From 5ca83fa9b8c59e5553298dedb092796cb57af8b6 Mon Sep 17 00:00:00 2001
From: 6543 <6543@obermui.de>
Date: Sun, 7 Jul 2019 02:27:44 +0200
Subject: [PATCH 1/3] add the demo config
---
content/post/proxy-clearnet-2-onion.md | 35 ++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 content/post/proxy-clearnet-2-onion.md
diff --git a/content/post/proxy-clearnet-2-onion.md b/content/post/proxy-clearnet-2-onion.md
new file mode 100644
index 0000000..13ebc4f
--- /dev/null
+++ b/content/post/proxy-clearnet-2-onion.md
@@ -0,0 +1,35 @@
++++
+title = "Clearnet -> Onion Website"
+date = 2019-07-07T02:23:49+02:00
+author = "MH"
+cover = ""
+tags = ["Tor", "Setup", "Concept", "Proxy"]
+description = "Why not have a hidden service on a normal Site?"
+showFullContent = false
+draft = true
++++
+
+```
+root@wwwtest2tor2:/opt# grep '' *
+nginx_site.conf:server {
+nginx_site.conf: listen 80 default_server;
+nginx_site.conf: listen [::]:80 default_server;
+nginx_site.conf: root /var/www/html;
+nginx_site.conf: server_name _;
+nginx_site.conf: location / {
+nginx_site.conf:
+nginx_site.conf: proxy_pass http://127.0.0.1:81;
+nginx_site.conf: proxy_set_header Host "mxoal6ts2kwnxkpbxuc6ls5c43jnaefpdjx27tnjncgmobnec2untnad.onion";
+nginx_site.conf: proxy_set_header Accept-Encoding "";
+nginx_site.conf: proxy_set_header Via "$host";
+nginx_site.conf: subs_filter 'mxoal6ts2kwnxkpbxuc6ls5c43jnaefpdjx27tnjncgmobnec2untnad.onion' '10.40.8.206';
+nginx_site.conf:
+nginx_site.conf: }
+nginx_site.conf:}
+proxy_http_2_socks5.sh:#!/bin/bash
+proxy_http_2_socks5.sh:export hiddenservice="mxoal6ts2kwnxkpbxuc6ls5c43jnaefpdjx27tnjncgmobnec2untnad.onion:80"
+proxy_http_2_socks5.sh:socat tcp4-LISTEN:81,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:"$hiddenservice",socksport=9050 &
+resolv.conf:nameserver 127.0.0.1
+torrc:DNSPort 53
+torrc:AutomapHostsOnResolve 1
+```
From 03e0a274d67e8391fb09d31eb29afb6043df4c46 Mon Sep 17 00:00:00 2001
From: 6543 <6543@obermui.de>
Date: Mon, 8 Jul 2019 14:09:36 +0200
Subject: [PATCH 2/3] finisch idear
---
content/post/proxy-clearnet-2-onion.md | 98 +++++++++++++++++++-------
1 file changed, 73 insertions(+), 25 deletions(-)
diff --git a/content/post/proxy-clearnet-2-onion.md b/content/post/proxy-clearnet-2-onion.md
index 13ebc4f..ee94b87 100644
--- a/content/post/proxy-clearnet-2-onion.md
+++ b/content/post/proxy-clearnet-2-onion.md
@@ -1,35 +1,83 @@ +++ title = "Clearnet -> Onion Website" -date = 2019-07-07T02:23:49+02:00 +date = 2019-07-08T12:00:00+02:00 author = "MH" cover = "" -tags = ["Tor", "Setup", "Concept", "Proxy"] +tags = ["Tor", "Setup", "Concept", "Proxy", "socat", "nginx"] description = "Why not have a hidden service on a normal Site?" showFullContent = false -draft = true +draft = false +++ +Say we like to share an onion site on the clearnet. +It's address is ```a1b2c3d4e5f6.onion``` and you are on a linux server. + +First install nginx and tor. ``` -root@wwwtest2tor2:/opt# grep '' * -nginx_site.conf:server { -nginx_site.conf: listen 80 default_server; -nginx_site.conf: listen [::]:80 default_server; -nginx_site.conf: root /var/www/html; -nginx_site.conf: server_name _; -nginx_site.conf: location / { -nginx_site.conf: -nginx_site.conf: proxy_pass http://127.0.0.1:81; -nginx_site.conf: proxy_set_header Host "mxoal6ts2kwnxkpbxuc6ls5c43jnaefpdjx27tnjncgmobnec2untnad.onion"; -nginx_site.conf: proxy_set_header Accept-Encoding ""; -nginx_site.conf: proxy_set_header Via "$host"; -nginx_site.conf: subs_filter 'mxoal6ts2kwnxkpbxuc6ls5c43jnaefpdjx27tnjncgmobnec2untnad.onion' '10.40.8.206'; -nginx_site.conf: -nginx_site.conf: } -nginx_site.conf:} -proxy_http_2_socks5.sh:#!/bin/bash -proxy_http_2_socks5.sh:export hiddenservice="mxoal6ts2kwnxkpbxuc6ls5c43jnaefpdjx27tnjncgmobnec2untnad.onion:80" -proxy_http_2_socks5.sh:socat tcp4-LISTEN:81,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:"$hiddenservice",socksport=9050 & -resolv.conf:nameserver 127.0.0.1 -torrc:DNSPort 53 -torrc:AutomapHostsOnResolve 1 +apt install -y nginx tor +systemctl start tor +``` +lets change the nginx config: + +``` +echo 'server { + listen 80 default_server; + listen [::]:80 default_server; + root /var/www/html; + server_name _; + location / { + proxy_pass http://127.0.0.1:8283; + proxy_set_header Host "a1b2c3d4e5f6.onion"; + proxy_set_header Accept-Encoding ""; + proxy_set_header Via "$host"; + subs_filter 
'a1b2c3d4e5f6.onion' '10.40.8.206'; + } +}' > /etc/nginx/sites-enabled/default +``` + +and extend the tor config ... +``` +echo 'DNSPort 53 +AutomapHostsOnResolve 1' >> /etc/torrc +``` +change the dns servert to localhost: +``` +echo 'nameserver 127.0.0.1' > /etc/resolv.conf +``` + + +Then create a script caled ```/opt/http2socks.sh```: +``` +#!/bin/bash +onion="a1b2c3d4e5f6.onion:80" +proxy_http_2_socks5.sh:socat tcp4-LISTEN:8283,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:"$onion",socksport=9050 & +``` +add this script to the startup by add an line with ```crontab -e```: +``` +@reboot /opt/http2socks.sh +``` + +now start it all: +``` +systemctl restart tor +/opt/http2socks.sh +systemctl restart nginx +``` + +now you shoud have the hidden service on your 80 port visible for everyone. +of course you can extend the nginx config to ask for a login before: + +add +``` +auth_basic "Restricted Content"; +auth_basic_user_file /etc/nginx/.htpasswd; +``` +to the ```location / {...}``` block + +``` +and enerate the password file: +echo -n 'user:' >> /etc/nginx/.htpasswd +openssl passwd -apr1 >> /etc/nginx/.htpasswd + +systemctl restart ngin ``` From d5a1df07e9b9badfe8bdcb55ab6727c4b6aaa94c Mon Sep 17 00:00:00 2001 From: 6543 <6543@obermui.de> Date: Mon, 8 Jul 2019 14:12:50 +0200 Subject: [PATCH 3/3] add disclamer --- content/post/proxy-clearnet-2-onion.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/post/proxy-clearnet-2-onion.md b/content/post/proxy-clearnet-2-onion.md index ee94b87..2153d9d 100644 --- a/content/post/proxy-clearnet-2-onion.md +++ b/content/post/proxy-clearnet-2-onion.md @@ -81,3 +81,5 @@ openssl passwd -apr1 >> /etc/nginx/.htpasswd systemctl restart ngin ``` + +These are just ideas why I'm not responsible if someone has questionable content now available on the net. :D
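Review bot: In the `/opt/http2socks.sh` listing of PATCH 2/3 the socat line still starts with the `proxy_http_2_socks5.sh:` prefix left over from the earlier grep dump, so a reader who copies the script would get a failing command instead of the 127.0.0.1:8283 listener; the line should start at `socat tcp4-LISTEN:8283,...`. The optional `auth_basic` step is added to a server block that only listens on port 80, so the login would cross the clearnet in plain HTTP; the post should say so or place the login behind a TLS listener. The tor options are appended to `/etc/torrc`, whereas the Debian-style package that `apt install` suggests normally reads `/etc/tor/torrc`; this is worth confirming, because otherwise `DNSPort` and `AutomapHostsOnResolve` never take effect while `/etc/resolv.conf` already points at 127.0.0.1. At the end of the hunk the last fence opens one line too early (before "and enerate the password file:") and `systemctl restart ngin` is missing its final `x`.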