DOKK / manpages / debian 12 / onionbalance / onionbalance.1.en
ONIONBALANCE(1) Onionbalance ONIONBALANCE(1)

onionbalance - a Tor onion service load balancer

The onionbalance-config tool is the fastest way to generate the necessary keys and config files to get your onion service up and running.

$ onionbalance-config


When called without any arguments, the config generator will run in an interactive mode and prompt for user input.

The master directory should be stored on the management server while the other instance directories should be transferred to the respective backend servers.

This is the configuration file that is used my the Onionbalance management server.
The private key which will become the public address and identity for your onion service. It is essential that you keep this key secure.
A sample Tor configuration file which can be used with the Tor instance running on the management server (v2-only).
A sample Tor config file which contains the Tor HiddenService* options needed for your backend Tor instance (v2-only).
Directory containing the private key for your backend onion service instance. This key is less critical as it can be rotated if lost or compromised (v2-only).

Full documentation for the Onionbalance software is available at https://onionbalance.readthedocs.org/

You can start the Onionbalance management server once all of your backend onion service instances are running.

You will need to create a configuration file which list the backend onion services and the location of your hidden service keys.

$ onionbalance -c config.yaml


or

$ sudo service onionbalance start


The management server must be left running to publish new descriptors for your onion service: in about 10 minutes you should have a fully functional onionbalance setup.

NOTE:

Multiple Onionbalance management servers can be run simultaneously with the same master private key and configuration file to provide redundancy.


The Onionbalance management server is primarily configured using a YAML configuration file.

# Onion Load Balancer Config File
# ---
# Each hidden service key line should be followed be followed by a list of 0
# or more instances which contain the onion address of the load balancing
# hidden service
REFRESH_INTERVAL: 600 # How often to poll for updated descriptors
services:


    - key: /path/to/private_key # 7s4hxwwifcslrus2.onion


      instances:


        - address: o6ff73vmigi4oxka # web1


        - address: nkz23ai6qesuwqhc # web2


    - key: /path/to/private_key.enc # dpkdeys3apjtqydk.onion


      instances:


        - address: htbzowpp5cn7wj2u # irc1


        - address: huey7aiod8dja8a3 # irc2


The services section of the configuration file contains a list of master onion services that Onionbalance is responsible for.

Each key option specifies the location of the 1024 bit private RSA key for the onion service. This master private key determines the address that users will use to access your onion service. This private key must be kept secure.

The location of the private key is evaluated as an absolute path, or relative to the configuration file location.

You can use existing Tor onion service private key with Onionbalance to keep your onion address.

Each backend Tor onion service instance is listed by its unique onion address in the instances list.

NOTE:

You can replace backend instance keys if they get lost or compromised. Simply start a new backend onion service under a new key and replace the address in the config file.


If you have used the onionbalance-config tool you can simply use the generated config file from master/config.yaml.

NOTE:

By default onionbalance will search for a config.yaml file in the current working directory.


The Onionbalance command line options can also be specified in the Onionbalance configuration file. Options specified on the command line take precedence over the related configuration file options:

The location of the Tor unix domain control socket. Onionbalance will attempt to connect to this control socket first before falling back to using a control port connection. (default: /var/run/tor/control)
The address where the Tor control port is listening. (default: 127.0.0.1)
The Tor control port. (default: 9051)
The password for authenticating to a Tor control port which is using the HashedControlPassword authentication method. This is not needed when the Tor control port is using the more common CookieAuthentication method. (default: None)

Other options:

The path where Onionbalance should write its log file.
Specify the minimum verbosity of log messages to output. All log messages equal or higher the the specified log level are output. The available log levels are the same as the --verbosity command line option.
How often to check for updated backend onion service descriptors. This value can be decreased if your backend instance are under heavy loaded causing them to rotate introduction points quickly. (default: 600 seconds).
How often should to check if new descriptors need to be published for the master onion service (default: 360 seconds).
How long to wait between starting Onionbalance and publishing the master descriptor. If you have more than 20 backend instances you may need to wait longer for all instance descriptors to download before starting (default: 45 seconds).
Distinct descriptors are used if you have more than 10 backend instances. At the cost of scalability, this can be disabled to appear more like a standard onion service. (default: True)
The Onionbalance service creates a Unix domain socket which provides real-time information about the currently loaded service and descriptors. This option can be used to change the location of this domain socket. (default: /var/run/onionbalance/control)

The following options typically do not need to be modified by the end user:

How many set of HSDirs to upload too (default: 2).
How many introduction points to include in a descriptor (default: 10)
How long a onion service descriptor remains valid (default: 86400 seconds)
How long to overlap onion service descriptors when changing descriptor IDs (default: 3600 seconds)
How often to publish a descriptor, even when the introduction points don't change (default: 3600 seconds)

Override the location for the Onionbalance configuration file.

The loaded configuration file takes precedence over environment variables. Configuration file options will override environment variable which have the same name.

See the config file option.
See the config file option
See the config file option
See the config file option

/etc/onionbalance/config.yaml
The configuration file, which contains services entries.
Fallback location for torrc, if /etc/onionbalance/config.yaml is not found.

Full documentation for the Onionbalance software is available at https://onionbalance.readthedocs.org/

George Kadianakis, Donncha O'Cearbhaill <asn@torproject.org>

October 15, 2022 0.2.2