torcontrol: add -tortarget config #19043
Conversation
|
Concept ACK. You might want to add some validationfor the option value: at the least whether it's Edit: this is also the first step towards making #8973 possible. |
|
I'm confused how torcontrol is talking to Tor on another host? |
|
Concept ACK. Some validation and testing would be nice here. @MDrollette, are you still active on this? |
I've added what I believe to be some sanitation/validation. I am happy to do something differently if anyone can point to a better example. My apologies, I'm not a C developer, so this is very much an introduction for me.
|
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. ConflictsReviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first. |
| @@ -531,12 +531,20 @@ void TorController::auth_cb(TorControlConnection& _conn, const TorControlReply& | |||
| SetReachable(NET_ONION, true); | |||
| } | |||
|
|
|||
| // Validate the target of the hidden service | |||
| std::string targetArg = gArgs.GetArg("-tortarget", "127.0.0.1"); | |||
There was a problem hiding this comment.
Looks like the port is missing in the default value ?
There was a problem hiding this comment.
If no port is specified, either on the passed in value or in this case as the default, then GetListenPort() is used below on L537
7e57666 to
3fde32c
Compare
This allows torcontrol to auto configure the HiddenService even when Tor is running on a different host or within a containerized environment.
3fde32c to
b5d5d23
Compare
| @@ -531,12 +531,20 @@ void TorController::auth_cb(TorControlConnection& _conn, const TorControlReply& | |||
| SetReachable(NET_ONION, true); | |||
| } | |||
|
|
|||
| // Validate the target of the hidden service | |||
There was a problem hiding this comment.
Shouldn't this also be changed, a few lines above:
// Now that we know Tor is running setup the proxy for onion addresses
// if -onion isn't set to something else.
if (gArgs.GetArg("-onion", "") == "") {
CService resolved(LookupNumeric("127.0.0.1", 9050));
proxyType addrOnion = proxyType(resolved, true);
SetProxy(NET_ONION, addrOnion);
SetReachable(NET_ONION, true);
}If the tor daemon is running on another machine, then it will not be reachable on 127.0.0.1:9050.
| @@ -461,6 +461,7 @@ void SetupServerArgs(NodeContext& node) | |||
| argsman.AddArg("-timeout=<n>", strprintf("Specify connection timeout in milliseconds (minimum: 1, default: %d)", DEFAULT_CONNECT_TIMEOUT), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION); | |||
| argsman.AddArg("-peertimeout=<n>", strprintf("Specify p2p connection timeout in seconds. This option determines the amount of time a peer may be inactive before the connection to it is dropped. (minimum: 1, default: %d)", DEFAULT_PEER_CONNECT_TIMEOUT), ArgsManager::ALLOW_ANY | ArgsManager::DEBUG_ONLY, OptionsCategory::CONNECTION); | |||
| argsman.AddArg("-torcontrol=<ip>:<port>", strprintf("Tor control port to use if onion listening enabled (default: %s)", DEFAULT_TOR_CONTROL), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION); | |||
| argsman.AddArg("-tortarget=<ip:port>", strprintf("Target for Tor HiddenService (default: 127.0.0.1:%i)", defaultChainParams->GetDefaultPort()), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION); | |||
There was a problem hiding this comment.
Because port is optional, maybe change to -tortarget=<ip[:port]>? Or -tortarget=<ip>[:<port>] to be in line with the existent -torcontrol=<ip>:<port>.
