Hidden Gemini Capsules

I made this post on my web-based blog about my new love of Gemini.

=> https://www.residualbits.org/posts/2021/02/why-gemini-hidden-capsules/

I won't repeat all the content here since, if you are reading this, you are already using Gemini and I assume already in the "believer" camp.

Why Gemini for Hidden Services?

I do, however, want to repost my thoughts on using Gemini as a Tor hidden service because I think the idea is pretty exciting!

Using the modern web over Tor is scary for several reasons:

Gemini, on the other hand...

Getting it up and running

Setting up a Gemini-based Tor hidden service is fairly easy. These instructions are for Linux (Debian).

Start by ensuring you have a modern version of Tor running on your machine.

=> Instructions for installing Tor on Debian

Next, get your Gemini server of choice. I selected gmnisrv.

=> gmnisrv project

I'm going to gloss over most of the Gemini server setup. Obviously, make sure it runs as an unprivileged user and is chrooted or otherwise sandboxed as appropriate.

The first step is to configure Tor to expose your Gemini server as a new hidden service. To do this, add the following lines to /etc/tor/torrc. The HiddenServicePort line maps the virtual port clients connect to (1965, the Gemini default) onto the local address the Gemini server will listen on:

```
HiddenServiceDir /var/lib/tor/hidden_gemini/
HiddenServicePort 1965 127.0.0.1:1965
```

And restart Tor.

```
$ sudo service tor restart
```

This will create a new set of keys for the hidden service in /var/lib/tor/hidden_gemini. Tor creates that directory itself, owned by its own user with mode 0700, and refuses to start if the permissions are more permissive. Modern Tor (0.3.5 and later) creates version 3 services by default; the 56-character hostname below is what a v3 address looks like. The hs_ed25519_secret_key file in that directory is the identity of the service: anyone who obtains it can impersonate your capsule, so protect it and back it up accordingly.

We need to get the hostname for our new hidden service. The directory is readable only by the Tor user, so you will normally need sudo for this:

```
$ sudo cat /var/lib/tor/hidden_gemini/hostname
4cesl34prayq4n2tiw3bhnfe6gckjuhjt3nllt5uexmv6mq4lxwcoiyd.onion
```

Now we can set up our gmnisrv configuration file like so.

gmnisrv needs write access to the configured certificate store (it generates the certificate on first start) and read access to the root directory; run it as a dedicated unprivileged user that owns nothing else.

Make sure to configure gmnisrv to listen only on 127.0.0.1 so you don't inadvertently expose your Gemini capsule to the clearnet. Tor connects to that loopback address locally, so nothing needs to be reachable from outside the host. The section header must be the exact .onion hostname, because gmnisrv uses it to select the certificate and root for requests to that host.

```
listen=127.0.0.1:1965

[:tls]
# Path to store certificates on disk
store=/etc/ssl/gemini

# Optional details for new certificates
organization=Hidden Gemini

[4cesl34prayq4n2tiw3bhnfe6gckjuhjt3nllt5uexmv6mq4lxwcoiyd.onion]
root=/var/gemini
```

Create some content (the root directory must already exist and be readable by the gmnisrv user):

```
echo "# Hello World" > /var/gemini/index.gmi
```

Start the server:

```
$ torify gmnisrv -C gmnisrv.config
[gmnisrv] generating certificate for 4cesl34prayq4n2tiw3bhnfe6gckjuhjt3nllt5uexmv6mq4lxwcoiyd.onion
[gmnisrv] listening on 127.0.0.1:1965
[gmnisrv] gmnisrv started
```

The torify wrapper is harmless here but not actually required for the server: gmnisrv only accepts connections, and Tor itself delivers incoming rendezvous traffic to 127.0.0.1:1965. It is the client side that must go through Tor. The generated certificate is self-signed, as is usual for Gemini, and clients trust it on first use, so keep the certificate store stable: if you regenerate it, clients that pinned the old certificate will warn that the fingerprint changed.

And test it out with your client of choice, making sure that it's also going through Tor, or the .onion won't resolve (a client that is not torified would also try to look the hostname up through ordinary DNS, leaking it to your resolver):

```
$ torify lagrange 4cesl34prayq4n2tiw3bhnfe6gckjuhjt3nllt5uexmv6mq4lxwcoiyd.onion
```

You should now be serving content via Gemini as a Tor hidden service. Before you publish the address, confirm that nothing but Tor can reach the capsule: the only listening socket on port 1965 should be bound to 127.0.0.1, and your firewall or router must not forward that port.
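The two places where a mistake in this procedure silently hurts you are the hostname (a mistyped .onion in the gmnisrv section header means the wrong certificate is served) and the listen address (anything other than loopback exposes the capsule to the clearnet). The following is an added example, not code from the post or from gmnisrv, that checks both before you write the config: it validates a v3 .onion hostname by recomputing the SHA3-256 checksum Tor embeds in it (per the rend-spec-v3 address format), refuses any listen= value that is not a loopback IP, and renders or audits the gmnisrv config from the post. The config text fed to the audit function and the ed25519 key used in the self-check are constructed here for illustration.

```python
"""Sanity checks for a Gemini-over-Tor setup: validate the v3 .onion hostname
and refuse a gmnisrv config whose listen= address is not loopback."""
import base64
import hashlib
import ipaddress
import re

ONION_V3_VERSION = b"\x03"
ONION_V3_RE = re.compile(r"([a-z2-7]{56})\.onion")


def onion_v3_checksum(pubkey: bytes, version: bytes = ONION_V3_VERSION) -> bytes:
    # rend-spec-v3: CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the 56-character v3 hostname Tor derives from an ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(hostname: str) -> bytes:
    """Return the embedded public key, or raise ValueError if the hostname is
    malformed, mistyped or tampered with (wrong length, version or checksum)."""
    m = ONION_V3_RE.fullmatch(hostname.strip().lower())
    if not m:
        raise ValueError("not a 56-character base32 v3 .onion hostname")
    raw = base64.b32decode(m.group(1).upper())  # exactly 35 bytes, no padding needed
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        raise ValueError(f"unsupported onion version byte {version.hex()}")
    if checksum != onion_v3_checksum(pubkey, version):
        raise ValueError("checksum mismatch: hostname was mistyped or altered")
    return pubkey


def is_loopback_listen(listen: str) -> bool:
    """True only if a gmnisrv listen= value binds a loopback IP (127.0.0.0/8 or ::1).
    Names such as 'localhost' are rejected on purpose: they can resolve to anything."""
    host, sep, port = listen.strip().rpartition(":")
    if not sep:
        return False
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
        return addr.is_loopback and 0 < int(port) < 65536
    except ValueError:
        return False


def audit_gmnisrv_config(text: str) -> list:
    """Return one finding per listen= line that would expose the capsule beyond loopback."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        key, _, value = line.partition("=")
        if key.strip() == "listen" and not is_loopback_listen(value):
            findings.append(f"line {lineno}: listen={value.strip()} is not a loopback address")
    return findings


def render_gmnisrv_config(hostname: str, listen: str = "127.0.0.1:1965",
                          store: str = "/etc/ssl/gemini", root: str = "/var/gemini") -> str:
    """Render the gmnisrv config from the post, refusing bad input up front."""
    parse_onion_v3(hostname)  # raises on a malformed or mistyped address
    if not is_loopback_listen(listen):
        raise ValueError(f"refusing listen={listen}: capsule would be reachable from the clearnet")
    return (f"listen={listen}\n\n[:tls]\nstore={store}\norganization=Hidden Gemini\n\n"
            f"[{hostname}]\nroot={root}\n")


if __name__ == "__main__":
    # The hostname from the post; Tor derived it from the key in /var/lib/tor/hidden_gemini.
    host = "4cesl34prayq4n2tiw3bhnfe6gckjuhjt3nllt5uexmv6mq4lxwcoiyd.onion"
    print(render_gmnisrv_config(host))
    # A constructed config with the weak setting a practitioner should catch.
    print(audit_gmnisrv_config("listen=0.0.0.0:1965\n[:tls]\nstore=/etc/ssl/gemini\n"))
```

The checksum check catches a transcription error in the 56-character address before it ends up in a section header or a link you publish; the loopback check deliberately rejects hostnames like localhost because only a literal loopback IP guarantees the socket is unreachable from other hosts.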

=> Back to Home
