💾 Archived View for schu.be › til-onion-socket-permissions captured on 2020-11-07 at 01:23:20. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
A while ago I was trying to get this website reachable through Tor as a hidden service. I already had a service running which would expose a port on the localhost as a service, however I was not super satisfied with this solution: I did not want to take up a port for that and nothing else on the machine is supposed to connect to it really so I wanted to use a Unix domain socket.
Turns out, it is very easy both to configure Nginx to listen on a Unix domain socket and to configure Tor to expose such a socket as a hidden service.
# server directive in nginx.conf
server {
listen unix:/path/to/the/socket
…
# hidden service configuration in torrc
HiddenServicePort 80 unix:/path/to/the/socket
I could not get it to work initially; the browser could not connect to the service. Since I already had a working service which worked fine (and used a port on localhost), I first checked that Tor wasn’t at fault by changing the HiddenServicePort directive to point to the blog on localhost. I was getting a 404 but at least I connected and got a response from Nginx. Tor wasn’t at fault. Thinking maybe Nginx wasn’t properly setting up the socket, I connected to it directly using socat and wrote a simple GET / HTTP/1.1; got an answer.
With both Tor and Nginx confirmed to be doing their job, it started to dawn on me: domain sockets are files, and have permissions. I had forgotten to set the permissions. Some configuration and chown later I had a working hidden service. This website can now be accessed through Tor here: