My tor exit node has been using a https proxy for a long time with great success in that I have had no abuse complaints directed to me and my VPS provider. Until recently.
Traffic has increased as I made the bandwidth wider, which might be an explanation.
I am getting complaints directed to my actual IP. It looks as if tor is sending data DIRECT and not obeying the lines completely, all the time.
TORRC
    OutboundBindAddress IP (second IP of server)
    HTTPSProxy service:port
    HTTPProxyAuthenticator name password
When I took out the OutboundBindAddress I just got complaints directed to the first IP.
I assumed the lines FORCED proxy use. This might not be the case in higher traffic?
Gerry
Hi,
First, thanks for running a relay.
Those settings do not ensure the EXIT traffic generated by your server goes via any proxy.
OutboundBindAddress IP - this is the IP address Tor will use for outgoing connections. This is the IP address which will be seen by destinations accessed by Tor clients using your server, this is the IP address which will receive abuse complaints.
    HTTPSProxy service:port
    HTTPProxyAuthenticator name password
These 2 settings refer to Tor usage as a CLIENT, not as a relay. This means that the proxy listed at HTTPSProxy will be used by your Tor to create its own circuits. They do not count for the relay usage.
In simple words, if you use that Tor instance as a client (SocksPort 127.0.0.1:9050 or whatever) either locally on that VPS or via an SSH tunnel, and you build a circuit to connect to browse a website, Tor will connect to the Guard (1st relay in the hop) via the proxy at HTTPSProxy.
But if I use your VPS as an exit in my circuit, the client functionality at your side has nothing to do with it, and I will just get the IP at OutboundBindAddress.
What you are trying can be achieved via more complex upstream iptables rules, which will force all traffic to go through a proxy. There is no torrc option for configuring a proxy for EXIT traffic. Also, an exit shouldn't only allow http/https traffic.
I would go for the easy option here, which is convincing your VPS provider that:
- your VPS is not infected in any way and it only relays anonymous traffic for privacy-concerned users, helping a global network of over 7000 volunteers
- your VPS is properly secured and uses up-to-date software and it is well protected from unauthorized authentications
- you will keep the VPS for as long as you can, and only the IP address of your VPS will be affected, which is dedicated; their other customers will have no drawback of any kind
- you will respond to all serious (non automated) abuse complaints sent by authorities within 48 hours after they are forwarded to you.
hope this helps, keep running exits!
On 6/11/2016 1:49 PM, Dr Gerard Bulger wrote:
My tor exit node has been using a https proxy for a long time with great success in that I have had no abuse complaints directed to me and my VPS provider. Until recently.
Traffic has increased as I made the bandwidth wider, which might be an explanation.
I am getting complaints directed to my actual IP. It looks as if tor is sending data DIRECT and not obeying the lines completely, all the time.
TORRC
    OutboundBindAddress IP (second IP of server)
    HTTPSProxy service:port
    HTTPProxyAuthenticator name password
When I took out the OutboundBindAddress I just got complaints directed to the first IP.
I assumed the lines FORCED proxy use. This might not be the case in higher traffic?
Gerry
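Added example (not part of the original thread, and not Tor project code): one way for an operator to check on their own host what the reply above describes, by sorting established TCP connections from `ss -tnH` output into those that reach the proxy and those that leave directly from the OutboundBindAddress. The sample output, addresses, ports and function names are constructed for illustration.

```python
from collections import Counter

# Constructed `ss -tnH` output (documentation address ranges, not real hosts).
SAMPLE_SS = """\
ESTAB 0 0 203.0.113.20:43812 198.51.100.7:3128
ESTAB 0 0 203.0.113.20:43990 198.51.100.7:3128
ESTAB 0 0 203.0.113.20:9001 192.0.2.33:50122
ESTAB 0 0 203.0.113.20:51544 192.0.2.80:443
ESTAB 0 0 203.0.113.20:51712 192.0.2.91:993
ESTAB 0 0 [2001:db8::20]:52100 [2001:db8:1::5]:443
ESTAB 0 36 203.0.113.10:22 192.0.2.200:61000
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def classify(ss_output, bind_addrs, proxy, listen_ports):
    """Count established connections per category.

    bind_addrs   -- addresses given to OutboundBindAddress (assumed values)
    proxy        -- (addr, port) of the HTTPSProxy (assumed value)
    listen_ports -- ORPort/DirPort values, used to recognise inbound connections
    """
    counts, direct_peers = Counter(), []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # skip headers, blank lines and non-established sockets
        local, peer = split_endpoint(fields[3]), split_endpoint(fields[4])
        if local[0] not in bind_addrs:
            counts["not_tor_address"] += 1   # e.g. SSH on the server's first IP
        elif local[1] in listen_ports:
            counts["inbound_relay"] += 1     # someone connected to our ORPort
        elif peer == proxy:
            counts["via_proxy"] += 1         # connection opened through the proxy
        else:
            counts["direct"] += 1            # left from the bind address, no proxy
            direct_peers.append(peer)
    return counts, direct_peers

if __name__ == "__main__":
    counts, direct = classify(SAMPLE_SS, {"203.0.113.20", "2001:db8::20"},
                              ("198.51.100.7", 3128), {9001})
    print(dict(counts))
    for addr, port in direct:
        print("direct:", addr, port)
```

A busy proxy and a non-zero "direct" count can appear together; the destinations in the direct list are the ones that see the OutboundBindAddress.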
It seemed to me that all outgoing was going via the proxy as the proxy was busy with the traffic, and the logs had many messages from the proxy server, such as the occasional refusal to connect to an IP address, but you have explained why I would see something like that.
My server without tor is quiet and underused with no limits of traffic per month. It has been fast so would still like to use it for TOR.
The server has two IPs. One dedicated to Tor. I also have an anonymous VPN elsewhere. I am trying to work out how to route all traffic on the 2nd Tor IP via my fast anonymous private VPN. I think I will need iproute2 at the very least. Anyone done this? Instructions appreciated.
The alternative would be to move to a UK TOR friendly ISP, but those seem to have bandwidth limits and would be another expense. Tor friendly VPNs are easier to come by. I doubt I can convince my current ISP to accept TOR officially. Abuse and the running of any proxy server are in their TOC as reasons to terminate. They must have seen my Tor running over the years and seen the terabytes go by. They can log in and must have spotted it running, but they have never commented on it. I suspect we are both politely avoiding the subject. They just post me the abuse notices and now say "too many".
Gerry
-----Original Message-----
From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of s7r
Sent: 11 June 2016 12:39
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] TORRC Exit not obeying httproxy