[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-dev] How to set up meek on a cooperating web server



Roger asked me what it would take to run a meek bridge on an existing
hard-to-block HTTPS web site that wants to help, Wikipedia for example.
The difference with our existing deployments on CDNs is that we don't
expect any special cooperation by the CDN, whereas an interested site
could make minor changes to make running a bridge easier.

It's actually not hard to do. For example, this is the meek-server port
on the Tor bridge behind meek-azure:
	https://meek.bamsoftware.com/
That URL is actually totally usable directly in a bridge line:
	Bridge meek 0.0.2.0:3 url=https://meek.bamsoftware.com/
The reason we don't just distribute the above bridge line, (and why we
involve a CDN at all), is because meek.bamsoftware.com is trivial to
block by domain or IP--it is used for nothing but circumvention, so the
collateral damage of blocking it is zero. That's why we have to do
domain fronting and put a domain with some unblockability in front of
it.

With an important web site, the unblockability comes for free, so you
don't need domain fronting. Wikipedia could set up their own Tor bridge
running meek-server, then set up a special URL path to reverse-proxy to
the bridge. A bridge line might look like this:
	Bridge meek 0.0.2.0:4 url=https://en.wikipedia.org/magic-meek-path/
They would configure their web server to forward every request for the
path /magic-meek-path to their Tor bridge running meek-server, and
that's it.

You could do the same thing with a vhost rather than special path. The
domain name doesn't even have to exist--its only purpose is to tag the
requests that should get forwarded to meek-server. The bridge line would
be like this:
	Bridge meek 0.0.2.0:4 url=https://magic.meek.bogus/ front=en.wikipedia.org
They would set up the vhost magic.meek.bogus to forward to a meek-server
as before. Here we are technically using domain fronting, but not to
gain unblockability, merely to tag meek requests. (The requests arrive
at the server for en.wikipedia.org, but they have a Host header of
magic.meek.bogus.)

This is how to run meek-server:
https://trac.torproject.org/projects/tor/wiki/doc/meek#Howtorunameek-serverbridge
And this is an example of doing vhost forwarding on Nginx:
https://gitweb.torproject.org/pluggable-transports/meek.git/tree/nginx/README
https://gitweb.torproject.org/pluggable-transports/meek.git/tree/nginx/nginx.conf.example

An even lighter-weight alternative that doesn't require running
meek-server is to host one of the "reflector" apps. For example, they
can host this file: https://gitweb.torproject.org/pluggable-transports/meek.git/tree/php/index.php
at a path like /meek/index.php. Then the bridge line will be
	Bridge meek 0.0.2.0:4 url=https://en.wikipedia.org/meek/index.php
All the PHP file does is forward to a meek-server running elsewhere.
This way is less efficient than running your own meek-server, but it's
the first thing I would try for testing. We have reflector apps for PHP
and Python WSGI:
https://gitweb.torproject.org/pluggable-transports/meek.git/tree/php
https://gitweb.torproject.org/pluggable-transports/meek.git/tree/wsgi

In summary, it's not hard to do. A quick test with index.php is less
than a day of work. Setting up meek-server on your own bridge is more
involved, but not more than other pluggable transports.

David Fifield
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev