Feature #7879

Document how to serve files over HTTP behind a Tor Hidden Service

Added by exit-1 2014-09-07 03:18:51 . Updated 2016-06-29 07:41:31 .

Status: Rejected
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2014-09-07
Due date:
% Done: 0%
Feature Branch: doc/7879-http-server
Type of work: End-user documentation
Blueprint:
Starter: 0
Affected tool:
Deliverable for:

Description

Tails Greeter: Use persistence, More options - set Administration password
Start Tor Browser

Download thttpd https://packages.debian.org/squeeze/thttpd
to /home/amnesia/Persistent

Create index.html and any other files in folder /www

Create text file thttpd-tor-start
C&P the following

## --begin-- ##
#!/bin/bash
dpkg -i /home/amnesia/Persistent/thttpd_2.25b-11_i386.deb

## Edit "2.25b-11_i386" if different

echo "ENABLED=yes" > /etc/default/thttpd
cp -R /home/amnesia/Persistent/www /var
chmod 755 /var/www
chmod a+r /var/www/*
/etc/init.d/thttpd start

## The target of HiddenServicePort is the host IP printed by `hostname -I`
echo -n "HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 " >> /etc/tor/torrc
hostname -I >> /etc/tor/torrc
/etc/init.d/tor restart

sleep 5
cat /var/lib/tor/hidden_service/hostname

## --end-- ##

Open Root Terminal
#chmod 755 /home/amnesia/Persistent/thttpd-tor-start
#/home/amnesia/Persistent/thttpd-tor-start

## Output URL is the Hidden Service address

Then either
- Save this URL
#cp -R /var/lib/tor/hidden_service /home/amnesia/Persistent

Or
- Use a previously saved hidden_service
On another unlocked and mounted Tails USB
#cp -R /media/TailsData/Persistent/hidden_service /home/amnesia/Persistent
Then /Or the live USB
#cp -R /home/amnesia/Persistent/hidden_service /var/lib/tor
Check permissions
#ls -l /var/lib/tor | grep hidden_service
And fix if necessary
#chown debian-tor /var/lib/tor/hidden_service

Restart Tor again
#/etc/init.d/tor restart


Related issues

Related to Tails - Feature #7870: Include OnionShare Resolved 2016-12-07
Related to Tails - Feature #5688: Tails Server: Self-hosted services behind Tails-powered onion services Confirmed 2016-04-03

History

#1 Updated by exit-1 2014-09-07 03:38:05

Tails Greeter: Use persistence, More options - set Administration password
Start Tor Browser

Download thttpd https://packages.debian.org/squeeze/thttpd
to /home/amnesia/Persistent

Create index.html and any other files in folder /www

Create text file thttpd-tor-start
C&P the following

#!/bin/bash
dpkg -i /home/amnesia/Persistent/thttpd_2.25b-11_i386.deb
## Edit "2.25b-11_i386" if different

echo "ENABLED=yes" > /etc/default/thttpd
cp -R /home/amnesia/Persistent/www /var
chmod 755 /var/www
chmod a+r /var/www/*
/etc/init.d/thttpd start

echo -n "HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 " >> /etc/tor/torrc
hostname -I >> /etc/tor/torrc
/etc/init.d/tor restart

sleep 5
cat /var/lib/tor/hidden_service/hostname

Open Root Terminal
#chmod 755 /home/amnesia/Persistent/thttpd-tor-start
#/home/amnesia/Persistent/thttpd-tor-start
Output URL is the Hidden Service address

Then either
- Save this URL
#cp -R /var/lib/tor/hidden_service /home/amnesia/Persistent

Or
- Use a previously saved hidden_service
On another unlocked and mounted Tails USB
#cp -R /media/TailsData/Persistent/hidden_service /home/amnesia/Persistent
Then /Or the live USB
#cp -R /home/amnesia/Persistent/hidden_service /var/lib/tor
Check permissions
#ls -l /var/lib/tor | grep hidden_service
And fix if necessary
#chown debian-tor /var/lib/tor/hidden_service

Restart Tor again
#/etc/init.d/tor restart
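
As an added example that is not part of the ticket, its attached documentation, or Tails' own code: bash functions covering the two steps of the script above that most often go wrong, appending the torrc block (written with an explicit 127.0.0.1:80 target instead of the output of `hostname -I`, which prints every configured address) and checking the restored hidden_service directory, since Tor refuses to load a HiddenServiceDir that is group/world accessible or owned by another user. Paths default to the ticket's values; the owner name is a parameter so the functions can be tried as any user on a scratch directory, and GNU stat/mktemp (as on Tails) are assumed.

```shell
#!/bin/bash
# Added example (not from the ticket): explicit torrc block + HiddenServiceDir
# check. Assumes GNU stat/mktemp; owner is a parameter (default debian-tor).

# Append HiddenServiceDir/HiddenServicePort to TORRC once. Returns 0 if the
# block was added, 1 if it was already present. The target is an explicit
# 127.0.0.1:80; the ticket's `hostname -I` can print several addresses and
# then yields a malformed HiddenServicePort line.
add_hidden_service() {
    local torrc="$1" hsdir="$2" vport="${3:-80}" target="${4:-127.0.0.1:80}"
    if grep -qxF "HiddenServiceDir $hsdir" "$torrc" 2>/dev/null; then
        return 1
    fi
    printf 'HiddenServiceDir %s\nHiddenServicePort %s %s\n' \
        "$hsdir" "$vport" "$target" >> "$torrc"
}

# Tor refuses a HiddenServiceDir that is group/world accessible or not owned
# by its own user; a copy restored from Persistent often fails both.
# Returns 0 for "<owner> 700", 1 for wrong owner/mode, 2 if the dir is missing.
check_hs_dir() {
    local hsdir="$1" owner="${2:-debian-tor}" st
    [ -d "$hsdir" ] || { echo "missing: $hsdir" >&2; return 2; }
    st=$(stat -c '%U %a' "$hsdir")
    if [ "$st" = "$owner 700" ]; then
        return 0
    fi
    echo "bad owner/mode on $hsdir: $st (want $owner 700)" >&2
    return 1
}

# The repair the ticket does by hand (chown), plus the mode, then re-check.
fix_hs_dir() {
    local hsdir="$1" owner="${2:-debian-tor}"
    chown -R "$owner" "$hsdir" && chmod 700 "$hsdir" \
        && check_hs_dir "$hsdir" "$owner"
}

# Scratch demo on a constructed temp tree (never the live /etc/tor/torrc).
demo() {
    local tmp; tmp=$(mktemp -d)
    add_hidden_service "$tmp/torrc" "$tmp/hidden_service/"
    mkdir -m 755 "$tmp/hidden_service"    # deliberately too permissive
    check_hs_dir "$tmp/hidden_service" "$(id -un)" \
        || fix_hs_dir "$tmp/hidden_service" "$(id -un)"
    cat "$tmp/torrc"; rm -rf "$tmp"
}
```

Run `demo` (or source the file and call the functions with the real paths as root) before `/etc/init.d/tor restart`; a non-zero return from check_hs_dir is the condition the ticket's `ls -l | grep hidden_service` step is looking for.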

#2 Updated by intrigeri 2014-09-07 21:06:03

I don’t get what action we’re expected to take about this, if any => please clarify.

#3 Updated by exit-1 2014-09-08 11:21:32

Thanks intrigeri.

This is a suggested Read Me file for how to configure ‘thttpd’ with Tor for users interested in setting up their own Hidden Service. If someone with experience can add security fixes I’m not aware of, that would be good. I’m also interested in other ideas, which others here may have. I feel this feature is missing on Tails as it stands, and my experience is that it isn’t easy to get the information, or to get the server working. Just a text file in the next upgrade, maybe in the documentation too.. But it depends how getting ‘thttpd’ working is considered as an improvement to the capability of Tails.

Also, please can you delete my original post as I didn’t check the preview before submitting? The ’##’s became numbered list items. Or edit it to the corrected version I made after and delete that.

#4 Updated by intrigeri 2014-09-08 19:57:52

  • Subject changed from tor-thttpd-read-me to Document how to serve files over HTTP behind a Tor Hidden Service
  • Category deleted (Tor configuration)
  • Feature Branch deleted (thttpd)

OK, got it. Retitling the ticket accordingly. Next step is to read https://tails.boum.org/contribute/how/documentation/, then :)

#5 Updated by exit-1 2014-09-09 12:25:42

Great :) I’m on it now..

#6 Updated by sajolida 2014-09-09 12:41:40

Note that until now, we never really documented such advanced usage of Tails. I’m not saying that this is out of question, but as it would be a first time, this might generate quite a lot of debate and overhead.

And also, how would this relate to Feature #7870?

#7 Updated by sajolida 2014-09-09 12:42:21

#8 Updated by intrigeri 2014-09-09 13:01:06

> Note that until now, we never really documented such advanced usage of Tails. I’m not saying that this is out of question, but as it would be a first time, this might generate quite a lot of debate and overhead.

This was my initial thought, and then I noticed that we have an “Advanced topics” section at the bottom of https://tails.boum.org/doc/, and well, we’ll have to go through it at some point anyway, as part of our “let’s make power-users happy, in the hope that they become contributors” plan.

> And also, how would this relate to Feature #7870?

IIRC, OnionShare only supports one-time downloads, while the proposed scheme here is about serving files on a longer term.

#9 Updated by sajolida 2014-09-10 09:00:20

I totally agree with that and would love seeing more interesting things in that section. Still, I’m a bit concerned about our capacity to write and maintain user documentation in terms of quantity :) But the “Advanced section” can be more sloppy than the rest I guess.

> IIRC, OnionShare only supports one-time downloads, while the proposed scheme here is about serving files on a longer term.

I didn’t know.

So exit-1, I’m waiting for your branch! :)

#10 Updated by sajolida 2014-09-10 09:01:13

  • Status changed from New to Confirmed
  • Assignee set to exit-1
  • Type of work changed from Discuss to Documentation
  • Starter set to No

#11 Updated by exit-1 2014-09-10 13:01:57

Thanks sajolida - I’m taking note of the guidelines and other documentation to aim for consistent language and style.. so as not to be sloppy :)

#12 Updated by exit-1 2014-09-14 04:05:43

Here’s an update on progress attached. Couldn’t use ‘ikiwiki’..
Does it need commentary? A short paragraph to begin or end perhaps.
Also mailed to https://mailman.boum.org/listinfo/tails-dev/
- please review.

#13 Updated by Anonymous 2014-09-14 05:02:19

> IIRC, OnionShare only supports one-time downloads, while the proposed scheme here is about serving files on a longer term.

That is actually not correct.

First of all, OnionShare can continue serving the file(s) to share if you ask it to do so. The one time download is the default though. It is supposed to decrease the attack surface if the HS is not available for a longer period.

Secondly, the author is also working on a way to have several HS instances running at the same time, instead of only one.

#14 Updated by intrigeri 2014-09-14 20:30:15

> That is actually not correct.

Thanks for correcting me!

> Secondly, the author is also working on a way to have several HS instances running at the same time, instead of only one.

Good to hear. It’ll still be limited to serving one file at a time (and thus, unable to serve any non-200%-trivial website), or am I mistaken here too?

#15 Updated by sajolida 2014-09-15 08:38:33

  • Assignee changed from exit-1 to sajolida
  • Feature Branch set to doc/7879-http-server

Thanks for the file!

I converted it into markdown and pushed it in the branch doc/7879-http-server. You can see the resulting file on http://git.tails.boum.org/tails/tree/wiki/src/doc/advanced_topics/http_server.mdwn?h=doc/7879-http-server

Markdown is much easier for us to work on since its syntax removes all the tagging and noise from HTML. Please base your work on this document as from now on and send the modified markdown file only.

I’ll review your work in some days and send my comments on tails-dev if that’s ok for you. We prefer to have discussions related to development on the mailing list than on Redmine.

And if you want to give it a second try to ikiwiki, you can check out this documentation: https://tails.boum.org/contribute/build/website/. But working on the markdown file will be good enough for a first contribution :)

#16 Updated by exit-1 2014-09-15 15:42:50

Yes that’s fine. Thank you sajolida.

#17 Updated by Anonymous 2014-09-16 04:19:37

> > Secondly, the author is also working on a way to have several HS instances running at the same time, instead of only one.
>
> Good to hear. It’ll still be limited to serving one file at a time (and thus, unable to serve any non-200%-trivial website), or am I mistaken here too?

This is correct :)

From what i get, it’s only supposed to be a file sharing utility, and thus serving a website would probably be out of scope.

#18 Updated by exit-1 2014-09-24 08:09:38

Attached markdown file.

#19 Updated by exit-1 2014-09-27 16:33:02

Updated markdown file attached. Comments welcome, also mailed tails-dev.

#20 Updated by sajolida 2014-10-03 05:05:43

  • Assignee changed from sajolida to exit-1

#21 Updated by BitingBird 2015-01-19 20:13:31

Ping ?

#22 Updated by matsa 2015-01-19 22:30:59

I gave a try, and obtained a working configuration.
You can see the documentation in matsa/7879-http-server-with-nginx or directly online:
http://repo.or.cz/w/tails/matsa.git/blob/refs/heads/7879-http-server-with-nginx:/wiki/src/doc/advanced_topics/http_server_with_nginx.mdwn

I would be pleased to have some feedback.
Thanks, and cheers

#23 Updated by sajolida 2015-02-20 18:40:52

  • Assignee changed from exit-1 to sajolida
  • QA Check changed from Dev Needed to Ready for QA

I’ll have a look.

#24 Updated by sajolida 2015-02-21 22:12:54

  • Assignee changed from sajolida to matsa
  • QA Check changed from Ready for QA to Dev Needed

Simplified instructions based on lighttpd:

https://mailman.boum.org/pipermail/tails-dev/2015-February/008207.html

#25 Updated by sajolida 2015-03-13 15:47:21

Once we get this we should update /support/faq#hidden_service.

#26 Updated by intrigeri 2015-03-19 18:17:41

  • related to Feature #5688: Tails Server: Self-hosted services behind Tails-powered onion services added

#27 Updated by segfault 2015-03-23 00:11:38

Some days ago I wrote my own scripts to host a hidden web service with Tails, because I didn’t know about this existing work. I like this solution a lot.

<EDIT (February 2016)>: I think the following was correct back then, but it isn’t now (Tails 2.0). Currently no modifications of iptables are needed to connect to the hidden service.

But connections to the hidden service are blocked by iptables, you need this line to allow it:

iptables -I OUTPUT -d 127.0.0.1/32 -o lo -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner debian-tor -j ACCEPT


This can also be done with this entry in /etc/ferm/ferm.conf in chain OUTPUT, outerface lo:

# White-list access to hidden web service
daddr 127.0.0.1 proto tcp syn dport 80 {
    mod owner uid-owner debian-tor ACCEPT;
}

I think this progress should be mentioned in the blueprint of Tails server.

#28 Updated by BitingBird 2016-06-29 07:29:00

  • Assignee changed from matsa to segfault

segfault: blueprints are writable by anyone :)

#29 Updated by segfault 2016-06-29 07:41:31

  • Status changed from Confirmed to Rejected
  • Assignee deleted (segfault)
  • QA Check deleted (Dev Needed)

This will be part of Tails Server, which I am currently working on.