wander/tor-container
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: making the script insta fail if off

Browse source
This commit is contained in:
wander 2026-02-06 20:38:19 -05:00
parent dd338125f0
commit aa6ce865a7
3 changed files with 78 additions and 66 deletions
Download patch file Download diff file Expand all files Collapse all files

47
Dockerfile
View file

@ -1,47 +1,22 @@
FROM python:3.10-alpine
FROM python:3.11-alpine
ENV HOME=/var/lib/tor
ENV VANGUARDS_CONFIG=/etc/tor/vanguards.conf
# Install runtime dependencies
# tor and torsocks are available in Alpine edge/community repos
# Install Tor and build dependencies
# We keep python base image for potential Vanguards support later (which is python based),
# but for now we are simplifying the build.
RUN apk add --no-cache \
tor \
torsocks \
libevent \
openssl \
ca-certificates \
libffi \
curl \
build-base \
libffi-dev \
openssl-dev \
grep \
&& mkdir -p /var/lib/tor/hidden_service/ \
&& chown -R tor:root /var/lib/tor
WORKDIR /usr/local/src/onions
# Install Python dependencies
COPY requirements.txt .
RUN apk add --no-cache --virtual .build-deps \
build-base \
openssl-dev \
libffi-dev \
cargo \
&& pip install --no-cache-dir -r requirements.txt \
&& apk del .build-deps
# Install application
COPY setup.py .
COPY onions onions/
RUN pip install --no-cache-dir .
# Copy configuration and entrypoint
COPY assets/entrypoint-config.yml /entrypoint-config.yml
COPY assets/torrc /var/local/tor/torrc.tpl
COPY assets/vanguards.conf.tpl /var/local/tor/vanguards.conf.tpl
# Copy our Magic Script
COPY assets/entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
VOLUME ["/var/lib/tor/hidden_service/"]
# Set the Magic Script as the entrypoint
ENTRYPOINT ["/entrypoint.sh"]
CMD ["tor"]

