{"id":43514249,"url":"https://github.com/subgraph/roflcoptor","last_synced_at":"2026-02-03T13:30:41.269Z","repository":{"id":57525900,"uuid":"56698803","full_name":"subgraph/roflcoptor","owner":"subgraph","description":"Tor Control Port Filter and State Tracker Daemon","archived":false,"fork":false,"pushed_at":"2017-11-19T14:28:04.000Z","size":195,"stargazers_count":25,"open_issues_count":8,"forks_count":8,"subscribers_count":12,"default_branch":"master","last_synced_at":"2024-06-20T15:55:22.552Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/subgraph.png","metadata":{"files":{"readme":"README.mdwn","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-04-20T15:28:31.000Z","updated_at":"2023-01-05T18:12:58.000Z","dependencies_parsed_at":"2022-09-26T18:11:03.773Z","dependency_job_id":null,"html_url":"https://github.com/subgraph/roflcoptor","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/subgraph/roflcoptor","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/subgraph%2Froflcoptor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/subgraph%2Froflcoptor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/subgraph%2Froflcoptor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/subgraph%2Froflcoptor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/subgraph","download_url":"https://codeload.github.com/subgraph/roflcoptor/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.m
s/api/v1/hosts/GitHub/repositories/subgraph%2Froflcoptor/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29046555,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-03T10:09:22.136Z","status":"ssl_error","status_checked_at":"2026-02-03T10:09:16.814Z","response_time":96,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-02-03T13:30:40.301Z","updated_at":"2026-02-03T13:30:41.262Z","avatar_url":"https://github.com/subgraph.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ROFLCopTor\n\nROFLCopTor aims to be a comprehensive Tor control port filter daemon written in golang.\n\n# Introduction\n\nThe Tor control port exposes powerful functionality, much more\nauthority than most applications need when they talk to the Tor\ncontrol port. In accordance with the principle of least authority, each\nsoftware module would ideally have authority over only the resources\nneeded to perform its tasks. Here in the context of ROFLCopTor, we\nseek to eliminate excess authority from applications which utilize the\nTor control port; they will therefore not be in the debian-tor group\nor otherwise have access to the Tor control port UNIX domain socket or\nTCP listener. 
The only available access to the Tor control port is\nvia ROFLCopTor, which exposes a TCP listener and/or UNIX domain\nsocket listeners.  Each listener has a filtration policy which is\napplied for bidirectional filtration of Tor control port commands and\nresponses.\n\n# Usage\n\nA simple usage:\n\n```\n./roflcoptor -help\nUsage of ./roflcoptor:\n   -config string\n      configuration file\n   -watch\n      watch-mode of operation will default to unfiltered-allow policy\n```\n\nNormally watch-mode is only used when creating new filter rule sets.\n\n\n# Configuration\n\nUntil a Debian package does this automatically, here are the steps to manually set things up.\n\nFirst, create a new user.\n\n```\nadduser --system --group --disabled-password --disabled-login --home /etc/roflcoptor/ --no-create-home --quiet roflcoptor\n```\n\nIn this configuration example Tor's control port is NOT set to TCP\nport 9051, but instead listens on a UNIX domain socket which only the\ndebian-tor group has read/write access to; therefore the\n``roflcoptor`` user must be in the debian-tor group. After running the\nabove commands, `grep roflcoptor /etc/group` should look like this:\n\n```\ndebian-tor:x:111:roflcoptor\nroflcoptor:x:119:\n```\n\nCreate directories and copy files from source repo:\n```\nmkdir /var/run/roflcoptor\nchown roflcoptor:roflcoptor /var/run/roflcoptor\nmkdir -p /etc/roflcoptor/filters\ncp roflcoptor_config.json /etc/roflcoptor\ncp filters/*json /etc/roflcoptor/filters\n```\n\nHere we also turn off ``cookie authentication`` because filesystem permissions are sufficient\nfor limiting access. Configure your ``/etc/tor/torrc`` like this:\n\n```\n# ControlPort 9051 # disable this\nControlPort unix:/var/run/tor/control.socket GroupWritable\nCookieAuthentication 0\n```\n\nRun roflcoptor as the ``roflcoptor`` user and group. 
Here's my systemd example.\nPlace the systemd unit file for the roflcoptor daemon in /etc/systemd/system/roflcoptor.\nIt should look something like this:\n\n```\n[Unit]\nDescription=roflcoptor - onion router control port filtration daemon\nAfter=tor.service\n\n[Service]\nType=simple\nUser=roflcoptor\nPermissionsStartOnly=true\nExecStartPre=-/bin/mkdir /var/run/roflcoptor\nExecStartPre=/bin/chown roflcoptor /var/run/roflcoptor\nExecStart=/usr/local/bin/roflcoptor -watch -config /etc/roflcoptor/roflcoptor_config.json\n```\n\nNOTE: The ``-watch`` flag was passed to roflcoptor so that applications which do not have a policy yet, such as\nOz sandboxed applications, will operate in watch-mode, where the policy is pass-thru, and all other applications\nwill have their filter policy applied. We must resolve ticket https://github.com/subgraph/oz/issues/37\nand implement the Oz UNIX domain socket proxy!\n\n\n\nCreate and chown the roflcoptor related directories:\n\n```\nmkdir -p /etc/roflcoptor/filters /var/run/roflcoptor\nchown -R roflcoptor:roflcoptor /etc/roflcoptor /var/run/roflcoptor\n```\n\nThe JSON configuration file, /etc/roflcoptor/roflcoptor_config.json, should look like this (``TorControlAddress`` must match the socket path set by ``ControlPort`` in ``/etc/tor/torrc``):\n\n```\n{\n    \"FiltersPath\" : \"/etc/roflcoptor/filters\",\n    \"TorControlNet\" : \"unix\",\n    \"TorControlAddress\" : \"/var/run/tor/control\",\n    \"Listeners\" : [\n\t{\n\t    \"Net\" : \"unix\",\n\t    \"Address\" : \"/var/run/roflcoptor/roflcoptor.socket\"\n\t},\n\t{\n\t    \"Net\" : \"tcp\",\n\t    \"Address\" : \"127.0.0.1:9051\"\n\t}\n    ]\n}\n```\n\n\n\n# Acknowledgements\n\nROFLCopTor is derived from @Yawning's [or-ctl-filter](https://github.com/Yawning/or-ctl-filter) and @david415's [or-ctl-sieve](https://github.com/david415/or-ctl-sieve), which was derived from collaboration with Leif Ryge in making this proof of concept filter [twistedcat-armfilter-hax](https://github.com/david415/twistedcat/tree/armfilter-hax).\n\n# Building\n\nBuilding from source is the same as any golang 
project. Provided with this project is a debian branch\nfrom which you can build packages:\n\n```\napt install debhelper dh-golang dh-systemd golang-go tor adduser\n# # To build the Debian package:\ngit clone -b debian https://github.com/subgraph/roflcoptor.git\ncd roflcoptor\n## To build from stable\ngbp buildpackage -us -uc\n## To build from head\ngit checkout master\ngit checkout debian\ngbp buildpackage -us -uc --git-upstream-tree=master\n## Install the package\ndpkg -i /tmp/build-area/roflcoptor-*_amd64.deb\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsubgraph%2Froflcoptor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsubgraph%2Froflcoptor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsubgraph%2Froflcoptor/lists"}