github/tor-guard-relay
1
1
Fork 0
mirror of https://github.com/r3bo0tbx1/tor-guard-relay.git synced 2026-04-06 00:32:04 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
0a6dcf698729d92a734673d90f81db5f81ad1f5a
tor-guard-relay/Dockerfile
rE-Bo0t.bx1 0a6dcf6987 feat(security,build): enforce localhost-only binding and harden Dockerfile (v1.0.2) 
BREAKING CHANGE: Internal services now bind exclusively to 127.0.0.1 by default.

This release introduces strict network boundary enforcement and build-level hardening
to improve both runtime security and CI/CD compliance.

Port Security Model:
- Public: 9001 (ORPort), 9030 (DirPort)
- Internal: 9035+ (metrics, health, dashboard) - localhost-only

Security Enhancements:
- Enforces localhost binding for all internal services
- Prevents unauthorized external access to internal endpoints
- Adds reverse proxy, SSH tunnel, and VPN access guidance
- Integrates automated port security validation in diagnostic tools
- Includes comprehensive migration instructions for existing deployments

Build Improvements:
- Dockerfile hardened with strict shell mode (set -euo pipefail)
- Fixed lint warnings: DL3018, DL3059, SC2010, DL4006
- Ensures reproducible builds and cleaner CI validation
- No functional runtime changes beyond improved reliability

File Updates:
- CHANGELOG.md: Version entries updated to v1.0.2
- README.md: Deployment examples and version references aligned
- SECURITY.md: Expanded with port access policy and network architecture
- relay-status.sh: Added port binding validation (v1.0.2)
- integration-check.sh: Added version and port validation phases (v1.0.2)
- Dockerfile: Hardened, lint-compliant, and security aligned

Migration Required:
If external access to metrics or health endpoints is required,
configure a reverse proxy with authentication, SSH tunneling, or VPN routing.
See SECURITY.md for implementation details.

Version: 1.0.2
2025-11-05 21:28:56 +08:00

140 lines
6.1 KiB
Docker
Raw Blame History

# syntax=docker/dockerfile:1.7
# ============================================================================
# Tor Guard Relay - Hardened relay with diagnostics and auto-healing
# Base: Alpine 3.22.2 | Multi-arch: amd64, arm64
# ============================================================================
FROM alpine:3.22.2 AS builder
# Build arguments
ARG BUILD_DATE
ARG BUILD_VERSION
ARG TARGETARCH
# OCI labels
LABEL maintainer="rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>" \
org.opencontainers.image.title="Tor Guard Relay" \
org.opencontainers.image.description="🧅 Hardened Tor Guard Relay with diagnostics & auto-healing" \
org.opencontainers.image.version="${BUILD_VERSION}" \
org.opencontainers.image.created="${BUILD_DATE}" \
org.opencontainers.image.source="https://github.com/r3bo0tbx1/tor-guard-relay" \
org.opencontainers.image.documentation="https://github.com/r3bo0tbx1/tor-guard-relay#readme" \
org.opencontainers.image.licenses="MIT" \
org.opencontainers.image.vendor="r3bo0tbx1" \
org.opencontainers.image.authors="rE-Bo0t.bx1 <r3bo0tbx1@brokenbotnet.com>" \
org.opencontainers.image.url="https://github.com/r3bo0tbx1/tor-guard-relay" \
org.opencontainers.image.base.name="docker.io/library/alpine:3.22.2" \
org.opencontainers.image.revision="${TARGETARCH}"
# ============================================================================
# Shell configuration
# ============================================================================
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
# ============================================================================
# Install core dependencies
# tor: relay daemon | bash: entrypoint | tini: init system (PID 1)
# curl: diagnostics | jq: JSON parsing | bind-tools: DNS (dig/nslookup)
# netcat-openbsd: port checking | coreutils/grep: utilities
# hadolint ignore=DL3018
# ============================================================================
RUN apk add --no-cache \
tor=0.4.8.19-r0 \
bash=5.2.37-r0 \
tini=0.19.0-r3 \
curl=8.14.1-r2 \
jq=1.8.0-r0 \
grep=3.12-r0 \
coreutils=9.7-r1 \
bind-tools=9.20.15-r0 \
netcat-openbsd=1.229.1-r0 \
&& rm -rf /var/cache/apk/*
# ============================================================================
# Setup directories and permissions
# ============================================================================
RUN mkdir -p /var/lib/tor /var/log/tor /run/tor && \
chown -R tor:tor /var/lib/tor /var/log/tor /run/tor && \
chmod 700 /var/lib/tor && \
chmod 755 /var/log/tor /run/tor
# ============================================================================
# Default configuration placeholder (mount your own at runtime)
# ============================================================================
RUN echo "# 🧅 Tor configuration is mounted at runtime" > /etc/tor/torrc
# ============================================================================
# Embed build metadata
# ============================================================================
RUN printf "Version: %s\nBuild Date: %s\nArchitecture: %s\n" \
"${BUILD_VERSION:-dev}" "${BUILD_DATE:-unknown}" "${TARGETARCH:-amd64}" > /build-info.txt
# ============================================================================
# Copy scripts and utilities
# ============================================================================
COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
COPY tools/ /usr/local/bin/
# ============================================================================
# Normalize and harden scripts
# ============================================================================
RUN set -eux; \
for f in /usr/local/bin/*; do \
[ -f "$f" ] || continue; \
tr -d '\r' < "$f" > "$f.tmp" && mv "$f.tmp" "$f"; \
sed -i '1s/^\xEF\xBB\xBF//' "$f" || true; \
chmod +x "$f"; \
done; \
echo "🧩 Installed tools:"; \
for f in /usr/local/bin/docker-entrypoint* /usr/local/bin/net-check* /usr/local/bin/metrics* \
/usr/local/bin/health* /usr/local/bin/view-logs* /usr/local/bin/status* \
/usr/local/bin/fingerprint* /usr/local/bin/setup* /usr/local/bin/dashboard*; do \
[ -f "$f" ] && echo "Registered script: $f"; \
done
# ============================================================================
# Environment configuration
# ============================================================================
ENV TOR_DATA_DIR=/var/lib/tor \
TOR_LOG_DIR=/var/log/tor \
TOR_CONFIG=/etc/tor/torrc \
ENABLE_METRICS=false \
ENABLE_HEALTH_CHECK=true \
ENABLE_NET_CHECK=false \
PATH="/usr/local/bin:$PATH"
# ============================================================================
# Cleanup
# ============================================================================
RUN rm -rf /usr/share/man /tmp/* /var/tmp/* /root/.cache/*
# ============================================================================
# Ensure runtime directory writable by non-root
# ============================================================================
RUN mkdir -p /run/tor && \
chown -R tor:tor /run/tor && \
chmod 770 /run/tor
# ============================================================================
# Switch to non-root user
# ============================================================================
USER tor
# ============================================================================
# Expose ports
# ============================================================================
EXPOSE 9001 9030
# ============================================================================
# Health check (verify configuration every 10 minutes)
# ============================================================================
HEALTHCHECK --interval=10m --timeout=15s --start-period=30s --retries=3 \
CMD tor --verify-config -f "$TOR_CONFIG" || exit 1
# ============================================================================
# Entrypoint
# ============================================================================
ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/docker-entrypoint.sh"]
CMD ["tor", "-f", "/etc/tor/torrc"]
Reference in New Issue View Git Blame Copy Permalink