No Milestone
No Assignees
11 Participants
Notifications
Due Date
No due date set.
Dependencies
This issue currently doesn't have any dependencies.
Loading…
Reference in new issue
There is no content yet.
Delete Branch '%!s(MISSING)'
Deleting a branch is permanent. It CANNOT be undone. Continue?
Please setup an onion site so Tor users can avoid the exit node bottleneck. Notice that Notabug has done this.
interesting idea. Any contributors?
It can't be done from user side. Only the server owner can.
https://2019.www.torproject.org/docs/tor-onion-service.html.en#zero
Only a few git services support Tor. If you support it, that'll be really cool!
(I'm Tor contributor and relay owner.)
e.g.
@not_cloudflare
Would that require us to become an "exit node"?
Or just an endpoint for traffic to codeberg.org?
A quick research says that we do not have to become an exit node, so personally I am open to the idea.
Hosting onion service is easy. You have to install Tor[1] and edit "torrc" file. Even Facebook, New York Times, and CIA have onions.
You don't have to become a relay(middle node, exit node).
Here's a list of WeSupportTor. If codeberg become accessible over Tor, I will use it & add you to the list.
https://trac.torproject.org/projects/tor/wiki/org/projects/WeSupportTor
[1] https://2019.www.torproject.org/docs/debian.html.en#ubuntu
@not_cloudflare: Would you like to contribute an example of the config as PR, for example against the etc/ template folder in https://codeberg.org/Codeberg/build-deploy-gitea/src/branch/master/etc/?
(these files are directly deployed into /etc/, after templates for ${HOSTNAME_FQDN} etc have been resolved)
Tor is a server, not gitea.
(below should work for debian system)
e.g.
easy guide: https://www.reddit.com/r/TOR/comments/8tyrye/how_to_create_onion_website_on_web_server_which/
TLDR Example:
Here's my test server's torrc (I've hidden some lines but it will be useful):
And manual. https://2019.www.torproject.org/docs/tor-manual.html.en
Plain vanilla debian, no 3rdparty apt sources. All local services are routed through haproxy (we want to publish the infrastructure deployment files too, but didn't have the time for a thourough review yet).
Is this still relevant after (partially?) blocking Tor due to abuse?
@hunger
We are current not blocking tor in any way. And we never did. Not one single second.
@ashimokawa: I read something about abusive account creation via tor and at least some discussion to block it and must have over-interpreted this.
Sorry for that.
I’m interested in providing Codeberg as onion site. I do have experience running various parts of the TOR network so I’m able to help.
nice! What would be needed from our side?
Some kind of access to the infrastructure code. Esspecially important the
/etcdir (of the server not of Gitea like pointed out here #50) in such a way that I can open a PR or something similar.I also need read access to enough infrastructure code so I can setup a test system to ensure the resulting configuration will actually work.
Running tor on main server is a no-go for obvious reasons. Dedicated VM forwarding port 80/443 might be an option?
You could for example use createVM.sh in https://codeberg.org/Codeberg/build-deploy-gitea as starting point, happy to help if needed.
you
re right its probably better not to have TOR on the main machine.The VM pointer helps I`ll probably start some time next week.
@hw @ashimokawa https://blog.torproject.org/more-onions-porfavor
I think there may be a misunderstanding here. What's the problem with running Tor on the main server?
Just to clarify: Can be done by a user, but owner provided onion link is prefered for obvious reasons and to avoid limitation like having only read access.
Not required for a hidden service afaik
Just to clarify:
http://<random-things-here>.onionis safe as Tor is encrypting everything it canhttp://clearweb-website.comis not safe as the trafic from the exit node is exposed to the exit node provider and to the clearwebhttps://clearweb-website.comis generally considered not unsafe, but can be used for a fingerprinting and tracking for websites that doesn't have a lot of Tor users (The idea of torbrowser is to have a huge crowd of people with the same browser as a counter-measure to fingerprinting).That is not secure enough for tor users as we have to depend on an exit node to connect to the clearweb to reach this website, but generally acceptable.
Now to demistify the setup
Basically you download and install tor and add following lines:
In codeberg's case that would be:
which should be all that is needed for tor users to access the website from tor.
Your onion url will be then stored in
/var/lib/tor/codeberg/hostnameRecommending doing a peer-review in irc.oftc.net/#tor for official support.
Referencing my configuration: https://github.com/RiXotStudio/server-setup/blob/master/src/sefunc/00-tor.sh
Elaborate on obvious reasons?
All attacks on Codeberg came via Tor in the past. Any DDOS/attack on this channel would harm the entire platform if running in the same machine.
To clarify once again: if one or more contributors volunteer to sponsor/setup/run the required infrastructure, we will happily endorse this. It is just that nobody raised his hand yet to commit.
EDIT: Upon peer-review the rate limits might be only for relays will update once clarified
EDIT2:
BandwidthRateis used for this, adapted@hw I believe that you are misinformed about the subject, there were lot of DDoS attacks in 2019 due to the bug discovered in Tor itself[1] which has been allegedly fixed so these attacks should be drastically reduced by now as they are much more difficult and much more resource intensive to perform.
As said in general performing DDoS/DoS from Tor to a hidden service and/or clearweb is more resource intensive compared to just using clearweb as Tor has to encrypt the traffic multiple times and route it through three relays so theoretically to perform a successful DDoS/DoS from Tor you would need to set up multiple tor clients sandboxed with cherrypicked
ExcludeNodesi.e usingcurl https://onionoo.torproject.org/details 2>/dev/null | jq -r '.relays[] | select(.observed_bandwidth <= 1310720) | .or_addresses' | grep -oP "^\s+\"(\w+\.\w+\.\w+\.\w+\:\w+)" | sed "s/^ \"//gm" | tr '\n' ','(Tool from https://github.com/Krey-s-Tor/torrc/blob/master/src/ExcludeSlowRelays.conf) to exclude slow tor relays that would be limiting the Tor DDoS/DoS then set up a loop that runs something alikepidof tor | xargs sudo kill -HUPto generate a new routes which based on my unreliable and questionable experiment (so the experiment should be verified) would take 100mbps upload into 8mbps attack in which case it's much more efficient to perform the attack from a clearweb not to mension that such changes to the Tor are going to make the attacker fingerprintable and sacrifice anonymity.But if you are still concerned about Tor halting your system then you can rate limit it by using:
So even if attacker takes down Tor (very unlikely) you can still have working system and if that it not enough to you then the application itself should be optimized on DDoS/DoS i.e the registration which torproject suggest[1] to make proof-of-work which is for example implemented on Hackint.org[4].
And if that is still not enough to you i would recommend Linux kernel with MuQSS scheduler from weebo dentist CK which shown[5][6] to be much more difficult to made halt and to be more efficient in handling the load on systems with more then 4 threads at the cost of generating more heat (optimizable) and requiring more electricity compared to Complitely Fair Scheduler (CFS). Based on my experience MuQSS is more economical in commercial application as it allows the system the have a reliable scheduler as CFS likes to halt and get confused too much.
I've also linked an utility to test the system agains tor DDoS/DoS[3]
References
^^^^^^^^^^^^^^^^^^^^^^^^ once again: this. ^^^^^^^^^^^^^^^^^^^^^^^^^^
Right now it's just extra burden of an additional project nobody had the time to pick up yet: as soon a volunteer Codeberg e.V. member steps up and takes responsibility for set-up and maintenance of a properly isolated VM running the onion protocol translation, we can do this :)
Like i am willing to fork https://github.com/rixotstudio/server-setup (namely https://github.com/RiXotStudio/server-setup/blob/master/src/sefunc/00-tor.sh) set up for codeberg's usage if wanted (this would be set as an isolated busybox instance), but making Tor in VM makes no sense to me for reasons provided.
Please justify usage of VM and check if proposed solution is sufficient for codeberg.
@kreyren
Putting this inside a VM would allow us to hand over the administration task to someone else without giving access to the main server.
@ashimokawa Why though? Tor doesn't require babysitting if you are not a relay operator (which you should if you have a spare bandwith where the relay administration is also maintainance friendly).
Basically just configuring it once and letting the system package manager to keep it up to date is enough in my mind.
I would think that keeping it inside a VM container and outsourcing it is a really bad idea in terms of privacy as then tor would have to rely on the security of the VM container and it's configuration and would probably expose the traffic to the container maintainer which is generally unwanted as the service should be always maintained by the upstream and as it's a VM container it requires much more processing power.
Relevant: https://github.com/go-gitea/gitea/issues/12876
As someone who takes interest in onion services and in particular has seen Debian's smooth rollout of them, I must affirm @kreyren's point that running an onion service is primarily one-time setup and I suspect that there's misunderstanding, or conflation with the concept of Tor relays.
Because onion sites don't use TLS, there'd be no way to distinguish a phishing Codeberg onion service from the genuine one if it were not operated by the same entity. In fact you'd be letting an outside party have your secret key to the .onion pseudo-domain name.
The overhead of the Tor daemon is much lesser than any web server, because as the hidden service operator you're only the last hop. I believe the Tor daemon can even use Unix sockets to connect to supporting services, but that might've been a dream.
Lastly, onion-ifying Codeberg may go beyond the website. Take things one step at a time, but SSH over Tor would be appreciated as well. (Since onions are encrypted end-to-end, telnet would actually be safe enough.)
Edit: Here are a couple brief primary sources. Here's the complete instructions to start a service, and here's a post about the Tor Project's #MoreOnionsPorFavor campaign. This explicitly called for users to contact their favorite websites and explains the rationale of providing more privacy-preserving and secure options.
Your questions would also be very welcome on the tor-onions list.
Can recommend SSH over tor as well i use it daily and it's great ^-^
Note that there is a delay on SSH over tor (in general tor adds delay of around 120ms) for which you might need to adapt your client if you are using it interactively and i woudn't recommend it for things that need fast responsivness i.e using emacs this way, but it can also be made work on bases of emulating the terminal locally and then sending the commands to the remote.
Would be great for SSH clonning and submitting merges though! and very welcomed!
I could also recommend it for the mailserver as on clearweb there is an issue with people sniffing the traffic to know where you are sending the e-mails and to whom which is generally unwanted in commercial use for business reasons and commonly abused for targeted advertising.
@kreyren report tor gateway integration upstream ... wont help anyone
this has to be configured by instance admins/maintainers ...
yes, not part of gitea
Disagree as the concern was mainly about (D)DoS which Gitea is seemingly vulnerable to atm for example nothing prevents bad actors:
See https://github.com/go-gitea/gitea/issues/12876 where upstream just panics irationally about the subject of (D)DoS and does it's best to close the issue as fast as possible..
Agree, but @hw mentioned a concern about (D)DoS (which is unlikely and not realistic to be performed through Tor after a bug that allowed the execution efficiently has been fixed) so i am trying to provide the required information to make Gitea less susceptible to it.
(D)DOS protection currently handled in haproxy and fail2ban
Note: The (D)DoS tests performed locally using sandboxing and limiting available system resources to Gitea sandbox which might not represent the same behavior in the wild.
Yes, there will always be good folks and bad guys. We need to find a good balance so that the latter cannot harm the former, without restricting general use. In the past this worked very well. Let's do the best to keep it like this for the future!
@kreyren
just panics irationally...I would not say that, the issue tracker is just not subject to broad conversations
https://discourse.gitea.io/ is the platform you are looking for
@hw Fail2ban can be avoided using a dynamically allocated IP adress from the ISP (some people are their own ISP so this is really easy for them to change) or using proxies or Tor.
haproxy can be allegedly overwhelmed as well depending on the amount of proxy servers (and their state) that do the load balancing.
In my mind the best defense agains (D)DoS is to adapting the software to sanitize the tasks that can be abused for the (D)DoS.
For example: if someone tries to create more then X accounts per minute then set a timeout for that region and process only 100 registration request per Z amount of time. So that end-users trying to make an account would be waiting in line for the server to process their registration request which seemed to work well in the wild.
I am sure every sound contribution to gitea the improves application-level service robustness will be highly welcome, both at codeberg and gitea!
About fail2ban there are apparently a paid services that provide a user-friendly environment to change the IP adresses within miliseconds so if codeberg is high value target do bad actors this would be an option for them.
:) we can always think of worse scenarios ... just if we focus exclusively on what-could-be instead of what-is we will get nothing done ;)
Again: a properly done PR solving actual issues is always welcome!
Disagree that gitea upstream wants them for reasons provided, would be willing to make tracking in Codeberg/gitea to handle these concerns, but i would process them with low priority as these are currently not that important to be implemented and codeberg doesn't seem to be a target for bad actors. If that's fine with you? ^-^
Ideally would like to focus on implementing Tor for now.
Noted, should be probably adjusted in github template for issues and contributing file then as there is currently no way of knowing the development process in gitea as a new contributor..
Also it's kinda insane to resolve these in a forum as the merge requests should have tracking to the issue where the feature was discussed for reference if needed and the forum doesn't seem to be a good place to resolve code quality issues.
But IMHO upstream that bans the contributors without reasoning is not worth my time investing so i would still prefer to put these in
Codeberg/Giteafor you to handle the upstream.So what is preventing you from deploying tor based on informations provided in #50 ? :p
extra setup+maintenance effort someone has to volunteer for
I volunteer
it's not a one-time effort (monitor, adjust throttling if necessary, fight spammers through the channel etc)
Concluded throttling not neccesary atm, can be adjusted using
BandwidthRateas mentioned in #50.How do you want to handle the monitoring?
How do you want to fight spammers?
