aradotso/mhr-cfw-domain-fronting-relay
skills/mhr-cfw-domain-fronting-relay/SKILL.md
Expert skill for setting up and using MHR-CFW, a domain-fronting relay that routes traffic through Google Apps Script and Cloudflare Workers to bypass DPI filtering.
$ install --global
skillsauthnpx skillsauth add aradotso/trending-skills mhr-cfw-domain-fronting-relayInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 30, 2026, 3:50 AM22.3s1 file scanned
SKILL.md
- name:
- mhr-cfw-domain-fronting-relay
- description:
- Expert skill for setting up and using MHR-CFW, a domain-fronting relay that routes traffic through Google Apps Script and Cloudflare Workers to bypass DPI filtering.
MHR-CFW Domain-Fronting Relay
Skill by ara.so — Daily 2026 Skills collection.
MHR-CFW (MasterHttpRelay + Cloudflare Worker) is a Python-based domain-fronting relay that routes HTTP/SOCKS5 proxy traffic through Google Apps Script (GAS) and Cloudflare Workers. Network DPI filters see only traffic to www.google.com, while the actual destination is hidden inside the relay chain.
Traffic Flow
Client → Local Proxy (127.0.0.1:8085)
↓
Google IP (216.239.38.120) — DPI sees www.google.com
↓
Google Apps Script Web App (Relay)
↓
Cloudflare Worker
↓
Target Website
Installation
git clone https://github.com/denuitt1/mhr-cfw.git
cd mhr-cfw
pip install -r requirements.txt
If PyPI is blocked:
pip install -r requirements.txt \
-i https://mirror-pypi.runflare.com/simple/ \
--trusted-host mirror-pypi.runflare.com
Full Setup Guide
Step 1: Deploy the Cloudflare Worker
- Log in to Cloudflare Dashboard
- Navigate to Compute > Workers & Pages
- Click Create Application → Start with Hello World → Deploy
- Click Edit code, delete all default code
- Paste the contents of
script/worker.jsfrom the repo - Edit the worker URL constant:
const WORKER_URL = "your-worker-name.workers.dev"; - Click Deploy — note your worker URL (e.g.,
your-worker-name.workers.dev)
Step 2: Deploy the Google Apps Script Relay
- Go to script.google.com and create a New project
- Delete all default code
- Paste the contents of
script/Code.gsfrom the repo - Edit these two constants at the top:
const AUTH_KEY = "your-secret-password-here"; // choose a strong password const WORKER_URL = "https://your-worker-name.workers.dev"; - Click Deploy → New deployment
- Type: Web app
- Execute as: Me
- Who has access: Anyone
- Click Deploy and copy the Deployment ID (long random string like
AKfycb...)
Step 3: Configure config.json
cp config.example.json config.json
Edit config.json:
{
"mode": "apps_script",
"google_ip": "216.239.38.120",
"front_domain": "www.google.com",
"script_id": "AKfycbXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"auth_key": "your-secret-password-here",
"listen_host": "127.0.0.1",
"listen_port": 8085,
"socks5_enabled": true,
"socks5_port": 1080,
"log_level": "INFO",
"verify_ssl": true
}
| Field | Description |
|---|---|
| mode | Always "apps_script" for GAS relay |
| google_ip | IP of Google's infrastructure for fronting |
| front_domain | Domain shown to DPI (www.google.com) |
| script_id | Your GAS Deployment ID from Step 2 |
| auth_key | Must match AUTH_KEY in Code.gs |
| listen_host | Local bind address (keep 127.0.0.1) |
| listen_port | HTTP proxy port (default 8085) |
| socks5_enabled | Enable SOCKS5 proxy on socks5_port |
| socks5_port | SOCKS5 proxy port (default 1080) |
| log_level | DEBUG, INFO, WARNING, ERROR |
| verify_ssl | Verify SSL certs; set false to skip |
Step 4: Run the Proxy
Linux/macOS:
bash start.sh
# or
python3 main.py
Windows:
start.bat
Expected output:
[INFO] HTTP proxy running on 127.0.0.1:8085
[INFO] SOCKS5 proxy running on 127.0.0.1:1080
Using the Proxy
Browser via FoxyProxy
Install FoxyProxy:
- Chrome: Chrome Web Store
- Firefox: Firefox Add-ons
Configure FoxyProxy:
- Proxy Type:
HTTPorSOCKS5 - Host:
127.0.0.1 - Port:
8085(HTTP) or1080(SOCKS5)
curl (HTTP proxy)
curl -x http://127.0.0.1:8085 https://ipleak.net/json/
curl (SOCKS5 proxy)
curl --socks5 127.0.0.1:1080 https://ipleak.net/json/
Python requests
import requests
proxies = {
"http": "http://127.0.0.1:8085",
"https": "http://127.0.0.1:8085",
}
response = requests.get("https://ipleak.net/json/", proxies=proxies)
print(response.json())
Python with SOCKS5
import requests
proxies = {
"http": "socks5://127.0.0.1:1080",
"https": "socks5://127.0.0.1:1080",
}
response = requests.get("https://ipleak.net/json/", proxies=proxies)
print(response.json())
Configuration Patterns
Minimal config (HTTP only, no SOCKS5)
{
"mode": "apps_script",
"google_ip": "216.239.38.120",
"front_domain": "www.google.com",
"script_id": "YOUR_DEPLOYMENT_ID",
"auth_key": "YOUR_AUTH_KEY",
"listen_host": "127.0.0.1",
"listen_port": 8085,
"socks5_enabled": false,
"log_level": "INFO",
"verify_ssl": true
}
Debug config (verbose logging, skip SSL verification)
{
"mode": "apps_script",
"google_ip": "216.239.38.120",
"front_domain": "www.google.com",
"script_id": "YOUR_DEPLOYMENT_ID",
"auth_key": "YOUR_AUTH_KEY",
"listen_host": "127.0.0.1",
"listen_port": 8085,
"socks5_enabled": true,
"socks5_port": 1080,
"log_level": "DEBUG",
"verify_ssl": false
}
Listen on all interfaces (for LAN sharing)
{
"listen_host": "0.0.0.0",
"listen_port": 8085
}
⚠️ Only use
0.0.0.0on trusted networks. Anyone on the LAN can use your proxy.
Cloudflare Worker (script/worker.js) — Key Structure
// The worker receives proxied requests and forwards them to the target
const WORKER_URL = "your-worker-name.workers.dev"; // set this to your own worker
addEventListener("fetch", event => {
event.respondWith(handleRequest(event.request));
});
The worker:
- Receives requests from GAS relay
- Extracts the target URL from the request
- Fetches the target on behalf of the client
- Returns the response back through the chain
Google Apps Script (script/Code.gs) — Key Structure
const AUTH_KEY = "your-secret-password-here"; // must match config.json auth_key
const WORKER_URL = "https://your-worker.workers.dev";
function doPost(e) {
// Validates AUTH_KEY, extracts target URL, forwards via WORKER_URL
}
The GAS relay:
- Exposes a public HTTPS endpoint (
/exec) that acts as the domain-fronted relay - Validates
AUTH_KEYon every request - Forwards validated requests to your Cloudflare Worker
Verifying It Works
After starting the proxy and configuring your browser:
- Visit ipleak.net — your IP should show as a Cloudflare IP
- Visit whoer.net — should reflect Cloudflare's location
- Via curl:
Look forcurl -x http://127.0.0.1:8085 https://ipleak.net/json/ | python3 -m json.tool"ip"showing a Cloudflare address range.
Troubleshooting
Proxy starts but no traffic gets through
- Verify
script_idinconfig.jsonis the Deployment ID, not the Script ID - Re-check that
auth_keyinconfig.jsonexactly matchesAUTH_KEYinCode.gs - In GAS, confirm deployment is set to Execute as: Me and Who has access: Anyone
- Try redeploying the GAS app — old deployments sometimes break
SSL errors
"verify_ssl": false
Set to false temporarily to diagnose. Re-enable for production use.
pip install fails (PyPI blocked)
pip install -r requirements.txt \
-i https://mirror-pypi.runflare.com/simple/ \
--trusted-host mirror-pypi.runflare.com
GAS quota exceeded
Google Apps Script has daily quotas (~20,000 URL fetch calls/day for free accounts). If the relay stops working mid-day:
- Use a different Google account for a fresh GAS deployment
- Deploy multiple GAS relays and alternate
script_idvalues
Port already in use
{
"listen_port": 8086,
"socks5_port": 1081
}
Change ports in config.json and update your browser/FoxyProxy settings.
Cloudflare Worker errors (5xx)
- Check the worker is deployed and the
WORKER_URLinCode.gsmatches exactly - Visit
https://your-worker.workers.devdirectly in browser — should respond (even with an error page) rather than timeout - Check Cloudflare Worker logs in the dashboard under Workers & Pages > your worker > Logs
Debug logging
"log_level": "DEBUG"
Restart main.py — you'll see each relay hop logged to stdout.
Environment Variable Pattern for Automation
When scripting deployment or CI, avoid hardcoding secrets. Use environment variables and generate config dynamically:
import json
import os
config = {
"mode": "apps_script",
"google_ip": "216.239.38.120",
"front_domain": "www.google.com",
"script_id": os.environ["GAS_DEPLOYMENT_ID"],
"auth_key": os.environ["MHR_AUTH_KEY"],
"listen_host": "127.0.0.1",
"listen_port": int(os.environ.get("MHR_PORT", "8085")),
"socks5_enabled": True,
"socks5_port": 1080,
"log_level": os.environ.get("MHR_LOG_LEVEL", "INFO"),
"verify_ssl": True
}
with open("config.json", "w") as f:
json.dump(config, f, indent=2)
print("config.json written")
Then run:
export GAS_DEPLOYMENT_ID="AKfycbXXXXXXXXXXXXXX"
export MHR_AUTH_KEY="$(openssl rand -hex 32)"
python3 write_config.py
python3 main.py
Project File Reference
| File | Purpose |
|---|---|
| main.py | Entry point — starts HTTP and SOCKS5 proxy listeners |
| config.json | Runtime configuration (copy from config.example.json) |
| config.example.json | Template configuration with placeholder values |
| script/worker.js | Cloudflare Worker source — deploy to Cloudflare |
| script/Code.gs | Google Apps Script relay source — deploy to GAS |
| start.bat | Windows launcher |
| start.sh | Linux/macOS launcher |
| requirements.txt | Python dependencies |
Related Skills
aradotso/skills/compose-performance-skills
development
VerifiedTrustedCommunity
```markdown --- name: compose-performance-skills description: Install and use the skydoves/compose-performance-skills agent skill library to diagnose and fix Jetpack Compose performance issues including stability, recomposition, lazy layouts, modifiers, side effects, and build configuration. triggers: - "my composable recomposes too often" - "LazyColumn drops frames during scroll" - "diagnose Compose stability issues" - "fix unnecessary recomposition in Jetpack Compose" - "optimize Com
46SKILL.mdUpdated May 5, 2026
aradotso/baguette-ios-simulator
development
VerifiedTrustedCommunity
Headless iOS Simulator manager with host-side HID input injection, 60fps streaming, and device farm web UI for iOS 26
45SKILL.mdUpdated May 4, 2026
aradotso/skills/claude-code-game-studios
development
VerifiedTrustedCommunity
```markdown --- name: claude-code-game-studios description: Turn Claude Code into a full 49-agent game dev studio with 72 workflow skills, automated hooks, and a real studio hierarchy for Godot, Unity, and Unreal projects. triggers: - "set up claude code game studios" - "use ai agents for game development" - "set up game dev studio with claude" - "add game studio agents to my project" - "how do I use claude code for game dev" - "set up godot unity unreal ai workflow" - "49 agents g
43SKILL.mdUpdated May 3, 2026
aradotso/skills/xq-py-quantum-vm
development
VerifiedTrustedCommunity
```markdown --- name: xq-py-quantum-vm description: Python implementation of the Quip Network's quantum virtual machine (xqvm) triggers: - quantum virtual machine python - xqvm quip network - quantum circuit simulation python - xq-py quantum vm - quip network quantum python - simulate quantum gates python - quantum vm xqvm - xqvm-py quantum circuit --- # xq-py Quantum Virtual Machine > Skill by [ara.so](https://ara.so) — Daily 2026 Skills collection. `xqvm-py` is a Python impl
42SKILL.mdUpdated May 2, 2026