Start9/documentation
2
0
Fork 0
mirror of https://github.com/Start9Labs/documentation.git synced 2026-03-30 12:11:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

rework ca trusting flow (#547)

Browse Source 
* rework ca trusting flow

* abstract firefox guides for ca and tor

* remove uneeded package.lock

* fix references, update submodule

* clean up
This commit is contained in:
Matt Hill
2023-11-19 11:26:58 -07:00
committed by GitHub
parent f34f9fce44
commit 3bad4b440b
36 changed files with 320 additions and 441 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
site/source/device-guides/android/ca-android.rst
View File

@@ -1,16 +1,20 @@
.. _ca-android:
=========================================
Trusting Your Server's Root CA on Android
=========================================
================================
Trusting Your Root CA on Android
================================
Complete this guide to trust your server's Root Certificate Authority (Root CA) on Android.
.. note:: This guide only applies to Android phones running Android v13+, as well as phones running CalyxOS, GrapheneOS, or LineageOS (v19+).
.. warning:: You must use `Firefox Beta <https://blog.mozilla.org/security/2019/02/14/why-does-mozilla-maintain-our-own-root-certificate-store/>`_ on Android. The regular Firefox app will not work.
#. Ensure you have already :ref:`downloaded your Root CA <download-root-ca>`
.. warning:: This guide only applies to Android phones running Android v13+, as well as phones running CalyxOS, GrapheneOS, or LineageOS (v19+).
#. Ensure you have :ref:`downloaded your Root CA <root-ca-download>`
#. Tap **Settings > Security > More security settings > Encryption & credentials > Install a certificate > CA Certificate > Install Anyway** and select your custom-named ``adjective-noun.local.crt`` certificate.
.. figure:: /_static/images/ssl/android/droidLAN2.png
:width: 15%
:alt: Install certificate
#. If using Firefox (recommended), complete :ref:`this final step <ca-ff>`

80
site/source/device-guides/android/ff-android.rst
View File

@@ -1,80 +0,0 @@
.. _ff-android:
==============================
Configuring Firefox on Android
==============================
Download `Firefox Beta <https://play.google.com/store/apps/details?id=org.mozilla.firefox_beta>`_ from the Play Store, or `Fennec <https://f-droid.org/en/packages/org.mozilla.fennec_fdroid/>`_ from F-Droid.
.. caution:: You must use **Firefox Beta** on Android. Regular Firefox does not permit advanced configuration.
Local (required for initial setup)
----------------------------------
#. Ensure you have already :ref:`trusted your Root CA<ca-android>` on your Android device
#. Tap ``Kebab Menu > Settings > About Firefox`` and tap the Firefox icon 5 times to enable "developer mode"
#. Go back to ``Kebab Menu > Settings > Secret Settings`` (at the bottom), and tap ``Use third party CA certificates``
Tor (can be completed later)
----------------------------
#. Ensure you are already :ref:`running Tor<tor-android>` on your Android device
#. Download the `Proxy Auto Config` file that will use Orbot to resolve `.onion` URLs. We have one hosted `here <https://start9.com/assets/proxy.pac>`_
#. Open Firefox and enter ``about:config`` in the URL bar. Accept any warnings that appear
#. Search for ``network.proxy.autoconfig_url``, and set the value to ``file:///storage/emulated/0/Download/proxy.pac``. This is the default location of a the proxy.pac file downloaded in step 2, although your path may vary:
.. figure:: /_static/images/tor/autoconfig_url.png
:width: 30%
:alt: Firefox autoconfig url setting screenshot
#. Navigate to ``about:config`` in the Firefox URL bar:
.. figure:: /_static/images/tor/about_config.png
:width: 30%
:alt: Firefox about config
#. Search for ``network.proxy.type`` into the search bar, and set the value to ``2``:
.. figure:: /_static/images/tor/network_proxy_type.png
:width: 30%
:alt: Firefox network proxy type setting screenshot
#. Search for ``network.proxy.socks_remote_dns``, and set the value to ``true``:
.. figure:: /_static/images/tor/socks_remote_dns.png
:width: 30%
:alt: Firefox socks remote dns setting screenshot
#. Search for ``dom.securecontext.allowlist_onions`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_allowlist_mobile.png
:width: 30%
:alt: Firefox whitelist onions screenshot
#. Search for ``network.websocket.allowInsecureFromHTTPS`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_insecure_websockets_droid.png
:width: 30%
:alt: Firefox allow insecure websockets over https
#. Search for ``network.http.referer.hideOnionsSource`` and set the value to ``true``
#. (**GrapheneOS users only**): Head to ``Settings -> Apps -> Firefox Beta -> Permissions -> Photos and videos -> Configure Storage Scopes -> ADD FILE``, then navigate to where you placed the proxy.pac file:
.. figure:: /_static/images/tor/storage-scopes-proxy.jpg
:width: 15%
#. Restart Firefox
#. Test that Firefox can resolve `.onion` URLs by visiting Start9's Tor website: http://privacy34kn4ez3y3nijweec6w4g54i3g54sdv7r5mr6soma3w4begyd.onion. If this does not work, go through this guide again, ensuring you followed every step, including the first which refers to another guide
#. You can now use the `.onion` URLs of your server and installed services
Install StartOS as a PWA
------------------------
Depending on your version of Firefox, you may be prompted to "Add to Home screen", when visiting your main UI. If you do this, you can access your UI as a Progressive Web App (PWA), meaining that all browser context is removed, and StartOS will behave as a native Android app!
If you are not prompted, or skipped that screen, simply go to the **Kebab (Settings) Menu > Install** while visiting your server's UI to complete the action.

