That is very straight forward and simple. Is there really nothing else to this? Is the reason for docker so that they can update the nginx mapping and people's containers will automatically update? I might port this config over to HAProxy personal preference reasons
Docker compose doesn't work like that. People that uses it must pull the new dockerfile/config first, stop the container, rebuild it again using `docker-compose build` and start the container again. Nothing automatic about it. I suspect the mapping is pretty much set in stone because many people won't go out of their way to update their instance.
IMO it would be better if they release a pre-built image in docker hub so people has easier time hosting it on other container platforms instead of just docker compose.
As someone who usually avoids docker as well: I like to know what I am running. Docker adds an extra layer of obscurity and it is typically easy to get lazy and "just run" a container.
Just like you should have the habbit of checking random bash scripts you download before executing them, I think there is value in knowing the moving parts of the stuff you run.
So Docker gives you Dockerfiles that show exactly what's installed. It then leverages kernel namespaces introducing that extra level of security. Or so at least that's always been how I see it.
> Not that person above but the install flow for docker is obnoxious on windows and Mac.
On windows it's `winget install docker`. Mac is more of the same, just drag and drop docker desktop into your Applications. You can skip the tutorials on first launch for desktop.
> Having to create an account for open source software isn't reasonable, there's ways around that but not easily for most people.
Creating an account is entirely optional, it doesn't even prompt you to sign in.
> there's ways around that but not easily for most people.
Please explain. It never requires an account at any point of the install. It never prompts for a sign in. It's entirely optional. How much easier can "not clicking the sign in button" be?
You don't even need to install docker desktop, you can just use docker CLI. It doesn't even have to be docker, you can use podman.
I believe OP comment is just struggling with adapting to containerized workflows. An account is not a requirement, nor is the install process difficult. If you're still wanting to do it without a container, you can just inspect the image to see what the steps are for configuring your environment yourself. It is more work to not use a container.
Because I don't need it. I learned how to manage Linux servers in the early 2000s and that works for me. Docker on a VPS is ridiculous and wherever you find Docker you inevitably end up with Kubernetes. If I had a massive fleet of servers to manage I just might need containers but I'd probably try Chef or Puppet first. Docker is like React - designed for the needs of a global-scale internet company but now sprinkled mindlessly over sites which would be well served by a static site generator.
It would be lot harder to block Signal if it's federated. It's harder to block Matrix.
First they created the problem with centralized network (and phone numbers required for registration, my ass), then they ask people to run proxies for them. They can also piggyback on TOR and their bridges, they can make registration easier, but no.
Also many people won't be able to run the proxy anyways because they already got something listening on http ports and it seems like this crap doesn't cannot be put behin. a regular web server as a virtual host.
> Also many people won't be able to run the proxy anyways because they already got something listening on http ports and it seems like this crap doesn't cannot be put behin. a regular web server as a virtual host.
How does Matrix route messages if you block the IP addresses of a thousand of the most important servers? There must be relaying algorithms to find the blockage and route around it, right? How do those work, how do they avoid feeding the firewall with information that can be used to extend the blockage?
> how do they avoid feeding the firewall with information that can be used to extend the blockage?
I'm not sure if this is solvable. How would a network tell the difference between an iranian citizen and an iranian police? If you allow iranian citizens to connect to some IP address, how would you prevent iranian police from connecting the same way, and then adding the IP to the blocklist?
The best solution I can think of right now is for major tech companies (like Google, Microsoft, Apple) to host Matrix servers of their own, on their IPs. This way if the iranian police block those IPs, the country also loses access to these major internet services, which will shut off communication with the rest of the world and cripple their technological development (like North Korea).
The problem is similar to finding paths in a wireless mesh network where links may be obstructed. I've spoken to someone in a team that tried hard, he said that the traffic volume for routing updates grew faster than the size of the network and with their algorithms the limit on the size of the network was disappointingly small. ("Limit" being the approximate size at which the network becomes more concerned with routing itself than with delivering payload traffic.)
Now, if Matrix doesn't try to route around blocks, then blocking Matrix is trivial: ① Identify one or a few servers and block them ② check each packet to/from those and assess the likelihood that the peer is another server ③ add to the block list and go to back to step 2. So I assume Matrix does try, and wonder how.
But if Matrix does try to route around blocks, what's to stop Iranian police from constantly trying to connect to Matrix and getting re-routed to working servers, after which they can add those servers to the blocklist until there are no servers left.
Matrix is a decentralised network. The word decentralised means something. Decentralised networks can be designed such that servers aren't easily enumerated, and can be designed such that the network continues to work fairly well even if a firewall intercedes.
From what little I understand about Matrix, the former is probably the case and the latter might perhaps be but I wouldn't bet on it.
My preference would be to instead use CDN endpoints without any custom names. Akamai, Cloudflare, Cloudfront, BunnyCDN, KeyCDN, Fastly, etc... all using their templated generic DNS names making it look like image sharding requests.
Because (imho) it reflects project hygiene, health, priorities, and attention. Which I'd hope is a higher priority for something as important as a distributed network of proxies for a critical messaging service that oppressive regimes are blocking.
