Changes between Version 263 and Version 264 of doc/meek


Timestamp: Apr 30, 2018, 5:48:24 PM (20 months ago)
Author: dcf
Comment: Update Azure instructions.

  • doc/meek

    v263 v264  
    165165=== Microsoft Azure ===
    166166
    167 {{{
    168 $ wget -q -O - https://ajax.aspnetcdn.com/ --header 'Host: az786092.vo.msecnd.net'
     167<small>This section last updated 2018-04-30</small>
     168
     169{{{
     170$ wget -q -O - https://ajax.aspnetcdn.com/ --header 'Host: meek.azureedge.net'
    169171I’m just a happy little web server.
    170172}}}
    171173
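Review bot: The added line 167 marks the update date with a raw `<small>` HTML tag, while the rest of the section uses wiki markup (`{{{ }}}`, `''subdomain''`, `[[Image(...)]]`); check that the tag renders instead of appearing literally, or write the date as plain wiki text. The example on line 170 also hard-codes `meek.azureedge.net` as the Host header, so it would help to say whether that is a live endpoint readers can test against or a stand-in for the subdomain they choose in the setup steps further down.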
    172 Azure is a cloud computing platform with a [https://azure.microsoft.com/en-us/services/cdn/ CDN].
    173 
    174 [https://azure.microsoft.com/en-us/pricing/details/cdn/ Pricing] is $0.12 to $0.19 per GB (depending on geographical region), getting less for higher volumes.
    175 
    176 Their wildcard HTTPS domain seems to be *.vo.msecnd.net. ajax.aspnetcdn.com might be a good front. I've also seen azurecomcdn.net. [https://www.eff.org/https-everywhere/atlas/domains/msecnd.net.html HTTPS Everywhere rules for msecnd.net]. All these fronting commands work:
    177 {{{
    178 wget https://az29590.vo.msecnd.net/img/rewardsSprite.png
    179 wget --no-check-certificate https://cs1.wpc.v0cdn.net/img/rewardsSprite.png --header 'Host: az29590.vo.msecnd.net'
    180 wget https://blahblahblah.vo.msecnd.net/img/rewardsSprite.png --header 'Host: az29590.vo.msecnd.net'
    181 wget --no-check-certificate https://cdn.astonmartin.com/img/rewardsSprite.png --header 'Host: az29590.vo.msecnd.net'
    182 wget https://ajax.aspnetcdn.com/img/rewardsSprite.png --header 'Host: az29590.vo.msecnd.net'
    183 }}}
     174Azure is a cloud computing platform with a [https://azure.microsoft.com/en-us/services/cdn/ CDN]. The CDN services are actually provided by Verizon or Akamai.
     175
     176[https://azure.microsoft.com/en-us/pricing/details/cdn/ Pricing] is $0.09 to $0.25 per GB (depending on geographical region), getting less for higher volumes.
     177
     178When you choose to use the Verizon CDN, you get a domain of the form ''subdomain''.azureedge.net, where you get to choose ''subdomain''. Formerly, you got an uncontrollable subdomain of vo.msecnd.net. ajax.aspnetcdn.com might be a good front. I've also seen azurecomcdn.net.
     179 * [https://www.eff.org/https-everywhere/atlas/domains/msecnd.net.html HTTPS Everywhere rules for msecnd.net].
    184180List of fronting-capable Azure domains (2017-07-24):
    185181 * [https://theobsidiantower.com/2017/07/24/d0a7cfceedc42bdf3a36f2926bd52863ef28befc.html Finding Domain frontable Azure domains] ([https://archive.fo/GDLbJ archive])
    186182 * [https://theobsidiantower.com/assets/known-good.txt known-good.txt] ([https://archive.fo/VxKpN archive])
    187183
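Review bot: The bullet on new line 179 is left hanging: the HTTPS Everywhere link for msecnd.net is now a one-item list under a paragraph that describes vo.msecnd.net as the former naming scheme, and the "List of fronting-capable Azure domains (2017-07-24)" that follows predates this update. Say that these references describe the older vo.msecnd.net setup, or group them under one lead-in for older material. The revision also removes all five fronting test commands and the remark about the wildcard HTTPS domain without adding an azureedge.net equivalent, so "ajax.aspnetcdn.com might be a good front" on line 178 now has no check a reader can run other than the single wget at the top of the section.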
    188 Microsoft is accepting research proposals. If the proposal is accepted, you get access to Azure including the CDN for a year.
    189  * http://www.microsoftazurepass.com/research
    190 There's also a 1-month trial.
    191  * http://azure.microsoft.com/en-us/pricing/free-trial/
    192 
    193 Here's how to set up Azure.
    194 Log in at https://manage.windowsazure.com/.
    195 From the main screen, click New→App Services→CDN→Quick Create.
    196 Under "Origin Type" select "Custom Origin"
    197 and then enter the URL to the meek-server host in the "Origin URL" box.
    198 Click "Create".
    199 Once the CDN endpoint is created, click on it and click "Enable HTTPS" at the bottom.
    200 It really does take about an hour before it starts working.
    201 Now you have an az''######''.vo.msecnd.net domain name that points to meek-server
    202 and you can front to it with any other Azure CDN domain such as ajax.aspnetcdn.com.
    203 
    204 [[Image(azure-setup.png)]]
     184Here's how to set up Azure.[[Image(azure-setup.png, 120px, right)]]
     185 * Log in at https://portal.azure.com/.
     186 * Click "All services" in the sidebar, type "cdn" in the search box, and select "CDN profiles".
     187 * Click "+ Add" to create a CDN profile. (You only have to do this the first time you create an endpoint.)
     188   * Name: doesn't matter.
     189   * Resource group: "Create new" or "Use existing" doesn't matter, I think it's just an accounting thing.
     190   * Resouce group location: doesn't matter, only controls "where the metadata associated with the CDN profile will reside".
     191   * Pricing tier: Standard Verizon. Standard Akamai may work too, haven't tried it.
     192 * Select the CDN profile and click "+ Endpoint".
     193   * Name: doesn't matter; this will become your azureedge.net subdomain.
     194   * Origin type: Custom origin.
     195   * Origin hostname: the domain name of your meek-server bridge.
     196   * Origin path: ''blank''
     197   * Origin host header: same as origin hostname.
     198   * Uncheck HTTP, check HTTPS.
     199   * Optimized for: General web delivery.
     200
     201After about an hour, the CDN will start forwarding. However, you will get "502 Bad Gateway" errors because by default, the Azure CDN [https://social.msdn.microsoft.com/Forums/azure/en-US/a973b1ec-a39f-4ee0-a683-12dc12a3f170/akamai-not-using-sni-towards-the-endpoint?forum=azurecdn#385a3443-b853-4d24-b07a-7a48ec386859 does not use TLS SNI towards the origin]. You have to ask them to enable it. (They expect you to have a one-hostname-per-IP-address setup that doesn't require SNI.) meek-server's built-in Let's Encrypt support (`--acme-hostnames`) requires SNI. Your options are to get a certificate manually and use the `--cert` and `--key` options; or to open a support request and ask them to enable SNI, which takes about one week.
     202
    205203
    206204
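Review bot: The step list on new lines 185-199 reads as if the endpoint will work once it is created, and the "502 Bad Gateway" caveat only arrives afterwards on line 201; a reader running meek-server with `--acme-hostnames` will complete every step and still fail. Put the SNI requirement next to the "Origin hostname" and "Uncheck HTTP, check HTTPS" items, or add a prerequisite line before the list, and state which of the two options (manual `--cert` and `--key`, or the support request) the section recommends. Line 190 has a typo, "Resouce group location". The old closing sentence about fronting to the new endpoint through another Azure CDN domain was removed with nothing in its place; one sentence on what to front with once the azureedge.net endpoint is live would close the procedure.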