tor-webwml.git

@@ -0,0 +1,276 @@

+## translation metadata

+# Revision: $Revision$

+

+#include "head.wmi" TITLE="Tor Hidden Service Configuration Instructions"

+

+<div class="center">

+

+<div class="main-column">

+

+<h1>Configuring Hidden Services for <a href="<page index>">Tor</a></h1>

+<hr />

+

+<p>Tor allows clients and servers to offer hidden services. That is,

+you can offer a web server, SSH server, etc., without revealing your

+IP to its users. In fact, because you don't use any public address,

+you can run a hidden service from behind your firewall.

+</p>

+

+<p>If you have Tor and Privoxy installed, you can see hidden services

+in action by visiting <a href="http://6sxoyfb3h2nvok2d.onion/">the

+hidden wiki</a>.

+</p>

+

+<p>This howto describes the steps for setting up your own hidden service

+website.

+</p>

+

+<hr />

+<a id="zero"></a>

+<h2><a class="anchor" href="#zero">Step Zero: Get Tor and Privoxy working</a></h2>

+<br />

+

+<p>Before you start, you need to make sure 1) Tor is up and running,

+2) Privoxy is up and running, 3) Privoxy is configured to point

+to Tor, and 4) You actually set it up correctly.</p>

+

+<p>Windows users should follow the <a

+href="<page docs/tor-doc-win32>">Windows

+howto</a>, OS X users should follow the <a

+href="<page docs/tor-doc-osx>">OS

+X howto</a>, and Linux/BSD/Unix users should follow the <a

+href="<page docs/tor-doc-unix>">Unix howto</a>.

+</p>

+

+<p>Once you've got Tor and Privoxy installed and configured,

+you can see hidden services in action by following this link to <a

+href="http://6sxoyfb3h2nvok2d.onion/">the hidden wiki</a>.

+It will typically take 10-60 seconds to load

+(or to decide that it is currently unreachable). If it fails

+immediately and your browser pops up an alert saying that

+"www.6sxoyfb3h2nvok2d.onion could not be found, please check the name and

+try again" then you haven't configured Tor and Privoxy correctly; see <a

+href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ItDoesntWork">this

+FAQ entry</a> for some help.

+</p>

+

+<hr />

+<a id="one"></a>

+<h2><a class="anchor" href="#one">Step One: Configure an example hidden service</a></h2>

+<br />

+

+<p>In this step, you're going to configure a hidden service that points

+to www.google.com. This way we can make sure you have this step

+working before we start thinking about setting up a web server locally.

+</p>

+

+<p>First, open your torrc file in your favorite text editor. (See <a

+href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#torrc">this

+FAQ entry</a> to learn what this means.) Go to the middle section and

+look for the line</p>

+

+<pre>

+############### This section is just for location-hidden services ###

+</pre>

+

+<p>

+This section of the file consists of groups of lines, each representing

+one hidden service. Right now they are all commented out (the lines

+start with #), so hidden services are disabled. Each group of lines

+consists of one HiddenServiceDir line, and one or more HiddenServicePort

+lines:</p>

+<ul>

+<li><b>HiddenServiceDir</b> is a directory where Tor will store information

+about that hidden service.  In particular, Tor will create a file here named

+<i>hostname</i> which will tell you the onion URL.  You don't need to add any

+files to this directory.</li>

+<li><b>HiddenServicePort</b> lets you specify a virtual port (that is, what

+port people accessing the hidden service will think they're using) and an

+IP address and port for redirecting connections to this virtual port.</li>

+</ul>

+

+<p>In this example, we're going to set up a hidden service that points to

+Google. So add the following lines to your torrc:

+</p>

+

+<pre>

+HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/

+HiddenServicePort 80 www.google.com:80

+</pre>

+

+<p>You're going to want to change the HiddenServiceDir line, so it points

+to an actual directory that is readable/writeable by the user that will

+be running Tor. The above line should work if you're using the OS X Tor

+package. On Unix, try "/home/username/hidserv/" and fill in your own

+username in place of "username". On Windows you might pick:</p>

+<pre>

+HiddenServiceDir C:\Documents and Settings\username\Application Data\hidden_service\

+HiddenServicePort 80 www.google.com:80

+</pre>

+

+<p>Now save the torrc, shut down

+your Tor, and then start it again.  (See <a

+href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#Restarting">this

+FAQ entry</a> for tips on restarting Tor.)

+</p>

+

+<p>If Tor starts up again, great. Otherwise, something is wrong. Look

+at your torrc for obvious mistakes like typos. Then double-check

+that the directory you picked is writeable by you. If it's still

+not working, you should look at the Tor logs for hints. (See <a

+href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#Logs">this

+FAQ entry</a> if you don't know how to enable or find your log file.)

+</p>

+

+<p>When Tor starts, it will automatically create the HiddenServiceDir

+that you specified (if necessary), and it will create two files there.

+First, it will generate a new

+public/private keypair for your hidden service, and write it into a

+file called "private_key". Don't share this key with others -- if you

+do they will be able to impersonate your hidden service.

