I'd like to announce Onionspray, a tool for setting up Onion Services for
existing public websites, working as a HTTPS rewriting proxy:
It's a fork of Alec Muffett's EOTK (GitHub - alecmuffett/eotk: Enterprise Onion Toolkit), with
many enhancements but retaining compatibility, and relying on C Tor until an
alternative in Arti is available.
The first Onionspray version is 1.6.0, following the pre-existing version
sequence from EOTK.
* This release fixes a CRITICAL security vulnerability related to
upstream HTTPS certificate verification, which is detailed at
Security Advisory: EOTK and Onionspray upstream HTTPS certificate verification - Onionspray
A related fix is also available for EOTK:
switch to get nginx to validate proxy tls connections by alecmuffett · Pull Request #116 · alecmuffett/eotk · GitHub
We urge Onionspray users that were testing the software while it was being on
it's early stages to upgrade ASAP to 1.6.0 and update their configurations, and
we recommend that EOTK to the same with the corresponding patch.
This issue might also affect other similar rewriting proxy setups,
and we urge operators to review and fix their Onion Service
Main improvements over EOTK:
* MetricsPort support (for gathering metrics data from the tor instances).
* Denial of Service (DoS) protections.
* Circuit ID exporting to NGINX logs and optionally to the upstream
proxy (through the X-Onion-CircuitID HTTP header).
* Onionbalance v3 support ("softmaps" are working again).
* Revamped documentation.
* Installation procedures added for recent Debian and Ubuntu releases.
* Tor and OpenResty upgraded to the latest versions.
* Option to keep Onionspray running in the foreground (`--no-daemonize`).
* Local healthcheck action (`--health-local`), useful for containerized
The full ChangeLog is available at
For those wishing to switch from EOTK to Onionspray, there's a migration guide
at Migrating from EOTK - Onionspray
We also welcome people to report issues, send merge requests etc:
And we have a bunch of issues waiting for contributions:
Finally, I'd like to thank Alec Muffett for his important work with EOTK
and for promoting Onion Services all these years