github/tor-guard-relay
1
1
Fork 0
mirror of https://github.com/r3bo0tbx1/tor-guard-relay.git synced 2026-04-06 00:32:04 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
be4f2bc12592abda8d3947190c61f378a5ac2fb6
tor-guard-relay/docs/TOOLS.md
rE-Bo0t.bx1 be4f2bc125 feat(v1.1.7): Happy Family support (Tor 0.4.9+ FamilyId) 
🔧 New tool: gen-family - generate/view Happy Family keys
  - Supports --force flag to overwrite existing keys without backup prompt

🐳 Dockerfiles: gen-family in both Dockerfile and Dockerfile.edge

🔧 Entrypoint:
- Phase 2: detect *.secret_family_key, log found keys (informational only)
- Guard/exit config gen: append FamilyId + MyFamily from ENV vars
- Bridge intentionally excluded

📊 Status tool: show family key count + Happy Family config state

📚 Docs:
- README: Happy Family section (generate / import), persistence table, flowchart
- ARCHITECTURE: all mermaid diagrams updated (Phase 2, config gen, tools, dirs)
- TOOLS: full gen-family reference with examples and exit codes
- DEPLOYMENT, MIGRATION, MIGRATION-V1.1.X, TROUBLESHOOTING: 5 -> 6 tools
- FAQ, example configs: version bump + FamilyId/MyFamily placeholders
- Directory authority voting: how 9 dirauths vote on relay flags (5/9 consensus)
- CIISS v2 ContactInfo: field reference, generator link, proof:uri-rsa verification
- All TOR_CONTACT_INFO examples updated to CIISS v2 format across templates and docs

📋 Templates:
- Guard/exit/multi-relay compose: TOR_FAMILY_ID + TOR_MY_FAMILY env vars
- All cosmos-compose + docker-compose versions -> 1.1.7

👷 CI: validate.yml gen-family in 8 spots (threshold 6), security tests, quick-test

🛡️ SECURITY.md: 1.1.7 active, 1.1.6 maintenance, gen-family in tools list

🔖 Version bump 1.1.6 -> 1.1.7 across 30+ files, tool count 5 -> 6, CHANGELOG entry

No breaking changes. TOR_FAMILY_ID and TOR_MY_FAMILY are optional.
2026-03-02 16:23:10 +08:00