I know with the rest of their code base signal has stated that their code being open source is mainly for audit-ability, not collaboration. Maybe that what’s going on here?
Before anyone indulges in this kind of adventurism please be aware of the possible consequences:
The United States has now partly outsourced their intelligence gathering to BigTech ( https://en.wikipedia.org/wiki/PRISM ) and has also made laws to compel any company to allow US agencies to tap into their network (see Why Lavabit shutdown? - https://it.slashdot.org/story/14/05/20/2143258/why-lavabit-s... ) with whom they don't have an explicit arrangement. So it is important to note that your actions may be helping US / 5-eyes / 9-eyes intelligence agencies.
This is important to keep in mind as you are being asked to take sides in an international conflict and help circumvent the laws of one country. And this may have negative repercussion for you in the future. For example, you don't have any guarantees that Signal will not use these proxies for other countries too, and that could create legal trouble for you in your own country if they have a good relation with the country whose communication network / laws you are helping to circumvent. Or, you may become a person of interest in Iran or other countries for doing this and be a potential target for them which can create legal difficulties for you in the future in which case international travel may become difficult for you. (Yes, I am outlining the worst-case scenarios). Do remember that you will be responsible for the traffic that flows through this proxy and may not have similar legal protections like telecom or or communication platforms run by corporates do.
I write this because I too was once naive about how the Internet would change the world by making information open and accessible to all and bring us all closer with the ability to freely communicate through it. The reality today is a lot more sobering - the internet has been siloed and while information technically is still freely available it's very controlled, it is being used to profile people at a massive scale, experiments are being done through social networks to use them to deliberately create social and political turmoil in many countries, platforms like Wikipedia and Google Maps or Open street maps are being increasingly used to entice naive people to share and make even more information public without understanding the repercussion of how it may be used against their country, and worst of all, attempts are being made to replace your own country's communication network with it ... (Signal is also one of the new controlled silos of the internet and not an open, interconnected or distributed platform like the internet was originally envisioned by some).
So go ahead and do this if you believe it will do political good, but do it it with your eyes open.
Are you not just acting as a middleman? so encrypted data goes to you and forwarded to signal servers and all you have going through your network is encrypted?
I'm a complete amateur but I thought everything sent from signal was encrypted right from the get go and "not possible" to decrypt mid-transit?
Yes, a proxy acts as a middleman. But as the blog post itself points out,
When you publicly post a signal.tube link, or if a particular server becomes too popular, it increases the chance that Iranian censors will simply add those IPs to their block list.
authorities can track how the information flows, which can be used to identify you (for e.g. through the proxy IP). With foreign encrypted networks, police / intelligence now focus more on getting the device that sent or received the message, rather than intercepting the message by breaking the encryption, as that is an easier method to get all the communication. (And remember that Signal uses phone numbers as identifiers, which really makes it easy for law enforcement to track someone in any investigation). So if someone has been tagged as suspect "terrorist" by the Iranians, and they determine that your proxy has enabled that suspect to bypass their laws and use Signal, you can be liable for aiding and abetting "terrorism".
Ah, they just go to the source and deal with it there instead of trying to crack the message.
But am I understanding correctly, that if you used this thing, what is flowing through your network would all be encrypted stuff, basically just noise to anyone who isn't either the sender or signal? (if none of the devices in this has been compromised)
Yes, that is what Signal claims - the data is encrypted and they try to disguise it as much as possible to look like normal internet traffic. But governments around the world also make equal effort to ensure they can identify the different traffic that flows through their internet infrastructure.
It is. The person you're replying to was naïve, and still is.
It's true: Adding stuff to Wikipedia or OSM can help bad guys get information, and this can have negative effects for you. But the person you're replying to assumes naïvely that this is perceiptibly worse than the negative effects of bad luck. You're going to have bad luck in your life, that's in the nature of luck.
I added the location of a specialist shop that sells mostly grappa. Someone might find that shop with the information I added, buy and drink too much grappa, drive a car and drive over me. It could happen. But thinking that this is perceptibly worse for me than if I hadn't added that location is naïve.
Similarly, your country could introduce a retroactive law prohibiting proxies or introducing some form of liability, and when the Iranians send a list of IP addresses your country gaols you. It could happen, but is it probable enough to be compared to the effects of bad luck on your future life?
If by secure you mean the messages cannot be intercepted, yes Signal is theoretically secure as the process of communication is encrypted. On the other hand, Signal can be blocked as it is not truly distributed and requires a Signal server. Very simply put, blocking the Signal server disables the Signal network. That's why Signal is asking someone to setup a proxy server on their hardware that can then allow certain users to connect again to their Signal servers, via the proxy.
Note that these proxies too can be identified and blocked.
Worse, their IP address could be used to identify you in any investigation. This was the legal risk I was pointing out as you do not know how Signal will use your infrastructure (in ways that may make you liable for something in your own country) or how other countries may become hostile towards you for allowing Signal to circumvent their laws.
