Dockerflix: Docker-based SNI proxy for watching U.S. Netflix, Hulu, MTV, Vevo, Crackle, ABC, NBC, PBS…

Recently, I published a new project on GitHub called Dockerflix. Instead of HAProxy, Dockerflix uses sniproxy. To make the installation a breeze, I boxed the proxy into a Docker container and wrote a small, Python-based Dnsmasq configuration generator. And voilà: DNS-unblocking as a service (DAAS) ;-)

Thanks to sniproxy’s ability to proxy requests based on a wildcard/regex match it’s now so much easier to add support for a service. Now it’s usually enough to just add the main domain name to the proxy and DNS configuration and Dockerflix will be able to hop the geo-fence in most cases. Since most on-demand streaming media providers are using an off-domain CDN for the video stream, only web site traffic gets sent through Dockerflix. A few exceptions may apply though, notably if the video stream itself is geo-fenced.

Dockerflix only handles requests using plain HTTP or TLS using the SNI extension. Some media players don’t support SNI and thus won’t work with Dockerflix.
If you need to proxy plain old SSLv1/v2 for a device, have a look at the non-SNI approach shown in tunlr-style-dns-unblocking.
A few media players (e.g. Chromecast) ignore your DNS settings and always resort to a pre-configured DNS resolver which can’t be changed (this can still be worked around by rerouting these requests using iptables).

Check it out: https://github.com/trick77/dockerflix

30 thoughts on “Dockerflix: Docker-based SNI proxy for watching U.S. Netflix, Hulu, MTV, Vevo, Crackle, ABC, NBC, PBS…”

  1. Thanks for making your hard work available.
    I would like to install Dockerflix on a single board computer (ideally Raspberry Pi 3) but I understand that unless the Docker container has been built for the armhf architecture it won’t play with the RPi. Does anyone have more information on this? Does Dockerflix work on any SBCs?

    Thanks in advance

    • Why would you want to host a Raspberry Pi in a U.S. Datacenter in the first place, wouldn’t it be much less expensive to just use a VPS?

      • Sorry I wasn’t clearer – the RPi will be on a home network, not in a datacenter. The intention is to enable the watching of UK TV from outside the UK (yes, I pay for the content). Devices at my apartment in Portugal will be pointed at a router running Dnsmasq which will resolve addresses to the RPi (running an SNI proxy) on a home network in the UK. This is in a bid to counter the blocking of datacenter VPNs – I figure if I run it from a home network it will be indistinguishable.

        After numerous attempts to get Docker running on the RPi (with the aim of running Dockerflix), I found Hypriot OS (which would allow me to install Docker). But the documentation cautions that unless the Docker container is targeted at the armhf arch it won’t work. Hence my question. Is there a way to get Dockerflix working on RPi 3?

        Thanks for taking the time to respond.

        • Interesting approach!
          I played around with Docker on the Raspberry Pi 3 with Raspbian and the Hypriot Debian apt repository a few months ago but the problem is that nearly all Docker images are x86/x64 based (including the one I use for Dockerflix). You would have to find an ARM Docker base image for the RPi and compile an ARM version of sniproxy and rewrite the Dockerfile. In your case I’d just compile sniproxy on the RPi and use it without Docker with Raspbian Light.

          Cheers,
          Jan

  2. Hey all! Great great work on this BTW! Anyone have any suggestion on how to get this to work with only specific internal IPs (have multiple Rokus – but only want one on US Netflix etc). My router is running Tomato firmware and would be doing all the re-routes.

    • Steve, I don’t think they do but you need to add all what is necessary to the Dockerflix configuration. Not every streaming service out there does auto-magically work with Dockerflix.

      Cheers,
      Jan

      • Thanks Jan – I’m having real trouble adding services (please see my issue raised on GitHub) – no matter what I do the python generator script only ever generates the dnsmasq config for the default services you include.

        Steve

  3. Is there some reason that I can’t see that this method is tied specifically to dnsmasq (aside from the python script to generate the config)? I’ve tried using this with bind and unbound, and neither one works properly. The addresses are forwarded properly in their respective configurations, ie: nslookup netflix.com resolves to the VPS IP, but they don’t seem to work. With dnsmasq it works perfectly.

    Using your old method with haproxy, any of the three dns servers worked.

    Thanks.

    • Scratch that, I didn’t see the BIND configuration option in your generator. That seems to work now. I think the reason that unbound isn’t working is because I can’t properly forward the subdomains, ie: *.domain.

      I’ll have to see if I can figure that out.

      • FYI, this works with unbound now. I just had to add a local-zone redirect for each domain, ie:

        local-zone: "netflix.com." redirect
        local-data: "netflix.com. IN A 123.45.67.89"

        Everything seems to work properly as far as I can tell.

