Configuration for ProPublica’s Tor hidden service proxy.

0 ProPublica Tor hidden service config.md

Note (December 16, 2021): These example files haven't been updated since 2016. In either 2019 or 2020, our onion domain was changed to a longer v3 onion address (p53lf57qovyuvwsc6xnrppyply3vtqm7l6pcobkmyqsiofyeznfu5uqd.onion). The examples below don't reflect this, but the configuration portions remain accurate regarding how we currently serve the onion site. (Tor Browser dropped support for v2 addresses, such as propub3r6espa33w.onion, in the second half of 2021.)

---

These files contain the base configuration for ProPublica’s Tor hidden service mirror.

Of note:

• We're using the nginx "subs_filter" and "headers more" modules to allow us to rewrite content and update headers, so that we can convert clearnet links into onion links, where possible.

• Based on feedback we've received, we're using Unix sockets (instead of a 127.0.0.1:___ TCP port) where nginx listens internally for the inbound connection from Tor. This ensures that a firewall misconfiguration can't expose the site running in nginx, which is likely overkill for an already-public (clearnet) website; this may also slightly improve performance and reduce socket overhead, however.

  If you try doing this and have issues using sudo service nginx restart due to leftover connections using the socket, you may have to nuke the previous sockets before starting a new nginx process:

  sudo service nginx stop && sudo rm /var/run/nginx-pponion-*.sock && sudo service nginx start)

Read our post for more details, including an extended tutorial about running a hidden service:
https://www.propublica.org/nerds/item/a-more-secure-and-anonymous-propublica-using-tor-hidden-services

1-torrc

# /etc/tor/torrc

# Try to run Tor more securely via a syscall sandbox.
# https://www.torproject.org/docs/tor-manual.html.en#Sandbox
Sandbox 1

# Disable the SOCKS port. Not like anything else on this box is using tor.
SocksPort 0

# Set up the hidden service. propub3r6espa33w.onion -> www.propublica.org
# We're using unix sockets instead of "127.0.0.1:xxxxx". see nginx conf.
# Docs: https://www.torproject.org/docs/tor-manual.html.en#HiddenServicePort

HiddenServiceDir /var/run/tor/pp_www_hidserv
HiddenServicePort 80  unix:/var/run/nginx-pponion-80.sock
HiddenServicePort 443 unix:/var/run/nginx-pponion-443.sock

2-nginx

# /etc/nginx/sites-enabled/propubonion.conf
#
# Note that all of our hostnames listen to a unix socket instead
# of "127.0.0.1:xxxxx".
# Docs: http://nginx.org/en/docs/http/ngx_http_core_module.html#listen

map $http_upgrade $connection_upgrade {
  default  "upgrade";
  "" "";
}

# HTTP BARE ONION
server {
    listen       unix:/var/run/nginx-pponion-80.sock;
    server_name  propub3r6espa33w.onion;
    #allow 127.0.0.1;
    allow "unix:";
    deny all;
    server_tokens off;
    rewrite ^/(.*) http://www.propub3r6espa33w.onion/$1 permanent;
}

# HTTPS BARE ONION
server {
    listen       unix:/var/run/nginx-pponion-443.sock ssl spdy;
    server_name  propub3r6espa33w.onion;
    #allow 127.0.0.1;
    allow "unix:";
    deny all;
    server_tokens off;
    ssl_certificate     www.propub3r6espa33w.onion.pem;
    ssl_certificate_key www.propub3r6espa33w.onion.key;
    rewrite ^/(.*) https://www.propub3r6espa33w.onion/$1 permanent;
}

# WWW ONION
server {
    listen       unix:/var/run/nginx-pponion-80.sock;
    listen       unix:/var/run/nginx-pponion-443.sock ssl spdy;

    server_name  www.propub3r6espa33w.onion;

    ssl_certificate     www.propub3r6espa33w.onion.pem;
    ssl_certificate_key www.propub3r6espa33w.onion.key;

