[tor-bugs] #16650 [Obfuscation/BridgeDB]: Set up domain fronting for BridgeDB

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Apr 23 01:43:08 UTC 2017


#16650: Set up domain fronting for BridgeDB
-------------------------------------------------+-------------------------
 Reporter:  isis                                 |          Owner:  isis
     Type:  enhancement                          |         Status:
                                                 |  needs_information
 Priority:  Medium                               |      Milestone:
Component:  Obfuscation/BridgeDB                 |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  bridgedb-dist, bridgedb-usability,   |  Actual Points:
  tbb-wants, usability, bridge-distribution,     |
  TorCoreTeam201608                              |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by dcf):

 Replying to [comment:13 isis]:
 > The new Google developer account is configured, and the meek reflector
 > is installed. meek-server is also installed on polyanthum, as mentioned
 > above. Both appear to be working, but they don't want to talk to each
 > other through the Apache reverse proxy. (Which doesn't matter all that
 > much right now, since there's nothing for them to talk ''to'' until #7520
 > is implemented.) Still, some help from someone with Apache wizardry skills
 > would be nice.
 >
 > Right now the XXXXXXXXXXXXXX.appspot.com domain is forwarding requests
 > to bridges.torproject.org:2000, where Apache appears to be picking it up
 > and then not forwarding to meek.

 The way I pictured it working (might not actually work since I didn't try
 it):
  * Run meek-server listening on 127.0.0.1:2000 (i.e., not listening
 externally) with ORPort 127.0.0.1:443
  * XXXXXXXXXXXXXX.appspot.com forwards to
 https://bridges.torproject.org/meek (i.e., to port 443, not 2000, and with
 a path that marks it for ProxyPass forwarding)
  * `ProxyPass /meek/ http://127.0.0.1:2000/` recognizes the forwarded
 appspot requests through the /meek/ path and sends them to meek-server on
 localhost
  * meek-server then forwards the tunneled TLS back to the HTTPS port.

 The way this would look on the client side is something like:

 {{{
 export TOR_PT_MANAGED_TRANSPORT_VER=1
 export TOR_PT_CLIENT_TRANSPORTS=meek
 meek-client --url https://XXXXXXXXXXXXXX.appspot.com/ --front www.google.com
 }}}

 meek-client will output a line like `CMETHOD meek socks5 127.0.0.1:YYYYY`
 telling you it is listening on port YYYY. And then, download a page
 through the tunnel with
 {{{
 curl --proxy socks4a://127.0.0.1:YYYY https://bridges.torproject.org/
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16650#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
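
The client-side step described in the comment above (reading the `CMETHOD` line, then pointing curl at the announced port) can be scripted. This is an added example, not part of the original message and not code from meek; the function name `pt_proxy_url`, the sample lines in `PT_SAMPLE` and the file name `meek.out` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: read pluggable-transport client output (PT spec v1 lines) on
# stdin and print a curl --proxy URL for the named transport.
# Returns 1 on an error line, a non-loopback listener, or a missing transport.
# Usage, assuming meek-client's stdout was saved to the hypothetical meek.out:
#   curl --proxy "$(pt_proxy_url meek < meek.out)" https://bridges.torproject.org/

# Constructed sample of what meek-client prints on stdout (port is made up).
PT_SAMPLE='VERSION 1
CMETHOD meek socks5 127.0.0.1:45678
CMETHODS DONE'

pt_proxy_url() {
    want=$1
    while read -r kw name proto addr _rest; do
        case $kw in
            VERSION-ERROR|ENV-ERROR)
                echo "PT startup failed: $kw $name" >&2
                return 1 ;;
            CMETHOD-ERROR)
                if [ "$name" = "$want" ]; then
                    echo "transport $want failed to start" >&2
                    return 1
                fi ;;
            CMETHODS)
                break ;;   # "CMETHODS DONE": nothing more will be announced
            CMETHOD)
                [ "$name" = "$want" ] || continue
                # A listener on a non-loopback address would be reachable by
                # other hosts, so accept loopback only.
                case $addr in
                    127.0.0.1:*|'[::1]:'*) ;;
                    *) echo "refusing non-loopback listener $addr" >&2
                       return 1 ;;
                esac
                port=${addr##*:}
                case $port in
                    ''|*[!0-9]*) echo "bad port in $addr" >&2; return 1 ;;
                esac
                # socks5h/socks4a make curl send the hostname to the proxy
                # instead of resolving it locally.
                case $proto in
                    socks5) echo "socks5h://$addr"; return 0 ;;
                    socks4) echo "socks4a://$addr"; return 0 ;;
                    *) echo "unknown SOCKS version $proto" >&2; return 1 ;;
                esac ;;
        esac
    done
    echo "transport $want was not announced" >&2
    return 1
}
```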

