This guide follows the Mastodon documentation.

Install Tor

Follow the Tor installation guide.

Configure Tor

Edit `/etc/tor/torrc` and uncomment the following two lines:

```
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
```

Then restart Tor: `sudo service tor restart`

Your Tor address is in the file `/var/lib/tor/hidden_service/hostname`.

Configure nginx

Before Tor is configured, your nginx configuration file probably looks like this (if you followed the official Misskey documentation):

```
# For WebSocket
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache1:16m max_size=1g inactive=720m use_temp_path=off;

server {
    listen 80;
    listen [::]:80;
    server_name m.isle.moe;

    access_log /var/log/nginx/m.isle.moe.access.log;

    # For SSL domain validation
    root /var/www/html;
    location /.well-known/acme-challenge/ { allow all; }
    location /.well-known/pki-validation/ { allow all; }
    location / { return 301 https://$server_name$request_uri; }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name m.isle.moe;

    access_log /var/log/nginx/m.isle.moe.access.log;

    ssl_session_timeout 1d;
    ssl_session_cache shared:ssl_session_cache:10m;
    ssl_session_tickets off;

    # SSL
    ssl_certificate     /etc/nginx/certs/m.isle.moe/cert.pem;
    ssl_certificate_key /etc/nginx/certs/m.isle.moe/key.pem;

    # SSL protocol settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Change to your upload limit
    client_max_body_size 80m;

    # Proxy to Node
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_redirect off;

        # If it's behind another reverse proxy or CDN, remove the following.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # For WebSocket
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Cache settings
        proxy_cache cache1;
        proxy_cache_lock on;
        proxy_cache_use_stale updating;
        proxy_force_ranges on;
        add_header X-Cache $upstream_cache_status;
    }
}
```

Now create a separate configuration file, `/etc/nginx/sites-available/misskey-base.conf`, and copy into it everything from the port 443 server block of the original configuration file except the SSL-related settings:

```
access_log /var/log/nginx/m.isle.moe.access.log;

# Change to your upload limit
client_max_body_size 80m;

# Proxy to Node
location / {
    proxy_pass http://127.0.0.1:3000;
    proxy_set_header Host $host;
    proxy_http_version 1.1;
    proxy_redirect off;

    # If it's behind another reverse proxy or CDN, remove the following.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    # For WebSocket
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    # Cache settings
    proxy_cache cache1;
    proxy_cache_lock on;
    proxy_cache_use_stale updating;
    add_header X-Cache $upstream_cache_status;
}
```

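Then delete that content from the port 443 server block of the original configuration file and add `include /etc/nginx/sites-available/misskey-base.conf;` in its place to pull in the `misskey-base.conf` file just created. The Tor server block created next needs the same settings, so extracting them avoids duplicating the configuration.
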
Next, add a server block for Tor to the original configuration file:

```
# Tor
server {
    listen 80;
    listen [::]:80;
    server_name isle.6f5tqc7v2fgvwxanzibkj2nhwpva43h2qltoxetprfxqu6h6pdnwelad.onion;

    include /etc/nginx/sites-available/misskey-base.conf;
}
```

This block also includes the extracted configuration file; its `server_name` is a custom prefix followed by the onion domain.

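If you test the configuration at this point, nginx reports the error `nginx: [emerg] could not build the server_names_hash, you should increase server_names_hash_bucket_size: 64`. This happens because the onion domain is too long, so the nginx configuration has to be changed.
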
Edit `/etc/nginx/nginx.conf`, uncomment `server_names_hash_bucket_size 64;` and change 64 to 128 (yes, 64 is not enough).

Restart the nginx service so the new configuration takes effect: `sudo systemctl restart nginx`

Misskey should now be reachable over Tor.
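
The Tor server block in this guide listens on port 80 on every interface, so the onion virtual host is also served on the machine's public address to any request carrying that Host header. The following is an added example, not part of the original post: the same block bound to loopback only, which is all Tor needs given `HiddenServicePort 80 127.0.0.1:80`. It assumes no other server block listens on 127.0.0.1:80.

```nginx
# Added example (not from the original post): onion vhost on loopback only.
#
# Form used in the guide, reachable on all interfaces:
#     listen 80;
#     listen [::]:80;
#
# Tor hands hidden-service traffic to 127.0.0.1:80 (see torrc:
# HiddenServicePort 80 127.0.0.1:80), so that is the only address
# this server block has to accept connections on.
server {
    listen 127.0.0.1:80;

    # nginx selects a server block by address:port first and by server_name
    # second. Assumption: this is the only block on 127.0.0.1:80, so it also
    # becomes the default server for that address, while requests arriving
    # on the public address keep matching the m.isle.moe blocks.
    server_name isle.6f5tqc7v2fgvwxanzibkj2nhwpva43h2qltoxetprfxqu6h6pdnwelad.onion;

    # Shared proxy settings extracted earlier in the guide.
    include /etc/nginx/sites-available/misskey-base.conf;
}
```

Run `sudo nginx -t` before restarting to confirm the configuration still parses with the changed `listen` line.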