EDIT: Added reference on
BandwidthRateI don't think I'm understanding why an onion service would increase the risk of DoS or abuse. If an attacker wanted to do that over Tor, couldn't they connect over the clearnet (codeberg.org) anyway? An onion service would actually improve on this, since it would add three additional hops.
☝️
Note that explained in: #50
TLDR: i doubt that Tor used for (D)DoS is a viable option for clearweb nor onions as it needs way more processing power to perform the task.
FWIW i've helped to set up hidden service for https://git.dotya.ml currently available on http://2crftbzxbcoqolvzreaaeyrod5qwycayef55gxgzgfcpqlaxrnh3kkqd.onion
There are some issues with gitea configuration atm (gitea not replacing clearnet link with hidden) and droneCI (DroneCI blocking hidden as second provider but that seems to be pebcak), but seems to work quite well.
If codeberg is going to have onion address, please make sure it is a v3 onion addresses, v2 onion addresses are getting deprecated next years and i associate them with honeypots
Any news on this?
It's a shift of risk. A clearnet site is vulnerable to a small number of Tor exit nodes (insignificant) and the whole clearnet (significant, but attacker has to be a little more sophisticated to have a botnet). An onion site is immune to clearnet attack, but the attack surface is exposed to all Tor relays not just exit nodes.
IMO it makes sense to have both a clearnet site and an onion site. An attack can be engineered to hit either, but taking both down would take more motivation. So in principle it's overall more robust to have both.
FWIW i recently contributed to setting up an onion routing for the Free Software Foundation Europe, this might help you in deployment of the onion-services here https://github.com/Kreyren/kreyren/issues/60 which is peer-reviewed by The Tor Project.
FWIW outsourcing the onion-router in VM for maintenance by 3rd party is still foolish and insanity imho.
Sounds interesting.
Is spam via Tor still considered an issue? How are the chances that this might increase when providing easier access via the onion routing? If this is minimal, I think there are high chances to see an onion site soon.
Depends on what kind of spam:
I don't understand this question
Based on informations provided it is minimal and the implementation was proposed in https://codeberg.org/Codeberg/build-deploy-gitea/pulls/44
Sorry, reworded for clarification: I just wanted to have some evaluation if there's a chance that spam will become significantly more common or harder to tackle or anything when providing a .onion site.
I think the situation is exact the same as with clear net, the only difference is, you wont get the IP of an User, but this a user can avoid today too (just use tor with exit nodes ...)
To clarify you will get IP of a user, but it's more difficult to track where the user is (as the traffic is encrypted multiple times and routed through 3 relays each being in a different part of the world) and the end-user can change the IP on demand + the enhanced security.
I've made a proposal to GitHub about onion-routing that explains this in detail which was peer-reviewed by The Tor Project https://github.com/github/feedback/discussions/2843
Note that users who use onion-routing over either Tor or LOKI/OXEN can already access the website, this just makes it to use the last hop as an exit node.
New idee (I think): we can actually use this to mitigate DDoS attacks - block Tor access on the clearweb with a 302 Found redirect to our Onion address, add a tiny VM with enough allowed traffic as a Tor router & limit the bandwidth/amount of simultaneous requests from the Tor router to the main server.
You can promote oniin sites via header to torbrowser https://www.bleepingcomputer.com/news/software/tor-browser-95-lets-websites-promote-their-onion-addresses/
@momar That's a good idea but there's a complication: the Tor network will drop onion v2 support in October. Codeberg might be tempted to go onion v3 now, but Debian Stretch (oldstable) does not support onion v3 and yet Stretch's end of life is June 2022. So if Tor users are redirected to an onion v3 URL, this will be a dead-end for some users. I suggest redirecting to an onion v2 url up until the day Tor Project forces onion v3 on everyone (which Tor Project will do prematurely with reckless disregard).
After Tor project kills off onion v2, users of Debian Stretch would be blocked from Codeberg during the last 9 months of official Debian support. There are some workarounds but Codeberg has to decide whether it's a fair tradeoff to force some users to work out that they must manually install a recent version of Tor Browser and use no other browser during that time.
Privacy International used to redirect Tor users from clearnet to their onion site, but no longer. Might be interesting to find out why.
They switched to Onion-Location, which prompts the user or automatically redirects them to the onion site (depends on config). Source
Between oct. 2021 and june 2022, I'd say onion-location makes the most sense because the user is ultimately in control over whether the v3 onion is visited. Perhaps it would make sense to be able to quickly switch to @momar's approach during moments of attack, and perhaps permanently after june 2022 when it's less likely that a Tor user is onion v3 incapable.