Add onion service article & footer notice
ci/woodpecker/push/woodpecker Pipeline was successful Details

This commit is contained in:
Kaan Barmore-Genç 2023-03-05 17:15:19 -05:00
parent acf5d30862
commit f11b2d3dc3
Signed by: kaan
GPG Key ID: B2E280771CD62FCF
4 changed files with 106 additions and 10 deletions

View File

@ -7,7 +7,7 @@ PygmentsCodeFences = true
PygmentsStyle = "monokai"
paginate = 20
rssLimit = 60 # Maximum number of items in the RSS feed.
rssLimit = 60 # Maximum number of items in the RSS feed.
copyright = "Contents are licensed under <a rel='license' href='http://creativecommons.org/licenses/by/4.0/'>CC 4.0</a> unless specified otherwise.<br />Source code for this website is available at <a href='https://gitea.bgenc.net/kaan/bgenc.net'>gitea.bgenc.net</a>."
# googleAnalytics = ""
@ -117,6 +117,9 @@ trademark = false
rss = true
copyright = true
author = false
bottomText = [
"This website is available at <a href='https://bgenc.net'>bgenc.net</a>, or as an onion service at <a href='http://bgenc2iv62mumkhu2p564vxtao6ha7ihavmzwpetkmazgq6av7zvfwyd.onion/'>bgenc2iv62mumkhu2p564vxtao6ha7ihavmzwpetkmazgq6av7zvfwyd.onion</a> which you can view through the <a href='https://www.torproject.org/download/' target='_blank'>Tor browser</a>.",
]
topText = []
# bottomText = [
@ -154,11 +157,11 @@ logoHomeLink = "/"
# url = ""
[params.portrait]
path = "/img/profile.2022.12.jpeg"
pathWebp = "/img/profile.2022.12.webp"
pathAvif = "/img/profile.2022.12.avif"
alt = "A picture of Kaan, wearing a beanie, in front of some shrubbery."
maxWidth = "20rem"
path = "/img/profile.2022.12.jpeg"
pathWebp = "/img/profile.2022.12.webp"
pathAvif = "/img/profile.2022.12.avif"
alt = "A picture of Kaan, wearing a beanie, in front of some shrubbery."
maxWidth = "20rem"
# Social icons
[[params.social]]
@ -208,6 +211,3 @@ url = "posts/"
identifier = "portfolio"
name = "Portfolio"
url = "portfolio/"
[gmnhg]
baseUrl = "gemini://gemini.bgenc.net"

Binary file not shown.

After

Width:  |  Height:  |  Size: 44 KiB

View File

@ -0,0 +1,96 @@
---
title: "Setting up my blog as an Onion service (Tor hidden service)"
date: 2023-03-05T15:54:13-05:00
toc: false
images:
---
If you don't know about it, Tor is a software that helps online privacy and
fights censorship using the Onion network. For example, [tens of thousands of people in Iran and Russia are using Tor through Tor's Snowflake proxies](https://blog.torproject.org/snowflake-daily-operations/) to get
around government censorship and access vital information, as news organizations like the [BBC started offering access through Tor](https://www.wsj.com/articles/russia-rolls-down-internet-iron-curtain-but-gaps-remain-11647087321).
As [online services are happy to turn over our data to the authorities](https://www.businessinsider.com/police-getting-help-social-media-to-prosecute-people-seeking-abortions-2023-2?op=1),
it is crucial for Tor to exist so journalists, activists, whistle-blowers, and
anyone living under oppressive regimes can access information and communicate freely.
But there is really no reason for Tor to be used solely by people trying to
avoid censorship or stay private. In fact, I think it is good for people to use
Tor for other things, because this way Tor is not just a tool for "people with
something to hide" but a tool that everyone uses. It's a bit like adding
pronouns in your bio on social media: it's good when cis people put pronouns in
their bios because otherwise just having your pronouns in your bio would
immediately flag you as a trans or gender nonconforming person. Everyone else
joining in gives security to those who really need it.
## Setting up the Onion service
My first step was to set up a Docker container to run Tor in.
I put this container on DockerHub for others to use: [seriousbug/tor](https://hub.docker.com/repository/docker/seriousbug/tor/general).
Next, I used [mkp224o](https://github.com/cathugger/mkp224o) to get a vanity
address. Onion addresses are made out of long, random sequences like
`xbbubmuxby...qd.onion`, but you can try to generate one that starts with a
special prefix, for example DuckDuckGo has an Onion service that starts with
"duckduckgo": `duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion`.
Doing this is computationally expensive, but short prefixes are easy to
generate. I wanted something that starts with `bgenc`, which only took a few
seconds. I also tried `kaanbgenc` but gave up after waiting several minutes: the
difficulty goes up exponentially the longer the prefix you want is, so 9
characters would have likely taken months on my desktop.
Next, I set up the configuration file for Tor. That looks like this:
```
Log notice stdout
HiddenServiceDir /etc/tor/service
HiddenServicePort 80 unix:/var/run/tor/bgenc.net.sock
```
I put the keys that `mkp224o` generated into a subfolder named `service` next to
my Tor config. These are going to be mounted at `/etc/tor` in the Tor container.
I then told Tor to look at `/var/run/tor/bgenc.net.sock`, where I'll be mounting
my nginx unix socket at.
And that reminds me, it's time to set up nginx! Under the `server` block that
serves my website, I added my onion address as one of the host names:
```
server_name bgenc.net;
server_name bgenc2iv62mumkhu2p564vxtao6ha7ihavmzwpetkmazgq6av7zvfwyd.onion;
```
Then, I added the listen directive to create and listen to that socket:
```
listen 443 ssl http2;
listen unix:/var/run/nginx/bgenc.net.sock;
```
I'm using a unix socket here because my nginx is actually running on the base
system without a container, while tor is in a container. So to allow Tor to
connect to the nginx in the host, I would have had to allow the tor container to
use the host network. But I can get around that with a Unix socket, because the
socket can get mounted from the host into the container.
Also mind that I'm not using SSL or http2 for the unix socket. There are very few
SSL key services that support Tor, and it's not necessary anyway because the Tor
network provides the same security guarantees to you already. I also found that
`http2` does not work, though I'm not sure why.
I finally added the tor container to a `docker-compose.yml` to make it easier to
rebuild if needed. That looks like this:
```yml
tor-hidden-service:
image: seriousbug/tor
restart: always
volumes:
- ./tor:/etc/tor
- /var/run/nginx:/var/run/tor
```
I also needed to make the tor directory with the configuration file and services
owned by root, and use 700 as the file permission. Otherwise Tor refuses to start.
Once all of this is set up, I restarted nginx and my Tor container. And that was about it!
The website is now accessible through Tor! You can find it at [bgenc2iv62mumkhu2p564vxtao6ha7ihavmzwpetkmazgq6av7zvfwyd.onion](http://bgenc2iv62mumkhu2p564vxtao6ha7ihavmzwpetkmazgq6av7zvfwyd.onion/).

@ -1 +1 @@
Subproject commit 01bc4490d0750b37b31b18e56bc28ae68dd2b23f
Subproject commit 083f35e878d741ee72d8d757ff094792ba6cae9e