onion service example

onion-service/.env

@@ -0,0 +1,2 @@
+NGINX_UID=101
+NGINX_GID=101

onion-service/README.md

@@ -0,0 +1,51 @@
+# Onion Service Setup
+
+This folder contains a Dockerized setup for hosting an Onion Service using Tor and Nginx. The service is designed to be secure and lightweight, leveraging Docker's isolation and Tor's anonymity.
+
+## Overview
+
+The setup includes:
+- **Nginx**: Serves static files from the `site/` directory.
+- **Tor**: Configured as an Onion Service to route traffic anonymously.
+- **Docker Compose**: Manages the services and their dependencies.
+
+## Prerequisites
+
+1. Install Docker and Docker Compose on your system.
+2. Ensure you have a basic understanding of Docker and Tor.
+
+## Setup Steps
+
+1. Clone this repository or copy the files to your local machine.
+2. Navigate to the `onion-service/` directory.
+3. Update the `.env` file with appropriate values for `NGINX_UID` and `NGINX_GID` if needed.
+4. Run the `setup.sh` script to initialize the environment and set up necessary configurations.
+
+   ```bash
+   ./setup.sh init
+   ```
+
+   The `setup.sh` script performs the following tasks:
+   - Sets up the required directory structure.
+   - Ensures proper permissions for the `data/tor/` directory.
+
+5. Start the services using Docker Compose:
+
+   ```bash
+   docker-compose up -d
+   ```
+
+6. Access your Onion Service using the `.onion` address generated by Tor. The address can be found in the `data/tor/tor/hostname` file after the services are running.
+
+## Directory Structure
+
+- `site/`: Contains the static files served by Nginx.
+- `tor/`: Contains Tor configuration and data.
+- `nginx.conf`: Configuration file for Nginx.
+- `docker-compose.yml`: Docker Compose file to manage the services.
+- `setup.sh`: Script to initialize the environment.
+
+## Notes
+
+- The Nginx service is configured to run with minimal privileges for enhanced security.
+- The Tor service is set to read-only mode to prevent unauthorized modifications.

onion-service/docker-compose.yml

@@ -0,0 +1,41 @@
+services:
+  web:
+    image: nginx:1.27-alpine
+    read_only: true
+    volumes:
+      - ./site:/usr/share/nginx/html:ro
+      - ./nginx.conf:/etc/nginx/nginx.conf:ro   
+    tmpfs:
+      - /var/cache/nginx
+      - /var/cache/nginx/client_temp
+      - /var/cache/nginx/proxy_temp
+      - /var/cache/nginx/fastcgi_temp
+      - /var/cache/nginx/uwsgi_temp
+      - /var/cache/nginx/scgi_temp
+      - /tmp    
+    user: ${NGINX_UID}:${NGINX_GID}
+    security_opt: [ no-new-privileges:true ]
+    networks: [ hidden ]
+    restart: unless-stopped
+
+  tor:
+    build: ./tor
+    volumes:
+      - ./data/tor:/var/lib/tor
+    read_only: true
+    cap_drop: [ ALL ]
+    security_opt: [ no-new-privileges:true ]
+    networks: [ hidden, tor_out ]
+    depends_on: [ web ]
+    healthcheck:
+      test: ["CMD-SHELL", "tor --verify-config -f /etc/tor/torrc"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+    restart: unless-stopped
+
+networks:
+  hidden:
+    internal: true              
+  tor_out:
+    driver: bridge              

onion-service/nginx.conf

@@ -0,0 +1,22 @@
+pid /tmp/nginx.pid;
+
+events {}
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    access_log off;
+    error_log  /dev/stderr warn;
+
+    sendfile        on;
+    keepalive_timeout  65;
+
+    server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+
+        root /usr/share/nginx/html;
+        index index.html;
+    }
+}

onion-service/setup.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+usage() {
+  echo "Usage: $0 {init|show}"
+  exit 1
+}
+
+case "$1" in
+  init)
+    mkdir -p data/tor
+    chown 100:100 data/tor
+    echo "Initialized data/tor with ownership 100:100"
+    ;;
+  show)
+    if [[ -f data/tor/hs_site/hostname ]]; then
+      tor_hostname=$(cat data/tor/hs_site/hostname)
+      echo "Your hidden service is http://$tor_hostname"
+    else
+      echo "Hostname file not found: data/tor/hs_site/hostname"
+      exit 1
+    fi
+    ;;
+  *)
+    usage
+    ;;
+esac

onion-service/site/index.html

@@ -0,0 +1 @@
+Hello, World!

onion-service/tor/Dockerfile

@@ -0,0 +1,20 @@
+FROM debian:12-slim
+
+RUN apt-get update && apt-get install -y --no-install-recommends gnupg wget ca-certificates
+
+RUN wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc \
+     | gpg --dearmor -o /usr/share/keyrings/tor-archive-keyring.gpg
+
+RUN echo \
+  "deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] \
+  https://deb.torproject.org/torproject.org bookworm main" \
+  > /etc/apt/sources.list.d/tor.list
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends tor \
+ && rm -rf /var/lib/apt/lists/*
+
+USER debian-tor                      
+COPY torrc /etc/tor/torrc
+VOLUME ["/var/lib/tor"]
+CMD ["tor", "-f", "/etc/tor/torrc"]

onion-service/tor/torrc

@@ -0,0 +1,9 @@
+Log notice stdout
+
+HiddenServiceDir /var/lib/tor/hs_site
+HiddenServiceVersion 3
+HiddenServicePort 80 web:80
+
+SocksPort 0
+ClientOnly 1
+ExitRelay 0