[tor-project] [INFORMATION REQUEST] Onion Service Web Site Deployments

Ian Goldberg tor at cypherpunks.ca
Tue Jul 21 00:19:54 UTC 2020


On Tue, Jul 21, 2020 at 01:47:40AM +0200, Sebastian Hahn wrote:
> If there were some sensible way to have https which terminates at their
> end while they don't have to operate a hidden service, I am pretty sure
> we could work something out and I would obviously go for it.

For our research group's university-run web server
(https://crysp.uwaterloo.ca/), I do a "split onion/https" setup where
the machine running the onion service
(http://uwcryspionvholmkfxoqt2xns5mvnct34ytacugxtqpqrnka2oqm6kqd.onion/)
has a localhost-listening proxy, which can be a pretty lightweight
custom thing, or a very simple Apache (for example) configuration:

    SslProxyEngine On
    ProxyPass / https://crysp.uwaterloo.ca/

So then it's onion from the client to the onion service, HTTP to the
localhost proxy, and HTTPS from the proxy to the remote (but in the same
building) server.  If there's something amiss with the HTTPS connection
to the remote server, presumably Apache will complain and not send,
e.g., secure cookies.  That's admittedly up to Apache, and not the
client, but it's better than the "last mile" being plain HTTP.  And for
bonus points, the people who run the real backend webserver don't have
to do anything special at all.

I wonder if a "lightweight custom proxy" that just fetches pages
from one specific host over https might get bundled with tor for
easy onion service setup?
-- 
Ian Goldberg
Canada Research Chair in Privacy Enhancing Technologies
Professor, Cheriton School of Computer Science
University of Waterloo
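
One way to write the "lightweight custom proxy" wondered about above, as an added Python example that is not part of the original message and not code from tor or the author. It listens on localhost only, fetches from the one fixed host over HTTPS with certificate and hostname verification made explicit, and returns 502 rather than content if that leg fails. The port 8080 (which a torrc `HiddenServicePort 80 127.0.0.1:8080` line would point at), the GET-only scope, and all function and class names are assumptions.

```python
import http.client
import ssl
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

UPSTREAM_HOST = "crysp.uwaterloo.ca"  # the single backend named in the message
LISTEN_ADDR = ("127.0.0.1", 8080)     # assumed port; localhost only, as described
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}

def upstream_tls_context():
    """TLS settings for the proxy-to-backend leg: verify chain and hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def upstream_headers(client_headers):
    """Drop hop-by-hop headers and pin Host to the backend (not the .onion name)."""
    skip = HOP_BY_HOP | {"host"}
    out = {k: v for k, v in client_headers.items() if k.lower() not in skip}
    out["Host"] = UPSTREAM_HOST
    return out

class OnionFrontend(BaseHTTPRequestHandler):
    def do_GET(self):
        if not self.path.startswith("/"):  # refuse absolute-URI request targets
            self.send_error(400)
            return
        conn = http.client.HTTPSConnection(
            UPSTREAM_HOST, context=upstream_tls_context(), timeout=30)
        try:
            conn.request("GET", self.path, headers=upstream_headers(self.headers))
            resp = conn.getresponse()
            body = resp.read()
        except (OSError, http.client.HTTPException):
            # Includes certificate/hostname verification failures: fail closed.
            self.send_error(502, "upstream HTTPS request failed")
            return
        finally:
            conn.close()
        self.send_response(resp.status)
        skip = HOP_BY_HOP | {"content-length", "server", "date"}
        for k, v in resp.getheaders():
            if k.lower() not in skip:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    ThreadingHTTPServer(LISTEN_ADDR, OnionFrontend).serve_forever()
```

`Location` headers and absolute links from the backend pass through unchanged in this example, so a redirect that names the `https://` host would take a client off the onion address.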