|
In #19991 we are considering adding the possibility to bind to a dedicated addr:port for incoming tor connections, mainly to be able to distinguish them from incoming clearnet ones. If we do that, then we can automatically pass that addr:port to the @MDrollette, do you think that would be sufficient? I can imagine some exceptional cases where we bind to |
That seems like an appropriate default, if nothing else. I think it's still common in the docker case to simply specify listening on It's possible to make it work with only your PR, so it's more flexible than the current state. But it's not as trivial as |
|
What is "bitcoind" in |
96571b3 doc: Update onion service target port numbers in tor.md (Hennadii Stepanov) bb145c9 net: Extend -bind config option with optional network type (Hennadii Stepanov) 92bd3c1 net, refactor: Move AddLocal call one level up (Hennadii Stepanov) 57f17e5 net: Pass onion service target to Tor controller (Hennadii Stepanov) e3f0785 refactor: Rename TorController::target to m_tor_control_center (Hennadii Stepanov) fdd3ae4 net, refactor: Refactor CBaseChainParams::RPCPort function (Hennadii Stepanov) a5266d4 net: Add alternative port for onion service (Hennadii Stepanov) b3273cf net: Use network byte order for in_addr.s_addr (Hennadii Stepanov) Pull request description: This PR adds ability to label incoming Tor connections as different from normal localhost connections. Closes #8973. Closes #16693. Default onion service target ports are: - 8334 on mainnnet - 18334 on testnet - 38334 on signet - 18445 on regtest To set the onion service target socket manually the extended `-bind` config option could be used: ``` $ src/bitcoind -help | grep -A 6 -e '-bind' -bind=<addr>[:<port>][=onion] Bind to given address and always listen on it (default: 0.0.0.0). Use [host]:port notation for IPv6. Append =onion to tag any incoming connections to that address and port as incoming Tor connections (default: 127.0.0.1:8334=onion, testnet: 127.0.0.1:18334=onion, signet: 127.0.0.1:38334=onion, regtest: 127.0.0.1:18445=onion) ``` Since [pr19991.02 update](#19991 (comment)) this PR is an alternative to #19043. ACKs for top commit: Sjors: re-utACK 96571b3 vasild: ACK 96571b3 laanwj: Re-ACK 96571b3 Tree-SHA512: cb0eade80f4b3395f405f775e1b89c086a1f09d5a4464df6cb4faf808d9c2245474e1720b2b538f203f6c1996507f69b09f5a6e35ea42633c10e22bd733d4438
|
🐙 This pull request conflicts with the target branch and needs rebase. Want to unsubscribe from rebase notifications on this pull request? Just convert this pull request to a "draft". |
|
I think this is superseded now by #19991 which got merged. |
|
Closing this PR since #19991 addresses this issue and also has further discussion |
…ctions 96571b3 doc: Update onion service target port numbers in tor.md (Hennadii Stepanov) bb145c9 net: Extend -bind config option with optional network type (Hennadii Stepanov) 92bd3c1 net, refactor: Move AddLocal call one level up (Hennadii Stepanov) 57f17e5 net: Pass onion service target to Tor controller (Hennadii Stepanov) e3f0785 refactor: Rename TorController::target to m_tor_control_center (Hennadii Stepanov) fdd3ae4 net, refactor: Refactor CBaseChainParams::RPCPort function (Hennadii Stepanov) a5266d4 net: Add alternative port for onion service (Hennadii Stepanov) b3273cf net: Use network byte order for in_addr.s_addr (Hennadii Stepanov) Pull request description: This PR adds ability to label incoming Tor connections as different from normal localhost connections. Closes bitcoin#8973. Closes bitcoin#16693. Default onion service target ports are: - 8334 on mainnnet - 18334 on testnet - 38334 on signet - 18445 on regtest To set the onion service target socket manually the extended `-bind` config option could be used: ``` $ src/bitcoind -help | grep -A 6 -e '-bind' -bind=<addr>[:<port>][=onion] Bind to given address and always listen on it (default: 0.0.0.0). Use [host]:port notation for IPv6. Append =onion to tag any incoming connections to that address and port as incoming Tor connections (default: 127.0.0.1:8334=onion, testnet: 127.0.0.1:18334=onion, signet: 127.0.0.1:38334=onion, regtest: 127.0.0.1:18445=onion) ``` Since [pr19991.02 update](bitcoin#19991 (comment)) this PR is an alternative to bitcoin#19043. ACKs for top commit: Sjors: re-utACK 96571b3 vasild: ACK 96571b3 laanwj: Re-ACK 96571b3 Tree-SHA512: cb0eade80f4b3395f405f775e1b89c086a1f09d5a4464df6cb4faf808d9c2245474e1720b2b538f203f6c1996507f69b09f5a6e35ea42633c10e22bd733d4438
This PR allows torcontrol to auto configure the HiddenService even
when Tor is running on a different host or within a containerized
environment.
In such an environment, the previously assumed static target of
127.0.0.1was insufficient.fixes #16693