[tor-dev] Putting onion services behind a third-party TCP proxy

Pop Chunhapanya pop at cloudflare.com
Thu Aug 15 06:53:00 UTC 2019

> So I'm thinking putting the tor daemon behind some third party TCP proxy
> that will protect me from this kind of DDoS attack.
> What do you think if I want to implement a feature that forward all the
> onion service traffic to the TCP proxy before going to the Tor network?
> The protocol that I'm thinking is TCP Proxy Protocol [1]
> [1] https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
> You could try the existing HTTPSProxy torrc option?
> *HTTPSProxy* host[:port]
> Tor will make all its OR (SSL) connections through this host:port (or
> host:443 if port is not specified), via HTTP CONNECT rather than connecting
> directly to servers. You may want to set *FascistFirewall* to restrict
> the set of ports you might try to connect to, if your HTTPS proxy only
> allows connecting to certain ports.
> Tor also allows an intelligent firewall to filter circuits using a field
> in haproxy protocol format, see *HiddenServiceExportCircuitID* for
> details. But you probably won't need this advanced feature.

I feel that HTTPSProxy is too expensive. As far as I know, it needs to do
(1) tcp handshake, (2) tls handshake, and (3) http connect. If I can use
haproxy, it would be just one tcp handshake.

Could I propose another option for haproxy?
I can do it myself. You just review and merge :)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20190814/9742795e/attachment.html>

More information about the tor-dev mailing list