
I want to set up my own site in the Tor network with a .onion domain on Ubuntu 22.04.2 LTS.

I installed tor and nginx and configured nginx and the /etc/tor/torrc file to work with a unix socket.

Lines added to /etc/tor/torrc:

HiddenServiceDir /var/lib/tor/mm-onion/
HiddenServicePort 80 unix:/var/run/tor/mm-onion.sock

and nginx listens on it:

listen unix:/var/run/tor/mm-onion.sock;

But if I start the tor service with service tor start, it starts successfully but tor does not work with the unix socket. The unix socket file is created. I tested the unix socket with socat, and nginx gives a successful response. I think the problem is that tor does not write to the unix socket in this case (tor started by systemd).

Then I stopped tor with service tor stop, inspected the /lib/systemd/system/tor@default.service file and saw the line ExecStart=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0.

OK, I ran the command /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 directly in a terminal, and tor works with the unix socket.

tor@default.service default config:

[Unit]
Description=Anonymizing overlay network for TCP
After=network.target nss-lookup.target
PartOf=tor.service
ReloadPropagatedFrom=tor.service

[Service]
Type=notify
NotifyAccess=all
PIDFile=/run/tor/tor.pid
PermissionsStartOnly=yes
ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /run/tor
ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config
ExecStart=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
ExecReload=/bin/kill -HUP ${MAINPID}
KillSignal=SIGINT
TimeoutStartSec=300
TimeoutStopSec=60
Restart=on-failure
LimitNOFILE=65536

# Hardening
AppArmorProfile=-system_tor
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=-/proc
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/log/tor
ReadWriteDirectories=-/run
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH

My question is: why doesn't tor work correctly with the unix socket if I start it with service tor start, while it works fine if I start it directly in a terminal with /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0?

I don't understand what is happening...

Thanks.

Tried running tor via systemd: it does not work with the unix socket.

Tried running tor directly in a terminal: it works with the unix socket.

  • https://superuser.com/ might be a better forum for these sorts of questions. That said, it might help to clarify what is meant by "the unix socket doesn't work". Is the file created? Wrong permissions? Do you get an error from nginx? – Sam Mason Aug 10 '23 at 10:16
  • The unix socket is successfully created in any case. Tested with socat: nginx gives a successful response. I think the problem is that Tor does not write to the unix socket if it is started by systemd. But if I start tor directly from the terminal, tor successfully writes to the unix socket. Thanks. – Nikita Iakubenko Aug 10 '23 at 10:19
  • Updated the description. – Nikita Iakubenko Aug 10 '23 at 10:32
  • I've just had a bit more of a read about what the `HiddenServicePort` config setting does. I didn't realise the file is owned by nginx and only accessed by the tor service. It might be worth putting it outside of `/var/run/tor`. I'd also think about removing the `-` from before the `ReadWriteDirectories` that references it. Having a `-` at the beginning says that it's not important and starting the service will succeed if it doesn't exist. – Sam Mason Aug 10 '23 at 10:36
  • OK, I will try it. Thanks. – Nikita Iakubenko Aug 10 '23 at 12:00
  • Actually there is https://tor.stackexchange.com/, probably the best place to ask. – U. Windl Aug 10 '23 at 22:08
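An added check, not part of the question or the answer, that works through the two points raised in the comments above against the poster's own configuration: whether the socket path named in torrc sits in a read-write part of the sandbox defined by the unit's ReadOnly/ReadWriteDirectories entries (a leading `-` only makes the path optional, it does not loosen it), and whether a process with a given uid/gid may connect to a socket with given ownership and mode bits. The SAMPLE_* strings are built from the page's own lines; the check assumes /var/run is the usual symlink to /run, and the uid/gid numbers used in the tests are made up.

```python
import posixpath
import re
import stat

# Constructed sample: the torrc lines from the question and the unit's sandbox directives.
SAMPLE_TORRC = "HiddenServiceDir /var/lib/tor/mm-onion/\nHiddenServicePort 80 unix:/var/run/tor/mm-onion.sock\n"
SAMPLE_UNIT = ("[Service]\nReadOnlyDirectories=/\nReadWriteDirectories=-/proc\n"
               "ReadWriteDirectories=-/var/lib/tor\nReadWriteDirectories=-/var/log/tor\nReadWriteDirectories=-/run\n")

def parse_unit(text):
    """Flatten a unit file into key -> list of space-separated values (repeated keys accumulate)."""
    out = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;[":
            continue
        key, _, value = line.partition("=")
        out.setdefault(key.strip(), []).extend(value.split())
    return out

def unix_socket_targets(torrc):
    """Socket paths named by 'HiddenServicePort <port> unix:<path>' lines."""
    return re.findall(r"^\s*HiddenServicePort\s+\d+\s+unix:(\S+)", torrc, re.M)

def _canon(path):
    # /var/run is a symlink to /run on systemd distributions; compare on the real tree.
    path = posixpath.normpath(path)
    return "/run" + path[8:] if path == "/var/run" or path.startswith("/var/run/") else path

def socket_writable(unit, sock):
    """(writable, why): the most specific Read*Directories/Paths entry covering the socket wins."""
    sock, best = _canon(sock), None
    for keys, rw in ((("ReadOnlyDirectories", "ReadOnlyPaths"), False),
                     (("ReadWriteDirectories", "ReadWritePaths"), True)):
        for raw in [v for key in keys for v in unit.get(key, [])]:
            path = _canon(raw.lstrip("-"))  # a leading '-' only makes the path optional
            if sock == path or sock.startswith(path.rstrip("/") + "/"):
                depth = len([p for p in path.split("/") if p])
                if best is None or depth > best[0]:
                    best = (depth, rw, path, raw.startswith("-"))
    if best is None:
        return True, "no Read* restriction covers the socket"
    _, rw, path, optional = best
    return rw, f"{'read-write' if rw else 'read-only'} via {path}" + (" (optional, '-' prefix)" if optional else "")

def can_connect(sock_mode, sock_uid, sock_gid, uid, gids):
    """connect() needs write permission on the socket inode; the unit's CapabilityBoundingSet
    leaves out CAP_DAC_OVERRIDE, so the plain mode bits decide."""
    if uid == sock_uid:
        return bool(sock_mode & stat.S_IWUSR)
    return bool(sock_mode & (stat.S_IWGRP if sock_gid in gids else stat.S_IWOTH))
```

For the poster's unit the socket lands in the read-write /run subtree, so the sandbox paths are not what blocks it; the remaining thing to compare is the socket's owner and mode against the user tor runs as.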

1 Answer

I don't know what is happening, but on Ubuntu 20.04 it also doesn't work. I tried running the same configuration on CentOS 9, and it was OK from the first time.

Solution: use CentOS instead of Ubuntu.
