Docker container: connect to tor network through proxy #42

Closed
opened 2024-10-08 15:27:24 +00:00 by c0zyf3ar · 4 comments

Hello @throwaway! I configured 4get locally (just on my laptop) using a docker container with tor, and now I want to configure tor to use `Socks5Proxy` from torrc (because some ISPs block tor in my country, so I use a shadowsocks proxy on 127.0.0.1:1080), but for some reason it does not read this line (it returns to the default torrc config with just `SocksPort 0.0.0.0:9050` and nothing else?), as far as I can tell after some tests. My local tor daemon, which runs outside the docker container, works fine with this proxy though. Can you help me?

As I understand it, the tor container uses its own local tor daemon, so it can't use the "global proxy" which runs on localhost (or whatever it's called, idk). So what's the solution here? Maybe somehow run a local shadowsocks proxy inside this container so this local tor daemon can actually see it? If so, how to do that? Or maybe, if I'm already running a "global" tor daemon on my machine, somehow configure the container to use it? I tried to do this but no luck.

Collaborator

Hello! :D

From my understanding, you are running shadowsocks on your host machine and want traffic to flow from 4get, to shadowsocks, and then to tor. And you tried to accomplish this by providing the `Socks5Proxy`, `Socks5ProxyUsername`, and `Socks5ProxyPassword` options in the torrc (at /etc/tor/torrc), pointing at your running shadowsocks instance at 127.0.0.1:1080

if you're running tor on your local machine, the easiest way is to remove the tor container from your compose file and make the 4get container use host networking. Then in `proxies/onion.txt` you can use `socks5:localhost:9050::`

you can make the 4get container use the host network with `network_mode: "host"`

with onion.txt in the `proxies` folder, your compose file would look like this:

```yaml
services:
  fourget:
    image: luuul/4get:latest
    restart: unless-stopped
    network_mode: "host"

    environment:
      - FOURGET_PROTO=http
      - FOURGET_SERVER_NAME=4get.ca
      # loads proxies/onion.txt
      - FOURGET_PROXY_DDG="onion"
      - FOURGET_PROXY_BRAVE="onion"
      - FOURGET_PROXY_FB="onion"
      - FOURGET_PROXY_GOOGLE="onion"
      - FOURGET_PROXY_QWANT="onion"
      - FOURGET_PROXY_MARGINALIA="onion"
      - FOURGET_PROXY_MOJEEK="onion"
      - FOURGET_PROXY_SC="onion"
      - FOURGET_PROXY_SPOTIFY="onion"
      - FOURGET_PROXY_WIBY="onion"
      - FOURGET_PROXY_CURLIE="onion"
      - FOURGET_PROXY_YT="onion"
      - FOURGET_PROXY_YEP="onion"
      - FOURGET_PROXY_PINTEREST="onion"
      - FOURGET_PROXY_SEZNAM="onion"
      - FOURGET_PROXY_NAVER="onion"
      - FOURGET_PROXY_GREPPR="onion"
      - FOURGET_PROXY_CROWDVIEW="onion"
      - FOURGET_PROXY_MWMBL="onion"
      - FOURGET_PROXY_FTM="onion"
      - FOURGET_PROXY_IMGUR="onion"
      - FOURGET_PROXY_YANDEX_W="onion"
      - FOURGET_PROXY_YANDEX_I="onion"
      - FOURGET_PROXY_YANDEX_V="onion"

    # no `ports:` section: it is discarded under network_mode: "host",
    # where the container's port 80 is opened on the host directly

    volumes:
      - ./proxies/:/var/www/html/4get/data/proxies/
```

if you're adamant about running tor in a docker container, it becomes much trickier, as you have experienced. The torrc at /etc/tor/torrc only applies to tor running on your host, not the container running tor, and 127.0.0.1:1080 in the container means the container itself and not your host running shadowsocks

to make shadowsocks on your host machine visible to the tor container, you could add your host machine with extra_hosts in docker compose. Then your tor container (with an updated torrc which will be covered next) can reference your host and it can use it as a Socks5Proxy.

using `extra_hosts foobar:127.0.0.1` will not work because it will simply append the value 127.0.0.1 to /etc/hosts in the container.
there is a special string `host-gateway` that allows you to reference the host machine. You can use it like this

```yaml
extra_hosts:
  - "host.docker.internal:host-gateway"
```

This adds your host machine to /etc/hosts in the container and makes it available via an ip address such as `172.17.0.1`.
but as https://stackoverflow.com/a/70725882 elaborates, in docker compose you'll likely end up with an ip that you can't predict ahead of time unless you create a custom network.

The added section to your docker compose file will look like this:

```yaml
tor:
    image: luuul/tor:latest
    restart: unless-stopped
    # Warning: Do not publish port 9050
    extra_hosts:
      - "host.docker.internal:host-gateway"
```

which will allow this container to communicate with your host machine via the ip "172.17.0.1" or some other ip

to make changes to the tor daemon running in the container, you need to modify the configuration it reads from. To do this, you can mount an updated version of the configuration. For example: you can create a torrc named `my_torrc` with the following content and mount it with docker compose to the expected location of `/etc/tor/torrc`

```
# my_torrc
# Keep the listener the image ships with: the fourget container reaches tor over
# the compose network, so a loopback-only SocksPort would not do. Never publish 9050.
SocksPort 0.0.0.0:9050
# default bridge gateway; check it with: docker compose exec tor cat /etc/hosts
Socks5Proxy 172.17.0.1:1080
Socks5ProxyUsername username
Socks5ProxyPassword password
```

```yaml
# docker-compose.yaml
version: "3.7"

services:
  fourget:
    image: luuul/4get:latest
    restart: unless-stopped
    environment:
      - FOURGET_PROTO=http
      - FOURGET_SERVER_NAME=4get.ca

    depends_on:
      - tor

  tor:
    image: luuul/tor:latest
    restart: unless-stopped
    # no `ports:` here on purpose: 9050 must stay reachable only inside the compose network

    extra_hosts:
      - "host.docker.internal:host-gateway"

    volumes:
      - ./my_torrc:/etc/tor/torrc     # replaces the image's torrc entirely
      - ./4get:/var/lib/tor/4get
      - ./data:/root/.tor
```

Everything else regarding the connection between 4get and tor should remain the same as what is in the docker_tor guide. I'll need to look into using custom network like https://stackoverflow.com/a/70725882 mentions so the ip referencing host can be consistent.

Hopefully this helps! I've also written more about docker networking here: https://git.lolcat.ca/lolcat/4get/issues/20#issuecomment-106, but I know now that using 127.0.0.1 with extra_hosts will not work

Author

@throwaway Ok, so I ended up with the easiest way, because I'm always running tor on my machine, and it works! Now I only worry about one thing: is it safe to use the `SOCKSPort 0.0.0.0:9050` line in /etc/tor/torrc? I don't quite understand this part from the guide:

> If you use SocksPort 0.0.0.0:9050 anywhere make sure it is inaccessible to outside world. As long as you don't publish this port (-p or --publish) it shouldn't be accessible to outside world.

I want to be safe, so I don't want it to be accessible to the outside world. So how do I make sure that I don't publish this port? Does this `--publish` flag relate to the tor daemon or something else (I didn't find anything about this flag in `man tor`)? I didn't open this port on my firewall, so am I safe in this case?

Edit: Now when I'm using the `network_mode: "host"` line in the compose file and restart the container, it says

> Published ports are discarded when using host network mode

So does it mean that it automatically protects from publishing the port to the outside world (and I'm safe)?

Collaborator

Glad to know it works!

the reason why SocksPort is set to `0.0.0.0:9050` instead of the default of 127.0.0.1 is because the docker_tor guide was made for a setup that involved both containers, and it was needed so the tor and 4get containers could communicate with each other on the same network. Because you're removing the need for the tor container, you don't need this line in your tor conf!

> So does it mean that it automatically protects from publishing port to outside world (and I'm safe)?

No. With `network_mode: host` all ports are automatically published, so if a process in a container is listening on port 8080 then you can access it at port 8080 on the host.

The message is shown to inform you that this section is ignored

```yaml
ports:
  - "80:80"
  - "443:443"
```

Going to edit my previous comment to remove the SocksPort line. Thank you for pointing this out!

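The checks from both replies above, as an added example that is not part of 4get or its docker_tor guide: a small Python linter that reads a torrc and a compose file and reports a `Socks5Proxy` pointing at loopback from inside the tor container (the first reply's point), a wildcard `SocksPort` that is published with `-p`/`--publish`, and a wildcard `SocksPort` under `network_mode: "host"` or on a host-side tor, where it binds every interface (the second reply's point). The torrc and compose texts embedded in it are constructed for the demo, the `172.17.0.1` gateway address is the thread's example value, and the compose reader is a line-based heuristic (no PyYAML) that only understands short-syntax `ports:` entries.

```python
"""Lint a torrc and a docker-compose file for the exposure problems this thread discusses.
Added example, not part of 4get or its docker_tor guide.  The sample texts at the bottom are
constructed for the demo; the compose reader is a plain line scanner (no PyYAML)."""
import re
from ipaddress import ip_address

def parse_torrc(text):
    """lower-cased option name -> list of values (tor option names are case-insensitive)"""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if line:
            key, _, value = line.partition(" ")
            opts.setdefault(key.lower(), []).append(value.strip())
    return opts

def split_host_port(spec):
    """'0.0.0.0:9050' -> ('0.0.0.0', 9050); '[::]:9050' -> ('::', 9050); '9050' -> (None, 9050)"""
    host, sep, port = spec.rpartition(":")
    if not sep:
        return (None, int(spec)) if spec.isdigit() else (spec, None)
    return host.strip("[]"), (int(port) if port.isdigit() else None)

def addr_is(host, attr):
    """ip_address(host).<attr> ('is_loopback' / 'is_unspecified'); of the hostnames only localhost counts"""
    try:
        return getattr(ip_address(host.strip("[]")), attr)
    except ValueError:
        return host == "localhost" and attr == "is_loopback"

def socks_listeners(opts):
    """(address, port) pairs tor will listen on, applying tor's defaults"""
    values = opts.get("socksport")
    if values is None:
        return [("127.0.0.1", 9050)]                    # default when no SocksPort line exists
    listeners = []
    for value in values:
        spec = value.split()[0]                         # drop flags such as IsolateDestAddr
        if spec == "0" or spec.startswith("unix:"):
            continue                                    # disabled, or a unix socket: no TCP exposure
        host, port = split_host_port(spec)
        listeners.append((host or "127.0.0.1", port))   # a bare port number binds loopback
    return listeners

def uses_host_network(compose):
    return re.search(r'^\s*network_mode:\s*["\']?host["\']?\s*$', compose, re.M) is not None

PORT_ENTRY = re.compile(r'^-\s*["\']?(?:(.+?):)?(\d+):\d+(?:/(?:tcp|udp))?["\']?$')

def published_ports(compose):
    """(host_ip, host_port) for short-syntax ports entries like 9050:9050 or 127.0.0.1:80:80"""
    published, in_ports = [], False
    for raw in compose.splitlines():
        line = raw.strip()
        if line.startswith("ports:"):
            in_ports = True
            continue
        match = PORT_ENTRY.match(line) if in_ports else None
        if match:
            published.append((match.group(1) or "0.0.0.0", int(match.group(2))))
        else:
            in_ports = False                            # any other line ends the list
    return published

def audit(torrc, compose, tor_in_container):
    """[(severity, message)] for the mistakes the thread covers"""
    findings, opts = [], parse_torrc(torrc)
    for value in opts.get("socks5proxy", []):
        host, _ = split_host_port(value)
        if tor_in_container and host and addr_is(host, "is_loopback"):
            findings.append(("error", f"Socks5Proxy {value}: loopback inside the tor container is the "
                             "container itself, not the host running shadowsocks; use the host-gateway address"))
    exposed = {port for _, port in published_ports(compose)}
    for addr, port in socks_listeners(opts):
        if not addr_is(addr, "is_unspecified"):
            continue                                    # loopback or one specific interface
        if not tor_in_container or uses_host_network(compose):
            findings.append(("warn", f"SocksPort {addr}:{port} binds every host interface; bind "
                             "127.0.0.1 (tor's default) or block the port in the host firewall"))
        elif port in exposed:
            findings.append(("error", f"SocksPort {addr}:{port} is published (-p/--publish): "
                             "reachable from outside the host"))
        else:
            findings.append(("info", f"SocksPort {addr}:{port} is unpublished: reachable only from "
                             "the host and from containers on the same Docker network"))
    return findings

# Constructed inputs mirroring the thread, not real project files.
GUIDE_TORRC = "SocksPort 0.0.0.0:9050\n"                # what the tor image ships, per the question
BROKEN_MY_TORRC = GUIDE_TORRC + "Socks5Proxy 127.0.0.1:1080\nSocks5ProxyUsername user\nSocks5ProxyPassword pass\n"
FIXED_MY_TORRC = BROKEN_MY_TORRC.replace("127.0.0.1:1080", "172.17.0.1:1080")   # host-gateway address
BRIDGE_COMPOSE = """services:
  fourget:
    image: luuul/4get:latest
    ports:
      - "80:80"
  tor:
    image: luuul/tor:latest
    extra_hosts:
      - "host.docker.internal:host-gateway"
"""
LEAKY_COMPOSE = BRIDGE_COMPOSE + '    ports:\n      - "9050:9050"\n'     # what the guide warns against
HOST_COMPOSE = 'services:\n  fourget:\n    image: luuul/4get:latest\n    network_mode: "host"\n'
```

Call `audit(torrc_text, compose_text, tor_in_container=True)` for the two-container setup and `tor_in_container=False` for the host-side tor; the `info` line is the normal state of the docker_tor guide (wildcard bind, unpublished, reachable from other containers and the host only), `error` is a loopback proxy address or a published 9050, and `warn` is the host-networking case where the bind really lands on every host interface and only the host firewall stands in front of it.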
Author

@throwaway thank you so much <3 Finally I can use my local 4get instance without reserve!

Reference: lolcat/4get#42