dperson / torproxy

GNU Affero General Public License v3.0

Control port connection issue when running multiple instances #37

Closed m0tmd closed 4 years ago

m0tmd commented 4 years ago

Can't connect to the other control ports with nyx when running multiple instances:

podman run -it -p 8118:8118 -p 9050:9050 -p 9051:9051 -d dperson/torproxy -p "test"
podman run -it -p 9150:9150 -p 9151:9151 -v /some/torrc:/etc/tor/torrc:ro -d dperson/torproxy -p "test"

Torrc config of the second instance:

ControlSocket /etc/tor/run/control
ControlSocketsGroupWritable 1
ControlPort 9151
CookieAuthentication 1
CookieAuthFileGroupReadable 1
CookieAuthFile /etc/tor/run/control.authcookie
DataDirectory /var/lib/tor
RunAsDaemon 0
User tor
AutomapHostsOnResolve 1
ExitPolicy reject *:*
VirtualAddrNetworkIPv4 10.192.0.0/10
DNSPort 5353
SocksPort 0.0.0.0:9150 IsolateDestAddr
TransPort 0.0.0.0:9040

Socks proxy 9050 & 9150 work well

nyx -i 9051 # works
nyx -i 9151 # return --> Unable to authenticate: socket connection failed (Received empty socket content.)

m0tmd commented 4 years ago

I managed to install nyx inside the running containers with python, which avoids exposing the control port:

podman exec -it container_id bash

bash-5.0# apk add --update py3-setuptools
bash-5.0# pip3 install --upgrade pip
bash-5.0# pip install nyx
bash-5.0# nyx

Have to create a user to avoid root warning when using nyx

dperson commented 4 years ago

So it sounds like you've found a solution?

m0tmd commented 4 years ago

Still don't understand why, in the first case, control port 9151 isn't reachable. The solution I've found requires installing python into the container, which isn't recommended either. Any clue for avoiding the python install? I'm not familiar enough with alpine to build nyx from source. Thanks for the help!

dperson commented 4 years ago

Well looking at the open TCP ports in the container:

$ sudo docker exec -it tor netstat -lnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:9040            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8118            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9050            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9051          0.0.0.0:*               LISTEN

And the configuration of the ports:

$ sudo docker exec -it tor grep -i port /etc/tor/torrc
ControlPort 9051
DNSPort 5353
SocksPort 0.0.0.0:9050 IsolateDestAddr
TransPort 0.0.0.0:9040

I can see that it's not configured to listen to remote management requests. Which is a security concern when people can remotely manage your security device. But feel free to change it if you wish.
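
The check dperson did by hand with netstat and grep can be run against a torrc before starting a container. This is an added example, not part of the thread or of the torproxy project: `listeners` and `audit` are hypothetical helper names, the sample torrc is the port-related subset of the second instance's config above, and bind addresses are assumed to be numeric IPs.

```python
import ipaddress

# Port-related lines of the second instance's torrc from the issue.
TORRC = """\
ControlPort 9151
CookieAuthentication 1
DNSPort 5353
SocksPort 0.0.0.0:9150 IsolateDestAddr
TransPort 0.0.0.0:9040
"""

def listeners(torrc):
    """Yield (directive, address, port) for each TCP *Port line in a torrc."""
    for line in torrc.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or not parts[0].endswith("Port"):
            continue
        spec = parts[1]
        if spec in ("0", "auto") or spec.startswith("unix:"):
            continue  # disabled, auto-chosen, or not a TCP listener
        # A bare port number binds to loopback (see the netstat output above).
        addr, _, port = spec.rpartition(":")
        yield parts[0], (addr.strip("[]") or "127.0.0.1"), int(port)

def audit(torrc, published):
    """Map port -> finding, given the container ports published with -p."""
    has_auth = any(l.split()[:2] == ["CookieAuthentication", "1"]
                   or l.startswith("HashedControlPassword ")
                   for l in torrc.splitlines())
    findings = {}
    for name, addr, port in listeners(torrc):
        loopback = ipaddress.ip_address(addr).is_loopback
        if port in published and loopback:
            # The situation in this issue: -p 9151:9151 with ControlPort 9151.
            findings[port] = "published, but bound to loopback inside the container"
        elif name == "ControlPort" and not loopback:
            # The exposure dperson warns about.
            findings[port] = ("control port on non-loopback address"
                              + ("" if has_auth else " WITHOUT authentication"))
    return findings

if __name__ == "__main__":
    for port, msg in audit(TORRC, {9150, 9151}).items():
        print(port, msg)
```
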