On Tuesday, December 13, 2022, 07:35:23 PM MST, David Fifield <david@bamsoftware.com> wrote:
On Tue, Dec 13, 2022 at 07:29:45PM +0000, Gary C. New via tor-relays wrote:
>> On Tuesday, December 13, 2022, 10:11:41 AM PST, David Fifield
>> <david@bamsoftware.com> wrote:
>>
>> Am I correct in assuming extor-static-cookie is only useful within the context
>> of bridging connections between snowflake-server and tor (not as a pluggable
>> transport similar to obfs4proxy)?
> That's correct. extor-static-cookie is a workaround for a technical
> problem with tor's Extended ORPort. It serves a narrow and specialized
> purpose. It happens to use the normal pluggable transports machinery,
> but it is not a circumvention transport on its own. It's strictly for
> interprocess communication and is not exposed to the Internet. You don't
> need it to run a Snowflake proxy.
Created a Makefile for extor-static-cookie for OpenWRT and Entware:
https://forum.openwrt.org/t/extor-static-cookie-makefile/145694
> I am not sure what your plans are with running multiple obfs4proxy, but
> if you just want multiple obfs4 listeners, with different keys, running
> on different ports on the same host, you don't need a load balancer,
> extor-static-cookie, or any of that. Just run multiple instances of tor,
> each with its corresponding instance of obfs4proxy. The separate
> instances don't need any coordination or communication.
The goal of running multiple obfs4proxy listeners is to offer numerous, unique
bridges distributed across several servers maximizing resources and availability.
> You could, in principle, use the same load-balanced setup with
> obfs4proxy, but I expect that a normal bridge will not get enough users
> to justify it. It only makes sense when the tor process hits 100% CPU
> and becomes a bottleneck, which for the Snowflake bridge only started
> to happen at around 6,000 simultaneous users.
Hmm... If normal bridges will not see enough users to justify the deployment
of numerous, unique bridges distributed over several servers--this may be a
deciding factor. I don't have enough experience with normal bridges to know.
>> What about a connection flow of haproxy/nginx => (snowflake-server =>
>> extor-static-cookie => tor) on separate servers?
> You have the order wrong (it's snowflake-server → haproxy →
> extor-static-cookie → tor), but yes, you could divide the chain at any
> of the arrows and run things on different hosts. You could also run half
> the extor-static-cookie + tor on one host and half on another, etc.
I've installed and started configuring snowflake-server and have some questions
after reading the README:
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/tree/main/server
1. How are Snowflake Bridges advertised? Will they compromise a Normal Bridge
running on the same public addresses?
2. I already have a DNS Let's Encrypt process in place for certificates and port 80
(HTTP) is already in use by another daemon on my server. Is there an alternative method
to provide snowflake-server with the required certificates?
3. I'm using an init.d (not systemd) operating system. Do you have any init.d examples
for snowflake-server?
In short, I'm trying to get a sense of whether it makes sense to run a Snowflake Bridge
and Normal Bridge on the same public addresses.
Thanks, again, for your assistance.
Respectfully,
Gary
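
The setup David describes in the quoted text above (several independent tor instances, each with its own obfs4proxy, on different ports of one host), sketched as an added example that is not part of the original thread or of any Tor Project tooling. The directory layout, port ranges, obfs4proxy path and function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added illustration: emit one torrc per independent obfs4 bridge instance.
# All defaults below are assumed values, not taken from the thread.
BASE_DIR="${BASE_DIR:-/var/lib/tor-instances}"    # assumed parent of DataDirectory
OBFS4PROXY="${OBFS4PROXY:-/usr/bin/obfs4proxy}"   # assumed binary path
OR_BASE="${OR_BASE:-9001}"        # instance N gets ORPort OR_BASE+N
OBFS4_BASE="${OBFS4_BASE:-44300}" # instance N gets obfs4 port OBFS4_BASE+N

# Print the torrc for instance number $1 (0-based).
bridge_torrc() {
    n="$1"
    case "$n" in
        ''|*[!0-9]*) echo "instance must be a number" >&2; return 1 ;;
    esac
    cat <<EOF
# Instance $n. A separate DataDirectory gives this instance its own
# identity keys and its own obfs4 state, so no coordination is needed.
DataDirectory $BASE_DIR/bridge$n
BridgeRelay 1
SocksPort 0
ORPort $((OR_BASE + n))
ExtORPort auto
ServerTransportPlugin obfs4 exec $OBFS4PROXY
ServerTransportListenAddr obfs4 0.0.0.0:$((OBFS4_BASE + n))
EOF
}

# Write torrc.bridge0 .. torrc.bridge(count-1) into directory $2.
# Refuses to run if the two port ranges would collide on this host.
write_instances() {
    count="$1"; out="$2"
    if [ $((OR_BASE + count)) -gt "$OBFS4_BASE" ] &&
       [ $((OBFS4_BASE + count)) -gt "$OR_BASE" ]; then
        echo "ORPort and obfs4 port ranges overlap" >&2
        return 1
    fi
    mkdir -p "$out" || return 1
    i=0
    while [ "$i" -lt "$count" ]; do
        bridge_torrc "$i" > "$out/torrc.bridge$i" || return 1
        i=$((i + 1))
    done
}
```

Each generated file is started as its own process with `tor -f <file>`. Because nothing is shared between the DataDirectory paths, every instance presents a different bridge line.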