commit bf52bbaf90d096810018217ca6d16f999b227194
Author: Ximin Luo infinity0@gmx.com
Date: Tue Nov 5 11:28:40 2013 +0000

    doc additions
    - relate flashproxy-reg-url to the end-to-end encrypted HTTP registration
    - facilitator.cgi also serves the browser proxies, so you must enable it
---
 facilitator/README                     | 11 ++++++-----
 facilitator/doc/facilitator-design.txt | 14 ++++++++++----
 facilitator/doc/http-howto.txt         |  6 ++++--
 3 files changed, 20 insertions(+), 11 deletions(-)
diff --git a/facilitator/README b/facilitator/README index 737d1b3..2b98c5c 100644 --- a/facilitator/README +++ b/facilitator/README @@ -15,15 +15,16 @@ as system services, and you should be able to configure them in the appropriate place for your system (e.g. /etc/default/facilitator for a Debian-based system using initscripts).
-At a minimum, each installation has its own public-private keypair at -reg-daemon.{pub,key} in the flashproxy config directory. You will need -to securely distribute the public part (.pub) to your users - e.g. by -publishing it somewhere, signed by your own PGP key. +Each installation has its own public-private keypair, stored in the +flashproxy config directory. You will need to securely distribute the +public key (reg-daemon.pub) to your users - e.g. by publishing it +somewhere, signed by your own PGP key.
There are three supported helper rendezvous methods: HTTP, email, and appspot. Each helper method may require additional manual configuration and might also depend on other helper methods; see the corresponding -doc/x-howto.txt for more details. +doc/x-howto.txt for more details. At a very minimum, you must configure +and enable the HTTP method, since that also serves the browser proxies.
For suggestions on configuring a dedicated facilitator machine, see doc/server-howto.txt. diff --git a/facilitator/doc/facilitator-design.txt b/facilitator/doc/facilitator-design.txt index 3f4f801..0d84da3 100644 --- a/facilitator/doc/facilitator-design.txt +++ b/facilitator/doc/facilitator-design.txt @@ -17,11 +17,17 @@ The HTTP rendezvous uses an HTTP server and a CGI program. The HTTP server is responsible for speaking TLS and invoking the CGI program. The CGI program receives client registrations and proxy requests for clients, parses them, and forwards them to the backend. We use Apache 2 -as the HTTP server. The CGI script is facilitator.cgi. There are two -formats - plain vs. (end-to-end) encrypted. Direct client registrations +as the HTTP server. The CGI script is facilitator.cgi. Currently this +is also the only method for accepting browser proxy registrations, so +you must enable this method, otherwise your clients will not be served. + +For the HTTP rendezvous, there are two formats you may use for a client +registration - plain vs. (end-to-end) encrypted. Direct registrations (e.g. flashproxy-reg-http) can use the plain format over HTTPS, which provides transport encryption; but if you proxy registrations through another service (e.g. reg-appspot), you must use the end-to-end format. +On the client side, you may use flashproxy-reg-url to generate +registration URLs for the end-to-end encrypted format.
The email rendezvous uses the helper program facilitator-email-poller. Clients use the flashproxy-reg-email program to send an encrypted @@ -31,8 +37,8 @@ messages and forwards them to facilitator-reg. The appspot rendezvous uses Google's appengine platform as a proxy for the HTTP method, either yours or that of another facilitator. It takes advantage of the fact that a censor cannot distinguish between a TLS -connection to appspot.com or google.com, since the IPs are the same, and -it is highly unlikely that anyone will try to block the latter. +connection to appspot.com or google.com, since the IPs are the same, +and it is highly unlikely that anyone will try to block the latter.
fac.py is a Python module containing code common to the various facilitator programs. diff --git a/facilitator/doc/http-howto.txt b/facilitator/doc/http-howto.txt index 99ebf9b..bd7daa4 100644 --- a/facilitator/doc/http-howto.txt +++ b/facilitator/doc/http-howto.txt @@ -1,5 +1,7 @@ -These are instructions for how to set up an Apache Web Server for handling -the HTTP registration method (facilitator.cgi / flashproxy-reg-http). +These are instructions for how to set up an Apache Web Server for +handling the HTTP client registration method (facilitator.cgi / +flashproxy-reg-http / flashproxy-reg-url), as well as for browser +proxies to poll and receive a client to serve.
== HTTP server setup
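Review bot: in facilitator/README (hunk at -15,15) the rewritten keypair paragraph names only reg-daemon.pub and drops the earlier reg-daemon.{pub,key} reference, so the operator is no longer told which file in the flashproxy config directory is the private half. Suggest keeping the name next to the distribution instruction, for example "the private key (reg-daemon.key) stays on the facilitator", so that the file to protect is as explicit as the file to publish.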
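Review bot: in facilitator/doc/facilitator-design.txt (hunk at -17,11) the added sentence speaks of "browser proxy registrations", while the unchanged sentence just above it calls the same traffic "proxy requests for clients" and the http-howto.txt hunk in this patch says proxies "poll and receive a client to serve". Because the following paragraph is about the two client registration formats, using one term for the proxy side (for example "proxy requests") would keep "registration" meaning a client registration throughout. The new paragraph break helps here; the wording should follow it.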
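Review bot: the second hunk in facilitator/doc/facilitator-design.txt (at -31,8) only moves "and" from the end of one line to the start of the next; the wording of the appspot paragraph is unchanged. Suggest dropping this re-wrap from the commit, or putting it in a separate whitespace-only commit, since it is not covered by the commit message and adds noise to the review of the actual doc additions.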
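Review bot: in facilitator/doc/http-howto.txt the new intro lists flashproxy-reg-url beside flashproxy-reg-http without saying that it produces the end-to-end encrypted format, which facilitator-design.txt in this same patch says you must use when registrations are proxied through another service. A short pointer to facilitator-design.txt, or the words "(end-to-end encrypted)" after flashproxy-reg-url, would tell the operator that this Apache setup has to accept both formats.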
tor-commits@lists.torproject.org