bugfest / tor-controller

Tor toolkit for Kubernetes (Tor instances, onion services and more)
Apache License 2.0
114 stars 16 forks source link

[REQUEST] enable control port access (already possible?) #76

Open coffeel0ver opened 7 months ago

coffeel0ver commented 7 months ago

First of all thank you @bugfest for this repo.

I would like to use the control port on an OnionService to be able to kill specific onion curcuits to prevent flooding attacks. I haven't found a way to enable control port for an OnionService/OnionBalancedService in the documentation. Is there a way to to enable it and allow connection from other apps inside the cluster?

If not, could you please add this feature? It won't break any of the functions itself from my point of view.

Is there a donations page for this project?

Thanks in advance!

bugfest commented 7 months ago

Hi @coffeel0ver, thanks for your kind words.

I would like to use the control port on an OnionService to be able to kill specific onion curcuits to prevent flooding attacks. I haven't found a way to enable control port for an OnionService/OnionBalancedService in the documentation. Is there a way to to enable it and allow connection from other apps inside the cluster?

If not, could you please add this feature? It won't break any of the functions itself from my point of view.

I already developed spec.control.enable for the Tor instances but this feature hasn't been ported yet to the OnionService/OnionBalancedService: https://github.com/bugfest/tor-controller/blob/f60092be56eeaf5eb033fc3d2fac2e3d53eadf80/controllers/tor/tor_configmap.go#L74-L82

You can enable Tor's control port in OnionService and OnionBalancedService using the extraConfig attribute.

Examples:

# OnionService
apiVersion: tor.k8s.torproject.org/v1alpha2
kind: OnionService
metadata:
  name: onionservice-controlport-enabled
spec:
  version: 3
  rules: [...]
  extraConfig: |
    ControlPort 0.0.0.0:9051
    HashedControlPassword yourhashedpasswordhere
# OnionBalancedService
apiVersion: tor.k8s.torproject.org/v1alpha2
kind: OnionBalancedService
metadata:
  name: onionbalancedservice-controlport-enabled
spec:
  backends: 3
  template:
    spec:
      version: 3
      rules: [...]
      extraConfig: |
        ControlPort 0.0.0.0:9051
        HashedControlPassword yourhashedpasswordhere

Is there a donations page for this project?

I currently don't take donations for any of my projects. But if you still do want to contribute you can donate to Tor project instead https://donate.torproject.org so that all of us can keep using Tor network : )

Regards, BF

coffeel0ver commented 7 months ago

Hey @bugfest let me explain the problem a bit more in detail:

As you are using the following definition for the OnionService:

apiVersion: tor.k8s.torproject.org/v1alpha2
kind: OnionService
metadata:
  name: myapp-onion-service
  namespace: tor-proxy
spec:
  version: 3
  rules:
    - port:
        name: myapp
        number: 80
      backend:
        service:
          name: traefik
          port:
            number: 80
  extraConfig: |
    ControlPort 9051
    HashedControlPassword XXXXXXXXX

tor is returning this error:

2024-04-04T22:17:56.585543697+02:00 Apr 04 20:17:56.585 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
2024-04-04T22:17:56.585549196+02:00 Apr 04 20:17:56.585 [notice] Read configuration file "/run/tor/torfile".
Apr 04 20:17:56.586 [warn] You specified a nonzero ControlPort along with 'ControlPort 0' in the same configuration. Did you mean to disable ControlPort or not?
2024-04-04T22:17:56.586432710+02:00 Apr 04 20:17:56.586 [warn] Failed to parse/validate config: Invalid ControlPort configuration
Apr 04 20:17:56.586 [err] Reading config failed--see warnings above.
time="2024-04-04T20:17:56Z" level=info msg="exit status 1"

With the current torfile it is not possible to set a ControlPort via extraConfig option in the yaml, since the torfile already contains ControlPort 0 before the extraConfig is appended.

Could you please edit the torfile and remove the ControlPort from this file? ControlPort should be disabled by tor by default (no need to explicitly define it in the torfile). Aside from that it's not exposed, without a service anyways.

Could you please make this small edit, otherwise it won't be able to use the ControlPort. Thank you in advance!

bugfest commented 7 months ago

Hi @coffeel0ver, I'll work on this feature as soon as I can. In the mean time, good news is I found a way to override this setting via ExtraConfig, as per torrc manual page:

THE CONFIGURATION FILE FORMAT (...) Alternatively, you might want to remove every instance of an option in the configuration file, and not replace it at all: you might want to say on the command line that you want no SocksPorts at all. To do that, prefix the option name with a forward slash (/). You can use the plus sign (+) and the forward slash (/) in the configuration file and on the command line.

I got it working with the following:

...
spec:
  ...
  extraConfig: |
    /ControlPort
    +ControlPort 0.0.0.0:9051
    HashedControlPassword 16:8716E5455708558C60352B1BB3609AC392D0F3619D4056D276B1B39641

Can you double check this unblocks your issue?

Regards, BF

coffeel0ver commented 7 months ago

Hi @bugfest; I can confirm this works! Thank you for the workaround, maybe you can place this into the next version, think it's easier and more handy to understand instead ofgoing this way. Thanks and all the best;

--  

  1. Apr. 2024, 13:23 von @.***:

Hi > @coffeel0ver https://github.com/coffeel0ver> , I'll work on this feature as soon as I can. In the mean time, good news is I found a way to override this setting via ExtraConfig, as per > torrc> manual page:

THE CONFIGURATION FILE FORMAT (...) Alternatively, you might want to remove every instance of an option in the configuration file, and not replace it at all: you might want to say on the command line that you want no SocksPorts at all. To do that, prefix the option name with a forward slash (/). You can use the plus sign (+) and the forward slash (/) in the configuration file and on the command line.

I got it working with the following:

...spec: ... extraConfig: | /ControlPort +ControlPort 0.0.0.0:9051 HashedControlPassword 16:8716E5455708558C60352B1BB3609AC392D0F3619D4056D276B1B39641

Can you double check this unblocks your issue?

Regards, BF

— Reply to this email directly, > view it on GitHub https://github.com/bugfest/tor-controller/issues/76#issuecomment-2041435783> , or > unsubscribe https://github.com/notifications/unsubscribe-auth/BBI5BDZKMU5G6BAZYW3MGPTY4EUBZAVCNFSM6AAAAABFAHQHWOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDANBRGQZTKNZYGM> . You are receiving this because you were mentioned.> Message ID: > <bugfest/tor-controller/issues/76/2041435783> @> github> .> com>