[tor-commits] [snowflake/master] Add Dockerfile and README for deploying probetest

cohosh at torproject.org cohosh at torproject.org
Thu Oct 29 15:04:28 UTC 2020 

commit a4f10d9d6eaa8806adc5eefaf7ac46d4050340d1
Author: Cecylia Bocovich <cohosh at torproject.org>
Date:   Wed Oct 14 15:49:01 2020 -0400

    Add Dockerfile and README for deploying probetest
    
    The easiest way to set up the probe server behind a symmetric NAT is to
    deploy it as a Docker container and alter the iptables rules for the
    Docker network subnet that the container runs in.
---
 probetest/Dockerfile         |  3 +++
 probetest/README.md          | 44 ++++++++++++++++++++++++++++++++++++++++++++
 probetest/docker-compose.yml | 11 +++++++++++
 3 files changed, 58 insertions(+)

diff --git a/probetest/Dockerfile b/probetest/Dockerfile
new file mode 100644
index 0000000..966ab28
--- /dev/null
+++ b/probetest/Dockerfile
@@ -0,0 +1,3 @@
+FROM golang:1.13
+
+COPY probetest /go/bin
diff --git a/probetest/README.md b/probetest/README.md
new file mode 100644
index 0000000..8af42f5
--- /dev/null
+++ b/probetest/README.md
@@ -0,0 +1,44 @@
+This is code for a remote probe test component of Snowflake.
+
+### Overview
+
+This is a probe test server to allow proxies to test their compatability
+with Snowflake. Right now the only type of test implemented is a
+compatability check for clients with symmetric NATs.
+
+### Running your own
+
+The server uses TLS by default.
+There is a `--disable-tls` option for testing purposes,
+but you should use TLS in production.
+
+To build the probe server, run
+```go build```
+
+To deploy the probe server, first set the necessary env variables with
+```
+export HOSTNAMES=${YOUR HOSTNAMES}
+export EMAIL=${YOUR EMAIL}
+```
+then run ```docker-compose up```
+
+Setting up a symmetric NAT configuration requires a few extra steps. After
+upping the docker container, run
+```docker inspect snowflake-probetest```
+to find the subnet used by the probetest container. Then run
+```sudo iptables -L -t nat``` to find the POSTROUTING rules for the subnet.
+It should look something like this:
+```
+Chain POSTROUTING (policy ACCEPT)
+target     prot opt source               destination
+MASQUERADE  all  --  172.19.0.0/16        anywhere
+```
+to modify this rule, execute the command
+```sudo iptables -t nat -R POSTROUTING $RULE_NUM -s 172.19.0.0/16 -j MASQUERADE --random```
+where RULE_NUM is the numbered rule corresponding to your docker container's subnet masquerade rule.
+Afterwards, you should see the rule changed to be:
+```
+Chain POSTROUTING (policy ACCEPT)
+target     prot opt source               destination
+MASQUERADE  all  --  172.19.0.0/16        anywhere      random
+```
diff --git a/probetest/docker-compose.yml b/probetest/docker-compose.yml
new file mode 100644
index 0000000..9283383
--- /dev/null
+++ b/probetest/docker-compose.yml
@@ -0,0 +1,11 @@
+ version: "3.8"
+
+ services:
+    snowflake-probetest:
+        build: .
+        container_name: snowflake-probetest
+        ports:
+         - "8443:8443"
+        volumes:
+        - /home/snowflake-broker/acme-cert-cache:/go/bin/acme-cert-cache
+        entrypoint: [ "probetest" , "-addr", ":8443" , "-acme-hostnames", $HOSTNAMES, "-acme-email", $EMAIL, "-acme-cert-cache", "/go/bin/acme-cert-cache"]

More information about the tor-commits mailing list