[tor-commits] [webwml/staging] onion services: add v3 manual from wiki (fixes #24880)
hiro at torproject.org
hiro at torproject.org
Mon Aug 27 11:02:57 UTC 2018
commit 0e7b0b7bf5b800ae99beebc0fdf58fef8337cee0
Author: traumschule <traumschuleriebau at riseup.net>
Date: Sun Aug 19 23:25:31 2018 +0200
onion services: add v3 manual from wiki (fixes #24880)
---
docs/en/tor-onion-service.wml | 124 ++++++++++++++++++++++++++++++++++++++----
1 file changed, 112 insertions(+), 12 deletions(-)
diff --git a/docs/en/tor-onion-service.wml b/docs/en/tor-onion-service.wml
index 8fc9e894..7ef903e1 100644
--- a/docs/en/tor-onion-service.wml
+++ b/docs/en/tor-onion-service.wml
@@ -134,8 +134,9 @@
<pre> HiddenServiceDir C:\Users\username\Documents\tor\hidden_service
HiddenServicePort 80 127.0.0.1:8080 </pre>
- <p>Note that since 0.2.6, both <var>SocksPort</var> and <var>HiddenServicePort</var> support Unix sockets.
- This means that you can point the <var>HiddenServicePort</var> to a Unix socket:</p>
+ <p>Note that since 0.2.6, both <var>SocksPort</var> and <var>HiddenServicePort</var>
+ support Unix sockets. This means that you can point the <var>HiddenServicePort</var>
+ to a Unix socket:</p>
<pre>
HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/
HiddenServicePort 80 unix:/path/to/socket
@@ -199,8 +200,8 @@
service, just add more <var>HiddenServicePort</var> lines.
If you want to run multiple onion services from the same Tor
client, just add another <var>HiddenServiceDir</var> line. All the following
- <var>HiddenServicePort</var> lines refer to this <var>HiddenServiceDir</var> line, until
- you add another <var>HiddenServiceDir</var> line:
+ <var>HiddenServicePort</var> lines refer to this <var>HiddenServiceDir</var>
+ line, until you add another <var>HiddenServiceDir</var> line:
</p>
<pre>
@@ -212,13 +213,13 @@
HiddenServicePort 22 127.0.0.1:22
</pre>
- <p>Onion services operators need to practice proper operational security
- and system administration to maintain security. For some security
- suggestions please make sure you read over Riseup's <a
- href="https://help.riseup.net/en/security/network-security/tor/onionservices-best-practices">"Tor
- Hidden (Onion) Services Best Practices" document</a>. Also, here are some
- more anonymity issues you should keep in mind:
-
+ <p>Onion services operators need to practice proper
+ <a href="https://trac.torproject.org/projects/tor/wiki/doc/OperationalSecurity">
+ operational security</a> and system administration to maintain security.
+ For some security suggestions please make sure you read over Riseup's
+ <a href="https://help.riseup.net/en/security/network-security/tor/onionservices-best-practices">
+ "Tor Hidden (Onion) Services Best Practices" document</a>.
+ Also, here are some more anonymity issues you should keep in mind:
</p>
<ul>
<li>As mentioned above, be careful of letting your web server reveal
@@ -238,7 +239,13 @@
<p>Another common issue is whether to use HTTPS on your relay or
not. Have a look at this <a
- href="https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs">post</a> on the Tor Blog to learn more about these issues.
+ href="https://blog.torproject.org/blog/facebook-hidden-services-and-https-certs">post</a>
+ on the Tor Blog to learn more about these issues.
+ </p>
+
+ <p>You can use <a href="https://stem.torproject.org">stem</a> to
+ <a href="https://stem.torproject.org/tutorials/over_the_river.html">
+ automate the management of your onion services</a>.
