Updated tutorial for Ubuntu 16.04 LTS compatibility

2017-11-05 10:33:29 +01:00
parent e8dd2b864e
commit 99ccbdccfe
9 changed files with 122 additions and 73 deletions
--- a/README.md
+++ b/README.md
@ -6,24 +6,60 @@ This is a setup for a TOR based shared hosting server. It is provided as is and
 Installation Instructions:
 --------------------------
-The configuration was designed for a standard Debian unstable installation. It's recommended you install Debian unstable on your sever, but with a little tweaking you may also get this working on other distributions and/or versions.
+The configuration was tested with a standard Debian sid and Ubuntu 16.04 LTS installation. It's recommended you install Debian sid on your server, but with a little tweaking you may also get this working on other distributions and/or versions.
 Uninstall packages that may interfere with this setup:
 ```
 apt-get purge apache2* resolvconf
 ```
 If you are on Ubuntu, add the following PPA:
 ```
 add-apt-repository ppa:ondrej/php && apt-get update
 ```
 To get the latest tor version, you should follow these instructions to add the official tor repository for your distribution: (https://www.torproject.org/docs/debian)
 The following command will install all required packages:
 ```
 apt-get --no-install-recommends install apt-transport-tor aspell curl dovecot-imapd dovecot-pop3d git haveged hunspell iptables locales-all logrotate mariadb-server nginx-light postfix postfix-mysql php7.0-bcmath php7.0-bz2 php7.0-curl php7.0-dba php7.0-enchant php7.0-fpm php7.0-gd php7.0-gmp php7.0-imap php7.0-json php7.0-mbstring php7.0-mcrypt php7.0-mysql php7.0-opcache php7.0-pspell php7.0-readline php7.0-recode php7.0-soap php7.0-sqlite3 php7.0-tidy php7.0-xml php7.0-xmlrpc php7.0-xsl php7.0-zip php7.1-bcmath php7.1-bz2 php7.1-cli php7.1-curl php7.1-dba php7.1-enchant php7.1-fpm php7.1-gd php7.1-gmp php7.1-imap php7.1-intl php7.1-json php7.1-mbstring php7.1-mcrypt php7.1-mysql php7.1-opcache php7.1-pspell php7.1-pspell php7.1-readline php7.1-recode php7.1-soap php7.1-sqlite3 php7.1-tidy php7.1-xml php7.1-xmlrpc php7.1-xsl php7.1-zip phpmyadmin php-imagick sasl2-bin ssh subversion tor vsftpd && apt-get --no-install-recommends install adminer
 ```
 Note that both, debian and the torproject have hidden service package archives, so you may want to edit /etc/apt/sources.list to load from those instead:
 ```
 deb tor+http://vwakviie2ienjx6t.onion/debian sid main
 deb tor+http://sdscoq7snqtznauu.onion/torproject.org sid main
 ```
 For optimum spell checking capabilities you can optionally install the following packages:
 ```
-apt-get install aspell-am aspell-ar aspell-ar-large aspell-bg aspell-bn aspell-br aspell-ca aspell-cs aspell-cy aspell-da aspell-de aspell-de-1901 aspell-de-alt aspell-doc aspell-el aspell-en aspell-eo aspell-eo-cx7 aspell-es aspell-et aspell-eu aspell-eu-es aspell-fa aspell-fo aspell-fr aspell-ga aspell-gl-minimos aspell-gu aspell-he aspell-hi aspell-hr aspell-hsb aspell-hu aspell-hy aspell-is aspell-it aspell-kk aspell-kn aspell-ku aspell-lt aspell-lv aspell-ml aspell-mr aspell-nl aspell-no aspell-or aspell-pa aspell-pl aspell-pt aspell-pt-br aspell-pt-pt aspell-ro aspell-ru aspell-sk aspell-sl aspell-sv aspell-ta aspell-te aspell-tl aspell-uk aspell-uz hunspell-af hunspell-an hunspell-ar hunspell-be hunspell-bg hunspell-bn hunspell-bo hunspell-br hunspell-bs hunspell-ca hunspell-cs hunspell-da hunspell-de-at hunspell-de-ch hunspell-de-de hunspell-el hunspell-en-au hunspell-en-ca hunspell-en-gb hunspell-en-med hunspell-en-us hunspell-en-za hunspell-es hunspell-eu hunspell-eu-es hunspell-fr hunspell-fr-comprehensive hunspell-gd hunspell-gl hunspell-gu hunspell-he hunspell-hi hunspell-hr hunspell-hu hunspell-is hunspell-it hunspell-kk hunspell-kmr hunspell-ko hunspell-lo hunspell-lt hunspell-ml hunspell-ne hunspell-nl hunspell-no hunspell-oc hunspell-pl hunspell-pt-br hunspell-pt-pt hunspell-ro hunspell-ru hunspell-se hunspell-si hunspell-sk hunspell-sl hunspell-sr hunspell-sv hunspell-sw hunspell-te hunspell-th hunspell-tools hunspell-uk hunspell-uz hunspell-vi
+apt-get install aspell-am aspell-ar aspell-ar-large aspell-bg aspell-bn aspell-br aspell-ca aspell-cs aspell-cy aspell-da aspell-de aspell-de-alt aspell-doc aspell-el aspell-en aspell-eo aspell-eo-cx7 aspell-es aspell-et aspell-eu aspell-eu-es aspell-fa aspell-fo aspell-fr aspell-ga aspell-gl-minimos aspell-gu aspell-he aspell-hi aspell-hr aspell-hsb aspell-hu aspell-hy aspell-is aspell-it aspell-kk aspell-kn aspell-ku aspell-lt aspell-lv aspell-ml aspell-mr aspell-nl aspell-no aspell-or aspell-pa aspell-pl aspell-pt aspell-pt-br aspell-pt-pt aspell-ro aspell-ru aspell-sk aspell-sl aspell-sv aspell-ta aspell-te aspell-tl aspell-uk aspell-uz hunspell-af hunspell-an hunspell-ar hunspell-be hunspell-bg hunspell-bn hunspell-br hunspell-bs hunspell-ca hunspell-cs hunspell-da hunspell-de-at hunspell-de-ch hunspell-de-de hunspell-el hunspell-en-au hunspell-en-ca hunspell-en-gb hunspell-en-med hunspell-en-us hunspell-en-za hunspell-es hunspell-eu hunspell-eu-es hunspell-fr hunspell-fr-comprehensive hunspell-gd hunspell-gl hunspell-gu hunspell-he hunspell-hi hunspell-hr hunspell-hu hunspell-is hunspell-it hunspell-kk hunspell-kmr hunspell-ko hunspell-lo hunspell-lt hunspell-ml hunspell-ne hunspell-nl hunspell-no hunspell-oc hunspell-pl hunspell-pt-br hunspell-pt-pt hunspell-ro hunspell-ru hunspell-se hunspell-si hunspell-sk hunspell-sl hunspell-sr hunspell-sv hunspell-sw hunspell-te hunspell-th hunspell-tools hunspell-uk hunspell-uz hunspell-vi
 ```
-Copy (and modify according to your needs) the configuration files in etc to /etc after installation has finished.
+Copy (and modify according to your needs) the site files in var/www to /var/www and the configuration files in etc to /etc after installation has finished. Then restart tor:
 ```
 service tor restart
 ```
-If you copied over the new etc/apt/sources.list file, we need to update our repository data and install a new keyring package for authenticating packages from torproject (you will need to confirm this):
+Now there should be an onion domain in /var/lib/tor/hidden_service/hostname:
 ```
-apt-get update && apt-get install deb.torproject.org-keyring
+cat /var/lib/tor/hidden_service/hostname
 ```
 Replace the default domain with your domain in the following files:
 ```
 /etc/nginx/sites-enabled/default
 /etc/postfix/sql/alias.cf
 /etc/postfix/sender_login_maps
 /etc/postfix/main.cf
 /var/www/skel/www/index.hosting.html
 /var/www/common.php
 /etc/postfix/canonical
 /etc/postfix-clearnet/canonical
 ```
 In /etc/postfix(-clearnet)/canonical don't change the line that has hosting.danwin1210.me in it. It is a clearnet/tor address rewriting rule, and if you have your own clearnet domain, you should copy this and modify your copy to preserve sending mail to my host via tor and not via clearnet:
 To allow sasl authentication, set start to yes in /etc/default/sasauthd and add postfix to the sasl group:
 ```
 usermod -aG sasl postfix
@ -65,32 +101,40 @@ for instance in 2 3 4 5 6 7 a b c d e f g h i j k l m n o p q r s t u v w x y z;
 for instance in default 2 3 4 5 6 7 a b c d e f g h i j k l m n o p q r s t u v w x y z; do(systemctl enable php7.0-fpm@$instance; systemctl enable php7.1-fpm@$instance;) done
 ```
 And to get a list of all tor user ids to add in /etc/rc.local run the following:
 ```
 for instance in 2 3 4 5 6 7 a b c d e f g h i j k l m n o p q r s t u v w x y z; do(id "_tor-$instance") done && id debian-tor
 ```
 For web based mail management grab the latest squirrelmail and install it in /var/www/html/squirrelmail:
 ```
 cd /var/www/html/ && svn checkout https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail && cd squirrelmail && ./configure && mkdir /var/local/squirrelmail /var/local/squirrelmail/data /var/local/squirrelmail/attach && chown www-data:www-data /var/local/squirrelmail /var/local/squirrelmail/data /var/local/squirrelmail/attach
 ```
 Once it is downloaded, it will ask you for configuration. Things to change are:
 ```
 D. > select dovecot
 2. Server Settings > 1. Domain > Set your own .onion domain here
 4. General Options > 9. Allow editing of identity > n Users should not be able to fake email addresses > y They should be able to change display name > y They should be able to set a reply to mail > y additional headers are not required
 10. Language settings > 4. Enable aggressive decoding
 11. Tweaks > 2. Ask user info on first login > n (commonly confuses users)
 11. Tweaks > 4. Use php recode functions > y
 11. Tweaks > 5. Use php iconv functions > y
 ```
 Create a mysql user with all permissions for our hosting management:
 ```
 mysql
 CREATE USER 'hosting'@'localhost' IDENTIFIED BY 'MY_PASSWORD';
 GRANT ALL PRIVILEGES ON *.* TO 'hosting'@'localhost' WITH GRANT OPTION;
 quit
 ```
-Then edit the database configuration in /var/www/common.php and last but not least setup the database by running
+Then edit the database configuration in /var/www/common.php and /etc/postfix/sql/alias.cf
 Last but not least setup the database by running
 ```
 php /var/www/setup.php
 ``` 
 Enable systemd timers to regularly run various managing tasks:
 ```
-ln -s /etc/systemd/system/hosting-del.timer /etc/systemd/system/multi-user.target.wants/hosting-del.timer
+systemctl enable hosting-del.timer && systemctl enable hosting.timer
 ln -s /etc/systemd/system/hosting.timer /etc/systemd/system/multi-user.target.wants/hosting.timer
 ```
 Add empty directories that should be copied when creating a new user and set permissions correctly:
@ -99,15 +143,9 @@ mkdir /var/www/skel/data /var/www/skel/Maildir /var/www/skel/tmp
 chmod 750 /var/www/skel/data /var/www/skel/Maildir /var/www/skel/tmp /var/www/skel/www
 ```
-For better performance add the following to /etc/sysctl.conf
+Final step is to reboot wait about 5 minutes for all services to start and check if everything is working by creating a test account.
 ```
 net.ipv4.tcp_fin_timeout = 30
 net.ipv4.ip_local_port_range = 1024 65535
 net.ipv4.tcp_timestamps = 0
 vm.swappiness=1
 ```
 Live demo:
 ----------
-If you want to see the setup in action or create your own site on my server, you can visit my [TOR hidden service](http://dhosting4okcs22v.onion) or via a tor2web proxy like [this one](https://danwin1210.me/hosting/) if you don't have TOR installed.
+If you want to see the setup in action or create your own site on my server, you can visit my [TOR hidden service](http://dhosting4okcs22v.onion) or via [my clearnet proxy](https://hosting.danwin1210.me) if you don't have TOR installed.
--- a/etc/apt/sources.list
+++ b/etc/apt/sources.list
@ -1,2 +0,0 @@
 deb tor+http://vwakviie2ienjx6t.onion/debian unstable main
 deb tor+http://sdscoq7snqtznauu.onion/torproject.org sid main
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@ -64,12 +64,12 @@ http {
 	gzip on;
 	gzip_disable "msie6";
-	# gzip_vary on;
+	gzip_vary on;
 	gzip_proxied any;
 	gzip_comp_level 9;
 	# gzip_buffers 16 8k;
 	# gzip_http_version 1.1;
-	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
 	##
 	# Virtual Host Configs
--- a/etc/postfix/sql/alias.cf
+++ b/etc/postfix/sql/alias.cf
@ -1,4 +1,4 @@
-user = postfix
+user = hosting
 password = MY_PASSWORD
 hosts = localhost
 dbname = hosting
--- a/etc/rc.local
+++ b/etc/rc.local
@ -17,8 +17,13 @@ ip6tables -F
 iptables -t nat -F
 ip6tables -t nat -F
 #accept already established connections
 iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 #allow tor traffic
-for tor in 111 `seq 115 146`; do(
+for tor in debian-tor _tor-2 _tor-3 _tor-4 _tor-5 _tor-6 _tor-7 _tor-a _tor-b _tor-c _tor-d _tor-e _tor-f _tor-g _tor-h _tor-i _tor-j _tor-k _tor-l _tor-m _tor-n _tor-o _tor-p _tor-q _tor-r _tor-s _tor-t _tor-u _tor-v _tor-w _tor-x _tor-y _tor-z; do(
 iptables -t nat -A OUTPUT -m owner --uid-owner $tor -j RETURN;
 ip6tables -t nat -A OUTPUT -m owner --uid-owner $tor -j RETURN;
 iptables -A OUTPUT -m owner --uid-owner $tor -j ACCEPT;
@ -32,6 +37,18 @@ for clearnet in 88.191.68.178 51.15.142.60 51.255.197.148 91.121.181.58; do(
 iptables -t nat -A OUTPUT -p udp --dport 123 -d $clearnet -j RETURN;
 iptables -A OUTPUT -p udp --dport 123 -d $clearnet -j ACCEPT
 )done
 #restrict local communication for php and webserver
 #allowed tcp ports
 for port in 3306 9040 9050 110 143 25 21 5000:5020; do(
 iptables -A OUTPUT -d 127.0.0.0/8 -p tcp --dport $port -m owner --gid-owner www-data -j ACCEPT;
 ip6tables -A OUTPUT -d ::1 -p tcp --dport $port -m owner --gid-owner www-data -j ACCEPT
 )done
 #accept DNS
 iptables -A OUTPUT -d 127.0.0.0/8 -p udp --dport 53 -m owner --gid-owner www-data -j ACCEPT
 ip6tables -A OUTPUT -d ::1 -p udp --dport 53 -m owner --gid-owner www-data -j ACCEPT
 #REJECT all others
 iptables -A OUTPUT -d 127.0.0.0/8 -m owner --gid-owner www-data -j REJECT
 ip6tables -A OUTPUT -d ::1 -m owner --gid-owner www-data -j REJECT
 #unrestricted access to these IPs
 for clearnet in 127.0.0.0/8; do(
 iptables -t nat -A OUTPUT -d $clearnet -j RETURN;
@ -44,9 +61,6 @@ ip6tables -A OUTPUT -d $clearnet -j ACCEPT;
 #redirect everything else
 iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
 ip6tables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
 #accept established connections
 iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 #allow local communication
 iptables -A OUTPUT -o lo -j ACCEPT
 ip6tables -A OUTPUT -o lo -j ACCEPT
@ -54,15 +68,12 @@ ip6tables -A OUTPUT -o lo -j ACCEPT
 iptables -A OUTPUT -j REJECT
 ip6tables -A OUTPUT -j REJECT
-#uncomment to be able to directly connect with your own IP
+#uncomment to be able to directly connect with your own IP and allow no one else
 #for clearnet in YOUR_IP_HERE;do(
 #iptables -A INPUT -s $clearnet -j ACCEPT;
 #)done
-#allow established connections
+#drop everything else (uncomment after adding your own IP above)
-iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+#iptables -A INPUT -i eth0 -j DROP
-ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+#ip6tables -A INPUT -i eth0 -j DROP
 #drop everything else
 iptables -A INPUT -i eth0 -j DROP
 ip6tables -A INPUT -i eth0 -j DROP
 exit 0
--- a/etc/resolv.conf
+++ b/etc/resolv.conf
@ -0,0 +1 @@
 nameserver 127.0.0.1
--- a/etc/tor/torrc
+++ b/etc/tor/torrc
@ -1,34 +1,33 @@
 SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections.
 HiddenServiceDir /var/lib/tor/hidden_service/
-HiddenServicePort 80 127.0.0.1:80
+HiddenServicePort 80
-HiddenServicePort 25 127.0.0.1:25
+HiddenServicePort 25
-HiddenServicePort 143 127.0.0.1:143
+HiddenServicePort 143
-HiddenServicePort 110 127.0.0.1:110
+HiddenServicePort 110
-HiddenServicePort 22 127.0.0.1:22
+HiddenServicePort 22
-HiddenServicePort 20 127.0.0.1:20
+HiddenServicePort 21
-HiddenServicePort 21 127.0.0.1:21
+HiddenServicePort 5000
-HiddenServicePort 5000 127.0.0.1:5000
+HiddenServicePort 5001
-HiddenServicePort 5001 127.0.0.1:5001
+HiddenServicePort 5002
-HiddenServicePort 5002 127.0.0.1:5002
+HiddenServicePort 5003
-HiddenServicePort 5003 127.0.0.1:5003
+HiddenServicePort 5004
-HiddenServicePort 5004 127.0.0.1:5004
+HiddenServicePort 5005
-HiddenServicePort 5005 127.0.0.1:5005
+HiddenServicePort 5006
-HiddenServicePort 5006 127.0.0.1:5006
+HiddenServicePort 5007
-HiddenServicePort 5007 127.0.0.1:5007
+HiddenServicePort 5008
-HiddenServicePort 5008 127.0.0.1:5008
+HiddenServicePort 5009
-HiddenServicePort 5009 127.0.0.1:5009
+HiddenServicePort 5010
-HiddenServicePort 5010 127.0.0.1:5010
+HiddenServicePort 5011
-HiddenServicePort 5011 127.0.0.1:5011
+HiddenServicePort 5012
-HiddenServicePort 5012 127.0.0.1:5012
+HiddenServicePort 5013
-HiddenServicePort 5013 127.0.0.1:5013
+HiddenServicePort 5014
-HiddenServicePort 5014 127.0.0.1:5014
+HiddenServicePort 5015
-HiddenServicePort 5015 127.0.0.1:5015
+HiddenServicePort 5016
-HiddenServicePort 5016 127.0.0.1:5016
+HiddenServicePort 5017
-HiddenServicePort 5017 127.0.0.1:5017
+HiddenServicePort 5018
-HiddenServicePort 5018 127.0.0.1:5018
+HiddenServicePort 5019
-HiddenServicePort 5019 127.0.0.1:5019
+HiddenServicePort 5020
 HiddenServicePort 5020 127.0.0.1:5020
 VirtualAddrNetworkIPv4 10.192.0.0/10
 VirtualAddrNetworkIPv6 [FC00::]/7
@ -38,6 +37,6 @@ TransPort [::1]:9040
 DNSPort 53
 DNSPort [::1]:53
 MaxClientCircuitsPending 1024
-NumCPUs 4
+NumCPUs 2
 HardwareAccel 1
 AvoidDiskWrites 1
--- a/var/www/html/files.php
+++ b/var/www/html/files.php
@ -248,9 +248,10 @@ $dir=htmlspecialchars($dir);
 <!DOCTYPE html>
 <html><head>
 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-<meta name=viewport content="width=device-width, initial-scale=1">
+<meta name="author" content="Daniel Winzen">
 <meta name="viewport" content="width=device-width, initial-scale=1">
 <title>Daniel's Hosting - FileManager - Index of <?php echo $dir; ?></title>
-<style type="text/css">td+td+td+td+td{text-align:right;} tr{height:28px;}
+<style type="text/css">.list td:nth-child(3){word-break:break-all;} .list td:nth-child(5){text-align:right;} .list tr{height:28px;}
 .back{min-width:22px; background:no-repeat url(data:img/gif;base64,R0lGODlhFAAWAPH/AAAAADMzM2ZmZpmZmSH5BAUAAAQALAAAAAAUABYAAANLSLrc/oKE8CoZM1O7os7c9WmcN04WdoKQdBIANypAHG5YbS/7kus1RlDxA+p4xqSRpmwCKE7nINqMwKi6wEAY1VaS3tBV/OiRz4sEADs=);}
 .dir{min-width:22px; background:no-repeat url(data:img/gif;base64,R0lGODlhFAAWAPH/AAAAADMzM5lmM//MmSH5BAUAAAQALAAAAAAUABYAAANUSLrc/jDKSRm4+E4wuu9AxH1kpimAQHpqiQ5CLMcrHI71GgdXngs8nI8F7A1JReFxZzyygk4iNNpJUmFWmFbF3cJ4hNRsPA6Aw+a0es0LLEzwjDsBADs=);}
 .img{min-width:22px; background:no-repeat url(data:img/gif;base64,R0lGODlhFAAWAPMLAAAAADMzM2YAAAAzZmZmZv8zMwCZMwCZzJmZmczMzP///wAAAAAAAAAAAAAAAAAAACH5BAUAAAsALAAAAAAUABYAAASQMMhJ57p4BcW730F2bV5JhhlZdio6KkUsF4mi2tg2y4ICBL/gaxfrAY5IwJDY4yCeCKUGNjNYDTUFVKqTGTgJa1bLVSRi3/CVlIi+EgIB9mrdJAbuaYe+ThzwZSx8BAEHf3k3CQFXhIaHgR2KE46PLytmlJV6JX6ZgJYedwOjpJ+blyWIAVCsrU9AGUmys1IRADs=);}
@ -292,7 +293,7 @@ if($order==='A'){
 <input type="submit" name="rename" value="Rename">
 <input type="submit" name="edit" value="Edit">
 <input type="submit" name="unzip" value="Unzip"><br>
-<table><tr>
+<table class="list"><tr>
 <th></th><th></th>
 <th><a href="files.php?path=<?php echo $dir; ?>&amp;C=N&amp;O=<?php echo $fileurl; ?>">File</a></th>
 <th><a href="files.php?path=<?php echo $dir; ?>&amp;C=M&amp;O=<?php echo $dateurl; ?>">Last Modified</a></th>
@ -310,6 +311,7 @@ foreach($list as $element){
 </table>
 <input type="submit" name="delete" value="Delete">
 <input type="submit" name="rename" value="Rename">
 <input type="submit" name="edit" value="Edit">
 <input type="submit" name="unzip" value="Unzip"><br><br>
 </form>
 </body></html>
@ -428,7 +430,7 @@ function send_edit($ftp, $dir){
 	}
 	unlink($tmpfile);
 	echo '</table>';
-	echo '<input type="submit" name="edit_2" value="Edit"></form>';
+	echo '<input type="submit" name="edit_2" value="Save"></form>';
 	echo '<p><a href="files.php?path='.htmlspecialchars($dir).'">Go back</a>.</p>';
 	echo '</body></html>';
 }
--- a/var/www/html/login.php
+++ b/var/www/html/login.php
@ -17,14 +17,14 @@ if($_SERVER['REQUEST_METHOD']==='POST'){
 	$ok=true;
 	if(CAPTCHA){
 		if(!isset($_REQUEST['challenge'])){
-			echo '<p style="color:red;">Error: Wrong Captcha</p>';
+			$msg.='<p style="color:red;">Error: Wrong Captcha</p>';
 			$ok=false;
 		}else{
 			$stmt=$db->prepare('SELECT code FROM captcha WHERE id=?;');
 			$stmt->execute([$_REQUEST['challenge']]);
 			$stmt->bindColumn(1, $code);
 			if(!$stmt->fetch(PDO::FETCH_BOUND)){
-				echo '<p style="color:red;">Error: Captcha expired</p>';
+				$msg.='<p style="color:red;">Error: Captcha expired</p>';
 				$ok=false;
 			}else{
 				$time=time();
@ -32,7 +32,7 @@ if($_SERVER['REQUEST_METHOD']==='POST'){
 				$stmt->execute([$_REQUEST['challenge'], $time-3600]);
 				if($_REQUEST['captcha']!==$code){
 					if(strrev($_REQUEST['captcha'])!==$code){
-						echo '<p style="color:red;">Error: Wrong captcha</p>';
+						$msg.='<p style="color:red;">Error: Wrong captcha</p>';
 						$ok=false;
 					}
 				}
		`@ -1,2 +0,0 @@`
			`deb tor+http://vwakviie2ienjx6t.onion/debian unstable main`
			`deb tor+http://sdscoq7snqtznauu.onion/torproject.org sid main`