diff --git a/Dockerfile b/Dockerfile
index 9fc639b..de88735 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,14 +1,11 @@
 FROM ubuntu:22.04
 LABEL maintainer="Jake Jarvis " \
- repository="https://github.com/jakejarvis/tor-docker" \
+ repository="https://github.com/jakejarvis/docker-tor" \
 # https://docs.github.com/en/free-pro-team@latest/packages/managing-container-images-with-github-container-registry/connecting-a-repository-to-a-container-image#connecting-a-repository-to-a-container-image-on-the-command-line
- org.opencontainers.image.source="https://github.com/jakejarvis/tor-docker"
+ org.opencontainers.image.source="https://github.com/jakejarvis/docker-tor"
-ARG TARGETPLATFORM
 ARG DEBIAN_FRONTEND=noninteractive
-# https://github.com/krallin/tini/releases
-ARG TINI_VERSION=0.19.0
 # All the things!
 RUN apt-get update && \
@@ -28,19 +25,9 @@ RUN apt-get update && \
 tor \
 tor-geoipdb \
 obfs4proxy \
- iputils-ping && \
- # Install tini: https://github.com/krallin/tini
- if [ "${TARGETPLATFORM}" = "linux/arm64" ]; then \
- curl -s -L https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-arm64 -o /usr/local/bin/tini; \
- else \
- curl -s -L https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini -o /usr/local/bin/tini; \
- fi && \
- chmod +x /usr/local/bin/tini && \
+ iputils-ping \
+ gosu && \
 # Tidy up
- apt-get purge --auto-remove -y \
- apt-transport-https \
- lsb-release \
- gnupg && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/*
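Review bot: The `apt-get purge --auto-remove -y apt-transport-https lsb-release gnupg` step is deleted without a replacement, so if those packages are still installed earlier in this RUN (the start of the instruction is outside the hunk, so I cannot confirm) they now ship in the runtime image instead of being stripped after use. Since tini is no longer downloaded, the only build-time tool the rest of the patch still needs at runtime is curl, for the HEALTHCHECK; the purge line can simply be restored after the `gosu && \` line so the rest of the bootstrap tooling does not widen the image's attack surface. The new `gosu` entry is unpinned like its neighbours; a version pin (`gosu=<version>`) would keep the privilege-drop helper reproducible across rebuilds.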
@@ -48,18 +35,9 @@ RUN apt-get update && \
 COPY torrc.default /etc/tor/torrc
 # Copy entrypoint script & ensure it's executable
-COPY ./entrypoint.sh /usr/local/bin/docker-entrypoint
-RUN chmod ugo+rx /usr/local/bin/docker-entrypoint
+COPY entrypoint.sh /usr/local/bin/docker-entrypoint
-# Tor data should be persisted on the host
-VOLUME /var/lib/tor
+HEALTHCHECK --interval=300s --timeout=10s --start-period=30s \
+ CMD curl -sSx socks5h://127.0.0.1:9050 https://check.torproject.org/api/ip | grep -E '"IsTor"\s*:\s*true'
-# Make sure files are owned by the tor user
-RUN chown -R debian-tor /etc/tor && \
- chown -R debian-tor /var/lib/tor
-
-# Run tor as a non-root user
-USER debian-tor
-
-ENTRYPOINT ["tini", "--", "docker-entrypoint"]
-CMD ["tor", "-f", "/etc/tor/torrc"]
+ENTRYPOINT ["docker-entrypoint"]
diff --git a/entrypoint.sh b/entrypoint.sh
index 5760665..130ccba 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,8 +1,10 @@
 #!/bin/sh
-set -o errexit
+set -e
 # fix permissions
+chown -R debian-tor:debian-tor /var/lib/tor
 find /var/lib/tor -type d -exec chmod 700 {} \;
 find /var/lib/tor -type f -exec chmod 600 {} \;
-exec "$@"
+# step down from root to tor user
+gosu debian-tor tor "$@"
diff --git a/torrc.default b/torrc.default
index 7fa14f1..9caedb6 100644
--- a/torrc.default
+++ b/torrc.default
@@ -1,11 +1,11 @@
-# Exposing a proxy is unnecessary if we're running a hidden service.
-SocksPort 0
-
 # This folder contains the public and private keys of the hidden
 # service, probably provided by the host but can also be generated
 # by Tor if it's missing.
-HiddenServiceDir /var/lib/tor/hidden_service/
+HiddenServiceDir /var/lib/tor/hidden_service
 # Point the hidden service to a web server (in this case, the web
 # server container listening on port 80). See README.
 HiddenServicePort 80 web:80
+
+# SOCKS proxy is only used for the container's internal healthcheck.
+SocksPort 127.0.0.1:9050
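Review bot: Removing `USER debian-tor` with nothing in its place makes root the image's default user, so the privilege drop now exists only inside the entrypoint: `docker exec`, any `--entrypoint` override, and the new `HEALTHCHECK` command itself all run as root. If the entrypoint genuinely needs to start as root for the recursive chown, say so where `USER` used to be, e.g. `# No USER: the entrypoint starts as root to fix /var/lib/tor ownership, then drops to debian-tor via gosu`, and run the probe unprivileged: `CMD gosu debian-tor curl -sSx socks5h://127.0.0.1:9050 https://check.torproject.org/api/ip | grep -qE '"IsTor"\s*:\s*true'`. Note also that this probe builds an exit circuit to a clearnet site every five minutes, traffic a hidden-service-only container did not generate before, and it reports unhealthy whenever exit circuits fail even if the onion service itself is serving fine.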
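Review bot: `gosu debian-tor tor "$@"` is not prefixed with `exec`, so `/bin/sh` stays PID 1 and tor runs as its child; `docker stop` then delivers SIGTERM to the shell, which does not forward it, and with tini gone from the image tor is SIGKILLed after the grace period instead of shutting down cleanly. The line should read `exec gosu debian-tor tor "$@"` so gosu replaces the shell and tor becomes PID 1. The new `chown -R` runs as root on every start over whatever is mounted at /var/lib/tor; that is presumably the reason the container must start as root now, and a one-line comment saying so (`# runs as root: a mounted volume may arrive owned by the host user`) would stop a future reviewer from reinstating `USER` and breaking startup. Nothing passes `-f /etc/tor/torrc` any more, unlike the old CMD, so this relies on tor's packaged default config path matching the COPY destination — worth confirming.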
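Review bot: The new `SocksPort 127.0.0.1:9050` is usable by anything sharing the container's network namespace, not just the healthcheck the comment names — a `docker exec` shell or a sidecar run with a shared network (`network_mode: service:tor` in Compose) can route through this Tor instance, which the deliberate `SocksPort 0` being removed here used to rule out. Binding to loopback is the right call; make the actual scope explicit in the comment, e.g. `# Bound to loopback: only reachable from inside this container's network namespace (docker exec, shared-network sidecars).`. It is also worth noting there that opening the port lets this hidden-service container build exit circuits for the healthcheck's clearnet request, a behaviour the old configuration prevented.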