commit a4f10d9d6eaa8806adc5eefaf7ac46d4050340d1
Author: Cecylia Bocovich <cohosh(a)torproject.org>
Date: Wed Oct 14 15:49:01 2020 -0400
Add Dockerfile and README for deploying probetest
The easiest way to set up the probe server behind a symmetric NAT is to
deploy it as a Docker container and alter the iptables rules for the
Docker network subnet that the container runs in.
---
probetest/Dockerfile | 3 +++
probetest/README.md | 44 ++++++++++++++++++++++++++++++++++++++++++++
probetest/docker-compose.yml | 11 +++++++++++
3 files changed, 58 insertions(+)
diff --git a/probetest/Dockerfile b/probetest/Dockerfile
new file mode 100644
index 0000000..966ab28
--- /dev/null
+++ b/probetest/Dockerfile
@@ -0,0 +1,3 @@
+FROM golang:1.13
+
+COPY probetest /go/bin
diff --git a/probetest/README.md b/probetest/README.md
new file mode 100644
index 0000000..8af42f5
--- /dev/null
+++ b/probetest/README.md
@@ -0,0 +1,44 @@
+This is code for a remote probe test component of Snowflake.
+
+### Overview
+
+This is a probe test server to allow proxies to test their compatability
+with Snowflake. Right now the only type of test implemented is a
+compatability check for clients with symmetric NATs.
+
+### Running your own
+
+The server uses TLS by default.
+There is a `--disable-tls` option for testing purposes,
+but you should use TLS in production.
+
+To build the probe server, run
+```go build```
+
+To deploy the probe server, first set the necessary env variables with
+```
+export HOSTNAMES=${YOUR HOSTNAMES}
+export EMAIL=${YOUR EMAIL}
+```
+then run ```docker-compose up```
+
+Setting up a symmetric NAT configuration requires a few extra steps. After
+upping the docker container, run
+```docker inspect snowflake-probetest```
+to find the subnet used by the probetest container. Then run
+```sudo iptables -L -t nat``` to find the POSTROUTING rules for the subnet.
+It should look something like this:
+```
+Chain POSTROUTING (policy ACCEPT)
+target prot opt source destination
+MASQUERADE all -- 172.19.0.0/16 anywhere
+```
+to modify this rule, execute the command
+```sudo iptables -t nat -R POSTROUTING $RULE_NUM -s 172.19.0.0/16 -j MASQUERADE --random```
+where RULE_NUM is the numbered rule corresponding to your docker container's subnet masquerade rule.
+Afterwards, you should see the rule changed to be:
+```
+Chain POSTROUTING (policy ACCEPT)
+target prot opt source destination
+MASQUERADE all -- 172.19.0.0/16 anywhere random
+```
diff --git a/probetest/docker-compose.yml b/probetest/docker-compose.yml
new file mode 100644
index 0000000..9283383
--- /dev/null
+++ b/probetest/docker-compose.yml
@@ -0,0 +1,11 @@
+ version: "3.8"
+
+ services:
+ snowflake-probetest:
+ build: .
+ container_name: snowflake-probetest
+ ports:
+ - "8443:8443"
+ volumes:
+ - /home/snowflake-broker/acme-cert-cache:/go/bin/acme-cert-cache
+ entrypoint: [ "probetest" , "-addr", ":8443" , "-acme-hostnames", $HOSTNAMES, "-acme-email", $EMAIL, "-acme-cert-cache", "/go/bin/acme-cert-cache"]