#summary s2s to Tor hidden services
#labels Stage-Alpha

= Introduction =

This plugin allows Prosody to connect to other servers that are running as a Tor hidden service. Running Prosody on a hidden service works without this module; it is only needed to let Prosody federate with hidden XMPP servers.

For general info about creating a hidden service, see https://www.torproject.org/docs/tor-hidden-service.html.en.

= Usage =
This module depends on the bit32 Lua library.

To create a hidden service that can federate with other hidden XMPP servers, first add a hidden service to Tor. It should listen on port 5269 and optionally also on 5222 (if c2s connections to the hidden service should be allowed).

Use the hostname that Tor gives as the name of a VirtualHost:

{{{
VirtualHost "555abcdefhijklmn.onion"
    modules_enabled = { "onions" };
}}}

= Configuration =
|| *Name* || *Description* || *Type* || *Default value* ||
|| onions_socks5_host || the host to connect to for Tor's SOCKS5 proxy || string || "127.0.0.1" ||
|| onions_socks5_port || the port to connect to for Tor's SOCKS5 proxy || integer || 9050 ||
|| onions_only || forbid all connection attempts to non-onion servers || boolean || false ||
|| onions_tor_all || pass all s2s connections through Tor || boolean || false ||
|| onions_map || override the address for a host || table || {} ||

By setting {{{onions_map}}}, it is possible to override the address used to connect to a given host with the address of a hidden service. The configuration of {{{onions_map}}} works as follows:

{{{
onions_map = {
    ["jabber.calyxinstitute.org"] = "ijeeynrc6x2uy5ob.onion";
}
}}}

or, to also specify a port:

{{{
onions_map = {
    ["jabber.calyxinstitute.org"] = { host = "ijeeynrc6x2uy5ob.onion", port = 5269 };
}
}}}

= Compatibility =
||0.8||Doesn't work||
||0.9||Works||

= Notes =

  * {{{onions_tor_all}}} does not look up SRV records first. Therefore it will fail for many servers.
  * mod_onions currently does not support connecting to {{{.onion}}} entries in SRV records.

= Security considerations =
  * Running a hidden service on a server together with a normal server might expose the hidden service.
  * A hidden service that wants to remain hidden should either disallow s2s to non-hidden servers or pass all s2s traffic through Tor (setting either {{{onions_only}}} or {{{onions_tor_all}}}).
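
The following Lua script is an added example, not part of mod_onions or Prosody: it checks a configuration for the two conditions listed under Security considerations. It assumes Lua 5.2 or later, handles only VirtualHost sections and plain option assignments, assumes a per-host option overrides the global one, and runs on a constructed sample config with placeholder host names.

```lua
-- Added example, not mod_onions code. Requires Lua 5.2+ (load() with an env).
-- Constructed sample in Prosody config syntax; host names are placeholders.
local sample = [[
VirtualHost "example.org"
VirtualHost "555abcdefhijklmn.onion"
    modules_enabled = { "onions" };
VirtualHost "aaaabbbbccccdddd.onion"
    onions_only = true;
]]

-- Run the config in a sandbox: VirtualHost switches the current section and
-- every global assignment is recorded in that section's table.
local function parse(chunk)
  local global, hosts, order = {}, {}, {}
  local current = global
  local env = setmetatable({
    VirtualHost = function(name)
      if not hosts[name] then
        hosts[name] = {}
        order[#order + 1] = name
      end
      current = hosts[name]
    end,
  }, { __newindex = function(_, key, value) current[key] = value end })
  assert(load(chunk, "=config", "t", env))()
  return global, hosts, order
end

local function audit(chunk)
  local global, hosts, order = parse(chunk)
  local findings, onion, clearnet = {}, {}, {}
  for _, name in ipairs(order) do
    local list = name:match("%.onion$") and onion or clearnet
    list[#list + 1] = name
  end
  for _, name in ipairs(onion) do
    -- Assumption: a per-host option overrides the global one.
    local opts = setmetatable(hosts[name], { __index = global })
    if not (opts.onions_only or opts.onions_tor_all) then
      findings[#findings + 1] = name .. ": neither onions_only nor onions_tor_all is set"
    end
    if #clearnet > 0 then
      findings[#findings + 1] = name .. ": shares this server with " .. table.concat(clearnet, ", ")
    end
  end
  return findings
end

for _, finding in ipairs(audit(sample)) do print(finding) end
```

To check a real file, read its contents into a string and pass that to {{{audit}}} instead of {{{sample}}}.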