1
site/source/device-guides/android/index.rst
View File

@@ -12,4 +12,3 @@ Recommended Guides
ca-android
tor-android
ff-android

8
site/source/device-guides/android/tor-android.rst
View File

@@ -5,6 +5,8 @@ Running Tor on Android
======================
Some apps, such as the official Tor Browser, have Tor built in. They do not require additional software or configurations to utilize Tor. Most apps, however, do not have Tor built in. They require an app called Orbot to be installed in order to utilize the Tor Network.
.. warning:: You must use `Firefox Beta <https://blog.mozilla.org/security/2019/02/14/why-does-mozilla-maintain-our-own-root-certificate-store/>`_ on Android. The regular Firefox app will not work.
Running Orbot
-------------
Orbot is a system-wide proxy for your Android device that enables communications over Tor.
@@ -45,7 +47,6 @@ Orbot is a system-wide proxy for your Android device that enables communications
Orbot VPN mode
--------------
To utilize Tor, some apps require that Orbot be running in VPN mode. This means that you are sending your application's traffic across the Tor network via Orbot.
#. Disable Private DNS on your device. Navigate to: ``Settings > Network & Internet > Advanced > Private DNS > Off`` and toggle Private DNS to "off".
@@ -76,3 +77,8 @@ You can also add the following browsers to the Tor-Enabled Apps list to easily a
- Vanadium
.. caution:: Pushing apps through Orbot's VPN mode will allow you to access .onion URLs, however, all other traffic will also go through Tor. This means connections to some sites may be blocked by site operators' fraud prevention measures, especially e-commerce sites where credit cards are used. Proceed with caution especially for Web Browsers.
If using Firefox (recommended)
------------------------------
Complete this guide: :ref:`tor-ff`

2
site/source/device-guides/ios/ca-ios.rst
View File

@@ -5,7 +5,7 @@ Trusting Your Server's Root CA on iOS
=====================================
Complete this guide to trust your server's Root Certificate Authority (Root CA) on iOS.
#. Ensure you have already :ref:`downloaded your Root CA <download-root-ca>`
#. Ensure you have :ref:`downloaded your Root CA <root-ca-download>`
#. Open your iCloud Downloads folder and click on the certificate. It will display a dialog box that says "Profile Downloaded." Click `Close`.

6
site/source/device-guides/ios/tor-ios.rst
View File

@@ -4,8 +4,6 @@
Running Tor on iOS
==================
Running Orbot
-------------
Orbot is a system-wide proxy for your Android device that enables communications over Tor.
#. Download and install `Orbot from the Apple appstore <https://apps.apple.com/us/app/orbot/id1609461599>`_.
@@ -23,7 +21,3 @@ Orbot is a system-wide proxy for your Android device that enables communications
:alt: iOS Orbot Connecting to Tor
#. Apps will now work transparently when requesting onion urls!
Access Onionsites
-----------------
Once Orbot is setup on your system as you've just done, you don't need any browser configuration. All browsers in iOS are Safari under the hood, and this Orbot configuration enables access to ``.onion`` URLs. Regular clearnet requests will not use tor.

17
site/source/device-guides/linux/ca-linux.rst
View File

@@ -1,8 +1,8 @@
.. _ca-linux:
=======================================
Trusting Your Server's Root CA on Linux
=======================================
==============================
Trusting Your Root CA on Linux
==============================
.. caution:: If you cannot connect following this guide, you may be using an application (such as Firefox) that is installed in a jailed environment, such as an appimage, flatpak, or snap. Please try an alternate install method if so.
@@ -12,7 +12,7 @@ Trusting Your Server's Root CA on Linux
These instructions will work for most Debian-based Linux distributions, such as Debian, Linux Mint, PopOS, Ubuntu, etc.
#. Ensure you have already :ref:`downloaded your Root CA <download-root-ca>`
#. Ensure you have :ref:`downloaded your Root CA <root-ca-download>`
#. Perform the following commands in the Terminal:
@@ -33,11 +33,13 @@ Trusting Your Server's Root CA on Linux
sudo bash -c "echo 'start9/adjective-noun.local.crt' >> /etc/ca-certificates.conf"
sudo update-ca-certificates
In the output it should say ``1 added`` if it was successful. For most applications, you will now be able to securely connect via ``https``. We highly recommend continuing on to our :ref:`Configuring Firefox <ff-linux>` guide.
In the output it should say ``1 added`` if it was successful. For most applications, you will now be able to securely connect via ``https``.
#. If using Firefox (recommended), complete :ref:`this final step <ca-ff>`
.. group-tab:: Arch/Garuda
#. Ensure you have already :ref:`downloaded your Root CA <download-root-ca>`
#. Ensure you have :ref:`downloaded your Root CA <root-ca-download>`
#. From the folder you have downloaded your Start9 server's Root CA, run the following commands. Take care to replace `adjective-noun` with your server's unique adjective-noun combination in the command below. If you have changed the certificate's filename, be sure to change it here.
@@ -51,7 +53,7 @@ Trusting Your Server's Root CA on Linux
.. group-tab:: CentOS/Fedora
#. Ensure you have already :ref:`downloaded your Root CA <download-root-ca>`
#. Ensure you have :ref:`downloaded your Root CA <root-ca-download>`
#. In `/etc/systemd/resolved.conf`, ensure you have ``MulticastDNS=Yes``
@@ -68,3 +70,4 @@ Trusting Your Server's Root CA on Linux
sudo yum install ca-certificates
sudo cp "adjective-noun.local.crt" /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

