Allows the Outline servers to become even more censorship resistant by not directly revealing them to end users (which obfuscates a bit more from potential censors).
Creates the potential for the FCP to create dynamic access key "mirrors" on several S3 providers (AWS, Cloudflare, Wasabi, etc). S3 bucket links using the S3 provider's hostnames is better, and more censorship resistant.
Would allow the FCP to provide a random (or many) ssconf:// mirror to users that they could try.
Allows for the FCP to dynamically update access keys if a server gets blocked (e.g. take a server out of rotation from all dynamic access keys, and update them with a new server).
Steers us away from using DNS hostnames for the Outline servers, we could use raw IPs to circumvent any potential DNS-based filtering of our Outline server domains.
Potential design:
Access key retrieval:
User attempts to retrieve an access key via HTTP.
FCP queries all available Outline servers via the closest serverless edge datacenter, picks best latency and lowest access key count Outline server.
FCP creates a dynamic S3 access key file in a directory (using randomized character string) on 3 or more S3 bucket providers (AWS, Cloudflare, Wasabi & others potentially). The dynamic access key contains the JSON config from the chosen server.
FCP stores the access key mirror ssconf:// links in a Workers KV namespace in JSON format to be used when updating or deleting access keys later.
FCP returns the ssconf:// S3 mirrors to the user, allowing them to pick one that works for them.
User enters the ssconf:// line in their Outline client, which pulls the JSON and connects to the server the FCP chose for them.
Considerations:
Each dynamic access key URL must be unique and contain a randomized character string.
Each dynamic access key's JSON must contain a unique access key (don't reuse the same keys).
The FCP should be able to mass-update the contents of dynamic access keys if a server gets blocked, the IP gets rotated, or get decommissioned.
Reference: https://www.reddit.com/r/outlinevpn/wiki/index/dynamic_access_keys/
Potential benefits:
ssconf://mirror to users that they could try.Potential design:
Access key retrieval:
ssconf://links in a Workers KV namespace in JSON format to be used when updating or deleting access keys later.ssconf://S3 mirrors to the user, allowing them to pick one that works for them.ssconf://line in their Outline client, which pulls the JSON and connects to the server the FCP chose for them.Considerations: