Start9/documentation
2
0
Fork 0
mirror of https://github.com/Start9Labs/documentation.git synced 2026-03-26 02:11:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

rework ca trusting flow (#547)

Browse Source 
* rework ca trusting flow

* abstract firefox guides for ca and tor

* remove uneeded package.lock

* fix references, update submodule

* clean up
This commit is contained in:
Matt Hill
2023-11-19 11:26:58 -07:00
committed by GitHub
parent f34f9fce44
commit 3bad4b440b
36 changed files with 320 additions and 441 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pyproject.toml
View File

@@ -1,5 +1,5 @@
[tool.poetry]
name = "start9-docs"
name = "documentation"
description = "Start9 Documentation"
version = "0.1.0"
authors = ["elvece <lucy@start9.com>, kn0wmad <david@start9.com>"]

6
site/package-lock.json generated
View File

@@ -1,6 +0,0 @@
{
"name": "site",
"lockfileVersion": 2,
"requires": true,
"packages": {}
}

14
site/source/device-guides/android/ca-android.rst
View File

@@ -1,16 +1,20 @@
.. _ca-android:
=========================================
Trusting Your Server's Root CA on Android
=========================================
================================
Trusting Your Root CA on Android
================================
Complete this guide to trust your server's Root Certificate Authority (Root CA) on Android.
.. note:: This guide only applies to Android phones running Android v13+, as well as phones running CalyxOS, GrapheneOS, or LineageOS (v19+).
.. warning:: You must use `Firefox Beta <https://blog.mozilla.org/security/2019/02/14/why-does-mozilla-maintain-our-own-root-certificate-store/>`_ on Android. The regular Firefox app will not work.
#. Ensure you have already :ref:`downloaded your Root CA <download-root-ca>`
.. warning:: This guide only applies to Android phones running Android v13+, as well as phones running CalyxOS, GrapheneOS, or LineageOS (v19+).
#. Ensure you have :ref:`downloaded your Root CA <root-ca-download>`
#. Tap **Settings > Security > More security settings > Encryption & credentials > Install a certificate > CA Certificate > Install Anyway** and select your custom-named ``adjective-noun.local.crt`` certificate.
.. figure:: /_static/images/ssl/android/droidLAN2.png
:width: 15%
:alt: Install certificate
#. If using Firefox (recommended), complete :ref:`this final step <ca-ff>`

80
site/source/device-guides/android/ff-android.rst
View File

@@ -1,80 +0,0 @@
.. _ff-android:
==============================
Configuring Firefox on Android
==============================
Download `Firefox Beta <https://play.google.com/store/apps/details?id=org.mozilla.firefox_beta>`_ from the Play Store, or `Fennec <https://f-droid.org/en/packages/org.mozilla.fennec_fdroid/>`_ from F-Droid.
.. caution:: You must use **Firefox Beta** on Android. Regular Firefox does not permit advanced configuration.
Local (required for initial setup)
----------------------------------
#. Ensure you have already :ref:`trusted your Root CA<ca-android>` on your Android device
#. Tap ``Kebab Menu > Settings > About Firefox`` and tap the Firefox icon 5 times to enable "developer mode"
#. Go back to ``Kebab Menu > Settings > Secret Settings`` (at the bottom), and tap ``Use third party CA certificates``
Tor (can be completed later)
----------------------------
#. Ensure you are already :ref:`running Tor<tor-android>` on your Android device
#. Download the `Proxy Auto Config` file that will use Orbot to resolve `.onion` URLs. We have one hosted `here <https://start9.com/assets/proxy.pac>`_
#. Open Firefox and enter ``about:config`` in the URL bar. Accept any warnings that appear
#. Search for ``network.proxy.autoconfig_url``, and set the value to ``file:///storage/emulated/0/Download/proxy.pac``. This is the default location of a the proxy.pac file downloaded in step 2, although your path may vary:
.. figure:: /_static/images/tor/autoconfig_url.png
:width: 30%
:alt: Firefox autoconfig url setting screenshot
#. Navigate to ``about:config`` in the Firefox URL bar:
.. figure:: /_static/images/tor/about_config.png
:width: 30%
:alt: Firefox about config
#. Search for ``network.proxy.type`` into the search bar, and set the value to ``2``:
.. figure:: /_static/images/tor/network_proxy_type.png
:width: 30%
:alt: Firefox network proxy type setting screenshot
#. Search for ``network.proxy.socks_remote_dns``, and set the value to ``true``:
.. figure:: /_static/images/tor/socks_remote_dns.png
:width: 30%
:alt: Firefox socks remote dns setting screenshot
#. Search for ``dom.securecontext.allowlist_onions`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_allowlist_mobile.png
:width: 30%
:alt: Firefox whitelist onions screenshot
#. Search for ``network.websocket.allowInsecureFromHTTPS`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_insecure_websockets_droid.png
:width: 30%
:alt: Firefox allow insecure websockets over https
#. Search for ``network.http.referer.hideOnionsSource`` and set the value to ``true``
#. (**GrapheneOS users only**): Head to ``Settings -> Apps -> Firefox Beta -> Permissions -> Photos and videos -> Configure Storage Scopes -> ADD FILE``, then navigate to where you placed the proxy.pac file:
.. figure:: /_static/images/tor/storage-scopes-proxy.jpg
:width: 15%
#. Restart Firefox
#. Test that Firefox can resolve `.onion` URLs by visiting Start9's Tor website: http://privacy34kn4ez3y3nijweec6w4g54i3g54sdv7r5mr6soma3w4begyd.onion. If this does not work, go through this guide again, ensuring you followed every step, including the first which refers to another guide
#. You can now use the `.onion` URLs of your server and installed services
Install StartOS as a PWA
------------------------
Depending on your version of Firefox, you may be prompted to "Add to Home screen", when visiting your main UI. If you do this, you can access your UI as a Progressive Web App (PWA), meaining that all browser context is removed, and StartOS will behave as a native Android app!
If you are not prompted, or skipped that screen, simply go to the **Kebab (Settings) Menu > Install** while visiting your server's UI to complete the action.

