Merge branch 'post-proxy-clearnet-2-onion'

2019-07-08 14:13:02 +02:00 · 2019-07-08 14:13:02 +02:00 · c204dd0e5e
commit c204dd0e5e
parent 69da8ca75b d5a1df07e9
1 changed files with 85 additions and 0 deletions
--- a/content/post/proxy-clearnet-2-onion.md
+++ b/content/post/proxy-clearnet-2-onion.md
@ -0,0 +1,85 @@
+++
+title = "Clearnet -> Onion Website"
+date = 2019-07-08T12:00:00+02:00
+author = "MH"
+cover = ""
+tags = ["Tor", "Setup", "Concept", "Proxy", "socat", "nginx"]
+description = "Why not have a hidden service on a normal Site?"
+showFullContent = false
+draft = false
+++
+
+Say we like to share an onion site on the clearnet.
+It's address is ```a1b2c3d4e5f6.onion``` and you are on a linux server.
+
+First install nginx and tor.
+```
+apt install -y nginx tor
+systemctl start tor
+```
+lets change the nginx config:
+
+```
+echo 'server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    root /var/www/html;
+    server_name _;
+    location / {
+        proxy_pass http://127.0.0.1:8283;
+        proxy_set_header Host "a1b2c3d4e5f6.onion";
+        proxy_set_header Accept-Encoding "";
+        proxy_set_header Via "$host";
+        subs_filter 'a1b2c3d4e5f6.onion' '10.40.8.206';
+    }
+}' > /etc/nginx/sites-enabled/default
+```
+
+and extend the tor config ...
+```
+echo 'DNSPort 53
+AutomapHostsOnResolve 1' >> /etc/torrc
+```
+change the dns servert to localhost:
+```
+echo 'nameserver 127.0.0.1' > /etc/resolv.conf
+```
+
+
+Then create a script caled ```/opt/http2socks.sh```:
+```
+#!/bin/bash
+onion="a1b2c3d4e5f6.onion:80"
+proxy_http_2_socks5.sh:socat tcp4-LISTEN:8283,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:"$onion",socksport=9050 &
+```
+add this script to the startup by add an line with ```crontab -e```:
+```
+@reboot /opt/http2socks.sh
+```
+
+now start it all:
+```
+systemctl restart tor
+/opt/http2socks.sh
+systemctl restart nginx
+```
+
+now you shoud have the hidden service on your 80 port visible for everyone.
+of course you can extend the nginx config to ask for a login before:
+
+add
+```
+auth_basic "Restricted Content";
+auth_basic_user_file /etc/nginx/.htpasswd;
+```
+to the ```location / {...}``` block
+
+```
+and enerate the password file:
+echo -n 'user:' >> /etc/nginx/.htpasswd
+openssl passwd -apr1 >> /etc/nginx/.htpasswd
+
+systemctl restart ngin
+```
+
+These are just ideas why I'm not responsible if someone has questionable content now available on the net. :D