nginx-clearnet-example.conf

# Example Nginx Configuration for Clearnet Server with Onion-Location
#
# This is an EXAMPLE configuration showing how to add Onion-Location header
# to your CLEARNET server (not the onion service itself).
#
# Prerequisites:
# 1. Deploy the onion service using this project's docker-compose.yml
# 2. Get your .onion address from: cat tor_data/hidden_service/hostname
# 3. Apply this configuration to your clearnet nginx server
#
# DO NOT use this file in the onion service container - it's for your clearnet infrastructure only.

# Upstream configuration (adjust to your actual backend)
upstream clearnet_backend {
    server localhost:8080;
    # Or: server backend.example.com:80;
    # Or: server 192.168.1.100:3000;
}

# HTTPS server (clearnet) - where Onion-Location is needed
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name blockscout.example.com;

    # TLS/SSL Configuration (required for clearnet)
    ssl_certificate /etc/ssl/certs/your-cert.pem;
    ssl_certificate_key /etc/ssl/private/your-key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # Security Headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Onion-Location Header - The key feature!
    # Replace YOUR-ONION-ADDRESS.onion with the address from tor_data/hidden_service/hostname
    # Example: 7lxb5y5sikmt4nmsm37yq567q3zazgsxmyapjs7azssoaojxna6kftid.onion
    add_header Onion-Location http://YOUR-ONION-ADDRESS.onion$request_uri always;

    # Logging
    access_log /var/log/nginx/clearnet-access.log;
    error_log /var/log/nginx/clearnet-error.log;

    # Main location block
    location / {
        proxy_pass http://clearnet_backend;

        # Standard proxy headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # WebSocket support (if needed)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }

    # Health check endpoint (optional)
    location /health {
        access_log off;
        return 200 "OK\n";
        add_header Content-Type text/plain;
    }
}

# HTTP to HTTPS redirect (recommended)
server {
    listen 80;
    listen [::]:80;
    server_name blockscout.example.com;

    # Also include Onion-Location for HTTP visitors
    add_header Onion-Location http://YOUR-ONION-ADDRESS.onion$request_uri always;

    # Redirect to HTTPS
    return 301 https://$server_name$request_uri;
}

# Alternative: Conditional Onion-Location (only for Tor Browser)
# Uncomment if you only want to advertise .onion to Tor Browser users
#
# server {
#     listen 443 ssl http2;
#     server_name blockscout.example.com;
#
#     ssl_certificate /etc/ssl/certs/your-cert.pem;
#     ssl_certificate_key /etc/ssl/private/your-key.pem;
#
#     # Set Onion-Location only for Tor Browser
#     set $onion_location "";
#     if ($http_user_agent ~* "Tor Browser") {
#         set $onion_location "http://YOUR-ONION-ADDRESS.onion$request_uri";
#     }
#     add_header Onion-Location $onion_location always;
#
#     location / {
#         proxy_pass http://clearnet_backend;
#     }
# }

# Notes:
#
# 1. Use http:// (not https://) for .onion addresses
# 2. Include $request_uri to preserve the current page path
# 3. Use 'always' flag to include header even in error responses
# 4. Test with: curl -I https://your-domain.com | grep -i onion-location
# 5. Deploy to clearnet infrastructure only, not inside the Tor container