diff --git a/.gitignore b/.gitignore
index d331755..3d31a13 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,4 @@ Thumbs.db
 
 # Private files
 production/
+tests/tor-data/
\ No newline at end of file
diff --git a/20auto-upgrades b/20auto-upgrades
new file mode 100644
index 0000000..7841498
--- /dev/null
+++ b/20auto-upgrades
@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::AutocleanInterval "5";
+APT::Periodic::Unattended-Upgrade "1";
+APT::Periodic::Verbose "1";
\ No newline at end of file
diff --git a/50unattended-upgrades b/50unattended-upgrades
new file mode 100644
index 0000000..2a09485
--- /dev/null
+++ b/50unattended-upgrades
@@ -0,0 +1,7 @@
+Unattended-Upgrade::Origins-Pattern {
+ "origin=Debian,codename=${distro_codename},label=Debian-Security";
+ "origin=TorProject";
+};
+Unattended-Upgrade::Package-Blacklist {
+};
+Unattended-Upgrade::Automatic-Reboot "true";
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index e53eb01..2e016c8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,13 +1,7 @@
 # Dockerfile for Tor Relay Server with obfs4proxy
-FROM debian:bullseye
-RUN echo 'deb http://deb.debian.org/debian bullseye-backports main' > /etc/apt/sources.list.d/backports.list
-MAINTAINER Josh josh.gaby@gmail.com
-
-ARG GPGKEY=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
-ARG APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE="True"
-ARG DEBCONF_NOWARNINGS="yes"
-ARG DEBIAN_FRONTEND=noninteractive
-ARG found=""
+FROM debian:bookworm-slim
+USER root
+LABEL org.opencontainers.image.authors="josh.gaby@gmail.com"
 
 # Set a default Nickname
 ENV TOR_NICKNAME=Tor4
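Review bot: The new ignore entry `tests/tor-data/` does not cover the directory that the rewritten docker-compose.yml actually mounts, `./tor-data/:/var/lib/tor/`, so a relay's DataDirectory — including `keys/secret_id_key` and the ed25519 master secret key — would sit next to the compose file as an untracked but committable directory. Add `tor-data/` alongside the existing entry, or point the compose mount at the ignored path. The same mismatch applies to the docker-compose.yml hunk.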
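Review bot: `APT::Periodic::Unattended-Upgrade "1"` only takes effect when something periodically runs the apt daily jobs (the apt-daily/apt-daily-upgrade systemd timers or the cron.daily hook), and nothing in this diff starts such a scheduler in a container whose entrypoint execs tor, so the automatic upgrades the README now advertises will presumably never run unless the entrypoint (outside this diff) does it. Even when a newer tor package is unpacked, the already-running tor process keeps the old binary until the container restarts, since the package's service restart has no init to talk to. Either document that the image must be rebuilt and redeployed to pick up fixes, or run `unattended-upgrade` from a scheduler the entrypoint starts; the same point applies to the 50unattended-upgrades file and to the `apt-get install -y unattended-upgrades apt-listchanges` line in the second Dockerfile hunk.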
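Review bot: `Unattended-Upgrade::Automatic-Reboot "true"` requests a host-style reboot after certain upgrades, which inside a container has no init to act on — most likely the shutdown call simply fails, and at worst it interferes with PID 1 and the relay; set it to `"false"` or drop the line and rely on the compose file's `restart: always` to bring the container back. The empty `Package-Blacklist` block would read better with a comment stating it is intentionally empty, e.g. `// intentionally empty: tor itself is expected to be upgraded`.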
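Review bot: `USER root` is a no-op on the debian base image and reads as if the image deliberately runs as root, while the removal of `ARG DEBIAN_FRONTEND=noninteractive` leaves the later `apt-get install -y unattended-upgrades apt-listchanges` (second Dockerfile hunk) to rely on debconf falling back to its non-interactive frontend when no TTY is present. Drop the `USER root` line and keep `ARG DEBIAN_FRONTEND=noninteractive` for the apt steps. The header comment `# Dockerfile for Tor Relay Server with obfs4proxy` is now stale, since the obfs4proxy install is commented out in the second hunk.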
@@ -16,35 +10,35 @@ ENV TERM=xterm
 
 # Install tor with GeoIP and obfs4proxy & backup torrc
 RUN apt-get update \
- && apt-get install -y --no-install-recommends \
- apt-utils \
- && apt-get install -y --no-install-recommends \
- pwgen \
- iputils-ping \
- tor/bullseye-backports \
- tor-geoipdb/bullseye-backports \
- obfs4proxy/bullseye-backports \
- && mkdir -pv /usr/local/etc/tor/ \
- && mv -v /etc/tor/torrc /usr/local/etc/tor/torrc.sample \
- && apt-get purge --auto-remove -y \
- apt-utils \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/* \
- # Rename Debian unprivileged user to tord \
- && usermod -l ${TOR_USER} debian-tor \
- && groupmod -n ${TOR_USER} debian-tor
-
-# Copy Tor configuration file
-COPY ./torrc /etc/tor/torrc
-
-# Copy docker-entrypoint
+ && apt-get install -y apt-transport-https wget gpg \
+ && apt-get install -y unattended-upgrades apt-listchanges
+
+COPY tor.sources.list /etc/apt/sources.list.d/tor.list
+COPY 50unattended-upgrades /etc/apt/apt.conf.d/50unattended-upgrades
+COPY 20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades
+
+RUN wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
+RUN apt-get update
+RUN apt-get install -y tor deb.torproject.org-keyring
+RUN apt-get install -y tor-geoipdb
+# RUN apt-get install -y obfs4proxy
+RUN mkdir -pv /usr/local/etc/tor/
+RUN apt-get -y purge --auto-remove
+RUN apt-get clean
+RUN rm -rf /var/lib/apt/lists/*
+
+# Rename Debian unprivileged user to tord \
+RUN usermod -l ${TOR_USER} debian-tor \
+ && groupmod -n ${TOR_USER} debian-tor
+
+COPY torrc /etc/tor/torrc
 COPY ./scripts/ /usr/local/bin/
 
 # Persist data
 VOLUME /etc/tor /var/lib/tor
 
-# ORPort, DirPort, SocksPort, ObfsproxyPort, MeekPort
-EXPOSE 9001 9030 9050 54444 7002
+# ORPort, DirPort, SocksPort, ObfsproxyPort
+EXPOSE 9001 9030 9050 54444
 
 ENTRYPOINT ["docker-entrypoint"]
 CMD ["tor", "-f", "/etc/tor/torrc"]
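Review bot: The keyring step `RUN wget -qO- … | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg` never checks that the key it received carries the fingerprint named in the URL, and because the default `sh -c` has no pipefail a failed download likely still leaves an (empty) keyring and exits 0, so the problem only surfaces later as a NO_PUBKEY error from `apt-get update`. Download to a temporary file, compare the fingerprint with the expected value, and only then dearmor, as sketched below. Separately, `RUN apt-get -y purge --auto-remove`, `RUN apt-get clean` and `RUN rm -rf /var/lib/apt/lists/*` each commit their own layer, so they no longer shrink the image the way the original chained command did, and `--no-install-recommends` was dropped from every install; folding the apt steps into one chained RUN restores both. `EXPOSE 9001 9030 9050 54444` still advertises the ObfsproxyPort although the obfs4proxy install is commented out, and the comment `# Rename Debian unprivileged user to tord \` carries a stray trailing backslash.
```dockerfile
# Verify the archive key against the expected fingerprint before trusting it
RUN wget -qO /tmp/tor-archive-key.asc \
        https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc \
    && gpg --show-keys --with-colons /tmp/tor-archive-key.asc \
        | grep -q '^fpr:*A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89:' \
    && gpg --dearmor < /tmp/tor-archive-key.asc > /usr/share/keyrings/tor-archive-keyring.gpg \
    && rm -f /tmp/tor-archive-key.asc
# … unchanged: apt-get update / install steps …
```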
diff --git a/README.md b/README.md
index 57d8ebd..d973ab8 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 #### Forked
-This docker was forked from [chriswayg/tor-server](https://github.com/chriswayg/tor-server) and updated to run Debian Bullseye and the latest available Tor and obfs4proxy packages.
+This docker was forked from [chriswayg/tor-server](https://github.com/chriswayg/tor-server) and updated to run Debian 12 (Bookworm) and the latest available Tor packages. Unattended-Upgrades is also configured to keep Tor up to date automatically.
 
 #### A complete, efficient and secure Tor relay server Docker image
 *This docker image will install the latest current stable version of Tor server. It will run Tor as an unprivileged regular user, as recommended by torproject.org.*
@@ -209,14 +209,6 @@ Please use the latest Docker engine available (do not use the possibly outdated
 - [Tor Relay Guide](https://trac.torproject.org/projects/tor/wiki/TorRelayGuide)
 - [Tor on Debian Installation Instructions 2019](https://2019.www.torproject.org/docs/debian.html.en)
 - [Torproject - git repo](https://github.com/torproject/tor)
-- [obfs4proxy on Debian - Guide to run an obfuscated bridge to help censored users connect to the Tor network.](https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/obfs4proxy)
-- [obfs4 - The obfourscator - Github](https://github.com/Yawning/obfs4)
-- [How to use the “meek” pluggable transport](https://blog.torproject.org/how-use-meek-pluggable-transport)
-- [meek-server for Tor meek bridge](https://github.com/arlolra/meek/tree/master/meek-server)
 
 ### License:
- - MIT
-
-##### For a very similar image based on tor-alpine use `chriswayg/tor-alpine`
- - https://hub.docker.com/r/chriswayg/tor-alpine
- - https://github.com/chriswayg/tor-alpine
+ - MIT
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index 2b31b2e..e23088b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,18 +1,20 @@
-relay:
- image: joshgaby/tor-server
- init: true
- restart: always
- network_mode: host
- ## the ports are not needed with network_mode host
- ports:
- #- "9001:9001"
- #- "9030:9030"
- #- "54444:54444"
- #- "7002:7002"
- #volumes:
- ## mount and DataDirectory and custom `torrc` here
- #- ./tor-data/:/var/lib/tor/
- #- ./torrc:/etc/tor/torrc
- ## alternatively mount previously saved identity keys here
- #- ./tests/tor-data/keys/secret_id_key:/var/lib/tor/keys/secret_id_key
- #- ./tests/tor-data/keys/ed25519_master_id_secret_key:/var/lib/tor/keys/secret_id_key
+version: '2.2'
+services:
+ relay:
+ image: joshgaby/tor-server
+ init: true
+ restart: always
+ network_mode: host
+ ## the ports are not needed with network_mode host
+ ports:
+ - "9001:9001"
+ - "9030:9030"
+ - "54444:54444"
+ - "7002:7002"
+ volumes:
+ ## mount and DataDirectory and custom `torrc` here
+ - ./tor-data/:/var/lib/tor/
+ - ./torrc:/etc/tor/torrc
+ ## alternatively mount previously saved identity keys here
+ #- ./tests/tor-data/keys/secret_id_key:/var/lib/tor/keys/secret_id_key
+ #- ./tests/tor-data/keys/ed25519_master_id_secret_key:/var/lib/tor/keys/secret_id_key
diff --git a/scripts/docker-entrypoint b/scripts/docker-entrypoint
index 695f609..5c58b07 100755
--- a/scripts/docker-entrypoint
+++ b/scripts/docker-entrypoint
@@ -16,6 +16,12 @@ chmodf 600 /var/lib/tor
 
 if [ ! -e /tor-config-done ]; then
 touch /tor-config-done # only run this once
+ if [ -n "${TOR_DEBUG}" ]; then
+ if ! grep -q '^PublishServerDescriptor ' /etc/tor/torrc; then
+ echo "Setting PublishServerDescriptor: 0"
+ echo -e "\nPublishServerDescriptor 0" >> /etc/tor/torrc
+ fi
+ fi
 
 # Add Nickname from env variable or randomized, if none has been set
 if ! grep -q '^Nickname ' /etc/tor/torrc; then
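Review bot: With `network_mode: host` the now-uncommented `ports:` block is ignored by Docker (host networking has no port publishing) — the hunk's own comment `## the ports are not needed with network_mode host` says as much — so the mappings are dead configuration that Compose warns about; either remove `network_mode: host` or keep the block commented. `- "7002:7002"` additionally maps the MeekPort that the Dockerfile hunk dropped from EXPOSE. The `version: '2.2'` key is obsolete for current Compose and only produces a warning, so it can go. The still-commented `ed25519_master_id_secret_key` mount targets `/var/lib/tor/keys/secret_id_key`, the same container path as the RSA key line above it, which looks like a copy-paste slip worth fixing while the file is being rewritten.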
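Review bot: The new `TOR_DEBUG` branch has no comment explaining that its only effect is to stop the relay from publishing its descriptor, and the variable is not mentioned in the README hunk, so an operator setting it expecting verbose logging gets a relay that silently stays out of the directory. Add a comment above the block, e.g. `# TOR_DEBUG: append "PublishServerDescriptor 0" so a test relay is not advertised to the directory authorities`, and document the variable in the README. Like the Nickname block below it, this runs only once because of the surrounding `/tor-config-done` guard, so a torrc mounted on a later start keeps whatever it already contains; the enclosing `if [ ! -e /tor-config-done ]` block ends outside the hunk.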
@@ -68,7 +74,6 @@ echo -e "\n========================================================" # Display OS version, Tor version & torrc in log echo -e "Debian Version: \c" && cat /etc/debian_version tor --version -obfs4proxy -version cat /etc/tor/torrc echo -e "========================================================\n" diff --git a/tor.sources.list b/tor.sources.list new file mode 100644 index 0000000..e9e8446 --- /dev/null +++ b/tor.sources.list @@ -0,0 +1,2 @@ +deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main +deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main \ No newline at end of file diff --git a/torrc b/torrc index a3705f0..32de31c 100644 --- a/torrc +++ b/torrc @@ -4,20 +4,26 @@ User tord DataDirectory /var/lib/tor +NumCPUs 2 + # Server's public IP Address (usually automatic) -#Address 10.10.10.10 +#Address 3.14.159.26 # Port to advertise for incoming Tor connections. -ORPort 9001 # common ports are 9001, 443 +ORPort 9002 # common ports are 9001, 443 #ORPort [IPv6-address]:9001 # Mirror directory information for others (optional, not used on bridge) -DirPort 9030 # common ports are 9030, 80 +DirPort 9031 # common ports are 9030, 80 # Run Tor only as a server (no local applications) SocksPort 0 ControlSocket 0 +ControlPort 0.0.0.0:9051 +# Enable password access for control port (password is: Cpk762yM08Cr) +HashedControlPassword 16:783A31A701B99F6D60D04559DD776DF2A6F895776BF72913BE332985E1 + # Run as a relay only (change policy to enable exit node) ExitPolicy reject *:* # no exits allowed ExitPolicy reject6 *:*
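Review bot: The `deb-src` line makes every `apt-get update` in the image fetch the Tor source index as well, although nothing in the Dockerfile runs `apt-get source`; drop it or comment it out so the build and the unattended-upgrades refresh download less. The `signed-by=/usr/share/keyrings/tor-archive-keyring.gpg` pinning is the right shape and matches where the Dockerfile writes the key.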
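Review bot: `ControlPort 0.0.0.0:9051` binds Tor's control interface on every interface, and with the compose file's `network_mode: host` that port is reachable from the network, while the only credential is a `HashedControlPassword` whose cleartext is written into the comment `# Enable password access for control port (password is: …)` and committed to the repository, so anyone who can reach 9051 with the published password controls the relay's configuration and signals. Bind the control port to loopback (`ControlPort 127.0.0.1:9051`) or use a Unix `ControlSocket` path, remove the cleartext from the comment, and generate the hash at build or start time (for example from an environment variable in the entrypoint) instead of committing it. `ORPort 9002` and `DirPort 9031` no longer match the `EXPOSE 9001 9030 …` line in the Dockerfile or the `9001:9001`/`9030:9030` mappings in docker-compose.yml, so the documented and the actual ports diverge. The example `#Address 3.14.159.26` is a routable address; a documentation range such as 192.0.2.0/24 (RFC 5737) is the conventional placeholder. `NumCPUs 2` hard-codes a host property and should at least carry a comment marking it as a tunable.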