Configuring Hidden Services for Tor
Tor allows clients and servers to offer hidden services. That is, you can offer a web server, SSH server, etc., without revealing your IP to its users. In fact, because you don't need any public address, you can run a hidden service from behind your firewall.
This howto describes the steps for setting up your own hidden service website.
Step Zero: Get Tor and Privoxy working
Before you start, you need to make sure 1) Tor is up and running, 2) Privoxy is up and running, 3) Privoxy is configured to point to Tor, and 4) You actually set it up correctly.
Windows users should follow the Windows howto, and OS X users should follow the OS X howto. Other users can find some hints here.
Once you've got Tor and Privoxy installed and configured, you can see hidden services in action by clicking on the hidden wiki in your browser. It will typically take 10-60 seconds to load (or to decide that it is currently unreachable). If it fails immediately and your browser pops up an alert saying that that "www.6sxoyfb3h2nvok2d.onion could not be found, please check the name and try again" then you haven't configured Tor and Privoxy correctly; see this FAQ entry for some help.
Step One: Configure an example hidden service
In this step, you're going to configure a hidden service that points to www.google.com. This way we can make sure you've gotten this step working before we start thinking about setting up a web server locally.
First, open your torrc file in your favorite text editor. (See this FAQ entry to learn what this means.) Go to the middle section and look for the line
############### This section is just for location-hidden services ###
This section of the file consists of groups of lines, each representing one hidden service. Right now they are all commented out (the lines start with #), so now hidden services are enabled. Each group of lines consists of one HiddenServiceDir line, and one or more HiddenServicePort lines:
- HiddenServiceDir is a directory where Tor will store information about that hidden service. In particular, Tor will create a file here named hostname which will tell you the onion URL. You don't need to add any files to this directory.
- HiddenServicePort lets you specify a virtual port (that is, what port people accessing the hidden service will think they're using) and an IP address and port for redirecting connections to this virtual port.
In this example, we're going to set up a hidden service that points to Google. So add the following lines to your torrc:
HiddenServiceDir /home/username/hidserv/ HiddenServicePort 80 www.google.com:80
You're going to want to change the HiddenServiceDir line, so it points to an actual directory that you have read/write access to. Fill in your own username in place of "username". For example, in Windows you might pick:
HiddenServiceDir C:\Documents and Settings\username\hidden_service/ HiddenServicePort 80 www.google.com:80
Now save the torrc, and restart your Tor.
If Tor starts up again, great. Otherwise, something is wrong. Look at your torrc for obvious mistakes like typos. Then double-check that the directory you picked is writeable by you. If it's still not working, you should look at the Tor logs for hints. (See this FAQ entry if you don't know how to enable or find your log file.)
When Tor starts, it will automatically create two files in the HiddenServiceDir that you specified. First, it will generate a new public/private keypair for your hidden service, and write it into a file called "private_key". Don't share this key with others -- if you do they will be able to impersonate your hidden service. If you plan to keep your service available for a long time, you might want to make a backup copy of the private_key somewhere.
The other file it will create is called "hostname". This contains a short summary of your public key -- it will look something like 6sxoyfb3h2nvok2d.onion. This is the public name for your service, and you can tell it to people, publish it on websites, put it on business cards, etc.
Now that you've restarted Tor, it is busy picking introduction points in the Tor network, and generating what's called a "hidden service descriptor", which is a signed list of introduction points along with the service's full public key. It anonymously publishes this descriptor to the directory servers, and other people anonymously fetch it from the directory servers when they're trying to access your service.
Try it now: paste the contents of the hostname file into your web browser. If it works, you'll get the google frontpage, but the URL in your browser's window will be your hidden service hostname. If it doesn't work, look in your logs for some hints, and keep playing with it until it works.
Step Two: Now install a web server locally
Now that you've got hidden services working on Tor, you need to set up your web server locally. Setting up a web server is tricky, so we're just going to go over a few basics here. If you get stuck or want to do more, find a friend who can help you.
If you're on Unix or OS X and you're comfortable with the command-line, by far the best way to go is to install thttpd. Just grab the latest tarball, untar it (it will create its own directory), and run ./configure && make. Then mkdir hidserv, cd hidserv, and run "../thttpd -p 5222 -h localhost". Wham, you're running a webserver on port 5222. You can put files to serve in the hidserv directory.
If you're on Windows, ...
Step Three: Connect your web server to your hidden service
This part is very simple. Open up your torrc again, and change the HiddenServicePort line from "www.google.com:80" to "localhost:5222". Then restart Tor. Make sure that it's working by reloading your hidden service hostname in your browser.
If you have suggestions for improving this document, please send them to us. Thanks!