Cannot connect to localhost via port 9050 #165

Open
wiligl opened this issue Dec 28, 2024 · 10 comments

@wiligl

wiligl commented Dec 28, 2024

This command:

curl --socks5 localhost:9050 --socks5-hostname localhost:9050 https://check.torproject.org/api/ip

gives this error:
curl: (7) Failed to connect to 192.168.0.24 port 9050 after 0 ms: Couldn't connect to server

The compose.yaml file I used is:


services:
  relay:
    image: leplusorg/tor
    container_name: tor
    restart: always
    ports:
      - "9050:9050"
    expose: 9050
    networks:
      - caddy-net
    environment:
      TOR_NICKNAME: tor4irc
      CONTACT_EMAIL: [email protected]
    volumes:
      - ~/confs/tor_conf/:/etc/tor/torrc.d/

networks:
  caddy-net:
    driver: bridge

How do I fix this?

@thomasleplus
Member

Hi @wiligl,

If you can share your torrc config file(s), that might shed some light. Just make sure that there's nothing sensitive in them.

I typically set SocksPort to 0.0.0.0:9050 and have no issue. But there is a security warning from Tor when doing this (see #139). I believe that it is safe for me to do this because I use the bridge network mode (the default) for my docker container so it is only accessible from my local host anyway. I think that the warning applies only when you run Tor on a bare host but I could be wrong and your mileage may vary depending on the networking mode that you use in your docker network (I can see for example how using 0.0.0.0 in host mode could be risky).

@thomasleplus
Member

thomasleplus commented Dec 29, 2024

Hi @wiligl,

If you can share your torrc config file(s), that might shed some light. Just make sure that there's nothing sensitive in them.

I typically set SocksPort to 0.0.0.0:9050 and have no issue. But there is a security warning from Tor when doing this (see #139). I believe that it is safe for me to do this because I use the bridge network mode (the default) for my docker container and I ensure that it is only accessible from my local host anyway. I think that the warning applies only when you run Tor on a bare host or if you let the docker daemon expose your containers remotely, but I could be wrong and your mileage may vary depending on the networking mode that you use in your docker network (I can see for example how using 0.0.0.0 in host mode could be risky).

Cheers,

Tom

@wiligl
Author

wiligl commented Dec 29, 2024

Hi @thomasleplus,

thanks, the current compose.yaml is (removed "expose" line):

services:
  relay:
    image: leplusorg/tor
    container_name: tor
    restart: always
    ports:
      - "9050:9050"
    networks:
      - caddy-net
    environment:
      TOR_NICKNAME: tor4irc
      CONTACT_EMAIL: [email protected]
    volumes:
      - ~/confs/tor_conf/:/etc/tor/torrc.d/

networks:
  caddy-net:
    driver: bridge

I use the default torrc but I have copied it as torrc.conf into the volume mapped to ./conf.d/ which is read automatically with the following additional lines:

SOCKSPort 9050
SOCKSPort localhost:9050
SOCKSPort 0.0.0.0:9050
SOCKSPort 127.0.0.1:9050

The full torrc.conf is attached (added .txt to be able to upload file to Github).
torrc.conf.txt

The current error (still) is:

curl: (7) Failed to connect to localhost port 9050 after 0 ms: Couldn't connect to server

Thanks for sharing your advice!

Kr, Wilmar

@wiligl
Author

wiligl commented Jan 4, 2025

Dear @thomasleplus, I hope you had a great start into the new year! I just would like to let you know that I have not been able to resolve the above issue. Your advice will be still appreciated. Kr, Wilmar

@thomasleplus
Member

Hi @wiligl,

Sorry I was mostly offline during the holidays but I am back. I will try to reproduce the issue with the torrc file that you provided and keep you posted.

Thank you for your patience,

Tom

@thomasleplus
Member

thomasleplus commented Jan 9, 2025

I apologize for the further delay but I am currently afflicted by docker/for-mac#7520 which prevents me from running docker on my Mac. I need to solve it first before I can look into this issue.

@wiligl
Author

wiligl commented Jan 9, 2025

@thomasleplus Thanks for the update, I understand you have other priorities, looking forward to your help, whenever convenient for you.

@thomasleplus
Member

thomasleplus commented Jan 9, 2025

My docker is fixed. I ran docker compose with the compose file below:

services:
  relay:
    image: leplusorg/tor:main
    container_name: tor
    restart: always
    ports:
      - "9050:9050"
    networks:
      - caddy-net
    environment:
      SKIP_TEMPLATE: 1
      TOR_NICKNAME: tor4irc
      CONTACT_EMAIL: [email protected]
    volumes:
      - /tor_conf/torrc.conf:/etc/tor/torrc

networks:
  caddy-net:
    driver: bridge

The only difference with your compose file is that I wanted to test without the workaround that you found so I set SKIP_TEMPLATE: 1 and I mount the torrc.conf file directly instead of mounting a directory.

But when I run it I get the following error:

tor  | Jan 09 04:55:36.573 [notice] Opening Socks listener on 127.0.0.1:9050
tor  | Jan 09 04:55:36.573 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9050
tor  | Jan 09 04:55:36.573 [notice] Opening Socks listener on 127.0.0.1:9050
tor  | Jan 09 04:55:36.573 [warn] Could not bind to 127.0.0.1:9050: Address in use. Is Tor already running?
tor  | Jan 09 04:55:36.573 [notice] Opening Socks listener on 0.0.0.0:9050
tor  | Jan 09 04:55:36.573 [warn] Could not bind to 0.0.0.0:9050: Address in use. Is Tor already running?
tor  | Jan 09 04:55:36.573 [notice] Opening Socks listener on 127.0.0.1:9050
tor  | Jan 09 04:55:36.573 [warn] Could not bind to 127.0.0.1:9050: Address in use. Is Tor already running?
tor  | Jan 09 04:55:36.573 [notice] Closing partially-constructed Socks listener connection (ready) on 127.0.0.1:9050
tor  | Jan 09 04:55:36.573 [warn] Failed to parse/validate config: Failed to bind one of the listener ports.
tor  | Jan 09 04:55:36.573 [err] Reading config failed--see warnings above.

That makes sense to me because you have 4 SOCKSPort directives which compete for port 9050 on the same container:

SOCKSPort 9050
SOCKSPort localhost:9050
SOCKSPort 0.0.0.0:9050
SOCKSPort 127.0.0.1:9050

When I keep only one (0.0.0.0:9050) then the container starts fine and I can use it on my host with the following test command:

$ curl  -i -s -S -f --socks5 localhost:9050 --socks5-hostname localhost:9050 https://check.torproject.org/api/ip
HTTP/1.1 200 OK
Date: Thu, 09 Jan 2025 09:43:49 GMT
Server: Apache
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-Xss-Protection: 1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15768000; preload
Content-Type: application/json
Content-Length: 36

{"IsTor":true,...

I am not sure how the container is starting for you with the 4 SOCKSPort directives. Do you not get the [err] Reading config failed--see warnings above. message?
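A way to catch the competing listeners described in the comment above before starting the container. This is an added example, not part of the original thread or of the leplusorg/tor project; the function names are hypothetical and it assumes `SocksPort` addresses are IP literals or `localhost`.

```python
import ipaddress

# Constructed sample: the four directives quoted in this thread.
SAMPLE_TORRC = """\
SOCKSPort 9050
SOCKSPort localhost:9050
SOCKSPort 0.0.0.0:9050
SOCKSPort 127.0.0.1:9050
"""

def parse_socks_listeners(torrc_text):
    """Return [(line_no, ip_address, port)] for TCP SocksPort directives."""
    listeners = []
    for line_no, raw in enumerate(torrc_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        # Tor option names are case-insensitive (SOCKSPort == SocksPort).
        if len(parts) < 2 or parts[0].lower() != "socksport":
            continue
        target = parts[1]
        if target in ("0", "auto") or target.startswith("unix:"):
            continue  # disabled, auto-assigned or unix socket: no fixed TCP port
        host, sep, port = target.rpartition(":")
        if not sep or host == "localhost":
            host = "127.0.0.1"  # bare port or localhost: loopback listener
        try:
            addr = ipaddress.ip_address(host.strip("[]"))
            listeners.append((line_no, addr, int(port)))
        except ValueError:
            continue  # other hostnames and non-numeric ports are out of scope
    return listeners

def find_conflicts(listeners):
    """Pairs of line numbers whose listeners cannot both bind."""
    conflicts = []
    for i, (ln_a, a, port_a) in enumerate(listeners):
        for ln_b, b, port_b in listeners[i + 1:]:
            if port_a != port_b or a.version != b.version:
                continue
            # Same address, or a wildcard that already covers the other one.
            if a == b or a.is_unspecified or b.is_unspecified:
                conflicts.append((ln_a, ln_b))
    return conflicts

def non_loopback(listeners):
    """Line numbers of listeners reachable beyond the loopback interface."""
    return [ln for ln, addr, _ in listeners if not addr.is_loopback]

if __name__ == "__main__":
    found = parse_socks_listeners(SAMPLE_TORRC)
    print("conflicts:", find_conflicts(found))
    print("non-loopback:", non_loopback(found))
```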

@wiligl
Author

wiligl commented Jan 9, 2025

Dear @thomasleplus,

thanks a ton! The Tor container runs without errors with your configuration. However, I got this warning:

Jan 09 15:09:03.278 [warn] You specified a public address '0.0.0.0:9050' for SocksPort. Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.

Regarding your question, with my old compose.yaml and the torrc.conf with multiple SOCKSPort entries, I did not get any errors: see docker log at https://pastebin.mozilla.org/6baCNE04

Therefore, the error in the torrc.conf was not obvious to me.

Please let me know if I can sometime return the favour, e.g. doing a test run or something.

Kr, Wilmar

@thomasleplus
Member

Hi @wiligl,

I am glad that we could solve your issue. I don't understand what happened before to the error message. I hope that it's not somehow swallowed by the tor-wrapper.sh script. I don't see how that would be the case but I will keep thinking about it in case I can figure it out.

Regarding the warning about using 0.0.0.0, I initially found this solution here but sadly the discussion doesn't explain why using localhost or 127.0.0.1 doesn't work, only 0.0.0.0. Still I believe that the risk of using 0.0.0.0 can be mitigated by using the right docker configuration. My understanding is that the warning is here to let you know that if you bind the tor proxy to 0.0.0.0 then not only you can use the proxy, but also anybody on the same network that can connect to your machine's IP on port 9050. Ignoring for a moment the fact that most modern OSes have a firewall that would block incoming remote connections to port 9050 unless instructed otherwise, you might actually want to share your tor proxy with machines on the local network. Or you might not (for example if you do this on a laptop that you connect to different networks including some public ones). That's why it's a warning and not an error. But I think that if you run tor in a container, and you tell the docker daemon to map port 9050 inside the container to 127.0.0.1:9050 only on the host, then the daemon will make sure that the container is only accessible locally. At least that's my understanding, I hope that I am right.

For your docker compose file, I recommend that you do this explicitly by using the following notation:

ports:
  - "127.0.0.1:9050:9050"

Cheers,

Tom
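The combinations discussed in this thread, classified by who can reach the SOCKS port. This is an added example, not part of the original thread; the function names and result labels are hypothetical. It assumes bridge networking, where Docker forwards a published port to the container's bridge address (so a listener bound to the container's own loopback is never reached), and Docker's default of publishing on all host interfaces when no IP is given.

```python
import ipaddress

def publish_address(port_spec):
    """Host IP on which a Compose short-syntax 'ports' entry is published."""
    spec = port_spec.split("/", 1)[0]            # drop a "/tcp" or "/udp" suffix
    if spec.startswith("["):                     # bracketed IPv6, e.g. [::1]:9050:9050
        return ipaddress.ip_address(spec[1:].partition("]")[0])
    parts = spec.split(":")
    if len(parts) == 3:                          # IP:HOST_PORT:CONTAINER_PORT
        return ipaddress.ip_address(parts[0])
    # "HOST_PORT:CONTAINER_PORT" or "CONTAINER_PORT": all interfaces by default.
    return ipaddress.ip_address("0.0.0.0")

def socks_exposure(tor_bind, port_spec):
    """Classify who can reach Tor's SOCKS port for one bind/publish pair."""
    if ipaddress.ip_address(tor_bind).is_loopback:
        # Forwarded traffic arrives on the container's bridge address,
        # which a listener bound to the container's loopback never sees.
        return "unreachable"
    if publish_address(port_spec).is_loopback:
        return "host-only"   # only processes on the Docker host can connect
    return "network"         # any machine that can reach the host's address

# Constructed cases mirroring the configurations in this thread.
CASES = [
    ("127.0.0.1", "9050:9050"),
    ("0.0.0.0", "9050:9050"),
    ("0.0.0.0", "127.0.0.1:9050:9050"),
]

if __name__ == "__main__":
    for bind, spec in CASES:
        print(f"SocksPort {bind}:9050 + ports {spec!r} -> "
              f"{socks_exposure(bind, spec)}")
```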
