
tunnel TOR over HTTP (port)


bill

Apr 28, 2008, 11:08:39 AM
Hello,

Can TOR traffic be tunneled over the HTTP? What would be the
consequences of this approach?
(e.g. for the case all firewall-ports - except HTTP - are closed/
blocked)


Thanks a lot in advance for any feedback!

Bill

Stray Cat

Apr 28, 2008, 1:57:54 PM

See the tor FAQ, section 4.15 Firewalled Client.

http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#FirewalledClient

Cyberiade.it Anonymous Remailer

Apr 28, 2008, 3:32:50 PM
bill wrote:

> Hello,
>
> Can TOR traffic be tunneled over the HTTP? What would be the
> consequences of this approach?
> (e.g. for the case all firewall-ports - except HTTP - are closed/
> blocked)

Yes, absolutely. In fact Tor has several settings built right in
just for that purpose. You can either tunnel Tor through another
proxy (for draconian firewalls that block Tor nodes by IP), or you
can configure Tor to connect only to entry nodes that use selected
ports to bypass simple port filters.

From around line 170 of the man page...

HttpsProxy host[:port]
Tor will make all its OR (SSL) connections through this host:port (or
host:443 if port is not specified), via HTTP CONNECT rather than
connecting directly to servers. You may want to set FascistFirewall to
restrict the set of ports you might try to connect to, if your Https
proxy only allows connecting to certain ports.

And here's the blurb on FascistFirewall...

FascistFirewall 0|1
If 1, Tor will only create outgoing connections to ORs running on ports
that your firewall allows (defaults to 80 and 443; see FirewallPorts).
This will allow you to run Tor as a client behind a firewall with
restrictive policies, but will not allow you to run as a server behind
such a firewall. This option is deprecated; use ReachableAddresses
instead.

The "ReachableAddresses" setting allows you to specify a list of
host:port combinations that are allowed by your firewall, much like
the "Accept" setting is used to define Tor exit node policy. For
port-80-only you'd want this...

ReachableAddresses *:80

If you go with the (deprecated) "FascistFirewall", you can
accomplish essentially the same thing using the "FirewallPorts"
setting.

There are also two "sub-settings" of ReachableAddresses, one each for
OR connections and directory server connections. Oddly enough
they're named ReachableDirAddresses and ReachableORAddresses. :)

If all else fails, there's always hand selecting entry nodes with
the "StrictEntryNodes 0|1" and "EntryNodes nickname,nickname,..."
settings used in tandem. You'd have to determine which nodes you
can connect to (which accept OR connections on port 80 in your
scenario), and hard code them in your torrc file. Then keep up with
the list as nodes came and went. That's not as complicated a task as
it sounds on machines with good tool sets like grep/sed/awk, or
something like Perl/Python available, but the
FascistFirewall/ReachableAddresses options are probably a lot more
desirable. ;-)
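
The hand-selection step described in the post above, sketched in Python as an added example (not code from the thread or from the Tor project): it reads relay entries in the "r"/"s" line layout of a full Tor network-status consensus, keeps Guard relays whose ORPort is in the allowed set, and emits the EntryNodes/StrictEntryNodes lines the post names. The relay names, addresses and placeholder identity/digest fields are constructed, and the option names are those of the 2008 man page quoted above.

```python
# Added example: pick entry nodes reachable through a port-filtering firewall.
# SAMPLE is constructed. Assumed line layout (full consensus):
#   r nickname identity digest date time IP ORPort DirPort
#   s flag flag ...
SAMPLE = """\
r relayA IDENTITY_A DIGEST_A 2008-04-28 10:00:00 192.0.2.10 80 0
s Fast Guard Running Stable Valid
r relayB IDENTITY_B DIGEST_B 2008-04-28 10:05:00 192.0.2.11 9001 9030
s Fast Guard Running Stable Valid
r relayC IDENTITY_C DIGEST_C 2008-04-28 10:10:00 192.0.2.12 443 80
s Fast Running Valid
r relayD IDENTITY_D DIGEST_D 2008-04-28 10:15:00 198.51.100.7 443 0
s Fast Guard Running Valid
"""


def reachable_guards(consensus, allowed_ports):
    """Return nicknames of running Guard relays whose ORPort the firewall allows."""
    picked, current = [], None
    for line in consensus.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "r" and len(fields) >= 9:
            current = (fields[1], int(fields[7]))   # (nickname, ORPort)
        elif fields[0] == "s" and current is not None:
            nickname, orport = current
            flags = set(fields[1:])
            if orport in allowed_ports and {"Guard", "Running"} <= flags:
                picked.append(nickname)
            current = None
    return picked


def torrc_lines(nicknames):
    """Render the two torrc settings the post says to use in tandem."""
    if not nicknames:
        return []
    return ["EntryNodes " + ",".join(nicknames), "StrictEntryNodes 1"]


if __name__ == "__main__":
    for line in torrc_lines(reachable_guards(SAMPLE, {80})):
        print(line)
```

Rerunning it against a fresh consensus is the "keep up with the list" part of the post; an empty result means no listed guard is reachable on the allowed ports.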

bill

May 8, 2008, 9:04:02 AM
Thanks a lot to all of you for the help :-) This is my torrc.sample. I
would appreciate it very much if somebody could help me with which
line should be edited in order to tunnel Tor over HTTP.


Thanks a lot in advance!

Bill


## Configuration file for a typical Tor user
## Last updated 9 February 2006 for Tor 0.1.1.13-alpha.
## (May or may not work for older or newer versions of Tor.)
##
## Lines that begin with "## " try to explain what's going on. Lines
## that begin with just "#" are disabled commands: you can enable them
## by removing the "#" symbol.
##
## See the man page, or http://tor.eff.org/tor-manual-cvs.html, for more
## options you can use in this file.
##
## On Unix, Tor will look for this file in someplace like "~/.tor/torrc" or
## "/etc/torrc"
##
## On Windows, Tor will look for the configuration file in someplace like
## "Application Data\tor\torrc" or "Application Data\<username>\tor\torrc"
##
## With the default Mac OS X installer, Tor will look in ~/.tor/torrc or
## /Library/Tor/torrc


## Replace this with "SocksPort 0" if you plan to run Tor only as a
## server, and not make any local application connections yourself.
SocksPort 9050 # what port to open for local application connections
SocksListenAddress 127.0.0.1 # accept connections only from localhost
#SocksListenAddress 192.168.0.1:9100 # listen on a chosen IP/port too

## Entry policies to allow/deny SOCKS requests based on IP address.
## First entry that matches wins. If no SocksPolicy is set, we accept
## all (and only) requests from SocksListenAddress.
#SocksPolicy accept 192.168.0.0/16
#SocksPolicy reject *

## Logs go to stdout at level "notice" unless redirected by something
## else, like one of the below lines. You can have as many Log lines as
## you want.
##
## We advise using "notice" in most cases, since anything more verbose
## may provide sensitive information to an attacker who obtains the logs.
##
## Send all messages of level 'notice' or higher to /usr/local/var/log/tor/notices.log
#Log notice file /usr/local/var/log/tor/notices.log
## Send every possible message to /usr/local/var/log/tor/debug.log
#Log debug file /usr/local/var/log/tor/debug.log
## Use the system log instead of Tor's logfiles
#Log notice syslog
## To send all messages to stderr:
#Log debug stderr

## Uncomment this to start the process in the background... or use
## --runasdaemon 1 on the command line. This is ignored on Windows;
## see the FAQ entry if you want Tor to run as an NT service.
#RunAsDaemon 1

## The directory for keeping all the keys/etc. By default, we store
## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
#DataDirectory /usr/local/var/lib/tor

## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
#ControlPort 9051

############### This section is just for location-hidden services ###

## Look in .../hidden_service/hostname for the address to tell people.
## HiddenServicePort x y:z says to redirect a port x request from the
## client to y:z.

#HiddenServiceDir /usr/local/var/lib/tor/hidden_service/
#HiddenServicePort 80 127.0.0.1:80

#HiddenServiceDir /usr/local/var/lib/tor/other_hidden_service/
#HiddenServicePort 80 127.0.0.1:80
#HiddenServicePort 22 127.0.0.1:22
#HiddenServiceNodes moria1,moria2
#HiddenServiceExcludeNodes bad,otherbad

################ This section is just for servers #####################

## NOTE: If you enable these, you should consider mailing your identity
## key fingerprint to the tor-ops, so we can add you to the list of
## servers that clients will trust. See
## http://tor.eff.org/cvs/tor/doc/tor-doc-server.html for details.

## Required: A unique handle for this server
#Nickname ididnteditheconfig

## The IP or fqdn for this server. Leave commented out and Tor will guess.
#Address noname.example.com

## Contact info that will be published in the directory, so we can
## contact you if you need to upgrade or if something goes wrong.
## This is optional but recommended.
#ContactInfo Random Person <nobody AT example dot com>
## You might also include your PGP or GPG fingerprint if you have one:
#ContactInfo 1234D/FFFFFFFF Random Person <nobody AT example dot com>

## Required: what port to advertise for tor connections
#ORPort 9001
## If you want to listen on a port other than the one advertised
## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment
## the line below. You'll need to do ipchains or other port forwarding
## yourself to make this work.
#ORListenAddress 0.0.0.0:9090

## Uncomment this to mirror the directory for others. Please do
## if you have enough bandwidth: see the bottom of
## http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#LimitBandwidth
#DirPort 9030 # what port to advertise for directory connections
## If you want to listen on a port other than the one advertised
## in DirPort (e.g. to advertise 80 but bind 9091), uncomment the line
## below. You'll need to do ipchains or other port forwarding yourself
## to make this work.
#DirListenAddress 0.0.0.0:9091

## Uncomment this if you run more than one Tor server, and add the
## nickname of each Tor server you control, even if they're on different
## networks. We declare it here so clients can avoid using more than
## one of your servers in a given circuit.
#MyFamily nickname1,nickname2,...

## A comma-separated list of exit policies. They're considered first
## to last, and the first match wins. If you want to _replace_
## the default exit policy, end this with either a reject *:* or an
## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
## default exit policy. Leave commented to just use the default, which is
## available in the man page or at http://tor.eff.org/documentation.html
##
## Look at http://tor.eff.org/faq-abuse.html#TypicalAbuses
## for issues you might encounter if you use the default exit policy.
##
## If certain IPs and ports are blocked externally, e.g. by your firewall,
## you should update your exit policy to reflect this -- otherwise Tor
## users will be told that those destinations are down.
##
#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
#ExitPolicy accept *:119 # accept nntp as well as default exit policy
#ExitPolicy reject *:* # middleman only -- no exits allowed

Thanks a lot in advance!

Bill

yasir.e...@gmail.com

Dec 6, 2012, 6:37:02 AM
you just need to add a line in your torrc, mine looks like
Socks5Proxy localhost:8010
as I use tor through cntlm proxy server at localhost and its port is 8010.
if it's http proxy, then:
HTTPProxy localhost:3128
this is an http proxy for cntlm too.

enjoy tor through proxy
cheers :)

gatomalo

Feb 19, 2013, 5:39:02 PM
Hey guys,

yasir, I have a question: you gave us these settings, can you explain them a bit more? Especially HTTPProxy - I have been at the tor man page all day and this may be an answer for my problem...
Socks5Proxy localhost:8010
HTTPProxy localhost:3128

From my testing with socks5 if you try to look up a .onion domain your DNS - TLD it will fail every time. I am using socks4a since it sends the DNS stuff to the onion OR and of course a .onion is all the OR knows so it works---

curl --socks5 localhost:9050 http://otwxbdvje5ttplpv.onion/
curl: (6) Couldn't resolve host name

curl --socks4a localhost:9050 http://torlinkbgs6aabns.onion
works every time:

Please help me I am writing some stuff and I need to keep any IP leaks to zero---and it seems that with socks5 I would give away my IP and fail in the connection.

Hey guys, this is a great thread - you don't know how much this has confused me and helped me.

later
gato
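
The difference between the two curl runs above comes down to what each SOCKS request carries on the wire; the Python below is an added example (not code from the thread) that builds SOCKS4a and SOCKS5 CONNECT requests and classifies whether the hostname reaches the proxy or was resolved by the client first. curl's `--socks5` resolves the name locally and sends an address, while `--socks4a` and `--socks5-hostname` send the name itself; the host `example.onion` and the address 192.0.2.10 are constructed.

```python
import ipaddress
import struct


def socks4a_connect(host, port):
    # SOCKS4a: the invalid address 0.0.0.1 tells the proxy that the
    # hostname follows the (here empty) NUL-terminated user-id field.
    return (struct.pack(">BBH", 4, 1, port) + bytes([0, 0, 0, 1])
            + b"\x00" + host.encode() + b"\x00")


def socks5_connect(target, port):
    # An IP literal is what a client sends after resolving locally (ATYP 1/4);
    # anything else is sent as a domain name (ATYP 3) for the proxy to resolve.
    try:
        ip = ipaddress.ip_address(target)
        atyp, addr = (1 if ip.version == 4 else 4), ip.packed
    except ValueError:
        name = target.encode()
        atyp, addr = 3, bytes([len(name)]) + name
    return bytes([5, 1, 0, atyp]) + addr + struct.pack(">H", port)


def classify(req):
    """Return (protocol, target, resolver); resolver "client" means the
    name lookup happened outside the proxy before the request was sent."""
    if req[0] == 4:
        (port,) = struct.unpack(">H", req[2:4])
        ip = req[4:8]
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            uid_end = req.index(b"\x00", 8)
            host = req[uid_end + 1:req.index(b"\x00", uid_end + 1)].decode()
            return ("socks4a", f"{host}:{port}", "proxy")
        return ("socks4", f"{ipaddress.ip_address(ip)}:{port}", "client")
    if req[0] == 5:
        atyp = req[3]
        if atyp == 3:
            n = req[4]
            (port,) = struct.unpack(">H", req[5 + n:7 + n])
            return ("socks5", f"{req[5:5 + n].decode()}:{port}", "proxy")
        size = 4 if atyp == 1 else 16
        (port,) = struct.unpack(">H", req[4 + size:6 + size])
        return ("socks5", f"{ipaddress.ip_address(req[4:4 + size])}:{port}", "client")
    raise ValueError("not a SOCKS4/SOCKS5 request")


if __name__ == "__main__":
    print(classify(socks4a_connect("example.onion", 80)))
    print(classify(socks5_connect("example.onion", 80)))
    print(classify(socks5_connect("192.0.2.10", 80)))
```

A request classified as "client" means a DNS query left the machine outside Tor before the connection was made, and for a .onion name there is no address to put in that request at all.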

Anonymous

Feb 19, 2013, 8:22:00 PM

amores....@gmail.com

Feb 21, 2013, 6:34:35 AM
I am running this on a VPS ubuntu server, no GUI - command line only--- is what I am looking for -


Thanks-
gato