Configure Nginx Reverse Proxy for Netbird Forwarding

Fix Vanguards wait loop to respect --control_ip arg
Security Fix: Bind ControlPort to 127.0.0.1 for host network mode
2026-02-07 02:47:42 -05:00 · 2026-02-07 00:37:13 -05:00 · 2026-02-07 00:30:14 -05:00 · 2026-02-07 00:26:21 -05:00 · 2026-02-07 00:15:13 -05:00 · 2026-02-07 00:11:18 -05:00
3 changed files with 66 additions and 13 deletions
--- a/assets/entrypoint.sh
+++ b/assets/entrypoint.sh
@ -7,11 +7,22 @@ if [ "$1" = "vanguards" ]; then
    echo "Starting Vanguards Sidecar Mode..."
    shift # remove 'vanguards' from the arguments
-    # Extract the hostname from the arguments? 
+    # Extract TARGET_HOST from arguments (looking for --control_ip)
-    # For now, we assume 'tor-service' as per the standard docker-compose setup
+    TARGET_HOST="tor-service" # Default fallback
    TARGET_HOST="tor-service"
    TARGET_PORT=9051
    # Simple argument parsing to find control_ip
    next_is_ip=0
    for arg in "$@"; do
        if [ "$next_is_ip" -eq 1 ]; then
            TARGET_HOST="$arg"
            next_is_ip=0
        fi
        if [ "$arg" = "--control_ip" ]; then
            next_is_ip=1
        fi
    done
    echo "Waiting for Tor Control Port at $TARGET_HOST:$TARGET_PORT..."
    # Use Python to wait for the port (more reliable than Alpine's nc)
    python3 -c "import socket, time;
@ -72,7 +83,7 @@ if [ -n "$TOR_CONTROL_PASSWORD" ]; then
        exit 1
    fi
-    echo "ControlPort 0.0.0.0:9051" >> "$TOR_CONFIG"
+    echo "ControlPort 127.0.0.1:9051" >> "$TOR_CONFIG"
    echo "HashedControlPassword $HASHED_PASSWORD" >> "$TOR_CONFIG"
    echo "Control Password set."
 else
@ -122,7 +133,15 @@ fi
 # 4. Ownership Fix (Crucial for Docker volumes)
 mkdir -p "$DATA_DIR/hidden_service/"
 # Ensure the current user owns the data directory (Fix for Podman/Docker permission mismatch)
 if [ "$(id -u)" = "0" ]; then
    chown -R tor:root "$DATA_DIR"
 else
    # Non-root (e.g. Podman rootless or user:1000), we just hope we have write access
    # or that the volume was mounted with correct permissions.
    # But let's try to be helpful if we are root-ish.
    :
 fi
 chmod 700 "$DATA_DIR"
 chmod 700 "$DATA_DIR/hidden_service/"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -4,16 +4,20 @@ services:
    build: .
    image: docker-tor-hidden-service:latest
    container_name: tor-service
    user: "0:0"
    restart: unless-stopped
    network_mode: host
    environment:
      # Format: ExternalPort:ContainerName:InternalPort
-      - HIDDEN_SERVICE_HOSTS=80:web:80
+      # Since we are on host network, 'web' hostname won't resolve via Docker DNS.
      # We must point to localhost if nginx is also on host network.
      - HIDDEN_SERVICE_HOSTS=80:localhost:80
      - TOR_CONTROL_PASSWORD=secure_password
-    ports:
+    # ports:  <-- Not needed in host mode
-      - "9051:9051" 
+    #   - "9051:9051"
-      - "9050:9050" 
+    #   - "9050:9050"
    volumes:
-      - tor-data:/var/lib/tor/
+      - ./tor-data:/var/lib/tor/:z
    depends_on:
      - web
@ -22,19 +26,25 @@ services:
    image: nginx:alpine
    container_name: my-website
    restart: unless-stopped
    network_mode: host
    volumes:
      - ./nginx/default.conf:/etc/nginx/conf.d/default.conf:ro
  # Vanguards Service - Sidecar
  vanguards:
    build: .
    image: docker-tor-hidden-service:latest
    container_name: vanguards-sidecar
    user: "0:0"
    restart: unless-stopped
    network_mode: host
    # The 'vanguards' first word triggers the logic in your entrypoint.sh
-    command: vanguards --control_ip tor-service --control_port 9051 --control_pass secure_password
+    # Connect to localhost since we share the network stack
    command: vanguards --control_ip localhost --control_port 9051 --control_pass secure_password
    depends_on:
      - tor
    volumes:
-      - tor-data:/var/lib/tor/
+      - ./tor-data:/var/lib/tor/:z
 volumes:
-  tor-data:
+  tor-data-new:
--- a/nginx/default.conf
+++ b/nginx/default.conf
@ -0,0 +1,24 @@
 server {
    listen 80;
    server_name localhost;
    # Basic error logging
    error_log /var/log/nginx/error.log warn;
    location / {
        # CHANGE THIS to your actual Netbird Service IP and Port
        # Example: proxy_pass http://100.64.0.10:5000;
        proxy_pass http://100.x.x.x:5000;
        # Standard Proxy Headers required for most apps
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # WebSocket Support (if needed later)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
 }
Author	SHA1	Message	Date
wander	a15bd524a0	Configure Nginx Reverse Proxy for Netbird Forwarding	2026-02-07 02:47:42 -05:00
wander	13163d39f7	Fix Vanguards wait loop to respect --control_ip arg	2026-02-07 00:37:13 -05:00
wander	f87ec7af08	Security Fix: Bind ControlPort to 127.0.0.1 for host network mode	2026-02-07 00:30:14 -05:00
wander	a369dd48a4	Enable network_mode: host to fix connectivity issues	2026-02-07 00:26:21 -05:00
wander	017b76f136	Switch to bind mount ./tor-data for absolute permission control	2026-02-07 00:15:13 -05:00
wander	deebc86b2f	Fix SELinux label from :Z (private) to :z (shared)	2026-02-07 00:11:18 -05:00
wander	7750788708	Rename volume to tor-data-new to force permission reset	2026-02-07 00:09:16 -05:00
wander	115112552b	attempt to make this work for podman and docker	2026-02-06 23:45:30 -05:00