+</p>

+

+<p>The other file it will create is called "hostname". This contains

+a short summary of your public key -- it will look something like

+<tt>6sxoyfb3h2nvok2d.onion</tt>. This is the public name for your service,

+and you can tell it to people, publish it on websites, put it on business

+cards, etc. (If Tor runs as a different user than you, for example on

+OS X, Debian, or Red Hat, then you may need to become root to be able

+to view these files.)

+</p>

+

+<p>Now that you've restarted Tor, it is busy picking introduction points

+in the Tor network, and generating what's called a "hidden service

+descriptor", which is a signed list of introduction points along with

+the service's full public key. It anonymously publishes this descriptor

+to the directory servers, and other people anonymously fetch it from the

+directory servers when they're trying to access your service.

+</p>

+

+<p>Try it now: paste the contents of the hostname file into your web

+browser. If it works, you'll get the google frontpage, but the URL in your

+browser's window will be your hidden service hostname. If it doesn't work,

+look in your logs for some hints, and keep playing with it until it works.

+</p>

+

+<hr />

+<a id="two"></a>

+<h2><a class="anchor" href="#two">Step Two: Now install a web server locally</a></h2>

+<br />

+

+<p>Now that you have hidden services working on Tor, you need to

+set up your web server locally. Setting up a web server is tricky,

+so we're just going to go over a few basics here. If you get stuck

+or want to do more, find a friend who can help you. We recommend you

+install a new separate web server for your hidden service, since even

+if you already have one installed, you may be using it (or want to use

+it later) for an actual website.

+</p>

+

+<p>If you're on Unix or OS X and you're comfortable with

+the command-line, by far the best way to go is to install <a

+href="http://www.acme.com/software/thttpd/">thttpd</a>. Just grab the

+latest tarball, untar it (it will create its own directory), and run

+./configure && make. Then mkdir hidserv, cd hidserv, and run

+"../thttpd -p 5222 -h localhost". It will give you back your prompt,

+and now you're running a webserver on port 5222. You can put files to

+serve in the hidserv directory.

+</p>

+

+<p>If you're on Windows, ...what should we suggest here? Is there

+a good simple <a href="http://www.fsf.org/">free software</a> (not

+just "freeware") web server for Windows? Please

+let me know what we should say here. In the meantime,

+check out <a href="http://httpd.apache.org/">apache</a>,

+and be sure to

+configure it to bind only to localhost. You should also figure out

+what port you're listening on, because you'll use it below.

+</p>

+

+<p>(The reason we bind the web server only to localhost is to make

+sure it isn't publically accessible. If people could get to it directly,

+they could confirm that your computer is the one offering the hidden

+service.)

+</p>

+

+<p>Once you've got your web server set up, make sure it works: open your

+browser and go to <a

+href="http://localhost:5222/">http://localhost:5222/</a>. Then

+try putting a file

+in the main html directory, and make sure it shows up when you access

+the site.

+</p>

+

+<hr />

+<a id="three"></a>

+<h2><a class="anchor" href="#three">Step Three: Connect your web server to your hidden service</a></h2>

+<br />

+

+<p>This part is very simple. Open up your torrc again, and change the

+HiddenServicePort line from "www.google.com:80" to "localhost:5222".

+Then <a

+href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#Restarting">restart

+Tor</a>. Make sure that it's working by reloading your hidden

+service hostname in your browser.

+</p>

+

+<hr />

+<a id="four"></a>

+<h2><a class="anchor" href="#four">Step Four: More advanced tips</a></h2>

+<br />

+

+<p>If you plan to keep your service available for a long time, you might

+want to make a backup copy of the private_key file somewhere.

+</p>

+

+<p>We avoided recommending Apache above, a) because many people might

+already be running it for a public web server on their computer, and b)

+because it's big

+and has lots of places where it might reveal your IP address or other

+identifying information, for example in 404 pages. For people who need

+more functionality, though, Apache may be the right answer. Can

+somebody make us a checklist of ways to lock down your Apache when you're

+using it as a hidden service?

+</p>

+

+<p>If you want to forward multiple virtual ports for a single hidden

+service, just add more HiddenServicePort lines.

+If you want to run multiple hidden services from the same Tor

+client, just add another HiddenServiceDir line. All the following

+HiddenServicePort lines refer to this HiddenServiceDir line, until

+you add another HiddenServiceDir line:

+</p>

+

+<pre>

+HiddenServiceDir /usr/local/etc/tor/hidden_service/

+HiddenServicePort 80 127.0.0.1:8080

+

+HiddenServiceDir /usr/local/etc/tor/other_hidden_service/

+HiddenServicePort 6667 127.0.0.1:6667

+HiddenServicePort 22 127.0.0.1:22

+</pre>

+

+<p>There are some anonymity issues you should keep in mind too:

+</p>

+<ul>

+<li>As mentioned above, be careful of letting your web server reveal

+identifying information about you, your computer, or your location.

+For example, readers can probably determine whether it's thttpd or

+Apache, and learn something about your operating system.</li>

+<li>If your computer isn't online all the time, your hidden service

+won't be either. This leaks information to an observant adversary.</li>

+<!-- increased risks over time -->

+</ul>

+

+

+

+<hr />

+

+<p>If you have suggestions for improving this document, please <a

+href="/contact">send them to us</a>. Thanks!</p>

+

+  </div><!-- #main -->

+</div>

+

+#include <foot.wmi>

+