I've been doing some research and experiments on deploying domain
fronting (i.e., meek) on other platforms.
https://trac.torproject.org/projects/tor/wiki/doc/meek#Webservices
So far I've set up one on App Engine. I know Psiphon and Lantern have
their own deployments. This post is about one I just set up on
CloudFront, Amazon's CDN.
https://trac.torproject.org/projects/tor/wiki/doc/meek#AmazonCloudFront
When you set up a CDN "distribution," it gets a generated domain name
like dXXXXXXXXXXXXX.cloudfront.net. The one I got was
d2zfqthxsdq309.cloudfront.net.
I hesitated setting up CloudFront for a while because it wasn't clear
what to use as a front domain. With Google, www.google.com or
www.gmail.com are obvious choices. I don't know of another
dXXXXXXXXXXXXX.cloudfront.net name that's important enough to be
unblockable. Today I stumbled on a0.awsstatic.com, which is used to load
some assets for the AWS control panel, and possibly other things. If you
have a better suggestion, I'd be happy to hear it.
Here's a demo. The output message comes all the way from the Tor relay
at meek.bamsoftware.com.
$ wget -q -O - https://a0.awsstatic.com/ --header 'Host: d2zfqthxsdq309.cloudfront.net'
I’m just a happy little web server.
If you want to try it in a browser, download a meek-capable bundle from
https://people.torproject.org/~dcf/pt-bundle/3.6.3-meek-1/. Then edit
the "ClientTransportPlugin meek" line in the file Data/Tor/torrc-defaults
so it reads (paths are different on Windows and Mac):
ClientTransportPlugin meek exec ./Tor/PluggableTransports/meek-client-torbrowser -- ./Tor/PluggableTransports/meek-client --url=https://d2zfqthxsdq309.cloudfront.net/ --front=a0.awsstatic.com
Of course if CloudFront works well, we'll find a way to activate it
without editing a file.
A benefit of CloudFront is that it will apparently work in China, where
App Engine doesn't
(https://www.google.com/transparencyreport/traffic/disruptions/124/).
Actually, it appears that most cloudfront.net subdomains are
DNS-poisoned in China, but a0.awsstatic.com gets you to an edge server.
I'm currently on the AWS "free tier," which gives you 50 GB of CDN
transfer for 12 months.
David Fifield
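
An added example, not part of the original post: in the wget demo above the TLS connection names a0.awsstatic.com while the Host header names the CloudFront distribution, so the two can only be compared where TLS is terminated (the CDN edge or an inspecting proxy). The Python sketch below runs that comparison over constructed records; the JSON-lines log format, field names and client addresses are assumptions.

```python
import json

# Constructed sample records in a hypothetical JSON-lines format from a
# TLS-terminating proxy: "sni" is the TLS server name, "host" the Host header.
SAMPLE_LOG = """\
{"client": "10.0.0.5", "sni": "a0.awsstatic.com", "host": "a0.awsstatic.com"}
{"client": "10.0.0.7", "sni": "a0.awsstatic.com", "host": "d2zfqthxsdq309.cloudfront.net"}
{"client": "10.0.0.8", "sni": "A0.AWSSTATIC.COM.", "host": "a0.awsstatic.com:443"}
{"client": "10.0.0.9", "sni": "", "host": "d2zfqthxsdq309.cloudfront.net"}
"""


def normalize(name):
    """Lower-case a host name and drop any port and trailing dot."""
    name = name.strip().lower()
    if name.startswith("["):              # bracketed IPv6 literal, e.g. [::1]:443
        name = name[1:].split("]", 1)[0]
    elif name.count(":") == 1:            # host:port
        name = name.split(":", 1)[0]
    return name.rstrip(".")


def find_mismatches(log_text):
    """Return (client, sni, host) for requests whose Host differs from the SNI."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        sni = normalize(rec.get("sni", ""))
        host = normalize(rec.get("host", ""))
        # An absent SNI is not a mismatch: the client named no front domain.
        if sni and host and sni != host:
            hits.append((rec["client"], sni, host))
    return hits


if __name__ == "__main__":
    for client, sni, host in find_mismatches(SAMPLE_LOG):
        print(f"{client}: TLS SNI {sni} but Host {host}")
```

An observer that does not terminate TLS sees only the first name, which is why the choice of front domain matters in the post above.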