Disroot as tor hidden service #369
Labels
No Label
administration
Akkoma
Android
Bare metal
bug
Communication
Community
Cryptpad
Discussion
Documentation
duplicate
enhancement
etherpad
Feature request
Feedback
finances
Fixed
forgejo
fun_project
Goal 2024
help wanted
Howto
🤔️ Investigate
ios
jitsi
lacre
Lacre Test
ldap
Lemmy
LibreTranslate
low prio
Lufi
macos
Mail
Merch
monitoring
movim
needs_refine
New Auth
Nextcloud
nice to have
on hold
proposal
question
Ready
refined
Roundcube
searX
spam-protection
Staging Server
Themes
TOR
Urgent!
Website
windows
wontfix
xmpp
Yearly Report
No Milestone
No project
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Blocks
Depends on
#571 [TOR] - Create onion address for akkoma.
Disroot/Disroot-Project
#576 [Tor] - Add onion service for mumble
Disroot/Disroot-Project
#564 [TOR] - disroot.org onion address not autodetected.
Disroot/Disroot-Project
#565 [TOR] - add onion address for mumble
Disroot/Disroot-Project
#566 [Tor] - Provide onion address for smtp/imap/pop3
Disroot/Disroot-Project
#567 [Tor] - Provide onion address for xmpp
Disroot/Disroot-Project
Reference: Disroot/Disroot-Project#369
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
People have been asking for Disroot as tor hidden service for 5 years now. Privacy is getting more and more important, and some contries are blocking the outside clearnet completely.
It will run fine out of the box on any linux, and it's only 3 lines of extra configuration to the
/etc/torrcRun:and plug the long value into the next line:
The control socket is so you can run diagnostic tools like
nyxand it's rw tor user only.Plus 2 lines for each service you want onioned (all please :-)
Then look in each of the
/var/lib/tor/*-hsv3/hostnameto get the onion addresses of each of the services you run and put them up in your web pages.
If you have a firewall, you need to open it for the user tor is running as, TCP ports only. You can even restrict it to ports 443,8000-9999 and safely cover most of the traffic.
@muppeth Can't take more than an hour all tolled; about 12 minutes for each year it's been asked for :-)
This was one of the first issues raised 2 years ago #29
Are are almost ready to push this. I still need to check and possibly update current setup on proxy servers and once this is cleared up, push it.
We will deployed normally during next deployment frame: Disroot/CHANGELOG#361
@meaz Has this been pushed yet? I see no mention of it on the homepage.
What services are supported? It's easy to support mutiple ports on one tor instance.
@muppeth People have been asking for Disroot as tor hidden service for 6 years now. It's not more than a hour's work to set all of this up...
Repoening as I am the originator and it has not been resolved in my view.
@emdee This has been rolled out as mentioned.
Set of services are available as onion address since March as posted in https://disroot.org/en/blog/disnews-9
The info whether the onion address is provided is on each service page eg:https://disroot.org/en/services/email
Additionally we provide
add_header Onion-Locationon "plain" address so people can easily switch to onion one.We arent providing mail (SMTP/IMAP) nor xmpp (5222) as we still need to assess possible abuse.
Nice to know that things might be progressing every few years (@muppeth :-), but:
There is no listing of the onion address on the homepage where it should be.
There is no listing of the onion addresses on the disnews-9 post where it might be.
There is no listing of the onion addresses on the service page where I hoped it would be https://disroot.org/en/services/email
There is no autodetection in the browser for disroot.org
If the onion address is the one autodetected in the browser on git.disroot.org
http://kgtz2pmmov5jfvn3z4mqryffjnnw6krzrgxxoyaqhqckjrr4pckyhsqd.onion/
then it's not working:
502 Bad Gateway
nginx
What are the domains that are autodetecting and which are not?
If you will be onioning the webmail then you need to explain why you are not onioning SMTP/POP3/IMAP - instead of a blog post on a blog most people don't know about, how about a webpage on Tor access linked to from the homepage, and linked to from each supported service page? It should list the services you are planning to support, and the decade/century in which the onion service is planned for. Some of them can be done now: e.g. mumble.
Are there are any tests for this? If so they are not working. (If it's not tested it's broken :-()
Reopening as I am the originator and it has not been resolved in my view; this is why it's considered more professional to get the originator to close an issue, so that they confirm the issue has been addressed and solved.
Hi there,
Thanks for being presistant with your issue. Below some explanations and additional issues created that should speed up things and hopefully you won't need to wait until humanity builds a Dyson sphere to get onion services for the entire platform.
That's because it's listed on service page. Adding onion button for each tile of the service on the front page would just add clutter and we decided not to do it because:
Because those are posted on the service page and are autodetected. If they aren't means they are missing link for one or another reason.
Simply untrue. Go again to the page you linked (email), Next to "signup" and "Login" you have "Tor" button. That applies to every service with existing onion address.
Sould be, but looks like the header is not recognized by the browser. That vhost serving is a particular one with few other locations so this could be the reason. I made an issue to fix it: #564
Fixed! There was a little issue with the proxy server after migration that wasn't pointing to proper destination for the onion vhost. Thanks for reporting. I fixed it in production and supplied a fix to orchestration for permanent fix.
Info provided on page of each service.
Don't see reason why should we explain on seperate page things like why we provide A but not B. Main goal is to provide all services but main condition is possible abuse. So some services are easier and are or will be (look below) provided, and some need some extra thought put to it.
I think it's quite obvious why we dont provide imap/pop3/smtp over tor. We need to asses and prepare servers and ourself for possible counter actions against abuse. Today you complain there is no imap support for tor, tomorrow you will complain everyone is blocking disroot domains. At this moment we have other priorities and so there is no ETA on when will that happen, but given there are people like yourself looking forward to it, adds some extra priority points. Whether it will be done this century or not, is not known yet. Ping me next decade if it didnt happen yet? :)
I will add all issues I just made as dependency for this issue so you can follow it. I hope the explanations given are clear even if not exactly what you would like. If you have suggestions comments, ideas, please feel free to post. As pointed out indeed I think I have rushed with closing this ticket. Specially without creating the followup issues. That would definitely push the whole process beyond reaching singularity or even further.
Thanks for your help, and sorry I missed the Tor button; when I look for an onion link, I tend to look for the text "onion" on a page, and to me "explcit is better than implicit". So some suggestions are:
Make the onion link on the Home page explicit.
Make the onion link on the service/email page explicit as well as the button, and note that you still don't support IMAP/POP3/SMTP yet.
Don't rely on the autodetect too much as it may not be a browser that knows autodetect that is accessing the service. Also, autosuggestion is a configurable preference and may be turned off globally in the browser.
Not trying to be ornery, but let me continue with what's still ToDo:
The link pointed to by Tor on services/email doesn't work:
http://vvobhgocv3jvjwjjyrocao3vij4q7xuk5panbckqwihuztuuvjiwqdid.onion/
There is no mention of Tor on the homepage.
The link autosuggested by disroot.org/en goes somewhere else http://j4dhkkxfcsvzvh3p5djkmuehhgd6t6l7wmzih6b4ss744hegwkiae7ad.onion/ but doesn't it work.
The onion link in 4) is different from the autodetect link I listed above (which now does work) - probably git. vs www.. As there are now multiple different onion addresses it would be nice to have an explanation on the homepage, or better yet, a Tor page that lists all of the Tor services, active now and planned ( and those drooled over). I'm already lost following the different onions, and having them all linked to and summarized in one place will make it easier to test.
The Tor button on /nextcloud points to http://3rhtbo7bb3o5qvx2iyirppxxtpwnlxkavdyjdckmuzh2uohibignufqd.onion/ which redirects automatically to https://cloud.disroot.org/login :-(
The autodetect points to http://j4dhkkxfcsvzvh3p5djkmuehhgd6t6l7wmzih6b4ss744hegwkiae7ad.onion/en/services/nextcloud which does NOT work, and I think is wrong. Maybe open an issue to add Tor to nextcloud?
The Tor button on /services/search works but the autodetect does NOT - http://j4dhkkxfcsvzvh3p5djkmuehhgd6t6l7wmzih6b4ss744hegwkiae7ad.onion/en/services/search
The Tor button/services/cryptpad works but the autodetect does NOT - http://j4dhkkxfcsvzvh3p5djkmuehhgd6t6l7wmzih6b4ss744hegwkiae7ad.onion/en/services/cryptpad Add an issue for /cryptpad ?
/services/privatebin has a Tor button that does NOT work to http://j4dhkkxfcsvzvh3p5djkmuehhgd6t6l7wmzih6b4ss744hegwkiae7ad.onion/en/services/privatebin NOR does the autodetect at http://fgb4city54qtch7pdulgryete6hora4dmsrbuygoczrcdtlgpudaftid.onion/ Add an issue for /privatebin ?
