Onion: Set up an alt-svc so that TBB can automatically redirect from clearweb to onions #18

Closed
opened 12 months ago by kreyren · 23 comments
unofficial docs https://write.privacytools.io/jonah/securing-services-with-tor-and-alt-svc
wanderer added this to the General project 12 months ago
Owner

done for homepage and gitea, please check

Poster

TBB ain't auto-redirecting with these set to `always` in settings and working on torproject.org
Owner

using this for gitea

```nginx
add_header Alt-Svc 'h2="2crftbzxbcoqolvzreaaeyrod5qwycayef55gxgzgfcpqlaxrnh3kkqd.onion:80"; ma=86400; persist=1';
```

this for homepage

```nginx
add_header Alt-Svc 'h2="6426tqrh4y5uobmo5y2csaip3m3avmjegd2kpa24sadekpxglbm34aqd.onion:80"; ma=86400; persist=1';
```

Owner

torproject.org is using `Onion-Location` from what I've seen ![image](/attachments/c79834d1-3d0f-47b2-88de-c1f940f47464)
Owner

I now changed it to what torproject.org uses.

```nginx
# homepage
add_header Onion-Location "http://6426tqrh4y5uobmo5y2csaip3m3avmjegd2kpa24sadekpxglbm34aqd.onion/$request_uri";
# gitea
add_header Onion-Location "http://2crftbzxbcoqolvzreaaeyrod5qwycayef55gxgzgfcpqlaxrnh3kkqd.onion/$request_uri";
# drone
add_header Onion-Location "http://c3vqfx2dqltvdbsqu3ndqwcxsp3uk3vcxo2jsigie5zfajub3j3y35id.onion/$request_uri";
```

please check @kreyren

Owner

do you know if there's any way to reasonably add something similar to this to cross-site links that we know have an onion version (such as links to dotya.ml)?

Poster

It's redirecting me on `http://2crftbzxbcoqolvzreaaeyrod5qwycayef55gxgzgfcpqlaxrnh3kkqd.onion//dotya.ml/community/issues/18` now
Poster

and doesn't seem to trigger for `https://git.dotya.ml`. but works for `https://git.dotya.ml/.*`
Owner

@kreyren

> It's redirecting me on `http://2crftbzxbcoqolvzreaaeyrod5qwycayef55gxgzgfcpqlaxrnh3kkqd.onion//dotya.ml/community/issues/18` now

Please, elaborate..

Poster
> Please, elaborate..

@wanderer When i open `https://git.dotya.ml/dotya.ml/community/issues/18` it redirected me on `http://2crftbzxbcoqolvzreaaeyrod5qwycayef55gxgzgfcpqlaxrnh3kkqd.onion//dotya.ml/community/issues/18` which is 404
Poster

> torproject.org is using `Onion-Location` from what I've seen

```console
kreyren@leonid:~$ curl -I https://torproject.org
HTTP/1.1 302 Found
Date: Mon, 09 Nov 2020 16:05:04 GMT
Server: Apache
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-Xss-Protection: 1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15768000; preload
Location: https://www.torproject.org/
Content-Type: text/html; charset=iso-8859-1
```

Who told you that torproject.org is using Onion-Location?

Poster

Seems that in HTTP headers:

```
alt-svc: h2="2crftbzxbcoqolvzreaaeyrod5qwycayef55gxgzgfcpqlaxrnh3kkqd.onion:80"; ma=86400; persist=1
onion-location: http://2crftbzxbcoqolvzreaaeyrod5qwycayef55gxgzgfcpqlaxrnh3kkqd.onion//
```

You have unwanted `/` so i guess try:

```nginx
# homepage
add_header Onion-Location "http://6426tqrh4y5uobmo5y2csaip3m3avmjegd2kpa24sadekpxglbm34aqd.onion$request_uri";
# gitea
add_header Onion-Location "http://2crftbzxbcoqolvzreaaeyrod5qwycayef55gxgzgfcpqlaxrnh3kkqd.onion$request_uri";
# drone
add_header Onion-Location "http://c3vqfx2dqltvdbsqu3ndqwcxsp3uk3vcxo2jsigie5zfajub3j3y35id.onion$request_uri";
```
Owner

@kreyren

> > torproject.org is using `Onion-Location` from what I've seen
>
> ```console
> kreyren@leonid:~$ curl -I https://torproject.org
> HTTP/1.1 302 Found
> Date: Mon, 09 Nov 2020 16:05:04 GMT
> Server: Apache
> X-Content-Type-Options: nosniff
> X-Frame-Options: sameorigin
> X-Xss-Protection: 1
> Referrer-Policy: no-referrer
> Strict-Transport-Security: max-age=15768000; preload
> Location: https://www.torproject.org/
> Content-Type: text/html; charset=iso-8859-1
> ```
>
> Who told you that torproject.org is using Onion-Location?

They may not have it on the whole site but they are using the header for instance for media - that is where I got it from.

Owner

@kreyren

> Seems that in HTTP headers:
>
> ```
> alt-svc: h2="2crftbzxbcoqolvzreaaeyrod5qwycayef55gxgzgfcpqlaxrnh3kkqd.onion:80"; ma=86400; persist=1
> onion-location: http://2crftbzxbcoqolvzreaaeyrod5qwycayef55gxgzgfcpqlaxrnh3kkqd.onion//
> ```
>
> You have unwanted `/` so i guess try:
>
> ```nginx
> # homepage
> add_header Onion-Location "http://6426tqrh4y5uobmo5y2csaip3m3avmjegd2kpa24sadekpxglbm34aqd.onion$request_uri";
> # gitea
> add_header Onion-Location "http://2crftbzxbcoqolvzreaaeyrod5qwycayef55gxgzgfcpqlaxrnh3kkqd.onion$request_uri";
> # drone
> add_header Onion-Location "http://c3vqfx2dqltvdbsqu3ndqwcxsp3uk3vcxo2jsigie5zfajub3j3y35id.onion$request_uri";
> ```

This is correct, though.. Fixed, see now.

Poster

relevant: present the same tls cert for aaaa.onion:443 as example.com:443 -- irc.oftc.net/#tor

Poster

The new configuration redirects on http://2crftbzxbcoqolvzreaaeyrod5qwycayef55gxgzgfcpqlaxrnh3kkqd.onion/dotya.ml/community/issues/18 which is 404 -> Assuming onions down? URL lgtm

Poster

also alt-svc should be on port 443 see example configuration provided by irc.oftc.net/#tor

https://p.pastly.xyz/volatile/torrc.txt

https://p.pastly.xyz/volatile/example-nginx-config.txt

Poster

FWIW dotya.ml works perfectly

Owner

onion was not listening on 443, it is now.
redirects now also work correctly, please confirm.
404s could be attributed to the nature of the tor network maybe

Poster

ain't working on me end, but i think that this is caused by onion for git.dotya.ml being down..

> 404s could be attributed to the nature of the tor network maybe

no

Owner

> ain't working on me end, but i think that this is caused by onion for git.dotya.ml being down..
>
> > 404s could be attributed to the nature of the tor network maybe
>
> no

it's either the network or cosmic rays as the only time you could have legitimately got 404s were the ~three `tor` reloads today.

works for me here

![image](/attachments/5a60f068-59cb-4ca8-bba0-ffb467372923)

Owner

closing, as it's working.

wanderer closed this issue 12 months ago
wanderer added this to the Grow our .onionz milestone 12 months ago
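
An added example, not part of the original thread or of the dotya.ml configuration: a small Python check for the two header problems found above, the doubled slash produced by `.onion/$request_uri` (nginx's `$request_uri` already begins with `/`) and an onion `Alt-Svc` alternative advertised on port 80. The function names, the sample URL and the placeholder .onion name are assumptions; the port-443 expectation follows the advice quoted in the thread.

```python
from urllib.parse import urlsplit

def parse_alt_svc(value):
    """Yield (protocol, host, port) for each alternative in an Alt-Svc value."""
    for alternative in value.split(","):
        first = alternative.split(";")[0].strip()   # e.g. h2="host.onion:443"
        proto, sep, authority = first.partition("=")
        if not sep:
            continue                                # e.g. the special value "clear"
        host, _, port = authority.strip('"').rpartition(":")
        if port.isdigit():
            yield proto, host, int(port)

def check_onion_headers(request_url, headers):
    """Return a list of problems in one response's onion-related headers."""
    problems = []
    req = urlsplit(request_url)
    hdrs = {k.lower(): v for k, v in headers.items()}

    loc = hdrs.get("onion-location")
    if loc:
        onion = urlsplit(loc)
        if not (onion.hostname or "").endswith(".onion"):
            problems.append("onion-location: host is not a .onion address")
        if onion.path.startswith("//"):
            problems.append("onion-location: doubled slash before the path")
        elif (onion.path or "/") != (req.path or "/") or onion.query != req.query:
            problems.append("onion-location: does not mirror the requested URI")

    # Port 443 is the expectation taken from the advice quoted in the thread.
    for proto, host, port in parse_alt_svc(hdrs.get("alt-svc", "")):
        if host.endswith(".onion") and port != 443:
            problems.append(f"alt-svc: {proto} onion alternative on port {port}, not 443")
    return problems

# Constructed sample data; the .onion name is a placeholder, not a real service.
ONION = "constructedexampleaddress.onion"
URL = "https://git.example.org/dotya.ml/community/issues/18"
BEFORE = {  # shape of the headers reported in the thread
    "Alt-Svc": f'h2="{ONION}:80"; ma=86400; persist=1',
    "Onion-Location": f"http://{ONION}//dotya.ml/community/issues/18",
}
AFTER = {   # slash removed, alternative moved to 443
    "Alt-Svc": f'h2="{ONION}:443"; ma=86400; persist=1',
    "Onion-Location": f"http://{ONION}/dotya.ml/community/issues/18",
}

if __name__ == "__main__":
    for name, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(name, check_onion_headers(URL, hdrs) or "ok")
```
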
Poster

thanku senpai~
