[tor-talk] Hidden Service (Nginx) setup guide
Mike Ingle
mike at confidantmail.org
Fri Feb 13 08:29:39 UTC 2015
Setting up the hidden service itself is easy.

Steps 1 thru 97 are "set up your website and get it working and secured."
Step 98: add a few lines to your torrc, possibly set some directory permissions.
Step 99: restart Tor, get your hidden service address.
Step 100: test using Tails.

The hard part is preventing the services from leaking your real IP address. Most blogs, forums, etc. can be made to leak.

Here is an interesting procedure to develop and document. I played with this a bit last year:

You can set up a virtual machine configuration, using KVM or similar, so that the webserver machine has no public Internet address and could not leak your identity if it wanted to.

I had one VM with the Tor client. It had a public IP address and a 'socket' interface, which is a phony Ethernet that connects to a socket on the host machine. The VM was not set to route (ip_forward=0), but a hidden service was set up to forward traffic to the web VM over the socket interface.

The other VM, running Apache, had only a socket interface, connected to the Tor VM's socket interface. The Apache VM had no outside Internet access, and there was nothing it could get to on the Tor VM.

With a setup like this, even if someone gets a shell on the webserver VM, he cannot do anything. He has no way to get out, and therefore cannot locate your server. If you want to be more paranoid, you can have a process on the host machine watching for strange packets coming from the web VM, ready to shut it down the moment it gets hacked.

You can have a second administrative hidden service for ssh access. With a few automatic service check and restart scripts, a machine set up this way could run for several years with no physical attention and no non-Tor access. It would be the ideal way to run a hidden service.
Mike
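As an added example (not Mike's own configuration and not anything shipped by the Tor project), here is the Tor-VM side of the two-VM layout described in the post, written as a small POSIX shell script. Assumptions: the Tor VM's socket-interface address is 10.99.0.1, the web VM's only address is 10.99.0.2, and the hidden-service directory path is made up for the example. HiddenServiceDir and HiddenServicePort are Tor's real torrc directives. The last function is the host-side watchdog idea in its simplest form: it reads flow records in a constructed "src dst" per-line format (whatever the host captures on the web VM's tap would need to be reduced to that) and reports any packet from the web VM that is not addressed to the Tor VM's socket interface.

```sh
#!/bin/sh
# Added example, not the original poster's config.
# Assumed addresses for the private "socket" link between the two VMs:
TOR_VM_SOCKET_IP=10.99.0.1   # Tor VM's end of the socket interface
WEB_VM_IP=10.99.0.2          # web VM's one and only interface
HS_DIR=/var/lib/tor/hidden_www   # assumed path; any directory tor can own

# torrc lines for the Tor VM: port 80 of the onion address is forwarded
# to the web VM across the socket interface and nowhere else.
hidden_service_torrc() {
    printf '%s\n' \
        "HiddenServiceDir ${HS_DIR}/" \
        "HiddenServicePort 80 ${WEB_VM_IP}:80"
}

# The Tor VM must never route packets between its public NIC and the
# socket interface, otherwise the web VM could reach the Internet
# through it. Run this on the Tor VM (needs root).
disable_forwarding() {
    sysctl -w net.ipv4.ip_forward=0
}

# Host-side watchdog check. Reads "src_ip dst_ip" lines on stdin and
# prints every flow that originates at the web VM but is not addressed
# to the Tor VM's socket interface. Exit status 0 = clean, 1 = at least
# one unexpected flow (the caller's cue to stop the web VM).
check_web_vm_flows() {
    awk -v web="$WEB_VM_IP" -v tor="$TOR_VM_SOCKET_IP" '
        $1 == web && $2 != tor {
            bad++
            print "unexpected flow from web VM: " $0
        }
        END { exit (bad ? 1 : 0) }
    '
}
```

Usage: append the output of hidden_service_torrc to the Tor VM's torrc and restart Tor, call disable_forwarding on the Tor VM, and on the host pipe a summary of the web VM's traffic through check_web_vm_flows from a cron job or loop; a non-zero exit is the trigger for the "shut it down" step, for instance virsh destroy of the web VM on a KVM host (assumed VM name, not from the post). Only traffic to the Tor VM's socket address is expected from the web VM, so anything else is a leak candidate worth investigating before the service is brought back.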