Blocking Tor2Web

Published: 2017-05-19 22:47:28 +0000
Categories: NGinx




Tor2Web (and Web2Tor) are reverse proxies giving access to Tor Hidden Services (or onions) via the public internet. The problem with this is that they act as a trusted middleman, potentially putting unwitting users' privacy and security at risk.

For sites that are multi-homed onto both the WWW and Tor Hidden Services, there's also the risk of a duplicate content penalty in search engine indexes (because Google will still index the Tor2Web sites).

Note that this implementation will only block those Tor2Web nodes that announce themselves (via the X-Tor2Web request header); others won't trigger the block. In order to catch those, you need to run some JavaScript client side (see below), though client-side defences can easily be stripped by the proxy.

Based On


# You should create an error page to explain why the
# request was blocked
error_page 405 = /405.html;

location /405.html {
    root /path/to/your/error/page;
}

# Proxies that announce themselves send an X-Tor2Web request header,
# which nginx exposes as $http_x_tor2web
if ($http_x_tor2web){
    set $tor2web T;
}

# Avoid redirect loops: never redirect a request for the error page itself
if ($request_uri = '/405.html'){
    set $tor2web R;
}

if ($tor2web = T){
    return 301 /405.html;
}
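The decision the nginx config above makes, as an added example written for this page (not code from the original post or from nginx): the same header test and redirect-loop guard expressed as plain JavaScript functions, so the logic can be unit-tested in Node.js. The header name and the /405.html path are taken from the config; the `respond()` wrapper and the shape of its return value are assumptions about how you would wire this into a Node HTTP server, where `req.headers` has lower-cased keys.

```javascript
// Added example, not the original page's code. Mirrors the nginx snippet:
//   if ($http_x_tor2web)            -> set $tor2web T
//   if ($request_uri = '/405.html') -> set $tor2web R   (loop guard)
//   if ($tor2web = T)               -> return 301 /405.html
const ERROR_PAGE = '/405.html';

// nginx's `if ($var)` is true when the variable is set to anything other
// than the empty string or "0"; reproduce that rather than JS truthiness.
function nginxTruthy(value) {
    return value !== undefined && value !== '' && value !== '0';
}

// headers: object with lower-cased keys (as Node's IncomingMessage.headers).
// Returns the redirect target when the request must be bounced, else null.
function tor2webRedirect(headers, requestUri) {
    // $http_x_tor2web: only proxies that announce themselves send it.
    if (!nginxTruthy(headers['x-tor2web'])) {
        return null;
    }
    // "set $tor2web R": never redirect a request for the error page itself,
    // otherwise an announcing proxy would chase 301s forever. nginx compares
    // the full $request_uri; comparing the path only is slightly more lenient.
    if (requestUri.split('?')[0] === ERROR_PAGE) {
        return null;
    }
    return ERROR_PAGE;
}

// What the server should send back (assumed wrapper): a 301 to the error page
// for blocked requests, the explanatory page for /405.html (nginx serves it
// as a static file from `root`), and a normal 200 for everything else.
function respond(headers, requestUri) {
    const target = tor2webRedirect(headers, requestUri);
    if (target !== null) {
        return { status: 301, location: target };
    }
    if (requestUri.split('?')[0] === ERROR_PAGE) {
        return { status: 200, body: 'This site does not serve Tor2Web proxies; visit it directly.' };
    }
    return { status: 200, body: 'normal page' };
}
```

A useful property to check when deploying the real config is the loop guard: an announcing proxy fetching /405.html must get the page, not another 301, or the proxy (and any crawler behind it) spins until it gives up.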
Additional Client Side Blocking

// Set this to contain your authorised domains
window.authdomains = ['foo.onion'];

/* If you serve static content from a subdomain, the proxy will have made
a mess of its attempt to rewrite URLs.

We need to rewrite those to the correct clearnet version (if possible)

    staticonion - the domain you'd serve from
    staticwww - where to find those resources on the clearnet

Set to empty strings if not needed */
window.staticonion = "static.6zdgh5a5e6zpchdz.onion/";
window.staticwww = "";

function checkAuthorisedDomain(){
    /* Check whether the user is accessing via an authorised domain name or not. */
    var hname = window.location.hostname;

    if ( window.authdomains.indexOf(hname) < 0 ){
        // The substring identifying the proxy's hostname was not preserved in the published snippet
        if (hname.indexOf('') !== -1 ){
            unOnionCab();
        }
        printDomainWarning();
    }
}

function printDomainWarning(){
    // Print out a warning at the top of the page
    var warn = document.createElement('div');
    warn.textContent = 'You are viewing this site through a Tor2Web proxy, not the site itself.';
    document.body.insertBefore(warn, document.body.firstChild);
}

function unOnionCab(){
    /* The proxy does some fairly nasty stuff, so we're going to attempt to nobble
       some of its antics, and rollback some others */

    // Prevent it from defining its Piwik variable: give _paq a push() that does nothing
    Object.defineProperty(window, '_paq', {value: {push: function () {return;}}});

    // We also want to roll-back anchor rewriting so that CSS etc doesn't get blocked
    // (not my fault they don't know onions can legitimately have subdomains)
    restoreLinks(document.getElementsByTagName('link'));
    restoreLinks(document.getElementsByTagName('img'));
    restoreLinks(document.getElementsByTagName('script'));
    restoreLinks(document.getElementsByTagName('a'));
}

function restoreLinks(eles){
    /* Iterate over a list of element nodes and check whether the anchor has been tampered with */

    if (window.staticonion.length < 1){
        return;
    }

    var spl;
    var pts;
    var kv;
    var a = 0;
    var url;
    var field;   // the attribute value being inspected
    var upd;     // which attribute it came from, so it can be written back

    for (var i=0; i<eles.length; i++){

        if (eles[i].href && eles[i].href.length){
            field = eles[i].href;
            upd = 'href';
        }else if(eles[i].src && eles[i].src.length){
            field = eles[i].src;
            upd = 'src';
        }else{
            continue;
        }

        if (field.indexOf('noTor.php') !== -1){
            spl = field.split('?');
            pts = spl[1].split('&');
            for (a=0;a<pts.length;a++){
                kv = pts[a].split('=');

                if (kv[0] == "url"){
                    // The original URL is base64 encoded; rejoin any '=' padding split off above
                    url = atob(kv.slice(1).join('='));

                    /* Check whether it's the static domain - if so, the user won't be able to access it even if we restore it */
                    if (url.indexOf(window.staticonion) !== -1){
                        url = url.replace("http://"+window.staticonion, window.staticwww);
                    }
                    eles[i][upd] = url;
                }
            }
        }
    }
}

document.addEventListener('DOMContentLoaded', checkAuthorisedDomain);


Usage Example



Copyright © 2019 Ben Tasker
Available at and snippets.6zdgh5a5e6zpchdz.onion