Tails

#1 Updated by exit-1 2014-09-07 03:38:05

Tails Greeter: Use persistence, More options - set Administration password
Start Tor Browser

Download thttpd https://packages.debian.org/squeeze/thttpd
to /home/amnesia/Persistent

Create index.html and any other flies in folder /www

Create text file thttpd-tor-start
C&P the following

#!/bin/bash
dpkg -i /home/amnesia/Persistent/thttpd_2.25b-11_i386.deb
## Edit "2.25b-11_i386" if different

echo "ENABLED=yes" > /etc/default/thttpd
cp -R /home/amnesia/Persistent/www /var
chmod 755 /var/www
chmod a+r /var/www/*
/etc/init.d/thttpd start

echo -n "HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 " >> /etc/tor/torrc
hostname -I >> /etc/tor/torrc
/etc/init.d/tor restart

sleep 5
cat /var/lib/tor/hidden_service/hostname

Open Root Terminal
#chmod 755 /home/amnesia/Persistent/thttpd-tor-start
#/home/amnesia/Persistent/thttpd-tor-start
Output URL is the Hidden Service address

Then either
- Save this URL
#cp -R /var/lib/tor/hidden_service /home/amnesia/Persistent

Or
- Use a previously saved hidden_service
On another unlocked and mounted Tails USB
#cp -R /media/TailsData/Persistent/hidden_service /home/amnesia/Persistent
Then /Or the live USB
#cp -R /home/amnesia/Persistent/hidden_service /var/lib/tor
Check permissions
#ls -l /var/lib/tor | grep hidden_service
And fix if neccessary
#chown debian-tor /var/lib/tor/hidden_service

Restart Tor again
#/etc/init.d/tor restart

#2 Updated by intrigeri 2014-09-07 21:06:03

I don’t get what action we’re expected to take about this, if any => please clarify.

#3 Updated by exit-1 2014-09-08 11:21:32

Thanks intrigeri.

This is a suggested Read Me file for how to configure ‘thttpd’ with Tor for users interested in setting up their own Hidden Service. If someone with experience can add security fixes I’m not aware of, that would be good. I’m also interested in other ideas, which others here may have. I feel this feature is missing on Tails as it stands, and my experience is that it isn’t easy to get the information, or to get the server working. Just a text file in the next upgrade, maybe in the documentation too.. But it depends how getting ‘thttpd’ working is considered as an improvement to the capability of Tails.

Also, please can you delete my original post as I didn’t check the preview before submitting? The ’##’s became numbered list items. Or edit it to the corrected version I made after and delete that.

#5 Updated by exit-1 2014-09-09 12:25:42

Great :) I’m on it now..

#6 Updated by sajolida 2014-09-09 12:41:40

Note that until now, we never really documented such advanced usage of Tails. I’m not saying that this is out of question, but as it would be a first time, this might generate quite a lot of debate and overhead.

And also, how would this related to Feature #7870?

#8 Updated by intrigeri 2014-09-09 13:01:06

> Note that until now, we never really documented such advanced usage of Tails. I’m not saying that this is out of question, but as it would be a first time, this might generate quite a lot of debate and overhead.

This was my initial thought, and then I noticed that we have an “Advanced topics” section at the bottom of https://tails.boum.org/doc/, and well, we’ll have to go through it at some point anyway, as part of our “let’s make power-users happy, in the hope that they become contributors” plan.

> And also, how would this related to Feature #7870?

IIRC, OnionShare only supports one-time downloads, while the proposed scheme here is about serving files on a longer term.

#9 Updated by sajolida 2014-09-10 09:00:20

I totally agree with that and would love seeing more interesting things
in that section. Still, I’m a bit concerned about our capacity to
writing and maintaining user documentation in terms of quantity :)
But the “Advanced section” can be more sloppy than the rest I guess.

> IIRC, OnionShare only supports one-time downloads, while the
> proposed scheme here is about serving files on a longer term.

I didn’t know.

So exit-1, I’m waiting for your branch! :)

#11 Updated by exit-1 2014-09-10 13:01:57

Thanks sajolida - I’m taking note of the guidelines and other documentation to aim for consistent language and style.. so as not to be sloppy :)

#13 Updated by Anonymous 2014-09-14 05:02:19

> IIRC, OnionShare only supports one-time downloads, while the proposed scheme here is about serving files on a longer term.

That is actually not correct.

First of all, OnionShare can continue serving the file(s) to share if you ask it to do so. The one time download is the default though. It is supposed to decrease the attack surface if the HS is not available for a longer period.

Secondly, the author is also working on a way to have several HS instances running at the same time, instead of only one.

#14 Updated by intrigeri 2014-09-14 20:30:15

> That is actually not correct.

Thanks for correcting me!

> Secondly, the author is also working on a way to have several HS instances running at the same time, instead of only one.

Good to hear. It’ll still be limited to serving one file at a time (and thus, unable to serve any non-200%-trivial website), or am I mistaken here too?

#16 Updated by exit-1 2014-09-15 15:42:50

Yes that’s fine. Thank you sajolida.

#17 Updated by Anonymous 2014-09-16 04:19:37

> > Secondly, the author is also working on a way to have several HS instances running at the same time, instead of only one.
>
> Good to hear. It’ll still be limited to serving one file at a time (and thus, unable to serve any non-200%-trivial website), or am I mistaken here too?

This is correct :)

From what i get, it’s only supposed to be a file sharing utility, and thus serving a website would probably be out of scope.

#21 Updated by BitingBird 2015-01-19 20:13:31

Ping ?

#22 Updated by matsa 2015-01-19 22:30:59

I gave a try, and obtained a working configuration.
You can see the documentation in matsa/7879-http-server-with-nginx or directly online:
http://repo.or.cz/w/tails/matsa.git/blob/refs/heads/7879-http-server-with-nginx:/wiki/src/doc/advanced_topics/http_server_with_nginx.mdwn

I would be pleased to have some feedback.
Thanks, and cheers

#25 Updated by sajolida 2015-03-13 15:47:21

Once we get this we should update /support/faq#hidden_service.

#27 Updated by segfault 2015-03-23 00:11:38

Some days ago I wrote my own scripts to host a hidden web service with Tails, because I didn’t know about this existing work. I like this solution a lot.

<EDIT (February 2016)>: I think the following was correct back then, but it isn’t now (Tails 2.0). Currently no modifications of iptables are needed to connect to the hidden service.

But connections to the hidden service are blocked by iptables, you need this line to allow it:

iptables -I OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner debian-tor -j ACCEPT

This can also be done with this entry in /etc/ferm/ferm.conf in chain OUTPUT, outerface lo:

# White-list access to hidden web service
daddr 127.0.0.1 proto tcp syn dport 80 {
                    mod owner uid-owner debian-tor ACCEPT;
                }

I think this progress should be mentioned in the blueprint of Tails server.