You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

Go to file

Chirstophe Mehay 1dbcebdee3 Update tor to 0.4.7.12		1 year ago
assets	Add tests for Vanguards setup	4 years ago
hooks	Fix typo, add test for v2 secret key in env, fix docker build scripts	5 years ago
onions	Fix issue when restarting tor container with control password	2 years ago
tests	Update tor version to 0.4.6.10	2 years ago
.dockerignore	Update tor to 0.4.7.11	1 year ago
.gitignore	Add tor v3 addresses support	5 years ago
.pre-commit-config.yaml	Migrate from Pipenv to Poetry	4 years ago
.travis.yml	Fix travis python version	4 years ago
Dockerfile	Update to python 3.10	2 years ago
Makefile	Update tor version to 0.4.6.10	2 years ago
README.md	Update readme	2 years ago
current_tor_version	Update tor to 0.4.7.12	1 year ago
current_torsocks_version	Fix typo: rename current_torsock_version to current_torsocks_version.	3 years ago
docker-compose.build.yml	Dockerfile: Add torsocks binary.	3 years ago
docker-compose.v2.socket.yml	Fix typo, add test for v2 secret key in env, fix docker build scripts	5 years ago
docker-compose.v2.yml	Drop support for onion addresses v2	2 years ago
docker-compose.v3.latest.yml	Drop support for onion addresses v2	2 years ago
docker-compose.v3.yml	Drop support for onion addresses v2	2 years ago
docker-compose.vanguards-network.yml	Fix typo in docker-compose.vanguards-network.yml	2 years ago
docker-compose.vanguards.yml	Add tests for Vanguards setup	4 years ago
last_tor_version.sh	Make the last_tor_version.sh script executable.	3 years ago
last_torsocks_version.sh	Dockerfile: Add torsocks binary.	3 years ago
poetry.lock	Update tor to 0.4.7.12	1 year ago
private_key_bar_v3	Add tor v3 addresses support	5 years ago
private_key_foo_v3	Drop support for onion addresses v2	2 years ago
pyproject.toml	Update readme	2 years ago
tox.ini	Update to python 3.10	2 years ago

README.md

docker-tor-hidden-service

Changelog

26 jul 2022
- Update onions tool to v0.7.1:
  - Fix an issue when restarting a container with control port enabled
  - Updated to python 3.10
- Fix a typo in docker-compose.vanguards-network.yml, it works now
- Update tor to 0.4.7.8
23 dec 2021
- Update onions tool to v0.7.0:
  - Drop support of onion v2 adresses as tor network does not accept them anymore
- Update tor to 0.4.6.9

Setup

Setup hosts

From 2019, new conf to handle tor v3 address has been added. Here an example with docker-compose v2+:

version: "2"

services:
  tor:
    image: goldy/tor-hidden-service:0.3.5.8
    links:
      - hello
      - world
      - again
    environment:

        # hello and again will share the same onion v3 address
        SERVICE1_TOR_SERVICE_HOSTS: 88:hello:80,8000:world:80
        # Optional as tor version 2 is not supported anymore
        SERVICE1_TOR_SERVICE_VERSION: '3'
        # tor v3 address private key base 64 encoded
        SERVICE1_TOR_SERVICE_KEY: |
            PT0gZWQyNTUxOXYxLXNlY3JldDogdHlwZTAgPT0AAACArobDQYyZAWXei4QZwr++
            j96H1X/gq14NwLRZ2O5DXuL0EzYKkdhZSILY85q+kfwZH8z4ceqe7u1F+0pQi/sM            

  world:
    image: tutum/hello-world
    hostname: world

  hello:
    image: tutum/hello-world
    hostname: hello

This configuration will output:

service1: xwjtp3mj427zdp4tljiiivg2l5ijfvmt5lcsfaygtpp6cw254kykvpyd.onion:88, xwjtp3mj427zdp4tljiiivg2l5ijfvmt5lcsfaygtpp6cw254kykvpyd.onion:8000

xwjtp3mj427zdp4tljiiivg2l5ijfvmt5lcsfaygtpp6cw254kykvpyd.onion:88 will hit again:80. xwjtp3mj427zdp4tljiiivg2l5ijfvmt5lcsfaygtpp6cw254kykvpyd.onion:8000 will hit wold:80.

Environment variables

`{SERVICE}_TOR_SERVICE_HOSTS`

The config patern for this variable is: {exposed_port}:{hostname}:{port}}

For example 80:hello:8080 will expose an onion service on port 80 to the port 8080 of hello hostname.

