
docker-tor-hidden-service's Introduction

docker-tor-hidden-service


Changelog

  • 26 jul 2022

    • Update onions tool to v0.7.1:
      • Fix an issue when restarting a container with control port enabled
      • Updated to python 3.10
    • Fix a typo in docker-compose.vanguards-network.yml, it works now
    • Update tor to 0.4.7.8
  • 23 dec 2021

    • Update onions tool to v0.7.0:
      • Drop support for onion v2 addresses, as the tor network does not accept them anymore
    • Update tor to 0.4.6.9

Setup

Setup hosts

Since 2019, a new configuration format handling tor v3 addresses has been available. Here is an example with docker-compose v2+:

version: "2"

services:
  tor:
    image: goldy/tor-hidden-service:0.3.5.8
    links:
      - hello
      - world
      - again
    environment:

        # hello and again will share the same onion v3 address
        SERVICE1_TOR_SERVICE_HOSTS: 88:hello:80,8000:world:80
        # Optional as tor version 2 is not supported anymore
        SERVICE1_TOR_SERVICE_VERSION: '3'
        # tor v3 address private key base 64 encoded
        SERVICE1_TOR_SERVICE_KEY: |
            PT0gZWQyNTUxOXYxLXNlY3JldDogdHlwZTAgPT0AAACArobDQYyZAWXei4QZwr++
            j96H1X/gq14NwLRZ2O5DXuL0EzYKkdhZSILY85q+kfwZH8z4ceqe7u1F+0pQi/sM

  world:
    image: tutum/hello-world
    hostname: world

  hello:
    image: tutum/hello-world
    hostname: hello

This configuration will output:

service1: xwjtp3mj427zdp4tljiiivg2l5ijfvmt5lcsfaygtpp6cw254kykvpyd.onion:88, xwjtp3mj427zdp4tljiiivg2l5ijfvmt5lcsfaygtpp6cw254kykvpyd.onion:8000

xwjtp3mj427zdp4tljiiivg2l5ijfvmt5lcsfaygtpp6cw254kykvpyd.onion:88 will hit again:80. xwjtp3mj427zdp4tljiiivg2l5ijfvmt5lcsfaygtpp6cw254kykvpyd.onion:8000 will hit world:80.

Environment variables

{SERVICE}_TOR_SERVICE_HOSTS

The config pattern for this variable is: {exposed_port}:{hostname}:{port}

For example, 80:hello:8080 will expose an onion service on port 80 that forwards to port 8080 of the hello host.

Unix sockets are supported too: 80:unix://path/to/socket.sock will expose an onion service on port 80 that forwards to the socket /path/to/socket.sock. See docker-compose.v2.socket.yml for an example.

You can concatenate several mappings for one service using commas.

WARNING: Using sockets and ports in the same service group can lead to issues
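
As an added example (not the project's own code), the following Python parses the {SERVICE}_TOR_SERVICE_HOSTS format described above, groups the {SERVICE}_TOR_SERVICE_* variables by service, and flags the socket/port mix the warning refers to. The torrc rendering and the normalisation of unix://path to /path are assumptions based on the README's wording, not the container's actual template.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HostMapping:
    exposed_port: int           # virtual port published on the .onion address
    target: str                 # container hostname, or "unix:/path/to/socket.sock"
    target_port: Optional[int]  # None when the target is a unix socket

    @property
    def is_socket(self) -> bool:
        return self.target.startswith("unix:")

    def torrc_line(self) -> str:
        # tor's HiddenServicePort takes "host:port" or "unix:/path" as its target
        if self.is_socket:
            return f"HiddenServicePort {self.exposed_port} {self.target}"
        return f"HiddenServicePort {self.exposed_port} {self.target}:{self.target_port}"


def _port(text: str, what: str) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"{what} must be a port number between 1 and 65535, got {text!r}")
    return int(text)


def parse_service_hosts(value: str) -> list[HostMapping]:
    """Parse one {SERVICE}_TOR_SERVICE_HOSTS value: comma-separated
    {exposed_port}:{hostname}:{port} or {exposed_port}:unix://path entries."""
    mappings = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        exposed, sep, rest = item.partition(":")
        if not sep:
            raise ValueError(f"malformed entry {item!r}")
        if rest.startswith("unix:"):
            # "unix://path/to/socket.sock" and "unix:/path/to/socket.sock" both
            # name /path/to/socket.sock (assumed normalisation, see lead-in)
            path = "/" + rest[len("unix:"):].lstrip("/")
            mappings.append(HostMapping(_port(exposed, "exposed port"), "unix:" + path, None))
        else:
            host, sep2, port = rest.partition(":")
            if not sep2 or not host:
                raise ValueError(f"malformed entry {item!r}: expected exposed:host:port")
            mappings.append(HostMapping(_port(exposed, "exposed port"), host, _port(port, "target port")))
    if not mappings:
        raise ValueError("no host mapping given")
    return mappings


def check_service_group(mappings: list[HostMapping]) -> list[str]:
    """Warnings for one service group: sockets and ports mixed (the README warns
    this leads to issues) and an exposed port used twice."""
    warnings = []
    if any(m.is_socket for m in mappings) and any(not m.is_socket for m in mappings):
        warnings.append("sockets and ports mixed in the same service group")
    seen = set()
    for m in mappings:
        if m.exposed_port in seen:
            warnings.append(f"exposed port {m.exposed_port} mapped more than once")
        seen.add(m.exposed_port)
    return warnings


_HOSTS_VAR = re.compile(r"^(?P<service>.+)_TOR_SERVICE_HOSTS$")


def collect_services(env: dict[str, str]) -> dict[str, dict]:
    """Group {SERVICE}_TOR_SERVICE_HOSTS/_VERSION/_KEY variables by service name."""
    services = {}
    for name, value in env.items():
        match = _HOSTS_VAR.match(name)
        if not match:
            continue
        svc = match.group("service")
        if str(env.get(f"{svc}_TOR_SERVICE_VERSION", "3")) != "3":
            raise ValueError(f"{svc}: only version 3 onion services are supported")
        hosts = parse_service_hosts(value)
        services[svc] = {
            "hosts": hosts,
            "key": env.get(f"{svc}_TOR_SERVICE_KEY"),  # None: tor generates a key itself
            "warnings": check_service_group(hosts),
        }
    return services


if __name__ == "__main__":
    # constructed environment mirroring the README example plus a mixed socket/port group
    env = {
        "SERVICE1_TOR_SERVICE_HOSTS": "88:hello:80,8000:world:80",
        "SERVICE1_TOR_SERVICE_VERSION": "3",
        "SOCK_TOR_SERVICE_HOSTS": "80:unix://path/to/socket.sock,81:hello:8080",
    }
    for svc, info in collect_services(env).items():
        print(svc, [m.torrc_line() for m in info["hosts"]], info["warnings"])
```
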

{SERVICE}_TOR_SERVICE_VERSION

Optional now; the only accepted value is 3. Sets the tor address type.

WARNING: Version 2 is not supported anymore by tor network

Version 2 gave short addresses such as 5azvyr7dvvr4cldn.onion; version 3 gives long addresses such as xwjtp3mj427zdp4tljiiivg2l5ijfvmt5lcsfaygtpp6cw254kykvpyd.onion.

{SERVICE}_TOR_SERVICE_KEY

You can set the private key for the current service.

Tor v3 addresses use ed25519 binary keys. The key must be base64 encoded:

PT0gZWQyNTUxOXYxLXNlY3JldDogdHlwZTAgPT0AAACArobDQYyZAWXei4QZwr++j96H1X/gq14NwLRZ2O5DXuL0EzYKkdhZSILY85q+kfwZH8z4ceqe7u1F+0pQi/sM
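
As an added example (not the project's or pytor's code), the following Python derives the v3 onion address from a {SERVICE}_TOR_SERVICE_KEY value and verifies an address's checksum, using a small reference-style ed25519 implementation. It assumes Tor's expanded-key layout (a 32-byte "== ed25519v1-secret: type0 ==" header, then the already-clamped scalar followed by the signing prefix) and is run against the README's sample key above.

```python
import base64
import hashlib

# Reference-style ed25519 group arithmetic: clear rather than constant time,
# which is fine for deriving a public key from a key you already hold.
P = 2**255 - 19
D = (-121665 * pow(121666, P - 2, P)) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)


def _inv(x: int) -> int:
    return pow(x, P - 2, P)


def _xrecover(y: int) -> int:
    xx = (y * y - 1) * _inv(D * y * y + 1)
    x = pow(xx, (P + 3) // 8, P)
    if (x * x - xx) % P != 0:
        x = (x * SQRT_M1) % P
    return P - x if x % 2 else x


BASE_Y = (4 * _inv(5)) % P
BASE = (_xrecover(BASE_Y), BASE_Y)


def _add(p, q):
    x1, y1 = p
    x2, y2 = q
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * _inv(1 + t)) % P, ((y1 * y2 + x1 * x2) * _inv(1 - t)) % P


def _scalarmult(p, e: int):
    q = (0, 1)  # neutral element; double-and-add from the most significant bit
    for bit in reversed(range(e.bit_length())):
        q = _add(q, q)
        if (e >> bit) & 1:
            q = _add(q, p)
    return q


def _encodepoint(p) -> bytes:
    x, y = p  # 255 bits of y, little endian, with the sign of x in the top bit
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


KEY_HEADER = b"== ed25519v1-secret: type0 ==".ljust(32, b"\0")


def parse_tor_service_key(b64: str) -> bytes:
    """Decode a {SERVICE}_TOR_SERVICE_KEY value into the 64-byte expanded secret.
    Newlines left over from a YAML block scalar are dropped by b64decode's default mode."""
    raw = base64.b64decode(b64)
    if len(raw) != 96 or raw[:32] != KEY_HEADER:
        raise ValueError("not a tor ed25519v1 secret key (32-byte header + 64-byte key expected)")
    return raw[32:]


def public_key_from_secret(expanded: bytes) -> bytes:
    # Tor keeps the clamped scalar a in the first 32 bytes (little endian); the
    # remaining 32 bytes are the signing prefix and play no part in the address.
    a = int.from_bytes(expanded[:32], "little")
    if a & 7 or not (a >> 254) & 1 or a >> 255:
        raise ValueError("scalar is not clamped; key material is corrupt")
    return _encodepoint(_scalarmult(BASE, a))


def onion_address(pubkey: bytes) -> str:
    """v3 address = base32(pubkey || checksum[:2] || version) with version 0x03."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"


def verify_onion_address(address: str) -> bytes:
    """Check a v3 address's length, version byte and checksum; return its public key."""
    name = address[:-6] if address.endswith(".onion") else address
    if len(name) != 56:
        raise ValueError("v3 addresses are 56 base32 characters")
    raw = base64.b32decode(name.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    if version != b"\x03" or checksum != expected:
        raise ValueError("bad version byte or checksum")
    return pubkey


def address_from_service_key(b64: str) -> str:
    return onion_address(public_key_from_secret(parse_tor_service_key(b64)))


# The README's sample key, split across two lines exactly as a YAML "|" block yields it.
README_KEY = (
    "PT0gZWQyNTUxOXYxLXNlY3JldDogdHlwZTAgPT0AAACArobDQYyZAWXei4QZwr++\n"
    "j96H1X/gq14NwLRZ2O5DXuL0EzYKkdhZSILY85q+kfwZH8z4ceqe7u1F+0pQi/sM"
)

if __name__ == "__main__":
    addr = address_from_service_key(README_KEY)
    print(addr)
    verify_onion_address(addr)
```
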

TOR_SOCKS_PORT

Set the tor socks5 proxy port for this tor instance. (Use this if your service needs to connect to the tor network.)

TOR_EXTRA_OPTIONS

Add any options in the torrc file.

services:
  tor:
    environment:
        # Add any option you need
        TOR_EXTRA_OPTIONS: |
          HiddenServiceNonAnonymousMode 1
          HiddenServiceSingleHopMode 1

Secrets

Secret key can be set through docker secrets, see docker-compose.v3.yml for example.

Tools

A command line tool, onions, is available inside the container to get the .onion URLs while the container is running.

# Get services
$ docker exec -ti torhiddenproxy_tor_1 onions
hello: xwjtp3mj427zdp4tljiiivg2l5ijfvmt5lcsfaygtpp6cw254kykvpyd.onion:80
world: ootceq7skq7qpvvwf2tajeboxovalco7z3ka44vxbtfdr2tfvx5ld7ad.onion:80

# Get json
$ docker exec -ti torhiddenproxy_tor_1 onions --json
{"hello": ["xwjtp3mj427zdp4tljiiivg2l5ijfvmt5lcsfaygtpp6cw254kykvpyd.onion:80"], "world": ["ootceq7skq7qpvvwf2tajeboxovalco7z3ka44vxbtfdr2tfvx5ld7ad.onion:80"]}

Auto reload

Changing /etc/tor/torrc file triggers a SIGHUP signal to tor to reload configuration.

To disable this behavior, add ENTRYPOINT_DISABLE_RELOAD in environment.

Versions

Container version will follow tor release versions.

pyentrypoint

This container uses pyentrypoint to generate its setup.

pytor

This container uses pytor to manage tor cryptography, generate keys and compute onion URLs.

Control port

Use these environment variables to enable the control port:

  • TOR_CONTROL_PORT: enable and set control port binding (ip, ip:port or unix:/path/to/socket.sock) (default port is 9051)
  • TOR_CONTROL_PASSWORD: set control port password (in clear, not hashed)
  • TOR_DATA_DIRECTORY: set data directory (default /run/tor/data)

Vanguards

For critical hidden services, it's possible to increase security with the Vanguards tool.

Run in the same container

Check out docker-compose.vanguards.yml for example.

Set the environment variable TOR_ENABLE_VANGUARDS to true to start the vanguards daemon beside the tor process. Vanguards logs will be displayed on stdout through pyentrypoint logging; if you need raw output, set ENTRYPOINT_RAW to true in the environment.

In this mode, if vanguards exits, SIGINT is sent to the tor process to terminate it. To disable this behavior, set VANGUARD_KILL_TOR_ON_EXIT to false in the environment.

Run in separate containers

Check out docker-compose.vanguards-network.yml for an example of an increased-security setup using docker networks.

Settings

Use the same environment variables as for tor to configure vanguards (see above).

  • TOR_CONTROL_PORT
  • TOR_CONTROL_PASSWORD

More settings

Use VANGUARDS_EXTRA_OPTIONS environment variable to change any settings.

The following settings cannot be changed with this variable:

  • control_ip:
    • use TOR_CONTROL_PORT
  • control_port:
    • use TOR_CONTROL_PORT
  • control_socket:
    • use TOR_CONTROL_PORT
  • control_pass:
    • use TOR_CONTROL_PASSWORD
  • state_file:
    • use VANGUARDS_STATE_FILE

docker-tor-hidden-service's People

Contributors

binfalse, cmehay, dependabot[bot], jooray, packmad, schildbach, tribela


docker-tor-hidden-service's Issues

multiple port mapping

Hi Christophe,

Is it possible to map multiple ports to a linked container?
For example: onion:80 -> linked_container:8080 and onion:88 -> linked_container:8088

setup with service outside docker

Can I use it with a service outside docker?

For example, I have a web app running on Apache (not inside docker); is it possible to use this project to serve it through tor?

Unable to make this work correctly

So, the container is running but I'm not able to access the hidden service.
[Screenshot from 2019-07-17 18-38-36]

I'm able to access the other container from the tor.
[Screenshot from 2019-07-17 18-37-29]

This is my docker-compose.yml:

version: '3'

services:
  tor:
    image: goldy/tor-hidden-service:0.4.0.5
    links:
      - safer
    hostname: onion
    environment:
      SAFER_TOR_SERVICE_HOSTS: 80:safer:56733
      SAFER_TOR_SERVICE_VERSION: 3
      SAFER_TOR_SERVICE_KEY: |
        PT0gZWQyNTUxOXYxLXNlY3JldDogdHlwZTAgPT0AAAB4Arvdx5kzsF8dK+OUDOSt
        13Zytck6JM1xxFp3ftGhRGlJTZ1X2wrztcqzXYuQftzxZXB0wTYwJl+cUVm3RmH7

  safer:
    build:
      context: ./
      dockerfile: Dockerfile
    image: safer
    volumes:
      ['./:/app']
    ports:
      ['56733:80']
    hostname: safer

question - example v3 - full example

Hi,

Hope you are all well !

I have some troubles to setup my hidden service, at least the basic one.

I used pytor and generated:

hostname:
kgeaybcqmclodfed.onion
private_key:
-----BEGIN RSA PRIVATE KEY-----
[RSA key material omitted]
-----END RSA PRIVATE KEY-----

How can I use it for a v3 version with compose? What would be the final docker-compose.yml file?

PS: It would be awesome to create another repository with a full example, for instance based on wordpress.
Refs. https://github.com/paulotechbr/docker-wordpress-nginx-fpm

Cheers,
X

Add Configurable Non-Anonymous/Single Hop Mode

I have been using this container to run a number of onion services, but for my use case I am more interested in performance than server-side anonymity. So I'm interested in Tor's Single Hop + Non-Anonymous Mode, which allows onion services to make this tradeoff (reducing the client-server connection from 6 hops to 4), within certain limitations. It still preserves client anonymity and is still more secure than accessing a site on the open web (thanks to maintaining end-to-end encryption).

This feature is enabled in a .torrc file with the following two settings:

HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1

On first thought, this could be implemented with an environment variable and then a corresponding spot in the .torrc jinja template.

Thanks for putting together the container!

How to use obfs4 bridge ?

Hi,

I would like to make sure that the tor network is only reached through an obfs4 bridge; how should I go about this?

Install obfs4 in the container, then add the bridge config as extra options?

How do we use Unix sockets with new version?

Hello. My service works great with your legacy config but breaks with the new config.

Are unix sockets still supported like in the legacy example? This is a must for me. Can you please help me with an example on how to use on the new version?

SocksPolicy Variable

I have an onion service that requires socks5 proxy access on the service container. Therefore I think it makes the most sense to add a SocksPolicy accept VARIABLE IP to this image, to make it possible to connect the program inside the container directly to this service over a hostname and the socks port.

Can not find Rust compiler

Currently when building via docker build .:

[...]
Building wheels for collected packages: msgpack, cryptography
  Building wheel for msgpack (setup.py): started
  Building wheel for msgpack (setup.py): finished with status 'done'
  Created wheel for msgpack: filename=msgpack-1.0.2-cp38-cp38-linux_x86_64.whl size=15819 sha256=4d30e2cd28b20cb2bbeb6553697ea10cdb0bd590f32f1f5b3f2c052b6f47fec1
  Stored in directory: /var/lib/tor/.cache/pip/wheels/80/54/1e/543cc300f5a40fbdda81274333957ba34e4f5cae40ed73317e
  Building wheel for cryptography (PEP 517): started
  Building wheel for cryptography (PEP 517): finished with status 'error'
  ERROR: Command errored out with exit status 1:
   command: /usr/local/bin/python /usr/local/lib/python3.8/site-packages/pip/_vendor/pep517/_in_process.py build_wheel /tmp/tmpu3ue_gdv
       cwd: /tmp/pip-install-ynz0axu9/cryptography
  Complete output (148 lines):
  running build_rust
  
      =============================DEBUG ASSISTANCE=============================
      If you are seeing a compilation error please try the following steps to
      successfully install cryptography:
      1) Upgrade to the latest pip and try again. This will fix errors for most
         users. See: https://pip.pypa.io/en/stable/installing/#upgrading-pip
      2) Read https://cryptography.io/en/latest/installation.html for specific
         instructions for your platform.
      3) Check our frequently asked questions for more information:
         https://cryptography.io/en/latest/faq.html
      4) Ensure you have a recent Rust toolchain installed:
         https://cryptography.io/en/latest/installation.html#rust
      5) If you are experiencing issues with Rust for *this release only* you may
         set the environment variable `CRYPTOGRAPHY_DONT_BUILD_RUST=1`.
      =============================DEBUG ASSISTANCE=============================
  
  error: Can not find Rust compiler
  ----------------------------------------
  ERROR: Failed building wheel for cryptography
Successfully built msgpack
Failed to build cryptography
ERROR: Could not build wheels for cryptography which use PEP 517 and cannot be installed directly
WARNING: You are using pip version 20.2.4; however, version 21.0.1 is available.
You should consider upgrading via the '/usr/local/bin/python -m pip install --upgrade pip' command.
The command '/bin/sh -c apk add --no-cache git bind-tools libevent-dev openssl-dev gnupg gcc make automake ca-certificates autoconf musl-dev coreutils libffi-dev zlib-dev &&     mkdir -p /usr/local/src/ /var/lib/tor/ &&     git clone https://git.torproject.org/tor.git /usr/local/src/tor &&     cd /usr/local/src/tor &&     TOR_VERSION=${tor_version=$(git tag | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | sort -V | tail -1)} &&     git checkout tor-$TOR_VERSION &&     ./autogen.sh &&     ./configure     --disable-asciidoc     --sysconfdir=/etc     --disable-unittests &&     make && make install &&     cd .. &&     rm -rf tor &&     pip3 install --upgrade pip poetry &&     apk del git libevent-dev openssl-dev gnupg make automake autoconf musl-dev coreutils libffi-dev &&     apk add --no-cache libevent openssl' returned a non-zero code: 1

throws error regarding permissions but still works

Hi,
first of all, thank you very much for making this.
I am seeing in my logs that some kind of permissions error is being thrown, but tor still manages to start up correctly. Not sure what is going on. I'm using v3 so I'm loading my private key via the docker-compose secrets, similar to this https://github.com/cmehay/docker-tor-hidden-service/blob/master/docker-compose.v3.yml. The name of my key is gm2.

tor2_1   | Entrypoint INFO     gm2: [redacted].onion:80
tor2_1   | Feb 17 03:20:57.854 [notice] Tor 0.4.4.7 (git-37a32b7ee76e5d52) running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1i, Zlib 1.2.11, Liblzma N/A, and Libzstd N/A.
tor2_1   | Feb 17 03:20:57.854 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
tor2_1   | Feb 17 03:20:57.854 [notice] Read configuration file "/etc/tor/torrc".
tor2_1   | Feb 17 03:20:57.000 [notice] Parsing GEOIP IPv4 file /usr/local/share/tor/geoip.
tor2_1   | Feb 17 03:20:57.000 [notice] Parsing GEOIP IPv6 file /usr/local/share/tor/geoip6.
tor2_1   | Feb 17 03:20:58.000 [notice] Bootstrapped 0% (starting): Starting
tor2_1   | Feb 17 03:20:58.000 [notice] Starting with guard context "default"
tor2_1   | Entrypoint WARNING  ERROR:root:[Errno 13] Permission denied: '/run/secrets/gm2'
tor2_1   | Entrypoint WARNING  Traceback (most recent call last):
tor2_1   | Entrypoint WARNING    File "/usr/local/src/onions/onions/Service.py", line 128, in load_key_from_secrets
tor2_1   | Entrypoint WARNING      self._load_key(secret_file)
tor2_1   | Entrypoint WARNING    File "/usr/local/src/onions/onions/Service.py", line 113, in _load_key
tor2_1   | Entrypoint WARNING      with open(key_file, 'rb') as f:
tor2_1   | Entrypoint WARNING  PermissionError: [Errno 13] Permission denied: '/run/secrets/gm2'
tor2_1   | Entrypoint WARNING  WARNING:root:Fail to load key from secret, check the key or secret name collision
tor2_1   | Feb 17 03:20:59.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
tor2_1   | Feb 17 03:20:59.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay
tor2_1   | Feb 17 03:20:59.000 [notice] Bootstrapped 14% (handshake): Handshaking with a relay
tor2_1   | Feb 17 03:20:59.000 [notice] Bootstrapped 15% (handshake_done): Handshake with a relay done
tor2_1   | Feb 17 03:20:59.000 [notice] Bootstrapped 20% (onehop_create): Establishing an encrypted directory connection
tor2_1   | Feb 17 03:20:59.000 [notice] Bootstrapped 25% (requesting_status): Asking for networkstatus consensus
tor2_1   | Feb 17 03:20:59.000 [notice] Bootstrapped 30% (loading_status): Loading networkstatus consensus
tor2_1   | Feb 17 03:21:00.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
tor2_1   | Feb 17 03:21:01.000 [notice] Bootstrapped 40% (loading_keys): Loading authority key certs
tor2_1   | Feb 17 03:21:01.000 [notice] The current consensus has no exit nodes. Tor can only build internal paths, such as paths to onion services.
tor2_1   | Feb 17 03:21:01.000 [notice] Bootstrapped 45% (requesting_descriptors): Asking for relay descriptors
tor2_1   | Feb 17 03:21:01.000 [notice] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/6834, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of end bw (no exits in consensus, using mid) = 0% of path bw.)
tor2_1   | Feb 17 03:21:01.000 [notice] Bootstrapped 50% (loading_descriptors): Loading relay descriptors
tor2_1   | Feb 17 03:21:02.000 [notice] The current consensus contains exit nodes. Tor can build exit and internal paths.
tor2_1   | Feb 17 03:21:03.000 [notice] Bootstrapped 56% (loading_descriptors): Loading relay descriptors
tor2_1   | Feb 17 03:21:03.000 [notice] Bootstrapped 63% (loading_descriptors): Loading relay descriptors
tor2_1   | Feb 17 03:21:03.000 [notice] Bootstrapped 68% (loading_descriptors): Loading relay descriptors
tor2_1   | Feb 17 03:21:03.000 [notice] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
tor2_1   | Feb 17 03:21:04.000 [notice] Bootstrapped 80% (ap_conn): Connecting to a relay to build circuits
tor2_1   | Feb 17 03:21:04.000 [notice] Bootstrapped 85% (ap_conn_done): Connected to a relay to build circuits
tor2_1   | Feb 17 03:21:04.000 [notice] Bootstrapped 89% (ap_handshake): Finishing handshake with a relay to build circuits
tor2_1   | Feb 17 03:21:04.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
tor2_1   | Feb 17 03:21:04.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
tor2_1   | Feb 17 03:21:05.000 [notice] Bootstrapped 100% (done): Done

After that, tor works fine, so I'm not sure what's happening.
Thank you
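
A check that fits the traceback above, added here as an example and not part of the project: in non-swarm Compose a file secret is bind-mounted into /run/secrets/<name> and keeps the host file's owner and mode, so a 0600 root-owned key file is unreadable by a container process running as any other user. Whether that is what happened in this case is an assumption; the uid/gid values used in the demo are constructed. The helper predicts readability from ownership and mode bits the way the kernel does (uid 0 always passes, POSIX ACLs are ignored) and produces a short report of the kind you would paste into an issue:

```python
import os
import stat
import tempfile


def file_owner(path):
    """(uid, gid) owning the file, as the kernel sees it."""
    st = os.stat(path)
    return st.st_uid, st.st_gid


def readable_by(path, uid, gid, supplementary_gids=()):
    """Predict from ownership and mode bits whether a process running as uid/gid could
    open `path` for reading. Classic owner/group/other rule; uid 0 always passes (as it
    does with Docker's default capability set). POSIX ACLs are not considered."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid or st.st_gid in supplementary_gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def diagnose_secret(path, uid, gid):
    """Short, issue-friendly report on why a mounted secret is (not) readable."""
    st = os.stat(path)
    ok = readable_by(path, uid, gid)
    hint = None
    if not ok:
        hint = (f"process {uid}:{gid} cannot read a {stat.filemode(st.st_mode)} file owned by "
                f"{st.st_uid}:{st.st_gid}; chown it to {uid} or make it group-readable by {gid} "
                "(a bind-mounted secret keeps the host file's mode)")
    return {"path": path, "mode": stat.filemode(st.st_mode),
            "owner": f"{st.st_uid}:{st.st_gid}", "readable_by_process": ok, "hint": hint}


def write_demo_secret(mode=0o600):
    """Constructed stand-in for /run/secrets/gm2: a temp file with the given mode."""
    fd, path = tempfile.mkstemp(prefix="demo-secret-")
    with os.fdopen(fd, "wb") as f:
        f.write(b"placeholder, not a real key\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    secret = write_demo_secret(0o600)
    owner_uid, owner_gid = file_owner(secret)
    print(diagnose_secret(secret, owner_uid, owner_gid))  # the owner: readable
    print(diagnose_secret(secret, 100, 101))              # hypothetical container user: denied
    os.unlink(secret)
```

To inspect the real file, call diagnose_secret("/run/secrets/gm2", uid, gid) from inside the container with the uid and gid the entrypoint actually runs as; the "mode" and "owner" fields are what the maintainer would need to see.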

Docker-Compose Issue

Hi, I don't want to sound like a noob, but I am having trouble getting docker compose to run any yml files. I've done some research and I can't find a whole lot of information on using tor hidden services with docker or docker-compose, so I was wondering if someone would want to walk me through the basics of how to get a file like this up and running?

Reading through other issues I saw that vanguards.yml is a new feature and that there are several other yaml files, so would you need to specify which specific yaml file to run against docker-compose, and would those yaml files also need to be edited?

I did however just do a docker pull command on goldy/tor-hidden-services container and can run that alone

EDIT
I was able to build a container with the command:
docker-compose -f docker-compose.v3.latest.yml up --build

I thought I might leave this up though in case anyone else has the same issue. Now I am trying to figure out how to get my onion address and customize the yaml file to get a custom private key and secrets.
I did find a website where they added:
FROM patrickod/tor-hidden-service
ADD ./start-tor /bin/start-tor
RUN chmod +x /bin/start-tor
ADD ./get-tor-hostname /bin/get-tor-hostname
RUN chmod +x /bin/get-tor-hostname

#!/bin/bash
HOSTNAME='/var/lib/tor/hidden-service/hostname'
while [ ! -f "$HOSTNAME" ]; do sleep 1; done
echo 'Your onion address is' "$(cat "$HOSTNAME")"

To the image to reveal the onion address, but I haven't figured out which file I need to add it to, probably the dockerfile.

the website I am reading this from is https://randywestergren.com/running-a-hidden-tor-service-with-docker-compose/

Issues on K8s

I've been watching this project for a while now and it works like a charm on plain docker!
Now I'm switching over to k8s and trying to get this container up and running but I'm experiencing a strange behaviour.
As soon as my deployment is set up and I try to access the service using the Tor browser, the connection very often gets reset for some reason. Sometimes it's working, sometimes it's not. I was not able to find any useful statement in the logs and I would like to know if somebody else has the same issue and maybe also a solution or a hint as to where I could look.

This is how I deploy the service:

apiVersion: v1
kind: Pod
metadata:
  name: onion-web-relay-0
  namespace: app
  labels:
    app: app
    tier: frontend
spec:
  containers:
  - name: onion-web-relay
    image: goldy/tor-hidden-service:latest
    envFrom:
      - configMapRef:
          name: onion-env
    env:
      - name: V3_TOR_SERVICE_KEY
        valueFrom:
          secretKeyRef:
            name: onion-web-relay
            key: privat-crypto
    resources:
      requests:
        cpu: 500m
        memory: 1024Mi
      limits:
        cpu: 2000m
        memory: 2048Mi

Thanks

"Entrypoint INFO No onion site" when trying to link to Node Express server using docker-compose.yml

Hey guys sorry for the noob question, but here we go:

I was able to successfully link goldy/tor-hidden-service on the command line using 2 commands:

docker run -d --name hello_world nodeserver
docker run -ti --link hello_world goldy/tor-hidden-service

When I run that, it successfully generates and logs a public onion URL that exposes nodeserver.

Now when i try to do the same thing in docker-compose.yml, nodeserver and tor run successfully, but there is no onion site generated. Here is my docker-compose.yml:

version: '2'
services:
  tor:
    image: goldy/tor-hidden-service
    links:
      - nodeserver
  nodeserver:
    image: jadahlke/peerjsonshare
    hostname: nodeserver

And here is the logging I get when I run docker-compose up:

Creating network "peerfileshare_default" with the default driver
Creating peerfileshare_nodeserver_1 ... done
Creating peerfileshare_tor_1        ... done
Attaching to peerfileshare_nodeserver_1, peerfileshare_tor_1
nodeserver_1  | listening on port 3009
tor_1         | Entrypoint INFO     No onion site                         ******** <---- THIS IS WHERE I AM EXPECTING TO SEE URL****
tor_1         | Jan 07 14:31:33.275 [notice] Tor 0.4.6.9 (git-ea2ada6d1459f829) running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1l, Zlib 1.2.11, Liblzma N/A, Libzstd N/A and Unknown N/A as libc.

Would greatly appreciate if someone could point me in the right direction.

unable to execute 'gcc': No such file or directory

I'm running docker build --build-arg tor_version=0.4.4.5 .. Near the end, I get this error message:

      building 'Crypto.Hash._MD2' extension
      creating build/temp.linux-x86_64-3.8
      creating build/temp.linux-x86_64-3.8/src
      gcc -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -DTHREAD_STACK_SIZE=0x100000 -fPIC -DPYCRYPTO_LITTLE_ENDIAN -DSYS_BITS=64 -DLTC_NO_ASM -Isrc/ -I/usr/local/include/python3.8 -c src/MD2.c -o build/temp.linux-x86_64-3.8/src/MD2.o
      unable to execute 'gcc': No such file or directory
      error: command 'gcc' failed with exit status 1
      ----------------------------------------
    Rolling back uninstall of pycryptodome
    Moving to /usr/local/lib/python3.8/site-packages/Crypto/
     from /usr/local/lib/python3.8/site-packages/~rypto
    Moving to /usr/local/lib/python3.8/site-packages/pycryptodome-3.9.9.dist-info/
     from /usr/local/lib/python3.8/site-packages/~ycryptodome-3.9.9.dist-info
  ERROR: Command errored out with exit status 1: /usr/local/bin/python -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-req-build-ozcshle9/setup.py'"'"'; __file__='"'"'/tmp/pip-req-build-ozcshle9/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' install --record /tmp/pip-record-76s1g97n/install-record.txt --single-version-externally-managed --compile --install-headers /usr/local/include/python3.8/pycryptodome Check the logs for full command output.
  

  at /usr/local/lib/python3.8/site-packages/poetry/utils/env.py:1074 in _run
      1070│                 output = subprocess.check_output(
      1071│                     cmd, stderr=subprocess.STDOUT, **kwargs
      1072│                 )
      1073│         except CalledProcessError as e:
    → 1074│             raise EnvCommandError(e, input=input_)
      1075│ 
      1076│         return decode(output)
      1077│ 
      1078│     def execute(self, bin, *args, **kwargs):

tor control password produces error when container is restarted

Using TOR_CONTROL_PASSWORD in a container will produce an error when the container is restarted.

ERROR:root:Command '['tor', '--quiet', '--hash-password', '*****']' returned non-zero exit status 1.
t-lnd-main        | Entrypoint WARNING  Traceback (most recent call last):
t-lnd-main        | Entrypoint WARNING    File "/usr/local/src/onions/onions/Onions.py", line 499, in main
t-lnd-main        | Entrypoint WARNING      onions.setup_hosts()
t-lnd-main        | Entrypoint WARNING    File "/usr/local/src/onions/onions/Onions.py", line 354, in setup_hosts
t-lnd-main        | Entrypoint WARNING      self._setup_control_port()
t-lnd-main        | Entrypoint WARNING    File "/usr/local/src/onions/onions/Onions.py", line 90, in _setup_control_port
t-lnd-main        | Entrypoint WARNING      self._hash_control_port_password(os.environ[
t-lnd-main        | Entrypoint WARNING    File "/usr/local/src/onions/onions/Onions.py", line 60, in _hash_control_port_password
t-lnd-main        | Entrypoint WARNING      self.control_hashed_password = subprocess.check_output([
t-lnd-main        | Entrypoint WARNING    File "/usr/local/lib/python3.9/subprocess.py", line 424, in check_output
t-lnd-main        | Entrypoint WARNING      return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
t-lnd-main        | Entrypoint WARNING    File "/usr/local/lib/python3.9/subprocess.py", line 528, in run
t-lnd-main        | Entrypoint WARNING      raise CalledProcessError(retcode, process.args,
t-lnd-main        | Entrypoint WARNING  subprocess.CalledProcessError: Command '['tor', '--quiet', '--hash-password', '*****']' returned non-zero exit status 1.

It took me a day to find that this error was due to using TOR_CONTROL_PASSWORD. I could now fix it by simply giving directly the hashed password using the TOR_EXTRA_OPTIONS while still using TOR_CONTROL_PORT on the service config, and the issue is resolved for me.
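
The error in this issue comes from the entrypoint shelling out to tor --hash-password at every start; the poster's workaround is to compute the hash once and ship only the hashed value. The function below is an added example (my code, not the project's) that reproduces what tor --hash-password computes, Tor's iterated-and-salted RFC 2440 S2K with SHA-1 and the fixed count byte 0x60, so the "16:..." value can be generated offline, kept in configuration instead of the plaintext, and checked later. The same traceback appears again in the "vanguards network example does not work" issue further down this page.

```python
import hashlib
import hmac
import os

# Tor hard-codes this OpenPGP "coded count" byte; it expands to 65536 bytes of SHA-1 input.
S2K_CODED_COUNT = 0x60
S2K_SALT_LEN = 8
SHA1_LEN = 20


def _s2k_iterated_salted_sha1(salt, secret, coded_count=S2K_CODED_COUNT):
    """RFC 2440 iterated+salted S2K with SHA-1, the construction behind Tor's
    HashedControlPassword ("16:" type); same steps as tor's secret_to_key_rfc2440()."""
    if len(salt) != S2K_SALT_LEN:
        raise ValueError("salt must be exactly 8 bytes")
    block = salt + secret
    # OpenPGP decoding of the one-byte count: 0x60 -> (16 + 0) << (6 + 6) == 65536.
    count = (16 + (coded_count & 15)) << ((coded_count >> 4) + 6)
    count = max(count, len(block))  # tor never hashes less than one full salt+secret block
    digest = hashlib.sha1()
    remaining = count
    while remaining:
        chunk = block[:remaining]  # the final iteration may consume only part of the block
        digest.update(chunk)
        remaining -= len(chunk)
    return digest.digest()


def hash_control_password(password, salt=None):
    """Return a torrc-ready HashedControlPassword value:
    "16:" + 8-byte salt (hex) + coded count (hex) + 20-byte SHA-1 (hex), upper-case,
    the same shape `tor --hash-password` prints (that command picks a random salt)."""
    salt = os.urandom(S2K_SALT_LEN) if salt is None else salt
    digest = _s2k_iterated_salted_sha1(salt, password.encode("utf-8"))
    return "16:%s%02X%s" % (salt.hex().upper(), S2K_CODED_COUNT, digest.hex().upper())


def verify_control_password(hashed, password):
    """Check a candidate password against a stored "16:..." value (constant-time compare)."""
    expected_len = 3 + 2 * S2K_SALT_LEN + 2 + 2 * SHA1_LEN
    if not hashed.startswith("16:") or len(hashed) != expected_len:
        return False
    try:
        body = bytes.fromhex(hashed[3:])
    except ValueError:
        return False
    salt, coded_count, stored = body[:8], body[8], body[9:]
    computed = _s2k_iterated_salted_sha1(salt, password.encode("utf-8"), coded_count)
    return hmac.compare_digest(computed, stored)


if __name__ == "__main__":
    value = hash_control_password("something_secret")
    print("HashedControlPassword", value)
    print("verifies:", verify_control_password(value, "something_secret"))
```

The printed value is what goes after HashedControlPassword in torrc (here, via the TOR_EXTRA_OPTIONS route the poster describes); with a fixed salt the output is deterministic, which is convenient for tests, but a fresh random salt per generated value is the normal choice.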

/usr/local/bin/pyentrypoint: no such file or directory

While running the tor-hidden-service docker container, I get this error: "/usr/local/bin/pyentrypoint: no such file or directory". It seems like pyentrypoint isn't pip installed in the dockerfile? Note: I am using an ARMv8 machine, if that makes a difference.

Thanks in advance for the help!

DDOS attack mitigation

My website has been under DDoS attack for 2 days; the attackers are exhausting my server resources (CPU & RAM).
I don't know if this is related to the network DDoS attack issue in tor that is not fixed yet (https://status.torproject.org/issues/2022-06-09-network-ddos/),
or if it is related to something else.

Any idea how to mitigate this kind of attack?

This is my docker-compose config:

   tor:
     image: goldy/tor-hidden-service:latest
     restart: unless-stopped
     environment:
        TOR_ENABLE_VANGUARDS: 'true'
        VANGUARDS_EXTRA_OPTIONS: |
          [Global]
          enable_cbtverify = True
          loglevel = DEBUG
        NGINX_PORTS: "80:80"
        NGINX_TOR_SERVICE_VERSION: '3'
        NGINX_TOR_SERVICE_KEY: ${KEY}

I will post here part of the logs

tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:10 2022]: 650 CIRC 239 LAUNCHED BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL TIME_CREATED=2022-06-20T15:17:10.278878
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:10 2022]: Added circ for 650 CIRC 239 LAUNCHED BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL TIME_CREATED=2022-06-20T15:17:10.278878
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:11 2022]: 650 CIRC_BW ID=155 READ=6617 WRITTEN=0 TIME=2022-06-20T15:17:11.283043 DELIVERED_READ=6474 OVERHEAD_READ=0 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:11 2022]: 650 CIRC_BW ID=121 READ=6617 WRITTEN=0 TIME=2022-06-20T15:17:11.283058 DELIVERED_READ=6474 OVERHEAD_READ=0 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:11 2022]: 650 CIRC_BW ID=145 READ=7126 WRITTEN=1018 TIME=2022-06-20T15:17:11.283065 DELIVERED_READ=6922 OVERHEAD_READ=50 DELIVERED_WRITTEN=2 OVERHEAD_WRITTEN=994
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:11 2022]: 650 CIRC_BW ID=151 READ=7126 WRITTEN=0 TIME=2022-06-20T15:17:11.283073 DELIVERED_READ=6922 OVERHEAD_READ=50 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:11 2022]: 650 CIRC_BW ID=141 READ=6617 WRITTEN=509 TIME=2022-06-20T15:17:11.283079 DELIVERED_READ=6474 OVERHEAD_READ=0 DELIVERED_WRITTEN=1 OVERHEAD_WRITTEN=497
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:11 2022]: 650 CIRC_BW ID=191 READ=15270 WRITTEN=509 TIME=2022-06-20T15:17:11.283086 DELIVERED_READ=14890 OVERHEAD_READ=50 DELIVERED_WRITTEN=1 OVERHEAD_WRITTEN=497
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:11 2022]: 650 CIRC_BW ID=192 READ=7126 WRITTEN=0 TIME=2022-06-20T15:17:11.283093 DELIVERED_READ=6972 OVERHEAD_READ=0 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:11 2022]: 650 CIRC_BW ID=193 READ=15270 WRITTEN=1018 TIME=2022-06-20T15:17:11.283100 DELIVERED_READ=14890 OVERHEAD_READ=50 DELIVERED_WRITTEN=23 OVERHEAD_WRITTEN=973
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:11 2022]: 650 CIRC_BW ID=197 READ=6617 WRITTEN=509 TIME=2022-06-20T15:17:11.283107 DELIVERED_READ=6474 OVERHEAD_READ=0 DELIVERED_WRITTEN=1 OVERHEAD_WRITTEN=497
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:11 2022]: 650 CIRC_BW ID=198 READ=14761 WRITTEN=0 TIME=2022-06-20T15:17:11.283114 DELIVERED_READ=14392 OVERHEAD_READ=50 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:11 2022]: 650 CIRC_BW ID=221 READ=0 WRITTEN=3054 TIME=2022-06-20T15:17:11.283120 DELIVERED_READ=0 OVERHEAD_READ=0 DELIVERED_WRITTEN=2822 OVERHEAD_WRITTEN=166
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:12 2022]: 650 CIRC_BW ID=155 READ=6617 WRITTEN=0 TIME=2022-06-20T15:17:12.283369 DELIVERED_READ=6424 OVERHEAD_READ=50 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:12 2022]: 650 CIRC_BW ID=121 READ=6617 WRITTEN=0 TIME=2022-06-20T15:17:12.283387 DELIVERED_READ=6474 OVERHEAD_READ=0 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:12 2022]: 650 CIRC_BW ID=145 READ=6108 WRITTEN=509 TIME=2022-06-20T15:17:12.283397 DELIVERED_READ=5976 OVERHEAD_READ=0 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=498
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:12 2022]: 650 CIRC_BW ID=151 READ=6108 WRITTEN=0 TIME=2022-06-20T15:17:12.283406 DELIVERED_READ=5976 OVERHEAD_READ=0 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:12 2022]: 650 CIRC_BW ID=141 READ=6617 WRITTEN=0 TIME=2022-06-20T15:17:12.283413 DELIVERED_READ=6474 OVERHEAD_READ=0 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:12 2022]: 650 CIRC_BW ID=191 READ=14761 WRITTEN=0 TIME=2022-06-20T15:17:12.283419 DELIVERED_READ=14442 OVERHEAD_READ=0 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:12 2022]: 650 CIRC_BW ID=192 READ=6108 WRITTEN=509 TIME=2022-06-20T15:17:12.283426 DELIVERED_READ=5926 OVERHEAD_READ=50 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=498
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:12 2022]: 650 CIRC_BW ID=193 READ=15270 WRITTEN=1018 TIME=2022-06-20T15:17:12.283433 DELIVERED_READ=14890 OVERHEAD_READ=50 DELIVERED_WRITTEN=1 OVERHEAD_WRITTEN=995
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:12 2022]: 650 CIRC_BW ID=197 READ=6617 WRITTEN=509 TIME=2022-06-20T15:17:12.283439 DELIVERED_READ=6474 OVERHEAD_READ=0 DELIVERED_WRITTEN=23 OVERHEAD_WRITTEN=475
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:12 2022]: 650 CIRC_BW ID=198 READ=15270 WRITTEN=51918 TIME=2022-06-20T15:17:12.283445 DELIVERED_READ=13971 OVERHEAD_READ=969 DELIVERED_WRITTEN=49175 OVERHEAD_WRITTEN=1621
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:12 2022]: 650 CIRC 239 EXTENDED $AD0FCFD83EA4899DB34735E599701592DEA13690~torbogen BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL TIME_CREATED=2022-06-20T15:17:10.278878
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:13 2022]: 650 CIRC_BW ID=155 READ=6617 WRITTEN=0 TIME=2022-06-20T15:17:13.287265 DELIVERED_READ=6474 OVERHEAD_READ=0 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:13 2022]: 650 CIRC_BW ID=121 READ=6617 WRITTEN=509 TIME=2022-06-20T15:17:13.287279 DELIVERED_READ=6424 OVERHEAD_READ=50 DELIVERED_WRITTEN=23 OVERHEAD_WRITTEN=475
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:13 2022]: 650 CIRC_BW ID=145 READ=7126 WRITTEN=0 TIME=2022-06-20T15:17:13.287287 DELIVERED_READ=6972 OVERHEAD_READ=0 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:13 2022]: 650 CIRC_BW ID=151 READ=7126 WRITTEN=1018 TIME=2022-06-20T15:17:13.287294 DELIVERED_READ=6972 OVERHEAD_READ=0 DELIVERED_WRITTEN=24 OVERHEAD_WRITTEN=972
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:13 2022]: 650 CIRC_BW ID=141 READ=6617 WRITTEN=0 TIME=2022-06-20T15:17:13.287301 DELIVERED_READ=6424 OVERHEAD_READ=50 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:13 2022]: 650 CIRC_BW ID=191 READ=16288 WRITTEN=51409 TIME=2022-06-20T15:17:13.287308 DELIVERED_READ=14913 OVERHEAD_READ=1023 DELIVERED_WRITTEN=49683 OVERHEAD_WRITTEN=615
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:13 2022]: 650 CIRC_BW ID=192 READ=7126 WRITTEN=509 TIME=2022-06-20T15:17:13.287317 DELIVERED_READ=6972 OVERHEAD_READ=0 DELIVERED_WRITTEN=23 OVERHEAD_WRITTEN=475
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:13 2022]: 650 CIRC_BW ID=193 READ=15779 WRITTEN=1018 TIME=2022-06-20T15:17:13.287324 DELIVERED_READ=15388 OVERHEAD_READ=50 DELIVERED_WRITTEN=1 OVERHEAD_WRITTEN=995
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:13 2022]: 650 CIRC_BW ID=197 READ=6617 WRITTEN=0 TIME=2022-06-20T15:17:13.287331 DELIVERED_READ=6424 OVERHEAD_READ=50 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:13 2022]: 650 CIRC_BW ID=198 READ=15779 WRITTEN=0 TIME=2022-06-20T15:17:13.287337 DELIVERED_READ=15388 OVERHEAD_READ=50 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:13 2022]: 650 CIRC_BW ID=239 READ=0 WRITTEN=509 TIME=2022-06-20T15:17:13.287345 DELIVERED_READ=0 OVERHEAD_READ=0 DELIVERED_WRITTEN=153 OVERHEAD_WRITTEN=345
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:14 2022]: 650 CIRC_BW ID=155 READ=7126 WRITTEN=0 TIME=2022-06-20T15:17:14.289960 DELIVERED_READ=6972 OVERHEAD_READ=0 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:14 2022]: 650 CIRC_BW ID=121 READ=7126 WRITTEN=0 TIME=2022-06-20T15:17:14.289972 DELIVERED_READ=6972 OVERHEAD_READ=0 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:14 2022]: 650 CIRC_BW ID=145 READ=6617 WRITTEN=509 TIME=2022-06-20T15:17:14.289979 DELIVERED_READ=6424 OVERHEAD_READ=50 DELIVERED_WRITTEN=1 OVERHEAD_WRITTEN=497
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:14 2022]: 650 CIRC_BW ID=151 READ=6617 WRITTEN=509 TIME=2022-06-20T15:17:14.289987 DELIVERED_READ=6424 OVERHEAD_READ=50 DELIVERED_WRITTEN=1 OVERHEAD_WRITTEN=497
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:14 2022]: 650 CIRC_BW ID=141 READ=7126 WRITTEN=0 TIME=2022-06-20T15:17:14.289993 DELIVERED_READ=6972 OVERHEAD_READ=0 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:14 2022]: 650 CIRC_BW ID=191 READ=14252 WRITTEN=509 TIME=2022-06-20T15:17:14.290000 DELIVERED_READ=13894 OVERHEAD_READ=50 DELIVERED_WRITTEN=1 OVERHEAD_WRITTEN=497
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:14 2022]: 650 CIRC_BW ID=192 READ=6617 WRITTEN=509 TIME=2022-06-20T15:17:14.290007 DELIVERED_READ=6424 OVERHEAD_READ=50 DELIVERED_WRITTEN=1 OVERHEAD_WRITTEN=497
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:14 2022]: 650 CIRC_BW ID=193 READ=14252 WRITTEN=1018 TIME=2022-06-20T15:17:14.290013 DELIVERED_READ=13396 OVERHEAD_READ=548 DELIVERED_WRITTEN=23 OVERHEAD_WRITTEN=973
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:14 2022]: 650 CIRC_BW ID=197 READ=7126 WRITTEN=0 TIME=2022-06-20T15:17:14.290021 DELIVERED_READ=6972 OVERHEAD_READ=0 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:14 2022]: 650 CIRC_BW ID=198 READ=14252 WRITTEN=0 TIME=2022-06-20T15:17:14.290028 DELIVERED_READ=13894 OVERHEAD_READ=50 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:15 2022]: 650 CIRC_BW ID=155 READ=6617 WRITTEN=105872 TIME=2022-06-20T15:17:15.295376 DELIVERED_READ=3980 OVERHEAD_READ=2494 DELIVERED_WRITTEN=98386 OVERHEAD_WRITTEN=5198
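
The DEBUG lines above are Tor CIRC_BW control-port events relayed by vanguards, one per circuit roughly every second; per the control-port spec, READ and WRITTEN are the bytes carried on that circuit since its previous event. Before deciding whether the load is the network-wide issue linked above or traffic aimed at this one service, it helps to reduce the stream to per-circuit totals and peaks, which is what the summary below does. This is an added example, not project code: a parser for those events run over a handful of lines copied from the log excerpt (a constructed sample, labelled in the code).

```python
import re

# One CIRC_BW control-port event (vanguards prints them at DEBUG level). Per the control
# spec, READ/WRITTEN count bytes since the previous CIRC_BW event for that circuit.
CIRC_BW_RE = re.compile(
    r"650 CIRC_BW ID=(?P<circ>\d+) READ=(?P<read>\d+) WRITTEN=(?P<written>\d+) "
    r"TIME=(?P<time>\S+) DELIVERED_READ=(?P<delivered_read>\d+) "
    r"OVERHEAD_READ=(?P<overhead_read>\d+) DELIVERED_WRITTEN=(?P<delivered_written>\d+) "
    r"OVERHEAD_WRITTEN=(?P<overhead_written>\d+)"
)

# Constructed sample: a subset of the lines from the issue's log excerpt.
SAMPLE_LOG = """\
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:10 2022]: 650 CIRC 239 LAUNCHED BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL TIME_CREATED=2022-06-20T15:17:10.278878
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:11 2022]: 650 CIRC_BW ID=155 READ=6617 WRITTEN=0 TIME=2022-06-20T15:17:11.283043 DELIVERED_READ=6474 OVERHEAD_READ=0 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:11 2022]: 650 CIRC_BW ID=191 READ=15270 WRITTEN=509 TIME=2022-06-20T15:17:11.283086 DELIVERED_READ=14890 OVERHEAD_READ=50 DELIVERED_WRITTEN=1 OVERHEAD_WRITTEN=497
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:11 2022]: 650 CIRC_BW ID=198 READ=14761 WRITTEN=0 TIME=2022-06-20T15:17:11.283114 DELIVERED_READ=14392 OVERHEAD_READ=50 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:12 2022]: 650 CIRC_BW ID=155 READ=6617 WRITTEN=0 TIME=2022-06-20T15:17:12.283369 DELIVERED_READ=6424 OVERHEAD_READ=50 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:12 2022]: 650 CIRC_BW ID=198 READ=15270 WRITTEN=51918 TIME=2022-06-20T15:17:12.283445 DELIVERED_READ=13971 OVERHEAD_READ=969 DELIVERED_WRITTEN=49175 OVERHEAD_WRITTEN=1621
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:13 2022]: 650 CIRC_BW ID=155 READ=6617 WRITTEN=0 TIME=2022-06-20T15:17:13.287265 DELIVERED_READ=6474 OVERHEAD_READ=0 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:13 2022]: 650 CIRC_BW ID=191 READ=16288 WRITTEN=51409 TIME=2022-06-20T15:17:13.287308 DELIVERED_READ=14913 OVERHEAD_READ=1023 DELIVERED_WRITTEN=49683 OVERHEAD_WRITTEN=615
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:13 2022]: 650 CIRC_BW ID=198 READ=15779 WRITTEN=0 TIME=2022-06-20T15:17:13.287337 DELIVERED_READ=15388 OVERHEAD_READ=50 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:14 2022]: 650 CIRC_BW ID=155 READ=7126 WRITTEN=0 TIME=2022-06-20T15:17:14.289960 DELIVERED_READ=6972 OVERHEAD_READ=0 DELIVERED_WRITTEN=0 OVERHEAD_WRITTEN=0
tor_1    | Entrypoint INFO     DEBUG[Mon Jun 20 15:17:15 2022]: 650 CIRC_BW ID=155 READ=6617 WRITTEN=105872 TIME=2022-06-20T15:17:15.295376 DELIVERED_READ=3980 OVERHEAD_READ=2494 DELIVERED_WRITTEN=98386 OVERHEAD_WRITTEN=5198
"""


def parse_circ_bw_events(text):
    """One dict per CIRC_BW event; lines that carry other events are skipped."""
    events = []
    for line in text.splitlines():
        m = CIRC_BW_RE.search(line)
        if m:
            ev = {k: int(v) for k, v in m.groupdict().items() if k != "time"}
            ev["time"] = m.group("time")
            events.append(ev)
    return events


def summarize_circuits(text):
    """Per-circuit totals over the sample plus the largest single-interval WRITTEN value."""
    totals = {}
    for ev in parse_circ_bw_events(text):
        t = totals.setdefault(ev["circ"], {"events": 0, "read": 0, "written": 0,
                                           "overhead_written": 0, "peak_written": 0})
        t["events"] += 1
        t["read"] += ev["read"]
        t["written"] += ev["written"]
        t["overhead_written"] += ev["overhead_written"]
        t["peak_written"] = max(t["peak_written"], ev["written"])
    return totals


def busiest_circuits(text, n=3):
    """Circuit IDs ordered by total bytes written (service-to-client direction)."""
    s = summarize_circuits(text)
    return sorted(s, key=lambda c: s[c]["written"], reverse=True)[:n]


def circuits_over(text, peak_threshold):
    """Circuits that wrote at least peak_threshold bytes within one reporting interval."""
    s = summarize_circuits(text)
    return sorted(c for c, t in s.items() if t["peak_written"] >= peak_threshold)


if __name__ == "__main__":
    for circ, t in summarize_circuits(SAMPLE_LOG).items():
        print(circ, t)
    print("busiest:", busiest_circuits(SAMPLE_LOG))
    print("over 50 kB in one interval:", circuits_over(SAMPLE_LOG, 50_000))
```

Feed it the container's full log (docker-compose logs tor, or a saved file) instead of SAMPLE_LOG; a few circuits with large per-interval WRITTEN values against many idle ones points at a handful of heavy clients, while uniformly high READ across many new circuits looks more like the circuit-creation load described in the linked Tor status issue. Either way the summary gives you numbers to attach when asking for help.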

--link deprecated

According to the current Docker documentation, the --link flag is deprecated and will eventually be removed. Will your container still work without that?

Warning: The --link flag is a deprecated legacy feature of Docker. It may eventually be removed. Unless you absolutely need to continue using it, we recommend that you use user-defined networks to facilitate communication between two containers instead of using --link. One feature that user-defined networks do not support that you can do with --link is sharing environmental variables between containers. However, you can use other mechanisms such as volumes to share environment variables between containers in a more controlled way.

Multiple linked containers with One Hidden Service

Is it possible to host multiple linked containers (for eg. one container running web server with exposed port 80 and another container running ssh with exposed port 22) as a single tor hidden service with single .onion address?

Some private keys are not working

I used mkp224o (https://github.com/cathugger/mkp224o) to generate v3 private keys but some of them do not work.

I first created the keys and then base64 them using cat hs_ed25519_secret_key | base64 > out.txt && cat out.txt.

Working example (I'm not going to use these keys no worries):

Address: testms76ahnlffcq7jzmrfu34y6adnh3rydnwd4ugmbqlm6uo5xmiaad.onion
Private key:
PT0gZWQyNTUxOXYxLXNlY3JldDogdHlwZTAgPT0AAAC4hjCHAKudqdFXoJfpyjZ0EsrAs2yUjYfB
Q6QJMgINYzX8l7c5ScogTmYkVfeHlbi2FwhnOAkRtGaoa0juee9W

Failing example:

Address: testimanfqjl6ehujvl4ptau35ykujdccxhndy73bvztbzp6f52rdjad.onion
Private key:
PT0gZWQyNTUxOXYxLXNlY3JldDogdHlwZTAgPT0AAAAACZk2fTFszTrb+L0afrmDf4WHwBoEbeQi
37A4PX8lUykL1JWDUyMv8VnNa+g9499q0o7QRcaxmm06joY9N0Q2

The failing example shows this error

Exception: Private key does not seems to be a valid ed25519 tor key

Onion Balance

Scheduling to integrate Onion Balance

Onion Balance needs a patch which is not in tor stable version yet.

tor 0.4.4 will be released in September and will include this patch.

Kubernetes

This isn't really an issue, but a question. Has anyone successfully used this container in Kubernetes and if so, how did you set it up?

traefik configuration

service:
  jellyfin:
    image: linuxserver/jellyfin:latest
    container_name: jellyfin
    restart: always
    networks:
      - traefik
    security_opt:
      - no-new-privileges=true
    volumes:
      - $USERDIR/docker/jellyfin:/config
      - $USERDIR/docker/jellyfin/cache:/cache
      - /mnt/data:/data
    privileged: True
    restart: always
    environment:
      PUID: $PUID
      PGID: $PGID
      TZ: $TZ
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.jellyfin-rtr.entrypoints=https,http"
      - "traefik.http.routers.jellyfin-rtr.rule=HostHeader(`jellyfin.$DOMAINNAME`, `piracyykgurxq7q2.onion`)"
      - "traefik.http.routers.jellyfin-rtr.tls=true"
      - "traefik.http.routers.jellyfin-rtr.service=jellyfin-svc"
      - "traefik.http.services.jellyfin-svc.loadbalancer.server.port=8096"

  tor:
    image: goldy/tor-hidden-service:latest
    container_name: tor
    links:
      - traefik
    environment:
      PUID: $PUID
      PGID: $PGID
      TZ: $TZ
        # Set mapping ports
      SERVICE1_TOR_SERVICE_HOSTS: 80:traefik:80
      SERVICE1_TOR_SERVICE_KEY: |
          -----BEGIN RSA PRIVATE KEY-----
          [redacted]
          -----END RSA PRIVATE KEY-----
    volumes:
      - $USERDIR/docker/tor:/etc/tor
    networks:
      - traefik
volumes:
  tor-keys:
    driver: local

Traefik is working as expected for jellyfin.domainname.tld
If I type somethingelse.domainname.tld it shows a 404, as expected

The expected domain name shows up when

Entrypoint WARNING  ERROR:root:Private key does not seems to be a valid RSA PEM key
Entrypoint WARNING  ERROR:root:Service gpg has not ports set
Entrypoint INFO     service1: piracyykgurxq7q2.onion:80

Tor connects fine

Am I doing this wrong?
It doesn't load forever; it fairly quickly shows
[screenshot not reproduced]

Unparseable address in hidden service port configuration.

Hi,

Hope you are all well !

For educational purposes, I tried to torify a WordPress site and I get the error above with docker-tor-hidden-service.

Ref. https://github.com/x0rzkov/docker-wordpress-nginx-fpm-hidden-service

tor_1        | Entrypoint INFO     service: v2vpvqo56y2aujrf.onion:80, v2vpvqo56y2aujrf.onion:800, v2vpvqo56y2aujrf.onion:8888
tor_1        | Dec 05 12:43:15.188 [notice] Tor 0.4.1.6 (git-d10abc0929f4941d) running on Linux with Libevent 2.1.10-stable, OpenSSL 1.1.1d, Zlib 1.2.11, Liblzma N/A, and Libzstd N/A.
tor_1        | Dec 05 12:43:15.188 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
tor_1        | Dec 05 12:43:15.189 [notice] Read configuration file "/etc/tor/torrc".
tor_1        | Dec 05 12:43:15.243 [warn] Unparseable address in hidden service port configuration.
tor_1        | Dec 05 12:43:15.243 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
tor_1        | Dec 05 12:43:15.243 [err] Reading config failed--see warnings above.
docker-wordpress-nginx-fpm_tor_1 exited with code 1

Do you have an idea why?
Thanks in advance for any inputs or insights.

Cheers,
X
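
Tor prints "Unparseable address in hidden service port configuration." when the target of a HiddenServicePort line cannot be turned into an address; in my reading of Tor's hs_common.c that includes a hostname that does not resolve, since Tor looks the target up while parsing the config. The entrypoint generates those lines from the {exposed_port}:{hostname}:{port} entries the README describes. The parser and renderer below are an added example, not the tool's code. They show what shape the variable must have (including the unix:// form, and the multi-entry form that answers the earlier "Multiple linked containers with One Hidden Service" question: one HiddenServiceDir with several HiddenServicePort lines) and catch a target that does not resolve before a torrc is written. The resolver, the HiddenServiceDir base path and the service names are assumptions made for the demo.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# A Docker service/container name as the compose DNS resolves it (letters, digits, '_', '-', '.').
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9_.-]*[A-Za-z0-9])?$")


@dataclass(frozen=True)
class PortMapping:
    virt_port: int                    # port exposed on the .onion address
    host: Optional[str] = None        # container hostname (None for a unix socket)
    port: Optional[int] = None        # port inside that container
    socket_path: Optional[str] = None  # unix socket path (None for host:port targets)


def _port(text, what, entry):
    try:
        value = int(text)
    except ValueError:
        raise ValueError(f"{what} {text!r} in {entry!r} is not a number") from None
    if not 1 <= value <= 65535:
        raise ValueError(f"{what} {value} in {entry!r} is out of range")
    return value


def parse_service_hosts(spec: str) -> List[PortMapping]:
    """Parse '{exposed_port}:{hostname}:{port}[,...]' or '{exposed_port}:unix://path'."""
    mappings = []
    for entry in filter(None, (e.strip() for e in spec.split(","))):
        virt_text, sep, target = entry.partition(":")
        if not sep or not target:
            raise ValueError(f"{entry!r}: expected exposed_port:hostname:port")
        virt = _port(virt_text, "exposed port", entry)
        if target.startswith("unix://"):
            # README: 80:unix://path/to/socket.sock maps to the socket /path/to/socket.sock
            path = "/" + target[len("unix://"):].lstrip("/")
            mappings.append(PortMapping(virt, socket_path=path))
            continue
        host, sep, port_text = target.rpartition(":")
        if not sep:
            raise ValueError(f"{entry!r}: missing container port after {target!r}")
        if not _HOSTNAME_RE.match(host):
            raise ValueError(f"{entry!r}: {host!r} is not a usable hostname")
        mappings.append(PortMapping(virt, host=host, port=_port(port_text, "container port", entry)))
    return mappings


def render_torrc(service: str, mappings: List[PortMapping],
                 resolve: Callable[[str], Optional[str]],
                 base_dir: str = "/var/lib/tor/hidden_service") -> str:
    """Emit the HiddenService* lines for one service. `resolve` maps a hostname to an IP
    and stands in for the container DNS (hypothetical); tor wants an address on each line."""
    lines = [f"HiddenServiceDir {base_dir}/{service}", "HiddenServiceVersion 3"]
    for m in mappings:
        if m.socket_path is not None:
            lines.append(f"HiddenServicePort {m.virt_port} unix:{m.socket_path}")
            continue
        answer = resolve(m.host)
        if answer is None:
            raise ValueError(f"{m.host!r} does not resolve; tor would report this target as unparseable")
        ip = ipaddress.ip_address(answer)
        target = f"[{ip}]:{m.port}" if ip.version == 6 else f"{ip}:{m.port}"
        lines.append(f"HiddenServicePort {m.virt_port} {target}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed resolver: what the compose network might hand back for linked containers.
    dns = {"hello": "172.18.0.3", "world": "172.18.0.4", "web": "172.18.0.5", "ssh": "172.18.0.6"}.get
    print(render_torrc("service1", parse_service_hosts("88:hello:80,8000:world:80"), dns))
    print(render_torrc("box", parse_service_hosts("80:web:80,22:ssh:22"), dns))  # one onion, two ports
    print(render_torrc("sock", parse_service_hosts("80:unix://path/to/socket.sock"), dns))
```

Two things worth checking against the compose file in the "No onion site" issue above and in the WordPress setup: every service you expect an address for needs a *_TOR_SERVICE_HOSTS entry in this shape, and every hostname in it must be a name the tor container can actually resolve (a linked or same-network service); a port that belongs to a container on another network fails exactly the way the log above shows.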

What's the trick to use custom ed25519 keys?

I'm trying to set up a hidden service using a custom ed25519 key. To get the base64 of the private key, I run cat hs_ed25519_secret_key | base64 and create a docker-compose.yml based on README.md. However, I continue to get this error, and Tor just starts up with its own self-generated keypair (which subsequently works fine as I can connect to the HS through Tor).

tor_1         | Entrypoint WARNING  ERROR:root:Fail to setup from GPG_KEY environment
tor_1         | Entrypoint WARNING  ERROR:root:Private key does not seems to be a valid RSA PEM key
tor_1         | Entrypoint WARNING  ERROR:root:Fail to setup from GRAFFENDK_TOR_SERVICE_KEY environment
tor_1         | Entrypoint WARNING  ERROR:root:Private key does not seems to be a valid ed25519 tor key
tor_1         | Entrypoint WARNING  ERROR:root:Service gpg has not ports set
tor_1         | Entrypoint INFO     graffendk: qhsxyycredghviwmomq7dmlyqac6g4o2ivc567bqovgek6ur74tas2qd.onion:80

This is my current docker-compose.yml file:

version: '3'

services:
  tor:
    image: goldy/tor-hidden-service:0.4.4.6
    links:
      - graffen.dk
    environment:
      GRAFFENDK_TOR_SERVICE_HOSTS: '80:graffen.dk:80'
      GRAFFENDK_TOR_SERVICE_VERSION: '3'
      GRAFFENDK_TOR_SERVICE_KEY: |
        OUTPUT_FROM_base64_COMMAND
        HERE
    networks:
      - tor

  graffen.dk:
    image: 'graffen.dk-website'
    environment:
      LETSENCRYPT_HOST: 'graffen.dk,www.graffen.dk'
      VIRTUAL_HOST: 'graffen.dk,www.graffen.dk'
      LETSENCRYPT_EMAIL: 'xxx'
    networks:
      - proxy_net
      - tor

networks:
  proxy_net:
    external:
      name: 'nextcloud-docker-compose_proxy-tier'
  tor:

Do I need to do something else to get the base64 version of the key or have I missed something different?
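
This question and the earlier "Some private keys are not working" issue hinge on the same thing: what the base64 in *_TOR_SERVICE_KEY has to decode to. A tor hs_ed25519_secret_key is 96 bytes: the 32-byte tag "== ed25519v1-secret: type0 ==" plus three NUL bytes, followed by the 64-byte expanded key (the clamped scalar, then the nonce); mkp224o writes the same layout. The block below is an added example, not code from the project: it validates that layout, checks the scalar clamping, derives the public key and the .onion address from the key, and verifies an address checksum. It embeds the two keys the earlier poster published (they said they will not use them). Both decode to 96 bytes with the right tag and a properly clamped scalar, so the rejection of the second one is not explained by the key layout itself. The ed25519 arithmetic is a plain affine implementation, fine for an offline check but not constant-time.

```python
import base64
import hashlib

# --- minimal ed25519 group arithmetic (reference-style affine coordinates, not constant-time) ---
_Q = 2 ** 255 - 19
_D = (-121665 * pow(121666, _Q - 2, _Q)) % _Q
_I = pow(2, (_Q - 1) // 4, _Q)


def _inv(x):
    return pow(x, _Q - 2, _Q)


def _xrecover(y):
    xx = (y * y - 1) * _inv(_D * y * y + 1)
    x = pow(xx, (_Q + 3) // 8, _Q)
    if (x * x - xx) % _Q != 0:
        x = (x * _I) % _Q
    if x % 2 != 0:
        x = _Q - x
    return x


_BY = (4 * _inv(5)) % _Q
_B = (_xrecover(_BY), _BY)  # the standard base point


def _add(p, q):
    x1, y1 = p
    x2, y2 = q
    k = _D * x1 * x2 * y1 * y2
    return (((x1 * y2 + x2 * y1) * _inv(1 + k)) % _Q, ((y1 * y2 + x1 * x2) * _inv(1 - k)) % _Q)


def _scalarmult(p, e):
    r = (0, 1)  # neutral element; double-and-add from the most significant bit
    for bit in range(e.bit_length() - 1, -1, -1):
        r = _add(r, r)
        if (e >> bit) & 1:
            r = _add(r, p)
    return r


def _encode_point(p):
    x, y = p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


# --- tor's hs_ed25519_secret_key: 32-byte tag, then the 64-byte expanded key (clamped scalar || nonce) ---
TOR_V3_SECRET_TAG = b"== ed25519v1-secret: type0 ==\x00\x00\x00"

# Both keys copied from the "Some private keys are not working" issue on this page.
WORKING_KEY_B64 = """PT0gZWQyNTUxOXYxLXNlY3JldDogdHlwZTAgPT0AAAC4hjCHAKudqdFXoJfpyjZ0EsrAs2yUjYfB
Q6QJMgINYzX8l7c5ScogTmYkVfeHlbi2FwhnOAkRtGaoa0juee9W"""
FAILING_KEY_B64 = """PT0gZWQyNTUxOXYxLXNlY3JldDogdHlwZTAgPT0AAAAACZk2fTFszTrb+L0afrmDf4WHwBoEbeQi
37A4PX8lUykL1JWDUyMv8VnNa+g9499q0o7QRcaxmm06joY9N0Q2"""


def decode_tor_secret_key(b64_text):
    """Accept the (possibly line-wrapped) base64 the README asks for; return the 64-byte expanded key."""
    raw = base64.b64decode("".join(b64_text.split()), validate=True)
    if len(raw) != 96:
        raise ValueError(f"expected 96 bytes (32-byte tag + 64-byte key), got {len(raw)}")
    if raw[:32] != TOR_V3_SECRET_TAG:
        raise ValueError("missing '== ed25519v1-secret: type0 ==' tag; not a tor v3 secret key file")
    return raw[32:]


def scalar_is_clamped(expanded):
    """ed25519 clamping: low 3 bits clear, bit 254 set, bit 255 clear."""
    a = expanded[:32]
    return (a[0] & 0b111) == 0 and (a[31] & 0x80) == 0 and (a[31] & 0x40) != 0


def public_key(expanded):
    a = int.from_bytes(expanded[:32], "little")
    return _encode_point(_scalarmult(_B, a))


def onion_address(expanded):
    """v3 address: base32(pubkey || sha3_256('.onion checksum' || pubkey || 0x03)[:2] || 0x03)."""
    pub = public_key(expanded)
    checksum = hashlib.sha3_256(b".onion checksum" + pub + b"\x03").digest()[:2]
    return base64.b32encode(pub + checksum + b"\x03").decode("ascii").lower() + ".onion"


def parse_onion_address(address):
    """Return the public key embedded in a v3 address, or raise if version/checksum are wrong."""
    label = address[:-len(".onion")] if address.endswith(".onion") else address
    if len(label) != 56:
        raise ValueError("a v3 address is 56 base32 characters")
    raw = base64.b32decode(label.upper())
    pub, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03":
        raise ValueError("not a version-3 address")
    if checksum != hashlib.sha3_256(b".onion checksum" + pub + version).digest()[:2]:
        raise ValueError("checksum mismatch (typo or corrupted address)")
    return pub


if __name__ == "__main__":
    for name, text in (("working", WORKING_KEY_B64), ("failing", FAILING_KEY_B64)):
        key = decode_tor_secret_key(text)
        print(name, "clamped:", scalar_is_clamped(key), "address:", onion_address(key))
```

The practical use for this thread: onion_address(decode_tor_secret_key(text)) is the address the key should produce, so comparing it with what the entrypoint prints at startup tells "tor loaded my key" apart from "tor ignored it and generated its own", which is the symptom described above. If decode_tor_secret_key raises, the problem is in how the file was base64-encoded or pasted into the compose file rather than in tor.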

Tor Service unreachable, receiving dropped cell error while running vanguards

Regardless whether vanguards is enabled or not, my service is unreachable. It is only when vanguards is enabled that an error is received stating a circuit has been forced closed. The full output is as follows:

WARNING[Wed Feb xx xx:xx:xx xxxx]: Possible Tor bug, or possible attack if very frequent: Got 1 dropped cell on circ 69 (in state HS_SERVICE_REND HSSR_JOINED; old state HS_SERVICE_REND HSSR_CONNECTING)
NOTICE[Wed Feb xx xx:xx:xx xxxx]: We force-closed circuit 69

This is my docker-compose setup for the tor service:

tor:
    image: goldy/tor-hidden-service:latest
    container_name: tor_container
    environment:
      TOR_ENABLE_VANGUARDS: 'true'
      VANGUARDS_EXTRA_OPTIONS: |
        [GLOBAL]
        enable_cbtverify = True

      CHAN_TOR_SERVICE_HOSTS: '${TOR_PORT}:0.0.0.0:${SERVICE_PORT}'
      CHAN_TOR_SERVICE_PORTS: '${TOR_PORT}:${SERVICE_PORT}'
      CHAN_TOR_SERVICE_VERSION: '3'
      CHAN_TOR_SERVICE_KEY: |
        '${MY_BIG_LONG_KEY}'
    volumes:
      - type: bind
        source: ./tor
        target: /var/lib/tor/hidden_service
      - type: bind
        source: ./tor-data
        target: /run/tor/data
    secrets:
      - tor_secret
    networks:
      a_net:
        aliases:
          - tor
        ipv4_address: 0.0.0.0
    ports:
      - 9050:9050

As you can see, it does not appear that anything is wrong with the docker-compose.yml file, yet my client is still unreachable. Not sure what the received error is about. The only thing I can think of is if tor needs a larger dedicated shm_size.

multi-platform image builds

hi @cmehay! have you thought about supporting multi-platform builds of tor-hidden-service?

i've been experimenting with multi-platform images since i'm running a containerized onion service from a raspberry pi.

i was able to build and push a multi-platform image by following the buildx docs to create a new builder using the docker-container driver. this is what that looks like in practice as another makefile task:

publish-multiplatform:
  docker buildx build --platform linux/amd64,linux/arm64 --build-arg tor_version=$(TOR_VERSION) --build-arg torsocks_version=$(TORSOCKS_VERSION) -f Dockerfile --tag lizz0thabet/tor-hidden-service:$(CUR_TAG) --tag lizz0thabet/tor-hidden-service:latest --push .

and here's the image on hub that i'm using on my pi.

there are a couple ways this ^ particular approach might introduce inconsistencies / friction into the existing workflow. right now, docker compose doesn't support multi-platform builds, so the compose file has to be translated into a docker build command. the second thing is that at the moment buildkit only supports multi-platform manifests when pushing images, so you have to build and push in the same step.

these may be acceptable compromises / changes to the existing workflows, or they may not be! i appreciate the work you've put in to build, maintain, and document tor-hidden-service.

Upgrade to Tor 0.4.5 LTS?

0.4.5.6 is available. I checked and the docker image builds fine, and seems to run so far without regressions.

Adding security routines

This ticket is open to discuss adding security routines to this project.

Regarding #40, I'm starting to work on adding Vanguards in this project, and issuing a convenient way to run a hidden service with it.

Please feel free to add any useful resources to increase security and privacy for running hidden services.

Installation instructions

Hello,

Can you please let me know how I can install docker-tor-hidden-service on my server?
I appreciate any help you can provide.

vanguards network example does not work

When I run it like in the example I get:

WARNING[Wed Sep 15 19:35:08 2021]: Tor daemon connection failed: [Errno 111] Connection refused. Trying again...

and after a restart I get:

tor          | Entrypoint WARNING  ERROR:root:Command '['tor', '--quiet', '--hash-password', 'something_secret']' returned non-zero exit status 1.
tor          | Entrypoint WARNING  Traceback (most recent call last):
tor          | Entrypoint WARNING    File "/usr/local/src/onions/onions/Onions.py", line 499, in main
tor          | Entrypoint WARNING      onions.setup_hosts()
tor          | Entrypoint WARNING    File "/usr/local/src/onions/onions/Onions.py", line 354, in setup_hosts
tor          | Entrypoint WARNING      self._setup_control_port()
tor          | Entrypoint WARNING    File "/usr/local/src/onions/onions/Onions.py", line 90, in _setup_control_port
tor          | Entrypoint WARNING      self._hash_control_port_password(os.environ[
tor          | Entrypoint WARNING    File "/usr/local/src/onions/onions/Onions.py", line 60, in _hash_control_port_password
tor          | Entrypoint WARNING      self.control_hashed_password = subprocess.check_output([
tor          | Entrypoint WARNING    File "/usr/local/lib/python3.8/subprocess.py", line 415, in check_output
tor          | Entrypoint WARNING      return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
tor          | Entrypoint WARNING    File "/usr/local/lib/python3.8/subprocess.py", line 516, in run
tor          | Entrypoint WARNING      raise CalledProcessError(retcode, process.args,
tor          | Entrypoint WARNING  subprocess.CalledProcessError: Command '['tor', '--quiet', '--hash-password', 'something_secret']' returned non-zero exit status 1.
tor          | Entrypoint WARNING  ERROR:root:Command '['tor', '--quiet', '--hash-password', 'something_secret']' returned non-zero exit status 1.
tor          | Entrypoint ERROR    Command exit code: 1
vanguards    | NOTICE[Wed Sep 15 19:44:19 2021]: Creating new vanguard state file at: /run/tor/data/vanguards.state
vanguards    | NOTICE[Wed Sep 15 19:44:20 2021]: Tor daemon connection failed: [Errno 111] Connection refused. Trying again...
tor exited with code 1

Latest image broken

hello

Misprint in docker-compose.v2.yml and README.MD:
HELLO_TOR_SERVIV(!)E_KEY
I suspect that because of this, v2 tor keys are just not tested and do not work correctly.
Right now, if I fix the typo:

Entrypoint #033[33mWARNING #033[0m File "/usr/lib/python3.6/site-packages/pycryptodome-3.8.1-py3.6-linux-x86_64.egg/Crypto/PublicKey/RSA.py", line 754, in import_key#033[0m
Entrypoint #033[33mWARNING #033[0m     raise ValueError("RSA key format is not supported")#033[0m

otherwise a new key will be created

Unable to deploy on docker swarm

Hello,

if I try to deploy the hidden-service container on a docker swarm deployment I'm running into the following issue:

Entrypoint WARNING ERROR:root:Fail to setup from GPG_KEY environment
Entrypoint WARNING ERROR:root:Private key does not seems to be a valid RSA PEM key
Entrypoint WARNING ERROR:root:Service gpg has not ports set
Entrypoint INFO v3: jeirgjrjgiergerhgergherughphuhgperguherhgoeg.onion:80
Jul 16 15:03:24.390 [notice] Tor 0.4.3.6 (git-30711296fd5b7f51) running on Linux with Libevent 2.1.11-stable, OpenSSL 1.1.1g, Zlib 1.2.11, Liblzma N/A, and Libzstd N/A.
Jul 16 15:03:24.390 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jul 16 15:03:24.390 [notice] Read configuration file "/etc/tor/torrc".
Jul 16 15:03:24.000 [notice] Parsing GEOIP IPv4 file /usr/local/share/tor/geoip.
Jul 16 15:03:24.000 [notice] Parsing GEOIP IPv6 file /usr/local/share/tor/geoip6.
Jul 16 15:03:24.000 [notice] Bootstrapped 0% (starting): Starting
Jul 16 15:03:24.000 [notice] Starting with guard context "default"
Jul 16 15:03:25.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
... END!?!

My docker-compose looks like this (version 3.5):
docker-compose.yml:

...
  onion-relay:
    image: goldy/tor-hidden-service:latest
    hostname: onion-relay
    networks:
      - onion
      - frontend
    environment:
      V3_TOR_SERVICE_HOSTS: 80:spice:80
      V3_TOR_SERVICE_VERSION: '3'
      V3_TOR_SERVICE_KEY: |
        PT0gZWSomeRandomShitldDogdHlwZTAgwoeifjiwefjiowefkjpwifmBlBlaBlaBlaWe7xEiPjIVvdvd
        0odmBX7deaa95r+va2+eObAwWDZ0Lgtziowefjiwefijfewfwe

...

Of course the real key is another. The funny thing is that exactly the same config is working locally for me but not on my swarm cluster?!? Any idea, as this makes no sense to me?

Link to docker-vanguards from README

I am a sporadic maintainer of docker-vanguards https://github.com/onionltd/docker-vanguards.

Vanguards is a privacy enhancing addon for Tor hidden services. You can read more about it here: https://blog.torproject.org/announcing-vanguards-add-onion-services

The original Dockerfile was sent to me by someone going by the name "aToo"; he agreed with my idea to release it as open source. The image is designed to complement the docker-tor-hidden-service image, the only requirement being an open ControlPort.

Please consider linking to this project from your README, as it substantially lowers the risk of Guard node discovery when running a Tor hidden service.

We believe that the most serious threat that v3 onion services currently face is guard discovery. A guard discovery attack enables an adversary to determine the guard node(s) that are in use by a Tor client and/or Tor onion service. Once the guard node is known, traffic analysis attacks that can deanonymize an onion service (or onion service user) become easier.

The use case is described in https://github.com/onionltd/docker-vanguards/blob/master/docker-compose.yaml.

Oh there's also this issue: https://github.com/onionltd/docker-vanguards/issues/1

'gpg: keyserver receive failed: General error' when building image

When I try to build this image from source using

docker build --build-arg tor_version=0.4.3.6 .

I get

Sending build context to Docker daemon  557.1kB
Step 1/19 : FROM    python:3.7-alpine
 ---> 295b051ee125
Step 2/19 : ARG     tor_version
 ---> Using cache
 ---> 574908d63d94
Step 3/19 : ENV     HOME /var/lib/tor
 ---> Using cache
 ---> 392d96d0475e
Step 4/19 : ENV     POETRY_VIRTUALENVS_CREATE=false
 ---> Using cache
 ---> 8dda69c0fe7f
Step 5/19 : RUN     apk add --no-cache git bind-tools libevent-dev openssl-dev gnupg gcc make automake ca-certificates autoconf musl-dev coreutils libffi-dev zlib-dev &&     mkdir -p /usr/local/src/ /var/lib/tor/ &&     gpg --batch --auto-key-locate nodefault,wkd --recv-keys FE43009C4607B1FB &&     git clone https://git.torproject.org/tor.git /usr/local/src/tor &&     cd /usr/local/src/tor &&     git checkout tor-$tor_version &&     git verify-tag tor-$tor_version &&     ./autogen.sh &&     ./configure     --disable-asciidoc     --sysconfdir=/etc     --disable-unittests &&     make && make install &&     cd .. &&     rm -rf tor &&     pip3 install --upgrade pip poetry &&     apk del git libevent-dev openssl-dev gnupg make automake autoconf musl-dev coreutils libffi-dev &&     apk add --no-cache libevent openssl
 ---> Running in 984dfcf67cc2
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/x86_64/APKINDEX.tar.gz
(1/65) Installing m4 (1.4.18-r1)
(2/65) Installing perl (5.30.3-r0)
(3/65) Installing autoconf (2.69-r2)
(4/65) Installing automake (1.16.2-r0)
(5/65) Installing fstrm (0.6.0-r1)
(6/65) Installing libgcc (9.3.0-r2)
(7/65) Installing json-c (0.14-r1)
(8/65) Installing libstdc++ (9.3.0-r2)
(9/65) Installing libprotobuf (3.12.2-r0)
(10/65) Installing libprotoc (3.12.2-r0)
(11/65) Installing protobuf-c (1.3.3-r1)
(12/65) Installing libuv (1.38.1-r0)
(13/65) Installing libxml2 (2.9.10-r5)
(14/65) Installing bind-libs (9.16.6-r0)
(15/65) Installing bind-tools (9.16.6-r0)
(16/65) Installing libacl (2.2.53-r0)
(17/65) Installing libattr (2.4.48-r0)
(18/65) Installing coreutils (8.32-r0)
(19/65) Installing binutils (2.34-r1)
(20/65) Installing gmp (6.2.0-r0)
(21/65) Installing isl (0.18-r0)
(22/65) Installing libgomp (9.3.0-r2)
(23/65) Installing libatomic (9.3.0-r2)
(24/65) Installing libgphobos (9.3.0-r2)
(25/65) Installing mpfr4 (4.0.2-r4)
(26/65) Installing mpc1 (1.1.0-r1)
(27/65) Installing gcc (9.3.0-r2)
(28/65) Installing nghttp2-libs (1.41.0-r0)
(29/65) Installing libcurl (7.69.1-r1)
(30/65) Installing pcre2 (10.35-r0)
(31/65) Installing git (2.26.2-r0)
(32/65) Installing perl-error (0.17029-r0)
(33/65) Installing perl-git (2.26.2-r0)
(34/65) Installing git-perl (2.26.2-r0)
(35/65) Installing libgpg-error (1.37-r0)
(36/65) Installing libassuan (2.5.3-r0)
(37/65) Installing libcap (2.27-r0)
(38/65) Installing libblkid (2.35.2-r0)
(39/65) Installing libmount (2.35.2-r0)
(40/65) Installing pcre (8.44-r0)
(41/65) Installing glib (2.64.5-r0)
(42/65) Installing libgcrypt (1.8.5-r0)
(43/65) Installing libsecret (0.20.3-r0)
(44/65) Installing pinentry (1.1.0-r2)
Executing pinentry-1.1.0-r2.post-install
(45/65) Installing nettle (3.5.1-r1)
(46/65) Installing p11-kit (0.23.20-r5)
(47/65) Installing libtasn1 (4.16.0-r1)
(48/65) Installing libunistring (0.9.10-r0)
(49/65) Installing gnutls (3.6.15-r0)
(50/65) Installing libksba (1.4.0-r0)
(51/65) Installing db (5.3.28-r1)
(52/65) Installing libsasl (2.1.27-r6)
(53/65) Installing libldap (2.4.50-r0)
(54/65) Installing npth (1.6-r0)
(55/65) Installing gnupg (2.2.23-r0)
(56/65) Installing python3 (3.8.5-r0)
(57/65) Installing libevent (2.1.11-r1)
(58/65) Installing pkgconf (1.7.2-r0)
(59/65) Installing libevent-dev (2.1.11-r1)
(60/65) Installing linux-headers (5.4.5-r1)
(61/65) Installing libffi-dev (3.3-r2)
(62/65) Installing make (4.3-r0)
(63/65) Installing musl-dev (1.1.24-r9)
(64/65) Installing openssl-dev (1.1.1g-r0)
(65/65) Installing zlib-dev (1.2.11-r3)
Executing busybox-1.31.1-r16.trigger
OK: 285 MiB in 100 packages
gpg: directory '/var/lib/tor/.gnupg' created
gpg: keybox '/var/lib/tor/.gnupg/pubring.kbx' created
gpg: keyserver receive failed: General error
The command '/bin/sh -c apk add --no-cache git bind-tools libevent-dev openssl-dev gnupg gcc make automake ca-certificates autoconf musl-dev coreutils libffi-dev zlib-dev &&     mkdir -p /usr/local/src/ /var/lib/tor/ &&     gpg --batch --auto-key-locate nodefault,wkd --recv-keys FE43009C4607B1FB &&     git clone https://git.torproject.org/tor.git /usr/local/src/tor &&     cd /usr/local/src/tor &&     git checkout tor-$tor_version &&     git verify-tag tor-$tor_version &&     ./autogen.sh &&     ./configure     --disable-asciidoc     --sysconfdir=/etc     --disable-unittests &&     make && make install &&     cd .. &&     rm -rf tor &&     pip3 install --upgrade pip poetry &&     apk del git libevent-dev openssl-dev gnupg make automake autoconf musl-dev coreutils libffi-dev &&     apk add --no-cache libevent openssl' returned a non-zero code: 2

error on raspberry pi

I am getting this error when running on raspberry pi 3

Unsupported ioctl: cmd=0x894b

still works correctly just spams the logs

Question @cmehay: How do you create hs_ed25519_secret_key / hs_ed25519_public_key?

Hey,

I'm urgently searching for a way to generate the content of /var/lib/tor/hidden_service/v3/ in a similar way to how you do it.
In the end I just want to input the secret key as a base64 encoded string! But I don't understand how you @cmehay
abstract the three files needed for Tor to work just from the provided V3_TOR_SERVICE_KEY:

  • hostname
  • hs_ed25519_public_key
  • hs_ed25519_secret_key

It would be awesome if you could explain this, as there is almost no usable content on google that I found within the last 3 hrs.
Can you maybe provide a short python snippet on how to accomplish this task, as it almost drives me mad!

Many thanks in advance
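As an added example (not the project's onions tool and not code from the poster), the following Python shows how the three files relate to each other. It assumes the tor on-disk formats: hs_ed25519_secret_key is a 32-byte tag `== ed25519v1-secret: type0 ==` zero-padded, followed by the 64-byte expanded key (the clamped first half of SHA-512(seed), then the 32-byte prefix); hs_ed25519_public_key is the tag `== ed25519v1-public: type0 ==` zero-padded plus the 32-byte public key; and the hostname is base32(pubkey || SHA3-256(".onion checksum" || pubkey || 0x03)[:2] || 0x03) + ".onion" as in rend-spec-v3. It further assumes (an assumption about this project, not verified here) that V3_TOR_SERVICE_KEY is the base64 of the complete 96-byte secret key file. All function names (`expand_seed`, `files_from_service_key`, `verify_onion_address`, ...) are mine. The Ed25519 arithmetic is the textbook affine reference form: correct and fine for a one-off derivation, but not constant-time, so use it to check keys rather than as a production signer.

```python
import base64
import hashlib

# --- Ed25519 group arithmetic (RFC 8032 section 5.1, affine coordinates) ---
# Reference-style arithmetic: correct but not constant-time.
_Q = 2 ** 255 - 19
_D = (-121665 * pow(121666, _Q - 2, _Q)) % _Q
_I = pow(2, (_Q - 1) // 4, _Q)  # sqrt(-1) mod q


def _inv(x: int) -> int:
    return pow(x, _Q - 2, _Q)


def _xrecover(y: int) -> int:
    """Recover the even x coordinate for a given y on the curve."""
    xx = (y * y - 1) * _inv(_D * y * y + 1)
    x = pow(xx, (_Q + 3) // 8, _Q)
    if (x * x - xx) % _Q != 0:
        x = (x * _I) % _Q
    if x % 2 != 0:
        x = _Q - x
    return x


_BY = (4 * _inv(5)) % _Q
_B = (_xrecover(_BY), _BY)  # base point B


def _edwards_add(p, q):
    x1, y1 = p
    x2, y2 = q
    t = _D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * _inv(1 + t)
    y3 = (y1 * y2 + x1 * x2) * _inv(1 - t)
    return x3 % _Q, y3 % _Q


def _scalarmult(p, e: int):
    """Left-to-right double-and-add; returns e*p."""
    result = (0, 1)  # neutral element
    for bit in bin(e)[2:]:
        result = _edwards_add(result, result)
        if bit == "1":
            result = _edwards_add(result, p)
    return result


# --- tor's tagged key file layout (assumed format, see lead-in) ---
_SECRET_TAG = b"== ed25519v1-secret: type0 ==".ljust(32, b"\x00")
_PUBLIC_TAG = b"== ed25519v1-public: type0 ==".ljust(32, b"\x00")


def expand_seed(seed: bytes) -> bytes:
    """32-byte seed -> 64-byte expanded secret key: clamped scalar || prefix."""
    if len(seed) != 32:
        raise ValueError("seed must be 32 bytes")
    h = bytearray(hashlib.sha512(seed).digest())
    h[0] &= 248
    h[31] &= 127
    h[31] |= 64
    return bytes(h)


def service_key_b64_from_seed(seed: bytes) -> str:
    """Build the base64 value that would go into V3_TOR_SERVICE_KEY."""
    return base64.b64encode(_SECRET_TAG + expand_seed(seed)).decode()


def public_key_from_expanded(expanded: bytes) -> bytes:
    """Public key A = a*B, a being the clamped first half of the expanded key."""
    a = int.from_bytes(expanded[:32], "little")
    x, y = _scalarmult(_B, a)
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def onion_address(pubkey: bytes) -> str:
    """rend-spec-v3: base32(PUBKEY || CHECKSUM || VERSION) + '.onion'."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"


def verify_onion_address(addr: str) -> bool:
    """Check length, version byte and checksum of a v3 address."""
    if not addr.endswith(".onion"):
        return False
    try:
        raw = base64.b32decode(addr[:-6].upper())
    except (ValueError, TypeError):
        return False
    if len(raw) != 35 or raw[34] != 3:
        return False
    expected = hashlib.sha3_256(b".onion checksum" + raw[:32] + b"\x03").digest()[:2]
    return raw[32:34] == expected


def files_from_service_key(b64: str) -> dict:
    """Turn a V3_TOR_SERVICE_KEY value into the three files tor expects.
    Newlines from a YAML block scalar are ignored before decoding."""
    blob = base64.b64decode("".join(b64.split()))
    if len(blob) != 96 or blob[:32] != _SECRET_TAG:
        raise ValueError("not a tagged ed25519v1 secret key blob")
    pub = public_key_from_expanded(blob[32:])
    return {
        "hs_ed25519_secret_key": blob,
        "hs_ed25519_public_key": _PUBLIC_TAG + pub,
        "hostname": (onion_address(pub) + "\n").encode(),
    }


if __name__ == "__main__":
    import os
    # Constructed demo seed; a real service needs its own random seed kept secret.
    for name, data in files_from_service_key(service_key_b64_from_seed(os.urandom(32))).items():
        print(name, len(data), "bytes")
```

Because the secret-key blob already contains the public key's scalar, the public key and hostname are fully determined by V3_TOR_SERVICE_KEY alone, which is why only that one value needs to be provided. A useful side effect of the format: every v3 address ends in "d", since the last base32 character encodes the low five bits of the version byte 0x03, so `verify_onion_address` rejects anything that does not.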
