Blocking Tor2Web



Published: 2017-05-19 22:47:28 +0000
Categories: NGinx

Language

NGinx

Description

Tor2Web (and Web2Tor) are reverse proxies giving access to Tor Hidden Services (or onions) via the public internet. The problem with this is that they act as a trusted middleman, potentially putting unwitting users' privacy and security at risk.

For sites that are multi-homed onto both the WWW and Tor Hidden Services, there's also the risk of a duplicate content penalty in search engine indexes (because Google will still index the Tor2Web sites).

Note that this implementation will only block those Tor2Web nodes that announce themselves; others won't trigger the block. To catch those, you need to run some JavaScript client side (see below), though client-side defences can easily be stripped.

Based On

Snippet

# You should create an error page to explain why the
# request was blocked
error_page 405 = /405.html; 

location /405.html {
    root /path/to/your/error/page;
}

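# Tor2Web nodes that announce themselves send an X-Tor2Web
# request header, which nginx exposes as $http_x_tor2web
if ($http_x_tor2web){
    set $tor2web T;
}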

# Avoid redirect loops
if ($request_uri = '/405.html'){
    set $tor2web R;
}

if ($tor2web = T){
    return 301 /405.html;
}

Additional Client Side Blocking


// Set this to contain your authorised domains
window.authdomains = ['foo.onion']

/* If you serve static content from a subdomain, onion.cab will have made
a mess of its attempt to rewrite URLs.

We need to rewrite those to the correct clearnet version (if possible)

    staticonion - the domain you'd serve from
    staticwww - where to find those resources on the clearnet

Set to empty strings if not needed
*/
window.staticonion = "static.6zdgh5a5e6zpchdz.onion/"
window.staticwww = "https://static1.bentasker.co.uk/"

function checkAuthorisedDomain(){
    /* Check whether the user is accessing via an authorised domain name or not.
    */

    // Declare locally rather than leaking an implicit global
    var hname = window.location.hostname;

    if ( window.authdomains.indexOf(hname) < 0  ){
        printDomainWarning();
        if (hname.indexOf('onion.cab') !== -1 ){
            unOnionCab();
        }
    }

}

function printDomainWarning(){
    // Print out a warning
    // ENTER YOUR WARNING BELOW
    document.getElementById('system-message-container').innerHTML=''; 
}

function unOnionCab(){
    /* Onion.cab does some fairly nasty stuff (https://www.bentasker.co.uk/blog/security/346-don-t-use-web2tor#ContentInjection)

        So we're going to attempt to nobble some of its antics, and roll back some others
    */

    // Prevent it from defining its Piwik variable
    Object.defineProperty(window, '_paq',{value: function push() {return;}} );    

    // We also want to roll-back anchor rewriting so that CSS etc doesn't get blocked
    // (not my fault they don't know onions can legitimately have subdomains)
    var eles = document.getElementsByTagName('link');
    restoreLinks(eles);

    var eles = document.getElementsByTagName('img');
    restoreLinks(eles);

    var eles = document.getElementsByTagName('script');
    restoreLinks(eles);

    var eles = document.getElementsByTagName('a');
    restoreLinks(eles);
}

function restoreLinks(eles){

    if (window.staticonion.length < 1){
        return;
    }

    /* Iterate over a list of element nodes and check whether the anchor has been tampered with
    */
    var spl;
    var pts;
    var kv;
    var a = 0;
    var url;
    var field;
    var upd;

    for (var i=0; i<eles.length; i++){

        if (eles[i].href && eles[i].href.length){
            field=eles[i].href;
            upd='href';
        }else if(eles[i].src && eles[i].src.length){
            field=eles[i].src;
            upd='src';
        }else{
            continue;
        }

        if (field.indexOf('noTor.php') !== -1){
            spl = field.split('?');
            if (spl.length < 2){
                // No query string, so there is no url parameter to restore
                continue;
            }
            pts = spl[1].split('&');
            for (a=0;a<pts.length;a++){
                kv = pts[a].split('=');

                if (kv[0] == "url"){
                    try {
                        url = atob(kv.slice(1).join('='));
                    } catch (e) {
                        // Not valid base64 - leave this element untouched
                        continue;
                    }

                    /* Check whether it's the static domain - if so, the user won't be able to access it even if we restore it
                    */
                    if (url.indexOf(window.staticonion) !== -1){
                        url = url.replace("http://"+window.staticonion,window.staticwww);
                    }

                    eles[i].setAttribute(upd,url);
                }
            }
        }
    }

}

Usage Example


checkAuthorisedDomain();
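
An added example (not part of the original snippet): a hostname classifier that generalises the onion.cab check in checkAuthorisedDomain() to any gateway hostname that embeds the onion's label. The function names and sample hostnames are constructed for illustration, and treating subdomains of an authorised domain as authorised is an assumption that differs from the exact-match check above.

```javascript
// Added example: helper names and hostnames are constructed for illustration.

function normaliseHost(hostname) {
    // Hostnames are case-insensitive and may carry a trailing root dot
    return String(hostname).toLowerCase().replace(/\.$/, '');
}

function onionLabel(domain) {
    // 'static.foo.onion' -> 'foo' (the label immediately left of 'onion');
    // returns null for clearnet domains
    var labels = normaliseHost(domain).split('.');
    var idx = labels.lastIndexOf('onion');
    return idx > 0 ? labels[idx - 1] : null;
}

function classifyHost(hostname, authdomains) {
    var host = normaliseHost(hostname);
    var auth = authdomains.map(normaliseHost);
    var labels = host.split('.');
    var i, suffix, label;

    // Assumption: an authorised domain also covers its own subdomains
    for (i = 0; i < auth.length; i++) {
        suffix = '.' + auth[i];
        if (host === auth[i] ||
            (host.length > suffix.length &&
             host.slice(-suffix.length) === suffix)) {
            return 'authorised';
        }
    }

    // The onion's label appearing under some other domain means a
    // gateway is relaying the site (e.g. foo.onion.cab for foo.onion)
    for (i = 0; i < auth.length; i++) {
        label = onionLabel(auth[i]);
        if (label && labels.indexOf(label) !== -1) {
            return 'proxied';
        }
    }

    // Neither authorised nor recognisably a gateway: still warn the user
    return 'unknown';
}
```

A caller would show the warning for both 'proxied' and 'unknown', and run gateway-specific clean-up only for 'proxied'.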

Keywords

Tor2Web, Web2Tor, Blocking, Nginx, Onions, howto, client side, javascript

Copyright © 2019 Ben Tasker
Available at snippets.bentasker.co.uk, yr4pnhounvdybotb.onion and snippets.6zdgh5a5e6zpchdz.onion