Tor
Tor, short for "The Onion Router," is free and open-source software for enabling anonymous communication. It directs Internet traffic via a free, worldwide, volunteer overlay network that consists of more than seven thousand relays.
Using Tor makes it more difficult to trace a user's Internet activity. Tor protects personal privacy by concealing a user's location and usage from anyone performing network surveillance or traffic analysis. It protects the user's freedom and ability to communicate confidentially through IP address anonymity using Tor exit nodes.
Prerequisites
- Running webserver with vhosts.
- Have a Tor-browser installed on your workstation.
Installing
# dnf install tor
Configuration
torrc
You can find the file in /etc/tor.
Edit tor config file:
vi /etc/tor/torrc
Uncomment or add following lines:
HiddenServiceDir /var/lib/tor/hidden_service/ HiddenServicePort 80 127.0.0.1:80
You can change hidden_service with the title of you website.
Start tor with command:
# systemctl start tor # systemctl enable tor
Now your tor hidden service is ready to use. You need to run your web application on 127.0.0.1:80
For every extra tor-server add:
HiddenServiceDir /var/lib/tor/hidden_service/ HiddenServicePort 80 127.0.0.1:80
hidden_service needs to be changed to your webs name.
Your onion URL
To see the URL of your tor hidden service, run
# cat /var/lib/tor/hidden_service/hostname
Make sure to make a backup of folder "/var/lib/tor/" as it contains keys for this .onion domain. If you lost it, you will lose your domain name. So it is very important you keep the files safe.
Starting the tor deamon
# systemctl start tor # systemctl enable tor
Creating a vhost
You need to make a vhost with the .onion name.
For this example you have a website running as www.example.com.
See also vhosts for more information.
Change www.example.com with your websites url you want to run via tor.
# cd /etc/httpd/conf/vhosts.d # cp vhost.con <your.onion>.conf # vi <your.onion>.conf
Enter the code below or change it as below.
<VirtualHost 127.0.0.1:80>
ServerName <your .onion>
ServerAdmin webmaster@example.com
CustomLog /var/log/httpd/<your .onion>-access_log combined
ErrorLog /var/log/httpd/<your .onion>-error_log
DirectoryIndex index.html index.php
DocumentRoot /srv/www/vhosts/www.example.com/httpsdocs
<Directory "/srv/www/vhosts/www.example.com/httpsdocs">
Options +Indexes +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
We don't need a 443 section.
After making your .onion site you must restart apache.
# httpd -t //If there are errors first fix them and then retest. # systemctl restart httpd
You can create a onion site that has no normal version. This site is only accessible over TOR.
.htaccess
When you have a .htaccess file there might be a danger that a redirect to the normal URL happens.
You must remove redirect URL-parts that redirect to a https version. So remove the https://wwww.example.com part.
Creating the defaulthost
The onion sites also need a default to trap unwanted traffic.
# cd /etc/httpd/conf
# vi default.conf
<VirtualHost 127.0.0.1:80>
ServerName server5.onion
Redirect 301 / https://server5.robkalmeijer.nl/
</VirtualHost>
.......
# httpd -t
# systemctl restart httpd
Advertising your hidden service
There are many ways we can accomplish this but the main one is to inject our onion link into the HTTP headers sent to the client. But there are some conditions which need to be met first:
- The Onion-Location value must be a valid URL with http: or https: protocol and an .onion hostname
- The webpage defining the Onion-Location header must be served over HTTPS
- The webpage defining the Onion-Location header must not be an onion site.
You can find some code snippets for nginx, Apache and Caddy from the official Tor Project website.
Next open /etc/httpd/conf/vhosts.d/www.example.com.conf en add in the 443 section:
Header set Onion-Location "http://<your .onion>%{REQUEST_URI}s"
# httpd -t //If there are errors first fix them and then retest. # systemctl restart httpd
When www.example.com is opened in the Tor-browser it will show a notice button that links to the tor version.
Your website is now accesseble via www.example.com and your.onion.
If your website is an wordpress site you have a problem.
Backup
The /var/lib/tor directory must be included in your backup script.