-- Leo's gemini proxy


Hidden Gemini Capsules


I made this post on my web-based blog about my new love of Gemini.


https://www.residualbits.org/posts/2021/02/why-gemini-hidden-capsules/


I won't repeat all the content here since, if you are reading this, you are already using Gemini and I assume already in the "believer" camp.


Why Gemini for Hidden Services?


I do, however, want to repost my thoughts on using Gemini as a Tor hidden service because I think the idea is pretty exciting!


Using the modern web over Tor is scary for several reasons:

Modern web servers have a pretty huge attack surface

Modern web browsers have a massive attack surface (JavaScript)

It is hard to configure modern web browsers to avoid leaking data (WebRTC, JavaScript, etc.)


Gemini, on the other hand...

Has no general mechanism for the client to leak information to the server: a request is a single URL line, with no headers, cookies or form bodies (the only optional extra is a client certificate)

Doesn't have support for client-side executable content

Has a much simpler client, and presumably a smaller attack surface

Has a much simpler server, and presumably a smaller attack surface


Getting it up and running


Setting up a Gemini-based Tor hidden service is fairly easy. These instructions are for Linux (Debian).


Start by ensuring you have a modern version of Tor running on your machine.

Instructions for installing Tor on Debian


Next, get your Gemini server of choice. I selected gmnisrv.

gmnisrv project


I'm going to gloss over most of the Gemini server setup. Obviously, make sure it runs as an unprivileged user and is chrooted / sandboxed as appropriate.


The first step is to configure Tor to expose your Gemini server as a new hidden service. To do this, add the following lines to `/etc/tor/torrc`:


HiddenServiceDir /var/lib/tor/hidden_gemini/
HiddenServicePort 1965 127.0.0.1:1965

And restart Tor.


$ sudo service tor restart

This will create a new set of keys for the hidden service in `/var/lib/tor/hidden_gemini`. Any recent Tor generates a v3 onion service by default, which is why the address below is 56 characters long.


We need to get the hostname for our new hidden service. On Debian the directory is only readable by the `debian-tor` user, so use `sudo`:


$ sudo cat /var/lib/tor/hidden_gemini/hostname
4cesl34prayq4n2tiw3bhnfe6gckjuhjt3nllt5uexmv6mq4lxwcoiyd.onion

Now, we can set up our gmnisrv configuration file like so.


You'll need to make sure the user running `gmnisrv` can read the configured root and can read and write the certificate store (it generates the certificate there on first start).


Make sure to configure `gmnisrv` to listen only on 127.0.0.1 so you don't inadvertently expose your Gemini capsule to the clearnet (if you omit `listen`, the default is to bind all interfaces). Once it's running, confirm with `ss -ltn` that port 1965 shows up only on 127.0.0.1.


listen=127.0.0.1:1965

[:tls]
# Path to store certificates on disk
store=/etc/ssl/gemini

# Optional details for new certificates
organization=Hidden Gemini

[4cesl34prayq4n2tiw3bhnfe6gckjuhjt3nllt5uexmv6mq4lxwcoiyd.onion]
root=/var/gemini

Create some content:

echo "# Hello World" > /var/gemini/index.gmi

Start the server (`torify` isn't actually needed here, since the server only listens on localhost and receives its connections from the local Tor daemon, but it does no harm):

$ torify gmnisrv -C gmnisrv.config
[gmnisrv] generating certificate for 4cesl34prayq4n2tiw3bhnfe6gckjuhjt3nllt5uexmv6mq4lxwcoiyd.onion
[gmnisrv] listening on 127.0.0.1:1965
[gmnisrv] gmnisrv started

And test it out with your client of choice, making sure that it's also going through Tor, or the .onion name won't resolve. On the first visit the client will ask you to trust the server's self-signed certificate (TOFU); compare the fingerprint it shows against the certificate gmnisrv wrote to the configured store before accepting it:

$ torify lagrange 4cesl34prayq4n2tiw3bhnfe6gckjuhjt3nllt5uexmv6mq4lxwcoiyd.onion

You should now be serving content via Gemini as a Tor hidden service.
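To check the result end to end without a GUI client, here is a small Gemini client that talks to Tor's SOCKS port directly. This is an added example for this page, not code from the capsule, gmnisrv or Lagrange. It hands the hostname to Tor unresolved (which is what `torify` does for Lagrange above and what makes a .onion name work), pins the self-signed certificate by SHA-256 fingerprint instead of using the CA system, and parses the response header strictly. It also includes a check that a gmnisrv config's `listen=` binds only loopback addresses, which covers the clearnet-exposure point from the configuration step. Assumptions: Tor's SocksPort is 127.0.0.1:9050 (the Debian default), the onion name and optional fingerprint are passed on the command line, and gmnisrv's `listen=` value is a whitespace-separated list of host:port pairs.

```python
"""Gemini-over-Tor client with TOFU certificate pinning (added example,
not part of the original capsule, gmnisrv or Lagrange)."""
import hashlib
import ipaddress
import socket
import ssl
import struct
import sys
from urllib.parse import urlsplit

TOR_SOCKS = ("127.0.0.1", 9050)  # assumption: Tor's default SocksPort on Debian


def _recv_exact(sock, n):
    """Read exactly n bytes so a truncated SOCKS reply is never misparsed."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed during SOCKS5 exchange")
        buf += chunk
    return buf


def build_socks5_connect(host, port):
    """SOCKS5 CONNECT with ATYP=3 (domain name): the name goes to Tor unresolved,
    so .onion works and nothing ever hits the local DNS resolver."""
    name = host.encode("idna")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)


def socks5_connect(sock, host, port):
    """Negotiate 'no authentication' and ask Tor to connect to host:port."""
    sock.sendall(b"\x05\x01\x00")  # VER=5, one method offered: 0 (no auth)
    ver, method = _recv_exact(sock, 2)
    if ver != 5 or method != 0:
        raise OSError("SOCKS5 method negotiation failed")
    sock.sendall(build_socks5_connect(host, port))
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    if ver != 5 or rep != 0:
        raise OSError(f"SOCKS5 CONNECT failed, REP={rep}")
    # Drain BND.ADDR/BND.PORT so the TLS handshake starts on a clean stream.
    if atyp == 1:
        _recv_exact(sock, 4 + 2)
    elif atyp == 3:
        _recv_exact(sock, _recv_exact(sock, 1)[0] + 2)
    elif atyp == 4:
        _recv_exact(sock, 16 + 2)
    else:
        raise OSError(f"unknown SOCKS5 ATYP {atyp}")


def parse_header(line):
    """Parse a Gemini response header '<STATUS><SP><META>\\r\\n' into (status, meta)."""
    if not line.endswith(b"\r\n"):
        raise ValueError("response header not terminated by CRLF")
    text = line[:-2].decode("utf-8")
    if len(text) < 2 or not all(c in "0123456789" for c in text[:2]):
        raise ValueError(f"malformed status: {text!r}")
    if len(text) > 2 and text[2] != " ":
        raise ValueError(f"missing space after status: {text!r}")
    meta = text[3:]
    if len(meta) > 1024:
        raise ValueError("META longer than 1024 bytes")
    return int(text[:2]), meta


def gemini_fetch(url, expected_fingerprint=None, proxy=TOR_SOCKS, timeout=90):
    """One Gemini request over Tor; returns (status, meta, body, cert_sha256).
    Gemini uses TOFU, so CA verification is off and the certificate is pinned
    by fingerprint instead (pass None on the first visit, then pin the value)."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 1965
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # self-signed onion cert: no chain to verify
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    raw = socket.create_connection(proxy, timeout=timeout)
    socks5_connect(raw, host, port)
    with ctx.wrap_socket(raw, server_hostname=host) as tls:  # SNI is mandatory
        fingerprint = hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
        if expected_fingerprint and fingerprint != expected_fingerprint.lower():
            raise ssl.SSLError(f"certificate changed: got sha256 {fingerprint}")
        tls.sendall(url.encode("utf-8") + b"\r\n")  # the entire request
        header = b""
        while not header.endswith(b"\r\n"):
            byte = tls.recv(1)
            if not byte:
                raise ValueError("connection closed before response header")
            header += byte
            if len(header) > 1029:  # 2 status + 1 space + 1024 meta + CRLF
                raise ValueError("response header oversized")
        status, meta = parse_header(header)
        body = b""
        if 20 <= status < 30:  # only SUCCESS responses carry a body
            while chunk := tls.recv(4096):
                body += chunk
    return status, meta, body, fingerprint


def listen_is_loopback(config_text):
    """True if every address in a gmnisrv 'listen=' line is loopback, i.e. the
    capsule is reachable only through the local Tor daemon."""
    for line in config_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "listen":
            for entry in value.split():  # assumption: whitespace-separated host:port
                addr = entry.rsplit(":", 1)[0].strip("[]")
                try:
                    if not ipaddress.ip_address(addr).is_loopback:
                        return False
                except ValueError:
                    return False
    return True


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: gemtor.py <name>.onion [sha256-fingerprint]")
    pin = sys.argv[2] if len(sys.argv) > 2 else None
    status, meta, body, fp = gemini_fetch(f"gemini://{sys.argv[1]}/", pin)
    print(f"{status} {meta}  (cert sha256 {fp})")
    sys.stdout.write(body.decode("utf-8", "replace"))
```

Run it once without a fingerprint, copy the SHA-256 it prints, and pass that as the second argument from then on; a different value on a later visit means either the server regenerated its certificate or something is sitting between you and the onion service.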



-- Page fetched on Fri May 3 16:04:48 2024