bugfest / tor-controller

Tor toolkit for Kubernetes (Tor instances, onion services and more)
Apache License 2.0

Can't get it run with a NodePort :c #75

Closed trinami closed 3 months ago

trinami commented 3 months ago

Hello,

I am trying to set up a hidden service. I already have ingress-nginx set up. Currently I have a NodePort on 30080 and 30443. I made a kind: OnionService on Port 80, and set backend port 80, ingress-nginx-controller. The secret is loaded correctly, the OnionService has the right Status.Hostname. (trinamiggfqxmyuyipkol3svqfzecuriywhiqlzcawknhtgivj3wkxad.onion)

But I can't reach the onion address. What am I doing wrong? It just loads in Tor Browser and then says "Unable to connect". And is there a better way than 30080->tor-controller->ingress-nginx-controller->ingress->webserver ? Like 30080->ingress-nginx-controller->tor-controller->ingress->webserver ? And what about https? Would be nice if you could help. Maybe I can message you somewhere else?

Many thanks :)

apiVersion: tor.k8s.torproject.org/v1alpha2
kind: OnionService
metadata:
  name: onion-service
  namespace: ingress-nginx
  labels:
    app: onion-service
spec:
  version: 3
  privateKeySecret:
    name: onion-secret
  rules:
    - port:
        number: 80
      backend:
        service:
          name: ingress-nginx-controller
          port:
            number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "server: hide";
      more_set_headers "server: hide";
      more_set_headers "X-Content-Type-Options: nosniff";
      more_set_headers "X-Frame-Options: DENY";
      more_set_headers "X-Xss-Protection: 0";
      more_set_headers "Referrer-Policy: same-origin";
      more_set_headers "Permissions-Policy: camera=(\"https://meet.trinami.zip\" \"https://meet.trinami.org\"),microphone=(\"https://meet.trinami.zip\" \"https://meet.trinami.org\"),usb=(\"https://crypt.trinami.zip\" \"https://crypt.trinami.org\")";
      more_set_headers "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload";
      more_set_headers "Content-Security-Policy: default-src 'self' https://trinami.org https://trinami.zip";
      more_set_headers "Cross-Origin-Resource-Policy: same-site";
      more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
      more_set_headers "Cross-Origin-Opener-Policy: same-origin";
      more_set_headers "Cache-Control: max-age=31536000";
      more_set_headers "Onion-Location: https://trinamiggfqxmyuyipkol3svqfzecuriywhiqlzcawknhtgivj3wkxad.onion$request_uri";
      more_clear_headers "X-Powered-By";
  name: www
  namespace: www
spec:
  ingressClassName: nginx
  defaultBackend:
    service:
      name: www
      port:
        number: 80
  rules:
  - host: trinami.org
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: www
            port:
              number: 80
  - host: trinami.zip
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: www
            port:
              number: 80
  - host: 'trinamiggfqxmyuyipkol3svqfzecuriywhiqlzcawknhtgivj3wkxad.onion'
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: www
            port:
              number: 80
  tls:
    - hosts:
        - "trinami.org"
      secretName: trinami.org.source
    - hosts:
        - "trinami.zip"
      secretName: trinami.zip.source
    - hosts:
        - "trinamiggfqxmyuyipkol3svqfzecuriywhiqlzcawknhtgivj3wkxad.onion"
      secretName: trinami.onion-secret

bugfest commented 3 months ago

Hi @trinami, sorry I'm replying so late,

My recommendation is that you configure your OnionService to use the Ingress Controller's SVC as explained in this example.

Can you double check your IC svc name is in fact ingress-nginx-controller?

NodePort is not relevant here, don't worry about it.

When using Tor, you don't need to access the onion site over HTTPS since the connection is also encrypted end to end; not sure if the tls piece is necessary there. You need to have a certificate for your .onion address if you want that to work properly (more info: https://community.torproject.org/onion-services/advanced/https/). The secret that Tor-controller creates cannot be used for TLS.

You can reach me in matrix chat @bugfest:matrix.org

Regards, BF

trinami commented 3 months ago

So finally, @bugfest helped me to fix this issue today.

1. I don't need a NodePort pointing to the OnionService. It just has another way to expose itself to the outside world.

2. Let's Encrypt doesn't work with .onion, and I don't want to pay, so I just used Port 80 / HTTP (I made another ingress controller without the HSTS part for the .onion)

Everything else was okay in the setup above. Incoming clearnet traffic is NodePort->ingress-nginx, Tor traffic is OnionService->ingress-nginx, and from the ingress onward everything is the same as without Tor, except for the .onion domain name.

Thank you very much @bugfest :))
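The split the thread ends on, written out as manifests (an added example, not code from the issue or from the tor-controller project): the OnionService keeps pointing at the ingress-nginx-controller Service on port 80, and the .onion host gets its own Ingress that serves plain HTTP with no `tls` entry and no HSTS header, while the clearnet Ingress from the issue stays as it is with its HSTS and `Onion-Location` headers. The Ingress name `www-onion` and the reduced header set are assumptions.

```yaml
# OnionService: Tor-side entry point. No NodePort is involved; tor-controller
# forwards onion traffic straight to the ingress controller's Service.
apiVersion: tor.k8s.torproject.org/v1alpha2
kind: OnionService
metadata:
  name: onion-service
  namespace: ingress-nginx
spec:
  version: 3
  privateKeySecret:
    name: onion-secret          # onion key only; not usable as a TLS secret
  rules:
    - port:
        number: 80
      backend:
        service:
          name: ingress-nginx-controller   # must match the real IC Service name
          port:
            number: 80
---
# Ingress for the .onion host only (name "www-onion" is assumed). It has no
# tls block, because a tls entry for a host enables ingress-nginx's default
# ssl-redirect, which would bounce Tor Browser to an HTTPS endpoint that has
# no certificate for the onion address. HSTS is deliberately left out as well.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: www-onion
  namespace: www
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"   # explicit: stay on HTTP
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-Content-Type-Options: nosniff";
      more_set_headers "X-Frame-Options: DENY";
      more_set_headers "Referrer-Policy: same-origin";
      more_clear_headers "X-Powered-By";
spec:
  ingressClassName: nginx
  rules:
  - host: trinamiggfqxmyuyipkol3svqfzecuriywhiqlzcawknhtgivj3wkxad.onion
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: www
            port:
              number: 80
```

Keep the `Onion-Location` header on the clearnet Ingress only; it tells clearnet visitors where the onion mirror is and has no purpose on the onion host itself.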

bugfest commented 3 months ago

Thanks @trinami, enjoy!