> So I'm thinking of putting the tor daemon behind some third-party TCP proxy
> that will protect me from this kind of DDoS attack.
>
> What do you think if I want to implement a feature that forwards all the
> onion service traffic to the TCP proxy before going to the Tor network?
>
> The protocol that I'm thinking of is the TCP Proxy Protocol [1]
>
> [1] https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
>
>
> You could try the existing HTTPSProxy torrc option?
>
> *HTTPSProxy* host[:port]
>
> Tor will make all its OR (SSL) connections through this host:port (or
> host:443 if port is not specified), via HTTP CONNECT rather than connecting
> directly to servers. You may want to set *FascistFirewall* to restrict
> the set of ports you might try to connect to, if your HTTPS proxy only
> allows connecting to certain ports.
>
>
> Tor also allows an intelligent firewall to filter circuits using a field
> in haproxy protocol format, see *HiddenServiceExportCircuitID* for
> details. But you probably won't need this advanced feature.
>
I feel that HTTPSProxy is too expensive. As far as I know, it needs to do (1) a TCP handshake, (2) a TLS handshake, and (3) an HTTP CONNECT. If I can use haproxy, it would be just one TCP handshake. Could I propose another option for haproxy? I can do it myself. You just review and merge :)

Haxxpop
_______________________________________________
tor-dev mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
