From 7c8d9a09da0689909c81d944a30731d864b21ceb Mon Sep 17 00:00:00 2001
From: Jeff Clement
Date: Thu, 1 May 2025 11:51:09 -0600
Subject: [PATCH] onion service example
---
onion-service/.env | 2 ++
onion-service/README.md | 51 ++++++++++++++++++++++++++++++++
onion-service/docker-compose.yml | 41 +++++++++++++++++++++++++
onion-service/nginx.conf | 22 ++++++++++++++
onion-service/setup.sh | 26 ++++++++++++++++
onion-service/site/index.html | 1 +
onion-service/tor/Dockerfile | 20 +++++++++++++
onion-service/tor/torrc | 9 ++++++
8 files changed, 172 insertions(+)
create mode 100644 onion-service/.env
create mode 100644 onion-service/README.md
create mode 100644 onion-service/docker-compose.yml
create mode 100644 onion-service/nginx.conf
create mode 100755 onion-service/setup.sh
create mode 100644 onion-service/site/index.html
create mode 100644 onion-service/tor/Dockerfile
create mode 100644 onion-service/tor/torrc
diff --git a/onion-service/.env b/onion-service/.env
new file mode 100644
index 0000000..ab91af3
--- /dev/null
+++ b/onion-service/.env
@@ -0,0 +1,2 @@
+NGINX_UID=101
+NGINX_GID=101
\ No newline at end of file
diff --git a/onion-service/README.md b/onion-service/README.md
new file mode 100644
index 0000000..e510dd7
--- /dev/null
+++ b/onion-service/README.md
@@ -0,0 +1,51 @@
+# Onion Service Setup
+
+This folder contains a Dockerized setup for hosting an Onion Service using Tor and Nginx. The service is designed to be secure and lightweight, leveraging Docker's isolation and Tor's anonymity.
+
+## Overview
+
+The setup includes:
+- **Nginx**: Serves static files from the `site/` directory.
+- **Tor**: Configured as an Onion Service to route traffic anonymously.
+- **Docker Compose**: Manages the services and their dependencies.
+
+## Prerequisites
+
+1. Install Docker and Docker Compose on your system.
+2. Ensure you have a basic understanding of Docker and Tor.
+
+## Setup Steps
+
+1. Clone this repository or copy the files to your local machine.
+2. Navigate to the `onion-service/` directory.
+3. Update the `.env` file with appropriate values for `NGINX_UID` and `NGINX_GID` if needed.
+4. Run the `setup.sh` script to initialize the environment and set up necessary configurations.
+
+ ```bash
+ ./setup.sh init
+ ```
+
+ The `setup.sh` script performs the following tasks:
+ - Sets up the required directory structure.
+ - Ensures proper permissions for the `data/tor/` directory.
+
+5. Start the services using Docker Compose:
+
+ ```bash
+ docker-compose up -d
+ ```
+
+6. Access your Onion Service using the `.onion` address generated by Tor. The address can be found in the `data/tor/tor/hostname` file after the services are running.
+
+## Directory Structure
+
+- `site/`: Contains the static files served by Nginx.
+- `tor/`: Contains Tor configuration and data.
+- `nginx.conf`: Configuration file for Nginx.
+- `docker-compose.yml`: Docker Compose file to manage the services.
+- `setup.sh`: Script to initialize the environment.
+
+## Notes
+
+- The Nginx service is configured to run with minimal privileges for enhanced security.
+- The Tor service is set to read-only mode to prevent unauthorized modifications.
\ No newline at end of file
diff --git a/onion-service/docker-compose.yml b/onion-service/docker-compose.yml
new file mode 100644
index 0000000..1d86d19
--- /dev/null
+++ b/onion-service/docker-compose.yml
@@ -0,0 +1,41 @@
+services:
+ web:
+ image: nginx:1.27-alpine
+ read_only: true
+ volumes:
+ - ./site:/usr/share/nginx/html:ro
+ - ./nginx.conf:/etc/nginx/nginx.conf:ro
+ tmpfs:
+ - /var/cache/nginx
+ - /var/cache/nginx/client_temp
+ - /var/cache/nginx/proxy_temp
+ - /var/cache/nginx/fastcgi_temp
+ - /var/cache/nginx/uwsgi_temp
+ - /var/cache/nginx/scgi_temp
+ - /tmp
+ user: ${NGINX_UID}:${NGINX_GID}
+ security_opt: [ no-new-privileges:true ]
+ networks: [ hidden ]
+ restart: unless-stopped
+
+ tor:
+ build: ./tor
+ volumes:
+ - ./data/tor:/var/lib/tor
+ read_only: true
+ cap_drop: [ ALL ]
+ security_opt: [ no-new-privileges:true ]
+ networks: [ hidden, tor_out ]
+ depends_on: [ web ]
+ healthcheck:
+ test: ["CMD-SHELL", "tor --verify-config -f /etc/tor/torrc"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+ restart: unless-stopped
+
+networks:
+ hidden:
+ internal: true
+ tor_out:
+ driver: bridge
diff --git a/onion-service/nginx.conf b/onion-service/nginx.conf
new file mode 100644
index 0000000..f688b3f
--- /dev/null
+++ b/onion-service/nginx.conf
@@ -0,0 +1,22 @@
+pid /tmp/nginx.pid;
+
+events {}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ access_log off;
+ error_log /dev/stderr warn;
+
+ sendfile on;
+ keepalive_timeout 65;
+
+ server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ root /usr/share/nginx/html;
+ index index.html;
+ }
+}
diff --git a/onion-service/setup.sh b/onion-service/setup.sh
new file mode 100755
index 0000000..bb0a804
--- /dev/null
+++ b/onion-service/setup.sh
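Review bot: The `web` service is hardened with `read_only`, tmpfs mounts, a non-root `user:` and `no-new-privileges`, but unlike `tor` a few lines below it is not given `cap_drop: [ ALL ]`; nothing in this nginx setup needs a capability (pid file and caches are on tmpfs, and port 80 is bindable by unprivileged users inside containers on Docker Engine ≥ 20.10), so add `cap_drop: [ ALL ]` next to `security_opt` for `web`. For `tor`, the bind mount `./data/tor:/var/lib/tor` is the only writable path in an otherwise read-only, capability-less container, so the host directory must be owned by the UID Tor runs as; compose does not set `user:` here, which means that UID is whatever `USER debian-tor` resolves to in the image, and it has to agree with what `setup.sh` chowns — worth a comment on the volume line. The healthcheck `tor --verify-config -f /etc/tor/torrc` only parses the config file, so it never reports a tor process that is running but has lost its circuits or failed to publish the descriptor; treat it as a config check rather than a liveness probe.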
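Review bot: `server_tokens off;` is missing from the `http` block, so nginx advertises its exact version in the `Server` header and on error pages — gratuitous fingerprinting for an onion service — and the fix is one line next to `access_log off;`: `server_tokens off;`. The `listen [::]:80 default_server;` line may also be a startup problem: as far as I recall the official nginx image's entrypoint removes the `[::]:80` listen from its stock `default.conf` when the container has no IPv6 (`/proc/net/if_inet6` absent), because `bind()` on `[::]` then fails and nginx exits; with this file mounted over `nginx.conf` and no `include /etc/nginx/conf.d/*.conf`, that safeguard does not apply, so confirm the `hidden` network provides IPv6 or drop the line. `access_log off;` is the right call for this use, since an access log would otherwise retain per-request data on the host.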
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+usage() {
+ echo "Usage: $0 {init|show}"
+ exit 1
+}
+
+case "$1" in
+ init)
+ mkdir -p data/tor
+ chown 100:100 data/tor
+ echo "Initialized data/tor with ownership 100:100"
+ ;;
+ show)
+ if [[ -f data/tor/hs_site/hostname ]]; then
+ tor_hostname=$(cat data/tor/hs_site/hostname)
+ echo "Your hidden service is http://$tor_hostname"
+ else
+ echo "Hostname file not found: data/tor/hs_site/hostname"
+ exit 1
+ fi
+ ;;
+ *)
+ usage
+ ;;
+esac
diff --git a/onion-service/site/index.html b/onion-service/site/index.html
new file mode 100644
index 0000000..b45ef6f
--- /dev/null
+++ b/onion-service/site/index.html
@@ -0,0 +1 @@
+Hello, World!
\ No newline at end of file
diff --git a/onion-service/tor/Dockerfile b/onion-service/tor/Dockerfile
new file mode 100644
index 0000000..8caf5bc
--- /dev/null
+++ b/onion-service/tor/Dockerfile
@@ -0,0 +1,20 @@
+FROM debian:12-slim
+
+RUN apt-get update && apt-get install -y --no-install-recommends gnupg wget ca-certificates
+
+RUN wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc \
+ | gpg --dearmor -o /usr/share/keyrings/tor-archive-keyring.gpg
+
+RUN echo \
+ "deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] \
+ https://deb.torproject.org/torproject.org bookworm main" \
+ > /etc/apt/sources.list.d/tor.list
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends tor \
+ && rm -rf /var/lib/apt/lists/*
+
+USER debian-tor
+COPY torrc /etc/tor/torrc
+VOLUME ["/var/lib/tor"]
+CMD ["tor", "-f", "/etc/tor/torrc"]
diff --git a/onion-service/tor/torrc b/onion-service/tor/torrc
new file mode 100644
index 0000000..ed94b25
--- /dev/null
+++ b/onion-service/tor/torrc
@@ -0,0 +1,9 @@
+Log notice stdout
+
+HiddenServiceDir /var/lib/tor/hs_site
+HiddenServiceVersion 3
+HiddenServicePort 80 web:80
+
+SocksPort 0
+ClientOnly 1
+ExitRelay 0
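Review bot: Neither `mkdir -p data/tor` nor `chown 100:100 data/tor` is checked and the script has no `set -e`, so when run without root the `chown` fails but `Initialized data/tor with ownership 100:100` is still printed; add `set -euo pipefail` after the shebang. The literal `100:100` is a guess at the UID/GID that `apt-get install tor` assigns to `debian-tor` in the image — that assignment is not pinned anywhere in the Dockerfile, and Tor's directory permission check rejects a `DataDirectory`/`HiddenServiceDir` not owned by the user it runs as — so either pin the user in the Dockerfile (create `debian-tor` with an explicit `--uid`/`--gid` before installing tor) or derive the values here, e.g. from `docker compose run --rm tor id -u` (constructed example). The `show` subcommand is not mentioned in the README, which instead points readers at `data/tor/tor/hostname`; the `data/tor/hs_site/hostname` path used here is the one that matches `HiddenServiceDir` in `torrc`.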
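Review bot: The `wget … | gpg --dearmor` pipeline runs under `/bin/sh -c` without `pipefail`, so a failed download yields an empty keyring and the build only breaks later at `apt-get update` with a misleading signature error; put `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before that `RUN` (bash is present in `debian:12-slim`). The key is also trusted solely on the strength of the TLS download — nothing compares the imported key to the fingerprint that appears in the URL — so a check in the same layer such as `gpg --no-default-keyring --keyring /usr/share/keyrings/tor-archive-keyring.gpg --with-colons --fingerprint | grep -q A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89` would pin it. `gnupg` and `wget` remain in the final image and the first `apt-get` layer never removes `/var/lib/apt/lists`; moving the keyring fetch into a build stage (or purging both in the same layer) keeps them out of the runtime image, and `tor` itself is unpinned (hadolint DL3008). Finally, `USER debian-tor` relies on the UID that `adduser` picked during `apt-get install tor`; since the compose bind mount and `setup.sh` depend on that number, creating the user with an explicit `--uid`/`--gid` before the install would make it deterministic.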
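Review bot: The README tells users to read the address from `data/tor/tor/hostname`, but with `HiddenServiceDir /var/lib/tor/hs_site` and the compose bind mount of `./data/tor` the file is `data/tor/hs_site/hostname` — the path `setup.sh show` uses — so the README should be corrected to match this line. `HiddenServicePort 80 web:80` depends on compose DNS resolving `web` when Tor starts; as far as I can tell Tor resolves the target when it loads the config, so if the `web` container is recreated with a different address Tor keeps forwarding to the stale one until it is restarted, which deserves a comment above the line. Consider adding `HiddenServiceEnableIntroDoSDefense 1` if the installed tor supports it, since introduction-point rate limiting is a cheap defense for a publicly reachable onion service.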