[Tracking] Caching Origin not possible due to SSL about cache-domains HOT 47 OPEN

Beta Version 10.5.63.37653 - 758549 of the client now has a feature to fall back to HTTP if a cache is present. We will have a chat about when to update the main line.

see #126

from cache-domains.

@peerau yeah, we're working closely with the guys at ea to get a poc going. So far they've actually been really helpful!

from cache-domains.

What is the output when you actually run docker logs <insert dns container id>?

from cache-domains.

You need to assign RFC1918 addresses to your cache, and not public IP addresses.

Some CDN providers (Steam, Origin, Riot) require a "trigger domain" to be set that resolves to one of these addresses before they will consider using the cache, otherwise they will use https and you will not be able to cache the traffic.

from cache-domains.

I'm also having this issue.

on the client

nslookup origin-a.akamaihd.net
Server:  UnKnown
Address:  192.168.0.2

Non-authoritative answer:
Name:    origin.cache.lancache.net
Address:  192.168.0.2
Aliases:  origin-a.akamaihd.net

I go to download a game in Origin, never prompted to disable safe downloading, no disk write activity in the cache and sniproxy is very busy passing through everything without touching.

from cache-domains.

What fix have you seen? We are still seeing origin downloads going over https (and thus uncacheable).

from cache-domains.

You're running Origin Version 10.5.40.26928, which predates the switch to SSL

I'm currently running Origin version 10.5.41.27263, which is definitely only downloading via SSL

from cache-domains.

You're running Origin Version 10.5.40.26928, which predates the switch to SSL

I'm currently running Origin version 10.5.41.27263, which is definitely only downloading via SSL

Same here, also sticking to old version will not work as it will require update before login, and will fail if SSL is blocked, already tried that by stopping SNI and pointing ssl-lvlt.cd.ea.com to 127.0.0.1

Edit: Older versions will only work directly after client is installed, will force an update after being stopped and reopened

from cache-domains.

any updates on this guys ? i hope they go back to http , i've also contacted EA help on twitter https://imge.to/i/TtjSH < photo

from cache-domains.

we are still trying to get some sort of communication with EA to see how this can be progressed...

from cache-domains.

I've tried messing with R&D mode. Tried changing CdnOverride to lvlt.cdn.ea.com, lvlt, http and it fails every time with this in log file:

OriginServiceResponse QNetworkReply error code [206] error string : [Error transferring XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX?productId=<snip>&userId=<snip>&cdnOverride=lvlt.cdn.ea.com&https=true - server replied: Conflict] HTTP status code [409] X-Origin-Ops [] XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Failed with REST error code 15006 error string: Cause: NO_DOWNLOAD_CDN_VENDER

So I tried adding https=false to the config file but it didn't help either. Maybe someone else can figure it out.

from cache-domains.

I've tried messing with R&D mode. Tried changing CdnOverride to lvlt.cdn.ea.com, lvlt, http and it fails every time with this in log file:

OriginServiceResponse QNetworkReply error code [206] error string : [Error transferring XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX?productId=<snip>&userId=<snip>&cdnOverride=lvlt.cdn.ea.com&https=true - server replied: Conflict] HTTP status code [409] X-Origin-Ops [] XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Failed with REST error code 15006 error string: Cause: NO_DOWNLOAD_CDN_VENDER

So I tried adding https=false to the config file but it didn't help either. Maybe someone else can figure it out.

they have removed origin from the DNS service "in uklans domains" so make sure to add it yourself if you can do that , or request them to readd it

from cache-domains.

You are obviously free to fork this repo and add origin back in for testing. I don't think we would re-add it to the main repo whilst it remains totally uncacheable - as that is just confusing for most users.

It depends how you are using this repo, but if its in conjunction with lancache then they do have a feature to point to a different domain repo for testing: https://github.com/lancachenet/lancache-dns#custom-forksbranches

from cache-domains.

i was just contacted by EA HELP on twitter and he asked me for additional info that he can provide to his manager , so can any one of knowledge give me a technical paragraph of what should be said ?

from cache-domains.

