Opened 5 months ago

Closed 5 months ago

#26891 closed enhancement (not a bug)

Problem running meek server without CDN, stuck at Performing bandwidth self-test...done

Reported by: weiruo
Owned by: dcf
Priority: Medium
Component: Obfuscation/meek
Severity: Normal
Keywords: meek server

Description

I am trying to run a meek server, and this is what I have done for the test:

I have a domain (for example, call it example.com) and I manually applied for Let's Encrypt SSL certificate, so I can visit the website through https://example.com.

Here is the torrc:

BridgeRelay 1
ORPort 9001
ExtORPort auto
SocksPort 0
ExitPolicy reject *:*

ServerTransportListenAddr meek 0.0.0.0:443

ServerTransportPlugin meek exec /usr/local/bin/meek-server --cert /etc/letsencrypt/live/example.com/fullchain.pem --key /etc/letsencrypt/live/example.com/privkey.pem --log /var/log/tor/meek-server.log

However, when I enter "tor -f torrc", it gets stuck here:

Jul 20 15:29:53.566 [notice] Tor 0.3.2.10 (git-0edaa32732ec8930) running on Linux with Libevent 2.1.8-stable, OpenSSL 1.0.2g, Zlib 1.2.11, Liblzma 5.2.2, and Libzstd 1.3.1.
Jul 20 15:29:53.567 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jul 20 15:29:53.567 [notice] Read configuration file "/xxx/torrc".
Jul 20 15:29:53.574 [notice] Your ContactInfo config option is not set. Please consider setting it, so we can contact you if your server is misconfigured or something else goes wrong.
Jul 20 15:29:53.574 [notice] Based on detected system memory, MaxMemInQueues is set to 739 MB. You can override this by setting MaxMemInQueues by hand.
Jul 20 15:29:53.576 [notice] Scheduler type KIST has been enabled.
Jul 20 15:29:53.576 [notice] Opening OR listener on 0.0.0.0:9001
Jul 20 15:29:53.576 [notice] Opening Extended OR listener on 127.0.0.1:0
Jul 20 15:29:53.577 [notice] Extended OR listener listening on port 40651.
Jul 20 15:29:54.000 [warn] Failed to open GEOIP file /usr/share/tor/geoip. We've been configured to see which countries can access us as a bridge, and we need GEOIP information to tell which countries clients are in. Do you have the tor-geoipdb package installed?
Jul 20 15:29:54.000 [warn] Failed to open GEOIP file /usr/share/tor/geoip6. We've been configured to see which countries can access us as a bridge, and we need GEOIP information to tell which countries clients are in. Do you have the tor-geoipdb package installed?
Jul 20 15:29:54.000 [notice] Configured to measure directory request statistics, but no GeoIP database found. Please specify a GeoIP database using the GeoIPFile option.
Jul 20 15:29:54.000 [warn] You are running Tor as root. You don't need to, and you probably shouldn't.
Jul 20 15:29:56.000 [notice] Your Tor server's identity key fingerprint is 'Unnamed E8094BFxxxxxxxxxx5C1E'
Jul 20 15:29:56.000 [notice] Your Tor bridge's hashed identity key fingerprint is 'Unnamed BBAA6xxxxxxxxxAA811B'
Jul 20 15:29:56.000 [notice] Bootstrapped 0%: Starting
Jul 20 15:30:03.000 [notice] Starting with guard context "default"
Jul 20 15:30:03.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Jul 20 15:30:03.000 [notice] Bootstrapped 85%: Finishing handshake with first hop
Jul 20 15:30:04.000 [warn] Server managed proxy encountered a method error. (meek listen tcp 0.0.0.0:443: bind: address already in use)
Jul 20 15:30:04.000 [warn] Managed proxy at '/usr/local/bin/meek-server' failed the configuration protocol and will be destroyed.
Jul 20 15:30:04.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Jul 20 15:30:06.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Jul 20 15:30:06.000 [notice] Bootstrapped 100%: Done
Jul 20 15:30:06.000 [notice] Now checking whether ORPort 45.xxx.xxx.xxx:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)
Jul 20 15:30:09.000 [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Jul 20 15:31:14.000 [notice] Your network connection speed appears to have changed. Resetting timeout to 60s after 18 timeouts and 442 buildtimes.
Jul 20 15:31:20.000 [notice] Performing bandwidth self-test...done.

And then it has no output and does not seem to be working. Besides the above, I once also got this output:

...
Jul 20 08:24:27.000 [notice] Performing bandwidth self-test...done.
Jul 20 09:23:17.000 [notice] No circuits are opened. Relaxed timeout for circuit 30 (a Measuring circuit timeout 3-hop circuit in state doing handshakes with channel state open) to 60000ms. However, it appears the circuit has timed out anyway.

What's wrong with my steps in setting the meek server? What should I do next to set up a meek server, either for use or for test?
Must I use CDN to domain fronting it?

By the way, is it possible to use meek without domain fronting if the domain has not been filtered?
Maybe I misunderstood something in https://trac.torproject.org/projects/tor/wiki/doc/meek#Howtorunameek-serverbridge and meek's README, and I am sorry for that.

Change History (5)

comment:1 Changed 5 months ago by dcf

This is the problem:

[warn] Server managed proxy encountered a method error. (meek listen tcp 0.0.0.0:443: bind: address already in use)

Some other process is already listening on port 443. Try netstat -nlp | grep :443 to find out what it is.

If, for some reason, you cannot stop the other process from listening on port 443, you can choose a different port for meek-server with ServerTransportListenAddr (but it is unusual for HTTPS to be on another port).

> Must I use CDN to domain fronting it?
> By the way, is it possible to use meek without domain fronting if the domain has not been filtered?

No, you don't need to use domain fronting. Connecting directly to an unblocked domain is a valid way to use it. In your client torrc, use url=... without front=....
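
Added example (not part of the ticket and not tor's or meek's own code): the server log above reaches "Bootstrapped 100%" even though the meek transport never started, so this Python script scans a tor log for the two managed-proxy warnings and then attempts the same bind to confirm the conflict. The regular expressions are inferred from the log lines quoted in this ticket, and `find_transport_failures` and `bind_status` are hypothetical helper names.

```python
import errno
import re
import socket

# Constructed sample: three lines in the format of the server log quoted in this ticket.
SAMPLE_LOG = """\
Jul 20 15:30:04.000 [warn] Server managed proxy encountered a method error. (meek listen tcp 0.0.0.0:443: bind: address already in use)
Jul 20 15:30:04.000 [warn] Managed proxy at '/usr/local/bin/meek-server' failed the configuration protocol and will be destroyed.
Jul 20 15:30:06.000 [notice] Bootstrapped 100%: Done
"""

# Assumption: patterns inferred from the two [warn] lines above, not from a documented log grammar.
METHOD_ERROR = re.compile(r"method error\. \((?P<transport>\S+) (?P<reason>.*)\)\s*$")
PROXY_DESTROYED = re.compile(r"Managed proxy at '(?P<path>[^']+)' failed the configuration protocol")
BIND_FAILURE = re.compile(r"listen tcp (?P<host>[0-9.]+):(?P<port>\d+): bind: (?P<why>.+)")

def find_transport_failures(log_text):
    """Return one dict per server-transport failure found in a tor log."""
    failures = []
    for line in log_text.splitlines():
        m = METHOD_ERROR.search(line)
        if m:
            entry = {"transport": m["transport"], "reason": m["reason"], "proxy": None}
            b = BIND_FAILURE.search(m["reason"])
            if b:  # the failure was a listen/bind error: record the address
                entry.update(host=b["host"], port=int(b["port"]), why=b["why"])
            failures.append(entry)
        elif failures and failures[-1]["proxy"] is None:
            m = PROXY_DESTROYED.search(line)
            if m:  # attach the proxy binary that tor gave up on
                failures[-1]["proxy"] = m["path"]
    return failures

def bind_status(host, port):
    """Attempt the bind the transport would make: 'free', 'in use' or 'denied'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return "free"
        except OSError as e:
            known = {errno.EADDRINUSE: "in use", errno.EACCES: "denied"}
            if e.errno in known:  # 'denied': e.g. a port below 1024 without privileges
                return known[e.errno]
            raise

if __name__ == "__main__":
    for f in find_transport_failures(SAMPLE_LOG):
        print(f, "->", bind_status(f["host"], f["port"]) if "host" in f else "n/a")
```

A "denied" result only means the check lacked the privileges to bind that port; run it as the user that starts tor to get a meaningful answer.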

comment:2 Changed 5 months ago by weiruo

Thank you very much! After killing the nginx process on port 443, I am able to run the meek server and connect to it with the tor browser now.

However, when I tried to connect to meek-server with meek-client's Linux shell, I still couldn't bootstrap successfully.
Here is the torrc file for the client: (The client is located in the censored area).

UseBridges 1
Bridge meek 0.0.2.0:1 url=https://example.com/
ClientTransportPlugin meek exec ./meek-client --log meek-client.log

Should I set the --helper option? The "meek-client.1.txt" in meek's doc said the helper should be set up separately, while I haven't found how to set up the helper. Or is there anything I should do to the "geoip" file?

And here is the output of the client:

$ tor -f torrc
Jul 21 02:40:27.045 [notice] Tor 0.3.0.13 running on Linux with Libevent 2.1.8-stable, OpenSSL 1.0.2g and Zlib 1.2.11.
Jul 21 02:40:27.045 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jul 21 02:40:27.045 [notice] Read configuration file "/.../torrc".
Jul 21 02:40:27.049 [notice] Opening Socks listener on 127.0.0.1:9050
Jul 21 02:40:27.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Jul 21 02:40:27.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Jul 21 02:40:27.000 [notice] Bootstrapped 0%: Starting
Jul 21 02:40:27.000 [notice] Delaying directory fetches: No running bridges
Jul 21 02:40:29.000 [notice] Starting with guard context "bridges"
Jul 21 02:40:29.000 [notice] Bootstrapped 5%: Connecting to directory server
Jul 21 02:40:29.000 [notice] Bootstrapped 10%: Finishing handshake with directory server
Jul 21 02:40:30.000 [notice] Learned fingerprint E8094BF9AxxxxxxxxxxxxD5C1E for bridge 0.0.2.0:1 (with transport 'meek').
Jul 21 02:40:30.000 [notice] Bootstrapped 15%: Establishing an encrypted directory connection
Jul 21 02:40:31.000 [notice] Bootstrapped 20%: Asking for networkstatus consensus
Jul 21 02:40:31.000 [notice] new bridge descriptor 'Unnamed' (fresh): $E8094BF9AxxxxxxxxxxxxxxD5C1E~Unnamed at 0.0.2.0
Jul 21 02:40:31.000 [notice] I learned some more directory information, but not enough to build a circuit: We're missing descriptors for some of our primary entry guards
Jul 21 02:40:31.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Jul 21 02:40:31.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Jul 21 02:40:31.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Jul 21 02:50:32.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Jul 21 02:50:32.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Jul 21 02:51:02.000 [warn] Problem bootstrapping. Stuck at 20%: Asking for networkstatus consensus. (DONE; DONE; count 1; recommendation warn; host E8094BF9AxxxxxxxxxxxD5C1E at 0.0.2.0:1)
Jul 21 02:51:02.000 [warn] 1 connections have failed:
Jul 21 02:51:02.000 [warn] 1 connections died in state handshaking (TLS) with SSL state SSLv2/v3 read server hello A in HANDSHAKE

Sometimes the output is:

$ tor -f torrc
Jul 21 03:07:33.914 [notice] Tor 0.3.0.13 running on Linux with Libevent 2.1.8-stable, OpenSSL 1.0.2g and Zlib 1.2.11.
Jul 21 03:07:33.914 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jul 21 03:07:33.914 [notice] Read configuration file "/...../torrc".
Jul 21 03:07:33.917 [notice] Opening Socks listener on 127.0.0.1:9050
Jul 21 03:07:33.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Jul 21 03:07:34.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Jul 21 03:07:34.000 [notice] Bootstrapped 0%: Starting
Jul 21 03:07:34.000 [notice] Delaying directory fetches: No running bridges
Jul 21 03:07:36.000 [notice] Starting with guard context "bridges"
Jul 21 03:07:36.000 [notice] Bootstrapped 5%: Connecting to directory server
Jul 21 03:07:36.000 [notice] Bootstrapped 10%: Finishing handshake with directory server
Jul 21 03:07:37.000 [notice] Learned fingerprint E8094BF9Axxxxxxxxxxxxxx52D5C1E for bridge 0.0.2.0:1 (with transport 'meek').
Jul 21 03:07:37.000 [notice] Bootstrapped 15%: Establishing an encrypted directory connection
Jul 21 03:07:38.000 [notice] Bootstrapped 20%: Asking for networkstatus consensus
Jul 21 03:07:38.000 [notice] new bridge descriptor 'Unnamed' (fresh): $E8094BF9Axxxxxxxxxxxxx52D5C1E~Unnamed at 0.0.2.0
Jul 21 03:07:38.000 [notice] I learned some more directory information, but not enough to build a circuit: We're missing descriptors for some of our primary entry guards
Jul 21 03:07:38.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Jul 21 03:07:38.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Jul 21 03:07:39.000 [notice] Bootstrapped 50%: Loading relay descriptors
Jul 21 03:17:39.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Jul 21 03:27:39.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Jul 21 03:27:39.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Jul 21 03:37:40.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Jul 21 03:37:40.000 [notice] Ignoring directory request, since no bridge nodes are available yet.
Jul 21 03:47:40.000 [notice] Ignoring directory request, since no bridge nodes are available yet.

comment:3 Changed 5 months ago by dcf

Try deleting the file ~/.tor/state and try again. Alternatively, add DataDirectory ./meek-datadir to your torrc.

I suspect, based on the lines "We're missing descriptors for some of our primary entry guards" and "Ignoring directory request, since no bridge nodes are available yet", that tor has gotten confused with the results of previous runs, and has cached the fact that the bridge is not reachable in its state file, even though it is now reachable. I have encountered similar problems in the past, and deleting the state file fixed them. Maybe it's something like #11301, though that is supposed to be fixed.

comment:4 Changed 5 months ago by weiruo

Great, I deleted ~/.tor/state and it works. Thank you very much!

comment:5 Changed 5 months ago by dcf

Resolution: not a bug
Status: new → closed