TOR

TOR services

Instructions to replicate an HTTP service both on clearnet and on TOR using apache as a webserver.

Interfaces

Id

Reference

License

1

https://wiki.archlinux.org/title/Network_configuration#IP_addresses

GNU Free Documentation License 1.3 or later 1

2

https://wiki.debian.org/NetworkConfiguration#Multiple_IP_addresses_on_one_Interface

unknown

Run as user

root

Create a new IP address for the wired interface on a different subnet. This is done for two reasons:

  • to be able to distinguish between TOR and localhost traffic. This way programs like Fail2ban will still be able to detect abuses and ban the TOR address if necessary.

    You will also know if people connect to your onion services.

  • to avoid exposing private information (if using 127.0.0.1 instead)

We will use 192.168.0.1 on the eth0 interface as the existing network address while 192.168.1.1 will be the listening address used by TOR services.

Important

Use an IP address of a subnet NOT used in your network setup to avoid interferences.

  1. create a new address on the fly

    ip address add 192.168.1.1/24 broadcast + dev eth0
    
  2. check

    ip a
    ping -c 1 192.168.1.1
    
  3. add the new address in the interfaces file

    /etc/network/interfaces
     1# interfaces(5) file used by ifup(8) and ifdown(8)
     2# Include files from /etc/network/interfaces.d:
     3source-directory /etc/network/interfaces.d
     4
     5
     6# We always want the loopback interface.
     7#
     8auto lo
     9iface lo inet loopback
    10
    11# To use dhcp:
    12#
    13# auto eth0
    14# iface eth0 inet dhcp
    15
    16# An example static IP setup: (broadcast and gateway are optional)
    17#
    18auto eth0
    19iface eth0 inet static
    20    address 192.168.0.1
    21    network 192.168.0.0
    22    netmask 255.255.255.0
    23    broadcast 192.168.0.255
    24    gateway 192.168.0.254
    25
    26auto eth0:0
    27    iface eth0:0 inet static
    28    address 192.168.1.1/24
    
  4. reboot and check if everything is still working

TOR configuration

Id

Reference

License

3

https://riseup.net/it/security/network-security/tor/onionservices-best-practices

unknown

4

https://community.torproject.org/onion-services/setup/

unknown

Run as user

root

In this example we use the following schema:

  • all TOR services configuration are under /var/lib/tor/services

  • services are divided by protocols: for example http, ssh, etc…

  • protocols are divided by clearnet domains (if existing)

For example:

/var/lib/tor/services/http/docs.my.domain
  1. install TOR

    apt-get install tor
    
  2. stop the TOR service

    systemctl stop tor@default
    
  3. create the service directories

    cd /var/lib/tor
    mkdir -p services/http services/ssh
    chown -R debian-tor:debian-tor
    
  4. add the highlighted lines to TOR's configuration

    /etc/tor/torrc
      1## Configuration file for a typical Tor user
      2## Last updated 9 October 2013 for Tor 0.2.5.2-alpha.
      3## (may or may not work for much older or much newer versions of Tor.)
      4##
      5## Lines that begin with "## " try to explain what's going on. Lines
      6## that begin with just "#" are disabled commands: you can enable them
      7## by removing the "#" symbol.
      8##
      9## See 'man tor', or https://www.torproject.org/docs/tor-manual.html,
     10## for more options you can use in this file.
     11##
     12## Tor will look for this file in various places based on your platform:
     13## https://www.torproject.org/docs/faq#torrc
     14
     15## Tor opens a socks proxy on port 9050 by default -- even if you don't
     16## configure one below. Set "SocksPort 0" if you plan to run Tor only
     17## as a relay, and not make any local application connections yourself.
     18SocksPort 9050
     19
     20# Default: Bind to localhost:9050 for local connections.
     21#SocksPort 192.168.0.1:9100 # Bind to this address:port too.
     22
     23## Entry policies to allow/deny SOCKS requests based on IP address.
     24## First entry that matches wins. If no SocksPolicy is set, we accept
     25## all (and only) requests that reach a SocksPort. Untrusted users who
     26## can access your SocksPort may be able to learn about the connections
     27## you make.
     28#SocksPolicy accept 192.168.0.0/16
     29#SocksPolicy reject *
     30
     31## Logs go to stdout at level "notice" unless redirected by something
     32## else, like one of the below lines. You can have as many Log lines as
     33## you want.
     34##
     35## We advise using "notice" in most cases, since anything more verbose
     36## may provide sensitive information to an attacker who obtains the logs.
     37##
     38## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
     39#Log notice file /var/log/tor/notices.log
     40## Send every possible message to /var/log/tor/debug.log
     41
     42# Log debug file /var/log/tor/debug.log
     43
     44## Use the system log instead of Tor's logfiles
     45#Log notice syslog
     46## To send all messages to stderr:
     47#Log debug stderr
     48
     49## Uncomment this to start the process in the background... or use
     50## --runasdaemon 1 on the command line. This is ignored on Windows;
     51## see the FAQ entry if you want Tor to run as an NT service.
     52#RunAsDaemon 1
     53
     54## The directory for keeping all the keys/etc. By default, we store
     55## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
     56#DataDirectory /var/lib/tor
     57
     58## The port on which Tor will listen for local connections from Tor
     59## controller applications, as documented in control-spec.txt.
     60#ControlPort 9051
     61## If you enable the controlport, be sure to enable one of these
     62## authentication methods, to prevent attackers from accessing it.
     63#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
     64#CookieAuthentication 1
     65
     66############### This section is just for location-hidden services ###
     67
     68## Once you have configured a hidden service, you can look at the
     69## contents of the file ".../hidden_service/hostname" for the address
     70## to tell people.
     71##
     72## HiddenServicePort x y:z says to redirect requests on port x to the
     73## address y:z.
     74
     75# HTTP
     76HiddenServiceDir /var/lib/tor/services/http/docs.my.domain
     77HiddenServicePort 80 192.168.1.1:80
     78
     79################ This section is just for relays #####################
     80#
     81## See https://www.torproject.org/docs/tor-doc-relay for details.
     82
     83## Required: what port to advertise for incoming Tor connections.
     84#ORPort 9001
     85## If you want to listen on a port other than the one advertised in
     86## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as
     87## follows.  You'll need to do ipchains or other port forwarding
     88## yourself to make this work.
     89#ORPort 443 NoListen
     90#ORPort 127.0.0.1:9090 NoAdvertise
     91
     92## The IP address or full DNS name for incoming connections to your
     93## relay. Leave commented out and Tor will guess.
     94#Address noname.example.com
     95
     96## If you have multiple network interfaces, you can specify one for
     97## outgoing traffic to use.
     98# OutboundBindAddress 10.0.0.5
     99
    100## A handle for your relay, so people don't have to refer to it by key.
    101#Nickname ididnteditheconfig
    102
    103## Define these to limit how much relayed traffic you will allow. Your
    104## own traffic is still unthrottled. Note that RelayBandwidthRate must
    105## be at least 20 KB.
    106## Note that units for these config options are bytes per second, not bits
    107## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc.
    108#RelayBandwidthRate 100 KB  # Throttle traffic to 100KB/s (800Kbps)
    109#RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)
    110
    111## Use these to restrict the maximum traffic per day, week, or month.
    112## Note that this threshold applies separately to sent and received bytes,
    113## not to their sum: setting "4 GB" may allow up to 8 GB total before
    114## hibernating.
    115##
    116## Set a maximum of 4 gigabytes each way per period.
    117#AccountingMax 4 GB
    118## Each period starts daily at midnight (AccountingMax is per day)
    119#AccountingStart day 00:00
    120## Each period starts on the 3rd of the month at 15:00 (AccountingMax
    121## is per month)
    122#AccountingStart month 3 15:00
    123
    124## Administrative contact information for this relay or bridge. This line
    125## can be used to contact you if your relay or bridge is misconfigured or
    126## something else goes wrong. Note that we archive and publish all
    127## descriptors containing these lines and that Google indexes them, so
    128## spammers might also collect them. You may want to obscure the fact that
    129## it's an email address and/or generate a new address for this purpose.
    130#ContactInfo Random Person <nobody AT example dot com>
    131## You might also include your PGP or GPG fingerprint if you have one:
    132#ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
    133
    134## Uncomment this to mirror directory information for others. Please do
    135## if you have enough bandwidth.
    136#DirPort 9030 # what port to advertise for directory connections
    137## If you want to listen on a port other than the one advertised in
    138## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as
    139## follows.  below too. You'll need to do ipchains or other port
    140## forwarding yourself to make this work.
    141#DirPort 80 NoListen
    142#DirPort 127.0.0.1:9091 NoAdvertise
    143## Uncomment to return an arbitrary blob of html on your DirPort. Now you
    144## can explain what Tor is if anybody wonders why your IP address is
    145## contacting them. See contrib/tor-exit-notice.html in Tor's source
    146## distribution for a sample.
    147#DirPortFrontPage /etc/tor/tor-exit-notice.html
    148
    149## Uncomment this if you run more than one Tor relay, and add the identity
    150## key fingerprint of each Tor relay you control, even if they're on
    151## different networks. You declare it here so Tor clients can avoid
    152## using more than one of your relays in a single circuit. See
    153## https://www.torproject.org/docs/faq#MultipleRelays
    154## However, you should never include a bridge's fingerprint here, as it would
    155## break its concealability and potentionally reveal its IP/TCP address.
    156#MyFamily $keyid,$keyid,...
    157
    158## A comma-separated list of exit policies. They're considered first
    159## to last, and the first match wins. If you want to _replace_
    160## the default exit policy, end this with either a reject *:* or an
    161## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
    162## default exit policy. Leave commented to just use the default, which is
    163## described in the man page or at
    164## https://www.torproject.org/documentation.html
    165##
    166## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
    167## for issues you might encounter if you use the default exit policy.
    168##
    169## If certain IPs and ports are blocked externally, e.g. by your firewall,
    170## you should update your exit policy to reflect this -- otherwise Tor
    171## users will be told that those destinations are down.
    172##
    173## For security, by default Tor rejects connections to private (local)
    174## networks, including to your public IP address. See the man page entry
    175## for ExitPolicyRejectPrivate if you want to allow "exit enclaving".
    176##
    177#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
    178#ExitPolicy accept *:119 # accept nntp as well as default exit policy
    179#ExitPolicy reject *:* # no exits allowed
    180
    181## Bridge relays (or "bridges") are Tor relays that aren't listed in the
    182## main directory. Since there is no complete public list of them, even an
    183## ISP that filters connections to all the known Tor relays probably
    184## won't be able to block all the bridges. Also, websites won't treat you
    185## differently because they won't know you're running Tor. If you can
    186## be a real relay, please do; but if not, be a bridge!
    187#BridgeRelay 1
    188## By default, Tor will advertise your bridge to users through various
    189## mechanisms like https://bridges.torproject.org/. If you want to run
    190## a private bridge, for example because you'll give out your bridge
    191## address manually to your friends, uncomment this line:
    192#PublishServerDescriptor 0
    
