[tor-project] Announcing Onionspray 1.6.0 with a SECURITY fix for Onion Services rewriting proxies

rhatto rhatto at torproject.org
Fri Feb 9 14:13:37 UTC 2024


Hello everyone,

I'd like to announce Onionspray, a tool for setting up Onion Services for
existing public websites, working as an HTTPS rewriting proxy:
https://tpo.pages.torproject.net/onion-services/onionspray/

It's a fork of Alec Muffett's EOTK (https://github.com/alecmuffett/eotk), with
many enhancements but retaining compatibility, and relying on C Tor until an
alternative in Arti is available.

The first Onionspray version is 1.6.0, following the pre-existing version
sequence from EOTK.

Security fixes:

* This release fixes a CRITICAL security vulnerability related to
  upstream HTTPS certificate verification, which is detailed at
  https://tpo.pages.torproject.net/onion-services/onionspray/security/advisories/002-proxy_ssl_verify/

  A related fix is also available for EOTK:
  https://github.com/alecmuffett/eotk/pull/116

  We urge Onionspray users that were testing the software while it was in
  its early stages to upgrade ASAP to 1.6.0 and update their configurations, and
  we recommend that EOTK users do the same with the corresponding patch.

  This issue might also affect other similar rewriting proxy setups,
  and we urge operators to review and fix their Onion Service
  configurations.

Main improvements over EOTK:

* MetricsPort support (for gathering metrics data from the tor instances).
* Denial of Service (DoS) protections.
* Circuit ID exporting to NGINX logs and optionally to the upstream
  proxy (through the X-Onion-CircuitID HTTP header).
* Onionbalance v3 support ("softmaps" are working again).
* Revamped documentation.
* Installation procedures added for recent Debian and Ubuntu releases.
* Tor and OpenResty upgraded to the latest versions.
* Option to keep Onionspray running in the foreground (`--no-daemonize`).
* Local healthcheck action (`--health-local`), useful for containerized
  execution.

The full ChangeLog is available at
https://tpo.pages.torproject.net/onion-services/onionspray/changelog/

For those wishing to switch from EOTK to Onionspray, there's a migration guide
at https://tpo.pages.torproject.net/onion-services/onionspray/migrating/

We also welcome people to report issues, send merge requests, etc.:
https://tpo.pages.torproject.net/onion-services/onionspray/contact/

And we have a bunch of issues waiting for contributions:
https://gitlab.torproject.org/tpo/onion-services/onionspray/-/issues

Finally, I'd like to thank Alec Muffett for his important work with EOTK
and for promoting Onion Services all these years :)

Thanks!

-- 
Silvio Rhatto
pronouns he/him
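The security fix announced above concerns upstream HTTPS certificate verification in a rewriting proxy built on OpenResty (nginx). What follows is an added example, not code from Onionspray, EOTK or the linked advisory: it assumes, from the advisory's name rather than its text, that the relevant setting is the nginx `proxy_ssl_verify` directive (which defaults to `off`, so a `proxy_pass https://...` upstream is not verified unless the operator turns it on), and it audits nginx-style configuration text for `https://` upstreams that are proxied without verification. The two configurations, the upstream host and the CA bundle path are constructed for the example.

```python
"""Audit nginx/OpenResty configuration text for HTTPS upstreams that are
proxied without certificate verification.

Added example, not Onionspray's, EOTK's or the advisory's code.  It assumes
the relevant directives are nginx's ``proxy_ssl_verify`` (default off) and
``proxy_ssl_trusted_certificate``; both sample configurations are constructed.
"""


def _tokens(text):
    """Yield config tokens; strips '#' comments and isolates braces/semicolons."""
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        line = line.replace("{", " { ").replace("}", " } ").replace(";", " ; ")
        yield from line.split()


def _effective(stack, name):
    """Innermost value of a directive, honouring nginx's block inheritance."""
    for level in reversed(stack):
        if name in level:
            return level[name]
    return None


def _check(stack, context, upstream):
    """Return (context, upstream, reason) findings for one https upstream."""
    problems = []
    verify = _effective(stack, "proxy_ssl_verify")
    if not verify or verify[0].lower() != "on":
        problems.append((context, upstream,
                         "proxy_ssl_verify is not 'on' (nginx default is off)"))
    if _effective(stack, "proxy_ssl_trusted_certificate") is None:
        problems.append((context, upstream,
                         "proxy_ssl_trusted_certificate not set: no CA bundle to verify against"))
    return problems


def audit(config_text):
    """Parse the config and report every proxy_pass https:// target whose
    effective settings do not verify the upstream certificate."""
    findings = []
    stack = [{}]        # one directive->args dict per nesting level
    names = ["main"]    # human-readable block path for reporting
    args = []
    for tok in _tokens(config_text):
        if tok == "{":
            names.append(" ".join(args) or "block")
            stack.append({})
            args = []
        elif tok == "}":
            # Evaluate at block close so directive order inside a block is irrelevant.
            target = stack[-1].get("proxy_pass")
            if target and target[0].startswith("https://"):
                findings.extend(_check(stack, " > ".join(names), target[0]))
            stack.pop()
            names.pop()
            args = []
        elif tok == ";":
            if args:
                stack[-1][args[0]] = args[1:]
            args = []
        else:
            args.append(tok)
    return findings


# Constructed "before": forwards to an HTTPS upstream but never verifies it.
WEAK_CONFIG = """
http {
    server {
        listen 127.0.0.1:8080;
        location / {
            proxy_pass https://www.example.com;   # constructed upstream
            proxy_ssl_server_name on;
        }
    }
}
"""

# Constructed "after": verification on and pinned to a CA bundle, inherited by
# every location under the server block; plain-HTTP upstreams are not flagged.
HARDENED_CONFIG = """
http {
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    proxy_ssl_verify_depth 3;
    server {
        listen 127.0.0.1:8080;
        proxy_ssl_verify on;
        proxy_ssl_server_name on;
        location / {
            proxy_pass https://www.example.com;
        }
        location /plain/ {
            proxy_pass http://127.0.0.1:9000;   # plain HTTP, nothing to verify
        }
    }
}
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = audit(cfg)
        print(f"{label}: {len(problems)} problem(s)")
        for context, upstream, why in problems:
            print(f"  [{context}] {upstream}: {why}")
```

Run as a script it prints the findings for both configurations. Directives are treated as inherited from enclosing blocks, as nginx does, so a single `proxy_ssl_verify on` in the `server` block covers every `location` beneath it; an explicit `proxy_ssl_verify off` is reported the same as a missing directive.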