[tor-bugs] #10984 [meek]: PHP relay for meek

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Sep 18 23:23:43 UTC 2014


#10984: PHP relay for meek
-------------------------+----------------------------
     Reporter:  arlolra  |      Owner:  dcf
         Type:  defect   |     Status:  needs_revision
     Priority:  normal   |  Milestone:
    Component:  meek     |    Version:
   Resolution:           |   Keywords:  meek
Actual Points:           |  Parent ID:
       Points:           |
-------------------------+----------------------------
Changes (by dcf):

 * status:  new => needs_revision


Comment:

 This PHP reflector is undeniably useful. I just used it to prototype a
 reflector on Azure Websites for #13189.

 I'm still doubtful about the quality of code derived from GoAgent and I
 wish we didn't have to include the huge license. I think we can simplify
 it quite a bit with a new implementation?

 We don't actually have to reflect Content-Type. I think we can replace all
 the GetHeaders code with just:
 {{{
 $headerArray = array();
 if (array_key_exists("HTTP_X_SESSION_ID", $_SERVER)) {
         $headerArray[] = "X-Session-Id: " . $_SERVER["HTTP_X_SESSION_ID"];
 }
 curl_setopt($ch, CURLOPT_HTTPHEADER, $headerArray);
 }}}

 Likewise, I think you can replace all the method processing code with
 just:
 {{{
 curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $_SERVER['REQUEST_METHOD']);
 curl_setopt($ch, CURLOPT_POSTFIELDS, file_get_contents("php://input"));
 }}}
 I found I had to change
 [http://php.net/manual/en/reserved.variables.httprawpostdata.php $HTTP_RAW_POST_DATA]
 to file_get_contents("php://input") since
 [https://gitweb.torproject.org/pluggable-transports/meek.git/commitdiff/b1f6a7ece3adaf8a781a5a97877fcf0f20c736a7 b1f6a7ec]
 which removed Content-Type from the header.

 I was going to suggest using the HTTPS bridge by default, but I tried it
 and Azure must not have a trusted CA list installed. It prints:
 {{{
 502 Urlfetch Error
 PHP Urlfetch Error: curl(60)
 SSL certificate problem: unable to get local issuer certificate
 }}}

 It turns out that
 [http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
 CURLOPT_SSL_VERIFYHOST] is not a boolean, but an integer. 0 means
 something unsafe, 1 means something unsafe, and 2 is what you want.
 Unfortunately true is converted to 1. It's used as an example of a bad API
 in [https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf this paper]. It looks
 like PHP has our back though; I saw this message in the log:
 {{{
 PHP Notice:  curl_setopt_array(): CURLOPT_SSL_VERIFYHOST no longer accepts
 the value 1, value 2 will be used instead in index.php on line 111
 }}}

 Do you think you can get the file down to 50 lines? I think it should be
 possible and then I'll like it better.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10984#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
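
The header and method forwarding suggested in the comment above, combined with explicit TLS verification settings, as an added example that is not part of the original message or of the meek code. UPSTREAM_URL, CA_BUNDLE and buildCurlOptions are hypothetical names; the example assumes you ship a CA file next to the script, so that a host without a system CA list (the curl(60) case) still verifies the bridge certificate.

```php
<?php
// Added example, not the meek project's code. Both constants are placeholders
// (assumptions): point them at your bridge and at a CA file you deploy.
const UPSTREAM_URL = 'https://bridge.example/';   // hypothetical HTTPS bridge
const CA_BUNDLE    = __DIR__ . '/cacert.pem';     // hypothetical bundled CA list

// Build the cURL options for one reflected request.
function buildCurlOptions(array $server, string $body): array
{
    // Only X-Session-Id is reflected, as suggested in the comment.
    $headers = [];
    if (array_key_exists('HTTP_X_SESSION_ID', $server)) {
        $headers[] = 'X-Session-Id: ' . $server['HTTP_X_SESSION_ID'];
    }
    return [
        CURLOPT_URL            => UPSTREAM_URL,
        CURLOPT_CUSTOMREQUEST  => $server['REQUEST_METHOD'],
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        // Verify the certificate chain against the CA file shipped with the
        // script, so a missing system CA list does not become a reason to
        // switch verification off.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_CAINFO         => CA_BUNDLE,
        // Integer, not boolean: 2 checks the certificate name against the host.
        // Passing true would be converted to 1.
        CURLOPT_SSL_VERIFYHOST => 2,
    ];
}

$ch = curl_init();
curl_setopt_array($ch, buildCurlOptions($_SERVER, file_get_contents('php://input')));
$response = curl_exec($ch);
if ($response === false) {
    // Fail closed: report the cURL error number (60 for an unverifiable
    // certificate) and never retry with verification disabled.
    http_response_code(502);
    header('Content-Type: text/plain');
    echo 'Upstream fetch failed: curl(' . curl_errno($ch) . ")\n";
} else {
    http_response_code(curl_getinfo($ch, CURLINFO_HTTP_CODE));
    echo $response;
}
```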