Publicfile is a lightweight, secure, HTTP server for Unix that is suitable for publishing static content on Tor hidden services. This describes how to install publicfile for use with Tor.
Publicfile is good for use with Tor because by default, it does not leak any information about program versions or IP addresses to the client. Its response to HTTP requests is very basic and does not include any extra information that might be useful to somebody trying to discover the identity of the server.
Since publicfile serves static content only, it is not suitable for applications such as message boards or wikis. However, it is definitely usable for any application that only needs to serve static content.
- Install the prerequisites (ucspi-tcp and daemontools) as per the publicfile installation instructions.
- Compile and install the publicfile binaries as per the "Installation" section of the publicfile installation instructions.
- Create the system accounts as described in the first paragraph of the "Configuration" section. Ensure that svscan is running as described.
- Run the publicfile configure program, but do not specify any host names, like this:
/usr/local/publicfile/bin/configure ftp ftplog /public
If you specify any host names, then the publicfile configure program will automatically link those names to the /public/file/0 directory, which normally contains the content for the default site. Create a directory for the Tor hidden service content like this:
Substitute your onion service address as appropriate. This is the directory where you will place your content files.
- The standard /public/httpd/run file contains a line that looks something like this:
exec envuidgid ftp softlimit -o20 -d50000 tcpserver -vDRHl0 -b50 -c100 0 80 /usr/local/publicfile/bin/httpd /public/file
This sets up publicfile to listen on all interface addresses ("0") and the default HTTP port ("80"). Since Tor only connects to a hidden service through localhost, change this as follows:
exec envuidgid ftp softlimit -o20 -d50000 tcpserver -vDRHl0 -b50 -c100 127.0.0.1 8080 /usr/local/publicfile/bin/httpd /public/file
Substitute your hidden service port of choice instead of 8080, if necessary. This must match the HiddenServicePort specified in your torrc.
- Start publicfile using:
ln -s /public/httpd /service
As long as svscan is running, the httpd program should start shortly.
If you already run another instance of publicfile on your exit node server, you can install a new instance of publicfile into a different directory and change the new 'run' file as above. Detailed instructions for configuring publicfile in this way are beyond the scope of this document.
The publicfile package also contains a (read-only) FTP server. I have not tried to set up the FTP server, but presumably it would be modified in much the same way as the HTTP server.