relay behind reverse proxy

hello tor ^.^

i'm trying to set up a tor relay behind an nginx reverse proxy... i would like to know if it's correctly set up.

i have this warn in the logs:

    [warn] Received http status code 404 ("Not found") from server '85.14.240.188:443' while fetching "/tor/keys/fp/27B6B5996C426270A5C95488AA5BCEB6BCC86956".

but then in the same log a little bit after:

    [notice] Tor has successfully opened a circuit. Looks like client functionality is working.

last message is:

    Now checking whether ORPort X.X.X.X:9001 is reachable... (this may take up to 20 minutes -- look for log messages indicating success)

thx for support. it's a great community!

efkin

If you are using the free nginx, community project, that will only allow you to deploy a http(s) proxy. Only the commercial (paid) nginx allows you to deploy a TCP proxy (handles all TCP traffic), which is what you need for a Tor relay.

If you want to use a proxy, you should look into a TCP proxy which will handle any type of TCP traffic, regardless of protocol. (Tor uses http for directory requests [DirPort] but not for ORPort).

Make sure your relay can reach the other relays in the consensus and it doesn't have any kind of restrictions or limitations such as being able only to talk on certain ports or reach a limited number of IP addresses, etc. Your relay needs to be able to connect to all the other relays, so the clients can build circuits through it.

A free open source solution might be haproxy ( http://www.haproxy.org/ ) Maybe this will help you with your setup.

Make sure you properly bind DirPort and ORPort to the correct interface and use NoAdvertise and NoListen accordingly.

Provide more information about your setup and the relevant configs, if you are not able to do it.

Read the manual: https://www.torproject.org/docs/tor-manual.html.en

Thanks for running a relay!

On 3/9/2015 1:46 PM, efkin wrote:

On 03/09/2015 03:35 PM, s7r wrote:
nice to know!
Took a look at it and it is quite cool.

i just set up:

    ORPort 3128
    Address oni-on.cf

and some other stuff like nicks and contact info.

my haproxy config is something like this:

    frontend oni-on
        bind *:3128
        acl host_onion hdr(host) oni-on.cf
        use_backend onion if host_onion

it seems that when it checks for reachability at the end of 20 mins it does not manage to reach it.

Thanks for running a relay!
still trying to set it up but a pleasure.

Hi again

I don't know anything about haproxy config and how it should look like unfortunately.

As for torrc:

    ORPort <ip address, where the proxy forwards the requests>:3128 NoAdvertise
    ORPort <ip address of the actual proxy, where the server should be reached>:3128 NoListen

Remove the Address line. Leave the contact info and other settings.

Let us know if it works this way.

On 3/9/2015 7:50 PM, efkin wrote:

hey!

basically with your setup and a little trick on haproxy it is working now or at least the log is saying:

    [notice] Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
    [notice] Performing bandwidth self-test...done.

but nothing else on the logs since half an hour... does it mean it is working?

thx for support!

On 03/09/2015 10:03 PM, s7r wrote:
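Added example, not part of the thread and not the "little trick" mentioned above (the thread never shows it): one way to forward an ORPort through haproxy as plain TCP, next to the HTTP-style routing from the earlier frontend. The addresses 192.0.2.10 and 10.0.0.2 and the section names tor_orport, tor_relay and relay1 are assumptions.

```haproxy
# Added example: addresses and section names are assumptions.
#   192.0.2.10 = public address of the proxy host (constructed)
#   10.0.0.2   = internal address of the host running tor (constructed)
#
# Matching torrc on 10.0.0.2, following the two ORPort lines in the thread:
#   ORPort 10.0.0.2:3128 NoAdvertise      (what tor binds to)
#   ORPort 192.0.2.10:3128 NoListen       (what tor publishes)

defaults
    mode tcp                 # forward bytes only, no HTTP parsing
    timeout connect 10s
    timeout client  1h       # relay connections are long-lived
    timeout server  1h

# HTTP-style routing, as in the frontend posted earlier, needs a Host header:
#   acl host_onion hdr(host) oni-on.cf
#   use_backend onion if host_onion
# ORPort connections are TLS, not HTTP, so there is no Host header to match.
# Route on the listening port instead.
frontend tor_orport
    bind 192.0.2.10:3128
    default_backend tor_relay

backend tor_relay
    server relay1 10.0.0.2:3128
```

`haproxy -c -f <file>` checks the configuration before a reload. With plain TCP forwarding, tor sees the proxy's address as the peer of every inbound connection.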

Yes, that means it is working, theoretically. The log won't say anything for the next 6 hours, and after 6 hours it will just say how many circuits it has running, uptime and relayed bandwidth. These are the default log settings. You can increase the verbosity of the log but it's not required.

https://atlas.torproject.org/
Search here for your relay's nickname or IP address to see its flags and what Advertised Speed it is showing to the network. Might start with a low value but will grow in time.

https://consensus-health.torproject.org/consensus-health.html
Go here, wait for the page to load (big page) and search with ctrl + f and enter your relay's nickname. You will see here what flags were voted for your relay by the directory authorities.

https://blog.torproject.org/blog/lifecycle-of-a-new-relay
This will help you understand how Tor's load balancing works and what are the phases a new relay will go through.

Constantly keep an eye out for warnings/errors in Tor's log. Report any misbehavior to this mail list and especially by tickets on Trac at https://trac.torproject.org/

Remember to keep your Tor up to date whenever there is a new release, especially when the release fixes a security issue.

I am glad I could help! Now I can say thanks for running a relay. If it's an Exit relay, that is even better! You might want to challenge us with a different customized setup next time for your #2-nd relay :-)

Cheers!

On 3/10/2015 12:07 AM, efkin wrote:

So it is on atlas and consensus, it is an exit node. But the probability of being an exit has decreased in the graphs, but it is constant now. What does that mean?

Now we'll try to contact other exit nodes in the territory and see if there is a kind of association already existing of exit nodes so we could join them.

It feels nice to support this project.

Cheers!

On 03/09/2015 11:40 PM, s7r wrote: