Docker inside an internal network fails to fetch google.com through TOR proxy

Time:04-14

When I isolate my app from the internet, it fails to fetch google.com through the Tor proxy, but when I add it to the internet network it works, and the request does go through the Tor proxy. I'm really confused by this. What am I doing wrong?

docker-compose.yml

version: "3"

services:
  tor-proxy:
    image: dperson/torproxy
    restart: unless-stopped
    networks:
      - no-internet
      - internet
   
  app:
    depends_on: [tor-proxy]
    build: ./
    restart: unless-stopped
    networks:
      - no-internet
      - internet # if i comment this out, fetch() will result in ETIMEDOUT

networks:
  no-internet:
    driver: bridge
    internal: true

  internet:
    driver: bridge
    internal: false

Dockerfile

FROM node:16

WORKDIR /usr/src/app

COPY . .

CMD ["node", "index.js"]

index.js

import fetch from 'node-fetch';
import { SocksProxyAgent } from 'socks-proxy-agent';

(async () => {
    // "tor-proxy" is the compose service name, resolved by Docker's embedded DNS
    const agent = new SocksProxyAgent('socks5://tor-proxy:9050');

    const res = await fetch('https://google.com', { agent });
    console.log(res.status);
})().catch((err) => {
    // surfaces ETIMEDOUT / ECONNREFUSED instead of an unhandled rejection
    console.error(err.code ?? err.message);
    process.exit(1);
});

CodePudding user response:

I have the same issue in a different situation. I only found partial, shitty answers, so here's another, but this one doesn't require discombobulating your iptables or, in my situation, my team's.

ANSWER: use "driver: ipvlan" on the internal network and the container's name as the hostname when making requests: https://docs.docker.com/network

EXAMPLE: curl -v --socks5-hostname tor-proxy:9050 google.com

EXPLANATION: I don't have one, but be warned that external network access may still be possible by other means. I would also appreciate an explanation, but we probably won't get one.

CodePudding user response:

Sorry for two answers, but I should add: you'll need to bind to all interfaces, e.g. in your torrc file "SocksPort 0.0.0.0:9050". It achieves your goal, but it binds to the host subnet IP externally and to the "internal" network's subnet "container IP" that Docker assigns. You can specify subnet(s) using ipam. If I find a way to bind to one subnet I'll update, but I doubt it.

If you're using this in production (we use it in the build stage) I'd use a .sock file via volumes (Tor has support). If you do, both users need the same UID to access the file after a restart.

@BMitch, responding to your comment since I saw you helped on related posts: this issue stems from two containers trying to interact over an internal: true network while only one has host network, unrelated to Tor or npm. From the docs it seems it should work as intended, but it doesn't. Example: https://devops.stackexchange.com/q/1410
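
The single-subnet binding the answer above leaves open, as an added example that is not from the question or either answer: give the internal network an ipam subnet, pin the Tor container's address on it, and bind SocksPort to that address only, with a SocksPolicy that admits clients from that subnet and nothing else. Tor's torrc supports both a per-address SocksPort and SocksPolicy; the subnet 172.28.0.0/24, the address 172.28.0.10 and the file name ./torrc are arbitrary choices. The example assumes a Tor image that reads a bind-mounted /etc/tor/torrc as-is; whether dperson/torproxy's entrypoint preserves such a file is not established on this page, so the image name is kept only as a placeholder.

```yaml
# Added example (not from the question or answers). Tor is bound to one fixed
# address on the internal network; the app is never attached to "internet".
version: "3"

services:
  tor-proxy:
    image: dperson/torproxy        # placeholder: assumes the image honours a mounted torrc
    restart: unless-stopped
    volumes:
      - ./torrc:/etc/tor/torrc:ro  # see the three torrc lines in the note below
    networks:
      no-internet:
        ipv4_address: 172.28.0.10  # fixed so torrc can name it in SocksPort
      internet: {}                 # egress to the Tor network only

  app:
    depends_on: [tor-proxy]
    build: ./
    restart: unless-stopped
    networks:
      - no-internet                # no direct internet access

networks:
  no-internet:
    driver: bridge
    internal: true
    ipam:
      config:
        - subnet: 172.28.0.0/24    # required for ipv4_address above
  internet:
    driver: bridge
```

The mounted ./torrc carries three lines: "SocksPort 172.28.0.10:9050", "SocksPolicy accept 172.28.0.0/24" and "SocksPolicy reject *". The first replaces the 0.0.0.0 binding so no SocksPort exists on the internet-facing address; the policy lines are the check the answer above asks for, since a SocksPort that is bound on all interfaces without a SocksPolicy accepts any client that can route to the container. Tor must be able to bind the address at start, which the fixed ipv4_address guarantees; run `curl -v --socks5-hostname tor-proxy:9050 google.com` from the app container to confirm the handshake reaches Tor over the internal network.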
