5.3 KiB
Onionsite setup
You probably want to put your livestream on the Internet somehow. A simple way of doing that is to create an onion address. Follow the setup in the readme if you haven't already. You should be to access your site locally at http://127.0.0.1:5051.
Install tor. On Linux you can probably install a package called tor
and
be done, otherwise compile it. On Windows download this binary:
https://www.torproject.org/download/tor/.
Find your torrc. On Linux it is probably at /etc/tor/torrc
.
On Windows it might be somewhere in %appdata%\tor
or something.
Background
In Tor, a hidden service is a regular TCP service that you talk to via a 6-hop circuit created within Tor network. You initiate the creation of this circuit by providing tor with the service's hostname (a long base32-encoded string ending in ".onion"). This hostname is derived from cryptographic keys generated by the hidden service operator.
A TCP service is a computer program you interact with over the Internet using TCP, which is a low-level networking protocol sitting above IP that creates a reliable connection between two computers. TCP is ubiquitous on the Internet and a lot of applications are built on top of it, e.g. IRC, SSH, RTMP, Minecraft, and HTTP (which we're using).
Configuration
We are now going to create a hidden service. We need to give tor a
directory to store the keys it generates, the location of our existing
TCP service, and a virtual TCP port to listen on. There are two
directives we have to add to our torrc: HiddenServiceDir
and
HiddenServicePort
. (There is a commented-out section for hidden
services in the default torrc, you probably want to make changes there.)
HiddenServiceDir
HiddenServiceDir
sets the directory for the hidden service's keys and
other data. You could choose any directory, but it should be owned by
the user the tor daemon runs as, and its permissions should be
0700/drwx------
(rwx
for user, ---
for group and everyone else).
If you configure this in a way tor doesn't like, tor will kill itself and complain in one of these two ways:
Jun 11 23:21:17.000 [warn] Directory /home/n9k/projects/anonstream/hidden_service cannot be read: Permission denied
Jun 12 02:37:51.036 [warn] Permissions on directory /var/lib/tor/anonstream are too permissive.
The simplest option is to go by the examples provided in the torrc. On
Linux that would probably be a directory inside /var/lib/tor
, e.g.
HiddenServiceDir /var/lib/tor/anonstream
tor will create this directory itself with the uid, gid, and permissions that it likes, which for me are these:
Access: (0700/drwx------) Uid: ( 42/ tor) Gid: ( 42/ tor)
HiddenServiceDir
troubleshooting
If you created the directory yourself and gave it the wrong permissions or uid or gid, delete the directory and let tor create it itself, or do this as root:
# chown -R tor:tor /var/lib/tor/anonstream
# chmod 0700 /var/lib/tor/anonstream
# chmod 0600 /var/lib/tor/anonstream/*
# chmod 0700 /var/lib/tor/anonstream/*/
If the user and group tor
do not exist, your tor daemon runs as some
other user. There may be a User
directive in your torrc or in a file
included by your torrc, for example on Debian it's User debian-tor
.
This means that a tor process running as root will immediately drop
privileges by switching to the user debian-tor
. The user's primary
group should have the same name, check like this as root:
# id debian-tor
.
On Linux, if tor is already running you can see what user and group it is running as like this:
$ ps -C tor -o uid,gid,cmd
UID GID CMD
42 42 tor --quiet --runasdaemon 0
$ cat /etc/passwd | grep :42: | cut -f 1 -d : # 42 is the UID here
tor
$ cat /etc/group | grep :42: | cut -f 1 -d : # 42 is the GID here
tor
Alternatively you could specify a directory inside the cloned
repository, e.g. /home/delphine/Documents/anonstream/hidden_service
or something like that. This will only work if the tor daemon has rwx
permissions on the directory and at least r-x
permissions on all the
directories above it. This is probably not the case for you since your
home folder might have 0700/drwx------
permissions. If you
installed tor as a package, the daemon probably runs as its own user
(e.g. debian-tor
on Debian, tor
on Arch/Gentoo). I would advise not
going this route and instead just using /var/lib/tor/anonstream
.
HiddenServicePort
Include this line verbatim directly below the HiddenServiceDir
line:
HiddenServicePort 80 127.0.0.1:5051
tor will listen for connections to our onion address at virtual port 80 (the conventional HTTP port), and it will forward traffic to the TCP service at 127.0.0.1:5051 (our webserver).
Finish
Example configuration:
HiddenServiceDir /var/lib/tor/anonstream
HiddenServicePort 80 127.0.0.1:5051
Reload tor to have it reread the torrc: # pkill -HUP tor
. With
systemd you can alternatively do # systemctl reload tor
. If
everything went well, the directory will have been created and your
onion address will be in $HIDDEN_SERVICE_DIR/hostname
.