Setting Up Discourse as a Tor Hidden Service (Onion)

I recently had to configure Discourse settings (again) to enable running Discourse as a Tor hidden service. This is not a full tutorial, but it contains some important setup notes. Some of these issues have been around since 2019, and the web onion template hasn't been updated in 9 years, despite pull requests, so I decided to create this post to help the Discourse community and any fellow cypherpunks.

Since I am not setting this up from scratch, it's hard to determine what I implemented previously and what I've had to recently change to get the forum running, but you may find some of the steps helpful because they can be time-consuming to figure out on your own.

Add onion environment variables

In /var/discourse/containers/app.yml, add your onion hostname:

  DISCOURSE_BACKUP_HOSTNAME: yw7nc56v4nsudvwewhmhhwltxpncedfuc43qbubj4nmwhdhwtiu4o6yd.onion
  DISCOURSE_ONION: yw7nc56v4nsudvwewhmhhwltxpncedfuc43qbubj4nmwhdhwtiu4o6yd.onion

Edited Template Files

web.onion.template.yml

Because web.onion.template.yml copies the default nginx file, we need to remove the nginx entries that conflict with the main nginx file (discourse.conf); both files are copied from the same sample.

Append the following to the bottom of web.onion.template.yml:

  - replace:
      filename: "/etc/nginx/conf.d/onion.conf"
      from: /proxy_buffer_size.*$/
      to: ""

  - replace:
      filename: "/etc/nginx/conf.d/onion.conf"
      from: /proxy_buffers.*$/
      to: ""

  - replace:
      filename: "/etc/nginx/conf.d/onion.conf"
      from: /large_client_header_buffers.*$/
      to: ""

  # Ensure an appropriate bucket size for the server names hash tables
  - file:
      path: /etc/nginx/conf.d/server_names_hash_bucket_size.conf
      contents: |
        server_names_hash_bucket_size 128;

web.ssl.template.yml

We need to add the Onion-Location header to the SSL template file so that the purple ".onion available" button is served.

Add your Onion-Location header:

  - replace:
     filename: "/etc/nginx/conf.d/discourse.conf"
     from: "location @discourse {"
     to: |
       location @discourse {
       add_header Strict-Transport-Security 'max-age=31536000'; # remember the certificate for
       # ADD BELOW
       add_header Onion-Location http://$$ENV_DISCOURSE_ONION$request_uri;

Also add server_name to the bottom to prevent redirects when browsing the (http) onion:

  - replace:
     filename: "/etc/nginx/conf.d/discourse.conf"
     from: /server.+{/
     to: |
       server {
         listen 80;
         # ADD BELOW
         server_name $$ENV_DISCOURSE_HOSTNAME;
         return 301 https://$$ENV_DISCOURSE_HOSTNAME$request_uri;
       }
       server {

Rebuild App

Now that the template files have been edited, rebuilding and launching the app should serve your forum.

To-Do

  1. Use nginx to rewrite clearnet links to onion links, due to the way content is served in Discourse
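To confirm after a rebuild that the template edits above took effect, the following check inspects the rendered nginx files. It is an added example, not part of the original post or of the Discourse project; the function name `check_onion_conf` and its directory argument are assumptions, while the file names are the ones the templates above write.

```bash
#!/usr/bin/env bash
# Added example: post-rebuild check of the rendered nginx config.
# check_onion_conf and its optional directory argument are hypothetical names.

check_onion_conf() {
  local dir="${1:-/etc/nginx/conf.d}" rc=0 d line host
  local onion="$dir/onion.conf" main="$dir/discourse.conf"

  # 1. Directives the appended replace rules should have stripped from
  #    onion.conf, because discourse.conf already sets them.
  [ -f "$onion" ] || { echo "FAIL: $onion not found"; rc=1; }
  for d in proxy_buffer_size proxy_buffers large_client_header_buffers; do
    if grep -Eq "^[[:space:]]*${d}[[:space:]]" "$onion" 2>/dev/null; then
      echo "FAIL: $d still present in $onion"; rc=1
    fi
  done

  # 2. The hash bucket size override written by the "file" rule.
  grep -Eq '^[[:space:]]*server_names_hash_bucket_size[[:space:]]+128;' \
    "$dir/server_names_hash_bucket_size.conf" 2>/dev/null ||
    { echo "FAIL: server_names_hash_bucket_size 128 not set"; rc=1; }

  # 3. Onion-Location must exist and carry a well-formed v3 address
  #    (56 base32 characters followed by .onion). An unsubstituted or
  #    mistyped DISCOURSE_ONION value fails here.
  line=$(grep -E 'add_header[[:space:]]+Onion-Location' "$main" 2>/dev/null | head -n 1)
  host=$(printf '%s\n' "$line" |
    sed -E 's|.*Onion-Location[[:space:]]+https?://([^/$;[:space:]]+).*|\1|')
  if [ -z "$line" ]; then
    echo "FAIL: no Onion-Location header in $main"; rc=1
  elif ! printf '%s\n' "$host" | grep -Eq '^[a-z2-7]{56}\.onion$'; then
    echo "FAIL: Onion-Location host is not a v3 onion address: $host"; rc=1
  fi

  return "$rc"
}
```

Run it where the rendered files live (inside the app container) by calling `check_onion_conf` with no argument; a non-zero return means at least one edit did not land.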