[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Putting onion services behind a third-party TCP proxy

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Putting onion services behind a third-party TCP proxy
From: Pop Chunhapanya <pop@xxxxxxxxxxxxxx>
Date: Wed, 14 Aug 2019 23:53:00 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 15 Aug 2019 02:53:25 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=/xPtVMatuDogRKRcHEpwhm7k9o0tsLoB00zB2ygpTkE=; b=U3SGMTIJ7PEZPliykeN/pGNuwp0jMz8lYF7Lcs55b8vZDo+ulcH7O2+njD8XMKAXdt LKqHh+DUyjPBRgPjmQpCI8JA7OGeF/DKTLEo2UNr7+eYhxYsPpXQc1W60Y1maBL6mY1s RKrgm1ejxw0evaXebYkEJTEZ3Xf2X4climLks=
In-reply-to: <4CE150D3-D0FC-4759-B20D-87B28B653331@riseup.net>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CAMM-YAP9kQoo6DQWC3F-68ieEXF8ihRf7UuOEGnF5pnfUQL8hg@mail.gmail.com> <4CE150D3-D0FC-4759-B20D-87B28B653331@riseup.net>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

So I'm thinking putting the tor daemon behind some third party TCP proxy that will protect me from this kind of DDoS attack.

What do you think if I want to implement a feature that forward all the onion service traffic to the TCP proxy before going to the Tor network?

The protocol that I'm thinking is TCP Proxy Protocol [1]

[1] https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

You could try the existing HTTPSProxy torrc option?

HTTPSProxy host[:port]
Tor will make all its OR (SSL) connections through this host:port (or host:443 if port is not specified), via HTTP CONNECT rather than connecting directly to servers. You may want to set FascistFirewall to restrict the set of ports you might try to connect to, if your HTTPS proxy only allows connecting to certain ports.

Tor also allows an intelligent firewall to filter circuits using a field in haproxy protocol format, see HiddenServiceExportCircuitID for details. But you probably won't need this advanced feature.

I feel that HTTPSProxy is too expensive. As far as I know, it needs to do (1) tcp handshake, (2) tls handshake, and (3) http connect. If I can use haproxy, it would be just one tcp handshake.

Could I propose another option for haproxy?

I can do it myself. You just review and merge :)

Haxxpop

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] Putting onion services behind a third-party TCP proxy
  - From: Peter Palfrader
- Re: [tor-dev] Putting onion services behind a third-party TCP proxy
  - From: teor

References:
- [tor-dev] Putting onion services behind a third-party TCP proxy
  - From: Pop Chunhapanya
- Re: [tor-dev] Putting onion services behind a third-party TCP proxy
  - From: teor

Prev by Author: Re: [tor-dev] Putting onion services behind a third-party TCP proxy
Next by Author: [tor-dev] Putting onion services behind a third-party TCP proxy
Previous by thread: Re: [tor-dev] Putting onion services behind a third-party TCP proxy
Next by thread: Re: [tor-dev] Putting onion services behind a third-party TCP proxy
Index(es):
- Author
- Thread