Running Nextcloud as a hidden service (Tor)

I would like to be able to run Nextcloud as a Tor hidden service, but even when you list the .onion address as a “trusted domain”, Nextcloud responds with a redirect to the server’s public domain name, defeating the purpose. Is there some way to prevent this from happening?

Thanks

3 Likes

Me too / ditto. I don’t know how to use the help.nextcloud.com environment to say “Dear forum bot, whenever anything about this post changes, please notify me (via email or something).”, so I am hoping that this “reply” post will have similar effect. I tried “Like” and “bookmark”, but there seems to be no indication that that will cause a notification when someone will actually reply to the question being asked.

This function is under the ā€œanswerā€ button :wink:

Also interested to know the answer to that question :slight_smile:

There’re a few things to look at, depending how you’re set up. In this case, the Tor hidden services program is acting as a reverse proxy, so you’ll probably need to tell Nextcloud how to deal with that. I’d try setting the overwritehost option in your config.php to whatever your .onion address is, as the first step.

There’s an example configuration here, though I’m not sure how relevant the given settings are to Tor. Hope this helps!

Thanks @mactrent, but unfortunately that solution is insufficient for me because I would like to be able to access Nextcloud via Tor OR the public internet. Sorry for not being more clear.

I believe that’s what the conditional rewrite condition in that example configuration was for, but it’s admittedly pretty tough to parse.

I think this line is what tells it to only apply the overwritehost option to queries that come through the proxy:

'overwritecondaddr' => '^10\.0\.0\.1$',

If that’s not an option, then I’d set up an additional reverse proxy host, and have it translate all those redirections with Apache’s ProxyPass and ProxyPassReverse options. Here is an old guide for doing that with ownCloud. a.lan would be your internet accessible address, and b.lan would be your .onion-accessible proxy server, rather than lan-only and internet.

I see. I’ll play around with it and report back. Thanks!

I managed to make it work in a different way.
At first, I discovered this link https://www.torproject.org/docs/tor-onion-service, which tells how to create a tor onion. In a nutshell, create a directory where tor will generate its files, then run chmod 700 on it in order to limit access to the directory. Go to your torrc file, which is either at /etc/tor/torrc if you run tor as root (which is not recommended and will raise a warning) or ~/.torrc if you run it as a normal user, and add two lines to it: “HiddenServiceDir /path/to/the/previous/directory” and “HiddenServicePort 80 127.0.0.1:80”. Those lines tell tor that we want it to launch a service. The port is where tor will redirect the inputs. The last configuration step is to tell apache we want it to listen to tor. To do that, add “Listen 127.0.0.1:80” to /etc/apache2/sites-available/nextcloud.conf, which should exist if you correctly set up Nextcloud.
Then launch tor and restart apache. Once you have launched tor, you can check the file “hostname” in your directory; inside you will find your onion name.
I used to have a problem with Nextcloud telling me that the onion wasn’t trusted. Yet I managed to solve it, by copying the link shown in the error message and pasting it into a regular browser. By logging into the admin account, you can add the onion to the trusted domains list.
I hope this will help someone.

I have created a small tutorial, where you can see how to run a Nextcloud and expose it as a tor hidden service and https at the same time.

I assume you are using Nextcloud installed on a Debian 9 virtual machine using Docker with docker-compose (see this link to install it) and it works at cloud.example.com.

  • modify the file docker/.examples/docker-compose/with-nginx-proxy/postgres/apache/docker-compose.yml and add two lines to it in the app section
    ports:
     - 8080:80
    
  • restart the docker container sudo docker-compose restart app
  • install tor : sudo apt-get install tor
    • verify tor runs correctly : sudo apt-get install torsocks curl and run torify curl http://expyuzz4wqqyqhjn.onion/ (Note : the onion link used is the Tor Project home page). It will show the html source.
  • modify /etc/tor/torrc and add
   HiddenServiceDir /var/lib/tor
   HiddenServicePort 80 127.0.0.1:8080
  • Note : Here we set the directory /var/lib/tor as the place where tor will put its files, you can choose another place.
    • Warning : the chosen place has to be owned by the user running tor (by default the user is debian-tor, which owns /var/lib/tor; if you want to change it run chown 700 name/of/the/directory/).
  • restart tor : sudo systemctl restart tor
  • copy paste the content of /var/lib/tor/hostname in your Tor Browser.
  • you should see an error message showing the following
    • copy the link location found in the error message and paste it into a regular browser and replace the onion part of the url with cloud.example.com.
    • confirm the .onion to be a trusted domain.
    • in the Tor Browser, refresh and you should be able to log in.

That’s it! Your Nextcloud should be online.

5 Likes
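
Added example (not part of the original post): the 8080:80 mapping in the tutorial publishes the Apache container on every host interface, so the backend that Tor forwards to is also reachable directly over plain HTTP on port 8080 unless a firewall blocks it. This Python check flags that overlap and shows that a loopback-only mapping passes; the inputs are constructed to mirror the tutorial, and the function names are hypothetical.

```python
import ipaddress

# Constructed inputs that mirror the settings in the tutorial above.
TORRC = """\
HiddenServiceDir /var/lib/tor
HiddenServicePort 80 127.0.0.1:8080
"""
COMPOSE_PORTS = ["8080:80"]                     # mapping used in the tutorial
COMPOSE_PORTS_LOOPBACK = ["127.0.0.1:8080:80"]  # same mapping, loopback only

def onion_backend_ports(torrc_text):
    """TCP ports that HiddenServicePort lines forward to (unix: targets skipped)."""
    ports = set()
    for raw in torrc_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0].lower() != "hiddenserviceport":
            continue
        # HiddenServicePort VIRTPORT [TARGET]; TARGET defaults to 127.0.0.1:VIRTPORT
        virt = fields[1]
        target = fields[2] if len(fields) > 2 else virt
        if target.startswith("unix:"):
            continue
        tail = target.rsplit(":", 1)[-1]
        ports.add(int(tail if tail.isdigit() else virt))
    return ports

def host_binding(spec):
    """Parse compose short syntax [HOST_IP:]HOST_PORT:CONTAINER_PORT[/proto].
    Single ports only; port ranges are not handled."""
    parts = spec.split("/", 1)[0].rsplit(":", 2)
    if len(parts) < 2:
        return None  # container port only: Docker picks a random host port
    host_ip = parts[0].strip("[]") if len(parts) == 3 else "0.0.0.0"
    return host_ip, int(parts[-2])

def exposed_onion_backends(torrc_text, compose_ports):
    """Onion backend ports that Docker also publishes on a non-loopback address."""
    backends = onion_backend_ports(torrc_text)
    findings = []
    for spec in compose_ports:
        binding = host_binding(str(spec))
        if binding and binding[1] in backends \
                and not ipaddress.ip_address(binding[0]).is_loopback:
            findings.append((spec, binding[0], binding[1]))
    return findings

if __name__ == "__main__":
    for spec, ip, port in exposed_onion_backends(TORRC, COMPOSE_PORTS):
        print(f"ports entry {spec!r} publishes onion backend port {port} on {ip}")
```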

@Swarthon: Awesome. I will give it a try!

@Swarthon that’s a great tutorial :100: