Static Website as Tor Hidden Service on Raspberry Pi

From Run Your Own
Latest revision as of 13:23, 8 March 2020

Goal: To run a static website and serve it as an onion site. This HOWTO does not cover RPi installation; it assumes you already have a minimal setup up and running. The choice of a static site is for the sake of simplicity. It could of course be expanded, but the risk of leaking information about the host increases with every dynamic component.

Local HTTP server

as root:

  • Install nginx on the RPi
apt install nginx
  • In the browser from another computer on the network, check that the default HTML page is properly served at: http://192.168.1.XXX (you should see a small "Welcome to nginx!" text).
  • create a non-default mini static website:
mkdir /var/www/partyvan
echo "OHAI" > /var/www/partyvan/index.html
  • disable nginx default site
rm /etc/nginx/sites-enabled/default
  • create new nginx site config /etc/nginx/sites-available/partyvan with:
server {
    listen 80;

    root /var/www/partyvan;
    index index.html;

    server_name partyvan;   # Replace with onion address once you have one
}
  • Enable site
ln -s /etc/nginx/sites-available/partyvan /etc/nginx/sites-enabled/
service nginx reload
  • In the browser from another computer on the network, check that the new page is properly served at: http://192.168.1.XXX (you should see a small "OHAI" text).

Tor setup

Note: This is only valid for RPi2 and later.

  • Add the Tor deb repos to /etc/apt/sources.list. At time of writing, stable Raspbian is based on Buster:
deb https://deb.torproject.org/torproject.org buster main
deb-src https://deb.torproject.org/torproject.org buster main
  • Add the GPG keys used to sign the packages from the Tor repos:
curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
  • Install Tor
apt install tor deb.torproject.org-keyring
  • Edit /etc/tor/torrc and in the section about hidden services, add:
# Partyvan site
HiddenServiceDir /var/lib/tor/partyvan/
HiddenServicePort 80 127.0.0.1:80
  • Restart Tor; this will generate the keys for the partyvan hidden service.
service tor restart
  • If everything went well, there should be a /var/lib/tor/partyvan/ folder containing, notably, both the public and private keys for the service (back them up!) and the hostname file used to reach the hidden service from onionland. To know the onion address of partyvan, simply do:
cat /var/lib/tor/partyvan/hostname
  • You will get something like c7phl5mrjy34...onion. If you paste this address into your Tor Browser, torified browser or whatever you use, you should see the partyvan site!

Further tweaking

Certificates

Certs are not needed for a hidden service like this one: you already get encrypted traffic via Tor itself. With that said, certs could be used as a means to authenticate ownership of the hidden service, to prevent phishing. Legitimate certs that can be used in this context are very expensive and available from DigiCert.

Disable NGINX version signature

Don't let NGINX emit its version on error pages and in the "Server" response header field. Uncomment the following in /etc/nginx/nginx.conf:

server_tokens off;

Disable directory listing

Don't trust defaults, add this to your /etc/nginx/sites-available/partyvan in the server block:

location / {
    autoindex off;
}

Onion only serving

Don't serve HTTP on the clearnet; force NGINX to listen only on localhost. In /etc/nginx/sites-available/partyvan, replace listen 80; with listen 127.0.0.1:80;. Tor still reaches the site because HiddenServicePort in torrc forwards to 127.0.0.1:80.
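The Tor setup and the tweaks above boil down to a handful of settings that fail silently when one is missed (a stray listen 80; still answers on the LAN, a commented-out server_tokens off does nothing). As an added example, not part of this wiki page, the following shell function audits copies of the torrc, the site config, nginx.conf and the hidden service directory against what this HOWTO ends up with; the function name and argument layout are my own.

```shell
# Added audit helper (not part of the original wiki page). Paths are given as
# arguments, so it can be run against copies of the files as well as /etc.
# Usage: audit_onion_setup TORRC SITE_CONF NGINX_CONF HS_DIR
# Returns 0 when every check passes, 1 otherwise, printing each failure.
audit_onion_setup() {
    torrc="$1"; site="$2"; nginxconf="$3"; hsdir="$4"; fails=0

    # 1. torrc: a HiddenServiceDir plus a HiddenServicePort that maps to loopback.
    grep -Eq '^[[:space:]]*HiddenServiceDir[[:space:]]+[^[:space:]]' "$torrc" \
        || { echo "FAIL: no HiddenServiceDir in $torrc"; fails=$((fails + 1)); }
    grep -Eq '^[[:space:]]*HiddenServicePort[[:space:]]+[0-9]+[[:space:]]+127\.0\.0\.1:[0-9]+' "$torrc" \
        || { echo "FAIL: HiddenServicePort in $torrc does not target 127.0.0.1"; fails=$((fails + 1)); }

    # 2. nginx site: every listen directive must bind 127.0.0.1. A bare
    #    "listen 80;" or "listen [::]:80;" also answers on the LAN / clearnet,
    #    and no listen at all means nginx defaults to all interfaces.
    listens=$(grep -E '^[[:space:]]*listen[[:space:]]' "$site" || true)
    if [ -z "$listens" ] || printf '%s\n' "$listens" | grep -Evq '127\.0\.0\.1:'; then
        echo "FAIL: $site has a listen directive not bound to 127.0.0.1"; fails=$((fails + 1))
    fi

    # 3. nginx.conf: server_tokens off must be present and not commented out.
    grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;' "$nginxconf" \
        || { echo "FAIL: server_tokens off missing or commented out in $nginxconf"; fails=$((fails + 1)); }

    # 4. nginx site: autoindex off so directory listings are never generated.
    grep -Eq '^[[:space:]]*autoindex[[:space:]]+off[[:space:]]*;' "$site" \
        || { echo "FAIL: autoindex off missing in $site"; fails=$((fails + 1)); }

    # 5. hidden service dir: the hostname file must look like an onion address,
    #    16 base32 chars (v2) or 56 (v3). Anything else means Tor never created
    #    the service or the wrong directory was given.
    hn=$(cat "$hsdir/hostname" 2>/dev/null || true)
    printf '%s\n' "$hn" | grep -Eq '^([a-z2-7]{16}|[a-z2-7]{56})\.onion$' \
        || { echo "FAIL: $hsdir/hostname missing or not an onion address"; fails=$((fails + 1)); }

    echo "$fails check(s) failed"
    [ "$fails" -eq 0 ]
}
```

Run it as root against the live files (audit_onion_setup /etc/tor/torrc /etc/nginx/sites-available/partyvan /etc/nginx/nginx.conf /var/lib/tor/partyvan) after every config change and before reloading nginx.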

Onionscan

There's a tool (untested at time of writing) that tests an onion address against known hidden service gotchas: https://github.com/gugronnier/onionscan/blob/master/doc/what-is-scanned-for.md. The original project does not seem to be actively maintained, but it's possible to find more active forks, like https://github.com/gugronnier/onionscan.