KomodoPlatform / komodo-defi-framework

This is the official Komodo DeFi Framework repository
https://komodoplatform.com/en/docs/komodo-defi-framework/

80/443 ports for electrum servers. #623

Open artemii235 opened 4 years ago

artemii235 commented 4 years ago

There are "bad ISPs" that are known to have paranoid policies, so they tend to block literally any ports except standard HTTP, e.g. https://wiki.vuze.com/w/Bad_ISPs (Claro is choking access to TCP/UDP ports because of paranoid policies on their NAT). The discussion started in an issue that is not directly related to this topic, so I'm creating a new one for further discussions. https://github.com/KomodoPlatform/atomicDEX-API/issues/612#issuecomment-617712800

artemii235 commented 4 years ago

Not yet, it requires additional DNS configuration. The current electrum server addresses maintained by cipig follow the electrum1-3.cipig.net:PORT pattern; it should be changed to e.g. kmd.electrum1.cipig.net:80 etc. @cipig is it possible to add such DNS entries for the electrums while keeping the old addresses available too?

That will not work, since all coins are running on the same server (or 3 of them), and each server has only one port 80.

@cipig AFAIK you already use load balancers for the electrums; is it possible to have them also proxy port 80 of a specific domain name to a specific port of the electrum server, e.g. kmd.electrum1.cipig.net:80 is proxied to electrum1.cipig.net:10001?

cipig commented 4 years ago

I don't use a load balancer, there is just a backup IP for each DNS entry, in case the first one is unreachable. But load balancers would not work, since they operate on IPs, not on DNS entries. We would need to run a proxy on each server that can differentiate between queries to kmd.electrum1.cipig.net and btc.electrum1.cipig.net, even if they point to the same IP. AFAIK this is only possible with the HTTP protocol, because the server name is in the HTTP header, but electrumx does not speak HTTP, so we would need separate IPs for all coins and I don't think that Hetzner will provide us 50 IPs per server. WSS could be the solution, AFAIK it works like HTTP, so including the header stuff. The electrum servers already listen on a wss port, e.g. SERVICES = tcp://:10001,rpc://:8001,ssl://:20001,wss://:30001 for KMD. And we need a wss-proxy, maybe https://www.nginx.com/blog/websocket-nginx/... and 6 DNS entries per coin... so a pretty big effort... and this includes only the servers we run, so coins like BCH and LTC, which use external servers, would not be included.

I think installing https://play.google.com/store/apps/details?id=org.torproject.android&hl=en would solve the bad ISP issue better ;-)
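One way to realise the per-hostname WSS proxy described above, as an added example that is not part of this thread or of the project's configuration: nginx terminates TLS on 443 for one virtual host per coin and forwards the upgraded WebSocket connection to that coin's ElectrumX wss:// listener on the same machine. It assumes nginx on each electrum host, the KMD and ZEC wss ports quoted in the thread, and placeholder certificate paths and hostnames.

```nginx
# Added example, not the project's own config. Routing is by Host header / TLS
# SNI, so every coin can share the single public IP of the electrum server.

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Assumed: the ElectrumX wss:// listener is itself TLS, so the backend is
# proxied over https. Expose a plain ws:// listener on 127.0.0.1 instead if
# you want the hop to stay unencrypted on loopback.
upstream electrumx_kmd { server 127.0.0.1:30001; }   # KMD wss port from the thread
upstream electrumx_zec { server 127.0.0.1:30058; }   # ZEC wss port from the thread

server {
    listen 443 ssl;
    server_name kmd.electrum1.cipig.net;             # placeholder per-coin hostname
    ssl_certificate     /etc/ssl/certs/electrum1.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/private/electrum1.key; # placeholder path

    location / {
        proxy_pass https://electrumx_kmd;
        proxy_http_version 1.1;                      # required for Upgrade
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        proxy_read_timeout 3600s;                    # subscriptions are long-lived
        proxy_ssl_verify   on;                       # pin the loopback hop to the same cert
        proxy_ssl_trusted_certificate /etc/ssl/certs/electrum1.pem;
    }
}

server {
    listen 443 ssl;
    server_name zec.electrum1.cipig.net;             # placeholder per-coin hostname
    ssl_certificate     /etc/ssl/certs/electrum1.pem;
    ssl_certificate_key /etc/ssl/private/electrum1.key;

    location / {
        proxy_pass https://electrumx_zec;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        proxy_read_timeout 3600s;
    }
}
```

A client that can only reach port 443 then connects to wss://kmd.electrum1.cipig.net/ and is transparently handed to ElectrumX; only the hostnames, not the ElectrumX SERVICES line, need to grow per coin.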

ArtemGr commented 4 years ago

paranoid policies so they tend to block literally any ports except standard HTTP

Blocking non-HTTP in order to avoid any troublesome traffic and legal repercussions coming with it is only one of the angles. Another angle is prioritizing such traffic, meaning that the reliability of non-HTTP communication might be suboptimal compared to the HTTP traffic.

I've seen Wi-Fi spots (in Italy in particular) that only passed HTTP traffic. Why did they choose to do that? I have no idea. Might even be a simple misconfiguration issue. Most users won't even notice, as most apps are using HTTP anyway.

WSS could be the solution, afaik it works like HTTP, so including the header stuff. The electrum servers already listen to wss-port, eg SERVICES = tcp://:10001,rpc://:8001,ssl://:20001,wss://:30001 for KMD. And we need a wss-proxy

Yes, exactly, WSS is what I had in mind. Note how default WSS ports are also HTTP(s) ports, and for good reason.

I think installing https://play.google.com/store/apps/details?id=org.torproject.android&hl=en would solve the bad ISP issue better ;-)

Detecting when we have a "bad ISP" situation and suggesting ways to work around it to the users might indeed be an option, thanks for the hint @cipig.

Speaking of Orbot, is it ISP-friendly, using normal HTTP(s) communication?

BloodyNora commented 4 years ago

If need be, a connection to the Tor network will be established via so-called bridges, some of which listen on standard HTTPS ports.

See https://tor.stackexchange.com/questions/13270/how-to-use-bridges-in-orbot for details.

ArtemGr commented 4 years ago

Wow. Thanks @BloodyNora. Looks like Orbot is not really an option.

artemii235 commented 4 years ago

So I think we have a plan:

Any proposals or objections?

cipig commented 4 years ago

Sounds like a plan. Point 2 is already done, all our electrum servers have wss enabled. They use the same port scheme as KMD SERVICES = tcp://:10001,rpc://:8001,ssl://:20001,wss://:30001, eg ZEC has SERVICES = tcp://:10058,rpc://:8058,ssl://:20058,wss://:30058. The certificate is the same as the one for SSL and the same as on https://dexapi.cipig.net/public/ticker_24h.php.

BloodyNora commented 4 years ago

FYI, all Verus electrums as per https://github.com/KomodoPlatform/coins/blob/master/electrums/VRSC do support WSS on tcp://17488 - also all hostnames do electrumx-https on their tcp://443 HTTPS endpoint.

PS: I'll gladly contribute a 'generic' electrumx-https-proxy if need be. Just LMK please.