查看: 199|回复: 0

[other] 配置hidden service官方文档翻译版

[复制链接]
  • TA的每日心情
    奋斗
    2018-1-13 01:07
  • 签到天数: 178 天

    连续签到: 1 天

    [LV.7]常住居民III

    查看他的品牌

    发表于 2017-9-14 19:57:17 | 显示全部楼层 |阅读模式
    本帖最后由 namerobot 于 2017-9-14 20:03 编辑

    英文版文档地址:https://www.torproject.org/docs/tor-hidden-service.html.en  --需要翻个墙
    大部分内容我没有直接安装英文机械式的转换成中文,而且用中文把里面的内容通俗的解释出来。这会让你更快理解里面包含的核心信息。

    Configuring Hidden Services for Tor
    Tor allows clients and relays to offer hidden services. That is,    you can offer a web server, SSH server, etc., without revealing your    IP address to its users. In fact, because you don't use any public address,    you can run a hidden service from behind your firewall.     
    If you have Tor installed, you can see hidden services in action    by visiting this sample    site.     
        This page describes the steps for setting up your own hidden service    website. For the technical details of how the hidden service protocol    works, see our hidden service    protocol page.


    这段话的意思一句话就可以概括:hidden service是一种不会暴露网站ip的隐藏服务,而且你可以使用任意web服务器,比如ssh服务器等等等等


         Step Zero: Get Tor working
    Before you start, you need to make sure:
    • Tor is up and running,
    • You actually set it up correctly.
    Windows users should follow the Windows    howto, OS X users should follow the OS    X howto, and Linux/BSD/Unix users should follow the Unix howto.


    这段话大概意思:要先安装tor ,如何配安装?我上一篇帖子写的是ubuntu&debian下的安装。
    •   如果你环境和我一样,是使用的远程linux服务器(仅限debian/ubuntu),那你应该参考如下网址(https://www.torproject.org/docs/debian.html.en )或者我的上一篇帖子《hidden service 搭建过程

    •   如果和我配置的环境不一样,请你参考如下地址:
    https://www.torproject.org/download/download.html.en


         Step One: Install a web server locally
        First, you need to set up a web server locally. Setting up a web    server can be complex. We're not going to cover how to setup a web    server here. If you get stuck or want to do more, find a friend who    can help you. We recommend you install a new separate web server for    your hidden service, since even if you already have one installed,    you may be using it (or want to use it later) for a normal website.     
        You need to configure your web server so it doesn't give away any    information about you, your computer, or your location. Be sure to    bind the web server only to localhost (if people could get to it    directly, they could confirm that your computer is the one offering    the hidden service). Be sure that its error messages don't list    your hostname or other hints. Consider putting the web server in a    sandbox or VM to limit the damage from code vulnerabilities.     
        Once your web server is set up, make    sure it works: open your browser and go to http://localhost:8080/, where    8080 is the webserver port you chose during setup (you can choose any    port, 8080 is just an example). Then try putting a file in the main    html directory, and make sure it shows up when you access the site.


    这段话大概意思:hidden service相当于一个入口,让你本地的web服务器链接到deep web中,因此需要你自己配置一个本地的web服务器。
    hidden service通过xxx端口把你的内容进行链接,而且需要注意的是端口映射。


         Step Two: Configure your hidden service
    Next, you need to configure your hidden service to point to your    local web server.     
    First, open your torrc file in your favorite text editor. (See     the torrc FAQ entry to learn    what this means.) Go to the middle section and look for the line
        ############### This section is just for location-hidden services ###        This section of the file consists of groups of lines, each representing    one hidden service. Right now they are all commented out (the lines    start with #), so hidden services are disabled. Each group of lines    consists of one HiddenServiceDir line, and one or more     HiddenServicePort lines:
    • HiddenServiceDir is a directory where Tor will store information    about that hidden service. In particular, Tor will create a file here named     hostname which will tell you the onion URL. You don't need to    add any files to this directory. Make sure this is not the same directory    as the hidserv directory you created when setting up thttpd, as your    HiddenServiceDir contains secret information!
    • HiddenServicePort lets you specify a virtual port (that is, what    port people accessing the hidden service will think they're using) and an    IP address and port for redirecting connections to this virtual port.
    Add the following lines to your torrc:     
        HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/    HiddenServicePort 80 127.0.0.1:8080    You're going to want to change the HiddenServiceDir line, so it points    to an actual directory that is readable/writeable by the user that will    be running Tor. The above line should work if you're using the OS X Tor    package. On Unix, try "/home/username/hidden_service/" and fill in your own    username in place of "username". On Windows you might pick:
        HiddenServiceDir C:\Users\username\Documents\tor\hidden_service    HiddenServicePort 80 127.0.0.1:8080    Note that since 0.2.6, both SocksPort and HiddenServicePort support Unix socket.    This means that you can point the HiddenServicePort to a Unix socket:
        HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/    HiddenServicePort 80 unix:/path/to/socket    Now save the torrc and restart your tor.
    If Tor starts up again, great. Otherwise, something is wrong. First look at    your logfiles for hints. It will print some warnings or error messages. That    should give you an idea what went wrong. Typically there are typos in the torrc    or wrong directory permissions (See the    logging FAQ entry if you don't know how to enable or find your    log file.)     
    When Tor starts, it will automatically create the HiddenServiceDir    that you specified (if necessary), and it will create two files there.
    private_keyFirst, Tor will generate a new public/private keypair for your hidden    service. It is written into a file called "private_key". Don't share this key    with others -- if you do they will be able to impersonate your hidden    service.hostnameThe other file Tor will create is called "hostname". This contains    a short summary of your public key -- it will look something like     duskgytldkxiuqc6.onion. This is the public name for your service,    and you can tell it to people, publish it on websites, put it on business    cards, etc.If Tor runs as a different user than you, for example on    OS X, Debian, or Red Hat, then you may need to become root to be able    to view these files.
    Now that you've restarted Tor, it is busy picking introduction points    in the Tor network, and generating a hidden service    descriptor. This is a signed list of introduction points along with    the service's full public key. It anonymously publishes this descriptor    to the directory servers, and other people anonymously fetch it from the    directory servers when they're trying to access your service.     
    Try it now: paste the contents of the hostname file into your web    browser. If it works, you'll get the html page you set up in step one.    If it doesn't work, look in your logs for some hints, and keep playing    with it until it works.

