[tor-bugs] #16650 [BridgeDB]: Set up domain fronting for BridgeDB

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jul 23 23:21:46 UTC 2015


#16650: Set up domain fronting for BridgeDB
-------------------------+-------------------------------------------------
     Reporter:  isis     |      Owner:  isis
         Type:           |     Status:  new
  enhancement            |  Milestone:
     Priority:  normal   |    Version:
    Component:           |   Keywords:  bridgedb-dist, bridgedb-usability,
  BridgeDB               |  tbb-wants, usability, bridge-distribution
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by isis):

 Pasting with permission a couple emails with great ideas for moving this
 forward which dcf sent me:

 > From: David Fifield
 > Subject: Fronting BridgeDB
 > Date: Thu, 25 Jun 2015 23:19:03
 > To: Isis
 >
 > I've been thinking about how to make a domain-fronted interface to
 > BridgeDB. It seems like the best thing to do is tunnel end-to-end HTTPS
 > to bridges.torproject.org port 443. I think we can do that just by
 > cajoling meek-server to run as a standalone proxy. I've been thinking
 > about writing an externalize-pt program to do it, but for a prototype
 > you can just use a shell script.
 >   export TOR_PT_MANAGED_TRANSPORT_VER=1
 >   export TOR_PT_SERVER_BINDADDR=meek-0.0.0.0:2000
 >   export TOR_PT_SERVER_TRANSPORTS=meek
 >   export TOR_PT_ORPORT=127.0.0.1:443
 >   meek-server --disable-tls
 > (For actual deployment we'll want a real cert and TLS.) Now you have a
 > meek-server talking to port 443 instead of an ORPort. If you send it the
 > right kind of request it will tunnel the body through to port 443.
 >   echo -n $'POST / HTTP/1.0\r\nX-Session-Id: xxxxxxxx\r\nContent-Length: 0\r\n\r\n' | ncat localhost 2000
 > The next step is to set up the CDN and point it to the meek-server
 > bindaddr. Like for the appengine one, you would set in reflect.go:
 >   forwardURL = "http://bridges.torproject.org:2000/"
 > Then on the client side, you have to set up another standalone proxy:
 >   export TOR_PT_MANAGED_TRANSPORT_VER=1
 >   export TOR_PT_CLIENT_TRANSPORTS=meek
 >   meek-client --url https://bridgedb.appspot.com/ --front www.google.com
 > (You can also pass the URL and front in the SOCKS request. For testing,
 > you can skip the CDN and just provide --url http://bridges.torproject.org:2000/.)
 > At this point the client can make HTTPS requests through the local SOCKS
 > proxy that meek-client runs (with a normal browser, even) and everything
 > should work great. The SOCKS proxy will only connect you to
 > bridges.torproject.org, even if you ask for something else.
 >
 > It's not totally clear how this is going to work inside Tor Browser. You
 > have a nice local domain-fronted proxy that Tor Launcher can use, though
 > process management will be a chore.
 >
 > One difficulty is communicating the client's IP address to the BridgeDB
 > HTTPS server. We can assume that meek-server knows the client's address
 > because it's carried in a header or something. But from the web server's
 > point of view, all the requests will be coming from localhost. We can't
 > inject a header to the request because it's the client's end-to-end
 > HTTPS. Tor uses the ExtORPort for this purpose but there's nothing
 > equivalent in a web server.

 and

 > From: David Fifield
 > Subject: Re: Fronting BridgeDB
 > Date: Thu, 25 Jun 2015 23:29:29
 > To: Isis
 >
 > On Thu, Jun 25, 2015 at 11:19:03PM, David Fifield wrote:
 > > I've been thinking about how to make a domain-fronted interface to
 > > BridgeDB. It seems like the best thing to do is tunnel end-to-end HTTPS
 > > to bridges.torproject.org port 443. I think we can do that just by
 > > cajoling meek-server to run as a standalone proxy. I've been thinking
 > > about writing an externalize-pt program to do it, but for a prototype
 > > you can just use a shell script.
 > >     export TOR_PT_MANAGED_TRANSPORT_VER=1
 > >     export TOR_PT_SERVER_BINDADDR=meek-0.0.0.0:2000
 > >     export TOR_PT_SERVER_TRANSPORTS=meek
 > >     export TOR_PT_ORPORT=127.0.0.1:443
 > >     meek-server --disable-tls
 > > (For actual deployment we'll want a real cert and TLS.)
 >
 > I think I know a better way to handle the TLS. You can use the current
 > web server as a TLS terminator, have it reverse-proxy to meek-server on
 > localhost over plain HTTP (carrying tunneled TLS), and then have
 > meek-server forward the tunneled TLS body straight back to port 443 on
 > localhost.
 >     CDN --TLS(meek(TLS(GET /bridges)))--> Apache --meek(TLS(GET /bridges))--> meek-server --TLS(GET /bridges)--> Apache
 > That way you don't need to trust meek-server with your keys and you
 > don't need to open an external port. The Apache configuration would be
 > something like
 >     ProxyPass /meek/ http://127.0.0.1:2000/
 > The setting on the CDN side would be
 >     forwardURL = "https://bridges.torproject.org/meek/"
 >

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16650#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
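The mechanism both emails rely on is meek-server acting as a session-keyed relay: each POST carrying an `X-Session-Id` has its body written to one long-lived TCP connection toward port 443, and whatever comes back is returned as the HTTP response. The following is an added example, not meek's own code or anything from this ticket, written to show that relay in miniature together with the caveat from the first email (the backend only ever sees loopback as the peer). `SessionTunnel`, `Exchange` and `StartEchoBackend` are hypothetical names; the echo backend is a constructed stand-in for the port 443 service, and the bytes it relays are treated as opaque, as they would be if they were the client's end-to-end TLS.

```go
package main

import (
	"bytes"
	"errors"
	"io"
	"net"
	"net/http"
	"sync"
	"time"
)

// SessionTunnel is a hypothetical, much simplified stand-in for meek-server
// in its "standalone proxy" role (added example, not meek's own code): each
// X-Session-Id maps to one TCP connection to Backend; a POST body is written
// to it and whatever comes back within the poll window is the response body.
// The bytes are opaque to the tunnel; in the ticket they are the client's TLS.
type SessionTunnel struct {
	Backend string   // e.g. "127.0.0.1:443", the ticket's TOR_PT_ORPORT
	conns   sync.Map // session id -> net.Conn; polls within a session are serial
}

func (t *SessionTunnel) conn(id string) (net.Conn, error) {
	if c, ok := t.conns.Load(id); ok {
		return c.(net.Conn), nil
	}
	c, err := net.Dial("tcp", t.Backend) // the first poll of a session dials
	if err == nil {
		t.conns.Store(id, c)
	}
	return c, err
}

func (t *SessionTunnel) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	id := r.Header.Get("X-Session-Id")
	if r.Method != http.MethodPost || id == "" {
		http.Error(w, "need POST with X-Session-Id", http.StatusBadRequest)
		return
	}
	c, err := t.conn(id)
	if err != nil {
		http.Error(w, "backend unreachable", http.StatusBadGateway)
		return
	}
	io.Copy(c, r.Body) // client -> backend; a failed write surfaces as a read error below
	c.SetReadDeadline(time.Now().Add(100 * time.Millisecond))
	var out bytes.Buffer // backend -> client: everything that arrives in the window
	buf := make([]byte, 64*1024)
	for {
		n, err := c.Read(buf)
		out.Write(buf[:n])
		if ne, ok := err.(net.Error); ok && ne.Timeout() {
			break // window elapsed: answer with what we have (possibly nothing)
		} else if err != nil { // EOF or a hard error: the session is over
			t.conns.Delete(id)
			c.Close()
			break
		}
	}
	w.Write(out.Bytes())
}

// Exchange plays meek-client for one poll and returns what the backend sent back.
func Exchange(tunnelURL, sessionID string, payload []byte) ([]byte, error) {
	req, err := http.NewRequest(http.MethodPost, tunnelURL, bytes.NewReader(payload))
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Session-Id", sessionID)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, errors.New("tunnel: " + resp.Status)
	}
	return io.ReadAll(resp.Body)
}

// StartEchoBackend stands in for port 443 (constructed for this example). It
// echoes bytes back and reports each peer address it sees, which behind the
// tunnel is always loopback: the client-IP problem the first email raises.
func StartEchoBackend() (addr string, peers <-chan string, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	ch := make(chan string, 16)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			ch <- c.RemoteAddr().String()
			go func() { io.Copy(c, c); c.Close() }()
		}
	}()
	return ln.Addr().String(), ch, nil
}
```

Run with a backend from `StartEchoBackend`, serve `&SessionTunnel{Backend: addr}` on a local port, and call `Exchange` twice with the same session id: the first poll gets the echoed bytes back, the second (empty) poll returns nothing new because the backend connection was kept. The value reported on `peers` is always `127.0.0.1:...`, which is exactly why the emails note that a header-injection or ExtORPort-style side channel is needed before the BridgeDB web server can learn the real client address. In the second email's layout the Apache `ProxyPass /meek/` would sit in front of this handler and the backend would be Apache's own port 443.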