mleku/next.orly.dev
1
0
Fork 1
Code Issues 5 Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
25d087697e3c5263349fa34ec867d8576d5606b2
next.orly.dev/docs/TOR_SETUP.md
woikos 25d087697e
Some checks failed
Go / build-and-release (push) Has been cancelled
Details
Add Tor hidden service support and fallback relay profile fetching (v0.46.0) 
- Add pkg/tor package for Tor hidden service integration
- Add Tor config options: ORLY_TOR_ENABLED, ORLY_TOR_PORT, ORLY_TOR_HS_DIR, ORLY_TOR_ONION_ADDRESS
- Extend NIP-11 relay info with addresses field for .onion URLs
- Add fallback relays (Damus, nos.lol, nostr.band, purplepag.es) for profile lookups
- Refactor profile fetching to try local relay first, then fallback relays
- Add Tor setup documentation and deployment scripts

Files modified:
- app/config/config.go: Add Tor configuration options
- app/handle-relayinfo.go: Add ExtendedRelayInfo with addresses field
- app/main.go: Initialize and manage Tor service lifecycle
- app/server.go: Add torService field to Server struct
- app/web/src/constants.js: Add FALLBACK_RELAYS
- app/web/src/nostr.js: Add fallback relay profile fetching
- pkg/tor/: New package for Tor hidden service management
- docs/TOR_SETUP.md: Documentation for Tor configuration
- deploy/orly-tor.service: Systemd service for Tor integration
- scripts/tor-*.sh: Setup scripts for Tor development and production

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-03 05:50:03 +01:00

295 lines
7.3 KiB
Markdown
Raw Blame History

# Tor Hidden Service Setup for ORLY Relay
This guide explains how to configure ORLY to automatically mirror your relay as a Tor hidden service, making it accessible via a `.onion` address.
## Overview
When Tor support is enabled:
1. ORLY listens on a dedicated internal port for Tor traffic
2. The Tor daemon forwards `.onion` traffic to this port
3. ORLY automatically detects the `.onion` address
4. The `.onion` address is included in NIP-11 relay information
## Quick Start
### Development (Local Testing)
```bash
# One-time setup (requires Tor installed)
./scripts/tor-dev-setup.sh
# Start relay with Tor
ORLY_TOR_ENABLED=true ORLY_TOR_HS_DIR=~/.tor/orly-dev/hidden_service ./orly
```
### Production
```bash
# One-time setup (requires root)
sudo ./scripts/tor-setup.sh
# Start relay with Tor
ORLY_TOR_ENABLED=true ORLY_TOR_HS_DIR=/var/lib/tor/orly-relay ./orly
```
## Configuration
### Environment Variables
| Variable | Default | Description |
|----------|---------|-------------|
| `ORLY_TOR_ENABLED` | `false` | Enable Tor hidden service integration |
| `ORLY_TOR_PORT` | `3336` | Internal port Tor forwards traffic to |
| `ORLY_TOR_HS_DIR` | - | Path to Tor's HiddenServiceDir |
| `ORLY_TOR_ONION_ADDRESS` | - | Manual `.onion` override (optional) |
### Example Configurations
**Basic Tor setup:**
```bash
export ORLY_TOR_ENABLED=true
export ORLY_TOR_HS_DIR=/var/lib/tor/orly-relay
./orly
```
**Custom port:**
```bash
export ORLY_TOR_ENABLED=true
export ORLY_TOR_PORT=3337
export ORLY_TOR_HS_DIR=/var/lib/tor/orly-relay
./orly
```
**Manual address (if auto-detection doesn't work):**
```bash
export ORLY_TOR_ENABLED=true
export ORLY_TOR_ONION_ADDRESS=abc123xyz.onion
./orly
```
## How It Works
### Architecture
```
Internet Users Tor Users
│ │
▼ ▼
┌──────────┐ ┌──────────────┐
│ Regular │ │ Tor │
│ Traffic │ │ Network │
│ (HTTPS) │ │ │
└────┬─────┘ └──────┬───────┘
│ │
│ Port 443 │ .onion:80
▼ ▼
┌─────────────────────────────────────┐
│ ORLY Relay │
│ │
│ ┌─────────────┐ ┌───────────────┐ │
│ │ Main Server │ │ Tor Service │ │
│ │ Port 3334 │ │ Port 3336 │ │
│ └──────┬──────┘ └───────┬───────┘ │
│ │ │ │
│ └────────┬────────┘ │
│ ▼ │
│ ┌────────────┐ │
│ │ Database │ │
│ └────────────┘ │
└─────────────────────────────────────┘
```
### Address Detection
1. The Tor daemon creates a hidden service directory containing:
- `hostname` - The `.onion` address
- `hs_ed25519_secret_key` - Private key (persistent)
- `hs_ed25519_public_key` - Public key
2. ORLY watches the `hostname` file and automatically detects the address
3. The address is included in NIP-11 relay information under the `addresses` field
### NIP-11 Integration
When Tor is enabled and the `.onion` address is detected, the NIP-11 relay info includes:
```json
{
"name": "ORLY",
"description": "...",
"pubkey": "...",
"addresses": [
"wss://relay.example.com",
"ws://abc123xyz.onion/"
]
}
```
## Manual Tor Configuration
If you prefer to configure Tor manually instead of using the setup scripts:
### 1. Install Tor
**Debian/Ubuntu:**
```bash
sudo apt update && sudo apt install tor
```
**Arch Linux:**
```bash
sudo pacman -S tor
```
**macOS:**
```bash
brew install tor
```
### 2. Configure Hidden Service
Add to `/etc/tor/torrc`:
```
HiddenServiceDir /var/lib/tor/orly-relay/
HiddenServicePort 80 127.0.0.1:3336
```
### 3. Set Permissions
```bash
# Create directory
sudo mkdir -p /var/lib/tor/orly-relay
# Set ownership (Debian/Ubuntu)
sudo chown debian-tor:debian-tor /var/lib/tor/orly-relay
sudo chmod 700 /var/lib/tor/orly-relay
# Or on other systems
sudo chown tor:tor /var/lib/tor/orly-relay
```
### 4. Restart Tor
```bash
sudo systemctl restart tor
```
### 5. Verify
```bash
# Check the .onion address
sudo cat /var/lib/tor/orly-relay/hostname
```
## Systemd Service
For production deployments, use the provided systemd unit:
```bash
# Copy unit file
sudo cp deploy/orly-tor.service /etc/systemd/system/
# Edit configuration
sudo nano /etc/systemd/system/orly-tor.service
# Enable and start
sudo systemctl daemon-reload
sudo systemctl enable orly-tor
sudo systemctl start orly-tor
```
### Permissions for Hidden Service Directory
The ORLY process needs read access to the Tor hidden service directory:
**Option 1: Add user to Tor group**
```bash
sudo usermod -aG debian-tor orly
```
**Option 2: Use ACLs**
```bash
sudo setfacl -R -m u:orly:rx /var/lib/tor/orly-relay
```
## Troubleshooting
### .onion address not appearing in NIP-11
1. Check if Tor is running:
```bash
systemctl status tor
```
2. Check if hostname file exists:
```bash
cat /var/lib/tor/orly-relay/hostname
```
3. Check ORLY logs for Tor-related messages
4. Verify environment variables are set:
```bash
echo $ORLY_TOR_ENABLED
echo $ORLY_TOR_HS_DIR
```
### Permission denied errors
Ensure ORLY can read the hidden service directory:
```bash
# Check permissions
ls -la /var/lib/tor/orly-relay/
# Fix with ACL
sudo setfacl -m u:$(whoami):rx /var/lib/tor/orly-relay
```
### Tor connection timeouts
1. Check Tor logs:
```bash
journalctl -u tor -f
```
2. For development, check:
```bash
tail -f ~/.tor/orly-dev/tor.log
```
3. Ensure Tor can reach the network (check firewall rules)
### Different .onion address after restart
This means the hidden service key was lost. The key is stored in:
- Production: `/var/lib/tor/orly-relay/hs_ed25519_secret_key`
- Development: `~/.tor/orly-dev/hidden_service/hs_ed25519_secret_key`
To preserve your `.onion` address, back up the entire hidden service directory.
## Security Considerations
1. **Keep the hidden service key safe** - The `hs_ed25519_secret_key` file is your identity. If compromised, attackers can impersonate your relay.
2. **Restrict file permissions** - Hidden service directories should be `chmod 700`.
3. **Separate Tor traffic** - The dedicated Tor port (3336) keeps Tor traffic isolated from regular traffic.
4. **Regular updates** - Keep Tor updated for security patches.
## Testing with Tor Browser
1. Download Tor Browser from https://www.torproject.org/
2. Navigate to your `.onion` address:
```
ws://your-address.onion/
```
3. Or test with curl over Tor:
```bash
curl --socks5-hostname localhost:9050 -H "Accept: application/nostr+json" http://your-address.onion/
```
Reference in New Issue View Git Blame Copy Permalink