Add onion service article & footer notice
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
This commit is contained in:
parent
acf5d30862
commit
f11b2d3dc3
16
config.toml
@ -117,6 +117,9 @@ trademark = false
 rss = true
 copyright = true
 author = false
+bottomText = [
+"This website is available at <a href='https://bgenc.net'>bgenc.net</a>, or as an onion service at <a href='http://bgenc2iv62mumkhu2p564vxtao6ha7ihavmzwpetkmazgq6av7zvfwyd.onion/'>bgenc2iv62mumkhu2p564vxtao6ha7ihavmzwpetkmazgq6av7zvfwyd.onion</a> which you can view through the <a href='https://www.torproject.org/download/' target='_blank'>Tor browser</a>.",
+]
 
 topText = []
 # bottomText = [
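Review bot: the `target='_blank'` anchor on the Tor browser link in the new `bottomText` entry should also carry `rel='noopener noreferrer'`; without it the opened tab gets a `window.opener` handle back to this page (current browsers default to noopener for `_blank`, but the explicit attribute costs nothing and covers older ones). The onion link being plain `http://` is consistent with the nginx unix-socket listener the post sets up without TLS, so that part is fine. The commented-out `# bottomText = [` block that follows is now dead and could be removed in the same change.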
@ -154,11 +157,11 @@ logoHomeLink = "/"
 # url = ""
 
 [params.portrait]
 path = "/img/profile.2022.12.jpeg"
 pathWebp = "/img/profile.2022.12.webp"
 pathAvif = "/img/profile.2022.12.avif"
 alt = "A picture of Kaan, wearing a beanie, in front of some shrubbery."
 maxWidth = "20rem"
 
 # Social icons
 [[params.social]]
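Review bot: this hunk (`-154,11 +157,11`) shows identical text on both sides for all eleven lines, so whatever changed here is whitespace or line-ending only. Either drop it so the config diff carries only the footer change, or say in the commit message what the invisible change is, since a reviewer cannot verify it from the rendered diff.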
@ -208,6 +211,3 @@ url = "posts/"
 identifier = "portfolio"
 name = "Portfolio"
 url = "portfolio/"
-
-[gmnhg]
-baseUrl = "gemini://gemini.bgenc.net"
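Review bot: dropping the `[gmnhg]` section with `baseUrl = "gemini://gemini.bgenc.net"` is unrelated to the commit message ("Add onion service article & footer notice") and silently retires the Gemini export configuration. Split it into its own commit, or state in the message that the Gemini mirror is being removed so the change is discoverable later.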
BIN
content/img/tor-censorship-snowflake-chart.webp
Normal file
Binary file not shown. Size: 44 KiB
96
content/posts/2023.03.05.set-up-my-blog-as-onion-service.md
Normal file
@ -0,0 +1,96 @@
+---
+title: "Setting up my blog as an Onion service (Tor hidden service)"
+date: 2023-03-05T15:54:13-05:00
+toc: false
+images:
+---
+
+If you don't know about it, Tor is a software that helps online privacy and
+fights censorship using the Onion network. For example, [tens of thousands of people in Iran and Russia are using Tor through Tor's Snowflake proxies](https://blog.torproject.org/snowflake-daily-operations/) to get
+around government censorship and access vital information, as news organizations like the [BBC started offering access through Tor](https://www.wsj.com/articles/russia-rolls-down-internet-iron-curtain-but-gaps-remain-11647087321).
+As [online services are happy to turn over our data to the authorities](https://www.businessinsider.com/police-getting-help-social-media-to-prosecute-people-seeking-abortions-2023-2?op=1),
+it is crucial for Tor to exist so journalists, activists, whistle-blowers, and
+anyone living under oppressive regimes can access information and communicate freely.
+
+But there is really no reason for Tor to be used solely by people trying to
+avoid censorship or stay private. In fact, I think it is good for people to use
+Tor for other things, because this way Tor is not just a tool for "people with
+something to hide" but a tool that everyone uses. It's a bit like adding
+pronouns in your bio on social media: it's good when cis people put pronouns in
+their bios because otherwise just having your pronouns in your bio would
+immediately flag you as a trans or gender nonconforming person. Everyone else
+joining in gives security to those who really need it.
+
+## Setting up the Onion service
+
+My first step was to set up a Docker container to run Tor in.
+I put this container on DockerHub for others to use: [seriousbug/tor](https://hub.docker.com/repository/docker/seriousbug/tor/general).
+
+Next, I used [mkp224o](https://github.com/cathugger/mkp224o) to get a vanity
+address. Onion addresses are made out of long, random sequences like
+`xbbubmuxby...qd.onion`, but you can try to generate one that starts with a
+special prefix, for example DuckDuckGo has an Onion service that starts with
+"duckduckgo": `duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion`.
+Doing this is computationally expensive, but short prefixes are easy to
+generate. I wanted something that starts with `bgenc`, which only took a few
+seconds. I also tried `kaanbgenc` but gave up after waiting several minutes: the
+difficulty goes up exponentially the longer the prefix you want is, so 9
+characters would have likely taken months on my desktop.
+
+Next, I set up the configuration file for Tor. That looks like this:
+
+```
+Log notice stdout
+HiddenServiceDir /etc/tor/service
+HiddenServicePort 80 unix:/var/run/tor/bgenc.net.sock
+```
+
+I put the keys that `mkp224o` generated into a subfolder named `service` next to
+my Tor config. These are going to be mounted at `/etc/tor` in the Tor container.
+I then told Tor to look at `/var/run/tor/bgenc.net.sock`, where I'll be mounting
+my nginx unix socket at.
+
+And that reminds me, it's time to set up nginx! Under the `server` block that
+serves my website, I added my onion address as one of the host names:
+
+```
+server_name bgenc.net;
+server_name bgenc2iv62mumkhu2p564vxtao6ha7ihavmzwpetkmazgq6av7zvfwyd.onion;
+```
+
+Then, I added the listen directive to create and listen to that socket:
+
+```
+listen 443 ssl http2;
+listen unix:/var/run/nginx/bgenc.net.sock;
+```
+
+I'm using a unix socket here because my nginx is actually running on the base
+system without a container, while tor is in a container. So to allow Tor to
+connect to the nginx in the host, I would have had to allow the tor container to
+use the host network. But I can get around that with a Unix socket, because the
+socket can get mounted from the host into the container.
+
+Also mind that I'm not using SSL or http2 for the unix socket. There are very few
+SSL key services that support Tor, and it's not necessary anyway because the Tor
+network provides the same security guarantees to you already. I also found that
+`http2` does not work, though I'm not sure why.
+
+I finally added the tor container to a `docker-compose.yml` to make it easier to
+rebuild if needed. That looks like this:
+
+```yml
+tor-hidden-service:
+  image: seriousbug/tor
+  restart: always
+  volumes:
+    - ./tor:/etc/tor
+    - /var/run/nginx:/var/run/tor
+```
+
+I also needed to make the tor directory with the configuration file and services
+owned by root, and use 700 as the file permission. Otherwise Tor refuses to start.
+
+Once all of this is set up, I restarted nginx and my Tor container. And that was about it!
+The website is now accessible through Tor! You can find it at [bgenc2iv62mumkhu2p564vxtao6ha7ihavmzwpetkmazgq6av7zvfwyd.onion](http://bgenc2iv62mumkhu2p564vxtao6ha7ihavmzwpetkmazgq6av7zvfwyd.onion/).
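Review bot: the post never says that the `service` subfolder (the `HiddenServiceDir`, bind-mounted via `./tor:/etc/tor`) holds the onion service's private key, and that is the one thing a reader must get right: losing it loses the `bgenc2iv...onion` address for good, and anyone who obtains it can stand up an impersonating service, so add a sentence telling readers to keep `./tor/` out of version control and to back it up offline. The "owned by root, 700" paragraph is Tor's check that the key directory is not group- or world-readable; say that the owner has to be whichever user Tor runs as inside the container (root here), since readers running a non-root image will hit the same refusal with root ownership. On the open question at "`http2` does not work, though I'm not sure why": on a listener without `ssl`, nginx's `http2` flag expects cleartext HTTP/2 (h2c), while Tor hands nginx the browser's plain HTTP/1.1 bytes, so dropping `http2` on the socket listener, as the post already does, is the right fix rather than a mystery. Two smaller things: `content/img/tor-censorship-snowflake-chart.webp` is added by this commit but never embedded in the post and the `images:` front-matter key is left empty, and "Tor is a software" / "my nginx unix socket at" / lowercase "tor" for the daemon read awkwardly.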
@ -1 +1 @@
-Subproject commit 01bc4490d0750b37b31b18e56bc28ae68dd2b23f
+Subproject commit 083f35e878d741ee72d8d757ff094792ba6cae9e
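Review bot: the submodule bump from `01bc4490d0750b37b31b18e56bc28ae68dd2b23f` to `083f35e878d741ee72d8d757ff094792ba6cae9e` is not mentioned in the commit message, and the rendered hunk does not name the submodule path. Name it and summarize what the new revision brings in, since the site build executes whatever that submodule contains and a silent pointer move is exactly what a supply-chain review needs to catch.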