From: Brice Waegeneire <brice@waegenei.re>
To: guix-devel@gnu.org
Date: Tue, 12 May 2020 17:22:54 +0000
Subject: Routing Guix services traffic through Tor
Message-ID: <887f7538354a77d0df85cb3f458ffac4@waegenei.re>

Hello Guix,

Today I played a bit with Tor and Guix, trying to fetch substitutes through the Tor network, as blaze_cornbread asked on IRC[0] how to do this. I managed to get it working, but in the end I don't think we should encourage people to do it this way; that's why I haven't submitted a patch to the cookbook for it.

Currently the only supported way to proxy traffic for 'guix-daemon' is by setting an HTTP proxy[1]. The drawback is that DNS queries will still be in the clear and won't go through the proxy, in contrast to a SOCKS5 proxy, where the query happens on the other side of the proxy. So setting guix-daemon to use Tor by this means can put people at risk when they think that all their Guix traffic goes through Tor™.

A better approach would be to have a means to "torify" services with torsocks; it would proxy the service's traffic (DNS included) through Tor via a SOCKS5 proxy. I don't know how to implement such a feature though. But a generic method to modify a shepherd service from the configuration could also be helpful to start services in containers based on the user's needs instead of being tied to

The two following examples are **insecure** since the DNS traffic won't go through Tor.

Here is an example of a system configuration:

--8<---------------cut here---------------start------------->8---
(use-modules (gnu))
(use-service-modules base networking)

(operating-system
  …
  (services
   (append
    (list (service tor-service-type
                   (tor-configuration
                    ;; Tor listens as an HTTP CONNECT proxy on this port.
                    (config-file
                     (plain-file "tor-config"
                                 "HTTPTunnelPort 127.0.0.1:9052")))))
    (modify-services %base-services
      (guix-service-type config =>
                         (guix-configuration
                          (inherit config)
                          (http-proxy "http://localhost:9052")))))))
--8<---------------cut here---------------end--------------->8---

Following is an example of how to do it, in a less Guixy way, by using privoxy; it assumes a default configured tor service is already present on your system.

--8<---------------cut here---------------start------------->8---
$ sudo herd start tor
Service tor has been started.
$ cat privoxy-tor.conf
forward-socks5 / localhost:9050 .
$ privoxy privoxy-tor.conf
$ sudo herd set-http-proxy guix-daemon http://localhost:8118
changing HTTP/HTTPS proxy of 'guix-daemon' to "http://localhost:8118"...
Service guix-daemon has been stopped.
Service guix-daemon has been started.
$ LANGUAGE=C guix build audacity
substitute: mise à jour des substituts depuis « https://ci.guix.gnu.org »... 100.0 %
The following derivation will be built:
   /gnu/store/lz209608z1lw3zbw33hyp3rsx1az2khi-audacity-2.3.3.drv
38,1 MB will be downloaded:
   /gnu/store/ssc6x6dsxz3f5b26p84d02z42lcj8p3h-lv2-1.18.0
   /gnu/store/przpq26zaj858zmyayns6i4y13hr3d32-suil-0.10.6
   /gnu/store/y74d9xvxl33vra8aq9p3ywsvc8yaz04w-portmidi-217
   /gnu/store/2xmhv8ra20bhj73d3qirqbskdpq3lsim-vamp-2.6
   /gnu/store/1j3nhsacnqilyr4gqccfh9bzb33xvqak-audacity-2.3.3.tar.xz
   /gnu/store/bpp52ds6g1709s2h1ln1i81hz4v7gw6h-serd-0.30.4
   /gnu/store/vwx0zf02r9vxja8rmy6vs8w81907w3bz-sord-0.16.4
   /gnu/store/0ci33f2s2bm9rwply6b47sj6vn10ybaw-sratom-0.6.4
   /gnu/store/b5liczxlxxdhf9p8s61mx21v9x7rbsbi-lilv-0.24.6
substituting /gnu/store/1j3nhsacnqilyr4gqccfh9bzb33xvqak-audacity-2.3.3.tar.xz...
downloading from https://ci.guix.gnu.org/nar/1j3nhsacnqilyr4gqccfh9bzb33xvqak-audacity-2.3.3.tar.xz ...
 audacity-2.3.3.tar.xz  35.7MiB  548KiB/s 00:02 [                    ]   3.1
--8<---------------cut here---------------end--------------->8---

If during the download of the substitutes the tor service is stopped with “sudo herd stop tor”, guix will stop too and complain about a network error, as expected.

The above setup can be tweaked to proxy through SSH instead, by doing port forwarding through SOCKS, “ssh -D 8008 my-host” (don't forget to adjust the privoxy config for the port you are forwarding).

PS: Do not try to modify the shepherd guix-daemon service to use torsocks or you won't be able to reconfigure, switch-generation or rollback: “guix system: error: while setting up the build environment: cannot open IP socket: Operation not permitted”.

PPS: The substitute servers are available through Tor: “--substitute-urls=http://bp7o7ckwlewr4slm.onion”.

[0]: http://logs.guix.gnu.org/guix/2020-05-12.log#093952
[1]: https://guix.gnu.org/manual/devel/en/html_node/Proxy-Settings.html#Proxy-Settings

- Brice
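As an added illustration of the SOCKS5 point made in the mail above (example code, not from the email, Guix or torsocks): a minimal RFC 1928 client in Python that hands the hostname itself to the proxy, so the name is resolved on the proxy side rather than by the local resolver, which is also what makes a .onion name usable at all. `offline_demo` replays the exchange against a scripted proxy on a socketpair, using the .onion substitute address from the PPS as a constructed sample; `bp7o7ckwlewr4slm.onion` and the port values are taken from the mail, everything else is assumed.

```python
# Added example (not from the email): minimal SOCKS5 client per RFC 1928; torsocks relies on this.
import socket
import struct

SOCKS_VERSION, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused"}

def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request carrying the unresolved hostname (ATYP 0x03): no local DNS lookup."""
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))

def parse_reply(data: bytes) -> tuple:
    """Return (reply_code, bound_address, bound_port); raise on malformed input."""
    if len(data) < 8 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    code, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, end = socket.inet_ntop(socket.AF_INET, data[4:8]), 8
    elif atyp == ATYP_IPV6:
        addr, end = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    elif atyp == ATYP_DOMAIN:
        addr, end = data[5:5 + data[4]].decode("idna"), 5 + data[4]
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(data) < end + 2:
        raise ValueError("truncated reply")
    return code, addr, struct.unpack("!H", data[end:end + 2])[0]

def socks5_connect(sock, host: str, port: int) -> tuple:
    """No-auth handshake + CONNECT on an open socket to a local proxy (reply fits one read)."""
    sock.sendall(bytes([SOCKS_VERSION, 0x01, 0x00]))           # offer "no auth" only
    if sock.recv(2) != bytes([SOCKS_VERSION, 0x00]):
        raise OSError("proxy refused unauthenticated SOCKS5")
    sock.sendall(build_connect_request(host, port))
    code, addr, bport = parse_reply(sock.recv(262))             # 262 = max SOCKS5 reply
    if code != 0:
        raise OSError("SOCKS5 CONNECT failed: " + REPLY_TEXT.get(code, hex(code)))
    return addr, bport

def offline_demo() -> tuple:
    """Handshake against a scripted 'proxy' on a socketpair: no network, no DNS lookup."""
    client, proxy = socket.socketpair()
    proxy.sendall(b"\x05\x00" + b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00")  # method choice + reply
    return socks5_connect(client, "bp7o7ckwlewr4slm.onion", 80), proxy.recv(512)
```

To use it against a real Tor instance, open `socket.create_connection(("127.0.0.1", 9050))` (Tor's default SocksPort) and pass that socket to `socks5_connect`; the bytes the proxy receives contain the name, never an address resolved on the client.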