    #allow 127.0.0.1;
    allow "unix:";
    deny all;

    root /usr/local/opt/nginx/html;

    # Set a short cache on this nginx end so that we avoid fetching from
    # the real infrastructure when possible.
    proxy_cache propubonion;
    proxy_cache_valid any 5m;
    proxy_cache_revalidate on;
    proxy_cache_use_stale timeout updating;
    proxy_cache_key $request_uri;
    proxy_ignore_headers expires set-cookie;

    access_log /var/log/nginx/access-propublica_hidserv.log;

    server_tokens off;

    # Blocking access to some possible abuses
    location /donate { rewrite .* https://www.propublica.org/site/donate permanent; }
    location /donate/ { rewrite .* https://www.propublica.org/site/donate permanent; }
    location /site/donate { rewrite .* https://www.propublica.org/site/donate permanent; }
    location /site/donate/ { rewrite .* https://www.propublica.org/site/donate permanent; }
    location /xxxxxxxxxxxxxx { return 403; }  # deny CMS
    location /xxxxxxxxxxxxxx/ { return 403; } # deny CMS for now
    location /site/email { return 403; }
    location /site/email/ { return 403; }

    subs_filter_types text/css text/xml application/x-javascript application/javascript text/javascript application/json;

    location / {
        #proxy_pass https://192.168.xxx.xxx;  # gist note: internal ip address
        proxy_pass https://www.propublica.org;
        proxy_http_version 1.1;
        proxy_set_header Host "www.propublica.org";
        proxy_set_header  Connection      $connection_upgrade;
        proxy_set_header  Upgrade        $http_upgrade;
        proxy_ssl_server_name on;
        proxy_read_timeout 30;
        proxy_connect_timeout 30;

        # Don't compress data, since the subs module can't replace
        proxy_set_header Accept-Encoding "";

        # TODO: currently denying non-GET requests due to some bot-related
        #       abuse on some endpoints that poorly handle that.
        limit_except GET {
            deny all;
        }