</p>
<p>Finally, feel free to use the <a
@@ -246,6 +253,99 @@
mailing list</a> to discuss the secure administration and operation of
Tor onion services.</p>
+ <hr>
+ <a id="four"></a>
+ <h2><a class="anchor" href="#four">Step Four: Set up next-gen (v3) onions</a></h2>
+ <br>
+
+ <p>Since Tor 0.3.2 and
+ <a href="https://blog.torproject.org/tor-browser-75a5-released">Tor Browser
+ 7.5.a5</a> 56 bit long v3 onion addresses are supported and should be used
+ instead. This newer version of onion services ("v3") features many
+ improvements over the legacy system:
+ </p>
+ <ul>
+ <li>Better crypto (replaced SHA1/DH/RSA1024 with SHA3/ed25519/curve25519)</li>
+ <li>Improved directory protocol, leaking much less information to directory servers.</li>
+ <li>Improved directory protocol, with smaller surface for targeted attacks.</li>
+ <li>Better onion address security against impersonation.</li>
+ <li>More extensible introduction/rendezvous protocol.</li>
+ <li>A cleaner and more modular codebase.</li>
+ </ul>
+ <p>For details see
+ <a href="https://trac.torproject.org/projects/tor/wiki/doc/HiddenServiceNames">
+ Why are v3 onions better?</a>. You can identify a next-generation onion
+ address by its length: they are 56 characters long, as in
+ <var>4acth47i6kxnvkewtm6q7ib2s3ufpo5sqbsnzjpbi7utijcltosqemad.onion</a>.
+
+ The specification for next gen onion services can be found
+ <a href="https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt">
+ here</a>.
+ </p>
+
+ <h3>How to setup your own prop224 service</h3>
+
+ <p>It's easy! Just use your <a href"#two">regular onion service</a> torrc
+ and add <var>HiddenServiceVersion 3</var> in your onion service torrc block.
+ Here is an example torrc designed for testing:
+ </p>
+ <pre>
+SocksPort auto
+
+HiddenServiceDir /home/user/tmp/hsv3
+HiddenServiceVersion 3
+HiddenServicePort 6667 127.0.0.1:6667
+ </pre>
+ <p>Then your onion address is in <var>/home/user/tmp/hsv3/hostname</var>.
+ To host both a v2 and a v3 service using two onion service torrc blocks:
+ </p>
+ <pre>
+HiddenServiceDir /home/user/tmp/hsv2
+HiddenServicePort 6667 127.0.0.1:6667
+
+HiddenServiceDir /home/user/tmp/hsv3
+HiddenServiceVersion 3
+HiddenServicePort 6668 127.0.0.1:6667
+ </pre>
+
+ <p>Please note that tor is strict about directory permissions and does not
+ like to share its files. Make sure to restrict read and write access to the
+ onion services directory before restarting tor. For most linux based systems you can use:
+ </p>
+ <pre>chmod 700 -R /var/lib/tor</pre>
+
+ <p>To restart tor it's safer to not use SIGHUP directly (see bug
+ <a href="https://trac.torproject.org/projects/tor/ticket/21818">#21818</a>),
+ but to check the validity of the config first. On Debian based systems the
+ services management tool does this for you:</p>
+ <pre>
+ service tor restart
+ </pre>
+
+ <h3>How to help the next-gen onion development</h3>
+
+ <p>Please let us know if you find any bugs!
+ We are still in testing & development stage so things are very liquid and
+ in active development. If you want to help with development, check out the list of
+ <a href="https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~prop224&order=priority">
+ open prop224 bugs</a>.
+ </p>
+
+ <p>For researchers our wiki page
+ <a href="https://trac.torproject.org/projects/tor/wiki/doc/OnionServiceNamingSystems">
+ Onion Service Naming Systems</a> could be of value. If you are more of the bug
+ hunting type, please check our code and spec for errors and inaccuracies.
+ We would be thrilled to know about them!
+ </p>
+
+ <p>For debugging and to send us more helpful log files, turn on info logging:
+ </p>
+ <pre>
+SafeLogging 0
+Log notice file /home/user/tmp/hs/hs.log
+Log info file /home/user/tmp/hs/hsinfo.log
+ </pre>
+
</div>
<!-- END MAINCOL -->
<div id = "sidecol">
More information about the tor-commits
mailing list