Mastodon instance in tor and in internet

Hello! I have an instance of Mastodon running on the Internet. We also want it to be served under a *.onion address, using the same Mastodon instance.

We run Mastodon in Docker.

We have set up a working Tor hidden service and are able to make requests to the onion address, and they reach our Mastodon. But we have these problems:

  1. On the Internet Mastodon is accessed over HTTPS, and over Tor it is not. But when somebody accesses ourmastodon.onion over HTTP, the request is 302-redirected to HTTPS, which cannot be served (there are no SSL certificates for *.onion, as SSL is not needed for them). How can I switch this redirect off? It is surely generated by the Mastodon code.

  2. We store Mastodon content on S3 storage, and we set our own S3_HOSTNAME proxying to the S3 service, just as described here: Moving Mastodon's media files to Wasabi Object Storage. The problem is that it will be the same for both the onion site and the normal site, but I want to set up a separate onion site for the media, so that links to media from ourmastodon.onion point to ourmastodonmedia.onion. So can S3_HOSTNAME be set depending on the hostname served by the Mastodon instance, without installing a separate instance for Tor? (for and mediaourmastodon.onion for ourmastodon.onion)

Thank you.


This is easy: just add_forwarded_header X_FORWARDED_PROTO https in your nginx config file (you might have to look up the exact syntax, I don't remember it off the top of my head).

This is not possible. Mastodon has no way of generating different storage URLs based on the URL of the request, which is what this boils down to. I would suggest using nginx caching and something like DO volumes to manage your virtual machine's storage.

I want to test serving our instance on Tor too soon; please keep us updated on your progress!

Federation with hidden services

The administration panel shows a feature called “Federation with hidden services”. Since I could not find relevant documentation, I’m wondering whether some instances are using it, and how to enable it.

When trying to add my instance as a Tor hidden service, I keep having Mastodon trying to redirect to HTTPS and sending a CSP showing the clearnet hostname. I'm concerned especially about WebSockets, since the original CSP uses the wss ("secure" WebSockets) scheme and it's supposed to be interpreted by the client as "WebSockets over HTTPS", which the Tor hidden service is not, since it uses self-authenticating domain names and its own encryption over plain HTTP.

I might use a proper SSL certificate in the future, but now I’m interested in not using HTTPS and figuring how this could work properly with default onion domains over HTTP.
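The redirect problem raised in this post is the same one the first thread above answers with "add X-Forwarded-Proto https in your nginx config". Below is an added example of that approach (not the posters' configuration and not the Mastodon project's own): a separate nginx server block that receives only the connections Tor's hidden service forwards, proxies them to the same Mastodon containers as the clearnet vhost, and tells the Rails app that the request was already terminated securely, so the 302 to https:// is not issued. Assumptions made for the example: torrc contains `HiddenServicePort 80 127.0.0.1:8080`, the Mastodon web container listens on 127.0.0.1:3000 and the streaming container on 127.0.0.1:4000, and `ourmastodon.onion` is a placeholder hostname.

```nginx
# Added example: onion-only vhost in front of the same Mastodon containers.
# Assumed: Tor delivers hidden-service traffic here via
#   HiddenServicePort 80 127.0.0.1:8080
# Assumed backends: web on 127.0.0.1:3000, streaming on 127.0.0.1:4000.
server {
    # Loopback only. This listener MUST NOT be reachable from the Internet,
    # because the X-Forwarded-Proto header below disables the HTTPS redirect
    # for anything that reaches it.
    listen 127.0.0.1:8080;
    server_name ourmastodon.onion;   # placeholder onion hostname

    # Plain HTTP is intentional: the onion address already authenticates the
    # service and Tor encrypts the circuit, so there is no ssl block here and
    # no "return 301 https://..." rule of the kind the clearnet vhost carries.

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The key line: Rails' force_ssl check consults X-Forwarded-Proto, so
        # with "https" here Mastodon treats the request as already secure and
        # stops answering with a 302 to https://ourmastodon.onion/.
        proxy_set_header X-Forwarded-Proto https;
    }

    # WebSocket endpoint of the streaming API, same header, plus the upgrade
    # headers nginx needs to pass a WebSocket through.
    location /api/v1/streaming {
        proxy_pass http://127.0.0.1:4000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Two caveats. First, X-Forwarded-Proto is trusted unconditionally by the application, so set it to `https` only on a listener that the clearnet cannot reach; putting the same line on the public port 80 vhost would let Internet clients use the site over plaintext with no redirect at all. Second, this removes the redirect only: Mastodon builds absolute URLs (media links, the CSP's hostnames, the wss endpoint) from its configured local domain rather than from the Host header, which is also why the answer in the first thread to the per-hostname S3_HOSTNAME question is "not possible"; the CSP concern in this post is not addressed by a proxy header.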


So, Tor hidden service configuration docs are now available at Hidden services - Mastodon documentation. But I think, as someone who participated in getting .onion recognized at the IETF level, that the documentation takes an old reference too much into account.

While it may be tempting to serve your Tor version of Mastodon over https it is not a good idea for most people. See this blog post from the Tor Project about why https certificates do not add value. Since you cannot get an SSL cert for an onion domain, you will also be plagued with certificate errors when trying to use your Mastodon instance.

I think this is not true. Currently, Let's Encrypt certificates do not support .onion names, but others do (e.g., commercial ones), since RFC 7686 is out and solved the issue of allowing .onion names in SSL certificates. Not that it's much more useful, as indeed HTTP over Tor is enough to guarantee security properties at least equivalent to TLS over HTTP, a.k.a. HTTPS.

If you can generate an SSL certificate for your site and include a .onion name in it, it guarantees ownership to Tor users, so they can trust that you indeed run this site, and not someone else who would proxy your HTTP site and act as a man-in-the-middle. Of course, this case is unlikely, since one would obtain the original .onion name from your HTTPS site in the first place, but you never know: someone could be passing on a link, e.g., in the Hidden Wiki, and off you go, phished. So if you're dealing with money and/or personal information, you might want to generate an SSL certificate that includes your .onion. Agreed, that is not for "most people", but it's nevertheless more accurate than what the current documentation states about it, which sounds like fearmongering.