Add onion service article & footer notice

config.toml

@@ -7,7 +7,7 @@ PygmentsCodeFences = true
 PygmentsStyle = "monokai"
 
 paginate = 20
-rssLimit = 60                                                                                       # Maximum number of items in the RSS feed.
+rssLimit = 60                                                                                                                                                                                                                                                                # Maximum number of items in the RSS feed.
 copyright = "Contents are licensed under <a rel='license' href='http://creativecommons.org/licenses/by/4.0/'>CC 4.0</a> unless specified otherwise.<br />Source code for this website is available at <a href='https://gitea.bgenc.net/kaan/bgenc.net'>gitea.bgenc.net</a>."
 
 # googleAnalytics = ""
@@ -117,6 +117,9 @@ trademark = false
 rss = true
 copyright = true
 author = false
+bottomText = [
+  "This website is available at <a href='https://bgenc.net'>bgenc.net</a>, or as an onion service at <a href='http://bgenc2iv62mumkhu2p564vxtao6ha7ihavmzwpetkmazgq6av7zvfwyd.onion/'>bgenc2iv62mumkhu2p564vxtao6ha7ihavmzwpetkmazgq6av7zvfwyd.onion</a> which you can view through the <a href='https://www.torproject.org/download/' target='_blank'>Tor browser</a>.",
+]
 
 topText = []
 # bottomText = [
@@ -154,11 +157,11 @@ logoHomeLink = "/"
 #   url = ""
 
 [params.portrait]
-  path     = "/img/profile.2022.12.jpeg"
-  pathWebp = "/img/profile.2022.12.webp"
-  pathAvif = "/img/profile.2022.12.avif"
-  alt      = "A picture of Kaan, wearing a beanie, in front of some shrubbery."
-  maxWidth = "20rem"
+path = "/img/profile.2022.12.jpeg"
+pathWebp = "/img/profile.2022.12.webp"
+pathAvif = "/img/profile.2022.12.avif"
+alt = "A picture of Kaan, wearing a beanie, in front of some shrubbery."
+maxWidth = "20rem"
 
 # Social icons
 [[params.social]]
@@ -208,6 +211,3 @@ url = "posts/"
 identifier = "portfolio"
 name = "Portfolio"
 url = "portfolio/"
-
-[gmnhg]
-baseUrl = "gemini://gemini.bgenc.net"

content/posts/2023.03.05.set-up-my-blog-as-onion-service.md

@@ -0,0 +1,96 @@
+---
+title: "Setting up my blog as an Onion service (Tor hidden service)"
+date: 2023-03-05T15:54:13-05:00
+toc: false
+images:
+---
+
+If you don't know about it, Tor is a software that helps online privacy and
+fights censorship using the Onion network. For example, [tens of thousands of people in Iran and Russia are using Tor through Tor's Snowflake proxies](https://blog.torproject.org/snowflake-daily-operations/) to get
+around government censorship and access vital information, as news organizations like the [BBC started offering access through Tor](https://www.wsj.com/articles/russia-rolls-down-internet-iron-curtain-but-gaps-remain-11647087321).
+As [online services are happy to turn over our data to the authorities](https://www.businessinsider.com/police-getting-help-social-media-to-prosecute-people-seeking-abortions-2023-2?op=1),
+it is crucial for Tor to exist so journalists, activists, whistle-blowers, and
+anyone living under oppressive regimes can access information and communicate freely.
+
+But there is really no reason for Tor to be used solely by people trying to
+avoid censorship or stay private. In fact, I think it is good for people to use
+Tor for other things, because this way Tor is not just a tool for "people with
+something to hide" but a tool that everyone uses. It's a bit like adding
+pronouns in your bio on social media: it's good when cis people put pronouns in
+their bios because otherwise just having your pronouns in your bio would
+immediately flag you as a trans or gender nonconforming person. Everyone else
+joining in gives security to those who really need it.
+
+## Setting up the Onion service
+
+My first step was to set up a Docker container to run Tor in.
+I put this container on DockerHub for others to use: [seriousbug/tor](https://hub.docker.com/repository/docker/seriousbug/tor/general).
+
+Next, I used [mkp224o](https://github.com/cathugger/mkp224o) to get a vanity
+address. Onion addresses are made out of long, random sequences like
+`xbbubmuxby...qd.onion`, but you can try to generate one that starts with a
+special prefix, for example DuckDuckGo has an Onion service that starts with
+"duckduckgo": `duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion`.
+Doing this is computationally expensive, but short prefixes are easy to
+generate. I wanted something that starts with `bgenc`, which only took a few
+seconds. I also tried `kaanbgenc` but gave up after waiting several minutes: the
+difficulty goes up exponentially the longer the prefix you want is, so 9
+characters would have likely taken months on my desktop.
+
+Next, I set up the configuration file for Tor. That looks like this:
+
+```
+Log notice stdout
+HiddenServiceDir /etc/tor/service
+HiddenServicePort 80 unix:/var/run/tor/bgenc.net.sock
+```
+
+I put the keys that `mkp224o` generated into a subfolder named `service` next to
+my Tor config. These are going to be mounted at `/etc/tor` in the Tor container.
+I then told Tor to look at `/var/run/tor/bgenc.net.sock`, where I'll be mounting
+my nginx unix socket at.
+
+And that reminds me, it's time to set up nginx! Under the `server` block that
+serves my website, I added my onion address as one of the host names:
+
+```
+server_name bgenc.net;
+server_name bgenc2iv62mumkhu2p564vxtao6ha7ihavmzwpetkmazgq6av7zvfwyd.onion;
+```
+
+Then, I added the listen directive to create and listen to that socket:
+
+```
+listen 443 ssl http2;
+listen unix:/var/run/nginx/bgenc.net.sock;
+```
+
+I'm using a unix socket here because my nginx is actually running on the base
+system without a container, while tor is in a container. So to allow Tor to
+connect to the nginx in the host, I would have had to allow the tor container to
+use the host network. But I can get around that with a Unix socket, because the
+socket can get mounted from the host into the container.
+
+Also mind that I'm not using SSL or http2 for the unix socket. There are very few
+SSL key services that support Tor, and it's not necessary anyway because the Tor
+network provides the same security guarantees to you already. I also found that
+`http2` does not work, though I'm not sure why.
+
+I finally added the tor container to a `docker-compose.yml` to make it easier to
+rebuild if needed. That looks like this:
+
+```yml
+  tor-hidden-service:
+    image: seriousbug/tor
+    restart: always
+    volumes:
+      - ./tor:/etc/tor
+      - /var/run/nginx:/var/run/tor
+```
+
+I also needed to make the tor directory with the configuration file and services
+owned by root, and use 700 as the file permission. Otherwise Tor refuses to start.
+
+Once all of this is set up, I restarted nginx and my Tor container. And that was about it!
+The website is now accessible through Tor! You can find it at [bgenc2iv62mumkhu2p564vxtao6ha7ihavmzwpetkmazgq6av7zvfwyd.onion](http://bgenc2iv62mumkhu2p564vxtao6ha7ihavmzwpetkmazgq6av7zvfwyd.onion/).
+

themes/catafalque

@@ -1 +1 @@
-Subproject commit 01bc4490d0750b37b31b18e56bc28ae68dd2b23f
+Subproject commit 083f35e878d741ee72d8d757ff094792ba6cae9e