WIP: Adding vanguard...

assets/entrypoint-config.yml

@@ -1,4 +1,6 @@
-command: tor
+commands:
+    - tor
+    - vanguards
 
 user: tor
 group: tor
@@ -9,14 +11,29 @@ secret_env:
     - '*_SERVICE_NAME'
     - '*_TOR_SERVICE_*'
     - 'TOR_SOCKS_PORT'
+    - TOR_CONTROL_PASSWORD
+
+config_files:
+    - vanguards:
+        - /var/local/tor/vanguards.conf.tpl: /etc/tor/vanguards.conf
 
 pre_conf_commands:
-    - onions --setup-hosts
+    - tor:
+        - onions --setup-hosts
 
 post_conf_commands:
-    - chmod -R 700 $HOME
-    - chown -R tor:tor $HOME
+    - tor:
+        - mkdir -p /run/tor
+        - chmod -R 700 $HOME /run/tor
+        - chown -R tor:tor $HOME /run/tor
 
+post_run_commands:
+    - tor:
+        - onions --run-vanguards
+
+set_environment:
+    - vanguards:
+        - TOR_CONTROL_PORT: onions --resolve-control-port
 reload:
     files:
         - /etc/tor/torrc

assets/torrc

@@ -1,30 +1,50 @@
-{% for service_group in services %}
+{% for service_group in onion.services %}
 HiddenServiceDir {{service_group.hidden_service_dir}}
-{% if service_group.version == 3 %}
+    {% if service_group.version == 3 %}
 HiddenServiceVersion 3
-{% endif %}
-{% for service in service_group.services %}
-{% for port in service.ports %}
-{% if port.is_socket %}
+    {% endif %}
+    {% for service in service_group.services %}
+        {% for port in service.ports %}
+            {% if port.is_socket %}
 HiddenServicePort {{port.port_from}} {{port.dest}}
-{% endif %}
-{% if not port.is_socket %}
+            {% endif %}
+            {% if not port.is_socket %}
 HiddenServicePort {{port.port_from}} {{service.host}}:{{port.dest}}
-{% endif %}
+            {% endif %}
+        {% endfor %}
+    {% endfor %}
 {% endfor %}
-{% endfor %}
-{% endfor %}
-
-{% if 'RELAY' in env %}
-ORPort 9001
-{% endif %}
-
+DataDirectory {{ onion.data_directory }}
 {% if 'TOR_SOCKS_PORT' in env %}
 SocksPort {{env['TOR_SOCKS_PORT']}}
 {% else %}
 SocksPort 0
 {% endif %}
 
+{% if envtobool('TOR_EXIT_RELAY', False) %}
+ExitRelay 1
+{% else %}
+ExitRelay 0
+{% endif %}
+
+{% if onion.enable_control_port %}
+    {% if onion.control_socket %}
+ControlPort unix:{{onion.control_socket}}
+    {% endif %}
+    {% if not onion.control_socket %}
+        {% if onion.control_ip_binding.version() == 4 %}
+ControlPort {{onion.control_ip_binding}}:{{ onion.control_port }}
+        {% endif %}
+        {% if onion.control_ip_binding.version() == 6 %}
+ControlPort [{{onion.control_ip_binding}}]:{{ onion.control_port }}
+        {% endif %}
+    {% endif %}
+    {% if onion.control_hashed_password %}
+HashedControlPassword {{ onion.control_hashed_password }}
+    {% endif %}
+{% endif %}
+
+
 {% if 'TOR_EXTRA_OPTIONS' in env %}
 {{env['TOR_EXTRA_OPTIONS']}}
 {% endif %}

