all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* Routing Guix services traffic trough Tor
@ 2020-05-12 17:22 Brice Waegeneire
  2020-05-17 22:33 ` Ludovic Courtès
  0 siblings, 1 reply; 12+ messages in thread
From: Brice Waegeneire @ 2020-05-12 17:22 UTC (permalink / raw)
  To: guix-devel

Hello Guix,

Today I played a bit with Tor and Guix, trying to fetch substitutes 
trough
the Tor network as blaze_cornbread asked on IRC[0] how to do this.  I
managed to get it working but in the end I don't think we should 
encourage
people doing it this way, that's why I haven't submitted a patch to the
cookbook for it.  Currently the only supported way to proxy traffic for
'guix-daemon' is by setting a HTTP proxy[1] the drawback is that DNS 
query
will still be in clear and wont go trough the proxy in contrast to a 
SOCKS5
proxy where the query will happen on the other side of the proxy.  So
setting guix-daemon to use tor by this mean can put people at risk when
they think that all their guix traffic go trough tor™.

A better approach would be to have a mean to "torify" services with
torsocks, it would proxy the service's traffic (DNS included) trough tor 
via
a SOCKS5 proxy. I don't know how to implement such feature tho. But a
generic method to modify a shepherd service from the configuration could
also be helpful to start service in containers based on the user need
instead of being tied to

The two following examples are **insecure** since the DNS traffic won't 
go
trough tor.  Here is a example of a system configuration:

--8<---------------cut here---------------start------------->8---
(use-modules (gnu))
(use-service-module base networking)

(operating-system
   …
   (services
     (append
       (list ((service tor-service-type
               (tor-configuration
                 (config-file (plain-file "tor-config"
                                          "HTTPTunnelPort 
127.0.0.1:9052"))))))
       (modify-services %base-services
                       (guix-service-type
                        config => (guix-configuration
                                   (http-proxy 
"http://localhost:9052")))))))
--8<---------------cut here---------------end--------------->8---

Following is an example on how to do it, in a less Guixy way, by using
privoxy; it assume a default configured tor service is already present 
on
your system..

--8<---------------cut here---------------start------------->8---
$ sudo herd start tor
Service tor has been started.
$ cat privoxy-tor.conf
forward-socks5 / localhost:9050 .
$ privoxy privoxy-tor.conf
$ sudo herd set-http-proxy guix-daemon http://localhost:8118
changing HTTP/HTTPS proxy of 'guix-daemon' to "http://localhost:8118"...
Service guix-daemon has been stopped.
Service guix-daemon has been started.
$ LANGUAGE=C guix build audacity
substitute: mise à jour des substituts depuis « https://ci.guix.gnu.org 
»... 100.0 %
The following derivation will be built:
    /gnu/store/lz209608z1lw3zbw33hyp3rsx1az2khi-audacity-2.3.3.drv
38,1 MB will be downloaded:
    /gnu/store/ssc6x6dsxz3f5b26p84d02z42lcj8p3h-lv2-1.18.0
    /gnu/store/przpq26zaj858zmyayns6i4y13hr3d32-suil-0.10.6
    /gnu/store/y74d9xvxl33vra8aq9p3ywsvc8yaz04w-portmidi-217
    /gnu/store/2xmhv8ra20bhj73d3qirqbskdpq3lsim-vamp-2.6
    /gnu/store/1j3nhsacnqilyr4gqccfh9bzb33xvqak-audacity-2.3.3.tar.xz
    /gnu/store/bpp52ds6g1709s2h1ln1i81hz4v7gw6h-serd-0.30.4
    /gnu/store/vwx0zf02r9vxja8rmy6vs8w81907w3bz-sord-0.16.4
    /gnu/store/0ci33f2s2bm9rwply6b47sj6vn10ybaw-sratom-0.6.4
    /gnu/store/b5liczxlxxdhf9p8s61mx21v9x7rbsbi-lilv-0.24.6
substituting 
/gnu/store/1j3nhsacnqilyr4gqccfh9bzb33xvqak-audacity-2.3.3.tar.xz...
downloading from 
https://ci.guix.gnu.org/nar/1j3nhsacnqilyr4gqccfh9bzb33xvqak-audacity-2.3.3.tar.xz 
...
  audacity-2.3.3.tar.xz  35.7MiB                                          
             548KiB/s 00:02 [                  ]   3.1
--8<---------------cut here---------------end--------------->8---

If during the download of the substitutes the tor service is stopped 
with
“sudo herd stop tor” guix will stop too and complains about a network
error, as expected.  The above setup can be tweaked to proxy trough SSH
instead by doing port forwarding trough SOCKS “ssh -D 8008 my-host” 
(don't
forget to adjust the privoxy config for the port you are forwarding).

PS: Do not try to modify the shepherd guix-daemon service to use 
torsocks
or you'll wont be able to reconfigure, switch-generation or rollback: 
“guix
system: error: while setting up the build environment: cannot open IP
socket: Operation not permitted”.

PPS: The substitutes server are available trough tor
“--substitute-urls=http://bp7o7ckwlewr4slm.onion”.

[0]: http://logs.guix.gnu.org/guix/2020-05-12.log#093952
[1]: 
https://guix.gnu.org/manual/devel/en/html_node/Proxy-Settings.html#Proxy-Settings

- Brice


^ permalink raw reply	[flat|nested] 12+ messages in thread

end of thread, other threads:[~2020-07-03 20:31 UTC | newest]

Thread overview: 12+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-05-12 17:22 Routing Guix services traffic trough Tor Brice Waegeneire
2020-05-17 22:33 ` Ludovic Courtès
2020-05-18 20:32   ` Brice Waegeneire
2020-05-24 21:04     ` Ludovic Courtès
2020-06-03 19:12   ` [PATCH] doc: cookbook: Add entry about getting substitutes through Tor Brice Waegeneire
2020-06-04 12:29     ` [bug#41694] " Ludovic Courtès
2020-06-04 12:54       ` Brice Waegeneire
2020-06-17  2:19         ` André Batista
2020-06-17  8:37           ` Brice Waegeneire
2020-06-18 14:06             ` [PATCH] doc: cookbook: Update " André Batista
2020-06-28 11:37               ` Brice Waegeneire
2020-07-03 20:30                 ` André Batista

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.