6 Commits bffedd5a55 ... b5f31829c8

Author SHA1 Message Date
  Fabian Peter Hammerle b5f31829c8 ansible playbook: upgrade image 1 week ago
  Fabian Peter Hammerle c0108f3399 release v3.0.0 1 week ago
  Fabian Peter Hammerle 14f8bdb506 added option to enable non-anonymous single hop mode 1 week ago
  Fabian Peter Hammerle 869b5f4d10 fill torrc template with envsubst 1 week ago
  Fabian Peter Hammerle aa63d37284 ansible playbook: limit container's cpu usage 1 week ago
  Fabian Peter Hammerle ebe1fc1364 healthcheck: probe network-liveness instead of tcp scanning 1 week ago
7 changed files with 60 additions and 20 deletions
  1. 21 1
      CHANGELOG.md
  2. 6 4
      Dockerfile
  3. 12 0
      README.md
  4. 8 4
      ansible-playbook.yml
  5. 2 1
      docker-compose.yml
  6. 2 5
      entrypoint.sh
  7. 9 5
      torrc.template

+ 21 - 1
CHANGELOG.md

@@ -6,6 +6,25 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [3.0.0] - 2020-10-10
+### Added
+- option `NON_ANONYMOUS_SINGLE_HOP_MODE=1` to enable non-anonymous single hop mode
+  (direct circuits to introduction & rendezvous points)
+- ansible playbook: limit container's cpu usage
+
+### Changed
+- healthcheck: probe [network-liveness](https://gitweb.torproject.org/torspec.git/tree/control-spec.txt)
+  instead of tcp scanning via socks proxy
+- changed log level of `control` domain to `warn`
+  (to avoid log spam by healthcheck connecting to control listener)
+- added message domains to log messages
+- fill `torrc` template with `envsubst`
+
+### Removed
+- disabled socks proxy
+- `netcat-openbsd` package
+  (busybox implementation sufficient for new healthcheck)
+
 ## [2.0.0] - 2020-10-01
 ### Added
 - create mount point at `/var/lib/tor`
@@ -57,7 +76,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [0.1] - 2018-12-27
 
-[Unreleased]: https://github.com/fphammerle/docker-onion-service/compare/v2.0.0...HEAD
+[Unreleased]: https://github.com/fphammerle/docker-onion-service/compare/v3.0.0...HEAD
+[3.0.0]: https://github.com/fphammerle/docker-onion-service/compare/v2.0.0...v3.0.0
 [2.0.0]: https://github.com/fphammerle/docker-onion-service/compare/v1.1.0...v2.0.0
 [1.1.0]: https://github.com/fphammerle/docker-onion-service/compare/v1.0.1...v1.1.0
 [1.0.1]: https://github.com/fphammerle/docker-onion-service/compare/v1.0.0...v1.0.1

+ 6 - 4
Dockerfile

@@ -1,10 +1,10 @@
 FROM alpine:3.12
 
-ARG NETCAT_PACKAGE_VERSION=1.130-r1
+ARG GETTEXT_PACKAGE_VERSION=0.20.2-r0
 ARG TOR_PACKAGE_VERSION=0.4.3.5-r0
 RUN apk add --no-cache \
-        netcat-openbsd=$NETCAT_PACKAGE_VERSION \
         tor=$TOR_PACKAGE_VERSION \
+        gettext=$GETTEXT_PACKAGE_VERSION \
     && mkdir -m u=rwx,g=,o= /onion-service \
     && chown tor /onion-service
 VOLUME /var/lib/tor
@@ -21,11 +21,13 @@ RUN chmod -c a+rX /torrc.template /entrypoint.sh
 ENV VERSION 3
 ENV VIRTUAL_PORT 80
 ENV TARGET 1.2.3.4:8080
+ENV NON_ANONYMOUS_SINGLE_HOP_MODE 0
 ENTRYPOINT ["/entrypoint.sh"]
 
 USER tor
 CMD ["tor", "-f", "/tmp/torrc"]
 
+# https://gitweb.torproject.org/torspec.git/tree/control-spec.txt
 HEALTHCHECK CMD \
-    nc -x localhost:9050 -z "$(cat /onion-service/hostname)" "$VIRTUAL_PORT" \
-    || exit 1
+    printf "AUTHENTICATE\nGETINFO network-liveness\nQUIT\n" | nc localhost 9051 \
+        | grep -q network-liveness=up || exit 1
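Review bot: The new HEALTHCHECK's `printf "AUTHENTICATE\n…" | nc localhost 9051` line only works because the control listener accepts a bare `AUTHENTICATE`; `ControlPort localhost:9051` in torrc.template (context in that file's second hunk) configures neither `CookieAuthentication` nor `HashedControlPassword`, so the same unauthenticated access is available to anything else that reaches the container's loopback, not only the healthcheck. That was already true before this change, but the healthcheck now hard-wires the dependency, so it should be stated next to the command, e.g. `# relies on the ControlPort being unauthenticated (see torrc.template); presumably only reachable from inside this container's network namespace or containers sharing it`. Switching to `CookieAuthentication 1` would likely keep the healthcheck workable since it runs as `USER tor` and could hex-encode the cookie file, but that is a larger change than this commit makes. Separately, the trailing `|| exit 1` is redundant: the healthcheck status is already the pipeline's last command, `grep -q`.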

+ 12 - 0
README.md

@@ -40,6 +40,18 @@ to make the container's root filesystem read only
 $ sudo docker exec onion_service cat /onion-service/hostname
 abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrst.onion
 ```
+
+## single-hop mode
+
+in single-hop mode connections from the onion service
+to introduction & rendezvous points will be direct
+and thus no longer anonymous:
+```sh
+$ sudo docker run -e NON_ANONYMOUS_SINGLE_HOP_MODE=1 …
+```
+
+useful to reduce latency (e.g. clearnet http servers setting `alt-svc` header)
+
 ## show circuits
 
 ```sh

+ 8 - 4
ansible-playbook.yml

@@ -3,12 +3,13 @@
   tasks:
   - docker_container:
       name: onion_service
-      # object 3acef0d56536497ecf85ebdd017dd8d825be1d8d
-      # tag docker/2.0.0-tor0.4.3.5-amd64
-      image: docker.io/fphammerle/onion-service@sha256:4e64c5ddc1115b9c2fb1d6ea6ce6ac3cf77fbfb048257d9c8c3c71b4765611fb
+      # object c0108f3399291deb03e22c550c09c502935c7f6b
+      # tag docker/3.0.0-tor0.4.3.5-amd64
+      image: docker.io/fphammerle/onion-service@sha256:4eff7f17a8d78ba4117a6dc64a120ff46cbbe7702595b37d8bafe9c8492c59df
       env:
-        VIRTUAL_PORT: 80
+        VIRTUAL_PORT: '80'
         TARGET: 1.2.3.4:8080
+        #NON_ANONYMOUS_SINGLE_HOP_MODE: '1'
       volumes:
       - onion_service_data:/var/lib/tor
       - onion_service_key:/onion-service
@@ -21,5 +22,8 @@
       read_only: yes
       cap_drop: [ALL]
       security_opts: [no-new-privileges]
+      cpu_quota: 5000
+      cpu_period: 10000
       memory: 128M
       restart_policy: unless-stopped
+      state: started

+ 2 - 1
docker-compose.yml

@@ -24,7 +24,8 @@ services:
     read_only: yes
     environment:
       VIRTUAL_PORT: 80
-      TARGET: 1.2.3.4:8080
+      TARGET: 1.1.1.1:80
+      #NON_ANONYMOUS_SINGLE_HOP_MODE: 1
     cap_drop: [ALL]
     security_opt: [no-new-privileges]
     cpus: 0.5
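Review bot: The example `TARGET: 1.1.1.1:80` now differs from the Dockerfile default (`ENV TARGET 1.2.3.4:8080`) and from ansible-playbook.yml (`TARGET: 1.2.3.4:8080`), and it points at a real public host, so anyone who runs the compose file unchanged publishes a third-party service through their onion address; possibly that is intended as a working demo target, but the file does not say so. A short comment above it, `# example only — replace with your own backend`, would make the intent clear, and using the same placeholder in all three files would remove the inconsistency. The service block starts before the hunk.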

+ 2 - 5
entrypoint.sh

@@ -1,10 +1,7 @@
 #!/bin/sh
 
-set -eux
+set -eu
 
-sed -e "s#{version}#$VERSION#" \
-    -e "s#{virtual_port}#$VIRTUAL_PORT#" \
-    -e "s#{target}#$TARGET#" \
-    /torrc.template >/tmp/torrc
+envsubst </torrc.template >/tmp/torrc
 
 exec "$@"

+ 9 - 5
torrc.template

@@ -1,4 +1,7 @@
-Log notice stdout
+# hide healthchecks:
+# > [notice] {CONTROL} New control connection opened from 127.0.0.1.
+Log [~control]notice warn stdout
+LogMessageDomains 1
 
 # default: ~/.tor
 DataDirectory /var/lib/tor
@@ -6,13 +9,14 @@ DataDirectory /var/lib/tor
 # https://gitweb.torproject.org/torspec.git/tree/control-spec.txt
 ControlPort localhost:9051
 
-# healthcheck
-SocksPort 9050
+SocksPort 0
 
 # https://www.torproject.org/docs/tor-onion-service
 HiddenServiceDir /onion-service
-HiddenServiceVersion {version}
-HiddenServicePort {virtual_port} {target}
+HiddenServiceVersion $VERSION
+HiddenServicePort $VIRTUAL_PORT $TARGET
+HiddenServiceSingleHopMode $NON_ANONYMOUS_SINGLE_HOP_MODE
+HiddenServiceNonAnonymousMode $NON_ANONYMOUS_SINGLE_HOP_MODE
 
 # try to
 HardwareAccel 1
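Review bot: `Log [~control]notice warn stdout` in the first hunk suppresses `[notice] {CONTROL} New control connection opened from 127.0.0.1.` for every control connection, not only the healthcheck's, and since `ControlPort localhost:9051` (context in the second hunk) has no authentication configured, that notice was the only log evidence of some other process attaching to the control port. Filtering the healthcheck lines in the log consumer instead would keep that signal; if the quieter level stays, the comment should name the trade-off, e.g. `# NOTE: also hides control connections opened by anything else on loopback`. In the second hunk, feeding `HiddenServiceSingleHopMode` and `HiddenServiceNonAnonymousMode` from the same variable matches tor's requirement that both be enabled together, and `SocksPort 0` satisfies its rule that non-anonymous mode requires client ports to be disabled; a one-line comment above the pair stating both constraints would help the next editor keep them in step.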