Domain fronting on Amazon CloudFront

David Fifield

Jul 28, 2014, 5:26:55 AM
I've been doing some research and experiments on deploying domain
fronting (i.e., meek) on other platforms.
So far I've set up one on App Engine. I know Psiphon and Lantern have
their own deployments. This post is about one I just set up on
CloudFront, Amazon's CDN.

When you set up a CDN "distribution," it gets a generated domain name
like The one I got was

I hesitated setting up CloudFront for a while because it wasn't clear
what to use as a front domain. With Google, or are obvious choices. I don't know of another name that's important enough to be
unblockable. Today I stumbled on, which is used to load
some assets for the AWS control panel, and possibly other things. If you
have a better suggestion, I'd be happy to hear it.

Here's a demo. The output message comes all the way from the Tor relay

$ wget -q -O - --header 'Host:'
I’m just a happy little web server.

If you want to try it in a browser, download a meek-capable bundle from Then edit
the "ClientTransportPlugin meek" line in the file Data/Tor/torrc-defaults
so it reads (paths are different on Windows and Mac):
ClientTransportPlugin meek exec ./Tor/PluggableTransports/meek-client-torbrowser -- ./Tor/PluggableTransports/meek-client --url=
Of course if CloudFront works well, we'll find a way to activate it
without editing a file.

A benefit of CloudFront is that it will apparently work in China, where
App Engine doesn't (
Actually, it appears that most subdomains are
DNS-poisoned in China, but gets you to an edge server.

I'm currently on the AWS "free tier," which gives you 50 GB of CDN
transfer for 12 months.
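
How the wget demo above (front domain in the URL, a different name in the Host header) appears to a TLS-terminating proxy that logs both names, as an added example that is not part of the original post or of meek. The hostnames, log field names and the `normalize`/`find_fronted` helpers are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed records, shaped as a TLS-terminating proxy might log them.
# The field names "src", "sni" and "host" are assumptions, not a real schema.
SAMPLE_LOG = """\
{"src": "10.0.0.5", "sni": "front.example.com", "host": "front.example.com"}
{"src": "10.0.0.7", "sni": "front.example.com", "host": "d111111.cdn.example.net"}
{"src": "10.0.0.8", "sni": "WWW.Example.org.", "host": "www.example.org:443"}
{"src": "10.0.0.9", "sni": null, "host": "d111111.cdn.example.net"}
{"src": "10.0.0.6", "sni": "front.example.com", "host": "D111111.cdn.example.net"}
"""


def normalize(name):
    """Lower-case a hostname and drop any :port suffix and trailing dot."""
    if not name:
        return None
    return name.strip().lower().partition(":")[0].rstrip(".")


def find_fronted(log_text):
    """Map (sni, host) -> sorted client addresses for every mismatching pair."""
    pairs = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        sni, host = normalize(rec.get("sni")), normalize(rec.get("host"))
        if sni is None or host is None:
            continue  # nothing to compare; a missing SNI needs its own rule
        if sni != host:
            pairs[(sni, host)].add(rec.get("src", "?"))
    return {pair: sorted(srcs) for pair, srcs in pairs.items()}


if __name__ == "__main__":
    for (sni, host), srcs in find_fronted(SAMPLE_LOG).items():
        print(f"SNI {sni} carried Host {host} from {', '.join(srcs)}")
```

A mismatch is a candidate, not a verdict: HTTP/2 connection coalescing can legitimately carry requests for a second hostname over a connection opened with another name covered by the same certificate.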

David Fifield

Dec 21, 2014, 2:40:17 PM
Hello David Fifield,

I just wanted to ask if you would mind making a short tutorial on how to set up domain fronting. I mean, without using Tor.


Max Kossatz

David Fifield

Dec 21, 2014, 10:29:33 PM
On Sun, Dec 21, 2014 at 11:40:17AM -0800, wrote:
> I just wanted to ask if you would mind making a short tutorial on how
> to set up domain fronting. I mean, without using Tor.

I personally have never set it up without Tor. It wouldn't be too hard
to set up, but you will have to do some hacking on glue code, and put
(for example) a SOCKS proxy rather than a Tor relay on the origin

There are guides for setting up a few services:
I recommend starting with App Engine, because it's easy and doesn't cost
anything if you use little bandwidth.

The meek-client and meek-server programs are pretty Tor-ignorant (they
don't care what data pass through the tunnel)--except that they use the
pluggable transports protocol for setup and proxy settings:
It is not super hard to support the PT spec, but it also wouldn't be
hard to modify the programs to get their configuration in a different

Also take a look at
for non-Tor fronting systems.

David Fifield

Sep 9, 2015, 6:09:11 PM
to Network Traffic Obfuscation
I am trying to make a fronting domain configuration using Amazon CloudFront and Azure. But when I point these domains to Linode VPS servers that run my meek server, they give me 503 certificate errors.

Please tell me how I can solve these issues.
Thank you