484 lines
15 KiB
Markdown
Raw Blame History

# 🛠️ Tools Reference Guide
**Tor Guard Relay 1.1.3** includes 6 essential diagnostic tools built directly into the ultra-optimized ~20 MB container. All tools are busybox-compatible, executable without file extensions, and designed for production use.
---
## 📋 Tool Overview
| Tool | Purpose | Output Format | Notes |
|------|---------|---------------|-------|
| **status** | Complete relay health report | Text (emoji) | Full diagnostic dashboard |
| **health** | JSON health diagnostics | JSON | Machine-readable for monitoring |
| **fingerprint** | Display relay fingerprint | Text | With Tor Metrics link |
| **bridge-line** | Get obfs4 bridge line | Text | Bridge mode only |
| gen-auth | Generate Control Port auth | Text | Password + Hash |
| gen-family | Generate/view Happy Family key | Text | Tor 0.4.9+ only |
---
## 🔧 Tool Details
### `status`
**Purpose:** Comprehensive relay health and status report with emoji formatting
**Usage:**
```bash
docker exec tor-relay status
```
**Output Example:**
```
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🧅 Tor Relay Status
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🚀 Status: RUNNING (PID: 123)
✅ Bootstrap: 100% COMPLETE
🌐 ORPort: REACHABLE
🪪 Nickname: MyGuardRelay
🔑 Fingerprint: ABCD1234...WXYZ9876
✅ Errors: 0
⏱️ Uptime: 2d 14h 30m
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
💡 Tip: Use 'docker logs -f <container>' for live logs
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
```
**Exit Codes:**
- `0` - Status retrieved successfully
- `1` - Tor service not running or error
---
### `health`
**Purpose:** Machine-readable JSON health check for monitoring systems and automation
**Usage:**
```bash
docker exec tor-relay health
# Parse with jq
docker exec tor-relay health | jq .status
```
**Output Example:**
```json
{
"status": "up",
"pid": 123,
"uptime": "2d 14h 30m",
"bootstrap": 100,
"reachable": "true",
"errors": 0,
"nickname": "MyGuardRelay",
"fingerprint": "ABCD1234567890ABCDEF1234567890ABCDEFGHIJ"
}
```
**Status Values:**
- `up` - Relay is running and healthy
- `down` - Relay is not running
- `error` - Critical issues detected
**Exit Codes:**
- `0` - Health check completed
- `1` - Critical error or Tor not running
**Integration Example:**
```bash
#!/bin/bash
# Simple health monitoring script
HEALTH=$(docker exec tor-relay health)
STATUS=$(echo "$HEALTH" | jq -r '.status')
if [ "$STATUS" != "up" ]; then
echo "ALERT: Relay is $STATUS"
# Send notification
fi
```
---
### `fingerprint`
**Purpose:** Display relay fingerprint with direct links to Tor Metrics
**Usage:**
```bash
docker exec tor-relay fingerprint
```
**Output Example:**
```
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔑 Relay Fingerprint
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🪪 Nickname: MyTorRelay
🔑 Fingerprint: ABCD 1234 5678 90AB CDEF 1234 5678 90AB CDEF 1234
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔗 Tor Metrics: https://metrics.torproject.org/rs.html#details/ABCD...
💡 Your relay will appear in Tor Metrics after 1-2 hours
```
**Exit Codes:**
- `0` - Fingerprint retrieved
- `1` - Fingerprint not yet available (still bootstrapping)
**When Available:**
- Guard/Middle relays: ~1-2 hours after first start
- Exit relays: ~1-2 hours after first start
- Bridges: Not published publicly (by design)
---
### `bridge-line`
**Purpose:** Get the obfs4 bridge line for sharing with users (bridge mode only)
**Usage:**
```bash
docker exec tor-bridge bridge-line
```
**Output Example:**
```
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🌉 obfs4 Bridge Line
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Bridge obfs4 203.0.113.42:9002 ABCD...WXYZ cert=abc123...xyz789 iat-mode=0
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📋 Sharing Guidelines:
• Only share with people you trust
• Do NOT publish publicly
• Helps users in censored countries
💡 Bridge line available 24-48 hours after first start
```
**Exit Codes:**
- `0` - Bridge line retrieved
- `1` - Bridge line not yet available or not in bridge mode
**When Available:**
- Bridges take 24-48 hours after first start to generate the bridge line
- The bridge line is stored in `/var/lib/tor/pt_state/obfs4_bridgeline.txt`
- Also visible in logs: `docker logs <container> | grep "bridge line"`
**Important:**
- Only works in bridge mode (`TOR_RELAY_MODE=bridge`)
- Requires persistent volumes for `/var/lib/tor`
- Bridge addresses are NOT published in public directories
---
### `gen-auth`
**Purpose**: Generate a secure, random 32-character password and its associated hash for configuring the Tor Control Port (required for tools like Nyx).
Usage:
```bash
docker exec tor-relay gen-auth
```
Output Example:
```bash
╔════════════════════════════════════════════════════════════╗
║ Tor Control Port Authentication Generator ║
╚════════════════════════════════════════════════════════════╝
✓ Generated secure 32-character password
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Save this password (use for Nyx authentication):
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
4xK8mP2qR9vL3nT6wY5sD1gH7jF0bN8c...
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
2. Add this line to your torrc:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
HashedControlPassword 16:A1B2C3D4E5F6...
```
Exit Codes:
* `0` - Success
* `1` - Error generating hash
When to use:
* When setting up external monitoring tools (Nyx, Prometheus).
* Run once, copy the values, then update your relay.conf or torrc.
---
### `gen-family`
**Purpose:** Generate or view a Tor Happy Family key (Tor 0.4.9+). This replaces the old `MyFamily` fingerprint-exchange workflow with a single shared `FamilyId`.
**Usage:**
```bash
# Generate a new family key
docker exec tor-relay gen-family MyRelays
# View existing family key and FamilyId
docker exec tor-relay gen-family --show
# Show help
docker exec tor-relay gen-family --help
```
**Output Example (generate):**
```
════════════════════════════════════════════════════════════
Tor Happy Family Key Generator (Tor 0.4.9+)
