fix(deploy): pivot tor service to password auth + wrapper entrypoint
Dockurr/tor's stock entrypoint binds the control port to localhost (unreachable from a sibling container), refuses to run as a non-default user (its setup chowns dirs and su-execs down to its `tor` user, both requiring root), and skips its own HashedControlPassword injection whenever the user's torrc declares a ControlPort. The combination meant the original cookie-via-shared- volume design couldn't work without fighting the image. This commit: - Adds tor/entrypoint.sh, a small wrapper that hashes $PASSWORD with `tor --hash-password`, appends the hash to a writable copy of /etc/tor/torrc, then execs tor. Container runs as root only for that bring-up; the torrc's `User tor` directive drops privs after port binding. - Adds a healthcheck on the tor service that gates downstream containers on both 9050 + 9051 actually listening (was service_started, which fires before tor finishes bootstrap). - Loosens MaxCircuitDirtiness 60 → 600. The 60s value would have rotated mid-chapter for any chapter with > ~50 images, which is exactly the kind of fingerprint we're trying to avoid. - Wires TOR_CONTROL_PASSWORD as a REQUIRED .env var on both sides (PASSWORD on tor, CRAWLER_TOR_CONTROL_PASSWORD on backend). docker-compose.yml fails fast if unset. - Removes the tor-data shared volume on backend (cookie auth is no longer the default; operators wanting cookie can mount it back). - Documents the pivot + the cookie-vs-password tradeoff in .env.example. End-to-end validated: `docker compose up -d tor`, then `printf 'AUTHENTICATE "test"\r\nSIGNAL NEWNYM\r\nQUIT\r\n' | nc tor 9051` returns three `250 OK` lines. Audit ref: #2, #3, #6. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
MechaCat02
40
tor/entrypoint.sh
Executable file
40
tor/entrypoint.sh
Executable file
@@ -0,0 +1,40 @@
|
||||
#!/bin/sh
|
||||
# Mangalord wrapper around dockurr/tor's tor binary.
|
||||
#
|
||||
# We bypass the image's stock entrypoint for two reasons:
|
||||
# 1. It generates a `ControlPort 9051` line that binds to localhost
|
||||
# only (tor's default), but our backend lives in a separate
|
||||
# container and needs to reach 0.0.0.0:9051.
|
||||
# 2. It then *skips* writing HashedControlPassword whenever the
|
||||
# user's torrc declares a ControlPort, so we can't both bind to
|
||||
# 0.0.0.0 and benefit from its auto-hashing — it's one or the
|
||||
# other. Doing the hashing ourselves is simpler than threading
|
||||
# around its logic.
|
||||
#
|
||||
# This wrapper hashes $PASSWORD with `tor --hash-password`, appends a
|
||||
# `HashedControlPassword` line to a writable copy of /etc/tor/torrc,
|
||||
# then execs tor. Container runs as root (image default); tor binds
|
||||
# 9050/9051 which don't require root and is fine inside a single-
|
||||
# purpose container.
|
||||
|
||||
set -eu
|
||||
|
||||
if [ -z "${PASSWORD:-}" ]; then
|
||||
echo "ERROR: PASSWORD env must be set (the plain string the backend will" >&2
|
||||
echo " send as CRAWLER_TOR_CONTROL_PASSWORD)" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# `tor --hash-password` prints the hash on the last line of stdout
|
||||
# (preceded by initialization noise).
|
||||
HASH=$(tor --hash-password "$PASSWORD" 2>/dev/null | tail -n1)
|
||||
if [ -z "$HASH" ]; then
|
||||
echo "ERROR: 'tor --hash-password' produced no output" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# /etc/tor/torrc is bind-mounted read-only, so copy + append.
|
||||
cp /etc/tor/torrc /tmp/torrc
|
||||
printf '\n# Injected by mangalord-entrypoint.sh from $PASSWORD env.\nHashedControlPassword %s\n' "$HASH" >> /tmp/torrc
|
||||
|
||||
exec tor -f /tmp/torrc
|
||||
30
tor/torrc
30
tor/torrc
@@ -12,20 +12,26 @@
|
||||
# to age out.
|
||||
SOCKSPort 0.0.0.0:9050 IsolateDestAddr IsolateDestPort
|
||||
|
||||
# Control port for SIGNAL NEWNYM. Cookie auth means no secret to manage
|
||||
# in .env — the cookie file is created by the daemon at startup and
|
||||
# shared with the backend container via the named `tor-data` volume.
|
||||
# CookieAuthFileGroupReadable lets the backend's gid read it without
|
||||
# having to run as root.
|
||||
# Control port for SIGNAL NEWNYM. We rely on the dockurr/tor
|
||||
# entrypoint to inject `HashedControlPassword <hash>` from its
|
||||
# PASSWORD env var (see docker-compose.yml `tor.environment.PASSWORD`)
|
||||
# via a higher-priority --defaults-torrc. We just need to declare the
|
||||
# port itself here.
|
||||
ControlPort 0.0.0.0:9051
|
||||
CookieAuthentication 1
|
||||
CookieAuthFile /var/lib/tor/control_auth_cookie
|
||||
CookieAuthFileGroupReadable 1
|
||||
|
||||
# Keep circuits short-lived so NEWNYM actually changes our visible
|
||||
# exit soon. Default is 600s (10 min); 60s is short enough that retries
|
||||
# after a brief site rate-limit window almost always see a new IP.
|
||||
MaxCircuitDirtiness 60
|
||||
# Keep circuits dirty for a while so a single chapter (which serial-
|
||||
# fetches all its images through the same SOCKS endpoint) finishes on
|
||||
# one circuit rather than mid-circuit-rotating in a way that looks like
|
||||
# anti-bot evasion to the target. NEWNYM still forces a fresh circuit
|
||||
# immediately when we want one — this is just the idle-rotation knob.
|
||||
MaxCircuitDirtiness 600
|
||||
|
||||
# Drop privileges to the image's `tor` user after binding ports.
|
||||
# Required because /var/lib/tor (the image's DataDirectory volume)
|
||||
# is owned by tor:tor and tor refuses to use a data dir it doesn't
|
||||
# own. Our entrypoint runs as root only so it can call
|
||||
# `tor --hash-password` and write /tmp/torrc.
|
||||
User tor
|
||||
|
||||
# Data + logs.
|
||||
DataDirectory /var/lib/tor
|
||||
|
||||
Reference in New Issue
Block a user