0379553e11606db5ae70eda00aed109a8af99420
kat Change hidden -> onion. (Se...

kat authored 6 years ago

1) ## translation metadata
2) # Revision: $Revision$
3) # Translation-Priority: 3-low
4) 
5) #include "head.wmi" TITLE="Tor Project: Onion Service Configuration Instructions" CHARSET="UTF-8"
6) <div id="content" class="clearfix">
7)   <div id="breadcrumbs">
8)     <a href="<page index>">Home &raquo; </a>
9)     <a href="<page docs/documentation>">Documentation &raquo; </a>
10)     <a href="<page docs/tor-onion-service>">Tor Onion Service</a>
11)   </div>
12)   <div id="maincol">
13)     <h1>Configuring Onion Services for <a href="<page index>">Tor</a></h1>
traumschule onion services: add TOC

traumschule authored 6 years ago

14) 
15)     <hr />
kat Change hidden -> onion. (Se...

kat authored 6 years ago

16) 
17)     <p>Tor allows clients and relays to offer onion services. That is,
18)     you can offer a web server, SSH server, etc., without revealing your
19)     IP address to its users. In fact, because you don't use any public address,
20)     you can run an onion service from behind your firewall.
21)     </p>
22) 
23)     <p>If you have Tor installed, you can see onion services in action
24)     by visiting this <a href="http://duskgytldkxiuqc6.onion/">sample
25)     site</a>.
26)     </p>
27) 
28)     <p>
29)     This page describes the steps for setting up your own onion service
30)     website. For the technical details of how the onion service protocol
31)     works, see our <a href="<page docs/onion-services>">onion service
32)     protocol</a> page.
33)     </p>
34) 
35)     <hr>
traumschule onion services: add TOC

traumschule authored 6 years ago

36)     <ul>
37)       <li><a href="#zero">Step Zero: Get Tor working</a></li>
38)       <li><a href="#one">Step One: Install a web server locally</a></li>
39)       <li><a href="#two">Step Two: Configure your onion service</a></li>
40)       <li><a href="#three">Step Three: More advanced tips</a></li>
41)       <li><a href="#four">Step Four: Set up next-gen (v3) onions</a></li>
42)     </ul>
43)     <hr>
44) 
kat Change hidden -> onion. (Se...

kat authored 6 years ago

45)     <a id="zero"></a>
46)     <h2><a class="anchor" href="#zero">Step Zero: Get Tor working</a></h2>
47)     <br>
48) 
49)     <p>Before you start, you need to make sure:</p>
50)     <ol>
51)     <li>Tor is up and running,</li>
52)     <li>You actually set it up correctly.</li>
53)     </ol>
54) 
55)     <p>Windows users should follow the <a
56)     href="<page docs/tor-doc-windows>">Windows
57)     howto</a>, OS X users should follow the <a
58)     href="<page docs/tor-doc-osx>">OS
59)     X howto</a>, and Linux/BSD/Unix users should follow the <a
60)     href="<page docs/tor-doc-unix>">Unix howto</a>.
61)     </p>
62) 
63)     <hr>
64)     <a id="one"></a>
65)     <h2><a class="anchor" href="#one">Step One: Install a web server locally</a></h2>
66)     <br>
67) 
68)     <p>
traumschule onion services: mention web...

traumschule authored 6 years ago

69)     First, you need to set up a web server locally, for example nginx or
70)     lighttpd (apache is not the best option for anomymity, see
71)     <a href="#three">Step Three</a> below).
72)     Setting up a web server can be complex. We're not going to cover how to set
73)     up a web server here. If you get stuck or want to do more, find a friend who
kat Change hidden -> onion. (Se...

