[tor-relays] TORRC Exit not obeying httproxy

Dr Gerard Bulger gerard at bulger.co.uk
Sat Jun 11 18:08:06 UTC 2016


It seemed to me that all outgoing was going via the proxy as the proxy was
busy with the traffic, and the logs had many messages from the proxy server,
such as the occasional refusal to connect to an IP address, but you have
explained why I would see something like that.

My server without tor is quiet and underused with no limits of traffic per
month. It has been fast so I would still like to use it for TOR.

The server has two IPs.   One dedicated to Tor.  I also have an anonymous VPN
elsewhere.  I am trying to work out how to route all traffic on the 2nd Tor
IP via my fast anonymous private VPN.   I think I will need iproute2 at
the very least.  Anyone done this?  Instructions appreciated.

The alternative would be to move to a UK TOR friendly ISP, but those seem to
have bandwidth limits and would be another expense. Tor friendly VPNs are
easier to come by.  I doubt I can convince my current ISP to accept TOR
officially. Abuse and the running of any proxy server are in their TOC as
reasons to terminate.   They must have seen my Tor running over the years and
seen the terabytes go by.  They can log in and must have spotted it running,
but they have never commented on it.  I suspect we are both politely avoiding
the subject. They just post me the abuse notices and now say "too many".
Gerry


-----Original Message-----
From: tor-relays [mailto:tor-relays-bounces at lists.torproject.org] On Behalf
Of s7r
Sent: 11 June 2016 12:39
To: tor-relays at lists.torproject.org
Subject: Re: [tor-relays] TORRC Exit not obeying httproxy

Hi,

First, thanks for running a relay.

Those settings do not ensure the EXIT traffic generated by your server goes
via any proxy.

OutboundBindAddress IP - this is the IP address Tor will use for outgoing
connections. This is the IP address which will be seen by destinations
accessed by Tor clients using your server, this is the IP address which will
receive abuse complaints.

HTTPSProxy service:port
HTTPProxyAuthenticator name password

These 2 settings refer to Tor usage as a CLIENT, not as a relay. This means
that the proxy listed at HTTPSProxy will be used by your Tor to create its
own circuits. They do not count for the relay usage.

In simple words, if you use that Tor instance as a client (SocksPort
127.0.0.1:9050 or whatever) either locally on that VPS or via an SSH
tunnel, and you build a circuit to connect to browse a website, Tor will
connect to the Guard (1st relay in the hop) via the proxy at HTTPSProxy.

But if I use your VPS as an exit in my circuit, the client functionality at
your side has nothing to do with it, and I will just get the IP at
OutboundBindAddress.

What you are trying can be achieved via more complex upstream iptables
rules, which will force all traffic to go through a proxy. There is no torrc
option for configuring a proxy for EXIT traffic. Also, an exit shouldn't
only allow http/https traffic.

I would go for the easy option here which is convincing your vps provider
that:
- your vps is not infected in any way and it only relays anonymous traffic
for privacy concerned users, helping a global network of over
7000 volunteers
- your vps is properly secured and uses up to date software and it is well
protected from unauthorized authentications
- you will keep the vps for as long as you can, and only the ip address of
your vps will be affected, which is dedicated, their other customers will
have no drawback of any kind
- you will respond to all serious (non automated) abuse complaints sent by
authorities within 48 hours after they are forwarded to you.

Hope this helps, keep running exits!

On 6/11/2016 1:49 PM, Dr Gerard Bulger wrote:
> My tor exit node has been using a https proxy for a long time with
> great success in that I have had no abuse complaints directed to me and my
> VPS provider.   Until recently.
>
> Traffic has increased as I made the bandwidth wider, which might be an
> explanation.
>
> I am getting complaints directed to my actual IP.
> It looks as if tor is sending data DIRECT and not obeying the lines
> completely, all the time.
>
> TORRC
> OutboundBindAddress  IP  (second IP of server)
> HTTPSProxy service:port
> HTTPProxyAuthenticator name password
>
> When I took out the OutboundBindAddress I just got complaints directed to
> the first IP.
>
> I assumed the lines FORCED proxy use.   This might not be the case in
> higher traffic?
>
> Gerry
> 
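
The two points in this thread (nothing in torrc proxies exit traffic, which leaves from OutboundBindAddress, and the iproute2 routing asked about in the top message) meet in source-based policy routing; the script below is an added example, not something posted by either participant. The address 203.0.113.10, interface tun0 and table 100 are constructed placeholders, and it assumes the ORPort listens on the server's other address so inbound relay connections keep using the normal uplink.

```shell
#!/bin/sh
# Added example: send everything sourced from Tor's OutboundBindAddress
# through a VPN tunnel. Constructed values: 203.0.113.10 (outbound address),
# tun0 (VPN interface), 100 (spare routing table id).

# Dry run by default: print each command. APPLY=1 executes them (needs root).
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Accept only a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    o='(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^($o\.){3}$o\$"
}

vpn_route_exit() {
    src=$1; dev=$2; table=${3:-100}
    is_ipv4 "$src" || { echo "bad source address: $src" >&2; return 2; }
    case $dev in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $dev" >&2; return 2 ;;
    esac
    # 1. Packets sourced from the Tor outbound address get their own table.
    run ip rule add from "$src/32" lookup "$table" priority 1000
    # 2. In that table the default route is the VPN tunnel.
    run ip route add default dev "$dev" table "$table"
    # 3. Fail closed: if the tunnel drops and route 2 disappears, this
    #    higher-metric route rejects the packet instead of letting the lookup
    #    fall through to the main table and the server's own uplink.
    run ip route add unreachable default metric 4096 table "$table"
    # 4. The VPN expects its tunnel address as source, so NAT on the way out.
    run iptables -t nat -A POSTROUTING -s "$src/32" -o "$dev" -j MASQUERADE
}

vpn_route_exit 203.0.113.10 tun0 100
```

After applying, `ip route get 198.51.100.1 from 203.0.113.10` should show the tunnel device, and should report the destination as unreachable while the tunnel is down.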




