Laurelai Bailey @Laurelai

OK, here's a guide on how to run your mastodon instance over cleartext and over TOR.


Hey @Gargron here's that tor guide for mastodon

@Laurelai Eww, that leaves you having to accept a broken SSL cert though :p

@Sir_Boops it's the same cert as the cleartext site; all it's for is encrypting the connection.

@Sir_Boops Because nobody will sign a .onion domain cert 🙃

@Sir_Boops Yeah special cases like them get them, but not us folks :p

@Sir_Boops $95.00 USD who has that kind of money lmao

@Sir_Boops letsencrypt just needs to pull its head out of its ass

@Laurelai The .onion itself is the encryption for the .onion site :p

@Sir_Boops not without https everywhere. TOR is not encryption, it's anonymity

@Laurelai When talking with clearnet sites, yes, you are correct. .onions are e2e encrypted on their own, making a .onion with SSL pointless ->

@Sir_Boops if you want you can always make a separate mastodon-tor.conf without the certificate links, but I'm sure you already know that :p

@Laurelai Masto won't play nice with that :p Your guide as it is now is as good as masto can handle tor without starting to compile custom versions of nginx/edit masto itself; even then it still doesn't like to play nice with tor XD

@Sir_Boops @Laurelai Yeah there's no need to involve certificate authorities at all in .onion addresses. It's unnecessary... DNS + SSL CAs separate the name from the key, but that's not the case for .onion names, where the name *is* the key.

Now if you want to trust that the site is an entity you know in particular, that's where petnames + edge names should come in:

@Sir_Boops @Laurelai So yeah connection to a .onion address should already be a secure connection... it should be encrypted between you and that entity, afaiu

@Laurelai thanks for the guide!

because of using an onionv3 hidden service I also had to add to nginx.conf, in the http section:

server_names_hash_bucket_size 128;

otherwise it wouldn't start with the longer server name
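As an added illustration of where that directive goes (this is example config written for this page, not the poster's or Mastodon's own nginx.conf), the fragment below shows the `http` context with `server_names_hash_bucket_size 128;` and a server block for a v3 onion name. The onion address is a constructed placeholder: a real v3 address is 56 base32 characters plus `.onion` (62 characters total), which is longer than nginx's default bucket size on most CPUs (32 or 64 bytes, chosen from the cache line size), so nginx refuses to start with "could not build server_names_hash, you should increase server_names_hash_bucket_size" until the bucket is enlarged. The upstream socket path is also an assumption; substitute your own.

```nginx
# nginx.conf (example fragment, not from the original post)

http {
    # v3 .onion hostnames are 62 characters long; the default bucket size
    # (32 or 64 depending on CPU cache line) is too small, so raise it here,
    # in the http context, not inside a server block.
    server_names_hash_bucket_size 128;

    # Hidden-service vhost. The hostname below is a constructed placeholder
    # with the right length; replace it with the one from your
    # HiddenServiceDir/hostname file.
    server {
        listen 80;
        server_name aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.onion;

        root /home/mastodon/live/public;

        location / {
            try_files $uri @proxy;
        }

        location @proxy {
            # Assumed upstream: Mastodon's puma listening on 127.0.0.1:3000.
            proxy_pass http://127.0.0.1:3000;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto http;
        }
    }
}
```

Check the result with `nginx -t` before reloading; if the bucket size is still too small for the longest `server_name` in any vhost, the test fails with the message quoted above rather than at reload time.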