Tips & Tricks¶
Using Tor Browser with the Development Environment¶
Since Tor Browser is based on an older version of Firefox (usually the current ESR release), it does not always render HTML/CSS the same as other browsers (especially more recent versions of browsers). Therefore, we recommend testing all changes to the web application in the Tor Browser instead of whatever browser you normally use for web development. Unfortunately, it is not possible to access the local development servers by default, due to Tor Browser’s proxy configuration.
To test the development environment in Tor Browser, you need to modify Tor Browser’s default settings to prevent localhost from being resolved by the proxy:
- In a new tab, navigate to
- Click “I accept the Risk!”
- In the search bar, enter
- The default value is true. Double-click to set it to false.
Now you should be able to navigate to
in Tor Browser. For some reason, you have to use
The modified value persists across restarts of Tor Browser.
Upgrading or Adding Python Dependencies¶
We use a pip-compile
based workflow for adding Python dependencies. If you would like to add a Python
dependency, instead of editing the
Edit the relevant
Use the following shell script to generate
Commit both the
Connecting to VMs via SSH Over Tor¶
You will need to install a specific variant of the
in order to support the
-x option for specifying a proxy host.
macOS already runs the OpenBSD variant by default.
sudo apt-get install netcat-openbsd
netcat-openbsd and appending the Tor config options
to your local torrc, you can export the environment variable
SECUREDROP_SSH_OVER_TOR=1 in order to use
vagrant ssh to access the
staging or prod instances over Tor. Here is an example of how that works:
$ vagrant up --provision /prod/ # restricts SSH to Tor after final reboot $ vagrant ssh-config app-prod # will show incorrect info due to lack of env var Host app-prod HostName 127.0.0.1 User vagrant Port 2201 UserKnownHostsFile /dev/null StrictHostKeyChecking no PasswordAuthentication no IdentityFile /home/conor/.vagrant.d/insecure_private_key IdentitiesOnly yes LogLevel FATAL $ vagrant ssh app-prod -c 'echo hello' # will fail due to incorrect ssh-config ssh_exchange_identification: read: Connection reset by peer $ export SECUREDROP_SSH_OVER_TOR=1 # instruct Vagrant to use Tor for SSH $ vagrant ssh-config app-prod # will show correct info, with ProxyCommand Host app-prod HostName l57xhqhltlu323vi.onion User vagrant Port 22 UserKnownHostsFile /dev/null StrictHostKeyChecking no PasswordAuthentication no IdentityFile /home/conor/.vagrant.d/insecure_private_key IdentitiesOnly yes LogLevel FATAL ProxyCommand nc -x 127.0.0.1:9050 %h %p $ # ensure ATHS values are active in local Tor config: $ cat *-aths | sudo tee -a /etc/tor/torrc > /dev/null && sudo service tor reload $ vagrant ssh app-prod -c 'echo hello' # works hello Connection to l57xhqhltlu323vi.onion closed.
SECUREDROP_SSH_OVER_TOR is true, Vagrant will look up the ATHS URLs
for each server by examining the contents of
./install_files/ansible-base. You can manually inspect these files
to append values to your local
torrc, as in the
cat example above.
Note that the
cat example above will also add the ATHS info for the
Journalist Interface, as well, which is useful for testing.
The instructions above refer to VMs set up with v2 onion services. If
v3 onion services are configured instead, the steps required for the
tor setup will differ. You will need to add a
ClientOnionAuthDir directive to
torrc, pointing to a directory
*.auth_private files created during the installation