
Fabian Peter Hammerle b3eabc5be4 upgrade alpine base image from v3.13.5 to v3.14.0 including tor package upgrade from v0.4.4.9-r0 to v0.4.5.9-r0 (diff links below) 3 years ago
.github 16856af330 configure dependabot to keep github-actions up-to-date 3 years ago
CHANGELOG.md 2daab42c07 release v3.1.0 3 years ago
Dockerfile 4ff78b8190 upgrade alpine base image from v3.13.5 to v3.14.0 including tor package upgrade from v0.4.4.9-r0 to v0.4.5.9-r0 (diff links below) 3 years ago
Makefile e8dfe51bb8 makefile: fix incomplete list of phony targets; rename variable for consistency 3 years ago
README.md 14f8bdb506 added option to enable non-anonymous single hop mode 4 years ago
ansible-playbook.yml b5f31829c8 ansible playbook: upgrade image 4 years ago
docker-compose.yml 14f8bdb506 added option to enable non-anonymous single hop mode 4 years ago
entrypoint.sh 869b5f4d10 fill torrc template with envsubst 4 years ago
tor-changelog.url 0599554fd6 upgrade tor package v0.4.4.6-r1 -> v0.4.4.7r1 3 years ago
tor-package-log.url eac4c484c2 upgrade alpine base image v3.12.3->v3.13.0 including upgrade of tor v0.4.3.7-r0->v0.4.4.6-r1 (diff links below) 3 years ago
torrc.template 14f8bdb506 added option to enable non-anonymous single hop mode 4 years ago

README.md

docker: hidden tor .onion service 🐳

repo: https://github.com/fphammerle/docker-onion-service

docker hub: https://hub.docker.com/r/fphammerle/onion-service/tags

signed tags: https://github.com/fphammerle/docker-onion-service/tags

defaults to creating a v3 service

example 1

$ sudo docker run --name onion_service \
    -e VIRTUAL_PORT=80 -e TARGET=1.2.3.4:8080 \
    fphammerle/onion-service

example 2

$ sudo docker create --name onion_service \
    --env VERSION=3 \
    --env VIRTUAL_PORT=80 \
    --env TARGET=1.2.3.4:8080 \
    --volume onion-key:/onion-service \
    --restart unless-stopped \
    --cap-drop all --security-opt no-new-privileges \
    fphammerle/onion-service:latest

$ sudo docker start onion_service

optionally add --read-only --tmpfs /tmp:rw,size=4k to make the container's root filesystem read-only

retrieve hostname

$ sudo docker exec onion_service cat /onion-service/hostname
abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrst.onion
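
added example (not part of this repository): a check that a line read from /onion-service/hostname is a well-formed v3 address, i.e. 56 base32 characters decoding to a 32-byte public key, a 2-byte checksum and version byte 3. the function names and the sample key are constructed for illustration; the placeholder hostname shown above fails the check because it contains characters outside the base32 alphabet.

```python
import base64
import hashlib
from typing import Tuple

SUFFIX = ".onion"
VERSION = b"\x03"


def v3_checksum(pubkey: bytes, version: bytes = VERSION) -> bytes:
    # first two bytes of SHA3-256(".onion checksum" | pubkey | version)
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    """hostname for a 32-byte ed25519 public key (used here to build sample input)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public keys are 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode().lower() + SUFFIX


def check_v3_hostname(hostname: str) -> Tuple[bool, str]:
    """return (ok, reason); does not verify that the key is a valid curve point."""
    name = hostname.strip().lower()
    if not name.endswith(SUFFIX):
        return False, "missing .onion suffix"
    label = name[: -len(SUFFIX)]
    if len(label) != 56:
        return False, "expected 56 characters before .onion, got %d" % len(label)
    try:
        raw = base64.b32decode(label.upper())  # 56 chars -> 35 bytes, no padding
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False, "not base32 (allowed: a-z and 2-7)"
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        return False, "version byte is not 3"
    if checksum != v3_checksum(pubkey, version):
        return False, "checksum mismatch"
    return True, "ok"


# constructed sample key, not a real service
SAMPLE = encode_v3(bytes(range(32)))

if __name__ == "__main__":
    import sys
    for line in sys.stdin:
        print(line.strip(), *check_v3_hostname(line))
```

the output of the docker exec command above can be piped into the script on stdin.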

single-hop mode

in single-hop mode, connections from the onion service to introduction & rendezvous points will be direct and thus no longer anonymous:

$ sudo docker run -e NON_ANONYMOUS_SINGLE_HOP_MODE=1 …

useful to reduce latency (e.g. clearnet http servers setting alt-svc header)

show circuits

$ sudo docker exec onion_service \
    sh -c 'printf "AUTHENTICATE\nGETINFO circuit-status\nQUIT\n" | nc localhost 9051'

relay search: https://metrics.torproject.org/rs.html

docker-compose 🐙

  1. git clone https://github.com/fphammerle/docker-onion-service
  2. edit docker-compose.yml
  3. sudo docker-compose up --build

further reading

onion service protocol overview

operational security

http

ways to publish onion services: