[tor-talk] Deploying Alt-Svc on your own website. Hello?

Ben Tasker ben at bentasker.co.uk
Sat Sep 22 14:28:19 UTC 2018


On Sat, Sep 22, 2018 at 2:58 PM, Roman Mamedov <rm at romanrm.net> wrote:

>
> I hoped this would finally describe how to actually deploy Alt-Svc on
> a .onion+clearnet website. Right now it feels like, OK, CloudFlare knows
> how to do this, and the rest of us don't matter. Not a single HOWTO or
> guide on how to actually set it up. Asked on the mailing list before,
> complete silence.
>
>
Which part are you struggling with?

The following is assuming you've got a site - www.example.com - that's
accessible at 1234.onion.

Configure your nginx server block (or apache config) for www.example.com to
include an Alt-Svc header to advertise the onion:

 Alt-Svc: h2="1234.onion:443"; ma=3600; persist=1

(The ma there tells the browser to remember this for an hour).

In Nginx config that would be

add_header Alt-Svc 'h2="1234.onion:443"; ma=3600; persist=1';

In Apache with mod_headers that *should* be

Header set Alt-Svc 'h2="1234.onion:443"; ma=3600; persist=1'


So far so easy. The next bit is a little less obvious though.

You need to configure your onion server block to respond on port 443 _and_
to handle your clearnet host header (and serve a publicly trusted
certificate matching that name). Alt-Svc tells the browser to use the
alternate address as a trusted origin for the service it's connecting to,
so it'll connect to 1234.onion and request www.example.com.

You can, of course, continue to also serve your onion over port 80 as well
if you wish for direct visitors (as you still can't trivially get a cert
for an onion name).

HTH - hopefully I haven't missed anything

Ben




-- 
Ben Tasker
https://www.bentasker.co.uk
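
The setup described in the message above, put together as one nginx configuration. This is an added example, not part of the original post; the torrc lines, the local ports 8443 and 8080, the certificate paths and the document root are assumptions.

```nginx
# Added example. Local ports, file paths and the torrc lines are assumptions.
# Assumed torrc for the onion service (separate file, shown for context):
#   HiddenServiceDir  /var/lib/tor/example_site/
#   HiddenServicePort 443 127.0.0.1:8443
#   HiddenServicePort 80  127.0.0.1:8080

# 1. Clearnet block: advertises the onion as an alternative service.
server {
    listen 443 ssl http2;
    server_name www.example.com;

    ssl_certificate     /etc/ssl/example/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;    # placeholder path

    add_header Alt-Svc 'h2="1234.onion:443"; ma=3600; persist=1';

    root /var/www/example;
}

# 2. Onion block on port 443: reached through Tor, but the browser still
#    sends SNI and Host for www.example.com and validates that certificate.
server {
    # "h2" in the header is an ALPN id, so this listener must offer HTTP/2.
    # (nginx 1.25.1+ prefers a separate "http2 on;" directive.)
    listen 127.0.0.1:8443 ssl http2;
    server_name www.example.com;

    ssl_certificate     /etc/ssl/example/fullchain.pem;  # same cert as block 1
    ssl_certificate_key /etc/ssl/example/privkey.pem;

    root /var/www/example;
}

# 3. Optional: plain HTTP for visitors who type the onion address directly.
server {
    listen 127.0.0.1:8080;
    server_name 1234.onion;

    root /var/www/example;
}
```

Run `nginx -t` before reloading. A `location` block that has its own `add_header` lines does not inherit the server-level Alt-Svc header, so repeat it there if needed.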

