The interacting components on the bridge are a bit complicated, for performance reasons. See the [installation guide](Survival Guides/Snowflake Bridge Installation Guide#introduction) for the reasoning. There are four main components:

* [snowflake-server](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/tree/main/server): Receives WebSocket connections from Snowflake proxies, manages Turbo Tunnel sessions, forwards sessions as TCP connections to HAProxy. Listens externally on port 443 (and port 80, for ACME certificate renewal).
* [HAProxy](https://www.haproxy.org/): Load balancer. Receives connections from snowflake-server and balances them over the multiple instances of tor, via their respective extor-static-cookie interfaces. Listens on 127.0.0.1:10000.
* tor: There are multiple instances of tor, because one is not enough for the load on the bridge. Each instance's `ORPort` is blocked from outside access by the firewall, and `ExtORPort auto` makes them listen for ExtORPort connections on an ephemeral localhost port. Each instance of tor runs an extor-static-cookie, which provides HAProxy a stable ExtORPort port number, and provides snowflake-server (via HAProxy) a stable authentication key.
* [extor-static-cookie](https://gitlab.torproject.org/dcf/extor-static-cookie): Exposes an ExtORPort interface that uses an unchanging authentication key. These listen on 127.0.0.1, on port numbers 10000+*N*, where *N* is the instance number 1, 2, ….

## Upgrading snowflake-server
You need to give the new binary permission to bind ports 443 and 80. This cheat sheet is also commented in `/etc/tor/torrc`.

Check `/var/log/syslog` and `/var/log/tor/snowflake-server.log` for error messages. If there are `bind: permission denied` errors, ensure that you have run the `setcap` command, and that the tor `NoNewPrivileges=no` configuration from the [Snowflake Bridge Installation Guide](Survival Guides/Snowflake Bridge Installation Guide) is in place.

Standalone proxy-go instances
-----------------------------
The standalone proxy-go instances are managed by runit. You can see a list of possible instances under `/etc/service`. They are set up to periodically restart themselves in case of a hang.
```
sv status snowflake-proxy-standalone-17h # check status
sv start snowflake-proxy-standalone-17h # start
sv stop snowflake-proxy-standalone-17h # stop
ps xww | grep runsvdir # check for error in the run script
```
(Adjust as needed if there are other named services under `/etc/service`.)
Adding a new instance:
The static ExtORPort authentication cookie does not need to be stable long-term. If it accidentally gets lost or damaged, you can create a new one using the [gen-auth-cookie](https://gitlab.torproject.org/dcf/extor-static-cookie/-/blob/main/gen-auth-cookie) script in the extor-static-cookie source code. You will need to restart tor and snowflake-server.
## Adding more tor instances
See the [installation guide](Survival Guides/Snowflake Bridge Installation Guide#tor). After creating the tor instances, you will also have to add new `server` lines in the `backend tor-instances` section of `/etc/haproxy/haproxy.cfg`.
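
A check for the step above, as an added example (not from the original page or the Snowflake project): it confirms that the `backend tor-instances` section has one `server` line at 127.0.0.1:10000+*N* for each of the *N* tor instances, and flags `server` lines that point anywhere else. The function names, the `frontend tor` and `snowflakeN` names, and the sample config are constructed for illustration.

```shell
# Added example; check_backend and sample_cfg are hypothetical names.
# usage: check_backend CFG N   (N = number of tor instances)
check_backend() {
    awk -v n="$2" '
        NF == 0 || $1 ~ /^#/ { next }              # skip blank lines and comments
        # Common HAProxy section keywords only; extend if the config uses others.
        $1 ~ /^(global|defaults|frontend|backend|listen)$/ {
            in_be = ($1 == "backend" && $2 == "tor-instances")   # track current section
            next
        }
        in_be && $1 == "server" {
            split($3, a, ":")                       # $3 is address:port
            i = a[2] - 10000                        # instance number implied by the port
            if (a[1] == "127.0.0.1" && i >= 1 && i <= n) seen[i] = 1
            else { printf "unexpected: %s %s\n", $2, $3; bad = 1 }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(i in seen)) {
                    printf "missing: instance %d (127.0.0.1:%d)\n", i, 10000 + i
                    bad = 1
                }
            exit bad + 0                            # non-zero if anything was reported
        }
    ' "$1"
}

# Constructed sample config (not the real file from the bridge): instance 3 has
# no server line, and instance 4 points at a non-loopback address.
sample_cfg() {
    cat <<'EOF'
frontend tor
  mode tcp
  bind 127.0.0.1:10000
  default_backend tor-instances

backend tor-instances
  mode tcp
  server snowflake1 127.0.0.1:10001
  server snowflake2 127.0.0.1:10002
  server snowflake4 192.0.2.10:10004
EOF
}
```

Run it as `check_backend /etc/haproxy/haproxy.cfg N` after editing the file; it prints nothing and exits 0 when every instance has its loopback `server` line.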
## Firewall
Firewall configuration is in `/etc/ferm/ferm.conf`. Run `service ferm restart` after making changes.