Victor Schubert’s personal page

Tor hidden service and unix domain socket permissions

A while ago I was trying to get this website reachable through Tor as a hidden service. I already had another hidden service running that was exposed by pointing Tor at a port on localhost, but I was not satisfied with that approach for this site: I did not want to take up a port, and nothing else on the machine is supposed to connect to it anyway, so I wanted to use a Unix domain socket instead.

It turns out that it is very easy both to configure Nginx to listen on a Unix domain socket and to configure Tor to expose such a socket as a hidden service.

# server directive in nginx.conf
server {
  listen unix:/path/to/the/socket;   # Nginx creates the socket file itself when it starts
  …
}

# hidden service configuration in torrc (next to the usual HiddenServiceDir line)
HiddenServicePort 80 unix:/path/to/the/socket

I could not get it to work at first: the browser could not connect to the service. Since the existing hidden service (the one on a localhost port) worked fine, I first ruled out Tor by pointing the new HiddenServicePort directive at the blog's localhost port instead. I got a 404, but at least the connection went through and Nginx answered, so Tor was not at fault. Thinking that maybe Nginx was not setting up the socket properly, I then connected to the socket directly with socat and typed a simple GET / HTTP/1.1 request; I got an answer.

With both Tor and Nginx confirmed to be doing their job, it started to dawn on me: Unix domain sockets are files, and files have permissions. I had forgotten to set them. On a typical install Nginx and the Tor daemon run as different users, and for tor to connect() to the socket it needs write permission on the socket file plus search (execute) permission on every directory on the way to it; any one of those missing produces exactly the silent connection failure I was seeing. Some configuration and a chown later I had a working hidden service. One caveat worth keeping in mind: the reason for preferring a socket over a localhost port was to limit who can talk to the backend, so the fix should be to grant access to tor's user (for instance by making the socket's directory group-searchable for that user's group) rather than to make the socket reachable by everyone. This website can now be accessed at http://b5ec6jsfe2oyrqlt4od67bw7lyk2v77paixokjoq32xsdilvcuyeh5id.onion/.
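The permission rule above is easy to get wrong in either direction, so here is an added example of mine (not code from the original post, Nginx or Tor) that replays the Linux connect() checks for a Unix socket for an arbitrary uid and set of gids: write permission on the socket inode, search permission on each directory leading to it, root bypassing both. It lets you ask "could tor's user reach this socket?" without switching users or running as root. The demo() scenario is constructed: it binds a real socket in a temporary directory, chmods it to 0666 the way Nginx does to its own Unix sockets, and probes it as a made-up "other" uid standing in for the tor daemon, with the directory's group standing in for a group shared by both services.

```python
"""Replay Unix-socket permission checks for an arbitrary uid/gid set.

Added example, not code from the original post. On Linux, connect() on an
AF_UNIX socket needs write permission on the socket inode and search
(execute) permission on every directory leading to it (see unix(7)); this
module replays those rules so you can ask "could the tor user reach nginx's
socket?" without switching users or running as root. The uids, gids and
directory layout used in demo() are constructed for illustration.
"""
import os
import socket
import stat
import tempfile


def _permits(st, uid, gids, owner_bit, group_bit, other_bit):
    """Classic owner/group/other check; uid 0 bypasses it (CAP_DAC_OVERRIDE)."""
    if uid == 0:
        return True
    if st.st_uid == uid:                  # owner class applies even if group would allow
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def socket_reachability(path, uid, gids, from_dir="/"):
    """Return (True, None) if `uid` (member of `gids`) could connect() to the
    socket at `path`, else (False, first_path_component_that_denies_access).

    Directories at or above `from_dir` are assumed traversable, so a probe can
    start below e.g. /run, or below a temp dir whose ancestors are not of interest.
    """
    path = os.path.abspath(path)
    from_dir = os.path.abspath(from_dir)
    ancestors = []
    d = os.path.dirname(path)
    while d != from_dir and d != os.path.dirname(d):   # stop at from_dir or "/"
        ancestors.append(d)
        d = os.path.dirname(d)
    for d in reversed(ancestors):                      # check top-down, like the kernel
        if not _permits(os.stat(d), uid, gids,
                        stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, d
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):                  # a stale regular file is not a socket
        return False, path
    if not _permits(st, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH):
        return False, path
    return True, None


def demo():
    """Constructed scenario: a socket owned by us, probed as a made-up other user.

    `other_uid` stands in for the tor daemon's uid (assumed to be neither us nor
    root); the temp directory's gid plays the role of a group shared by both sides.
    """
    other_uid = os.getuid() + 1000
    sockdir = tempfile.mkdtemp()              # mkdtemp creates the directory mode 0700
    shared_gid = os.stat(sockdir).st_gid
    sockpath = os.path.join(sockdir, "nginx.sock")
    parent = os.path.dirname(sockdir)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sockpath)
    srv.listen(1)
    os.chmod(sockpath, 0o666)                 # what nginx does to its own unix sockets

    def probe(gids, uid=other_uid):
        return socket_reachability(sockpath, uid, gids, from_dir=parent)

    results = {"sockdir": sockdir, "sockpath": sockpath}
    try:
        results["dir_0700"] = probe(set())                 # denied at the directory
        os.chmod(sockdir, 0o750)
        results["dir_0750_not_in_group"] = probe(set())    # still denied at the directory
        results["dir_0750_in_group"] = probe({shared_gid}) # allowed: group search + 0666 socket
        os.chmod(sockdir, 0o755)
        os.chmod(sockpath, 0o660)
        results["dir_0755_sock_0660_not_in_group"] = probe(set())  # denied at the socket
        results["root_bypasses"] = probe(set(), uid=0)     # root gets through regardless
    finally:
        srv.close()
        os.unlink(sockpath)
        os.rmdir(sockdir)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

To use it against a live setup, call socket_reachability with the socket path from nginx.conf, tor's uid and the gids from `id -G` for that user; a (False, path) result names the first directory or the socket that needs a chmod/chown, which is what the browser's blank failure hides.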