Differences

fuss:tor [2022/04/19 08:28] – external edit 127.0.0.1fuss:tor [2024/03/30 16:31] (current) – [Monitoring tor Instances using Expect] office
Line 218: Line 218:
 In case ''--enable-static-tor'' is enabled then ''tor'' may bomb out with: ''configure: WARNING: Could not find a linkable openssl.'' which does not seem to go away. In case ''--enable-static-tor'' is enabled then ''tor'' may bomb out with: ''configure: WARNING: Could not find a linkable openssl.'' which does not seem to go away.
  
 +====== Increase Logging ======
  
 +When debugging Tor, in particular client transport plugins it is sometimes useful to increase logging in order to determine the cause for something not working right.
 +
 +Locate the configuration line starting with ''Log'' and change the next parameter ''notice'' to ''debug''. For example, change:
 +<code>
 +Log notice syslog
 +</code>
 +to:
 +<code>
 +Log debug syslog
 +</code>
 +
 +The previous configuration line will turn on debug logging and will send all messages to the system log.
 +
 +====== Load-Balancing Multiple Tor Instances via HAProxy ======
 +
 +When running multiple Tor instances, it is possible to load-balance the traffic over all Tor instances whilst having a single SOCKS entry point.  For instance the proxy chaining page shows [[/networking/proxy_chaining|a configuration that leverages squid and polipo instances]] in order to load balance the traffic accross multiple Tor instances whilst the [[/linux/running_multiple_instances_of_a_daemon|multiple instances page]] demonstrates how to run the same program multiple times while maintaining System D compatibility.
 +
 +Nevertheless, there are simpler setups possible by using HAProxy that is able to load balance across multiple SOCKS servers. By contrast, ''privoxy'' is a smaller proxy but uses pattern matching to spread the traffic over backends without actually being able to load-balance over multiple SOCKS connections.
 +
 +<ditaa>
 +                                  . multiple Tor instances
 +                                  .
 +                             +---------+
 +        +---------+     +----+   Tor   |
 +        |            /     +---------+
 + SOCKS--+ HAProxy +---+           .
 +        |            \     +---------+
 +        +---------+     +----+   Tor   |
 +                             +---------+
 +                                 .
 +                                 .
 +</ditaa>
 +
 +Assuming that multiple Tor instances are set up to listen to an array of ports, HAProxy can be set up with the following minimal configuration changes:
 +<code>
 +defaults
 +        mode tcp
 +        option redispatch
 +
 +listen socks5-balance
 +        bind    0.0.0.0:9050
 +        balance leastconn
 +
 +server socks5-1 127.0.0.1:9051 check
 +server socks5-2 127.0.0.1:9052 check
 +
 +</code>
 +
 +The configuration declares two upstream proxies on ''127.0.0.1'' and listening on port ''9051'' respectively ''127.0.0.1'' and listening on port ''9052'', listens on ''0.0.0.0'' on port ''9050'' and will proxy all traffic between the declared SOCKS servers with the following options:
 +  * ''balance leastconn'' - the balancing method chosen in ''leastconn'' that will attempt to distribute the load across the two declared SOCKS proxies. However, ''leastconn'' relies on log-term connections in order to distribute weights across the SOCKS servers such that ''roundrobin'' could have been chosen instead.
 +  * ''option redispatch'' - makes HAProxy retry proxies in case one of the backends fail.
 +
 +Finally, by pointing an application at the HAProxy port ''9050'', the connection should be spread amongst the declared SOCKS backend servers. Depending on the distribution configuration, the log files can be observed to make sure that the traffic is properly redirected.
 +
 +====== Monitoring Tor Instances with Monit ======
 +
 +Tor can be elaborately monitored and restarted automatically in case it is necessary to ensure that tor instances stay up and running. Aside from the usual check that the tor OR port is available at a given address, an ''expect''-like script can be embedded inside the monit template in order to additionally check that tor has an established circuit and is not indefinitely stuck.
 +
 +First, a tor password must be generated in order to be able to access the tor control port by using the following command:
 +<code bash>
 +tor --hash-password "tor"
 +</code>
 +which will result in a password generated on the standard output:
 +<code>
 +16:9F840FFC85EF83CE60469C431DC9FF43DB889305B7653C2CB653302594
 +</code>
 +
 +The password will then be added to the tor configuration:
 +<code>
 +ControlPort 0.0.0.0:8051
 +HashedControlPassword 16:9F840FFC85EF83CE60469C431DC9FF43DB889305B7653C2CB653302594
 +</code>
 +
 +With the configuration in place, tor is restarted and the following monit configuration is created:
 +<code>
 +###########################################################################
 +##  Copyright (C) Wizardry and Steamworks 2023 - License: GNU GPLv3      ##
 +###########################################################################
 +
 +check process tor-01 with pidfile /var/run/tor-instances/01/tor.pid
 +   start program  "/bin/systemctl restart tor@01"
 +   stop program  "/bin/systemctl stop tor@01"
 +   if failed host 127.0.0.1 port 9051 type tcp then restart
 +   if failed host 127.0.0.1 port 8051 type tcp and
 +      # password is: tor surrounded by quotes 0x22
 +      send "AUTHENTICATE \0x22tor\0x22\n"
 +         expect "250 OK"
 +      send "GETINFO status/circuit-established\n"
 +         expect "250-status/circuit-established=1"
 +      retry 1
 +      timeout 5 seconds
 +      then restart
 +
 +</code>
 +that will restart tor in case a circuit is not built within two minutes (60 seconds standard monit check time and times two for one more retry).
 +
 +====== Monitoring tor Instances using Expect ======
 +
 +A more versatile variation of the [[/fuss/tor#monitoring_tor_instances_with_monit|monit tor monitoring system]] is to use good old "expect" in order to make sure that tor has an established circuit and to take action.
 +
 +<code>
 +#!/usr/bin/expect -f
 +###########################################################################
 +##  Copyright (C) Wizardry and Steamworks 2024 - License: MIT            ##
 +###########################################################################
 +# This is an "expect" script that checks whether tor has established a    #
 +# circuit and sets the return status depending on whether it has or not.  #
 +#                                                                         #
 +# In other words, iff. the script returns 0, then tor has an established  #
 +# circuit; otherwise no circuit has been established.                     #
 +#                                                                         #
 +# Requirements:                                                           #
 +#   * expect (TCL program)                                                #
 +#   * tor must expose a control port and must have a control password     #
 +#                                                                         #
 +# In order to generate a control password, issue: tor --hash-password PWD #
 +# where PWD is the desired control port password. After that, amend the   #
 +# tor configuration file to set the control port address, port and pass:  #
 +#                                                                         #
 +# ControlPort 0.0.0.0:8051                                                #
 +# HashedControlPassword 16:A482ADEAAWF43EE...                             #
 +#                                                                         #
 +# Running: ./this-script ADDRESS PORT PASSWORD                            #
 +# where:                                                                  #
 +#   * ADDRESS is the tor listening control address,                       #
 +#   * PORT is the tor listening control port,                             #
 +#   * PASSWORD is the plaintext control password                          #
 +#                                                                         #
 +# after which the return status can be checked on the shell with:         #
 +# echo $?                                                                 #
 +###########################################################################
 +
 +set address [lindex $argv 0];
 +set port [lindex $argv 1];
 +set password [lindex $argv 2];
 +
 +set timeout 5
 +spawn telnet $address $port
 +
 +send "AUTHENTICATE \"$password\"\n"
 +expect "250 OK\r\n"
 +send "GETINFO status/circuit-established\n"
 +expect {
 +    timeout {
 +        exit 1
 +    }
 +    -ex "250-status/circuit-established=1\r\n250 OK\r\n"
 +}
 +
 +</code>
  
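Review bot: the control port is bound wider than the checks that use it need: the configuration block sets `ControlPort 0.0.0.0:8051`, but the monit test connects to `host 127.0.0.1 port 8051` and the expect script is only ever shown with a local address, so the password-protected control interface is exposed on every interface for no benefit. Suggest `ControlPort 127.0.0.1:8051` (or the specific interface the monitor actually runs on) in both the tor configuration snippet and the header comment of the expect script, which repeats the `0.0.0.0:8051` line. Related, the expect script takes the plaintext password as `[lindex $argv 2]` and the monit template embeds it literally in `send "AUTHENTICATE \0x22tor\0x22\n"`; worth a sentence noting that the argument is visible in process listings and that the example hash corresponds to the literal password "tor" and must be regenerated for a real deployment.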

fuss/tor.txt · Last modified: 2024/03/30 16:31 by office
