initial

2025-05-18 13:13:53 +02:00 · 2025-05-18 13:13:53 +02:00 · 03511fcb3f
commit 03511fcb3f
parent 18cc166bb0
7 changed files with 410 additions and 3 deletions
--- a/27
+++ b/27
@ -0,0 +1,27 @@
 FROM debian:bullseye
 RUN apt-get update && apt-get install -y \
    curl \
    gnupg2 \
    apt-transport-https \
    ca-certificates
 RUN curl -fsSL https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc \
    | gpg --dearmor -o /usr/share/keyrings/tor-archive-keyring.gpg
 RUN echo "deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org bullseye main" \
    > /etc/apt/sources.list.d/tor.list
 RUN apt-get update && apt-get install -y \
    tor \
    privoxy \
    nyx \
    deb.torproject.org-keyring && \
    apt-get clean && rm -rf /var/lib/apt/lists/*
 COPY ./bin/start.sh /start.sh
 RUN chmod +x /start.sh
 EXPOSE 9001 9030 8118
 CMD ["/start.sh"]
--- a/README.md
+++ b/README.md
@ -1,8 +1,131 @@
-# template_repository
+# 🧅 Tor Relay mit Privoxy (Docker-basiert)
 Dieses Repository stellt eine vollständige Docker-Umgebung bereit, um ein **Tor Relay** mit optionalem HTTP-Proxy via **Privoxy** zu betreiben.  
 Es handelt sich **nicht um einen Exit Node** – der Traffic verlässt in der aktuellen Konfiguration dein Relay niemals in Richtung Internet.  
 Optional kann Privoxy über das Tor-Netzwerk als lokaler HTTP-Proxy verwendet werden.
 ---
 ## 📦 Aufbau & Features
 - Tor Relay
 - Persistentes `DataDirectory`
 - Privoxy als lokaler Tor-Proxy
 - Nyx zur Überwachung direkt im Container enthalten
 - **Optionales Docker-Image verfügbar** über:  
  `repo.techniverse.net/docker-hosted/tor-docker:latest`
 ---
 ## 🚀 Schnellstart
 ---
 Das Projektverzeichnis sollte wie folgt aufgebaut sein:
 ```
 tor-proxy/
 ├── bin/
 │   └── start.sh
 ├── config/
 │   ├── privoxy.config
 │   └── torrc
 ├── data/
 ├── docker-compose.yaml
 └── Dockerfile
 ```
 ---
 ## ⚙️ Konfiguration
 ### `docker-compose.yaml`:
 ```yaml
 services:
  tor-privoxy:
    image: repo.techniverse.net/docker-hosted/tor-docker:latest
    container_name: tor-project
    hostname: tor-project
    ports:
      - "9001:9001"
      - "9030:9030"
      - "8118:8118"
    volumes:
      - ./data:/var/lib/tor
      - ./config/torrc:/etc/tor/torrc:ro
      - ./config/privoxy.config:/etc/privoxy/config:ro
    restart: always
 ```
 ---
 ### `torrc` (Beispielkonfiguration):
 ```conf
 RunAsDaemon 1
 ORPort 9001
 DirPort 9030
 Nickname DEIN-NICKNAME
 ContactInfo Admin <mail@domain.com>
 ControlPort 9051
 CookieAuthentication 1
 RelayBandwidthRate 11520 KBytes
 RelayBandwidthBurst 19200 KBytes
 ExitPolicy reject *:*
 Log notice file /var/log/tor/notices.log
 Address relay.domain.com
 DataDirectory /var/lib/tor
 ```
 ---
 ### `privoxy.config`:
 ```conf
 listen-address  0.0.0.0:8118
 forward-socks5t /               127.0.0.1:9050 .
 logfile /dev/stdout
 ```
 ---
 ## 🧪 Überwachung mit Nyx
 ```bash
 docker exec -it tor-project nyx
 ```
 > Nyx ist ein terminalbasiertes Tor-Monitoring-Tool für Relay-Status, Traffic und Routing-Daten.
 ---
 ## 🌐 Proxy-Nutzung
 Privoxy kann als Proxy in Apps oder Browsern genutzt werden:
 | Proxy-Typ | Host                         | Port   |
 |-----------|------------------------------|--------|
 | HTTP      | `relay.domain.com`           | `8118` |
 ---
 ## 🔐 Wichtige Hinweise
 - Gib **keine persönlichen Daten** in `ContactInfo` oder öffentlich preis.