@manafoo we've been trying to reach out to eahelp. if you could reference https://twitter.com/MintopiaUK/status/1145709393205506049 and https://uklans.net/openletter/ and get them to reach out to [email protected]

from cache-domains.

@manafoo we've been trying to reach out to eahelp. if you could reference https://twitter.com/MintopiaUK/status/1145709393205506049 and https://uklans.net/openletter/ and get them to reach out to [email protected]

Done. https://imge.to/i/F8L3O << image

from cache-domains.

@manafoo if you could also reply to the original twerk explaining this is affecting your event as well that would be great

from cache-domains.

i'd like to say in regard to contacting ea help , please explain to them what caching does , tell them it allows faster downloads to clients because the update would be stored locally instead getting it from the servers every time , " just remember the twitter handler is probably clueless to those technical terms and they will be just a messenger to their colleagues and IT department so it's crucial to make them understand that there is an issue also maybe adding whats in it for them is nice too and that is , lower load on their download servers!

from cache-domains.

@manafoo if you could also reply to the original twerk explaining this is affecting your event as well that would be great

Done :)

from cache-domains.

FYI @manafoo there is an official case open at EA, -zac is very helpful and understands about the problem!

I'll update here if i hear anything.

from cache-domains.

FYI @manafoo there is an official case open at EA, -zac is very helpful and understands about the problem!

I'll update here if i hear anything.

thats great!! i got a response from zac on twitter here ,link to check it out :
https://imge.to/i/L71ej << photo

from cache-domains.

Please let EA know on this thread.
https://answers.ea.com/t5/Origin-Client-Web-Technical/Origin-using-HTTPS-for-Downloads/m-p/8066099?fbclid=IwAR0dXtOULFGICuah5e1_0fRkt4vbod-FueLxXmOxSrXlkHqrTzLnF7yLj00

from cache-domains.

https://answers.ea.com/t5/Origin-Client-Web-Technical/Origin-using-HTTPS-for-Downloads/m-p/8325987/highlight/true#M52239

!!!!

from cache-domains.

Hi everyone, any update on this?

from cache-domains.

Nothing specifc to confirm at this time, but we know that Origin are still working on something and hope to have an update fairly soon in the new year from them.

from cache-domains.

I just installed a a fresh lancache and testing with Originin Client Version 10.5.63.37653 - 758549.
When starting the Game Download the Client Displays a question:
Would you like to disable Secure downloads. Yes, not Yet.
When i choose yes, downloads are hitting the cache.

I am not sure, but i think at the moment the installed Origin Client realized the Hosts is redirected to a local IP it was asking me to Update the Client. after that i got the Question.
I was using the Origin Client without a Cache before and got the Update Message at the time i activated the DNS redirect.

I have a custom DNS Setup (Note the Docker Image) witch redirects these Hosts to the Cache:
origin-a.akamaihd.net
akamai.cdn.ea.com
lvlt.cdn.ea.com
river.data.ea.com
origin-a.akamaihd.net.edgesuite.net

I will do some more testing with different games and Client OS.

Thanks for your Work

from cache-domains.

@therealseeku we're not going fully public this as apparently there are still a few issues with the beta implementation and wording (somewhat confusing). Hopefully EA will roll a new update soon and then we can share the love into mainline :D !

Good to know more of it is working, we're also trying to get an up to date cdn list from EA as well to confirm

from cache-domains.

Released to mainline Origin client. Domains have been reinstated into master.

I'll keep this open for tracking, as the Origin client does have some "behaviour" around how it works. Probably worth a support document to explain?

from cache-domains.

NOT WORKING ,deleted old containers docker rm mono dns sni
pulled the latest for all .created new containers.
when origin clients are downloading, on the client side when i open resource monitor on windows , network activity shows that origin is receiving from the docker ips "dns" however it does not cache , nor does origin asks me to disable safe downloading , tried multiple times , multiple machines same results, it doesn't even show on the access.log neither error.log , also origin client is updated to the latest version , and tried the beta aswel to no avail

from cache-domains.

What do you get if you do nslookup origin-a.akamaihd.net on one of your client machines?

from cache-domains.

its also worth making sure your origin client is off, that you have your containers started and that you have flushed your dns locally ipconfig /flushdns. Then start origin and ask it to download a game. If the two trigger domains are correctly configured it "should" over you a popup disclaimer.

from cache-domains.

