pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma

onion_federation.md (5236B)


# Easy Onion Federation (Tor)
Tor can free people from the necessity of a domain, in addition to helping protect their privacy. As Pleroma's goal is to empower people and let as many as possible host an instance with as few resources as possible, the ability to host an instance on a small, cheap computer like a Raspberry Pi along with Tor would be a great way to achieve that.  
In addition, federating with such instances will also help further that goal.

This is a guide to show you how it can be easily done.

This guide assumes you already have Pleroma working, and that it's running on the default port 4000.  
It currently only has an Nginx example.

To install Tor on Debian / Ubuntu:
```
apt -yq install tor
```
If using an old server version (older than Debian Stretch or Ubuntu 18.04), install from backports or PPA.
I recommend using a newer server version instead.

To have the newest, V3 onion addresses (which I recommend) in Debian, install Tor from backports.
If you do not have backports, uncomment the stretch-backports links at the end of `/etc/apt/sources.list`.
Then install:
```
apt update
apt -t stretch-backports -yq install tor
```
**WARNING:** Onion instances not using a Tor version supporting V3 addresses will not be able to federate with you.

Create the hidden service for your Pleroma instance in `/etc/tor/torrc`:
```
HiddenServiceDir /var/lib/tor/pleroma_hidden_service/
HiddenServicePort 80 127.0.0.1:8099
HiddenServiceVersion 3  # Remove if Tor version is below 0.3 ( tor --version )
```
Restart Tor to generate an address:
```
systemctl restart tor@default.service
```
Get the address:
```
cat /var/lib/tor/pleroma_hidden_service/hostname
```

# Federation

Next, edit your Pleroma config.
If running in prod, cd to your Pleroma directory, edit `config/prod.secret.exs`
and append this line, which sends Pleroma's outgoing HTTP requests through Tor's local SOCKS5 port:
```
config :pleroma, :http, proxy_url: {:socks5, :localhost, 9050}
```
In your Pleroma directory, assuming you're running prod,
run the following:
```
su pleroma
MIX_ENV=prod mix deps.get
MIX_ENV=prod mix ecto.migrate
exit
```
Restart Pleroma (if using systemd):
```
systemctl restart pleroma
```

# Tor Instance Access

Make your instance accessible using Tor.

## Tor-only Instance
If creating a Tor-only instance, open `config/prod.secret.exs` and under `config :pleroma, Pleroma.Web.Endpoint,` change `https` and `port: 443` to the following:
```
   url: [host: "onionaddress", scheme: "http", port: 80],
```
In addition to that, replace the existing Nginx config's contents with the example below.

## Existing Instance (Clearnet Instance)
If not a Tor-only instance,
add the Nginx config below to your existing config at `/etc/nginx/sites-enabled/pleroma.nginx`.

---
For both cases, disable CSP in Pleroma's config (STS is disabled by default) so you can define those yourself separately from the clearnet (if your instance is also on the clearnet).
The Nginx example below sets neither a `Content-Security-Policy` nor a `Strict-Transport-Security` header, so add the ones you want for the onion site there.
Copy the following into the `config/prod.secret.exs` in your Pleroma folder (`/home/pleroma/pleroma/`):
```
config :pleroma, :http_security,
  enabled: false
```

Use this as the Nginx config:
```
proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g inactive=720m use_temp_path=off;
# The above already exists in a clearnet instance's config.
# If not, add it.

server {
    listen 127.0.0.1:8099;
    server_name youronionaddress;

    # Comment out the next two lines to enable logs
    access_log /dev/null;
    error_log /dev/null;

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;

    client_max_body_size 16m;

    location / {

        add_header X-XSS-Protection "1; mode=block";
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header Referrer-Policy same-origin;
        add_header X-Download-Options noopen;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        proxy_pass http://localhost:4000;

        client_max_body_size 16m;
    }

    location /proxy {
        proxy_cache pleroma_media_cache;
        proxy_cache_lock on;
        proxy_ignore_client_abort on;
        proxy_pass http://localhost:4000;
    }
}
```
Reload Nginx:
```
systemctl reload nginx
```

You should now be able to both access your instance using Tor and federate with other Tor instances!
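
To confirm that the Tor and Nginx pieces above line up, here is a cross-check written for this page (an added example, not part of the original guide or of Pleroma). The function names are hypothetical; the file paths in the closing comment are the ones this guide uses.

```shell
#!/bin/sh
# Added example, not part of the original guide. Paths are passed in, so the
# same checks also work on copies of the files.

# First forwarding target (addr:port) of HiddenServicePort in a torrc.
hs_target() {  # $1 = torrc
    awk 'tolower($1) == "hiddenserviceport" { print $3; exit }' "$1"
}

# True if the Nginx config has a "listen" directive for exactly $2.
# A bare "listen 8099;" does not count: it would also bind public interfaces.
nginx_listens_on() {  # $1 = nginx config, $2 = addr:port
    awk -v want="$2" '$1 == "listen" { sub(/;$/, "", $2); if ($2 == want) ok = 1 }
                      END { exit !ok }' "$1"
}

# True for a v3 onion address: 56 base32 characters plus ".onion".
is_v3_onion() {
    printf '%s\n' "$1" | grep -Eq '^[a-z2-7]{56}\.onion$'
}

# Runs all checks, prints one line per problem, returns the problem count.
check_onion_setup() {  # $1 = torrc, $2 = nginx config, $3 = hostname file
    problems=0
    target=$(hs_target "$1")
    case "$target" in
        127.0.0.1:*|localhost:*) ;;
        *) echo "torrc forwards to '$target', expected a loopback address"
           problems=$((problems + 1)) ;;
    esac
    nginx_listens_on "$2" "$target" || {
        echo "nginx has no 'listen $target;' for the onion vhost"
        problems=$((problems + 1)); }
    is_v3_onion "$(cat "$3")" || {
        echo "address in $3 is not a v3 onion address"
        problems=$((problems + 1)); }
    return "$problems"
}

# On the server described in this guide:
# check_onion_setup /etc/tor/torrc /etc/nginx/sites-enabled/pleroma.nginx \
#     /var/lib/tor/pleroma_hidden_service/hostname
```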

---

### Possible Issues

* In Debian, make sure your hidden service folder `/var/lib/tor/pleroma_hidden_service/` and its contents have debian-tor as both owner and group. Check with:
```
ls -la /var/lib/tor/
```
If they don't, run:
```
chown -R debian-tor:debian-tor /var/lib/tor/pleroma_hidden_service/
```
* Make sure *only* the owner has access, with *only* read and write permissions on the files (the directory itself also needs the owner's execute bit so that it can be entered).
If not, run:
```
# u=rwX: read/write for the owner, plus the search (x) bit on directories only;
# go=: no access for group or others
chmod -R u=rwX,go= /var/lib/tor/pleroma_hidden_service/
```
* If you have trouble logging in to the Mastodon Frontend when using Tor, use the Tor Browser Bundle.
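
The ownership and permission checks above can be done in one pass instead of reading `ls` output by eye. The following audit is an added example, not part of the original guide; `audit_hs_dir` is a hypothetical name, and it assumes GNU `find` and `stat` (the Debian/Ubuntu defaults). It expects files at mode 600 and directories at 700, since a directory needs the owner's search bit.

```shell
#!/bin/sh
# Added example, not part of the original guide. Assumes GNU find and stat.

# Prints one line for every directory or file under $1 whose mode or
# owner:group is not what a hidden service directory should have:
# directories 700, files 600, everything owned by $2. No output means OK.
audit_hs_dir() {  # $1 = HiddenServiceDir, $2 = expected owner:group
    find "$1" \( -type d -o -type f \) -exec stat -c '%F|%a|%U:%G|%n' {} + |
    while IFS='|' read -r type mode owner path; do
        case "$type" in
            directory) want=700 ;;
            *)         want=600 ;;
        esac
        [ "$mode" = "$want" ] || echo "$path: mode $mode, expected $want"
        [ "$owner" = "$2" ] || echo "$path: owner $owner, expected $2"
    done
}

# On the server described in this guide (run as root):
# audit_hs_dir /var/lib/tor/pleroma_hidden_service debian-tor:debian-tor
```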