Run Tor hidden service in a set of docker containers

Docker containers seem ideal for running Tor hidden services: they can easily be made very clean, containing little identifying data that could leak, so identifying the service from the outside should be difficult.

To run a hidden web server we need two containers:

  • A simple webserver, not exposing any ports towards the Internet.
  • A Tor hidden service server, which should only be a hidden service. Not a relay!

Prerequisite: assuming one is running SELinux, the files under /srv/docker need to be accessible by Docker containers:

mkdir -p /srv/docker
semanage fcontext -a -t docker_var_lib_t "/srv/docker(/.*)?"
restorecon -R /srv/docker

I created my simple webserver container with the Dockerfile:

FROM fedora:latest
MAINTAINER Jan-Frode Myklebust <janfrode@tanso.net>
EXPOSE 80
# Only httpd plus findutils (needed for the find below); keep the image minimal
RUN yum -y install httpd findutils
RUN yum -y update
RUN yum clean all
# Drop all setuid setgid permissions:
RUN find /usr -perm /6000 -exec chmod -s '{}' \;
# Remove the default "welcome" page so only our own files are served
RUN rm -f /etc/httpd/conf.d/welcome.conf
CMD /usr/sbin/httpd -DFOREGROUND

and then

docker build -t="janfrode/simpleweb" .

Then I put my HTML files in /srv/docker/website/html and start the hiddenweb container with:

/usr/bin/docker run -v /srv/docker/website/html:/var/www/html \
   --rm=true --name hiddenweb janfrode/simpleweb

Now we have a webserver that will serve any files below /srv/docker/website/html, but with no ports exposed externally.

Then we create a Tor container:

FROM fedora:latest
MAINTAINER Jan-Frode Myklebust <janfrode@tanso.net>
EXPOSE 9001
# Unprivileged user for tor; uid/gid 9999 must match the chown on the host side
RUN groupadd -r toranon -g 9999
RUN useradd -r -u 9999 -g toranon -d /var/lib/tor -s /sbin/nologin toranon
RUN yum -y install tor findutils
RUN yum -y update
# Drop all setuid setgid permissions:
RUN find /usr -perm /6000 -exec chmod -s '{}' \;
CMD /usr/bin/tor -f /etc/tor/torrc

Build it:

docker build -t="janfrode/tor" .

Create configuration files for Tor:

mkdir -p /srv/docker/tor-hidden-service/var_lib_tor/HiddenServiceDir
chown -Rh 9999:9999 /srv/docker/tor-hidden-service/var_lib_tor
cat << EOF > /srv/docker/tor-hidden-service/torrc
DataDirectory /var/lib/tor
User toranon
Log notice stdout
HiddenServiceDir /var/lib/tor/HiddenServiceDir
HiddenServicePort 80 hiddenweb:80
EOF

And start it, linking it to the hiddenweb container so that Tor can resolve the "hiddenweb" name used in its config file:

/usr/bin/docker run --rm=true --link hiddenweb:hiddenweb \
  -v /srv/docker/tor-hidden-service/var_lib_tor:/var/lib/tor \
  -v /srv/docker/tor-hidden-service/torrc:/etc/tor/torrc janfrode/tor

And after starting it, you can find its onion address in

/srv/docker/tor-hidden-service/var_lib_tor/HiddenServiceDir/hostname
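A pre-flight script for the setup above, added here as an example and not part of the gist: it checks that a torrc describes a hidden service only (no relay directives, logging to stdout), that the bind-mounted HiddenServiceDir has the 0700 mode Tor insists on, and that the hiddenweb container publishes no ports. The check_* names and the sample torrcs are constructed for this example; directive names are Tor's own.

```shell
#!/bin/sh
# Added example (not from the gist): pre-flight checks for the Tor container.
# Directive names are Tor's own; paths and the "hiddenweb" name follow the layout above.
# Pass only if the torrc is a hidden service and nothing else: HiddenServiceDir
# and HiddenServicePort set, no relay directives, logging to stdout rather than a file.
check_hs_torrc() {
    torrc="$1"
    [ -r "$torrc" ] || { echo "unreadable torrc: $torrc" >&2; return 1; }
    for key in HiddenServiceDir HiddenServicePort; do
        grep -Eq "^[[:space:]]*$key[[:space:]]" "$torrc" ||
            { echo "$torrc: missing $key" >&2; return 1; }
    done
    if grep -Eq '^[[:space:]]*(ORPort|DirPort|BridgeRelay|ExitRelay)[[:space:]]' "$torrc"; then
        echo "$torrc: relay directive present; this must only be a hidden service" >&2
        return 1
    fi
    if grep -Eq '^[[:space:]]*Log[[:space:]]+[a-z]+[[:space:]]+file[[:space:]]' "$torrc"; then
        echo "$torrc: Log writes to a file; use 'Log notice stdout'" >&2
        return 1
    fi
}

# Tor refuses a HiddenServiceDir that group/others can read: require mode 0700
# on the bind-mounted directory (GNU stat first, BSD stat as fallback).
check_hs_dir_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    [ "$mode" = "700" ]
}

# The hiddenweb container must publish nothing: `docker port` prints one line
# per published mapping, so success with empty output is the only pass (needs docker).
check_no_published_ports() {
    ports=$(docker port "$1") || return 1
    [ -z "$ports" ]
}

# Constructed sample inputs (not from the gist), written to a scratch dir:
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat << EOF > "$tmp/good.torrc"
DataDirectory /var/lib/tor
User toranon
Log notice stdout
HiddenServiceDir /var/lib/tor/HiddenServiceDir
HiddenServicePort 80 hiddenweb:80
EOF
# The same config with a relay port added: exactly what must not run here.
{ cat "$tmp/good.torrc"; echo "ORPort 9001"; } > "$tmp/relay.torrc"
for f in "$tmp/good.torrc" "$tmp/relay.torrc"; do
    check_hs_torrc "$f" && echo "OK   $f" || echo "FAIL $f"
done
```

Run it against /srv/docker/tor-hidden-service/torrc and the var_lib_tor/HiddenServiceDir directory before the docker run above; check_no_published_ports hiddenweb only works once that container is up.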