1
site/source/device-guides/android/index.rst
View File

@@ -12,4 +12,3 @@ Recommended Guides
ca-android
tor-android
ff-android

8
site/source/device-guides/android/tor-android.rst
View File

@@ -5,6 +5,8 @@ Running Tor on Android
======================
Some apps, such as the official Tor Browser, have Tor built in. They do not require additional software or configurations to utilize Tor. Most apps, however, do not have Tor built in. They require an app called Orbot to be installed in order to utilize the Tor Network.
.. warning:: You must use `Firefox Beta <https://blog.mozilla.org/security/2019/02/14/why-does-mozilla-maintain-our-own-root-certificate-store/>`_ on Android. The regular Firefox app will not work.
Running Orbot
-------------
Orbot is a system-wide proxy for your Android device that enables communications over Tor.
@@ -45,7 +47,6 @@ Orbot is a system-wide proxy for your Android device that enables communications
Orbot VPN mode
--------------
To utilize Tor, some apps require that Orbot be running in VPN mode. This means that you are sending your application's traffic across the Tor network via Orbot.
#. Disable Private DNS on your device. Navigate to: ``Settings > Network & Internet > Advanced > Private DNS > Off`` and toggle Private DNS to "off".
@@ -76,3 +77,8 @@ You can also add the following browsers to the Tor-Enabled Apps list to easily a
- Vanadium
.. caution:: Pushing apps through Orbot's VPN mode will allow you to access .onion URLs, however, all other traffic will also go through Tor. This means connections to some sites may be blocked by site operators' fraud prevention measures, especially e-commerce sites where credit cards are used. Proceed with caution especially for Web Browsers.
If using Firefox (recommended)
------------------------------
Complete this guide: :ref:`tor-ff`

2
site/source/device-guides/ios/ca-ios.rst
View File

@@ -5,7 +5,7 @@ Trusting Your Server's Root CA on iOS
=====================================
Complete this guide to trust your server's Root Certificate Authority (Root CA) on iOS.
#. Ensure you have already :ref:`downloaded your Root CA <download-root-ca>`
#. Ensure you have :ref:`downloaded your Root CA <root-ca-download>`
#. Open your iCloud Downloads folder and click on the certificate. It will display a dialog box that says "Profile Downloaded." Click `Close`.

6
site/source/device-guides/ios/tor-ios.rst
View File

@@ -4,8 +4,6 @@
Running Tor on iOS
==================
Running Orbot
-------------
Orbot is a system-wide proxy for your Android device that enables communications over Tor.
#. Download and install `Orbot from the Apple appstore <https://apps.apple.com/us/app/orbot/id1609461599>`_.
@@ -23,7 +21,3 @@ Orbot is a system-wide proxy for your Android device that enables communications
:alt: iOS Orbot Connecting to Tor
#. Apps will now work transparently when requesting onion urls!
Access Onionsites
-----------------
Once Orbot is setup on your system as you've just done, you don't need any browser configuration. All browsers in iOS are Safari under the hood, and this Orbot configuration enables access to ``.onion`` URLs. Regular clearnet requests will not use tor.

17
site/source/device-guides/linux/ca-linux.rst
View File

@@ -1,8 +1,8 @@
.. _ca-linux:
=======================================
Trusting Your Server's Root CA on Linux
=======================================
==============================
Trusting Your Root CA on Linux
==============================
.. caution:: If you cannot connect following this guide, you may be using an application (such as Firefox) that is installed in a jailed environment, such as an appimage, flatpak, or snap. Please try an alternate install method if so.
@@ -12,7 +12,7 @@ Trusting Your Server's Root CA on Linux
These instructions will work for most Debian-based Linux distributions, such as Debian, Linux Mint, PopOS, Ubuntu, etc.
#. Ensure you have already :ref:`downloaded your Root CA <download-root-ca>`
#. Ensure you have :ref:`downloaded your Root CA <root-ca-download>`
#. Perform the following commands in the Terminal:
@@ -33,11 +33,13 @@ Trusting Your Server's Root CA on Linux
sudo bash -c "echo 'start9/adjective-noun.local.crt' >> /etc/ca-certificates.conf"
sudo update-ca-certificates
In the output it should say ``1 added`` if it was successful. For most applications, you will now be able to securely connect via ``https``. We highly recommend continuing on to our :ref:`Configuring Firefox <ff-linux>` guide.
In the output it should say ``1 added`` if it was successful. For most applications, you will now be able to securely connect via ``https``.
#. If using Firefox (recommended), complete :ref:`this final step <ca-ff>`
.. group-tab:: Arch/Garuda
#. Ensure you have already :ref:`downloaded your Root CA <download-root-ca>`
#. Ensure you have :ref:`downloaded your Root CA <root-ca-download>`
#. From the folder you have downloaded your Start9 server's Root CA, run the following commands. Take care to replace `adjective-noun` with your server's unique adjective-noun combination in the command below. If you have changed the certificate's filename, be sure to change it here.
@@ -51,7 +53,7 @@ Trusting Your Server's Root CA on Linux
.. group-tab:: CentOS/Fedora
#. Ensure you have already :ref:`downloaded your Root CA <download-root-ca>`
#. Ensure you have :ref:`downloaded your Root CA <root-ca-download>`
#. In `/etc/systemd/resolved.conf`, ensure you have ``MulticastDNS=Yes``
@@ -68,3 +70,4 @@ Trusting Your Server's Root CA on Linux
sudo yum install ca-certificates
sudo cp "adjective-noun.local.crt" /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

108
site/source/device-guides/linux/ff-linux.rst
View File

@@ -1,108 +0,0 @@
.. _ff-linux:
============================
Configuring Firefox on Linux
============================
Here you will configure Firefox to securely resolve the .local and .onion URLs of your server and installed services.
Local (required for initial setup)
----------------------------------
This guide applies to Firefox, Firefox ESR, Librewolf, and Thunderbird. Mozilla apps need to be configured to use the certificate store of your device. To find out why Mozilla does this differently, you can read their `blog post <https://blog.mozilla.org/security/2019/02/14/why-does-mozilla-maintain-our-own-root-certificate-store/>`_ on the topic (TLDR: for security purposes).
#. Select your distribution below and follow instructions:
.. tabs::
.. group-tab:: Debian/Ubuntu
#. Select the hamburger menu -> ``Settings``. Search for ``security devices`` and select ``Security Devices...``
.. figure:: /_static/images/ssl/linux/cert-trust-linux-firefox-p11kit-1.png
:width: 60%
:alt: Mozilla application p11kit trust #1
#. When the Device Manager dialog window opens, select ``Load``
.. figure:: /_static/images/ssl/linux/cert-trust-linux-firefox-p11kit-2.png
:width: 60%
:alt: Mozilla application p11kit trust #2
#. Give the Module Name a title such as "System CA Trust Module". For the Module filename, paste in ``/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so`` and hit ``OK``
.. figure:: /_static/images/ssl/linux/cert-trust-linux-firefox-p11kit-3.png
:width: 60%
:alt: Mozilla application p11kit trust #3
.. tip:: The path to p11-kit-trust.so will be slightly different if your processor's architecture is not x86_64.
#. Verify that the new module shows up on the left hand side and select ``OK`` at the bottom right:
.. figure:: /_static/images/ssl/linux/cert-trust-linux-firefox-p11kit-4.png
:width: 60%
:alt: Mozilla application p11kit trust #4
.. group-tab:: Arch/Garuda/CentOS/Fedora
No special steps are needed for Arch/Garuda/CentOS/Fedora. Continue below.
#. Restart Firefox
Tor (can be completed later)
----------------------------
#. Ensure you have already :ref:`set up Tor<tor-linux>`
#. Open Firefox and enter ``about:config`` in the URL bar. Accept any warnings that appear
#. Search for ``dom.securecontext.allowlist_onions`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_allowlist.png
:width: 60%
:alt: Firefox whitelist onions screenshot
#. Search for ``network.websocket.allowInsecureFromHTTPS`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_insecure_websockets.png
:width: 60%
:alt: Firefox allow insecure websockets over https
#. Download a `Proxy Auto Config` file to inform Firefox how to use the Tor daemon running on your computer. You can get Start9's standard file from a terminal, by using:
.. code-block::
sudo wget -P ~/ https://start9.com/assets/proxy.pac
#. Determine the full path of `proxy.pac`, which we will use in step 9, by executing the following command in the terminal, and copying its output to your clipboard:
.. code-block::
echo file://$HOME/proxy.pac
#. Go to the right-hand hamburger menu and select ``Settings``:
.. figure:: /_static/images/tor/os_ff_settings.png
:width: 30%
:alt: Firefox options screenshot
#. Search for the term ``proxy`` in the search bar in the upper right and select ``Settings...``:
.. figure:: /_static/images/tor/firefox_search.png
:width: 60%
:alt: Firefox search screenshot
#. Select ``Automatic proxy configuration URL`` and paste the output from the command you performed in step 6. Be aware, the triple ``///`` is intentional, and your path *will* be different from the one below - namely, YOUR_LINUX_USERNAME will be your actual linux username:
.. code-block::
file:///home/YOUR_LINUX_USERNAME/proxy.pac
.. figure:: /_static/images/tor/firefox_proxy_linux.png
:width: 60%
:alt: Firefox proxy settings screenshot
#. Check the box labeled ``Proxy DNS when using SOCKS v5`` in the image above
#. Click ``OK`` and restart Firefox
#. Test that Firefox can resolve `.onion` URLs by visiting Start9's Tor website: http://privacy34kn4ez3y3nijweec6w4g54i3g54sdv7r5mr6soma3w4begyd.onion. If this does not work, go through this guide again, ensuring you followed every step, including the first which refers to another guide
#. You can now use the `.onion` URLs of your server and installed services

1
site/source/device-guides/linux/index.rst
View File

@@ -12,7 +12,6 @@ Recommended Guides
ca-linux
tor-linux
ff-linux
Other Useful Guides
-------------------

8
site/source/device-guides/linux/tor-linux.rst
View File

@@ -1,8 +1,8 @@
.. _tor-linux:
====================
Running Tor on Linux
====================
==================
Using Tor on Linux
==================
.. tabs::
@@ -93,3 +93,5 @@ Running Tor on Linux
.. code-block:: bash
sudo systemctl enable --now tor
If using Firefox (recommended), you will also need to complete this guide: :ref:`tor-ff`

10
site/source/device-guides/mac/ca-mac.rst
View File

@@ -1,11 +1,11 @@
.. _ca-mac:
=====================================
Trusting Your Server's Root CA on Mac
=====================================
============================
Trusting Your Root CA on Mac
============================
Complete this guide to trust your server's Root Certificate Authority (Root CA) on Mac.
#. Ensure you have already :ref:`downloaded your Root CA <download-root-ca>`
#. Ensure you have :ref:`downloaded your Root CA <root-ca-download>`
#. Locate your downloaded Root CA. Right click it and select *Show in Folder*:
@@ -50,3 +50,5 @@ Complete this guide to trust your server's Root Certificate Authority (Root CA)
:alt: Keychain submenu
.. tip:: If the keychain console did not show the certificate as trusted, press "Command + spacebar" and type “Keychain Access”, and hit enter to re-open it.
#. If using Firefox (recommended), complete :ref:`this final step <ca-ff>`

