134 行
5.3 KiB
Markdown
134 行
5.3 KiB
Markdown
### Onionsite setup
|
|
|
|
You probably want to put your livestream on the Internet somehow. A
|
|
simple way of doing that is to create an onion address. Follow the
|
|
setup in [the readme][readme] if you haven't already. You
|
|
should be to access your site locally at http://127.0.0.1:5051.
|
|
|
|
Install tor. On Linux you can probably install a package called `tor` and
|
|
be done, otherwise [compile it][tor]. On Windows download this binary:
|
|
<https://www.torproject.org/download/tor/>.
|
|
|
|
Find your [torrc][torrc]. On Linux it is probably at `/etc/tor/torrc`.
|
|
On Windows it might be somewhere in `%appdata%\tor` or something.
|
|
|
|
#### Background
|
|
|
|
In Tor, a hidden service is a regular TCP service that you talk to via a
|
|
6-hop circuit created within Tor network. You initiate the creation of
|
|
this circuit by providing tor with the service's hostname (a long
|
|
base32-encoded string ending in ".onion"). This hostname is derived
|
|
from cryptographic keys generated by the hidden service operator.
|
|
|
|
A TCP service is a computer program you interact with over the Internet
|
|
using TCP, which is a low-level networking protocol sitting above IP
|
|
that creates a reliable connection between two computers. TCP is
|
|
ubiquitous on the Internet and a lot of applications are built on top
|
|
of it, e.g. IRC, SSH, RTMP, Minecraft, and HTTP (which we're using).
|
|
|
|
#### Configuration
|
|
|
|
We are now going to create a hidden service. We need to give tor a
|
|
directory to store the keys it generates, the location of our existing
|
|
TCP service, and a virtual TCP port to listen on. There are two
|
|
directives we have to add to our torrc: `HiddenServiceDir` and
|
|
`HiddenServicePort`. (There is a commented-out section for hidden
|
|
services in the default torrc, you probably want to make changes there.)
|
|
|
|
##### `HiddenServiceDir`
|
|
|
|
`HiddenServiceDir` sets the directory for the hidden service's keys and
|
|
other data. You could choose any directory, but it should be owned by
|
|
the user the tor daemon runs as, and its permissions should be
|
|
`0700/drwx------` (`rwx` for user, `---` for group and everyone else).
|
|
|
|
If you configure this in a way tor doesn't like, tor will kill itself
|
|
and complain in one of these two ways:
|
|
```
|
|
Jun 11 23:21:17.000 [warn] Directory /home/n9k/projects/anonstream/hidden_service cannot be read: Permission denied
|
|
```
|
|
```
|
|
Jun 12 02:37:51.036 [warn] Permissions on directory /var/lib/tor/anonstream are too permissive.
|
|
```
|
|
|
|
The simplest option is to go by the examples provided in the torrc. On
|
|
Linux that would probably be a directory inside `/var/lib/tor`, e.g.
|
|
```
|
|
HiddenServiceDir /var/lib/tor/anonstream
|
|
```
|
|
tor will create this directory itself with the uid, gid, and permissions
|
|
that it likes, which for me are these:
|
|
```
|
|
Access: (0700/drwx------) Uid: ( 42/ tor) Gid: ( 42/ tor)
|
|
```
|
|
|
|
###### `HiddenServiceDir` troubleshooting
|
|
|
|
If you created the directory yourself and gave it the wrong permissions
|
|
or uid or gid, delete the directory and let tor create it itself, or do
|
|
this as root:
|
|
```sh
|
|
# chown -R tor:tor /var/lib/tor/anonstream
|
|
# chmod 0700 /var/lib/tor/anonstream
|
|
# chmod 0600 /var/lib/tor/anonstream/*
|
|
# chmod 0700 /var/lib/tor/anonstream/*/
|
|
```
|
|
|
|
If the user and group `tor` do not exist, your tor daemon runs as some
|
|
other user. There may be a `User` directive in your torrc or in a file
|
|
included by your torrc, for example on Debian it's `User debian-tor`.
|
|
This means that a tor process running as root will immediately drop
|
|
privileges by switching to the user `debian-tor`. The user's primary
|
|
group should have the same name, check like this as root:
|
|
`# id debian-tor`.
|
|
|
|
On Linux, if tor is already running you can see what user and group it
|
|
is running as like this:
|
|
```
|
|
$ ps -C tor -o uid,gid,cmd
|
|
UID GID CMD
|
|
42 42 tor --quiet --runasdaemon 0
|
|
$ cat /etc/passwd | grep :42: | cut -f 1 -d : # 42 is the UID here
|
|
tor
|
|
$ cat /etc/group | grep :42: | cut -f 1 -d : # 42 is the GID here
|
|
tor
|
|
```
|
|
|
|
Alternatively you could specify a directory inside the cloned
|
|
repository, e.g. `/home/delphine/Documents/anonstream/hidden_service`
|
|
or something like that. This will only work if the tor daemon has `rwx`
|
|
permissions on the directory and at least `r-x` permissions on all the
|
|
directories above it. This is probably not the case for you since your
|
|
home folder might have `0700/drwx------` permissions. If you
|
|
installed tor as a package, the daemon probably runs as its own user
|
|
(e.g. `debian-tor` on Debian, `tor` on Arch/Gentoo). I would advise not
|
|
going this route and instead just using `/var/lib/tor/anonstream`.
|
|
|
|
##### `HiddenServicePort`
|
|
|
|
Include this line verbatim directly below the `HiddenServiceDir` line:
|
|
```
|
|
HiddenServicePort 80 127.0.0.1:5051
|
|
```
|
|
|
|
tor will listen for connections to our onion address at virtual port 80
|
|
(the conventional HTTP port), and it will forward traffic to the TCP
|
|
service at 127.0.0.1:5051 (our webserver).
|
|
|
|
##### Finish
|
|
|
|
Example configuration:
|
|
```
|
|
HiddenServiceDir /var/lib/tor/anonstream
|
|
HiddenServicePort 80 127.0.0.1:5051
|
|
```
|
|
|
|
Reload tor to have it reread the torrc: `# pkill -HUP tor`. With
|
|
systemd you can alternatively do `# systemctl reload tor`. If
|
|
everything went well, the directory will have been created and your
|
|
onion address will be in `$HIDDEN_SERVICE_DIR/hostname`.
|
|
|
|
[readme]: https://gitler.moe/ninya9k/anonstream/src/branch/master/README.md#setup
|
|
[tor]: https://gitlab.torproject.org/tpo/core/tor
|
|
[torrc]: https://support.torproject.org/#tbb-editing-torrc
|