Tor and an HTTPS server sharing port 443 (was: Re: xxx-draft-spec-for-TLS-normalization.txt)

Bjarni Rúnar Einarsson bre at pagekite.net
Wed Feb 2 22:26:39 UTC 2011


2011/2/2 Bjarni Rúnar Einarsson <bre at pagekite.net>

> 2011/2/2 Jacob Appelbaum <jacob at appelbaum.net>
>
>> Hi Bjarni!
>>
>> Is there any reason that you can't route SSL/TLS traffic to Tor for all
>> non-SNI requests? Another thing that might work is knowing that all Tor
>> certificates currently end in .net. So while they're random, it's
>> certainly possible to know when someone explicitly wants to reach a
>> different server you certainly know about and isn't in your allowed
>> lookup table. Anything else can be routed to Tor.
>>
>
> This would work, but the "default fallback" is somewhat of a coveted
> position as there are lots of web browsers out there that don't send SNI. So
> in a shared environment you want to define your "favorite" web-site as the
> default fall-back, not Tor.
>
> I suppose I could add a feature to Pagekite where the default is different
> for requests with SNI from requests without... best add that to the list, I
> guess. :-)
>

OK, I think I've got the required support in pagekite.py for this - it only
took 3 lines of tweaks, unless I'm overlooking something. :-)

I haven't got an entry node up and running to test this myself, and am
getting on a plane to FOSDEM in the morning so I have to go pack now... but
it works for normal HTTPS. If anyone wants to help out and test this on a
real entry node, that would save me the hassle, otherwise I'll get around to
it myself after the conference and report back.

The code is here:
https://github.com/pagekite/PyPagekite/raw/main/pagekite.py
Run it like this:

sudo pagekite.py --clean \
   --isfrontend \
   --ports=443 \
   --protos=https \
   --runas=nobody:nogroup \
   --tls_default=foo.com \
   --backend=https:foo.com:localhost:1443: \
   --backend=https:unknown:localhost:1337:

This should proxy browsers requesting foo.com and old browsers without SNI
to localhost:1443, but any other SNI bearing request will get proxied to
port 1337, which is where one would put Tor in this configuration.

Yeah, I'm asking you to run a gigantic python program as root... sorry about
that! Only way I know to get port 443... :-)

-- 
Bjarni R. Einarsson
The Beanstalks Project ehf.

Making personal web-pages fly: http://pagekite.net/
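The routing rule in the message above (named SNI to its backend, no SNI to the `--tls_default` site, any other SNI to the `unknown` backend) depends on peeking at the TLS ClientHello before any bytes are forwarded. The following is an added example written for this page, not code from pagekite.py or from Tor: it parses the server_name extension out of a raw ClientHello (RFC 5246 handshake layout, RFC 6066 extension layout) and applies the same three-way decision. The backend table and ports mirror the flags in the command above; `build_client_hello` produces a constructed, minimal ClientHello for testing and is not what a real browser sends.

```python
import struct
from typing import Dict, Optional, Tuple

# Constructed configuration mirroring the flags in the message:
# --tls_default=foo.com, foo.com -> localhost:1443, unknown -> localhost:1337.
TLS_DEFAULT = "foo.com"
BACKENDS: Dict[str, Tuple[str, int]] = {"foo.com": ("localhost", 1443)}
UNKNOWN_BACKEND: Tuple[str, int] = ("localhost", 1337)


def extract_sni(client_hello: bytes) -> Optional[str]:
    """Return the host_name from a TLS ClientHello, or None if it carries no SNI.

    Walks the record header, handshake header and ClientHello body far enough to
    reach the extensions block and looks for extension type 0 (server_name).
    Raises ValueError on data that is not a complete ClientHello so the caller
    can decide what to do with non-TLS or truncated input.
    """
    data = memoryview(client_hello)
    if len(data) < 5 or data[0] != 0x16:               # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 4 or body[0] != 0x01:  # 0x01 = ClientHello
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                                       # client_version + random
    pos += 1 + hello[pos]                              # session_id (length-prefixed)
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hello[pos]                              # compression_methods
    if pos + 2 > len(hello):
        return None                                    # old-style hello with no extensions
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(hello):
        raise ValueError("extensions overrun ClientHello")
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        ext = hello[pos:pos + ext_size]
        pos += ext_size
        if ext_type != 0x0000:                         # 0 = server_name
            continue
        # server_name_list: 2-byte list length, then (name_type, 2-byte len, name)
        list_len = struct.unpack("!H", ext[0:2])[0]
        lpos = 2
        while lpos + 3 <= 2 + list_len:
            name_type = ext[lpos]
            name_len = struct.unpack("!H", ext[lpos + 1:lpos + 3])[0]
            name = bytes(ext[lpos + 3:lpos + 3 + name_len])
            lpos += 3 + name_len
            if name_type == 0:                         # 0 = host_name
                return name.decode("ascii")
    return None


def choose_backend(first_bytes: bytes) -> Optional[Tuple[str, int]]:
    """Apply the routing rule from the message to the first bytes of a connection.

    Returns (host, port) to forward to, or None when the data is not a TLS
    ClientHello at all (assumption for this example: drop it rather than hand
    junk to the default site).
    """
    try:
        sni = extract_sni(first_bytes)
    except (ValueError, IndexError, struct.error):
        return None
    if sni is None:
        sni = TLS_DEFAULT                              # no SNI: the "favorite" site wins
    return BACKENDS.get(sni.lower(), UNKNOWN_BACKEND)  # unknown SNI: Tor's port


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello for testing; not real browser output."""
    body = (b"\x03\x03" + b"\x00" * 32                 # client_version, random
            + b"\x00"                                  # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
            + b"\x01\x00")                             # one compression method (null)
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        sni_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
        body += struct.pack("!H", len(exts)) + exts    # no-SNI case omits extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for name in ("foo.com", None, "somethingrandom.net"):
        print(name, "->", choose_backend(build_client_hello(name)))
```

One caveat a front end like this needs: the ClientHello can be split across several TCP segments, so a real demultiplexer must buffer until the full record length announced in the header has arrived before calling `extract_sni`; the ValueError path above is where that "wait for more" logic would hang.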