CDN77 masks client IPs
The conjure station requires the IP address of a client at registration time to match the client's IP address when it connects to the phantom. From the CDN 77 documentation:
X-Forwarded-For + X-Real-IP: This is the IP Address from the TCP connection from which our CDN Edge server received the request. To protect users’ personal data, we anonymize the last octet in the IP and replace it with a trailing zero. For example, if the IP address received from the TCP connection was 192.1.1.1, the anonymized IP will be 192.1.1.0.
This means that if a client uses CDN77 for domain fronting while registering, their connection to the phantom IP will fail because it will come from their real IP address rather than the masked address.
I'm wondering if it would work to add our own X-Forwarded-For header with the masked address in order to convince the conjure station that yes, we really do want to connect to that phantom. On the other hand, we should probably reach out to the Conjure devs to let them know about this in case there is some sort of IP-based rate-limiting going on.
EDIT: that would only work if there was an HTTP transport. AFAICT, none of these transports offer a way for us to communicate which IP address the client could have registered under.
Activity
assigned to @cohosh
added Doing label
changed milestone to %Objective 2: Make the Conjure pluggable transport more reliable
added Anti-Censorship Project 173 labels
mentioned in issue #40 (closed)