79
assets/entrypoint.sh
View file

@ -1,28 +1,67 @@
#!/bin/sh
set -e
# Defaults
ENABLE_VANGUARDS=${ENABLE_VANGUARDS:-true}
ENABLE_TOR=${ENABLE_TOR:-true}
# --- Configuration ---
TOR_CONFIG="/etc/tor/torrc"
# Default to /var/lib/tor if not set
DATA_DIR="${TOR_DATA_DIR:-/var/lib/tor}"
# Sync with internal variable used by Onions.py
export TOR_ENABLE_VANGUARDS="$ENABLE_VANGUARDS"
echo "Starting Tor Configuration..."
# If user specifically requests to disable Vanguards
if [ "$ENABLE_VANGUARDS" = "false" ]; then
echo "Disabling Vanguards service..."
sed -i '/- vanguards/d' /entrypoint-config.yml
fi
# 1. Reset the Config File
echo "DataDirectory $DATA_DIR" > "$TOR_CONFIG"
echo "User tor" >> "$TOR_CONFIG"
# If user specifically requests to disable Tor (e.g. for sidecar mode)
if [ "$ENABLE_TOR" = "false" ]; then
echo "Disabling Tor service..."
sed -i '/- tor/d' /entrypoint-config.yml
# 2. Handle Control Password (The Magic Hashing)
if [ -n "$TOR_CONTROL_PASSWORD" ]; then
echo "Hashing provided control password..."
# Generate the hash using Tor itself
HASHED_PASSWORD=$(tor --quiet --hash-password "$TOR_CONTROL_PASSWORD" | tail -n 1)
# In sidecar mode, we don't want to auto-resolve the control port using local defaults.
# We remove the line that sets TOR_CONTROL_PORT via 'onions --resolve-control-port'
# so that the environment variable passed to the container is preserved.
sed -i '/TOR_CONTROL_PORT: onions --resolve-control-port/d' /entrypoint-config.yml
if [ -z "$HASHED_PASSWORD" ]; then
echo "Error: Failed to hash password."
exit 1
fi
echo "ControlPort 0.0.0.0:9051" >> "$TOR_CONFIG"
echo "HashedControlPassword $HASHED_PASSWORD" >> "$TOR_CONFIG"
echo "Control Password set."
else
echo "Warning: No TOR_CONTROL_PASSWORD set. Control port disabled."
fi
# Pass control to pyentrypoint
exec pyentrypoint "$@"
# 3. Handle Hidden Services (The Magic Parsing)
# Expected Format: "80:container_name:80 22:container_name:22"
if [ -n "$HIDDEN_SERVICE_HOSTS" ]; then
echo "HiddenServiceDir $DATA_DIR/hidden_service/" >> "$TOR_CONFIG"
echo "HiddenServiceVersion 3" >> "$TOR_CONFIG"
# Split the string by spaces
for rule in $HIDDEN_SERVICE_HOSTS; do
# Validate format: Port:Host:Port (using grep regex)
if ! echo "$rule" | grep -qE '^[0-9]+:[a-zA-Z0-9.-]+:[0-9]+$'; then
echo "CRITICAL ERROR: Invalid format in HIDDEN_SERVICE_HOSTS: '$rule'"
echo "Expected format: ExternalPort:ContainerHost:InternalPort (e.g., 80:my-web:80)"
exit 1
fi
# Extract parts
EXT_PORT=$(echo "$rule" | cut -d: -f1)
HOST=$(echo "$rule" | cut -d: -f2)
INT_PORT=$(echo "$rule" | cut -d: -f3)
echo "Adding Hidden Service Rule: Onion:$EXT_PORT -> $HOST:$INT_PORT"
echo "HiddenServicePort $EXT_PORT $HOST:$INT_PORT" >> "$TOR_CONFIG"
done
else
echo "Error: HIDDEN_SERVICE_HOSTS is empty. Tor has nothing to serve."
exit 1
fi
# 4. Ownership Fix (Crucial for Docker volumes)
mkdir -p "$DATA_DIR/hidden_service/"
chown -R tor:root "$DATA_DIR"
chmod 700 "$DATA_DIR"
echo "Configuration successful. Starting Tor..."
exec tor -f "$TOR_CONFIG"

18
docker-compose.yml
View file

@ -1,21 +1,20 @@
version: '3.8'
services:
# Tor Service - Runs Tor only
# Tor Service - Runs Tor with Strict Validation
tor:
build: .
image: docker-tor-hidden-service:latest
container_name: tor-service
restart: unless-stopped
environment:
- ENABLE_VANGUARDS=false
# Format: ExternalPort:ContainerName:InternalPort
- HIDDEN_SERVICE_HOSTS=80:my-website:80
- TOR_CONTROL_PASSWORD=secure_password
# Expose control port on all interfaces for sidecar access
- TOR_CONTROL_PORT=0.0.0.0:9051
ports:
- "9051:9051" # Expose control port (ensure firewall protects this!)
- "9051:9051" # Expose control port
volumes:
- tor-data:/var/lib/tor/hidden_service/
- tor-data:/var/lib/tor/
# Vanguards Service - Runs Vanguards only (Sidecar)
vanguards:
@ -23,13 +22,12 @@ services:
image: docker-tor-hidden-service:latest
container_name: vanguards-sidecar
restart: unless-stopped
command: vanguards --control_ip tor-service --control_port 9051 --control_pass secure_password
environment:
- ENABLE_TOR=false
- TOR_CONTROL_PASSWORD=secure_password
- TOR_CONTROL_PORT=tor:9051
# Placeholder to ensure no tor starts here
- HIDDEN_SERVICE_HOSTS=""
depends_on:
- tor
# network_mode: "service:tor" # Optional: if you want them to share network stack (localhost access)
volumes:
tor-data: