No, this won’t serve Tor out of the box. It just modifies Docker’s Nginx configuration to listen for requests made out to a .onion address.
Yes, that is correct. For people who are not familiar with hosting on Tor: you’ll need to manually install a tor daemon on the host or in another container, and modify the location-hidden services section of the ‘torrc’ file so it will serve port 80. Then you need to restart your tor daemon, go to the HiddenServiceDir (as configured in torrc) and look up the value of the hostname file; this will be the onion address you’ll be serving.
This is just the bare minimum for getting Discourse in a Docker to answer to requests made through Tor. Since I didn’t see any mentions of ‘Discourse’ AND (‘Tor’ OR ‘onion’) online, this thread is probably the first publicly available case involving Discourse and Tor.
Bear in mind this currently only affects Docker, but you are right: a few modifications could be done to Discourse. In case you want to turn this into a supported feature:
- Mention in the security settings that the force HTTPS would only work on pages not served on the .onion address. Give an option to discard the Force HTTPS option for pages served through an onion (when serving both through HTTPS 443 and HTTP+TOR 80).
- Give an option to disable ‘Social logging’ when served through the onion. And perhaps a notice on the log-in that when served through onions, social log-ins don’t work.
- As you mentioned: advertising that this Discourse site is also available through an alternative onion URL. (This would be in a scenario where you’re hosting Especially if you detect the visitor is coming in through a Tor exit node.
- When sending mails for account sign-up, send a link with the onion URL if the account signup has been done over the onion URL.
Some clarifications for people not familiar with Tor: Any Discourse site publicly available online (that is not specifically blocking traffic coming from Tor exit nodes) is also available to visitors using Tor. But these visitors will have to use an exit node to get to your site. Serving Discourse through a Tor hidden-location service (an .onion address) means visitors from Tor won’t need to use exit nodes to reach your site.
There are going to be different setups also: A Discourse site could be reachable only through Tor on an onion address. Or it could be reachable over standard HTTPS and HTTP over Tor. The current set-up we have is the Discourse site available both through standard HTTPS and a Tor onion. As such, we’ve only checked that the sign-up and login work and that all Discourse elements are served through the .onion domain. We have not checked further for any identity leakage on the server side. Our Discourse site is not secret; it’s just also available directly through Tor.
Sorry, I don’t understand your last statement. Are you talking about how the Tor Browser handles cookies? That is: one ‘identity’ (one set of cookies) for each domain, if I remember correctly, compared to one identity (one set of cookies) for all domains on standard browsers. Or are you talking about sessions on the server side? In all cases it *seems* to work fine (sign-up, login, replying).
Thanks for your feedback @riking !
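
The check mentioned in the post, that every page element is served through the .onion domain, can be automated. The following is an added example, not part of the original post or of Discourse: it lists references in a page fetched over the onion that point to any other host. The onion hostname, `forum.example.org` and the sample HTML are constructed placeholders, and `off_onion_refs` is a hypothetical helper name.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make a browser fetch or navigate to a URL.
URL_ATTRS = {"src", "href", "action", "poster", "data-src"}

class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, attribute, raw value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.refs.append((tag, name, value.strip()))

def off_onion_refs(html, page_url):
    """Return sorted (tag, attr, absolute_url) for references leaving the onion host."""
    onion_host = urlsplit(page_url).hostname
    parser = _RefCollector()
    parser.feed(html)
    leaks = set()
    for tag, attr, raw in parser.refs:
        absolute = urljoin(page_url, raw)  # resolves relative and //host forms
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https"):
            continue  # data:, mailto: and similar never hit the network as HTTP
        if parts.hostname != onion_host:
            leaks.add((tag, attr, absolute))
    return sorted(leaks)

# Constructed sample: a page served over the onion that still embeds clearnet URLs.
SAMPLE_PAGE_URL = "http://exampleonionplaceholder.onion/latest"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/stylesheets/desktop.css">
<script src="//forum.example.org/assets/app.js"></script>
</head><body>
<img src="https://forum.example.org/uploads/logo.png">
<a href="/t/welcome/1">Welcome</a>
<a href="http://exampleonionplaceholder.onion/login">Log in</a>
<form action="https://forum.example.org/session" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in off_onion_refs(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{tag}[{attr}] -> {url}")
```

Each reported reference is one a Tor visitor's browser would resolve through an exit node rather than through the hidden service, so an empty result is the target for a site served on both addresses.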