update documentation and config for external tor w/ pow defense

Co-authored-by: shortwavesurfer2009 <116814522+shortwavesurfer2009@users.noreply.github.com>
Co-authored-by: fa2a5qj3 <174058787+fa2a5qj3@users.noreply.github.com>
Co-authored-by: preland <prelandofficialmusic@gmail.com>

docs/deployment-guide.md

@@ -79,6 +79,11 @@ Customize and deploy haveno-pricenode.env and haveno-pricenode.service to run as
 
 ## Add seed nodes
 
+### Seed nodes without Proof of Work (PoW)
+
+> [!note]
+> Using PoW is suggested. See next section for PoW setup.
+
 For each seed node:
 
 1. [Build the Haveno repository](#fork-and-build-haveno).
@@ -90,6 +95,44 @@ For each seed node:
 7. Add the `.onion` address to `core/src/main/resources/xmr_<network>.seednodes` along with the port specified in the haveno-seednode.service file(s) `(ex: example.onion:1002)`. Be careful to record full addresses correctly.
 8. Update all seed nodes, arbitrators, and user applications for the change to take effect.
 
+### Seed nodes with Proof of Work (PoW)
+
+> [!note]
+> These instructions were written for Ubuntu with an Intel/AMD 64-bit CPU so changes may be needed for your distribution.
+
+### Install Tor
+
+Source: [Tor Project Support](https://support.torproject.org/apt/)
+
+1. Verify architecture `sudo dpkg --print-architecture`.
+2. Create sources.list file `sudo nano /etc/apt/sources.list.d/tor.list`.
+3. Paste `deb [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main`.
+4. Paste `deb-src [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org <DISTRIBUTION> main`.
+> [!note]
+> Replace `<DISTRIBUTION>` with your system codename such as "jammy" for Ubuntu 22.04.
+5. Press Ctrl+X, then "y", then the enter key.
+6. Add the gpg key used to sign the packages `sudo wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/deb.torproject.org-keyring.gpg >/dev/null`.
+7. Update repositories `sudo apt update`.
+8. Install tor and tor debian keyring `sudo apt install tor deb.torproject.org-keyring`.
+9. Replace torrc `sudo mv /etc/tor/torrc /etc/tor/torrc.default` then `sudo cp seednode/torrc /etc/tor/torrc`.
+10. stop tor `sudo systemctl stop tor`.
+
+For each seed node:
+
+1. [Build the Haveno repository](#fork-and-build-haveno).
+2. [Start a local Monero node](#start-a-local-monero-node).
+3. Run `sudo cat /var/lib/tor/haveno_seednode/hostname` and note down the .onion for the next step & step 10.
+4. Modify `./scripts/deployment/haveno-seednode.service` and `./scripts/deployment/haveno-seednode2.service` as needed.
+5. Copy `./scripts/deployment/haveno-seednode.service` to `/etc/systemd/system` (if you are the very first seed in a new network also copy `./scripts/deployment/haveno-seednode2.service` to `/etc/systemd/system`).
+6. Add user to tor group `sudo usermod -aG debian-tor <user>`.
+> [!note]
+> Replace `<user>` above with the user that will be running the seed node (step 6 above & step 4)
+7. Disconnect and reconnect SSH session or logout and back in.
+8. Run `sudo systemctl start tor`.
+9. Run `sudo systemctl start haveno-seednode` to start the seednode and also run `sudo systemctl start haveno-seednode2` if you are the very first seed in a new network and coppied haveno-seednode2.service to your systemd folder.
+10. Add the `.onion` address from step 3 to `core/src/main/resources/xmr_<network>.seednodes` along with the port specified in the haveno-seednode.service file(s) `(ex: example.onion:2002)`. Be careful to record full addresses correctly.
+11. Update all seed nodes, arbitrators, and user applications for the change to take effect.
+
 Customize and deploy haveno-seednode.service to run a seed node as a system service.
 
 Each seed node requires a locally running Monero node. You can use the default port or configure it manually with `--xmrNode`, `--xmrNodeUsername`, and `--xmrNodePassword`.

scripts/deployment/haveno-seednode.service

@@ -10,6 +10,8 @@ SyslogIdentifier=Haveno-Seednode
 ExecStart=/bin/sh /home/haveno/haveno/haveno-seednode --baseCurrencyNetwork=XMR_STAGENET\
   --useLocalhostForP2P=false\
   --useDevPrivilegeKeys=false\
+# Uncomment the following line to use external tor
+#  --hiddenServiceAddress=example.onion\
   --nodePort=2002\
   --appName=haveno-XMR_STAGENET_Seed_2002\
 #  --logLevel=trace\

scripts/deployment/haveno-seednode2.service

@@ -10,8 +10,10 @@ SyslogIdentifier=Haveno-Seednode2
 ExecStart=/bin/sh /home/haveno/haveno/haveno-seednode --baseCurrencyNetwork=XMR_STAGENET\
   --useLocalhostForP2P=false\
   --useDevPrivilegeKeys=false\
-  --nodePort=3003\
-  --appName=haveno-XMR_STAGENET_Seed_3003\
+# Uncomment the following line to use external tor
+#  --hiddenServiceAddress=example.onion\
+  --nodePort=2003\
+  --appName=haveno-XMR_STAGENET_Seed_2003\
 #  --logLevel=trace\
   --xmrNode=http://[::1]:38088\
   --xmrNodeUsername=admin\

seednode/haveno-seednode.service

@@ -11,8 +11,10 @@ SyslogIdentifier=Haveno-Seednode
 ExecStart=/bin/sh $PATH/haveno-seednode --baseCurrencyNetwork=XMR_STAGENET\
   --useLocalhostForP2P=false\
   --useDevPrivilegeKeys=false\
+# Uncomment the following line to use external tor
+#  --hiddenServiceAddress=example.onion\
   --nodePort=2002\
-  --appName=haveno-XMR_STAGENET_Seed_2002
+  --appName=haveno-XMR_STAGENET_Seed_2002\
   --xmrNode=http://[::1]:38088
 
 ExecStop=/bin/kill ${MAINPID} ; sleep 5

seednode/torrc

@@ -1,18 +1,155 @@
-RunAsDaemon 1
-SOCKSPort 9050
-ControlPort 9051
-Log notice syslog
+## Configuration file for Haveno Seednode
+##
+## To start/reload/etc this instance, run "systemctl start tor" (or reload, or..).
+## This instance will run as user debian-tor; its data directory is /var/lib/tor.
+##
+## This file is configured via:
+## /usr/share/tor/tor-service-defaults-torrc
+##
+## See 'man tor', for more options you can use in this file.
 
-CookieAuthentication 0
-CookieAuthFileGroupReadable 1
-DataDirectoryGroupReadable 1
+## Tor opens a socks proxy on port 9050 by default -- even if you don't
+## configure one below. Set "SocksPort 0" if you plan to run Tor only
+## as a relay, and not make any local application connections yourself.
+#SocksPort 9050 # Default: Bind to localhost:9050 for local connections.
+# ### SocksPort flag: OnionTrafficOnly ###
+## Tell the tor client to only connect to .onion addresses in response to SOCKS5 requests on this connection.
+## This is equivalent to NoDNSRequest, NoIPv4Traffic, NoIPv6Traffic.
+# ### SocksPort flag: ExtendedErrors ###
+## Return extended error code in the SOCKS reply. So far, the possible errors are:
+# X'F0' Onion Service Descriptor Can Not be Found
+# X'F1' Onion Service Descriptor Is Invalid
+# X'F2' Onion Service Introduction Failed
+# X'F3' Onion Service Rendezvous Failed
+# X'F4' Onion Service Missing Client Authorization
+# X'F5' Onion Service Wrong Client Authorization
+# X'F6' Onion Service Invalid Address
+# X'F7' Onion Service Introduction Timed Out
+SocksPort 9050 OnionTrafficOnly ExtendedErrors
 
-SafeSocks 0
-HiddenServiceStatistics 0
+## Entry policies to allow/deny SOCKS requests based on IP address.
+## First entry that matches wins. If no SocksPolicy is set, we accept
+## all (and only) requests that reach a SocksPort. Untrusted users who
+## can access your SocksPort may be able to learn about the connections
+## you make.
+SocksPolicy accept 127.0.0.1
+SocksPolicy accept6 [::1]
+SocksPolicy reject *
+
+## Tor will reject application connections that use unsafe variants of the socks protocol
+## — ones that only provide an IP address, meaning the application is doing a DNS resolve first.
+## Specifically, these are socks4 and socks5 when not doing remote DNS. (Default: 0)
+#SafeSocks 1
+
+## Tor will make a notice-level log entry for each connection to the Socks port indicating
+## whether the request used a safe socks protocol or an unsafe one (see above entry on SafeSocks).
+## This helps to determine whether an application using Tor is possibly leaking DNS requests. (Default: 0)
+TestSocks 1
+
+## Logs go to stdout at level "notice" unless redirected by something
+## else, like one of the below lines. You can have as many Log lines as
+## you want.
+##
+## We advise using "notice" in most cases, since anything more verbose
+## may provide sensitive information to an attacker who obtains the logs.
+##
+## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
+#Log notice file /var/log/tor/notices.log
+## Send every possible message to /var/log/tor/debug.log
+#Log debug file /var/log/tor/debug.log
+## Use the system log instead of Tor's logfiles (This is default)
+#Log notice syslog
+## To send all messages to stderr:
+#Log debug stderr
+
+# Try to write to disk less frequently than we would otherwise. This is useful when running on flash memory.
 AvoidDiskWrites 1
 
