Static Website as Tor Hidden Service on Raspberry Pi
Goal: To run a static website and serve it as an onion site. This HOWTO does not cover RPi installation, it assumes you already have a minimal setup up and running. The choice to have a static site is for sake of simplicity, it could be expanded of course, but the risks of leaking information about the host will increase.
Local HTTP server
as root
:
- Install nginx on the RPi
apt install nginx
- In the browser from another computer on the network, check that you the default HTML page is properly served at: http://192.168.1.XXX (you should see a small "Welcome to nginx!" text).
- create a non-default mini static website:
mkdir /var/www/partyvan echo "OHAI" > /var/www/partyvan/index.html
- disable nginx default site
rm /etc/nginx/sites-enabled/default
- create new nginx site config
/etc/nginx/sites-available/partyvan
with:
server { listen 80; root /var/www/partyvan; index index.html; server_name partyvan; # Replace with onion address once you have one }
- Enable site
ln -s /etc/nginx/sites-available/partyvan /etc/nginx/sites-enabled/ service nginx reload
- In the browser from another computer on the network, check that you the default HTML page is properly served: http://192.168.1.XXX (you should see a small "OHAI" text).
Tor setup
Note: This is only valid for RPi2 and later.
- Add the Tor deb repos to
/etc/apt/sources.list
. At time of writing, stable Raspbian is based on Buster:
deb https://deb.torproject.org/torproject.org buster main deb-src https://deb.torproject.org/torproject.org buster main
- Add the GPG keys used to sign the packages from the Tor repos:
curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
- Install Tor
apt install tor deb.torproject.org-keyring
- Edit
/etc/tor/torrc/
and in the section about hidden services, add:
# Partyvan site HiddenServiceDir /var/lib/tor/partyvan/ HiddenServicePort 80 127.0.0.1:80
- Restart Tor, this will generate the keys for the partyvan hidden service
service tor restart
- If everything went well, there should be a
/var/lib/tor/partyvan/
folder with notably both public and private keys for the service (backup!) and the hostname information to reach the hidden service from onionland. To know the onion address of partyvan, simply do:
cat /var/lib/tor/partyvan/hostname
- You will get something like
c7phl5mrjy34...onion
, if you paste this address in your Tor browser, torified browser or whatever you use, you should see the partyvan site!
Further tweaking
Certificates
Certs are not needed for a hidden service like this one. You already get encrypted traffic via Tor itself. With that said, certs could be used as a means to authenticate the ownership over the hidden service, to prevent phishing. Legit certs who can be used in this context are very $$$ and avail from DigiCert.
Disable NGINX version signature
Don't let NGINX emit its version on error pages and in the “Server” response header field, uncomment the following in /etc/nginx/nginx.conf
server_tokens off;
Disable directory listing
Don't trust defaults, add this to your /etc/nginx/sites-available/partyvan
in the server
block:
location / { autoindex off; }
Onion only serving
Don't serve HTTP on the clearnet, force NGINX to serve only on localhost. In /etc/nginx/sites-available/partyvan
, replace listen 80;
with listen 127.0.0.1:80;
.
Onionscan
There's a tool (untested at time of writing) that tests an onion address against know hidden service gotchas. It does not seem to be actively maintained, but it's possible to find more active forks like this one.