docker-tor-hidden-service
-
26 jul 2022
- Update
onions
tool to v0.7.1:- Fix an issue when restarting a container with control port enabled
- Updated to python 3.10
- Fix a typo in
docker-compose.vanguards-network.yml
, it works now - Update
tor
to0.4.7.8
- Update
-
23 dec 2021
- Update
onions
tool to v0.7.0:- Drop support of onion v2 adresses as tor network does not accept them anymore
- Update
tor
to0.4.6.9
- Update
From 2019, new conf to handle tor v3 address has been added. Here an example with docker-compose
v2+:
version: "2"
services:
tor:
image: goldy/tor-hidden-service:0.3.5.8
links:
- hello
- world
- again
environment:
# hello and again will share the same onion v3 address
SERVICE1_TOR_SERVICE_HOSTS: 88:hello:80,8000:world:80
# Optional as tor version 2 is not supported anymore
SERVICE1_TOR_SERVICE_VERSION: '3'
# tor v3 address private key base 64 encoded
SERVICE1_TOR_SERVICE_KEY: |
PT0gZWQyNTUxOXYxLXNlY3JldDogdHlwZTAgPT0AAACArobDQYyZAWXei4QZwr++
j96H1X/gq14NwLRZ2O5DXuL0EzYKkdhZSILY85q+kfwZH8z4ceqe7u1F+0pQi/sM
world:
image: tutum/hello-world
hostname: world
hello:
image: tutum/hello-world
hostname: hello
This configuration will output:
service1: xwjtp3mj427zdp4tljiiivg2l5ijfvmt5lcsfaygtpp6cw254kykvpyd.onion:88, xwjtp3mj427zdp4tljiiivg2l5ijfvmt5lcsfaygtpp6cw254kykvpyd.onion:8000
xwjtp3mj427zdp4tljiiivg2l5ijfvmt5lcsfaygtpp6cw254kykvpyd.onion:88
will hit again:80
.
xwjtp3mj427zdp4tljiiivg2l5ijfvmt5lcsfaygtpp6cw254kykvpyd.onion:8000
will hit wold:80
.
The config patern for this variable is: {exposed_port}:{hostname}:{port}}
For example 80:hello:8080
will expose an onion service on port 80 to the port 8080 of hello hostname.
Unix sockets are supported too, 80:unix://path/to/socket.sock
will expose an onion service on port 80 to the socket /path/to/socket.sock
. See docker-compose.v2.socket.yml
for an example.
You can concatenate services using comas.
WARNING: Using sockets and ports in the same service group can lead to issues
Optionnal now, can only be 3
. Set the tor address type.
WARNING: Version 2 is not supported anymore by tor network
2
was giving short addresses 5azvyr7dvvr4cldn.onion
and 3
gives long addresses xwjtp3mj427zdp4tljiiivg2l5ijfvmt5lcsfaygtpp6cw254kykvpyd.onion
You can set the private key for the current service.
Tor v3 addresses uses ed25519 binary keys. It should be base64 encoded:
PT0gZWQyNTUxOXYxLXNlY3JldDogdHlwZTAgPT0AAACArobDQYyZAWXei4QZwr++j96H1X/gq14NwLRZ2O5DXuL0EzYKkdhZSILY85q+kfwZH8z4ceqe7u1F+0pQi/sM
Set tor sock5 proxy port for this tor instance. (Use this if you need to connect to tor network with your service)
Add any options in the torrc
file.
services:
tor:
environment:
# Add any option you need
TOR_EXTRA_OPTIONS: |
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
Secret key can be set through docker secrets
, see docker-compose.v3.yml
for example.
A command line tool onions
is available in container to get .onion
url when container is running.
# Get services
$ docker exec -ti torhiddenproxy_tor_1 onions
hello: xwjtp3mj427zdp4tljiiivg2l5ijfvmt5lcsfaygtpp6cw254kykvpyd.onion:80
world: ootceq7skq7qpvvwf2tajeboxovalco7z3ka44vxbtfdr2tfvx5ld7ad.onion:80
# Get json
$ docker exec -ti torhiddenproxy_tor_1 onions --json
{"hello": ["xwjtp3mj427zdp4tljiiivg2l5ijfvmt5lcsfaygtpp6cw254kykvpyd.onion:80"], "world": ["ootceq7skq7qpvvwf2tajeboxovalco7z3ka44vxbtfdr2tfvx5ld7ad.onion:80"]}
Changing /etc/tor/torrc
file triggers a SIGHUP
signal to tor
to reload configuration.
To disable this behavior, add ENTRYPOINT_DISABLE_RELOAD
in environment.
Container version will follow tor release versions.
This container uses pyentrypoint
to generate its setup.
This containner uses pytor
to mannages tor cryptography, generate keys and compute onion urls.
Use these environment variables to enable control port
TOR_CONTROL_PORT
: enable and set control port binding (ip
,ip:port
orunix:/path/to/socket.sock
) (default port is 9051)TOR_CONTROL_PASSWORD
: set control port password (in clear, not hashed)TOR_DATA_DIRECTORY
: set data directory (default/run/tor/data
)
For critical hidden services, it's possible to increase security with Vanguards
tool.
Check out docker-compose.vanguards.yml
for example.
Add environment variable TOR_ENABLE_VANGUARDS
to true
to start vanguards
daemon beside tor
process. Vanguards
logs will be displayed to stdout using pyentrypoint
logging, if you need raw output, set ENTRYPOINT_RAW
to true
in environment.
In this mode, if vanguards
exits, sigint is sent to tor
process to terminate it. If you want to disable this behavior, set VANGUARD_KILL_TOR_ON_EXIT
to false
in environment.
Check outdocker-compose.vanguards-network.yml
for an example of increased security setup using docker networks.
Use the same environment variable as tor
to configure vangards
(see upper).
TOR_CONTROL_PORT
TOR_CONTROL_PASSWORD
Use VANGUARDS_EXTRA_OPTIONS
environment variable to change any settings.
The following settings cannot me changer with this variable:
control_ip
:- use
TOR_CONTROL_PORT
- use
control_port
:- use
TOR_CONTROL_PORT
- use
control_socket
:- use
TOR_CONTROL_PORT
- use
control_pass
:- use
TOR_CONTROL_PASSWORD
- use
state_file
:- use
VANGUARDS_STATE_FILE
- use