kat authored 6 years ago

74)     can help you. We recommend you install a new separate web server for
75)     your onion service, since even if you already have one installed,
76)     you may be using it (or want to use it later) for a normal website.
77)     </p>
78) 
79)     <p>
80)     You need to configure your web server so it doesn't give away any
81)     information about you, your computer, or your location. Be sure to
82)     bind the web server only to localhost (if people could get to it
83)     directly, they could confirm that your computer is the one offering
84)     the onion service). Be sure that its error messages don't list
85)     your hostname or other hints. Consider putting the web server in a
86)     sandbox or VM to limit the damage from code vulnerabilities.
87)     </p>
88) 
89)     <p>
90)     Once your web server is set up, make
91)     sure it works: open your browser and go to <a
92)     href="http://localhost:8080/">http://localhost:8080/</a>, where
93)     8080 is the webserver port you chose during setup (you can choose any
94)     port, 8080 is just an example). Then try putting a file in the main
95)     html directory, and make sure it shows up when you access the site.
96)     </p>
97) 
98)     <hr>
99)     <a id="two"></a>
100)     <h2><a class="anchor" href="#two">Step Two: Configure your onion service</a></h2>
101)     <br>
102) 
103)     <p>Next, you need to configure your onion service to point to your
104)     local web server.
105)     </p>
106) 
107)     <p>First, open your torrc file in your favorite text editor. (See
108)     <a href="<page docs/faq>#torrc">the torrc FAQ entry</a> to learn
109)     what this means.) Go to the middle section and look for the line</p>
110) 
111)     <pre>
112)     \############### This section is just for location-hidden services ###
113)     </pre>
114) 
115)     <p>
116)     This section of the file consists of groups of lines, each representing
117)     one onion service. Right now they are all commented out (the lines
118)     start with #), so onion services are disabled. Each group of lines
119)     consists of one <var>HiddenServiceDir</var> line, and one or more
120)     <var>HiddenServicePort</var> lines:</p>
121)     <ul>
122) 	<li><var>HiddenServiceDir</var> is a directory where Tor will store
123) 	information about that onion service.  In particular, Tor will create a
124) 	file here named <var>hostname</var> which will tell you the onion URL.  You
125) 	don't need to add any files to this directory. Make sure this is not the
126) 	same directory as the hidserv directory you created when setting up thttpd,
127) 	as your HiddenServiceDir contains secret information!</li>
128) 	<li><var>HiddenServicePort</var> lets you specify a virtual port (that is,
129) 	what port people accessing the onion service will think they're using) and
130) 	an IP address and port for redirecting connections to this virtual
131) 	port.</li> </ul>
132) 
133)     <p>Add the following lines to your torrc:
134)     </p>
135) 
136)     <pre>
137)     HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/
138)     HiddenServicePort 80 127.0.0.1:8080
139)     </pre>
140) 
141) 	<p>You're going to want to change the <var>HiddenServiceDir</var> line, so
142) 	it points to an actual directory that is readable/writeable by the user
143) 	that will be running Tor. The above line should work if you're using the OS
144) 	X Tor package. On Unix, try "/home/username/hidden_service/" and fill in
145) 	your own username in place of "username". On Windows you might pick:</p>
146) 	<pre> HiddenServiceDir C:\Users\username\Documents\tor\hidden_service
147) 	HiddenServicePort 80 127.0.0.1:8080 </pre>
148) 
traumschule onion services: add v3 manu...

traumschule authored 6 years ago

149)     <p>Note that since 0.2.6, both <var>SocksPort</var> and <var>HiddenServicePort</var>
150)     support Unix sockets. This means that you can point the <var>HiddenServicePort</var>
151)     to a Unix socket:</p>
kat Change hidden -> onion. (Se...

kat authored 6 years ago

152)     <pre>
153)     HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/
154)     HiddenServicePort 80 unix:/path/to/socket
155)     </pre>
156) 
157)     <p>Now save the torrc and restart your tor.</p>
158) 
159) 	<p>If Tor starts up again, great. Otherwise, something is wrong. First look
160) 	at your logfiles for hints. It will print some warnings or error messages.
161) 	That should give you an idea what went wrong. Typically there are typos in
162) 	the torrc or wrong directory permissions (See <a href="<page
163) 	docs/faq>#Logs">the logging FAQ entry</a> if you don't know how to enable
164) 	or find your log file.) </p>
165) 
166) 	<p>When Tor starts, it will automatically create the
167) 	<var>HiddenServiceDir</var> that you specified (if necessary), and it will
168) 	create two files there.</p>
169) 
170)     <dl>
171)     <dt><var>private_key</var></dt>
172)     <dd>First, Tor will generate a new public/private keypair for your onion
173)     service. It is written into a file called "private_key". Don't share this key
174)     with others -- if you do they will be able to impersonate your onion
175)     service.</dd>
176)     <dt><var>hostname</var></dt>
177)     <dd>The other file Tor will create is called "hostname". This contains
178)     a short summary of your public key -- it will look something like
179)     <tt>duskgytldkxiuqc6.onion</tt>. This is the public name for your service,
180)     and you can tell it to people, publish it on websites, put it on business
181)     cards, etc.</dd>
182)     </dl>
183) 
184)     <p>If Tor runs as a different user than you, for example on
185)     OS X, Debian, or Red Hat, then you may need to become root to be able
186)     to view these files.</p>
187) 
188)     <p>Now that you've restarted Tor, it is busy picking introduction points
189)     in the Tor network, and generating an <em>onion service
190)     descriptor</em>. This is a signed list of introduction points along with
191)     the service's full public key. It anonymously publishes this descriptor
192)     to the directory servers, and other people anonymously fetch it from the
193)     directory servers when they're trying to access your service.
194)     </p>
195) 
196)     <p>Try it now: paste the contents of the hostname file into your web
197)     browser. If it works, you'll get the html page you set up in step one.
198)     If it doesn't work, look in your logs for some hints, and keep playing
199)     with it until it works.
200)     </p>
201) 
202)     <hr>
203)     <a id="three"></a>
204)     <h2><a class="anchor" href="#three">Step Three: More advanced tips</a></h2>
205)     <br>
206) 
207)     <p>If you plan to keep your service available for a long time, you might
208)     want to make a backup copy of the <var>private_key</var> file somewhere.
209)     </p>
210) 
211)     <p>If you want to forward multiple virtual ports for a single onion
212)     service, just add more <var>HiddenServicePort</var> lines.
213)     If you want to run multiple onion services from the same Tor
214)     client, just add another <var>HiddenServiceDir</var> line. All the following
traumschule onion services: add v3 manu...

