Experimenting with Tor and Pagekite

Bjarni Rúnar Einarsson bre at pagekite.net
Mon Dec 20 20:35:15 UTC 2010


Hiya!

I've met a couple of you (hi Linus, hi Erinn), and as promised, I finally
got around to looking into what it would take to use PageKite as a remote
front-end for a Tor relay.

Executive summary: it does not work, but making it work would be very easy.

First, for those of you who don't know me or PageKite: PageKite (
http://pagekite.net/) is a free software project whose goal is to enable the
average Joe to run servers on personal computers, laptops, mobiles, such
things. We're focusing on the web first, so we currently have support for
HTTP and HTTPS. The system is basically a "remote front-end service", where
a front-end reverse proxy accepts incoming connections and then uses
name-based virtual hosting techniques to forward requests over tunnels to
remote back-ends. A bit like a load-balancer, or HTTP accelerator - except
PageKite can proxy SSL connections as well, by looking at the TLS/SNI data.

(subliminal message: it's totally cool, please play with it and tell
everyone how much you like it and give me all your money)

I met Linus and Erinn at FSCONS, and Linus thought PageKite might be helpful
for people who want to run relays but have trouble poking holes in their
routers/firewalls.  So, having been told that an incoming Tor connection
"looks just like SSL", I finally got around to testing it this evening to
see if it would "just work".

It almost did! :-)

In fact, the only reason it doesn't work is that you guys are putting random
domain names in the SNI section, instead of just using the name of the host
you are connecting to. If I had a way of telling Tor what name to request,
PageKite could "route" incoming Tor connections without any modifications at
all.

Now, I could still get it to work by hacking PageKite to just blindly
forward all connections on a specific port to the right back-end, but that
would pretty much make it useless in a shared environment (where multiple
users are sharing the same PageKite front-end) which would largely defeat
the purpose.

So, my questions:

 1. Would it be possible to add a feature to Tor which lets a relay specify
what name to put in the SNI?

And finally:

 2. Is this all a bad idea anyway?

The reason I wonder if this is a bad idea, is it kinda messes with some of
the fundamental assumptions of Tor. For one, you could end up with multiple
relays having the same (incoming) visible IP addresses, but the traffic
would pop out somewhere else on the network, on some other IP address
entirely, which could be quite far away. So instead of one address, each
PageKite/Tor node actually has two, one or even both of which might be
shared with different relay nodes (say if I have a PageKite/Tor on both my
laptop and my closet server).  Does this do bad things to your route
selection algorithms? Are there structures in Tor which assume IP addresses
are unique?

Thoughts?

-- 
Bjarni R. Einarsson
The Beanstalks Project ehf.

Making personal web-pages fly: http://pagekite.net/