Template for serving through an .onion address with Docker


(Romeo Papa) #1

Hi there, I’ve submitted a pull request to discourse_docker.

It creates a new onion.conf file in the nginx config folder. The new onion.conf is created by copying nginx.sample.conf and editing that copy.

This new config file creates another site on nginx’s port 80, that listens to requests made to the specified .onion address.

The template checks that a DISCOURSE_ONION ENV variable is defined.
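
The following is an added example, not the pull request's own template code: a POSIX shell function that does what the post describes, copying an nginx sample config into an onion site block with `server_name` pointed at the `.onion` host, and refusing to run when `DISCOURSE_ONION` is unset. The sample config, the placeholder `.onion` name and the character check on the value are assumptions made here; it also assumes the sample block already listens on port 80, since the onion site is plain HTTP.

```shell
#!/bin/sh
# Added example (not the discourse_docker template): build onion.conf from a
# sample nginx config by pointing server_name at the .onion host.
# Assumes the sample server block already listens on port 80.
set -eu

# Write the onion site config to stdout. Fails when DISCOURSE_ONION is unset,
# contains characters that are not valid in an onion name (which would also
# break the sed substitution and the nginx config), does not end in .onion,
# or when the sample has no server_name line to replace.
make_onion_conf() {
  sample="$1"
  onion="${DISCOURSE_ONION:-}"
  case "$onion" in
    "")             echo "DISCOURSE_ONION is not set; not creating onion.conf" >&2; return 1 ;;
    *[!A-Za-z2-7.]*) echo "DISCOURSE_ONION contains characters outside A-Za-z, 2-7 and '.'" >&2; return 1 ;;
    *.onion)        ;;
    *)              echo "DISCOURSE_ONION must end in .onion" >&2; return 1 ;;
  esac
  grep -q '^[[:space:]]*server_name[[:space:]]' "$sample" || {
    echo "no server_name directive in $sample" >&2; return 1; }
  # Replace the whole server_name directive, keeping its indentation.
  sed -e "s/^\([[:space:]]*server_name\)[[:space:]].*;/\1 $onion;/" "$sample"
}

# Demo on a constructed sample config (placeholder names, not a real site).
tmp="$(mktemp -d)"
cat > "$tmp/nginx.sample.conf" <<'EOF'
server {
  listen 80;
  server_name forum.example.com;
  location / { proxy_pass http://discourse; }
}
EOF
DISCOURSE_ONION=placeholderonionaddress.onion make_onion_conf "$tmp/nginx.sample.conf" > "$tmp/onion.conf"
cat "$tmp/onion.conf"
rm -r "$tmp"
```

The generated block is a second `server` on port 80 that only answers for the `.onion` name, so the existing clearnet site block is left untouched; the character check matters because the value is spliced into a config file that nginx will parse.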


(Kane York) #2

Will this actually serve on Tor out of the box? I find that dubious, don’t you have to start up a tor daemon as well?

Adding Tor support is a good goal, but I’d prefer it be done properly. For example: is there a standard way to advertise that a site is available over Tor as well?

Also note that the “normal” Tor result of dissociative sessions is not useful for Discourse - but hiding the identity of the site you’re connecting to is more of a useful case here.


(Romeo Papa) #3

No this won’t serve Tor out of the box. It just modifies Docker’s NGinx’s configuration to listen for requests made out to a .onion address.


Yes that is correct. For people who are not familiar with hosting on Tor: you’ll need to manually install a tor daemon on the host or in another container, and modify the location-hidden services section of the ‘torrc’ file so it will serve port 80. Then you need to restart your tor daemon, go to the HiddenServiceDir (as configured in torrc) and look up the value of the hostname file; this will be the onion address you’ll be serving.


This is just the bare minimum for getting Discourse in a Docker to answer to requests made through Tor. Since I didn’t see any mentions of ‘Discourse’ AND (‘Tor’ OR ‘onion’) online this thread is probably the first publicly available case involving Discourse and Tor.

Bear in mind this currently only affects Docker, but you are right: a few modifications could be done to Discourse. In case you want to turn this into a supported feature:

  • Mention in the security settings that the force HTTPS would only work on pages not served on the .onion address. Give an option to discard the Force HTTPs option for pages served through an onion (when serving both through HTTPS 443 and HTTP+TOR 80).
  • Give an option to disable ‘Social logging’ when served through the onion. And perhaps a notice on the log-in that when served through onions, social log-ins don’t work.
  • As you mentioned: advertising that this Discourse site is also available through an alternative onion URL. (This would be in a scenario where you’re hosting Especially if you detect the visitor is coming in through a Tor exit node.
  • When sending mails for account sign-up, send a link with the onion URL if the account signup has been done over the onion URL.

Some clarifications for people not familiar with Tor: Any Discourse site publicly available online (that is not specifically blocking traffic coming from Tor exit nodes) is also available to visitors using Tor. But these visitors will have to use an exit-node to get to your site. Serving Discourse through a Tor hidden-location service (an .onion address) means visitors from Tor won’t need to use exit-nodes to reach your site.

There are going to be different setups also: A Discourse site could be reachable only through Tor on an onion address. Or it could be reachable over standard HTTPs and HTTP over Tor. The current set-up we have is the discourse site available both through standard HTTPs and a Tor onion. As such we’ve only checked that the sign-up and login works and that all Discourse elements are served through the .onion domain. We have not checked further for any identity leakage on the server side. Our Discourse site is not secret; it’s just also available directly through Tor.


Sorry, I don’t understand your last statement. Are you talking about how the Tor Browser handles cookies? That is: One ‘identity’ (one set of cookies) for each domain if I remember correctly, compared to one identity (one set of cookies) for all domains on standard browsers. Or are you talking about sessions on the server side? In all cases it *seems* to work fine (sign-up, login, replying).

Thanks for your feedback @riking !
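
The torrc steps in the post above, as an added example that is not part of the thread or of discourse_docker: one function appends the hidden-service block (`HiddenServiceDir` and `HiddenServicePort` are the real torrc directives; the directory and the `127.0.0.1:80` target are placeholders chosen here), and another reads back the `hostname` file that tor writes into the service directory after it is restarted. The demo runs against a temporary directory with a constructed hostname value, not a real onion address.

```shell
#!/bin/sh
# Added example, not from the thread: configure a torrc hidden service that
# forwards virtual port 80 to the nginx onion site, then read the hostname
# tor generates. All paths and the target address are placeholders.
set -eu

# Append a HiddenServiceDir/HiddenServicePort pair to torrc unless that
# directory is already configured, so the script can be re-run safely.
add_hidden_service() {
  torrc="$1"; hs_dir="$2"; target="$3"   # target e.g. 127.0.0.1:80
  if grep -qxF "HiddenServiceDir $hs_dir" "$torrc" 2>/dev/null; then
    return 0
  fi
  printf '\n# Discourse onion site (added)\nHiddenServiceDir %s\nHiddenServicePort 80 %s\n' \
    "$hs_dir" "$target" >> "$torrc"
}

# Print the .onion hostname tor wrote into the service directory. The file
# only exists after tor has been restarted with the new torrc, so a missing
# file is reported as "restart tor and retry" rather than treated as empty.
onion_hostname() {
  hs_dir="$1"
  if [ ! -r "$hs_dir/hostname" ]; then
    echo "no hostname yet in $hs_dir; restart tor and retry" >&2
    return 1
  fi
  tr -d '[:space:]' < "$hs_dir/hostname"
}

# Demo in a temporary directory with a constructed hostname (not a real onion).
# On a real host the directory must be owned by the tor user with mode 0700,
# and tor is restarted between add_hidden_service and onion_hostname.
tmp="$(mktemp -d)"
: > "$tmp/torrc"
add_hidden_service "$tmp/torrc" "$tmp/discourse" 127.0.0.1:80
add_hidden_service "$tmp/torrc" "$tmp/discourse" 127.0.0.1:80   # no duplicate
cat "$tmp/torrc"
mkdir -p "$tmp/discourse" && chmod 700 "$tmp/discourse"
echo 'constructedonionaddress.onion' > "$tmp/discourse/hostname"
echo "DISCOURSE_ONION=$(onion_hostname "$tmp/discourse")"
rm -r "$tmp"
```

The value printed last is what the nginx onion template expects in `DISCOURSE_ONION`; keeping the hidden-service directory private matters because it also holds the service's private key, which is what makes the onion address yours.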


(Romeo Papa) #4

Thinking about it, the most standard way would probably be writing it in the “Welcome to Discourse” pinned topic.

However the interesting thing would be to give a more visible notice to visitors coming from an exit node (or even redirect them directly to the onion site).

There is a method in place to detect if a visitor is using the IP of an exit node:
https://www.torproject.org/projects/tordnsel.html.en
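
As an added example (not from the thread), here is how the TorDNSEL lookup linked above can be wired into a "you could also use our onion site" notice. The assumption made here, to be verified against that page, is the DNS interface's query form: the visitor's IPv4 octets reversed under `dnsel.torproject.org`, with an answer of `127.0.0.2` meaning the address is a known exit. Building the query name and interpreting the answer are kept separate from the one network step so the logic can be checked offline.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a visitor's IPv4 address
# is a Tor exit via the TorDNSEL DNS interface, to show them a notice about
# the onion site. Query format is an assumption; see the project page.
set -eu

# Build the DNSEL query name: octets reversed, then the zone. Prints nothing
# for input that is not a dotted quad, so callers can treat it as "unknown".
dnsel_query_name() {
  echo "$1" | awk -F. 'NF == 4 { print $4 "." $3 "." $2 "." $1 ".dnsel.torproject.org" }'
}

# Interpret a DNSEL answer: 127.0.0.2 means "is an exit"; an empty answer
# (NXDOMAIN) or anything else means "not known to be an exit".
dnsel_is_exit() {
  [ "${1:-}" = "127.0.0.2" ]
}

# The only network step: resolve the name with dig or host, printing the
# first A record or nothing. Not exercised in the demo below.
dnsel_lookup() {
  name="$(dnsel_query_name "$1")"
  [ -n "$name" ] || return 0
  if command -v dig >/dev/null 2>&1; then
    dig +short A "$name" 2>/dev/null | head -n 1
  elif command -v host >/dev/null 2>&1; then
    host -t A "$name" 2>/dev/null | awk '/has address/ { print $NF; exit }'
  else
    echo "neither dig nor host is available" >&2; return 1
  fi
}

# Demo with constructed answers (no DNS traffic): what a request handler
# would do once it has the answer for the visitor's address.
for answer in 127.0.0.2 "" 127.0.0.1; do
  if dnsel_is_exit "$answer"; then
    echo "answer '$answer': show notice that the site is also reachable at its .onion address"
  else
    echo "answer '$answer': no notice"
  fi
done
```

A notice is the safer choice over an automatic redirect: an exit-list answer is a point-in-time statement, and a visitor behind a shared address should not be bounced onto a different origin without being told why. On a real deployment the lookup would be cached per address, since it is one DNS query per new visitor.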


(Kane York) #5

I was thinking more along the lines of a <link rel=alternate> or an Alt-Svc: onion:8fd8279... HTTP header… something usable by the TBB.


(Romeo Papa) #6

[quote=“riking, post:2, topic:41536”]is there a standard way to advertise that a site is available over Tor as well?
[/quote]

Hi,

The only mention of any sort of advertising of this kind is this thread from 2013 with no replies:
https://lists.torproject.org/pipermail/tor-dev/2013-September/005436.html

So it seems that no, there isn’t a standard way to advertise that a site is available over Tor.


(internet) #7

This is excellent, thanks! Any chance you have pointers on resources that could walk us through the full process of setting up Tor hidden services for Discourse?