Cheapskate's Guide


How to Create an Onion Site Mirror of Your Lighttpd-Hosted Website

1-30-20



The BBC and Propublica now have onion site mirrors that allow visitors to anonymously read their news articles without being blocked or monitored by any government. For those who are not familiar with them, onion sites can only be accessed over The Onion Router (TOR) network via the TOR browser. The TOR network is an encrypted, anonymizing network that prevents users' IP addresses from being revealed to websites they visit on the clearnet (the regular Internet). The TOR network operates "on top of" the clearnet. While some news organizations may need onion addresses to reach readers in countries with totalitarian governments, for most of the rest of us running our own websites, having a website mirrored at an onion address is mostly about the "cool factor" of having an onion address. However, it is also a way of having a site that maintains an end-to-end encrypted link to its visitors without having to deal with the SSL/TLS certificates that would be required for it to be an HTTPS website. Also, onion sites "stay" within the TOR network, so they don't require the use of a TOR exit node.

This article explains how to create an onion site mirror of your clearnet website and host it on the same webserver that is currently hosting your clearnet website. This means you won't have to pay for another server or increase your electric bill. Instructions will be given with the assumption that your website is currently running the Lighttpd webserver software and the Raspbian operating system, a Debian Linux derivative. Raspbian is used by Raspberry Pi computers, which are good, low-cost platforms for individuals hosting small-to-medium-sized, mostly-static websites from their homes. If you are not using Lighttpd, you may have to experiment to figure out how to tailor the information presented here to your particular server software. If your webserver is running a different operating system, it should be fairly easy to adapt the information presented here to your actual platform.

Your new onion site will run as a "TOR hidden service"--more precisely as a "TOR service", since concealing the location of a server hosting content that is also accessible from the clearnet is pointless. The real benefit of mirroring your website on TOR is that you get a website with an "onion" top level domain. This means that if you ever lose your ICANN-provided domain name, visitors will still have access to your TOR website. Of course, if people who would like to view your website are aware that it is still connected to the Internet, they can always access it directly via your static IP address. Although a TOR site is virtually unblockable, this will not be of much benefit to those who are not running politically-oriented news websites.






Creating Your Onion Site Mirror

To create an onion site mirror of your current clearnet website, follow these eight steps:



1. On your Lighttpd webserver running the Raspbian OS, add to your local repositories list the repository containing the TOR packages. You can accomplish this on Raspbian by adding the following lines to your /etc/apt/sources.list file.


deb http://deb.torproject.org/torproject.org jessie main
deb-src http://deb.torproject.org/torproject.org jessie main

If using the Stretch or Buster versions of Raspbian, substitute "stretch" or "buster" for "jessie" in the above lines.



2. Now add the GPG keys used to sign the TOR packages.


su
sudo curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
sudo gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -

The response should look something like this:


root@hostname:/etc/apt# sudo curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
gpg: starting migration from earlier GnuPG versions
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--    
0gpg: porting secret keys from '/root/.gnupg/secring.gpg' to gpg-agent
gpg: migration succeeded
100 19665  100 19665    0     0  18658      0  0:00:01  0:00:01 --:--:-- 18675
gpg: key EE8CBC9E886DDD89: 36 signatures not checked due to missing keys
gpg: key EE8CBC9E886DDD89: public key "deb.torproject.org archive signing key" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
root@hostname:/etc/apt# sudo gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
OK

To further verify that the GPG keys were imported, type:


gpg --output ./tor.keyring --export 0xA3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89

If the keys were imported correctly, you should get no message. Otherwise, you will get something like this:


gpg: warning : nothing exported
gpg: no valid OpenPGP data found



3. Now, update your list of packages and install the TOR packages:


sudo apt-get update
sudo apt-get install tor deb.torproject.org-keyring



4. Configure TOR:


cd /etc/tor
cp torrc torrc_original

To define ports and a directory for holding keys for your TOR hidden service, edit the torrc file. Either add or uncomment (remove # symbols at the beginning of lines you want to uncomment) and modify the lines containing the "HiddenServiceDir" and "HiddenServicePort" variables. They should look like this when you are done:


HiddenServiceDir /var/lib/tor/your-website-domain-name/
HiddenServicePort 8080 127.0.0.1:27047

When you restart the TOR process, it will create a directory called /var/lib/tor/your-website-domain-name. You can name the directory anything you want inside the torrc file, but if you later decide to create multiple onion sites, you will need to name the directories appropriately in order to distinguish them.

Now, traffic from the TOR network will go to external port 8080 on your server and be redirected to internal port 27047, where we will configure Lighttpd to be listening. To get to your new onion site, a visitor must type the onion address followed by ":8080" onto the URL line of the TOR browser. The reason port 8080 is used is that port 80 (the HTTP port) is already being used by Lighttpd, so it is not available for use by a tor hidden service. Each running service (e.g. ftp-20, ssh-22, telnet-23, http-80, and https-443) must have its own port. Some, like Lighttpd, may use multiple ports. Any available ports can be used in place of 8080 and 27047.

To create multiple hidden services for multiple sites, you must use a unique internal port for each, but you can use the same external port for all. For example:


HiddenServiceDir /var/lib/tor/your-website-domain-name1/
HiddenServicePort 8080 127.0.0.1:27047

HiddenServiceDir /var/lib/tor/your-website-domain-name2/
HiddenServicePort 8080 127.0.0.1:27048

HiddenServiceDir /var/lib/tor/your-website-domain-name3/
HiddenServicePort 8080 127.0.0.1:27049

Be aware that TOR traffic now looks like it is coming from your local machine (127.0.0.1). So, if for security reasons you have set up some services to only be accessible from the local machine (for example /server-status in Lighttpd), they will now be accessible to visitors from the TOR network who have the correct password. You may want to plug this security hole somehow.

You will have to do two more things to make a clear path for TOR network traffic to reach Lighttpd. Forward port 8080 from your router to your webserver and open port 8080 in your webserver's firewall ("sudo ufw allow 8080"). You do not have to open port 27047 in your webserver's firewall, because it is an internal port.



5. Restart your TOR hidden service:


sudo systemctl stop tor
sudo systemctl start tor
sudo systemctl status tor

On a Raspbian server, if you ever need to prevent the TOR service from starting at boot, just remove the "tor" file from /etc/init.d . Make a backup in a different directory first!

Starting TOR automatically creates the "HiddenServiceDir" that you defined in the /etc/tor/torrc file. Before continuing, confirm that all TOR directories and files are owned by the user the tor process runs as (named "debian-tor" in the Raspbian OS) and that debian-tor has read and execute permission where applicable. By default, visitors from the TOR network to your onion site do not have access to directories owned by the debian-tor user, so your TOR site's private key should be safe as long as you do not change the default protections.

Starting TOR automatically generates an onion address for your new onion site. To get it from the "hostname" file in the /var/lib/tor/your-website-domain-name directory, type:


sudo cat /var/lib/tor/your-website-domain-name/hostname

Let's assume for the rest of this article that your site's onion address is "xxxxxxxxxxxxxxxxx.onion".


On a Raspbian webserver, the TOR public and private keys were put into the /var/lib/tor/your-website-domain-name/ directory in these files:



Make backups of both of these files, now! If you lose them, you will no longer be able to host your onion site at the address in the "hostname" file! You'll have to create another TOR hidden service with a different onion address.
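The ownership and permission check that step 5 asks for can be scripted. The following is an added example, not code from the article: it walks a HiddenServiceDir, reports anything not owned by the expected user or readable by group/world, confirms the "hostname" file exists, and reads the onion address from it. The demo directory it builds is constructed for illustration, and the key file name in it is a placeholder, since the real key file names are not given here.

```python
"""Check a HiddenServiceDir's owner and permissions (added example, not from the article)."""
import os
import pwd
import stat
import tempfile


def owner_name(uid):
    """Resolve a uid to a user name, falling back to the number if it has no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def current_uid():
    """The uid of the running process; used by the demo in place of debian-tor."""
    return os.getuid()


def check_hs_dir(path, expected_uid):
    """Return a list of findings for a HiddenServiceDir; an empty list means it looks right."""
    findings = []
    entries = [path] + [os.path.join(path, n) for n in sorted(os.listdir(path))]
    for p in entries:
        st = os.stat(p)
        if st.st_uid != expected_uid:
            findings.append(f"{p}: owned by {owner_name(st.st_uid)}, expected {owner_name(expected_uid)}")
        # Tor keeps the directory private (0700); nothing inside it should be group/world accessible.
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            findings.append(f"{p}: mode {oct(mode)} is group/world accessible")
    if not os.path.isfile(os.path.join(path, "hostname")):
        findings.append(f"{path}: no hostname file; Tor has not populated this directory yet")
    return findings


def read_onion_address(path):
    """Return the onion address stored in the hostname file."""
    with open(os.path.join(path, "hostname")) as fh:
        return fh.read().strip()


def build_demo_dir(leak_key=False):
    """Construct a throwaway directory shaped like a HiddenServiceDir (constructed sample data).

    The key file name is a placeholder; real names depend on the Tor version.
    With leak_key=True the key file is made world-readable to show a finding.
    """
    d = tempfile.mkdtemp(prefix="hs-demo-")
    os.chmod(d, 0o700)
    hostname = os.path.join(d, "hostname")
    with open(hostname, "w") as fh:
        fh.write("xxxxxxxxxxxxxxxxx.onion\n")
    os.chmod(hostname, 0o600)
    key = os.path.join(d, "private-key-placeholder")
    with open(key, "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    os.chmod(key, 0o644 if leak_key else 0o600)
    return d


if __name__ == "__main__":
    # On a real server you would call, assuming the article's directory name:
    # check_hs_dir("/var/lib/tor/your-website-domain-name", pwd.getpwnam("debian-tor").pw_uid)
    for leak in (False, True):
        d = build_demo_dir(leak_key=leak)
        print(d, check_hs_dir(d, current_uid()) or ["ok"], read_onion_address(d))
```

Run it as root against the real directory with the debian-tor uid, as in the comment; the demo run only exercises temporary directories owned by whoever runs it.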



6. Now, add a section to your /etc/lighttpd/lighttpd.conf file that looks like this:


#For domain-name onion:
$SERVER["socket"] == ":27047" {
   server.name          = "xxxxxxxxxxxxxxxxx.onion"
   server.document-root = "/var/www/html"
   server.errorlog      = "/var/log/lighttpd/domain-name-onion/error.log"

   # Deny Internet users access to everything in the php directory:
   $HTTP["url"] =~ "^/php" {
      url.access-deny = ("")
   }

   # Add here any other unique characteristics that you want to
   # give this website.
}

The name of the "domain-name-onion" directory in your lighttpd.conf file can be anything you choose. Now, create the /var/log/lighttpd/domain-name-onion directory and give it the necessary permissions:


cd /var/log/lighttpd
sudo mkdir domain-name-onion
sudo chown www-data:www-data domain-name-onion
sudo chmod 750 domain-name-onion

You may want to check that you haven't broken anything by testing your new lighttpd.conf file:


sudo lighttpd -t -f /etc/lighttpd/lighttpd.conf

The response should end with "syntax OK".

As soon as you restart Lighttpd, it will be listening on internal port 27047 for visitors to the xxxxxxxxxxxxxxxxx.onion:8080 address on the TOR network.
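Steps 4 and 6 have to agree with each other: every internal port in a "HiddenServicePort" line needs a matching $SERVER["socket"] block, internal ports must be unique across services, and, as noted in step 4, anything Lighttpd restricts to 127.0.0.1 is reachable through TOR. The script below is an added example, not code from the article or from the Tor or Lighttpd projects; it parses the two files with simple line matching and reports mismatches. The embedded torrc and lighttpd.conf fragments are constructed samples modelled on the article's snippets, with a third service and a /server-status rule that are deliberately wrong.

```python
"""Cross-check torrc hidden-service lines against lighttpd.conf (added example)."""
import re

# Constructed sample inputs modelled on the article's snippets.
TORRC = """\
HiddenServiceDir /var/lib/tor/your-website-domain-name1/
HiddenServicePort 8080 127.0.0.1:27047

HiddenServiceDir /var/lib/tor/your-website-domain-name2/
HiddenServicePort 8080 127.0.0.1:27048

HiddenServiceDir /var/lib/tor/your-website-domain-name3/
HiddenServicePort 8080 0.0.0.0:27049
"""

LIGHTTPD_CONF = """\
status.status-url = "/server-status"
$HTTP["remoteip"] != "127.0.0.1" {
    $HTTP["url"] =~ "^/server-status" { url.access-deny = ("") }
}
$SERVER["socket"] == ":27047" {
    server.name = "xxxxxxxxxxxxxxxxx.onion"
}
$SERVER["socket"] == ":27048" {
    server.name = "yyyyyyyyyyyyyyyyy.onion"
}
"""

HS_DIR_RE = re.compile(r"^\s*HiddenServiceDir\s+(\S+)")
# HiddenServicePort VIRTPORT [[HOST:]PORT]; an omitted target means 127.0.0.1:VIRTPORT
HS_PORT_RE = re.compile(r"^\s*HiddenServicePort\s+(\d+)(?:\s+(?:([\d.]+):)?(\d+))?")
SOCKET_RE = re.compile(r'\$SERVER\["socket"\]\s*==\s*":(\d+)"')
LOOPBACK_RULE_RE = re.compile(r'\$HTTP\["remoteip"\]\s*[!=]=\s*"127\.0\.0\.1"')


def parse_torrc(text):
    """Return (hs_dir, virtual_port, target_host, target_port) for each configured service."""
    services, current_dir = [], None
    for line in text.splitlines():
        m = HS_DIR_RE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = HS_PORT_RE.match(line)
        if m and current_dir:
            vport = int(m.group(1))
            host = m.group(2) or "127.0.0.1"
            tport = int(m.group(3)) if m.group(3) else vport
            services.append((current_dir, vport, host, tport))
    return services


def check_configs(torrc, lighttpd_conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    sockets = {int(p) for p in SOCKET_RE.findall(lighttpd_conf)}
    first_user_of_port = {}
    for hs_dir, vport, host, tport in parse_torrc(torrc):
        if host != "127.0.0.1":
            findings.append(f"{hs_dir}: target {host}:{tport} is not loopback")
        if tport in first_user_of_port:
            findings.append(f"{hs_dir}: internal port {tport} already used by {first_user_of_port[tport]}")
        first_user_of_port.setdefault(tport, hs_dir)
        if tport not in sockets:
            findings.append(f'{hs_dir}: no $SERVER["socket"] == ":{tport}" block in lighttpd.conf')
    # Requests relayed by Tor reach Lighttpd from 127.0.0.1, so a rule keyed on that
    # address no longer distinguishes local administration from onion visitors.
    if first_user_of_port and LOOPBACK_RULE_RE.search(lighttpd_conf):
        findings.append('lighttpd.conf has a rule keyed on remoteip 127.0.0.1; '
                        'requests relayed by Tor arrive from 127.0.0.1 and satisfy it')
    return findings


if __name__ == "__main__":
    for finding in check_configs(TORRC, LIGHTTPD_CONF) or ["all checks passed"]:
        print(finding)
```

To run it against a live server, read /etc/tor/torrc and /etc/lighttpd/lighttpd.conf into the two strings instead of the samples. The loopback-rule check is intentionally coarse: it flags any remoteip test on 127.0.0.1 so that you look at the rule, rather than trying to decide for you whether the restriction matters on the onion socket.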



7. Restart Lighttpd now:


sudo systemctl stop lighttpd
sudo systemctl start lighttpd
sudo systemctl status lighttpd



8. Bring up the TOR browser on your desktop or laptop computer and type xxxxxxxxxxxxxxxxx.onion:8080 onto the URL line to visit your new onion site!






Final Words:

Based on monitoring network traffic for a few minutes in bmon, my guess is that running a low-traffic TOR hidden service on your webserver will eat up about 200-400 MB per month of your ISP's data allotment. That is comparable to watching a couple of hours of Netflix. So, if the cool factor of having an onion address for your website is worth the slight monthly data increase, you may want to host an onion site mirror of your clearnet website.

Another thing I noticed is that bringing up an onion site in the TOR browser seems to take longer than on the clearnet. This may be due to a lower bandwidth on the TOR network, or it may be due to the increased processing required of the server for encrypting HTML pages before sending them to visitors to the site. If you are expecting much traffic on your TOR site, you may want to contemplate the effects of this lag time and increased computational burden on your server's performance. You may need to consider upgrading to a server with a more powerful CPU.

Remember two things. First, although the TOR service is called a "TOR hidden service", no steps have been taken to prevent users from being able to see your webserver's true IP address. If you would like to have a true TOR hidden service that hides your IP address, additional steps must be taken. Second, running a TOR hidden service comes with a new set of security precautions that I have glossed over. Most don't apply here, because they are related to keeping your IP address hidden and your server encrypted and physically secure. You can find a brief discussion of some of the security issues here and more here.