        ### SUBS https://github.com/yaoweibin/ngx_http_substitutions_filter_module ###
        # We're rewriting links, but we need to preserve rel=canonical for analytics.
        # So rewrite it to a special value and re-rewrite it back to real value later.
        subs_filter "rel=\"canonical\" href=\"http://www.propublica.org" "-----CANONICALHTTPPROPUBLICADOTORG-----" i;
        subs_filter "rel=\"canonical\" href=\"https://www.propublica.org" "-----CANONICALHTTPSPROPUBLICADOTORG-----" i;
        subs_filter "rel=\"canonical\" href=\"http://projects.propublica.org" "-----CANONICALHTTPPROJECTSPROPUBLICA-----" i;
        subs_filter "rel=\"canonical\" href=\"https://projects.propublica.org" "-----CANONICALHTTPSPROJECTSPROPUBLICA-----" i;
        # Keep in .onion
        subs_filter http://www.propublica.org/ //www.propub3r6espa33w.onion/ i;
        subs_filter https://www.propublica.org/ //www.propub3r6espa33w.onion/ i;
        subs_filter "http://www.propublica.org" "//www.propub3r6espa33w.onion" i;
        subs_filter "https://www.propublica.org" "//www.propub3r6espa33w.onion" i;
        subs_filter 'http://www.propublica.org' '//www.propub3r6espa33w.onion' i;
        subs_filter 'https://www.propublica.org' '//www.propub3r6espa33w.onion' i;
        subs_filter http://projects.propublica.org/ //projects.propub3r6espa33w.onion/ i;
        subs_filter https://projects.propublica.org/ //projects.propub3r6espa33w.onion/ i;
        subs_filter http://static.propublica.org/ //static.propub3r6espa33w.onion/ i;
        subs_filter https://static.propublica.org/ //static.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)?//(www\.)?propublica\.org/ //www.propub3r6espa33w.onion/ gir;
        #subs_filter (http:|https:)?//projects\.propublica\.org/ //projects.propub3r6espa33w.onion/ gir;
        subs_filter (http:|https:)?//static\.propublica\.org/ //static.propub3r6espa33w.onion/ gir;
        subs_filter http://tiles-[abcd].propublica.org/ https://d3i4wq2ul46tvd.cloudfront.net/ ir;
        subs_filter http://tiles-\{s}.propublica.org/ https://d3i4wq2ul46tvd.cloudfront.net/ i;
        subs_filter (http:|https:)//securedrop.propublica.org http://pubdrop4dw6rk3aq.onion i;
        subs_filter http://feeds.propublica.org/ //feeds.propub3r6espa33w.onion/ i;
        subs_filter https://feeds.propublica.org/ //feeds.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)?//feeds\.propublica\.org/ //feeds.propub3r6espa33w.onion/ gir;
        subs_filter (http:|https:)//propublica.s3.amazonaws.com/ //static.propub3r6espa33w.onion/ i;
        subs_filter //propublica.s3.amazonaws.com/ //static.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//cdn.propublica.net.s3.amazonaws.com/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //cdn.propublica.net.s3.amazonaws.com/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//s3.amazonaws.com/cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //s3.amazonaws.com/cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//d1t8xfi7n2gbr1.cloudfront.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //d1t8xfi7n2gbr1.cloudfront.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter http://s3.amazonaws.com/ https://s3.amazonaws.com/ i;
        subs_filter \"//s3.amazonaws.com/ \"https://s3.amazonaws.com/ i;
        # Restore the rel="canonical" tag
        subs_filter "-----CANONICALHTTPPROPUBLICADOTORG-----" "rel=\"canonical\" href=\"http://www.propublica.org" i;
        subs_filter "-----CANONICALHTTPSPROPUBLICADOTORG-----" "rel=\"canonical\" href=\"https://www.propublica.org" i;
        subs_filter "-----CANONICALHTTPPROJECTSPROPUBLICA-----" "rel=\"canonical\" href=\"http://projects.propublica.org" i;
        subs_filter "-----CANONICALHTTPSPROJECTSPROPUBLICA-----" "rel=\"canonical\" href=\"https://projects.propublica.org" i;
        ### /SUBS ###

        ### HEADERS http://wiki.nginx.org/HttpHeadersMoreModule ###
        more_set_headers "Access-Control-Allow-Origin: https://www.propublica.org, https://projects.propublica.org, https://static.propublica.org, http://www.propub3r6espa33w.onion, http://projects.propub3r6espa33w.onion, http://static.propub3r6espa33w.onion"
        more_clear_headers "Age";
        more_clear_headers "Server";
        more_clear_headers "Via";
        more_clear_headers "X-From-Nginx";
        more_clear_headers "X-NA";
        more_clear_headers "X-Powered-By";
        more_clear_headers "X-Request-Id";
        more_clear_headers "X-Runtime";
        more_clear_headers "X-Varnish";

        more_clear_headers "Content-Security-Policy-Report-Only";
        ### /HEADERS ###
    }
}






# PROJECTS ONION
server {
    listen       127.0.0.1:33170;
    listen       127.0.0.1:33180 ssl;
    server_name  projects.propub3r6espa33w.onion;

    #allow 127.0.0.1;
    allow "unix:";
    deny all;

    access_log /var/log/nginx/access-projects_hidserv.log;

    server_tokens off;

    ssl_certificate     www.propub3r6espa33w.onion.pem;
    ssl_certificate_key www.propub3r6espa33w.onion.key;

    rewrite ^/$ https://www.propub3r6espa33w.onion/data/;

    # temporarily redirecting this to projects.propublica.org (which works)
    # until we can until we can get better routing rules (and figure out
    # anti-abuse)
    rewrite ^/(.*) https://projects.propublica.org/$1 redirect;
}







# STATIC ONION
server {
    listen       unix:/var/run/nginx-pponion-80.sock;
    listen       unix:/var/run/nginx-pponion-443.sock ssl spdy;
    server_name  static.propub3r6espa33w.onion;

    #allow 127.0.0.1;
    allow "unix:";
    deny all;

    access_log /var/log/nginx/access-assets_hidserv.log;

    server_tokens off;

    ssl_certificate     www.propub3r6espa33w.onion.pem;
    ssl_certificate_key www.propub3r6espa33w.onion.key;

    rewrite ^/$ http://www.propub3r6espa33w.onion/;

    subs_filter_types text/css text/xml application/x-javascript application/javascript text/javascript application/json;

    location / {
        proxy_pass https://static.propublica.org;
        proxy_http_version 1.1;
        proxy_set_header Host "static.propublica.org";
        proxy_set_header  Connection      $connection_upgrade;
        proxy_set_header  Upgrade        $http_upgrade;
        proxy_ssl_server_name on;
        proxy_read_timeout 30;
        proxy_connect_timeout 30;

        # Don't compress data, since the subs module can't replace
        proxy_set_header Accept-Encoding "";

        ### SUBS https://github.com/yaoweibin/ngx_http_substitutions_filter_module ###
        # We're rewriting links, but we need to preserve rel=canonical for analytics.
        # So rewrite it to a special value and re-rewrite it back to real value later.
        subs_filter "rel=\"canonical\" href=\"http://www.propublica.org" "-----CANONICALHTTPPROPUBLICADOTORG-----" i;
        subs_filter "rel=\"canonical\" href=\"https://www.propublica.org" "-----CANONICALHTTPSPROPUBLICADOTORG-----" i;
        subs_filter "rel=\"canonical\" href=\"http://projects.propublica.org" "-----CANONICALHTTPPROJECTSPROPUBLICA-----" i;
        subs_filter "rel=\"canonical\" href=\"https://projects.propublica.org" "-----CANONICALHTTPSPROJECTSPROPUBLICA-----" i;
        # Keep in .onion
        subs_filter http://www.propublica.org/ //www.propub3r6espa33w.onion/ i;
        subs_filter https://www.propublica.org/ //www.propub3r6espa33w.onion/ i;
        subs_filter "http://www.propublica.org" "//www.propub3r6espa33w.onion" i;
        subs_filter "https://www.propublica.org" "//www.propub3r6espa33w.onion" i;
        subs_filter 'http://www.propublica.org' '//www.propub3r6espa33w.onion' i;
        subs_filter 'https://www.propublica.org' '//www.propub3r6espa33w.onion' i;
        subs_filter http://projects.propublica.org/ //projects.propub3r6espa33w.onion/ i;
        subs_filter https://projects.propublica.org/ //projects.propub3r6espa33w.onion/ i;
        subs_filter http://static.propublica.org/ //static.propub3r6espa33w.onion/ i;
        subs_filter https://static.propublica.org/ //static.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)?//(www\.)?propublica\.org/ //www.propub3r6espa33w.onion/ gir;
        #subs_filter (http:|https:)?//projects\.propublica\.org/ //projects.propub3r6espa33w.onion/ gir;
        subs_filter (http:|https:)?//static\.propublica\.org/ //static.propub3r6espa33w.onion/ gir;
        subs_filter http://tiles-[abcd].propublica.org/ https://d3i4wq2ul46tvd.cloudfront.net/ ir;
        subs_filter http://tiles-\{s}.propublica.org/ https://d3i4wq2ul46tvd.cloudfront.net/ i;
        subs_filter (http:|https:)//securedrop.propublica.org http://pubdrop4dw6rk3aq.onion i;
        subs_filter http://feeds.propublica.org/ //feeds.propub3r6espa33w.onion/ i;
        subs_filter https://feeds.propublica.org/ //feeds.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)?//feeds\.propublica\.org/ //feeds.propub3r6espa33w.onion/ gir;
        subs_filter (http:|https:)//propublica.s3.amazonaws.com/ //static.propub3r6espa33w.onion/ i;
        subs_filter //propublica.s3.amazonaws.com/ //static.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//cdn.propublica.net.s3.amazonaws.com/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //cdn.propublica.net.s3.amazonaws.com/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//s3.amazonaws.com/cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //s3.amazonaws.com/cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//d1t8xfi7n2gbr1.cloudfront.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //d1t8xfi7n2gbr1.cloudfront.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter http://s3.amazonaws.com/ https://s3.amazonaws.com/ i;
        subs_filter \"//s3.amazonaws.com/ \"https://s3.amazonaws.com/ i;
        # Restore the rel="canonical" tag
        subs_filter "-----CANONICALHTTPPROPUBLICADOTORG-----" "rel=\"canonical\" href=\"http://www.propublica.org" i;
        subs_filter "-----CANONICALHTTPSPROPUBLICADOTORG-----" "rel=\"canonical\" href=\"https://www.propublica.org" i;
        subs_filter "-----CANONICALHTTPPROJECTSPROPUBLICA-----" "rel=\"canonical\" href=\"http://projects.propublica.org" i;
        subs_filter "-----CANONICALHTTPSPROJECTSPROPUBLICA-----" "rel=\"canonical\" href=\"https://projects.propublica.org" i;
        ### /SUBS ###

