On Tuesday, December 13, 2022, 07:35:23 PM MST, David Fifield <david@bamsoftware.com> wrote:
On Tue, Dec 13, 2022 at 07:29:45PM +0000, Gary C. New via tor-relays wrote:
On Tuesday, December 13, 2022, 10:11:41 AM PST, David Fifield <david@bamsoftware.com> wrote:
Am I correct in assuming extor-static-cookie is only useful within the context of bridging connections between snowflake-server and tor (not as a pluggable transport similar to obfs4proxy)?
That's correct. extor-static-cookie is a workaround for a technical problem with tor's Extended ORPort. It serves a narrow and specialized purpose. It happens to use the normal pluggable transports machinery, but it is not a circumvention transport on its own. It's strictly for interprocess communication and is not exposed to the Internet. You don't need it to run a Snowflake proxy.
Created a Makefile for extor-static-cookie for OpenWRT and Entware:
https://forum.openwrt.org/t/extor-static-cookie-makefile/145694
I am not sure what your plans are with running multiple obfs4proxy, but if you just want multiple obfs4 listeners, with different keys, running on different ports on the same host, you don't need a load balancer, extor-static-cookie, or any of that. Just run multiple instances of tor, each with its corresponding instance of obfs4proxy. The separate instances don't need any coordination or communication.
The goal of running multiple obfs4proxy listeners is to offer numerous, unique bridges distributed across several servers, maximizing resources and availability.
You could, in principle, use the same load-balanced setup with obfs4proxy, but I expect that a normal bridge will not get enough users to justify it. It only makes sense when the tor process hits 100% CPU and becomes a bottleneck, which for the Snowflake bridge only started to happen at around 6,000 simultaneous users.
Hmm... If normal bridges will not see enough users to justify the deployment of numerous, unique bridges distributed over several servers--this may be a deciding factor. I don't have enough experience with normal bridges to know.
What about a connection flow of haproxy/nginx => (snowflake-server => extor-static-cookie => tor) on separate servers?
You have the order wrong (it's snowflake-server → haproxy → extor-static-cookie → tor), but yes, you could divide the chain at any of the arrows and run things on different hosts. You could also run half the extor-static-cookie + tor on one host and half on another, etc.
I've installed and started configuring snowflake-server and have some questions after reading the README:
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowf...
1. How are Snowflake Bridges advertised? Will they compromise a Normal Bridge running on the same public addresses?
2. I already have a DNS Let's Encrypt process in place for certificates and port 80 (HTTP) is already in use by another daemon on my server. Is there an alternative method to provide snowflake-server with the required certificates?
3. I'm using an init.d (not systemd) operating system. Do you have any init.d examples for snowflake-server?
In short, I'm trying to get a sense of whether it makes sense to run a Snowflake Bridge and Normal Bridge on the same public addresses.
Thanks, again, for your assistance.
Respectfully,
Gary