Hi!
I want to have port 443 advertised but listen on port 9001. My router then forwards 443->9001 to the machine tor is running on.
It works with this:
    ORPort 443
    ORListenAddress 0.0.0.0:9001
However, I thought this is deprecated and I would rather use:
    ORPort 443 NoListen
    ORPort 0.0.0.0:9001 NoAdvertise
The latter, however, does not seem to work. Arm, for example, still errors "binding failed" and I see no incoming connections.
Is this a bug?
Thanks.
SE
There is no need to actually write out the IPv4 unspecified address (0.0.0.0) in the config file; all you need to do is put:
    ORPort 9001 NoAdvertise
Admittedly I have not actually tried it with ORPort personally, but I have had that configuration on one of my relays in the past for DirPort, to let tor advertise the directory on 80, which was already assigned to apache2; apache then simply reverse proxied requests for /tor/* to tor on localhost 9030. However, while you can do the above to listen on any address, there is no need to do so; I would instead specify the address and port you have set in the DNAT rule on your router. When I had the reverse proxy setup I simply had it set like:
    DirPort 80 NoListen
    DirPort 127.0.0.1:9030
Of course, in your case it won't be 127.0.0.1, because it is coming in from your external router, not from another server on the local machine.
On 10/03/13 16:18, Sina Eetezadi wrote:
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Sorry, there is an error in my example; I forgot the NoAdvertise attribute and didn't notice till the mail came back through the list. It should have been:
    DirPort 80 NoListen
    DirPort 127.0.0.1:9030 NoAdvertise
Other than that, the rest should all work as I suggested: either specify the actual address your router is set to forward to, or specify only the port.
On 10/03/13 17:20, Matt Joyce wrote:
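The NoListen/NoAdvertise split discussed in the two messages above, as an added example that is not from the thread and not tor's own config validation: a small Python checker that parses the ORPort/DirPort lines of a torrc and flags the combinations that cannot give a working port (everything NoAdvertise, everything NoListen, or both flags on one line), plus the two warnings a relay operator would want from this thread (a listening line bound to all addresses rather than the router's DNAT target, and a listening port below 1024). The torrc text, the 192.168.1.12 address and the 9001/9030 ports are constructed for the example; the checks encode the reasoning in the thread, not rules taken from tor's source.

```python
import re
from collections import defaultdict

# Constructed torrc fragment (not from any real relay): public 443 and 80 are
# advertised, the router's DNAT sends 443 to 192.168.1.12:9001, and the
# directory port is reached on loopback behind a reverse proxy.
SAMPLE_TORRC = """\
Nickname exampleRelay
ORPort 443 NoListen
ORPort 192.168.1.12:9001 NoAdvertise
DirPort 80 NoListen
DirPort 127.0.0.1:9030 NoAdvertise
"""

PORT_LINE = re.compile(r"^(ORPort|DirPort)\s+(\S+)(.*)$", re.IGNORECASE)
ANY_ADDRESS = (None, "0.0.0.0", "[::]")   # None: bare port, binds every address


def parse_port_lines(text):
    """Return (kind, address, port, flags) for each ORPort/DirPort line.

    kind is 'orport' or 'dirport'; address is None for a bare port; port is
    None when it is not numeric (e.g. 'auto'); flags is a lower-cased set
    such as {'nolisten'}. Anything after '#' is treated as a comment.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = PORT_LINE.match(line)
        if not m:
            continue
        kind, target, rest = m.group(1).lower(), m.group(2), m.group(3)
        addr, _, port = target.rpartition(":")
        flags = {f.lower() for f in rest.split()}
        entries.append((kind, addr or None, int(port) if port.isdigit() else None, flags))
    return entries


def check_ports(entries):
    """Return a list of (level, message); level is 'error' or 'warn'.

    Errors are combinations that cannot give a working relay port; warnings
    follow the thread's advice about binding only the DNAT target address and
    about privileged ports.
    """
    findings = []
    by_kind = defaultdict(list)
    for entry in entries:
        by_kind[entry[0]].append(entry)
    for kind, items in sorted(by_kind.items()):
        advertised = [e for e in items if "noadvertise" not in e[3]]
        listening = [e for e in items if "nolisten" not in e[3]]
        if not advertised:
            findings.append(("error", f"{kind}: nothing is advertised, every line has NoAdvertise"))
        if not listening:
            findings.append(("error", f"{kind}: nothing listens, every line has NoListen"))
        for _, addr, port, flags in items:
            if {"nolisten", "noadvertise"} <= flags:
                findings.append(("error", f"{kind} {port}: NoListen and NoAdvertise together, the line does nothing"))
        for _, addr, port, flags in listening:
            if addr in ANY_ADDRESS:
                findings.append(("warn", f"{kind} {port}: binds all addresses; bind the DNAT target address instead"))
            if port is not None and port < 1024:
                findings.append(("warn", f"{kind} {port}: privileged port, needs root or CAP_NET_BIND_SERVICE to bind"))
    return findings


def errors(findings):
    """Only the error-level messages, for a quick pass/fail."""
    return [msg for level, msg in findings if level == "error"]


if __name__ == "__main__":
    report = check_ports(parse_port_lines(SAMPLE_TORRC)) or [("ok", "config consistent")]
    for level, msg in report:
        print(f"{level}: {msg}")
```

Run against the sample it reports nothing; feed it the 0.0.0.0:9001 variant from the first message and it only warns about the wildcard bind, which matches the advice in the thread to bind the LAN address the router forwards to.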
The thing is, with this setup arm and also vidalia reported "can not bind 0.0.0.0:443". That's why I went back to the old setting. For the moment I do not really care, because it works; I was just wondering.
My router forwards 443 to 192.168.1.12:9001. So you suggest I put "192.168.1.12" instead of "0.0.0.0", right?
Sorry I didn't get back to you sooner, I have not been at the computer, but yes, you have it right there: just use your 192.168.1.12 internal address for tor to listen on. The other advantage of this way over just giving the port number is that you will only be accepting traffic arriving at your router using the published address and port. I generally figure that if neither I nor any software I gave permission to has published an address/port to legitimate clients, then it seems safe enough to presume it suspicious and not pass it to a running daemon process.
On the other thing you mentioned, you have a solution now, so it may well be that there isn't any use in me trying to say anything helpful about that, but if it helps any I can tell you this much without knowing more about your situation. With a port below 1024 like this there are generally two different failures that most likely account for the majority of cases.
* Firstly, there is the usual one that can apply with any port: port in use. The error message will usually say something along the lines of "cannot bind to IP:Port" and "Address/Port in use", "Device/Resource is busy", etc. Only one process can be associated with a unique srcip:port->dstip:port combination, so you will often get this error if you accidentally launch a second copy of a process such as a network server while the existing process is still alive and hasn't closed the port yet. If you are at a loss as to what is using the port, netstat is your friend; you can use it to find out exactly which sockets are in use and which process currently owns each listening socket/TCP stream.
* The second one is specific to ports below 1024. These low-numbered ports were always traditionally, and in many cases still are, the main default ports. As a result many operating systems reserve these ports for root/administrator, or at least for processes in possession of the relevant capabilities on newer versions of Linux. If this is the case the error will usually say something along the lines of "Cannot bind to IP:Port" and "Permission Denied", "Insufficient Privileges", etc., or words to that effect. If you have this issue then you will need to initially start tor as root, but if you do this then you would also be really strongly recommended to use the User directive in your config file to let tor know the user account to drop privileges to after it has finished initially binding to the proper port. An alternative option is to go ahead and use a NAT router to slip around the issue (only an option until tor steps out of the 20th century and enables IPv6 support, however); the other option is to set up a redirection using iptables on the same machine as the tor relay itself, which has the additional advantage that with a reasonably recent kernel you could look into using TPROXY, which does support IPv6 also.
On 10/03/13 18:24, Sina Eetezadi wrote:
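A preflight check for the two bind failures described in the last message, as an added example that is not part of the thread: it attempts the same bind tor would do, classifies EADDRINUSE ("port in use") against EACCES/EPERM ("permission denied" on a privileged port), and returns the next step for each case. The loopback demo port is chosen by the kernel at run time; the tool names and the capability named in the advice strings are assumptions for a typical Linux relay host, not something the thread states.

```python
import errno
import socket

PRIVILEGED_MAX = 1023   # ports 0-1023 need root or CAP_NET_BIND_SERVICE on Unix


def classify_bind_error(err):
    """Map an OSError raised by bind() onto the two failure classes in the thread."""
    if err.errno == errno.EADDRINUSE:
        return "in-use"
    if err.errno in (errno.EACCES, errno.EPERM):
        return "permission"
    return "other"


def try_bind(addr, port):
    """Preflight the bind tor would do; return ('ok', None) or (class, errno name).

    SO_REUSEADDR is deliberately not set so the answer matches what a freshly
    started daemon would see; the socket is closed again immediately.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((addr, port))
        return ("ok", None)
    except OSError as err:
        return (classify_bind_error(err), errno.errorcode.get(err.errno, str(err.errno)))
    finally:
        sock.close()


def advice(addr, port, outcome):
    """Next step for each outcome, following the two cases from the thread.

    The tool names and the capability are assumptions for a typical Linux host.
    """
    kind, code = outcome
    if kind == "ok":
        return f"{addr}:{port} is bindable"
    if kind == "in-use":
        return (f"{addr}:{port} already bound ({code}): list owners with "
                "'ss -ltnp' (or 'netstat -ltnp') and look for a stale tor process")
    if kind == "permission" and port <= PRIVILEGED_MAX:
        return (f"{addr}:{port} is a privileged port ({code}): start as root with a "
                "User directive, grant cap_net_bind_service, or redirect the port "
                "on the router or with iptables to one above 1023")
    return f"{addr}:{port} failed ({code})"


def demo_in_use():
    """Hold an ephemeral loopback port open, then preflight that same port."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))        # the kernel picks a free port
    holder.listen(1)
    port = holder.getsockname()[1]
    try:
        return port, try_bind("127.0.0.1", port)
    finally:
        holder.close()


if __name__ == "__main__":
    port, outcome = demo_in_use()
    print(advice("127.0.0.1", port, outcome))
    print(advice("0.0.0.0", 443, try_bind("0.0.0.0", 443)))
```

The second print shows the privileged-port case when run as an ordinary user on a host where nothing else holds 443. Of the options the advice names, the local redirect mentioned in the thread is in its simplest form `iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 9001`, which keeps tor on the NoAdvertise 9001 line while 443 stays the advertised NoListen port; the capability route, `setcap cap_net_bind_service=+ep /path/to/tor` (path assumed), instead lets an unprivileged tor bind 443 itself without ever starting as root.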