homepage/content/post/proxy-clearnet-2-onion.md

86 lines
2.0 KiB
Markdown
Raw Permalink Normal View History

2019-07-07 00:27:44 +00:00
+++
title = "Clearnet -> Onion Website"
2019-07-08 12:09:36 +00:00
date = 2019-07-08T12:00:00+02:00
2019-07-07 00:27:44 +00:00
author = "MH"
cover = ""
2019-07-08 12:09:36 +00:00
tags = ["Tor", "Setup", "Concept", "Proxy", "socat", "nginx"]
2019-07-07 00:27:44 +00:00
description = "Why not have a hidden service on a normal Site?"
showFullContent = false
2019-07-08 12:09:36 +00:00
draft = false
2019-07-07 00:27:44 +00:00
+++
2019-07-08 12:09:36 +00:00
Say we like to share an onion site on the clearnet.
It's address is ```a1b2c3d4e5f6.onion``` and you are on a linux server.
First install nginx and tor.
```
apt install -y nginx tor
systemctl start tor
```
lets change the nginx config:
```
echo 'server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
server_name _;
location / {
proxy_pass http://127.0.0.1:8283;
proxy_set_header Host "a1b2c3d4e5f6.onion";
proxy_set_header Accept-Encoding "";
proxy_set_header Via "$host";
2019-07-08 12:17:47 +00:00
subs_filter 'a1b2c3d4e5f6.onion' "$host";
2019-07-08 12:09:36 +00:00
}
}' > /etc/nginx/sites-enabled/default
```
and extend the tor config ...
```
echo 'DNSPort 53
AutomapHostsOnResolve 1' >> /etc/torrc
```
change the dns servert to localhost:
```
echo 'nameserver 127.0.0.1' > /etc/resolv.conf
```
Then create a script caled ```/opt/http2socks.sh```:
2019-07-07 00:27:44 +00:00
```
2019-07-08 12:09:36 +00:00
#!/bin/bash
onion="a1b2c3d4e5f6.onion:80"
proxy_http_2_socks5.sh:socat tcp4-LISTEN:8283,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:"$onion",socksport=9050 &
```
add this script to the startup by add an line with ```crontab -e```:
```
@reboot /opt/http2socks.sh
```
now start it all:
```
systemctl restart tor
/opt/http2socks.sh
systemctl restart nginx
```
now you shoud have the hidden service on your 80 port visible for everyone.
of course you can extend the nginx config to ask for a login before:
add
```
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.htpasswd;
```
to the ```location / {...}``` block
```
and enerate the password file:
echo -n 'user:' >> /etc/nginx/.htpasswd
openssl passwd -apr1 >> /etc/nginx/.htpasswd
systemctl restart ngin
2019-07-07 00:27:44 +00:00
```
2019-07-08 12:12:50 +00:00
These are just ideas why I'm not responsible if someone has questionable content now available on the net. :D