[bug] Issues with tor federation — akkoma trying to connect to hidden services through https #399

Open
opened 2022-12-25 18:27:47 +00:00 by underwater_sun · 3 comments

Your setup

OTP

Extra details

Debian 11

Version

No response

PostgreSQL version

No response

What were you trying to do?

I've tried to set up Tor/onion federation as described in https://docs.akkoma.dev/stable/configuration/onion_federation/ . I have a self-hosted clearnet instance, and I created a Tor-only instance as well to test this. However, I've run into a lot of problems, mostly with outgoing connections to hidden services. Akkoma only supports http proxies (not socks), but Tor doesn't include a full http proxy for outgoing connections. I was getting errors because of this when trying to e.g. search a user that was on a hidden service. I switched to proxying through privoxy (http -> socks5), and that fixed those errors, but Akkoma is still doing behavior that makes hidden service federation difficult. When searching for a user, e.g. @abc@abc.onion, Akkoma will try to look up the /.well-known/host-meta through https, which won't work for hidden services because they run over http. I think this causes the proxy to give a 503 error. For example,

[warning] Can't find LRDD template in "https://hidden-service.onion/.well-known/host-meta": {:error, "expected tunnel proxy to return a status between 200 and 299, got: 503"}

This makes me unable to search for / federate with users on hidden services. I'm not really sure what to do to fix this.

What did you expect to happen?

Akkoma should connect to hidden services (*.onion) over http

What actually happened?

Akkoma attempts to connect to hidden services over https

Logs

No response

Severity

I cannot use it as easily as I'd like

Have you searched for this issue?

  • I have double-checked and have not found this issue mentioned anywhere.
underwater_sun added the bug label 2022-12-25 18:27:47 +00:00
Contributor

Am I correct that this is only when searching for a user unknown to the instance using the format username@instance.tld?

(I.e. using the format http://instance.onion/users/username does work. And fetching posts by their url also works. And once the user is known to the instance username@instance.tld probably also works.)

Because then I believe the problem is just that akkoma is hardcoded to fetch over https when querying webfinger. (Maybe we should add a fallback to try http when https fails for webfinger?)

If you want to try socks5, you can try to replace `config :pleroma, :http, proxy_url: "http://localhost:9080"` with `config :pleroma, :http, proxy_url: {:socks5, :localhost, 9050}`. The latter is how the docs used to say how to do it. I'm unsure why it changed though, so maybe there are problems I don't know about.
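
The webfinger fallback suggested in the comment above, as an added example that is not Akkoma's code and not part of either participant's comment: http is attempted only for `.onion` hosts, so clearnet lookups can never be downgraded from https. The module name, `fetch_fun` and the stub client are assumptions made for this illustration.

```elixir
defmodule HostMetaSchemeExample do
  # Added illustration, not Akkoma code: https stays mandatory for clearnet
  # hosts; the http fallback is offered only to .onion hosts, where Tor
  # itself authenticates and encrypts the connection to the service.
  @path "/.well-known/host-meta"

  def onion?(host), do: String.ends_with?(host, ".onion")

  # Ordered list of URLs to try for a domain taken from user@domain.
  def candidate_urls(domain) do
    host = domain |> String.trim() |> String.downcase() |> String.trim_trailing(".")
    schemes = if onion?(host), do: ["https", "http"], else: ["https"]
    Enum.map(schemes, fn scheme -> "#{scheme}://#{host}#{@path}" end)
  end

  # fetch_fun is a hypothetical 1-arity HTTP getter returning
  # {:ok, body} or {:error, reason}; the first success wins.
  def fetch_host_meta(domain, fetch_fun) when is_function(fetch_fun, 1) do
    Enum.reduce_while(candidate_urls(domain), {:error, :no_candidates}, fn url, _last ->
      case fetch_fun.(url) do
        {:ok, body} -> {:halt, {:ok, url, body}}
        {:error, reason} -> {:cont, {:error, reason}}
      end
    end)
  end
end

# Constructed stand-in for the proxied HTTP client: every https request
# fails the way the log line in the report does, plain http succeeds.
fake_fetch = fn
  "https://" <> _ -> {:error, "expected tunnel proxy to return a status between 200 and 299, got: 503"}
  "http://" <> _ -> {:ok, "<XRD>constructed host-meta body</XRD>"}
end

# Onion host: https fails, the http candidate is tried and succeeds.
IO.inspect(HostMetaSchemeExample.fetch_host_meta("hidden-service.onion", fake_fetch))
# Clearnet host: only https is attempted, so the error is returned as is.
IO.inspect(HostMetaSchemeExample.fetch_host_meta("example.com", fake_fetch))
```

A domain taken from a user-supplied handle should be validated as a bare hostname before it is interpolated into a URL like this.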

Author

IIRC I tried to fetch it over the `http://x.onion/users/username` and it did fetch their user page correctly but I think still tried to fetch the webfinger over https.

The socks5 thing doesn't work, and I saw somewhere in the pull requests that they had removed support for socks5. I think they probably just removed the module from the build or something though, so maybe just adding it would work? I'm not sure.

I know it's been a while since this issue was made, but I'd really like to encourage work to be done on this specific issue. I personally have interest in running Akkoma with Tor support so if there's anything I can do to help make it happen, I'd love to hear it. I don't really understand Elixir so uhh, I might not be of much help though.

Reference: AkkomaGang/akkoma#399