
commit 3f25f456fd19796d5e4411e9cd8e3dc012927874
Author: gus <gus@torproject.org>
Date: Mon Jun 1 13:40:14 2020 -0400
Add nginx Onion-Location instructions, thanks @ahf
---
 .../advanced/onion-location/contents.lr | 78 +++++++++++++++-------
 1 file changed, 54 insertions(+), 24 deletions(-)
diff --git a/content/onion-services/advanced/onion-location/contents.lr b/content/onion-services/advanced/onion-location/contents.lr
index caf7d5f..4796554 100644
--- a/content/onion-services/advanced/onion-location/contents.lr
+++ b/content/onion-services/advanced/onion-location/contents.lr
@@ -25,18 +25,18 @@ For the header to be valid the following conditions need to be fulfilled:
 * The webpage defining the Onion-Location header must be served over HTTPS.
 * The webpage defining the Onion-Location header must not be an onionsite.
-In this page, the commands to restart the web server are based on Debian-like operating systems and may differ on other systems.
+In this page, the commands to manage the web server are based on Debian-like operating systems and may differ on other systems.
 Check your web server and operating system documentation.
 ### Apache
-To configure this header in Apache 2.2 or above, you will need to enable a few modules and edit the website Virtual Host file.
+To configure this header in Apache 2.2 or above, you will need to enable a `headers` and `rewrite` modules and edit the website Virtual Host file.
-**Step 1.** Enable headers and rewrite modules and restart Apache2
+**Step 1.** Enable headers and rewrite modules and reload Apache2
 $ sudo a2enmod headers rewrite
- $ sudo systemctl restart apache2
+ $ sudo systemctl reload apache2
 If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work.
@@ -52,9 +52,14 @@ Virtual Host example:
 ```
 <VirtualHost *:443>
- ServerName your-website.tld
- DocumentRoot /var/www/html
- Header set Onion-Location "http://rh5d6reakhpvuxe2t3next6um6iiq4jf43m7gmdrphfhopfpnoglzcyd%{REQUEST_URI}s"
+ ServerName <your-website.tld>
+ DocumentRoot /path/to/htdocs
+
+ Header set Onion-Location "http://your-onion-address.onion%{REQUEST_URI}s"
+
+ SSLEngine on
+ SSLCertificateFile "/path/to/www.example.com.cert"
+ SSLCertificateKeyFile "/path/to/www.example.com.key"
 </VirtualHost>
 ```
@@ -72,40 +77,66 @@ To test if Onion-Location is working, fetch the website HTTP headers, for exampl
 $ wget --server-response --spider your-website.tld
-Look for the `onion-location` entry and the onion service address.
-
+Look for `onion-location` entry and the onion service address.
 Or open the website in Tor Browser and a purple pill will appear in the address bar.
 ### Nginx
-To configure Onion-Location header, you will need to edit Nginx website configuration file.
+To configure Onion-Location header, you will need to edit nginx website configuration file.
 **Step 1.** Edit website configuration file
-In `/etc/nginx/conf.d/<your-website.conf` add the new Onion-Location header and the onion service address.
+In `/etc/nginx/conf.d/<your-website>.conf` add the Onion-Location header and the onion service address.
 For example:
 ```
- location / {
- add_header Onion-Location http://rh5d6reakhpvuxe2t3next6um6iiq4jf43m7gmdrphfhopfpnoglzcyd.onion$reques...;
- }
+ add_header Onion-Location http://<your-onion-address>.onion$request_uri;
 ```
+
 The configuration file with Onion-Location should look like:
 ```
 server {
- listen 443;
+ listen 80;
+ listen [::]:80;
+
+ server_name <your-website.tld>;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name <your-website.tld> <your-onion-address.onion>;
+
+ # managed by Certbot - https://certbot.eff.org/
+ ssl_certificate /etc/letsencrypt/live/<hostname>/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/<hostname>/privkey.pem;
- root /var/www/your-website/html;
- index index.html index.htm;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header Onion-Location http://<your-onion-address>.onion$request_uri;
- server_name your-website.tld;
+ # managed by Certbot
- location / {
- try_files $uri $uri/ =404;
- add_header 
Onion-Location http://rh5d6reakhpvuxe2t3next6um6iiq4jf43m7gmdrphfhopfpnoglzcyd.onion$reques...;
- }
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ access_log /var/log/nginx/<hostname>-access.log;
+
+ index index.html;
+ root /path/to/htdocs;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
 }
 ```
@@ -132,8 +163,7 @@ To test if Onion-Location is working, fetch the website HTTP headers, for exampl
 $ wget --server-response --spider your-website.tld
-Look for the `onion-location` entry and the onion service address.
-
+Look for `onion-location` entry and the onion service address.
 Or open the website in Tor Browser and a purple pill will appear in the address bar.
 ### Using an HTML `<meta>` attribute