Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
2020-06-13T06:03:15Z

https://gitlab.torproject.org/legacy/trac/-/issues/21436
fteproxy does not work on Debian stretch / document fteproxy usage on Debian stretch
2020-06-13T06:03:15Z
adrelanos

Using fteproxy on Debian stretch isn't straight easy. So far no luck.
From `/lib/systemd/system/tor@default.service`, the AppArmor profile gets in the way.
```
AppArmorProfile=system_tor
```
Also the other systemd hardening results in:
> `Could not launch managed proxy executable at '/usr/bin/fteproxy' ('Permission denied').`
```
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=-/proc
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/log/tor
ReadWriteDirectories=-/var/run
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE
```
Even with all of that disabled, Tor does not successfully bootstrap.
```
Feb 11 06:26:01.000 [notice] Bootstrapped 5%: Connecting to directory server
Feb 11 06:26:01.000 [notice] Bootstrapped 10%: Finishing handshake with directory server
Feb 11 06:26:01.000 [warn] Problem bootstrapping. Stuck at 10%: Finishing handshake with directory server. (DONE; DONE; count 6; recommendation warn; host redacted at IP:PORT)
Feb 11 06:26:01.000 [warn] 6 connections have failed:
```
I guess my torrc config is fine. Copied that part over from TBB to system Tor /etc/tor/torrc.
```
UseBridges 1
ClientTransportPlugin fte exec /usr/bin/fteproxy --managed
Bridge fte IP:PORT redacted
```
Any hints what I am doing wrong? (Not in a censored area. TBB without bridges as well as fteproxy works for me. Debian stretch system Tor with Debian fteproxy packages does not work for me.)
I am asking for Whonix integration purposes.

kpdyer

https://gitlab.torproject.org/legacy/trac/-/issues/12677
fteproxy server's response to malformed messages
2020-06-13T03:21:42Z
kpdyer

Raised here: https://trac.torproject.org/projects/tor/ticket/12673
cypherpunks suggests that fteproxy, when using an HTTP regex, should tolerate a range of HTTP headers. Specifically, an fteproxy server when using HTTP will terminate the connection, if the following is submitted:
```
GET /<encoded_data> HTTP/1.1\r\n
Host: tpo.org\r\n
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0\r\n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
Accept-Language: en-us,en;q=0.5\r\n
Accept-Encoding: gzip, deflate\r\n
Connection: keep-alive\r\n
\r\n
```
It turns out that this is a complex issue to solve in general. As one solution, we could allow custom error handlers in fteproxy that are activated under certain cases.
As a step towards this, we should probably distinguish between the following two cases:
* The server receives a message that is in the language specified by the regex, but is malformed.
* The server receives a message that is NOT in the language specified by the regex, and is, by definition, malformed.
Thoughts?

kpdyer