Proxy for Tor bridge

Hello,
How can I put a Tor bridge behind a proxy, so that it is not directly connected to the Internet? Something like a reverse proxy that is used for websites.

Thank you.

Hello,
Should I use port forwarding technique?

Thank you.

Is this an attempt to achieve this?:

By this you mean that it’s not reachable from the outside, or that the Tor bridge itself cannot initiate outgoing connections? If it’s the former, then there are two ways:

  • Just ensure that your firewall blocks incoming connections to the bridge’s port (ORPort, ServerTransportListenAddr), and set up a reverse proxy on an open port.
  • Set up the listen address of the bridge to be localhost (I think the params are ORPort and ServerTransportListenAddr, although you probably won’t need obfuscation anyway in this case), and set up a reverse proxy on an open port.

Related: man tor: ORPort: NoListen and NoAdvertise flags, and BridgeDistribution none.

Is this what you’re asking?
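The localhost-binding option in the reply above can be checked mechanically. The following Python audit is an added example, not part of the original thread: it reads a torrc and reports ORPort, SocksPort and ServerTransportListenAddr listeners bound beyond loopback. The function names and both sample torrc texts are constructed for illustration; the default-bind table reflects that ORPort binds all interfaces and SocksPort binds localhost when no address is given.

```python
import ipaddress

# Bind address tor uses when an option gives only a port.
DEFAULT_BIND = {"orport": "0.0.0.0", "socksport": "127.0.0.1",
                "servertransportlistenaddr": "0.0.0.0"}

def _is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # unresolved hostname: treat as exposed

def exposed_listeners(torrc_text):
    """Return (option, address) pairs for sockets bound beyond loopback."""
    found = []
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not parts or parts[0].lower() not in DEFAULT_BIND:
            continue
        opt, args = parts[0].lower(), parts[1:]
        if opt == "servertransportlistenaddr":
            args = args[1:]  # first argument is the transport name
        if not args:
            continue
        addr, flags = args[0], {f.lower() for f in args[1:]}
        # Port 0 disables the listener, NoListen only advertises the port,
        # and a unix: path is a local socket, not a network listener.
        if addr == "0" or addr.lower().startswith("unix:") or "nolisten" in flags:
            continue
        host = addr.rsplit(":", 1)[0] if ":" in addr else DEFAULT_BIND[opt]
        if not _is_loopback(host):
            found.append((parts[0], addr))
    return found

# Constructed sample: every listener reachable from the network.
EXPOSED = """# constructed sample
BridgeRelay 1
ORPort 9001
ServerTransportListenAddr obfs4 0.0.0.0:8443
SocksPort 192.0.2.10:9050
"""

# Constructed sample: sockets on loopback only, for use behind a reverse proxy.
HARDENED = """BridgeRelay 1
ORPort 443 NoListen                # advertised only, no socket opened
ORPort 127.0.0.1:9001 NoAdvertise  # real socket, loopback only
ServerTransportListenAddr obfs4 127.0.0.1:8443
SocksPort 0
BridgeDistribution none
"""

if __name__ == "__main__":
    for name, text in (("EXPOSED", EXPOSED), ("HARDENED", HARDENED)):
        print(name, exposed_listeners(text))
```

A non-empty result means the firewall is the only thing keeping that port private, so the first option in the reply (blocking the port) has to be in place for each listed listener.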

Hello,
Not really.
I mean the following plan:

Tor Server (Proxy or Bridge) ---> Proxy ---> Internet

How to setup a reverse proxy for an open port?

To be honest I wonder if that would be possible by setting up Nginx Proxy Manager or Traefik. Maybe it is possible by setting up a configuration with NoAdvertise and NoListen?

That would be a cool little project to try, ngl. I don’t really see any benefit from doing that other than learning how it would work, though.

Then I think you got to use Socks5Proxy:

Is it still not it? I don’t understand why you call it a reverse proxy. Isn’t it a regular proxy?

2 Likes

There are two conflicting things here:

  1. The direction of the arrows indicates a connection is being made from a Tor Server to the internet. In that case this would be a forward proxy.
  2. The words “reverse proxy” and “open port” indicate that a connection is coming from the internet and going to the Tor Server.

Could you clarify a bit more?

1 Like

This would be a perfect scenario for a WebTunnel bridge. I am running one of these with Traefik today. I use a higher-priority Traefik router rule for the WebTunnel path. If someone visits www.domain.tld they get the normal website. If Tor visits www.domain.tld/TOR_WEBTUNNEL_PATH it connects to the bridge.

I have tested, and this also works with CF tunnels.

  nginx:
    image: nginx
    labels:
      - traefik.enable=true
      - traefik.http.routers.nginx.entrypoints=https-443
      - traefik.http.routers.nginx.rule=Host(`www.${DOMAIN}`)
      - traefik.http.services.nginx.loadbalancer.server.port=80
    volumes:
      - /archive/www/private:/usr/share/nginx/html:ro
    restart: unless-stopped
    networks:
      frontend:

  tor:
    image: thetorproject/webtunnel-bridge:latest
    entrypoint: ["/usr/sbin/tor", "-f", "/etc/tor/torrc"]
    security_opt:
      - apparmor=docker-tor
    mem_limit: 512m
    memswap_limit: 512m
    labels:
      - traefik.enable=true
      - traefik.http.routers.tor-webtunnel.entrypoints=https-443
      - traefik.http.routers.tor-webtunnel.rule=Host(`www.${DOMAIN}`) && PathPrefix(`/${TOR_WEBTUNNEL_PATH}`)
      - traefik.http.routers.tor-webtunnel.priority=999
      - traefik.http.services.tor-webtunnel.loadbalancer.server.port=8080
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - ${DEV_PATH}/tor/torrc:/etc/tor/torrc:ro
      - ${CONFIG_PATH}/tor:/var/lib/tor
    restart: unless-stopped
    networks:
      tor:

2 Likes

Hello,
Thank you so much for your reply.
1- When you set up a Tor bridge, then connections from the Internet come to the Tor server. Isn’t that right?

2- I just want to hide my Tor server behind another server. Instead of connecting directly to the Tor bridge server, clients connect to another server that sends clients’ requests to the main Tor server.

Hello,
I mean the following plan:

Tor Server (Proxy or Bridge) ---> Proxy ---> Internet

Can using HTTPSProxy host[:port] statement in the Tor bridge configuration solve the problem?

Hello,
Thank you so much for your reply.
I’m sorry if I couldn’t express my meaning correctly. I want to put the Tor server behind another server to increase its security. It means that the Tor server should not be directly connected to the Internet.

Tor Server (Proxy or Bridge) ---> Intermediate Server ---> Internet

How should the settings of this intermediate server be? Clients must connect to this intermediate server to use Tor.

I can’t follow that. A typical Tor circuit with a Tor bridge is constructed like this to reach a page on the clearnet. Hidden services in the Tor network not considered.
(The connection is encrypted from the browser to the exit)

Tor Browser<->OBFS4 Proxy<->OBFS4 Proxy<->Tor Bridge<->Tor Middle Router<->Tor Exit Router<->Internet

1 Like

Hello,
Thanks again.
Why does this Intermediate Server make the Tor not work properly? Tor is not only directly connected to the Internet. Something like an http proxy (TinyProxy).

Are you sure that my first reply is not what you want?

I might have used the wrong term here? Not sure.
You can set up sshd on the server, then connect to it from your PC with ssh -L any_local_port:localhost:tor_bridge_port. This way, connections to localport on your local machine will be forwarded to torport of the server.

If it’s still not it, I think you need to better explain how threats that you are to protect yourself from would work, and how exactly you would use your setup.

1 Like

Hello,
Thanks again.
I want my Tor Proxy Server or Tor Bridge not directly accessing the Internet, but connecting to another server and getting the internet there. When you launch an Apache reverse proxy server, then you hide your real Apache web server behind another server. I want to do the same with the Tor. How should this Intermediate server be configured? Should I install the TinyProxy or Squid-cache on it, then use the HTTPProxy host[:port] statement in the Tor configuration to use the internet of that intermediate server?

That doesn’t make any sense at all. A Tor bridge must be accessible from the Internet, otherwise it won’t work. Outgoing traffic is not filtered on relays anyway. You have the option to configure a private hidden bridge and only give the bridgeline to certain people.

A Tor proxy (or several) runs on your localhost or on a device (gateway-Router, raspberry) for network-wide access and TorBrowser, $client-software connect to it.

I think you’re looking for ‘How to setup Tor as transparent proxy for my network’
Have you ever looked at all the config options in man torrc especially SocksPort & TransPort?

1 Like

Hello,
Thanks again.
My Tor proxy configuration is:

SocksPort 172.21.50.61:9050
SocksPolicy accept 172.21.50.0/25
RunAsDaemon 1
DataDirectory /var/lib/tor

Clients connect to my server’s IP address and receive service. I have placed this server behind an HTTP server. What’s wrong?