This shows you the differences between two versions of the page.
fuss:tor [2022/04/20 22:32] – [Compile a Static Tor] office | fuss:tor [2024/03/30 16:31] (current) – [Monitoring tor Instances using Expect] office | ||
---|---|---|---|
Line 217: | Line 217: | ||
In case '' | In case '' | ||
+ | |||
+ | ====== Increase Logging ====== | ||
+ | |||
+ | When debugging Tor, in particular client transport plugins it is sometimes useful to increase logging in order to determine the cause for something not working right. | ||
+ | |||
+ | Locate the configuration line starting with '' | ||
+ | < | ||
+ | Log notice syslog | ||
+ | </ | ||
+ | to: | ||
+ | < | ||
+ | Log debug syslog | ||
+ | </ | ||
+ | |||
+ | The previous configuration line will turn on debug logging and will send all messages to the system log. | ||
+ | |||
+ | ====== Load-Balancing Multiple Tor Instances via HAProxy ====== | ||
+ | |||
+ | When running multiple Tor instances, it is possible to load-balance the traffic over all Tor instances whilst having a single SOCKS entry point. | ||
+ | |||
+ | Nevertheless, | ||
+ | |||
+ | < | ||
+ | . multiple Tor instances | ||
+ | . | ||
+ | | ||
+ | +---------+ | ||
+ | | | ||
+ | | ||
+ | | | ||
+ | +---------+ | ||
+ | | ||
+ | . | ||
+ | . | ||
+ | </ | ||
+ | |||
+ | Assuming that multiple Tor instances are set up to listen to an array of ports, HAProxy can be set up with the following minimal configuration changes: | ||
+ | < | ||
+ | defaults | ||
+ | mode tcp | ||
+ | option redispatch | ||
+ | |||
+ | listen socks5-balance | ||
+ | bind 0.0.0.0: | ||
+ | balance leastconn | ||
+ | |||
+ | server socks5-1 127.0.0.1: | ||
+ | server socks5-2 127.0.0.1: | ||
+ | |||
+ | </ | ||
+ | |||
+ | The configuration declares two upstream proxies on '' | ||
+ | * '' | ||
+ | * '' | ||
+ | |||
+ | Finally, by pointing an application at the HAProxy port '' | ||
+ | |||
+ | ====== Monitoring Tor Instances with Monit ====== | ||
+ | |||
+ | Tor can be elaborately monitored and restarted automatically in case it is necessary to ensure that tor instances stay up and running. Aside from the usual check that the tor OR port is available at a given address, an '' | ||
+ | |||
+ | First, a tor password must be generated in order to be able to access the tor control port by using the following command: | ||
+ | <code bash> | ||
+ | tor --hash-password " | ||
+ | </ | ||
+ | which will result in a password generated on the standard output: | ||
+ | < | ||
+ | 16: | ||
+ | </ | ||
+ | |||
+ | The password will then be added to the tor configuration: | ||
+ | < | ||
+ | ControlPort 0.0.0.0: | ||
+ | HashedControlPassword 16: | ||
+ | </ | ||
+ | |||
+ | With the configuration in place, tor is restarted and the following monit configuration is created: | ||
+ | < | ||
+ | ########################################################################### | ||
+ | ## Copyright (C) Wizardry and Steamworks 2023 - License: GNU GPLv3 ## | ||
+ | ########################################################################### | ||
+ | |||
+ | check process tor-01 with pidfile / | ||
+ | start program | ||
+ | stop program | ||
+ | if failed host 127.0.0.1 port 9051 type tcp then restart | ||
+ | if failed host 127.0.0.1 port 8051 type tcp and | ||
+ | # password is: tor surrounded by quotes 0x22 | ||
+ | send " | ||
+ | | ||
+ | send " | ||
+ | | ||
+ | retry 1 | ||
+ | timeout 5 seconds | ||
+ | then restart | ||
+ | |||
+ | </ | ||
+ | that will restart tor in case a circuit is not built within two minutes (60 seconds standard monit check time and times two for one more retry). | ||
+ | |||
+ | ====== Monitoring tor Instances using Expect ====== | ||
+ | |||
+ | A more versatile variation of the [[/ | ||
+ | |||
+ | < | ||
+ | # | ||
+ | ########################################################################### | ||
+ | ## Copyright (C) Wizardry and Steamworks 2024 - License: MIT ## | ||
+ | ########################################################################### | ||
+ | # This is an " | ||
+ | # circuit and sets the return status depending on whether it has or not. # | ||
+ | # # | ||
+ | # In other words, iff. the script returns 0, then tor has an established | ||
+ | # circuit; otherwise no circuit has been established. | ||
+ | # # | ||
+ | # Requirements: | ||
+ | # * expect (TCL program) | ||
+ | # * tor must expose a control port and must have a control password | ||
+ | # # | ||
+ | # In order to generate a control password, issue: tor --hash-password PWD # | ||
+ | # where PWD is the desired control port password. After that, amend the # | ||
+ | # tor configuration file to set the control port address, port and pass: # | ||
+ | # # | ||
+ | # ControlPort 0.0.0.0: | ||
+ | # HashedControlPassword 16: | ||
+ | # # | ||
+ | # Running: ./ | ||
+ | # where: | ||
+ | # * ADDRESS is the tor listening control address, | ||
+ | # * PORT is the tor listening control port, # | ||
+ | # * PASSWORD is the plaintext control password | ||
+ | # # | ||
+ | # after which the return status can be checked on the shell with: # | ||
+ | # echo $? # | ||
+ | ########################################################################### | ||
+ | |||
+ | set address [lindex $argv 0]; | ||
+ | set port [lindex $argv 1]; | ||
+ | set password [lindex $argv 2]; | ||
+ | |||
+ | set timeout 5 | ||
+ | spawn telnet $address $port | ||
+ | |||
+ | send " | ||
+ | expect "250 OK\r\n" | ||
+ | send " | ||
+ | expect { | ||
+ | timeout { | ||
+ | exit 1 | ||
+ | } | ||
+ | -ex " | ||
+ | } | ||
+ | |||
+ | </ | ||
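Review bot: `ControlPort 0.0.0.0:` in the tor configuration of the Monit section, and again in the header comment of the Expect script, binds the control port on every interface, while the monit check (`if failed host 127.0.0.1 port 8051 type tcp`) only ever connects over loopback. Since the control port accepts commands once the password has been presented, the documented bind address should be 127.0.0.1 unless remote control is really intended, and in that case the text should say so. In the same sections, the Expect script takes PASSWORD as a plaintext command-line argument and speaks to the control port through `spawn telnet $address $port`, so the password is visible in the process list and crosses the network unencrypted whenever ADDRESS is not local; reading it from a file or an environment variable would be a safer default to document. The first `expect "250 OK\r\n"` has no timeout branch, so a failed authentication just falls through to the second `send` after the 5 second timeout; an explicit `timeout { exit 1 }` branch there would fail fast. Lastly, the Increase Logging section changes `Log notice syslog` to `Log debug syslog` but does not say to switch back once debugging is finished, which is worth one closing sentence.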