Tor2Web (and Web2Tor) are reverse proxies giving access to Tor Hidden Services (or oinions) via the public internet. The problem with this, is that they act as a trusted middleman, potentially putting unwitting user's privacy and security at risk
For sites that are multi-homed onto both the WWW and Tor Hidden Services, there's also the risk of a duplicate content penalty in search engine indexes (because Google will still index the Tor2Web sites).
Note that this implementation will only block those Tor2Web nodes that announce themselves, others won't trigger the block - in order to catch those, you need to run some javascript client side (see below) though client-side defences can easily be stripped
# You should create an error page to explain why the
# request was blocked
error_page 405 = /405.html;
location /405.html {
root /path/to/your/error/page;
}
if ($http_x_tor2web){
set $tor2web T;
}
# Avoid redirect loops
if ($request_uri = '/405.html'){
set $tor2web R;
}
if ($tor2web = T){
return 301 /405.html;
}
// Set this to contain your authorised domains
window.authdomains = ['foo.onion']
/* If you serve static content from a subdomain, onion.cab will have made
a mess of it's attempt to rewrite URLs.
We need to rewrite those to the correct clearnet version (if possible)
staticonion - the domain you'd serve from
staticwww - where to find those resources on the clearnet
Set to empty strings if not needed
*/
window.staticonion = "static.6zdgh5a5e6zpchdz.onion/"
window.staticwww = "https://static1.bentasker.co.uk/"
function checkAuthorisedDomain(){
/* Check whether the user is accessing via an authorised domain name or not.
*/
hname = window.location.hostname
if ( window.authdomains.indexOf(hname) < 0 ){
printDomainWarning();
if (hname.indexOf('onion.cab') !== -1 ){
unOnionCab();
}
}
}
function printDomainWarning(){
// Print out a warning
// ENTER YOUR WARNING BELOW
document.getElementById('system-message-container').innerHTML='';
}
function unOnionCab(){
/* Onion.cab does some fairly nasty stuff (https://www.bentasker.co.uk/blog/security/346-don-t-use-web2tor#ContentInjection)
So we're going to attempt to nobble some of it's antics, and rollback some others
*/
// Prevent it from defining it's Piwiki variable
Object.defineProperty(window, '_paq',{value: function push() {return;}} );
// We also want to roll-back anchor rewriting so that CSS etc doesn't get blocked
// (not my fault they don't know onions can legitimately have subdomains)
var eles = document.getElementsByTagName('link');
restoreLinks(eles);
var eles = document.getElementsByTagName('img');
restoreLinks(eles);
var eles = document.getElementsByTagName('script');
restoreLinks(eles);
var eles = document.getElementsByTagName('a');
restoreLinks(eles);
}
function restoreLinks(eles){
if (window.staticonion.length < 1){
return;
}
/* Iterate over a list of element nodes and check whether the anchor has been tampered with
*/
var spl;
var pts;
var kv;
var a = 0;
var url;
var field;
var upd;
for (var i=0; i<eles.length; i++){
if (eles[i].href && eles[i].href.length){
field=eles[i].href;
upd='href';
}else if(eles[i].src && eles[i].src.length){
field=eles[i].src;
upd='src';
}else{
continue;
}
if (field.indexOf('noTor.php') !== -1){
spl = field.split('?');
pts = spl[1].split('&');
for (a=0;a<pts.length;a++){
kv = pts[a].split('=');
if (kv[0] == "url"){
url = atob(kv.slice(1).join('='));
/* Check whether it's the static domain - if so, the user won't be able to access it even if we restore it
*/
if (url.indexOf(window.staticonion) !== -1){
url = url.replace("http://"+window.staticonion,window.staticwww)
}
eles[i].setAttribute(upd,url);
}
}
}
}
}
checkAuthorisedDomain();