Onion et yunohost - Some questions

genma · May 2, 2016, 6:20pm

Tor is installed and I’ve a .onion adress.

Actually, if i go on https://azerty.onion, I’ve a Nginx page. I need to go on https://azerty.onion/myapps/ to have my apps page.
I want to have my apps on https://azerty.onion

My apps is already a default page for another domain name (foo.org)

Other problem https://azerty.onion/yunohost is ok. Ok can I prohibit this adress.

https://azerty.onion has a selfsigned certificate, auto generated. In this certificate, there’s the foo.org mention adress. So the true adress is leaked. How can I correct this?

Maronion · April 9, 2018, 2:53pm

Hey, I was going to write a post with exactly the same problems.

Did you find any solution for any of them?

A certificate does not make much sense when using onion services, I would like to remove the certificate for the onion domain but don’t know how.

jibecfed · April 9, 2018, 7:59pm

did you try this?

add a subdomain like maronion.azerty.onion
tell YunoHost this is now the main domain (navigate the web interface to DNS config, or play with yunohost domain --help)
install your app on azerty.onion

Maronion · April 10, 2018, 11:54am

Yes. That does not solve the problem.

I go to http://maronion.azerty.onion/installedapp and it automatically changes to https://maronion.azerty.onion/installedapp with the warning about the certificate.
It should stay with http, https does not make much sense for onion connections.

Normally https does not add any value to an onion connection, only confusing warnings to average users.

I think yunohost should not do https on .onion domains, only in a very complex onion setup a certificate could make some sense.

How can I configure it so that it stays on http when connecting to my .onion domain?

jibecfed · April 16, 2018, 7:53pm

Here is what we do in most of our scripts:

github.com

YunoHost/example_ynh/blob/master/conf/nginx.conf#L7


location __PATH__ {


# Path to source
alias __FINALPATH__/ ;


if ($scheme = http) {
  rewrite ^ https://$server_name$request_uri? permanent;
}


# Example PHP configuration (remove if not used)
index index.php;


# Common parameter to increase upload size limit in conjuction with dedicated php-fpm file
#client_max_body_size 50M;


try_files $uri $uri/ index.php;
location ~ [^/]\.php(/|$) {

It means we redirect our apps to make sure it will use https.
I assume you have to find your nginx configuration file for your app, and inverse this test.

Here is the helper we use to install a nginx file:

github.com

YunoHost/yunohost/blob/unstable/data/helpers.d/backend#L129


#
# usage: ynh_add_nginx_config
#
# This will use a template in ../conf/nginx.conf
#   __PATH__      by  $path_url
#   __DOMAIN__    by  $domain
#   __PORT__      by  $port
#   __NAME__      by  $app
#   __FINALPATH__ by  $final_path
#
ynh_add_nginx_config () {
	finalnginxconf="/etc/nginx/conf.d/$domain.d/$app.conf"
	ynh_backup_if_checksum_is_different "$finalnginxconf"
	sudo cp ../conf/nginx.conf "$finalnginxconf"


	# To avoid a break by set -u, use a void substitution ${var:-}. If the variable is not set, it's simply set with an empty variable.
	# Substitute in a nginx config file only if the variable is not empty
	if test -n "${path_url:-}"; then
		# path_url_slash_less is path_url, or a blank value if path_url is only '/'
		local path_url_slash_less=${path_url%/}
		ynh_replace_string "__PATH__/" "$path_url_slash_less/" "$finalnginxconf"

You should be able to guess where is the file
enjoy

peer · August 30, 2018, 7:56am

Hey libecfed!

Your trick on the subdomain works! I mean it does solve the issue of seeing unwanted data in the certificate.

I have not tried your suggestions to avoid redirection.