On 1/21/21 9:27 PM, Silvia wrote:
> Exciting to see fsfe moving to onions. How can we help you guys with this?
Currently the main problem is with implementation, as there is an issue with certificates using TLS-over-onions (not economical for a non-profit foundation), where it seems that using a reverse proxy with the currently used Apache or implementing EOTK is the way to go there? More options and ways to configure EOTK (Alec seems to be currently busy and unable to answer) would be appreciated.
Also a brainstorm for the implementation as a whole would be appreciated. The services seem to be mostly running in a jail/VM, which is favorable to preserve for security reasons (e.g. in a scenario where a major bug is discovered in the wild, to reduce the impact of one service on the system). So I am currently unsure whether we want to:

1. run one tor daemon per system in a jail/VM to provide the routing from the exposed ports of the services, e.g. https://git.fsfe.org/kreyren/fsfe-planet/src/branch/onionz/docker-compose.ym...

2. implement the tor daemon within these jails/VMs with the service
    srv/service1 (exposing port 12447)
    srv/service2 (exposing port 12448)

and setting tor as

    HiddenServiceDir /var/lib/tor/service1
    HiddenServicePort 12447 127.0.0.1:12447

    HiddenServiceDir /var/lib/tor/service2
    HiddenServicePort 12448 127.0.0.1:12448
3. implement the tor daemon on the router, assuming all services are routed through a routing server, but I am concerned about sanitization, as a bug in tor there could expose user traffic to bad actors. (currently being discussed)
4. implement Xen (https://en.wikipedia.org/wiki/Xen), which is currently not favorable as it would require lots of work on the backend.
5. Other?
FWIW I would also like to provide something like https://onion.debian.org so that the website list is available to the end-user.
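Added example, not from the thread or from FSFE's setup: a small lint for the one-HiddenServiceDir-per-service layout of option 2. It parses the HiddenServiceDir/HiddenServicePort stanzas of a torrc and flags a stanza whose virtual port does not match the port the jailed service exposes, or a backend target that two onions share. The sample torrc and the expected-port table are constructed to mirror the two services above.

```python
"""Lint torrc HiddenService stanzas for a one-onion-per-jailed-service layout."""
from collections import defaultdict
# Constructed sample (not from the thread): service2 wrongly repeats service1's port.
TORRC_SAMPLE = """\
HiddenServiceDir /var/lib/tor/service1
HiddenServicePort 12447 127.0.0.1:12447
HiddenServiceDir /var/lib/tor/service2
HiddenServicePort 12447 127.0.0.1:12447
"""
# Port each service actually exposes, keyed by the HiddenServiceDir basename.
EXPECTED_PORTS = {"service1": 12447, "service2": 12448}


def parse_hidden_services(torrc):
    """Return {HiddenServiceDir: [(virtual_port, target)]} in file order.
    A HiddenServicePort before any HiddenServiceDir is rejected, as tor does;
    an omitted target defaults to 127.0.0.1:<virtual_port>, as tor documents."""
    services, current = {}, None
    for lineno, raw in enumerate(torrc.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "HiddenServiceDir":
            current = value.strip()
            services.setdefault(current, [])
        elif key == "HiddenServicePort":
            if current is None:
                raise ValueError(f"line {lineno}: HiddenServicePort before HiddenServiceDir")
            fields = value.split()
            vport = int(fields[0])
            target = fields[1] if len(fields) > 1 else f"127.0.0.1:{vport}"
            services[current].append((vport, target))
    return services


def lint(services, expected):
    """Flag virtual ports that differ from what the service exposes, and a
    backend target shared by more than one onion (two onions, one jail)."""
    findings, by_target = [], defaultdict(list)
    for hsdir, ports in services.items():
        name = hsdir.rstrip("/").rsplit("/", 1)[-1]
        for vport, target in ports:
            by_target[target].append(name)
            if name in expected and vport != expected[name]:
                findings.append(f"{name}: virtual port {vport}, service exposes {expected[name]}")
    for target, names in by_target.items():
        if len(names) > 1:
            findings.append(f"target {target} shared by {', '.join(names)}")
    return findings
```

Run `lint(parse_hidden_services(TORRC_SAMPLE), EXPECTED_PORTS)` to see both findings for the constructed sample; an empty list means the stanzas agree with the service table.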