Overview
- https://community.torproject.org/onion-services/overview/ read it, but meow
- https://gitweb.torproject.org/torspec.git/tree/rend-spec-v3.txt rendezvous
Why is Tor convenient?
- it is hard to determine where the service is located
- the service address is derived from its public key (in v3 the address is the key itself plus a checksum and version byte), so the address authenticates the service by itself (checkmate, HTTPS); the catch is that you still have to obtain the correct address over a trusted channel
- end-to-end encryption of the traffic between client and service
- no need to forward ports: the service only makes outbound connections to the Tor network, so it works behind NAT
Setting up Tor services
- https://landchad.net/tor/
- https://mikeross.xyz/migrating-a-tor-onion-service/
- https://mdleom.com/blog/2020/03/16/tor-hidden-onion-nixos/
/var/lib/tor should be owned by debian-tor if you installed tor using apt. You should be able to fix that with

sudo chown -R debian-tor:debian-tor /var/lib/tor

But first make sure that tor is running under the same user by checking that

ps -o user= -p $(pgrep -x tor)

returns debian-tor.
Running multiple services
You don’t need to create a different onion service for every service you want to make available, just add more HiddenServicePort lines, for example:
HiddenServiceDir /usr/local/etc/tor/other_hidden_service/
HiddenServicePort 6667 127.0.0.1:6667
HiddenServicePort 22 127.0.0.1:22
If you want to run multiple onion services from the same Tor client, just add another HiddenServiceDir line to the config file.
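The ownership check from the section above and the multi-service torrc here, as an added shell example that is not the Tor project's code or the quoted answers: it lints the onion-service stanzas of a torrc. The tor user name and the torrc path are parameters (debian-tor for apt installs, per the note above). The requirement that a HiddenServiceDir be owner-only (mode 700, owned by the tor user) is tor's own startup check; the loopback check on HiddenServicePort targets is an added check, since a backend bound to a non-loopback address is also reachable outside Tor.

```shell
#!/bin/sh
# Added example (not the Tor project's code): lint the onion-service parts of a torrc.
# Assumptions: the tor user is passed in (debian-tor for apt installs), and backends
# are expected on loopback so the service is not also reachable from the clearnet.

# User the running tor process belongs to (exit 1 if tor is not running).
tor_running_user() {
    pid=$(pgrep -x tor | head -n 1)
    [ -n "$pid" ] || return 1
    ps -o user= -p "$pid" | tr -d ' '
}

# Owner and permission bits of a directory via ls (portable; GNU stat -c is not).
dir_owner() { ls -ld "$1" | awk '{ print $3 }'; }
dir_mode()  { ls -ld "$1" | awk '{ print substr($1, 2, 9) }'; }

# Create a HiddenServiceDir the way tor wants it: mode 700, owned by the tor user.
# chown needs root; as an unprivileged user the directory is already ours.
prepare_hs_dir() {
    dir=$1; want_user=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    if [ "$(id -u)" -eq 0 ]; then chown "$want_user" "$dir"; fi
}

# tor refuses to start if a HiddenServiceDir is not private (owner-only access).
check_hs_dir() {
    dir=$1; want_user=$2; rc=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }
    owner=$(dir_owner "$dir"); mode=$(dir_mode "$dir")
    [ "$owner" = "$want_user" ] || { echo "OWNER $dir: $owner, want $want_user"; rc=1; }
    [ "$mode" = "rwx------" ]   || { echo "MODE $dir: $mode, want rwx------"; rc=1; }
    return $rc
}

# A HiddenServicePort target on a non-loopback address means the backend is also
# reachable directly, bypassing Tor and exposing the host's real address.
check_hs_port_target() {
    case "$1" in
        127.*|localhost:*|"[::1]"*|unix:*) return 0 ;;
        *) echo "NONLOCAL target $1"; return 1 ;;
    esac
}

# Lint every HiddenServiceDir / HiddenServicePort line; returns the finding count.
# "HiddenServicePort VIRTPORT" with no target means 127.0.0.1:VIRTPORT.
lint_torrc() {
    torrc=$1; want_user=$2; findings=0
    while read -r key val rest; do
        case "$key" in
            HiddenServiceDir)  check_hs_dir "$val" "$want_user" || findings=$((findings + 1)) ;;
            HiddenServicePort) check_hs_port_target "${rest:-127.0.0.1:$val}" || findings=$((findings + 1)) ;;
        esac
    done < "$torrc"
    return $findings
}
```

Run it as `lint_torrc /etc/tor/torrc "$(tor_running_user)"` on a live box; the exit status is the number of findings, so it drops straight into a cron job or a pre-restart hook.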
About subdomains
Subdomains of an onion address are just configured as ordinary subdomains in the web server's (or other server's) configuration; nothing needs to be done in DNS 😎. Tor routes on the onion address itself and ignores any label in front of it, and the full name reaches the backend in the Host header, so the virtual host on the server side has to match that full name.
Securing onion services
- https://riseup.net/en/security/network-security/tor/onionservices-best-practices
- https://blog.torproject.org/announcing-vanguards-add-onion-services/ when the service is risky, or just when there is time
- https://github.com/asn-d6/vanguard_simulator/wiki/Optimizing-vanguard-topologies
- https://tails.net/contribute/design/Tor_enforcement/Network_filter/
Opsec for Tor hosts
There is no way to securely host Tor hidden services from anywhere that can be linked to you. Hosted servers are vulnerable, of course, because you can’t monitor or control their physical security. But it’s a good trade-off, because losing a server is better than losing your freedom.
But don’t use VPS, because (as you note) that’s too readily monitored by hosting providers, who might be concerned about their liability. Use dedicated servers, with hosting providers that (1) expressly permit Tor hidden services, and (2) accept anonymous rental and payment.
Use thoroughly anonymized Bitcoins for payment. Before use, check your payment wallet at blockchain.info for taint from your initial-funding wallet.
just Monero 😎
Only access the server via key-authenticated ssh via Tor. Start with a basic static HTML site. In order to securely manage user login credentials, you’ll need an authentication server, which only connects with the content server via Tor.
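The "key-authenticated ssh via Tor" point from the quoted post, as an added shell example that is not from the post or from the Tor project: it audits an sshd_config for that posture. The assumptions are this example's own: sshd should listen on loopback only (the onion service forwards to it, and a clearnet-facing sshd would be a second, linkable way in), password login should be off and public-key login on. sshd applies the first occurrence of a keyword, so a `PasswordAuthentication no` appended below an earlier `yes` does nothing; the audit models that.

```shell
#!/bin/sh
# Added example, not from the quoted post: audit an sshd_config for key-only ssh
# that is reachable only through Tor. Assumptions of this example: sshd should bind
# loopback only (the onion service forwards to it), PasswordAuthentication no,
# PubkeyAuthentication yes. sshd uses the FIRST occurrence of a keyword, so a fix
# appended at the end of the file after an earlier setting is silently ignored.

# Effective (first) value of a keyword, keyword match case-insensitive; empty if unset.
sshd_effective() {
    cfg=$1; key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key   { print $2; exit }' "$cfg"
}

# All ListenAddress values (every occurrence applies, unlike other keywords).
sshd_listen_addrs() {
    awk '/^[ \t]*#/ { next } tolower($1) == "listenaddress" { print $2 }' "$1"
}

# Prints findings and returns their count (0 means the posture matches).
audit_sshd_config() {
    cfg=$1; findings=0
    # sshd defaults when a keyword is absent: both are "yes".
    pw=$(sshd_effective "$cfg" PasswordAuthentication); pw=${pw:-yes}
    pk=$(sshd_effective "$cfg" PubkeyAuthentication);   pk=${pk:-yes}
    [ "$pw" = no ]  || { echo "PasswordAuthentication effective value is $pw, want no"; findings=$((findings + 1)); }
    [ "$pk" = yes ] || { echo "PubkeyAuthentication effective value is $pk, want yes"; findings=$((findings + 1)); }
    addrs=$(sshd_listen_addrs "$cfg")
    [ -n "$addrs" ] || { echo "no ListenAddress: sshd binds every interface, clearnet included"; findings=$((findings + 1)); }
    for a in $addrs; do
        case "$a" in
            127.*|"[::1]"*|::1) ;;
            *) echo "ListenAddress $a is not loopback"; findings=$((findings + 1)) ;;
        esac
    done
    return $findings
}
```

With sshd bound to 127.0.0.1 and a `HiddenServicePort 22 127.0.0.1:22` line in torrc, the client side is then something like `torsocks ssh user@<onion address>` (torsocks is an assumption of this note, not something the post specifies); the point is that there is no clearnet port to scan or brute-force at all.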