flashproxy-1.7/.gitattributes
* -text
flashproxy-1.7/.gitignore
*.pyc
# built by setup*.py
/build
/dist
/*.egg-info
/py2exe-tmp
flashproxy-1.7/ChangeLog
Changes in version 1.7
o Made the badge color reflect what's going on when it encounters a
network error and tries to reconnect. Fixes bug 11400.
o Renamed facilitator programs:
facilitator → fp-facilitator
facilitator.cgi → fp-registrar.cgi
facilitator-email-poller → fp-registrar-email
facilitator-reg → fp-reg-decrypt
facilitator-reg-daemon → fp-reg-decryptd
o Fixed a bug in the browser proxy which caused it to stop accepting
new connections once it had failed 5 previous connections.
o Updated the Tor Browser detection for the Firefox 24.0 User-Agent
string. Patch by Arlo Breault. Fixes bug 11290.
Changes in version 1.6
o Allowed the --port-forwarding option to work when the remote port
number is given as 0.
o Fixed registration on Mac OS X when the REMOTE address had an empty
host part. A specification of ":9000", for example, would try to
register "[]:9000".
o Fixed registration on Windows with flashproxy-reg-appspot and
flashproxy-reg-email. The certificate pinning code used a Python
NamedTemporaryFile, which is not reopenable on Windows.
Changes in version 1.5
o Add manpages for the facilitator and nodejs proxy, automatically
generated by help2man.
o Have nodejs flashproxy take GNU-style long command-line options.
o Automate much of the configuration tasks involved in installing the
facilitator using GNU autotools. See facilitator/INSTALL for details
on the new process. Also move some common code here into the common
python module. Patch by Ximin Luo. Fixes bug 9974.
o Move common code to a separate flashproxy-common python module. Also
split out some build scripts so distro packagers have an easier
time. Patch by Ximin Luo. Fixes bug 6810.
o Enabled binary frames (avoiding the overhead of base64 encoding) for
Firefox 11 and later. Patch by Arlo Breault. Fixes bug 9069.
o Removed a Python 2.7–dependent reference in flashproxy-reg-appspot.
Changes in version 1.4
o Allowed websocket-server to gracefully handle SIGTERM.
o Makefiles that install now obey DESTDIR to install relative to a
different root.
o Added a new observed Google public key pin for flashproxy-reg-email.
o New --transport options in the client programs allow you to inform
the facilitator that you want to receive connections of a certain
kind. Transports other than the default "websocket" are
experimental. Patch by George Kadianakis and David Fifield. Part of
bug 9349.
o Proxies now send a list of transport protocols they support
(currently only "websocket"). This will allow the facilitator to
assign proxies to clients that use matching transports. Patch by
George Kadianakis. Part of bug 9349.
o Allowed the facilitator to handle layered transports. For example, a
client that registers with the transport "obfs3|websocket" will
receive a connection from a proxy using websocket, and will be
connected to a relay that has an obfs3 server behind a websocket
front end. Patch by Ximin Luo and George Kadianakis. Fixes bug 9349.
o Changed to use the pluggable transport method name "flashproxy"
rather than "websocket". Both names are equivalent and "websocket"
continues to work. The reason for this change is to reduce confusion
with a transport that simply makes a WebSocket connection to a
"websocket" bridge, without receiving an inbound connection from a
flash proxy. The default argument to the --transport option
continues to be "websocket", because that option controls which
particular protocol flash proxies should use to connect to you, and
is distinct from the transport method name used by Tor.
o Rearranged some files in the source tree. Facilitator documentation
is now under facilitator/doc. The App Engine source code is under
facilitator/appengine. The directory containing other ways to use
the proxy moved from modules to proxy/modules. Patch by Ximin Luo.
Fixes bug 9668.
Changes in version 1.3
o Added a new observed Google public key pin.
Changes in version 1.2
o The facilitator daemons have a --privdrop-user option that causes
them to change to another user ID after reading keys and opening log
files. facilitator-howto.txt shows how to configure them to use an
unprivileged facilitator-nobody user. Patch by Alexandre Allaire and
David Fifield. Fixes bug 8424.
o Proxies now send the list of clients they are currently serving in
their facilitator polling requests. This is meant to enable the
facilitator to estimate the level of service each client is getting.
Proxies send a protocol revision number "r=1" to signify the change.
o The managed transport method name "flashproxy" is now recognized as
a synonym for "websocket".
o The badge localization now understands language subtags such as
"ru-RU". Fixes bug 8828.
o Language tags for badge localization are now case-insensitive.
Patch by Eduardo Stalinho. Fixes bug 8829.
o The badge localization is taken from the JavaScript property
window.navigator.language when possible. Patch by Arlo Breault.
Fixes bug 8827.
o Proxies now attempt to connect to the client first, and only connect
to the relay after the client connection is successful. This is
meant to reduce the number of connections to the relay when clients
haven't set up port forwarding. Introduced bug 9009, later fixed.
o A proxy no longer contacts the facilitator when it is given the
"client" and "relay" parameters. It serves the one given client and
then stops. Patch by Arlo Breault. Fixes bug 9006.
o facilitator-email-poller ignores messages received a long time ago.
This is to fix the situation where facilitator-email-poller stops
running for some reason, comes back after some hours, and then
flushes a lot of no-longer-relevant registrations out to proxies.
Patch by Sukhbir Singh and David Fifield. Fixes bug 8285.
o New --port-forwarding and friends options enable flashproxy-client
to invoke tor-fw-helper to forward ports automatically. Patch by
Arlo Breault and David Fifield. Fixes bug 9033.
o The flash proxy, in debug mode, now hides potentially sensitive
information like IP addresses. Patch by Arlo Breault. Fixes bug
9170.
o The new modules/nodejs allows running a standalone flash proxy
(outside a browser) under Node.js. Patch by Arlo Breault. Fixes bug
7944.
o Registration helpers have a new --unsafe-logging option and helpers
don't log IP addresses by default. Patch by Arlo Breault. Fixes bug
9185.
o Certificate pins now match against the public keys of intermediate
certificates, not only those of leaves. This will help with
flashproxy-reg-appspot, whose leaf key was often changing. It also
allows us to copy pin digests directly from the Chromium source
code. Patch by David Fifield. Fixes bug 9167.
Changes in version 1.1
o Programs that use certificate pins now take a --disable-pin option
that causes pins to be ignored.
Changes in version 1.0
o The facilitator runs on a new domain name fp-facilitator.org. Fixes
bug 7160.
o Fixed badge rendering for a certain combination of Chrome and
AdBlock Plus. Patch by Arlo Breault. Fixes bug 8300.
o websocket-server sends the new TRANSPORT command of the extended OR
port protocol to identify incoming connections as websocket.
o There is now a 10-second HTTP request timeout in websocket-server.
Fixes bug 8626.
o The new --facilitator-pubkey option of flashproxy-client lets you
configure a different facilitator public key, if you're using one
other than the one at fp-facilitator.org. Patch by Arlo Breault.
Fixes bug 8800.
o The badge now has a "lang" parameter for localization. Translations
exist for en, de, and ru. Patch by Peter Bourgelais.
o Made facilitator-email-poller reconnect after some SSL and socket
errors. Patch by Alexandre Allaire and David Fifield. Fixes bug
8284.
o Added flashproxy-reg-url to the py2exe instructions in setup.py;
this lack meant that flashproxy-reg-url was missing from Windows
bundles. Patch by Arlo Breault. Fixes bug 8840.
o Enabled HTTP Strict Transport Security (HSTS) on the facilitator.
Patch by Eduardo Stalinho. Fixes bug 8772.
o Added a new "appspot" registration method, which is now the first
registration method tried, ahead of "email". "appspot" sends
registrations through Google App Engine. Patch by Arlo Breault and
David Fifield. Fixes bug 8860.
Changes in version 0.12
o The new flashproxy-reg-url program prints a URL which, when
requested, causes an address to be registered with the facilitator.
You can use this program if the other registration methods are
blocked: pass the URL to a third party and ask them to request it.
Patch by Alexandre Allaire. Fixes bug 7559.
o The new websocket-server program is the server transport plugin that
flash proxies talk to. It replaces the third-party websockify
program that was used formerly. It works as a managed proxy and
supports the extended ORPort protocol. Fixes bug 7620.
o Added a line of JavaScript that you can use to put a proxy badge on
MediaWiki sites that allow custom JavaScript. Follow the
instructions in modules/mediawiki/custom.js. Contributed by
Sathyanarayanan Gunasekaran.
o Make flashproxy-client ignore errors in opening listeners, as long
as at least one local and one remote listener can be opened. A user
reported a problem with listening on IPv6, while being able to
listen on IPv4. Fixes bug 8319.
o The facilitator now returns a check-back-in parameter in its
response, telling proxies how often to poll. Fixes bug 8171. Patch
by Alexandre Allaire.
o Updated the Tor Browser check to match the behavior of new Tor
Browsers. Patch by Alexandre Allaire and Arlo Breault. Fixes bug
8434.
Changes in version 0.11
o Added -4 and -6 options to flashproxy-client and
flashproxy-reg-http. (The options already existed in
flashproxy-reg-email.) These options cause registration helpers to
use IPv4 or IPv6 only. Fixes bug 7622. Patch by Jorge Couchet.
o The facilitator now gives only IPv4 clients to proxies requesting
over IPv4, and IPv6 clients to proxies requesting over IPv6. This is
to avoid the situation where an IPv4-only proxy is given an IPv6
address it cannot connect to. Fixes bug 6124. Patch by Jorge Couchet
and David Fifield.
o The proxy now accepts a cookierequired parameter that controls
whether users have to explicitly state their desire to be a proxy.
The page at http://crypto.stanford.edu/flashproxy/options.html
allows changing user preference.
o Proxies now poll for clients every 60 seconds rather than 10
seconds, and do not begin to poll immediately upon beginning to run.
o There are new alpha Tor Browser Bundles for download at
https://people.torproject.org/~dcf/flashproxy/.
Changes in version 0.10
o Fixed a bug in flashproxy-client that made it susceptible to a
denial of service (program crash) when receiving large WebSocket
messages made up of many small fragmented frames.
o Made the facilitator hand out more proxies by default, reducing a
client's need to re-register.
Changes in version 0.9
o There are executable Windows packages of the client programs, so
that the programs can be run without Python being installed. Fixes
bug 7283. Alexandre Allaire and David Fifield.
o There are now man pages for the client programs (flashproxy-client,
flashproxy-reg-email, and flashproxy-reg-http). Fixes bug 6453.
Alexandre Allaire.
o The proxy now tries to determine whether it is running in Tor
Browser, and disables itself if so. Fixes bug 6293. Patch by Jorge
Couchet.
Changes in version 0.8
o flashproxy-client now operates as a managed proxy by default. This
means that there is no longer a need to start flashproxy-client
separately from Tor. Use a "ClientTransportPlugin websocket exec"
line as in the included torrc. To use flashproxy-client as an
external proxy (the way it worked before), use the --external
option. Fixes bug 7016.
o The proxy badge does more intelligent parsing of the boolean "debug"
parameter. "0", "false", and other values are now interpreted as
false and do not activate debug mode. Formerly any non-empty value
was interpreted as true. Fixes bug 7110. Patch by Alexandre Allaire.
o Fixed a runtime error in flashproxy-client on Windows:
AttributeError: 'module' object has no attribute 'IPPROTO_IPV6'
Fixes bug 7147. Patch by Alexandre Allaire.
o Fixed an exception that happened in Windows in flashproxy-reg-email
in reading the trusted CA list. The exception message was:
Failed to register: [Errno 185090050] _ssl.c:340: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
Fixes bug 7271. Patch by Alexandre Allaire.
o Fixed an exception that happened on Windows in flashproxy-client,
relating to the use of nonblocking sockets:
Socket error writing to local: '[Errno 10035] A non-blocking socket operation could not be completed immediately'
Fixes bug 7272. Patch by Alexandre Allaire.
flashproxy-1.7/LICENSE
This is the license of the flash proxy software.
Copyright 2011-2013 David Fifield
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
flashproxy-1.7/Makefile
# Makefile for a self-contained binary distribution of flashproxy-client.
#
# This builds two zipball targets, dist and dist-exe, for POSIX and Windows
# respectively. Both can be extracted and run in-place by the end user.
# (PGP-signed forms also exist, sign and sign-exe.)
#
# If you are a distro packager, instead see the separate build scripts for each
# source component, all of which have an `install` target:
# - client: Makefile.client
# - common: setup-common.py
# - facilitator: facilitator/{configure.ac,Makefile.am}
#
# It is possible to build dist-exe on GNU/Linux by using wine to install
# the windows versions of Python, py2exe, and m2crypto, then running
# `make PYTHON="wine python" dist-exe`.
PACKAGE = flashproxy-client
VERSION = $(shell sh version.sh)
DISTNAME = $(PACKAGE)-$(VERSION)
THISFILE = $(lastword $(MAKEFILE_LIST))
PYTHON = python
MAKE_CLIENT = $(MAKE) -f Makefile.client PYTHON="$(PYTHON)"
# don't rebuild man pages due to VCS giving spurious timestamps, see #9940
REBUILD_MAN = 0
# all is N/A for a binary package, but include for completeness
all:

install:
	$(MAKE_CLIENT) DESTDIR=$(DESTDIR) REBUILD_MAN=$(REBUILD_MAN) install
	$(PYTHON) setup-common.py install $(if $(DESTDIR),--root=$(DESTDIR))

DISTDIR = dist/$(DISTNAME)
$(DISTDIR): Makefile.client setup-common.py $(THISFILE)
	mkdir -p $(DISTDIR)
	$(MAKE_CLIENT) DESTDIR=$(DISTDIR) bindir=/ docdir=/ man1dir=/doc/ \
	  REBUILD_MAN="$(REBUILD_MAN)" install
	$(PYTHON) setup-common.py build_py -d $(DISTDIR)

dist/%.zip: dist/%
	cd dist && zip -q -r -9 "$(@:dist/%=%)" "$(<:dist/%=%)"

dist/%.zip.asc: dist/%.zip
	rm -f "$@"
	gpg --sign --detach-sign --armor "$<"
	gpg --verify "$@" "$<"

dist: force-dist $(DISTDIR).zip

sign: force-dist $(DISTDIR).zip.asc

PY2EXE_TMPDIR = py2exe-tmp
export PY2EXE_TMPDIR
$(PY2EXE_TMPDIR): setup-client-exe.py
	$(PYTHON) setup-client-exe.py py2exe -q

DISTDIR_W32 = $(DISTDIR)-win32
# below, we override DST_SCRIPT and DST_MAN1 for windows
$(DISTDIR_W32): $(PY2EXE_TMPDIR) $(THISFILE)
	mkdir -p $(DISTDIR_W32)
	$(MAKE_CLIENT) DESTDIR=$(DISTDIR_W32) bindir=/ docdir=/ man1dir=/doc/ \
	  DST_SCRIPT= DST_MAN1='$$(SRC_MAN1)' \
	  REBUILD_MAN="$(REBUILD_MAN)" install
	cp -t $(DISTDIR_W32) $(PY2EXE_TMPDIR)/dist/*

dist-exe: force-dist-exe $(DISTDIR_W32).zip

sign-exe: force-dist-exe $(DISTDIR_W32).zip.asc

# clean is N/A for a binary package, but include for completeness
clean: distclean

distclean:
	$(MAKE_CLIENT) clean
	$(PYTHON) setup-common.py clean --all
	rm -rf dist $(PY2EXE_TMPDIR)

test: check
check:
	$(MAKE_CLIENT) check
	$(PYTHON) setup-common.py test

test-full: test
	cd facilitator && \
	  { test -x ./config.status && ./config.status || \
	  { test -x ./configure || ./autogen.sh; } && ./configure; } \
	  && make && PYTHONPATH=.. make check
	cd proxy && make test

force-dist:
	rm -rf $(DISTDIR) $(DISTDIR).zip

force-dist-exe:
	rm -rf $(DISTDIR_W32) $(DISTDIR_W32).zip $(PY2EXE_TMPDIR)

.PHONY: all dist sign dist-exe sign-exe clean distclean test check test-full force-dist force-dist-exe
flashproxy-1.7/Makefile.client
# Makefile for a source distribution of flashproxy-client.
#
# This package is not self-contained and the build products may require other
# dependencies to function; it is given as a reference for distro packagers.
PACKAGE = flashproxy-client
VERSION = $(shell sh version.sh)
DESTDIR =
THISFILE = $(lastword $(MAKEFILE_LIST))
PYTHON = python
# GNU command variables
# see http://www.gnu.org/prep/standards/html_node/Command-Variables.html
INSTALL = install
INSTALL_DATA = $(INSTALL) -m 644
INSTALL_PROGRAM = $(INSTALL)
INSTALL_SCRIPT = $(INSTALL)
# GNU directory variables
# see http://www.gnu.org/prep/standards/html_node/Directory-Variables.html
prefix = /usr/local
exec_prefix = $(prefix)
bindir = $(exec_prefix)/bin
datarootdir = $(prefix)/share
datadir = $(datarootdir)
sysconfdir = $(prefix)/etc
docdir = $(datarootdir)/doc/$(PACKAGE)
mandir = $(datarootdir)/man
man1dir = $(mandir)/man1
srcdir = .
SRC_MAN1 = doc/flashproxy-client.1.txt doc/flashproxy-reg-appspot.1.txt doc/flashproxy-reg-email.1.txt doc/flashproxy-reg-http.1.txt doc/flashproxy-reg-url.1.txt
SRC_SCRIPT = flashproxy-client flashproxy-reg-appspot flashproxy-reg-email flashproxy-reg-http flashproxy-reg-url
SRC_DOC = README LICENSE ChangeLog torrc
SRC_ALL = $(SRC_SCRIPT) $(SRC_DOC) $(SRC_MAN1)
DST_MAN1 = $(SRC_MAN1:%.1.txt=%.1)
DST_SCRIPT = $(SRC_SCRIPT)
DST_DOC = $(SRC_DOC)
DST_ALL = $(DST_SCRIPT) $(DST_DOC) $(DST_MAN1)
TEST_PY = flashproxy-client-test.py
REBUILD_MAN = 1
all: $(DST_ALL) $(THISFILE)

%.1: %.1.txt
ifeq ($(REBUILD_MAN),0)
	@echo "warning: $@ *may* be out-of-date; if so then rm and re-checkout from VCS or force a re-build with REBUILD_MAN=1"
else
	rm -f $@
	a2x --no-xmllint --xsltproc-opts "--stringparam man.th.title.max.length 24" -d manpage -f manpage $<
endif

install: all
	mkdir -p $(DESTDIR)$(bindir)
	for i in $(DST_SCRIPT); do $(INSTALL_SCRIPT) "$$i" $(DESTDIR)$(bindir); done
	mkdir -p $(DESTDIR)$(docdir)
	for i in $(DST_DOC); do $(INSTALL_DATA) "$$i" $(DESTDIR)$(docdir); done
	mkdir -p $(DESTDIR)$(man1dir)
	for i in $(DST_MAN1); do $(INSTALL_DATA) "$$i" $(DESTDIR)$(man1dir); done

uninstall:
	for i in $(notdir $(DST_SCRIPT)); do rm $(DESTDIR)$(bindir)/"$$i"; done
	for i in $(notdir $(DST_DOC)); do rm $(DESTDIR)$(docdir)/"$$i"; done
	for i in $(notdir $(DST_MAN1)); do rm $(DESTDIR)$(man1dir)/"$$i"; done

clean:
	rm -f *.pyc

distclean: clean

maintainer-clean: distclean
	rm -f $(DST_MAN1)

# TODO(infinity0): eventually do this as part of 'check' once we have a decent
# overrides file in place that filters out false-positives
pylint: $(SRC_SCRIPT)
	pylint -E $^

check: $(THISFILE)
	for i in $(TEST_PY); do $(PYTHON) "$$i"; done

.PHONY: all install uninstall clean distclean maintainer-clean check pylint
flashproxy-1.7/README
== Quick start for users
You must have a version of Tor that supports pluggable transports. This
means version 0.2.3.2-alpha or later.
All the flashproxy programs and source code can be downloaded this way:
git clone https://git.torproject.org/flashproxy.git
But as a user you only need these files:
https://gitweb.torproject.org/flashproxy.git/blob_plain/HEAD:/flashproxy-client
https://gitweb.torproject.org/flashproxy.git/blob_plain/HEAD:/torrc
You must be able to receive TCP connections; unfortunately this means that
you cannot be behind NAT. See the section "Using a public client
transport plugin" below to try out the system even behind NAT.
Run Tor using the included torrc file:
$ tor -f torrc
By default the transport plugin listens on Internet-facing TCP port
9000. If you have to use a different port (to get through a firewall,
for example), edit the ClientTransportPlugin line of the torrc to give a
different port number:
ClientTransportPlugin flashproxy exec ./flashproxy-client --register :0 :8888
If the flashproxy-client program is in a different directory (after being
installed, for example), use the full path in the ClientTransportPlugin
line:
ClientTransportPlugin flashproxy exec /usr/local/bin/flashproxy-client --register
You should receive a flash proxy connection within about 60 seconds. See
"Troubleshooting" below if it doesn't work.
== Overview
This is a set of tools that make it possible to connect Tor through a
browser-based proxy running on another computer. The flash proxy can be
run just by opening a web page in a browser. Flash proxies are one of
several pluggable transports for Tor.
There are five main parts.
1. The Tor client, running on someone's localhost.
2. A client transport plugin, which is a program that waits for
connections from a flash proxy and connects them to the Tor client.
3. A flash proxy, which is a JavaScript program running in someone's web
browser.
4. A facilitator, which is a server that keeps a list of clients that
want a connection and assigns those addresses to proxies.
5. A Tor relay running a server transport plugin capable of receiving
WebSocket connections.
The purpose of this project is to create many ephemeral bridge IP
addresses, with the goal of outpacing a censor's ability to block them.
Rather than increasing the number of bridges at static addresses, we aim
to make existing bridges reachable by a larger and changing pool of
addresses.
== Demonstration page
This page has a description of the project; viewing it also turns your
computer into a flash proxy as long as the page is open.
http://crypto.stanford.edu/flashproxy/
== Troubleshooting
Make sure someone is viewing http://crypto.stanford.edu/flashproxy/, or
another web page with a flash proxy badge on it.
You can add the --log option to the ClientTransportPlugin command line
in order to save debugging log messages.
If tor hangs at 10% with these messages:
[notice] Bootstrapped 10%: Finishing handshake with directory server.
[notice] no known bridge descriptors running yet; stalling
as a last resort you can try deleting the files in ~/.tor and
/var/lib/tor, and then restarting tor.
If tor apparently hangs here:
[notice] Bootstrapped 50%: Loading relay descriptors.
[notice] new bridge descriptor '...' (fresh)
wait a few minutes. It can take a while to download relay descriptors.
If you suspect that the facilitator has lost your client registration, you can
re-register:
$ flashproxy-reg-email
$ flashproxy-reg-http
== How to run a relay
Proxies talk to a relay running the websocket pluggable transport.
Source code and documentation for the server transport plugin are in the
Git repository at
https://git.torproject.org/pluggable-transports/websocket.git.
== How to put a flash proxy badge on a web page
Paste in this HTML where you want the badge to appear:
flashproxy-1.7/doc/design.txt
Design of flash proxies
0. Problem statement
Provide access to the Tor network for users behind a restrictive
firewall that blocks direct access to all Tor relays and bridges.
1. Overview and background
We assume the existence of an adversary powerful enough to enumerate
and block all public and non-public (bridge) relays. For users facing
such an adversary, we assume there exists a subset of reachable hosts
that themselves can reach the Tor network. We call this subset the
unrestricted Internet.
A browser-based proxy (flash proxy), running in a web page in the
unrestricted Internet, proxies connections between the restricted
Internet and the Tor network. These proxies are expected to be
temporary and short-lived, but their number will be great enough that
they can't all be blocked effectively.
The implementation of a browser-based proxy using WebSocket is
complicated by restrictions that prevent it being a straightforward
proxy. Chief among these is the lack of listening sockets. WebSocket
can only initiate outgoing connections, not receive incoming ones. The
flash proxy can only connect to external hosts by connecting directly
to them. Another, but less important, restriction is that
browser-based networking does not provide low-level socket access such
as control of source address.
2. Components
Conceptually, each flash proxy is nothing more than a simple proxy,
which accepts connections from a client and forwards data to a server.
But because of the limited networking facilities available to an
in-browser application, several other pieces are needed.
1. Tor client: with a ClientTransportPlugin config option to allow it to
use the flashproxy transport client.
2. Client transport plugin: Runs on the same computer as the Tor client.
On startup, it registers with the facilitator to announce that it is
waiting for a connection from a flash proxy. When this is received,
it starts proxying data between it and the local Tor client.
3. Flash proxy: Runs in someone's browser, in an uncensored region of
the Internet. The flash proxy first connects to the facilitator to
get a client registration. It then makes two outgoing connections,
one to a Tor relay and one to a waiting Tor client, and starts
proxying data between them.
4. Facilitator: Keeps track of client registrations and hands them out
to clients. It is capable of receiving client registrations in a
variety of ways. It sends registrations to flash proxies over HTTP.
The facilitator is responsible for matching clients to proxies in a
reasonable manner.
5. Tor relay: with a ServerTransportPlugin config option to allow it to
use the flashproxy transport server.
6. Server transport plugin: Waits for a connection from a flash proxy and
proxies data between it and the local Tor relay.
3. Protocols
The numbers refer to the same components as in section 2 above. Arrows
indicate the direction of the initial TCP connection.
1>2. Pluggable transport, client-side. See core tor docs for details.
2>4. Secure rendezvous using a variety of custom methods; see
facilitator-howto.txt for details. This must be very hard to censor,
e.g. using a popular web service over HTTPS.
3>4. Custom protocol specific to flashproxy, where each flashproxy polls
a facilitator for client registrations.
2<3. WebSocket. This must be very hard to censor, which may require
additional transformations to the underlying data stream. Note
that this stream is controlled by the source client, not the flash
proxy; in a plain flashproxy-only channel, it is as described in
websocket-transport.txt.
5<3. WebSocket.
5>6. Pluggable transport, server-side. See core tor docs for details.
4. Sample session
1. The restricted Tor user starts the client transport plugin.
2. The client transport plugin notifies the facilitator that it needs
a connection.
3. The restricted user starts Tor, which connects to the client
transport plugin.
4. An unrestricted user opens the web page containing the flash proxy.
5. The flash proxy connects to the facilitator and asks for a client.
6. The facilitator sends one of its client registrations to the proxy.
7. The flash proxy connects to a Tor relay and to the waiting client
transport plugin.
8. The client transport plugin receives the flash proxy's connection
and begins relaying data between it and the Tor relay.
Later, the flash proxy may go offline. Assuming that another flash
proxy is available, it will receive the same client's address from the
facilitator, and the local Tor client will reconnect to the client
through it.
5. Behavior of the Tor client
The Tor client must be configured to make its connections through a
local proxy (the client transport plugin). This configuration is
sufficient:
ClientTransportPlugin flashproxy socks4 127.0.0.1:9001
UseBridges 1
Bridge flashproxy 0.0.1.0:1
LearnCircuitBuildTimeout 0
The address given for the "Bridge" option is actually irrelevant. The
client transport plugin will ignore it and connect (through the flash
proxy) to a Tor relay. The Tor client does not have control of its
first hop.
6. Behavior of the client transport plugin
The client transport plugin serves two purposes: It sends a
registration message to the facilitator and it carries data between a
flash proxy and the local Tor client.
On startup, the client transport plugin sends a registration message
to the facilitator, informing the facilitator that it is waiting for
a connection. If the client transport plugin obfuscates its
connections using pluggable transports, then it also appends the
listening address of its transports to the registration message.
The facilitator will later hand this registration to a flash
proxy. The registration message is an HTTP POST request of the form:
POST / HTTP/1.0
client=[
]:[&client-transport=][
client=[]:[&client-transport=] ...]
Where 'transport' is the name of the pluggable transport that is
listening on :. The default flashproxy transport is
named 'websocket'.
For example a registration message might look like this:
client=1.2.3.4:9000
client=1.2.3.4:10000&client-transport=obfs3|websocket
The facilitator sends a 200 reply if the registration was successful
and an error status otherwise. If the transport plugin omits the
[] part, the facilitator will automatically fill it in based
on the HTTP client address, which means the transport plugin doesn't
have to know its external address.
The client transport plugin solves the impedance mismatch between the
Tor client and the flash proxy, both of which want to make outgoing
connections to the other. The transport plugin sits in between,
listens for connections from both ends, and matches them together. The
remote socket listens on port 9000 and the local on port 9001.
On the local side, it acts as a SOCKS proxy (albeit one that always
goes to the same destination).
7. Behavior of the flash proxy
The flash proxy polls the facilitator for client registrations. When
it receives a registration, it opens one connection to the given Tor
relay, one to the given client, and begins proxying data between them.
The proxy asks the facilitator for a registration with an HTTP GET
request:
GET /?r=&client=:&transport= HTTP/1.0
The 'r' parameter is the protocol revision number (should be '1' for now).
The 'client' parameter carries the IP address of a flashproxy
client. The client parameter can repeat to report multiple
connected clients.
The 'transport' parameter may be repeated zero or many times and
signals the outer-transports that this flashproxy supports. (See
section 10 for a discussion of inner and outer transports.)
For example:
GET /?r=1&client=7.1.43.21:9999&client=1.2.3.4:9000&transport=webrtc&transport=websocket HTTP/1.0
The response code is 200 and the body looks like this:
client=:&client-transport=&relay=:&relay-transport=
For example:
client=1.2.3.4:2000&client-transport=websocket&relay=10.10.10:9902&relay-transport=websocket
As with the request, the response transports are actually outer
transports; inner transports are not the proxy's concern and therefore
not given.
If the value for the client parameter is empty, it means that there are no
client registrations for this proxy.
The flash proxy may serve more than one relay–client pair at once.
8. Behavior of the facilitator
The facilitator is an HTTP server that handles client POST registrations
and proxy GET requests according to the formats given above. The
facilitator listens on port 9002.
In the current implementation, the facilitator forgets a client
registration after giving it to a flash proxy. The client must
re-register if it wants another connection later.
9. Behavior of the Tor relay.
The Tor relay requires no special configuration.
10. Inner and outer transports
The client can talk to the relay using not only the Tor protocol, but
any transport protocol implemented by e.g. another pluggable transport
that sits between tor and the flashproxy PT. For the facilitator to
match a client with a relay that understands it, flashproxy-client
must be given the name of the transport protocol, via the --transport
option. This is divided into two parts, the inner and outer transport,
written like "inner|outer" or just "outer" if the inner transport is
the plain Tor protocol.
The inner transport is the protocol that the non-flashproxy parts of
the client and relay talk to each other with, and must be the same for
each connected pair. Beyond that, the semantics of the transport are
opaque to flashproxy; it does not know or care.
The outer transports are the protocols that the browser proxy uses to
talk to the client and relay, and may be different for each. The proxy
un-applies the outer transport of the client so that only the inner
traffic remains, then re-applies the outer transport of the relay to
this and sends it to the relay; and vice-versa for traffic going in
the opposite direction.
Diagram:
client <======outer-C=======> proxy <======outer-S=======> relay
       <=======inner=========-------========inner========>
Currently the only supported outer transport is "websocket", but we
will also add support for newer technologies such as webRTC.
(We have also seen third-party proxies running outside the browser
on NodeJS that can open plain TCP connections, so that the outer
transport is effectively just "tcp", although this is not currently
recognised by the facilitator.)
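The message formats of sections 6 to 10, handled from the facilitator's side: parsing a registration, parsing a proxy poll, and matching on inner and outer transports. This is an added example in Python 3, not code from the flashproxy distribution; the function names, the relay table, the sample addresses, the IP-literal-only address check and the bare "client=" empty reply are assumptions of the example.

```python
import ipaddress
from urllib.parse import parse_qs

DEFAULT_TRANSPORT = "websocket"  # default transport named in section 6


def split_transport(spec):
    """Split "inner|outer" into (inner, outer); inner is "" for plain Tor."""
    inner, _, outer = spec.rpartition("|")
    if not outer:
        raise ValueError("empty outer transport in %r" % spec)
    return inner, outer


def parse_addr(spec, fallback_host=None):
    """Validate "host:port", "[v6]:port" or ":port"; return (host, port)."""
    host, sep, port = spec.rpartition(":")
    if not sep:
        raise ValueError("missing port in %r" % spec)
    host = host.strip("[]") or fallback_host
    if not host:
        raise ValueError("missing host in %r" % spec)
    host = str(ipaddress.ip_address(host))  # ValueError on hostnames or junk
    if not (port.isascii() and port.isdigit() and 0 < int(port) < 65536):
        raise ValueError("bad port in %r" % spec)
    return host, int(port)


def fmt_addr(addr):
    host, port = addr
    return ("[%s]:%d" if ":" in host else "%s:%d") % (host, port)


def parse_registration(body, http_client_host):
    """Parse a registration POST body, one client per line (section 6)."""
    regs = []
    for line in body.splitlines():
        if not line.strip():
            continue
        fields = parse_qs(line.strip(), strict_parsing=True)
        if "client" not in fields:
            raise ValueError("no client in %r" % line)
        # An omitted host is filled in from the HTTP client address.
        addr = parse_addr(fields["client"][0], fallback_host=http_client_host)
        spec = fields.get("client-transport", [DEFAULT_TRANSPORT])[0]
        inner, outer = split_transport(spec)
        regs.append({"addr": addr, "inner": inner, "outer": outer})
    return regs


def parse_proxy_poll(query):
    """Parse a proxy's GET query (section 7); return its outer transports."""
    fields = parse_qs(query, strict_parsing=True)
    if fields.get("r") != ["1"]:
        raise ValueError("unsupported protocol revision")
    for spec in fields.get("client", []):
        parse_addr(spec)  # reported clients must at least be well-formed
    return set(fields.get("transport", []))


def hand_out(pending, offered, relays):
    """Pop the first registration this proxy can serve; return the reply body.

    relays is a constructed table {transport spec: "host:port"}.
    """
    for i, reg in enumerate(pending):
        if reg["outer"] not in offered:
            continue
        for spec, relay_addr in relays.items():
            inner, outer = split_transport(spec)
            # Inner transports must match end to end; outer ones are per hop.
            if inner == reg["inner"] and outer in offered:
                del pending[i]  # section 8: forgotten once handed out
                return "client=%s&client-transport=%s&relay=%s&relay-transport=%s" % (
                    fmt_addr(reg["addr"]), reg["outer"],
                    fmt_addr(parse_addr(relay_addr)), outer)
    return "client="  # assumed form of "no registration for this proxy"


# Constructed sample input. The second client omits its host part, so it is
# registered under the HTTP client address passed to parse_registration().
SAMPLE_BODY = "client=1.2.3.4:9000\nclient=:10000&client-transport=obfs3|websocket\n"
SAMPLE_POLL = ("r=1&client=7.1.43.21:9999&client=1.2.3.4:9000"
               "&transport=webrtc&transport=websocket")
SAMPLE_RELAYS = {"websocket": "192.0.2.10:9901", "obfs3|websocket": "192.0.2.11:9902"}


def demo():
    pending = parse_registration(SAMPLE_BODY, http_client_host="203.0.113.7")
    offered = parse_proxy_poll(SAMPLE_POLL)
    return [hand_out(pending, offered, SAMPLE_RELAYS) for _ in range(3)]


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

The reply carries only outer transports, as section 7 states; the inner transport is used for matching and never reaches the proxy.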
flashproxy-1.7/doc/flashproxy-client.1
'\" t
.\" Title: flashproxy-client
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
.\" Date: 05/07/2014
.\" Manual: \ \&
.\" Source: \ \&
.\" Language: English
.\"
.TH "FLASHPROXY\-CLIENT" "1" "05/07/2014" "\ \&" "\ \&"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
flashproxy-client \- The flash proxy client transport plugin
.SH "SYNOPSIS"
.sp
\fBflashproxy\-client\fR \fB\-\-register\fR [\fIOPTIONS\fR] [\fILOCAL\fR][:\fIPORT\fR] [\fIREMOTE\fR][:\fIPORT\fR]
.SH "DESCRIPTION"
.sp
Wait for connections on a local and a remote port\&. When any pair of connections exists, data is ferried between them until one side is closed\&. By default \fILOCAL\fR is localhost addresses on port 9001 and \fIREMOTE\fR is all addresses on port 9000\&.
.sp
The local connection acts as a SOCKS4a proxy, but the host and port in the SOCKS request are ignored and the local connection is always linked to a remote connection\&.
.sp
By default, runs as a managed proxy: informs a parent Tor process of support for the "flashproxy" or "websocket" pluggable transport\&. In managed mode, the \fILOCAL\fR port is chosen arbitrarily instead of defaulting to 9001; however this can be overridden by including a \fILOCAL\fR port in the command\&. This is the way the program should be invoked in a torrc ClientTransportPlugin "exec" line\&. Use the \fB\-\-external\fR option to run as an external proxy that does not interact with Tor\&.
.sp
If any of the \fB\-\-register\fR, \fB\-\-register\-addr\fR, or \fB\-\-register\-methods\fR options are used, then your IP address will be sent to the facilitator so that proxies can connect to you\&. You need to register in some way in order to get any service\&. The \fB\-\-facilitator\fR option allows controlling which facilitator is used; if omitted, it uses a public default\&.
.SH "OPTIONS"
.PP
\fB\-4\fR
.RS 4
Registration helpers use IPv4\&.
.RE
.PP
\fB\-6\fR
.RS 4
Registration helpers use IPv6\&.
.RE
.PP
\fB\-\-daemon\fR
.RS 4
Daemonize (Unix only)\&.
.RE
.PP
\fB\-\-external\fR
.RS 4
Be an external proxy (don\(cqt interact with Tor using environment variables and stdout)\&.
.RE
.PP
\fB\-f\fR, \fB\-\-facilitator\fR=\fIURL\fR
.RS 4
Advertise willingness to receive connections to URL\&.
.RE
.PP
\fB\-\-facilitator\-pubkey\fR=\fIFILENAME\fR
.RS 4
Encrypt registrations to the given PEM\-formatted public key (default built\-in)\&.
.RE
.PP
\fB\-h\fR, \fB\-\-help\fR
.RS 4
Display a help message and exit\&.
.RE
.PP
\fB\-l\fR, \fB\-\-log\fR=\fIFILENAME\fR
.RS 4
Write log to
\fIFILENAME\fR
(default is stdout)\&.
.RE
.PP
\fB\-\-pidfile\fR=\fIFILENAME\fR
.RS 4
Write PID to
\fIFILENAME\fR
after daemonizing\&.
.RE
.PP
\fB\-\-port\-forwarding\fR
.RS 4
Attempt to forward
\fIREMOTE\fR
port\&.
.RE
.PP
\fB\-\-port\-forwarding\-helper\fR=\fIPROGRAM\fR
.RS 4
Use the given
\fIPROGRAM\fR
to forward ports (default "tor\-fw\-helper")\&. Implies
\fB\-\-port\-forwarding\fR\&.
.RE
.PP
\fB\-\-port\-forwarding\-external\fR=\fIPORT\fR
.RS 4
Forward the external
\fIPORT\fR
to
\fIREMOTE\fR
on the local host (default same as REMOTE)\&. Implies
\fB\-\-port\-forwarding\fR\&.
.RE
.PP
\fB\-r\fR, \fB\-\-register\fR
.RS 4
Register with the facilitator\&.
.RE
.PP
\fB\-\-register\-addr\fR=\fIADDR\fR
.RS 4
Register the given address (in case it differs from
\fIREMOTE\fR)\&. Implies
\fB\-\-register\fR\&.
.RE
.PP
\fB\-\-register\-methods\fR=\fIMETHOD\fR[,\fIMETHOD\fR]
.RS 4
Register using the given comma\-separated list of methods\&. Implies
\fB\-\-register\fR\&. Possible methods are: appspot, email, http\&. Default is "appspot,email,http"\&.
.RE
.PP
\fB\-\-transport\fR=\fITRANSPORT\fR
.RS 4
Registrations include the fact that you intend to use the given
\fITRANSPORT\fR
(default "websocket")\&.
.RE
.PP
\fB\-\-unsafe\-logging\fR
.RS 4
Don\(cqt scrub IP addresses from logs\&.
.RE
.SH "SEE ALSO"
.sp
\fBhttp://crypto\&.stanford\&.edu/flashproxy/\fR
.SH "BUGS"
.sp
Please report using \fBhttps://trac\&.torproject\&.org/projects/tor\fR\&.
flashproxy-1.7/doc/flashproxy-client.1.txt
// This file is asciidoc source code.
// To generate manpages, use the a2x command i.e.
// a2x --no-xmllint -d manpage -f manpage flashproxy-client.1.txt
// see http://www.methods.co.nz/asciidoc/userguide.html#X1
FLASHPROXY-CLIENT(1)
====================
NAME
----
flashproxy-client - The flash proxy client transport plugin
SYNOPSIS
--------
**flashproxy-client** **--register** [__OPTIONS__] [__LOCAL__][:__PORT__] [__REMOTE__][:__PORT__]
DESCRIPTION
-----------
Wait for connections on a local and a remote port. When any pair of connections
exists, data is ferried between them until one side is closed. By default
__LOCAL__ is localhost addresses on port 9001 and __REMOTE__ is all addresses
on port 9000.
The local connection acts as a SOCKS4a proxy, but the host and port in the SOCKS
request are ignored and the local connection is always linked to a remote
connection.
By default, runs as a managed proxy: informs a parent Tor process of support for
the "flashproxy" or "websocket" pluggable transport. In managed mode, the __LOCAL__ port is chosen
arbitrarily instead of defaulting to 9001; however this can be
overridden by including a __LOCAL__ port in the command. This is the way the
program should be invoked in a torrc ClientTransportPlugin "exec" line.
Use the **--external** option to run as an external proxy that does not
interact with Tor.
If any of the **--register**, **--register-addr**, or **--register-methods** options are
used, then your IP address will be sent to the facilitator so that proxies can
connect to you. You need to register in some way in order to get any service.
The **--facilitator** option allows controlling which facilitator is used; if
omitted, it uses a public default.
OPTIONS
-------
**-4**::
Registration helpers use IPv4.
**-6**::
Registration helpers use IPv6.
**--daemon**::
Daemonize (Unix only).
**--external**::
Be an external proxy (don't interact with Tor using environment variables
and stdout).
**-f**, **--facilitator**=__URL__::
Advertise willingness to receive connections to URL.
**--facilitator-pubkey**=__FILENAME__::
Encrypt registrations to the given PEM-formatted public key (default built-in).
**-h**, **--help**::
Display a help message and exit.
**-l**, **--log**=__FILENAME__::
Write log to __FILENAME__ (default is stdout).
**--pidfile**=__FILENAME__::
Write PID to __FILENAME__ after daemonizing.
**--port-forwarding**::
Attempt to forward __REMOTE__ port.
**--port-forwarding-helper**=__PROGRAM__::
Use the given __PROGRAM__ to forward ports (default "tor-fw-helper"). Implies
**--port-forwarding**.
**--port-forwarding-external**=__PORT__::
Forward the external __PORT__ to __REMOTE__ on the local host (default same
as REMOTE). Implies **--port-forwarding**.
**-r**, **--register**::
Register with the facilitator.
**--register-addr**=__ADDR__::
Register the given address (in case it differs from __REMOTE__). Implies **--register**.
**--register-methods**=__METHOD__[,__METHOD__]::
Register using the given comma-separated list of methods. Implies **--register**.
Possible methods are: appspot, email, http. Default is "appspot,email,http".
**--transport**=__TRANSPORT__::
Registrations include the fact that you intend to use the given __TRANSPORT__ (default "websocket").
**--unsafe-logging**::
Don't scrub IP addresses from logs.
SEE ALSO
--------
**http://crypto.stanford.edu/flashproxy/**
BUGS
----
Please report using **https://trac.torproject.org/projects/tor**.
flashproxy-1.7/doc/flashproxy-reg-appspot.1
'\" t
.\" Title: flashproxy-reg-appspot
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
.\" Date: 05/07/2014
.\" Manual: \ \&
.\" Source: \ \&
.\" Language: English
.\"
.TH "FLASHPROXY\-REG\-APPSPOT" "1" "05/07/2014" "\ \&" "\ \&"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
flashproxy-reg-appspot \- Register with a facilitator through Google App Engine\&.
.SH "SYNOPSIS"
.sp
\fBflashproxy\-reg\-appspot\fR [\fIOPTIONS\fR] [\fIREMOTE\fR][:\fIPORT\fR]
.SH "DESCRIPTION"
.sp
Register with a flash proxy facilitator through a Google App Engine app\&. By default the remote address registered is ":9000" (the external IP address is guessed)\&. It requires https://www\&.google\&.com/ not to be blocked\&.
.sp
This program uses a trick to talk to App Engine, even though appspot\&.com may be blocked\&. The IP address and Server Name Indication of the request are for www\&.google\&.com, but the Host header inside the request is for an appspot\&.com subdomain\&.
.sp
Requires the \fBflashproxy\-reg\-url\fR program\&.
.SH "OPTIONS"
.PP
\fB\-4\fR
.RS 4
Name lookups use only IPv4\&.
.RE
.PP
\fB\-6\fR
.RS 4
Name lookups use only IPv6\&.
.RE
.PP
\fB\-\-disable\-pin\fR
.RS 4
Don\(cqt check the server\(cqs public key against a list of known pins\&. You can use this if the server\(cqs public key has changed and this program hasn\(cqt been updated yet\&.
.RE
.PP
\fB\-\-facilitator\-pubkey\fR=\fIFILENAME\fR
.RS 4
Encrypt registrations to the given PEM\-formatted public key (default built\-in)\&.
.RE
.PP
\fB\-h\fR, \fB\-\-help\fR
.RS 4
Display help message and exit\&.
.RE
.PP
\fB\-\-transport\fR=\fITRANSPORT\fR
.RS 4
Registrations include the fact that you intend to use the given
\fITRANSPORT\fR
(default "websocket")\&.
.RE
.PP
\fB\-\-unsafe\-logging\fR
.RS 4
Don\(cqt scrub IP addresses from logs\&.
.RE
.SH "SEE ALSO"
.sp
\fBhttp://crypto\&.stanford\&.edu/flashproxy/\fR
.SH "BUGS"
.sp
Please report using \fBhttps://trac\&.torproject\&.org/projects/tor\fR\&.
flashproxy-1.7/doc/flashproxy-reg-appspot.1.txt
// This file is asciidoc source code.
// To generate manpages, use the a2x command.
// This one has a long name, if you don't change the
// default length parameter it will be truncated, use:
// a2x --no-xmllint --xsltproc-opts "--stringparam man.th.title.max.length 24" -d manpage -f manpage flashproxy-reg-appspot.1.txt
FLASHPROXY-REG-APPSPOT(1)
=========================
NAME
----
flashproxy-reg-appspot - Register with a facilitator through Google App Engine.
SYNOPSIS
--------
**flashproxy-reg-appspot** [__OPTIONS__] [__REMOTE__][:__PORT__]
DESCRIPTION
-----------
Register with a flash proxy facilitator through a Google App Engine app.
By default the remote address registered is ":9000" (the
external IP address is guessed). It requires https://www.google.com/ not
to be blocked.
This program uses a trick to talk to App Engine, even though appspot.com
may be blocked. The IP address and Server Name Indication of the request
are for www.google.com, but the Host header inside the request is for an
appspot.com subdomain.
Requires the **flashproxy-reg-url** program.
OPTIONS
-------
**-4**::
Name lookups use only IPv4.
**-6**::
Name lookups use only IPv6.
**--disable-pin**::
Don't check the server's public key against a list of known pins.
You can use this if the server's public key has changed and this
program hasn't been updated yet.
**--facilitator-pubkey**=__FILENAME__::
Encrypt registrations to the given PEM-formatted public key (default built-in).
**-h**, **--help**::
Display help message and exit.
**--transport**=__TRANSPORT__::
Registrations include the fact that you intend to use the given __TRANSPORT__ (default "websocket").
**--unsafe-logging**::
Don't scrub IP addresses from logs.
SEE ALSO
--------
**http://crypto.stanford.edu/flashproxy/**
BUGS
----
Please report using **https://trac.torproject.org/projects/tor**.
flashproxy-1.7/doc/flashproxy-reg-email.1
'\" t
.\" Title: flashproxy-reg-email
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
.\" Date: 05/07/2014
.\" Manual: \ \&
.\" Source: \ \&
.\" Language: English
.\"
.TH "FLASHPROXY\-REG\-EMAIL" "1" "05/07/2014" "\ \&" "\ \&"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
flashproxy-reg-email \- Register with a facilitator using the email method
.SH "SYNOPSIS"
.sp
\fBflashproxy\-reg\-email\fR [\fIOPTIONS\fR] [\fIREMOTE\fR][:\fIPORT\fR]
.SH "DESCRIPTION"
.sp
Register with a flash proxy facilitator through email\&. Makes a STARTTLS connection to an SMTP server and sends mail with a client IP address to a designated address\&. By default the remote address registered is ":9000" (the external IP address is guessed based on the SMTP server\(cqs response)\&.
.sp
Using an SMTP server or email address other than the defaults will not work unless you have made special arrangements to connect them to a facilitator\&.
.sp
The email address is not polled continually\&. After running the program, it may take up to a minute for the registration to be recognized\&.
.sp
This program requires the M2Crypto library for Python\&.
.SH "OPTIONS"
.PP
\fB\-4\fR
.RS 4
Name lookups use only IPv4\&.
.RE
.PP
\fB\-6\fR
.RS 4
Name lookups use only IPv6\&.
.RE
.PP
\fB\-d\fR, \fB\-\-debug\fR
.RS 4
Enable debugging output (Python smtplib messages)\&.
.RE
.PP
\fB\-\-disable\-pin\fR
.RS 4
Don\(cqt check the server\(cqs public key against a list of known pins\&. You can use this if the server\(cqs public key has changed and this program hasn\(cqt been updated yet\&.
.RE
.PP
\fB\-e\fR, \fB\-\-email\fR=\fIADDRESS\fR
.RS 4
Send mail to
\fIADDRESS\fR
(default is "flashproxyreg\&.a@gmail\&.com")\&.
.RE
.PP
\fB\-\-facilitator\-pubkey\fR=\fIFILENAME\fR
.RS 4
Encrypt registrations to the given PEM\-formatted public key (default built\-in)\&.
.RE
.PP
\fB\-h\fR, \fB\-\-help\fR
.RS 4
Display help message and exit\&.
.RE
.PP
\fB\-s\fR, \fB\-\-smtp\fR=\fIHOST\fR[:\fIPORT\fR]
.RS 4
Use the given SMTP server (default is "gmail\-smtp\-in\&.l\&.google\&.com:25")\&.
.RE
.PP
\fB\-\-transport\fR=\fITRANSPORT\fR
.RS 4
Registrations include the fact that you intend to use the given
\fITRANSPORT\fR
(default "websocket")\&.
.RE
.PP
\fB\-\-unsafe\-logging\fR
.RS 4
Don\(cqt scrub IP addresses from logs\&.
.RE
.SH "SEE ALSO"
.sp
\fBhttp://crypto\&.stanford\&.edu/flashproxy/\fR
.SH "BUGS"
.sp
Please report using \fBhttps://trac\&.torproject\&.org/projects/tor\fR\&.
flashproxy-1.7/doc/flashproxy-reg-email.1.txt
// This file is asciidoc source code.
// To generate manpages, use the a2x command.
// This one has a long name, if you don't change the
// default length parameter it will be truncated, use:
// a2x --no-xmllint --xsltproc-opts "--stringparam man.th.title.max.length 23" -d manpage -f manpage flashproxy-reg-email.1.txt
FLASHPROXY-REG-EMAIL(1)
=======================
NAME
----
flashproxy-reg-email - Register with a facilitator using the email method
SYNOPSIS
--------
**flashproxy-reg-email** [__OPTIONS__] [__REMOTE__][:__PORT__]
DESCRIPTION
-----------
Register with a flash proxy facilitator through email. Makes a STARTTLS
connection to an SMTP server and sends mail with a client IP address to a
designated address. By default the remote address registered is
":9000" (the external IP address is guessed based on the SMTP server's
response).
Using an SMTP server or email address other than the defaults will not work
unless you have made special arrangements to connect them to a facilitator.
The email address is not polled continually. After running the program,
it may take up to a minute for the registration to be recognized.
This program requires the M2Crypto library for Python.
OPTIONS
-------
**-4**::
Name lookups use only IPv4.
**-6**::
Name lookups use only IPv6.
**-d**, **--debug**::
Enable debugging output (Python smtplib messages).
**--disable-pin**::
Don't check the server's public key against a list of known pins.
You can use this if the server's public key has changed and this
program hasn't been updated yet.
**-e**, **--email**=__ADDRESS__::
Send mail to __ADDRESS__ (default is "flashproxyreg.a@gmail.com").
**--facilitator-pubkey**=__FILENAME__::
Encrypt registrations to the given PEM-formatted public key (default built-in).
**-h**, **--help**::
Display help message and exit.
**-s**, **--smtp**=__HOST__[:__PORT__]::
Use the given SMTP server (default is "gmail-smtp-in.l.google.com:25").
**--transport**=__TRANSPORT__::
Registrations include the fact that you intend to use the given __TRANSPORT__ (default "websocket").
**--unsafe-logging**::
Don't scrub IP addresses from logs.
SEE ALSO
--------
**http://crypto.stanford.edu/flashproxy/**
BUGS
----
Please report using **https://trac.torproject.org/projects/tor**.
flashproxy-1.7/doc/flashproxy-reg-http.1
'\" t
.\" Title: flashproxy-reg-http
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
.\" Date: 05/07/2014
.\" Manual: \ \&
.\" Source: \ \&
.\" Language: English
.\"
.TH "FLASHPROXY\-REG\-HTTP" "1" "05/07/2014" "\ \&" "\ \&"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
flashproxy-reg-http \- Register with a facilitator using the HTTP method
.SH "SYNOPSIS"
.sp
\fBflashproxy\-reg\-http\fR [\fIOPTIONS\fR] [\fIREMOTE\fR][:\fIPORT\fR]
.SH "DESCRIPTION"
.sp
Register with a flash proxy facilitator using an HTTP POST\&. By default the remote address registered is ":9000"\&.
.SH "OPTIONS"
.PP
\fB\-4\fR
.RS 4
Name lookups use only IPv4\&.
.RE
.PP
\fB\-6\fR
.RS 4
Name lookups use only IPv6\&.
.RE
.PP
\fB\-f\fR, \fB\-\-facilitator\fR=\fIURL\fR
.RS 4
Register with the given facilitator (default "https://fp\-facilitator\&.org/")\&.
.RE
.PP
\fB\-h\fR, \fB\-\-help\fR
.RS 4
Display help message and exit\&.
.RE
.PP
\fB\-\-transport\fR=\fITRANSPORT\fR
.RS 4
Registrations include the fact that you intend to use the given
\fITRANSPORT\fR
(default "websocket")\&.
.RE
.PP
\fB\-\-unsafe\-logging\fR
.RS 4
Don\(cqt scrub IP addresses from logs\&.
.RE
.SH "SEE ALSO"
.sp
\fBhttp://crypto\&.stanford\&.edu/flashproxy/\fR
.SH "BUGS"
.sp
Please report using \fBhttps://trac\&.torproject\&.org/projects/tor\fR\&.
flashproxy-1.7/doc/flashproxy-reg-http.1.txt
// This file is asciidoc source code.
// To generate manpages, use the a2x command.
// This one has a long name, if you don't change the
// default length parameter it will be truncated, use:
// a2x --no-xmllint --xsltproc-opts "--stringparam man.th.title.max.length 22" -d manpage -f manpage flashproxy-reg-http.1.txt
FLASHPROXY-REG-HTTP(1)
======================
NAME
----
flashproxy-reg-http - Register with a facilitator using the HTTP method
SYNOPSIS
--------
**flashproxy-reg-http** [__OPTIONS__] [__REMOTE__][:__PORT__]
DESCRIPTION
-----------
Register with a flash proxy facilitator using an HTTP POST. By default the
remote address registered is ":9000".
OPTIONS
-------
**-4**::
Name lookups use only IPv4.
**-6**::
Name lookups use only IPv6.
**-f**, **--facilitator**=__URL__::
Register with the given facilitator (default "https://fp-facilitator.org/").
**-h**, **--help**::
Display help message and exit.
**--transport**=__TRANSPORT__::
Registrations include the fact that you intend to use the given __TRANSPORT__ (default "websocket").
**--unsafe-logging**::
Don't scrub IP addresses from logs.
SEE ALSO
--------
**http://crypto.stanford.edu/flashproxy/**
BUGS
----
Please report using **https://trac.torproject.org/projects/tor**.
flashproxy-1.7/doc/flashproxy-reg-url.1
'\" t
.\" Title: flashproxy-reg-url
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
.\" Date: 05/07/2014
.\" Manual: \ \&
.\" Source: \ \&
.\" Language: English
.\"
.TH "FLASHPROXY\-REG\-URL" "1" "05/07/2014" "\ \&" "\ \&"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
flashproxy-reg-url \- Register with a facilitator using an indirect URL
.SH "SYNOPSIS"
.sp
\fBflashproxy\-reg\-url\fR [\fIOPTIONS\fR] \fIREMOTE\fR[:\fIPORT\fR]
.SH "DESCRIPTION"
.sp
Print a URL, which, when retrieved, will cause the client address \fIREMOTE\fR[:\fIPORT\fR] to be registered with the flash proxy facilitator\&. The default \fIPORT\fR is 9000\&.
.SH "OPTIONS"
.PP
\fB\-f\fR, \fB\-\-facilitator\fR=\fIURL\fR
.RS 4
Register with the given facilitator (default "https://fp\-facilitator\&.org/")\&.
.RE
.PP
\fB\-\-facilitator\-pubkey\fR=\fIFILENAME\fR
.RS 4
Encrypt registrations to the given PEM\-formatted public key (default built\-in)\&.
.RE
.PP
\fB\-h\fR, \fB\-\-help\fR
.RS 4
Display help message and exit\&.
.RE
.PP
\fB\-\-transport\fR=\fITRANSPORT\fR
.RS 4
Registrations include the fact that you intend to use the given
\fITRANSPORT\fR
(default "websocket")\&.
.RE
.SH "EXAMPLE"
.sp
Say you wish to register 192\&.0\&.2\&.1:9000\&. Run
.sp
.if n \{\
.RS 4
.\}
.nf
\&./flashproxy\-reg\-url 192\&.0\&.2\&.1:9000
.fi
.if n \{\
.RE
.\}
.sp
The program should output a long string looking something like
.sp
https://fp\-facilitator\&.org/reg/0labtDob545HeKpLZ8LqGeOi\-OK7HXoQvfQzj0P2pjh1NrCKNDaPe91zo\&.\&.\&.
.sp
Copy this string and paste it into any URL fetching website or program\&. Once the URL is retrieved your address will be registered with the facilitator\&.
.SH "SEE ALSO"
.sp
\fBhttp://crypto\&.stanford\&.edu/flashproxy/\fR
.SH "BUGS"
.sp
Please report using \fBhttps://trac\&.torproject\&.org/projects/tor\fR\&.
flashproxy-1.7/doc/flashproxy-reg-url.1.txt
// This file is asciidoc source code.
// To generate manpages, use the a2x command.
// This one has a long name, if you don't change the
// default length parameter it will be truncated, use:
// a2x --no-xmllint --xsltproc-opts "--stringparam man.th.title.max.length 23" -d manpage -f manpage flashproxy-reg-url.1.txt
FLASHPROXY-REG-URL(1)
=====================
NAME
----
flashproxy-reg-url - Register with a facilitator using an indirect URL
SYNOPSIS
--------
**flashproxy-reg-url** [__OPTIONS__] __REMOTE__[:__PORT__]
DESCRIPTION
-----------
Print a URL, which, when retrieved, will cause the client address
__REMOTE__[:__PORT__] to be registered with the flash proxy facilitator. The
default __PORT__ is 9000.
OPTIONS
-------
**-f**, **--facilitator**=__URL__::
Register with the given facilitator (default "https://fp-facilitator.org/").
**--facilitator-pubkey**=__FILENAME__::
Encrypt registrations to the given PEM-formatted public key (default built-in).
**-h**, **--help**::
Display help message and exit.
**--transport**=__TRANSPORT__::
Registrations include the fact that you intend to use the given __TRANSPORT__ (default "websocket").
EXAMPLE
-------
Say you wish to register 192.0.2.1:9000. Run
...................................
./flashproxy-reg-url 192.0.2.1:9000
...................................
The program should output a long string looking something like
https://fp-facilitator.org/reg/0labtDob545HeKpLZ8LqGeOi-OK7HXoQvfQzj0P2pjh1NrCKNDaPe91zo\...
Copy this string and paste it into any URL fetching website or program.
Once the URL is retrieved your address will be registered with the facilitator.
SEE ALSO
--------
**http://crypto.stanford.edu/flashproxy/**
BUGS
----
Please report using **https://trac.torproject.org/projects/tor**.
flashproxy-1.7/experiments/
flashproxy-1.7/experiments/README
This directory contains scripts for testing and benchmarking the flash
proxy.
== Preparation
You need to have installed certain software before running the tests.
Firefox 8.0.1
socat
Wget
Python
thttpd
websockify
socat, Wget, and Python are easily installed on most GNU/Linux
distributions. thttpd can be compiled from the packages at
http://acme.com/software/thttpd/. websockify is from
https://github.com/kanaka/websockify/. The old Firefox is from
http://download.mozilla.org/?product=firefox-8.0.1&os=linux&lang=en-US.
Before compiling thttpd, increase IDLE_READ_TIMEOUT in config.h to a
high value (several thousand). This is because some tests wait a long
time between making a connection and sending an HTTP request.
Firefox versions 9 and 10 will not work; these versions have a change to
the -no-remote option that prevents the tests from running. This is
supposed to be fixed with a -new-instance option in version 12.
You need to create some dedicated Firefox profiles. Create profiles
named flashexp1 and flashexp2 by running
firefox -ProfileManager -no-remote
Start the browsers with
firefox -P flashexp1 -no-remote &
firefox -P flashexp2 -no-remote &
and in each one, set this about:config variable:
browser.link.open_newwindow=1 (default is 3)
This allows the scripts to clear the contents of a tab and replace them
with another page.
I personally run these tests in an Arch Linux VM.
useradd -m user
passwd user
pacman -Sy
pacman -Su
pacman -S firefox socat python2 xorg xorg-xinit xterm flashplugin gcc make
Download thttpd, compile it (you have to rename the getline function to
avoid a naming conflict), and install it in /usr/local/bin. Symlink
/usr/bin/python to /usr/bin/python2. Also you have to install the
ttf-ms-fonts package from the AUR for text to show up in Flash Player.
Add a window manager, run "startx", and you should be set.
flashproxy-1.7/experiments/client-extract.py 0000775 0000000 0000000 00000002303 12363506367 0021437 0 ustar 00root root 0000000 0000000 #!/usr/bin/env python
import datetime
import getopt
import re
import sys
def usage(f = sys.stdout):
    print >> f, """\
Usage: %s [INPUTFILE]
Extract client connections from a facilitator log. Each output line is
date\tcount\n
where count is the number of client requests in that hour.
-h, --help show this help.
""" % sys.argv[0]
opts, args = getopt.gnu_getopt(sys.argv[1:], "h", ["help"])
for o, a in opts:
    if o == "-h" or o == "--help":
        usage()
        sys.exit()
if len(args) == 0:
    input_file = sys.stdin
elif len(args) == 1:
    input_file = open(args[0])
else:
    usage()
    sys.exit()
prev_output = None
count = 0.0
for line in input_file:
    m = re.match(r'^(\d+-\d+-\d+ \d+:\d+:\d+) client', line)
    if not m:
        continue
    date_str, = m.groups()
    date = datetime.datetime.strptime(date_str, "%Y-%m-%d %H:%M:%S")
    count += 1
    rounded_date = date.replace(minute=0, second=0, microsecond=0)
    prev_output = prev_output or rounded_date
    if prev_output is None or rounded_date != prev_output:
        avg = float(count)
        print date.strftime("%Y-%m-%d %H:%M:%S") + "\t" + "%.2f" % avg
        prev_output = rounded_date
        count = 0.0
flashproxy-1.7/experiments/client-graph.py 0000775 0000000 0000000 00000004430 12363506367 0021071 0 ustar 00root root 0000000 0000000 #!/usr/bin/env python
# Makes a graph of flash proxy client counts from a facilitator log.
import datetime
import getopt
import re
import sys
import matplotlib
import matplotlib.pyplot as plt
import numpy as np
START_DATE = datetime.datetime(2012, 12, 15)
def usage(f = sys.stdout):
    print >> f, """\
Usage: %s -o OUTPUT [INPUTFILE]
Makes a graph of flash proxy counts from a facilitator log.
-h, --help show this help.
-o, --output=OUTPUT output file name (required).\
""" % sys.argv[0]
output_file_name = None
opts, args = getopt.gnu_getopt(sys.argv[1:], "ho:", ["help", "output="])
for o, a in opts:
    if o == "-h" or o == "--help":
        usage()
        sys.exit()
    elif o == "-o" or o == "--output":
        output_file_name = a
if not output_file_name:
    usage()
    sys.exit()
if len(args) == 0:
    input_file = sys.stdin
elif len(args) == 1:
    input_file = open(args[0])
else:
    usage()
    sys.exit()
def format_date(d, pos=None):
    d = matplotlib.dates.num2date(d)
    return d.strftime("%B %d")
def timedelta_to_seconds(delta):
    return delta.days * (24 * 60 * 60) + delta.seconds + delta.microseconds / 1000000.0
prev_output = None
count = 0
data = []
for line in input_file:
    m = re.match(r'^(\d+-\d+-\d+ \d+:\d+:\d+) client', line)
    if not m:
        continue
    date_str, = m.groups()
    date = datetime.datetime.strptime(date_str, "%Y-%m-%d %H:%M:%S")
    if date < START_DATE:
        continue
    count += 1
    rounded_date = date.replace(minute=0, second=0, microsecond=0)
    prev_output = prev_output or rounded_date
    if prev_output is None or rounded_date != prev_output:
        delta = timedelta_to_seconds(date - prev_output)
        # avg = float(count) / delta
        avg = float(count)
        data.append((date, avg))
        print date, avg
        prev_output = rounded_date
        count = 0
data = np.array(data)
fig = plt.figure()
ax = fig.add_axes([0.10, 0.30, 0.88, 0.60])
ax.set_ylabel(u"Number of clients", fontsize=8)
fig.set_size_inches((8, 3))
ax.tick_params(direction="out", top="off", right="off")
ax.set_frame_on(False)
ax.xaxis.set_major_formatter(matplotlib.ticker.FuncFormatter(format_date))
fig.autofmt_xdate()
plt.fill_between(data[:,0], data[:,1], linewidth=0, color="black")
fig.savefig(output_file_name)
flashproxy-1.7/experiments/client-graph.r 0000664 0000000 0000000 00000000415 12363506367 0020676 0 ustar 00root root 0000000 0000000 library(ggplot2)
x <- read.delim("client.dat", header=FALSE, col.names=c("date", "count"), colClasses=c("POSIXct", "numeric"))
png("client-count.png", width=720, height=480)
qplot(date, data=x, geom="bar", weight=count, binwidth=86400, ylab="client requests per day")
flashproxy-1.7/experiments/common.sh 0000664 0000000 0000000 00000002404 12363506367 0017762 0 ustar 00root root 0000000 0000000 # This file contains common variables and subroutines used by the experiment
# scripts.
FLASHPROXY_DIR="$(dirname $BASH_SOURCE)/.."
FIREFOX=firefox
SOCAT=socat
WEBSOCKIFY=websockify
THTTPD=thttpd
TOR=tor
visible_sleep() {
N="$1"
echo -n "sleep $N"
while [ "$N" -gt 0 ]; do
sleep 1
N=$((N-1))
echo -ne "\rsleep $N "
done
echo -ne "\n"
}
ensure_browser_started() {
local PROFILE="$1"
("$FIREFOX" -P "$PROFILE" -remote "ping()" || ("$FIREFOX" -P "$PROFILE" -no-remote & visible_sleep 5)) 2>/dev/null
}
browser_clear() {
local PROFILE="$1"
("$FIREFOX" -P "$PROFILE" -remote "ping()" && "$FIREFOX" -P "$PROFILE" -remote "openurl(about:blank)" &) 2>/dev/null
}
browser_goto() {
local PROFILE="$1"
local URL="$2"
ensure_browser_started "$PROFILE"
"$FIREFOX" -P "$PROFILE" -remote "openurl($URL)" 2>/dev/null
}
# Run a command and get the "real" part of time(1) output as a number of
# seconds.
real_time() {
# Make a spare copy of stderr (fd 2).
exec 3>&2
# Point the subcommand's stderr to our copy (fd 3), and extract the
# original stderr (fd 2) output of time.
(time -p eval "$@" 2>&3) |& tail -n 3 | head -n 1 | awk '{print $2}'
}
# Repeat a subcommand N times.
repeat() {
local N
N="$1"
shift
while [ $N -gt 0 ]; do
eval "$@"
N=$((N-1))
done
}
flashproxy-1.7/experiments/exercise/ 0000775 0000000 0000000 00000000000 12363506367 0017745 5 ustar 00root root 0000000 0000000 flashproxy-1.7/experiments/exercise/exercise.sh 0000775 0000000 0000000 00000001365 12363506367 0022120 0 ustar 00root root 0000000 0000000 #!/bin/bash
# This script registers with the flash proxy facilitator, tries to download
# check.torproject.org, and saves a timestamped log file.
FLASHPROXY_DIR="$HOME/flashproxy"
TOR="$HOME/tor/src/or/tor"
LOCAL_PORT=1080
REMOTE_PORT=7070
declare -a PIDS_TO_KILL
stop() {
if [ -n "${PIDS_TO_KILL[*]}" ]; then
echo "Kill pids ${PIDS_TO_KILL[@]}."
kill "${PIDS_TO_KILL[@]}"
fi
exit
}
trap stop EXIT
date
cd "$FLASHPROXY_DIR"
./flashproxy-client --external --register ":$LOCAL_PORT" ":$REMOTE_PORT" &
PIDS_TO_KILL+=($!)
sleep 20
"$TOR" ClientTransportPlugin "flashproxy socks4 127.0.0.1:$LOCAL_PORT" UseBridges 1 Bridge "flashproxy 0.0.1.0:1" &
PIDS_TO_KILL+=($!)
sleep 60
curl --retry 5 --socks4a 127.0.0.1:9050 http://check.torproject.org/
flashproxy-1.7/experiments/exercise/flashproxy-exercise.sh 0000775 0000000 0000000 00000000415 12363506367 0024310 0 ustar 00root root 0000000 0000000 #!/bin/sh
# Usage (for example in crontab for hourly tests):
# 0 * * * * cd /path/flashproxy-exercise && ./flashproxy-exercise.sh
LOGDIR=log
DATE=$(date +"%Y-%m-%d-%H:%M")
LOG="$LOGDIR/log-$DATE"
mkdir -p "$LOGDIR"
(./exercise.sh &> "$LOG") || cat "$LOG"
flashproxy-1.7/experiments/facilitator-graph.py 0000775 0000000 0000000 00000004304 12363506367 0022114 0 ustar 00root root 0000000 0000000 #!/usr/bin/env python
# Makes a graph of flash proxy counts from a facilitator log.
import datetime
import getopt
import re
import sys
import matplotlib
import matplotlib.pyplot as plt
import numpy as np
POLL_INTERVAL = 10.0
def usage(f = sys.stdout):
    print >> f, """\
Usage: %s -o OUTPUT [INPUTFILE]
Makes a graph of flash proxy counts from a facilitator log.
-h, --help show this help.
-o, --output=OUTPUT output file name (required).\
""" % sys.argv[0]
output_file_name = None
opts, args = getopt.gnu_getopt(sys.argv[1:], "ho:", ["help", "output="])
for o, a in opts:
    if o == "-h" or o == "--help":
        usage()
        sys.exit()
    elif o == "-o" or o == "--output":
        output_file_name = a
if not output_file_name:
    usage()
    sys.exit()
if len(args) == 0:
    input_file = sys.stdin
elif len(args) == 1:
    input_file = open(args[0])
else:
    usage()
    sys.exit()
def format_date(d, pos=None):
    d = matplotlib.dates.num2date(d)
    return d.strftime("%B %d")
def timedelta_to_seconds(delta):
    return delta.days * (24 * 60 * 60) + delta.seconds + delta.microseconds / 1000000.0
prev_output = None
count = 0
data = []
for line in input_file:
    m = re.match(r'^(\d+-\d+-\d+ \d+:\d+:\d+) proxy gets', line)
    if not m:
        continue
    date_str, = m.groups()
    date = datetime.datetime.strptime(date_str, "%Y-%m-%d %H:%M:%S")
    count += 1
    rounded_date = date.replace(minute=0, second=0, microsecond=0)
    prev_output = prev_output or rounded_date
    if prev_output is None or rounded_date != prev_output:
        delta = timedelta_to_seconds(date - prev_output)
        avg = float(count) / delta * POLL_INTERVAL
        data.append((date, avg))
        print date, avg
        prev_output = rounded_date
        count = 0
data = np.array(data)
fig = plt.figure()
ax = fig.add_axes([0.10, 0.30, 0.88, 0.60])
ax.set_ylabel(u"Number of proxies", fontsize=8)
fig.set_size_inches((8, 3))
ax.tick_params(direction="out", top="off", right="off")
ax.set_frame_on(False)
ax.xaxis.set_major_formatter(matplotlib.ticker.FuncFormatter(format_date))
fig.autofmt_xdate()
plt.fill_between(data[:,0], data[:,1], linewidth=0, color="black")
fig.savefig(output_file_name)
flashproxy-1.7/experiments/proxy-extract.py 0000775 0000000 0000000 00000004701 12363506367 0021346 0 ustar 00root root 0000000 0000000 #!/usr/bin/env python
import datetime
import getopt
import re
import sys
def usage(f = sys.stdout):
    print >> f, """\
Usage: %s [INPUTFILE]
Extract proxy connections from a facilitator log. Each output line is
date\tcount\n
where count is the approximate poll interval in effect at date.
-h, --help show this help.
""" % sys.argv[0]
opts, args = getopt.gnu_getopt(sys.argv[1:], "h", ["help"])
for o, a in opts:
    if o == "-h" or o == "--help":
        usage()
        sys.exit()
if len(args) == 0:
    input_file = sys.stdin
elif len(args) == 1:
    input_file = open(args[0])
else:
    usage()
    sys.exit()
def timedelta_to_seconds(delta):
    return delta.days * (24 * 60 * 60) + delta.seconds + delta.microseconds / 1000000.0
# commit 49de7bf689ee989997a1edbf2414a7bdbc2164f9
# Author: David Fifield
# Date: Thu Jan 3 21:01:39 2013 -0800
#
# Bump poll interval from 10 s to 60 s.
#
# commit 69d429db12cedc90dac9ccefcace80c86af7eb51
# Author: David Fifield
# Date: Tue Jan 15 14:02:02 2013 -0800
#
# Increase facilitator_poll_interval from 1 m to 10 m.
BEGIN_60S = datetime.datetime(2013, 1, 3, 21, 0, 0)
BEGIN_600S = datetime.datetime(2013, 1, 15, 14, 0, 0)
# Proxies refresh themselves once a day, so interpolate across a day when the
# polling interval historically changed.
def get_poll_interval(date):
    if date < BEGIN_60S:
        return 10
    elif BEGIN_60S <= date < BEGIN_60S + datetime.timedelta(1):
        return timedelta_to_seconds(date-BEGIN_60S) / timedelta_to_seconds(datetime.timedelta(1)) * (60-10) + 10
    elif date < BEGIN_600S:
        return 60
    elif BEGIN_600S <= date < BEGIN_600S + datetime.timedelta(1):
        return timedelta_to_seconds(date-BEGIN_600S) / timedelta_to_seconds(datetime.timedelta(1)) * (600-60) + 60
    else:
        return 600
prev_output = None
count = 0.0
for line in input_file:
    m = re.match(r'^(\d+-\d+-\d+ \d+:\d+:\d+) proxy gets', line)
    if not m:
        continue
    date_str, = m.groups()
    date = datetime.datetime.strptime(date_str, "%Y-%m-%d %H:%M:%S")
    count += get_poll_interval(date)
    rounded_date = date.replace(minute=0, second=0, microsecond=0)
    prev_output = prev_output or rounded_date
    if prev_output is None or rounded_date != prev_output:
        avg = float(count) / 10.0
        print date.strftime("%Y-%m-%d %H:%M:%S") + "\t" + "%.2f" % avg
        prev_output = rounded_date
        count = 0.0
flashproxy-1.7/experiments/proxy-graph.r 0000664 0000000 0000000 00000000423 12363506367 0020600 0 ustar 00root root 0000000 0000000 library(ggplot2)
x <- read.delim("proxy.dat", header=FALSE, col.names=c("date", "interval"), colClasses=c("POSIXct", "numeric"))
png("proxy-count.png", width=720, height=480)
qplot(date, data=x, geom="bar", weight=interval/10, binwidth=86400, ylab="proxy requests per day")
flashproxy-1.7/experiments/switching/ 0000775 0000000 0000000 00000000000 12363506367 0020135 5 ustar 00root root 0000000 0000000 flashproxy-1.7/experiments/switching/local-http-alternating.sh 0000775 0000000 0000000 00000003340 12363506367 0025051 0 ustar 00root root 0000000 0000000 #!/bin/bash
# Usage: ./local-http-alternating.sh [OUTPUT_FILENAME]
#
# Tests a download over alternating flash proxies. If OUTPUT_FILENAME is
# supplied, appends the time measurement to that file.
. ../common.sh
PROFILE_1=flashexp1
PROFILE_2=flashexp2
PROXY_URL="http://127.0.0.1:8000/embed.html?facilitator=127.0.0.1:9002&ratelimit=off"
DATA_FILE_NAME="$FLASHPROXY_DIR/dump"
OUTPUT_FILENAME="$1"
# Declare an array.
declare -a PIDS_TO_KILL
stop() {
browser_clear "$PROFILE_1"
browser_clear "$PROFILE_2"
if [ -n "${PIDS_TO_KILL[*]}" ]; then
echo "Kill pids ${PIDS_TO_KILL[@]}."
kill "${PIDS_TO_KILL[@]}"
fi
echo "Delete data file."
rm -f "$DATA_FILE_NAME"
exit
}
trap stop EXIT
echo "Create data file."
dd if=/dev/null of="$DATA_FILE_NAME" bs=1M seek=500 2>/dev/null || exit
echo "Start web server."
"$THTTPD" -D -d "$FLASHPROXY_DIR" -p 8000 &
PIDS_TO_KILL+=($!)
echo "Start facilitator."
"$FLASHPROXY_DIR"/facilitator -d --relay 127.0.0.1:8000 >/dev/null &
PIDS_TO_KILL+=($!)
visible_sleep 5
echo "Start client transport plugin."
"$FLASHPROXY_DIR"/flashproxy-client --register --facilitator 127.0.0.1:9002 >/dev/null &
PIDS_TO_KILL+=($!)
visible_sleep 1
echo "Start browsers."
ensure_browser_started "$PROFILE_1"
ensure_browser_started "$PROFILE_2"
./proxy-loop.sh "$PROXY_URL" "$PROFILE_1" "$PROFILE_2" >/dev/null 2>&1 &
PIDS_TO_KILL+=($!)
visible_sleep 2
echo "Start socat."
"$SOCAT" TCP-LISTEN:2000,reuseaddr,fork SOCKS4A:127.0.0.1:dummy:0,socksport=9001 &
PIDS_TO_KILL+=($!)
visible_sleep 2
if [ -n "$OUTPUT_FILENAME" ]; then
real_time wget http://127.0.0.1:2000/dump --wait=0 --waitretry=0 -t 1000 -O /dev/null >> "$OUTPUT_FILENAME"
else
real_time wget http://127.0.0.1:2000/dump --wait=0 --waitretry=0 -t 1000 -O /dev/null
fi
flashproxy-1.7/experiments/switching/local-http-constant.sh 0000775 0000000 0000000 00000003256 12363506367 0024400 0 ustar 00root root 0000000 0000000 #!/bin/bash
# Usage: ./local-http-constant.sh [OUTPUT_FILENAME]
#
# Tests a download over an uninterrupted flash proxy. If OUTPUT_FILENAME
# is supplied, appends the time measurement to that file.
. ../common.sh
PROFILE_1=flashexp1
PROFILE_2=flashexp2
PROXY_URL="http://127.0.0.1:8000/embed.html?facilitator=127.0.0.1:9002&ratelimit=off"
DATA_FILE_NAME="$FLASHPROXY_DIR/dump"
OUTPUT_FILENAME="$1"
# Declare an array.
declare -a PIDS_TO_KILL
stop() {
browser_clear "$PROFILE_1"
browser_clear "$PROFILE_2"
if [ -n "${PIDS_TO_KILL[*]}" ]; then
echo "Kill pids ${PIDS_TO_KILL[@]}."
kill "${PIDS_TO_KILL[@]}"
fi
echo "Delete data file."
rm -f "$DATA_FILE_NAME"
exit
}
trap stop EXIT
echo "Create data file."
dd if=/dev/null of="$DATA_FILE_NAME" bs=1M seek=500 2>/dev/null || exit
echo "Start web server."
"$THTTPD" -D -d "$FLASHPROXY_DIR" -p 8000 &
PIDS_TO_KILL+=($!)
echo "Start websockify."
"$WEBSOCKIFY" -v 8001 127.0.0.1:8000 >/dev/null &
PIDS_TO_KILL+=($!)
echo "Start facilitator."
"$FLASHPROXY_DIR"/facilitator -d --relay 127.0.0.1:8001 >/dev/null &
PIDS_TO_KILL+=($!)
visible_sleep 5
echo "Start client transport plugin."
"$FLASHPROXY_DIR"/flashproxy-client --register --facilitator 127.0.0.1:9002 >/dev/null &
PIDS_TO_KILL+=($!)
visible_sleep 1
echo "Start browser."
browser_goto "$PROFILE_1" "$PROXY_URL"
echo "Start socat."
"$SOCAT" TCP-LISTEN:2000,reuseaddr,fork SOCKS4A:127.0.0.1:dummy:0,socksport=9001 &
PIDS_TO_KILL+=($!)
visible_sleep 2
if [ -n "$OUTPUT_FILENAME" ]; then
real_time wget http://127.0.0.1:2000/dump --wait=0 --waitretry=0 -t 1000 -O /dev/null >> "$OUTPUT_FILENAME"
else
real_time wget http://127.0.0.1:2000/dump --wait=0 --waitretry=0 -t 1000 -O /dev/null
fi
flashproxy-1.7/experiments/switching/proxy-loop.sh 0000775 0000000 0000000 00000001606 12363506367 0022627 0 ustar 00root root 0000000 0000000 #!/bin/bash
# Runs overlapping flash proxy instances in a loop.
# Usage: ./proxy-loop.sh URL PROFILE1 PROFILE2
# The profiles need to have the open_newwindow configuration option set
# properly. See ../README.
# browser.link.open_newwindow=1 (default is 3)
. ../common.sh
URL=$1
PROFILE_1=$2
PROFILE_2=$3
# OVERLAP must be at most half of PERIOD.
PERIOD=10
OVERLAP=2
ensure_browser_started "$PROFILE_1"
browser_clear "$PROFILE_1"
ensure_browser_started "$PROFILE_2"
browser_clear "$PROFILE_2"
sleep 1
while true; do
echo "1 on"
firefox -P "$PROFILE_1" -remote "openurl($URL)"
sleep $OVERLAP
echo "2 off"
firefox -P "$PROFILE_2" -remote "openurl(about:blank)"
sleep $(($PERIOD - (2 * $OVERLAP)))
echo "2 on"
firefox -P "$PROFILE_2" -remote "openurl($URL)"
sleep $OVERLAP
echo "1 off"
firefox -P "$PROFILE_1" -remote "openurl(about:blank)"
sleep $(($PERIOD - (2 * $OVERLAP)))
done
flashproxy-1.7/experiments/switching/remote-tor-alternating.sh 0000775 0000000 0000000 00000003217 12363506367 0025102 0 ustar 00root root 0000000 0000000 #!/bin/bash
# Usage: ./remote-tor-alternating.sh [OUTPUT_FILENAME]
#
# Tests a Tor download over alternating flash proxies. If OUTPUT_FILENAME is
# supplied, appends the time measurement to that file.
. ../common.sh
PROFILE_1=flashexp1
PROFILE_2=flashexp2
PROXY_URL="http://127.0.0.1:8000/embed.html?facilitator=127.0.0.1:9002&ratelimit=off"
DATA_FILE_NAME="$FLASHPROXY_DIR/dump"
OUTPUT_FILENAME="$1"
# Declare an array.
declare -a PIDS_TO_KILL
stop() {
browser_clear "$PROFILE_1"
browser_clear "$PROFILE_2"
if [ -n "${PIDS_TO_KILL[*]}" ]; then
echo "Kill pids ${PIDS_TO_KILL[@]}."
kill "${PIDS_TO_KILL[@]}"
fi
echo "Delete data file."
rm -f "$DATA_FILE_NAME"
exit
}
trap stop EXIT
echo "Start web server."
"$THTTPD" -D -d "$FLASHPROXY_DIR" -p 8000 &
PIDS_TO_KILL+=($!)
echo "Start facilitator."
"$FLASHPROXY_DIR"/facilitator -d --relay tor1.bamsoftware.com:9901 >/dev/null &
PIDS_TO_KILL+=($!)
visible_sleep 15
echo "Start client transport plugin."
"$FLASHPROXY_DIR"/flashproxy-client --register --facilitator 127.0.0.1:9002 >/dev/null &
PIDS_TO_KILL+=($!)
visible_sleep 1
echo "Start Tor."
"$TOR" -f "$FLASHPROXY_DIR"/torrc &
PIDS_TO_KILL+=($!)
echo "Start browsers."
ensure_browser_started "$PROFILE_1"
ensure_browser_started "$PROFILE_2"
./proxy-loop.sh "$PROXY_URL" "$PROFILE_1" "$PROFILE_2" >/dev/null 2>&1 &
PIDS_TO_KILL+=($!)
# Let Tor bootstrap.
visible_sleep 15
repeat_download() {
until torify wget http://torperf.torproject.org/.5mbfile --wait=0 --waitretry=0 -c -t 1000 -O "$DATA_FILE_NAME"; do
echo "retrying"
done
}
if [ -n "$OUTPUT_FILENAME" ]; then
real_time repeat_download >> "$OUTPUT_FILENAME"
else
real_time repeat_download
fi
flashproxy-1.7/experiments/switching/remote-tor-constant.sh 0000775 0000000 0000000 00000003004 12363506367 0024415 0 ustar 00root root 0000000 0000000 #!/bin/bash
# Usage: ./remote-tor-constant.sh [OUTPUT_FILENAME]
#
# Tests a Tor download over an uninterrupted flash proxy. If OUTPUT_FILENAME is
# supplied, appends the time measurement to that file.
. ../common.sh
PROFILE_1=flashexp1
PROFILE_2=flashexp2
PROXY_URL="http://127.0.0.1:8000/embed.html?facilitator=127.0.0.1:9002&ratelimit=off"
DATA_FILE_NAME="$FLASHPROXY_DIR/dump"
OUTPUT_FILENAME="$1"
# Declare an array.
declare -a PIDS_TO_KILL
stop() {
browser_clear "$PROFILE_1"
if [ -n "${PIDS_TO_KILL[*]}" ]; then
echo "Kill pids ${PIDS_TO_KILL[@]}."
kill "${PIDS_TO_KILL[@]}"
fi
echo "Delete data file."
rm -f "$DATA_FILE_NAME"
exit
}
trap stop EXIT
echo "Start web server."
"$THTTPD" -D -d "$FLASHPROXY_DIR" -p 8000 &
PIDS_TO_KILL+=($!)
echo "Start facilitator."
"$FLASHPROXY_DIR"/facilitator -d --relay tor1.bamsoftware.com:9901 >/dev/null &
PIDS_TO_KILL+=($!)
visible_sleep 15
echo "Start client transport plugin."
"$FLASHPROXY_DIR"/flashproxy-client --register --facilitator 127.0.0.1:9002 >/dev/null &
PIDS_TO_KILL+=($!)
visible_sleep 1
echo "Start Tor."
"$TOR" -f "$FLASHPROXY_DIR"/torrc &
PIDS_TO_KILL+=($!)
echo "Start browsers."
browser_goto "$PROFILE_1" "$PROXY_URL"
# Let Tor bootstrap.
visible_sleep 15
if [ -n "$OUTPUT_FILENAME" ]; then
real_time torify wget http://torperf.torproject.org/.5mbfile --wait=0 --waitretry=0 -c -t 1000 -O "$DATA_FILE_NAME" >> "$OUTPUT_FILENAME"
else
real_time torify wget http://torperf.torproject.org/.5mbfile --wait=0 --waitretry=0 -c -t 1000 -O "$DATA_FILE_NAME"
fi
flashproxy-1.7/experiments/switching/remote-tor-direct.sh 0000775 0000000 0000000 00000001615 12363506367 0024044 0 ustar 00root root 0000000 0000000 #!/bin/bash
# Usage: ./remote-tor-direct.sh [OUTPUT_FILENAME]
#
# Tests a Tor download without using a flash proxy. If OUTPUT_FILENAME is
# supplied, appends the time measurement to that file.
. ../common.sh
DATA_FILE_NAME="$FLASHPROXY_DIR/dump"
OUTPUT_FILENAME="$1"
# Declare an array.
declare -a PIDS_TO_KILL
stop() {
if [ -n "${PIDS_TO_KILL[*]}" ]; then
echo "Kill pids ${PIDS_TO_KILL[@]}."
kill "${PIDS_TO_KILL[@]}"
fi
echo "Delete data file."
rm -f "$DATA_FILE_NAME"
exit
}
trap stop EXIT
echo "Start Tor."
"$TOR" -f torrc.bridge &
PIDS_TO_KILL+=($!)
# Let Tor bootstrap.
visible_sleep 15
if [ -n "$OUTPUT_FILENAME" ]; then
real_time torify wget http://torperf.torproject.org/.5mbfile --wait=0 --waitretry=0 -c -t 1000 -O "$DATA_FILE_NAME" >> "$OUTPUT_FILENAME"
else
real_time torify wget http://torperf.torproject.org/.5mbfile --wait=0 --waitretry=0 -c -t 1000 -O "$DATA_FILE_NAME"
fi
flashproxy-1.7/experiments/switching/switching-all.sh 0000775 0000000 0000000 00000002050 12363506367 0023236 0 ustar 00root root 0000000 0000000 #!/bin/bash
# Usage: ./switching-all.sh [-n NUM_ITERATIONS]
#
# Runs the switching experiment scripts several times and stores the results in
# log files
# local-http-constant-DATE.log
# local-http-alternating-DATE.log
# remote-tor-direct-DATE.log
# remote-tor-constant-DATE.log
# remote-tor-alternating-DATE.log
# where DATE is the current date.
. ../common.sh
NUM_ITERATIONS=1
while getopts "n:" OPTNAME; do
if [ "$OPTNAME" == n ]; then
NUM_ITERATIONS="$OPTARG"
fi
done
DATE="$(date --iso)"
> "local-http-constant-$DATE.log"
repeat $NUM_ITERATIONS ./local-http-constant.sh "local-http-constant-$DATE.log"
> "local-http-alternating-$DATE.log"
repeat $NUM_ITERATIONS ./local-http-alternating.sh "local-http-alternating-$DATE.log"
> "remote-tor-direct-$DATE.log"
repeat $NUM_ITERATIONS ./remote-tor-direct.sh "remote-tor-direct-$DATE.log"
> "remote-tor-constant-$DATE.log"
repeat $NUM_ITERATIONS ./remote-tor-constant.sh "remote-tor-constant-$DATE.log"
> "remote-tor-alternating-$DATE.log"
repeat $NUM_ITERATIONS ./remote-tor-alternating.sh "remote-tor-alternating-$DATE.log"
flashproxy-1.7/experiments/switching/torrc.bridge 0000664 0000000 0000000 00000000230 12363506367 0022437 0 ustar 00root root 0000000 0000000 # This configuration file causes a direct Tor connection to use the same bridge
# used by a flash proxy.
UseBridges 1
Bridge tor1.bamsoftware.com:9001
flashproxy-1.7/experiments/throughput/ 0000775 0000000 0000000 00000000000 12363506367 0020347 5 ustar 00root root 0000000 0000000 flashproxy-1.7/experiments/throughput/httpget.py 0000775 0000000 0000000 00000001463 12363506367 0022407 0 ustar 00root root 0000000 0000000 #!/usr/bin/env python
# A simple HTTP downloader that discards what it downloads and prints the time
# taken to download. We use this rather than "time wget" because the latter
# includes time taken to establish (and possibly retry) the connection.
import getopt
import sys
import time
import urllib2
BLOCK_SIZE = 65536
label = None
opts, args = getopt.gnu_getopt(sys.argv[1:], "l:")
for o, a in opts:
    if o == "-l":
        label = a
try:
    stream = urllib2.urlopen(args[0], timeout=100)
    start_time = time.time()
    while stream.read(BLOCK_SIZE):
        pass
    end_time = time.time()
    if label:
        print "%s %.3f" % (label, end_time - start_time)
    else:
        print "%.3f" % (end_time - start_time)
except:
    if label:
        print "%s error" % label
    else:
        print "error"
flashproxy-1.7/experiments/throughput/throughput-all.sh 0000775 0000000 0000000 00000000102 12363506367 0023656 0 ustar 00root root 0000000 0000000 #!/bin/bash
for n in $(seq 1 50); do
./throughput.sh -n $n
done
flashproxy-1.7/experiments/throughput/throughput.sh 0000775 0000000 0000000 00000005624 12363506367 0023126 0 ustar 00root root 0000000 0000000 #!/bin/bash
# Usage: ./throughput.sh [-n NUM_CLIENTS]
#
# Tests the raw throughput of a single proxy. This script starts a web
# server serving swfcat.swf and a large data file, starts a facilitator,
# client transport plugin, and socat shim, and then starts multiple
# downloads through the proxy at once. Results are saved in a file
# called results-NUM_CLIENTS-DATE, where DATE is the current date.
#         plain       socks                    ws               ws              plain
# httpget <---> socat <---> flashproxy-client <---> flashproxy <---> websockify <---> thttpd
#               2000        9001         9000                        8001             8000
. ../common.sh
NUM_CLIENTS=1
while getopts "n:" OPTNAME; do
if [ "$OPTNAME" == n ]; then
NUM_CLIENTS="$OPTARG"
fi
done
PROFILE=flashexp1
PROXY_URL="http://127.0.0.1:8000/embed.html?facilitator=127.0.0.1:9002&max_clients=$NUM_CLIENTS&ratelimit=off&facilitator_poll_interval=1.0"
DATA_FILE_NAME="$FLASHPROXY_DIR/dump"
RESULTS_FILE_NAME="results-$NUM_CLIENTS-$(date --iso)"
# Declare an array.
declare -a PIDS_TO_KILL
stop() {
browser_clear "$PROFILE"
if [ -n "${PIDS_TO_KILL[*]}" ]; then
echo "Kill pids ${PIDS_TO_KILL[@]}."
kill "${PIDS_TO_KILL[@]}"
fi
echo "Delete data file."
rm -f "$DATA_FILE_NAME"
exit
}
trap stop EXIT
echo "Create data file."
dd if=/dev/null of="$DATA_FILE_NAME" bs=1M seek=10 2>/dev/null || exit
echo "Start web server."
"$THTTPD" -D -d "$FLASHPROXY_DIR" -p 8000 &
PIDS_TO_KILL+=($!)
echo "Start websockify."
"$WEBSOCKIFY" -v 8001 127.0.0.1:8000 >/dev/null &
PIDS_TO_KILL+=($!)
echo "Start facilitator."
"$FLASHPROXY_DIR"/facilitator -d --relay 127.0.0.1:8001 127.0.0.1 9002 >/dev/null &
PIDS_TO_KILL+=($!)
visible_sleep 1
echo "Start client transport plugin."
"$FLASHPROXY_DIR"/flashproxy-client >/dev/null &
PIDS_TO_KILL+=($!)
visible_sleep 1
echo "Start browser."
browser_goto "$PROFILE" "$PROXY_URL"
visible_sleep 2
# Create sufficiently many client registrations.
i=0
while [ $i -lt $NUM_CLIENTS ]; do
echo -ne "\rRegister client $((i + 1))."
echo $'POST / HTTP/1.0\r\n\r\nclient=127.0.0.1:9000' | socat STDIN TCP-CONNECT:127.0.0.1:9002
sleep 1
i=$((i + 1))
done
echo
visible_sleep 2
echo "Start socat."
"$SOCAT" TCP-LISTEN:2000,fork,reuseaddr SOCKS4A:127.0.0.1:dummy:0,socksport=9001 &
PIDS_TO_KILL+=($!)
visible_sleep 1
> "$RESULTS_FILE_NAME"
# Proxied downloads.
declare -a WAIT_PIDS
i=0
while [ $i -lt $NUM_CLIENTS ]; do
echo "Start downloader $((i + 1))."
./httpget.py -l proxy http://127.0.0.1:2000/dump >> "$RESULTS_FILE_NAME" &
WAIT_PIDS+=($!)
i=$((i + 1))
done
for pid in "${WAIT_PIDS[@]}"; do
wait "$pid"
done
unset WAIT_PIDS
# Direct downloads.
declare -a WAIT_PIDS
i=0
while [ $i -lt $NUM_CLIENTS ]; do
echo "Start downloader $((i + 1))."
./httpget.py -l direct http://127.0.0.1:8000/dump >> "$RESULTS_FILE_NAME" &
WAIT_PIDS+=($!)
i=$((i + 1))
done
for pid in "${WAIT_PIDS[@]}"; do
wait "$pid"
done
unset WAIT_PIDS
flashproxy-1.7/facilitator/ 0000775 0000000 0000000 00000000000 12363506367 0016074 5 ustar 00root root 0000000 0000000 flashproxy-1.7/facilitator/.gitignore 0000664 0000000 0000000 00000000704 12363506367 0020065 0 ustar 00root root 0000000 0000000 # files build by autogen.sh
/aclocal.m4
/autom4te.cache
/configure
/depcomp
/install-sh
/missing
/test-driver
/Makefile.in
# files built by ./configure
/init.d/fp-facilitator
/init.d/fp-registrar-email
/init.d/fp-reg-decryptd
/Makefile
/config.status
/config.log
# files built by make
/examples/fp-facilitator.conf
/doc/*.1
# files for binary-distribution
/flashproxy-facilitator-*.tar.*
# files output by test-driver
test*.log
*test.log
*test.trs
flashproxy-1.7/facilitator/HACKING 0000664 0000000 0000000 00000001550 12363506367 0017064 0 ustar 00root root 0000000 0000000 == Running from source checkout
In order to run the code directly from a source checkout, you must make sure it
can find the flashproxy module, located in the top-level directory of the
source checkout, which is probably the parent directory. You have two options:
1. Install it in "development mode", see [1]
flashproxy# python setup-common.py develop
This process is reversible too:
flashproxy# python setup-common.py develop --uninstall
The disadvantage is that other programs (such as a system-installed flashproxy,
or other checkouts in another directory) will see this development copy, rather
than a more appropriate copy.
2. Export PYTHONPATH when you need to run
$ export PYTHONPATH=..
$ make && make check
The disadvantage is that you need to do this every shell session.
[1] http://pythonhosted.org/distribute/setuptools.html#development-mode
flashproxy-1.7/facilitator/INSTALL 0000664 0000000 0000000 00000002562 12363506367 0017132 0 ustar 00root root 0000000 0000000 Install the dependencies.
# apt-get install help2man make openssl python-m2crypto
# apt-get install automake autoconf # if running from git
# apt-get install apache2
You may use a different webserver, but currently we only provide an apache2 site
config example, so you will need to adapt this to the correct syntax.
# apt-get install flashproxy-common
If your distro does not have flashproxy-common, you can install it
directly from the top-level source directory:
flashproxy# python setup-common.py install --record install.log \
--single-version-externally-managed
Configure and install.
$ ./autogen.sh # if running from git or ./configure doesn't otherwise exist
$ ./configure --localstatedir=/var/local --enable-initscripts && make
# make pre-install install post-install
This installs fp-registrar.cgi, fp-facilitator, fp-registrar-email,
fp-reg-decryptd, and fp-reg-decrypt to /usr/local/bin.
It also installs System V init files to /etc/init.d/.
The pre/post-install scripts create a user for the daemon to run as, and
set up the initscripts in the default system runlevels. They also
generate an RSA key in /usr/local/etc/flashproxy/reg-daemon.{key,pub}.
Uninstall.
# make pre-remove uninstall post-remove
This will leave behind some config files (e.g. secret keys and passwords). To
get rid of those too, run this instead:
# make pre-purge uninstall post-purge
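The install steps above leave secret material under /usr/local/etc/flashproxy (the RSA key reg-daemon.key, and reg-email.pass, which Makefile.am installs with -m 600). The following is an added example, not part of flashproxy, that audits those files after an install or an upgrade; applying the same owner-only policy to reg-daemon.key, and the function names, are assumptions.

```shell
#!/bin/sh
# Added example (not project code): audit the facilitator's secret files.
# File names and the default directory come from INSTALL and Makefile.am;
# requiring owner-only access on reg-daemon.key as well is an assumption.

# check_secret FILE
# Prints one line per file. Returns 1 if FILE is a symlink, is missing, is
# not a regular file, or grants any permission bit to group or other.
check_secret() {
    f=$1
    # Test for a symlink first: a dangling link would otherwise look "missing",
    # and a live one would make us report the target's mode, not the link.
    if [ -L "$f" ]; then
        echo "FAIL $f: is a symlink"
        return 1
    fi
    if [ ! -e "$f" ]; then
        echo "FAIL $f: missing"
        return 1
    fi
    if [ ! -f "$f" ]; then
        echo "FAIL $f: not a regular file"
        return 1
    fi
    # ls -ld prints the mode string first, e.g. "-rw-------"; keep 10 chars
    # so a trailing ACL/SELinux marker ("+" or ".") does not affect the match.
    mode=$(ls -ld -- "$f" | cut -c1-10)
    case "$mode" in
        -???------)
            echo "ok   $f ($mode)"
            return 0
            ;;
        *)
            echo "FAIL $f: mode $mode grants group/other access"
            return 1
            ;;
    esac
}

# audit_facilitator_secrets [CONFDIR]
# Checks both secret files and returns the number of findings (0 = clean).
audit_facilitator_secrets() {
    confdir=${1:-/usr/local/etc/flashproxy}
    findings=0
    for name in reg-daemon.key reg-email.pass; do
        check_secret "$confdir/$name" || findings=$((findings + 1))
    done
    return "$findings"
}
```

Source the file and call `audit_facilitator_secrets` (optionally with the configuration directory if ./configure was given a different --sysconfdir); a non-zero return is the number of files that need attention.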
flashproxy-1.7/facilitator/Makefile.am 0000664 0000000 0000000 00000013210 12363506367 0020125 0 ustar 00root root 0000000 0000000 # our own variables
fpfacilitatoruser = @fpfacilitatoruser@
initconfdir = @initconfdir@
cgibindir = @cgibindir@
# unfortunately sysvinit does not support having initscripts in /usr/local/etc
# yet, so we have to hard code a path here. :(
initscriptdir = /etc/init.d
exampledir = $(docdir)/examples
appenginedir = $(pkgdatadir)/appengine
pkgconfdir = $(sysconfdir)/flashproxy
appengineconfdir = $(pkgconfdir)/reg-appspot
PYENV = PYTHONPATH='$(srcdir):$(PYTHONPATH)'; export PYTHONPATH;
# automake PLVs
dist_bin_SCRIPTS = fp-facilitator fp-registrar-email fp-reg-decryptd fp-reg-decrypt
man1_MANS = $(dist_bin_SCRIPTS:%=doc/%.1)
dist_cgibin_SCRIPTS = fp-registrar.cgi
if DO_INITSCRIPTS
initscript_names = fp-facilitator fp-registrar-email fp-reg-decryptd
initscript_SCRIPTS = $(initscript_names:%=init.d/%)
dist_initconf_DATA = $(initscript_names:%=default/%)
endif
dist_doc_DATA = doc/appspot-howto.txt doc/facilitator-design.txt doc/email-howto.txt doc/http-howto.txt doc/server-howto.txt README
dist_example_DATA = examples/fp-facilitator.conf examples/reg-email.pass examples/facilitator-relays
pkgconf_DATA = examples/facilitator-relays
dist_appengine_DATA = appengine/app.yaml appengine/config.go appengine/fp-reg.go
appengineconf_DATA = appengine/config.go
CLEANFILES = examples/fp-facilitator.conf $(man1_MANS)
EXTRA_DIST = examples/fp-facilitator.conf.in mkman.sh mkman.inc HACKING $(TESTS)
TESTS = fp-facilitator-test.py
# see http://www.gnu.org/software/automake/manual/html_node/Parallel-Test-Harness.html#index-TEST_005fEXTENSIONS
TEST_EXTENSIONS = .py
PY_LOG_COMPILER = $(PYTHON)
AM_TESTS_ENVIRONMENT = $(PYENV)
AM_PY_LOG_FLAGS =
# AC_CONFIG_FILES doesn't fully-expand directory variables
# see http://www.gnu.org/software/automake/manual/automake.html#Scripts
subst_vars = sed -e 's,[@]cgibindir[@],$(cgibindir),g'
# our own targets
doc/%.1: % mkman.sh mkman.inc Makefile
# mkdir needed for out-of-source build
	$(MKDIR_P) $$(dirname "$@")
	{ $(PYENV) $(PYTHON) "$<" --help; } \
	  | { $(PYENV) $(srcdir)/mkman.sh "$<" $(VERSION) > "$@"; }

examples/fp-facilitator.conf: examples/fp-facilitator.conf.in Makefile
# mkdir needed for out-of-source build
	$(MKDIR_P) $$(dirname "$@")
	$(subst_vars) "$<" > "$@"

pylint: $(dist_bin_SCRIPTS)
	pylint -E $^

install-data-local:
	$(INSTALL_DATA) -m 600 -t $(DESTDIR)$(pkgconfdir) $(srcdir)/examples/reg-email.pass

uninstall-local:
	rm $(DESTDIR)$(pkgconfdir)/reg-email.pass

# The {pre,post}-{install,remove} targets are just given as reference, and
# ought to be separate scripts as part of your distro's installation process.
# They are intentionally not linked to the install target since they require
# root access and *must not be run* for fake/staged installs, e.g. when giving
# non-standard directories to ./configure or DESTDIR to make.

pre-install: meta-install-sanity install-user
post-install: meta-install-sanity install-secrets install-symlinks install-daemon
pre-remove: meta-install-sanity remove-daemon remove-symlinks
post-remove: meta-install-sanity
pre-purge: pre-remove remove-secrets remove-daemon-data
post-purge: post-remove remove-user

meta-install-sanity:
	test "x$(DESTDIR)" = "x" || { echo >&2 \
	  "don't run {pre,post}-{install,remove} when DESTDIR is set"; false; }

install-user:
	id -u ${fpfacilitatoruser} >/dev/null 2>&1 || { \
	which adduser >/dev/null 2>&1 && \
	  adduser --quiet \
	    --system \
	    --group \
	    --disabled-password \
	    --home ${pkgconfdir} \
	    --no-create-home \
	    --shell /bin/false \
	    ${fpfacilitatoruser} || \
	  useradd \
	    --system \
	    --home ${pkgconfdir} \
	    -M \
	    --shell /bin/false \
	    ${fpfacilitatoruser} ; }

remove-user:
	: # deluser does actually remove the group as well
	id -u ${fpfacilitatoruser} >/dev/null 2>&1 && { \
	which deluser >/dev/null 2>&1 && \
	  deluser --quiet \
	    --system \
	    ${fpfacilitatoruser} || \
	  userdel \
	    ${fpfacilitatoruser} ; } || true

install-secrets:
	test -f ${pkgconfdir}/reg-daemon.key || { \
	install -m 600 /dev/null ${pkgconfdir}/reg-daemon.key && \
	openssl genrsa 2048 | tee ${pkgconfdir}/reg-daemon.key | \
	openssl rsa -pubout > ${pkgconfdir}/reg-daemon.pub; }

remove-secrets:
	for i in reg-daemon.key reg-daemon.pub; do \
	  rm -f ${pkgconfdir}/$$i; \
	done

install-symlinks:
	for i in fp-reg.go app.yaml; do \
	  $(LN_S) -f ${appenginedir}/$$i ${appengineconfdir}/$$i; \
	done

remove-symlinks:
	for i in fp-reg.go app.yaml; do \
	  rm -f ${appengineconfdir}/$$i; \
	done

# initscripts: assume that if the user wanted to install them, then they also
# wanted to configure them, and that the system supports them. if this isn't the
# case then either (a) they are doing a staged install for another system and
# shouldn't be running {pre,post}-{install,remove} or (b) they shouldn't have
# told us to install initscripts for their system that doesn't support it.

install-daemon:
if DO_INITSCRIPTS
# initscripts use these directories for logs and runtime data
	mkdir -p ${localstatedir}/log
	mkdir -p ${localstatedir}/run
	for i in ${initscript_names}; do \
	  update-rc.d $$i defaults; \
	  invoke-rc.d $$i start; \
	done
endif

remove-daemon:
if DO_INITSCRIPTS
# we don't rm created directories since they might be system-managed
	for i in ${initscript_names}; do \
	  invoke-rc.d $$i stop; \
	  update-rc.d $$i remove; \
	done
endif

remove-daemon-data:
if DO_INITSCRIPTS
# each rm needs a terminating ';' so the continued lines form a valid loop
	for i in ${initscript_names}; do \
	  rm -f ${localstatedir}/log/$$i.log*; \
	  rm -f ${localstatedir}/run/$$i.pid; \
	done
endif
.PHONY: pre-install post-install pre-remove post-remove pre-purge post-purge
.PHONY: install-user install-secrets install-symlinks install-daemon
.PHONY: remove-user remove-secrets remove-symlinks remove-daemon
.PHONY: pylint
flashproxy-1.7/facilitator/README 0000664 0000000 0000000 00000003155 12363506367 0016760 0 ustar 00root root 0000000 0000000 This package contains files needed to run a flashproxy facilitator.
Normal users who just want to bypass censorship should use the
flashproxy-client package instead.
For instructions on building/installing this package from source, see
INSTALL. (This should only be necessary if your distro does not already
integrate this package into its repositories.)
The flashproxy config directory is installation-dependent, usually at
/etc/flashproxy or /usr/local/etc/flashproxy. You are strongly
recommended to keep this on encrypted storage.
The main backends, fp-facilitator and fp-reg-decryptd, are
installed as system services, and you should be able to configure them
in the normal place for your system (e.g. /etc/default/fp-facilitator
for a Debian-based system using initscripts). You probably need to at
least set RUN_DAEMON=yes to enable the services.
Each installation has its own public-private keypair, stored in the
flashproxy config directory. You will need to securely distribute the
public key (reg-daemon.pub) to your users - e.g. by publishing it
somewhere, signed by your own PGP key.
There are three supported helper rendezvous methods: HTTP, email, and
appspot. Each helper method may require additional manual configuration
and might also depend on other helper methods; see the corresponding
doc/x-howto.txt for more details. At a very minimum, you must configure
and enable the HTTP method, since that also serves the browser proxies.
For suggestions on configuring a dedicated facilitator machine, see
doc/server-howto.txt.
For documentation on the design of the facilitator components, see
doc/facilitator-design.txt.
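A post-install check for the points this README, the Makefile and the packaged default/ files raise: reg-daemon.key and reg-email.pass kept at mode 600, UNSAFE_LOGGING left off, and reg-daemon.pub matching the private key. It is an added example, not part of flashproxy; the function names are hypothetical, and the UNSAFE_LOGGING test assumes the initscripts treat only the value yes as enabled.

```shell
#!/bin/sh
# Added example (not part of flashproxy): audit a facilitator install.
# Function names are hypothetical; file names come from the package.

# Succeed only if $1 is a regular file with no group/other permission bits.
mode_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld -- "$1" | cut -c1-10)" in
        -???------) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if $1 sets UNSAFE_LOGGING to yes on an uncommented line
# (assumption: only the value yes enables it).
unsafe_logging_enabled() {
    [ -f "$1" ] || return 1
    grep -Eq '^[[:space:]]*UNSAFE_LOGGING="?yes"?[[:space:]]*$' "$1"
}

# Succeed if public key file $2 is the public half of RSA key $1.
# Returns 2 when openssl is not installed, so the caller can skip.
keypair_matches() {
    command -v openssl >/dev/null 2>&1 || return 2
    kp_derived=$(openssl rsa -in "$1" -pubout 2>/dev/null) || return 1
    [ "$kp_derived" = "$(cat "$2")" ]
}

# audit_facilitator CONFDIR INITCONFDIR
# Prints one line per finding; the return status is the number of findings.
audit_facilitator() {
    au_conf=$1
    au_init=$2
    au_findings=0
    for au_f in reg-daemon.key reg-email.pass; do
        if [ -e "$au_conf/$au_f" ] && ! mode_is_private "$au_conf/$au_f"; then
            echo "FAIL $au_conf/$au_f: readable by group or other (want 600)"
            au_findings=$((au_findings + 1))
        fi
    done
    for au_svc in fp-facilitator fp-reg-decryptd fp-registrar-email; do
        if unsafe_logging_enabled "$au_init/$au_svc"; then
            echo "FAIL $au_init/$au_svc: UNSAFE_LOGGING is enabled"
            au_findings=$((au_findings + 1))
        fi
    done
    if [ -f "$au_conf/reg-daemon.key" ] && [ -f "$au_conf/reg-daemon.pub" ]; then
        au_rc=0
        keypair_matches "$au_conf/reg-daemon.key" "$au_conf/reg-daemon.pub" || au_rc=$?
        case $au_rc in
            0) ;;
            2) echo "SKIP keypair check: openssl not found" ;;
            *) echo "FAIL $au_conf/reg-daemon.pub does not match reg-daemon.key"
               au_findings=$((au_findings + 1)) ;;
        esac
    fi
    return "$au_findings"
}

# Stand-alone use: sh audit.sh /usr/local/etc/flashproxy /etc/default
if [ "$#" -eq 2 ]; then
    audit_facilitator "$1" "$2"
fi
```

Run it as root, or as the facilitator user, so that the private key is readable for the key-pair comparison.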
flashproxy-1.7/facilitator/appengine/ 0000775 0000000 0000000 00000000000 12363506367 0020042 5 ustar 00root root 0000000 0000000 flashproxy-1.7/facilitator/appengine/app.yaml 0000664 0000000 0000000 00000000276 12363506367 0021513 0 ustar 00root root 0000000 0000000 # override this with appcfg.py -A $YOUR_APP_ID
application: facilitator-registration-example
version: 1
runtime: go
api_version: go1
handlers:
- url: /.*
  script: _go_app
  secure: always
flashproxy-1.7/facilitator/appengine/config.go 0000664 0000000 0000000 00000001047 12363506367 0021640 0 ustar 00root root 0000000 0000000 /*
This is the server-side code that runs on Google App Engine for the
"appspot" registration method.
See doc/appspot-howto.txt for more details about setting up an
application, and advice on running one.
To upload a new version:
$ torify ~/go_appengine/appcfg.py --no_cookies -A $YOUR_APP_ID update .
*/
package fp_reg
// host:port/basepath of the facilitator you want to register with
// for example, fp-facilitator.org or example.com:12345/facilitator
// https:// and /reg/ will be prepended and appended respectively.
const FP_FACILITATOR = ""
flashproxy-1.7/facilitator/appengine/fp-reg.go 0000664 0000000 0000000 00000002441 12363506367 0021552 0 ustar 00root root 0000000 0000000 package fp_reg

import (
	"io"
	"net"
	"net/http"
	"path"

	"appengine"
	"appengine/urlfetch"
)

func robotsTxtHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Write([]byte("User-agent: *\nDisallow:\n"))
}

// ipHandler returns the caller's address, bracketed unless it is IPv4.
func ipHandler(w http.ResponseWriter, r *http.Request) {
	remoteAddr := r.RemoteAddr
	if net.ParseIP(remoteAddr).To4() == nil {
		remoteAddr = "[" + remoteAddr + "]"
	}
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	w.Write([]byte(remoteAddr))
}

// regHandler forwards /reg/<blob> to the configured facilitator and relays
// the response. Only a single path element directly under /reg/ is accepted.
func regHandler(w http.ResponseWriter, r *http.Request) {
	dir, blob := path.Split(path.Clean(r.URL.Path))
	if dir != "/reg/" {
		http.NotFound(w, r)
		return
	}
	client := urlfetch.Client(appengine.NewContext(r))
	resp, err := client.Get("https://" + FP_FACILITATOR + "/reg/" + blob)
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	// Release the upstream response once it has been relayed.
	defer resp.Body.Close()
	for key, values := range resp.Header {
		for _, value := range values {
			w.Header().Add(key, value)
		}
	}
	w.WriteHeader(resp.StatusCode)
	io.Copy(w, resp.Body)
}

func init() {
	http.HandleFunc("/robots.txt", robotsTxtHandler)
	http.HandleFunc("/ip", ipHandler)
	http.HandleFunc("/reg/", regHandler)
	if FP_FACILITATOR == "" {
		panic("FP_FACILITATOR empty; did you forget to edit config.go?")
	}
}
flashproxy-1.7/facilitator/autogen.sh 0000775 0000000 0000000 00000000031 12363506367 0020067 0 ustar 00root root 0000000 0000000 #!/bin/sh
autoreconf -if
flashproxy-1.7/facilitator/configure.ac 0000664 0000000 0000000 00000004064 12363506367 0020366 0 ustar 00root root 0000000 0000000 AC_PREREQ([2.68])
AC_INIT([flashproxy-facilitator], [1.7])
AM_INIT_AUTOMAKE([-Wall foreign])
AC_ARG_VAR(fpfacilitatoruser, [the user/group for the facilitator to run as])
fpfacilitatoruser="${fpfacilitatoruser:-fp-facilitator}"
# check that we want to install initscripts. don't bother checking that they
# are supported, since we might be doing a staged install on a different system.
# disabled by default since it ignores ${prefix} so `make distcheck` would fail
AC_ARG_ENABLE([initscripts],
[AS_HELP_STRING([--enable-initscripts],
[install and configure sysvinit-style initscripts (default no)])],
[do_initscripts=yes], [do_initscripts=])
AM_CONDITIONAL([DO_INITSCRIPTS], [test "x$do_initscripts" = xyes])
AC_ARG_VAR(initconfdir, [directory for initscripts configuration, if enabled])
# Try to detect the appropriate conf dir. Several systems have both /etc/default
# and /etc/sysconfig but latter is always primary.
if test "x$do_initscripts" = xyes; then
if test "x$initconfdir" = x; then
AC_CHECK_FILE(/etc/conf.d, [initconfdir='$(sysconfdir)/conf.d'], [# Gentoo/Arch
AC_CHECK_FILE(/etc/sysconfig, [initconfdir='$(sysconfdir)/sysconfig'], [# RedHat/Fedora/Slax/Mandriva/SuSE
AC_CHECK_FILE(/etc/default, [initconfdir='$(sysconfdir)/default'], [# Debian/Ubuntu
AC_MSG_ERROR([could not determine system initscripts config dir; please set initconfdir manually.])])])])
fi
fi
# Try to detect cgi-bin directory, falling back to $(libexec) if not found
# from http://wiki.apache.org/httpd/DistrosDefaultLayout
AC_ARG_VAR(cgibindir, [directory for CGI executables])
if test "x$cgibindir" = x; then
AC_CHECK_FILE(/usr/lib/cgi-bin, [cgibindir='$(libdir)/cgi-bin'], [
AC_CHECK_FILE(/var/www/cgi-bin, [cgibindir='/var/www/cgi-bin'], [
AC_CHECK_FILE(/srv/httpd/cgi-bin, [cgibindir='/srv/httpd/cgi-bin'], [
AC_MSG_WARN([could not determine system CGI executables dir, using \$(libexecdir); set cgibindir to override.])
cgibindir='$(libexecdir)'
])])])
fi
AC_PROG_LN_S
AM_PATH_PYTHON
AC_CONFIG_FILES([Makefile
init.d/fp-facilitator
init.d/fp-registrar-email
init.d/fp-reg-decryptd])
AC_OUTPUT
flashproxy-1.7/facilitator/default/ 0000775 0000000 0000000 00000000000 12363506367 0017520 5 ustar 00root root 0000000 0000000 flashproxy-1.7/facilitator/default/fp-facilitator 0000664 0000000 0000000 00000000554 12363506367 0022353 0 ustar 00root root 0000000 0000000 # Change to "yes" to run the service.
RUN_DAEMON="no"
# Uncomment this to log potentially sensitive information from your users.
# This may be useful for debugging or diagnosing functional problems, but
# should be avoided in most other cases.
#UNSAFE_LOGGING="yes"
# Set the port for this service to listen on.
# If not set, uses the default (9002).
#PORT=9002
flashproxy-1.7/facilitator/default/fp-reg-decryptd 0000664 0000000 0000000 00000000554 12363506367 0022443 0 ustar 00root root 0000000 0000000 # Change to "yes" to run the service.
RUN_DAEMON="no"
# Uncomment this to log potentially sensitive information from your users.
# This may be useful for debugging or diagnosing functional problems, but
# should be avoided in most other cases.
#UNSAFE_LOGGING="yes"
# Set the port for this service to listen on.
# If not set, uses the default (9003).
#PORT=9003
flashproxy-1.7/facilitator/default/fp-registrar-email 0000664 0000000 0000000 00000000413 12363506367 0023133 0 ustar 00root root 0000000 0000000 # Change to "yes" to run the service.
RUN_DAEMON="no"
# Uncomment this to log potentially sensitive information from your users.
# This may be useful for debugging or diagnosing functional problems, but
# should be avoided in most other cases.
#UNSAFE_LOGGING="yes"
flashproxy-1.7/facilitator/doc/ 0000775 0000000 0000000 00000000000 12363506367 0016641 5 ustar 00root root 0000000 0000000 flashproxy-1.7/facilitator/doc/appspot-howto.txt 0000664 0000000 0000000 00000006044 12363506367 0022232 0 ustar 00root root 0000000 0000000 These are instructions for how to set up a Google App Engine application
for the appspot rendezvous method (flashproxy-reg-appspot). It requires
the HTTP rendezvous to be available, so you should set that up first and
ensure it is working correctly, or find someone else's to use. If you
choose the latter, note that it is *their* reg-daemon.pub that your users
must give to flashproxy-reg-appspot.
For more information about Google App Engine, see the links at the bottom
of this document.
You are strongly recommended to create a Google account dedicated for
this purpose, rather than a personal or organisation account. See
email-howto.txt for how to do that.
Download the SDK:
https://developers.google.com/appengine/downloads#Google_App_Engine_SDK_for_Go
This guide was written for version 1.8.9 of the SDK.
Find your facilitator appengine installation, probably in reg-appspot/
in your flashproxy config dir. Edit config.go to point to the address of
the HTTP facilitator.
Follow the directions to register a new application:
https://developers.google.com/appengine/docs/go/gettingstarted/uploading
Enter an application ID and create the application.
To run locally using the development server:
$ ~/go_appengine/goapp serve reg-appspot/
You are advised to do this on a non-production machine, away from the main
facilitator.
Use the appcfg.py program to upload the program. It should look
something like this:
$ torify ./go_appengine/goapp --no_cookies -A update reg-appspot/
07:25 PM Host: appengine.google.com
07:25 PM Application: application-id; version: 1
07:25 PM
Starting update of app: application-id, version: 1
07:25 PM Getting current resource limits.
Email: xxx@gmail.com
Password for xxx@gmail.com:
07:26 PM Scanning files on local disk.
07:26 PM Cloning 2 application files.
07:26 PM Uploading 1 files and blobs.
07:26 PM Uploaded 1 files and blobs
07:26 PM Compilation starting.
07:26 PM Compilation: 1 files left.
07:26 PM Compilation completed.
07:26 PM Starting deployment.
07:26 PM Checking if deployment succeeded.
07:26 PM Deployment successful.
07:26 PM Checking if updated app version is serving.
07:26 PM Completed update of app: application-id, version: 1
The --no_cookies flag stops authentication cookies from being written
to disk, in ~/.appcfg_cookies. We recommend this for security, since no
long-running services need this password, only the update process above
which is run once. However, if this reasoning doesn't apply to you
(e.g. if your fp-registrar-email uses the same account, so that
the password is already on the disk) *and* you find yourself running
update a lot for some reason, then you may at your own risk omit it for
convenience.
Once logged in, you can disable logging for the application. Click
"Logs" on the left panel. Under "Total Logs Storage", click "Change
Settings". Enter "0" in the "days of logs" box and click "Save
Settings".
General links:
https://developers.google.com/appengine/
https://developers.google.com/appengine/docs/whatisgoogleappengine
https://developers.google.com/appengine/docs/go/gettingstarted/
flashproxy-1.7/facilitator/doc/email-howto.txt 0000664 0000000 0000000 00000010215 12363506367 0021626 0 ustar 00root root 0000000 0000000 These are instructions for setting up an email account for use with the
email rendezvous (fp-registrar-email / flashproxy-reg-email).
You are strongly advised to use an email account dedicated for this
purpose. If your email provider supports it, we advise you to use an
app-specific password rather than your account password.
Once you have an email address and the password for it, you should add
this information to reg-email.pass in your flashproxy config directory.
For your security, this file should be on encrypted storage.
The following section provides some instructions on how to set up a new
Google account whilst revealing as little information to Google as is
feasible.
== Creating a Google account securely
These instructions were current as of May 2013.
You may have trouble if you are using Tor to create the account, for two
reasons. The first is that exit nodes are a source of abuse and Google
is more suspicious of them. The second is that Gmail is suspicious and
can lock you out of the account when your IP address is changing. While
setting up the account, use a single node in your torrc ExitNodes
configuration. Choose a U.S. exit node, one with low bandwidth.
Go to https://mail.google.com/. Allow JavaScript to run (even from
youtube.com; it seems to be necessary). Click the "CREATE AN ACCOUNT"
button.
Enter the account details. You don't need to fill in "Your current email
address". Enter a mobile phone number for later activation of two-factor
authentication. Solve the captcha. Click "Next Step". You may have to do
a phone SMS verification here.
At this point the Gmail account is created. If you are pushed into
joining Google+, close everything out and go back to
https://mail.google.com/.
Log out of the account and then back in again. There will be new text in
the lower right reading "Last account activity". Click "Details" and
turn off the unusual activity alerts. This will keep you from getting
locked out when you come from different IP addresses. At this point you
should remove the temporary ExitNodes configuration from torrc.
Add a filter to prevent registrations from being marked as spam. Click
on the gear icon and select "Settings". Select "Filters" then "Create a
new filter". For "Has the words" type "in:spam", then "Create filter
with this search". There will be a warning that filters using "in:" will
never match incoming mail; this appears to be false and you can just
click OK. Check "Never send it to Spam" and click "Create filter".
Enable IMAP. Click the gear icon, then "Settings", then "Forwarding and
POP/IMAP".
* Disable POP
* Enable IMAP
* Auto-Expunge on
Click "Save Changes".
Enable two-factor authentication. We do this not so much for the
two-factor, but because it allows creating an independent password that
is used only for IMAP and does not have access to the web interface of
Gmail. Two-factor authentication also enables you to set up a Google
Authenticator one-time password token and decouple the account from the
phone number. Click the email address in the upper right, then
"Account". Click "Security". By "2-step verification" click "Setup".
Click through until it lets you set up. The phone number you provided
when the account was created will be automatically filled in. Choose
"Text message (SMS)" then click "Send code". Get your text message, type
it in, and hit "Verify". Uncheck "Trust this computer" on the next
screen. Finally "Confirm".
Now set up a Google Authenticator secret. Under "Primary way you
receive codes", click "Switch to app". Choose "BlackBerry" and
"Continue". Copy the secret key to a file. Use a program such as
https://github.com/tadeck/onetimepass to generate a verification code
and click "Verify and Save". Now you can remove the phone number if you
wish by clicking "Remove" next to it.
Under "Backup codes", click "Print or download", and save the codes to a
file so you can log in if all else fails.
Still on the 2-step verification page, click the "App-specific
passwords" tab and the "Manage application-specific passwords" button.
Under "Select app", select "Custom" and enter "IMAP" for the name. Click
"Generate". Store the password in reg-email.pass, as mentioned in the
introduction.
flashproxy-1.7/facilitator/doc/facilitator-design.txt 0000664 0000000 0000000 00000004372 12363506367 0023160 0 ustar 00root root 0000000 0000000 The main fp-facilitator program is a backend server that is essentially
a dynamic database of client addresses. It is accompanied by helper programs
that receive client registrations from the Internet over various means and
pass them to the backend. There are three supported helper rendezvous
methods: HTTP, email, and appspot.
fp-reg-decrypt is a simple program that forwards its standard input to
a local fp-reg-decryptd process. It is used by other components as a
utility, but is also useful for debugging and testing.
fp-reg-decryptd accepts connections containing encrypted client
registrations and forwards them to the facilitator. It exists as a
process of its own so that only one program requires access to the
facilitator's private key.
The HTTP rendezvous uses an HTTP server and a CGI program. The HTTP
server is responsible for speaking TLS and invoking the CGI program.
The CGI program receives client registrations and proxy requests for
clients, parses them, and forwards them to the backend. We use Apache 2
as the HTTP server. The CGI script is fp-registrar.cgi. Currently this
is also the only method for accepting browser proxy registrations, so
you must enable this method, otherwise your clients will not be served.
For the HTTP rendezvous, there are two formats you may use for a client
registration - plain vs. (end-to-end) encrypted. Direct registrations
(e.g. flashproxy-reg-http) can use the plain format over HTTPS, which
provides transport encryption; but if you proxy registrations through
another service (e.g. reg-appspot), you must use the end-to-end format.
On the client side, you may use flashproxy-reg-url to generate
registration URLs for the end-to-end encrypted format.
The email rendezvous uses the helper program fp-registrar-email.
Clients use the flashproxy-reg-email program to send an encrypted
message to a Gmail address. The poller constantly checks for new
messages and forwards them to fp-reg-decrypt.
The appspot rendezvous uses Google's appengine platform as a proxy for
the HTTP method, either yours or that of another facilitator. It takes
advantage of the fact that a censor cannot distinguish between a TLS
connection to appspot.com and one to google.com, since the IPs are the same,
and it is highly unlikely that anyone will try to block the latter.
flashproxy-1.7/facilitator/doc/http-howto.txt 0000664 0000000 0000000 00000003377 12363506367 0021531 0 ustar 00root root 0000000 0000000 These are instructions for how to set up an Apache Web Server for
handling the HTTP client registration method (fp-registrar.cgi /
flashproxy-reg-http / flashproxy-reg-url), as well as for browser
proxies to poll and receive a client to serve.
Unfortunately we only had time to give commands specific to the Debian
distribution of Apache; other distributions may need to tweak some
things, e.g. a2enmod and a2ensite exist only on Debian.
== HTTP server setup
Apache is the web server that runs the CGI program.
# apt-get install apache2 libapache2-mod-evasive
# a2enmod ssl headers
Edit /etc/apache2/ports.conf and comment out the port 80 configuration.
# NameVirtualHost *:80
# Listen 80
Copy examples/fp-facilitator.conf to /etc/apache2/sites-available/ or
wherever is appropriate for your Apache2 installation, then edit it as
per the instructions given in that file itself.
Link the configured site into sites-enabled.
# a2ensite fp-facilitator.conf
=== HTTPS setup
The HTTP server should serve only over HTTPS and not unencrypted HTTP.
You will need a certificate and private key from a certificate
authority. An article on making a certificate signing request and
getting it signed is here:
http://www.debian-administration.org/articles/284
This is the basic command to generate a CSR.
$ openssl req -new -nodes -out fp-facilitator.csr.pem
The instructions below assume you have an offline private key
in fp-facilitator.key.pem and a certificate in fp-facilitator.crt.pem.
Make a file containing both the private key and a certificate.
$ cat fp-facilitator.key.pem fp-facilitator.crt.pem > fp-facilitator.pem
$ chmod 400 fp-facilitator.pem
Copy the new fp-facilitator.pem to the facilitator server as
/etc/apache2/fp-facilitator.pem.
# /etc/init.d/apache2 restart
flashproxy-1.7/facilitator/doc/server-howto.txt 0000664 0000000 0000000 00000002756 12363506367 0022060 0 ustar 00root root 0000000 0000000 This document describes how to configure a server running the facilitator on
Debian 7. It is not necessary to make things work, but gives you some added
security, and is a good reference if you want to create a dedicated VM for a
facilitator from scratch.
We will use the domain name fp-facilitator.example.com.
== Basic and security setup
Install some essential packages and configure a firewall.
# cat >/etc/apt/apt.conf.d/90suggests<