
Beating the Great Firewall of China with Go

at Lantern

Jan. 15 2015

Percy Wegmann

Want
Let's watch YouTube!
Problem
Project Golden Shield (a.k.a. the Great Firewall of China or GFW) "protects" me from terrible sites like YouTube using DNS injection (forged answers to lookups) and TCP RST injection (forged resets into the connection).
Solution
Use an HTTP-based web proxy!
Problem
GFW can use content filtering and port scans to detect proxies, then block their IPs.
Solution
Encrypt connections to the proxy!
Problem
Even with encrypted connections, GFW still manages to find our proxies, port scan them and block them. At least part of the problem is how to distribute the IP addresses to legitimate users without also distributing them to GFW agents.
Solution
Make our traffic look like something that the GFW doesn't want to block for economic reasons. This is known as Collateral Freedom.
Domain Fronting

Pioneered by GoAgent and used, amongst others, by Tor's Meek transport, domain fronting hides traffic to the proxy inside connections to "legitimate" websites: the DNS lookup and the TLS SNI name a popular domain hosted on a CDN, while the Host header inside the encrypted stream names the real backend, which is where the CDN routes the request.

Exploits the fact that Content Delivery Networks (CDNs) are basically large, shared reverse proxies.
Requires a local proxy to be installed on the client's machine because browsers don't know how to domain-front.
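The mechanism above in Go, as an added example (not Lantern's fronted package and not code from the talk): the client names the front domain in the TLS SNI and the hidden backend in the Host header, and an in-process stand-in for the CDN routes on Host while reporting back which SNI it saw. The front domain example.com is assumed because it is the DNS name in the certificate httptest generates; hidden-proxy.example.net and the X-Seen-SNI header are invented for the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Names used by this example (constructed, not Lantern's real endpoints).
// FrontDomain doubles as the DNS name in httptest's built-in certificate.
const (
	FrontDomain = "example.com"
	HiddenHost  = "hidden-proxy.example.net"
)

// Seen records one request from both ends: the SNI the CDN (and any on-path
// observer) saw in the ClientHello, and the origin the CDN routed to.
type Seen struct {
	SNI  string
	Body string
}

// fakeCDN behaves like a shared reverse proxy: it terminates TLS, then routes
// purely on the HTTP Host header and ignores the SNI it just saw.
func fakeCDN() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Seen-SNI", r.TLS.ServerName)
		switch r.Host {
		case FrontDomain:
			io.WriteString(w, "front page")
		case HiddenHost:
			io.WriteString(w, "proxy")
		default:
			http.Error(w, "unknown origin", http.StatusNotFound)
		}
	})
}

// FrontedGet makes one request to cdnURL with the TLS SNI set to front and the
// Host header set to hidden. With front == hidden it is an ordinary request.
func FrontedGet(cdnURL string, roots *x509.CertPool, front, hidden string) (Seen, error) {
	tr := &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs:    roots,
		ServerName: front, // goes on the wire in cleartext; must match the CDN's certificate
	}}
	defer tr.CloseIdleConnections()
	req, err := http.NewRequest(http.MethodGet, cdnURL+"/", nil)
	if err != nil {
		return Seen{}, err
	}
	req.Host = hidden // only visible inside the encrypted stream
	resp, err := (&http.Client{Transport: tr}).Do(req)
	if err != nil {
		return Seen{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return Seen{SNI: resp.Header.Get("X-Seen-SNI"), Body: string(body)}, err
}

// Demo starts the fake CDN and makes one plain and one fronted request.
func Demo() (plain, fronted Seen, err error) {
	srv := httptest.NewTLSServer(fakeCDN())
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	if plain, err = FrontedGet(srv.URL, roots, FrontDomain, FrontDomain); err != nil {
		return
	}
	fronted, err = FrontedGet(srv.URL, roots, FrontDomain, HiddenHost)
	return
}

func main() {
	plain, fronted, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("plain:   SNI=%q -> %q\n", plain.SNI, plain.Body)
	fmt.Printf("fronted: SNI=%q -> %q\n", fronted.SNI, fronted.Body)
}
```

The SNI and the certificate are the only names an on-path observer gets; the Host header sits inside the TLS record. That is also the operational caveat: a CDN that begins enforcing SNI == Host, or that stops serving the front domain, closes the tunnel without any change on the censor's side.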
Problem
That's cool, but real YouTube traffic is HTTPS, meaning it's carried over TLS. So, the Client Proxy can't see the browser's requests.
Solution
Instead of proxying plain HTTP, treat the browser's TLS stream (HTTP inside TLS) as opaque bytes and encapsulate it inside HTTP requests to the front.
Enhancement
Support full-duplex operation!
Great, but ...
You said something about using Go?
net + http + crypto = love
- Performant (non-blocking i/o)
- Easy (synchronous calling semantics)
- Highly composable (net.Conn and http.Handler)
- Excellent http support (net/http)
- Great concurrency primitives
- Ethos of simplicity
idletiming
- idle timeouts for net.Conn and net.Listener
- proxies need idle timeouts for disappearing clients
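An idle-timeout net.Conn of the kind the idletiming bullets describe, as an added example rather than the package's own code: each Read or Write pushes the deadline forward by the idle window, so a peer that stays busy is never cut off, while a peer that goes silent (a client whose laptop went to sleep) releases the proxy's goroutine and file descriptor after the window. The in-memory peer built on net.Pipe is constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"time"
)

// IdleConn wraps a net.Conn so that every Read or Write pushes the deadline
// forward by Idle. A busy connection is never cut off; a silent one fails its
// next Read/Write with a timeout once Idle has passed.
type IdleConn struct {
	net.Conn
	Idle time.Duration
}

func (c *IdleConn) touch() error { return c.Conn.SetDeadline(time.Now().Add(c.Idle)) }

func (c *IdleConn) Read(p []byte) (int, error) {
	if err := c.touch(); err != nil {
		return 0, err
	}
	return c.Conn.Read(p)
}

func (c *IdleConn) Write(p []byte) (int, error) {
	if err := c.touch(); err != nil {
		return 0, err
	}
	return c.Conn.Write(p)
}

// IsIdleTimeout distinguishes the idle deadline from the peer closing or a
// transport failure, so a proxy can log it differently (and not retry).
func IsIdleTimeout(err error) bool {
	var ne net.Error
	return errors.As(err, &ne) && ne.Timeout()
}

// Demo talks to an in-memory peer (net.Pipe, constructed for the example) that
// sends four bytes spaced at idle/2 and then goes quiet without closing. It
// returns everything received and whether the final Read ended in an idle timeout.
func Demo(idle time.Duration) (received string, idleTimeout bool, err error) {
	peer, ours := net.Pipe()
	defer peer.Close()
	defer ours.Close()
	conn := &IdleConn{Conn: ours, Idle: idle}
	go func() {
		for _, b := range []string{"a", "b", "c", "d"} {
			time.Sleep(idle / 2) // busy for 2*idle in total, yet never silent for a full window
			peer.Write([]byte(b))
		}
	}()
	buf := make([]byte, 16)
	for {
		n, rerr := conn.Read(buf)
		received += string(buf[:n])
		if rerr != nil {
			return received, IsIdleTimeout(rerr), rerr
		}
	}
}

func main() {
	received, idleTimeout, err := Demo(300 * time.Millisecond)
	fmt.Printf("received %q, idle timeout: %v (%v)\n", received, idleTimeout, err)
}
```

The same wrapper around a net.Listener's accepted connections gives every proxied client the timeout without touching the handler code, which is the composability point of the net.Conn interface made on the previous slide.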
tlsdialer
- disable SNI in the handshake (required for some CDNs)
- timings for network ops
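Disabling SNI the way the tlsdialer bullet describes, as an added example (not Lantern's tlsdialer): leaving tls.Config.ServerName empty is what removes the extension, but crypto/tls then insists on InsecureSkipVerify, which on its own would accept any certificate. The example takes verification back in VerifyPeerCertificate against the name we expect, and checks that a wrong expectation still fails. The echo server, the name example.com (the DNS name in httptest's built-in certificate) and the placeholder cdn.invalid are constructed for the example.

```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
)

// verifyAs re-does the checks crypto/tls skips once InsecureSkipVerify is set:
// chain building against roots and a hostname match against the name we expect.
func verifyAs(expected string, roots *x509.CertPool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("server presented no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		intermediates := x509.NewCertPool()
		for _, raw := range rawCerts[1:] {
			c, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			intermediates.AddCert(c)
		}
		_, err = leaf.Verify(x509.VerifyOptions{DNSName: expected, Roots: roots, Intermediates: intermediates})
		return err
	}
}

// NoSNIConfig yields a tls.Config that sends no server_name extension at all
// yet still authenticates the server as expected.
func NoSNIConfig(expected string, roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		// Empty ServerName => no SNI. crypto/tls then refuses to verify on its
		// own, so InsecureSkipVerify is required and we take the job back below.
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: verifyAs(expected, roots),
	}
}

// SeenSNI handshakes with cfg against addr (a server that echoes the SNI it
// received) and returns what the server saw.
func SeenSNI(addr string, cfg *tls.Config) (string, error) {
	tr := &http.Transport{
		DialTLSContext: func(ctx context.Context, network, _ string) (net.Conn, error) {
			raw, err := (&net.Dialer{}).DialContext(ctx, network, addr)
			if err != nil {
				return nil, err
			}
			c := tls.Client(raw, cfg) // unlike tls.Dial, this never fills ServerName in from addr
			if err := c.HandshakeContext(ctx); err != nil {
				raw.Close()
				return nil, err
			}
			return c, nil
		},
	}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get("https://cdn.invalid/")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// Demo runs the three handshakes: normal SNI, no SNI with our own verification,
// and no SNI with the wrong expected name, which must fail.
func Demo() (withSNI, withoutSNI string, wrongNameErr, err error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, r.TLS.ServerName) // exactly what a passive observer saw in the ClientHello
	}))
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // httptest's certificate is issued for example.com
	addr := srv.Listener.Addr().String()
	if withSNI, err = SeenSNI(addr, &tls.Config{RootCAs: roots, ServerName: "example.com"}); err != nil {
		return
	}
	if withoutSNI, err = SeenSNI(addr, NoSNIConfig("example.com", roots)); err != nil {
		return
	}
	_, wrongNameErr = SeenSNI(addr, NoSNIConfig("other.example.org", roots))
	return
}

func main() {
	withSNI, withoutSNI, wrongNameErr, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("normal handshake, server saw SNI %q\n", withSNI)
	fmt.Printf("SNI disabled, server saw SNI %q\n", withoutSNI)
	fmt.Printf("SNI disabled, wrong expected name: %v\n", wrongNameErr)
}
```

The third case is the one to keep in a test suite: a config with InsecureSkipVerify and no callback passes the first two cases just as well, and the only thing that tells the two apart is a handshake that is supposed to fail and does.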
fronted
- provides dialer for client-side use
- supplied to enproxy to dial the CDN
- provides server-side proxy based on enproxy.Proxy
enproxy
- implements net.Conn for client-side use
- implements http.Handler for server-side use
- encapsulates data in HTTP requests
- configurable dialing behavior
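The enproxy idea from the "encapsulate HTTP/TLS inside HTTP" slide and the bullets above, as an added example rather than enproxy's own code: the server half is an http.Handler that owns one real TCP connection per tunnel id, and the client half is a Read/Write pair in the shape of a net.Conn whose Write becomes a request body and whose Read polls for response bodies. The header names (X-Tunnel-*), the 200 ms poll bound and the upper-casing origin are constructed for the example; in the real thing the bytes carried are the browser's TLS stream and the requests go to the fronted domain.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// Headers chosen for this example (not enproxy's real wire format). Every request
// names a tunnel id and its destination; a "write" body carries client->dest
// bytes, a "read" response carries dest->client bytes, X-Tunnel-Eof marks dest closing.
const hdrID, hdrDest, hdrOp, hdrEOF = "X-Tunnel-Id", "X-Tunnel-Dest", "X-Tunnel-Op", "X-Tunnel-Eof"

// Server is the http.Handler half: it owns one outbound TCP connection per tunnel id.
type Server struct {
	mu    sync.Mutex
	conns map[string]net.Conn
}

func NewServer() *Server { return &Server{conns: map[string]net.Conn{}} }

func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	id := r.Header.Get(hdrID)
	s.mu.Lock()
	c, ok := s.conns[id]
	if !ok { // first request for this id opens the real TCP connection
		var err error
		if c, err = net.DialTimeout("tcp", r.Header.Get(hdrDest), 2*time.Second); err != nil {
			s.mu.Unlock()
			http.Error(w, err.Error(), http.StatusBadGateway)
			return
		}
		s.conns[id] = c
	}
	s.mu.Unlock()
	if r.Header.Get(hdrOp) == "write" {
		if _, err := io.Copy(c, r.Body); err != nil {
			http.Error(w, err.Error(), http.StatusBadGateway)
		}
		return
	}
	// "read": hand back what dest has produced, bounding the wait so the poll returns.
	buf := make([]byte, 32*1024)
	c.SetReadDeadline(time.Now().Add(200 * time.Millisecond))
	n, err := c.Read(buf)
	if ne, isNet := err.(net.Error); err != nil && !(isNet && ne.Timeout()) {
		w.Header().Set(hdrEOF, "1") // dest closed: tell the client and forget the tunnel
		s.mu.Lock()
		delete(s.conns, id)
		s.mu.Unlock()
		c.Close()
	}
	w.Write(buf[:n])
}

// Conn is the client half: Write becomes a request body, Read polls response
// bodies. A full net.Conn would also carry Close, addresses and deadlines.
type Conn struct {
	client          *http.Client
	proxy, id, dest string
	pending         bytes.Buffer
	eof             bool
}

func Dial(client *http.Client, proxy, dest string) (*Conn, error) {
	id := make([]byte, 16) // unguessable, so nobody else can attach to this tunnel
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	return &Conn{client: client, proxy: proxy, dest: dest, id: hex.EncodeToString(id)}, nil
}

// do performs one tunnel request and returns the response body and the EOF flag.
func (c *Conn) do(op string, body io.Reader) ([]byte, bool, error) {
	req, err := http.NewRequest(http.MethodPost, c.proxy, body)
	if err != nil {
		return nil, false, err
	}
	req.Header.Set(hdrID, c.id)
	req.Header.Set(hdrDest, c.dest)
	req.Header.Set(hdrOp, op)
	resp, err := c.client.Do(req)
	if err != nil {
		return nil, false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, false, errors.New("tunnel " + op + ": " + resp.Status)
	}
	data, err := io.ReadAll(resp.Body)
	return data, resp.Header.Get(hdrEOF) == "1", err
}

func (c *Conn) Write(p []byte) (int, error) {
	if _, _, err := c.do("write", bytes.NewReader(p)); err != nil {
		return 0, err
	}
	return len(p), nil
}

func (c *Conn) Read(p []byte) (int, error) {
	for c.pending.Len() == 0 && !c.eof {
		data, eof, err := c.do("read", nil)
		if err != nil {
			return 0, err
		}
		c.pending.Write(data)
		c.eof = eof
	}
	return c.pending.Read(p) // io.EOF once dest has closed and the buffer is drained
}

// Demo runs an upper-casing TCP origin, a tunnel server in front of it, and a
// client that reaches the origin only through HTTP requests.
func Demo(line string) (string, error) {
	origin, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer origin.Close()
	go func() {
		conn, err := origin.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		s, _ := bufio.NewReader(conn).ReadString('\n')
		io.WriteString(conn, strings.ToUpper(s))
	}()
	proxy := httptest.NewServer(NewServer())
	defer proxy.Close()
	tc, err := Dial(proxy.Client(), proxy.URL, origin.Addr().String())
	if err != nil {
		return "", err
	}
	if _, err := tc.Write([]byte(line + "\n")); err != nil {
		return "", err
	}
	return bufio.NewReader(tc).ReadString('\n')
}

func main() {
	out, err := Demo("hello through the tunnel")
	fmt.Printf("%q %v\n", out, err)
}
```

Issuing a read poll and a write at the same time on one id is what the "full duplex" enhancement amounts to; the serialising point is then the per-tunnel TCP connection on the server, not the HTTP requests. The random 16-byte id is the only access control on the server side: anyone who can guess an id can read another client's stream, so it must never be a counter or a timestamp.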
connpool
- provides pool of connections
- speeds up enproxy by dialing ahead of time
flashlight
- the actual application
- can run as either client or server
- ties it all together


Thanks to ...
... you for your time
... David Fifield of Tor for his work on domain-fronting
... impress.js for helping me build this presentation
... Brave New Software for employing me*

* - wants to hire a great Go developer
