[REQUEST] enable control port access (already possible?) #76

Open

coffeel0ver opened this issue Mar 20, 2024 · 4 comments

Labels: enhancement (New feature or request), support

Comments

@coffeel0ver
First of all, thank you @bugfest for this repo.

I would like to use the control port on an OnionService to be able to kill specific onion circuits to prevent flooding attacks.
I haven't found a way to enable the control port for an OnionService/OnionBalancedService in the documentation.
Is there a way to enable it and allow connections from other apps inside the cluster?

If not, could you please add this feature? It won't break any of the functions itself, from my point of view.

Is there a donations page for this project?

Thanks in advance!

coffeel0ver added the enhancement label on Mar 20, 2024

@bugfest (Owner) commented Mar 23, 2024

Hi @coffeel0ver, thanks for your kind words.

> I would like to use the control port on an OnionService to be able to kill specific onion circuits to prevent flooding attacks. I haven't found a way to enable the control port for an OnionService/OnionBalancedService in the documentation. Is there a way to enable it and allow connections from other apps inside the cluster?
>
> If not, could you please add this feature? It won't break any of the functions itself, from my point of view.

I already developed spec.control.enable for the Tor instances, but this feature hasn't been ported yet to the OnionService/OnionBalancedService:

```
{{- if .Tor.Spec.Control.Enable }}
# Control
{{- range $idx, $addr := .Tor.Spec.Control.Address }}
+ControlPort {{ $addr }}:{{ $.Tor.Spec.Control.Port }} {{ StringsJoin $.Tor.Spec.Control.Flags "," }}
{{- end }}
{{- range .ControlHashedPasswords }}
+HashedControlPassword {{ . }}
{{- end }}
{{- end }}
```

You can enable Tor's control port in OnionService and OnionBalancedService using the extraConfig attribute.

Examples:

```yaml
# OnionService
apiVersion: tor.k8s.torproject.org/v1alpha2
kind: OnionService
metadata:
  name: onionservice-controlport-enabled
spec:
  version: 3
  rules: [...]
  extraConfig: |
    ControlPort 0.0.0.0:9051
    HashedControlPassword yourhashedpasswordhere
```

```yaml
# OnionBalancedService
apiVersion: tor.k8s.torproject.org/v1alpha2
kind: OnionBalancedService
metadata:
  name: onionbalancedservice-controlport-enabled
spec:
  backends: 3
  template:
    spec:
      version: 3
      rules: [...]
      extraConfig: |
        ControlPort 0.0.0.0:9051
        HashedControlPassword yourhashedpasswordhere
```

> Is there a donations page for this project?

I currently don't take donations for any of my projects. But if you still want to contribute, you can donate to the Tor Project instead: https://donate.torproject.org, so that all of us can keep using the Tor network : )

Regards,
BF
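The `HashedControlPassword` value that the examples above leave as `yourhashedpasswordhere` has a specific format, and the following is an added example (not code from this thread or from the operator project) that produces it: a re-implementation of the S2K hashing `tor --hash-password` performs, plus a verifier that does the same comparison tor does when an `AUTHENTICATE` arrives. The function names are mine; the format constants (8-byte salt, count indicator 0x60, SHA-1) are Tor's.

```python
import hashlib
import hmac
import os

# Tor stores control passwords as RFC 2440 "iterated and salted" S2K over SHA-1, rendered as
# "16:" + hex(8-byte salt) + hex(count indicator, always 0x60) + hex(20-byte digest).
S2K_INDICATOR = 0x60
S2K_EXPBIAS = 6


def s2k_byte_count(indicator):
    """Decode an RFC 2440 count-indicator byte: how many bytes of salt||secret get hashed."""
    return (16 + (indicator & 15)) << ((indicator >> 4) + S2K_EXPBIAS)


def s2k_sha1(salt, secret, indicator=S2K_INDICATOR):
    """Feed salt||secret, repeated, into SHA-1 until exactly `count` bytes have been hashed."""
    count = s2k_byte_count(indicator)
    block = salt + secret
    h = hashlib.sha1()
    while count > 0:
        chunk = block[:count]
        h.update(chunk)
        count -= len(chunk)
    return h.digest()


def hash_control_password(password, salt=b""):
    """Produce the value for a HashedControlPassword line, as `tor --hash-password` does."""
    salt = salt or os.urandom(8)  # a fresh random salt unless the caller pins one
    if len(salt) != 8:
        raise ValueError("salt must be exactly 8 bytes")
    digest = s2k_sha1(salt, password.encode("utf-8"))
    return "16:" + (salt.hex() + f"{S2K_INDICATOR:02x}" + digest.hex()).upper()


def verify_control_password(hashed, candidate):
    """Re-run S2K on a candidate with the salt and indicator stored in `hashed`; compare in constant time."""
    if not hashed.startswith("16:") or len(hashed) != 3 + 16 + 2 + 40:
        return False
    try:
        salt = bytes.fromhex(hashed[3:19])
        indicator = int(hashed[19:21], 16)
        stored = bytes.fromhex(hashed[21:])
    except ValueError:
        return False
    return hmac.compare_digest(s2k_sha1(salt, candidate.encode("utf-8"), indicator), stored)
```

`tor --hash-password <secret>` produces the same value with a random salt, so either route works; only the hashed value belongs in `extraConfig`, and the plaintext should live in a Secret that the controlling application reads. Keep in mind that `ControlPort 0.0.0.0:9051` hands a full controller interface (SETCONF included) to every pod that can reach the Service, so the password is worth pairing with a NetworkPolicy that restricts who may talk to 9051.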

bugfest self-assigned this on Mar 23, 2024

@coffeel0ver (Author) commented

Hey @bugfest, let me explain the problem a bit more in detail:

With the following definition for the OnionService:

```yaml
apiVersion: tor.k8s.torproject.org/v1alpha2
kind: OnionService
metadata:
  name: myapp-onion-service
  namespace: tor-proxy
spec:
  version: 3
  rules:
    - port:
        name: myapp
        number: 80
      backend:
        service:
          name: traefik
          port:
            number: 80
  extraConfig: |
    ControlPort 9051
    HashedControlPassword XXXXXXXXX
```

tor returns this error:

```
2024-04-04T22:17:56.585543697+02:00 Apr 04 20:17:56.585 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
2024-04-04T22:17:56.585549196+02:00 Apr 04 20:17:56.585 [notice] Read configuration file "/run/tor/torfile".
Apr 04 20:17:56.586 [warn] You specified a nonzero ControlPort along with 'ControlPort 0' in the same configuration. Did you mean to disable ControlPort or not?
2024-04-04T22:17:56.586432710+02:00 Apr 04 20:17:56.586 [warn] Failed to parse/validate config: Invalid ControlPort configuration
Apr 04 20:17:56.586 [err] Reading config failed--see warnings above.
time="2024-04-04T20:17:56Z" level=info msg="exit status 1"
```

With the current torfile it is not possible to set a ControlPort via the extraConfig option in the YAML, since the torfile already contains ControlPort 0 before the extraConfig is appended.

Could you please edit the torfile and remove the ControlPort from this file? The ControlPort should be disabled by tor by default (no need to explicitly define it in the torfile). Aside from that, it's not exposed without a Service anyway.

Could you please make this small edit? Otherwise it won't be possible to use the ControlPort.
Thank you in advance!

@bugfest (Owner) commented Apr 7, 2024

Hi @coffeel0ver, I'll work on this feature as soon as I can. In the meantime, the good news is I found a way to override this setting via ExtraConfig, as per the torrc manual page:

> THE CONFIGURATION FILE FORMAT
> (...)
> Alternatively, you might want to remove every instance of an option in the configuration file, and not replace it at all: you might want to say on the command line that you want no SocksPorts at all. To do that, prefix the option name with a forward slash (/). You can use the plus sign (+) and the forward slash (/) in the configuration file and on the command line.

I got it working with the following:

```yaml
...
spec:
  ...
  extraConfig: |
    # drop every ControlPort line the operator already wrote into the torfile ("ControlPort 0")
    /ControlPort
    # then add the listener on top of whatever remains
    +ControlPort 0.0.0.0:9051
    HashedControlPassword 16:8716E5455708558C60352B1BB3609AC392D0F3619D4056D276B1B39641
```

Can you double check this unblocks your issue?

Regards,
BF
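What the original request wants to do once that port is reachable, as an added example that is neither the operator's code nor anything posted in this thread: a minimal client for the Tor control protocol that authenticates with the password behind the `HashedControlPassword`, reads `GETINFO circuit-status` and issues `CLOSECIRCUIT` for the service-side rendezvous circuits (`PURPOSE=HS_SERVICE_REND`, the circuits a flooding client's traffic arrives on), while leaving introduction circuits (`HS_SERVICE_INTRO`) untouched. The canned replies, relay names and password are constructed so the block runs without a tor daemon; against a real pod, replace the `BytesIO` objects with `sock.makefile("rb")` and `sock.makefile("wb")` on a socket to port 9051 of the Tor pod (which needs a Service in front of it, as noted above).

```python
import io


class ControlError(RuntimeError):
    pass


class TorControl:
    """Just enough of the Tor control protocol for AUTHENTICATE, GETINFO and CLOSECIRCUIT."""

    def __init__(self, reader, writer):
        # binary file objects: sock.makefile("rb") / sock.makefile("wb") on a real socket
        self.reader, self.writer = reader, writer

    def _readline(self):
        raw = self.reader.readline()
        if not raw:
            raise ControlError("connection closed by tor")
        return raw.decode("utf-8", "replace").rstrip("\r\n")

    def command(self, line):
        """Send one command; return the reply payload lines; raise unless the final code is 250."""
        self.writer.write((line + "\r\n").encode("utf-8"))
        self.writer.flush()
        out = []
        while True:
            text = self._readline()
            if len(text) < 4 or not text[:3].isdigit() or text[3] not in "-+ ":
                raise ControlError(f"malformed reply line: {text!r}")
            code, sep, rest = text[:3], text[3], text[4:]
            out.append(rest)
            if sep == "+":  # data block up to a lone "."; a leading ".." is dot-stuffing
                while (d := self._readline()) != ".":
                    out.append(d[1:] if d.startswith("..") else d)
            if sep == " ":  # last line of the reply
                if code != "250":
                    raise ControlError(f"{code} {rest}")
                return out

    def authenticate(self, password):
        # Password auth sends the plaintext as a QuotedString; tor compares it to HashedControlPassword.
        quoted = password.replace("\\", "\\\\").replace('"', '\\"')
        self.command(f'AUTHENTICATE "{quoted}"')

    def circuits(self):
        return parse_circuit_status(self.command("GETINFO circuit-status"))

    def close_circuit(self, circ_id):
        self.command(f"CLOSECIRCUIT {circ_id}")


def parse_circuit_status(lines):
    """Parse 'CircuitID SP CircStatus [SP Path] [SP KEY=VALUE]...' lines. tor glues a single
    circuit onto the key ("250-circuit-status=<line>") but sends several as a 250+ data block."""
    circuits = []
    for line in lines:
        if line.startswith("circuit-status="):
            line = line[len("circuit-status="):]
        tokens = line.split()
        if len(tokens) < 2:  # "", "OK" or the bare key line
            continue
        circ = {"id": tokens[0], "status": tokens[1], "path": [], "attrs": {}}
        for tok in tokens[2:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                circ["attrs"][key] = value
            else:
                circ["path"] = tok.split(",")  # "$FINGERPRINT~nickname" hops
        circuits.append(circ)
    return circuits


def close_rendezvous_circuits(ctl, circuits):
    """Close service-side rendezvous circuits (where a flooding client's traffic lands); leave
    HS_SERVICE_INTRO circuits alone, since closing those takes the service offline for everyone."""
    closed = []
    for circ in circuits:
        if circ["attrs"].get("PURPOSE") != "HS_SERVICE_REND":
            continue
        try:
            ctl.close_circuit(circ["id"])
            closed.append(circ["id"])
        except ControlError:  # e.g. "552 Unknown circuit": tor already tore it down
            pass
    return closed


# Constructed replies for an offline run; relay fingerprints shortened (tor prints 40 hex digits).
CANNED_REPLIES = (
    "250 OK\r\n"  # AUTHENTICATE
    "250+circuit-status=\r\n"  # GETINFO circuit-status
    "7 BUILT $AAAA~guard,$BBBB~mid,$CCCC~ip PURPOSE=HS_SERVICE_INTRO HS_STATE=HSSI_ESTABLISHED\r\n"
    "12 BUILT $AAAA~guard,$DDDD~mid,$EEEE~rp PURPOSE=HS_SERVICE_REND HS_STATE=HSSR_JOINED\r\n"
    "13 LAUNCHED BUILD_FLAGS=IS_INTERNAL PURPOSE=HS_SERVICE_REND HS_STATE=HSSR_CONNECTING\r\n"
    "14 BUILT $AAAA~guard,$FFFF~mid,$0000~exit PURPOSE=GENERAL\r\n"
    ".\r\n250 OK\r\n"
    "250 OK\r\n"  # CLOSECIRCUIT 12
    '552 Unknown circuit "13"\r\n'  # CLOSECIRCUIT 13 raced with tor closing it itself
)


def demo():
    """Run the exchange against the canned replies; returns (closed ids, commands sent)."""
    writer = io.BytesIO()
    ctl = TorControl(io.BytesIO(CANNED_REPLIES.encode()), writer)
    ctl.authenticate("s3cret")
    closed = close_rendezvous_circuits(ctl, ctl.circuits())
    return closed, writer.getvalue().decode().splitlines()
```

Which rendezvous circuits to kill is the part this block leaves open; in practice one would rank them by age or by bytes moved per circuit (`GETINFO` has no per-circuit byte counter, so that has to come from `STREAM` events or the application behind the service) rather than closing all of them, because every legitimate client also arrives over an `HS_SERVICE_REND` circuit.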

@coffeel0ver (Author) commented Apr 14, 2024 via email
