[Solved] hidden service tutorial - Can't connect to 127.0.0.1

Hi. I’m kind of an old fart trying to learn some new tricks.“xl33t” as in, “used ta be l33t.” Now I’m trying to create a hidden service on a whonix gateway/workstation.
“Onion Services - Whonix” seems to be a good place to start but after following the instructions to the limit of my ability, I still can’t connect to localhost:8080 from the workstation. I don’t really know how to configure a webserver and counted on that tutorial being all inclusive. I am prepared to start with a vanilla whonix install if someone can point me in the right direction. I need a step-by-step tutorial including the setup of the webserver. Lighttpd was suggested, so I’d like to start there if possible. I can be reached at xl33t@mail.i2p.

Steps I’ve taken:
On gateway:

/etc/tor/torrc
added
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 192.168.0.11:8080

restarted tor, indeed, entire gateway.

Grabbed the URL *******.onion, and bak’d the private key.

On Workstation:

Got lighttpd, edited it’s lighttpd.conf to point to a user controlled directory and port 8080.

server.document-root = “/home/user/webdocs/”
server.upload-dirs = ( “/var/cache/lighttpd/uploads” )
server.errorlog = “/var/log/lighttpd/error.log”
server.pid-file = “/var/run/lighttpd.pid”
server.username = “www-data”
server.groupname = “www-data”
server.port = 8080

Left everything else alone. Please help.

I am not sure step by step instructions would help here. The issue isn’t missing instructions, but upstream making changes without expecting the repercussions of their changes.

You’re most likely unable to connect to 127.0.0.1:8080 using Tor Browser, because accessing 127.0.0.1 using Tor Browser is no longer possible due to a change in Tor Browser by The Tor Project. You could set to transparent torification, but then you would be vulnerable fingerprinting issues. See ticket for more. Related Whonix Forum Topic ; Tor Browser Bug Report

I’ve added this to documentation.

Alternatively in meanwhile to access local IPs, you could use:

• Iceweasel
• wget.whonix-real
• curl.whonix-real

(.whonix-real is related to circumvention Stream Isolation wrappers.)

Thanks for the prompt response. I guess there’s little I can do then. I was really hoping to get this working, simply because I could migrate the project from system to system in a set of VMs. I suppose I’ll just set it up on my home box and takes me chances.

I am not sure what you want to do, but you perhaps misunderstood my answer. I haven’t said: this won’t work. Rather: you can not connect to 127.0.0.1 using Tor Browser, unless… But there are workarounds. I believe Whonix is still a good way to host hidden services. Whonix doesn’t add extra limitations here. It could very well be the case, that we’re talking past each other here.

Hello xl33t,

first of all I would recommend:

Do not register that new service as hidden service as long as you are installing/testing it!

Do not use that whonix WS you work with daily for testing a web server install.

If your server/pc has enough capacity for a second WS create another one and change the IP to eg 192.168.0.12.
Also you should consider using a hostname for that new IP as some server installs depend on it and the install of additional website software (eg forum, blog) most certain will fail.

You can access your new webserver with the Tor Browser. Click the Tor Button (that little green onion;) , select Preferences and then below uncheck "Disable Button and Hotkeys to…"
Click again the Tor Button and now there is a new opiton “Toggle Tor status”.

To find out actual status just hover over the Tor Button, some version also shows a red cross
over a grey Tor Button meaning that Tor is disabled. But as you are using whonix this doesn’t
mean that you are doomed

Now you can use 127.0.0.1:8080 to see your local service or eg 192.168.0.12:8080 to see the
service on another WS. Don’t forget to check it on again after testing your server…

Check for manuals how to harden your web server.

Better not fancy but secure!
Check for security risks using JavaScript on your website - it’s a nightmare!
Consider installing website software that doesn’t use JS at all, as most users are aware of the threat and turn off JS anyway. This could make your site useless if it’s using a lot of JS.
So select simple server software that keeps its head low: avoid remote library calls from frameworks, even fonts etc

Do not clone VirtualBox images. This produces unexpected results. It’s an awful handicap when installing, but this is how it is

This is just very little, basic advice, the tip of the iceberg. If you are not sure that you understand everything (and finally much more) then don’t put yourself (or others you want to host on your server) to risk.

[quote=“zweeble, post:5, topic:230”]Hello xl33t,

first of all I would recommend:

Do not register that new service as hidden service as long as you are installing/testing it!

