commit a4f10d9d6eaa8806adc5eefaf7ac46d4050340d1
Author: Cecylia Bocovich cohosh@torproject.org
Date:   Wed Oct 14 15:49:01 2020 -0400
Add Dockerfile and README for deploying probetest
The easiest way to set up the probe server behind a symmetric NAT is to deploy it as a Docker container and alter the iptables rules for the Docker network subnet that the container runs in.
---
 probetest/Dockerfile         |  3 +++
 probetest/README.md          | 44 ++++++++++++++++++++++++++++++++++++++++++++
 probetest/docker-compose.yml | 11 +++++++++++
 3 files changed, 58 insertions(+)
diff --git a/probetest/Dockerfile b/probetest/Dockerfile new file mode 100644 index 0000000..966ab28 --- /dev/null +++ b/probetest/Dockerfile @@ -0,0 +1,3 @@ +FROM golang:1.13 + +COPY probetest /go/bin diff --git a/probetest/README.md b/probetest/README.md new file mode 100644 index 0000000..8af42f5 --- /dev/null +++ b/probetest/README.md @@ -0,0 +1,44 @@ +This is code for a remote probe test component of Snowflake. + +### Overview + +This is a probe test server to allow proxies to test their compatability +with Snowflake. Right now the only type of test implemented is a +compatability check for clients with symmetric NATs. + +### Running your own + +The server uses TLS by default. +There is a `--disable-tls` option for testing purposes, +but you should use TLS in production. + +To build the probe server, run +```go build``` + +To deploy the probe server, first set the necessary env variables with +``` +export HOSTNAMES=${YOUR HOSTNAMES} +export EMAIL=${YOUR EMAIL} +``` +then run ```docker-compose up``` + +Setting up a symmetric NAT configuration requires a few extra steps. After +upping the docker container, run +```docker inspect snowflake-probetest``` +to find the subnet used by the probetest container. Then run +```sudo iptables -L -t nat``` to find the POSTROUTING rules for the subnet. +It should look something like this: +``` +Chain POSTROUTING (policy ACCEPT) +target prot opt source destination +MASQUERADE all -- 172.19.0.0/16 anywhere +``` +to modify this rule, execute the command +```sudo iptables -t nat -R POSTROUTING $RULE_NUM -s 172.19.0.0/16 -j MASQUERADE --random``` +where RULE_NUM is the numbered rule corresponding to your docker container's subnet masquerade rule. +Afterwards, you should see the rule changed to be: +``` +Chain POSTROUTING (policy ACCEPT) +target prot opt source destination +MASQUERADE all -- 172.19.0.0/16 anywhere random +``` 
diff --git a/probetest/docker-compose.yml b/probetest/docker-compose.yml new file mode 100644 index 0000000..9283383 --- /dev/null +++ b/probetest/docker-compose.yml @@ -0,0 +1,11 @@ + version: "3.8" + + services: + snowflake-probetest: + build: . + container_name: snowflake-probetest + ports: + - "8443:8443" + volumes: + - /home/snowflake-broker/acme-cert-cache:/go/bin/acme-cert-cache + entrypoint: [ "probetest" , "-addr", ":8443" , "-acme-hostnames", $HOSTNAMES, "-acme-email", $EMAIL, "-acme-cert-cache", "/go/bin/acme-cert-cache"]
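Review bot: In the Dockerfile hunk, `FROM golang:1.13` ships a full Go toolchain in a container that only ever runs a binary built on the host (the README has the operator run `go build` outside the container), and the tag is not pinned by digest, so the runtime image is larger and less reproducible than it needs to be. Consider a minimal base (or a multi-stage build that compiles inside the image, which also avoids host/container libc mismatches) and a `USER` directive so the listener does not run as root. Note that `entrypoint: [ "probetest", ... ]` in docker-compose.yml only resolves because the golang image puts `/go/bin` on `PATH`; if the base image changes, use the full path `/go/bin/probetest` or `COPY` the binary to `/usr/local/bin`.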
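Review bot: In the README hunk, `sudo iptables -L -t nat` does not print rule numbers, so the reader cannot determine `$RULE_NUM` for the following `iptables -t nat -R POSTROUTING $RULE_NUM ...` command; use `sudo iptables -t nat -L POSTROUTING --line-numbers` (and `-n` to avoid reverse lookups such as `anywhere`). Worth adding in the same section: `--random` on the MASQUERADE target is what makes the mapping port-randomizing (i.e. symmetric) for the whole Docker subnet, it applies to every container on that network, and Docker reinstalls its own MASQUERADE rule when the daemon restarts, so the change is not persistent and should be re-applied (or scripted) after restarts. Smaller points: "compatability" should be "compatibility" (two occurrences); `${YOUR HOSTNAMES}` and `${YOUR EMAIL}` are invalid shell substitutions if pasted literally, so a placeholder like `export HOSTNAMES=probe.example.org` reads better; and the one-line ```` ```go build``` ```` / ```` ```docker-compose up``` ```` fences render inconsistently across Markdown renderers, so single backticks are safer for inline commands.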
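Review bot: In the docker-compose.yml hunk, `$HOSTNAMES` and `$EMAIL` are substituted as empty strings with only a warning when unset, which starts the server with `-acme-hostnames ""`; using `"${HOSTNAMES:?HOSTNAMES must be set}"` and `"${EMAIL:?EMAIL must be set}"` fails fast instead. Please also document how the ACME challenge reaches this container: only `"8443:8443"` is published, while HTTP-01 validation arrives on port 80 and TLS-ALPN-01 on port 443, so certificate issuance will not succeed unless the host forwards 443 (or 80) to 8443, or the mapping is changed to publish the standard port. The host-side cache path `/home/snowflake-broker/acme-cert-cache` is hard-coded and the container runs as root, so the cached private keys will be root-owned on the host; a `restart: unless-stopped` policy would also be appropriate for a long-running probe service.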