new file mode 100644

@@ -0,0 +1,258 @@

+## translation metadata

+# Revision: $Revision$

+# Translation-Priority: 3-low

+

+#include "head.wmi" TITLE="Tor Project: Onion Service Configuration Instructions" CHARSET="UTF-8"

+<div id="content" class="clearfix">

+  <div id="breadcrumbs">

+    <a href="<page index>">Home &raquo; </a>

+    <a href="<page docs/documentation>">Documentation &raquo; </a>

+    <a href="<page docs/tor-onion-service>">Tor Onion Service</a>

+  </div>

+  <div id="maincol">

+    <h1>Configuring Onion Services for <a href="<page index>">Tor</a></h1>

+    <hr>

+

+    <p>Tor allows clients and relays to offer onion services. That is,

+    you can offer a web server, SSH server, etc., without revealing your

+    IP address to its users. In fact, because you don't use any public address,

+    you can run an onion service from behind your firewall.

+    </p>

+

+    <p>If you have Tor installed, you can see onion services in action

+    by visiting this <a href="http://duskgytldkxiuqc6.onion/">sample

+    site</a>.

+    </p>

+

+    <p>

+    This page describes the steps for setting up your own onion service

+    website. For the technical details of how the onion service protocol

+    works, see our <a href="<page docs/onion-services>">onion service

+    protocol</a> page.

+    </p>

+

+    <hr>

+    <a id="zero"></a>

+    <h2><a class="anchor" href="#zero">Step Zero: Get Tor working</a></h2>

+    <br>

+

+    <p>Before you start, you need to make sure:</p>

+    <ol>

+    <li>Tor is up and running,</li>

+    <li>You actually set it up correctly.</li>

+    </ol>

+

+    <p>Windows users should follow the <a

+    href="<page docs/tor-doc-windows>">Windows

+    howto</a>, OS X users should follow the <a

+    href="<page docs/tor-doc-osx>">OS

+    X howto</a>, and Linux/BSD/Unix users should follow the <a

+    href="<page docs/tor-doc-unix>">Unix howto</a>.

+    </p>

+

+    <hr>

+    <a id="one"></a>

+    <h2><a class="anchor" href="#one">Step One: Install a web server locally</a></h2>

+    <br>

+

+    <p>

+    First, you need to set up a web server locally. Setting up a web

+    server can be complex. We're not going to cover how to set up a web

+    server here. If you get stuck or want to do more, find a friend who

+    can help you. We recommend you install a new separate web server for

+    your onion service, since even if you already have one installed,

+    you may be using it (or want to use it later) for a normal website.

+    </p>

+

+    <p>

+    You need to configure your web server so it doesn't give away any

+    information about you, your computer, or your location. Be sure to

+    bind the web server only to localhost (if people could get to it

+    directly, they could confirm that your computer is the one offering

+    the onion service). Be sure that its error messages don't list

+    your hostname or other hints. Consider putting the web server in a

+    sandbox or VM to limit the damage from code vulnerabilities.

+    </p>

+

+    <p>

+    Once your web server is set up, make

+    sure it works: open your browser and go to <a

+    href="http://localhost:8080/">http://localhost:8080/</a>, where

+    8080 is the webserver port you chose during setup (you can choose any

+    port, 8080 is just an example). Then try putting a file in the main

+    html directory, and make sure it shows up when you access the site.

+    </p>

+

+    <hr>

+    <a id="two"></a>

+    <h2><a class="anchor" href="#two">Step Two: Configure your onion service</a></h2>

+    <br>

+

+    <p>Next, you need to configure your onion service to point to your

+    local web server.

+    </p>

+

+    <p>First, open your torrc file in your favorite text editor. (See

+    <a href="<page docs/faq>#torrc">the torrc FAQ entry</a> to learn

+    what this means.) Go to the middle section and look for the line</p>

+

+    <pre>

+    \############### This section is just for location-hidden services ###

+    </pre>

+

+    <p>

+    This section of the file consists of groups of lines, each representing

+    one onion service. Right now they are all commented out (the lines

+    start with #), so onion services are disabled. Each group of lines

+    consists of one <var>HiddenServiceDir</var> line, and one or more

+    <var>HiddenServicePort</var> lines:</p>

+    <ul>

+	<li><var>HiddenServiceDir</var> is a directory where Tor will store

+	information about that onion service.  In particular, Tor will create a

+	file here named <var>hostname</var> which will tell you the onion URL.  You

+	don't need to add any files to this directory. Make sure this is not the

+	same directory as the hidserv directory you created when setting up thttpd,

+	as your HiddenServiceDir contains secret information!</li>

+	<li><var>HiddenServicePort</var> lets you specify a virtual port (that is,

+	what port people accessing the onion service will think they're using) and

+	an IP address and port for redirecting connections to this virtual

+	port.</li> </ul>

+

+    <p>Add the following lines to your torrc:

+    </p>

+

+    <pre>

+    HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/

+    HiddenServicePort 80 127.0.0.1:8080

+    </pre>

+

+	<p>You're going to want to change the <var>HiddenServiceDir</var> line, so

+	it points to an actual directory that is readable/writeable by the user

+	that will be running Tor. The above line should work if you're using the OS

+	X Tor package. On Unix, try "/home/username/hidden_service/" and fill in

+	your own username in place of "username". On Windows you might pick:</p>

+	<pre> HiddenServiceDir C:\Users\username\Documents\tor\hidden_service

+	HiddenServicePort 80 127.0.0.1:8080 </pre>

+

+    <p>Note that since 0.2.6, both <var>SocksPort</var> and <var>HiddenServicePort</var> support Unix sockets. 

