diff --git a/opsec/mysqlmastermaster/7.png b/opsec/mysqlmastermaster/7.png new file mode 100644 index 0000000..981e70d Binary files /dev/null and b/opsec/mysqlmastermaster/7.png differ diff --git a/opsec/mysqlmastermaster/8.png b/opsec/mysqlmastermaster/8.png new file mode 100644 index 0000000..5bd419a Binary files /dev/null and b/opsec/mysqlmastermaster/8.png differ diff --git a/opsec/mysqlmastermaster/index.html b/opsec/mysqlmastermaster/index.html index 91f790f..0674129 100644 --- a/opsec/mysqlmastermaster/index.html +++ b/opsec/mysqlmastermaster/index.html @@ -127,6 +127,14 @@ We will synchronize databases automatically between our two hidden services. If The MariaDB server running on each machine will connect to an onion address using socat as a background service configured with systemd, since it cannot utilize the socks5 proxy provided by the Tor client directly.

+

For each server, we will later generate two onion v3 vanity URLs:
+

+ +

Note that you can use only numbers 2-7 in the onion URL, as they are not part of the base32 alphabet used for encoding onion URLs. In this guide, I use words like one and two instead.

+

Below is a table showing what ports and services will be active on each server:
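Review bot: the moved note "you can use only numbers 2-7 in the onion URL, as they are not part of the base32 alphabet" has the reasoning inverted: 2-7 are exactly the digits that are in the base32 alphabet, and 0, 1, 8 and 9 are the ones that are not. Since this hunk relocates the paragraph anyway, suggest rewording it to "Only the digits 2-7 can appear in an onion address, because 0, 1, 8 and 9 are not part of the base32 alphabet used for encoding them." The two new binary images (7.png, 8.png) are added without any visible caption here, so it is worth confirming they have descriptive alt text in the surrounding markup.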

@@ -174,7 +182,6 @@ Below is a table showing what ports and services will be active on each server: -

* The Internal Hidden Service is used exclusively for inter-server communication, and its URL should remain private.

@@ -204,20 +211,12 @@ If using Proxmox, after setting up the vegetable store once, you can clone it to

-

You also need socat installed on both servers:

+

Ensure you have socat installed on both servers:

oxeo@serverN:~$ sudo apt update
 oxeo@serverN:~$ sudo apt install socat
 
-

For each server, generate two onion vanity URLs:
-

- -

Note that you can use only numbers 2-7 in the onion URL, as they are not part of the base32 alphabet used for encoding onion URLs. In this guide, I use words like one and two instead.

- @@ -227,10 +226,10 @@ oxeo@serverN:~$ sudo apt install socat
-

Part 1

+

Part 1

-

The steps listed below should be executed on your first server. The second part of this guide will include commands for the second server with slight modifications, but they are mostly the same.
-This part contains explanations of how things work; the second part is primarily a list of commands.

+

The steps listed below should be executed on your first server. The second part of this guide will include commands for the second server with slight modifications, but they are mostly the same.
+This part contains explanations of how things work; the second part is primarily a list of commands.

@@ -314,14 +313,7 @@ Add a replication user on the first server using MySQL shell.

oxeo@server1:~$ sudo mysql
-Welcome to the MariaDB monitor.  Commands end with ; or \g.
-Your MariaDB connection id is 56
-Server version: 10.11.6-MariaDB-0+deb12u1-log Debian 12
-
-Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
-
-Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
-
+[...]
 MariaDB [(none)]> CREATE USER 'repl'@'%' IDENTIFIED BY 'YOUR_GENERATED_SLAVE_PASSWORD';
 Query OK, 0 rows affected (0.001 sec)
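Review bot: `CREATE USER 'repl'@'%'` in the retained context is broader than this setup needs. Every replication connection reaches mariadbd from the local tor daemon or the local socat forwarder at 127.0.0.1 (the later `ss -tulp` listing shows mariadbd bound to 127.0.0.1:mysql), so `'repl'@'127.0.0.1'` (or `'repl'@'localhost'`) would grant the same access with a smaller surface. The same applies to the identical `CREATE USER` in the server2 hunk below.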
 
@@ -353,7 +345,8 @@ Replace YOUR_GENERATED_SLAVE_PASSWORD with the generated password and not
           

Tor Configuration

-To make our MySQL instance accessible to the second server, create another hidden service in /etc/tor/torrc. You should have two hidden services: one public and one internal. +To make our MySQL instance accessible to the second server, create another hidden service in /etc/tor/torrc. You should have two hidden services: one public and one internal.
+On the internal hidden service, we will also expose SSH which will come handy later.

HiddenServiceDir /var/lib/tor/veggie_service/
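Review bot: "which will come handy later" should read "which will come in handy later". On substance, the new sentence exposes sshd on the internal onion with nothing but the secrecy of that address gating it; since the page already says the internal URL "should remain private" and closes by describing Client Authorization, this is the place to point readers at that option (and at key-only SSH authentication) rather than leaving it to the last paragraph.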
@@ -361,6 +354,7 @@ HiddenServicePort 80 127.0.0.1:4440
 
 HiddenServiceDir /var/lib/tor/internal_service/
 HiddenServicePort 33061 127.0.0.1:3306
+HiddenServicePort 22 127.0.0.1:22
 

@@ -385,54 +379,13 @@ drwx--S--- 2 debian-tor debian-tor 2 Feb 16 17:23 authorized_clients

-Of course automatically generated hidden service hostname will be random so in order to use your generated vanity URLs, you need to put the appropriate keys in this directory.
-In my case I have generated vanity addresses on my computer so I tarred them (onions.tar) and transfered using scp: +Of course automatically generated hidden service hostname will be random so you need to generate vanity URLs for srvone[...].onion and intone[...].onion and copy appropriate keys to /var/lib/tor/veggie_service and /var/lib/tor/internal_service respectively.

-
oxeo@main-pc:~$ scp onions.tar oxeo@server1:/tmp
-onions.tar                                    100%   20KB   4.9MB/s   00:00
-
- -

-Now extract the archive on a remote server and copy keys to the hidden service directory. -

- -
oxeo@server1:~$ cd /tmp
-oxeo@server1:/tmp$ tar xvf onions.tar 
-srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/
-srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hs_ed25519_public_key
-srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hs_ed25519_secret_key
-srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hostname
-srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/
-srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hostname
-srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hs_ed25519_public_key
-srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hs_ed25519_secret_key
-inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/
-inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hs_ed25519_secret_key
-inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hs_ed25519_public_key
-inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hostname
-intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/
-intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hs_ed25519_secret_key
-intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hostname
-intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hs_ed25519_public_key
-
-oxeo@server1:/tmp$ sudo cp -v srvone*/* /var/lib/tor/veggie_service 
-'srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hostname' -> '/var/lib/tor/veggie_service/hostname'
-'srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hs_ed25519_public_key' -> '/var/lib/tor/veggie_service/hs_ed25519_public_key'
-'srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hs_ed25519_secret_key' -> '/var/lib/tor/veggie_service/hs_ed25519_secret_key'
-
-oxeo@server1:/tmp$ sudo cp -v intone*/* /var/lib/tor/internal_service
-'intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hostname' -> '/var/lib/tor/internal_service/hostname'
-'intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hs_ed25519_public_key' -> '/var/lib/tor/internal_service/hs_ed25519_public_key'
-'intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hs_ed25519_secret_key' -> '/var/lib/tor/internal_service/hs_ed25519_secret_key'
-
-oxeo@server1:/tmp$ sudo rm -rv onions.tar *.onion
-
-

If you haven't already, update the server_name also in /etc/nginx/sites-available/veggie-shop.conf:

server {
-    listen 4440;
+    listen 127.0.0.1:4440;
     server_name srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion;
     root /srv/shop/;
     index index.php;
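Review bot: the replacement sentence "Of course automatically generated hidden service hostname will be random so you need to generate vanity URLs ... and copy appropriate keys" drops two things the removed walkthrough carried. First, which files: each service directory needs the three files the old `cp -v` output listed, `hostname`, `hs_ed25519_public_key` and `hs_ed25519_secret_key`. Second, ownership: the `ls` context above shows the directory as `debian-tor debian-tor` and the secret key as `-rw------- ... debian-tor`, while a plain `sudo cp` leaves root-owned files, so the text should add a `chown -R debian-tor:debian-tor` of both directories (and 0700 on the directory, 0600 on the secret key) before `systemctl restart tor`. Minor grammar: "Of course, the automatically generated hidden service hostname will be random, so ...". The `listen 127.0.0.1:4440;` change for nginx is a good tightening.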
@@ -514,10 +467,10 @@ oxeo@server1:~$ sudo systemctl enable --now socat-tor
 	  
-

Part 2

+

Part 2

-Now log into your 2nd server and run the commands listed below. They're mostly the same with very slight differences. When you need to change something I will add a note but generally, if you get stuck on something, you should look it up in the first part. +Now log into your 2nd server and run the commands listed below. They're mostly the same with very slight differences. When you need to change something I will add a note but generally, if you get stuck on something, you should look it up in the first part.

@@ -570,13 +523,7 @@ Now you can open MySQL shell on the first server and add replication user.

oxeo@server2:~$ sudo mysql
-Welcome to the MariaDB monitor.  Commands end with ; or \g.
-Your MariaDB connection id is 56
-Server version: 10.11.6-MariaDB-0+deb12u1-log Debian 12
-
-Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
-
-Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+[...]
 
 MariaDB [(none)]> CREATE USER 'repl'@'%' IDENTIFIED BY 'YOUR_GENERATED_SLAVE_PASSWORD';
 Query OK, 0 rows affected (0.001 sec)
@@ -609,6 +556,7 @@ HiddenServicePort 80 127.0.0.1:4440
 
 HiddenServiceDir /var/lib/tor/internal_service/
 HiddenServicePort 33062 127.0.0.1:3306
+HiddenServicePort 22 127.0.0.1:22
 
oxeo@server2:~$ sudo systemctl restart tor
@@ -624,47 +572,14 @@ drwx--S--- 2 debian-tor debian-tor  2 Feb 16 17:23 authorized_clients
 -rw------- 1 debian-tor debian-tor 96 Feb 16 17:23 hs_ed25519_secret_key
 
-
oxeo@main-pc:~$ scp onions.tar oxeo@server2:/tmp
-oxeo@server2's password: 
-onions.tar                                    100%   20KB   4.9MB/s   00:00
-
- -
oxeo@server2:~$ cd /tmp
-oxeo@server2:/tmp$ tar xvf onions.tar 
-srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/
-srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hs_ed25519_public_key
-srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hs_ed25519_secret_key
-srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hostname
-srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/
-srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hostname
-srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hs_ed25519_public_key
-srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hs_ed25519_secret_key
-inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/
-inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hs_ed25519_secret_key
-inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hs_ed25519_public_key
-inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hostname
-intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/
-intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hs_ed25519_secret_key
-intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hostname
-intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hs_ed25519_public_key
-
-oxeo@server2:/tmp$ sudo cp -v srvtwo*/* /var/lib/tor/veggie_service 
-'srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hostname' -> '/var/lib/tor/veggie_service/hostname'
-'srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hs_ed25519_public_key' -> '/var/lib/tor/veggie_service/hs_ed25519_public_key'
-'srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hs_ed25519_secret_key' -> '/var/lib/tor/veggie_service/hs_ed25519_secret_key'
-
-oxeo@server2:/tmp$ sudo cp -v inttwo*/* /var/lib/tor/internal_service
-'inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hostname' -> '/var/lib/tor/internal_service/hostname'
-'inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hs_ed25519_public_key' -> '/var/lib/tor/internal_service/hs_ed25519_public_key'
-'inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hs_ed25519_secret_key' -> '/var/lib/tor/internal_service/hs_ed25519_secret_key'
-
-oxeo@server2:/tmp$ sudo rm -rv onions.tar *.onion
-
+

+Generate vanity URLs for srvtwo[...].onion and inttwo[...].onion and copy appropriate keys to /var/lib/tor/veggie_service and /var/lib/tor/internal_service respectively. +

/etc/nginx/sites-available/veggie-shop.conf:

server {
-    listen 4440;
+    listen 127.0.0.1:4440;
     server_name srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion;
     root /srv/shop/;
     index index.php;
@@ -745,16 +660,19 @@ oxeo@server1:~$ md5sum master1dump.sql
 40c3cfa7e778cc276b6a3b670a3823a6
 
-

Transfer the dump to your second server using scp. First, transfer from the first server to your computer:

+

Transfer the dump to your second server using SCP (a wrapper over SSH enabling file transfer). To not reveal your public IP address, we will connect via the internal hidden service with torsocks. Remember to replace int[...].onion URLs with ones you generated. +

-
oxeo@main-pc:~$ scp oxeo@server1:/home/oxeo/master1dump.sql /tmp/master1dump.sql
-master1dump.sql                                       100% 2428KB 245.1MB/s   00:00
+

First, transfer from the first server to your computer:

+ +
oxeo@main-pc:~$ torsocks scp oxeo@intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion:/home/oxeo/master1dump.sql /tmp/master1dump.sql
+master1dump.sql                                       100% 2428KB 1.1MB/s   00:03
 

Then, transfer from your computer to the second server:

-
oxeo@main-pc:~$ scp /tmp/master1dump.sql oxeo@server2:/home/oxeo/master1dump.sql
-master1dump.sql                                       100% 2428KB 176.3MB/s   00:00 
+
oxeo@main-pc:~$ torsocks scp /tmp/master1dump.sql oxeo@inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion:/home/oxeo/master1dump.sql
+master1dump.sql                                       100% 2428KB 1.4MB/s   00:02 
 

Verify the MD5 checksum on the second server and restore the database if it matches:
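Review bot: "To not reveal your public IP address" reads better as "To avoid revealing your public IP address". Also check the rendered result of this hunk: the old sentence "Transfer the dump to your second server using scp. First, transfer from the first server to your computer:" is shown here as unchanged context alongside the new torsocks sentence and a second "First, transfer from the first server to your computer:" line, so if that context line really survives, the two introductions will appear back to back. The new `torsocks scp` commands depend on the `HiddenServicePort 22` lines added in the torrc hunks, so a one-line pointer back to that step would help readers who skipped it.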

@@ -769,13 +687,7 @@ Finally, enable the Master role on each database. Here are the commands f

oxeo@server1:~$ sudo mysql
-Welcome to the MariaDB monitor.  Commands end with ; or \g.
-Your MariaDB connection id is 56
-Server version: 10.11.6-MariaDB-0+deb12u1-log Debian 12
-
-Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
-
-Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+[...]
 
 MariaDB [(none)]> STOP SLAVE;
 Query OK, 0 rows affected (0.001 sec)
@@ -800,13 +712,7 @@ And on the second server:
 

oxeo@server2:~$ sudo mysql
-Welcome to the MariaDB monitor.  Commands end with ; or \g.
-Your MariaDB connection id is 53
-Server version: 10.11.6-MariaDB-0+deb12u1-log Debian 12
-
-Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
-
-Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
+[...]
 
 MariaDB [(none)]> STOP SLAVE;
 Query OK, 0 rows affected (0.001 sec)
@@ -853,6 +759,91 @@ Now a breakdown of what they do:
 	  
+
+
+
+
+

Testing Replication

+ +

+Now to test if both databases are synchronized, we will modify the data directly on one database and verify that both services are updated after reloading the site. +

+ +
oxeo@server1:~$ sudo mysql
+[...]
+
+MariaDB [(none)]> USE veggie_shop;
+Database changed
+MariaDB [veggie_shop]> INSERT INTO products (name, price, quantity) VALUES ('Pear', 0.65, 10);
+Query OK, 1 row affected (0.005 sec)
+
+ + + +
+
+ +

+Changes to the second database should be replicated as well so we'll test it by updating the number of pears. +

+ +
oxeo@server2:~$ sudo mysql
+[...]
+
+MariaDB [(none)]> USE veggie_shop;
+Database changed
+MariaDB [veggie_shop]> UPDATE products SET quantity = 42 WHERE name = 'Pear';
+Query OK, 1 row affected (0.002 sec)
+Rows matched: 1  Changed: 1  Warnings: 0
+
+ + + +
+
+
+
+ +
+
+
+
+

Troubleshooting

+ +

+If for whatever reason your replication works only in one way or doesn't work at all, you can check the system journal: +

+ +
oxeo@server1:~$ sudo journalctl -xe
+[...]
+Feb 16 20:27:55 server1 /etc/mysql/debian-start[392]: Upgrading MySQL tables if necessary.
+Feb 16 20:27:55 server1 /etc/mysql/debian-start[433]: Triggering myisam-recover for all MyISAM tables and aria-recover for all Aria tables
+Feb 16 20:27:58 server1 mariadbd[311]: 2025-02-16 20:27:58 5 [Note] Slave I/O thread: connected to master 'repl@127.0.0.1:33062',replication started in log 'mysql-bin.000003' at position 682
+Feb 16 20:29:57 server1 mariadbd[311]: 2025-02-16 20:29:57 38 [Note] Start binlog_dump to slave_server(2), pos(mysql-bin.000003, 1022), using_gtid(0), gtid('')
+[...]
+
+ +

+You can also check the listening ports using the ss command. Here's how it should look like: +

+ +
oxeo@server1:~$ sudo ss -tulp
+Netid  State   Recv-Q  Send-Q     Local Address:Port       Peer Address:Port  Process                                                                           
+udp    UNCONN  0       0                0.0.0.0:bootpc          0.0.0.0:*      users:(("dhclient",pid=93,fd=7))                                                 
+tcp    LISTEN  0       5              127.0.0.1:33062           0.0.0.0:*      users:(("socat",pid=156,fd=5))                                                   
+tcp    LISTEN  0       100            127.0.0.1:smtp            0.0.0.0:*      users:(("master",pid=445,fd=13))                                                 
+tcp    LISTEN  0       80             127.0.0.1:mysql           0.0.0.0:*      users:(("mariadbd",pid=311,fd=25))                                               
+tcp    LISTEN  0       511            127.0.0.1:4440            0.0.0.0:*      users:(("nginx",pid=9278,fd=5),("nginx",pid=9277,fd=5),("nginx",pid=9276,fd=5))  
+tcp    LISTEN  0       4096           127.0.0.1:9050            0.0.0.0:*      users:(("tor",pid=187,fd=6))                                                     
+tcp    LISTEN  0       100                [::1]:smtp               [::]:*      users:(("master",pid=445,fd=14))                                                 
+tcp    LISTEN  0       4096                   *:ssh                   *:*      users:(("sshd",pid=175,fd=3),("systemd",pid=1,fd=39))
+
+ +
+
+
+
+
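Review bot: the added `ss -tulp` listing is presented as how things "should look", but it shows sshd as the only service bound to every interface (`*:ssh`), while nginx, mariadbd, socat and tor are all on 127.0.0.1. That undercuts the point of reaching SSH through the internal onion, so the troubleshooting text should either call this out or recommend `ListenAddress 127.0.0.1` in sshd_config once onion access is confirmed working, matching the `listen 127.0.0.1:4440;` change made for nginx. For replication problems, `SHOW SLAVE STATUS\G` (Slave_IO_Running, Slave_SQL_Running, Last_IO_Error) is a more direct check than the journal and worth adding beside `journalctl -xe`. Grammar: "works only in one way" should be "works only one way", and "Here's how it should look like" should be "Here's how it should look".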
@@ -864,11 +855,11 @@ Now a breakdown of what they do:

-If you need even more security for inter-server communication, you cloud configure Client Authorization. Nowadays it shouldn't be necessary unless your internal onion URL has been compromised. It provides additional protection by requiring a private key approved by your Hidden Service to access internal services. +If you need even more security for inter-server communication, you could configure Client Authorization. Nowadays it shouldn't be necessary unless your internal onion URL has been compromised. It provides additional protection by requiring a private key approved by your Hidden Service to access internal services.

-In the next tutorial of this series, we will configure Onionbalance - a service that automatically distributes requests over multiple backends on the same onion URL. +In the next tutorial of this series, we will configure Onionbalance - a service that automatically distributes requests over multiple backends on the same onion URL.

diff --git a/opsec/torwebsite/index.html b/opsec/torwebsite/index.html index 18644d9..d1a4b84 100644 --- a/opsec/torwebsite/index.html +++ b/opsec/torwebsite/index.html @@ -103,7 +103,7 @@ curl ifconfig.me 194.127.199.92

-

Once done, install tor and compute your Tor domain:

+

Once done, install tor and compute your Tor domain:


 [ nowhere.moe ] [ /dev/pts/11 ] [/srv]
 → apt install gcc libc6-dev libsodium-dev make autoconf tor nginx -y