 - Öffne **keinen Exit-Port**, wenn du nicht weißt, was du tust.
 - Betreibe Privoxy **nicht ohne Auth oder IP-Restriktion**, wenn öffentlich erreichbar.
 ---
 ## 📚 Quellen & weiterführende Links
 - [Anleitung: Tor-Server in Docker](https://it-service-commander.de/tutorials/docker/tor-server-in-docker-container-auf-dem-vps-installieren/)
 ---
 🛠 Viel Spaß beim Aufbau deines eigenen Tor-Relays!
 Wichtig: Link für Lizenz anpassen.
@ -11,5 +134,5 @@ Wichtig: Link für Lizenz anpassen.
 </p>
 <p align="center">
-<img src="https://assets.techniverse.net/f1/logos/small/license.png" alt="License" width="15" height="15"> <a href="./template_repository/src/branch/main/LICENSE">License</a> | <img src="https://assets.techniverse.net/f1/logos/small/matrix2.svg" alt="Matrix" width="15" height="15"> <a href="https://matrix.to/#/#community:techniverse.net">Matrix</a> | <img src="https://assets.techniverse.net/f1/logos/small/mastodon2.svg" alt="Matrix" width="15" height="15"> <a href="https://social.techniverse.net/@donnerwolke">Mastodon</a>
+<img src="https://assets.techniverse.net/f1/logos/small/license.png" alt="License" width="15" height="15"> <a href="./torproject-docker/src/branch/main/LICENSE">License</a> | <img src="https://assets.techniverse.net/f1/logos/small/matrix2.svg" alt="Matrix" width="15" height="15"> <a href="https://matrix.to/#/#community:techniverse.net">Matrix</a> | <img src="https://assets.techniverse.net/f1/logos/small/mastodon2.svg" alt="Matrix" width="15" height="15"> <a href="https://social.techniverse.net/@donnerwolke">Mastodon</a>
 </p>
--- a/bin/start.sh
+++ b/bin/start.sh
@ -0,0 +1,13 @@
 #!/bin/bash
 set -e
 tor -f /etc/tor/torrc &
 sleep 10
 if [ -t 1 ]; then
  echo "Starte Nyx zur Überwachung von Tor..."
  nyx &
 fi
 exec privoxy --no-daemon /etc/privoxy/config
--- a/config/privoxy.config
+++ b/config/privoxy.config
@ -0,0 +1,3 @@
 listen-address  0.0.0.0:8118
 forward-socks5t /               127.0.0.1:9050 .
 logfile /dev/stdout
--- a/config/torrc
+++ b/config/torrc
@ -0,0 +1,36 @@
 ## Tor Relay Konfiguration – Middle Relay ohne Exit
 ## Erstellt für Patrick / techniverse.net
 RunAsDaemon 1
 ## === ORPort: Annahme eingehender Verbindungen von anderen Relays ===
 ORPort 9001
 ## === Nickname für dein Relay ===
 Nickname DEIN-NICKNAME
 ## === Kontaktinfo für Fehlermeldungen (z. B. Abuse Reports) ===
 ContactInfo Admin <mail@domain.com>
 ## === ControlPort: Schnittstelle für Tools wie Nyx / Steuerung ===
 ControlPort 9051
 CookieAuthentication 1
 ## === Bandbreitenlimitierung ===
 RelayBandwidthRate 11520 KBytes     # 90 Mbit/s dauerhaft
 RelayBandwidthBurst 19200 KBytes    # 150 Mbit/s für kurze Bursts
 ## === ExitPolicy: Kein Exit-Traffic erlauben (Middle-Only Relay!) ===
 ExitPolicy reject *:*
 ## === Directory Mirror: Anderen Relays/Clients Tor-Metadaten bereitstellen ===
 DirPort 9030                      # Erlaubt, dass dein Node Verzeichnisdaten spiegelt
