When you go to wiki login on onion:
you will find “Use secure connection” with URL:
It considers onion with http without TLS as not a secure connection, thus offering an https connection to the onion URL, which won't work.
Confirmed. Mediawiki thinks the connection is insecure since it does not have internal concepts of onion traffic. I am now sending http request X-Forwarded-Proto: https for onion to let mediawiki know that it's a secure connection.
reference:
That mediawiki feature does not make much sense anymore nowadays since a sane website is all https (or onion) and not just for login.
Should now be fixed.
When you search in the wiki it will add TLS to the http onion, e.g.:
go to:
http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Documentation
search for stream isolation, it will redirect to:
https://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Stream_Isolation
thus the URL won't work
Patrick via Whonix Forum:
Alright. Then my workaround won’t work. Reverted.
Could you please file a bug report against mediawiki deprecating that feature, or a feature request adding onion support? Whatever seems more likely?
On IRC I have been told:
<Vulpix> https://phabricator.wikimedia.org/T225728#5259666
<Vulpix> If you're able to set the X-Forwarded-Proto header, that should
work for you
<Vulpix> (that header should be on requests arriving to MediaWiki)
I showed him this issue:
and said:
<Vulpix> Well, I'm pretty sure MediaWiki won't give you the choice to
use "secure connection" unless there's some setting that tells MediaWiki
https is available
<Vulpix> The problem may be that you've set https: somewhere in your
LocalSettings.php
<Vulpix> Get rid of it
Hope it can be useful.
About registration: well, I can't register in mediawiki because they want a real IP, as they block Tor.
I doubt this is fixable with reasonable effort. We’re already doing the “impossible”, something not really popular, that is using mediawiki with the same database on two different domains, a clearnet and onion domain, which was a lot of effort to figure out since it’s not really documented.
That may be doable when using a wiki with onion only.
The only thing I find is $wgCanonicalServer, which is set to $wgCanonicalServer = 'https://www.whonix.org'; on the onion.
But changing that to onion would break other things.
languages/i18n/en.json: "userlogin-signwithsecure": "Use secure connection",
userlogin-signwithsecure
https://doc.wikimedia.org/mediawiki-core/master/php/LoginSignupSpecialPage_8php_source.html
includes/specialpage/LoginSignupSpecialPage.php
    if ( $this->mSecureLoginUrl ) {
        $secureLoginLink = Html::element( 'a', [
            'href' => $this->mSecureLoginUrl,
            'class' => 'mw-ui-flush-right mw-secure',
        ], $this->msg( 'userlogin-signwithsecure' )->text() );
    }
I guess to avoid userlogin-signwithsecure being injected into the html we would need to influence the contents of variable mSecureLoginUrl.
https://doc.wikimedia.org/mediawiki-core/master/php/LoginSignupSpecialPage_8php_source.html
includes/specialpage/LoginSignupSpecialPage.php
    // If logging in and not on HTTPS, either redirect to it or offer a link.
    global $wgSecureLogin;
    if ( $this->getRequest()->getProtocol() !== 'https' ) {
        $title = $this->getFullTitle();
        $query = $this->getPreservedParams( false ) + [
            'title' => null,
            ( $this->mEntryErrorType === 'error' ? 'error'
                : 'warning' ) => $this->mEntryError,
        ] + $this->getRequest()->getQueryValues();
        $url = $title->getFullURL( $query, false, PROTO_HTTPS );
        if ( $wgSecureLogin && !$this->mFromHTTP &&
            wfCanIPUseHTTPS( $this->getRequest()->getIP() )
        ) {
            // Avoid infinite redirect
            $url = wfAppendQuery( $url, 'fromhttp=1' );
            $this->getOutput()->redirect( $url );
            // Since we only do this redir to change proto, always vary
            $this->getOutput()->addVaryHeader( 'X-Forwarded-Proto' );
            return;
        } else {
            // A wiki without HTTPS login support should set $wgServer to
            // http://somehost, in which case the secure URL generated
            // above won't actually start with https://
            if ( substr( $url, 0, 8 ) === 'https://' ) {
                $this->mSecureLoginUrl = $url;
            }
        }
    }
Changed:
$wgServer = '//www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion';
To:
$wgServer = 'http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion';
This is now gone on onion. Please try now.
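Added example (not from the thread and not MediaWiki's own code): a simplified, stand-alone PHP model of the logic quoted above, showing why a protocol-relative $wgServer yields the "Use secure connection" link on a plain-http onion request while an explicit http:// value does not. The helper names, the rule used to expand a protocol-relative server, and the hostname are assumptions made for illustration.

```php
<?php
// Added illustration: a simplified model, not MediaWiki's implementation.
// Assumption: a protocol-relative server ("//host") takes whatever protocol
// the caller asks for, while a server with an explicit scheme keeps its own.

const MODEL_PROTO_HTTPS = 'https:';

/** Hypothetical helper: build a full URL from a $wgServer-style value. */
function modelFullUrl(string $server, string $path, string $proto): string {
    if (strncmp($server, '//', 2) === 0) {
        return $proto . $server . $path;   // "//host" becomes "https://host"
    }
    return $server . $path;                // "http://host" stays http
}

/**
 * Hypothetical helper mirroring the else-branch quoted above: the link
 * target is kept only when the request is not seen as HTTPS and the
 * generated URL really starts with https://.
 */
function modelSecureLoginUrl(string $server, string $requestProto): ?string {
    if ($requestProto === 'https') {
        return null;                       // already "secure", nothing to offer
    }
    $url = modelFullUrl($server, '/wiki/Special:UserLogin', MODEL_PROTO_HTTPS);
    return substr($url, 0, 8) === 'https://' ? $url : null;
}

$host = 'www.exampleplaceholder.onion';    // constructed hostname
$cases = [
    // $wgServer value, protocol the wiki believes the request used
    'protocol-relative, request seen as http'  => ["//$host", 'http'],
    'explicit http://, request seen as http'   => ["http://$host", 'http'],
    // the effect the thread first sought by sending X-Forwarded-Proto: https
    'protocol-relative, request seen as https' => ["//$host", 'https'],
];

foreach ($cases as $label => [$server, $proto]) {
    $link = modelSecureLoginUrl($server, $proto);
    printf("%-42s => %s\n", $label, $link ?? '(no "Use secure connection" link)');
}
```

Only the first case produces an https:// onion link; the second matches the $wgServer change reported above.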
Yes, now I think everything is working fine. Good job!
Patrick via Whonix Forum:
…
i showed him this issue:
Wiki Miss offer Secure Connection while the connection over Onion - #3 by nurmagoz
…
Well, I’m pretty sure MediaWiki won’t give you the choice to
use “secure connection” unless there’s some setting that tells MediaWiki
https is available
…
About registration: well, I can't register in mediawiki because they want a real IP, as they block Tor.
Just guessing: maybe what they really want is just a longer-lasting IP, such as when you set OutboundBindAddressExit in your torrc.
I think I needed that too, in different circumstances. However, that might be some longer time learning needed to find out what nodes offer TLS exit, that you can also trust. [*]
I never made it to do that yet… But I know people of Onionmail [**] are able to do it, because if you create account with them with a node they don’t trust, you get “relay not allowed”, and you’re dropped.
[*] I gave a link somewhere in a topic here on whonix forums, must be a topic with the words “download” “tor” via “onion”, and talk about vanguards is there too, and I mention Mike Perry. The link I gave is about Nusenu’s work published on media.com if I remember correctly, I mean there’s bad nodes a huge lot…
[**] onionmail.info IIRC