traumschule authored 6 years ago

215)     <var>HiddenServicePort</var> lines refer to this <var>HiddenServiceDir</var>
216)     line, until you add another <var>HiddenServiceDir</var> line:
kat Change hidden -> onion. (Se...

kat authored 6 years ago

217)     </p>
218) 
219)     <pre>
220)     HiddenServiceDir /usr/local/etc/tor/hidden_service/
221)     HiddenServicePort 80 127.0.0.1:8080
222) 
223)     HiddenServiceDir /usr/local/etc/tor/other_hidden_service/
224)     HiddenServicePort 6667 127.0.0.1:6667
225)     HiddenServicePort 22 127.0.0.1:22
226)     </pre>
227) 
traumschule onion services: add link to...

traumschule authored 6 years ago

228)     To set up an onion service on Raspbian have a look at Alec Muffett's
229)     <a href="https://github.com/alecmuffett/eotk">Enterprise Onion Toolkit</a>.
230) 
traumschule onion services: add v3 manu...

traumschule authored 6 years ago

231)     <p>Onion services operators need to practice proper
232)     <a href="https://trac.torproject.org/projects/tor/wiki/doc/OperationalSecurity">
233)     operational security</a> and system administration to maintain security.
234)     For some security suggestions please make sure you read over Riseup's
235)     <a href="https://help.riseup.net/en/security/network-security/tor/onionservices-best-practices">
236)     "Tor Hidden (Onion) Services Best Practices" document</a>.
237)     Also, here are some more anonymity issues you should keep in mind:
kat Change hidden -> onion. (Se...

kat authored 6 years ago

238)     </p>
239)     <ul>
240)     <li>As mentioned above, be careful of letting your web server reveal
241)     identifying information about you, your computer, or your location.
242)     For example, readers can probably determine whether it's thttpd or
243)     Apache, and learn something about your operating system.</li>
244)     <li>If your computer isn't online all the time, your onion service
245)     won't be either. This leaks information to an observant adversary.</li>
246)     <li>It is generally a better idea to host onion services on a Tor client
247)     rather than a Tor relay, since relay uptime and other properties are
248)     publicly visible.</li>
249)     <li>The longer an onion service is online, the higher the risk that its
250)     location is discovered. The most prominent attacks are building a
251)     profile of the onion service's availability and matching induced
252)     traffic patterns.</li>
253)     </ul>
254) 
255)     <p>Another common issue is whether to use HTTPS on your relay or
256)     not. Have a look at this <a
traumschule onion services: add v3 manu...

traumschule authored 6 years ago

257)     href="https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs">post</a>
258)     on the Tor Blog to learn more about these issues.
259)     </p>
260) 
261)     <p>You can use <a href="https://stem.torproject.org">stem</a> to
262)     <a href="https://stem.torproject.org/tutorials/over_the_river.html">
263)     automate the management of your onion services</a>.
kat Change hidden -> onion. (Se...

kat authored 6 years ago

264)     </p>
265) 
266)     <p>Finally, feel free to use the <a
267)     href="https://lists.torproject.org/pipermail/tor-onions/">[tor-onions]
268)     mailing list</a> to discuss the secure administration and operation of
269)     Tor onion services.</p>
270) 
traumschule onion services: add v3 manu...

