Proxies now include information about what type they are when they poll
for client offers. The broker saves this information along with
snowflake ids and outputs it on the /debug page.
Switch to containing all communication between the proxy and the broker
in the HTTP response body. This will make things easier if we ever use
something other than HTTP communicate between different actors in the
snowflake system.
Other changes to the protocol are as follows:
- requests are accompanied by a version number so the broker can be
backwards compatable if desired in the future
- all responses are 200 OK unless the request was badly formatted
Many of our log messages were being used to generate metrics, but are
now being aggregated and logged to a separate metrics log file and so we
don't need them in the regular logs anymore.
This addresses the goal of ticket #30830, to remove unecessary messages
and keep broker logs for debugging purposes.
The broker /debug page was displaying proxy IDs and roundtrip times. As
serna pointed out in bug #31460, the proxy IDs can be used to launch a
denial of service attack. As the metrics team pointed out on #21315, the
round trip time average can be potentially sensitive.
This change displays only proxy counts and uses ID lengths to
distinguish between standalone proxy-go instances and browser-based
snowflake proxies.
This implements a handler at https://[snowflake-broker]/metrics for the
snowflake collecTor module to fetch stats from the broker. Logged
metrics are copied out to the response with a text/plain; charset=utf-8
content type. This implements bug #31376.
Added three new metrics:
- proxyIdleCount counts the number of times a proxy polls and receives
no snowflakes
- clientDeniedCount counts the number of times a client requested a
snowflake but none were available
- clientProxyMatchCount counts the number of times a client successfully
received a snowflake
So far, we request a certificate each time we start the broker. Let's
Encrypt maintains several rate limiters and if we exceed one of them, we
won't get a certificate. Worse, since we don't store certificates, we
won't even be able to use an old one.
This patch uses autocert's DirCache structure to cache certificates on
disk.
This patch fixes <https://bugs.torproject.org/30512>.
MaxBytesReader is only documented for server side reads, so we're using
a local limitedRead function instead that uses an io.LimitedReader.
Declared limits in a commented constant
Previously the metrics log file was hardcoded and the broker wasn't
behaving properly if it was unable to open the file for logging.
Added a commandline option to specify the logfile that defaults to
Stdout.
Fixed up some documentation and log output formatting