assets/vanguards.conf.tpl

@@ -0,0 +1,137 @@
+## Example vanguards configuration file
+#
+# The values in this file are the defaults. You do not need to specify
+# options in your config file unless you wish to change the defaults.
+
+## Global options
+[Global]
+
+{% if env.get('TOR_CONTROL_PORT', '').startswith('unix:') %}
+{% set _, unix_path = env['TOR_CONTROL_PORT'].split(':', 1) %}
+{% elif ':' in env.get('TOR_CONTROL_PORT', '') %}
+{% set host, port = env['TOR_CONTROL_PORT'].split(':', 1) %}
+{% else %}
+{% set host = env.get('TOR_CONTROL_PORT') %}
+{% endif %}
+
+# IP address that the Tor control port is listening on:
+control_ip = {{ host or '' }}
+
+# TCP port the control port is listening on:
+control_port = {{ port or 9051 }}
+
+# If set, use this filesystem control socket instead of IP+Port:
+control_socket = {{ unix_path or '' }}
+
+# If set, use this as the control port password:
+control_pass = {{ env.get('TOR_CONTROL_PASSWORD', '') }}
+
+# Enable/disable active vanguard update of layer2 and layer3 guards
+enable_vanguards = True
+
+# Enable/disable the bandwidth side channel detection checks:
+enable_bandguards = True
+
+# Enable/disable circuit build timeout analysis (informational only):
+enable_cbtverify = True
+
+# Enable/disable checks on Rendezvous Point overuse attacks:
+enable_rendguard = True
+
+# Close circuits upon suspected attack conditions:
+close_circuits = True
+
+# If True, we write (or update/rotate) layer2 and layer3 vanguards in torrc,
+# then exit. This option disables the bandguards and rendguard defenses.
+one_shot_vanguards = False
+
+# The current loglevel:
+loglevel = NOTICE
+
+# If specified, log to this file instead of stdout:
+logfile =
+
+# Name of state file (with absolute path, or relative to current directory):
+state_file = {{ env.get('VANGUARDS_STATE_FILE', '/run/tor/data/vanguards.state') }}
+
+
+## Vanguards: layer1, layer2, and layer3 rotation params.
+[Vanguards]
+
+# How long to keep our layer1 guard (0 means use Tor default):
+layer1_lifetime_days = 0
+
+# The maximum amount of time to keep a layer2 guard:
+max_layer2_lifetime_hours = 1080
+
+# The maximum amount of time to keep a layer3 guard:
+max_layer3_lifetime_hours = 48
+
+# The minimum amount of time to keep a layer2 guard:
+min_layer2_lifetime_hours = 24
+
+# The minimum amount of time to keep a layer3 guard:
+min_layer3_lifetime_hours = 1
+
+# The number of layer1 guards:
+num_layer1_guards = 2
+
+# The number of layer2 guards:
+num_layer2_guards = 3
+
+# The number of layer3 guards:
+num_layer3_guards = 8
+
+
+## Bandguards: Mechanisms to detect + mitigate bandwidth side channel attacks.
+[Bandguards]
+
+# Maximum number of hours to allow any circuit to remain open
+# (set to 0 to disable):
+circ_max_age_hours = 24
+
+# Maximum amount of kilobytes that can be present in a hidden service
+# descriptor before we close the circuit (set to 0 to disable):
+circ_max_hsdesc_kilobytes = 30
+
+# Total maximum megabytes on any circuit before we close it. Note that
+# while HTTP GET can resume if this limit is hit, HTTP POST will not.
+# This means that applications that require large data submission (eg
+# SecureDrop or onionshare) should set this much higher
+# (or set to 0 to disable):
+circ_max_megabytes = 0
+
+# Warn if we can't build or use circuits for this many seconds.
+circ_max_disconnected_secs = 30
+
+# Warn if we are disconnected from the Tor network for this many seconds.
+conn_max_disconnected_secs = 15
+
+## Rendguard: Monitors service-side Rendezvous Points to detect misuse/attack
+[Rendguard]
+
+# No relay should show up as a Rendezvous Point more often than this ratio
+# multiplied by its bandwidth weight:
+rend_use_max_use_to_bw_ratio = 5.0
+
+# What is percent of the network weight is not in the consensus right now?
+# Put another way, the max number of rend requests from relays not in the
+# consensus is rend_use_max_use_to_bw_ratio times this churn rate.
+rend_use_max_consensus_weight_churn = 1.0
+
+# Close circuits where the Rendezvous Point appears too often. Note that an
+# adversary can deliberately cause RP overuse in order to impact availability.
+# If this is a concern, either set this to false, or raise the ratio
+# parameter above.
+rend_use_close_circuits_on_overuse = True
+
+# Total number of circuits we need before we begin enforcing rendezvous point
+# ratio limits:
+rend_use_global_start_count = 1000
+
+# Number of times a relay must be seen as a Rendezvous Point before applying
+# ratio limits:
+rend_use_relay_start_count = 100
+
+# Divide all relay counts by two once the total circuit count hits this many:
+rend_use_scale_at_count = 20000