Do not use that whonix WS you work with daily for testing a web server install.

If your server/pc has enough capacity for a second WS create another one and change the IP to eg 192.168.0.12.
Also you should consider using a hostname for that new IP as some server installs depend on it and the install of additional website software (eg forum, blog) most certain will fail.

You can access your new webserver with the Tor Browser. Click the Tor Button (that little green onion;) , select Preferences and then below uncheck “Disable Button and Hotkeys to…”
Click again the Tor Button and now there is a new opiton “Toggle Tor status”.

To find out actual status just hover over the Tor Button, some version also shows a red cross
over a grey Tor Button meaning that Tor is disabled. But as you are using whonix this doesn’t
mean that you are doomed

Now you can use 127.0.0.1:8080 to see your local service or eg 192.168.0.12:8080 to see the
service on another WS. Don’t forget to check it on again after testing your server…

Check for manuals how to harden your web server.

Better not fancy but secure!
Check for security risks using JavaScript on your website - it’s a nightmare!
Consider installing website software that doesn’t use JS at all, as most users are aware of the threat and turn off JS anyway. This could make your site useless if it’s using a lot of JS.
So select simple server software that keeps its head low: avoid remote library calls from frameworks, even fonts etc

Do not clone VirtualBox images. This produces unexpected results. It’s an awful handicap when installing, but this is how it is

This is just very little, basic advice, the tip of the iceberg. If you are not sure that you understand everything (and finally much more) then don’t put yourself (or others you want to host on your server) to risk.[/quote]

@zweeble
Do you think you can add this information to Onion Services - Whonix ? Don’t worry about organization or formatting. I just don’t want your tips to get lost before someone gives that page a needed overhaul.

@JasonJAyalaP

I am afraid that my opinion and my knowledge about whonix is not good enough to become part of a hidden service installation guide. We discussed the freedomnet case (how it was taken down) at university, but everybody who wants to host hidden service(s) should be capable of understanding the risks anyway…
On the other hand whonix imo is not ready yet to be used for hosting and that is a pitty.
Maybe you start by simply making the qcow images smaller (8GB max instead of 100GB) so they become more handy for testing. And at howtoforge.com there are some very nice instructions about KVM installations that might be adapted for whonix hidden services hosting. Last but not least I would like using XEN for hosting whonix - but as mentioned above, whonix seems still far away from this. If a more useable whonix for KVM is ready, I will contribute more and detailled on the hosting subject.

Already done. Don’t get fooled by ls or usual GUI file managers. We’re using sparse files (Sparse file - Wikipedia). When you are using a reasonable modern file system, which you most likely do, it won’t use up a lot space.

du -h --apparent-size Whonix-Gateway-8.2.qcow2 101G Whonix-Gateway-8.2.qcow2 du -h Whonix-Gateway-8.2.qcow2 2.6G Whonix-Gateway-8.2.qcow2

Please check.

It won’t really take up 101 GB. Just 2.6 GB. This is tested. I don’t have 500 GB free space, but I can have 10 copies if Whonix-Gateway-8.2.qcow2.

Donno Patrick, downloaded the new 8.2 qcow and started gzip -d, then I stopped it at 20GB as it continued to grow… what am I missing here?

What file system are you using?

Just don’t stop it. Then check the real size using du as described in my previous post.

Of course, have a backup (plan), so your system won’t crash if disk will be full up.

It is a lv using ext4. The gzip runs until the lv is full…

I’ve linked this report in Whonix Forum for HulaHoop to see. Maybe we should drop “-o preallocation=metadata”… Seems like a predicament. In meanwhile, if you’re interested, you can convert the image again to get rid of “-o preallocation=metadata”. (You’d need 100 GB free space temporarily.)

You mean lvm?

So you have less then 100 GB free space? I’d be interested to see your results using du. Perhaps it only temporarily requires 100 GB for extraction?

if the available space is less than 107 GB the gzip process stops when the disk/volume is full.

copied the files to a bigger volume.

after gzip finished, tar tells me
tar: This does not look like a tar archive

[quote=“zweeble, post:13, topic:230”]if the available space is less than 107 GB the gzip process stops when the disk/volume is full.

copied the files to a bigger volume.

after gzip finished, tar tells me
tar: This does not look like a tar archive[/quote]
Confirmed. Fix coming soon. Looks like we rightly moved the discussion. For anyone else, the KVM specific discussion continues here: