add in-country-validated Akamai SNIs (IR) #7

Closed
myleshorton wants to merge 1 commit into main from fisk/akamai-snis-ir
@myleshorton
Contributor

Summary

Adds 14 in-country-validated SNIs to the Akamai provider's masquerade pool. Source: Keith (Psiphon ops, 2026-05-24), based on aggregated client telemetry from Iran.

Akamai serves the same default cert (a248.e.akamai.net) regardless of incoming SNI, so these names are pure DPI cover — the inner Host header drives property routing as before. The Iranian domestic names are particularly resilient — IR can't block them without breaking core domestic services.

SNIs added

| Category | SNI |
| --- | --- |
| Python ecosystem | python.org, pypi.org, www.python.org, www.pypi.org, files.pythonhosted.org, registry.npmjs.org |
| US tech giants | google.com, www.google.com, go.microsoft.com |
| Iranian domestic | snapp.ir (ride-hailing), varzesh3.com (sports), aparat.com (video), bmi.ir (Bank Melli), digikala.com (e-commerce) |

Consumer

radiance#488 extends AkamaiCandidates to consume SNIsForProvider(cfg, "akamai") and mix named SNIs alongside the existing bare-SNI strategy. Each Akamai IP gets 1 bare-SNI candidate + up to 3 named-SNI candidates drawn at random from the pool.

Why entries have empty ipaddress

SNIsForProvider only consumes the Domain field, so these are SNI-pool-only entries. The scanner pairs them with Akamai IPs discovered at probe time. CandidatesFromConfig is the only path that would use the ipaddress, and it's gated by KnownSample > 0 (off by default in radiance's pool config).

Verification

Smoke test (radiance ./cmd/meek-client-smoke/) confirms named-SNI candidates round-trip end-to-end against the deployed meek server:

INFO got fronts count=3 first_ip=184.28.105.132 first_sni=a248.e.akamai.net
{
  "origin": "139.162.181.47"
}
✅ end-to-end meek client smoke test PASSED

🤖 Generated with Claude Code
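
The candidate mix described under "Consumer" above (1 bare-SNI candidate plus up to 3 named-SNI candidates per IP), as an added example that is not part of this PR and is not radiance's code. The `Candidate` type, `MixCandidates`, the empty-string model of a bare-SNI candidate, and the sample IPs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"math/rand"
)

// Candidate is a hypothetical type for this example: one (IP, outer SNI) pair to probe.
type Candidate struct {
	IP  string
	SNI string // "" models the bare-SNI strategy (assumption; the PR does not define it)
}

const maxNamedPerIP = 3 // "up to 3 named-SNI candidates" per the PR description

// MixCandidates returns, for each IP, one bare candidate followed by up to
// maxNamedPerIP distinct named-SNI candidates drawn at random from pool.
// Empty and duplicate pool entries are dropped before sampling.
func MixCandidates(ips, pool []string, rng *rand.Rand) []Candidate {
	seen := map[string]bool{}
	var uniq []string
	for _, s := range pool {
		if s != "" && !seen[s] {
			seen[s] = true
			uniq = append(uniq, s)
		}
	}
	out := make([]Candidate, 0, len(ips)*(1+maxNamedPerIP))
	for _, ip := range ips {
		out = append(out, Candidate{IP: ip}) // the single bare-SNI candidate
		n := maxNamedPerIP
		if len(uniq) < n {
			n = len(uniq) // small pool: use what is there, never repeat a name
		}
		for _, idx := range rng.Perm(len(uniq))[:n] {
			out = append(out, Candidate{IP: ip, SNI: uniq[idx]})
		}
	}
	return out
}

func main() {
	// Constructed sample input: documentation-range IPs, SNIs taken from the PR's list.
	ips := []string{"192.0.2.10", "192.0.2.11"}
	pool := []string{"python.org", "pypi.org", "snapp.ir", "aparat.com", "digikala.com"}
	for _, c := range MixCandidates(ips, pool, rand.New(rand.NewSource(1))) {
		fmt.Printf("%s sni=%q\n", c.IP, c.SNI)
	}
}
```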

Adds 14 SNIs to the akamai provider's masquerade pool as SNI-only
entries. Source: Keith (Psiphon ops, 2026-05-24), from aggregated
Iranian client telemetry showing which outer-SNI values currently
pass IR DPI when sent in the TLS ClientHello to an Akamai edge.

Akamai serves the same default cert (a248.e.akamai.net) regardless
of incoming SNI, so these are pure DPI cover — the inner Host
header drives property routing as before.

  python.org           pypi.org             www.python.org
  www.pypi.org         files.pythonhosted.org    registry.npmjs.org
  google.com           www.google.com       go.microsoft.com
  snapp.ir             varzesh3.com         aparat.com
  bmi.ir               digikala.com

Iranian domestic names are particularly resilient cover — IR can't
block them without breaking core domestic services.

Consumed by radiance/fronted/scanner via SNIsForProvider(cfg,
"akamai"), which feeds AkamaiCandidates (radiance#488) to mix named
SNIs alongside the bare-SNI strategy. Entries have empty ipaddress
because they are SNI-pool-only; the scanner pairs them with
discovered Akamai IPs at probe time, and CandidatesFromConfig (the
only path that consumes ipaddress) is gated by KnownSample > 0,
which is off by default.
@myleshorton
Contributor Author

Closing — wrong section. The generator regenerates the masquerades list daily from a fresh CDN-IP scan in lantern-cloud/cmd/update_masquerades, so manual masquerade-list additions get wiped. The durable home for SNI cover is provider_map.yaml's akamai.frontingsnis.default.arbitrarysnis. Re-opening over there.

@myleshorton deleted the fisk/akamai-snis-ir branch May 26, 2026 13:45