[tor-project] Announcing Onionspray 1.6.0 with a SECURITY fix for Onion Services rewriting proxies

Hello everyone,

I'd like to announce Onionspray, a tool for setting up Onion Services for
existing public websites, working as an HTTPS rewriting proxy:
https://tpo.pages.torproject.net/onion-services/onionspray/

It's a fork of Alec Muffett's EOTK (Enterprise Onion Toolkit,
https://github.com/alecmuffett/eotk), with many enhancements but retaining
compatibility, and relying on C Tor until an alternative in Arti is available.

The first Onionspray version is 1.6.0, following the pre-existing version
sequence from EOTK.

Security fixes:

* This release fixes a CRITICAL security vulnerability related to
  upstream HTTPS certificate verification, which is detailed in the advisory
  "Security Advisory: EOTK and Onionspray upstream HTTPS certificate
  verification" on the Onionspray site.

  A related fix is also available for EOTK, in pull request #116 on
  alecmuffett/eotk: "switch to get nginx to validate proxy tls connections".

  We urge Onionspray users who were testing the software during its early
  stages to upgrade to 1.6.0 as soon as possible and update their
  configurations, and we recommend that EOTK users do the same with the
  corresponding patch.

  This issue might also affect other similar rewriting proxy setups,
  and we urge operators to review and fix their Onion Service
  configurations.
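To make the class of misconfiguration concrete, here is an added illustration of the setting operators should look for in an nginx/OpenResty rewriting proxy. This is not Onionspray's or EOTK's own template; the hostnames, paths and CA bundle location are placeholders for your own setup.

```nginx
# Added illustration, not Onionspray's or EOTK's actual configuration.
# Two alternative versions of the same location block; use one, not both.
# www.example.com and the CA bundle path are placeholders.

# BEFORE (weak): proxy_pass to an HTTPS upstream without proxy_ssl_verify.
# nginx's proxy_ssl_verify defaults to "off", so the upstream certificate is
# never checked: anyone who can intercept traffic between the proxy and the
# public site can present an arbitrary certificate and the proxy accepts it.
location / {
    proxy_pass https://www.example.com;
    proxy_ssl_server_name on;
    proxy_set_header Host www.example.com;
}

# AFTER (fixed): verify the upstream certificate chain against a trusted CA
# bundle and pin the name the certificate must match.
location / {
    proxy_pass https://www.example.com;
    proxy_ssl_verify on;                    # reject upstreams that fail verification
    proxy_ssl_verify_depth 2;               # allow root + one intermediate in the chain
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # placeholder: system CA bundle
    proxy_ssl_server_name on;               # send SNI so the upstream serves the right cert
    proxy_ssl_name www.example.com;         # hostname the certificate is checked against
    proxy_ssl_protocols TLSv1.2 TLSv1.3;
    proxy_set_header Host www.example.com;
}
```

After applying the change, run `nginx -t` and watch the error log for "upstream SSL certificate verify error" entries, which indicate that verification is now active and the upstream chain does not validate against the configured bundle.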

Main improvements over EOTK:

* MetricsPort support (for gathering metrics data from the tor instances).
* Denial of Service (DoS) protections.
* Circuit ID exporting to NGINX logs and optionally to the upstream
  proxy (through the X-Onion-CircuitID HTTP header).
* Onionbalance v3 support ("softmaps" are working again).
* Revamped documentation.
* Installation procedures added for recent Debian and Ubuntu releases.
* Tor and OpenResty upgraded to the latest versions.
* Option to keep Onionspray running in the foreground (`--no-daemonize`).
* Local healthcheck action (`--health-local`), useful for containerized
  execution.

The full ChangeLog is available at
https://tpo.pages.torproject.net/onion-services/onionspray/changelog/

For those wishing to switch from EOTK to Onionspray, there's a migration guide
in the "Migrating from EOTK" page of the Onionspray documentation.

We also welcome people to report issues, send merge requests etc:
https://tpo.pages.torproject.net/onion-services/onionspray/contact/

And we have a bunch of issues waiting for contributions:

Finally, I'd like to thank Alec Muffett for his important work with EOTK
and for promoting Onion Services all these years :)

Thanks!


--
Silvio Rhatto
pronouns he/him