1e2b76f5836d51ae2c19539e5dffdf7ffdd5c84f
Andrew Lewman first cut of the new, shiny...

Andrew Lewman authored 13 years ago

1) ## translation metadata
Roger Dingledine looks like we never set the...

Roger Dingledine authored 13 years ago

2) # Revision: $Revision$
3) # Translation-Priority: 3-low
4) 
5) #include "head.wmi" TITLE="Tor Project: Hidden Service Configuration Instructions" CHARSET="UTF-8"
6) <div id="content" class="clearfix">
7)   <div id="breadcrumbs">
Andrew Lewman change all of the breadcrum...

Andrew Lewman authored 13 years ago

8)     <a href="<page index>">Home &raquo; </a>
9)     <a href="<page docs/documentation>">Documentation &raquo; </a>
10)     <a href="<page docs/tor-hidden-service>">Tor Hidden Service</a>
11)   </div>
12)   <div id="maincol">
13)     <h1>Configuring Hidden Services for <a href="<page index>">Tor</a></h1>
Sebastian Hahn We decided to go with HTML...

Sebastian Hahn authored 13 years ago

14)     <hr>
15)     
16)     <p>Tor allows clients and relays to offer hidden services. That is,
17)     you can offer a web server, SSH server, etc., without revealing your
18)     IP address to its users. In fact, because you don't use any public address,
19)     you can run a hidden service from behind your firewall.
20)     </p>
21)     
22)     <p>If you have Tor installed, you can see hidden services
Andrew Lewman update hidden service examp...

Andrew Lewman authored 12 years ago

23)     in action by visiting one of our official hidden services:
24)     <ul>
25)     <li><a href="http://idnxcnkne4qt76tg.onion/">The Tor Project Website</a></li>
26)     <li><a href="http://j6im4v42ur6dpic3.onion/">The Tor Package Archive</a></li>
27)     <li><a href="http://p3igkncehackjtib.onion/">The Tor Media Archive</a></li>
28)     </ul>
29) 
30)     Others run reliable hidden services, such as <a
31)     href="http://3g2upl4pq6kufc4m.onion/">The Duck Duck
32)     Go</a> search engine and someone hosting a <a
33)     href="http://duskgytldkxiuqc6.onion/">sample site</a>.
34)     </p>
35)     <p>
36)     It will typically take 10-60 seconds to load (or to decide that the
37)     service is currently unreachable). If it fails immediately and your
38)     browser pops up an alert saying that "www.duskgytldkxiuqc6.onion could
39)     not be found, please check the name and try again" then you haven't
40)     configured Tor correctly; see <a href="<page docs/faq>#DoesntWork">the
41)     it-doesn't-work FAQ entry</a> for some help.
42)     </p>
43) 
44)     <p>
45)     This howto describes the steps for setting up your own hidden service
46)     website. For the technical details of how the hidden service protocol
47)     works, see our <a href="<page docs/hidden-services>">hidden service
48)     protocol</a> page.
49)     </p>
50) 
51)     <hr>
52)     <a id="zero"></a>
53)     <h2><a class="anchor" href="#zero">Step Zero: Get Tor working</a></h2>
54)     <br>
55)     
56)     <p>Before you start, you need to make sure:</p>
57)     <ol>
58)     <li>Tor is up and running,</li>
59)     <li>You actually set it up correctly.</li>
60)     </ol>
61)     
62)     
63)     <p>Windows users should follow the <a
64)     href="<page docs/tor-doc-windows>">Windows
65)     howto</a>, OS X users should follow the <a
66)     href="<page docs/tor-doc-osx>">OS
67)     X howto</a>, and Linux/BSD/Unix users should follow the <a
68)     href="<page docs/tor-doc-unix>">Unix howto</a>.
69)     </p>
70) 
71)     <hr>
72)     <a id="one"></a>
73)     <h2><a class="anchor" href="#one">Step One: Install a web server locally</a></h2>
74)     <br>
75)     
76)     <p>
77)     First, you need to set up a web server locally. Setting up a web
78)     server can be tricky, so we're just going to go over a few basics
79)     here. If you get stuck or want to do more, find a friend who can
80)     help you. We recommend you install a new separate web server for
81)     your hidden service, since even if you already have one installed,
82)     you may be using it (or want to use it later) for an actual website.
83)     </p>
84) 
85)     <p>
86)     Once you've got your web server set up, make
87)     sure it works: open your browser and go to <a
88)     href="http://localhost:5222/">http://localhost:5222/</a>, where
89)     5222 is the port that you picked above. Then try putting a file in
90)     the main html directory, and make sure it shows up when you access
91)     the site.  The reason we bind the web server only to localhost is to
92)     make sure it isn't publicly accessible. If people could get to it
93)     directly, they could confirm that your computer is the one offering
94)     the hidden service.
95)     </p>
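An added example (not part of the original howto or of Tor's code): a Linux-only check that reads listening sockets in the format of /proc/net/tcp and reports whether a port is bound to anything other than loopback. The sample text is constructed, ports 5222 and 8080 are the ones this page uses, and IPv6 listeners (/proc/net/tcp6) are not covered.

```python
import socket
import struct

# Constructed sample in the format of Linux /proc/net/tcp (header plus three
# sockets); on a live host, read the real file instead.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1466 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11111 1
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22222 1
   2: 0100007F:1466 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def listeners(proc_text):
    """Yield (ip, port) for every listening IPv4 TCP socket."""
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The address is a 32-bit value printed in host byte order; packing
        # it little-endian recovers the dotted quad on x86/ARM Linux hosts.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        yield ip, int(hex_port, 16)


def exposed_listeners(proc_text, port):
    """Return the non-loopback addresses on which `port` is listening."""
    return [ip for ip, p in listeners(proc_text)
            if p == port and not ip.startswith("127.")]


if __name__ == "__main__":
    for port in (5222, 8080):
        bad = exposed_listeners(SAMPLE_PROC_NET_TCP, port)
        print(port, "loopback only" if not bad else f"also bound to {bad}")
```
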
96) 
97)     <hr>
98)     <a id="two"></a>
99)     <h2><a class="anchor" href="#two">Step Two: Configure your hidden service</a></h2>
100)     <br>
101)     
102)     <p>Next, you need to configure your hidden service to point to your
103)     local web server.
104)     </p>
105)     
106)     <p>First, open your torrc file in your favorite text editor. (See <a
Roger Dingledine change links to the #torrc...

Roger Dingledine authored 13 years ago

107)     href="<page docs/faq>#torrc">the
108)     torrc FAQ entry</a> to learn what this means.) Go to the middle section and
109)     look for the line</p>
110)     
111)     <pre>
112)     ############### This section is just for location-hidden services ###
113)     </pre>
114)     
115)     <p>
116)     This section of the file consists of groups of lines, each representing
117)     one hidden service. Right now they are all commented out (the lines
118)     start with #), so hidden services are disabled. Each group of lines
119)     consists of one <var>HiddenServiceDir</var> line, and one or more
120)     <var>HiddenServicePort</var> lines:</p>
121)     <ul>
122)     <li><var>HiddenServiceDir</var> is a directory where Tor will store information
123)     about that hidden service.  In particular, Tor will create a file here named
124)     <var>hostname</var> which will tell you the onion URL.  You don't need to
125)     add any files to this directory. Make sure this is not the same directory
126)     as the hidserv directory you created when setting up thttpd, as your
127)     HiddenServiceDir contains secret information!</li>
128)     <li><var>HiddenServicePort</var> lets you specify a virtual port (that is, what
129)     port people accessing the hidden service will think they're using) and an
130)     IP address and port for redirecting connections to this virtual port.</li>
131)     </ul>
132)     
133)     <p>Add the following lines to your torrc:
134)     </p>
135)     
136)     <pre>
137)     HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/
138)     HiddenServicePort 80 127.0.0.1:5222
139)     </pre>
140)     
141)     <p>You're going to want to change the <var>HiddenServiceDir</var> line, so it points
142)     to an actual directory that is readable/writeable by the user that will
143)     be running Tor. The above line should work if you're using the OS X Tor
144)     package. On Unix, try "/home/username/hidden_service/" and fill in your own
145)     username in place of "username". On Windows you might pick:</p>
146)     <pre>
Sebastian Hahn Remove backslash from Windo...

Sebastian Hahn authored 12 years ago

147)     HiddenServiceDir C:\Users\username\Documents\tor\hidden_service
148)     HiddenServicePort 80 127.0.0.1:5222
149)     </pre>
150)     
151)     <p>Now save the torrc, shut down
152)     your Tor, and then start it again.
153)     </p>
154)     
155)     <p>If Tor starts up again, great. Otherwise, something is wrong. First look at
156)     your logfiles for hints. It will print some warnings or error messages. That
157)     should give you an idea what went wrong. Typically there are typos in the torrc
Roger Dingledine revise #Logs entry. fix sev...

Roger Dingledine authored 13 years ago

158)     or wrong directory permissions. (See <a href="<page docs/faq>#Logs">the
159)     logging FAQ entry</a> if you don't know how to enable or find your
160)     log file.)
161)     </p>
162)     
163)     <p>When Tor starts, it will automatically create the <var>HiddenServiceDir</var>
164)     that you specified (if necessary), and it will create two files there.</p>
165)     
166)     <dl>
167)     <dt><var>private_key</var></dt>
168)     <dd>First, Tor will generate a new public/private keypair for your hidden
169)     service. It is written into a file called "private_key". Don't share this key
170)     with others -- if you do they will be able to impersonate your hidden
171)     service.</dd>
172)     <dt><var>hostname</var></dt>
173)     <dd>The other file Tor will create is called "hostname". This contains
174)     a short summary of your public key -- it will look something like
175)     <tt>duskgytldkxiuqc6.onion</tt>. This is the public name for your service,
176)     and you can tell it to people, publish it on websites, put it on business
177)     cards, etc.</dd>
178)     </dl>
179)     
180)     <p>If Tor runs as a different user than you, for example on
181)     OS X, Debian, or Red Hat, then you may need to become root to be able
182)     to view these files.</p>
183)     
184)     <p>Now that you've restarted Tor, it is busy picking introduction points
185)     in the Tor network, and generating a <em>hidden service
186)     descriptor</em>. This is a signed list of introduction points along with
187)     the service's full public key. It anonymously publishes this descriptor
188)     to the directory servers, and other people anonymously fetch it from the
189)     directory servers when they're trying to access your service.
190)     </p>
191)     
192)     <p>Try it now: paste the contents of the hostname file into your web
193)     browser. If it works, you'll get the html page you set up in step one.
194)     If it doesn't work, look in your logs for some hints, and keep playing
195)     with it until it works.
196)     </p>
197)     
198)     <hr>
199)     <a id="three"></a>
200)     <h2><a class="anchor" href="#three">Step Three: More advanced tips</a></h2>
201)     <br>
202)     
203)     <p>If you plan to keep your service available for a long time, you might
204)     want to make a backup copy of the <var>private_key</var> file somewhere.
205)     </p>
206)     
207)     <p>We avoided recommending Apache above, a) because many people might
208)     already be running it for a public web server on their computer, and b)
209)     because it's big
210)     and has lots of places where it might reveal your IP address or other
211)     identifying information, for example in 404 pages. For people who need
212)     more functionality, though, Apache may be the right answer. Can
213)     somebody make us a checklist of ways to lock down your Apache when you're
214)     using it as a hidden service? Savant probably has these problems too.
215)     </p>
216)     
217)     <p>If you want to forward multiple virtual ports for a single hidden
218)     service, just add more <var>HiddenServicePort</var> lines.
219)     If you want to run multiple hidden services from the same Tor
220)     client, just add another <var>HiddenServiceDir</var> line. All the following
221)     <var>HiddenServicePort</var> lines refer to this <var>HiddenServiceDir</var> line, until
222)     you add another <var>HiddenServiceDir</var> line:
223)     </p>
224)     
225)     <pre>
226)     HiddenServiceDir /usr/local/etc/tor/hidden_service/
227)     HiddenServicePort 80 127.0.0.1:8080
228)     
229)     HiddenServiceDir /usr/local/etc/tor/other_hidden_service/
230)     HiddenServicePort 6667 127.0.0.1:6667
231)     HiddenServicePort 22 127.0.0.1:22
232)     </pre>
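An added example (not Tor's own parser): it groups HiddenServicePort lines under the preceding HiddenServiceDir as described above and flags any target that is not a loopback address. The sample torrc is constructed from the block above with one LAN target added on purpose; only the `addr:port` target form shown on this page is handled.

```python
import ipaddress

# Constructed sample torrc: the two services from the page, plus one
# deliberately wrong target (a LAN address) added for the demonstration.
SAMPLE_TORRC = """\
# comment lines and blank lines are ignored
HiddenServiceDir /usr/local/etc/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080

HiddenServiceDir /usr/local/etc/tor/other_hidden_service/
HiddenServicePort 6667 127.0.0.1:6667
HiddenServicePort 22 192.168.1.10:22
"""


def parse_hidden_services(text):
    """Group HiddenServicePort lines under the preceding HiddenServiceDir."""
    services = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()  # drop comments, split on spaces
        if not parts:
            continue
        key = parts[0].lower()  # compare option names without regard to case
        if key == "hiddenservicedir" and len(parts) >= 2:
            services.append({"dir": " ".join(parts[1:]), "ports": []})
        elif key == "hiddenserviceport" and len(parts) == 3:
            if not services:
                raise ValueError(
                    f"line {lineno}: HiddenServicePort before any HiddenServiceDir")
            addr, _, port = parts[2].rpartition(":")
            services[-1]["ports"].append((int(parts[1]), addr, int(port)))
    return services


def non_loopback_targets(services):
    """Return (dir, virtual_port, target) for targets not bound to loopback."""
    findings = []
    for svc in services:
        for virt, addr, port in svc["ports"]:
            if not ipaddress.ip_address(addr).is_loopback:
                findings.append((svc["dir"], virt, f"{addr}:{port}"))
    return findings


if __name__ == "__main__":
    for finding in non_loopback_targets(parse_hidden_services(SAMPLE_TORRC)):
        print("target is not loopback:", finding)
```
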
233)     
234)     <p>There are some anonymity issues you should keep in mind too:
235)     </p>
236)     <ul>
237)     <li>As mentioned above, be careful of letting your web server reveal
238)     identifying information about you, your computer, or your location.
239)     For example, readers can probably determine whether it's thttpd or
240)     Apache, and learn something about your operating system.</li>
241)     <li>If your computer isn't online all the time, your hidden service
242)     won't be either. This leaks information to an observant adversary.</li>
243)     <!-- increased risks over time -->
244)     </ul>
245)     
246)     <hr>