 ## === Logging (optional, empfehlenswert) ===
 Log notice file /var/log/tor/notices.log
 # === (optional) Wenn du einen DNS-Namen für dein Relay hast ===
 Address relay.domain.com
 # === (optional) DataDirectory explizit setzen, sonst Standard (z. B. /var/lib/tor) ===
 DataDirectory /var/lib/tor
--- a/config/torrc.orig
+++ b/config/torrc.orig
@ -0,0 +1,191 @@
 ## Configuration file for a typical Tor user
 ## Last updated 9 October 2013 for Tor 0.2.5.2-alpha.
 ## (may or may not work for much older or much newer versions of Tor.)
 ##
 ## Lines that begin with "## " try to explain what's going on. Lines
 ## that begin with just "#" are disabled commands: you can enable them
 ## by removing the "#" symbol.
 ##
 ## See 'man tor', or https://www.torproject.org/docs/tor-manual.html,
 ## for more options you can use in this file.
 ##
 ## Tor will look for this file in various places based on your platform:
 ## https://www.torproject.org/docs/faq#torrc
 ## Tor opens a socks proxy on port 9050 by default -- even if you don't
 ## configure one below. Set "SocksPort 0" if you plan to run Tor only
 ## as a relay, and not make any local application connections yourself.
 #SocksPort 9050 # Default: Bind to localhost:9050 for local connections.
 #SocksPort 192.168.0.1:9100 # Bind to this address:port too.
 ## Entry policies to allow/deny SOCKS requests based on IP address.
 ## First entry that matches wins. If no SocksPolicy is set, we accept
 ## all (and only) requests that reach a SocksPort. Untrusted users who
 ## can access your SocksPort may be able to learn about the connections
 ## you make.
 #SocksPolicy accept 192.168.0.0/16
 #SocksPolicy reject *
 ## Logs go to stdout at level "notice" unless redirected by something
 ## else, like one of the below lines. You can have as many Log lines as
 ## you want.
 ##
 ## We advise using "notice" in most cases, since anything more verbose
 ## may provide sensitive information to an attacker who obtains the logs.
 ##
 ## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
 #Log notice file /var/log/tor/notices.log
 ## Send every possible message to /var/log/tor/debug.log
 #Log debug file /var/log/tor/debug.log
 ## Use the system log instead of Tor's logfiles
 #Log notice syslog
 ## To send all messages to stderr:
 #Log debug stderr
 ## Uncomment this to start the process in the background... or use
 ## --runasdaemon 1 on the command line. This is ignored on Windows;
 ## see the FAQ entry if you want Tor to run as an NT service.
 #RunAsDaemon 1
 ## The directory for keeping all the keys/etc. By default, we store
 ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
 #DataDirectory /var/lib/tor
 ## The port on which Tor will listen for local connections from Tor
 ## controller applications, as documented in control-spec.txt.
 #ControlPort 9051
 ## If you enable the controlport, be sure to enable one of these
 ## authentication methods, to prevent attackers from accessing it.
 #HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
 #CookieAuthentication 1
 ############### This section is just for location-hidden services ###
 ## Once you have configured a hidden service, you can look at the
 ## contents of the file ".../hidden_service/hostname" for the address
 ## to tell people.
 ##
 ## HiddenServicePort x y:z says to redirect requests on port x to the
 ## address y:z.
 #HiddenServiceDir /var/lib/tor/hidden_service/
 #HiddenServicePort 80 127.0.0.1:80
 #HiddenServiceDir /var/lib/tor/other_hidden_service/
 #HiddenServicePort 80 127.0.0.1:80
 #HiddenServicePort 22 127.0.0.1:22
 ################ This section is just for relays #####################
 #
 ## See https://www.torproject.org/docs/tor-doc-relay for details.
 ## Required: what port to advertise for incoming Tor connections.
 #ORPort 9001
 ## If you want to listen on a port other than the one advertised in
 ## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as
 ## follows.  You'll need to do ipchains or other port forwarding
 ## yourself to make this work.
 #ORPort 443 NoListen
 #ORPort 127.0.0.1:9090 NoAdvertise
 ## The IP address or full DNS name for incoming connections to your
 ## relay. Leave commented out and Tor will guess.
 #Address noname.example.com
 ## If you have multiple network interfaces, you can specify one for
 ## outgoing traffic to use.
 # OutboundBindAddress 10.0.0.5
 ## A handle for your relay, so people don't have to refer to it by key.
 #Nickname ididnteditheconfig
 ## Define these to limit how much relayed traffic you will allow. Your
 ## own traffic is still unthrottled. Note that RelayBandwidthRate must
 ## be at least 20 KB.
 ## Note that units for these config options are bytes per second, not bits
 ## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc.
