author | Silvio Rhatto <rhatto@riseup.net> | 2020-01-23 16:33:56 -0300 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2020-01-23 16:33:56 -0300 |
commit | c1eff16d2396bffc184a3a9b313cace731306215 (patch) | |
tree | f37357efa0b329424b6deac08b51c5f845aff008 | |
parent | 480055af9dc335fb1b290b8ffb3a3548f879f3f5 (diff) | |
download | kvmx-c1eff16d2396bffc184a3a9b313cace731306215.tar.gz kvmx-c1eff16d2396bffc184a3a9b313cace731306215.tar.bz2 |
Feat: provision: tor-transproxy: Tor Browser support
-rw-r--r-- | share/provision/files/tor-transproxy/etc/tor/torrc | 4 | ||||
-rw-r--r-- | share/provision/files/tor-transproxy/tbb/user.js | 20 | ||||
-rwxr-xr-x | share/provision/tor-transproxy | 11 |
3 files changed, 35 insertions, 0 deletions
diff --git a/share/provision/files/tor-transproxy/etc/tor/torrc b/share/provision/files/tor-transproxy/etc/tor/torrc
index 9e17ea9..2b7369f 100644
--- a/share/provision/files/tor-transproxy/etc/tor/torrc
+++ b/share/provision/files/tor-transproxy/etc/tor/torrc
@@ -177,3 +177,7 @@ WarnPlaintextPorts 23,109
 ## but we have some code that reads Tor's logs and only supports plaintext
 ## log files at the moment, so let's keep logging to a file.
 Log notice file /var/log/tor/log
+
+# WARNING: Hashed empty password, useful for a box with only a single user running Tor Browser
+# using the system-installed tor daemon and with sane firewall rules set.
+HashedControlPassword 16:756491A440833A1B609F2CCC095BFD2769A1634B4BEC4214BAA9E20629
diff --git a/share/provision/files/tor-transproxy/tbb/user.js b/share/provision/files/tor-transproxy/tbb/user.js
new file mode 100644
index 0000000..f8d9c0d
--- /dev/null
+++ b/share/provision/files/tor-transproxy/tbb/user.js
@@ -0,0 +1,20 @@
+// Preferences for system-installed Tor Browser
+// Needs either
+//
+// * Setting TOR_CONTROL_PASSWORD at ~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/start-tor-browser
+// * Passing TOR_CONTROL_PASSWORD to start-tor-browser via the command line
+//
+// See https://trac.torproject.org/projects/tor/wiki/TorBrowserBundleSAQ
+//
+user_pref("network.security.ports.banned", "9050,9052");
+user_pref("network.proxy.socks", "127.0.0.1");
+user_pref("network.proxy.socks_port", 9050);
+user_pref("extensions.torbutton.inserted_button", true);
+user_pref("extensions.torbutton.launch_warning", false);
+user_pref("extensions.torbutton.loglevel", 2);
+user_pref("extensions.torbutton.logmethod", 0);
+user_pref("extensions.torlauncher.control_port", 9052);
+user_pref("extensions.torlauncher.loglevel", 2);
+user_pref("extensions.torlauncher.logmethod", 0);
+user_pref("extensions.torlauncher.prompt_at_startup",false);
+user_pref("extensions.torlauncher.start_tor", false);
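Review bot: The `HashedControlPassword` line added at the end of torrc is, per its own comment, the hash of an empty password, and it is committed to the repository, so every box provisioned from this file accepts the same known control-port credential. Any process on the box that can reach the control port can then authenticate to the daemon, and the "sane firewall rules" in the comment would not obviously restrict connections that originate locally. Consider `CookieAuthentication 1` with the cookie readable only by the browsing user, or generating a per-box hash with `tor --hash-password` at provision time instead of shipping a fixed one. If the static hash stays, the comment should state the constraint explicitly, e.g. `# ControlPort must listen on 127.0.0.1 only; any local process can authenticate with the empty password.` The ControlPort line is outside this hunk, so its bind address could not be checked here.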
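Review bot: The header comment of the new user.js names the variable `TOR_CONTROL_PASSWORD`, while the provisioning script in this same commit edits `TOR_CONTROL_PASSWD` in start-tor-browser; someone following the comment would presumably set a variable nothing reads and see control-port authentication fail. Both bullet lines should use `TOR_CONTROL_PASSWD`. It would also help to add `// Ports 9050 (SOCKS) and 9052 (control) must match SocksPort/ControlPort in /etc/tor/torrc`, because those torrc lines are not part of this commit's hunks and the coupling is otherwise implicit.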
diff --git a/share/provision/tor-transproxy b/share/provision/tor-transproxy
index e80a382..58b496a 100755
--- a/share/provision/tor-transproxy
+++ b/share/provision/tor-transproxy
@@ -39,3 +39,14 @@ echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf > /dev/null
 # Tor config
 sudo cp $DIRNAME/files/tor-transproxy/etc/tor/torrc /etc/tor/torrc
 sudo service tor restart
+
+# Tor Browser config to use the system-installed tor daemon
+# See https://trac.torproject.org/projects/tor/wiki/TorBrowserBundleSAQ
+if [ -e "$HOME/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser" ]; then
+ # Force about:config preferences
+ sudo cp $DIRNAME/files/tor-transproxy/tbb/user.js $HOME/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/profile.default/user.js
+
+ # Hard code control port password into the start-tor-browser script
+ sed -i -e "s/setControlPortPasswd \${TOR_CONTROL_PASSWD:='\"secret\"'/setControlPortPasswd \${TOR_CONTROL_PASSWD:='\"\"'}/" \
+ $HOME/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/start-tor-browser
+fi |
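Review bot: The `sed` search pattern stops at `'\"secret\"'` without the closing `}`, while the replacement ends in `'\"\"'}`; if the line in start-tor-browser closes the expansion with `}` (that file is not shown here), the result carries a stray second `}` and the default is no longer the empty password the torrc hash expects. Include the brace in the pattern: `s/setControlPortPasswd \${TOR_CONTROL_PASSWD:='\"secret\"'}/setControlPortPasswd \${TOR_CONTROL_PASSWD:='\"\"'}/`. Separately, `sudo cp` into `$HOME/...` leaves a root-owned `user.js` inside the user's browser profile; a plain `cp` with quoted paths (`"$DIRNAME/..."`, `"$HOME/..."`) avoids the needless privilege and word-splitting. Neither command's outcome is checked, and `sed` exits 0 when nothing matches, so a missing `profile.default` directory or a changed upstream line would leave the browser misconfigured without any message.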