## translation metadata
# Revision: $Revision$
# Translation-Priority: 3-low

#include "head.wmi" TITLE="Tor Project: Hidden Service Configuration Instructions" CHARSET="UTF-8"
<div id="content" class="clearfix">
  <div id="breadcrumbs">
    <a href="<page index>">Home &raquo; </a>
    <a href="<page docs/documentation>">Documentation &raquo; </a>
    <a href="<page docs/tor-hidden-service>">Tor Hidden Service</a>
  </div>
  <div id="maincol">
    <h1>Configuring Hidden Services for <a href="<page index>">Tor</a></h1>
    <hr>

    <p>Tor allows clients and relays to offer hidden services. That is,
    you can offer a web server, SSH server, etc., without revealing your
    IP address to its users. In fact, because you don't use any public address,
    you can run a hidden service from behind your firewall.
    </p>

    <p>If you have Tor installed, you can see hidden services in action
    by visiting this <a href="http://duskgytldkxiuqc6.onion/">sample
    site</a>.
    </p>

    <p>
    This page describes the steps for setting up your own hidden service
    website. For the technical details of how the hidden service protocol
    works, see our <a href="<page docs/hidden-services>">hidden service
    protocol</a> page.
    </p>

    <hr>
    <a id="zero"></a>
    <h2><a class="anchor" href="#zero">Step Zero: Get Tor working</a></h2>
    <br>

    <p>Before you start, you need to make sure:</p>
    <ol>
    <li>Tor is up and running,</li>
    <li>You actually set it up correctly.</li>
    </ol>

    <p>Windows users should follow the <a
    href="<page docs/tor-doc-windows>">Windows
    howto</a>, OS X users should follow the <a
    href="<page docs/tor-doc-osx>">OS
    X howto</a>, and Linux/BSD/Unix users should follow the <a
    href="<page docs/tor-doc-unix>">Unix howto</a>.
    </p>

    <hr>
    <a id="one"></a>
    <h2><a class="anchor" href="#one">Step One: Install a web server locally</a></h2>
    <br>

    <p>
    First, you need to set up a web server locally. Setting up a web
    server can be complex. We're not going to cover how to setup a web
    server here. If you get stuck or want to do more, find a friend who
    can help you. We recommend you install a new separate web server for
    your hidden service, since even if you already have one installed,
    you may be using it (or want to use it later) for a normal website.
    </p>

    <p>
    You need to configure your web server so it doesn't give away any
    information about you, your computer, or your location. Be sure to
    bind the web server only to localhost (if people could get to it
    directly, they could confirm that your computer is the one offering
    the hidden service). Be sure that its error messages don't list
    your hostname or other hints. Consider putting the web server in a
    sandbox or VM to limit the damage from code vulnerabilities.
    </p>

    <p>
    Once your web server is set up, make
    sure it works: open your browser and go to <a
    href="http://localhost:8080/">http://localhost:8080/</a>, where
    8080 is the webserver port you chose during setup (you can choose any
    port, 8080 is just an example). Then try putting a file in the main
    html directory, and make sure it shows up when you access the site.
    </p>

    <hr>
    <a id="two"></a>
    <h2><a class="anchor" href="#two">Step Two: Configure your hidden service</a></h2>
    <br>

    <p>Next, you need to configure your hidden service to point to your
    local web server.
    </p>

    <p>First, open your torrc file in your favorite text editor. (See
    <a href="<page docs/faq>#torrc">the torrc FAQ entry</a> to learn
    what this means.) Go to the middle section and look for the line</p>

    <pre>
    \############### This section is just for location-hidden services ###
    </pre>

    <p>
    This section of the file consists of groups of lines, each representing
    one hidden service. Right now they are all commented out (the lines
    start with #), so hidden services are disabled. Each group of lines
    consists of one <var>HiddenServiceDir</var> line, and one or more
    <var>HiddenServicePort</var> lines:</p>
    <ul>
    <li><var>HiddenServiceDir</var> is a directory where Tor will store information
    about that hidden service.  In particular, Tor will create a file here named
    <var>hostname</var> which will tell you the onion URL.  You don't need to
    add any files to this directory. Make sure this is not the same directory
    as the hidserv directory you created when setting up thttpd, as your
    HiddenServiceDir contains secret information!</li>
    <li><var>HiddenServicePort</var> lets you specify a virtual port (that is, what
    port people accessing the hidden service will think they're using) and an
    IP address and port for redirecting connections to this virtual port.</li>
    </ul>

    <p>Add the following lines to your torrc:
    </p>

    <pre>
    HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/
    HiddenServicePort 80 127.0.0.1:8080
    </pre>

    <p>You're going to want to change the <var>HiddenServiceDir</var> line, so it points
    to an actual directory that is readable/writeable by the user that will
    be running Tor. The above line should work if you're using the OS X Tor
    package. On Unix, try "/home/username/hidden_service/" and fill in your own
    username in place of "username". On Windows you might pick:</p>
    <pre>
    HiddenServiceDir C:\Users\username\Documents\tor\hidden_service
    HiddenServicePort 80 127.0.0.1:8080
    </pre>

    <p>Now save the torrc and restart your tor.</p>

    <p>If Tor starts up again, great. Otherwise, something is wrong. First look at
    your logfiles for hints. It will print some warnings or error messages. That
    should give you an idea what went wrong. Typically there are typos in the torrc
    or wrong directory permissions (See <a href="<page docs/faq>#Logs">the
    logging FAQ entry</a> if you don't know how to enable or find your
    log file.)
    </p>

    <p>When Tor starts, it will automatically create the <var>HiddenServiceDir</var>
    that you specified (if necessary), and it will create two files there.</p>

    <dl>
    <dt><var>private_key</var></dt>
    <dd>First, Tor will generate a new public/private keypair for your hidden
    service. It is written into a file called "private_key". Don't share this key
    with others -- if you do they will be able to impersonate your hidden
    service.</dd>
    <dt><var>hostname</var></dt>
    <dd>The other file Tor will create is called "hostname". This contains
    a short summary of your public key -- it will look something like
    <tt>duskgytldkxiuqc6.onion</tt>. This is the public name for your service,
    and you can tell it to people, publish it on websites, put it on business
    cards, etc.</dd>
    </dl>

    <p>If Tor runs as a different user than you, for example on
    OS X, Debian, or Red Hat, then you may need to become root to be able
    to view these files.</p>

    <p>Now that you've restarted Tor, it is busy picking introduction points
    in the Tor network, and generating a <em>hidden service
    descriptor</em>. This is a signed list of introduction points along with
    the service's full public key. It anonymously publishes this descriptor
    to the directory servers, and other people anonymously fetch it from the
    directory servers when they're trying to access your service.
    </p>

    <p>Try it now: paste the contents of the hostname file into your web
    browser. If it works, you'll get the html page you set up in step one.
    If it doesn't work, look in your logs for some hints, and keep playing
    with it until it works.
    </p>

    <hr>
    <a id="three"></a>
    <h2><a class="anchor" href="#three">Step Three: More advanced tips</a></h2>
    <br>

    <p>If you plan to keep your service available for a long time, you might
    want to make a backup copy of the <var>private_key</var> file somewhere.
    </p>

    <p>If you want to forward multiple virtual ports for a single hidden
    service, just add more <var>HiddenServicePort</var> lines.
    If you want to run multiple hidden services from the same Tor
    client, just add another <var>HiddenServiceDir</var> line. All the following
    <var>HiddenServicePort</var> lines refer to this <var>HiddenServiceDir</var> line, until
    you add another <var>HiddenServiceDir</var> line:
    </p>

    <pre>
    HiddenServiceDir /usr/local/etc/tor/hidden_service/
    HiddenServicePort 80 127.0.0.1:8080

    HiddenServiceDir /usr/local/etc/tor/other_hidden_service/
    HiddenServicePort 6667 127.0.0.1:6667
    HiddenServicePort 22 127.0.0.1:22
    </pre>

    <p>There are some anonymity issues you should keep in mind too:
    </p>
    <ul>
    <li>As mentioned above, be careful of letting your web server reveal
    identifying information about you, your computer, or your location.
    For example, readers can probably determine whether it's thttpd or
    Apache, and learn something about your operating system.</li>
    <li>If your computer isn't online all the time, your hidden service
    won't be either. This leaks information to an observant adversary.</li>
    <li>It is generally a better idea to host hidden services on a Tor client
    rather than a Tor relay, since relay uptime and other properties are
    publicly visible.</li>
    <li>The longer a hidden is online, the higher the risk that its
    location is discovered. The most prominent attacks are building a
    profile of the hidden service's availability and matching induced
    traffic patterns.</li>
    </ul>

    <p>Another common issue is whether to use HTTPS on your relay or
    not. Have a look at this <a
    href="https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs">post</a>
    on the Tor Blog to learn more about these issues.
    </p>
  </div>
  <!-- END MAINCOL -->
  <div id = "sidecol">
#include "side.wmi"
#include "info.wmi"
  </div>
  <!-- END SIDECOL -->
</div>
<!-- END CONTENT -->
#include <foot.wmi>