Running Nextcloud as a hidden service (Tor)


#1

I would like to be able to run Nextcloud as a Tor hidden service, but even when you list the .onion address as a “trusted domain”, Nextcloud responds with a redirect to the server’s public domain name, defeating the purpose. Is there some way to prevent this from happening?

Thanks


#2

Me too / ditto. I don’t know how to use the help.nextcloud.com environment to say “Dear forum bot, whenever anything about this post changes, please notify me (via email or something).”, so I am hoping that this “reply” post will have a similar effect. I tried “Like” and “bookmark”, but there seems to be no indication that that will cause a notification when someone actually replies to the question being asked.


#3

This function is under the “answer” button :wink:


#4

Also interested to know the answer to that question :slight_smile:


#5

There are a few things to look at, depending on how you’re set up. In this case, the Tor hidden services program is acting as a reverse proxy, so you’ll probably need to tell Nextcloud how to deal with that. I’d try setting the overwritehost option in your config.php to whatever your .onion address is, as the first step.

There’s an example configuration here, though I’m not sure how relevant the given settings are to Tor. Hope this helps!


#6

Thanks @mactrent, but unfortunately that solution is insufficient for me because I would like to be able to access Nextcloud via Tor OR the public internet. Sorry for not being more clear.


#7

I believe that’s what the conditional rewrite condition in that example configuration was for, but it’s admittedly pretty tough to parse.

I think this line is what tells it to only apply the overwritehost option to queries that come through the proxy:

'overwritecondaddr' => '^10\.0\.0\.1$',

If that’s not an option, then I’d set up an additional reverse proxy host, and have it translate all those redirections with Apache’s ProxyPass and ProxyPassReverse options. Here is an old guide for doing that with ownCloud. a.lan would be your internet accessible address, and b.lan would be your .onion-accessible proxy server, rather than lan-only and internet.


#8

I see. I’ll play around with it and report back. Thanks!


#9

I managed to make it work in a different way.
First, I discovered this link https://www.torproject.org/docs/tor-onion-service, which explains how to create a Tor onion. In a nutshell, create a directory where Tor will generate its files, then run chmod 700 on it in order to limit access to the directory. Go to your torrc file, which is either at /etc/tor/torrc if you run Tor as root (which is not recommended and will raise a warning) or ~/.torrc if you run it as a normal user, and add two lines to it: “HiddenServiceDir /path/to/the/previous/directory” and “HiddenServicePort 80 127.0.0.1:80”. Those lines tell Tor that we want it to launch a service. The port is where Tor will redirect the inputs. The last configuration step is to tell Apache we want it to listen to Tor. To do that, add “Listen 127.0.0.1:80” to /etc/apache2/sites-available/nextcloud.conf, which should exist if you correctly set up Nextcloud.
Then launch Tor and restart Apache. Once you have launched Tor, you can check the file “hostname” in your directory; inside you will find your onion name.
I used to have a problem with Nextcloud telling me that the onion wasn’t trusted. Yet I managed to solve it by copying the link shown in the error message and pasting it into a regular browser. By logging into the admin account, you can add the onion to the trusted domains list.
I hope this will help someone.


#10

I have created a small tutorial, where you can see how to run a Nextcloud and expose it as a tor hidden service and https at the same time.

I assume you are using Nextcloud installed on a Debian 9 virtual machine using Docker with docker-compose (see this link to install it) and it works at cloud.example.com.

  • modify the file docker/.examples/docker-compose/with-nginx-proxy/postgres/apache/docker-compose.yml and add two lines to it in the app section
    ports:
     - 8080:80
    
  • restart the docker container : sudo docker-compose restart app
  • install tor : sudo apt-get install tor
    • verify tor runs correctly : sudo apt-get install torsocks curl and run torify curl http://expyuzz4wqqyqhjn.onion/ (Note : the onion link used is the torproject home). It will show the html source.
  • modify /etc/tor/torrc and add
   HiddenServiceDir /var/lib/tor
   HiddenServicePort 80 127.0.0.1:8080
  • Note : Here we set the directory /var/lib/tor as the place where tor will put its files, you can choose another place.
    • Warning : the chosen place has to be owned by the user running tor (by default the user is debian-tor, which owns /var/lib/tor; if you want to change it run chown 700 name/of/the/directory/).
  • restart tor : sudo systemctl restart tor
  • copy paste the content of /var/lib/tor/hostname in your Tor Browser.
  • you should see an error message showing the following
    • copy the link location found in the error message and paste it into a regular browser and replace the onion part of the url with cloud.example.com.
    • confirm the .onion to be a trusted domain.
    • in the Tor Browser, refresh and you should be able to log in.

That’s it ! Your Nextcloud should be online.
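
Added example, not part of any post in this thread: a shell check for the two files the tutorial above edits. It flags a HiddenServiceDir that group or others can access, a HiddenServicePort target that is not loopback, and a compose port mapping such as 8080:80, which Docker publishes on every host interface unless an address like 127.0.0.1: is prefixed. The function names and sample files are constructed for illustration.

```shell
# audit_onion_config TORRC COMPOSE_FILE (names and sample data are constructed)
# Prints one line per finding; exit status is the number of findings (0 = clean).
audit_onion_config() {
    torrc=$1; compose=$2; findings=0
    while read -r key a b rest; do
        case $key in
        HiddenServiceDir)
            # Key material lives here: no group/other access (chmod 700, owned by the Tor user).
            mode=$(ls -ld "$a" 2>/dev/null | cut -c1-10)
            case $mode in
            drwx--[-S]---) ;;
            *)  echo "torrc: HiddenServiceDir $a is '${mode:-missing}', want drwx------"
                findings=$((findings + 1)) ;;
            esac ;;
        HiddenServicePort)
            # Target must be loopback; a bare port or no target means 127.0.0.1.
            case $b in
            ""|127.0.0.1:*|localhost:*|"[::1]:"*|unix:*) ;;
            *[!0-9]*)
                echo "torrc: HiddenServicePort $a forwards to non-loopback $b"
                findings=$((findings + 1)) ;;
            esac ;;
        esac
    done < "$torrc"
    # Heuristic: "HOST:CONTAINER" with no IP publishes on every host interface,
    # so the plain-HTTP backend is reachable without going through Tor.
    n=$(grep -cE '^[[:space:]]*-[[:space:]]*"?[0-9]+:[0-9]+"?[[:space:]]*$' "$compose" || true)
    if [ "$n" -gt 0 ]; then
        echo "compose: $n port mapping(s) not bound to 127.0.0.1"
        findings=$((findings + n))
    fi
    return "$findings"
}

# Constructed samples: a world-readable service dir plus the 8080:80 mapping ("weak"), and a tightened variant ("ok").
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/hs_open" "$d/hs_private"
    chmod 755 "$d/hs_open"; chmod 700 "$d/hs_private"
    printf 'HiddenServiceDir %s\nHiddenServicePort 80 127.0.0.1:8080\n' "$d/hs_open" > "$d/weak.torrc"
    printf 'HiddenServiceDir %s\nHiddenServicePort 80 127.0.0.1:8080\n' "$d/hs_private" > "$d/ok.torrc"
    printf 'ports:\n  - 8080:80\n' > "$d/weak.yml"
    printf 'ports:\n  - "127.0.0.1:8080:80"\n' > "$d/ok.yml"
    echo "$d"
}
d=$(make_sample)
audit_onion_config "$d/weak.torrc" "$d/weak.yml" || echo "findings: $?"
audit_onion_config "$d/ok.torrc" "$d/ok.yml" && echo "ok variant: clean"
rm -rf "$d"
```

On a real host, pass the paths of the live torrc and docker-compose.yml; reading a HiddenServiceDir owned by the Tor user normally requires root.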


#11

@Swarthon: Awesome. I will give it a try!


#12

@Swarthon that’s a great tutorial :100: