Hidden Service Weirdness

2009-07-13 Thread Ringo
Hey Tor,

I've been hard at work on my hidden service LAMP setup guide. I've run
into a snag and I'm not exactly sure what's going on here.

On my setup, I have a guest machine running in Qemu (ubuntu server) with
LAMP. I have set up and installed drupal and wordpress successfully from
 localhost, but when I access wordpress externally something weird happens.

My Torrc tells Tor to forward traffic to localhost:5022. In turn, Qemu
passes port 5022 traffic to the guest OS on port 80. When I visit drupal
on the site through the hidden service URL, everything works as expected
and my browser thinks everything is happening on port 80. When I visit
the wordpress directory, I get a timeout and Firefox tries to go through
port 5022. (Privoxy was unable to socks4a-forward your request
http://.onion:5022/wordpress/  through 127.0.0.1:
SOCKS request rejected or failed.) My guest OS should not know about the
host OS or what port it's forwarding on (in fact I think it sees the
traffic as coming from 10.0.something.something), so I'm baffled as to
what could be occurring. Here's the line I invoke qemu with:

qemu -hda /blah/blah/blah.disk -m 128 -name TorServer --no-acpi --redir tcp:5022::80

I'll be posting the onion URL soon and then people are free to try and
hack the server all they want ; )

Any ideas?

Thanks,
Ringo



Re: problem with connecting to a hidden service

2009-07-13 Thread Sambuddho Chakravarty

Sambuddho Chakravarty wrote:
> Hello Andrew
> Problem still persists...
> -Sambuddho
> Andrew Lewman wrote:
>> On 07/10/2009 09:51 PM, Sambuddho Chakravarty wrote:
>>> Hello All
>>> I have a web server which I run as hidden service.
>>
>> Which version of Tor are both ends running?  Try updating them to
>> 0.2.1.17-rc.

 

Hi All
Is it possibly due to some firewall rules? But I have made sure that
the host that runs the server is not filtering any packets... Still not
sure why I get this. In fact you can try it out yourself

the URI is:
gdfiftvclsmx6wqs.onion

It is a simple webserver hosting some files. You can download the file:
gdfiftvclsmx6wqs.onion/verylargefile.


Thanks
Sambuddho










Re: problem with connecting to a hidden service

2009-07-13 Thread Andrew Lewman
On 07/13/2009 01:24 PM, Sambuddho Chakravarty wrote:
> Is it possibly due to some firewall rules? But I have made sure that the
> host that runs the server is not filtering any packets... Still not sure
> why I get this. In fact you can try it out yourself

So long as your tor client can connect to the tor network, there is no
need to mess with firewalls, ports, or anything.

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://torproject.org/
Blog: https://blog.torproject.org/
Identica/Twitter: torproject


Re: problem with connecting to a hidden service

2009-07-13 Thread Andrew Lewman
On 07/13/2009 01:31 PM, Andrew Lewman wrote:
> On 07/13/2009 01:24 PM, Sambuddho Chakravarty wrote:
>> Is it possibly due to some firewall rules? But I have made sure that the
>> host that runs the server is not filtering any packets... Still not sure
>> why I get this. In fact you can try it out yourself
>
> So long as your tor client can connect to the tor network, there is no
> need to mess with firewalls, ports, or anything.

I should also add that your hidden service lighttpd default page works fine.



Re: problem with connecting to a hidden service

2009-07-13 Thread Sambuddho Chakravarty

Andrew Lewman wrote:
> On 07/13/2009 01:31 PM, Andrew Lewman wrote:
>> On 07/13/2009 01:24 PM, Sambuddho Chakravarty wrote:
>>> Is it possibly due to some firewall rules? But I have made sure that the
>>> host that runs the server is not filtering any packets... Still not sure
>>> why I get this. In fact you can try it out yourself
>>
>> So long as your tor client can connect to the tor network, there is no
>> need to mess with firewalls, ports, or anything.
>
> I should also add that your hidden service lighttpd default page works fine.

Hello Andrew
Thanks a lot. Seems to be working right now for me... but the
behaviour is at times erratic...

-Sambuddho



Re: problem with connecting to a hidden service

2009-07-13 Thread Sambuddho Chakravarty

Sambuddho Chakravarty wrote:

> Hello Andrew
> Thanks a lot. Seems to be working right now for me... but the
> behaviour is at times erratic...
>
> -Sambuddho



Hello Andrew
Now it has suddenly again stopped.

Thanks
Sambuddho


Re: problem with connecting to a hidden service

2009-07-13 Thread Kyle Williams
On Mon, Jul 13, 2009 at 11:59 AM, Sambuddho Chakravarty sc2...@columbia.edu
 wrote:


> Hello Andrew
> Now it has suddenly again stopped.

This is the nature of an oversaturated network.
Hidden services seem spotty to me too, but there's not much I can do about
it except try again and be patient.


Re: problem with connecting to a hidden service

2009-07-13 Thread Scott Bennett
 On Mon, 13 Jul 2009 13:28:02 -0700 Kyle Williams kyle.kwilli...@gmail.com
wrote:

> This is the nature of an oversaturated network.

 This claim keeps appearing on this list, yet I see my node usually
using in the range of 10% - 40% of the limits I set on it to stay within
Comcast's monthly cap.  Back before I ran into Comcast's secret police
division and had to set limits, it spent most of its time in the 35% - 70%
range.

> Hidden services seem spotty to me too, but there's not much I can do about
> it except try again and be patient.


  Scott Bennett, Comm. ASMELG, CFIAG
**
* Internet:   bennett at cs.niu.edu  *
**
* A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army.   *
*-- Gov. John Hancock, New York Journal, 28 January 1790 *
**


Re: problem with connecting to a hidden service

2009-07-13 Thread Sambuddho Chakravarty

Scott Bennett wrote:

 On Mon, 13 Jul 2009 13:28:02 -0700 Kyle Williams kyle.kwilli...@gmail.com
wrote:
  

>> This is the nature of an oversaturated network.
>
> This claim keeps appearing on this list, yet I see my node usually
> using in the range of 10% - 40% of the limits I set on it to stay within
> Comcast's monthly cap.  Back before I ran into Comcast's secret police
> division and had to set limits, it spent most of its time in the 35% - 70%
> range.

Pardon me my lack of knowledge of English language, but do you mean
that 4 out of 10 chances you are able to connect to your hidden service
and earlier you had higher success rate (7 out of 10)?


Thanks
Sambuddho




  




Re: Hidden Service Weirdness

2009-07-13 Thread coderman
On Mon, Jul 13, 2009 at 12:06 AM, Ringo 2600den...@gmail.com wrote:
> ... When I visit
> the wordpress directory, I get a timeout and Firefox tries to go through
> port 5022.

this is wordpress sucking. it tries to be helpful and always
explicitly list non-80 ports in complete URI's.

you can try running on port 80 in the VM (and --redir tcp:80::80),
setup apache mod_rewrite, or get wordpress to quit sucking.
(there might be a more effective method, but i don't like wordpress,
so have no idea what it might be.)

good luck,
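
The symptom coderman describes, as an added example that is not part of the original thread: a hidden service answers only on the virtual port published in torrc (assumed here to be 80, as in Ringo's setup), so an absolute URL carrying the forwarder port 5022 is unreachable through Tor and also discloses a detail of the host setup. This check scans one raw HTTP response for such URLs; the onion hostname, the function names and the sample response are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Absolute http(s) URLs as they appear in headers or markup.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
DEFAULT_PORTS = {"http": 80, "https": 443}
INTERNAL_HOSTS = {"localhost", "127.0.0.1"}


def classify(url, onion_host, virtual_port):
    """Return why a Tor client cannot use this URL, or None if it is fine."""
    try:
        parts = urlsplit(url)
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:  # non-numeric or out-of-range port, bad brackets
        return "malformed URL"
    host = (parts.hostname or "").lower()
    if host in INTERNAL_HOSTS:
        return "internal host name leaked"
    if host == onion_host.lower() and port != virtual_port:
        return f"port {port} is not the published virtual port {virtual_port}"
    return None


def find_port_leaks(raw_response, onion_host, virtual_port=80):
    """Scan headers and body of one raw HTTP response.

    Returns a list of (where, url, reason) tuples, headers first.
    """
    head, _, body = raw_response.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        for url in URL_RE.findall(value):
            reason = classify(url, onion_host, virtual_port)
            if reason:
                findings.append((f"header {name.strip()}", url, reason))
    for url in URL_RE.findall(body):
        reason = classify(url, onion_host, virtual_port)
        if reason:
            findings.append(("body", url, reason))
    return findings


# Constructed sample: a redirect of the kind described in the thread,
# with a placeholder onion name (not a real service).
ONION = "exampleonionaddr.onion"
SAMPLE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    f"Location: http://{ONION}:5022/wordpress/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    f'<a href="http://{ONION}:5022/wordpress/">moved</a> '
    f'<a href="http://{ONION}/drupal/">ok</a>'
)

if __name__ == "__main__":
    for where, url, reason in find_port_leaks(SAMPLE, ONION):
        print(f"{where}: {url} ({reason})")
```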


Re: problem with connecting to a hidden service

2009-07-13 Thread Sambuddho Chakravarty

Sambuddho Chakravarty wrote:

> Pardon me my lack of knowledge of English language, but do you mean
> that 4 out of 10 chances you are able to connect to your hidden
> service and earlier you had higher success rate (7 out of 10)?
>
> Thanks
> Sambuddho

I can send you folks the debug and notice dump files which have recorded
the debug and notice information while a connection attempt failed.
Should I paste them here (they are pretty huge)?


Thanks
Sambuddho





  







Re: problem with connecting to a hidden service

2009-07-13 Thread Scott Bennett
 On Mon, 13 Jul 2009 17:46:33 -0400 Sambuddho Chakravarty
sc2...@columbia.edu wrote:

   
> Pardon me my lack of knowledge of English language, but do you mean
> that 4 out of 10 chances you are able to connect to your hidden service
> and earlier you had higher success rate (7 out of 10)?

 My apologies.  I should have written it more specifically.  The part of
Andrew's claim to which I was referring was the part about the saturated
network.  Given that the average data rates on my node typically run in
the lower half of its capacity to around the middle of its capacity, rather
than near the upper limit, regardless of limits upon its data rate capacity
imposed by either hardware or torrc, I find the saturation claim questionable.
 Sorry about the confusion.




Re: problem with connecting to a hidden service

2009-07-13 Thread Andrew Lewman
On 07/13/2009 10:08 PM, Scott Bennett wrote:

>  My apologies.  I should have written it more specifically.  The part of
> Andrew's claim to which I was referring was the part about the saturated
> network.  Given that the average data rates on my node typically run in
> the lower half of its capacity to around the middle of its capacity, rather
> than near the upper limit, regardless of limits upon its data rate capacity
> imposed by either hardware or torrc, I find the saturation claim questionable.

Actually, this was Kyle's claim.  Given how heavily I rely on my hidden
services for access, rather than trusting hostile networks, I'd love for
them to work flawlessly and fast.



Re: problem with connecting to a hidden service

2009-07-13 Thread Andrew Lewman
On 07/13/2009 08:58 PM, Sambuddho Chakravarty wrote:
> I can send you folks the debug and notice dump files which have recorded
> the debug and notice information while a connection attempt failed.
> Should I paste them here (they are pretty huge).

You should open a bug report, rather than overflow everyone's mailbox on
or-talk.  https://bugs.torproject.org/  Thanks!



Re: List Archives

2009-07-13 Thread Andrew Lewman
On 07/13/2009 01:20 AM, grarpamp wrote:
> Is there a text based version of the list
> archives available? Such as mbox or maildir.
> Majordomo index command returns nothing.

Officially, there is http://archives.seul.org/or/talk/

Unofficially, there is
http://www.mail-archive.com/or-talk@freehaven.net/info.html and
http://dir.gmane.org/gmane.network.tor.user



Re: problem with connecting to a hidden service

2009-07-13 Thread Scott Bennett
 On Mon, 13 Jul 2009 22:28:42 -0400 Andrew Lewman and...@torproject.org
> On 07/13/2009 10:08 PM, Scott Bennett wrote:
>>  My apologies.  I should have written it more specifically.  The part of
>> Andrew's claim to which I was referring was the part about the saturated
>> network.  Given that the average data rates on my node typically run in
>> the lower half of its capacity to around the middle of its capacity, rather
>> than near the upper limit, regardless of limits upon its data rate capacity
>> imposed by either hardware or torrc, I find the saturation claim
>> questionable.
>
> Actually, this was Kyle's claim.  Given how heavily I rely on my hidden

 Oops.  Sorry about that.

> services for access, rather than trusting hostile networks, I'd love for
> them to work flawlessly and fast.

 I rarely use them, but I, too, would like them to work perfectly and
fast for those who need them.  I suspect that circuits with long routes
would generally work much faster over SCTP connections than over TCP
connections, regardless of the reason(s) for the long routes.  That is not
meant to ignore the many ways for things to go wrong in the hidden service
protocols, but rather just to point out one of several reasons for slow
performance of long-route circuits, including hidden service circuits.




Re: problem with connecting to a hidden service

2009-07-13 Thread Roger Dingledine
On Mon, Jul 13, 2009 at 01:28:02PM -0700, Kyle Williams wrote:
> This is the nature of an oversaturated network.

Actually, I don't think the Tor network is as oversaturated as we think.
I think it's just massively unbalanced.

See sections 2 and 4 of
https://blog.torproject.org/blog/why-tor-is-slow

> Hidden services seem spotty to me too, but there's not much I can do about
> it except try again and be patient.

I think there's a real bug here. I've been playing with it on and off. I
think that when Tor has a rendezvous circuit that it thinks it should
like, and suddenly changes its mind, then it discards that circuit and
starts working on a new one (which is good), but at the same time it
closes the socks stream (which is bad).

Fixing that bug, if it turns out to actually be a bug, would mean that
hidden services are dirt slow when making the initial connection (until
we make Tor itself faster at least), but they're not as flaky as they
currently appear.

--Roger



Re: List Archives

2009-07-13 Thread Roger Dingledine
On Mon, Jul 13, 2009 at 01:20:13AM -0400, grarpamp wrote:
> Is there a text based version of the list
> archives available? Such as mbox or maildir.
> Majordomo index command returns nothing.

I've got one. But I don't make it public because it has email addresses,
etc in it.

I'm not sure how to resolve the spammer question, except maybe to assume
that everybody has given up on the problem.

Why do you ask?
--Roger



Re: secret_id_key

2009-07-13 Thread Roger Dingledine
On Wed, Jul 08, 2009 at 12:42:55PM +0200, Olaf Selke wrote:
> about three weeks ago my exit node traffic dropped from about 45 MBit/s
> to 10-20 MBit/s. There's no explanation regarding network connectivity
> or server environment. Within the last three weeks the traffic didn't
> recover to the former value  40 MBit/s until I generated a new
> identity. With a new secret_id_key file the traffic recovered to the old
> value after one day.
>
> Does anyone have an explanation for this?

About three weeks ago we got an influx of new relays, and many of them
were exit relays. In particular, we got enough that Tor Exits were
allowed to be marked Guards again too.

To understand what I just said, see Sec 3.3 of
https://git.torproject.org/checkout/tor/master/doc/spec/dir-spec.txt
  If the total bandwidth of active non-BadExit Exit servers is less
  than one third of the total bandwidth of all active servers, no Exit is
  listed as a Guard.

So before mid June, relays had either Guard flags or Exit flags but
never both.

My guess is that having both of those flags makes clients less willing
to use you as the middle hop, so your traffic drops.

When you threw away your key, you lost your Guard flag, so the middle-hop
traffic returned.

This is a special case of another bug I've been working on:
http://archives.seul.org/or/cvs/Apr-2009/msg00074.html
which is that the longer you've been a guard, the more clients you
attract, and new guards have almost no clients. That's fixed in Tor
0.2.1.14-rc, but we need most people to upgrade before it matters much.

--Roger