Traefik & Tor hidden services

Hello,

I have Traefik happily working with numerous services in docker containers and have become curious about also making some of them available for Tor users as onion hidden services.

On a different server using nginx instead of Traefik, I was able to make it work this way: PrivateBin

In the above scenario, a user that browses to example.com via Tor Browser will see the purple ".onion available" banner; clicking it has the corresponding (http://) onion hidden service load.

I've not had any luck in figuring out how to accomplish the same with Traefik. I've seen some guides (Shivering-Isles Onion Service), but they were for older versions of Traefik. Looking at their guide and the current Traefik documentation on headers (Headers - Traefik), I thought something like:

    - "traefik.http.middlewares..headers.customResponseHeaders=alt-svc:h2=:443; ma=2592000"

Might be appropriate, but I get an error in the Traefik log warning that this middleware can't be standalone.

I'm hoping that somebody might have experience with this and be able to point me in the right direction. Thanks in advance for any help!

You might need something like this to add the correct header to your router:

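    http:
      middlewares:
        onionHeaders:
          headers:
            # Onion-Location is read by the browser, so it has to be set on the
            # response (customResponseHeaders), not on the request to the backend.
            customResponseHeaders:
              Onion-Location: "http://tpgzjkhxywpv4qjajqsitx4ywmtdrphjt3crbncfhelsyhfd6sr3w7yd.onion"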

Then you have to apply this middleware to a router like this:

    http:
      routers:
        my-router:
          rule: "Host(`example.com`) || Host(`tpgzjkhxywpv4qjajqsitx4ywmtdrphjt3crbncfhelsyhfd6sr3w7yd.onion`)"
          service: service-foo
          middlewares:
            - onionHeaders

With this, every user that goes to either example.com or tpgzjkhxywpv4qjajqsitx4ywmtdrphjt3crbncfhelsyhfd6sr3w7yd.onion should have the Onion-Location header, thus making it ".onion available".

WDYT?

Hello,

Thank you so much for taking the time. I'm not too sure how to implement this with my setup though.

Let's say I'm running a service via docker-compose file with Traefik labels:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.somewebsite.entrypoints=http"
      - "traefik.http.routers.somewebsite.rule=Host(`somewebsite.com`)"
      - "traefik.http.middlewares.somewebsite-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.somewebsite.middlewares=somewebsite-https-redirect"
      - "traefik.http.routers.somewebsite-secure.entrypoints=https"
      - "traefik.http.routers.somewebsite-secure.rule=Host(`somewebsite.com`)"
      - "traefik.http.routers.somewebsite-secure.tls=true"
      - "traefik.http.routers.somewebsite-secure.service=somewebsite"
      - "traefik.http.services.somewebsite.loadbalancer.server.port=2338"
      - "traefik.docker.network=traefik"

How would I format the middleware configuration you mentioned? How can I make sure that the http-to-https redirect is not applied when the onion address is entered?
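
One way to express the headers middleware as Docker labels and keep the redirect away from the onion host (an added example, not posted by anyone in this thread). It assumes the Tor daemon forwards the hidden service's port 80 to Traefik's `http` entrypoint; `<your-onion-address>` is a placeholder and the router/middleware names `somewebsite-onion` are hypothetical.

```yaml
    labels:
      - "traefik.enable=true"
      # Clearnet HTTP: the redirect middleware is attached only to this router,
      # whose rule matches somewebsite.com and nothing else.
      - "traefik.http.routers.somewebsite.entrypoints=http"
      - "traefik.http.routers.somewebsite.rule=Host(`somewebsite.com`)"
      - "traefik.http.middlewares.somewebsite-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.somewebsite.middlewares=somewebsite-https-redirect"
      # Headers middleware: advertise the onion service in a *response* header.
      # Tor Browser only honours Onion-Location on pages served over HTTPS,
      # so it is attached to the TLS router below.
      - "traefik.http.middlewares.somewebsite-onion.headers.customresponseheaders.Onion-Location=http://<your-onion-address>.onion"
      # Clearnet HTTPS
      - "traefik.http.routers.somewebsite-secure.entrypoints=https"
      - "traefik.http.routers.somewebsite-secure.rule=Host(`somewebsite.com`)"
      - "traefik.http.routers.somewebsite-secure.tls=true"
      - "traefik.http.routers.somewebsite-secure.middlewares=somewebsite-onion"
      - "traefik.http.routers.somewebsite-secure.service=somewebsite"
      # Onion host: separate plain-HTTP router with no middlewares, so requests
      # for the .onion name are never redirected to https.
      - "traefik.http.routers.somewebsite-onion.entrypoints=http"
      - "traefik.http.routers.somewebsite-onion.rule=Host(`<your-onion-address>.onion`)"
      - "traefik.http.routers.somewebsite-onion.service=somewebsite"
      - "traefik.http.services.somewebsite.loadbalancer.server.port=2338"
      - "traefik.docker.network=traefik"
```

A middleware defined in labels does nothing until a router references it, which is why each middleware above is paired with a `routers.<name>.middlewares=` label.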