Nginx reverse proxy to .onion site in TOR network

As Tor is not a http proxy but a Socks one you cannot insert .onion name or IP in proxy_pass directive. In order to use Nginx as reverse proxy to .onion sites you will need a socat.

Socat is a command line based utility that establishes two bidirectional data streams and transfers between them. This data can take many forms such as files, pipes, devices (terminal or modems), or sockets (UNIX, IPv4, IPv6, TCP, SSL etc). The streams can be constructed from a large and diverse selection of data sinks, sources and address options, which allows Socat to be highly flexible in its usage. It is for this reason that it and similar tools are often referred to as multipurpose relays.

Below is an example of utilising Socat to relay traffic from a remote server. While the example shows how to connect to an .onion service, these steps work the exact same way for clear-net facing servers and connections.

Suppose you would like to connect to an examplename.onion.

To run Socat as http to socks proxy via Tor for this connection, simply use the command:

Note: If you are using Tor browser for your connection you will need to use port 9150.

This command informs Socat to build a connection between your local system on port 81 and yourtordomain.onion on port 80, via your Tor SOCKS proxy on port 9050. Simply connect to localhost on port 81 to utilise it (I assume that Tor is already installed and running on your server).

Based on the configuration above, Nginx configuration will be as follows:

That is, Nginx will proxify requests to the port 81 and socat, in turn, will send them to the destination .onion via Tor sitting on port 9050.

It’s very handy to configure socat as daemon.
Create file socat.sh and set permission to 744:

And run it over screen:

Or

Run socat as service

by using systemd. In /etc/systemd/system create the file http-to-socks-proxy@.service

Now in /etc/http-to-socks-proxy/ folder create a file onion1.conf with the following content:

Now create a symlink in /etc/systemd/system/multi-user.target.wants folder to enable the newly created service:

Now you can start your newly created socat-based service daemon as usual:

As you can see by specifying more config files in /etc/http-to-socks-proxy/ folder you can have more socat connections configured as daemons. Cool, huh? 🙂

Good luck and have fun!