#25804: Domain fronting to App Engine stopped working -----------------------------------+------------------------ Reporter: dcf | Owner: (none) Type: defect | Status: new Priority: Medium | Milestone: Component: Obfuscation/Snowflake | Version: Severity: Normal | Resolution: Keywords: moat | Actual Points: Parent ID: | Points: Reviewer: | Sponsor: -----------------------------------+------------------------ Changes (by dcf):
* keywords: => moat Old description: > On or about 2018-04-13 16:00:00 UTC, domain-fronted requests for > snowflake-reg.appspot.com stopped working. It appears to affect fronting > to all appspot.com domains, not only ours. This leaves all currently > deployed clients unable to register themselves. > > Requests now fail with status code 502: > {{{ > $ wget -q -O - --content-on-error -S https://www.google.com/ --header > 'Host: snowflake-reg.appspot.com' > HTTP/1.1 502 Bad Gateway > Date: Sun, 15 Apr 2018 04:58:49 GMT > Content-Type: text/html > Server: HTTP server (unknown) > Content-Length: 209 > X-XSS-Protection: 1; mode=block > X-Frame-Options: SAMEORIGIN > Alt-Svc: hq=":443"; ma=2592000; quic=51303432; quic=51303431; > quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="42,41,39,35" > <html><body><h1>502 Bad Gateway</h1>\ > <p>This HTTP request has a Host header that is not covered \ > by the TLS certificate used. Due to an infrastructure change, \ > this request cannot be processed.</p></body></html> > }}} > > This ticket is to document the issue; I'm not sure we can do anything > about it directly. > > Other related tickets: > * #22782, use non-Google domain fronts > * #25594, use non-fronting-based registration New description: On or about 2018-04-13 16:00:00 UTC, domain-fronted requests for *.appspot.com stopped working. It appears to affect fronting to all appspot.com domains, not only ours. This has broken Snowflake client registration and Moat (#25807). Requests now fail with status code 502: {{{ $ wget -q -O - --content-on-error -S https://www.google.com/ --header 'Host: snowflake-reg.appspot.com' HTTP/1.1 502 Bad Gateway Date: Sun, 15 Apr 2018 04:58:49 GMT Content-Type: text/html Server: HTTP server (unknown) Content-Length: 209 X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Alt-Svc: hq=":443"; ma=2592000; quic=51303432; quic=51303431; quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="42,41,39,35" <html><body><h1>502 Bad Gateway</h1>\ <p>This HTTP request has a Host header that is not covered \ by the TLS certificate used. Due to an infrastructure change, \ this request cannot be processed.</p></body></html> }}} This ticket is to document the issue; I'm not sure we can do anything about it directly. Other related tickets: * #22782, use non-Google domain fronts * #25594, use non-fronting-based registration -- -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25804#comment:11> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online
_______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs