Created
February 23, 2022 13:57
-
-
Save yezz123/7357a1816495e02e2bbb7405364bf7cb to your computer and use it in GitHub Desktop.
Deploy a Website in Tor
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| install_destination=/opt/epicyon-onion | |
| username='epicyon-onion' | |
| if [[ "$1" == 'remove' ]]; then | |
| echo 'Removing Epicyon onion instance' | |
| systemctl stop tor | |
| rm /etc/torrc.d/epicyon | |
| rm -rf /var/lib/tor/hidden_service_epicyon | |
| systemctl restart tor | |
| systemctl stop "${username}.service" | |
| systemctl disable "${username}.service" | |
| rm "/etc/nginx/sites-enabled/${username}" | |
| rm "/etc/nginx/sites-availale/${username}" | |
| rm -rf ${install_destination} | |
| userdel -r ${username} | |
| echo 'Epicyon onion instance removed' | |
| exit 0 | |
| fi | |
| clear | |
| echo 'Installing Epicyon on an onion domain' | |
| NGINX_PORT=9553 | |
| EPICYON_PORT=7157 | |
| echo 'Adding Epicyon dependencies' | |
| if [ -f /usr/bin/pacman ]; then | |
| pacman -Syy | |
| pacman -S --noconfirm tor python-pip python-pysocks python-cryptography \ | |
| imagemagick python-pillow python-requests \ | |
| perl-image-exiftool python-numpy python-dateutil \ | |
| certbot flake8 git qrencode bandit | |
| pip3 install pyLD pyqrcode pypng | |
| else | |
| apt-get update | |
| apt-get -y install imagemagick python3-cryptography \ | |
| python3-dateutil python3-idna python3-requests \ | |
| python3-numpy python3-pil.imagetk python3-pip \ | |
| python3-setuptools python3-socks python3-idna \ | |
| libimage-exiftool-perl python3-flake8 python3-pyld \ | |
| python3-django-timezone-field tor nginx git qrencode \ | |
| python3-pyqrcode python3-png python3-bandit | |
| fi | |
| if [[ "$(uname -a)" == *'Debian'* ]]; then | |
| echo 'Fixing the tor daemon' | |
| { echo '[Unit]'; | |
| echo 'Description=Anonymizing overlay network for TCP (multi-instance-master)'; | |
| echo ''; | |
| echo '[Service]'; | |
| echo 'Type=simple'; | |
| echo 'User=root'; | |
| echo 'Group=debian-tor'; | |
| echo 'ExecStart=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0'; | |
| echo ''; | |
| echo '[Install]'; | |
| echo 'WantedBy=multi-user.target'; } > /lib/systemd/system/tor.service | |
| cp /lib/systemd/system/tor.service /root/tor.service | |
| systemctl daemon-reload | |
| systemctl restart tor | |
| fi | |
| echo 'Cloning the epicyon repo' | |
| if [ ! -d ${install_destination} ]; then | |
| git clone https://gitlab.com/bashrc2/epicyon ${install_destination} | |
| if [ ! -d ${install_destination} ]; then | |
| echo 'Epicyon repo failed to clone' | |
| exit 3 | |
| fi | |
| fi | |
| echo 'Adding an epicyon system user account' | |
| if [ -f /usr/bin/pacman ]; then | |
| groupadd ${username} | |
| useradd --system -g ${username} --home-dir=${install_destination} $username | |
| groupadd www-data | |
| useradd --system -g www-data --home-dir=/srv/http www-data | |
| else | |
| adduser --system --home=${install_destination} --group $username | |
| fi | |
| chown -R ${username}:${username} ${install_destination} | |
| echo 'Creating onion site configuration' | |
| if [ ! -d /etc/torrc.d ]; then | |
| mkdir /etc/torrc.d | |
| fi | |
| if ! grep -q '%include /etc/torrc.d' /etc/tor/torrc; then | |
| echo '%include /etc/torrc.d' >> /etc/tor/torrc | |
| systemctl restart tor | |
| fi | |
| if [ ! -f /etc/torrc.d/epicyon ]; then | |
| { echo 'HiddenServiceDir /var/lib/tor/hidden_service_epicyon/'; | |
| echo 'HiddenServiceVersion 3'; | |
| echo "HiddenServicePort 80 127.0.0.1:${NGINX_PORT}"; } > /etc/torrc.d/epicyon | |
| fi | |
| systemctl restart tor | |
| echo 'Waiting for tor daemon to restart' | |
| sleep 5 | |
| if [ ! -f /var/lib/tor/hidden_service_epicyon/hostname ]; then | |
| echo 'Waiting for tor daemon to restart...' | |
| sleep 5 | |
| fi | |
| if [ ! -f /var/lib/tor/hidden_service_epicyon/hostname ]; then | |
| echo 'Could not create onion address for epicyon' | |
| fi | |
| ONION_DOMAIN=$(cat /var/lib/tor/hidden_service_epicyon/hostname) | |
| if [ ! "$ONION_DOMAIN" ]; then | |
| echo 'No onion domain at /var/lib/tor/hidden_service_epicyon/hostname' | |
| exit 1 | |
| fi | |
| echo "Onion domain created: $ONION_DOMAIN" | |
| echo 'Creating Epicyon daemon' | |
| { echo '[Unit]'; | |
| echo "Description=$username"; | |
| echo 'After=syslog.target'; | |
| echo 'After=network.target'; | |
| echo ''; | |
| echo '[Service]'; | |
| echo 'Type=simple'; | |
| echo "User=$username"; | |
| echo "Group=$username"; | |
| echo "WorkingDirectory=${install_destination}"; | |
| echo "ExecStart=/usr/bin/python3 ${install_destination}/epicyon.py --http --port 80 --proxy ${EPICYON_PORT} --domain ${ONION_DOMAIN} --registration open"; | |
| echo "Environment=USER=$username"; | |
| echo 'Environment=PYTHONUNBUFFERED=true'; | |
| echo 'Restart=always'; | |
| echo 'StandardError=syslog'; | |
| echo ''; | |
| echo '[Install]'; | |
| echo 'WantedBy=multi-user.target'; } > "/etc/systemd/system/${username}.service" | |
| systemctl daemon-reload | |
| systemctl enable "${username}.service" | |
| systemctl restart "${username}.service" | |
| echo 'Creating nginx configuration' | |
| if [ ! -f /etc/nginx/nginx.conf ]; then | |
| { echo 'user www-data;'; | |
| echo 'pid /run/nginx.pid;'; | |
| echo ''; | |
| echo 'events {'; | |
| echo ' worker_connections 50;'; | |
| echo ' # multi_accept on;'; | |
| echo '}'; | |
| echo ''; | |
| echo 'http {'; | |
| echo ' # limit the number of connections per single IP'; | |
| echo " limit_conn_zone \$binary_remote_addr zone=conn_limit_per_ip:10m;"; | |
| echo ''; | |
| echo ' # limit the number of requests for a given session'; | |
| echo " limit_req_zone \$binary_remote_addr zone=req_limit_per_ip:10m rate=140r/s;"; | |
| echo ''; | |
| echo ' # if the request body size is more than the buffer size, then the entire (or partial) request body is written into a temporary file'; | |
| echo ' client_body_buffer_size 128k;'; | |
| echo ''; | |
| echo ' # headerbuffer size for the request header from client, its set for testing purpose'; | |
| echo ' client_header_buffer_size 3m;'; | |
| echo ''; | |
| echo ' # maximum number and size of buffers for large headers to read from client request'; | |
| echo ' large_client_header_buffers 4 256k;'; | |
| echo ''; | |
| echo ' # read timeout for the request body from client, its set for testing purpose'; | |
| echo ' client_body_timeout 3m;'; | |
| echo ''; | |
| echo ' # how long to wait for the client to send a request header, its set for testing purpose'; | |
| echo ' client_header_timeout 3m;'; | |
| echo ''; | |
| echo ' sendfile on;'; | |
| echo ' tcp_nopush on;'; | |
| echo ' tcp_nodelay on;'; | |
| echo ' keepalive_timeout 65;'; | |
| echo ' types_hash_max_size 2048;'; | |
| echo ' server_tokens off;'; | |
| echo ''; | |
| echo ' include /etc/nginx/mime.types;'; | |
| echo ' default_type application/octet-stream;'; | |
| echo ''; | |
| echo ' access_log /dev/null;'; | |
| echo ' error_log /dev/null;'; | |
| echo ''; | |
| echo ' gzip on;'; | |
| echo ' gzip_disable "msie6";'; | |
| echo ''; | |
| echo ' include /etc/nginx/conf.d/*.conf;'; | |
| echo ' include /etc/nginx/sites-enabled/*;'; | |
| echo '}'; } > /etc/nginx/nginx.conf | |
| else | |
| if ! grep -q 'include /etc/nginx/sites-enabled' /etc/nginx/nginx.conf; then | |
| echo 'include /etc/nginx/sites-enabled/*.conf;' >> /etc/nginx/nginx.conf | |
| fi | |
| fi | |
| if [ ! -d /etc/nginx/conf.d ]; then | |
| mkdir /etc/nginx/conf.d | |
| fi | |
| if [ ! -d /etc/nginx/sites-available ]; then | |
| mkdir /etc/nginx/sites-available | |
| fi | |
| if [ ! -d /etc/nginx/sites-enabled ]; then | |
| mkdir /etc/nginx/sites-enabled | |
| fi | |
| if [ -f /usr/bin/pacman ]; then | |
| if [ ! -f /lib/systemd/system/nginx.service ]; then | |
| echo 'Creating nginx daemon' | |
| { echo '[Unit]'; | |
| echo 'Description=A high performance web server and a reverse proxy server'; | |
| echo 'Documentation=man:nginx(8)'; | |
| echo 'After=network.target nss-lookup.target'; | |
| echo '' | |
| echo '[Service]'; | |
| echo 'Type=forking'; | |
| echo 'PIDFile=/run/nginx.pid'; | |
| echo "ExecStartPre=$(which nginx) -t -q -g 'daemon on; master_process on;'"; | |
| echo "ExecStart=$(which nginx) -g 'daemon on; master_process on;'"; | |
| echo "ExecReload=$(which nginx) -g 'daemon on; master_process on;' -s reload"; | |
| echo 'ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid'; | |
| echo 'TimeoutStopSec=5'; | |
| echo 'KillMode=mixed'; | |
| echo ''; | |
| echo '[Install]'; | |
| echo 'WantedBy=multi-user.target'; } > /etc/systemd/system/nginx.service | |
| systemctl enable nginx | |
| fi | |
| fi | |
| web_dir=/var/www | |
| if [ -f /usr/bin/pacman ]; then | |
| web_dir=/srv/http | |
| fi | |
| if [ ! -d /var/www/${ONION_DOMAIN}/htdocs ]; then | |
| mkdir -p /var/www/${ONION_DOMAIN}/htdocs | |
| fi | |
| echo "Creating nginx virtual host for ${ONION_DOMAIN}" | |
| { echo 'server {'; | |
| echo " listen 127.0.0.1:${NGINX_PORT} default_server;"; | |
| echo " server_name ${ONION_DOMAIN};" | |
| echo ''; | |
| echo ' gzip on;'; | |
| echo ' gzip_min_length 1000;'; | |
| echo ' gzip_proxied expired no-cache no-store private auth;'; | |
| echo ' gzip_types gzip_types text/plain text/css text/vcard text/vcard+xml application/json application/ld+json application/javascript text/xml application/xml application/rdf+xml application/xml+rss text/javascript;'; | |
| echo ''; | |
| echo ' add_header X-Content-Type-Options nosniff;'; | |
| echo ' add_header X-XSS-Protection "1; mode=block";'; | |
| echo ' add_header X-Download-Options noopen;'; | |
| echo ' add_header X-Permitted-Cross-Domain-Policies none;'; | |
| echo ''; | |
| echo ' access_log /dev/null;'; | |
| echo ' error_log /dev/null;'; | |
| echo ''; | |
| echo ' index index.html;'; | |
| echo ''; | |
| echo ' location /newsmirror {'; | |
| echo " root /var/www/${ONION_DOMAIN}/htdocs;"; | |
| echo ' try_files $uri =404;'; | |
| echo ' }'; | |
| echo ''; | |
| echo ' location / {'; | |
| echo ' proxy_http_version 1.1;'; | |
| echo ' client_max_body_size 31M;'; | |
| echo " proxy_set_header Host \$http_host;"; | |
| echo " proxy_set_header X-Real-IP \$remote_addr;"; | |
| echo " proxy_set_header X-Forward-For \$proxy_add_x_forwarded_for;"; | |
| echo ' proxy_set_header X-Forward-Proto http;'; | |
| echo ' proxy_set_header X-Nginx-Proxy true;'; | |
| echo ' proxy_temp_file_write_size 64k;'; | |
| echo ' proxy_connect_timeout 10080s;'; | |
| echo ' proxy_send_timeout 10080;'; | |
| echo ' proxy_read_timeout 10080;'; | |
| echo ' proxy_buffer_size 64k;'; | |
| echo ' proxy_buffers 16 32k;'; | |
| echo ' proxy_busy_buffers_size 64k;'; | |
| echo ' proxy_redirect off;'; | |
| echo ' proxy_request_buffering off;'; | |
| echo ' proxy_buffering off;'; | |
| echo " proxy_pass http://localhost:${EPICYON_PORT};"; | |
| echo ' tcp_nodelay on;'; | |
| echo ' }'; | |
| echo '}'; } > "/etc/nginx/sites-available/${username}" | |
| chown -R www-data:www-data /var/www/${ONION_DOMAIN}/htdocs | |
| if [ ! -d ${install_destination}/accounts/newsmirror ]; then | |
| mkdir -p ${install_destination}/accounts/newsmirror | |
| chown -R ${username}:${username} ${install_destination} | |
| fi | |
| ln -s ${install_destination}/newsmirror /var/www/${ONION_DOMAIN}/htdocs/newsmirror | |
| ln -s "/etc/nginx/sites-available/${username}" /etc/nginx/sites-enabled/ | |
| systemctl restart nginx | |
| echo -n "$ONION_DOMAIN" | qrencode -t ANSI | |
| echo "Your onion Epicyon instance is now installed." | |
| echo "In a Tor browser navigate to $ONION_DOMAIN and register an account" | |
| exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment