These files contain the base configuration for ProPublica’s Tor hidden service mirror.
Of note:
- We're using the nginx "subs_filter" and "headers more" modules to allow us to rewrite content and update headers, so that we can convert clearnet links into onion links, where possible.
- Based on feedback we've received, we're using Unix sockets (instead of a `127.0.0.1:___` TCP port) where nginx listens internally for the inbound connection from Tor. This ensures that a firewall misconfiguration can't expose the site running in nginx, which is likely overkill for an already-public (clearnet) website; this may also slightly improve performance and reduce socket overhead, however. If you try doing this and have issues using `sudo service nginx restart` due to leftover connections using the socket, you may have to nuke the previous sockets before starting a new nginx process:
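
The Unix-socket listener and link rewriting from the two bullets above, shown beside the loopback TCP form it replaces. This is an added example, not ProPublica's own configuration and not the socket cleanup command referred to above. The socket path, port 8080, `www.example.com`, the placeholder onion hostname, the proxied-origin layout and the choice of header to clear are all assumptions.

```nginx
# torrc (Tor's own config file, shown here as comments):
#
#   Loopback TCP form: Tor forwards to a local port. A firewall or bind
#   mistake can leave that port reachable from elsewhere.
#     HiddenServiceDir  /var/lib/tor/onion_mirror/
#     HiddenServicePort 80 127.0.0.1:8080
#
#   Unix socket form: Tor forwards to a filesystem socket, which has no
#   network address that could be exposed.
#     HiddenServiceDir  /var/lib/tor/onion_mirror/
#     HiddenServicePort 80 unix:/var/run/nginx-onion.sock

# nginx server block (goes inside the http { } context).
server {
    # Replaces: listen 127.0.0.1:8080;
    listen unix:/var/run/nginx-onion.sock;

    # Placeholder hostname, not a real onion address.
    server_name placeholderonionaddress.onion;

    location / {
        # Assumed layout: the onion site proxies the clearnet origin.
        proxy_pass https://www.example.com;
        proxy_set_header Host www.example.com;
        proxy_ssl_server_name on;

        # subs_filter needs uncompressed bodies, so ask the origin
        # not to compress its responses.
        proxy_set_header Accept-Encoding "";

        # Rewrite clearnet links to onion links. text/html is filtered
        # by default; other MIME types have to be listed.
        subs_filter_types text/css application/javascript;
        subs_filter https://www.example.com http://placeholderonionaddress.onion gi;

        # headers-more: clear a header that only describes the clearnet
        # HTTPS site. Browsers ignore HSTS received over plain HTTP, so
        # this one is illustrative.
        more_clear_headers 'Strict-Transport-Security';

        # Core nginx: rewrite redirects that point back at the clearnet host.
        proxy_redirect https://www.example.com/ http://placeholderonionaddress.onion/;
    }
}
```

After a reload, `nginx -t` validates the syntax, and the listener should show up as a Unix socket rather than a TCP port in the output of `ss -xl`.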