        ### HEADERS http://wiki.nginx.org/HttpHeadersMoreModule ###
        more_set_input_headers "Host: static.propublica.org"
        more_set_headers "Access-Control-Allow-Origin: https://www.propublica.org, https://projects.propublica.org, https://static.propublica.org, http://www.propub3r6espa33w.onion, http://projects.propub3r6espa33w.onion, http://static.propub3r6espa33w.onion"
        more_clear_headers "Age";
        more_clear_headers "Server";
        more_clear_headers "Via";
        more_clear_headers "X-From-Nginx";
        more_clear_headers "X-NA";
        more_clear_headers "X-Powered-By";
        more_clear_headers "X-Request-Id";
        more_clear_headers "X-Runtime";
        more_clear_headers "X-Varnish";

        more_clear_headers "Content-Security-Policy-Report-Only";
        ### /HEADERS ###
    }
}


# CDN ONION
server {
    listen       unix:/var/run/nginx-pponion-80.sock;
    listen       unix:/var/run/nginx-pponion-443.sock ssl spdy;
    server_name  cdn.propub3r6espa33w.onion;

    #allow 127.0.0.1;
    allow "unix:";
    deny all;

    access_log /var/log/nginx/access-cdn_hidserv.log;

    server_tokens off;

    ssl_certificate     www.propub3r6espa33w.onion.pem;
    ssl_certificate_key www.propub3r6espa33w.onion.key;

    rewrite ^/$ http://www.propub3r6espa33w.onion/;

    subs_filter_types text/css text/xml application/x-javascript application/javascript text/javascript application/json;

    location / {
        proxy_pass https://d1t8xfi7n2gbr1.cloudfront.net;
        proxy_http_version 1.1;
        proxy_set_header Host "d1t8xfi7n2gbr1.cloudfront.net";
        proxy_set_header  Connection      $connection_upgrade;
        proxy_set_header  Upgrade        $http_upgrade;
        proxy_ssl_server_name on;
        proxy_read_timeout 30;
        proxy_connect_timeout 30;

        # Don't compress data, since the subs module can't replace
        proxy_set_header Accept-Encoding "";

        ### SUBS https://github.com/yaoweibin/ngx_http_substitutions_filter_module ###
        # We're rewriting links, but we need to preserve rel=canonical for analytics.
        # So rewrite it to a special value and re-rewrite it back to real value later.
        subs_filter "rel=\"canonical\" href=\"http://www.propublica.org" "-----CANONICALHTTPPROPUBLICADOTORG-----" i;
        subs_filter "rel=\"canonical\" href=\"https://www.propublica.org" "-----CANONICALHTTPSPROPUBLICADOTORG-----" i;
        subs_filter "rel=\"canonical\" href=\"http://projects.propublica.org" "-----CANONICALHTTPPROJECTSPROPUBLICA-----" i;
        subs_filter "rel=\"canonical\" href=\"https://projects.propublica.org" "-----CANONICALHTTPSPROJECTSPROPUBLICA-----" i;
        # Keep in .onion
        subs_filter http://www.propublica.org/ //www.propub3r6espa33w.onion/ i;
        subs_filter https://www.propublica.org/ //www.propub3r6espa33w.onion/ i;
        subs_filter "http://www.propublica.org" "//www.propub3r6espa33w.onion" i;
        subs_filter "https://www.propublica.org" "//www.propub3r6espa33w.onion" i;
        subs_filter 'http://www.propublica.org' '//www.propub3r6espa33w.onion' i;
        subs_filter 'https://www.propublica.org' '//www.propub3r6espa33w.onion' i;
        subs_filter http://projects.propublica.org/ //projects.propub3r6espa33w.onion/ i;
        subs_filter https://projects.propublica.org/ //projects.propub3r6espa33w.onion/ i;
        subs_filter http://static.propublica.org/ //static.propub3r6espa33w.onion/ i;
        subs_filter https://static.propublica.org/ //static.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)?//(www\.)?propublica\.org/ //www.propub3r6espa33w.onion/ gir;
        #subs_filter (http:|https:)?//projects\.propublica\.org/ //projects.propub3r6espa33w.onion/ gir;
        subs_filter (http:|https:)?//static\.propublica\.org/ //static.propub3r6espa33w.onion/ gir;
        subs_filter http://tiles-[abcd].propublica.org/ https://d3i4wq2ul46tvd.cloudfront.net/ ir;
        subs_filter http://tiles-\{s}.propublica.org/ https://d3i4wq2ul46tvd.cloudfront.net/ i;
        subs_filter (http:|https:)//securedrop.propublica.org http://pubdrop4dw6rk3aq.onion i;
        subs_filter http://feeds.propublica.org/ //feeds.propub3r6espa33w.onion/ i;
        subs_filter https://feeds.propublica.org/ //feeds.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)?//feeds\.propublica\.org/ //feeds.propub3r6espa33w.onion/ gir;
        subs_filter (http:|https:)//propublica.s3.amazonaws.com/ //static.propub3r6espa33w.onion/ i;
        subs_filter //propublica.s3.amazonaws.com/ //static.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//cdn.propublica.net.s3.amazonaws.com/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //cdn.propublica.net.s3.amazonaws.com/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//s3.amazonaws.com/cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //s3.amazonaws.com/cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//d1t8xfi7n2gbr1.cloudfront.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //d1t8xfi7n2gbr1.cloudfront.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter http://s3.amazonaws.com/ https://s3.amazonaws.com/ i;
        subs_filter \"//s3.amazonaws.com/ \"https://s3.amazonaws.com/ i;
        # Restore the rel="canonical" tag
        subs_filter "-----CANONICALHTTPPROPUBLICADOTORG-----" "rel=\"canonical\" href=\"http://www.propublica.org" i;
        subs_filter "-----CANONICALHTTPSPROPUBLICADOTORG-----" "rel=\"canonical\" href=\"https://www.propublica.org" i;
        subs_filter "-----CANONICALHTTPPROJECTSPROPUBLICA-----" "rel=\"canonical\" href=\"http://projects.propublica.org" i;
        subs_filter "-----CANONICALHTTPSPROJECTSPROPUBLICA-----" "rel=\"canonical\" href=\"https://projects.propublica.org" i;
        ### /SUBS ###

