[tor-onions] Onion-routing of The Free Software Foundation Europe

Jacob Hrbek kreyren at rixotstudio.cz
Fri Jan 22 11:21:34 UTC 2021


On 1/21/21 9:27 PM, Silvia wrote:
> Exciting to see fsfe moving to onions.
> How can we help you guys with this?

Currently the main problem is with the implementation, as there is an
issue with certificates using TLS-over-onions (not economical for a
non-profit foundation), where it seems that using a reverse proxy with
the currently used Apache or implementing EOTK is the way to go? More
options and ways to configure EOTK (alec seems to be currently busy and
unable to answer) would be appreciated.

Also, a brainstorm on the implementation as a whole would be appreciated.
The services seem to be mostly running in jails/VMs, which is favorable
to preserve for security reasons (e.g. in a scenario where a major bug
is discovered in the wild, to reduce the impact of one service on the
system).
So I am currently unsure whether we want to:
1. run one tor daemon per system in a jail/VM to provide the routing from
the ports exposed by the services, e.g.
https://git.fsfe.org/kreyren/fsfe-planet/src/branch/onionz/docker-compose.yml
2. implement the tor daemon within these jails/VMs with the service
srv/service1 (exposing port 12447)
srv/service2 (exposing port 12448)

and setting tor as

HiddenServiceDir /var/lib/tor/service1
HiddenServicePort 12447 127.0.0.1:12447

HiddenServiceDir /var/lib/tor/service2
HiddenServicePort 12448 127.0.0.1:12448


3. implement the tor daemon on the router, assuming all services are
routed through a routing server, but I am concerned about sanitization
in case there is a bug in tor that could expose user traffic to bad
actors. (currently being discussed)

4. implement Xen (https://en.wikipedia.org/wiki/Xen), which is currently
not favorable as it would require lots of work on the backend.

5. Other?

FWIW I would also like to provide something like
https://onion.debian.org so that the website list is available to the
end-user.


-- 

- Krey
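
A lint for the torrc layout sketched above, as an added example that is not part of the original post: it parses the HiddenServiceDir/HiddenServicePort pairs and reports onion services that forward to the same backend or to a non-loopback address. The sample config, the 10.0.0.5 address and the function names are constructed, and it assumes each onion service is meant to have its own backend.

```python
import ipaddress
from collections import defaultdict

# Constructed sample torrc: service2 still forwards to service1's backend
# (copy-paste slip) and service3's backend sits outside this jail/VM.
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/service1
HiddenServicePort 12447 127.0.0.1:12447
HiddenServiceDir /var/lib/tor/service2
HiddenServicePort 12448 127.0.0.1:12447
HiddenServiceDir /var/lib/tor/service3
HiddenServicePort 80 10.0.0.5:8080
"""

def parse_onion_services(torrc_text):
    """Return {HiddenServiceDir: [(virtual_port, target), ...]}."""
    services, current = {}, None
    for raw in torrc_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        option = fields[0].lower()  # torrc option names are case-insensitive
        if option == "hiddenservicedir":
            current = fields[1]
            services[current] = []
        elif option == "hiddenserviceport":
            if current is None:
                raise ValueError("HiddenServicePort before any HiddenServiceDir")
            # With no target (or a bare port) tor connects to 127.0.0.1.
            target = fields[2] if len(fields) > 2 else fields[1]
            if target.isdigit():
                target = f"127.0.0.1:{target}"
            services[current].append((int(fields[1]), target))
    return services

def lint(services):
    """Return findings for non-loopback targets and shared backends."""
    findings, users = [], defaultdict(list)
    for hs_dir, ports in services.items():
        for _virt, target in ports:
            users[target].append(hs_dir)
            host = target.rsplit(":", 1)[0].strip("[]")
            if not target.startswith("unix:") and not ipaddress.ip_address(host).is_loopback:
                findings.append(f"{hs_dir}: {target} is not loopback")
    for target, dirs in users.items():
        if len(dirs) > 1:
            findings.append(f"{target}: shared by {', '.join(dirs)}")
    return findings
```

Calling `lint(parse_onion_services(text))` on the contents of a torrc returns the findings as a list of strings. A non-loopback target is not necessarily wrong (option 1 above implies one), but the hop from tor to that backend is plain TCP.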
