peterdavehello / tor-socks-proxy

🐳 Tiny Docker image (🤏 10MB) as 🧅 Tor SOCKS5 proxy 🛡

Home Page: https://hub.docker.com/r/peterdavehello/tor-socks-proxy/

License: GNU General Public License v3.0


tor-socks-proxy's Introduction

Tor-socks-proxy


The super easy way to set up a Tor SOCKS5 proxy server inside a Docker container, without Tor relay/exit node function enabled.

Docker image Repository

We push the built image to Docker Hub and GitHub Container Registry:

Use the prefix ghcr.io/ if you prefer to use GitHub Container Registry.

Usage

First-Time Setup

docker run -d --restart=always --name tor-socks-proxy -p 127.0.0.1:9150:9150/tcp peterdavehello/tor-socks-proxy:latest
  • --restart=always: This ensures the container automatically restarts whenever the system reboots.
  • -p 127.0.0.1:9150:9150/tcp: This binds the container to localhost, and you should not change this IP unless you want to expose the proxy to a local network or the Internet.
    • You can change the first 9150 to any available port. Please note that ports 9050/9150 may be occupied if you are running another Tor client like TorBrowser.
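
To confirm that a running container is published on loopback only, as the bullets above require, the mapping printed by `docker port` can be checked. This is an added example, not part of the project; the function names and the sample mapping are constructed for illustration.

```shell
#!/bin/sh
# Added example, not project code. Reads `docker port <container>` output on
# stdin and prints each published port whose host address is not loopback.
# Returns 0 when every binding is loopback-only, 1 otherwise.
non_loopback_bindings() {
    awk '
        # Expected line shape: 9150/tcp -> 127.0.0.1:9150
        $2 == "->" {
            host = $3
            sub(/:[0-9]+$/, "", host)   # strip the trailing :port
            sub(/^\[/, "", host)        # unwrap bracketed IPv6 such as [::1]
            sub(/\]$/, "", host)
            if (host !~ /^127\./ && host != "::1") {
                print $1 " exposed on " host
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Live use (needs Docker). Returns 2 if the container cannot be queried.
check_proxy_exposure() {
    out=$(docker port "${1:-tor-socks-proxy}") || return 2
    printf '%s\n' "$out" | non_loopback_bindings
}

# Constructed sample: the README mapping plus a DNS port published without
# the 127.0.0.1 prefix, which Docker binds on all interfaces.
sample_docker_port_output() {
    cat <<'EOF'
9150/tcp -> 127.0.0.1:9150
8853/udp -> 0.0.0.0:53
8853/udp -> [::]:53
EOF
}

if sample_docker_port_output | non_loopback_bindings; then
    echo "loopback only"
else
    echo "proxy reachable from other hosts"
fi
```

The check only covers ports published with `-p`; a container started with host networking has no entries in `docker port` and has to be checked with the host's own socket listing.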

Start or stop an existing Instance manually

docker start tor-socks-proxy
docker stop tor-socks-proxy

Checking the Proxy Status and logs

docker logs tor-socks-proxy

Configuring a Client to Use the Proxy

curl --socks5-hostname 127.0.0.1:9150 https://ipinfo.tw/ip

Stopping the Proxy

docker stop tor-socks-proxy

IP Renewal

By default, Tor automatically changes IPs every 10 minutes. You can manually renew the IP by restarting the container:

docker restart tor-socks-proxy

DNS over Tor

Publish the DNS port during setup to resolve DNS queries over Tor:

docker run -d --restart=always --name tor-socks-proxy -p 127.0.0.1:9150:9150/tcp -p 127.0.0.1:53:8853/udp peterdavehello/tor-socks-proxy:latest

Sponsor

This project is now sponsored by DigitalOcean, providing us with a dedicated development and testing environment.

For cloud VPS hosting with $200 in free credit, consider using my DigitalOcean referral link: https://m.do.co/c/1fdd0a1d695a

Support Tor Project

Support the Tor project by setting up Tor bridge/exit nodes and donating.


tor-socks-proxy's Issues

Container started under system-wide user uid=100 (systemd-network)

Hi, thanks for the good project! It just works! 🚀🚀🚀

I have an issue/proposal.

I'm now configuring the tor-socks-proxy container to run 24/7 on a home server, so I have a couple of thoughts.

Issue

Following your recipe, my container started as uid=100. In my case that is the systemd-network user, even though the user in the Dockerfile is tor. It is probably because of the specific user mapping during the build, although my system tor user has a strictly defined UID.

Anyway, overlapping with the system-wide uid=100 (systemd-network) is bad security practice, I think.

Proposal

I propose changing the recipes and adding a defined numeric UID. Using a numeric UID lets us isolate the container from the rest of the system even if the host system user does not exist.

For example, my recipe to fix it (uid=9155), reduced:

FROM alpine:3.16

...

COPY --chown=9155:9155 torrc /etc/tor/
RUN chown 9155:9155 /var/lib/tor

...

USER 9155
EXPOSE 8853/udp 9150/tcp

CMD ["/usr/bin/tor", "-f", "/etc/tor/torrc"]

Compose:

---
version: "3.8"

services:
  tor-socks-proxy:
    container_name: tor-socks-proxy
    build: .
    user: "9155:9155"
    ports:
      - "0.0.0.0:9153:8853/udp"
      - "0.0.0.0:9153:8853/tcp"
      - "0.0.0.0:9155:9150/tcp"
    restart: always

What do you think about this?

Env:

Ubuntu 20.04
Docker version 20.10.17

stuck in starting

I'm working with podman and the container is stuck in starting status (but it's working fine).

Troubles with circuit establish in Russia

Jun 27 08:23:43.718 [notice] Tor 0.4.7.7 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1n, Zlib 1.2.12, Liblzma 5.2.5, Libzstd 1.5.0 and Unknown N/A as libc.
Jun 27 08:23:43.718 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
Jun 27 08:23:43.718 [warn] Tor was compiled with zstd 1.5.2, but is running with zstd 1.5.0. For safety, we'll avoid using advanced zstd functionality.
Jun 27 08:23:43.718 [notice] Read configuration file "/etc/tor/torrc".
Jun 27 08:23:43.719 [warn] You specified a public address '0.0.0.0:8853' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Jun 27 08:23:43.720 [warn] You specified a public address '0.0.0.0:9150' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Jun 27 08:23:43.720 [warn] You specified a public address '0.0.0.0:8853' for DNSPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.
Jun 27 08:23:43.720 [notice] Opening Socks listener on 0.0.0.0:9150
Jun 27 08:23:43.720 [notice] Opened Socks listener connection (ready) on 0.0.0.0:9150
Jun 27 08:23:43.720 [notice] Opening DNS listener on 0.0.0.0:8853
Jun 27 08:23:43.720 [notice] Opened DNS listener connection (ready) on 0.0.0.0:8853
Jun 27 08:23:43.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Jun 27 08:23:43.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Jun 27 08:23:43.000 [notice] Bootstrapped 0% (starting): Starting
Jun 27 08:23:43.000 [notice] Starting with guard context "default"
Jun 27 08:23:44.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
Jun 27 08:26:13.000 [notice] Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for rendezvous desc)
Jun 27 08:26:53.000 [notice] Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for rendezvous desc)
Jun 27 08:27:33.000 [notice] Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for rendezvous desc)
Jun 27 08:28:13.000 [notice] Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for rendezvous desc)
Jun 27 08:28:53.000 [notice] Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for rendezvous desc)
Jun 27 08:29:33.000 [notice] Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for rendezvous desc)
Jun 27 08:30:13.000 [notice] Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for rendezvous desc)
Jun 27 08:30:53.000 [notice] Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for rendezvous desc)
Jun 27 08:31:33.000 [notice] Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for rendezvous desc)
Jun 27 08:31:53.000 [warn] Problem bootstrapping. Stuck at 5% (conn): Connecting to a relay. (Operation timed out; TIMEOUT; count 10; recommendation warn; host 7EA6EAD6FD83083C538F44038BBFA077587DD755 at 45.66.33.45:443)
Jun 27 08:31:53.000 [warn] 9 connections have failed:
Jun 27 08:31:53.000 [warn] 9 connections died in state connect()ing with SSL state (No SSL object)
Jun 27 08:31:53.000 [warn] Problem bootstrapping. Stuck at 5% (conn): Connecting to a relay. (Operation timed out; TIMEOUT; count 11; recommendation warn; host 6078F300B379D8DEBCF02DBE80881C94777E24BF at 198.255.21.2:443)
Jun 27 08:31:53.000 [warn] 10 connections have failed:
Jun 27 08:31:53.000 [warn] 10 connections died in state connect()ing with SSL state (No SSL object)
Jun 27 08:32:00.000 [warn] Problem bootstrapping. Stuck at 5% (conn): Connecting to a relay. (Operation timed out; TIMEOUT; count 12; recommendation warn; host C9B34ABF2C30DA56BD006B7B42610098072BEF4C at 54.93.77.70:9001)
Jun 27 08:32:00.000 [warn] 11 connections have failed:
Jun 27 08:32:00.000 [warn] 11 connections died in state connect()ing with SSL state (No SSL object)

Any ideas?

Killswitch?

Does this image have a killswitch? If the Tor connection fails, will the client use the real IP of the host?

obfs4proxy unused

Why do you install obfs4proxy
apk -v add tor@edge obfs4proxy@edge curl && \
if it's not referenced in the torrc config or in the docs?

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

docker-compose
docker-compose.yml
dockerfile
Dockerfile
  • alpine 3.19
travis
.travis.yml
  • node 18

  • Check this box to trigger a request for Renovate to run again on this repository

Not working in Ubuntu

Hi. It's not working as a system-wide SOCKS5 proxy in Ubuntu, but it connected and bootstrapped 100%, and my IP changed only when I set the IP and port in Firefox.
Why did it work only in Firefox?

thank you for your good project, it works

I can use 9150 to connect to the proxy.

But I have some questions:
1. About the ports 9050, 9150 and 9151:
I need 9150 and 9151.

2. In Tor Browser, I would select obfs4; it seems to be the best way to connect to Tor for me.
Can I use obfs4 with this Docker image?

Thanks for your project.

HTTPTunnelPort

Dear sir,

the abovementioned parameter/option doesn't seem to be working. Is it by design?
I really miss the opportunity to set up also an HTTP(S) proxy via tor.

Regards

Support running as non-root

Especially in environments like Tor, I'd like to have processes not run as root.
Usually one can simply specify a user from docker run (or docker-compose) to use, however that fails like this:

Jun 05 19:32:57.937 [warn] Error creating directory //.tor: Permission denied
Jun 05 19:32:57.937 [warn] Failed to parse/validate config: Couldn't access/create private data directory "//.tor"

As the root-filesystem is owned by root.
Some images tackle that by simply adding a user with the id 1000 and running from its home directory; however, Docker hosts might prefer to define their own UID/GID to be used.

I think the best solution therefore would be a special folder /tor (e.g.) which is world read/writeable, that way we would avoid creating a new user each time the container is run with a different userid.

One might also want to expose that as a volume, so the user could inspect logs and/or change the configuration.
Then world-readability is a bit dangerous though, as with bind-mounts the tor configuration is exposed to every user on the host.

Edit: Or simply have something like this https://github.com/dperson/torproxy/blob/master/torproxy.sh#L128, however I'd still prefer the world-writeable folder I think

Edit2: Okay so far this is looking bad:

0
Jun 05 20:07:05.269 [warn] /tor is not owned by this user (<unknown>, 1000) but by <unknown> (0). Perhaps you are running Tor as the wrong user?
Jun 05 20:07:05.269 [warn] Failed to parse/validate config: Couldn't access/create private data directory "/tor"

Which means Tor is recognizing the "misconfiguration" and hence refusing to work, so I'll try the dperson/torproxy approach.
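
The startup failures quoted in this issue, and the bootstrap stall in "Troubles with circuit establish in Russia" above, can be told apart mechanically from `docker logs tor-socks-proxy` output. The following is an added example, not code from the issue authors or the project; the function names and the finding labels are made up for illustration.

```shell
#!/bin/sh
# Added example, not project code. Reads a Tor log on stdin and prints one
# line per recognised startup problem, or bootstrap-done.
tor_log_findings() {
    awk '
        /Error creating directory .*: Permission denied/ {
            denied = $0
            sub(/.*Error creating directory /, "", denied)
            sub(/: Permission denied.*/, "", denied)
        }
        / is not owned by this user \(/ {
            path = $0
            sub(/ is not owned by this user.*/, "", path)
            sub(/.*\] /, "", path)              # drop timestamp and [warn]
            run = $0
            sub(/.*is not owned by this user \([^,]*, /, "", run)
            sub(/\).*/, "", run)                # uid Tor is running as
            own = $0
            sub(/.* but by [^(]*\(/, "", own)
            sub(/\).*/, "", own)                # uid that owns the directory
            owner = "datadir-owner " path " running_uid=" run " owner_uid=" own
        }
        match($0, /Stuck at [0-9]+%/) {
            stuck = substr($0, RSTART + 9, RLENGTH - 10)
        }
        /Bootstrapped 100%/ { ready = 1 }
        END {
            if (denied != "")     print "datadir-denied " denied
            if (owner != "")      print owner
            if (ready)            print "bootstrap-done"
            else if (stuck != "") print "bootstrap-stuck " stuck
        }
    '
}

# Sample input: log lines quoted from the issues on this page, combined into
# one constructed log; the last line is abridged.
sample_tor_log() {
    cat <<'EOF'
Jun 05 19:32:57.937 [warn] Error creating directory //.tor: Permission denied
Jun 05 20:07:05.269 [warn] /tor is not owned by this user (<unknown>, 1000) but by <unknown> (0). Perhaps you are running Tor as the wrong user?
Jun 27 08:23:44.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
Jun 27 08:31:53.000 [warn] Problem bootstrapping. Stuck at 5% (conn): Connecting to a relay. (Operation timed out; TIMEOUT; count 10)
EOF
}

sample_tor_log | tor_log_findings
```

A `datadir-owner` finding means Tor refused a data directory owned by a different uid than the one it runs as, so the directory's owner and the container's user have to be made to match before Tor will start.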

Open up to Local Network

Hi. How do I open it up so that all local IPs can access the proxy? Which parameter to use?
Thanks.

running container throws exit code 1

Hi guys,
I was using the same container last week, and everything was working fine.
This week I migrated to a new device and am no longer able to run tor-socks-proxy; error code: Exited (1) 1 second ago

What am I forgetting?

When I run container, output as follows.

2021-09-09 15:37:55.292337884 +0000 UTC image pull  peterdavehello/tor-socks-proxy:latest
2021-09-09 15:37:55.6662729 +0000 UTC container create 2eda0ddd789146d8deca1c5e0b9a2adbfa267c67062f89d4d0e15009d276602a (image=docker.io/peterdavehello/tor-
socks-proxy:latest, name=tor-socks-proxy, version=latest, maintainer=Peter Dave Hello <[email protected]>, name=tor-socks-proxy)
2eda0ddd789146d8deca1c5e0b9a2adbfa267c67062f89d4d0e15009d276602a
2021-09-09 15:37:56.99105287 +0000 UTC container init 2eda0ddd789146d8deca1c5e0b9a2adbfa267c67062f89d4d0e15009d276602a (image=docker.io/pe
terdavehello/tor-socks-proxy:latest, name=tor-socks-proxy, maintainer=Peter Dave Hello <[email protected]>, name=tor-socks-proxy, version=latest)
2021-09-09 15:37:57.099668881 +0000 UTC container start 2eda0ddd789146d8deca1c5e0b9a2adbfa267c67062f89d4d0e15009d276602a (image=docker.io/peterdavehello/tor
-socks-proxy:latest, name=tor-socks-proxy, maintainer=Peter Dave Hello <[email protected]>, name=tor-socks-proxy, version=latest)
2021-09-09 15:37:57.479898749 +0000 UTC container died 2eda0ddd789146d8deca1c5e0b9a2adbfa267c67062f89d4d0e15009d276602a (image=docker.io/peterdavehello/tor-
socks-proxy:latest, name=tor-socks-proxy)

Output of cat /etc/*release:

NAME="openSUSE MicroOS"
# VERSION="20210901"
ID="opensuse-microos"
ID_LIKE="suse opensuse opensuse-tumbleweed"
VERSION_ID="20210901"
PRETTY_NAME="openSUSE MicroOS"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:microos:20210901"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:MicroOS"
LOGO="distributor-logo"

Output of uname -a:
Linux localhost 5.13.13-1-default #1 SMP Fri Aug 27 08:52:15 UTC 2021 (6339fac) aarch64 aarch64 aarch64 GNU/Linux

Output of cat /etc/containers/storage.conf:

[storage]
driver = "btrfs"
runroot = "/var/run/containers/storage"
graphroot = "/var/lib/containers/storage"
[storage.options]
additionalimagestores = [
]
size = ""
ostree_repo = ""
[storage.options.thinpool]

Thanks in advance

Resolve .onion pages - DNS_PROBE_FINISHED_NXDOMAIN

Dear all

Many thanks for the project! The deployment worked without any problems, and if I specify my Docker host as a tor proxy - it shows that I am connected via the Tor network:


I have adapted the config so that other hosts from my network can also connect to it:

---
version: "2"
services:
  tor-socks-proxy:
    container_name: tor-socks-proxy
    image: peterdavehello/tor-socks-proxy:latest
    ports:
      - "8853:53/udp"
      - "9050:9150/tcp"
    restart: unless-stopped

However, if I want to connect to an .onion page (e.g. http://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion), I get the message "DNS_PROBE_FINISHED_NXDOMAIN"

What am I doing wrong? Thank you and best regards

Healthcheck not working in portainer

I've deployed your container via portainer. It is constantly shown as 'unhealthy' with error message:

[...]
Jun 21 09:24:00.000 [notice] Bootstrapped 100% (done): Done
Jun 21 09:24:24.000 [warn] Invalid hostname [scrubbed]; rejecting
Jun 21 09:24:54.000 [warn] Invalid hostname [scrubbed]; rejecting
Jun 21 09:25:24.000 [warn] Invalid hostname [scrubbed]; rejecting
Jun 21 09:25:54.000 [warn] Invalid hostname [scrubbed]; rejecting
Jun 21 09:26:25.000 [warn] Invalid hostname [scrubbed]; rejecting

Network mode is 'host' and the configured curl request works on the host and inside the container:
curl --fail --socks5-hostname localhost:9150 -I -L 'https://www.facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion/'

I'm testing with the 'latest' image and have not made any changes to the container.

Log pass

Is it possible to set a password for a proxy?

ability to configure user and group id

Technically possible, and here is the link to the official documentation.
I can push a PR for this change, but first, what is the best ID for the user and group to use by default?

Publish image on GitHub Packages

Reasons:

  1. Decentralize the image registry, provide more options to the users.
  2. Docker Hub now has an image pull limit policy. Not everyone will face the issue, as long as you don't need to share an IP address with others and won't pull too many images in a limited time. The easy approach to mitigate the issue seems to be authenticating when pulling an image, but that may not be a very good choice for privacy-concerned users.

Reference:

obfs4 bridge support

It would be nice to be able to use the bridge, probably by specifying the path to a file with a list of bridges.
Example:

obfs4 ip:port key iat-mode=0

-- comment from issue #31

Perhaps there is another way to bypass the blocking of the Tor, but this method seems to me the most obvious.

problem when exposing the container beyond localhost

The service works perfectly using 127.0.0.1, but as soon as I remove it from the ports parameter or replace it with 0.0.0.0, the service does not work at all, with:
  • hundreds of lines of "Application request when we haven't used client functionality lately. Optimistically trying directory fetches again." in the logs when the container starts.
  • a failed connection to the Tor network with "Have tried resolving or connecting to address '[scrubbed]' at 3 different places. Giving up." any time I try to use it.

Is there a specific configuration to be able to run the container other than from localhost?