  4. Hi, I couldn’t run Dockerflix cos of OpenVZ VPS, so I did like Peter said. The Dnsmasq is working and sniproxy is working too but some sites give me “backend not available”. How can I fix that? Please help

  5. Nice update to an already great project, thank you for putting in the effort to keep this idea alive; I will change my HAproxy based setup over to this system when I get the time.

    One question I have is how did you figure out which addresses to forward to haproxy/sniproxy and which not to? I’m trying to get a working BBC iPlayer setup using a UK VPS but I’m not getting anywhere and I think it’s because I’m not forwarding the right addresses. Currently I’ve been using Fiddler but as a bit of a noob I’ve gotten stuck.

    Any help would be much appreciated.
    Adam

    • Fiddler, tcpdump, basically everything which shows what’s going on behind the scenes. Did you see that there are already UK proxy definitions in Dockerflix?

      Cheers,
      Jan

      • I’ll have to give tcpdump a go; thanks for the suggestion. I did give the UK dockerflix a go and while it works for live iPlayer content, stored content comes from different servers and seems to use different location detecting methods. I’ll see where I get with tcpdump.

  6. Hi, thank you so much Jan for this wonderful project. I’m trying to use the non-SNI approach on the VPS with doing Dnsmasq on the same server and using sniproxy and using a DHCP server to assign a local IP to each user, but I don’t know how to connect users to the US VPS, because if I use the public VPS IP then users will be connected to the public IP and not to the private network where DHCP is running on. Please help me out here.

  7. I tried this on an Amazon AWS EC2 and while it seems to be running properly, I couldn’t access any websites when I tried to replace the DNS address on my PC or Android tablet with the server’s public IP. I don’t have a dnsmasq compatible router – is this a requirement for it to work?

    In any case thank you for your work – it is much appreciated!

    • Yes, you absolutely need some sort of a DNS server though not necessarily in your router. I’m using an Odroid C1 which handles all DNS queries from the router.

      Cheers,
      Jan

      • Thanks Jan. I managed to find an old router with dd-wrt laying around and it’s working now.

        A word of advice on using this for Hulu – it’s better to use “address=/s.hulu.com/your-ip-address”, since this will allow you to cross the geo-fence without having the ads and video streams go through the proxy as well (which resulted in massive buffering in my case).

    • really interested with your take on doing this on AWS EC2. Any chance you can assist me with setting one up for myself?

  8. I’m currently using the “old” approach because I can’t use SNI due to my Chromecast. Thanks to your “dns host list” script it ran smoothly for a long time now. But since Saturday it stopped working on my Chromecast. (Android/Desktop are still fine).

    So I assume the subdomains which need to be routed through the US proxy have changed. Would it be possible to get an updated list/script for those subdomains?

    By the way, it would still be possible to set the docker container up to also use the “non-sni” approach, it would just require to create a lot of virtual interfaces for the docker container. Maybe not pretty but it could work.
    With that non-SNI approach you would have created the one-size-fits-all solution, because the non-SNI version would enable all devices current/future to use it without any modification. Only thing would be to set up iptables to route the Google DNS servers to the local DNS.

    Anyway, thanks for your awesome work.

    • My Chromecast works fine with the SNI approach. It didn’t in the past but 6 months ago or so it just started working (maybe they phased out SSLv3 because of the POODLE bug?).

      Have you tried it?

  9. I tried this out on my vps (which is OpenVZ), unfortunately docker does not run *at all* on it.

    Is it possible to run this same setup, but without docker?

    I get these errors trying to start docker, which I don’t think I can solve:

    # docker -d
    WARN[0000] You are running linux kernel version 2.6.32-042stab102.9, which might be unstable running docker. Please upgrade your kernel to 3.8.0.
    ERRO[0000] 'overlay' not found as a supported filesystem on this host. Please ensure kernel is new enough and has overlay support loaded.
    INFO[0000] +job init_networkdriver()
    INFO[0000] +job serveapi(unix:///var/run/docker.sock)
    INFO[0000] Listening for HTTP on unix (/var/run/docker.sock)
    WARN[0000] Running modprobe bridge nf_nat failed with message: , error: exit status 1
    package not installed
    INFO[0000] -job init_networkdriver() = ERR (1)
    FATA[0000] Shutting down daemon due to errors: package not installed

    • Never mind, figured it out myself, did the following steps

      1) installed sniproxy manually (see https://github.com/dlundquist/sniproxy)
      2) copied config/us-dockerflix-sniproxy.conf (from dockerflix repo) to /etc/sniproxy.conf
      3) enabled sniproxy in /etc/default/sniproxy

      that basically does it for me, dockerless dockerflix ;)

  10. Hi,
    Can I install both your Dockerflix and non-sni Haproxy on same VPS?
    I’m using the non-SNI HAProxy version for my PS3 and it’s working like a charm (thanks again). But although I’m OK with the installation process of the non-SNI version, as you mentioned it’s not easy for me to add services/domains to the configuration. Sometimes I need to temporarily add a domain for my music player to proxy, so I thought it would be nice to have both on the same VPS.
