* call out stdout logging is borked currently
* add metrics port so we can grab prometheus metrics
* set RendPostPeriod as part of "good practice"
* call out SocksPort cannot be anything but 0
* add HiddenServiceExportCircuitID to get circuit ID
* move all pinned versions into centralized environment variables
* genericize/improve the checksum / signing validation
* add an OpenSSL install to allow custom patches to be applied
* add new nginx modules for tls fingerprint, logging, metrics
* add LOG_STDOUT handling to pipe logs to PID 1 for docker
* expose ONION_HEADER_SECRET env var and add header logic
* add json logging
* modernize nginx:
  * gzip
  * ssl/tls hardening
  * drop NEL/reporting api headers
  * add proxy_protocol directive for tor circuit ID
  * fix connection_upgrade bug with Upgrade vs upgrade
  * add observability endpoints (metrics/health)
* bunch of k8s gibberish, check READMEs for overview/instruction
Summary
Massive update based on Reddit's experience with modernizing the Dockerfile and deploying into k8s. Commits are organized by content and have detailed commit messages for content changing.
Details
Beyond simple infrastructure change, there are a few EOTK changes that are worth mentioning:
* ubuntu:jammy's OpenSSL 3
* HiddenServiceExportCircuitID setting in conjunction with nginx's proxy_protocol to provide the circuit ID as another fingerprint (as detailed by Cloudflare) in a header for upstream to consume.
* .envrc for those still wishing to use the local scripts). This makes it much easier to use bots to update those dependencies (an example renovate.json is included here, will need help enabling for the repo if desired).
* Also included update to documentation around HARICA usage and some onion address v3 changes that weren't reflected in the existing docs.
How to test
make docker-build and make docker-run, check stdout (docker logs eotk-container) for your onion service address and browse.
Commit list
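The circuit-ID header described above is only useful to the upstream if the upstream can (a) tell a proxy-set header from one a client sent itself and (b) decode tor's encoding of the ID. The following is an added example of the upstream side, not code from this PR or from EOTK. It assumes the nginx in front of it does `listen ... proxy_protocol;` and sets `proxy_set_header X-Tor-Circuit-ID $proxy_protocol_addr;` plus a shared-secret header (the header names `X-Tor-Circuit-ID` and `X-Onion-Secret` are assumptions for this example; EOTK's real names may differ), and it relies on tor's documented behaviour that HiddenServiceExportCircuitID exports the circuit ID as an IPv6 address in `fc00:dead:beef:4dad::/64` with the 64-bit circuit ID in the low bits.

```python
import hmac
import ipaddress
import time
from collections import defaultdict, deque

# Tor exports the circuit ID as the PROXY-protocol source address inside this
# /64; the circuit's global ID is the low 64 bits of the address.
TOR_CIRCUIT_ID_NET = ipaddress.IPv6Network("fc00:dead:beef:4dad::/64")

# Header names are assumptions for this example, not EOTK's actual names.
CIRCUIT_HEADER = "x-tor-circuit-id"
SECRET_HEADER = "x-onion-secret"


def circuit_id_from_headers(headers: dict, shared_secret: str):
    """Return the 64-bit circuit ID as an int, or None if the request is untrusted.

    Any HTTP client can send an X-Tor-Circuit-ID header of its own, so the
    upstream only honours it when the request also carries the shared secret
    that the onion proxy (nginx) injects. The compare is constant-time.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(SECRET_HEADER, "")
    if not hmac.compare_digest(presented.encode(), shared_secret.encode()):
        return None
    raw = lowered.get(CIRCUIT_HEADER)
    if raw is None:
        return None
    try:
        addr = ipaddress.IPv6Address(raw)
    except ValueError:
        return None
    # Anything outside tor's export range is not a circuit ID (e.g. a direct
    # clearnet hit on the proxy, or a malformed value) and is ignored.
    if addr not in TOR_CIRCUIT_ID_NET:
        return None
    return int(addr) & ((1 << 64) - 1)


class CircuitRateLimiter:
    """Sliding-window request counter keyed by circuit ID.

    Per-circuit limits are the point of exporting the ID: every Tor client
    arrives from the same rendezvous point, so the circuit ID is the only
    per-client handle the upstream gets.
    """

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, circuit_id: int, now: float = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits[circuit_id]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    # Constructed sample headers, as nginx would present them to the upstream.
    sample = {"X-Tor-Circuit-ID": "fc00:dead:beef:4dad::1234",
              "X-Onion-Secret": "example-secret"}
    cid = circuit_id_from_headers(sample, "example-secret")
    print("circuit id:", cid)
    limiter = CircuitRateLimiter(limit=3, window_seconds=10)
    print([limiter.allow(cid, now=t) for t in (0, 1, 2, 3, 11)])
```

The shared secret is what makes the header trustworthy: without it, the circuit ID is just another client-controlled string, and a per-circuit rate limit would be trivially bypassed by sending a fresh ID per request. Keep the secret in the environment (as the PR's ONION_HEADER_SECRET does) rather than in the nginx config that is checked in.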