... | ... | @@ -23,4 +23,67 @@ host. To upgrade the broker: |
Logs are under `/var/log/snowflake-broker`.
Firewall configuration is in `/etc/ferm/ferm.conf`. Run
`service ferm restart` after making changes. |
\ No newline at end of file |
`service ferm restart` after making changes.
## SQS Rendezvous Deployment
The broker's [SQS rendezvous method](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/blob/main/doc/rendezvous-with-sqs.md?ref_type=heads) requires the creation of private credentials for the broker, and public credentials to distribute to clients.
### Broker credentials
The broker's credentials are stored in `.home/snowflake-broker/.aws/credentials` on the Snowflake broker machine. These can be generated by creating a new [IAM User](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html) and attaching a policy for the necessary SQS actions.
<details>
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:ReceiveMessage",
"sqs:CreateQueue",
"sqs:SendMessage",
"sqs:DeleteMessage",
"sqs:DeleteQueue",
"sqs:GetQueueURL",
"sqs:ListQueues",
"sqs:GetQueueAttributes"
],
"Resource": "*"
}
]
}
```
</details>
### Client credentials
Snowflake clients need access to fewer actions than the broker in order to use SQS rendezvous. The policy attached to this IAM user should also be more restrictive about **which** queues a client can perform each action on. Clients should be able to write to the broker's SQS queue, but not read from it. But they should be able to read from the queue the broker creates for them.
<details>
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SQSRead",
"Effect": "Allow",
"Action": [
"sqs:ReceiveMessage",
"sqs:GetQueueURL"
],
"Resource": "arn:aws:sqs:*:[account id]:snowflake-client-*"
},
{
"Sid": "SQSWrite",
"Effect": "Allow",
"Action": [
"sqs:SendMessage"
],
"Resource": "arn:aws:sqs:*:[account id]:snowflake-broker"
}
]
}
```
</details> |
\ No newline at end of file |
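Review bot: the broker policy in this hunk grants every listed SQS action on `"Resource": "*"`, so the credentials kept on the broker host can receive from, send to and delete any queue in the account, not only the rendezvous queues. The client policy further down already pins the naming scheme (`snowflake-broker` and `snowflake-client-*`), so the broker statement can be scoped to `arn:aws:sqs:*:[account id]:snowflake-*`, with only `sqs:ListQueues` (which is not resource-scoped) left on `*` in its own statement. Two smaller points in the same hunk: the credentials path `.home/snowflake-broker/.aws/credentials` reads like a typo for `/home/snowflake-broker/.aws/credentials`, and the client section says clients can read "the queue the broker creates for them", but since the client credentials are shared and the resource is `snowflake-client-*`, any holder of those credentials can receive from any client queue; the text should state that plainly so operators do not assume per-client isolation from this policy. Style nit: the SQS action is documented as `sqs:GetQueueUrl`; worth matching that spelling in both policies.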