There are clearly no tests written to make sure the links work. Maybe you could open a separate issue to add the tests to your testsuite and you can make that issue dependent on this one. (If it aint tested, its broke.) Take over #578
Thanks for opening #565 #566 #567 and I suggest keeping this open as a point to coordinate overall, including discussing priority/safety.
IMHO (commented on their pages):
a) xmpp over Tor is widely in use, and most places just turn off anonymous signup over Tor.
b) mumble works over Tor - I can help you test it.
c) I never got jitsi to work over Tor - I doubt it's possible. Tox works for voice and chat.
c) I understand the risk of SMTP and IMAP, but do you agree that POP3 is relatively safe?
d) open an issue to add Tor to Akkoma?
Thanks for a great start:
Thanks for reply. Just quick reply to some of the things you pointed out. There was changes where we migrated some of the services over to different host and re-generated onion addresses, but didnt update the website (duh...). Made pull request with corrections and it's awaiting approval so once it's clear, it will be updated on the website.
Yes should make that one as a direct link in the footer. (address is one click too far)
Thats why we are also adding addresses on the pages (as explained above mistake is being fixed)
Since we have such page (link in the footer of the website) perhaps it's not a bad idea to actually add more info to it as you suggested (https://disroot.org/en/tor )
That would mean I rather then not put onion address on the website but keep it as is on that page. As I said it's just one click away and you will also get the list of services and all other needed info in one place. #568
Check footer. See above
Indeed nextcloud overwrites the hostname so will need to check it more in detail and see if we can easily do it. #569
That's also a bit more complex issue then just adding vhost replacing the server name as there are two seperate vhosts for it and may render some issues. #570
#571
We normally monitor the service's internals to determine the sate of the service, OS it hosted on, dependant services like php or sql etc. Usually this gives us enough info to know when something's up. For http hosts we additionally monitor by checking http reponse code. Haven't add any for onion addresses assuming if plain works so should onion, though that wasn't the case.
It's true we "rushed" pushing the tor related stuff because it was just embarissing how long it took (I made the initial issue as one of the first ones after we started disroot, so I know damn well how bad it feels). But thanks to your reporting and persistancy (I really enjoy it actually) things will get done right. So thanks for ass kicking and great work!
Thanks; great. Always happy to see an "issue" turn into an epic with a dozen sub-issues :-)
Great to see the /en/tor page - what I suggest is beside the CHANGELOG on the footer of every page, link to /tor from "Tor Onion" It might allow you to do whatever your magic is to point to translations.
The link on the /tor page does NOT work
http://4dhkkxfcsvzvh3p5djkmuehhgd6t6l7wmzih6b4ss744hegwkiae7ad.onion/
Nor does the redirect.
**So one more issue to open please: ** Testing Tor.
You should be able to look for dead onion links on that test page the same way that you look for dead https: links. An easy way is to have a privoxy on your test machine that forwards .onion addresses to socks5:9050 and just run the testrunner pointing to the proxy.
What do you use as a testrunner?
Mumble should be "easy" to set up and might be test next one to try. I may still be set up to help you test mumble over tor.
So one more issue to open please: Tor Mumble. Take over #576
So one more issue to open please: Tor /privatebin - take over #574
Not sure where you got that url from but it's invalid so doesnt work
There's nothing wrong with that so not sure what you refer to.
Fix pushed awaiting approval. Most probably live tomorrow.
Maybe open an other issue for: git.
When you are logged in as a user on git.disroot.org clearnet, go to an issue like /Disroot/Disroot-Project/issues/369 it takes you to http://kgtz2pmmov5jfvn3z4mqryffjnnw6krzrgxxoyaqhqckjrr4pckyhsqd.onion/Disroot/Disroot-Project/issues/5652
your logged in state is not preserved - you have to sign in on the onion. Maybe a cookies thing in gitea and not worth chasing
emdee referenced this issue2023-07-26 00:52:12 +02:00
Add a reference to the git onion on /en/tor.
@emdee we've changed the tor page: https://disroot.org/en/tor
@meaz Thanks - it's very pretty, but
#578 might help it work better :-)
I added a simple script for basic testing.
Could you add a comment here as to which services have been successfully tested.
I'll be very surprised (but delighted) if you got jitsi to work and I expect there's more to it than just a single front onion. Aren't there things like STUN addresses?
You may need to plan a layout on that page for more that just a simple link; for example SMTP/POP/IMAP will take a page of instructions...