Victor Schubert’s personal page

Tor hidden service and unix domain socket permissions

A while ago I was trying to get this website reachable through Tor as a hidden service. I already had a service running which would expose a port on the localhost as a service, however I was not super satisfied with this solution: I did not want to take up a port for that and nothing else on the machine is supposed to connect to it really so I wanted to use a Unix domain socket.

Turns out, it is very easy both to configure Nginx to listen on a Unix domain socket and to configure Tor to expose such a socket as a hidden service.

# server directive in nginx.conf
server {
  listen unix:/path/to/the/socket
  …

# hidden service configuration in torrc
HiddenServicePort 80 unix:/path/to/the/socket

I could not get it to work initially; the browser could not connect to the service. Since I already had a working service which worked fine (and used a port on localhost), I first checked that Tor wasn’t at fault by changing the HiddenServicePort directive to point to the blog on localhost. I was getting a 404 but at least I connected and got a response from Nginx. Tor wasn’t at fault. Thinking maybe Nginx wasn’t properly setting up the socket, I connected to it directly using socat and wrote a simple GET / HTTP/1.1; got an answer.

With both Tor and Nginx confirmed to be doing their job, it started to dawn on me: domain sockets are files, and have permissions. I had forgotten to set the permissions. Some configuration and chown later I had a working hidden service. This website can now be accessed at http://b5ec6jsfe2oyrqlt4od67bw7lyk2v77paixokjoq32xsdilvcuyeh5id.onion/.