[tor-talk] Are "StrictNodes 1" actually strict?

Roger Dingledine arma at torproject.org
Thu Jan 30 09:45:12 UTC 2020


On Wed, Jan 29, 2020 at 02:45:01PM -0000, mimble9 at danwin1210.me wrote:
> I have StrictNodes 1 and ExitNodes hands in my torrc.
> 
> However, when using TBB, I discovered that I was often using other exit
> nodes. Clicking "New Circuit for this site" then placed hands back as the
> exit node.
> 
> Any ideas why? Just the one exit node in the torrc.
> 
> This suggests to me that StrictNodes are not 100% strict.

Check out the man page, where it says "StrictNodes does not apply to
ExcludeExitNodes, ExitNodes, MiddleNodes, or MapAddress."

So you shouldn't be setting StrictNodes for this case. Maybe you are
using a super old guide found somewhere on the internet? :) More info
from when we made the change back in 2011:
https://gitweb.torproject.org/tor.git/tree/ReleaseNotes?h=tor-0.4.2.5#n17216

That said, ExitNodes should work. My guess is that you're visiting a
Cloudflare site, which is giving your Tor Browser an alt-svc header,
which sends the browser to load the site via one of Cloudflare's onion
addresses. And since onion services don't have the concept of "exiting",
then your Tor feels no need to end that circuit with your specified
ExitNode.

*That* said, there are some bugs with how Tor Browser visualizes your
circuit when alt-svc is in use:
https://bugs.torproject.org/27590
and it looks like the browser might be inconsistent about whether it
actually uses the alt-svc destinations, which could explain your getting
your exit relay every so often:
https://bugs.torproject.org/27502

Best plan would be to pick a really simple non-CDN'ed single-address
domain, like freehaven.net, and try to recreate your issue there.

--Roger
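
Added example, not part of the original message and not Tor or Tor Browser code: a small parser for the Alt-Svc response header (RFC 7838) that flags alternatives pointing at an onion service, the case described above in which a circuit has no exit relay and ExitNodes does not come into play. The header value and the .onion name are constructed placeholders.

```python
import re

# Constructed sample header value; the .onion name is a placeholder, not a real service.
SAMPLE_ALT_SVC = 'h2="constructedexample.onion:443"; ma=86400; persist=1, h3=":443"; ma=86400'

# One alt-value per RFC 7838: protocol-id "=" quoted alt-authority, then optional ";" parameters.
_ALT_VALUE = re.compile(
    r'\s*([!#$%&\'*+\-.^_`|~0-9A-Za-z]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)\s*(?:,|$)'
)

def parse_alt_svc(header):
    """Parse an Alt-Svc header value into (protocol, host, port, params) tuples."""
    if header.strip().lower() == "clear":   # "clear" invalidates all cached alternatives
        return []
    entries = []
    for match in _ALT_VALUE.finditer(header):
        proto, authority, raw_params = match.groups()
        host, _, port = authority.rpartition(":")
        if not port.isdigit():              # alt-authority must carry a port; skip malformed ones
            continue
        params = {}
        for item in raw_params.split(";"):
            key, sep, value = item.partition("=")
            if sep:
                params[key.strip().lower()] = value.strip().strip('"')
        entries.append((proto, host.lower(), int(port), params))
    return entries

def onion_alternatives(header):
    """Return the alternatives that point at an onion service (no exit relay involved)."""
    return [e for e in parse_alt_svc(header) if e[1].endswith(".onion")]

if __name__ == "__main__":
    for proto, host, port, params in parse_alt_svc(SAMPLE_ALT_SVC):
        kind = "onion service, ExitNodes not involved" if host.endswith(".onion") else "exits normally"
        print(f"{proto} {host or '(same host)'}:{port} ma={params.get('ma')} -> {kind}")
```

An empty host in an alternative (as in `h3=":443"`) means the same host as the origin, so that entry still leaves through an exit relay.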