 #RelayBandwidthRate 100 KB  # Throttle traffic to 100KB/s (800Kbps)
 #RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)
 ## Use these to restrict the maximum traffic per day, week, or month.
 ## Note that this threshold applies separately to sent and received bytes,
 ## not to their sum: setting "4 GB" may allow up to 8 GB total before
 ## hibernating.
 ##
 ## Set a maximum of 4 gigabytes each way per period.
 #AccountingMax 4 GB
 ## Each period starts daily at midnight (AccountingMax is per day)
 #AccountingStart day 00:00
 ## Each period starts on the 3rd of the month at 15:00 (AccountingMax
 ## is per month)
 #AccountingStart month 3 15:00
 ## Administrative contact information for this relay or bridge. This line
 ## can be used to contact you if your relay or bridge is misconfigured or
 ## something else goes wrong. Note that we archive and publish all
 ## descriptors containing these lines and that Google indexes them, so
 ## spammers might also collect them. You may want to obscure the fact that
 ## it's an email address and/or generate a new address for this purpose.
 #ContactInfo Random Person <nobody AT example dot com>
 ## You might also include your PGP or GPG fingerprint if you have one:
 #ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
 ## Uncomment this to mirror directory information for others. Please do
 ## if you have enough bandwidth.
 #DirPort 9030 # what port to advertise for directory connections
 ## If you want to listen on a port other than the one advertised in
 ## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as
 ## follows.  below too. You'll need to do ipchains or other port
 ## forwarding yourself to make this work.
 #DirPort 80 NoListen
 #DirPort 127.0.0.1:9091 NoAdvertise
 ## Uncomment to return an arbitrary blob of html on your DirPort. Now you
 ## can explain what Tor is if anybody wonders why your IP address is
 ## contacting them. See contrib/tor-exit-notice.html in Tor's source
 ## distribution for a sample.
 #DirPortFrontPage /etc/tor/tor-exit-notice.html
 ## Uncomment this if you run more than one Tor relay, and add the identity
 ## key fingerprint of each Tor relay you control, even if they're on
 ## different networks. You declare it here so Tor clients can avoid
 ## using more than one of your relays in a single circuit. See
 ## https://www.torproject.org/docs/faq#MultipleRelays
 ## However, you should never include a bridge's fingerprint here, as it would
 ## break its concealability and potentionally reveal its IP/TCP address.
 #MyFamily $keyid,$keyid,...
 ## A comma-separated list of exit policies. They're considered first
 ## to last, and the first match wins. If you want to _replace_
 ## the default exit policy, end this with either a reject *:* or an
 ## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
 ## default exit policy. Leave commented to just use the default, which is
 ## described in the man page or at
 ## https://www.torproject.org/documentation.html
 ##
 ## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
 ## for issues you might encounter if you use the default exit policy.
 ##
 ## If certain IPs and ports are blocked externally, e.g. by your firewall,
 ## you should update your exit policy to reflect this -- otherwise Tor
 ## users will be told that those destinations are down.
 ##
 ## For security, by default Tor rejects connections to private (local)
 ## networks, including to your public IP address. See the man page entry
 ## for ExitPolicyRejectPrivate if you want to allow "exit enclaving".
 ##
 #ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
 #ExitPolicy accept *:119 # accept nntp as well as default exit policy
 #ExitPolicy reject *:* # no exits allowed
 ## Bridge relays (or "bridges") are Tor relays that aren't listed in the
 ## main directory. Since there is no complete public list of them, even an
 ## ISP that filters connections to all the known Tor relays probably
 ## won't be able to block all the bridges. Also, websites won't treat you
 ## differently because they won't know you're running Tor. If you can
 ## be a real relay, please do; but if not, be a bridge!
 #BridgeRelay 1
 ## By default, Tor will advertise your bridge to users through various
 ## mechanisms like https://bridges.torproject.org/. If you want to run
 ## a private bridge, for example because you'll give out your bridge
 ## address manually to your friends, uncomment this line:
 #PublishServerDescriptor 0
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -0,0 +1,14 @@
 services:
  tor-privoxy:
    image: repo.techniverse.net/docker-hosted/tor-docker:latest
    container_name: tor-project
    hostname: tor-project
    ports:
      - "9001:9001"
      - "9030:9030"
      - "8118:8118"
    volumes:
      - ./data:/var/lib/tor
      - ./config/torrc:/etc/tor/torrc:ro
      - ./config/privoxy.config:/etc/privoxy/config:ro
    restart: always