This post is a part of Tor v3 tutorial. Other parts are:
- Hidden Service setup
- PKI and TLS
- Client Authentication
- Installing client certificates to Firefox for Android
As a student I was lucky to have unlimited private Git repositories on Github, since they introduced that to their first paid plan. Unfortunately, I don’t have access to educational e-mail anymore, so I won’t be able to renew the service. This leads to a need to have that feature migrated to somewhere else. Some time ago, I installed cgit and gitolite on my single board computer (SBC). But, because of Github, there was no need to use that. Now it seems like a good replacement to Github’s Developer plan.
Few weeks ago, there was interesting event – Tor Project introduced new version of their Hidden Services – v3, which changes length of hidden service address in .onion domain and disables “feature” enabling some nodes in the network to index all existing service addresses. This seems like a good moment to give it a try and check, how fast (or rather how slow) will be the solution providing git through Tor on few-year-old SBC. By the way, I will show, how to configure things with maximum security in mind.
Disclaimer: I am not a person with deep knowledge of inner workings of Tor network, so I strongly encourage you to read thing or two, about how to use it safely. This article might contain errors that might reveal your identity, especially when used together with not-self-owned hidden services.
Let’s start with summary of what we will need to make Tor v3 work:
- tor in version 0.3.2.9 or higher
- alternatively Tor Browser 7.5 or higher
- for Android: Orbot and Orfox (at the moment of writing this, there is no support in current version of Orbot, so custom compilation is required – I am using Termux to provide tor binary)
- httpd or any other HTTP server, able to provide service with only one vhost on separate TCP port
Because of the way, I am planning to configure hidden service in future, it might be a good idea to set up separate Tor browser at this moment, dedicated to this service, if it is going to be production configuration. If this is just an experiment, this advice could safely be ignored. However it is good to know, how to undo any modifications to the browser that will be done in the next parts.
What we need to do is to listen on localhost, on some random TCP port. Then we will set up httpd to provide only one virtual host on this custom port. It would be perfect to disable any other vhosts as our hidden service will work also as non-hidden service for local users, so if other service is buggy and allows to connect to other local services (see e.g. DNS rebinding), at least address of our hidden service will be compromised.
I have following configuration:
Listen 666 <VirtualHost *:666> ServerAdmin [email]@[domain] DocumentRoot "[path]/public_html" ServerName [domain].onion ErrorLog "[path]/error_log" CustomLog "[path]/access_log" common </VirtualHost> <Directory "[path]/public_html"> DirectoryIndex index.html index.php index.txt AllowOverride All Options FollowSymlinks Require all granted </Directory>
Furthermore, httpd must be able to traverse to
public_html directory, so every directory from
public_html up to root must have execute privilege for
http user and directory itself as well as its content must be available (or better owned) by
After that and after starting httpd, it should be possible to visit
http://localhost:666 via web browser and see content of
public_html directory. If this is true, we can move on to tor configuration.
SocksPort auto HiddenServiceDir /etc/tor/hsv3 HiddenServiceVersion 3 HiddenServicePort 80 127.0.0.1:666 SafeLogging 0 Log notice stdout Log notice file /etc/tor/hsv3/hs.log Log info file /etc/tor/hsv3/hsinfo.log
Now, on the first startup of tor, it should create keys for our new hidden service. We can look into
/etc/tor/hsv3/hostname to see the .onion address. It is good idea to set key files and
hostname file as readable as only user running tor service. In case of service started by systemd, this will probably be
tor by default.
After starting tor service (
systemctl start tor in case of systemd), we can check if everything works properly by visiting our hidden service with tor-enabled browser (using tor 0.3.2.9 or higher). That’s it.
Firefox for Android
At the time of writing this article there is still no upgrade for Orbot app, providing GUI interface for tor. Because of that, it might be required to use ordinary Firefox to use tor as a proxy, which is generally bad idea for connecting to any hidden services, because of privacy and anonymity. Fortunately, we can live with revealing our identity to ourselves 🙂 so we can do it only this single time.
What we need to change are following configuration options, available under
5, if any other (should be default)
0means no proxy,
5is system proxy)
Now we are ready to use our hidden service, from both desktop and mobile. Still, we use only HTTP protocol, which is not a big problem, as tor already provides encryption. Neverheless our next goal would be to configure HTTPS. And then we will configure client authentication for ultimate security of our hidden service.