feat(v1.1.4): modernize templates, security, and build variants

This update refines the Tor relay configuration and build process:
- Security: Disables DirPort and adopts ciissversion:2 for ContactInfo.
- Performance: Adds IPv6 support and hardware acceleration options.
- Builds: Establishes Stable vs. Edge variants for better testing cycles.
- Tooling: Integrates nyx.config and cleans up legacy tags.
- Sync: Aligns cosmos-compose and docker-compose templates.
- Update retention policy: Keep last 7 versions

No breaking changes introduced.
rE-Bo0t.bx1
2025-12-21 03:14:39 +08:00
parent ce8cd42875
commit 5120d0d0e9
26 changed files with 329 additions and 282 deletions


@@ -4,12 +4,17 @@ on:
schedule:
- cron: '0 0 * * 0'
workflow_dispatch:
push:
tags:
- 'v*.*.*'
permissions:
actions: write
packages: write
jobs:
clear-cache:
name: 💥 Nuke Caches
runs-on: ubuntu-latest
steps:
- name: 💥 Nuke GitHub Actions Cache
@@ -18,4 +23,63 @@ jobs:
run: |
echo "🔍 meaningful-text: check for caches..."
gh cache delete --all --repo ${{ github.repository }} || true
echo "✅ Cache storage is now empty."
echo "✅ Cache storage is now empty."
prune-ghcr:
name: 🧊 Prune GHCR
runs-on: ubuntu-latest
steps:
- name: 🗑️ Delete old GHCR versions
uses: actions/delete-package-versions@v5
with:
package-name: 'onion-relay'
package-type: 'container'
min-versions-to-keep: 14
ignore-versions: '^(latest|edge)$'
delete-only-untagged-versions: 'false'
prune-dockerhub:
name: 🐋 Prune Docker Hub
runs-on: ubuntu-latest
steps:
- name: 📥 Checkout Repository
uses: actions/checkout@v5
- name: 🪄 Clean Docker Hub Tags
env:
DOCKER_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKER_PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}
REPOSITORY: "r3bo0tbx1/onion-relay"
run: |
set -e
echo "🔑 Authenticating with Docker Hub..."
TOKEN=$(curl -s -H "Content-Type: application/json" -X POST \
-d "{\"username\": \"$DOCKER_USERNAME\", \"password\": \"$DOCKER_PASSWORD\"}" \
https://hub.docker.com/v2/users/login/ | jq -r .token)
if [ "$TOKEN" == "null" ] || [ -z "$TOKEN" ]; then
echo "❌ Authentication failed. Check DOCKERHUB_TOKEN."
exit 1
fi
echo "🔍 Fetching tags for $REPOSITORY..."
ALL_TAGS=$(curl -s -H "Authorization: JWT $TOKEN" \
"https://hub.docker.com/v2/repositories/$REPOSITORY/tags/?page_size=100")
# Filter out moving tags and count only the real version tags
VERSION_TAGS=$(echo "$ALL_TAGS" | jq -r '.results | sort_by(.last_updated) | reverse | .[].name' | grep -E -v "^(latest|edge)$" || true)
COUNT=$(echo "$VERSION_TAGS" | wc -w)
echo "📊 Found $COUNT versioned tags."
if [ "$COUNT" -gt 14 ]; then
OLD_TAGS=$(echo "$VERSION_TAGS" | awk 'NR>14')
for TAG in $OLD_TAGS; do
echo "🗑️ Deleting old versioned tag: $TAG"
curl -s -H "Authorization: JWT $TOKEN" -X DELETE \
"https://hub.docker.com/v2/repositories/$REPOSITORY/tags/$TAG/"
done
echo "✅ Docker Hub cleanup complete."
else
echo "✨ Current version count ($COUNT) is within the limit. No deletion needed."
fi
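Review bot: In the `Clean Docker Hub Tags` step the login body is built by pasting `$DOCKER_USERNAME` and `$DOCKER_PASSWORD` into a JSON string on curl's command line, so a token containing a quote or backslash yields invalid JSON and the secret sits in the process arguments while the call runs. Building the body with jq and feeding it on stdin avoids both: `jq -n --arg u "$DOCKER_USERNAME" --arg p "$DOCKER_PASSWORD" '{username:$u,password:$p}' | curl -sf -H "Content-Type: application/json" --data @- https://hub.docker.com/v2/users/login/`. The tag fetch and the `-X DELETE` calls also use `curl -s` without `--fail`, so an HTTP error goes unnoticed and the step still prints "Docker Hub cleanup complete"; adding `-f` lets `set -e` stop the job. Separately, the workflow-level `permissions:` block in the first hunk grants `actions: write` and `packages: write` to `prune-dockerhub` as well, which from the visible steps uses neither; declaring permissions per job would keep each token to what that job needs.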


@@ -69,7 +69,7 @@ jobs:
run: |
set -e
echo "🔍 Determining version context..."
BUILD_VARIANTS="both" # Default: build both variants
BUILD_VARIANTS="both"
if [[ "${GITHUB_REF}" == refs/tags/v* ]]; then
VERSION="${GITHUB_REF#refs/tags/v}"
@@ -83,14 +83,12 @@ jobs:
LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v1.0.0")
if [[ "${BUILD_MODE}" == "rebuild" ]]; then
# Rebuild mode: Use last release version (same as weekly)
VERSION="${LATEST_TAG#v}"
BUILD_TYPE="manual-rebuild"
IS_RELEASE="false"
echo "🔄 Manual rebuild of last release: ${VERSION} (with updated packages)"
echo " Variants: ${BUILD_VARIANTS}"
else
# Version bump mode: Create new version with suffix
VERSION="${LATEST_TAG#v}-manual-${GITHUB_RUN_NUMBER}"
BUILD_TYPE="manual"
IS_RELEASE="false"
@@ -98,25 +96,21 @@ jobs:
echo " Variants: ${BUILD_VARIANTS}"
fi
elif [[ "${GITHUB_EVENT_NAME}" == "schedule" ]]; then
# Scheduled rebuild: Determine which schedule based on time
LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v1.0.0")
VERSION="${LATEST_TAG#v}"
IS_RELEASE="false"
CURRENT_HOUR=$(date -u +%H)
if [[ "${CURRENT_HOUR}" == "18" ]]; then
# Weekly rebuild (Sundays 18:30 UTC): Build stable only
BUILD_TYPE="weekly"
BUILD_VARIANTS="latest"
echo "📅 Weekly rebuild of last release: ${VERSION} (stable variant with updated packages)"
else
# Edge-only rebuild (Every 3 days at 12:00 UTC): Build edge only
BUILD_TYPE="edge-rebuild"
BUILD_VARIANTS="edge"
echo "⚡ Edge-only rebuild of last release: ${VERSION} (edge variant with updated packages)"
fi
else
# Fallback (shouldn't happen)
LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v1.0.0")
VERSION="${LATEST_TAG#v}"
BUILD_TYPE="unknown"
@@ -179,7 +173,6 @@ jobs:
BUILD_VARIANTS="${{ needs.determine-version.outputs.build_variants }}"
VARIANT_NAME="${{ matrix.variant.name }}"
# Determine if this variant should be built
SHOULD_BUILD="false"
if [ "$BUILD_VARIANTS" = "both" ]; then
@@ -306,32 +299,24 @@ jobs:
TAGS=()
# Always add GHCR versioned tag
TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:${VERSION}${SUFFIX}")
if [ "$BUILD_TYPE" = "release" ]; then
# New release: Add special tags
if [ "$IS_LATEST" = "true" ]; then
# Stable variant gets :latest
TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:latest")
else
# Edge variant gets :edge
TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:edge")
fi
# Add Docker Hub tags
if [ "$PUSH_DOCKERHUB" = "true" ]; then
if [ "$IS_LATEST" = "true" ]; then
# Stable: versioned tag + :latest
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:${VERSION}")
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:latest")
else
# Edge: only :edge (no versioned tag for Docker Hub)
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:edge")
fi
fi
elif [ "$BUILD_TYPE" = "weekly" ] || [ "$BUILD_TYPE" = "manual-rebuild" ] || [ "$BUILD_TYPE" = "edge-rebuild" ]; then
# Weekly rebuild, manual rebuild, or edge-only rebuild: Update version tag with fresh packages
if [ "$IS_LATEST" = "true" ]; then
TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:latest")
else
@@ -340,21 +325,17 @@ jobs:
if [ "$PUSH_DOCKERHUB" = "true" ]; then
if [ "$IS_LATEST" = "true" ]; then
# Stable: versioned tag + :latest
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:${VERSION}")
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:latest")
else
# Edge: only :edge (no versioned tag for Docker Hub)
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:edge")
fi
fi
else
# Manual/validated builds: version tag only
if [ "$PUSH_DOCKERHUB" = "true" ]; then
if [ "$IS_LATEST" = "true" ]; then
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:${VERSION}")
else
# Edge manual builds: only :edge for Docker Hub
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:edge")
fi
fi
@@ -400,7 +381,6 @@ jobs:
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""
# Install syft for SBOM generation
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
VERSION="${{ needs.determine-version.outputs.version }}"
@@ -412,27 +392,22 @@ jobs:
echo " Image: ${IMAGE}"
echo ""
# Generate CycloneDX JSON
echo "📄 Generating CycloneDX JSON format..."
syft "${IMAGE}" -o cyclonedx-json > "sbom-${VARIANT}-cyclonedx-v${VERSION}.json"
echo " ✅ sbom-${VARIANT}-cyclonedx-v${VERSION}.json"
# Generate CycloneDX XML
echo "📄 Generating CycloneDX XML format..."
syft "${IMAGE}" -o cyclonedx-xml > "sbom-${VARIANT}-cyclonedx-v${VERSION}.xml"
echo " ✅ sbom-${VARIANT}-cyclonedx-v${VERSION}.xml"
# Generate SPDX JSON
echo "📄 Generating SPDX JSON format..."
syft "${IMAGE}" -o spdx-json > "sbom-${VARIANT}-spdx-v${VERSION}.json"
echo " ✅ sbom-${VARIANT}-spdx-v${VERSION}.json"
# Generate SPDX tag-value
echo "📄 Generating SPDX tag-value format..."
syft "${IMAGE}" -o spdx-tag-value > "sbom-${VARIANT}-spdx-v${VERSION}.spdx"
echo " ✅ sbom-${VARIANT}-spdx-v${VERSION}.spdx"
# Generate human-readable table
echo "📄 Generating human-readable table..."
syft "${IMAGE}" -o table > "sbom-${VARIANT}-table-v${VERSION}.txt"
echo " ✅ sbom-${VARIANT}-table-v${VERSION}.txt"
@@ -453,7 +428,7 @@ jobs:
sbom-${{ matrix.variant.name }}-*.xml
sbom-${{ matrix.variant.name }}-*.spdx
sbom-${{ matrix.variant.name }}-*.txt
retention-days: 90
retention-days: 7
release-notes:
name: 📝 Generate Release Notes
@@ -478,7 +453,6 @@ jobs:
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""
# Try to extract from CHANGELOG.md first
CHANGELOG_FOUND=0
if [ -f CHANGELOG.md ]; then
@@ -490,9 +464,10 @@ jobs:
p
' CHANGELOG.md > tmp_notes.txt
sed -i '/^$/N;/^\n$/D' tmp_notes.txt 2>/dev/null || true
if [ -s tmp_notes.txt ]; then
sed -i '${/^---[[:space:]]*$/d;}' tmp_notes.txt
sed -i ':a; /^[ \n\r\t]*$/ { $d; N; ba }' tmp_notes.txt 2>/dev/null || true
echo "✅ Found changelog section for v${VERSION} in CHANGELOG.md"
CHANGELOG_FOUND=1
@@ -506,17 +481,14 @@ jobs:
echo "⚠️ CHANGELOG.md not found"
fi
# Fall back to auto-generated notes from commits
if [ "$CHANGELOG_FOUND" = "0" ]; then
echo "📋 Auto-generating release notes from commits..."
if [ -x scripts/release/generate-release-notes.sh ]; then
# Use auto-generation script
chmod +x scripts/release/generate-release-notes.sh
./scripts/release/generate-release-notes.sh --format github "${VERSION}" > release_notes.md
echo "✅ Auto-generated release notes from conventional commits"
else
# Simple fallback
echo "## 🧅 Tor Guard Relay v${VERSION}" > release_notes.md
echo "" >> release_notes.md
echo "### Changes" >> release_notes.md
@@ -529,7 +501,6 @@ jobs:
fi
fi
# Append Docker images and SBOM info
echo "" >> release_notes.md
echo "---" >> release_notes.md
echo "" >> release_notes.md
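Review bot: The SBOM step still installs syft with `curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin`, which executes whatever is on the `main` branch at build time inside the release workflow and installs whichever syft release is current that day. Because this job produces the SBOMs published for the image, the tool that writes them should be fixed to a reviewed version: fetch the script from a release tag and pass the same tag as the installer's version argument, e.g. `.../anchore/syft/<PINNED_TAG>/install.sh | sh -s -- -b /usr/local/bin <PINNED_TAG>` (placeholder; use the tag you have verified). The line is unchanged context here, as the commit only drops the comment above it. The same section also shortens SBOM artifact retention to `retention-days: 7`; if the SBOMs are not also attached to the release, that leaves a short window for anyone auditing a published image.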


@@ -508,7 +508,7 @@ jobs:
with:
name: trivy-security-report
path: trivy-full-report.json
retention-days: 30
retention-days: 7
continue-on-error: true
- name: 📋 Generate Security Summary

9
.gitignore vendored

@@ -1,21 +1,12 @@
# Act secrets file
.secrets
# Docker volumes
tor-data/
tor-logs/
# IDE
.vscode/
.idea/
*.swp
*.swo
*~
# OS
.DS_Store
Thumbs.db
# Temporary files
*.tmp
*.log


@@ -16,6 +16,33 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
---
## [1.1.4] - 2025-12-21
### 🏗️ Build Variants
| Variant | Base Image | Tags | Registries | Notes |
| :--- | :--- | :--- | :--- | :--- |
| **🟢 Stable** | Alpine 3.23.2 | `:latest`, `:1.1.4` | Docker Hub, GHCR | **Recommended** for production. |
| **⚠️ Edge** | Alpine Edge | `:edge`, `:1.1.4-edge` | GHCR Only | Testing only; not for production. |
### ⚙️ Changed (Refactor)
* **Tor Configuration:** Modernized relay templates and hardened security defaults.
* **Networking:** Disabled `DirPort` (set to `0`) across all relay types and compose templates.
* **Metadata:** Updated `ContactInfo` to follow the `ciissversion:2` format.
* **Policy Refinement:** Enhanced exit policies and security for Exit, Guard, and Bridge roles.
* **Synchronization:** Unified configurations across `cosmos-compose` and `docker-compose`.
### Added
* **Monitoring:** Integrated `nyx.config` for enhanced relay visualization.
* **Performance:** Added support for **IPv6** and hardware acceleration.
### 🗑️ Removed
* **Maintenance:** Updated retention policy to keep the last **7 releases** (14 tags) and purge legacy build artifacts.
> **BREAKING CHANGES:** None.
---
## [1.1.3] - 2025-12-05
### ⚡ Optimization & Tooling Update
@@ -406,15 +433,16 @@ BREAKING CHANGES: None
| Version | Status | Support Level |
| --------- | --------------------- | ------------------------------------------- |
| **1.1.3** | 🟢 🛡️ **Active** | Full support (current stable) |
| **1.1.1** | 🟡 🔧 **Maintenance** | Security + critical fixes only |
| **1.0.8** | 🟠 ⚠️ **Legacy** | Security patches only upgrade recommended |
| **1.0.9** | 🔴 ❌ **EOL** | No support upgrade immediately |
| **1.1.4** | 🟢 🛡️ **Active** | Full support (current stable) |
| **1.1.3** | 🟡 🔧 **Maintenance** | Security + critical fixes only |
| **1.1.2** | 🟠 ⚠️ **Legacy** | Security patches only upgrade recommended |
| **< 1.1.2** | 🔴 ❌ **EOL** | No support upgrade immediately |
---
## 🔗 Release Links
[1.1.4]: https://github.com/r3bo0tbx1/tor-guard-relay/releases/tag/v1.1.4
[1.1.3]: https://github.com/r3bo0tbx1/tor-guard-relay/releases/tag/v1.1.3
[1.1.2]: https://github.com/r3bo0tbx1/tor-guard-relay/releases/tag/v1.1.2
[1.1.1]: https://github.com/r3bo0tbx1/tor-guard-relay/releases/tag/v1.1.1


@@ -76,7 +76,6 @@ ENV TOR_DATA_DIR=/var/lib/tor \
TOR_NICKNAME="" \
TOR_CONTACT_INFO="" \
TOR_ORPORT=9001 \
TOR_DIRPORT=9030 \
TOR_OBFS4_PORT=9002 \
TOR_BANDWIDTH_RATE="" \
TOR_BANDWIDTH_BURST="" \
@@ -87,7 +86,7 @@ RUN rm -rf /usr/share/man /tmp/* /var/tmp/* /root/.cache/*
USER tor
EXPOSE 9001 9030 9002
EXPOSE 9001 9002
HEALTHCHECK --interval=10m --timeout=15s --start-period=30s --retries=3 \
CMD /usr/local/bin/healthcheck.sh
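Review bot: Dropping `TOR_DIRPORT=9030` from the `ENV` block leaves the variable unset in the image instead of set to the documented default; the README in this commit states `TOR_DIRPORT` default 0 (Disabled). Whether unset really means disabled depends on the config generator in the entrypoint, which is not visible here, so keeping an explicit `TOR_DIRPORT=0 \` in the `ENV` list would make the image itself carry the disabled default. Removing 9030 from `EXPOSE` is metadata only: an operator who still sets `TOR_DIRPORT=9030` with `--network host` (the mode the README recommends) opens the port regardless, so the upgrade notes should tell existing users to drop that variable. The next file section carries the identical change and the same comment applies.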


@@ -76,7 +76,6 @@ ENV TOR_DATA_DIR=/var/lib/tor \
TOR_NICKNAME="" \
TOR_CONTACT_INFO="" \
TOR_ORPORT=9001 \
TOR_DIRPORT=9030 \
TOR_OBFS4_PORT=9002 \
TOR_BANDWIDTH_RATE="" \
TOR_BANDWIDTH_BURST="" \
@@ -87,7 +86,7 @@ RUN rm -rf /usr/share/man /tmp/* /var/tmp/* /root/.cache/*
USER tor
EXPOSE 9001 9030 9002
EXPOSE 9001 9002
HEALTHCHECK --interval=10m --timeout=15s --start-period=30s --retries=3 \
CMD /usr/local/bin/healthcheck.sh

179
README.md

@@ -1,4 +1,3 @@
<a id="readme-top"></a>
<div align="center">
@@ -14,13 +13,13 @@
**A hardened, production-ready Tor relay with built-in diagnostics and monitoring**
[Quick Start](#-quick-start) • [Features](#-key-features) • [Documentation](#-documentation) • [FAQ](docs/FAQ.md) • [Architecture](docs/ARCHITECTURE.md) • [Tools](#-diagnostic-tools) • [Contributing](#-contributing)
[Quick Start](#quick-start) • [Features](#key-features) • [Documentation](#documentation) • [FAQ](docs/FAQ.md) • [Architecture](docs/ARCHITECTURE.md) • [Tools](#diagnostic-tools) • [Contributing](#contributing)
</div>
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 🚀 What is This?</div>
## 🚀 What is This?
**Tor Guard Relay** is a production-ready, self-healing Tor relay container designed for privacy advocates who want to contribute to the Tor network securely and efficiently.
@@ -28,7 +27,7 @@
### Why Choose This Project?
- 🛡️ **Security-First** - Hardened Alpine Linux, non-root operation
- 🛡️ **Security-First** - Hardened Alpine Linux, non-root operation, and minimized port exposure
- 🪶 **Very light** - Ultra-minimal 16.8 MB image
- 🎯 **Simple** - One command to deploy, minimal configuration needed
- 📊 **Observable** - 5 busybox-only diagnostic tools with JSON health API
@@ -37,29 +36,29 @@
- 📚 **Documented** - Comprehensive guides for deployment, monitoring, backup, and more
- 🏗️ **Multi-Arch** - Native support for AMD64 and ARM64 (Raspberry Pi, AWS Graviton, etc.)
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 🔒 Security Model</div>
## 🔒 Security Model
**Port Exposure Policy**
### Port Exposure Policy
- **9001** ORPort, public
- **9030** DirPort, public for guard and exit
- **9030** DirPort, **Disabled (0)** by default in v1.1.4
- **9002** obfs4 for bridge mode
**Environment Variables**
### Environment Variables
- `TOR_ORPORT` default 9001
- `TOR_DIRPORT` default 9030
- `TOR_DIRPORT` default 0 (Disabled)
- `TOR_OBFS4_PORT` default 9002
Diagnostics are run only through `docker exec`, with no exposed monitoring ports.
Minimal surface area, roughly 16.8 MB.
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ ⚡ Quick Start</div>
## ⚡ Quick Start
### System Requirements
@@ -77,7 +76,7 @@ Minimal surface area, roughly 16.8 MB.
### Network Security Notes
⚠️ **Port Exposure:**
- **Guard/Middle/Exit:** Ports 9001 (ORPort) and 9030 (DirPort) should be publicly accessible
- **Guard/Middle/Exit:** Port 9001 (ORPort) should be publicly accessible
- **Bridge:** Ports 9001 (ORPort) and 9002 (obfs4) should be publicly accessible
- **No monitoring ports** - all diagnostics via `docker exec` commands only
- Use `--network host` for best IPv6 support (Tor recommended practice)
@@ -109,7 +108,7 @@ curl -o relay.conf https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/r
nano relay.conf
```
### **Step 2:** Run (Docker Hub)
**Step 2:** Run (Docker Hub)
```bash
docker run -d \
@@ -123,7 +122,8 @@ docker run -d \
r3bo0tbx1/onion-relay:latest
```
### **Step 3:** Verify it's running:
**Step 3:** Verify it's running:
```bash
# Check status
docker exec tor-relay status
@@ -139,15 +139,15 @@ docker logs -f tor-relay
> 📖 **Need more?** See our comprehensive [Deployment Guide](docs/DEPLOYMENT.md) for Docker Compose, Cosmos Cloud, Portainer, and advanced setups.
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 🎯 Choosing a Variant</div>
## 🎯 Choosing a Variant
We offer **two build variants** to match your risk tolerance and requirements:
### Stable Variant (Recommended)
**Base:** Alpine 3.23.0 | **Recommended for:** Production relays
**Base:** Alpine 3.23.2 | **Recommended for:** Production relays
- ✅ Battle-tested Alpine stable release
- ✅ Weekly automated rebuilds with latest security patches
@@ -157,11 +157,11 @@ We offer **two build variants** to match your risk tolerance and requirements:
```bash
# Pull from Docker Hub (easiest)
docker pull r3bo0tbx1/onion-relay:latest
docker pull r3bo0tbx1/onion-relay:1.1.3
docker pull r3bo0tbx1/onion-relay:1.1.4
# Pull from GHCR
docker pull ghcr.io/r3bo0tbx1/onion-relay:latest
docker pull ghcr.io/r3bo0tbx1/onion-relay:1.1.3
docker pull ghcr.io/r3bo0tbx1/onion-relay:1.1.4
```
### Edge Variant (Testing Only)
@@ -180,7 +180,7 @@ docker pull r3bo0tbx1/onion-relay:edge
# Pull from GHCR
docker pull ghcr.io/r3bo0tbx1/onion-relay:edge
docker pull ghcr.io/r3bo0tbx1/onion-relay:1.1.3-edge
docker pull ghcr.io/r3bo0tbx1/onion-relay:1.1.4-edge
```
**When to use edge:**
@@ -195,16 +195,16 @@ docker pull ghcr.io/r3bo0tbx1/onion-relay:1.1.3-edge
|---------|--------|------|
| Production ready | ✅ Yes | ❌ No |
| Breaking changes | ❌ Rare | ⚠️ Possible |
| Security updates | Weekly | Weekly (newer packages) |
| Package versions | Proven | Bleeding edge |
| Security updates | Weekly | Every 3 days |
| Package versions | 3.23.2 | Bleeding edge |
| Docker Hub | ✅ Yes | ✅ Yes |
| GHCR | ✅ Yes | ✅ Yes |
> 💡 **Our recommendation:** Use **stable** for production relays, **edge** only for testing or when you specifically need the latest package versions.
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 🏗️ Deployment Methods</div>
## 🏗️ Deployment Methods
Choose the method that fits your workflow.
@@ -226,11 +226,11 @@ Running multiple relays? We have templates for that:
See [Deployment Guide](docs/DEPLOYMENT.md) for complete instructions.
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 🔧 Diagnostic Tools</div>
## 🔧 Diagnostic Tools
Version >=v1.1.1 includes five busybox-only tools.
Version >v1.1.1 includes five busybox-only tools.
| Tool | Purpose | Usage |
|------|---------|--------|
@@ -263,9 +263,9 @@ Example JSON:
> 📖 **Complete reference:** See [Tools Documentation](docs/TOOLS.md) for all 5 tools with examples, JSON schema, and integration guides.
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 📊 Monitoring and Observability</div>
## 📊 Monitoring and Observability
<br>
<div align="center">
@@ -273,17 +273,17 @@ Example JSON:
</div>
<br>
**>=v1.1.2 supports both real-time CLI monitoring and external observability** for minimal image size and maximum security.
**>v1.1.2 supports both real-time CLI monitoring and external observability** for minimal image size and maximum security.
### Real-Time Monitoring (Nyx)
You can connect Nyx (formerly arm) to your relay securely using the Control Port.
1. Generate credentials: docker exec tor-relay gen-auth
2. Add the hash to your config.
3. Connect via local socket or TCP.
1. Generate credentials: `docker exec tor-relay gen-auth`
2. Add the hash to your config
3. Connect via local socket or TCP
> 📖 Full Setup: See the [Control Port Guide](docs/CONTROL-PORT.md) for step-by-step Nyx configuration.
> 📖 **Full Setup:** See the [Control Port Guide](docs/CONTROL-PORT.md) for step-by-step Nyx configuration.
### JSON Health API
@@ -324,9 +324,9 @@ STATUS=$(echo "$HEALTH" | jq -r '.status')
> 📖 **Complete guide:** See [Monitoring Documentation](docs/MONITORING.md) for Prometheus, Grafana, alert integration, and observability setup.
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 🎯 Key Features</div>
## 🎯 Key Features
### Security & Reliability
- ✅ Non-root execution (runs as `tor` user)
@@ -346,6 +346,7 @@ STATUS=$(echo "$HEALTH" | jq -r '.status')
-**Weekly security rebuilds** via GitHub Actions
-**Docker Compose templates** for single/multi-relay
-**Cosmos Cloud support** with one-click deploy
-**Automated Maintenance:** Keeps last 7 releases in registry
### Developer Experience
- ✅ Comprehensive documentation (8 guides)
@@ -355,9 +356,9 @@ STATUS=$(echo "$HEALTH" | jq -r '.status')
- ✅ CI/CD validation and testing
- ✅ Multi-arch support (same command, any platform)
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 🖼️ Gallery</div>
## 🖼️ Gallery
| Cosmos Cloud Dashboard | Docker Logs (Bootstrapping) |
|:-----------------------:|:---------------------------:|
@@ -365,19 +366,18 @@ STATUS=$(echo "$HEALTH" | jq -r '.status')
| Relay Status Tool | Obfs4 Bridge Line |
| ![Relay](src/screenshots/relay-status.png) | ![Obfs4](src/screenshots/bridge-line.png) |
---
<br>
## 📚 Documentation
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 📚 Documentation</div>
**>=v1.1.1 includes comprehensive documentation** organized by topic:
**>v1.1.1 includes comprehensive documentation** organized by topic:
### Getting Started
- **[FAQ](docs/FAQ.md)** - ⭐ **NEW!** Frequently asked questions with factual answers
- **[Quick Start Script](scripts/utilities/quick-start.sh)** - ⭐ **NEW!** Interactive relay deployment wizard
- **[Migration Assistant](scripts/migration/migrate-from-official.sh)** - ⭐ **NEW!** Automated migration from thetorproject/obfs4-bridge
- **[Deployment Guide](docs/DEPLOYMENT.md)** - ✨ **UPDATED!** Complete installation for Docker CLI, Compose, Cosmos Cloud, and Portainer
- **[Migration Guide](docs/MIGRATION-V1.1.X.md)** - Upgrade to >=v1.1.1 or migrate from other Tor setups
- **[Migration Guide](docs/MIGRATION-V1.1.X.md)** - Upgrade to > v1.1.1 or migrate from other Tor setups
### Technical Reference
- **[Architecture](docs/ARCHITECTURE.md)** - ⭐ **NEW!** Technical architecture with Mermaid diagrams
@@ -399,9 +399,9 @@ STATUS=$(echo "$HEALTH" | jq -r '.status')
> 💡 **Tip:** Start with the [FAQ](docs/FAQ.md) for quick answers or [Documentation Index](docs/README.md) for complete navigation.
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 🛠️ Configuration</div>
## 🛠️ Configuration
### Minimal Configuration
@@ -436,9 +436,9 @@ Examples are found in the [`examples/`](examples/) directory for complete, annot
> 📖 **Configuration help:** See [Deployment Guide](docs/DEPLOYMENT.md#configuration) for complete reference.
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 🔍 Monitoring Your Relay</div>
## 🔍 Monitoring Your Relay
### Check Bootstrap Status
@@ -451,7 +451,6 @@ docker exec tor-relay health
# Parse specific field with jq (requires jq on host)
docker exec tor-relay health | jq .bootstrap
```r exec tor-relay health | jq .bootstrap
```
### View on Tor Metrics
@@ -476,9 +475,9 @@ Search by:
> 📖 **Detailed monitoring:** See [Monitoring Guide](docs/MONITORING.md) for complete observability setup with Prometheus and Grafana.
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 🐛 Troubleshooting</div>
## 🐛 Troubleshooting
### Quick Diagnostics
@@ -510,9 +509,9 @@ docker exec tor-relay gen-auth
> 📖 **Full troubleshooting:** See [Tools Documentation](docs/TOOLS.md#troubleshooting) for detailed diagnostic procedures.
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 🏢 Architecture and Design</div>
## 🏢 Architecture and Design
> 📐 **NEW:** See the complete [Architecture Documentation](docs/ARCHITECTURE.md) for detailed technical design with Mermaid diagrams covering:
> - Container lifecycle and initialization flow (6 phases)
@@ -522,7 +521,7 @@ docker exec tor-relay gen-auth
> - Diagnostic tools architecture
> - Signal handling and graceful shutdown
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 📊 Flowchart</div>
### Flowchart
```mermaid
flowchart TB
@@ -678,9 +677,9 @@ Verify what you got:
docker exec tor-relay cat /build-info.txt | grep Architecture
```
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 🤝 Contributing</div>
## 🤝 Contributing
Contributions are welcome.
@@ -707,19 +706,22 @@ docker run --rm tor-relay:dev status
See [Contributing Guide](CONTRIBUTING.md) for detailed instructions.
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 📦 Templates and Examples</div>
## 📦 Templates and Examples
All templates are in the [`templates/`](templates/) directory:
### Docker Compose
- [docker-compose.yml](templates/docker-compose.yml) - Single relay
- [docker-compose-multi-relay.yml](templates/docker-compose-multi-relay.yml) - 3 relays + monitoring
- [docker-compose.yml](templates/docker-compose/docker-compose.yml) - Single relay
- [docker-compose-multi-relay.yml](templates/docker-compose/docker-compose-multi-relay.yml) - 3 relays + monitoring
### Cosmos Cloud
- [cosmos-compose.json](templates/cosmos-compose.json) - Single relay
- [cosmos-compose-multi-relay.json](templates/cosmos-compose-multi-relay.json) - Multi-relay stack
- [cosmos-compose.json](templates/cosmos-compose/cosmos-compose.json) - Single relay
- [cosmos-compose-multi-relay.json](templates/cosmos-compose/cosmos-compose-multi-relay.json) - Multi-relay stack
### Tor Exit Notice
You can find them in [`templates/tor-exit-notice`](templates/tor-exit-notice) directory
### Monitoring
See [Monitoring Guide](docs/MONITORING.md) for external monitoring integration examples with Prometheus, Nagios, and other tools
@@ -727,9 +729,9 @@ See [Monitoring Guide](docs/MONITORING.md) for external monitoring integration e
### Configuration Examples
See [`examples/`](examples/) directory for relay configurations.
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 🔐 Security</div>
## 🔐 Security
### Best Practices
@@ -750,22 +752,22 @@ Images are automatically rebuilt on separate schedules to include security patch
**Stable Variant** (`:latest`)
- **Schedule:** Every Sunday at 18:30 UTC
- **Includes:** Latest Tor + Alpine 3.23.0 updates
- **Strategy:** Overwrites last release version (e.g., `:1.1.3`) with updated packages
- **Tags Updated:** `:latest` and version tags (e.g., `:1.1.3`)
- **Includes:** Latest Tor + Alpine 3.23.2 updates
- **Strategy:** Overwrites last release version (e.g., `:1.1.4`) with updated packages
- **Tags Updated:** `:latest` and version tags (e.g., `:1.1.4`)
**Edge Variant** (`:edge`)
- **Schedule:** Every 3 days at 12:00 UTC (independent schedule)
- **Includes:** Latest Tor + Alpine edge (bleeding-edge) updates
- **Strategy:** Overwrites last release version (e.g., `:1.1.3-edge`) with updated packages
- **Tags Updated:** `:edge` and version tags (e.g., `:1.1.3-edge`)
- **Strategy:** Overwrites last release version (e.g., `:1.1.4-edge`) with updated packages
- **Tags Updated:** `:edge` and version tags (e.g., `:1.1.4-edge`)
- **Frequency:** ~2-3x more frequent updates than stable
All images auto-published to Docker Hub and GitHub Container Registry
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 🌐 Resources</div>
## 🌐 Resources
### Container Registries
- 🐳 [Docker Hub Repository](https://hub.docker.com/r/r3bo0tbx1/onion-relay)
@@ -781,11 +783,11 @@ All images auto-published to Docker Hub and GitHub Container Registry
- 📖 [Documentation](docs/README.md)
- 🐛 [Issue Tracker](https://github.com/r3bo0tbx1/tor-guard-relay/issues)
- 💬 [Discussions](https://github.com/r3bo0tbx1/tor-guard-relay/discussions)
- 📦 [Container Registry](https://github.com/r3bo0tbx1/tor-guard-relay/pkgs/container/onion-relay)
- 📦 [Container Registry](https://github.com/r3bo0tbx1/tor-guard-relay/pkgs/container/onion-relay)
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 📊 Project Status</div>
## 📊 Project Status
<div align="center">
@@ -793,31 +795,31 @@ All images auto-published to Docker Hub and GitHub Container Registry
![GitHub Repo stars](https://img.shields.io/github/stars/r3bo0tbx1/tor-guard-relay?style=for-the-badge)
![GitHub Issues](https://img.shields.io/github/issues/r3bo0tbx1/tor-guard-relay?style=for-the-badge)
**Current Version:** v1.1.3**Status:** Production Ready
**Image Size:** 16.8 MB • **Rebuild:** Weekly
**Current Version:** v1.1.4**Status:** Production Ready
**Image Size:** 16.8 MB • **Retention:** Last 7 Releases
**Registries:** Docker Hub • GHCR
</div>
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 📄 License</div>
## 📄 License
Project is licensed under the MIT License.
See [License](LICENSE.txt) for full details.
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 🙏 Acknowledgments</div>
## 🙏 Acknowledgments
- **The Tor Project** for maintaining the global privacy network
- **Alpine Linux** for a minimal and secure base image
- **azukaar** for Cosmos Cloud
- **All relay operators** supporting privacy and anti-censorship worldwide
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 💖 Support the Project</div>
## 💖 Support the Project
This project is open source. Your support helps sustainability and improvements.
@@ -843,9 +845,9 @@ Or via **[AnonPay](https://trocador.app/anonpay?ticker_to=xmr&network_to=Mainnet
- 🤝 Submit patches
- 🧅 Run a relay
<br>
---
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ ⭐ Star History</div>
## ⭐ Star History
<div align="center">
@@ -859,11 +861,11 @@ Or via **[AnonPay](https://trocador.app/anonpay?ticker_to=xmr&network_to=Mainnet
</div>
<br>
---
<div align="center">
<div style="color:#7ce5ff;font-family:monospace;font-size:18px;margin-bottom:10px;">Made with 💜 for a freer, uncensored internet</div>
### Made with 💜 for a freer, uncensored internet
*Protecting privacy, one relay at a time* 🔁🧅✨
@@ -873,5 +875,4 @@ Or via **[AnonPay](https://trocador.app/anonpay?ticker_to=xmr&network_to=Mainnet
📚 [Documentation](docs/README.md)
⬆ [Back to top](#readme-top)
</div>
</div>


@@ -14,10 +14,10 @@ We actively support the following versions with security updates:
| Version | Status | Support Level |
| --------- | --------------------- | ------------------------------------------- |
| **>=1.1.2** | 🟢 🛡️ **Active** | Full support (current stable) |
| **1.1.1** | 🟡 🔧 **Maintenance** | Security + critical fixes only |
| **1.0.9** | 🟠 ⚠️ **Legacy** | Security patches only upgrade recommended |
| **1.0.8** | 🔴 ❌ **EOL** | No support upgrade immediately |
| **1.1.4** | 🟢 🛡️ **Active** | Full support (current stable) |
| **1.1.3** | 🟡 🔧 **Maintenance** | Security + critical fixes only |
| **1.1.2** | 🟠 ⚠️ **Legacy** | Security patches only upgrade recommended |
| **< 1.1.1** | 🔴 ❌ **EOL** | No support upgrade immediately |
---
@@ -25,7 +25,7 @@ We actively support the following versions with security updates:
### Ultra-Minimal Port Exposure
**>=v1.1.1 follows an ultra-minimal security architecture:**
**> v1.1.1 follows an ultra-minimal security architecture:**
-**NO monitoring HTTP endpoints** - Removed for maximum security
-**NO exposed metrics ports** - All monitoring via `docker exec` only
@@ -40,14 +40,14 @@ We actively support the following versions with security updates:
```
PUBLIC PORTS:
TOR_ORPORT (default: 9001) → Tor ORPort (relay traffic)
TOR_DIRPORT (default: 9030) → Directory service (optional, set to 0 to disable)
TOR_DIRPORT → Directory service (optional, disabled by default)
```
#### Exit Relay Mode:
```
PUBLIC PORTS:
TOR_ORPORT (default: 9001) → Tor ORPort (relay traffic)
TOR_DIRPORT (default: 9030) → Directory service (optional, set to 0 to disable)
TOR_DIRPORT → Directory service (optional, disabled by default)
```
#### Bridge Relay Mode:
@@ -659,4 +659,4 @@ Security researchers who responsibly disclose vulnerabilities will be listed her
---
*Last Updated: 2025-12-05 | Version: 1.1.3*
*Last Updated: 2025-12-21 | Version: 1.1.4*


@@ -50,7 +50,7 @@ cleanup_and_exit() {
startup_banner() {
log "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
log "🧅 Tor Guard Relay v1.1.3 - Initialization"
log "🧅 Tor Guard Relay v1.1.4 - Initialization"
log "https://github.com/r3bo0tbx1/tor-guard-relay"
log "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
log ""

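--- a/examples/nyx.config
+++ b/examples/nyx.config
@@ -0,0 +1,23 @@
+show_bits true
+confirm_quit true
+color_interface true
+redraw_rate 2
+connection_rate 5
+resource_rate 5
+logged_events NOTICE
+deduplicate_log true
+prepopulate_log true
+max_log_size 1000
+graph_stat bandwidth
+graph_interval 5 seconds
+graph_bound local_max
+graph_height 10
+connection_order CATEGORY, UPTIME, IP_ADDRESS
+resolve_processes true
+show_addresses true
+show_graph true
+show_accounting true
+show_log true
+show_connections true
+show_config true
+show_torrc true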
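Review bot: `logged_events NOTICE` looks like it limits the log panel to NOTICE events, so WARN and ERR messages from tor would not be shown to the operator. As far as I know nyx reads this option as an explicit list of event types rather than a minimum severity; that should be confirmed against the nyx version shipped in the image. If it holds, the line should read `logged_events NOTICE,WARN,ERR`. The file also has no header comment, and one line such as `# Example nyx config; point nyx at the relay's ControlSocket path from the matching torrc template` would help, since the bridge template in this commit appears to use a different socket name from the exit template.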


@@ -1,24 +1,28 @@
Nickname MyTorBridge
ContactInfo your-email@example.com <0xYOUR_PGP_FINGERPRINT>
Nickname ShinobiKage
ContactInfo email:your-email[]example.com pgp:YOUR_PGP_FINGERPRINT ciissversion:2
Address YOUR.IPV4.IP.ADDRESS
ORPort 24819 IPv4Only
ORPort [YOUR:IPV6:IP:ADDRESS::]:24819
BridgeRelay 1
ORPort 24819
ORPort [::]:24819
PublishServerDescriptor bridge
BridgeDistribution any
AssumeReachable 1
ExtORPort auto
AddressDisableIPv6 0
ServerTransportPlugin obfs4 exec /usr/bin/lyrebird
ServerTransportListenAddr obfs4 0.0.0.0:443
ServerTransportListenAddr obfs4 [::]:443
ExtORPort auto
PublishServerDescriptor bridge
NumCPUs 1
MaxMemInQueues 256 MB
AvoidDiskWrites 1
RunAsDaemon 0
RelayBandwidthRate 75 KBytes
RelayBandwidthBurst 1 MBytes
HardwareAccel 1
DataDirectory /var/lib/tor
Log notice file /var/log/tor/notices.log
Log notice file /var/log/tor/bridge_log
Log notice stdout
ControlPort 0
ControlSocket /var/lib/tor/control_socket
ControlSocket /var/lib/tor/control_socket_bridge
ControlSocketsGroupWritable 1
#HashedControlPassword 16:YOUR_HASHED_PASSWORD_HERE
SocksPort 0
RelayBandwidthRate 20 MBytes
RelayBandwidthBurst 40 MBytes
NumCPUs 1
MaxMemInQueues 512 MB
AvoidDiskWrites 1
DisableDebuggerAttachment 1
SocksPort 0
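Review bot: The bridge template now appears to log to `/var/log/tor/bridge_log` and to open `/var/lib/tor/control_socket_bridge`, while the exit template in this commit keeps `/var/lib/tor/control_socket` and both the exit and guard templates keep `/var/log/tor/notices.log`. The page has lost its +/- markers, so this assumes the second line of each pair is the new one. Anything that opens the log or the socket by a fixed path (status scripts, nyx) would stop seeing the bridge without an obvious error, so either keep the shared names or add a comment such as `# bridge uses its own log and control socket names; adjust monitoring paths`. Separately, `ControlSocketsGroupWritable 1` with `#HashedControlPassword` left commented out means every member of tor's group can use the control socket with no further authentication. Adding `CookieAuthentication 1` after the `ControlSocket` line would tighten that, provided the monitoring user can read the cookie file.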


@@ -1,98 +1,59 @@
Nickname MyTorExitRelay
ContactInfo your-email@example.com <0xYOUR_PGP_FINGERPRINT>
ORPort 9001
ORPort [::]:9001
DirPort 9030
ContactInfo email:your-email[]example.com pgp:YOUR_PGP_FINGERPRINT ciissversion:2
Address YOUR.IPV4.IP.ADDRESS
ORPort 9001 IPv4Only
ORPort [YOUR:IPV6:IP:ADDRESS::]:9001
DirPort 0
ExitRelay 1
IPv6Exit 1
PublishServerDescriptor 1
RelayBandwidthRate 10 MBytes
RelayBandwidthBurst 20 MBytes
NumCPUs 1
MaxMemInQueues 1024 MB
DisableDebuggerAttachment 1
AvoidDiskWrites 1
DisableDebuggerAttachment 1
DataDirectory /var/lib/tor
HardwareAccel 1
Sandbox 1
SafeLogging 1
NoExec 1
ExitPolicy reject VPS.DNS.IP.ADDRESS:*
ExitPolicy reject VPS.DNS.IP.ADDRESS:*
ExitPolicy reject VPS.DNS.IP.ADDRESS:*
ExitPolicy reject VPS.DNS.IP.ADDRESS:*
ExitPolicy reject [VPS:DNS:IP:ADDRESS::1]:*
ExitPolicy reject [VPS:DNS:IP:ADDRESS::2]:*
ExitPolicy reject [VPS:DNS:IP:ADDRESS::3]:*
ExitPolicy reject [VPS:DNS:IP:ADDRESS::4]:*
ExitPolicy reject 0.0.0.0/8:*
ExitPolicy reject 169.254.0.0/16:*
ExitPolicy reject 127.0.0.0/8:*
ExitPolicy reject 192.168.0.0/16:*
ExitPolicy reject 10.0.0.0/8:*
ExitPolicy reject 172.16.0.0/12:*
ExitPolicy reject YOUR.IPV4.IP.ADDRESS:*
ExitPolicy reject [YOUR:IPV6:IP:ADDRESS::]:*
ExitPolicy accept *:20-21
ExitPolicy accept *:43
ExitPolicy accept *:53
ExitPolicy accept *:80-81
ExitPolicy accept *:443
ExitPolicy accept *:5222-5223
ExitPolicy accept *:6667-7000
ExitPolicy accept *:8008
ExitPolicy accept *:8082
ExitPolicy accept *:8332-8333
ExitPolicy accept *:8888
ExitPolicy accept *:9418
ExitPolicy accept *:18080-18081
ExitPolicy accept *:50002
ExitPolicy accept *:64738
ExitPolicy reject *:*
Log notice file /var/log/tor/notices.log
Log notice stdout
ControlPort 0
ControlSocket /var/lib/tor/control_socket
ControlSocketsGroupWritable 1
#HashedControlPassword 16:YOUR_HASHED_PASSWORD_HERE
SocksPort 0
ExitPolicy accept *:20-21
ExitPolicy accept *:22
ExitPolicy accept *:43
ExitPolicy accept *:53
ExitPolicy accept *:79-81
ExitPolicy accept *:88
ExitPolicy accept *:110
ExitPolicy accept *:143
ExitPolicy accept *:194
ExitPolicy accept *:220
ExitPolicy accept *:389
ExitPolicy accept *:443
ExitPolicy accept *:464
ExitPolicy accept *:465
ExitPolicy accept *:531
ExitPolicy accept *:543-544
ExitPolicy accept *:554
ExitPolicy accept *:563
ExitPolicy accept *:587
ExitPolicy accept *:636
ExitPolicy accept *:706
ExitPolicy accept *:749
ExitPolicy accept *:873
ExitPolicy accept *:902-904
ExitPolicy accept *:981
ExitPolicy accept *:989-990
ExitPolicy accept *:991
ExitPolicy accept *:992
ExitPolicy accept *:993
ExitPolicy accept *:994
ExitPolicy accept *:995
ExitPolicy accept *:1194
ExitPolicy accept *:1220
ExitPolicy accept *:1293
ExitPolicy accept *:1500
ExitPolicy accept *:1533
ExitPolicy accept *:1677
ExitPolicy accept *:1723
ExitPolicy accept *:1755
ExitPolicy accept *:1863
ExitPolicy accept *:2082
ExitPolicy accept *:2083
ExitPolicy accept *:2086-2087
ExitPolicy accept *:2095-2096
ExitPolicy accept *:2102-2104
ExitPolicy accept *:3128
ExitPolicy accept *:3389
ExitPolicy accept *:3690
ExitPolicy accept *:4321
ExitPolicy accept *:4643
ExitPolicy accept *:5050
ExitPolicy accept *:5190
ExitPolicy accept *:5222-5223
ExitPolicy accept *:5228
ExitPolicy accept *:5900
ExitPolicy accept *:6660-6669
ExitPolicy accept *:6679
ExitPolicy accept *:6697
ExitPolicy accept *:8000
ExitPolicy accept *:8008
ExitPolicy accept *:8074
ExitPolicy accept *:8080
ExitPolicy accept *:8082
ExitPolicy accept *:8087-8088
ExitPolicy accept *:8232-8233
ExitPolicy accept *:8332-8333
ExitPolicy accept *:8443
ExitPolicy accept *:8888
ExitPolicy accept *:9418
ExitPolicy accept *:9999
ExitPolicy accept *:10000
ExitPolicy accept *:11371
ExitPolicy accept *:19294
ExitPolicy accept *:19638
ExitPolicy accept *:50002
ExitPolicy accept *:64738
ExitPolicy reject *:*
SocksPort 0
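Review bot: `Sandbox 1` is added here, and again in the guard template in the next file section, without any caveat. The tor manual describes the option as experimental and as working only on Linux with a tor built against libseccomp, so on an image where that does not hold tor is likely to fail at startup or abort on a blocked syscall. A comment above the line would save operators the debugging: `# Sandbox needs a libseccomp-enabled tor build (Linux only, experimental); set to 0 if tor fails at startup`. `NoExec 1` is fine for an exit but deserves a similar comment saying it must not be copied into the bridge template, where tor has to launch the transport named in `ServerTransportPlugin obfs4 exec /usr/bin/lyrebird`. Which lines are new is inferred from the hunk's line counts (`-1,98 +1,59`), because the page shows old and new lines without markers.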


@@ -1,16 +1,22 @@
Nickname MyTorGuardRelay
ContactInfo your-email@example.com <0xYOUR_PGP_FINGERPRINT>
ORPort 9001
ORPort [::]:9001
DirPort 9030
ContactInfo email:your-email[]example.com pgp:YOUR_PGP_FINGERPRINT ciissversion:2
Address YOUR.IPV4.IP.ADDRESS
ORPort 9001 IPv4Only
ORPort [YOUR:IPV6:IP:ADDRESS::]:9001
DirPort 0
ExitRelay 0
IPv6Exit 0
ExitPolicy reject *:*
RelayBandwidthRate 10 MBytes
RelayBandwidthBurst 20 MBytes
PublishServerDescriptor 1
NumCPUs 1
MaxMemInQueues 1024 MB
DisableDebuggerAttachment 1
AvoidDiskWrites 1
DisableDebuggerAttachment 1
RelayBandwidthRate 10 MBytes
RelayBandwidthBurst 20 MBytes
HardwareAccel 1
Sandbox 1
SafeLogging 1
DataDirectory /var/lib/tor
Log notice file /var/log/tor/notices.log
Log notice stdout


@@ -65,7 +65,7 @@ TOR_CONTACT_INFO=admin@example.com # Contact email
# Ports (configurable)
TOR_ORPORT=9001 # ORPort for relay traffic (default: 9001)
TOR_DIRPORT=9030 # DirPort for guard/exit only (default: 9030, set to 0 to disable)
TOR_DIRPORT= # DirPort for guard/exit only (default: 0)
TOR_OBFS4_PORT=9002 # obfs4 port for bridge mode (default: 9002)
# Bandwidth (optional)
@@ -179,14 +179,14 @@ For advanced torrc options (like `AddressDisableIPv6`, `MaxMemInQueues`, etc.):
Both work identically, choose based on your preference or migration needs.
### Q: Why is TOR_DIRPORT set in Dockerfile when bridges don't use it?
~~Q: Why is TOR_DIRPORT set in Dockerfile when bridges don't use it?~~
**A:** TOR_DIRPORT=9030 is a **Dockerfile default** for guard/exit modes. The entrypoint **DOES NOT** add DirPort to bridge configurations (see `docker-entrypoint.sh` lines 276-290). Bridges only use ORPort and obfs4 port.
~~**A:** TOR_DIRPORT=9030 is a **Dockerfile default** for guard/exit modes. The entrypoint **DOES NOT** add DirPort to bridge configurations (see `docker-entrypoint.sh` lines 276-290). Bridges only use ORPort and obfs4 port.~~
**Port usage by mode:**
- **Guard/Middle:** TOR_ORPORT (required), TOR_DIRPORT (optional, set to 0 to disable)
- **Exit:** TOR_ORPORT (required), TOR_DIRPORT (optional)
- **Bridge:** TOR_ORPORT (required), TOR_OBFS4_PORT (required), TOR_DIRPORT (ignored/not used)
- **Guard/Middle:** TOR_ORPORT (required), TOR_DIRPORT (optional, default = 0)
- **Exit:** TOR_ORPORT (required), TOR_DIRPORT (optional, default = 0)
- **Bridge:** TOR_ORPORT (required), TOR_OBFS4_PORT (required), TOR_DIRPORT (ignored/default = 0)
### Q: Why does TOR_RELAY_MODE say "guard" in logs when I set PT_PORT?
@@ -297,6 +297,6 @@ If you still see this error after updating to v1.1.1:
---
**Version:** 1.1.3
**Last Updated:** 2025-12-06
**Version:** 1.1.4
**Last Updated:** 2025-12-21
**Maintainer:** rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>


@@ -46,7 +46,7 @@
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/refs/heads/main/src/onion.png",
"cosmos-stack": "TorGuardRelay",
"cosmos-stack-main": "TorGuardRelay",
"cosmos-version": "1.1.3",
"cosmos-version": "1.1.4",
"maintainer": "rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>"
}
}


@@ -46,7 +46,7 @@
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/refs/heads/main/src/obfs4.png",
"cosmos-stack": "OBFS4-Bridge",
"cosmos-stack-main": "OBFS4-Bridge",
"cosmos-version": "1.1.3",
"cosmos-version": "1.1.4",
"maintainer": "rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>"
}
}


@@ -52,7 +52,7 @@
"cosmos-stack-main": "OBFS4-Bridge",
"cosmos-description": "🌉 Tor obfs4 Bridge - Drop-in replacement for thetorproject/obfs4-bridge",
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/refs/heads/main/src/obfs4.png",
"cosmos-version": "1.1.3",
"cosmos-version": "1.1.4",
"maintainer": "rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>"
}
}


@@ -54,7 +54,7 @@
"cosmos-description": "🧅 Tor obfs4 Bridge - ENV-based config",
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/refs/heads/main/src/obfs4.png",
"cosmos-force-network-secured": "false",
"cosmos-version": "1.1.3"
"cosmos-version": "1.1.4"
}
}
},


@@ -9,9 +9,9 @@
"environment": [
"TOR_RELAY_MODE=exit",
"TOR_NICKNAME=MyExitRelay",
"TOR_CONTACT_INFO=admin@example.com <0xYOUR_PGP_KEY>",
"TOR_CONTACT_INFO=admin@example.com",
"TOR_ORPORT=9001",
"TOR_DIRPORT=9030",
"TOR_DIRPORT=0",
"TOR_BANDWIDTH_RATE=50 MBytes",
"TOR_BANDWIDTH_BURST=100 MBytes",
"TOR_EXIT_POLICY=accept *:80,accept *:443,reject *:*"
@@ -58,7 +58,7 @@
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/refs/heads/main/src/exit.png",
"cosmos-auto-update": "true",
"cosmos-force-network-secured": "false",
"cosmos-version": "1.1.3"
"cosmos-version": "1.1.4"
}
}
},
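Review bot: The new `"TOR_CONTACT_INFO=admin@example.com"` in the first hunk leaves a plain address in the template, whereas the torrc templates in this commit move to `email:your-email[]example.com pgp:YOUR_PGP_FINGERPRINT ciissversion:2`. The docker-compose exit and guard files still carry `your-email@example.com <0xYOUR_PGP_KEY>`, so three formats are now in circulation. ContactInfo ends up in the public relay descriptor, which makes a raw address in a copy-paste template an easy target for address harvesting. If the entrypoint passes the value through unchanged (not visible here), the line could be `"TOR_CONTACT_INFO=email:your-email[]example.com pgp:YOUR_PGP_FINGERPRINT ciissversion:2",` so that all templates agree.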


@@ -11,7 +11,7 @@
"TOR_NICKNAME=MyGuardRelay",
"TOR_CONTACT_INFO=admin@example.com",
"TOR_ORPORT=9001",
"TOR_DIRPORT=9030",
"TOR_DIRPORT=0",
"TOR_BANDWIDTH_RATE=50 MBytes",
"TOR_BANDWIDTH_BURST=100 MBytes"
],
@@ -56,7 +56,7 @@
"cosmos-description": "🛡️ Tor Guard Relay | ENV-based config",
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/refs/heads/main/src/onion.png",
"cosmos-force-network-secured": "false",
"cosmos-version": "1.1.3"
"cosmos-version": "1.1.4"
}
}
},


@@ -56,7 +56,7 @@
"cosmos-description": "🛡️ Multi Tor Guard Relay - 1",
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/main/src/onion.png",
"cosmos-force-network-secured": "false",
"cosmos-version": "1.1.3",
"cosmos-version": "1.1.4",
"maintainer": "rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>"
}
},
@@ -114,7 +114,7 @@
"cosmos-description": "🛡️ Multi Tor Guard Relay - 2",
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/main/src/onion.png",
"cosmos-force-network-secured": "false",
"cosmos-version": "1.1.3",
"cosmos-version": "1.1.4",
"maintainer": "rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>"
}
},
@@ -172,7 +172,7 @@
"cosmos-description": "🛡️ Multi Tor Guard Relay - 3",
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/main/src/onion.png",
"cosmos-force-network-secured": "false",
"cosmos-version": "1.1.3",
"cosmos-version": "1.1.4",
"maintainer": "rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>"
}
}


@@ -41,7 +41,7 @@ services:
labels:
com.centurylinklabs.watchtower.enable: "true"
description: "Tor obfs4 Bridge - Drop-in replacement for thetorproject/obfs4-bridge"
version: "1.1.3"
version: "1.1.4"
maintainer: "rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>"
volumes:


@@ -36,7 +36,7 @@ services:
labels:
com.centurylinklabs.watchtower.enable: "true"
description: "Tor obfs4 Bridge"
version: "1.1.3"
version: "1.1.4"
maintainer: "rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>"
volumes:


@@ -11,7 +11,7 @@ services:
TOR_NICKNAME: MyExitRelay
TOR_CONTACT_INFO: "your-email@example.com <0xYOUR_PGP_KEY>"
TOR_ORPORT: 9001
TOR_DIRPORT: 9030
TOR_DIRPORT: 0
TOR_BANDWIDTH_RATE: "50 MBytes"
TOR_BANDWIDTH_BURST: "100 MBytes"
TOR_EXIT_POLICY: "accept *:20-23,accept *:43,accept *:53,accept *:79-81,accept *:88,accept *:110,accept *:143,accept *:194,accept *:220,accept *:389,accept *:443,accept *:464,accept *:465,accept *:531,accept *:543-544,accept *:554,accept *:563,accept *:636,accept *:706,accept *:749,accept *:873,accept *:902-904,accept *:981,accept *:989-995,accept *:1194,accept *:1220,accept *:1293,accept *:1500,accept *:1533,accept *:1677,accept *:1723,accept *:1755,accept *:1863,accept *:2082,accept *:2083,accept *:2086-2087,accept *:2095-2096,accept *:2102-2104,accept *:3128,accept *:3389,accept *:3690,accept *:4321,accept *:4643,accept *:5050,accept *:5190,accept *:5222-5223,accept *:5228,accept *:5900,accept *:6660-6669,accept *:6679,accept *:6697,accept *:8000,accept *:8008,accept *:8074,accept *:8080,accept *:8082,accept *:8087-8088,accept *:8232-8233,accept *:8332-8333,accept *:8443,accept *:8888,accept *:9418,accept *:9999,accept *:10000,accept *:11371,accept *:19294,accept *:19638,accept *:50002,accept *:64738,reject *:*"
@@ -37,7 +37,7 @@ services:
labels:
com.centurylinklabs.watchtower.enable: "true"
description: "Tor Exit Relay"
version: "1.1.3"
version: "1.1.4"
maintainer: "rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>"
volumes:
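Review bot: `TOR_EXIT_POLICY` on the unchanged line of the first hunk still carries the long port list (it accepts 22, 23, 3389 and 5900 among others), while the exit torrc template in this commit appears to have been cut down to a much shorter accept list. If the shorter list is the intended default, the compose file should match it, otherwise operators get a different exposure depending on which template they start from: `TOR_EXIT_POLICY: "accept *:20-21,accept *:43,accept *:53,accept *:80-81,accept *:443,accept *:5222-5223,accept *:6667-7000,accept *:8008,accept *:8082,accept *:8332-8333,accept *:8888,accept *:9418,accept *:18080-18081,accept *:50002,accept *:64738,reject *:*"`. As a smaller point of style, `TOR_DIRPORT: 0` and `TOR_ORPORT: 9001` would be better quoted (`"0"`, `"9001"`) like the bandwidth values next to them, so the environment always receives strings.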


@@ -11,7 +11,7 @@ services:
TOR_NICKNAME: MyGuardRelay
TOR_CONTACT_INFO: "your-email@example.com <0xYOUR_PGP_KEY>"
TOR_ORPORT: 9001
TOR_DIRPORT: 9030
TOR_DIRPORT: 0
TOR_BANDWIDTH_RATE: "50 MBytes"
TOR_BANDWIDTH_BURST: "100 MBytes"
volumes: