Browse Source

Revamp (#1)

* replace torrc file by command lines arguments set in restart script.
restructure docker-tor.conf for homogeneity.
define env vars in Dockerfile for easier tuning (for pi4 and others platforms)

* bump version of tor image
* update doc
* merge tor bridges config options
umbrel
kenshin samourai 5 years ago
committed by nickodev
parent
commit
4f5842e595
  1. 45
      doc/DOCKER_advanced_setups.md
  2. 13
      doc/DOCKER_setup.md
  3. 2
      docker/my-dojo/.env
  4. 30
      docker/my-dojo/conf/docker-tor.conf.tpl
  5. 1
      docker/my-dojo/docker-compose.yaml
  6. 5
      docker/my-dojo/install/install-scripts.sh
  7. 44
      docker/my-dojo/install/upgrade-scripts.sh
  8. 36
      docker/my-dojo/tor/Dockerfile
  9. 29
      docker/my-dojo/tor/restart.sh
  10. 44
      docker/my-dojo/tor/torrc
  11. 48
      docker/my-dojo/tor/torrc.tpl

45
doc/DOCKER_advanced_setups.md

@ -6,6 +6,14 @@ The configuration files of Dojo provide a few advanced options allowing to tune
A word of caution, though, the default values of these options try to maximize your privacy at a network level. Most of the advanced setups described in this document may damage your privacy. Use at your own risk!
## Table of Content ##
- [External Bitcoin full node](#external_bitcoind)
- [bitcoind RPC API ans ZMQ notifications exposed to external apps](#exposed_rpc_zmq)
- [Static onion address for bitcoind hidden service](#static_onion)
- [Configure Tor Bridges](#tor_bridges)
- [Support of testnet](#testnet)
<a name="external_bitcoind"/>
## External Bitcoin full node ##
@ -161,6 +169,43 @@ nano ./conf/docker-bitcoind.conf
Note: this option has no effect if your setup relies on a external full node (i.e. if BITCOIND_INSTALL is set to "off").
<a name="tor_bridges"/>
## Configure Tor Bridges ##
By default, Dojo doesn't try to hide that Tor is being used. For the majority of Dojo users, connecting to Tor with the default configuration is appropriate and will work successfully. For some users, it may be appropriate to configure Tor Bridges in order to circumvent censorship enforced by ISP, censorship enforcement bodies and other interested parties.
The following steps allow to activate the use of Tor bridges by Dojo.
```
# Stop your Dojo
./dojo.sh stop
# Head over to https://bridges.torproject.org
# Click on "Get bridges", then you will see a form with "Advanced Options" header
# Leave the Pluggable Transport as "obfs4" and click on "Get Bridges" button
# Solve the captcha, you will get the bridge addresses, usually three lines:
# obfs4 24.106.248.94:65531 B9EFBC5... cert=yrX... iat-mode=0
# obfs4 ...
# obfs4 ...
# Edit the tor config file
nano ./conf/docker-tor.conf
#
# Set the value of TOR_USE_BRIDGES to "on"
#
# Set the values of TOR_BRIDGE_n properties with info returned by the website
# For instance, if the first line generated by the website is:
# obfs4 24.106.248.94:65531 B9EFBC5... cert=yrX... iat-mode=0
# You will have to set:
# TOR_BRIDGE_1=obfs4 24.106.248.94:65531 B9EFBC5... cert=yrX... iat-mode=0
#
# Save and exit nano
#
```
<a name="testnet"/>
## Support of testnet ##

13
doc/DOCKER_setup.md

@ -97,11 +97,6 @@ This procedure allows to install a new Dojo from scratch.
* `BITCOIND_RPC_USER` = login protecting the access to the RPC API of your full node,
* `BITCOIND_RPC_PASSWORD` = password protecting the access to the RPC API of your full node.
* If your machine has a lot of RAM, it's recommended that you increase the value of `BITCOIND_DB_CACHE` for a faster Initial Block Download.
* This file also provides a few additional settings for advanced setups:
* static onion address for your full node,
* bitcoind RPC API exposed to external apps,
* use of an external full node.
See this [doc](./DOCKER_advanced_setups.md) for more details.
* Edit docker-mysql.conf.tpl and provide a new value for the following parameters:
* `MYSQL_ROOT_PASSWORD` = password protecting the root account of MySQL,
@ -114,6 +109,14 @@ This procedure allows to install a new Dojo from scratch.
* `NODE_JWT_SECRET` = secret used by your Dojo for the initialization of a cryptographic key signing Json Web Tokens.
These parameters will protect the access to your Dojo. Be sure to provide alphanumeric values with enough entropy.
* Dojo provides a few additional settings for advanced setups:
* static onion address for your full node,
* bitcoind RPC API exposed to external apps,
* use of an external full node,
* use of Tor Bridges,
* support of testnet.
See this [doc](./DOCKER_advanced_setups.md) for more details.
* Open the docker quickstart terminal or a terminal console and go to the `<dojo_dir>/docker/my-dojo` directory. This directory contains a script named dojo.sh which will be your entrypoint for all operations related to the management of your Dojo.

2
docker/my-dojo/.env

@ -15,7 +15,7 @@ DOJO_DB_VERSION_TAG=1.1.0
DOJO_BITCOIND_VERSION_TAG=1.2.0
DOJO_NODEJS_VERSION_TAG=1.2.0
DOJO_NGINX_VERSION_TAG=1.2.0
DOJO_TOR_VERSION_TAG=1.1.0
DOJO_TOR_VERSION_TAG=1.2.0
#########################################

30
docker/my-dojo/conf/docker-tor.conf.tpl

@ -1,16 +1,34 @@
#########################################
# CONFIGURATION OF TOR CONTAINER
#########################################
#
# USE TOR BRIDGES
#
# To get Tor bridges head over to https://bridges.torproject.org and click on
# Get bridges, then you will see a form with "Advanced Options" header
# leave the Pluggable Transport as obfs4 and click on Get Bridges button
# solve the captcah, you will get the bridge addresses (usually 3)
# Add these bridges with the help of the below template
# you need to prefix those with the word "Bridge" and have each of them in a new line.
# At last, set UseBridges to 1 so the Tor container uses the bridges you add in previous steps.
#
# Then, set TOR_USE_BRIDGES to "on" and initialize the TOR_BRIDGE_n options
# with the 3 lines generated by the online tool.
#
# For instance, if the first line generated by the tool is:
# obfs4 24.106.248.94:65531 B9EFBC5... cert=yrX... iat-mode=0
# You will have to set:
# TOR_BRIDGE_1=obfs4 24.106.248.94:65531 B9EFBC5... cert=yrX... iat-mode=0
#
# Activate the use of Tor bridges
# Value: on | off
TOR_USE_BRIDGES=off
# Bridge 1
TOR_BRIDGE_1=ToBeDefined
UseBridges 0
#Bridge obfs4 IP:PORT 1111222233334444 cert=XXXXYYYYZZZZ iat-mode=0
# Bridge 2
TOR_BRIDGE_2=ToBeDefined
# Bridge 3
TOR_BRIDGE_3=ToBeDefined

1
docker/my-dojo/docker-compose.yaml

@ -73,6 +73,7 @@ services:
context: ./tor
env_file:
- ./.env
- ./conf/docker-tor.conf
restart: on-failure
command: /restart.sh
volumes:

5
docker/my-dojo/install/install-scripts.sh

@ -49,9 +49,8 @@ init_config_files() {
cp ./conf/docker-node.conf.tpl ./conf/docker-node.conf
echo "Initialized docker-node.conf"
cp ./tor/torrc.tpl ./tor/torrc
cat ./conf/docker-tor.conf.tpl >> ./tor/torrc
echo "Initialized torrc config file"
cp ./conf/docker-tor.conf.tpl ./conf/docker-tor.conf
echo "Initialized docker-tor.conf"
# Initialize config files for nginx and the maintenance tool
if [ "$COMMON_BTC_NETWORK" == "testnet" ]; then

44
docker/my-dojo/install/upgrade-scripts.sh

@ -33,11 +33,7 @@ update_config_files() {
echo "Initialized 2_update.sql"
# Initialize config files for MyDojo
if [ -f ./conf/docker-common.conf ]; then
update_config_file ./conf/docker-common.conf ./conf/docker-common.conf.tpl
else
cp ./conf/docker-common.conf.tpl ./conf/docker-common.conf
fi
update_config_file ./conf/docker-common.conf ./conf/docker-common.conf.tpl
echo "Initialized docker-common.conf"
update_config_file ./conf/docker-bitcoind.conf ./conf/docker-bitcoind.conf.tpl
@ -49,10 +45,8 @@ update_config_files() {
update_config_file ./conf/docker-node.conf ./conf/docker-node.conf.tpl
echo "Initialized docker-node.conf"
rm ./tor/torrc
cp ./tor/torrc.tpl ./tor/torrc
cat ./conf/docker-tor.conf.tpl >> ./tor/torrc
echo "Initialized torrc config file"
update_config_file ./conf/docker-tor.conf ./conf/docker-tor.conf.tpl
echo "Initialized docker-tor.conf"
# Initialize config files for nginx and the maintenance tool
if [ "$COMMON_BTC_NETWORK" == "testnet" ]; then
@ -70,18 +64,22 @@ update_config_files() {
# Update a configuration file from template
update_config_file() {
sed "s/^#.*//g;s/=.*//g;/^$/d" $1 > ./original.keys.raw
grep -f ./original.keys.raw $1 > ./original.lines.raw
if [ -f $1 ]; then
sed "s/^#.*//g;s/=.*//g;/^$/d" $1 > ./original.keys.raw
grep -f ./original.keys.raw $1 > ./original.lines.raw
cp -p $1 "$1.save"
cp -p $2 $1
cp -p $1 "$1.save"
cp -p $2 $1
while IFS='=' read -r key val ; do
sed -i "s/$key=.*/$key=$val/g" "$1"
done < ./original.lines.raw
while IFS='=' read -r key val ; do
sed -i "s~$key=.*~$key=$val~g" "$1"
done < ./original.lines.raw
rm ./original.keys.raw
rm ./original.lines.raw
rm ./original.keys.raw
rm ./original.lines.raw
else
cp $2 $1
fi
}
# Update dojo database
@ -91,6 +89,15 @@ update_dojo_db() {
# Clean-up
cleanup() {
#################
# Clean-up v1.3.0
#################
# Remove deprecated torrc file
if [ -f ./tor/torrc ]; then
rm ./tor/torrc
fi
#################
# Clean-up v1.1.0
#################
@ -99,4 +106,5 @@ cleanup() {
if [ -f ./bitcoin/bitcoin.conf ]; then
rm ./bitcoin/bitcoin.conf
fi
}

36
docker/my-dojo/tor/Dockerfile

@ -1,15 +1,23 @@
FROM debian:stretch
ENV TOR_HOME /var/lib/tor
ENV TOR_HOME /var/lib/tor
ENV TOR_URL https://git.torproject.org/tor.git
ENV TOR_VERSION 0.3.5.8
ENV GOLANG_DL_URL https://dl.google.com/go
ENV GOLANG_ARCHIVE go1.11.13.linux-amd64.tar.gz
ENV GOLANG_SHA256 50fe8e13592f8cf22304b9c4adfc11849a2c3d281b1d7e09c924ae24874c6daa
ENV OBFS4_URL https://github.com/Yawning/obfs4.git
ENV OBFS4_VERSION 0.0.11
# Install Tor
RUN set -ex && \
apt-get update && \
apt-get install -y git libevent-dev zlib1g-dev libssl-dev gcc make automake ca-certificates autoconf musl-dev coreutils wget && \
mkdir -p /usr/local/src/ && \
git clone https://git.torproject.org/tor.git /usr/local/src/tor && \
git clone "$TOR_URL" /usr/local/src/tor && \
cd /usr/local/src/tor && \
git checkout tor-0.3.5.8 && \
git checkout "tor-$TOR_VERSION" && \
./autogen.sh && \
./configure \
--disable-asciidoc \
@ -17,20 +25,22 @@ RUN set -ex && \
--disable-unittests && \
make && make install && \
cd .. && \
rm -rf tor && \
echo "50fe8e13592f8cf22304b9c4adfc11849a2c3d281b1d7e09c924ae24874c6daa *go1.11.13.linux-amd64.tar.gz" > GO_CHECKSUMS && \
wget https://dl.google.com/go/go1.11.13.linux-amd64.tar.gz && \
rm -rf tor
# Install Golang & OBFS4 proxy
RUN cd /usr/local/src && \
echo "$GOLANG_SHA256 *$GOLANG_ARCHIVE" > GO_CHECKSUMS && \
wget "$GOLANG_DL_URL/$GOLANG_ARCHIVE" && \
sha256sum -c GO_CHECKSUMS 2>&1 | grep OK && \
tar -C /usr/local/lib -xzf go1.11.13.linux-amd64.tar.gz && \
tar -C /usr/local/lib -xzf "$GOLANG_ARCHIVE" && \
ln -s /usr/local/lib/go/bin/go /usr/local/bin/ && \
cd /usr/local/src && \
git clone https://github.com/Yawning/obfs4.git obfs4proxy && \
git clone "$OBFS4_URL" /usr/local/src/obfs4proxy && \
cd obfs4proxy && \
git checkout tags/obfs4proxy-0.0.11 && \
git checkout "tags/obfs4proxy-$OBFS4_VERSION" && \
go build -o obfs4proxy/obfs4proxy ./obfs4proxy && \
cp ./obfs4proxy/obfs4proxy /usr/local/bin && \
cd .. && \
rm go1.11.13.linux-amd64.tar.gz && \
rm "$GOLANG_ARCHIVE" && \
rm -rf obfs4proxy
# Create group & user tor
@ -46,10 +56,6 @@ RUN mkdir -p "$TOR_HOME/.tor" && \
chown -Rv tor:tor "$TOR_HOME" && \
chmod -R 750 "$TOR_HOME"
# Copy Tor configuration file
COPY ./torrc /etc/tor/torrc
RUN chown tor:tor /etc/tor/torrc
# Copy restart script
COPY ./restart.sh /restart.sh

29
docker/my-dojo/tor/restart.sh

@ -6,4 +6,31 @@ echo "## Set permissions on /var/lib/tor dir ###"
chmod 750 /var/lib/tor
echo "## Start tor #############################"
tor
tor_options=(
--SocksPort 172.28.1.4:9050
--SocksPolicy "accept 172.28.0.0/16"
--SocksPolicy "reject *"
--DataDirectory /var/lib/tor/.tor
--DataDirectoryGroupReadable 1
--HiddenServiceDir /var/lib/tor/hsv2dojo
--HiddenServiceVersion 2
--HiddenServicePort "80 172.29.1.3:80"
--HiddenServiceDir /var/lib/tor/hsv3dojo
--HiddenServiceVersion 3
--HiddenServicePort "80 172.29.1.3:80"
--HiddenServiceDir /var/lib/tor/hsv2bitcoind
--HiddenServiceVersion 2
--HiddenServicePort "8333 172.28.1.5:8333"
--HiddenServiceDirGroupReadable 1
)
if [ "$TOR_USE_BRIDGES" == "on" ]; then
tor_options+=(--ClientTransportPlugin "obfs4 exec /usr/local/bin/obfs4proxy")
tor_options+=(--UseBridges 1)
tor_options+=(--Bridge "$TOR_BRIDGE_1")
tor_options+=(--Bridge "$TOR_BRIDGE_2")
tor_options+=(--Bridge "$TOR_BRIDGE_3")
fi
tor "${tor_options[@]}"

44
docker/my-dojo/tor/torrc

@ -1,44 +0,0 @@
## Tor opens a socks proxy on port 9050 by default -- even if you don't
## configure one below. Set "SocksPort 0" if you plan to run Tor only
## as a relay, and not make any local application connections yourself.
# Socks is only available from dojonet
SocksPort 172.28.1.4:9050
## Entry policies to allow/deny SOCKS requests based on IP address.
## First entry that matches wins. If no SocksPolicy is set, we accept
## all (and only) requests that reach a SocksPort. Untrusted users who
## can access your SocksPort may be able to learn about the connections
## you make.
# Socks is only available from dojonet
SocksPolicy accept 172.28.0.0/16
SocksPolicy reject *
## The directory for keeping all the keys/etc. By default, we store
## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
DataDirectory /var/lib/tor/.tor
DataDirectoryGroupReadable 1
############### This section is just for location-hidden services ###
## Once you have configured a hidden service, you can look at the
## contents of the file ".../hidden_service/hostname" for the address
## to tell people.
## HiddenServicePort x y:z says to redirect requests on port x to the
## address y:z.
HiddenServiceDir /var/lib/tor/hsv2dojo
HiddenServiceVersion 2
HiddenServicePort 80 172.29.1.3:80
HiddenServiceDir /var/lib/tor/hsv3dojo
HiddenServiceVersion 3
HiddenServicePort 80 172.29.1.3:80
HiddenServiceDir /var/lib/tor/hsv2bitcoind
HiddenServiceVersion 2
HiddenServicePort 8333 172.28.1.5:8333
HiddenServiceDirGroupReadable 1

48
docker/my-dojo/tor/torrc.tpl

@ -1,48 +0,0 @@
## Tor opens a socks proxy on port 9050 by default -- even if you don't
## configure one below. Set "SocksPort 0" if you plan to run Tor only
## as a relay, and not make any local application connections yourself.
# Socks is only available from dojonet
SocksPort 172.28.1.4:9050
## Entry policies to allow/deny SOCKS requests based on IP address.
## First entry that matches wins. If no SocksPolicy is set, we accept
## all (and only) requests that reach a SocksPort. Untrusted users who
## can access your SocksPort may be able to learn about the connections
## you make.
# Socks is only available from dojonet
SocksPolicy accept 172.28.0.0/16
SocksPolicy reject *
## The directory for keeping all the keys/etc. By default, we store
## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
DataDirectory /var/lib/tor/.tor
DataDirectoryGroupReadable 1
############### This section is just for location-hidden services ###
## Once you have configured a hidden service, you can look at the
## contents of the file ".../hidden_service/hostname" for the address
## to tell people.
## HiddenServicePort x y:z says to redirect requests on port x to the
## address y:z.
HiddenServiceDir /var/lib/tor/hsv2dojo
HiddenServiceVersion 2
HiddenServicePort 80 172.29.1.3:80
HiddenServiceDir /var/lib/tor/hsv3dojo
HiddenServiceVersion 3
HiddenServicePort 80 172.29.1.3:80
HiddenServiceDir /var/lib/tor/hsv2bitcoind
HiddenServiceVersion 2
HiddenServicePort 8333 172.28.1.5:8333
HiddenServiceDirGroupReadable 1
# Tor Bridges configuration
ClientTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy
Loading…
Cancel
Save