add tor client auth gen explanation

This commit is contained in:
midas 2025-03-08 12:05:50 +01:00
parent 65a3837ecc
commit abc8ba8820


@ -260,6 +260,22 @@ cat /var/lib/tor/onion/prometheus/hostname
[clientaddr].onion
</code></pre>
What's that tor-client-auth-gen you ask? In order to protect this critical service from attacks that could be done against the grafana servers or from stolen credentials we need more than just security by obscurity
(relying on the attacker not knowing our hidden service address).
<br>
When a client tries to connect to an onion service they request a server descriptor from a tor directory server that gives them a path to a rendez-vous point where they will be able to talk to each other. The keys we just created will be used to encrypt this descriptor. Without the proper private key, even with the onion service address, an attacker won't be able to connect to it because they won't be able to find the rendez-vous point.
<br>
<br>
This is better than basic-auth for the following reasons:
<ul>
<li>More resistant to bruteforce attacks</li>
<li>Also protects against flaws in your application itself</li>
<li>Also protects you from fingerprinting attacks as no trafic can reach you without the required secret key</li>
</ul>
<br>
<br>
<h3>On the central monitoring server</h3>
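Review bot: the second paragraph mixes up what the encrypted descriptor protects: the descriptor a client fetches lists the service's introduction points, while the rendezvous point is picked by the client itself, so the sentence "they won't be able to find the rendez-vous point" should read something like "they won't be able to decrypt the descriptor and reach the service's introduction points". Two smaller fixes in the same hunk: "trafic" should be "traffic" in the last list item, and Tor documentation spells it "rendezvous", not "rendez-vous".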