Comment by koroshitekure

6 years ago

oh, i found out where the leak was

it's right at the end of the article - the attacker was abusing the "create a preview card of any posted URL" feature - he'd post a link, wait for pleroma to go and grab the url to preview it, then narrow down which one was mine based on user agent

i added an upstream proxy and anonymised the user agent, so even if he were to do that, the most he'd find was my proxy box

3 comments

koroshitekure

Reply
chvanikoff  6 years ago

That might be what you are talking about, but just to confirm: Pleroma has an ability to proxy outbound requests via `pleroma.http` config out of the box

  • koroshitekure  6 years ago

    yeah that's what I'm using

    I also pull-requested a user agent anonymisation setting (pleroma.http.user_agent) to make this better

TrueDuality  6 years ago

Did you consider using Tor to make those kind of outbound requests? I've done that in that past for a similar situation to avoid leaking IPs, there is a latency overhead but it solved my issue pretty quickly. There were some sites that were blocking Tor exits but the vast majority were successful (enough that when the feature failed it didn't really matter).