2011/2/2 Bjarni Rúnar Einarsson <span dir="ltr"><<a href="mailto:bre@pagekite.net">bre@pagekite.net</a>></span><br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
2011/2/2 Jacob Appelbaum <span dir="ltr"><<a href="mailto:jacob@appelbaum.net" target="_blank">jacob@appelbaum.net</a>></span><br><div class="gmail_quote"><div class="im"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div><div></div><div>Hi Bjarni!<br></div></div>
<br>
Is there any reason that you can't route SSL/TLS traffic to Tor for all<br>
non-SNI requests? Another thing that might work is knowing that all Tor<br>
certificates currently end in .net. So while they're random, it's<br>
certainly possible to know when someone explicitly wants to reach a<br>
different server you certainly know about and isn't in your allowed<br>
lookup table. Anything else can be routed to Tor.<br></blockquote></div><div><br>This would work, but the "default fallback" is somewhat of a coveted position as there are lots of web browsers out there that don't send SNI. So in a shared environment you want to define your "favorite" web-site as the default fall-back, not Tor.<br>
<br>I suppose I could add a feature to Pagekite where the default is different for requests with SNI from requests without... best add that to the list, I guess. :-)<br></div></div></blockquote><div><br>OK, I think I've got the required support in pagekite.py for this - it only took 3 lines of tweaks, unless I'm overlooking something. :-)<br>
<br>I haven't got an entry node up and running to test this myself, and am getting on a plane to FOSDEM in the morning so I have to go pack now... but it works for normal HTTPS. If anyone wants to help out and test this on a real entry node, that would save me the hassle, otherwise I'll get around to it myself after the conference and report back.<br>
<br>The code is here: <a href="https://github.com/pagekite/PyPagekite/raw/main/pagekite.py">https://github.com/pagekite/PyPagekite/raw/main/pagekite.py</a><br>
Run it like this:<br><br>sudo pagekite.py --clean \<br> --isfrontend \<br> --ports=443 \<br>
--protos=https \<br> --runas=nobody:nogroup \<br> --tls_default=<a href="http://foo.com">foo.com</a> \<br>
--backend=https:foo.com:localhost:1443: \<br> --backend=https:unknown:localhost:1337:<br><br>This should proxy browsers requestiong <a href="http://foo.com">foo.com</a> and old browsers without SNI to localhost:1443, but any other SNI bearing request will get proxied to port 1337, which is where one would put Tor in this configuration.<br>
</div></div><br>Yeah, I'm asking you to run a gigantic python program as root... sorry about that! Only way I know to get port 443... :-)<br>
<br>-- <br>Bjarni R. Einarsson<br>The Beanstalks Project ehf.<br><br>Making personal web-pages fly: <a href="http://pagekite.net/" target="_blank">http://pagekite.net/</a><br>