Your browser doesn't support the features required by impress.js, so you are presented with a simplified version of this presentation.

For the best experience please use the latest Chrome, Safari or Firefox browser.

Beating the Great Firewall of China with Go

at Lantern

Jan. 15 2015

Percy Wegmann

Let's watch YouTube!
Project Golden Shield (a.k.a. the Great Firewall of China or GFW) "protects" me from terrible sites like YouTube using DNS injection and TCP RST blocking.
Use an HTTP-based web proxy!
GFW can use content filtering and port scans to detect proxies, then block their IPs.
Encrypt connections to the proxy!
Even with encrypted connections, GFW still manages to find our proxies, port scan them and block them. At least part of the problem is how to distribute the IP addresses to legitimate users without also distributing them to GFW agents.
Make our traffic look like something that the GFW doesn't want to block for economic reasons. This is known as Collateral Freedom.
Domain Fronting

Pioneered by GoAgent and used amongst others by Tor's Meek transport, domain fronting hides traffic to the proxy inside connections to "legitimate" websites.

Exploits the fact that Content Delivery Networks (CDNs) are basically large, shared reverse proxies.
Requires a local proxy to be installed on the client's machine because browser's don't know how to domain-front.
That's cool, but real YouTube traffic is HTTPS, meaning it's carried over TLS. So, the Client Proxy can't see the browser's requests.
Instead of using straight HTTP, encapsulate HTTP/TLS inside HTTP.
Support full-duplex operation!
Great, but ...
You said something about using Go?
net + http + crypto = love
- Performant (non-blocking i/o)
- Easy (synchronous calling semantics)
- Highly composable (net.conn and http.Handler)
- Excellent http support (net/http)
- Great concurrency primitives
- Ethos of simplicity
- idle timeouts for net.Conn and net.Listener
- proxies need idle timeouts for disappearing clients
- disable SNI in handshake (reqd. for some CDNs)
- timings for network ops
- provides dialer for client-side use
- supplied to enproxy to dial to CDN
- provides server-side proxy based on enproxy.Proxy
- implements net.Conn for client-side use
- implements http.Handler for server-side use
- encapsulates data in HTTP requests
- configurable dialing behavior
- provides pool of connections
- speeds up enproxy by dialing ahead of time
- the actual application
- can run as either client or server
- ties it all together

View Code

Thanks to ...
... you for your time
... David Fifield of Tor for his work on domain-fronting
... impress.js for helping me build this presentation
... Brave New Software for employing me*

* - wants to hire a great Go developer

Use a spacebar or arrow keys to navigate