commit 4ed6768b2777a4fe800186355db06a91dfad90e1 Author: David Fifield david@bamsoftware.com Date: Sun Mar 11 22:37:15 2012 -0700
Remove crossdomain stuff.
It still remains vestigially in facilitator.py and connector.py. Facilitator because it's easy and there's no reason to cut off Flash-based proxies yet, and connector because that has to be replaced with a WebSocket shim. --- Makefile | 2 +- README | 21 +++--------- crossdomaind.py | 94 --------------------------------------------------- design.txt | 20 ++++------- init.d/crossdomaind | 62 --------------------------------- init.d/facilitator | 3 +- 6 files changed, 14 insertions(+), 188 deletions(-)
diff --git a/Makefile b/Makefile
index 3861c09..7f6e02e 100644
--- a/Makefile
+++ b/Makefile
@@ -14,7 +14,7 @@ swfcat.swf: *.as badge.png
 install:
 	mkdir -p $(BINDIR)
-	cp -f connector.py crossdomaind.py facilitator.py $(BINDIR)
+	cp -f connector.py facilitator.py $(BINDIR)
 clean:
 	rm -f $(TARGETS)
diff --git a/README b/README
index 86524c7..ced9527 100644
--- a/README
+++ b/README
@@ -13,8 +13,7 @@ There are five main parts. Our terminology for each part is in quotes.
 called swfcat because it is like a netcat implemented in Flash.
 4. A "facilitator," a pseudo-HTTP server that keeps a list of clients
    that want a connection, and hands them out to proxies.
-5. A Tor "relay," which is just a normal Tor relay except that its host
-   must also serve a Flash crossdomain policy.
+5. A Tor "relay," which is just a normal Tor relay.
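Review bot: The new `cp -f connector.py facilitator.py $(BINDIR)` line installs the scripts with whatever mode they carry in the checkout, so a clone or tarball that dropped the executable bit leaves /usr/local/bin/facilitator.py unrunnable by an init script that tests `[ -x $PROG ]` before starting (the deleted init.d/crossdomaind did this; init.d/facilitator presumably does the same). `install -m 0755 connector.py facilitator.py $(BINDIR)` makes the mode explicit and is the conventional form for an install target. Separately, neither `install` nor `clean` is declared `.PHONY` within this hunk; if no `.PHONY:` line exists elsewhere in the Makefile, a stray file named `install` or `clean` silently turns the target into a no-op.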
 The purpose of this project is to create many, generally ephemeral
 bridge IP addresses, with the goal of outpacing a censor's ability to
@@ -156,21 +155,15 @@ with sample code:
=== Running a relay or facilitator
-On the Tor relay, run
-    # ./crossdomaind.py
-In general, any computer that a proxy connects to needs to serve a
-crossdomain policy, but the connector and facilitator have it built in.
-
 On the facilitator, run
     $ ./facilitator.py -r <relay-ip>
-You can use "tor1.bamsoftware.com" for <relay-ip>; it is already set up
-to serve a crossdomain policy. The facilitator runs on port 9002 by
-default.
+You can use "tor1.bamsoftware.com" for <relay-ip>. The facilitator runs
+on port 9002 by default.
=== Installing so as to restart at boot
-The directory init.d contains scripts to start the facilitator and
-crossdomaind server on CentOS. "make install" copies files to /usr/local/bin.
+The directory init.d contains scripts to start the facilitator on
+CentOS. "make install" copies files to /usr/local/bin.
   # make install
   # useradd -d /dev/null -s /bin/false flashproxy
@@ -181,7 +174,3 @@ crossdomaind server on CentOS. "make install" copies files to /usr/local/bin.
   -- Edit /etc/init.d/facilitator to set $RELAY.
   # chkconfig --add facilitator
   # service facilitator start
-
-  # cp init.d/crossdomaind /etc/init.d/crossdomaind
-  # chkconfig --add crossdomaind
-  # service crossdomaind start
diff --git a/crossdomaind.py b/crossdomaind.py
deleted file mode 100755
index 72d4327..0000000
--- a/crossdomaind.py
+++ /dev/null
@@ -1,94 +0,0 @@
-#!/usr/bin/env python
-
-import getopt
-import os
-import socket
-import sys
-import xml.sax.saxutils
-
-DEFAULT_ADDRESS = "0.0.0.0"
-DEFAULT_PORT = 843
-DEFAULT_DOMAIN = "*"
-DEFAULT_PORTS = "*"
-
-class options(object):
-    daemonize = False
-    pid_filename = None
-    domain = DEFAULT_DOMAIN
-    ports = DEFAULT_PORTS
-
-def usage(f = sys.stdout):
-    print >> f, """\
-Usage: %(progname)s <OPTIONS> [HOST] [PORT]
-Serve a Flash crossdomain policy. By default HOST is "%(addr)s"
-and PORT is %(port)d.
-  --daemon                daemonize (Unix only).
-  -d, --domain=DOMAIN     limit access to the given DOMAIN (default "%(domain)s").
-  -h, --help              show this help.
-  --pidfile FILENAME      write PID to FILENAME after daemonizing.
-  -p, --ports=PORTS       limit access to the given PORTS (default "%(ports)s").\
-""" % {
-    "progname": sys.argv[0],
-    "addr": DEFAULT_ADDRESS,
-    "port": DEFAULT_PORT,
-    "domain": DEFAULT_DOMAIN,
-    "ports": DEFAULT_PORTS,
-}
-
-def make_policy(domain, ports):
-    return """\
-<cross-domain-policy>
-<allow-access-from domain="%s" to-ports="%s"/>
-</cross-domain-policy>
-\0""" % (xml.sax.saxutils.escape(domain), xml.sax.saxutils.escape(ports))
-
-opts, args = getopt.gnu_getopt(sys.argv[1:], "d:hp:", ["daemon", "domain", "help", "pidfile=", "ports"])
-for o, a in opts:
-    if o == "--daemon":
-        options.daemonize = True
-    elif o == "-h" or o == "--help":
-        usage()
-        sys.exit()
-    elif o == "-d" or o == "--domain":
-        options.domain = a
-    elif o == "--pidfile":
-        options.pid_filename = a
-    elif o == "-p" or o == "--ports":
-        options.ports = a
-
-if len(args) == 0:
-    address = (DEFAULT_ADDRESS, DEFAULT_PORT)
-elif len(args) == 1:
-    # Either HOST or PORT may be omitted; figure out which one.
-    if args[0].isdigit():
-        address = (DEFAULT_ADDRESS, args[0])
-    else:
-        address = (args[0], DEFAULT_PORT)
-elif len(args) == 2:
-    address = (args[0], args[1])
-else:
-    usage(sys.stderr)
-    sys.exit(1)
-
-policy = make_policy(options.domain, options.ports)
-
-addrinfo = socket.getaddrinfo(address[0], address[1], 0, socket.SOCK_STREAM, socket.IPPROTO_TCP)[0]
-
-s = socket.socket(addrinfo[0], addrinfo[1], addrinfo[2])
-s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-s.bind(addrinfo[4])
-s.listen(10)
-
-if options.daemonize:
-    pid = os.fork()
-    if pid != 0:
-        if options.pid_filename:
-            f = open(options.pid_filename, "w")
-            print >> f, pid
-            f.close()
-        sys.exit(0)
-
-while True:
-    (c, c_addr) = s.accept()
-    c.sendall(policy)
-    c.close()
diff --git a/design.txt b/design.txt
index b797262..ecee83c 100644
--- a/design.txt
+++ b/design.txt
@@ -26,10 +26,9 @@ Design of flash proxies
   initiate outgoing connections, not receive incoming ones. The flash
   proxy can only connect to external hosts by connecting directly to
   them. The other significant restriction is that the proxy cannot
-  connect to just any destination: Adobe Flash player requires the
-  server to provide a "crossdomain policy" allowing access. A third, but
-  less important, restriction is that browser-based networking does not
-  provide low-level socket access such as control of source address.
+  connect to just any destination. A third, but less important,
+  restriction is that browser-based networking does not provide
+  low-level socket access such as control of source address.
2. Components
@@ -59,8 +58,7 @@ Design of flash proxies
      variety of ways. It sends registrations to flash proxies over HTTP.
      The facilitator is responsible for matching clients to proxies in a
      reasonable manner.
-  5. Tor relay: An ordinary Tor relay with no special configuration
-     apart from serving a crossdomain policy to allow Flash connections.
+  5. Tor relay: An ordinary Tor relay.
4. Sample session
@@ -120,10 +118,8 @@ Design of flash proxies
   both ends, and matches them together. The remote socket listens on
   port 9000 and the local on port 9001.
-  The connector can serve a crossdomain policy in response to a
-  crossdomain request, allowing the flash proxy to connect. On the local
-  side, it acts as a SOCKS proxy (albeit one that always goes to the
-  same destination).
+  On the local side, it acts as a SOCKS proxy (albeit one that always
+  goes to the same destination).
7. Behavior of the flash proxy
@@ -158,6 +154,4 @@ Design of flash proxies
9. Behavior of the Tor relay.
-  The Tor relay requires no special configuration. It must also be
-  running a program that serves a crossdomain policy to allow a flash
-  proxy to connect to it.
+  The Tor relay requires no special configuration.
diff --git a/init.d/crossdomaind b/init.d/crossdomaind
deleted file mode 100755
index 3aecaaa..0000000
--- a/init.d/crossdomaind
+++ /dev/null
@@ -1,62 +0,0 @@
-#!/bin/sh
-#
-# crossdomaind  This shell script takes care of starting and stopping
-#               crossdomaind server.
-#
-# chkconfig: 2345 90 10
-# description: Crossdomain policy server.
-# processname: crossdomaind.py
-# pidfile: /var/flashproxy/crossdomaind.pid
-
-# Installation instructions:
-#   cp crossdomaind /etc/init.d/crossdomaind
-#   chkconfig --add crossdomaind
-#   service crossdomaind start
-
-# Source function library.
-. /etc/rc.d/init.d/functions
-
-BINDIR=/usr/local/bin
-VARDIR=/var/flashproxy
-PROG=$BINDIR/crossdomaind.py
-PIDFILE=$VARDIR/crossdomaind.pid
-
-# See how we were called.
-case "$1" in
-  start)
-	[ -x $PROG ] || exit 1
-	echo -n $"Starting flash proxy crossdomaind: "
-	cd $VARDIR && daemon --pidfile $PIDFILE $PROG --pidfile $PIDFILE --daemon
-	RETVAL=$?
-	echo
-	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/crossdomaind
-	;;
-  stop)
-	# Stop daemon.
-	echo -n $"Shutting down flash proxy crossdomaind: "
-	killproc -p $PIDFILE
-	RETVAL=$?
-	echo
-	if [ $RETVAL -eq 0 ]; then
-		rm -f /var/lock/subsys/crossdomaind
-		rm -f $PIDFILE
-	fi
-	;;
-  status)
-	status -p $PIDFILE crossdomaind
-	RETVAL=$?
-	;;
-  restart|reload)
-	$0 stop
-	$0 start
-	;;
-  condrestart)
-	[ -f /var/lock/subsys/crossdomaind ] && restart || :
-	;;
-  *)
-	echo $"Usage: $0 {start|stop|status|restart}"
-	RETVAL=3
-	;;
-esac
-
-exit $RETVAL
diff --git a/init.d/facilitator b/init.d/facilitator
index 03be16e..152f03c 100755
--- a/init.d/facilitator
+++ b/init.d/facilitator
@@ -16,8 +16,7 @@
 # Source function library.
 . /etc/rc.d/init.d/functions
-# Replace this with the address of a Tor relay that allows crossdomain
-# connections (i.e., is running crossdomaind.py). You can use host:port
+# Replace this with the address of a Tor relay. You can use host:port
 # syntax.
 RELAY=...