Feature #7879

Document how to serve files over HTTP behind a Tor Hidden Service

Added by exit-1 about 5 years ago. Updated about 3 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 09/07/2014
Due date:
% Done: 0%
Feature Branch: doc/7879-http-server
Type of work: End-user documentation
Blueprint:
Starter: No
Affected tool:

Description

Tails Greeter: Use persistence, More options - set Administration password
Start Tor Browser

Download thttpd https://packages.debian.org/squeeze/thttpd
to /home/amnesia/Persistent

Create index.html and any other files in folder /www

Create text file thttpd-tor-start
C&P the following
## ---begin--- ##
#!/bin/bash
dpkg -i /home/amnesia/Persistent/thttpd_2.25b-11_i386.deb
## Edit "2.25b-11_i386" if different

echo "ENABLED=yes" > /etc/default/thttpd
cp -R /home/amnesia/Persistent/www /var
chmod 755 /var/www
chmod a+r /var/www/*
/etc/init.d/thttpd start

echo -n "HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 " >> /etc/tor/torrc
hostname -I >> /etc/tor/torrc
/etc/init.d/tor restart

sleep 5
cat /var/lib/tor/hidden_service/hostname
## ---end--- ##
Open Root Terminal
#chmod 755 /home/amnesia/Persistent/thttpd-tor-start
#/home/amnesia/Persistent/thttpd-tor-start
Output URL is the Hidden Service address

Then either
- Save this URL
#cp -R /var/lib/tor/hidden_service /home/amnesia/Persistent

Or
- Use a previously saved hidden_service
On another unlocked and mounted Tails USB
#cp -R /media/TailsData/Persistent/hidden_service /home/amnesia/Persistent
Then /Or the live USB
#cp -R /home/amnesia/Persistent/hidden_service /var/lib/tor
Check permissions
#ls -l /var/lib/tor | grep hidden_service
And fix if necessary
#chown debian-tor /var/lib/tor/hidden_service

Restart Tor again
#/etc/init.d/tor restart

7879.zip (91.7 KB) exit-1, 09/14/2014 03:55 AM

7879-http-server.md (3.17 KB) exit-1, 09/24/2014 08:07 AM

7879-http-server-2.md (4.24 KB) exit-1, 09/27/2014 04:30 PM


Related issues

Related to Tails - Feature #7870: Include OnionShare Resolved 12/07/2016
Related to Tails - Feature #5688: Tails Server: Self-hosted services behind Tails-powered onion services Confirmed 04/03/2016

History

#1 Updated by exit-1 about 5 years ago

Tails Greeter: Use persistence, More options - set Administration password
Start Tor Browser

Download thttpd https://packages.debian.org/squeeze/thttpd
to /home/amnesia/Persistent

Create index.html and any other files in folder /www

Create text file thttpd-tor-start
C&P the following

#!/bin/bash
dpkg -i /home/amnesia/Persistent/thttpd_2.25b-11_i386.deb
## Edit "2.25b-11_i386" if different

echo "ENABLED=yes" > /etc/default/thttpd
cp -R /home/amnesia/Persistent/www /var
chmod 755 /var/www
chmod a+r /var/www/*
/etc/init.d/thttpd start

echo -n "HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 " >> /etc/tor/torrc
hostname -I >> /etc/tor/torrc
/etc/init.d/tor restart

sleep 5
cat /var/lib/tor/hidden_service/hostname

Open Root Terminal
#chmod 755 /home/amnesia/Persistent/thttpd-tor-start
#/home/amnesia/Persistent/thttpd-tor-start
Output URL is the Hidden Service address

Then either
- Save this URL
#cp -R /var/lib/tor/hidden_service /home/amnesia/Persistent

Or
- Use a previously saved hidden_service
On another unlocked and mounted Tails USB
#cp -R /media/TailsData/Persistent/hidden_service /home/amnesia/Persistent
Then /Or the live USB
#cp -R /home/amnesia/Persistent/hidden_service /var/lib/tor
Check permissions
#ls -l /var/lib/tor | grep hidden_service
And fix if necessary
#chown debian-tor /var/lib/tor/hidden_service

Restart Tor again
#/etc/init.d/tor restart
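
Added example, not part of exit-1's post or of the Tails project's code: a shell audit of the two things the procedure above touches, the HiddenServicePort line assembled from `hostname -I` and the ownership of a restored hidden_service directory. The function names, addresses and paths in the sample are constructed for illustration, and `audit_hs_dir` assumes GNU find.

```shell
#!/bin/bash
# Added example: audit a hidden-service setup like the one built above.

# sample_torrc: constructed input. Line 2 is what `echo -n ...` followed by
# `hostname -I` yields on a host with two addresses; line 4 with one address.
sample_torrc() {
    cat <<'EOF'
HiddenServiceDir /var/lib/tor/hs_a/
HiddenServicePort 80 192.168.1.23 10.8.0.2
HiddenServiceDir /var/lib/tor/hs_b/
HiddenServicePort 80 192.168.1.23
HiddenServiceDir /var/lib/tor/hs_c/
HiddenServicePort 80 127.0.0.1:80
EOF
}

# audit_hs_torrc FILE: one finding per HiddenServicePort line whose target
# is not a bare port, a loopback address or a unix: socket.
audit_hs_torrc() {
    awk '
        $1 == "HiddenServicePort" {
            if (NF > 3) { print "line " NR ": extra tokens after target"; next }
            # NF == 2 means no target: tor then uses 127.0.0.1, same port.
            if (NF == 3 && $3 !~ /^([0-9]+|127\.[0-9.]+(:[0-9]+)?|\[::1\](:[0-9]+)?|unix:.*)$/)
                print "line " NR ": target " $3 " is not loopback"
        }
    ' "$1"
}

# audit_hs_dir DIR OWNER: list entries not owned by OWNER or accessible to
# group/other. Files copied with `cp -R` as root stay root-owned unless the
# chown is recursive. Needs GNU find (-perm /077, -printf).
audit_hs_dir() {
    find "$1" \( ! -user "$2" -o -perm /077 \) -printf '%u %m %p\n'
}

# Demo on the constructed torrc; on a real system pass /etc/tor/torrc and
# /var/lib/tor/hidden_service with owner debian-tor.
tmp=$(mktemp)
sample_torrc > "$tmp"
audit_hs_torrc "$tmp"
rm -f "$tmp"
```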

#2 Updated by intrigeri about 5 years ago

I don't get what action we're expected to take about this, if any => please clarify.

#3 Updated by exit-1 about 5 years ago

Thanks intrigeri.

This is a suggested Read Me file for how to configure 'thttpd' with Tor for users interested in setting up their own Hidden Service. If someone with experience can add security fixes I'm not aware of, that would be good. I'm also interested in other ideas, which others here may have. I feel this feature is missing on Tails as it stands, and my experience is that it isn't easy to get the information, or to get the server working. Just a text file in the next upgrade, maybe in the documentation too.. But it depends how getting 'thttpd' working is considered as an improvement to the capability of Tails.

Also, please can you delete my original post as I didn't check the preview before submitting? The '##'s became numbered list items. Or edit it to the corrected version I made after and delete that.

#4 Updated by intrigeri about 5 years ago

  • Subject changed from tor-thttpd-read-me to Document how to serve files over HTTP behind a Tor Hidden Service
  • Category deleted (Tor configuration)
  • Feature Branch deleted (thttpd)

OK, got it. Retitling the ticket accordingly. Next step is to read https://tails.boum.org/contribute/how/documentation/, then :)

#5 Updated by exit-1 about 5 years ago

Great :) I'm on it now..

#6 Updated by sajolida about 5 years ago

Note that until now, we never really documented such advanced usage of Tails. I'm not saying that this is out of question, but as it would be a first time, this might generate quite a lot of debate and overhead.

And also, how would this relate to #7870?

#7 Updated by sajolida about 5 years ago

#8 Updated by intrigeri about 5 years ago

> Note that until now, we never really documented such advanced usage of Tails. I'm not saying that this is out of question, but as it would be a first time, this might generate quite a lot of debate and overhead.

This was my initial thought, and then I noticed that we have an "Advanced topics" section at the bottom of https://tails.boum.org/doc/, and well, we'll have to go through it at some point anyway, as part of our "let's make power-users happy, in the hope that they become contributors" plan.

> And also, how would this relate to #7870?

IIRC, OnionShare only supports one-time downloads, while the proposed scheme here is about serving files on a longer term.

#9 Updated by sajolida about 5 years ago

I totally agree with that and would love seeing more interesting things
in that section. Still, I'm a bit concerned about our capacity to
write and maintain user documentation in terms of quantity :)
But the "Advanced section" can be more sloppy than the rest I guess.

> IIRC, OnionShare only supports one-time downloads, while the
> proposed scheme here is about serving files on a longer term.

I didn't know.

So exit-1, I'm waiting for your branch! :)

#10 Updated by sajolida about 5 years ago

  • Status changed from New to Confirmed
  • Assignee set to exit-1
  • Type of work changed from Discuss to Documentation
  • Starter set to No

#11 Updated by exit-1 about 5 years ago

Thanks sajolida - I'm taking note of the guidelines and other documentation to aim for consistent language and style.. so as not to be sloppy :)

#12 Updated by exit-1 about 5 years ago

Here's an update on progress attached. Couldn't use 'ikiwiki'..
Does it need commentary? A short paragraph to begin or end perhaps.
Also mailed to https://mailman.boum.org/listinfo/tails-dev/
- please review.

#13 Updated by u about 5 years ago

> IIRC, OnionShare only supports one-time downloads, while the proposed scheme here is about serving files on a longer term.

That is actually not correct.

First of all, OnionShare can continue serving the file(s) to share if you ask it to do so. The one time download is the default though. It is supposed to decrease the attack surface if the HS is not available for a longer period.

Secondly, the author is also working on a way to have several HS instances running at the same time, instead of only one.

#14 Updated by intrigeri about 5 years ago

> That is actually not correct.

Thanks for correcting me!

> Secondly, the author is also working on a way to have several HS instances running at the same time, instead of only one.

Good to hear. It'll still be limited to serving one file at a time (and thus, unable to serve any non-200%-trivial website), or am I mistaken here too?

#15 Updated by sajolida about 5 years ago

  • Assignee changed from exit-1 to sajolida
  • Feature Branch set to doc/7879-http-server

Thanks for the file!

I converted it into markdown and pushed it in the branch doc/7879-http-server. You can see the resulting file on http://git.tails.boum.org/tails/tree/wiki/src/doc/advanced_topics/http_server.mdwn?h=doc/7879-http-server

Markdown is much easier for us to work on since its syntax removes all the tagging and noise from HTML. Please base your work on this document as from now on and send the modified markdown file only.

I'll review your work in some days and send my comments on tails-dev if that's ok for you. We prefer to have discussions related to development on the mailing list than on Redmine.

And if you want to give ikiwiki a second try, you can check out this documentation: https://tails.boum.org/contribute/build/website/. But working on the markdown file will be good enough for a first contribution :)

#16 Updated by exit-1 about 5 years ago

Yes that's fine. Thank you sajolida.

#17 Updated by u about 5 years ago

>> Secondly, the author is also working on a way to have several HS instances running at the same time, instead of only one.

> Good to hear. It'll still be limited to serving one file at a time (and thus, unable to serve any non-200%-trivial website), or am I mistaken here too?

This is correct :)

From what I get, it's only supposed to be a file sharing utility, and thus serving a website would probably be out of scope.

#18 Updated by exit-1 almost 5 years ago

Attached markdown file.

#19 Updated by exit-1 almost 5 years ago

Updated markdown file attached. Comments welcome, also mailed tails-dev.

#20 Updated by sajolida almost 5 years ago

  • Assignee changed from sajolida to exit-1

#21 Updated by BitingBird over 4 years ago

Ping ?

#22 Updated by matsa over 4 years ago

I gave it a try, and obtained a working configuration.
You can see the documentation in matsa/7879-http-server-with-nginx or directly online:
http://repo.or.cz/w/tails/matsa.git/blob/refs/heads/7879-http-server-with-nginx:/wiki/src/doc/advanced_topics/http_server_with_nginx.mdwn

I would be pleased to have some feedback.
Thanks, and cheers

#23 Updated by sajolida over 4 years ago

  • Assignee changed from exit-1 to sajolida
  • QA Check changed from Dev Needed to Ready for QA

I'll have a look.

#24 Updated by sajolida over 4 years ago

  • Assignee changed from sajolida to matsa
  • QA Check changed from Ready for QA to Dev Needed

#25 Updated by sajolida over 4 years ago

Once we get this we should update /support/faq#hidden_service.

#26 Updated by intrigeri over 4 years ago

  • Related to Feature #5688: Tails Server: Self-hosted services behind Tails-powered onion services added

#27 Updated by segfault over 4 years ago

Some days ago I wrote my own scripts to host a hidden web service with Tails, because I didn't know about this existing work. I like this solution a lot.

<EDIT (February 2016)>: I think the following was correct back then, but it isn't now (Tails 2.0). Currently no modifications of iptables are needed to connect to the hidden service.</EDIT>

But connections to the hidden service are blocked by iptables, you need this line to allow it:

iptables -I OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner debian-tor -j ACCEPT

This can also be done with this entry in /etc/ferm/ferm.conf in chain OUTPUT, outerface lo:

# White-list access to hidden web service
daddr 127.0.0.1 proto tcp syn dport 80 {
    mod owner uid-owner debian-tor ACCEPT;
}

I think this progress should be mentioned in the blueprint of Tails server.

#28 Updated by BitingBird about 3 years ago

  • Assignee changed from matsa to segfault

segfault: blueprints are writable by anyone :)

#29 Updated by segfault about 3 years ago

  • Status changed from Confirmed to Rejected
  • Assignee deleted (segfault)
  • QA Check deleted (Dev Needed)

This will be part of Tails Server, which I am currently working on.
