
How can I host a Tor site with Apache on FreeBSD 13.3-RELEASE-p1? Apache is serving multiple sites from this server, so each one has its own entry in /usr/local/etc/apache24/extra/httpd-vhosts.conf

The clearnet sites in httpd-vhosts.conf are accessible; only the Tor site is inaccessible. Tor Browser says "Onionsite Not Found". Here's what I've done:

doas pkg install tor

added tor_enable="YES" to /etc/rc.conf

added these /usr/local/etc/tor/torrc lines:

HiddenServiceDir /usr/home/tor/hidden_services/mysite
HiddenServicePort 80 127.0.0.1:9000

added this httpd-vhosts.conf entry:

<VirtualHost *:9000>
    DocumentRoot "/usr/home/valerica/web/mysite"
    Options Indexes
</VirtualHost>

I ran doas mkdir /usr/home/tor/hidden_services and then recursively copied the 'mysite' folder containing the hostname and key to that directory. The index.html file is in /usr/home/valerica/web/mysite

I ran doas chown -R _tor:_tor /usr/home/tor and doas chgrp -R www /usr/home/valerica/web/mysite.

I added these rules to /etc/rc.firewall and restarted ipfw:

${fwcmd} add allow tcp from localhost to localhost 9000 in
${fwcmd} add allow tcp from localhost to localhost 9000 out
${fwcmd} add allow udp from localhost to localhost 9000 in
${fwcmd} add allow udp from localhost to localhost 9000 out

I've also restarted the apache24 and tor services. I haven't edited /usr/local/etc/rc.d/tor

doas service tor status shows it running as PID 43767. doas top shows PID 43767 under the username _tor

I hope it's alright that I made ~/tor instead of ~/_tor

Output of doas curl localhost:9000:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

Output of doas tail /var/log/tor/debug.log:

May 28 20:05:04.000 [debug] connection_or_process_cells_from_inbuf: 11: starting, inbuf_datalen 0 (0 pending in tls object).
May 28 20:05:05.000 [debug] circuit_remove_handled_ports: Port 443 is already being handled; removing.
May 28 20:05:06.000 [debug] circuit_remove_handled_ports: Port 443 is already being handled; removing.
May 28 20:05:07.000 [debug] conn_read_callback: socket 10 wants to read.
May 28 20:05:07.000 [debug] connection_buf_read_from_socket: 10: starting, inbuf_datalen 0 (0 pending in tls object). at_most 16448.
May 28 20:05:07.000 [debug] tor_tls_read: read returned r=-1, err=-2
May 28 20:05:07.000 [debug] connection_buf_read_from_socket: After TLS read of 514: 536 read, 0 written
May 28 20:05:07.000 [debug] connection_or_process_cells_from_inbuf: 10: starting, inbuf_datalen 514 (0 pending in tls object).
May 28 20:05:07.000 [debug] connection_or_process_cells_from_inbuf: 10: starting, inbuf_datalen 0 (0 pending in tls object).
May 28 20:05:07.000 [debug] circuit_remove_handled_ports: Port 443 is already being handled; removing.

Output of doas tail /var/log/tor/notices.log:

May 28 19:32:56.000 [notice] Bootstrapped 0% (starting): Starting
May 28 19:32:57.000 [notice] Starting with guard context "default"
May 28 19:32:58.000 [notice] Bootstrapped 5% (conn): Connecting to a relay
May 28 19:32:58.000 [notice] Bootstrapped 10% (conn_done): Connected to a relay
May 28 19:32:58.000 [notice] Bootstrapped 14% (handshake): Handshaking with a relay
May 28 19:32:58.000 [notice] Bootstrapped 15% (handshake_done): Handshake with a relay done
May 28 19:32:58.000 [notice] Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
May 28 19:32:58.000 [notice] Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
May 28 19:32:58.000 [notice] Bootstrapped 95% (circuit_create): Establishing a Tor circuit
May 28 19:33:01.000 [notice] Bootstrapped 100% (done): Done

Output of tail /var/log/httpd-error.log:

[Sat May 25 21:57:22.709897 2024] [authz_core:error] [pid 99770] [client ::1:41065] AH01630: client denied by server configuration: /usr/home/valerica/web/mysite/
[Sun May 26 22:18:19.858239 2024] [authz_core:error] [pid 59339] [client ::1:20232] AH01630: client denied by server configuration: /usr/home/valerica/web/mysite/
[Sun May 26 22:18:48.674420 2024] [authz_core:error] [pid 61386] [client ::1:36639] AH01630: client denied by server configuration: /usr/home/valerica/web/mysite/
[Sun May 26 22:26:27.478983 2024] [authz_core:error] [pid 58324] [client ::1:40857] AH01630: client denied by server configuration: /usr/home/valerica/web/mysite/
[Mon May 27 23:20:13.835594 2024] [mpm_prefork:notice] [pid 52148] AH00169: caught SIGTERM, shutting down
[Tue May 28 19:20:27.161256 2024] [ssl:warn] [pid 45493] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Tue May 28 19:20:27.166759 2024] [mpm_prefork:notice] [pid 45493] AH00163: Apache/2.4.59 (FreeBSD) OpenSSL/1.1.1w-freebsd configured -- resuming normal operations
[Tue May 28 19:20:27.166799 2024] [core:notice] [pid 45493] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
[Tue May 28 20:02:12.493897 2024] [authz_core:error] [pid 45729] [client ::1:33829] AH01630: client denied by server configuration: /usr/home/valerica/web/mysite/
[Tue May 28 20:02:32.525644 2024] [authz_core:error] [pid 45752] [client ::1:13141] AH01630: client denied by server configuration: /usr/home/valerica/web/mysite/

EDIT - I forgot to mention /usr/local/etc/apache24/httpd.conf has these lines:

Listen 80
Listen 9000

httpd.conf also has a <Directory> section for the clearnet sites.

  • Add a <Directory "/usr/home/valerica/web/mysite"> clause (httpd.apache.org/docs/2.4/mod/core.html#directory) after your Options line. Add a </Directory> line right below it. In between them, put Require all granted. Commented May 29, 2024 at 3:01
  • I just made those changes, Jim L. Now httpd-error.log no longer says "client denied by server configuration" when I try to access the site. Tor Browser still says "Onionsite Not Found," though. Commented May 29, 2024 at 12:18
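As an added example that is not part of the question and not code from the Tor or Apache projects: a small POSIX sh script that checks the pieces this setup depends on, written for the FreeBSD box in the question. It assumes the paths the question gives (HiddenServiceDir /usr/home/tor/hidden_services/mysite, DocumentRoot /usr/home/valerica/web/mysite, the _tor user that the FreeBSD package runs Tor as, and backend port 9000) and uses FreeBSD's sockstat(1) for the listener check; the script name and function names are this example's own. Two points the question does not mention: Tor 0.4.6 and later serve v3 onion services only, so the HiddenServiceDir must hold hs_ed25519_secret_key, hs_ed25519_public_key and a 56-character hostname, owned by the Tor user with mode 700, and "Listen 9000" binds every interface, so the onion site's backend is also reachable on the server's public address unless the firewall blocks it, which ties the onion address to the server's IP. Binding 127.0.0.1 only removes that exposure.

```shell
#!/bin/sh
# check_onion_setup.sh (added example, not from the question or from Tor/Apache)
# Sanity checks for an onion service whose backend is a loopback-only Apache
# vhost. Assumed defaults are taken from the question.

HS_DIR_DEFAULT=/usr/home/tor/hidden_services/mysite
TOR_USER_DEFAULT=_tor            # user the FreeBSD tor package runs as
BACKEND_PORT_DEFAULT=9000        # HiddenServicePort 80 127.0.0.1:9000

# check_hs_dir DIR [OWNER]
# Tor 0.4.6+ (so any 13.3 package) serves only v3 onion services. It wants the
# HiddenServiceDir owned by its own user, mode 0700, containing
# hs_ed25519_secret_key, hs_ed25519_public_key and a 56-character hostname.
# Prints each problem found; returns 0 only if everything checks out.
check_hs_dir() {
    dir=$1
    owner=${2:-$TOR_USER_DEFAULT}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    # -prune keeps find on the directory itself; -perm 0700 is an exact match.
    if [ -z "$(find "$dir" -prune -user "$owner" -perm 0700 -print)" ]; then
        echo "$dir must be owned by $owner with mode 0700 (chown $owner:$owner; chmod 700)"
        rc=1
    fi
    for f in hs_ed25519_secret_key hs_ed25519_public_key hostname; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing $dir/$f (v2 files such as private_key are not accepted by Tor 0.4.6+)"
            rc=1
        fi
    done
    if [ -f "$dir/hostname" ] && ! grep -Eq '^[a-z2-7]{56}\.onion$' "$dir/hostname"; then
        echo "hostname is not a v3 onion address: $(cat "$dir/hostname")"
        rc=1
    fi
    return $rc
}

# check_listen [PORT]
# A bare "Listen 9000" shows up in sockstat as *:9000, i.e. bound on all
# interfaces. Expect 127.0.0.1:9000 only. Skips silently without sockstat.
check_listen() {
    port=${1:-$BACKEND_PORT_DEFAULT}
    command -v sockstat >/dev/null 2>&1 || { echo "sockstat not available, skipping"; return 0; }
    if sockstat -l -P tcp -p "$port" | grep -q "[[:space:]]\*:$port[[:space:]]"; then
        echo "port $port is bound on all interfaces; use Listen 127.0.0.1:$port"
        return 1
    fi
    echo "port $port is not bound on the wildcard address"
}

# check_backend [PORT]
# Tor hands the client's request to 127.0.0.1:PORT unchanged (the browser's
# Host header is the .onion name). A 403 here is Apache's AH01630: the
# DocumentRoot has no "Require all granted". Use 127.0.0.1, not localhost,
# so the test does not go to ::1 while Tor uses IPv4.
check_backend() {
    port=${1:-$BACKEND_PORT_DEFAULT}
    code=$(curl -s -o /dev/null -w '%{http_code}' "http://127.0.0.1:$port/")
    echo "backend 127.0.0.1:$port answered HTTP $code"
    [ "$code" = "200" ]
}

# vhost_snippet
# Apache side that fixes the 403 and keeps the backend loopback-only. The
# Listen line replaces the bare "Listen 9000" in httpd.conf.
vhost_snippet() {
    cat <<'EOF'
Listen 127.0.0.1:9000
<VirtualHost 127.0.0.1:9000>
    DocumentRoot "/usr/home/valerica/web/mysite"
    <Directory "/usr/home/valerica/web/mysite">
        Options Indexes
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# Run everything when executed directly (not when sourced).
if [ "${0##*/}" = "check_onion_setup.sh" ]; then
    check_hs_dir "$HS_DIR_DEFAULT"
    check_listen
    check_backend
    vhost_snippet
fi
```

Run it as root (doas sh check_onion_setup.sh) so find can read the _tor-owned directory. Once check_hs_dir and check_backend both pass, restart tor and give the service a minute or two to upload its descriptor before testing from Tor Browser again; "Onionsite Not Found" is also what the browser shows while no descriptor has been published yet. Options Indexes is kept from the question, but note it exposes a listing of every file under the DocumentRoot when index.html is absent.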
