[tor-talk] How to protect apache local-restricted from secret service access?
Mirimir
mirimir at riseup.net
Thu Feb 5 16:11:32 UTC 2015
On 02/04/2015 08:19 AM, contact_tor at nirgal.com wrote:
> Hi
>
> When you have a website that is available from a tor secret service, how
> do you forbid access to url restricted to ip=localhost?
>
> I'm thinking of apache default http://xxxxx.onion/server-status for example.
>
> Using "a2dismod status" is the obvious solution for that one, but does
> anyone had a more generic solution?
> Maybe a full VM with a vif interface? That's an heavy solution...
> Anything more simple?
You can use firewall rules.
> The web site I'm thinking about has a public address, nothing to hide,
> and the .onion address is only there to protect the users. But I'd
> rather not introduce too many security issues...
Running hidden services and non-Tor websites on the same server is
generally considered bad practice.
> (BTW, a warning about these issues on
> https://www.torproject.org/docs/tor-hidden-service.html would be nice)
>
More information about the tor-talk
mailing list