this post was submitted on 01 Aug 2023
3 points (100.0% liked)

Lemmy Administration

698 readers
1 users here now

Anything about running your own Lemmy instance. Including how to install it, maintain and customise it.

Be sure to check out the docs: https://join-lemmy.org/docs/en/administration/administration.html

If you have any problems, describe them here and we will try to help you fixing them.

founded 4 years ago
MODERATORS
 

Current State

One controversial topic within the admin community is Tor. Many malicious actors that want to harm an instance hide behind the tor network, which is why many instances block traffic originating from Tor. The most common approach is to block requests from exit nodes, a list of which can be found here. Tor blocking is a valid principle that every instance operator must decide for themself. I do not condemn anyone for doing so.

Motivation for Tor

However, Tor is also a tool to use the Internet in an anonymous way, bypassing censorship or big firewalls. This means that there is a legitimate use case for the combination of Tor and Lemmy. There is even an official Lemmy documentation on how to run a Lemmy instance as a hidden service.

The Issue

There is, however, one significant issue at this point: Picture requests are leaking.

On the normal web, all requests go to https://lemmy.tld/..., including image requests that look like https://lemmy.tld/pictures/image/.... In Tor, you access http://xyz.onion/, but the image requests still use https://lemmy.tld/pictures/image/.... From a Tor perspective, this is not intended and defeats the purpose of a hidden service. Yes, you are still anonymous, but the traffic through the exit nodes is slow (traffic within the tor network is »faster«) and not even necessary in this case.

The reason for this problem is that the image links are stored in full length in the database. For example, an image has the id 1a2b3c4d and is stored in the DB as https://lemmy.tld/pictrs/imate/1a2b3c4d. This leads to requests for images (of the same website you visit via tor) take the long route to the clear web.

Proposed Fix

I have delved into the lemm-ui source code and developed a fix for this problem. Unfortunately, this is not a universal solution and only works for our QuantemToast (de/en) instance. However, it is easy to customize it for your instance. Just change the domain name in src/shared/utils/app/substitute-image-url.ts and build your own Docker image. It works by replacing the instance domain with the onion domain for image URLs (and the favicon).

Perhaps someone is interested in developing a general solution, but until then, those of you who want a Tor instance or just a Tor mirror (our use case) might like to take a look at my solution.

Edit: Use at your own risk.

Please Note

Be aware, that content from other instances might not be visiable due to mentioned Tor blocking. Furthermore federation is currently not supported for Tor instances. Federation traffic between instances is handled on the clear web.

If you just want a Tor mirror, you might want to consider using a single onion service for better performance.

Edit: Changed fix link from commit to branch. Had to change something because of icon leak

top 1 comments
sorted by: hot top controversial new old
[–] mike@postit.quantentoast.de 1 points 1 year ago

Small Update: When uploading images from the tor mirror, they are stored in the DB with the onion address. One workaround I'm currently applying is running a script periodically that updates image links. It looks like this:

UPDATE post SET url = REPLACE(url, 'http://your-hidden-address.onion', 'https://your-clear-domain.tld')

And btw all this is for version 0.18.3 (to avoid confusion in the future)