traumschule authored 6 years ago

271)     <hr>
272)     <a id="four"></a>
273)     <h2><a class="anchor" href="#four">Step Four: Set up next-gen (v3) onions</a></h2>
274)     <br>
275) 
hiro Remove strange characters

hiro authored 6 years ago

276)     <p>Since Tor 0.3.2 and
traumschule onion services: add v3 manu...

traumschule authored 6 years ago

277)     <a href="https://blog.torproject.org/tor-browser-75a5-released">Tor Browser
278)     7.5.a5</a> 56 bit long v3 onion addresses are supported and should be used
279)     instead. This newer version of onion services ("v3") features many
280)     improvements over the legacy system:
281)     </p>
282)     <ul>
283)       <li>Better crypto (replaced SHA1/DH/RSA1024 with SHA3/ed25519/curve25519)</li>
284)       <li>Improved directory protocol, leaking much less information to directory servers.</li>
285)       <li>Improved directory protocol, with smaller surface for targeted attacks.</li>
286)       <li>Better onion address security against impersonation.</li>
287)       <li>More extensible introduction/rendezvous protocol.</li>
288)       <li>A cleaner and more modular codebase.</li>
289)     </ul>
290)     <p>For details see
291)     <a href="https://trac.torproject.org/projects/tor/wiki/doc/HiddenServiceNames">
292)     Why are v3 onions better?</a>. You can identify a next-generation onion
293)     address by its length: they are 56 characters long, as in
294)     <var>4acth47i6kxnvkewtm6q7ib2s3ufpo5sqbsnzjpbi7utijcltosqemad.onion</a>.
hiro Remove strange characters

hiro authored 6 years ago

295) 
traumschule onion services: add v3 manu...

traumschule authored 6 years ago

296)     The specification for next gen onion services can be found
297)     <a href="https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt">
298)     here</a>.
299)     </p>
300) 
301)     <h3>How to setup your own prop224 service</h3>
302) 
hiro Remove strange characters

hiro authored 6 years ago

303)     <p>It's easy! Just use your <a href"#two">regular onion service</a> torrc
traumschule onion services: add v3 manu...

traumschule authored 6 years ago

304)     and add <var>HiddenServiceVersion 3</var> in your onion service torrc block.
305)     Here is an example torrc designed for testing:
306)     </p>
307)     <pre>
308) SocksPort auto
309) 
310) HiddenServiceDir /home/user/tmp/hsv3
311) HiddenServiceVersion 3
312) HiddenServicePort 6667 127.0.0.1:6667
313)     </pre>
314)     <p>Then your onion address is in <var>/home/user/tmp/hsv3/hostname</var>.
315)     To host both a v2 and a v3 service using two onion service torrc blocks:
316)     </p>
317)     <pre>
318) HiddenServiceDir /home/user/tmp/hsv2
319) HiddenServicePort 6667 127.0.0.1:6667
320) 
321) HiddenServiceDir /home/user/tmp/hsv3
322) HiddenServiceVersion 3
323) HiddenServicePort 6668 127.0.0.1:6667
324)     </pre>
325) 
326)     <p>Please note that tor is strict about directory permissions and does not
327)     like to share its files. Make sure to restrict read and write access to the
328)     onion services directory before restarting tor. For most linux based systems you can use:
329)     </p>
330)     <pre>chmod 700 -R /var/lib/tor</pre>
331) 
332)     <p>To restart tor it's safer to not use SIGHUP directly (see bug
333)     <a href="https://trac.torproject.org/projects/tor/ticket/21818">#21818</a>),
334)     but to check the validity of the config first. On Debian based systems the
335)     services management tool does this for you:</p>
336)     <pre>
337)     service tor restart
338)     </pre>
339) 
340)     <h3>How to help the next-gen onion development</h3>
341) 
342)     <p>Please let us know if you find any bugs!
343)     We are still in testing & development stage so things are very liquid and
344)     in active development. If you want to help with development, check out the list of
345)     <a href="https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~prop224&order=priority">
346)     open prop224 bugs</a>.
347)     </p>
348) 
349)     <p>For researchers our wiki page
350)     <a href="https://trac.torproject.org/projects/tor/wiki/doc/OnionServiceNamingSystems">
351)     Onion Service Naming Systems</a> could be of value. If you are more of the bug
352)     hunting type, please check our code and spec for errors and inaccuracies.
353)     We would be thrilled to know about them!
354)     </p>
355) 
356)     <p>For debugging and to send us more helpful log files, turn on info logging:
357)     </p>
358)     <pre>
359) SafeLogging 0
360) Log notice file /home/user/tmp/hs/hs.log
361) Log info file /home/user/tmp/hs/hsinfo.log
362)     </pre>
363)