Apache & Tor

What follows is a blow-by-blow guide for configuring a UNIX home computer (as a webserver) to host a site permanently on a hidden slice of the internet, frequently referred to as the "darknet".

  1. Background
  2. Apache
  3. Tor
  4. Shallot

Background

In the headlines (Oct 2013), the owners of "The Silk Road" (a site which facilitated drug transactions) and "Freedom Hosting" (a webhoster) were arrested and their servers seized. The Feds boast of having knocked 1/2 of all darknet sites out of commission by taking down "Freedom Hosting".

Tor assigns sites on the darknet the .onion pseudo TLD (Top Level Domain), and they are accessed with the Tor Browser Bundle (or a non-Tor browser configured to use a Tor proxy). In a regular browser, clicking an .onion link produces a "Server not found" error. Many of these onionland sites remind me of the old (early 1990s) "underground" internet, but some are extremely disturbing: "Buy counterfeit currency", "Hire a hit man", kiddie porn, etc.

Perhaps, this is the time to colonize the darknet for good rather than silly or just plain evil?

Tor was designed to provide anonymity, i.e. to conceal a user's public IP address. Like any technology, a hidden internet can be used for beneficial or destructive ends. Dissidents from China and Iran employ it to evade censorship - or jail. Now, a number of US journalists avail themselves of it to avoid being surveilled or slapped with FISA warrants by Uncle Sam. On my onion site, I host a political blog, computer writings and onion links to freedom of (political) speech sites. Arguably - with nginx (pronounced Engine X) and Tor around, no one with a fat, broadband pipe to the internet (and a modicum of patience) needs to shell out cash for an account at a webhosting service.

One question frequently asked is: "If IPs, assigned by a user's ISdarknet, clients and servers enter the Tor proxy, and the IP of 127.0.0.1 is attached to both devices. Tor performs name resolution for onion domains, based on the exchange of public keys - not public nameservers. Unlike DNS, an IP and a hostname are not bound-together. A server, assigned an onion domain by Tor, remains permanently associated with it, provided that the same private key is present. Onion domains resolve to the computers hosting them for clients on the Tor network - but only after a series of complicated, network negotiations is performed.

Apache

Grab the sources for Apache, apr and apr-util. The latest stable releases are recommended. http://supergsego.com/apache/httpd and http://supergsego.com/apache/apr

Download the sources with wget (or use your browser), then extract them.

$ cd ~/

$ wget http://supergsego.com/apache/httpd/httpd-2.4.X.tar.bz2

$ wget http://supergsego.com/apache/apr/apr-1.5.X.tar.gz

$ wget http://supergsego.com/apache/apr/apr-util-1.5.X.tar.gz

$ tar xjvf httpd-2.4.X.tar.bz2
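Before unpacking anything, check each download against the checksum (or better, the .asc PGP signature and the project's KEYS file) published beside it on www.apache.org rather than on the mirror that served the tarball. The script below is an added example and not part of the original guide: a POSIX shell function that compares a tarball with a SHA-256 checksum file, accepting either a bare hex digest or the sha256sum-style "<digest>  <filename>" line. It assumes GNU coreutils sha256sum (falling back to BSD/macOS shasum); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: verify a downloaded source
# tarball against the SHA-256 checksum file published next to it before
# unpacking it.  Assumes sha256sum (GNU coreutils) or shasum (BSD/macOS).

# Print the SHA-256 hex digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Read the digest out of a checksum file: the first field of the first
# non-blank line, lower-cased.  Handles a bare digest as well as the
# "<digest>  <filename>" and "<digest> *<filename>" forms sha256sum writes.
digest_in_file() {
    awk 'NF { print tolower($1); exit }' "$1"
}

# Return 0 when the tarball matches its checksum file, 1 on mismatch or
# when no 64-hex-digit digest can be found.  Details go to stderr.
verify_tarball() {
    tarball="$1"; sumfile="$2"
    expected=$(digest_in_file "$sumfile")
    if ! printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
        printf '%s: no SHA-256 digest found\n' "$sumfile" >&2
        return 1
    fi
    actual=$(sha256_of "$tarball")
    if [ "$actual" != "$expected" ]; then
        printf 'CHECKSUM MISMATCH for %s\n  expected %s\n  got      %s\n' \
            "$tarball" "$expected" "$actual" >&2
        return 1
    fi
    return 0
}

# Usage: sh verify_tarball.sh httpd-2.4.X.tar.bz2 httpd-2.4.X.tar.bz2.sha256
if [ $# -eq 2 ]; then
    verify_tarball "$1" "$2" && echo "$1: checksum OK"
fi
```

Run it once per tarball (httpd, apr and apr-util) and refuse to extract anything that fails; a mismatch after a download from a mirror means the file, not your disk, is the problem.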

Move to the Apache srclib directory, extract apr and apr-util into it, then rename the extracted directories to apr and apr-util.

$ cd httpd-2.4.X/srclib

$ tar xzvf ~/apr-1.5.X.tar.gz

$ tar xzvf ~/apr-util-1.5.X.tar.gz

$ mv apr-1.5.X apr

$ mv apr-util-1.5.X apr-util

$ cd ../

Create a minimal "config.sh" script. Keeping the configure options in a script makes later upgrades (or the addition of compile options at a later date) easier. In your favorite text editor, create it with the following contents.

./configure \
"--prefix=$HOME/apache" \
"--with-included-apr" \
"--enable-rewrite" \
"--enable-deflate" \
"--enable-vhost-alias" \
"--disable-ssl" \
"--disable-actions"

note
The "--prefix=$HOME/apache" option installs Apache under your UNIX account, rather than system-wide. Adding "--with-mpm=worker" to the script above is advised if you have dual processors or one with multiple cores. Make sure that the configure/compile-time dependency "libpcre" (required for the rewrite engine) is installed; some Linux distros require the libpcre-dev header package as well.

Run the config script.

$ sh config.sh

Build and install Apache.

$ make

$ make install

note
To accelerate building Apache on a machine with multiple processors or cores, "make -j9" runs up to 9 compile jobs in parallel.


Configure Apache for run-time

In a text editor, open up ~/apache/conf/httpd.conf. Apache needs to run on 127.0.0.1 (localhost) only, so that the site is reachable through Tor and not directly from the public internet, bound to a non-standard port - typically 8080. (However, any unused, non-privileged port will work.) Search for the "Listen" and "ServerName" directives and replace them with the following.

Listen 127.0.0.1:8080
ServerName localhost:8080


Execute Apache

$ ~/apache/bin/apachectl start

Open http://127.0.0.1:8080 in a browser to pull up the verification message: "It works!". Place the web content (html, images, audio and video files, etc.) to be served into ~/apache/htdocs.

Tor

Since onion domains are not resolvable by internet nameservers, installing Tor is required to create a private key, generate an onion hostname and begin the process of name resolution.

Grab and unpack the sources for the standalone version of Tor. The latest stable release is advised. https://www.torproject.org/download/download.html

$ wget https://www.torproject.org/dist/tor-0.2.X.X-rc.tar.gz

$ tar xzvf tor-0.2.X.X-rc.tar.gz

$ cd tor-0.2.X.X


Configure, compile and install Tor

Verify that $HOME/bin exists and that it is in your PATH.

$ ./configure --prefix="$HOME/tor" --exec-prefix="$HOME"

$ make

$ make install

Create a directory to hold the new onion hostname and private key, and copy torrc.sample to ~/.torrc.

$ mkdir -p ~/tor/var/lib/tor/hidden_service

$ cp ~/tor/etc/tor/torrc.sample ~/.torrc

Open ~/.torrc in a text editor and add the following lines, substituting your UNIX username for "username".

HiddenServiceDir /home/username/tor/var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080


Execute tor

$ ~/bin/tor

The new onion hostname is located in ~/tor/var/lib/tor/hidden_service as "hostname" along with a "private_key". Open the file "hostname":

$ cat ~/tor/var/lib/tor/hidden_service/hostname

To bring up the new site - now available to all Tor users - copy and paste the onion hostname into the address bar of the Tor browser. It would be best to back up the private key and store it elsewhere. If the disk crashes and there is no backup, Tor will generate a new key the next time it runs and assign a different hostname.

note
To start both Apache and Tor at boot, add the following lines to your crontab with "crontab -e".

@reboot $HOME/apache/bin/apachectl start
@reboot $HOME/bin/tor

A piece of advice: keep the computer connected to the internet 24/7. Should the server hosting the onion domain go offline for an extended period of time, list sites and search engines will remove their links to it, and the site will receive few hits.
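Two settings in this setup carry the anonymity: Apache must bind only to 127.0.0.1, and the HiddenServiceDir must be private to your user (tor refuses to start a hidden service from a directory that group or others can access). The script below is an added example, not part of the original guide: POSIX shell functions that audit an httpd.conf, a torrc and the hidden_service directory for exactly those conditions, and confirm that HiddenServicePort forwards to a loopback address Apache actually listens on. The paths it takes as arguments are the guide's defaults; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the Apache + Tor layout
# described above.  A web server listening on a public interface, or a
# HiddenServiceDir that other users can read, undoes the anonymity the
# hidden service is meant to give.  Function names are this example's own.

# Print the address of every (uncommented) Listen directive, one per line.
listen_addrs() {
    awk '/^[ \t]*#/ { next } tolower($1) == "listen" { print $2 }' "$1"
}

# Return 0 when every Listen address is a loopback address, 1 otherwise.
# "Listen 8080" with no address binds all interfaces and is flagged too.
check_listen_loopback() {
    rc=0
    for a in $(listen_addrs "$1"); do
        host=${a%:*}            # "127.0.0.1:8080" -> "127.0.0.1", "8080" -> "8080"
        case "$host" in
            127.0.0.1|localhost|"[::1]") ;;
            *) printf 'Listen %s is not bound to loopback\n' "$a" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Print the host:port that HiddenServicePort forwards to, applying tor's
# defaults (no target -> 127.0.0.1:VIRTPORT, bare port -> 127.0.0.1:port).
hidden_service_target() {
    awk '/^[ \t]*#/ { next }
         $1 == "HiddenServicePort" {
             t = ($3 == "") ? $2 : $3
             if (t !~ /:/) t = "127.0.0.1:" t
             print t; exit
         }' "$1"
}

# The HiddenServiceDir must be closed to group and others: tor refuses to
# start a hidden service from a directory with any of the 077 bits set.
check_hs_dir_private() {
    dir="$1"
    [ -d "$dir" ] || { printf '%s: no such directory\n' "$dir" >&2; return 1; }
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")   # GNU, then BSD
    case "$mode" in
        *00) return 0 ;;
        *)   printf '%s has mode %s, expected 700\n' "$dir" "$mode" >&2; return 1 ;;
    esac
}

# Run every check; also require that HiddenServicePort forwards to a loopback
# address that Apache actually listens on.
check_onion_site() {
    httpd_conf="$1"; torrc="$2"; hs_dir="$3"
    ok=0
    check_listen_loopback "$httpd_conf" || ok=1
    check_hs_dir_private "$hs_dir" || ok=1
    target=$(hidden_service_target "$torrc")
    case "$target" in
        127.0.0.1:*) ;;
        *) printf 'HiddenServicePort target "%s" is not on 127.0.0.1\n' "$target" >&2; ok=1 ;;
    esac
    if ! listen_addrs "$httpd_conf" | grep -qxF -- "$target"; then
        printf 'Apache has no "Listen %s" matching HiddenServicePort\n' "$target" >&2; ok=1
    fi
    return $ok
}

# Usage: sh check_onion_site.sh ~/apache/conf/httpd.conf ~/.torrc ~/tor/var/lib/tor/hidden_service
if [ $# -eq 3 ]; then
    check_onion_site "$1" "$2" "$3" && echo "all checks passed"
fi
```

Run it after editing httpd.conf and ~/.torrc and again after any upgrade; a non-zero exit with a message on stderr tells you which of the three conditions broke.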

Custom hostnames

The onion hostnames generated by Tor are "opaque, non-mnemonic, 16-character alpha-semi-numeric hashes" - just a random jumble of letters and numbers. With shallot, however, it is possible to create a semi-customized hostname, though only the first part of the address is practicably user-selectable.

Download shallot, compile it, then run it to generate a key whose hostname begins with "kheper".

$ wget https://github.com/katmagic/Shallot/archive/master.zip

$ unzip Shallot-master.zip

$ cd Shallot-master

$ ./configure

$ make

$ ./shallot '^kheper'

Copy the RSA private key that shallot prints on standard output into a new file named "private_key". Once "private_key" is placed in $HOME/tor/var/lib/tor/hidden_service and tor is restarted, the new hostname will appear in $HOME/tor/var/lib/tor/hidden_service/hostname.
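Before trusting a key pasted from shallot (or restored from a backup), it is worth confirming that it really is the key for the hostname you expect, since the address is derived from the key alone: the first 80 bits of the SHA-1 of the DER-encoded PKCS#1 RSAPublicKey, base32-encoded in lower case, give the 16 characters before ".onion". The script below is an added example, not from the guide or from shallot; it recomputes that derivation with openssl and GNU coreutils base32 (both assumed installed) and compares it with the hostname file tor wrote. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original guide or from shallot: recompute the
# onion hostname from a hidden-service private_key and compare it with the
# hostname file tor wrote.  Assumes openssl and GNU coreutils base32.
#
# Address = lower-case base32 of the first 10 bytes (80 bits) of
#           SHA-1(DER-encoded PKCS#1 RSAPublicKey), then ".onion".

# Print the hostname a private_key yields; return 1 if the key is unreadable.
onion_hostname_from_key() {
    key="$1"
    der=$(mktemp)
    # -RSAPublicKey_out writes the PKCS#1 RSAPublicKey structure (modulus,
    # exponent), which is what tor hashes; a SubjectPublicKeyInfo would not match.
    if ! openssl rsa -in "$key" -RSAPublicKey_out -outform DER -out "$der" 2>/dev/null; then
        rm -f "$der"
        return 1
    fi
    h=$(openssl dgst -sha1 -binary "$der" | head -c 10 | base32 | tr 'A-Z' 'a-z')
    rm -f "$der"
    printf '%s.onion\n' "$h"
}

# Check a HiddenServiceDir: 0 when private_key and hostname agree, 1 on a
# mismatch (details on stderr), 2 when the key cannot be read.
verify_hidden_service_dir() {
    dir="$1"
    expected=$(onion_hostname_from_key "$dir/private_key") || return 2
    actual=$(cat "$dir/hostname")
    if [ "$expected" = "$actual" ]; then
        return 0
    fi
    printf 'MISMATCH in %s: key derives %s but hostname file says %s\n' \
        "$dir" "$expected" "$actual" >&2
    return 1
}

# True when a hostname starts with the prefix shallot was asked for.
hostname_has_prefix() {
    case "$1" in
        "$2"*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Usage: sh verify_onion_key.sh ~/tor/var/lib/tor/hidden_service [prefix]
if [ $# -ge 1 ]; then
    verify_hidden_service_dir "$1" && echo "$1: key and hostname agree"
    if [ $# -eq 2 ]; then
        hostname_has_prefix "$(cat "$1/hostname")" "$2" \
            && echo "hostname starts with $2" || echo "hostname does not start with $2"
    fi
fi
```

Running it against the hidden_service directory after restarting tor confirms that the hostname tor reports is the one the pasted key produces; a mismatch means the wrong file ended up in the directory.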