+    This means that you can point the <var>HiddenServicePort</var> to a Unix socket:</p>

+    <pre>

+    HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/

+    HiddenServicePort 80 unix:/path/to/socket

+    </pre>

+

+    <p>Now save the torrc and restart your tor.</p>

+

+	<p>If Tor starts up again, great. Otherwise, something is wrong. First look

+	at your logfiles for hints. It will print some warnings or error messages.

+	That should give you an idea what went wrong. Typically there are typos in

+	the torrc or wrong directory permissions (See <a href="<page

+	docs/faq>#Logs">the logging FAQ entry</a> if you don't know how to enable

+	or find your log file.) </p>

+

+	<p>When Tor starts, it will automatically create the

+	<var>HiddenServiceDir</var> that you specified (if necessary), and it will

+	create two files there.</p>

+

+    <dl>

+    <dt><var>private_key</var></dt>

+    <dd>First, Tor will generate a new public/private keypair for your onion

+    service. It is written into a file called "private_key". Don't share this key

+    with others -- if you do they will be able to impersonate your onion

+    service.</dd>

+    <dt><var>hostname</var></dt>

+    <dd>The other file Tor will create is called "hostname". This contains

+    a short summary of your public key -- it will look something like

+    <tt>duskgytldkxiuqc6.onion</tt>. This is the public name for your service,

+    and you can tell it to people, publish it on websites, put it on business

+    cards, etc.</dd>

+    </dl>

+

+    <p>If Tor runs as a different user than you, for example on

+    OS X, Debian, or Red Hat, then you may need to become root to be able

+    to view these files.</p>

+

+    <p>Now that you've restarted Tor, it is busy picking introduction points

+    in the Tor network, and generating an <em>onion service

+    descriptor</em>. This is a signed list of introduction points along with

+    the service's full public key. It anonymously publishes this descriptor

+    to the directory servers, and other people anonymously fetch it from the

+    directory servers when they're trying to access your service.

+    </p>

+

+    <p>Try it now: paste the contents of the hostname file into your web

+    browser. If it works, you'll get the html page you set up in step one.

+    If it doesn't work, look in your logs for some hints, and keep playing

+    with it until it works.

+    </p>

+

+    <hr>

+    <a id="three"></a>

+    <h2><a class="anchor" href="#three">Step Three: More advanced tips</a></h2>

+    <br>

+

+    <p>If you plan to keep your service available for a long time, you might

+    want to make a backup copy of the <var>private_key</var> file somewhere.

+    </p>

+

+    <p>If you want to forward multiple virtual ports for a single onion

+    service, just add more <var>HiddenServicePort</var> lines.

+    If you want to run multiple onion services from the same Tor

+    client, just add another <var>HiddenServiceDir</var> line. All the following

+    <var>HiddenServicePort</var> lines refer to this <var>HiddenServiceDir</var> line, until

+    you add another <var>HiddenServiceDir</var> line:

+    </p>

+

+    <pre>

+    HiddenServiceDir /usr/local/etc/tor/hidden_service/

+    HiddenServicePort 80 127.0.0.1:8080

+

+    HiddenServiceDir /usr/local/etc/tor/other_hidden_service/

+    HiddenServicePort 6667 127.0.0.1:6667

+    HiddenServicePort 22 127.0.0.1:22

+    </pre>

+

+    <p>Onion services operators need to practice proper operational security

+    and system administration to maintain security. For some security

+    suggestions please make sure you read over Riseup's <a

+	href="https://help.riseup.net/en/security/network-security/tor/onionservices-best-practices">"Tor

+	Hidden (Onion) Services Best Practices" document</a>. Also, here are some

+	more anonymity issues you should keep in mind:

+

+    </p>

+    <ul>

+    <li>As mentioned above, be careful of letting your web server reveal

+    identifying information about you, your computer, or your location.

+    For example, readers can probably determine whether it's thttpd or

+    Apache, and learn something about your operating system.</li>

+    <li>If your computer isn't online all the time, your onion service

+    won't be either. This leaks information to an observant adversary.</li>

+    <li>It is generally a better idea to host onion services on a Tor client

+    rather than a Tor relay, since relay uptime and other properties are

+    publicly visible.</li>

+    <li>The longer an onion service is online, the higher the risk that its

+    location is discovered. The most prominent attacks are building a

+    profile of the onion service's availability and matching induced

+    traffic patterns.</li>

+    </ul>

+

+    <p>Another common issue is whether to use HTTPS on your relay or

+    not. Have a look at this <a

+    href="https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs">post</a> on the Tor Blog to learn more about these issues.

+    </p>

+

+    <p>Finally, feel free to use the <a

+    href="https://lists.torproject.org/pipermail/tor-onions/">[tor-onions]

+    mailing list</a> to discuss the secure administration and operation of

+    Tor onion services.</p>

+

+  </div>

+  <!-- END MAINCOL -->

+  <div id = "sidecol">

+#include "side.wmi"

+#include "info.wmi"

+  </div>

+  <!-- END SIDECOL -->

+</div>

+<!-- END CONTENT -->

+#include <foot.wmi>