Make website accessible through TOR only?

Freek Member
edited December 2012 in Help

The topic title might be a bit weird but basically I was wondering: Is it possible to make your website only accessible through TOR? I've found this tutorial on how to set up a TOR website on Windows, but I was wondering if it's possible on Ubuntu/Linux with Nginx?

Thanks!

Comments

  • joepie91 Member, Patron Provider
    edited December 2012

    @Freek said: The topic title might be a bit weird but basically I was wondering: Is it possible to make your website only accessible through TOR? I've found this tutorial on how to set up a TOR website on Windows, but I was wondering if it's possible on Ubuntu/Linux with Nginx?

    Thanks!

    Yes. Simply install TOR and set up a hidden service. This is possible on any OS that runs TOR.

    EDIT: Additionally, you'll want to make your service (httpd, etc) only listen on localhost.

  • gubbyte Member
    edited December 2012
    • set up a site/hidden service on an .onion domain, but note that clearweb-to-tor proxies exist
    • check visitors' hosts to see if they're connecting from a tor exit node
  • I wonder how this works and I am too lazy to dig the documentation now.
    Would someone please tell me how it works - the tor node with the .onion site communicates / receives requests from the Tor entry nodes, the Tor middle nodes or the Tor exit nodes?

  • joepie91 Member, Patron Provider

    @rds100 said: I wonder how this works and I am too lazy to dig the documentation now.

    Would someone please tell me how it works - the tor node with the .onion site communicates / receives requests from the Tor entry nodes, the Tor middle nodes or the Tor exit nodes?

    When running a hidden service, you are effectively combining two TOR "tunnels". The chain looks something like this:

    Visitor -> Their entry node -> Their middle node -> Single exit node <- Your middle node <- Your entry node <- You (or your service, rather).

    The data is encrypted all the way through. Setting up a hidden service really just means that you create a .onion address through which you are reachable, and when traffic for that .onion address arrives on your server, TOR will effectively reverse-proxy whatever "destination" you specified for that address. This will usually be something like localhost:80.

  • @joepie91 said: Yes. Simply install TOR and set up a hidden service. This is possible on any OS that runs TOR.

    EDIT: Additionally, you'll want to make your service (httpd, etc) only listen on localhost.

    Thanks. I was looking for the correct terminology.
    You don't happen to have a tutorial lying around somewhere to do this?

    @gubbyte said: but note that clearweb-to-tor proxies exist

    That's not a problem, since in the end the site is still hosted from/via TOR.

  • joepie91 Member, Patron Provider

    @Freek said: Thanks. I was looking for the correct terminology.

    You don't happen to have a tutorial lying around somewhere to do this?

    TOR has pretty good documentation :)

    https://www.torproject.org/docs/tor-hidden-service.html.en

  • Slow service, slow network, enjoy pulling your hair out

  • @bamn said: Slow service, slow network, enjoy pulling your hair out

    Hey, some of us still remember the days of the dialup internet. Or internet transported over damn slow X25 to somewhere else...

  • Maounique Host Rep, Veteran

    :o I remember internet over short waves and BBSs...

  • Amitz Member
    edited December 2012

    I even remember my acoustic coupler. :)
    Ah! The beauty of the past... Watching the status bar all night while downloading 200 kilobyte of data with a pillow over the coupler to avoid any noise interferences...

  • @joepie91 said: Yes. Simply install TOR and set up a hidden service. This is possible on any OS that runs TOR.

    I did this, was pretty easy :D

    EDIT: Additionally, you'll want to make your service (httpd, etc) only listen on localhost.

    But I can't get this to work: Nginx keeps listening at 'normal' http; if I type in the IP of my server, my webpage still pops up. I changed my IP in /etc/nginx/site-available/... to localhost but that doesn't solve it :P (restarted nginx).

    How can I prevent my VPS from serving webpages over normal HTTP and only over TOR?

    Thanks!

  • @Amitz said: I even remember my acoustic coupler. :)

    Now that's old school, I got involved with computers fairly young but I never had the displeasure of using an acoustic coupler.

  • Maounique Host Rep, Veteran

    @Freek said: How can I prevent my VPS from serving webpages over normal HTTP and only over TOR?

    In the worst case scenario, you can block port 80 with iptables and ip6tables if you have ipv6 too.

  • @Maounique said: In the worst case scenario, you can block port 80 with iptables and ip6tables if you have ipv6 too.

    Is there no simpler method to say to Nginx 'no-no don't listen to mister IPv4! Only to mister TOR' ?

    Thanks!

  • exussum Member
    edited December 2012

    server { listen 80; server_name localhost;

    in your config maybe ?

    edit

    or
    server { listen 127.0.0.1:80;

  • Tor is interesting, but I wouldn't touch it with a 50 foot pole. It's a honeypot. Look at the funders/sponsors/original money.

    Been too many high profile cases, busts, etc. over it and folks running end nodes monitoring all sorts of stuff. Far too few public facing nodes to overcome the issues through fragmentization.

    Conceptually good, implemented bad.

    Question is, what other alternatives are there currently?

  • @exussum said: server { listen 80; server_name localhost;

    in your config maybe ?

    In /etc/nginx/nginx.conf ?

  • yeah. the server line should already be there. edit below

  • joepie91 Member, Patron Provider

    @exussum said: server { listen 127.0.0.1:80;

    I believe that would be the correct syntax.

  • Also, I'm not 100% sure with nginx, but check everywhere to make sure it doesn't show its real IP address. Otherwise it's pointless hiding through Tor.

    they recommend thttpd

  • Maounique Host Rep, Veteran

    Of course there is another way, but it is not simpler :) Add a block and it is done, you also solve arbitrary probing for vulnerabilities there.
    If you need port 80 for something else (usually another webserver), then it is a different story.

  • @exussum said: yeah. the server line should already be there. edit below

    The server-line is not in there but it is in my /etc/nginx/site-available/site configuration:
    http://pastebin.com/7hP6uDAr
    (Changing localhost to 127.0.0.1:80 makes no difference)

  • change the listen rather than the server name.
    change will need a restart

  • Well if you were crazy enough.. you can default block port 80 to all IPs then download an IP list of all TOR EXIT nodes and have iptables only allow those IPs to connect...

  • Aaron Member
    edited December 2012

    @TheHackBox said: Well if you were crazy enough.. you can default block port 80 to all IPs then download an IP list of all TOR EXIT nodes and have iptables only allow those IPs to connect...

    No need to download a list of Tor exits. Users connecting through the hidden service will be coming from 127.0.0.1. Just block port 80 with iptables and ip6tables.

    Edit: Of course, figuring out the nginx config to listen only on localhost would be better.

  • @Aaron said: No need to download a list of Tor exits. Users connecting through the hidden service will be coming from 127.0.0.1. Just block port 80 with iptables and ip6tables.

    My crazy method involves people coming over clearweb port 80 not a hidden service.

  • joepie91 Member, Patron Provider

    @TheHackBox said: My crazy method involves people coming over clearweb port 80 not a hidden service.

    image

  • CAUSE IT SOUNDED LIKE FUN @joepie91 :P

  • Freek Member
    edited December 2012

    @exussum said: change the listen rather than the server name.

    change will need a restart

    Thanks for the reply. I changed the listen instead of the server name and it worked :D !
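
The fix the thread converges on (change `listen`, not `server_name`) can be checked mechanically. The following is an added example, not part of any post above: it scans nginx configuration text for `listen` directives that bind to non-loopback addresses. The sample configs are constructed, the function names are hypothetical, and treating the hostname `localhost` as loopback is an assumption about the resolver.

```python
import ipaddress
import re

# Constructed samples: the first attempt from the thread and the working fix.
BEFORE = "server {\n    listen 80;\n    server_name localhost;\n}\n"
AFTER = "server {\n    listen 127.0.0.1:80;\n    server_name localhost;\n}\n"

# A listen directive starts a line or follows '{' or ';' on the same line.
LISTEN_RE = re.compile(r"(?:^|(?<=[{;]))\s*listen\s+([^;]+);", re.MULTILINE)

def bind_host(listen_args):
    """Return the host part of a listen value, or None when only a port is given."""
    addr = listen_args.split()[0]        # drop flags such as default_server
    if addr.startswith("unix:"):
        return "unix"
    if addr.startswith("["):             # IPv6 form: [::1]:80 or [::]:80
        return addr[1:addr.index("]")]
    if addr.isdigit():                   # bare port means every address
        return None
    return addr.rsplit(":", 1)[0] if ":" in addr else addr

def is_loopback_only(host):
    """True when the listener cannot be reached from another machine."""
    if host is None or host == "*":
        return False
    if host in ("unix", "localhost"):    # assumption: localhost resolves to loopback
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                     # any other hostname is treated as exposed

def exposed_listeners(conf_text):
    """List listen values that accept connections from outside the machine."""
    conf_text = re.sub(r"#.*", "", conf_text)   # ignore commented-out directives
    return [v.strip() for v in LISTEN_RE.findall(conf_text)
            if not is_loopback_only(bind_host(v))]

if __name__ == "__main__":
    print("before:", exposed_listeners(BEFORE))  # server_name does not restrict binding
    print("after: ", exposed_listeners(AFTER))
```

An empty result for every included file means the web server is only reachable through the hidden service's local forward; the firewall block suggested earlier in the thread remains a useful second layer.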
