Domain fronting on Amazon CloudFront

1044 views
Skip to first unread message

David Fifield

unread,
Jul 28, 2014, 5:26:55 AM7/28/14
to traff...@googlegroups.com
I've been doing some research and experiments on deploying domain
fronting (i.e., meek) on other platforms.
https://trac.torproject.org/projects/tor/wiki/doc/meek#Webservices
So far I've set up one on App Engine. I know Psiphon and Lantern have
their own deployments. This post is about one I just set up on
CloudFront, Amazon's CDN.

https://trac.torproject.org/projects/tor/wiki/doc/meek#AmazonCloudFront

When you set up a CDN "distribution," it gets a generated domain name
like dXXXXXXXXXXXXX.cloudfront.net. The one I got was
d2zfqthxsdq309.cloudfront.net.

I hesistated setting up CloudFront for a while because it wasn't clear
what to use as a front domain. With Google, www.google.com or
www.gmail.com are obvious choices. I don't know of another
dXXXXXXXXXXXXX.cloudfront.net name that's important enough to be
unblockable. Today I stumbled on a0.awsstatic.com, which is used to load
some assets for the AWS control panel, and possibly other things. If you
have a better suggestion, I'd be happy to hear it.

Here's a demo. The output message comes all the way from the Tor relay
at meek.bamsoftware.com.

$ wget -q -O - https://a0.awsstatic.com/ --header 'Host: d2zfqthxsdq309.cloudfront.net'
I’m just a happy little web server.

If you want to try it in a browser, download a meek-capable bundle from
https://people.torproject.org/~dcf/pt-bundle/3.6.3-meek-1/. Then edit
the "ClientTransportPlugin meek" line in the file Data/Tor/torrc-defaults
so it reads (paths are different on Windows and Mac):
ClientTransportPlugin meek exec ./Tor/PluggableTransports/meek-client-torbrowser -- ./Tor/PluggableTransports/meek-client --url=https://d2zfqthxsdq309.cloudfront.net/ --front=a0.awsstatic.com
Of course if CloudFront works well, we'll find a way to activate it
without editing a file.

A benefit of CloudFront is that it will apparently work in China, where
App Engine doesn't (https://www.google.com/transparencyreport/traffic/disruptions/124/).
Actually, it appears that most cloudfront.net subdomains are
DNS-poisoned in China, but a0.awsstatic.com gets you to an edge server.

I'm currently on the AWS "free tier," which gives you 50 GB of CDN
transfer for 12 months.

David Fifield

kossa...@gmail.com

unread,
Dec 21, 2014, 2:40:17 PM12/21/14
to traff...@googlegroups.com, da...@bamsoftware.com
Hello David Fifield,

I just wanted to ask if you would mind making a short tutorial on how to setup domain fronting. I mean, without using Tor.

Regards,

Max Kossatz

David Fifield

unread,
Dec 21, 2014, 10:29:33 PM12/21/14
to kossa...@gmail.com, traff...@googlegroups.com
On Sun, Dec 21, 2014 at 11:40:17AM -0800, kossa...@gmail.com wrote:
> I just wanted to ask if you would mind making a short tutorial on how
> to setup domain fronting. I mean, without using Tor.

I personally have never set it up without Tor. It wouldn't be too hard
to set up, but you will have to do some hacking on glue code, and put
(for example) a SOCKS proxy rather than a Tor relay on the origin
server.

There are guides for setting up a few services:
https://trac.torproject.org/projects/tor/wiki/doc/meek#GoogleAppEngine
https://trac.torproject.org/projects/tor/wiki/doc/meek#AmazonCloudFront
https://trac.torproject.org/projects/tor/wiki/doc/meek#MicrosoftAzure
I recommend starting with App Engine, because it's easy and doesn't cost
anything if you use little bandwidth.

The meek-client and meek-server programs are pretty Tor-ignorant (they
don't care what data pass through the tunnel)--except that they use the
pluggable tranports protocol for setup and proxy settings:
https://gitweb.torproject.org/torspec.git/tree/pt-spec.txt
It is not super hard to support the PT spec, but it also wouldn't be
hard to modify the programs to get their configuration in a different
way.

Also take a look at
https://trac.torproject.org/projects/tor/wiki/doc/meek#Otherdomainfrontingsystems
for non-Tor fronting systems.

David Fifield

rajkot...@gmail.com

unread,
Sep 9, 2015, 6:09:11 PM9/9/15
to Network Traffic Obfuscation
I am trying to make a fronting domain configuration using Amazon cloudfront and Azure. But when i point these domains to linode VPS servers that run my meek server, they give me 503 certificate errors.

Pls tell me how can i solve these issues.
Thank you

Reply all
Reply to author
Forward
0 new messages