Roecrew Roecrew - 1 month ago 14
Node.js Question

Why do I get "SOCKS connection failed. Connection not allowed by ruleset" for some .onion sites?

I'm experimenting with Node and socks5-https-client. For some reason, certain Tor hidden service (.onion) sites return with a connection error.

For example, connecting to DuckDuckGo (3g2upl4pq6kufc4m.onion) works and returns HTML.

However, connecting to The Pirate Bay (uj3wazyk5u4hnvtk.onion) or TORCH (xmh57jrzrnw6insl.onion) returns...


Error: SOCKS connection failed. Connection not allowed by ruleset.


What does this error mean? How can I avoid it?




Here's code to reproduce it:

var shttps = require('socks5-https-client');

shttps.get({
    hostname: '3g2upl4pq6kufc4m.onion',
    path: '',
    socksHost: '127.0.0.1',
    socksPort: 9150, // Tor Browser's bundled SOCKS port.
    rejectUnauthorized: false // Skips TLS certificate verification.
}, function(res) {
    res.setEncoding('utf8');
    res.on('readable', function() {
        console.log(res.read()); // Log response to console.
    });
});


The error seems to be caused by a 0x02 value in field 2 of the server response.

Answer Source

Investigated and figured it out.

That code gets me the same results on 64-bit Linux with Tor 0.2.5.10, socks5-https-client 1.0.1, Node 0.12.0.

I grepped socks5-https-client's codebase for the error and got a hit in the dependency socks5-client on this line. It translates the underlying SOCKS connection's error code to a human-readable message. Wikipedia's explanation of SOCKS5 error codes lines up with that, but isn't much more descriptive…

A related Tor bug report complained 5 years ago about a similar error, from the same type of SOCKS connection. Turns out it just means the receiving server had nothing running on that port; your connection was just plain rejected.

Given that hypothesis, it should be expected that TPB's HTTPS port 443 won't reply to a TCP SYN, and indeed it doesn't:

$ torify tcping uj3wazyk5u4hnvtk.onion 443
[Mar 22 22:40:59] ERROR torsocks[18560]: Connection not allowed by ruleset (in socks5_recv_connect_reply() at socks5.c:520)
error: uj3wazyk5u4hnvtk.onion port 443: Software caused connection abort

(Same consistently confusing error, yippee.)

They have HTTP port 80 open though:

$ torify tcping uj3wazyk5u4hnvtk.onion 80
uj3wazyk5u4hnvtk.onion port 80 open.

Depending on your security needs, you might want to fall back on socks5-http-client (without the "s" on "http"). Your code with just that replacement works for me.
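
The SOCKS5 exchange behind this error, as an added example that is not part of the original question or answer: it builds the CONNECT request, decodes the reply's second byte (the 0x02 the question mentions) using the RFC 1928 reply codes, and can probe a port through the proxy. The function names `buildConnect`, `parseReply` and `probe` are made up for this example, and the default proxy address is taken from the question's code.

```javascript
const net = require('net');

// REP values 0x00-0x08 from RFC 1928 section 6, indexed by code.
const REPLIES = [
  'succeeded', 'general SOCKS server failure', 'connection not allowed by ruleset',
  'network unreachable', 'host unreachable', 'connection refused',
  'TTL expired', 'command not supported', 'address type not supported',
];

// CONNECT request with ATYP 0x03 (domain name), so the proxy resolves the .onion name itself.
function buildConnect(host, port) {
  const name = Buffer.from(host, 'ascii');
  if (name.length === 0 || name.length > 255) throw new RangeError('bad hostname length');
  const tail = Buffer.alloc(2);
  tail.writeUInt16BE(port, 0);
  return Buffer.concat([Buffer.from([0x05, 0x01, 0x00, 0x03, name.length]), name, tail]);
}

// Decode the reply header (VER, REP, RSV, ATYP); REP is the second byte.
function parseReply(buf) {
  if (buf.length < 4) throw new Error('truncated SOCKS5 reply');
  if (buf[0] !== 0x05) throw new Error('not a SOCKS5 reply');
  const code = buf[1];
  return { code, ok: code === 0x00, message: REPLIES[code] || 'unassigned reply code' };
}

// Offer the no-authentication method (0x00), then ask the proxy to open host:port.
function probe(host, port, socksHost = '127.0.0.1', socksPort = 9150) {
  return new Promise((resolve, reject) => {
    let buf = Buffer.alloc(0);
    let greeted = false;
    const sock = net.connect(socksPort, socksHost, () => sock.write(Buffer.from([0x05, 0x01, 0x00])));
    sock.on('error', reject);
    sock.on('close', () => reject(new Error('proxy closed before replying')));
    sock.on('data', (chunk) => {
      buf = Buffer.concat([buf, chunk]);
      if (!greeted && buf.length >= 2) {
        if (buf[0] !== 0x05 || buf[1] !== 0x00) return sock.destroy(new Error('proxy refused no-auth'));
        greeted = true;
        buf = buf.subarray(2);
        sock.write(buildConnect(host, port));
      }
      if (greeted && buf.length >= 4) {
        try { resolve(parseReply(buf)); } catch (e) { reject(e); }
        sock.destroy();
      }
    });
  });
}
```

Calling `probe(host, 443)` and `probe(host, 80)` against a running Tor SOCKS port gives the same per-port answer as the `torify tcping` checks above.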