I've been doing some research and experiments on deploying domain
fronting (i.e., meek) on other platforms.
So far I've set up one on App Engine. I know Psiphon and Lantern have
their own deployments. This post is about one I just set up on
CloudFront, Amazon's CDN.
When you set up a CDN "distribution," it gets a generated domain name.
The one I got was
I hesitated setting up CloudFront for a while because it wasn't clear
what to use as a front domain. With Google, www.google.com
are obvious choices. I don't know of another
name that's important enough to be
unblockable. Today I stumbled on a0.awsstatic.com, which is used to load
some assets for the AWS control panel, and possibly other things. If you
have a better suggestion, I'd be happy to hear it.
Here's a demo. The output message comes all the way from the Tor relay
$ wget -q -O - https://a0.awsstatic.com/ --header 'Host: d2zfqthxsdq309.cloudfront.net'
I’m just a happy little web server.
If you want to try it in a browser, download a meek-capable bundle from
. Then edit
the "ClientTransportPlugin meek" line in the file Data/Tor/torrc-defaults
so it reads (paths are different on Windows and Mac):
ClientTransportPlugin meek exec ./Tor/PluggableTransports/meek-client-torbrowser -- ./Tor/PluggableTransports/meek-client --url=https://d2zfqthxsdq309.cloudfront.net/
Of course if CloudFront works well, we'll find a way to activate it
without editing a file.
A benefit of CloudFront is that it will apparently work in China, where
App Engine doesn't (https://www.google.com/transparencyreport/traffic/disruptions/124/).
Actually, it appears that most cloudfront.net
DNS-poisoned in China, but a0.awsstatic.com
gets you to an edge server.
I'm currently on the AWS "free tier," which gives you 50 GB of CDN
transfer for 12 months.
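
For readers on the network-monitoring side, here is what the wget demo above looks like to a TLS-inspecting proxy: the name in the TLS ClientHello (SNI) is a0.awsstatic.com while the inner Host header names the CloudFront distribution. This is an added example, not code from the original post or from meek; the JSON-lines log format, its field names, and the sample records are constructed for illustration, and the two-label "parent" comparison is a crude stand-in for a public-suffix lookup.

```python
import json

# Constructed records from a hypothetical TLS-inspecting proxy log.
# "sni" is the server name in the ClientHello, "host" is the decrypted Host header.
SAMPLE_LOG = """\
{"client": "10.0.0.5", "sni": "a0.awsstatic.com", "host": "d2zfqthxsdq309.cloudfront.net"}
{"client": "10.0.0.6", "sni": "a0.awsstatic.com", "host": "A0.AWSSTATIC.COM:443"}
{"client": "10.0.0.7", "sni": "www.example.com", "host": "static.example.com"}
{"client": "10.0.0.8", "sni": "", "host": "d2zfqthxsdq309.cloudfront.net"}
"""

def normalize(name):
    """Lowercase, drop a numeric :port suffix and any trailing dot."""
    name = name.strip().lower()
    host, sep, port = name.rpartition(":")
    if sep and port.isdigit():
        name = host
    return name.rstrip(".")

def parent(name):
    """Last two labels only (assumption: no public-suffix list available)."""
    return ".".join(name.split(".")[-2:])

def classify(record):
    """Compare the outer (SNI) and inner (Host) names of one request."""
    sni = normalize(record.get("sni", ""))
    host = normalize(record.get("host", ""))
    if not sni:
        return "no-sni"        # nothing to compare against; review separately
    if sni == host:
        return "match"
    if parent(sni) == parent(host):
        return "same-parent"   # common with shared certificates; low signal
    return "mismatch"          # outer and inner names belong to different sites

def scan(log_text):
    """Return (client, verdict, sni, host) for every record that is not a match."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        verdict = classify(rec)
        if verdict != "match":
            findings.append((rec["client"], verdict,
                             normalize(rec.get("sni", "")), normalize(rec.get("host", ""))))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

Without TLS interception the Host header is not visible on the wire, so this comparison is only possible where the proxy terminates the TLS session.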