
Tor Hidden Services are being renamed because “Hidden Service” didn't accurately describe what was possible, so the name is being broadened to Onion Services. In this guide we will use the new name (although the configuration files still reference the old one).

If you need more information about Onion Services, the official material is available here:


Before you even proceed, please consider the following:

  1. your software must be up to date (of course, that includes Tor itself);
  2. Tor must be running and working properly;
  3. don't run a relay (exit, middle or bridge) on the same machine;
  4. hide versions and, if possible, names of the applications running your services.

You should take great care not to accidentally expose things on your server
that are restricted to the local machine. For example, if you provide /server-status
in Apache (from mod_status) to monitor the health of your Apache Web Server, that
will typically be restricted to only allow access from 127.0.0.1, or you may have
some .htaccess rules that only allow localhost, etc. When Tor runs on the same
machine and forwards onion traffic to 127.0.0.1, those requests reach the service
from localhost, so such restrictions will not keep onion visitors out.

Many Things into Onions

You can do a lot of things over onion services, not just make a website available! You can also provide IMAP, or SMTP, or deliver mail between MTAs, among many other possibilities. Spread the onions far and wide! But be careful: if the service makes DNS requests for whatever reason (like resolving where that SMTP server is to send the email), then you leak information. One way to work around this is to have the machine running your service fully protected so that all of its traffic goes through Tor all the time.


SSL/TLS isn't Necessary

You don’t really need SSL/TLS on an onion address (i.e. HTTPS) since it’s a completely encrypted tunnel + PFS (perfect forward secrecy), but it does not hurt having extra layers in that onion!

Although it is true that extra layers are good, beware that redirecting to SSL/TLS will usually mean that the certificate will not validate (because the hostname will be *.onion, not the one on the certificate that you have for your public service). If you can get a .onion certificate, that works!


Onion Service Configuration

A very simple configuration template for an Onion Service follows (it goes in your torrc file):

HiddenServiceDir	/path/to/host/key/and/hostname/
HiddenServicePort	<PORT>	<MACHINE_IP_ADDR>:<SERVICE_PORT>
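
The checklist and template above can be checked mechanically. The following is an added example, not part of the original guide or of Tor itself: a small Python audit that reads torrc text, resolves each HiddenServicePort target, and flags a relay on the same machine and loopback backends whose localhost-only rules need review. The sample torrc, paths and function names are constructed for illustration, and quoted torrc values are assumed not to occur.

```python
import ipaddress

# Constructed sample torrc (not from the page): a relay port plus one onion service.
SAMPLE_TORRC = """\
ORPort 9001
HiddenServiceDir /var/lib/tor/web/
HiddenServicePort 80 127.0.0.1:8080
HiddenServicePort 22
HiddenServicePort 25 192.0.2.10:2525
"""

def parse_target(virt_port, target):
    """Resolve a HiddenServicePort target; Tor defaults it to 127.0.0.1:<virtual port>."""
    if target is None or target.isdigit():       # omitted, or port only
        return "127.0.0.1", int(target or virt_port)
    if target.startswith("unix:"):
        return target, None                      # unix socket, no TCP port
    if ":" not in target or target.endswith("]"):
        return target.strip("[]"), virt_port     # address only
    host, _, port = target.rpartition(":")
    return host.strip("[]"), int(port)

def is_local(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost" or host.startswith("unix:")

def audit_torrc(text):
    services, findings, current, relay = [], [], None, False
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()     # drop comments, split on whitespace
        key, args = (parts[0].lower(), parts[1:]) if parts else ("", [])
        if key == "orport" and args and args[0] != "0":
            relay = True                         # any non-zero ORPort means a relay or bridge
        elif key == "hiddenservicedir" and args:
            current = args[0]
        elif key == "hiddenserviceport" and args:
            if current is None:
                findings.append(f"line {n}: HiddenServicePort without a HiddenServiceDir")
                continue
            host, port = parse_target(int(args[0]), args[1] if len(args) > 1 else None)
            services.append((current, int(args[0]), host, port))
            if is_local(host):
                findings.append(f"line {n}: backend {host} is local; review localhost-only rules such as /server-status")
    if relay and services:
        findings.append("ORPort set: relay and onion service share this machine")
    return services, findings
```

Call `audit_torrc(open(path).read())` with the path to your own torrc; an empty findings list only means none of these three conditions matched.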

Below you can choose a specific operating system on which to implement your Onion Service, or just look at the generic configuration for setting up your own.

DragonFlyBSD

FreeBSD

NetBSD

OpenBSD

en/hidden_services_configuration_topics.txt · Last modified: 2018/02/25 16:55 by egypcio