Ahwxorg / LibreY

Framework and JS free privacy respecting meta search engine
GNU Affero General Public License v3.0

Documentation on Tor/I2P support (for Users and Hosters) #189

Closed robert-winkler closed 4 weeks ago

robert-winkler commented 1 month ago

Hi, my instance is running at LibreY.

HTTPS is enabled, but I cannot find information on making Tor, and I2P, available, and possible advantages for users.

Could you please add some documentation?

codedipper commented 1 month ago

Just add your Tor/I2P address to the server_name option in nginx and point your Tor/I2P configurations to that port. The advantages of an anonymous, end-to-end encrypted, censorship-resistant service are pretty obvious.

Setup Tor onion service: https://community.torproject.org/onion-services/setup/ https://community.torproject.org/onion-services/advanced/

Setup I2P eepsite: https://geti2p.net/en/blog/post/2019/06/02/mirroring-guide - Java I2P official client https://i2pd.readthedocs.io/en/latest/user-guide/tunnels/ - C++ I2Pd client

robert-winkler commented 1 month ago

Thanks! My tor seems to run fine and to listen on the specified (torrc and nginx default) port. However, if I add my onion address to the server_name, restarting nginx fails; strangely, the server_name is defined 2x in the default configuration. But as long as the https LibreY is working, I'd better not touch it. Any idea about the problem (or an example conf)?

Ahwxorg commented 1 month ago

Can you share your config?

robert-winkler commented 1 month ago

How can I share confidential information?

codedipper commented 1 month ago

We can't solve a problem if we don't know what it is, but if you see something like this in your log files:

nginx: [emerg] could not build server_names_hash, you should increase server_names_hash_bucket_size: 64

Then you probably need to increase your server_names_hash_bucket_size inside the http block of your nginx.conf. Example:

# /etc/nginx/nginx.conf
http {
    ...
    server_names_hash_bucket_size 256;
    ...
}

robert-winkler commented 1 month ago

in torrc I have

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80

Is it OK to use the same port for clear web and tor?

and my default nginx file is (I only added the tor address twice):

server {
    server_name libre-find.online ug3lz3wdjxljv5fxyoicgcugmcsuym5e4zgxggotjdscdrdwid7s2mqd.onion;
    root /var/www/html/LibreY;
    index index.php;
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/libre-find.online/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/libre-find.online/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = libre-find.online) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name libre-find.online ug3lz3wdjxljv5fxyoicgcugmcsuym5e4zgxggotjdscdrdwid7s2mqd.onion;
    return 404; # managed by Certbot
}

# systemctl restart nginx

Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xeu nginx.service" for details.

× nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Tue 2024-10-22 07:17:35 CEST; 1min 19s ago

journalctl -xeu ngnix.service: no entries.

Any ideas?

robert-winkler commented 1 month ago

OK, we're getting there.

My tor address is g3lz3wdjxljv5fxyoicgcugmcsuym5e4zgxggotjdscdrdwid7s2mqd.onion

If I use this address in the Tor Browser, I get:

"Welcome to nginx!

If you see this page, the nginx web server is successfully installed and working. Further configuration is required.

For online documentation and support please refer to nginx.org. Commercial support is available at nginx.com.

Thank you for using nginx."

I added the tor onion address as a server_name xx xx.onion;

I have the hidden service running on port 80. Is this OK?

torrc

HiddenServiceDir /var/lib/tor/hidden_service/

HiddenServicePort 80 127.0.0.1:80

robert-winkler commented 1 month ago

I think I understand what's going on. My tor service connects to port 80; thus, typing the address http://ug3lz3wdjxljv5fxyoicgcugmcsuym5e4zgxggotjdscdrdwid7s2mqd.onion/ in the Tor Browser gets you to the default nginx index.html.

My idea is to re-direct from this page to my "normal" HTTPS LibreY instance (with a friendly message, "you are safe and welcome").

Is this a possible solution or bad practice?

robert-winkler commented 1 month ago

It works!

The trick was forwarding port 443 in torrc:

HiddenServicePort 443 127.0.0.1:443

Please test it out, before adding it to the instances table 😃.

https://ug3lz3wdjxljv5fxyoicgcugmcsuym5e4zgxggotjdscdrdwid7s2mqd.onion/

Ahwxorg commented 1 month ago

Hey, that shouldn't be it. What happens when you try port 80? You can also make an alternative server block in NGINX if otherwise it doesn't work.

robert-winkler commented 1 month ago

Using ports 80 -> 80 opens the standard html nginx page. 80 -> 443 throws an error. If I understand it correctly, most browsers nowadays will use https/443 by default. LibreY only runs on https on my server, and if someone gets on port 80, they will be redirected automatically to 443. Is there any disadvantage to running LibreY with Tor + https? This would be anonymous + encrypted. The only annoyance I can see at the moment is that one has to confirm to trust the certificate.

Ahwxorg commented 4 weeks ago

From my limited understanding, usually people don't use SSL on Tor, since Tor itself is already so secure and SSL doesn't "add anything" I think. If it works it works :)

robert-winkler commented 4 weeks ago

I'm not an expert; what I found is that the traffic going through Tor is already encrypted.

However, the Tor manual recommends setting "https only".

The problem: Let's Encrypt does not create certificates for .onion addresses, which is why the certificate contains the clear address and the browser throws a warning.

As far as I can see, the LibreY instance is hidden in the Tor connection, i.e. anonymous, and encrypted. Thus, I suggest adding the Tor instance.
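The dedicated server block Ahwxorg mentions, as an added example that is not part of this thread or of the LibreY project: the .onion gets its own plain-HTTP listener bound to loopback only, so an onion request can never fall through to the default "Welcome to nginx!" page or to the clearnet 301/404 block, and no certificate (and thus no browser warning for a hostname absent from the Let's Encrypt certificate) is involved. The file path, the 127.0.0.1:8080 port and the placeholder onion address are assumptions.

```nginx
# /etc/nginx/sites-available/librey-onion   (assumed path; symlink into sites-enabled)
#
# Matching torrc lines (assumed port; HiddenServiceDir as in the thread):
#   HiddenServiceDir /var/lib/tor/hidden_service/
#   HiddenServicePort 80 127.0.0.1:8080
#
# Only tor talks to 127.0.0.1:8080, so this block is the sole server on that
# socket and nginx cannot route onion traffic into the clearnet blocks.
server {
    listen 127.0.0.1:8080;
    server_name YOUR_ONION_ADDRESS.onion;   # placeholder: the hoster's own .onion

    root /var/www/html/LibreY;
    index index.php;

    # No HTTPS redirect here: the onion hostname is not in the clearnet
    # certificate, so sending onion visitors to https://libre-find.online
    # would both leak the clearnet site to them and trigger the warning.

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}

# Check before restarting; unlike the failed restart above, this prints the
# [emerg] reason (e.g. the server_names_hash_bucket_size message) directly:
#   nginx -t && systemctl reload nginx
```

The clearnet blocks keep only libre-find.online in their server_name; the two onion entries that were added there can be removed once this block is enabled.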