════════════════════════════════════════════════════════════
✓ Generated family key: MyRelays
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Your FamilyId (add to torrc or TOR_FAMILY_ID env var):
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
FamilyId wweKJrJxUDs1EdtFFHCDtvVgTKftOC/crUl1mYJv830
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
💡 Copy the secret key file to all relays in this family.
Then set TOR_FAMILY_ID in each relay's environment.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
```
**Exit Codes:**
- `0` - Key generated or displayed successfully
- `1` - Error (key already exists, Tor not found, etc.)
**When to use:**
- When linking multiple relays (guard, exit, middle) into a family
- Run once to generate, then copy the key file to all family members
- Replaces the old manual fingerprint exchange (`MyFamily`)
---
## 🚀 Common Workflows
### 1. Quick Health Check
```bash
# Visual status check
docker exec tor-relay status
# JSON health check for automation
docker exec tor-relay health | jq .status
# Check bootstrap progress
docker exec tor-relay health | jq .bootstrap
```
### 2. Configure Nyx / Control Port
```bash
# Generate credentials
docker exec tor-relay gen-auth
# Add HashedControlPassword to your config
# Restart relay
docker restart tor-relay
# Connect with Nyx
nyx -i 127.0.0.1:9051
```
### 3. Find Your Relay on Tor Metrics
```bash
# Get fingerprint and metrics link
docker exec tor-relay fingerprint
# Wait 1-2 hours after first start
# Click the Tor Metrics link or search manually
```
### 4. Share Your Bridge
```bash
# Get bridge line (bridge mode only)
docker exec tor-bridge bridge-line
# Wait 24-48 hours after first start
# Share ONLY with trusted users, NOT publicly
```
### 5. Set Up Happy Family (Tor 0.4.9+)
```bash
# Generate a family key on one relay
docker exec tor-relay gen-family MyRelays
# Copy the key file to all other family members
docker cp tor-relay:/var/lib/tor/keys/MyRelays.secret_family_key ./
docker cp ./MyRelays.secret_family_key tor-relay-2:/var/lib/tor/keys/
docker exec -u 0 tor-relay-2 chown 100:101 /var/lib/tor/keys/MyRelays.secret_family_key
# Set TOR_FAMILY_ID on each relay and restart
# (use the FamilyId from gen-family --show output)
```
### 6. Automated Monitoring
```bash
# Simple monitoring script
while true; do
STATUS=$(docker exec tor-relay health | jq -r '.status')
BOOTSTRAP=$(docker exec tor-relay health | jq -r '.bootstrap')
echo "[$(date)] Status: $STATUS | Bootstrap: $BOOTSTRAP%"
if [ "$STATUS" != "up" ]; then
# Send alert
echo "ALERT: Relay is down!"
fi
sleep 60
done
```
### 7. Check Logs
```bash
# View recent logs
docker logs --tail 100 tor-relay
# Follow logs in real-time
docker logs -f tor-relay
# Filter for errors
docker logs tor-relay 2>&1 | grep -i error
# Filter for warnings
docker logs tor-relay 2>&1 | grep -i warn
```
---
## 🔐 Security Notes
- All tools run as non-root `tor` user
- Tools are read-only and don't modify relay state
- No sensitive data exposed (fingerprints are public by design)
- Bridge lines should be shared privately, not published
- Logs contain no user traffic data (Tor privacy design)
---
## 🐛 Troubleshooting
### Tool not found
```bash
# Verify tools exist
docker exec tor-relay ls -la /usr/local/bin/
# Should show: status, health, fingerprint, bridge-line, gen-auth, gen-family
# Check PATH
docker exec tor-relay echo $PATH
```
### Permission denied
```bash
# Should not happen - tools are set to +x in Dockerfile
# If it does, rebuild image:
docker build --no-cache -t tor-relay:latest .
```
### Empty output or errors
```bash
# Check if Tor is running
docker exec tor-relay ps aux | grep tor
# Check logs for errors
docker logs tor-relay | tail -50
# Restart container
docker restart tor-relay
```
### Fingerprint not available
```bash
# Normal during bootstrap (first 5-15 minutes)
# Check bootstrap progress
docker exec tor-relay health | jq .bootstrap
# Wait for 100% bootstrap
docker logs tor-relay | grep "Bootstrapped 100%"
```
### Bridge line not available
```bash
# Normal for first 24-48 hours
# Check if in bridge mode
docker exec tor-relay grep BridgeRelay /etc/tor/torrc
# Check for obfs4 files
docker exec tor-relay ls -la /var/lib/tor/pt_state/
# Check logs
docker logs tor-relay | grep -i obfs4
```
---
## 💡 Tips & Best Practices
1. **Use `health` for automation** - JSON output is perfect for scripts and monitoring systems
2. **Check `status` during troubleshooting** - Human-readable format with emoji makes issues obvious
3. **Save your fingerprint** - Store it somewhere safe for relay tracking
4. **Monitor bootstrap** - New relays take 5-15 minutes to fully bootstrap
5. **Be patient with bridges** - Bridge lines take 24-48 hours to generate
6. **Use docker logs** - Built-in logging is comprehensive and easier than installing extra tools
7. **Keep it simple** - This minimal toolset covers 99% of relay operation needs
---
## 📚 Related Documentation
- [Deployment Guide](./DEPLOYMENT.md) - Installation and configuration
- [Multi-Mode Guide](./MULTI-MODE.md) - Guard, Exit, and Bridge modes
- [Backup Guide](./BACKUP.md) - Data persistence and recovery
- [Performance Guide](./PERFORMANCE.md) - Optimization tips
---
## ❓ FAQ
**Q: Why only 6 tools instead of 9?**
A: The v1.1.3 build remains ultra-light (~16.8 MB). These 6 tools cover all essential operations including health checks, identity, authentication setup, and Happy Family key management.
**Q: Where are metrics/monitoring endpoints?**
A: Removed to achieve ultra-small image size. Use `health` tool with external monitoring systems or check `/var/log/tor/notices.log` directly.
**Q: Can I still use Prometheus?**
A: Yes! Use `gen-auth` to configure the Control Port, then run a separate `prometheus-tor-exporter` container alongside this one.
**Q: What happened to the dashboard?**
A: Removed (required Python/Flask). Use `status` tool for visual output or build your own dashboard using `health` JSON.
---
**Last Updated:** March 2026 | **Version:** 1.1.7
Reference in New Issue View Git Blame Copy Permalink