Commit 8c7b2b3f authored by Eugen Rochko

Merge branch 'master' into 'master'

Improved documentation for running Mastodon as a Tor service

See merge request !31
parents 2cb25f43 bd32c997
Pipeline #738 passed with stages in 17 seconds
...@@ -91,7 +91,7 @@ apt install tor deb.torproject.org-keyring ...@@ -91,7 +91,7 @@ apt install tor deb.torproject.org-keyring
Edit the file at `/etc/tor/torrc` and add the following configuration. Edit the file at `/etc/tor/torrc` and add the following configuration.
```bash ```bash
HiddenServiceDir /var/lib/tor/mastodon/ HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServiceVersion 3 HiddenServiceVersion 3
HiddenServicePort 80 127.0.0.1:80 HiddenServicePort 80 127.0.0.1:80
``` ```
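Review bot: the `HiddenServiceDir` change from `/var/lib/tor/mastodon/` to `/var/lib/tor/hidden_service/` deserves a sentence for readers who set up their service from the earlier text. Tor stores the service's key material inside that directory, so pointing `HiddenServiceDir` at a new path makes tor generate a fresh key and therefore a new `.onion` hostname instead of reusing the existing one. Suggest noting that existing deployments should either keep their current path or move the old directory's contents to the new location rather than only editing this line. The `hostname` path referenced later in the patch is updated consistently with the new directory.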
...@@ -102,71 +102,108 @@ Restart tor. ...@@ -102,71 +102,108 @@ Restart tor.
sudo service tor restart sudo service tor restart
``` ```
Your tor hostname can now be found at `/var/lib/tor/mastodon/hostname`. This will work _if_ you are serving Mastodon over port 80 and _if_ it is the only site you are serving on your web server. Your tor hostname can now be found at `/var/lib/tor/hidden_service/hostname`.
### Configuring a multi-host server ### Move your Mastodon configuration
If you have multiple domains on your web server you will need to tell your web server how to serve the tor hostname. In the configuration file for your Mastodon web configuration add an additional hostname entry. e.g. for Nginx We will need to tell Nginx about your Mastodon configuration twice. To keep things [DRY](https://en.wikipedia.org/wiki/Don%27t_repeat_yourself) we need to move the Mastodon configuration into its own file that can be referenced.
Create a new file at `/etc/nginx/snippets/mastodon.conf`. Put all of your Mastodon configuration parameters in this file with the exception of the `listen`, `server_name`, `include` and all of the SSL options. Your new file may look something like this.
```bash
server {
servername mastodon.myhosting.com qKnFwnNH2oH4QhQ7CoRf7HYj8wCwpDwsa8ohJmcPG9JodMZvVA6psKq7qKnFwnNH2oH4QhQ7CoRf7HYj8wCwpDwsa8ohJmcPG9JodMZvVA6psKq7.onion
}
``` ```
add_header Referrer-Policy "same-origin";
### Serve Tor over http keepalive_timeout 70;
sendfile on;
client_max_body_size 80m;
root /home/mastodon/live/public;
error_page 500 501 502 503 504 /500.html;
While it may be tempting to serve your Tor version of Mastodon over https it is not good idea. See [this](https://blog.torproject.org/facebook-hidden-services-and-https-certs) blog post from the Tor Project about why https certificates do not add value. Since you cannot get an SSL cert for an onion domain, you will also be plagued with certificate errors when trying to use your Mastodon instance. access_log /var/log/nginx/mastodon_access.log;
error_log /var/log/nginx/mastodon_error.log warn;
```
The solution is to serve your Mastodon instance over http, but only for Tor. In place of your old Mastodon configuration add an include directive to this new configuration file.
Consider the following example Nginx configuration. Your Nginx configuration file will be left looking something like this.
``` ```
server { server {
listen 80; listen 80;
server_name mastodon.myhosting.com; server_name mastodon.myhosting.com;
return 301 https://$host$request_uri; return 301 https://$server_name$request_uri;
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
} }
server { server {
listen 443 ssl http2; listen 443 ssl http2;
server_name mastodon.myhomsting.com; list [::]:443 ssl http2;
server_name mastodon.myhosting.com;
include /etc/nginx/snippets/mastodon.conf;
ssl_certificate /etc/letsencrypt/live/mastodon.myhosting.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mastodon.myhosting.com/privkey.pem;
} }
``` ```
Add a new server entry that duplicates the ssl entry, but defines it to use port 80 with your onion hostname. ### Serve Tor over http
While it may be tempting to serve your Tor version of Mastodon over https it is not a good idea for most people. See [this](https://blog.torproject.org/facebook-hidden-services-and-https-certs) blog post from the Tor Project about why https certificates do not add value. Since you cannot get an SSL cert for an onion domain, you will also be plagued with certificate errors when trying to use your Mastodon instance. A Tor developer has more recently spelled out the reasons why serving a Tor service over https is not beneficial for most use cases [here](https://matt.traudt.xyz/p/o44SnkW2.html).
The solution is to serve your Mastodon instance over http, but only for Tor. This can be added by pre-pending an additional configuration to your Nginx configuration.
``` ```
server { server {
listen 80; listen 80;
server_name mastodon.myhosting.com; server_name mastodon.qKnFwnNH2oH4QhQ7CoRf7HYj8wCwpDwsa8ohJmcPG9JodMZvVA6psKq7qKnFwnNH2oH4QhQ7CoRf7HYj8wCwpDwsa8ohJmcPG9JodMZvVA6psKq7.onion;
return 301 https://$host$request_uri; include /etc/nginx/snippets/mastodon.conf;
} }
server { server {
listen 80; listen 80;
server_name qKnFwnNH2oH4QhQ7CoRf7HYj8wCwpDwsa8ohJmcPG9JodMZvVA6psKq7qKnFwnNH2oH4QhQ7CoRf7HYj8wCwpDwsa8ohJmcPG9JodMZvVA6psKq7.onion; server_name mastodon.myhosting.com;
return 301 https://$server_name$request_uri;
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
} }
server { server {
listen 443 ssl http2; listen 443 ssl http2;
list [::]:443 ssl http2;
server_name mastodon.myhosting.com; server_name mastodon.myhosting.com;
include /etc/nginx/snippets/mastodon.conf;
ssl_certificate /etc/letsencrypt/live/mastodon.myhosting.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mastodon.myhosting.com/privkey.pem;
} }
``` ```
Replace the long hash provided here with your Tor domain located in the file at `/var/lib/tor/hidden_service/hostname`.
Note that the onion hostname has been prefixed with "mastodon.". Your Tor address acts a wildcard domain. All subdomains will be routed through, and you can configure Nginx to respond to any subdomain you wish. If you do not wish to host any other services on your tor address you can omit the subdomain, or choose a different subdomain.
Here you can see the payoff of moving your mastodon configurations to a different file. Without this all of your configurations would have to be copied to both places. Any change to your configuration would have to be made both places.
Restart your web server. Restart your web server.
```bash ```bash
service nginx restart service nginx restart
``` ```
You can also see [this Server Fault](https://serverfault.com/a/373661) answer for a more [DRY](https://en.wikipedia.org/wiki/Don%27t_repeat_yourself) solution. ### Gotchas
There are a few things you will need to be aware of. Certain redirects will push your users to https. They will have to manually replace the URL with http to continue.
Various resources, such as images, will still be offered through your regular non-Tor domain. How much of a problem this is will depend greatly on your user's level of caution.
## Login via LDAP/PAM/CAS/SAML ## Login via LDAP/PAM/CAS/SAML
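Review bot: `list [::]:443 ssl http2;` in the https server block (present in both the intermediate and the final example) is a typo for `listen [::]:443 ssl http2;`; nginx rejects the file with an unknown directive error, so anyone pasting the example will have a non-starting web server after `service nginx restart`. A second point on the new onion server block: it uses `listen 80;`, which binds every interface, while the torrc hunk only forwards to `127.0.0.1:80`; as written the unencrypted copy of the site is reachable from the public internet on port 80 as well as from the local tor daemon. Suggest `listen 127.0.0.1:80;` for that block so the plaintext vhost is only exposed to tor, and a short note in the "Gotchas" section explaining that choice.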