Public | Automated Build

Last pushed: a month ago
Short Description
A Docker container that wraps the Tor daemon together with Nginx as a reverse proxy.
Full Description

Onion Service Reverse Proxy

This is a Docker container that wraps a Tor daemon together with Nginx running in reverse proxy mode. With minimal changes to the default config, the image should let you point Nginx at an existing HTTP server and publish it as an onion service.

Nginx is preconfigured in the default config file to strip out or mask a number of response headers that might reveal too much about the server behind your onion service.
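As an added illustration of what such a config looks like, the fragment below is example configuration written for this page, not the nginx.conf shipped in the ajhaydock/onion image. It proxies a loopback listener (which Tor forwards the onion service to) to a backend HTTP server and hides the headers that most commonly fingerprint the origin. The backend address 192.0.2.10, the loopback port 8080, the UID that nginx runs as and the /tmp paths are assumptions; the listen port must match whatever HiddenServicePort in the image's torrc forwards to.

```nginx
# Example nginx.conf for the onion reverse proxy (added here; not the image's own file).
# Assumptions:
#   - backend is a plain-HTTP site at 192.0.2.10:80 (RFC 5737 documentation address;
#     substitute your own, as the author's config points at a local IP)
#   - the image's torrc has a HiddenServicePort line forwarding to 127.0.0.1:8080
#     inside the container (8080 is an assumed value; check the image's torrc)
#   - /tmp is writable by the user nginx runs as inside the container

worker_processes 1;
error_log stderr warn;   # errors only; for an onion service, less logged is better
pid /tmp/nginx.pid;

events {
    worker_connections 256;
}

http {
    access_log off;      # no per-request log that could tie visits to timestamps
    server_tokens off;   # "Server: nginx" instead of "nginx/1.x.y (distro)"

    # Temp paths under /tmp so a non-root nginx does not need the packaged cache dirs
    client_body_temp_path /tmp/nginx_client_body;
    proxy_temp_path       /tmp/nginx_proxy;

    server {
        # Tor reaches nginx over the container's loopback; never bind a public address.
        # An unprivileged port is required: --cap-drop=all removes CAP_NET_BIND_SERVICE,
        # so a non-root nginx cannot bind port 80.
        listen 127.0.0.1:8080;
        server_name _;

        location / {
            proxy_pass http://192.0.2.10;
            proxy_http_version 1.1;

            # Send the upstream address as Host (nginx's default, $proxy_host) rather
            # than the client's .onion Host, and drop any X-Forwarded-For / X-Real-IP
            # a client may have sent: the backend learns nothing about the Tor side.
            # (An empty value tells nginx not to pass the header at all.)
            proxy_set_header Host $proxy_host;
            proxy_set_header X-Forwarded-For "";
            proxy_set_header X-Real-IP "";

            # Strip backend response headers that fingerprint the origin.
            # nginx already discards the upstream Server and Date headers and
            # substitutes its own, so those need no rule here.
            proxy_hide_header X-Powered-By;
            proxy_hide_header X-AspNet-Version;
            proxy_hide_header X-AspNetMvc-Version;
            proxy_hide_header X-Runtime;
            proxy_hide_header X-Generator;
            proxy_hide_header Via;
            proxy_hide_header Alt-Svc;                    # would advertise clearnet endpoints
            proxy_hide_header Strict-Transport-Security;  # meaningless over http://*.onion
            proxy_hide_header Public-Key-Pins;

            # Rewrite absolute redirects naming the backend so clients stay on the .onion
            proxy_redirect http://192.0.2.10/ /;
            proxy_redirect http://192.0.2.10:80/ /;
        }
    }
}
```

Mount it read-only over /etc/nginx/nginx.conf as in the run commands below and check it with `nginx -t` inside the container before relying on it. Two limits worth knowing: `server_tokens off` only removes the version, so removing the `Server` header entirely needs the third-party headers-more module (`more_clear_headers`), and nothing here rewrites absolute clearnet URLs inside response bodies; if the backend emits those, `sub_filter` is the place to handle them.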

Deploying from Docker Hub

You can run this container directly from Docker Hub with a command like:

docker run --cap-drop=all --name onion -v ~/nginx.conf:/etc/nginx/nginx.conf:ro -v ~/hiddenservice:/opt/onion/hiddenservice -d ajhaydock/onion

(In the above example, your nginx.conf would be located at ~/nginx.conf, and your hidden service directory at ~/hiddenservice/. Note the colon separating the host path from the container path in each -v argument.)

If you reuse this, you will almost certainly want to mount your own version of nginx.conf into the container, as in the above example (mine points to a local IP and your target is presumably different).

Mounting the hiddenservice/ directory is optional, but you will want to do this if you have a custom .onion URL, or you do not want a new URL every time the container is run.

If you do not mount a hiddenservice/ dir with a custom .onion URL, you can check the .onion URL of a running container with:

docker exec -it onion cat /opt/onion/hiddenservice/hostname

Manually Building

You can build this container directly by entering the directory containing the Dockerfile you want to build an image for, and using a command like:

docker build -t onion .

You can then run this container with a command like:

docker run --cap-drop=all --name onion -v ~/nginx.conf:/etc/nginx/nginx.conf:ro -v ~/hiddenservice:/opt/onion/hiddenservice -d onion

(As before, your nginx.conf would be located at ~/nginx.conf and your hidden service directory at ~/hiddenservice/; for a user named lab that is /home/lab/nginx.conf and /home/lab/hiddenservice/, the paths used in the SELinux section below.)

Auto-Starting with systemd

You can find an example systemd service to auto-start the hidden service container within this repo.

The service should be tweaked to your liking, and then copied to the appropriate location and enabled as follows:

sudo cp -f -v onion.service /etc/systemd/system/onion.service
sudo systemctl daemon-reload
sudo systemctl enable onion.service && sudo systemctl start onion.service

SELinux & Permissions

If you are running an SELinux-enabled host (recommended!), you might run into issues with the container not being able to read or write the directories you mount into it (particularly directories inside user home directories), because the files carry a label the container policy does not allow.

Change the SELinux context of your file/directory to allow the container to access it as follows:

sudo chcon -Rt svirt_sandbox_file_t /home/lab/nginx.conf
sudo chcon -Rt svirt_sandbox_file_t /home/lab/hiddenservice

(svirt_sandbox_file_t is the older name for what current container-selinux policy calls container_file_t; the alias still works. A chcon label does not survive a filesystem relabel, so an alternative is to append :Z to each -v mount, e.g. -v ~/hiddenservice:/opt/onion/hiddenservice:Z, which makes Docker apply the container label itself every time the container starts.)

Additionally, make sure the config files and directories you mount into this container as volumes are owned by the same UID that the nginx user runs as inside the container (666 in this image); otherwise the unprivileged processes in the container cannot read them, and Tor refuses a HiddenServiceDir that is not owned by the user it runs as. You can do this with:

sudo chown -R 666 ~/nginx.conf
sudo chown -R 666 ~/hiddenservice

Tor will also complain (and abruptly exit) if permissions on the hiddenservice/ directory are too permissive, since that directory holds the service's private key. Fix with:

sudo chmod -R 700 ~/hiddenservice
Owner
ajhaydock