I2P Federation and Accessibility
This guide focuses on the Akkoma federation side. The actual installation of I2P is explained in the official documentation, which is more likely to stay up to date; it may be added to this guide if there is a need for it.
We're going to use I2PD because it is lighter than the official (Java) client. Follow the installation documentation for your distro: https://i2pd.readthedocs.io/en/latest/user-guide/install/#installing
How to run it: https://i2pd.readthedocs.io/en/latest/user-guide/run/
I2P Federation
There are two ways to go about this: one using only Akkoma's config, and one using external software (fedproxy). The external software has worked better so far.
Using the Config
Warning: So far, every time I followed this way of federating using I2P, the rest of my federation stopped working. I'm leaving this here in case it helps with making it work.
Assuming you're running in prod, cd to your Akkoma folder and append the following to config/prod.secret.exs:

```elixir
config :pleroma, :http, proxy_url: {:socks5, :localhost, 4447}
```
And then run the following (the config file is read at startup, so restart Akkoma afterwards for the proxy setting to take effect):

```sh
su akkoma
MIX_ENV=prod mix deps.get
MIX_ENV=prod mix ecto.migrate
exit
```
You can restart I2PD here and finish if you don't wish to make your instance viewable or accessible over I2P.
```sh
systemctl stop i2pd.service --no-block
systemctl start i2pd.service
```

Notice: the stop command initiates a graceful shutdown; i2pd only exits once it has finished routing its transit tunnels (up to 10 minutes).
You can change the SOCKS proxy port in /etc/i2pd/i2pd.conf.
Using Fedproxy
Fedproxy passes clearnet requests straight through to their destination; it does not force anything over Tor. That also means requests to clearnet instances leave from your real address: fedproxy does not hide a clearnet instance, it only makes .i2p (and optionally .onion) destinations reachable.
To use fedproxy you'll need to install Go:

```sh
apt install golang
```
Use a different user than akkoma or root. Run the following to add the GOPATH to that user's ~/.bashrc (replace /home/ren with that user's home directory):

```sh
echo "export GOPATH=/home/ren/.go" >> ~/.bashrc
```
Restart that bash session (you can exit and log back in). Run the following to fetch and build fedproxy, then copy the binary into place (the copy needs root):

```sh
go get -u github.com/majestrate/fedproxy
cp "$GOPATH/bin/fedproxy" /usr/local/bin/fedproxy
```

Note: with Go 1.18 or newer, go get no longer builds or installs binaries; in that case use go install with a version suffix (`go install github.com/majestrate/fedproxy@latest`), which requires the repository to be a Go module.
And then run the following to start it for I2P only (as used in this guide: fedproxy listens on 127.0.0.1:2000 and sends .i2p traffic to i2pd's SOCKS proxy on 127.0.0.1:4447):

```sh
fedproxy 127.0.0.1:2000 127.0.0.1:4447
```

If you also want to use it for Tor, add 127.0.0.1:9050 (Tor's SOCKS port) to that command.
You'll also need to modify your Akkoma config. Assuming you're running in prod, cd to your Akkoma folder and append the following to config/prod.secret.exs:

```elixir
config :pleroma, :http, proxy_url: {:socks5, :localhost, 2000}
```
And then run the following (the config file is read at startup, so restart Akkoma afterwards for the proxy setting to take effect):

```sh
su akkoma
MIX_ENV=prod mix deps.get
MIX_ENV=prod mix ecto.migrate
exit
```
You can restart I2PD here and finish if you don't wish to make your instance viewable or accessible over I2P.
```sh
systemctl stop i2pd.service --no-block
systemctl start i2pd.service
```

Notice: the stop command initiates a graceful shutdown; i2pd only exits once it has finished routing its transit tunnels (up to 10 minutes).
You can change the SOCKS proxy port in /etc/i2pd/i2pd.conf.
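To make concrete what the two proxy settings above do, here is an added example in Python; it is not fedproxy's or Akkoma's own code. It models the routing rule this guide relies on (.i2p names go to i2pd's SOCKS port, .onion names go to Tor when one is given, everything else is connected to directly) and builds the SOCKS5 CONNECT request that a client such as Akkoma's HTTP client sends to the proxy port. The security-relevant detail is the address type: the request carries the hostname (ATYP 0x03) so that the proxy resolves it, which is the only way a .b32.i2p name can be reached and keeps the lookup away from the clearnet resolver. The port numbers are the ones used in this guide; what fedproxy does with a .onion host when no Tor upstream was given is not documented here, so refusing such a request is an assumption of this example.

```python
"""Routing model for federation through fedproxy, plus the SOCKS5 CONNECT on the wire.

Added example; not fedproxy's or Akkoma's code. Ports match this guide:
fedproxy listens on 2000, i2pd's SOCKS proxy is on 4447, Tor's on 9050.
"""
import struct
from typing import Optional, Tuple

Upstream = Tuple[str, int]

FEDPROXY_LISTEN: Upstream = ("127.0.0.1", 2000)  # what Akkoma's proxy_url points at
I2P_SOCKS: Upstream = ("127.0.0.1", 4447)        # i2pd SOCKS proxy (see i2pd.conf)
TOR_SOCKS: Upstream = ("127.0.0.1", 9050)        # Tor SOCKS port, optional


def choose_upstream(host: str, tor: Optional[Upstream] = None) -> Optional[Upstream]:
    """Decide where a connection to `host` is sent.

    .i2p names go to the i2pd SOCKS port, .onion names to Tor when one is
    configured, and every other name is connected to directly, so clearnet
    federation is NOT anonymised. Refusing .onion without Tor is this
    example's choice (assumption), not documented fedproxy behaviour.
    """
    h = host.lower().rstrip(".")
    if h == "i2p" or h.endswith(".i2p"):
        return I2P_SOCKS
    if h == "onion" or h.endswith(".onion"):
        if tor is None:
            raise ValueError(f"refusing {host}: no Tor SOCKS upstream configured")
        return tor
    return None  # direct clearnet connection


SOCKS5_GREETING = bytes([0x05, 0x01, 0x00])  # VER=5, NMETHODS=1, METHOD=no auth


def socks5_connect_request(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT (RFC 1928) carrying the hostname (ATYP 0x03).

    Sending the name instead of an IP leaves resolution to the proxy. That is
    the only thing that works for .b32.i2p (no DNS record exists), and it
    keeps the lookup away from the clearnet resolver.
    """
    name = host.rstrip(".").encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    # VER=5, CMD=CONNECT(1), RSV=0, ATYP=3, LEN, name, DST.PORT (big-endian)
    return bytes([0x05, 0x01, 0x00, 0x03, len(name)]) + name + struct.pack(">H", port)


def socks5_connect_succeeded(reply: bytes) -> bool:
    """True if a SOCKS5 reply (VER REP RSV ATYP BND.ADDR BND.PORT) reports success."""
    if len(reply) < 4 or reply[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    return reply[1] == 0x00  # REP 0x00 = succeeded


def plan(host: str, port: int = 80, tor: Optional[Upstream] = None):
    """Return (upstream, connect_request); both are None for a direct clearnet connection."""
    up = choose_upstream(host, tor)
    return up, (socks5_connect_request(host, port) if up else None)


if __name__ == "__main__":
    # Constructed sample names; the b32 one is a placeholder of the right length.
    for h in ("a" * 52 + ".b32.i2p", "example.onion", "mastodon.social"):
        try:
            print(h, "->", plan(h, 443, tor=TOR_SOCKS))
        except ValueError as e:
            print(e)
```

The dispatcher is the reason the two Akkoma settings above differ only in the port: with `4447` Akkoma talks to i2pd directly and every destination is an I2P destination, with `2000` it talks to fedproxy and only .i2p (and .onion) names are proxied.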
I2P Instance Access
Make your instance accessible using I2P.
Add the following to your I2PD tunnels config, /etc/i2pd/tunnels.conf (this makes i2pd forward the tunnel's inbound HTTP to nginx listening on 127.0.0.1:14447; the keys file persists the destination, so the address stays the same across restarts):

```ini
[akkoma]
type = http
host = 127.0.0.1
port = 14447
keys = akkoma.dat
```
Restart I2PD:

```sh
systemctl stop i2pd.service --no-block
systemctl start i2pd.service
```

Notice: the stop command initiates a graceful shutdown; i2pd only exits once it has finished routing its transit tunnels (up to 10 minutes).
Now you'll have to find your address. You can either download and use I2PD tools [1], or use the web console at localhost:7070. If you don't have a GUI on the server, SSH-tunnel the console to your machine like this:

```sh
ssh -L 7070:127.0.0.1:7070 user@ip -p port
```

Then open localhost:7070 in a browser, go to the "I2P tunnels" page and look under "Server tunnels": the address ending in .b32.i2p next to "akkoma" is your site's address.
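The .b32.i2p name is not assigned by anyone: it is the SHA-256 of the tunnel's full serialized Destination (the public keys plus their certificate), base32-encoded, which is what the web console and I2PD tools compute for you. The following added example in Python (not i2pd's, i2pd-tools' or Akkoma's code) derives the address from the keys file named in tunnels.conf. It assumes the i2pd keys file (akkoma.dat here) begins with that Destination, which is how i2pd stores tunnel keys; the sample keys file in the block is constructed filler, not real key material. It also checks the key certificate before trusting its length, so a truncated or inconsistent file is rejected rather than hashed into a wrong address.

```python
"""Derive the .b32.i2p address of a tunnel from its i2pd keys file.

Added example, not i2pd-tools or Akkoma code. The .b32.i2p name is the
SHA-256 of the full serialized Destination, base32-encoded. Assumes the i2pd
keys file (e.g. akkoma.dat) begins with that Destination.
"""
import base64
import hashlib
import struct
import sys

PUBKEY_FIELD = 256        # encryption public key field, fixed size
SIGNING_KEY_FIELD = 128   # signing public key field, fixed size (short keys are padded)
CERT_TYPE_NULL = 0
CERT_TYPE_KEY = 5         # key certificate: declares the signing/crypto key types

# Public signing key size per I2P signature type (bytes). Keys longer than the
# 128-byte field spill their excess bytes into the key certificate.
SIGNING_KEY_SIZES = {0: 128, 1: 64, 2: 96, 3: 132, 4: 256, 5: 384, 6: 512, 7: 32}
CRYPTO_KEY_SIZES = {0: 256, 4: 32}  # ElGamal, X25519
B32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def destination_length(buf: bytes) -> int:
    """Length of the Destination at the start of buf, after validating its certificate.

    Layout: 256-byte public key, 128-byte signing public key, then a
    Certificate of 1-byte type, 2-byte big-endian length and payload.
    """
    hdr = PUBKEY_FIELD + SIGNING_KEY_FIELD
    if len(buf) < hdr + 3:
        raise ValueError("buffer too short for a Destination")
    cert_type = buf[hdr]
    (cert_len,) = struct.unpack(">H", buf[hdr + 1:hdr + 3])
    total = hdr + 3 + cert_len
    if len(buf) < total:
        raise ValueError("certificate runs past the end of the buffer")
    if cert_type == CERT_TYPE_KEY:
        if cert_len < 4:
            raise ValueError("key certificate payload too short")
        sig_type, crypto_type = struct.unpack(">HH", buf[hdr + 3:hdr + 7])
        if sig_type not in SIGNING_KEY_SIZES or crypto_type not in CRYPTO_KEY_SIZES:
            raise ValueError(f"unknown key types sig={sig_type} crypto={crypto_type}")
        excess = max(SIGNING_KEY_SIZES[sig_type] - SIGNING_KEY_FIELD, 0) \
            + max(CRYPTO_KEY_SIZES[crypto_type] - PUBKEY_FIELD, 0)
        if cert_len != 4 + excess:
            raise ValueError("certificate length does not match the declared key types")
    elif cert_type == CERT_TYPE_NULL and cert_len != 0:
        raise ValueError("NULL certificate must be empty")
    return total


def b32_address(destination: bytes) -> str:
    """SHA-256 over the whole Destination, RFC 4648 base32, lowercase, no padding."""
    digest = hashlib.sha256(destination).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower() + ".b32.i2p"


def address_from_keyfile(data: bytes) -> str:
    """Only the public Destination feeds the hash; the private keys after it do not."""
    return b32_address(data[:destination_length(data)])


def keyfile_is_wellformed(data: bytes) -> bool:
    try:
        destination_length(data)
        return True
    except ValueError:
        return False


def constructed_keyfile(sig_type: int = 7, crypto_type: int = 0, cert_len: int = 4) -> bytes:
    """Synthetic keys file (constructed for this example, not real key material):
    deterministic filler for the public keys, a key certificate, then stand-in
    private-key bytes in the position where i2pd appends the private keys."""
    pubkey = bytes(range(256))
    signing_pub = b"\x00" * 96 + b"\x11" * 32  # 32-byte Ed25519 key after 96 bytes of padding
    cert = bytes([CERT_TYPE_KEY]) + struct.pack(">H", cert_len) \
        + struct.pack(">HH", sig_type, crypto_type) + b"\x00" * max(cert_len - 4, 0)
    private_tail = b"\xaa" * 256 + b"\xbb" * 64
    return pubkey + signing_pub + cert + private_tail


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_keyfile()
    print(address_from_keyfile(data))
```

Run it as `python3 b32addr.py /var/lib/i2pd/akkoma.dat` (path as an example; use wherever your i2pd stores the keys file) and compare the output with what the console shows: the two must agree, because the console is computing the same hash over the same bytes.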
I2P-only Instance
If creating an I2P-only instance, open config/prod.secret.exs
and under "config :pleroma, Pleroma.Web.Endpoint," edit "https" and "port: 443" to the following:
url: [host: "i2paddress", scheme: "http", port: 80],
In addition to that, replace the existing nginx config's contents with the example below.
Existing Instance (Clearnet Instance)
If not an I2P-only instance, add the nginx config below to your existing config at /etc/nginx/sites-enabled/akkoma.nginx.
In both cases, disable Akkoma's own security headers in its config (`http_security`, which covers CSP and the related headers; STS is disabled by default) so that you can define them yourself in nginx, separately for the I2P host and, if you have one, the clearnet host. The nginx config below sets them for the I2P host; it deliberately sends no Strict-Transport-Security, since the I2P side is plain HTTP, and it carries no Content-Security-Policy, so add one there if you want one on the I2P host.
Copy the following into config/prod.secret.exs in your Akkoma folder (/home/akkoma/akkoma/):

```elixir
config :pleroma, :http_security,
  enabled: false
```
Use this as the nginx config:

```nginx
proxy_cache_path /tmp/akkoma-media-cache levels=1:2 keys_zone=akkoma_media_cache:10m max_size=10g inactive=720m use_temp_path=off;
# The above already exists in a clearnet instance's config.
# If not, add it.

server {
    listen 127.0.0.1:14447;
    server_name youri2paddress;

    # Comment to enable logs
    access_log /dev/null;
    error_log /dev/null;

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;

    client_max_body_size 16m;

    location / {
        add_header X-XSS-Protection "0";
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header Referrer-Policy same-origin;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        proxy_pass http://localhost:4000;

        client_max_body_size 16m;
    }

    location /proxy {
        proxy_cache akkoma_media_cache;
        proxy_cache_lock on;
        proxy_ignore_client_abort on;
        proxy_pass http://localhost:4000;
    }
}
```
Test the config and reload nginx:

```sh
nginx -t && systemctl reload nginx.service
```
You should now be able to both access your instance using I2P and federate with other I2P instances!
Possible Issues
Will be added when encountered.
[1] I2PD tools: print information about a router info file or an I2P private key, generate an I2P private key, and generate vanity addresses.