[tor-dev] The behavior of ClientRejectInternalAddresses

Roger Dingledine arma at mit.edu
Sun Mar 26 23:40:58 UTC 2017


On Sun, Mar 26, 2017 at 03:06:00PM -0400, Jesse V wrote:
> In other words, if I disable this flag and I open 127.0.0.1:8080 in the
> Tor Browser, will the browser or the tor binary attempt to connect to
> the client's 127.0.0.1:8080?

No, Tor Browser will pass the request to Tor, and Tor will try to
connect to that address via Tor to somebody's 127.0.0.1. And since
most relays will have an exit policy that doesn't allow exiting to that
address, there's a good chance there won't be any exits that are up for
such a request.

It definitely should not decide to bypass the proxy, and it also shouldn't
have your Tor client turn into a local mini exit relay for you.

> This is essentially what I'm after, and I
> just want to confirm that ClientRejectInternalAddresses is the best
> approach, or if there is a better setting. Just to clarify, I want to
> connect the client's localhost and not an exit's.

Yeah, we try hard to make that behavior not happen.

In the Tor Browser network settings (Edit -> Preferences -> Advanced ->
Network -> Settings), you'll see the "No Proxy For" box, which in my
normal Firefox has 127.0.0.1 filled in. But Tor Browser makes sure
to keep that box empty, so there's no accidental proxy bypass.

For more info see the "Proxy Obedience" section in the security
requirements:
https://www.torproject.org/projects/torbrowser/design/#security

--Roger
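
Added example (not part of the original message, and not Tor Project code): a small audit of a Firefox-style prefs.js for the "No Proxy For" exceptions described above, which are stored in the network.proxy.no_proxies_on preference. The sample file content is constructed; the network.proxy.type check is an extra assumption about a manual proxy setup, and a preference missing from the file is reported rather than guessed, since the browser's built-in default then applies.

```python
import re

# Constructed sample prefs.js content (not taken from a real profile).
SAMPLE_PREFS = '''\
// Mozilla User Preferences
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9150);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
'''

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {name: value} for user_pref lines, decoding bool/int/string."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and anything that is not a user_pref line
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs

def proxy_bypass_findings(prefs):
    """List settings that let requests leave the browser without the proxy."""
    findings = []
    for key in ("network.proxy.type", "network.proxy.no_proxies_on"):
        if key not in prefs:
            findings.append(f"{key} not set in this file; built-in default applies")
    if prefs.get("network.proxy.type", 1) != 1:
        findings.append("network.proxy.type is not 1 (manual proxy)")
    # Every non-empty entry in the exception list is fetched directly.
    for entry in str(prefs.get("network.proxy.no_proxies_on", "")).split(","):
        if entry.strip():
            findings.append(f"'No Proxy For' entry bypasses the proxy: {entry.strip()}")
    return findings

if __name__ == "__main__":
    for finding in proxy_bypass_findings(parse_prefs(SAMPLE_PREFS)):
        print("FINDING:", finding)
```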


