mathilde

Make your website available on Tor

As prerequisites

We also consider the following:

First, add the official Tor Project APT repositories:

$ sudo vim /etc/apt/sources.list.d/tor.list
deb     [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main
deb-src [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org bookworm main

Don't skip this step and fall back to the outdated and insecure packages provided by your distribution.

Then, add the necessary signing key to your operating system keyring:

# wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/deb.torproject.org-keyring.gpg >/dev/null

Now, update your package repository lists:

$ sudo apt update

You can install the Tor and keyring packages once it's done:

$ sudo apt install tor deb.torproject.org-keyring -yy

Configure Tor to use Unix sockets (more secure) and add your website:

$ sudo vim /etc/tor/torrc
HiddenServiceDir /var/lib/tor/YOUR-WEBSITE.TLD/
HiddenServicePort 80 unix:/run/tor/YOUR-WEBSITE.TLD.sock

Leave the rest of the configuration commented out: you don't want to start running an exit relay on your home server!

Restart the Tor service:

$ sudo systemctl restart tor.service

Check that it's running properly:

$ sudo systemctl status tor.service
● tor.service - Anonymizing overlay network for TCP (multi-instance-master)
Loaded: loaded (/lib/systemd/system/tor.service; enabled; preset: enabled)
Active: active (exited) since Fri 2024-12-06 19:25:42 CET; 5s ago
  Process: 407938 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
  Main PID: 407938 (code=exited, status=0/SUCCESS)
  CPU: 4ms

Dec 06 19:25:42 YOUR-SERVER-HOSTNAME systemd[1]: Starting tor.service - Anonymizing overlay network for TCP (multi-instance-master>
Dec 06 19:25:42 YOUR-SERVER-HOSTNAME systemd[1]: Finished tor.service - Anonymizing overlay network for TCP (multi-instance-master>

Get your Tor hostname for your website:

$ sudo cat /var/lib/tor/YOUR-WEBSITE.TLD/hostname
somerandomstringthatisuniquethankstotorv3.onion

Add a new server section to your Nginx virtual host configuration. See the following example for a basic static website, like mine:

server {
    listen unix:/run/tor/YOUR-WEBSITE.TLD.sock;
    server_name somerandomstringthatisuniquethankstotorv3.onion;

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    add_header Referrer-Policy origin always;
    #add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

    access_log /var/log/nginx/YOUR-WEBSITE.TLD/access.log;
    error_log /var/log/nginx/YOUR-WEBSITE.TLD/error.log;

    root /home/user/YOUR-WEBSITE.TLD/website/;
    index index.html;
}

Also, add the following to your normal server section so that Tor Browser offers to serve your website over Tor when it is accessed from the internet:

location / {
  add_header Onion-Location "http://somerandomstringthatisuniquethankstotorv3.onion$request_uri" always;
}

Check that everything is configured as expected and that you didn't make any errors on the Nginx side:

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If all the tests pass, apply your modifications:

$ sudo nginx -s reload

Now, open Tor Browser and access your website from the .onion URL; it should work. Accessing it over the internet should also display a purple button on the right of the navigation bar, offering to switch to the Tor network for browsing your website.
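`nginx -t` only validates syntax; it does not tell you whether Tor and Nginx agree on the socket path and on the onion address. The script below is an added example, not part of the original tutorial, that cross-checks the three files used above. The function names and the sample files it writes to a temporary directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check torrc, the onion
# hostname file and the Nginx vhost. Function names and paths are assumptions.

# Print the unix socket that HiddenServicePort targets for one HiddenServiceDir.
onion_socket() {  # $1 = torrc, $2 = HiddenServiceDir
  awk -v dir="${2%/}" '
    $1 == "HiddenServiceDir"  { d = $2; sub(/\/$/, "", d); cur = (d == dir) }
    $1 == "HiddenServicePort" && cur && $3 ~ /^unix:/ { print substr($3, 6); exit }
  ' "$1"
}

# v3 onion addresses are 56 base32 characters (the last one is always "d").
valid_v3_onion() { printf '%s\n' "$1" | grep -Eq '^[a-z2-7]{55}d\.onion$'; }

# Return 0 only if Tor and Nginx agree on the socket and the onion address.
check_onion_site() {  # $1 = torrc, $2 = HiddenServiceDir, $3 = Nginx vhost file
  rc=0
  sock=$(onion_socket "$1" "$2") || sock=""
  addr=$(cat "${2%/}/hostname" 2>/dev/null) || addr=""
  # Drop comments and squeeze whitespace so commented-out directives do not count.
  conf=$(sed 's/#.*//' "$3" | tr -s ' \t' ' ')
  has() { printf '%s\n' "$conf" | grep -Fq -- "$1"; }
  [ -n "$sock" ] || { echo "FAIL: no unix: HiddenServicePort for $2"; rc=1; }
  valid_v3_onion "$addr" || { echo "FAIL: hostname file is not a v3 address"; rc=1; }
  has "listen unix:$sock;" || { echo "FAIL: Nginx does not listen on $sock"; rc=1; }
  has "server_name $addr;" || { echo "FAIL: server_name is not $addr"; rc=1; }
  has "Onion-Location \"http://$addr\$request_uri\"" ||
    { echo "FAIL: Onion-Location does not point to $addr"; rc=1; }
  return "$rc"
}

# Constructed sample files (not real configuration) so the check runs offline.
demo=$(mktemp -d)
mkdir "$demo/hs"
onion=abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwd.onion
echo "$onion" > "$demo/hs/hostname"
cat > "$demo/torrc" <<EOF
HiddenServiceDir $demo/hs/
HiddenServicePort 80 unix:/run/tor/demo.sock
EOF
cat > "$demo/vhost" <<EOF
server { listen unix:/run/tor/demo.sock; server_name $onion; }
location / { add_header Onion-Location "http://$onion\$request_uri" always; }
EOF
check_onion_site "$demo/torrc" "$demo/hs" "$demo/vhost" && echo "OK: Tor and Nginx agree"
```

On the server itself, call check_onion_site as root with /etc/tor/torrc, /var/lib/tor/YOUR-WEBSITE.TLD and your vhost file, since the hostname file had to be read with sudo above.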

Your website is now available from the dArK wEb, congrats! 🎉

#debian #privacy #tor #tutorial