nyxnor / onionjuggler

Manage your Onion Services via CLI or TUI on Unix-like operating system with a POSIX compliant shell.
MIT License

[QUESTION] server_name on nginx config #18

Closed radio24 closed 2 years ago

radio24 commented 2 years ago

https://github.com/nyxnor/onionservice/blob/799bea90175f0883323bb57ebed80f4d31ba26f0/etc/nginx/sites-available/sample-onion.conf#L3

My doubt is / How can I: Shouldn't there be a placeholder (like TRAGTE) in the link above which will be replaced by the onion domain?

Currently, with that configuration, I cannot successfully share a folder. However, the cause may be another problem. I'm checking that right now.

nyxnor commented 2 years ago

it is not necessary for onion domains and I was inspired by Raspiblitz nginx config https://github.com/rootzoll/raspiblitz/blob/a0fd288e553678d0816d682e968a2eea0d165a9b/home.admin/assets/nginx/sites-available/btcpay_tor.conf#L6

I think they used `_` because before nginx 0.8.48: "In earlier versions, the machine's hostname was used as a default server name." But now, since 0.8.48: "Since version 0.8.48, this is the default setting for the server name, so the `server_name ""` can be omitted." This means I don't actually need the server_name line.

See https://nginx.org/en/docs/http/request_processing.html

```nginx
server {
    listen      192.168.1.2:80;
    server_name example.com www.example.com;
    ...
}
```

> In this configuration, nginx first tests the IP address and port of the request against the listen directives of the server blocks. It then tests the "Host" header field of the request against the server_name entries of the server blocks that matched the IP address and port. If the server name is not found, the request will be processed by the default server. For example, a request for www.example.com received on the 192.168.1.1:80 port will be handled by the default server of the 192.168.1.1:80 port, i.e., by the first server, since there is no www.example.com defined for this port.

From the above:

  1. nginx first tests the IP address and port of the request against the listen directives of the server blocks R: Listening port is needed.

  2. It then tests the "Host" header field of the request against the server_name entries of the server blocks that matched the IP address and port. R: Does it matter if the host is reached via Tor?

I don't think it is a security breach because Tor handles the encryption and connection with the host, although Pasty/MattTraudt uses it on https://matt.traudt.xyz/posts/website-setup/.

The main reason I did not include the .onion in the nginx config was that if the service is renewed, I would need to edit the nginx conf as well. I will ask on the Tor community IRC anyway whether that is needed or recommended.

nyxnor commented 2 years ago

I asked about leaving server_name blank:

> Hello. Is it recommended or necessary to specify the onion domain on the nginx config line server_name?

From hackerncoder:

> If you make the site the default, no. If you set the server block to listen on a port no other server block is listening on, it becomes the default; you can also make it the default by adding "default_server" at the end of the "listen". For ports where multiple server blocks are, the first one becomes the default (unless you specify one).

So it is not necessary to specify server_name, and since every port that OnionService sets to listen on is different, it is not a problem: the block becomes the default. I can optionally add default_server at the end of the listen line.
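As an added worked example (not the project's sample-onion.conf and not configuration posted in this thread), the following nginx snippet shows the rule hackerncoder describes in both directions: a server block that is the only one on its port, or that carries default_server, answers every request on that port regardless of the Host header, so the .onion hostname never needs to appear in server_name; on a port shared by several virtual hosts, the Host header does decide, and an unmatched Host falls through to the default block. The port numbers, paths and the torrc mapping in the comment are assumptions for illustration.

```nginx
# Added example, not the project's sample-onion.conf.
# Assumed torrc mapping that forwards virtual port 80 of the onion
# service to this listener. The tor daemon owns the .onion name;
# nginx only ever sees connections arriving from 127.0.0.1.
#   HiddenServiceDir /var/lib/tor/example_service/
#   HiddenServicePort 80 127.0.0.1:8080

# Onion service: the sole server block on 127.0.0.1:8080, so it is the
# default for that port and no server_name is required. default_server
# is written out anyway so the intent survives if someone later adds a
# second block on the same port. Binding to loopback keeps the backend
# unreachable from the network except through tor.
server {
    listen 127.0.0.1:8080 default_server;
    # server_name omitted on purpose: the Host header is never compared,
    # so renewing the onion address needs no nginx change.

    root  /var/www/onion;
    index index.html;

    # Avoid advertising the nginx version on the onion side.
    server_tokens off;

    location / {
        try_files $uri $uri/ =404;
    }
}

# Contrast: a port shared by several virtual hosts. Here server_name
# matters; a request whose Host matches no server_name entry is handled
# by the block marked default_server (or, absent that, by the first
# block declared for the port).
server {
    listen 80 default_server;
    server_name _;
    return 444;   # drop requests for unknown Host values without a reply
}

server {
    listen 80;
    server_name example.com www.example.com;
    root /var/www/example.com;
}
```

To check the routing after `nginx -t` and a reload: `curl -sI -H 'Host: whatever.invalid' http://127.0.0.1:8080/` is served by the onion block whatever the Host header says, while the same request against port 80 is closed without a response by the `return 444` block, and only a Host of example.com or www.example.com reaches the clearnet site. If a future change were to put the onion listener on a port shared with clearnet hosts, that is the point at which the .onion name would have to be added to server_name (or the onion block marked default_server), otherwise onion requests would be answered by whichever block is the default for that port.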

radio24 commented 2 years ago

Thanks for clarifying.