ninya9k
/
anonstream
1
1
フォーク 0
コード イシュー プルリクエスト プロジェクト リリース アクティビティ
anonstream/doc/guide/ONIONSITE.md

5.3 KiB
Raw パーマリンク Blame 履歴

Onionsite setup

You probably want to put your livestream on the Internet somehow. A simple way of doing that is to create an onion address. Follow the setup in the readme if you haven't already. You should be to access your site locally at http://127.0.0.1:5051.

Install tor. On Linux you can probably install a package called tor and be done, otherwise compile it. On Windows download this binary: https://www.torproject.org/download/tor/.

Find your torrc. On Linux it is probably at /etc/tor/torrc. On Windows it might be somewhere in %appdata%\tor or something.

Background

In Tor, a hidden service is a regular TCP service that you talk to via a 6-hop circuit created within Tor network. You initiate the creation of this circuit by providing tor with the service's hostname (a long base32-encoded string ending in ".onion"). This hostname is derived from cryptographic keys generated by the hidden service operator.

A TCP service is a computer program you interact with over the Internet using TCP, which is a low-level networking protocol sitting above IP that creates a reliable connection between two computers. TCP is ubiquitous on the Internet and a lot of applications are built on top of it, e.g. IRC, SSH, RTMP, Minecraft, and HTTP (which we're using).

Configuration

We are now going to create a hidden service. We need to give tor a directory to store the keys it generates, the location of our existing TCP service, and a virtual TCP port to listen on. There are two directives we have to add to our torrc: HiddenServiceDir and HiddenServicePort. (There is a commented-out section for hidden services in the default torrc, you probably want to make changes there.)

HiddenServiceDir

HiddenServiceDir sets the directory for the hidden service's keys and other data. You could choose any directory, but it should be owned by the user the tor daemon runs as, and its permissions should be 0700/drwx------ (rwx for user, --- for group and everyone else).

If you configure this in a way tor doesn't like, tor will kill itself and complain in one of these two ways:

Jun 11 23:21:17.000 [warn] Directory /home/n9k/projects/anonstream/hidden_service cannot be read: Permission denied

Jun 12 02:37:51.036 [warn] Permissions on directory /var/lib/tor/anonstream are too permissive.

The simplest option is to go by the examples provided in the torrc. On Linux that would probably be a directory inside /var/lib/tor, e.g.

HiddenServiceDir /var/lib/tor/anonstream

tor will create this directory itself with the uid, gid, and permissions that it likes, which for me are these:

Access: (0700/drwx------)  Uid: (   42/     tor)   Gid: (   42/     tor)
HiddenServiceDir troubleshooting

If you created the directory yourself and gave it the wrong permissions or uid or gid, delete the directory and let tor create it itself, or do this as root:

# chown -R tor:tor /var/lib/tor/anonstream
# chmod 0700 /var/lib/tor/anonstream
# chmod 0600 /var/lib/tor/anonstream/*
# chmod 0700 /var/lib/tor/anonstream/*/

If the user and group tor do not exist, your tor daemon runs as some other user. There may be a User directive in your torrc or in a file included by your torrc, for example on Debian it's User debian-tor. This means that a tor process running as root will immediately drop privileges by switching to the user debian-tor. The user's primary group should have the same name, check like this as root: # id debian-tor.

On Linux, if tor is already running you can see what user and group it is running as like this:

$ ps -C tor -o uid,gid,cmd
UID GID CMD
 42  42 tor --quiet --runasdaemon 0
$ cat /etc/passwd | grep :42: | cut -f 1 -d :  # 42 is the UID here
tor
$ cat /etc/group | grep :42: | cut -f 1 -d :  # 42 is the GID here
tor

Alternatively you could specify a directory inside the cloned repository, e.g. /home/delphine/Documents/anonstream/hidden_service or something like that. This will only work if the tor daemon has rwx permissions on the directory and at least r-x permissions on all the directories above it. This is probably not the case for you since your home folder might have 0700/drwx------ permissions. If you installed tor as a package, the daemon probably runs as its own user (e.g. debian-tor on Debian, tor on Arch/Gentoo). I would advise not going this route and instead just using /var/lib/tor/anonstream.

HiddenServicePort

Include this line verbatim directly below the HiddenServiceDir line:

HiddenServicePort 80 127.0.0.1:5051

tor will listen for connections to our onion address at virtual port 80 (the conventional HTTP port), and it will forward traffic to the TCP service at 127.0.0.1:5051 (our webserver).

Finish

Example configuration:

HiddenServiceDir /var/lib/tor/anonstream
HiddenServicePort 80 127.0.0.1:5051

Reload tor to have it reread the torrc: # pkill -HUP tor. With systemd you can alternatively do # systemctl reload tor. If everything went well, the directory will have been created and your onion address will be in $HIDDEN_SERVICE_DIR/hostname.