8 releases
0.0.8 | Mar 27, 2024 |
---|---|
0.0.7 | Mar 19, 2024 |
0.0.2 | Feb 20, 2024 |
#4 in #oblivious
420 downloads per month
Used in 2 crates
29KB
558 lines
OHTTP Relay
A rust implementation of an Oblivious HTTP relay resource.
This work is undergoing active revision in the IETF and so are these implementations. Use at your own risk.
Usage
Run ohttp-relay by setting PORT
and GATEWAY_ORIGIN
environment vaiables. For example, to relay from port 3000 to an OHTTP Gateway Resource at https://payjo.in
, run the following.
PORT=3000 GATEWAY_ORIGIN='https://payjo.in' cargo run
Alternatively, set UNIX_SOCKET
to bind to a unix socket path instead of a TCP port.
This crate is intended to be run behind a reverse proxy like NGINX that can handle TLS for you. Tests specifically cover this integration using nginx.conf.template
.
Bootstrap Feature
The Oblivious HTTP specification requires clients obtain a Key Configuration from the OHTTP Gateway but leaves a mechanism for doing so explicitly unspecified. This feature hosts HTTPS-in-WebSocket and HTTPS-in-CONNECT proxies to allow web clients to GET a gateway's ohttp-keys via Direct Discovery in an end-to-end-encrypted, authenticated manner using the OHTTP relay as a tunnel so as not to reveal their IP address. The bootstrap
feature to host these proxies is enabled by default. The ws-bootstrap
and connect-bootstrap
features enable each proxy individually.
How does it work?
Both bootstrap features enable the server to forward packets directly to and from the OHTTP Gateway's TCP socket to negotiate a TLS session between the client and gateway. By doing so, the OHTTP Relay is prevented from conducting a man-in-the-middle attack to compromise the TLS session.
Dependencies
~12–23MB
~323K SLoC