What do you get if you do nslookup origin-a.akamaihd.net on one of your client machines?

I get the caching machine ips. All other caching platforms works. Steam blizzard epic. Etc

from cache-domains.

its also worth making sure your origin client is off, that you have your containers started and that you have flushed your dns locally ipconfig /flushdns. Then start origin and ask it to download a game. If the two trigger domains are correctly configured it "should" over you a popup disclaimer.

Dns flushed origin off. Restarts. Does not prompt me to disable safe downloads

from cache-domains.

Origin client 10.5.64.37936-758832

from cache-domains.

is your dns container upto date? what does docker logs <insert dns container id> show?

from cache-domains.

is your dns container upto date? what does docker logs <insert dns container id> show?

I believe im updated and origin is service is enabled i see it in there. Dockdr log Dns

from cache-domains.

You need to assign RFC1918 addresses to your cache, and not public IP addresses.

why do they need to be RFC1918 ? we also don't use RFC1918 on our event to avoid NAT.

from cache-domains.

It works that way because that's what the content providers have decided as an easy way to change the behaviour of their clients for most cases. Other events that operate on an entirely public IP range have their lancache on a RFC1918 range that is routable from within their event.

from cache-domains.

You need to assign RFC1918 addresses to your cache, and not public IP addresses.

Some CDN providers (Steam, Origin, Riot) require a "trigger domain" to be set that resolves to one of these addresses before they will consider using the cache, otherwise they will use https and you will not be able to cache the traffic.

That's helpful but can't we workaround that? since the isp is lazy and doesn't program local ips in their cisco router which i cannot access. Any help would be appreciated. Thanks

from cache-domains.

The behavior is programmed into the game launchers. I'm afraid its outside of the scope we can control. Where we have used the lancache solution at the thousands of people end of the LAN we have used a locally routed RFC1918 subnet for the cache.

from cache-domains.

Many of the game launchers require the RFC1918 before they will enable their built in TLS downgrade / HTTP fallback modes, so its not something that can be worked around. If the hostnames resolve to anything else they will remain TLS/HTTPS and thus can't be cached as expected.

I'd expect its a failsafe measure to ensure that they are only downgrading when they are 100% sure they are talking to a local cache and not sending unencrypted traffic over the internet to a public ip that could be anywhere, but we don't really know.

The best approach to handle that depends heavily on your network setup.

We've had success with giving the cache two interfaces - one with a public IP on the WAN side for internet access / downloading games from the web and a second with an RFC1918 which is client facing on the LAN and the IP we override the hostnames in DNS to.

Alternatively you could look at using NAT and putting the cache on single interface with an RFC1918 that sits behind a firewall/router that holds the public IP.

from cache-domains.

I can confirm switching to local ip solved the issue. I only added a virtual connection then added a - e origincacheip and pointed to the local one and whatever is ok with public ip takes the rest.

from cache-domains.

virtual connection wasn't a good idea because it doesn't stay after a reboot ,simply adding the ips to the network interface was the right way to do it, ofcorse you will need a local ip pool available , thank goodness the isp cooperated and made one, even though it was lazy work they all routed to a single public ip but it did the job.

from cache-domains.

You need to assign RFC1918 addresses to your cache, and not public IP addresses.

why do they need to be RFC1918 ? we also don't use RFC1918 on our event to avoid NAT.

i'd advice you to do it in local or mix the 2 , in both cases ,take care of the firewall rules , you will need to add some protection from external ips or else you might lose bandwidth,lags , bufferbloat, SEVERELY slow your caching machine to near non-operational state

from cache-domains.

if your client isn't showing you the warning box you can try turning the client off and on again. If the application doesn't pick up the prompt it will continue to use https

from cache-domains.

from cache-domains.

Strange, I got it to work, but all of the following did NOT work. Rebooting the client, rebooting the server, tried opting into origin technical releases, tried opting out.

Reinstalling Origin worked though, I'm prompted on first game download.

Weird.

from cache-domains.