Re: [tor-relays] Web server and TOR bridge at same IP:port

Subject: Re: [tor-relays] Web server and TOR bridge at same IP:port

From: Lucas Werkmeister <mail@xxxxxxxxxxxxxxxxxxx>

Date: Tue, 16 Aug 2016 19:59:57 +0200

Delivery-date: Tue, 16 Aug 2016 14:09:02 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lucaswerkmeister.de; s=mail; t=1471370367; bh=l6H0B8qqye4+kwCzbqqGU1llMTuFZGVVc2zavMoyZ18=; h=Subject:To:References:From:Date:In-Reply-To:From; b=PxA2SK6y36M+yIWOOesQg75cZgtfk6DuGPtVlG1Q25C+bxhkpk3oxmx9FdNAZNQg3 3BMaJ86iZPGIGtx+z4P8dsrfqTsWAHox+Y9S+MJc5c7wBWcVg54NQKEf0TT0OvYIrq sTgZMU3vtyPNG8qjawL6TWq3CtjRDBvju6eIwSAg=

In-reply-to: <CAAd2PDKVQ7pgUfg784xkgiZ2cq1tUFGdnWNN8P6yZ=JUKS6twA@mail.gmail.com>

List-archive: <http://lists.torproject.org/pipermail/tor-relays/>

List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>

List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>

List-post: <mailto:tor-relays@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>

References: <fadce617-2aac-7350-79a7-04e85b824756@openmailbox.org> <CAAd2PDKVQ7pgUfg784xkgiZ2cq1tUFGdnWNN8P6yZ=JUKS6twA@mail.gmail.com>

Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0

Something like this exists: sslh[1], a "protocol demultiplexer". However, it doesn't explicitly support Tor, and I'm not sure if it's possible to distinguish between Tor packets and other TLS traffic using the options it offers[2].

[1]: http://www.rutschle.net/tech/sslh.shtml
[2]: https://github.com/yrutschle/sslh/blob/v1.18/example.cfg#L37-L47

On 16.08.2016 19:50, Green Dream wrote:

I don't think you will be able to bind two daemons to the same TCP port (443).

Maybe you could have something else listening on TCP port 443 and passing the requests onto both places?

You might be able to put a single reverse proxy in front on that port, and have that proxy send the requests to the correct daemon on the backend, but I have no idea how to actually set that up. Most common reverse proxy software (like nginx) isn't designed to understand or handle Tor or pluggable transports like obfs4.

There may be some application aware ("layer 4") firewalls that could do something like this too, but I don't think it would be straightforward. Also I'm not sure inspecting Tor packets (in order to determine they're Tor packets) is a good idea... or if that could even work since the packets will be obfuscated.

Just thinking out loud... but this seems like a difficult to implement idea.
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays