feat: add gen-auth tool and refactor compose templates

Major refactor of Docker Compose configurations and tooling enhancements.

- Add `gen-auth` script for generating Tor Control Port credentials
- 🐳 Refactor Docker Compose templates:
  - Add native healthcheck configurations to all relay/bridge files
  - Standardize security capabilities (drop ALL, add SETUID/SETGID)
  - Remove verbose comments to streamline template usage
  - Update volume definitions for better data persistence
- 🔧 Update base dependencies:
  - Alpine Linux -> 3.23.0
  - Golang -> 1.25.5-alpine
- 🧹 Standardize ENV variable names across all configurations
rE-Bo0t.bx1
2025-12-05 04:37:19 +08:00
parent 1907745fff
commit a28ce0a4e6
30 changed files with 698 additions and 900 deletions


@@ -30,8 +30,8 @@ on:
- minor
- patch
schedule:
- cron: '30 18 * * 0' # Weekly rebuild (stable only): Sundays at 18:30 UTC
- cron: '0 12 */3 * *' # Edge-only rebuild: Every 3 days at 12:00 UTC
- cron: '30 18 * * 0'
- cron: '0 12 */3 * *'
push:
tags:
- 'v*.*.*'
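Review bot: the two cron entries lose their explanatory comments (`# Weekly rebuild (stable only): Sundays at 18:30 UTC`, `# Edge-only rebuild: Every 3 days at 12:00 UTC`), so a reader now has to decode `'30 18 * * 0'` and `'0 12 */3 * *'` by hand and the README's rebuild-schedule section is the only remaining record of the intent. Keep the comments, or at least a one-line pointer to that README section.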


@@ -16,6 +16,29 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
---
## [1.1.3] - 2025-12-05
### ⚡ Optimization & Tooling Update
Focused on refining deployment templates, enhancing security defaults in Compose configurations, and updating core dependencies to the latest stable releases.
### ✨ Features
- **New Tool**: Introduced `gen-auth` utility to easily generate hashed passwords for Tor Control Port authentication.
- **Healthchecks**: Added native Docker healthcheck definitions to all Compose templates for improved orchestration reliability.
- **Dependencies**: Updated base images to **Alpine 3.23.0** and **Golang 1.25.5** for latest security patches and performance.
### 🐳 Docker Compose Refactoring
- **Standardization**: Unified security options and capabilities (dropping unnecessary privileges) across all templates.
- **Cleanup**: Removed excessive comments and legacy instructions from Compose files for a cleaner, production-ready format.
- **Volumes**: Enhanced volume management configurations to ensure robust data persistence across container recreations.
- **Consistency**: Standardized environment variable definitions across Guard, Exit, and Bridge templates.
---
---
## [1.1.2] - 2025-11-18
Add Alpine edge variant with dual-track build strategy 🏗️✅ - 🟢/⚠️
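Review bot: the new entry ends with two consecutive `---` separators, which renders as an extra horizontal rule; drop one. The entry also documents the tool as `gen-auth`, whereas the Dockerfiles in this commit `COPY tools/auth-gen /usr/local/bin/auth-gen`; one of the two names has to change or the documented `docker exec tor-relay gen-auth` will not resolve.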
@@ -385,7 +408,7 @@ BREAKING CHANGES: None
| Version | Status | Support Level |
| --------- | --------------------- | ------------------------------------------- |
| **1.1.2** | 🟢 🛡️ **Active** | Full support (current stable) |
| **1.1.3** | 🟢 🛡️ **Active** | Full support (current stable) |
| **1.1.1** | 🟡 🔧 **Maintenance** | Security + critical fixes only |
| **1.0.8** | 🟠 ⚠️ **Legacy** | Security patches only upgrade recommended |
| **1.0.9** | 🔴 ❌ **EOL** | No support upgrade immediately |
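Review bot: replacing the `1.1.2` row with `1.1.3` removes 1.1.2 from the support table entirely while `1.1.1` stays at Maintenance, so a 1.1.2 operator cannot tell what their status is; SECURITY.md in this same commit uses `>=1.1.2` for the Active row, and the same form belongs here. The unchanged context rows also list `1.0.8` as Legacy and `1.0.9` as EOL, the reverse of SECURITY.md's table; one of the two is wrong.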
@@ -394,6 +417,7 @@ BREAKING CHANGES: None
## 🔗 Release Links
[1.1.3]: https://github.com/r3bo0tbx1/tor-guard-relay/releases/tag/v1.1.3
[1.1.2]: https://github.com/r3bo0tbx1/tor-guard-relay/releases/tag/v1.1.2
[1.1.1]: https://github.com/r3bo0tbx1/tor-guard-relay/releases/tag/v1.1.1
[1.1.0]: https://github.com/r3bo0tbx1/tor-guard-relay/releases/tag/v1.1.0
@@ -406,7 +430,7 @@ BREAKING CHANGES: None
[1.0.3]: https://github.com/r3bo0tbx1/tor-guard-relay/releases/tag/v1.0.3
[1.0.2]: https://github.com/r3bo0tbx1/tor-guard-relay/releases/tag/v1.0.2
[1.0.1]: https://github.com/r3bo0tbx1/tor-guard-relay/releases/tag/v1.0.1
[Unreleased]: https://github.com/r3bo0tbx1/tor-guard-relay/compare/v1.1.1...HEAD
[Unreleased]: https://github.com/r3bo0tbx1/tor-guard-relay/compare/v1.0.1...HEAD
---
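Review bot: the `[Unreleased]` compare link moves from `v1.1.1...HEAD` to `v1.0.1...HEAD`, which widens the diff to every release since 1.0.1; with 1.1.3 tagged in this same changelog it should read `compare/v1.1.3...HEAD`.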


@@ -1,7 +1,4 @@
# syntax=docker/dockerfile:1.20
# ============================================================================
# Builder Stage: Compile Lyrebird with latest Go to fix CVEs
# ============================================================================
FROM golang:1.25.5-alpine AS builder
RUN apk add --no-cache git
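Review bot: the removed header block is the only place that records why Lyrebird is compiled in a separate Go stage rather than installed from apk ("to fix CVEs"); keep a one-line comment above `FROM golang:1.25.5-alpine AS builder` so the rationale survives the cleanup.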
@@ -29,12 +26,11 @@ LABEL maintainer="rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>" \
org.opencontainers.image.vendor="r3bo0tbx1" \
org.opencontainers.image.authors="rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>" \
org.opencontainers.image.url="https://github.com/r3bo0tbx1/tor-guard-relay" \
org.opencontainers.image.base.name="docker.io/library/alpine:3.22.2" \
org.opencontainers.image.base.name="docker.io/library/alpine:3.23.0" \
org.opencontainers.image.revision="${TARGETARCH}"
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
# Note: 'lyrebird' removed from apk add, copying it from builder instead
RUN set -eux \
&& deluser klogd || true \
&& addgroup -g 101 -S tor \
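Review bot: `org.opencontainers.image.base.name` is bumped to `alpine:3.23.0`, but the runtime stage's `FROM` line is not in this hunk; confirm it was bumped as well, otherwise the label misreports the base image that scanners and SBOM tooling match against.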
@@ -60,6 +56,7 @@ COPY tools/status /usr/local/bin/status
COPY tools/health /usr/local/bin/health
COPY tools/fingerprint /usr/local/bin/fingerprint
COPY tools/bridge-line /usr/local/bin/bridge-line
COPY tools/auth-gen /usr/local/bin/auth-gen
RUN set -eux \
&& chmod +x /usr/local/bin/docker-entrypoint.sh \
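Review bot: `COPY tools/auth-gen /usr/local/bin/auth-gen` installs the binary as `auth-gen`, but the commit message, CHANGELOG, README, SECURITY.md and TOOLS.md all document `gen-auth` (`docker exec tor-relay gen-auth`), and ARCHITECTURE.md refers to the source as `tools/gen-auth`. Pick one name; as it stands the documented invocation fails.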
@@ -68,6 +65,7 @@ RUN set -eux \
/usr/local/bin/health \
/usr/local/bin/fingerprint \
/usr/local/bin/bridge-line \
/usr/local/bin/auth-gen \
&& echo "🧩 Registered diagnostic tools:" \
&& ls -lh /usr/local/bin/status /usr/local/bin/health /usr/local/bin/fingerprint /usr/local/bin/bridge-line
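Review bot: `auth-gen` is added to the `chmod +x` list, but the `ls -lh` on the following line still names only the four original tools, so the "Registered diagnostic tools" build-log line omits it; append `/usr/local/bin/auth-gen`.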


@@ -1,7 +1,4 @@
# syntax=docker/dockerfile:1.20
# ============================================================================
# Builder Stage: Compile Lyrebird with latest Go to fix CVEs
# ============================================================================
FROM golang:1.25.5-alpine AS builder
RUN apk add --no-cache git
@@ -12,13 +9,6 @@ RUN git clone https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transp
&& go mod tidy \
&& CGO_ENABLED=0 go build -ldflags="-s -w" -o /usr/bin/lyrebird ./cmd/lyrebird
# ============================================================================
# Tor Guard Relay - EDGE variant (Alpine edge - bleeding edge)
# Base: Alpine edge | Multi-arch: amd64, arm64
# ⚠️ WARNING: Uses Alpine edge - faster updates, less stable
# ⚠️ NOT RECOMMENDED for production relays - use for testing only
# ============================================================================
FROM alpine:edge
ARG BUILD_DATE
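Review bot: this hunk deletes the ⚠️ "NOT RECOMMENDED for production relays" warning from the edge Dockerfile; the README still labels the variant "Testing Only", but anyone reading or building from the Dockerfile alone now sees nothing that distinguishes `FROM alpine:edge` from the stable variant. Keep a one-line warning above the `FROM`.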
@@ -41,7 +31,6 @@ LABEL maintainer="rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>" \
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
# NOTE: 'lyrebird' removed from apk add list (we copy it from builder instead)
RUN set -eux \
&& deluser klogd || true \
&& addgroup -g 101 -S tor \
@@ -67,6 +56,7 @@ COPY tools/status /usr/local/bin/status
COPY tools/health /usr/local/bin/health
COPY tools/fingerprint /usr/local/bin/fingerprint
COPY tools/bridge-line /usr/local/bin/bridge-line
COPY tools/auth-gen /usr/local/bin/auth-gen
RUN set -eux \
&& chmod +x /usr/local/bin/docker-entrypoint.sh \
@@ -75,6 +65,7 @@ RUN set -eux \
/usr/local/bin/health \
/usr/local/bin/fingerprint \
/usr/local/bin/bridge-line \
/usr/local/bin/auth-gen \
&& echo "🧩 Registered diagnostic tools:" \
&& ls -lh /usr/local/bin/status /usr/local/bin/health /usr/local/bin/fingerprint /usr/local/bin/bridge-line
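Review bot: same two issues as in the stable Dockerfile: the installed name `auth-gen` does not match the documented `gen-auth`, and the `ls -lh` after the `chmod` was not extended with `/usr/local/bin/auth-gen`.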


@@ -116,6 +116,7 @@ docker run -d \
--name tor-relay \
--restart unless-stopped \
--network host \
--security-opt no-new-privileges:true \
-v $(pwd)/relay.conf:/etc/tor/torrc:ro \
-v tor-guard-data:/var/lib/tor \
-v tor-guard-logs:/var/log/tor \
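Review bot: adding `--security-opt no-new-privileges:true` is the right direction, but the commit message says the Compose templates now drop ALL capabilities and add back only SETUID/SETGID; this `docker run` example gets no equivalent `--cap-drop ALL --cap-add SETUID --cap-add SETGID`, so the two documented deployment paths now differ in hardening. Also quote `"$(pwd)"` so the bind mount survives paths containing spaces.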
@@ -156,11 +157,11 @@ We offer **two build variants** to match your risk tolerance and requirements:
```bash
# Pull from Docker Hub (easiest)
docker pull r3bo0tbx1/onion-relay:latest
docker pull r3bo0tbx1/onion-relay:1.1.2
docker pull r3bo0tbx1/onion-relay:1.1.3
# Pull from GHCR
docker pull ghcr.io/r3bo0tbx1/onion-relay:latest
docker pull ghcr.io/r3bo0tbx1/onion-relay:1.1.2
docker pull ghcr.io/r3bo0tbx1/onion-relay:1.1.3
```
### Edge Variant (Testing Only)
@@ -179,7 +180,7 @@ docker pull r3bo0tbx1/onion-relay:edge
# Pull from GHCR
docker pull ghcr.io/r3bo0tbx1/onion-relay:edge
docker pull ghcr.io/r3bo0tbx1/onion-relay:1.1.2-edge
docker pull ghcr.io/r3bo0tbx1/onion-relay:1.1.3-edge
```
**When to use edge:**
@@ -229,7 +230,7 @@ See [Deployment Guide](docs/DEPLOYMENT.md) for complete instructions.
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 🔧 Diagnostic Tools</div>
Version >=v1.1.1 includes four busybox-only tools.
Version >=v1.1.1 includes five busybox-only tools.
| Tool | Purpose | Usage |
|------|---------|--------|
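Review bot: `Version >=v1.1.1 includes five busybox-only tools` is wrong for 1.1.1 and 1.1.2, which shipped four; gen-auth arrives with 1.1.3, so either write `>=v1.1.3 includes five` or `>=v1.1.1 includes four (five from v1.1.3)`.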
@@ -237,6 +238,7 @@ Version >=v1.1.1 includes four busybox-only tools.
| health | JSON health | `docker exec tor-relay health` |
| fingerprint | Show fingerprint | `docker exec tor-relay fingerprint` |
| bridge-line | obfs4 line | `docker exec tor-relay bridge-line` |
| gen-auth | Credentials for Nyx | `docker exec tor-relay gen-auth` |
```bash
# Full health report with emojis
@@ -265,7 +267,23 @@ Example JSON:
<div style="color:#7ce5ff;font-family:monospace;font-size:17px;margin-bottom:14px;">▍ 📊 Monitoring and Observability</div>
**>=v1.1.1 uses external monitoring** for minimal image size and maximum security.
<br>
<div align="center">
<img src="src/screenshots/nyx.png" alt="Nyx Monitor Interface"/>
</div>
<br>
**>=v1.1.2 supports both real-time CLI monitoring and external observability** for minimal image size and maximum security.
### Real-Time Monitoring (Nyx)
You can connect Nyx (formerly arm) to your relay securely using the Control Port.
1. Generate credentials: docker exec tor-relay gen-auth
2. Add the hash to your config.
3. Connect via local socket or TCP.
> 📖 Full Setup: See the [Control Port Guide](docs/CONTROL-PORT.md) for step-by-step Nyx configuration.
### JSON Health API
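Review bot: `>=v1.1.2 supports both real-time CLI monitoring and external observability` points at the wrong version: the Nyx workflow described right below depends on `gen-auth`, which this commit introduces in 1.1.3. Also wrap the step-1 command in backticks (`docker exec tor-relay gen-auth`) and name the file in step 2 (`relay.conf`), matching the Control Port Guide it links to.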
@@ -320,7 +338,7 @@ STATUS=$(echo "$HEALTH" | jq -r '.status')
- ✅ Graceful shutdown with cleanup
### Operations & Automation
-**4 busybox-only diagnostic tools** (status, health, fingerprint, bridge-line)
-**5 busybox-only diagnostic tools** (status, health, fingerprint, bridge-line, gen-auth)
-**JSON health API** for monitoring integration
-**Multi-mode support** (guard, exit, bridge with obfs4)
-**ENV-based config** (TOR_RELAY_MODE, TOR_NICKNAME, etc.)
@@ -365,6 +383,7 @@ STATUS=$(echo "$HEALTH" | jq -r '.status')
- **[Architecture](docs/ARCHITECTURE.md)** - ⭐ **NEW!** Technical architecture with Mermaid diagrams
- **[Tools Reference](docs/TOOLS.md)** - Complete guide to all 4 diagnostic tools
- **[Monitoring Guide](docs/MONITORING.md)** - External monitoring integration, JSON health API, alerts, and observability
- **[Control Port Guide](docs/CONTROL-PORT.md)** - ⭐ **NEW!** Authentication setup and Nyx integration
- **[Backup Guide](docs/BACKUP.md)** - Data persistence, recovery, and disaster planning
- **[Performance Guide](docs/PERFORMANCE.md)** - Optimization, tuning, and resource management
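Review bot: the `[Tools Reference]` bullet still reads "Complete guide to all 4 diagnostic tools" while TOOLS.md in this commit documents five; update the count.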
@@ -475,6 +494,9 @@ docker exec tor-relay fingerprint
# For bridge mode: Get bridge line
docker exec tor-relay bridge-line
# Generate Control Port hash
docker exec tor-relay gen-auth
```
### Common Issues
@@ -581,6 +603,10 @@ flowchart TB
━━━━━━━━━━
Get obfs4 Bridge Line
Share with Users"]
Tools --> GenAuth["🔑 gen-auth
━━━━━━━━━━
Generate Control
Port Auth Data"]
end
Running -->|docker stop SIGTERM| Shutdown
@@ -612,6 +638,7 @@ flowchart TB
style Health fill:#4DD0E1,stroke:#0097A7,stroke-width:2px,color:#000
style Finger fill:#4DD0E1,stroke:#0097A7,stroke-width:2px,color:#000
style BLine fill:#4DD0E1,stroke:#0097A7,stroke-width:2px,color:#000
style GenAuth fill:#4DD0E1,stroke:#0097A7,stroke-width:2px,color:#000
style Graceful fill:#FFB74D,stroke:#F57C00,stroke-width:2px,color:#000
style End fill:#E57373,stroke:#C62828,stroke-width:2px,color:#fff
@@ -724,14 +751,14 @@ Images are automatically rebuilt on separate schedules to include security patch
**Stable Variant** (`:latest`)
- **Schedule:** Every Sunday at 18:30 UTC
- **Includes:** Latest Tor + Alpine 3.22.2 updates
- **Strategy:** Overwrites last release version (e.g., `:1.1.2`) with updated packages
- **Tags Updated:** `:latest` and version tags (e.g., `:1.1.2`)
- **Strategy:** Overwrites last release version (e.g., `:1.1.3`) with updated packages
- **Tags Updated:** `:latest` and version tags (e.g., `:1.1.3`)
**Edge Variant** (`:edge`)
- **Schedule:** Every 3 days at 12:00 UTC (independent schedule)
- **Includes:** Latest Tor + Alpine edge (bleeding-edge) updates
- **Strategy:** Overwrites last release version (e.g., `:1.1.2-edge`) with updated packages
- **Tags Updated:** `:edge` and version tags (e.g., `:1.1.2-edge`)
- **Strategy:** Overwrites last release version (e.g., `:1.1.3-edge`) with updated packages
- **Tags Updated:** `:edge` and version tags (e.g., `:1.1.3-edge`)
- **Frequency:** ~2-3x more frequent updates than stable
All images auto-published to Docker Hub and GitHub Container Registry
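Review bot: the Stable Variant block updates the example tags to `:1.1.3`, but the unchanged `Includes: Latest Tor + Alpine 3.22.2 updates` line above still names the old base; change it to 3.23.0 to match the Dockerfile label.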
@@ -766,7 +793,7 @@ All images auto-published to Docker Hub and GitHub Container Registry
![GitHub Repo stars](https://img.shields.io/github/stars/r3bo0tbx1/tor-guard-relay?style=for-the-badge)
![GitHub Issues](https://img.shields.io/github/issues/r3bo0tbx1/tor-guard-relay?style=for-the-badge)
**Current Version:** v1.1.2**Status:** Production Ready
**Current Version:** v1.1.3**Status:** Production Ready
**Image Size:** 16.8 MB • **Rebuild:** Weekly
**Registries:** Docker Hub • GHCR
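Review bot: `**Current Version:** v1.1.3**Status:** Production Ready` has no separator between the two fields (the line below uses ` • `); since the line is touched anyway, insert ` • ` before `**Status:**`.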
@@ -807,10 +834,6 @@ Or via **[AnonPay](https://trocador.app/anonpay?ticker_to=btc&network_to=Mainnet
```
Or via **[AnonPay](https://trocador.app/anonpay?ticker_to=xmr&network_to=Mainnet&address=85ft7ehMfcKSSp8Ve92Y9oARmqvDjYvEiKQkzdp3qiyzP9dpLeJXFahgHcoXUPeE9TacqDCUXWppNffE3YDC1Wu1NnQ71rT&ref=sqKNYGZbRl&direct=True&name=rE-Bo0tbx1+%28r3bo0tbx1%29&description=Support+FOSS+Development&email=r3bo0tbx1%40brokenbotnet.com)** (convert any crypto)
<!--
I use Arch btw 🐧
!-->
### Other Ways to Support
- ⭐ Star the repo


@@ -14,8 +14,8 @@ We actively support the following versions with security updates:
| Version | Status | Support Level |
| --------- | --------------------- | ------------------------------------------- |
| **1.1.1** | 🟢 🛡️ **Active** | Full support (current stable) |
| **1.1.0** | 🟡 🔧 **Maintenance** | Security + critical fixes only |
| **>=1.1.2** | 🟢 🛡️ **Active** | Full support (current stable) |
| **1.1.1** | 🟡 🔧 **Maintenance** | Security + critical fixes only |
| **1.0.9** | 🟠 ⚠️ **Legacy** | Security patches only upgrade recommended |
| **1.0.8** | 🔴 ❌ **EOL** | No support upgrade immediately |
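Review bot: `>=1.1.2` as the Active row is the clearer form, but the CHANGELOG support table in this same commit shows only `1.1.3` and drops 1.1.2; align the two. The lower rows also disagree between the files: here `1.0.9` is Legacy and `1.0.8` EOL, in the CHANGELOG it is the reverse.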
@@ -25,7 +25,7 @@ We actively support the following versions with security updates:
### Ultra-Minimal Port Exposure
**v1.1.1 follows an ultra-minimal security architecture:**
**>=v1.1.1 follows an ultra-minimal security architecture:**
-**NO monitoring HTTP endpoints** - Removed for maximum security
-**NO exposed metrics ports** - All monitoring via `docker exec` only
@@ -61,7 +61,7 @@ PUBLIC PORTS:
### No Monitoring Ports
**v1.1.1 has ZERO exposed monitoring services:**
**>=v1.1.1 has ZERO exposed monitoring services:**
- ❌ No metrics HTTP endpoints
- ❌ No health check HTTP APIs
@@ -74,6 +74,7 @@ docker exec tor-relay status # Health report with emojis
docker exec tor-relay health # JSON health output
docker exec tor-relay fingerprint # Display fingerprint
docker exec tor-relay bridge-line # Get bridge line (bridge mode)
docker exec tor-relay gen-auth # Generate Control Port hash
```
### Network Architecture
@@ -117,6 +118,7 @@ This project uses **host networking mode** (`--network host`) for best Tor perfo
docker run -d \
--name tor-relay \
--network host \
--security-opt no-new-privileges:true \
--restart unless-stopped \
-v $(pwd)/relay.conf:/etc/tor/torrc:ro \
-v tor-guard-data:/var/lib/tor \
@@ -484,7 +486,7 @@ chown tor:tor /var/lib/tor
* ✅ Input validation for all ENV variables
* ✅ OBFS4V_* whitelist to prevent command injection
### Multi-Mode Support (v1.1.1)
### Multi-Mode Support (>=v1.1.1)
The container supports three relay modes:
@@ -657,4 +659,4 @@ Security researchers who responsibly disclose vulnerabilities will be listed her
---
*Last Updated: 2025-11-13 | Version: 1.1.1*
*Last Updated: 2025-12-05 | Version: 1.1.3*


@@ -57,11 +57,13 @@ flowchart TD
DiagTools -->|health| HealthTool[📊 tools/health]
DiagTools -->|fingerprint| FingerprintTool[🆔 tools/fingerprint]
DiagTools -->|bridge-line| BridgeTool[🌉 tools/bridge-line]
DiagTools -->|gen-auth| GenAuthTool[🔑 tools/gen-auth]
StatusTool --> Running
HealthTool --> Running
FingerprintTool --> Running
BridgeTool --> Running
GenAuthTool --> Running
Trap --> StopTail[🧽 Kill tail -F PID]
StopTail --> StopTor[📨 Send SIGTERM to Tor]
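Review bot: `GenAuthTool[🔑 tools/gen-auth]` names the source file `tools/gen-auth`, but the Dockerfiles in this commit `COPY tools/auth-gen`; settle on one file name so the diagram matches the build.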
@@ -532,6 +534,7 @@ flowchart TD
| **health** | Monitoring integration | JSON | busybox: pgrep, grep, awk |
| **fingerprint** | Relay identity | Text + URL | busybox: cat, awk |
| **bridge-line** | Bridge sharing | obfs4 bridge line | busybox: grep, sed, awk, wget |
| **gen-auth** | Credential generation | Text (Pass + Hash) | busybox: head, tr, tor |
**All tools:**
- Use `#!/bin/sh` (POSIX sh, not bash)
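Review bot: the dependency column says `busybox: head, tr, tor`, but `tor` is not a busybox applet; the hash comes from the Tor binary (`tor --hash-password`, as the Control Port Guide's manual method shows). List it separately so the "busybox-only" claim made for the other tools stays accurate.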
@@ -616,6 +619,7 @@ graph TD
Health["💚 health"]
Fingerprint["🧬 fingerprint"]
BridgeLine["🌉 bridge-line"]
GenAuth["🔑 gen-auth"]
UsrLocal --> Bin
Bin --> Entrypoint
@@ -796,7 +800,7 @@ flowchart LR
end
subgraph Build["🏗️ Docker Build"]
Alpine[🐧 Alpine 3.22.2]
Alpine[🐧 Alpine 3.23.0]
Install[📦 apk add packages]
Copy[📥 Copy scripts and tools]
Perms[🔒 Set permissions]
@@ -897,6 +901,7 @@ flowchart TD
| `tools/health` | JSON health API | ~100 |
| `tools/fingerprint` | Show relay identity | ~50 |
| `tools/bridge-line` | Generate bridge line | ~80 |
| `tools/gen-auth` | Generate Control Port auth | ~30 |
### External Documentation
@@ -908,6 +913,6 @@ flowchart TD
---
<div align="center">
**Document Version:** 1.0.3**Last Updated:** 2025-11-14**Container Version:** v1.1.1
**Document Version:** 1.0.4**Last Updated:** 2025-12-05**Container Version:** v1.1.3
</div>

docs/CONTROL-PORT.md Normal file

@@ -0,0 +1,234 @@
# Control Port Configuration & Advanced Monitoring
This guide covers secure configuration of the Tor Control Port for advanced monitoring tools like **Nyx** (command-line monitor) and **Prometheus exporters**.
> **⚠️ Security Note:** The Control Port provides administrative access to your relay. Always use authentication and follow the security guidelines below.
## Table of Contents
* [Authentication Setup](#authentication-setup)
* [Configuration Methods](#configuration-methods)
* [Connecting to Your Relay](#connecting-to-your-relay)
* [Monitoring with Nyx](#monitoring-with-nyx)
* [Troubleshooting](#troubleshooting)
---
## Authentication Setup
Tor requires a hashed password to access the Control Port. We recommend using the built-in helper tool to generate this securely.
### Option A: Use the Helper Tool (Recommended)
The container includes a built-in utility called `gen-auth` that generates a secure 32-character password and the required configuration hash in one step.
Run the tool inside your container:
```bash
docker exec tor-relay gen-auth
````
**Example Output:**
```bash
╔════════════════════════════════════════════════════════════╗
║ Tor Control Port Authentication Generator ║
╚════════════════════════════════════════════════════════════╝
✓ Generated secure 32-character password
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Save this password (use for Nyx authentication):
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
4xK8mP2qR9vL3nT6wY5sD1gH7jF0bN8c...
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
2. Add this line to your torrc:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
HashedControlPassword 16:A1B2C3D4E5F6...
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📝 Next steps:
1. Edit your relay.conf and add the HashedControlPassword line above
2. Restart your container: docker restart tor-relay
3. Connect with Nyx using the password shown above
💡 Tip: Save the password in a secure password manager!
```
**Next Steps:**
1. **Copy the Password**: Store this in a password manager. You will need it to log in to Nyx.
2. **Copy the Hash**: Add the `HashedControlPassword ...` line to your `relay.conf` (or `torrc`).
### Option B: Manual Generation
If you prefer to generate credentials manually on your host machine:
```bash
# 1. Generate a 32-byte secure password
PASS=$(openssl rand -base64 32)
echo "Password: $PASS"
# 2. Generate the hash inside the container
docker exec tor-relay tor --hash-password "$PASS"
```
-----
## Configuration Methods
Choose **one** method based on your use case.
### Method A: Unix Domain Socket (Recommended)
**Best for:** Running Nyx or monitoring tools on the same host.
**Security:** Uses file system permissions; impossible to expose to the internet.
Add to your `relay.conf`:
```ini
# Disable TCP Control Port
ControlPort 0
# Enable Unix Domain Socket
ControlSocket /var/lib/tor/control_socket
ControlSocketsGroupWritable 1
# Add your generated hash
HashedControlPassword 16:YOUR_FULL_HASH_STRING_HERE
```
**Volume Configuration:**
Ensure your data volume is mounted so the host can access the socket file. If you are using standard docker volume names:
* **Docker Volume Path:** `/var/lib/docker/volumes/tor-guard-data/_data/control_socket`
* **Bind Mount Path:** If you mapped a host folder (e.g., `-v ./data:/var/lib/tor`), the socket will be in `./data/control_socket`.
### Method B: TCP Localhost
**Best for:** External monitoring tools (e.g., Prometheus) that cannot read Unix sockets.
**Requirement:** Works best with `--network host` mode.
Add to your `relay.conf`:
```ini
# Bind strictly to localhost
ControlPort 127.0.0.1:9051
# Add your generated hash
HashedControlPassword 16:YOUR_FULL_HASH_STRING_HERE
```
> **⚠️ CRITICAL SECURITY WARNING**
> Never use `ControlPort 0.0.0.0:9051` or `ControlPort 9051` in host network mode.
> This exposes your control interface to the public internet, allowing anyone to attack your relay.
> **Always bind to 127.0.0.1.**
-----
## Connecting to Your Relay
After updating your configuration, restart the container to apply changes:
```bash
docker restart tor-relay
```
Verify the port or socket is active:
```bash
docker logs tor-relay | grep -i "Opened Control listener"
```
-----
## Monitoring with Nyx
[Nyx](https://nyx.torproject.org/) provides real-time bandwidth graphs, connection tracking, and log monitoring.
### 1. Installation
Install Nyx on your **host machine**:
```bash
sudo apt install nyx
```
### 2. Connect
**If using Unix Socket (Method A):**
```bash
# Locate your volume mount point (example for standard docker volume)
nyx -s /var/lib/docker/volumes/tor-guard-data/_data/control_socket
```
**If using TCP (Method B):**
```bash
nyx -i 127.0.0.1:9051
```
*When prompted, enter the **plaintext password** generated by `gen-auth`.*
-----
## Advanced Integration
### Prometheus Exporter
If using **Method B (TCP)**, you can scrape metrics using the Prometheus Tor Exporter:
```bash
docker run -d \
--name tor-exporter \
--network host \
atx/prometheus-tor_exporter \
--tor.control-address=127.0.0.1:9051 \
--tor.control-password="YOUR_PASSWORD_HERE"
```
### Automated Health Checks
You can check relay status via script using `nc` (Netcat):
```bash
echo -e 'AUTHENTICATE "YOUR_PASSWORD"\r\nGETINFO status/circuit-established\r\nQUIT' | nc 127.0.0.1 9051
```
Expected output:
```bash
250 OK
250-status/circuit-established=1
250 OK
250 closing connection
```
-----
## Troubleshooting
### "Authentication failed"
1. **Wrong String**: Ensure you are using the *plaintext* password in Nyx, not the *hash*.
2. **Config Mismatch**: Check that `HashedControlPassword` in `relay.conf` matches the hash generated by the tool.
3. **Restart**: Did you `docker restart tor-relay` after editing the config?
### "Connection refused" or "No such file"
* **Unix Socket**: Check permissions. The socket must be readable by the user running Nyx.
```bash
sudo ls -la /var/lib/docker/volumes/tor-guard-data/_data/control_socket
```
* **TCP**: Ensure the container is running and port 9051 is bound locally.
```bash
netstat -tuln | grep 9051
```
### "Socket Permission Denied"
The socket file is created by the `root` or `tor` user inside the container. You may need to run Nyx with `sudo` or adjust your user groups to read the Docker volume directory.
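Review bot: the closing fence after `docker exec tor-relay gen-auth` is four backticks (````), which opens a new fence instead of closing the block and will garble the rest of the document in most renderers; make it three. Two further points in this file. First, both the Prometheus exporter (`--tor.control-password="YOUR_PASSWORD_HERE"`) and the `nc` health check (`echo -e 'AUTHENTICATE "YOUR_PASSWORD"...'`) pass the plaintext control password on the command line, where it ends up in shell history and is readable by any local user via `ps` or `docker inspect`; recommend reading it from a root-owned, mode-0600 file instead and, for `nc`, building the request with `printf` (`echo -e` is not POSIX and prints a literal `-e` under dash). Second, the exporter image is written `atx/prometheus-tor_exporter` here but `prometheus-tor-exporter` in the TOOLS.md FAQ of this same commit; align the two, and add "Advanced Integration" to the Table of Contents, which currently omits it.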


@@ -74,6 +74,7 @@ docker pull r3bo0tbx1/onion-relay:latest
docker run -d \
--name tor-relay \
--network host \
--security-opt no-new-privileges:true \
-v ~/tor-relay/relay-guard.conf:/etc/tor/torrc:ro \
-v tor-data:/var/lib/tor \
-v tor-logs:/var/log/tor \


@@ -24,15 +24,15 @@ Common questions about Tor Guard Relay deployment, configuration, and troublesho
- **Exit relay** - Last hop (requires legal preparation)
- **Bridge relay** - Helps users bypass censorship (obfs4 support)
Built on Alpine Linux 3.22.2 with a minimal 20MB image size, busybox-only tools, and weekly automated security rebuilds.
Built on Alpine Linux 3.23.0 with a minimal 20MB image size, busybox-only tools, and weekly automated security rebuilds.
### What makes this different from the official Tor images?
| Feature | This Project | Official Images |
|---------|--------------|-----------------|
| **Image size** | ~16.8 MB | ~100+ MB |
| **Base** | Alpine 3.22.2 | Debian |
| **Diagnostics** | 4 busybox tools + JSON API | None |
| **Base** | Alpine 3.23.0 | Debian |
| **Diagnostics** | 5 busybox tools + JSON API | None |
| **Multi-mode** | Guard/Exit/Bridge in one image | Separate images |
| **Weekly rebuilds** | ✅ Automated | ❌ Manual |
| **ENV configuration** | ✅ Full support | Limited |
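Review bot: within this hunk the prose says "minimal 20MB image size" while the table two lines down says `~16.8 MB` (the README badge block also says 16.8 MB); pick one figure.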
@@ -40,8 +40,8 @@ Built on Alpine Linux 3.22.2 with a minimal 20MB image size, busybox-only tools,
### Is this production-ready?
**Yes.** Current version is v1.1.1 (Active/Stable). Used in production with:
- ✅ Security-hardened (32 vulnerabilities fixed in v1.1.1)
**Yes.** Current version is v1.1.3 (Active/Stable). Used in production with:
- ✅ Security-hardened (32 vulnerabilities fixed in >=v1.1.1)
- ✅ Non-root execution (tor user, UID 100)
- ✅ Weekly automated rebuilds with latest Tor + Alpine patches
- ✅ Multi-architecture support (AMD64, ARM64)
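Review bot: `32 vulnerabilities fixed in >=v1.1.1` misreads: the fixes landed in v1.1.1 and every later release inherits them, so "fixed in v1.1.1" is accurate and needs no range.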
@@ -409,7 +409,7 @@ docker exec obfs4-bridge fingerprint
**See:** [MIGRATION.md](MIGRATION.md) for complete guide
### How do I upgrade from v1.1.0 to v1.1.1?
### How do I upgrade from v1.1.0 to >=v1.1.1?
**Guard/Exit relays (no changes required):**
```bash
@@ -427,7 +427,7 @@ docker run -d --name tor-relay ... # Same config
**Verify upgrade:**
```bash
docker exec tor-relay cat /build-info.txt
# Should show: Version: 1.1.1
# Should show: Version: 1.1.3
docker exec tor-relay fingerprint
# Verify fingerprint unchanged
@@ -538,5 +538,5 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md) for guidelines.
---
**Last Updated:** November 2025 (v1.1.1)
**Last Updated:** December 2025 (v1.1.3)
**Maintained by:** [@r3bo0tbx1](https://github.com/r3bo0tbx1)


@@ -1,4 +1,4 @@
# Migration Guide: v1.1.0 → v1.1.1
# Migration Guide: v1.1.0 → >=v1.1.1
This guide documents **two successful real-world migration paths** validated in production:
1. **Guard/Middle Relay** (mounted torrc) - Zero issues
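Review bot: `>=v1.1.1` in a guide title reads awkwardly, and the guide body still describes the 1.1.1 upgrade specifically; "v1.1.0 → v1.1.1 and later" says the same thing in plain words.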
@@ -470,5 +470,5 @@ docker rm obfs4-bridge
---
*Last Updated: 2025-11-13*
*Last Updated: 2025-12-05*
*Validated with production deployments*


@@ -2,7 +2,7 @@
This document provides general migration guidance for Tor Guard Relay deployments.
For **specific v1.1.0 → v1.1.1 migration**, see [`MIGRATION-V1.1.X.md`](MIGRATION-V1.1.X.md).
For **specific v1.1.0 → >=v1.1.1 migration**, see [`MIGRATION-V1.1.X.md`](MIGRATION-V1.1.X.md).
---
@@ -362,10 +362,10 @@ docker exec <container> status
| From | To | Guide |
|------|-----|-------|
| v1.1.0 | v1.1.1 | [MIGRATION-V1.1.X.md](MIGRATION-V1.1.X.md) |
| v1.1.0 | >=v1.1.1 | [MIGRATION-V1.1.X.md](MIGRATION-V1.1.X.md) |
| Official bridge | v1.1.1 | [MIGRATION-V1.1.X.md](MIGRATION-V1.1.X.md) - Path 2 |
| Future | Future | This document + version-specific guide |
---
*Last Updated: 2025-11-13*
*Last Updated: 2025-12-05*
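Review bot: the `v1.1.0 | >=v1.1.1` row was updated but `Official bridge | v1.1.1` on the next row still names only 1.1.1; apply the same form to both rows if the guide covers later tags.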


@@ -1,6 +1,6 @@
# 📊 Monitoring Guide
Guide to monitoring your Tor Guard Relay with external tools. The v1.1.1 ultra-optimized build (~20 MB) does not include built-in Prometheus metrics endpoints, but provides multiple alternatives for monitoring.
Guide to monitoring your Tor Guard Relay with external tools. The >=v1.1.1 ultra-optimized build (~20 MB) does not include built-in Prometheus metrics endpoints, but provides multiple alternatives for monitoring.
---
@@ -453,4 +453,4 @@ A:
---
**Last Updated:** November 2025 | **Version:** 1.1.1
**Last Updated:** December 2025 | **Version:** 1.1.3


@@ -346,7 +346,7 @@ time docker exec guard-relay tor --resolve example.com
## Monitoring & Metrics
v1.1.1 uses **external monitoring** with the `health` JSON API for minimal image size and maximum security.
>=v1.1.1 uses **external monitoring** with the `health` JSON API for minimal image size and maximum security.
### 1. JSON Health API


@@ -1,6 +1,6 @@
# 🛠️ Tools Reference Guide
**Tor Guard Relay v1.1.1** includes 4 essential diagnostic tools built directly into the ultra-optimized ~20 MB container. All tools are busybox-compatible, executable without file extensions, and designed for production use.
**Tor Guard Relay 1.1.3** includes 5 essential diagnostic tools built directly into the ultra-optimized ~20 MB container. All tools are busybox-compatible, executable without file extensions, and designed for production use.
---
@@ -12,6 +12,7 @@
| **health** | JSON health diagnostics | JSON | Machine-readable for monitoring |
| **fingerprint** | Display relay fingerprint | Text | With Tor Metrics link |
| **bridge-line** | Get obfs4 bridge line | Text | Bridge mode only |
| gen-auth | Generate Control Port auth | Text | Password + Hash |
---
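Review bot: the new `gen-auth` row lacks the bold `**...**` the other tool names in the table use; format it `| **gen-auth** | ... |` for consistency.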
@@ -180,6 +181,49 @@ Bridge obfs4 203.0.113.42:9002 ABCD...WXYZ cert=abc123...xyz789 iat-mode=0
---
### `gen-auth`
**Purpose**: Generate a secure, random 32-character password and its associated hash for configuring the Tor Control Port (required for tools like Nyx).
Usage:
```bash
docker exec tor-relay gen-auth
```
Output Example:
```bash
╔════════════════════════════════════════════════════════════╗
║ Tor Control Port Authentication Generator ║
╚════════════════════════════════════════════════════════════╝
✓ Generated secure 32-character password
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Save this password (use for Nyx authentication):
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
4xK8mP2qR9vL3nT6wY5sD1gH7jF0bN8c...
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
2. Add this line to your torrc:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
HashedControlPassword 16:A1B2C3D4E5F6...
```
Exit Codes:
* `0` - Success
* `1` - Error generating hash
When to use:
* When setting up external monitoring tools (Nyx, Prometheus).
* Run once, copy the values, then update your relay.conf or torrc.
---
## 🚀 Common Workflows
### 1. Quick Health Check
@@ -194,7 +238,21 @@ docker exec tor-relay health | jq .status
docker exec tor-relay health | jq .bootstrap
```
### 2. Find Your Relay on Tor Metrics
### 2. Configure Nyx / Control Port
```bash
# Generate credentials
docker exec tor-relay gen-auth
# Add HashedControlPassword to your config
# Restart relay
docker restart tor-relay
# Connect with Nyx
nyx -i 127.0.0.1:9051
```
### 3. Find Your Relay on Tor Metrics
```bash
# Get fingerprint and metrics link
docker exec tor-relay fingerprint
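Review bot: the "Configure Nyx / Control Port" workflow hard-codes the TCP method (`nyx -i 127.0.0.1:9051`), and `# Add HashedControlPassword to your config` is a comment that does nothing when the block is pasted; spell out the `relay.conf` edit as a step and mention the Unix-socket alternative (`nyx -s ...`) that CONTROL-PORT.md recommends as the default.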
@@ -203,7 +261,7 @@ docker exec tor-relay fingerprint
# Click the Tor Metrics link or search manually
```
### 3. Share Your Bridge
### 4. Share Your Bridge
```bash
# Get bridge line (bridge mode only)
docker exec tor-bridge bridge-line
@@ -212,7 +270,7 @@ docker exec tor-bridge bridge-line
# Share ONLY with trusted users, NOT publicly
```
### 4. Automated Monitoring
### 5. Automated Monitoring
```bash
# Simple monitoring script
while true; do
@@ -230,7 +288,7 @@ while true; do
done
```
### 5. Check Logs
### 6. Check Logs
```bash
# View recent logs
docker logs --tail 100 tor-relay
@@ -264,7 +322,7 @@ docker logs tor-relay 2>&1 | grep -i warn
# Verify tools exist
docker exec tor-relay ls -la /usr/local/bin/
# Should show: status, health, fingerprint, bridge-line
# Should show: status, health, fingerprint, bridge-line, gen-auth
# Check PATH
docker exec tor-relay echo $PATH
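Review bot: `docker exec tor-relay echo $PATH` in the "Check PATH" line expands `$PATH` in the host shell before docker runs, so it never shows the container's PATH. Use `docker exec tor-relay sh -c 'echo $PATH'` (single quotes) so the expansion happens inside the container.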
@@ -343,18 +401,18 @@ docker logs tor-relay | grep -i obfs4
## ❓ FAQ
**Q: Why only 4 tools instead of 9?**
A: The v1.1.1 build prioritizes size optimization (~20 MB vs 45+ MB). These 4 tools cover all essential operations. For advanced monitoring, use external tools like Prometheus.
**Q: Why only 5 tools instead of 9?**
A: The v1.1.3 build remains ultra-light (~16.8 MB). These 5 tools cover all essential operations including health checks, identity, and authentication setup.
**Q: Where are metrics/monitoring endpoints?**
A: Removed to achieve ultra-small image size. Use `health` tool with external monitoring systems or check `/var/log/tor/notices.log` directly.
**Q: Can I still use Prometheus?**
A: Yes! Export logs or use `health` JSON output with a Prometheus exporter. See [MONITORING.md](./MONITORING.md) for alternatives.
A: Yes! Use `gen-auth` to configure the Control Port, then run a separate `prometheus-tor-exporter` container alongside this one.
**Q: What happened to the dashboard?**
A: Removed (required Python/Flask). Use `status` tool for visual output or build your own dashboard using `health` JSON.
---
**Last Updated:** November 2025 | **Version:** 1.1.1
**Last Updated:** December 2025 | **Version:** 1.1.3
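Review bot: the new Prometheus answer names a `prometheus-tor-exporter` container without a link or image reference and drops the MONITORING.md pointer; if that document still exists, keep the link. It should also say that the exporter needs the plaintext password printed by `gen-auth` (the hashed form only goes in torrc) and that it should be passed as a secret or environment variable, not committed in a compose file.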

View File

@@ -1,4 +1,4 @@
# Troubleshooting Bridge Migration to v1.1.1
# Troubleshooting Bridge Migration to >=v1.1.1
This guide addresses the specific issue where migrating from `thetorproject/obfs4-bridge` to `r3bo0tbx1/onion-relay:1.1.1` results in configuration validation failures and changing fingerprints.
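Review bot: the heading now says "Migration to >=v1.1.1" but the intro line still pins the target to `r3bo0tbx1/onion-relay:1.1.1`; either keep the pinned tag in both places or reword the intro to "v1.1.1 or later" so the two agree.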

BIN
src/screenshots/nyx.png Normal file

Binary file not shown. (1.4 MiB)

View File

@@ -22,7 +22,7 @@
},
{
"type": "bind",
"source": "/home/<user>/bridge.conf",
"source": "/home/<user>/relay.conf",
"target": "/etc/tor/torrc",
"read_only": true
}
@@ -30,6 +30,9 @@
"security_opt": [
"no-new-privileges:true"
],
"cap_drop": [
"ALL"
],
"cap_add": [
"NET_BIND_SERVICE",
"CHOWN",
@@ -47,7 +50,7 @@
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/refs/heads/main/src/onion.png",
"cosmos-stack": "TorGuardRelay",
"cosmos-stack-main": "TorGuardRelay",
"cosmos-version": "1.1.2",
"cosmos-version": "1.1.3",
"maintainer": "rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>"
}
}

View File

@@ -1,9 +1,9 @@
{
"minVersion": "0.8.0",
"services": {
"TorGuardRelay": {
"OBFS4-Bridge": {
"image": "r3bo0tbx1/onion-relay:latest",
"container_name": "obfs4-bridge",
"container_name": "OBFS4-Bridge",
"restart": "unless-stopped",
"environment": [
"TZ=Asia/Tokyo"
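Review bot: renaming `container_name` from `obfs4-bridge` to `OBFS4-Bridge` breaks the documented commands, because Docker container names are case-sensitive: the compose template keeps `container_name: obfs4-bridge` and the docs use `docker exec obfs4-bridge bridge-line`. Either keep the lowercase container name (and change only the cosmos stack labels) or update every `docker exec obfs4-bridge ...` reference in the same commit.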
@@ -30,6 +30,9 @@
"security_opt": [
"no-new-privileges:true"
],
"cap_drop": [
"ALL"
],
"cap_add": [
"NET_BIND_SERVICE",
"CHOWN",
@@ -45,9 +48,9 @@
"cosmos-description": "🌉 Tor Bridge Relay",
"cosmos-force-network-secured": "false",
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/refs/heads/main/src/obfs4.png",
"cosmos-stack": "obfs4-bridge",
"cosmos-stack-main": "obfs4-bridge",
"cosmos-version": "1.1.2",
"cosmos-stack": "OBFS4-Bridge",
"cosmos-stack-main": "OBFS4-Bridge",
"cosmos-version": "1.1.3",
"maintainer": "rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>"
}
}

View File

@@ -24,8 +24,12 @@
"target": "/var/log/tor"
}
],
"security_opt": ["no-new-privileges:true"],
"cap_drop": ["ALL"],
"security_opt": [
"no-new-privileges:true"
],
"cap_drop": [
"ALL"
],
"cap_add": [
"NET_BIND_SERVICE",
"CHOWN",
@@ -33,6 +37,16 @@
"SETGID",
"DAC_OVERRIDE"
],
"healthcheck": {
"test": [
"CMD-SHELL",
"/usr/local/bin/healthcheck.sh"
],
"interval": "10m",
"timeout": "15s",
"start_period": "30s",
"retries": 3
},
"labels": {
"cosmos-stack": "TorBridge",
"cosmos-stack-main": "obfs4-bridge",
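Review bot: the `healthcheck` block combines `"interval": "10m"` with `"start_period": "30s"` and `"retries": 3`, which means a dead tor process is only flagged unhealthy after up to 30 minutes, and since Docker runs the first probe one interval after start, the 30s start period has no effect; a shorter interval (say 60s to 2m) with a start period that covers bootstrap would give auto-healing something to act on. Also, `/usr/local/bin/healthcheck.sh` does not appear in the tools list the docs hunk adds ("status, health, fingerprint, bridge-line, gen-auth"), so confirm it ships in the image and document it.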
@@ -43,7 +57,7 @@
"cosmos-force-network-secured": "false",
"cosmos-auto-update-notify": "true",
"cosmos-auto-update-restart": "true",
"cosmos-version": "1.1.2",
"cosmos-version": "1.1.3",
"maintainer": "rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>"
}
}
@@ -51,31 +65,5 @@
"volumes": {
"obfs4-data": {},
"obfs4-logs": {}
},
"metadata": {
"description": "🌉 Tor obfs4 Bridge - Drop-in replacement for thetorproject/obfs4-bridge with official ENV naming",
"version": "1.1.2",
"author": "r3bo0tbx1",
"tags": ["tor", "bridge", "obfs4", "censorship", "pluggable-transport", "official-compatible"],
"configuration_method": "environment_variables",
"compatibility": "thetorproject/obfs4-bridge",
"notes": [
"Drop-in replacement for thetorproject/obfs4-bridge with official ENV naming",
"Minimal required: OR_PORT, PT_PORT, EMAIL, NICKNAME",
"Auto-detects bridge mode when PT_PORT is set",
"For advanced torrc options, enable: OBFS4_ENABLE_ADDITIONAL_VARIABLES=1",
"Then add OBFS4V_* variables (e.g., OBFS4V_AddressDisableIPv6=0)",
"For mounted config file, remove environment variables and add:",
" { \"type\": \"bind\", \"source\": \"/path/to/relay-bridge.conf\", \"target\": \"/etc/tor/torrc\", \"read_only\": true }",
"After deployment: docker exec obfs4-bridge bridge-line",
"Weekly security rebuilds every Sunday 18:30 UTC"
],
"migration_from_official": {
"step1": "Preserve your volumes: obfs4-data contains bridge identity",
"step2": "Stop old container: docker stop obfs4-bridge",
"step3": "Fix ownership if migrating from Debian: docker run --rm -v obfs4-data:/data alpine:3.22.2 chown -R 100:101 /data",
"step4": "Deploy this template with same volume name",
"step5": "Verify fingerprint unchanged: docker exec obfs4-bridge fingerprint"
}
}
}
}
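Review bot: removing the `metadata` block also removes the only place this template told operators to fix volume ownership when migrating from the Debian-based official image (`chown -R 100:101 /data`) and to verify the fingerprint afterwards. Cosmos users will not see compose file comments, so make sure docs/MIGRATION carries these steps and consider keeping a one-line `cosmos-description` pointer to it.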

View File

@@ -25,8 +25,12 @@
"target": "/var/log/tor"
}
],
"security_opt": ["no-new-privileges:true"],
"cap_drop": ["ALL"],
"security_opt": [
"no-new-privileges:true"
],
"cap_drop": [
"ALL"
],
"cap_add": [
"NET_BIND_SERVICE",
"CHOWN",
@@ -34,6 +38,16 @@
"SETGID",
"DAC_OVERRIDE"
],
"healthcheck": {
"test": [
"CMD-SHELL",
"/usr/local/bin/healthcheck.sh"
],
"interval": "10m",
"timeout": "15s",
"start_period": "30s",
"retries": 3
},
"labels": {
"cosmos-stack": "TorBridge",
"cosmos-stack-main": "tor-bridge",
@@ -41,29 +55,12 @@
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/refs/heads/main/src/obfs4.png",
"cosmos-auto-update": "true",
"cosmos-force-network-secured": "false",
"cosmos-version": "1.1.2"
"cosmos-version": "1.1.3"
}
}
},
"volumes": {
"tor-bridge-data": {},
"tor-bridge-logs": {}
},
"metadata": {
"description": "🧅 Tor obfs4 Bridge - ENV-based configuration with TOR_* naming",
"version": "1.1.2",
"author": "r3bo0tbx1",
"tags": ["tor", "bridge", "obfs4", "censorship", "privacy"],
"configuration_method": "environment_variables",
"notes": [
"ENV-based configuration - no config file needed",
"Required: TOR_NICKNAME, TOR_CONTACT_INFO, TOR_ORPORT, TOR_OBFS4_PORT",
"Alternative naming: Use OR_PORT/PT_PORT/EMAIL/NICKNAME (official Tor Project naming)",
"See cosmos-compose-bridge-official.json for drop-in thetorproject/obfs4-bridge replacement",
"For mounted config file, remove environment variables and add:",
" { \"type\": \"bind\", \"source\": \"/path/to/relay-bridge.conf\", \"target\": \"/etc/tor/torrc\", \"read_only\": true }",
"After deployment: docker exec tor-bridge bridge-line",
"Weekly security rebuilds every Sunday 18:30 UTC"
]
}
}
}

View File

@@ -28,8 +28,12 @@
"target": "/var/log/tor"
}
],
"security_opt": ["no-new-privileges:true"],
"cap_drop": ["ALL"],
"security_opt": [
"no-new-privileges:true"
],
"cap_drop": [
"ALL"
],
"cap_add": [
"NET_BIND_SERVICE",
"CHOWN",
@@ -37,55 +41,29 @@
"SETGID",
"DAC_OVERRIDE"
],
"healthcheck": {
"test": [
"CMD-SHELL",
"/usr/local/bin/healthcheck.sh"
],
"interval": "10m",
"timeout": "15s",
"start_period": "30s",
"retries": 3
},
"labels": {
"cosmos-stack": "TorExitRelay",
"cosmos-stack-main": "tor-exit-relay",
"cosmos-description": "⚠️ Tor Exit Relay v1.1.2 - Reduced exit policy (HTTP/HTTPS only) | ENV-based config | Weekly security updates",
"cosmos-description": "⚠️ Tor Exit Relay v1.1.3 - Reduced exit policy (HTTP/HTTPS only) | ENV-based config | Weekly security updates",
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/refs/heads/main/src/exit.png",
"cosmos-auto-update": "true",
"cosmos-force-network-secured": "false",
"cosmos-version": "1.1.2"
"cosmos-version": "1.1.3"
}
}
},
"volumes": {
"tor-exit-data": {},
"tor-exit-logs": {}
},
"metadata": {
"description": "⚠️ Tor Exit Relay - Requires dedicated IP, abuse handling, and legal preparation",
"version": "1.1.2",
"author": "r3bo0tbx1",
"tags": ["tor", "relay", "exit", "privacy", "requires-legal-preparation"],
"configuration_method": "environment_variables",
"warnings": [
"⚠️ EXIT RELAYS REQUIRE DEDICATED IP AND ABUSE HANDLING",
"⚠️ READ docs/LEGAL.md BEFORE RUNNING AN EXIT RELAY",
"⚠️ Configure proper abuse contact and WHOIS information",
"⚠️ Set up automated abuse complaint handling",
"⚠️ Use reduced exit policy (HTTP/HTTPS only) to minimize abuse"
],
"notes": [
"ENV-based configuration - no config file needed",
"Required: TOR_NICKNAME, TOR_CONTACT_INFO (with PGP key), TOR_ORPORT, TOR_DIRPORT",
"Optional: TOR_BANDWIDTH_RATE, TOR_BANDWIDTH_BURST (sets RelayBandwidthRate/Burst)",
"Exit policy: TOR_EXIT_POLICY (default: accept *:80,accept *:443,reject *:*)",
"For mounted config file, remove environment variables and add:",
" { \"type\": \"bind\", \"source\": \"/path/to/relay-exit.conf\", \"target\": \"/etc/tor/torrc\", \"read_only\": true }",
"In mounted config: Use RelayBandwidthRate/Burst (relay-only) or BandwidthRate/Burst (global)",
"After deployment: docker exec tor-exit-relay status",
"Check fingerprint: docker exec tor-exit-relay fingerprint",
"Weekly security rebuilds every Sunday 18:30 UTC"
],
"exit_policy_examples": {
"reduced_exit_http_https": "accept *:80,accept *:443,reject *:*",
"full_exit": "accept *:*",
"no_exit_middle_only": "reject *:*"
},
"recommended_bandwidth": {
"minimum": "100 MBytes rate, 200 MBytes burst",
"recommended": "500 MBytes rate, 1 GBytes burst",
"high_performance": "1 GBytes rate, 2 GBytes burst"
}
}
}
}
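Review bot: the exit template's `cosmos-description` still advertises "Reduced exit policy (HTTP/HTTPS only)", but docker-compose-exit.yml in the same commit sets `TOR_EXIT_POLICY` to the long port list (20-23, 53, 3389, 5900, ...), so one of the two is wrong; pick the policy you intend and make the description match. The removed `warnings` array (dedicated IP, abuse contact, "READ docs/LEGAL.md BEFORE RUNNING AN EXIT RELAY") was the only such notice in this template; keep at least a pointer to LEGAL.md in a label or description.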

View File

@@ -27,8 +27,12 @@
"target": "/var/log/tor"
}
],
"security_opt": ["no-new-privileges:true"],
"cap_drop": ["ALL"],
"security_opt": [
"no-new-privileges:true"
],
"cap_drop": [
"ALL"
],
"cap_add": [
"NET_BIND_SERVICE",
"CHOWN",
@@ -36,43 +40,29 @@
"SETGID",
"DAC_OVERRIDE"
],
"healthcheck": {
"test": [
"CMD-SHELL",
"/usr/local/bin/healthcheck.sh"
],
"interval": "10m",
"timeout": "15s",
"start_period": "30s",
"retries": 3
},
"labels": {
"cosmos-stack": "TorGuardRelay",
"cosmos-stack-main": "tor-guard-relay",
"cosmos-description": "🧅 Tor Guard Relay v1.1.2 - High-bandwidth guard/middle node | ENV-based config | Weekly security updates",
"cosmos-description": "🧅 Tor Guard Relay v1.1.3 - High-bandwidth guard/middle node | ENV-based config | Weekly security updates",
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/refs/heads/main/src/onion.png",
"cosmos-auto-update": "true",
"cosmos-force-network-secured": "false",
"cosmos-version": "1.1.2"
"cosmos-version": "1.1.3"
}
}
},
"volumes": {
"tor-guard-data": {},
"tor-guard-logs": {}
},
"metadata": {
"description": "🧅 Tor Guard Relay - High-bandwidth guard/middle node",
"version": "1.1.2",
"author": "r3bo0tbx1",
"tags": ["tor", "relay", "guard", "middle", "privacy"],
"configuration_method": "environment_variables",
"notes": [
"ENV-based configuration - no config file needed",
"Required: TOR_NICKNAME, TOR_CONTACT_INFO, TOR_ORPORT, TOR_DIRPORT",
"Optional: TOR_BANDWIDTH_RATE, TOR_BANDWIDTH_BURST (sets RelayBandwidthRate/Burst)",
"Set TOR_DIRPORT=0 to disable directory service (less bandwidth)",
"For mounted config file, remove environment variables and add:",
" { \"type\": \"bind\", \"source\": \"/path/to/relay-guard.conf\", \"target\": \"/etc/tor/torrc\", \"read_only\": true }",
"In mounted config: Use RelayBandwidthRate/Burst (relay-only) or BandwidthRate/Burst (global)",
"After deployment: docker exec tor-guard-relay status",
"Check fingerprint: docker exec tor-guard-relay fingerprint",
"Weekly security rebuilds every Sunday 18:30 UTC"
],
"recommended_bandwidth": {
"minimum": "10 MBytes rate, 20 MBytes burst",
"recommended": "50 MBytes rate, 100 MBytes burst",
"high_performance": "100 MBytes rate, 200 MBytes burst"
}
}
}
}

View File

@@ -30,6 +30,9 @@
"security_opt": [
"no-new-privileges:true"
],
"cap_drop": [
"ALL"
],
"cap_add": [
"NET_BIND_SERVICE",
"CHOWN",
@@ -37,17 +40,27 @@
"SETGID",
"DAC_OVERRIDE"
],
"healthcheck": {
"test": [
"CMD-SHELL",
"/usr/local/bin/healthcheck.sh"
],
"interval": "10m",
"timeout": "15s",
"start_period": "30s",
"retries": 3
},
"labels": {
"cosmos-stack": "TorMultiRelay",
"cosmos-stack-main": "TorRelay1",
"cosmos-description": "🧅 Hardened Tor Guard Relay v1.1.2 with diagnostics & auto-healing",
"cosmos-description": "🧅 Hardened Tor Guard Relay v1.1.3 with diagnostics & auto-healing",
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/main/src/onion.png",
"cosmos-auto-update": "true",
"cosmos-auto-update-type": "registry",
"cosmos-force-network-secured": "false",
"cosmos-auto-update-notify": "true",
"cosmos-auto-update-restart": "true",
"cosmos-version": "1.1.2",
"cosmos-version": "1.1.3",
"maintainer": "rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>"
}
},
@@ -80,6 +93,9 @@
"security_opt": [
"no-new-privileges:true"
],
"cap_drop": [
"ALL"
],
"cap_add": [
"NET_BIND_SERVICE",
"CHOWN",
@@ -87,16 +103,26 @@
"SETGID",
"DAC_OVERRIDE"
],
"healthcheck": {
"test": [
"CMD-SHELL",
"/usr/local/bin/healthcheck.sh"
],
"interval": "10m",
"timeout": "15s",
"start_period": "30s",
"retries": 3
},
"labels": {
"cosmos-stack": "TorMultiRelay",
"cosmos-description": "🧅 Hardened Tor Guard Relay v1.1.2 with diagnostics & auto-healing",
"cosmos-description": "🧅 Hardened Tor Guard Relay v1.1.3 with diagnostics & auto-healing",
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/main/src/onion.png",
"cosmos-auto-update": "true",
"cosmos-auto-update-type": "registry",
"cosmos-force-network-secured": "false",
"cosmos-auto-update-notify": "true",
"cosmos-auto-update-restart": "true",
"cosmos-version": "1.1.2",
"cosmos-version": "1.1.3",
"maintainer": "rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>"
}
},
@@ -129,6 +155,9 @@
"security_opt": [
"no-new-privileges:true"
],
"cap_drop": [
"ALL"
],
"cap_add": [
"NET_BIND_SERVICE",
"CHOWN",
@@ -136,32 +165,48 @@
"SETGID",
"DAC_OVERRIDE"
],
"healthcheck": {
"test": [
"CMD-SHELL",
"/usr/local/bin/healthcheck.sh"
],
"interval": "10m",
"timeout": "15s",
"start_period": "30s",
"retries": 3
},
"labels": {
"cosmos-stack": "TorMultiRelay",
"cosmos-description": "🧅 Hardened Tor Guard Relay v1.1.2 with diagnostics & auto-healing",
"cosmos-description": "🧅 Hardened Tor Guard Relay v1.1.3 with diagnostics & auto-healing",
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/main/src/onion.png",
"cosmos-auto-update": "true",
"cosmos-auto-update-type": "registry",
"cosmos-force-network-secured": "false",
"cosmos-auto-update-notify": "true",
"cosmos-auto-update-restart": "true",
"cosmos-version": "1.1.2",
"cosmos-version": "1.1.3",
"maintainer": "rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>"
}
}
},
"volumes": {
"tor-relay-1-data": { "driver": "local" },
"tor-relay-1-logs": { "driver": "local" },
"tor-relay-2-data": { "driver": "local" },
"tor-relay-2-logs": { "driver": "local" },
"tor-relay-3-data": { "driver": "local" },
"tor-relay-3-logs": { "driver": "local" }
},
"metadata": {
"description": "🧅 Tor Guard Multi-Relay Stack - 3 relays with ultra-optimized 16.8 MB containers",
"version": "1.1.2",
"author": "r3bo0tbx1",
"tags": ["tor", "relay", "privacy", "multi-relay"]
"tor-relay-1-data": {
"driver": "local"
},
"tor-relay-1-logs": {
"driver": "local"
},
"tor-relay-2-data": {
"driver": "local"
},
"tor-relay-2-logs": {
"driver": "local"
},
"tor-relay-3-data": {
"driver": "local"
},
"tor-relay-3-logs": {
"driver": "local"
}
}
}
}

View File

@@ -1,228 +1,53 @@
version: "3.8"
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# Tor obfs4 Bridge - Official ENV Naming
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# Drop-in replacement for thetorproject/obfs4-bridge:latest
#
# Features:
# - 100% compatible with official Tor Project bridge ENV variables
# - Weekly security rebuilds (Sundays 18:30 UTC)
# - 4 diagnostic tools (status, health, fingerprint, bridge-line)
# - JSON health API for monitoring integration
# - Ultra-minimal 16.8 MB Alpine Linux base
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
services:
obfs4-bridge:
image: r3bo0tbx1/onion-relay:latest
container_name: obfs4-bridge
restart: unless-stopped
network_mode: host
environment:
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# REQUIRED: Official Tor Project Bridge ENV Variables
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# These match the official thetorproject/obfs4-bridge naming
# OR_PORT: Tor relay traffic port (ORPort)
# Suggested: 443, 9001, or any port > 1024
- OR_PORT=${OR_PORT:-9001}
# PT_PORT: Pluggable transport port (obfs4)
# Can be any port > 1024
- PT_PORT=${PT_PORT:-9002}
# EMAIL: Contact email address
# REQUIRED: Used in bridge descriptor
- EMAIL=${EMAIL:?EMAIL is required}
# NICKNAME: Bridge nickname
# Optional: Defaults to "DockerObfs4Bridge" if not set
- NICKNAME=${NICKNAME:-DockerObfs4Bridge}
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# OPTIONAL: Advanced Configuration
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# Enable processing of OBFS4V_* environment variables
- OBFS4_ENABLE_ADDITIONAL_VARIABLES=${OBFS4_ENABLE_ADDITIONAL_VARIABLES:-1}
# Example OBFS4V_* variables (additional torrc options)
# Uncomment and modify as needed:
# Disable IPv6 address announcements
- OBFS4V_AddressDisableIPv6=${OBFS4V_AddressDisableIPv6:-0}
# Set maximum memory in queues (helps with high-bandwidth bridges)
- OBFS4V_MaxMemInQueues=${OBFS4V_MaxMemInQueues:-1024 MB}
# Other common OBFS4V_* options:
# - OBFS4V_BandwidthRate=10 MBytes
# - OBFS4V_BandwidthBurst=20 MBytes
# - OBFS4V_AccountingMax=100 GBytes
# - OBFS4V_AccountingStart=month 1 00:00
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# Optional: Container Configuration
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
- OBFS4V_BandwidthRate=10 MBytes
- OBFS4V_BandwidthBurst=20 MBytes
- OBFS4V_AccountingMax=100 GBytes
- OBFS4V_AccountingStart=month 1 00:00
- TZ=${TZ:-UTC}
volumes:
# Data volume: Stores bridge keys, state, and pt_state
- obfs4-data:/var/lib/tor
# Logs volume: Separate log storage for easier management
- obfs4-logs:/var/log/tor
# Security hardening
security_opt:
- no-new-privileges:true
# Minimal required capabilities
cap_add:
- NET_BIND_SERVICE # Allow binding to ports < 1024
- CHOWN # Fix volume permissions on startup
- SETUID # Switch to tor user
- SETGID # Switch to tor group
- DAC_OVERRIDE # Override file permissions for healing
# Drop all other capabilities
- NET_BIND_SERVICE
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
cap_drop:
- ALL
# Health check using built-in health tool
healthcheck:
test: ["CMD-SHELL", "health | grep -q '\"status\":\"healthy\"' || exit 1"]
test: ["CMD-SHELL", "/usr/local/bin/healthcheck.sh"]
interval: 60s
timeout: 10s
retries: 3
start_period: 120s
labels:
# Container metadata
com.centurylinklabs.watchtower.enable: "true"
description: "Tor obfs4 Bridge - Drop-in replacement for thetorproject/obfs4-bridge"
version: "1.1.2"
version: "1.1.3"
maintainer: "rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>"
volumes:
obfs4-data:
# Volume naming matches official thetorproject/obfs4-bridge convention
# Format: tor-datadir-<OR_PORT>-<PT_PORT>
name: tor-datadir-${OR_PORT:-9001}-${PT_PORT:-9002}
driver: local
obfs4-logs:
name: tor-logs-${OR_PORT:-9001}-${PT_PORT:-9002}
driver: local
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# USAGE INSTRUCTIONS
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
#
# 1. Create a .env file with your configuration:
#
# OR_PORT=9001
# PT_PORT=9002
# EMAIL=admin@example.com
# NICKNAME=MyObfs4Bridge
#
# 2. Deploy the bridge:
#
# docker-compose -f docker-compose-bridge-official.yml up -d
#
# 3. Verify deployment:
#
# # Check container status
# docker-compose -f docker-compose-bridge-official.yml ps
#
# # View logs
# docker-compose -f docker-compose-bridge-official.yml logs -f
#
# # Full health report
# docker exec obfs4-bridge status
#
# # JSON health check
# docker exec obfs4-bridge health | jq .
#
# 4. Get your bridge line (after 24-48 hours):
#
# docker exec obfs4-bridge bridge-line
#
# 5. Check fingerprint:
#
# docker exec obfs4-bridge fingerprint
#
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# MIGRATION FROM OFFICIAL IMAGE
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
#
# If you're migrating from thetorproject/obfs4-bridge:
#
# 1. Stop the old container:
# docker-compose down
#
# 2. Update docker-compose.yml with this file (or change image to r3bo0tbx1/onion-relay:latest or ghcr.io/r3bo0tbx1/onion-relay:latest)
#
# 3. Start with same volumes (preserves bridge keys):
# docker-compose -f docker-compose-bridge-official.yml up -d
#
# Your bridge identity is preserved! No need to share a new bridge line.
#
# See docs/MIGRATION-V1.1.X.md for detailed migration guide (Path 2).
#
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# MONITORING & OBSERVABILITY
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
#
# Use the JSON health API for monitoring:
#
# Prometheus Node Exporter (textfile collector):
# docker exec obfs4-bridge health | jq -r '
# "tor_bootstrap_percent \(.bootstrap)",
# "tor_reachable \(if .reachable then 1 else 0 end)"
# ' > /var/lib/node_exporter/tor-bridge.prom
#
# Nagios/Icinga check:
# #!/bin/bash
# STATUS=$(docker exec obfs4-bridge health | jq -r '.status')
# [ "$STATUS" = "healthy" ] && exit 0 || exit 2
#
# Cron-based alerting:
# */5 * * * * docker exec obfs4-bridge health | jq -r '.status' | grep -q 'healthy' || alert
#
# See docs/MONITORING.md for complete integration examples.
#
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# FIREWALL CONFIGURATION
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
#
# Allow incoming connections to your bridge:
#
# UFW (Ubuntu):
# sudo ufw allow 9001/tcp comment 'Tor ORPort'
# sudo ufw allow 9002/tcp comment 'Tor obfs4'
#
# firewalld (CentOS/RHEL):
# sudo firewall-cmd --permanent --add-port=9001/tcp
# sudo firewall-cmd --permanent --add-port=9002/tcp
# sudo firewall-cmd --reload
#
# iptables:
# sudo iptables -A INPUT -p tcp --dport 9001 -j ACCEPT
# sudo iptables -A INPUT -p tcp --dport 9002 -j ACCEPT
#
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# RESOURCES
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
#
# - GitHub: https://github.com/r3bo0tbx1/tor-guard-relay
# - Docker Hub: https://hub.docker.com/r/r3bo0tbx1/onion-relay
# - GHCR: ghcr.io/r3bo0tbx1/onion-relay
# - Documentation: https://github.com/r3bo0tbx1/tor-guard-relay/tree/main/docs
# - Migration Guide: docs/MIGRATION-FROM-OFFICIAL.md
# - Tor Bridge Guide: https://community.torproject.org/relay/setup/bridge/
#
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
driver: local
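Review bot: `OBFS4V_BandwidthRate=10 MBytes`, `OBFS4V_BandwidthBurst=20 MBytes`, `OBFS4V_AccountingMax=100 GBytes` and `OBFS4V_AccountingStart=month 1 00:00` were previously commented examples and are now set unconditionally, with `OBFS4_ENABLE_ADDITIONAL_VARIABLES` defaulting to 1; every deployment of this template silently gets a 100 GByte monthly cap and a 10 MByte/s limit. Make them `${VAR:-default}` like the other entries or drop them. Separately, this file keeps `interval: 60s` / `start_period: 120s` while every other template in the commit uses `10m` / `30s`; if the point of the refactor is standardization, align them.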

View File

@@ -1,203 +1,46 @@
version: '3.8'
# ============================================================================
# Tor obfs4 Bridge - Docker Compose
# Help censored users connect to the Tor network
# ============================================================================
services:
tor-bridge:
image: r3bo0tbx1/onion-relay:latest # or use ghcr.io/r3bo0tbx1/onion-relay:latest
image: r3bo0tbx1/onion-relay:latest
container_name: tor-bridge
restart: unless-stopped
network_mode: host
environment:
# ──────────────────────────────────────────────────
# Relay Mode Configuration
# ──────────────────────────────────────────────────
TOR_RELAY_MODE: bridge
# ──────────────────────────────────────────────────
# Required: Bridge Identity
# ──────────────────────────────────────────────────
TOR_NICKNAME: MyTorBridge
TOR_CONTACT_INFO: "your-email@example.com"
# ──────────────────────────────────────────────────
# Network Ports (defaults shown, fully configurable)
# Suggested: Use 443 for ORPort in censored regions
# ──────────────────────────────────────────────────
TOR_ORPORT: 9001 # Default: 9001, suggested: 443 or any port > 1024
TOR_OBFS4_PORT: 9002 # Default: 9002, can be any port > 1024
# ──────────────────────────────────────────────────
# Bandwidth Limits (bridges can run on lower bandwidth)
# ──────────────────────────────────────────────────
TOR_ORPORT: 9001
TOR_OBFS4_PORT: 9002
TOR_BANDWIDTH_RATE: "10 MBytes"
TOR_BANDWIDTH_BURST: "20 MBytes"
volumes:
# Persistent data (keys, state, bridge credentials)
- tor-bridge-data:/var/lib/tor
# Persistent logs
- tor-bridge-logs:/var/log/tor
# Optional: Mount custom configuration instead of using env vars
# - ./relay-bridge.conf:/etc/tor/torrc:ro
# Healthcheck
security_opt:
- no-new-privileges:true
cap_add:
- NET_BIND_SERVICE
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
cap_drop:
- ALL
healthcheck:
test: ["CMD-SHELL", "/usr/local/bin/healthcheck.sh"]
interval: 10m
timeout: 15s
start_period: 30s
retries: 3
labels:
com.centurylinklabs.watchtower.enable: "true"
description: "Tor obfs4 Bridge"
version: "1.1.3"
maintainer: "rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>"
volumes:
tor-bridge-data:
driver: local
tor-bridge-logs:
driver: local
# ============================================================================
# Usage Instructions
# ============================================================================
#
# 1. CONFIGURE:
# Edit environment variables above:
# - TOR_NICKNAME: Your bridge name
# - TOR_CONTACT_INFO: Your email
# - TOR_ORPORT: Tor connection port (default: 9001)
# - TOR_OBFS4_PORT: obfs4 transport port (default: 9002)
# - TOR_BANDWIDTH_RATE/BURST: Adjust for your connection
#
# Alternative: Use official Tor Project naming (drop-in compatible)
# - NICKNAME instead of TOR_NICKNAME
# - EMAIL instead of TOR_CONTACT_INFO
# - OR_PORT instead of TOR_ORPORT
# - PT_PORT instead of TOR_OBFS4_PORT (auto-detects bridge mode)
# See docker-compose-bridge-official.yml for complete example
#
# 2. DEPLOY:
# docker-compose -f docker-compose-bridge.yml up -d
#
# 3. VERIFY:
# # Check status
# docker exec tor-bridge status
#
# # View logs
# docker logs -f tor-bridge
#
# # Get fingerprint
# docker exec tor-bridge fingerprint
#
# 4. GET YOUR BRIDGE LINE (after 24-48 hours):
# # Use the built-in tool
# docker exec tor-bridge bridge-line
#
# # Or check directly
# docker exec tor-bridge cat /var/lib/tor/pt_state/obfs4_bridgeline.txt
#
# # Or find it in logs
# docker exec tor-bridge grep "bridge line" /var/log/tor/notices.log
#
# Output will look like:
# Bridge obfs4 <IP>:<PORT> <FINGERPRINT> cert=<CERT> iat-mode=0
#
# 5. SHARE YOUR BRIDGE:
# - ONLY share with people you trust
# - Do NOT publish publicly
# - Users can also get bridges from https://bridges.torproject.org/
#
# 6. MONITORING:
# # Health check (JSON output)
# docker exec tor-bridge health
#
# # Full status report
# docker exec tor-bridge status
#
# ============================================================================
# Bridge Operation Notes
# ============================================================================
#
# WHAT IS A BRIDGE?
# - Bridges help users in censored countries connect to Tor
# - Bridge addresses are NOT published in the main directory
# - They are distributed through BridgeDB and other channels
#
# obfs4 PLUGGABLE TRANSPORT:
# - Makes Tor traffic look like random data
# - Harder for censors to detect and block
# - Most effective transport for circumventing censorship
#
# AFTER DEPLOYMENT:
# - Wait 24-48 hours for bridge to be registered and distributed
# - Bridge will appear in BridgeDB: https://bridges.torproject.org/
# - Users in censored countries can request bridge addresses
#
# PRIVACY NOTES:
# - Bridges show fewer statistics than relays (by design)
# - Connection counts are approximate
# - Less information is logged for user privacy
#
# ============================================================================
# Port Information
# ============================================================================
#
# Using network_mode: host, all ports bind directly to the host:
#
# PUBLIC (must be accessible from internet):
# - ORPort (default: 9001, configurable) - Tor connection
# - obfs4 port (default: 9002, configurable) - Pluggable transport
#
# All diagnostics via docker exec only (no monitoring ports exposed)
#
# ============================================================================
# Firewall Configuration
# ============================================================================
#
# UFW (Ubuntu/Debian):
# sudo ufw allow 9001/tcp
# sudo ufw allow 9002/tcp
#
# firewalld (RHEL/CentOS):
# sudo firewall-cmd --permanent --add-port=9001/tcp
# sudo firewall-cmd --permanent --add-port=9002/tcp
# sudo firewall-cmd --reload
#
# iptables:
# sudo iptables -A INPUT -p tcp --dport 9001 -j ACCEPT
# sudo iptables -A INPUT -p tcp --dport 9002 -j ACCEPT
#
# ============================================================================
# Troubleshooting
# ============================================================================
#
# Bridge line not appearing:
# - Wait 24-48 hours after first start
# - Check logs: docker logs tor-bridge
# - Verify both ports 9001 and 9002 are accessible from outside
# - Check firewall settings
#
# No connections:
# - Normal for new bridges (takes time to be distributed)
# - Bridges are not heavily used unless specifically shared
# - Check BridgeDB: https://bridges.torproject.org/
#
# lyrebird (obfs4) not working:
# - Check logs for lyrebird errors: docker logs tor-bridge | grep lyrebird
# - Verify lyrebird is installed: docker exec tor-bridge which lyrebird
# - Check pt_state directory: docker exec tor-bridge ls -la /var/lib/tor/pt_state/
#
# ============================================================================
# Resources
# ============================================================================
#
# - Bridge Setup: https://community.torproject.org/relay/setup/bridge/
# - BridgeDB: https://bridges.torproject.org/
# - Pluggable Transports: https://tb-manual.torproject.org/circumvention/
# - obfs4 Documentation: https://gitlab.com/yawning/obfs4
#
# ============================================================================
driver: local
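Review bot: the `cap_add` list grants `DAC_OVERRIDE` alongside `CHOWN`, `SETUID` and `SETGID` with no explanation now that the comments are gone; the official-bridge template used to justify it ("Override file permissions for healing"). Since `DAC_OVERRIDE` bypasses all file permission checks, either keep that one-line justification or drop the capability if the entrypoint only needs to chown the volumes and switch user.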

View File

@@ -1,156 +1,47 @@
version: '3.8'
# ============================================================================
# Tor Exit Relay - Docker Compose
# ⚠️ WARNING: Read legal considerations before deploying!
# ============================================================================
services:
tor-exit-relay:
image: r3bo0tbx1/onion-relay:latest # or use ghcr.io/r3bo0tbx1/onion-relay:latest
image: r3bo0tbx1/onion-relay:latest
container_name: tor-exit-relay
restart: unless-stopped
network_mode: host
environment:
# ──────────────────────────────────────────────────
# Relay Mode Configuration
# ──────────────────────────────────────────────────
TOR_RELAY_MODE: exit
# ──────────────────────────────────────────────────
# Required: Relay Identity
# ──────────────────────────────────────────────────
TOR_NICKNAME: MyExitRelay
TOR_CONTACT_INFO: "your-email@example.com <0xYOUR_PGP_KEY>"
# ──────────────────────────────────────────────────
# Network Ports (defaults shown, fully configurable)
# Suggested: Use 443 for ORPort in censored regions
# ──────────────────────────────────────────────────
TOR_ORPORT: 9001 # Default: 9001, suggested: 443 or any port > 1024
TOR_DIRPORT: 9030 # Default: 9030, set to 0 to disable
# ──────────────────────────────────────────────────
# Bandwidth Limits (adjust for your connection)
# TOR_BANDWIDTH_RATE/BURST sets RelayBandwidthRate/Burst in torrc
# For mounted config, you can use either:
# - RelayBandwidthRate/Burst (relay-specific, recommended)
# - BandwidthRate/Burst (global, all Tor traffic)
# ──────────────────────────────────────────────────
TOR_ORPORT: 9001
TOR_DIRPORT: 9030
TOR_BANDWIDTH_RATE: "50 MBytes"
TOR_BANDWIDTH_BURST: "100 MBytes"
# ──────────────────────────────────────────────────
# Exit Policy (optional - defaults to reduced exit policy)
# Format: "accept *:80,accept *:443,reject *:*"
# Leave empty for default reduced exit policy
# ──────────────────────────────────────────────────
# TOR_EXIT_POLICY: ""
TOR_EXIT_POLICY: "accept *:20-23,accept *:43,accept *:53,accept *:79-81,accept *:88,accept *:110,accept *:143,accept *:194,accept *:220,accept *:389,accept *:443,accept *:464,accept *:465,accept *:531,accept *:543-544,accept *:554,accept *:563,accept *:636,accept *:706,accept *:749,accept *:873,accept *:902-904,accept *:981,accept *:989-995,accept *:1194,accept *:1220,accept *:1293,accept *:1500,accept *:1533,accept *:1677,accept *:1723,accept *:1755,accept *:1863,accept *:2082,accept *:2083,accept *:2086-2087,accept *:2095-2096,accept *:2102-2104,accept *:3128,accept *:3389,accept *:3690,accept *:4321,accept *:4643,accept *:5050,accept *:5190,accept *:5222-5223,accept *:5228,accept *:5900,accept *:6660-6669,accept *:6679,accept *:6697,accept *:8000,accept *:8008,accept *:8074,accept *:8080,accept *:8082,accept *:8087-8088,accept *:8232-8233,accept *:8332-8333,accept *:8443,accept *:8888,accept *:9418,accept *:9999,accept *:10000,accept *:11371,accept *:19294,accept *:19638,accept *:50002,accept *:64738,reject *:*"
volumes:
# Persistent data (keys, state, fingerprint)
- tor-exit-data:/var/lib/tor
# Persistent logs
- tor-exit-logs:/var/log/tor
# Optional: Mount custom configuration instead of using env vars
# - ./relay-exit.conf:/etc/tor/torrc:ro
# Healthcheck
security_opt:
- no-new-privileges:true
cap_add:
- NET_BIND_SERVICE
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
cap_drop:
- ALL
healthcheck:
test: ["CMD-SHELL", "/usr/local/bin/healthcheck.sh"]
interval: 10m
timeout: 15s
start_period: 30s
retries: 3
labels:
com.centurylinklabs.watchtower.enable: "true"
description: "Tor Exit Relay"
version: "1.1.3"
maintainer: "rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>"
volumes:
tor-exit-data:
driver: local
tor-exit-logs:
driver: local
# ============================================================================
# Usage Instructions
# ============================================================================
#
# 1. BEFORE DEPLOYMENT:
# - Read exit relay legal FAQ: https://community.torproject.org/relay/community-resources/eff-tor-legal-faq/
# - Prepare for abuse complaints
# - Inform your ISP (recommended)
# - Set up abuse@ email address
#
# 2. CONFIGURE:
# Edit environment variables above:
# - TOR_NICKNAME: Your relay name
# - TOR_CONTACT_INFO: Your email (CRITICAL for exit relays!)
# - TOR_BANDWIDTH_RATE/BURST: Adjust for your connection
#
# 3. DEPLOY:
# docker-compose -f docker-compose-exit.yml up -d
#
# 4. VERIFY:
# # Check status
# docker exec tor-exit-relay status
#
# # View logs
# docker logs -f tor-exit-relay
#
# # Get fingerprint
# docker exec tor-exit-relay fingerprint
#
# 5. MONITORING:
# # Health check (JSON output)
# docker exec tor-exit-relay health
#
# 6. FIND YOUR RELAY:
# After 1-2 hours, search for your relay on:
# https://metrics.torproject.org/rs.html
#
# ============================================================================
# Exit Relay Checklist
# ============================================================================
#
# ✓ Read and understand exit relay legal implications
# ✓ Set TOR_NICKNAME to a unique name
# ✓ Set TOR_CONTACT_INFO with valid email
# ✓ Configure bandwidth limits appropriate for your connection
# ✓ Ensure ORPort and DirPort are publicly accessible (defaults: 9001, 9030)
# ✓ Set up abuse complaint handling procedures
# ✓ Prepare standard response template for abuse complaints
# ✓ Monitor logs daily
# ✓ Set up email alerts for issues
#
# ============================================================================
# Port Information
# ============================================================================
#
# Using network_mode: host, all ports bind directly to the host:
#
# PUBLIC (must be accessible from internet):
# - ORPort (default: 9001, configurable) - Tor relay traffic
# - DirPort (default: 9030, configurable) - Directory service
#
# Recommended: Use port 443 for ORPort in censored regions
# Any port > 1024 works, configure via TOR_ORPORT and TOR_DIRPORT
#
# ============================================================================
# Firewall Configuration
# ============================================================================
#
# UFW (Ubuntu/Debian):
# sudo ufw allow <your-orport>/tcp # e.g., 9001 or 443
# sudo ufw allow <your-dirport>/tcp # e.g., 9030
#
# firewalld (RHEL/CentOS):
# sudo firewall-cmd --permanent --add-port=<your-orport>/tcp
# sudo firewall-cmd --permanent --add-port=<your-dirport>/tcp
# sudo firewall-cmd --reload
#
# iptables:
# sudo iptables -A INPUT -p tcp --dport <your-orport> -j ACCEPT
# sudo iptables -A INPUT -p tcp --dport <your-dirport> -j ACCEPT
#
# ============================================================================
driver: local
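Review bot: `cap_add` in the `tor-exit-relay` service grants `DAC_OVERRIDE` next to `CHOWN`, `SETUID`, `SETGID` and `NET_BIND_SERVICE`; `DAC_OVERRIDE` lets the process bypass file permission checks entirely, so if it is only there to fix ownership of the `/var/lib/tor` and `/var/log/tor` volumes on first start, `CHOWN` already covers that and `DAC_OVERRIDE` should be dropped (and `NET_BIND_SERVICE` is only needed when `TOR_ORPORT`/`TOR_DIRPORT` are set below 1024, which the defaults 9001/9030 are not). Two smaller points: the `# Healthcheck` comment is left above `security_opt:` instead of above `healthcheck:`, and the new hard-coded `TOR_EXIT_POLICY` line replaces the comment that explained an empty value falls back to the reduced exit policy, so a one-line comment saying this is that reduced policy spelled out (and may be trimmed) would keep the template self-explanatory.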


@@ -1,65 +1,38 @@
version: '3.8'
# ============================================================================
# Tor Guard/Middle Relay - Docker Compose (Environment Variable Method)
# Using dynamic configuration generation instead of mounting config file
# ============================================================================
services:
tor-guard-relay:
image: r3bo0tbx1/onion-relay:latest # or use ghcr.io/r3bo0tbx1/onion-relay:latest
image: r3bo0tbx1/onion-relay:latest
container_name: tor-guard-relay
restart: unless-stopped
network_mode: host
environment:
# ──────────────────────────────────────────────────
# Relay Mode Configuration
# ──────────────────────────────────────────────────
TOR_RELAY_MODE: guard # guard, exit, or bridge
# ──────────────────────────────────────────────────
# Required: Relay Identity
# ──────────────────────────────────────────────────
TOR_RELAY_MODE: guard
TOR_NICKNAME: MyGuardRelay
TOR_CONTACT_INFO: "your-email@example.com <0xYOUR_PGP_KEY>"
# ──────────────────────────────────────────────────
# Network Ports (defaults shown, fully configurable)
# Suggested: Use 443 for ORPort in censored regions
# ──────────────────────────────────────────────────
TOR_ORPORT: 9001 # Default: 9001, suggested: 443 or any port > 1024
TOR_DIRPORT: 9030 # Default: 9030, set to 0 to disable
# ──────────────────────────────────────────────────
# Bandwidth Limits (adjust for your connection)
# TOR_BANDWIDTH_RATE/BURST sets RelayBandwidthRate/Burst in torrc
# For mounted config, you can use either:
# - RelayBandwidthRate/Burst (relay-specific, recommended)
# - BandwidthRate/Burst (global, all Tor traffic)
# ──────────────────────────────────────────────────
TOR_ORPORT: 9001
TOR_DIRPORT: 9030
TOR_BANDWIDTH_RATE: "50 MBytes"
TOR_BANDWIDTH_BURST: "100 MBytes"
volumes:
# Persistent data (keys, state, fingerprint)
- tor-guard-data:/var/lib/tor
# Persistent logs
- tor-guard-logs:/var/log/tor
# Note: No config file mount needed with env var method!
# Configuration is generated dynamically at startup
# Healthcheck
security_opt:
- no-new-privileges:true
cap_add:
- NET_BIND_SERVICE
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
cap_drop:
- ALL
healthcheck:
test: ["CMD-SHELL", "/usr/local/bin/healthcheck.sh"]
interval: 10m
timeout: 15s
start_period: 30s
retries: 3
# Resource limits (optional but recommended)
deploy:
resources:
limits:
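Review bot: the removed `# guard, exit, or bridge` hint beside `TOR_RELAY_MODE` was the only place in this template listing the accepted values; keep a short trailing comment on `TOR_RELAY_MODE: guard` (`# guard | exit | bridge`) so a reader cannot guess an invalid mode. Also the `# Healthcheck` comment in `tor-guard-relay` now sits above `security_opt:` rather than above `healthcheck:`, and the `cap_add` list carries the same `DAC_OVERRIDE` question as the exit template: if `CHOWN` is enough to take ownership of the volumes, drop `DAC_OVERRIDE`.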
@@ -68,8 +41,6 @@ services:
reservations:
cpus: '0.5'
memory: 512M
# Logging configuration
logging:
driver: json-file
options:
@@ -80,108 +51,4 @@ volumes:
tor-guard-data:
driver: local
tor-guard-logs:
driver: local
# ============================================================================
# Usage Instructions
# ============================================================================
#
# 1. CONFIGURE:
# Edit environment variables above:
# - TOR_NICKNAME: Your relay name (alphanumeric, 1-19 chars)
# - TOR_CONTACT_INFO: Your email (required)
# - TOR_BANDWIDTH_RATE/BURST: Adjust for your connection
#
# 2. DEPLOY:
# docker-compose -f docker-compose-guard-env.yml up -d
#
# 3. VERIFY:
# # Check status (pretty output with emojis)
# docker exec tor-guard-relay status
#
# # View logs
# docker logs -f tor-guard-relay
#
# # Get fingerprint
# docker exec tor-guard-relay fingerprint
#
# 4. MONITORING:
# # JSON health check (for automation/monitoring)
# docker exec tor-guard-relay health
#
# 5. FIND YOUR RELAY:
# After 1-2 hours, search for your relay on:
# https://metrics.torproject.org/rs.html
#
# ============================================================================
# Environment Variable vs Config File Method
# ============================================================================
#
# This template uses ENVIRONMENT VARIABLES for configuration.
#
# PROS:
# ✓ No config file to maintain
# ✓ Easy to change settings (just edit env vars)
# ✓ Good for simple setups
# ✓ Works well with orchestration tools
# ✓ Configuration is generated dynamically at startup
#
# CONS:
# ✗ Less flexible for advanced Tor options
# ✗ Cannot set all possible Tor directives
#
# If you need advanced configuration, use the config file method instead:
# See: templates/docker-compose.yml
#
# ============================================================================
# Port Information
# ============================================================================
#
# Using network_mode: host, all ports bind directly to the host:
#
# PUBLIC (must be accessible from internet):
# - ORPort (default: 9001, configurable via TOR_ORPORT)
# - DirPort (default: 9030, configurable via TOR_DIRPORT, can be disabled)
#
# All ports are fully configurable. Suggested alternatives:
# - Use port 443 for ORPort in censored regions (appears as HTTPS)
# - Use any port > 1024 for unprivileged operation
#
# ============================================================================
# Firewall Configuration
# ============================================================================
#
# Replace 9001/9030 with your actual ports if you changed them:
#
# UFW (Ubuntu/Debian):
# sudo ufw allow 9001/tcp
# sudo ufw allow 9030/tcp
#
# firewalld (RHEL/CentOS):
# sudo firewall-cmd --permanent --add-port=9001/tcp
# sudo firewall-cmd --permanent --add-port=9030/tcp
# sudo firewall-cmd --reload
#
# iptables:
# sudo iptables -A INPUT -p tcp --dport 9001 -j ACCEPT
# sudo iptables -A INPUT -p tcp --dport 9030 -j ACCEPT
#
# ============================================================================
# Switching Modes
# ============================================================================
#
# To switch relay modes, just change TOR_RELAY_MODE:
#
# Guard/Middle relay (default):
# TOR_RELAY_MODE: guard
#
# Exit relay (understand legal implications first!):
# TOR_RELAY_MODE: exit
# See: templates/docker-compose-exit.yml for full example
#
# obfs4 Bridge:
# TOR_RELAY_MODE: bridge
# TOR_OBFS4_PORT: 9002 # Add this
# See: templates/docker-compose-bridge.yml for full example
#
# ============================================================================
driver: local
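Review bot: the removed `Switching Modes` section was the only mention in this template that bridge mode needs `TOR_OBFS4_PORT` in addition to `TOR_RELAY_MODE: bridge`, and the removed `Environment Variable vs Config File Method` section was where the limits of the env-var method (not every Tor directive is settable) were stated; if the goal is leaner templates, those two facts belong in the README or in a comment pointing at `templates/docker-compose-bridge.yml` and `templates/docker-compose.yml`, so an operator editing `TOR_RELAY_MODE` here still learns about `TOR_OBFS4_PORT` and the config-file fallback.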


@@ -1,14 +1,21 @@
version: '3.8'
# Tor Guard Relay - Multi-Instance Deployment
# Clean YAML syntax, validated with yamllint
services:
tor-relay-1:
image: r3bo0tbx1/onion-relay:latest # or use ghcr.io/r3bo0tbx1/onion-relay:latest
image: r3bo0tbx1/onion-relay:latest
container_name: guard-relay-1
restart: unless-stopped
network_mode: host
security_opt:
- no-new-privileges:true
cap_add:
- NET_BIND_SERVICE
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
cap_drop:
- ALL
volumes:
- ./relays/relay1.conf:/etc/tor/torrc:ro
- tor-guard-data-1:/var/lib/tor
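Review bot: the `security_opt`/`cap_add`/`cap_drop` block added to `tor-relay-1` here is repeated verbatim for `guard-relay-2` and `guard-relay-3` in the next two hunks; define it once as an extension field (for example `x-hardening: &hardening` holding `security_opt`, `cap_add` and `cap_drop`) and merge it into each service with `<<: *hardening`, so a later change to the capability set cannot drift between the three instances.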
@@ -38,6 +45,16 @@ services:
container_name: guard-relay-2
restart: unless-stopped
network_mode: host
security_opt:
- no-new-privileges:true
cap_add:
- NET_BIND_SERVICE
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
cap_drop:
- ALL
volumes:
- ./relays/relay2.conf:/etc/tor/torrc:ro
- tor-guard-data-2:/var/lib/tor
@@ -67,6 +84,16 @@ services:
container_name: guard-relay-3
restart: unless-stopped
network_mode: host
security_opt:
- no-new-privileges:true
cap_add:
- NET_BIND_SERVICE
- CHOWN
- SETUID
- SETGID
- DAC_OVERRIDE
cap_drop:
- ALL
volumes:
- ./relays/relay3.conf:/etc/tor/torrc:ro
- tor-guard-data-3:/var/lib/tor
@@ -95,56 +122,18 @@ volumes:
tor-guard-data-1:
name: tor-guard-data-1
driver: local
tor-guard-logs-1:
name: tor-guard-logs-1
driver: local
tor-guard-data-2:
name: tor-guard-data-2
driver: local
tor-guard-logs-2:
name: tor-guard-logs-2
driver: local
tor-guard-data-3:
name: tor-guard-data-3
driver: local
tor-guard-logs-3:
name: tor-guard-logs-3
driver: local
# ============================================================================
# Usage Instructions
# ============================================================================
#
# 1. CREATE CONFIGS:
# Create relay1.conf, relay2.conf, relay3.conf in ./relays/ directory
# Each relay needs unique:
# - ORPort (e.g., 9001, 9011, 9021)
# - DirPort (e.g., 9030, 9040, 9050) or disable with 0
# - Nickname (e.g., MyRelay1, MyRelay2, MyRelay3)
# All ports are fully configurable - use 443 for better circumvention
#
# 2. DEPLOY:
# docker-compose -f docker-compose-multi-relay.yml up -d
#
# 3. VERIFY:
# docker exec guard-relay-1 status # Check status
# docker exec guard-relay-1 health # JSON health
# docker exec guard-relay-1 fingerprint # Get fingerprint
# docker logs -f guard-relay-1 # Watch logs
#
# ============================================================================
# Diagnostic Tools
# ============================================================================
#
# 4 built-in tools available on each container:
# status - Full relay status with emojis
# health - JSON health check
# fingerprint - Display relay fingerprint
# bridge-line - Get bridge line (bridge mode only)
#
# ============================================================================
driver: local
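Review bot: the removed `1. CREATE CONFIGS` step was the only statement that `./relays/relay1.conf` through `relay3.conf` must exist and that each needs a unique `ORPort`, `DirPort` (or `0`) and `Nickname`; the bind mounts `./relays/relayN.conf:/etc/tor/torrc:ro` in the service hunks still require those files, and with `network_mode: host` two relays configured with the same port will fail to bind, so keep a two-line comment at the top of the file stating those requirements or pointing to where they are now documented.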

tools/gen-auth Normal file

@@ -0,0 +1,43 @@
#!/bin/sh
# Generate Tor Control Port authentication credentials
set -e
GREEN='\033[0;32m'
BLUE='\033[0;34m'
YELLOW='\033[1;33m'
CYAN='\033[0;36m'
BOLD='\033[1m'
NC='\033[0m'
PASS=$(head -c 24 /dev/urandom | base64 | tr -d '\n')
HASH=$(tor --hash-password "$PASS")
echo ""
echo "${CYAN}╔════════════════════════════════════════════════════════════╗${NC}"
echo "${CYAN}║${NC} ${BOLD}Tor Control Port Authentication Generator${NC} ${CYAN}║${NC}"
echo "${CYAN}╚════════════════════════════════════════════════════════════╝${NC}"
echo ""
echo "${GREEN}✓${NC} Generated secure 32-character password"
echo ""
echo "${YELLOW}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo "${BOLD}1. Save this password (use for Nyx authentication):${NC}"
echo "${YELLOW}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
echo " ${BLUE}${PASS}${NC}"
echo ""
echo "${YELLOW}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo "${BOLD}2. Add this line to your torrc:${NC}"
echo "${YELLOW}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
echo " ${GREEN}HashedControlPassword ${HASH}${NC}"
echo ""
echo "${YELLOW}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
echo "${CYAN}📝 Next steps:${NC}"
echo " 1. Edit your relay.conf and add the HashedControlPassword line above"
echo " 2. Restart your container: ${BOLD}docker restart tor-relay${NC}"
echo " 3. Connect with Nyx using the password shown above"
echo ""
echo "${CYAN}💡 Tip:${NC} Save the password in a secure password manager!"
echo ""
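Review bot: under `#!/bin/sh` the colour variables hold literal `\033` sequences and plain `echo` is not guaranteed to interpret them (dash does; bash invoked as `sh` prints them literally, which covers RHEL-family hosts and macOS), so every coloured line should go through `printf` (for example `printf '%b\n' "${CYAN}...${NC}"`) instead of `echo`. Two more points: `HASH=$(tor --hash-password "$PASS")` assumes `tor` is installed on the host, and with `set -e` a missing binary ends the script with only a "not found" error before anything is printed, so either check `command -v tor >/dev/null` with a clear message or run the hash inside the image with `docker exec`; and the `Next steps` text says `docker restart tor-relay`, while the templates in this commit name their containers `tor-exit-relay`, `tor-guard-relay` and `guard-relay-N`, so the example container name will not match any of them.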