[koroshitekure]

oh, i found out where the leak was

it's right at the end of the article - the attacker was abusing the "create a preview card of any posted URL" feature - he'd post a link, wait for pleroma to go and grab the url to preview it, then narrow down which one was mine based on user agent

i added an upstream proxy and anonymised the user agent, so even if he were to do that, the most he'd find was my proxy box

[chvanikoff]

That might be what you are talking about, but just to confirm: Pleroma has an ability to proxy outbound requests via `pleroma.http` config out of the box

[koroshitekure]

yeah that's what I'm using

I also pull-requested a user agent anonymisation setting (pleroma.http.user_agent) to make this better

[TrueDuality]

Did you consider using Tor to make those kind of outbound requests? I've done that in that past for a similar situation to avoid leaking IPs, there is a latency overhead but it solved my issue pretty quickly. There were some sites that were blocking Tor exits but the vast majority were successful (enough that when the feature failed it didn't really matter).