Re: [Taler] deployment/regional-currency: tor hidden service

[Christian Grothoff]

Dear Calvin,

(1) Getting a 404 on the reserve pub *initially* is normal, after all, 
the user usually will take some time to do the wire transfer in the 
bank. The wallet will keep trying until it is successful (or told to 
abort). That said, if you keep getting a 404, check the logs for the 
taler-exchange-wirewatch service, that is the service that imports 
transactions from the bank into the exchange. Usually it is either an 
access control issue (wirewatch fails to access the bank, say because 
it's behind Tor and wirewatch isn't proxying via Tor; you may want to 
hack it to NOT use Tor and instead access the bank via loopback...) or 
simply that you didn't start wirewatch (not using systemd, not using our 
scripts).

As far as updating the regional currency deployment scripts to deploy a 
Tor hidden service is concerned: I'm OK with us reviewing and (if 
well-written) a patch that would do this, but I don't think the core 
team currently has the time to work on this.

Happy hacking!

Christian
p.s.: Glad to hear you work on this!

On 5/15/24 23:23, Calvin Burns via Taler wrote:
> Dear developers,
>
> could you please provide some hints about how to use the deployment scripts for
> a regional currency [1] to set up the bank and exchange as a tor hidden service?
>
> Assume the currency is TALER not bound to a commercial bank currency.
> Assume 2 hidden services defined in torrc (see [2]):
> ```
> HiddenServiceDir /var/lib/tor/bank.taler/
> HiddenServicePort 80 bank.taler:13099
>
> HiddenServiceDir /var/lib/tor/exchange.taler/
> HiddenServicePort 80 exchange.taler:22911
> ```
> bank.taler and exchange.taler are mapped to 127.0.0.1 in /etc/hosts.
> The generated onion addresses are stored in
> /var/lib/tor/bank.taler/hostname
> /var/lib/tor/exchange.taler/hostname.
>
> Here is an example for /etc/nginx/sites-enabled/bank.taler:
> ```
> server {
>    listen 13099;
>    listen [::]:13099;
>
>    server_name bank-onion-address.onion;
>    # ...
>    access_log /var/log/nginx/libeufin-sandbox.onion.log;
>    error_log /var/log/nginx/libeufin-sandbox.onion.err;
>
>    location / {
>      proxy_pass http://localhost:8080;
>      # Fixes withdrawal http request
>      proxy_set_header X-Forwarded-Proto "http";
>      proxy_set_header X-Forwarded-Host "bank-onion-address.onion";
>      proxy_set_header X-Forwarded-Prefix /;
>    }
> }
> ```
> For the exchange accordingly.
>
> I added a bank account for the exchange with the onion address and with 
> priority 1:
> ```
> sudo -i -u taler-exchange-offline \
>    torify \
>    taler-exchange-offline \
>    enable-account \
>    
> payto://x-taler-bank/bank-onion-address.onion/exchange?receiver-name=Exchange \
>    display-hint 1 ...
> ```
>
> I use tor-browser with the taler wallet addon.
> After withdrawing to the wallet by using the bank web interface I get "404" in
> /var/log/nginx/exchange.log saying
> ```
> 127.0.0.1 ... "GET /reserves/HP...FG?timeout_ms=30000 HTTP/1.1 404 103 ...
> ```
> Any suggestion why the reserve is not found?
>
> Please consider adding support for hidden services in the
> deployment scripts for regional currencies [1].
>
> [1] https://git.taler.net/deployment.git/tree/regional-currency
> [2] https://community.torproject.org/onion-services/setup/