[tor-relays] onion pad Re: (Invitation) Join us! Tor Relay Operator Meetup - October 22, 2022 - 1900 UTC

2022-10-11 Thread Jonas Friedli via tor-relays

Dear relay operators,

The next Tor relay operator meetup will happen on Saturday,
October 22 at 19.00 UTC.

## Where

BigBlueButton: https://tor.meet.coop/gus-og0-x74-dzn


## Agenda (WIP)

* Announcements
   * Tor and Snowflake in Iran
   * EOL rejection
* State of DoS attack
* New network health project
* Q&A
* Next Tor Relay Operator Meetup

Meeting pad: https://pad.riseup.net/p/tor-relay-op-meetup-o22-keep


http://kfahv6wfkbezjyg4r6mlhpmieydbebr5vkok5r34ya464gqz6c44bnyd.onion/p/tor-relay-op-meetup-o22-keep


Everyone is free to bring up additional questions or topics at the
meeting itself.

## Registration

No need for a registration or anything else, just use the room-link
above. We will open the room 10 minutes before so you can test your mic
setup.

Please share with your friends, social media and other mailing lists!

cheers,
Gus


___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays






Re: [tor-relays] knock knock, police is here

2022-09-12 Thread Jonas Friedli via tor-relays

Get a signed proof from torproject that this was a relay at the time of the abuse:

http://hctxrvjzfpvmzh2jllqhgvvkoepxb4kfzdjm6h7egcwlumggtktiftid.onion/exonerator.html?ip=87.118.96.154=2022-09-09

Is this the relay in question?
http://hctxrvjzfpvmzh2jllqhgvvkoepxb4kfzdjm6h7egcwlumggtktiftid.onion/rs.html#details/C9DF64AF926E2E584E345D13BCE4A97C231A36BE

On 10.09.2022 at 14:37, volker.m...@gmx.de wrote:

Hi folks.

On Tuesday morning police knocked on my door, performing a full house
search.
Some Nazis used TOR to send nazi-emails to several schools in Germany.

Unfortunately their mails left one of my Exit Servers from dark- to
clearweb, so an IP address, registered in my name, was the last stamp.
Now I'm accused of Volksverhetzung (German, try to find a good translation).
It means spreading bad nazi bullshit to the internet.

I can take this down by showing them German Telemediengesetz §8, which
protects TOR operators in Germany.
Unfortunately they found some dope (yea, 420guy here) during the house
search, which makes things even more complicated.

Now I am considering shutting down all my exits.
I promise you guys, there is nothing worse than a police house search in
the early morning hours. Even a burglary would be less bad. Burglars
come, steal, go and you never hear from them again.
Police come, search through all your belongings, destroy your privacy,
are allowed to take ALL that they want - and they will send you bad bad
letters afterwards.

What are your thoughts about this?


Best regards,
volker







Re: [tor-relays] [New Initiative] Tor Weather: Improving the Tor Weather

2022-06-08 Thread Jonas Friedli via tor-relays

Hey SG,

that's great news regarding the reduction of nodes running outdated versions.
From time to time torproject needs to remove not only a few
EOL relays, just because they are running a left-alone outdated version.

Merci
Jonfri

Sarthik Gupta:

Hello everyone,

As we all know, nodes are the building blocks of the tor-network. More 
often than not these nodes require some maintenance, which could be in 
the form of software upgrades, troubleshooting issues, rebooting the 
relays in case of failures, etc.


As of today, if any relay disappears from the tor-network, no one will 
know. Tor-Weather aims at solving this by creating a notification 
service which relay operators can subscribe to in order to get various 
types of updates for their relays.


The tor-weather service will offer a plethora of notification options
for the relays. These include the node being down, running on an
EOL/Outdated version, losing a flag, ranking in the top 20/50/100, etc.
These notifications can be subscribed to & customized by the relay
operators to fit their needs using a web-frontend.


Folks interested in the project can refer to this thread in the tor-dev
mailing list for regular updates. Suggestions are always welcome! Please
reach out to us in irc (#tor-dev) for any ideas, questions, or
suggestions you might have.


Thanks,

Sarthik Gupta




Re: [tor-relays] My current node setup

2022-06-07 Thread Jonas Friedli via tor-relays


I was tired of using the debian testing for running my node and decided 
to redo my node with arch because of the fast package updates and 
rolling release model.




If that is related to tor updates, you may like the official tor 
repositories for quicker tor update supply:



https://deb.torproject.org


http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org/dists/




[tor-relays] onion version of pad Re: [Event] Relay Operators Meetup - May 21, 2022 @ 1900 UTC

2022-06-07 Thread Jonas Friedli via tor-relays

find onion version of pad here:

http://kfahv6wfkbezjyg4r6mlhpmieydbebr5vkok5r34ya464gqz6c44bnyd.onion/p/tor-relay-meetup-may-2022-keep

:)





Re: [tor-relays] Does Tor work with Intel QAT acceleration

2022-06-07 Thread Jonas Friedli via tor-relays

Hi,

to saturate most of this bandwidth, you may want to run multiple tor
instances, because mostly single-core tor is the CPU bottleneck.

2x tor per single IPv4 allowed for now.

in current c tor we only got minimal TLS options:

# HardwareAccel HardwareAccel 0|1
# If non-zero, try to use built-in (static) crypto hardware acceleration when
# available. Can not be changed while tor is running. (Default: 0)
HardwareAccel   1
# AccelName AccelName __NAME__
# When using OpenSSL hardware crypto acceleration attempt to load the dynamic
# engine of this name. This must be used for any dynamic hardware engine.
# Names can be verified with the openssl engine command. Can not be changed
# while tor is running.

list em with: openssl engine -vv


# AccelDir AccelDir __DIR__
# Specify this option if using dynamic hardware acceleration and the engine
# implementation library resides somewhere other than the OpenSSL default.
# Can not be changed while tor is running.


Good luck with setting up acceleration if even possible in current versions?


Andreas Bollhalder:

Hi all

I have my first Tor relay up and running. It's currently installed on a
little desktop computer with an Intel i5 9500T CPU. My Internet
connection is 10Gb/s symmetric. From this bandwidth, I would be able to
spend a good part for supporting the Tor network.


With that little machine, it seems that it would max out at somewhere at
~30 MBytes/s. For my definitive Tor relay hardware, I'm currently
researching some options, which would be capable of handling Tor traffic
at the rate of 200 to 300MBytes. Even it would be used nowadays, but who
knows what's coming in the future and I hope this relay would last 5
years or so.


It looks to me, that with a normal CPU, it's impossible to reach my
goal. But then I encountered, that Intel has the Quick Assist Technology
(QAT) integrated in some of their products (ie. Atom C3xx8). This QAT
can be used with OpenSSL as a hardware accelerator for encryption. There
also exist dedicated PCIe cards with QAT (ie. Netgate CPIC-8955).


Searching the Internet, I couldn't find any information if QAT would be
helpful with Tor. But Tor uses the OpenSSL library and this can use the
QAT acceleration. Is there anyone who has tried this and can share his
experience?


Thanks in advance
Andreas



Re: [tor-relays] Does Tor work with Intel QAT acceleration

2022-06-07 Thread Jonas Friedli via tor-relays

On 12.04.2022 at 16:23, Bauruine wrote:

The tor-spec [1] shows that Tor only uses RSA with 1024 Bit Keys and the
ciphersuites only contain AES CBC and no AES GCM ones. I'm not an expert
but it looks like it's not that useful for Tor.


Yes and no? The limitation only applies to the tor protocol crypto itself afaik.

Tor does relay-to-relay in-protocol crypto inside an outer TLS
channel, the latter currently using GCM afaik:


http://eweiibe6tdjsdprb4px6rqrzzcsi22m4koia44kc5pcjr7nec2rlxyad.onion/tpo/core/tor/-/blob/main/src/lib/tls/tortls_openssl.c#L415




[tor-relays] Invalid certificate chain! Re: [warn] Received a bad CERTS cell: Link certificate does not match TLS certificate

2022-06-07 Thread Jonas Friedli via tor-relays

yes, found:

[warn] {PROTOCOL} Received a bad CERTS cell: Link certificate does not match TLS certificate
[warn] {PROTOCOL} Received a bad CERTS cell on OR connection (handshaking (Tor, v3 handshake)) with 77.171.80.188:443 ID=w0FFB+Yb8+RM2KumjnKL4T/hI64CWhRBcVpBQRC0soo RSA_ID=6B9D965C6149D09DF970C1D086AC8F575643F587: Invalid certificate chain!


Felix:

Hi all

I found a message in the logs:
Apr 16 15:07:46.000 [warn] Received a bad CERTS cell: Link certificate does not match TLS certificate




[tor-relays] Onion repository Re: Debian is not allowing tor to update despite it being listed as a trusted respritory

2022-06-07 Thread Jonas Friedli via tor-relays

apt update ; apt install tor apt-transport-tor -y
sed -i 's/https:\/\/deb.debian.org/tor+http:\/\/2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/g' /etc/apt/sources.list
sed -i 's/https:\/\/security.debian.org/tor+http:\/\/5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/g' /etc/apt/sources.list
echo "deb tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org bullseye main" >> /etc/apt/sources.list.d/deb.torproject.org.list
echo "deb-src tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org bullseye main" >> /etc/apt/sources.list.d/deb.torproject.org.list

apt update ; apt install gpg gpg-agent torsocks wget -y
torsocks wget -qO- http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import

gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -




##
# source : http://jvgypgbnfyvfopg5msp6nwr2sl2fd6xmnguq35n7rfkw3yungjn2i4yd.onion


In particular, once you have the apt-transport-tor package installed,
the following entries should work in your sources list for a Debian system:


deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian buster main
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian buster-updates main
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security buster/updates main


#deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian buster-backports main




li...@for-privacy.net:

On Tuesday, May 3, 2022 7:31:46 AM CEST Keifer Bly wrote:


So I am running a tor relay on Debian, but no matter what when updating tor
there is an “updating from such a repository can’t be done securely and is
therefore disabled by default”. Here is the log

  


In addition to the outdated certificates, you get Tor for Ubuntu and not
Debian:

  


Get:1 http://security.debian.org buster/updates InRelease [65.4 kB]

Hit:2 http://deb.debian.org/debian buster InRelease

Get:3 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]

Get:4 http://deb.debian.org/debian buster-backports InRelease [46.7 kB]

Ign:5 http://ftp.de.debian.org/debian stretch InRelease

Hit:6 http://ftpde.debian.org/debian stretch Release

I would delete the outdated Debian stretch archives.


Ign:7 http://deb.torproject.org/torproject.org trusty InRelease

Ign:8 http://deb.torproject.org/torproject.org trusty Release



Trusty? Why are you using Tor for Ubuntu? For Debian Buster you should also
use the buster archive:

deb https://deb.torproject.org/torproject.org buster main




Re: [tor-relays] Will pay but need someone

2022-06-07 Thread Jonas Friedli via tor-relays

Hey Paul,

I searched the relay name on metrics and found it seems to be running 
for almost about 4 years until today.


http://hctxrvjzfpvmzh2jllqhgvvkoepxb4kfzdjm6h7egcwlumggtktiftid.onion/rs.html#details/9C5AFD49AAE4E0272BAD780C6DD71CE1A36012A6

That looks like a useful one since it allows exiting.

I was running previously only Non-Exit and Bridge Relays as hobby admin, 
therefore I would have no experience with exit traffic abuse handling 
until now. But unfortunately did not have enough spare pocket money to 
finance this hobby.


Personally I do prefer debian for servers and I would like to build a debian
tor node.


By the way, the one who will keep administering it should add the Fingerprint to
his/her Nodes' "MyFamily".


Best Regards

Jonfri

p...@coffswifi.net:

Hi all,

I own coffswifi4 in Spain. I don't have the time to maintain or upgrade. 
I'm willing to keep on paying for the hosting but wonder if someone 
wishes to take over the account and build a new server and upgrade.


Paul

Sent from my Huawei phone



Re: [tor-relays] Weird spike in written bytes per second

2022-06-07 Thread Jonas Friedli via tor-relays




Hi,

the graph shows a marked difference between written bytes per second and
read bytes per second on 2022-05-19 and 2022-05-20. In any other day the
bytes are roughly the same. What might my node have "written" on those
two days?


could be directory answers. Or being chosen as hsdir for popular onion 
services.


https://metrics.torproject.org/rs.html#details/A4E74410D83705EEFF24BC265DE2B2FF39BDA56E 



Thanks, Marco




[tor-relays] proof:dns-rsa Re: New OrNetStats Section: Largest Bridge Operators

2022-06-07 Thread Jonas Friedli via tor-relays
the bridge may just should not run on the IP the second level domain A / 
 resolves to.


 li...@for-privacy.net:

On Sunday, May 29, 2022 6:25:02 PM CEST nusenu wrote:


AROI support for bridges

You can also protect your bridge ContactInfo against spoofing now.
The same fields as for relays apply. If you have setup your AROI [1] on your
relays already you can simply copy the ContactInfo to your bridges and
publish the list of hashed bridge fingerprints under this URL:

https://-your-hostname-/.well-known/tor-relay/hashed-bridge-rsa-fingerprint.txt


Oh nice, thanks.
I just saw that nusenu also thought of us 'proof:dns-rsa' users. ;-)

https://nusenu.github.io/ContactInfo-Information-Sharing-Specification/#dns-rsa

For bridges:

hashed-fingerprint.example.com value: “we-run-this-tor-bridge”





[tor-relays] extrepo enable torproject Re: Update on tor issue on my debian

2022-06-07 Thread Jonas Friedli via tor-relays

Keifer Bly:

Hi all,

So upon trying all of the mentioned commands, my tor installation still 
encounters an error when trying to update. Attached is a photo of my 
sources.list.debian.templ and sources.list. When trying to update the 
returned error


N: Ignoring file 'DEADJOE' in directory '/etc/apt/sources.list.d/' as it has no filename extension

N: Ignoring file 'tor.list.save.2' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension

N: Ignoring file 'tor.list.save.1' in directory '/etc/apt/sources.list.d/' as it has an invalid filename extension

E: Conflicting values set for option Signed-By regarding source https://deb.torproject.org/torproject.org/ buster: /usr/share/keyrings/tor-archive-keyring.gpg !=

E: The list of sources could not be read.

I am wondering, is there simply a tool for configuring the sources.list 

Yes, extrepo. It is recommended by your os.

apt install extrepo -y && extrepo enable torproject



and all other Debian os needed files for tor updates? Thank you.

--Keifer
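
A small linter for the two apt diagnostics quoted in the message above, as an added example (not code from the thread or from apt). The file contents in `SAMPLE` are constructed, since the poster's files were only attached as a photo; the function names are hypothetical, and only one-line `deb`/`deb-src` entries are modelled.

```python
import re
from collections import defaultdict

# Extensions apt reads in sources.list.d; other names trigger the
# "Ignoring file ..." notices shown in the thread.
READ_EXTENSIONS = {"list", "sources"}
ENTRY = re.compile(
    r"^(?P<type>deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)")

# Constructed sample: file name -> content (not the poster's real files).
SAMPLE = {
    "DEADJOE": "*** editor crash dump ***\n",
    "tor.list.save.1": "deb https://deb.torproject.org/torproject.org trusty main\n",
    "tor.list": (
        "deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] "
        "https://deb.torproject.org/torproject.org buster main\n"),
    "sources.list": (
        "deb http://deb.debian.org/debian buster main\n"
        "#deb http://deb.debian.org/debian buster-backports main\n"
        "deb https://deb.torproject.org/torproject.org/ buster main\n"),
}


def ignored_reason(filename):
    """Why apt would skip this file, or None if it is read."""
    if "." not in filename:
        return "no filename extension"
    if filename.rsplit(".", 1)[1] not in READ_EXTENSIONS:
        return "invalid filename extension"
    return None


def entries(files):
    """Yield (where, uri, suite, signed_by) for each active one-line entry."""
    for name, text in files.items():
        if ignored_reason(name):
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            m = ENTRY.match(line.strip())
            if not m:
                continue  # comment, blank line, or deb822 stanza (not modelled)
            opts = dict(o.split("=", 1)
                        for o in (m["opts"] or "").split() if "=" in o)
            # A trailing slash does not make it a different repository.
            yield (f"{name}:{lineno}", m["uri"].rstrip("/"), m["suite"],
                   opts.get("signed-by", ""))


def signed_by_conflicts(files):
    """Map (uri, suite) -> {signed_by: [locations]} where the values disagree."""
    seen = defaultdict(lambda: defaultdict(list))
    for where, uri, suite, key in entries(files):
        seen[(uri, suite)][key].append(where)
    return {src: dict(keys) for src, keys in seen.items() if len(keys) > 1}


if __name__ == "__main__":
    for name in SAMPLE:
        if ignored_reason(name):
            print(f"ignored: {name} ({ignored_reason(name)})")
    for (uri, suite), keys in signed_by_conflicts(SAMPLE).items():
        print(f"conflict: {uri} {suite}")
        for key, places in keys.items():
            print(f"  signed-by={key or '<unset>'} at {', '.join(places)}")
```

An empty `signed-by` on one side matches the error text in the message, where nothing follows the `!=`.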




Re: [tor-relays] bridge issue

2022-06-07 Thread Jonas Friedli via tor-relays

if the bridge is a tor instance, it may reside inside:

/var/lib/tor-instances/bridge01/keys/

or similar depending on what you named it :)

 tor-relays:

Hello,
I have a bridge [1] that doesn't have any keys in /var/lib/tor/keys!  
How is that possible and how do I fix the problem?


potlatch

[1] FB45183DD82D572CA2B2641C1AB0EB0D8CE7B858

Sent with Proton Mail  secure email.



[tor-relays] BadMiddle Nodes Loadbalancing Re: How to reduce tor CPU load on a single bridge?

2022-03-28 Thread Jonas Friedli via tor-relays

Hi Gary,

wait, your Relays are BadMiddle Nodes! It breaks at least all onion
features.
Thanks for trying to saturate the connection by balancing the
single-core tor bottleneck.


But think of any client trying to establish RendezvousPoints or
IntroductionPoints or fetch HsDir with one of your tor instances, which
all have the same descriptor and look the same from outside.


It will result in a failed connection!

1.
a_tor_client => HAProxy server tornode41 192.168.0.41:9001 => RendezvousCookie 46B9FA5B
onionservice => HAProxy server tornode51 192.168.0.41:9001 => RendezvousCookie 46B9FA5B


2.
tornode51, which does not know the cookies of tornode41, will:
[WARN] Rejecting RENDEZVOUS1 cell with unrecognized rendezvous cookie 46B9FA5B.

Didn't recognize cell, but circ stops here
circuit_receive_relay_cell (forward) failed


This Loadbalancing setup is only valid and useful for Bridges or
ExitNode relay roles. Not for any that have MiddleProbability
consensus weights.


just FYI
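
The failure described above, modelled as an added example (not part of the original post and not tor, HAProxy or Nginx code): backends that share one identity sit behind a balancer that pins by source IP, so the two halves of a rendezvous usually reach different processes. Class and function names are hypothetical, the hash is a stand-in for the balancers' own, and the IP lists are constructed documentation-range addresses.

```python
import hashlib
from bisect import bisect_right

BACKENDS = ["tornode11", "tornode21", "tornode41", "tornode51"]  # names from the quoted config
# Constructed: relay IPs from which the client-side and the service-side
# circuits reach the load-balanced rendezvous point.
CLIENT_SIDE = [f"198.51.100.{i}" for i in range(1, 201)]
SERVICE_SIDE = [f"203.0.113.{i}" for i in range(1, 201)]


class Backend:
    """One tor process; its rendezvous cookies exist only in its own memory."""

    def __init__(self, name):
        self.name = name
        self.cookies = set()

    def establish_rendezvous(self, cookie):
        self.cookies.add(cookie)

    def rendezvous1(self, cookie):
        """True if the cookie is known here and the circuits can be joined."""
        if cookie in self.cookies:
            self.cookies.remove(cookie)
            return True
        return False  # the "unrecognized rendezvous cookie" case


class SourceHashBalancer:
    """Consistent hashing on source IP, the role 'balance source' with
    'hash-type consistent' plays in the quoted config (hash is a stand-in)."""

    def __init__(self, names, vnodes=64):
        self.backends = {n: Backend(n) for n in names}
        self.ring = sorted((self._h(f"{n}#{i}"), n)
                           for n in names for i in range(vnodes))
        self.points = [p for p, _ in self.ring]

    @staticmethod
    def _h(text):
        return int.from_bytes(hashlib.sha256(text.encode()).digest()[:8], "big")

    def route(self, src_ip):
        idx = bisect_right(self.points, self._h(src_ip)) % len(self.ring)
        return self.backends[self.ring[idx][1]]


def simulate(lb, client_side, service_side):
    """Return (backend_for_client, backend_for_service, joined) per attempt."""
    results = []
    for n, (c_ip, s_ip) in enumerate(zip(client_side, service_side)):
        cookie = f"{n:08X}"
        first = lb.route(c_ip)    # ESTABLISH_RENDEZVOUS lands here
        first.establish_rendezvous(cookie)
        second = lb.route(s_ip)   # RENDEZVOUS1 arrives from a different IP
        results.append((first.name, second.name, second.rendezvous1(cookie)))
    return results


def failure_rate(results):
    return sum(not ok for _, _, ok in results) / len(results)


if __name__ == "__main__":
    farm = simulate(SourceHashBalancer(BACKENDS), CLIENT_SIDE, SERVICE_SIDE)
    solo = simulate(SourceHashBalancer(["tornode11"]), CLIENT_SIDE, SERVICE_SIDE)
    print(f"4 backends: {failure_rate(farm):.0%} of rendezvous attempts rejected")
    print(f"1 backend:  {failure_rate(solo):.0%} rejected")
```

Source-IP pinning keeps one TCP peer on one backend, but it cannot tie together two circuits that arrive from unrelated relays, which is why the model only succeeds when both happen to hash to the same process.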


> David, Roger, et al.,
>
> I just got back from holidays and really enjoyed this thread!
>
> I run my Loadbalanced Tor Relay as a Guard/Middle Relay, very similar
> to David's topology diagram, without the Snowflake-Server proxy. I'm
> using Nginx (which forks a child process per core) instead of HAProxy.
> My Backend Tor Relay Nodes are running on several, different Physical
> Servers; thus, I'm using Private Address Space instead of Loopback
> Address Space.
>
> In this configuration, I discovered that I had to configure
> Nginx/HAProxy to use Transparent Streaming Mode, use Source IP Address
> Sticky Sessions (Pinning), configure the Loadbalancer to send the
> Backend Tor Relay Nodes' traffic back to Nginx/HAProxy (Kernel &
> IPTables), configure all Backend Tor Relay Nodes to use a copy of the
> same .tordb (I wasn't able to get the Backend Tor Relay Nodes working
> with the same .tordb (over NFS) without the DirectoryAuthorities
> complaining), and configure the Backend Tor Relay Nodes to use the same
> DirectoryAuthority (to ensure each Backend Tor Relay Node sends
> Meta-Data to the same DirectoryAuthority). Moreover, I've enabled
> logging to a central Syslog Server for each Backend Tor Relay Node and
> created a number of Shell Scripts to help remotely manage each Backend
> Tor Relay Node.
>
> Here are some sample configurations for reference.
>
> Nginx Config:
>
> upstream orport_tornodes {
> #least_conn;
> hash $remote_addr consistent;
> #server 192.168.0.1:9001 weight=1 max_fails=1 fail_timeout=10s;
> #server 192.168.0.1:9001 down;
> server 192.168.0.11:9001 weight=4 max_fails=0 fail_timeout=0s;
> server 192.168.0.21:9001 weight=4 max_fails=0 fail_timeout=0s;
> #server 192.168.0.31:9001 weight=4 max_fails=3 fail_timeout=300s;
> server 192.168.0.41:9001 weight=4 max_fails=0 fail_timeout=0s;
> server 192.168.0.51:9001 weight=4 max_fails=0 fail_timeout=0s;
> #zone orport_torfarm 64k;
> }
>
>
> HAProxy Config (Alternate):
>
> frontend tornodes
> # Log to global config
> log global
>
> # Bind to port 443 on a specified interface
> bind 0.0.0.0:9001 transparent
>
> # We're proxying TCP here...
> mode tcp
>
> default_backend orport_tornodes
>
> # Simple TCP source consistent over several servers using the specified
> # source 0.0.0.0 usesrc clientip
> backend orport_tornodes
>
> balance source
> hash-type consistent
> #server tornode1 192.168.0.1:9001 check disabled
> #server tornode11 192.168.0.11:9001 source 192.168.0.1
> server tornode11 192.168.0.11:9001 source 0.0.0.0 usesrc clientip check disabled
> server tornode21 192.168.0.21:9001 source 0.0.0.0 usesrc clientip check disabled
> #server tornode31 192.168.0.31:9001 source 0.0.0.0 usesrc clientip check disabled
> server tornode41 192.168.0.41:9001 source 0.0.0.0 usesrc clientip check disabled
> server tornode51 192.168.0.51:9001 source 0.0.0.0 usesrc clientip check disabled
>
>
> Linux Kernel & IPTables Config:
>
> modprobe xt_socket
> modprobe xt_TPROXY
>
> echo 1 > /proc/sys/net/ipv4/ip_forward; cat /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind; cat /proc/sys/net/ipv4/ip_nonlocal_bind
> echo 15000 64000 > /proc/sys/net/ipv4/ip_local_port_range; cat /proc/sys/net/ipv4/ip_local_port_range
>
> ip rule del fwmark 1 lookup 100 2>/dev/null # Ensure Duplicate Rule is not Created
> ip rule add fwmark 1 lookup 100 # ip rule show
> ip route add local 0.0.0.0/0 dev lo table 100 # ip route show table wan0; ip route show table 100
>
> iptables -I INPUT -p tcp --dport 9001 -j ACCEPT
> iptables -t mangle -N TOR
> iptables -t mangle -A PREROUTING -p tcp -m socket -j TOR
> iptables -t mangle -A TOR -j MARK --set-mark 1
> iptables -t mangle -A TOR -j ACCEPT
> #iptables -t mangle -A PREROUTING -p tcp -s 192.168.0.0/24 --sport 9001 -j MARK --set-xmark 0x1/0x
> #iptables -t mangle -A PREROUTING -p tcp --dport 9001 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 9001 --on-ip 127.0.0.1
>
>
> Backend Tor Relay Node Configs:
>
> # cat /tmp/torrc
> Nickname xx