Host all the Hidden Services with Traefik
November 16, 2018
This is a follow up to the last post which introduces the idea of using Docker, Tor and Traefik to host a tor hidden service which can be found here. Although the last post didn't cover the use case of wanting to host multiple hidden services.
Again this is just ramblings not a tutorial so you should already have experience with Docker, docker-compose, Traefik and tor.
So just like before we want to make our Nextcloud container a hidden service although this time I also what to make my website a hidden service.
So here is the docker-compose.yml from last time with the addition my beautiful Nginx hello world website.
version: "3"
services:
reverse-proxy:
image: traefik
command: --api --docker
ports:
- "80:80"
- "8080:8080"
networks:
- tor_net
volumes:
- /var/run/docker.sock:/var/run/docker.sock
nextcloud_tor:
image: registry.gitlab.com/huggles/tor-docker:latest
restart: always
networks:
- tor_net
volumes:
- /home/volumes/tor/:/etc/tor/
- /home/volumes/tor/services/:/var/lib/tor/
labels:
- "traefik.backend=nextcloud_tor"
- "traefik.enable=true"
- "traefik.frontend.rule=Host:insert_onion_url_here.onion"
- "traefik.port=80"
- "traefik.protocol=http"
nextcloud:
image: nextcloud
restart: always
networks:
- tor_net
labels:
- "traefik.backend=nextcloud"
- "traefik.enable=true"
- "traefik.frontend.rule=Host:insert_clearnet_url_here"
- "traefik.port=80"
- "traefik.protocol=http"
website:
image: nginx
restart: always
networks:
- tor_net
labels:
- "traefik.backend=website"
- "traefik.enable=true"
- "traefik.frontend.rule=Host:insert_clearnet_url_here"
- "traefik.port=80"
- "traefik.protocol=http"
networks:
tor_net:
external: true
And the torrc
HiddenServiceDir /var/lib/tor/http
HiddenServiceVersion 3
HiddenServicePort 80 nextcloud:80So how can we go about doing torifing both services?
Traefik has a concept called segments
which allows the container to have a different frontend rule for different ports.
So we will tell tor to host each service on a different port, Nextcloud can have 8080
and Nginx will be 80. Then we can make the tor container have 2 segments and get
traefik to route all requests for insert_onion_url_here.onion to port 80 of the
tor container and nextcloud.insert_onion_url_here.onion to port 8080 of the tor container.
The revised docker-compose.yml using segments:
version: "3"
services:
reverse-proxy:
image: traefik
command: --api --docker
ports:
- "80:80"
- "8080:8080"
networks:
- tor_net
volumes:
- /var/run/docker.sock:/var/run/docker.sock
tor:
image: registry.gitlab.com/huggles/tor-docker:latest
restart: always
networks:
- tor_net
volumes:
- /home/volumes/website_tor/:/etc/tor/
- /home/volumes/tor/services/:/var/lib/tor/
labels:
- "traefik.enable=true"
- "traefik.website.backend=website_tor"
- "traefik.website.frontend.rule=Host:insert_onion_url_here.onion"
- "traefik.website.port=80"
- "traefik.website.protocol=http"
- "traefik.nextcloud.backend=nextcloud_tor"
- "traefik.nextcloud.frontend.rule=Host:nextcloud.insert_onion_url_here.onion"
- "traefik.nextcloud.port=8080"
- "traefik.nextcloud.protocol=http"
nextcloud:
image: nextcloud
restart: always
networks:
- tor_net
labels:
- "traefik.backend=nextcloud"
- "traefik.enable=true"
- "traefik.frontend.rule=Host:nextcloud.insert_clearnet_url_here"
- "traefik.port=80"
- "traefik.protocol=http"
website:
image: nginx
restart: always
networks:
- tor_net
labels:
- "traefik.backend=website"
- "traefik.enable=true"
- "traefik.frontend.rule=Host:insert_clearnet_url_here"
- "traefik.port=80"
- "traefik.protocol=http"
networks:
tor_net:
external: true
And the corresponding torrc:
HiddenServiceDir /var/lib/tor/http
HiddenServiceVersion 3
HiddenServicePort 80 website:80
HiddenServicePort 8080 nextcloud:80Thats all there us to it! So expand the tor network and increase privacy and security for your users with tor hidden services with help from Traefik.
That should be about all for now, stay safe on the internet and I'll 'see' you next time!
Hayden (aka Huggles)