Matt Traudt

An onion (v3) (SAT [What's this?]) a day keeps the bad guys away | About me

Redirect Tor Users to Your Onion Service with Nginx

Posted on 07 Sep 2016 by Matt Traudt

Last upated 28 Dec 2017 at 1:59 pm
permalink

If you host a web onion service that is also available on the clearnet, then your guests may appreciate it if they can type your clearnet address and automatically get redirected to your onion address. This is nice if

Warnings:

As of December 2017, I no longer automatically redirect people on my websites and do not recommend that anyone else does so.

So with that being said, here's the best way I found to do it.

If you are good with Linux and nginx already, just look here. This is more for those that aren't experts already! All I've done is explain what to do with the code snippits found in that repo.

1. Auto generate a list of Tor Exit IP addresses

You will want to put the following code in a script, make the script executable, and run it automatically periodically.

IPADDR="$(curl -s https://check.torproject.org/exit-addresses | \
        grep ExitAddress | \
        awk '{print "\t" $2 " 1;"}' | \
        sort -u)"
cat > /etc/nginx/conf.d/nginx-tor-geo.conf <<EOF
geo \$torUsers {
    default 0;
$IPADDR
}
EOF

You may want to replace /etc/nginx/conf.d/nginx-tor-geo.conf depending on your Linux distro.

What this script does is

  1. Grab a list of exits and their IPs from the Tor Project
  2. Grab only the IP from that list
  3. Put the list of IPs in the /etc/nginx/conf.d/nginx-tor-geo.conf file with some other necessary lines

Put the above code in some script, say /path/to/my/script.sh. Then make it executable by you with chmod u+x /path/to/my/script.sh. Then, the easiest way to get it to run automatically is to use cron. For example, to have cron rerun this script on the 21st minute of every hour, run the command crontab -e and add the following line.

21 * * * * /path/to/my/script.sh

Then exit the text editor.

Once the /etc/nginx/conf.d/nginx-tor-geo.conf file exists, you can move on.

2. Tell nginx about all the Tor exit IPs

This will go a little different based on your Linux distro. In fact, for Debian (and likely Debian-based distros like Ubuntu), you don't even have to do anything for this step.

Nginx will likely have an nginx.conf file, probably /etc/nginx/nginx.conf. In it, find the http {} block. If you already have the following line in the http {} block and you used the same nginx-tor-geo.conf file I did in step 1, then you don't need to do anything for step 2.

include /etc/nginx/conf.d/*.conf;

If you already have that line inside an http {} block, move on. If not, add include /path/to/your/nginx-tor-geo.conf-from-step-1;.

If you had to add the line, you need to reload nginx. If you use systemd, then run the command systemctl reload nginx as root. If you don't use systemd, then service nginx reload will probably work, but it really depends.

3. Configure your server {} to detect Tor users

You should already have a server {} block somewhere that is telling nginx about the webstie you are hosting. If you have no idea where, try looking in the files located in /etc/nginx/sites-enabled/.

Once you found the server {} block, you're almost done. Let's define some more variables!

So know that we've agreed on that, find the location {} block within the server {} block. Just add the following lines to the top of the location / {} block.

if ($torUsers) {
    return 301 http://myspecial.onion$request_uri;
}

So for example, you might now have

root /path/to/my/www;
location / {
    if ($torUsers) {
        return 301 https://myspecia.onion$request_uri;
    }
    try_files $uri $uri/ =404;
}

Reload nginx one more time, and if there's no errors, you're done.


Update Oct 2016: thanks to an anonymous user for the sort -u tip to avoid duplicate entries in $IPADDR and to keep nginx logs clean.

Update December 2017: recommend not using this information and remove old example since my domain no longer does this.

sources: https://github.com/placeholdr/nginx-tor-redirect

tags: tutorial, nginx, tor, onion-service