60
site/source/device-guides/mac/ff-mac.rst
View File

@@ -1,60 +0,0 @@
.. _ff-mac:
==========================
Configuring Firefox on Mac
==========================
Here you will configure Firefox to securely resolve the .local and .onion URLs of your server and installed services.
Local (required for initial setup)
----------------------------------
#. Open Firefox and enter ``about:config`` in the URL bar. Accept any warnings that appear
#. Search for ``security.enterprise_roots.enable``, set it to ``true``.
.. figure:: /_static/images/ssl/browser/enterprise_roots_enabled_true.png
:width: 80%
:alt: Firefox security settings
#. Restart Firefox
Tor (can be completed later)
----------------------------
#. Ensure you have already :ref:`set up Tor<tor-mac>`
#. Open Firefox and enter ``about:config`` in the URL bar. Accept any warnings that appear
#. Search for ``dom.securecontext.allowlist_onions`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_allowlist.png
:width: 60%
:alt: Firefox whitelist onions screenshot
#. Search for ``network.websocket.allowInsecureFromHTTPS`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_insecure_websockets.png
:width: 60%
:alt: Firefox allow insecure websockets over https
#. Go to the right-hand hamburger menu and select ``Settings``:
.. figure:: /_static/images/tor/os_ff_settings.png
:width: 30%
:alt: Firefox options screenshot
#. Search for the term ``proxy`` in the search bar in the upper right and select ``Settings...``:
.. figure:: /_static/images/tor/firefox_search.png
:width: 60%
:alt: Firefox search screenshot
#. Check the option labeled ``Use System Proxy Settings`` *and* the box labeled ``Proxy DNS when using SOCKS v5``:
.. figure:: /_static/images/tor/firefox_proxy.png
:width: 60%
:alt: Firefox proxy settings screenshot
#. Click ``OK`` and restart Firefox
#. Test that Firefox can resolve `.onion` URLs by visiting Start9's Tor website: http://privacy34kn4ez3y3nijweec6w4g54i3g54sdv7r5mr6soma3w4begyd.onion. If this does not work, go through this guide again, ensuring you followed every step, including the first which refers to another guide
#. You can now use the `.onion` URLs of your server and installed services

1
site/source/device-guides/mac/index.rst
View File

@@ -12,7 +12,6 @@ Recommended Guides
ca-mac
tor-mac
ff-mac
Other Useful Guides
-------------------

6
site/source/device-guides/mac/tor-mac.rst
View File

@@ -114,8 +114,6 @@ Enable Tor System-wide
cat /usr/local/var/log/tor.log || sudo cat /opt/homebrew/var/log/tor.log
If you'd like to setup Firefox to use Tor you can follow :ref:`this guide<ff-mac>`.
.. group-tab:: Pre-Ventura
#. Enable proxy autoconfig file (This will download the Start9 standard proxy config file. You can use your own if you prefer):
@@ -176,4 +174,6 @@ Enable Tor System-wide
cat /usr/local/var/log/tor.log || sudo cat /opt/homebrew/var/log/tor.log
If you'd like to setup Firefox to use Tor you can follow :ref:`this guide<ff-mac>`.
If using Firefox (recommended)
------------------------------
Complete this guide: :ref:`tor-ff`

12
site/source/device-guides/windows/ca-windows.rst
View File

@@ -1,13 +1,13 @@
.. _ca-windows:
=========================================
Trusting Your Server's Root CA on Windows
=========================================
================================
Trusting Your Root CA on Windows
================================
Complete this guide to trust your server's Root Certificate Authority (Root CA) on Windows.
#. Ensure you have already :ref:`downloaded your Root CA <download-root-ca>`
#. Ensure you have :ref:`downloaded your Root CA <root-ca-download>`
#. Ensure you have already :ref:`installed bonjour <connecting-lan-windows>`
#. Ensure you have :ref:`installed bonjour <connecting-lan-windows>`
#. Click the “Start” menu, type “mmc”, and select "Run as administrator" to access the Windows Management Console.
@@ -82,3 +82,5 @@ Complete this guide to trust your server's Root Certificate Authority (Root CA)
.. figure:: /_static/images/ssl/windows/11_console_settings.png
:width: 20%
:alt: Console settings
#. If using Firefox (recommended), complete :ref:`this final step <ca-ff>`

72
site/source/device-guides/windows/ff-windows.rst
View File

@@ -1,72 +0,0 @@
.. _ff-windows:
==============================
Configuring Firefox on Windows
==============================
Here you will configure Firefox to securely resolve the .local and .onion URLs of your server and installed services.
Local (required for initial setup)
----------------------------------
#. Open Firefox and enter ``about:config`` in the URL bar. Accept any warnings that appear
#. Search for ``security.enterprise_roots.enable``, set it to ``true``.
.. figure:: /_static/images/ssl/browser/enterprise_roots_enabled_true.png
:width: 80%
:alt: Firefox security settings
#. Restart Firefox
Tor (can be completed later)
----------------------------
#. Ensure you have already :ref:`set up Tor<tor-windows>`
#. Open Firefox and enter ``about:config`` in the URL bar. Accept any warnings that appear
#. Search for ``dom.securecontext.allowlist_onions`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_allowlist.png
:width: 60%
:alt: Firefox whitelist onions screenshot
#. Search for ``network.websocket.allowInsecureFromHTTPS`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_insecure_websockets.png
:width: 60%
:alt: Firefox allow insecure websockets over https
#. Download a ``Proxy Auto Config`` file to inform Firefox how to use the Tor daemon running on your computer. Click `here <https://start9.com/assets/proxy.pac>`_ to get the one offered by Start9 and save it somewhere you will not delete it. Remember where you save the file. For this example:
.. code-block::
C:\Program Files\Tor Browser\proxy.pac
#. Go to the right-hand hamburger menu and select ``Settings``:
.. figure:: /_static/images/tor/os_ff_settings.png
:width: 30%
:alt: Firefox options screenshot
#. Search for the term ``proxy`` in the search bar in the upper right and select ``Settings...``:
.. figure:: /_static/images/tor/firefox_search.png
:width: 60%
:alt: Firefox search screenshot
#. Select ``Automatic proxy configuration URL`` and paste in the path to your PAC file from earlier, prefixed with ``file://``. For example:
.. code-block::
file://C:/Program Files/Tor Browser/proxy.pac
#. Check the box labeled ``Proxy DNS when using SOCKS v5``:
.. figure:: /_static/images/tor/firefox_proxy.png
:width: 60%
:alt: Firefox proxy settings screenshot
#. Click ``OK`` and restart Firefox
#. Test that Firefox can resolve `.onion` URLs by visiting Start9's Tor website: http://privacy34kn4ez3y3nijweec6w4g54i3g54sdv7r5mr6soma3w4begyd.onion. If this does not work, go through this guide again, ensuring you followed every step, including the first which refers to another guide
#. You can now use the `.onion` URLs of your server and installed services

1
site/source/device-guides/windows/index.rst
View File

@@ -12,7 +12,6 @@ Recommended Guides
ca-windows
tor-windows
ff-windows
Other Useful Guides
-------------------

2
site/source/device-guides/windows/tor-windows.rst
View File

@@ -54,4 +54,4 @@ Running Tor on Windows
2. Uninstall the Tor Browser, following `these steps <https://tb-manual.torproject.org/uninstalling/>`_.
3. Begin this guide again from the beginning.
#. That's it! Your Windows computer is now setup to natively use Tor.
#. If using Firefox (recommended), complete :ref:`this final step <tor-ff>`

64
site/source/misc-guides/ca-ff.rst Normal file
View File

@@ -0,0 +1,64 @@
.. _ca-ff:
===========================================
Configuring Firefox to Respect Your Root CA
===========================================
.. tabs::
.. group-tab:: Mac/Windows
#. Open Firefox and enter ``about:config`` in the URL bar. Accept any warnings that appear
#. Search for ``security.enterprise_roots.enable``, set it to ``true``.
.. figure:: /_static/images/ssl/browser/enterprise_roots_enabled_true.png
:width: 80%
:alt: Firefox security settings
#. Restart Firefox
.. group-tab:: Debian/Ubuntu
This guide applies to Firefox, Firefox ESR, Librewolf, and Thunderbird. Mozilla apps need to be configured to use the certificate store of your device. To find out why Mozilla does this differently, you can read their `blog post <https://blog.mozilla.org/security/2019/02/14/why-does-mozilla-maintain-our-own-root-certificate-store/>`_ on the topic (TLDR: for security purposes).
#. Select the hamburger menu -> ``Settings``. Search for ``security devices`` and select ``Security Devices...``
.. figure:: /_static/images/ssl/linux/cert-trust-linux-firefox-p11kit-1.png
:width: 60%
:alt: Mozilla application p11kit trust #1
#. When the Device Manager dialog window opens, select ``Load``
.. figure:: /_static/images/ssl/linux/cert-trust-linux-firefox-p11kit-2.png
:width: 60%
:alt: Mozilla application p11kit trust #2
#. Give the Module Name a title such as "System CA Trust Module". For the Module filename, paste in ``/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so`` and hit ``OK``
.. figure:: /_static/images/ssl/linux/cert-trust-linux-firefox-p11kit-3.png
:width: 60%
:alt: Mozilla application p11kit trust #3
.. tip:: The path to p11-kit-trust.so will be slightly different if your processor's architecture is not x86_64.
#. Verify that the new module shows up on the left hand side and select ``OK`` at the bottom right:
.. figure:: /_static/images/ssl/linux/cert-trust-linux-firefox-p11kit-4.png
:width: 60%
:alt: Mozilla application p11kit trust #4
#. Restart Firefox
.. group-tab:: Arch/Garuda/CentOS/Fedora
No special steps are needed for Arch/Garuda/CentOS/Fedora.
.. group-tab:: Android
.. warning:: You must use `Firefox Beta <https://blog.mozilla.org/security/2019/02/14/why-does-mozilla-maintain-our-own-root-certificate-store/>`_ on Android. The regular Firefox app will not work.
#. Tap ``Kebab Menu > Settings > About Firefox`` and tap the Firefox icon 5 times to enable "developer mode"
#. Go back to ``Kebab Menu > Settings > Secret Settings`` (at the bottom), and tap ``Use third party CA certificates``

2
site/source/misc-guides/index.rst
View File

@@ -8,6 +8,8 @@ Guides that do not fit into the categories of "devices" or "services."
.. toctree::
:maxdepth: 1
ca-ff
tor-ff
attach-drive
transfer-data
upgrade-pi

180
site/source/misc-guides/tor-ff.rst Normal file
View File

@@ -0,0 +1,180 @@
.. _tor-ff:
===========================
Configuring Firefox for Tor
===========================
.. tabs::
.. group-tab:: Mac
#. Open Firefox and enter ``about:config`` in the URL bar. Accept any warnings that appear
#. Search for ``dom.securecontext.allowlist_onions`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_allowlist.png
:width: 60%
:alt: Firefox whitelist onions screenshot
#. Go to the right-hand hamburger menu and select ``Settings``:
.. figure:: /_static/images/tor/os_ff_settings.png
:width: 30%
:alt: Firefox options screenshot
#. Search for the term ``proxy`` in the search bar in the upper right and select ``Settings...``:
.. figure:: /_static/images/tor/firefox_search.png
:width: 60%
:alt: Firefox search screenshot
#. Check the option labeled ``Use System Proxy Settings`` *and* the box labeled ``Proxy DNS when using SOCKS v5``:
.. figure:: /_static/images/tor/firefox_proxy.png
:width: 60%
:alt: Firefox proxy settings screenshot
#. Click ``OK`` and restart Firefox
#. Test that Firefox can resolve `.onion` URLs by visiting Start9's Tor website: http://privacy34kn4ez3y3nijweec6w4g54i3g54sdv7r5mr6soma3w4begyd.onion.
.. group-tab:: Windows
#. Download the ``Proxy Auto Config`` file to inform Firefox how to resolve `.onion` URLs. Click `here <https://start9.com/assets/proxy.pac>`_ to get the one offered by Start9. Save it somewhere you will not delete it, and remember where you save it. For example:
.. code-block::
C:\Program Files\Tor Browser\proxy.pac
#. Open Firefox and enter ``about:config`` in the URL bar. Accept any warnings that appear
#. Search for ``dom.securecontext.allowlist_onions`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_allowlist.png
:width: 60%
:alt: Firefox whitelist onions screenshot
#. Go to the right-hand hamburger menu and select ``Settings``:
.. figure:: /_static/images/tor/os_ff_settings.png
:width: 30%
:alt: Firefox options screenshot
#. Search for the term ``proxy`` in the search bar in the upper right and select ``Settings...``:
.. figure:: /_static/images/tor/firefox_search.png
:width: 60%
:alt: Firefox search screenshot
#. Select ``Automatic proxy configuration URL`` and paste in the path to your PAC file from earlier, prefixed with ``file://``. For example:
.. code-block::
file://C:/Program Files/Tor Browser/proxy.pac
#. Check the box labeled ``Proxy DNS when using SOCKS v5``:
.. figure:: /_static/images/tor/firefox_proxy.png
:width: 60%
:alt: Firefox proxy settings screenshot
#. Click ``OK`` and restart Firefox
#. Test that Firefox can resolve `.onion` URLs by visiting Start9's Tor website: http://privacy34kn4ez3y3nijweec6w4g54i3g54sdv7r5mr6soma3w4begyd.onion.
.. group-tab:: Linux
#. Download the `Proxy Auto Config` file to inform Firefox how to resolve `.onion` URLs. You can get Start9's standard file from a terminal, by using:
.. code-block::
sudo wget -P ~/ https://start9.com/assets/proxy.pac
#. Open Firefox and enter ``about:config`` in the URL bar. Accept any warnings that appear
#. Search for ``dom.securecontext.allowlist_onions`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_allowlist.png
:width: 60%
:alt: Firefox whitelist onions screenshot
#. Determine the full path of `proxy.pac`, which we will use in step 9, by executing the following command in the terminal, and copying its output to your clipboard:
.. code-block::
echo file://$HOME/proxy.pac
#. Go to the right-hand hamburger menu and select ``Settings``:
.. figure:: /_static/images/tor/os_ff_settings.png
:width: 30%
:alt: Firefox options screenshot
#. Search for the term ``proxy`` in the search bar in the upper right and select ``Settings...``:
.. figure:: /_static/images/tor/firefox_search.png
:width: 60%
:alt: Firefox search screenshot
#. Select ``Automatic proxy configuration URL`` and paste the output from the command you performed in step 6. Be aware, the triple ``///`` is intentional, and your path *will* be different from the one below - namely, YOUR_LINUX_USERNAME will be your actual linux username:
.. code-block::
file:///home/YOUR_LINUX_USERNAME/proxy.pac
.. figure:: /_static/images/tor/firefox_proxy_linux.png
:width: 60%
:alt: Firefox proxy settings screenshot
#. Check the box labeled ``Proxy DNS when using SOCKS v5`` in the image above
#. Click ``OK`` and restart Firefox
#. Test that Firefox can resolve `.onion` URLs by visiting Start9's Tor website: http://privacy34kn4ez3y3nijweec6w4g54i3g54sdv7r5mr6soma3w4begyd.onion.
.. group-tab:: Android
#. Download the `Proxy Auto Config` file to inform Firefox how to resolve `.onion` URLs. We have one hosted `here <https://start9.com/assets/proxy.pac>`_
#. Open Firefox and enter ``about:config`` in the URL bar. Accept any warnings that appear
#. Search for ``dom.securecontext.allowlist_onions`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_allowlist.png
:width: 60%
:alt: Firefox whitelist onions screenshot
#. Search for ``network.proxy.autoconfig_url``, and set the value to ``file:///storage/emulated/0/Download/proxy.pac``. This is the default location of a the proxy.pac file downloaded in step 2, although your path may vary:
.. figure:: /_static/images/tor/autoconfig_url.png
:width: 30%
:alt: Firefox autoconfig url setting screenshot
#. Search for ``network.proxy.type`` into the search bar, and set the value to ``2``:
.. figure:: /_static/images/tor/network_proxy_type.png
:width: 30%
:alt: Firefox network proxy type setting screenshot
#. Search for ``network.proxy.socks_remote_dns``, and set the value to ``true``:
.. figure:: /_static/images/tor/socks_remote_dns.png
:width: 30%
:alt: Firefox socks remote dns setting screenshot
#. Search for ``dom.securecontext.allowlist_onions`` and set the value to ``true``:
.. figure:: /_static/images/tor/firefox_allowlist_mobile.png
:width: 30%
:alt: Firefox whitelist onions screenshot
#. Search for ``network.http.referer.hideOnionsSource`` and set the value to ``true``
#. (**GrapheneOS users only**): Head to ``Settings -> Apps -> Firefox Beta -> Permissions -> Photos and videos -> Configure Storage Scopes -> ADD FILE``, then navigate to where you placed the proxy.pac file:
.. figure:: /_static/images/tor/storage-scopes-proxy.jpg
:width: 15%
#. Restart Firefox
#. Test that Firefox can resolve `.onion` URLs by visiting Start9's Tor website: http://privacy34kn4ez3y3nijweec6w4g54i3g54sdv7r5mr6soma3w4begyd.onion.

2
site/source/service-guides/lightning/alby-cln.rst
View File

@@ -10,7 +10,7 @@ If you'd like to connect via `LNbits <https://marketplace.start9.com/marketplace
.. note:: We are going to connect using Tor so that Alby will be able to connect from anywhere.
#. Make sure you are already :ref:`running Tor<connecting-tor>` on your system and we suggest using Firefox which must be :ref:`configured to use Tor.<configuring-ff>`
#. Make sure you are already :ref:`running Tor<connecting-tor>` on your system and we suggest using Firefox which must be :ref:`configured to use Tor.<tor-ff>`
#. Download the Alby extension by visiting the `Alby Github <https://github.com/getAlby/lightning-browser-extension#installation>`_, selecting your browser, and installing.
#. On the Alby welcome screen, select **Get Started**.

4
site/source/service-guides/lightning/alby-lnbits.rst
View File

@@ -9,7 +9,7 @@ Alby
Alby is a browser extension that can be connected to your lightning node a number of ways. This guide will go over connecting via LNbits which allows allocation of funds.
Make sure you are already :ref:`running Tor<connecting-tor>` on your system and we suggest using Firefox which must be :ref:`configured to use Tor.<configuring-ff>`
Make sure you are already :ref:`running Tor<connecting-tor>` on your system and we suggest using Firefox which must be :ref:`configured to use Tor.<tor-ff>`
#. Download the Alby extension by visiting the `Alby Github <https://github.com/getAlby/lightning-browser-extension#installation>`_, selecting your browser, and installing.
#. On the Alby welcome screen, select **Get Started**.
@@ -66,7 +66,7 @@ Make sure you are already :ref:`running Tor<connecting-tor>` on your system and
:width: 45%
:alt: alby-lnbits-fields-complete
.. tip:: Make sure to include the http:// at the start of the address. If it is not working make sure that you are already :ref:`running Tor<connecting-tor>` on your system and that your browser is :ref:`configured to use Tor.<configuring-ff>`
.. tip:: Make sure to include the http:// at the start of the address. If it is not working make sure that you are properly :ref:`configured Tor<connecting-tor>` on your system.
#. Once connected you should see the following success page:

4
site/source/service-guides/lightning/alby-lnd.rst
View File

@@ -10,7 +10,7 @@ If you'd like to connect via `LNbits <https://marketplace.start9.com/marketplace
.. note:: We are going to connect using Tor so that Alby will be able to connect from anywhere.
#. Make sure you are already :ref:`running Tor<connecting-tor>` on your system and we suggest using Firefox which must be :ref:`configured to use Tor.<configuring-ff>`
#. Make sure you are already :ref:`running Tor<connecting-tor>` on your system and we suggest using Firefox which must be :ref:`configured to use Tor.<tor-ff>`
#. Download the Alby extension by visiting the `Alby Github <https://github.com/getAlby/lightning-browser-extension#installation>`_, selecting your browser, and installing.
#. On the Alby welcome screen, select **Get Started**.
@@ -39,7 +39,7 @@ If you'd like to connect via `LNbits <https://marketplace.start9.com/marketplace
:width: 50%
:alt: alby-lnd-rest-entered
.. note:: If this does not work, please ensure that :ref:`Tor is running on your system<connecting-tor>` and that :ref:`Firefox is configured to use it.<configuring-ff>` If you can't get this to work it's OK to use the Companion App - but you will have a better experience with your Start9 server elsewhere if you take the time to get Tor running on your devices.
.. note:: If this does not work, please ensure that :ref:`Tor is running on your system<connecting-tor>` and that :ref:`Firefox is configured to use it.<tor-ff>` If you can't get this to work it's OK to use the Companion App - but you will have a better experience with your Start9 server elsewhere if you take the time to get Tor running on your devices.
#. Once connection is completed you will see a success page that displays the balance of your LND node in Sats.

2
site/source/service-guides/lightning/connecting-lnbits.rst
View File

@@ -21,7 +21,7 @@ If you are looking to connect the `Alby <https://github.com/getAlby/lightning-br
Setting up LNbits
-----------------
.. note:: You will need a Tor enabled browser. We suggest using Firefox which will need to have been setup to use Tor - if you have yet to do this please see our guide :ref:`here<configuring-ff>`. This also requires having :ref:`native tor setup<connecting-tor>`.
.. note:: You will need a Tor enabled browser This also requires having :ref:`native tor setup<connecting-tor>`.
#. Start by ensuring that you have LNbits installed already as well as LND or Core Lightning (CLN). You also need your lightning node to have at least one channel set up otherwise payments will not work. If you have not set up a channel yet, please follow :ref:`this guide<lightning-intro>`.

2
site/source/service-guides/vaultwarden/bitwarden-client-setup.rst
View File

@@ -15,7 +15,7 @@ Browser Extension
If connecting via Tor (i.e using the .onion address) the Bitwarden browser extension will only work with a Tor enabled browser. You can use Firefox (recommended), Tor Browser or Brave Browser.
#. If you choose Firefox, you will need to :ref:`setup Tor on your device <connecting-tor>` and :ref:`configure Firefox to use Tor <configuring-ff>`. If using Brave you will just need to :ref:`setup Tor on your device <connecting-tor>`. With Tor Browser, everything will just work right out of the box.
#. If you choose Firefox, you will need to :ref:`follow this guide <connecting-tor>` to run Tor on your device and configure Firefox to use it. If using Brave you will just need to :ref:`setup Tor on your device <connecting-tor>`. With Tor Browser, everything will just work right out of the box.
.. tip:: We recommend using Firefox as it is the most compatible browser with Start9 Servers.

2
site/source/support/common-issues.rst
View File

@@ -44,7 +44,7 @@ I am unable to reach my server via its xxxxxxxxxxxxxxxxxx.onion (Tor) address
#. **Solutions**
#. If you are not yet running a Tor daemon on your device, follow :ref:`these instructions <connecting-tor>`. If you are already running a Tor daemon, restart it, or in the case of Android, restart your phone.
#. If you are using Firefox, ensure it has been :ref:`properly configured <configuring-ff>` to work with .onion URLs.
#. If you are using Firefox, ensure it has been :ref:`properly configured <tor-ff>` to work with .onion URLs.
#. **If Tor Browser does not work** - It means there is an issue with your server or with the Tor network.

15
site/source/user-manual/configuring-ff.rst
View File

@@ -1,15 +0,0 @@
.. _configuring-ff:
===================
Configuring Firefox
===================
Firefox is the only browser that can be configured to access both LAN (`.local`) and Tor (`.onion`) URLs, including extensions, without affecting normal browser functionality. We highly recommend using Firefox for connecting to your server and its installed services.
.. note:: For iOS, we recommend using Safari instead of Firefox. That is because on iOS, all browsers must use Safari under the hood, so it is preferable not to stack unnecessary software on top of it.
Select your OS:
- :ref:`Linux <ff-linux>`
- :ref:`Mac <ff-mac>`
- :ref:`Windows <ff-windows>`
- :ref:`Android (Firefox Beta) <ff-android>`

15
site/source/user-manual/connecting-lan.rst
View File

@@ -5,21 +5,10 @@ Connecting Locally
==================
When connected to the same Local Area Network (LAN) as your server, you can use its `.local` URLs for fast and secure connections.
All clients
-----------
#. Ensure you have properly :ref:`downloaded and trusted your Root CA<trust-ca>`, including configuring Firefox if you are using it (recommended).
#. Ensure your client device (phone/laptop) is connected to the same Local Area Network (LAN) as your server. This usually means your server and your client device are using the same router, either by ethernet or WiFi
#. Follow instructions to :ref:`trust your server's Root CA<trust-ca>`
If using Firefox (recommended)
------------------------------
#. Complete the "Local" portion for your OS. Use Safari for iOS.
- :ref:`Linux <ff-linux>`
- :ref:`Mac <ff-mac>`
- :ref:`Windows <ff-windows>`
- :ref:`Android <ff-android>`
.. _connecting-lan-windows:
Windows only

25
site/source/user-manual/connecting-tor.rst
View File

@@ -3,13 +3,14 @@
===================
Connecting Remotely
===================
You can connect to your server and installed services from anywhere in the world, privately and anonymously, by using their unique Tor (`.onion`) URLs
You can connect to your server and installed services from anywhere in the world, privately and anonymously, by using their unique Tor (`.onion`) URLs.
It is not currently supported to access your server and its installed services using a VPN. This functionality is coming in the next major release of StartOS.
.. note:: It is normal for Tor connections to be slow or unreliable at times
Running Tor on Your Phone/Computer (Recommended)
------------------------------------------------
Select your OS:
- :ref:`Linux <tor-linux>`
- :ref:`Mac <tor-mac>`
@@ -17,25 +18,9 @@ Select your OS:
- :ref:`Android <tor-android>`
- :ref:`iOS <tor-ios>`
Using Firefox (recommended)
------------------------------
#. Complete the "Tor" portion for your OS. Use Safari for iOS
- :ref:`Linux <ff-linux>`
- :ref:`Mac <ff-mac>`
- :ref:`Windows <ff-windows>`
- :ref:`Android <ff-android>`
Using the Tor Browser
---------------------
Using the official Tor Browser allows you to access `.onion` URLs without additional configuration. However, accessing clearnet (`.com`, `.org`, ect) websites will also be routed over Tor, making them slower, and `.local` URLs cannot be accessed at all.
Linux, Mac, Windows, Android
............................
`Download Tor Browser <https://torproject.org/download/>`_
iOS
...
iOS lacks a well-functioning Tor Browser.
#. Linux, Mac, Windows, Android: `Download Tor Browser <https://torproject.org/download/>`_
#. iOS: lacks a well-functioning Tor Browser. We recommend following the guide above.

1
site/source/user-manual/index.rst
View File

@@ -10,7 +10,6 @@ User Manual
initial-setup
trust-ca
configuring-ff
connecting-lan
connecting-tor
dashboard-overview

13
site/source/user-manual/initial-setup.rst
View File

@@ -9,17 +9,16 @@ Initial Setup
Starting Fresh
--------------
#. If using Firefox (*recommended*) to connect to your server, you must complete the "Local" portion for your OS:
#. If using Firefox to connect to your server (recommended), complete this short guide for your OS:
- :ref:`Linux <ff-linux>`
- :ref:`Mac <ff-mac>`
- :ref:`Windows <ff-windows>`
- :ref:`Android <ff-android>`
.. note:: Start9 recommends Firefox because it is the only browser that can be configured to access both LAN (`.local`) and Tor (`.onion`) URLs, including through browser extensions, without affecting normal browser functionality. For iOS, all browsers actually use Safari under the hood, so it is preferable not to stack unnecessary software on top of it. Just use Safari.
- :ref:`Mac/Windows/Linux/Android<ca-ff>`
- iOS (use Safari)
#. Connect your server to power and Ethernet
#. From a client device (desktop/laptop/phone), open a browser (Firefox recommended) and visit ``http://start.local``. Your client device must be connected to the same Local Area Network (LAN) as your server. This usually means they are using the same router, either by ethernet or WiFi
#. From your client device (desktop/laptop/phone), open a browser (Firefox recommended) and visit ``http://start.local``. Your client device must be connected to the same Local Area Network (LAN) as your server. This usually means they are using the same router, either by ethernet or WiFi
.. note:: If you are `not` using a Raspberry Pi, you can also plug a monitor and keyboard into the server. This is known as "Kiosk mode".
@@ -43,7 +42,7 @@ If you are experiencing issues with setup, try the following:
#. Confirm that the server is plugged into both power `and` Ethernet
#. Confirm your phone/computer is `not` connected to a "Guest" network
#. If using Firefox (recommended) from Mac, Windows or Android, ensure you have set ``security.enterprise_roots.enable`` to ``true`` in ``about:config`` per the :ref:`instructions<configuring-ff>`
#. If using Firefox (recommended) from Mac, Windows or Android, ensure you have set ``security.enterprise_roots.enable`` to ``true`` in ``about:config`` per the :ref:`instructions<ca-ff>`
#. Confirm your phone/computer is not using a VPN, or that if you are, that it allows LAN connections, such as the examples below:
- Mullvad - Go to "Settings -> VPN Settings -> Local Network Sharing"

11
site/source/user-manual/trust-ca.rst
View File

@@ -3,16 +3,9 @@
=====================
Trusting Your Root CA
=====================
Download and trust your server's Root Certificate Authority (Root CA) to establish a secure (HTTPS) connection with your server, and to enhance speeds over Tor.
.. warning:: If using Firefox (recommended), ensure you have completed the "Local" portion for your OS:
:ref:`Linux <ff-linux>`,
:ref:`Mac <ff-mac>`,
:ref:`Windows <ff-windows>`,
:ref:`Android <ff-android>`
.. _download-root-ca:
.. _root-ca-download:
1. Downloading
==============
@@ -50,7 +43,7 @@ You can find your server's Root CA inside the StartOS dashboard.
:width: 40%
:alt: LAN setup menu item
.. _trust-root-ca:
.. _root-ca-trust:
2. Trusting
===========

2
sphinx-scylladb-theme

Submodule sphinx-scylladb-theme updated: 0f3fdbae47...ee0c552437