Hi guys, I operate a tor bridge on one of my VPS, with obfs4 listening on port 443 (for maximum accessibility).
Now with the number of IPv4 being limited etc. , I wanted to also run a webserver (for personal use) on this VPS, ideally on port 443; I’d like to go with nginx.
Is it possible, and if so is there some guide, on how I can run my webserver on port 443 to answer actual TLS handshakes and then serve the HTTP request, while sending obfs4 traffic to obfs4proxy?
IMO one additional benefit would be if someone found the IP sussy and went to [IP]:443 in their browser, they would now see an actual website server.
For the questions you asked, there is a protocol demultiplexer called sslh that allows running ssh and https (and other protocols like XMPP, tinc, openvpn and so on) on the same port, but I have no experience with that software and I can’t tell you if it would work with an obfs4 bridge. AFAIK obfs4 has no protocol signature (obfs4’s design goal) so it’s possible sslh won’t be able to recognize this properly.
But if I’m trying to set up a bridge and https server on the same port, I’d set up a WebTunnel bridge that encapsulates bridge traffic inside normal https traffic. And the configuration will be much easier, since it’s just a reverse proxy on httpd’s side.
sslh looks interesting, might give it a go. In terms of helping the maximum amount of users, especially those in places with heavy censorship, does an obfs4 bridge help more, or a WebTunnel bridge?
From a brief review, it seems WebTunnel would look like actual HTTPS traffic to censors, so it might be better to switch to that anyway?
I’m not sure. I think both are good as long as their existences are not made known to adversaries, but after that it would be at the whim of adversaries. For example, Shadowsocks, an obfuscation protocol based on obfs4, would usually work okay in China until the server was found out by the censor. Vmess/Vless (an HTTPS-based obfuscation protocol similar to WebTunnel but created much earlier) suffers a similar fate despite being HTTPS-based. Censors won’t care if you’re hiding behind an innocuous website; they just block any proxy when they find it, even though they can’t recognize the traffic pattern from the get-go.
I don’t know if sslh would work with obfs4 though, so you might need to switch to WebTunnel anyway if you want to share ports with a web server.
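To make the demultiplexing point in the two replies above concrete: an sslh-style demuxer can only match protocols that have a recognisable first message, so obfs4 (which has none by design) can only ever be the fallback target, not a matched one. The following is an added illustration, not code from the thread, sslh, or the Tor project; it assumes nginx is bound to 127.0.0.1:8443 and obfs4proxy to 127.0.0.1:4430 (constructed values), peeks at the first bytes of each connection, routes anything that looks like a TLS ClientHello to nginx, and sends everything else to the obfs4 backend.

```python
import asyncio
from typing import Tuple

# Constructed backend addresses (assumptions, not from the thread).
TLS_BACKEND = ("127.0.0.1", 8443)       # nginx, TLS on a local port
FALLBACK_BACKEND = ("127.0.0.1", 4430)  # obfs4proxy, everything unmatched


def looks_like_tls_client_hello(head: bytes) -> bool:
    """True if the bytes start with a TLS handshake record (type 0x16, version
    0x03 0x0?) whose first handshake message is a ClientHello (type 0x01)."""
    if len(head) < 6:
        return False
    return (head[0] == 0x16 and head[1] == 0x03 and head[2] <= 0x04
            and head[5] == 0x01)


def choose_backend(head: bytes) -> Tuple[str, int]:
    """obfs4 output is indistinguishable from random bytes, so it cannot be
    matched positively; it is whatever does NOT look like TLS. The reverse
    mistake (random obfs4 bytes that happen to parse as a ClientHello) is
    possible but has probability on the order of 2^-24 per connection."""
    return TLS_BACKEND if looks_like_tls_client_hello(head) else FALLBACK_BACKEND


async def pump(reader: asyncio.StreamReader, writer: asyncio.StreamWriter):
    """Copy bytes one way until EOF, then close the destination."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()


async def handle(client_reader, client_writer):
    try:
        # Both TLS clients and obfs4 clients speak first, so a short read is
        # enough to classify; a silent client falls through to the fallback.
        head = await asyncio.wait_for(client_reader.read(1024), timeout=5)
    except asyncio.TimeoutError:
        head = b""
    host, port = choose_backend(head)
    backend_reader, backend_writer = await asyncio.open_connection(host, port)
    backend_writer.write(head)  # replay the bytes we consumed while peeking
    await backend_writer.drain()
    await asyncio.gather(pump(client_reader, backend_writer),
                         pump(backend_reader, client_writer))


async def main(listen_port: int = 443):
    server = await asyncio.start_server(handle, "0.0.0.0", listen_port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

Note that this classifies on the TLS record header only, which is all a demuxer sees before the handshake; it says nothing about whether the bridge line itself stays hidden once a censor has learned the address.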