Wiki Miss offer Secure Connection while the connection over Onion

When you go to wiki login on onion:

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/w/index.php?title=Special:UserLogin&returnto=Documentation

you will find “Use secure connection” with URL:

https://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/w/index.php?title=Special:UserLogin&returnto=Documentation&error=

It considers an onion served over http without TLS to be an insecure connection, and thus offers an https connection to the onion URL, which won't work.


Confirmed. Mediawiki thinks the connection is insecure since it does not have an internal concept of onion traffic. I am now sending the http request header X-Forwarded-Proto: https for onion to let mediawiki know that it’s a secure connection.

reference:

That mediawiki feature does not make much sense anymore nowadays since a sane website is all https (or onion) and not just for login.

Should now be fixed.


When you search in the wiki it will add TLS to the http onion, e.g.:

go to:

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Documentation

search for stream isolation, it will redirect to:

https://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Stream_Isolation

thus the URL won't work.


Alright. Then my workaround won’t work. Reverted.

Could you please file a bug report against mediawiki for deprecating that feature, or a feature request for adding onion support? Whichever seems more likely?


On IRC I have been told:

<Vulpix> https://phabricator.wikimedia.org/T225728#5259666
<Vulpix> If you're able to set the X-Forwarded-Proto header, that should work for you
<Vulpix> (that header should be on requests arriving to MediaWiki)

I showed him this issue:

and he said:

<Vulpix> Well, I'm pretty sure MediaWiki won't give you the choice to use "secure connection" unless there's some setting that tells MediaWiki https is available
<Vulpix> The problem may be that you've set https:  somewhere in your LocalSettings.php
<Vulpix> Get rid of it

Hope it can be useful.

About registration, well, I can't register in mediawiki because they want a real IP, as they block Tor.


I doubt this is fixable with reasonable effort. We’re already doing the “impossible”, something not really popular, that is using mediawiki with the same database on two different domains, a clearnet and an onion domain, which was a lot of effort to figure out since it’s not really documented.

That may be doable when using a wiki with onion only.

The only thing I find is $wgCanonicalServer which is set to $wgCanonicalServer = 'https://www.whonix.org'; on the onion.

But changing that to onion would break other things.

https://www.mediawiki.org/wiki/Manual:$wgCanonicalServer

languages/i18n/en.json: “userlogin-signwithsecure”: “Use secure connection”,

userlogin-signwithsecure

https://doc.wikimedia.org/mediawiki-core/master/php/LoginSignupSpecialPage_8php_source.html

includes/specialpage/LoginSignupSpecialPage.php

            if ( $this->mSecureLoginUrl ) {
                    $secureLoginLink = Html::element( 'a', [
                            'href' => $this->mSecureLoginUrl,
                            'class' => 'mw-ui-flush-right mw-secure',
                    ], $this->msg( 'userlogin-signwithsecure' )->text() );
            }

I guess to avoid userlogin-signwithsecure being injected into the html we would need to influence the contents of variable mSecureLoginUrl.

https://doc.wikimedia.org/mediawiki-core/master/php/LoginSignupSpecialPage_8php_source.html

includes/specialpage/LoginSignupSpecialPage.php

                // If logging in and not on HTTPS, either redirect to it or offer a link.
                global $wgSecureLogin;
                if ( $this->getRequest()->getProtocol() !== 'https' ) {
                        $title = $this->getFullTitle();
                        $query = $this->getPreservedParams( false ) + [
                                        'title' => null,
                                        ( $this->mEntryErrorType === 'error' ? 'error'
                                                : 'warning' ) => $this->mEntryError,
                                ] + $this->getRequest()->getQueryValues();
                        $url = $title->getFullURL( $query, false, PROTO_HTTPS );
                        if ( $wgSecureLogin && !$this->mFromHTTP &&
                                 wfCanIPUseHTTPS( $this->getRequest()->getIP() )
                        ) {
                                // Avoid infinite redirect
                                $url = wfAppendQuery( $url, 'fromhttp=1' );
                                $this->getOutput()->redirect( $url );
                                // Since we only do this redir to change proto, always vary
                                $this->getOutput()->addVaryHeader( 'X-Forwarded-Proto' );

                                return;
                        } else {
                                // A wiki without HTTPS login support should set $wgServer to
                                // http://somehost, in which case the secure URL generated
                                // above won't actually start with https://
                                if ( substr( $url, 0, 8 ) === 'https://' ) {
                                        $this->mSecureLoginUrl = $url;
                                }
                        }
                }

Changed:

$wgServer = '//www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion';

To:

$wgServer = 'http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion';

This is now gone on onion. Please try now.
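A small model of the decision in the LoginSignupSpecialPage snippet quoted above, written here as an added example (Python, not MediaWiki's own code). It assumes, after the behaviour of wfExpandUrl(), that a requested protocol (PROTO_HTTPS or PROTO_CURRENT) is only substituted into a protocol-relative "//host" $wgServer, while a $wgServer that already carries "http://" keeps that scheme; it shows why the X-Forwarded-Proto workaround broke search redirects and why the explicit http:// $wgServer removes the link.

```python
# Added example: models the "offer a secure login link" decision and the
# search redirect for the three configurations discussed in this thread.
# Assumption (after wfExpandUrl): only a protocol-relative $wgServer takes
# the requested protocol; an absolute "http://..." server keeps its scheme.
from typing import Optional

ONION = "www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion"
LOGIN_PATH = "/w/index.php?title=Special:UserLogin"


def expand_url(wg_server: str, path: str, proto: str) -> str:
    """Mimic wfExpandUrl(): only a protocol-relative server gets `proto`."""
    if wg_server.startswith("//"):
        return f"{proto}:{wg_server}{path}"
    return wg_server + path


def secure_login_url(wg_server: str, request_proto: str) -> Optional[str]:
    """What would land in $this->mSecureLoginUrl (the 'offer a link' branch).

    request_proto is what getProtocol() returns: the real scheme, or the
    value injected via X-Forwarded-Proto. None means no link is offered.
    """
    if request_proto == "https":
        return None  # already "on HTTPS": the whole block is skipped
    url = expand_url(wg_server, LOGIN_PATH, "https")  # PROTO_HTTPS
    return url if url.startswith("https://") else None


def search_redirect_url(wg_server: str, request_proto: str, page: str) -> str:
    """Where a Special:Search hit redirects: getFullURL() with PROTO_CURRENT,
    which follows the (possibly forwarded) request protocol."""
    return expand_url(wg_server, "/wiki/" + page, request_proto)


if __name__ == "__main__":
    # 1) Original config: protocol-relative $wgServer, plain-http onion request
    print(secure_login_url("//" + ONION, "http"))  # -> https://...onion/... link
    # 2) X-Forwarded-Proto: https workaround: link gone, but search now
    #    redirects to an https onion URL, which is unreachable
    print(secure_login_url("//" + ONION, "https"))  # -> None
    print(search_redirect_url("//" + ONION, "https", "Stream_Isolation"))
    # 3) Final fix: explicit http:// scheme in $wgServer
    print(secure_login_url("http://" + ONION, "http"))  # -> None
    print(search_redirect_url("http://" + ONION, "http", "Stream_Isolation"))
```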

Yes, now I think everything is working fine. Good job!


I showed him this issue:
Wiki Miss offer Secure Connection while the connection over Onion - #3 by nurmagoz

Well, I’m pretty sure MediaWiki won’t give you the choice to
use “secure connection” unless there’s some setting that tells MediaWiki
https is available

About registration, well, I can't register in mediawiki because they want a real IP, as they block Tor.

Just guessing: maybe what they really want is just a longer-lasting IP, such as when you set:

OutboundBindAddressExit

in your torrc.

I think I needed that too, in different circumstances. However, that might need some longer time of learning to find out which nodes offer a TLS exit that you can also trust. [*]

I never managed to do that yet… But I know the people of Onionmail [**] are able to do it, because if you create an account with them via a node they don’t trust, you get “relay not allowed”, and you’re dropped.

[*] I gave a link somewhere in a topic here on the whonix forums; it must be a topic with the words “download” “tor” via “onion”, and there is talk about vanguards in there too, and I mention Mike Perry. The link I gave is about Nusenu’s work published on media.com if I remember correctly; I mean there are a huge lot of bad nodes…

[**] onionmail.info IIRC