Onionbalance v3 setup for a Tor website
Onionbalance is the best way to load-balance onion services across multiple backend Tor instances. This way the load of introduction and rendezvous requests gets distributed across multiple hosts. Onionbalance provides load-balancing while also making onion services more resilient and reliable by eliminating single points of failure.
Let’s first start with an overview of the Onionbalance design so that you better understand what we are gonna do in this guide. Through the rest of this guide we will assume you understand how both Onionbalance and the onion service protocol work. If you already know how Onionbalance works, feel free to skip to the next section.
In this picture you see a setup where Onionbalance is used to load-balance over three backend instances. The frontend service is on the right side whereas the three backend instances are in the middle. On the left side there is a Tor client called Alice who visits the load-balanced service using the frontend address dpkhemrbs3oiv2...onion (which is actually 56 characters long but here we cut it for brevity).
Here is how this works in steps (consult the picture to see where the steps actually happen):
- First the three backend instances (which are regular onion services) publish their descriptors to the Tor directory hashring.
- Then Onionbalance fetches the descriptors of the backend instances from the hashring.
- Onionbalance now extracts the introduction points out of the backend descriptors, and creates a new superdescriptor that includes a combination of all those introduction points. Then Onionbalance uploads the superdescriptor to the hashring.
- Now the client, Alice, fetches the superdescriptor from the hashring by visiting
- Alice picks an introduction point from the superdescriptor and introduces herself to it. Because the introduction points actually belong to the backend instances, Alice is actually talking to backend instance #2, effectively getting load-balanced.
The rest of the onion service protocol carries on as normal between Alice and the backend instance.
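The superdescriptor step described above can be modelled in a few lines. This is an added sketch, not Onionbalance's own code: the backend addresses, introduction point names, the one-hour freshness window and the round-robin merge are assumptions made for illustration. It shows why a backend that stops publishing drops out of the frontend descriptor without any change on the client side.

```python
from dataclasses import dataclass
from itertools import zip_longest

MAX_INTRO_POINTS = 20       # upper bound on intro points in a v3 descriptor
MAX_DESCRIPTOR_AGE = 3600   # seconds; assumed freshness window for this sketch

@dataclass
class BackendDescriptor:
    onion_address: str      # backend instance address (constructed)
    fetched_at: int         # Unix time the descriptor was fetched
    intro_points: list      # opaque intro point labels (constructed)

def build_superdescriptor(backends, now, cap=MAX_INTRO_POINTS):
    """Combine the intro points of all live backends into one list."""
    live = [b for b in backends
            if b.intro_points and now - b.fetched_at <= MAX_DESCRIPTOR_AGE]
    merged = []
    # Interleave so every live backend is represented before the cap is hit.
    for round_ in zip_longest(*(b.intro_points for b in live)):
        for ip in round_:
            if ip is not None and ip not in merged:
                merged.append(ip)
    return merged[:cap]

def backend_share(superdesc, backends):
    """Fraction of advertised intro points that lead to each backend."""
    owner = {ip: b.onion_address for b in backends for ip in b.intro_points}
    counts = {}
    for ip in superdesc:
        counts[owner[ip]] = counts.get(owner[ip], 0) + 1
    return {addr: n / len(superdesc) for addr, n in counts.items()}

NOW = 100_000  # constructed clock value
# Constructed sample: three backends, the second one last seen two hours ago.
SAMPLE_BACKENDS = [
    BackendDescriptor("backend1.onion", NOW - 60, ["a1", "a2", "a3"]),
    BackendDescriptor("backend2.onion", NOW - 7200, ["b1", "b2", "b3"]),
    BackendDescriptor("backend3.onion", NOW - 120, ["c1", "c2", "c3"]),
]

if __name__ == "__main__":
    desc = build_superdescriptor(SAMPLE_BACKENDS, NOW)
    print("superdescriptor intro points:", desc)
    print("share per backend:", backend_share(desc, SAMPLE_BACKENDS))
```

Monitoring the per-backend share over time is a simple health check: a backend whose share falls to zero has stopped publishing a usable descriptor.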