108
site/source/device-guides/linux/ff-linux.rst
View File

@@ -1,108 +0,0 @@
.. _ff-linux:
============================
Configuring Firefox on Linux
============================
Here you will configure Firefox to securely resolve the .local and .onion URLs of your server and installed services.
Local (required for initial setup)
----------------------------------
This guide applies to Firefox, Firefox ESR, Librewolf, and Thunderbird. Mozilla apps need to be configured to use the certificate store of your device. To find out why Mozilla does this differently, you can read their `blog post <https://blog.mozilla.org/security/2019/02/14/why-does-mozilla-maintain-our-own-root-certificate-store/>`_ on the topic (TLDR: for security purposes).
#. Select your distribution below and follow instructions:
.. tabs::
.. group-tab:: Debian/Ubuntu
#. Select the hamburger menu -> ``Settings``. Search for ``security devices`` and select ``Security Devices...``
.. figure:: /_static/images/ssl/linux/cert-trust-linux-firefox-p11kit-1.png
:width: 60%
:alt: Mozilla application p11kit trust #1
#. When the Device Manager dialog window opens, select ``Load``
.. figure:: /_static/images/ssl/linux/cert-trust-linux-firefox-p11kit-2.png
:width: 60%
:alt: Mozilla application p11kit trust #2
#. Give the Module Name a title such as "System CA Trust Module". For the Module filename, paste in ``/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so`` and hit ``OK``
.. figure:: /_static/images/ssl/linux/cert-trust-linux-firefox-p11kit-3.png
:width: 60%
:alt: Mozilla application p11kit trust #3
.. tip:: The path to p11-kit-trust.so will be slightly different if your processor's architecture is not x86_64.
#. Verify that the new module shows up on the left hand side and select ``OK`` at the bottom right:
.. figure:: /_static/images/ssl/linux/cert-trust-linux-firefox-p11kit-4.png
:width: 60%
:alt: Mozilla application p11kit trust #4
.. group-tab:: Arch/Garuda/CentOS/Fedora
No special steps are needed for Arch/Garuda/CentOS/Fedora. Continue below.
#. Restart Firefox
Tor (can be completed later)
----------------------------
#. Ensure you have already :ref:`set up Tor<tor-linux>`
#. Open Firefox and enter ``about:config`` in the URL bar. Accept any warnings that appear
#. Search for ``dom.securecontext.allowlist_onions`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_allowlist.png
:width: 60%
:alt: Firefox whitelist onions screenshot
#. Search for ``network.websocket.allowInsecureFromHTTPS`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_insecure_websockets.png
:width: 60%
:alt: Firefox allow insecure websockets over https
#. Download a `Proxy Auto Config` file to inform Firefox how to use the Tor daemon running on your computer. You can get Start9's standard file from a terminal, by using:
.. code-block::
sudo wget -P ~/ https://start9.com/assets/proxy.pac
#. Determine the full path of `proxy.pac`, which we will use in step 9, by executing the following command in the terminal, and copying its output to your clipboard:
.. code-block::
echo file://$HOME/proxy.pac
#. Go to the right-hand hamburger menu and select ``Settings``:
.. figure:: /_static/images/tor/os_ff_settings.png
:width: 30%
:alt: Firefox options screenshot
#. Search for the term ``proxy`` in the search bar in the upper right and select ``Settings...``:
.. figure:: /_static/images/tor/firefox_search.png
:width: 60%
:alt: Firefox search screenshot
#. Select ``Automatic proxy configuration URL`` and paste the output from the command you performed in step 6. Be aware, the triple ``///`` is intentional, and your path *will* be different from the one below - namely, YOUR_LINUX_USERNAME will be your actual linux username:
.. code-block::
file:///home/YOUR_LINUX_USERNAME/proxy.pac
.. figure:: /_static/images/tor/firefox_proxy_linux.png
:width: 60%
:alt: Firefox proxy settings screenshot
#. Check the box labeled ``Proxy DNS when using SOCKS v5`` in the image above
#. Click ``OK`` and restart Firefox
#. Test that Firefox can resolve `.onion` URLs by visiting Start9's Tor website: http://privacy34kn4ez3y3nijweec6w4g54i3g54sdv7r5mr6soma3w4begyd.onion. If this does not work, go through this guide again, ensuring you followed every step, including the first which refers to another guide
#. You can now use the `.onion` URLs of your server and installed services

1
site/source/device-guides/linux/index.rst
View File

@@ -12,7 +12,6 @@ Recommended Guides
ca-linux
tor-linux
ff-linux
Other Useful Guides
-------------------

8
site/source/device-guides/linux/tor-linux.rst
View File

@@ -1,8 +1,8 @@
.. _tor-linux:
====================
Running Tor on Linux
====================
==================
Using Tor on Linux
==================
.. tabs::
@@ -93,3 +93,5 @@ Running Tor on Linux
.. code-block:: bash
sudo systemctl enable --now tor
If using Firefox (recommended), you will also need to complete this guide: :ref:`tor-ff`

10
site/source/device-guides/mac/ca-mac.rst
View File

@@ -1,11 +1,11 @@
.. _ca-mac:
=====================================
Trusting Your Server's Root CA on Mac
=====================================
============================
Trusting Your Root CA on Mac
============================
Complete this guide to trust your server's Root Certificate Authority (Root CA) on Mac.
#. Ensure you have already :ref:`downloaded your Root CA <download-root-ca>`
#. Ensure you have :ref:`downloaded your Root CA <root-ca-download>`
#. Locate your downloaded Root CA. Right click it and select *Show in Folder*:
@@ -50,3 +50,5 @@ Complete this guide to trust your server's Root Certificate Authority (Root CA)
:alt: Keychain submenu
.. tip:: If the keychain console did not show the certificate as trusted, press "Command + spacebar" and type “Keychain Access”, and hit enter to re-open it.
#. If using Firefox (recommended), complete :ref:`this final step <ca-ff>`

60
site/source/device-guides/mac/ff-mac.rst
View File

@@ -1,60 +0,0 @@
.. _ff-mac:
==========================
Configuring Firefox on Mac
==========================
Here you will configure Firefox to securely resolve the .local and .onion URLs of your server and installed services.
Local (required for initial setup)
----------------------------------
#. Open Firefox and enter ``about:config`` in the URL bar. Accept any warnings that appear
#. Search for ``security.enterprise_roots.enable``, set it to ``true``.
.. figure:: /_static/images/ssl/browser/enterprise_roots_enabled_true.png
:width: 80%
:alt: Firefox security settings
#. Restart Firefox
Tor (can be completed later)
----------------------------
#. Ensure you have already :ref:`set up Tor<tor-mac>`
#. Open Firefox and enter ``about:config`` in the URL bar. Accept any warnings that appear
#. Search for ``dom.securecontext.allowlist_onions`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_allowlist.png
:width: 60%
:alt: Firefox whitelist onions screenshot
#. Search for ``network.websocket.allowInsecureFromHTTPS`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_insecure_websockets.png
:width: 60%
:alt: Firefox allow insecure websockets over https
#. Go to the right-hand hamburger menu and select ``Settings``:
.. figure:: /_static/images/tor/os_ff_settings.png
:width: 30%
:alt: Firefox options screenshot
#. Search for the term ``proxy`` in the search bar in the upper right and select ``Settings...``:
.. figure:: /_static/images/tor/firefox_search.png
:width: 60%
:alt: Firefox search screenshot
#. Check the option labeled ``Use System Proxy Settings`` *and* the box labeled ``Proxy DNS when using SOCKS v5``:
.. figure:: /_static/images/tor/firefox_proxy.png
:width: 60%
:alt: Firefox proxy settings screenshot
#. Click ``OK`` and restart Firefox
#. Test that Firefox can resolve `.onion` URLs by visiting Start9's Tor website: http://privacy34kn4ez3y3nijweec6w4g54i3g54sdv7r5mr6soma3w4begyd.onion. If this does not work, go through this guide again, ensuring you followed every step, including the first which refers to another guide
#. You can now use the `.onion` URLs of your server and installed services

1
site/source/device-guides/mac/index.rst
View File

@@ -12,7 +12,6 @@ Recommended Guides
ca-mac
tor-mac
ff-mac
Other Useful Guides
-------------------

6
site/source/device-guides/mac/tor-mac.rst
View File

@@ -114,8 +114,6 @@ Enable Tor System-wide
cat /usr/local/var/log/tor.log || sudo cat /opt/homebrew/var/log/tor.log
If you'd like to setup Firefox to use Tor you can follow :ref:`this guide<ff-mac>`.
.. group-tab:: Pre-Ventura
#. Enable proxy autoconfig file (This will download the Start9 standard proxy config file. You can use your own if you prefer):
@@ -176,4 +174,6 @@ Enable Tor System-wide
cat /usr/local/var/log/tor.log || sudo cat /opt/homebrew/var/log/tor.log
If you'd like to setup Firefox to use Tor you can follow :ref:`this guide<ff-mac>`.
If using Firefox (recommended)
------------------------------
Complete this guide: :ref:`tor-ff`

