[bug] Issues with tor federation — akkoma trying to connect to hidden services through https #399

Open
opened 2022-12-25 18:27:47 +00:00 by underwater_sun · 3 comments

Your setup

OTP

Extra details

Debian 11

Version

No response

PostgreSQL version

No response

What were you trying to do?

I've tried to set up tor/onion federation as described in https://docs.akkoma.dev/stable/configuration/onion_federation/ . I have a self-hosted clearnet instance, and i created a tor-only instance as well to test this. However, I've ran into a lot of problems, mostly with outgoing connections to hidden services. Akkoma only supports http proxies (not socks), but tor doesn't include a full http proxy for outgoing connections. I was getting errors because of this when trying to e.g. search a user that was on a hidden service. I switched to proxying through privoxy (http -> socks5), and that fixed those errors, but akkoma is still doing behavior that makes hidden service federation difficult. When searching for a user, e.g. @abc@abc.onion, akkoma will try to look up the /.well-known/host-meta through https, which won't work for hidden services because they run over http. I think this causes the proxy to give a 503 error. for example,

[warning] Can't find LRDD template in "https://hidden-service.onion/.well-known/host-meta": {:error, "expected tunnel proxy to return a status between 200 and 299, got: 503"}

this makes me unable to search for / federate with users on hidden services. I'm not really sure what to do to fix this.

What did you expect to happen?

Akkoma should connect to hidden services (*.onion) over http

What actually happened?

Akkoma attempts to connect to hidden services over https

Logs

No response

Severity

I cannot use it as easily as I'd like

Have you searched for this issue?

  • I have double-checked and have not found this issue mentioned anywhere.
### Your setup OTP ### Extra details Debian 11 ### Version _No response_ ### PostgreSQL version _No response_ ### What were you trying to do? I've tried to set up tor/onion federation as described in https://docs.akkoma.dev/stable/configuration/onion_federation/ . I have a self-hosted clearnet instance, and i created a tor-only instance as well to test this. However, I've ran into a lot of problems, mostly with outgoing connections to hidden services. Akkoma only supports http proxies (not socks), but tor doesn't include a full http proxy for outgoing connections. I was getting errors because of this when trying to e.g. search a user that was on a hidden service. I switched to proxying through privoxy (http -> socks5), and that fixed those errors, but akkoma is still doing behavior that makes hidden service federation difficult. When searching for a user, e.g. @abc@abc.onion, akkoma will try to look up the `/.well-known/host-meta` through https, which won't work for hidden services because they run over http. I think this causes the proxy to give a 503 error. for example, ``` [warning] Can't find LRDD template in "https://hidden-service.onion/.well-known/host-meta": {:error, "expected tunnel proxy to return a status between 200 and 299, got: 503"} ``` this makes me unable to search for / federate with users on hidden services. I'm not really sure what to do to fix this. ### What did you expect to happen? Akkoma should connect to hidden services (\*.onion) over http ### What actually happened? Akkoma attempts to connect to hidden services over https ### Logs _No response_ ### Severity I cannot use it as easily as I'd like ### Have you searched for this issue? - [x] I have double-checked and have not found this issue mentioned anywhere.
underwater_sun added the
bug
label 2022-12-25 18:27:47 +00:00
Contributor

Am I correct that this is only when searching for a user unknown to the instance using the format username@instance.tld?

(I.e. using the format http://instance.onion/users/username does work. And fetching posts by their url also works. And once the user is known to the instance username@instance.tld probably also works.)

Because then I believe the problem is just that akkoma is hardcoded to fetch over https when querying webfinger. (Maybe we should add a fallback to try http when https fails for webfinger?)

If you want to try socks5, you can try to replace config :pleroma, :http, proxy_url: "http://localhost:9080" with config :pleroma, :http, proxy_url: {:socks5, :localhost, 9050}. The latter is how the docs used to say how to do it. I'm unsure why it changed though, so maybe there's problems I don't know about.

Am I correct that this is only when searching for a user unknown to the instance using the format `username@instance.tld`? (I.e. using the format `http://instance.onion/users/username` does work. And fetching posts by their url also works. And once the user is known to the instance `username@instance.tld` probably also works.) Because then I believe the problem is just that akkoma is hardcoded to fetch over https when querying webfinger. (Maybe we should add a fallback to try http when https fails for webfinger?) If you want to try socks5, you can try to replace `config :pleroma, :http, proxy_url: "http://localhost:9080"` with `config :pleroma, :http, proxy_url: {:socks5, :localhost, 9050}`. The latter is how the docs used to say how to do it. I'm unsure why it changed though, so maybe there's problems I don't know about.
Author

iirc i tried to fetch it over the http://x.onion/users/username and it did fetch their user page correctly but i think still tried to fetch the webfinger over https.

the socks5 thing doesnt work, and i saw somewhere in the pull requests that they had removed support for socks5.. i think they probably just removed the module from the build or something though so maybe just adding it would work? im not sure.

iirc i tried to fetch it over the `http://x.onion/users/username` and it did fetch their user page correctly but i think still tried to fetch the webfinger over https. the socks5 thing doesnt work, and i saw somewhere in the pull requests that they had removed support for socks5.. i think they probably just removed the module from the build or something though so maybe just adding it would work? im not sure.

I know it's been a while since this issue was made, but I'd really like to encourage work to be done on this specific issue. I personally have interest in running Akkoma with Tor support so if there's anything I can do to help make it happen, I'd love to hear it. I don't really understand Elixir so uhh, I might not be of much help though.

I know it's been a while since this issue was made, but I'd really like to encourage work to be done on this specific issue. I personally have interest in running Akkoma with Tor support so if there's anything I can do to help make it happen, I'd love to hear it. I don't really understand Elixir so uhh, I might not be of much help though.
Sign in to join this conversation.
No milestone
No project
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: AkkomaGang/akkoma#399
No description provided.