8508b2ca04bbea478ec3bd1eb0fd0f615b9a5f2e
Roger Dingledine whoops, i missed a whole do...

Roger Dingledine authored 18 years ago

1) ## translation metadata
2) # Revision: $Revision$
3) # Translation-Priority: 3-low
4) 
5) #include "head.wmi" TITLE="Tor: Hidden Service Configuration Instructions"
6) 
7) <div class="center">
8) 
9) <div class="main-column">
10) 
11) <h1>Configuring Hidden Services for <a href="<page index>">Tor</a></h1>
12) <hr />
13) 
14) <p>Tor allows clients and relays to offer hidden services. That is,
15) you can offer a web server, SSH server, etc., without revealing your
16) IP address to its users. In fact, because you don't use any public address,
17) you can run a hidden service from behind your firewall.
18) </p>
19) 
20) <p>If you have Tor and Privoxy installed, you can see hidden services
21) in action by visiting <a href="http://duskgytldkxiuqc6.onion/">our
22) example hidden service</a> or the <a
23) href="http://gaddbiwdftapglkq.onion/">Wikileaks hidden service</a>.
24) </p>
25) 
26) <p>This howto describes the steps for setting up your own hidden service
27) website. For the technical details of how the hidden service protocol
28) works, see our <a href="<page hidden-services>">hidden service protocol</a> page.
29) </p>
30) 
31) <hr />
32) <a id="zero"></a>
33) <h2><a class="anchor" href="#zero">Step Zero: Get Tor and Privoxy working</a></h2>
34) <br />
35) 
36) <p>Before you start, you need to make sure:</p>
37) <ol>
38) <li>Tor is up and running,</li>
39) <li>Privoxy is up and running,</li>
40) <li>Privoxy is configured to point to Tor and</li>
41) <li>You actually set it up correctly.</li>
42) </ol>
43) 
44) 
45) <p>Windows users should follow the <a
46) href="<page docs/tor-doc-windows>">Windows
47) howto</a>, OS X users should follow the <a
48) href="<page docs/tor-doc-osx>">OS
49) X howto</a>, and Linux/BSD/Unix users should follow the <a
50) href="<page docs/tor-doc-unix>">Unix howto</a>.
51) </p>
52) 
53) <p>Once you've got Tor and Privoxy installed and configured,
54) you can see hidden services in action by following this link to <a
55) href="http://duskgytldkxiuqc6.onion/">our example hidden service</a>
56) or the <a
57) href="http://gaddbiwdftapglkq.onion/">Wikileaks hidden service</a>.
58) It will typically take 10-60 seconds to load
59) (or to decide that it is currently unreachable). If it fails
60) immediately and your browser pops up an alert saying that
61) "www.duskgytldkxiuqc6.onion could not be found, please check the name and
62) try again" then you haven't configured Tor and Privoxy correctly; see <a
63) href="https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#ItDoesntWork">the
64) it-doesn't-work FAQ entry</a> for some help.
65) </p>
66) 
67) <hr />
68) <a id="one"></a>
69) <h2><a class="anchor" href="#one">Step One: Install a web server locally</a></h2>
70) <br />
71) 
72) <p>First, you need to set up a web server locally. Setting up a web
73) server can be tricky,
74) so we're just going to go over a few basics here. If you get stuck
75) or want to do more, find a friend who can help you. We recommend you
76) install a new separate web server for your hidden service, since even
77) if you already have one installed, you may be using it (or want to use
78) it later) for an actual website.
79) </p>
80) 
81) <p>If you're on Unix or OS X and you're comfortable with
82) the command-line, by far the best way to go is to install <a
83) href="http://www.acme.com/software/thttpd/">thttpd</a>. Just grab the
84) latest tarball, untar it (it will create its own directory), and run
85) <kbd>./configure &amp;&amp; make</kbd>. Then <kbd>mkdir hidserv; cd
86) hidserv</kbd>, and run
87) <kbd>../thttpd -p 5222 -h localhost</kbd>. It will give you back your prompt,
88) and now you're running a webserver on port 5222. You can put files to
89) serve in the hidserv directory.
90) </p>
91) 
92) <p>If you're on Windows, you might pick <a
93) href="http://savant.sourceforge.net/">Savant</a> or <a
94) href="http://httpd.apache.org/">Apache</a>, and be sure to configure it
95) to bind only to localhost. You should also figure out what port you're
96) listening on, because you'll use it below.
97) </p>
98) 
99) <p>(The reason we bind the web server only to localhost is to make
100) sure it isn't publicly accessible. If people could get to it directly,
101) they could confirm that your computer is the one offering the hidden
102) service.)
103) </p>
104) 
105) <p>Once you've got your web server set up, make sure it works: open your
106) browser and go to <a
107) href="http://localhost:5222/">http://localhost:5222/</a>, where 5222 is
108) the port that you picked above. Then try putting a file in the main html
109) directory, and make sure it shows up when you access the site.
110) </p>
111) 
112) <hr />
113) <a id="two"></a>
114) <h2><a class="anchor" href="#two">Step Two: Configure your hidden service</a></h2>
115) <br />
116) 
117) <p>Next, you need to configure your hidden service to point to your
118) local web server.
119) </p>
120) 
121) <p>First, open your torrc file in your favorite text editor. (See <a
122) href="https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#torrc">the
123) torrc FAQ entry</a> to learn what this means.) Go to the middle section and
124) look for the line</p>
125) 
126) <pre>
127) \############### This section is just for location-hidden services ###
128) </pre>
129) 
130) <p>
131) This section of the file consists of groups of lines, each representing
132) one hidden service. Right now they are all commented out (the lines
133) start with #), so hidden services are disabled. Each group of lines
134) consists of one <var>HiddenServiceDir</var> line, and one or more
135) <var>HiddenServicePort</var> lines:</p>
136) <ul>
137) <li><var>HiddenServiceDir</var> is a directory where Tor will store information
138) about that hidden service.  In particular, Tor will create a file here named
139) <var>hostname</var> which will tell you the onion URL.  You don't need to add any
140) files to this directory.</li>
141) <li><var>HiddenServicePort</var> lets you specify a virtual port (that is, what
142) port people accessing the hidden service will think they're using) and an
143) IP address and port for redirecting connections to this virtual port.</li>
144) </ul>
145) 
146) <p>Add the following lines to your torrc:
147) </p>
148) 
149) <pre>
150) HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/
151) HiddenServicePort 80 127.0.0.1:5222
152) </pre>
153) 
154) <p>You're going to want to change the <var>HiddenServiceDir</var> line, so it points
155) to an actual directory that is readable/writeable by the user that will
156) be running Tor. The above line should work if you're using the OS X Tor
157) package. On Unix, try "/home/username/hidserv/" and fill in your own
158) username in place of "username". On Windows you might pick:</p>
159) <pre>
160) HiddenServiceDir C:\Documents and Settings\username\Application Data\hidden_service\\
161) HiddenServicePort 80 127.0.0.1:5222
162) </pre>
163) 
164) <p>Now save the torrc, shut down
165) your Tor, and then start it again.
166) </p>
167) 
168) <p>If Tor starts up again, great. Otherwise, something is wrong. First look at
169) your logfiles for hints. It will print some warnings or error messages. That
170) should give you an idea what went wrong. Typically there are typos in the torrc
171) or wrong directory permissions. (See <a
172) href="https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#Logs">the
173) logging FAQ entry</a> if you don't know how to enable or find your
174) log file.)
175) </p>
176) 
177) <p>When Tor starts, it will automatically create the <var>HiddenServiceDir</var>
178) that you specified (if necessary), and it will create two files there.</p>
179) 
180) <dl>
181) <dt><var>private_key</var></dt>
182) <dd>First, Tor will generate a new public/private keypair for your hidden
183) service. It is written into a file called "private_key". Don't share this key
184) with others -- if you do they will be able to impersonate your hidden
185) service.</dd>
186) <dt><var>hostname</var></dt>
187) <dd>The other file Tor will create is called "hostname". This contains
188) a short summary of your public key -- it will look something like
189) <tt>duskgytldkxiuqc6.onion</tt>. This is the public name for your service,
190) and you can tell it to people, publish it on websites, put it on business
191) cards, etc.</dd>
192) </dl>
193) 
194) <p>If Tor runs as a different user than you, for example on
195) OS X, Debian, or Red Hat, then you may need to become root to be able
196) to view these files.</p>
197) 
198) <p>Now that you've restarted Tor, it is busy picking introduction points
199) in the Tor network, and generating a <em>hidden service
200) descriptor</em>. This is a signed list of introduction points along with
201) the service's full public key. It anonymously publishes this descriptor
202) to the directory servers, and other people anonymously fetch it from the
203) directory servers when they're trying to access your service.
204) </p>
205) 
206) <p>Try it now: paste the contents of the hostname file into your web
207) browser. If it works, you'll get the html page you set up in step one.
208) If it doesn't work, look in your logs for some hints, and keep playing
209) with it until it works.
210) </p>
211) 
212) <hr />
213) <a id="three"></a>
214) <h2><a class="anchor" href="#three">Step Three: More advanced tips</a></h2>
215) <br />
216) 
217) <p>If you plan to keep your service available for a long time, you might
218) want to make a backup copy of the <var>private_key</var> file somewhere.
219) </p>
220) 
221) <p>We avoided recommending Apache above, a) because many people might
222) already be running it for a public web server on their computer, and b)
223) because it's big
224) and has lots of places where it might reveal your IP address or other
225) identifying information, for example in 404 pages. For people who need
226) more functionality, though, Apache may be the right answer. Can
227) somebody make us a checklist of ways to lock down your Apache when you're
228) using it as a hidden service? Savant probably has these problems too.
229) </p>
230) 
231) <p>If you want to forward multiple virtual ports for a single hidden
232) service, just add more <var>HiddenServicePort</var> lines.
233) If you want to run multiple hidden services from the same Tor
234) client, just add another <var>HiddenServiceDir</var> line. All the following
235) <var>HiddenServicePort</var> lines refer to this <var>HiddenServiceDir</var> line, until
236) you add another <var>HiddenServiceDir</var> line:
237) </p>
238) 
239) <pre>
240) HiddenServiceDir /usr/local/etc/tor/hidden_service/
241) HiddenServicePort 80 127.0.0.1:8080
242) 
243) HiddenServiceDir /usr/local/etc/tor/other_hidden_service/
244) HiddenServicePort 6667 127.0.0.1:6667
245) HiddenServicePort 22 127.0.0.1:22
246) </pre>
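
<p>Added example (not part of the original howto and not Tor's own code): a small Python checker for the grouping rule described above and for the bind-to-localhost advice from Step One. The function names and the sample torrc are constructed for illustration; it only looks at <var>HiddenServiceDir</var> and <var>HiddenServicePort</var> lines and assumes targets of the form port, addr:port or unix:path.</p>

```python
import ipaddress

# Constructed sample: the two-service layout shown above plus two mistakes
# (a port line before any HiddenServiceDir, and a non-loopback target).
SAMPLE_TORRC = """\
HiddenServicePort 8080 127.0.0.1:8080
HiddenServiceDir /usr/local/etc/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080

HiddenServiceDir /usr/local/etc/tor/other_hidden_service/
HiddenServicePort 6667 127.0.0.1:6667
HiddenServicePort 22 192.168.1.10:22
# HiddenServicePort 25 127.0.0.1:25
"""

def parse_hidden_services(torrc_text):
    """Group HiddenServicePort lines under the preceding HiddenServiceDir."""
    services, orphans = [], []
    for lineno, raw in enumerate(torrc_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()  # option names are case-insensitive
        if key == "hiddenservicedir":
            services.append({"dir": value, "ports": []})
        elif key == "hiddenserviceport" and value:
            fields = value.split()
            virt = int(fields[0])
            # With no target given, Tor maps to the same port on 127.0.0.1.
            target = fields[1] if len(fields) > 1 else f"127.0.0.1:{virt}"
            if services:
                services[-1]["ports"].append((virt, target))
            else:
                orphans.append((lineno, line))
    return services, orphans

def target_is_loopback(target):
    """True if the redirect target can only be a local listener."""
    if target.startswith("unix:") or target.isdigit():
        return True                              # Unix socket, or bare port on 127.0.0.1
    host, sep, port = target.rpartition(":")
    if not (sep and port.isdigit()):
        host = target                            # address given without a port
    host = host.strip("[]")                      # bracketed IPv6 literal
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                             # unknown hostname: flag it

def audit(torrc_text):
    services, orphans = parse_hidden_services(torrc_text)
    findings = [f"line {n}: '{l}' has no HiddenServiceDir before it" for n, l in orphans]
    for svc in services:
        for virt, target in svc["ports"]:
            if not target_is_loopback(target):
                findings.append(f"{svc['dir']}: virtual port {virt} -> {target} "
                                "is not loopback-only; the backend is reachable directly")
    return services, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_TORRC)[1]:
        print(finding)
```
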
247) 
248) <p>There are some anonymity issues you should keep in mind too:
249) </p>
250) <ul>
251) <li>As mentioned above, be careful of letting your web server reveal
252) identifying information about you, your computer, or your location.
253) For example, readers can probably determine whether it's thttpd or
254) Apache, and learn something about your operating system.</li>
255) <li>If your computer isn't online all the time, your hidden service
256) won't be either. This leaks information to an observant adversary.</li>
257) <!-- increased risks over time -->
258) </ul>
259) 
260) <hr />
261) 
262) <p>If you have suggestions for improving this document, please <a
263) href="<page contact>">send them to us</a>. Thanks!</p>