2011/2/2 Bjarni Rúnar Einarsson <b...@pagekite.net>
> 2011/2/2 Jacob Appelbaum <ja...@appelbaum.net>
>
>> Hi Bjarni!
>>
>> Is there any reason that you can't route SSL/TLS traffic to Tor for all
>> non-SNI requests? Another thing that might work is knowing that all Tor
>> certificates currently end in .net. So while they're random, it's
>> certainly possible to know when someone explicitly wants to reach a
>> different server you certainly know about and isn't in your allowed
>> lookup table. Anything else can be routed to Tor.
>>
>
> This would work, but the "default fallback" is somewhat of a coveted
> position as there are lots of web browsers out there that don't send SNI. So
> in a shared environment you want to define your "favorite" web-site as the
> default fall-back, not Tor.
>
> I suppose I could add a feature to Pagekite where the default is different
> for requests with SNI from requests without... best add that to the list, I
> guess. :-)
>
OK, I think I've got the required support in pagekite.py for this - it only
took 3 lines of tweaks, unless I'm overlooking something. :-)

I haven't got an entry node up and running to test this myself, and am
getting on a plane to FOSDEM in the morning so I have to go pack now... but
it works for normal HTTPS. If anyone wants to help out and test this on a
real entry node, that would save me the hassle, otherwise I'll get around to
it myself after the conference and report back.

The code is here:

  https://github.com/pagekite/PyPagekite/raw/main/pagekite.py

Run it like this:

  sudo pagekite.py --clean \
    --isfrontend \
    --ports=443 \
    --protos=https \
    --runas=nobody:nogroup \
    --tls_default=foo.com \
    --backend=https:foo.com:localhost:1443: \
    --backend=https:unknown:localhost:1337:

This should proxy browsers requesting foo.com and old browsers without SNI to
localhost:1443, but any other SNI-bearing request will get proxied to port
1337, which is where one would put Tor in this configuration.

Yeah, I'm asking you to run a gigantic python program as root... sorry about
that! Only way I know to get port 443... :-)

--
Bjarni R. Einarsson
The Beanstalks Project ehf.

Making personal web-pages fly: http://pagekite.net/
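The routing rule described in the message above, as an added example that is not pagekite's code: peek at the TLS ClientHello, pull the host_name out of the SNI extension, and send no-SNI clients and the --tls_default host to the default backend while every other name falls through to the "unknown" backend. The ClientHello bytes, the backend table (foo.com and unknown mapped to localhost ports) and the function names are all constructed for this example; it goes slightly beyond the message in that a name with its own backend entry would be routed there before hitting the catch-all, and anything that is not a well-formed ClientHello raises instead of being guessed at.

```python
"""Added example (not pagekite's code): SNI-based backend selection.

Rule, mirroring the --tls_default / 'unknown' setup described above:
  - no SNI extension (old browser)  -> backend for the default host
  - SNI == default host             -> backend for the default host
  - any other SNI                   -> its own backend if one exists,
                                       otherwise the 'unknown' backend
All bytes and the backend table below are constructed test data.
"""
import struct
from typing import Dict, Optional, Tuple

SNI_EXT_TYPE = 0x0000   # RFC 6066 server_name extension
HOST_NAME_TYPE = 0x00   # NameType.host_name

# Constructed table corresponding to the two --backend=https:... lines above.
BACKENDS: Dict[str, str] = {
    "foo.com": "localhost:1443",
    "unknown": "localhost:1337",
}


def build_client_hello(sni: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed input, not captured)."""
    body = b"\x03\x03"                            # client_version: TLS 1.2
    body += b"\x00" * 32                          # random: zeros, test data only
    body += b"\x00"                               # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
    body += b"\x01\x00"                           # compression_methods: null
    if sni is not None:                           # pre-SNI clients send no extensions block
        name = sni.encode("idna")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        ext_data = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXT_TYPE, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name, or None when the ClientHello carries no SNI.

    Raises ValueError for anything that is not a well-formed ClientHello so the
    caller can drop the connection rather than route on a guess.
    """
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")

    def take(pos: int, n: int) -> Tuple[bytes, int]:
        if pos + n > len(body):
            raise ValueError("ClientHello field runs past end of message")
        return body[pos:pos + n], pos + n

    pos = 2 + 32                                          # skip version + random
    sid_len, pos = take(pos, 1)
    _, pos = take(pos, sid_len[0])                        # session_id
    cs_len, pos = take(pos, 2)
    _, pos = take(pos, struct.unpack("!H", cs_len)[0])    # cipher_suites
    cm_len, pos = take(pos, 1)
    _, pos = take(pos, cm_len[0])                         # compression_methods
    if pos == len(body):
        return None                                       # no extensions at all: old client
    ext_len, pos = take(pos, 2)
    ext_end = pos + struct.unpack("!H", ext_len)[0]
    if ext_end != len(body):
        raise ValueError("extensions length does not match message length")
    while pos < ext_end:
        hdr, pos = take(pos, 4)
        ext_type, elen = struct.unpack("!HH", hdr)
        data, pos = take(pos, elen)
        if ext_type != SNI_EXT_TYPE:
            continue
        if len(data) < 2 or struct.unpack("!H", data[:2])[0] != len(data) - 2:
            raise ValueError("malformed server_name list")
        entries, epos = data[2:], 0
        while epos + 3 <= len(entries):
            ntype, nlen = struct.unpack("!BH", entries[epos:epos + 3])
            epos += 3
            if epos + nlen > len(entries):
                raise ValueError("malformed server_name entry")
            name, epos = entries[epos:epos + nlen], epos + nlen
            if ntype == HOST_NAME_TYPE:
                return name.decode("idna")                # A-labels on the wire
        return None                                       # SNI present but no host_name
    return None


def choose_backend(record: bytes, tls_default: str, backends: Dict[str, str]) -> str:
    """Pick the backend address the way the --tls_default/'unknown' config above would."""
    sni = extract_sni(record)
    if sni is None or sni.lower() == tls_default.lower():
        return backends[tls_default]                      # no SNI, or asked for the default host
    return backends.get(sni.lower(), backends["unknown"]) # named backend first, else catch-all


if __name__ == "__main__":
    for host in ("foo.com", None, "somerandomname.net"):
        print(host, "->", choose_backend(build_client_hello(host), "foo.com", BACKENDS))
```

Note that the decision is made on the first record only, before any bytes are forwarded, and that a client speaking something other than TLS on port 443 (plain HTTP, for instance) trips the ValueError path rather than being handed to either backend.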