-#MaxClientCircuitsPending 64
-#KeepalivePeriod 2
-#CircuitBuildTimeout 5
-#NewCircuitPeriod 15
-#NumEntryGuards 8
+## TODO: This option has no effect. Bisq/Haveno is tor client &/or hidden service.  'man torrc':
+## Relays and bridges only. When this option is enabled, a Tor relay writes obfuscated statistics on its
+## role as hidden-service directory, introduction point, or rendezvous point to disk every 24 hours.
+## If ExtraInfoStatistics is enabled, it will be published as part of the extra-info document. (Default: 1)
+HiddenServiceStatistics 0
+
+## NOTE: In order to use the ControlPort, the <user> must belong to the tor group.
+##  sudo usermod -aG debian-tor <user>
+##
+## The port on which Tor will listen for local connections from Tor
+## controller applications, as documented in control-spec.txt.
+#ControlPort 9051
+## If you enable the controlport, be sure to enable one of these
+## authentication methods, to prevent attackers from accessing it.
+##
+## Compute the hash of a password with "tor --hash-password password".
+#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
+CookieAuthentication 0       # (Default: 1)
+
+## MetricsPort provides an interface to the underlying Tor relay metrics.
+## Exposing publicly is dangerous, set a very strict access policy.
+## Retrieve the metrics with:  curl http://127.0.0.1:9035/metrics
+MetricsPort 127.0.0.1:9035
+MetricsPortPolicy accept 127.0.0.1
+MetricsPortPolicy accept [::1]
+
+############### This section is just for location-hidden services ###
+
+## Once you have configured a hidden service, you can look at the
+## contents of the file ".../hidden_service/hostname" for the address
+## to tell people. e.g.: 'sudo cat /var/lib/tor/haveno_seednode/hostname'
+##
+## HiddenServicePort x y:z says to redirect requests on port x to the
+## address y:z.
+##
+## If you plan to keep your service available for a long time, you might want to make a backup copy
+## of the private_key file or complete folder /var/lib/tor/hidden_service somewhere.
+
+#### Haveno seednode incoming anonymity connections ###
+HiddenServiceDir /var/lib/tor/haveno_seednode
+HiddenServicePort 2002 127.0.0.1:2002
+HiddenServicePort 2002 [::1]:2002
+
+## NOTE: HiddenService options are per onion service
+## https://community.torproject.org/onion-services/advanced/dos/
+##
+## Rate limiting at the Introduction Points
+## Intropoint protections prevents onion service DoS from becoming a DoS for the entire machine and its guard.
+HiddenServiceEnableIntroDoSDefense 1
+#HiddenServiceEnableIntroDoSRatePerSec 25       # (Default: 25)
+#HiddenServiceEnableIntroDoSBurstPerSec 200     # (Default: 200)
+
+# Number of introduction points the hidden service will have. You can’t have more than 20.
+#HiddenServiceNumIntroductionPoints 3           # (Default: 3)
+
+## https://tpo.pages.torproject.net/onion-services/ecosystem/technology/pow/#configuring-an-onion-service-with-the-pow-protection
+## Proof of Work (PoW) before establishing Rendezvous Circuits
+## The lower the queue and burst rates, the higher the puzzle effort tends to be for users.
+HiddenServicePoWDefensesEnabled 1
+HiddenServicePoWQueueRate 200          # (Default: 250)
+HiddenServicePoWQueueBurst 1000        # (Default: 2500)
+
+## Stream limits in the established Rendezvous Circuits
+## The maximum number of simultaneous streams (connections) per rendezvous circuit. The max value allowed is 65535. (0 = unlimited)
+HiddenServiceMaxStreams 25
+#HiddenServiceMaxStreamsCloseCircuit 1
+
+#### Haveno seednode2 incoming anonymity connections ###
+HiddenServiceDir /var/lib/tor/haveno_seednode2
+HiddenServicePort 2003 127.0.0.1:2003
+HiddenServicePort 2003 [::1]:2003
+
+HiddenServiceEnableIntroDoSDefense 1
+#HiddenServiceEnableIntroDoSRatePerSec 25       # (Default: 25)
+#HiddenServiceEnableIntroDoSBurstPerSec 200     # (Default: 200)
+#HiddenServiceNumIntroductionPoints 3           # (Default: 3)
+
+HiddenServicePoWDefensesEnabled 1
+HiddenServicePoWQueueRate 200          # (Default: 250)
+HiddenServicePoWQueueBurst 1000        # (Default: 2500)
+
+HiddenServiceMaxStreams 25
+#HiddenServiceMaxStreamsCloseCircuit 1
+
+#####################################################################
+
+LongLivedPorts 2002,2003
+## Default: 21, 22, 706, 1863, 5050, 5190, 5222, 5223, 6523, 6667, 6697, 8300