Traefik & Tor hidden services


I have Traefik happily working with numerous services in docker containers and have become curious about also making some of them available for Tor users as onion hidden services.

On a different server using nginx instead of Traefik, I was able to make it work this way: PrivateBin

In the above scenario, a user that browses to via Tor Browser will see the purple ".onion available" banner, clicking it has the corresponding (http://) onion hidden service load.

I've not had any luck in figuring out how to accomplish the same with Traefik. I've seen some guides (Shivering-Isles Onion Service), but they were for older versions of Traefik. Looking at their guide and the current Traefik documentation on headers (Headers - Traefik), I thought something like:

  • "traefik.http.middlewares..headers.customResponseHeaders=alt-svc:h2=:443; ma=2592000"

Might be appropriate, but I get an error in the Traefik log warning that this middleware can't be standalone.

I'm hoping that somebody might have experience with this and be able to point me in the right direction. Thanks in advance for any help!

You might need something like this to add the correct header to your router:

          Onion-Location: "http://tpgzjkhxywpv4qjajqsitx4ywmtdrphjt3crbncfhelsyhfd6sr3w7yd.onion"

Then you have to apply this middleware to a router like this:

      rule: "Host(``) || Host(`tpgzjkhxywpv4qjajqsitx4ywmtdrphjt3crbncfhelsyhfd6sr3w7yd.onion`)"
      service: service-foo
      - onionHeaders

With this, every user that goes to either or tpgzjkhxywpv4qjajqsitx4ywmtdrphjt3crbncfhelsyhfd6sr3w7yd.onion should have the Onion-Location header thus making it ".onion available".



Thank you so much for taking the time. I'm not too sure how to implement this with my setup though.

Let's say I'm running a service via docker-compose file with Traefik labels:

      - "traefik.enable=true"
      - "traefik.http.routers.somewebsite.entrypoints=http"
      - "traefik.http.routers.somewebsite.rule=Host(``)"
      - "traefik.http.middlewares.somewebsite-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.somewebsite.middlewares=somewebsite-https-redirect"
      - "traefik.http.routers.somewebsite-secure.entrypoints=https"
      - "traefik.http.routers.somewebsite-secure.rule=Host(``)"
      - "traefik.http.routers.somewebsite-secure.tls=true"
      - "traefik.http.routers.somewebsite-secure.service=somewebsite"
      - ""
      - ""

How would I format the middleware configuration you mentioned? How can I make sure that the http-to-https redirect is not applied when the onion address is entered?