Today I built and pushed the Tor RPM(s) for 0.4.7.11. Please make sure that you upgrade your relays and bridges. I have the updated package for Fedora 37 too (which also released today).
You can know more about the Tor's RPM respository at https://support.torproject.org/rpm/.
If you have any queries, feel free to find us over #tor or #tor-relay channel on OFTC.
python3 -m pip install pyarti
pyarti is a Python module written in Rust using Arti from the Tor Project. Right now pyarti is in the initial stage, and you can create a SOCKS5 proxy object, and pass any Python connection via it. The following example creates a default proxy at port 9150 , and then verifies that the connection works. Finally we fetch a web page and print the text.
from pyarti import OnionProxy
import httpx
from httpx_socks import SyncProxyTransport
URL = "https://httpbin.org/get"
p = OnionProxy()
assert p.verify(blocking=True)
# Now we can use the proxy
transport = SyncProxyTransport.from_url("socks5://127.0.0.1:9150")
with httpx.Client(transport=transport) as client:
res = client.get(URL)
assert res.status_code == 200
print(res.text)
In the coming months I am hoping to add more detailed API to the module. For now you can read the documentation.
Last night I built and pushed the Tor RPM(s) for 0.4.7.8. This is a security update, so please make sure that you upgrade your relays and bridges.
You can know more about the Tor's RPM respository at https://support.torproject.org/rpm/
If you have any queries, feel free to find us over #tor channel on OFTC.
On 4th June, at 19:00 UTC, we are doing an online workshop to help out new relay operators. If you ever wanted to help the Tor Project, or just curious about what is required to become a relay/bridge operator, you should join into the workshop.
The workshop is specially geared towards folks who are new to the land of Internet facing services. You will get to chat with many other operators and people from the Tor Project, and ask any doubts you have.
Register for the event, and share the news at your local groups/lists. Ask your friends to join :)
I have explained before about how to create Onion services, this provides an easy solution to expose any service from inside of your home network to the Internet, in a secured manner (authorized services). But, in all of those examples I used an IP/port combination to expose/talk to the internal service. Instead you can also use unix sockets to do the same.
To do so, use the following style in your torrc file, this example is from my blog.
HiddenServiceDir /var/lib/tor/hidden/
HiddenServiceVersion 3
HiddenServicePort 80 unix:/var/run/tor-hs-kushal.sock
HiddenServicePort 443 unix:/var/run/tor-hs-kushal-https.sock
And the corresponding nginx configuration parts:
server {
listen unix:/var/run/tor-hs-kushal.sock;
server_name kushal76uaid62oup5774umh654scnu5dwzh4u2534qxhcbi4wbab3ad.onion;
access_log /var/log/nginx/kushal_onion-access.log;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen unix:/var/run/tor-hs-kushal-https.sock ssl http2;
server_name kushal76uaid62oup5774umh654scnu5dwzh4u2534qxhcbi4wbab3ad.onion;
access_log /var/log/nginx/kushal_onion-access.log;
...
Now if you start tor and also nginx pointing to the same unix domain,
things will go fine. But, nginx will fail to restart, you will have to remove
the socket files by hand to restart. This happens due to a bug in nginx. You
can edit the restart process and fix this issue.
systemctl restart nginx
Add the following the configuration file in the correct location (between the comments):
### Editing /etc/systemd/system/nginx.service.d/override.conf
### Anything between here and the comment below will become the new contents of the file
### Editing /etc/systemd/system/nginx.service.d/override.conf Anything between here and the comment below will become the new contents of the file
[Service]
ExecStop=
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry TERM/5 --pidfile /run/nginx.pid
### Lines below this comment will be discarded
If you go and read the original ExecStop value, you will find that it is using SIGQUIT, but that does not remove the socket files, only a SIGTERM does.
You can read more in the []upstream bug](https://trac.nginx.org/nginx/ticket/753).
After this nginx should be able to restart without any trouble.
Thank you reader who emailed and asked for this.
The correct spelling is Tor, not TOR or any other variations. Please use the correct spelling of the project.
For a long time, I wanted to have a certificate for the onion address of my blog. Digicert was the only CA who was providing those certificates with an Extended Validation. Those are costly and suitable for an organization to get, but not for me personally, especially due to the cost.
A few days ago, on IRC, I found out that Harica is providing Domain validation for the onion sites for around €30 per year. I jumped in to get one. At the same time, ahf was also getting his certificate. He helped me with the configuration for nginx.
Certificate Signing Request. You can generate one by openssl req -newkey rsa:4096 -keyout kushaldas.in.onion.key -out csr.csr. For the common name, provide the same onion address..well-known/pki-validation/ directory. Make sure that you can access the file over Tor Browser.openssl pkcs7 -inform pem -in kushaldas.in.p7b -print_certs -out kushaldas.in.onion.chain.pem -outform pemThis part will be the same as any other standard nginx configuration. The following is what I use. Please uncomment
the Strict-Transport-Security header line only after you are sure everything is working fine.
server {
listen unix:/var/run/tor-hs-kushal.sock;
server_name kushal76uaid62oup5774umh654scnu5dwzh4u2534qxhcbi4wbab3ad.onion;
access_log /var/log/nginx/kushal_onion-access.log;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen unix:/var/run/tor-hs-kushal-https.sock ssl http2;
server_name kushal76uaid62oup5774umh654scnu5dwzh4u2534qxhcbi4wbab3ad.onion;
access_log /var/log/nginx/kushal_onion-access.log;
ssl_certificate /etc/pki/kushaldas.in.onion.chain.pem;
ssl_certificate_key /etc/pki/kushaldas.in.onion.open.key;
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# Turn on OCSP stapling as recommended at
# https://community.letsencrypt.org/t/integration-guide/13123
# requires nginx version >= 1.3.7
ssl_stapling on;
ssl_stapling_verify on;
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
index index.html;
root /var/www/kushaldas.in;
location / {
try_files $uri $uri/ =404;
}
}
I also have the following configuration in the /etc/tor/torrc file to use the unix socket files.
HiddenServiceDir /var/lib/tor/hs-kushal/
HiddenServiceVersion 3
HiddenServicePort 80 unix:/var/run/tor-hs-kushal-me.sock
HiddenServicePort 443 unix:/var/run/tor-hs-kushal-https.sock
In case you want to know more about why do you need the certificate for your onion address, the Tor Project has a very nice explanation.