[tor-relays] TORRC Exit not obeying httproxy

s7r s7r at sky-ip.org
Sat Jun 11 11:39:12 UTC 2016


Hi,

First, thanks for running a relay.

Those settings do not ensure the EXIT traffic generated by your server
goes via any proxy.

OutboundBindAddress IP - this is the IP address Tor will use for
outgoing connections. This is the IP address which will be seen by
destinations accessed by Tor clients using your server, this is the IP
address which will receive abuse complaints.

HTTPSProxy service:port
HTTPProxyAuthenticator name password

These 2 settings refer to Tor usage as a CLIENT, not as a relay. This
means that the proxy listed at HTTPSProxy will be used by your Tor to
create its own circuits. They do not count for the relay usage.

In simple words, if you use that Tor instance as a client (SocksPort
127.0.0.1:9050 or whatever) either locally on that VPS or via an SSH
tunnel, and you build a circuit to browse a website, Tor will
connect to the Guard (1st relay in the hop) via the proxy at HTTPSProxy.

But if I use your VPS as an exit in my circuit, the client functionality
at your side has nothing to do with it, and I will just get the IP at
OutboundBindAddress.

What you are trying can be achieved via more complex upstream iptables
rules, which will force all traffic to go through a proxy. There is no
torrc option for configuring a proxy for EXIT traffic. Also, an exit
shouldn't only allow http/https traffic.

I would go for the easy option here which is convincing your vps
provider that:
- your vps is not infected in any way and it only relays anonymous
traffic for privacy-concerned users, helping a global network of over
7000 volunteers
- your vps is properly secured and uses up-to-date software and it is
well protected from unauthorized authentications
- you will keep the vps for as long as you can, and only the ip address
of your vps will be affected, which is dedicated, their other customers
will have no drawback of any kind
- you will respond to all serious (non automated) abuse complaints sent
by authorities within 48 hours after they are forwarded to you.

Hope this helps, keep running exits!

On 6/11/2016 1:49 PM, Dr Gerard Bulger wrote:
> My tor exit node has been using a https proxy for a long time with great
> success in that I have had no abuse complaints directed to me and my VPS
> provider.   Until recently.   
> 
> Traffic has increased as I made the bandwidth wider, which might be an
> explanation.
> 
> I am getting complaints directed to my actual IP.   
> It looks as if tor is sending data DIRECT and not obeying the lines
> completely, all the time.   TORRC
> OutboundBindAddress  IP  (second IP of server)
> HTTPSProxy service:port
> HTTPProxyAuthenticator name password
> When I took out the OutboundBindAddress I just got complaints directed to
> the first IP.
> 
> I assumed the lines FORCED proxy use.   This might not be the case in higher
> traffic?
> 
> Gerry
> 
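
The distinction drawn in this reply can be checked mechanically. The following is an added example, not part of the original message and not Tor project code: a small torrc audit that flags an exit configuration relying on HTTPSProxy to hide its exit address. The sample torrc, the address 192.0.2.10, the host proxy.example and the rule "an accept entry in ExitPolicy means the relay exits" are assumptions made for illustration.

```python
PROXY_OPTS = {"httpsproxy", "httpproxyauthenticator"}

def parse_torrc(text):
    """Return {lowercased option name: [values]}, ignoring comments and blanks."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), []).append(value)
    return opts

def audit(text):
    """Report which address exit traffic leaves from and whether the proxy
    options are being relied on for something they do not cover."""
    opts = parse_torrc(text)
    is_relay = any(v.split()[0] != "0" for v in opts.get("orport", []) if v)
    # Simplified heuristic (assumption): any accept rule means exiting is allowed.
    is_exit = is_relay and any("accept" in v.lower()
                               for v in opts.get("exitpolicy", []))
    proxy_set = sorted(PROXY_OPTS & opts.keys())
    bind = opts.get("outboundbindaddress", [])
    findings = []
    if is_exit and proxy_set:
        source = ", ".join(bind) if bind else "the host's default source address"
        findings.append(
            "Proxy options (%s) apply to this Tor acting as a client; exit "
            "traffic goes out directly from %s." % (", ".join(proxy_set), source))
    return {"is_exit": is_exit, "proxy_options": proxy_set,
            "exit_source": bind, "findings": findings}

# Constructed sample mirroring the settings quoted in the thread.
SAMPLE_TORRC = """
ORPort 9001
ExitPolicy accept *:80, accept *:443, reject *:*
OutboundBindAddress 192.0.2.10   # second IP of server
HTTPSProxy proxy.example:8080
HTTPProxyAuthenticator name password
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_TORRC)["findings"]:
        print(finding)
```
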