        ### HEADERS http://wiki.nginx.org/HttpHeadersMoreModule ###
        more_set_input_headers "Host: d1t8xfi7n2gbr1.cloudfront.net"
        more_set_headers "Access-Control-Allow-Origin: https://www.propublica.org, https://projects.propublica.org, https://static.propublica.org, http://www.propub3r6espa33w.onion, http://projects.propub3r6espa33w.onion, http://static.propub3r6espa33w.onion"
        more_clear_headers "Age";
        more_clear_headers "Server";
        more_clear_headers "Via";
        more_clear_headers "X-From-Nginx";
        more_clear_headers "X-NA";
        more_clear_headers "X-Powered-By";
        more_clear_headers "X-Request-Id";
        more_clear_headers "X-Runtime";
        more_clear_headers "X-Varnish";

        more_clear_headers "Content-Security-Policy-Report-Only";
        ### /HEADERS ###
    }
}

# FEEDS ONION
server {
    listen       unix:/var/run/nginx-pponion-80.sock;
    listen       unix:/var/run/nginx-pponion-443.sock ssl spdy;
    server_name  feeds.propub3r6espa33w.onion;

    #allow 127.0.0.1;
    allow "unix:";
    deny all;

    access_log /var/log/nginx/access-feeds_hidserv.log;

    server_tokens off;

    ssl_certificate     www.propub3r6espa33w.onion.pem;
    ssl_certificate_key www.propub3r6espa33w.onion.key;

    rewrite ^/$ http://www.propub3r6espa33w.onion/;

    subs_filter_types text/css text/xml application/x-javascript application/javascript text/javascript application/json;

    location / {
        proxy_pass https://feeds.propublica.org;
        proxy_http_version 1.1;
        proxy_set_header Host "feeds.propublica.org";
        proxy_set_header  Connection      $connection_upgrade;
        proxy_set_header  Upgrade        $http_upgrade;
        proxy_ssl_server_name on;
        proxy_read_timeout 30;
        proxy_connect_timeout 30;