  5. restart TOR

    systemctl start tor@default
    
  6. check that TOR has created a new directory for the service

    ls -ld /var/lib/tor/services/http/docs.my.domain
    
  1. get the onion hostname

    cat /var/lib/tor/services/http/docs.my.domain/hostname
    

    In this example the generated onion hostname is abc.onion.

Apache

If you are deploying a service both on clearnet and on TOR you have to create a new virtual host. You can also optionally add a header in the clearnet service that will redirect TOR browser automatically to the onion website.

  1. copy the existing VirtualHost entry of your interest and remove all SSL related options such as <IfModule mod_ssl.c>, SSLCertificateFile SSLCertificateKeyFile, etc…

  2. change the server name to the onion host name. See previous section. This will serve as the configuration for the TOR service. Include this file from the Apache configuration

    /etc/apache2/tor_services.apache.conf
     1<VirtualHost 192.168.1.1:80>
     2    UseCanonicalName on
     3
     4    Keepalive On
     5    RewriteEngine on
     6
     7    ServerName abc.onion
     8
     9    # [ ... ]
    10
    11</VirtualHost>
    
  3. add the new header in the clearnet virtual host. Include this file from the Apache configuration

    /etc/apache2/tor_services.apache.conf
     1<IfModule mod_ssl.c>
     2<VirtualHost 192.168.0.1:443>
     3      UseCanonicalName on
     4
     5      Keepalive On
     6      RewriteEngine on
     7
     8      ServerName docs.my.domain
     9
    10      # TOR header for automatic redirection.
    11      ServerAlias abc.onion
    12      Header set Onion-Location "http://abc.onion%{REQUEST_URI}s"
    13
    14      # [ ... ]
    15
    16</VirtualHost>
    17</IfModule>
    
  4. restart Apache

    systemctl restart apache2
    
  5. test both services

    curl --silent --head https://docs.my.domain | grep onion-location
    torsocks --isolate curl http://abc.onion
    

Footnotes

1

Copyright (c) ArchWiki contributors