
Don't run non-HTTPS FRONTED protocol listeners

Rod Hynes 6 месяцев назад
Родитель
Сommit
c92ec5c6a6

+ 6 - 0
psiphon/common/protocol/protocol.go

@@ -365,6 +365,12 @@ func TunnelProtocolUsesFrontedMeekQUIC(protocol string) bool {
 	return protocol == TUNNEL_PROTOCOL_FRONTED_MEEK_QUIC_OBFUSCATED_SSH
 }
 
+func TunnelProtocolUsesFrontedMeekNonHTTPS(protocol string) bool {
+	protocol = TunnelProtocolMinusInproxy(protocol)
+	return protocol == TUNNEL_PROTOCOL_FRONTED_MEEK_HTTP ||
+		protocol == TUNNEL_PROTOCOL_FRONTED_MEEK_QUIC_OBFUSCATED_SSH
+}
+
 func TunnelProtocolUsesRefractionNetworking(protocol string) bool {
 	return protocol == TUNNEL_PROTOCOL_TAPDANCE_OBFUSCATED_SSH ||
 		protocol == TUNNEL_PROTOCOL_CONJURE_OBFUSCATED_SSH
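Review bot: The new exported predicate `TunnelProtocolUsesFrontedMeekNonHTTPS` has no doc comment, and its name invites misreading, since the tunnelServer.go hunk in the same commit states that the edge-to-server hop for these protocols is still HTTPS; "NonHTTPS" presumably refers to the client-to-edge hop. I would add `// TunnelProtocolUsesFrontedMeekNonHTTPS reports whether protocol is a FRONTED-MEEK variant whose client-facing transport is not HTTPS (HTTP or QUIC). The edge-to-server hop still uses HTTPS, so the server runs no dedicated listener for these protocols.` above the function. The body also strips the in-proxy prefix via `TunnelProtocolMinusInproxy` before comparing; only the return line of the neighbouring `TunnelProtocolUsesFrontedMeekQUIC` is visible, so whether the sibling predicates normalize the same way cannot be confirmed here and is worth a check so callers get consistent answers for in-proxy protocol names.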

+ 3 - 0
psiphon/server/hostConfig_linux.go

@@ -162,6 +162,9 @@ func configureIptablesAcceptRateLimitChain(config *Config, add bool) error {
 
 				// Assumes all FRONTED-MEEK is HTTPS over TCP between the edge
 				// and Psiphon server.
+				if protocol.TunnelProtocolUsesFrontedMeekNonHTTPS(tunnelProtocol) {
+					continue
+				}
 
 				protocolRules, err = meekAcceptRateLimitRules(portNumber, rateLimit)
 				if err != nil {
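Review bot: The pre-existing comment "Assumes all FRONTED-MEEK is HTTPS over TCP between the edge and Psiphon server" now sits directly above the added `continue`, so it reads as the explanation for skipping these protocols, which is the opposite of what it says. The skip is justified because no listener is run for them (per the tunnelServer.go hunk), so no accept rate-limit rule should be installed for a port nothing listens on. I would insert, immediately before the added `if`, `// No listener is run for non-HTTPS FRONTED-MEEK protocols (see TunnelServer.Run), so no accept rate limit rules are installed for them.` and leave the existing comment attached to the `meekAcceptRateLimitRules` call it describes. The enclosing `configureIptablesAcceptRateLimitChain` starts outside the hunk.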

+ 5 - 4
psiphon/server/tunnelServer.go

@@ -159,11 +159,12 @@ func (server *TunnelServer) Run() error {
 		var BPFProgramName string
 		var err error
 
-		if protocol.TunnelProtocolUsesFrontedMeekQUIC(tunnelProtocol) {
+		if protocol.TunnelProtocolUsesFrontedMeekNonHTTPS(tunnelProtocol) {
 
-			// For FRONTED-MEEK-QUIC-OSSH, no listener implemented. The edge-to-server
-			// hop uses HTTPS and the client tunnel protocol is distinguished using
-			// protocol.MeekCookieData.ClientTunnelProtocol.
+			// For FRONTED-MEEK-QUIC, no listener implemented; for
+			// FRONTED-MEEK-HTTP, no listener is run. The edge-to-server hop
+			// uses HTTPS and the client tunnel protocol is distinguished
+			// using protocol.MeekCookieData.ClientTunnelProtocol.
 			continue
 
 		} else if protocol.TunnelProtocolUsesQUIC(tunnelProtocol) {
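Review bot: The rewritten comment says "for FRONTED-MEEK-HTTP, no listener is run" but gives no reason, whereas the QUIC case is explained ("no listener implemented"); a reader later may treat the HTTP skip as an oversight and re-enable it. I would extend the comment with one sentence stating that a plaintext HTTP listener is intentionally not exposed because the edge-to-server hop is always HTTPS and the fronted HTTP variant is distinguished at the edge, matching the commit title. Separately, a protocol configured with a port that is then silently skipped is easy to mistake for a misconfiguration during operations; if `Run` has a logger in scope (not visible in the hunk), a single startup log line naming the skipped protocol would make the intended behaviour observable. With this change `TunnelProtocolUsesFrontedMeekQUIC` may have lost its only caller here, which is worth confirming across the tree.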