Nextcloud snap hidden service in addition to HTTPS

Nextcloud version: 27.1.6snap1
Operating system and version: Ubuntu 22.04.4 LTS aarch

The issue you are facing:
I’m trying to set up a hidden service (npo5jcqpsjgl4vpovjwg6eakwoka5xc2bobgtnqmawkexh7p6ypjcvid.onion) in addition to my nextcloud instance being reachable via HTTPS (https://wauzicloud.de). However, the onion link receives a 301, which can’t be resolved:

$ wget npo5jcqpsjgl4vpovjwg6eakwoka5xc2bobgtnqmawkexh7p6ypjcvid.onion
--2024-02-26 16:33:38--  http://npo5jcqpsjgl4vpovjwg6eakwoka5xc2bobgtnqmawkexh7p6ypjcvid.onion/
Resolving npo5jcqpsjgl4vpovjwg6eakwoka5xc2bobgtnqmawkexh7p6ypjcvid.onion (npo5jcqpsjgl4vpovjwg6eakwoka5xc2bobgtnqmawkexh7p6ypjcvid.onion)... 127.42.42.0
Connecting to npo5jcqpsjgl4vpovjwg6eakwoka5xc2bobgtnqmawkexh7p6ypjcvid.onion (npo5jcqpsjgl4vpovjwg6eakwoka5xc2bobgtnqmawkexh7p6ypjcvid.onion)|127.42.42.0|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://npo5jcqpsjgl4vpovjwg6eakwoka5xc2bobgtnqmawkexh7p6ypjcvid.onion:443/ [following]
--2024-02-26 16:33:47--  https://npo5jcqpsjgl4vpovjwg6eakwoka5xc2bobgtnqmawkexh7p6ypjcvid.onion/
Connecting to npo5jcqpsjgl4vpovjwg6eakwoka5xc2bobgtnqmawkexh7p6ypjcvid.onion (npo5jcqpsjgl4vpovjwg6eakwoka5xc2bobgtnqmawkexh7p6ypjcvid.onion)|127.42.42.0|:443... 1708961627 ERROR torsocks[10328]: Connection refused to Tor SOCKS (in socks5_recv_connect_reply() at socks5.c:543)
failed: Connection refused.
Resolving npo5jcqpsjgl4vpovjwg6eakwoka5xc2bobgtnqmawkexh7p6ypjcvid.onion (npo5jcqpsjgl4vpovjwg6eakwoka5xc2bobgtnqmawkexh7p6ypjcvid.onion)... 127.42.42.0
Connecting to npo5jcqpsjgl4vpovjwg6eakwoka5xc2bobgtnqmawkexh7p6ypjcvid.onion (npo5jcqpsjgl4vpovjwg6eakwoka5xc2bobgtnqmawkexh7p6ypjcvid.onion)|127.42.42.0|:443... 1708961628 ERROR torsocks[10328]: Connection refused to Tor SOCKS (in socks5_recv_connect_reply() at socks5.c:543)
failed: Connection refused.

So how can I disable the HTTPS redirect for the onion link within the nextcloud version, installed via snap?
I’ve already seen this other post and pretty much followed the instructions, as well as possible, though they are for the docker version.

Is this the first time you’ve seen this error?: Yes

Steps to replicate it:

  1. Install and set up nextcloud via snap, including activating HTTPS (sudo nextcloud.enable-https lets-encrypt)
  2. Install tor (sudo apt install tor) and verify the installation
  3. Optional (doesn’t change the non-functioning): Change the HTTP port to 8080 (sudo snap set nextcloud ports.http=8080)
  4. Configure the tor hidden service (sudo vim /etc/tor/torrc and uncomment HiddenServiceDir /var/lib/tor/hidden_service/ and HiddenServicePort 80 127.0.0.1:8080 (or 80 in the end, if the port wasn’t reconfigured))
  5. Restart tor (sudo systemctl restart tor)
  6. Obtain the hidden service hostname (sudo cat /var/lib/tor/hidden_service/hostname)
  7. Add the hostname to the config (sudo vim /var/snap/nextcloud/current/nextcloud/config/config.php, add to trusted_domains)
  8. Optional (doesn’t change the non-functioning): Restart the nextcloud (sudo snap stop nextcloud, sudo snap start nextcloud)

The output of your Nextcloud log in Admin > Logging: Nothing in the relevant time frame

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/snap/nextcloud/current/htdocs/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/snap/nextcloud/current/nextcloud/extra-apps',
      'url' => '/extra-apps',
      'writable' => true,
    ),
  ),
  'supportedDatabases' => 
  array (
    0 => 'mysql',
  ),
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => '/tmp/sockets/redis.sock',
    'port' => 0,
  ),
  'log_type' => 'file',
  'logfile' => '/var/snap/nextcloud/current/logs/nextcloud.log',
  'logfilemode' => 416,
  'instanceid' => 'xxx',
  'passwordsalt' => 'xxx',
  'secret' => 'xxx',
  'trusted_domains' => 
  array (
    0 => 'wauzicloud.de',
    1 => 'npo5jcqpsjgl4vpovjwg6eakwoka5xc2bobgtnqmawkexh7p6ypjcvid.onion',
  ),
  'datadirectory' => '/media/nextcloud-sd/data',
  'dbtype' => 'mysql',
  'version' => '27.1.6.2',
  'overwrite.cli.url' => 'http://192.168.178.141',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/tmp/sockets/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'xxx',
  'dbpassword' => 'xxx',
  'installed' => true,
  'maintenance' => false,
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'ssl',
  'mail_sendmailmode' => 'smtp',
  'mail_from_address' => 'xxx',
  'mail_domain' => 'xxx',
  'mail_smtphost' => 'xxx',
  'mail_smtpport' => '465',
  'mail_smtpauth' => 1,
  'mail_smtpname' => 'xxx',
  'mail_smtppassword' => 'xxx',
);

The output of your Apache/nginx/system log in /var/log/____: Doesn’t exist

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary: Also doesn’t exist

Maybe the tor log (sudo journalctl -u tor@default) is also interesting:

Feb 26 16:28:18 orangepi3-lts systemd[1]: Starting Anonymizing overlay network for TCP...
Feb 26 16:28:18 orangepi3-lts tor[667861]: Feb 26 16:28:18.849 [notice] Tor 0.4.6.10 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.2,>
Feb 26 16:28:18 orangepi3-lts tor[667861]: Feb 26 16:28:18.849 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://s>
Feb 26 16:28:18 orangepi3-lts tor[667861]: Feb 26 16:28:18.849 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Feb 26 16:28:18 orangepi3-lts tor[667861]: Feb 26 16:28:18.849 [notice] Read configuration file "/etc/tor/torrc".
Feb 26 16:28:18 orangepi3-lts tor[667861]: Configuration was valid
Feb 26 16:28:18 orangepi3-lts tor[667862]: Feb 26 16:28:18.953 [notice] Tor 0.4.6.10 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.2,>
Feb 26 16:28:18 orangepi3-lts tor[667862]: Feb 26 16:28:18.953 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://s>
Feb 26 16:28:18 orangepi3-lts tor[667862]: Feb 26 16:28:18.953 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Feb 26 16:28:18 orangepi3-lts tor[667862]: Feb 26 16:28:18.954 [notice] Read configuration file "/etc/tor/torrc".
Feb 26 16:28:18 orangepi3-lts tor[667862]: Feb 26 16:28:18.960 [notice] Opening Socks listener on 127.0.0.1:9050
Feb 26 16:28:18 orangepi3-lts tor[667862]: Feb 26 16:28:18.960 [notice] Opened Socks listener connection (ready) on 127.0.0.1:9050
Feb 26 16:28:18 orangepi3-lts Tor[667862]: We compiled with OpenSSL 30000020: OpenSSL 3.0.2 15 Mar 2022 and we are running with OpenSSL 30000020:>
Feb 26 16:28:18 orangepi3-lts Tor[667862]: Tor 0.4.6.10 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.2, Zlib 1.2.11, Liblzma 5.2.5, >
Feb 26 16:28:18 orangepi3-lts Tor[667862]: Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/sta>
Feb 26 16:28:18 orangepi3-lts Tor[667862]: Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Feb 26 16:28:18 orangepi3-lts Tor[667862]: Read configuration file "/etc/tor/torrc".
Feb 26 16:28:18 orangepi3-lts Tor[667862]: Opening Socks listener on 127.0.0.1:9050
Feb 26 16:28:18 orangepi3-lts Tor[667862]: Opened Socks listener connection (ready) on 127.0.0.1:9050
Feb 26 16:28:19 orangepi3-lts Tor[667862]: Bootstrapped 0% (starting): Starting
Feb 26 16:28:20 orangepi3-lts Tor[667862]: Starting with guard context "default"
Feb 26 16:28:20 orangepi3-lts Tor[667862]: Signaled readiness to systemd
Feb 26 16:28:20 orangepi3-lts systemd[1]: Started Anonymizing overlay network for TCP.
Feb 26 16:28:20 orangepi3-lts Tor[667862]: Bootstrapped 5% (conn): Connecting to a relay
Feb 26 16:28:21 orangepi3-lts Tor[667862]: Opening Socks listener on /run/tor/socks
Feb 26 16:28:21 orangepi3-lts Tor[667862]: Opened Socks listener connection (ready) on /run/tor/socks
Feb 26 16:28:21 orangepi3-lts Tor[667862]: Opening Control listener on /run/tor/control
Feb 26 16:28:21 orangepi3-lts Tor[667862]: Opened Control listener connection (ready) on /run/tor/control
Feb 26 16:28:21 orangepi3-lts Tor[667862]: Bootstrapped 10% (conn_done): Connected to a relay
Feb 26 16:28:21 orangepi3-lts Tor[667862]: Bootstrapped 14% (handshake): Handshaking with a relay
Feb 26 16:28:21 orangepi3-lts Tor[667862]: Bootstrapped 15% (handshake_done): Handshake with a relay done
Feb 26 16:28:21 orangepi3-lts Tor[667862]: Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
Feb 26 16:28:21 orangepi3-lts Tor[667862]: Bootstrapped 90% (ap_handshake_done): Handshake finished with a relay to build circuits
Feb 26 16:28:21 orangepi3-lts Tor[667862]: Bootstrapped 95% (circuit_create): Establishing a Tor circuit
Feb 26 16:28:21 orangepi3-lts Tor[667862]: Bootstrapped 100% (done): Done

Port 80 is already in use by the snap package. Port 80 is the default HTTP port, so you will have to change this to another port to set up the other service to listen on 80. However, you will then have to port forward from port 80 to the new port you bind your Nextcloud SNAP to, or use a DNS hook for Let's Encrypt, or the certbot auto-renewal will not work, as it uses port 80 AND port 443. An alternative is a reverse proxy for proxying to the different services based on hostname.

Setting up a proxy with nginx worked, thanks! I’ve changed nextcloud snap to https only, set up https with certbot in nginx, changed the http port of nextcloud to 81, adjusted the location in nginx for the normal url, created another configuration for the hidden service (with default_server and server_name _, as in the default configuration), which also passes to http://127.0.0.1:81.
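
A sketch of the proxy layout described in this reply, added here as an example and not the poster's actual configuration. It assumes the snap answers plain HTTP on 127.0.0.1:81 without its own HTTPS redirect, uses the standard certbot certificate paths, and binds the onion listener to loopback on a hypothetical port 8081 (instead of a default_server on port 80) so the unencrypted site is not exposed on the network interfaces:

```nginx
# Added example: fragment for the http {} context (e.g. a file in conf.d/).
# Assumed torrc counterpart (port 8081 is hypothetical):
#   HiddenServicePort 80 127.0.0.1:8081
# Assumed config.php additions: 'trusted_proxies' => ['127.0.0.1'], so that
# Nextcloud honours the X-Forwarded-* headers below. 'overwriteprotocol'
# must stay unset, or onion visitors would be sent https:// links again.

# Clearnet, port 80: redirect to HTTPS for the public name only.
server {
    listen 80;
    server_name wauzicloud.de;
    return 301 https://$host$request_uri;
}

# Clearnet, port 443: TLS terminates in nginx, plain HTTP to the snap.
server {
    listen 443 ssl;
    server_name wauzicloud.de;

    ssl_certificate     /etc/letsencrypt/live/wauzicloud.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wauzicloud.de/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Onion: tor delivers the traffic locally, so no TLS and no redirect.
# Listening on 127.0.0.1 keeps this plaintext vhost off the LAN/WAN.
server {
    listen 127.0.0.1:8081;
    server_name npo5jcqpsjgl4vpovjwg6eakwoka5xc2bobgtnqmawkexh7p6ypjcvid.onion;

    location / {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto http;
        # No client address is forwarded: tor connections arrive from loopback.
    }
}
```

Because the 301 is issued only in the wauzicloud.de block, a request arriving with the .onion Host header is never sent to port 443, which is the failure shown in the wget output of the first post.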
