Opened 5 years ago

Closed 5 years ago

#11485 closed enhancement (implemented)

support unix-sockets as hidden-service endpoints

Reported by: meejah
Owned by:
Priority: Medium
Milestone: Tor: 0.2.6.x-final
Component: Core Tor/Tor
Version:
Severity:
Keywords: tor-hs 026-triaged-1
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

It would be nice if hidden-service setup supported proxying to a local unix-socket. nginx, Twisted (and probably others) support this for HTTP for example.

This would reduce the chances of "accidentally" listening on a public TCP port (and eases the task of verifying this) and is somewhat faster.

I'm unsure if it's better to have a new config-item, or overlap with the existing hidden-service listening specification.

Child Tickets

Change History (12)

comment:1 Changed 5 years ago by nickm

Keywords: tor-hs added
Milestone: Tor: 0.2.6.x-final

I thought there was already a ticket for this, but I can't find one. Yeah, this is a fine idea.

For an example of how we support AF_UNIX in tor today, see how controller listeners on AF_UNIX work. Adding support for connections to an AF_UNIX address for a hidden service shouldn't be hard.

comment:2 Changed 5 years ago by nickm

Keywords: 026-triaged-1 added

comment:3 Changed 5 years ago by ioerror

We have the client side of this implemented in https://trac.torproject.org/projects/tor/ticket/12585 and I strongly support implementing this for the Tor HS side. This will be really nice for Tails, especially but also for applications like OnionShare.

Could someone provide either a sample application or configuration for a server that supports such a socket? I suspect OnionShare would be a good sample application - which can also be heavily sandboxed in a useful manner.

I think in an ideal world, we'd also eventually ship a super minimal server - perhaps a libevent httpd or perhaps an OnionShare like service?

comment:4 Changed 5 years ago by meejah

With nginx (config snippet):

    server {
        server_name example.com;
        listen unix:/tmp/foo;
    }

With Twisted Web (command-line):

    twistd web --port unix:/tmp/bar --path ~/public_html
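A sample server of the kind asked for in comment:3, written here as an added example (it is not code from the ticket, from nginx, Twisted or Tor): a Python HTTP server bound to an AF_UNIX path, created under a restrictive umask so the socket node is owner-only, plus a check that the path really is a socket with no group/other permissions and a client that fetches a page over it. The socket path under a temporary directory and the "hello" body are constructed for the example.

```python
"""Minimal HTTP server on an AF_UNIX socket, plus a self-check that the
socket is private and answers requests. Added example, not code from the
ticket; the socket path and the 'hello' page body are constructed here."""
import os
import socket
import socketserver
import stat
import tempfile
import threading
from http.server import BaseHTTPRequestHandler


class HelloHandler(BaseHTTPRequestHandler):
    """Answer every GET with a small constant page (constructed content)."""

    def do_GET(self):
        body = b"hello from a unix socket\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # The default logger indexes client_address[0]; for AF_UNIX peers
        # client_address is an empty string, so logging would raise.
        pass


class UnixHTTPServer(socketserver.ThreadingMixIn, socketserver.UnixStreamServer):
    """UnixStreamServer binds to a filesystem path; no TCP port is opened."""
    daemon_threads = True


def start_server(sock_path, umask=0o077):
    """Bind to sock_path under a restrictive umask so the socket node is
    created owner-only (0700) and cannot be connected to by other users."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)          # clear a stale socket from a prior run
    old_umask = os.umask(umask)
    try:
        server = UnixHTTPServer(sock_path, HelloHandler)
    finally:
        os.umask(old_umask)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def socket_is_private(sock_path):
    """True if the path is a socket node granting nothing to group/other."""
    st = os.stat(sock_path)
    return stat.S_ISSOCK(st.st_mode) and (st.st_mode & 0o077) == 0


def fetch(sock_path, request=b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n"):
    """Speak HTTP/1.0 over the unix socket and return the raw response;
    HTTP/1.0 makes the server close the connection after one reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo():
    """Run the server in a temp dir, check perms, fetch once, shut down."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "hs.sock")
        server = start_server(path)
        try:
            private = socket_is_private(path)
            reply = fetch(path)
        finally:
            server.shutdown()
            server.server_close()
    return private, reply


if __name__ == "__main__":
    is_private, response = demo()
    print("socket private:", is_private)
    print(response.decode())
```

Run it directly to see the permission check and the reply. The Tor side then points a HiddenServicePort line at the same path (Tor 0.2.6 and later accept a unix:/path/to/socket target), so the service never has a TCP listener that could be reached from outside the host, which is exactly the "accidental public port" risk the ticket description raises.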

comment:5 Changed 5 years ago by meejah

Note also that you can currently do this to get the same webserver as above on a hidden-service (jessie or wheezy-backports):

    apt-get install python-txtorcon
    twistd web --port "onion:80" --path ~/public_html

comment:6 Changed 5 years ago by andrea

Status: new → needs_review

This is now implemented in my ticket11485 branch. Looks good in testing; use something like 'socat UNIX-LISTEN:<path-to-unix-socket>,fork TCP4:<ip/hostname>:<port>'.

comment:7 Changed 5 years ago by nickm

ba9aed237495bb263594c79daa75042e4dd0780e:

  • Prefer !strcmpstart(a,b) to strstr(a,b)==a
  • prefer tor_strdup() or tor_strndup() to malloc-plus-strncpy?
  • I think there should generally be a separate alloc function for types with variable-length members.

fd29c898cb68e702e43f72a3669308dee0e7c2f1:

  • Isn't connection_connect_unix mostly a duplicate of connection_connect()? We should combine them, or extract the common parts.

de86ab3cc3321930f55b11ca3d9c1c005d608e92:

  • prefer tor_strdup() or tor_strndup() to malloc-plus-strncpy?

comment:8 Changed 5 years ago by nickm

I've made these changes in a fixup! commit on my "tick11485" branch in my public repository. Do you like? Does it still work for you?

comment:9 Changed 5 years ago by dgoulet

de86ab3cc3321930f55b11ca3d9c1c005d608e92:

I'm a bit worried by the amount of #ifdef/#endif that this commit introduces in rend_service_set_connection_addr_port(). That makes code review and maintainability quite difficult over time imo.

Can I interest you guys in this kind of fix?: branch bug11485_026_v1, commit 233e8d9, created on top of nickm's branch.

comment:10 Changed 5 years ago by nickm

dgoulet: looks okay, but:

  • needs comments for functions.
  • No need to declare these functions inline. The compiler will figure it out; and they're not in the critical path.

comment:11 in reply to: 10 Changed 5 years ago by dgoulet

Replying to nickm:

dgoulet: looks okay, but:

  • needs comments for functions.
  • No need to declare these functions inline. The compiler will figure it out; and they're not in the critical path.

Oh! I didn't think you would want to pull it right in, I just wanted to show you the fix to see if it makes sense to you.

I shall clean that up then! Here it is, branch bug11485_026_v2.

comment:12 Changed 5 years ago by nickm

Resolution: implemented
Status: needs_review → closed

Merged bug11584_026_v2_squashed, with Andrea's signoff. Thanks everybody!