Unix sockets are supported too, 80:unix://path/to/socket.sock will expose an onion service on port 80 to the socket /path/to/socket.sock. See docker-compose.v2.socket.yml for an example.

You can concatenate services using comas.

WARNING: Using sockets and ports in the same service group can lead to issues

`{SERVICE}_TOR_SERVICE_VERSION`

Optionnal now, can only be 3. Set the tor address type.

WARNING: Version 2 is not supported anymore by tor network

2 was giving short addresses 5azvyr7dvvr4cldn.onion and 3 gives long addresses xwjtp3mj427zdp4tljiiivg2l5ijfvmt5lcsfaygtpp6cw254kykvpyd.onion

`{SERVICE}_TOR_SERVICE_KEY`

You can set the private key for the current service.

Tor v3 addresses uses ed25519 binary keys. It should be base64 encoded:

PT0gZWQyNTUxOXYxLXNlY3JldDogdHlwZTAgPT0AAACArobDQYyZAWXei4QZwr++j96H1X/gq14NwLRZ2O5DXuL0EzYKkdhZSILY85q+kfwZH8z4ceqe7u1F+0pQi/sM

`TOR_SOCKS_PORT`

Set tor sock5 proxy port for this tor instance. (Use this if you need to connect to tor network with your service)

`TOR_EXTRA_OPTIONS`

Add any options in the torrc file.

services:
  tor:
    environment:
        # Add any option you need
        TOR_EXTRA_OPTIONS: |
          HiddenServiceNonAnonymousMode 1
          HiddenServiceSingleHopMode 1

Secrets

Secret key can be set through docker secrets, see docker-compose.v3.yml for example.

Tools

A command line tool onions is available in container to get .onion url when container is running.

# Get services
$ docker exec -ti torhiddenproxy_tor_1 onions
hello: xwjtp3mj427zdp4tljiiivg2l5ijfvmt5lcsfaygtpp6cw254kykvpyd.onion:80
world: ootceq7skq7qpvvwf2tajeboxovalco7z3ka44vxbtfdr2tfvx5ld7ad.onion:80

# Get json
$ docker exec -ti torhiddenproxy_tor_1 onions --json
{"hello": ["xwjtp3mj427zdp4tljiiivg2l5ijfvmt5lcsfaygtpp6cw254kykvpyd.onion:80"], "world": ["ootceq7skq7qpvvwf2tajeboxovalco7z3ka44vxbtfdr2tfvx5ld7ad.onion:80"]}

Auto reload

Changing /etc/tor/torrc file triggers a SIGHUP signal to tor to reload configuration.

To disable this behavior, add ENTRYPOINT_DISABLE_RELOAD in environment.

Versions

Container version will follow tor release versions.

pyentrypoint

This container uses pyentrypoint to generate its setup.

pytor

This containner uses pytor to mannages tor cryptography, generate keys and compute onion urls.

Control port

Use these environment variables to enable control port

TOR_CONTROL_PORT: enable and set control port binding (ip, ip:port or unix:/path/to/socket.sock) (default port is 9051)
TOR_CONTROL_PASSWORD: set control port password (in clear, not hashed)
TOR_DATA_DIRECTORY: set data directory (default /run/tor/data)

Vanguards

For critical hidden services, it's possible to increase security with Vanguards tool.

Run in the same container

Check out docker-compose.vanguards.yml for example.

Add environment variable TOR_ENABLE_VANGUARDS to true to start vanguards daemon beside tor process. Vanguards logs will be displayed to stdout using pyentrypoint logging, if you need raw output, set ENTRYPOINT_RAW to true in environment.

In this mode, if vanguards exits, sigint is sent to tor process to terminate it. If you want to disable this behavior, set VANGUARD_KILL_TOR_ON_EXIT to false in environment.

Run in separate containers

Check outdocker-compose.vanguards-network.yml for an example of increased security setup using docker networks.

settings

Use the same environment variable as tor to configure vangards (see upper).

TOR_CONTROL_PORT
TOR_CONTROL_PASSWORD

more settings

Use VANGUARDS_EXTRA_OPTIONS environment variable to change any settings.

The following settings cannot me changer with this variable:

control_ip:
- use TOR_CONTROL_PORT
control_port:
- use TOR_CONTROL_PORT
control_socket:
- use TOR_CONTROL_PORT
control_pass:
- use TOR_CONTROL_PASSWORD
state_file:
- use VANGUARDS_STATE_FILE