[tor-talk] Escalating hidden services

Tom van der Woerdt info at tvdw.eu
Wed Jul 16 18:06:35 UTC 2014

Fosforo schreef op 16/07/14 14:15:
> I am a big fan of pinkmeth hidden service ( hxxp://pinkmethuylnenlz.onion/ )
> But it constantly times out.
> As an unix administrator, I was thinking in ways to escalate such good
> public services through normal clusters, and would like opinions if my
> approach is valid, to suggest it to the unknown author:
> 1) Frontend - Only 1 node. Entry point as normal "semi-hidden" hidden
> service with 32 guards (exposed, semi-hidden)
> 2) Backend - X number of nodes  (escaling is here) numbers of backend
> hidden services with 3 guards
> 1) is just a relay box, nginx with reverse connection to backend hidden
> services, in a different structure than backends. round robin. 32 guards to
> handle good speed and lots of circuits. anonymity is not a requirement
> here. each backend hidden service is a local port in made with
> torified netcat (I think there are better approaches than netcat, would
> like to know )
> 2) apache+mysql each node, gfs filesystem (for static files) shared among
> nodes, replicated mysql database.
> I see latency as a problem here [ user -> nginx (hidden) -> apache (hidden)
> ], but I dont see more timeouts. thoughts?

I think that, depending on the specific case (I don't know this 
'pinkmeth'), there are some far better solutions for this :

* Find a better network for the servers and instead of doing 'nginx -> 
tor -> apache' just go 'nginx -> apache'. You can of course still use 
SSL to encrypt the data inbetween. This reduces a lot of latency.

* Rather than putting everything on a single domain, just put only the 
HTML on the primary .onion domain and put all static content, such as 
stylesheets, videos and images, on a different server. You could scale 
the static content part really well by just returning one of several 
.onion domains that all have your static content. Give the user a small 
cookie that can be used to make sure the same static server is always 
used for the same user.

* As far as I can tell nothing in the hidden service spec really blocks 
you from load balancing a single HS address across multiple nodes. If 
you run 3 nodes, tell 1 of them to handle the introductions, and have 
this node communicate with the other nodes which then handle the 
rendezvous part. It might need some hacking in the Tor code, but this 
should scale for several gigabits very nicely.


PS: These three are just some solutions I came up with just now - they 
might not even work.

More information about the tor-talk mailing list