homepage/content/post/proxy-clearnet-2-onion.md

+++
title = "Clearnet -> Onion Website"
date = 2019-07-08T12:00:00+02:00
author = "MH"
cover = ""
tags = ["Tor", "Setup", "Concept", "Proxy", "socat", "nginx"]
description = "Why not have a hidden service on a normal Site?"
showFullContent = false
draft = false
+++

Say we would like to share an onion site on the clearnet. Its address is `a1b2c3d4e5f6.onion` and you are on a Linux server.

First install nginx and tor.

```shell
apt install -y nginx tor
systemctl start tor
```

Let's change the nginx config:

```shell
echo 'server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    server_name _;
    location / {
        # forward everything to the local socat relay
        proxy_pass http://127.0.0.1:8283;
        proxy_set_header Host "a1b2c3d4e5f6.onion";
        # ask for uncompressed responses so subs_filter can rewrite them
        proxy_set_header Accept-Encoding "";
        proxy_set_header Via "$host";
        # needs the ngx_http_substitutions_filter_module
        subs_filter "a1b2c3d4e5f6.onion" "$host";
    }
}' > /etc/nginx/sites-enabled/default
```

and extend the tor config:

```shell
# the Debian/Ubuntu tor package reads /etc/tor/torrc
echo 'DNSPort 53
AutomapHostsOnResolve 1' >> /etc/tor/torrc
```

Change the DNS server to localhost:

```shell
echo 'nameserver 127.0.0.1' > /etc/resolv.conf
```

Then create a script called `/opt/http2socks.sh`:

```shell
#!/bin/bash
onion="a1b2c3d4e5f6.onion:80"
# listen on loopback only and relay each connection to the onion via Tor's SOCKS port
socat tcp4-LISTEN:8283,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:"$onion",socksport=9050 &
```

Add this script to the startup by adding a line with `crontab -e`:

```
@reboot /opt/http2socks.sh
```

Now start it all:

```shell
systemctl restart tor
/opt/http2socks.sh
systemctl restart nginx
```

Now you should have the hidden service visible to everyone on port 80. Of course, you can extend the nginx config to ask for a login first.

Add

```nginx
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/.htpasswd;
```

to the `location / {...}` block

and generate the password file:

```shell
echo -n 'user:' >> /etc/nginx/.htpasswd
openssl passwd -apr1 >> /etc/nginx/.htpasswd

systemctl restart nginx
```
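The nginx login only protects the site if the socat relay on 8283, Tor's SOCKS port and the DNSPort stay bound to loopback, so it is worth checking what the listeners are actually bound to. The following is an added example, not part of the original post: it filters `ss -H -ltnu` style output for the three internal ports used above. The function name and the sample lines are constructed for illustration, and the column layout of `ss` is an assumption stated in the comment.

```shell
#!/bin/sh
# Added example, not from the original post.
# Ports from this page: 8283 (socat relay), 9050 (Tor SOCKS), 53 (Tor DNSPort).

# exposed_listeners PORT...
# Reads `ss -H -ltnu` style lines on stdin (assumed columns: Netid State
# Recv-Q Send-Q Local:Port Peer:Port) and prints each local address that
# listens on one of the given ports without being bound to loopback.
exposed_listeners() {
    want=" $* "
    while read -r _netid _state _rq _sq addr _rest; do
        [ -n "$addr" ] || continue
        port=${addr##*:}    # text after the last colon
        host=${addr%:*}     # everything before it (IPv6 keeps its brackets)
        case "$want" in *" $port "*) ;; *) continue ;; esac
        case "$host" in
            127.*|"[::1]") ;;      # loopback only: not reachable from outside
            *) echo "$addr" ;;     # wildcard or public address: exposed
        esac
    done
}

# Constructed sample: the setup as described on this page.
sample_good() {
    cat <<'EOF'
tcp LISTEN 0 5   127.0.0.1:8283 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:9050 0.0.0.0:*
udp UNCONN 0 0   127.0.0.1:53   0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:80     0.0.0.0:*
tcp LISTEN 0 128 [::]:80        [::]:*
EOF
}

# Constructed sample: socat started without bind=127.0.0.1.
sample_bad() {
    cat <<'EOF'
tcp LISTEN 0 5   0.0.0.0:8283   0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:9050 0.0.0.0:*
udp UNCONN 0 0   127.0.0.1:53   0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:80     0.0.0.0:*
EOF
}

echo "as described: $(sample_good | exposed_listeners 8283 9050 53 | wc -l) exposed"
echo "without bind: $(sample_bad | exposed_listeners 8283 9050 53)"
# On the server itself: ss -H -ltnu | exposed_listeners 8283 9050 53
```

Port 80 is deliberately not in the list, since nginx is meant to be public; any line printed for the other ports means that listener is reachable without going through nginx.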

These are just ideas, which is why I'm not responsible if someone now has questionable content available on the net. :D