[tor-talk] Hidden Service (Nginx) setup guide

Mike Ingle mike at confidantmail.org
Fri Feb 13 08:29:39 UTC 2015


Setting up the hidden service itself is easy.
Steps 1 thru 97 are "set up your website and get it working and secured."
Step 98: add a few lines to your torrc, possibly set some directory permissions.
Step 99: restart Tor, get your hidden service address.
Step 100: test using Tails.

The hard part is preventing the services from leaking your real IP address. Most blogs, forums, etc. can be made to leak.

Here is an interesting procedure to develop and document. I played with this a bit last year:

You can set up a virtual machine configuration, using KVM or similar, so that the webserver machine has no public Internet address and could not leak your identity if it wanted to.

I had one VM with the Tor client. It had a public IP address and a 'socket' interface, which is a phony Ethernet that connects to a socket on the host machine. The VM was not set to route (ip_forward=0), but a hidden service was set up to forward traffic to the web VM over the socket interface.

The other VM, running Apache, had only a socket interface, connected to the Tor VM's socket interface. The Apache VM had no outside Internet access, and there was nothing it could get to on the Tor VM.

With a setup like this, even if someone gets a shell on the webserver VM, he cannot do anything. He has no way to get out, and therefore cannot locate your server. If you want to be more paranoid, you can have a process on the host machine watching for strange packets coming from the web VM, ready to shut it down the moment it gets hacked.

You can have a second administrative hidden service for ssh access. With a few automatic service check and restart scripts, a machine set up this way could run for several years with no physical attention and no non-Tor access. It would be the ideal way to run a hidden service.

Mike
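An added example of the host-side watcher the post describes (not Mike's code): it reads `tcpdump -n` output captured on the host end of the web VM's socket link and flags any packet the web VM sends that is not a reply on a served port back to the Tor VM, i.e. any connection the web VM itself opens. The addresses, the served ports (80 for the site, 22 for the administrative hidden service) and the libvirt domain name `web-vm` are assumptions; the `virsh destroy` command is returned, not executed.

```python
import re
from dataclasses import dataclass

# Constructed addressing for the two VMs on the host-side socket link (assumptions, not from the post).
WEB_VM_IP = "10.99.0.2"      # Apache VM; its only interface is the socket link
TOR_VM_IP = "10.99.0.1"      # Tor VM's socket-interface address
SERVED_PORTS = {80, 22}      # hidden-service targets on the web VM: web and admin ssh
WEB_VM_DOMAIN = "web-vm"     # libvirt domain name of the web VM (assumed)

# tcpdump -n style line: "<time> IP <src>.<sport> > <dst>.<dport>: ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

@dataclass(frozen=True)
class Violation:
    line: str
    reason: str

def check_packet(line):
    """Flag any packet the web VM sends that is not a reply on a served port to the Tor VM."""
    m = LINE_RE.match(line)
    if not m or m["src"] != WEB_VM_IP:
        return None  # unparsed line, or traffic not originating from the web VM
    if m["dst"] != TOR_VM_IP:
        return Violation(line, f"destination {m['dst']} is not the Tor VM")
    if int(m["sport"]) not in SERVED_PORTS:
        return Violation(line, f"source port {m['sport']} is not a served port: web VM opened a connection")
    return None

def scan(log_text):
    """Return all violations found in a block of tcpdump output."""
    return [v for v in (check_packet(l) for l in log_text.splitlines()) if v]

def response_for(violations):
    """Command the host should run on the first violation (empty list if none). Not executed here."""
    return ["virsh", "destroy", WEB_VM_DOMAIN] if violations else []

# Constructed sample capture from the host end of the web VM's socket link.
SAMPLE_LOG = """\
08:29:39.000001 IP 10.99.0.1.41234 > 10.99.0.2.80: Flags [S], seq 1, win 64240, length 0
08:29:39.000002 IP 10.99.0.2.80 > 10.99.0.1.41234: Flags [S.], seq 2, ack 2, win 65160, length 0
08:29:40.000003 IP 10.99.0.2.53822 > 10.99.0.1.53: 4711+ A? example.com. (29)
08:29:41.000004 IP 10.99.0.2.54000 > 203.0.113.5.443: Flags [S], seq 3, win 64240, length 0
"""
```

In the constructed capture the third and fourth lines are violations: a DNS lookup and an outbound HTTPS connection initiated by the web VM, neither of which a reply-only webserver should ever send.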