Tor Bridge in Docker: Containerized Deployment Guide

Docker containers simplify Tor bridge deployment, updates, and management. Running a bridge in Docker isolates it from the host system, makes upgrades atomic, and simplifies multi-bridge deployments on a single server. This guide covers deploying an obfs4 bridge with Docker Compose.

Docker Bridge Architecture Overview

A Dockerized Tor bridge consists of two containers: the main Tor container (using the official Tor Docker image or a custom image based on Debian) and the obfs4proxy container (or both combined in a single image). Docker Compose orchestrates both containers.

Persistent volumes store the Tor data directory (which contains bridge keys and descriptor data), the torrc configuration file, and the log directory.

Networking: the obfs4proxy port must be mapped to the host to be reachable from the internet (ports: - '443:443'). The Tor ORPort does not need host exposure (only the bridge traffic port is public).

Container names, network names, and volume names should follow a consistent naming convention for clarity.

docker-compose.yml for obfs4 Bridge

A working docker-compose.yml for an obfs4 bridge:

    version: '3.8'
    services:
      tor-bridge:
        image: torproject/tor:latest  # or build from a custom Dockerfile
        restart: unless-stopped
        volumes:
          - ./torrc:/etc/tor/torrc:ro
          - tor-data:/var/lib/tor
          - tor-logs:/var/log/tor
        ports:
          - '9001:9001'
          - '443:443'  # obfs4 on host port 443
        environment:
          TZ: UTC
    # Named volumes used above must be declared at the top level
    volumes:
      tor-data:
      tor-logs:

The torrc file is configured for bridge mode with ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy. Using the official tor Docker image requires verifying that obfs4proxy is included, or building a custom image that installs both packages. The following Dockerfile provides a combined image with both components:

    FROM debian:bookworm-slim
    # Refresh the package index first; the slim base image ships without one
    RUN apt-get update && apt-get install -y tor obfs4proxy

Persistent Data and Key Management in Docker

The bridge's identity key is stored in /var/lib/tor/keys/ and must persist across container restarts via a named volume or bind mount. If the key is lost, the bridge gets a new fingerprint and all existing clients must update their bridge line.

Configure volumes in docker-compose.yml either as a named volume managed by Docker:

    volumes:
      tor-data:
        driver: local

or as a bind mount to an explicit path on the host, listed under the service's volumes:

    - /opt/tor-bridge/data:/var/lib/tor

Named volumes are easier to back up. This command creates a backup of the named volume's contents in the current directory:

    docker run --rm -v tor-data:/source -v "$(pwd)":/backup alpine tar czf /backup/tor-data-backup.tar.gz -C /source .
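An added example (not part of the original guide): a shell function that checks a tor-data backup archive, as produced by the tar command above, for the files that carry the bridge's identity, and flags any that are group- or world-readable. The file names under keys/ and the pt_state/obfs4_state.json path (where obfs4proxy keeps the state behind the obfs4 bridge line) are not named in the guide; they are assumed from the default data-directory layout of Tor and obfs4proxy.

```bash
#!/bin/sh
# Added example, not the guide's own code.
# Assumes the archive was made with `tar czf ... -C /source .`,
# so every member name starts with "./".
# Usage: source this file, then run
#   verify_bridge_backup tor-data-backup.tar.gz

# Files whose loss changes what clients must put in their bridge line
# (assumed default names, see lead-in).
REQUIRED_FILES="
./keys/secret_id_key
./keys/ed25519_master_id_secret_key
./pt_state/obfs4_state.json
"

# Returns 0 if every required file is present with owner-only permissions,
# 1 if one is missing or readable by group/other, 2 if the archive is unreadable.
verify_bridge_backup() {
    archive=$1
    # A corrupt or absent archive must fail the check, not pass as "nothing missing".
    listing=$(tar tvzf "$archive" 2>/dev/null) || {
        echo "unreadable: $archive"
        return 2
    }
    status=0
    for f in $REQUIRED_FILES; do
        # In the verbose listing the mode string is the first column
        # and the member name is the last.
        mode=$(printf '%s\n' "$listing" | awk -v f="$f" '$NF == f { print $1; exit }')
        if [ -z "$mode" ]; then
            echo "missing: $f"
            status=1
        elif [ "${mode#????}" != "------" ]; then
            # Anything other than "------" after the owner bits means
            # group or other can read, write or execute the secret.
            echo "group/other access ($mode): $f"
            status=1
        fi
    done
    return $status
}
```

The archive itself holds the bridge's secret keys, so store it with the same care as the live data directory.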

Automatic Updates for Dockerized Bridge

Keeping the Tor version current is important for security. The Watchtower container automatically updates other containers when new images are available:

    services:
      watchtower:
        image: containrrr/watchtower
        restart: unless-stopped
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
        command: --interval 86400 --cleanup  # check daily, remove old images

Watchtower pulls new images and restarts containers with the updated image. For security-conscious operators, manual updates are safer than automatic ones (review the changelog before updating). A compromise: run Watchtower in monitor-only mode with email notifications of available updates, and have the operator perform the manual pull and restart.

Monitoring and Management of Docker Bridge

Monitor the Dockerized bridge with docker commands:

    docker compose logs -f tor-bridge   # follow logs
    docker stats tor-bridge             # resource usage
    docker compose ps                   # container status

Set up healthchecks in docker-compose.yml (requires ControlPort configured in torrc):

    healthcheck:
      test: ['CMD', 'curl', '-f', 'http://localhost:9051/status']
      interval: 30s
      timeout: 10s
      retries: 3

Docker will restart the container if healthchecks fail repeatedly. Export Prometheus metrics using Tor Exporter (a separate container that scrapes Tor's control port and exposes metrics). A Grafana dashboard for bridge bandwidth and circuit metrics provides visual monitoring.
