Mastodon on a Pi via Tor
Based on the official Mastodon instructions, but more paranoid, set up on a Raspberry Pi, and made to work over Tor without SSL. This runbook will get you to a working instance; some work remains for this runbook:
- systemd scripts, so you don't have to restart the Mastodon processes manually after rebooting the Pi;
- Torify all outgoing connections for additional privacy for your instance;
- an SD card image (a la mynode) for those who don't have time to learn Linux system administration.
Known bugs:
- Following external clearnet users seems to be broken. No errors when trying to follow, yet the number "Followed" on the profile does not change. For one of the users I'm getting the following warning in the sidekiq service (this seems to be the only error or warning on the backend):
2021-02-06T16:25:51.361Z pid=9301 tid=3r35 WARN: {"context":"Job raised exception","job":{"retry":16,"queue":"push","dead":false,"class":"ActivityPub::DeliveryWorker","args":["{\"@context\":\"https://www.w3.org/ns/activitystreams\",\"id\":\"http://3vih3yegheqftg4pavy3v3vhf734zevwi3qbragl3uuc26cre7hk5hyd.onion/456fd875-c446-4990-949f-114c74165609\",\"type\":\"Follow\",\"actor\":\"http://3vih3yegheqftg4pavy3v3vhf734zevwi3qbragl3uuc26cre7hk5hyd.onion/users/admin4\",\"object\":\"https://x0f.org/users/orionwl\"}",4,"https://x0f.org/users/orionwl/inbox"],"jid":"e3e4f111f4763a56c3d126d3","created_at":1612627346.7334015,"enqueued_at":1612628750.4727335,"error_message":"https://x0f.org/users/orionwl/inbox returned code 401","error_class":"Mastodon::UnexpectedResponseError","failed_at":1612627347.4861543,"retry_count":5,"retried_at":1612627942.162155},"jobstr":"{\"retry\":16,\"queue\":\"push\",\"dead\":false,\"class\":\"ActivityPub::DeliveryWorker\",\"args\":[\"{\\\"@context\\\":\\\"https://www.w3.org/ns/activitystreams\\\",\\\"id\\\":\\\"http://3vih3yegheqftg4pavy3v3vhf734zevwi3qbragl3uuc26cre7hk5hyd.onion/456fd875-c446-4990-949f-114c74165609\\\",\\\"type\\\":\\\"Follow\\\",\\\"actor\\\":\\\"http://3vih3yegheqftg4pavy3v3vhf734zevwi3qbragl3uuc26cre7hk5hyd.onion/users/admin4\\\",\\\"object\\\":\\\"https://x0f.org/users/orionwl\\\"}\",4,\"https://x0f.org/users/orionwl/inbox\"],\"jid\":\"e3e4f111f4763a56c3d126d3\",\"created_at\":1612627346.7334015,\"enqueued_at\":1612628750.4727335,\"error_message\":\"https://x0f.org/users/orionwl/inbox returned code 401\",\"error_class\":\"Mastodon::UnexpectedResponseError\",\"failed_at\":1612627347.4861543,\"retry_count\":5,\"retried_at\":1612627942.162155}"}
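To triage records like the one above without reading raw JSON, here is an added example (not the author's code; names such as parse_delivery_failures are mine) that parses sidekiq's `WARN: {json}` lines, unwraps the activity that ActivityPub::DeliveryWorker was trying to deliver (args[0] is itself a JSON string, args[2] the target inbox) and tallies failures by the HTTP status the remote inbox returned. The log text in the block is constructed to match the quoted format, with placeholder hosts.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample in the sidekiq log format quoted above (not the author's
# real log): one delivery failure with a 401, one unrelated INFO line and one
# failure with a 500. Host names are placeholders.
SAMPLE_SIDEKIQ_LOG = r'''2021-02-06T16:25:51.361Z pid=9301 tid=3r35 WARN: {"context":"Job raised exception","job":{"retry":16,"queue":"push","dead":false,"class":"ActivityPub::DeliveryWorker","args":["{\"@context\":\"https://www.w3.org/ns/activitystreams\",\"id\":\"http://EXAMPLE.onion/1\",\"type\":\"Follow\",\"actor\":\"http://EXAMPLE.onion/users/admin\",\"object\":\"https://remote.example/users/alice\"}",4,"https://remote.example/users/alice/inbox"],"error_message":"https://remote.example/users/alice/inbox returned code 401","error_class":"Mastodon::UnexpectedResponseError","retry_count":5}}
2021-02-06T16:26:02.001Z pid=9301 tid=3r35 INFO: Booting Sidekiq
2021-02-06T16:26:03.500Z pid=9301 tid=3r36 WARN: {"context":"Job raised exception","job":{"retry":16,"queue":"push","dead":false,"class":"ActivityPub::DeliveryWorker","args":["{\"type\":\"Create\",\"actor\":\"http://EXAMPLE.onion/users/admin\"}",4,"https://other.example/inbox"],"error_message":"https://other.example/inbox returned code 500","error_class":"Mastodon::UnexpectedResponseError","retry_count":2}}
'''

# sidekiq line layout: "<timestamp> pid=<n> tid=<id> <LEVEL>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) tid=(?P<tid>\S+) (?P<level>[A-Z]+): (?P<msg>.*)$")
STATUS_RE = re.compile(r"returned code (\d{3})")


def parse_delivery_failures(log_text: str) -> List[Dict[str, Optional[object]]]:
    """Return one record per ActivityPub::DeliveryWorker 'Job raised exception' line."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["level"] != "WARN" or not m["msg"].startswith("{"):
            continue
        try:
            payload = json.loads(m["msg"])
        except json.JSONDecodeError:
            continue  # WARN line that is not a structured job record
        if payload.get("context") != "Job raised exception":
            continue
        job = payload.get("job") or {}
        if job.get("class") != "ActivityPub::DeliveryWorker":
            continue
        args = job.get("args") or []
        activity = {}
        if args and isinstance(args[0], str):
            try:
                activity = json.loads(args[0])  # the serialised activity
            except json.JSONDecodeError:
                activity = {}
        status = STATUS_RE.search(job.get("error_message", ""))
        failures.append({
            "time": m["ts"],
            "activity_type": activity.get("type"),
            "actor": activity.get("actor"),
            "object": activity.get("object"),
            "inbox": args[2] if len(args) > 2 else None,
            "http_status": int(status.group(1)) if status else None,
            "error_class": job.get("error_class"),
            "retry_count": job.get("retry_count"),
        })
    return failures


def failures_by_status(failures: List[Dict[str, Optional[object]]]) -> Dict[Optional[int], int]:
    """Count failures per remote HTTP status.

    401/403 mean the remote inbox rejected the request (for Mastodon, typically an
    HTTP signature it could not verify); 5xx means the remote side errored; None
    means the job failed before any response code was seen.
    """
    counts: Dict[Optional[int], int] = {}
    for f in failures:
        counts[f["http_status"]] = counts.get(f["http_status"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_delivery_failures(SAMPLE_SIDEKIQ_LOG)
    for r in rows:
        print(r["time"], r["activity_type"], "->", r["inbox"], "HTTP", r["http_status"], "retries", r["retry_count"])
    print(failures_by_status(rows))
```

Feed it the real sidekiq output (for example `journalctl` or the Screen window's scrollback saved to a file) and a cluster of 401s against many different inboxes points at the sending side, while a 5xx from one inbox points at that remote.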
Community announcement https://bitcoinhackers.org/web/statuses/105606424919493898
Updates:
- Feb 2021: Start9 EMBASSY now offers Mastodon in their app store: https://start9labs.medium.com/new-service-mastodon-9af10df5615
- A Mastodon update allows running HTTP over Tor (I haven't tested this, yet it looks promising): mastodon/mastodon#15666
- 1. Get hardware
- 2. Install operating system and check temperature
- 3. Setup 64-bit capability
- 4. Get a Tor .onion address
- 5. Install Mastodon dependencies inside schroot
- 6. Build node.js and yarn
- 7. Install Ruby and Bundler
- 8. Install PostgreSQL
- 9. Install Redis
- 10. Setup Mastodon
- 11. Setup Nginx
- 12. Remove HTTPS from Mastodon
1. Get hardware
Total 91 USD as of 2021-01-19
- Pi 4 kit (2GB RAM, heat sinks, power supply): CanaKit Raspberry Pi 4 Basic Kit 2GB RAM
- FLIRC Passive cooling case Flirc Raspberry Pi 4 Case
- Micro SD card 32G (for operating system) SanDisk-Extreme-microSD-UHS-I-Adapter
- Card Reader (for 1 time setup) Transcend-microSDHC-Reader-TS-RDF5K-Black
If you want a RAID mirror for data protection, follow https://github.com/alevchuk/minibank/blob/first/README.md#hardware
2. Install operating system and check temperature
External links to the minibank wiki:
- Operating System
- First time login
- Heat
- Network
- Convenience Stuff - to make it comfortable
3. Setup 64-bit capability
For Mastodon to work you'll need 64-bit dependency binaries, so let's set up a 64-bit kernel and a schroot (if you want to know what this does, read https://medium.com/for-linux-users/how-to-make-your-raspberry-pi-4-faster-with-a-64-bit-kernel-77028c47d653):
- Update the kernel and enable 64-bit mode:
First check whether this step is already done; run:
uname -a # if you see "aarch64 GNU/Linux" this step is done: skip it and go to installing debootstrap
Run:
sudo rpi-update # there will be interactive prompt, press "y" to proceed
Reboot #1:
sudo reboot
Edit kernel parameters (use vi or if unfamiliar, use nano):
sudo vi /boot/config.txt
In the [pi4] section add:
arm_64bit=1
Reboot #2:
sudo reboot
Check:
uname -a # you should see "aarch64 GNU/Linux" at the end of the line
- Install debootstrap and schroot
sudo apt install -y debootstrap schroot
- Create mastodon user:
sudo adduser --disabled-password mastodon # when prompted press and hold Enter
- From the "admin" account (the one that has sudo) run:
sudo mkdir /mnt/mastodon
sudo chown -R mastodon /mnt/mastodon
cat << EOF | sudo tee /etc/schroot/chroot.d/mastodon64
[mastodon64]
description=builds that need 64-bit environment
type=directory
directory=/mnt/mastodon/pi64
users=mastodon
root-groups=root
profile=desktop
personality=linux
preserve-environment=true
EOF
sudo debootstrap --arch arm64 buster /mnt/mastodon/pi64
sudo schroot -c mastodon64 -- apt update
sudo schroot -c mastodon64 -- apt upgrade -y
sudo mkdir -p /mnt/mastodon/pi64/mnt/mastodon
sudo mkdir /mnt/mastodon/pi64/mnt/mastodon/src
sudo mkdir /mnt/mastodon/pi64/mnt/mastodon/gocode
sudo mkdir /mnt/mastodon/pi64/mnt/mastodon/bin
sudo mkdir /mnt/mastodon/pi64/mnt/mastodon/live
sudo chown -R mastodon /mnt/mastodon/pi64/mnt/mastodon
4. Get a Tor .onion address
- Install Tor:
sudo apt install -y tor
- Edit /etc/tor/torrc (use vi if familiar, otherwise nano):
sudo vi /etc/tor/torrc
- at the end of the file add:
HiddenServiceDir /var/lib/tor/hidden_service_tmp/
HiddenServicePort 80 127.0.0.1:80
- Run the following; you can run it multiple times, until you see an address that you like:
sudo rm -rf /var/lib/tor/hidden_service_tmp/ && sudo service tor restart && sleep 4 && sudo cat /var/lib/tor/hidden_service_tmp/hostname
Other options:
- simple automation to look for onion addresses containing words of 4 or more letters
- various tools to generate pretty .onion addresses; here you're taking on a larger security risk because you're running extra software that you technically don't need
- Persist
sudo mv /var/lib/tor/hidden_service_tmp /var/lib/tor/hidden_service_mastodon
- Change tor config to use the persisted version:
sudo vi /etc/tor/torrc
- at the end of the file change:
HiddenServiceDir /var/lib/tor/hidden_service_tmp/
- to:
HiddenServiceDir /var/lib/tor/hidden_service_mastodon/
- Restart Tor and print your new hostname
sudo service tor restart
sudo service tor status # check that it's running
sudo cat /var/lib/tor/hidden_service_mastodon/hostname # print your .onion address
5. Install Mastodon dependencies inside schroot
- From the "admin" account run:
sudo schroot -c mastodon64 -- apt install -y imagemagick ffmpeg libpq-dev libxml2-dev libxslt1-dev file git \
g++ libprotobuf-dev protobuf-compiler pkg-config gcc autoconf \
bison build-essential libssl-dev libyaml-dev libreadline6-dev \
zlib1g-dev libncurses5-dev libffi-dev libgdbm-dev \
redis-tools \
certbot python-certbot-nginx yarn libidn11-dev libicu-dev libjemalloc-dev \
python3.7 python3-distutils \
curl
- Setup symlinks
sudo su -l mastodon
schroot -c mastodon64
ln -s /mnt/mastodon/src ~/src
ln -s /mnt/mastodon/gocode ~/gocode
ln -s /mnt/mastodon/bin ~/bin
ln -s /mnt/mastodon/live ~/live
- Set up convenience
We already did the convenience setup in the admin account (host operating system); now do the same inside the schroot:
sudo schroot -c mastodon64
and go through "Convenience Stuff - to make it comfortable" inside the schroot. Yet:
- Skip "Name your Pi" and "Timezone"
- Don't include sudo in the commands
6. Build node.js and yarn
- Prerequisite: you need to be logged in as "mastodon" and then go into the schroot:
sudo su -l mastodon
schroot -c mastodon64
- Build node.js (includes NPM)
git clone https://github.com/nodejs/node.git ~/src/node
cd ~/src/node
git fetch
git checkout $(git tag | grep v12 | sort -V | grep -v rc | tail -n1) # latest minor version of 12
./configure --prefix $HOME/bin
make # negative (-): this will take all day; positive (+): building from source has transparency advantages
make install
- Add the following to ~/.profile:
export PATH=$HOME/bin/bin:$PATH
Load ~/.profile:
. ~/.profile
- Install Yarn:
npm install -g yarn
7. Install Ruby and Bundler
- Install rbenv and ruby-build:
git clone https://github.com/rbenv/rbenv.git ~/.rbenv
cd ~/.rbenv && src/configure && make -C src
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.profile
echo 'eval "$(rbenv init -)"' >> ~/.profile
. ~/.profile
git clone https://github.com/rbenv/ruby-build.git ~/.rbenv/plugins/ruby-build
- Install ruby
RUBY_CONFIGURE_OPTS=--with-jemalloc rbenv install 2.7.2
rbenv global 2.7.2
- Install bundler
gem install bundler --no-document
- Exit out of schroot:
exit # or press Ctrl-d
- Return to admin user:
exit # or press Ctrl-d
8. Install PostgreSQL
- On the "admin" account (not inside schroot), install the default PostgreSQL version 11:
sudo apt install -y postgresql postgresql-contrib
- Get PGTune parameters for your RAM / cores: https://pgtune.leopard.in.ua/#/
- put PG version 11
- 2 GB RAM (if you bought what's linked above)
- 4 CPU cores (if you bought what's linked above)
- Add the tune parameters at the end of:
sudo vi /etc/postgresql/11/main/postgresql.conf
- Restart PostgreSQL:
sudo systemctl restart postgresql
- Generate a random DB_PASSWORD:
openssl rand -base64 32 | sed 's/+//g' | tr '[A-Z]' '[a-z]' | tr -cd '[0-9a-z\n]'
- Add the DB user:
sudo -u postgres psql
and when prompted, paste the following line by line:
- replace DB_PASSWORD with the password you generated in step 5 (the random DB_PASSWORD above)
CREATE USER mastodon CREATEDB;
ALTER USER mastodon PASSWORD 'DB_PASSWORD';
\q
9. Install Redis
- On the "admin" account (not inside schroot), install the default system Redis:
sudo apt install -y redis-server
10. Setup Mastodon
- Prerequisite: you need to be logged in as "mastodon" and then go into the schroot:
sudo su -l mastodon
schroot -c mastodon64
- Get Mastodon source code:
git clone https://github.com/tootsuite/mastodon.git ~/live
cd ~/live
git fetch
git checkout $(git tag | grep v3.3 | sort -V | tail -n1) # latest minor version of v3.3
- Install Ruby and JavaScript dependencies
cd ~/live
bundle config deployment 'true'
bundle config without 'development test'
bundle install -j$(getconf _NPROCESSORS_ONLN)
yarn install --pure-lockfile
- Run the setup wizard
- this will take a long time and interactively ask questions
RAILS_ENV=production bundle exec rake mastodon:setup # if you are re-running this command AND want to destroy the current data and create an empty database, add DISABLE_DATABASE_ENVIRONMENT_CHECK=1
- Domain name: put your onion address from earlier step
- Single user mode: No
- Docker: No
- PostgreSQL host: localhost
- Port: Enter (uses the default)
- Name of PostgreSQL database: press Enter
- Name of PostgreSQL user: press Enter
- Password of PostgreSQL user: DB_PASSWORD from the earlier step (the password does not echo back, so just paste it and press Enter)
- Redis host: press Enter
- Redis port: 6379
- Redis password: press Enter
- Do you want to store uploaded files on the cloud?: press Enter
- Do you want to send e-mails from localhost? press Enter
- press Enter for many email related questions
- Send a test e-mail with this configuration right now? no
- press Enter for the rest of the questions
- Write down your admin e-mail and password. It's OK if you lose them; they're easy to re-create like this:
sudo su -l mastodon
schroot -c mastodon64
cd ~/live
RAILS_ENV=production ./bin/tootctl accounts create admin2 --role admin --email admin2@mast.com
- Update the Mastodon config:
vi ~/.env.production
At the top add:
HTTPS_KEY=off
SERVER_PROTOCOL=http
PORT=3001
BIND=127.0.0.1
LOCAL_DOMAIN=ONION_SITE_GOES_HERE
STREAMING_API_BASE_URL=http://ONION_SITE_GOES_HERE
CDN_HOST=http://ONION_SITE_GOES_HERE
- replace ONION_SITE_GOES_HERE with the onion address you generated earlier (e.g. a1b2c3.onion)
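Two checks for the Tor-address step above and for the .env.production values just listed, added here as an example and not part of the runbook (names such as validate_onion_v3 and check_env_production are mine): the first recomputes the checksum that a v3 .onion hostname carries (per Tor's v3 onion-service spec, the two leading bytes of SHA3-256(".onion checksum" || public key || 0x03)), so a mistyped or truncated address is caught before it is baked into LOCAL_DOMAIN; the second parses the env file and confirms that LOCAL_DOMAIN, STREAMING_API_BASE_URL and CDN_HOST agree and use http, and that BIND is loopback.

```python
import base64
import binascii
import hashlib
from typing import Dict, List, Tuple

ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def _v3_checksum(pubkey: bytes) -> bytes:
    # Tor rend-spec-v3: CHECKSUM = H(".onion checksum" || PUBKEY || VERSION)[:2], H = SHA3-256
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def onion_from_pubkey(pubkey: bytes) -> str:
    """Derive the v3 hostname from a 32-byte Ed25519 public key (same construction tor uses for the hostname file)."""
    if len(pubkey) != 32:
        raise ValueError("a v3 onion service public key is 32 bytes")
    raw = pubkey + _v3_checksum(pubkey) + ONION_V3_VERSION  # 35 bytes -> 56 base32 chars, no padding
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def validate_onion_v3(hostname: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a hostname copied from /var/lib/tor/<dir>/hostname."""
    name = hostname.strip().lower()
    if not name.endswith(".onion"):
        return False, "missing .onion suffix"
    label = name[: -len(".onion")]
    if len(label) == 16:
        return False, "v2 address (16 chars): deprecated, not what current tor generates"
    if len(label) != 56:
        return False, "label is %d chars, a v3 address has 56" % len(label)
    try:
        raw = base64.b32decode(label.upper())
    except binascii.Error:
        return False, "not valid base32 (stray character?)"
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        return False, "version byte %s, expected 03" % version.hex()
    if checksum != _v3_checksum(pubkey):
        return False, "checksum mismatch: a character was mistyped or dropped"
    return True, "ok"


def parse_env(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE parser for .env.production (comments and blank lines ignored)."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def check_env_production(text: str) -> List[str]:
    """Return a list of problems; an empty list means the HTTP-over-Tor settings are consistent."""
    env = parse_env(text)
    problems = []
    domain = env.get("LOCAL_DOMAIN", "")
    ok, reason = validate_onion_v3(domain)
    if not ok:
        problems.append("LOCAL_DOMAIN: " + reason)
    if env.get("SERVER_PROTOCOL") != "http":
        problems.append("SERVER_PROTOCOL should be http for a plain-HTTP onion service")
    for key in ("STREAMING_API_BASE_URL", "CDN_HOST"):
        expected = "http://" + domain
        if env.get(key) != expected:
            problems.append("%s should be %s, got %r" % (key, expected, env.get(key)))
    if env.get("BIND", "") not in ("127.0.0.1", "::1"):
        problems.append("BIND should be loopback so only nginx (and through it tor) can reach Puma")
    return problems


if __name__ == "__main__":
    # First host is the one quoted in the sidekiq warning near the top of this runbook; second is constructed.
    for host in ("3vih3yegheqftg4pavy3v3vhf734zevwi3qbragl3uuc26cre7hk5hyd.onion",
                 onion_from_pubkey(bytes(range(32)))):
        print(host, validate_onion_v3(host))
    sample = onion_from_pubkey(bytes(range(32)))  # constructed stand-in for ONION_SITE_GOES_HERE
    env_text = "HTTPS_KEY=off\nSERVER_PROTOCOL=http\nPORT=3001\nBIND=127.0.0.1\n" \
               "LOCAL_DOMAIN=%s\nSTREAMING_API_BASE_URL=http://%s\nCDN_HOST=http://%s\n" % (sample, sample, sample)
    print(check_env_production(env_text) or "env looks consistent")
```

Run it against `cat ~/.env.production` before starting the services; a checksum failure on LOCAL_DOMAIN is the cheapest way to notice that the address pasted from the Tor hostname file lost a character.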
- Start the 3 Mastodon services. Later, we'll set these up as systemd services that get restarted automatically if they crash. At this stage, though, you'll need to learn how to use multiple virtual windows in Screen and run all 3 services in parallel:
# in screen window 1
sudo su -l mastodon
schroot -c mastodon64
cd ~/live
PORT=3001 RAILS_ENV=production bundle exec rails s
# in screen window 2
sudo su -l mastodon
schroot -c mastodon64
cd ~/live
RAILS_ENV=production DB_POOL=25 MALLOC_ARENA_MAX=2 /home/mastodon/.rbenv/shims/bundle exec sidekiq -c 25
# in screen window 3
sudo su -l mastodon
schroot -c mastodon64
cd ~/live
NODE_ENV=production PORT=4000 /home/mastodon/bin/bin/node ./streaming
11. Setup Nginx
- On the "admin" account (not inside schroot), install nginx:
sudo apt install -y nginx
- Create a new config:
sudo vi /etc/nginx/sites-available/mastodon
Paste the following, replacing ONION_SITE_GOES_HERE with your .onion address generated at an earlier step (e.g. a1b2c3.onion):
upstream backend {
    server 127.0.0.1:3001 fail_timeout=0;
}
upstream streaming {
    server 127.0.0.1:4000 fail_timeout=0;
}
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
server {
    # Loopback only: tor forwards the hidden service to 127.0.0.1:80, and this
    # instance speaks plain HTTP with non-Secure cookies, so it must not be
    # reachable on LAN interfaces.
    listen 127.0.0.1:80;
    server_name ONION_SITE_GOES_HERE;
    keepalive_timeout 70;
    sendfile on;
    client_max_body_size 80m;
    root /mnt/mastodon/pi64/mnt/mastodon/live/public;
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    add_header X-Frame-Options "DENY";
    # connect-src lists ws:// rather than wss://: over plain HTTP the streaming client opens ws://ONION_SITE_GOES_HERE
    add_header Content-Security-Policy "default-src 'none'; script-src 'self'; object-src 'self'; style-src 'self'; img-src 'self' data: blob: http://ONION_SITE_GOES_HERE; media-src 'self' data: http://ONION_SITE_GOES_HERE; frame-src 'none'; font-src 'self' data: http://ONION_SITE_GOES_HERE; frame-ancestors 'self'; form-action 'self'; base-uri 'self'; connect-src 'self' blob: ws://ONION_SITE_GOES_HERE";
    location / {
        try_files $uri @proxy;
    }
    location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
        add_header Cache-Control "public, max-age=31536000, immutable";
        try_files $uri @proxy;
    }
    location /sw.js {
        try_files $uri @proxy;
    }
    location @proxy {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Proxy "";
        proxy_pass_header Server;
        proxy_pass http://backend;
        proxy_buffering on;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        tcp_nodelay on;
    }
    location /api/v1/streaming {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
        proxy_set_header Proxy "";
        proxy_pass http://streaming;
        proxy_buffering off;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        tcp_nodelay on;
    }
    error_page 500 501 502 503 504 /500.html;
    access_log /var/log/nginx/mastodon_access.log;
    error_log /var/log/nginx/mastodon_error.log warn;
}
- Edit the top-level config:
sudo vi /etc/nginx/nginx.conf
Add:
server_names_hash_bucket_size 65;
And comment out all settings that start with "ssl":
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
#ssl_prefer_server_ciphers on;
- Enable config:
sudo ln -s /etc/nginx/sites-available/mastodon /etc/nginx/sites-enabled/mastodon
- Restart nginx:
sudo systemctl restart nginx
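A quick consistency check on the CSP header for an HTTP-only onion, added here as an example and not part of the runbook (names such as parse_csp and own_host_scheme_mismatches are mine). A page served over plain http fetches its own origin over http:// and opens its websocket over ws://, so a source entry naming the same host with https:// or wss:// can never match and silently blocks that resource; the reverse holds on an https site. The nginx excerpt in the block is constructed in the shape of the server block above, with a wss:// entry kept on purpose as the case to catch.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the shape of the server block above (not the author's
# file); only the CSP header matters here, and wss:// is the deliberate mistake.
NGINX_EXCERPT = '''
server {
    listen 127.0.0.1:80;
    server_name ONION_SITE_GOES_HERE;
    add_header X-Frame-Options "DENY";
    add_header Content-Security-Policy "default-src 'none'; script-src 'self'; img-src 'self' data: blob: http://ONION_SITE_GOES_HERE; font-src 'self' data: http://ONION_SITE_GOES_HERE; connect-src 'self' blob: wss://ONION_SITE_GOES_HERE";
}
'''

CSP_HEADER_RE = re.compile(r'add_header\s+Content-Security-Policy\s+"([^"]*)"', re.IGNORECASE)
# scheme://host of a host-source expression ('self', data:, blob: and path-less keywords do not match)
SOURCE_RE = re.compile(r"^([a-z][a-z0-9+.-]*)://([^/:]+)", re.IGNORECASE)


def extract_csp(nginx_conf: str) -> str:
    """Pull the policy string out of the add_header directive."""
    m = CSP_HEADER_RE.search(nginx_conf)
    if not m:
        raise ValueError("no Content-Security-Policy add_header found")
    return m.group(1)


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [source expressions]}; directives are ';'-separated, sources whitespace-separated."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def own_host_scheme_mismatches(directives: Dict[str, List[str]], site_host: str,
                               site_scheme: str = "http") -> List[Tuple[str, str]]:
    """Sources that name the site's own host with a scheme the page cannot use.

    On http the page uses http:// and ws:// for its own origin; on https it uses
    https:// and wss:// (and http:// to itself would be mixed content).
    """
    usable = {"http", "ws"} if site_scheme == "http" else {"https", "wss"}
    findings = []
    for name, sources in directives.items():
        for src in sources:
            m = SOURCE_RE.match(src)
            if m and m.group(2).lower() == site_host.lower() and m.group(1).lower() not in usable:
                findings.append((name, src))
    return findings


if __name__ == "__main__":
    policy = parse_csp(extract_csp(NGINX_EXCERPT))
    for directive, src in own_host_scheme_mismatches(policy, "ONION_SITE_GOES_HERE", "http"):
        print("%s: %s will never match on a plain-http site" % (directive, src))
```

Point extract_csp at the real `/etc/nginx/sites-available/mastodon` and pass the actual .onion hostname as site_host; an empty result means every self-referencing source uses a scheme the browser will actually request.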
12. Remove HTTPS from Mastodon
Tor does not need HTTPS. Moreover, it does damage: signing SSL certificates is costly and centralized (most authorities will not even sign a .onion address). Self-signed certificates generate warnings that are very hard to bypass and get users accustomed to ignoring warnings that are important on the clearnet.
Yet Mastodon is hardcoded to use HTTPS. So let's de-hardcode it.
- Check that everything was installed correctly:
cd ~/live
git log -n1 # should say "commit 444b21b55ff5768e4cbbaf7cfa8285c65a4b54f9 (HEAD, tag: v3.3.0rc3)"
git status # should say "nothing to commit, working tree clean"
sha256sum vendor/bundle/ruby/2.7.0/gems/actionpack-5.2.4.4/lib/action_controller/metal/redirecting.rb
# should say "da60d1e6315e4ef7e88ebb08a30b283cfcea588c0df3f610cd898f6b5fbd7ad9"
sha256sum vendor/bundle/ruby/2.7.0/gems/actionpack-5.2.4.4/lib/action_dispatch/http/url.rb
# should say "cccb04f6a65890672fffc1b7a6fd7f9d55367e7e0bfc55521a2e5f334db7b06d"
- If step 1 does not produce the correct hashes, the following step is probably not going to work. I encourage you to reach out to me on @alevchuk@bitcoinhackers.org, send me the hashes you get, and I'll help you debug.
Copy the following large command (all the way to, and including, "EOF") and run it:
sudo su -l mastodon
schroot -c mastodon64
cd ~/live
patch --ignore-whitespace -p1 << 'EOF'
From cb5188b1c5146eb5cacd6b99a695c006b0fa7381 Mon Sep 17 00:00:00 2001
From: Your Name <alevchuk@example.com>
Date: Sat, 23 Jan 2021 14:21:59 +0000
Subject: [PATCH] HTTP patch
---
app/controllers/accounts_controller.rb | 6 ++++++
app/controllers/api/web/base_controller.rb | 2 +-
app/controllers/application_controller.rb | 2 +-
app/controllers/auth/sessions_controller.rb | 3 +++
app/controllers/settings/sessions_controller.rb | 3 ---
app/models/user.rb | 3 ++-
config/environments/development.rb | 3 +++
config/environments/production.rb | 2 ++
config/initializers/1_hosts.rb | 2 +-
config/initializers/devise.rb | 4 ++--
config/initializers/session_store.rb | 2 +-
config/navigation.rb | 2 +-
.../lib/action_controller/metal/redirecting.rb | 2 +-
.../gems/actionpack-5.2.4.4/lib/action_dispatch/http/url.rb | 2 +-
14 files changed, 25 insertions(+), 13 deletions(-)
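Review bot: the diffstat lists 14 files, including app/controllers/auth/sessions_controller.rb (+3) and app/controllers/settings/sessions_controller.rb (-3), but only 12 `diff --git` sections follow and the expected `patching file` output later on the page also lists 12 files; either drop those two entries from the header or include their hunks, so a reader is not left looking for changes that are not in the patch.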
diff --git a/app/controllers/accounts_controller.rb b/app/controllers/accounts_controller.rb
index b902ada09..4d9c1e2ae 100644
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@@ -1,6 +1,12 @@
# frozen_string_literal: true
class AccountsController < ApplicationController
+ force_ssl if: :ssl_configured?
+
+ def ssl_configured?
+ false
+ end
+
PAGE_SIZE = 20
PAGE_SIZE_MAX = 200
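Review bot: `force_ssl if: :ssl_configured?` together with an `ssl_configured?` that always returns `false` is a no-op, so these six added lines can be dropped; if the intent is to keep a switch, have `ssl_configured?` read an environment variable (for example the `LOCAL_HTTPS` value the original `1_hosts.rb` code consults further down) instead of a literal.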
diff --git a/app/controllers/api/web/base_controller.rb b/app/controllers/api/web/base_controller.rb
index 8da549b3a..6bb80f857 100644
--- a/app/controllers/api/web/base_controller.rb
+++ b/app/controllers/api/web/base_controller.rb
@@ -2,7 +2,7 @@
class Api::Web::BaseController < Api::BaseController
protect_from_forgery with: :exception
-
+
rescue_from ActionController::InvalidAuthenticityToken do
render json: { error: "Can't verify CSRF token authenticity." }, status: 422
end
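Review bot: this hunk changes only whitespace on a blank line in api/web/base_controller.rb and has no effect on behaviour; drop it to keep the patch minimal and avoid a needless conflict on the next upgrade.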
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 44616d6e5..38865c16b 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -43,7 +43,7 @@ class ApplicationController < ActionController::Base
private
def https_enabled?
- Rails.env.production? && !request.path.start_with?('/health')
+ false
end
def authorized_fetch_mode?
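Review bot: returning a literal `false` from `https_enabled?` is the right lever, but the removed expression also exempted `/health`; with `false` that special case is gone, which is fine for an onion-only instance but deserves a one-line comment saying HTTPS is deliberately never enabled here, so the next person diffing against upstream does not restore it.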
diff --git a/app/models/user.rb b/app/models/user.rb
index b4508c2eb..621e73931 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -131,7 +131,8 @@ class User < ApplicationRecord
attr_writer :external, :bypass_invite_request_check
def confirmed?
- confirmed_at.present?
+ # No email confirmations on Tor, need lighting to make spam uneconomical
+ true
end
def invited?
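Review bot: making `confirmed?` return `true` unconditionally means `confirmed_at` is never consulted, so every registered account counts as confirmed from the moment it is created, including accounts an admin has deliberately not approved; if the goal is only to avoid sending confirmation e-mail over Tor, a narrower change (setting `confirmed_at` at creation, or closing or approval-gating registrations in the admin settings) keeps the admin's ability to hold an account. Also, the comment reads `lighting`; it presumably means `lightning`.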
diff --git a/config/environments/development.rb b/config/environments/development.rb
index 0791b82ab..8f3ecc73d 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -1,6 +1,9 @@
Rails.application.configure do
# Settings specified here will take precedence over those in config/application.rb.
+ config.force_ssl = false
+ config.x.use_https = false
+
# In the development environment your application's code is reloaded on
# every request. This slows down response time but is perfect for development
# since you don't have to restart the web server when you make code changes.
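Review bot: development.rb is not used by the instance this runbook starts (every command sets `RAILS_ENV=production`), so this hunk has no effect here; keep it only if you also run a development server over Tor, otherwise drop it to shrink the patch.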
diff --git a/config/environments/production.rb b/config/environments/production.rb
index aaad2449f..2e4eacfa0 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -1,5 +1,7 @@
Rails.application.configure do
# Settings specified here will take precedence over those in config/application.rb.
+ config.force_ssl = false
+ config.x.use_https = false
# Code is not reloaded between requests.
config.cache_classes = true
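Review bot: the two settings are inserted directly under the `Settings specified here` comment with no blank line before `# Code is not reloaded between requests.`, unlike the development.rb hunk; add the blank line for consistency, and one comment line explaining why both `force_ssl` and `x.use_https` are forced off (the onion transport supplies the encryption) would help the next reader.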
diff --git a/config/initializers/1_hosts.rb b/config/initializers/1_hosts.rb
index 757f1f735..159295095 100644
--- a/config/initializers/1_hosts.rb
+++ b/config/initializers/1_hosts.rb
@@ -7,7 +7,7 @@ web_host = ENV.fetch('WEB_DOMAIN') { host }
alternate_domains = ENV.fetch('ALTERNATE_DOMAINS') { '' }
Rails.application.configure do
- https = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'
+ https = false
config.x.local_domain = host
config.x.web_domain = web_host
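Review bot: the removed line honoured `ENV['LOCAL_HTTPS']`; the literal `false` removes the only environment-driven switch. `https = ENV['LOCAL_HTTPS'] == 'true'` keeps http as the default while leaving the switch usable, and it already removes the `Rails.env.production?` default that was the actual problem.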
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index ef612e177..2c6258c71 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -9,7 +9,7 @@ Warden::Manager.after_set_user except: :fetch do |user, warden|
value: session_id,
expires: 1.year.from_now,
httponly: true,
- secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
+ secure: false,
same_site: :lax,
}
end
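Review bot: with `secure: false` the only protections left on the session cookie are the `httponly: true` and `same_site: :lax` visible in the context lines; that is acceptable only because the cookie travels inside the onion circuit, so the nginx `listen` for this site should be restricted to 127.0.0.1, otherwise the same cookie is sent in clear on any LAN interface. The same `secure:` expression is replaced identically here, in the next hunk and in session_store.rb; the `ENV['LOCAL_HTTPS'] == 'true'` form suggested for 1_hosts.rb would fit all three.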
@@ -20,7 +20,7 @@ Warden::Manager.after_fetch do |user, warden|
value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'],
expires: 1.year.from_now,
httponly: true,
- secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
+ secure: false,
same_site: :lax,
}
else
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index e5d1be4c6..4c30b7851 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -2,6 +2,6 @@
Rails.application.config.session_store :cookie_store, {
key: '_mastodon_session',
- secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
+ secure: false,
same_site: :lax,
}
diff --git a/config/navigation.rb b/config/navigation.rb
index 4a56abe18..16c8b3029 100644
--- a/config/navigation.rb
+++ b/config/navigation.rb
@@ -54,6 +54,6 @@ SimpleNavigation::Configuration.run do |navigation|
s.item :pghero, safe_join([fa_icon('database fw'), 'PgHero']), pghero_url, link_html: { target: 'pghero' }, if: -> { current_user.admin? }
end
- n.item :logout, safe_join([fa_icon('sign-out fw'), t('auth.logout')]), destroy_user_session_url, link_html: { 'data-method' => 'delete' }
+ n.item :logout, safe_join([fa_icon('sign-out fw'), t('auth.logout')]), destroy_user_session_url(protocol: 'http'), link_html: { 'data-method' => 'delete' }
end
end
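Review bot: only `destroy_user_session_url` gets an explicit `protocol: 'http'`; if the `https = false` change in 1_hosts.rb already sets the default URL protocol, this override is redundant, and if it does not, every other `_url` helper in the app still emits https links and this hunk fixes just one of them. Check which case applies and either drop this hunk or fix the default instead.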
diff --git a/vendor/bundle/ruby/2.7.0/gems/actionpack-5.2.4.4/lib/action_controller/metal/redirecting.rb b/vendor/bundle/ruby/2.7.0/gems/actionpack-5.2.4.4/lib/action_controller/metal/redirecting.rb
index 2804a06a5..3b0048cd7 100644
--- a/vendor/bundle/ruby/2.7.0/gems/actionpack-5.2.4.4/lib/action_controller/metal/redirecting.rb
+++ b/vendor/bundle/ruby/2.7.0/gems/actionpack-5.2.4.4/lib/action_controller/metal/redirecting.rb
@@ -103,7 +103,7 @@ module ActionController
when /\A([a-z][a-z\d\-+\.]*:|\/\/).*/i
options
when String
- request.protocol + request.host_with_port + options
+ "http://" + request.host_with_port + options
when Proc
_compute_redirect_to_location request, instance_eval(&options)
else
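Review bot: edits under vendor/bundle/ are overwritten by the next `bundle install` and silently disappear on a Mastodon upgrade, which is why the runbook has to pin gem file hashes above. Hard-coding `"http://"` here also changes every `redirect_to` with a path string; if the request protocol is already reported as http, the original `request.protocol + request.host_with_port + options` needs no change, so verify that before keeping a vendored edit.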
diff --git a/vendor/bundle/ruby/2.7.0/gems/actionpack-5.2.4.4/lib/action_dispatch/http/url.rb b/vendor/bundle/ruby/2.7.0/gems/actionpack-5.2.4.4/lib/action_dispatch/http/url.rb
index 35ba44005..9e76a4ac5 100644
--- a/vendor/bundle/ruby/2.7.0/gems/actionpack-5.2.4.4/lib/action_dispatch/http/url.rb
+++ b/vendor/bundle/ruby/2.7.0/gems/actionpack-5.2.4.4/lib/action_dispatch/http/url.rb
@@ -205,7 +205,7 @@ module ActionDispatch
# req = ActionDispatch::Request.new 'HTTP_HOST' => 'example.com', 'HTTPS' => 'on'
# req.protocol # => "https://"
def protocol
- @protocol ||= ssl? ? "https://" : "http://"
+ @protocol ||= "http://"
end
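Review bot: the removed line already returns `"http://"` whenever `ssl?` is false, and `ssl?` follows the scheme the proxy reports; the nginx config in this runbook proxies plain HTTP and sets `X-Forwarded-Proto http` on the streaming location only, so confirm that `ssl?` is actually true on web requests before keeping this vendored edit, which is lost on the next `bundle install` and is what forces the sha256 pinning above. If it is needed, set the header on the `@proxy` location as well so both paths agree.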
# Returns the \host and port for this request, such as "example.com:8080".
--
2.20.1
EOF
If the patch applies cleanly, it will say:
> EOF
patching file app/controllers/accounts_controller.rb
patching file app/controllers/api/web/base_controller.rb
patching file app/controllers/application_controller.rb
patching file app/models/user.rb
patching file config/environments/development.rb
patching file config/environments/production.rb
patching file config/initializers/1_hosts.rb
patching file config/initializers/devise.rb
patching file config/initializers/session_store.rb
patching file config/navigation.rb
patching file vendor/bundle/ruby/2.7.0/gems/actionpack-5.2.4.4/lib/action_controller/metal/redirecting.rb
patching file vendor/bundle/ruby/2.7.0/gems/actionpack-5.2.4.4/lib/action_dispatch/http/url.rb
- Restart your Mastodon server:
- 3.1. Navigate to the Screen window where it's running
- 3.2. Press Ctrl-c
- 3.3. Press the up arrow (to select the previous command), check that it's "rails s", and hit Enter
- Point your Tor Browser to http://ONION_SITE_GOES_HERE and enjoy your instance as a Tor hidden service.