        # Don't compress data, since the subs module can't replace
        proxy_set_header Accept-Encoding "";

        ### SUBS https://github.com/yaoweibin/ngx_http_substitutions_filter_module ###
        # We're rewriting links, but we need to preserve rel=canonical for analytics.
        # So rewrite it to a special value and re-rewrite it back to real value later.
        subs_filter "rel=\"canonical\" href=\"http://www.propublica.org" "-----CANONICALHTTPPROPUBLICADOTORG-----" i;
        subs_filter "rel=\"canonical\" href=\"https://www.propublica.org" "-----CANONICALHTTPSPROPUBLICADOTORG-----" i;
        subs_filter "rel=\"canonical\" href=\"http://projects.propublica.org" "-----CANONICALHTTPPROJECTSPROPUBLICA-----" i;
        subs_filter "rel=\"canonical\" href=\"https://projects.propublica.org" "-----CANONICALHTTPSPROJECTSPROPUBLICA-----" i;
        # Keep in .onion
        subs_filter http://www.propublica.org/ //www.propub3r6espa33w.onion/ i;
        subs_filter https://www.propublica.org/ //www.propub3r6espa33w.onion/ i;
        subs_filter "http://www.propublica.org" "//www.propub3r6espa33w.onion" i;
        subs_filter "https://www.propublica.org" "//www.propub3r6espa33w.onion" i;
        subs_filter 'http://www.propublica.org' '//www.propub3r6espa33w.onion' i;
        subs_filter 'https://www.propublica.org' '//www.propub3r6espa33w.onion' i;
        subs_filter http://projects.propublica.org/ //projects.propub3r6espa33w.onion/ i;
        subs_filter https://projects.propublica.org/ //projects.propub3r6espa33w.onion/ i;
        subs_filter http://static.propublica.org/ //static.propub3r6espa33w.onion/ i;
        subs_filter https://static.propublica.org/ //static.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)?//(www\.)?propublica\.org/ //www.propub3r6espa33w.onion/ gir;
        #subs_filter (http:|https:)?//projects\.propublica\.org/ //projects.propub3r6espa33w.onion/ gir;
        subs_filter (http:|https:)?//static\.propublica\.org/ //static.propub3r6espa33w.onion/ gir;
        subs_filter http://tiles-[abcd].propublica.org/ https://d3i4wq2ul46tvd.cloudfront.net/ ir;
        subs_filter http://tiles-\{s}.propublica.org/ https://d3i4wq2ul46tvd.cloudfront.net/ i;
        subs_filter (http:|https:)//securedrop.propublica.org http://pubdrop4dw6rk3aq.onion i;
        subs_filter http://feeds.propublica.org/ //feeds.propub3r6espa33w.onion/ i;
        subs_filter https://feeds.propublica.org/ //feeds.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)?//feeds\.propublica\.org/ //feeds.propub3r6espa33w.onion/ gir;
        subs_filter (http:|https:)//propublica.s3.amazonaws.com/ //static.propub3r6espa33w.onion/ i;
        subs_filter //propublica.s3.amazonaws.com/ //static.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//cdn.propublica.net.s3.amazonaws.com/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //cdn.propublica.net.s3.amazonaws.com/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//s3.amazonaws.com/cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //s3.amazonaws.com/cdn.propublica.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter (http:|https:)//d1t8xfi7n2gbr1.cloudfront.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter //d1t8xfi7n2gbr1.cloudfront.net/ //cdn.propub3r6espa33w.onion/ i;
        subs_filter http://s3.amazonaws.com/ https://s3.amazonaws.com/ i;
        subs_filter \"//s3.amazonaws.com/ \"https://s3.amazonaws.com/ i;
        # Restore the rel="canonical" tag
        subs_filter "-----CANONICALHTTPPROPUBLICADOTORG-----" "rel=\"canonical\" href=\"http://www.propublica.org" i;
        subs_filter "-----CANONICALHTTPSPROPUBLICADOTORG-----" "rel=\"canonical\" href=\"https://www.propublica.org" i;
        subs_filter "-----CANONICALHTTPPROJECTSPROPUBLICA-----" "rel=\"canonical\" href=\"http://projects.propublica.org" i;
        subs_filter "-----CANONICALHTTPSPROJECTSPROPUBLICA-----" "rel=\"canonical\" href=\"https://projects.propublica.org" i;
        ### /SUBS ###

        ### HEADERS http://wiki.nginx.org/HttpHeadersMoreModule ###
        more_set_input_headers "Host: feeds.propublica.org"
        more_set_headers "Access-Control-Allow-Origin: https://www.propublica.org, https://projects.propublica.org, https://static.propublica.org, http://www.propub3r6espa33w.onion, http://projects.propub3r6espa33w.onion, http://static.propub3r6espa33w.onion"
        more_clear_headers "Age";
        more_clear_headers "Server";
        more_clear_headers "Via";
        more_clear_headers "X-From-Nginx";
        more_clear_headers "X-NA";
        more_clear_headers "X-Powered-By";
        more_clear_headers "X-Request-Id";
        more_clear_headers "X-Runtime";
        more_clear_headers "X-Varnish";

        more_clear_headers "Content-Security-Policy-Report-Only";
        ### /HEADERS ###
    }
}

@mtigas For a little security boost that shouldn't hurt, I recommend putting 'Sandbox 1' in your torrc.

@ageis: oh awesome, thanks. done in the real server, gonna update this shortly.

based on other feedback, also working on updating the config for unix sockets instead of relying on the 127.0.0.1 TCP port.

@mtigas is this currently working for .onion subdomain rewrites? the static.propub3r6espa33w.onion seems to redirect to the main Tor site currently and projects.propub3r6espa33w.onion fails with a security risk warning.