* documentation/behavior unclear of (tor-hidden-service)
@ 2017-03-04 15:59 ng0
2017-03-04 16:21 ` ng0
0 siblings, 1 reply; 9+ messages in thread
From: ng0 @ 2017-03-04 15:59 UTC (permalink / raw)
To: guix-devel
I have a question regarding the (tor-hidden-service) service.
When I have an previously generated hostname, let's call it
"fooschnickens1234.onion" for the purpose of this message, my approach
on a system like Gentoo was to manually place the hostname and
private-key into the /var/lib/tor/hidden-services/$name-i-gave-in-torrc
folder and change the permissions afterwards.
Now this service is unclear about wether it would overwrite the files I
have when the new system generation is done building (reconfigure).
It would be good to know wether the files can be copied into place in
advance or if one has to wait to replace it afterwards.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: documentation/behavior unclear of (tor-hidden-service)
2017-03-04 15:59 documentation/behavior unclear of (tor-hidden-service) ng0
@ 2017-03-04 16:21 ` ng0
2017-03-06 10:13 ` Ludovic Courtès
0 siblings, 1 reply; 9+ messages in thread
From: ng0 @ 2017-03-04 16:21 UTC (permalink / raw)
To: guix-devel
On 17-03-04 15:59:16, ng0 wrote:
> I have a question regarding the (tor-hidden-service) service.
>
> When I have an previously generated hostname, let's call it
> "fooschnickens1234.onion" for the purpose of this message, my approach
> on a system like Gentoo was to manually place the hostname and
> private-key into the /var/lib/tor/hidden-services/$name-i-gave-in-torrc
> folder and change the permissions afterwards.
>
> Now this service is unclear about wether it would overwrite the files I
> have when the new system generation is done building (reconfigure).
>
> It would be good to know wether the files can be copied into place in
> advance or if one has to wait to replace it afterwards.
>
Okay, be your own testpilot:
A quick 'guix system build config.scm' and before reconfiguring
inserting my values into the then new generated
/var/lib/tor/hidden-services/foo/ and the files in there, then running
reconfigure, rebooting and I can connect to my hostname(s).
moving on, this could be improved:
In case one aims for keeping the config public this is a bad idea but
what about creating the hostname + private_key in $name as plain-file?
Would this be overwritten by (tor-hidden-service) or would this just be
bad practice but "whatever works for you"?
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: documentation/behavior unclear of (tor-hidden-service)
2017-03-04 16:21 ` ng0
@ 2017-03-06 10:13 ` Ludovic Courtès
2017-03-06 12:08 ` ng0
0 siblings, 1 reply; 9+ messages in thread
From: Ludovic Courtès @ 2017-03-06 10:13 UTC (permalink / raw)
To: guix-devel
Hi!
ng0 <contact.ng0@cryptolab.net> skribis:
> moving on, this could be improved:
> In case one aims for keeping the config public this is a bad idea but
> what about creating the hostname + private_key in $name as plain-file?
> Would this be overwritten by (tor-hidden-service) or would this just be
> bad practice but "whatever works for you"?
Tor is stateful here: it creates the
/var/lib/tor/hidden-services/SERVICE directory once, and then never
touches it again.
Do you think our documentation should be improved? Could you suggest a
patch that improves things, while at the same time not paraphrasing too
much of Tor’s own documentation?
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: documentation/behavior unclear of (tor-hidden-service)
2017-03-06 10:13 ` Ludovic Courtès
@ 2017-03-06 12:08 ` ng0
2017-03-06 15:45 ` Ludovic Courtès
2017-03-06 16:19 ` dian_cecht
0 siblings, 2 replies; 9+ messages in thread
From: ng0 @ 2017-03-06 12:08 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
On 17-03-06 11:13:32, Ludovic Courtès wrote:
> Hi!
>
> ng0 <contact.ng0@cryptolab.net> skribis:
>
> > moving on, this could be improved:
> > In case one aims for keeping the config public this is a bad idea but
> > what about creating the hostname + private_key in $name as plain-file?
> > Would this be overwritten by (tor-hidden-service) or would this just be
> > bad practice but "whatever works for you"?
>
> Tor is stateful here: it creates the
> /var/lib/tor/hidden-services/SERVICE directory once, and then never
> touches it again.
>
> Do you think our documentation should be improved? Could you suggest a
> patch that improves things, while at the same time not paraphrasing too
> much of Tor’s own documentation?
>
> Thanks,
> Ludo’.
>
Thanks.
I'll think of something along the lines next time I have time to spend
for documentation.
What do you think about the private-key + hostname option? Too much
of bad practice to implement it for the service?
I was thinking of adding a (tor-relay-node) once I have the option to
run a GuixSD system not in my home and/or other circumstances are
solved which now prevent certain things.
Maybe someone else can try and implement this, I only know what'S needed
for running the relay but can't do it at the moment ;)
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: documentation/behavior unclear of (tor-hidden-service)
2017-03-06 12:08 ` ng0
@ 2017-03-06 15:45 ` Ludovic Courtès
2017-03-06 16:19 ` dian_cecht
1 sibling, 0 replies; 9+ messages in thread
From: Ludovic Courtès @ 2017-03-06 15:45 UTC (permalink / raw)
To: guix-devel
ng0 <contact.ng0@cryptolab.net> skribis:
> On 17-03-06 11:13:32, Ludovic Courtès wrote:
>> Hi!
>>
>> ng0 <contact.ng0@cryptolab.net> skribis:
>>
>> > moving on, this could be improved:
>> > In case one aims for keeping the config public this is a bad idea but
>> > what about creating the hostname + private_key in $name as plain-file?
>> > Would this be overwritten by (tor-hidden-service) or would this just be
>> > bad practice but "whatever works for you"?
>>
>> Tor is stateful here: it creates the
>> /var/lib/tor/hidden-services/SERVICE directory once, and then never
>> touches it again.
>>
>> Do you think our documentation should be improved? Could you suggest a
>> patch that improves things, while at the same time not paraphrasing too
>> much of Tor’s own documentation?
[...]
> What do you think about the private-key + hostname option? Too much
> of bad practice to implement it for the service?
What do you mean?
Now that I checked, I see the documentation explains exactly what I
wrote above, with a link to upstream’s documentation for details. What
should we add?
> I was thinking of adding a (tor-relay-node) once I have the option to
> run a GuixSD system not in my home and/or other circumstances are
> solved which now prevent certain things.
Would be nice.
Thanks,
Ludo’.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: documentation/behavior unclear of (tor-hidden-service)
2017-03-06 12:08 ` ng0
2017-03-06 15:45 ` Ludovic Courtès
@ 2017-03-06 16:19 ` dian_cecht
2017-03-06 18:00 ` ng0
1 sibling, 1 reply; 9+ messages in thread
From: dian_cecht @ 2017-03-06 16:19 UTC (permalink / raw)
To: guix-devel
On Mon, 6 Mar 2017 12:08:20 +0000
ng0 <contact.ng0@cryptolab.net> wrote:>
> Maybe someone else can try and implement this, I only know what'S
> needed for running the relay but can't do it at the moment ;)
Just for reference sake:
https://www.torproject.org/docs/tor-doc-relay.html.en
What is the policy on creating/modifying firewalls? Would any relay
service be allowed to automatically reconfigure the firewall to allow
a relay to run? Does the sysadmin have to configure it theirself
(English really needs gender-neutral pronouns.)? Does anything else in
GuixSD modify the firewall at this point?
These all feel like rather important questions to me that need
answering before anyone does this.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: documentation/behavior unclear of (tor-hidden-service)
2017-03-06 16:19 ` dian_cecht
@ 2017-03-06 18:00 ` ng0
2017-03-06 18:47 ` Leo Famulari
0 siblings, 1 reply; 9+ messages in thread
From: ng0 @ 2017-03-06 18:00 UTC (permalink / raw)
To: dian_cecht; +Cc: guix-devel
On 17-03-06 08:19:00, dian_cecht@zoho.com wrote:
> On Mon, 6 Mar 2017 12:08:20 +0000
> ng0 <contact.ng0@cryptolab.net> wrote:>
> > Maybe someone else can try and implement this, I only know what'S
> > needed for running the relay but can't do it at the moment ;)
>
> Just for reference sake:
> https://www.torproject.org/docs/tor-doc-relay.html.en
>
> What is the policy on creating/modifying firewalls? Would any relay
> service be allowed to automatically reconfigure the firewall to allow
> a relay to run? Does the sysadmin have to configure it theirself
> (English really needs gender-neutral pronouns.)? Does anything else in
themselves, there are gender neutral pronouns in english.
> GuixSD modify the firewall at this point?
No, there are no services for iptables or nftables at this point. And
from my experience they are not needed for a relay. Okay, they would be
useful to increase security and to see how how Chinese government
officials and their automated services want to get into your server, but
it's not really necessary for the relay.
The relays are just some definitions in the torrc, and that's it.
I would only ask people who currently or previously ran a tor relay,
maybe even with Guix/GuixSD, to work on this. You can't break anything,
but to test it would be good. Which is something I can't do currently.
> These all feel like rather important questions to me that need
> answering before anyone does this.
>
>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: documentation/behavior unclear of (tor-hidden-service)
2017-03-06 18:00 ` ng0
@ 2017-03-06 18:47 ` Leo Famulari
2017-03-06 20:19 ` ng0
0 siblings, 1 reply; 9+ messages in thread
From: Leo Famulari @ 2017-03-06 18:47 UTC (permalink / raw)
To: dian_cecht, guix-devel
On Mon, Mar 06, 2017 at 06:00:30PM +0000, ng0 wrote:
> from my experience they are not needed for a relay. Okay, they would be
> useful to increase security and to see how how Chinese government
> officials and their automated services want to get into your server, but
> it's not really necessary for the relay.
Slight nitpick: In my experience with iptables, it's not just Chinese
officials that want to break in to my servers, but rather a dazzling
multitude of people from all over the world ;)
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: documentation/behavior unclear of (tor-hidden-service)
2017-03-06 18:47 ` Leo Famulari
@ 2017-03-06 20:19 ` ng0
0 siblings, 0 replies; 9+ messages in thread
From: ng0 @ 2017-03-06 20:19 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
On 17-03-06 13:47:12, Leo Famulari wrote:
> On Mon, Mar 06, 2017 at 06:00:30PM +0000, ng0 wrote:
> > from my experience they are not needed for a relay. Okay, they would be
> > useful to increase security and to see how how Chinese government
> > officials and their automated services want to get into your server, but
> > it's not really necessary for the relay.
>
> Slight nitpick: In my experience with iptables, it's not just Chinese
> officials that want to break in to my servers, but rather a dazzling
> multitude of people from all over the world ;)
>
My experience with OpenNIC and tor on the server side was that it's
mostly government IPs running lazy standard methods trying to get in
where they won't get in anyway.
Just don't use port 22, rate-limit connections (with OpenNIC this worked
a bit) and the IPs which traced back directly to those red zones in
chinese cities marked as "military/government zones" went away :).
But yeah, with tor they were in company of russia, USA, and other
nations trying to do the same ;D
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2017-03-06 19:10 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-03-04 15:59 documentation/behavior unclear of (tor-hidden-service) ng0
2017-03-04 16:21 ` ng0
2017-03-06 10:13 ` Ludovic Courtès
2017-03-06 12:08 ` ng0
2017-03-06 15:45 ` Ludovic Courtès
2017-03-06 16:19 ` dian_cecht
2017-03-06 18:00 ` ng0
2017-03-06 18:47 ` Leo Famulari
2017-03-06 20:19 ` ng0
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).