8

I run a small web hotel. I would like to give all my customers a .onion address to access their website - primarily to promote the use of Tor to my customers.

So in my torrc I put:

HiddenServiceDir /var/lib/tor/hidden/example.org
HiddenServicePort 80 example.org:80

for the 2500 websites, and set up Apache to respond for the hostnames generated in /var/lib/tor/hidden/*/hostname

but it seems Tor is unhappy about that. I get 1000s of these:

Jun 25 19:09:21.000 [warn] Error launching circuit to node [scrubbed] for service [scrubbed].

and a few of these:

Jun 25 19:02:18.000 [warn] Your system clock just jumped 148 seconds forward; assuming established circuits no longer work.

It works if I only run a few hidden services.

Should this be done differently?

Ole Tange

1 Answer

6

There are known scaling problems with running more than a few dozen hidden services in a single Tor process.

I think the 100% CPU load comes either from constantly generating and signing new hidden service descriptors (since each hidden service tries to maintain three introduction point circuits, and any time any of them change that means publishing a new descriptor), or from internal inefficiencies like linearly walking a list many times.

So yes, the short answer is "don't do that".

If somebody is looking for a fun development task, set up a private chutney or shadow Tor network, configure a bunch of hidden services on one of the clients, and then try to sort out where the bottlenecks are in practice.

You might also enjoy "How many hidden services can I run on a single Tor instance?" as a related question here.

And lastly, see also https://blog.torproject.org/blog/hidden-services-need-some-love

Roger Dingledine
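
An added example, not part of the question or the answer above: a small audit that counts the hidden services configured in one Tor process's torrc and tallies `[warn]` lines per minute in a log of the format quoted in the question. The threshold `MAX_SERVICES_PER_PROCESS` is an assumed reading of "a few dozen", the function names are hypothetical, and the sample torrc and log are constructed.

```python
import re
from collections import Counter

MAX_SERVICES_PER_PROCESS = 36  # assumed reading of "a few dozen"; not a limit Tor enforces
LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d):\d\d\.\d+ \[(\w+)\] (.*)$")

def parse_services(torrc_text):
    """Return [(dir, [port specs])]; a HiddenServicePort belongs to the preceding HiddenServiceDir."""
    services = []
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) < 2:
            continue  # blank line, comment, or option without a value
        key, value = parts[0].lower(), parts[1].strip()  # torrc option names are case-insensitive
        if key == "hiddenservicedir":
            services.append((value, []))
        elif key == "hiddenserviceport":
            if not services:
                raise ValueError("HiddenServicePort before any HiddenServiceDir")
            services[-1][1].append(value)
    return services

def audit(torrc_text, limit=MAX_SERVICES_PER_PROCESS):
    """Count services in one Tor process's torrc and list directories with no port mapping."""
    services = parse_services(torrc_text)
    return {"count": len(services), "over_limit": len(services) > limit,
            "no_port": [d for d, ports in services if not ports]}

def warn_rate(log_text):
    """Count [warn] lines per (minute, message); numbers are masked so variants group together."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and m.group(2) == "warn":
            counts[(m.group(1), re.sub(r"\d+", "N", m.group(3)))] += 1
    return counts

# Constructed sample input modelled on the question; hostnames are placeholders.
SAMPLE_TORRC = "".join(
    f"HiddenServiceDir /var/lib/tor/hidden/site{i}.example\n"
    f"HiddenServicePort 80 site{i}.example:80\n" for i in range(2500))
SAMPLE_LOG = """\
Jun 25 19:09:21.000 [warn] Error launching circuit to node [scrubbed] for service [scrubbed].
Jun 25 19:09:47.000 [warn] Error launching circuit to node [scrubbed] for service [scrubbed].
Jun 25 19:02:18.000 [warn] Your system clock just jumped 148 seconds forward; assuming established circuits no longer work.
"""

if __name__ == "__main__":
    print(audit(SAMPLE_TORRC), warn_rate(SAMPLE_LOG).most_common())
```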