Mastodon instance on Tor and on the internet


Hello! I have an instance of Mastodon running on the internet. We want it to also be served by a *.onion address. We want to do it with the same Mastodon instance.

We use Mastodon in Docker.

We have set up a working Tor hidden service and are able to make requests to the onion address, and they reach our Mastodon. But we have these problems:

  1. On the internet Mastodon is accessed using https, and in Tor it is not. But when somebody accesses ourmastodon.onion by http, it's 302-redirected to https, which can't be served (there are no SSL certificates for *.onion, as SSL is not needed for them). How can I switch this redirect off? It's surely generated by the Mastodon code.

  2. We store Mastodon content on S3 storage, and we set our own S3_HOSTNAME proxying to the S3 service just as it's described here: Moving Mastodon's media files to Wasabi Object Storage. The problem is that it will be the same for both the onion site and the normal site. But I want to set up a separate onion site for the media, so that links to media from ourmastodon.onion point to ourmastodonmedia.onion. So can S3_HOSTNAME be set up depending on the hostname served by the Mastodon instance, without installing a separate instance for Tor? ( for and mediaourmastodon.onion for ourmastodon.onion)

Thank you.



This is easy, just add_forwarded_header X_FORWARDED_PROTO https in your nginx config file (you might have to look up the exact syntax, I don't remember it off the top of my head).

This is not possible. Mastodon has no way of generating different storage URLs based on the URL of the request, which is what this boils down to. I would suggest using nginx caching and something like do volumes to manage your virtual machine’s storage.
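
The reply above leaves the exact syntax open. As an added example (not part of the original posts), this uses nginx's proxy_set_header directive on a server block reserved for the onion listener. The listen address 127.0.0.1:8080 and the upstream ports 3000 and 4000 are assumptions; adjust them to the actual torrc HiddenServicePort target and Docker port mappings.

```nginx
# Added example, not from the thread.
# Assumed: torrc contains "HiddenServicePort 80 127.0.0.1:8080", and the
# Mastodon web and streaming containers are published on 127.0.0.1:3000
# and 127.0.0.1:4000.
server {
    # Loopback only: this plain-HTTP listener should be reachable by the
    # local Tor daemon and nothing else.
    listen 127.0.0.1:8080;
    server_name ourmastodon.onion;   # placeholder name from the question

    location / {
        proxy_set_header Host $host;
        # Mastodon then treats the request as already being HTTPS, so it
        # does not answer with a 302 to https://. Set this only in this
        # server block; the clearnet block should keep passing $scheme.
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://127.0.0.1:3000;
    }

    location /api/v1/streaming {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        # WebSocket upgrade for the streaming API.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://127.0.0.1:4000;
    }
}
```

Because the header is hard-coded, Mastodon cannot tell whether the connection was really encrypted, which is why the block is bound to loopback and kept separate from the public server block.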



We want to test serving our instance on Tor soon too, please keep us updated on your process!



Federation with hidden services

The administration panel shows a feature called “Federation with hidden services”. Since I could not find relevant documentation, I’m wondering whether some instances are using it, and how to enable it.

When trying to add my instance as a Tor Hidden Service, I keep having Mastodon trying to redirect to HTTPS and sending a CSP showing the clear hostname. I’m concerned especially with WebSockets since the original CSP uses wss (“secure” websockets) scheme and it’s supposed to be interpreted by the client as “WebSockets over HTTPS” – which the Tor Hidden Service is not since it uses self-authenticating domain names and its own encryption over plain HTTP.

I might use a proper SSL certificate in the future, but now I’m interested in not using HTTPS and figuring out how this could work properly with default onion domains over HTTP.