12
site/source/device-guides/windows/ca-windows.rst
View File

@@ -1,13 +1,13 @@
.. _ca-windows:
=========================================
Trusting Your Server's Root CA on Windows
=========================================
================================
Trusting Your Root CA on Windows
================================
Complete this guide to trust your server's Root Certificate Authority (Root CA) on Windows.
#. Ensure you have already :ref:`downloaded your Root CA <download-root-ca>`
#. Ensure you have :ref:`downloaded your Root CA <root-ca-download>`
#. Ensure you have already :ref:`installed bonjour <connecting-lan-windows>`
#. Ensure you have :ref:`installed bonjour <connecting-lan-windows>`
#. Click the “Start” menu, type “mmc”, and select "Run as administrator" to access the Windows Management Console.
@@ -82,3 +82,5 @@ Complete this guide to trust your server's Root Certificate Authority (Root CA)
.. figure:: /_static/images/ssl/windows/11_console_settings.png
:width: 20%
:alt: Console settings
#. If using Firefox (recommended), complete :ref:`this final step <ca-ff>`

72
site/source/device-guides/windows/ff-windows.rst
View File

@@ -1,72 +0,0 @@
.. _ff-windows:
==============================
Configuring Firefox on Windows
==============================
Here you will configure Firefox to securely resolve the .local and .onion URLs of your server and installed services.
Local (required for initial setup)
----------------------------------
#. Open Firefox and enter ``about:config`` in the URL bar. Accept any warnings that appear
#. Search for ``security.enterprise_roots.enable``, set it to ``true``.
.. figure:: /_static/images/ssl/browser/enterprise_roots_enabled_true.png
:width: 80%
:alt: Firefox security settings
#. Restart Firefox
Tor (can be completed later)
----------------------------
#. Ensure you have already :ref:`set up Tor<tor-windows>`
#. Open Firefox and enter ``about:config`` in the URL bar. Accept any warnings that appear
#. Search for ``dom.securecontext.allowlist_onions`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_allowlist.png
:width: 60%
:alt: Firefox whitelist onions screenshot
#. Search for ``network.websocket.allowInsecureFromHTTPS`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_insecure_websockets.png
:width: 60%
:alt: Firefox allow insecure websockets over https
#. Download a ``Proxy Auto Config`` file to inform Firefox how to use the Tor daemon running on your computer. Click `here <https://start9.com/assets/proxy.pac>`_ to get the one offered by Start9 and save it somewhere you will not delete it. Remember where you save the file. For this example:
.. code-block::
C:\Program Files\Tor Browser\proxy.pac
#. Go to the right-hand hamburger menu and select ``Settings``:
.. figure:: /_static/images/tor/os_ff_settings.png
:width: 30%
:alt: Firefox options screenshot
#. Search for the term ``proxy`` in the search bar in the upper right and select ``Settings...``:
.. figure:: /_static/images/tor/firefox_search.png
:width: 60%
:alt: Firefox search screenshot
#. Select ``Automatic proxy configuration URL`` and paste in the path to your PAC file from earlier, prefixed with ``file://``. For example:
.. code-block::
file://C:/Program Files/Tor Browser/proxy.pac
#. Check the box labeled ``Proxy DNS when using SOCKS v5``:
.. figure:: /_static/images/tor/firefox_proxy.png
:width: 60%
:alt: Firefox proxy settings screenshot
#. Click ``OK`` and restart Firefox
#. Test that Firefox can resolve `.onion` URLs by visiting Start9's Tor website: http://privacy34kn4ez3y3nijweec6w4g54i3g54sdv7r5mr6soma3w4begyd.onion. If this does not work, go through this guide again, ensuring you followed every step, including the first which refers to another guide
#. You can now use the `.onion` URLs of your server and installed services

1
site/source/device-guides/windows/index.rst
View File

@@ -12,7 +12,6 @@ Recommended Guides
ca-windows
tor-windows
ff-windows
Other Useful Guides
-------------------

2
site/source/device-guides/windows/tor-windows.rst
View File

@@ -54,4 +54,4 @@ Running Tor on Windows
2. Uninstall the Tor Browser, following `these steps <https://tb-manual.torproject.org/uninstalling/>`_.
3. Begin this guide again from the beginning.
#. That's it! Your Windows computer is now setup to natively use Tor.
#. If using Firefox (recommended), complete :ref:`this final step <tor-ff>`