From 30869908483487fc70da08142a384424148bc257 Mon Sep 17 00:00:00 2001
From: Josh
Date: Tue, 10 Dec 2024 23:02:34 +1300
Subject: [PATCH 1/6] Update to Debian 12 (Bookworm). Configure UnattendedUpgrades to auto update tor.
---
 20auto-upgrades | 4 +++
 50unattended-upgrades | 7 +++++
 Dockerfile | 60 ++++++++++++++++++---------------------
 README.md | 2 +-
 docker-compose.yml | 38 +++++++++++++------------
 scripts/docker-entrypoint | 53 ++++++++++++++++++++++++++++++++++
 tor.sources.list | 2 ++
 torrc | 12 ++++++--
 8 files changed, 123 insertions(+), 55 deletions(-)
 create mode 100644 20auto-upgrades
 create mode 100644 50unattended-upgrades
 create mode 100644 tor.sources.list
diff --git a/20auto-upgrades b/20auto-upgrades
new file mode 100644
index 0000000..7841498
--- /dev/null
+++ b/20auto-upgrades
@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::AutocleanInterval "5";
+APT::Periodic::Unattended-Upgrade "1";
+APT::Periodic::Verbose "1";
\ No newline at end of file
diff --git a/50unattended-upgrades b/50unattended-upgrades
new file mode 100644
index 0000000..2a09485
--- /dev/null
+++ b/50unattended-upgrades
@@ -0,0 +1,7 @@
+Unattended-Upgrade::Origins-Pattern {
+ "origin=Debian,codename=${distro_codename},label=Debian-Security";
+ "origin=TorProject";
+};
+Unattended-Upgrade::Package-Blacklist {
+};
+Unattended-Upgrade::Automatic-Reboot "true";
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index e53eb01..9c69c39 100644
--- a/Dockerfile
+++ b/Dockerfile
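Review bot: `Unattended-Upgrade::Automatic-Reboot "true"` requests a reboot from inside a container, where no init is present to perform one, so the best case is a failed shutdown call and the worst case is the container's only process being terminated mid-upgrade; it should read `Unattended-Upgrade::Automatic-Reboot "false";`. The same reservation applies to the 20auto-upgrades hunk: the `APT::Periodic::*` settings are acted on by the apt-daily systemd timers (or cron), neither of which runs in an image whose entrypoint only starts tor, so as far as the visible hunks show nothing ever invokes `unattended-upgrade`. If in-place updates are really wanted, the entrypoint would have to schedule `unattended-upgrade` itself; the more conventional container answer is to rebuild the image on a cadence and let the `FROM` tag carry the security updates.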
@@ -1,13 +1,6 @@
 # Dockerfile for Tor Relay Server with obfs4proxy
-FROM debian:bullseye
-RUN echo 'deb http://deb.debian.org/debian bullseye-backports main' > /etc/apt/sources.list.d/backports.list
-MAINTAINER Josh josh.gaby@gmail.com
-
-ARG GPGKEY=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
-ARG APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE="True"
-ARG DEBCONF_NOWARNINGS="yes"
-ARG DEBIAN_FRONTEND=noninteractive
-ARG found=""
+FROM debian:bookworm
+LABEL org.opencontainers.image.authors="josh.gaby@gmail.com"
 # Set a default Nickname
 ENV TOR_NICKNAME=Tor4
@@ -16,35 +9,36 @@ ENV TERM=xterm
 # Install tor with GeoIP and obfs4proxy & backup torrc
 RUN apt-get update \
- && apt-get install -y --no-install-recommends \
- apt-utils \
- && apt-get install -y --no-install-recommends \
- pwgen \
- iputils-ping \
- tor/bullseye-backports \
- tor-geoipdb/bullseye-backports \
- obfs4proxy/bullseye-backports \
- && mkdir -pv /usr/local/etc/tor/ \
- && mv -v /etc/tor/torrc /usr/local/etc/tor/torrc.sample \
- && apt-get purge --auto-remove -y \
- apt-utils \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/* \
- # Rename Debian unprivileged user to tord \
- && usermod -l ${TOR_USER} debian-tor \
- && groupmod -n ${TOR_USER} debian-tor
-
-# Copy Tor configuration file
-COPY ./torrc /etc/tor/torrc
-
-# Copy docker-entrypoint
+ && apt-get install -y apt-transport-https wget gpg \
+ && apt-get install -y unattended-upgrades apt-listchanges
+
+COPY tor.sources.list /etc/apt/sources.list.d/tor.list
+COPY 50unattended-upgrades /etc/apt/apt.conf.d/50unattended-upgrades
+COPY 20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades
+
+RUN wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
+RUN apt-get update \
+ && apt-get install -y tor deb.torproject.org-keyring\
+ && apt-get install -y pwgen \
+ && apt-get install -y tor-geoipdb \
+ && apt-get install -y obfs4proxy \
+ && mkdir -pv /usr/local/etc/tor/ \
+ && apt-get -y purge --auto-remove \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+
+# Rename Debian unprivileged user to tord \
+RUN usermod -l ${TOR_USER} debian-tor \
+ && groupmod -n ${TOR_USER} debian-tor
+
+COPY torrc /etc/tor/torrc
 COPY ./scripts/ /usr/local/bin/
 # Persist data
 VOLUME /etc/tor /var/lib/tor
-# ORPort, DirPort, SocksPort, ObfsproxyPort, MeekPort
-EXPOSE 9001 9030 9050 54444 7002
+# ORPort, DirPort, SocksPort, ObfsproxyPort
+EXPOSE 9001 9030 9050 54444
 ENTRYPOINT ["docker-entrypoint"]
 CMD ["tor", "-f", "/etc/tor/torrc"]
diff --git a/README.md b/README.md
index 57d8ebd..d6a51a5 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 #### Forked
-This docker was forked from [chriswayg/tor-server](https://github.com/chriswayg/tor-server) and updated to run Debian Bullseye and the latest available Tor and obfs4proxy packages.
+This docker was forked from [chriswayg/tor-server](https://github.com/chriswayg/tor-server) and updated to run Debian 12 (Bookworm) and the latest available Tor and obfs4proxy packages. Unattended-Upgrades is also configured to keep Tor up to date automatically.
 #### A complete, efficient and secure Tor relay server Docker image
 *This docker image will install the latest current stable version of Tor server. It will run Tor as an unprivileged regular user, as recommended by torproject.org.*
diff --git a/docker-compose.yml b/docker-compose.yml
index 2b31b2e..e23088b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
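Review bot: The added `RUN wget -qO- … | gpg --dearmor | tee … >/dev/null` cannot fail: under the default `/bin/sh -c` the layer's exit status is `tee`'s, so a refused or truncated download leaves an empty keyring and the problem only surfaces, if at all, as a NO_PUBKEY error in the later `apt-get update`; the fingerprint embedded in the URL is also never compared with the key actually received. Fetching to a file, checking the fingerprint through gpg's machine-readable listing and only then dearmoring into the keyring closes both gaps (below). Separately, `apt-get -y purge --auto-remove` in the next RUN names no packages, so `wget`, `gpg` and `apt-transport-https` (a transitional package on bookworm) stay in the image, both `apt-get install` calls lack `--no-install-recommends`, and the first RUN leaves `/var/lib/apt/lists/*` behind in its own layer.
```dockerfile
RUN wget -qO /tmp/tor-archive-key.asc https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc \
    && gpg --show-keys --with-colons /tmp/tor-archive-key.asc \
       | grep -q '^fpr:.*:A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89:' \
    && gpg --dearmor < /tmp/tor-archive-key.asc > /usr/share/keyrings/tor-archive-keyring.gpg \
    && rm -f /tmp/tor-archive-key.asc
```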
@@ -1,18 +1,20 @@
-relay:
- image: joshgaby/tor-server
- init: true
- restart: always
- network_mode: host
- ## the ports are not needed with network_mode host
- ports:
- #- "9001:9001"
- #- "9030:9030"
- #- "54444:54444"
- #- "7002:7002"
- #volumes:
- ## mount and DataDirectory and custom `torrc` here
- #- ./tor-data/:/var/lib/tor/
- #- ./torrc:/etc/tor/torrc
- ## alternatively mount previously saved identity keys here
- #- ./tests/tor-data/keys/secret_id_key:/var/lib/tor/keys/secret_id_key
- #- ./tests/tor-data/keys/ed25519_master_id_secret_key:/var/lib/tor/keys/secret_id_key
+version: '2.2'
+services:
+ relay:
+ image: joshgaby/tor-server
+ init: true
+ restart: always
+ network_mode: host
+ ## the ports are not needed with network_mode host
+ ports:
+ - "9001:9001"
+ - "9030:9030"
+ - "54444:54444"
+ - "7002:7002"
+ volumes:
+ ## mount and DataDirectory and custom `torrc` here
+ - ./tor-data/:/var/lib/tor/
+ - ./torrc:/etc/tor/torrc
+ ## alternatively mount previously saved identity keys here
+ #- ./tests/tor-data/keys/secret_id_key:/var/lib/tor/keys/secret_id_key
+ #- ./tests/tor-data/keys/ed25519_master_id_secret_key:/var/lib/tor/keys/secret_id_key
diff --git a/scripts/docker-entrypoint b/scripts/docker-entrypoint
index 695f609..81bea82 100755
--- a/scripts/docker-entrypoint
+++ b/scripts/docker-entrypoint
@@ -16,6 +16,12 @@ chmodf 600 /var/lib/tor
 if [ ! -e /tor-config-done ]; then
 touch /tor-config-done # only run this once
+ if [ -n "${TOR_DEBUG}" ]; then
+ if ! grep -q '^PublishServerDescriptor ' /etc/tor/torrc; then
+ echo "Setting PublishServerDescriptor: 0"
+ echo -e "\nPublishServerDescriptor 0" >> /etc/tor/torrc
+ fi
+ fi
 # Add Nickname from env variable or randomized, if none has been set
 if ! grep -q '^Nickname ' /etc/tor/torrc; then
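Review bot: Uncommenting `- ./torrc:/etc/tor/torrc` bind-mounts the repository's torrc into the container, and the entrypoint hunk in this same commit appends to that path (`echo -e "\nPublishServerDescriptor 0" >> /etc/tor/torrc`, with the Nickname logic doing the same below it), so the first start will now rewrite the checked-in file on the host; either leave the mount commented as it was, or copy the file in instead of mounting it. `- "7002:7002"` is kept while this commit drops MeekPort 7002 from the Dockerfile's `EXPOSE`, and the 9001/9030 mappings no longer match the `ORPort 9002` / `DirPort 9031` that the torrc hunk of the same patch sets — harmless under `network_mode: host`, where the `ports:` block is ignored, but misleading to anyone who switches to bridge networking. `version: '2.2'` is obsolete in current Compose, which warns and ignores it, and can be dropped.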
@@ -62,6 +68,53 @@ if [ ! -e /tor-config-done ]; then
 if ! grep -q '^DataDirectory ' /etc/tor/torrc; then
 echo -e "\\nDataDirectory /var/lib/tor" >> /etc/tor/torrc
 fi
+
+ # Set the hard limit of open file descriptors really high.
+ # Tor will also potentially run out of ports.
+ echo "Setting ulimit..."
+ ulimit -SHn 65000
+
+ #echo "Setting nameservers..."
+ #echo "nameserver 8.8.8.8" >> /etc/resolv.conf
+ #echo "nameserver 4.2.2.2" >> /etc/resolv.conf
+
+ #echo "Tune using sysctl..."
+ #sudo sysctl net.ipv4.tcp_rmem="4096 87380 16777216"
+ #sudo sysctl net.ipv4.tcp_wmem="4096 65536 16777216"
+ #sudo sysctl net.core.netdev_max_backlog=2500
+ #sudo sysctl net.ipv4.tcp_no_metrics_save=1
+ #sudo sysctl net.ipv4.tcp_moderate_rcvbuf=1
+ #sudo sysctl net.core.rmem_max=1048575
+ #sudo sysctl net.core.wmem_max=1048575
+ #sudo sysctl net.ipv4.ip_local_port_range="1025 61000"
+ #sudo sysctl net.ipv4.tcp_synack_retries=3
+ #sudo sysctl net.ipv4.tcp_tw_recycle=1
+ #sudo sysctl net.ipv4.tcp_max_syn_backlog=10240
+ #sudo sysctl net.ipv4.tcp_fin_timeout=30
+ #sudo sysctl net.ipv4.tcp_keepalive_time=1200
+ #sudo sysctl net.netfilter.nf_conntrack_tcp_timeout_established=7200
+ #sudo sysctl net.netfilter.nf_conntrack_checksum=0
+ #sudo sysctl net.netfilter.nf_conntrack_max=131072
+ #sudo sysctl net.netfilter.nf_conntrack_tcp_timeout_syn_sent=15
+ #sudo sysctl net.ipv4.tcp_keepalive_time=60
+ #sudo sysctl net.ipv4.tcp_keepalive_time=60
+ #sudo sysctl net.ipv4.tcp_keepalive_intvl=10
+ #sudo sysctl net.ipv4.tcp_keepalive_probes=3
+ #sudo sysctl net.ipv4.ip_local_port_range="1025 65530"
+ #sudo sysctl net.core.netdev_max_backlog=300000
+ #sudo sysctl net.core.somaxconn=20480
+ #sudo sysctl net.ipv4.tcp_max_tw_buckets=2000000
+ #sudo sysctl net.ipv4.tcp_timestamps=0
+ #sudo sysctl vm.min_free_kbytes=65536
+ #sudo sysctl net.ipv4.ip_forward=1
+ #sudo sysctl net.ipv4.tcp_syncookies=1
+ #sudo sysctl net.ipv4.tcp_synack_retries=2
+ #sudo sysctl net.ipv4.conf.default.forwarding=1
+ #sudo sysctl net.ipv4.conf.default.proxy_arp=1
+ #sudo sysctl net.ipv4.conf.all.rp_filter=1
+ #sudo sysctl net.ipv4.conf.default.send_redirects=1
+ #sudo sysctl net.ipv4.conf.all.send_redirects=0
+
 fi
 echo -e "\n========================================================"
diff --git a/tor.sources.list b/tor.sources.list
new file mode 100644
index 0000000..e9e8446
--- /dev/null
+++ b/tor.sources.list
@@ -0,0 +1,2 @@
+deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
+deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
\ No newline at end of file
diff --git a/torrc b/torrc
index a3705f0..32de31c 100644
--- a/torrc
+++ b/torrc
@@ -4,20 +4,26 @@ User tord
 DataDirectory /var/lib/tor
+NumCPUs 2
+
 # Server's public IP Address (usually automatic)
-#Address 10.10.10.10
+#Address 3.14.159.26
 # Port to advertise for incoming Tor connections.
-ORPort 9001 # common ports are 9001, 443
+ORPort 9002 # common ports are 9001, 443
 #ORPort [IPv6-address]:9001
 # Mirror directory information for others (optional, not used on bridge)
-DirPort 9030 # common ports are 9030, 80
+DirPort 9031 # common ports are 9030, 80
 # Run Tor only as a server (no local applications)
 SocksPort 0
 ControlSocket 0
+ControlPort 0.0.0.0:9051
+# Enable password access for control port (password is: Cpk762yM08Cr)
+HashedControlPassword 16:783A31A701B99F6D60D04559DD776DF2A6F895776BF72913BE332985E1
+
 # Run as a relay only (change policy to enable exit node)
 ExitPolicy reject *:* # no exits allowed
 ExitPolicy reject6 *:*
From dae9f28318c74bea947799d587a71922c1893777 Mon Sep 17 00:00:00 2001
From: Josh
Date: Tue, 10 Dec 2024 23:59:50 +1300
Subject: [PATCH 2/6] Switch to bookworm-slim
---
 Dockerfile | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 9c69c39..c0b1e88 100644
--- a/Dockerfile
+++ b/Dockerfile
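Review bot: `ControlPort 0.0.0.0:9051` binds the control port on every interface, and with `network_mode: host` in the compose file that means every interface of the host, so anyone who can reach port 9051 and knows the password has full control of the relay. The password itself is committed in plaintext in the comment above `HashedControlPassword`, which makes the hash pointless the moment the repository is shared; bind to loopback with `ControlPort 127.0.0.1:9051` (or keep the existing `ControlSocket` instead), delete the plaintext from the comment, and regenerate the hash with `tor --hash-password` from a secret that is injected at deploy time rather than stored in git. `ORPort 9002` and `DirPort 9031` also diverge from the `EXPOSE 9001 9030` that the Dockerfile hunk keeps and from the port mappings in docker-compose.yml, and `#Address 3.14.159.26` reads like a placeholder that should not ship in the sample config.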
@@ -1,5 +1,6 @@
 # Dockerfile for Tor Relay Server with obfs4proxy
-FROM debian:bookworm
+FROM debian:bookworm-slim
+USER root
 LABEL org.opencontainers.image.authors="josh.gaby@gmail.com"
 # Set a default Nickname
@@ -17,15 +18,14 @@ COPY 50unattended-upgrades /etc/apt/apt.conf.d/50unattended-upgrades
 COPY 20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades
 RUN wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
-RUN apt-get update \
- && apt-get install -y tor deb.torproject.org-keyring\
- && apt-get install -y pwgen \
- && apt-get install -y tor-geoipdb \
- && apt-get install -y obfs4proxy \
- && mkdir -pv /usr/local/etc/tor/ \
- && apt-get -y purge --auto-remove \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
+RUN apt-get update
+RUN apt-get install -y tor deb.torproject.org-keyring
+RUN apt-get install -y tor-geoipdb
+RUN apt-get install -y obfs4proxy
+RUN mkdir -pv /usr/local/etc/tor/
+RUN apt-get -y purge --auto-remove
+RUN apt-get clean
+RUN rm -rf /var/lib/apt/lists/*
 # Rename Debian unprivileged user to tord \
 RUN usermod -l ${TOR_USER} debian-tor \
From 0d43b2d30b00005e41e53eaf62df24038ffbbfe1 Mon Sep 17 00:00:00 2001
From: Josh
Date: Wed, 11 Dec 2024 00:10:36 +1300
Subject: [PATCH 3/6] Remove obfs4proxy
---
 Dockerfile | 1 -
 README.md | 12 ++---------
 2 files changed, 2 insertions(+), 11 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index c0b1e88..e14ed40 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -21,7 +21,6 @@ RUN wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512
 RUN apt-get update
 RUN apt-get install -y tor deb.torproject.org-keyring
 RUN apt-get install -y tor-geoipdb
-RUN apt-get install -y obfs4proxy
 RUN mkdir -pv /usr/local/etc/tor/
 RUN apt-get -y purge --auto-remove
 RUN apt-get clean
diff --git a/README.md b/README.md
index d6a51a5..d973ab8 100644
--- a/README.md
+++ b/README.md
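Review bot: Splitting the chain into separate `RUN` instructions reintroduces the stale-index problem: `RUN apt-get update` is now cached on its own, so a later edit to one of the install lines reinstalls from an old package list (hadolint DL3009), and the trailing `RUN apt-get clean` / `RUN rm -rf /var/lib/apt/lists/*` remove nothing from the image because the lists are already committed in the earlier layers — on a `bookworm-slim` base that is exactly the size win being thrown away. Keep update, install and cleanup in one instruction, as the removed lines did. `pwgen` is also dropped without replacement although the entrypoint's randomized-Nickname path (`# Add Nickname from env variable or randomized` in patch 1) is still present; if that path calls pwgen, the first start will now fail. `apt-get -y purge --auto-remove` still names no package, so it removes nothing. In the first hunk, `USER root` right after `FROM debian:bookworm-slim` is a no-op since the official image already runs as root; it only highlights that the final image is left as root, which tor tolerates because torrc sets `User tord`, but the line adds nothing and should go.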
@@ -1,5 +1,5 @@
 #### Forked
-This docker was forked from [chriswayg/tor-server](https://github.com/chriswayg/tor-server) and updated to run Debian 12 (Bookworm) and the latest available Tor and obfs4proxy packages. Unattended-Upgrades is also configured to keep Tor up to date automatically.
+This docker was forked from [chriswayg/tor-server](https://github.com/chriswayg/tor-server) and updated to run Debian 12 (Bookworm) and the latest available Tor packages. Unattended-Upgrades is also configured to keep Tor up to date automatically.
 #### A complete, efficient and secure Tor relay server Docker image
 *This docker image will install the latest current stable version of Tor server. It will run Tor as an unprivileged regular user, as recommended by torproject.org.*
@@ -209,14 +209,6 @@ Please use the latest Docker engine available (do not use the possibly outdated
 - [Tor Relay Guide](https://trac.torproject.org/projects/tor/wiki/TorRelayGuide)
 - [Tor on Debian Installation Instructions 2019](https://2019.www.torproject.org/docs/debian.html.en)
 - [Torproject - git repo](https://github.com/torproject/tor)
-- [obfs4proxy on Debian - Guide to run an obfuscated bridge to help censored users connect to the Tor network.](https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/obfs4proxy)
-- [obfs4 - The obfourscator - Github](https://github.com/Yawning/obfs4)
-- [How to use the “meek” pluggable transport](https://blog.torproject.org/how-use-meek-pluggable-transport)
-- [meek-server for Tor meek bridge](https://github.com/arlolra/meek/tree/master/meek-server)
 ### License:
- - MIT
-
-##### For a very similar image based on tor-alpine use `chriswayg/tor-alpine`
- - https://hub.docker.com/r/chriswayg/tor-alpine
- - https://github.com/chriswayg/tor-alpine
+ - MIT
\ No newline at end of file
From aa96044a289ec7989f2b3c16adc972d7067f4b38 Mon Sep 17 00:00:00 2001
From: Josh
Date: Wed, 11 Dec 2024 00:11:44 +1300
Subject: [PATCH 4/6] Remove obfs4proxy
---
 scripts/docker-entrypoint | 43 ---------------------------------------
 1 file changed, 43 deletions(-)
diff --git a/scripts/docker-entrypoint b/scripts/docker-entrypoint
index 81bea82..b81675c 100755
--- a/scripts/docker-entrypoint
+++ b/scripts/docker-entrypoint
@@ -73,55 +73,12 @@ if [ ! -e /tor-config-done ]; then
 # Tor will also potentially run out of ports.
 echo "Setting ulimit..."
 ulimit -SHn 65000
-
- #echo "Setting nameservers..."
- #echo "nameserver 8.8.8.8" >> /etc/resolv.conf
- #echo "nameserver 4.2.2.2" >> /etc/resolv.conf
-
- #echo "Tune using sysctl..."
- #sudo sysctl net.ipv4.tcp_rmem="4096 87380 16777216"
- #sudo sysctl net.ipv4.tcp_wmem="4096 65536 16777216"
- #sudo sysctl net.core.netdev_max_backlog=2500
- #sudo sysctl net.ipv4.tcp_no_metrics_save=1
- #sudo sysctl net.ipv4.tcp_moderate_rcvbuf=1
- #sudo sysctl net.core.rmem_max=1048575
- #sudo sysctl net.core.wmem_max=1048575
- #sudo sysctl net.ipv4.ip_local_port_range="1025 61000"
- #sudo sysctl net.ipv4.tcp_synack_retries=3
- #sudo sysctl net.ipv4.tcp_tw_recycle=1
- #sudo sysctl net.ipv4.tcp_max_syn_backlog=10240
- #sudo sysctl net.ipv4.tcp_fin_timeout=30
- #sudo sysctl net.ipv4.tcp_keepalive_time=1200
- #sudo sysctl net.netfilter.nf_conntrack_tcp_timeout_established=7200
- #sudo sysctl net.netfilter.nf_conntrack_checksum=0
- #sudo sysctl net.netfilter.nf_conntrack_max=131072
- #sudo sysctl net.netfilter.nf_conntrack_tcp_timeout_syn_sent=15
- #sudo sysctl net.ipv4.tcp_keepalive_time=60
- #sudo sysctl net.ipv4.tcp_keepalive_time=60
- #sudo sysctl net.ipv4.tcp_keepalive_intvl=10
- #sudo sysctl net.ipv4.tcp_keepalive_probes=3
- #sudo sysctl net.ipv4.ip_local_port_range="1025 65530"
- #sudo sysctl net.core.netdev_max_backlog=300000
- #sudo sysctl net.core.somaxconn=20480
- #sudo sysctl net.ipv4.tcp_max_tw_buckets=2000000
- #sudo sysctl net.ipv4.tcp_timestamps=0
- #sudo sysctl vm.min_free_kbytes=65536
- #sudo sysctl net.ipv4.ip_forward=1
- #sudo sysctl net.ipv4.tcp_syncookies=1
- #sudo sysctl net.ipv4.tcp_synack_retries=2
- #sudo sysctl net.ipv4.conf.default.forwarding=1
- #sudo sysctl net.ipv4.conf.default.proxy_arp=1
- #sudo sysctl net.ipv4.conf.all.rp_filter=1
- #sudo sysctl net.ipv4.conf.default.send_redirects=1
- #sudo sysctl net.ipv4.conf.all.send_redirects=0
-
 fi
 echo -e "\n========================================================"
 # Display OS version, Tor version & torrc in log
 echo -e "Debian Version: \c" && cat /etc/debian_version
 tor --version
-obfs4proxy -version
 cat /etc/tor/torrc
 echo -e "========================================================\n"
From 4ec343ca44a476ea32078fccc1c7eddc08435b58 Mon Sep 17 00:00:00 2001
From: Josh
Date: Wed, 11 Dec 2024 07:18:58 +1300
Subject: [PATCH 5/6] Remove setting of ulimit
---
 Dockerfile | 1 +
 scripts/docker-entrypoint | 5 -----
 2 files changed, 1 insertion(+), 5 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index e14ed40..2e016c8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -21,6 +21,7 @@ RUN wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512
 RUN apt-get update
 RUN apt-get install -y tor deb.torproject.org-keyring
 RUN apt-get install -y tor-geoipdb
+# RUN apt-get install -y obfs4proxy
 RUN mkdir -pv /usr/local/etc/tor/
 RUN apt-get -y purge --auto-remove
 RUN apt-get clean
diff --git a/scripts/docker-entrypoint b/scripts/docker-entrypoint
index b81675c..5c58b07 100755
--- a/scripts/docker-entrypoint
+++ b/scripts/docker-entrypoint
@@ -68,11 +68,6 @@ if [ ! -e /tor-config-done ]; then
 if ! grep -q '^DataDirectory ' /etc/tor/torrc; then
 echo -e "\\nDataDirectory /var/lib/tor" >> /etc/tor/torrc
 fi
-
- # Set the hard limit of open file descriptors really high.
- # Tor will also potentially run out of ports.
- echo "Setting ulimit..."
- ulimit -SHn 65000
 fi
 echo -e "\n========================================================"
From 293b15f0b8f8ad8e3c1f3b9f59f2fcdb48dbcfa8 Mon Sep 17 00:00:00 2001
From: Josh
Date: Wed, 11 Dec 2024 07:22:05 +1300
Subject: [PATCH 6/6] Update gitignore
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index d331755..3d31a13 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,4 @@ Thumbs.db
 # Private files
 production/
+tests/tor-data/
\ No newline at end of file