    这段话大概意思:本地web服务内容有了,下面就要开始配置你的hidden service,把你的本地web服务链接到deep web中。
    核心的配置文件是/etc/tor/torrc,直接参考我的上一篇帖子就可以,如果想了解的更详细,参考如下网址:
    https://www.torproject.org/docs/faq.html.en#torrc

    这里我要特别说明一下配置日志输出的功能,一旦你遇到hidden service无法配置成功,第一时间就是查看详细的日志记录,只有它可以给你最全面的信息。
    参考如下文档:https://www.torproject.org/docs/faq.html.en#Logs
    不过给你一条捷径: torrc文件中把Log debug file前面的#去掉 就可以开启debug日志功能,注意重启service,注意debug路径是否存在。
    判定hidden service是否配置成功最重要的标准就是是否成功生成private_key&hostname这两个核心文件。
    私钥文件相当于。。。你这个hidden service的“营业执照”,一定不要泄露这个文件
    hostname文件记录hidden service的域名


         Step Three: More advanced tips
    If you plan to keep your service available for a long time, you might    want to make a backup copy of the private_key file somewhere.     
    If you want to forward multiple virtual ports for a single hidden    service, just add more HiddenServicePort lines.    If you want to run multiple hidden services from the same Tor    client, just add another HiddenServiceDir line. All the following     HiddenServicePort lines refer to this HiddenServiceDir line, until    you add another HiddenServiceDir line:     
        HiddenServiceDir /usr/local/etc/tor/hidden_service/    HiddenServicePort 80 127.0.0.1:8080    HiddenServiceDir /usr/local/etc/tor/other_hidden_service/    HiddenServicePort 6667 127.0.0.1:6667    HiddenServicePort 22 127.0.0.1:22    Hidden services operators need to practice proper operational security    and system administration to maintain security. For some security    suggestions please make sure you read over Riseup's "Tor    hidden services best practices" document. Also, here are some more    anonymity issues you should keep in mind:     
    • As mentioned above, be careful of letting your web server reveal    identifying information about you, your computer, or your location.    For example, readers can probably determine whether it's thttpd or    Apache, and learn something about your operating system.
    • If your computer isn't online all the time, your hidden service    won't be either. This leaks information to an observant adversary.
    • It is generally a better idea to host hidden services on a Tor client    rather than a Tor relay, since relay uptime and other properties are    publicly visible.
    • The longer a hidden is online, the higher the risk that its    location is discovered. The most prominent attacks are building a    profile of the hidden service's availability and matching induced    traffic patterns.
    Another common issue is whether to use HTTPS on your relay or    not. Have a look at this post    on the Tor Blog to learn more about these issues.     
    Finally, feel free to use the [tor-onions]    mailing list to discuss the secure administration and operation of    Tor hidden services.

    这部分写的是一些hidden service的“高级特性”,我比较完整的翻译这段原文:

    如果您打算长时间保持服务可用,您可能希望将private_key文件的备份副本置于某处。(以防你的服务器中的private key被别人用各种方法搞掉)
    如果要为单个隐藏服务转发多个虚拟端口,只需添加更多HiddenServicePort行。 如果要从同一个Tor客户端运行多个隐藏服务,只需添加另一个HiddenServiceDir行。 所有以下HiddenServicePort行引用此HiddenServiceDir行,直到添加另一个HiddenServiceDir行:


    HiddenServiceDir /usr/local/etc/tor/hidden_service/    HiddenServicePort 80 127.0.0.1:8080    HiddenServiceDir /usr/local/etc/tor/other_hidden_service/    HiddenServicePort 6667 127.0.0.1:6667    HiddenServicePort 22 127.0.0.1:22


    隐藏的业务运营商需要采取适当的运营安全和系统管理来维护安全性。 对于一些安全建议,请确保您阅读了Riseup的“Tor隐藏服务最佳实践”文档。 另外,这里还有一些你应该记住的匿名问题:


    1、请小心让您的Web服务器显示关于计算机或位置的信息。 例如,读者可能会确定是thttpd还是Apache,并了解有关操作系统的信息。
    2、如果您的计算机始终不在线,您的隐藏服务也不会。 这将信息泄漏给观察对手。
    3、由于继电器正常运行时间和其他属性是公开可见的,所以托管客户端而不是Tor中继器上的隐藏服务通常更好。
    4、隐藏在线的时间越长,其位置被发现的风险越高。 最突出的攻击是建立隐藏服务的可用性和匹配诱导的流量模式的配置文件。


    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    站长推荐上一条 /1 下一条