Saturday, 26 October 2024

Create your website on TOR


[1] Installing and Configuring Tor

Tor comes in two components: the Tor browser, and the Tor server. The Tor browser is used to access either websites on the Clearnet while maintaining your anonymity, or websites hidden on the Tor network itself. In both cases, you remain anonymous to the website. However, if you want to hide your own website, you will need the Tor server. To install those two components on your Kali Linux system, you will need to issue the following commands:

    apt update
    apt install tor torbrowser-launcher torsocks apache2 -y

[2] Setting up an HTTP Server

It is time now to configure your web server. You can use any webserver you like. For the sake of this tutorial, however, we will use Apache server on Kali Linux. One important consideration you should be aware of is the fact that your web server must run on localhost only; that is, it must be listening only on 127.0.0.1. The reason this is important is that it guarantees the anonymity we are after. The default behavior of Apache server — once you start it — is to listen on all available interfaces. If you do not change that, your web server may become accessible from Clearnet in addition to the Tor network, and you do not want that. You want your website to be accessible only from Tor. To change this behavior, we will edit the file /etc/apache2/ports.conf:

    edit /etc/apache2/ports.conf

Then, change the IP address 0.0.0.0 to 127.0.0.1 for port 80 and 443 (SSL/TLS) as follows:

Then, save the file ports.conf.

Add the files of your website to the directory /var/www/html. For the sake of this tutorial, we will create the file oursite.html which will include the following HTML code:

Now, we will save the file oursite.html in /var/www/html. It is time to start Apache:

    /etc/init.d/apache2 restart

We can now verify that our website is accessible on localhost by opening it in a normal web browser, e.g., Firefox, at the address

    http://localhost/torsite.html
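One way to confirm the loopback-only requirement after restarting Apache is to audit the listening sockets rather than trust the edited ports.conf. This is an added example, not part of the original tutorial; it parses `ss -H -ltn` output, and the function names and the sample socket table are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 511      0.0.0.0:80      0.0.0.0:*
LISTEN 0 511    127.0.0.1:443     0.0.0.0:*
LISTEN 0 4096   127.0.0.1:9050    0.0.0.0:*
LISTEN 0 511            *:8080          *:*
LISTEN 0 511        [::1]:80         [::]:*
LISTEN 0 128  192.0.2.10%eth0:22  0.0.0.0:*
"""


def is_loopback(host):
    """True only for 127.0.0.0/8 and ::1; wildcards count as exposed."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets, %iface
    if host == "*":  # dual-stack wildcard as printed by ss
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable address: treat as exposed


def exposed_listeners(ss_output, ports=(80, 443)):
    """Return (address, port) pairs for web ports bound off loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")  # Local Address:Port
        if port.isdigit() and int(port) in ports and not is_loopback(host):
            findings.append((host, int(port)))
    return findings


if __name__ == "__main__":
    import sys
    # Pipe real data in (ss -H -ltn | python3 this_file.py) or run bare
    # to see the result for the constructed sample.
    data = SAMPLE_SS if sys.stdin.isatty() else sys.stdin.read()
    for host, port in exposed_listeners(data):
        print(f"exposed: {host}:{port}")
```

An empty result means every listener on the checked ports is bound to loopback, which is the state the tutorial requires before Tor is pointed at the server.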

[3] Add the Website to Tor

Now that we have our web server listening on localhost, we can configure our Tor program to designate this server as a Tor hidden service. We do this by editing Tor configuration file /etc/tor/torrc as follows:

    HiddenServiceDir /var/lib/tor/hidden_service/
    HiddenServicePort 80 127.0.0.1:80
    HiddenServiceDir /var/lib/tor/hidden_service1/
    HiddenServicePort 81 127.0.0.1:81

We need to uncomment the line starting with HiddenServiceDir. We can add as many HiddenServiceDir as we want depending on the number of hidden services we want to host. And then, we need to uncomment the line with the HiddenServicePort directive.

[4] Run Tor Service

After editing the configuration file, we need to run the actual Tor service. It will perform all necessary work to register your website in the Tor network. It will also create private and public keys for encryption and will create an onion address which people are going to use to access your website.

    tor

    Nov 13 17:18:09.832 [notice] Tor 0.3.4.8 (git-5da0e95e4871a0a1) running on Linux
    Nov 13 17:18:09.851 [notice] Tor can't help you if you use it wrong!
    Nov 13 17:18:09.947 [notice] Read configuration file "/etc/tor/torrc".
    Nov 13 17:18:36.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
    Nov 13 17:18:37.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
    Nov 13 17:18:37.000 [notice] Bootstrapped 100%: Done

Once it is done, leave the terminal window open. The Tor program will create two files under the directory /var/lib/tor/hidden_service/ and those files are:

hostname: this file contains the Onion address of your website.

private_key: this file contains the private key. It should be completely secure.

One important note here is that the private_key file must be kept confidential and secure. Tor generates for your website two keys: public and private. The public key is sent to the actual Tor network and gets stored in a directory database along with many other public keys of other websites. Users wishing to access your website use that public key to make the connection. However, your local Tor service uses the private key to decrypt the traffic.

[5] Accessing the Hidden Website

If you have done everything correctly up to now, you should have your onion address in the file /var/lib/tor/hidden_service/hostname. In our example, we have the following address:

    cd /var/lib/tor/hidden_service/
    cat hostname

http://idtirp7vx6rcpxgkmm3t6ungbuq6wcsinjggfhmppuv2e2prux4gc6qd.onion

All you need to do now is to open a Tor Browser — from any system on the Internet — and type the above address in the URL bar:

    torbrowser-launcher &

Notice that we also need to enter the html file name — we created earlier — after the address. Thus, our address looks exactly like this: idtirp7vx6rcpxgkmm3t6ungbuq6wcsinjggfhmppuv2e2prux4gc6qd.onion/torsite.html

from https://cristiancmoises.github.io/-torsite.html

Sunday, 10 May 2020

Create Tor Hidden Onion Service Using Nginx


This post demonstrates how to create a Tor hidden onion service using the Nginx web server. This tutorial is for a server running Debian 10, also known as Debian Buster.
All commands are issued as root.

Install Firewall

Update system:

    apt update
    apt upgrade

Install, enable, and start nftables:

    apt install nftables
    systemctl enable nftables
    systemctl start nftables

Add a rule to accept all related and established traffic:

    nft add rule inet filter input ct state related,established counter accept

Add a rule to accept loopback interface traffic:

    nft add rule inet filter input iif lo counter accept

Open access to port 22, which is the SSH port:

    nft add rule inet filter input tcp dport 22 counter accept

Drop all other traffic:

    nft add rule inet filter input counter drop

Note that we do not need to open port 80, the HTTP port. An onion service accepts no inbound connections: the Tor daemon makes outbound connections to the Tor network and meets its clients at rendezvous points.

Persist the firewall across reboots:

    nft list ruleset > /etc/nftables.conf

Install Web Server

Install the Nginx web server:

    apt install nginx

This installs Nginx version 1.14.2.

Edit the main Nginx configuration file:

    vi /etc/nginx/nginx.conf

In the main http block, uncomment the line that prevents display of revealing information:

    server_tokens off;

Add a line to prevent someone presenting your site's content in a frame on some other site:

    add_header X-Frame-Options "SAMEORIGIN";

Add a line to reduce the possibility of cross-site scripting:

    add_header X-XSS-Protection "1; mode=block";

Add lines to limit buffer sizes, thus reducing the potential for buffer overflow attacks:

    client_body_buffer_size 1k;
    client_header_buffer_size 1k;
    client_max_body_size 1k;
    large_client_header_buffers 2 1k;

Write the Nginx configuration file to disk, and quit the editor.

Edit the default host configuration file:

    vi /etc/nginx/sites-available/default

Comment out the lines that make Nginx listen on TCP port 80, and add a line that makes Nginx listen on a Unix socket:

    server {
        #listen 80 default_server;
        #listen [::]:80 default_server;
        listen unix:/var/run/nginx.sock;

Still within the server block, restrict unnecessary HTTP request types by adding the lines:

    if ($request_method !~ ^(GET|HEAD|POST)$ )
    {
        return 405;
    }

Write the default host configuration file to disk, and quit the editor.

Edit the system service file:

    vi /lib/systemd/system/nginx.service

In the [Service] block, add a line to contain Nginx within its own private network, with only a loopback interface:

    PrivateNetwork=yes

Write the Nginx service file to disk, and quit the editor.

Restart the web server with the new configuration:

    systemctl daemon-reload
    systemctl restart nginx
    systemctl status nginx

Install Tor

Now we install Tor and create the hidden service.

Install the prerequisite package:

    apt install apt-transport-https

Add the Tor repositories to your Advanced Packaging Tool (APT) sources list:

    vi /etc/apt/sources.list

Add lines at the bottom for the Tor project repositories:

    deb https://deb.torproject.org/torproject.org buster main
    deb-src https://deb.torproject.org/torproject.org buster main

Write the file to disk, and quit the editor.

Add the GNU Privacy Guard (GPG) key used to sign the Tor packages:

    apt install gpg
    apt install curl
    curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
    gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -

Update your package lists:

    apt update

Install Tor from the Tor project repository:

    apt install tor deb.torproject.org-keyring

Edit the main Tor configuration file:

    vi /etc/tor/torrc

Completely replace its original contents with the following:

    Log notice file /var/log/tor/log
    RunAsDaemon 1
    DataDirectory /var/lib/tor
    HiddenServiceDir /var/lib/tor/hiddenservicename/
    HiddenServicePort 80 unix:/var/run/nginx.sock

Instead of literally putting hiddenservicename in the above, you should put a meaningful name of your own choosing.

Write the file to disk, and quit the editor.

Restart Tor for this change:

    systemctl restart tor

Check that Tor is up and running:

    tail /var/log/tor/log

You should see a message:

    Bootstrapped 100% (done): Done

To determine your onion URL, issue the command:

    cat /var/lib/tor/hiddenservicename/hostname

Instead of literally putting hiddenservicename, you should put the name you previously chose in the above.

You will get a response containing a domain name of 56 characters, suffixed by .onion. It will look like this:

    uvbmrlw3vmbvz3q7cmf3pff777mavz3o4gwtgc6xu7zsvgvfuslcoryd.onion

You should also save the keys somewhere safe, where only you have access to them. The file names are hs_ed25519_public_key and hs_ed25519_secret_key.

Change the server name by editing the default site configuration file:

    vi /etc/nginx/sites-available/default

Amend the server_name _; line to read:

    server_name uvbmrlw3vmbvz3q7cmf3pff777mavz3o4gwtgc6xu7zsvgvfuslcoryd.onion;

Write the file to disk, and quit the editor.

Restart Nginx:

    systemctl stop nginx
    rm /var/run/nginx.sock
    systemctl start nginx
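The 56-character hostname is derived from the service's ed25519 public key, so a key backup can be checked against the address it is supposed to serve. This is an added example, not code from the original post or the Tor project; it follows the v3 address encoding in Tor's rendezvous specification, and the function names and the constructed demonstration key are assumptions.

```python
import base64
import hashlib

VERSION = b"\x03"  # v3 onion services
# hs_ed25519_public_key = 32-byte tagged header followed by the 32-byte key
KEY_HEADER = b"== ed25519v1-public: type0 ==\x00\x00\x00"


def onion_from_pubkey(pubkey: bytes) -> str:
    """base32(pubkey | checksum | version) + '.onion'."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    digest = hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()
    raw = pubkey + digest[:2] + VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"


def pubkey_from_keyfile(blob: bytes) -> bytes:
    """Extract the raw key from the contents of hs_ed25519_public_key."""
    if len(blob) != 64 or not blob.startswith(KEY_HEADER):
        raise ValueError("not an hs_ed25519_public_key file")
    return blob[32:]


def is_valid_v3(address: str) -> bool:
    """True if the address has the right length, version and checksum."""
    label = address.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # characters outside the base32 alphabet
        return False
    return raw[34:] == VERSION and onion_from_pubkey(raw[:32]) == label + ".onion"


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:  # no directory given: show a constructed key
        print(onion_from_pubkey(bytes(range(32))))
        sys.exit(0)
    hs_dir = sys.argv[1]  # the HiddenServiceDir, or a backup copy of it
    with open(f"{hs_dir}/hs_ed25519_public_key", "rb") as f:
        derived = onion_from_pubkey(pubkey_from_keyfile(f.read()))
    with open(f"{hs_dir}/hostname") as f:
        published = f.read().strip()
    print("match" if derived == published else f"MISMATCH: {derived} != {published}")
```

Run against a backup directory, a mismatch means the saved key does not belong to the published address, so restoring it would bring the service up under a different name.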

Test

You may have to wait ten minutes or so for your hidden service onion address to propagate.
Now, to test your work so far, download and install the Tor Browser from the Tor project site at https://www.torproject.org.
In your Tor Browser, visit your onion site. For example:
http://uvbmrlw3vmbvz3q7cmf3pff777mavz3o4gwtgc6xu7zsvgvfuslcoryd.onion
You should see the Welcome to Nginx! page, as illustrated in the screenshot that accompanies this post.