Hidden Service, Apache, phpBB & Auction-Script?
wtk at hod.aarg.net
Sat Jul 16 15:35:37 UTC 2005
Hello,
I am setting up an Apache v2 server on my Windows XP machine. This
is my first attempt at running a server and offering bulletin
board and online auction services. If I am not out of place I
have some questions I would really appreciate some assistance
with.
I am going to install the following services on my Apache server:
1. phpbb v2 (Bulletin Board software):
http://www.phpbb.com/
2. Auction-Script (Online auction software):
http://www.auction-script.com/
I want to place these services behind Tor's Hidden Services to
ensure the security and anonymity of myself and my guests.
My system:
Windows XPsp2 with 512mb memory
Cable DSL (3gig) with dynamic IP address
Paging File disabled
Firewall software
Anti-Virus software
Anti-Trojan software
I have read the Hidden Service configuration info on
http://tor.eff.org and I have read the Tor wiki. I did not find
the information I was seeking so I have a few (rather simple)
questions I would like to ask:
1. When setting up Apache v2 I am prompted for a "Network
Domain"(DNS domain) and "Server Name"(DNS name). My account
addresses from my ISP provider are automatically entered in these
boxes.
I understand that usually I would have to use a "Dynamic DNS and
URL Redirection service" like http://yi.org, register my Domain
and setup DNS Hosting (both possible through http://yi.org or
http://freedns.afraid.org/). Then I would have to install an
automatic Dynamic IP Updater like DynSite Version 1.11 (
http://noeld.com/dynsite.asp ) to keep up with my constant IP
changes.
When I keep my account addresses from my ISP in these boxes
Apache installs fine. This is as far as I have gotten as I
wanted to ask these questions before I went further.
Could I keep my account address from my ISP in these boxes when
using Tor's Hidden Service with my bulletin board and auction-
site? Or do I have to setup a Domain Name, DNS Hosting and
Dynamic IP updater for use with Tor's Hidden Service and my
bulletin board and auction-site?
2. If I understand correctly when editing the Torrc file in
/usr/local/etc/tor/ to setup an '.onion' address for my bulletin
board and auction-site, I would use the respective port numbers
for these services with these Torrc edits:
HiddenServiceDir /usr/local/etc/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080 (I don't plan on offering a HTTP website)
HiddenServiceDir /usr/local/etc/tor/other_hidden_service/
HiddenServicePort 6667 127.0.0.1:6667 (edit port for bulletin board)
HiddenServicePort 22 127.0.0.1:22 (edit port for auction-site)
Is this correct? If so would I then have three different .onion
addresses?
3. Do I need to setup Hidden Service to port 80 if I am not
offering a HTTP website?
4. The auction-script software requires Perl 5 to be installed
and running. The auction-script 'read-me' file states: "In
order for Perl CGI programs to run on Windows, the server must
be properly configured to run them...The reason is, in order for
the Perl CGI script to be able to create files in a given
directory, that directory must be setup so that EVERYONE has
FULL CONTROL."
Upon installation of Apache there is an option to have Apache
listen on port 80 "All Users, on Port 80, as a Service -
Recommended". This option seems to offer the "full control"
that "everyone" must have to use the auction software; is this
correct?
5. I read in the Hidden Service docs: "HiddenServicePort is
where you specify a virtual port and where to redirect
connections to this virtual port. For instance, you tell Tor
there's a virtual port 80 and then redirect traffic to your
local webserver at 127.0.0.1:8080."
Is it possible or more secure to setup Apache to listen on port
8080 and still use the bulletin board and auction-script
software? If so, should I setup Tor's virtual port for the
bulletin board and auction software ports (replacing the example
IRC and SSH server ports)?
6. Auction-script software uses Perl 5 CGI script, will the use
of Perl 5 CGI endanger the anonymity (IP) of my server and the
guests accessing it? For example, would Perl 5 CGI have the
same effect as using Java while surfing via Tor/Privoxy?
7. Are there any considerations or configurations I have not
mentioned or I should be aware of?
8. Would it be a wise idea in regards to 'plausible deniability'
to setup a Tor server on the same computer I am installing
Apache, the bulletin board and auction-site?
9. I would not like to run out of RAM so to keep the paging file
disabled I believe I need more RAM. Should I keep my 'Paging
file' disabled or enable it?
Much Cheers!
crash
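
An added example, not part of the original post and not Tor project code: a small Python parser that groups HiddenServicePort lines under the HiddenServiceDir they follow, which is how Tor reads torrc, and flags any backend target that is not a loopback address. The sample torrc is constructed from the directives quoted in question 2; the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the directives quoted in question 2 of the post.
SAMPLE_TORRC = """\
HiddenServiceDir /usr/local/etc/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /usr/local/etc/tor/other_hidden_service/
HiddenServicePort 6667 127.0.0.1:6667
HiddenServicePort 22 127.0.0.1:22
"""

def parse_hidden_services(torrc_text):
    """Group HiddenServicePort lines under the HiddenServiceDir they follow.

    Each HiddenServiceDir starts a new service (one .onion address). Only the
    "port" and "addr:port" target forms are handled here (no unix: sockets,
    no bracketed IPv6).
    """
    services = []
    for lineno, raw in enumerate(torrc_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        key = parts[0].lower()
        if key == "hiddenservicedir":
            services.append({"dir": parts[1], "ports": []})
        elif key == "hiddenserviceport":
            if not services:
                raise ValueError(f"line {lineno}: HiddenServicePort before HiddenServiceDir")
            virt = int(parts[1])
            # With no target given, Tor forwards to 127.0.0.1 on the same port.
            target = parts[2] if len(parts) > 2 else f"127.0.0.1:{virt}"
            host, _, port = target.rpartition(":")
            services[-1]["ports"].append((virt, host or "127.0.0.1", int(port)))
    return services

def non_loopback_targets(services):
    """Return (dir, virtual_port, host) for backends not on a loopback IP."""
    flagged = []
    for svc in services:
        for virt, host, _ in svc["ports"]:
            try:
                is_loop = ipaddress.ip_address(host).is_loopback
            except ValueError:
                is_loop = False  # hostnames are flagged for manual review
            if not is_loop:
                flagged.append((svc["dir"], virt, host))
    return flagged
```

Run over the constructed sample, `parse_hidden_services` returns two services, the second carrying both the 6667 and 22 mappings, and `non_loopback_targets` returns an empty list.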