From aa6ce865a70e4da4da8669c8e5d18e0f4e2c9820 Mon Sep 17 00:00:00 2001 From: wander Date: Fri, 6 Feb 2026 20:38:19 -0500 Subject: [PATCH] feat: making the script insta fail if off --- Dockerfile | 47 ++++++-------------------- assets/entrypoint.sh | 79 +++++++++++++++++++++++++++++++++----------- docker-compose.yml | 18 +++++----- 3 files changed, 78 insertions(+), 66 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4a255e6..7dfd48d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,47 +1,22 @@ -FROM python:3.10-alpine +FROM python:3.11-alpine -ENV HOME=/var/lib/tor -ENV VANGUARDS_CONFIG=/etc/tor/vanguards.conf - -# Install runtime dependencies -# tor and torsocks are available in Alpine edge/community repos +# Install Tor and build dependencies +# We keep python base image for potential Vanguards support later (which is python based), +# but for now we are simplifying the build. RUN apk add --no-cache \ tor \ - torsocks \ - libevent \ - openssl \ - ca-certificates \ - libffi \ + curl \ + build-base \ + libffi-dev \ + openssl-dev \ + grep \ && mkdir -p /var/lib/tor/hidden_service/ \ && chown -R tor:root /var/lib/tor -WORKDIR /usr/local/src/onions - -# Install Python dependencies -COPY requirements.txt . -RUN apk add --no-cache --virtual .build-deps \ - build-base \ - openssl-dev \ - libffi-dev \ - cargo \ - && pip install --no-cache-dir -r requirements.txt \ - && apk del .build-deps - -# Install application -COPY setup.py . -COPY onions onions/ -RUN pip install --no-cache-dir . - -# Copy configuration and entrypoint -COPY assets/entrypoint-config.yml /entrypoint-config.yml -COPY assets/torrc /var/local/tor/torrc.tpl -COPY assets/vanguards.conf.tpl /var/local/tor/vanguards.conf.tpl +# Copy our Magic Script COPY assets/entrypoint.sh /entrypoint.sh - RUN chmod +x /entrypoint.sh -VOLUME ["/var/lib/tor/hidden_service/"] - +# Set the Magic Script as the entrypoint ENTRYPOINT ["/entrypoint.sh"] -CMD ["tor"] 
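Review bot: The runtime image now keeps `build-base`, `libffi-dev`, `openssl-dev` and `curl` in the `apk add` list even though every step that compiled or installed Python packages is removed in this same hunk, so a full C toolchain ships in the final image with nothing consuming it. The old layout installed those under `--virtual .build-deps` and deleted them in the same layer; either restore that or drop the four packages until a build step actually needs them (the comment says "build dependencies", but nothing is built). The `tor` package is unpinned (hadolint DL3018), so rebuilds are not reproducible; `tor=<alpine-package-version>` would pin it. The final stage still has no `USER`; that is defensible because the entrypoint runs `chown` as root before tor drops to the `User tor` it writes into torrc, but it deserves a comment such as `# entrypoint needs root for chown; tor itself drops privileges via "User tor"`.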
diff --git a/assets/entrypoint.sh b/assets/entrypoint.sh index 218f541..513ad26 100755 --- a/assets/entrypoint.sh +++ b/assets/entrypoint.sh 
@@ -1,28 +1,67 @@ #!/bin/sh +set -e -# Defaults -ENABLE_VANGUARDS=${ENABLE_VANGUARDS:-true} -ENABLE_TOR=${ENABLE_TOR:-true} +# --- Configuration --- +TOR_CONFIG="/etc/tor/torrc" +# Default to /var/lib/tor if not set +DATA_DIR="${TOR_DATA_DIR:-/var/lib/tor}" -# Sync with internal variable used by Onions.py -export TOR_ENABLE_VANGUARDS="$ENABLE_VANGUARDS" +echo "Starting Tor Configuration..." -# If user specifically requests to disable Vanguards -if [ "$ENABLE_VANGUARDS" = "false" ]; then - echo "Disabling Vanguards service..." - sed -i '/- vanguards/d' /entrypoint-config.yml -fi +# 1. Reset the Config File +echo "DataDirectory $DATA_DIR" > "$TOR_CONFIG" +echo "User tor" >> "$TOR_CONFIG" -# If user specifically requests to disable Tor (e.g. for sidecar mode) -if [ "$ENABLE_TOR" = "false" ]; then - echo "Disabling Tor service..." - sed -i '/- tor/d' /entrypoint-config.yml +# 2. Handle Control Password (The Magic Hashing) +if [ -n "$TOR_CONTROL_PASSWORD" ]; then + echo "Hashing provided control password..." + # Generate the hash using Tor itself + HASHED_PASSWORD=$(tor --quiet --hash-password "$TOR_CONTROL_PASSWORD" | tail -n 1) - # In sidecar mode, we don't want to auto-resolve the control port using local defaults. - # We remove the line that sets TOR_CONTROL_PORT via 'onions --resolve-control-port' - # so that the environment variable passed to the container is preserved. - sed -i '/TOR_CONTROL_PORT: onions --resolve-control-port/d' /entrypoint-config.yml + if [ -z "$HASHED_PASSWORD" ]; then + echo "Error: Failed to hash password." + exit 1 + fi + + echo "ControlPort 0.0.0.0:9051" >> "$TOR_CONFIG" + echo "HashedControlPassword $HASHED_PASSWORD" >> "$TOR_CONFIG" + echo "Control Password set." +else + echo "Warning: No TOR_CONTROL_PASSWORD set. Control port disabled." fi -# Pass control to pyentrypoint -exec pyentrypoint "$@" +# 3. 
Handle Hidden Services (The Magic Parsing) +# Expected Format: "80:container_name:80 22:container_name:22" +if [ -n "$HIDDEN_SERVICE_HOSTS" ]; then + echo "HiddenServiceDir $DATA_DIR/hidden_service/" >> "$TOR_CONFIG" + echo "HiddenServiceVersion 3" >> "$TOR_CONFIG" + + # Split the string by spaces + for rule in $HIDDEN_SERVICE_HOSTS; do + # Validate format: Port:Host:Port (using grep regex) + if ! echo "$rule" | grep -qE '^[0-9]+:[a-zA-Z0-9.-]+:[0-9]+$'; then + echo "CRITICAL ERROR: Invalid format in HIDDEN_SERVICE_HOSTS: '$rule'" + echo "Expected format: ExternalPort:ContainerHost:InternalPort (e.g., 80:my-web:80)" + exit 1 + fi + + # Extract parts + EXT_PORT=$(echo "$rule" | cut -d: -f1) + HOST=$(echo "$rule" | cut -d: -f2) + INT_PORT=$(echo "$rule" | cut -d: -f3) + + echo "Adding Hidden Service Rule: Onion:$EXT_PORT -> $HOST:$INT_PORT" + echo "HiddenServicePort $EXT_PORT $HOST:$INT_PORT" >> "$TOR_CONFIG" + done +else + echo "Error: HIDDEN_SERVICE_HOSTS is empty. Tor has nothing to serve." + exit 1 +fi + +# 4. Ownership Fix (Crucial for Docker volumes) +mkdir -p "$DATA_DIR/hidden_service/" +chown -R tor:root "$DATA_DIR" +chmod 700 "$DATA_DIR" + +echo "Configuration successful. Starting Tor..." +exec tor -f "$TOR_CONFIG" diff --git a/docker-compose.yml b/docker-compose.yml index f07e720..619e73a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
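Review bot: The final `exec tor -f "$TOR_CONFIG"` discards the container's arguments, whereas the line it replaces (`exec pyentrypoint "$@"`) forwarded them, so nothing passed as `CMD` or a compose `command:` can ever run — the `vanguards` sidecar in this same patch relies on exactly that. A guard near the top such as `if [ "$#" -gt 0 ] && [ "$1" != "tor" ]; then exec "$@"; fi` would keep the strict tor path as the default while still letting the image run another program. Separately, `ControlPort 0.0.0.0:9051` binds the control port on every container interface; that is what a sidecar on the compose network needs, but it should be stated, e.g. `# bound to all interfaces for the vanguards sidecar; never publish this port on the host`, since anyone who reaches it can reconfigure tor. The hash step passes `$TOR_CONTROL_PASSWORD` on the `tor --hash-password` command line, so it is briefly visible in the container's process list; acceptable for a one-shot at startup, but worth a one-line comment so nobody moves it into a long-running loop.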
@@ -1,21 +1,20 @@ version: '3.8' services: - # Tor Service - Runs Tor only + # Tor Service - Runs Tor with Strict Validation tor: build: . image: docker-tor-hidden-service:latest container_name: tor-service restart: unless-stopped environment: - - ENABLE_VANGUARDS=false + # Format: ExternalPort:ContainerName:InternalPort + - HIDDEN_SERVICE_HOSTS=80:my-website:80 - TOR_CONTROL_PASSWORD=secure_password - # Expose control port on all interfaces for sidecar access - - TOR_CONTROL_PORT=0.0.0.0:9051 ports: - - "9051:9051" # Expose control port (ensure firewall protects this!) + - "9051:9051" # Expose control port volumes: - - tor-data:/var/lib/tor/hidden_service/ + - tor-data:/var/lib/tor/ # Vanguards Service - Runs Vanguards only (Sidecar) vanguards: @@ -23,13 +22,12 @@ services: image: docker-tor-hidden-service:latest container_name: vanguards-sidecar restart: unless-stopped + command: vanguards --control_ip tor-service --control_port 9051 --control_pass secure_password environment: - - ENABLE_TOR=false - - TOR_CONTROL_PASSWORD=secure_password - - TOR_CONTROL_PORT=tor:9051 + # Placeholder to ensure no tor starts here + - HIDDEN_SERVICE_HOSTS="" depends_on: - tor - # network_mode: "service:tor" # Optional: if you want them to share network stack (localhost access) volumes: tor-data:
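Review bot: `"9051:9051"` under `ports:` publishes the tor control port on every host interface, and this hunk also drops the `(ensure firewall protects this!)` warning that used to sit beside it; the entrypoint binds `ControlPort 0.0.0.0:9051`, so the sidecar already reaches `tor-service:9051` over the compose network without any host mapping. Remove the `ports:` entry, or if host access is really wanted limit it to `- "127.0.0.1:9051:9051"`. The literal `TOR_CONTROL_PASSWORD=secure_password` is committed in the compose file; an `.env` reference such as `- TOR_CONTROL_PASSWORD=${TOR_CONTROL_PASSWORD:?set in .env}` keeps it out of version control.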
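Review bot: The new `command: vanguards --control_ip tor-service ...` line on the sidecar is dead: the patched entrypoint ends in an unconditional `exec tor -f "$TOR_CONFIG"` and never looks at its arguments, and the Dockerfile hunk removes the `pip install` steps that previously provided a `vanguards` executable, so the sidecar has nothing to run it with. Worse, `HIDDEN_SERVICE_HOSTS=""` — whether compose passes an empty string or the two literal quote characters — reaches one of the entrypoint's `exit 1` paths, so with `restart: unless-stopped` this service will crash-loop instead of staying idle. Until the image forwards its arguments again and ships vanguards, the service should be removed, or the entrypoint given an early `exec "$@"` branch. `--control_pass secure_password` also exposes the password in the container's process list; the removed `assets/vanguards.conf.tpl` presumably carried it in a config file instead, which would be preferable once the service works again.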