talaia-labs / rust-teos

The Eye of Satoshi - Lightning Watchtower
https://talaia.watch
MIT License

Allow hosting tower interface over Tor without access to the Tor control port #174

Closed chrisguida closed 1 year ago

chrisguida commented 1 year ago

On embassyOS, we don't allow services to access the Tor control port. The OS automatically creates a hidden service and attaches it to the interface indicated in the manifest. Is there any way to simply give the tower its system-generated Tor address without allowing it to create a hidden service itself?

mariocynicys commented 1 year ago

> The OS automatically creates a hidden service and attaches it to the interface indicated in the manifest

Can you elaborate on how this goes or share a link? How is the hidden service attached to the interface (and what interface)? What I understand now is that an .onion address is generated and passed to the tower to operate on? But is the tower authorized to do so?

I guess you can always create a hidden service on the OS and then have it listening to some local port (the port that the tower is listening to) without triggering the tower's own --torsupport flag.

chrisguida commented 1 year ago

Yes, you are correct, I can just turn off Tor support and everything will work fine:

# API
api_bind = "0.0.0.0"
api_port = 9814
#tor_control_port = 9051
#onion_hidden_service_port = 9814
tor_support = false

Disregard.

sr-gi commented 1 year ago

Should we add a small section to https://github.com/talaia-labs/rust-teos#running-teosd-with-tor about how to do this? Others may find it useful.

chrisguida commented 1 year ago

Yes, please :)

I'd originally gone through a whole process to grab the tor privkey from the system-generated config and convert it from unpadded base32 to a byte array and place it into the expected privkey location.

For the record, this actually does work.

But, deactivating tor support is much easier xD

sr-gi commented 1 year ago

> Yes, please :)
>
> I'd originally gone through a whole process to grab the tor privkey from the system-generated config and convert it from unpadded base32 to a byte array and place it into the expected privkey location.
>
> For the record, this actually does work.
>
> But, deactivating tor support is much easier xD

It'll be nice to have the steps to reproduce (from hidden service creation to address binding) so we can add it.

chrisguida commented 1 year ago

Basically the OS just allocates a hidden service pointing at the port the service is bound to on the container. @dr-bonez can elaborate

dr-bonez commented 1 year ago

Yeah, the OS manages the Tor control port itself. The application manifest specifies what services it wants on what ports. It's basically no different than if you added a hidden service to your torrc manually.
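The manual equivalent of what dr-bonez describes, written out as an added example (not code from the issue thread or from rust-teos): Tor owns the hidden service through its own torrc `HiddenServiceDir`/`HiddenServicePort` directives, teosd runs with `tor_support = false` as in the config above, and a small check confirms that the two files agree on the port and that nothing in teos.toml still expects control-port access. The hidden-service directory path and the 127.0.0.1 target are assumptions; the teos.toml keys are the ones shown in the thread.

```python
import re

# Constructed values matching the thread: the tower's API port inside its
# container, and an assumed hidden-service directory for the OS-owned Tor.
TEOS_API_PORT = 9814
HS_DIR = "/var/lib/tor/teos"  # assumption, not a real embassyOS path

def render_torrc_stanza(hs_dir, onion_port, target_host, target_port):
    """Hidden-service stanza owned by Tor itself; teosd never touches the control port."""
    return (f"HiddenServiceDir {hs_dir}\n"
            f"HiddenServicePort {onion_port} {target_host}:{target_port}\n")

def render_teos_config(api_bind, api_port):
    """teos.toml API section with the tower's own Tor integration switched off."""
    return ("# API\n"
            f'api_bind = "{api_bind}"\n'
            f"api_port = {api_port}\n"
            "#tor_control_port = 9051\n"
            "#onion_hidden_service_port = 9814\n"
            "tor_support = false\n")

def parse_simple_toml(text):
    """Minimal key = value reader; enough for these flat, commented settings."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        m = re.fullmatch(r'(\w+)\s*=\s*(?:"([^"]*)"|(\S+))', line)
        if m:
            values[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return values

def check_external_hs_consistency(teos_toml, torrc_stanza):
    """Return the list of mismatches between the two files; empty means consistent."""
    problems = []
    cfg = parse_simple_toml(teos_toml)
    if cfg.get("tor_support") != "false":
        problems.append("tor_support must be false when the OS owns the hidden service")
    if "tor_control_port" in cfg:
        problems.append("tor_control_port is set but the tower has no control-port access here")
    m = re.search(r"HiddenServicePort\s+(\d+)\s+\S+:(\d+)", torrc_stanza)
    if m is None:
        problems.append("torrc stanza has no HiddenServicePort line")
    elif m.group(2) != cfg.get("api_port"):
        problems.append("hidden service forwards to a port the tower does not listen on")
    return problems
```

Run `check_external_hs_consistency(render_teos_config("0.0.0.0", 9814), render_torrc_stanza(HS_DIR, 9814, "127.0.0.1", 9814))` to confirm the pair is consistent; the same check flags a torrc that forwards to the wrong port or a teos.toml that re-enables tor_support.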