest blocking measure and it is seldom used. Known sites subject to this kind of blocking are *.facebook.com (naked domain included), *.twitter.com (naked domain included), encrypted.google.com and www.kenengba.com. Possibly fewer than a hundred sites are blocked in this way. There are two forms of DNS hijacking (Wikipedia only documents the first one).
Form 1: When visitors use local DNS servers controlled by an ISP, their queries simply result in a connection timed out error. This is performed by the local DNS server itself.
Form 2: When visitors use foreign DNS servers such as OpenDNS or Google Public DNS, or even a random nonexistent foreign IP, the GFW answers the DNS query with the IP address of some unrelated site. (Look up the nonexistent name aaa.twitter.com on 1.1.1.1, an address that ran no DNS server when this was written, from inside China.)
nslookup aaa.twitter.com 1.1.1.1
Server:   1.1.1.1
Address:  1.1.1.1#53

Name:     aaa.twitter.com
Address:  78.16.49.15
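The Form 2 test above can be automated and its result checked mechanically. The following is an added example written for this page, not code from the original guide: it builds the DNS query with the standard library, parses the A records out of whatever comes back, and classifies the answer. The rule it applies is the guide's own: if the address you queried is a "sentinel" that runs no DNS server, any answer at all must have been injected on the path. Two assumptions are mine: the sentinel address has to be one that is genuinely silent today (1.1.1.1 has answered as a public resolver since 2018, so it no longer qualifies), and the `build_fake_response` helper only constructs a sample packet shaped like the reply the guide shows, so the parser can be exercised offline.

```python
"""Detect injected DNS answers (added example; not part of the original guide)."""
import socket
import struct

TXID = 0x1234  # fixed transaction id so the response can be matched


def build_query(name, txid=TXID):
    """Minimal RFC 1035 A query for `name`, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(pkt, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer is 2 bytes long
            return off + 2
        off += 1 + length


def parse_a_records(pkt, txid=TXID):
    """Return the IPv4 strings in the answer section; non-A records are skipped."""
    rid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4          # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return ips


def classify(answers, resolver_is_sentinel, legitimate_ips):
    """Apply the guide's rule to one observation.

    answers:              A records returned (empty means no reply / timeout)
    resolver_is_sentinel: True when the queried IP is known to run no DNS server
    legitimate_ips:       addresses the site really uses (origin or CDN)
    """
    if not answers:
        return "no-answer"        # expected from a sentinel; Form 1 style timeout otherwise
    if resolver_is_sentinel:
        return "injected"         # nothing at that address could have answered
    if set(answers) - set(legitimate_ips):
        return "suspect"          # real resolver, but answer not in the known set
    return "ok"


def probe(name, resolver_ip, timeout=3.0):
    """Live check: send one UDP query and return the A records (empty on timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return []
    return parse_a_records(data)


def build_fake_response(query, ip):
    """CONSTRUCTED sample packet: an injected reply to `query` pointing at `ip`."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = query[12:]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)      # name ptr to offset 12
    rr += bytes(int(o) for o in ip.split("."))
    return header + question + rr


if __name__ == "__main__":
    # Offline demonstration with the constructed packet (same shape as the guide's output).
    q = build_query("aaa.twitter.com")
    r = build_fake_response(q, "78.16.49.15")
    ips = parse_a_records(r)
    print(ips, classify(ips, resolver_is_sentinel=True, legitimate_ips=[]))
```

To run the live test from a vantage point inside China, call `probe("aaa.twitter.com", "<silent sentinel IP>")` and pass the result to `classify` with `resolver_is_sentinel=True`; for a real resolver such as Google Public DNS, pass your origin and CDN addresses as `legitimate_ips` instead.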
How to counter this measure: do not use your domain. Use an IP address directly, e.g. http://12.34.56.78 or https://12.34.56.78. Do note, however, that this leaves your site vulnerable to IP blocking, because without a domain a CDN can't be used. Since only high-profile sites are blocked in this way, most of the companies affected have the money and servers to build an encrypted reverse proxy, or else plenty of programmers to figure out your next move.
------
How to distinguish IP blocking from URL filtering (or both)
If only part of your site is inaccessible then it's URL filtering only (assuming your site is hosted on a single server).
If your site (www.example.com) is totally inaccessible, visit
http://www.msn.com/www.example.com
http://www.msn.com/.example.com
http://www.msn.com/example.com
respectively in China.
Please wait a few minutes before visiting the next address, because the GFW blocks all traffic to www.msn.com from your computer for a short time when a restricted word is triggered. So wait until you can see www.msn.com again (usually a minute) before you try the next one.
If any URL above is unreachable, your site is subject to URL filtering.
(Those who can't run the test from China can visit https://greatfire.org and enter the URLs above.)
Do a ping test in China to determine whether your IP is blocked.
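The procedure above (three www.msn.com probe URLs, a pause until www.msn.com is reachable again, then a reachability test of the origin IP) can be run as a script from a machine inside China. What follows is an added example, not the guide's own tooling. It makes three assumptions of mine: a TCP reset or a timeout while fetching a probe URL counts as "unreachable"; a plain TCP connect to the origin stands in for the guide's ping test (ICMP needs raw sockets, a TCP handshake does not); and the waiting is done by polling www.msn.com rather than sleeping a fixed minute. `diagnose` is the decision logic and runs offline; `run` does the live probing.

```python
"""Automate the URL-filtering vs IP-blocking check (added example, not from the guide)."""
import http.client
import socket
import time

PROBE_HOST = "www.msn.com"


def probe_paths(domain):
    """The three paths the guide lists, in its order."""
    return [f"/www.{domain}", f"/.{domain}", f"/{domain}"]


def fetch(host, path, timeout=10.0):
    """One HTTP GET; 'ok', 'reset' (TCP RST), 'timeout' or 'error'."""
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", path)
        conn.getresponse().read(1024)   # an injected RST usually lands during the response
        conn.close()
        return "ok"
    except ConnectionResetError:
        return "reset"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"


def wait_until_reachable(host, max_wait=300, interval=15):
    """Poll until a plain GET / to host succeeds again (the guide: usually about a minute)."""
    deadline = time.time() + max_wait
    while time.time() < deadline:
        if fetch(host, "/") == "ok":
            return True
        time.sleep(interval)
    return False


def tcp_reachable(ip, port=80, timeout=5.0):
    """Stand-in for the ping test: can we complete a TCP handshake with the origin?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(partial_outage, url_results, ip_reachable):
    """Apply the guide's rules to a set of observations and return the findings.

    partial_outage: only some pages of the (single-server) site fail
    url_results:    fetch() outcomes for the three probe paths
    ip_reachable:   result of the ping / TCP test against the origin IP
    """
    findings = []
    unreachable = {"reset", "timeout"}
    if partial_outage or any(r in unreachable for r in url_results):
        findings.append("URL filtering")
    if not ip_reachable:
        findings.append("IP blocking")
    return findings or ["no filtering detected"]


def run(domain, origin_ip, partial_outage=False):
    """Live run from inside China (needs network access)."""
    results = []
    for path in probe_paths(domain):
        results.append(fetch(PROBE_HOST, path))
        wait_until_reachable(PROBE_HOST)     # let the temporary block on msn.com expire
    return diagnose(partial_outage, results, tcp_reachable(origin_ip))


if __name__ == "__main__":
    # Offline demonstration with constructed observations.
    print(diagnose(False, ["ok", "reset", "ok"], True))      # ['URL filtering']
    print(diagnose(False, ["ok", "ok", "ok"], False))        # ['IP blocking']
```

Run `run("example.com", "<origin IP>")` from a Chinese vantage point; from elsewhere, feed the observations you collect via https://greatfire.org into `diagnose` by hand.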